# mailserver - Mail Server mail.nbit.ch

Als Grundlage soll https://thomas-leister.de/mailserver-debian-buster/ dienen, jedoch verwenden wir CentOS 8.

Code zum Erstellen des Servers

Spezifikation:

- CentOS 8
- Hetzner Cloud Server
- mailcow (Docker-basiert)

## Erstellen des Servers

Mit dem Binary hcloud von: https://github.com/hetznercloud/cli

Temporaer einen API Key erstellen (nachher wieder loeschen)

```bash
$ hcloud context create nbit.ch
$ hcloud image list        # zeigt moegliche Images
$ hcloud server-type list  # zeigt moegliche Typen
$ hcloud server create --name mail --image centos-8 --type cx21 --ssh-key joerg@cinnamon.nbit.ch
$ hcloud server set-rdns mail --hostname mail.nbit.ch
$ IPV6="$(hcloud server ip mail -6)"
$ hcloud server set-rdns mail --ip $IPV6 --hostname mail.nbit.ch
```

DNS Eintraege erstellen:

```bash
$ hcloud server ip mail
$ hcloud server ip mail -6
```

Root-Passwort setzen (das machen wir von Hand)

## Ansible Playbook laufen lassen

```bash
$ cd ansible
$ ansible-playbook -i production --ask-vault-pass mailserver.yml
```

## Zertifikate erzeugen

```bash
# curl https://get.acme.sh | sh -s email=postmaster@nbit.ch
# acme.sh --issue -d mail.nbit.ch -d smtp.nbit.ch -d imap.nbit.ch -w /var/www/default_webroot
[Fr Mär 5 10:16:02 CET 2021] Your cert is in /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.cer
[Fr Mär 5 10:16:02 CET 2021] Your cert key is in /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.key
[Fr Mär 5 10:16:02 CET 2021] The intermediate CA cert is in /root/.acme.sh/mail.nbit.ch/ca.cer
[Fr Mär 5 10:16:02 CET 2021] And the full chain certs is there: /root/.acme.sh/mail.nbit.ch/fullchain.cer

Install Certificate:
# acme.sh --install-cert -d mail.nbit.ch --key-file /etc/letsencrypt/nbit.ch/mail.nbit.ch.key --fullchain-file /etc/letsencrypt/nbit.ch/fullchain.cer --reloadcmd "service nginx force-reload"
```

## SELinux Policy for Certificates

```
[root@mail ~]# cat my-mailserver.te
module my-mailserver 1.0;

require {
type dovecot_t;
type postfix_smtpd_t;
type
public_content_t;
class file read;
class file open;
class file getattr;
}

#============= dovecot_t ==============
allow dovecot_t public_content_t:file read;
allow dovecot_t public_content_t:file open;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t public_content_t:file read;
allow postfix_smtpd_t public_content_t:file open;
allow postfix_smtpd_t public_content_t:file getattr;

[root@mail ~]# checkmodule -M -m -o my-mailserver.mod my-mailserver.te
[root@mail ~]# semodule_package -o my-mailserver.pp -m my-mailserver.mod
[root@mail ~]# semodule -i my-mailserver.pp
```

## DB erstellen

```bash
# mysql
MariaDB [(none)]> create database vmail CHARACTER SET 'utf8';
MariaDB [(none)]> grant select on vmail.* to 'vmail'@'localhost' identified by 'vmaildbpass';
MariaDB [(none)]> grant SELECT, UPDATE, INSERT, DELETE on vmail.* to 'mailboxadm'@'localhost' identified by 'mailboxadmdbpass'; # anderes Passwort waehlen!
MariaDB [(none)]> use vmail;
```

Die Passwoerter 'vmaildbpass' und 'mailboxadmdbpass' sind nur Platzhalter und muessen fuer beide Benutzer durch eigene Passwoerter ersetzt werden.

Folgende Statements durchfuehren:

```sql
CREATE TABLE `domains` (
  `id` int unsigned NOT NULL AUTO_INCREMENT,
  `domain` varchar(255) NOT NULL,
  `mailboxadmin` boolean DEFAULT '0',
  PRIMARY KEY (`id`),
  UNIQUE KEY (`domain`)
);

CREATE TABLE `accounts` (
  `id` int unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(64) NOT NULL,
  `domain` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL,
  `quota` int unsigned DEFAULT '0',
  `enabled` boolean DEFAULT '0',
  `sendonly` boolean DEFAULT '0',
  `mailboxadmin` boolean DEFAULT '0',
  PRIMARY KEY (id),
  UNIQUE KEY (`username`, `domain`),
  FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
);

CREATE TABLE `aliases` (
  `id` int unsigned NOT NULL AUTO_INCREMENT,
  `source_username` varchar(64),
  `source_domain` varchar(255) NOT NULL,
  `destination_username` varchar(64) NOT NULL,
  `destination_domain` varchar(255) NOT NULL,
  `enabled` boolean DEFAULT '0',
  PRIMARY KEY (`id`),
  UNIQUE KEY (`source_username`, `source_domain`, `destination_username`, `destination_domain`),
  FOREIGN KEY (`source_domain`)
REFERENCES `domains` (`domain`)
);

CREATE TABLE `tlspolicies` (
  `id` int unsigned NOT NULL AUTO_INCREMENT,
  `domain` varchar(255) NOT NULL,
  `policy` enum('none', 'may', 'encrypt', 'dane', 'dane-only', 'fingerprint', 'verify', 'secure') NOT NULL,
  `params` varchar(255),
  PRIMARY KEY (`id`),
  UNIQUE KEY (`domain`)
);
```

## Mail Domains und Users einrichten

```bash
MariaDB [(none)]> insert into domains (domain) values ('mysystems.tld');
$ doveadm pw -s SHA512-CRYPT
MariaDB [(none)]> insert into accounts (username, domain, password, quota, enabled, sendonly) values ('user1', 'mysystems.tld', '{SHA512-CRYPT}$6$wHyJsS[...]', 2048, true, false);
MariaDB [(none)]> insert into aliases (source_username, source_domain, destination_username, destination_domain, enabled) values ('alias', 'mysystems.tld', 'user1', 'mysystems.tld', true);
```

## DKIM Signing (manuell einrichten)

```bash
# mkdir /var/lib/rspamd/dkim
# rspamadm dkim_keygen -b 2048 -s 2020 -k /var/lib/rspamd/dkim/2020.key > /var/lib/rspamd/dkim/2020.txt
# chown -R _rspamd:_rspamd /var/lib/rspamd/dkim
# chmod 440 /var/lib/rspamd/dkim/*
```