Partie 2 - Serveur: Installation et Sécurisation

Partie 2 - Serveur: Installation et Sécurisation

howto admin system

Nous allons maintenant aborder la configuration du serveur mail en lui
même. Comme dit précédemment, nous allons nous appuyer sur le couple
Dovecot et Postfix, l'installation est prévu pour fonctionner avec une
base MySQL pour stocker les comptes mails, les alias ainsi que les
domaines.

Ce tuto fait suite à l'article Partie 1 : Installation et Sécurisation d’un serveur dédié

Attention, cette partie est assez longue et fastidieuse, donc il va falloir s'armer de patience et prévoir un certain temps voir un temps certain afin de mener cette configuration à bien.

Création de la BDD MySQL et de son utilisateur

Cette base de données servira à stocker les informations des comptes utilisateurs et des domaines. Je vous conseille plus que fortement de choisir un mdp fort pour protéger ce compte. On commence par se loguer (le mots de passe demandé est celui indiqué lors de l'installation du package MySQL)

mysql -uroot -p

Ensuite on crée la base, puis le user avec ses droits (remplacer VOTREMDP par le mdp du compte):

create database mail;
grant all on mail.* to 'mail'@'localhost' identified by 'VOTREMDP';

Installation de Postfix Admin

On télécharge postfixadmin depuis SourceForge et on le place dans /var/www/html/postfixadmin

wget sourceforge.net/projects/postfixadmin/files/postfixadmin/postfixadmin-2.91/postfixadmin-2.91.tar.gz
tar -xf postfixadmin-2.91.tar.gz
rm -f postfixadmin-2.91.tar.gz
mv postfixadmin-2.91 /var/www/html/postfixadmin
chown -R www-data:www-data /var/www/html/postfixadmin
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

Puis on édite le fichier de configuration /var/www/html/postfixadmin/config.inc.php pour modifier les paramètres suivant : (Le fichier étant long, je ne mets que les paramètres à vérifier ou modifier)

/*****************************************************************
 *  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 * You have to set $CONF['configured'] = true; before the
 * application will run!
 * Doing this implies you have changed this file as required.
 * i.e. configuring database etc; specifying setup.php password etc.
 */
$CONF['configured'] = true;
// Database Config
// mysql = MySQL 3.23 and 4.0, 4.1 or 5
// mysqli = MySQL 4.1+
// pgsql = PostgreSQL
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'mail';
$CONF['database_password'] = 'VOTREMDP';
$CONF['database_name'] = 'mail';
 // Site Admin 
// Define the Site Admins email address below. 
// This will be used to send emails from to create mailboxes. $CONF['admin_email'] = 'admin@example.com'; 
// Mail Server // Hostname (FQDN) of your mail server. 
// This is used to send email to Postfix in order to create mailboxes. 
// 
// Set this to localhost for now, but change it later.
$CONF['smtp_server'] = 'localhost'; 
$CONF['smtp_port'] = '25';
// Encrypt
// In what way do you want the passwords to be crypted?
// md5crypt = internal postfix admin md5
// md5 = md5 sum of the password
// system = whatever you have set as your PHP system default
// cleartext = clear text passwords (ouch!)
// mysql_encrypt = useful for PAM integration
// authlib = support for courier-authlib style passwords
// dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5
$CONF['encrypt'] = 'md5crypt';
// Default Aliases
// The default aliases that need to be created for all domains.
$CONF['default_aliases'] = array (
    'abuse' => 'admin@example.com',
    'hostmaster' => 'admin@example.com',
    'postmaster' => 'admin@example.com',
    'webmaster' => 'admin@example.com'
);
// link to display under 'Main' menu when logged in as a user.
$CONF['user_footer_link'] = "https://mail.example.com/main.php";

// Footer
// Below information will be on all pages.
// If you don't want the footer information to appear set this to 'NO'.
$CONF['show_footer_text'] = 'YES';
$CONF['footer_text'] = 'Return to mail.example.com';
$CONF['footer_link'] = 'https://mail.example.com';
// Mailboxes
// If you want to store the mailboxes per domain set this to 'YES'.
// Examples:
//   YES: /usr/local/virtual/domain.tld/username@domain.tld
//   NO:  /usr/local/virtual/username@domain.tld
$CONF['domain_path'] = 'YES';
// If you don't want to have the domain in your mailbox set this to 'NO'.
// Examples:
//   YES: /usr/local/virtual/domain.tld/username@domain.tld
//   NO:  /usr/local/virtual/domain.tld/username
// Note: If $CONF['domain_path'] is set to NO, this setting will be forced to YES.
$CONF['domain_in_mailbox'] = 'YES';

La dernière partie détermine comment Postfix Admin va ranger vos mailbox. Une fois tout ceci fait, on va se connecter à Postfix Admin qui va vérifier la config et remplir la BDD. on va en profiter pour créer le hash du Master Password qui sera utiliser par la suite pour la création du Super Admin (vous avez suivi ? ;))

https://mail.example.com/postfixadmin/setup.php

Suivez les indications de la pages, noter le hash et indiquer le dans le fichier de configuration :

// In order to setup Postfixadmin, you MUST specify a hashed password here.
// To create the hash, visit setup.php in a browser and type a password into the field,
// on submission it will be echoed out to you as a hashed value.
$CONF['setup_password'] = '....Indiquer votre hash....';

Maintenant que c'est fait retourner sur la page de setup, et créer le Super Admin. Maintenant que c'est fait on désactive l’accès à ce fichier et empêche la navigation dans ce dossier, on va donc créer un fichier .htaccess contenant les lignes suivantes :

Order deny,allow
Allow from all
Options -Indexes
<Files setup.php>
Order deny,allow
deny from all
</Files>

Création d'un domaine et d'un compte mail dans Postfix Admin

Allez sur la page https://mail.example.com/postfixadmin/login.php Une fois logué avec le Super Admin, créer un domaine, n'oublier pas de cocher la case afin d'ajouter les alias. Ensuite on crée la premier compte mail qui sera admin@example.com afin d'assurer le bon fonctionnement des alias. les alias abuse et posmaster sont particulièrement important et font partie des éléments pris en compte dans l'évaluation de la fiabilité de votre domaine par les outils anti-spam. Il est important de vérifier de temps en temps ces boites, surtout en usage pro, puisque ce sont celles sur lesquelles vous devriez recevoir les notifications de problèmes de fonctionnement ou d'abus de vos utilisateurs.

Création du dossier de stockage

La configuration de notre serveur mail reposant sur des utilisateurs virtuels, ceux ci n'ont pas de compte système Unix, nous allons donc créer un espace de stockage, ainsi qu'un utilisateur ayant les droits sur dossiers. les mails seront stocké dans un sous dossier par domaine puis par nom d'utilisateur dans /var/vmail (ex:/var/vmail/example.com/admin)

useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin -c "Virtual maildir handler" vmail
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail

Paramétrage de Dovecot

Dovecot gère les connexions IMAP et pop3, le stockage des mails et leur réception via Postfix. Il est aussi capable de gérer l’authentification SMTP, on va donc s'en servir afin de centraliser les comptes (Et de se simplifier la vie). La configuration de Dovecot est réparti sur de nombreux fichiers, même si ça peut paraitre compliqué, dans les faits, c'est plutôt logique, donc soyez méticuleux et tout ira bien ;). En premier on règle l’accès à la BDD des mails dans /etc/dovecot/dovecot-sql.conf.ext :

# Database driver: mysql, pgsql, sqlite
driver = mysql
# Examples:
#   connect = host=192.168.1.1 dbname=users
#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
#   connect = /etc/dovecot/authdb.sqlite
#
connect = host=localhost dbname=mail user=mail password=VOTREMDP
# Default password scheme.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
#
default_pass_scheme = MD5-CRYPT
# Define the query to obtain a user password.
#
# Note that uid 150 is the "vmail" user and gid 8 is the "mail" group.
#
password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
  'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'
# Define the query to obtain user information.
#
# Note that uid 150 is the "vmail" user and gid 8 is the "mail" group.
#
user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
  150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'

On va maintenant changer la façon dont Dovecot gère les authentifications et qu'il puisse allez chercher les infos de connexion dans la BDD, on édite donc /etc/dovecot/conf.d/10-auth.conf.

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes
# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login
##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
# Use the SQL database configuration for authentication rather than
# any of these others.
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

On va maintenant indiquer à Dovecot où stocker les mails, on va donc editer /etc/dovecot/conf.d/10-mail.conf comme suit :

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = maildir:/var/vmail/%d/%n
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = vmail
mail_gid = mail
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#
# Use the vmail user uid here.
first_valid_uid = 150
last_valid_uid = 150
## Maildir-specific settings
##

# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
maildir_stat_dirs = yes

On indique ensuite où est stocké votre certificat SSL en éditant /etc/dovecot/conf.d/10-ssl.conf

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf

#Paramétrage par défaut de Dovecot
#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem

# Le certirtificat auto-généré "snakeoil certificate":
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

#Si vous avez achetez un certificat
#ssl_cert = </etc/ssl/certs/example.com.crt
#ssl_key = </etc/ssl/private/example.com.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
# ssl_ca = </etc/ssl/certs/ca-bundle.crt

Ensuite on édite /etc/dovecot/conf.d/10-master.conf et on ajoute le support postfix

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix       
  }

On paramètre l'adresse du postmaster dans /etc/dovecot/conf.d/15-lda.conf (Ce réglage corrige l'erreur Invalid settings: postmaster_address setting not given), on indique donc l'alias crée précédement lors de la configuration du domaine.

# Address to use when sending rejection mails.
# Default is postmaster@<your domain>.
postmaster_address = postmaster@example.com

On rend la configuration de Dovecot accessible à l'utilisateur vmail

chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot

Petit détails, les dossiers sont crées au furt et à mesure par Dovecot,
il est donc normal qu'un user n'ayant jamais recu de mail n'ai pas de
dossier.

Configuration des logiciels tiers (Amavis, ClamAV, Postgrey et SpamAssassin)

Avant de configurer Postfix, on va paramétrer les outils concernant les spams et les virus. Les configurations sont celles par défaut, elles conviennent la plupart du temps, pour plus de détails, il vous faudra consulter la doc de chaque outils, je ne vais indiquer ici que comment les intégrés à notre configuration. On va rendre la cohabitation de ClamAV et de Amavis un peu plus simple :

adduser clamav amavis
adduser amavis clamav

on active Amavis en éditant
/etc/amavis/conf.d/15-content_filter_mode (il suffit de décomenter
les lignes @bypass...)

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return

On activer ensuite SpamAssassin en éditant /etc/default/spamassassin

# Change to one to enable spamd
ENABLED=1
# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=1

On donne accés à Amavis à la BDD des mails en éditant
/etc/amavis/conf.d/50-user:

use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

# Three concurrent processes. This should fit into the RAM available on an
# AWS micro instance. This has to match the number of processes specified
# for Amavis in /etc/postfix/master.cf.
$max_servers  = 3;

# Add spam info headers if at or above that level - this ensures they
# are always added.
$sa_tag_level_deflt  = -9999;

# Check the database to see if mail is for local delivery, and thus
# should be spam checked.
@lookup_sql_dsn = (
    ['DBI:mysql:database=mail;host=127.0.0.1;port=3306',
     'mail',
     'VOTREMDP']);
$sql_select_policy = 'SELECT domain from domain WHERE CONCAT("@",domain) IN (%k)';

# Uncomment to bump up the log level when testing.
# $log_level = 2;

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return

On edite /etc/default/postgrey

# postgrey startup options, created for Debian

# you may want to set
#   --delay=N   how long to greylist, seconds (default: 300)
#   --max-age=N delete old entries after N days (default: 35)
# see also the postgrey(8) manpage

POSTGREY_OPTS="--inet=10023"
POSTGREY_OPTS="$POSTGREY_OPTS --whitelist-clients=/etc/postgrey/whitelist_clients"
POSTGREY_OPTS="$POSTGREY_OPTS --whitelist-recipients=/etc/postgrey/whitelist_recipients"

# the --greylist-text commandline argument can not be easily passed through
# POSTGREY_OPTS when it contains spaces.  So, insert your text here:
#POSTGREY_TEXT="Your customized rejection message here"

  On mets à jour ClamAV avec la commande freshclam puis on démarre
tout ce petit monde :

service clamav-daemon restart
service amavis restart
service spamassassin restart

 

Configuration de Postfix

Enfin, on attaque le gros morceau (comment ça vous pensiez que c'était déjà fait ?), Postfix va géré les mail entrant via le protocole SMTP, on va intégrer à ce configuration tous les outils que nous avons pré-configurer précédemment ce qui lui permettra de lutter efficacement contre les spams et les virus avant que les mails arrive dans les petits bras musclés de Dovecot, on va aussi intégrer le fait que les comptes mails s’authentifie via Dovecot pour l'utilisation du SMTP. On va créer tous les fichiers de configuration afin d'expliquer à Postfix où sont les données de vos comptes mails, domaines etc... Attention : L'option host doit être rempli à l'identique que l'option bind-address du fichier /etc/mysql/my.cnf si vous avez localhost, veillez à mettre localhost au lieu de 127.0.0.1, sinon il ne pourra pas se connecter, je sais c'est bête mais c'est comme ça. La commande suivante vous permettra d'avoir l'info recherchée.

cat /etc/mysql/my.cnf | grep bind-address

 /etc/postfix/mysql_virtual_alias_domainaliases_maps.cf

user = mail
password = VOTREMDP
hosts = 127.0.0.1
dbname = mail
query = SELECT goto FROM alias,alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND alias.address=concat('%u', '@', alias_domain.target_domain)
  AND alias.active = 1

/etc/postfix/mysql_virtual_alias_maps.cf

user = mail
password = VOTREMDP
hosts = 127.0.0.1
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'

/etc/postfix/mysql_virtual_domains_maps.cf

user = mail
password = VOTREMDP
hosts = 127.0.0.1
dbname = mail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf

user = mail
password = VOTREMDP
hosts = 127.0.0.1
dbname = mail
query = SELECT maildir FROM mailbox, alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
  AND mailbox.active = 1

/etc/postfix/mysql_virtual_mailbox_maps.cf

user = mail
password = VOTREMDP
hosts = 127.0.0.1
dbname = mail
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'

Afin d'améliorer quelques peu la protection des données privées on va
demander à Postfix de retirer certaines information du Header. Vous
pouvez vous reporter à la docs Postfix pour plus d'explication. On crée
donc le fichier /etc/postfix/header_checks

/^Received:/                 IGNORE
/^User-Agent:/               IGNORE
/^X-Mailer:/                 IGNORE
/^X-Originating-IP:/         IGNORE
/^x-cr-[a-z]*:/              IGNORE
/^Thread-Index:/             IGNORE

Les deux prochains fichiers concernent le fonctionnement à proprement parlé du SMTP et de la facon dont les mails vont être traités par Postfix, il intègre également ce qu'il faut pour que les modules installés précédement fonctionnent. Les explications détailées de ces fichiers mériteraient à elles seules un article complet, je vous conseille donc de prendre le temps de vérifier que tout est ok pour vous. En l'état ces fichiers sont fonctionels avec la configuration que nous mettons en places, mais je ne saurais trop insisté sur l'utilité de se reporter à la doc et de bien comprendre ce qu'il y a dedans. Avant de mettre en place ces deux fichiers, on va sauver les fichiers de configuration par défaut

mv /etc/postfix/main.cf /etc/postfix/main.cf.bak
mv /etc/postfix/master.cf /etc/postfix/master.cf.back

/etc/postfix/main.cf Les lignes à adapter sont  :

  • myhostname = mail.example.com
  • Les lignes concernant les certificats de 26 à 39
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# The first text sent to a connecting process.
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no

# SASL parameters
# ---------------------------------

# Use Dovecot to authenticate.
smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

# TLS parameters
# ---------------------------------

# The default snakeoil certificate. Comment if using a purchased 
# SSL certificate.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

# Uncomment if using a purchased SSL certificate.
# smtpd_tls_cert_file=/etc/ssl/certs/example.com.crt
# smtpd_tls_key_file=/etc/ssl/private/example.com.key

# The snakeoil self-signed certificate has no need for a CA file. But
# if you are using your own SSL certificate, then you probably have
# a CA certificate bundle from your provider. The path to that goes
# here.
# smtpd_tls_CAfile=/etc/ssl/certs/ca-bundle.crt

smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Note that forcing use of TLS is going to cause breakage - most mail servers
# don't offer it and so delivery will fail, both incoming and outgoing. This is
# unfortunate given what various governmental agencies are up to these days.
#
# Enable (but don't force) all incoming smtp connections to use TLS.
smtpd_tls_security_level = may
# Enable (but don't force) all outgoing smtp connections to use TLS.
smtp_tls_security_level = may

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# SMTPD parameters
# ---------------------------------

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed.
# some have 3 days, I have 16 days as I am backup server for some people
# whom go on holiday with their server switched off.
maximal_queue_lifetime = 7d
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12

# This next set are important for determining who can send mail and relay mail
# to other servers. It is very important to get this right - accidentally producing
# an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
#
# You are encouraged to read up on what exactly each of these options accomplish.

# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
# Requirements for the sender details
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
# Requirements for the connecting server
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client bl.spamcop.net, reject_unknown_client_hostname
# Requirement for the recipient address. Note that the entry for
# "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_data_restrictions = reject_unauth_pipelining
# This is a new option as of Postfix 2.10, and is required in addition to
# smtpd_recipient_restrictions for things to work properly in this setup.
smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit

# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes

# General host and delivery info
# ----------------------------------

myhostname = mail.example.com
myorigin = /etc/hostname
# Some people see issues when setting mydestination explicitly to the server
# subdomain, while leaving it empty generally doesn't hurt. So it is left empty here.
# mydestination = mail.example.com, localhost
mydestination =
# If you have a separate web server that sends outgoing mail through this
# mailserver, you may want to add its IP address to the space-delimited list in
# mynetworks, e.g. as 10.10.10.10/32.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host

# This specifies where the virtual mailbox folders will be located.
virtual_mailbox_base = /var/vmail
# This is for the mailbox location for each user. The domainaliases
# map allows us to make use of Postfix Admin's domain alias feature.
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
# and their user id
virtual_uid_maps = static:150
# and group id
virtual_gid_maps = static:8
# This is for aliases. The domainaliases map allows us to make 
# use of Postfix Admin's domain alias feature.
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
# This is for domain lookups.
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf

# Integration with other packages
# ---------------------------------------

# Tell postfix to hand off mail to the definition for dovecot in master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# Use amavis for virus and spam scanning
content_filter = amavis:[127.0.0.1]:10024

# Header manipulation
# --------------------------------------

# Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
header_checks = regexp:/etc/postfix/header_checks
# getting rid of x-original-to
enable_original_recipient = no

/etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

# SMTP on port 25, unencrypted.
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy

# SMTP with TLS on port 587. Currently commented.
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_enforce_tls=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
#  -o smtpd_sasl_tls_security_options=noanonymous

# SMTP over SSL on port 465.
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous

#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

# The next two entries integrate with Amavis for anti-virus/spam checks.
amavis      unix    -       -       -       -       3       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet    n       -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

# Integration with Dovecot - hand mail over to it for local delivery, and
# run the process under the vmail user and mail group.
dovecot      unix   -        n      n       -       -   pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)

Vu qu'Amavis consomme pas mal de ressource mémoire, il est limité à 3 processus concurent, libre à vous d'augmenter cette valeur si vous avez beaucoup de traffic, pour un serveur mail petit à moyen celà suffit (en gros pour du personnel ou pour une petite société).

DKIM signature pour un ou plusieurs domaine

Allez, histoire de vraiment bien faire les choses, on va aborder rapidement la création d'une clé DKIM pour signer les vos mails, elle permettra au serveur qui receptionne votre mail de savoir que c'est bien notre serveur qui l'a envoyé. J'utilise une methode qui n'est pas tout à fait habituelle pour générer la clé, l'avantage est que vous pouvez choisir de génerer une clé par domaine ou une seule pour plusieurs domaine utilisant le même serveur mail, le nom du domaine n'étant pas inclus dans la clé avec cette manipulation. On installe les paquets nécessaire :

apt-get install --assume-yes opendkim \
opendkim-tools

On crée les dossiers qui vont bien et on règle les permissions:

mkdir /etc/opendkim /var/log/opendkim
chmod 0700 /etc/opendkim /var/log/opendkim
chown opendkim:opendkim /etc/opendkim /var/log/opendkim

On édite le fichier /etc/default/opendkim et on s'assure que le socket
est le bon :

SOCKET="inet:8891@localhost"

On modifie ou on ajoute les options suivantes au fichier
/etc/opendkim.conf

Syslog yes
SyslogSuccess yes
LogWhy yes
UMask 002
KeyFile /etc/opendkim/dkim.key
Selector mail
OversignHeaders From
AutoRestart yes
Background yes
Canonicalization relaxed/relaxed
DNSTimeout 5
Mode sv
SignatureAlgorithm rsa-sha256
SubDomains no
Statistics /var/log/opendkim/dkim-stats
KeyTable /etc/opendkim/dkim-keytable
SigningTable refile:/etc/opendkim/dkim-signingtable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts

L'option selector peut être modifiée, si c'est le cas il faudra adapter les exemples de ce tutos. L'option "refile" pour les différentes tables permet d'indiquer quel fichier contient les informations nécessaires et offre la possibilité d'utiliser des expressions complètes (avec des notamment). On crée la table /etc/opendkim/TrustedHosts* :

127.0.0.1
localhost

ensuite la table /etc/opendkim/dkim-keytable

mail._domainkey.exmaple.com example.com:mail:/etc/opendkim/dkim-example.com.key

puis la table /etc/opendkim/dkim-signingtable

*@example.com mail._domainkey.example.com

Vous noterez l'avantage d'utiliser l'option refile ;), maintenant tous les mails seront signé avec cette unique ligne :) La configuration est maintenant complète, on va donc générer les clés adéquates, les clés sont généré par OpenSSl en 1024 bits. La clé générée contrairement au X.509-certificates n'est pas lié au host, donc vous n'avez pas besoin de la signer et elle peut être utilisé par plusieurs domaines du moment qu'ils utilisent le même serveur mail.

openssl genrsa -out /etc/opendkim/dkim.key 1024
openssl genrsa -out /etc/opendkim/example.com.key 1024
openssl rsa -in /etc/opendkim/dkim-example.com.key -out /etc/opendkim/rsa-example.com.public -pubout -outform PEM

On mets à jours les permissions :

chown opendkim:opendkim /etc/opendkim/*.key
chmod 0600 /etc/opendkim/*.key

Plus qu'a proceder à l'enregistrement TXT de votre clé dans vos DNS sous
la forme suivante

"v=DKIM1; p=...Votre clé super longue...."

le contenu de la clé se trouve dans le fichier
/etc/opendkim/rsa-example.com.public

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfZ3exZs28OKZ2fQwXE14kHYW1
FhS0YAVz2JWldWvlBl32adgDByYaRIyhRG4QParwaaeQwS+6/nlEFJEZmqliUqYh
oVl2qIuyk2I5g19HCEcqoR/a6NyQ5qxOakOUjnC7EkNplEpoqh/HBlOBlyMgxt/Z
7yZboyw8inIa3w5jQwIDAQAB
-----END PUBLIC KEY-----

On ajoute ce qu'il faut dans la configuration de Postfix en éditant
/etc/postfix/main.cf

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

idem dans la configuration d'amavis en éditant
/etc/amavis/conf.d/50-user

$enable_dkim_verification = 1;

Test et détails importants

Ca y est on arrive à la fin, on redemarre tout :

service postfix restart
service spamassassin restart
service clamav-daemon restart
service amavis restart
service dovecot restart
service opendkim restart

Les fichiers /var/log/mail.log et /var/log/mail.err vont être vos amis pour vérifier que tout va bien Pour tester la configuration de mon serveur de "l'exterieur", j'utilise deux site :

  • Mx Toolbox qui permet de
    tester pas mal de petite chose au niveau de votre configuration DNS
    / Serveur
  • Mail tester qui permet
    de tester la cote d'amour de vos mails, en gros il vous permet de
    savoir combien de chance à votre mail de terminer dans les spams ou
    pas

Si vous n'avez pas bien configurer vos enregistrement DNS, vous allez vite le voir et surtout vite vous faire blacklister, Il y a quatre élément important :

  • L'enregisrement reverse DNS, normalement, c'est à définir dans votre interface de gestion du serveur, si votre enregistrement est ok, en admettant que mail.example.com est sur l'adresse Ip 001.002.003.004, vous devriez obtenir quelque chose comme ça 004.003.002.001.in-addr.arpa name = mail.example.com, vous pouvez tester ça ici
  • L'enregistrement MX de "example.com." devrait pointer vers "mail.example.com." priorité 0 (Vous noterez les points en fin de domaine, c'est pas une faute)
  • L'enregistrement DKIM qui est abordé au paragraphe précédent.
  • Pour le SenderID ou SPF je vous conseille d'utiliser l'outil Sender
    ID Framework SPF Record Wizard
    de microsoft qui rend la création de cet enregistrement TXT moins fastidueuse. Une fois le wizard terminé vous obtenez une ligne ressemblant à ceci :
v=spf1 ptr:mail.example.com mx:mail.example.com ip4:XXX.XXX.XXX.XXX a:mail.example.com -all

Et voila, maintenant que ça c'est fait, on va voir dans le prochain article comment accéder à nos mails via horde, comment installer phpmyadmin avec suphp et suexec, webmin (facile!!) et héberger un site avec cette méthode. Comme d'habitude, si vous avez des questions,n'hésitez pas...

Previous Post Next Post