1. Obtaining a certificate for the mail server
To switch the mail server to SSL/TLS, first obtain a certificate for it.
Use the same certbot that was used when the web server was switched to SSL.
Stop the web server and run the following command:
    # service apache24 stop
    # certbot certonly --standalone -d mail.<domain name>
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Requesting a certificate for mail.<domain name>

    Successfully received certificate.
    Certificate is saved at: /usr/local/etc/letsencrypt/live/mail.<domain name>/fullchain.pem
    Key is saved at:         /usr/local/etc/letsencrypt/live/mail.<domain name>/privkey.pem
    This certificate expires on 2024-09-04.
    These files will be updated when the certificate renews.

    NEXT STEPS:
    - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
     * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     * Donating to EFF:                    https://eff.org/donate-le
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2. Advance preparations
2.1 Update the Ports Collection
I'll update the Ports Collection first.
    # portmaster -a[i]
2.2 Install procmail
Mail is sorted by procmail.
    # cd /usr/ports/mail/procmail
    # make BATCH=yes install clean
Set the build parameters that should always be applied when make is run, by editing pkgtools.conf:
    # vi /usr/local/etc/pkgtools.conf
    Line 404 : Add
    MAKE_ARGS = {
      'security/cyrus-sasl2' => 'WITHOUT_OTP=yes',
      'security/cyrus-sasl2-saslauthd' => 'WITH_BDB=yes',
      'mail/postfix' => 'WITH_SASL2=yes WITH_TLS=yes',
    }
2.3 Install cyrus-sasl2 and cyrus-sasl2-saslauthd
SMTP authentication uses SASL, so install the Cyrus SASL2 library:
    # pkg install cyrus-sasl cyrus-sasl-saslauthd
3. Postfix
3.1 Install
    # cd /usr/ports/mail/postfix
    # make WITH_SASL2=yes WITH_TLS=yes WITH_BDB=yes install clean
3.2 Postfix Settings
① Edit main.cf
    # vi /usr/local/etc/postfix/main.cf
    Line 100 : Add
    myhostname = mail.<domain>
    Line 107 : Add
    mydomain = <domain>
    Line 122 : Uncomment
    myorigin = $mydomain
    Line 136 : Uncomment
    inet_interfaces = all
    Line 184 : Uncomment
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    Line 286 : Uncomment and change to your own network
    mynetworks = 127.0.0.0/8, 192.168.11.0/24
    Line 320 : Uncomment and add
    relay_domains = $mydestination
    Line 410 : Uncomment
    alias_maps = hash:/etc/aliases
    Line 420 : Uncomment
    alias_database = hash:/etc/aliases
    Line 442 : Uncomment (Maildir format)
    home_mailbox = Maildir/
    Line 472 : Add (path to procmail)
    mailbox_command = /usr/local/bin/procmail

    # Add to the end
    # Cyrus-SASL configuration
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

    # TLS configuration
    smtpd_use_tls = yes
    smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/mail.<domain>/fullchain.pem
    smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/mail.<domain>/privkey.pem
    smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_scache
➁ Edit master.cf
    # vi /usr/local/etc/postfix/master.cf
    Uncomment part of the submission entry after line 19 as follows
    submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o local_header_rewrite_clients=static:all
    #  -o smtpd_reject_unlisted_recipient=no
    #  Instead of specifying complex smtpd_<xxx>_restrictions here,
    #  specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    #  here, and specify mua_<xxx>_restrictions in main.cf (where
    #  "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

    Uncomment part of the submissions entry after line 38 as follows
    submissions inet n      -       n       -       -       smtpd
      -o syslog_name=postfix/submissions
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
    #  -o local_header_rewrite_clients=static:all
    #  -o smtpd_reject_unlisted_recipient=no
    #  Instead of specifying complex smtpd_<xxx>_restrictions here,
    #  specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    #  here, and specify mua_<xxx>_restrictions in main.cf (where
    #  "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
➂ saslauthd auto-start configuration
    # vi /etc/rc.conf
    …Add the following
    saslauthd_enable="YES"
    saslauthd_flags="-a sasldb"

    Start
    # /usr/local/etc/rc.d/saslauthd start
    Starting saslauthd.
④ SMTP AUTH setting
Create the following file:
    # vi /usr/local/lib/sasl2/smtpd.conf
    …with the following content
    pwcheck_method: auxprop
⑤ Add an SMTP user
Add the system user huong as an SMTP user:
    # saslpasswd2 -c -u <domain> huong
    Password:
    Again (for verification):

    Confirm the mail user
    # sasldblistusers2
    huong@<domain>: userPassword
⑥ Change the ownership of /usr/local/etc/sasldb2.db
    # chown cyrus:mail /usr/local/etc/sasldb2.db
    # chmod 640 /usr/local/etc/sasldb2.db
⑦ Stop Sendmail
FreeBSD runs Sendmail by default, so stop it:
    # /etc/rc.d/sendmail stop
    Stopping sendmail.
    Waiting for PIDS: 915.
    sendmail_submit not running? (check /var/run/sendmail.pid).
    Stopping sendmail_msp_queue.
    Waiting for PIDS: 933.
Disable Sendmail auto-start
    # vi /etc/rc.conf
    …Add the following
    sendmail_enable="NO"
    sendmail_submit_enable="NO"
    sendmail_outbound_enable="NO"
    sendmail_msp_queue_enable="NO"
⑧ Other
Create the following new file:
    # vi /etc/periodic.conf
    …Add the following
    daily_clean_hoststat_enable="NO"
    daily_status_mail_rejects_enable="NO"
    daily_status_include_submit_mailq="NO"
    daily_submit_queuerun="NO"
    # mv /etc/mail/mailer.conf /etc/mail/mailer.conf.org
    # vi /etc/mail/mailer.conf
    …Add the following
    sendmail    /usr/local/sbin/sendmail
    send-mail   /usr/local/sbin/sendmail
    mailq       /usr/local/sbin/sendmail
    newaliases  /usr/local/sbin/sendmail
    # vi /etc/make.conf
    …Add the following
    NO_MAILWRAPPER=YES
    NO_SENDMAIL=YES
⑨ Enable Postfix
    # vi /etc/rc.conf
    …Add the following
    postfix_enable="YES"

    # /usr/local/etc/rc.d/postfix start
    postfix/postfix-script: starting the Postfix mail system
4. Dovecot
4.1 Install
    # cd /usr/ports/mail/dovecot
    # make BATCH=yes install clean
4.2 Dovecot configuration
① Edit dovecot.conf
After installation, the sample dovecot.conf is located in /usr/local/etc/dovecot/example-config/. Copy its entire contents under /usr/local/etc/dovecot/.
Also set the permissions of dovecot.conf to 640.
    # cp -r /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot/
    # chmod 640 /usr/local/etc/dovecot/dovecot.conf
    # vi /usr/local/etc/dovecot/dovecot.conf
    Line 25 : Add
    protocols = imap pop3
    Line 30 : Uncomment
    listen = *, ::
➁ Edit 10-ssl.conf
    # vi /usr/local/etc/dovecot/conf.d/10-ssl.conf
    Line 6 : Uncomment
    ssl = yes
    Line 12,13 : Change
    ssl_cert = < /usr/local/etc/letsencrypt/live/mail.<domain>/fullchain.pem
    ssl_key = < /usr/local/etc/letsencrypt/live/mail.<domain>/privkey.pem
➂ Edit 10-master.conf
    # vi /usr/local/etc/dovecot/conf.d/10-master.conf
    Line 19 : Change
    service imap-login {
      inet_listener imap {
        #port = 143  → port = 0
      }
    Line 23,24 : Uncomment
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }

    Line 40 : Change
    service pop3-login {
      inet_listener pop3 {
        #port = 110  → port = 0
      }
    Line 43,44 : Uncomment
      inet_listener pop3s {
        port = 995
        ssl = yes
      }
    }

    Line 110-112 : Uncomment and add
    service auth {
      # Postfix smtp-auth
      unix_listener /var/spool/postfix/private/auth {
        mode = 0666
        user = postfix
        group = postfix
      }
    }
④ Edit 10-auth.conf
    # vi /usr/local/etc/dovecot/conf.d/10-auth.conf
    Line 10 : Uncomment and change
    disable_plaintext_auth = no
    Line 100 : Add
    auth_mechanisms = plain login
⑤ Edit 10-mail.conf
    # vi /usr/local/etc/dovecot/conf.d/10-mail.conf
    Line 31 : Add
    mail_location = maildir:~/Maildir
⑥ Start Dovecot
    # vi /etc/rc.conf
    …Add the following
    dovecot_enable="YES"

    # /usr/local/etc/rc.d/dovecot start
    Starting dovecot.
⑦ Rebuild the mail alias database
Set the address to which mail addressed to root is forwarded:
    # vi /etc/aliases
    Line 20 : Add
    # root: me@my.domain
    root: [own mail address]
Apply the settings:
    # postalias /etc/aliases
5. Create user mail directories
① Create a mail directory for existing users (the existing user is assumed to be huong)
Switch the shell to bash first (the brace expansion used below is not supported by sh):
    # bash
    # mkdir -p /home/huong/Maildir/{cur,new,tmp}
    # chmod -R 700 /home/huong/Maildir
    # chmod -R 700 /home/huong/Maildir/{cur,new,tmp}
    # chown -R huong:huong /home/huong/Maildir
➁ Create a mail directory template for new users
    # mkdir -p /usr/share/skel/Maildir/{cur,new,tmp}
    # chmod -R 700 /usr/share/skel/Maildir/
Switch the shell back to the original sh:
    # sh
6. Procmail settings
Configure procmail to discard e-mails with "finance" in the subject line:
    # vi /usr/local/etc/procmailrc
    SHELL=/bin/sh
    PATH=/bin:/usr/bin:/usr/local/bin
    DROPPRIVS=yes
    MAILDIR=$HOME/Maildir
    DEFAULT=$MAILDIR/
    #LOGFILE=$MAILDIR/procmail.log

    # remove finance
    :0
    * ^Subject: .*finance.*
    /dev/null
7. Firewall settings
Allow the following ports in ipfirewall (ipfw):
• port 995 (POP3S)
• port 993 (IMAPS)
• port 25 (SMTP)
• port 587 (SMTP submission)
• port 465 (SMTPS)
    # vi /usr/local/etc/ipfw.rules
    …Add the following
    * Use an appropriate rule number for XXX
    $IPF XXX allow tcp from any to any 25 in
    $IPF XXX allow tcp from any to any 25 out
    $IPF XXX allow tcp from any to any 465 in
    $IPF XXX allow tcp from any to any 465 out
    $IPF XXX allow tcp from any to any 587 in
    $IPF XXX allow tcp from any to any 587 out
    $IPF XXX allow tcp from any to any 993 in
    $IPF XXX allow tcp from any to any 993 out
    $IPF XXX allow tcp from any to any 995 in
    $IPF XXX allow tcp from any to any 995 out
Reload ipfw:
    # /etc/rc.d/ipfw restart
    Firewall rules loaded.
The same ports may also need to be opened (forwarded) on the router.
Check the SMTP connection with telnet:
    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.<domain> ESMTP Postfix
    EHLO localhost
    250-mail.<domain>
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250-SMTPUTF8
    250 CHUNKING
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

    # telnet localhost 587
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.<domain> ESMTP Postfix
    EHLO localhost
    250-mail.<domain>
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250-SMTPUTF8
    250 CHUNKING
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
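Both sessions above advertise 250-AUTH PLAIN LOGIN before STARTTLS has been negotiated, which follows from smtpd_sasl_auth_enable = yes being set globally in main.cf while the smtpd_tls_auth_only=yes and smtpd_tls_security_level=encrypt options in master.cf stay commented out, so a client that skips STARTTLS can send its password in the clear. The Python script below is an added example, not part of this tutorial: it parses an EHLO reply (the constructed sample mirrors the port 25 output, with mail.example.com standing in for the real host) and flags AUTH offered on an unencrypted session, and check_live() applies the same test to a server you administer (host and port are assumed parameters).

```python
import smtplib
from typing import Dict, List

# Constructed sample: the EHLO reply from the port 25 session above,
# with mail.example.com standing in for the real hostname.
SAMPLE_EHLO_PORT25 = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: [parameters]}.

    The first 250 line is the server's greeting (its hostname), not an
    extension, so it is skipped.
    """
    exts: Dict[str, List[str]] = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip().startswith("250")]
    for ln in lines[1:]:
        words = ln[4:].split()          # drop the "250-" / "250 " prefix
        if words:
            exts[words[0].upper()] = words[1:]
    return exts


def plaintext_findings(reply: str) -> List[str]:
    """Findings for an EHLO reply received before STARTTLS was negotiated."""
    exts = parse_ehlo(reply)
    findings = []
    if "STARTTLS" not in exts:
        findings.append("STARTTLS not offered: clients cannot upgrade to TLS")
    if "AUTH" in exts:
        findings.append("AUTH %s offered before TLS: set smtpd_tls_auth_only = yes"
                        % " ".join(exts["AUTH"]))
    return findings


def check_live(host: str, port: int = 587, timeout: float = 10.0) -> List[str]:
    """EHLO in the clear against a server you administer and apply the same findings."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        _code, msg = conn.ehlo()
    # smtplib strips the "250-" prefixes, so restore them before parsing.
    reply = "\n".join("250-" + ln for ln in msg.decode("ascii", "replace").splitlines())
    return plaintext_findings(reply)
```

An empty list from check_live() means the server neither hides STARTTLS nor offers AUTH on the unencrypted session.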
Setting up the Thunderbird mail client
Incoming server
・IMAP, mail server port 993
・Security settings: connection security SSL/TLS; authentication method: normal password
Outgoing server
・SMTP, server port 465
・Security settings: connection security SSL/TLS; authentication method: normal password