Monter son serveur mail sous Debian
Configuration du serveur SMTP Postfix
serv1
/etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#
# serv1: submission + local delivery host for acme.fr. SASL is delegated to
# Dovecot (smtpd_sasl_type below), relaying is allowed for mynetworks and for
# authenticated users only.


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

#smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
# NOTE(review): the SMTP greeting no longer starts with the host's FQDN as
# RFC 5321 expects; some receivers score or reject on that -- confirm it is
# acceptable for this deployment.
smtpd_banner = Every illegal access will be referred to the appropriate authorities and the CERT.
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
# Obsolete switch: smtpd_tls_security_level (set further down) takes
# precedence when both are present.
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = serv1.acme.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = acme.fr, serv1.acme.fr, localhost.localdomain, localhost
relayhost =
# Every host in these ranges may relay without authenticating
# (permit_mynetworks below). 172.16.0.0/12 is the entire RFC 1918 class-B
# range; narrow it to the subnets that really submit mail.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
# Local delivery goes through each user's ~/.procmailrc (see /etc/skel below)
mailbox_command = procmail -a "$EXTENSION"

#smtpd_sasl_local_domain =
#smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
# Relay decision: authenticated users and mynetworks may send anywhere,
# everyone else only to mydestination. On Postfix >= 2.10 the built-in
# default smtpd_relay_restrictions enforces the same rule independently.
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
# Obsolete switch, superseded by smtp_tls_security_level further down
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_sasl_type = dovecot
# No ANONYMOUS mechanism; plaintext mechanisms stay allowed because AUTH is
# only offered after STARTTLS (smtpd_tls_auth_only)
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# With Postfix version before 2.10, use smtpd_recipient_restrictions
#smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# NOTE(review): on the original page the next line was pasted as
# "# virtual_alias_maps = ..." -- commented out, while the Koala config and
# the /etc/postfix/virtual step below assume it is active; confirm.
# virtual_alias_maps = hash:/etc/postfix/virtual
# inbound
# Opportunistic TLS. The protocol lists are exclusion lists, so TLSv1 and
# TLSv1.1 (deprecated by RFC 8996) remain enabled; add !TLSv1,!TLSv1.1 once no
# legacy client depends on them.
smtpd_tls_security_level = may
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
Koala /etc/postfix/main.cf
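# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#
# Koala: inbound MX / relay for acme.fr. No SASL on this host, so relaying is
# decided purely by mynetworks and Postfix's default relay restrictions.


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

#smtpd_banner = $myhostname ESMTP $mail_name (GNU)
smtpd_banner = Every illegal access will be referred to the appropriate authorities and the CERT.
biff = yes

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
# The Debian "snakeoil" pair is self-signed: remote MTAs cannot verify it, so
# it only provides opportunistic encryption. Replace it with a CA-issued
# certificate (see the letsencrypt cli.ini further down) before relying on it.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

myhostname = smtp.acme.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = acme.fr, localhost.localdomain, localhost
relayhost =
# Every host in these ranges may relay through this server without
# authenticating (permit_mynetworks is part of Postfix's default relay
# restrictions). 172.16.0.0/12 is the whole RFC 1918 class-B range; narrow
# it to the subnets that actually send mail.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24 172.16.0.0/12
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
# bytes (10 MiB); applies to every message accepted by smtpd
message_size_limit = 10485760
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
# NOTE(review): acme.fr is also listed in mydestination above; Postfix's
# ADDRESS_CLASS_README expects a domain in only one address class -- confirm
# which one is intended.
relay_domains = acme.fr
home_mailbox = Maildir/
notify_classes = resource, software, protocol
delay_warning_time = 5m
#maximal_queue_lifetime = 5d
# Only effective for peers listed in debug_peer_list (not set here), so this
# is inert; level 7 would be extremely verbose if a peer list is ever added.
debug_peer_level = 7
#default_transport = smtp:smtp.acme.fr
# The original file assigned this twice ("smtp", then empty). Postfix keeps
# the last assignment, so the effective value was empty; only that is kept.
defer_transports =
disable_dns_lookups = no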
/etc/mailname
acme.fr
/etc/aliases
# See man 5 aliases for format
#
# Rebuild the hash database with "newaliases" after each change
# (alias_database = hash:/etc/aliases in main.cf).
dev-null: /dev/null
postmaster: root
abuse: root
jean: jibe
root: jibe
# https://arno0x0x.wordpress.com/2016/02/07/postfix-lancer-un-script-sur-reception-dun-e-mail/
# NOTE(review): a "|command" alias in /etc/aliases is executed by the local(8)
# delivery agent under Postfix's unprivileged default_privs account. The
# script (placeholder path below) must be readable by that account, must not
# be writable by it, and must treat the whole incoming message as untrusted.
bot: "|/path/to/script/mailBot.php"
Puis
/etc/postfix/virtual
emailadresse comptelocal
# Compile the hash map read by virtual_alias_maps; rerun after every edit of
# /etc/postfix/virtual (Postfix reads the .db, not the text file)
postmap /etc/postfix/virtual
Puis
# Edit the aliases, then rebuild the database named by alias_database
vi /etc/aliases
newaliases
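# Skeleton Maildir copied into every new home directory (Postfix
# home_mailbox = Maildir/ and Dovecot mail_location = maildir:~/Maildir on
# this page). -p makes the commands idempotent; brace expansion needs bash.
mkdir -p /etc/skel/Maildir/{cur,new,tmp}
# Maildir++ sub-folders are dot-prefixed directories with their own
# cur/new/tmp, not plain files: the original "touch Trash/Drafts/Sent"
# created empty files that Dovecot ignores. Drafts and Trash are also
# auto-created by 15-mailboxes.conf (auto = subscribe), Sent is not.
for folder in Trash Drafts Sent; do
    mkdir -p "/etc/skel/Maildir/.${folder}"/{cur,new,tmp}
done
# Mail must not be world-readable; adduser preserves the skeleton's modes.
chmod -R go-rwx /etc/skel/Maildir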
/etc/skel/.procmailrc
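# Per-user procmail defaults copied from /etc/skel. Invoked by Postfix through
# mailbox_command = procmail -a "$EXTENSION" (main.cf on this page).
VERBOSE=Yes
SHELL=/bin/bash
# No "." (current directory) in PATH: recipes resolve commands through PATH,
# and a relative entry lets a file in the working directory shadow a system
# command. Everything else is kept in the original order.
PATH=$HOME/bin:/usr/bin:/bin:/usr/local/bin
# Trailing slash = maildir-format delivery; must match Dovecot's mail_location
MAILDIR=$HOME/Maildir/
# You d better make sure it exists
# The original used $MAILDIR/$USERNAME, but neither procmail nor Postfix's
# local(8) defines USERNAME, so the result was "$HOME/Maildir//" -- the same
# maildir, reached by accident. MAILDIR already ends with "/", use it as is.
# "LOGNAME=$USERNAME" was dropped for the same reason: it cleared LOGNAME and
# nothing in this file reads it.
DEFAULT=$MAILDIR
LOGFILE=$MAILDIR/.procmail.log
LOCKFILE=$HOME/.lockmail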
Configuration Dovecot
/etc/dovecot/dovecot.conf
# Maildir++ under each user's home; must match Postfix's home_mailbox =
# Maildir/ (and the /etc/skel/Maildir skeleton) so both daemons use the
# same store.
mail_location = maildir:~/Maildir
/etc/dovecot/conf.d/10-auth.conf
# Reject LOGIN/PLAIN and other plaintext mechanisms unless the connection is
# TLS-protected; with ssl = required in 10-ssl.conf, logins are TLS-only.
disable_plaintext_auth = yes
/etc/dovecot/conf.d/15-mailboxes.conf
# Folder definitions for the default namespace. "auto = subscribe" makes
# Dovecot create the folder and subscribe the user to it on first login, so
# it need not exist in /etc/skel/Maildir. The "ADD THIS" markers are kept on
# their own lines so nothing depends on inline-comment support in Dovecot's
# config parser.
mailbox Drafts {
  # <-- ADD THIS
  auto = subscribe
  special_use = \Drafts
}
mailbox Junk {
  special_use = \Junk
}
mailbox Trash {
  # Fix invisible Trash
  # <-- ADD THIS
  auto = subscribe
  special_use = \Trash
}
https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
/etc/dovecot/conf.d/10-ssl.conf
# Refuse IMAP/POP logins without TLS; together with disable_plaintext_auth =
# yes in 10-auth.conf this keeps passwords off the wire.
ssl = required
# Exclusion list (Dovecot 2.2 syntax): TLSv1 and TLSv1.1 stay enabled.
# NOTE(review): the Dovecot shipped with Stretch rejects the SSLv2 token (see
# the mail.log error further down this page), and Dovecot 2.3 replaced
# ssl_protocols with ssl_min_protocol.
ssl_protocols = !SSLv2 !SSLv3
Debug
# -D debug, -v verbose; force-resync rebuilds the index of user jibe's INBOX
# from the maildir contents (useful after the cache/log cleanup below)
doveadm -Dv force-resync -u jibe INBOX
/etc/letsencrypt/cli.ini
# Source : https://gist.github.com/mrothNET/cb6f313e9cbe896f3e0fdec80ad2f3fa
# certbot's default config: the hooks below also run from unattended renewals.

# Manage Firewall
#pre-hook = ufw allow http
#post-hook = ufw deny http

# Restart Postfix & Dovecot
# NOTE(review): "renew-hook" is the older option name; recent certbot releases
# document "deploy-hook" for the same purpose (run only after a successful
# renewal). Check which spelling your certbot accepts. A reload instead of a
# restart would avoid dropping active IMAP sessions when the cert rotates.
renew-hook = systemctl restart dovecot.service postfix.service
Dovecot Exploit
Nettoyage cache / log
# Remove Dovecot's per-folder index cache/log under the user's Maildir;
# Dovecot rebuilds them on next access. Run as the mailbox owner
# (~ expands to that user's home).
find ~/Maildir/ -type f \( -iname dovecot.index.cache -o -iname dovecot.index.log \) -delete
Pb
Problème suite à la mise à jour Wheezy ⇒ Stretch
/var/log/mail.log
Jan 19 18:42:10 sever1 dovecot[394]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
Solution de contournement provisoire
/etc/dovecot/conf.d/10-ssl.conf
# Workaround after the Wheezy -> Stretch upgrade: this Dovecot rejects the
# SSLv2 token ("Unknown protocol 'SSLv2'" in mail.log), so only SSLv3 is
# excluded. Nothing is lost: the SSLv2 code was removed from OpenSSL 1.1,
# which is why the token is unknown. TLSv1 and TLSv1.1 remain enabled.
#ssl_protocols = !SSLv2 !SSLv3
ssl_protocols = !SSLv3
# Apply the ssl_protocols change; check mail.log afterwards for the
# "imap-login: Fatal" line disappearing
systemctl restart dovecot
Postfix authentification avec Dovecot
Vérification de la compatibilité de l'authentification Dovecot
# postconf -a cyrus dovecot
/etc/dovecot/conf.d/10-master.conf
# Postfix smtp-auth
# This block belongs inside the "service auth { ... }" section of
# 10-master.conf. The socket path is what smtpd_sasl_path = private/auth
# resolves to inside Postfix's chroot (/var/spool/postfix). 0660 with
# postfix:postfix keeps other local users from talking to the auth service.
unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  user = postfix
  group = postfix
}
# Apply the new listener; Dovecot creates the socket with the mode/owner
# configured above (verified by the ls -l output that follows)
/etc/init.d/dovecot restart
$ ls -l /var/spool/postfix/private/auth srw-rw---- 1 postfix postfix 0 mai 20 12:48 /var/spool/postfix/private/auth
/etc/postfix/main.cf
# SASL through Dovecot's auth socket (10-master.conf above). noanonymous
# forbids the ANONYMOUS mechanism; smtpd_tls_auth_only hides and refuses
# AUTH until STARTTLS has been negotiated, so passwords never cross the wire
# in clear.
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
Configuration DNS
- champ MX
- SRV (TXT)
Vérification
Vérification sécurité
Avant toute chose, nous devons être certains que notre serveur SMTP n'est pas un relais ouvert.
telnet smtp.acme.fr 25
EHLO localhost
Vous devez voir la ligne suivante :
250-STARTTLS
$ echo -ne "\0nom\0MOTDEPASS" |openssl enc -base64 AG5vbQBNT1RERVBBU1M=
openssl s_client -tls1 -starttls smtp -crlf -connect smtp.acme.fr:25 EHLO localhost AUTH PLAIN AG5vbQBNT1RERVBBU1M=
On teste que SSLv3 est bien désactivé
openssl s_client -ssl3 -starttls smtp -crlf -connect smtp.acme.fr:25
Vérification DNS
Champs DNS : SPF DKIM ARC DMARC etc….
Voir :
$ dig acme.fr TXT @8.8.8.8 +short "v=spf1 mx ~all"
$ dig acme.fr MX @8.8.8.8 +short 1 smtp.acme.fr. 100 smtp2.acme.fr.
Pour ne pas être considéré comme un spammer, il faut aussi créer le PTR dans le Reverse DNS.
ip ⇒ smtp.acme.fr
Fail2ban
/etc/fail2ban/jail.local
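### SSH
# Both ssh jails ban port 7001, which must match the port sshd actually
# listens on (sshd_config); keep the two in sync.
[ssh]
enabled = true
port = 7001
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

[ssh-ddos]
enabled = true
port = 7001
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

### GENERIC
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
# The original set "port" twice ("all", then "anyport"); fail2ban's parser
# keeps the last assignment, so the duplicate is dropped and "anyport" kept.
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6

### MAILS
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
# NOTE(review): newer fail2ban releases ship this filter as "postfix-sasl";
# check /etc/fail2ban/filter.d for the name your version provides, otherwise
# the jail silently fails to start.
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log

[dovecot]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log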
# Reload jail.local, then confirm which jails came up: a jail whose filter
# cannot be found is missing from the status list (details in fail2ban.log)
service fail2ban restart
service fail2ban status
Webmail avec RoundCube
Si vous avez toujours nom@localhost au lieu de nom@domain.com, il peut être nécessaire de supprimer la base de données SQLite (par précaution, renommez le fichier SQLite — base.db dans notre exemple).
defaults.inc.php
// NOTE(review): defaults.inc.php is replaced on every Roundcube upgrade; put
// this override in config/config.inc.php instead (same key).
// %d is expanded from the HTTP host name minus its first label -- for
// webmail.serv1.acme.fr that gives serv1.acme.fr, not acme.fr, and the value
// comes from the client-supplied Host header. Confirm this is the domain you
// want appended to login names, or write it literally.
$config['mail_domain'] = '%d';
La base de données (ici SQLite)
config.inc.php
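// SQLite database (sessions, user preferences, cache) stored under config/,
// i.e. inside the web root: the nginx vhost must deny /config/ or base.db is
// downloadable. NOTE(review): the original DSN used mode=0646, which makes
// the file readable AND writable by every local user; 0640 is enough because
// only the PHP-FPM account (www-data, which owns config/) touches it.
// Confirm your Roundcube version honours the mode option.
$config['db_dsnw'] = 'sqlite:////var/www/roundcubemail/config/base.db?mode=0640';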
# Wheezy/Jessie-era package names; on later Debian releases use the
# corresponding php7.x-* packages
apt-get install php5-fpm php5-sqlite php5-mcrypt php5-intl
/etc/php5/fpm/php.ini
; php-fpm php.ini used by Roundcube
date.timezone = 'Europe/Paris'
; NOTE(review): the nginx vhost on this page relies on "cgi.fix_pathinfo = 0";
; that setting belongs in this same file and is not shown here -- confirm it.
/etc/nginx/sites-available/webmail
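server {
    # Roundcube webmail, TLS only. "ssl on;" is deprecated in nginx; the ssl
    # parameter on listen is the supported form and works on every release
    # this page targets.
    listen 443 ssl;
    ssl_certificate /etc/ssl/private/serv1.acme.fr.crt;
    ssl_certificate_key /etc/ssl/private/serv1.acme.fr.key;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only 1.2 is offered now.
    # Re-add TLSv1.1 temporarily if a legacy client must still connect.
    ssl_protocols TLSv1.2;
    # ALL minus the exclusions, HIGH/MEDIUM moved last. MEDIUM (128-bit CBC)
    # suites stay enabled; a curated list such as Mozilla's "intermediate"
    # profile is the usual replacement.
    ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
    ssl_dhparam /etc/ssl/private/dh2048.pem;
    # HSTS for one year (was 31 days, which lapses before most users return).
    # On nginx >= 1.7.5 append "always" so error responses carry it too.
    add_header Strict-Transport-Security "max-age=31536000";
    root /var/www/roundcubemail;
    index index.html index.htm index.php;
    # Larger than Postfix's message_size_limit (10 MiB) on this page: an
    # upload between 10M and 20M is accepted here and then rejected at SMTP time.
    client_max_body_size 20M;
    server_name webmail.serv1.acme.fr;
    access_log /var/log/nginx/webmail/access.log;
    error_log /var/log/nginx/webmail/error.log;
    autoindex off;

    # Roundcube's private directories (the ones chown'ed to www-data) must not
    # be reachable over HTTP: config/ holds config.inc.php and the SQLite
    # database, logs/ the error log (e.g. /logs/errors), temp/ uploads.
    # Regex locations match in order, so this precedes the PHP handler.
    location ~ ^/(config|temp|logs)/ {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # Only hand existing files to PHP-FPM. This closes the classic
        # "/image.jpg/x.php" path-info hole even if cgi.fix_pathinfo is
        # left at 1; keep "cgi.fix_pathinfo = 0" in php.ini as well.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # With php5-cgi alone:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}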
# Enable the vhost, validate the whole nginx configuration, then reload
# (nginx refuses to reload a config that fails the test)
ln -s /etc/nginx/sites-available/webmail /etc/nginx/sites-enabled/
nginx -t
service nginx reload
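# Run from /etc/ssl/private. umask 077 makes every file created below
# owner-only from the start instead of relying on the later chmod, so the
# private key is never world-readable, not even briefly.
cd /etc/ssl/private/
umask 077
# DH parameters referenced by ssl_dhparam in the nginx vhost
openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
# Generated unencrypted directly: the original created a DES3-protected key
# and immediately stripped the passphrase again, which yields the same
# unencrypted file (nginx cannot prompt for a passphrase at boot).
openssl genrsa -out serv1.acme.fr.key 2048
# Ou : "openssl ecparam -genkey" pour Elliptic Curve key
openssl req -new -key serv1.acme.fr.key -out serv1.acme.fr.csr
chmod 600 serv1.acme.fr.key
# Self-signed, valid 10 years, SHA-256 signature. NOTE(review): browsers now
# require a subjectAltName matching the host name; a CN-only certificate is
# rejected, so either add an -extfile with
# "subjectAltName=DNS:webmail.serv1.acme.fr" or use the Let's Encrypt
# certificate configured elsewhere on this page.
openssl x509 -req -days 3650 -sha256 -in serv1.acme.fr.csr -signkey serv1.acme.fr.key -out serv1.acme.fr.crt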
# Directories the PHP-FPM user must write to. The same three paths must be
# denied over HTTP in the nginx vhost: logs/ holds the error log, temp/ the
# uploads, config/ config.inc.php and the SQLite database.
# NOTE(review): write access to config/ is only needed while the installer
# runs; afterwards root-owned and group-readable by www-data is enough.
chown www-data: /var/www/roundcubemail/temp
chown www-data: /var/www/roundcubemail/logs
chown www-data: /var/www/roundcubemail/config
Après avoir fait la conf sur https://webmail.serv1.acme.fr/installer
# The installer can read and rewrite the configuration (including the DB DSN)
# from a browser, so it must not stay reachable once setup is finished
rm /var/www/roundcubemail/installer/ -rf
Bloquer les URLS: https://webmail.serv1.acme.fr/logs/errors
# Convenience link only: the log directory stays inside the web root, so this
# does nothing to block https://webmail.../logs/ -- that requires a deny rule
# for /logs/ in the nginx vhost.
ln -s /var/www/roundcubemail/logs /var/log/roundcube
Extension
Tag thunderbird, couleurs en fonction des étiquettes sur les mails
# Third-party plugin fetched from GitHub at HEAD: pin a release tag or commit
# and review the code before deploying, it runs inside the webmail with the
# user's session.
cd /var/www/roundcubemail/plugins
git clone https://github.com/mike-kfed/rcmail-thunderbird-labels
# a+rX lets PHP-FPM (www-data) read it; no write bit is needed
chmod -R a+rX rcmail-thunderbird-labels
# Roundcube loads plugins by directory name, which must match the entry in
# $config['plugins'] ('thunderbird_labels')
mv rcmail-thunderbird-labels thunderbird_labels
config.inc.php
// Plugin list. NOTE: this key is assigned again further down this page with a
// longer list; in PHP the later assignment replaces this array entirely, so
// keep a single $config['plugins'] line in config.inc.php.
$config['plugins'] = array('thunderbird_labels');
Plugin zipdownload pour télécharger toutes les pièces jointes dans un fichier Zip
php_zip extension (including ZipArchive class)
# NOTE(review): the line above requires the PHP zip extension (ZipArchive);
# libphp-pclzip is a separate pure-PHP library and does not provide that
# extension. Confirm it is loaded with "php -m | grep -i zip".
apt-get install libphp-pclzip
config/config.inc.php
// Single plugin list for config.inc.php: a later $config['plugins']
// assignment replaces an earlier one, so every enabled plugin is listed here.
// zipdownload needs the PHP zip extension (ZipArchive); thunderbird_labels is
// the directory name the clone was renamed to above.
$config['plugins'] = array(
    'thunderbird_labels',
    'archive',
    'zipdownload',
);
Note commande postconf
postconf -d : affiche les valeurs par défaut au lieu de la configuration actuelle. postconf -n : affiche les paramètres explicitement définis dans main.cf ; avec -nf, les lignes longues sont repliées pour être plus lisibles.
postconf -n
# Effective (explicitly set) parameters as printed by "postconf -n".
# NOTE(review): several restriction names below are the pre-2.3 spellings
# (reject_unknown_client, reject_invalid_hostname, reject_unknown_hostname,
# reject_unknown_address); current Postfix still accepts them but documents
# reject_unknown_client_hostname / reject_invalid_helo_hostname /
# reject_unknown_helo_hostname / reject_unknown_sender_domain instead.
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
bounce_size_limit = 2000
broken_sasl_auth_clients = no
config_directory = /etc/postfix
# VRFY disabled: prevents address harvesting through the VRFY command
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maximal_queue_lifetime = 1d
# $mydomain is derived from myhostname (acme.fr). NOTE(review): unlike the
# Postfix default, $myhostname itself (serv1.acme.fr) is not listed, so mail
# addressed to user@serv1.acme.fr is not treated as local -- confirm.
mydestination = $mydomain, localhost.$mydomain, localhost
myhostname = serv1.acme.fr
# Trusted relay clients; 172.16.0.0/12 is the entire RFC 1918 class-B range.
# These hosts are also exempt from the rate/error limits below
# (smtpd_client_event_limit_exceptions defaults to $mynetworks).
# mynetworks_style is ignored when mynetworks is set explicitly.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
mynetworks_style = host
myorigin = /etc/mailname
policy-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
relayhost =
show_user_unknown_table_name = no
# Client-side TLS: exclusion lists, so TLSv1 and TLSv1.1 remain enabled
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = Every illegal access will be referred to the appropriate authorities and the CERT.
# Messages per client per time unit (default 60s); 3 is very low for any
# legitimate sender outside mynetworks
smtpd_client_message_rate_limit = 3
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, warn_if_reject reject_invalid_hostname
smtpd_junk_command_limit = 3
# Evaluated in order: the relay decision (permit_mynetworks /
# permit_sasl_authenticated / reject_unauth_destination) comes before the
# client-reputation checks.
# NOTE(review): rfc-ignorant.org announced its shutdown years ago. A dead or
# lapsed DNSBL domain either does nothing or, if re-registered with a
# wildcard record, rejects ALL mail -- verify the zone still answers and drop
# both rfc-ignorant entries otherwise. sbl-xbl.spamhaus.org is a deprecated
# zone contained in zen.spamhaus.org, which is already queried.
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_multi_recipient_bounce, reject_non_fqdn_hostname, reject_invalid_hostname, reject_unknown_client, warn_if_reject reject_unknown_hostname, reject_unauth_pipelining, reject_rhsbl_sender dsn.rfc-ignorant.org reject_rhsbl_sender bogusmx.rfc-ignorant.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policy-spf, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
# noplaintext on the cleartext channel, relaxed to noanonymous once TLS is
# up; with smtpd_tls_auth_only AUTH is not even offered before STARTTLS.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
# Server-side TLS: exclusion lists, so TLSv1 and TLSv1.1 remain enabled
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
# Obsolete switch; smtpd_tls_security_level above takes precedence
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
