How to Install and configure mail-server (Postfix, Dovecot, MariaDB/MySQL) in CentOS/RHEL 7


It is assumed that you have already installed and configured Apache, PHP and MariaDB/MySQL. Instructions for setting them up can be found at this link.

Installing PostfixAdmin

Download the PostfixAdmin archive, unpack it and distribute its contents into the appropriate directories:

$ wget http://sourceforge.net/projects/postfixadmin/files/latest/download?source=files -O postfixadmin.tar.gz
$ tar zxvf postfixadmin.tar.gz --no-same-owner --no-same-permissions --directory=/usr/share
$ rm -f postfixadmin.tar.gz
$ ln -s /usr/share/postfixadmin-2.92 /usr/share/postfixadmin
$ chcon -u system_u /usr/share/postfixadmin* -R
$ mkdir /usr/share/doc/postfixadmin-2.92
$ chcon -u system_u /usr/share/doc/postfixadmin-2.92
$ mv /usr/share/postfixadmin/{ADDITIONS,DOCUMENTS,VIRTUAL_VACATION} /usr/share/doc/postfixadmin-2.92
$ rm -rf /usr/share/postfixadmin/debian
$ chcon -t httpd_sys_rw_content_t /usr/share/postfixadmin/templates_c
$ chown root:apache /usr/share/postfixadmin/templates_c
$ chmod g+w /usr/share/postfixadmin/templates_c
$ mkdir /etc/postfixadmin
$ touch /etc/postfixadmin/config.local.php
$ chown root:apache /etc/postfixadmin/config.local.php
$ chmod 0640 /etc/postfixadmin/config.local.php
$ chcon -u system_u /etc/postfixadmin -R
$ chcon -t httpd_sys_content_t /etc/postfixadmin/config.local.php
$ ln -s /etc/postfixadmin/config.local.php /usr/share/postfixadmin/
$ chcon -u system_u /usr/share/postfixadmin/config.local.php -R

Now let’s create the MySQL database that will store information about the mail users:

$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.40-MariaDB MariaDB Server

Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE `%VMailDB%` DEFAULT CHARACTER SET utf8;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE USER '%VMailUser%'@'localhost' IDENTIFIED BY '%VMailPassWord%';
Query OK, 0 rows affected (0.03 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON `%VMailDB%`.* TO '%VMailUser%'@'localhost';
Query OK, 0 rows affected (0.03 sec)

MariaDB [(none)]> \q
Bye

Here and below, substitute your own database name, user name and password for %VMailDB%, %VMailUser% and %VMailPassWord%. No percent signs!

Write the connection details for the database you just created into the configuration file, and set a few other PostfixAdmin options:

$ nano -w /etc/postfixadmin/config.local.php
<?php
$CONF['configured'] = true;
$CONF['setup_password'] = 'changeme';
$CONF['default_language'] = 'en';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = '%VMailUser%';
$CONF['database_password'] = '%VMailPassWord%';
$CONF['database_name'] = '%VMailDB%';
$CONF['admin_email'] = 'postmaster@example.com';
$CONF['page_size'] = '50';
$CONF['default_aliases'] = array (
    'MAILER-DAEMON' => 'postmaster@example.com',
    'abuse' => 'postmaster@example.com',
    'postmaster' => 'hostmaster@example.com',
    'webmaster' => 'hostmaster@example.com',
    'hostmaster' => 'root@example.com',
    'root' => 'admin@example.com'
);
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['transport'] = 'YES';
$CONF['transport_options'] = array (
    'dovecot',  // for virtual accounts
    'virtual',  // for virtual accounts
    'local',    // for system accounts
    'relay'     // for backup mx
);
$CONF['transport_default'] = 'dovecot';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] = 'NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['backup'] = 'YES';
$CONF['sendmail'] = 'YES';
$CONF['logging'] = 'YES';
$CONF['fetchmail'] = 'YES';
$CONF['fetchmail_extra_options'] = 'YES';
$CONF['footer_text'] = 'Return to mail.example.com';
$CONF['footer_link'] = 'http://mail.example.com';
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

Make PostfixAdmin available through the Apache web server:

$ nano -w /etc/httpd/conf.d/postfixadmin.conf
# postfixadmin - Web based Management tool created for Postfix.
# 
# Allows only localhost by default
#
# But allowing postfixadmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /postfixadmin /usr/share/postfixadmin

<Directory /usr/share/postfixadmin/>
   AddDefaultCharset UTF-8

   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 127.0.0.1
       Require ip ::1
       Require ip 192.168.0.0/16
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
     Allow from 192.168.0.0/16
   </IfModule>
</Directory>
$ chcon -u system_u /etc/httpd/conf.d/postfixadmin.conf
$ systemctl reload httpd.service

Open https://mail.example.com/postfixadmin/setup.php in your browser.
Check that every item in the requirements list is marked OK. Then set the password for changing settings and save the resulting hash to /etc/postfixadmin/config.local.php:

$ nano -w /etc/postfixadmin/config.local.php
$CONF['setup_password'] = 'd2aec49ec9b65d5e606ea7ddcdb78d3a:831aa5735816eb6480232a93e859a1de84aec174';

Now open https://mail.example.com/postfixadmin/setup.php in your browser again, enter the setup password and create the admin account.

Once the administrator account has been created, open PostfixAdmin at https://mail.example.com/postfixadmin/ and log in with the administrator credentials. Our goal is to create a domain and user mailboxes.
To create a domain, choose «Domain List» and click «New Domain». Fill in the form (in «Transport» choose «dovecot») and click the «Add Domain» button.
After creating the domain, create users and aliases. To do this, choose «Virtual List» and click «Add Mailbox». Fill in the form and click the «Add Mailbox» button. When a domain is created, a number of system aliases are created with it by default; mail to them is eventually redirected to admin@example.com. You must now create a forward named admin@example.com to the administrator’s e-mail address. To do this, choose «Virtual List» and click «Add Alias». Enter admin in the «Alias» field, enter the full forwarding address in the «To» box, and click the «Add Alias» button.
Now open the list of created mailboxes and aliases by selecting «Virtual List» in the «Virtual List» menu. If everything is OK, proceed to further configure your mail system.

Fix PostfixAdmin to work with Russian characters

  • First, correct the character set of the MySQL tables:
    $ echo "ALTER DATABASE \`%VMailDB%\` CHARACTER SET utf8;" >temp.txt
    $ echo "ALTER TABLE \`%VMailDB%\`.\`quota\` DROP PRIMARY KEY, ADD PRIMARY KEY (\`username\`) COMMENT '';" >>temp.txt
    $ mysql -u root -p --database=%VMailDB% -B -N -e "SHOW TABLES" | awk '{print "SET foreign_key_checks = 0; ALTER TABLE", $1, "CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci; SET foreign_key_checks = 1; "}' >>temp.txt
    $ mysql -u root -p --database=%VMailDB% <temp.txt
    $ rm -f temp.txt
    
  • Now fix the PostfixAdmin PHP scripts so that they handle UTF-8 correctly:
    In every call to the htmlentities function in the directories /usr/share/postfixadmin and /usr/share/postfixadmin/templates, add the two extra arguments ENT_QUOTES and 'UTF-8', i.e. a call such as htmlentities($value) becomes htmlentities($value, ENT_QUOTES, 'UTF-8').
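To apply the htmlentities() change across many files without editing each one by hand, here is an added shell script (not from the original article or the PostfixAdmin project). It rewrites single-argument calls only, keeps a .orig copy of every file it touches, and is run here on a constructed sample template; the regex assumes the argument contains no parentheses or commas.

```shell
#!/bin/sh
# Added example, not part of the original article or PostfixAdmin: apply the
# htmlentities() fix in bulk. Only single-argument calls are rewritten, and the
# regex assumes the argument holds no parentheses or commas (true for the plain
# $var and $arr['key'] calls in the templates). Calls that already pass
# ENT_QUOTES are left untouched, so running the script twice is harmless.

# Rewrite htmlentities(<one argument>) in every file given, keeping a .orig copy.
fix_htmlentities() {
    for f in "$@"; do
        sed -i.orig -E \
            "s/htmlentities\(([^,()]+)\)/htmlentities(\1, ENT_QUOTES, 'UTF-8')/g" "$f"
    done
}

# Number of htmlentities() calls in file $1 that still lack the extra arguments.
count_unfixed() {
    grep -cE 'htmlentities\([^,()]+\)' "$1" || true
}

# Constructed sample standing in for a PostfixAdmin template (not real project code).
sample_template() {
    cat >"$1" <<'EOF'
<?php
echo htmlentities($row['name']);
echo htmlentities($PALANG['pAdminList_domain']);
echo htmlentities($already_fixed, ENT_QUOTES, 'UTF-8');
EOF
}

# Stand-alone demonstration on the constructed sample.
main() {
    f=$(mktemp)
    sample_template "$f"
    echo "before: $(count_unfixed "$f") call(s) to fix"
    fix_htmlentities "$f"
    echo "after:  $(count_unfixed "$f") call(s) to fix"
    cat "$f"
    rm -f "$f" "$f.orig"
}
main
```

On the real tree, pass the .php and .tpl files to fix_htmlentities and diff them against the .orig copies before deleting those.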


Fix the bug with saving extra options for fetchmail

  • In the file fetchmail.php the function escape_string is applied twice, so backslashes end up stored in MySQL.
  • $ nano -w /usr/share/postfixadmin/fetchmail.php
    #		$formvars[$key]= escape_string( function_exists($func) ?$func($val) :$val);
    		$formvars[$key]= function_exists($func) ?$func($val) :$val;
    


Installing postfix

Decide where the user mailboxes will physically live. If you plan to leave them in the default folder, skip this step. In my case the mail lives on a dedicated partition mounted at /srv. To do the same, mount the partition and run the following:

$ mv /var/spool/mail/ /srv/
$ ln -s /srv/mail/ /var/spool/mail
$ chcon -u system_u -t mail_spool_t /var/spool/mail -R

In CentOS 7 the default MTA is postfix; in previous CentOS versions you had to run:

$ yum -y install postfix && yum -y remove sendmail

Edit the main postfix configuration file:

$ nano -w /etc/postfix/main.cf
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mynetworks_style = host
mynetworks = $config_directory/mynetworks
smtpd_banner = $myhostname ESMTP $mail_name

# ---------------------- VIRTUAL DOMAINS START ----------------------
virtual_alias_maps		= proxy:mysql:$config_directory/sql/virtual_alias_maps.cf
virtual_mailbox_domains		= proxy:mysql:$config_directory/sql/virtual_domains_maps.cf
virtual_mailbox_maps		= proxy:mysql:$config_directory/sql/virtual_mailbox_maps.cf
#virtual_mailbox_limit_maps	= proxy:mysql:$config_directory/sql/virtual_mailbox_limit_maps.cf
virtual_mailbox_base		= /var/spool/mail
virtual_uid_maps		= static:8
virtual_gid_maps		= static:12
mailbox_size_limit		= 104857600
message_size_limit		= 104857600
relay_domains			= proxy:mysql:$config_directory/sql/relay_domains.cf
relay_recipient_maps		= proxy:mysql:$config_directory/sql/relay_recipient_maps.cf
transport_maps			= proxy:mysql:$config_directory/sql/transport_maps.cf
#transport_maps			= hash:$config_directory/transport
#virtual_transport		= dovecot
dovecot_destination_recipient_limit = 1
# ----------------------- VIRTUAL DOMAINS END -----------------------

# ------------------------- SASL PART START -------------------------
broken_sasl_auth_clients	= yes
smtpd_helo_required		= yes
smtpd_client_restrictions	= permit_sasl_authenticated
smtpd_sender_restrictions	= permit_sasl_authenticated
smtpd_sasl_auth_enable		= yes
smtpd_sasl_security_options	= noanonymous
smtpd_sasl_tls_security_options	= $smtpd_sasl_security_options
smtpd_sasl_type			= dovecot
# Can be an absolute path, or relative to $queue_directory
smtpd_sasl_path			= private/auth
# -------------------------- SASL PART END --------------------------

# -------------------------- TLS PART START -------------------------
smtpd_use_tls			= yes
smtpd_tls_auth_only		= yes
smtpd_tls_CAfile		= /etc/pki/tls/certs/sub.class2.server.ca.pem
smtpd_tls_cert_file		= /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_key_file		= /etc/pki/tls/private/mail.example.com.key
smtpd_tls_mandatory_protocols	= !SSLv2,!SSLv3
smtpd_tls_received_header	= yes
smtpd_tls_loglevel		= 1
tls_random_source		= dev:/dev/urandom
# --------------------------- TLS PART END --------------------------

# ------------------ SMTPD RESTRICTIONS PART START ------------------
disable_vrfy_command		= yes
non_fqdn_reject_code		= 450
invalid_hostname_reject_code	= 450
maps_rbl_reject_code		= 450
unverified_sender_reject_code	= 550
#header_checks			= pcre:$config_directory/header_checks
#body_checks			= pcre:$config_directory/body_checks
#warning: the restrictions reject_unknown_(sender|recipient)_domain
#will trigger if your DNS becomes unavailable
smtpd_recipient_restrictions =
	permit_mynetworks
	permit_sasl_authenticated
	reject_unauth_destination
	reject_invalid_helo_hostname
	warn_if_reject reject_non_fqdn_helo_hostname
	warn_if_reject reject_unknown_helo_hostname
	warn_if_reject reject_unknown_client
	reject_non_fqdn_sender
	reject_non_fqdn_recipient
	reject_unknown_sender_domain
	reject_unknown_recipient_domain
	check_client_access hash:$config_directory/rbl_override
	reject_rbl_client zen.spamhaus.org
	reject_rbl_client bl.spamcop.net
	reject_rbl_client dnsbl.sorbs.net=127.0.0.2
	reject_rbl_client dnsbl.sorbs.net=127.0.0.3
	reject_rbl_client dnsbl.sorbs.net=127.0.0.4
	reject_rbl_client dnsbl.sorbs.net=127.0.0.5
	reject_rbl_client dnsbl.sorbs.net=127.0.0.7
	reject_rbl_client dnsbl.sorbs.net=127.0.0.9
	reject_rbl_client dnsbl.sorbs.net=127.0.0.11
	reject_rbl_client dnsbl.sorbs.net=127.0.0.12
	permit

smtpd_data_restrictions =
	permit_mynetworks,
	reject_unauth_pipelining,
	reject_multi_recipient_bounce,
	permit
# ------------------- SMTPD RESTRICTIONS PART END --------------------

The «VIRTUAL DOMAINS» block is responsible for the domains we accept mail for and the users we created in PostfixAdmin. The «SASL» block is needed to authenticate users over SMTP so that they can send mail through our server. In the «TLS» block we set our SSL certificates so that all communication with the mail server is encrypted. The SMTPD «RESTRICTIONS» block cuts away the lion’s share of spam.

Create a list of exceptions to the RBL checks, so that mail from these servers is still accepted even if they somehow end up on an RBL:

$ nano -w /etc/postfix/rbl_override
mail.example.com	OK
1.2.3.4			OK
mail.example.org	OK
2.3.4.5			OK
$ postmap /etc/postfix/rbl_override
$ chcon -u system_u /etc/postfix/rbl_override*

Create a list of hosts that may send mail through our server without authentication (a very dangerous thing; as far as I remember it was really needed for only one blade center that could not log in, everything else authenticates on SMTP fine and sends mail without problems):

$ nano -w /etc/postfix/mynetworks
# localhost
127.0.0.0/8
# sw01.example.com
192.168.255.123/32
$ chcon -u system_u /etc/postfix/mynetworks

Configure the dovecot as mail transport:

$ nano -w /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}

Create the additional configuration files with the connection details for the SQL tables holding our domains and users:

$ mkdir /etc/postfix/sql

$ nano -w /etc/postfix/sql/virtual_alias_maps.cf
hosts		= localhost
dbname		= %VMailDB%
user		= %VMailUser%
password	= %VMailPassWord%
table		= alias
select_field	= goto
where_field	= address
additional_conditions = AND active = '1'

$ nano -w /etc/postfix/sql/virtual_domains_maps.cf
hosts		= localhost
dbname		= %VMailDB%
user		= %VMailUser%
password	= %VMailPassWord%
table		= domain
select_field	= description
where_field	= domain
additional_conditions = AND backupmx = '0' AND active = '1'

$ nano -w /etc/postfix/sql/virtual_mailbox_maps.cf
hosts		= localhost
dbname		= %VMailDB%
user		= %VMailUser%
password	= %VMailPassWord%
table		= mailbox
select_field	= maildir
where_field	= username
additional_conditions = AND active = '1'

$ nano -w /etc/postfix/sql/virtual_mailbox_limit_maps.cf
hosts		= localhost
dbname		= %VMailDB%
user		= %VMailUser%
password	= %VMailPassWord%
table		= mailbox
select_field	= quota
where_field	= username
additional_conditions = AND active = '1'

$ nano -w /etc/postfix/sql/relay_domains.cf
hosts		= localhost
dbname		= %VMailDB%
user		= %VMailUser%
password	= %VMailPassWord%
table		= domain
select_field	= domain
where_field	= domain
additional_conditions = AND backupmx = '1' AND active = '1'

$ nano -w /etc/postfix/sql/relay_recipient_maps.cf
hosts		= localhost
dbname		= %VMailDB%
user		= %VMailUser%
password	= %VMailPassWord%
table		= alias
select_field	= goto
where_field	= address
additional_conditions = AND active = '1'

$ nano -w /etc/postfix/sql/transport_maps.cf
hosts		= localhost
dbname		= %VMailDB%
user		= %VMailUser%
password	= %VMailPassWord%
table		= domain
select_field	= transport
where_field	= domain
additional_conditions = AND active = '1'

$ chown root:postfix /etc/postfix/sql/ -R
$ chcon -u system_u /etc/postfix/sql -R
$ chmod 0640 /etc/postfix/sql/*.cf
$ chmod 0750 /etc/postfix/sql/
$ newaliases

Postfix is configured, but it will not work until dovecot is configured as well.

Installing dovecot

Install the dovecot server and the plugins for working with the MySQL database and Sieve filters:

$ yum -y install dovecot dovecot-mysql dovecot-pigeonhole

$ nano -w /etc/dovecot/dovecot.conf
protocols = imap

$ nano -w /etc/dovecot/conf.d/10-auth.conf
#!include auth-system.conf.ext
!include auth-sql.conf.ext

$ nano -w /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:/var/spool/mail/%d/%n
mail_privileged_group = mail
mail_access_groups = mail
mmap_disable = yes
first_valid_uid = 8
first_valid_gid = 12

$ nano -w /etc/dovecot/conf.d/10-master.conf
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = mail
    group = mail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

$ nano -w /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/tls/certs/mail.example.com.crt
ssl_key = </etc/pki/tls/private/mail.example.com.key
ssl_ca = </etc/pki/tls/certs/sub.class2.server.ca.pem
ssl_protocols = !SSLv2 !SSLv3

$ nano -w /etc/dovecot/conf.d/15-lda.conf
postmaster_address = postmaster@example.com
hostname = mail.example.com
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
  mail_plugins = sieve
}

$ nano -w /etc/dovecot/conf.d/20-managesieve.conf
protocols = $protocols sieve

$ nano -w /etc/dovecot/conf.d/90-sieve.conf
plugin {
  sieve = /var/spool/mail/%Ld/%Ln.sieve/.dovecot.sieve
  sieve_dir = /var/spool/mail/%Ld/%Ln.sieve/
  sieve_extensions = +notify +imapflags
}

$ nano -w /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=localhost dbname=%VMailDB% user=%VMailUser% password=%VMailPassWord%
user_query = \
  SELECT CONCAT("/var/spool/mail/", domain) AS home, 8 AS uid, 12 AS gid, \
    'maildir:/var/spool/mail/%d/%n' AS mail, CONCAT("dirsize:storage=", quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'
password_query = \
  SELECT username AS user, password, \
    CONCAT("/var/spool/mail/", domain) AS userdb_home, 8 AS userdb_uid, 12 AS userdb_gid \
  FROM mailbox WHERE username = '%u' AND active='1'
iterate_query = SELECT username AS user FROM mailbox WHERE active='1'
$ chcon -u system_u /etc/dovecot/dovecot-sql.conf.ext
$ chmod 0600 /etc/dovecot/dovecot-sql.conf.ext


Starting services

Start dovecot and postfix and enable them at boot:

$ systemctl enable dovecot
$ systemctl start dovecot
$ systemctl status dovecot
dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since Wed 2014-11-26 15:58:44 MSK; 3min 41s ago
 Main PID: 20380 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─20380 /usr/sbin/dovecot -F
           ├─20384 dovecot/anvil
           ├─20385 dovecot/log
           └─20387 dovecot/config

Nov 26 15:58:44 example.com systemd[1]: Started Dovecot IMAP/POP3 email server.
Nov 26 15:58:44 example.com dovecot[20380]: master: Dovecot v2.2.10 starting up for imap, sieve (core dumps disabled)

$ systemctl enable postfix
$ systemctl restart postfix
$ systemctl status postfix
postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled)
   Active: active (running) since Wed 2014-11-26 16:01:53 MSK; 1s ago
  Process: 20542 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
  Process: 20558 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 20555 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 20552 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
 Main PID: 20630 (master)
   CGroup: /system.slice/postfix.service
           ├─20630 /usr/libexec/postfix/master -w
           ├─20631 pickup -l -t unix -u
           ├─20632 qmgr -l -t unix -u
           └─20633 proxymap -t unix -u

Nov 26 16:01:52 example.com systemd[1]: Starting Postfix Mail Transport Agent...
Nov 26 16:01:53 example.com postfix/postfix-script[20628]: starting the Postfix mail system
Nov 26 16:01:53 example.com postfix/master[20630]: daemon started -- version 2.10.1, configuration /etc/postfix
Nov 26 16:01:53 example.com systemd[1]: Started Postfix Mail Transport Agent.


Checking SMTP service

Now let’s check whether postfix accepts mail for our domain:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
EHLO localhost
250-mail.example.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: wakko@example.org
250 2.1.0 Ok
RCPT TO: admin@example.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Hi, Admin!

It's only test and nothing else.
.
250 2.0.0 Ok: queued as 43A7A209ED22
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

Now check the TLS connection and authentication:

$ echo -ne "\0test@example.com\0testpassword" | base64
AHRlc3RAZXhhbXBsZS5jb20AdGVzdHBhc3N3b3Jk
$ openssl s_client -starttls smtp -connect localhost:25 -crlf -ign_eof
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 C = RU, CN = mail.example.com, emailAddress = hostmaster@example.com
verify return:1
---
Certificate chain
 0 s:/C=RU/CN=mail.example.com/emailAddress=hostmaster@example.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=RU/CN=mail.example.com/emailAddress=hostmaster@example.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2450 bytes and written 410 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ...
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - ...

    Start Time: 1417022108
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
EHLO localhost
250-mail.example.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3RAZXhhbXBsZS5jb20AdGVzdHBhc3N3b3Jk
235 2.7.0 Authentication successful
MAIL FROM: test@example.com
250 2.1.0 Ok
RCPT TO: test@example.org
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
It's only test message.
.
250 2.0.0 Ok: queued as 8078F20A8F43
QUIT
221 2.0.0 Bye
closed
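As an added check, not part of the original article: a small shell script that builds the AUTH PLAIN credential the same way as the echo | base64 line above and then verifies, from two saved EHLO responses, that AUTH is advertised only after STARTTLS, which is the behaviour smtpd_tls_auth_only = yes in main.cf is meant to enforce. The EHLO responses embedded in it are constructed samples modelled on the transcript above.

```shell
#!/bin/sh
# Added example, not part of the original article. sasl_plain_token encodes
# "\0user\0password" for AUTH PLAIN; check_auth_only_over_tls compares the EHLO
# response before STARTTLS with the one after it and reports whether AUTH is
# offered only on the encrypted connection. The transcripts are constructed.

# Encode "\0user\0password" as base64 for AUTH PLAIN.
sasl_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print yes if the EHLO response on stdin advertises AUTH, otherwise no.
ehlo_offers_auth() {
    if grep -q '^250[- ]AUTH'; then echo yes; else echo no; fi
}

# Print the negotiated protocol from openssl s_client output on stdin.
tls_protocol() {
    sed -n 's/^ *Protocol *: *//p'
}

# Verdict for a pair of EHLO responses (files): "ok" only when AUTH is absent
# before STARTTLS ($1) and present after it ($2).
check_auth_only_over_tls() {
    plain=$(ehlo_offers_auth <"$1")
    tls=$(ehlo_offers_auth <"$2")
    if [ "$plain" = no ] && [ "$tls" = yes ]; then
        echo ok
    elif [ "$plain" = yes ]; then
        echo "FAIL: AUTH offered on the unencrypted connection"
    else
        echo "FAIL: AUTH not offered after STARTTLS"
    fi
}

# Constructed EHLO response before STARTTLS, as seen on port 25 above.
ehlo_plain() {
    cat <<'EOF'
250-mail.example.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}

# Constructed EHLO response after STARTTLS.
ehlo_tls() {
    cat <<'EOF'
250-mail.example.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}

main() {
    f1=$(mktemp); f2=$(mktemp)
    ehlo_plain >"$f1"; ehlo_tls >"$f2"
    echo "AUTH PLAIN token: $(sasl_plain_token test@example.com testpassword)"
    echo "smtpd_tls_auth_only check: $(check_auth_only_over_tls "$f1" "$f2")"
    rm -f "$f1" "$f2"
}
main
```

To check a live server, save the EHLO responses from telnet (port 25) and from openssl s_client -starttls smtp into two files and pass them to check_auth_only_over_tls.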


Configuring the firewall

Having checked that postfix is working and ready to accept mail, open it to the world:

$ firewall-cmd --permanent --zone=public --add-service=smtp
$ firewall-cmd --permanent --zone=public --add-service=imaps
$ firewall-cmd --permanent --zone=public --add-port=465/tcp
$ firewall-cmd --permanent --zone=public --add-port=4190/tcp
$ firewall-cmd --reload


Configuration of FetchMail

First of all install the needed packages:

$ yum -y install fetchmail perl-LockFile-Simple perl-Sys-Syslog

Now let’s create the config file for fetchmail:

$ nano -w /etc/postfixadmin/fetchmail.conf
$db_type = "mysql";
$db_host="localhost";
$db_name="%VMailDB%";
$db_username="%VMailUser%";
$db_password="%VMailPassWord%";

$ chcon -u system_u /etc/postfixadmin/fetchmail.conf
$ chown root:postfix /etc/postfixadmin/fetchmail.conf
$ chmod 0640 /etc/postfixadmin/fetchmail.conf

Then prepare the script that cron will run periodically to collect mail for us:

$ cp /usr/share/doc/postfixadmin-*/ADDITIONS/fetchmail.pl /usr/libexec/postfix/
$ chmod 0755 /usr/libexec/postfix/fetchmail.pl
$ sed -i 's/\/etc\/mail\/postfixadmin/\/etc\/postfixadmin/g' /usr/libexec/postfix/fetchmail.pl
$ sed -i 's/-f \$filename -i/-s -f \$filename --pidfile/g' /usr/libexec/postfix/fetchmail.pl
$ nano -w /usr/libexec/postfix/fetchmail.pl
	$mda =~ s/\${mailbox}/${mailbox}/;
#	syslog("info","fetch ${src_user}@${src_server} for ${mailbox}");

$ chcon -u system_u /usr/libexec/postfix/fetchmail.pl
$ mkdir /var/run/fetchmail
$ chcon -u system_u /var/run/fetchmail
$ chown postfix:mail /var/run/fetchmail
$ chmod 0775 /var/run/fetchmail

Add this script to cron:

$ crontab -u postfix -e
MAILTO=root
*/1 * * * *	/usr/libexec/postfix/fetchmail.pl

Now log in to PostfixAdmin and configure the e-mail accounts from which mail will be collected. To do this, open the PostfixAdmin web interface, choose «Fetch Email» in the menu and click «New Entry». Select the mailbox the mail should be delivered to, enter the remote server name, user name and password, and choose the protocol used to fetch the mail (IMAP/POP3). If the IMAP server has several folders, you will need to create a separate entry for each folder and specify its location in the «Folder» field. If the mail is collected over Secure Sockets Layer (SSL), tick «SSL active»; it is also advisable to fill in «SSL fingerprint (md5)» with the fingerprint of the SSL certificate that Fetchmail will see. Then save the record by clicking «Save Changes».
To get the fingerprint, run the following command:

$ echo "QUIT" | openssl s_client -connect mail.example.org:993 -showcerts | sed -ne '/BEGIN/,/END/p' >/tmp/temp.crt
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 907535-Ri93n22WJHt0psNK, CN = mail.example.org, emailAddress = postmaster@example.org
verify return:1
notAfter=Oct 13 05:50:16 2015 GMT
verify return:1
depth=0 description = 907535-Ri93n22WJHt0psNK, CN = mail.example.org, emailAddress = postmaster@example.org
notAfter=Oct 13 05:50:16 2015 GMT
verify return:1
DONE
$ openssl x509 -in /tmp/temp.crt -fingerprint -noout -md5 | sed "s/MD5 Fingerprint=//"
4F:80:51:CD:B5:1C:6A:37:74:3A:46:4B:E1:02:A7:BC
$ rm -f /tmp/temp.crt
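Here is an added shell script (not from the original article) that performs the same extraction on saved s_client output, but keeps only the first certificate of the chain and prints its MD5 fingerprint, as the PostfixAdmin field expects, alongside the SHA-256 one for comparing with whatever the remote administrator publishes. It assumes the openssl command line tool is installed and builds its own throwaway certificates as a constructed stand-in for the real server output.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes the openssl CLI.
# The article's sed range '/BEGIN/,/END/p' copies every certificate that
# -showcerts prints; openssl x509 then silently uses only the first one.
# first_cert makes that explicit so the fingerprint is always the server's own.

# Print only the first PEM certificate block in file $1.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# Fingerprint of the first certificate in file $1 using digest $2 (md5 or
# sha256), with the "MD5 Fingerprint=" style prefix removed as in the article.
cert_fingerprint() {
    first_cert "$1" | openssl x509 -noout -fingerprint "-$2" | sed 's/^.*Fingerprint=//'
}

# Constructed stand-in for s_client -showcerts output: a fresh self-signed leaf
# certificate wrapped in the lines s_client prints around it, followed by a
# second certificate that must be ignored. Written to $1/s_client.out.
make_sample() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=mail.example.org' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Issuer' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    {
        echo 'CONNECTED(00000003)'
        echo '---'
        echo 'Certificate chain'
        echo ' 0 s:/CN=mail.example.org'
        cat "$dir/leaf.crt"
        echo ' 1 s:/CN=Example Issuer'
        cat "$dir/ca.crt"
        echo '---'
        echo 'DONE'
    } >"$dir/s_client.out"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    dir=$(mktemp -d)
    make_sample "$dir"
    echo "MD5    (for the PostfixAdmin field): $(cert_fingerprint "$dir/s_client.out" md5)"
    echo "SHA256 (for comparison):             $(cert_fingerprint "$dir/s_client.out" sha256)"
    rm -rf "$dir"
}
main
```

For a real server, save the output of the s_client command above to a file and pass that file to cert_fingerprint instead of the constructed sample.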

In this article you can read about configuring the DSpam spam filter; it also contains a sample file with Sieve rules. And in this article you can read about installing and customizing the RoundCube web interface for mail.

Comments

  1. realmadrider
    11.03.2015 - 12:51

    I have mistakenly deleted mail user and group. I’ve tried to recreate them, but seems like something’s wrong as I get lots of “access denied” and “Relay access denied” in my logs. Another point is that the line “bad uid 8 in virtual_uid_maps” shows up a lot in logs even though the “mail” user obviously has the uid 8. What am I doing wrong?

  2. Hi,
    please write a manual on enabling quota with dovecot & mysql.
    Thx
