-------

---

Email Server With Postfix Dovecot and MailScanner (Part 1 - LEMP)

Posted on 2016-04-20   |   In Email Server , LEMP   |   2 Comments

Email server is quite complicate. It is not only just for sending and receiving emails, but also need lots features and protections. Recently I built such an email server for my company. The whole process is worth to document.

I know there are some solutions exist for easy and quick setup a mail server, such as iRedMail. But I prefer to build the server step by step from scratch. This way I can understand how these all different components put together and how they work with each other. It’s kind of like driving an automobile, knowing a little bit better how the engine and transmission works will help me when there is a problem or need improvement down the road.

Features and Components

I begin with a list of some important features I needed for the mail system:

• • support virtual domain and mailboxes

  • support SMTP submission with STARTTLS

  • support IMAP/POP3 with SSL/TLS

  • have a secured web mail

  • have a management web interface for user accounts

  • have a management web interface for MailScanner

Here I list the major components I will build on the new email server:

• • LEMP server (CentOS 7 + Nginx + MariaDB + PHP)

  • Postfix

  • Dovecot (with Sieve filter)

  • MailScanner (which using ClamAV and Spamassassin)

  • MailWatch (Web UI for MailScanner)

  • RoundCube webmail

  • Postfix Admin (a web based interface used to manage mailboxes, virtual domains and aliases.)

  • Fail2ban and iptables (Firewall)

  • OpenSSL and Let’s Encripts SSL certificate

  • OpenDKIM and SPF

Domain name and DNS

Before I start to build the email server, I checked that I have these network related stuff ready:

• • Domain name: mydomain.com. I’ll use subdomain smtp.mydomain.com as the host name of the mail server.

  • A static IP from my ISP: 11.22.33.44

  • DNS records:

• • Reverse DNS PTR record: (Need ask my ISP to set this reverse DNS up for me)

Install iptables:

Now install fail2ban:

Create fail2ban local configration file:

Edit this file to enable sshd jail. Set:

Now enable and start the fail2ban service:

Now the ssh port 22 is protected by Fail2ban against brutal-force attack. In the future, anytime I need open up a new port for a service in iptables, I’ll also need to configure the corresponding fail2ban jail to have it protected.

 There are lots scan activities on the well-known ssh port 22. So I changed the sshd to listen on a different port. Also configured iptables and fail2ban accordingly.

NTP

CentOS 7 use chronyd to keep the clock synchronized.

If timezone is not set, then:

Now install Chrony:

Use the following commands to check the status:

Update system then reboot

Bring the system up to date:

After reboot, log in and check:

LEMP

MariaDB

Install MariaDB server:

Secure MariaDB. Run this command, set the root password, and answer Y to all other questions:

Install Nginx

Add Nginx Repo by create a configration file /etc/yum.repos.d/nginx.repo with the following content:

Install Nginx:

Edit /etc/nginx/nginx.conf:

Set worker_processes to the CPU core number.

Start nginx:

Check to see Nginx is running on port 80:

Now open up port 80 and 443 on iptables. I can access http://smtp.mydomain.com for the nginx’s default page.

Install PHP5

PHP5 works in nginx through PHP-FPM. So install some php packages:

yum install php-fpm php-cli php-mysql php-gd php-mcrypt php-intl php-ldap php-odbc php-pdo php-pecl-memcache php-pear php-mbstring php-xml php-xmlrpc php-mbstring php-snmp php-soap php-imap

Edit /etc/php.ini , set

Edit /etc/php-fpm.d/www.conf, use socket instead of TCP port for better performance:

Next enable and start php-fpm:

Let’s Encrypt SSL Certificate

I use the free LE SSL Cert for all the virtual hosts and SMTP/IMAP/POP3

First make sure all DNS record are pointed to the correct IP. This includes all A records for @, www, and smtp.

Also make sure port 443 is open on iptables.

Obtain a certicate:

Fill in my email address, then agree the agreement, then fill in all the domain names:

output:

IMPORTANT NOTES:

• • Congratulations! Your certificate and chain have been saved at

  • /etc/letsencrypt/live/mydomain.com/fullchain.pem. Your cert will

  • expire on 2016-05-29. To obtain a new version of the certificate in

  • the future, simply run Let’s Encrypt again.

Let’s Encript SSL Cert is only valid for 90 days. To renew it, set a cron job (or wrote a script). The command to renew is:

To test this command, add --dry-run flag at the end.

Here is my simple bash script le_renew.sh:

 Tip:

To obtain LE SSL certificates in one liner command:

/opt/letsencrypt/letsencrypt-auto certonly --standalone --agree-tos --email myemail@domain.tld -d mydomain.com -d www.mydomain.com -d smtp.mydomain.com -d mailwatch.mydomain.com -d postfixadmin.mydomain.com -d smtp.mydomain.com -d roundcube.mydomain.com

Configure Virtual Host

I will have few web sites running on this server using named based virtual host. They are RoundCube webmail, Postfix Admin and MailWatch.

I need to create a 2048 bit DH params file(default is 1024 bit):

Now let’s configure the first virtual host postfixadmin.mydomain.com by create a new configration file /etc/nginx/conf.d/postfixadmin.conf with content:

server {

 listen 80;

 server_name postfixadmin.mydomain.com;

 return 301 https://$server_name$request_uri; # enforce https

}

server {

  listen          443 ssl;

  server_name     postfixadmin.mydomain.com;

  root            /var/www/html/postfixadmin;

  index           index.php;

  charset         utf-8;

  access_log      /var/log/nginx/pa-access.log;

  error_log       /var/log/nginx/pa-error.log;

  ## SSL settings

  ssl_certificate           /etc/letsencrypt/live/mydomain.com/fullchain.pem;

  ssl_certificate_key           /etc/letsencrypt/live/mydomain.com/privkey.pem;

  ssl_protocols             TLSv1.2 TLSv1.1 TLSv1;

  ssl_prefer_server_ciphers on;

  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

  ssl_dhparam               /etc/nginx/dhparams.pem;  

  ssl_session_cache         shared:SSL:10m;

  ssl_session_timeout       10m;

  ssl_ecdh_curve            secp521r1;

  add_header Strict-Transport-Security max-age=31536000;

  location / {

     try_files $uri $uri/ index.php;

  }

  location ~ \.php$ {

       try_files $uri =404;

       fastcgi_split_path_info ^(.+\.php)(/.+)$;

       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

       include       fastcgi_params;

       fastcgi_pass  unix:/run/php-fpm/php-fpm.sock;

       fastcgi_index index.php;

  }

}

Let’s make a test page:

Restart Nginx and test by go to http://postfixadmin.mydomain.com/info.php, it should jump to https:// automatcally and show the PHP info page.

A good test for SSL can be done at SSL LABS. I got the highest score “A+“!

 Repeat the above steps to create other virtual host sites(mailwatch, roundcube). Later we will build these sites in their doc root directory.

Now I have a basic LEMP server with SSL and firewall protections. I’m now ready to build the mail server on this system.

Quick links:

• • Part 1: LEMP

  • Part 2: Postfix and Dovecot

  • Part 3: MailScanner and MailWatch

  • Part 4: SPF, DKIM and DMARC

  • Part 5: Roundcube Webmail

  • Part 6: Afterthoughts

Email Server With Postfix Dovecot and MailScanner (Part 2 - Postfix and Dovecot)

Posted on 2016-04-20   |   In Email Server   |   13 Comments

Postfix is the mail transfer agent (MTA) that routes and delivers email. Dovecot is the IMAP and POP3 server. The two works together make a perfect email server.

Postfix

Postfix is installed and running after default CentOS 7 installation. It is just a basic SMTP server lintening on local interface (127.0.0.1) and serve for existing local user only.

Database for virtual domain and user

We will install PostfixAdmin which use MaridDB as back-end to handle virtual domain and user accounts. When Postfix and Dovecot want authenticate users they will query the MariaDB database.

Login MariaDB as root and create a database postfix. Add user postfix and grant accesses to it.

Create a database

Postfix Admin

Postfix Admin is a web based interface used to manage mailboxes, virtual domains and aliases

Get the Postfix Admin site ready:

Edit /var/www/html/postfixadmin/config.inc.php

With:

I also need to manual create a session dir:

Postfix Admin web setup

Now go to https://postfixadmin.mydomain.com/setup.php to continue the setup in the web interface.

Type in “Setup Password” and generate password hash.

Copy this line back to /var/www/html/postfixadmin/config.inc.php, at line 30:

Then create the superadmin account.

Now use the superadmin account to login at https://postfixadmin.mydomain.com/login.php. This is the admin login.

Once we create user email account, the user may login to manage their own account at https://postfixadmin.mydomain.com/users/login.php. Note the different address.

Bug Fix:

After login, click on “Fetch email” I got error “Invalid query: FUNCTION postfix.FROM_BASE64 does not exist”

To fix it, edit /var/www/html/postfixadmin/model/PFAHandler.php at line 572:

Link Postfix to MariaDB

Create 5 database query configration files:

• 1. /etc/postfix/mysql-virtual_domains_maps.cf

• 1. /etc/postfix/mysql-relay_domains_maps.cf

• 1. /etc/postfix/mysql-virtual_mailbox_maps.cf

• 1. /etc/postfix/mysql-virtual_mailbox_limit_maps.cf

• 1. /etc/postfix/mysql-virtual_alias_maps.cf

Change permission to protect this files:

Make Postfix use these 5 files to qurey database, add the following lines to /etc/postfix/main.cf

relay_domains = proxy:mysql:/etc/postfix/mysql-relay_domains_maps.cf

virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf,regexp:/etc/postfix/virtual_regexp

virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains_maps.cf

virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf

virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps $virtual_mailbox_limit_maps

Create virtual_regexp file

To enable postfix listen on all interface, edit /etc/postfix/main.cf line 113,116:

vmail user

Create a local user vmail and set its home dir as maildir:

Make postfix to use this vmail account, add to /etc/postfix/main.cf

Restart postfix:

Also open TCP port 25 in iptables.

Now the Postfix SMTP is running. I can test it from another computer:

Test virtual domain/mailbox

Setup test email account

Go to Postfix Admin site [https://postfixadmin.mydomain.com], log in as admin user, then create a virtual domain. In my case, I go to “Domain List” –> “New Domain”, add “mydomain.com”.

Next go to “Virtual List”, then “Add Mailbox”, add a newmail box(Username: “gao”). Make sure “Active” and “Send Welcome mail” are checked. Then click on “Add Mailbox”.

Test receiving email

If everything is ok, you should see an email has been sent to gao@mydomain.com in the /var/log/maillog log file:

Apr 20 15:47:13 smtp postfix/smtpd[27293]: connect from localhost[::1]

Apr 20 15:47:14 smtp postfix/smtpd[27293]: 5CC0199812: client=localhost[::1]

Apr 20 15:47:14 smtp postfix/cleanup[27300]: 5CC0199812: message-id=<20160420224714.5CC0199812@smtp.mydomain.com>

Apr 20 15:47:14 smtp postfix/smtpd[27293]: disconnect from localhost[::1]

Apr 20 15:47:14 smtp postfix/qmgr[27051]: 5CC0199812: from=<gao@mydomain.com>, size=485, nrcpt=1 (queue active)

Apr 20 15:47:14 smtp postfix/virtual[27309]: 5CC0199812: to=<gao@mydomain.com>, relay=virtual, delay=0.34, delays=0.11/0.07/0/0.17, dsn=2.0.0, status=sent (delivered to maildir)

Apr 20 15:47:14 smtp postfix/qmgr[27051]: 5CC0199812: removed

Check the maildir I saw the email has been put in the maildir:

I also tested it by sending an email from my Gmail account and watch the maillog to see the mail arrived.

Test send email out

I still use telnet command from a remote PC to send a test email out:

Check the maillog to make sure the mail is send out.

At this stage, sending email to Gmail may fail. This will be fixed later by setup proper SPF and DKIM record in our DNS settings. If you have to test with Gmail then you may add mydomain.com as truseted domain at [https://postmaster.google.com]

SMTP Submission

I will enable SMTP submission on port 587, and use dovecot embebed SASL authentication to verify user identity.

Edit /etc/postfix/master.cf, remove comments in these lines:

Edit /etc/postfix/main.cf, add lines:

Restart postfix

Enable and start dovecot:

Check use netstat to see dovecot is listening on port 110,143,993,995

Dovecot authentication

I configured Dovecot to use database created by PostfixAdmin for user authentication with Let’s Encript’s SSL certificate:

database query configration

Create a file /etc/dovecot/conf.d/dovecot-mysql.conf.ext

driver = mysql

connect = host=localhost dbname=postfix user=postfix password=PApassword

password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home,  concat('maildir:/home/vmail/', maildir) as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM mailbox  WHERE username = '%u' AND active = '1'

user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail,  5000 AS uid, 5000 AS gid, CONCAT('*:bytes=', quota) as quota_rule FROM mailbox WHERE  username = '%u' AND active = '1'

Also we need a file to provide information about accounts quota. Edit /etc/dovecot/conf.d/dovecot-mysql-quota.conf.ext

Set file permission

With above files dovecot will query mariadb info about users idendity and mailbox quotas.

Make dovecot use MariaDB for authentication

Edit /etc/dovecot/conf.d/auth-sql.conf.ext

Enable dovecot to use sql_auth, edit /etc/dovecot/conf.d/10-auth.conf

Enable SSL/TLS support

Edit /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem

ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem

# SSL protocols to use

ssl_protocols = !SSLv2 !SSLv3

# SSL ciphers to use

ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

# Prefer the server's order of ciphers over client's.

ssl_prefer_server_ciphers = yes

Edit /etc/dovecot/conf.d/10-master.conf

Maildir and mail user

Edit /etc/dovecot/conf.d/10-mail.conf

Test dovecot

Open TCP port 993,995 and 587 on iptables. (I force all clients to use SSL/TLS so I keep port 110 and 143 closed.)

Restart dovecot

Test SSL login to IMAPS on port 993 from a remote PC:

#openssl s_client -connect smtp.mydomain.com:993 -quiet

depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1

verify error:num=20:unable to get local issuer certificate

verify return:0

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.

a1 LOGIN gao@mydomain.com my_password

a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in

a2 LIST "" "*"

* LIST (\HasNoChildren) "." INBOX

a2 OK List completed.

a3 EXAMINE INBOX

* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)

* OK [PERMANENTFLAGS ()] Read-only mailbox.

* 4 EXISTS

* 4 RECENT

* OK [UNSEEN 1] First unseen.

* OK [UIDVALIDITY 1457462303] UIDs valid

* OK [UIDNEXT 5] Predicted next UID

a3 OK [READ-ONLY] Examine completed (2.716 secs).

a4 LOGOUT

* BYE Logging out

a4 OK Logout completed.

Mailbox quota

I enable imap_quota plugin:

Edit /etc/dovecot/conf.d/10-mail.conf, line 215 should be

Edit /etc/dovecot/conf.d/20-imap.conf, line 56 should be

Edit /etc/dovecot/conf.d/90-quota.conf, line 68 should look like these

Now restart dovecot service

Edit mailbox quota in PostfixAdmin, set to non-zero, then I can see the quota of INBOX.

Test the email server

Now I can create an new email account in Thunderbird to test.

Always use full email address as login name. Here is the setup with IMAP on port 993:

Now I can send out and receive email so the basic mail server is working.

Email Server With Postfix Dovecot and MailScanner (Part 3 - MailScanner and MailWatch)

http://blog.pztop.com/2016/04/21/Email-Server-With-Postfix-Dovecot-MailScanner-3/

I use MailScanner to scan emails for viruses, spam, phishing, malware, and other attacks against security vulnerabilities. Under the hood, MailScanner uses ClamAV(clamd) for virus scan, and uses Spamassassin to scan for spams.

MailWatch is the web UI frontend to manage MailScanner. I can manage qurantine and generate reports easily right in the web browser.

 MailScanner come with a installation script you may use it for easy setup. It will install all compoenets once you made your selection.

ClamAV

Clam AV can be load in 3 different mode. Here is the explaination:

clamscan: most expensive CPU-wise, but involves no extra setup. This just executes the clamscan command-line tool. This causes the signature database to be re-read for each object scanned and can be pretty CPU intensive compared to the others.

clamav module: less expensive than clamscan CPU-wise, but needs the Mail::ClamAV perl module. This method loads a copy of the libclamav scanner library into MailScanner and keeps it resident, using it to perform scans without needing to re-read the signature libraries, etc. It can be somewhat touchy about what versions of Mail::ClamAV work with various versions of clamav.

clamd: less expensive than clamscan CPU-wise, but needs clamd running and is relatively new code. This causes MailScanner to connect to clamd’s socket and use that for scanning. Since clamd is already resident, there’s no need to re-read signatures. Since it’s using clamd, which comes with clamav, there’s no real version-compatibility problems like with the module, at least in theory

So I decide to run ClamAV as a daemon (clamd) for better performance.

ClamAVInstallation

Install ClamAV:

ClamAV will need unrar, it can be installed from rpmforge repository, so:

After install unrar, I disabled rpmforge repo:

freshclam

freshclam will update the virus signature database. To enable it and update:

Also edit /etc/sysconfig/freshclam, comment out this line as:

The MailScanner will call /usr/local/bin/freshclam to update the database, so make the proper link:

clamd daemon

Enable clamd by editing /etc/clamd.d/scan.conf like this:

Create the log file:

Now enable and start the service:

Test clamd service

I download a virus file (Eicar Test) and send to ClamAV

Spamassassin

Install Spamassassin”

Update database:

Enable snd start Spamassassin:

MailScanner

MailScanner work like this:

• 1. As instructed, Postfix holds the mail upon receipt.

  2. MailScanner swoops in and scans the email in queue.

  3. MailScanner re queues the email and hands it over back to Postfix.

  4. Postfix processes the email as necessary and delivers the mail to recipient.

Install MailScanner

First stop and disable postfix. We will use MailScanner in the future.

Download MailScanner and install:

Start the installation. Answer Y to all questions except these three(they have been took care in the previous steps):

MailScanner Configuration

Edit /etc/MailScanner/MailScanner.conf

Correct a permission to allow write for group clamscan:

Edit /etc/MailScanner/spam.assassin.prefs.conf

Edit /etc/MailScanner/virus.scanners.conf

clamd permission

When clamd scan emails, I want pass --fdpass to it, so it won’t have permssion issue:

Now create a new file /usr/bin/clamdscan

Make it executable:

Postfix hold queue

Let postfix hold all mails for scan, add line at bottom of /etc/postfix/header_checks

Enable header check in Postfix, edit /etc/postfix/main.cf, uncomment this line 548:

Check MailScanner configration to see if there is any error:

Spamassassin Plugins

With plugins, Spamassassin can detect spam and bulk email better with online resources.

First, I need open some ports on iptables needed by DCC, pyzor and razor. Add these rules to /etc/sysconfig/iptables in the INPUT chain and reload iptables:

Edit /etc/mail/spamassassin/mailscanner.cf

Enable these in spamassassin. Edit /etc/mail/spamassassin/v310.pre

DCC

Install DCC

Test

Pyzor

Add a line in /etc/mail/spamassassin/local.cf

Install Pyzor:

Test

Razor

Edit /etc/mail/spamassassin/razor/razor-agent.conf

Test Razor2

Test

Check MailScanner configration again:

Also check for SpamAssassin:

Now restart services and check maillog to see if any error

Now I can send some spam test email then check the maillog to see if it has need catched. Here are some test site:

[http://www.emailsecuritycheck.net/]

[https://www.mail-tester.com/]

MailWatch

Download code

MariaDB database

Create a database with downloaded sql file:

Create a DB user:

Admin user

Create an Admin user gao:

Configure MailWatch

Move the mailscanner directory to the web server’s root

Copy /var/www/html/mailscanner/conf.php.example to conf.php then edit the database setting:

Now stop MailScanner

Edit /etc/MailScanner/MailScanner.conf

Copy Perl module to CustomFunctions

Edit /usr/share/MailScanner/MailScanner/CustomFunctions/SQLBlackWhiteList.pm

Edit /usr/share/MailScanner/MailScanner/CustomFunctions/MailWatch.pm

I also installed a perl module Encoding::FixLatin in CPAN:

Start MailScanner again, check /var/log/maillog for any error.

Nginx configuration

Create a new nginx virtual host configration file /etc/nginx/conf.d/mailwatch.conf

server {

 listen 80;

 server_name mailwatch.mydomain.com;

 return 301 https://$server_name$request_uri; # enforce https

}

server {

  listen          443 ssl;

  server_name     mailwatch.mydomain.com;

  root            /var/www/html/mailscanner;

  index           index.php;

  charset         utf-8;

  ## SSL settings

  ssl_certificate           /etc/letsencrypt/live/mydomain.com/fullchain.pem;

  ssl_certificate_key           /etc/letsencrypt/live/mydomain.com/privkey.pem;

  ssl_protocols             TLSv1.2 TLSv1.1 TLSv1;

  ssl_prefer_server_ciphers on;

  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

  ssl_dhparam     /etc/nginx/dhparams.pem;

  ssl_session_cache         shared:SSL:10m;

  ssl_session_timeout       10m;

  ssl_ecdh_curve            secp521r1;

  add_header Strict-Transport-Security max-age=31536000;

  # add_header X-Frame-Options DENY;

  # auth_basic "Restricted area";

  # auth_basic_user_file /etc/nginx/passwd;

  location / {

     try_files $uri $uri/ index.php;

  }

  location ~ \.php$ {

       try_files $uri =404;

       fastcgi_split_path_info ^(.+\.php)(/.+)$;

       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

       include       fastcgi_params;

       fastcgi_pass  unix:/run/php-fpm/php-fpm.sock;

       fastcgi_index index.php;

  }

}

Mail queue

Configure mail queue directory:

Test

Restart Nginx:

Now it’s time to go to https://mailwatch.mydomain.com/

Login as admin user “gao” with password “mwpassword”

Go to http://www.emailsecuritycheck.net/ and send myself some spam and virus, check MailWatch to see the result.

 There are few tools came with MailWatch souce code in the "tools" directory. You may need to setup them following the instruction.

SpamAssassin Bayes

SpamAssassin Bayes can try to identify spam (or ham) by learning tokens. Here I configrue it with MailWatch installed.

Edit /etc/MailScanner/spam.assassin.prefs.conf

Create the ‘new’ bayes directory, make the directory owned by the same group as the web server user and make the directory setgid:

Since I already some spam mails in quarantine, so I force a sa-learn

After this I see few files have been generated in bayes home directory:

Test to see bayes work

shoud see these lines:

It can also be verified in MailWatch in “Tools/Link” –> “Spamassassin Bayes Database Info”

Now restart Spamassassin and MailScanner and check maillog.

 Now I have an email server with protections. Unforturnatly this is just a start. There are so many things need further configuration to improve the security of the mail system.

Quick links:

• • Part 1: LEMP

  • Part 2: Postfix and Dovecot

  • Part 3: MailScanner and MailWatch

  • Part 4: SPF, DKIM and DMARC

  • Part 5: Roundcube Webmail

  • Part 6: Afterthoughts

#MariaDB #Postfix #Dovecot #MailScanner

 Email Server With Postfix Dovecot and MailScanner (Part 2 - Postfix and Dovecot) Email Server With Postfix Dovecot and MailScanner (Part 4 - SPF DKIM and DMARC) 

Email Server With Postfix Dovecot and MailScanner (Part 4 - SPF DKIM and DMARC)

Posted on 2016-04-21   |   In Email Server   |   6 Comments

Both SPF and DKIM has two parts: One is the DNS records for SPF/DKIM serve the purpose of setting your own policy for others to check. The other is to check if the incoming mail message is in accordance with the SPF/DKIM that is set by the admins of the domain from which the message was sent.

SPF

DNS txt record

Add a txt record to DNS server:

Test it by sending an email to check-auth@verifier.port25.com and will get a report back.

SPF on Postfix

To prevent sender address forgery, we setup The Sender Policy Framework (SPF) on the postfix. When there is an incoming email, postfix will check the SPF record.

Then edit /etc/postfix/master.cf and add the following stanza at the end:

(The leading spaces before user=nobody ... are important so that Postfix knows that this line belongs to the previous one!)

Then open /etc/postfix/main.cf and search for the smtpd_recipient_restrictions directive. You should have reject_unauth_destination in that directive, and right after reject_unauth_destination you add check_policy_service unix:private/policy like this:

Restart MailScanner, send an email from gmail to gao@mydomain.com, in header:

Received-SPF: pass (gmail.com ... _spf.google.com: Sender is authorized to use 'gao@gmail.com' in 'mfrom' identity (mechanism 'include:_netblocks.google.com' matched)) receiver=szeta; identity=mailfrom; envelope-from="gao@gmail.com"; helo=mail-pa0-f48.google.com; client-ip=209.85.220.48

DKIM

OpenDKIM

Install OpenDKIM

Generate keys for signing

You need to generate a private and a public key for each of the domains for which you wish to sign mail. The private key is stored away on your server, while the public key gets published in your domain’s DNS records so that receiving mail servers can verify your DKIM-signed mail.

You need decide now what the name of your selector is going to be. A selector is a unique keyword that is associated with both keys (public and private), included in all the signatures, and published in your DNS records. For simplicity, I use the word szeta as my default selector.

Now we have two files for each domain(the text file is the public key).

Edit four configuration files:

• 1. /etc/opendkim.conf (I created a new file)

Now enable OpenDKIM in Postfix, edit /etc/postfix/main.cf, add

Now start services

DNS txt record

Now that the mail server is signing outgoing mail and verifying incoming mail, you’ll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed.

Use the public key created above to add a DNS TEXT record to mydomain.com.

Check:

$ dig szeta._domainkey.mydomain.com TXT +noall +answer

szeta._domainkey.mydomain.com. 3599 IN TXT  "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGYaonAHWmVitTa9p4QRmtjobBRyWflXwCa3akQ87aJ2iT8bg/25/t7dwzOq4nRS9CoW6vu9gVPBS6hWIumRoWFwYfwgUXGWCxMQLr6Nc7wuKnqPOoA6/JTa0s1o0QWiY18k1Rsh8p4/oRQilCEVjvdezRxsIigIEGUlEn9a+xqwIDAQAB"

Test

Restart MailScanner then send email to check-auth@verifier.port25.com then read the report, also analyse header as well.

DMARC

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

To enable DMARC, just add a TXT DNS record. Host name is _dmarc and text value is v=DMARC1; p=none ;rua=mailto:postmaster@mydomain.com

To check:

Email Server With Postfix Dovecot and MailScanner (Part 5 - Roundcube webmail)

Posted on 2016-04-25   |   In Email Server   |   0 Comments

Roundcube is a free opensource web-based IMAP email client. It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking. At the time of this writing, Roundcube just released v1.1.5.

Download souce code

Now copy the source code to web root:

Database

Roundcube uses MariaDB as the backend database. So create a database and add a database user:

Nginx Configuration

Create a new Nginx site configrration file /etc/nginx/conf.d/roundcube.conf

server {

 listen 80;

 server_name roundcube.mydomain.com;

 return 301 https://$server_name$request_uri; # enforce https

}

server {

  listen          443 ssl;

  server_name     roundcube.mydomain.com;

  root            /var/www/html/roundcubemail;

  index           index.php;

  charset         utf-8;

  ## SSL settings

  ssl_certificate           /etc/letsencrypt/live/mydomain.com/fullchain.pem;

  ssl_certificate_key           /etc/letsencrypt/live/mydomain.com/privkey.pem;

  ssl_protocols             TLSv1.2 TLSv1.1 TLSv1;

  ssl_prefer_server_ciphers on;

  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

  ssl_dhparam               /etc/nginx/dhparams.pem;

  ssl_session_cache         shared:SSL:10m;

  ssl_session_timeout       10m;

  ssl_ecdh_curve            secp521r1;

  add_header Strict-Transport-Security max-age=31536000;

  # add_header X-Frame-Options DENY;

  # auth_basic "Restricted area";

  # auth_basic_user_file /etc/nginx/passwd;

  location / {

     try_files $uri $uri/ index.php;

  }

  location ~ \.php$ {

       try_files $uri =404;

       fastcgi_split_path_info ^(.+\.php)(/.+)$;

       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

       include       fastcgi_params;

       fastcgi_pass  unix:/run/php-fpm/php-fpm.sock;

       fastcgi_index index.php;

  }

}

Reload Nginx

Web installation

Now I can start installation by go to https://roundcube.mydomain.com/installer/

Check environment

First the RouncCube installer will check the environment. There may be some items show as “NOT AVAILABLE”, for these items I only need make sure what I needed is “OK”

I found that it complain that “Mcrypt” and “Intl” PHP modules shows as “NOT AVALIABLE”, so let’s intall them and restart PHP-FPM”

Then refreash the web page and now the environment is ready. Click “NEXT” button to go on.

Create config

Fill the “Database password”. Also fill in SMTP and IMAP configration. Create the config file

 Don't warray to much about put in wrong configration inforamtion on the IMAP and SMTP sections. I will fix them later by manually editing the configration file later.

Test config

Go ahead to inatialize database.

When test SMTP and IMAP there are errors. I manually edited the configured file config/config.inc.php

Save the configration file. To test again, go back to

https://roundcube.mydomain.com/installer/index.php?_step=1

All tests passed. Last remove the installer folder.

Now Roundcube wabmail is working. I can use it at https://roundcube.mydomain.com/

Sieve filter

One of the reason I use Dovecot is that I need to use Sieve filter in RoundCube Mail, so user can setup their own filter such as Vacation Autoresponse.

LMTP

Till now my mail server use Postfix as the LDA(Local Delivery Agent) to diliver mails to users maildir. For sieve to work we need to use dovecot as a LDA. This means that dovecot has to write the email to the email folder of the user for the final delivery.

We will configure dovecot acting as local delivery using LMTP. (The other option is using LDA, which works like a binary command, each time that postfix sends a email lda deliver is called.)

Configure LMTP by editing /etc/dovecot/conf.d/10-master.conf

Also set up a postmaster addr at /etc/dovecot/conf.d/20-lmtp.conf

Then we will enable lmtp protocol in /etc/dovecot/dovecot.conf

Now I need tell Postfix to use Dovecot LDA, edit /etc/postfix/main.cf add lines:

Restart Dovecot and MailScanner, send a test email then check maillog to see LMTP in action for local delivery:

Apr 24 13:29:32 smtp dovecot: master: Dovecot v2.2.10 starting up for imap, pop3, lmtp (core dumps disabled)

...

Apr 24 13:32:34 smtp dovecot: lmtp(3544): Connect from local

Apr 24 13:32:35 smtp dovecot: lmtp(3544, gao@mydomain.com): ZIvkJGJx6FbYDQAA1qURPQ: msgid=<56E8714F.4060405@gmail.com>: saved mail to INBOX

Apr 24 13:32:35 smtp postfix/lmtp[3543]: D23571331C6: to=<gao@mydomain.com>, relay=smtp.mydomain.com[private/dovecot-lmtp], delay=12, delays=11/0.31/0.24/0.81, dsn=2.0.0, status=sent (250 2.0.0 <gao@mydomain.com> ZIvkJGJx6FbYDQAA1qURPQ Saved)

Apr 24 13:32:35 smtp dovecot: lmtp(3544): Disconnect from local: Successful quit

Apr 24 13:32:35 smtp postfix/qmgr[3461]: D23571331C6: removed

Managesieve

I use dovecot-pigeonhole and it’s been installed already.

Enable sieve filter, edit /etc/dovecot/conf.d/20-lmtp.conf

Configure sieve, edit /etc/dovecot/conf.d/90-sieve.conf

Configure managesieve, edit /etc/dovecot/conf.d/20-managesieve.conf