
Installation: servers

Install Postfix and Dovecot

USE flags:

echo "*/* maildir dovecot sasl" >> /etc/portage/package.use/mailserver
echo "net-mail/dovecot managesieve sqlite lz4" >> /etc/portage/package.use/mailserver
echo "mail-mta/postfix dovecot-sasl sqlite -sasl" >> /etc/portage/package.use/mailserver 
echo "dev-lang/php imap" >> /etc/portage/package.use/mailserver 

Emerge the servers:

emerge -vp postfix dovecot

Installation: user, permissions & storage

Since different pieces of the email infrastructure need to interoperate, it is a good idea to create a dedicated user that owns all the email storage on the filesystem. This user will own the mail storage folders, which I assume are located under /home/vmail. I chose UID and GID 5000, since IDs below 1000 are reserved for system users:

groupadd -g 5000 vmail
useradd -m -d /home/vmail -s /bin/false -u 5000 -g vmail vmail
chmod 2770 /home/vmail/

The resulting permissions should look like:

ls -ld /home/vmail
drwxrws--- 3 vmail vmail 4096 Aug 2 07:24 /home/vmail

FIX THE DB PERMISSIONS HERE

Now create the database:

su - vmail
mkdir db
sqlite3 db/vmail.sqlite3
sqlite> .databases
main: /home/vmail/db/vmail.sqlite3 r/w
sqlite> .tables
sqlite> .exit

Installation: postfixadmin web gui

postfixadmin and roundcube will be installed manually rather than via Gentoo portage, to avoid upgrade issues.

Download the latest release of postfixadmin from here and decompress it in a folder accessible to the web user, since I use the web user to run all PHP-based software on the external webserver:

su # do this as root! You don't need to make postfixadmin writable by the web user
cd /home/web
mkdir postfixadmin
cd postfixadmin
wget https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.15.tar.gz
tar xvf postfixadmin-3.3.15.tar.gz
mv postfixadmin-postfixadmin-3.3.15 postfixadmin
# The following folder must be writable by the web user:
mkdir -p postfixadmin/templates_c
chown -R web postfixadmin/templates_c

Now configure it by creating a file called postfixadmin/config.local.php with the following content (see postfixadmin/config.inc.php for all available settings):

config.local.php
<?php
$CONF['database_type'] = 'sqlite';
$CONF['database_name'] = '/home/vmail/db/vmail.sqlite3';
$CONF['encrypt'] = 'dovecot:SHA512';
$CONF['postfix_admin_url'] = 'https://mail.mydomain.com';
$CONF['admin_email'] = 'postmaster@mydomain.com';
$CONF['default_aliases'] = array (
    'abuse' => 'abuse@mydomain.com',
    'hostmaster' => 'hostmaster@mydomain.com',
    'postmaster' => 'postmaster@mydomain.com',
    'webmaster' => 'webmaster@mydomain.com'
);
$CONF['transport'] = 'YES';
$CONF['configured'] = true;
/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */

Now set up NGINX to point to it. You will of course need a certbot certificate, then configure NGINX to use PHP-FPM (see this page). Use the following postfixadmin.conf file as a reference:

server {
        server_name mail.mydomain.com;
        listen 443 ssl;
 
        access_log /var/log/nginx/mail.mydomain.com_access_log main;
        error_log /var/log/nginx/mail.mydomain.com_error_log info;
 
        index index.php;
 
        root /home/web/postfixadmin/postfixadmin/public;     
 
# Uncomment the following lines only AFTER setup is complete!         
#        location ~ /(setup.php) {
#                deny all;
#                alias /home/web/postfixadmin/postfixadmin/public;
#        }
 
        location ~ /.*\.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_pass 127.0.0.1:9000;
        }
}

Restart NGINX, go to https://mail.mydomain.com/setup.php and follow the on-screen instructions to create the setup password hash, which you need to add to the config.local.php file above; then reload the page.

Also don't forget to create a superadmin account. I suggest you call it user@mydomain.com and set a password you will not forget.

Go back, uncomment the lines in the NGINX config file that disable setup.php, and restart NGINX.

Note: when adding new domains, choose “virtual” as the transport and 0 as the password expiry.

At this point, you can already create all the mail domains and user accounts you want.

Configuration: postfix

Link Postfix to the SQL database.

File: /etc/postfix/sql/virtual_mailbox_domains.cf:

virtual_mailbox_domains.cf
dbpath = /home/vmail/db/vmail.sqlite3
query  = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1';

File: /etc/postfix/sql/virtual_mailbox_maps.cf:

virtual_mailbox_maps.cf
dbpath = /home/vmail/db/vmail.sqlite3
query  = SELECT maildir FROM mailbox WHERE local_part='%u' AND domain='%d' AND active='1';

File: /etc/postfix/sql/virtual_alias_maps.cf:

virtual_alias_maps.cf
dbpath = /home/vmail/db/vmail.sqlite3
query  = SELECT goto FROM alias WHERE address='%s' AND active='1';

Now, link it all in /etc/postfix/main.cf:

# A list of all virtual domains serviced by this instance of postfix.
virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf
# Look up the mailbox location based on the email address received.
virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf
# Any aliases that are supported by this system
virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf
compatibility_level = 3.6

# Prevent hard-bounces
soft_bounce = yes

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix

mail_owner = postfix

# Use gethostname() by default
#myhostname = gardiol.org

mydomain = gardiol.org

#myorigin = $mydomain
#inet_interfaces = all

mydestination = localhost.localdomain
unknown_local_recipient_reject_code = 550

mynetworks_style = host

in_flow_delay = 1s

home_mailbox = .maildir/

header_checks = regexp:/etc/postfix/header_checks

smtpd_banner = $myhostname ESMTP NO UCE

debug_peer_level = 2
#debug_peer_list = 127.0.0.1

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq

setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = no
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix/${mail_version}


############################################
###########################################
###########################################
disable_vrfy_command = yes
message_size_limit = 0
#20971520
biff = no

local_transport = virtual
local_recipient_maps = $alias_maps $virtual_mailbox_maps

virtual_transport = lmtp:unix:private/dovecot-lmtp

virtual_uid_maps = static:999
virtual_gid_maps = static:999

virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
                       proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf

# if you let postfix store your mails directly (without using maildrop, dovecot deliver etc.)
virtual_mailbox_base = /home/vmail

# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = no
smtpd_sasl_authenticated_header = yes
# Setup TLS
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.gardiol.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.gardiol.org/privkey.pem
# enable debugging...
smtpd_tls_loglevel = 0
# set to "encrypt" to force TLS on the server side (don't do it, not recommended)
smtpd_tls_security_level = may
# Set to yes to forbid unencrypted AUTH
smtpd_tls_auth_only = no
# Cache TLS sessions
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

# Some ANTISPAM
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient,  check_policy_service unix:private/policy-spf, permit
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
#, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

policy-spf_time_limit = 3600s

smtpd_timeout = 60s
default_process_limit = 200

smtputf8_enable = no
smtp_data_done_timeout = 1800

smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock

syslog_facility = mail
syslog_name = postfix

body_checks = regexp:/etc/postfix/body_checks

maximal_queue_lifetime = 60m
bounce_queue_lifetime = 60m
smtp_connect_timeout  = 15s
smtp_helo_timeout = 60s

smtpd_relay_before_recipient_restrictions = no
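As an added example (not code from the page's author or from postfixadmin), the following Python walks the three lookup tables above in the order Postfix consults them for an incoming recipient, using the page's own queries against a constructed in-memory stand-in for vmail.sqlite3. The schema is a minimal assumption with only the columns those queries touch (the real postfixadmin schema has many more), and the rows are constructed sample data; it is useful to confirm that inactive domains and mailboxes are rejected and that aliases are rewritten before the mailbox lookup.

```python
import sqlite3

# Constructed minimal schema with only the columns the page's three lookup
# queries touch (the real postfixadmin schema has many more columns), plus
# constructed sample rows using the page's mydomain.com placeholder.
SCHEMA = """
CREATE TABLE domain  (domain TEXT PRIMARY KEY, backupmx INTEGER, active INTEGER);
CREATE TABLE mailbox (local_part TEXT, domain TEXT, maildir TEXT, active INTEGER);
CREATE TABLE alias   (address TEXT PRIMARY KEY, goto TEXT, active INTEGER);
INSERT INTO domain  VALUES ('mydomain.com', 0, 1), ('old.example', 0, 0);
INSERT INTO mailbox VALUES ('user', 'mydomain.com', 'mydomain.com/user/', 1),
                           ('gone', 'mydomain.com', 'mydomain.com/gone/', 0);
INSERT INTO alias   VALUES ('user@mydomain.com', 'user@mydomain.com', 1),
                           ('postmaster@mydomain.com', 'user@mydomain.com', 1),
                           ('gone@mydomain.com', 'gone@mydomain.com', 1),
                           ('forward@mydomain.com', 'someone@elsewhere.example', 1);
"""

# The page's three queries, with Postfix's %s / %u / %d placeholders turned
# into bound parameters (Postfix quotes the expanded values itself).
Q_DOMAIN  = "SELECT domain FROM domain WHERE domain = ? AND backupmx = '0' AND active = '1'"
Q_MAILBOX = "SELECT maildir FROM mailbox WHERE local_part=? AND domain=? AND active='1'"
Q_ALIAS   = "SELECT goto FROM alias WHERE address=? AND active='1'"


def open_sample_db():
    """In-memory stand-in for /home/vmail/db/vmail.sqlite3 (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def resolve(conn, rcpt):
    """Walk the lookups in the order Postfix consults them for a recipient:
    virtual_mailbox_domains -> virtual_alias_maps -> virtual_mailbox_maps."""
    _, _, domain = rcpt.rpartition("@")
    if conn.execute(Q_DOMAIN, (domain,)).fetchone() is None:
        return ("reject", "not an active, non-backup-MX virtual domain")
    # An active alias rewrites the recipient. postfixadmin creates a
    # self-alias for every mailbox, so a differing target is a real forward.
    row = conn.execute(Q_ALIAS, (rcpt,)).fetchone()
    target = row[0] if row else rcpt
    t_local, _, t_domain = target.rpartition("@")
    if conn.execute(Q_DOMAIN, (t_domain,)).fetchone() is None:
        return ("forward", target)  # alias target is off-site, relayed onward
    row = conn.execute(Q_MAILBOX, (t_local, t_domain)).fetchone()
    if row is None:
        return ("reject", f"no active mailbox for {target}")
    return ("deliver", row[0])  # maildir, relative to virtual_mailbox_base
```

On a live system the equivalent check is `postmap -q 'user@mydomain.com' sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf`, which runs the same query as the Postfix daemons do.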

Installation: DKIM, SPF and DMARC

This step is mandatory and critical for proper email delivery.

Installation: Antispam

Install spamassassin & amavisd-new

File /etc/postfix/main.cf, binding the mailbox UID and GID to postfix:

# Link the mailbox uid and gid to postfix.
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
 
# Set the base address for all virtual mailboxes
virtual_mailbox_base = /var/vmail
