# mailserver - Mail Server mail.nbit.ch
|
|
|
|
Als Grundlage soll https://thomas-leister.de/mailserver-debian-buster/ dienen,
|
|
jedoch verwenden wir CentOS 8.
|
|
|
|
Code zum Erstellen des Servers
|
|
|
|
Spezifikation:
|
|
- CentOS 8
|
|
- Hetzner Cloud Server
|
|
- mailcow (Docker-basiert)
|
|
|
|
## Erstellen des Servers
|
|
|
|
Mit dem Binary hcloud von:
|
|
https://github.com/hetznercloud/cli
|
|
|
|
Temporaer einen API Key erstellen (nachher wieder loeschen)
|
|
|
|
```bash
|
|
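# Create a dedicated hcloud context for this project. The API token it
# stores is meant to be temporary (see the note above: delete it again
# once the server exists).
$ hcloud context create nbit.ch
$ hcloud image list # lists the available images
$ hcloud server-type list # lists the available server types

# Key-based SSH login only; the named key must already be uploaded to the
# Hetzner project.
$ hcloud server create --name mail --image centos-8 --type cx21 --ssh-key joerg@cinnamon.nbit.ch
# Reverse DNS for IPv4 (default) and for IPv6 must both resolve to
# mail.nbit.ch; receiving MTAs commonly reject or penalise mismatches.
$ hcloud server set-rdns mail --hostname mail.nbit.ch
$ IPV6="$(hcloud server ip mail -6)"
# Quoted: an unquoted $IPV6 would be subject to word-splitting/globbing.
$ hcloud server set-rdns mail --ip "$IPV6" --hostname mail.nbit.ch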
|
|
```
|
|
|
|
DNS Eintraege erstellen:
|
|
```bash
|
|
# Print the server's IPv4 (default) and IPv6 address; these go into the
# A / AAAA records for mail.nbit.ch.
$ hcloud server ip mail
|
|
$ hcloud server ip mail -6
|
|
```
|
|
|
|
Root-Passwort setzen (das machen wir von Hand)
|
|
|
|
## Ansible Playbook laufen lassen
|
|
```bash
|
|
# Run from the repo's ansible/ directory; --ask-vault-pass prompts for the
# vault password interactively instead of taking it from argv or env.
$ cd ansible
|
|
$ ansible-playbook -i production --ask-vault-pass mailserver.yml
|
|
```
|
|
|
|
## Zertifikate erzeugen
|
|
```bash
|
|
## NOTE(review): this fetches an installer from the network and executes it
## unverified. Download it to a file, inspect it (or pin a released version)
## and only then run it with the same email= argument.
# curl https://get.acme.sh | sh -s email=postmaster@nbit.ch
|
|
## webroot (http-01) validation: port 80 for all three names must reach
## /var/www/default_webroot on this host, so the A/AAAA records and the web
## server config have to be in place before this step.
# acme.sh --issue -d mail.nbit.ch -d smtp.nbit.ch -d imap.nbit.ch -w /var/www/default_webroot
|
|
|
|
[Fr Mär 5 10:16:02 CET 2021] Your cert is in /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.cer
|
|
[Fr Mär 5 10:16:02 CET 2021] Your cert key is in /root/.acme.sh/mail.nbit.ch/mail.nbit.ch.key
|
|
[Fr Mär 5 10:16:02 CET 2021] The intermediate CA cert is in /root/.acme.sh/mail.nbit.ch/ca.cer
|
|
[Fr Mär 5 10:16:02 CET 2021] And the full chain certs is there: /root/.acme.sh/mail.nbit.ch/fullchain.cer
|
|
|
|
Install Certificate:
|
|
## Copies key + full chain to the paths the daemons read and registers the
## reload command, which acme.sh runs again after every renewal.
## NOTE(review): the permissions of /etc/letsencrypt/nbit.ch are not shown
## here — confirm the copied .key is not world-readable.
# acme.sh --install-cert -d mail.nbit.ch --key-file /etc/letsencrypt/nbit.ch/mail.nbit.ch.key --fullchain-file /etc/letsencrypt/nbit.ch/fullchain.cer --reloadcmd "service nginx force-reload"
|
|
```
|
|
|
|
## SELinux Policy for Certificates
|
|
```
|
|
## Custom SELinux module: lets the dovecot and postfix-smtpd domains read
## files labelled public_content_t (rules below).
## NOTE(review): this grants access to *every* public_content_t file, not
## just the TLS material. If the intent is only the key/cert under
## /etc/letsencrypt, labelling that directory with a type the stock policy
## already lets these domains read (cert_t is the standard type for
## /etc/pki) may make this module unnecessary — verify with sesearch.
[root@mail ~]# cat my-mailserver.te
|
|
|
|
module my-mailserver 1.0;
|
|
|
|
## Types and permissions referenced from the base policy.
require {
|
|
type dovecot_t;
|
|
type postfix_smtpd_t;
|
|
type public_content_t;
|
|
class file read;
|
|
class file open;
|
|
class file getattr;
|
|
}
|
|
|
|
#============= dovecot_t ==============
|
|
## read + open only; no getattr, unlike postfix below — confirm dovecot
## does not also need to stat() these files.
allow dovecot_t public_content_t:file read;
|
|
allow dovecot_t public_content_t:file open;
|
|
|
|
#============= postfix_smtpd_t ==============
|
|
allow postfix_smtpd_t public_content_t:file read;
|
|
allow postfix_smtpd_t public_content_t:file open;
|
|
allow postfix_smtpd_t public_content_t:file getattr;
|
|
|
|
|
|
## Compile the source to a binary module, package it, then load it; a
## module loaded with semodule -i stays installed across reboots.
[root@mail ~]# checkmodule -M -m -o my-mailserver.mod my-mailserver.te
|
|
[root@mail ~]# semodule_package -o my-mailserver.pp -m my-mailserver.mod
|
|
[root@mail ~]# semodule -i my-mailserver.pp
|
|
```
|
|
|
|
|
|
## DB erstellen
|
|
```bash
|
|
# mysql
|
|
## Database for the virtual-mail tables below, declared with charset utf8.
## NOTE(review): in MariaDB 'utf8' is the 3-byte utf8mb3; use utf8mb4 if
## full Unicode (e.g. emoji in names) must be stored.
MariaDB [(none)]> create database vmail CHARACTER SET 'utf8';
|
|
## Two roles: 'vmail' is read-only (presumably the lookup account for the
## mail daemons), 'mailboxadm' may also write (account/alias maintenance).
## The passwords here are placeholders — see the comment two lines down.
## NOTE(review): statements typed at this prompt typically end up in
## ~/.mysql_history in clear text; clear it after creating the users.
MariaDB [(none)]> grant select on vmail.* to 'vmail'@'localhost' identified by 'vmaildbpass';
|
|
MariaDB [(none)]> grant SELECT, UPDATE, INSERT, DELETE on vmail.* to 'mailboxadm'@'localhost' identified by 'mailboxadmdbpass';
|
|
# choose different passwords!
|
|
MariaDB [(none)]> use vmail;
|
|
|
|
Folgende Statements durchfuehren:
|
|
|
|
## One row per hosted mail domain. The meaning of `mailboxadmin` is not
## shown on this page.
CREATE TABLE `domains` (
|
|
`id` int unsigned NOT NULL AUTO_INCREMENT,
|
|
`domain` varchar(255) NOT NULL,
|
|
`mailboxadmin` boolean DEFAULT '0',
|
|
PRIMARY KEY (`id`),
|
|
UNIQUE KEY (`domain`)
|
|
);
|
|
|
|
## Mailboxes. `password` holds the hash produced by `doveadm pw -s
## SHA512-CRYPT` (see the inserts further down), never a clear-text
## password. `quota` unit is not stated here (the example below uses 2048).
## `enabled` defaults to 0, so new accounts are inactive until set.
CREATE TABLE `accounts` (
|
|
`id` int unsigned NOT NULL AUTO_INCREMENT,
|
|
`username` varchar(64) NOT NULL,
|
|
`domain` varchar(255) NOT NULL,
|
|
`password` varchar(255) NOT NULL,
|
|
`quota` int unsigned DEFAULT '0',
|
|
`enabled` boolean DEFAULT '0',
|
|
`sendonly` boolean DEFAULT '0',
|
|
`mailboxadmin` boolean DEFAULT '0',
|
|
PRIMARY KEY (id),
|
|
UNIQUE KEY (`username`, `domain`),
|
|
FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
|
|
);
|
|
|
|
## Forwarding rules. `source_username` is the only nullable column, which
## presumably lets a NULL act as a domain catch-all — confirm against the
## Postfix lookup query. Only the source domain is constrained to `domains`;
## destinations may be external.
CREATE TABLE `aliases` (
|
|
`id` int unsigned NOT NULL AUTO_INCREMENT,
|
|
`source_username` varchar(64),
|
|
`source_domain` varchar(255) NOT NULL,
|
|
`destination_username` varchar(64) NOT NULL,
|
|
`destination_domain` varchar(255) NOT NULL,
|
|
`enabled` boolean DEFAULT '0',
|
|
PRIMARY KEY (`id`),
|
|
UNIQUE KEY (`source_username`, `source_domain`, `destination_username`, `destination_domain`),
|
|
FOREIGN KEY (`source_domain`) REFERENCES `domains` (`domain`)
|
|
);
|
|
|
|
## Per-destination-domain outbound TLS policy; the enum values are the
## Postfix smtp TLS security levels, `params` carries the extra fields
## (e.g. fingerprints or match names) for the levels that need them.
CREATE TABLE `tlspolicies` (
|
|
`id` int unsigned NOT NULL AUTO_INCREMENT,
|
|
`domain` varchar(255) NOT NULL,
|
|
`policy` enum('none', 'may', 'encrypt', 'dane', 'dane-only', 'fingerprint', 'verify', 'secure') NOT NULL,
|
|
`params` varchar(255),
|
|
PRIMARY KEY (`id`),
|
|
UNIQUE KEY (`domain`)
|
|
);
|
|
```
|
|
|
|
## Mail Domains und Users einrichten
|
|
|
|
```bash
|
|
## Example domain, account and alias; 'mysystems.tld' is presumably a
## placeholder taken over from the upstream guide, not nbit.ch.
MariaDB [(none)]> insert into domains (domain) values ('mysystems.tld');
|
|
|
|
## Generates the salted hash stored in accounts.password; the clear-text
## password is entered at the doveadm prompt, not in the SQL statement.
$ doveadm pw -s SHA512-CRYPT
|
|
MariaDB [(none)]> insert into accounts (username, domain, password, quota, enabled, sendonly) values ('user1', 'mysystems.tld', '{SHA512-CRYPT}$6$wHyJsS[...]', 2048, true, false);
|
|
|
|
## alias@mysystems.tld -> user1@mysystems.tld, enabled immediately.
MariaDB [(none)]> insert into aliases (source_username, source_domain, destination_username, destination_domain, enabled) values ('alias', 'mysystems.tld', 'user1', 'mysystems.tld', true);
|
|
```
|
|
|
|
## DKIM Signing (manuell einrichten)
|
|
|
|
```bash
|
|
## 2048-bit key pair for DKIM selector "2020"; rspamadm prints the matching
## DNS TXT record (2020._domainkey) on stdout, which is captured in 2020.txt.
# mkdir /var/lib/rspamd/dkim
|
|
# rspamadm dkim_keygen -b 2048 -s 2020 -k /var/lib/rspamd/dkim/2020.key > /var/lib/rspamd/dkim/2020.txt
|
|
## Private key readable only by the rspamd user/group (0440, no "other").
## The selector is a year, which suggests yearly rotation; when rotating,
## publish the new TXT record before switching rspamd to the new key.
# chown -R _rspamd:_rspamd /var/lib/rspamd/dkim
|
|
# chmod 440 /var/lib/rspamd/dkim/*
|
|
```
|
|
|
|
|
|
# MQTT Server
|
|
|
|
Auf dem Server befindet sich auch ein MQTT Server (Docker Compose)
|
|
|
|
Einrichten:
|
|
```bash
|
|
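## Dedicated account that owns /home/mqtt (the compose project directory,
## see WorkingDirectory below) and runs the compose stack.
# groupadd mqtt
# useradd -m -g mqtt -s /bin/bash mqtt
## The user has to exist before it can be added to a supplementary group;
## the original order (usermod before useradd) fails on a fresh host.
## NOTE(review): membership in the docker group is root-equivalent on the
## host (the Docker socket allows starting privileged containers), so this
## account is not truly unprivileged — keep its shell access locked down.
# usermod -a -G docker mqtt
## 1883 is plain-text MQTT. Nothing on this page shows broker authentication
## or TLS, so this rule exposes the broker to the Internet unless the compose
## config (not shown here) enforces them; consider restricting the source or
## using 8883/TLS. NOTE(review): ufw is not the default firewall on CentOS 8
## (firewalld is) — confirm which one is actually active on this host.
# ufw allow 1883 # MQTT
## As user mqtt: put docker-compose.yml into /home/mqtt (step not recorded
## here).
mqtt$


root@mail:/etc/systemd/system# cat /etc/systemd/system/mqtt.service
[Unit]
Description=docker-compose mqtt service
Requires=docker.service network-online.target
After=docker.service network-online.target

[Service]
## Runs as the mqtt user from its home, where docker-compose expects the
## compose file.
WorkingDirectory=/home/mqtt
Type=simple
TimeoutStartSec=15min
Restart=always
User=mqtt
Group=mqtt

## Refresh images before every start; --ignore-pull-failures keeps a start
## working when the registry is unreachable.
ExecStartPre=/usr/bin/docker-compose pull --quiet --ignore-pull-failures
ExecStartPre=/usr/bin/docker-compose build --pull

ExecStart=/usr/bin/docker-compose up --remove-orphans --no-color

ExecStop=/usr/bin/docker-compose down --remove-orphans

## NOTE: reload only refreshes images; running containers are replaced on
## the next restart, since `up` is not re-run here.
ExecReload=/usr/bin/docker-compose pull --quiet --ignore-pull-failures
ExecReload=/usr/bin/docker-compose build --pull

[Install]
WantedBy=multi-user.target

# systemctl enable mqtt.service
# systemctl start mqtt.service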
|
|
```
|