| # mailserver - Mail Server mail.nbit.ch
 | |
| 
 | |
| Als Grundlage soll https://thomas-leister.de/mailserver-debian-buster/ dienen,
 | |
| jedoch verwenden wir CentOS 8.
 | |
| 
 | |
| Code zum Erstellen des Servers
 | |
| 
 | |
| Spezifikation:
 | |
| - CentOS 8
 | |
| - Hetzner Cloud Server
 | |
| - mailcow (Docker-basiert)
 | |
| 
 | |
| ## Erstellen des Servers
 | |
| 
 | |
| Mit dem Binary hcloud von:
 | |
| https://github.com/hetznercloud/cli
 | |
| 
 | |
| Temporaer einen API Key erstellen (`hcloud context create` legt ihn lokal ab; nach dem Setup in der Hetzner Cloud Console wieder loeschen)
 | |
| 
 | |
| ```bash
 | |
| $ hcloud context create nbit.ch
 | |
| $ hcloud image list                          # zeigt moegliche Images
 | |
| $ hcloud server-type list                    # zeigt moegliche Typen
 | |
| 
 | |
| $ hcloud server create --name mail --image centos-8 --type cx21 --ssh-key joerg@cinnamon.nbit.ch
 | |
| $ hcloud server set-rdns mail --hostname mail.nbit.ch
 | |
| $ IPV6="$(hcloud server ip mail -6)"
 | |
| $ hcloud server set-rdns mail --ip $IPV6 --hostname mail.nbit.ch
 | |
| ```
 | |
| 
 | |
| DNS-Eintraege mit den folgenden Adressen anlegen:
 | |
| ```bash
 | |
| $ hcloud server ip mail
 | |
| $ hcloud server ip mail -6                     
 | |
| ```
 | |
| 
 | |
| Root-Passwort setzen (das machen wir von Hand)
 | |
| 
 | |
| ## Ansible Playbook laufen lassen
 | |
| ```bash
 | |
| $ cd ansible
 | |
| $ ansible-playbook -i production --ask-vault-pass mailserver.yml
 | |
| ```
 | |
| 
 | |
| ## Zertifikate erzeugen
 | |
| Hinweis: Das acme.sh-Installationsskript wird unten direkt per `curl ... | sh` ausgefuehrt; das Skript vorher herunterladen und durchsehen, statt es ungesehen auszufuehren.
 | |
| ```bash
 | |
| # curl https://get.acme.sh | sh -s email=postmaster@nbit.ch
 | |
| # acme.sh --issue -d mail.nbit.ch -d smtp.nbit.ch -d imap.nbit.ch -w /var/www/default_webroot
 | |
| 
 | |
| [Fr Mär  5 10:16:02 CET 2021] Your cert is in  /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.cer 
 | |
| [Fr Mär  5 10:16:02 CET 2021] Your cert key is in  /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.key 
 | |
| [Fr Mär  5 10:16:02 CET 2021] The intermediate CA cert is in  /root/.acme.sh/mail.nbit.ch/ca.cer 
 | |
| [Fr Mär  5 10:16:02 CET 2021] And the full chain certs is there:  /root/.acme.sh/mail.nbit.ch/fullchain.cer 
 | |
| 
 | |
| Install Certificate:
 | |
| # acme.sh --install-cert -d mail.nbit.ch --key-file /etc/letsencrypt/nbit.ch/mail.nbit.ch.key --fullchain-file /etc/letsencrypt/nbit.ch/fullchain.cer --reloadcmd  "service nginx force-reload"
 | |
| ```
 | |
| 
 | |
| ## SELinux Policy for Certificates
 | |
| Hinweis: Die Regeln unten erlauben `dovecot_t` und `postfix_smtpd_t` Lesezugriff auf alle Dateien mit dem Label `public_content_t`, nicht nur auf die Zertifikate; dieses Label ist fuer allgemein lesbare Inhalte gedacht und wird auch von anderen Diensten gelesen. Der private Schluessel sollte daher nicht weltweit lesbar sein; alternativ die Zertifikatsdateien mit einem Zertifikats-Label (z. B. `cert_t`) versehen statt den Zugriff auf `public_content_t` zu oeffnen.
 | |
| ```
 | |
| [root@mail ~]# cat my-mailserver.te 
 | |
| 
 | |
| module my-mailserver 1.0;
 | |
| 
 | |
| require {
 | |
|         type dovecot_t;
 | |
|         type postfix_smtpd_t;
 | |
|         type public_content_t;
 | |
|         class file read;
 | |
|         class file open;
 | |
|         class file getattr;
 | |
| }
 | |
| 
 | |
| #============= dovecot_t ==============
 | |
| allow dovecot_t public_content_t:file read;
 | |
| allow dovecot_t public_content_t:file open;
 | |
| 
 | |
| #============= postfix_smtpd_t ==============
 | |
| allow postfix_smtpd_t public_content_t:file read;
 | |
| allow postfix_smtpd_t public_content_t:file open;
 | |
| allow postfix_smtpd_t public_content_t:file getattr;
 | |
| 
 | |
| 
 | |
| [root@mail ~]# checkmodule -M -m -o my-mailserver.mod my-mailserver.te
 | |
| [root@mail ~]# semodule_package -o my-mailserver.pp -m my-mailserver.mod
 | |
| [root@mail ~]# semodule -i my-mailserver.pp
 | |
| ```
 | |
| 
 | |
| 
 | |
| ## DB erstellen
 | |
| ```bash
 | |
| # mysql
 | |
| MariaDB [(none)]> create database vmail CHARACTER SET 'utf8';
 | |
| MariaDB [(none)]> grant select on vmail.* to 'vmail'@'localhost' identified by 'vmaildbpass';    
 | |
| MariaDB [(none)]> grant  SELECT, UPDATE, INSERT, DELETE on vmail.* to 'mailboxadm'@'localhost' identified by 'mailboxadmdbpass';    
 | |
| # anderes Passwort waehlen!
 | |
| MariaDB [(none)]> use vmail;
 | |
| 
 | |
| Folgende Statements durchfuehren:
 | |
| 
 | |
| CREATE TABLE `domains` (
 | |
|     `id` int unsigned NOT NULL AUTO_INCREMENT,
 | |
|     `domain` varchar(255) NOT NULL,
 | |
|     `mailboxadmin` boolean DEFAULT '0',
 | |
|     PRIMARY KEY (`id`),
 | |
|     UNIQUE KEY (`domain`)
 | |
| );
 | |
| 
 | |
| CREATE TABLE `accounts` (
 | |
|     `id` int unsigned NOT NULL AUTO_INCREMENT,
 | |
|     `username` varchar(64) NOT NULL,
 | |
|     `domain` varchar(255) NOT NULL,
 | |
|     `password` varchar(255) NOT NULL,
 | |
|     `quota` int unsigned DEFAULT '0',
 | |
|     `enabled` boolean DEFAULT '0',
 | |
|     `sendonly` boolean DEFAULT '0',
 | |
|     `mailboxadmin` boolean DEFAULT '0',
 | |
|     PRIMARY KEY (id),
 | |
|     UNIQUE KEY (`username`, `domain`),
 | |
|     FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
 | |
| );
 | |
| 
 | |
| CREATE TABLE `aliases` (
 | |
|     `id` int unsigned NOT NULL AUTO_INCREMENT,
 | |
|     `source_username` varchar(64),
 | |
|     `source_domain` varchar(255) NOT NULL,
 | |
|     `destination_username` varchar(64) NOT NULL,
 | |
|     `destination_domain` varchar(255) NOT NULL,
 | |
|     `enabled` boolean DEFAULT '0',
 | |
|     PRIMARY KEY (`id`),
 | |
|     UNIQUE KEY (`source_username`, `source_domain`, `destination_username`, `destination_domain`),
 | |
|     FOREIGN KEY (`source_domain`) REFERENCES `domains` (`domain`)
 | |
| );
 | |
| 
 | |
| CREATE TABLE `tlspolicies` (
 | |
|     `id` int unsigned NOT NULL AUTO_INCREMENT,
 | |
|     `domain` varchar(255) NOT NULL,
 | |
|     `policy` enum('none', 'may', 'encrypt', 'dane', 'dane-only', 'fingerprint', 'verify', 'secure') NOT NULL,
 | |
|     `params` varchar(255),
 | |
|     PRIMARY KEY (`id`),
 | |
|     UNIQUE KEY (`domain`)
 | |
| );
 | |
| ```
 | |
| 
 | |
| ## Mail Domains und Users einrichten
 | |
| 
 | |
| ```bash
 | |
| MariaDB [(none)]> insert into domains (domain) values ('mysystems.tld');
 | |
| 
 | |
| $ doveadm pw -s SHA512-CRYPT
 | |
| MariaDB [(none)]> insert into accounts (username, domain, password, quota, enabled, sendonly) values ('user1', 'mysystems.tld', '{SHA512-CRYPT}$6$wHyJsS[...]', 2048, true, false);
 | |
| 
 | |
| MariaDB [(none)]> insert into aliases (source_username, source_domain, destination_username, destination_domain, enabled) values ('alias', 'mysystems.tld', 'user1', 'mysystems.tld', true);
 | |
| ```
 | |
| 
 | |
| ## DKIM Signing (manuell einrichten)
 | |
| 
 | |
| ```bash
 | |
| # mkdir /var/lib/rspamd/dkim
 | |
| # rspamadm dkim_keygen -b 2048 -s 2020 -k /var/lib/rspamd/dkim/2020.key > /var/lib/rspamd/dkim/2020.txt
 | |
| # chown -R _rspamd:_rspamd /var/lib/rspamd/dkim
 | |
| # chmod 440 /var/lib/rspamd/dkim/*
 | |
| ```