build files for making podman containers
build postfix container

notes

add the dovecot user to the vmail group

basic setup

create container

build & launch debian-base container:

git clone https://git.brbytes.org/mario/container.git
cd container
./install.sh
cd src/debian
sudo pdm-build
sudo pdm-launch debian postfix
sudo pdm-shell postfix

add user

add the vmail user with the appropriate UID (files_uid). Run:

addgroup --gid ${files_uid:?} vmail
adduser vmail --ingroup vmail --uid ${files_uid:?} --disabled-password --gecos "Virtual Mail Owner" --shell /usr/sbin/nologin --home /var/mail/virtual
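The notes leave it to the reader where files_uid comes from. The script below is an added example (not part of the original notes or the container project) and assumes that files_uid should equal the owner of the directory that will hold the mailboxes, so that the vmail account inside the container can read mail that is bind-mounted from the host. It reads that UID from the directory, refuses to continue if the UID is already used by some other account, and only then runs the addgroup/adduser commands from the notes (only when run as root; otherwise it just reports what it would do). The directory argument defaults to /var/mail/virtual.

```shell
#!/bin/sh
# Added example, not from the original notes: pick files_uid from the mailbox
# directory's owner and create the vmail user with it. POSIX sh only.

# owner_uid DIR -> numeric UID that owns DIR (ls -n is portable where stat -c is not)
owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{ print $3 }'
}

# uid_owner UID -> account name currently using UID in /etc/passwd, empty if free
uid_owner() {
    awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd
}

# ensure_vmail_user DIR -> 0 if a vmail account with DIR's UID exists or was created
ensure_vmail_user() {
    files_uid=$(owner_uid "$1")
    case $files_uid in
        ''|*[!0-9]*) echo "cannot read owner of $1" >&2; return 1 ;;
    esac
    current=$(uid_owner "$files_uid")
    case $current in
        vmail) echo "vmail already has uid $files_uid"; return 0 ;;
        '')    ;;   # UID is free: create the account below
        *)     echo "uid $files_uid is taken by $current, not vmail" >&2; return 1 ;;
    esac
    if [ "$(id -u)" -ne 0 ]; then
        echo "would create vmail with uid $files_uid (run as root to apply)"
        return 0
    fi
    # the two commands from the notes, with files_uid filled in
    addgroup --gid "$files_uid" vmail &&
    adduser vmail --ingroup vmail --uid "$files_uid" --disabled-password \
        --gecos "Virtual Mail Owner" --shell /usr/sbin/nologin --home /var/mail/virtual
}

ensure_vmail_user "${1:-/var/mail/virtual}" || echo "vmail user not created (see above)"
```

Run it inside the container after the mailbox directory has been mounted; if it reports the UID as taken, fix the ownership on the host side rather than creating a second account with a different UID.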

postfix

Install

install postfix:

apt install postfix

select 2 (Internet Site) when asked how to configure it, and enter your hostname.

edit config:

cd /etc/postfix/
nano main.cf

main.cf

All of the excerpts in this section should be included in main.cf.

configure the domain:

# domain
myhostname = mailtest.brbytes.org
myorigin = $myhostname
mydestination = $myhostname, localhost.localdomain, localhost

tell postfix where to look for aliases:

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
recipient_delimiter = -

add some sanity checking to block spam/malicious emails:

# anti-spam restrictions
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname

remove the line setting the smtpd_use_tls parameter, and replace it with:

# whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'.
smtpd_tls_security_level=may

we also want to tell postfix where it can find our SSL certificates:

smtpd_tls_cert_file=${path_to_cert:?}
smtpd_tls_key_file=${path_to_key:?}

configure postfix to use Dovecot SASL for user authentication:

#configure Dovecot SASL
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# With Postfix version before 2.10, use smtpd_recipient_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# More settings
smtpd_sasl_security_options=noanonymous
smtpd_sasl_local_domain=$myhostname
smtpd_client_restrictions=permit_sasl_authenticated,reject
smtpd_sender_login_maps=hash:/etc/postfix/virtual
smtpd_sender_restrictions=reject_sender_login_mismatch

Configure postfix to use Dovecot LMTP for mail delivery:

mailbox_transport = lmtp:unix:private/dovecot-lmtp
virtual_transport = lmtp:unix:private/dovecot-lmtp
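Before running `postfix reload`, it is worth checking that nothing was lost while copying the excerpts above, because two of them are what keep the server from relaying for strangers and from taking passwords in the clear. The checker below is an added example, not part of the original notes: it reads a main.cf (only the single-line `key = value` form these notes use), and reports a missing `reject_unauth_destination` in `smtpd_relay_restrictions`, a TLS level other than `may`/`encrypt`, cert or key paths still left as the `${...:?}` placeholders, SASL not enabled, a missing `noanonymous`, and a missing `reject_sender_login_mismatch`. The two sample files it runs on are constructed inline; the cert and key paths in them are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check a Postfix main.cf for the
# settings this section asks for. Needs only POSIX sh, sed, tr and grep.

# mcf_get FILE KEY -> value of KEY (last definition wins, as postconf does)
mcf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# mcf_has_token VALUE TOKEN -> 0 if the comma/space separated list VALUE contains TOKEN
mcf_has_token() {
    printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' '\n' | grep -qx "$2"
}

PROBLEMS=0
_problem() { echo "$1"; PROBLEMS=$((PROBLEMS + 1)); }

# check_main_cf FILE -> prints one line per problem; exit status is the problem count
check_main_cf() {
    _f=$1; PROBLEMS=0

    # 1. Relay policy: without reject_unauth_destination anything that gets past
    #    the earlier permits can relay through this host (open relay).
    mcf_has_token "$(mcf_get "$_f" smtpd_relay_restrictions)" reject_unauth_destination \
        || _problem "smtpd_relay_restrictions lacks reject_unauth_destination (open relay)"

    # 2. TLS offered ('may', as in these notes) or enforced ('encrypt'); with 'none'
    #    or unset, PLAIN/LOGIN credentials cross the wire unencrypted.
    case $(mcf_get "$_f" smtpd_tls_security_level) in
        may|encrypt) ;;
        *) _problem "smtpd_tls_security_level is not may/encrypt" ;;
    esac

    # 3. Cert and key must be set and not left as the ${...:?} placeholders.
    for _k in smtpd_tls_cert_file smtpd_tls_key_file; do
        case $(mcf_get "$_f" "$_k") in
            ''|'${'*) _problem "$_k is unset or still a placeholder" ;;
        esac
    done

    # 4. SASL switched on, anonymous logins refused, envelope sender tied to the login.
    [ "$(mcf_get "$_f" smtpd_sasl_auth_enable)" = yes ] \
        || _problem "smtpd_sasl_auth_enable is not yes"
    mcf_has_token "$(mcf_get "$_f" smtpd_sasl_security_options)" noanonymous \
        || _problem "smtpd_sasl_security_options lacks noanonymous"
    mcf_has_token "$(mcf_get "$_f" smtpd_sender_restrictions)" reject_sender_login_mismatch \
        || _problem "smtpd_sender_restrictions lacks reject_sender_login_mismatch"

    return $PROBLEMS
}

# Constructed samples: GOOD_CF is this section with placeholders filled in,
# BAD_CF has three common copy slips.
GOOD_CF=$(mktemp); BAD_CF=$(mktemp)
trap 'rm -f "$GOOD_CF" "$BAD_CF"' EXIT
cat > "$GOOD_CF" <<'EOF'
myhostname = mailtest.brbytes.org
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/ssl/certs/mail.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options=noanonymous
smtpd_sender_restrictions=reject_sender_login_mismatch
EOF
cat > "$BAD_CF" <<'EOF'
smtpd_tls_security_level=none
smtpd_tls_cert_file=${path_to_cert:?}
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
smtpd_sasl_security_options=noanonymous
smtpd_sender_restrictions=reject_sender_login_mismatch
EOF

for f in "$GOOD_CF" "$BAD_CF"; do
    if check_main_cf "$f"; then echo "$f: ok"; else echo "$f: $? problem(s)"; fi
done
```

Point `check_main_cf` at /etc/postfix/main.cf inside the container; a non-zero exit is the number of findings, so it drops into a build script as a gate before `postfix reload`.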

virtual

create the aliases file (the path given in alias_maps above):

postmaster:     root
root:           fernando, juana, mario

then run the following commands to update the aliases list:

newaliases
postfix reload
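Because aliases chain (postmaster goes to root, root goes to three people), it helps to see where a given address finally lands before reloading. The resolver below is an added example, not part of the original notes: it expands an alias through the chain until it reaches names that have no alias line of their own, and stops if a chain comes back to itself. It only understands the single-line `name: target, target` entries used above (no aliases(5) continuation lines or `:include:` files). The sample aliases file is constructed and includes a deliberate loop (webmaster/hostmaster) to show that case.

```shell
#!/bin/sh
# Added example, not from the original notes: expand aliases the way the file above
# will be used, including a loop guard. POSIX sh + awk.

ALIASES=$(mktemp); trap 'rm -f "$ALIASES"' EXIT
cat > "$ALIASES" <<'EOF'
# constructed sample, same shape as the file in this section
postmaster:     root
root:           fernando, juana, mario
abuse:          postmaster
webmaster:      hostmaster
hostmaster:     webmaster
EOF

# alias_targets FILE NAME -> right-hand side of NAME's alias line, one target per line
alias_targets() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        {
            i = index($0, ":"); if (i == 0) next       # not a "name: targets" line
            key = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", key)
            if (key != name) next
            n = split(substr($0, i + 1), t, /[[:space:],]+/)
            for (j = 1; j <= n; j++) if (t[j] != "") print t[j]
        }' "$1"
}

# _walk FILE NAME SEEN -> prints the final mailboxes reached from NAME; SEEN is the
# space-separated path so far, used to cut off loops
_walk() {
    case " $3 " in *" $2 "*) echo "alias loop at $2" >&2; return 0 ;; esac
    _targets=$(alias_targets "$1" "$2")
    if [ -z "$_targets" ]; then printf '%s\n' "$2"; return 0; fi
    for _next in $_targets; do _walk "$1" "$_next" "$3 $2"; done
}

# resolve_alias FILE NAME -> sorted, de-duplicated final recipients on one line
resolve_alias() {
    _walk "$1" "$2" "" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

for a in postmaster abuse mario webmaster; do
    printf '%-12s -> %s\n' "$a" "$(resolve_alias "$ALIASES" "$a")"
done
```

Run `resolve_alias /etc/postfix/aliases postmaster` after editing the real file; every name it prints should be an account that Dovecot will accept for delivery, otherwise abuse and bounce reports for the host go nowhere.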

Dovecot

We also need to configure dovecot. Go to its configuration directory:

cd /etc/dovecot

Edit the file dovecot.conf and add the line:

protocols = imap lmtp

We also need to create a users file containing our usernames and passwords. Don't forget to set its permissions properly:

chmod u=rw,g=r,o= users
chown root:dovecot users

create dir for virtual mailboxes:

mkdir -p /var/mail/virtual
chown -R vmail:vmail /var/mail/virtual

conf.d

There are several config files in conf.d that we will also need to edit:

First, we need to enable SASL so that Dovecot can tell postfix whether or not a user is authenticated. Edit the file 10-master.conf, and add/uncomment the following directive to the service auth section:

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }

Next, edit the file 10-auth.conf, and edit the auth_mechanisms directive to be:

# Outlook Express and Windows Mail work only with the LOGIN mechanism, not the standard PLAIN:
auth_mechanisms = plain login

We also want to enable LMTP. Edit 10-master.conf again and add/uncomment the directive:

service lmtp {
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

We also need to configure some settings for LMTP. Edit 20-lmtp.conf and add the directives:

lmtp_save_to_detail_mailbox = no
recipient_delimiter = -
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes

We also need to tell Dovecot what database to look up users in. Edit 10-auth.conf and delete/comment any lines including a .ext file (includes begin with an exclamation point). Then, add the directives:

passdb {
  driver = passwd-file
  # username_format: Set to '%u' to look up full usernames. If you want to enable
  # user@domain logins but have only user in the file, set to %n instead.
  args = username_format=%n /etc/dovecot/users
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/virtual/%n
}
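The notes say to create the users file but not what goes in it. With the passdb above (`passwd-file`, `username_format=%n`) and a static userdb, each line only needs the bare username and a hashed password, `user:{SCHEME}hash`; the uid/gid/home fields are supplied by the userdb. The script below is an added example, not part of the original notes: it reads `name password` pairs, rejects names that would never match (anything containing `:` or `@`, uppercase, spaces) and duplicates, hashes each password with `doveadm pw -s SHA512-CRYPT` when Dovecot is installed and otherwise with `openssl passwd -6` (the same crypt(3) `$6$` format Dovecot's SHA512-CRYPT scheme reads), and writes the file with the mode and owner from the earlier section. The usernames and passwords in the demo are constructed; the output path defaults to a temporary file so it can be tried anywhere, and should be /etc/dovecot/users on the real host.

```shell
#!/bin/sh
# Added example, not from the original notes: build a Dovecot passwd-file for the
# passdb/userdb above. POSIX sh; hashing via doveadm or openssl.

# valid_username NAME -> 0 for names this setup can log in as: lowercase letters,
# digits, '.', '-', '_'. ':' is the field separator and '@' can never match because
# username_format=%n strips the domain before the lookup.
valid_username() {
    case $1 in
        ''|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# hash_password PASSWORD -> "{SHA512-CRYPT}$6$..." on stdout
hash_password() {
    if command -v doveadm >/dev/null 2>&1; then
        doveadm pw -s SHA512-CRYPT -p "$1"
    elif command -v openssl >/dev/null 2>&1; then
        printf '{SHA512-CRYPT}%s\n' "$(printf '%s\n' "$1" | openssl passwd -6 -stdin)"
    else
        echo "need doveadm or openssl to hash passwords" >&2; return 1
    fi
}

# users_line NAME HASH -> one passwd-file line, or failure if NAME is not allowed
users_line() {
    valid_username "$1" || { echo "bad username: $1" >&2; return 1; }
    printf '%s:%s\n' "$1" "$2"
}

# build_users_file OUT  (reads "name password" lines on stdin)
# Writes OUT, never world-readable, with the chmod/chown from the notes. Exit status
# is 1 if any line was rejected (bad name, duplicate, hashing failed). Runs in a
# subshell so the umask change stays local.
build_users_file() (
    _out=$1; _rc=0; _seen=" "
    umask 027
    : > "$_out"
    while read -r _name _pw; do
        [ -n "$_name" ] || continue
        case $_seen in *" $_name "*) echo "duplicate: $_name" >&2; _rc=1; continue ;; esac
        _seen="$_seen$_name "
        _hash=$(hash_password "$_pw") || { _rc=1; continue; }
        _line=$(users_line "$_name" "$_hash") || { _rc=1; continue; }
        printf '%s\n' "$_line" >> "$_out"
    done
    chmod u=rw,g=r,o= "$_out"
    if [ "$(id -u)" -eq 0 ] && grep -q '^dovecot:' /etc/group; then
        chown root:dovecot "$_out"
    fi
    exit $_rc
)

# Demo with constructed accounts; OUT=/etc/dovecot/users on the real host.
OUT=${OUT:-$(mktemp)}
if printf 'fernando s3cret\njuana hunter2\nmario pa55word\n' | build_users_file "$OUT"; then
    echo "wrote $OUT:"; cat "$OUT"
fi
```

`doveadm pw -p` puts the password in the process arguments, so on a shared host run `doveadm pw -s SHA512-CRYPT` interactively and paste the result instead. Note that `read` splits on the first whitespace, so a password may contain spaces but the username may not (which `valid_username` enforces anyway).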

We also want to configure where mail is stored and in what format. Edit 10-mail.conf and delete/comment the line setting mail_location. Replace it with:

mail_location = maildir:~/Maildir:LAYOUT=fs

We need to tell Dovecot to listen on the IMAP ports so we can access it with IMAP clients. Add/uncomment the following directives in 10-master.conf:

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

Tell dovecot where to get its SSL certificates by setting the following directives in 10-ssl.conf:

ssl_cert = <${path_to_cert:?}
ssl_key = <${path_to_key:?}