CentOS 7 – Postfix, Dovecot, RoundCube, PostfixAdmin, phpMyAdmin

Last updated on March 29th, 2018 at 02:38 pm

First of all, set the hostname in CentOS 7 with nmtui and add a DNS entry in /etc/hosts.

Set your hostname with nmtui.

Set the DNS name in /etc/hosts (nano /etc/hosts):

127.0.0.1 mail.domain.com mail

Install PHP 7.0

rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum -y install yum-utils
yum -y update
wget http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
rpm -Uvh remi-release-7*.rpm
yum-config-manager --enable remi-php70
yum install php php-opcache php-cli php-common php-gd php-ldap php-mysql php-odbc php-pdo php-pear php-pecl-apc php-pecl-memcache php-pgsql php-soap php-xml php-xmlrpc php-mbstring php-mcrypt  -y

yum install epel-release*
yum install php-imap*

Install Apache (httpd), mod_ssl, MariaDB and MariaDB server

yum install httpd mariadb mariadb-server
yum install mod_ssl
systemctl start httpd
systemctl enable httpd
systemctl start mariadb
systemctl enable mariadb

Disable SELinux

nano /etc/selinux/config

To disable it:

SELINUX=disabled

If you prefer to let SELinux print warnings instead of enforcing, set this value instead:

SELINUX=permissive

Disable it immediately, without rebooting the server:

setenforce 0

Open firewall ports

firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=143/tcp --permanent
firewall-cmd --zone=public --add-port=993/tcp --permanent
firewall-cmd --zone=public --add-port=465/tcp --permanent
firewall-cmd --zone=public --add-port=587/tcp --permanent
firewall-cmd --zone=public --add-port=25/tcp --permanent
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload

Check the updated rules with:
firewall-cmd --list-all

Secure MariaDB and set the root password

mysql_secure_installation

Create a user in MySQL

*Note* A MySQL user can be authenticated by password or without a password on localhost!!!

------ Create user with password for a specific DB ------

mysql_secure_installation
mysql -uroot -p
CREATE USER 'beckup'@'%' IDENTIFIED BY 'Your_pass';
GRANT ALL ON wiki.* TO 'beckup'@'localhost';
GRANT ALL ON wiki.* TO 'beckup'@'%';
GRANT ALL ON wiki.* TO 'beckup'@'hostname';
GRANT ALL ON wiki.* TO 'beckup'@'127.0.0.1';
GRANT ALL ON wiki.* TO 'beckup'@'::1';
FLUSH PRIVILEGES;

------ Create user without password for a specific DB ------

mysql_secure_installation
mysql -uroot -p
CREATE USER 'beckup'@'%';
GRANT ALL ON wiki.* TO 'beckup'@'localhost';
GRANT ALL ON wiki.* TO 'beckup'@'%';
GRANT ALL ON wiki.* TO 'beckup'@'hostname';
GRANT ALL ON wiki.* TO 'beckup'@'127.0.0.1';
GRANT ALL ON wiki.* TO 'beckup'@'::1';
FLUSH PRIVILEGES;

Run this only if you need to create a MySQL user with high privileges (all databases, with GRANT OPTION):

GRANT ALL PRIVILEGES ON *.* TO 'beckup'@'%' WITH GRANT OPTION;


Install and configure phpMyAdmin

mysql_secure_installation
yum install -y phpmyadmin

**** Back up the original file ****

cp /etc/httpd/conf.d/phpMyAdmin.conf /etc/httpd/conf.d/phpMyAdmin.conf.orig

By default access to phpMyAdmin is allowed only from 127.0.0.1. We remove the whole content of /etc/httpd/conf.d/phpMyAdmin.conf (nano /etc/httpd/conf.d/phpMyAdmin.conf) and insert the block below, which opens it to all addresses (Require all granted); the IP allow list used for PostfixAdmin later in this guide can be applied here in the same way:

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8
Require all granted
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
Require all granted
</Directory>

<Directory /usr/share/phpMyAdmin/libraries/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

<Directory /usr/share/phpMyAdmin/setup/lib/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

<Directory /usr/share/phpMyAdmin/setup/frames/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

systemctl restart httpd

Open http://your_ip_address/phpmyadmin in a browser.

Log in with the MySQL root user and password.

Create the database for PostfixAdmin (the config below uses the name postfix).

Install PostfixAdmin

Download from here: postfixadmin-3.1.tar

Extract it to /var/www/postfixadmin-3.1

chown -R apache. /var/www/postfixadmin

Do not edit /var/www/html/postfixadmin/config.inc.php itself (attached for reference: config.inc.php).

Instead create a new file /var/www/html/postfixadmin/config.local.php in the same directory as config.inc.php and put the following into it:

$CONF['configured'] = true;
$CONF['default_language'] = 'en';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = 'your_pass';
$CONF['database_name'] = 'postfix';
$CONF['admin_email'] = '[email protected]_domain.com';
$CONF['encrypt'] = 'md5crypt';
$CONF['default_aliases'] = array (
'abuse' => 'root',
'hostmaster' => 'root',
'postmaster' => 'root',
'webmaster' => 'root'
);
$CONF['/mail/domain/your_domain.com'] = 'YES';
$CONF['/mail/mailboxes/your_domain.com'] = 'YES';

Open http://192.168.9.20/postfixadmin/setup.php in a browser.

!!Important!!! If you get this error:

ERROR: the templates_c directory doesn't exist or isn't writeable for the webserver

just create the templates_c folder in the PostfixAdmin root directory with mode 777.

Refresh your browser or open http://192.168.9.20/postfixadmin/setup.php again to finish the installation.

Add the setup_password hash that setup.php generates to your config file /var/www/postfixadmin/config.local.php, e.g.:

$CONF['setup_password'] = 'd5b49f60b33c602582e1dcac4fd640f8:01568c3ba5abf83dc30dd45ad622f1229a63001c';

PostfixAdmin hardening (allowed IP list)

Add the following to the end of /etc/httpd/conf/httpd.conf (nano /etc/httpd/conf/httpd.conf; the full file is attached as httpd.conf):

<VirtualHost 192.168.9.20:80>
<Directory "/var/www/postfixadmin/">
order deny,allow
deny from all
allow from 192.168.7.5 192.168.7.6
Options -Indexes
</Directory>
</VirtualHost>

You can allow single IPs or whole subnets, e.g. allow from 192.168.7.0/24

Secure cookies

Mark cookies HttpOnly and Secure by adding this line (mod_headers) at the top of httpd.conf, or download the attached httpd.conf:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

A cookie flagged Secure is only sent back over HTTPS, so with this line PostfixAdmin has to be used through the mod_ssl port 443 opened earlier rather than the plain :80 virtual host.

Postfix configuration

Postfix comes built in with CentOS 7.

First of all, back up the /etc/postfix/main.cf file.

Now replace its whole content with the following; you must change the your_domain.com values (bold in the original) to your own domain:

soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix

# Change to your own domain: mail.your_domain.com & your_domain.com
myhostname = mail.your_domain.com
mydomain = your_domain.com
myorigin = $myhostname

inet_interfaces = all
inet_protocols = ipv4

mydestination = localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
#mynetworks = 127.0.0.0/8
# If local submissions get "454 4.7.1 Relay access denied", see the Problems section at the end
mynetworks = 0.0.0.0

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

smtpd_banner = $myhostname ESMTP $mail_name

debug_peer_level = 2
# The PATH and ddd lines must stay as they are, indented with a tab
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf,
 mysql:/etc/postfix/mysql/virtual_alias_domain_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

smtpd_discard_ehlo_keywords = etrn, silent-discard
smtpd_forbidden_commands = CONNECT GET POST
broken_sasl_auth_clients = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
disable_vrfy_command = yes

smtpd_helo_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_helo_hostname,
 reject_invalid_helo_hostname

smtpd_data_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_pipelining,
 reject_multi_recipient_bounce,

smtpd_sender_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain

smtpd_recipient_restrictions = reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 reject_multi_recipient_bounce,
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_tls_key_file = /etc/postfix/certs/key.pem
smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
tls_random_source = dev:/dev/urandom

# Message size limit
message_size_limit = 20000000
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 15
smtpd_error_sleep_time = 20
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 30
smtpd_client_event_limit_exceptions = 127.0.0.0/8
smtpd_client_connection_limit_exceptions = 127.0.0.0/8

maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth

# Folder to store mailboxes
virtual_mailbox_base = /mail/domain/your_domain.com
virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:1000
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

sender_bcc_maps = hash:/etc/postfix/sender_bcc_maps
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc_maps

Now create the directory /etc/postfix/mysql and add all the files below in it (one file per "nano" line):

mkdir /etc/postfix/mysql && cd /etc/postfix/mysql
# nano relay_domains.cf

hosts = localhost
user = postfix
password = 12345678
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1'
# nano  virtual_alias_domain_maps.cf

hosts = localhost
user = postfix
password = 12345678
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1
# nano virtual_alias_maps.cf

hosts = localhost
user = postfix
password = 12345678
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
# nano virtual_mailbox_domains.cf

hosts = localhost
user = postfix
password = 12345678
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'
# mcedit virtual_mailbox_maps.cf

hosts = localhost
user = postfix
password = 12345678
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
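The five lookup tables above repeat the same connection settings, and each file carries the database password in clear text. The following shell script is an added example and not part of the original article: it writes all five files from one set of variables (PF_DB_HOST, PF_DB_USER, PF_DB_PASS and PF_DB_NAME are assumed names), sets them to mode 0640 with group postfix so that only root and Postfix can read the password, and checks the result. The target directory is a parameter, so it can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the article): generate the Postfix MySQL lookup
# tables from one set of connection settings and lock down their permissions,
# because every file carries the database password in clear text.
# Connection settings come from these (assumed) environment variables:
#   PF_DB_HOST (default localhost), PF_DB_USER (default postfix),
#   PF_DB_PASS (required), PF_DB_NAME (default postfix)

# Writes one lookup table. Arguments: directory, file name, SQL query.
write_postfix_mysql_map() {
cat > "$1/$2" <<EOF
hosts = ${PF_DB_HOST:-localhost}
user = ${PF_DB_USER:-postfix}
password = ${PF_DB_PASS:?set PF_DB_PASS to the postfix database password}
dbname = ${PF_DB_NAME:-postfix}
query = $3
EOF
}

# Writes all five tables referenced by main.cf into $1 (default
# /etc/postfix/mysql). The queries are the article's, against the
# PostfixAdmin schema (tables domain, alias, alias_domain, mailbox).
write_postfix_mysql_maps() {
    dir=${1:-/etc/postfix/mysql}
    mkdir -p "$dir"
    write_postfix_mysql_map "$dir" relay_domains.cf \
        "SELECT domain FROM domain WHERE domain='%s' AND backupmx = '1'"
    write_postfix_mysql_map "$dir" virtual_alias_domain_maps.cf \
        "SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1"
    write_postfix_mysql_map "$dir" virtual_alias_maps.cf \
        "SELECT goto FROM alias WHERE address='%s' AND active = '1'"
    write_postfix_mysql_map "$dir" virtual_mailbox_domains.cf \
        "SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'"
    write_postfix_mysql_map "$dir" virtual_mailbox_maps.cf \
        "SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'"
    # Only root and the postfix group may read the password.
    chmod 0640 "$dir"/*.cf
    # The postfix group only exists on the mail server; skip quietly elsewhere.
    chgrp postfix "$dir"/*.cf 2>/dev/null || true
}

# Verifies that all five tables exist, carry the five expected settings and
# are not world-readable. Prints each problem; returns 0 if everything passes.
check_postfix_mysql_maps() {
    dir=${1:-/etc/postfix/mysql}
    rc=0
    for f in relay_domains.cf virtual_alias_domain_maps.cf virtual_alias_maps.cf \
             virtual_mailbox_domains.cf virtual_mailbox_maps.cf; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then echo "missing: $p"; rc=1; continue; fi
        for key in hosts user password dbname query; do
            grep -q "^$key = " "$p" || { echo "$p: missing $key"; rc=1; }
        done
        # In "ls -l" output the 8th character is the world-readable bit.
        if [ "$(ls -l "$p" | cut -c8)" = "r" ]; then echo "$p: world-readable"; rc=1; fi
    done
    return $rc
}
```

After writing the real files, verify each table against the live database with postmap -q, for example postmap -q your_domain.com mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf should print the domain for an active, non-backup domain created in PostfixAdmin.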

Now back up /etc/postfix/master.cf and change the lines below (the submission and smtps services):

submission inet n - n - - smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_wrappermode=no
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
 -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
 -o milter_macro_daemon_name=ORIGINATING

At the end of the same file add the dovecot delivery transport (the vmail user is created in the Dovecot section below):

dovecot unix - n n - - pipe
 flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

Create a folder for the Postfix certificates

mkdir /etc/postfix/certs
openssl req -new -x509 -days 3650 -nodes -out /etc/postfix/certs/cert.pem -keyout /etc/postfix/certs/key.pem

Run this every time you change the bcc map files (main.cf references them as sender_bcc_maps and recipient_bcc_maps, and Postfix needs the .db files that postmap builds):

postmap /etc/postfix/recipient_bcc_maps /etc/postfix/sender_bcc_maps

Now create two mailboxes, [email protected]_domain.com and [email protected]_domain.com, through PostfixAdmin.

I will explain a little about what these boxes are for. Initially, I made them when users used the POP3 protocol without keeping messages on the server. This made it possible to organize a backup of all correspondence. These boxes fill up very quickly and take up a huge amount of space, so they must be cleaned out. I simply had scripts regularly collect all the mail into archives named by date. If you needed to find a letter, you just unpacked the required archive.

In the case of IMAP the backup role disappears, since all mail is stored on the server. But these boxes are still useful when a user, for example, has deleted some important letter and then pretends it never existed. If this letter arrived only today and has not yet made it into the backup, then apart from the log entry about it you will not see the content itself. With such boxes everything is clear at once, and the questions disappear. The last application is the security service: if you have someone who is supposed to read all the correspondence, this functionality can be implemented in such a simple way.

All the basic Postfix settings are done. Some of them are tied to Dovecot, which we have not configured yet. Therefore we do not touch Postfix any more and do not restart it. Next we configure Dovecot, the IMAP server of our mail system.


Dovecot configuration

Let's get busy setting up Dovecot, the server that delivers mail to users over the POP3 and IMAP protocols. I see no reason to use POP3; it is inconvenient compared to IMAP, and most often POP3 is disabled altogether. But this is up to you. Let me give an example of setting up both protocols. In addition to the basic mail delivery functionality, I will configure several useful plugins. Let me tell you a bit more about them:

Sieve performs mail filtering according to the specified rules at the time of local delivery on the mail server. The convenience of this approach is that you set up a sorting rule once and it works in all the clients on which you receive mail over IMAP. Rules are created, stored and executed on the server itself.
Acl allows users to share folders in their mailbox and give other users access to these folders. I have not often seen this configured and used; I think it is because of ignorance. For me this is a very convenient and useful function.
I often see people configure the quota plugin, which allows you to limit the maximum size of a mailbox. I personally do not use it in my work. Perhaps, when you have hundreds or thousands of clients, it matters and you must set a limit. When there are fewer mailboxes, it makes no sense to bother people with constant cleaning. Drives are not that expensive now. I think it is easier and cheaper to increase the server space than to constantly nag users about the need to clean their mailbox. It is better to limit the maximum size of a message, say to 20 megabytes. Then it is hard to fill up the mailbox; even with a strong desire, it will not happen quickly. And mail is still an important tool at work; I think it is better to keep it as long as possible.

There is another useful plugin, expire, which allows you to delete obsolete emails in specific folders, for example all emails older than 30 days in the trash and spam folders. But it is impossible to really use it, for a simple reason: different e-mail clients create different folders for the recycle bin and spam. Thunderbird creates folders with the Latin names trash and spam, Outlook uses Russian names, which on the mail server are converted to UTF-7 encoding, and mobile clients also use different folder names. As a result there is no uniformity and the plugin does not work fully.

I have described these plugins for orientation. I do not configure them myself, but if you want to implement the described functionality, you can understand and configure them yourself.

That was a little theory; now we turn to practice. We install the packages necessary for Dovecot.

*After mailbox creation you can find the mailboxes in /mail/domain

yum install dovecot dovecot-mysql dovecot-pigeonhole

Replace the content of /etc/dovecot/dovecot.conf (nano /etc/dovecot/dovecot.conf) with the configuration below:

listen = * [::]

mail_plugins = mailbox_alias acl

protocols = imap pop3 sieve lmtp

mail_uid = 1000
mail_gid = 1000

first_valid_uid = 1000
last_valid_uid = 1000

log_path = /var/log/dovecot/main.log
info_log_path = /var/log/dovecot/info.log
debug_log_path = /var/log/dovecot/debug.log

ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_cert = </etc/postfix/certs/cert.pem
ssl_key = </etc/postfix/certs/key.pem

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh_parameters_length = 2048
ssl_prefer_server_ciphers = yes

disable_plaintext_auth = yes

mail_location = maildir:/mail/domain/your_domain.com/%d/%u/

auth_default_realm = your_domain.com

auth_mechanisms = PLAIN LOGIN

service auth {
 unix_listener /var/spool/postfix/private/dovecot-auth {
 user = postfix
 group = postfix
 mode = 0666
 } 
 unix_listener /var/spool/postfix/private/auth {
 mode = 0666
 user = postfix
 group = postfix
 }
unix_listener auth-master {
 user = vmail
 group = vmail
 mode = 0666
 }

unix_listener auth-userdb {
 user = vmail
 group = vmail
 mode = 0660
 }
}

service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
 user = postfix
 group = postfix
 mode = 0600
 }

 inet_listener lmtp {
 address = 127.0.0.1
 port = 24
 }
}

userdb {
 args = /etc/dovecot/dovecot-mysql.conf
 driver = sql
 }

passdb {
 args = /etc/dovecot/dovecot-mysql.conf
 driver = sql
 }

auth_master_user_separator = *

plugin {
 auth_socket_path = /var/run/dovecot/auth-master

 acl = vfile
 acl_shared_dict = file:/mail/domain/your_domain.com/shared-folders/shared-mailboxes.db
 sieve = /mail/domain/your_domain.com/sieve/%u.sieve
 mailbox_alias_old = Sent
 mailbox_alias_new = Sent Messages
 mailbox_alias_old2 = Sent
 mailbox_alias_new2 = Sent Items
}

protocol lda {
 mail_plugins = $mail_plugins sieve
 auth_socket_path = /var/run/dovecot/auth-master
 deliver_log_format = mail from %f: msgid=%m %$
 log_path = /var/log/dovecot/lda-errors.log
 info_log_path = /var/log/dovecot/lda-deliver.log
 lda_mailbox_autocreate = yes
 lda_mailbox_autosubscribe = yes
 postmaster_address = root
}

protocol lmtp {
 info_log_path = /var/log/dovecot/lmtp.log
 mail_plugins = quota sieve
 postmaster_address = postmaster
 lmtp_save_to_detail_mailbox = yes
 recipient_delimiter = +
}

protocol imap {
 mail_plugins = $mail_plugins imap_acl
 imap_client_workarounds = tb-extra-mailbox-sep
 mail_max_userip_connections = 30
}

protocol pop3 {
 mail_plugins = $mail_plugins
 pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
 pop3_uidl_format = %08Xu%08Xv
 mail_max_userip_connections = 30
}

service imap-login {
 service_count = 1
 process_limit = 500
 }

service pop3-login {
 service_count = 1
 }

service managesieve-login {
 inet_listener sieve {
 port = 4190
 }
}

namespace {
 type = private
 separator = /
 prefix =
 inbox = yes

 mailbox Sent {
 auto = subscribe
 special_use = \Sent
 }
 mailbox "Sent Messages" {
 auto = no
 special_use = \Sent
 }
 mailbox "Sent Items" {
 auto = no
 special_use = \Sent
 }
 mailbox Drafts {
 auto = subscribe
 special_use = \Drafts
 }
 mailbox Trash {
 auto = subscribe
 special_use = \Trash
 }
 mailbox "Deleted Messages" {
 auto = no
 special_use = \Trash
 }
 mailbox Junk {
 auto = subscribe
 special_use = \Junk
 }
 mailbox Spam {
 auto = no
 special_use = \Junk
 }
 mailbox "Junk E-mail" {
 auto = no
 special_use = \Junk
 }
 mailbox Archive {
 auto = no
 special_use = \Archive
 }
 mailbox Archives {
 auto = no
 special_use = \Archive
 }
}

namespace {
 type = shared
 separator = /
 prefix = Shared/%%u/
 location = maildir:%%h:INDEX=%h/shared/%%u
 subscriptions = yes
 list = children
}

Create the vmail user and group (uid/gid 1000, matching mail_uid/mail_gid above and virtual_uid_maps/virtual_gid_maps in main.cf):

# groupadd -g 1000 vmail
# useradd -d /mail/domain/your_domain.com -g 1000 -u 1000 vmail
# chown vmail. /mail/domain/your_domain.com

Connection to MySQL

Create the SQL connection file referenced by the userdb and passdb blocks above:

nano /etc/dovecot/dovecot-mysql.conf

Create the log folder, the sieve and shared-folder directories, then start the services

# mkdir /var/log/dovecot
# cd /var/log/dovecot && touch main.log info.log debug.log lda-errors.log lda-deliver.log lmtp.log
# chown -R vmail:dovecot /var/log/dovecot
# mkdir /mail/domain/your_domain.com/sieve && mkdir /mail/domain/your_domain.com/shared-folders
# chown -R vmail. /mail/domain/your_domain.com
# chown vmail. /var/run/dovecot/auth-master
# systemctl restart postfix
# systemctl start dovecot
# systemctl enable dovecot

Useful commands to check the configuration

tail -f /var/log/maillog
Successful SMTP logins show up here as sasl_method=PLAIN, [email protected]_domain.com

/var/log/dovecot/info.log
Shows who connected from where, e.g. imap-login: Info: Login: user=<[email protected]_domain.com >, method=PLAIN, rip=75.37.235.139, lip=188.35.19.125, mpid=28790, TLS, session=<3tDeHGVKpQBNJeCL>

/var/log/dovecot/lda-deliver.log
Shows all mail delivery traffic

systemctl restart postfix
systemctl restart dovecot
ls -l /var/spool/postfix/private
(the dovecot-auth and dovecot-lmtp sockets configured above should be listed)
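Besides reading the logs by hand, it is worth counting failed logins per client address, since the submission, smtps, IMAP and POP3 listeners opened above are the usual targets of password guessing. The script below is an added example and not from the article: it reads a file of maillog and Dovecot log lines, extracts the client IP from Postfix's "SASL ... authentication failed" warnings and from Dovecot's "Disconnected (auth failed, N attempts ...)" lines (counting N attempts), and lists the addresses with the most failures. The log lines it runs on are constructed samples in those two formats; the addresses and session ids are made up.

```shell
#!/bin/sh
# Added example (not from the article): count failed mail logins per client
# IP from the Postfix and Dovecot logs described above.

# Constructed sample log lines in the formats written by postfix/smtpd and by
# Dovecot's imap-login / pop3-login (addresses and session ids are made up).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 29 10:00:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 10:00:03 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 29 10:00:05 mail dovecot: imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<user@your_domain.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<aaaa>
Mar 29 10:00:09 mail dovecot: imap-login: Info: Login: user=<user@your_domain.com>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, mpid=28790, TLS, session=<bbbb>
Mar 29 10:00:12 mail dovecot: pop3-login: Info: Disconnected (auth failed, 2 attempts in 10 secs): user=<admin>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, session=<cccc>
Mar 29 10:00:15 mail postfix/smtpd[2102]: 1A2B3C4D5E: client=unknown[198.51.100.20], sasl_method=PLAIN, sasl_username=user@your_domain.com
EOF

# Prints "<failures> <ip>" for every client address with at least one failed
# login, most failures first. Postfix logs one warning per failed attempt;
# Dovecot logs one "Disconnected (auth failed, N attempts ...)" line per
# connection, so N is counted. Successful logins are not counted.
auth_failures_by_ip() {
    {
        sed -n 's/.*\[\([0-9.]*\)\]: SASL [A-Z0-9-]* authentication failed.*/\1/p' "$1"
        sed -n 's/.*(auth failed, \([0-9]*\) attempts.*rip=\([0-9.]*\).*/\1 \2/p' "$1" |
            awk '{ for (i = 0; i < $1; i++) print $2 }'
    } | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Returns 0 when address $2 has at least $3 (default 5) failed logins in log $1.
ip_over_threshold() {
    n=$(auth_failures_by_ip "$1" | awk -v ip="$2" '$2 == ip { print $1 }')
    [ "${n:-0}" -ge "${3:-5}" ]
}

# Report for the sample: 3 failures from 203.0.113.7, 2 from 198.51.100.20
auth_failures_by_ip "$SAMPLE_LOG"
```

On the server, run it as auth_failures_by_ip /var/log/maillog (Dovecot's info.log can be concatenated with it first); an address that crosses the threshold is a candidate for a firewall-cmd rule on the ports opened earlier.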

RoundCube installation

First of all, download RoundCube from https://roundcube.net/download/ (full version) or use the attachment roundcubemail.tar, and extract it to /var/www/webmail

# tar -xzvf roundcubemail-*
# mv roundcubemail-1.2.3 /var/www/webmail
# chown -R apache. /var/www/webmail

Create a database and a user for RoundCube. I created the DB roundcube and the user roundcube. Do this either from phpMyAdmin or from the CLI (RoundCube runs on the same host, so the grant is for localhost):

CREATE DATABASE roundcube;
GRANT ALL PRIVILEGES ON roundcube.* TO 'roundcube'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

Now open http://Your_server_ip/webmail/installer/ in a browser and go through the setup.
You will see many options, but you only need a few of them:

    • smtp_server: leave as is
    • language: en_EN
    • Plugins (must be checked): managesieve, userinfo, acl. Other plugins at your discretion

Config DB: enter the roundcube database and user created above.

Now open http://Your_server_ip/webmail

After the installer has written the configuration, remove or disable the installer directory (/var/www/webmail/installer), as RoundCube itself recommends.

  • You can create a custom virtual host binding in httpd.conf

Create rules with sieve

You can do this under "Settings" in RoundCube.

*After rule creation you can find the sieve rule scripts in /mail/domain/sieve/your_username

Configure "Out Of Office"

# mcedit /var/www/html/webmail/plugins/managesieve/config.inc.php

Change this setting:

$config['managesieve_vacation'] = 1;

Create shared folders in a mailbox

First create the folder in the web interface, and then give permissions to the aliases you need.

Now we can see the new shared folder in the mailbox of [email protected]_domain.com:

Configure DKIM and SPF

DKIM

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam.

yum install opendkim
mkdir -p /etc/postfix/dkim && cd /etc/postfix/dkim

Now we generate the keys for the domain:

opendkim-genkey -D /etc/postfix/dkim/ -d your_domain.com -s mail
-d your_domain.com: your domain name
-s mail: the selector (here the name of your server)


The output is a pair of files: the private key and the public key. The private key stays on the server; the public key will be published in DNS. Rename them right away so that you do not get confused if you have several domains. Keys have to be generated for each domain.

mv mail.private mail.your_domain.com.private
mv mail.txt mail.your_domain.com.txt

Create a file with the key table, which describes all domains. In this case only one:

cd /etc/postfix/dkim
nano keytable
mail._domainkey.your_domain.com your_domain.com:mail:/etc/postfix/dkim/mail.your_domain.com.private

Right there, create another file that describes which key signs the letters of each domain. We have one domain, so only one entry:

cd /etc/postfix/dkim
nano signingtable
*@your_domain.com mail._domainkey.your_domain.com

Set the access rights on all the files:

chown root:opendkim *
chmod u=rw,g=r,o= *

Create the config file:

nano /etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
# Port and address must match smtpd_milters in main.cf (inet:127.0.0.1:8891)
Socket inet:8891@127.0.0.1
Umask 022
Canonicalization relaxed/relaxed
Selector default
MinimumKeyBits 1024
KeyFile /etc/postfix/dkim/mail.your_domain.com.private
KeyTable /etc/postfix/dkim/keytable
SigningTable refile:/etc/postfix/dkim/signingtable

Add the following parameters at the very end of the Postfix configuration file:

nano /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

Restart Postfix and OpenDKIM, and enable OpenDKIM so it starts after a server reboot:

systemctl restart postfix
systemctl restart opendkim.service
systemctl enable opendkim.service

Now we need to add the public key to DNS. Go to the DNS management console and add a new TXT entry. We take its content from the file /etc/postfix/dkim/mail.your_domain.com.txt:

cat /etc/postfix/dkim/mail.your_domain.com.txt
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
 "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClZX2xWRDISlVLF4b4pUiinY5N9WN7VXEHeyPw8smHTamXh35wJoh+j0+MIQD754T2WXBjz7O/uHL+vK58LhJsm4TGyhUN6ZBit+w22jG92zdeybSZeU/g7hQdkaAAi0I+0nIkUwIDAQAB" ) ; ----- DKIM key mail for your_domain.com

Remove the quotes and the extra spaces, join the pieces into one string and paste it in as the TXT value. It should look like this:


I check that it works: I send a letter to Gmail and look at the mail server's log:

cat /var/log/maillog
or
tail -f /var/log/maillog

Additionally, check the correctness of the DKIM entry in DNS with the online service http://dkimcore.org/c/keycheck.

SPF

The SPF record is added as a TXT entry in the DNS of your domain. With this record you specify which IP addresses have the right to send mail on your behalf. If a spammer uses your domain name when sending spam, the mail will not pass the SPF check and will most likely be identified as spam.

You can specify particular IP addresses in the record, or you can state that the sending addresses are to be checked against the A and MX records. In our case there is a single server with one IP, so we specify that IP address. Go to the DNS control panel and add a new TXT entry:

your_domain.com. TXT v=spf1 ip4:your_ip_address ~all
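Two checks for the DNS steps of the DKIM and SPF sections above, as an added example that is not part of the article: dkim_txt_value turns the opendkim-genkey .txt output (the quoted fragments shown earlier) into the single string to paste into the DNS console, dkim_matches_dns compares the p= key in that file with the key actually published (the output of dig +short TXT mail._domainkey.your_domain.com, saved to a file), and spf_record_ok checks that an SPF record starts with v=spf1, lists the server in an ip4: mechanism and ends with ~all or -all. The genkey file content is the sample printed earlier in the article; the dig output is a constructed sample of the same key, split into two strings the way DNS returns long TXT records.

```shell
#!/bin/sh
# Added example (not from the article): helpers for publishing and checking
# the DKIM and SPF records described above.

# Sample opendkim-genkey output as printed above (mail.your_domain.com.txt)
GENKEY_TXT=$(mktemp)
# Constructed output of: dig +short TXT mail._domainkey.your_domain.com
# (DNS returns long TXT records as several quoted strings)
DIG_OUT=$(mktemp)
trap 'rm -f "$GENKEY_TXT" "$DIG_OUT"' EXIT
cat > "$GENKEY_TXT" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
 "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClZX2xWRDISlVLF4b4pUiinY5N9WN7VXEHeyPw8smHTamXh35wJoh+j0+MIQD754T2WXBjz7O/uHL+vK58LhJsm4TGyhUN6ZBit+w22jG92zdeybSZeU/g7hQdkaAAi0I+0nIkUwIDAQAB" ) ; ----- DKIM key mail for your_domain.com
EOF
cat > "$DIG_OUT" <<'EOF'
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClZX2xWRDISlVLF4b4pUiinY5N9WN7VXEHeyPw8smHTamXh35wJoh+j0+MIQD754T2WXBjz7O/uHL+vK58LhJsm4TGyhUN6ZBit" "+w22jG92zdeybSZeU/g7hQdkaAAi0I+0nIkUwIDAQAB"
EOF

# Joins every double-quoted fragment in file $1 into one unquoted string,
# i.e. the exact value to paste into the DNS console: v=DKIM1; k=rsa; p=...
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Owner name of the record, the first field of the genkey file (mail._domainkey).
dkim_record_name() {
    awk 'NR == 1 { print $1 }' "$1"
}

# Extracts the base64 public key from the p= tag of the joined record in $1.
dkim_public_key() {
    dkim_txt_value "$1" | sed -n 's|.*p=\([A-Za-z0-9+/=]*\).*|\1|p'
}

# Returns 0 when the key published in DNS (file $2 holding dig +short output)
# is the same as the key in the local genkey file $1.
dkim_matches_dns() {
    local_key=$(dkim_public_key "$1")
    dns_key=$(dkim_public_key "$2")
    [ -n "$local_key" ] && [ "$local_key" = "$dns_key" ]
}

# Sanity check of SPF record $1 for the single-server case above with server
# address $2: it must start with v=spf1, name the server in an ip4: mechanism
# (plain or with a prefix length) and end with ~all or -all.
spf_record_ok() {
    case $1 in
        "v=spf1 "*" ~all" | "v=spf1 "*" -all") ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" ip4:$2 "* | *" ip4:$2/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the record name and the joined value ready for the DNS console
echo "$(dkim_record_name "$GENKEY_TXT") TXT $(dkim_txt_value "$GENKEY_TXT")"
```

After publishing, save the real dig +short TXT mail._domainkey.your_domain.com output to a file and run dkim_matches_dns /etc/postfix/dkim/mail.your_domain.com.txt that-file; a mismatch usually means a quote or a line break survived the paste.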

 

Problems

NOQUEUE: reject: RCPT from [127.0.0.1]: 454 4.7.1: Relay access denied;

Add the line below to /etc/postfix/main.cf (replacing the mynetworks line set earlier), then systemctl restart postfix:

mynetworks = 127.0.0.0/8 [::1]/128 192.168.9.20