Installing a complete mail server: Postfix - Postfixadmin - Dovecot - MySQL - Amavisd-new - SpamAssassin - ClamAV - Roundcube - IMAP filter (Sieve) and quota management

====== Postfix ======

===== Installing the packages =====

<code>
# apt-get install postfix postfix-mysql libsasl2-modules sasl2-bin
</code>

If you do not have a shared MySQL server, you need to install MySQL:

<code>
# apt-get install mysql-server mysql-client
</code>

===== Creating the MySQL database =====

<code>
# mysql -u root -p
Enter password:
mysql> create database postfix;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON postfix.* TO 'postfixadmin'@'localhost' IDENTIFIED BY 'monmotdepasse';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON postfix.* TO 'postfix'@'localhost' IDENTIFIED BY 'monmotdepasse2';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
</code>

Two accounts are created on purpose: postfixadmin gets full rights on the database (it creates the domains, mailboxes and aliases), while postfix only gets SELECT, since the MTA only ever reads the tables.

===== Configuring Postfix =====

==== Creating the virtual user and group ====

We give them GID/UID 5000.

<code>
# groupadd -g 5000 vmail
# mkdir /data/mail
# useradd -d /data/mail/mboxes -m -u 5000 -g 5000 vmail
</code>

==== Creating the files holding the MySQL connection details ====

<code>
# vi /etc/postfix/mysql_relay_domains.cf
hosts = mysql_srv
user = postfix
password = monmotdepasse2
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and active = 1
</code>

<code>
# vi /etc/postfix/mysql_virtual_alias_maps.cf
hosts = mysql_srv
user = postfix
password = monmotdepasse2
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = 1
</code>

<code>
# vi /etc/postfix/mysql_virtual_mailbox_domains.cf
hosts = mysql_srv
user = postfix
password = monmotdepasse2
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = 0 and active = 1
</code>

<code>
# vi /etc/postfix/mysql_virtual_mailbox_maps.cf
hosts = mysql_srv
user = postfix
password = monmotdepasse2
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
</code>

<code>
# vi mysql_virtual_alias_domain_maps.cf
hosts = mysql_srv
user = postfix
password = monmotdepasse2
dbname = postfix
query = SELECT goto FROM alias WHERE address = ( SELECT CONCAT('%u@', target_domain ) FROM alias_domain WHERE alias_domain = '%d' )
</code>

==== Configuring SASL authentication ====

<code>
# vi /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
auxprop_plugin: rimap
</code>

Update /etc/default/saslauthd with these settings (leave the rest untouched):

<code>
# vi /etc/default/saslauthd
START=yes
MECHANISMS="rimap"
# imap server address
MECH_OPTIONS="localhost"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
</code>

Add postfix to the sasl group:

<code>
# adduser postfix sasl
Ajout de l'utilisateur « postfix » au groupe « sasl »...
Ajout de l'utilisateur postfix au groupe sasl
Fait.
</code>

And restart the service:

<code>
# service saslauthd restart
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
</code>
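The mysql_*.cf files above hold the database password in clear text, and their query lines use Postfix's %s / %u / %d substitutions, which are easy to get wrong for the alias-domain table. The following script is an added example (not part of the original page or of Postfix itself): expand_query renders the SQL Postfix would send for a given lookup key, read_query pulls the query line out of a table file, and check_map_mode verifies that the file is not world-readable. The demo at the bottom works on a constructed copy of mysql_virtual_alias_domain_maps.cf in a temporary directory; the address bob@alias.example and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page: checks for the Postfix
# mysql_*.cf lookup tables. Run it as-is; it never touches /etc/postfix.

# Print the SQL Postfix would issue for key $2 using the query template $1.
# Postfix substitutes %s = whole key, %u = local part, %d = domain part.
# Only the three substitutions used on this page are handled.
expand_query() {
    template=$1
    key=$2
    user=${key%@*}
    domain=${key#*@}
    printf '%s\n' "$template" |
        sed -e "s|%s|$key|g" -e "s|%u|$user|g" -e "s|%d|$domain|g"
}

# Read the "query = ..." line out of a Postfix mysql table file.
read_query() {
    sed -n 's/^query[[:space:]]*=[[:space:]]*//p' "$1"
}

# Return 0 when the file mode grants nothing to "other" and no write to the
# group. The Postfix daemons read these files as the postfix user, so
# 0640 root:postfix is enough; 0644 exposes the database password to every
# local account.
check_map_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        600|640|400|440) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the alias-domain table from the page, written to a
# temporary directory so the functions can be exercised safely.
demo() {
    dir=$(mktemp -d) || return 1
    cf=$dir/mysql_virtual_alias_domain_maps.cf
    cat > "$cf" <<'EOF'
hosts = mysql_srv
user = postfix
password = monmotdepasse2
dbname = postfix
query = SELECT goto FROM alias WHERE address = ( SELECT CONCAT('%u@', target_domain ) FROM alias_domain WHERE alias_domain = '%d' )
EOF
    chmod 644 "$cf"    # the mode a file created by root with umask 022 gets

    echo "SQL sent for bob@alias.example:"
    expand_query "$(read_query "$cf")" bob@alias.example

    if check_map_mode "$cf"; then
        echo "$cf: mode OK"
    else
        echo "$cf: world-readable, fix with: chmod 640 $cf && chown root:postfix $cf"
    fi
    rm -rf "$dir"
}

demo
```

The rendered SQL can be pasted into the mysql client as the postfix user to confirm that the SELECT grant is sufficient and that the row for a given mailbox is actually returned; check_map_mode can be run in a loop over /etc/postfix/mysql_*.cf after editing them.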
==== main.cf file ====

<code>
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mailnew.dm.priv
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $myhostname
mydestination = $myhostname, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.3.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_base = /data/mail/mboxes
virtual_transport = dovecot
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_maps.cf
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_client_hostname,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_sender_login_mismatch,
    reject_authenticated_sender_login_mismatch,
    reject_rbl_client bl.spamcop.net,
    permit
smtp_connection_cache_destinations = hotmail.fr, hotmail.com, gmail.com
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
delay_warning_time = 1h
dovecot_destination_recipient_limit = 1
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
transport_maps = hash:/etc/postfix/transport
vacation_destination_recipient_limit = 1
</code>

==== master.cf file ====

<code>
# service   type  private unpriv  chroot  wakeup  maxproc command + args
#                 (yes)   (yes)   (yes)   (never) (100)
smtp        inet  n       -       -       -       1       smtpd
  -o content_filter=amavis:[127.0.0.1]:10024
  -o receive_override_options=no_address_mappings
pickup      unix  n       -       -       60      1       pickup
cleanup     unix  n       -       -       -       0       cleanup
qmgr        unix  n       -       n       300     1       qmgr
tlsmgr      unix  -       -       -       1000?   1       tlsmgr
rewrite     unix  -       -       -       -       -       trivial-rewrite
bounce      unix  -       -       -       -       0       bounce
defer       unix  -       -       -       -       0       bounce
trace       unix  -       -       -       -       0       bounce
verify      unix  -       -       -       -       1       verify
flush       unix  n       -       -       1000?   0       flush
proxymap    unix  -       -       n       -       -       proxymap
proxywrite  unix  -       -       n       -       1       proxymap
smtp        unix  -       -       -       -       -       smtp
relay       unix  -       -       -       -       -       smtp
showq       unix  n       -       -       -       -       showq
error       unix  -       -       -       -       -       error
retry       unix  -       -       -       -       -       error
discard     unix  -       -       -       -       -       discard
local       unix  -       n       n       -       -       local
virtual     unix  -       n       n       -       -       virtual
lmtp        unix  -       -       -       -       -       lmtp
anvil       unix  -       -       -       -       1       anvil
scache      unix  -       -       -       -       1       scache
maildrop    unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp        unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail      unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp       unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman     unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot     unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis      unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
</code>

==== transport file ====

<code>
autoreply.druidesmetal.net vacation:
</code>

<code>
# postmap /etc/postfix/transport
</code>

==== access file (rejected senders) ====

<code>
yahoo.com REJECT
yahoo.com.tw REJECT
</code>

<code>
# postmap /etc/postfix/access
</code>

==== Crontab ====

<code>
# Remove MAILER-DAEMON bounces from the queue
00 * * * * root /usr/local/bin/rmreturn.sh > /dev/null
# Remove deferred mail
00 00 * * * root /usr/sbin/postsuper -d ALL deferred >/dev/null
</code>

<code>
# more /usr/local/bin/rmreturn.sh
#!/bin/bash
# Delete every queued message whose sender is MAILER-DAEMON (undeliverable
# bounces). "postqueue -p" appends "*" (active) or "!" (on hold) to some
# queue IDs, which postsuper does not accept, so strip them before piping
# the IDs on.
/usr/sbin/postqueue -p | grep MAILER-DAEMON | awk '{print $1}' | tr -d '*!' | /usr/sbin/postsuper -d -
</code>

===== Dovecot =====

==== Installing the packages ====

<code>
# apt-get install dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-managesieved
</code>

==== General configuration file dovecot.conf ====

<code>
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
first_valid_gid = 5000
first_valid_uid = 5000
last_valid_gid = 5000
last_valid_uid = 5000
listen = *
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:/data/mail/mboxes/%d/%u
protocol lda {
  mail_plugins = $mail_plugins quota sieve
}
passdb {
  args = /etc/dovecot/dovecot-sql2.conf.ext
  driver = sql
}
postmaster_address = postmaster@druidesmetal.com
protocols = " imap sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  service_count = 1
  process_min_avail = 1
  vsz_limit = 64M
}
service managesieve {
  process_limit = 1024
}
protocol sieve {
  managesieve_max_line_length = 65536
  managesieve_implementation_string = dovecot
  log_path = /var/log/dovecot-sieve-errors.log
  info_log_path = /var/log/dovecot-sieve.log
}
service dict {
  unix_listener dict {
    mode = 0775
    user = postfix
    group = vmail
  }
}
ssl_cert = <
</code>

==== Restarting the services ====

<code>
# service dovecot restart
Restarting IMAP/POP3 mail server: dovecotIf you have trouble with authentication failures, enable auth_debug setting. See http://wiki.dovecot.org/WhyDoesItNotWork
This message goes away after the first successful login.
.
# service saslauthd restart
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
# service postfix restart
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
</code>

==== Rotating the Dovecot logs ====

By default, Dovecot does not provide log rotation.
Here is what I set up:

<code>
# more /etc/logrotate.d/dovecot
/var/log/dovecot.log {
    rotate 6
    daily
    copytruncate
    compress
    missingok
    notifempty
}
</code>

===== Amavisd-new, SpamAssassin and ClamAV =====

==== Installing the packages ====

<code>
# apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop \
  cabextract libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl \
  libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl p7zip unrar-free libmail-sender-perl \
  libdbd-mysql-perl libemail-valid-perl libmime-perl liblog-log4perl-perl liblog-dispatch-perl \
  libgetopt-argvfile-perl libmime-charset-perl libmime-encwords-perl
</code>

==== Adding the clamav user to the amavis group ====

<code>
# adduser clamav amavis
Ajout de l'utilisateur « clamav » au groupe « amavis »...
Ajout de l'utilisateur clamav au groupe amavis
Fait.
</code>

==== Enabling the filters ====

<code>
# vi /etc/amavis/conf.d/15-content_filter_mode
use strict;

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return
</code>

==== Configuring the quarantine ====

  * Edit the following file:

<code>
# vi /etc/amavis/conf.d/20-debian_defaults
(...)
#$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.00;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.00;  # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;    # spam level beyond which a DSN is not sent

$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

@local_domains_maps = ( ['.'] );
(...)
</code>
  * If you are installing on Ubuntu, delete the file **21-ubuntu_defaults** in **/etc/amavis/conf.d**
  * Then edit the following file to set the hostname:

<code>
# vi /etc/amavis/conf.d/05-node_id
use strict;

# $myhostname is used by amavisd-new for node identification, and it is
# important to get it right (e.g. for ESMTP EHLO, loop detection, and so on).

chomp($myhostname = `hostname --fqdn`);

# To manually set $myhostname, edit the following line with the correct Fully
# Qualified Domain Name (FQDN) and remove the # at the beginning of the line.
#
#$myhostname = "mail.example.com";
$myhostname = "mailnew.dm.priv";

1;  # ensure a defined return
</code>

==== Sieve spam filter ====

A Sieve filter is created to move SPAM automatically into the Junk folder of each mailbox. This filter is shared by everyone, so it is created in /var/lib/dovecot/sieve/global, the directory defined in the Dovecot configuration.

<code>
# vi /var/lib/dovecot/sieve/global/spam.sieve
require ["fileinto"];
# rule:[SPAM]
if header :contains "X-Spam-Flag" "YES" {
    fileinto "Junk";
}
</code>

Since it is a shared filter, it has to be precompiled so that Dovecot can use it:

<code>
# sievec /var/lib/dovecot/sieve/global/spam.sieve
</code>

In the Dovecot configuration, add this line so that this filter is applied before the ones each user creates:

<code>
sieve_before = /var/lib/dovecot/sieve/global/spam.sieve
</code>

==== Creating the directory for infected mail ====

<code>
# mkdir /var/spool/virusmails
# chown amavis:amavis /var/spool/virusmails
</code>

==== Updating the SpamAssassin rules ====

<code>
# sa-update -D
</code>

==== Enabling the SpamAssassin daemon and the automatic (cron) update of its rules ====

<code>
# vi /etc/default/spamassassin
# Change to one to enable spamd
ENABLED=1
...
# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=1
</code>

==== Restarting the services ====

<code>
# service spamassassin start
Starting SpamAssassin Mail Filter Daemon: spamd.
# service amavis restart
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
# service clamav-daemon restart
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd .
# service postfix restart
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
</code>

====== Postfix.Admin ======

Postfix.Admin is used to create the domains, mailboxes and aliases in the database.

===== Installation =====

If you do not have a shared web server, you need to install Apache/PHP:

<code>
# apt-get install apache2 php5 php5-mysql php5-imap
</code>

Download postfixadmin here: http://sourceforge.net/projects/postfixadmin/files/postfixadmin/

The latest version (2 January 2013) is "postfixadmin-2.3.6" (2 MiB).

<code>
# wget http://tenet.dl.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.6/postfixadmin-2.3.6.tar.gz
# tar xzvf postfixadmin-2.3.6.tar.gz -C /var/www/
# mv /var/www/postfixadmin-2.3.6/ /var/www/postfixadmin/
# chown -R www-data:www-data /var/www/postfixadmin/
# cp /var/www/postfixadmin/config.inc.php /var/www/postfixadmin/config.inc.php.sos
# sed -i 's/change-this-to-your.domain.tld/druidesmetal.com/g' /var/www/postfixadmin/config.inc.php
</code>

<code>
# vi /var/www/postfixadmin/config.inc.php
$CONF['configured'] = true;
...
$CONF['default_language'] = 'fr';
...
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'monmotdepasse';
$CONF['database_name'] = 'postfix';
...
$CONF['encrypt'] = 'md5crypt';
</code>

<code>
# service apache2 restart
Restarting web server: apache2 ... waiting .
</code>
Now go to: https://votre_IP/postfixadmin/setup.php

{{:documentations:snapshot171.jpeg?600|}}

Enter the "setup" password so that the program generates a security hash, which you will paste into /var/www/postfixadmin/config.inc.php

{{:documentations:snapshot172.jpeg?600|}}

<code>
If you want to use the password you entered as setup password, edit config.inc.php and set
$CONF['setup_password'] = 'c4861ab90fcf650da20d5d2b6258a7d9:94922063c5569077df0a65dff7ae1e3d349b7732';
</code>

<code>
# vi /var/www/postfixadmin/config.inc.php
</code>

Replace:

<code>
$CONF['setup_password'] = 'changeme';
</code>

with:

<code>
$CONF['setup_password'] = 'c4861ab90fcf650da20d5d2b6258a7d9:94922063c5569077df0a65dff7ae1e3d349b7732';
</code>

Then re-enter the setup password, choose an administrator and give it a password:

{{:documentations:snapshot190.jpeg?400|}}

You can now go to the home page https://votre_IP/postfixadmin/ :

{{:documentations:snapshot191.jpeg.jpeg?400|}}

{{:documentations:snapshot175.jpeg.jpeg?400|}}

===== Adding quotas in Postfix.Admin =====

<code>
# vi /var/www/postfixadmin/config.inc.php
...
// Quota
// When you want to enforce quota for your mailbox users set this to 'YES'.
$CONF['quota'] = 'YES';
...
// Optional:
// Show used quotas from Dovecot dictionary backend in virtual
// mailbox listing.
// See: DOCUMENTATION/DOVECOT.txt
// http://wiki.dovecot.org/Quota/Dict
//
$CONF['used_quotas'] = 'YES';

// if you use dovecot >= 1.2, set this to yes.
// Note about dovecot config: table "quota" is for 1.0 & 1.1, table "quota2" is for dovecot 1.2 and newer
$CONF['new_quota_table'] = 'YES';
</code>

Create the script that sends the alerts:

<code>
# vi /usr/local/bin/quota-warning.sh
#!/bin/sh
# Called by Dovecot's quota plugin with the percentage reached as first
# argument; Dovecot passes the mailbox owner in $USER.
PERCENT=$1
FROM="admin@isalo.org"
# Temporary file with an unpredictable name (mktemp) rather than
# /tmp/quota.warning.$$, which any local user could create in advance
# in the world-writable /tmp.
qwf=$(mktemp /tmp/quota.warning.XXXXXX) || exit 1

# The here-document keeps the quotes in the Content-Type header intact.
cat > "$qwf" <<EOF
From: $FROM
To: $USER
To: admin@isalo.org
Subject: Votre boite mail est pleine à $PERCENT%
Content-Type: text/plain; charset="UTF-8"

Votre boite mail est pleine à $PERCENT%+, veuillez effacer des messages et vider le corbeille, ou contactez votre administrateur
EOF

/usr/sbin/sendmail -f "$FROM" "$USER" < "$qwf"
rm -f "$qwf"
exit 0
</code>

<code>
# chown dovecot:vmail /usr/local/bin/quota-warning.sh
# chmod +x /usr/local/bin/quota-warning.sh
</code>

====== Webmail ======

===== Installation =====

Download the archive from http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.9.2/roundcubemail-0.9.2.tar.gz

Extract the archive into Apache's DocumentRoot:

<code>
# tar xzvf roundcubemail-0.9.2.tar.gz -C /var/www/
# mv /var/www/roundcubemail-0.9.2/ /var/www/roundcubemail
# chown -R www-data:www-data /var/www/roundcubemail/
</code>

Roundcube needs a database; create it now:

<code>
# mysql -u root -p
Enter password:
mysql> create database roundbase;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON roundbase.* TO 'roundadmin'@'localhost' IDENTIFIED BY 'monmotdepasse';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)

mysql> quit
Bye
</code>

Now go to the following address to configure it: http://votre_IP/roundcubemail/installer/

Follow the wizard up to the configuration-creation page. Take care to answer the questions about the MySQL database, the IMAP and SMTP servers and the "locales" correctly.
The installer then offers two files, **main.inc.php** and **db.inc.php**, which you must copy into **/var/www/roundcube/config/**

Click "continue" (middle of the page) once you have created the two configuration files, to run the tests.

When all tests are "Ok", you can delete the /var/www/roundcubemail/installer/ directory and go to http://votre_IP/roundcubemail/

<code>
# rm -r /var/www/roundcubemail/installer
</code>

===== Managesieve plugin =====

Managing Sieve filters from Roundcube. The plugin ships with Roundcube by default and only needs to be enabled:

<code>
# vi /var/www/roundcubemail/config/main.inc.php
</code>

Around line 324...

<code>
// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$rcmail_config['plugins'] = array('managesieve');
</code>

Then configure it:

<code>
# cp /var/www/roundcubemail/plugins/managesieve/config.inc.php.dist /var/www/roundcubemail/plugins/managesieve/config.inc.php
</code>

Replace:

<code>
$rcmail_config['managesieve_port'] = 2000;
</code>

with:

<code>
$rcmail_config['managesieve_port'] = 4190;
</code>

====== Vacation - Out-of-office notification ======

This section is described in the following document: [[Serveur-Messagerie-Vacation]]
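The rmreturn.sh cron job in the Postfix section above deletes queue entries by grepping "postqueue -p" output, which is hard to verify before it runs. As an added example (not part of the original page or of Postfix), the script below parses that output the same way but only reports what would be removed: bounce_queue_ids prints the queue IDs whose sender is MAILER-DAEMON, stripping the "*" (active) and "!" (on hold) markers that postqueue appends and that postsuper does not accept, and queued_messages counts the entries. The SAMPLE_QUEUE text is constructed for the demo, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page: a dry run of the queue
# cleanup done by rmreturn.sh, over a constructed "postqueue -p" sample.

# Read "postqueue -p" output on stdin and print the queue IDs of messages
# whose sender is MAILER-DAEMON (bounces), one per line, without markers.
bounce_queue_ids() {
    awk '
        # A message starts on a line whose first field is the queue ID
        # (alphanumeric, optionally followed by * or !) and whose second
        # field is the size in bytes; the sender is the last field.
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ && $NF == "MAILER-DAEMON" {
            sub(/[*!]$/, "", $1)
            print $1
        }'
}

# Count every message in the queue (same header-line shape, any sender).
queued_messages() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ { n++ } END { print n+0 }'
}

# Constructed sample of "postqueue -p" output: two bounces (one active,
# marked with *), one held message (!) and one ordinary deferred message.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1B2C3D4E*     4521 Mon Jan  2 10:15:32  MAILER-DAEMON
                                         user@example.com

5F6A7B8C9D      1234 Mon Jan  2 10:16:01  alice@example.net
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         bob@example.org

7C8D9E0F1A!      980 Mon Jan  2 10:20:45  carol@example.net
                                         dave@example.org

9E0F1A2B3C      2048 Mon Jan  2 10:21:07  MAILER-DAEMON
                                         nobody@example.com

-- 9 Kbytes in 4 Requests.'

# Report instead of deleting. On a real server, replace the sample with
# "/usr/sbin/postqueue -p" and, once the list looks right, pipe the IDs
# into "/usr/sbin/postsuper -d -" as rmreturn.sh does.
dry_run() {
    ids=$(printf '%s\n' "$SAMPLE_QUEUE" | bounce_queue_ids)
    total=$(printf '%s\n' "$SAMPLE_QUEUE" | queued_messages)
    echo "$total messages queued; rmreturn.sh would delete these bounces:"
    echo "$ids"
}

dry_run
```

Running the dry run from a shell before installing the cron job shows exactly which entries the hourly cleanup will remove; recipient lines are skipped because their first field contains "@", and the deferred-reason line in parentheses never matches the queue-ID pattern.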