May 09, 2019, 09:14 PM
# Email server based on Dovecot, Postfix, MySQL, Rspamd and Debian 9 Stretch

## MySQL database setup

Install MariaDB as the database management system (DBMS):
```bash
sudo apt install mariadb-server
```
Create a new database named `srvmail` for the mail server:
```bash
sudo mysql -e 'create database if not exists srvmail character set "utf8";'
```
Create the database user `srvmail` with password `dbpass`.
This user will be used by Postfix and Dovecot.
It is granted `select` permissions on this database.
```bash
sudo mysql -e 'grant select on srvmail.* to "srvmail"@"localhost" identified by "dbpass";'
```
### Domain table
The domain table contains all domains which shall be served by the mail server.
```sql
CREATE TABLE `domains` (
 `id` int unsigned NOT NULL AUTO_INCREMENT,
 `domain` varchar(255) NOT NULL,
 PRIMARY KEY (`id`),
 UNIQUE KEY (`domain`)
);
```
### Account table
The account table contains all data regarding user mailbox accounts, such as username, domain, password, and quota.
Quota is given in megabytes (MB).
If the `enabled` field is set to `true`, a mailbox account is active and can be used.
If `sendonly` is set to `true`, this account is not able to receive mails.
```sql
CREATE TABLE `accounts` (
 `id` int unsigned NOT NULL AUTO_INCREMENT,
 `username` varchar(64) NOT NULL,
 `domain` varchar(255) NOT NULL,
 `password` varchar(255) NOT NULL,
 `quota` int unsigned DEFAULT '0',
 `enabled` boolean DEFAULT '0',
 `sendonly` boolean DEFAULT '0',
 PRIMARY KEY (`id`),
 UNIQUE KEY (`username`, `domain`),
 FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
);
```
### Alias table
The alias table contains all alias definitions / redirects.
```sql
CREATE TABLE `aliases` (
 `id` int unsigned NOT NULL AUTO_INCREMENT,
 `source_username` varchar(64) NOT NULL,
 `source_domain` varchar(255) NOT NULL,
 `destination_username` varchar(64) NOT NULL,
 `destination_domain` varchar(255) NOT NULL,
 `enabled` boolean DEFAULT '0',
 PRIMARY KEY (`id`),
 UNIQUE KEY (`source_username`, `source_domain`, `destination_username`, `destination_domain`),
 FOREIGN KEY (`source_domain`) REFERENCES `domains` (`domain`)
);
```
### TLS Policy table
The TLS policy table defines policies regarding TLS encryption towards foreign (remote) mail servers.
```sql
CREATE TABLE `tlspolicies` (
 `id` int unsigned NOT NULL AUTO_INCREMENT,
 `domain` varchar(255) NOT NULL,
 `policy` enum('none', 'may', 'encrypt', 'dane', 'dane-only', 'fingerprint', 'verify', 'secure') NOT NULL,
 `params` varchar(255),
 PRIMARY KEY (`id`),
 UNIQUE KEY (`domain`)
);
```
Place these table definitions into a `srvmail-tables.sql` file and import them into the database:
```shell
sudo mysql srvmail < srvmail-tables.sql
```
80
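As an added example (not part of the original guide), the following SQL populates the four tables with constructed sample data: all domains, users and the TLS peer are made up, and the password value is a placeholder for whatever hash scheme Dovecot is later configured to verify. It then resolves an alias to a deliverable mailbox with a lookup of the kind the mail system will need (assumed here, not the guide's own queries) and shows the foreign key rejecting a mailbox for a domain that is not served.

```sql
-- Added example with constructed data; not the guide's own statements.
USE srvmail;

INSERT INTO domains (domain) VALUES ('example.com'), ('example.net');

-- '{PLACEHOLDER-HASH}' stands for a password hash; never store clear text.
-- quota is in MB, enabled/sendonly are the boolean flags from the schema.
INSERT INTO accounts (username, domain, password, quota, enabled, sendonly)
VALUES ('alice',   'example.com', '{PLACEHOLDER-HASH}', 2048, 1, 0),
       ('noreply', 'example.com', '{PLACEHOLDER-HASH}',    0, 1, 1);

-- Redirect postmaster@example.net to alice's mailbox.
INSERT INTO aliases (source_username, source_domain,
                     destination_username, destination_domain, enabled)
VALUES ('postmaster', 'example.net', 'alice', 'example.com', 1);

-- Require a verified TLS connection when delivering to example.org
-- (assumed peer; 'match=' is given as an example of the params column).
INSERT INTO tlspolicies (domain, policy, params)
VALUES ('example.org', 'secure', 'match=example.org');

-- Resolve a recipient: first a direct mailbox that may receive mail,
-- then an enabled alias whose destination is a local, deliverable mailbox
-- (an alias pointing at an external address is not covered by the join).
SELECT CONCAT(a.username, '@', a.domain) AS mailbox
  FROM accounts a
 WHERE a.username = 'postmaster' AND a.domain = 'example.net'
   AND a.enabled = 1 AND a.sendonly = 0
UNION
SELECT CONCAT(al.destination_username, '@', al.destination_domain)
  FROM aliases al
  JOIN accounts a ON a.username = al.destination_username
                 AND a.domain   = al.destination_domain
 WHERE al.source_username = 'postmaster' AND al.source_domain = 'example.net'
   AND al.enabled = 1 AND a.enabled = 1 AND a.sendonly = 0;

-- Expected to FAIL: 'nowhere.test' is not in domains, so the foreign key
-- on accounts.domain blocks mailboxes for domains the server does not serve.
INSERT INTO accounts (username, domain, password)
VALUES ('bob', 'nowhere.test', '{PLACEHOLDER-HASH}');
```

Run the statements interactively (or keep the last one out of a batch file), since the deliberately failing INSERT aborts a `mysql srvmail < file.sql` import.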
## srvmail user and its srvmail home directory

All e-mails and sieve scripts are saved into a special directory `/var/srvmail`.
Only the associated `srvmail` user has access to it.
Dovecot will use this user account for its operations on the file system.

Create the `srvmail` home directory together with some subdirectories:

```bash
sudo mkdir -p /var/srvmail/mailboxes
sudo mkdir -p /var/srvmail/sieve/global
```
Create the `srvmail` user:
```bash
sudo adduser --system --group --disabled-login --disabled-password --home /var/srvmail srvmail
```
Change ownership and permissions on `/var/srvmail`:
```shell
sudo chown -R srvmail:srvmail /var/srvmail
sudo chmod -R 770 /var/srvmail
```
## Install `unbound` caching DNS resolver

Rspamd, Postfix / Postscreen and other services on your system depend heavily on DNS requests.
Therefore, it is recommended to install `unbound` as a local DNS resolver and cache!
Some server providers rate-limit your access to their pre-defined DNS resolvers, which might cause trouble.
Rspamd in particular issues a lot of DNS requests, depending on the mail system load.
Furthermore, Spamhaus blocklists can often be used only with your own DNS resolver.

Install `unbound`:
```shell
sudo apt install unbound
```

Update the DNSSEC root key and reload the Unbound service:
```shell
sudo su -c "unbound-anchor -a /var/lib/unbound/root.key" - unbound
sudo systemctl reload unbound
```
To use the DNS lookup utility `dig`, install `dnsutils`:
```shell
sudo apt install dnsutils
```
Try to use the local DNS server:
```shell
dig @127.0.0.1 denic.de +short +dnssec
```
which should lead to something like
```shell
81.91.170.12
A 8 2 3600 20190516090000 20190502090000 26155 denic.de. ZenvfYTndSmVHFrrt2klbfjT5bce3TxXtrdZvUKBHh3nsmCGTim67cbk dtQS/G9V2+XIE26I+xbSGl96e1RkHMB6KFry5hSr+40eBP9ogUuB7LJV UREmTvb/pd5Pw7KamW0qlK9kGCqETS3sCr/PN3V30cV5I1Xi+cxWW0de XRfcktHmotciedpLtszq3OttlVnzrxD7XGdtMYsSe+9WpUKD3xlUVQqH Bl1j/bXRyf84sLTqrfcPLtc6z/jz3set
```
If the dig command worked,
it is time to double-check that `unbound` is set as the primary DNS resolver for your mail system.
The result of
```shell
nslookup denic.de | grep Server
```
should now be:
```shell
Server: 127.0.0.1
```
By default, `openresolv` should already be installed on your system; if not, install it:
```shell
sudo apt install openresolv
```
Also, take a look at the `openresolv` configuration file,
which should take the `unbound` setup into account:
```shell
sudoedit /etc/resolvconf.conf
```

## Set up TLS certificates
A modern email server can’t be operated seriously without TLS certificates.
We will use Let’s Encrypt certificates for this purpose, as they are free and yet accepted by all browsers, mail clients and operating systems. If you already have valid certificates, you can use them instead.
### Retrieve new certificates
Use the official `certbot` command line client to get new certificates for your mail system:
```shell
sudo apt install certbot
sudo certbot certonly --standalone --rsa-key-size 4096 -d mail.example.com -d imap.example.com -d smtp.example.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"