Système de base : Ubuntu server 18.04

• Postfix (SMTP)
• Dovecot (IMAP)
• Rspamd (Antispam)
• Rainloop (Webmail)
• Dkim
• Filtres Sieve

# apt-get update && apt-get upgrade

# service sendmail stop; update-rc.d -f sendmail remove

"Failed to stop sendmail.service: Unit sendmail.service not loaded"

# groupadd -g 5000 vmail
# useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail

# apt install mc screen htop vim-nox curl git unzip ntp ntpdate nginx mariadb-server openssl /
php7.2-fpm php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-imap php7.2-cli php7.2-cgi /
php-pear mcrypt imagemagick libruby php7.2-curl php7.2-intl php7.2-pspell php7.2-recode /
php7.2-sqlite3 php7.2-tidy php7.2-xmlrpc php7.2-xsl memcached php-memcache php-imagick /
php-gettext php7.2-zip php7.2-mbstring

####### MYSQL #######

# mysql_secure_installation

• Enter current password for root (enter for none): ENTREE
• Set root password? [Y/n] Tapez Y
• New password: Entrez le mot de passe pour le user root
• Re-enter new password: mot de passe de nouveau...
• Remove anonymous users? [Y/n] Tapez Y
• Disallow root login remotely? [Y/n] Tapez Y
• Remove test database and access to it? [Y/n] Tapez Y
• Reload privilege tables now? [Y/n] Tapez Y

####### POSTFIXADMIN #######

# wget https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.2/postfixadmin-3.2.tar.gz
# tar xzf postfixadmin-3.2.tar.gz

# mv postfixadmin-3.2/ /var/www/postfixadmin
# rm -f postfixadmin-3.2.tar.gz
# mkdir /var/www/postfixadmin/templates_c

# chown -R www-data: /var/www/postfixadmin

# mysql -u root -p
CREATE DATABASE postfixadmin;
GRANT ALL ON postfixadmin.* TO 'postfixadmin'@'localhost' IDENTIFIED BY 'your_secret_password';
FLUSH PRIVILEGES;
exit

<?php
$CONF['configured'] = true;

$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'your_secret_password';
$CONF['database_name'] = 'postfixadmin';

$CONF['default_aliases'] = array (
   'abuse'      => 'abuse@example.com',
   'hostmaster' => 'hostmaster@example.com',
   'postmaster' => 'postmaster@example.com',
   'webmaster'  => 'webmaster@example.com'
);
$CONF['fetchmail'] = 'NO';
$CONF['show_footer_text'] = 'NO';
$CONF['quota'] = 'YES';
$CONF['domain_quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';
$CONF['aliases'] = '0';
$CONF['mailboxes'] = '0';
$CONF['maxquota'] = '0';
$CONF['domain_quota_default'] = '0';
?>

sudo -u www-data php /var/www/postfixadmin/public/upgrade.php

sudo bash /var/www/postfixadmin/scripts/postfixadmin-cli admin add

Welcome to Postfixadmin-CLI v0.2
---------------------------------------------------------------

Admin:  
> postmaster@example.com

Password:  
> your_secret_password

Password (again):  
> your_secret_password

Super admin:
(Super admins have access to all domains, can manage domains and admin accounts.) (y/n)
> y

Domain:  
> example.com

Active: (y/n)
> y

The admin postmaster@example.com has been added!

# apt install software-properties-common lsb-release
# add-apt-repository ppa:certbot/certbot
# apt update
# apt install python-certbot-nginx

server {   
   listen 80;   
   listen [::]:80;   
   server_name mail.example.com;   
   root /var/www/postfixadmin/public;   
   index index.php;   
   location / {      
      try_files $uri $uri/ /index.php;   
   }   
   location ~* .php$ {        
      fastcgi_split_path_info ^(.+?.php)(/.*)$;        
      if (!-f $document_root$fastcgi_script_name) {return 404;}        
      fastcgi_pass  unix:/run/php/php7.2-fpm.sock;        
      fastcgi_index index.php;        
      include fastcgi_params;        
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;   
   }
}

# certbot --nginx -d mail.example.com

../..
    listen [::]:443 ssl http2; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
../..

# service nginx restart

 

####### POSTFIX & DOVECOT #######

# wget -O- https://repo.dovecot.org/DOVECOT-REPO-GPG | sudo apt-key add -
# echo "deb https://repo.dovecot.org/ce-2.3-latest/ubuntu/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/dovecot.list
# apt update
# debconf-set-selections <<< "postfix postfix/mailname string $(hostname -f)"
# debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
# apt install postfix postfix-mysql dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysql

# mkdir -p /etc/postfix/sql

# nano /etc/postfix/sql/mysql_virtual_domains_maps.cf
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'

# nano /etc/postfix/sql/mysql_virtual_alias_maps.cf
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

# nano /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

# nano /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query  = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

# nano /etc/postfix/sql/mysql_virtual_mailbox_maps.cf
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

# nano /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
user = postfixadmin
password = P4ssvv0rD
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'

# postconf -e "virtual_mailbox_domains = mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf"
# postconf -e "virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf"
# postconf -e "virtual_mailbox_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf"

# postconf -e "virtual_transport = lmtp:unix:private/dovecot-lmtp"
# postconf -e 'smtp_tls_security_level = may'
# postconf -e 'smtpd_tls_security_level = may'
# postconf -e 'smtp_tls_note_starttls_offer = yes'
# postconf -e 'smtpd_tls_loglevel = 1'
# postconf -e 'smtpd_tls_received_header = yes'

# postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/mail.exampple.com/fullchain.pem'
# postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem'

# postconf -e 'smtpd_sasl_type = dovecot'
# postconf -e 'smtpd_sasl_path = private/auth'
# postconf -e 'smtpd_sasl_local_domain ='
# postconf -e 'smtpd_sasl_security_options = noanonymous'
# postconf -e 'broken_sasl_auth_clients = yes'
# postconf -e 'smtpd_sasl_auth_enable = yes'
# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

submission inet n       -       y       -       -       smtpd 
-o syslog_name=postfix/submission 
-o smtpd_tls_security_level=encrypt 
-o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no 
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject 
-o milter_macro_daemon_name=ORIGINATING

smtps     inet  n       -       y       -       -       smtpd 
-o syslog_name=postfix/smtps 
-o smtpd_tls_wrappermode=yes 
-o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no 
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject 
-o milter_macro_daemon_name=ORIGINATING

# service postfix restart

####### DOVECOT CONFIG #######

# nano /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=127.0.0.1 dbname=postfixadmin user=postfixadmin password=your_secret_password
default_pass_scheme = MD5-CRYPT
iterate_query = SELECT username AS user FROM mailbox
user_query = SELECT CONCAT('/var/mail/vmail/',maildir) AS home,   CONCAT('maildir:/var/mail/vmail/',maildir) AS mail,   5000 AS uid, 5000 AS gid, CONCAT('*:bytes=',quota) AS quota_rule   FROM mailbox WHERE username = '%u' AND active = 1
password_query = SELECT username AS user,password FROM mailbox   WHERE username = '%u' AND active='1'

# nano /etc/dovecot/conf.d/10-mail.conf
...
mail_location = maildir:/var/mail/vmail/%d/%n
...
mail_uid = vmail
mail_gid = vmail

...
first_valid_uid = 5000
last_valid_uid = 5000

...
mail_privileged_group = mail
...
mail_plugins = quota
...

# nano /etc/dovecot/conf.d/10-auth.conf
...
disable_plaintext_auth = yes
...
auth_mechanisms = plain login
...
#!include auth-system.conf.ext
!include auth-sql.conf.ext
...

# nano /etc/dovecot/conf.d/10-master.conf
...
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
...
}
...
service auth {
  ...
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
  ...
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  ...
}
...

service auth-worker {
  user = vmail
}

...

service dict {
  unix_listener dict {
    mode = 0660
    user = vmail
    group = vmail
  }
}
...

# nano /etc/dovecot/conf.d/10-ssl.conf
...
ssl = yes

...
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
ssl_dh = </etc/letsencrypt/ssl-dhparams.pem
...
ssl_cipher_list = EECDH+AES:EDH+AES+aRSA
...
ssl_prefer_server_ciphers = yes
...

# nano /etc/dovecot/conf.d/20-imap.conf
...
protocol imap { 
...

  mail_plugins = $mail_plugins imap_quota
  ...
}
...

 # nano /etc/dovecot/conf.d/20-lmtp.conf
...
protocol imap {
  postmaster_address = postmaster@example.com
  mail_plugins = $mail_plugins
}
...

# nano /etc/dovecot/conf.d/15-mailboxes.conf
...
mailbox Drafts {
  special_use = Drafts
}
mailbox Spam {
  special_use = Junk
  auto = subscribe
}
mailbox Junk {
  special_use = Junk
}
...

# nano /etc/dovecot/conf.d/90-quota.conf
plugin {
quota = dict:User quota::proxy::sqlquota
quota_rule = *:storage=5GB
quota_rule2 = Trash:storage=+100M
quota_grace = 10%%
quota_exceeded_message = Quota exceeded, please contact your system administrator.
}

plugin {
quota_warning = storage=100%% quota-warning 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
}

service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
user = vmail

unix_listener quota-warning {
  group = vmail
  mode = 0660
  user = vmail
}
}

dict {
sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}

# nano /etc/dovecot/dovecot-dict-sql.conf.ext
...
connect = host=127.0.0.1 dbname=postfixadmin user=postfixadmin password=your_secret_password
...
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}
...
# map {
#   pattern = shared/expire/$user/$mailbox
#   table = expires
#   value_field = expire_stamp
#
#   fields {
#     username = $user
#     mailbox = $mailbox
#   }
# }
...

# nano /usr/local/bin/quota-warning.sh
#!/bin/sh
PERCENT=$1
USER=$2
cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=dict:User quota::noenforcing:proxy::sqlquota"
From: postmaster@example.com
Subject: Quota warning

Your mailbox is $PERCENT% full. Don't forget to make a backup of old messages to remain able to receive mails.
EOF

# sudo chmod +x /usr/local/bin/quota-warning.sh

# service dovecot restart

####### RSPAMD #######

# apt install redis-server

# apt install software-properties-common lsb-release
# apt install lsb-release wget
# wget -O- https://rspamd.com/apt-stable/gpg.key | sudo apt-key add -
# echo "deb http://rspamd.com/apt-stable/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/rspamd.listsudo
# apt update
# apt install rspamd

# nano /etc/rspamd/local.d/worker-normal.inc
bind_socket = "127.0.0.1:11333";

# nano /etc/rspamd/local.d/worker-proxy.inc
bind_socket = "127.0.0.1:11332";
milter = yes;
timeout = 120s;
upstream "local" {
  default = yes;
  self_scan = yes;
}

# rspamadm pw --encrypt -p P4ssvv0rD

# nano /etc/rspamd/local.d/worker-controller.inc
password = "CLE_GENEREE_PLUS_HAUT"

# nano /etc/rspamd/local.d/classifier-bayes.conf
servers = "127.0.0.1";
backend = "redis";

# nano /etc/rspamd/local.d/milter_headers.conf
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];

# systemctl restart rspamd

# nano /etc/nginx/conf.d/spam.example.com.conf
server {
listen 80;  
listen [::]:80;  
server_name spam.example.com;  

location / {  
   proxy_pass http://127.0.0.1:11334/;     
   proxy_set_header Host $host;     
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;     
}  

}

# certbot --nginx -d spam.example.com

# postconf -e "milter_protocol = 6"
# postconf -e "milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}"
# postconf -e "milter_default_action = accept"
# postconf -e "smtpd_milters = inet:127.0.0.1:11332"
# postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"

# systemctl restart postfix

####### DOVECOT 2 #######

# apt install dovecot-sieve dovecot-managesieved

# nano /etc/dovecot/conf.d/20-lmtp.conf
protocol lmtp {
postmaster_address = postmaster@example.com
mail_plugins = $mail_plugins sieve
}

# nano /etc/dovecot/conf.d/20-imap.conf
...
protocol imap {
...
mail_plugins = $mail_plugins imap_quota imap_sieve
...
}
...

# nano /etc/dovecot/conf.d/20-managesieve.conf
...
service managesieve-login {
inet_listener sieve {
port = 4190  
}
...
}
..

service managesieve {
process_limit = 1024
}
...

# nano /etc/dovecot/conf.d/90-sieve.conf
plugin {
...  
# sieve = file:~/sieve;active=~/.dovecot.sieve  
sieve_plugins = sieve_imapsieve sieve_extprograms  
sieve_before = /var/mail/vmail/sieve/global/spam-global.sieve  
sieve = file:/var/mail/vmail/sieve/%d/%n/scripts;active=/var/mail/vmail/sieve/%d/%n/active-script.sieve  

imapsieve_mailbox1_name = Spam  
imapsieve_mailbox1_causes = COPY  
imapsieve_mailbox1_before = file:/var/mail/vmail/sieve/global/report-spam.sieve  

imapsieve_mailbox2_name = *  
imapsieve_mailbox2_from = Spam  
imapsieve_mailbox2_causes = COPY  
imapsieve_mailbox2_before = file:/var/mail/vmail/sieve/global/report-ham.sieve  

sieve_pipe_bin_dir = /usr/bin  
sieve_global_extensions = +vnd.dovecot.pipe  
....  
}

# mkdir -p /var/mail/vmail/sieve/global

# nano /var/mail/vmail/sieve/global/spam-global.sieve
require ["fileinto","mailbox"];

if anyof(
header :contains ["X-Spam-Flag"] "YES",  
header :contains ["X-Spam"] "Yes",  
header :contains ["Subject"] "*** SPAM ***"  
)  
{
fileinto :create "Spam";  
stop;  
}

# nano /var/mail/vmail/sieve/global/report-spam.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];

# nano /var/mail/vmail/sieve/global/report-ham.sieve
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_ham"];

# systemctl restart dovecot

# sievec /var/mail/vmail/sieve/global/spam-global.sieve
# sievec /var/mail/vmail/sieve/global/report-spam.sieve
# sievec /var/mail/vmail/sieve/global/report-ham.sieve
# chown -R vmail: /var/mail/vmail/sieve/

####### DKIM #######

# mkdir /var/lib/rspamd/dkim/

# rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key /var/lib/rspamd/dkim/mail.pub

# chown -R _rspamd: /var/lib/rspamd/dkim
# chmod 440 /var/lib/rspamd/dkim/*

# nano /etc/rspamd/local.d/dkim_signing.conf
selector = "mail";
path = "/var/lib/rspamd/dkim/$selector.key";
allow_username_mismatch = true;

# cp /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf

# systemctl restart rspamd

####### DNS #######

# cat /var/lib/rspamd/dkim/mail.pub
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdBRCqYzshc4LmmkxUkCH/rcIpSe/QdNIVmBrgqZmZ5zzWQi7ShdFOH7V32/VM1VRk2pkjDV7tmfbwslsymsfxgGhVHbU0R3803uRfxAiT2mYu1hCc9351YpZF4WnrdoA3BT5juS3YUo5LsDxvZCxISnep8VqVSAZOmt8wFsZKBXiIjWuoI6XnWrzsAfoaeGaVuUZBmi4ZTg0O4yl"   
"nVlIz11McdZTRe1FlONOzO7ZkQFb7O6ogFepWLsM9tYJ38TFPteqyO3XBjxHzp1AT0UvsPcauDoeHUXgqbxU7udG1t05f6ab5h/Kih+jisgHHF4ZFK3qRtawhWlA9DtS35DlwIDAQAB"   
) ;

####### RAINLOOP WEBMAIL #######

cd /tmp
wget http://www.rainloop.net/repository/webmail/rainloop-community-latest.zip

# mkdir /var/www/webmail
# unzip rainloop-community-latest.zip -d /var/www/webmail
# chown -R www-data:www-data /var/www/webmail

# nano /etc/nginx/conf.d/webmail.example.com.conf
server {
listen 80;  
listen [::]:80;  
root /var/www/webmail;  
index index.php index.html index.htm;   
server_name webmail.example.com;  

client_max_body_size 100M;  

location / {  
   try_files $uri $uri/ /index.php?$query_string;  
}       

location ~ .php$ {  
   include snippets/fastcgi-php.conf;       
   fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;       
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;       
   include fastcgi_params;       
}  

location ^~ /data {   
   deny all;       
}    

}

# certbot --nginx -d webmail.example.com

# nano /etc/rspamd/override.d/classifier-bayes.conf
autolearn = true;

systemctl restart rspamd

2 - Installation d'Ubuntu