I had a VPS at Server Mule (www.servermule.com.au) and wanted to set up a POP3 mail server. I will configure a catch-all account that receives all mail for the domain, and add DNSBL lookups so that known spam sources are rejected at SMTP time.
Begin by provisioning the server at Server Mule.
Set up the firewall at Server Mule:
Allow inbound 22 tcp from your own IP address only
Allow inbound 80, 443, 995, 587 and 25 tcp from all (80 and 443 are only needed for the certbot standalone challenge; 25 receives mail, 587 is authenticated submission and 995 is POP3S; plain POP3 on 110 is deliberately not opened)
Set the default rule to block
Save the firewall
Apply the firewall
Log on to the server via SSH and remove apt-listchanges, which otherwise stops non-interactive apt-get runs at a pager:
apt-get -y remove apt-listchanges
To install certbot for the TLS certificate, we need jessie-backports. Edit /etc/apt/sources.list and add:
deb http://ftp.debian.org/debian jessie-backports main
Run apt-get update && apt-get -y upgrade
Set the timezone with dpkg-reconfigure tzdata
Install the required packages:
apt-get -y install certbot -t jessie-backports
apt-get -y install postfix dovecot-core dovecot-pop3d dovecot-lmtpd mailutils
During the postfix install, select Internet site and enter your domain name (anonit.net in this example, not the host's FQDN). Debian writes it to /etc/mailname, which main.cf uses as myorigin; the bare alias targets later in this post rely on that.
Stop postfix while it is being configured: postfix stop
Back up /etc/postfix/master.cf
cp /etc/postfix/master.cf /etc/postfix/master.cf.old
edit /etc/postfix/master.cf
uncomment the line “submission inet n - - - - smtpd”
Under submission, uncomment “-o smtpd_sasl_auth_enable=yes”
Under submission, add “-o smtpd_tls_auth_only=yes” (the parameter is smtpd_tls_auth_only; it makes smtpd advertise AUTH only after STARTTLS, so passwords never cross the wire in clear), “-o smtpd_sasl_type=dovecot”, and “-o smtpd_sasl_path=private/auth”. If the stock file also has commented “-o smtpd_tls_security_level=encrypt” and “-o smtpd_client_restrictions=permit_sasl_authenticated,reject” lines under submission, uncomment those too: the first refuses any unencrypted session on 587 and the second keeps unauthenticated clients off the submission port entirely.
Generate the TLS certificate with the command certbot certonly
Choose the standalone option (nothing else is listening on port 80 yet), enter a valid email address and agree to the terms and conditions. For the domain, enter the fully qualified host name (mail5.anonit.net here, not the bare domain): it must be the name clients connect to, because they verify the certificate against it.
Take note of the location of the certificate (/etc/letsencrypt/live/<hostname>/)
Back up /etc/postfix/main.cf
cp /etc/postfix/main.cf /etc/postfix/main.cf.old
edit /etc/postfix/main.cf
Add the following to enable TLS, changing the directory to the one certbot reported above (may is right for port 25, where other mail servers cannot be forced to use TLS; credentials on 587 are protected by the smtpd_tls_auth_only setting in master.cf):
smtpd_tls_cert_file = /etc/letsencrypt/live/mail5.anonit.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail5.anonit.net/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may
Make the mydestination line empty, because the domain is delivered as a virtual mailbox domain below and Postfix warns, and delivers locally instead, if the same domain appears in both mydestination and virtual_mailbox_domains:
mydestination=
Ensure myhostname is the FQDN (mail5.anonit.net); Postfix derives mydomain from it, and mydomain becomes the virtual mailbox domain below
Comment out the following lines if they exist by putting a hash as the first character (they point at the self-signed snakeoil certificate):
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Back up /etc/dovecot/dovecot.conf
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.old
Append the following at the end of /etc/dovecot/dovecot.conf, after the !include conf.d/*.conf line, so that it overrides the defaults shipped in conf.d/. It disables plain POP3 (port = 0) and serves POP3S only, again using the certificate paths noted above.
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
port = 995
}
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail5.anonit.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail5.anonit.net/privkey.pem
Restart postfix and dovecot
service postfix restart && service dovecot restart
Test the TLS connections locally:
openssl s_client -starttls smtp -connect mail5.anonit.net:587
openssl s_client -connect mail5.anonit.net:995
Both tests should end with “Verify return code: 0 (ok)”; any other code means the chain or the host name does not match what clients will see
You may need to CTRL-C out of the POP3S test (the second command)
Test external access to port 25 from another host.
Run an open relay test: http://www.mailradar.com/openrelay/. Postfix 2.11 on Jessie already refuses relaying through its default smtpd_relay_restrictions; the test confirms that none of the edits above have loosened that.
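Here is an added acceptance check that scripts the two openssl tests above plus the two things they do not cover: that AUTH is not advertised on 587 before STARTTLS, and that port 25 refuses to relay. It is example code written for this post, not something from the original. The live probes assume openssl(1) and nc(1) (netcat-openbsd) on the machine running them and take the host name as the argument; the parser functions work on captured output and can be tried offline.

```sh
#!/bin/sh
# Added acceptance checks for the server built above; example code, not from the
# original post. The three parser functions take captured server output on stdin
# and can be exercised offline; run_checks HOST performs the live probes and
# assumes openssl(1) and nc(1) (netcat-openbsd) are installed where it runs.
set -eu

# Does openssl s_client output show a certificate chain that verified?
tls_verified() {
    grep -q '^Verify return code: 0 (ok)'
}

# Plaintext EHLO response on 587: STARTTLS must be offered and AUTH must not be,
# which is what smtpd_tls_auth_only=yes produces. Anything else leaks credentials.
starttls_before_auth() {
    resp=$(cat)
    printf '%s\n' "$resp" | grep -qi '^250[ -]STARTTLS' || return 1
    printf '%s\n' "$resp" | grep -qi '^250[ -]AUTH' && return 1
    return 0
}

# Port-25 dialogue for an outside sender to an outside recipient: Postfix must
# answer RCPT TO with a relay refusal.
relay_refused() {
    grep -q '^554 5\.7\.1 .*Relay access denied'
}

run_checks() {
    host=$1
    printf '%-40s' "587 STARTTLS, chain verifies:"
    if openssl s_client -starttls smtp -connect "$host:587" </dev/null 2>/dev/null | tls_verified; then echo ok; else echo FAIL; fi
    printf '%-40s' "995 POP3S, chain verifies:"
    if openssl s_client -connect "$host:995" </dev/null 2>/dev/null | tls_verified; then echo ok; else echo FAIL; fi
    printf '%-40s' "587 hides AUTH until STARTTLS:"
    if printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$host" 587 | starttls_before_auth; then echo ok; else echo FAIL; fi
    printf '%-40s' "25 refuses to relay:"
    # Crude pipelined probe; swaks(1) is the usual tool for a more careful one.
    if printf 'EHLO probe.example\r\nMAIL FROM:<probe@example.com>\r\nRCPT TO:<probe@example.org>\r\nQUIT\r\n' \
        | nc -w 10 "$host" 25 | relay_refused; then echo ok; else echo FAIL; fi
    printf '%-40s' "110 plain POP3 closed:"
    if nc -z -w 5 "$host" 110 2>/dev/null; then echo FAIL; else echo ok; fi
}

# Usage: sh mailcheck.sh mail5.anonit.net
if [ $# -eq 1 ]; then
    run_checks "$1"
fi
```

Run it from a machine outside the server's own network, since permit_mynetworks would otherwise let the relay probe through and mask the result.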
Create a user vmail that will own all virtual mailboxes:
groupadd -g 2000 vmail
useradd -g vmail -u 2000 vmail -d /var/vmail -m
Edit /etc/dovecot/dovecot.conf
Add the following. The auth socket lives under Postfix's private/ directory and is only used by smtpd, which runs as the postfix user, so owner and group postfix with mode 0660 is enough; disable_plaintext_auth together with ssl = required means the PLAIN and LOGIN mechanisms are only accepted inside TLS.
auth_mechanisms = plain login
disable_plaintext_auth = yes
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
user = postfix
mode = 0660
}
}
mail_location = maildir:/var/vmail/%d/%n
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/userdb-file
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}
Create the POP3 user account. Generate a password hash with:
doveadm pw -s SHA512-CRYPT
Enter the password twice and take note of the hash it prints (it begins with {SHA512-CRYPT}; that prefix tells Dovecot the scheme and overrides the scheme=CRYPT default in the passdb above)
Create a new file /etc/dovecot/userdb-file with one line per mailbox, in the format:
EmailAddress:HASH
EG:
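An added helper for this step (example code, not from the original post): it wraps doveadm pw, appends the entry, pre-creates the Maildir, and lints the file for the mistakes that only show up as a silent login failure later. It assumes the paths, the vmail user and the mail_location layout configured above, and doveadm(1) on the server; the lint on its own runs anywhere.

```sh
#!/bin/sh
# Added helper for the passwd-file step above; example code, not from the original
# post. userdb_lint checks a file in the EmailAddress:HASH format and runs offline;
# add_mailbox needs root and doveadm(1) on the server. The paths, the vmail user
# and the mail_location layout are the ones configured on this page.
set -eu

USERDB=/etc/dovecot/userdb-file
VMAIL_ROOT=/var/vmail

# Lint the passwd-file. Each entry must be a full user@domain (the static userdb
# builds home=/var/vmail/%d/%n from the domain part, so a bare name would land in
# /var/vmail//name), the password field must be a {SCHEME}-prefixed or $-prefixed
# crypt hash rather than a pasted clear-text password, and no address may repeat.
userdb_lint() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[[:space:]]*$/ || /^#/ { next }
        {
            user = $1; hash = $2
            if (user !~ /^[^@]+@[^@]+$/) {
                print FILENAME ":" NR ": not a full address: " user; bad = 1
            }
            if (hash !~ /^[{$]/) {
                print FILENAME ":" NR ": password field is not a hash: " user; bad = 1
            }
            if (user in seen) {
                print FILENAME ":" NR ": duplicate entry for " user; bad = 1
            }
            seen[user] = 1
        }
        END { exit bad }
    ' "$1"
}

# Create a mailbox: hash the password with doveadm (prompts twice), append the
# passwd-file line, pre-create the Maildir owned by vmail, then verify the login
# through Dovecot's own auth socket with doveadm auth test (prompts again).
add_mailbox() {
    addr=$1
    case $addr in
        *@*) ;;
        *) echo "usage: add_mailbox user@domain" >&2; return 1 ;;
    esac
    domain=${addr#*@}
    user=${addr%@*}
    hash=$(doveadm pw -s SHA512-CRYPT)
    printf '%s:%s\n' "$addr" "$hash" >> "$USERDB"
    mkdir -p "$VMAIL_ROOT/$domain/$user"
    chown -R vmail:vmail "$VMAIL_ROOT/$domain"
    userdb_lint "$USERDB"
    doveadm auth test "$addr"
}

# Usage: sh add_mailbox.sh anonit@anonit.net
if [ $# -eq 1 ]; then
    add_mailbox "$1"
fi
```

doveadm auth test exercises the same passdb the POP3 login will use, so a failure here is a configuration problem, not a client problem.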
Add to /etc/postfix/main.cf, so that mail for the domain is handed to Dovecot over LMTP and recipients are resolved through the alias map:
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual_aliases
Create a file /etc/postfix/virtual_aliases and add
@anonit.net anonit
postmaster root
webmaster root
info root
abuse root
# redirect to the user that should get root’s mails
root anonit
The first line is the catch-all: any address at anonit.net without a more specific entry is delivered to anonit. The map is looked up by key, not in file order, so the postmaster, webmaster, info and abuse entries still take precedence over the @anonit.net line. The bare target anonit is completed with myorigin (anonit.net, from /etc/mailname), giving anonit@anonit.net, which must match the user in /etc/dovecot/userdb-file.
Build the lookup table and restart postfix
postmap /etc/postfix/virtual_aliases
service postfix restart
Modify /etc/dovecot/dovecot.conf to accept delivery from Postfix over LMTP. Only the postfix user connects to this socket, so mode 0600 is sufficient:
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
protocol lmtp {
postmaster_address = anonit@anonit.net
}
Open a second SSH session to the server and watch mail.log:
tail -f /var/log/mail.log
In the original session, run the following and check the log for errors (a successful delivery shows a postfix/lmtp line with status=sent):
service postfix restart
service dovecot restart
echo test | mail anonit@anonit.net
Perform another open relay test: http://www.mailradar.com/openrelay/
Test that local delivery and remote delivery work: send a message from an external mailbox to an address at the domain, and one from the server to an external address.
Delivered messages appear as files in /var/vmail/domainname/user/new
EG:
Add the DNSBL checks. Edit /etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client dnsbl.sorbs.net,
permit
Order matters: permit_sasl_authenticated must come before the DNSBL lookups, because the submission port uses the same restriction list unless master.cf overrides it, and zen.spamhaus.org includes the PBL, which lists the residential and mobile address space your own users connect from. reject_unauth_destination is a second line of defence against relaying alongside the default smtpd_relay_restrictions. Reload Postfix afterwards (service postfix reload) and watch mail.log for reject lines containing “blocked using”.
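An added triage script for the log you are watching (example code, not from the original post). It summarises DNSBL rejections by list, failed logins by client address across both Postfix's SASL warnings and Dovecot's pop3-login disconnects, refused relay probes, and LMTP deliveries. The lines inside sample_log are constructed to look like Postfix 2.11 and Dovecot 2.2 output on Jessie, using documentation address ranges; run it against /var/log/mail.log for real data.

```sh
#!/bin/sh
# Added triage for the mail.log watched above; example code, not from the original
# post. The lines in sample_log are constructed to resemble Postfix 2.11 and
# Dovecot 2.2 logging on Jessie (addresses from the documentation ranges); on a
# real server point the functions at /var/log/mail.log instead.
set -eu

# Constructed sample: two Spamhaus hits, one SORBS hit, one relay probe, a
# password-guessing run against submission (Postfix SASL warnings) and POP3S
# (Dovecot), and the successful LMTP delivery of the local test mail.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:12 mail5 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<x@example.com> to=<anonit@anonit.net> proto=ESMTP helo=<example.com>
Mar  3 10:02:40 mail5 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<spam@example.com> to=<victim@example.org> proto=ESMTP helo=<probe>
Mar  3 10:03:01 mail5 postfix/smtpd[1300]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:03:05 mail5 postfix/smtpd[1300]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:03:20 mail5 dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<anonit@anonit.net>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS, session=<c0nstructed>
Mar  3 10:03:44 mail5 postfix/smtpd[1301]: warning: unknown[203.0.113.77]: SASL PLAIN authentication failed:
Mar  3 10:04:00 mail5 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using dnsbl.sorbs.net; from=<y@example.net> to=<info@anonit.net> proto=ESMTP helo=<example.net>
Mar  3 10:04:30 mail5 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.12]: 554 5.7.1 Service unavailable; Client host [203.0.113.12] blocked using zen.spamhaus.org; from=<z@example.com> to=<abuse@anonit.net> proto=ESMTP helo=<example.com>
Mar  3 10:05:00 mail5 postfix/lmtp[1400]: 0123456789A: to=<anonit@anonit.net>, relay=mail5.anonit.net[private/dovecot-lmtp], delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (250 2.0.0 <anonit@anonit.net> saved)
EOF
}

# DNSBL rejections per list: shows which list is doing the work.
rbl_summary() {
    awk '/NOQUEUE: reject:/ && /blocked using/ {
            s = $0; sub(/.*blocked using /, "", s); sub(/;.*/, "", s)
            n[s]++
        }
        END { for (l in n) print n[l], l }' "$1" | sort -rn
}

# Failed logins per client IP, from Postfix SASL warnings on submission and
# Dovecot pop3-login "auth failed" disconnects (one line per session, whatever
# the attempt count). A high count from one address is a password-guessing run.
auth_failures() {
    awk '/SASL [A-Z0-9-]+ authentication failed/ {
            s = $0; sub(/.*warning: [^ ]*\[/, "", s); sub(/\].*/, "", s)
            n[s]++
        }
        /dovecot: [a-z0-9]+-login: .*auth failed/ {
            s = $0; sub(/.*rip=/, "", s); sub(/,.*/, "", s)
            n[s]++
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Relay probes refused, and messages handed to Dovecot over LMTP.
relay_refusals() { grep -c 'Relay access denied' "$1" || true; }
lmtp_deliveries() { grep -c 'postfix/lmtp.*status=sent' "$1" || true; }

report() {
    echo "DNSBL rejections by list:";  rbl_summary "$1"
    echo "Failed logins by client:";   auth_failures "$1"
    echo "Relay probes refused: $(relay_refusals "$1")"
    echo "LMTP deliveries to Dovecot: $(lmtp_deliveries "$1")"
}

# Usage: sh mailtriage.sh /var/log/mail.log   (no argument runs on the sample)
if [ $# -eq 1 ]; then
    report "$1"
else
    tmp=$(mktemp); sample_log > "$tmp"; report "$tmp"; rm -f "$tmp"
fi
```

A client that shows up under both the DNSBL and failed-login headings is the usual profile of a compromised host working through a list; that is the address to firewall rather than wait for fail2ban-style thresholds.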
References
https://www.servermule.com.au/help/servermule-articles/how-do-configure-my-servermule-firewall/
http://www.almost-working.com/how-to-setup-a-mail-server-on-debian-8-jessie-using-postfix-dovecot-and-lmtp/
http://www.almost-working.com/foundational-setup-on-a-debian-8-7-jessie-virtual-server/
https://www.faqforge.com/linux/how-to-enable-port-587-submission-in-postfix/
https://certbot.eff.org/#debianjessie-nginx
https://stackoverflow.com/questions/18377813/postfix-status-bounced-unknown-user-myuser
https://tecadmin.net/setup-catch-all-email-account-in-postfix/#
http://www.iredmail.org/docs/enable.dnsbl.html
https://serverfault.com/questions/474133/configure-postfix-with-a-threshold-for-reject-rbl-client