Creating an IMAP & webmail server

From Newroco Tech Docs

First follow the instructions in Creating a simple mail server.

Dovecot

Install the following packages

apt-get install dovecot-ldap dovecot-lmtpd

Obtain a certificate for Dovecot, for example with Certbot. If the certificate for the mail domain already lives on a reverse proxy you can copy it from there with a script run from crontab. The script below pulls the proxy's Let's Encrypt directory over rsync (rsync runs under sudo on the proxy side so the private keys are readable) and restarts Dovecot only when the copy succeeded; stdout and stderr both go to the log file:

#!/bin/bash
# Pull /etc/letsencrypt from the proxy (read via sudo there) and load it into Dovecot.
/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" user-on-proxy@proxy-ip:/etc/letsencrypt/ /etc/letsencrypt-proxy/ >> /var/log/letsencrypt_sync.log 2>&1 \
  && service dovecot restart

Or you can generate your own self-signed certificate. Note that nobody trusts a self-signed certificate by default: every IMAP client will warn until the user accepts it, and Roundcube has to be pointed at the certificate file (see its cafile setting below). Recent clients check the host name against the certificate's subjectAltName rather than the CN, so put the mail host's name there (-addext needs OpenSSL 1.1.1 or newer):

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com" -keyout /etc/ssl/private/imap.key -out /etc/ssl/certs/imap.crt
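Before pointing clients at the certificate it helps to check it the way they will. The script below is an added example, not from this page: it creates a self-signed certificate carrying a subjectAltName, lists the names in it, and verifies it with openssl verify against a trust file plus a host name, which is the same pair of checks an IMAP client or Roundcube's verify_peer/cafile setting performs. The host names and temporary paths are assumptions for the demo; on a real server run client_verify on the certificate Dovecot serves with the name users type.

```shell
#!/bin/sh
# Added example (not from the Newroco page): make a self-signed IMAP certificate with a
# subjectAltName and verify it like a client does (trust file + host name).
# Host names and paths below are assumptions for the demo.

# make_selfsigned_cert KEY CRT HOST [HOST...]: self-signed cert, CN = first HOST,
# subjectAltName = every HOST. Uses a temporary openssl config so it works on
# OpenSSL releases that predate -addext.
make_selfsigned_cert() {
    key=$1; crt=$2; shift 2
    cn=$1
    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = srv
prompt = no
[dn]
CN = $cn
[srv]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$key" -out "$crt" -config "$cfg" >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    return $rc
}

# cert_sans CRT: print the DNS names from the certificate's subjectAltName, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# client_verify CAFILE CRT HOST: exit 0 only if CRT chains to CAFILE and HOST matches it,
# the two checks a verifying IMAP client (or Roundcube with verify_peer) performs.
client_verify() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo on throwaway files (constructed, not a real server certificate).
dir=$(mktemp -d)
make_selfsigned_cert "$dir/imap.key" "$dir/imap.crt" example.com mail.example.com
make_selfsigned_cert "$dir/other.key" "$dir/other.crt" other.example.com
echo "names in imap.crt: $(cert_sans "$dir/imap.crt" | tr '\n' ' ')"
client_verify "$dir/imap.crt" "$dir/imap.crt" mail.example.com && echo "mail.example.com against imap.crt: trusted"
client_verify "$dir/imap.crt" "$dir/imap.crt" imap.example.com || echo "imap.example.com: name not in certificate"
client_verify "$dir/other.crt" "$dir/imap.crt" example.com || echo "other.crt as trust file: untrusted"
```

The last two calls show the two ways a client ends up with a certificate warning: a name that is not in the SAN, and a trust file that does not contain the certificate.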

Point Dovecot at the certificate in /etc/dovecot/conf.d/10-ssl.conf (the leading < tells Dovecot to read the file's contents; keep the key file readable by root only, Dovecot opens it before dropping privileges):

ssl = yes
ssl_cert = </path/to/certificate
ssl_key = </path/to/private/key

Create a Samba/LDAP user for Dovecot to bind with (it only needs to read user objects, so do not give it admin rights); more info can be found here Samba. Copy the TLS certificate from the Samba server, /var/lib/samba/private/tls/cert.pem, to /opt/samba/samba-cert.pem on the mail server (the path referenced in the two files below). The file is used as a trust anchor: if Samba's cert.pem is signed by its own CA rather than self-signed, copy ca.pem from the same directory instead.

Modify /etc/ldap/ldap.conf so the OpenLDAP client library (which Dovecot uses) trusts the Samba certificate instead of the system CA bundle:

#TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
TLS_CACERT      /opt/samba/samba-cert.pem

Add a line in /etc/hosts for the Samba server, using the host name that appears on its certificate (TLS verification checks the name you connect with against it):

<samba-server-ip> hostname.domain.local

Add/modify the following lines in /etc/dovecot/dovecot-ldap.conf.ext. The bind password is stored in clear here, so keep the file owned by root with mode 0600. With auth_bind = yes Dovecot verifies a login by binding to LDAP as the user, so no password attribute is needed in pass_attrs (Active Directory would not return one anyway); the user lookup maps the POSIX uidNumber/gidNumber attributes to the mailbox owner:

hosts = hostname.domain.local
dn = cn=<samba-user>,cn=Users,dc=DOMAIN,dc=LOCAL
dnpass = <samba-user-password>
tls = yes
tls_ca_cert_file = /opt/samba/samba-cert.pem
auth_bind = yes
ldap_version = 3
base = dc=DOMAIN,dc=LOCAL
scope = subtree
user_attrs = uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=Person)(sAMAccountName=%n))
pass_attrs = sAMAccountName=user
pass_filter = (&(objectClass=Person)(sAMAccountName=%n))
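A way to check the bind account, the TLS anchor and the filter before restarting Dovecot is to run the same search by hand. The script below is an added example, not from this page: user_filter builds the page's user_filter with %n replaced by a name escaped per RFC 4515 (Dovecot escapes %n the same way; building a filter from a raw name would be an LDAP injection), and lookup_user runs it with ldapsearch over StartTLS against the host, bind DN and CA file configured above. The angle-bracket placeholders are the page's and are left unfilled; ldapsearch prompts for the bind password rather than taking it on the command line.

```shell
#!/bin/sh
# Added example (not from the Newroco page): reproduce Dovecot's LDAP user lookup
# out of band. Host, bind DN, base and CA path are the page's placeholders.

# ldap_escape STRING: escape the filter metacharacters \ * ( ) as RFC 4515 requires
# (backslash first, so the escapes added afterwards are not escaped again)
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# user_filter NAME: the page's user_filter with %n replaced by the escaped name
user_filter() {
    printf '(&(objectClass=Person)(sAMAccountName=%s))' "$(ldap_escape "$1")"
}

# lookup_user NAME: the search Dovecot will run, over StartTLS on port 389.
# -ZZ makes ldapsearch fail if TLS cannot be negotiated instead of falling back to
# clear text; LDAPTLS_CACERT is the same anchor as tls_ca_cert_file above.
# Not run by the demo below: it needs the Samba server.
lookup_user() {
    LDAPTLS_CACERT=/opt/samba/samba-cert.pem \
    ldapsearch -x -H ldap://hostname.domain.local -ZZ \
        -D 'cn=<samba-user>,cn=Users,dc=DOMAIN,dc=LOCAL' -W \
        -b dc=DOMAIN,dc=LOCAL -s sub "$(user_filter "$1")" \
        sAMAccountName uidNumber gidNumber
}

# Demo: a normal name and two names that would change the filter if pasted in raw
# (constructed inputs).
for n in alice 'ad*' 'x)(uid=*'; do
    echo "$n -> $(user_filter "$n")"
done
```

The third sample name shows why the escaping matters: unescaped, `x)(uid=*` would close the sAMAccountName term and add a wildcard clause of the attacker's choosing; escaped, it is just a login name that matches nobody.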

Uncomment this line from /etc/dovecot/conf.d/10-auth.conf

!include auth-ldap.conf.ext

File /etc/dovecot/conf.d/auth-ldap.conf.ext should look like this

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = home=/var/mail/vmail/%n
}

You should have this in /etc/dovecot/conf.d/10-master.conf so Postfix can hand mail to Dovecot over LMTP through a socket inside the Postfix spool (readable and writable by the postfix user only):

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

And this in /etc/dovecot/dovecot.conf

protocols = imap lmtp

Dovecot lowercases user names by default (auth_username_format = %Lu). If you want case-sensitive user names, uncomment and set this line in /etc/dovecot/conf.d/10-auth.conf. Keep in mind that the AD lookup by sAMAccountName is case-insensitive anyway, but the mailbox path /var/mail/vmail/%n is not, so "Alice" and "alice" would end up with different mailboxes:

auth_username_format = %u

And finally restart dovecot

service dovecot restart

Postfix

To make Postfix deliver local mail to Dovecot over LMTP, add these lines to /etc/postfix/main.cf. The empty local_recipient_maps tells Postfix to accept any recipient in its local domains without checking, because Postfix cannot see Dovecot's LDAP userdb; mail to nonexistent users is therefore accepted and only rejected by Dovecot LMTP afterwards, which turns into a bounce (backscatter). If you can, point local_recipient_maps at an LDAP lookup table instead.

local_transport = lmtp:unix:private/dovecot-lmtp
local_recipient_maps =

And if using a relay add this to the same file (the brackets turn off the MX lookup, which is what you want when giving an IP address):

relayhost = [<relay-ip>]

Restart postfix

service postfix restart

Postfix auth

If you want to use the mail service from outside your network with an IMAP client, and send mail out through the same Postfix instance (so that mail from the IMAP client and from webmail leaves through one outgoing server), you must enable SMTP authentication: Postfix only relays for mynetworks by default, so remote clients cannot send through it otherwise. The neatest way is SASL via Dovecot, which then checks the credentials against the same LDAP directory as IMAP logins. To enable this, first ensure Dovecot is listening for Postfix's auth connections

# vi /etc/dovecot/conf.d/10-master.conf

ensuring that within the service auth section the following listener is present and uncommented. The private/ directory under the Postfix spool is accessible to the postfix user only, which is why a 0666 socket is acceptable there; mode = 0660 with user and group set to postfix is the stricter form.

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}

If changes were required, reload Dovecot

# dovecot reload

Then for postfix

# vi /etc/postfix/main.cf

Adding the following lines

smtpd_sasl_auth_enable              = yes
smtpd_sasl_type                     = dovecot
smtpd_sasl_path                     = private/auth

And reloading postfix

# postfix reload

Depending on your scenario, you may need to forward a port on your firewall to make Postfix reachable from the outside. As configured above that is port 25, the same port inbound mail arrives on. The conventional port for authenticated client submission is 587 (the submission service in /etc/postfix/master.cf): residential ISPs often block outbound 25 but leave 587 open, and a separate submission service lets you require TLS and AUTH for clients without affecting inbound server-to-server mail on 25.

Postfix encrypted auth

To ensure the user name and password are sent over an encrypted connection you need to enable and configure TLS. This can be done with a self-signed certificate, which works with most email clients but requires the user to accept the certificate, or with an officially issued one, e.g. from Let's Encrypt.

Open postfix main.cf

# vi /etc/postfix/main.cf

and uncomment/add/modify the following lines (smtpd_use_tls is the pre-2.3 spelling and is ignored once smtpd_tls_security_level is set; it is harmless to leave in):

# TLS parameters
smtpd_tls_security_level = may
smtpd_tls_cert_file=/path/to/fullchain.pem
smtpd_tls_key_file=/path/to/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

The above enables STARTTLS but still lets clients that do not support it connect in clear, and Postfix will accept AUTH on those cleartext sessions too. To refuse any unencrypted session change "may" to "encrypt":

smtpd_tls_security_level = encrypt

Note that this applies to every connection on that smtpd instance: on port 25 it also turns away remote mail servers that do not offer TLS, and Roundcube's plain connection to localhost (use 'tls://localhost' as its smtp_server in that case). The usual compromise is to keep "may" on port 25 and add smtpd_tls_auth_only = yes, which leaves TLS optional for server-to-server mail but only offers AUTH once the session is encrypted, and to enforce "encrypt" on the port 587 submission service instead.

When finished, reload postfix

# postfix reload
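The two sections above (Postfix auth and Postfix encrypted auth) interact: SASL is switched on first and TLS stays optional, so until the security level or smtpd_tls_auth_only is tightened a client may send AUTH PLAIN in clear. The script below is an added example, not from this page: it reads a main.cf (or the output of postconf -n saved to a file), flags that combination and missing certificate paths, and runs itself over two small configs constructed for the demo, one with the weak settings and one corrected with smtpd_tls_auth_only = yes.

```shell
#!/bin/sh
# Added example (not from the Newroco page): audit a Postfix main.cf for
# "SASL AUTH on, TLS optional", which lets a client hand over its password in clear.
# Reads "key = value" lines as postconf -n prints them: comments are skipped, the last
# assignment wins, continuation lines are not handled. The sample configs written by
# write_samples are constructed for the demo.

# cf_get FILE KEY: print the value of KEY in FILE, empty if unset
cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") == 0 { next }
        {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# audit_smtpd_auth FILE: one finding per line on stdout; return value = number of findings
audit_smtpd_auth() {
    f=$1; n=0
    if [ "$(cf_get "$f" smtpd_sasl_auth_enable)" != yes ]; then
        echo "info: smtpd_sasl_auth_enable is not yes, no AUTH to audit"
        return 0
    fi
    level=$(cf_get "$f" smtpd_tls_security_level)
    case "$level" in
        encrypt) ;;   # TLS mandatory on this smtpd: AUTH can only happen encrypted
        may)
            if [ "$(cf_get "$f" smtpd_tls_auth_only)" != yes ]; then
                echo "FAIL: smtpd_tls_security_level = may without smtpd_tls_auth_only = yes: AUTH is offered on cleartext sessions"
                n=$((n + 1))
            fi ;;
        *)
            echo "FAIL: smtpd_tls_security_level is '${level:-unset}': credentials cross the wire in clear"
            n=$((n + 1)) ;;
    esac
    for p in smtpd_tls_cert_file smtpd_tls_key_file; do
        if [ -z "$(cf_get "$f" "$p")" ]; then
            echo "FAIL: $p is not set, STARTTLS cannot be offered"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# write_samples DIR: a weak and a corrected main.cf (constructed for the demo)
write_samples() {
    cat > "$1/weak.cf" <<'EOF'
# SASL on, TLS optional, key file forgotten: AUTH PLAIN can go over port 25 in clear
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_tls_cert_file = /path/to/fullchain.pem
EOF
    cat > "$1/fixed.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /path/to/fullchain.pem
smtpd_tls_key_file = /path/to/privkey.pem
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for cf in weak fixed; do
    echo "== $cf.cf"
    audit_smtpd_auth "$dir/$cf.cf" && echo "   ok" || echo "   $? finding(s)"
done
```

To run it against the live configuration, save postconf -n to a file (postconf -n > /tmp/main.cf) and call audit_smtpd_auth /tmp/main.cf; the return value is the number of findings, so the check can gate a deployment.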

Roundcube

Roundcube is a webmail app.

Install a lamp server

apt-get install lamp-server^

Install the PHP extensions Roundcube needs (the package names and php.ini path below are for the PHP 7.0 shipped with Debian 9 / Ubuntu 16.04; adjust the version suffix to your release)

apt-get install php-xml php7.0-mbstring

Set your timezone in /etc/php/7.0/apache2/php.ini

date.timezone = "UTC"

Connect to mysql

mysql -u root -p

And create a database and a dedicated user for Roundcube. Restrict the user to localhost (without a host part MySQL creates 'roundcubeuser'@'%', reachable from anywhere) and pick a real password; it goes into config.inc.php below:

create database roundcubedb;
create user 'roundcubeuser'@'localhost' identified by '<strong-password>';
grant all privileges on roundcubedb.* to 'roundcubeuser'@'localhost';
flush privileges;
exit

Download Roundcube (the latest version can be found here: roundcube). 1.2.5 was current when this page was written and is long unsupported, so take the current release, and verify the signature or checksum published alongside it before unpacking:

wget https://github.com/roundcube/roundcubemail/releases/download/1.2.5/roundcubemail-1.2.5-complete.tar.gz

Extract and move to /var/www

tar -xzf roundcubemail-1.2.5-complete.tar.gz
mv roundcubemail-1.2.5 /var/www/roundcube

Fix ownership. Leave the code owned by root and give the web server write access only to the two directories Roundcube actually writes to, temp/ and logs/, so a bug in PHP or Roundcube cannot rewrite the application files:

chown -R root:root /var/www/roundcube
chown -R www-data:www-data /var/www/roundcube/temp /var/www/roundcube/logs

Import roundcube database into mysql

mysql -u root -p roundcubedb < /var/www/roundcube/SQL/mysql.initial.sql

Append the host name on the Dovecot certificate (the name you will use for your mail) to the 127.0.1.1 line in /etc/hosts, after the names already there, so that Roundcube reaches the local Dovecot by that name and the certificate's name check passes:

127.0.1.1 example.com

Add/modify the following lines in /var/www/roundcube/config/config.inc.php. Roundcube submits through the local Postfix on port 25 without authentication, which is fine from localhost; if you set smtpd_tls_security_level = encrypt in Postfix, use 'tls://localhost' as the smtp_server so Roundcube negotiates STARTTLS.

$config['db_dsnw'] = 'mysql://roundcubeuser:<strong-password>@localhost/roundcubedb';
$config['default_host'] = 'imaps://example.com';
$config['default_port'] = 993;
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;

# If using a self-signed certificate you need the following lines too: PHP's trust
# store does not contain it, so point the IMAP connection at the certificate file
# and keep peer verification on rather than switching it off.
$config['imap_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => true,
     'verify_depth' => 3,
     'cafile'       => '/path/to/certificate',
   ),
);

Edit /etc/apache2/sites-available/000-default.conf to point Apache at the right directory. Two things to check in the same vhost: serve it over HTTPS (the login form carries the user's directory password), and make sure Roundcube's config/, temp/ and logs/ directories are not reachable from the web. Roundcube ships .htaccess files for that, but Debian's default Directory block for /var/www has AllowOverride None, so either allow overrides for /var/www/roundcube or deny those paths in the vhost.

DocumentRoot /var/www/roundcube

Finally restart apache

service apache2 restart