We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on Vesta 2.0 and expect to release it by the end of 2024. Read more about it: https://vestacp.com/docs/vesta-2-development
[HowTo] Install and Setup Mail Server with PostfixAdmin, Postfix and Dovecot, Rspamd, Roundcube
[HowTo] Install and Setup Mail Server with PostfixAdmin, Postfix and Dovecot, Rspamd, Roundcube
This Tutorial is for users if some how they need to re-install PostfixAdmin, postfix, dovecot, rspamd, roundcube.
Note: This tutorial also can be used to configure Rspamd. VestaCP comes with Spamassasin pre-installed but if you want to replace it you can use same method.
You must already have Nginx installed.
Download and Configure PostfixAdmin
At the time of the writing, 3.1 is the latest stable version of PostfixAdmin. Issue the following commands to download and extract the PostfixAdmin archive to the /var/www directory.
Both Nginx and PHP-FPM are running under user www-data so we need to change the ownership of the /var/www/postfixadmin to that user:
PostfixAdmin will use a MySQL database to store information about users, domains and the application configuration. Login to the MySQL shell:
and create a new database and user:
Don’t forget to change the password (P4ssvv0rD) to something more secure.
Instead of editing the default PostfixAdmin configuration we will create a new file named config.local.php which will overwrite the default values:
With the configuration above we are defining the database type and the login credentials, the default aliases, disabled fetchmail tab and enabled quota.
Run the following command to create the schema for the PostfixAdmin database:
Once the database is populated, we can go on and create our first PostfixAdmin superadmin user using the postfixadmin-cli tool . This user will be able to login and modify any domain or setting.
Don’t forget to change the password (P4ssvv0rD) for the superadmin account to something more secure.
Install free Let’s Encrypt SSL Certificate
We have a tutorial about how to install a Let’s Encrypt SSL Certificate here. We are gonna use the SSL certificate to access our PostfixAdmin installation and to enable Dovecot and Postfix SSL/TLS encryption. The most important point here is to generate a SSL Certificate for your server hostname (FQDN) in our case mail.yourdomain.com.
At the end your Nginx configuration should look as follows:
Reload the Nginx service for changes to take effect:
Finally you should be able to login to your PostfixAdmin installation at https://mail.yourdomain.com/postfixadmin
Install Postfix and Dovecot
Dovecot packages in the Ubuntu default repositories are outdated so in order to take advantage of the imap_sieve module we will install Dovecot from the Dovecot community repository:
Postfix Configuration
We will setup Postfix with virtual mailboxes and multiple domains, so first we’ll create the configuration files which will allow postfix to access the database that we created in the first part of this series:
Once the SQL configuration files are created, update the main postfix configuration file to include information about the virtual domains, users, and aliases which are stored in the SQLite database.
The postconf command displays the actual values of configuration parameters, changes configuration parameter values, or displays other configuration information about the Postfix mail system.
The local delivery will be handled by the Dovecot’s LMTP. The local delivery agent will take mail from our MTA (Postfix) and deliver it to a user’s mailbox.
Set the TL parameters using the previously generated Let’s encrypt SSL certificate:
Configure the authenticated SMTP settings and hand off authentication to Dovecot:
We also need to edit the Postfix master process configuration file master.cf and enable the submission port (587) and smtps port (465), uncomment and edit the following lines:
Restart the postfix service for changes to take effect.
By now you should have successfully configured the Postfix service.
Install Redis
Redis will be used as a storage and caching system by Rspamd, to install it just run:
Install Unbound
Unbound is a very secure validating, recursive, and caching DNS resolver.
The main purpose of installing this service is to reduce the number of external DNS requests. This step is optional and can be skipped.
The default settings should be sufficient for most servers.
Set unbound as your server primary DNS resolver:
If you are not using resolvconf then you need to edit the /etc/resolv.conf file manually.
Install Rspamd
We will install the lastest stable version of Rspamd from its official repository:
Configure Rspamd
Instead of modifying the stock config files we will create new files in the /etc/rspamd/local.d/local.d/ directory which will overwrite the default setting.
By default Rspamd’s normal worker the worker that scans email messages listens on all interfaces on port 11333. Create the following file to configure the Rspamd normal worker to listen only to localhost interface:
The proxy worker listens on port 11332 and supports milter protocol. In order for Postfix to communicate with Rspamd we need to enable milter mode:
Next we need to set up a password for the controller worker which provides access to the Rspamd web interface. To generate an encrypted pasword run:
Don’t forget to change the password (P4ssvv0rD) to something more secure.
and paste it into the configuration file:
In order to access the web interface we will later configure Nginx as a reverse proxy to the controller worker web server.
We will use Redis as a backend for Rspamd statistics:
Set the milter headers:
You can find more information about the milter headers here.
Finaly restart the Rspamd service:
Configure Nginx
In the first part of this series, we created an Nginx server block for the PostfixAdmin instance. Open the configuration file and add the following location directives, the ones highlighted in yellow:
Reload the Nginx service for changes to take effect:
Head over to https://mail.yourdomain.com/rspamd/ enter the password you previously generated with the rspamadm pw command and you will be presented with the Rspamd web interface.
Configure Postfix
We need to configure Postfix to use the Rspamd milter. Run the following command to update the Postfix main configuration file:
Restart the Postfix service for changes to take effect:
Configure Dovecot
We already installed and configured Dovecot in the second part of this series and now we will install the sieve filtering module and integrate Dovecot with Rspamd.
Open the following files and edit the lines highlighted in yellow.
Create a directory for our sieve scripts:
Create a global sieve filter to move emails marked as spam to the Spam directory:
The following two sieve scripts will be triggered whenever you move an email in or out of the Spam directory:
Restart the Dovecot service for changes to take effect:
Compile sieve scripts and set the correct permissions:
Create DKIM keys
DomainKeys Identified Mail (DKIM) is an email authentication method which adds a cryptographic signature to the outbound message headers. It allows the receiver to verify that an email claiming to originate from a specific domain was indeed authorized by the owner of that domain. The main purpose of this is to prevent forged email messages.
We can have different DKIM keys for all our domains and even a multiple keys for a single domain but for simplicity of this article we’re gonna use a single DKIM key which later can be used for all new domains.
Create a new directory to store the DKIM key and generate a new DKIM keypair using the rspamadm utility:
In the example above we are using mail as a DKIM selector.
You should now have a two new files in the /var/lib/rspamd/dkim/ directory, mail.key which is our private key file and mail.pub a file which contains the DKIM public key. We will update our DNS zone records later.
Set the correct ownership and permissions:
Now we need to tell Rspamd where to look for the DKIM key, the selector name and the last line will enable DKIM signing for alias sender addresses. To do that create a new file with the following contents:
Rspamd also supports signing for Authenticated Received Chain (ARC) signatures. You can find more information about the ARC specification here. Rspamd is using the dkim module for dealing with ARC signatures so we can simply copy the previous configuration:
Restart the Rspamd service for changes to take effect.
DNS settings
We already created a DKIM key pair and now we need to update our DNS zone. DKIM public key is stored in the mail.pub file. The content of the file should look like this:
If you are running your own Bind DNS server you just need to copy and paste the record directly into your domain zone file. If you are using a DNS web interface, then you need to create a new TXT record with mail._domainkey as a name and for the value/content you will need to remove the quotes an concatenate all three lines together. In our case the value/content of the TXT record should look like this:
We will also create a Domain-based Message Authentication (DMARC) which is designed to tell the receiving server whether or not to accept an email from a particular sender. Basically it will protect your domain against direct domain spoofing and improve your domain reputation.
If you followed the series from the beginning you should already have a SFP record for your domain. To setup a DMARC record, the sending domain needs to have an SPF and DKIM record published. DMARC policy is published as a TXT record, and defines how the receiver should treat the mails from your domain when validations fail.
In this article we will implement the following DMARC policy:
Let’s break down the above DMARC record:
v=DMARC1 - This is the DMARC identifier
p=none - This tells the receiver what to do with messages that fail DMARC. In our case it is set to none which means take no action if a message fails DMARC. You can also use ‘reject’ or quarantine
adkim=r and aspf=r - DKIM and SPF alignment, r for Relaxed and s for Strict, in our case we are using Relaxed Alignment for both DKIM and SPF.
Same as before if you are running your own Bind DNS server you just need to copy and paste the record into your domain zone file, and if you are using another DNS provider you need to create a TXT record with _dmarc as a name and v=DMARC1; p=none; adkim=r; aspf=r; as a value/content.
It may take a while for the DNS changes to propagate. You can check whether the records have propagated using the dig command:
You can also inspect your domain current DMARC policy or create your own DMARC policy here.
PHP dependencies
We’ll start off by installing all required PHP dependencies:
Set the date.timezone value to UTC:
Restart the PHP FPM service for changes to take effect:
Create MySQL Database
Roundcube supports MySQL, PostgreSQL and SQLite database backends.
In this tutorial we will use MySQL as our database server. Create a new database and user and grant privileges to that user over the newly created database:
Download Roundcube
At the time of the writing, 1.3.6 is the latest stable version of Roundcube. Download and extract the Roundcube archive to the /var/www directory:
Nginx and PHP-FPM are running under the www-data user so we need to change the ownership of the /var/www/postfixadmin to that user:
Configure Nginx
In the first part of this series, we created an Nginx server block for the PostfixAdmin instance. Open the configuration file and add the following location directives, the ones highlighted in yellow:
Reload the Nginx service for changes to take effect:
Configure Roundcube
Open your browser and navigate to https://mail.linuxize.com/roundcubemail/installer
You will be presented with the following screen:
In the Checking available databases section only the MySQL extension is required.
If all required PHP extensions are loaded we can proceed to the next step, where we can configure our Roundcube installation:
The most important part here is to enter the correct MySQL database settings.
When you are done with the configuration step, proceed to the next step and import Roundcube’s MySQL database structure by clicking on the Initialize database button.
Once the database structure is created we need to to delete the installer directory to prevent reconfiguration and/or unauthorized access.
Enabling Roundcube’s automatic cache-cleaning is optional but recommended:
Verify your Roundcube Installation
Open your web browser, navigate to: https://mail.yourdomain.com/roundcubemail and log in using your email account’s username and password.
Enable Roundcube plugins
Roundcube comes with a number of plugins which are disabled by default. In this guide we will enable password and managesieve plugins. This plugins will allow users to create sieve filters and change their passwords from within the Roundcube interface.
Do not forget to enter PostfixAdmin database credentials in the password_db_dsn line.
Note: This is an un-official tutorial and i am not responsible for any loss or damage.
Note: This tutorial also can be used to configure Rspamd. VestaCP comes with Spamassasin pre-installed but if you want to replace it you can use same method.
You must already have Nginx installed.
Download and Configure PostfixAdmin
At the time of the writing, 3.1 is the latest stable version of PostfixAdmin. Issue the following commands to download and extract the PostfixAdmin archive to the /var/www directory.
Code: Select all
VERSION=3.1
wget -q https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${VERSION}/postfixadmin-${VERSION}.tar.gz
tar xzf postfixadmin-${VERSION}.tar.gz
sudo mv postfixadmin-${VERSION}/ /var/www/postfixadmin
rm -f postfixadmin-${VERSION}.tar.gz
mkdir /var/www/postfixadmin/templates_cCode: Select all
sudo chown -R www-data: /var/www/postfixadminPostfixAdmin will use a MySQL database to store information about users, domains and the application configuration. Login to the MySQL shell:
Code: Select all
mysql -u root -pand create a new database and user:
Code: Select all
CREATE DATABASE postfixadmin;
GRANT ALL ON postfixadmin.* TO 'postfixadmin'@'localhost' IDENTIFIED BY 'P4ssvv0rD';
FLUSH PRIVILEGES;Instead of editing the default PostfixAdmin configuration we will create a new file named config.local.php which will overwrite the default values:
Code: Select all
nano /var/www/postfixadmin/config.local.phpCode: Select all
<?php
$CONF['configured'] = true;
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'P4ssvv0rD';
$CONF['database_name'] = 'postfixadmin';
$CONF['default_aliases'] = array (
'abuse' => '[email protected]',
'hostmaster' => '[email protected]',
'postmaster' => '[email protected]',
'webmaster' => '[email protected]'
);
$CONF['fetchmail'] = 'NO';
$CONF['show_footer_text'] = 'NO';
$CONF['quota'] = 'YES';
$CONF['domain_quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';
$CONF['aliases'] = '0';
$CONF['mailboxes'] = '0';
$CONF['maxquota'] = '0';
$CONF['domain_quota_default'] = '0';
?>With the configuration above we are defining the database type and the login credentials, the default aliases, disabled fetchmail tab and enabled quota.
Run the following command to create the schema for the PostfixAdmin database:
Code: Select all
sudo -u www-data php /var/www/postfixadmin/upgrade.phpCode: Select all
sudo bash /var/www/postfixadmin/scripts/postfixadmin-cli admin add [email protected] --superadmin 1 --active 1 --password P4ssvv0rD --password2 P4ssvv0rDCode: Select all
Welcome to Postfixadmin-CLI v0.2
---------------------------------------------------------------
The admin [email protected] has been added!
---------------------------------------------------------------Don’t forget to change the password (P4ssvv0rD) for the superadmin account to something more secure.
Install free Let’s Encrypt SSL Certificate
We have a tutorial about how to install a Let’s Encrypt SSL Certificate here. We are gonna use the SSL certificate to access our PostfixAdmin installation and to enable Dovecot and Postfix SSL/TLS encryption. The most important point here is to generate a SSL Certificate for your server hostname (FQDN) in our case mail.yourdomain.com.
At the end your Nginx configuration should look as follows:
Code: Select all
nano /etc/nginx/sites-enabled/mail.yourdomain.com.confCode: Select all
server {
listen 80;
server_name mail.yourdomain.com;
include snippets/letsencrypt.conf;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name mail.yourdomain.com;
root /var/www;
ssl_certificate /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mail.yourdomain.com/chain.pem;
include snippets/ssl.conf;
location / {
try_files $uri $uri/ /index.php;
}
location /postfixadmin {
index index.php;
try_files $uri $uri/ /postfixadmin/index.php;
}
location ~* \.php$ {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {return 404;}
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}Reload the Nginx service for changes to take effect:
Code: Select all
sudo systemctl reload nginxInstall Postfix and Dovecot
Dovecot packages in the Ubuntu default repositories are outdated so in order to take advantage of the imap_sieve module we will install Dovecot from the Dovecot community repository:
Code: Select all
wget -O- https://repo.dovecot.org/DOVECOT-REPO-GPG | sudo apt-key add -
echo "deb https://repo.dovecot.org/ce-2.3-latest/ubuntu/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/dovecot.listCode: Select all
sudo apt update
debconf-set-selections <<< "postfix postfix/mailname string $(hostname -f)"
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
sudo apt install postfix postfix-mysql dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysqlWe will setup Postfix with virtual mailboxes and multiple domains, so first we’ll create the configuration files which will allow postfix to access the database that we created in the first part of this series:
Code: Select all
sudo mkdir -p /etc/postfix/sqlCode: Select all
nano /etc/postfix/sql/mysql_virtual_domains_maps.cfCode: Select all
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'Code: Select all
nano /etc/postfix/sql/mysql_virtual_alias_maps.cfCode: Select all
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'Code: Select all
nano /etc/postfix/sql/mysql_virtual_alias_domain_maps.cfCode: Select all
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'Code: Select all
nano /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cfCode: Select all
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'Code: Select all
nano /etc/postfix/sql/mysql_virtual_mailbox_maps.cfCode: Select all
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'Code: Select all
nano /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cfCode: Select all
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'Code: Select all
sudo postconf -e "virtual_mailbox_domains = mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf"
sudo postconf -e "virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf"
sudo postconf -e "virtual_mailbox_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf"The local delivery will be handled by the Dovecot’s LMTP. The local delivery agent will take mail from our MTA (Postfix) and deliver it to a user’s mailbox.
Code: Select all
sudo postconf -e "virtual_transport = lmtp:unix:private/dovecot-lmtp"Code: Select all
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/mail.linuxize.com/fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/mail.linuxize.com/privkey.pem'Code: Select all
sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'Code: Select all
nano /etc/postfix/master.cfCode: Select all
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATINGCode: Select all
sudo systemctl postfix restartInstall Redis
Redis will be used as a storage and caching system by Rspamd, to install it just run:
Code: Select all
sudo apt install redis-serverUnbound is a very secure validating, recursive, and caching DNS resolver.
The main purpose of installing this service is to reduce the number of external DNS requests. This step is optional and can be skipped.
Code: Select all
sudo apt install unboundSet unbound as your server primary DNS resolver:
Code: Select all
sudo echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -uInstall Rspamd
We will install the lastest stable version of Rspamd from its official repository:
Code: Select all
sudo apt install software-properties-common lsb-release
sudo apt install lsb-release wget
wget -O- https://rspamd.com/apt-stable/gpg.key | sudo apt-key add -
echo "deb http://rspamd.com/apt-stable/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
sudo apt update
sudo apt install rspamdInstead of modifying the stock config files we will create new files in the /etc/rspamd/local.d/local.d/ directory which will overwrite the default setting.
By default Rspamd’s normal worker the worker that scans email messages listens on all interfaces on port 11333. Create the following file to configure the Rspamd normal worker to listen only to localhost interface:
Code: Select all
nano /etc/rspamd/local.d/worker-normal.incCode: Select all
bind_socket = "127.0.0.1:11333";Code: Select all
nano /etc/rspamd/local.d/worker-proxy.incCode: Select all
bind_socket = "127.0.0.1:11332";
milter = yes;
timeout = 120s;
upstream "local" {
default = yes;
self_scan = yes;
}Code: Select all
rspamadm pw --encrypt -p P4ssvv0rDCode: Select all
$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctband paste it into the configuration file:
Code: Select all
nano /etc/rspamd/local.d/worker-controller.incCode: Select all
password = "$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb";We will use Redis as a backend for Rspamd statistics:
Code: Select all
nano /etc/rspamd/local.d/classifier-bayes.confCode: Select all
servers = "127.0.0.1";
backend = "redis";Code: Select all
nano /etc/rspamd/local.d/milter_headers.confCode: Select all
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];Finaly restart the Rspamd service:
Code: Select all
sudo systemctl restart rspamdIn the first part of this series, we created an Nginx server block for the PostfixAdmin instance. Open the configuration file and add the following location directives, the ones highlighted in yellow:
Code: Select all
nano /etc/nginx/sites-enabled/mail.linuxize.com.confCode: Select all
...
location /rspamd {
proxy_pass http://127.0.0.1:11334/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
...Code: Select all
sudo systemctl reload nginxConfigure Postfix
We need to configure Postfix to use the Rspamd milter. Run the following command to update the Postfix main configuration file:
Code: Select all
sudo postconf -e "milter_protocol = 6"
sudo postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"
sudo postconf -e "milter_default_action = accept"
sudo postconf -e "smtpd_milters = inet:127.0.0.1:11332"
sudo postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"Code: Select all
sudo systemctl restart postfixWe already installed and configured Dovecot in the second part of this series and now we will install the sieve filtering module and integrate Dovecot with Rspamd.
Code: Select all
sudo apt install dovecot-sieve dovecot-managesievedCode: Select all
nano /etc/dovecot/conf.d/20-lmtp.confCode: Select all
...
protocol lmtp {
postmaster_address = [email protected]
mail_plugins = $mail_plugins sieve
}
...Code: Select all
nano /etc/dovecot/conf.d/20-imap.confCode: Select all
...
protocol imap {
...
mail_plugins = $mail_plugins imap_quota imap_sieve
...
}
...Code: Select all
nano /etc/dovecot/conf.d/20-managesieve.confCode: Select all
...
service managesieve-login {
inet_listener sieve {
port = 4190
}
...
}
...
service managesieve {
process_limit = 1024
}
...Code: Select all
nano /etc/dovecot/conf.d/90-sieve.confCode: Select all
plugin {
...
# sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_before = /var/mail/vmail/sieve/global/spam-global.sieve
sieve = file:/var/mail/vmail/sieve/%d/%n/scripts;active=/var/mail/vmail/sieve/%d/%n/active-script.sieve
imapsieve_mailbox1_name = Spam
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/var/mail/vmail/sieve/global/report-spam.sieve
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/var/mail/vmail/sieve/global/report-ham.sieve
sieve_pipe_bin_dir = /usr/bin
sieve_global_extensions = +vnd.dovecot.pipe
....
}Code: Select all
mkdir -p /var/mail/vmail/sieve/globalCode: Select all
nano /var/mail/vmail/sieve/global/spam-global.sieveCode: Select all
require ["fileinto","mailbox"];
if anyof(
header :contains ["X-Spam-Flag"] "YES",
header :contains ["X-Spam"] "Yes",
header :contains ["Subject"] "*** SPAM ***"
)
{
fileinto :create "Spam";
stop;
}Code: Select all
nano /var/mail/vmail/sieve/global/report-spam.sieveCode: Select all
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];Code: Select all
nano /var/mail/vmail/sieve/global/report-ham.sieveCode: Select all
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_ham"];Code: Select all
sudo systemctl restart dovecotCode: Select all
sievec /var/mail/vmail/sieve/global/spam-global.sieve
sievec /var/mail/vmail/sieve/global/report-spam.sieve
sievec /var/mail/vmail/sieve/global/report-ham.sieve
sudo chown -R vmail: /var/mail/vmail/sieve/DomainKeys Identified Mail (DKIM) is an email authentication method which adds a cryptographic signature to the outbound message headers. It allows the receiver to verify that an email claiming to originate from a specific domain was indeed authorized by the owner of that domain. The main purpose of this is to prevent forged email messages.
We can have different DKIM keys for all our domains and even a multiple keys for a single domain but for simplicity of this article we’re gonna use a single DKIM key which later can be used for all new domains.
Create a new directory to store the DKIM key and generate a new DKIM keypair using the rspamadm utility:
Code: Select all
mkdir /var/lib/rspamd/dkim/
rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key > /var/lib/rspamd/dkim/mail.pubYou should now have a two new files in the /var/lib/rspamd/dkim/ directory, mail.key which is our private key file and mail.pub a file which contains the DKIM public key. We will update our DNS zone records later.
Set the correct ownership and permissions:
Code: Select all
chown -R _rspamd: /var/lib/rspamd/dkim
chmod 440 /var/lib/rspamd/dkim/*Code: Select all
nano /etc/rspamd/local.d/dkim_signing.confCode: Select all
selector = "mail";
path = "/var/lib/rspamd/dkim/$selector.key";
allow_username_mismatch = true;Code: Select all
cp /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.confCode: Select all
sudo systemctl restart rspamdWe already created a DKIM key pair and now we need to update our DNS zone. DKIM public key is stored in the mail.pub file. The content of the file should look like this:
Code: Select all
cat /var/lib/rspamd/dkim/mail.pubCode: Select all
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4yl"
"nVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"
) ;Code: Select all
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQABIf you followed the series from the beginning you should already have a SFP record for your domain. To setup a DMARC record, the sending domain needs to have an SPF and DKIM record published. DMARC policy is published as a TXT record, and defines how the receiver should treat the mails from your domain when validations fail.
In this article we will implement the following DMARC policy:
Code: Select all
_dmarc IN TXT "v=DMARC1; p=none; adkim=r; aspf=r;"v=DMARC1 - This is the DMARC identifier
p=none - This tells the receiver what to do with messages that fail DMARC. In our case it is set to none which means take no action if a message fails DMARC. You can also use ‘reject’ or quarantine
adkim=r and aspf=r - DKIM and SPF alignment, r for Relaxed and s for Strict, in our case we are using Relaxed Alignment for both DKIM and SPF.
Same as before if you are running your own Bind DNS server you just need to copy and paste the record into your domain zone file, and if you are using another DNS provider you need to create a TXT record with _dmarc as a name and v=DMARC1; p=none; adkim=r; aspf=r; as a value/content.
It may take a while for the DNS changes to propagate. You can check whether the records have propagated using the dig command:
Code: Select all
dig mail._domainkey.yourdomain.com TXT +shortCode: Select all
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGa" "VuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFdepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"Code: Select all
dig _dmarc.yourdomain.com TXT +shortCode: Select all
"v=DMARC1; p=none; adkim=r; aspf=r;"PHP dependencies
We’ll start off by installing all required PHP dependencies:
Code: Select all
sudo apt install php-auth php-intl php-mail-mime php-mail-mimedecode php-mcrypt php-net-smtp php-net-socket php-pear php-xml php7.0-intl php7.0-mcrypt php7.0-xml php7.0-gd php7.0-gd php-imagickCode: Select all
sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/7.0/fpm/php.iniCode: Select all
systemctl php7.0-fpm restartRoundcube supports MySQL, PostgreSQL and SQLite database backends.
In this tutorial we will use MySQL as our database server. Create a new database and user and grant privileges to that user over the newly created database:
Code: Select all
mysql -u root -pCode: Select all
CREATE DATABASE roundcubemail;
GRANT ALL ON roundcubemail.* TO 'roundcubemail'@'localhost' IDENTIFIED BY 'P4ssvv0rD';
FLUSH PRIVILEGES;At the time of the writing, 1.3.6 is the latest stable version of Roundcube. Download and extract the Roundcube archive to the /var/www directory:
Code: Select all
VERSION=1.3.6
wget -q https://github.com/roundcube/roundcubemail/releases/download/${VERSION}/roundcubemail-${VERSION}-complete.tar.gz
tar xzf roundcubemail-${VERSION}-complete.tar.gz
sudo mv roundcubemail-${VERSION}/ /var/www/roundcubemail
rm -f roundcubemail-${VERSION}-complete.tar.gzCode: Select all
sudo chown -R www-data: /var/www/roundcubemailIn the first part of this series, we created an Nginx server block for the PostfixAdmin instance. Open the configuration file and add the following location directives, the ones highlighted in yellow:
Code: Select all
nano /etc/nginx/sites-enabled/mail.yourdomain.com.confCode: Select all
...
location /roundcubemail {
index index.php;
try_files $uri $uri/ /roundcubemail/index.php;
}
location ~ ^/roundcubemail/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/roundcubemail/(bin|SQL|config|temp|logs)/ {
deny all;
}
...Code: Select all
sudo systemctl reload nginxOpen your browser and navigate to https://mail.linuxize.com/roundcubemail/installer
You will be presented with the following screen:
In the Checking available databases section only the MySQL extension is required.
If all required PHP extensions are loaded we can proceed to the next step, where we can configure our Roundcube installation:
The most important part here is to enter the correct MySQL database settings.
When you are done with the configuration step, proceed to the next step and import Roundcube’s MySQL database structure by clicking on the Initialize database button.
Once the database structure is created we need to to delete the installer directory to prevent reconfiguration and/or unauthorized access.
Code: Select all
sudo rm -rf /var/www/roundcubemail/installerCode: Select all
sudo crontab -u www-data -l | { cat; echo "18 11 * * * /var/www/roundcubemail/bin/cleandb.sh"; } | sudo crontab -u www-data -Open your web browser, navigate to: https://mail.yourdomain.com/roundcubemail and log in using your email account’s username and password.
Enable Roundcube plugins
Roundcube comes with a number of plugins which are disabled by default. In this guide we will enable password and managesieve plugins. This plugins will allow users to create sieve filters and change their passwords from within the Roundcube interface.
Code: Select all
nano /var/www/roundcubemail/config/config.inc.phpCode: Select all
// Enable plugins
$config['plugins'] = array('managesieve','password');
// Configure managesieve plugin
$rcmail_config['managesieve_port'] = 4190;
// Configure password plugin
$config['password_driver'] = 'sql';
$config['password_db_dsn'] = 'mysql://postfixadmin:P4ssvv0rD@localhost/postfixadmin';
$config['password_query'] = 'UPDATE mailbox SET password=%c WHERE username=%u';Note: This is an un-official tutorial and i am not responsible for any loss or damage.
-
salvatorenz
- Posts: 8
- Joined: Mon Jun 10, 2019 4:38 am
- Os: CentOS 6x
- Web: apache + nginx
Re: [HowTo] Install and Setup Mail Server with PostfixAdmin, Postfix and Dovecot, Rspamd, Roundcube
Hi,
Thanks for the great guide, do you have any idea the replacement steps on Centos 7 for the sieve integration to Rspamd?
I have Rspamd installed and working well with Exim but want to integrate the sieve for Dovecot.
I followed another guide about the sieve but could not work out how to get integrated to Rspamd
Thanks
Thanks for the great guide, do you have any idea the replacement steps on Centos 7 for the sieve integration to Rspamd?
I have Rspamd installed and working well with Exim but want to integrate the sieve for Dovecot.
I followed another guide about the sieve but could not work out how to get integrated to Rspamd
Thanks
Re: [HowTo] Install and Setup Mail Server with PostfixAdmin, Postfix and Dovecot, Rspamd, Roundcube
Configuring an email server using PostfixAdmin, Postfix and Dovecot, Rspamd, Roundcube involves the following steps:
- Set up a Linode and implement proper security measures.
Configure DNS so that the server can receive email.
Install and configure MySQL.
Setup Postfix, including making any necessary configuration changes within the appropriate files (such as main.cf).
Install and configure Dovecot as the mail delivery agent.
Test the email server using Mailutils.
Update MySQL to add additional domains and email addresses as needed.
Next, we will go through each step and set up our email server with Postfix, Dovecot and MySQL.