non-communicative commit message

This commit is contained in:
Luke Smith 2020-06-20 15:43:27 -04:00
parent dad17776e4
commit ff9f5c7456
No known key found for this signature in database
GPG Key ID: 4C50B54A911F6252
2 changed files with 114 additions and 50 deletions

118
README.md
View File

@ -1,57 +1,107 @@
# Email server setup script
I wrote this script during the gruelling process of installing and setting up an email server.
It perfectly reproduces my successful steps to ensure the same setup time and time again.
I wrote this script during the gruelling process of installing and setting up
an email server. It perfectly reproduces my successful steps to ensure the
same setup time and time again.
I've linked this file on Github to a shorter, more memorable address on my website so you can get it on your machine with this short command:
I've linked this file on Github to a shorter, more memorable address on my
website so you can get it on your machine with this short command:
```
curl -LO lukesmith.xyz/emailwiz.sh
```
When prompted by a dialog menu at the beginning, select "Internet Site", then give your full domain without any subdomain, i.e. `lukesmith.xyz`.
When prompted by a dialog menu at the beginning, select "Internet Site", then
give your full domain without any subdomain, i.e. `lukesmith.xyz`.
Read this readme and peruse the script's comments before running it.
Expect it to fail and you have to do bug testing and you will be very happy when it actually works perfectly.
Read this readme and peruse the script's comments before running it. Expect it
to fail and you have to do bug testing and you will be very happy when it
actually works perfectly.
## This script...
## This script installs
- Installs a **Dovecot/Postfix mail server** for your domain of choice
- Sets up **sensible default mailboxes** located in `~/Mail`
- Installs and sets up **Spam Assassin**
- Installs and sets up **OpenDKIM** which validates your emails so you can send to Google and other sites with picky spam filters
- **Postfix** to send mail.
- **Dovecot** to receive mail.
- Config files that unique the two above securely with native log-ins.
- **Spamassassin** to prevent spam and allow you to make custom filters.
- **OpenDKIM** to validate you so you can send to Gmail and other big sites.
## This script does _not_
- ...install or use a mySQL databse, instead uses the traditional Unix/PAM/login system where every user can be an email address on the domain.
- ...set up a graphical interface for mail like Roundcube or Squirrel Mail. If you want that, you'll have to install it yourself. I just use [isync/msmtp/mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard) to have an offline mirror of my email setup and I recommend the same. There are other ways of doing it though, like Thunderbird, etc.
- ...offer any frills. If you want to change something, open the script up and change some variables.
- use a SQL database or anything like that.
- set up a graphical interface for mail like Roundcube or Squirrel Mail. If you
want that, you'll have to install it yourself. I just use
[isync/msmtp/mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard) to
have an offline mirror of my email setup and I recommend the same. There are
other ways of doing it though, like Thunderbird, etc.
## Requirements
- `apt purge` all your previous (failed) attempts to install and configure a mailserver. Get rid of _all_ your system settings for Postfix, Dovecot, OpenDKIM and everything else. This script builds off of a fresh install.
- A **Debian or Ubuntu server**. I've tested this on a [Vultr](https://www.vultr.com/?ref=7914655-4F) Debian server and their setup works, but I suspect other VPS hosts will have similar/possibly identical default settings which will let you run this on them.
- An **MX record** in your DNS settings that points to your own main domain/IP. Unless you have your own DNS server, you'll put this setting on your domain registrar's site. Look up their documentation on how to do this, but it's usually really easy.
- **SSL for your site's mail subdomain**, specifically for mail.yourdomain.tld with Let's Encrypt. The script will look to Let's Encrypt's generated configs. If you have some other SSL system, you can manually change the SSL locations in the script before running it and it should be fine. You might want to create a dummy Apache/nginx record for your mail domain as this makes running Let's Encrypt's Certbot easier.
- After the script runs, you'll have to add an *additional DNS TXT record* which involves the OpenDKIM key that it generates during the script.
1. A **Debian or Ubuntu server**. I've tested this on a
[Vultr](https://www.vultr.com/?ref=8384069-6G) Debian server and one running
Ubuntu and their setup works, but I suspect other VPS hosts will have
similar/possibly identical default settings which will let you run this on
them. Note that the affiliate link there to Vultr gives you a $100 credit
for the first month to play around.
2. **A Let's Encrypt SSL certificate for your site's `mail.` subdomain**.
Create a nginx/apache site at `mail.<yourdomain.com>` and get a certificate
for it with Let's Encrypt's [Certbot](https://certbot.eff.org/).
3. - You need two little DNS records set on your domain registrar's site/DNS
server: (1) an **MX record** pointing to your own main domain/IP and (2) a
**CNAME record** for your `mail.` subdomain.
4. `apt purge` all your previous (failed) attempts to install and configure a
mailserver. Get rid of _all_ your system settings for Postfix, Dovecot,
OpenDKIM and everything else. This script builds off of a fresh install.
## Caveats
## Post-install requirement!
My intention is to have this script working for me on my Debian web server which I have with Vultr.
Different VPS hosts or distros might have a startup config that's a little different and I'm sure as heck not going to make sure everything works on every possible machine out there, please do not even ask.
If a lot of people try this script and see that it works as expected everywhere, then I might try to label it as such and try to make it universal, but think of this script as a script that works on my exact setup that has some educational comments for the uninitiated and only _might_ work as intended.
- After the script runs, you'll have to add two *additional DNS TXT records*
which involves the OpenDKIM key that it generates during the script.
If you decide to start a VPS, specifically Vultr since I made this script and have tempered it most on their default setup,
use [this referal link of mine](https://www.vultr.com/?ref=8384069-6G) because you get a free $100 credit for a month, and if you stay on the site, eventually I get a smaller kickback too.
I honestly have no really strong preference of Vultr over other VPS providers, but they're about as cheap and reliable as it gets and if we can get free money, lol whatever click the link 👏👏.
## Making new users/mail accounts
## Details
Let's say we want to add a user Billy and let him receive mail, run this:
- A user's mail is in `~/Mail`. Want a new email address? Create a new user and just add them to the mail group, be sure to give them a password with `passwd <name>` as well. Now they can send and receive mail. Look up using aliases too if you want for more cool stuff. Dovecot should autocreate the directories as needed.
- All dovecot configuration is just in `/etc/dovecot/dovecot.conf` instead of a dozen little config files. You can read those in `/etc/dovecot/conf.d/` for more info, but they are not called by default after running this script and the needed settings are edited into the main config.
- Your IMAP/SMTP server will be `mail.yourdomain.tld` and your ports will be the typical ones: 993 for IMAP and 587 for SMTP.
- Using non-encrypted ports is not allowed for safety! The login is with plaintext because that's simpler and more robust given SSL's security.
- As is, you will use your name, not full email to log in. E.g., for my `luke@lukesmith.xyz` address, `luke` is my login.
```
useradd -m -G mail billy
passwd billy
```
If this script or documentation has saved you some frustration, you can donate to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
No refunds if the process of having a mail server causes you another kind of frustration! 😉
Any user added to the `mail` group will be able to receive mail. Suppose a user
Cassie already exists and we want to let her receive mail to. Just run:
```
usermod -a -G mail cassie
```
A user's mail will appear in `~/.Mail/`. I you want to see your mail while
ssh'd in the server, you could just install mutt, add `set spoolfile="+Inbox"`
to your `~/.muttrc` and use mutt to view and reply to mail. You'll probably
want to log in remotely though:
## Logging in from Thunderbird or mutt (and others) remotely
Let's say you want to access your mail with Thunderbird or mutt or another
email program. For my domain, the server information will be as follows:
- SMTP server: `mail.lukesmith.xyz`
- SMTP port: 587
- IMAP server: `mail.lukesmith.xyz`
- IMAP port: 993
- Username `luke` (I.e. *not* `luke@lukesmith.xyz`)
The last point is important. Many email systems use a full email address on
login. Since we just simply use local PAM logins, only the user's name is used
(this makes a difference if you're using my
[mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard), etc.).
## Tweaking things
You're a big boy now if you have your own mail server!
You can tweak Postfix (sending mail
## Benefited from this?
If this script or documentation has saved you some frustration, you can donate
to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).

View File

@ -40,11 +40,13 @@ which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools
domain="$(cat /etc/mailname)"
subdom="mail"
maildomain="$subdom.$domain"
certdir="/etc/letsencrypt/live/$maildomain"
# Determine location of ssl certificate from common names.
for x in /etc/letsencrypt/live/$maildomain /etc/letsencrypt/live/mail /etc/letsencrypt/live/$domain; do
[ -d "$x" ] && certdir="$x" && break
done
[ ! -d "$certdir" ] && echo "Note! You must first have a HTTPS/SSL Certificate for $maildomain.
Use Let's Encrypt's Certbot to get that and then rerun this script.
You may need to set up a dummy $maildomain site in nginx or Apache for that to work."
# NOTE ON POSTCONF COMMANDS
@ -271,15 +273,27 @@ for x in dovecot postfix opendkim spamassassin; do
done
pval="$(tr -d "\n" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
echo "Here is your TXT entry:"
echo
echo
echo
printf "Record Name\\tRecord Type\\tText of entry\\n"
# the DKIM record is this one
printf "%s._domainkey\\tTXT\\t\\tv=DKIM1; k=rsa; %s\\n" "$subdom" "$pval"
# the SPF record is this one
printf "%s\\tTXT\\t\\tv=spf1 mx a:%s -all\\n" "@" "$maildomain"
echo
echo
echo "$pval"
dkimentry="$subdom._domainkey.$domain\\tTXT\\tv=DKIM1; k=rsa; $pval"
dmarcentry="_dmarc.$domain\\tTXT\\tv=DMARC1; p=none; rua=mailto:dmarc@$domain; fo=1"
spfentry="@\\tTXT\\ttv=spf1 mx a:$maildomain -all"
useradd -m -G mail dmarc
echo "$dkimentry
$spfentry" > "$HOME/dns_emailwizard"
echo " _ _
| \ | | _____ ___
| \| |/ _ \ \ /\ / (_)
| |\ | (_) \ V V / _
|_| \_|\___/ \_/\_/ (_)
Add these three records to your DNS TXT records on either your registrar's site
or your DNS server:
$dkimentry
$dmarcentry
$spfentry
Also saving these to ~/dns_emailwizard in case you want them in a file.
Once you do that, you're done! Check the README for how to add users/accounts and how to log in."