Dovecot + Ldap (keycloak) + Rspamd
Dovecot
Let's get Dovecot working.
aptitude install dovecot-core dovecot-imapd dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-sieve dovecot-solr bsd-mailx
Make Dovecot use Ldap
Edit file /etc/dovecot/conf.d/10-auth.conf
Uncomment the line !include auth-ldap.conf.ext and comment out the line !include auth-system.conf.ext. Then add:
# strip the domain name from the username before authentication, and make it lowercase
auth_username_format = %Ln
Edit file /etc/dovecot/dovecot-ldap.conf.ext uncomment and set:
hosts = 127.0.0.1
auth_bind = yes
base = ou=People,dc=example,dc=com
pass_attrs = uid=user
# only members of the group "mail" may receive mail and log in to read it
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u)(memberof=cn=mail,ou=Group,dc=example,dc=com))
Restart dovecot and test authentication:
systemctl restart dovecot
doveadm auth test exampleuser
Edit file /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/mail
mail_privileged_group = mail
# if we use "mail" as the owner of the mail directories, we need to change
# first_valid_uid here to the uid of "mail"; otherwise create a new user, e.g. vmail
first_valid_uid = 8
# some performance improvement
maildir_very_dirty_syncs = yes
edit file /etc/dovecot/conf.d/10-ssl.conf (assuming you've already set up Let's Encrypt or some other certificates)
ssl = required ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
Edit file /etc/dovecot/conf.d/10-master.conf
# use lmtp for mail delivery from postfix
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    user = postfix
    group = postfix
    mode = 0600
  }
}
service auth {
  ...
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  ....
}
edit file conf.d/15-mailboxes.conf
add
auto = subscribe
to every mailbox
edit file conf.d/20-lmtp.conf
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
# required
postmaster_address = postmaster@example.com
# add plugins here which should be supported by lmtp; we use sieve for sorting spam into the spam folder
mail_plugins = sieve $mail_plugins
}
add solr support for searching in mails:
aptitude install solr-tomcat
make tomcat only listen on localhost
edit file /etc/tomcat8/server.xml and add address attribute to connector directive:
<Connector address="127.0.0.1" port="8080" .../>
copy dovecot solr schema
mv /etc/solr/conf/schema.xml /etc/solr/conf/schema.xml.dist
ln -s /usr/share/dovecot/solr-schema.xml /etc/solr/conf/schema.xml
restart tomcat
edit file conf.d/90-plugin.conf
plugin {
fts = solr
fts_solr = url=http://127.0.0.1:8080/solr/
edit conf.d/10-mail.conf
mail_plugins = fts fts_solr
generate file /etc/cron.d/solr-optimize
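# dovecot-solr commits & optimization
# http://wiki2.dovecot.org/Plugins/FTS/Solr
# cron runs these lines with /bin/sh, where "&>" is not a redirection: it
# backgrounds the command and leaves stderr going to cron mail. Redirect
# stdout and stderr explicitly, and quote the URL so "?" is not a shell glob.
# Commit should be run pretty often, e.g. every two minutes
*/2 * * * * root /usr/bin/curl -s "http://localhost:8080/solr/update?commit=true" >/dev/null 2>&1
# Optimize should be run somewhat rarely, e.g. once a day
23 3 * * * root /usr/bin/curl -s "http://localhost:8080/solr/update?optimize=true" >/dev/null 2>&1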
use fail2ban with dovecot, add to
/etc/fail2ban/jail.local
[dovecot]
enabled = true
postfix:
aptitude install postfix
add alias for root
echo root: user@example.com >> /etc/aliases
postalias /etc/aliases
edit /etc/postfix/main.cf, comment out mydestination =
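delay_warning_time = 4h
smtpd_tls_cert_file=/etc/letsencrypt/live/rmm.li/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/rmm.li/privkey.pem
#remove smtpd_use_tls=yes
smtp_tls_security_level=may
smtpd_tls_security_level=may
# never offer AUTH on an unencrypted connection
smtpd_tls_auth_only = yes
# sasl authentication against dovecot (the private/auth listener from 10-master.conf)
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
# reject_unverified_recipient uses lmtp to verify if receiver exists.
# main.cf has no inline comments: a "#" after a value becomes part of the value,
# so the open question about policyd-spf is kept on its own comment line.
# ???check_policy_service unix:private/policyd-spf
smtpd_recipient_restrictions = reject_unverified_recipient
#allow bigger messages
message_size_limit = 73400320
# domains this host accepts mail for and hands to the virtual transport
# (the original line stopped at "virtual_mailbox_domaines"; example.com is a placeholder)
virtual_mailbox_domains = example.com
# Transport to dovecot
virtual_transport = lmtp:unix:private/dovecot-lmtp
#map with aliases
virtual_alias_maps = hash:/etc/postfix/virtual-alias-map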
In the rsyslog configuration under /etc/rsyslog.d
change line
*.*;auth,authpriv.none -/var/log/syslog
to
*.*;auth,authpriv.none,mail.none -/var/log/syslog
Otherwise postfix will flood syslog with an entry for every single connection it makes; you get the same information in mail.info anyway.
rspamd
see https://thomas-leister.de/en/mailserver-debian-stretch/
install:
CODENAME=`lsb_release -c -s`
wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
echo "deb http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list
aptitude update
aptitude install rspamd redis-server
edit /etc/redis/redis.conf
maxmemory 500mb
maxmemory-policy volatile-lru
files in /etc/rspamd/local.d
options.inc
local_addrs = "127.0.0.0/8, 172.17.0.0/16, ::1";
greylist.conf
whitelisted_ip="172.17.0.0/16"
worker-normal.inc
bind_socket = "localhost:11333";
worker-normal.inc (password for the web interface; it is a hash and must be generated by rspamadm pw, never the plain-text password)
password = "a2oihr4qowaefasiodf"
worker-proxy.inc (milter for postfix)
bind_socket = "localhost:11332";
milter = yes;
timeout = 120s;
upstream "local" {
default = yes;
self_scan = yes;
}
milter_headers.conf
use = ["x-spam-status", "x-spam-level", "authentication-results"];
skip_local = false;
authenticated_headers = ["authentication-results"];
logging.inc
level = "warning";
classifier-bayes.conf
backend = "redis";
autolearn = true;
redis.conf
servers = "127.0.0.1";
create /etc/apache2/rspamd.conf
<Location /rspamd>
ProxyPass http://localhost:11334
ProxyPassReverse http://localhost:11334
ProxyPreserveHost On
</Location>
a2enconf rspamd
/etc/postfix/main.cf
#smtpd_milters = inet:localhost:11332
#unix sockets is not configured correctly yet, use inet sockets
smtpd_milters = unix:/var/lib/rspamd/milter.sock
non_smtpd_milters = unix:/var/lib/rspamd/milter.sock
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# fail open: if the milter cannot be reached, mail is accepted without being scanned
milter_default_action = accept
add automatic spam movement and spam learning when user moves them:
file /etc/dovecot/sieve/spam.sieve
require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
fileinto "Junk";
}
if header :is "X-Spam" "Yes" {
fileinto "Junk";
}
file /etc/dovecot/sieve/learn-spam.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];
file /etc/dovecot/sieve/learn-ham.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
if environment :matches "imap.mailbox" "*" {
set "mailbox" "${1}";
}
if string "${mailbox}" "Trash" {
stop;
}
pipe :copy "rspamc" ["learn_ham"];
edit /etc/dovecot/conf.d/90-plugin.conf
plugin{
…
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_before = /etc/dovecot/sieve/spam.sieve
sieve_global_extensions = +vnd.dovecot.pipe
sieve_pipe_bin_dir = /usr/bin
# From elsewhere to Spam folder
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
# From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
…
}
file conf.d/20-imap.conf
protocol imap {
mail_plugins = $mail_plugins imap_sieve
}
file conf.d/20-lmtp.conf{
mail_plugins = $mail_plugins sieve
}
let rspamd dkim sign our mails:
mkdir /etc/rspamd/dkim
rspamadm dkim_keygen -b 2048 -s 2018 -k 2018.key > 2018.txt
chown _rspamd:_rspamd -R dkim
chmod 440 /etc/rspamd/dkim/*
Look at 2018.txt to see what the DNS entry should look like.
edit file dkim_signing.conf
path = "/etc/rspamd/dkim/$selector.key";
selector = "2018";
cp -R /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf
setup clamav for use with rspamd
aptitude install clamav-daemon
choose all the defaults during setup (or think a bit for yourself)
add user _rspamd to group clamav
adduser _rspamd clamav
/etc/rspamd/local.d/antivirus.conf
clamav {
# if we want to detect phishing mail and the like we should deactivate that;
# also if you want to detect a mail with the eicar signature
# X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
attachments_only = false;
symbol = "CLAM_VIRUS";
type = "clamav";
#log_clean = false;
servers = "/var/run/clamav/clamd.ctl";
# patterns {
# symbol_name = "pattern"; # JUST_EICAR = "^Eicar-Test-Signature$";
# }
}
setup unbound for dns caching and forwarding
aptitude install unbound
make localhost main dns server in /etc/resolv.conf
nameserver 127.0.0.1
more fail2ban jails (also in /etc/fail2ban/jail.local):
[apache-auth]
enabled = true
[apache-badbots]
enabled = true
[apache-noscript]
enabled = true
[apache-overflows]
enabled = true
[roundcube-auth]
enabled = true
[postfix]
enabled = true
[postfix-sasl]
enabled = true
[postfix-rbl]
enabled = true
[sshd-ddos]
enabled = true