Set up a Mail server postfix/dovecot/roundcubemail Linux/Debian
04 Feb 2021 #mail serverCreate a new user:
adduser user
usermod -aG sudo userInstall postfix/dovecot
apt install postfix dovecot-core dovecot-imapdInstall Cerbot and letsencrypt
apt install certbot
certbot certonly --standalone -d mail.example.com
postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/<your.domain>/fullchain.pem'
postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/<your.domain>/privkey.pem'nano /etc/postfix/master.cf
uncomment the following lines:
submission inet n - n - - smtpd
syslog_name=postfix/submission
mtpd_tls_security_level=encrypt
smtpd_sasl_auth_enable=yes
smtpd_recipient_restrictions=permit_sasl_authenticated,reject
milter_macro_daemon_name=ORIGINATINGnano /etc/postfix/main.cf
add the following
mydomain = staffieri.co.uk
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
$icated,rejectnano /etc/dovecot/dovecot.conf
uncomment
listen = *, ::
nano /etc/dovecot/conf.d/10-auth.yconf
update the following line as below:
disable_plaintext_auth = no
auth_mechanisms = plain login
nano /etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
systemctl restart postfix
systemctl restart dovecot.service
Install PHP
apt install php php-cli php-gd php-intl php-fpm php-curl php-imagick
php-mysql php-zip php-xml php-mbstring php-bcmath -yCreate database
mysql -u root -p
create database roundcube_db;
grant all on roundcube_db.* to roundcube_user@localhost identified by 'roundcube_db_password';
quitInstall Roundcubemail
cd /var/www/
wget https://github.com/roundcube/roundcubemail/releases/download/1.4.10/roundcubemail-1.4.10-complete.tar.gz
tar -xvf roundcubemail-1.4.10-complete.tar.gz
rm roundcubemail-1.4.10-complete.tar.gz
mv roundcubemail-1.4.10/ roundcubemail
chown www-data:www-data -R /var/www/roundcubemailInstall Nginx
apt install nginxserver {
listen 80;
server_name webmail.DOMAIN.com;
return 301 https://$host$request_uri;
root /var/www/html/roundcubemail;
}
server {
listen 443 ssl http2;
server_name webmail.DOMAIN.com;
root /var/www/html/roundcubemail;
index index.php index.htm index.html;
ssl_certificate /etc/letsencrypt/live/mail.staffieri.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.staffieri.co.uk/privkey.pem;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php(?:$|/) {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
fastcgi_intercept_errors on;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
}
}Install Roundcube Open https://webmail.DOMAIN.com/installer on web browser
then remove the installer folder
rm -fr /var/www/roundcubemail/installer/
Harden Your Mail Configuration
SPF (Sender Policy Framework)
You create an SPF record that identifies your mail servers via their IP addresses and then publish the SPF record to your domain’s overall DNS.
TXT record - domain
v=spf1 a mx ~all
DKIM (DomainKeys Identified Mail)
DKIM involves adding a cryptographic key to your domain’s DNS.
TXT record default._domainkey
KEY
Test key
opendkim-testkey -d your-domain.com -s default -vvv
DMARC (Domain-based Message Authentication, Reporting and Conformance)
s used along with SPF and/or DKIM. DMARC, like SPF and DKIM, involves adding a record to your DNS, indicating that you are using SPF and/or DKIM for authentication.
TXT record - _dmarc
v=DMARC1; p=reject; rua=mailto:dmarc@domain; ruf=mailto:dmarc@domain; pct=100; adkim=s; aspf=s;
Hardening Postfix Web link