dokuro Posté(e) le 21 janvier 2015 Signaler Share Posté(e) le 21 janvier 2015 This is a tutorial on how to install an email server on Debian Wheezy 7. We are going to install the following components: E-mail server: Postfix Dovecot Sasl library MySQL Milters: SpamAssassin Clamav Greylist Webserver: Nginx PHP5 phpMyAdmin PostfixAdmin RoundCube Please replace any text in red with your info. Here is a scheme about the internals, click on image to get a clear view: 1. Install Debian Wheezy 7 When installing Debian 7 itself, only select ‘SSH server’ when prompted to select software. If Debian is ready, install the following packages: apt-get install sudo mc vim 2. Install MySQL server and client apt-get install mysql-server mysql-client Enter a MySQL root password when prompted. Check that mysqld is running: ps aux 3. Install PHP5 and Nginx At this point I use the Dotdeb repo to install PHP version 5.5.x Add Dotdeb repositories to /etc/apt/sources.list file: deb http://packages.dotdeb.org wheezy-php55 all deb-src http://packages.dotdeb.org wheezy-php55 all Add Dotdeb key: wget http://www.dotdeb.org/dotdeb.gpg sudo apt-key add dotdeb.gpg Update apt cache: apt-get update Install PHP5 and Nginx: apt-get install php5-fpm php5-imap php5-mysql php5-mcrypt php5-intl nginx openssl ssl-cert Make sure php5-fpm and nginx are running: service php5-fpm start service nginx start Create a folders to store web files: mkdir /home/clients_ssl mkdir /home/clients_ssl/<subdomain.domain.tld> mkdir /home/clients_ssl/<subdomain.domain.tld>/logs mkdir /home/clients_ssl/<subdomain.domain.tld>/tmp mkdir /home/clients_ssl/<subdomain.domain.tld>/www Create nginx config for this site: vi /etc/nginx/sites-available/<subdomain.domain.tld>_ssl Press ‘i’ and paste the following in vim, replace <yourip> and <subdomain.domain.tld> with your info: server { listen <yourip>:443; server_name <subdomain.domain.tld>; ssl on; ssl_certificate /etc/nginx/certs/<subdomain.domain.tld>.combined.crt; ssl_certificate_key /etc/nginx/certs/<subdomain.domain.tld>.key; root /home/clients_ssl/<subdomain.domain.tld>/www; index index.php index.html index.htm; location ~ .php$ { fastcgi_pass unix:/etc/php5/fpm/socks/ssl_<subdomain.domain.tld>.sock; include fastcgi_params; fastcgi_param HTTPS on; } location ~ /. { deny all; } access_log /home/clients_ssl/<subdomain.domain.tld>/logs/access.log; error_log /home/clients_ssl/<subdomain.domain.tld>/logs/error.log; error_page 404 /404.html; } Remove the default site and put your site online: rm /etc/nginx/sites-available/default ln -s /etc/nginx/sites-available/<subdomain.domain.tld>_ssl /etc/nginx/sites-enabled/<subdomain.domain.tld>_ssl Create the certs folder. mkdir /etc/nginx/certs Put your cerificates in there. Get a valid certificate from a certificate authority or create a self signed certificate. You can google on how to make one. Make sure to edit your Nginx config file to match the certificate filenames. Restart Nginx service nginx restart Create a php5-fpm config file: vi /etc/php5/fpm/pool.d/ssl_<subdomain.domain.tld>.conf Press ‘i’ and paste the following in vim, replace <subdomain.domain.tld> with your info: [ssl_<subdomain.domain.tld>] listen = /etc/php5/fpm/socks/ssl_<subdomain.domain.tld>.sock user = u1001 group = g1001 listen.owner = www-data listen.group = www-data listen.mode = 0666 pm = dynamic pm.max_children = 50 pm.start_servers = 1 pm.min_spare_servers = 1 pm.max_spare_servers = 5 pm.max_requests = 0 php_admin_value[open_basedir]=/ php_admin_value[session.save_path]=/home/clients_ssl/<subdomain.domain.tld>/tmp php_admin_value[upload_tmp_dir]=/home/clients_ssl/<subdomain.domain.tld>/tmp php_admin_value[disable_functions]=dl Create a user for this virtualhost: groupadd -g 1001 g1001 useradd --no-create-home -g 1001 -u 1001 u1001 Create socks folder: mkdir /etc/php5/fpm/socks Remove the default php pool: rm /etc/php5/fpm/pool.d/www.conf Add timezone info to php ini file /etc/php5/fpm/php.ini: date.timezone = Europe/Tallinn Restart php5-fpm service php5-fpm restart 4. Install phpMyAdmin cd /home/clients_ssl/<subdomain.domain.tld>/www wget 'http://downloads.sourceforge.net/project/phpmyadmin/phpMyAdmin/4.0.8/phpMyAdmin-4.0.8-english.tar.gz?use_mirror=netcologne' mv phpMyAdmin-4.0.8-english.tar.gz?use_mirror=netcologne pma.tar.gz tar -zxvf pma.tar.gz Hide pma or bots will try to hack into it: mv phpMyAdmin-4.0.8-english pma_763773 cd pma_763773cp config.sample.inc.php config.inc.php Set the right owner for www and tmp folder: cd /home/clients_ssl/<subdomain.domain.tld> chown -R 1001.1001 www tmp Now you should be able to access pma at: https://<subdomain.domain.tld>/pma_763773/ Now open phpMyAdmin and click on ‘SQL’ on the top menubar. Paste the following SQL queries to create a database and user, replace <password> as you see fit: CREATE DATABASE postfix;GRANT ALL PRIVILEGES ON postfix.* TO 'postfix_admin'@'%' IDENTIFIED BY '<dbpassword1>';GRANT SELECT ON postfix.* TO 'postfix'@'%' IDENTIFIED BY '<dbpassword2>'; FLUSH PRIVILEGES; 5. Install PostfixAdmin Although you can install it from a standard Debian package I am going to download it directly instead so I can put it under my custom path immediately. cd /home/clients_ssl/<subdomain.domain.tld>/www wget 'http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.6/postfixadmin-2.3.6.tar.gz?use_mirror=garr' mv postfixadmin-2.3.6.tar.gz?use_mirror=garr pfa.tar.gz tar -zxvf pfa.tar.gz mv postfixadmin-2.3.6 pfa_746338 chown -R 1001.1001 pfa_746338 cd pfa_746338 sed -i 's/change-this-to-your.domain.tld/<subdomain.domain.tld>/g' config.inc.php Now edit configuration file config.inc.php and change these values: $CONF['configured'] = true;$CONF['postfix_admin_url'] = 'https://<subdomain.domain.tld>/pfa_746338';$CONF['database_type'] = 'mysqli';$CONF['database_host'] = 'localhost';$CONF['database_user'] = 'postfix_admin';$CONF['database_password'] = '<dbpassword1>';$CONF['database_name'] = 'postfix';$CONF['domain_path'] = 'YES';$CONF['domain_in_mailbox'] = 'NO';$CONF['fetchmail'] = 'NO'; Go to https://<subdomain.domain.tld>/pfa_746338/setup.php This setup script should create the nesessary tables to postfix database. At the bottom of setup.php enter your admin password and click ‘Gererate password hash’. Edit config.inc.php and add the hash: $CONF['setup_password'] = '<hash>'; Now enter superadmin account info. You can use this to access PostfixAdmin and configure domains, e-mail accounts, aliases etc. Try to log in with the admin account here: https://<subdomain.domain.tld>/pfa_746338 6. Install Postfix and Sasl library apt-get install postfix postfix-mysql libsasl2-modules libsasl2-modules-sql When prompted, choose ‘Internet Site’. Use yor domain name as ‘System mail name': <subdomain.domain.tld> For example use ‘mail.yourdomain.tld’. Do not use ‘yourdomain.tld’ here if it is going to be one of your virtual mailbox domains. Create virtual mail user and group: groupadd -g 3000 vmail useradd -d /home/vmail -m -u 3000 -g 3000 vmail Edit /etc/postfix/main.cf: mydestination = <subdomain.domain.tld>, localhost and add the following lines: virtual_uid_maps = static:3000virtual_gid_maps = static:3000virtual_mailbox_base = /home/vmailvirtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_mailbox_domains.cfvirtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cfvirtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cfrelay_domains = mysql:/etc/postfix/mysql_relay_domains.cfvirtual_transport = lmtp:unix:private/dovecot-lmtpsmtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostnamesmtpd_sasl_auth_enable = yessmtpd_sasl_security_options = noanonymoussmtpd_sasl_type = dovecotsmtpd_sasl_path = private/authmilter_default_action = accept Create the following files: /etc/postfix/mysql_virtual_mailbox_domains.cf hosts = 127.0.0.1 user = postfix password = <dbpassword2> dbname = postfix query = SELECT domain FROM domain WHERE domain='%s' and backupmx = 0 and active = 1 /etc/postfix/mysql_virtual_mailbox_maps.cf hosts = 127.0.0.1user = postfixpassword = <dbpassword2>dbname = postfixquery = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1 /etc/postfix/mysql_virtual_alias_maps.cf hosts = 127.0.0.1 user = postfix password = <dbpassword2> dbname = postfix query = SELECT goto FROM alias WHERE address='%s' AND active = 1 /etc/postfix/mysql_relay_domains.cf hosts = 127.0.0.1user = postfixpassword = <dbpassword2>dbname = postfixquery = SELECT domain FROM domain WHERE domain='%s' and backupmx = 1 /etc/postfix/sasl/smtpd.conf pwcheck_method: auxpropmech_list: plain loginauxprop_plugin: sqlsql_engine: mysqlsql_hostnames: 127.0.0.1sql_user: postfixsql_passwd: <dbpassword2>sql_database: postfixsql_select: SELECT password FROM mailbox WHERE username = '%u@%r' AND active = 1 Add postfix user to sasl group: adduser postfix sasl Enable secure smtp ports, edit /etc/postfix/master.cf and uncomment: submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING 7. Install Dovecot apt-get install dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-lmtpd Create file /etc/dovecot/dovecot-mysql.conf.ext: driver = mysql connect = host=127.0.0.1 dbname=postfix user=postfix password=<dbpassword2> default_pass_scheme = MD5-CRYPT user_query = SELECT '/home/vmail/%d/%n' as home, 3000 AS uid, 3000 AS gid FROM mailbox WHERE username = '%u' password_query = SELECT password FROM mailbox WHERE username = '%u' Edit /etc/dovecot/conf.d/10-auth.conf disable_plaintext_auth = no auth_mechanisms = plain login#!include auth-system.conf.ext !include auth-sql.conf.ext Edit /etc/dovecot/conf.d/10-mail.conf mail_location = maildir:/home/vmail/%d/%n:INDEX=/home/vmail/%d/%n/indexes Edit /etc/dovecot/conf.d/10-ssl.conf ssl = yes Edit /etc/dovecot/conf.d/20-imap.conf mail_max_userip_connections = 10 Edit /etc/dovecot/conf.d/auth-sql.conf.ext passdb { driver = sql# Path for SQL configuration file, see example-config/dovecot-sql.conf.ext args = /etc/dovecot/dovecot-mysql.conf.ext } userdb { driver = sql args = /etc/dovecot/dovecot-mysql.conf.ext } Edit /etc/dovecot/conf.d/10-master.conf service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { mode = 0600 user = postfixgroup = postfix } } service auth {# Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0666 } } Restart services: service dovecot restart service postfix restart You can now add a domain with PostfixAdmin and test your e-mail server. Any errors are found in logfiles: /var/log/auth.log /var/log/mail.log /var/log/syslog 8. Install Milters apt-get install clamav-milter clamav-unofficial-sigs milter-greylist spamass-milter clamav-milter: Update ClamAv database and start the daemon: freshclam /etc/init.d/clamav-daemon start Edit /etc/default/clamav-milter and uncomment the last line: SOCKET_RWGROUP=postfix Create a socket folder inside Postfix chroot environment: mkdir /var/spool/postfix/clamav chown clamav /var/spool/postfix/clamav Configure ClamAv milter: dpkg-reconfigure clamav-milter Answer questions as follows: Handle configuration automatically --> yes User for daemon --> clamav Additional groups --> none (empty field) path to socket --> /var/spool/postfix/clamav/clamav-milter.ctl group owner for the socket --> clamav permissions (mode) for socket --> 660 remove stale socket --> yeswait timeout for clamd --> 120 foreground --> no chroot --> none (empty field) pid file --> /var/run/clamav/clamav-milter.pid temporary path --> /tmp clamd socket --> unix:/var/run/clamav/clamd.ctl hosts excluded for scanning --> none (empty field) mail whitelist --> none (empty field) action for "infected" mail --> reject action on error --> defer reason for rejection --> Rejecting harmful e-mail: %v found. headers -> replacelog file --> /var/log/clamav/clamav-milter.log disable log file locking --> no maximum log file size --> 0log time --> yes use syslog --> nolog facility (type of syslog message) --> LOG_LOCAL6 verbose logging --> nolog level when infected --> offlog level when no threat --> off size limit for scanned messages --> 25 Tell Postfix to use this new milter: postconf -e 'smtpd_milters = unix:/clamav/clamav-milter.ctl' postfix reload spamass-milter: Edit /etc/default/spamass-milter: Add ‘-m’ so it won’t change the subject header. Add ‘-r -1′ so Postfix rejects what SpamAssassin flags as spam. Add ‘-l’ to avoid scanning e-mails sent by logged in users. OPTIONS="-u spamass-milter -i 127.0.0.1 -m -r -1 -I" Restart milter: service spamass-milter restart Add a dedicated user for SpamAssassin daemon: adduser --shell /bin/false --home /var/lib/spamassassin --disabled-password --disabled-login --gecos "" spamd Edit /etc/default/spamassassin: ENABLED=1OPTIONS="--create-prefs --max-children 5 --helper-home-dir=/var/lib/spamassassin -u spamd -g spamd"CRON=1 Update rules and restart the daemon: sa-update service spamassassin restart Tell Postfix to use new milter: postconf -e 'smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock' postfix reload milter-greylist: Edit /etc/milter-greylist/greylist.conf: # For sendmail use the following two lines#socket "/var/run/milter-greylist/milter-greylist.sock"#user "smmsp"# For Postfix uncomment the following two lines and comment out the# sendmail ones above. socket "/var/spool/postfix/milter-greylist/milter-greylist.sock" 660 user "greylist" Edit /etc/default/milter-greylist: ENABLED=1SOCKET="/var/spool/postfix/milter-greylist/milter-greylist.sock" Make a folder for the socket and restart milter: mkdir /var/spool/postfix/milter-greylist chmod 2755 /var/spool/postfix/milter-greylist chown greylist:postfix /var/spool/postfix/milter-greylist service milter-greylist restart Tell Postfix to use the new milter: postconf -e 'milter_connect_macros = i b j _ {daemon_name} {if_name} {client_addr}' postconf -e 'smtpd_milters = unix:/milter-greylist/milter-greylist.sock, unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock' postfix reload 9. Install RoundCube wget 'http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/0.9.4/roundcubemail-0.9.4.tar.gz?use_mirror=heanet' mv roundcubemail-0.9.4.tar.gz?use_mirror=heanet roundcubemail-0.9.4.tar.gz tar -zxvf roundcubemail-0.9.4.tar.gz mv roundcubemail-0.9.4 rcb_733621 chown -R 1001.1001 rcb_733621 Open phpMyAdmin SQL window and paste: CREATE DATABASE roundcube;GRANT ALL PRIVILEGES ON roundcube.* TO roundcube@localhost IDENTIFIED BY '<rcpassword>'; FLUSH PRIVILEGES; Add initial tables and data: cd /home/clients_ssl/<subdomain.domain.tld>/www/rcb_733621 mysql -u roundcube -p roundcube < SQL/mysql.initial.sql Go to https://<subdomain.domain.tld>/rcb_733621/installer/ See that your environment is ok and click Next. On the ‘Create config’ page, you may want to change the following values: product_name: <yourproductname>support_url: <yoururl> database name: roundcube database password: <rcpassword>default_host: localhostsmtp_server: localhostlanguage: en_US Click Continue Change the value in textarea to: $rcmail_config['use_https'] = true; Then copy all from textarea and paste the contents to main.inc.php and db.inc.php under /home/clients_ssl/<subdomain.domain.tld>/www/rcb_733621/config Remove installer folder: mv installer ../../ Open RoundCube at https://<subdomain.domain.tld>/rcb_733621/ Citer Lien vers le commentaire Partager sur d’autres sites More sharing options...
Messages recommandés
Rejoindre la conversation
Vous pouvez publier maintenant et vous inscrire plus tard. Si vous avez un compte, connectez-vous maintenant pour publier avec votre compte.