summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README.md72
-rwxr-xr-xmailserver215
2 files changed, 287 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b64bc97
--- /dev/null
+++ b/README.md
@@ -0,0 +1,72 @@
+# Email server setup script
+
+*NOTE: If this line is here, I'm still testing this to even it out.*
+
+I wrote this script during the grueling process of installing an setting up a web server.
+It perfectly reproduces my successful steps to ensure the same setup time and time again.
+Deviate from one command and everything might fall apart unless you know better!
+
+I've linked this file on Github to a shorter more memorable address on my LARBS.xyz domain, so you can get it on your machine with this short command:
+
+```
+curl -LO larbs.xyz/mailserver.sh
+```
+
+Read this readme and peruse the script's comments before running it.
+Expect it to fail.
+
+## This script...
+
+- Installs a dovecot/postfix mail server for your domain of choice
+- Sets up sensible default mail boxes located in `~/Mail`
+- Installs and sets up Spam Assassin
+- Installs and sets up OpenDKIM which validates your emails so you can send to Google and other sites with picky spam filters
+
+## This script does _not_
+
+- ...install or use a mySQL databse, instead uses the traditional Unix/PAM/login system where every user can be an email address on the domain.
+- ...set up a graphical interface for mail like Roundcube or Squirrel Mail. If you want that, you'll have to install it yourself. I just use [isync/msmtp/mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard) to have an offline mirror of my email setup and I recommend the same. There are other ways of doing it though, like Thunderbird, etc.
+- ...offer any frills. If you want to change something, open the script up and change some variables.
+
+## Info
+
+These are the main active ingredients:
+
+- Postfix - SMTP server (that's for sending mail)
+- Dovecot - IMAP server (that's for receiving/storing mail)
+- Spam Assassin - does what it sounds like. You can configure the rules you want. Read the manual.
+- OpenDKIM - This authenticates your server so big-name sites like Google won't consider _your_ mail spam.
+
+## Requirements
+
+- `apt purge` all your previous (failed) attempts to install and configure a mailserver. Get rid of _all_ your system settings for Postfix, Dovecot, OpenDKIM and everything else. This script builds off of a fresh install.
+- A Debian *web server*. I suspect the script will run on Ubuntu as well prodided there aren't huge differences in the default setup.
+- An *MX record* in your DNS settings that points to your own main domain/IP. Unless you have your own DNS server, you'll put this setting on your domain registrar's site. Look up their documentation on how to do this, but it's usually really easy.
+- *SSL for your site's mail subdomain*, specifically for mail.yourdomain.tld with Let's Encrypt. the script will look to Let's Encrypt's generated configs. If you have some other SSL system, you can manually change the SSL locations in the script before running it and it should be fine.
+- After the script runs, you'll have to add an *additional DNS TXT record* which involved OpenDKIM key that it generates during the script.
+
+## Don't get offended by this section
+
+My intention is to have this script working for me on my Debian web server which I have with Vultr.
+Different VPS hosts or distros might have a startup config that's a little different and I'm sure as heck not going to make sure everything works on every possible machine out there, please do not even ask.
+If a lot of people try this script and see that it werks as expected everywhere, then I might try to label it as such and try to make it universal, but think of this script as a script that works on my exact setup than has some educational comments for the uninitiated and only might work as intended.
+
+Configuring an email server is a living nightmare and that's why I made this script so I wouldn't have to do it again.
+Don't ask me to configure your email server unless you are paying me big bucks to do it.
+With this script and the comments in it, I've given you way more than I owe you.
+
+If something is broken, start a PR to fix it, but *do not* open Issues about some problem you have unless you have figured out a solution and are offering a way for me to add a small change that will make this script more robust.
+Your mindset in running this script should be "oh, look, it puts all the commands in a bash-readable format, so I can run it and troubleshoot errors as they come up.".
+The script works for me and if it works for you without a problem, be thankful and feel lucky because setting up email is usually just so much less forgiving.
+
+If you decide to start a VPS, specifically Vultr since I made this script and have tempered it most on their default setup,
+use [this referal link of mine](https://www.vultr.com/?ref=7914655-4F) because you get a free $50 credit, and if you stay on the site, eventually I get a kickback too.
+I honestly have to really strong preference of Vultr over other VPS providers, but they're about as cheap and reliable as it gets and if we can get free money, lol whatever click the link 👏👏.
+
+## Details
+
+- A user's mail is in `~/Mail`. Want a new email address? Create a new user and just add them to the mail group. Now they can send and receive mail. Look up using aliases too if you want for more cool stuff. Dovecot should autocreate the directories as needed.
+- All dovecot configuration is just in `/etc/dovecot/dovecot.conf` instead of a dozen little config files. You can read those in `/etc/dovecot/conf.d/` for more info, but they are not called by default after running this script and the needed settings are edited into the main config.
+- Your IMAP/SMTP server will me `mail.yourdomain.tld` and your ports will be the typical ones: 993 for IMAP and 587 for SMTP.
+- Using non-encypted ports is not allowed for safety! The login is with plaintext because that's simpler and more robust given SSL's security.
+- As is, you will use your name, not full email to log in. E.g., for my `luke@lukesmith.xyz` address, `luke` is my login. It seems that `luke` has to be my From: address in `msmtp` too, which is weird (it appears as a full address once I send mail though). I might look into changing this. Tell me if you know what to change.
diff --git a/mailserver b/mailserver
new file mode 100755
index 0000000..e7dfd63
--- /dev/null
+++ b/mailserver
@@ -0,0 +1,215 @@
+#!/bin/sh
+
+# Put your website in the $domain variable.
+domain="lukesmith.xyz"
+subdom="mail"
+maildomain="$subdom.$domain"
+
+# THE SETUP
+
+# - Mail will be stored in non-retarded Maildirs because it's $currentyear. This makes it easier for use with isync, which is what I care about so I can have an offline repo of mail.
+# - Mail boxes will be sensible: Inbox, Sent, Drafts, Archive, Junk, Trash
+# - Use the typical unix login system for mail users. Users will log into their email with their passnames on the server. No usage of a redundant mySQL database to do this.
+
+
+# BEFORE YOU RUN THIS
+# - Have a Debian system with a static IP and all that. Pretty much any default VPS offered by a company will have all the basic stuff you need. This script might run on Ubuntu as well. Haven't tried it.
+# - Have a Let's Encrypt SSL certificate for $maildomain. You might need one for $domain as well, but they're free with Let's Encypt so you should have them anyway.
+# - If you've been toying around with your server settings trying to get postfix/dovecot/etc. working before running this, I recommend you `apt purge` everything first because this script is build on top of only the defaults. Clearr out /etc/postfix and /etc/dovecot yourself if needbe.
+
+
+# On installation of Postfix, select "Internet Site" and put in TLD (without before it mail.)
+
+echo "Installing programs..."
+apt install postfix dovecot-imapd opendkim spamassassin spamc
+
+
+# NOTE ON POSTCONF COMMANDS
+
+# The `postconf` command literally just adds the line in question to /etc/postfix/main.cf so if you need to debug something, go there.
+# It replaces any other line that sets the same setting, otherwise it is appended to the end of the file.
+
+echo "Configuring Postfix's main.cf..."
+
+# Change the cert/key files to the default locations of the Let's Encrypt cert/key
+postconf -e smtpd_tls_key_file=/etc/letsencrypt/live/$maildomain/privkey.pem
+postconf -e smtpd_tls_cert_file=/etc/letsencrypt/live/$maildomain/fullchain.pem
+postconf -e "smtpd_use_tls = yes"
+postconf -e "smtpd_tls_auth_only = yes"
+
+# Here we tell Postfix to look to Dovecot for authenticating users/passwords.
+# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
+postconf -e "smtpd_sasl_auth_enable = yes"
+postconf -e "smtpd_sasl_type = dovecot"
+postconf -e "smtpd_sasl_path = private/auth"
+
+#postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
+
+
+# NOTE: the trailing slash here, or for any directory name in the home_mailbox command, is necessary as it distinguishes a maildir (which is the actual directories that what we want) from a spoolfile (which is what old unix boomers want and no one else).
+postconf -e "home_mailbox = Mail/Inbox/"
+
+# Research this one:
+#postconf -e "mailbox_command ="
+
+
+# master.cf
+
+echo "Configuring Postfix's master.cf..."
+
+sed -i "/^\s*o/d;/^\s*submission/d;/^\s*smtp/d" /etc/postfix/master.cf
+
+echo "submission inet n - y - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o content_filter=spamassassin
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_tls_auth_only=yes
+smtps inet n - y - - smtpd
+ -o syslog_name=postfix/smtps
+ -o content_filter=spamassassin
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+spamassassin unix - n n - - pipe
+ user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" >> /etc/postfix/master.cf
+
+
+# By default, dovecot has a bunch of configs in /etc/dovecot/conf.d/
+# These files have nice documentation if you want to read it, but it's a huge pain to go through them to organize.
+# Instead, we simply overwrite /etc/dovecot/dovecot.conf because it's easier to manage. You can get a backup of the original in /usr/share/dovecot if you want.
+
+echo "Creating Dovecot config..."
+
+echo "# Dovecot config
+# Note that in the dovecot conf, you can use:
+# %u for username
+# %n for the name in name@domain.tld
+# %d for the domain
+# %h the user's home directory
+
+# If you're not a brainlet, SSL must be set to required.
+ssl = required
+ssl_cert = </etc/letsencrypt/live/$maildomain/fullchain.pem
+ssl_key = </etc/letsencrypt/live/$maildomain/privkey.pem
+# Plaintext login. This is safe and easy thanks to SSL.
+auth_mechanisms = plain
+
+protocols = \$protocols imap
+
+# Search for valid users in /etc/passwd
+userdb {
+ driver = passwd
+}
+# Use plain old PAM to find user passwords
+passdb {
+ driver = pam
+}
+
+# Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox
+# The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+namespace inbox {
+ inbox = yes
+ mailbox Drafts {
+ special_use = \\Drafts
+ auto = subscribe
+}
+ mailbox Junk {
+ special_use = \\Junk
+ auto = subscribe
+ autoexpunge = 30d
+}
+ mailbox Sent {
+ special_use = \\Sent
+ auto = subscribe
+}
+ mailbox Trash {
+ special_use = \\Trash
+}
+ mailbox Archive {
+ special_use = \\Archive
+}
+}
+
+# Here we let Postfix use Dovecot's authetication system.
+
+service auth {
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0660
+ user = postfix
+ group = postfix
+}
+}
+" > /etc/dovecot/dovecot.conf
+
+echo "Preparing user authetication..."
+grep nullok /etc/pam.d/dovecot >/dev/null ||
+echo "auth required pam_unix.so nullok
+account required pam_unix.so" >> /etc/pam.d/dovecot
+
+
+# OpenDKIM
+
+# A lot of the big name email services, like Google, will automatically rejectmark as spam unfamiliar and unauthenticated email addresses. As in, the server will flattly reject the email, not even deliverring it to someone's Spam folder.
+
+# OpenDKIM is a way to authenticate your email so you can send to such services without a problem.
+
+# add opendkim-tools ?
+
+# Create an OpenDKIM key and put in in the proper place with proper permissions.
+echo "Generating OpenDKIM keys..."
+mkdir -p /etc/postfix/dkim
+opendkim-genkey -D /etc/postfix/dkim/ -d $ "$domain" -s "$subdom"
+chgrp opendkim /etc/postfix/dkim/*
+chmod g+r /etc/postfix/dkim/*
+
+# Generate the OpenDKIM info:
+echo "Configuring OpenDKIM..."
+grep "$domain" >/dev/null 2>&1 /etc/postfix/dkim/keytable ||
+echo "$subdom._domainkey.$domain $domain:mail:/etc/postfix/dkim/mail.private" >> /etc/postfix/dkim/keytable
+
+grep "$domain" >/dev/null 2>&1 /etc/postfix/dkim/signingtable ||
+echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
+
+grep "127.0.0.1" >/dev/null 2>&1 /etc/postfix/dkim/trustedhosts ||
+ echo "127.0.0.1
+10.1.0.0/16
+1.2.3.4/24" >> /etc/postfix/dkim/trustedhosts
+
+# ...and source it from opendkim.conf
+grep KeyTable /etc/opendkim.conf >/dev/null || echo "KeyTable file:/etc/postfix/dkim/keytable
+SigningTable refile:/etc/postfix/dkim/signingtable
+InternalHosts refile:/etc/postfix/dkim/trustedhosts" >> /etc/opendkim.conf
+
+# OpenDKIM daemon settings, removing previously activated socket.
+sed -i "/^SOCKET/d" /etc/default/opendkim && echo "SOCKET=\"inet:8891@localhost" >> /etc/default/opendkim
+
+# Here we add to postconf the needed settings for working with OpenDKIM
+echo "Configuring Postfix with OpenDKIM settings..."
+postconf -e "milter_default_action = accept"
+postconf -e "milter_protocol = 2"
+postconf -e "smtpd_milters = inet:localhost:8891"
+postconf -e "non_smtpd_milters = inet:localhost:8891"
+
+
+echo "Restarting Dovecot..."
+service dovecot restart && "Dovecot restarted."
+echo "Restarting Postfix..."
+service postfix restart && "Postfix restarted."
+echo "Restarting OpenDKIM..."
+service opendkim restart && "OpenDKIM restarted."
+echo "Restarting Spam Assassin..."
+service spamassassin restart && "Spamassassin restarted."
+
+pval="$(tr -d "\n" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o p=.*)"
+echo "Here is your TXT entry:"
+echo
+echo
+echo
+printf "Record Name\\tRecord Type\\tText of entry\\n"
+printf "%s._domainkey\\tTXT\\t\\tv=DKIM1; k=rsa; %s\\n" "$subdom" "$pval"
+echo
+echo
+echo "$pval"
+
+