Support #653
Updated by Daniel Curtis over 8 years ago
This is a guide on installing Dovecot and Postfix with Nginx, PostgreSQL, and SpamAssassin on FreeBSD. This guide is adapted from the mail server setup at "purplehat.org":http://www.purplehat.org/?page_id=4 h2. Prepare the System * Make sure the system is up to date: <pre> pkg update && pkg upgrade </pre> * Install portmaster and screen: <pre> pkg install portmaster screen </pre> * Update the ports tree: <pre> portsnap fetch extract pkg2ng </pre> h2. Configure the Ports * This builds ClamAV to allow our “vscan” user access to it. Add ClamAV build options to @/etc/make.conf@ file: <pre> echo "CLAMAVUSER=vscan" >> /etc/make.conf echo "CLAMAVGROUP=vscan" >> /etc/make.conf </pre> * Add BATCH option to @/etc/make.conf@ file: <pre> echo "BATCH=yes" >> /etc/make.conf </pre> * Edit pear-Net_SMTP installation menu: <pre> cd /usr/ports/net/pear-Net_SMTP make config </pre> #* *NOTE*: Make sure *[X]PEAR_AUTH_SASL* is selected. * Edit pear-Auth Options installation menu: <pre> cd /usr/ports/security/pear-Auth make config </pre> #* *NOTE*: Make sure *[X]PEAR_DB* and *[X]PEAR_LOG* are selected. * Edit pear-Log installation menu: <pre> cd /usr/ports/sysutils/pear-Log make config </pre> #* *NOTE*: Make sure *[X]PEAR_DB* is selected. * Edit Dovecot installation menu: <pre> cd /usr/ports/mail/dovecot2 make config </pre> #* *NOTE*: Make sure *[X]PGSQL* is selected. * Edit Postfix installation menu: <pre> cd /usr/ports/mail/postfix make config </pre> #* *NOTE*: Make sure *[X]BDB*, *[X]PGSQL*, *[X]TLS*, *[X]VDA* and *[X]DOVECOT2* are selected. * Edit Postfixadmin installation menu: <pre> cd /usr/ports/mail/postfixadmin make config </pre> *NOTE*: Make sure *[X]PGSQL* is selected. * Edit SpamAssassin installation menu: <pre> cd /usr/ports/mail/spamassassin make config </pre> #* *NOTE*: Make sure *[X]PGSQL*, *[X]DKIM*, *[X]RAZOR*, *[X]RELAY_COUNTRY* and *[X]SPF_QUERY* are selected. * Edit Maia-Mailguard installation menu: <pre> cd /usr/ports/security/maia make config </pre> #* *NOTE*: Make sure the *[X]DOVECOT2*, *[X]FUZZYOCR*, *[X]PGSQL*, *[X]PFA*, *[X]POSTFIX* and *[X]WEBHOST* options are selected. Also make sure to unset the *[ ]MYSQL* option. Feel free to select any additional options you may want. h2. Install Maia Mailguard * Install Maia-Mailguard: <pre> portmaster security/maia </pre> * Set password for “vscan” user to *SuperSecretPassword*: user: <pre> passwd vscan </pre> h2. Install PostgreSQL * This environment will be setup with PostgreSQL 9.4: <pre> portmaster databases/postgresql94-server </pre> * Login to PostgreSQL: <pre> sudo -u postgres psql -d template1 </pre> * Create a user for maiauser: <pre> CREATE USER maiauser CREATEDB; ALTER ROLE maiauser WITH PASSWORD 'SuperSecretPassword'; </pre> * Create the maiadb database & grant all privileges on database <pre> CREATE DATABASE maiadb OWNER maiauser; </pre> * Quit the database session <pre> \q </pre> * Try connecting to the new database with the new user <pre> sudo -u maiauser -H psql -d maiadb </pre> * Quit the database session <pre> \q </pre> * Populate the database: <pre> cd /usr/local/share/doc/maia psql -h pg.example.com -U maiauser -W maiadb < maia-pgsql.sql </pre> h2. Configure Dovecot * Install Dovecot Pigeonhole: <pre> cd /usr/ports/mail/dovecot2-pigeonhole portmaster </pre> * Edit /etc/rc.conf so Dovecot starts at boot: <pre> echo 'dovecot_enable="YES"' >> /etc/rc.conf </pre> * Copy Dovecot configuration files: <pre> cd /usr/local/etc/dovecot/example-config cp -Rp * ../ </pre> * Edit the dovecot auth config file: <pre> vi /usr/local/etc/dovecot/conf.d/10-auth.conf </pre> #* And edit the following: <pre> ... disable_plaintext_auth = no ... auth_mechanisms = plain login ... #!include auth-system.conf.ext !include auth-sql.conf.ext </pre> * Edit the dovecor mail config file: <pre> vi /usr/local/etc/dovecot/conf.d/10-mail.conf </pre> #* And modify the following: <pre> ... mail_location = maildir:/usr/local/virtual/%d/%n ... namespace inbox { type = private separator = / mailbox Sent { auto = subscribe special_use = \Sent } mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Trash { auto = subscribe special_use = \Trash } mailbox Spam { auto = subscribe special_use = \Junk } ... first_valid_uid = 110 last_valid_uid = 110 ... first_valid_gid = 110 last_valid_gid = 110 ... mail_plugins = mail_log notify ... </pre> * Edit the dovecot master config file: <pre> vi /usr/local/etc/dovecot/conf.d/10-master.conf </pre> #* And modify the following <pre> ... unix_listener auth-userdb { mode = 0660 user = vscan group = vscan } #Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } ... </pre> * Edit the dovecot ssl config file: <pre> vi /usr/local/etc/dovecot/conf.d/10-ssl.conf </pre> #* And modify the following: <pre> ... ssl = yes ... ssl_cert = </usr/local/etc/ssl/dovecot/cert.pem ssl_key = </usr/local/etc/ssl/dovecot/key.pem ... ssl_ca = </usr/local/etc/ssl/dovecot/cert.pem ... ssl_verify_client_cert = yes ... ssl_protocols = !SSLv2 !SSLv3 ... </pre> * Edit the dovecot lda config file: <pre> vi /usr/local/etc/dovecot/conf.d/15-lda.conf </pre> #* And modify the following: <pre> ... postmaster_address = postmaster@example.com ... hostname = mail.example.com ... sendmail_path = /usr/local/sbin/sendmail ... lda_mailbox_autocreate = yes ... protocol lda { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins sieve ... </pre> * Edit the dovecot imap config file: <pre> vi /usr/local/etc/dovecot/conf.d/20-imap.conf </pre> #* And modify the following: <pre> ... protocol imap { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins quota imap_quota zlib ... </pre> * Edit the dovecot pop3 config file: <pre> vi /usr/local/etc/dovecot/conf.d/20-pop3.conf </pre> #* And modify the following: <pre> ... pop3_client_workarounds = outlook-no-nuls oe-ns-eoh ... mail_plugins = $mail_plugins ... </pre> * Edit the dovecot plugin config file: <pre> vi /usr/local/etc/dovecot/conf.d/90-plugin.conf </pre> #* And modify the following: <pre> ... plugin { #setting_name = value expire = Trash mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size } plugin { sieve = /usr/local/virtual/home/%d/%n/.dovecot.sieve sieve_dir = /usr/local/virtual/home/%d/%n/sieve sieve_global_path = /usr/local/virtual/home/default.sieve mail_home = /usr/local/virtual/home/%d/%n } ... </pre> * Edit the dovecot quota config file: <pre> vi /usr/local/etc/dovecot/conf.d/90-quota.conf </pre> #* And modify the following: <pre> ... service quota-warning { executable = script /usr/local/bin/quota-warning.sh user = dovecot unix_listener quota-warning { user = vscan } } ... (Add to end of file...) plugin { #Where is quota applied ? quota = maildir:User quota # the default quota storage bytes, overrides are fetched from userdb [userdb_quota_ruleX] quota_rule = *:storage=1G #Storage bytes overrides quota_rule2 = Trash:storage=+30%% quota_rule3 = Sent:storage=+30%% quota_warning = storage=90%% quota-warning 90 %u quota_warning2 = storage=75%% quota-warning 75 %u #What message to send to IMAP clients (and SMTP senders) when quota is exceeded? quota_exceeded_message = Storage quota for this account has been exceeded, please try again later. } ... </pre> * Create Sieve home directory: <pre> mkdir -p /usr/local/virtual/home </pre> * Create the default.sieve file: <pre> vi /usr/local/virtual/home/default.sieve </pre> #* And add the following: <pre> require ["fileinto"]; # rule:[Spam] if header :contains "X-Spam-Status" "Yes" { fileinto "Spam"; stop; } </pre> * Run the sievec command against our default sieve file: <pre> sievec /usr/local/virtual/home/default.sieve </pre> * Set proper permissions on our virtual directory: <pre> chown -R vscan:vscan /usr/local/virtual chmod 0750 /usr/local/virtual </pre> * Edit the dovecot sql config file: <pre> vi /usr/local/etc/dovecot/dovecot-sql.conf.ext </pre> #* And modify the following: <pre> ... driver = pgsql ... connect = host=pg.example.com dbname=postfix user=postfix password=postfix_sql_password ... default_pass_scheme = MD5 ... password_query = SELECT password, CONCAT('*:bytes=', quota) AS userdb_quota_rule FROM mailbox WHERE username = '%u' AND active = '1' ... user_query = SELECT CONCAT('/usr/local/virtual/', maildir) as home, 110 AS uid, 110 AS gid, CONCAT('*:bytes=', quota) AS quota_rule \ FROM mailbox WHERE username = '%u' AND active = '1' ... </pre> #* *NOTE*: The user_query line contains a bit in the query to allow Dovecot to return quota usage. If you don’t want or don’t need quota usage returned, you can just remove that bit from the query… * Edit the main dovecot config file: <pre> vi/usr/local/etc/dovecot/dovecot.conf </pre> #* And modify the following: <pre> ... protocols = imap pop3 sieve ... login_greeting = example.com Mail Server Ready... ... </pre> * Add the dovecot user to vscan group for LDA/delivery: <pre> pw usermod dovecot -G vscan </pre> * Create SSL/TLS key and CSR to have signed for a certificate for secure connections: <pre> mkdir -p /usr/local/etc/ssl/dovecot cd /usr/local/etc/ssl/dovecot openssl req -sha512 -out mail.example.com.csr -new -newkey rsa:4096 -nodes -keyout mail.example.com.key </pre> h2. Resources * http://www.purplehat.org/?page_id=4 * http://www.maiamailguard.com/maia/wiki/Install