VPN Mail Apache Server
VM
Install FreeBSD minimally with vm-bhyve.
freebsd-update fetch
freebsd-update install
pkg update
pkg upgrade
pkg install htop zsh nano rsync openvpn ncdu
Enable root login for now.
nano /etc/ssh/sshd_config
PermitRootLogin yes
VPN
mkdir /usr/local/etc/openvpn
cd /usr/local/etc/openvpn/
Download the configuration files and keys with wget.
wget https://service.portunity.net/downloads/vpntunnel-via-v4.tar.gz
Unpack:
tar -xzvf vpntunnel-via-v4.tar.gz
Change the user name and the password.
nano portunity.login
nano portunity.conf
Important! Open the file portunity.conf and, in the line
remote OpenVPN-Server 1194
replace OpenVPN-Server with the address given in the product under Konfiguration-Info-OpenVPN-Server. Then add the line
tls-version-min 1.0
at the end of the configuration.
It can also be useful to adapt the following options to your own needs:
- auth-user-pass: so that the login data is not read from a file
- redirect-gateway: comment out or delete this so that the tunnel does not become the default gateway
- user nobody: drop all privileges once the tunnel is up
- group nogroup: on other distributions this group may be called nobody
- verb: to get more debug information (recommendation: raise from 3 to 7)
On FreeBSD: user and group nobody
sysrc openvpn_enable="YES"
or
nano /etc/rc.conf
openvpn_enable="YES"
service openvpn start
Is this needed? gateway_enable="YES"
https://thomas-leister.de/mailserver-debian-buster/
Preparations
Set the hostname and server FQDN
nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 mail.sonnenhaus-schmidt.de mail
192.168.2.20 FreeBSD.at-home FreeBSD
192.168.2.21 FreeBSD.at-home FreeBSD
192.168.2.22 FreeBSD.at-home FreeBSD
192.168.2.23 FreeBSD.at-home FreeBSD
192.168.2.24 FreeBSD.at-home FreeBSD
192.168.2.25 FreeBSD.at-home FreeBSD
Install Unbound
pkg install unbound bind-tools
service unbound onestart
Test with
dig @::1 denic.de +short +dnssec
or
dig @127.0.0.1 denic.de +short +dnssec
If the dig command worked, the local resolver can be set as the primary resolver:
nano /etc/resolv.conf
#search at-home
#nameserver 192.168.2.1
nameserver 127.0.0.1
nameserver ::1
Set up DNS
see https://thomas-leister.de/mailserver-debian-buster
Reverse DNS
see https://thomas-leister.de/mailserver-debian-buster
SPF records
see https://thomas-leister.de/mailserver-debian-buster
DMARC records
see https://thomas-leister.de/mailserver-debian-buster
Nginx web server
pkg install nginx
nano /usr/local/etc/nginx/nginx.conf
server {
    listen 80;
    listen [::]:80;
#   listen 443 ssl http2;
#   listen [::]:443 ssl http2;

    server_name sonnenhaus-schmidt.de mail.sonnenhaus-schmidt.de imap.sonnenhaus-schmidt.de smtp.sonnenhaus-schmidt.de;

#   ssl_certificate /root/.acme.sh/sonnenhaus-schmidt.de/fullchain.cer;
#   ssl_certificate_key /root/.acme.sh/sonnenhaus-schmidt.de/sonnenhaus-schmidt.de.key;

#   add_header Strict-Transport-Security max-age=15768000;

#   if ($ssl_protocol = "") {
#       return 301 https://$server_name$request_uri;
#   }
}
service nginx onestart
pkg install curl
curl https://get.acme.sh | sh
Log in again; nginx must be running, and so must openvpn.
acme.sh --issue --nginx -d sonnenhaus-schmidt.de -d mail.sonnenhaus-schmidt.de -d imap.sonnenhaus-schmidt.de -d smtp.sonnenhaus-schmidt.de
[Wed Feb 10 13:52:47 CET 2021] Your cert is in /root/.acme.sh/sonnenhaus-schmidt.de/sonnenhaus-schmidt.de.cer
[Wed Feb 10 13:52:47 CET 2021] Your cert key is in /root/.acme.sh/sonnenhaus-schmidt.de/sonnenhaus-schmidt.de.key
[Wed Feb 10 13:52:47 CET 2021] The intermediate CA cert is in /root/.acme.sh/sonnenhaus-schmidt.de/ca.cer
[Wed Feb 10 13:52:47 CET 2021] And the full chain certs is there: /root/.acme.sh/sonnenhaus-schmidt.de/fullchain.cer
Rather not:
acme.sh --install-cert --cert-home /root/mycerts -d mail.sonnenhaus-schmidt.de --cert-file /root/.acme.sh/mail.sonnenhaus-schmidt.de/mail.sonnenhaus-schmidt.de.cer --key-file /root/.acme.sh/mail.sonnenhaus-schmidt.de/mail.sonnenhaus-schmidt.de.key --ca-file /root/.acme.sh/mail.sonnenhaus-schmidt.de/ca.cer --fullchain-file /root/.acme.sh/mail.sonnenhaus-schmidt.de/fullchain.cer --reloadcmd "service nginx reload; service dovecot reload; service postfix reload;"
acme.sh --install-cert -d sonnenhaus-schmidt.de --reloadcmd "service nginx reload; service dovecot reload; service postfix reload;"
So that automatic certificate renewal works, the cron job for acme.sh still has to be enabled:
acme.sh --install-cronjob
MariaDB server
pkg search mariadb
pkg install mariadb105-server
sysrc mysql_enable="YES"
service mysql-server start
mysql_secure_installation
mysql
create database vmail CHARACTER SET 'utf8';
grant select on vmail.* to 'vmail'@'localhost' identified by 'Passwort';
use vmail;

CREATE TABLE `domains` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `domain` varchar(255) NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY (`domain`)
);

CREATE TABLE `accounts` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `username` varchar(64) NOT NULL,
    `domain` varchar(255) NOT NULL,
    `password` varchar(255) NOT NULL,
    `quota` int unsigned DEFAULT '0',
    `enabled` boolean DEFAULT '0',
    `sendonly` boolean DEFAULT '0',
    PRIMARY KEY (id),
    UNIQUE KEY (`username`, `domain`),
    FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
);

CREATE TABLE `aliases` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `source_username` varchar(64),
    `source_domain` varchar(255) NOT NULL,
    `destination_username` varchar(64) NOT NULL,
    `destination_domain` varchar(255) NOT NULL,
    `enabled` boolean DEFAULT '0',
    PRIMARY KEY (`id`),
    UNIQUE KEY (`source_username`, `source_domain`, `destination_username`, `destination_domain`),
    FOREIGN KEY (`source_domain`) REFERENCES `domains` (`domain`)
);

CREATE TABLE `tlspolicies` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `domain` varchar(255) NOT NULL,
    `policy` enum('none', 'may', 'encrypt', 'dane', 'dane-only', 'fingerprint', 'verify', 'secure') NOT NULL,
    `params` varchar(255),
    PRIMARY KEY (`id`),
    UNIQUE KEY (`domain`)
);
Set up the vmail user and directory
adduser -d /var -s /usr/sbin/nologin
mkdir /var/vmail/mailboxes
mkdir -p /var/vmail/sieve/global
chown -R vmail /var/vmail
chgrp -R vmail /var/vmail
chmod -R 770 /var/vmail
Install and configure Dovecot
pkg install dovecot
pkg install dovecot-pigeonhole
nano /etc/rc.conf
dovecot_enable="YES"
Rather not:
cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot
Better this way:
cd /usr/local/etc/dovecot
nano dovecot.conf
##
## Enabled protocols
##

protocols = imap lmtp sieve


##
## TLS config
## Source: https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d&guideline=5.4
##

ssl = required

ssl_cert = </root/.acme.sh/sonnenhaus-schmidt.de/fullchain.cer
ssl_key = </root/.acme.sh/sonnenhaus-schmidt.de/sonnenhaus-schmidt.de.key

ssl_dh = </usr/local/etc/dovecot/dh4096.pem

ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no


##
## Dovecot services
##

service imap-login {
    inet_listener imap {
        port = 143
    }
}

service managesieve-login {
    inet_listener sieve {
        port = 4190
    }
}

service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        mode = 0660
        group = postfix
        user = postfix
    }

    user = vmail
}

service auth {
    ### Auth socket for Postfix
    unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
    }

    ### Auth socket for the LMTP service
    unix_listener auth-userdb {
        mode = 0660
        user = vmail
        group = vmail
    }
}


##
## Protocol settings
##

protocol imap {
    mail_plugins = $mail_plugins quota imap_quota imap_sieve
    mail_max_userip_connections = 20
    imap_idle_notify_interval = 29 mins
}

protocol lmtp {
    postmaster_address = postmaster@sonnenhaus-schmidt.de
    mail_plugins = $mail_plugins sieve notify push_notification
}


##
## Client authentication
##

disable_plaintext_auth = yes
auth_mechanisms = plain login
auth_username_format = %Lu

passdb {
    driver = sql
    args = /usr/local/etc/dovecot/dovecot-sql.conf
}

userdb {
    driver = sql
    args = /usr/local/etc/dovecot/dovecot-sql.conf
}


##
## Address tagging
##
recipient_delimiter = +


##
## Mail location
##

mail_uid = vmail
mail_gid = vmail
mail_privileged_group = vmail

mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs


##
## Mailbox configuration
##

namespace inbox {
    inbox = yes

    mailbox Spam {
        auto = subscribe
        special_use = \Junk
    }

    mailbox Trash {
        auto = subscribe
        special_use = \Trash
    }

    mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
    }

    mailbox Sent {
        auto = subscribe
        special_use = \Sent
    }
}


##
## Mail plugins
##

plugin {
    sieve_plugins = sieve_imapsieve sieve_extprograms
    sieve_before = /var/vmail/sieve/global/spam-global.sieve
    sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve

    ###
    ### Spam learning
    ###
    # From elsewhere to Spam folder
    imapsieve_mailbox1_name = Spam
    imapsieve_mailbox1_causes = COPY
    imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve

    # From Spam folder to elsewhere
    imapsieve_mailbox2_name = *
    imapsieve_mailbox2_from = Spam
    imapsieve_mailbox2_causes = COPY
    imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve

    sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
    sieve_global_extensions = +vnd.dovecot.pipe

    quota = maildir:User quota
    quota_exceeded_message = Benutzer %u hat das Speichervolumen überschritten. / User %u has exhausted allowed storage space.
}
Generate Diffie-Hellman parameters for Dovecot
openssl dhparam -out /usr/local/etc/dovecot/dh4096.pem 4096
SQL configuration file
nano /usr/local/etc/dovecot/dovecot-sql.conf
driver=mysql
connect = "host=localhost dbname=vmail user=vmail password=Passwort"
default_pass_scheme = SHA512-CRYPT

password_query = SELECT username AS user, domain, password FROM accounts WHERE username = '%Ln' AND domain = '%Ld' and enabled = true;
user_query = SELECT concat('*:storage=', quota, 'M') AS quota_rule FROM accounts WHERE username = '%Ln' AND domain = '%Ld' AND sendonly = false;
iterate_query = SELECT username, domain FROM accounts where sendonly = false;
Secure it:
chmod 440 dovecot-sql.conf
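The accounts.password column has to hold a hash in the scheme named by default_pass_scheme, and these notes never show how to produce one; on the server itself Dovecot's doveadm pw -s SHA512-CRYPT does it. The following Python example is added here and is not part of the original notes: it implements SHA512-CRYPT (the crypt(3) $6$ format) with hashlib so the stored value can be generated and verified offline; dovecot_password and verify_password are names chosen for this example.

```python
import hashlib
import hmac
import secrets

# crypt(3) base64 alphabet (not RFC 4648) and the byte order in which SHA512-CRYPT
# encodes its 64-byte digest, both as in the glibc/Drepper specification.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4), (47, 5, 26),
          (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51), (31, 52, 10), (53, 11, 32),
          (12, 33, 54), (34, 55, 13), (56, 14, 35), (15, 36, 57), (37, 58, 16), (59, 17, 38),
          (18, 39, 60), (40, 61, 19), (62, 20, 41)]


def _b64(value: int, chars: int) -> str:
    out = ""
    for _ in range(chars):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """crypt(3) SHA-512 hash ($6$salt$hash) of password; salt is at most 16 characters."""
    pw, salt = password.encode(), salt[:16]
    sb = salt.encode()
    b = hashlib.sha512(pw + sb + pw).digest()            # digest B = pw + salt + pw
    ctx = hashlib.sha512(pw + sb)                         # digest A starts with pw + salt
    n = len(pw)
    while n > 64:                                         # then B, repeated to len(pw) bytes
        ctx.update(b)
        n -= 64
    ctx.update(b[:n])
    n = len(pw)
    while n > 0:                                          # bits of len(pw) select B or pw
        ctx.update(b if n & 1 else pw)
        n >>= 1
    a = ctx.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()            # byte sequence P from the password
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    ds = hashlib.sha512(sb * (16 + a[0])).digest()        # byte sequence S from the salt
    s = (ds * (len(sb) // 64 + 1))[:len(sb)]
    c = a
    for i in range(rounds):                               # key stretching
        ctx = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    encoded = "".join(_b64((c[x] << 16) | (c[y] << 8) | c[z], 4) for x, y, z in _ORDER)
    encoded += _b64(c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${encoded}"


def dovecot_password(password: str) -> str:
    """Value for accounts.password. The {SHA512-CRYPT} tag is optional when
    default_pass_scheme = SHA512-CRYPT is set, but it makes the scheme explicit."""
    salt = "".join(secrets.choice(_ITOA64) for _ in range(16))
    return "{SHA512-CRYPT}" + sha512_crypt(password, salt)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare the hash part in constant time."""
    if stored.startswith("{SHA512-CRYPT}"):
        stored = stored[len("{SHA512-CRYPT}"):]
    parts = stored.split("$")          # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][7:])
        parts.pop(2)
    expected = sha512_crypt(password, parts[2], rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(expected, parts[3])
```

The resulting string is what goes into the INSERT for the accounts table; the hash for "Hello world!" with salt "saltstring" matches the reference vector from the specification.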
cd /var/vmail/sieve/global/
nano spam-global.sieve
require "fileinto";

if header :contains "X-Spam-Flag" "YES" {
    fileinto "Spam";
}

if header :is "X-Spam" "Yes" {
    fileinto "Spam";
}
nano learn-spam.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];
nano learn-ham.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];

if environment :matches "imap.mailbox" "*" {
    set "mailbox" "${1}";
}

if string "${mailbox}" "Trash" {
    stop;
}

pipe :copy "rspamc" ["learn_ham"];
Install and configure Postfix
pkg install postfix
sysrc postfix_enable="YES"
sysrc sendmail_enable="NONE"
If postfix is not already activated in /usr/local/etc/mail/mailer.conf:
mv /usr/local/etc/mail/mailer.conf /usr/local/etc/mail/mailer.conf.old
If the directory does not exist:
mkdir /usr/local/etc/mail/

install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
Disable sendmail(8) specific tasks, add the following lines to /etc/periodic.conf(.local):
nano /etc/defaults/periodic.conf
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
Disable the other entries.
If you are using SASL, you need to make sure that postfix has access to read the sasldb file. This is accomplished by adding postfix to group mail and making the /usr/local/etc/sasldb* file(s) readable by group mail (this should be the default for new installs).
cd /usr/local/etc/postfix
rm -r sasl
nano main.cf
##
## Network settings
##

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = 127.0.0.1, ::1, 192.168.2.45, 188.246.4.243
myhostname = mail.sonnenhaus-schmidt.de


##
## Mail queue settings
##

maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m


##
## TLS settings
## Source: https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=intermediate&openssl=1.1.1d&guideline=5.4
##

### General
tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

### Outgoing SMTP connections (Postfix as sender)
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = proxy:mysql:/usr/local/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_ciphers = medium
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
# or smtp_tls_CAfile = /root/ca-certificates.crt (copy from Debian)
#smtp_tls_CApath = /etc/ssl/certs/

### Incoming SMTP connections
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file=/root/.acme.sh/sonnenhaus-schmidt.de/fullchain.cer
smtpd_tls_key_file=/root/.acme.sh/sonnenhaus-schmidt.de/sonnenhaus-schmidt.de.key
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/dh2048.pem


##
## Local mail delivery to Dovecot
##

virtual_transport = lmtp:unix:private/dovecot-lmtp


##
## Spam filter and DKIM signatures via Rspamd
##

smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept


##
## Server restrictions for clients, recipients and relaying
## (for server-to-server connections; mail client connections are configured in master.cf in the submission section)
##

### Conditions for Postfix to act as a relay (for clients)
smtpd_relay_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination


### Conditions for Postfix to accept incoming e-mail as the recipient server (in addition to the relay conditions)
### check_recipient_access checks whether an account is sendonly
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/usr/local/etc/postfix/sql/recipient-access.cf


### Conditions that SMTP clients (sending servers) must meet
smtpd_client_restrictions = permit_mynetworks
    check_client_access hash:/usr/local/etc/postfix/without_ptr
    reject_unknown_client_hostname


### When foreign servers connect, they must present a valid host name in HELO.
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

# Block clients that try to send too early
smtpd_data_restrictions = reject_unauth_pipelining


##
## Restrictions for MUAs (mail user agents)
##

mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject


##
## MySQL queries
##

proxy_read_maps = proxy:mysql:/usr/local/etc/postfix/sql/aliases.cf
    proxy:mysql:/usr/local/etc/postfix/sql/accounts.cf
    proxy:mysql:/usr/local/etc/postfix/sql/domains.cf
    proxy:mysql:/usr/local/etc/postfix/sql/recipient-access.cf
    proxy:mysql:/usr/local/etc/postfix/sql/sender-login-maps.cf
    proxy:mysql:/usr/local/etc/postfix/sql/tls-policy.cf

virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps


##
## Miscellaneous
##

### Maximum size of the whole mailbox (to be set by Dovecot; 0 = unlimited)
mailbox_size_limit = 0

### Maximum size of incoming e-mails in bytes (50 MB)
message_size_limit = 52428800

### No system notification for users on new e-mail
biff = no

### Users must always give the full e-mail address, not just the host name
append_dot_mydomain = no

### Separator for "address tagging"
recipient_delimiter = +

### Do not allow inferring which mail addresses exist
disable_vrfy_command = yes
Generate Diffie-Hellman parameters for Postfix
openssl dhparam -out /usr/local/etc/postfix/dh2048.pem 2048
nano master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
###
### SMTP server connections from the internet
### Authentication not allowed here (login only via smtps/submission!)
smtp      inet  n       -       y       -       1       smtpd
  -o smtpd_sasl_auth_enable=no
###
### SMTPS service (submission with implicit TLS, without STARTTLS) - port 465
### Different rules apply to mail clients than to other mail servers (see smtpd_ in main.cf)
###
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sender_login_maps=proxy:mysql:/usr/local/etc/postfix/sql/sender-login-maps.cf
  -o smtpd_helo_required=no
  -o smtpd_helo_restrictions=
  -o cleanup_service_name=submission-header-cleanup
###
### Submission access for clients (with STARTTLS, for backwards compatibility) - port 587
### J.S.: we don't need this....
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_sasl_type=dovecot
#  -o smtpd_sasl_path=private/auth
#  -o smtpd_sasl_security_options=noanonymous
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_relay_restrictions=$mua_relay_restrictions
#  -o milter_macro_daemon_name=ORIGINATING
#  -o smtpd_sender_login_maps=proxy:mysql:/usr/local/etc/postfix/sql/sender-login-maps.cf
#  -o smtpd_helo_required=no
#  -o smtpd_helo_restrictions=
#  -o cleanup_service_name=submission-header-cleanup
###
### Other important services for server operation
###
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
###
### Cleanup service to remove MUA headers
###
submission-header-cleanup unix n - n - 0 cleanup
  -o header_checks=regexp:/usr/local/etc/postfix/submission_header_cleanup
nano submission_header_cleanup
### Removes privacy-relevant headers from e-mails submitted by MUAs

/^Received:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
SQL configuration
mkdir /usr/local/etc/postfix/sql
nano accounts.cf
user = vmail
password = vmaildbpass
hosts = unix:/var/run/mysql/mysql.sock
dbname = vmail
query = select 1 as found from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
nano aliases.cf
user = vmail
password = vmaildbpass
hosts = unix:/var/run/mysql/mysql.sock
dbname = vmail
query = SELECT DISTINCT concat(destination_username, '@', destination_domain) AS destinations FROM aliases
    WHERE (source_username = '%u' OR source_username IS NULL) AND source_domain = '%d'
    AND enabled = true
    AND NOT EXISTS (SELECT id FROM accounts WHERE username = '%u' and domain = '%d');
nano domains.cf
user = vmail
password = vmaildbpass
hosts = unix:/var/run/mysql/mysql.sock
dbname = vmail
query = SELECT domain FROM domains WHERE domain='%s';
nano recipient-access.cf
user = vmail
password = vmaildbpass
hosts = unix:/var/run/mysql/mysql.sock
dbname = vmail
query = select if(sendonly = true, 'REJECT', 'OK') AS access from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
nano sender-login-maps.cf
user = vmail
password = vmaildbpass
hosts = unix:/var/run/mysql/mysql.sock
dbname = vmail
query = select concat(username, '@', domain) as 'owns' from accounts where username = '%u' AND domain = '%d' and enabled = true union select
    concat(destination_username, '@', destination_domain) AS 'owns' from aliases
    where source_username = '%u' and source_domain = '%d' and enabled = true;
nano tls-policy.cf
user = vmail
password = vmaildbpass
hosts = unix:/var/run/mysql/mysql.sock
dbname = vmail
query = SELECT policy, params FROM tlspolicies WHERE domain = '%s';
Don't forget to replace vmaildbpass in each of these files with your own password!
chown -R root:postfix /usr/local/etc/postfix/sql
chmod g+x /usr/local/etc/postfix/sql

touch /usr/local/etc/postfix/without_ptr

postmap /usr/local/etc/postfix/without_ptr

service postfix reload

newaliases
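The map queries above decide who receives mail and who may send as which address, and their interaction is easy to get wrong (catch-all aliases, send-only accounts, aliases whose source is itself a real account). The following Python example is added here and is not part of the original notes: it ports the page's schema and queries to SQLite (|| and CASE in place of concat() and if(), bound parameters in place of %u/%d) and runs them against constructed sample data; resolve_recipient only approximates the order in which Postfix consults the maps.

```python
import sqlite3

# The page's MariaDB schema, ported to SQLite for an offline demo (AUTO_INCREMENT,
# UNIQUE KEY and enum() have no SQLite equivalent; the columns are the same).
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, domain TEXT NOT NULL UNIQUE);
CREATE TABLE accounts (
    id INTEGER PRIMARY KEY, username TEXT NOT NULL, domain TEXT NOT NULL,
    password TEXT NOT NULL, quota INTEGER DEFAULT 0,
    enabled INTEGER DEFAULT 0, sendonly INTEGER DEFAULT 0,
    UNIQUE (username, domain), FOREIGN KEY (domain) REFERENCES domains (domain));
CREATE TABLE aliases (
    id INTEGER PRIMARY KEY, source_username TEXT, source_domain TEXT NOT NULL,
    destination_username TEXT NOT NULL, destination_domain TEXT NOT NULL,
    enabled INTEGER DEFAULT 0,
    UNIQUE (source_username, source_domain, destination_username, destination_domain),
    FOREIGN KEY (source_domain) REFERENCES domains (domain));
"""

# Constructed sample data: a normal account, a send-only account, a named alias,
# a catch-all alias (source_username NULL) and an alias whose source is a real account.
DATA = """
INSERT INTO domains (domain) VALUES ('example.test');
INSERT INTO accounts (username, domain, password, enabled, sendonly) VALUES
    ('alice',   'example.test', '{SHA512-CRYPT}$6$placeholder', 1, 0),
    ('noreply', 'example.test', '{SHA512-CRYPT}$6$placeholder', 1, 1);
INSERT INTO aliases (source_username, source_domain, destination_username, destination_domain, enabled) VALUES
    ('postmaster', 'example.test', 'alice', 'example.test', 1),
    (NULL,         'example.test', 'alice', 'example.test', 1),
    ('alice',      'example.test', 'bob',   'example.test', 1);
"""

# The queries from accounts.cf, aliases.cf, recipient-access.cf and sender-login-maps.cf.
# Postfix fills in %u (local part) and %d (domain); here they are bound parameters.
# concat() and if() are written as || and CASE because SQLite has neither.
Q_ACCOUNTS = "SELECT 1 AS found FROM accounts WHERE username = ? AND domain = ? AND enabled = 1 LIMIT 1"
Q_ALIASES = """SELECT DISTINCT destination_username || '@' || destination_domain AS destinations
    FROM aliases WHERE (source_username = ? OR source_username IS NULL) AND source_domain = ?
    AND enabled = 1 AND NOT EXISTS (SELECT id FROM accounts WHERE username = ? AND domain = ?)"""
Q_RECIPIENT_ACCESS = """SELECT CASE WHEN sendonly = 1 THEN 'REJECT' ELSE 'OK' END AS access
    FROM accounts WHERE username = ? AND domain = ? AND enabled = 1 LIMIT 1"""
Q_SENDER_LOGIN = """SELECT username || '@' || domain AS owns FROM accounts
    WHERE username = ? AND domain = ? AND enabled = 1
    UNION SELECT destination_username || '@' || destination_domain AS owns FROM aliases
    WHERE source_username = ? AND source_domain = ? AND enabled = 1"""


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + DATA)
    return conn


def lookup(conn, sql, *params):
    return [row[0] for row in conn.execute(sql, params)]


def resolve_recipient(conn, user, domain):
    """Approximate the order in which Postfix consults the maps for RCPT TO:
    check_recipient_access first, then virtual_alias_maps, then virtual_mailbox_maps."""
    if lookup(conn, Q_RECIPIENT_ACCESS, user, domain) == ["REJECT"]:
        return "REJECT (sendonly account)"
    destinations = lookup(conn, Q_ALIASES, user, domain, user, domain)
    if destinations:
        return "ALIAS -> " + ",".join(destinations)
    if lookup(conn, Q_ACCOUNTS, user, domain):
        return "MAILBOX"
    return "REJECT (unknown recipient)"


def may_send_as(conn, login, mail_from):
    """reject_sender_login_mismatch: the SASL login must be one of the owners that
    smtpd_sender_login_maps returns for the MAIL FROM address."""
    from_user, from_domain = mail_from.split("@", 1)
    owners = lookup(conn, Q_SENDER_LOGIN, from_user, from_domain, from_user, from_domain)
    return login in owners


if __name__ == "__main__":
    db = build_demo_db()
    for rcpt in ("alice", "postmaster", "anything", "noreply"):
        print(rcpt, "->", resolve_recipient(db, rcpt, "example.test"))
```

Two points the run makes visible: the NOT EXISTS clause keeps the alias alice -> bob from hijacking alice's own mailbox, and the catch-all alias lets alice receive any address but, because sender-login-maps matches source_username exactly, does not let her send as one.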
Rspamd
pkg install rspamd
service rspamd enable
or
nano /etc/rc.conf
rspamd_enable="YES"
rspamadm pw
passphrase 'PasswortPasswort'
$2$1bo9khn4k93qetr7zcmt11dj3pxgaadx$y45ycz557h8yuja5zxjbsxuft9b4hb5ddk474uz8c5w3qprph9ky

cd /usr/local/etc/rspamd
mkdir local.d
cd local.d
Insert copies of the files here.
nano worker-controller.inc
Enter the password, and:
bind 127.0.0.1
nano logging.inc
type = "syslog";
level = "warning";
nano milter_headers.conf
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
authenticated_headers = ["authentication-results"];
nano classifier-bayes.conf
backend = "redis";
nano redis.conf
servers = "127.0.0.1";
nano multimap.conf
WHITELIST_IP {
    type = "ip";
    map = "$CONFDIR/local.d/whitelist_ip.map";
    description = "Local ip whitelist";
    action = "accept";
}

WHITELIST_FROM {
    type = "from";
    map = "$CONFDIR/local.d/whitelist_from.map";
    description = "Local from whitelist";
    action = "accept";
}

BLACKLIST_IP {
    type = "ip";
    map = "$CONFDIR/local.d/blacklist_ip.map";
    description = "Local ip blacklist";
    action = "reject";
}

BLACKLIST_FROM {
    type = "from";
    map = "$CONFDIR/local.d/blacklist_from.map";
    description = "Local from blacklist";
    action = "reject";
}
touch whitelist_ip.map
touch whitelist_from.map
touch blacklist_ip.map
touch blacklist_from.map
nano dkim_signing.conf
path = "/var/lib/rspamd/dkim/$selector.key";
selector = "2018";

### Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;
cp dkim_signing.conf arc.conf

cd ..

mkdir override.d
cd override.d
nano classifier-bayes.conf
autolearn = true;
DKIM signing
mkdir /var/lib/rspamd/dkim
Copy 2018.key and 2018.txt there.
chown -R rspamd:rspamd /var/lib/rspamd/dkim
chmod 440 /var/lib/rspamd/dkim/*
Redis as cache and key-value store for Rspamd modules
pkg install redis
The config file is /usr/local/etc/redis.conf
nano /etc/rc.conf
redis_enable="YES"
or
service redis enable
nginx proxy for rspamd
nano /usr/local/etc/nginx/nginx.conf
Section for this:
    add_header Strict-Transport-Security max-age=15768000;

    location /rspamd/ {
        proxy_pass http://localhost:11334/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    if ($ssl_protocol = "") {
        return 301 https://$server_name$request_uri;
    }
Test:
nginx -t
service nginx restart
service redis restart
service rspamd restart
service postfix restart
service dovecot restart
service unbound restart
Problem with dovecot because of the mysql interface.
Source: https://www.teslina.com/tutorials/freebsd/installation-software/installation-dovecot/
portsnap fetch
portsnap extract
then
portsnap fetch update

cd /usr/ports/mail/dovecot
make configure
Select mysql.
make install
pkg lock dovecot
Because of dovecot, also do this:
cd /usr/ports/mail/dovecot-pigeonhole
make configure
make install
pkg lock dovecot-pigeonhole