This is an old revision of the document!
Installation: servers
Install Postfix and Dovecot
USE flags:
echo "*/* maildir dovecot sasl" >> /etc/portage/package.use/mailserver echo "net-mail/dovecot managesieve sqlite lz4" >> /etc/portage/package.use/mailserver echo "mail-mta/postfix dovecot-sasl sqlite -sasl" >> /etc/portage/package.use/mailserver echo "dev-lang/php imap" >> /etc/portage/package.use/mailserver
Emerge the servers:
emerge -vp postfix dovecot
Installation: user, permissions & storage
Since different pieces of the email infrastructure will need to interoperate, it is a good idea to create a specific user to store all the emails on the filesystem. This user will own the email storage folders which i assume will be located under /home/vmail. I choose UID and GID 5000 since the ones <1000 are reserved for system users:
groupadd -g 5000 vmail useradd -m -d /home/vmail -s /bin/false -u 5000 -g vmail vmail chmod 2770 /home/vmail/
The resulting permissions should look like:
ls -ld /home/vmail drwxrws--- 3 vmail vmail 4096 Aug 2 07:24 /home/vmail
FIX QUI I PERMESSI DEL DB
Now create the database:
su - vmail mkdir db sqlite3 db/vmail.sqlite3 sqlite> .databases main: /home/vmail/db/vmail.sqlite3 r/w sqlite> .tables sqlite> .exit
Installation: postfixadmin web gui
postfixadmin and roundcube will be installed manually and not via Gentoo portage, to avoid upgrade issues.
Download latest release of postfixadmin from here and decompress in a folder accessible to the web user, since i use the web user to run all PHP based software on the external webserver:
su # do this as root! You don't need to make postfixadmin writable by the web user cd /home/web mkdir postfixadmin cd postfixadmin wget https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.15.tar.gz tar xvf postfixadmin-3.3.15.tar.gz mv postfixadmin-postfixadmin-3.3.15 postfixadmin #The following folder must be writeable by web user: mkdir -p postfixadmin/templates_c chown -R web postfixadmin/templates_c
Now, configure it by creating a file called postfixadmin/config.local.php with the following content (see postfixadmin/config.inc.php for all available stuff to configure):
- config.local.php
<?php $CONF['database_type'] = 'sqlite'; $CONF['database_name'] = '/home/vmail/db/vmail.sqlite3'; $CONF['encrypt'] = 'dovecot:SHA512'; $CONF['postfix_admin_url'] = 'https://mail.mydomain.com'; $CONF['admin_email'] = 'postmaster@mydomain.com'; $CONF['default_aliases'] = array ( 'abuse' => 'abuse@mydomain.com', 'hostmaster' => 'hostmaster@mydomain.com', 'postmaster' => 'postmaster@mydomain.com', 'webmaster' => 'webmaster@mydomain.com' ); $CONF['transport'] = 'YES'; $CONF['configured'] = true; /* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */
Now setup NGINX to point to it. You need of course to setup a certbot certificate, then (see this page) configure your NGINX to use PHP-FPM. See the following postfixadmin.conf file as reference:
server {
server_name mail.mydomain.com;
listen 443 ssl;
access_log /var/log/nginx/mail.mydomain.com_access_log main;
error_log /var/log/nginx/mail.mydomain.com_error_log info;
index index.php;
root /home/web/postfixadmin/postfixadmin/public;
# Uncomment the following lines only AFTER setup is complete!
# location ~ /(setup.php) {
# deny all;
# alias /home/web/postfixadmin/postfixadmin/public;
# }
location ~ /.*\.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
restart NGINX and go to the URL https://mail.mydomain.com/setup.php and follow the on-screen instructions to create a password hash that you need to add to the above config.local.php file, then reload the page itself.
Also don't forget to create a superadmin-account. I suggest you call it user@mydomain.com and set a password you will not forget.
Go back, uncomment the lines in the NGINX config file to disable the setup.php, and restart NGINX.
note: when adding new domains, choose “virtual” as transport, and 0 as password expiry.
At this point, you can already create all the mail domains and user accounts you want.
Configuration: postfix
Link to SQL.
File: /etc/postfix/sql/virtual_mailbox_domains.cf:
- virtual_mailbox_domains.cf
dbpath = /home/vmail/db/vmail.sqlite3 query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1';
File: /etc/postfix/sql/virtual_mailbox_maps.cf:
- virtual_mailbox_maps.cf
dbpath = /home/vmail/db/vmail.sqlite3 query = SELECT maildir FROM mailbox WHERE local_part='%u' AND domain='%d' AND active='1';
File: /etc/postfix/sql/virtual_alias_maps.cf:
- virtual_alias_maps.cf
dbpath = /home/vmail/db/vmail.sqlite3 query = SELECT goto FROM alias WHERE address='%s' AND active='1';
Now, link it all in /etc/postfix/main.cf:
# A list of all virtual domains serviced by this instance of postfix. virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf # Look up the mailbox location based on the email address received. virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf # Any aliases that are supported by this system virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf
compatibility_level = 3.6
# Prevent hard-bounces
soft_bounce = yes
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
# Usa gethostname() per default
#myhostname = gardiol.org
mydomain = gardiol.org
#myorigin = $mydomain
#inet_interfaces = all
mydestination = localhost.localdomain
unknown_local_recipient_reject_code = 550
mynetworks_style = host
in_flow_delay = 1s
home_mailbox = .maildir/
header_checks = regexp:/etc/postfix/header_checks
smtpd_banner = $myhostname ESMTP NO UCE
debug_peer_level = 2
#debug_peer_list = 127.0.0.1
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = no
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix/${mail_version}
############################################
###########################################
###########################################
disable_vrfy_command = yes
message_size_limit = 0
#20971520
biff = no
local_transport = virtual
local_recipient_maps = $alias_maps $virtual_mailbox_maps
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:999
virtual_gid_maps = static:999
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
# if you let postfix store your mails directly (without using maildrop, dovecot deliver etc.)
virtual_mailbox_base = /home/vmail
# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = no
smtpd_sasl_authenticated_header = yes
# Setup TLS
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.gardiol.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.gardiol.org/privkey.pem
# abilita il debug...
smtpd_tls_loglevel = 0
# metti a "encrypt" per obbligare l'uso di TLS lato server (non fare, sconsigliato)
smtpd_tls_security_level = may
# Metti a yes per impedire AUTH non cifrata
smtpd_tls_auth_only = no
# Fai la cache delle sessioni
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
# Some ANTISPAM
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient, check_policy_service unix:private/policy-spf, permit
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
#, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
policy-spf_time_limit = 3600s
smtpd_timeout = 60s
default_process_limit = 200
smtputf8_enable = no
smtp_data_done_timeout = 1800
smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
syslog_facility = mail
syslog_name = postfix
body_checks = regexp:/etc/postfix/body_checks
maximal_queue_lifetime = 60m
bounce_queue_lifetime = 60m
smtp_connect_timeout = 15s
smtp_helo_timeout = 60s
smtpd_relay_before_recipient_restrictions = no
Installation: DKIM, SPF and DKIM
This step is mandatory and critical for proper email delivery.
Installation: Antispam
Install spamassassin & amavisd-new
FILE /etc/postfix/main.cf Binding UID and GID's to postfix
# Link the mailbox uid and gid to postfix. virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 # Set the base address for all virtual mailboxes virtual_mailbox_base = /var/vmail