{{tag>Debian Serveur Mail TLS SMTP Postfix}}
= Monter son serveur mail sous Debian
Voir [[https://doc.fedora-fr.org/wiki/G%C3%A9rer_ses_courriels_en_ligne_de_commande|Gérer ses courriels en ligne de commande]]
Tester la conf : https://www.mail-tester.com/
Voir : https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
== Configuration du serveur SMTP Postfix
serv1
''/etc/postfix/main.cf''
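# /etc/postfix/main.cf — serv1: inbound MX for acme.fr plus authenticated
# submission through Dovecot SASL. Comments explain the security-relevant
# choices; see /usr/share/postfix/main.cf.dist for a commented, more complete version.
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
#smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
# The 220 greeting MUST start with $myhostname (RFC 5321, postconf(5) smtpd_banner);
# free text may follow. A banner without the hostname is a protocol violation and
# trips some anti-spam checks on the receiving side.
smtpd_banner = $myhostname ESMTP - Every illegal access will be referred to the appropriate authorities and the CERT.
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters (server side). With the certbot setup further down this page,
# point these at /etc/letsencrypt/live/<host>/fullchain.pem and privkey.pem,
# otherwise the renew hook restarts Postfix for nothing.
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
# Legacy switch, superseded by smtpd_tls_security_level below; harmless on new releases.
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = serv1.acme.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = acme.fr, serv1.acme.fr, localhost.localdomain, localhost
relayhost =
# Every client in these ranges relays WITHOUT authenticating (permit_mynetworks
# below). 172.16.0.0/12 is the whole RFC 1918 /12: narrow it to the subnets that
# really need it — any compromised internal host becomes a spam source otherwise.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
mailbox_command = procmail -a "$EXTENSION"
#smtpd_sasl_local_domain =
#broken_sasl_auth_clients = yes
# Anti-relay. Only our own networks and authenticated users may send to
# destinations we are not responsible for; reject_unauth_destination MUST stay,
# and must come before any "permit".
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
# Postfix >= 2.10 takes the relay decision here, before smtpd_recipient_restrictions;
# older releases only log "unused parameter", so it is safe to set on both.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# SASL is delegated to Dovecot's unix_listener (see /etc/dovecot/conf.d/10-master.conf).
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# Never advertise AUTH on a cleartext session, and refuse plaintext mechanisms
# (PLAIN/LOGIN) there even if a client tries anyway. Once TLS is up the
# *_tls_* options apply and PLAIN/LOGIN are fine. Same settings as the
# postconf -n listing at the end of this page.
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# virtual_alias_maps = hash:/etc/postfix/virtual
# inbound: opportunistic TLS. "encrypt" would lose mail from senders that do
# not do STARTTLS, so "may" is the right level for an MX.
smtpd_tls_security_level = may
# TLS 1.0/1.1 are deprecated (RFC 8996). They are still tolerated for the
# opportunistic list (the alternative is cleartext), but excluded wherever TLS
# is mandatory. Postfix < 3.6 has no ">=TLSv1.2" syntax, hence the exclusion lists.
smtpd_tls_protocols = !SSLv2,!SSLv3
# Only consulted by services running at security_level encrypt/verify
# (e.g. a submission entry in master.cf, not shown on this page).
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# outbound
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1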
Koala
''/etc/postfix/main.cf''
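# /etc/postfix/main.cf — Koala (smtp.acme.fr, primary MX). No SASL/submission
# on this host: it only receives for acme.fr and sends out.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
#smtpd_banner = $myhostname ESMTP $mail_name (GNU)
# The 220 greeting MUST start with $myhostname (RFC 5321, postconf(5)); free text may follow.
smtpd_banner = $myhostname ESMTP - Every illegal access will be referred to the appropriate authorities and the CERT.
biff = yes
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters. The "snakeoil" pair is the self-signed certificate generated
# at install time: peers cannot verify it, and it is not what the certbot
# renew hook on this page renews. Replace it with
# /etc/letsencrypt/live/<host>/fullchain.pem + privkey.pem once certbot is set up.
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
# Legacy switch, superseded by smtpd_tls_security_level; kept for old releases.
smtpd_use_tls = yes
# inbound: opportunistic STARTTLS, SSLv2/3 refused
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3
# outbound: without this the smtp client never uses STARTTLS (default level is
# "none"), so everything Koala sends leaves in cleartext.
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = smtp.acme.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = acme.fr, localhost.localdomain, localhost
relayhost =
# Every client in these ranges relays without authenticating; keep the list to
# the subnets that really need it (172.16.0.0/12 is the whole RFC 1918 /12).
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24 172.16.0.0/12
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
# 10 MiB
message_size_limit = 10485760
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
# acme.fr is delivered locally (it is in mydestination); Postfix warns when a
# domain is listed in BOTH mydestination and relay_domains, so relay_domains
# stays empty. Only list domains this MX forwards to ANOTHER host.
relay_domains =
home_mailbox = Maildir/
# Anti-relay, written out explicitly even though it matches the Postfix default,
# so that a later edit cannot silently turn this MX into an open relay.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# VRFY lets anyone enumerate valid accounts; same setting as serv1.
disable_vrfy_command = yes
notify_classes = resource, software, protocol
# defer_transports was set twice (first "smtp", then empty); Postfix keeps the
# last value, so the effective setting was "nothing deferred" — kept as one line.
defer_transports =
delay_warning_time = 5m
#maximal_queue_lifetime = 5d
# Only has an effect for hosts listed in debug_peer_list (not set here).
debug_peer_level = 7
#default_transport = smtp:smtp.acme.fr
disable_dns_lookups = no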
''/etc/mailname''
acme.fr
''/etc/aliases''
# See man 5 aliases for format
dev-null: /dev/null
# postmaster and abuse are mandatory (RFC 2142). Through "root: jibe" below they
# all end up in jibe's mailbox, so make sure that mailbox is actually read.
postmaster: root
abuse: root
jean: jibe
root: jibe
# https://arno0x0x.wordpress.com/2016/02/07/postfix-lancer-un-script-sur-reception-dun-e-mail/
# A "|command" alias in the root-owned /etc/aliases runs as the default_privs
# user (nobody by default) and gets the raw message on stdin. Anyone who can
# reach this address feeds the script attacker-controlled input: it must not
# trust headers or body, and the script file must not be writable by nobody.
bot: "|/path/to/script/mailBot.php"
Puis
''/etc/postfix/virtual''
adresse@acme.fr comptelocal
(une entrée par ligne : l'adresse virtuelle à gauche, le compte local ou l'adresse de destination à droite ; le fichier n'est pris en compte que si ''virtual_alias_maps = hash:/etc/postfix/virtual'' est actif dans main.cf — c'est le cas sur Koala, mais la ligne est commentée sur serv1)
postmap /etc/postfix/virtual
Puis
vi /etc/aliases
# Rebuild the aliases database after every edit of /etc/aliases (Postfix reads the .db, not the text file)
newaliases
# Skeleton Maildir copied into every new account; matches "home_mailbox = Maildir/" in main.cf
mkdir /etc/skel/Maildir/
mkdir /etc/skel/Maildir/cur
mkdir /etc/skel/Maildir/new
mkdir /etc/skel/Maildir/tmp
# NOTE(review): in Maildir++ (what Dovecot's maildir backend uses) folders are
# directories named .Trash/.Drafts/.Sent, each with cur/new/tmp. These empty
# files are presumably ignored, and the "auto = subscribe" entries in
# 15-mailboxes.conf are what really creates the folders — verify before
# relying on them.
touch /etc/skel/Maildir/Trash
touch /etc/skel/Maildir/Drafts
touch /etc/skel/Maildir/Sent
''/etc/skel/.procmailrc''
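# ~/.procmailrc — installed from /etc/skel into every new account; procmail is
# invoked by Postfix for each local delivery (mailbox_command in main.cf).
VERBOSE=Yes
SHELL=/bin/bash
# No "." in PATH: procmail runs commands from recipes while processing
# attacker-controlled mail, and a trailing "." would let a binary planted in
# the current directory shadow a real command.
PATH=$HOME/bin:/usr/bin:/bin:/usr/local/bin
# You'd better make sure it exists (see the /etc/skel/Maildir setup above).
# procmail delivers in maildir format only to paths ending in "/".
MAILDIR=$HOME/Maildir/
# NOTE(review): no trailing slash here, so mail that matches no recipe lands in
# a single mbox file $MAILDIR/$USERNAME rather than in Maildir/new, which
# Dovecot (mail_location = maildir:~/Maildir) will not show. Check where
# delivery really ends up; "DEFAULT=$MAILDIR" would deliver maildir-style.
DEFAULT=$MAILDIR/$USERNAME
LOGFILE=$MAILDIR/.procmail.log
LOCKFILE=$HOME/.lockmail
LOGNAME=$USERNAME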
== Configuration Dovecot
''/etc/dovecot/dovecot.conf''
mail_location = maildir:~/Maildir
''/etc/dovecot/conf.d/10-auth.conf''
# Refuse LOGIN/PLAIN before TLS (LOGINDISABLED is advertised instead). Together
# with "ssl = required" in 10-ssl.conf no password crosses the network in
# clear; Dovecot still treats a connection coming from the host's own IP
# (e.g. Roundcube on the same machine) as secure.
disable_plaintext_auth = yes
''/etc/dovecot/conf.d/15-mailboxes.conf''
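# Special-use folders. "auto = subscribe" creates the folder on first login and
# subscribes the client to it, which is what makes Drafts/Trash appear.
# Comments are kept on their own line: an inline "# ..." after a value is not
# guaranteed to be parsed as a comment by every Dovecot version.
mailbox Drafts {
  # ADD THIS
  auto = subscribe
  special_use = \Drafts
}
mailbox Junk {
  special_use = \Junk
}
mailbox Trash {
  # Fix invisible Trash — ADD THIS
  auto = subscribe
  special_use = \Trash
}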
https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
''/etc/dovecot/conf.d/10-ssl.conf''
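# TLS is mandatory for IMAP/POP: clients that do not STARTTLS (or use the
# implicit-TLS ports) cannot log in at all. ssl_cert / ssl_key (not shown
# here) must point at the same certificate the certbot renew hook renews.
ssl = required
# Debian Stretch (Dovecot 2.2.27 on OpenSSL 1.1) no longer knows the SSLv2
# keyword and refuses to start on "!SSLv2" (see the "Pb" section below);
# SSLv2 is not compiled into that OpenSSL anyway, so excluding SSLv3 is enough
# and works on Wheezy too.
# TLS 1.0/1.1 are deprecated (RFC 8996): once no legacy client needs them add
# "!TLSv1 !TLSv1.1", or on Dovecot >= 2.3 replace this line with
# "ssl_min_protocol = TLSv1.2".
ssl_protocols = !SSLv3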
Debug
doveadm -Dv force-resync -u jibe INBOX
''/etc/letsencrypt/cli.ini''
# /etc/letsencrypt/cli.ini — defaults applied to every certbot run
# Source : https://gist.github.com/mrothNET/cb6f313e9cbe896f3e0fdec80ad2f3fa
# Manage Firewall (only needed with the standalone/HTTP-01 authenticator when
# port 80 is normally closed)
#pre-hook = ufw allow http
#post-hook = ufw deny http
# Restart Postfix & Dovecot so they load the renewed certificate. This only
# helps if smtpd_tls_cert_file / ssl_cert point into /etc/letsencrypt/live/<host>/;
# the main.cf listings on this page still reference /etc/postfix/ssl and the
# snakeoil pair. "renew-hook" is the pre-0.17 certbot name; newer releases
# call the same thing "deploy-hook" (Stretch's certbot only knows renew-hook).
renew-hook = systemctl restart dovecot.service postfix.service
== Exploitation (maintenance) Dovecot
Nettoyage cache / log
find ~/Maildir/ -type f \( -iname dovecot.index.cache -o -iname dovecot.index.log \) -delete
=== Pb
Pb suite à mis-à-jour Wheezy=>Stretch
''/var/log/mail.log''
Jan 19 18:42:10 sever1 dovecot[394]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
Solution de contournement provisoire (Dovecot 2.2.27 / OpenSSL 1.1 ne connaît plus le mot-clé SSLv2, qui n'est de toute façon plus compilé) :
''/etc/dovecot/conf.d/10-ssl.conf''
#ssl_protocols = !SSLv2 !SSLv3
ssl_protocols = !SSLv3
systemctl restart dovecot
=== Postfix authentification avec Dovecot
Vérification de la compatibilité de l'authentification Dovecot (la sortie doit contenir ''dovecot'') :
# postconf -a
cyrus
dovecot
''/etc/dovecot/conf.d/10-master.conf''
# Postfix smtp-auth
# Auth socket created inside Postfix's chroot (/var/spool/postfix), referenced
# from main.cf as "smtpd_sasl_path = private/auth". mode 0660 with
# postfix:postfix keeps other local users from talking to the auth service
# (the ls -l below shows the expected srw-rw---- postfix postfix).
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
/etc/init.d/dovecot restart
$ ls -l /var/spool/postfix/private/auth
srw-rw---- 1 postfix postfix 0 mai 20 12:48 /var/spool/postfix/private/auth
''/etc/postfix/main.cf''
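# SASL authentication delegated to Dovecot (socket declared in 10-master.conf).
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# AUTH is only advertised once STARTTLS has been negotiated ...
smtpd_tls_auth_only = yes
# ... and plaintext mechanisms (PLAIN/LOGIN) are refused on a cleartext session
# even if a client tries them anyway. Inside TLS the *_tls_* set applies and
# PLAIN/LOGIN are allowed (same values as the postconf -n listing below).
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous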
== Configuration DNS
* champ MX
* SRV (''_submission._tcp'', ''_imaps._tcp'', … — RFC 6186, auto-configuration des clients) et TXT (SPF sur ''acme.fr'', DMARC sous ''_dmarc.acme.fr'', clé DKIM sous ''<selecteur>._domainkey.acme.fr'')
== Vérification
=== Vérification sécurité
Avant toute chose nous devons être certain que notre serveur SMTP n'est pas un relais ouvert. Les commandes ci-dessous ne vérifient que STARTTLS et l'AUTH ; pour tester le relais lui-même, depuis une machine **hors** de ''mynetworks'' et **sans** s'authentifier, envoyer ''MAIL FROM:<test@exemple.org>'' puis ''RCPT TO:<quelquun@autre-domaine.org>'' : le serveur doit répondre ''454'' ou ''554 … Relay access denied''. Un ''250'' au RCPT TO signifie que le serveur est un relais ouvert.
telnet smtp.acme.fr 25
EHLO localhost
Vous devez voir la ligne suivante — et **aucune** ligne ''250-AUTH'' tant que STARTTLS n'a pas été négocié (c'est l'effet de ''smtpd_tls_auth_only = yes'') :
250-STARTTLS
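# AUTH PLAIN token = base64("\0user\0password"). printf with %s is portable
# ("echo -ne" is shell-dependent) and does not mangle a password that starts
# with digits. The password still lands in the shell history: use a throw-away
# test account or clear the history afterwards.
$ printf '\0%s\0%s' nom MOTDEPASS | openssl enc -base64
AG5vbQBNT1RERVBBU1M=
# -tls1 would force the deprecated TLS 1.0; test with the version that should
# actually be negotiated. Use port 587 instead of 25 if a submission service
# is enabled in master.cf (not shown on this page).
openssl s_client -tls1_2 -starttls smtp -crlf -connect smtp.acme.fr:25
EHLO localhost
AUTH PLAIN
AG5vbQBNT1RERVBBU1M=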
On teste que SSLv3 est bien désactivé : la commande suivante doit échouer (''ssl handshake failure''). Note : un client OpenSSL ≥ 1.1 n'a plus l'option ''-ssl3'' (SSLv3 n'est plus compilé) ; il faut alors un client plus ancien ou un outil dédié comme testssl.sh.
openssl s_client -ssl3 -starttls smtp -crlf -connect smtp.acme.fr:25
http://mxtoolbox.com/diagnostic.aspx
=== Vérification DNS
Champs DNS : SPF DKIM ARC DMARC etc....
Voir :
* https://support.google.com/mail/?p=IPv6AuthError
* https://support.google.com/mail/answer/81126?visit_id=638143306072056339-3415253875&p=IPv6AuthError&rd=1#authentication
* https://www.gmx.net/mail/senderguidelines/
* https://www.spamhaus.org/faq/section/ISP%20Spam%20Issues
$ dig acme.fr TXT @8.8.8.8 +short
"v=spf1 mx ~all"
$ dig acme.fr MX @8.8.8.8 +short
1 smtp.acme.fr.
100 smtp2.acme.fr.
Pour ne pas être considéré comme un spammer, il faut aussi créer le PTR dans le Reverse DNS, et s'assurer que le PTR, le nom annoncé au HELO (''myhostname'') et l'enregistrement A de ce nom concordent (FCrDNS) — ''reject_unknown_client'' côté serveur applique exactement ce contrôle aux autres. \\
ip => smtp.acme.fr
== Fail2ban
''/etc/fail2ban/jail.local''
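# /etc/fail2ban/jail.local — overrides jail.conf.
# Jail/filter names below are the fail2ban 0.8.x (Wheezy) ones. On 0.9+ the
# jail is [sshd], [sasl] became [postfix-sasl], and on 0.10+ sshd-ddos is a
# "mode" of the sshd filter. After restart, check `fail2ban-client status`
# to see which jails really started — a jail with an unknown filter is
# silently absent, not an error you will notice otherwise.
### SSH
[ssh]
enabled = true
# sshd listens on a non-standard port; must match "Port" in sshd_config
port = 7001
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

[ssh-ddos]
enabled = true
port = 7001
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

### GENERIC
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
banaction = iptables-allports
# port is irrelevant for an allports ban action. The stock jail.conf set it
# twice ("all", then "anyport") — a duplicate key whose winner depends on the
# parser, so keep a single value.
port = anyport
logpath = /var/log/auth.log
maxretry = 6

### MAILS
[postfix]
enabled = true
# add "submission" (587) here and below if a submission service is enabled in master.cf
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

# Bans password guessing against SMTP AUTH ("SASL ... authentication failed" in mail.log)
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log

# Bans IMAP/POP login failures reported by Dovecot
[dovecot]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log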
service fail2ban restart
service fail2ban status
== Webmail avec RoundCube
Si vous avez toujours nom@localhost au lieu de nom@domain.com, il peut être nécessaire de supprimer la base de données SQLite (par précaution, renommez plutôt le fichier — **base.db** dans notre exemple) et de vérifier le réglage ''mail_domain'' :
''defaults.inc.php''
$config['mail_domain'] = '%d';
La base de donnée (ici sqlite)
''config.inc.php''
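// SQLite database kept under the web root: the nginx vhost MUST deny /config/
// (it also holds config.inc.php, i.e. these credentials), otherwise base.db
// is downloadable. "mode" is the permission Roundcube applies when it creates
// the file: the former 0646 left it world-readable AND world-writable on disk;
// 0640 is enough since config/ is chown'ed to www-data (the PHP-FPM user).
$config['db_dsnw'] = 'sqlite:////var/www/roundcubemail/config/base.db?mode=0640';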
# php5-* packages exist on Wheezy/Jessie only; on Stretch and later the
# equivalents are php7.x-fpm/-sqlite3/-intl. php-mcrypt was dropped from PHP
# 7.2 and recent Roundcube releases no longer need it — check the Roundcube
# version's INSTALL file before adding it.
apt-get install php5-fpm php5-sqlite php5-mcrypt php5-intl
''/etc/php5/fpm/php.ini''
date.timezone = 'Europe/Paris'
''/etc/nginx/sites-available/webmail''
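server {
    # "ssl on;" is deprecated; the "ssl" listen parameter is the modern form
    listen 443 ssl;
    server_name webmail.serv1.acme.fr;

    # Self-signed pair generated below (browsers will warn); swap for the
    # Let's Encrypt fullchain.pem/privkey.pem once certbot is set up.
    ssl_certificate /etc/ssl/private/serv1.acme.fr.crt;
    ssl_certificate_key /etc/ssl/private/serv1.acme.fr.key;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    # TLS 1.0/1.1 are deprecated (RFC 8996). Add "TLSv1.3" once nginx >= 1.13
    # is linked against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;
    ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
    ssl_dhparam /etc/ssl/private/dh2048.pem;
    # 31 days of HSTS
    add_header Strict-Transport-Security max-age=2678400;

    root /var/www/roundcubemail;
    index index.html index.htm index.php;
    client_max_body_size 20M;
    access_log /var/log/nginx/webmail/access.log;
    error_log /var/log/nginx/webmail/error.log;
    autoindex off;

    # Roundcube keeps secrets and data under the web root and must not serve
    # them: config/ holds config.inc.php (DB DSN) and, with the SQLite setup on
    # this page, base.db itself; logs/ holds errors and userlogins; temp/ holds
    # uploads. This resolves the FIXME about /logs/errors.
    location ~ ^/(config|temp|logs)/ {
        deny all;
    }
    # The installer is deleted after setup; deny it as well in case it comes back
    location ^~ /installer/ {
        deny all;
    }
    # dotfiles/dotdirs (.htaccess, .git from the plugin clones, ...)
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # Refuse /something.jpg/x.php style paths: without this, and with
        # cgi.fix_pathinfo=1, an uploaded non-PHP file could be executed as PHP.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # With php5-cgi alone:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        # Debian's fastcgi_params (Jessie and later) no longer sets
        # SCRIPT_FILENAME; set it explicitly so FPM knows which file to run.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}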
ln -s /etc/nginx/sites-available/webmail /etc/nginx/sites-enabled/
nginx -t
service nginx reload
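cd /etc/ssl/private/
# Files created below must never be group/world readable — not even between the
# "openssl rsa" step and the later chmod (the default umask 022 would create
# the unencrypted key as 0644).
umask 077
# 2048-bit DH parameters for the nginx ssl_dhparam directive
openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
# 2048-bit RSA key, passphrase-protected at generation time
openssl genrsa -des3 -out serv1.acme.fr.key 2048
# Or: "openssl ecparam -genkey" for an Elliptic Curve key
openssl req -new -key serv1.acme.fr.key -out serv1.acme.fr.csr
# nginx cannot prompt for a passphrase at boot, so strip it from the key
openssl rsa -in serv1.acme.fr.key -out serv1.acme.fr.key.unencrypted
mv -f serv1.acme.fr.key.unencrypted serv1.acme.fr.key
chmod 600 serv1.acme.fr.key
# Self-signed, valid 10 years: browsers will warn on every visit. Prefer the
# Let's Encrypt setup elsewhere on this page for anything users touch.
openssl x509 -req -days 3650 -in serv1.acme.fr.csr -signkey serv1.acme.fr.key -out serv1.acme.fr.crt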
# Only these three directories need to be writable by the PHP-FPM user; leave
# the rest of the tree (the PHP code) owned by root so a compromised web
# process cannot modify it. config/ also ends up holding base.db (SQLite).
chown www-data: /var/www/roundcubemail/temp
chown www-data: /var/www/roundcubemail/logs
chown www-data: /var/www/roundcubemail/config
Après avoir fait la conf sur https://webmail.serv1.acme.fr/installer
rm /var/www/roundcubemail/installer/ -rf
FIXME
Bloquer les URLs : https://webmail.serv1.acme.fr/logs/errors — et plus généralement tout ''/logs/'', ''/config/'' (contient config.inc.php et, ici, la base SQLite base.db) et ''/temp/'', qui sont servis tels quels par le ''try_files'' du vhost. Dans nginx : ''location ~ ^/(config|temp|logs)/ { deny all; }'' à placer avant le ''location ~ \.php$''.
ln -s /var/www/roundcubemail/logs /var/log/roundcube
=== Extension
==== Tag thunderbird, couleurs en fonction des étiquettes sur les mails
cd /var/www/roundcubemail/plugins
# Plugin code runs inside Roundcube with its DB credentials and user sessions:
# pin a reviewed tag/commit (git checkout <tag>) instead of tracking the branch
# head, and make sure the vhost does not serve the .git directory this creates.
git clone https://github.com/mike-kfed/rcmail-thunderbird-labels
chmod -R a+rX rcmail-thunderbird-labels
mv rcmail-thunderbird-labels thunderbird_labels
''config.inc.php''
$config['plugins'] = array('thunderbird_labels');
==== Plugin zipdownload pour télécharger toutes les pièces jointes dans un fichier Zip
php_zip extension (including ZipArchive class)
apt-get install libphp-pclzip
''config/config.inc.php''
$config['plugins'] = array(
'thunderbird_labels',
'archive',
'zipdownload',
);
== Note commande postconf
postconf -d ; Affiche les valeurs par défaut à la place de la conf actuelle.
-n Print main.cf parameter settings that are explicitly specified in main.cf. Specify -nf to fold long lines for human readability
postconf -n
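# Effective, explicitly-set parameters on serv1 (`postconf -n` output),
# annotated; the lines are valid main.cf syntax.
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
bounce_size_limit = 2000
broken_sasl_auth_clients = no
config_directory = /etc/postfix
# No VRFY: prevents cheap enumeration of valid accounts
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maximal_queue_lifetime = 1d
mydestination = $mydomain, localhost.$mydomain, localhost
myhostname = serv1.acme.fr
# Unauthenticated relaying is allowed from all of these (permit_mynetworks);
# 172.16.0.0/12 is the whole RFC 1918 /12 — narrow it if possible.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
mynetworks_style = host
myorigin = /etc/mailname
# Timeout of the policy-spf service used below; the service itself has to be
# declared in master.cf (postfix-policyd-spf-python), which this page does not show.
policy-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
relayhost =
show_user_unknown_table_name = no
# Outbound TLS: opportunistic. The mandatory list is only used at level
# encrypt/verify (TLS 1.0/1.1 excluded there, RFC 8996).
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
# The 220 greeting MUST start with $myhostname (RFC 5321, postconf(5)); free text may follow.
smtpd_banner = $myhostname ESMTP - Every illegal access will be referred to the appropriate authorities and the CERT.
# Throttling. Clients in $mynetworks are exempt from the rate limit by default
# (smtpd_client_event_limit_exceptions).
smtpd_client_message_rate_limit = 3
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, warn_if_reject reject_invalid_hostname
smtpd_junk_command_limit = 3
# Order matters: the relay decision (reject_unauth_destination) comes right after
# permit_mynetworks / permit_sasl_authenticated; everything after it only
# filters inbound mail for our own domains.
# DNSBL changes compared with the previous version of this listing:
#  - dsn.rfc-ignorant.org, bogusmx.rfc-ignorant.org and dnsbl.sorbs.net are
#    defunct. A dead list's domain can be re-registered and answer every query
#    positively, which would reject ALL inbound mail — never keep a list you
#    do not monitor.
#  - sbl-xbl.spamhaus.org is a subset of zen.spamhaus.org; dropped as redundant.
#  - zen.spamhaus.org is restricted to the real listing codes 127.0.0.2-11:
#    Spamhaus answers 127.255.255.x for errors (e.g. queries through a public
#    resolver such as 8.8.8.8), and Postfix would otherwise treat any answer as
#    "listed". The [2..11] range syntax needs Postfix >= 2.8.
#  - reject_unknown_client (newer name: reject_unknown_client_hostname) refuses
#    clients with no or mismatching PTR; legitimate senders get caught by it,
#    so keep an eye on the logs.
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unknown_client,
    warn_if_reject reject_unknown_hostname,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:private/policy-spf,
    permit
# SASL through Dovecot; AUTH only advertised under TLS, and plaintext mechanisms
# refused on cleartext sessions (the *_tls_* set applies once TLS is up).
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
# Mandatory list is only consulted by services at level encrypt/verify
# (e.g. a submission entry in master.cf); the opportunistic list keeps
# TLS 1.0/1.1 because the alternative for an MX is cleartext.
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom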