dev-libre-is/docs/_source/mail-libre-is.rst
2024-09-01 11:45:36 -06:00


=============
mail.libre.is
=============

Documentation for the Libre mail server.

Setting up Internet mail servers is a pain.
It's nothing like just setting up a web server...

Main Components
===============

This install is based on this guide:
`<https://workaround.org/ispmail-bookworm/>`_
For more information and details about what is what,
refer to that site.

- Dovecot: `<https://dovecot.org/>`_
- MariaDB
- OpenDKIM: `<http://www.opendkim.org/>`_
- OpenDMARC: `<http://www.trusteddomain.org/opendmarc/>`_,
  `<https://github.com/trusteddomainproject/OpenDMARC>`_
- Postfix: `<https://www.postfix.org/>`_

Debian
======

Install Debian stable (bookworm).

Install rsyslog for old school convenience:

.. code-block:: sh

   sudo apt install rsyslog

Apache
======

The Apache webserver is used out of laziness, as it allows easy
certificate updates with certbot. A webmail server won't be
running on the main mail server.

.. code-block:: sh

   sudo apt install apache2
   echo "mail.libre.is" | sudo tee /var/www/html/index.html

Open up firewall ports 80 and 443.

MariaDB
=======

The main database server.

.. code-block:: sh

   sudo apt install mariadb-server
   sudo mariadb-admin password
   mariadb -uroot -p

Add the database, the two accounts and the tables.
Change each 'password' to something secure.

.. code-block:: sql

   CREATE DATABASE mailserver;
   GRANT ALL ON mailserver.* TO 'mailadmin'@'localhost' IDENTIFIED BY 'password';
   GRANT SELECT ON mailserver.* TO 'mailserver'@'127.0.0.1' IDENTIFIED BY 'password';
   USE mailserver;
   CREATE TABLE IF NOT EXISTS `virtual_domains` (
     `id` int(11) NOT NULL auto_increment,
     `name` varchar(50) NOT NULL,
     PRIMARY KEY (`id`)
   ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
   CREATE TABLE IF NOT EXISTS `virtual_users` (
     `id` int(11) NOT NULL auto_increment,
     `domain_id` int(11) NOT NULL,
     `email` varchar(100) NOT NULL,
     `password` varchar(150) NOT NULL,
     `quota` bigint(11) NOT NULL DEFAULT 0,
     PRIMARY KEY (`id`),
     UNIQUE KEY `email` (`email`),
     FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
   ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
   CREATE TABLE IF NOT EXISTS `virtual_aliases` (
     `id` int(11) NOT NULL auto_increment,
     `domain_id` int(11) NOT NULL,
     `source` varchar(100) NOT NULL,
     `destination` varchar(100) NOT NULL,
     PRIMARY KEY (`id`),
     FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
   ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
   EXIT

Postfix
=======

The main SMTP mail server.

.. code-block:: sh

   sudo apt install postfix
   sudo apt install postfix-mysql

Set up postfix to use MariaDB.

Edit /etc/postfix/mysql-virtual-mailbox-domains.cf
and add the lines below, using the mailserver password set in MariaDB:

.. code-block:: cfg

   user = mailserver
   password = password
   hosts = 127.0.0.1
   dbname = mailserver
   query = SELECT 1 FROM virtual_domains WHERE name='%s'

Edit /etc/postfix/mysql-virtual-mailbox-maps.cf and add:

.. code-block:: cfg

   user = mailserver
   password = password
   hosts = 127.0.0.1
   dbname = mailserver
   query = SELECT 1 FROM virtual_users WHERE email='%s'

Edit /etc/postfix/mysql-virtual-alias-maps.cf and add:

.. code-block:: cfg

   user = mailserver
   password = password
   hosts = 127.0.0.1
   dbname = mailserver
   query = SELECT destination FROM virtual_aliases WHERE source='%s'

Edit /etc/postfix/mysql-email2email.cf and add:

.. code-block:: cfg

   user = mailserver
   password = password
   hosts = 127.0.0.1
   dbname = mailserver
   query = SELECT email FROM virtual_users WHERE email='%s'

Then run these commands. The second virtual_alias_maps setting
supersedes the first, so the final value lists both tables. The chgrp
and chmod keep the database password out of reach of other users on
the host.

.. code-block:: sh

   sudo postconf \
     virtual_mailbox_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
   sudo postconf \
     virtual_mailbox_maps=mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
   sudo postconf \
     virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf
   sudo postconf \
     virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
   sudo chgrp postfix /etc/postfix/mysql-*.cf
   sudo chmod 640 /etc/postfix/mysql-*.cf
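
The lookups Postfix performs with the four mysql-*.cf queries above, as an added example that is not part of this guide. It rebuilds the three tables from the MariaDB section in an in-memory SQLite database (same table and column names, SQLite spelling of the types) and replays the queries in the order virtual(5) documents for an address in a virtual domain: virtual_mailbox_domains for the domain part, then every virtual_alias_maps table for the full address and, only if nothing matched, for the @domain catch-all key, then virtual_mailbox_maps for the result. The domain, the two mailboxes and the two aliases are constructed sample data. It also shows why mysql-email2email.cf is chained after the alias map, and what ON DELETE CASCADE does when a domain row is removed.

```python
"""Replay the Postfix virtual_* lookups against the mail schema.

Added example (not from the guide).  The schema mirrors the three
MariaDB tables in SQLite spelling; all rows are constructed sample data.
"""
import sqlite3

# The same four queries as the /etc/postfix/mysql-*.cf files, with
# Postfix's %s placeholder replaced by a bound parameter.
VIRTUAL_MAILBOX_DOMAINS = "SELECT 1 FROM virtual_domains WHERE name=?"
VIRTUAL_MAILBOX_MAPS = "SELECT 1 FROM virtual_users WHERE email=?"
VIRTUAL_ALIAS_MAPS = "SELECT destination FROM virtual_aliases WHERE source=?"
EMAIL2EMAIL = "SELECT email FROM virtual_users WHERE email=?"

SCHEMA = """
CREATE TABLE virtual_domains (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  name TEXT NOT NULL
);
CREATE TABLE virtual_users (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  domain_id INTEGER NOT NULL,
  email TEXT NOT NULL UNIQUE,
  password TEXT NOT NULL,
  quota INTEGER NOT NULL DEFAULT 0,
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
);
CREATE TABLE virtual_aliases (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  domain_id INTEGER NOT NULL,
  source TEXT NOT NULL,
  destination TEXT NOT NULL,
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
);
"""


def build_db():
    """In-memory database with one hosted domain, two mailboxes and two aliases."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # SQLite enforces foreign keys only when asked
    db.executescript(SCHEMA)
    db.execute("INSERT INTO virtual_domains (name) VALUES ('example.test')")
    dom = db.execute("SELECT id FROM virtual_domains WHERE name='example.test'").fetchone()[0]
    # Constructed rows; the password column holds a placeholder, not a real hash.
    for email in ("alice@example.test", "bob@example.test"):
        db.execute("INSERT INTO virtual_users (domain_id, email, password) VALUES (?, ?, ?)",
                   (dom, email, "{PLACEHOLDER-HASH}"))
    for source, dest in (("postmaster@example.test", "alice@example.test"),
                         ("@example.test", "bob@example.test")):   # the second is a catch-all
        db.execute("INSERT INTO virtual_aliases (domain_id, source, destination) VALUES (?, ?, ?)",
                   (dom, source, dest))
    db.commit()
    return db


def lookup(db, query, key):
    """One table lookup: the first column of the first row, or None for no match."""
    row = db.execute(query, (key,)).fetchone()
    return None if row is None else row[0]


def resolve(db, address, use_email2email=True):
    """Return (accepted, final_recipient) for one expansion step.

    Order mirrors Postfix: is the domain ours (virtual_mailbox_domains)?
    Then every alias table is tried for the full address, and only if none
    matched, for the '@domain' key.  The result must be a mailbox in
    virtual_mailbox_maps.  Postfix re-expands results until they stop
    changing; one step is enough to show the point with this sample.
    """
    _local, _, domain = address.partition("@")
    if lookup(db, VIRTUAL_MAILBOX_DOMAINS, domain) is None:
        return (False, None)      # not a hosted domain, so not one of our mailboxes
    alias_tables = [VIRTUAL_ALIAS_MAPS] + ([EMAIL2EMAIL] if use_email2email else [])
    dest = None
    for key in (address, "@" + domain):
        for query in alias_tables:
            dest = lookup(db, query, key)
            if dest is not None:
                break
        if dest is not None:
            break
    if dest is None:
        dest = address            # no alias at all: deliver to the address itself
    if lookup(db, VIRTUAL_MAILBOX_MAPS, dest) is None:
        return (False, None)      # hosted domain, but no such mailbox: rejected
    return (True, dest)


def delete_domain(db, name):
    """Drop a hosted domain; ON DELETE CASCADE removes its users and aliases.
    Returns the number of mailboxes left in the table."""
    db.execute("DELETE FROM virtual_domains WHERE name=?", (name,))
    db.commit()
    return db.execute("SELECT count(*) FROM virtual_users").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    for addr in ("alice@example.test", "postmaster@example.test",
                 "nobody@example.test", "alice@other.test"):
        print(addr, "->", resolve(db, addr),
              "| without email2email:", resolve(db, addr, use_email2email=False))
    print("mailboxes left after deleting example.test:", delete_domain(db, "example.test"))
```

Run it directly to print the resolution of each sample address. Without the email2email table, the catch-all alias @example.test also captures mail for the real mailboxes in that domain, because no full-address alias row exists for them and the lookup falls through to the @domain key; with the identity mapping chained in, the full-address lookup answers first and the mailbox address stays unchanged.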

Redis
=====

Note, the licensing of Redis has gone bad. The version in Debian
is OK, but in the future it should probably be replaced with a fork.

.. code-block:: sh

   sudo apt install redis-server

rspamd
======

Spam control.

.. code-block:: sh

   sudo apt install rspamd

Certbot
=======

Encryption certificates with Let's Encrypt.
Without an Apache webserver on the mail server, getting
new certificates would be a bit more complex.

.. code-block:: sh

   sudo apt install certbot ca-certificates python3-certbot-apache
   sudo certbot -d mail.libre.is
   sudo systemctl restart apache2
   echo "post-hook = systemctl restart postfix dovecot apache2" | \
     sudo tee /etc/letsencrypt/cli.ini

Dovecot
=======

Just using encrypted IMAPS, not POP.

.. code-block:: sh

   sudo apt install dovecot-mysql dovecot-pop3d dovecot-imapd \
     dovecot-managesieved dovecot-lmtpd

Note, since IPv6 isn't being used, the dovecot install barfs.
Edit /etc/dovecot/dovecot.conf and add this line, where appropriate:

.. code-block:: cfg

   listen = *

Note, this removes the "::" from listen, which is the IPv6 wildcard.
Then re-run the install so the packages are happy. Note, the re-install
won't overwrite the "listen" change.

.. code-block:: sh

   sudo apt install --reinstall dovecot-mysql dovecot-pop3d dovecot-imapd \
     dovecot-managesieved dovecot-lmtpd

Add the vmail user and set up the configs:

.. code-block:: sh

   sudo groupadd -g 5000 vmail
   sudo useradd -g vmail -u 5000 vmail -d /var/vmail -m
   sudo chown -R vmail:vmail /var/vmail
   sudo sed -i -e \
     's/auth_mechanisms = plain/auth_mechanisms = plain login/g' \
     /etc/dovecot/conf.d/10-auth.conf
   sudo sed -i -e \
     's/!include auth-system.conf.ext/#!include auth-system.conf.ext/g' \
     /etc/dovecot/conf.d/10-auth.conf
   sudo sed -i -e \
     's/#!include auth-sql.conf.ext/!include auth-sql.conf.ext/g' \
     /etc/dovecot/conf.d/10-auth.conf
   sudo sed -i -e \
     's/^mail_location.*/mail_location = maildir:~\/Maildir/g' \
     /etc/dovecot/conf.d/10-mail.conf
   sudo sed -i -e \
     's/#mail_plugins =/mail_plugins = quota/g' \
     /etc/dovecot/conf.d/10-mail.conf

Edit /etc/dovecot/conf.d/10-master.conf and add this inside the
service auth block:

.. code-block:: cfg

   # Postfix smtp-auth
   unix_listener /var/spool/postfix/private/auth {
     mode = 0660
     user = postfix
     group = postfix
   }

Edit /etc/dovecot/conf.d/10-ssl.conf, set the certificate and key
locations, and make TLS required:

.. code-block:: cfg

   ssl = required
   ssl_cert = </etc/letsencrypt/live/mail.libre.is/fullchain.pem
   ssl_key = </etc/letsencrypt/live/mail.libre.is/privkey.pem

Edit the /etc/dovecot/dovecot-sql.conf.ext file and add these lines at
the bottom, changing the password to the mailserver database password.

.. code-block:: cfg

   driver = mysql
   connect = \
     host=127.0.0.1 \
     dbname=mailserver \
     user=mailserver \
     password=password
   user_query = SELECT email as user, \
     concat('*:bytes=', quota) AS quota_rule, \
     '/var/vmail/%d/%n' AS home, \
     5000 AS uid, 5000 AS gid \
     FROM virtual_users WHERE email='%u'
   password_query = SELECT password FROM virtual_users WHERE email='%u'
   iterate_query = SELECT email AS user FROM virtual_users

Set file permissions, since the file contains the database password.

.. code-block:: sh

   sudo chown root:root /etc/dovecot/dovecot-sql.conf.ext
   sudo chmod 600 /etc/dovecot/dovecot-sql.conf.ext

Edit /etc/dovecot/conf.d/10-master.conf and change the lmtp service to:

.. code-block:: cfg

   service lmtp {
     unix_listener /var/spool/postfix/private/dovecot-lmtp {
       group = postfix
       mode = 0600
       user = postfix
     }
   }

Restart the dovecot server.

.. code-block:: sh

   sudo systemctl restart dovecot

Run this to tell postfix to deliver to dovecot:

.. code-block:: sh

   sudo postconf virtual_transport=lmtp:unix:private/dovecot-lmtp

Edit /etc/dovecot/conf.d/20-lmtp.conf and change the mail_plugins line
(inside the protocol lmtp block) to:

.. code-block:: cfg

   mail_plugins = $mail_plugins sieve

Restart dovecot again....

.. code-block:: sh

   sudo systemctl restart dovecot

More postfix
============

More postfix configuration, now that the above is set up.

Set postfix to use dovecot for authentication, and point it at the
Let's Encrypt certificate:

.. code-block:: sh

   sudo postconf smtpd_sasl_type=dovecot
   sudo postconf smtpd_sasl_path=private/auth
   sudo postconf smtpd_sasl_auth_enable=yes
   sudo postconf smtpd_tls_security_level=may
   sudo postconf smtpd_tls_auth_only=yes
   sudo postconf smtpd_tls_cert_file=/etc/letsencrypt/live/mail.libre.is/fullchain.pem
   sudo postconf smtpd_tls_key_file=/etc/letsencrypt/live/mail.libre.is/privkey.pem
   sudo postconf smtp_tls_security_level=may

Edit /etc/postfix/master.cf and change the submission entry thusly
(the -o lines must be indented, as they continue the service line):

.. code-block:: cfg

   submission inet n - y - - smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_tls_auth_only=yes
     -o smtpd_reject_unlisted_recipient=no
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_relay_restrictions=
     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING
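
A check for the submission entry above, as an added example that is not part of the guide. It parses the master.cf format (a service line with eight columns, followed by indented continuation lines carrying the -o overrides) and verifies what the entry is meant to guarantee: TLS is mandatory (encrypt), SASL is enabled and only offered over TLS, and, because smtpd_relay_restrictions is emptied for this service, smtpd_recipient_restrictions itself ends with reject so that only authenticated clients can relay through port 587. MASTER_CF_SAMPLE is a constructed excerpt containing the page's submission entry plus a default-style smtp line; the real file is /etc/postfix/master.cf.

```python
"""Check the Postfix submission service in master.cf.

Added example, not from the guide.  MASTER_CF_SAMPLE is a constructed
excerpt: the guide's submission entry plus a default-style smtp line.
"""

MASTER_CF_SAMPLE = """\
# constructed sample master.cf excerpt
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

# The eight columns of a master.cf service line, in order.
FIELDS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc", "command")


def _overrides(args):
    """Collect '-o name=value' pairs; an empty value ('-o name=') is kept as ''."""
    found = {}
    for i, arg in enumerate(args):
        if arg == "-o" and i + 1 < len(args):
            name, _, value = args[i + 1].partition("=")
            found[name] = value
    return found


def parse_master_cf(text):
    """Return {(service, type): entry}; an entry holds the eight columns,
    the remaining command arguments ('args') and the -o pairs ('overrides')."""
    services = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace():             # continuation of the previous service line
            if current is None:
                raise ValueError("continuation line before any service: " + line)
            current["args"].extend(line.split())
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            raise ValueError("malformed service line: " + line)
        current = dict(zip(FIELDS, parts))
        current["args"] = parts[len(FIELDS):]
        services[(current["service"], current["type"])] = current
    for entry in services.values():
        entry["overrides"] = _overrides(entry["args"])
    return services


def check_submission(text):
    """Return the problems with the submission service; [] means it matches the guide's intent."""
    entry = parse_master_cf(text).get(("submission", "inet"))
    if entry is None:
        return ["no 'submission inet' service defined"]
    o = entry["overrides"]
    problems = []
    if o.get("smtpd_tls_security_level") != "encrypt":
        problems.append("submission: smtpd_tls_security_level must be encrypt (mandatory TLS)")
    if o.get("smtpd_sasl_auth_enable") != "yes":
        problems.append("submission: smtpd_sasl_auth_enable must be yes")
    if o.get("smtpd_tls_auth_only") != "yes":
        problems.append("submission: smtpd_tls_auth_only must be yes (no passwords in the clear)")
    rules = [r.strip() for r in o.get("smtpd_recipient_restrictions", "").split(",") if r.strip()]
    # With smtpd_relay_restrictions emptied, the recipient restrictions alone decide
    # who may relay; Postfix permits when a restriction list runs out, so it must end in reject.
    if o.get("smtpd_relay_restrictions", "default") == "" and (not rules or rules[-1] != "reject"):
        problems.append("submission: relay restrictions are empty and recipient "
                        "restrictions do not end with reject (unauthenticated relay)")
    if "permit_sasl_authenticated" not in rules:
        problems.append("submission: recipient restrictions never permit_sasl_authenticated")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MASTER_CF_SAMPLE
    for line in check_submission(text) or ["submission service looks as intended"]:
        print(line)
```

Run with the path to the real master.cf as its one argument, or with no argument to check the embedded sample. Only the submission service's own overrides are inspected; main.cf values that apply when no override is present are out of scope for this check.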

Restart postfix:

.. code-block:: sh

   sudo systemctl restart postfix

Make sure all is good:

.. code-block:: sh

   sudo postfix check

OpenDKIM
========

.. code-block:: sh

   sudo apt install opendkim

OpenDMARC
=========

Requires database setup.

.. code-block:: sh

   sudo apt install opendmarc

SPF
===

Set up SPF.

DNS
===

Set up DNS.

Other
=====

Perhaps these too.

.. code-block:: sh

   apt install postfix-policyd-spf-python rspamd
   apt install fail2ban spamassassin sqlgrey opendkim-tools make