email:install-servers [2025/03/03 08:36] – created willy
email:install-servers [2025/03/13 13:29] (current) – [Installation: servers] willy
Line 1: Line 1:
-===== Installation: servers =====+===== C) Installation: servers =====
  
-Install Postfix and Dovecot+Postfix is your Mail Transfer Agent, which means that Postfix role is to actually send emails from one server to the other. Postfix is the server that will let you send an email, and also the server which will receive emails for you from other email servers.
  
-USE flags: +Dovecot instead, is the IMAP server, which will let you access your email, store it.
-<code bash> +
-echo "*/* maildir dovecot sasl" >> /etc/portage/package.use/mailserver +
-echo "net-mail/dovecot managesieve sqlite lz4" >> /etc/portage/package.use/mailserver +
-echo "mail-mta/postfix dovecot-sasl sqlite -sasl" >> /etc/portage/package.use/mailserver  +
-echo "dev-lang/php imap" >> /etc/portage/package.use/mailserver  +
-</code>+
  
-Emerge the servers: 
-<code bash> 
-emerge -vp postfix dovecot 
-</code> 
  
 +===== USE flags =====
  
-===== Installation: user, permissions & storage ===== +You need to setup some specific USE flags before installing Postfix and Dovecot
- +
-Since different pieces of the email infrastructure will need to interoperate, it is a good idea to create a specific user to store all the emails on the filesystem. This user will own the email storage folders which i assume will be located under **/home/vmail**. I choose UID and GID 5000 since the ones <1000 are reserved for system users:+
  
 +USE flags:
 <code bash> <code bash>
-groupadd -g 5000 vmail +echo "*/* maildir dovecot" >> /etc/portage/package.use/mailserver 
-useradd -m -d /home/vmail -s /bin/false -u 5000 -g vmail vmail +echo "net-mail/dovecot managesieve sqlite lz4" >> /etc/portage/package.use/mailserver 
-chmod 2770 /home/vmail/+echo "mail-mta/postfix dovecot-sasl sqlite" >> /etc/portage/package.use/mailserver 
 </code> </code>
  
-The resulting permissions should look like: +This is needed to ensure that the storage format is //mailbox//, that we will need SQLite support and we want SASL authentication.
-<code bash> +
-ls -ld /home/vmail +
-drwxrws--- 3 vmail vmail 4096 Aug 2 07:24 /home/vmail +
-</code>+
  
-FIX QUI I PERMESSI DEL DB 
  
-Now create the database: +===== Installation =====
-<code bash> +
-su - vmail +
-mkdir db +
-sqlite3 db/vmail.sqlite3 +
-sqlite> .databases +
-main: /home/vmail/db/vmail.sqlite3 r/w +
-sqlite> .tables +
-sqlite> .exit +
-</code>+
  
- +Emerge the servers:
-===== Installation: postfixadmin web gui ===== +
- +
-postfixadmin and roundcube will be installed manually and not via Gentoo portage, to avoid upgrade issues. +
- +
-Download latest release of **postfixadmin** from [[https://github.com/postfixadmin/postfixadmin/releases|here]] and decompress in a folder accessible to the **web** user, since i use the **web** user to run all PHP based software on the external webserver:+
 <code bash> <code bash>
-su # do this as root! You don't need to make postfixadmin writable by the web user +emerge -vp postfix dovecot
-cd /home/web +
-mkdir postfixadmin +
-cd postfixadmin +
-wget https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.15.tar.gz +
-tar xvf postfixadmin-3.3.15.tar.gz +
-mv postfixadmin-postfixadmin-3.3.15 postfixadmin +
-#The following folder must be writeable by web user: +
-mkdir -p postfixadmin/templates_c +
-chown -R web postfixadmin/templates_c+
 </code> </code>
  
-Now, configure it by creating a file called **postfixadmin/config.local.php** with the following content (see postfixadmin/config.inc.php for all available stuff to configure): 
-<file - config.local.php> 
-<?php 
-$CONF['database_type'] = 'sqlite'; 
-$CONF['database_name'] = '/home/vmail/db/vmail.sqlite3'; 
-$CONF['encrypt'] = 'dovecot:SHA512'; 
-$CONF['postfix_admin_url'] = 'https://mail.mydomain.com'; 
-$CONF['admin_email'] = 'postmaster@mydomain.com'; 
-$CONF['default_aliases'] = array ( 
-    'abuse' => 'abuse@mydomain.com', 
-    'hostmaster' => 'hostmaster@mydomain.com', 
-    'postmaster' => 'postmaster@mydomain.com', 
-    'webmaster' => 'webmaster@mydomain.com' 
-); 
-$CONF['transport'] = 'YES'; 
-$CONF['configured'] = true; 
-/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */ 
-</file> 
  
-Now setup NGINX to point to it. You need of course to setup a certbot certificate, then (see [[selfhost:nginx|this page]]) configure your NGINX to use PHP-FPM. See the following **postfixadmin.conf** file as reference: 
-<file postfixadmin.conf> 
-server { 
-        server_name mail.mydomain.com; 
-        listen 443 ssl; 
- 
-        access_log /var/log/nginx/mail.mydomain.com_access_log main; 
-        error_log /var/log/nginx/mail.mydomain.com_error_log info; 
-         
-        index index.php; 
-         
-        root /home/web/postfixadmin/postfixadmin/public;      
-  
-# Uncomment the following lines only AFTER setup is complete!          
-#        location ~ /(setup.php) { 
-#                deny all; 
-#                alias /home/web/postfixadmin/postfixadmin/public; 
-#        } 
-       
-        location ~ /.*\.php$ { 
-                try_files $uri =404; 
-                fastcgi_split_path_info ^(.+\.php)(/.+)$; 
-                include fastcgi_params; 
-                fastcgi_param SCRIPT_FILENAME $request_filename; 
-                fastcgi_pass 127.0.0.1:9000; 
-        } 
-} 
-</file> 
- 
-restart NGINX and go to the URL **https://mail.mydomain.com/setup.php** and follow the on-screen instructions to create a password hash that you need to add to the above config.local.php file, then reload the page itself. 
- 
-Also don't forget to create a superadmin-account. I suggest you call it **user@mydomain.com** and set a password you will not forget. 
- 
-Go back, uncomment the lines in the NGINX config file to disable the setup.php, and restart NGINX. 
- 
-__note:__ when adding new domains, choose "virtual" as transport, and 0 as password expiry. 
- 
-At this point, you can already create all the mail domains and user accounts you want. 
- 
- 
-===== Configuration: postfix ===== 
- 
-Link to SQL. 
- 
-File: **/etc/postfix/sql/virtual_mailbox_domains.cf**: 
-<file - virtual_mailbox_domains.cf> 
-dbpath = /home/vmail/db/vmail.sqlite3 
-query  = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'; 
-</file> 
- 
-File: **/etc/postfix/sql/virtual_mailbox_maps.cf**: 
-<file - virtual_mailbox_maps.cf> 
-dbpath = /home/vmail/db/vmail.sqlite3 
-query  = SELECT maildir FROM mailbox WHERE local_part='%u' AND domain='%d' AND active='1'; 
-</file> 
- 
-File: **/etc/postfix/sql/virtual_alias_maps.cf**: 
-<file - virtual_alias_maps.cf> 
-dbpath = /home/vmail/db/vmail.sqlite3 
-query  = SELECT goto FROM alias WHERE address='%s' AND active='1'; 
-</file> 
- 
-Now, link it all in **/etc/postfix/main.cf**: 
-<code> 
-# A list of all virtual domains serviced by this instance of postfix. 
-virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf 
-# Look up the mailbox location based on the email address received. 
-virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf 
-# Any aliases that are supported by this system 
-virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf 
-</code> 
- 
- 
- 
-<file> 
-compatibility_level = 3.6 
- 
-# Prevent hard-bounces 
-soft_bounce = yes 
- 
-queue_directory = /var/spool/postfix 
-command_directory = /usr/sbin 
-daemon_directory = /usr/libexec/postfix 
-data_directory = /var/lib/postfix 
- 
-mail_owner = postfix 
- 
-# Usa gethostname() per default 
-#myhostname = gardiol.org 
- 
-mydomain = gardiol.org 
- 
-#myorigin = $mydomain 
-#inet_interfaces = all 
- 
-mydestination = localhost.localdomain 
-unknown_local_recipient_reject_code = 550 
- 
-mynetworks_style = host 
- 
-in_flow_delay = 1s 
- 
-home_mailbox = .maildir/ 
- 
-header_checks = regexp:/etc/postfix/header_checks 
- 
-smtpd_banner = $myhostname ESMTP NO UCE 
- 
-debug_peer_level = 2 
-#debug_peer_list = 127.0.0.1 
- 
-sendmail_path = /usr/sbin/sendmail 
-newaliases_path = /usr/bin/newaliases 
-mailq_path = /usr/bin/mailq 
- 
-setgid_group = postdrop 
-html_directory = no 
-manpage_directory = /usr/share/man 
-sample_directory = /etc/postfix 
-readme_directory = no 
-inet_protocols = ipv4 
-meta_directory = /etc/postfix 
-shlib_directory = /usr/lib64/postfix/${mail_version} 
- 
- 
-############################################ 
-########################################### 
-########################################### 
-disable_vrfy_command = yes 
-message_size_limit = 0 
-#20971520 
-biff = no 
- 
-local_transport = virtual 
-local_recipient_maps = $alias_maps $virtual_mailbox_maps 
- 
-virtual_transport = lmtp:unix:private/dovecot-lmtp 
- 
-virtual_uid_maps = static:999 
-virtual_gid_maps = static:999 
- 
-virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf 
-virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, 
-                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, 
-                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf 
-virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, 
-                       proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf 
- 
-# if you let postfix store your mails directly (without using maildrop, dovecot deliver etc.) 
-virtual_mailbox_base = /home/vmail 
- 
-# SASL 
-smtpd_sasl_type = dovecot 
-smtpd_sasl_path = private/auth 
-smtpd_sasl_auth_enable = yes 
-smtpd_sasl_security_options = noanonymous 
-smtpd_sasl_local_domain = 
-broken_sasl_auth_clients = no 
-smtpd_sasl_authenticated_header = yes 
-# Setup TLS 
-smtpd_tls_cert_file = /etc/letsencrypt/live/mail.gardiol.org/fullchain.pem 
-smtpd_tls_key_file = /etc/letsencrypt/live/mail.gardiol.org/privkey.pem 
-# abilita il debug... 
-smtpd_tls_loglevel = 0 
-# metti a "encrypt" per obbligare l'uso di TLS lato server (non fare, sconsigliato) 
-smtpd_tls_security_level = may 
-# Metti a yes per impedire AUTH non cifrata 
-smtpd_tls_auth_only = no 
-# Fai la cache delle sessioni 
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache 
- 
-# Some ANTISPAM 
-smtpd_delay_reject = yes 
-smtpd_helo_required = yes 
-smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit 
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender, permit 
-smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient,  check_policy_service unix:private/policy-spf, permit 
-smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated 
-#, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net 
- 
-policy-spf_time_limit = 3600s 
- 
-smtpd_timeout = 60s 
-default_process_limit = 200 
- 
-smtputf8_enable = no 
-smtp_data_done_timeout = 1800 
- 
-smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock 
-non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock 
- 
-syslog_facility = mail 
-syslog_name = postfix 
- 
-body_checks = regexp:/etc/postfix/body_checks 
- 
-maximal_queue_lifetime = 60m 
-bounce_queue_lifetime = 60m 
-smtp_connect_timeout  = 15s 
-smtp_helo_timeout = 60s 
- 
-smtpd_relay_before_recipient_restrictions = no 
-</file> 
- 
- 
- 
- 
- 
-===== Installation: DKIM, SPF and DKIM ===== 
- 
-This step is **mandatory** and critical for proper email delivery. 
- 
- 
-===== Installation: Antispam ===== 
- 
-Install spamassassin & amavisd-new 
- 
- 
-FILE /etc/postfix/main.cf Binding UID and GID's to postfix 
-<code> 
-# Link the mailbox uid and gid to postfix. 
-virtual_uid_maps = static:5000 
-virtual_gid_maps = static:5000 
-  
-# Set the base address for all virtual mailboxes 
-virtual_mailbox_base = /var/vmail 
-</code> 
  

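Review bot: the new USE-flag block contradicts its own explanation: the flags enable `maildir` (`echo "*/* maildir dovecot" >> /etc/portage/package.use/mailserver`) while the sentence under it says the storage format is //mailbox//, and that sentence says "we want SASL authentication" while the `sasl` flag was dropped from the `*/*` line and `-sasl` from `mail-mta/postfix` compared with the removed revision (`echo "*/* maildir dovecot sasl" ...` and `echo "mail-mta/postfix dovecot-sasl sqlite -sasl" ...`). Either restore the removed flag lines or fix the sentence to say Maildir and state that Postfix will authenticate through Dovecot's SASL socket (`dovecot-sasl`) rather than Cyrus SASL, so the reader knows the omission is deliberate. The install step `emerge -vp postfix dovecot` runs in pretend mode (`-p`) and installs nothing; add that the command is re-run without `-p` once the pretend output shows the expected flags. Everything after that step (vmail user and `/home/vmail` permissions, the SQLite database, postfixadmin, the Postfix SQL maps and `main.cf`, the DKIM/SPF/DMARC and antispam sections) is removed with no replacement, so the page now ends at the emerge preview. If those sections are reinstated, the removed draft `main.cf` needs reconciling first: it sets `virtual_uid_maps = static:999` although the vmail user is created with UID/GID 5000 (and a later fragment says `static:5000` with `virtual_mailbox_base = /var/vmail` instead of `/home/vmail`), it points `virtual_mailbox_domains` and the alias/mailbox maps at `proxy:mysql:` files while the map files and database on the page are SQLite, it keeps `smtpd_tls_auth_only = no` (the adjacent comment itself says setting it to yes prevents unencrypted AUTH, so as written SASL credentials are accepted over plaintext SMTP) and `message_size_limit = 0` (no limit), and `smtpd_client_restrictions` consists only of permit rules with the RBL lookups commented out. The Italian notes left in the removed text (`FIX QUI I PERMESSI DEL DB`, the comments above the TLS settings) should be translated if they come back, and the `FIX` note suggests the database permissions step was never written: with `chmod 2770 /home/vmail/` and the database created by `su - vmail`, the page never says how the web user running postfixadmin gets write access to `/home/vmail/db/vmail.sqlite3`.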