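#!/usr/bin/env bash
# Single-host mail server bootstrap on Debian jessie: Postfix + Dovecot (IMAP)
# + amavis + postgrey + OpenDKIM, with a Let's Encrypt certificate. Runs as
# root. Set FQDN / DOMAIN / MAILBOX before running.
#
# -e / pipefail abort on the first failed step instead of configuring on top
# of a half-installed system. -u is deliberately left out: the configuration
# heredocs below contain Postfix-style "$name" references.
set -eo pipefail

export FQDN="mail.example.org"
export DOMAIN="example.org"
export MAILBOX="user"
export DEBIAN_FRONTEND="noninteractive"

# Public IPv4 address of this host as seen from outside; the A record
# published for ${FQDN} must carry it. -4 forces an IPv4 answer (an IPv6
# address is useless in an A record). Assignment and export are separate so a
# failed curl is not masked by "export", and the answer is shape-checked
# before anything else trusts it.
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
A_RECORD="$(curl -4 -sSL https://icanhazip.com)"
if [[ ! "$A_RECORD" =~ $ipv4_re ]]; then
  printf 'unexpected answer from icanhazip.com (not an IPv4 address): %s\n' "$A_RECORD" >&2
  exit 1
fi
export A_RECORD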
$FQDN. 1800 IN A $A_RECORD
$DOMAIN. 1800 IN MX 10 $FQDN
$DOMAIN. 1800 IN TXT "v=spf1 mx ~all"
_dmarc.$DOMAIN. 1800 IN TXT "v=DMARC1; p=none"
# /etc/mailname holds the host's mail name; Postfix reads it through
# "myorigin = /etc/mailname" in main.cf. Overwritten on every run.
printf '%s\n' "$FQDN" > /etc/mailname
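# Debian jessie ships certbot only in jessie-backports. Add the source once
# (a re-run must not append a duplicate line), refresh, then install the
# mail stack from the main archive and certbot from backports.
# NOTE(review): jessie is end-of-life; if ftp.debian.org no longer serves it,
# the packages live on archive.debian.org — confirm before relying on this.
backports_line="deb http://ftp.debian.org/debian jessie-backports main"
grep -qF -- "$backports_line" /etc/apt/sources.list \
  || printf '%s\n' "$backports_line" >> /etc/apt/sources.list
apt-get update
apt-get install -y postfix dovecot-core dovecot-imapd amavisd-new postgrey opendkim opendkim-tools
apt-get install -y -t jessie-backports certbot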
Generate a TLS certificate with the Let's Encrypt client (certbot):
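# Obtain the certificate for the mail host with certbot's standalone
# authenticator (it binds its own listener, so run this before any web server
# occupies the port). --non-interactive fails instead of prompting, and
# --keep-until-expiring makes re-runs reuse a still-valid certificate rather
# than issuing a new one each time.
# NOTE(review): registering without an e-mail address means no expiry or
# revocation notices from Let's Encrypt reach anyone — the author's choice,
# but renewals then need their own monitoring.
certbot certonly --non-interactive --keep-until-expiring \
  --register-unsafely-without-email --agree-tos --standalone -d "$FQDN"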
Generate Diffie-Hellman parameters (used by the DHE/EDH cipher suites):
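# DH parameters for the EDH cipher suites Postfix offers. Generating the
# 2048-bit file is slow, so existing non-empty files are kept: re-runs stay
# cheap and parameters are not silently rotated under a running server.
# The 512-bit file feeds smtpd_tls_dh512_param_file, which Postfix uses only
# for export-grade ciphers; none are in the cipher list configured below, so
# the file exists purely to satisfy the main.cf written later.
[[ -s /etc/postfix/dh_512.pem ]] || openssl dhparam -out /etc/postfix/dh_512.pem -2 512
[[ -s /etc/postfix/dh_2048.pem ]] || openssl dhparam -out /etc/postfix/dh_2048.pem -2 2048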
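# Postfix main.cf, written from scratch (re-runs overwrite it). Inbound mail
# goes through postgrey (policy service on 10023) and amavis (content filter
# on 10024); OpenDKIM signs/verifies as a milter on 12301. TLS is
# opportunistic on port 25; submission (587) is forced to TLS in master.cf.
# "#" lines inside the heredoc end up in main.cf as comments. Postfix treats
# an indented line as a continuation of the previous one, so nothing here is
# indented.
cat > /etc/postfix/main.cf << EOF
alias_maps = hash:/etc/aliases
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
# Accept mail for the host itself and for the bare domain: the MX record for
# ${DOMAIN} points at this host and masquerade_domains rewrites senders to
# @${DOMAIN}, so replies arrive addressed to the domain. (The original listed
# ${FQDN} twice and the domain not at all.)
mydestination = ${FQDN}, ${DOMAIN}, localhost, localhost.localdomain
myhostname = ${FQDN}
masquerade_domains = ${DOMAIN}
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:12301
recipient_delimiter = +
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/letsencrypt/live/${FQDN}/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/${FQDN}/privkey.pem
smtp_tls_security_level = may
smtp_use_tls = yes
# \$myhostname is Postfix's own variable, not a shell one: the backslash stops
# the unquoted heredoc from expanding it to an empty string. \$mail_name is
# left out of the banner so the software version is not advertised.
smtpd_banner = \$myhostname ESMTP
smtpd_milters = inet:localhost:12301
smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:[127.0.0.1]:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
# Offer AUTH only after STARTTLS, so a password can never cross port 25 in
# the clear (TLS is merely optional there; submission already requires it).
smtpd_tls_auth_only = yes
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/letsencrypt/live/${FQDN}/fullchain.pem
# The parameter name says 1024 but any size is accepted; 2048-bit is used.
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/letsencrypt/live/${FQDN}/privkey.pem
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
# This redefines the "medium" grade for both the client and server side.
# NOTE(review): it admits AES-128 suites only; a peer that can negotiate none
# of them will typically retry in cleartext under security_level = may —
# consider widening the list rather than narrowing it this far.
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
tls_preempt_cipherlist = yes
EOF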
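# Extra Postfix services: authenticated submission with TLS required, the
# "amavis" transport that hands mail to the content filter, and the loopback
# listener on 10025 that amavis re-injects clean mail into (content_filter is
# emptied there so mail is not filtered twice).
# master.cf continuation lines must start with whitespace, so the "-o" lines
# are indented; unindented they would be parsed as new service entries.
# Appended only once — duplicate service names are an error for Postfix.
grep -q '^submission ' /etc/postfix/master.cf || cat >> /etc/postfix/master.cf << 'EOF'
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
amavis unix - - - - 2 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_tls_security_level=none
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
EOF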
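# Dovecot: IMAP over TLS only (the plain IMAP listener is disabled with
# port = 0), system accounts via PAM/passwd, Maildir under each home, and the
# UNIX socket Postfix's "smtpd_sasl_path = private/auth" uses for SMTP AUTH.
# Written from scratch, so re-runs are safe. Indentation is cosmetic for
# Dovecot; "#" lines end up in the file as comments.
cat > /etc/dovecot/dovecot.conf << EOF
listen = *
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = no
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = create
    special_use = \Junk
  }
  mailbox Trash {
    auto = no
    special_use = \Trash
  }
  prefix =
}
# System users: PAM checks the password, passwd supplies uid/gid and home.
passdb {
  args = %s
  driver = pam
}
protocols = imap
# Postfix reads this socket for SMTP AUTH; owner/group postfix, no world access.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/${FQDN}/fullchain.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
# NOTE(review): Dovecot generates 4096-bit DH parameters itself on first
# start, which can take a long time on a small machine — verify it completes.
ssl_dh_parameters_length = 4096
ssl_key = </etc/letsencrypt/live/${FQDN}/privkey.pem
ssl_prefer_server_ciphers = yes
# Same protocol floor as the Postfix configuration on this host (TLS 1.2 or
# newer); the original stopped at !SSLv3 and still allowed TLS 1.0/1.1.
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
userdb {
  driver = passwd
}
EOF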
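# amavis: bind to loopback only (Postfix connects to [127.0.0.1]:10024).
# The delimiter is quoted so the Perl "$inet_socket_bind" reaches the file
# verbatim without any shell expansion. Appended only if this exact line is
# not already present, so re-runs do not stack duplicates.
amavis_bind="\$inet_socket_bind = '127.0.0.1';"
grep -qF -- "$amavis_bind" /etc/amavis/conf.d/20-debian_defaults \
  || cat >> /etc/amavis/conf.d/20-debian_defaults << 'EOF'
$inet_socket_bind = '127.0.0.1';
EOF

# postgrey: greylist delay of 30 seconds instead of the package default.
# Guarded so a second run does not append another "--delay=30" to the line.
grep -q -- '--delay=30' /etc/default/postgrey \
  || sed -i 's/inet=10023/inet=10023 --delay=30/' /etc/default/postgrey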
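# OpenDKIM: sign outbound and verify inbound mail (Mode sv) through the milter
# on TCP 12301 that main.cf's smtpd_milters / non_smtpd_milters point at.
# Appended only once, keyed on the Socket line, so re-runs do not duplicate
# the settings.
# NOTE(review): on Debian the init script also reads SOCKET= from
# /etc/default/opendkim and, when set, passes it on the command line where it
# overrides the Socket below — confirm that file agrees with this value.
grep -qF -- 'Socket inet:12301@localhost' /etc/opendkim.conf \
  || cat >> /etc/opendkim.conf << 'EOF'
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:12301@localhost
EOF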
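# DKIM signing key for selector "mail". Generated only when no key exists:
# regenerating on a re-run would silently invalidate the public key already
# published in DNS and every signature would start failing. 2048-bit keys are
# the current recommendation; older opendkim-tools default to 1024.
dkim_dir="/etc/opendkim/keys/${DOMAIN}"
mkdir -p -- "$dkim_dir"
if [[ ! -s "$dkim_dir/mail.private" ]]; then
  opendkim-genkey -b 2048 -D "$dkim_dir" -s mail -d "$DOMAIN"
fi
# The daemon runs as opendkim (UserID in opendkim.conf) and must read the key.
chown opendkim:opendkim -- "$dkim_dir/mail.private"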
# Hosts OpenDKIM treats as internal (InternalHosts / ExternalIgnoreList in
# opendkim.conf): loopback only.
printf '%s\n' '127.0.0.1' 'localhost' > /etc/opendkim/TrustedHosts

# Selector -> domain:selector:key-file, and which sender addresses sign with it.
printf '%s %s:mail:/etc/opendkim/keys/%s/mail.private\n' \
  "mail._domainkey.${DOMAIN}" "$DOMAIN" "$DOMAIN" > /etc/opendkim/KeyTable
printf '*@%s mail._domainkey.%s\n' "$DOMAIN" "$DOMAIN" > /etc/opendkim/SigningTable
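# Show the DNS TXT record opendkim-genkey produced; it must be published under
# mail._domainkey.${DOMAIN} before signed mail verifies anywhere.
cat -- "/etc/opendkim/keys/${DOMAIN}/mail.txt"

# Local mailbox user. Creation is skipped on re-runs (adduser fails on an
# existing account); passwd prompts interactively for the password.
if ! id "$MAILBOX" >/dev/null 2>&1; then
  adduser --disabled-password --gecos "" "$MAILBOX"
fi
passwd "$MAILBOX"

# Deliver root's mail to the mailbox user; append the alias only if this exact
# line is not there yet. The script already runs as root (it writes /etc),
# so the sudo prefixes of the original were redundant and are dropped.
root_alias="root: ${MAILBOX}"
grep -qF -- "$root_alias" /etc/aliases || printf '%s\n' "$root_alias" >> /etc/aliases
newaliases
postfix reload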
Logs:
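# Inspect the mail log read-only: nano's -v (view) mode prevents an
# accidental edit or truncation of a file the daemons are writing to.
sudo nano -v /var/log/mail.log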
Should be opened: 25, 110, 143, 465, 587, 993, 995
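# Manual TLS checks (Ctrl-D ends each session). Ports 25 and 587 speak
# STARTTLS, so s_client needs -starttls smtp there; port 465 (smtps, added to
# master.cf below) wraps the whole session in TLS and is checked without it.
# The original third line pointed at :587 without -starttls, which cannot
# complete a handshake against a STARTTLS port, and both 587 lines had a stray
# space before the port.
openssl s_client -connect "${FQDN}:25" -servername "$FQDN" -starttls smtp
openssl s_client -connect "${FQDN}:587" -servername "$FQDN" -starttls smtp
openssl s_client -connect "${FQDN}:465" -servername "$FQDN"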
/etc/postfix/virtual
contact@${FQDN} ${MAILBOX}
admin@${FQDN} ${MAILBOX}
webmaster@${FQDN} ${MAILBOX}
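# smtps: implicit TLS on port 465 for clients that do not do STARTTLS. Same
# master.cf rules as the earlier services: "-o" continuation lines must be
# indented, and the entry is appended only once. Relay and recipient
# restrictions on this port admit local networks and authenticated users only.
grep -q '^smtps ' /etc/postfix/master.cf || cat >> /etc/postfix/master.cf << 'EOF'
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
EOF
postfix reload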
Name: ${FQDN} (mail.example.com)
Port: 465
Connection Security: SSL/TLS
Authentication method: Normal password
User Name: ubuntu username
Server Name: ${FQDN} (mail.example.com)
Port: 993
Connection Security: SSL/TLS
Authentication method: Normal password
User Name: ubuntu username
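# mailutils provides the "mail" command for sending a test message. apt-get
# with -y matches the non-interactive installs earlier in the script; the
# "apt" front-end is intended for interactive use and does not promise a
# stable command-line interface for scripts.
sudo apt-get install -y mailutils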
root@mail:~# apt -y install dovecot-core dovecot-pop3d dovecot-imapd
root@mail:~# vi /etc/dovecot/dovecot.conf
# line 30 : uncomment
listen = *, ::
root@mail:~# vi /etc/dovecot/conf.d/10-auth.conf
# line 10 : uncomment and change (allow plain-text auth; on a connection without TLS the credentials then travel in the clear)
disable_plaintext_auth = no
# line 100 : add
auth_mechanisms = plain login
root@mail:~# vi /etc/dovecot/conf.d/10-mail.conf
# line 30 : change to Maildir
mail_location = maildir:~/Maildir
root@mail:~# vi /etc/dovecot/conf.d/10-master.conf
# line 107-109 : uncomment and add
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}
root@mail:~# systemctl restart dovecot