@ibqn
Last active January 24, 2023 15:00
Email server based on Dovecot, Postfix, MySQL, Rspamd and Debian 9 Stretch


MySQL database setup

Install MariaDB as the database management system (DBMS):

sudo apt install mariadb-server

Create a new database named srvmail for a mail server:

sudo mysql -e 'create database if not exists srvmail character set "utf8";'

Create database user srvmail, with password dbpass. This user will be used by Postfix and Dovecot. It is granted select permissions on this DB.

sudo mysql -e 'grant select on srvmail.* to "srvmail"@"localhost" identified by "dbpass";'

Domain table

The domain table contains all domains, which shall be served by the mail server.

CREATE TABLE `domains` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `domain` varchar(255) NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY (`domain`)
);

Account table

The account table contains all data regarding user mailbox accounts, such as username, domain, password, and quota. Quota is in megabytes (MB). If the enabled field is set to true, a mailbox account is active and can be used. If sendonly is set to true, this account is not able to receive mails.

CREATE TABLE `accounts` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `username` varchar(64) NOT NULL,
    `domain` varchar(255) NOT NULL,
    `password` varchar(255) NOT NULL,
    `quota` int unsigned DEFAULT '0',
    `enabled` boolean DEFAULT '0',
    `sendonly` boolean DEFAULT '0',
    PRIMARY KEY (id),
    UNIQUE KEY (`username`, `domain`),
    FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
);

Alias table

The alias table contains all alias definitions / redirects.

CREATE TABLE `aliases` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `source_username` varchar(64) NOT NULL,
    `source_domain` varchar(255) NOT NULL,
    `destination_username` varchar(64) NOT NULL,
    `destination_domain` varchar(255) NOT NULL,
    `enabled` boolean DEFAULT '0',
    PRIMARY KEY (`id`),
    UNIQUE KEY (`source_username`, `source_domain`, `destination_username`, `destination_domain`),
    FOREIGN KEY (`source_domain`) REFERENCES `domains` (`domain`)
);

TLS Policy table

The TLS policy table defines policies regarding TLS-encryption to foreign mail servers.

CREATE TABLE `tlspolicies` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `domain` varchar(255) NOT NULL,
    `policy` enum('none', 'may', 'encrypt', 'dane', 'dane-only', 'fingerprint', 'verify', 'secure') NOT NULL,
    `params` varchar(255),
    PRIMARY KEY (`id`),
    UNIQUE KEY (`domain`)
);

Place these table definitions into a file named srvmail-tables.sql and import them into the database:

sudo mysql srvmail < srvmail-tables.sql

srvmail user and its srvmail home directory

All e-mails and sieve scripts are saved into a special directory /var/srvmail. Only the associated srvmail user has access to it. Dovecot will use this user account to do its operations on the file system.

Create the srvmail home directory together with some subdirectories:

sudo mkdir -p /var/srvmail/mailboxes
sudo mkdir -p /var/srvmail/sieve/global

Create srvmail user

sudo adduser --system --group --disabled-login --disabled-password --home /var/srvmail srvmail

Change permissions on /var/srvmail:

sudo chown -R srvmail:srvmail /var/srvmail
sudo chmod -R 770 /var/srvmail

Install unbound caching DNS resolver

Rspamd, Postfix / Postscreen and more services on your system heavily depend on DNS requests. Therefore, it is recommended to install unbound as a local DNS resolver and cache! Some server providers rate-limit your access to their pre-defined DNS resolvers, which might cause trouble. Rspamd in particular does a lot of DNS requests, depending on the mail system load. Furthermore, Spamhaus blocklists often can be used with your own DNS resolver only.

Install unbound

sudo apt install unbound

Update DNSSEC Root key and reload Unbound service

sudo su -c "unbound-anchor -a /var/lib/unbound/root.key" - unbound
sudo systemctl reload unbound

To use the DNS lookup utility dig install dnsutils

sudo apt install dnsutils

Try to use the local DNS server:

dig @127.0.0.1 denic.de +short +dnssec

which should lead to something like

81.91.170.12
A 8 2 3600 20190516090000 20190502090000 26155 denic.de. ZenvfYTndSmVHFrrt2klbfjT5bce3TxXtrdZvUKBHh3nsmCGTim67cbk dtQS/G9V2+XIE26I+xbSGl96e1RkHMB
6KFry5hSr+40eBP9ogUuB7LJV UREmTvb/pd5Pw7KamW0qlK9kGCqETS3sCr/PN3V30cV5I1Xi+cxWW0de XRfcktHmotciedpLtszq3OttlVnzrxD7XGdtMYsSe+9WpUKD3xlUVQqH Bl1j/
bXRyf84sLTqrfcPLtc6z/jz3set

If the dig-command worked, it's time to double-check that unbound is set as the primary DNS resolver for your mail system: The result of

nslookup denic.de | grep Server 

should now be:

Server:     127.0.0.1

By default openresolv should be already installed on your system

sudo apt install openresolv

Also, take a look at the openresolv configuration file, which should take the unbound setup into account.

sudoedit /etc/resolvconf.conf

Set up TLS certificates

A modern email server can’t be operated seriously without TLS certificates. We will use Let’s Encrypt certificates for this purpose, as they are free and yet accepted by all browsers, mail clients and operating systems. If you already have valid certificates, you can use them instead.

Retrieve new certificates

Use the official certbot command line client to get new certificates for your mail system:

sudo apt install certbot
sudo certbot certonly --standalone --rsa-key-size 4096 -d mail.example.com -d imap.example.com -d smtp.example.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

Install and configure Dovecot

Install the following Dovecot components

sudo apt install dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-sieve dovecot-managesieved

SQL configuration file dovecot-sql.conf.ext

driver=mysql
connect = "host=127.0.0.1 dbname=srvmail user=srvmail password=dbpass"
default_pass_scheme = SHA512-CRYPT

password_query = SELECT username AS user, domain, password FROM accounts WHERE username = '%n' AND domain = '%d' and enabled = true;
user_query = SELECT concat('*:storage=', quota, 'M') AS quota_rule FROM accounts WHERE username = '%n' AND domain = '%d' AND sendonly = false;
iterate_query = SELECT username, domain FROM accounts where sendonly = false;

Global sieve filter to move marked spam mails

Create a new Sieve filter script spam-global.sieve in /var/srvmail/sieve/global/

require "fileinto";

if header :contains "X-Spam-Flag" "YES" {
    fileinto "Spam";
}

if header :is "X-Spam" "Yes" {
    fileinto "Spam";
}

Spam learning with Rspamd

Rspamd shall learn from its mistakes if you move a mail out of your “Spam” folder and vice versa. Sieve recognizes the moving process and triggers an Rspamd learning process. Create the following two sieve config files in /var/srvmail/sieve/global/:

learn-spam.sieve

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];

Install and configure Postfix

sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'No configuration'" # optional
sudo apt install postfix postfix-mysql

During installation of the Postfix packages you will be asked what type of configuration you want to create. Select “No configuration”. Then stop Postfix:

sudo systemctl stop postfix

Although you selected “No configuration” there will be configuration files in /etc/postfix. Delete some of them:

cd /etc/postfix
sudo rm -r sasl
sudo rm master.cf main.cf.proto master.cf.proto

Then create the following new config files in /etc/postfix:

Configuration of main.cf file

##
## Network settings
##

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = 127.0.0.1, ::1, 212.86.55.94
myhostname = mail.zyfron.com


##
## Mail queue settings
##

maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m


##
## TLS settings
##

tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

### Outbound SMTP connections (Postfix as sender)

smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt


### Inbound SMTP connections

smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.zyfron.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.zyfron.com/privkey.pem


##
## Local mail delivery to Dovecot via LMTP
##

virtual_transport = lmtp:unix:private/dovecot-lmtp


##
## Spam filter and DKIM signatures via Rspamd
##

smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept

##
## Server Restrictions for clients, recipients and relaying
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
##

### Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =      reject_non_fqdn_recipient
                                reject_unknown_recipient_domain
                                permit_mynetworks
                                reject_unauth_destination


### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
### check_recipient_access checks if an account is "sendonly"
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf


### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =     permit_mynetworks
                                check_client_access hash:/etc/postfix/without_ptr
                                reject_unknown_client_hostname


### Foreign mail servers must present a valid "HELO"
smtpd_helo_required = yes
smtpd_helo_restrictions =   permit_mynetworks
                            reject_invalid_helo_hostname
                            reject_non_fqdn_helo_hostname
                            reject_unknown_helo_hostname

# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining


##
## Restrictions for MUAs (Mail user agents)
##

mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject


##
## Postscreen Filter
##

### Postscreen Whitelist / Blocklist
postscreen_access_list =        permit_mynetworks
                                cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop


# Drop connections if other server is sending too quickly
postscreen_greet_action = drop


### DNS blocklists
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =    ix.dnsbl.manitu.net*2
                            zen.spamhaus.org*2
postscreen_dnsbl_action = drop


##
## MySQL queries
##

virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps


##
## Miscellaneous
##

### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0

### Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800

### Do not notify system users on new e-mail
biff = no

### Users always have to provide full e-mail addresses
append_dot_mydomain = no

### Delimiter for "Address Tagging"
recipient_delimiter = +

Settings to adjust:

  • inet_interfaces: IP addresses of your server. 212.86.55.94, 2a00:f820:417::7647:b2c2 must be replaced by your own IPv4- and IPv6-address.
  • myhostname: Replace by your own hostname
  • smtpd_tls_cert_file: Path to certificate file
  • smtpd_tls_key_file: Path to certificate key

Configuration of master.cf file

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
submission-header-cleanup unix n - n    -       0       cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup
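
The master.cf above switches SASL off on the port 25 service and enables it only on submission, where TLS is mandatory, so mailbox credentials are never offered over an unencrypted session. The following shell lint is an added example, not part of the original gist; it parses a master.cf and checks that these -o overrides are present. The function names and the sample excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): lint master.cf so that SMTP AUTH is
# only offered on the submission service, behind mandatory TLS.

# master_overrides FILE SERVICE TYPE
# Prints the "name=value" argument of every "-o" override of one service.
# Handles indented continuation lines; the "-o { name = value }" brace form
# of newer Postfix versions is not handled.
master_overrides() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comment or blank
        !/^[ \t]/ { hit = ($1 == svc && $2 == typ) }       # new service entry
        hit { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }
    ' "$1"
}

# expect_override FILE SERVICE TYPE NAME=VALUE -> status 0 if present
expect_override() {
    master_overrides "$1" "$2" "$3" | grep -Fxq -- "$4"
}

# lint_master_cf FILE
# Prints one FAIL line per missing override; exit status 1 on any finding.
# The expected overrides are the ones the master.cf above sets.
lint_master_cf() (
    rc=0
    while read -r svc typ want; do
        expect_override "$1" "$svc" "$typ" "$want" ||
            { echo "FAIL $svc/$typ lacks -o $want"; rc=1; }
    done <<'EOF'
smtp inet smtpd_sasl_auth_enable=no
submission inet smtpd_tls_security_level=encrypt
submission inet smtpd_sasl_auth_enable=yes
submission inet smtpd_sender_restrictions=$mua_sender_restrictions
EOF
    exit "$rc"
)

# Constructed excerpt in the layout used above. The optional argument sets
# the submission TLS level; anything other than "encrypt" yields a finding.
sample_master_cf() {
    cat <<EOF
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
smtp      unix  -       -       y       -       -       smtp
submission inet n       -       y       -       -       smtpd
    -o smtpd_tls_security_level=${1:-encrypt}
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sender_restrictions=\$mua_sender_restrictions
EOF
}

# Stand-alone run: lint a weakened sample and show the finding.
tmp=$(mktemp)
sample_master_cf may > "$tmp"
lint_master_cf "$tmp" || true
rm -f "$tmp"
```

On a live system, point lint_master_cf at /etc/postfix/master.cf.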

Header cleanup rules

Create a new file /etc/postfix/submission_header_cleanup with this content:

### Removes headers of MUAs for privacy reasons

/^Received:/            IGNORE
/^X-Originating-IP:/    IGNORE
/^X-Mailer:/            IGNORE
/^User-Agent:/          IGNORE

SQL configuration

SQL queries for Postfix sit in the /etc/postfix/sql/ subdirectory:

sudo mkdir /etc/postfix/sql && cd $_

Create these files with their corresponding content:

accounts.cf

user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = select 1 as found from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;

aliases.cf

user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = select concat(destination_username, '@', destination_domain) as destinations from aliases where source_username = '%u' and source_domain = '%d' and enabled = true;

domains.cf

user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = SELECT domain FROM domains WHERE domain='%s'

recipient-access.cf

user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = select if(sendonly = true, 'REJECT', 'OK') AS access from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;

sender-login-maps.cf

user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = select concat(username, '@', domain) as 'owns' from accounts where username = '%u' AND domain = '%d' and enabled = true union select concat(destination_username, '@', destination_domain) AS 'owns' from aliases where source_username = '%u' and source_domain = '%d' and enabled = true;

tls-policy.cf

user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = SELECT policy, params FROM tlspolicies WHERE domain = '%s';

Don’t forget to modify dbpass in all of the above files, in case you are using another password!

Set proper permissions for /etc/postfix/sql:

sudo chmod -R 640 /etc/postfix/sql
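
The same database user and password are repeated in every map file above and in dovecot-sql.conf.ext, so a changed password or a mistyped user name in one file breaks lookups for that service only. The following shell check is an added example, not part of the original gist; it compares the credentials across the files, flags the dbpass placeholder and reports files readable by other users. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): cross-check the DB credentials used by
# Postfix's SQL maps and Dovecot's SQL config, and flag loose file modes.

# map_field FILE KEY: value of "KEY = value" in a Postfix mysql map file.
map_field() {
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
        END { print v }' "$1"
}

# dovecot_field FILE KEY: value of KEY=... inside Dovecot's connect string.
dovecot_field() {
    awk -v key="$2" '
        /^[ \t]*connect[ \t]*=/ {
            gsub(/^[^=]*=[ \t]*"?|"[ \t]*$/, "")
            n = split($0, kv, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1)
                    v = substr(kv[i], length(key) + 2)
        }
        END { print v }' "$1"
}

# check_mail_db_creds MAP_DIR DOVECOT_SQL_CONF [PLACEHOLDER]
# Prints one finding per line (never the password itself); exit status 1 on
# any finding. Runs in a subshell so its variables stay local.
check_mail_db_creds() (
    map_dir=$1 dovecot_conf=$2 placeholder=${3:-dbpass} rc=0
    d_user=$(dovecot_field "$dovecot_conf" user)
    d_pass=$(dovecot_field "$dovecot_conf" password)
    if [ "$d_pass" = "$placeholder" ]; then
        echo "PLACEHOLDER ${dovecot_conf##*/}"; rc=1
    fi
    for f in "$map_dir"/*.cf; do
        name=${f##*/}
        pass=$(map_field "$f" password)
        if [ "$(map_field "$f" user)" != "$d_user" ]; then
            echo "USER-MISMATCH $name"; rc=1
        fi
        if [ "$pass" != "$d_pass" ]; then
            echo "PASSWORD-MISMATCH $name"; rc=1
        fi
        if [ "$pass" = "$placeholder" ]; then
            echo "PLACEHOLDER $name"; rc=1
        fi
    done
    # Files holding the DB password must not be readable by "other".
    loose=$(find "$map_dir" "$dovecot_conf" -type f -perm -004 |
        sed 's/^/WORLD-READABLE /')
    if [ -n "$loose" ]; then echo "$loose"; rc=1; fi
    exit "$rc"
)

# Constructed sample files (not a real server's config) written below DIR:
# one map with the placeholder password and mode 644, and a Dovecot file
# whose user name differs from the maps.
make_sample() {
    mkdir -p "$1/sql"
    printf 'user = srvmail\npassword = S3cret=pw\nhosts = 127.0.0.1\n' > "$1/sql/accounts.cf"
    printf 'user = srvmail\npassword = dbpass\nhosts = 127.0.0.1\n' > "$1/sql/aliases.cf"
    printf 'driver = mysql\nconnect = "host=127.0.0.1 dbname=srvmail user=vmail password=S3cret=pw"\n' \
        > "$1/dovecot-sql.conf.ext"
    chmod 640 "$1/sql/accounts.cf" "$1/dovecot-sql.conf.ext"
    chmod 644 "$1/sql/aliases.cf"
}

demo() (
    tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
    make_sample "$tmp"
    check_mail_db_creds "$tmp/sql" "$tmp/dovecot-sql.conf.ext"
)

demo || true   # findings are expected for the constructed sample
```

On a live system the arguments would be /etc/postfix/sql and the path of your dovecot-sql.conf.ext; run it as a user that can read both.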

More Postfix configuration files

Create two new files in /etc/postfix. You can leave them empty.

sudo touch /etc/postfix/without_ptr
sudo touch /etc/postfix/postscreen_access

In without_ptr you can define entries like this:

1.2.3.4 OK

This will result in a policy, which allows server 1.2.3.4 to send e-mails to this host even if it does not have a valid PTR-record. After every change, without_ptr has to be converted into a database file and Postfix must be reloaded:

sudo postmap /etc/postfix/without_ptr
sudo systemctl reload postfix

In postscreen_access file you can define exceptions for the postscreen filter. If any mail server is blocked by postscreen and you want to grant access for any reason, add an entry similar to the following:

1.2.3.4 permit

You can do the opposite, too: If you always want to block a certain server, add “reject” instead of “permit”.

Execute

sudo newaliases

to create the alias database file /etc/aliases.db. This file is expected by Postfix by default.

Rspamd

The official Debian repositories contain an outdated version of Rspamd, so use the Rspamd-Repository for installation instead:

sudo apt install -y lsb-release wget
wget -O- https://rspamd.com/apt-stable/gpg.key | sudo apt-key add -
echo "deb http://rspamd.com/apt-stable/ $(lsb_release -c -s) main" | sudo tee /etc/apt/sources.list.d/rspamd.list
echo "deb-src http://rspamd.com/apt-stable/ $(lsb_release -c -s) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list

Update package sources and install Rspamd:

sudo apt update
sudo apt install rspamd

Build from source

On Raspbian, no up-to-date deb package is available. To build it from source, install the following packages:

sudo apt install devscripts fakeroot debhelper libcurl4-openssl-dev dh-systemd libjemalloc-dev libunwind-dev ragel libevent-dev lua5.1 liblua5.1-dev cmake sqlite3 libmagic-dev libsqlite3-dev libicu-dev libglib2.0-dev libssl-dev libsodium-dev

Clone the source code:

git clone --recursive https://github.com/vstakhov/rspamd.git
#git checkout tags/1.9.4 #optionally

To build rspamd it's recommended to create a separate build directory:

cd rspamd
mkdir build
cd build
cmake ..

If you decide to install it from source run

make
sudo make install

The preferred way is to create a package:

tar xvf rspamd-2.0.tar.xz
cd rspamd-2.0
debuild -uc -us
cd ..
sudo dpkg -i *.deb

Configuration

The following files are now created in /etc/rspamd/local.d/:

/etc/rspamd/local.d/options.inc: Network settings and definition of the DNS resolver to use.

local_addrs = "127.0.0.0/8, ::1";

dns {
    nameserver = ["127.0.0.1:53:10"];
}

/etc/rspamd/local.d/worker-normal.inc: Settings for the normal Rspamd worker

bind_socket = "localhost:11333";
### Number of workers to use. Default: number of virtual processor cores.
# count = 1

/etc/rspamd/local.d/worker-controller.inc: Worker controller settings: Password for web interface access, e.g.:

password = "$2$91sbzekafgbaew494epqfsm1bziewza4$wmdqdgjt4ehet7i5i9sczmpbsow7s7g3eo47obuzp8aieb6bzduy";

The password hash (“$2$ …”) must be generated by

rspamadm pw

Enter a password you would like to set, copy the hash and paste it into the configuration file above.

/etc/rspamd/local.d/worker-proxy.inc: Worker proxy (Milter-Module for Postfix)

bind_socket = "localhost:11332";
milter = yes;
timeout = 120s;
upstream "local" {
    default = yes;
    self_scan = yes;
}

/etc/rspamd/local.d/logging.inc: Error logging

type = "file";
filename = "/var/log/rspamd/rspamd.log";
level = "error";
debug_modules = [];

Milter Headers /etc/rspamd/local.d/milter_headers.conf

use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
authenticated_headers = ["authentication-results"];

Use Redis for Bayesian filter: /etc/rspamd/local.d/classifier-bayes.conf

backend = "redis";

Redis

Rspamd uses Redis as a data cache. Installation is simple:

sudo apt install redis-server

/etc/rspamd/local.d/redis.conf

servers = "127.0.0.1";

Start Rspamd

sudo systemctl start rspamd

Nginx Proxy for Rspamd web interface (optional)

To get easy and secure access to the Rspamd web interface, you can install Nginx as an HTTP proxy with TLS termination. As an alternative, access via an SSH tunnel is sufficient in some cases (see below).

Installation:

sudo apt install nginx
sudoedit /etc/nginx/sites-available/mail.zyfron.com

Config file /etc/nginx/sites-available/mail.zyfron.com

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/mail.zyfron.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.zyfron.com/privkey.pem;

    server_name mail.zyfron.com;

    # root /var/www/default;

    if ($ssl_protocol = "") {
        return 301 https://$server_name$request_uri;
    }

    location /rspamd/ {
        proxy_pass http://localhost:11334/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Settings to adapt:

  • ssl_certificate: Path to certificate
  • ssl_certificate_key: Path to certificate key
  • server_name

Activate site configuration, reload and start nginx:

sudo ln -s /etc/nginx/sites-available/mail.zyfron.com /etc/nginx/sites-enabled/mail.zyfron.com
sudo nginx -t
sudo systemctl reload nginx

Access web interface via webbrowser

You should now be able to access the Rspamd web interface via https://mail.zyfron.com/rspamd/ . Then enter the password you chose during rspamd configuration.

Access Rspamd web interface via SSH tunnel (alternative to nginx)

If your local machine is a Linux or Mac computer, enter the following command to bind the web interface to your local TCP port 8080:

ssh -L 8080:localhost:11334 benutzer@mail.zyfron.com -N

The web interface can then be browsed via http://localhost:8080. CTRL+C cancels the connection.

Train Rspamd with existing spam mail (optional)

If you have mailboxes in Maildir-format with spam e-mails and normal e-mails, you can use them to train Rspamd on some real world examples. Copy those mailbox folders to your new server and execute commands like this:

Train e-mails in ./oldserver/var/srvmail/mailboxes/*/*/mail/Spam/cur as spam:

find ./oldserver/var/srvmail/mailboxes/*/*/mail/Spam/cur -type f -exec /usr/bin/rspamc learn_spam {} \;

Train e-mails as “ham”:

find ./oldserver/var/srvmail/mailboxes/*/*/mail/cur -type f -exec /usr/bin/rspamc learn_ham {} \;
find ./oldserver/var/srvmail/mailboxes/*/*/mail/Sent/cur -type f -exec /usr/bin/rspamc learn_ham {} \;

Create domains, accounts, aliases and TLS-policies in database

Before the mail server can be used reasonably, at least one domain and a corresponding user account must exist. Fire up your mysql command shell one more time:

sudo mysql

change to the srvmail database:

use srvmail;

Create a new domain data record

New user accounts can only be created for already existing domains, so create a new data set for your primary domain:

insert into domains (domain) values ('zyfron.com');

Create a new user account

Now that the corresponding domain exists, a new user account for this domain can be created. Create a new password hash in the shell via:

doveadm pw -s SHA512-CRYPT

A password hash looks similar to this:

{SHA512-CRYPT}$6$fzigcyORcWEpHdBQ$oK6.FpBs9aiylKOn.Zp6LRE/qAScbYHqTzaDORdlHOZVFxaG/OCqgMjrD51LWSzvxDDtd7ktvDIUCCmV73mdb0

Create a new user account based on this hash value:

insert into accounts (username, domain, password, quota, enabled, sendonly) values ('hello', 'zyfron.com', '{SHA512-CRYPT}$6$fzigcyORcWEpHdBQ$oK6.FpBs9aiylKOn.Zp6LRE/qAScbYHqTzaDORdlHOZVFxaG/OCqgMjrD51LWSzvxDDtd7ktvDIUCCmV73mdb0', 2048, true, false);

The value for the password field must now be replaced with the individual hash you’ve created before. In this example, an account for hello@zyfron.com is created, with a storage quota of 2 GB, and the account is able to send and receive messages.

Create new alias address

Creating an alias address for another address is pretty straightforward:

insert into aliases (source_username, source_domain, destination_username, destination_domain, enabled) values ('hallo', 'zyfron.com', 'hello', 'zyfron.com', true);

This would result in a re-direction of e-mails from hallo@zyfron.com to hello@zyfron.com.

@revoltown

Strange: after configuration I get an error in Postfix. I checked in Webmin and it says that I have an error in MariaDB: This map cannot be edited : Failed to query table : You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'from where = limit 1' at line 1
About Postfix /etc/postfix/sql/aliases.cf, in the file I have: https://pastebin.pl/view/74fcb0f5
...

Any ideas?

@Trepliev

If you install the server like that, it will not work.

  • dovecot inbox basedir path missing
  • dovecot configuration is in the wrong file
  • dovecot-sql.conf.ext vmail instead of srvmail username typo
  • no sasl config or sw installed so no authentication to postfix

@revoltown

revoltown commented Apr 13, 2021 via email
