

Monter son serveur mail sous Debian

Configuration du serveur SMTP Postfix

serv1

/etc/postfix/main.cf

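# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#
# serv1: inbound MX and submission host for acme.fr.  Local delivery goes
# through procmail into ~/Maildir; SMTP AUTH is delegated to Dovecot over
# a unix socket inside the Postfix chroot.

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

# The 220 greeting must start with the server's FQDN: postconf(5) says
# "You MUST specify $myhostname at the start of the text" (RFC 5321), and
# peers that check the banner will otherwise treat us as misconfigured.
# The legal notice is kept, after the hostname.
#smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_banner = $myhostname ESMTP Every illegal access will be referred to the appropriate authorities and the CERT.
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
# Keep the private key root-only (chmod 600); Postfix loads it during its
# privileged start-up, no other user needs to read it.
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
# smtpd_use_tls is the pre-2.3 spelling; smtpd_tls_security_level (below)
# takes precedence when both are set.
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = serv1.acme.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = acme.fr, serv1.acme.fr, localhost.localdomain, localhost
relayhost =
# Every address listed here may relay WITHOUT authentication.
# 172.16.0.0/12 is the whole RFC 1918 "class B" range (about one million
# addresses): narrow it to the subnet(s) that really host trusted clients.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

home_mailbox = Maildir/
mailbox_command = procmail -a "$EXTENSION"

#smtpd_sasl_local_domain =
#smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
# Anti-relay rule: only SASL-authenticated clients and $mynetworks may send
# to destinations outside $mydestination; everything else is rejected.
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_sasl_type = dovecot

# No anonymous mechanism, and no PLAIN/LOGIN unless the session is TLS
# protected: smtpd_sasl_tls_security_options applies to encrypted
# sessions and relaxes "noplaintext" there.  Same values as the running
# configuration shown by "postconf -n" further down this page.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# Do not even advertise AUTH before STARTTLS.
smtpd_tls_auth_only = yes

# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth

# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix

# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# With Postfix version before 2.10, use smtpd_recipient_restrictions.
# Postfix >= 2.10 ships a safe default for smtpd_relay_restrictions
# (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination),
# so leaving the line commented is fine on Jessie/Stretch.
#smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# virtual_alias_maps = hash:/etc/postfix/virtual

# inbound
# "may" = opportunistic STARTTLS; an MX must keep accepting cleartext.
smtpd_tls_security_level = may
# Only SSLv2/SSLv3 are excluded here, TLS 1.0/1.1 are still offered.
# On Postfix >= 3.x consider "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"
# (or ">=TLSv1.2" on >= 3.6) once legacy clients are gone.
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3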

Koala /etc/postfix/main.cf

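# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#
# Koala (smtp.acme.fr): accepts mail for acme.fr and rewrites addresses
# through /etc/postfix/virtual before local delivery.

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

# The 220 greeting must start with $myhostname (RFC 5321; postconf(5):
# "You MUST specify $myhostname at the start of the text").
#smtpd_banner = $myhostname ESMTP $mail_name (GNU)
smtpd_banner = $myhostname ESMTP Every illegal access will be referred to the appropriate authorities and the CERT.
biff = yes

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
# "snakeoil" is the self-signed certificate Debian generates at install
# time: fine for testing, but every client and peer sees an untrusted
# issuer.  Replace it with a CA-issued certificate (Let's Encrypt) before
# real users connect.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Same protocol floor as serv1: never negotiate SSLv2/SSLv3 (POODLE).
# Without these lines the Wheezy-era defaults still allow SSLv3.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
# Opportunistic TLS when delivering outbound, as on serv1.
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3


myhostname = smtp.acme.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = acme.fr, localhost.localdomain, localhost
relayhost =
# Unauthenticated relaying is allowed from every address below.  A /24
# plus the entire 172.16.0.0/12 is a large trust zone; keep it to the
# subnets that actually need to relay.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24 172.16.0.0/12
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
# 10 MiB per message (bytes)
message_size_limit = 10485760
recipient_delimiter = +
inet_interfaces = all

virtual_alias_maps = hash:/etc/postfix/virtual
# acme.fr is already in $mydestination (delivered locally), so listing it
# in relay_domains is redundant: relay_domains is for domains this host
# forwards to another MX.
relay_domains = acme.fr

home_mailbox = Maildir/
# "protocol" also mails the postmaster about every SMTP protocol
# violation (bots, scanners): expect noise.
notify_classes = resource, software, protocol

delay_warning_time = 5m
#maximal_queue_lifetime = 5d

# Only effective for peers listed in debug_peer_list (not set here).
debug_peer_level = 7
#default_transport = smtp:smtp.acme.fr
# The original file set defer_transports twice ("smtp", then empty).
# Postfix keeps the last value and warns "overriding earlier entry", so
# nothing was actually deferred; the effective (empty) value is kept once.
defer_transports =
disable_dns_lookups = no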

/etc/mailname

acme.fr

/etc/aliases

# See man 5 aliases for format
# Run "newaliases" after every change so /etc/aliases.db is rebuilt.
dev-null:       /dev/null
# postmaster@ and abuse@ must be deliverable (RFC 5321 / RFC 2142).
postmaster:     root
abuse:          root
jean:           jibe
# Nothing should pile up in root's mailbox: forward to the admin account.
root:           jibe

# https://arno0x0x.wordpress.com/2016/02/07/postfix-lancer-un-script-sur-reception-dun-e-mail/
# Pipe alias.  Because /etc/aliases is owned by root, local(8) runs the
# command as $default_privs (nobody by default) with the raw message on
# stdin.  Anyone on the Internet can mail bot@acme.fr, so the script
# processes attacker-controlled input: it must be executable, owned by
# root and not writable by the user it runs as, and must never hand
# message content to a shell unescaped.  "/path/to/script" is a
# placeholder - use the real absolute path.
bot: "|/path/to/script/mailBot.php"

Puis

/etc/postfix/virtual

# One mapping per line: <external address>   <local account>
# (both words below are placeholders, e.g. "contact@acme.fr   jibe")
emailadresse   comptelocal
# Rebuild the hash after every edit: Postfix reads virtual.db, not the text file.
postmap /etc/postfix/virtual

Puis

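vi /etc/aliases
# /etc/aliases.db must be regenerated after every edit of /etc/aliases
newaliases

# Skeleton Maildir copied into each new home directory by useradd/adduser.
# Dovecot (mail_location = maildir:~/Maildir) uses the Maildir++ layout:
# a folder is a ".Name/" directory with its own cur/new/tmp.  Zero-byte
# files named "Trash"/"Drafts"/"Sent" at the top level are NOT folders and
# are simply ignored by the IMAP server, so real directories are created
# instead.  (With "auto = subscribe" in 15-mailboxes.conf Dovecot would
# also create them on first login; the skeleton just makes that explicit.)
# -m 700: mail must not be readable by other local users.
mkdir -m 700 /etc/skel/Maildir
mkdir -m 700 /etc/skel/Maildir/cur /etc/skel/Maildir/new /etc/skel/Maildir/tmp
for folder in Trash Drafts Sent; do
    mkdir -m 700 "/etc/skel/Maildir/.$folder" \
                 "/etc/skel/Maildir/.$folder/cur" \
                 "/etc/skel/Maildir/.$folder/new" \
                 "/etc/skel/Maildir/.$folder/tmp"
done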

/etc/skel/.procmailrc

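# Per-user procmail recipe skeleton (copied from /etc/skel by useradd).
# Postfix runs "procmail -a $EXTENSION" with USER, LOGNAME, HOME, SHELL,
# EXTENSION, RECIPIENT, SENDER already exported (see local(8)).
# Logs every delivery, headers included, to $LOGFILE: switch off once
# the setup is stable.
VERBOSE=Yes
SHELL=/bin/bash
# No "." in PATH: recipes run with the user's privileges and an executable
# dropped in the current directory could shadow a command name.
PATH=$HOME/bin:/usr/bin:/bin:/usr/local/bin
# Trailing slash = Maildir delivery (without it procmail writes an mbox).
# You'd better make sure it exists (see /etc/skel/Maildir).
MAILDIR=$HOME/Maildir/
# Default mailbox is the Maildir inbox itself ($MAILDIR already ends in /).
# The original used $MAILDIR/$USERNAME: USERNAME is neither exported by
# Postfix nor preset by procmail, so it expanded to an empty string and
# only worked by accident; "LOGNAME=$USERNAME" likewise blanked LOGNAME
# and has been dropped.
DEFAULT=$MAILDIR
LOGFILE=$MAILDIR/.procmail.log
LOCKFILE=$HOME/.lockmail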

Configuration Dovecot

/etc/dovecot/dovecot.conf

# Maildir++ under each user's home.  Must agree with Postfix
# "home_mailbox = Maildir/" and with MAILDIR in ~/.procmailrc.
mail_location = maildir:~/Maildir

/etc/dovecot/conf.d/10-auth.conf

# Refuse PLAIN/LOGIN on unencrypted IMAP/POP connections.  Combined with
# "ssl = required" (10-ssl.conf) there is no cleartext login path left.
disable_plaintext_auth = yes

/etc/dovecot/conf.d/15-mailboxes.conf

  # Presumably inside "namespace inbox { ... }" (the enclosing block is
  # not shown in this excerpt).
  # auto = subscribe: Dovecot creates the folder on first login AND
  # subscribes it, so clients see it without manual setup.
  mailbox Drafts {
    auto = subscribe          # <-- ADD THIS
    special_use = \Drafts
  }
  # No "auto" here: Junk only appears once a client or filter creates it.
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Trash {
    # Fix invisible Trash
    auto = subscribe         # <-- ADD THIS
    special_use = \Trash
  }

https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle

/etc/dovecot/conf.d/10-ssl.conf

# Require TLS on every IMAP/POP connection; cleartext sessions are refused.
ssl = required
# Protocol blacklist.  Caveats: Stretch's Dovecot no longer knows the
# "SSLv2" token and refuses to start with this line (see the
# Wheezy => Stretch section below); Dovecot 2.3 replaced ssl_protocols
# with ssl_min_protocol.  TLS 1.0/1.1 remain enabled as written.
ssl_protocols = !SSLv2 !SSLv3

Debug

# Rebuild the index of jibe's INBOX from the Maildir files (-D debug output,
# -v verbose).  Only Dovecot's index files are touched, not the mail itself.
doveadm -Dv force-resync -u jibe INBOX

/etc/letsencrypt/cli.ini

# Source : https://gist.github.com/mrothNET/cb6f313e9cbe896f3e0fdec80ad2f3fa
# /etc/letsencrypt/cli.ini is read by every certbot invocation, including
# the renewal cron/systemd timer, so a hook set here applies globally.

# Manage Firewall
#pre-hook = ufw allow http
#post-hook = ufw deny http

# Restart Postfix & Dovecot
# renew-hook runs only after a certificate was actually renewed, not on
# every attempt.  Both daemons load the certificate at start-up and must
# be told about the new file; "restart" drops live IMAP/SMTP sessions,
# "systemctl reload postfix dovecot" is normally enough (verify that new
# connections present the new certificate).  certbot >= 0.17 also offers
# deploy-hook, which additionally fires on the initial issuance.
# NOTE(review): this only matters if Postfix/Dovecot actually point at
# /etc/letsencrypt/live/<name>/{fullchain,privkey}.pem - the main.cf on
# this page still references /etc/postfix/ssl/smtpd.crt.
renew-hook = systemctl restart dovecot.service postfix.service

Dovecot — exploitation (maintenance courante)

Nettoyage cache / log

# Delete Dovecot's index cache/log files under the user's Maildir so they
# are rebuilt on next access.  Only dovecot.index.cache and
# dovecot.index.log match; the mail files, dovecot.index and the uidlist
# are untouched.  Run as the mailbox owner while no session is open for
# that user, otherwise a live process may recreate them mid-way.
find ~/Maildir/ -type f \( -iname dovecot.index.cache -o -iname dovecot.index.log \) -delete

Problèmes

Problème suite à la mise à jour Wheezy ⇒ Stretch

/var/log/mail.log

Jan 19 18:42:10 sever1 dovecot[394]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'

Solution de contournement provisoire

/etc/dovecot/conf.d/10-ssl.conf

# Stretch's OpenSSL (1.1.0) has SSLv2 compiled out, so Dovecot rejects the
# "SSLv2" token; listing only SSLv3 loses nothing, SSLv2 cannot be
# negotiated anyway.
#ssl_protocols = !SSLv2 !SSLv3
ssl_protocols = !SSLv3
# TLS 1.0/1.1 stay enabled.  On Dovecot 2.3+ this setting is gone:
# use "ssl_min_protocol = TLSv1.2" instead.
systemctl restart dovecot

Postfix authentification avec Dovecot

Vérification de la compatibilité de l'authentification Dovecot (le type « dovecot » doit apparaître dans la liste)

# postconf -a
cyrus
dovecot

/etc/dovecot/conf.d/10-master.conf

# Postfix smtp-auth
# Postfix smtp-auth
# Belongs inside "service auth { ... }".  The socket is created inside
# Postfix's chroot (/var/spool/postfix) so the chrooted smtpd reaches it
# as "private/auth"; 0660 postfix:postfix keeps other local users from
# talking to the authentication service.
unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
}
/etc/init.d/dovecot restart
$ ls -l /var/spool/postfix/private/auth
srw-rw---- 1 postfix postfix 0 mai   20 12:48 /var/spool/postfix/private/auth

/etc/postfix/main.cf

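# Server-side SASL: Postfix hands the credentials to Dovecot over the unix
# socket declared in 10-master.conf and trusts its verdict.

# No anonymous mechanism anywhere; PLAIN/LOGIN only once TLS is active
# (smtpd_sasl_tls_security_options applies to encrypted sessions and
# relaxes "noplaintext" there).  Same values as the running
# "postconf -n" output further down this page.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# Do not advertise AUTH at all before STARTTLS.
smtpd_tls_auth_only = yes

smtpd_sasl_type = dovecot

# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth

# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix

# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes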

Configuration DNS

  • champ MX (smtp.acme.fr, éventuellement un secondaire)
  • enregistrements TXT (SPF, DMARC ; DKIM sous _domainkey) et, facultativement, SRV (_submission._tcp, _imaps._tcp) pour l'autoconfiguration des clients

Vérification

Vérification sécurité

Avant toute chose, nous devons nous assurer que notre serveur SMTP n'est pas un relais ouvert : sans authentification, un RCPT TO vers un domaine absent de mydestination doit être refusé (« 554 5.7.1 … Relay access denied »). Vérifions ensuite que STARTTLS est proposé et que l'authentification n'est acceptée qu'après STARTTLS.

telnet smtp.acme.fr 25
EHLO localhost

Vous devez voir la ligne suivante dans la réponse au EHLO (et aucune ligne 250-AUTH tant que STARTTLS n'a pas été négocié) :

250-STARTTLS
$ echo -ne "\0nom\0MOTDEPASS" |openssl enc -base64
AG5vbQBNT1RERVBBU1M=
openssl s_client -tls1 -starttls smtp -crlf -connect smtp.acme.fr:25
EHLO localhost
AUTH PLAIN
AG5vbQBNT1RERVBBU1M=

On teste que SSLv3 est bien désactivé (la négociation doit échouer) :

# Must FAIL with a handshake error ("sslv3 alert handshake failure",
# "wrong version number").  Caveat: OpenSSL builds without SSLv3 support
# (Stretch and later) answer "unknown option -ssl3", which proves nothing
# about the server - run it from a host whose openssl still has SSLv3, or
# use an external scanner.  Repeat with -tls1 / -tls1_1 once those are
# disabled too.
openssl s_client -ssl3 -starttls smtp -crlf -connect smtp.acme.fr:25

http://mxtoolbox.com/diagnostic.aspx

Vérification DNS

Champs DNS : SPF DKIM ARC DMARC etc….

Voir :

$ dig acme.fr TXT @8.8.8.8 +short
"v=spf1 mx ~all"
$ dig acme.fr MX @8.8.8.8 +short
1 smtp.acme.fr.
100 smtp2.acme.fr.

Pour ne pas être considéré comme un spammeur, il faut aussi créer l'enregistrement PTR (DNS inverse) de l'IP du serveur : ip ⇒ smtp.acme.fr. Ce nom doit résoudre en retour vers la même IP (FCrDNS) et correspondre au nom annoncé par le serveur ($myhostname / bannière).

Fail2ban

/etc/fail2ban/jail.local

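### SSH
# Jail names follow the fail2ban 0.8 layout shipped with Wheezy.  On 0.9+
# (Stretch) the stock jails are [sshd]/[sshd-ddos], and 0.10 folded the
# sshd-ddos filter into sshd ("mode = aggressive").  After an upgrade
# check "fail2ban-client status": a jail whose filter no longer exists
# silently bans nothing.
# Consider a [DEFAULT] section with "ignoreip = 127.0.0.1/8 <admin-ip>" so
# a mistyped password cannot lock the administrator out.

[ssh]

enabled  = true
# sshd listens on a non-standard port; the ban rule must match it
port     = 7001
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[ssh-ddos]

enabled  = true
port     = 7001
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

### GENERIC

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled  = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port is irrelevant with iptables-allports.  The original listed the key
# twice ("all", then "anyport"); duplicate keys are parser-dependent, so
# only the last (effective) value is kept.
port     = anyport
banaction = iptables-allports
logpath  = /var/log/auth.log
maxretry = 6

### MAILS

[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

# SMTP AUTH brute force as logged by Postfix.  The "sasl" filter is
# 0.8-era; 0.9+ ships it as "postfix-sasl" (jail [postfix-sasl]).
[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log

# IMAP/POP login failures (Dovecot logs them with the client IP).
[dovecot]

enabled = true
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log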
# Restart to load jail.local, then confirm every jail defined above shows
# up in "Jail list:"; "fail2ban-client status <jail>" lists current bans.
service fail2ban restart
service fail2ban status

Webmail avec RoundCube

Si vous avez toujours nom@localhost au lieu de nom@domain.com, il peut être nécessaire de supprimer la base de données SQLite (par précaution, renommez plutôt le fichier SQLite — base.db dans notre exemple — au lieu de le supprimer).

defaults.inc.php (valeur par défaut — ne pas modifier ce fichier, il est écrasé à chaque mise à jour de Roundcube ; surcharger la valeur dans config.inc.php)

// Domain appended to bare login names.  NOTE(review): in Roundcube '%d'
// is the HTTP hostname minus its first label - for webmail.serv1.acme.fr
// that yields serv1.acme.fr, not acme.fr; confirm this is the intended
// domain.  Put the override in config.inc.php, never in defaults.inc.php.
$config['mail_domain'] = '%d';

La base de donnée (ici sqlite)

config.inc.php

// SQLite database stored INSIDE the web root (/var/www/roundcubemail is
// "root" in the nginx vhost): unless /config/ is denied in nginx, anyone
// can download base.db (sessions, users, identities, cache).  Move it
// outside the document root, e.g. /var/lib/roundcube/base.db, owned by
// the php-fpm user.  mode=0646 makes the file world-writable; 0640 is
// enough when the php-fpm user owns it (see /etc/php5/fpm/pool.d/www.conf).
$config['db_dsnw'] = 'sqlite:////var/www/roundcubemail/config/base.db?mode=0646';
# PHP 5 is end-of-life (no security fixes) and the mcrypt extension is
# deprecated.  On Stretch install php7.0-fpm php7.0-sqlite3 php7.0-intl
# instead; recent Roundcube releases use OpenSSL rather than mcrypt -
# check the INSTALL file of the version you deploy.
apt-get install php5-fpm php5-sqlite php5-mcrypt php5-intl

/etc/php5/fpm/php.ini

; PHP 5.x logs a warning on every date() call when no timezone is set;
; Roundcube's logs fill up with it otherwise.
date.timezone = 'Europe/Paris'

/etc/nginx/sites-available/webmail

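server {
        # "listen 443 ssl" replaces the deprecated "ssl on;" directive.
        listen 443 ssl;

        ssl_certificate /etc/ssl/private/serv1.acme.fr.crt;
        ssl_certificate_key /etc/ssl/private/serv1.acme.fr.key;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        # SSLv3 is already excluded (POODLE); TLSv1/TLSv1.1 are kept only
        # for legacy clients - drop them as soon as possible.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
        ssl_dhparam /etc/ssl/private/dh2048.pem;
        # 31 days; raise to >= 1 year once the certificate setup is stable.
        add_header Strict-Transport-Security max-age=2678400;

        root /var/www/roundcubemail;
        index index.html index.htm index.php;

        client_max_body_size 20M;
        server_name webmail.serv1.acme.fr;
        access_log  /var/log/nginx/webmail/access.log;
        error_log   /var/log/nginx/webmail/error.log;
        autoindex off;

        # Roundcube keeps its configuration (config.inc.php, the SQLite
        # database), temp files and logs under the document root.  The
        # "try_files $uri" below would serve any non-.php file in them
        # (e.g. /logs/errors or /config/base.db), so deny those trees.
        # Regex locations are matched in order: keep this above the PHP one.
        location ~ ^/(config|temp|logs)/ {
                deny all;
        }
        # No .git / .htaccess / editor backup leaks either.
        location ~ /\. {
                deny all;
        }

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                # Belt and braces for the same issue: only hand the request
                # to php-fpm if the .php file really exists, otherwise a
                # request like /x.jpg/foo.php could execute an upload.
                try_files $fastcgi_script_name =404;

                # With php5-cgi alone:
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                # Upstream nginx defines SCRIPT_FILENAME in fastcgi.conf,
                # not fastcgi_params; set it explicitly so php-fpm always
                # receives the resolved script path.
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

}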
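# Key and certificate first: "nginx -t" fails while the files referenced
# by the vhost do not exist yet.
cd /etc/ssl/private/
# Every file generated below is private to root from the moment it exists.
umask 077
# Diffie-Hellman group for the DHE cipher suites (takes a few minutes).
openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048

# Unencrypted RSA key: nginx cannot prompt for a passphrase at boot, and
# the original generated a DES3-encrypted key only to strip the passphrase
# again - same end result, fewer steps.
openssl genrsa -out serv1.acme.fr.key 2048
# Or : "openssl ecparam -genkey" for an Elliptic Curve key
openssl req -new -key serv1.acme.fr.key -out serv1.acme.fr.csr
chmod 600 serv1.acme.fr.key
# Self-signed for 10 years: browsers warn on every visit.  Replace it with
# a Let's Encrypt certificate (see cli.ini above) before real users use it.
openssl x509 -req -days 3650 -in serv1.acme.fr.csr -signkey serv1.acme.fr.key -out serv1.acme.fr.crt

# Roundcube only needs write access to temp/ and logs/.  config/ is handed
# to www-data here solely so the web installer can write config.inc.php;
# give it back to root once the installer has been removed.
chown www-data: /var/www/roundcubemail/temp
chown www-data: /var/www/roundcubemail/logs
chown www-data: /var/www/roundcubemail/config

ln -s /etc/nginx/sites-available/webmail /etc/nginx/sites-enabled/
nginx -t
service nginx reload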

Après avoir fait la conf sur https://webmail.serv1.acme.fr/installer

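# The installer can rewrite config.inc.php and must not stay reachable.
rm /var/www/roundcubemail/installer/ -rf
# Also make sure $config['enable_installer'] is false (or absent) in
# config.inc.php.
# Lock the configuration file itself (DB DSN, des_key): root-owned,
# readable by the php-fpm group only, so a compromised PHP process cannot
# rewrite it.  This is only partial protection as long as config/ itself
# stays writable by www-data, which it must while the SQLite database and
# its journal live in that directory - one more reason to move base.db
# outside the web root.
chown root:www-data /var/www/roundcubemail/config/config.inc.php
chmod 640 /var/www/roundcubemail/config/config.inc.php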

FIXME Bloquer les URLs https://webmail.serv1.acme.fr/logs/errors — et plus généralement /logs/, /config/ et /temp/, qui sont sous la racine web : ajouter dans le vhost nginx, avant le bloc PHP, un `location ~ ^/(config|temp|logs)/ { deny all; }`.

# Convenience symlink only: /var/log/roundcube -> /var/www/roundcubemail/logs.
# The log files still live under the document root and remain reachable
# by URL (/logs/errors) unless the nginx vhost denies /logs/.
ln -s /var/www/roundcubemail/logs /var/log/roundcube

Extension

Tag thunderbird, couleurs en fonction des étiquettes sur les mails

cd /var/www/roundcubemail/plugins
# Third-party PHP executed inside the webmail: pin a reviewed release
# (git clone --branch <tag>, or git checkout <commit>) rather than whatever
# HEAD is today, and keep the tree owned by root, not www-data.
git clone https://github.com/mike-kfed/rcmail-thunderbird-labels
chmod -R  a+rX rcmail-thunderbird-labels
# Roundcube loads plugins by directory name; it must match the entry in
# $config['plugins'].
mv rcmail-thunderbird-labels thunderbird_labels

config.inc.php

// Superseded by the later plugin list (archive, zipdownload): keep a
// single $config['plugins'] assignment in config.inc.php, the last one wins.
$config['plugins'] = array('thunderbird_labels');

Plugin zipdownload pour télécharger toutes les pièces jointes dans un fichier Zip

php_zip extension (including ZipArchive class)

# libphp-pclzip is a pure-PHP zip library, whereas the zipdownload README
# asks for the php_zip extension (ZipArchive).  Check which one the
# installed plugin version actually uses before relying on this package.
apt-get install libphp-pclzip

config/config.inc.php

// Final plugin list (replaces any earlier $config['plugins'] line).
// Each entry is PHP executed with the webmail's privileges: keep the list
// short and the plugins updated.
$config['plugins'] = array(
    'thunderbird_labels',
    'archive',
    'zipdownload',
);

Note commande postconf

Note sur la commande postconf : « postconf -d » affiche les valeurs par défaut au lieu de la configuration courante ; « postconf -n » n'affiche que les paramètres explicitement définis dans main.cf (« postconf -nf » replie les lignes longues pour la lisibilité).

# Running configuration of serv1 (only settings explicitly set in main.cf).
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
# Bounces and deferred mail are dropped after one day (Postfix default: 5d);
# a remote MX that is down over a weekend loses the mail.
bounce_queue_lifetime = 1d
bounce_size_limit = 2000
broken_sasl_auth_clients = no
config_directory = /etc/postfix
# VRFY is a user-enumeration primitive; keep it off.
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maximal_queue_lifetime = 1d
mydestination = $mydomain, localhost.$mydomain, localhost
myhostname = serv1.acme.fr
# Unauthenticated relaying allowed from the whole of 172.16.0.0/12.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
# Ignored: an explicit mynetworks overrides mynetworks_style.
mynetworks_style = host
myorigin = /etc/mailname
# Time limit for the SPF policy daemon; requires a "policy-spf" service
# in master.cf (not shown on this page).
policy-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
relayhost =
# Do not reveal which lookup table rejected an unknown recipient.
show_user_unknown_table_name = no
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
# postconf(5) requires the banner to start with $myhostname (RFC 5321).
smtpd_banner = Every illegal access will be referred to the appropriate authorities and the CERT.
# 3 messages per anvil_rate_time_unit (60s by default) per client.  Clients
# in $mynetworks are exempt, authenticated remote users are NOT: a laptop
# sending a fourth mail within a minute gets a temporary error.
smtpd_client_message_rate_limit = 3
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
# Evaluate client/helo/sender restrictions at RCPT TO, so the log records
# sender and recipient of every rejection.
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
# reject_unknown_helo_hostname refuses HELO names without A/MX records:
# strict, and legitimate-but-misconfigured senders are lost too.
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, warn_if_reject reject_invalid_hostname
smtpd_junk_command_limit = 3
# Order is right: permit_mynetworks/permit_sasl_authenticated precede
# reject_unauth_destination (anti-relay).  Caveats:
#  - reject_unknown_client (old name of reject_unknown_client_hostname)
#    drops every client without forward-confirmed reverse DNS;
#  - rfc-ignorant.org ceased operation in 2012.  Dead DNSBL zones either
#    answer nothing (wasted lookups) or, once the domain changes hands,
#    may list everything.  dnsbl.sorbs.net was reportedly retired in 2024
#    as well - verify every list before reusing this line;
#  - sbl-xbl.spamhaus.org is a subset of zen.spamhaus.org: querying both
#    is redundant;
#  - check_policy_service unix:private/policy-spf needs the matching
#    master.cf entry.
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_multi_recipient_bounce, reject_non_fqdn_hostname, reject_invalid_hostname, reject_unknown_client, warn_if_reject reject_unknown_hostname, reject_unauth_pipelining, reject_rhsbl_sender dsn.rfc-ignorant.org reject_rhsbl_sender bogusmx.rfc-ignorant.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policy-spf, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
# No PLAIN/LOGIN on cleartext; allowed again once TLS is up (next line).
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
# AUTH is only advertised after STARTTLS.
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
# TLS 1.0/1.1 are still negotiable; add !TLSv1,!TLSv1.1 when clients allow.
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom