blog.monogatari.pl

Posftix i Dovecot – Idealny duet tworzący serwer poczty

SpamAssasin to ostatnia broń w naszym arsenale przygotowanym na wszelki spam jaki może się pojawić na naszym serwerze poczty.

Zainstalujmy więc wymagane paczki:

apt-get install spamassassin spamc

1	apt-get install spamassassin spamc

Dodajmy użytkownika, który będzie uruchamiał spammassassin-a

groupadd spamd
useradd -g spamd -s /bin/false spamd
chown spamd:spamd -R /etc/spamassassin/

groupadd spamd

useradd -g spamd -s /bin/false spamd

chown spamd:spamd -R /etc/spamassassin/

Użytkownika już mamy, teraz czas skonfigurować SA:

#vim /etc/default/spamassassin

# If you're using systemd (default for jessie), the ENABLED setting is
# not used. Instead, enable spamd by issuing:
# systemctl enable spamassassin.service
# Change to "1" to enable spamd on systems using sysvinit:
ENABLED=1
SPAMD_HOME="/home/spamd/"
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir /home/spamd/ -s /home/spamd/spamd.log"
PIDFILE="/home/spamd/spamd.pid"
CRON=1

#vim /etc/default/spamassassin

# If you're using systemd (default for jessie), the ENABLED setting is

# not used. Instead, enable spamd by issuing:

# systemctl enable spamassassin.service

# Change to "1" to enable spamd on systems using sysvinit:

ENABLED=1

SPAMD_HOME="/home/spamd/"

OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir /home/spamd/ -s /home/spamd/spamd.log"

PIDFILE="/home/spamd/spamd.pid"

CRON=1

Uruchommy SA:

service spamassassin start

1	service spamassassin start

Dodajmy SpamAssassin-a do postfixa:

#vim /etc/postfix/master.cf

#na dole pliku dodajmy:
spamassassin unix -     n       n       -       -       pipe
        user=spamd argv=/usr/bin/spamc -f -e  
        /usr/sbin/sendmail -oi -f ${sender} ${recipient}

#w każdym protokole, z którego korzystamy (np. smtps, submission) dodajmy opcję kierowania poczty do spamassassina:
-o content_filter=spamassassin

#vim /etc/postfix/master.cf

#na dole pliku dodajmy:

spamassassin unix - n n - - pipe

user=spamd argv=/usr/bin/spamc -f -e

/usr/sbin/sendmail -oi -f ${sender} ${recipient}

#w każdym protokole, z którego korzystamy (np. smtps, submission) dodajmy opcję kierowania poczty do spamassassina:

-o content_filter=spamassassin

Zrestartujmy postfix-a:

service postfix restart

1	service postfix restart

Musimy jeszcze utworzyć reguły filtrowania:

#/etc/spamassassin/local.cf

rewrite_header Subject ***** SPAM _SCORE_ *****
report_safe             0
required_score          5.0
use_bayes               1
use_bayes_rules         1
bayes_auto_learn        1
skip_rbl_checks         0
use_razor2              0
use_dcc                 0
use_pyzor               0

#Adjust scores for SPF FAIL
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_SOFTFAIL 3.0
score SPF_SOFTFAIL 3.0

#adjust DKIM scores
score DKIM_ADSP_ALL 3.0
score DKIM_ADSP_DISCARD  10.0
score DKIM_ADSP_NXDOMAIN 3.0

#/etc/spamassassin/local.cf

rewrite_header Subject ***** SPAM _SCORE_ *****

report_safe 0

required_score 5.0

use_bayes 1

use_bayes_rules 1

bayes_auto_learn 1

skip_rbl_checks 0

use_razor2 0

use_dcc 0

use_pyzor 0

#Adjust scores for SPF FAIL

score SPF_FAIL 4.0

score SPF_HELO_FAIL 4.0

score SPF_HELO_SOFTFAIL 3.0

score SPF_SOFTFAIL 3.0

#adjust DKIM scores

score DKIM_ADSP_ALL 3.0

score DKIM_ADSP_DISCARD 10.0

score DKIM_ADSP_NXDOMAIN 3.0

Restart SA dla pewności, że korzysta z naszych nowych reguł:

service spamassassin restart

1	service spamassassin restart

Aby przetestować SpamAssassin-a można z obcego serwera wysłać maila na swoją skrzynkę w postfix-ie i przeglądnąć nagłówek wiadomości.

Aktualizacja 11/05/2016:

Zauważyłem, że spamassassin informuje o błędzie

warn: config: failed to parse line, skipping, in "/etc/spamassassin/local.cf": use_dcc 0

1	warn: config: failed to parse line, skipping, in "/etc/spamassassin/local.cf": use_dcc 0

Można to łatwo naprawić komentując use_dcc lub instalując paczkę z dcc i nie używać tego modułu (bezcelowe).

spamassassin --lint

1	spamassassin --lint

Pozostałe wpisy dotyczące tego cyklu:

Posftix i Dovecot – Idealny duet tworzący serwer poczty

Walka ze spamem cz.3 – Postfix DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. It provides a mechanism which allows a receiving organization to check that incoming mail from a domain is authorized by that domain’s administrators and that the email (including attachments) has not been modified during transport – Wikipedia

Wpis ten jest kontynuacją postów dotyczących walki ze spamem, poprzednio skonfigurowaliśmy SPF oraz DKIM, korzystaliśmy z serwera postfix-a, którzy uwcześnie skonfigurowaliśmy.

Zainstalujmy paczkę, która będzie niezbędna:

#debian/ubuntu
apt-get install opendmarc

1 2	#debian/ubuntu apt-get install opendmarc

Skonfigurujmy nowo zainstalowany soft:

#vim /etc/opendmarc.conf

AuthservID mail.example.com
PidFile /var/run/opendmarc.pid #Debian default
RejectFailures false
Syslog true
TrustedAuthservIDs mail.example.com,mail2.example.com
UMask 0002
UserID opendmarc:opendmarc
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat
#w celu debugowania można dodać poniższą linię ale wyłączymy ją potem
SoftwareHeader true

#vim /etc/opendmarc.conf

AuthservID mail.example.com

PidFile /var/run/opendmarc.pid #Debian default

RejectFailures false

Syslog true

TrustedAuthservIDs mail.example.com,mail2.example.com

UMask 0002

UserID opendmarc:opendmarc

IgnoreHosts /etc/opendmarc/ignore.hosts

HistoryFile /var/run/opendmarc/opendmarc.dat

#w celu debugowania można dodać poniższą linię ale wyłączymy ją potem

SoftwareHeader true

To nie wszystko

mkdir /etc/opendmarc/

1	mkdir /etc/opendmarc/

Dodajmy hosty, których nie skanujemy – nas ?!

#vim /etc/opendmarc/ignore.hosts

localhost
adress_ip_naszego_serwera

#vim /etc/opendmarc/ignore.hosts

localhost

adress_ip_naszego_serwera

Zakładając, że korzystaliście z poprzednich wpisów na porcie 12301 posiadamyt DKIM, więc śmiało możemy dla DMARC wykorzystać port 54321:

#vim /etc/default/opendmarc
...
SOCKET="inet:54321@localhost"
...

#vim /etc/default/opendmarc

...

SOCKET="inet:54321@localhost"

...

Możemy uruchomić opendmarc, przy okazji sprawdzają czy nie mamy typo 🙂 lub czy coś nie siedzi na wybranym przez nas porcie:

/etc/init.d/opendmarc start

1	/etc/init.d/opendmarc start

Powiadommy postfixa, że chcemy korzystać z kolejnego rozwiązania dla wyłapywania spamu:

#vim /etc/postfix/main.cf

...
smtpd_milters=inet:localhost:12345,inet:localhost:54321
non_smtpd_milters=inet:localhost:12345,inet:localhost:54321
...

#vim /etc/postfix/main.cf

...

smtpd_milters=inet:localhost:12345,inet:localhost:54321

non_smtpd_milters=inet:localhost:12345,inet:localhost:54321

...

Pamiętajmy, że pierwsza pozycja obu wpisów dotyczy DKIM, a druga naszego DMARC-a 🙂

Zrestartujmy postfixa, niech biedak już nie czeka na nowy config 😉

/etc/init.d/postfix reload

1	/etc/init.d/postfix reload

Jako, że DMARC korzysta z DKIM i SPF, musimy mieć odpowiedni wpis DNS, w internecie jest pełno „wizardów”, które wygenerują wam wpis ja polecam takowy:

_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400"

1	_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400"

Teoretycznie można by tutaj zakończyć, jednak pełna implementacja DMARC wymaga generowania i wysyłania raportów – o czym administratorzy zapominają.

#vim /usr/share/doc/opendmarc/schema.mysql
...
CREATE USER 'opendmarc'@'localhost' IDENTIFIED BY 'changeme';
GRANT ALL ON opendmarc.* to 'opendmarc'@'localhost';
...

#vim /usr/share/doc/opendmarc/schema.mysql

...

CREATE USER 'opendmarc'@'localhost' IDENTIFIED BY 'changeme';

GRANT ALL ON opendmarc.* to 'opendmarc'@'localhost';

...

Wpis ten widnieje w pliku ale jest zakomentowany, dzięki niemu utworzony zostanie użytkownik opendmarc, jego hasło oraz baza 🙂

Wczytajmy schemat:

mysql -u root -p < schema.mysql

1	mysql -u root -p < schema.mysql

Utwórzmy skrypt do generowania raportów:

#vim /etc/opendmarc/report_script

#!/bin/bash

DB_SERVER='database.example.com'
DB_USER='opendmarc'
DB_PASS='password
DB_NAME='opendmarc'
WORK_DIR='/var/run/opendmarc'
REPORT_EMAIL='dmarc@example.com'
REPORT_ORG=example.com'

mv ${WORK_DIR}/opendmarc.dat ${WORK_DIR}/opendmarc_import.dat -f
cat /dev/null > ${WORK_DIR}/opendmarc.dat

/usr/sbin/opendmarc-import --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose < ${WORK_DIR}/opendmarc_import.dat
/usr/sbin/opendmarc-reports --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose --interval=86400 --report-email $REPORT_EMAIL --report-org $REPORT_ORG
/usr/sbin/opendmarc-expire --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose

#vim /etc/opendmarc/report_script

#!/bin/bash

DB_SERVER='database.example.com'

DB_USER='opendmarc'

DB_PASS='password

DB_NAME='opendmarc'

WORK_DIR='/var/run/opendmarc'

REPORT_EMAIL='dmarc@example.com'

REPORT_ORG=example.com'

mv ${WORK_DIR}/opendmarc.dat ${WORK_DIR}/opendmarc_import.dat -f

cat /dev/null > ${WORK_DIR}/opendmarc.dat

/usr/sbin/opendmarc-import --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose < ${WORK_DIR}/opendmarc_import.dat

/usr/sbin/opendmarc-reports --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose --interval=86400 --report-email $REPORT_EMAIL --report-org $REPORT_ORG

/usr/sbin/opendmarc-expire --dbhost=${DB_SERVER} --dbuser=${DB_USER} --dbpasswd=${DB_PASS} --dbname=${DB_NAME} --verbose

Sam skrypt na niewiele się zda jeżeli nie bedzie wykonywał się w harmonogramie:

chmod +x /etc/opendmarc/report_script

#przetestujmy skrypt zanim dodamy go do crona
su -c "/etc/opendmarc/report_script" -s /bin/bash opendmarc

#vim /etc/crontab

1 0 * * * opendmarc /etc/opendmarc/report_script

chmod +x /etc/opendmarc/report_script

#przetestujmy skrypt zanim dodamy go do crona

su -c "/etc/opendmarc/report_script" -s /bin/bash opendmarc

#vim /etc/crontab

1 0 * * * opendmarc /etc/opendmarc/report_script

Warto było by przeglądać maile z raportami jakie wysyłamy do innych administratorów korzystających z DMARC-a, zrobimy to poprzez mały wpis do postfixa:

#vim /etc/postfix/main.cf

...
sender_bcc_maps = hash:/etc/postfix/bcc_map
...

#vim /etc/postfix/bcc_map
dmarc@example.com mailboxforbcc@example.com


postmap /etc/postfix/bcc_map

#vim /etc/postfix/main.cf

...

sender_bcc_maps = hash:/etc/postfix/bcc_map

...

#vim /etc/postfix/bcc_map

dmarc@example.com mailboxforbcc@example.com

postmap /etc/postfix/bcc_map

Jeszcze tylko restart postfix-a, w celu wczytania nowego configa:

/etc/init.d/postfix restart

1	/etc/init.d/postfix restart

W celu przetestowania naszego nowego narzędzia możemy wysłać na inną skrzynkę maila testowego (mail musi być na zewnątrz naszego serwera, ale także musi obsługiwać DMARC np. gmail).

W nagłówku powinniśmy widzieć wpis od DMARCu. Jeżeli już skończymy testy pamiętajmy o usunięciu wpisu z config-a, który był dodany w celu testu:

#vim /etc/opendmarc.conf

#SoftwareHeader true

#vim /etc/opendmarc.conf

#SoftwareHeader true

Szybki restart:

/etc/init.d/opendmarc restart

1	/etc/init.d/opendmarc restart

W ten sposób ludzie otrzymujący maile z domeny, która obsługujesz powinni mieć pewność, że maile są legalne 🙂

Pozostałe wpisy dotyczące tego cyklu:

Posftix i Dovecot – Idealny duet tworzący serwer poczty

Walka ze spamem cz.2 – Postfix DKIM

DomainKeys Identified Mail (DKIM) – metoda łączenia domeny internetowej z wiadomością email, przez to pozwalająca organizacji brać odpowiedzialność za treść emaila. Sygnatura DKIM zabezpiecza przed podszywaniem się pod nadawcę (e-mail spoofing) z innych domen. – Wikipedia

Jest to kontynuacją ciągu postów na temat walki z spamem na własnych serwerach poczty opartych o Postfix.

Instalujemy niezbędne paczki:

#debian/ubuntu
apt-get install opendkim opendkim-tools

1 2	#debian/ubuntu apt-get install opendkim opendkim-tools

Konfigurujemy opendkim, jeżeli port 12301 jest zajęty zmieńmy go tutaj i pamiętajmy by w innych miejscach zrobić to także:

#vim /etc/opendkim.conf

OversignHeaders         From
AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

#vim /etc/opendkim.conf

OversignHeaders From

AutoRestart Yes

AutoRestartRate 10/1h

UMask 002

Syslog yes

SyslogSuccess Yes

LogWhy Yes

Canonicalization relaxed/simple

ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

InternalHosts refile:/etc/opendkim/TrustedHosts

KeyTable refile:/etc/opendkim/KeyTable

SigningTable refile:/etc/opendkim/SigningTable

Mode sv

PidFile /var/run/opendkim/opendkim.pid

SignatureAlgorithm rsa-sha256

UserID opendkim:opendkim

Socket inet:12301@localhost

#vim /etc/default/opendkim

SOCKET="inet:12301@localhost"

#vim /etc/default/opendkim

SOCKET="inet:12301@localhost"

Poinformujmy postfix-a, że ma kolejne narzędzie do zwalczania spamu:

#vim /etc/postfix/main.cf

milter_protocol = 2
milter_default_action = accept

smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

#vim /etc/postfix/main.cf

milter_protocol = 2

milter_default_action = accept

smtpd_milters = inet:localhost:12301

non_smtpd_milters = inet:localhost:12301

Jeżeli w smtpd_milters i/lub non_smtpd_milters mamy już jakieś wpisy można dodać nowe po przecinku

Utwórzmy teraz foldery i pliku konfiguracyjne, które wskazaliśmy jako tablice źródłowe:

mkdir -p /etc/opendkim/keys

#vim /etc/opendkim/TrustedHosts

127.0.0.1
localhost
192.168.0.1/24
*.example.com


#vim /etc/opendkim/KeyTable

mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

#vim /etc/opendkim/SigningTable

example.com mail._domainkey.example.com

mkdir -p /etc/opendkim/keys

#vim /etc/opendkim/TrustedHosts

127.0.0.1

localhost

192.168.0.1/24

*.example.com

#vim /etc/opendkim/KeyTable

mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

#vim /etc/opendkim/SigningTable

example.com mail._domainkey.example.com

Teraz musimy wygenerować klucze, które posłużą do mechanizmu DKIM:

mkdir /etc/opendkim/keys/example.com
cd /etc/opendkim/keys/example.com
opendkim-genkey -s mail -d example.com
chown opendkim:opendkim mail.private

mkdir /etc/opendkim/keys/example.com

cd /etc/opendkim/keys/example.com

opendkim-genkey -s mail -d example.com

chown opendkim:opendkim mail.private

Teraz będziemy musieli dodać klucz do wpisu domeny w rekordzie TXT, aby to zrobić musimy wyświetlicz klucz i dodać następujący wpis:

cat /etc/opendkim/keys/example.com/mail.txt

#bind9
mail._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=WARTOSC_WYSWIETLONA_ZOSTALA_POLECENIEM_WYZEJ"

cat /etc/opendkim/keys/example.com/mail.txt

#bind9

mail._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=WARTOSC_WYSWIETLONA_ZOSTALA_POLECENIEM_WYZEJ"

Zrestartujmy teraz wszystkie usługi, w których zmienialiśmy konfigurację:

service postfix restart
service opendkim restart
service bind9 restart

service postfix restart

service opendkim restart

service bind9 restart

Aby przetestować czy udało nam sie dodać mechanizm DKIM można wysłać mail na adres: check-auth(at)verifier.port25.com

Pozostałe wpisy dotyczące tego cyklu:

Posftix i Dovecot – Idealny duet tworzący serwer poczty

Walka ze spamem cz.1 – Postfix SPF

Sender Policy Framework (SPF) – niekomercyjny projekt mający na celu wprowadzenie zabezpieczenia serwerów SMTP przed przyjmowaniem poczty z niedozwolonych źródeł. Ma to pozytywnie wpłynąć na ograniczenie liczby wiadomości mailowych będących spamem. – Wikipedia

Zakładam, że macie już uruchomiony serwer postfix. Wszelkie konfiguracje oparte są o założenie, że korzystaliście z tego tutoriala: Posftix i Dovecot – Idealny duet tworzący serwer poczty i korzystacie z Debiana/Ubuntu.

Zainstalujmy potrzebne paczki:

#debina/ubuntu
apt-get install postfix-policyd-spf-python

1 2	#debina/ubuntu apt-get install postfix-policyd-spf-python

Domyślna polityka spf jest prawie wystarczającą ale sprawmy, żeby było lepiej:

#vim /etc/postfix-policyd-spf-python/policyd-spf.conf

#  For a fully commented sample config file see policyd-spf.conf.commented

debugLevel = 1
defaultSeedOnly = 1

HELO_reject = False
Mail_From_reject = False

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

#vim /etc/postfix-policyd-spf-python/policyd-spf.conf

# For a fully commented sample config file see policyd-spf.conf.commented

debugLevel = 1

defaultSeedOnly = 1

HELO_reject = False

Mail_From_reject = False

PermError_reject = False

TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

Powiadommy postfix-a, żeby korzystał z nowego wspólnika w walce ze spamem:

#vim /etc/postfix/main.cf

policy-spf_time_limit = 3600s

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policy-spf

#vim /etc/postfix/main.cf

policy-spf_time_limit = 3600s

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policy-spf

#vim /etc/postfix/master.cf

policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/bin/policyd-spf

#vim /etc/postfix/master.cf

policy-spf unix - n n - - spawn

user=nobody argv=/usr/bin/policyd-spf

Zrestartujmy posfix, żeby wczytał nowy plik konfigurayjny i gotowe

/etc/init.d/postfix restart

1	/etc/init.d/postfix restart

Pozostałe wpisy dotyczące tego cyklu:

Postfix i Dovecot – Idealny duet tworzący serwer poczty

Własny serwer email? Było by super! Jeżeli pytasz po co to nie projekt dla Ciebie 😉

Założenia:

własny postfix i dovecot
obsługa kont wirtualnych
wyłączenie obsługi kont systemowych
wykorzystanie bazy danych jako backendu dla kont

1. Instalacja

#debian/ubuntu
apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql sasl2-bin

1 2	#debian/ubuntu apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql sasl2-bin

General type of mail configuration: Internet Site

System mail name: domian.name

2. Mysql/MariaDB backend

Przygotujmy backend:

mysqladmin -p create mailserver
mysql -p mailserver

GRANT SELECT ON mailserver.* TO 'mailuser'@'127.0.0.1' IDENTIFIED BY 'mailuserpass';
FLUSH PRIVILEGES;
CREATE TABLE `virtual_domains` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(50) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `virtual_users` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `password` varchar(106) NOT NULL,
  `email` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `virtual_aliases` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `source` varchar(100) NOT NULL,
  `destination` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO `mailserver`.`virtual_domains`
  (`id` ,`name`)
VALUES
  ('1', 'example.com'),
  ('2', 'mail.example.com');

INSERT INTO `mailserver`.`virtual_users`
  (`id`, `domain_id`, `password` , `email`)
VALUES
  ('1', '1', ENCRYPT('123456', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'mail@example.com');

INSERT INTO `mailserver`.`virtual_aliases`
  (`id`, `domain_id`, `source`, `destination`)
VALUES
  ('1', '1', 'admin@example.com', 'mail@example.com'),
  ('2', '1', 'webmaster@example.com', 'mail@example.com'),
  ('3', '1', 'root@example.com', 'mail@example.com');

mysqladmin -p create mailserver

mysql -p mailserver

GRANT SELECT ON mailserver.* TO 'mailuser'@'127.0.0.1' IDENTIFIED BY 'mailuserpass';

FLUSH PRIVILEGES;

CREATE TABLE `virtual_domains` (

`id` int(11) NOT NULL auto_increment,

`name` varchar(50) NOT NULL,

PRIMARY KEY (`id`)

) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `virtual_users` (

`id` int(11) NOT NULL auto_increment,

`domain_id` int(11) NOT NULL,

`password` varchar(106) NOT NULL,

`email` varchar(100) NOT NULL,

PRIMARY KEY (`id`),

UNIQUE KEY `email` (`email`),

FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE

) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `virtual_aliases` (

`id` int(11) NOT NULL auto_increment,

`domain_id` int(11) NOT NULL,

`source` varchar(100) NOT NULL,

`destination` varchar(100) NOT NULL,

PRIMARY KEY (`id`),

FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE

) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO `mailserver`.`virtual_domains`

(`id` ,`name`)

VALUES

('1', 'example.com'),

('2', 'mail.example.com');

INSERT INTO `mailserver`.`virtual_users`

(`id`, `domain_id`, `password` , `email`)

VALUES

('1', '1', ENCRYPT('123456', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'mail@example.com');

INSERT INTO `mailserver`.`virtual_aliases`

(`id`, `domain_id`, `source`, `destination`)

VALUES

('1', '1', 'admin@example.com', 'mail@example.com'),

('2', '1', 'webmaster@example.com', 'mail@example.com'),

('3', '1', 'root@example.com', 'mail@example.com');

Najważniejszy plik konfiguracyjny main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/dovecot/dovecot.pem
smtpd_tls_key_file=/etc/dovecot/private/dovecot.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes

#Enabling SMTP for authenticated users, and handing off authentication to Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = hostname.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = example.com, hostname.example.com, localhost.example.com, localhost
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

#Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp

#Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
        mysql:/etc/postfix/mysql-virtual-email2email.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first

# line of that file to be used as the name. The Debian default

# is /etc/mailname.

#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

biff = no

# appending .domain is the MUA's job.

append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings

#delay_warning_time = 4h

readme_directory = no

# TLS parameters

smtpd_tls_cert_file=/etc/dovecot/dovecot.pem

smtpd_tls_key_file=/etc/dovecot/private/dovecot.pem

smtpd_use_tls=yes

smtpd_tls_auth_only = yes

#Enabling SMTP for authenticated users, and handing off authentication to Dovecot

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =

permit_sasl_authenticated,

permit_mynetworks,

reject_unauth_destination

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for

# information on enabling SSL in the smtp client.

myhostname = hostname.example.com

alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases

myorigin = /etc/mailname

#mydestination = example.com, hostname.example.com, localhost.example.com, localhost

mydestination = localhost

relayhost =

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

mailbox_size_limit = 0

recipient_delimiter = +

inet_interfaces = all

#Handing off local delivery to Dovecot's LMTP, and telling it where to store mail

virtual_transport = lmtp:unix:private/dovecot-lmtp

#Virtual domains, users, and aliases

virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf

virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,

mysql:/etc/postfix/mysql-virtual-email2email.cf

Następnie utwórzmy pliki z konfiguracją skrzynek wirtualnych:

#vim /etc/postfix/mysql-virtual-mailbox-domains.cf
user = mailuser
password = mailuserpass
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_domains WHERE name='%s'

#vim /etc/postfix/mysql-virtual-mailbox-maps.cf
user = mailuser
password = mailuserpass
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_users WHERE email='%s'

#vim /etc/postfix/mysql-virtual-alias-maps.cf
user = mailuser
password = mailuserpass
hosts = 127.0.0.1
dbname = mailserver
query = SELECT destination FROM virtual_aliases WHERE source='%s'

#vim /etc/postfix/mysql-virtual-email2email.cf
user = mailuser
password = mailuserpass
hosts = 127.0.0.1
dbname = mailserver
query = SELECT email FROM virtual_users WHERE email='%s'

#vim /etc/postfix/mysql-virtual-mailbox-domains.cf

user = mailuser

password = mailuserpass

hosts = 127.0.0.1

dbname = mailserver

query = SELECT 1 FROM virtual_domains WHERE name='%s'

#vim /etc/postfix/mysql-virtual-mailbox-maps.cf

user = mailuser

password = mailuserpass

hosts = 127.0.0.1

dbname = mailserver

query = SELECT 1 FROM virtual_users WHERE email='%s'

#vim /etc/postfix/mysql-virtual-alias-maps.cf

user = mailuser

password = mailuserpass

hosts = 127.0.0.1

dbname = mailserver

query = SELECT destination FROM virtual_aliases WHERE source='%s'

#vim /etc/postfix/mysql-virtual-email2email.cf

user = mailuser

password = mailuserpass

hosts = 127.0.0.1

dbname = mailserver

query = SELECT email FROM virtual_users WHERE email='%s'

Należy zrestartować teraz posftixa:

service postfix restart

1	service postfix restart

Przetestujmy czy nasz backend działa poprawnie:

postmap -q example.com mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
postmap -q mail@example.com mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
postmap -q webmaster@example.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf

postmap -q example.com mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

postmap -q mail@example.com mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf

postmap -q webmaster@example.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf

Następne operacje wykonywać będziemy na master.cf

vim /etc/postfix/master.cf 

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

#628       inet  n       -       -       -       -       qmqpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

vim /etc/postfix/master.cf

# Postfix master process configuration file. For details on the format

# of the file, see the master(5) manual page (command: "man 5 master").

# Do not forget to execute "postfix reload" after editing this file.

# ==========================================================================

# service type private unpriv chroot wakeup maxproc command + args

# (yes) (yes) (yes) (never) (100)

# ==========================================================================

smtp inet n - - - - smtpd

#smtp inet n - - - 1 postscreen

#smtpd pass - - - - - smtpd

#dnsblog unix - - - - 0 dnsblog

#tlsproxy unix - - - - 0 tlsproxy

submission inet n - - - - smtpd

-o syslog_name=postfix/submission

-o smtpd_tls_security_level=encrypt

-o smtpd_sasl_auth_enable=yes

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

-o milter_macro_daemon_name=ORIGINATING

smtps inet n - - - - smtpd

-o syslog_name=postfix/smtps

-o smtpd_tls_wrappermode=yes

-o smtpd_sasl_auth_enable=yes

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

-o milter_macro_daemon_name=ORIGINATING

#628 inet n - - - - qmqpd

pickup unix n - - 60 1 pickup

cleanup unix n - - - 0 cleanup

qmgr unix n - n 300 1 qmgr

#qmgr unix n - n 300 1 oqmgr

tlsmgr unix - - - 1000? 1 tlsmgr

rewrite unix - - - - - trivial-rewrite

bounce unix - - - - 0 bounce

defer unix - - - - 0 bounce

trace unix - - - - 0 bounce

verify unix - - - - 1 verify

flush unix n - - 1000? 0 flush

proxymap unix - - n - - proxymap

proxywrite unix - - n - 1 proxymap

smtp unix - - - - - smtp

relay unix - - - - - smtp

# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5

showq unix n - - - - showq

error unix - - - - - error

retry unix - - - - - error

discard unix - - - - - discard

local unix - n n - - local

virtual unix - n n - - virtual

lmtp unix - - - - - lmtp

anvil unix - - - - 1 anvil

scache unix - - - - 1 scache

# ====================================================================

# Interfaces to non-Postfix software. Be sure to examine the manual

# pages of the non-Postfix software to find out what options it wants.

# Many of the following services use the Postfix pipe(8) delivery

# agent. See the pipe(8) man page for information about ${recipient}

# and other message envelope options.

# ====================================================================

# maildrop. See the Postfix MAILDROP_README file for details.

# Also specify in main.cf: maildrop_destination_recipient_limit=1

maildrop unix - n n - - pipe

flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

# ====================================================================

# Recent Cyrus versions can use the existing "lmtp" master.cf entry.

# Specify in cyrus.conf:

# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4

# Specify in main.cf one or more of the following:

# mailbox_transport = lmtp:inet:localhost

# virtual_transport = lmtp:inet:localhost

# ====================================================================

# Cyrus 2.1.5 (Amos Gouaux)

# Also specify in main.cf: cyrus_destination_recipient_limit=1

#cyrus unix - n n - - pipe

# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}

# ====================================================================

# Old example of delivery via Cyrus.

#old-cyrus unix - n n - - pipe

# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}

# ====================================================================

# See the Postfix UUCP_README file for configuration details.

uucp unix - n n - - pipe

flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

# Other external delivery methods.

ifmail unix - n n - - pipe

flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)

bsmtp unix - n n - - pipe

flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient

scalemail-backend unix - n n - 2 pipe

flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

mailman unix - n n - - pipe

flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

${nexthop} ${user}

Wygląda to przerażająco, ale dla pewności podaje wam całe pliki, zamiast co w nich zmienić gdyż z kolejnymi wersjami plik referencyujny konfiguracji może różnić się.

Zrestartujmy teraz postfix-a bo z nim już skończyliśmy 🙂

service postfix restart

1	service postfix restart

3. Dovecot

Tutaj warto zrobić kopię plików, na których pracujemy

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.orig
cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig
cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig

cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig

cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig

cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.orig

cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig

cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig

Edytujemy dovecot.conf

vim /etc/dovecot/dovecot.conf
---
## Dovecot configuration file

# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration

# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.

# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace  "

# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp

# A comma separated list of IPs or hosts where to listen in for connections. 
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Name of this instance. Used to prefix all Dovecot processes in ps output.
#instance_name = dovecot

# Greeting message for clients.
#login_greeting = Dovecot ready.

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify the IMAP proxy servers here.
#login_trusted_networks =

# Sepace separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets = 

# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no

# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes

# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server

# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ

##
## Dictionary server settings
##

# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

vim /etc/dovecot/dovecot.conf

---

## Dovecot configuration file

# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration

# "doveconf -n" command gives a clean output of the changed settings. Use it

# instead of copy&pasting files when posting to the Dovecot mailing list.

# '#' character and everything after it is treated as comments. Extra spaces

# and tabs are ignored. If you want to use either of these explicitly, put the

# value inside quotes, eg.: key = "# char and trailing whitespace "

# Default values are shown for each setting, it's not required to uncomment

# those. These are exceptions to this though: No sections (e.g. namespace {})

# or plugin settings are added by default, they're listed only as examples.

# Paths are also just examples with the real defaults being based on configure

# options. The paths listed here are for configure --prefix=/usr

# --sysconfdir=/etc --localstatedir=/var

# Enable installed protocols

!include_try /usr/share/dovecot/protocols.d/*.protocol

protocols = imap lmtp

# A comma separated list of IPs or hosts where to listen in for connections.

# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.

# If you want to specify non-default ports or anything more complex,

# edit conf.d/master.conf.

#listen = *, ::

# Base directory where to store runtime data.

#base_dir = /var/run/dovecot/

# Name of this instance. Used to prefix all Dovecot processes in ps output.

#instance_name = dovecot

# Greeting message for clients.

#login_greeting = Dovecot ready.

# Space separated list of trusted network ranges. Connections from these

# IPs are allowed to override their IP addresses and ports (for logging and

# for authentication checks). disable_plaintext_auth is also ignored for

# these networks. Typically you'd specify the IMAP proxy servers here.

#login_trusted_networks =

# Sepace separated list of login access check sockets (e.g. tcpwrap)

#login_access_sockets =

# Show more verbose process titles (in ps). Currently shows user name and

# IP address. Useful for seeing who are actually using the IMAP processes

# (eg. shared mailboxes or if same uid is used for multiple accounts).

#verbose_proctitle = no

# Should all processes be killed when Dovecot master process shuts down.

# Setting this to "no" means that Dovecot can be upgraded without

# forcing existing client connections to close (although that could also be

# a problem if the upgrade is e.g. because of a security fix).

#shutdown_clients = yes

# If non-zero, run mail commands via this many connections to doveadm server,

# instead of running them directly in the same process.

#doveadm_worker_count = 0

# UNIX socket or host:port used for connecting to doveadm server

#doveadm_socket_path = doveadm-server

# Space separated list of environment variables that are preserved on Dovecot

# startup and passed down to all of its child processes. You can also give

# key=value pairs to always set specific settings.

#import_environment = TZ

## Dictionary server settings

# Dictionary can be used to store key=value lists. This is used by several

# plugins. The dictionary can be accessed either directly or though a

# dictionary server. The following dict block maps dictionary names to URIs

# when the server is used. These can then be referenced using URIs in format

# "proxy::<name>".

dict {

#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext

#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext

}

# Most of the actual configuration gets included below. The filenames are

# first sorted by their ASCII value and parsed in that order. The 00-prefixes

# in filenames are intended to make it easier to understand the ordering.

!include conf.d/*.conf

# A config file can also tried to be included without giving an error if

# it's not found:

!include_try local.conf

Następnie od/komentowujemy linie zgodnie z poniższą zawartością

vim /etc/dovecot/conf.d/10-mail.conf
---
mail_location = maildir:/var/mail/vhosts/%d/%n
...
mail_privileged_group = mail
---

vim /etc/dovecot/conf.d/10-auth.conf
--
disable_plaintext_auth = yes
...
auth_mechanisms = plain login
...
#!include auth-system.conf.ext
!include auth-sql.conf.ext
--

vim /etc/dovecot/conf.d/auth-sql.conf.ext
---
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
---

vim /etc/dovecot/dovecot-sql.conf.ext
---
driver = mysql
connect = host=127.0.0.1 dbname=mailserver user=mailuser password=mailuserpass
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
---

vim /etc/dovecot/conf.d/10-master.conf
---
#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   mode = 0600
   user = postfix
   group = postfix
  }
  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port = 
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = 256M

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    #group = vmail
  }

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  user = dovecot
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  user = vmail
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user = 
    #group = 
  }
}
---

vim /etc/dovecot/conf.d/10-ssl.conf 
---
ssl = required
...
ssl_cert = </etc/ssl/certs/mail.crt
ssl_key = </etc/ssl/private/mail.key
---

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

vim /etc/dovecot/conf.d/10-mail.conf

---

mail_location = maildir:/var/mail/vhosts/%d/%n

...

mail_privileged_group = mail

---

vim /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes

...

auth_mechanisms = plain login

...

#!include auth-system.conf.ext

!include auth-sql.conf.ext

vim /etc/dovecot/conf.d/auth-sql.conf.ext

---

passdb {

driver = sql

args = /etc/dovecot/dovecot-sql.conf.ext

}

userdb {

driver = static

args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n

}

---

vim /etc/dovecot/dovecot-sql.conf.ext

---

driver = mysql

connect = host=127.0.0.1 dbname=mailserver user=mailuser password=mailuserpass

default_pass_scheme = SHA512-CRYPT

password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

---

vim /etc/dovecot/conf.d/10-master.conf

---

#default_process_limit = 100

#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly

# intended to catch and kill processes that leak memory before they eat up

# everything.

#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted

# user in Dovecot system. It shouldn't have access to anything at all.

#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from

# login user, so that login processes can't disturb other processes.

#default_internal_user = dovecot

service imap-login {

inet_listener imap {

#port = 0

}

inet_listener imaps {

port = 993

ssl = yes

}

# Number of connections to handle before starting a new process. Typically

# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0

# is faster. <doc/wiki/LoginProcess.txt>

#service_count = 1

# Number of processes to always keep waiting for more connections.

#process_min_avail = 0

# If you set service_count=0, you probably need to grow this.

#vsz_limit = 64M

}

service pop3-login {

inet_listener pop3 {

port = 0

}

inet_listener pop3s {

#port = 995

#ssl = yes

}

service lmtp {

unix_listener /var/spool/postfix/private/dovecot-lmtp {

mode = 0600

user = postfix

group = postfix

}

# Create inet listener only if you can't use the above UNIX socket

#inet_listener lmtp {

# Avoid making LMTP visible for the entire internet

#address =

#port =

}

service imap {

# Most of the memory goes to mmap()ing files. You may need to increase this

# limit if you have huge mailboxes.

#vsz_limit = 256M

# Max. number of IMAP processes (connections)

#process_limit = 1024

}

service pop3 {

# Max. number of POP3 processes (connections)

#process_limit = 1024

}

service auth {

# auth_socket_path points to this userdb socket by default. It's typically

# used by dovecot-lda, doveadm, possibly imap process, etc. Its default

# permissions make it readable only by root, but you may need to relax these

# permissions. Users that have access to this socket are able to get a list

# of all usernames and get results of everyone's userdb lookups.

unix_listener /var/spool/postfix/private/auth {

mode = 0666

user = postfix

group = postfix

}

unix_listener auth-userdb {

mode = 0600

user = vmail

#group = vmail

}

# Postfix smtp-auth

#unix_listener /var/spool/postfix/private/auth {

# mode = 0666

# Auth process is run as this user.

user = dovecot

}

service auth-worker {

# Auth worker process is run as root by default, so that it can access

# /etc/shadow. If this isn't necessary, the user should be changed to

# $default_internal_user.

user = vmail

}

service dict {

# If dict proxy is used, mail processes should have access to its socket.

# For example: mode=0660, group=vmail and global mail_access_groups=vmail

unix_listener dict {

#mode = 0600

#user =

#group =

}

---

vim /etc/dovecot/conf.d/10-ssl.conf

---

ssl = required

...

ssl_cert = </etc/ssl/certs/mail.crt

ssl_key = </etc/ssl/private/mail.key

---

Utwórzmy wymaganego użytkownika vmail

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail
mkdir -p /var/mail/vhosts/example.com/
chown -R vmail:vmail /var/mail
chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot

groupadd -g 5000 vmail

useradd -g vmail -u 5000 vmail -d /var/mail

mkdir -p /var/mail/vhosts/example.com/

chown -R vmail:vmail /var/mail

chown -R vmail:dovecot /etc/dovecot

chmod -R o-rwx /etc/dovecot

Resetujemy dovecot-a

service dovecot restart

1	service dovecot restart

4. Dodawanie nowych kont mailowych

mysql -u root -p mailserver

#domena
INSERT INTO `mailserver`.`virtual_domains`
  (`name`)
VALUES
  ('newdomain.com');

#konto
INSERT INTO `mailserver`.`virtual_users`
  (`domain_id`, `password` , `email`)
VALUES
  ('5', ENCRYPT('newpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))) , 'email3@newdomain.com');

#alias
INSERT INTO `mailserver`.`virtual_aliases`
  (`domain_id`, `source`, `destination`)
VALUES
  ('5', 'alias@newdomain.com', 'myemail@gmail.com');

#alias łapiący wszystko dla domeny
INSERT INTO `mailserver`.`virtual_aliases`
  (`domain_id`, `source`, `destination`)
VALUES
  ('5', '@newdomain.com', 'myemail@gmail.com');

mysql -u root -p mailserver

#domena

INSERT INTO `mailserver`.`virtual_domains`

(`name`)

VALUES

('newdomain.com');

#konto

INSERT INTO `mailserver`.`virtual_users`

(`domain_id`, `password` , `email`)

VALUES

('5', ENCRYPT('newpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))) , 'email3@newdomain.com');

#alias

INSERT INTO `mailserver`.`virtual_aliases`

(`domain_id`, `source`, `destination`)

VALUES

('5', 'alias@newdomain.com', 'myemail@gmail.com');

#alias łapiący wszystko dla domeny

INSERT INTO `mailserver`.`virtual_aliases`

(`domain_id`, `source`, `destination`)

VALUES

('5', '@newdomain.com', 'myemail@gmail.com');

5. SPAM

Zapraszam także do zapoznania się z wpisamy dotyczącymi walki ze spam-em: