email:install-preliminary [2025/03/03 06:57] – created willyemail:install-preliminary [2025/03/13 13:29] (current) willy
Line 1: Line 1:
 +===== B) user, permissions & storage =====
  
-===== Installation: servers =====+Since different pieces of the email infrastructure will need to interoperate, it is a good idea to create a specific user to store all the emails on the filesystem. This user will own the email storage folders which i assume will be located under **/home/vmail**. I choose UID and GID 5000 since the ones  up to 1000 are reserved for system users.
  
-Install Postfix and Dovecot+The second user that you need to take into account is user **web**. PostfixAdmin will be running under user web, because on the external server i choose to run only one instance of PHP-FPM. This means that the database itself will need to be writable by user web and readable by user vmail. Due to security concern, you do not want the user web to be in the same group as user vmail, and vice versa.
  
-USE flags+As storage structure, you will need two different locations
-<code bash> +  **/home/vmail/storage** to actually store the mail accounts mailbox'es 
-echo "*/maildir dovecot sasl" >> /etc/portage/package.use/mailserver +  * **/home/vmail/database** to store the shared SQLite3 database for PostfixAdmin, Postfix and Dovecot.
-echo "net-mail/dovecot managesieve sqlite lz4" >> /etc/portage/package.use/mailserver +
-echo "mail-mta/postfix dovecot-sasl sqlite -sasl" >> /etc/portage/package.use/mailserver  +
-echo "dev-lang/php imap" >> /etc/portage/package.use/mailserver  +
-</code> +
- +
-Emerge the servers: +
-<code bash> +
-emerge -vp postfix dovecot +
-</code> +
- +
- +
-===== Installation: user, permissions & storage ===== +
- +
-Since different pieces of the email infrastructure will need to interoperate, it is a good idea to create a specific user to store all the emails on the filesystem. This user will own the email storage folders which i assume will be located under **/home/vmail**. I choose UID and GID 5000 since the ones <1000 are reserved for system users:+
  
 +I assume you already have a //web// account. So:
 <code bash> <code bash>
 groupadd -g 5000 vmail groupadd -g 5000 vmail
-useradd -m -d /home/vmail -s /bin/false -u 5000 -g vmail vmail +mkdir /home/vmail 
-chmod 2770 /home/vmail/+useradd -m -d /home/vmail/storage -s /bin/false -u 5000 -g vmail vmail 
 +chmod 2770 /home/vmail/storage 
 +mkdir /home/vmail/database 
 +chown web:vmail /home/vmail/database
 </code> </code>
  
 The resulting permissions should look like: The resulting permissions should look like:
 <code bash> <code bash>
-ls -ld /home/vmail +ls -ld /home/vmail
-drwxrws--- 3 vmail vmail 4096 Aug 2 07:24 /home/vmail+drwxrw-xr-x 3 root root 4096 Aug 2 07:24 /home/vmail 
 +ls -ld /home/vmail/storage 
 +drwxrws--- 3 vmail vmail 4096 Aug 2 07:24 /home/vmail/storage 
 +ls -ld /home/vmail/database 
 +drwxr-x--- 3 web vmail 4096 Aug 2 07:24 /home/vmail/database
 </code> </code>
  
-FIX QUI I PERMESSI DEL DB 
  
 Now create the database: Now create the database:
 <code bash> <code bash>
-su - vmail +su - web 
-mkdir db +cd /home/vmail/database 
-sqlite3 db/vmail.sqlite3+sqlite3 vmail.sqlite3
 sqlite> .databases sqlite> .databases
-main: /home/vmail/db/vmail.sqlite3 r/w+main: vmail.sqlite3 r/w
 sqlite> .tables sqlite> .tables
 sqlite> .exit sqlite> .exit
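Review bot: the permission listing after the `groupadd`/`useradd`/`chown` block does not match what those commands produce: `drwxrw-xr-x` on `/home/vmail` is not a valid mode string (ten mode characters; a root-owned `mkdir` under the default umask gives `drwxr-xr-x`), and `/home/vmail/database` is only `chown web:vmail`'d, never `chmod`'d, so it stays `drwxr-xr-x` rather than the `drwxr-x---` shown. Suggest adding `chmod 2750 /home/vmail/database` so the directory is closed to others and files created inside inherit group `vmail`, then `chmod 640 vmail.sqlite3` after creating it; otherwise the database created below via `su - web` ends up owned `web:web` (mode 644 under umask 022) and Dovecot/Postfix read it only through the world-readable bit, which defeats the "writable by web, readable by vmail" separation the paragraph above asks for. Also `su - web` only works if `web` has a login shell; `su -s /bin/sh web` works either way.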
Line 48: Line 42:
  
  
-===== Installation: postfixadmin web gui ===== 
- 
-postfixadmin and roundcube will be installed manually and not via Gentoo portage, to avoid upgrade issues. 
- 
-Download latest release of **postfixadmin** from [[https://github.com/postfixadmin/postfixadmin/releases|here]] and decompress in a folder accessible to the **web** user, since i use the **web** user to run all PHP based software on the external webserver: 
-<code bash> 
-su # do this as root! You don't need to make postfixadmin writable by the web user 
-cd /home/web 
-mkdir postfixadmin 
-cd postfixadmin 
-wget https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.15.tar.gz 
-tar xvf postfixadmin-3.3.15.tar.gz 
-mv postfixadmin-postfixadmin-3.3.15 postfixadmin 
-#The following folder must be writeable by web user: 
-mkdir -p postfixadmin/templates_c 
-chown -R web postfixadmin/templates_c 
-</code> 
- 
-Now, configure it by creating a file called **postfixadmin/config.local.php** with the following content (see postfixadmin/config.inc.php for all available stuff to configure): 
-<file - config.local.php> 
-<?php 
-$CONF['database_type'] = 'sqlite'; 
-$CONF['database_name'] = '/home/vmail/db/vmail.sqlite3'; 
-$CONF['encrypt'] = 'dovecot:SHA512'; 
-$CONF['postfix_admin_url'] = 'https://mail.mydomain.com'; 
-$CONF['admin_email'] = 'postmaster@mydomain.com'; 
-$CONF['default_aliases'] = array ( 
-    'abuse' => 'abuse@mydomain.com', 
-    'hostmaster' => 'hostmaster@mydomain.com', 
-    'postmaster' => 'postmaster@mydomain.com', 
-    'webmaster' => 'webmaster@mydomain.com' 
-); 
-$CONF['transport'] = 'YES'; 
-$CONF['configured'] = true; 
-/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */ 
-</file> 
- 
-Now setup NGINX to point to it. You need of course to setup a certbot certificate, then (see [[selfhost:nginx|this page]]) configure your NGINX to use PHP-FPM. See the following **postfixadmin.conf** file as reference: 
-<file postfixadmin.conf> 
-server { 
-        server_name mail.mydomain.com; 
-        listen 443 ssl; 
- 
-        access_log /var/log/nginx/mail.mydomain.com_access_log main; 
-        error_log /var/log/nginx/mail.mydomain.com_error_log info; 
-         
-        index index.php; 
-         
-        root /home/web/postfixadmin/postfixadmin/public;      
-  
-# Uncomment the following lines only AFTER setup is complete!          
-#        location ~ /(setup.php) { 
-#                deny all; 
-#                alias /home/web/postfixadmin/postfixadmin/public; 
-#        } 
-       
-        location ~ /.*\.php$ { 
-                try_files $uri =404; 
-                fastcgi_split_path_info ^(.+\.php)(/.+)$; 
-                include fastcgi_params; 
-                fastcgi_param SCRIPT_FILENAME $request_filename; 
-                fastcgi_pass 127.0.0.1:9000; 
-        } 
-} 
-</file> 
- 
-restart NGINX and go to the URL **https://mail.mydomain.com/setup.php** and follow the on-screen instructions to create a password hash that you need to add to the above config.local.php file, then reload the page itself. 
- 
-Also don't forget to create a superadmin-account. I suggest you call it **user@mydomain.com** and set a password you will not forget. 
- 
-Go back, uncomment the lines in the NGINX config file to disable the setup.php, and restart NGINX. 
- 
-__note:__ when adding new domains, choose "virtual" as transport, and 0 as password expiry. 
- 
-At this point, you can already create all the mail domains and user accounts you want. 
- 
- 
-===== Configuration: postfix ===== 
- 
-Link to SQL. 
- 
-File: **/etc/postfix/sql/virtual_mailbox_domains.cf**: 
-<file - virtual_mailbox_domains.cf> 
-dbpath = /home/vmail/db/vmail.sqlite3 
-query  = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'; 
-</file> 
- 
-File: **/etc/postfix/sql/virtual_mailbox_maps.cf**: 
-<file - virtual_mailbox_maps.cf> 
-dbpath = /home/vmail/db/vmail.sqlite3 
-query  = SELECT maildir FROM mailbox WHERE local_part='%u' AND domain='%d' AND active='1'; 
-</file> 
- 
-File: **/etc/postfix/sql/virtual_alias_maps.cf**: 
-<file - virtual_alias_maps.cf> 
-dbpath = /home/vmail/db/vmail.sqlite3 
-query  = SELECT goto FROM alias WHERE address='%s' AND active='1'; 
-</file> 
- 
-Now, link it all in **/etc/postfix/main.cf**: 
-<code> 
-# A list of all virtual domains serviced by this instance of postfix. 
-virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf 
-# Look up the mailbox location based on the email address received. 
-virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf 
-# Any aliases that are supported by this system 
-virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf 
-</code> 
- 
- 
- 
-<file> 
-compatibility_level = 3.6 
- 
-# Prevent hard-bounces 
-soft_bounce = yes 
- 
-queue_directory = /var/spool/postfix 
-command_directory = /usr/sbin 
-daemon_directory = /usr/libexec/postfix 
-data_directory = /var/lib/postfix 
- 
-mail_owner = postfix 
- 
-# Usa gethostname() per default 
-#myhostname = gardiol.org 
- 
-mydomain = gardiol.org 
- 
-#myorigin = $mydomain 
-#inet_interfaces = all 
- 
-mydestination = localhost.localdomain 
-unknown_local_recipient_reject_code = 550 
- 
-mynetworks_style = host 
- 
-in_flow_delay = 1s 
- 
-home_mailbox = .maildir/ 
- 
-header_checks = regexp:/etc/postfix/header_checks 
- 
-smtpd_banner = $myhostname ESMTP NO UCE 
- 
-debug_peer_level = 2 
-#debug_peer_list = 127.0.0.1 
- 
-sendmail_path = /usr/sbin/sendmail 
-newaliases_path = /usr/bin/newaliases 
-mailq_path = /usr/bin/mailq 
- 
-setgid_group = postdrop 
-html_directory = no 
-manpage_directory = /usr/share/man 
-sample_directory = /etc/postfix 
-readme_directory = no 
-inet_protocols = ipv4 
-meta_directory = /etc/postfix 
-shlib_directory = /usr/lib64/postfix/${mail_version} 
- 
- 
-############################################ 
-########################################### 
-########################################### 
-disable_vrfy_command = yes 
-message_size_limit = 0 
-#20971520 
-biff = no 
- 
-local_transport = virtual 
-local_recipient_maps = $alias_maps $virtual_mailbox_maps 
- 
-virtual_transport = lmtp:unix:private/dovecot-lmtp 
- 
-virtual_uid_maps = static:999 
-virtual_gid_maps = static:999 
- 
-virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf 
-virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, 
-                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, 
-                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf 
-virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, 
-                       proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf 
- 
-# if you let postfix store your mails directly (without using maildrop, dovecot deliver etc.) 
-virtual_mailbox_base = /home/vmail 
- 
-# SASL 
-smtpd_sasl_type = dovecot 
-smtpd_sasl_path = private/auth 
-smtpd_sasl_auth_enable = yes 
-smtpd_sasl_security_options = noanonymous 
-smtpd_sasl_local_domain = 
-broken_sasl_auth_clients = no 
-smtpd_sasl_authenticated_header = yes 
-# Setup TLS 
-smtpd_tls_cert_file = /etc/letsencrypt/live/mail.gardiol.org/fullchain.pem 
-smtpd_tls_key_file = /etc/letsencrypt/live/mail.gardiol.org/privkey.pem 
-# abilita il debug... 
-smtpd_tls_loglevel = 0 
-# metti a "encrypt" per obbligare l'uso di TLS lato server (non fare, sconsigliato) 
-smtpd_tls_security_level = may 
-# Metti a yes per impedire AUTH non cifrata 
-smtpd_tls_auth_only = no 
-# Fai la cache delle sessioni 
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache 
- 
-# Some ANTISPAM 
-smtpd_delay_reject = yes 
-smtpd_helo_required = yes 
-smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit 
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender, permit 
-smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient,  check_policy_service unix:private/policy-spf, permit 
-smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated 
-#, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net 
- 
-policy-spf_time_limit = 3600s 
- 
-smtpd_timeout = 60s 
-default_process_limit = 200 
- 
-smtputf8_enable = no 
-smtp_data_done_timeout = 1800 
- 
-smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock 
-non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock 
- 
-syslog_facility = mail 
-syslog_name = postfix 
- 
-body_checks = regexp:/etc/postfix/body_checks 
- 
-maximal_queue_lifetime = 60m 
-bounce_queue_lifetime = 60m 
-smtp_connect_timeout  = 15s 
-smtp_helo_timeout = 60s 
- 
-smtpd_relay_before_recipient_restrictions = no 
-</file> 
- 
- 
- 
- 
- 
-===== Installation: DKIM, SPF and DKIM ===== 
- 
-This step is **mandatory** and critical for proper email delivery. 
- 
- 
-===== Installation: Antispam ===== 
- 
-Install spamassassin & amavisd-new 
- 
- 
-FILE /etc/postfix/main.cf Binding UID and GID's to postfix 
-<code> 
-# Link the mailbox uid and gid to postfix. 
-virtual_uid_maps = static:5000 
-virtual_gid_maps = static:5000 
-  
-# Set the base address for all virtual mailboxes 
-virtual_mailbox_base = /var/vmail 
-</code> 
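Review bot: the deletion removes the PostfixAdmin web GUI, NGINX, Postfix `main.cf`, DKIM/SPF and antispam sections without a pointer to where they now live; since the surviving heading is renumbered `B) user, permissions & storage`, add a link to the follow-on page(s) so a reader is not left at `sqlite> .exit`. Dropping the pasted `main.cf` template is right on its own merits: it contradicts the rest of the page (`virtual_uid_maps = static:999` against the UID 5000 chosen above, `proxy:mysql:` maps against an SQLite database, `virtual_mailbox_base = /home/vmail` in one block and `/var/vmail` in the other) and carries a live hostname and Let's Encrypt key paths.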
  
