Email Server Setup
For my second VPS server, I wanted to set up my own email server. Why? Because it was there. As of now, I am following a guide for this one over at Ars Technica. I am sure I will end up making some changes and/or finding some newer security options that I want to implement, so I am documenting my whole process here…
Setup and Installation
So the first thing the guide has you doing is buying a name, setting up a 12.04 Ubuntu server (I am going for 14.04), and installing mail-stack-delivery (a postfix/dovecot combo package). I had already set up the server the way I like it following my vps setup post, which incidentally includes postfix due to logwatch.
sudo apt-get install mail-stack-delivery
Either way, this seemed to work. Dovecot asked for a cert on install, but I don’t want to create one for it yet, so I chose no, understanding that I will need to edit /etc/dovecot/conf.d/10-ssl.conf once I figure this out. Postfix didn’t prompt me for configuration options, and I needed to get in and change them, so I went ahead and ran
sudo dpkg-reconfigure postfix
This allowed me to tell it that it is an internet mail delivery agent responsible for my domain name. Specifically, I chose the following options
General Config: Internet Site
System mail name: mail.aptprojects.net
Root and postmaster mail recipient: aaron
Other destinations to accept mail for:
Force synchronous updates on mail queue: no
Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
Use procmail for local delivery: Yes
Mailbox size limit (bytes): 0
Local address extension character: +
Internet protocols to use: all
Certifiable
So the next part went through the process of getting a valid cert for your server. As such, I went ahead and installed nginx on the server following my nginx post and then installed Let’s Encrypt following my Let’s Encrypt post. All this work simply gave me a valid server certificate to use in authenticating this email server on the web.
Postfix setup
The next part goes over a standard postfix setup. For now, I am going with the configuration they suggest. Obviously I may change this in the future, but this is a really good start here.
sudo nano /etc/postfix/main.cf
My postfix was not defaulted to all the settings they said it would be. This could be because I installed a slightly different version, but I think it was because I had it installed prior to installing mail-stack-delivery. As I was already using it on this server for logwatch, I had some slightly different things set up here that I had to change. Also, Let’s Encrypt puts your keys in particular folders, so I had to change some obvious settings here accordingly.
The next thing they have you edit is the master config file to allow submissions and to setup the dovecot connection.
sudo nano /etc/postfix/master.cf
Next edit the alias file to assign the normal roles of postmaster, root, etc. to a particular mailbox.
sudo nano /etc/aliases
Then run the newaliases program to hash it appropriately.
sudo newaliases
Canonical Map - I skipped this part for now. I may come back to this section if I need it, but for now I don’t have any services that have this issue emailing me. And then it started throwing errors later, so I just created one…
sudo nano /etc/postfix/canonical
www-data@www.aptprojects.net poster@aptprojects.net
sudo postmap /etc/postfix/canonical
Virtual User configuration - This part I followed along exactly as they were doing it.
sudo nano /etc/postfix/virtual-mailbox-domains
aptprojects.net OK
sudo postmap /etc/postfix/virtual-mailbox-domains
sudo nano /etc/postfix/virtual-mailbox-users
you@yourdomain.com you@yourdomain.com
postbot@yourdomain.com postbot@yourdomain.com
webmaster@yourdomain.com webmaster@yourdomain.com
sudo postmap /etc/postfix/virtual-mailbox-users
sudo nano /etc/postfix/virtual
you@yourdomain.com you@yourdomain.com
postbot@yourdomain.com postbot@yourdomain.com
webmaster@yourdomain.com webmaster@yourdomain.com
postmaster@yourdomain.com webmaster@yourdomain.com
root@mail.yourdomain.com webmaster@yourdomain.com
root@yourdomain.com webmaster@yourdomain.com
abuse@yourdomain.com webmaster@yourdomain.com
hostmaster@yourdomain.com webmaster@yourdomain.com
sudo postmap /etc/postfix/virtual
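As an added check of my own (not from the post or the Ars guide), this script cross-reads the three maps above before you run postmap and flags two mistakes that otherwise only surface as rejected or bounced mail: a virtual-mailbox-users entry whose domain is not listed in virtual-mailbox-domains, and a virtual alias that points at a hosted address with no mailbox or further alias behind it. The sample maps are constructed in a temp dir; pass /etc/postfix to the function to check the real ones.

```shell
#!/bin/sh
# Added example, not from the post or the Ars guide: cross-check the three
# Postfix virtual maps. The sample maps below are constructed and include
# two deliberate mistakes (postbot in the wrong domain, hostmaster with no
# mailbox) so the check has something to report.
MAPDIR=$(mktemp -d)
cat > "$MAPDIR/virtual-mailbox-domains" <<'EOF'
aptprojects.net OK
EOF
cat > "$MAPDIR/virtual-mailbox-users" <<'EOF'
you@aptprojects.net you@aptprojects.net
webmaster@aptprojects.net webmaster@aptprojects.net
postbot@mail.aptprojects.net postbot@mail.aptprojects.net
EOF
cat > "$MAPDIR/virtual" <<'EOF'
# constructed: the last entry has no mailbox behind it
you@aptprojects.net you@aptprojects.net
postmaster@aptprojects.net webmaster@aptprojects.net
abuse@aptprojects.net webmaster@aptprojects.net
root@mail.aptprojects.net webmaster@aptprojects.net
hostmaster@aptprojects.net hostmaster@aptprojects.net
EOF

# Prints one line per problem and nothing when the maps are consistent.
# awk reads: domains, users, virtual (collect alias names), virtual (check).
check_virtual_maps() {
    awk '
        function hosted(addr, a) { split(addr, a, "@"); return (a[2] in dom) }
        FNR == 1 { f++ }
        /^#/ || NF < 2 { next }
        f == 1 { dom[$1] = 1; next }
        f == 2 {
            if (!hosted($1))
                print "virtual-mailbox-users: " $1 " is not in a virtual mailbox domain"
            box[$1] = 1; next
        }
        f == 3 { alias[$1] = 1; next }
        # alias targets outside our domains (forwarding) are left alone
        hosted($2) && !($2 in box) && !($2 != $1 && $2 in alias) {
            print "virtual: " $1 " -> " $2 " has no mailbox behind it"
        }
    ' "$1/virtual-mailbox-domains" "$1/virtual-mailbox-users" "$1/virtual" "$1/virtual"
}
check_virtual_maps "$MAPDIR"
```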
That’s it for postfix for now. Restart the server (and fix whatever typos you made in main.cf - I really wanted to spell helo as help)
sudo service postfix restart
Mailboxes and Dovecot Config
So now we need to create a place to store mail. First things first is adding a user to manage it.
sudo groupadd -g 5000 vmail
sudo useradd -g vmail -u 5000 vmail -d /var/mail/vmail -m
Firstly, my package of dovecot was newer than theirs, so I didn’t bother with the repository and update.
I easily enough commented out the cert lines on lines 12 and 13:
sudo nano /etc/dovecot/conf.d/10-ssl.conf
Then I went through and made all of the changes they mentioned in the following files:
sudo nano /etc/dovecot/conf.d/99-mail-stack-delivery.conf
sudo nano /etc/dovecot/conf.d/10-mail.conf
sudo nano /etc/dovecot/conf.d/10-auth.conf
sudo nano /etc/dovecot/conf.d/auth-system.conf.ext
Next I created my three user passwords and created a passwd.db file to store the hashes in.
doveadm pw -s SSHA512
sudo nano /etc/dovecot/passwd.db
And lastly edited the mailbox config to auto create folders.
sudo nano /etc/dovecot/conf.d/15-mailboxes.conf
Then restarting the dovecot services…
sudo service dovecot restart
Opendkim
I went ahead and installed this tool as per the instructions
sudo apt-get install opendkim opendkim-tools
and then created directories and keys in the correct spots
sudo mkdir /etc/opendkim
sudo chown opendkim:opendkim /etc/opendkim
cd /etc/opendkim
sudo opendkim-genkey -r -h sha256 -d mail.aptprojects.net -s mail
sudo mv mail.private mail
and then went to town on the config files…
sudo nano /etc/opendkim/KeyTable
mail.aptprojects.net mail.aptprojects.net:mail:/etc/opendkim/mail
sudo nano /etc/opendkim/SigningTable
*@aptprojects.net mail.aptprojects.net
sudo nano /etc/opendkim/TrustedHosts
127.0.0.1
sudo chown -R opendkim:opendkim /etc/opendkim
sudo nano /etc/opendkim.conf
Then I needed to create the socket directory in the postfix spool as per the config file I just changed and restart the service.
sudo mkdir /var/spool/postfix/opendkim
sudo chown opendkim:root /var/spool/postfix/opendkim
sudo service opendkim restart
Lastly I added postfix to the opendkim group so that it could write to the spool correctly.
sudo usermod -a -G opendkim postfix
SpamAssassin
They have me installing some much-needed anti-spam tools now and setting them up. This is what I installed:
sudo apt-get install spamass-milter pyzor razor libmail-dkim-perl
and then adding a user to run the spam detection
sudo adduser --shell /bin/false --home /var/lib/spamassassin --disabled-password --disabled-login --gecos "" spamd
sudo usermod -a -G spamd spamass-milter
More configuration editing here and creating the socket directory and permissions.
sudo nano /etc/default/spamassassin
sudo mkdir /var/spool/postfix/spamassassin
sudo chown -R spamd:root /var/spool/postfix/spamassassin/
sudo nano /etc/default/spamass-milter
sudo nano /etc/spamassassin/init.pre
sudo nano /etc/spamassassin/local.cf
Next run --lint to make sure there are no typos in these configs. Then run the update tool to update our definitions and change permissions so that spamd can modify them on its own.
sudo spamassassin --lint
sudo sa-update
sudo chown -R spamd:spamd /var/lib/spamassassin
Before restarting the service we need to create the filter directory we specified in the config and set its permissions, as well as the socket and its permissions.
sudo mkdir -p /var/lib/spamassassin/.spamassassin
sudo chown spamd:spamd /var/lib/spamassassin/.spamassassin
sudo usermod -a -G spamd spamass-milter
sudo service spamassassin restart && sudo service spamass-milter restart
I started getting errors here around the socket I was using for spamass-milter (/var/spool/postfix/spamass/spamass.sock). It wouldn’t start the spamass-milter service due to a problem trying to remove that file. I rebooted and then got a much cleaner error message about the spamass-milter user not having permissions to that folder, so I did the following. This seemed to clear it up and the service started ok.
sudo chown -R spamass-milter:root /var/spool/postfix/spamass/
Install AV
Omg ClamAV looks burdensome on my cheap little VPS. Well we are going to try it and perhaps remove it later… There were two unzipping tools that were not available at this point (LHA and RAR). I just skipped over them.
sudo apt-get install clamav-milter arj bzip2 cabextract cpio file gzip lzop nomarch p7zip pax rpm unrar unzip zip zoo
And onto configuring, creating sockets, and restarting services…
sudo nano /etc/clamav/clamav-milter.conf
sudo mkdir /var/spool/postfix/clamav
sudo chown -R clamav:root /var/spool/postfix/clamav/
sudo nano /etc/default/clamav-milter
sudo service clamav-daemon restart && sudo service clamav-milter restart
Double check to make sure virus defs are up to date:
sudo cat /var/log/clamav/freshclam.log
Add filters to postfix
So now we are just going back into the postfix config and uncommenting the filters we put in earlier and restarting.
sudo nano /etc/postfix/main.cf
sudo service postfix reload
Setup DNS
This one is very user specific. I use namecheap for my DNS records and their setup was pretty straightforward. My hostmada VPS server had no options for setting up a PTR record, but the support guy was very friendly and took care of it within minutes of my logging a ticket.
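The DKIM key generated in the Opendkim section above has to be published as part of this DNS step, and the mail.txt that opendkim-genkey drops next to mail.private splits the record into several quoted fragments that web DNS panels want pasted as one string. As an added helper of my own (not from the post or the Ars guide), this joins the fragments, checks the record shape, and compares it with what DNS actually serves; the mail.txt below is constructed in the layout opendkim-genkey uses with a placeholder key. Note that with the KeyTable above (signing domain mail.aptprojects.net, selector mail) the record belongs at mail._domainkey.mail.aptprojects.net, not under the bare domain.

```shell
#!/bin/sh
# Added example, not from the post or the Ars guide. SAMPLE is a constructed
# mail.txt in opendkim-genkey's layout; the p= value is a placeholder.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
mail._domainkey	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; s=email; "
	  "p=PLACEHOLDERPUBLICKEYPART1"
	  "PLACEHOLDERPUBLICKEYPART2" )  ; ----- DKIM key mail for aptprojects.net
EOF

# Join the quoted fragments into the single TXT value a DNS panel expects.
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Shape check on the assembled record: must start with v=DKIM1 and carry p=.
dkim_txt_check() {
    v=$(dkim_txt_value "$1")
    case $v in
        "v=DKIM1;"*) ;;
        *) echo "record does not start with v=DKIM1" >&2; return 1 ;;
    esac
    case $v in
        *"; p="*) ;;
        *) echo "record has no p= tag" >&2; return 1 ;;
    esac
    echo "$v"
}

# Compare with what resolvers see (needs network). dig also returns the
# fragments quoted, so quotes and spaces are stripped on both sides.
# usage: dkim_published_matches /etc/opendkim/mail.txt mail mail.aptprojects.net
dkim_published_matches() {
    expect=$(dkim_txt_value "$1" | tr -d ' ')
    got=$(dig +short TXT "$2._domainkey.$3" | tr -d '" \n')
    [ -n "$got" ] && [ "$got" = "$expect" ]
}

dkim_txt_check "$SAMPLE"
```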
Setup Sieve
So this is the actual filtering agent we are going to use.
sudo mkdir /var/mail/vmail/sieve-before
sudo mkdir /var/mail/vmail/sieve-after
sudo chown -R vmail:vmail /var/mail/vmail/sieve-before
sudo chown -R vmail:vmail /var/mail/vmail/sieve-after
Then I simply create a ruleset in the before directory. I used his script for now, but commented out the bills and twitter stuff - I will probably address this further later.
sudo nano /var/mail/vmail/sieve-before/myfilter.sieve
sudo sievec /var/mail/vmail/sieve-before/myfilter.sieve
sudo chown vmail:vmail /var/mail/vmail/sieve-before/myfilter.svbin
Lastly, I opened up some ports on ufw and then connected my client to it and started sending some emails…
sudo ufw allow smtp
sudo ufw allow smtps
sudo ufw allow imap
sudo ufw allow imaps
sudo ufw allow 587
Some Minor Fixes
So the first thing that went wrong is that the spamassassin daily cron job started throwing errors every night. After a little googling, I found that the shell script it is running /etc/cron.daily/spamassassin was hardcoded to use the user debian-spamd. This guide had us create an account called spamd instead, so I went ahead and edited all four locations in the shell script to stop the errors.
gpg: WARNING: unsafe ownership on homedir `/var/lib/spamassassin/sa-update-keys'
gpg: failed to create temporary file `/var/lib/spamassassin/sa-update-keys/.#lk0x2483120: Permission denied
gpg: keyblock resource `/var/lib/spamassassin/sa-update-keys/secring.gpg': general error
gpg: failed to create temporary file `/var/lib/spamassassin/sa-update-keys/.#lk0x2483120': Permission denied
gpg: keyblock resource `/var/lib/spamassassin/sa-update-keys/pubring.gpg': general error
gpg: no writable keyring found: eof
gpg: error reading `/usr/share/spamassassin/sa-update-pubkey.txt': general error
gpg: import from `/usr/share/spamassassin/sa-update-pubkey.txt' failed: general error
gpg: process '/usr/bin/gpg --homedir='/var/lib/spamassassin/sa-update-keys'