Merge branch 'master' into master

Luke Smith 2020-11-30 18:55:44 -05:00 committed by GitHub
commit 24aa38ec12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 39 deletions

View File

@ -1,28 +1,24 @@
# Email server setup script # Email server setup script
I wrote this script during the gruelling process of installing and setting up I wrote this script during the grueling process of installing and setting up
an email server. It perfectly reproduces my successful steps to ensure the an email server. It perfectly reproduces my successful steps to ensure the
same setup time and time again. same setup time and time again.
I've linked this file on Github to a shorter, more memorable address on my I've linked this file on Github to a shorter, more memorable address on my
website so you can get it on your machine with this short command: website so you can get it on your machine with this short command:
``` ```sh
curl -LO lukesmith.xyz/emailwiz.sh curl -LO lukesmith.xyz/emailwiz.sh
``` ```
When prompted by a dialog menu at the beginning, select "Internet Site", then When prompted by a dialog menu at the beginning, select "Internet Site", then
give your full domain without any subdomain, i.e. `lukesmith.xyz`. give your full domain without any subdomain, i.e. `lukesmith.xyz`.
Read this readme and peruse the script's comments before running it. Expect it
to fail and you have to do bug testing and you will be very happy when it
actually works perfectly.
## This script installs ## This script installs
- **Postfix** to send and receive mail. - **Postfix** to send and receive mail.
- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc). - **Dovecot** to get mail to your email client (mutt, Thunderbird, etc.).
- Config files that unique the two above securely with native log-ins. - Config files that link the two above securely with native log-ins.
- **Spamassassin** to prevent spam and allow you to make custom filters. - **Spamassassin** to prevent spam and allow you to make custom filters.
- **OpenDKIM** to validate you so you can send to Gmail and other big sites. - **OpenDKIM** to validate you so you can send to Gmail and other big sites.
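Review bot: the install command at the top of this hunk, `curl -LO lukesmith.xyz/emailwiz.sh`, is kept unchanged while the old paragraph telling readers to "Read this readme and peruse the script's comments before running it" is dropped; for a script that is run as root on a fresh server, keep that advice, and give the URL an explicit `https://` scheme so curl does not default to plain HTTP and `-L` cannot be redirected to an unencrypted download. Tagging the fence with `sh` and the spelling fixes are fine.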
@ -50,18 +46,19 @@ actually works perfectly.
server: (1) an **MX record** pointing to your own main domain/IP and (2) a server: (1) an **MX record** pointing to your own main domain/IP and (2) a
**CNAME record** for your `mail.` subdomain. **CNAME record** for your `mail.` subdomain.
4. **A Reverse DNS entry for your site.** Go to your VPS settings and add an 4. **A Reverse DNS entry for your site.** Go to your VPS settings and add an
entry for your IPV4 Reverse DNS that goes from your IP address to entry for your IPv4 Reverse DNS that goes from your IP address to
`mail.<yourdomain.com>`. If you would like IPV6, you can do the same for `<yourdomain.com>` (not mail subdomain). If you would like IPv6, you can do
that. This has been tested on Vultr, and all decent VPS hosts will have the same for that. This has been tested on Vultr, and all decent VPS hosts
a section on their instance settings page to add a reverse DNS PTR entry. will have a section on their instance settings page to add a reverse DNS PTR
entry.
You can use the 'Test Email Server' or ':smtp' tool on You can use the 'Test Email Server' or ':smtp' tool on
[mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) to test if you set up [mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) to test if you set up
a reverse DNS correctly. This step is not required for everyone, but some a reverse DNS correctly. This step is not required for everyone, but some
big email services like gmail will stop emails coming from mail servers big email services like Gmail will stop emails coming from mail servers
with no/invalid rDNS lookups. This means your email will fail to even with no/invalid rDNS lookups. This means your email will fail to even
make it to the receipients spam folder; it will never make it to them. make it to the recipients spam folder; it will never make it to them.
5. `apt purge` all your previous (failed) attempts to install and configure a 5. `apt purge` all your previous (failed) attempts to install and configure a
mailserver. Get rid of _all_ your system settings for Postfix, Dovecot, mail server. Get rid of _all_ your system settings for Postfix, Dovecot,
OpenDKIM and everything else. This script builds off of a fresh install. OpenDKIM and everything else. This script builds off of a fresh install.
6. Some VPS providers block port 25 (used to send mail). You may need to 6. Some VPS providers block port 25 (used to send mail). You may need to
request that this port be opened to send mail successfully. Although I have request that this port be opened to send mail successfully. Although I have
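Review bot: the reverse DNS target flips from `mail.<yourdomain.com>` to `<yourdomain.com>` (not mail subdomain) with no reason given, which will confuse readers who followed the previous version. State the actual requirement instead of just the name: the PTR target must forward-resolve (A/AAAA) back to the same IP, and should be the hostname Postfix announces in HELO/EHLO (`myhostname`). With the MX pointing at the main domain and `mail.` being a CNAME, as step 3 above describes, both names resolve to the same address, so the README should say which one the script configures Postfix to use and why the PTR should match it.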
@ -70,8 +67,9 @@ actually works perfectly.
## Post-install requirement! ## Post-install requirement!
- After the script runs, you'll have to add two *additional DNS TXT records* - After the script runs, you'll have to add additional DNS TXT records which
which involves the OpenDKIM key that it generates during the script. are displayed at the end when the script is complete. They will help ensure
your mail is validated and secure.
## Making new users/mail accounts ## Making new users/mail accounts
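Review bot: the rewrite drops the one concrete fact the old text had (that the records involve the OpenDKIM key) and replaces it with "additional DNS TXT records". Name them (the DKIM, DMARC and SPF records the script prints, which it also writes to `$HOME/dns_emailwizard`, so the reader can recover them after the terminal output scrolls away), and soften "validated and secure": the generated DMARC record uses `p=none`, which only requests reports and rejects nothing until the policy is tightened to `quarantine` or `reject`.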
@ -89,10 +87,10 @@ Cassie already exists and we want to let her receive mail to. Just run:
usermod -a -G mail cassie usermod -a -G mail cassie
``` ```
A user's mail will appear in `~/.Mail/`. I you want to see your mail while A user's mail will appear in `~/Mail/`. If you want to see your mail while ssh'd
ssh'd in the server, you could just install mutt, add `set spoolfile="+Inbox"` in the server, you could just install mutt, add `set spoolfile="+Inbox"` to
to your `~/.muttrc` and use mutt to view and reply to mail. You'll probably your `~/.muttrc` and use mutt to view and reply to mail. You'll probably want
want to log in remotely though: to log in remotely though:
## Logging in from Thunderbird or mutt (and others) remotely ## Logging in from Thunderbird or mutt (and others) remotely
@ -103,28 +101,24 @@ email program. For my domain, the server information will be as follows:
- SMTP port: 587 - SMTP port: 587
- IMAP server: `mail.lukesmith.xyz` - IMAP server: `mail.lukesmith.xyz`
- IMAP port: 993 - IMAP port: 993
- Username `luke` (I.e. *not* `luke@lukesmith.xyz`)
The last point is important. Many email systems use a full email address on In previous versions of emailwiz, you also had to log on with *only* your
login. Since we just simply use local PAM logins, only the user's name is used username (i.e. `luke`) rather than your whole email address (i.e.
(this makes a difference if you're using my `luke@lukesmith.xyz`), which caused some confusion. This is no longer the
[mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard), etc.). case.
## Tweaking things
You're a big boy now if you have your own mail server!
You can tweak Postfix (sending mail
## Benefited from this? ## Benefited from this?
If this script or documentation has saved you some frustration, you can donate I am always glad to hear this script is still making life easy for people! If
to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html). this script or documentation has saved you some frustration, you can donate to
support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
## Troubleshooting -- Can't send mail? ## Troubleshooting -- Can't send mail?
- Always check `journalctl -xe` to see the specific problem. - Always check `journalctl -xe` to see the specific problem.
- Go to [this site](https://appmaildev.com/en/dkim) to text your TXT records. - Check with your VPS host and ask them to enable mail ports. Some providers
disable them by default. It shouldn't take any time.
- Go to [this site](https://appmaildev.com/en/dkim) to test your TXT records.
If your DKIM, SPF or DMARC tests fail you probably copied in the TXT records If your DKIM, SPF or DMARC tests fail you probably copied in the TXT records
incorrectly. incorrectly.
- If everything looks good and you *can* send mail, but it still goes to Gmail - If everything looks good and you *can* send mail, but it still goes to Gmail
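Review bot: "This is no longer the case" tells the reader what stopped being true but not what to type; state it positively, e.g. "Log in with either `luke` or `luke@lukesmith.xyz`; the domain part is ignored", since that is what the accompanying Dovecot `auth_username_format = %n` change does. The new troubleshooting bullet's "It shouldn't take any time" is vague; say what to ask the provider for (outbound port 25, and 587/993 if those are filtered), as step 6 of the requirements already does for port 25. Dropping the dangling "Tweaking things" stub is fine.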
@ -134,3 +128,5 @@ to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
worry if you are: sometimes especially new domains are automatically assumed worry if you are: sometimes especially new domains are automatically assumed
to be spam temporaily. If you are blacklisted by one of these, look into it to be spam temporaily. If you are blacklisted by one of these, look into it
and it will explain why and how to remove yourself. and it will explain why and how to remove yourself.
- Check your DNS settings using [this site](https://intodns.com/), it'll report any issues with your MX records
- Ensure that port 25 is open on your server. [Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance blocks this by default, you need to open a support ticket with them to open it. You can't send mail if 25 is blocked
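Review bot: the port 25 bullet duplicates the "Check with your VPS host and ask them to enable mail ports" item added to the same list above and step 6 of the requirements; fold the Vultr link into one of those rather than adding a third mention. Both new bullets also break the list's style: they are not wrapped at the ~80 columns the rest of the file uses and lack the trailing period ("report any issues with your MX records", "if 25 is blocked").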

View File

@ -42,7 +42,9 @@ subdom="mail"
maildomain="$subdom.$domain" maildomain="$subdom.$domain"
certdir="/etc/letsencrypt/live/$maildomain" certdir="/etc/letsencrypt/live/$maildomain"
[ ! -d "$certdir" ] && echo "Note! You must first have a HTTPS/SSL Certificate for $maildomain. [ ! -d "$certdir" ] && certdir="$(dirname "$(certbot certificates 2>/dev/null | grep "$maildomain" -A 2 | awk '/Certificate Path/ {print $3}')")"
[ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain.
Use Let's Encrypt's Certbot to get that and then rerun this script. Use Let's Encrypt's Certbot to get that and then rerun this script.
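Review bot: the new fallback can silently set `certdir` to `.` and defeat the check on the next line. If certbot is absent, prints nothing, or the grep matches no line, the inner command substitution is empty and `dirname ""` prints `.`, which exists, so `[ ! -d "$certdir" ]` is false and the script continues with `ssl_key = <./privkey.pem`. `grep "$maildomain"` is also an unanchored substring match (it would hit `webmail.example.com` for `mail.example.com`, and the unescaped dots match any character), and if several certificates match, `awk` prints several paths and `dirname` receives a multi-line argument. Suggest testing for the files rather than the directory, e.g. `[ -f "$certdir/fullchain.pem" ] && [ -f "$certdir/privkey.pem" ]`, and narrowing the lookup with `certbot certificates --cert-name "$maildomain"` or by matching a whole token on the `Domains:` line.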
@ -137,8 +139,10 @@ ssl_key = <$certdir/privkey.pem
ssl_min_protocol = TLSv1.2 ssl_min_protocol = TLSv1.2
ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes ssl_prefer_server_ciphers = yes
ssl_dh = </usr/share/dovecot/dh.pem
# Plaintext login. This is safe and easy thanks to SSL. # Plaintext login. This is safe and easy thanks to SSL.
auth_mechanisms = plain login auth_mechanisms = plain login
auth_username_format = %n
protocols = \$protocols imap protocols = \$protocols imap
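Review bot: `auth_username_format = %n` is what makes the README's new "log in with the full address" claim work, by stripping everything after `@` before the PAM lookup, so `luke@anything.example` authenticates as `luke`; that is acceptable for a single-domain server backed by system accounts, but say so in a comment next to it rather than leaving only "Plaintext login. This is safe and easy thanks to SSL." The new `ssl_dh = </usr/share/dovecot/dh.pem` assumes the Debian/Ubuntu dovecot-core package path; guard it with a file test or generate the parameters, since Dovecot will refuse to start if the included file is missing.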
@ -262,7 +266,7 @@ sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf
sed -i '/\local:\/var\/run\/opendkim\/opendkim.sock/a \Socket\t\t\tinet:12301@localhost' /etc/opendkim.conf grep -q "^Socket\s*inet:12301@localhost" /etc/opendkim.conf || echo "Socket inet:12301@localhost" >> /etc/opendkim.conf
# OpenDKIM daemon settings, removing previously activated socket. # OpenDKIM daemon settings, removing previously activated socket.
sed -i "/^SOCKET/d" /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim sed -i "/^SOCKET/d" /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
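Review bot: the new idempotence guard cannot fire on a re-run, because the line just above it, `sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf`, has already commented out every line containing `Socket`, including the `Socket inet:12301@localhost` this command appended last time; `grep -q "^Socket\s*inet:12301@localhost"` then misses the now-`#Socket` line and a fresh copy is appended on every run. Run the guard before the sed, make the sed skip the wanted value (`/Socket.*inet:12301@localhost/!s/^#*/#/`), or delete all `Socket` lines and append the one wanted, as the `/etc/default/opendkim` line below already does with `SOCKET`. Note that `\s` in a basic regex is a GNU grep extension.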
@ -283,7 +287,7 @@ for x in dovecot postfix opendkim spamassassin; do
service "$x" restart && printf " ...done\\n" service "$x" restart && printf " ...done\\n"
done done
pval="$(tr -d "\n" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")" pval="$(tr -d "\n" </etc/postfix/dkim/$subdom.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval" dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
dmarcentry="_dmarc.$domain TXT v=DMARC1; p=none; rua=mailto:dmarc@$domain; fo=1" dmarcentry="_dmarc.$domain TXT v=DMARC1; p=none; rua=mailto:dmarc@$domain; fo=1"
spfentry="@ TXT v=spf1 mx a:$maildomain -all" spfentry="@ TXT v=spf1 mx a:$maildomain -all"
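Review bot: the key file name and the DNS label `$subdom._domainkey.$domain` now both derive from `$subdom`, which is only right if the `opendkim-genkey` step (not in this hunk) uses `$subdom` as its `-s` selector as well; otherwise `tr` reads a file that does not exist, `pval` is empty, and the printed DKIM record carries no key. Quote the expansion (`</etc/postfix/dkim/"$subdom".txt`) for consistency with the rest of the script, and consider aborting with a message when `$pval` is empty instead of emitting a broken record.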
@ -295,7 +299,6 @@ $dmarcentry
$spfentry" > "$HOME/dns_emailwizard" $spfentry" > "$HOME/dns_emailwizard"
echo " echo "
_ _ _ _
| \ | | _____ ___ | \ | | _____ ___
| \| |/ _ \ \ /\ / (_) | \| |/ _ \ \ /\ / (_)