revsuine/revsuine.xyz
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: add to postfix section

Browse source
This commit is contained in:
revsuine 2024-11-20 02:32:17 +00:00
parent 54a37b2249
commit 5af37eb3c6
Signed by: revsuine
GPG key ID: 3F257B68F5BC9339
1 changed files with 104 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

106
content/blog/mail_server_alpine_postfix_dovecot_tutorial.md
View file

@ -252,8 +252,9 @@ Now run the following command to get your free TLS certificate:
If you have several subdomains in your nginx config that you'd like covered by the same certificate, you can omit `-d If you have several subdomains in your nginx config that you'd like covered by the same certificate, you can omit `-d
mail.domain.com` and get a certificate covering all the domains in your nginx config. On my server, I have one mail.domain.com` and get a certificate covering all the domains in your nginx config. On my server, I have one
certificate at `/etc/letsencrypt/revsuine.xyz/` covering my apex domain and all subdomains. If you go for a certificate certificate at `/etc/letsencrypt/live/revsuine.xyz/` covering my apex domain and all subdomains. If you go for a
with only one domain name, e.g. for `mail.domain.com`, it will be at `/etc/letsencrypt/mail.domain.com/`. certificate with only one domain name, e.g. for `mail.domain.com`, it will be at
`/etc/letsencrypt/live/mail.domain.com/`.
# Postfix # Postfix
@ -307,6 +308,76 @@ one at `/etc/logrotate.d/postfix`:
} }
``` ```
Add the following TLS settings, replacing `your.domain.com` with your mail server's FQDN, [or otherwise where the TLS
certificate we generated would be](#obtain-a-tls-certificate):
```conf
# Enable TLS encryption when Postfix receives incoming emails
smtpd_tls_cert_file = /etc/letsencrypt/live/your.domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/your.domain.com/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = lmdb:${data_directory}/smtpd_scache
# Enable TLS encryption when Postfix sends outgoing emails
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = lmdb:${data_directory}/smtp_scache
# Enforce TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# only offer authentication after STARTTLS
smtpd_tls_auth_only = yes
# disable SSL compression
tls_ssl_options = NO_COMPRESSION
# Configure the allowed cipher list
smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
tls_preempt_cipherlist = yes
```
The allowed cipher list is from [Mailcow](https://docs.mailcow.email/manual-guides/Postfix/u_e-postfix-harden_ciphers/).
If you're using this as a personal mail server, you may not want to have a mailbox size limit, so you can set:
```conf
mailbox_size_limit = 0
```
By default, `mailbox_size_limit` is `51200000`. This number is in bytes. You can similarly set a `message_size_limit`.
Finally, here are some various hardening settings you can add to your `/etc/postfix/main.conf`:
```conf
# connections rate limit: no of connections allowed per unit
# `postconf anvil_rate_time_unit` will give the time unit; by default it's
# 60 seconds, so 600/60=10 connections allowed per second
smtpd_client_connection_rate_limit = 600
# messages rate limit, again over same time limit
smtpd_client_message_rate_limit = 60
# VRFY command used to check if an email address exists
# not needed and can be used to find spam recipients
disable_vrfy_command = yes
# servers that don't use HELO or EHLO are either not properly configured
# or sending spam usually
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_helo_hostname,
reject_unknown_helo_hostname,
permit
```
## Send your first email ## Send your first email
Have the `postfix` service auto-start upon boot, and start it during this session: Have the `postfix` service auto-start upon boot, and start it during this session:
@ -343,6 +414,37 @@ so ultimately `revsuine` will get `postmaster`'s mail.
You can continue to populate the aliases file with whatever aliases you want. You can continue to populate the aliases file with whatever aliases you want.
## Enable Postfix submission and smtps service
To send emails from email clients, you'll need to enable Postfix's submission service so that Postfix can receive
emails to send via SMTP. Edit `/etc/postfix/master.cf` and ensure that the following lines are present:
```conf
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtp_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
```
They may be commented out, or partially present without some options.
Restart Postfix.
# rc-service postfix restart
# Dovecot # Dovecot
[Dovecot](https://www.dovecot.org/) is a popular IMAP and POP3 server which we'll be using for our MDA. [Dovecot](https://www.dovecot.org/) is a popular IMAP and POP3 server which we'll be using for our MDA.