Iredmail

From aldeid

Description

iRedMail is an installer that automates the installation of a complete mail solution (postfix, dovecot, clamav, amavis, spamassassin, roundcube, sogo, ...). For a more accurate list of components, refer to this page.

Additions

Prosody

The commands below assume the Prosody APT repository is already listed in your sources; importing the key only makes apt trust it. Note that apt-key is deprecated on current Debian/Ubuntu releases in favour of per-repository keyrings.

$ wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install prosody

apticron

Apticron will tell you whenever updates are available. To install it:

$ sudo aptitude install apticron

Then modify the email that should be notified:

$ grep EMAIL /etc/apticron/apticron.conf
EMAIL="[email protected]"

Security

iptables rules

Rules are located in /etc/default/iptables. You can restrict access to a service to given source IPs/subnets with the -s parameter; always pair it with --dport, otherwise the rule accepts every TCP port from that source:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
-A INPUT -i lo -j ACCEPT

# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# ssh (sshd's default port 22; adjust if it listens elsewhere)
-A INPUT -p tcp --dport 22 -s 123.45.67.89 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 1.2.3.0/24 -j ACCEPT

# http, https
-A INPUT -p tcp --dport 80 -s 123.45.67.89 -j ACCEPT
-A INPUT -p tcp --dport 80 -s 1.2.3.0/24 -j ACCEPT
-A INPUT -p tcp --dport 443 -s 123.45.67.89 -j ACCEPT
-A INPUT -p tcp --dport 443 -s 1.2.3.0/24 -j ACCEPT

...

To apply changes, restart iptables and fail2ban services:

$ sudo systemctl restart iptables
$ sudo systemctl restart fail2ban

Restrict access to web resources

To restrict access to web resources to only some IPs/subnets in Nginx, do as follows. Including the file in the http block applies the rules to every server and location; Nginx checks allow/deny directives in order and the first match wins, so keep "deny all" last:

$ cat /etc/nginx/nginx.conf
...
http {
    include acl-ip.conf;
    ...
}
$ cat /etc/nginx/acl-ip.conf
allow 1.2.3.4/32;
allow 2.4.6.0/24;
deny all;
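Nginx evaluates allow/deny directives in order and stops at the first match, so anything placed after "deny all" is dead configuration. The following added Python example (not part of this page or of nginx) models that evaluation for an acl-ip.conf file and flags rules that can never match; the ACL text, including the deliberately unreachable last rule, is constructed for the example:

```python
import ipaddress

# Constructed acl-ip.conf content: the two allow rules and "deny all" from the
# snippet above, plus one rule after "deny all" that can never be reached.
ACL_TEXT = """\
allow 1.2.3.4/32;
allow 2.4.6.0/24;
deny all;
allow 10.0.0.0/8;   # unreachable: "deny all" already matched every client
"""


def parse_acl(text):
    """Turn allow/deny directives into (action, network) tuples, where the
    network is None for the keyword "all"."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError("directive without ';': %r" % raw)
        action, _, target = line[:-1].strip().partition(" ")
        target = target.strip()
        if action not in ("allow", "deny") or not target:
            raise ValueError("unsupported directive: %r" % raw)
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(rules, client_ip):
    """nginx semantics: rules are tested in order and the first match decides;
    a client that matches no rule is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:          # "ip in net" is False across IP versions
            return action == "allow"
    return True


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule already
    covers every address they would match (the lint a reviewer wants)."""
    shadowed = []
    for i, (_, net) in enumerate(rules):
        for _, earlier in rules[:i]:
            covered = earlier is None or (
                net is not None
                and net.version == earlier.version
                and net.subnet_of(earlier)
            )
            if covered:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for ip in ("1.2.3.4", "2.4.6.200", "10.1.1.1", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(rules, ip) else "denied")
    print("unreachable rules:", shadowed_rules(rules))
```

Run it against your real acl-ip.conf before reloading Nginx: an allow rule reported as unreachable is the usual sign that "deny all" was left in the middle of the file.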

fail2ban

Add support for prosody

To have fail2ban watch Prosody, install the community module mod_log_auth, which logs every failed authentication together with the client IP:

$ cd /usr/lib/prosody/modules/
$ sudo wget https://hg.prosody.im/prosody-modules/raw-file/tip/mod_log_auth/mod_log_auth.lua

Then add the module to your configuration file:

$ cat /etc/prosody/prosody.cfg.lua
modules_enabled = {
    [...SNIP...]
    "log_auth";
    [...SNIP...]
};

Now, create a filter in fail2ban:

$ cat /etc/fail2ban/filter.d/prosody-auth.conf
# Fail2Ban configuration file for prosody authentication
[Definition]
failregex = Failed authentication attempt \(not-authorized\) for user .* from IP: <HOST>
ignoreregex =

Warning
The filter given on https://modules.prosody.im/mod_log_auth.html does not match the lines the module writes because it lacks the "for user .*" part.

Now, add this filter to your jail conf:

$ cat /etc/fail2ban/jail.local

[...SNIP...]

[prosody]
enabled = true
port    = 5222
filter  = prosody-auth
logpath = /var/log/prosody/prosody*.log
maxretry = 6

And restart both prosody and fail2ban:

$ sudo systemctl restart prosody
$ sudo systemctl restart fail2ban
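To check that the failregex really catches Prosody's failed-login lines before relying on the jail, here is an added Python example (not from this page, nor from the fail2ban or Prosody projects) that expands <HOST> the way fail2ban 0.9 does, runs the filter over constructed sample log lines in mod_log_auth's message format, and counts hits per source against the jail's maxretry of 6. The sample lines, the 0.9 <HOST> expansion and the shorter regex variant are assumptions made for the example:

```python
import re
from collections import Counter

# Expansion of the <HOST> placeholder: this is the pattern fail2ban 0.9.x
# substitutes. Newer releases use a richer expansion; for the IPv4 sample
# lines below the result is the same (assumption).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex from the prosody-auth filter above.
FILTER_FAILREGEX = (r"Failed authentication attempt \(not-authorized\) "
                    r"for user .* from IP: <HOST>")

# The shorter form lacking "for user .*" that the warning above refers to.
SHORT_FAILREGEX = r"Failed authentication attempt \(not-authorized\) from IP: <HOST>"

# Constructed log lines in mod_log_auth's message format; not a real capture.
_BASE = "Jan 10 12:00:{:02d} c2s1a2b3c4 info "
SAMPLE_LOG = "\n".join(
    [_BASE.format(0) + "Client connected"]
    + [_BASE.format(i + 1) + "Failed authentication attempt (not-authorized) "
       "for user user{} from IP: 203.0.113.7".format(i) for i in range(6)]
    + [_BASE.format(7) + "Failed authentication attempt (not-authorized) "
       "for user admin from IP: 198.51.100.9",
       _BASE.format(8) + "Authenticated as carol@domain.tld"]
)


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(failregex, log_text):
    """Return the host captured from every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, log_text.splitlines()) if m]


def hosts_to_ban(failregex, log_text, maxretry=6):
    """Hosts whose failure count reaches maxretry. findtime is ignored here
    because all sample lines fall inside one window."""
    counts = Counter(matched_hosts(failregex, log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("filter regex :", hosts_to_ban(FILTER_FAILREGEX, SAMPLE_LOG))
    print("short regex  :", hosts_to_ban(SHORT_FAILREGEX, SAMPLE_LOG))
```

The short regex matches nothing, which is exactly the silent failure the warning above describes: the jail stays enabled but never bans anyone. On the server itself the equivalent check is fail2ban-regex /var/log/prosody/prosody.log /etc/fail2ban/filter.d/prosody-auth.conf, which reports how many lines matched.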

Unban an IP

To see whether an IP has been banned by fail2ban, look for it in the fail2ban chains of the firewall:

$ sudo iptables -L -n

To get the name of the jails:

$ sudo fail2ban-client status
Status
|- Number of jail:	7
`- Jail list:		roundcube-iredmail, sshd, postfix-iredmail, dovecot-iredmail, sogo-iredmail, sshd-ddos, prosody

(fail2ban-client status followed by a jail name also lists the IPs that jail currently bans.)

Unban an IP from a given jail, where <jail_name> is one of the names listed above:

$ sudo fail2ban-client set <jail_name> unbanip <ip_to_unban>

Whitelist an IP

Warning
In order to work in iRedMail, the IP has to be in jail.local and not jail.conf.

To add an IP to the whitelist (an allowed IP that will never be banned), add it to the ignoreip line of jail.local, then restart fail2ban as above:

$ grep ignoreip /etc/fail2ban/jail.local
ignoreip = 127.0.0.1/8 123.45.67.89

Letsencrypt

Installation & certificate generation

$ cd /data/src/
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt/

Let's Encrypt needs to reach port 80/tcp on the host for the HTTP challenge. Either let your own web server answer it, or use the --standalone parameter to start a temporary web server; in that case you first need to free port 80/tcp. (The letsencrypt-auto client has since been renamed certbot; the options are the same.)

$ sudo systemctl stop nginx
$ sudo letsencrypt-auto certonly --standalone -d domain.tld -d mx.domain.tld -d www.domain.tld

Once done, don't forget to backup /etc/letsencrypt/

Renewal

You can use the following script, run from cron, to automate the renewal of your certificates (Let's Encrypt certificates are valid for 90 days). With --standalone the script must free port 80/tcp, which is why it stops the web server. It also reloads the other services that use the certificate; without that step Dovecot and Prosody keep serving the old certificate until they are restarted:

#!/bin/sh
# Standalone renewal needs port 80/tcp: stop the web server for the run.
service nginx stop  # or whatever your webserver is
/path/to/letsencrypt-auto renew -nvv --standalone > /var/log/letsencrypt/renew.log 2>&1
LE_STATUS=$?
service nginx start # or whatever your webserver is
if [ "$LE_STATUS" != 0 ]; then
    echo Automated renewal failed:
    cat /var/log/letsencrypt/renew.log
    exit 1
fi
# The other consumers of the certificate only re-read it when told to.
# Harmless when nothing was due for renewal.
service postfix reload
service dovecot reload
service prosody restart

Use certificate

Nginx

# cat /etc/nginx/conf.d/default.conf 
...
server {
    listen 443 ssl;   # "ssl on;" is deprecated in favour of the ssl flag on listen
    server_name _;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3
    # (drop TLSv1.3 on nginx older than 1.13, which rejects the keyword)
    ssl_protocols TLSv1.2 TLSv1.3;
    ...
}

Postfix

Use smtpd_tls_security_level rather than the obsolete smtpd_use_tls, and point smtpd_tls_cert_file at fullchain.pem so the intermediate certificate is sent together with the server certificate. smtpd_tls_CAfile is meant for verifying client certificates and is not needed once fullchain.pem is used:

# postconf -e smtpd_tls_security_level='may' 
# postconf -e smtpd_tls_cert_file='/etc/letsencrypt/live/domain.tld/fullchain.pem' 
# postconf -e smtpd_tls_key_file='/etc/letsencrypt/live/domain.tld/privkey.pem' 

Dovecot

# cat /etc/dovecot/dovecot.conf
...
ssl = required
ssl_cert = </etc/letsencrypt/live/domain.tld/fullchain.pem
ssl_key = </etc/letsencrypt/live/domain.tld/privkey.pem
...

prosody

Prosody runs as the prosody user and cannot read root-owned key material, so grant read access through the ssl-cert group. Each renewal writes new files under /etc/letsencrypt/archive/, so re-apply the chgrp/chmod after every renewal (for example at the end of the renewal script), otherwise Prosody loses access to the renewed key:

$ sudo chgrp -R ssl-cert /etc/letsencrypt
$ sudo chmod -R g=rX /etc/letsencrypt
$ sudo adduser prosody ssl-cert
$ cat /etc/prosody/conf.d/domain.tld.cfg.lua 
VirtualHost "domain.tld"
        ssl = {
                key = "/etc/letsencrypt/live/domain.tld/privkey.pem";
                certificate = "/etc/letsencrypt/live/domain.tld/fullchain.pem";
        }

SPF

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

DKIM

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

DMARC

The support for OpenDMARC is not included in iRedMail. If you want to add it, proceed as follows:

$ sudo aptitude install opendmarc

Modify /etc/opendmarc.conf as follows. RejectFailures false keeps OpenDMARC in monitoring mode: it records the verdict in an Authentication-Results header but never rejects mail; switch it to true only once you trust the results:

$ grep ^[^#] /etc/opendmarc.conf 
ForensicReports true
PidFile /var/run/opendmarc.pid
RejectFailures false
Syslog true
UMask 0002
UserID opendmarc:opendmarc

Then uncomment the following line in /etc/default/opendmarc so the milter listens on a local TCP socket:

$ cat /etc/default/opendmarc
...
SOCKET="inet:12345@localhost" # listen on loopback on port 12345
...

Add the following lines at the end of /etc/postfix/main.cf. If main.cf already defines smtpd_milters, append inet:127.0.0.1:12345 to that existing list instead of adding a second definition, because Postfix only honours the last one. milter_default_action = accept means mail keeps flowing if opendmarc is down:

$ cat /etc/postfix/main.cf
...
#opendmarc
smtpd_milters = inet:127.0.0.1:12345
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Restart both opendmarc and postfix:

$ sudo systemctl restart opendmarc
$ sudo systemctl restart postfix
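What OpenDMARC decides for a message depends on the _dmarc record of the From domain, on whether the SPF or DKIM result is aligned with that domain, and on the RejectFailures switch set to false above. The added Python example below (my own illustration, not OpenDMARC's code) evaluates DMARC alignment for a few constructed authentication results and shows that with RejectFailures false a failing message is still accepted. Its organizational-domain logic is simplified to the last two labels (OpenDMARC uses the Public Suffix List) and pct= sampling is ignored; the record and results are made up for the example:

```python
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    """Authentication results for one message, as a milter would have them."""
    from_domain: str                 # domain of the RFC5322.From header
    spf_result: str                  # "pass", "fail", "softfail", "none", ...
    spf_domain: str                  # domain the SPF check was run against
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid signatures


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. OpenDMARC
    uses the Public Suffix List instead, so e.g. example.co.uk differs here."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    only needs the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc_record(txt):
    """Parse a _dmarc TXT record into tag/value pairs with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def dmarc_result(record, auth):
    """Return "pass" if at least one aligned authentication passed, else "fail"."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, auth.from_domain, tags["adkim"]) for d in auth.dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def milter_action(record, auth, reject_failures=False):
    """Model of the enforcement switch: with RejectFailures false (the setting
    above) OpenDMARC only records the verdict in an Authentication-Results
    header; with it true, p=reject rejects and p=quarantine quarantines
    failing mail. pct= sampling is ignored in this model."""
    result = dmarc_result(record, auth)
    policy = parse_dmarc_record(record)["p"]
    if result == "fail" and reject_failures:
        if policy == "reject":
            return "reject"
        if policy == "quarantine":
            return "quarantine"
    return "accept"


# Constructed inputs for a domain publishing p=reject with strict DKIM alignment.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@domain.tld"
# Bounce subdomain passes SPF: relaxed alignment with domain.tld -> pass.
LEGIT = AuthResults("domain.tld", "pass", "bounce.domain.tld")
# Third-party sender with SPF for its own domain and a signature from a
# subdomain: SPF is unaligned and strict DKIM alignment fails -> fail.
THIRD_PARTY = AuthResults("domain.tld", "pass", "mailer.example.net", ["mail.domain.tld"])

if __name__ == "__main__":
    for name, auth in (("legit", LEGIT), ("third-party", THIRD_PARTY)):
        print(name, dmarc_result(RECORD, auth),
              "RejectFailures=false:", milter_action(RECORD, auth),
              "RejectFailures=true:", milter_action(RECORD, auth, reject_failures=True))
```

The third-party message fails only because of adkim=s; the same record with relaxed alignment passes it, which is why a DMARC record's alignment tags deserve as much attention as its p= value before RejectFailures is switched on.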

iredadmin & iredapd

Add an email account

To add a mail account, connect to iredadmin (https://domain.tld/iredadmin/) and go to Add > User. Then fill in the form.

Aliases

An alias is a row of the alias table in the vmail database. To redirect an existing alias to another mailbox, connect to your MySQL/MariaDB database and execute the following statement (UPDATE only changes a row that already exists; it does not create the alias):

$ mysql -u root -p
mysql> use vmail
mysql> UPDATE alias SET goto='[email protected]' WHERE address='[email protected]';

Grey listing

Greylisting is enabled by default.

Disable greylisting

To disable greylisting completely, remove the plugin name 'greylisting' from the plugins list in the iRedAPD config file (/opt/iredapd/settings.py):

plugins = [..., 'greylisting', ...]

Restarting iRedAPD service is required:

$ sudo systemctl restart iredapd.service

List

To list existing rules, run the following command:

mx:/opt/iredapd/tools# python greylisting_admin.py --list
Sender                             -> Local Account                  Status  
------------------------------------------------------------------------------
@whitelisteddomain.tld             -> @. (anyone)                    disabled
@. (anyone)                        -> @. (anyone)                    enabled 

Whitelisting

You can whitelist a domain or a specific email. The below example shows how to whitelist all emails from whitelisteddomain.tld:

mx:/opt/iredapd/tools# python greylisting_admin.py --disable --from '@whitelisteddomain.tld'
* Disable greylisting: @whitelisteddomain.tld -> @.

Upgrade

CardDAV / CalDAV

You can use both CardDAV and CalDAV with the SOGo connector. Download it here: http://sogo.nu/download.html#/frontends

Note
This plugin is only required for Thunderbird; Evolution natively supports CardDAV/CalDAV.

Then configure with following URLs:

calendar
https://<server>/SOGo/dav/<fullemail>/Calendar/personal/
addressbook
https://<server>/SOGo/dav/<fullemail>/Contacts/personal/

Testing & Troubleshooting

Testing

You can send a mail to the following services to get a report on how your outbound mail is seen:

AllAboutSpam
  Email: test [at] allaboutspam [dot] com
  Checks:
  • HELO Greeting
  • Reverse DNS
  • DNSBL (RBL)
  • SPF
  • Domain Keys
  • SPAMAssassin Content Checks
  • BATV (Bounce Address Tag Validation)
  • Greylisting
  • URIBL

mail-tester
  Email: dynamically generated

Port25
  Email:
  • check-auth [at] verifier [dot] port25 [dot] com
  • check-auth2 [at] verifier [dot] port25 [dot] com

IsNotSpam
  Email: dynamically generated
  Checks:
  • SPF Check
  • Sender-ID Check
  • DomainKeys Check
  • DKIM Check
  • SpamAssassin Check

UnlockTheInbox
  Email: mailtest [at] unlocktheinbox [dot] com

Troubleshooting

Mail queue

To check mails in the mailqueue, enter:

$ mailq

Remove a mail from the queue (postsuper and postcat need root):

# postsuper -d <ID>

Remove all mails from the queue:

# postsuper -d ALL

Read a mail in the queue:

# postcat -q <ID>

Fix root mail

Forward root's mail to a real mailbox in /etc/postfix/aliases, then rebuild the lookup table. This works because iRedMail's Postfix configuration points alias_maps at this file (confirm with postconf alias_maps if unsure):

$ cat /etc/postfix/aliases
...
root: [email protected]
...
# postalias /etc/postfix/aliases



Keywords: iredmail postfix spf dkim dmarc email