Differences
This shows you the differences between two versions of the page.
setup_basic_mailserver_with_postfix_dovecot_sieve [01.01.2020 23:40] – [install roundcube] Pascal Suter | setup_basic_mailserver_with_postfix_dovecot_sieve [02.01.2020 08:23] – [proxmox mail gateway] Pascal Suter | ||
---|---|---|---|
Line 312: | Line 312: | ||
swaks --to myuser@yourdomain.ch --server mail.yourdomain.ch | swaks --to myuser@yourdomain.ch --server mail.yourdomain.ch | ||
mutt -f imaps:// | mutt -f imaps:// | ||
+ | | ||
+ | |||
+ | ===== postfix smtp(d) config ===== | ||
+ | < | ||
+ | postconf smtpd_sasl_type=dovecot | ||
+ | postconf smtpd_sasl_path=private/ | ||
+ | postconf smtpd_sasl_auth_enable=yes | ||
+ | postconf smtpd_tls_security_level=may | ||
+ | postconf smtpd_tls_auth_only=yes | ||
+ | postconf smtpd_tls_cert_file=/ | ||
+ | postconf smtpd_tls_key_file=/ | ||
+ | postconf smtp_tls_security_level=may | ||
+ | </ | ||
+ | to enable submission service (port 587 for sending emails from clients) edit ''/ | ||
+ | |||
+ | < | ||
+ | submission inet n | ||
+ | -o syslog_name=postfix/ | ||
+ | -o smtpd_tls_security_level=encrypt | ||
+ | -o smtpd_sasl_auth_enable=yes | ||
+ | -o smtpd_tls_auth_only=yes | ||
+ | -o smtpd_reject_unlisted_recipient=no | ||
+ | # -o smtpd_client_restrictions=$mua_client_restrictions | ||
+ | # -o smtpd_helo_restrictions=$mua_helo_restrictions | ||
+ | # -o smtpd_sender_restrictions=$mua_sender_restrictions | ||
+ | # -o smtpd_recipient_restrictions= | ||
+ | -o smtpd_relay_restrictions=permit_sasl_authenticated, | ||
+ | -o milter_macro_daemon_name=ORIGINATING | ||
+ | </ | ||
+ | |||
+ | systemctl restart postfix | ||
+ | |||
+ | ===== additional postfix settings ===== | ||
+ | ==== mail size limit ==== | ||
+ | i think 10MB is just too small, so i allowed 30mb instead | ||
+ | postconf message_size_limit=31457280 | ||
+ | |||
+ | ==== regex based virtual aliases ==== | ||
+ | i've added [[postfix_virtual_mail_addresses_with_regular_expressions|this]] as well to my config. however, I called the config file / | ||
===== install roundcube ===== | ===== install roundcube ===== | ||
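Review bot: `postconf smtpd_sasl_auth_enable=yes` turns on AUTH for every smtpd listener, including port 25, although the submission block already sets `-o smtpd_sasl_auth_enable=yes` for port 587 on its own. Unless something has to authenticate on port 25, drop the global setting and keep only the override, so that password guessing is confined to the submission port, where `smtpd_tls_security_level=encrypt` makes TLS mandatory. The `-o smtpd_relay_restrictions=permit_sasl_authenticated,` line is also cut off after the comma as shown here; the text should give the full value and say that the list has to end in a reject so that unauthenticated clients cannot relay through 587.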
Line 396: | Line 435: | ||
</ | </ | ||
- | ===== postfix smtp(d) config ===== | ||
- | < | ||
- | postconf smtpd_sasl_type=dovecot | ||
- | postconf smtpd_sasl_path=private/ | ||
- | postconf smtpd_sasl_auth_enable=yes | ||
- | postconf smtpd_tls_security_level=may | ||
- | postconf smtpd_tls_auth_only=yes | ||
- | postconf smtpd_tls_cert_file=/ | ||
- | postconf smtpd_tls_key_file=/ | ||
- | postconf smtp_tls_security_level=may | ||
- | </ | ||
- | to enable submission service (port 587 for sending emails from clients) edit ''/ | ||
- | |||
- | < | ||
- | submission inet n | ||
- | -o syslog_name=postfix/ | ||
- | -o smtpd_tls_security_level=encrypt | ||
- | -o smtpd_sasl_auth_enable=yes | ||
- | -o smtpd_tls_auth_only=yes | ||
- | -o smtpd_reject_unlisted_recipient=no | ||
- | # -o smtpd_client_restrictions=$mua_client_restrictions | ||
- | # -o smtpd_helo_restrictions=$mua_helo_restrictions | ||
- | # -o smtpd_sender_restrictions=$mua_sender_restrictions | ||
- | # -o smtpd_recipient_restrictions= | ||
- | -o smtpd_relay_restrictions=permit_sasl_authenticated, | ||
- | -o milter_macro_daemon_name=ORIGINATING | ||
- | </ | ||
- | |||
- | systemctl restart postfix | ||
===== client auto configuration ===== | ===== client auto configuration ===== | ||
postponed.. [[https:// | postponed.. [[https:// | ||
- | ===== additional postfix settings | + | ===== proxmox mail gateway |
- | ==== mail size limit ==== | + | i decided on using proxmox mail gateway (PMG) for spam and virus filtering rather than setting up rspamd or any other mail filter solution i have to maintain myself. |
- | i think 10MB is just too small, so i allowed 30mb instead | + | |
- | postconf message_size_limit=31457280 | + | |
- | ==== regex based virtual aliases ==== | + | i' |
- | i' | + | |
- | ===== proxmox | + | so i've downloaded the latest ISO from [[https:// |
+ | |||
+ | i set a public ip with a hostname filter.yourdomain.ch. | ||
+ | |||
+ | after the installation is complete, you can access the web-interface on https:// | ||
+ | |||
+ | your root password is also your login for the web-interface. i did disable ssh password login and i've blocked all ports except 22 and 25 from the outside world in my firewall, so nobody can access the web-interface and brute-force my password. | ||
+ | |||
+ | once you're logged in to the web-interface, | ||
+ | |||
+ | once this is all set, go ahead and click on the "Mail Proxy" settings. | ||
+ | * under Relaying enter your mailserver' | ||
+ | * leave port 25 | ||
+ | * i've disabled MX lookups, not sure why they should be needed here. | ||
+ | * under "Relay Domains" | ||
+ | * in the Options tab i've enabled " | ||
+ | * i have disabled Greylisting as this delays mail delivery significantly and that's a bit of a pain if you wait for account confirmation emails or booking confirmations etc. i'll re-enable it if the spam detection rate is too low. | ||
+ | * also in Options, i have enabled DNSBL and i've entered the following two blacklists to query: '' | ||
+ | * there is no need to configure any transports. this is only needed if you want to route incoming mails for different domains or addresses to different servers. | ||
+ | * in the networks tab, you can add the network or ip of your mailserver, in case it is not in the same subnet as your filter.. if it's in the same subnet there is no need to add anything here, as the same subnet is allowed to relay through PMG by default. | ||
+ | * since we will be relaying our outgoing emails from our mailserver via PMG as well, we will use PMG's DKIM signing function. to enable this, in the DKIM tab you need to **first add a new selector** before you can enable DKIM .. that's a bit confusing. as selector i've entered the current date like '' | ||
+ | * for DKIM to work you need to add a TXT entry to your domian' | ||
+ | * once all these settings where done, i had to login to the filter via ssh and **manually restart postfix**. otherwise postfix would bind port 25 to 127.0.0.1 only. i guess rebooting the entire filter would fix this issue as well. | ||
+ | |||
+ | ==== adjustments to postfix settings on our mailserver | ||
+ | we can now limit access for incoming mails so that postfix only accepts connections from our mailfilter. to do this, edit the '' | ||
+ | < | ||
+ | smtp inet n | ||
+ | -o smtpd_client_restrictions=permit_mynetworks, | ||
+ | </ | ||
+ | don't forget to restart postfix | ||
+ | |||
+ | further more we can configure our mailserver to send all its mails through our proxmox gateway | ||
+ | postconf relayhost=filter.yourdomain.ch: | ||
+ | note port 26, that's because proxmox mail gatway distinguishes between incoming and outgoing mail by accepting them on different smtp ports. by default port 25 is for incoming and port 26 for outgoing mail. | ||
+ | |||
+ | ==== greylisting ==== | ||
+ | by default PMG uses greylisting. this means, that every email coming from a new sender address will first be rejected for a duration of a couple of minutes. i think 3 minutes is the actual greylist timeout on PMG. however, the delay that occurrs in reality will be dependent also on the sending mail server' | ||
+ | you can see all attempts that where blocked by geylisting if you go to the tracking center and check the " |
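Review bot: the sentence above the `smtp inet n` override says postfix will accept connections only from the mailfilter, but `-o smtpd_client_restrictions=permit_mynetworks,` admits every address in mynetworks, and the value is cut off after the comma. State what mynetworks has to contain for the claim to hold (or match the filter's address explicitly) and show the closing reject. In `postconf relayhost=filter.yourdomain.ch:` the host is written without square brackets, so Postfix does an MX lookup on that name before connecting; writing the host as `[filter.yourdomain.ch]` ahead of the port avoids the lookup and pins delivery to that host.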