Basic mailserver configuration on RHEL10

From Fvettore-WIKI

Revision as of 13:27, 8 October 2025

A very basic configuration of a mail server with Postfix, Dovecot and MySQL/MariaDB.
It is the update of the previous basic_mailserver_configuration_on_RHEL_derivates page.

change your SSHd config (suggested)

It is not a good idea to leave SSHd listening on the default port 22.

  semanage port -l | grep ssh
  semanage port -a -t ssh_port_t -p tcp 1997
  semanage port -l | grep ssh
  vi /etc/ssh/sshd_config

Edit the SSHD port, changing it to the 1997 labelled above, and restart the service

systemctl restart sshd
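The port change above is easy to get half done (port labelled for SELinux but the config line still commented, or the file edited with a typo and sshd restarted anyway). The following script is an added example, not part of the wiki page: it edits the Port directive idempotently, lets you confirm the effective port before restarting, and refuses to restart on an invalid config. The file path and port are parameters; the firewalld line is an addition the page does not mention and is an assumption that firewalld is in use, so it only runs where firewall-cmd exists.

```shell
#!/bin/sh
# Added example, not part of the wiki page: move sshd off port 22 with a
# small idempotent editor for sshd_config plus the SELinux labelling and
# service restart from the page.

# set_sshd_port FILE PORT
# Rewrites every "Port N" / "#Port N" line as "Port PORT"; appends the
# directive when the file has none. Running it twice gives the same result.
set_sshd_port() {
    file="$1"; port="$2"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# get_sshd_port FILE
# Prints the effective port: the last uncommented Port line, or 22 if none.
get_sshd_port() {
    awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# apply_sshd_port PORT
# The live procedure from the page (run as root); not exercised by the test.
# Refuses to restart sshd if the edited config fails "sshd -t", so a typo
# cannot lock you out of the box.
apply_sshd_port() {
    port="$1"
    # -a fails if the port is already labelled; fall back to modifying it
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    semanage port -l | grep ssh
    set_sshd_port /etc/ssh/sshd_config "$port"
    sshd -t || { echo "sshd_config invalid, not restarting" >&2; return 1; }
    # Assumption (not on the page): firewalld is active and must allow the new port
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    fi
    systemctl restart sshd
}
```

Before calling apply_sshd_port, keep a second SSH session open on the old port; get_sshd_port /etc/ssh/sshd_config should print 1997 once the edit is in place.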

SSL certs

dnf install epel-release
dnf install certbot

Create a certificate for your server's FQDN

certbot certonly -d server08.vettore.org


Install MariaDB and set up tables

timedatectl set-timezone Europe/Rome
dnf install mariadb
dnf install mariadb-server
systemctl enable mariadb --now

Enter the MariaDB console and run:

create database mailserver;
use mailserver;

USERS:

CREATE TABLE `users` (
  `email` varchar(200) NOT NULL,
  `password` varchar(128) NOT NULL,
  `enabled` int(11) NOT NULL DEFAULT '1',
  `username` varchar(45) DEFAULT NULL,
  PRIMARY KEY (`email`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

DOMAINS:

CREATE TABLE `domains` (
  `domain` varchar(200) NOT NULL,
  `enabled` int(11) NOT NULL DEFAULT '1',
  PRIMARY KEY (`domain`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

ALIASES:

CREATE TABLE `aliases` (
  `email` varchar(128) NOT NULL,
  `alias` varchar(255) NOT NULL,
  `enabled` int(11) DEFAULT '1',
  PRIMARY KEY (`email`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

Add a test user (in the MariaDB console):

insert into users set email='paperino@274512.xyz', password='segretina412', username='paperino';
insert into domains set domain='274512.xyz';

Grant privileges:

grant select on mailserver.* to postfix@localhost identified by 'yoursecretpassword';

Postfix

dnf install postfix postfix-mysql
groupadd -g 150 vmail
useradd -r -u 150 -d /var/vmail -s /sbin/nologin -g vmail vmail
mkdir /var/vmail
chown vmail:vmail /var/vmail

Edit /etc/postfix/main.cf and change/add the following lines accordingly

inet_protocols = all
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-users.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-aliases.cf
virtual_transport = dovecot
smtpd_tls_cert_file = /etc/letsencrypt/live/server08.vettore.org/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server08.vettore.org/privkey.pem
smtp_tls_CApath = /etc/letsencrypt/live/ 
smtp_tls_CAfile = /etc/letsencrypt/live/server08.vettore.org/fullchain.pem

Set up the lookup tables referenced above

/etc/postfix/mysql-virtual-domains.cf:

user = postfix
password = yoursecretpassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM domains WHERE domain='%s' AND enabled=1

/etc/postfix/mysql-virtual-users.cf:

user = postfix
password = yoursecretpassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM users WHERE email='%s' AND enabled=1

/etc/postfix/mysql-virtual-aliases.cf:

user = postfix
password = yoursecretpassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT alias FROM aliases WHERE email='%s' AND enabled=1

You can check your configuration with postmap (1 is returned on success)

postmap -q 274512.xyz mysql:/etc/postfix/mysql-virtual-domains.cf
postmap -q paperino@274512.xyz mysql:/etc/postfix/mysql-virtual-users.cf
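The three map files above all carry the database password, so their file mode matters as much as their content. The script below is an added example, not the wiki's own: it writes the three files from one set of credentials with the queries from the page, creates them as 0640 so the password is never world-readable (group-owning them to postfix in a live install is an added practice the page does not state), and audits a directory for map files that still are. Directory, user and password are parameters.

```shell
#!/bin/sh
# Added example, not part of the wiki page: generate the Postfix MySQL
# lookup tables with a restricted mode and audit for leaky ones.

# write_mysql_map DIR NAME USER PASSWORD QUERY
# Writes DIR/mysql-virtual-NAME.cf in the format the page uses.
write_mysql_map() {
    dir="$1"; name="$2"; user="$3"; pass="$4"; query="$5"
    f="$dir/mysql-virtual-$name.cf"
    # umask in a subshell: the file is born 0640, no window where it is 0644
    ( umask 027
      printf 'user = %s\npassword = %s\nhosts = 127.0.0.1\ndbname = mailserver\nquery = %s\n' \
          "$user" "$pass" "$query" > "$f" )
    chmod 0640 "$f"                  # also fixes a pre-existing file
    # Live install (added practice, run as root): chgrp postfix "$f"
}

# write_all_maps DIR USER PASSWORD
# The three tables from the page, queries verbatim.
write_all_maps() {
    write_mysql_map "$1" domains "$2" "$3" "SELECT 1 FROM domains WHERE domain='%s' AND enabled=1"
    write_mysql_map "$1" users   "$2" "$3" "SELECT 1 FROM users WHERE email='%s' AND enabled=1"
    write_mysql_map "$1" aliases "$2" "$3" "SELECT alias FROM aliases WHERE email='%s' AND enabled=1"
}

# world_readable_maps DIR
# Prints every mysql-*.cf in DIR whose mode grants "other" read access.
# Returns 0 when the directory is clean, 1 when at least one file leaks.
world_readable_maps() {
    found=0
    for f in "$1"/mysql-*.cf; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")      # e.g. 640 or 644 (GNU stat)
        case "$mode" in
            *[4567]) echo "world-readable: $f ($mode)"; found=1 ;;
        esac
    done
    return $found
}
```

After writing the real files under /etc/postfix, run world_readable_maps /etc/postfix as a quick audit, then the postmap -q checks from the page to confirm the queries still answer 1.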


Add this to your /etc/postfix/master.cf

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

Start the service

systemctl enable postfix --now


Dovecot IMAP

dnf install dovecot dovecot-mysql

Edit /etc/dovecot/conf.d/10-mail.conf and add/uncomment this

mail_location = maildir:/var/vmail/%d/%n/Maildir

Edit /etc/dovecot/conf.d/auth-sql.conf.ext:

comment out the first userdb section;

remove the comment from the last userdb section and edit it as follows:

userdb {
 driver = static
 args = uid=150 gid=150 home=/var/vmail/%d/%n allow_all_users=yes
}

Rename the above file, removing the .ext extension.

Verify the path in the passdb section of the above file. It should be /etc/dovecot/dovecot-sql.conf.ext
You must create this file:

driver = mysql
default_pass_scheme = PLAIN
connect = host=127.0.0.1 port=3306 dbname=mailserver user=postfix password=yoursecretpassword
password_query = SELECT password, email AS user FROM users WHERE email='%u' AND enabled=1

In conf.d/10-ssl.conf add the certificate and key, replacing the paths with those of the certificate created above (but not the CA).

In dovecot.conf remove the comment from the protocols line (remove pop3 if not needed):

protocols = imap lmtp submission

Add to the bottom:

mail_uid=vmail
mail_gid=vmail

first_valid_uid = 150
last_valid_uid = 150

service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0666
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0666
  }
}

Start and enable the service

systemctl enable dovecot --now

SMTP auth with cyrus-sasl

This is not the easiest way: you can use Dovecot directly to authenticate SMTP submission.
But the advantage of cyrus-sasl is that you can authenticate different users than Dovecot does, or enable/disable active users in order to authorize SMTP. The table structure created above has two fields for this purpose.

dnf install cyrus-sasl cyrus-sasl-plain cyrus-sasl-lib cyrus-sasl-sql

Edit /etc/sasl2/smtpd.conf:

pwcheck_method: auxprop
mech_list: PLAIN LOGIN
auxprop_plugin: sql
sql_usessl: no
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_database: mailserver
sql_passwd: yoursecretpassword
sql_select: select password from users where username = '%u'
log_level: 3

Uncomment the following line in /etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd

Add the following to /etc/postfix/main.cf

smtpd_use_tls = yes
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes

!!IMPORTANT!! Disable Dovecot listening on port 587, otherwise there will be a port conflict between Dovecot and Postfix.
Edit /etc/dovecot/conf.d/10-master.conf and set the inet_listener submission port to 0 or enabled = false:

service submission-login {
  inet_listener submission {
    port = 0
  }
#  inet_listener submissions {
#    port = 465
#  }
}
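The 587 clash is silent until one of the two daemons fails to bind, so it is worth checking from the files rather than waiting for the restart. The script below is an added example, not part of the wiki page: it reads the Postfix master.cf and the Dovecot 10-master.conf (both paths are parameters, so it can run against copies), treats an absent or commented port in the submission listener as Dovecot's built-in default of 587, and reports a conflict only when Postfix's submission service is enabled at the same time. It assumes the stanza layout shown on the page (inet_listener submission { port = N }).

```shell
#!/bin/sh
# Added example, not part of the wiki page: detect the tcp/587 conflict
# between the Postfix submission service and Dovecot's submission listener.

# dovecot_submission_port FILE
# Prints the port of "inet_listener submission" (not "submissions") in a
# Dovecot master config; prints nothing if the port is absent or commented.
dovecot_submission_port() {
    awk '
        /^[[:space:]]*#/ { next }                                   # skip comments
        /inet_listener[[:space:]]+submission[[:space:]]*\{/ { inside = 1; next }
        inside && /^[[:space:]]*port[[:space:]]*=/ { sub(/.*=[[:space:]]*/, ""); print; inside = 0 }
        inside && /\}/ { inside = 0 }                               # stanza closed without a port
    ' "$1"
}

# postfix_submission_enabled FILE
# Returns 0 when master.cf has an uncommented "submission inet ... smtpd" entry.
postfix_submission_enabled() {
    grep -Eq '^submission[[:space:]]+inet[[:space:]]+.*smtpd' "$1"
}

# submission_conflict MASTER_CF DOVECOT_MASTER_CONF
# Returns 0 (conflict) when Postfix submission is enabled and Dovecot would
# still bind 587; 1 otherwise. Prints a one-line verdict either way.
submission_conflict() {
    dport=$(dovecot_submission_port "$2")
    dport=${dport:-587}               # unset/commented = Dovecot default 587
    if postfix_submission_enabled "$1" && [ "$dport" = "587" ]; then
        echo "conflict: both postfix and dovecot want tcp/587"
        return 0
    fi
    echo "ok: dovecot submission port is $dport"
    return 1
}
```

Run submission_conflict /etc/postfix/master.cf /etc/dovecot/conf.d/10-master.conf before the restarts below; a 0 exit status means there is still work to do. One more caveat for this setup: default_pass_scheme = PLAIN and the sql_select above both read the same password column as clear text, so the users table holds mailbox passwords unhashed, and it should be treated (backups included) with the same care as the map files.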

Restart the services and start (enable) saslauthd

systemctl restart postfix
systemctl restart dovecot
systemctl enable saslauthd --now