Basic mailserver configuration on RHEL10: Difference between revisions

From Fvettore-WIKI
← Older editNewer edit →
No edit summary
Line 5: Line 5:
  dnf install epel-release
  dnf install epel-release
  dnf install certbot
  dnf install certbot
Create cert with your FQN server name (server08.vettore.org in the example)
Create cert with your FQDN server name (server08.vettore.org in the example)
  certbot certonly -d server08.vettore.org
  certbot certonly -d server08.vettore.org


Revision as of 06:28, 9 October 2025

Quick and dirty (10 minutes) very basic configuration of mailserver with postfix, dovecot and mysql/mariadb.
It is the update of the previous basic_mailserver_configuration_on_RHEL_derivates

SSL certificates

dnf install epel-release
dnf install certbot

Create cert with your FQDN server name (server08.vettore.org in the example) 

certbot certonly -d server08.vettore.org

install Mariadb and set up tables

timedatectl set-timezone Europe/Rome
dnf install mariadb
dnf install mariadb-server
systemctl enable mariadb --now

Enter mariadb console and: 

create database mailserver;
use mailserver;

USERS

CREATE TABLE `users` (
 `email` varchar(200) NOT NULL,
 `enabled` int(11) DEFAULT 1,
 `password` varchar(128) NOT NULL,
 `imap_enabled` int(11) DEFAULT 1,
 `smtp_enabled` int(11) NOT NULL DEFAULT 1,
 `smtp_username` varchar(45) DEFAULT NULL,
 PRIMARY KEY (`email`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8

There are more fields than in usual tutorials you can retrieve online.

  • enabled: user can receive emails
  • imap_enabled: user can retieve email with IMAPs protocol
  • smtp_enabled: user can use smtp service to send email from a remote client
  • smtp_username: to authenticate SMTP, can be different from the email address


DOMAINS

CREATE TABLE
`domains` ( `domain` varchar(200) NOT NULL,
`enabled` int(11) NOT NULL DEFAULT '1', PRIMARY KEY (`domain`))
 ENGINE=MyISAM DEFAULT CHARSET=utf8

ALIAS

CREATE TABLE `aliases` ( `email` varchar(128) NOT NULL,
`alias` varchar(255) NOT NULL,
`enabled` int(11) DEFAULT '1',
 PRIMARY KEY (`email`)) ENGINE=MyISAM DEFAULT CHARSET=utf8;

ADD a test user (enter in mariadb console): 

insert into users set email='paperino@274512.xyz', password='segretina412', smtp_username='paperino';
insert into domains set domain='274512.xyz';

Grant privileges: 

grant select on mailserver.* to postfix@localhost identified by 'yoursecretpassword'

Postfix

dnf install postfix postfix-mysql
groupadd -g150 vmail
useradd -r  -u150 -d /var/vmail -s /sbin/nologin -g vmail vmail
mkdir /var/vmail
chown vmail:vmail /var/vmail

Edit /etc/postfix/main.cf and change/add the following line accordingly (replace paths of your cerificates) 

inet_protocols = all
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-users.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-aliases.cf
virtual_transport = dovecot
smtpd_tls_cert_file = /etc/letsencrypt/live/server08.vettore.org/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server08.vettore.org/privkey.pem
smtp_tls_CApath = /etc/letsencrypt/live/ 
smtp_tls_CAfile = /etc/letsencrypt/live/server08.vettore.org/fullchain.pem

Setup the connectors configured above

/etc/postfix/mysql-virtual-domains.cf: 

user = postfix
password = yuorsecretpassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM domains WHERE domain='%s' AND enabled=1

/etc/postfix/mysql-virtual-users.cf : 

user = postfix
password = yoursecretpassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM users where email='%s'AND enabled=1

/etc/postfix/mysql-virtual-aliases.cf 

user = postfix
password = yoursecretpassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT alias FROM aliases WHERE email='%s' AND enabled=1

You can check your configuration with postmap (1 returned in case of success) 

postmap q 274512.xyz mysql:/etc/postfix/mysql-virtual-domains.cf
postmap -q paperino@274512.xyz mysql:/etc/postfix/mysql-virtual-users.cf


Add this to your /etc/postfix/master.cf 

dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

Enable & start service 

systemctl enable postfix --now


Dovecot IMAP

dnf install dovecot dovecot-mysql

edit conf.d/10-mail.conf and add/uncomment this 

mail_location = maildir:/var/vmail/%d/%n/Maildir

edit /etc/dovecot/conf.d/auth-sql.conf.ext

comment out the first userdb section

remove comment from the last userdb section end edit as follows: 

userdb {
 driver = static
 args = uid=150 gid=150 home=/var/vmail/%d/%n allow_all_users=yes
}

Rename the above file removing .ext extension

Verify path in the passdb section of the above file. Should be /etc/dovecot/dovecot-sql.conf.ext
You must create this file: 

driver=mysql
default_pass_scheme = PLAIN
connect= host=127.0.0.1 port=3306 dbname=mailserver user=postfix password=yoursecretpassword
password_query = SELECT password, email as user  FROM users where email='%u' AND imap_enabled=1

in conf.d/10-ssl.conf add the certifcate and key replacing with the path of the certificate created above (but not the CA)

in dovecot.conf remove comment from protocol. Remove pop3 if not needed. Remove submission if you wish to configure SMTP auth with a different service (see cirus-sasl section below) 

protocols = imap lmtp

Add to the bottom: 

mail_uid=vmail
mail_gid=vmail

first_valid_uid = 150
last_valid_uid = 150

service stats {
 unix_listener stats-reader {
   group = vmail
   mode = 0666
 }
  unix_listener stats-writer {
    group = vmail
    mode = 0666
  }
}

Start end enable service

systemctl enable dovecot --now

SMTP auth with cyrus-sasl

Not the easiest way: you can use directly dovecot to authenticate SMTP users.
But the advantage of cyrus-sasl is you can configure different users for SMTP and IMAP or enable/disable SMTPP for IMAP users. The table structure created above have fields for this purpose.

Setting smtp_enabled=0 means the users cannot use SMTP auth (cannot send email from outside using this server as relay) 

dnf install cyrus-sasl cyrus-sasl-plain cyrus-sasl-lib cyrus-sasl-sql

edit /etc/sasl2/smtpd.conf 

pwcheck_method: auxprop
mech_list: PLAIN LOGIN
auxprop_plugin: sql
sql_usessl: no
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_database: mailserver
sql_passwd: yoursecretpassword
sql_select: select password from users where username = '%u' AND smtp_enabled=1
log_level: 3

uncomment the following line in /etc/postfix/masters.cf 

submission inet n       -       n       -       -       smtpd

add the following to /etc/postfix/main.cf 

smtpd_use_tls = yes
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes

restart services and start (anable) saslauthd 

systemctl restart postfix
systemctl restart dovecot
systemctl enable saslauthd --now
Retrieved from "http://10.99.0.100:8087/index.php?title=Basic_mailserver_configuration_on_RHEL10&oldid=220"