Creating an IMAP & webmail server
Latest revision as of 10:29, 2 February 2022
First follow the instructions from Creating a simple mail server (https://docswiki.newro.co/index.php/Creating_a_simple_mail_server).
Dovecot
Install the following packages
apt-get install dovecot-ldap dovecot-lmtpd
Generate a certificate for dovecot with Certbot (https://docswiki.newro.co/index.php/Certbot). If the certificate is issued on a proxy host, you can copy it from there with a script run from a crontab:
#!/bin/bash
# Pull the Let's Encrypt directory from the proxy. The log redirection has to come
# before 2>&1, otherwise stderr keeps going to the terminal instead of the log file.
/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" user-on-proxy@proxy-ip:/etc/letsencrypt/ /etc/letsencrypt-proxy/ >> /var/log/letsencrypt_sync.log 2>&1
service dovecot restart
Or you can generate your own self-signed certificate like this (note: self-signed certificates are untrusted by clients until they are explicitly imported)
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/imap.key -out /etc/ssl/certs/imap.crt
Add the certificate to dovecot in file /etc/dovecot/conf.d/10-ssl.conf (the leading < tells Dovecot to read the value from the named file rather than treating the path itself as the certificate)
ssl = yes
ssl_cert = </path/to/certificate
ssl_key = </path/to/private/key
Create a samba/ldap user for dovecot to use; more info can be found under Samba (https://docswiki.newro.co/index.php/Samba). Copy the certificate from the samba server, found in /var/lib/samba/private/tls/cert.pem, to the mail server as /opt/samba/samba-cert.pem (the path referenced by TLS_CACERT and tls_ca_cert_file below).
Modify file /etc/ldap/ldap.conf like this
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /opt/samba/samba-cert.pem
Add a line in /etc/hosts with the samba domain
<samba-server-ip> hostname.domain.local
Add/modify following lines in /etc/dovecot/dovecot-ldap.conf.ext
hosts = hostname.domain.local
dn = cn=<samba-user>,cn=Users,dc=DOMAIN,dc=LOCAL
dnpass = <samba-user-password>
tls = yes
tls_ca_cert_file = /opt/samba/samba-cert.pem
auth_bind = yes
ldap_version = 3
base = dc=DOMAIN,dc=LOCAL
scope = subtree
# uidNumber/gidNumber are the POSIX attributes Dovecot maps to the uid/gid it uses for the user
user_attrs = uidNumber=uid,gidNumber=gid
user_filter = (&(&(objectClass=Person)(sAMAccountName=%n)))
pass_attrs = sAMAccountName=user,userPassword=password
pass_filter = (&(&(objectClass=Person)(sAMAccountName=%n)))
Uncomment this line from /etc/dovecot/conf.d/10-auth.conf
!include auth-ldap.conf.ext
File /etc/dovecot/conf.d/auth-ldap.conf.ext should look like this
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = home=/var/mail/vmail/%Ln
}
The L in %Ln will make all username letters lowercase. This is good in case emails are sent to John.Doe when the username is actually john.doe.
You should also set this in file /etc/dovecot/conf.d/10-auth.conf
auth_username_format = %Lu
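To make the %n / %Ln / %Lu templates above concrete, here is an added example (not Dovecot's code and not part of the original page) that reimplements the variable expansion used by dovecot-ldap.conf.ext and applies RFC 4515 escaping to whatever is substituted into the LDAP filter. Dovecot performs its own escaping when it expands filter variables; the assumption here is that the RFC 4515 rules mirror that behaviour closely enough to show what the page's filter and home-directory templates expand to for a given login, and why the username must never land in the filter unescaped.

```python
import re

# Added example: Dovecot-style expansion of %u (full login), %n (user part) and
# %d (domain), with the L/U case modifiers, plus RFC 4515 escaping for filters.
# The templates below are the ones from this page's dovecot-ldap.conf.ext and
# auth-ldap.conf.ext; the escaping rules are assumed to match Dovecot's own.

PAGE_USER_FILTER = "(&(&(objectClass=Person)(sAMAccountName=%n)))"
PAGE_HOME_TEMPLATE = "/var/mail/vmail/%Ln"

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape value so the LDAP server matches it literally instead of as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand(template: str, login: str, escape=None) -> str:
    """Expand %u, %n and %d (optionally prefixed with L or U for case) in template.

    escape, when given, is applied to every substituted value; use it for filters,
    not for paths such as the home directory.
    """
    user, _, domain = login.partition("@")
    values = {"u": login, "n": user, "d": domain}

    def substitute(match):
        modifier, name = match.group(1), match.group(2)
        value = values[name]
        if modifier == "L":
            value = value.lower()
        elif modifier == "U":
            value = value.upper()
        return escape(value) if escape else value

    return re.sub(r"%([LU]?)([und])", substitute, template)


def normalize_login(login: str, auth_username_format: str = "%Lu") -> str:
    """What auth_username_format = %Lu does: lowercase the whole login before lookup."""
    return expand(auth_username_format, login)


def user_filter(login: str, template: str = PAGE_USER_FILTER) -> str:
    """The LDAP search filter Dovecot would send for this login, escaping applied."""
    return expand(template, normalize_login(login), escape=ldap_filter_escape)


def home_dir(login: str) -> str:
    """The mailbox home derived from default_fields = home=/var/mail/vmail/%Ln."""
    return expand(PAGE_HOME_TEMPLATE, login)


if __name__ == "__main__":
    # Constructed sample logins: a normal mixed-case one and one built from filter syntax.
    for login in ("John.Doe@example.com", "*)(objectClass=*"):
        print(login, "->", user_filter(login), home_dir(login))
```

Run it and compare the two outputs: the mixed-case login becomes a plain (sAMAccountName=john.doe) assertion, while the login made of filter metacharacters is turned into an inert literal (\2a, \28, \29) rather than a second filter clause.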
You should have this in /etc/dovecot/conf.d/10-master.conf so postfix can send the emails to dovecot
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
And this in /etc/dovecot/dovecot.conf
protocols = imap lmtp
And finally restart dovecot
service dovecot restart
Postfix
To make postfix send the emails to dovecot add these lines to /etc/postfix/main.cf
local_transport = lmtp:unix:private/dovecot-lmtp
local_recipient_maps =
Note that an empty local_recipient_maps makes Postfix accept mail for any local address and leave it to Dovecot to reject unknown users at LMTP delivery time, so such mail bounces after acceptance instead of being refused during the SMTP session.
And if using a relay add this to the same file
relayhost = <relay-ip>
Restart postfix
service postfix restart
Postfix auth
If you want to use the mail service from outside your network using an IMAP client, and want to send email out through the same SMTP instance (so that emails sent from the IMAP client use the same outgoing server as emails from webmail) it is highly advisable to enable authentication. The neatest way is via SASL auth using Dovecot. To enable this you must first ensure Dovecot is listening for the auth connections
# vi /etc/dovecot/conf.d/10-master.conf
ensuring that within the service auth section the following lines are present and uncommented
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
}
If changes were required, reload Dovecot
# dovecot reload
Then for postfix
# vi /etc/postfix/main.cf
Adding the following lines
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
And reloading postfix
# postfix reload
Depending on your scenario, you may need to forward a port on your firewall to make Postfix available from the outside. This should be to port 25. Relaying for authenticated clients works without further changes, because the default smtpd_relay_restrictions on Postfix 2.10 and later already include permit_sasl_authenticated.
Postfix encrypted auth
To ensure the user/password is sent over an encrypted connection, you need to enable and configure TLS/SSL. This can be with a self-signed certificate, which will work with most email clients but will require the user to accept the certificate authority, or you can use an officially issued one, e.g. by using Let's Encrypt (https://docswiki.newro.co/index.php/Certbot).
Open postfix main.cf
# vi /etc/postfix/main.cf
and uncomment/add/modify the following lines
# TLS parameters
smtpd_tls_security_level = may
smtpd_tls_cert_file=/path/to/fullchain.pem
smtpd_tls_key_file=/path/to/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
The above enables TLS but still allows mail clients that don't support TLS to connect. To enforce encryption change "may" to "encrypt":
smtpd_tls_security_level = encrypt
Keep in mind that "encrypt" on port 25 also refuses other mail servers that deliver without STARTTLS. If inbound mail from such servers must keep working, leave the level at "may" and add smtpd_tls_auth_only = yes instead, so that AUTH is only offered once the session is encrypted.
When finished, reload postfix
# postfix reload
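The following Python is an added example, not the page's or Postfix's own code: it parses a main.cf fragment and reports whether the SASL settings from the "Postfix auth" and "Postfix encrypted auth" sections leave AUTH reachable without TLS. PAGE_CONFIG repeats the page's own lines; HARDENED_CONFIG is a constructed variant that adds smtpd_tls_auth_only and an explicit smtpd_relay_restrictions (both real Postfix parameters), the latter spread over continuation lines to exercise the parser.

```python
# Added example (not from the page or from Postfix): audit main.cf for SMTP AUTH
# that can be performed before the session is encrypted. Both configurations are
# constructed samples; PAGE_CONFIG mirrors the settings shown on this page.

PAGE_CONFIG = """\
# TLS parameters
smtpd_tls_security_level = may
smtpd_tls_cert_file=/path/to/fullchain.pem
smtpd_tls_key_file=/path/to/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
"""

# Same settings plus AUTH limited to encrypted sessions and an explicit relay policy.
HARDENED_CONFIG = PAGE_CONFIG + """\
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
"""


def parse_main_cf(text: str) -> dict:
    """Parse main.cf syntax: 'key = value' lines, '#' comments at column 1, and
    continuation lines (leading whitespace) appended to the previous value."""
    params, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            params[last_key] = (params[last_key] + " " + raw.strip()).strip()
            continue
        if "=" not in raw:
            continue
        key, value = raw.split("=", 1)
        last_key = key.strip()
        params[last_key] = value.strip()
    return params


def effective_tls_level(params: dict) -> str:
    """smtpd_tls_security_level wins; otherwise the legacy smtpd_use_tls = yes means 'may'."""
    level = params.get("smtpd_tls_security_level")
    if level is None:
        level = "may" if params.get("smtpd_use_tls", "no").lower() == "yes" else "none"
    return level.lower()


def audit_smtp_auth(params: dict) -> list:
    """Return a list of findings about plaintext AUTH exposure, each prefixed with a severity."""
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        return ["info: SASL auth is disabled, nothing to check"]
    level = effective_tls_level(params)
    auth_only = params.get("smtpd_tls_auth_only", "no").lower() == "yes"
    findings = []
    if level == "none":
        findings.append("critical: SASL enabled without TLS, credentials cross the network in plaintext")
    elif level == "may" and not auth_only:
        findings.append("high: TLS is optional and AUTH is offered before STARTTLS; set smtpd_tls_auth_only = yes or use 'encrypt'")
    elif level == "may":
        findings.append("ok: AUTH is only advertised after STARTTLS; other MTAs may still deliver without TLS")
    elif level == "encrypt":
        findings.append("ok: TLS is mandatory for every client, including other MTAs delivering on port 25")
    else:
        findings.append("warn: unexpected smtpd_tls_security_level '%s'" % level)
    if level != "none" and not (params.get("smtpd_tls_cert_file") and params.get("smtpd_tls_key_file")):
        findings.append("high: TLS requested but smtpd_tls_cert_file/smtpd_tls_key_file are not set, so STARTTLS cannot be offered")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_smtp_auth(parse_main_cf(text)))
```

Running it against the page's settings yields the "high" finding (AUTH offered before STARTTLS), while the hardened variant yields "ok"; feed it the output of postconf -n on a real host to check the live configuration.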
Roundcube
Roundcube is a webmail app.
Install a lamp server
apt-get install lamp-server^
Install php extensions
apt-get install php-xml php-mbstring php-intl
Set your timezone in /etc/php/7.0/apache2/php.ini
date.timezone = "UTC"
Connect to mysql
mysql -u root -p
And create a database and a user for roundcube
create database roundcubedb;
create user 'roundcubeuser' identified by 'password';
grant all privileges on roundcubedb.* to 'roundcubeuser';
flush privileges;
exit
Download roundcube (latest version can be found here: roundcube)
wget https://github.com/roundcube/roundcubemail/releases/download/1.2.5/roundcubemail-1.2.5-complete.tar.gz
Extract and move to /var/www
tar -xzf roundcubemail-1.2.5-complete.tar.gz
mv roundcubemail-1.2.5 /var/www/roundcube
Change ownership
chown -R www-data:www-data /var/www/roundcube
Import roundcube database into mysql
mysql -u root -p roundcubedb < /var/www/roundcube/SQL/mysql.initial.sql
Add the domain used for the dovecot certificate (and the one you want to use for your mails) to /etc/hosts on the same line as 127.0.1.1
127.0.1.1 example.com etc.
Add/modify following lines in /var/www/roundcube/config/config.inc.php
$config['db_dsnw'] = 'mysql://roundcubeuser:password@localhost/roundcubedb';
$config['default_host'] = 'imaps://example.com';
$config['default_port'] = 993;
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;
# if using a self-signed certificate you need the following lines too
$config['imap_conn_options'] = array(
  'ssl' => array(
    'verify_peer' => true,
    'verify_depth' => 3,
    'cafile' => '/path/to/certificate',
  ),
);
Edit /etc/apache2/sites-available/000-default.conf to point apache to the right directory
DocumentRoot /var/www/roundcube
Finally restart apache
service apache2 restart
Filters plugin
Install dovecot plugins
apt-get install dovecot-sieve dovecot-managesieved
Configure dovecot
/etc/dovecot/dovecot.conf:
protocols = imap lmtp pop3 sieve
/etc/dovecot/conf.d/20-lmtp.conf:
protocol lmtp {
  mail_plugins = $mail_plugins sieve
}
/etc/dovecot/conf.d/20-managesieve.conf:
protocols = $protocols sieve
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
/etc/dovecot/conf.d/15-lda.conf:
protocol lda {
  mail_plugins = $mail_plugins quota sieve
}
/etc/dovecot/conf.d/90-sieve.conf:
sieve = ~/.dovecot.sieve
sieve_global_path = /var/lib/dovecot/sieve/default.sieve
sieve_dir = ~/sieve
sieve_global_dir = /var/lib/dovecot/sieve/
Restart dovecot
service dovecot restart
Enable the plugin from /var/www/roundcube/config/config.inc.php
$config['plugins'] = array(
  'managesieve',
);