Contents
1. Obtaining a certificate for the mail server
Obtain a certificate for the mail server so that SMTP, IMAP and POP3 can be served over SSL/TLS.
Use the same certbot that was used when the web server was switched to SSL.
certbot's standalone authenticator answers the HTTP-01 challenge on port 80 itself, so the host name mail.<domain name> must already resolve to this server and the web server must be stopped first. Then run:

# service apache24 stop
# certbot certonly --standalone -d mail.<domain name>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mail.<domain name>

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/mail.<domain name>/fullchain.pem
Key is saved at:         /usr/local/etc/letsencrypt/live/mail.<domain name>/privkey.pem
This certificate expires on 2026-03-05.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Start the web server again once the certificate has been issued. Renewal rewrites the files under live/ in place, but Postfix and Dovecot keep serving the certificate they loaded at start, so reload both after every renewal (certbot's --deploy-hook option can run the reload for you). The live/ directory and privkey.pem are readable by root only; keep it that way, both daemons read the key as root before dropping privileges.
2. Advance preparations
2.1 Install procmail
procmail is used for per-user mail sorting (see section 6).

# cd /usr/ports/mail/procmail
# make BATCH=yes install clean

※ If the port does not build, install the binary package instead:

# pkg install procmail

Set the build parameters that should always be applied when make is executed for these ports.
Edit pkgtools.conf (this file is read by portupgrade; pkg install ignores it):

# vi /usr/local/etc/pkgtools.conf
Add at line 404:
MAKE_ARGS = {
  'security/cyrus-sasl2' => 'WITHOUT_OTP=yes',
  'security/cyrus-sasl2-saslauthd' => 'WITH_BDB=yes',
  'mail/postfix' => 'WITH_SASL2=yes WITH_TLS=yes',
}
2.2 Install cyrus-sasl2 and cyrus-sasl2-saslauthd
SASL is used for SMTP authentication. Install the Cyrus SASL2 library and saslauthd (the ports are security/cyrus-sasl2 and security/cyrus-sasl2-saslauthd; the package names drop the "2"):

# pkg install cyrus-sasl cyrus-sasl-saslauthd
3. Postfix
3.1 Install
# cd /usr/ports/mail/postfix
# make WITH_SASL2=yes WITH_TLS=yes WITH_BDB=yes install clean
3.2 Postfix Settings
①Edit main.cf

# vi /usr/local/etc/postfix/main.cf
Add at line 100:
myhostname = mail.<domain>
Add at line 107:
mydomain = <domain>
Uncomment line 122:
myorigin = $mydomain
Uncomment line 136:
inet_interfaces = all
Uncomment line 184:
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
Uncomment line 286 and change it to your own network:
mynetworks = 127.0.0.0/8, 192.168.11.0/24
Uncomment line 320 and add the following:
relay_domains = $mydestination
Uncomment around line 410:
alias_maps = hash:/etc/aliases
Uncomment around line 420:
alias_database = hash:/etc/aliases
Uncomment around line 442:
home_mailbox = Maildir/                      #←Maildir format
Add around line 472:
mailbox_command = /usr/local/bin/procmail    #←path to procmail
Add at the end:
# SASL configuration (smtpd_sasl_type = dovecot: Postfix hands AUTH to Dovecot's auth socket, see 4.2 ➂)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# TLS configuration
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/mail.<domain>/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/mail.<domain>/privkey.pem
smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_scache

Points to check before going live:
• mynetworks lists the clients that may relay without authenticating. Replace 192.168.11.0/24 with your own LAN only; anything broader makes the server an open relay for that range.
• Because mailbox_command is set, local delivery goes through procmail and home_mailbox is only the fallback; the Maildir destination is chosen in procmailrc (section 6).
• smtpd_sasl_auth_enable = yes in main.cf applies to every smtpd instance, so port 25 also advertises AUTH before STARTTLS (visible in the EHLO output in section 7). Set smtpd_tls_security_level = may (without it STARTTLS is never offered) and smtpd_tls_auth_only = yes so that a password is only accepted inside TLS.
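As an added check (example script written for this page, not part of the original article or of Postfix), the following POSIX sh script reads a main.cf and reports the settings that leave SMTP AUTH or relaying exposed. It embeds two constructed samples: the tail of the main.cf above with the host name replaced by mail.example.com, and the same file with the two TLS settings from the caveat added. The sample path under ${TMPDIR:-/tmp} and mail.example.com are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): lint a Postfix main.cf for
# the settings that decide whether SMTP AUTH credentials and relaying are safe.
# Sample files are constructed here; ${TMPDIR:-/tmp} and mail.example.com are
# assumptions, not values from the page.

SAMPLE=${SAMPLE:-${TMPDIR:-/tmp}/main.cf.sample}

write_samples() {
    # Constructed copy of the page's main.cf tail (no TLS level, no auth_only)
    cat > "$SAMPLE" <<'EOF'
myhostname = mail.example.com
inet_interfaces = all
mynetworks = 127.0.0.0/8, 192.168.11.0/24
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/mail.example.com/privkey.pem
EOF
    # Same file with the two settings recommended in the caveat above
    { cat "$SAMPLE"
      echo 'smtpd_tls_security_level = may'
      echo 'smtpd_tls_auth_only = yes'; } > "$SAMPLE.hardened"
}

# pf_get FILE PARAM: print PARAM's effective value (the last assignment wins,
# as in Postfix); comments and blank lines are ignored. Continuation lines
# (leading whitespace) are not handled, so keep one parameter per line.
pf_get() {
    awk -v p="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $0 ~ ("^[ \t]*" p "[ \t]*=") {
            sub("^[ \t]*" p "[ \t]*=[ \t]*", ""); v = $0
        }
        END { print v }' "$1"
}

# pf_lint FILE: print one finding per line for the weak spots.
pf_lint() {
    f=$1
    if [ "$(pf_get "$f" smtpd_sasl_auth_enable)" = yes ]; then
        lvl=$(pf_get "$f" smtpd_tls_security_level)
        if [ -z "$lvl" ] || [ "$lvl" = none ]; then
            echo "smtpd_tls_security_level unset/none: STARTTLS is never offered"
        fi
        if [ "$(pf_get "$f" smtpd_tls_auth_only)" != yes ]; then
            echo "smtpd_tls_auth_only != yes: AUTH accepted on cleartext port 25"
        fi
    fi
    # Anything listed in mynetworks relays without a password.
    case "$(pf_get "$f" mynetworks)" in
        *0.0.0.0/0*) echo "mynetworks contains 0.0.0.0/0: open relay" ;;
    esac
    # Postfix >= 2.10 defaults smtpd_relay_restrictions safely; when it is
    # set explicitly it must still reject/defer unauthorised destinations.
    rr=$(pf_get "$f" smtpd_relay_restrictions)
    if [ -n "$rr" ]; then
        case "$rr" in
            *reject_unauth_destination*|*defer_unauth_destination*|*reject) ;;
            *) echo "smtpd_relay_restrictions never rejects: open relay" ;;
        esac
    fi
    return 0
}

# pf_lint_count FILE: number of findings, as a plain integer
pf_lint_count() {
    pf_lint "$1" | awk 'END { print NR }'
}

write_samples
for f in "$SAMPLE" "$SAMPLE.hardened"; do
    echo "== $f: $(pf_lint_count "$f") finding(s)"
    pf_lint "$f"
done
```

Run it against /usr/local/etc/postfix/main.cf by calling pf_lint with that path; on a live server `postconf -n` gives the same effective values, but the parser above works offline on a copied file.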
➁Edit master.cf

# vi /usr/local/etc/postfix/master.cf
Starting at line 19, uncomment the following lines of the submission entry (port 587, STARTTLS):
submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_forbid_unauth_pipelining=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o local_header_rewrite_clients=static:all
#  -o smtpd_hide_client_session=yes
#  -o smtpd_reject_unlisted_recipient=no
#  # Instead of specifying complex smtpd_<xxx>_restrictions here,
#  # specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
#  # here, and specify mua_<xxx>_restrictions in main.cf (where
#  # "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
#  -o smtpd_client_restrictions=
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Starting at line 40, uncomment the following lines of the submissions entry (port 465, TLS from the first byte):
submissions inet n      -       n       -       -       smtpd
  -o syslog_name=postfix/submissions
#  -o smtpd_forbid_unauth_pipelining=no
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o local_header_rewrite_clients=static:all
#  -o smtpd_hide_client_session=yes
#  -o smtpd_reject_unlisted_recipient=no
#  # Instead of specifying complex smtpd_<xxx>_restrictions here,
#  # specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
#  # here, and specify mua_<xxx>_restrictions in main.cf (where
#  # "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
#  -o smtpd_client_restrictions=
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_relay_restrictions=
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

smtpd_tls_security_level=encrypt makes STARTTLS mandatory on 587, and smtpd_tls_wrappermode=yes makes 465 TLS from the first byte, so AUTH on these two ports always happens inside TLS. Two more lines are worth uncommenting: syslog_name=postfix/submission, so that logins on 587 can be told apart from port 25 traffic in /var/log/maillog, and smtpd_recipient_restrictions=permit_sasl_authenticated,reject in the submissions entry, so that port 465 behaves like 587 and relays only for authenticated users instead of falling back to the main.cf restrictions, which also permit unauthenticated relaying from mynetworks.
➂Configure saslauthd to start automatically

# vi /etc/rc.conf
…append the following:
saslauthd_enable="YES"
saslauthd_flags="-a sasldb"

Start it:
# /usr/local/etc/rc.d/saslauthd start
Starting saslauthd.

Note: with smtpd_sasl_type = dovecot in main.cf, Postfix passes AUTH to Dovecot's auth socket (4.2 ➂) and never consults saslauthd or sasldb2. Steps ➂ to ⑥ only take effect if smtpd_sasl_type is set to cyrus instead, and even then the pwcheck_method: auxprop setting in ④ makes libsasl read sasldb2 directly, so saslauthd itself is not used (that would need pwcheck_method: saslauthd).
④SMTP AUTH setting (Cyrus SASL)
Create the following file:

# vi /usr/local/lib/sasl2/smtpd.conf
…with this content:
pwcheck_method: auxprop
⑤Add an SMTP user
Add the system user huong as an SMTP user in sasldb2 (-u sets the realm; use your domain):

# saslpasswd2 -c -u [domain] huong
Password:
Again (for verification):

Check the user:
# sasldblistusers2
huong@[domain]: cmusaslsecretOTP
huong@[domain]: userPassword

The cmusaslsecretOTP entry means the OTP plugin is present: pkg install in 2.2 does not apply the WITHOUT_OTP=yes from pkgtools.conf, which only affects builds done through portupgrade.
⑥Change ownership of /usr/local/etc/sasldb2.db
sasldb2 stores the userPassword property in a form that can be read back, so it must not be readable by other local users:

# chown cyrus:mail /usr/local/etc/sasldb2.db
# chmod 640 /usr/local/etc/sasldb2.db
⑦Stop Sendmail
If Sendmail is running, stop it:

# /etc/rc.d/sendmail stop
Stopping sendmail.
Waiting for PIDS: 915.
sendmail_submit not running? (check /var/run/sendmail.pid).
Stopping sendmail_msp_queue.
Waiting for PIDS: 933.

Disable Sendmail's automatic start:

# vi /etc/rc.conf
…append the following:
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
⑧Other
Create the following new file so that periodic(8) stops calling Sendmail for its daily reports:

# vi /etc/periodic.conf
…with this content:
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

Point the mailwrapper at Postfix, so that sendmail, mailq and newaliases invoke Postfix's compatibility binary:

# mv /etc/mail/mailer.conf /etc/mail/mailer.conf.org
# vi /etc/mail/mailer.conf
…with this content:
sendmail    /usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq       /usr/local/sbin/sendmail
newaliases  /usr/local/sbin/sendmail

Keep Sendmail and the mailwrapper out of future base system builds (these knobs only take effect at the next buildworld/installworld; until then the mailer.conf above is what routes sendmail calls to Postfix):

# vi /etc/make.conf
…with this content:
NO_MAILWRAPPER=YES
NO_SENDMAIL=YES
⑨Start Postfix

# vi /etc/rc.conf
…append the following:
postfix_enable="YES"

# /usr/local/etc/rc.d/postfix start
postfix/postfix-script: starting the Postfix mail system
4. Dovecot
4.1 Install
# cd /usr/ports/mail/dovecot
# make BATCH=yes install clean
4.2 Dovecot configuration
①Edit dovecot.conf
After installation the sample configuration is in /usr/local/etc/dovecot/example-config/. Copy its entire contents to /usr/local/etc/dovecot/ and restrict dovecot.conf to mode 640.

# cp -r /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot/
# chmod 640 /usr/local/etc/dovecot/dovecot.conf

# vi /usr/local/etc/dovecot/dovecot.conf
Line 25: add
protocols = imap pop3
Line 30: uncomment
listen = *, ::
➁Edit 10-ssl.conf

# vi /usr/local/etc/dovecot/conf.d/10-ssl.conf
Line 6: uncomment
ssl = yes
Lines 12,13: change (the leading "<" tells Dovecot to read the file's contents; privkey.pem stays readable by root only, Dovecot reads it as root while parsing the configuration)
ssl_cert = </usr/local/etc/letsencrypt/live/mail.<domain>/fullchain.pem
ssl_key = </usr/local/etc/letsencrypt/live/mail.<domain>/privkey.pem

Since only the TLS listeners stay enabled in ➂, ssl = required is the stricter alternative: it refuses any non-TLS connection from a remote client outright.
➂Edit 10-master.conf

# vi /usr/local/etc/dovecot/conf.d/10-master.conf
Line 19: change (port = 0 disables the plaintext IMAP listener)
service imap-login {
  inet_listener imap {
    port = 0          # was: #port = 143
  }
Lines 22,23: uncomment
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
Line 40: change (port = 0 disables the plaintext POP3 listener)
service pop3-login {
  inet_listener pop3 {
    port = 0          # was: #port = 110
  }
Lines 43,44: uncomment
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
Lines 110-112: uncomment and add (this is the socket main.cf refers to as private/auth)
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

The socket lives inside /var/spool/postfix/private, a directory only the postfix user can enter, so mode 0660 is sufficient with user and group set to postfix.
④Edit 10-auth.conf

# vi /usr/local/etc/dovecot/conf.d/10-auth.conf
Line 10: uncomment and change
disable_plaintext_auth = no
Line 100: add
auth_mechanisms = plain login

disable_plaintext_auth = no lets Dovecot accept PLAIN/LOGIN even on connections it does not consider secure. With the plaintext IMAP/POP3 listeners disabled in ➂ and Postfix offering AUTH only inside TLS on 587/465, the default (yes) also works and is the safer choice: Dovecot treats TLS sessions, local connections and Postfix sessions flagged as secured as secure and refuses to take a password on anything else. plain is what Thunderbird uses; login is kept for older clients.
⑤Edit 10-mail.conf

# vi /usr/local/etc/dovecot/conf.d/10-mail.conf
Line 31: add
mail_location = maildir:~/Maildir
⑥Configure Dovecot to start automatically, then start it

# vi /etc/rc.conf
…append the following:
dovecot_enable="YES"

# /usr/local/etc/rc.d/dovecot start
Starting dovecot.
⑦Rebuild the mail alias database
Set the address that mail for root is forwarded to:

# vi /etc/aliases
Add at line 18, below the commented example:
# root: me@my.domain
root: [Your email address]

Apply the change by rebuilding the alias database (newaliases does the same through the mailwrapper):

# postalias /etc/aliases
5. Create user mail directories
①Create the mail directory for an existing user (the existing user is assumed to be huong)
FreeBSD's /bin/sh has no brace expansion, so switch to bash for the {cur,new,tmp} shorthand:

# bash

# mkdir -p /home/huong/Maildir/{cur,new,tmp}
# chmod -R 700 /home/huong/Maildir
# chmod -R 700 /home/huong/Maildir/{cur,new,tmp}
# chown -R huong:huong /home/huong/Maildir

Mode 700 on Maildir and its subdirectories keeps other local users out of the mailbox; the second chmod is already covered by the recursive one above it.

➁Create the mail directory for new users
Files under /usr/share/skel are copied into the home directory of every user created with adduser, so a Maildir placed there is created automatically for them:

# mkdir -p /usr/share/skel/Maildir/{cur,new,tmp}
# chmod -R 700 /usr/share/skel/Maildir/

Return to the original sh (exit leaves bash; typing sh would start a third, nested shell):

# sh
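The same work in plain POSIX sh, as an added example that is not part of the original article: it needs no switch to bash, and it verifies the result the way a reviewer would, by checking that all three subdirectories exist and that nothing under the Maildir is group- or world-accessible. The user name huong comes from this page; the test location under ${TMPDIR:-/tmp} is an assumption.

```sh
#!/bin/sh
# Added example (not from the original article): create and verify a Maildir
# without bash brace expansion, so it runs in FreeBSD's /bin/sh as-is.
# ${TMPDIR:-/tmp}/maildir-example is an assumed scratch location.

# make_maildir DIR [OWNER]: create DIR/cur, DIR/new, DIR/tmp with mode 700 on
# every level and, when OWNER is given (needs root), chown the tree to it.
# Safe to re-run on an existing Maildir: only directories are touched.
make_maildir() {
    dir=$1
    owner=$2
    for sub in cur new tmp; do
        mkdir -p "$dir/$sub" || return 1
    done
    chmod 700 "$dir" "$dir/cur" "$dir/new" "$dir/tmp" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$dir" || return 1
    fi
}

# check_maildir DIR: succeed only if the three subdirectories exist and no
# entry directly under DIR (nor DIR itself) grants group/other permissions.
# The mode is read from the ls -ld string because find's symbolic -perm
# forms differ between BSD and GNU find.
check_maildir() {
    dir=$1
    bad=0
    for sub in cur new tmp; do
        if [ ! -d "$dir/$sub" ]; then
            echo "missing $dir/$sub"
            bad=1
        fi
    done
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        mode=$(ls -ld "$p" | cut -c5-10)   # group+other part of "drwx------"
        if [ "$mode" != "------" ]; then
            echo "loose permissions on $p (group/other: $mode)"
            bad=1
        fi
    done
    return $bad
}

root=${MAILDIR_EXAMPLE_ROOT:-${TMPDIR:-/tmp}/maildir-example}
make_maildir "$root/huong/Maildir"          # add ",huong" as 2nd arg as root
if check_maildir "$root/huong/Maildir"; then
    echo "ok: $root/huong/Maildir"
fi
```

On the real system the calls are `make_maildir /home/huong/Maildir huong` and `make_maildir /usr/share/skel/Maildir` (adduser chowns the copied skeleton to the new user), followed by check_maildir on each.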
6. Procmail settings
As an example, discard e-mails whose Subject line contains the word "finance". Rules in the system-wide rc file apply to every user; per-user rules go in ~/.procmailrc.

# vi /usr/local/etc/procmailrc
SHELL=/bin/sh
PATH=/bin:/usr/bin:/usr/local/bin
DROPPRIVS=yes
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
#LOGFILE=$MAILDIR/procmail.log

#remove finance
:0
* ^Subject: .*finance.*
/dev/null

The trailing slash in DEFAULT selects Maildir delivery into $HOME/Maildir. procmail matches case-insensitively unless the D flag is given, so "Finance" and "FINANCE" are caught as well, and the surrounding .* are redundant (^Subject:.*finance is enough). Mail delivered to /dev/null disappears without a bounce or a log line; for anything beyond a test rule deliver to a folder such as $MAILDIR/.Junk/ instead, and enable LOGFILE while tuning the rules.
7. Firewall settings
Allow the following ports in ipfirewall (ipfw):
• 995 (POP3S)
• 993 (IMAPS)
• 25 (SMTP, server-to-server)
• 587 (submission, STARTTLS)
• 465 (submissions, implicit TLS)

# vi /usr/local/etc/ipfw.rules
…append the following; replace XXX with rule numbers that sort before your final deny rule (ipfw evaluates rules in numeric order):
$IPF XXX allow tcp from any to any 25 in
$IPF XXX allow tcp from any to any 25 out
$IPF XXX allow tcp from any to any 465 in
$IPF XXX allow tcp from any to any 465 out
$IPF XXX allow tcp from any to any 587 in
$IPF XXX allow tcp from any to any 587 out
$IPF XXX allow tcp from any to any 993 in
$IPF XXX allow tcp from any to any 993 out
$IPF XXX allow tcp from any to any 995 in
$IPF XXX allow tcp from any to any 995 out

Ports 110 and 143 stay closed because their plaintext listeners were disabled in 4.2 ➂. Reload ipfw:

# /etc/rc.d/ipfw restart
Firewall rules loaded.
Port forwarding on the router may also be required.

Check the SMTP connection with telnet:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.<domain> ESMTP Postfix
EHLO localhost
250-mail.<domain>
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
quit
221 2.0.0 Bye
Connection closed by foreign host.

# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.<domain> ESMTP Postfix
EHLO localhost
250-mail.<domain>
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
quit
221 2.0.0 Bye
Connection closed by foreign host.

Two lines in this output deserve attention. 250-AUTH PLAIN LOGIN is advertised on port 25 before any STARTTLS, so a client that follows the advertisement sends its password in the clear; with smtpd_tls_auth_only = yes in main.cf, AUTH is only advertised after STARTTLS. 250-VRFY lets anyone probe which local users exist; disable_vrfy_command = yes in main.cf turns it off. Port 465 cannot be checked with telnet because it is TLS from the first byte; use openssl s_client -connect mail.<domain>:465 instead (and openssl s_client -starttls smtp -connect mail.<domain>:587 to see the capability list after STARTTLS).
Set up your e-mail client (Thunderbird)
Use the following settings.
Incoming server
・IMAP mail server, port 993
・Security settings: connection security SSL/TLS, authentication method normal password
Outgoing server
・SMTP server, port 465
・Security settings: connection security SSL/TLS, authentication method normal password
"Normal password" is acceptable here only because the whole session is inside TLS; if you use port 587 instead of 465, choose STARTTLS as the connection security.
