Page 1 of 1

[HowTo] Install and Setup Mail Server with PostfixAdmin, Postfix and Dovecot, Rspamd, Roundcube

Posted: Thu Sep 13, 2018 5:11 pm
by xorro
This Tutorial is for users if some how they need to re-install PostfixAdmin, postfix, dovecot, rspamd, roundcube.

Note: This tutorial also can be used to configure Rspamd. VestaCP comes with Spamassasin pre-installed but if you want to replace it you can use same method.

You must already have Nginx installed.

Download and Configure PostfixAdmin

At the time of the writing, 3.1 is the latest stable version of PostfixAdmin. Issue the following commands to download and extract the PostfixAdmin archive to the /var/www directory.

Code: Select all

VERSION=3.1
wget -q https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${VERSION}/postfixadmin-${VERSION}.tar.gz
tar xzf postfixadmin-${VERSION}.tar.gz
sudo mv postfixadmin-${VERSION}/ /var/www/postfixadmin
rm -f postfixadmin-${VERSION}.tar.gz
mkdir /var/www/postfixadmin/templates_c
Both Nginx and PHP-FPM are running under user www-data so we need to change the ownership of the /var/www/postfixadmin to that user:

Code: Select all

sudo chown -R www-data: /var/www/postfixadmin


PostfixAdmin will use a MySQL database to store information about users, domains and the application configuration. Login to the MySQL shell:

Code: Select all

mysql -u root -p


and create a new database and user:

Code: Select all

CREATE DATABASE postfixadmin;
GRANT ALL ON postfixadmin.* TO 'postfixadmin'@'localhost' IDENTIFIED BY 'P4ssvv0rD';
FLUSH PRIVILEGES;
Don’t forget to change the password (P4ssvv0rD) to something more secure.

Instead of editing the default PostfixAdmin configuration we will create a new file named config.local.php which will overwrite the default values:

Code: Select all

nano /var/www/postfixadmin/config.local.php

Code: Select all

<?php
$CONF['configured'] = true;

$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'P4ssvv0rD';
$CONF['database_name'] = 'postfixadmin';

$CONF['default_aliases'] = array (
  'abuse'      => 'abuse@yourdomain.com',
  'hostmaster' => 'hostmaster@yourdomain.com',
  'postmaster' => 'postmaster@yourdomain.com',
  'webmaster'  => 'webmaster@yourdomain.com'
);

$CONF['fetchmail'] = 'NO';
$CONF['show_footer_text'] = 'NO';

$CONF['quota'] = 'YES';
$CONF['domain_quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

$CONF['aliases'] = '0';
$CONF['mailboxes'] = '0';
$CONF['maxquota'] = '0';
$CONF['domain_quota_default'] = '0';
?>

With the configuration above we are defining the database type and the login credentials, the default aliases, disabled fetchmail tab and enabled quota.

Run the following command to create the schema for the PostfixAdmin database:

Code: Select all

sudo -u www-data php /var/www/postfixadmin/upgrade.php
Once the database is populated, we can go on and create our first PostfixAdmin superadmin user using the postfixadmin-cli tool . This user will be able to login and modify any domain or setting.

Code: Select all

sudo bash /var/www/postfixadmin/scripts/postfixadmin-cli admin add superadmin@yourdomain.com --superadmin 1 --active 1 --password P4ssvv0rD --password2 P4ssvv0rD

Code: Select all

Welcome to Postfixadmin-CLI v0.2
---------------------------------------------------------------

The admin superadmin@yourdomain.com has been added!

---------------------------------------------------------------


Don’t forget to change the password (P4ssvv0rD) for the superadmin account to something more secure.
Install free Let’s Encrypt SSL Certificate

We have a tutorial about how to install a Let’s Encrypt SSL Certificate here. We are gonna use the SSL certificate to access our PostfixAdmin installation and to enable Dovecot and Postfix SSL/TLS encryption. The most important point here is to generate a SSL Certificate for your server hostname (FQDN) in our case mail.yourdomain.com.

At the end your Nginx configuration should look as follows:

Code: Select all

nano /etc/nginx/sites-enabled/mail.yourdomain.com.conf

Code: Select all

server {
    listen 80;
    server_name mail.yourdomain.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name mail.yourdomain.com;
    root /var/www;

    ssl_certificate /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mail.yourdomain.com/chain.pem;
    include snippets/ssl.conf;

    location / {
       try_files $uri $uri/ /index.php;
    }

    location /postfixadmin {
       index index.php;
       try_files $uri $uri/ /postfixadmin/index.php;
    }

    location ~* \.php$ {
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         if (!-f $document_root$fastcgi_script_name) {return 404;}
         fastcgi_pass  unix:/run/php/php7.0-fpm.sock;
         fastcgi_index index.php;
         include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

Reload the Nginx service for changes to take effect:

Code: Select all

sudo systemctl reload nginx
Finally you should be able to login to your PostfixAdmin installation at https://mail.yourdomain.com/postfixadmin

Install Postfix and Dovecot

Dovecot packages in the Ubuntu default repositories are outdated so in order to take advantage of the imap_sieve module we will install Dovecot from the Dovecot community repository:

Code: Select all

wget -O- https://repo.dovecot.org/DOVECOT-REPO-GPG | sudo apt-key add -
echo "deb https://repo.dovecot.org/ce-2.3-latest/ubuntu/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/dovecot.list

Code: Select all

sudo apt update
debconf-set-selections <<< "postfix postfix/mailname string $(hostname -f)"
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
sudo apt install postfix postfix-mysql dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysql
Postfix Configuration

We will setup Postfix with virtual mailboxes and multiple domains, so first we’ll create the configuration files which will allow postfix to access the database that we created in the first part of this series:

Code: Select all

sudo mkdir -p /etc/postfix/sql

Code: Select all

nano /etc/postfix/sql/mysql_virtual_domains_maps.cf

Code: Select all

user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'

Code: Select all

nano /etc/postfix/sql/mysql_virtual_alias_maps.cf

Code: Select all

user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

Code: Select all

nano /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf

Code: Select all

user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

Code: Select all

nano /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf

Code: Select all

user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query  = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

Code: Select all

nano /etc/postfix/sql/mysql_virtual_mailbox_maps.cf

Code: Select all

user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

Code: Select all

nano /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf

Code: Select all

user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'
Once the SQL configuration files are created, update the main postfix configuration file to include information about the virtual domains, users, and aliases which are stored in the SQLite database.

Code: Select all

sudo postconf -e "virtual_mailbox_domains = mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf"
sudo postconf -e "virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf"
sudo postconf -e "virtual_mailbox_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf"
The postconf command displays the actual values of configuration parameters, changes configuration parameter values, or displays other configuration information about the Postfix mail system.

The local delivery will be handled by the Dovecot’s LMTP. The local delivery agent will take mail from our MTA (Postfix) and deliver it to a user’s mailbox.

Code: Select all

sudo postconf -e "virtual_transport = lmtp:unix:private/dovecot-lmtp"
Set the TL parameters using the previously generated Let’s encrypt SSL certificate:

Code: Select all

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/mail.linuxize.com/fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/mail.linuxize.com/privkey.pem'
Configure the authenticated SMTP settings and hand off authentication to Dovecot:

Code: Select all

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
We also need to edit the Postfix master process configuration file master.cf and enable the submission port (587) and smtps port (465), uncomment and edit the following lines:

Code: Select all

nano /etc/postfix/master.cf

Code: Select all

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Restart the postfix service for changes to take effect.

Code: Select all

sudo systemctl postfix restart
By now you should have successfully configured the Postfix service.

Install Redis

Redis will be used as a storage and caching system by Rspamd, to install it just run:

Code: Select all

sudo apt install redis-server
Install Unbound

Unbound is a very secure validating, recursive, and caching DNS resolver.

The main purpose of installing this service is to reduce the number of external DNS requests. This step is optional and can be skipped.

Code: Select all

sudo apt install unbound
The default settings should be sufficient for most servers.

Set unbound as your server primary DNS resolver:

Code: Select all

sudo echo "nameserver 127.0.0.1" >> /etc/resolvconf/resolv.conf.d/head
sudo resolvconf -u
If you are not using resolvconf then you need to edit the /etc/resolv.conf file manually.
Install Rspamd

We will install the lastest stable version of Rspamd from its official repository:

Code: Select all

sudo apt install software-properties-common lsb-release
sudo apt install lsb-release wget
wget -O- https://rspamd.com/apt-stable/gpg.key | sudo apt-key add -
echo "deb http://rspamd.com/apt-stable/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
sudo apt update
sudo apt install rspamd
Configure Rspamd

Instead of modifying the stock config files we will create new files in the /etc/rspamd/local.d/local.d/ directory which will overwrite the default setting.

By default Rspamd’s normal worker the worker that scans email messages listens on all interfaces on port 11333. Create the following file to configure the Rspamd normal worker to listen only to localhost interface:

Code: Select all

nano /etc/rspamd/local.d/worker-normal.inc

Code: Select all

bind_socket = "127.0.0.1:11333";
The proxy worker listens on port 11332 and supports milter protocol. In order for Postfix to communicate with Rspamd we need to enable milter mode:

Code: Select all

nano /etc/rspamd/local.d/worker-proxy.inc

Code: Select all

bind_socket = "127.0.0.1:11332";
milter = yes;
timeout = 120s;
upstream "local" {
  default = yes;
  self_scan = yes;
}
Next we need to set up a password for the controller worker which provides access to the Rspamd web interface. To generate an encrypted pasword run:

Code: Select all

rspamadm pw --encrypt -p P4ssvv0rD

Code: Select all

$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb
Don’t forget to change the password (P4ssvv0rD) to something more secure.

and paste it into the configuration file:

Code: Select all

nano /etc/rspamd/local.d/worker-controller.inc

Code: Select all

password = "$2$khz7u8nxgggsfay3qta7ousbnmi1skew$zdat4nsm7nd3ctmiigx9kjyo837hcjodn1bob5jaxt7xpkieoctb";
In order to access the web interface we will later configure Nginx as a reverse proxy to the controller worker web server.

We will use Redis as a backend for Rspamd statistics:

Code: Select all

nano /etc/rspamd/local.d/classifier-bayes.conf

Code: Select all

servers = "127.0.0.1";
backend = "redis";
Set the milter headers:

Code: Select all

nano /etc/rspamd/local.d/milter_headers.conf

Code: Select all

use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
You can find more information about the milter headers here.

Finaly restart the Rspamd service:

Code: Select all

sudo systemctl restart rspamd
Configure Nginx

In the first part of this series, we created an Nginx server block for the PostfixAdmin instance. Open the configuration file and add the following location directives, the ones highlighted in yellow:

Code: Select all

nano /etc/nginx/sites-enabled/mail.linuxize.com.conf

Code: Select all

...
location /rspamd {
    proxy_pass http://127.0.0.1:11334/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
...
Reload the Nginx service for changes to take effect:

Code: Select all

sudo systemctl reload nginx
Head over to https://mail.yourdomain.com/rspamd/ enter the password you previously generated with the rspamadm pw command and you will be presented with the Rspamd web interface.

Configure Postfix

We need to configure Postfix to use the Rspamd milter. Run the following command to update the Postfix main configuration file:

Code: Select all

sudo postconf -e "milter_protocol = 6"
sudo postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"
sudo postconf -e "milter_default_action = accept"
sudo postconf -e "smtpd_milters = inet:127.0.0.1:11332"
sudo postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
Restart the Postfix service for changes to take effect:

Code: Select all

sudo systemctl restart postfix
Configure Dovecot

We already installed and configured Dovecot in the second part of this series and now we will install the sieve filtering module and integrate Dovecot with Rspamd.

Code: Select all

sudo apt install dovecot-sieve dovecot-managesieved
Open the following files and edit the lines highlighted in yellow.

Code: Select all

nano /etc/dovecot/conf.d/20-lmtp.conf

Code: Select all

...
protocol lmtp {
  postmaster_address = postmaster@linuxize.com
  mail_plugins = $mail_plugins sieve
}
...

Code: Select all

nano /etc/dovecot/conf.d/20-imap.conf

Code: Select all

...
protocol imap {
  ...
  mail_plugins = $mail_plugins imap_quota imap_sieve
  ...
}
...

Code: Select all

nano /etc/dovecot/conf.d/20-managesieve.conf

Code: Select all

...
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  ...
}
...
service managesieve {
  process_limit = 1024
}
...

Code: Select all

nano /etc/dovecot/conf.d/90-sieve.conf

Code: Select all

plugin {
    ...
    # sieve = file:~/sieve;active=~/.dovecot.sieve
    sieve_plugins = sieve_imapsieve sieve_extprograms
    sieve_before = /var/mail/vmail/sieve/global/spam-global.sieve
    sieve = file:/var/mail/vmail/sieve/%d/%n/scripts;active=/var/mail/vmail/sieve/%d/%n/active-script.sieve

    imapsieve_mailbox1_name = Spam
    imapsieve_mailbox1_causes = COPY
    imapsieve_mailbox1_before = file:/var/mail/vmail/sieve/global/report-spam.sieve

    imapsieve_mailbox2_name = *
    imapsieve_mailbox2_from = Spam
    imapsieve_mailbox2_causes = COPY
    imapsieve_mailbox2_before = file:/var/mail/vmail/sieve/global/report-ham.sieve

    sieve_pipe_bin_dir = /usr/bin
    sieve_global_extensions = +vnd.dovecot.pipe
    ....
}
Create a directory for our sieve scripts:

Code: Select all

mkdir -p /var/mail/vmail/sieve/global
Create a global sieve filter to move emails marked as spam to the Spam directory:

Code: Select all

nano /var/mail/vmail/sieve/global/spam-global.sieve

Code: Select all

require ["fileinto","mailbox"];

if anyof(
    header :contains ["X-Spam-Flag"] "YES",
    header :contains ["X-Spam"] "Yes",
    header :contains ["Subject"] "*** SPAM ***"
    )
{
    fileinto :create "Spam";
    stop;
}
The following two sieve scripts will be triggered whenever you move an email in or out of the Spam directory:

Code: Select all

nano /var/mail/vmail/sieve/global/report-spam.sieve

Code: Select all

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];

Code: Select all

nano /var/mail/vmail/sieve/global/report-ham.sieve

Code: Select all

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_ham"];
Restart the Dovecot service for changes to take effect:

Code: Select all

sudo systemctl restart dovecot
Compile sieve scripts and set the correct permissions:

Code: Select all

sievec /var/mail/vmail/sieve/global/spam-global.sieve
sievec /var/mail/vmail/sieve/global/report-spam.sieve
sievec /var/mail/vmail/sieve/global/report-ham.sieve
sudo chown -R vmail: /var/mail/vmail/sieve/
Create DKIM keys

DomainKeys Identified Mail (DKIM) is an email authentication method which adds a cryptographic signature to the outbound message headers. It allows the receiver to verify that an email claiming to originate from a specific domain was indeed authorized by the owner of that domain. The main purpose of this is to prevent forged email messages.

We can have different DKIM keys for all our domains and even a multiple keys for a single domain but for simplicity of this article we’re gonna use a single DKIM key which later can be used for all new domains.

Create a new directory to store the DKIM key and generate a new DKIM keypair using the rspamadm utility:

Code: Select all

mkdir /var/lib/rspamd/dkim/
rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key > /var/lib/rspamd/dkim/mail.pub
In the example above we are using mail as a DKIM selector.

You should now have a two new files in the /var/lib/rspamd/dkim/ directory, mail.key which is our private key file and mail.pub a file which contains the DKIM public key. We will update our DNS zone records later.

Set the correct ownership and permissions:

Code: Select all

chown -R _rspamd: /var/lib/rspamd/dkim
chmod 440 /var/lib/rspamd/dkim/*
Now we need to tell Rspamd where to look for the DKIM key, the selector name and the last line will enable DKIM signing for alias sender addresses. To do that create a new file with the following contents:

Code: Select all

nano /etc/rspamd/local.d/dkim_signing.conf

Code: Select all

selector = "mail";
path = "/var/lib/rspamd/dkim/$selector.key";
allow_username_mismatch = true;
Rspamd also supports signing for Authenticated Received Chain (ARC) signatures. You can find more information about the ARC specification here. Rspamd is using the dkim module for dealing with ARC signatures so we can simply copy the previous configuration:

Code: Select all

cp  /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf
Restart the Rspamd service for changes to take effect.

Code: Select all

sudo systemctl restart rspamd
DNS settings

We already created a DKIM key pair and now we need to update our DNS zone. DKIM public key is stored in the mail.pub file. The content of the file should look like this:

Code: Select all

cat /var/lib/rspamd/dkim/mail.pub

Code: Select all

mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
	"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4yl"
	"nVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"
) ;
If you are running your own Bind DNS server you just need to copy and paste the record directly into your domain zone file. If you are using a DNS web interface, then you need to create a new TXT record with mail._domainkey as a name and for the value/content you will need to remove the quotes an concatenate all three lines together. In our case the value/content of the TXT record should look like this:

Code: Select all

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB
We will also create a Domain-based Message Authentication (DMARC) which is designed to tell the receiving server whether or not to accept an email from a particular sender. Basically it will protect your domain against direct domain spoofing and improve your domain reputation.

If you followed the series from the beginning you should already have a SFP record for your domain. To setup a DMARC record, the sending domain needs to have an SPF and DKIM record published. DMARC policy is published as a TXT record, and defines how the receiver should treat the mails from your domain when validations fail.

In this article we will implement the following DMARC policy:

Code: Select all

_dmarc  IN  TXT  "v=DMARC1; p=none; adkim=r; aspf=r;"
Let’s break down the above DMARC record:

v=DMARC1 - This is the DMARC identifier
p=none - This tells the receiver what to do with messages that fail DMARC. In our case it is set to none which means take no action if a message fails DMARC. You can also use ‘reject’ or quarantine
adkim=r and aspf=r - DKIM and SPF alignment, r for Relaxed and s for Strict, in our case we are using Relaxed Alignment for both DKIM and SPF.

Same as before if you are running your own Bind DNS server you just need to copy and paste the record into your domain zone file, and if you are using another DNS provider you need to create a TXT record with _dmarc as a name and v=DMARC1; p=none; adkim=r; aspf=r; as a value/content.

It may take a while for the DNS changes to propagate. You can check whether the records have propagated using the dig command:

Code: Select all

dig mail._domainkey.yourdomain.com TXT +short

Code: Select all

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGa" "VuUZBmi4ZTg0O4ylnVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFdepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"

Code: Select all

dig _dmarc.yourdomain.com TXT +short

Code: Select all

"v=DMARC1; p=none; adkim=r; aspf=r;"
You can also inspect your domain current DMARC policy or create your own DMARC policy here.

PHP dependencies

We’ll start off by installing all required PHP dependencies:

Code: Select all

sudo apt install php-auth php-intl php-mail-mime php-mail-mimedecode php-mcrypt php-net-smtp php-net-socket php-pear php-xml php7.0-intl php7.0-mcrypt php7.0-xml php7.0-gd php7.0-gd php-imagick
Set the date.timezone value to UTC:

Code: Select all

sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/7.0/fpm/php.ini
Restart the PHP FPM service for changes to take effect:

Code: Select all

systemctl php7.0-fpm restart
Create MySQL Database

Roundcube supports MySQL, PostgreSQL and SQLite database backends.

In this tutorial we will use MySQL as our database server. Create a new database and user and grant privileges to that user over the newly created database:

Code: Select all

mysql -u root -p

Code: Select all

CREATE DATABASE roundcubemail;
GRANT ALL ON roundcubemail.* TO 'roundcubemail'@'localhost' IDENTIFIED BY 'P4ssvv0rD';
FLUSH PRIVILEGES;
Download Roundcube

At the time of the writing, 1.3.6 is the latest stable version of Roundcube. Download and extract the Roundcube archive to the /var/www directory:

Code: Select all

VERSION=1.3.6
wget -q https://github.com/roundcube/roundcubemail/releases/download/${VERSION}/roundcubemail-${VERSION}-complete.tar.gz
tar xzf roundcubemail-${VERSION}-complete.tar.gz
sudo mv roundcubemail-${VERSION}/ /var/www/roundcubemail
rm -f roundcubemail-${VERSION}-complete.tar.gz
Nginx and PHP-FPM are running under the www-data user so we need to change the ownership of the /var/www/postfixadmin to that user:

Code: Select all

sudo chown -R www-data: /var/www/roundcubemail
Configure Nginx

In the first part of this series, we created an Nginx server block for the PostfixAdmin instance. Open the configuration file and add the following location directives, the ones highlighted in yellow:

Code: Select all

nano /etc/nginx/sites-enabled/mail.yourdomain.com.conf

Code: Select all

...
location /roundcubemail {
   index index.php;
   try_files $uri $uri/ /roundcubemail/index.php;
}
location ~ ^/roundcubemail/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
   deny all;
}
location ~ ^/roundcubemail/(bin|SQL|config|temp|logs)/ {
   deny all;
}
...
Reload the Nginx service for changes to take effect:

Code: Select all

sudo systemctl reload nginx
Configure Roundcube

Open your browser and navigate to https://mail.linuxize.com/roundcubemail/installer

You will be presented with the following screen:

Image

In the Checking available databases section only the MySQL extension is required.

If all required PHP extensions are loaded we can proceed to the next step, where we can configure our Roundcube installation:

Image

The most important part here is to enter the correct MySQL database settings.

When you are done with the configuration step, proceed to the next step and import Roundcube’s MySQL database structure by clicking on the Initialize database button.

Image

Once the database structure is created we need to to delete the installer directory to prevent reconfiguration and/or unauthorized access.

Code: Select all

sudo rm -rf /var/www/roundcubemail/installer
Enabling Roundcube’s automatic cache-cleaning is optional but recommended:

Code: Select all

sudo crontab -u www-data -l | { cat; echo "18 11 * * * /var/www/roundcubemail/bin/cleandb.sh"; } | sudo crontab -u www-data -
Verify your Roundcube Installation

Open your web browser, navigate to: https://mail.yourdomain.com/roundcubemail and log in using your email account’s username and password.

Image

Enable Roundcube plugins

Roundcube comes with a number of plugins which are disabled by default. In this guide we will enable password and managesieve plugins. This plugins will allow users to create sieve filters and change their passwords from within the Roundcube interface.

Code: Select all

nano /var/www/roundcubemail/config/config.inc.php

Code: Select all

// Enable plugins
$config['plugins'] = array('managesieve','password');
// Configure managesieve plugin
$rcmail_config['managesieve_port'] = 4190;
// Configure password plugin
$config['password_driver'] = 'sql';
$config['password_db_dsn'] = 'mysql://postfixadmin:P4ssvv0rD@localhost/postfixadmin';
$config['password_query'] = 'UPDATE mailbox SET password=%c WHERE username=%u';
Do not forget to enter PostfixAdmin database credentials in the password_db_dsn line.

Note: This is an un-official tutorial and i am not responsible for any loss or damage.