diff --git a/src/debian/assets/bash.bashrc b/src/debian/assets/bash.bashrc
index 4ca3e5d..e2f1090 100644
--- a/src/debian/assets/bash.bashrc
+++ b/src/debian/assets/bash.bashrc
@@ -83,4 +83,4 @@ fi
 
 alias ls='ls --color=auto'
 alias dir='ls -lFAh'
-alias rsy='rsync -vaSH'
+alias rsyn='rsync -vaSH'
diff --git a/src/mailsrv/assets/bin/mkvirt b/src/mailsrv/assets/bin/mkvirt
index 607f1ef..975ec5d 100755
--- a/src/mailsrv/assets/bin/mkvirt
+++ b/src/mailsrv/assets/bin/mkvirt
@@ -15,17 +15,7 @@ postmap /etc/postfix/users
 
 ### Aliases ###
 
-# make self-referential users list
-# this is needed for the reject_sender_login_mismatch restriction to work,
-# otherwise users cannot send emails as their own address
-mkdir -p /vol/db/aliases_out.d
-cd /vol/db/aliases_out.d
-echo "# This file is autogenerated by mkvirt. Don't edit it manually." > self.list
-cat /vol/db/users | cut -d':' -f1 | perl -pe 's/(.*)/\1\@brbytes.org \1\n\1\@mail.brbytes.org \1/' >> self.list
-
 # copy aliases to postifx config
 cd /etc/postfix
-cat /vol/db/aliases_out.d/*.list > aliases_out
-postmap aliases_out
-cat /vol/db/aliases_in.d/*.list > aliases_in
-postmap aliases_in
+cat /vol/db/aliases.d/*.list > aliases
+postmap aliases
diff --git a/src/mailsrv/assets/postfix/main.cf b/src/mailsrv/assets/postfix/main.cf
index 9e1d182..40cd54b 100644
--- a/src/mailsrv/assets/postfix/main.cf
+++ b/src/mailsrv/assets/postfix/main.cf
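Review bot: `cd /etc/postfix` on the context line just above the new `cat /vol/db/aliases.d/*.list > aliases` is still unchecked, so if that directory is missing the `aliases` file and its `.db` are written into whatever the current directory happens to be and `postmap aliases` quietly builds a map in the wrong place; `cd /etc/postfix || exit 1` closes that. The glob `/vol/db/aliases.d/*.list` is passed to `cat` literally when nothing matches, which makes `cat` fail and leaves an empty `aliases` map, so a guard or `shopt -s nullglob` is worth adding if an empty aliases.d is a legitimate state. The script's beginning and any `set` options are outside the hunk, so whether these failures already abort the run is not visible here.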
@@ -17,18 +17,18 @@ compatibility_level = 2 ### Domains ### # primary name of server -myhostname = mail.brbytes.org +myhostname = mail.alemor.org myorigin = $mydomain # domains to consider primary (local) endpoints mydestination = $myhostname, $mydomain, localhost.localdomain, localhost # domains to consider secondary (virtual) endpoints -#virtual_alias_domains = info.brbytes.org +virtual_alias_domains = epic.alemor.org, mail.alemor.org, home.alemor.org, alegre.alemor.org, daniel.alemor.org, fernando.alemor.org, juana.alemor.org, mario.alemor.org, moreno.alemor.org, mbox.alemor.org, pirealps.org ### Users ### # get list of valid users from here instead of /etc/passwd local_recipient_maps = hash:/etc/postfix/users # get list of user aliases from this file -virtual_alias_maps = hash:/etc/postfix/aliases_in +virtual_alias_maps = hash:/etc/postfix/aliases # Address tag delimiter. If an email is sent to ${user}${delimiter}*, # the email is sent to ${user} if that address is not already explicitly defined. recipient_delimiter = - diff --git a/src/mailsrv/assets/postfix/master.cf b/src/mailsrv/assets/postfix/master.cf index 9f516ed..1705474 100644 --- a/src/mailsrv/assets/postfix/master.cf +++ b/src/mailsrv/assets/postfix/master.cf @@ -16,8 +16,6 @@ submission inet n - y - - smtpd -o smtpd_sasl_security_options=noanonymous -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject - -o smtpd_sender_login_maps=hash:/etc/postfix/aliases_out - -o smtpd_sender_restrictions=reject_sender_login_mismatch # Local services # ========================================================================== diff --git a/src/mailsrv/docs/Deploy.md b/src/mailsrv/docs/Deploy.md index 1c2cf54..f72b0e5 100644 --- a/src/mailsrv/docs/Deploy.md +++ b/src/mailsrv/docs/Deploy.md 
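Review bot: The new `virtual_alias_domains` line lists `mail.alemor.org`, which is also the new `myhostname` and therefore already part of `mydestination` through `$myhostname` on the context line above; Postfix warns about a domain appearing in both lists, and delivery for that domain becomes ambiguous. Remove `mail.alemor.org` from `virtual_alias_domains`, or from `mydestination`, depending on which delivery path is intended for it. The retained comment `# get list of user aliases from this file` above the new `virtual_alias_maps` line could also note that `/etc/postfix/aliases` is now generated by mkvirt from `/vol/db/aliases.d/*.list`, since the former inbound/outbound split no longer exists.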
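Review bot: Removing `-o smtpd_sender_login_maps=hash:/etc/postfix/aliases_out` and `-o smtpd_sender_restrictions=reject_sender_login_mismatch` from the submission service means any SASL-authenticated account can now submit mail with any envelope sender, including another local user's address, so a single compromised or careless mailbox can impersonate the whole domain. The mkvirt hunk deletes the self-referential list that fed that login map instead of regenerating it from the unified aliases.d, so the check is dropped outright rather than migrated. If that is intentional, a comment on the submission service stating that sender/login matching is not enforced would keep the next reader from assuming it still is; otherwise mkvirt should rebuild a login map (address → login, the reverse of the virtual-alias layout, so `/etc/postfix/aliases` cannot be reused directly) and the two `-o` lines should stay. The surviving `smtpd_recipient_restrictions` line constrains recipients only and does not cover this.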
@@ -3,25 +3,41 @@ ## create dirs ``` -mkdir -p /srv/volumes/mailserver/{db,mail,ssl} -chown -R 5000:5000 /srv/volumes/mailserver -chmod go-rwx /srv/volumes/mailserver/ssl +sudo mkdir -p /srv/vol/mailsrv/{db,mail,ssl} +sudo chown -R 5000:5000 /srv/vol/mailsrv +sudo chmod go-rwx /srv/vol/mailsrv/ssl ``` put your `users` and `aliases.d` in the `db` directory. Mail will go in the `mail` directory. +``` +sudo -i +cd /srv/vol/mailsrv/db +mkdir aliases.d +``` + +create aliases as needed + +``` +vi /srv/vol/mailsrv/db/users +``` + +format is like a passwd file with user:passwd (no spaces between) + +make sure that all files are owned by 5000:5000 + ## make sure mail ports are open -add the following directives to the `myfirewall` chain in `/etc/nftables`: +add the following directives to the `myfirewall` chain in `/etc/nftables.conf`: ``` # accept incoming SMTP(s) connections - tcp dport {25, 465, 587} accept + tcp dport {25, 587} accept # accept incoming IMAP(s) connections tcp dport {143, 993} accept ``` then make sure configuration has taken place by running: ``` -nft -f /etc/nftables +nft -f /etc/nftables.conf ``` ## set up domain name 
@@ -33,18 +49,26 @@ ping ${dnsname:?} ## get SSL certificates from letsencrypt -install certbot: +install acme.sh + ``` -apt install certbot +apt install socat +git clone https://github.com/acmesh-official/acme.sh.git +cd acme.sh +./acme.sh --install --home /usr/local/lib/acme-sh \ + --config-home /etc/acme-sh \ + --accountemail letsencrypt@mail.alemor.org ``` -if you are using a firewall, you need to figure out how to define a temporary rule allowing http access. For nftables, the rule would be `nft insert rule inet myfilter myfirewall tcp dport 80 accept`. +Then exit and relogin to refresh the bash hash -Get a certificate for your domain by running: ``` -certbot certonly --standalone --pre-hook "nft insert rule inet myfilter myfirewall tcp dport 80 accept" --post-hook "nft -f /etc/nftables.conf" --deploy-hook "rsync -vaSHL /etc/letsencrypt/live/${domain:?}/ /srv/volumes/mailsrv/ssl/; chown -R 5000:5000 /srv/volumes/mailsrv/ssl" -d ${domain:?} +acme.sh --issue --alpn --pre-hook 'systemctl stop haproxy' \ + --post-hook 'systemctl start haproxy' -d mailtest.alemor.org +acme.sh --install-cert -d mailtest.alemor.org \ + --fullchain-file /srv/vol/mailsrv/ssl/fullchain.pem \ + --key-file /srv/vol/mailsrv/ssl/key.pem ``` -the application may ask you a few questions. Answer them as you would like. Including the appropriate hooks in the issue command should ensure that those hooks are also included in subsequent renew commands. ## make users and aliases