# build postfix container

## notes

add dovecot user to vmail grp

## basic setup

### create container

build & launch debian-base container:

```
git clone https://git.brbytes.org/mario/container.git
cd container
./install.sh
cd src/debian
sudo pdm-build
sudo pdm-launch debian postfix
sudo pdm-shell postfix
```

### add user

add `vmail` user with appropriate UID. Run:

```
addgroup --gid ${files_uid:?} vmail
adduser vmail --ingroup vmail --uid ${files_uid:?} --disabled-password --gecos "Virtual Mail Owner" --shell /usr/sbin/nologin --home /var/mail/virtual
```

### install packages

install postfix:

```
apt install postfix
```

select `2 (internet site)` when asked how to configure, and enter your appropriate hostname.

install other packages:

```
apt install rsyslog dovecot-imapd dovecot-lmtpd
```

## postfix

### Install

edit config:

```
cd /etc/postfix/
nano main.cf
```

### main.cf

All of the excerpts in this section should be included in `main.cf`.

configure the domain:

```
# domain
myhostname = mailtest.brbytes.org
myorigin = $myhostname
mydestination = $myhostname, localhost.localdomain, localhost
```

tell postfix where to look for aliases:

```
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
recipient_delimiter = -
```

add some sanity checking to block spam/malicious emails:

```
# anti-spam restrictions
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
```

remove the line setting the `smtpd_use_tls` parameter, and replace it with:

```
# whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'.
smtpd_tls_security_level=may
```

we also want to tell postfix where it can find our SSL certificates:

```
smtpd_tls_cert_file=${path_to_cert:?}
smtpd_tls_key_file=${path_to_key:?}
```

configure postfix to use Dovecot SASL for user authentication:

```
#configure Dovecot SASL
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# With Postfix version before 2.10, use smtpd_recipient_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# More settings
smtpd_sasl_security_options=noanonymous
smtpd_sasl_local_domain=$myhostname
smtpd_client_restrictions=permit_sasl_authenticated,reject
smtpd_sender_login_maps=hash:/etc/postfix/virtual
smtpd_sender_restrictions=reject_sender_login_mismatch
```

Two things to watch in that block: `smtpd_client_restrictions=permit_sasl_authenticated,reject` turns away every client that has not authenticated, so this smtpd only accepts mail from logged-in users and will not take inbound mail from other mail servers; and `smtpd_sender_login_maps` points at `hash:/etc/postfix/virtual`, a lookup table that has to exist and be built with `postmap`, or the `reject_sender_login_mismatch` check will fail and mail will not get through.

Configure postfix to use Dovecot LMTP for mail delivery:

```
mailbox_transport = lmtp:unix:private/dovecot-lmtp
virtual_transport = lmtp:unix:private/dovecot-lmtp
```

### virtual

create the aliases file (`/etc/postfix/aliases`, the path set in `alias_maps` above):

```
postmaster: root
root: fernando, juana, mario
```

then run the following commands to update the aliases list:

```
newaliases
postfix reload
```

## Dovecot

We also need to configure dovecot. Go to its configuration directory:

```
cd /etc/dovecot
```

Edit the file `dovecot.conf` and add the line:

```
protocols = imap lmtp
```

we need to create a `users` file (`/etc/dovecot/users`, in Dovecot's passwd-file format) containing our usernames and password hashes.
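The `users` file holds one `user:{SCHEME}hash` line per account and is what the `passdb` block further down points at. As an added example (not part of these notes), this script checks such a file the way a reviewer would before going live: every password must carry a slow salted hash scheme rather than `{PLAIN}` or a legacy digest, usernames must be bare local parts because `username_format=%n` looks up by local part only, and the file mode must match `chmod u=rw,g=r,o=`. The hash values in the constructed sample are placeholders; real ones come from `doveadm pw -s SHA512-CRYPT`.

```python
import os
import stat
import tempfile

# Schemes that store a salted, slow hash; Dovecot also accepts legacy ones such as
# {PLAIN}, {MD5} or {CRAM-MD5}, which this check flags
STRONG_SCHEMES = {"SHA512-CRYPT", "SHA256-CRYPT", "BLF-CRYPT", "ARGON2I", "ARGON2ID"}

# Constructed sample in passwd-file format (user:{SCHEME}hash). The hash fields are
# placeholders, not real digests; generate real ones with `doveadm pw -s SHA512-CRYPT`.
SAMPLE_USERS = """\
mario:{SHA512-CRYPT}$6$PLACEHOLDERSALT$PLACEHOLDERHASH
juana:{SHA512-CRYPT}$6$PLACEHOLDERSALT$PLACEHOLDERHASH
"""

def audit_users_file(text, mode=None):
    """Return findings for a passwd-file body and, optionally, its permission bits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        # passdb uses username_format=%n (local part only), so a user@domain key never matches
        if "@" in user:
            findings.append(f"line {lineno}: '{user}' carries a domain but lookups use %n")
        if not rest.startswith("{") or "}" not in rest:
            findings.append(f"line {lineno}: password for '{user}' has no {{SCHEME}} prefix")
            continue
        scheme = rest[1:rest.index("}")].upper()
        if scheme not in STRONG_SCHEMES:
            findings.append(f"line {lineno}: '{user}' uses weak or reversible scheme {scheme}")
    # the page sets u=rw,g=r,o= and root:dovecot: no access for others, no group write
    if mode is not None:
        if mode & stat.S_IRWXO:
            findings.append("users file is accessible to other users")
        if mode & stat.S_IWGRP:
            findings.append("users file is group-writable")
    return findings

def demo():
    """Write the sample to a temp file with the page's permissions and audit it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(SAMPLE_USERS)
    os.chmod(fh.name, 0o640)  # same bits as chmod u=rw,g=r,o=
    try:
        with open(fh.name) as saved:
            body = saved.read()
        return audit_users_file(body, stat.S_IMODE(os.stat(fh.name).st_mode))
    finally:
        os.unlink(fh.name)
```

Ownership (`root:dovecot`) is not checked here because it cannot be set without root; confirm it with `ls -l /etc/dovecot/users`.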
Don't forget to set its permissions properly:

```
chmod u=rw,g=r,o= users
chown root:dovecot users
```

create dir for virtual mailboxes:

```
mkdir -p /var/mail/virtual
chown -R vmail:vmail /var/mail/virtual
```

### conf.d

There are several config files in `conf.d` that we will also need to edit.

First, we need to enable SASL so that Dovecot can tell postfix whether or not a user is authenticated. Edit the file `10-master.conf`, and add/uncomment the following directive in the `service auth` section:

```
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  # Assuming the default Postfix user and group
  user = postfix
  group = postfix
}
```

Next, edit the file `10-auth.conf`, and set the `auth_mechanisms` directive to:

```
# Outlook Express and Windows Mail works only with LOGIN mechanism, not the standard PLAIN:
auth_mechanisms = plain login
```

We also want to enable LMTP. Edit `10-master.conf` again and add/uncomment the directive:

```
service lmtp {
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
```

We also need to configure some settings for LMTP. Edit `20-lmtp.conf` and add the directives:

```
lmtp_save_to_detail_mailbox = no
recipient_delimiter = -
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
```

We also need to tell Dovecot what database to look up users in. Edit `10-auth.conf` and delete/comment any lines including a `.ext` file (includes begin with an exclamation mark). Then, add the directives:

```
passdb {
  driver = passwd-file
  # username_format: Set to '%u' to look up full usernames. If you want to enable
  # user@domain logins but have only user in the file, set to %n instead.
  args = username_format=%n /etc/dovecot/users
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/virtual/%n
}
```

We also want to configure where mail is stored and in what format. Edit `10-mail.conf` and delete/comment the line setting `mail_location`.
Replace it with:

```
mail_location = maildir:~/Maildir:LAYOUT=fs
```

We need to tell Dovecot to listen on the IMAP ports so we can access it with IMAP clients. Add/uncomment the following directives in `10-master.conf`:

```
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

Tell dovecot where to get its SSL certificates by setting the following directives in `10-ssl.conf`:

```
ssl_cert = <${path_to_cert:?}
ssl_key = <${path_to_key:?}
```
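Before opening the container up, it is worth re-checking the Postfix side from the `main.cf` section above: TLS is at least `may`, certificate and key are set, SASL is on with `noanonymous`, and `reject_unauth_destination` sits in the relay and recipient restriction lists before any bare `permit` (the ordering that keeps the host from becoming an open relay). The script below is an added example, not part of these notes; it parses a constructed `main.cf` excerpt with the page's own settings, but can be pointed at `postconf -n` output just as well.

```python
# Constructed sample reproducing the settings this page adds to main.cf
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/ssl/certs/mail.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_security_options=noanonymous
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def audit_main_cf(text):
    """Return findings (empty when the config matches what this page sets up)."""
    p = parse_main_cf(text)
    findings = []
    if p.get("smtpd_tls_security_level", "") not in ("may", "encrypt"):
        findings.append("smtpd_tls_security_level must be 'may' or 'encrypt'")
    for name in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not p.get(name):
            findings.append(f"{name} is not set")
    if p.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable must be yes")
    if "noanonymous" not in p.get("smtpd_sasl_security_options", ""):
        findings.append("smtpd_sasl_security_options must include noanonymous")
    # reject_unauth_destination is what stops the host relaying for strangers; a bare
    # 'permit' evaluated before it opens the relay. An absent parameter keeps Postfix's default.
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        items = [i.strip() for i in p.get(name, "").split(",") if i.strip()]
        pos = items.index("reject_unauth_destination") if "reject_unauth_destination" in items else -1
        if name in p and pos < 0:
            findings.append(f"{name} lacks reject_unauth_destination")
        elif pos > 0 and "permit" in items[:pos]:
            findings.append(f"{name}: 'permit' comes before reject_unauth_destination")
    return findings
```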