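# Install the MySQL server, then run the hardening wizard: it sets the root
# password, removes anonymous accounts and the test database, and disables
# remote root login. Do not skip it on an internet-facing host.
sudo apt-get install mysql-server
sudo mysql_secure_installation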
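-- Database that Postfix and Dovecot query for domains, mailboxes and aliases.
CREATE DATABASE mail;

-- Dovecot only ever reads from this schema, so its account gets SELECT and
-- nothing else (least privilege: a compromised auth process cannot rewrite
-- password hashes or aliases). Replace 'mailpassword' with a long random
-- secret; it will also live in /etc/dovecot/dovecot-sql.conf.ext, so that file
-- must not be readable by other users.
-- The user is created explicitly: GRANT ... IDENTIFIED BY was deprecated in
-- MySQL 5.7 and removed in 8.0.
CREATE USER 'mail'@'localhost' IDENTIFIED BY 'mailpassword';
GRANT SELECT ON mail.* TO 'mail'@'localhost';
-- Not strictly needed after CREATE USER/GRANT (only after editing the grant
-- tables by hand), but harmless.
FLUSH PRIVILEGES;
USE mail;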
Tables: | |
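-- One row per domain this server accepts mail for. Lookups against this table
-- (not shown in this gist) key on `name`, so the UNIQUE key prevents the same
-- domain from being defined twice. Hostnames may be up to 253 characters,
-- hence the wider column.
CREATE TABLE IF NOT EXISTS `virtual_domains` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(255) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `name` (`name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;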
-- Forwarding rules that belong to a domain; rows are removed together with
-- their domain (ON DELETE CASCADE). source and destination are complete
-- addresses; 254 is the RFC 5321 maximum length of an address.
CREATE TABLE IF NOT EXISTS virtual_aliases (
  id          INT(11)      NOT NULL AUTO_INCREMENT,
  domain_id   INT(11)      NOT NULL,
  source      VARCHAR(254) NOT NULL,
  destination VARCHAR(254) NOT NULL,
  PRIMARY KEY (id),
  KEY domain_id (domain_id),
  CONSTRAINT virtual_aliases_ibfk_1
    FOREIGN KEY (domain_id) REFERENCES virtual_domains (id)
    ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
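-- One mailbox per row. `email` is the login name Dovecot authenticates (see
-- password_query further down) and must be unique. `password` stores a
-- crypt-style hash, never cleartext: a bare SHA512-CRYPT value
-- ($6$<16-char salt>$<86-char hash>) is exactly 106 characters, but Dovecot
-- also accepts a "{SHA512-CRYPT}" scheme prefix (which is what doveadm pw
-- prints), so the column is wider than the hash alone.
CREATE TABLE IF NOT EXISTS `virtual_users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `domain_id` int(11) NOT NULL,
  `password` varchar(255) NOT NULL,
  `email` varchar(254) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`),
  KEY `domain_id` (`domain_id`),
  CONSTRAINT `virtual_users_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `virtual_domains` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;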
Virtual domains: | |
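-- Seed domains. The ids are referenced as domain_id by the mailbox and alias
-- rows below, so they are given explicitly (as integers, not quoted strings)
-- rather than left to AUTO_INCREMENT.
INSERT INTO `virtual_domains`
  (`id`, `name`)
VALUES
  (1, 'mydomain.com'),
  (2, 'my2nddomain.com');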
Virtual mailboxes: | |
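-- One mailbox per row. `password` must hold a SHA512-CRYPT hash, matching
-- default_pass_scheme in dovecot-sql.conf.ext. Generate it outside MySQL:
--     doveadm pw -s SHA512-CRYPT
-- and paste the output (strip the leading "{SHA512-CRYPT}" if the column is
-- still varchar(106); the bare $6$... form is 106 characters).
-- Do NOT hash inside MySQL with ENCRYPT(password, CONCAT('$6$', SHA(RAND()))):
-- the cleartext password ends up in the MySQL general/binary log and shell
-- history, RAND() is not a cryptographic RNG and gives a weak salt, and
-- ENCRYPT() was removed in MySQL 8.0.
INSERT INTO `virtual_users`
  (`id`, `domain_id`, `password`, `email`)
VALUES
  (1, 1, '$6$REPLACE_WITH_OUTPUT_OF_doveadm_pw', 'mail@mydomain.com'),
  (2, 2, '$6$REPLACE_WITH_OUTPUT_OF_doveadm_pw', 'mail@my2nddomain.com');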
Virtual aliases: | |
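-- Forwarding rule: mail addressed to `source` is delivered to `destination`.
-- The schema allows the same source in several rows (one per destination);
-- check that no alias unintentionally shadows a real mailbox address.
-- domain_id refers to the integer ids seeded in virtual_domains.
INSERT INTO `virtual_aliases`
  (`id`, `domain_id`, `source`, `destination`)
VALUES
  (1, 1, 'alias@mydomain.com', 'mail@mydomain.com');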
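# Dovecot core plus only the parts this setup uses: the IMAP server, the LMTP
# delivery agent Postfix hands mail to, and the MySQL auth/userdb driver.
# No POP3 package is installed, so nothing will listen on 110/995.
sudo apt-get install -y dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql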
Now we'll enable the protocols we need: | |
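# Main Dovecot configuration; the protocol settings below go in here.
sudo vim /etc/dovecot/dovecot.conf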
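# Load the per-protocol snippets shipped by the installed packages, then
# restrict the listeners to what this host needs: IMAP for clients and LMTP
# for local delivery from Postfix. Nothing else (e.g. POP3) is exposed.
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp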
We also have to make sure the following line is uncommented, otherwise none of the conf.d/ changes made below are loaded:
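# Pull in the conf.d/ drop-ins edited in the following steps (10-mail, 10-auth,
# 10-master, 10-ssl, auth-sql); without this include they have no effect.
!include conf.d/*.conf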
Mail configuration: | |
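# Dedicated unprivileged owner for all virtual mailboxes.
# Caveat: on Debian-based systems a system user and group named "mail"
# (uid/gid 8) already exist, so these two commands will report "already
# exists" and the account will NOT have uid 5000. Either pick an unused name
# such as vmail (and use it consistently in the Dovecot config that follows)
# or run `id mail` and use the real uid for first_valid_uid below.
sudo groupadd -g 5000 mail
sudo useradd -g mail -u 5000 mail -d /var/mail
# One Maildir root per domain, matching mail_location (%d = domain).
sudo mkdir -p /var/mail/vhosts/{mydomain.com,my2nddomain.com}
sudo chown -R mail:mail /var/mail
# The config tree contains the MySQL password (dovecot-sql.conf.ext). Owner
# dovecot, group mail, no access for others: the auth-worker processes run as
# the mail user and must be able to read it. Dovecot reads the TLS key as root
# at startup, so the Let's Encrypt key files do not need to be opened up.
sudo chown -R dovecot:mail /etc/dovecot
sudo chmod -R o-rwx /etc/dovecot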
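# Mailbox location and ownership settings.
sudo vim /etc/dovecot/conf.d/10-mail.conf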
Find the mail_location line, uncomment it and change it to the following: | |
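# Maildir per user: %d is the domain part and %n the local part of the login
# name, so mail@mydomain.com lives in /var/mail/vhosts/mydomain.com/mail.
# This must match the home= path in the static userdb in auth-sql.conf.ext.
mail_location = maildir:/var/mail/vhosts/%d/%n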
Find the mail_privileged_group line, uncomment it and change it to the following: | |
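# Group Dovecot temporarily switches to for privileged mailbox operations
# (Dovecot's docs describe this as INBOX creation / dotlocking in /var/mail).
# The mail group owns /var/mail after the chown above.
mail_privileged_group = mail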
Finally, find the first_valid_uid line, uncomment it and change it to the following: | |
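# Lowest UID Dovecot will run mail processes as. This is a safety floor: the
# static userdb maps every login to the mail user, created above with uid 5000,
# so pin the floor to that value. A floor of 1 would let a misconfigured userdb
# deliver or read mail as essentially any system account. If `id -u mail`
# prints a different number on this host, use that instead.
first_valid_uid = 5000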
Auth configuration: | |
Now we need to tell dovecot that we're using MySQL to authenticate our users. | |
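# Authentication mechanisms and which auth backend to include.
sudo vim /etc/dovecot/conf.d/10-auth.conf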
Uncomment the following line: | |
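# Refuse PLAIN/LOGIN (which carry the password as-is) unless the connection
# is already TLS-protected. Dovecot still permits them on loopback, which it
# treats as secure. Together with ssl = required this means credentials are
# never sent in the clear over the network.
disable_plaintext_auth = yes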
Find the line containing auth_mechanisms = plain and change it to the following: | |
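# PLAIN is the standard mechanism; LOGIN is a legacy non-standard variant some
# older Outlook/Windows clients need. Both transmit the password itself, which
# is acceptable only because plaintext auth is disabled outside TLS above.
# Drop "login" if no such clients exist.
auth_mechanisms = plain login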
Comment out this line: | |
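# System (PAM / passwd) authentication stays disabled: every mailbox lives in
# MySQL, and local Unix accounts must not be usable for IMAP logins.
#!include auth-system.conf.ext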
Uncomment this line in order to enable MySQL authentication: | |
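# SQL-backed passdb/userdb, configured in the next step.
!include auth-sql.conf.ext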
MySQL configuration: | |
To allow dovecot to connect to our MySQL database, we need to give it our MySQL credentials using a driver. | |
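# Defines how users are verified (passdb) and where their mail lives (userdb).
sudo vim /etc/dovecot/conf.d/auth-sql.conf.ext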
Enter the following in the file before saving it: | |
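# Password verification goes through the SQL query in dovecot-sql.conf.ext.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
# No per-user database lookup for account details: every authenticated user
# runs as the unprivileged mail user/group, with a home directory derived from
# the login name (%d domain, %n local part). This must match mail_location.
userdb {
  driver = static
  args = uid=mail gid=mail home=/var/mail/vhosts/%d/%n
}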
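# Holds the MySQL credentials in cleartext; it is covered by the chown/chmod
# of /etc/dovecot above. Keep it unreadable to anyone but dovecot and the
# mail group.
sudo vim /etc/dovecot/dovecot-sql.conf.ext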
Find the #driver = line, uncomment it and change it to the following: | |
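# Use the MySQL backend (provided by the dovecot-mysql package installed above).
driver = mysql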
Find the #connect = line, uncomment it and change it to the following, replacing the user and password with the MySQL credentials created in the GRANT step earlier.
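# Credentials for the read-only MySQL account created earlier; use the same
# password you chose there. host=127.0.0.1 connects over TCP, which the
# 'mail'@'localhost' account only matches while the server resolves
# 127.0.0.1 back to "localhost" (i.e. skip_name_resolve is off). Connecting
# through the Unix socket instead (host=/var/run/mysqld/mysqld.sock) avoids
# that ambiguity and keeps the credentials off the network stack entirely.
connect = host=127.0.0.1 dbname=mail user=mail password=mailpassword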
Find the #default_pass_scheme = line, uncomment it and change it to the following: | |
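# Scheme assumed for hashes in virtual_users.password that carry no
# "{SCHEME}" prefix. Must match how the hashes were generated
# (doveadm pw -s SHA512-CRYPT).
default_pass_scheme = SHA512-CRYPT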
Finally, find the #password_query = \ line, uncomment it and change it to the following: | |
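# Must return the login name as "user" and the hash as "password". Dovecot
# escapes %-variables for SQL before substitution, so %u is not an injection
# vector; do not extend the query with anything Dovecot does not escape.
# Only rows with a matching email are ever returned, so unknown users fail
# closed.
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';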
Master configuration: | |
Now we're going to define the services that dovecot will provide. | |
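# Listeners, socket permissions and the user each service runs as.
sudo vim /etc/dovecot/conf.d/10-master.conf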
Find service imap-login and change it to the following: | |
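# IMAP listeners. Port 143 is the STARTTLS port: with ssl = required, clients
# there must upgrade to TLS before authenticating, so nothing sensitive is
# exchanged in the clear. Port 993 is implicit TLS. If every client supports
# 993, the 143 listener can be switched off entirely with "port = 0".
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}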
Find service lmtp and change it to the following: | |
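# Local delivery socket Postfix hands incoming mail to. It is created inside
# Postfix's private/ directory (so it is reachable from within Postfix's
# chroot) and is readable/writable only by the postfix user.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}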
Find service auth and change it to the following: | |
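# Authentication service. The first socket is the SASL endpoint Postfix's smtpd
# uses for SMTP AUTH; it sits in Postfix's private/ directory (normally 0700,
# owned by postfix), and owner/group postfix with mode 0660 is all that is
# needed there, so no world-writable socket is created. The auth-userdb socket
# serves userdb lookups and is restricted to the mail user, the owner of the
# mailboxes. The auth process itself runs as the unprivileged dovecot user.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = mail
  }
  user = dovecot
}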
Finally, find service auth-worker and change it to the following: | |
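# Auth workers do the actual password checks. They default to root so they can
# read /etc/shadow; with SQL-only authentication they only need to read
# dovecot-sql.conf.ext, which is group-readable by mail, so run them as the
# unprivileged mail user instead.
service auth-worker {
  user = mail
}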
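# TLS settings: certificate, key, protocol versions and ciphers.
sudo vim /etc/dovecot/conf.d/10-ssl.conf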
Change the ssl parameter to required: | |
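# "required" (not merely "yes") rejects any IMAP/LMTP command that needs
# authentication until TLS is established; "yes" would only offer STARTTLS
# on port 143 without insisting on it.
ssl = required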
Point ssl_cert at the server certificate followed by its intermediate chain (Let's Encrypt's fullchain.pem; the root CA certificate is not needed) and ssl_key at the matching private key. The leading `<` tells Dovecot to read the file contents; it does so as root at startup, so the key file can stay readable by root only.
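# The leading "<" makes Dovecot read the file rather than treat the value as
# inline PEM. fullchain.pem holds the server certificate plus intermediates,
# which is what clients need to build a trust path. The Let's Encrypt key
# file is privkey.pem (note the extension). Dovecot opens both as root at
# startup, so /etc/letsencrypt/{live,archive} can stay root-only.
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem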
Generating 4096-bit DH parameters on first start takes a very long time, and Dovecot will not accept connections until it has finished. Alternatively you can use 2048, which is much quicker to generate but less future-proof.
Use stronger ssl_dh_parameters_length | |
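# Size of the Diffie-Hellman group used by DHE cipher suites; Dovecot 2.2
# generates it itself on first start (slow at 4096 bits). Dovecot 2.3 removed
# this setting: there, generate the file once with
#   openssl dhparam -out /etc/dovecot/dh.pem 4096
# and reference it with  ssl_dh = </etc/dovecot/dh.pem
ssl_dh_parameters_length = 4096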
Disable insecure ssl_protocols | |
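# Dovecot 2.2 syntax: allow only TLS 1.2 and newer. TLS 1.1 shares TLS 1.0's
# CBC weaknesses and is deprecated by RFC 8996, so it is excluded as well.
# On Dovecot 2.3+ this setting was replaced by  ssl_min_protocol = TLSv1.2
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1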
Use a stronger ssl_cipher_list | |
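# OpenSSL cipher string for TLS 1.2 and below (TLS 1.3 suites are fixed by
# OpenSSL and, on recent Dovecot 2.3 releases, governed by ssl_cipher_suites).
# Besides RC4, MD5, export/low-grade and anonymous suites this also drops 3DES,
# whose 64-bit block size is exploitable (Sweet32). Inspect the effective list
# with:  openssl ciphers -v '<this string>'
ssl_cipher_list = ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!3DES:!aNULL:@STRENGTH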
Prefer server ciphers | |
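# Let the server's order (strongest first, via @STRENGTH above) win over the
# client's preference, so a client cannot steer negotiation to a weak suite.
ssl_prefer_server_ciphers = yes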