Setting Up A Spam-Proof Home Email Server (The Somewhat Alternate Way) (Debian Squeeze) - Page 2
Set Up Postfix
Up to this point we have made sure that we have a domain name, that the domain can be hosted on a dynamic IP address and that the domain name resolves from inside the LAN as well as from outside. Now we can turn to the mail server itself. A mail server usually consists of two parts. For me this was a bit confusing in the beginning, so I'll try to explain it quickly.
One part is the MTA (Mail Transfer Agent), in this case Postfix. Its job is to transfer email between servers. What MTAs (usually) don't provide is end-user access: if you want to connect to your account with Thunderbird to read your mail, you also need a POP3 or IMAP server, whose only job is handing stored mail to you as the end user. Sending, on the other hand, goes from your mail client straight to Postfix over SMTP (port 25 or 587), which is why the authentication set up below lives in Postfix and not in the POP3/IMAP server.
In this part we first set up Postfix and make it usable in a secured way (SASL authentication over STARTTLS).
(1) Install the required packages
apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail
During this you'll be asked two questions:
General type of mail configuration: <-- Select "Internet Site"
System mail name: <-- Enter: "MYDOMAIN.COM"
(2) Reconfigure postfix
dpkg-reconfigure postfix
Again, you'll be asked some questions:
General type of mail configuration: <-- Select "Internet Site"
System mail name: <-- Enter: "MYDOMAIN.COM"
Root and postmaster mail recipient: <-- Leave blank
Other destinations to accept mail for (blank for none): <-- Enter: "MYDOMAIN.COM, localhost.MYDOMAIN.COM, localhost.localdomain, localhost"
Force synchronous updates on mail queue? <-- Select "No"
Local networks: <-- Leave as default
Use procmail for local delivery? <-- Select "Yes"
Mailbox size limit (bytes): <-- Enter "0"
Local address extension character: <-- Enter "+"
Internet protocols to use: <-- Select "all"
(3) Enhance the postfix configuration
Make sure to replace MYDOMAIN.COM with your domain name. Two of these settings deserve a comment. smtpd_recipient_restrictions allows relaying only for authenticated clients and for hosts in mynetworks and rejects every other relay attempt; this is what keeps the server from becoming an open relay, so do not weaken it. smtpd_tls_auth_only = no lets a client authenticate before it has started TLS, so a client that is misconfigured or has TLS disabled sends its password across the network in the clear; once all your clients are set to use STARTTLS, change this to yes so that AUTH is only offered inside the encrypted session.
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'myhostname = MYDOMAIN.COM'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'home_mailbox = Maildir/'
postconf -e 'virtual_maps = hash:/etc/postfix/virtual'
postconf -e 'mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
(4) Generate certificates for TLS
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
The key is generated with 2048 bits; 1024-bit RSA keys are no longer considered adequate and current TLS stacks may refuse them. When asked for the Common Name, enter the host name your mail clients will connect to. Postfix needs the key without a passphrase, which is why it is decrypted again once the certificate has been issued; the resulting smtpd.key must stay mode 600 and owned by root. Note that smtpd.crt is self-signed with its own key: the cacert.pem created in the last step is an independent self-signed CA certificate and is not the issuer of smtpd.crt, so mail clients will warn about the server certificate until you tell them to trust it (or replace it with one issued by a CA they already trust).
A problem I've encountered on Debian Squeeze is that the second OpenSSL step that uses the previously created key always produces an error. It prompts for the password of smtpd.key, and if you enter it, you get an error. What I ended up doing was to first not enter a password when asked for the smtpd.key one; it just keeps demanding one. Then press Ctrl-C to abort and rerun the command, this time entering the password. That seems to have worked just fine for me.
(5) Adjust SASL
mkdir -p /var/spool/postfix/var/run/saslauthd
Edit /etc/default/saslauthd.
To activate saslauthd, set START to yes and change OPTIONS to:
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
The socket directory is placed below /var/spool/postfix because Debian runs the Postfix smtpd chrooted there and it would not be able to reach the default socket otherwise. -c enables the credential cache and -r passes the login name together with its realm (the part after the @) to the authentication backend.
(6) Add postfix user to SASL group
adduser postfix sasl
(7) Creating virtual.db
touch /etc/postfix/virtual
postmap /etc/postfix/virtual
Before restarting Postfix, virtual.db must exist, otherwise Postfix complains about the missing lookup table. Note that virtual_maps is the pre-2.0 name of this parameter; Postfix 2.x still accepts it as an alias for virtual_alias_maps but logs a warning that support for the old name will be removed. For more about the file itself, skip ahead to the Setup Email Address Management section.
(8) Restart daemons
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
(9) Check if it works correctly
telnet localhost 25
And enter:
ehlo localhost
You should get output that contains STARTTLS and two AUTH lines, AUTH LOGIN PLAIN and AUTH=LOGIN PLAIN. The second one, with the "=", is the non-standard form that broken_sasl_auth_clients = yes adds for old clients. Seeing AUTH at all on this unencrypted connection is the effect of smtpd_tls_auth_only = no; with yes, the AUTH lines only appear after STARTTLS, which telnet cannot negotiate. Exit by typing
quit
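The telnet check above only shows what the server advertises on a plaintext connection. The following script, an added example for this howto and not part of the original, parses an EHLO reply the way the check describes, flags the two things worth catching at this point (no STARTTLS, or PLAIN/LOGIN offered before TLS), and can repeat the test against a live server before and after STARTTLS using Python's smtplib. Run it from any machine with Python 3; the host names and the two sample replies are constructed for the example, and the sample reply for smtpd_tls_auth_only = yes is what such a server shows before STARTTLS.

```python
"""Audit what a Postfix smtpd advertises in its EHLO reply.

Added example, not part of the original howto.  parse_ehlo() turns the
multi-line 250 reply into a capability table, audit() flags STARTTLS/AUTH
problems, live_check() repeats the test against a real server before and
after STARTTLS.  Host names and sample replies are constructed.
"""
import smtplib
import ssl
from typing import Dict, List

# Constructed sample: the reply the howto's configuration should produce
# (smtpd_tls_auth_only = no, broken_sasl_auth_clients = yes), as seen by telnet.
SAMPLE_EHLO_PLAINTEXT = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed sample: the same server with smtpd_tls_auth_only = yes,
# before STARTTLS has been issued, so no AUTH line is shown yet.
SAMPLE_EHLO_TLS_ONLY = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map each EHLO keyword to its parameter list.

    Accepts raw lines ("250-STARTTLS") as well as the stripped form smtplib
    returns ("STARTTLS").  The first line is the greeting and is skipped.  The
    non-standard "AUTH=LOGIN PLAIN" line added for broken_sasl_auth_clients = yes
    is stored under the key "AUTH=" to keep it apart from the RFC 4954 AUTH line.
    """
    caps: Dict[str, List[str]] = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        body = line[4:] if line[:3] == "250" and line[3:4] in "- " else line
        keyword, _, rest = body.strip().partition(" ")
        if not keyword:
            continue
        params = rest.split()
        if keyword.upper().startswith("AUTH="):
            params = [keyword[5:]] + params
            keyword = "AUTH="
        caps[keyword.upper()] = params
    return caps


def audit(caps: Dict[str, List[str]], tls_active: bool) -> List[str]:
    """Findings for one capability set; tls_active says whether this EHLO
    was sent after STARTTLS had been negotiated."""
    findings: List[str] = []
    mechs = {m.upper() for m in caps.get("AUTH", []) + caps.get("AUTH=", [])}
    if not tls_active:
        if "STARTTLS" not in caps:
            findings.append("STARTTLS not offered: clients cannot encrypt the session")
        if mechs & {"PLAIN", "LOGIN"}:
            findings.append("PLAIN/LOGIN offered before STARTTLS (smtpd_tls_auth_only = no): "
                            "a client that does not insist on TLS sends the password in the clear")
    elif not mechs:
        findings.append("no AUTH mechanism offered after STARTTLS: submission will fail")
    return findings


def live_check(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, List[str]]:
    """EHLO, STARTTLS, EHLO again against a real server; audit both replies.

    Certificate verification is disabled because the howto's certificate is
    self-signed; for a CA-issued one use ssl.create_default_context() as is.
    """
    results: Dict[str, List[str]] = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        results["before_tls"] = audit(parse_ehlo(reply.decode(errors="replace")), False)
        if smtp.has_extn("starttls"):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            _, reply = smtp.ehlo()
            results["after_tls"] = audit(parse_ehlo(reply.decode(errors="replace")), True)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for phase, found in live_check(target, target_port).items():
        print(phase, found or ["ok"])
```

With the howto's settings the before_tls phase reports the plaintext-AUTH finding and after_tls is clean; after switching to smtpd_tls_auth_only = yes both phases should come back clean, and a server that lost its STARTTLS line (for example because the certificate files are unreadable) shows up in the first phase.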
(10) Add port 587
Edit the file /etc/postfix/master.cf and copy the line
smtp inet n - - - - smtpd
to
587 inet n - - - - smtpd
You now have both the smtp and the 587 entry. Debian's master.cf already ships a commented-out submission entry for the same port; uncommenting it instead of adding a numeric 587 line gives the same result. If you want to insist on TLS for clients on 587 while leaving port 25 as it is (it must keep accepting unencrypted sessions from other MTAs), add the option -o smtpd_tls_security_level=encrypt on an indented line directly below the 587 entry (Postfix 2.3 and later).
Set Up Outgoing SMTP
While the Postfix MTA would now work just fine, there is still a problem with dynamic IP addresses: most mail servers will not accept incoming mail from a mail server on a dynamic IP address, because such address ranges are commonly blocklisted as dial-up space. If you have a static IP address, you can skip this part.
In order to send mail successfully, you can use your ISP's mail server as a relay. That means Postfix won't contact the recipient's mail server directly; instead it authenticates against your ISP's mail server and hands (relays) the mail through it. It's unlikely that your ISP's server is blocked.
Instead of your ISP's mail server you could also relay through Google (Gmail) or other providers that allow authenticated SMTP relaying.
(1) Enhance postfix config
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_security_options = noanonymous'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd'
postconf -e 'smtp_always_send_ehlo = yes'
postconf -e 'relayhost = SMTP.YOURISP.COM'
Of course replace SMTP.YOURISP.COM with your ISP's actual SMTP server. Since your login and password are sent to this host, do not leave TLS towards it opportunistic: smtp_use_tls = yes only uses STARTTLS if the relay happens to offer it, and a relay that does not (or a path on which the STARTTLS offer is stripped) gets your password in the clear. Setting smtp_tls_security_level = encrypt (Postfix 2.3 and later) makes Postfix refuse to relay without TLS.
In some cases ISPs accept mail from their customers only on a given port; very often this is the submission port 587.
In that case use the following as relayhost:
relayhost = [SMTP.YOURISP.COM]:PORT
The square brackets around SMTP.YOURISP.COM tell Postfix to connect to that host directly instead of doing an MX lookup for it. Replace PORT with the one given by your ISP. This is an outgoing connection, so no port forwarding on your router is needed for it.
(2) Edit /etc/postfix/saslpasswd
And add
SMTP.YOURISP.COM USERLOGIN:PASSWORD
You can usually get an email account with your ISP; with it you get a username and password to log in. The username can be the full email address or something else; enter whatever your ISP gave you. The key on the left is looked up both as the relay's host name and as the relayhost value exactly as written, so SMTP.YOURISP.COM is found whether or not you used the [...]:PORT form above (hash tables are case-insensitive by default).
(3) Hash the saslpasswd file
postmap /etc/postfix/saslpasswd
Both the file and the saslpasswd.db generated from it contain your password in clear text, so make them readable by root only (mode 0600). Postfix opens the table as root before entering its chroot, so this does not break delivery.
(4) Restart postfix
/etc/init.d/postfix restart
Now all outgoing email is being sent through your ISP.
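Before the first mail goes through the relay it is worth checking that the pieces fit together. This script, an added example and not part of the original howto, models how the Postfix SMTP client looks up smtp_sasl_password_maps (the server host name first, then the relayhost value exactly as written, with keys case-folded like a hash table), reports whether the saslpasswd entry will be found, and flags a password file that is readable by others as well as TLS towards the relay that is merely opportunistic. The main.cf fragment and the credential in the sample are constructed placeholders; run without arguments on the server it reads postconf -n and /etc/postfix/saslpasswd instead.

```python
"""Consistency check for the outgoing-relay settings described above.

Added example, not part of the original howto.  Models the Postfix SMTP
client's smtp_sasl_password_maps lookup (server host name, then the
relayhost value as written, case folded) and audits the relay settings.
All names and credentials below are constructed placeholders.
"""
import os
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample: what the steps above leave in main.cf (postconf -n form).
SAMPLE_MAIN_CF = """\
relayhost = [SMTP.YOURISP.COM]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd
smtp_use_tls = yes
"""

# Constructed sample /etc/postfix/saslpasswd; not a real credential.
SAMPLE_SASLPASSWD = """\
# destination        credentials
SMTP.YOURISP.COM     USERLOGIN:PASSWORD
"""


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines (main.cf or postconf -n output); '#' starts a comment."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def parse_saslpasswd(text: str) -> Dict[str, str]:
    """Parse 'destination user:password' lines; keys lower-cased like a hash: table."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or ":" not in parts[1]:
            raise ValueError(f"malformed saslpasswd line: {line!r}")
        creds[parts[0].lower()] = parts[1]
    return creds


def relayhost_lookup_keys(relayhost: str) -> List[str]:
    """Keys the Postfix SMTP client tries in smtp_sasl_password_maps, in order.

    "[host]:port" and "host:port" yield the bare host name first and the
    destination as written second; a bare "host" yields one key.
    """
    dest = relayhost.strip().lower()
    m = re.match(r"^\[(.+?)\](?::\w+)?$", dest) or re.match(r"^([^:\[\]]+)(?::\w+)?$", dest)
    host = m.group(1) if m else dest
    return [host, dest] if host != dest else [dest]


def find_credential(relayhost: str, creds: Dict[str, str]) -> Optional[str]:
    """The user:password Postfix would use for relayhost, or None if no key matches."""
    for key in relayhost_lookup_keys(relayhost):
        if key in creds:
            return creds[key]
    return None


def audit_relay(params: Dict[str, str], creds: Dict[str, str],
                passwd_mode: Optional[int] = None) -> List[str]:
    """Findings for the relay setup; passwd_mode is the permission bits of saslpasswd."""
    findings: List[str] = []
    relayhost = params.get("relayhost", "")
    if not relayhost:
        return ["relayhost is not set: mail goes out directly, which most servers refuse from a dynamic IP"]
    if params.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtp_sasl_auth_enable is not yes: Postfix will not log in to the relay")
    if find_credential(relayhost, creds) is None:
        findings.append(f"no saslpasswd entry for {relayhost}; keys tried: {relayhost_lookup_keys(relayhost)}")
    # encrypt, verify and secure all refuse to send without TLS; anything else is opportunistic.
    if params.get("smtp_tls_security_level", "").lower() not in {"encrypt", "verify", "secure"}:
        findings.append("smtp_tls_security_level is not encrypt/verify/secure: TLS to the relay is "
                        "opportunistic, so the login goes out in the clear if STARTTLS is missing or stripped")
    if passwd_mode is not None and passwd_mode & 0o077:
        findings.append("saslpasswd is readable by group or others; it holds a plaintext password and should be mode 0600")
    return findings


if __name__ == "__main__":
    live_cf = subprocess.run(["postconf", "-n"], check=True, capture_output=True, text=True).stdout
    path = "/etc/postfix/saslpasswd"
    with open(path) as fh:
        live_creds = parse_saslpasswd(fh.read())
    mode = os.stat(path).st_mode & 0o777
    for finding in audit_relay(parse_main_cf(live_cf), live_creds, mode) or ["relay settings look consistent"]:
        print(finding)
```

Against the sample configuration, which mirrors the steps above, the audit reports exactly two findings: opportunistic TLS and (if the file was left at the default umask) a world-readable password file. Adding smtp_tls_security_level = encrypt and tightening the file to 0600 clears both.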
Set Up Initial Maildir
(1) Change to USER
su USER
cd ~
(2) Create the Maildir folder
maildirmake.dovecot Maildir
maildirmake.dovecot is part of the Dovecot packages; if the command is not found, install Dovecot first.
(3) Create Maildir subfolders
maildirmake.dovecot Maildir/.Drafts
maildirmake.dovecot Maildir/.Sent
maildirmake.dovecot Maildir/.Trash
maildirmake.dovecot Maildir/.Templates
You can create more subfolders. The leading "." in the subfolder name is required; that is how Dovecot's Maildir++ layout stores folders.
If you will not be the only email user on the system, it is wise to create the same structure in /etc/skel as well, so that every user created later gets the Maildir automatically.
(4) Change back to root and create the maildirs
exit
maildirmake.dovecot /etc/skel/Maildir
maildirmake.dovecot /etc/skel/Maildir/.Drafts
maildirmake.dovecot /etc/skel/Maildir/.Sent
maildirmake.dovecot /etc/skel/Maildir/.Trash
maildirmake.dovecot /etc/skel/Maildir/.Templates
(5) If you already have other users on the system, repeat steps 1-3 for each of them.
Procmail
Procmail is a local delivery agent. Simply put, procmail filters email based on rules: it can pre-sort mail into different folders or even discard it. The groundwork for procmail filtering was already laid in the Postfix setup section (the mailbox_command setting). If you want server-side filtering with procmail, do the following as the actual USER, not as root.
(1) Change to USER
su USER
cd ~
(2) Edit ~/.procmailrc and add
PATH=/bin:/usr/bin:/usr/local/bin:/usr/sbin
DROPPRIVS=yes
MAILDIR=$HOME/Maildir/
DEFAULT=$HOME/Maildir/

# Mail whose From: header matches SOMEONE@SOMEDOMAIN.COM goes to the .SOMEONE folder
:0
* ^From:.*SOMEONE@SOMEDOMAIN\.COM
$MAILDIR/.SOMEONE/

# Mail from the MAILLIST list goes to the .MAILLIST folder
:0
* ^From:.*MAILLIST@MAILLIST\.COM
$MAILDIR/.MAILLIST/
The first four lines just set some variables; don't worry about them. The next three lines form a recipe: all incoming mail whose From: header matches SOMEONE@SOMEDOMAIN.COM is put into the .SOMEONE folder. The trailing slash on the destination tells procmail that it is a Maildir folder and not an mbox file; without it the folder would be written as a single mbox file that Dovecot cannot read as part of the Maildir. Then you have another rule of the same form for the sender MAILLIST.
Those are just two simple rules. The web is full with more examples.
Procmail seems to be unmaintained by now, and Dovecot has its own local delivery agent, which also updates the corresponding Dovecot index files. I have no experience with it yet or with how to set it up, hence I skip this part here. If someone is willing to enhance this howto with the Dovecot LDA, please do so.