postfix dovecot in Debian 8

  • Category: 電腦相關
  • Last Updated: Friday, 16 October 2015 16:56
  • Published: Friday, 09 October 2015 14:46
  • Written by sam

My mail system is Postfix on CentOS 5.5; it's too old, and I can't upgrade it in place.

So I built a new mail system on a day when I was out of work.

The new one is Debian 8.

Once the Debian installation is done, check what is already listening on port 25:

root at debian:~# netstat -ntulp |grep :25
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      654/exim4  
tcp6       0      0 ::1:25                  :::*                    LISTEN      654/exim4
root at debian:~# lsof -Pni :25
COMMAND PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
exim4   654 Debian-exim    4u  IPv4  11812      0t0  TCP localhost:smtp (LISTEN)
exim4   654 Debian-exim    5u  IPv6  11813      0t0  TCP localhost:smtp (LISTEN)

Remove the exim4 packages:

root at debian:~# dpkg --get-selections |grep exim4
exim4                                           install
exim4-base                                      install
exim4-config                                    install
exim4-daemon-light                              install
root at debian:~# apt-get --purge remove exim4 exim4-base exim4-config exim4-daemon-light
# Refresh the package lists and bring the fresh install fully up to date.
for step in update upgrade dist-upgrade; do
  apt-get "$step"
done

Prepare the TLS key and certificate:

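# Self-signed TLS key pair (10-year validity) shared by Postfix and Dovecot.
# -nodes leaves the key unencrypted so both daemons can start unattended.
# openssl writes the key file with the process umask, so tighten the umask
# in a subshell for the generation step instead of relying only on the
# chmod that follows.
( umask 077; openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:4096 -keyout myla.key -out myla.crt )
# Private key: root-owned, readable by the ssl-cert group only (the Debian
# convention for files under /etc/ssl/private). The certificate is public
# and stays world-readable.
chown root:ssl-cert myla.key
chmod 640 myla.key
chown root:root myla.crt
chmod 644 myla.crt
mv -- myla.key /etc/ssl/private/
mv -- myla.crt /etc/ssl/certs/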

Install Dovecot and Postfix:

# Dovecot for IMAP access and LMTP delivery, Postfix as the MTA.
apt-get install \
  dovecot-imapd \
  dovecot-lmtpd \
  postfix

When prompted, choose "Internet Site" as the general type of mail configuration, and enter your own domain as the system mail name.

root at myla:~# vi /etc/postfix/master.cf

Uncomment line 17 (remove the leading #) so that it reads:

submission inet n       -       -       -       -       smtpd
root at myla:~# vi /etc/postfix/main.cf

find # TLS parameters

insert

smtpd_tls_CAfile=/etc/ssl/certs/ca-certificates.crt

modify

smtpd_tls_cert_file=/etc/ssl/certs/myla.crt
smtpd_tls_key_file=/etc/ssl/private/myla.key

replace

`smtpd_use_tls = yes` with `smtpd_tls_security_level=may`
root at myla:~# vi /etc/dovecot/dovecot.conf

insert the following:
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
ssl_ca = </etc/ssl/certs/ca-certificates.crt
ssl_cert = </etc/ssl/certs/myla.crt
ssl_key = </etc/ssl/private/myla.key

Setting the imap listener's port to 0 (instead of 143) disables plain IMAP on :143, so clients are forced to use IMAPS on :993.

Prevent systemd from reporting an error for the disabled port (the stock dovecot.socket unit still lists :143):

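# Dovecot's stock socket unit still lists port 143, which is disabled above
# (imap port = 0). Override it under /etc/systemd/system and comment out the
# :143 listener BEFORE telling systemd to reload and re-enable the unit;
# re-enabling first would activate the unedited copy.
cp /lib/systemd/system/dovecot.socket /etc/systemd/system/
sed -i '/:143$/s/^/#/' /etc/systemd/system/dovecot.socket
systemctl daemon-reload
systemctl reenable dovecot.socket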

Then restart both services to test:

# systemctl restart postfix
# systemctl restart dovecot

Use another machine as a client to test:

# From a different host: exercise STARTTLS on the submission port and
# implicit TLS on IMAPS; -debug dumps the raw handshake bytes.
openssl s_client -debug -crlf -starttls smtp -connect 192.168.8.66:587
openssl s_client -debug -connect 192.168.8.66:993

Check the verify return code; both connections must report the line below. Code 18 is expected here because the certificate is self-signed and not in any trust store, so clients will have to trust this certificate explicitly.

Verify return code: 18 (self signed certificate)

Hand SMTP authentication off to Dovecot:

vi /etc/postfix/main.cf

insert

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_auth_only = yes
vi /etc/dovecot/dovecot.conf

insert

auth_mechanisms = plain login
disable_plaintext_auth = yes
service auth-worker {
  # Forbid to access /etc/shadow
  user = $default_internal_user
}
service auth {
  # IMPORTANT: Match the path to smtpd_sasl_path of Postfix
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    user = postfix
    mode = 0666
  }
}
mail_location = maildir:/var/vmail/%d/%n

passdb {
  driver = passwd-file
  # The entire email address will be used as the username for email client.
  # Don't bother about the scheme here, will be overwritten by a strong scheme from file.
  #    (http://wiki2.dovecot.org/AuthDatabase/PasswdFile)
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
}

userdb {
  # For static type, LDA verify the user's existence by lookup passdb
  #   ( http://wiki2.dovecot.org/UserDatabase/Static )
  driver = static
  args = uid=postfix gid=postfix home=/var/vmail/%d/%n
}

OK, now we need to test. Generate a password hash and add the user:

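# Generate a SHA512-CRYPT hash for the new user: doveadm prompts for the
# password and prints the {SHA512-CRYPT}... string pasted below.
doveadm pw -s SHA512-CRYPT
# Create the users file with its final ownership and mode before writing
# any hash into it, so it is never briefly world-readable.
touch /etc/dovecot/users
chown root:dovecot /etc/dovecot/users
chmod 640 /etc/dovecot/users
# The heredoc delimiter MUST be quoted: with a bare EOF the shell expands
# the "$6$..." and "$Ctaz..." fragments of the hash as variables and writes
# a truncated, unusable hash into the file. The username is the full
# address, matching username_format=%u in the passdb.
# A hash that appears on a public page (as this example does) can be
# cracked offline, so replace it with your own doveadm pw output.
cat << 'EOF' >> /etc/dovecot/users
sam at myla.gotdns.com:{SHA512-CRYPT}$6$VaEOcV5mzsbP1q2H9$Ctaz1HzJCZGXmlXxJDluXEFjGdEwjDKIZ80I0KhG6YD4c2X13YDX/dIb1kGPLAwo7.fTnRaQpcsN5O5O9QjaJ0
EOF
systemctl restart postfix
systemctl restart dovecot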
Check that the auth socket was created:
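# The SASL socket Postfix talks to (smtpd_sasl_path = private/auth) must
# now exist inside the Postfix spool.
ls -l /var/spool/postfix/private/auth
# Mailbox root for the virtual users. The static userdb delivers as
# uid=postfix gid=postfix, so the directory has to belong to that user;
# -p keeps the step idempotent on re-runs.
mkdir -p /var/vmail
chown postfix:postfix /var/vmail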
Then adjust the ownership and permissions of /var/vmail for the mail user.
root at myla:/etc/ddclient# openssl s_client -connect 192.168.8.66:993
CONNECTED(00000003)
depth=0 C = AU, ST = Some-State, L = tw, O = myla, CN = myla.gotdns.com, emailAddress = sam at myla.gotdns.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, L = tw, O = myla, CN = myla.gotdns.com, emailAddress = sam at myla.gotdns.com
verify return:1
---
Certificate chain......
vi /etc/postfix/main.cf

Modify these to match your own domain:

mydomain = myla.gotdns.com
myhostname = $mydomain
myorigin = $mydomain
mydestination = localhost
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual_aliases
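# postmap compiles virtual_aliases into virtual_aliases.db. The source file
# has to exist first (this guide never creates it), and Postfix lookups
# against hash:/etc/postfix/virtual_aliases fail while the .db is missing.
[ -e /etc/postfix/virtual_aliases ] || touch /etc/postfix/virtual_aliases
postmap /etc/postfix/virtual_aliases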
postmap builds the .db lookup table from the text file.
vi /etc/dovecot/dovecot.conf

insert

service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   mode = 0666
   user = postfix
   group = postfix
  }
}
# Pick up the new LMTP listener on both sides.
for svc in postfix dovecot; do
  systemctl restart "$svc"
done
Check that the LMTP socket was created:
# The LMTP socket referenced by virtual_transport must now exist.
ls -l -- /var/spool/postfix/private/dovecot-lmtp

Then... finished.

########################

tips

########################

If you see an error like `Oct  8 13:55:38 debian dovecot: imap: Error: user test0 at myla.gotdns.com: Mail access for users with UID 110 not permitted (see first_valid_uid in config file, uid from userdb lookup).`

edit /etc/dovecot/conf.d/10-mail.conf, or add this to /etc/dovecot/dovecot.conf:

first_valid_uid = 100

If you see errors about mail_max_userip_connections:

vi /etc/dovecot/dovecot.conf

mail_max_userip_connections = 50

If you see that postmaster_address is not set up:

vi /etc/dovecot/dovecot.conf

postmaster_address=postmaster at myla

####################################################

I use ddclient to update my dynamic IP for the domain name.

####################################################

Here is my config:

vi ddclient.conf
## ddclient configuration file
daemon=600
# check every 600 seconds
syslog=yes
# log update msgs to syslog
mail-failure=batista.sam at gmail.com # Mail failed updates to user
pid=/var/run/ddclient.pid
# record PID in file.
## Detect IP with our CheckIP server
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
## DynDNS username and password here
login=YOURS
password=##YOUR PASSWORD##
## Default options
protocol=dyndns2
server=members.dyndns.org
## Dynamic DNS hosts
myla.gotdns.com

Below are my final config files, if you want to use them:

root at myla:/etc/ddclient# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = localhost
mydomain = myla.gotdns.com
myhostname = $mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
relayhost = 168.95.4.211
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/myla.crt
smtpd_tls_key_file = /etc/ssl/private/myla.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
virtual_mailbox_domains = $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual_aliases
virtual_transport = lmtp:unix:private/dovecot-lmtp
root at myla:/etc/ddclient# dovecot -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.2 ext4
auth_mechanisms = plain login
first_valid_uid = 100
mail_location = maildir:/var/vmail/%d/%n
mail_max_userip_connections = 50
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
postmaster_address = postmaster at myla
protocols = " imap lmtp"
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl = required
ssl_ca = </etc/ssl/certs/ca-certificates.crt
ssl_cert = </etc/ssl/certs/myla.crt
ssl_key = </etc/ssl/private/myla.key
userdb {
  driver = passwd
}
userdb {
  args = uid=postfix gid=postfix home=/var/vmail/%d/%n
  driver = static
}

Now I can move the old CentOS 5.5 mail.tar to my new Debian 8, and everything works.