Postfix + Dovecot on CentOS

  • CentOS-7
  • Possible on one system, or on two separate systems (all connections between Postfix and Dovecot go over the network). Both of those connections — SASL on 12345/tcp and LMTP on 24/tcp — are plain, unauthenticated TCP; on two systems they must run over a private network or a tunnel and be firewalled to the peer host only.
  • One user-database (SASL serviced by Dovecot).
  • virtual-users (no unix-users on the system for the users of the mailstore).
  • Delivery from Postfix to Dovecot via LMTP on 24/tcp, over localhost or the public IP.
  • SASL username/password lookups from Postfix to Dovecot on 12345/tcp, over localhost or the public IP.
  • 2 mailboxes (2 mail addresses each):

                  mailbox1            mailbox2
    username:     sv                  ln
    addresses:    info@example.com    info@example2.com
                  sv@example.com      ln@example2.com

Postfix

Hostname: vps1.laboratory.local

Software:

# The Postfix MTA; on CentOS 7 it is normally present already as the default MTA.
yum install  postfix

Make x509 certs:

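# Self-signed server certificate for STARTTLS on 25/587, valid for 10 years.
# -nodes leaves the private key unencrypted so Postfix can start unattended,
# which is exactly why the file must be readable by root only: Postfix loads
# it during its pre-jail initialisation (still as root), so 0600 root:root is
# sufficient. umask 077 makes the key 0600 from the moment it is written; the
# chmod is a belt-and-braces check. The serial is left to openssl (a random
# value): an explicit "-set_serial 0" would violate RFC 5280, which requires a
# positive serial number, and may be rejected by strict validators.
( umask 077 && openssl req -utf8 -newkey rsa:2048 -keyout /etc/postfix/tls.key -nodes -x509 -days 3650 -out /etc/postfix/tls.crt )
chmod 600 /etc/postfix/tls.key
chmod 644 /etc/postfix/tls.crt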

Firewall ports:

# Open the MTA port (25) and the client submission port (587); both are
# meant to be reachable from the outside. The rules only become active
# after the reload.
firewall-cmd --permanent --add-port=25/tcp
firewall-cmd --permanent --add-port=587/tcp
firewall-cmd --reload

In: /etc/postfix/master.cf

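#
# Port 25: MTA-to-MTA traffic. AUTH is not offered here (main.cf has
# smtpd_sasl_auth_enable = no) and TLS is opportunistic; relaying is limited
# by smtpd_recipient_restrictions in main.cf.
smtp      inet  n       -       n       -       -       smtpd
#
# Port 587: client submission. TLS is mandatory (smtpd_tls_security_level=
# encrypt) before AUTH is offered, and only SASL-authenticated clients may
# talk to this service at all. The obsolete smtpd_enforce_tls=yes is not
# set: smtpd_tls_security_level overrides it and means the same thing.
# "587" is used as a literal port; the service name "submission" from
# /etc/services would be equivalent.
587       inet  n       -       n       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#
# Stock CentOS 7 services below; unchanged from the distribution file.
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  -       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
# lmtp is the transport used for delivery to Dovecot (see /etc/postfix/transport).
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache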

In: /etc/postfix/main.cf

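# CentOS 7 defaults (paths, aliases, setgid group); unchanged.
data_directory = /var/lib/postfix
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no

# Server-side TLS. "may" = opportunistic STARTTLS on port 25; the submission
# service in master.cf raises it to "encrypt". This replaces the obsolete
# "smtpd_use_tls = yes", which has the same meaning. The key must stay
# readable by root only (see the openssl step).
smtpd_tls_cert_file = /etc/postfix/tls.crt
smtpd_tls_key_file = /etc/postfix/tls.key
smtpd_tls_security_level = may

# Banner name differs from $myhostname on purpose here; either is acceptable,
# but it should be a name that resolves to this host.
smtpd_banner = postoffice.laboratory.local  ESMTP
# VRFY would let anyone probe which addresses exist.
disable_vrfy_command = yes
biff = no
append_dot_mydomain = no
myhostname = vps1.laboratory.local
myorigin = laboratory.local
# Only the host itself is a local destination. The hosted domains are
# virtual alias domains (below) and must NOT be listed here as well;
# Postfix warns about a domain that appears in both.
mydestination = vps1.laboratory.local, localhost
# Only loopback may relay without authenticating.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# Applies to local(8) delivery for $mydestination only (root, postmaster, ...);
# procmail must be installed for this to work.
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

virtual_alias_domains = /etc/postfix/virtual-domains

# address -> user@dovecot-host, then user@dovecot-host -> lmtp transport.
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport

# SASL is delegated to Dovecot over a plain TCP socket. The Dovecot auth
# protocol is NOT encrypted: on a two-host setup the user's password crosses
# the network in cleartext on 12345/tcp, so this must run over a private
# network or a tunnel and the port must be firewalled to this host. On a
# single host use inet:127.0.0.1:12345 instead.
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:vps2.laboratory.local:12345
# AUTH stays off on port 25 and is enabled only for the submission service
# in master.cf.
smtpd_sasl_auth_enable = no
# Never offer PLAIN/LOGIN on an unencrypted session; after STARTTLS only
# anonymous mechanisms are excluded. smtpd_tls_auth_only hides AUTH
# entirely until TLS is up.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_sasl_authenticated_header = yes

# Relay policy: loopback and authenticated users may send anywhere; everybody
# else only to domains this server is responsible for.
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination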

In: /etc/postfix/virtual-domains

example.com
example2.com

In: /etc/postfix/virtual

# e-mail address:        username@hostname of the Dovecot server
#                        (the right-hand side is what /etc/postfix/transport
#                        matches to route the message over LMTP):

info@example.com       sv@vps2.laboratory.local
sv@example.com         sv@vps2.laboratory.local

info@example2.com      ln@vps2.laboratory.local
ln@example2.com        ln@vps2.laboratory.local

After editing:

# Rebuild the hash index (/etc/postfix/virtual.db); Postfix notices the new
# file on its own, no reload needed for a changed map.
postmap /etc/postfix/virtual

In: /etc/postfix/transport

# Route the rewritten addresses from /etc/postfix/virtual to Dovecot's LMTP
# listener. Note the LMTP session on 24/tcp is unencrypted. A single
# domain-level entry "vps2.laboratory.local   lmtp:vps2.laboratory.local:24"
# would cover every mailbox without a line per user.
sv@vps2.laboratory.local   lmtp:vps2.laboratory.local:24
ln@vps2.laboratory.local   lmtp:vps2.laboratory.local:24

After editing:

postmap /etc/postfix/transport

Dovecot

The SE-Linux configuration is out of the scope of this howto.

Hostname: vps2.laboratory.local

firewall:

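# Client-facing ports: IMAP (143 with STARTTLS, 993 with TLS) and ManageSieve.
firewall-cmd --permanent --add-port={143/tcp,993/tcp,4190/tcp}
#
# LMTP (24/tcp) and the Dovecot SASL listener (12345/tcp) carry mail and
# passwords in cleartext and have no authentication of their own: anything
# that can reach them can inject mail into any mailbox or submit login
# attempts. Allow them from the Postfix host only. On a single-host setup
# skip these two rules and bind both listeners to 127.0.0.1 in dovecot.conf.
VPS1_IP=192.0.2.10   # replace with the real address of vps1.laboratory.local
for p in 24 12345; do
  firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"${VPS1_IP}\" port port=\"${p}\" protocol=\"tcp\" accept"
done
firewall-cmd --reload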

Software:

# Dovecot IMAP/LMTP server (also provides the SASL service used by Postfix).
yum install  dovecot

And, for Sieve filtering and ManageSieve, add:

# Pigeonhole adds the sieve plugin (used by the lmtp protocol) and the
# managesieve service on 4190/tcp.
yum install dovecot-pigeonhole

Create directories and files:

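# Directory layout referenced by dovecot.conf: per-user mail and sieve data
# under /var/dovecot/data/<user>/, credentials and the TLS pair under
# /var/dovecot/conf/. Nothing in the configuration uses any other path.
mkdir -p /var/dovecot/data /var/dovecot/conf
#
# Mail processes run as the "dovecot" account (userdb static uid=dovecot),
# so it must own the data tree -- and only the data tree.
chown -R dovecot:dovecot /var/dovecot/data
#
# The password file is written by root (doveadm pw) and only read by the
# auth process, which runs as $default_internal_user (dovecot): root-owned
# and group-readable is enough, and keeps a compromised mail process from
# rewriting the hashes.
touch /var/dovecot/conf/users
chown root:dovecot /var/dovecot/conf /var/dovecot/conf/users
chmod 750 /var/dovecot/conf
chmod 640 /var/dovecot/conf/users
#
touch /var/log/dovecot.log
chown dovecot:dovecot /var/log/dovecot.log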

Make x509 certs:

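# Self-signed certificate for IMAP/ManageSieve TLS, valid for 10 years.
# -nodes leaves the private key unencrypted (needed for unattended start),
# so it must be readable by root only. Dovecot reads ssl_key itself at
# startup as root (the "<" prefix in dovecot.conf), so root:root 0600 works.
# umask 077 creates the key 0600 from the start; the chmod is a safety check.
# No "-set_serial 0": openssl generates a random serial, and RFC 5280
# requires a positive serial number.
( umask 077 && openssl req -utf8 -newkey rsa:2048 -keyout /var/dovecot/conf/tls.key -nodes -x509 -days 3650 -out /var/dovecot/conf/tls.crt )
chmod 600 /var/dovecot/conf/tls.key
chmod 644 /var/dovecot/conf/tls.crt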

Create usernames and pw's (for the SASL-db):

The IMAP users are created by adding a line to the users file. It has two columns separated by a colon: the first is the username, the second is the SHA512-CRYPT hash of the password, which can be generated by executing:

# Prompts twice for the password (never put it on the command line, where it
# would show up in shell history and `ps`) and prints the {SHA512-CRYPT}...
# string to paste after "username:" in /var/dovecot/conf/users.
doveadm pw -s SHA512-CRYPT

The result in /var/dovecot/conf/users will be like:

...
sv:{SHA512-CRYPT}$6$T5tUmkrjF2mAbo9G$3EEvR08UCHb11KCmCHbCaPcd1xv7CylpfdZgu3gv0WddRZGoF1drU62aHHEU9U4VTeTsM/wlxI2svBXsd7auX0
...
ln:{SHA512-CRYPT}$6$RHC1lIs0bS.ggVzR$NRaTNB.SJW7.sTcFbMcbfRZdJwEllNCM4zmROOxhiTBqQr4B4oxFnOAA1I.BknbKbSZ7uuvk5Z6k3JjT1Jonq/
...

In: /etc/dovecot/dovecot.conf

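# /etc/dovecot/dovecot.conf for the mailstore host (vps2.laboratory.local).
# Users are virtual: every mailbox lives under /var/dovecot/data/<user>/ and
# is accessed with the fixed uid/gid from the static userdb below.

log_path = /var/log/dovecot.log

# %n is the local part of the login name, so "sv" and "sv@example.com" map
# to the same maildir.
mail_location = maildir:/var/dovecot/data/%n/mail

# PLAIN and LOGIN carry the password as-is. With disable_plaintext_auth at
# its default (yes) Dovecot refuses them on an unprotected session and only
# offers them after STARTTLS, on the TLS port (993) or from loopback.
# Postfix tags its SASL requests on 12345/tcp as secured when the SMTP
# session itself is TLS-protected, which main.cf enforces with
# smtpd_tls_auth_only = yes, so submission keeps working. Do NOT set this to
# "no": with 143/tcp and 4190/tcp open to the network, passwords would be
# accepted in cleartext.
auth_mechanisms = plain login
disable_plaintext_auth = yes

# Self-signed pair from the openssl step; MUAs have to trust it explicitly.
# The "<" prefix makes Dovecot read the files at startup (as root), so the
# key can stay root:root 0600.
#ssl_ca = </var/dovecot/conf/
ssl_cert = </var/dovecot/conf/tls.crt
ssl_key = </var/dovecot/conf/tls.key


# Default namespace with the usual special-use folders so MUAs find
# Drafts/Junk/Sent/Trash without manual subscription.
namespace inbox {
  inbox = yes
  location = 
     mailbox Drafts {
       special_use = \Drafts
     }
     mailbox Junk {
       special_use = \Junk
     }
     mailbox Sent {
       special_use = \Sent
     }
     #mailbox "Sent Messages" {
     #  special_use = \Sent
     #}
     mailbox Trash {
       special_use = \Trash
     }
  prefix = 
}

# Credentials: one "username:{SCHEME}hash" line per user. "scheme=CRYPT" is
# only the fallback for entries without a {SCHEME} prefix; the entries made
# with "doveadm pw -s SHA512-CRYPT" carry their own. username_format=%n
# strips any @domain a client sends with the login name.
passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%n /var/dovecot/conf/users
}

# Lowered from the default so that the "dovecot" system account may own
# mail. NOTE(review): Dovecot's documentation advises against using its
# internal "dovecot" user (the one the auth and config processes run as)
# for mail access; a dedicated account that owns only /var/dovecot/data
# (commonly "vmail") would be the recommended layout. Kept as-is here to
# match the directory ownership set up earlier on this page.
first_valid_uid = 2

userdb {
  # With the static userdb, LMTP/LDA verify that a user exists through a
  # passdb lookup (see http://wiki2.dovecot.org/UserDatabase/Static), so an
  # unknown recipient is refused instead of getting a fresh maildir.
  driver = static
  args = uid=dovecot gid=dovecot home=/var/dovecot/data/%n/mail
}


protocols = "imap lmtp sieve"


protocol lmtp {
  mail_plugins = $mail_plugins sieve
}

# ManageSieve (4190/tcp) lets users upload filter scripts from their MUA.
# It authenticates like IMAP, so disable_plaintext_auth above applies and
# STARTTLS is required before login.
service managesieve-login {
  inet_listener sieve {
    address = 0.0.0.0
    port = 4190
  }
  service_count = 1
  process_min_avail = 1
}

service managesieve {
}

protocol sieve {
}

plugin {
  sieve =      /var/dovecot/data/%n/managesieve/.dovecot.sieve
  sieve_dir =  /var/dovecot/data/%n/managesieve/sieve
}


# ###############################
# IMAP on 143 (STARTTLS; login refused until TLS is up) and 993 (TLS).
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
  }
}

# Deliberately no per-protocol override of disable_plaintext_auth: the
# global setting governs IMAP and ManageSieve alike.


# LMTP from Postfix. The listener has no authentication of its own and the
# protocol is unencrypted: anything that can reach 24/tcp can hand mail to
# any mailbox, bypassing Postfix's restrictions. Use address = 127.0.0.1
# when Postfix runs on this host; otherwise firewall the port to the
# Postfix host only.
service lmtp {
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
  }
  user = dovecot
}


service auth-worker {
  # Run the workers unprivileged: they never need /etc/shadow because the
  # only passdb is the passwd-file above.
  user = $default_internal_user
}

# Dovecot SASL for Postfix (smtpd_sasl_path = inet:vps2.laboratory.local:12345).
# Same caveat as LMTP: plain TCP, no authentication of the connecting side,
# and every connection may submit login attempts with the users' passwords in
# the clear. Restrict it to the Postfix host (or 127.0.0.1 on a single host).
service auth {
  inet_listener saslauth {
     address = 0.0.0.0
     port = 12345
  }
}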

Enable and start the Dovecot:

# Make Dovecot come up at boot, then start it now (order of the two is
# irrelevant; CentOS 7's systemd predates "enable --now").
systemctl enable dovecot
systemctl start dovecot

Connect to each mailbox with a MUA (mutt or Thunderbird) first, before sending mail to the LMTP listener; the first login makes Dovecot create the maildir structure for that mailbox. See /var/dovecot/data/ (each username has its own directory there).

Connect info for the MUA:

IMAP host:port = vps2.laboratory.local : 993 (IMAP over TLS; the certificate is self-signed, so the MUA will ask to trust it)
SMTP host:port = vps1.laboratory.local : 587
loginname = sv

Test with:

# Plain-text check that the MTA port answers with the ESMTP banner. For the
# TLS/AUTH path (587) use something that can do STARTTLS, e.g.
# "openssl s_client -starttls smtp -connect vps1.laboratory.local:587".
telnet  vps1.laboratory.local 25