# build postfix container

## notes

add dovecot user to vmail grp

## basic setup

### create container

build & launch debian-base container:
```
git clone https://git.brbytes.org/mario/container.git
cd container
./install.sh
cd src/debian
sudo pdm-build
sudo pdm-launch debian postfix
sudo pdm-shell postfix
```

### add user

add `vmail` user with appropriate UID. Run:
```
addgroup --gid ${files_uid:?} vmail
adduser vmail --ingroup vmail --uid ${files_uid:?} --disabled-password --gecos "Virtual Mail Owner" --shell /usr/sbin/nologin --home /var/mail/virtual
```

### install packages

install postfix:
```
apt install postfix
```
select `2 (internet site)` when asked how to configure, and enter your appropriate hostname.

install other packages:
```
apt install rsyslog dovecot-imapd dovecot-lmtpd

## postfix

### Install

edit config:
```
cd /etc/postfix/
nano main.cf
```

### main.cf

All of the excerpts in this section should be included in `main.cf`.

configure the domain:
```
# domain
myhostname = mailtest.brbytes.org
myorigin = $myhostname
mydestination = $myhostname, localhost.localdomain, localhost
```

tell postfix where to look for aliases:
```
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
recipient_delimiter = -
```

add some sanity checking to block spam/malicious emails:
```
# anti-spam restrictions
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
```

remove the line setting the `smtpd_use_tls` parameter, and replace it with:
```
# whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'.
smtpd_tls_security_level=may
```
we also want to tell postfix where it can find our SSL certificates:
```
smtpd_tls_cert_file=${path_to_cert:?}
smtpd_tls_key_file=${path_to_key:?}
```
configure postfix to use Dovecot SASL for user authentication:
```
#configure Dovecot SASL
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# With Postfix version before 2.10, use smtpd_recipient_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# More settings
smtpd_sasl_security_options=noanonymous
smtpd_sasl_local_domain=$myhostname
smtpd_client_restrictions=permit_sasl_authenticated,reject
smtpd_sender_login_maps=hash:/etc/postfix/virtual
smtpd_sender_restrictions=reject_sender_login_mismatch
```
Configure postfix to use Dovecot LMTP for mail delivery:
```
mailbox_transport = lmtp:unix:private/dovecot-lmtp
virtual_transport = lmtp:unix:private/dovecot-lmtp
```

### virtual

create virtual aliases file:
```
postmaster:     root
root:           fernando, juana, mario
```

then run the following commands to update the aliases list:
```
newaliases
postfix reload
```

## Dovecot

We also need to configure dovecot. Go to its configuration directory:
```
cd /etc/dovecot
```

Edit the file `dovecot.conf` and add the line:
```
protocols = imap lmtp
```
we need to create a `users` file containing our usernames and passwords. Don't forget to set its permissions properly:
```
chmod u=rw,g=r,o= users
chown root:dovecot users
```
create dir for virtual mailboxes:
```
mkdir -p /var/mail/virtual
chown -R vmail:vmail /var/mail/virtual
```

### conf.d

There are several config files in `conf.d` that we will also need to edit:

First, we need to enable SASL so that Dovecot can tell postfix whether or not a user is authenticated. Edit the file `10-master.conf`, and add/uncomment the following directive to the `service auth` section:
```
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }
```

Next, edit the file `10-auth.conf`, and edit the `auth_mechanisms` directive to be:
```
# Outlook Express and Windows Mail works only with LOGIN mechanism, not the standard PLAIN:
auth_mechanisms = plain login
```

We also want to enable LMTP. Edit `10-master.conf` again and add/uncomment the directive:
```
service lmtp {
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
   group = postfix
   mode = 0600
   user = postfix
  }
}
```
We also need to configure some settings for LMTP. Edit `20-lmtp.conf` and add the directives:
```
lmtp_save_to_detail_mailbox = no
recipient_delimiter = -
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
```

We also need to tell Dovecot what database to look up users in. Edit `10-auth.conf` and delete/comment any lines including a `.ext` file (includes begin with an exclamation point). Then, add the directives:
```
passdb {
  driver = passwd-file
  # username_format: Set to '%u' to look up full usernames. If you want to enable
  # user@domain logins but have only user in the file, set to %n instead.
  args = username_format=%n /etc/dovecot/users
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/virtual/%n
}
```
We also want to configure where mail is stored and in what format. Edit `10-mail.conf` and delete/comment the line setting `mail_location`. Replace it with:
```
mail_location = maildir:~/Maildir:LAYOUT=fs
```
We need to tell Dovecot to listen on the IMAP ports so we can access it with IMAP clients. Add/uncomment the following directives in `10-master.conf`:
```
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```
Tell dovecot where to get its SSL certificates by setting the following directives in `10-ssl.conf`:
```
ssl_cert = <${path_to cert:?}
ssl_key = <${path_to_key:?}
```