Walkthrough:
 How to install an email server (e.g. on a vserver) with Debian 6.0
  -> send/receive mail via exim4
  -> virtual users via dovecot (IMAP server)

Goal (FIXME):
 Use vserver as tunnel endpoint and deploy arm-email-server at home (DSL) behind NAT

Author:
 chf, your-name-here

--------------------------------------------------------------------------
READ
--------------------------------------------------------------------------
http://wiki.dovecot.org/HowTo/EximAndDovecotSASL
http://wiki.dovecot.org/HowTo/VirtualhostingWithExim
http://wiki.dovecot.org/AuthDatabase/PasswdFile

--------------------------------------------------------------------------
vserver setup
--------------------------------------------------------------------------
config DNS, reverse DNS, ... (FIXME)

--------------------------------------------------------------------------
install exim4
--------------------------------------------------------------------------
aptitude install exim4-daemon-heavy

dpkg-reconfigure exim4-config
	internet site; mail is sent and received directly using SMTP
	System mail name:
	IP-addresses to listen on for incoming SMTP connections:
	Other destinations for which mail is accepted: example-domain.org
	Domains to relay mail for:
	Machines to relay mail for:
	Keep number of DNS-queries minimal (Dial-on-Demand)?: N
	Split configuration into small files?: Y

so that /etc/exim4/update-exim4.conf.conf will be generated with these values:

dc_eximconfig_configtype='internet'
dc_other_hostnames=''
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

-----------------------
enable TLS
-----------------------

modify /usr/share/doc/exim4-base/examples/exim-gencert so that it generates a
4096-bit key, then execute it. It'll copy the self-signed cert/key accordingly.

create /etc/exim4/conf.d/main/000_localmacros
add
	MAIN_TLS_ENABLE = 1


--------------------------------------------------------------------------
install dovecot
--------------------------------------------------------------------------
aptitude install dovecot-imapd


- add a user and a group vmail that cannot log in (no shell)
- create dir /var/mail/vmail and give vmail the rights to this dir; it will
  hold the IMAP maildirs of all virtual users
- create a cert with a 4096-bit key using a modified version of
  /usr/share/doc/exim4-base/examples/exim-gencert and copy the generated
  server.crt and server.key to /etc/ssl/certs/dovecot.pem and
  /etc/ssl/private/dovecot.pem


--------------------------------------------------------------------------
create: /etc/dovecot/dovecot.conf
--------------------------------------------------------------------------
protocols = imap imaps managesieve
disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl = required
mail_location = maildir:/var/mail/vmail/%u
mail_uid = vmail
mail_gid = vmail
mail_privileged_group = mail
protocol imap {
}
protocol managesieve {
}
protocol lda {
  #set file-rights for log accordingly
  #log_path = /var/log/dovecot-deliver-errors.log
  postmaster_address = root@example-domain.org
  hostname = example-domain.org
  mail_plugins = sieve 
}
auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /etc/dovecot/passwd
  }
  userdb passwd-file {
    args = /etc/dovecot/passwd
  }
  user = root
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
      group = vmail
    }
    client {
      group = Debian-exim
      path = /var/run/dovecot/auth-client
      mode = 0660
    }
  }
}
plugin {
  sieve=/var/mail/vmail/%u/.dovecot.sieve
  sieve_dir=/var/mail/vmail/%u/sieve
}

--------------------------------------------------------------------------
create: /etc/exim4/conf.d/auth/35_exim4-config_dovecot
--------------------------------------------------------------------------
dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
# setting server_set_id might break several headers in mails sent by authenticated smtp. So be careful.
  server_set_id = $auth1

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

--------------------------------------------------------------------------
create: /etc/dovecot/passwd
--------------------------------------------------------------------------
testuser:{plain}add_super_secret_PASSWORD_here::::::
ant_hilde:{plain}add_super_secret_PASSWORD_here::::::
grandpa_john:{plain}add_super_secret_PASSWORD_here::::::
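
Added example (not part of the original walkthrough): the entries above keep every password in clear text via {plain}. This Python sketch rewrites such passwd-file lines to salted {SSHA256} values and checks a password against them. Assumptions: the installed Dovecot accepts the {SSHA256} scheme, passwords contain no ':', and all function names and sample passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

PLAINTEXT = {"PLAIN", "CLEARTEXT"}  # scheme prefixes that store the password itself

def ssha256(password, salt=None):
    """Build a {SSHA256} value: base64(SHA256(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha256(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def scheme_of(field):
    """Return the upper-cased {SCHEME} prefix of a password field, or None."""
    if field.startswith("{") and "}" in field:
        return field[1:field.index("}")].upper()
    return None

def harden(lines):
    """Rewrite plaintext entries (user:password:uid:gid:gecos:home:shell:extra)
    as {SSHA256}; return (new_lines, names_of_converted_users)."""
    out, changed = [], []
    for line in lines:
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            out.append(line)  # comments and blank lines pass through unchanged
            continue
        if scheme_of(fields[1]) in PLAINTEXT:
            password = fields[1][fields[1].index("}") + 1:]
            fields[1] = ssha256(password)
            changed.append(fields[0])
        out.append(":".join(fields))
    return out, changed

# Constructed sample in the layout of /etc/dovecot/passwd shown above.
SAMPLE = [
    "testuser:{plain}constructed-pw-1::::::",
    "ant_hilde:{PLAIN}constructed-pw-2::::::",
    "grandpa_john:" + ssha256("constructed-pw-3") + "::::::",
]

if __name__ == "__main__":
    print("\n".join(harden(SAMPLE)[0]))
```

Because dovecot.conf above uses "mechanisms = plain", Dovecot receives the password itself at login and can check it against a hashed entry, so clients need no change.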

--------------------------------------------------------------------------
create: /etc/exim4/conf.d/router/860_exim4-config_dovecot
--------------------------------------------------------------------------
# Routers are evaluated in order of configuration.
# You will want to place this after the remote router and before the
# localuser router in the default configuration.
# If you want to allow + addressing (i.e. having an address extension)
# then uncomment the suffix stanzas
dovecot_router:
  driver = accept
  #local_part_suffix = +*
  #local_part_suffix_optional
  require_files = +/var/mail/vmail/${local_part}/
  #transport = dovecot_transport
  transport = dovecot_virtual_delivery 

--------------------------------------------------------------------------
create: /etc/exim4/conf.d/transport/30_exim4-config_dovecot
--------------------------------------------------------------------------
# Transport to send any mail for which a dovecot user exists to the appropriate maildir box
# Transport definitions are not order dependent - you just call a named transport
dovecot_transport:
  driver = appendfile
  user = vmail
  group = vmail
  mode = 0600
  directory=/var/mail/vmail/${lc:$local_part}/
  maildir_format = true
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true

dovecot_virtual_delivery:                                                                                                                               
  driver = pipe
  #command = /usr/lib/dovecot/deliver -d $local_part@$domain  -f $sender_address -c /etc/dovecot/dovecot.conf
  # v1.1+: command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain  -f $sender_address -a $original_local_part@$original_domain
  command = /usr/lib/dovecot/deliver -d $local_part -f $sender_address -a $original_local_part@$original_domain
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = vmail
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

-----------------------
enable SPAMASSASSIN
-----------------------
aptitude install sa-exim spamassassin

edit /etc/exim4/sa-exim.conf and comment out SAEximRunCond to enable sa-exim checks

-----------------------
CONFIGURE CLIENT
-----------------------
Receiving Email:
	IMAP Server: example-domain.org
	Username: testuser
	SSL-Encryption
	Authentication Type: Password
Sending EMail:
	SMTP Server: example-domain.org
	Username: testuser
	TLS-Encryption
	Authentication: PLAIN
Sieve:
	Port: 2000
	use strict rfc

example sieve script:

	require ["fileinto"];

	##Move spam to spam folder
	if header :contains "X-Spam-Flag" ["YES"] {
	  fileinto "spam";
	  stop;
	}

	if header :contains "Subject" "Linux" { fileinto "s2"; }


you could maybe set up:
http://wiki.dovecot.org/HowTo/RefilterMail

--------------------------------------------------------------------------
DOVECOT ANTISPAM   --- DOES NOT WORK because we have virtual users   FIXME
--------------------------------------------------------------------------
aptitude install dovecot-antispam  -- will be installed from backports
man dovecot-antispam

add
 mail_plugins = antispam
to protocol imap{}, like this in /etc/dovecot/dovecot.conf:

protocol imap {
    mail_plugins = antispam
}

Now we want to use "sa-learn" to mark mails as spam or ham. So we need
the folders SPAM and HAM for every user.

In the "plugin {}" section of /etc/dovecot/dovecot.conf we add the following
lines:

 # antispam_debug_target = syslog
 # antispam_debug_target = stderr
 # antispam_verbose_debug = 1
 antispam_backend = pipe
 antispam_spam = SPAM
 antispam_pipe_program = /usr/bin/sa-learn
 antispam_pipe_program_spam_arg = --spam
 antispam_pipe_program_notspam_arg = --ham
 antispam_pipe_tmpdir = /tmp


--------------------------------------------------------------------------
KEEP IN MIND --- SUPPORTING OUTLOOK and THUNDERBIRD
--------------------------------------------------------------------------
from: /usr/share/doc/exim4-daemon-heavy/README.Debian.gz
	2.2.2. Enabling TLS support for Exim as server

   After this configuration, Exim will advertise STARTTLS when connected
   to on the normal SMTP ports. Some broken clients (most prominent
   example being nearly all versions of Microsoft Outlook and Outlook
   Express, and Incredimail) insist on doing TLS on connect on Port 465.
   If you need to support these, set SMTPLISTENEROPTIONS='-oX 465:25 -oP
   /var/run/exim4/exim.pid' in /etc/default/exim4 and
   "tls_on_connect_ports=465" in the main configuration section.

--------------------------------------------------------------------------
EXTRA CHECKS
--------------------------------------------------------------------------
add CHECK_DATA_VERIFY_HEADER_SENDER = 1 to /etc/exim4/conf.d/main/000_localmacros

http://lists.alioth.debian.org/pipermail/pkg-exim4-users/2011-September/001970.html


On Mon, Sep 12, 2011 at 08:27:19AM +0200, Johann Spies wrote:
> Hello Hans,
>  
> 
> On Sat, Sep 10, 2011 at 01:08:41PM +0200, Hans Ekbrand wrote:
> > Dear exim users,
> > 
> > I want to reject mail when Reverse DNS lookup fails, currently I only
> > get a warning - like this:
> > 
> > X-Host-Lookup-Failed: Reverse DNS lookup failed for 203.211.146.24 (failed)
> > 
> > I have
> > CHECK_RCPT_REVERSE_DNS = yes
> > CHECK_RCPT_SPF = yes
> > 
> > in /etc/exim4/conf.d/main/00_local_options
> > 
> > How do I configure exim to reject instead of warn?
> 
> I did this to find the answer:
> 
> % sudo rgrep CHECK_RCPT_REVERSE_DNS /etc/exim4
> /etc/exim4/exim4.conf.template:  .ifdef CHECK_RCPT_REVERSE_DNS
> /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  .ifdef CHECK_RCPT_REVERSE_DNS
> % vim /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt 
> 
> You can change the 'warn' in the section where CHECK_RCPT_REVERSE_DNS is
> used to 'deny' 

Thanks, Johann and Akihiro!
friedhof/eigener_mailserver.txt · Last modified: 2017-06-15 17:02 by rixx