## 0 ##

Dieser Begleittext gehört zur Artikelserie über das Einrichten eines Mailservers:
http://www.projekt-rootserver.de/?p=289

Bitte bearbeite diese Text-Datei und trage darin die Werte von Deinem Server ein. Sichere sie *ausschließlich* in Deinem Vera-Crypt Volume!
Die Datei dient auch als Dokumentation und Referenz, wenn Du später dringend ein Passwort brauchst oder den Installationsweg nachvollziehen möchtest...


Links und Credits
******************

https://kura.io/2015/01/03/debian-wheezy-tls-mailserver-with-mysql-clamav-domainkeys-dkim-spf-solr-imap-search/
(!) https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql
(!!)https://blog.unterhaltungsbox.com/mailserver-mit-postfix-dovecot-postfixadmin-und-mysql/
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
http://wiki2.dovecot.org/Plugins/Zlib
http://www.joseftschiggerl.name/2014/04/mail-compression-with-dovecot/
http://postfixadmin.sourceforge.net/
(!!!)https://www.linode.com/docs/email/postfix/troubleshooting-problems-with-postfix-dovecot-and-mysql
https://www.unlocktheinbox.com/resources/emailauthentication/


DNS
****

mail.bla.de => als 'E-Mail Domain' einrichten
pfa.bla.de => Subdomain eintragen

Die Einträge für „bla.de“ müssten dann so aussehen:
bla.de – A – 12.34.56.78
bla.de – MX – 10 mail.bla.de.
mail.bla.de – A – 12.34.56.78
www.bla.de – A – 12.34.56.78
mysql.bla.de – A – 12.34.56.78
pfa.bla.de – A – 12.34.56.78


Im VPS-Controlcenter
----------------------
Auf "Verwalten" - Netzwerk - Reverse DNS
"mail.bla.de" eingeben - Speichern.



Firewall aufmachen!
********************

	$ nano /etc/shorewall/rules

------------------- SNIP IT -----------------------------
## MAIL - smtp, submission, smtps
ACCEPT:info net		$FW		tcp		25		-		-
ACCEPT:info net		$FW		tcp		587		-		-
ACCEPT:info net		$FW		tcp		465		-		-

## IMAP - imap, imaps
ACCEPT:info net		$FW		tcp		143		-		-
ACCEPT:info net		$FW		tcp		993		-		-

## POP3 - pop3, pop3s
ACCEPT:info net		$FW		tcp		110		-		-
ACCEPT:info net		$FW		tcp		995		-		-
---------------------------------------------------------

* Firewall neu starten
	$ shorewall safe-restart

...
Do you want to accept the new firewall configuration? [y/n] y
New configuration has been accepted


Passwörter
***********

* Passwörter erzeugen
(Siehe dazu - http://www.projekt-rootserver.de/passwoerter-erstellen-mit-pwgen/)

	$ pwgen -sy 32 64

### Für alles, was NICHT mit Postfächern zu tun hat...

[Copy / Paste HIER]


	$ pwgen -s 32

### Für Postfächer

[Copy / Paste HIER]


(DB) mailuser:	[Copy / Paste HIER]
ich@bla.de:		[Copy / Paste HIER]

Postfixadmin Webbereich:	[Copy / Paste HIER]
postfixadmin Setup:			[Copy / Paste HIER]
Postfixadmin Admin-User:	[Copy / Paste HIER]


Zertifikate (nur Mail!)
************************

	$ nano /root/CA/bla.de-mail.cnf
------------------- SNIP IT -----------------------------
#
# bla.de-mail.cnf - Zertifikatsvorlage
#
[ req ]
prompt                  = no
distinguished_name      = server_distinguished_name
req_extensions          = v3_req
#
[ server_distinguished_name ]
commonName				= mail.bla.de
stateOrProvinceName		= BY
countryName				= DE
emailAddress			= postmaster@bla.de
organizationName		= bla.de Mail Department
organizationalUnitName	= Secure Deliveries. Yay!
#
[ v3_req ]
basicConstraints		= CA:FALSE
keyUsage				= nonRepudiation, digitalSignature, keyEncipherment
subjectAltName			= @alt_names
#
[ alt_names ]
DNS.0					= mail.bla.de
---------------------------------------------------------


	$ cd /root/CA
	$ export OPENSSL_CONF=/root/CA/bla.de-mail.cnf
	$ openssl req -newkey rsa:2048 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
		- Enter PEM pass phrase: [irgendein einfaches Passwort vergeben. Wird wieder entfernt! [1234]
		- Verifying - Enter PEM pass phrase: [1234]
* Passwort aus dem private Key wieder entfernen
	$ openssl rsa < tempkey.pem > bla.de-mail.key
		- Enter pass phrase: [1234]

* Singieren des Zertifikatrequests
	$ export OPENSSL_CONF=/root/CA/caconfig.cnf
	$ openssl ca -in tempreq.pem -out bla.de-mail.crt
		- Enter pass phrase for /root/CA/private/cakey.pem: [hier jetzt das Passwort der Root-CA!]
			...
			Sign the certificate? [y/n]: [y] und [Enter]
		- 1 out of 1 certificate requests certified, commit? [y/n]: [y] und [Enter] - Ja, noch mal...

* Noch a bissl aufräumen
	$ rm -f tempkey.pem tempreq.pem && mv bla.de-mail.crt certs/ && mv bla.de-mail.key private/ && mv bla.de-mail.cnf configs/



Postfix und Dovecot installieren
*********************************

	$ apt-get update && apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql

Die folgenden zusätzlichen Pakete werden installiert:
  ssl-cert
Vorgeschlagene Pakete:
  ntp dovecot-gssapi dovecot-sieve dovecot-pgsql dovecot-sqlite dovecot-ldap
  dovecot-managesieved dovecot-solr postfix-pgsql postfix-ldap postfix-pcre sasl2-bin
  dovecot-common resolvconf postfix-cdb ufw postfix-doc openssl-blacklist
Die folgenden Pakete werden ENTFERNT:
  exim4 exim4-base exim4-config exim4-daemon-light
Die folgenden NEUEN Pakete werden installiert:
  dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-pop3d postfix postfix-mysql
  ssl-cert
0 aktualisiert, 8 neu installiert, 4 zu entfernen und 0 nicht aktualisiert.
Es müssen 6.228 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 7.874 kB Plattenplatz zusätzlich benutzt.


"Internet Site" auswählen
"mail.bla.de" als "System mail name" angeben...

### Erst mal beide Dienste stoppen, bis wir die Configs so weit haben...
	$ service dovecot stop && service postfix stop


Datenbank und Benutzer anlegen
*******************************

	$ mysql -p
### [MariaDB-root-PW eingeben]

CREATE DATABASE mailserver;
GRANT ALL PRIVILEGES ON mailserver.* TO 'mailuser'@'localhost' IDENTIFIED BY '[Passwort Copy/Paste]';
FLUSH PRIVILEGES;
exit



Benutzer für die virtuellen Postfächer anlegen
***********************************************

Wir legen alle Postfächer unterhalb von "/var/vmail/" an.

	$ mkdir /var/vmail
	$ groupadd -g 5000 vmail
	$ useradd -g vmail -u 5000 vmail -d /var/vmail
	$ chown vmail:vmail /var/vmail


Postfix-Admin
**************

	$ wget http://sourceforge.net/projects/postfixadmin/files/latest/download?source=files
	$ mv download?source=files postfixadmin.tar.gz
	$ tar xvfz postfixadmin.tar.gz
	$ mkdir /var/www/postfixadmin
	$ mv postfixadmin-2.93/* /var/www/postfixadmin
	$ rmdir postfixadmin-2.93
	$ chown -R www-data:www-data /var/www/postfixadmin/templates_c

	$ htpasswd -cm /var/www/postfixadmin/.htpass user
### [Passwort Copy/Paste]

	$ nano /etc/nginx/sites-available/postfixadmin.conf

------------------- SNIP IT -----------------------------
### HTTP sofort auf HTTPS umleiten
server {
	listen 80;
	server_name pfa.bla.de;
	rewrite ^(.*) https://$server_name$1 permanent;
}

### HTTPS Servervariablen
server {
	server_name pfa.bla.de;
	root /var/www/postfixadmin;
	auth_basic "Admin-Bereich - Zugriff nur mit Passwort!";
	auth_basic_user_file /var/www/postfixadmin/.htpass;
	index index.php;
	access_log /var/log/nginx/postfixadmin-access.log;
	error_log /var/log/nginx/postfixadmin-error.log;
	include hhvm.conf;
	include nein.conf;
	include ssl-base.conf;
	ssl_certificate /root/CA/certs/bla.de-vhost.crt;
	ssl_certificate_key /root/CA/private/bla.de-vhost.key;
}
-----------------------------------------------------------

	$ ln -s /etc/nginx/sites-available/postfixadmin.conf /etc/nginx/sites-enabled
	$ service nginx restart

	$ nano /var/www/postfixadmin/config.inc.php

$CONF['configured'] = true;

$CONF['default_language'] = 'de';

$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'mailuser';
$CONF['database_password'] = '[Passwort Copy/Paste]';
$CONF['database_name'] = 'mailserver';

$CONF['aliases'] = '0';
$CONF['mailboxes'] = '0';
$CONF['maxquota'] = '0';

$CONF['show_footer_text'] = 'YES';
$CONF['footer_text'] = 'Back to pfa.bla.de';
$CONF['footer_link'] = 'https://pfa.bla.de';


### Im Browser jetzt https://pfa.bla.de/setup.php aufmachen. Hier den Bildschirmanweisungen folgen...
### Setup-PW vergeben, den Hash-Key mittels "nano /var/www/postfixadmin/config.inc.php" einfügen.
### Admin-User anlegen. Nun kannst Du in Postfixadmin einloggen.


Postfix-MySQL-Anbindung: Config-Dateien erzeugen
*************************************************

	$ mkdir /etc/postfix/sql
	$ cd /var/www/postfixadmin/DOCUMENTS/
	$ sh POSTFIX_CONF.txt
### Daten eingeben, der Bildschirmausgabe folgen und die Config-Dateien verschieben

	$ mv /tmp/postfixadmin[TAB]/* /etc/postfix/sql/
	$ less POSTFIX_CONF.txt
### erhellende Infos über die main.cf

	$ nano /etc/postfix/mysql_sender_login_maps.cf

------------------- SNIP IT -----------------------------
hosts = localhost
user = mailuser
password = [Passwort Copy/Paste]
dbname = mailserver
query = SELECT username AS allowedUser FROM mailbox WHERE username='%s' AND active = 1 UNION SELECT goto FROM alias WHERE address='%s' AND active = 1
----------------------------------------------------------


Postfix konfigurieren
**********************

	$ cp /etc/postfix/main.cf{,.orig}
	$ nano /etc/postfix/main.cf

------------------- SNIP IT -----------------------------
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = bla.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#
## Mailboxen und Anbindung an MySQL
virtual_mailbox_base = /var/vmail/
virtual_minimum_uid = 1000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps =
	proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
	proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
	proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps =
	proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
	proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
#
## Authentification
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth-dovecot
smtpd_sasl_auth_enable=yes
smtpd_sasl_authenticated_header=yes
broken_sasl_auth_clients=yes
#
## SSL
smtpd_tls_cert_file=/root/CA/certs/bla.de-mail.crt
smtpd_tls_key_file=/root/CA/private/bla.de-mail.key
smtpd_tls_session_cache_timeout = 86400s
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
#
## ProxyMaps einlesen (gehört in EINE Zeile)
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
##
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_sender_restrictions =
	reject_authenticated_sender_login_mismatch,
	reject_unknown_sender_domain
#
## Spam Stuff
smtpd_helo_required=yes
disable_vrfy_command=yes
#
## Einschränkungen für SMTP - die Liste wird von oben nach unten abgearbeitet
smtpd_recipient_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_unknown_client_hostname,
	reject_unauth_destination,
	reject_non_fqdn_sender,
	reject_unknown_sender_domain,
	reject_invalid_hostname,
	reject_multi_recipient_bounce,
	reject_non_fqdn_recipient,
	reject_unknown_recipient_domain,
	reject_rbl_client bl.spamcop.net,
	reject_rbl_client zen.spamhaus.org,
	permit
#EOF
------------------------------------------------------------


	$ cp /etc/postfix/master.cf{,.orig}
	$ nano /etc/postfix/master.cf

### Vor "submission", "smtps" und "-o smtpd_tls_wrappermode=yes" die Rauten entfernen!


# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
[...]



Dovecot konfigurieren
**********************

	$ mv /etc/dovecot/dovecot.conf{,.orig}
	$ nano /etc/dovecot/dovecot.conf

------------------- SNIP IT -----------------------------
## Mailordner Struktur
mail_location = maildir:/var/vmail/%d/%n
#
## Kompressionsbibliothek aktivieren
mail_plugins = $mail_plugins zlib
#
## Mails beim Speichern komprimieren
plugin {
	zlib_save_level = 6 # 1..9; default is 6
	zlib_save = gz # or bz2, xz or lz4
}
#
## SSL
disable_plaintext_auth = yes
ssl = required
ssl_cert =</root/CA/certs/bla.de-mail.crt
ssl_key =</root/CA/private/bla.de-mail.key
#
auth_mechanisms = plain login
log_timestamp = "%Y-%m-%d %H:%M:%S "
#
## Protokolle und Dienste einrichten
protocols = imap pop3 lmtp
#
service lmtp {
	unix_listener /var/spool/postfix/private/dovecot-lmtp {
		mode = 0600
		user = postfix
		group = postfix
	}
}
#
service auth {
	unix_listener /var/spool/postfix/private/auth-dovecot {
		mode = 0660
		user = postfix
		group = postfix
	}
	unix_listener auth-master {
		mode = 0600
		user = vmail
	}
user = dovecot
}
#
service auth-worker {
	user = vmail
}
#
passdb {
	driver = sql
	args = /etc/dovecot/dovecot-mysql.conf
}
#
userdb {
	driver = static
	args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}
#
protocol pop3 {
	pop3_uidl_format = %08Xu%08Xv
}
#
protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	postmaster_address = notfall@e-mail-provider.de
}
#
#EOF
---------------------------------------------------------


	$ nano /etc/dovecot/dovecot-mysql.conf

------------------- SNIP IT -----------------------------
driver = mysql
connect = host=localhost dbname=mailserver user=mailuser password=[Passwort Copy/Paste]
default_pass_scheme = MD5-CRYPT
password_query = SELECT password FROM mailbox WHERE username = '%u'
---------------------------------------------------------

	$ chown -R vmail:dovecot /etc/dovecot && chmod -R o-rwx /etc/dovecot
	$ chown -R postfix:postfix /etc/postfix && chmod -R o-rwx /etc/postfix
	$ service dovecot start && service postfix start


Test OpenRelay:
****************

http://www.mailradar.com/openrelay/
http://mxtoolbox.com/diagnostic.aspx

#EOF