Merge branch 'master' into master
commit 24aa38ec12

README.md
@ -1,28 +1,24 @@
|
|||||||
# Email server setup script
|
# Email server setup script
|
||||||
|
|
||||||
I wrote this script during the gruelling process of installing and setting up
|
I wrote this script during the grueling process of installing and setting up
|
||||||
an email server. It perfectly reproduces my successful steps to ensure the
|
an email server. It perfectly reproduces my successful steps to ensure the
|
||||||
same setup time and time again.
|
same setup time and time again.
|
||||||
|
|
||||||
I've linked this file on Github to a shorter, more memorable address on my
|
I've linked this file on Github to a shorter, more memorable address on my
|
||||||
website so you can get it on your machine with this short command:
|
website so you can get it on your machine with this short command:
|
||||||
|
|
||||||
```
|
```sh
|
||||||
curl -LO lukesmith.xyz/emailwiz.sh
|
curl -LO lukesmith.xyz/emailwiz.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
When prompted by a dialog menu at the beginning, select "Internet Site", then
|
When prompted by a dialog menu at the beginning, select "Internet Site", then
|
||||||
give your full domain without any subdomain, i.e. `lukesmith.xyz`.
|
give your full domain without any subdomain, i.e. `lukesmith.xyz`.
|
||||||
|
|
||||||
Read this readme and peruse the script's comments before running it. Expect it
|
|
||||||
to fail and you have to do bug testing and you will be very happy when it
|
|
||||||
actually works perfectly.
|
|
||||||
|
|
||||||
## This script installs
|
## This script installs
|
||||||
|
|
||||||
- **Postfix** to send and receive mail.
|
- **Postfix** to send and receive mail.
|
||||||
- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc).
|
- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc.).
|
||||||
- Config files that unique the two above securely with native log-ins.
|
- Config files that link the two above securely with native log-ins.
|
||||||
- **Spamassassin** to prevent spam and allow you to make custom filters.
|
- **Spamassassin** to prevent spam and allow you to make custom filters.
|
||||||
- **OpenDKIM** to validate you so you can send to Gmail and other big sites.
|
- **OpenDKIM** to validate you so you can send to Gmail and other big sites.
|
||||||
|
|
||||||
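Review bot: dropping the three old lines beginning `Read this readme and peruse the script's comments before running it.` removes the only advice to read the script before executing it, and the fetch command it sat next to, `curl -LO lukesmith.xyz/emailwiz.sh`, has no scheme, so curl issues the first request over plain HTTP (`-L` only follows whatever redirect the server happens to send); since the downloaded script is then run as root, keep the warning and write the URL as `https://lukesmith.xyz/emailwiz.sh` so the download is at least authenticated by TLS. The spelling fix (gruelling to grueling) and the `sh` fence tag are fine.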
@ -50,18 +46,19 @@ actually works perfectly.
|
|||||||
server: (1) an **MX record** pointing to your own main domain/IP and (2) a
|
server: (1) an **MX record** pointing to your own main domain/IP and (2) a
|
||||||
**CNAME record** for your `mail.` subdomain.
|
**CNAME record** for your `mail.` subdomain.
|
||||||
4. **A Reverse DNS entry for your site.** Go to your VPS settings and add an
|
4. **A Reverse DNS entry for your site.** Go to your VPS settings and add an
|
||||||
entry for your IPV4 Reverse DNS that goes from your IP address to
|
entry for your IPv4 Reverse DNS that goes from your IP address to
|
||||||
`mail.<yourdomain.com>`. If you would like IPV6, you can do the same for
|
`<yourdomain.com>` (not mail subdomain). If you would like IPv6, you can do
|
||||||
that. This has been tested on Vultr, and all decent VPS hosts will have
|
the same for that. This has been tested on Vultr, and all decent VPS hosts
|
||||||
a section on their instance settings page to add a reverse DNS PTR entry.
|
will have a section on their instance settings page to add a reverse DNS PTR
|
||||||
|
entry.
|
||||||
You can use the 'Test Email Server' or ':smtp' tool on
|
You can use the 'Test Email Server' or ':smtp' tool on
|
||||||
[mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) to test if you set up
|
[mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) to test if you set up
|
||||||
a reverse DNS correctly. This step is not required for everyone, but some
|
a reverse DNS correctly. This step is not required for everyone, but some
|
||||||
big email services like gmail will stop emails coming from mail servers
|
big email services like Gmail will stop emails coming from mail servers
|
||||||
with no/invalid rDNS lookups. This means your email will fail to even
|
with no/invalid rDNS lookups. This means your email will fail to even
|
||||||
make it to the receipients spam folder; it will never make it to them.
|
make it to the recipients spam folder; it will never make it to them.
|
||||||
5. `apt purge` all your previous (failed) attempts to install and configure a
|
5. `apt purge` all your previous (failed) attempts to install and configure a
|
||||||
mailserver. Get rid of _all_ your system settings for Postfix, Dovecot,
|
mail server. Get rid of _all_ your system settings for Postfix, Dovecot,
|
||||||
OpenDKIM and everything else. This script builds off of a fresh install.
|
OpenDKIM and everything else. This script builds off of a fresh install.
|
||||||
6. Some VPS providers block port 25 (used to send mail). You may need to
|
6. Some VPS providers block port 25 (used to send mail). You may need to
|
||||||
request that this port be opened to send mail successfully. Although I have
|
request that this port be opened to send mail successfully. Although I have
|
||||||
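Review bot: the reverse DNS target is switched from `mail.<yourdomain.com>` to `<yourdomain.com>` (not mail subdomain) without a stated reason, while the preceding item still tells the reader to create a CNAME for the `mail.` subdomain and the script builds everything around `maildomain="$subdom.$domain"`; whichever name the PTR points at, add the sentence that the name must have an A (and AAAA, if IPv6 is set up) record resolving back to the same address, because that forward-confirmed match is what Gmail and the other receivers named here check, and say why the recommendation changed so people who followed the old README know whether to update their PTR. Minor: `recipients spam folder` wants the possessive `recipients'`.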
@ -70,8 +67,9 @@ actually works perfectly.
|
|||||||
|
|
||||||
## Post-install requirement!
|
## Post-install requirement!
|
||||||
|
|
||||||
- After the script runs, you'll have to add two *additional DNS TXT records*
|
- After the script runs, you'll have to add additional DNS TXT records which
|
||||||
which involves the OpenDKIM key that it generates during the script.
|
are displayed at the end when the script is complete. They will help ensure
|
||||||
|
your mail is validated and secure.
|
||||||
|
|
||||||
## Making new users/mail accounts
|
## Making new users/mail accounts
|
||||||
|
|
||||||
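Review bot: `They will help ensure your mail is validated and secure.` is too vague for a post-install requirement; the script writes three records (a DKIM TXT at `$subdom._domainkey.$domain`, a DMARC TXT at `_dmarc.$domain` and an SPF TXT at `@`) and saves them to `$HOME/dns_emailwizard`, so name the three records and that file here, because the terminal output this paragraph relies on is easy to lose once the session is closed.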
@ -89,10 +87,10 @@ Cassie already exists and we want to let her receive mail to. Just run:
|
|||||||
usermod -a -G mail cassie
|
usermod -a -G mail cassie
|
||||||
```
|
```
|
||||||
|
|
||||||
A user's mail will appear in `~/.Mail/`. I you want to see your mail while
|
A user's mail will appear in `~/Mail/`. If you want to see your mail while ssh'd
|
||||||
ssh'd in the server, you could just install mutt, add `set spoolfile="+Inbox"`
|
in the server, you could just install mutt, add `set spoolfile="+Inbox"` to
|
||||||
to your `~/.muttrc` and use mutt to view and reply to mail. You'll probably
|
your `~/.muttrc` and use mutt to view and reply to mail. You'll probably want
|
||||||
want to log in remotely though:
|
to log in remotely though:
|
||||||
|
|
||||||
## Logging in from Thunderbird or mutt (and others) remotely
|
## Logging in from Thunderbird or mutt (and others) remotely
|
||||||
|
|
||||||
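Review bot: the path change from `~/.Mail/` to `~/Mail/` is a factual correction that has to agree with the Dovecot mail location the script configures, which is not part of this diff, so confirm the two match before merging; the other changes are a typo fix (`I you` to `If you`) and a reflow of the paragraph, and the reflow makes three lines show as changed for a one-letter fix. The context line `let her receive mail to` should read `too`.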
@ -103,28 +101,24 @@ email program. For my domain, the server information will be as follows:
|
|||||||
- SMTP port: 587
|
- SMTP port: 587
|
||||||
- IMAP server: `mail.lukesmith.xyz`
|
- IMAP server: `mail.lukesmith.xyz`
|
||||||
- IMAP port: 993
|
- IMAP port: 993
|
||||||
- Username `luke` (I.e. *not* `luke@lukesmith.xyz`)
|
|
||||||
|
|
||||||
The last point is important. Many email systems use a full email address on
|
In previous versions of emailwiz, you also had to log on with *only* your
|
||||||
login. Since we just simply use local PAM logins, only the user's name is used
|
username (i.e. `luke`) rather than your whole email address (i.e.
|
||||||
(this makes a difference if you're using my
|
`luke@lukesmith.xyz`), which caused some confusion. This is no longer the
|
||||||
[mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard), etc.).
|
case.
|
||||||
|
|
||||||
## Tweaking things
|
|
||||||
|
|
||||||
You're a big boy now if you have your own mail server!
|
|
||||||
|
|
||||||
You can tweak Postfix (sending mail
|
|
||||||
|
|
||||||
## Benefited from this?
|
## Benefited from this?
|
||||||
|
|
||||||
If this script or documentation has saved you some frustration, you can donate
|
I am always glad to hear this script is still making life easy for people! If
|
||||||
to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
|
this script or documentation has saved you some frustration, you can donate to
|
||||||
|
support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
|
||||||
|
|
||||||
## Troubleshooting -- Can't send mail?
|
## Troubleshooting -- Can't send mail?
|
||||||
|
|
||||||
- Always check `journalctl -xe` to see the specific problem.
|
- Always check `journalctl -xe` to see the specific problem.
|
||||||
- Go to [this site](https://appmaildev.com/en/dkim) to text your TXT records.
|
- Check with your VPS host and ask them to enable mail ports. Some providers
|
||||||
|
disable them by default. It shouldn't take any time.
|
||||||
|
- Go to [this site](https://appmaildev.com/en/dkim) to test your TXT records.
|
||||||
If your DKIM, SPF or DMARC tests fail you probably copied in the TXT records
|
If your DKIM, SPF or DMARC tests fail you probably copied in the TXT records
|
||||||
incorrectly.
|
incorrectly.
|
||||||
- If everything looks good and you *can* send mail, but it still goes to Gmail
|
- If everything looks good and you *can* send mail, but it still goes to Gmail
|
||||||
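Review bot: `This is no longer the case.` asserts that logging in with the full address now works, but the only change in this commit that supports it is Dovecot's `auth_username_format = %n`, which strips the `@domain` for IMAP on 993; the README also lists SMTP submission on 587, and whether Postfix accepts the same login form depends on its SASL setup, which is not in this diff, so either confirm that submission authenticates through Dovecot SASL and say both forms work on both ports, or keep the short-username advice for SMTP. The new bullet `Check with your VPS host and ask them to enable mail ports` overlaps with setup step 6 (port 25) and with the port-25 bullet added at the bottom of this same troubleshooting list; one place is enough. Removing the unfinished `## Tweaking things` stub is fine.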
@ -134,3 +128,5 @@ to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
|
|||||||
worry if you are: sometimes especially new domains are automatically assumed
|
worry if you are: sometimes especially new domains are automatically assumed
|
||||||
to be spam temporaily. If you are blacklisted by one of these, look into it
|
to be spam temporaily. If you are blacklisted by one of these, look into it
|
||||||
and it will explain why and how to remove yourself.
|
and it will explain why and how to remove yourself.
|
||||||
|
- Check your DNS settings using [this site](https://intodns.com/), it'll report any issues with your MX records
|
||||||
|
- Ensure that port 25 is open on your server. [Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance blocks this by default, you need to open a support ticket with them to open it. You can't send mail if 25 is blocked
|
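Review bot: the new `Ensure that port 25 is open on your server` bullet repeats setup step 6 and the `Check with your VPS host` bullet added earlier in this section, so consolidate them into one entry; the two new lines are also unwrapped, while the rest of the README is wrapped at about 80 columns. The typo `temporaily` in the context line could be fixed while this list is being touched.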
emailwiz.sh
@ -42,7 +42,9 @@ subdom="mail"
|
|||||||
maildomain="$subdom.$domain"
|
maildomain="$subdom.$domain"
|
||||||
certdir="/etc/letsencrypt/live/$maildomain"
|
certdir="/etc/letsencrypt/live/$maildomain"
|
||||||
|
|
||||||
[ ! -d "$certdir" ] && echo "Note! You must first have a HTTPS/SSL Certificate for $maildomain.
|
[ ! -d "$certdir" ] && certdir="$(dirname "$(certbot certificates 2>/dev/null | grep "$maildomain" -A 2 | awk '/Certificate Path/ {print $3}')")"
|
||||||
|
|
||||||
|
[ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain.
|
||||||
|
|
||||||
Use Let's Encrypt's Certbot to get that and then rerun this script.
|
Use Let's Encrypt's Certbot to get that and then rerun this script.
|
||||||
|
|
||||||
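Review bot: the new fallback `certdir="$(dirname "$(certbot certificates 2>/dev/null | grep "$maildomain" -A 2 | awk '/Certificate Path/ {print $3}')")"` can silently yield a wrong directory: when no certificate matches, awk prints nothing, `dirname ""` returns `.`, which is an existing directory, so the `[ ! -d "$certdir" ]` test on the next line passes and the script goes on to write paths like `ssl_key = <./privkey.pem` into the mail configuration; when more than one certificate matches (the unanchored `grep "$maildomain"` also matches any name that merely contains it, and the dots are unescaped), awk prints several paths and `dirname` receives a multi-line string. Filter with certbot's own domain option (`certbot certificates -d "$maildomain"`) or match the whole `Domains:` line, and accept the result only if `[ -f "$certdir/fullchain.pem" ]`.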
@ -137,8 +139,10 @@ ssl_key = <$certdir/privkey.pem
|
|||||||
ssl_min_protocol = TLSv1.2
|
ssl_min_protocol = TLSv1.2
|
||||||
ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH
|
ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH
|
||||||
ssl_prefer_server_ciphers = yes
|
ssl_prefer_server_ciphers = yes
|
||||||
|
ssl_dh = </usr/share/dovecot/dh.pem
|
||||||
# Plaintext login. This is safe and easy thanks to SSL.
|
# Plaintext login. This is safe and easy thanks to SSL.
|
||||||
auth_mechanisms = plain login
|
auth_mechanisms = plain login
|
||||||
|
auth_username_format = %n
|
||||||
|
|
||||||
protocols = \$protocols imap
|
protocols = \$protocols imap
|
||||||
|
|
||||||
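Review bot: `ssl_dh = </usr/share/dovecot/dh.pem` points at a file the script never checks for; the `<` makes Dovecot read it at startup, so on a system whose dovecot package does not ship that file the service fails with a configuration error instead of degrading. Guard it with `[ -f /usr/share/dovecot/dh.pem ]` and generate parameters with `openssl dhparam` when it is missing. `auth_username_format = %n` also deserves a comment: it drops anything after `@` before the PAM lookup, so `luke@lukesmith.xyz` and `luke` both map to the system user `luke`, which is what the README change about login names relies on.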
@ -262,7 +266,7 @@ sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
|
|||||||
sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
|
sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
|
||||||
|
|
||||||
sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf
|
sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf
|
||||||
sed -i '/\local:\/var\/run\/opendkim\/opendkim.sock/a \Socket\t\t\tinet:12301@localhost' /etc/opendkim.conf
|
grep -q "^Socket\s*inet:12301@localhost" /etc/opendkim.conf || echo "Socket inet:12301@localhost" >> /etc/opendkim.conf
|
||||||
|
|
||||||
# OpenDKIM daemon settings, removing previously activated socket.
|
# OpenDKIM daemon settings, removing previously activated socket.
|
||||||
sed -i "/^SOCKET/d" /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
|
sed -i "/^SOCKET/d" /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
|
||||||
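Review bot: the new line `grep -q "^Socket\s*inet:12301@localhost" /etc/opendkim.conf || echo "Socket inet:12301@localhost" >> /etc/opendkim.conf` is not idempotent together with the `sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf` two lines above it: each run first comments out every line containing `Socket`, including the one appended by the previous run, then the grep finds no uncommented entry and appends another, so the file gains one `#Socket inet:12301@localhost` line per re-run. Delete prior copies, commented or not, before appending (for example `sed -i '/^#*Socket\s*inet:12301@localhost/d' /etc/opendkim.conf`), or fold the comment-out and the append into one substitution. Replacing the old `a \Socket\t\t\tinet:12301@localhost` insert, which depended on a path that may not appear in the shipped conf, is an improvement.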
@ -283,7 +287,7 @@ for x in dovecot postfix opendkim spamassassin; do
|
|||||||
service "$x" restart && printf " ...done\\n"
|
service "$x" restart && printf " ...done\\n"
|
||||||
done
|
done
|
||||||
|
|
||||||
pval="$(tr -d "\n" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
|
pval="$(tr -d "\n" </etc/postfix/dkim/$subdom.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
|
||||||
dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
|
dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
|
||||||
dmarcentry="_dmarc.$domain TXT v=DMARC1; p=none; rua=mailto:dmarc@$domain; fo=1"
|
dmarcentry="_dmarc.$domain TXT v=DMARC1; p=none; rua=mailto:dmarc@$domain; fo=1"
|
||||||
spfentry="@ TXT v=spf1 mx a:$maildomain -all"
|
spfentry="@ TXT v=spf1 mx a:$maildomain -all"
|
||||||
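Review bot: reading the key from `/etc/postfix/dkim/$subdom.txt` instead of the hard-coded `mail.txt` matches the selector used in `dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"`, so the change is right provided the key-generation step (outside this diff) also writes the file under `$subdom`; check that before merging. While here, `dmarcentry` sets `p=none`, which only asks receivers to send reports to `dmarc@$domain` and does not tell them to quarantine or reject mail that fails SPF/DKIM alignment, so a comment that this is the monitoring starting point, to be raised to `p=quarantine` or `p=reject` once the reports look clean, would stop readers from treating the record as protection against spoofing of their domain.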
@ -295,7 +299,6 @@ $dmarcentry
|
|||||||
$spfentry" > "$HOME/dns_emailwizard"
|
$spfentry" > "$HOME/dns_emailwizard"
|
||||||
|
|
||||||
echo "
|
echo "
|
||||||
|
|
||||||
_ _
|
_ _
|
||||||
| \ | | _____ ___
|
| \ | | _____ ___
|
||||||
| \| |/ _ \ \ /\ / (_)
|
| \| |/ _ \ \ /\ / (_)
|
||||||
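Review bot: the removed line this hunk header announces is not visible here (the view is cut off inside the banner), so that part cannot be reviewed; what is visible is the write to `$HOME/dns_emailwizard`, and since the script runs as root (it edits `/etc/opendkim.conf` and restarts services) that file lands in `/root/dns_emailwizard`, so printing that path next to the banner would let readers recover the DNS records after the terminal output is gone.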