— | tech:linux:mail_server_setup [2023/10/19 11:33] (current) – created - external edit 127.0.0.1 | ||
Line 1: | Line 1: | ||
+ | ====== Mail Server Setup ====== | ||
+ | This is how I set up my mail server on | ||
+ | * Ubuntu Ubuntu 14.04.5 LTS | ||
+ | * Dovecot 2.2.9 (dovecot --version) | ||
+ | * Postfix 2.11.0 (postconf mail_version) | ||
+ | * Postfix Admin 2.3.5 | ||
+ | * Squirrel Mail 1.4.22 | ||
+ | * MySQL Ver 14.14 Distrib 5.5.57 (mysql --version) | ||
+ | * PHP 5.5.9 (php --version) | ||
+ | * pflogsumm.pl - Produce Postfix MTA logfile summary | ||
+ | * Fail2Ban v0.8.11 (/ | ||
+ | * [[doveadm_scripting|Automatic email processing using Doveadm]] | ||
+ | ===== Supporting Packages to Install ===== | ||
+ | * postfix-mysql | ||
+ | * dovecot-core | ||
+ | * dovecot-postfix (not valid anymore in 2022) | ||
+ | * dovecot-mysql | ||
+ | * dovecot-imapd | ||
+ | * php5-mysql | ||
+ | |||
+ | ===== Server configuration ===== | ||
+ | ==== vmail user configuration ==== | ||
+ | <code bash> | ||
+ | groupadd -g 5000 vmail | ||
+ | useradd -d /home/vmail -g 5000 -m -s /bin/bash -u 5000 -p somepassword vmail | ||
+ | id vmail | ||
+ | </ | ||
+ | uid=5000(vmail) gid=5000(vmail) groups=5000(vmail) | ||
+ | |||
+ | ===== Postfix configuration ===== | ||
+ | / | ||
+ | |||
+ | <file ini main.cf> | ||
+ | # See / | ||
+ | |||
+ | |||
+ | # Debian specific: | ||
+ | # line of that file to be used as the name. The Debian default | ||
+ | # is / | ||
+ | myorigin = / | ||
+ | |||
+ | smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) | ||
+ | biff = no | ||
+ | |||
+ | # appending .domain is the MUAs job. | ||
+ | append_dot_mydomain = no | ||
+ | |||
+ | # Uncomment the next line to generate " | ||
+ | delay_warning_time = 4h | ||
+ | |||
+ | readme_directory = no | ||
+ | |||
+ | # TLS parameters | ||
+ | smtpd_tls_cert_file = / | ||
+ | smtpd_tls_key_file = / | ||
+ | smtpd_tls_loglevel = 1 | ||
+ | smtpd_tls_security_level = may | ||
+ | smtpd_tls_session_cache_database = btree: | ||
+ | smtp_tls_session_cache_database = btree: | ||
+ | tls_random_source = dev:/ | ||
+ | tls_random_bytes = 32 | ||
+ | tls_random_reseed_period = 3600s | ||
+ | # | ||
+ | home_mailbox = Maildir/ | ||
+ | smtpd_sasl_auth_enable = yes | ||
+ | smtpd_sasl_type = dovecot | ||
+ | smtpd_sasl_path = private/ | ||
+ | smtpd_sasl_authenticated_header = yes | ||
+ | smtpd_sasl_security_options = noanonymous | ||
+ | smtpd_sasl_local_domain = $myhostname | ||
+ | broken_sasl_auth_clients = yes | ||
+ | smtpd_use_tls = yes | ||
+ | smtpd_tls_received_header = yes | ||
+ | smtpd_tls_mandatory_protocols = SSLv3, TLSv1 | ||
+ | smtpd_tls_mandatory_ciphers = medium | ||
+ | # | ||
+ | # | ||
+ | smtp_tls_cert_file=/ | ||
+ | smtp_tls_key_file=$smtp_tls_cert_file | ||
+ | smtp_tls_loglevel = 1 | ||
+ | smtp_tls_security_level = may | ||
+ | smtp_tls_note_starttls_offer = yes | ||
+ | smtp_use_tls = yes | ||
+ | # | ||
+ | |||
+ | # See / | ||
+ | # information on enabling SSL in the smtp client. | ||
+ | |||
+ | myhostname = example.org | ||
+ | alias_maps = hash:/ | ||
+ | alias_database = hash:/ | ||
+ | myorigin = / | ||
+ | # | ||
+ | mydestination = | ||
+ | relayhost = smtp-server.example.com | ||
+ | # This was commented out as it gives a " | ||
+ | # | ||
+ | mynetworks_style = subnet | ||
+ | #mynetworks = 127.0.0.0/8 [:: | ||
+ | mailbox_command = / | ||
+ | mailbox_size_limit = 0 | ||
+ | recipient_delimiter = + | ||
+ | inet_interfaces = all | ||
+ | owner_request_special = no | ||
+ | message_size_limit = 32768000 | ||
+ | # | ||
+ | # Virtual Mailbox Domain Settings | ||
+ | virtual_alias_maps = mysql:/ | ||
+ | virtual_mailbox_domains = mysql:/ | ||
+ | virtual_mailbox_maps = mysql:/ | ||
+ | virtual_mailbox_limit = 51200000 | ||
+ | virtual_minimum_uid = 5000 | ||
+ | virtual_uid_maps = static:5000 | ||
+ | virtual_gid_maps = static:5000 | ||
+ | virtual_mailbox_base = /home/vmail | ||
+ | virtual_transport = virtual | ||
+ | # Additional for quota support | ||
+ | # This was commented out as it gives a " | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # Spam reduction parameters. May be aggresive for some, but seems to work well. | ||
+ | access_map_reject_code = 554 | ||
+ | invalid_hostname_reject_code = 554 | ||
+ | maps_rbl_reject_code = 554 | ||
+ | multi_recipient_bounce_reject_code = 554 | ||
+ | non_fqdn_reject_code = 554 | ||
+ | plaintext_reject_code = 554 | ||
+ | reject_code = 554 | ||
+ | relay_domains_reject_code = 554 | ||
+ | unknown_local_recipient_reject_code = 550 | ||
+ | unknown_address_reject_code = 550 | ||
+ | unknown_client_reject_code = 550 | ||
+ | unknown_hostname_reject_code = 550 | ||
+ | unknown_relay_recipient_reject_code = 550 | ||
+ | unknown_virtual_alias_reject_code = 550 | ||
+ | unknown_virtual_mailbox_reject_code = 550 | ||
+ | unverified_recipient_reject_code = 550 | ||
+ | unverified_sender_reject_code = 550 | ||
+ | # | ||
+ | default_process_limit = 20 | ||
+ | smtpd_client_connection_count_limit = 10 | ||
+ | # Value of 60 should translate to 1 per second limit | ||
+ | smtpd_client_connection_rate_limit = 60 | ||
+ | smtpd_client_message_rate_limit = 60 | ||
+ | smtpd_client_new_tls_session_rate_limit = 60 | ||
+ | # | ||
+ | smtpd_helo_required = yes | ||
+ | smtpd_delay_reject = yes | ||
+ | address_verify_map = btree: | ||
+ | smtpd_reject_unlisted_sender=yes | ||
+ | # | ||
+ | smtpd_recipient_restrictions = | ||
+ | check_client_access hash:/ | ||
+ | permit_sasl_authenticated, | ||
+ | permit_mynetworks, | ||
+ | # | ||
+ | reject_invalid_hostname, | ||
+ | reject_non_fqdn_hostname, | ||
+ | reject_non_fqdn_sender, | ||
+ | reject_non_fqdn_recipient, | ||
+ | reject_unknown_sender_domain, | ||
+ | reject_unknown_recipient_domain, | ||
+ | reject_unverified_sender, | ||
+ | reject_unauth_destination, | ||
+ | reject_rbl_client zen.spamhaus.org, | ||
+ | reject_rbl_client cbl.abuseat.org, | ||
+ | check_client_access hash:/ | ||
+ | permit | ||
+ | smtpd_data_restrictions = | ||
+ | permit_sasl_authenticated, | ||
+ | permit_mynetworks, | ||
+ | reject_unauth_pipelining, | ||
+ | permit | ||
+ | # Added for trying to send email from PDA | ||
+ | smtpd_client_restrictions = | ||
+ | permit_sasl_authenticated | ||
+ | smtpd_helo_restrictions = | ||
+ | check_helo_access hash:/ | ||
+ | permit_mynetworks, | ||
+ | permit_sasl_authenticated, | ||
+ | reject_non_fqdn_hostname, | ||
+ | reject_invalid_hostname, | ||
+ | permit | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | |||
+ | / | ||
+ | <file ini mailname> | ||
+ | example.org | ||
+ | </ | ||
+ | |||
+ | ==== Client TLS Support ==== | ||
+ | Follow this for [[postfix_client_tls|Postfix Client TLS Support]] setup | ||
+ | |||
+ | ===== Postfix MySql (maps) configuration ===== | ||
+ | * Create directory / | ||
+ | * Please the following files under / | ||
+ | |||
+ | <file ini mysql_uid.cf> | ||
+ | user=< | ||
+ | password=< | ||
+ | dbname=< | ||
+ | table=mailbox | ||
+ | select_field=username | ||
+ | where_field=username | ||
+ | hosts=127.0.0.1:< | ||
+ | </ | ||
+ | |||
+ | <file ini mysql_gid.cf> | ||
+ | user=< | ||
+ | password=< | ||
+ | dbname=< | ||
+ | table=mailbox | ||
+ | select_field=username | ||
+ | where_field=username | ||
+ | hosts=127.0.0.1:< | ||
+ | </ | ||
+ | |||
+ | <file ini mailbox_maps.cf> | ||
+ | user=< | ||
+ | password=< | ||
+ | dbname=< | ||
+ | table=mailbox | ||
+ | select_field=maildir | ||
+ | where_field=username | ||
+ | hosts=127.0.0.1:< | ||
+ | additional_conditions = and active = 1 | ||
+ | </ | ||
+ | |||
+ | <file ini mailbox_limit_maps.cf> | ||
+ | user=< | ||
+ | password=< | ||
+ | dbname=< | ||
+ | table=mailbox | ||
+ | select_field=quota | ||
+ | where_field=username | ||
+ | hosts=127.0.0.1:< | ||
+ | additional_conditions = and active = 1 | ||
+ | </ | ||
+ | |||
+ | <file ini alias_maps.cf> | ||
+ | user=< | ||
+ | password=< | ||
+ | dbname=< | ||
+ | table=alias | ||
+ | select_field=goto | ||
+ | where_field=address | ||
+ | hosts=127.0.0.1:< | ||
+ | additional_conditions = and active = 1 | ||
+ | </ | ||
+ | |||
+ | <file ini domains_maps.cf> | ||
+ | user=< | ||
+ | password=< | ||
+ | dbname=< | ||
+ | table=domain | ||
+ | select_field=domain | ||
+ | where_field=domain | ||
+ | hosts=127.0.0.1:< | ||
+ | additional_conditions = and backupmx = 0 and active = 1 and transport = ' | ||
+ | </ | ||
+ | |||
+ | <file ini relay_domains.cf> | ||
+ | user=< | ||
+ | password=< | ||
+ | dbname=< | ||
+ | table=domain | ||
+ | select_field=domain | ||
+ | where_field=domain | ||
+ | hosts=127.0.0.1:< | ||
+ | additional_conditions = and active = 1 and backupmx = 0 and transport = ' | ||
+ | </ | ||
+ | |||
+ | The below two settings (alias_alias_maps.cf & mailbox_alias_maps.cf) are for alias domains: | ||
+ | <file ini alias_alias_maps.cf> | ||
+ | user=< | ||
+ | password=< | ||
+ | dbname=< | ||
+ | hosts=127.0.0.1:< | ||
+ | query = SELECT goto FROM alias, | ||
+ | WHERE alias_domain.alias_domain = ' | ||
+ | AND alias.address=concat(' | ||
+ | AND alias.active = 1 AND alias_domain.active = 1 | ||
+ | </ | ||
+ | |||
+ | <file ini mailbox_alias_maps.cf> | ||
+ | user=< | ||
+ | password=< | ||
+ | dbname=< | ||
+ | hosts=127.0.0.1:< | ||
+ | query = SELECT maildir FROM mailbox, alias_domain | ||
+ | WHERE alias_domain.alias_domain = ' | ||
+ | AND mailbox.username=concat(' | ||
+ | AND mailbox.active = 1 AND alias_domain.active = 1 | ||
+ | </ | ||
+ | ===== Dovecot Configuration ===== | ||
+ | Change the following files at / | ||
+ | |||
+ | The files in / | ||
+ | * dovecot.conf | ||
+ | * dovecot-db.conf.ext | ||
+ | * dovecot-dict-sql.conf.ext | ||
+ | * dovecot-sql.conf.ext | ||
+ | |||
+ | File(s) requiring change | ||
+ | |||
+ | <file ini dovecot-sql.conf.ext> | ||
+ | driver = mysql | ||
+ | connect = host=127.0.0.1 port=3306 user=root password=rootpassword dbname=postfixadmindbname | ||
+ | default_pass_scheme = CRAM-MD5 | ||
+ | user_query = \ | ||
+ | | ||
+ | concat('/ | ||
+ | 5000 as uid, 5000 as gid \ | ||
+ | FROM mailbox \ | ||
+ | WHERE username = ' | ||
+ | password_query = \ | ||
+ | | ||
+ | concat('/ | ||
+ | concat(' | ||
+ | 5000 as userdb_uid, 5000 as userdb_gid \ | ||
+ | FROM mailbox \ | ||
+ | WHERE username = ' | ||
+ | </ | ||
+ | |||
+ | |||
+ | The following files in / | ||
+ | * 01-mail-stack-delivery.conf | ||
+ | * 10-director.conf | ||
+ | * 10-master.conf | ||
+ | * 10-ssl.conf | ||
+ | * 15-lda.conf | ||
+ | * 20-imap.conf | ||
+ | * 20-managesieve.conf | ||
+ | * 20-pop3.conf | ||
+ | * 90-acl.conf | ||
+ | * 90-plugin.conf | ||
+ | * 90-quota.conf | ||
+ | * 90-sieve.conf | ||
+ | * auth-deny.conf.ext | ||
+ | * auth-master.conf.ext | ||
+ | * auth-passwdfile.conf.ext | ||
+ | * auth-static.conf.ext | ||
+ | * auth-vpopmail.conf.ext | ||
+ | |||
+ | |||
+ | File(s) requiring change | ||
+ | |||
+ | <file ini 10-logging.conf> | ||
+ | auth_verbose = yes | ||
+ | auth_debug = yes | ||
+ | plugin { | ||
+ | # Events to log. Also available: flag_change append | ||
+ | # | ||
+ | # Available fields: uid, box, msgid, from, subject, size, vsize, flags | ||
+ | # size and vsize are available only for expunge and copy events. | ||
+ | # | ||
+ | } | ||
+ | |||
+ | </ | ||
+ | |||
+ | <file ini 10-auth.conf> | ||
+ | auth_mechanisms = plain cram-md5 | ||
+ | !include auth-system.conf.ext | ||
+ | </ | ||
+ | |||
+ | <file ini auth-system.conf.ext> | ||
+ | passdb { | ||
+ | driver = sql | ||
+ | args = / | ||
+ | # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=< | ||
+ | # [cache_key=< | ||
+ | #args = dovecot | ||
+ | } | ||
+ | userdb { | ||
+ | # < | ||
+ | driver = sql | ||
+ | args = / | ||
+ | # [blocking=no] | ||
+ | #args = | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | <file ini 10-mail.conf> | ||
+ | mail_location = maildir:/ | ||
+ | mail_uid = vmail | ||
+ | mail_gid = vmail | ||
+ | maildir_copy_with_hardlinks = yes | ||
+ | </ | ||
+ | |||
+ | ===== Postfix Admin ===== | ||
+ | All changes from the default go in config.local.php | ||
+ | <file ini config.local.php> | ||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | $CONF[' | ||
+ | $CONF[' | ||
+ | $CONF[' | ||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ); | ||
+ | |||
+ | $CONF[' | ||
+ | $CONF[' | ||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | $CONF[' | ||
+ | $CONF[' | ||
+ | |||
+ | $CONF[' | ||
+ | $CONF[' | ||
+ | </ | ||
+ | |||
+ | ===== Migration from Courier to Postfix ===== | ||
+ | If you are moving to a new machine make sure that you tar and untar files to preserver permissions and most importantly timestamps. Or all your old mail will have the same date/time! | ||
+ | ==== Resource ==== | ||
+ | [[http:// | ||
+ | ==== Command ==== | ||
+ | < | ||
+ | / | ||
+ | </ | ||
+ | Sample output: | ||
+ | < | ||
+ | Converting to Dovecot format | ||
+ | Finding maildirs under / | ||
+ | |||
+ | Total: 70 mailboxes / 38 users | ||
+ | 0 errors | ||
+ | 46 dovecot-uidlist files written | ||
+ | |||
+ | WARNING: Badly done migration will cause your IMAP and/or POP3 clients to re-download all mails. Read http:// | ||
+ | </ | ||
+ | ==== Folder between courier and dovecot ==== | ||
+ | One way to get the courier subfolders to show up in dovecot is to add this to the configuration: | ||
+ | <file ini 10-mail.conf> | ||
+ | namespace private { | ||
+ | prefix = INBOX. | ||
+ | separator = . | ||
+ | inbox = yes | ||
+ | } | ||
+ | </ | ||
+ | Alternatively, | ||
+ | < | ||
+ | mv .INBOX.SomeSubFolder/ | ||
+ | mv .SomeSubFolder .INBOX.SomeSubFolder | ||
+ | </ | ||
+ | Here I moved the newly created folder to a " | ||
+ | |||
+ | ===== Squirrel Mail configuration ===== | ||
+ | Follow this [[tech: | ||
+ | |||
+ | ===== Some dovecot commands ===== | ||
+ | < | ||
+ | dovecot --build-options | ||
+ | find / | ||
+ | doveconf -a | ||
+ | </ | ||
+ | |||
+ | ===== pflogsumm.pl - Produce Postfix MTA logfile summary ===== | ||
+ | The pflogsumm.pl produces a daily summary of mail activity. | ||
+ | |||
+ | Install '' | ||
+ | |||
+ | Daily cron job shell wrapper | ||
+ | <code bash> | ||
+ | #!/bin/bash | ||
+ | # | ||
+ | # Daily Postfix Log report | ||
+ | # | ||
+ | TS=$(date +%Y%m%d_%H%M%S); | ||
+ | LOGFILEDIR="/ | ||
+ | LOGFILE=" | ||
+ | PFLOGSUMM="/ | ||
+ | PFMAILINF="/ | ||
+ | PFMAILINF="/ | ||
+ | REMAIL=" | ||
+ | REPSUB=" | ||
+ | # | ||
+ | #$PFLOGSUMM $PFMAILINF > $LOGFILE | ||
+ | $PFLOGSUMM --detail 10 --problems_first --verbose_msg_detail $PFMAILINF > $LOGFILE | ||
+ | cat $LOGFILE | mailx -s " | ||
+ | # | ||
+ | # Delete log files older than 40 days | ||
+ | / | ||
+ | # | ||
+ | exit 0 | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Fail2ban configuration ===== | ||
+ | Fail2ban is optional but highly recommended to reduce thrashing of the servers from brute-force attempts | ||
+ | |||
+ | * Install fail2ban (and iptables) using apt-get (I use aptitude!) | ||
+ | * Changes to ''/ | ||
+ | * Enable postfix, sasl, dovecot by setting '' | ||
+ | * Optionally also enable '' | ||
+ | * Enable dovecot for IMAP login attemps | ||
+ | * Add local LAN to '' | ||
+ | * Believe you may also want to include your WAN IP as I sometimes see it in the logs | ||
+ | * Optionally increase bantime from 60 to 3600 | ||
+ | * Optionally increase findtime from 60 to 3600 | ||
+ | * Optionally decrease maxretry from 3 to 2 | ||
+ | * Set destemail to a valid email | ||
+ | * Update Files in / | ||
+ | |||
+ | Notice the '' | ||
+ | |||
+ | ==== SMTP Configuration ==== | ||
+ | |||
+ | <file ini postfix.conf> | ||
+ | # Fail2Ban filter for selected Postfix SMTP rejections | ||
+ | # | ||
+ | # | ||
+ | |||
+ | [INCLUDES] | ||
+ | |||
+ | # Read common prefixes. If any customizations available -- read them from | ||
+ | # common.local | ||
+ | before = common.conf | ||
+ | |||
+ | [Definition] | ||
+ | |||
+ | _daemon = postfix/ | ||
+ | |||
+ | failregex = ^%(__prefix_line)sNOQUEUE: | ||
+ | ^%(__prefix_line)sNOQUEUE: | ||
+ | ^%(__prefix_line)sNOQUEUE: | ||
+ | ^%(__prefix_line)s\S+\: | ||
+ | ^%(__prefix_line)sNOQUEUE: | ||
+ | ^%(__prefix_line)swarning: | ||
+ | ^%(__prefix_line)swarning: | ||
+ | |||
+ | ignoreregex = | ||
+ | |||
+ | [Init] | ||
+ | |||
+ | journalmatch = _SYSTEMD_UNIT=postfix@-.service | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | <file ini postfix-sasl.conf> | ||
+ | # Fail2Ban filter for postfix authentication failures | ||
+ | # | ||
+ | |||
+ | [INCLUDES] | ||
+ | |||
+ | before = common.conf | ||
+ | |||
+ | [Definition] | ||
+ | |||
+ | _daemon = postfix/ | ||
+ | |||
+ | failregex = ^%(__prefix_line)swarning: | ||
+ | |||
+ | ignoreregex = | ||
+ | |||
+ | [Init] | ||
+ | |||
+ | journalmatch = _SYSTEMD_UNIT=postfix@-.service | ||
+ | |||
+ | </ | ||
+ | |||
+ | '' | ||
+ | |||
+ | ==== Dovecot/ | ||
+ | Below are the list of failures that need to be checked | ||
+ | < | ||
+ | Jul 9 07:19:39 inthostname dovecot: imap-login: Disconnected: | ||
+ | Jul 9 00:23:02 inthostname dovecot: imap-login: Aborted login (no auth attempts in 4 secs): user=<>, | ||
+ | Jul 9 07:57:35 inthostname dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, | ||
+ | Jul 9 11:15:15 inthostname dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=< | ||
+ | Jul 9 14:37:38 inthostname dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, | ||
+ | Oct 6 23:17:35 inthostname dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, | ||
+ | Oct 5 04:33:07 inthostname dovecot: imap-login: Disconnected (tried to use unsupported auth mechanism): user=<>, | ||
+ | Sep 25 04:55:41 inthostname dovecot: imap-login: Disconnected (client didn't finish SASL auth, waited 19 secs): user=<>, | ||
+ | |||
+ | |||
+ | hackerip=x.x.x.x | ||
+ | internalip=y.y.y.y | ||
+ | </ | ||
+ | |||
+ | ==== Testing Fail2ban configuration ==== | ||
+ | <code bash> | ||
+ | fail2ban-regex systemd-journal / | ||
+ | fail2ban-regex systemd-journal / | ||
+ | </ | ||
+ | |||
+ | ==== Other Fail2ban related configuration ==== | ||
+ | rsyslog filters duplicate messages as '' | ||
+ | |||
+ | Edit ''/ | ||
+ | < | ||
+ | $RepeatedMsgReduction off | ||
+ | </ | ||
+ | |||
+ | Restart rsyslog | ||
+ | <code bash> | ||
+ | service rsyslog restart | ||
+ | </ | ||
+ | |||
+ | ==== Other Fail2ban related commands ==== | ||
+ | == Currently banned IPs == | ||
+ | Run as root: | ||
+ | <code bash> | ||
+ | fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk ' | ||
+ | </ | ||
+ | |||
+ | === Permanently ban == | ||
+ | Refer [[senthil: | ||
+ | ==== Other Fail2ban resources ==== | ||
+ | https:// | ||
+ | |||
+ | ===== Post Configuration Steps ===== | ||
+ | ==== white_lists file ==== | ||
+ | To avoid error that there is no white list file. | ||
+ | |||
+ | The '' | ||
+ | <code bash> | ||
+ | cd / | ||
+ | touch white_lists | ||
+ | postmap white_lists | ||
+ | # | ||
+ | touch check_helo_access | ||
+ | postmap check_helo_access | ||
+ | </ | ||
+ | |||
+ | ==== Restart ==== | ||
+ | < | ||
+ | service postfix restart | ||
+ | service dovecot restart | ||
+ | </ | ||
+ | |||
+ | ===== Dovecot debug ===== | ||
+ | To turn on auth debug in dovecot. | ||
+ | < | ||
+ | auth_verbose = no | ||
+ | auth_debug = no | ||
+ | </ | ||
+ | Remember to turn if off once done. | ||
+ | |||
+ | ===== / | ||
+ | Optionally update aliases so mail delivered to root (or someuser) at localhost can be forwarded to a remote mail user. | ||
+ | < | ||
+ | # See man 5 aliases for format | ||
+ | postmaster: | ||
+ | someuser: | ||
+ | root: | ||
+ | </ | ||
+ | Run the below after changing ''/ | ||
+ | <code bash> | ||
+ | postalias / | ||
+ | # Alternative to postalias you can also run ' | ||
+ | service postfix restart | ||
+ | </ | ||
+ | |||
+ | ===== Logs ===== | ||
+ | Update '' | ||
+ | |||
+ | ===== Satellite hosts ===== | ||
+ | The above setup is for Postfix smart host. For the rest of the servers in the network, it is preferred to set them up as a Satellite host and route mail through the local host. The Postfix main.cf configuration for Postfix Satellite host aka Send-only, Relay, Forwarded host is below. | ||
+ | Note: | ||
+ | * Replace '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | / | ||
+ | <file ini main.cf> | ||
+ | # See / | ||
+ | |||
+ | # Debian specific: | ||
+ | # line of that file to be used as the name. The Debian default | ||
+ | # is / | ||
+ | myorigin = / | ||
+ | |||
+ | smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) | ||
+ | biff = no | ||
+ | |||
+ | # appending .domain is the MUA's job. | ||
+ | append_dot_mydomain = no | ||
+ | |||
+ | # Uncomment the next line to generate " | ||
+ | # | ||
+ | |||
+ | readme_directory = no | ||
+ | |||
+ | # TLS parameters | ||
+ | smtpd_tls_cert_file=/ | ||
+ | smtpd_tls_key_file=/ | ||
+ | smtpd_use_tls=yes | ||
+ | smtpd_tls_session_cache_database = btree: | ||
+ | smtp_tls_session_cache_database = btree: | ||
+ | |||
+ | # See / | ||
+ | # information on enabling SSL in the smtp client. | ||
+ | |||
+ | smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination | ||
+ | myhostname = your-host-name | ||
+ | alias_maps = hash:/ | ||
+ | alias_database = hash:/ | ||
+ | mydomain = example.org | ||
+ | mydestination = $myhostname.$mydomain, | ||
+ | relayhost = mainsmtp | ||
+ | smtp_host_lookup = native | ||
+ | mynetworks = 127.0.0.0/8 [:: | ||
+ | mailbox_size_limit = 0 | ||
+ | recipient_delimiter = + | ||
+ | inet_interfaces = loopback-only | ||
+ | # Address rewriting | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | / | ||
+ | <file ini mailname> | ||
+ | your-host-name.example.org | ||
+ | </ | ||
+ | |||
+ | / | ||
+ | <file ini aliases> | ||
+ | # See man 5 aliases for format | ||
+ | postmaster: | ||
+ | user: | ||
+ | root: | ||
+ | </ | ||
+ | |||
+ | ===== Related ===== | ||
+ | * [[squirrelmail|Additional SquirrelMail Notes]] | ||
+ | * [[setup_postfix_relay|Setup Postfix to act as Relay Host]] | ||
+ | * [[postfix_client_tls|Postfix Client TLS Support]] | ||
+ | * [[postfix_important_settings|Important Postfix settings]] | ||
+ | * [[postfix_relay_on_recipient_domain|Postfix - Choose a different SMTP relay based on sender domain]] |
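Review bot: The TLS policy in the first main.cf block, `smtpd_tls_mandatory_protocols = SSLv3, TLSv1`, still admits SSLv3, which is no longer considered secure; Postfix's exclusion form is the safer way to write it, `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3`, and the same exclusion belongs in `smtpd_tls_protocols`, because with `smtpd_tls_security_level = may` it is the opportunistic list that governs most sessions. The Dovecot SQL connection in dovecot-sql.conf.ext (`user=root password=rootpassword`) hands the IMAP daemon full MySQL privileges, whereas a dedicated account with SELECT on the `mailbox` table is all the queries shown require and limits what a compromised Dovecot process can reach. The vmail account is created with `useradd ... -s /bin/bash ... -p somepassword vmail`; `-p` expects an already-hashed value and leaves the string in shell history, so that argument should be dropped, and since the account only owns the mail store a non-login shell such as `/usr/sbin/nologin` is the least-privilege choice. Note also that the "Dovecot debug" snippet shows `auth_verbose = no` / `auth_debug = no` although the text says it turns debugging on, and that `auth_debug = yes` is already enabled in the 10-logging.conf block, which is more verbose than a production host normally wants.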