Postfix
Introduction
Platform information.
- Domain: oowy.fr
- Hostname: mailing.oowy.fr
- Public IP: 52.211.230.251
- Private IP: 172.31.5.254/20
Update the server
root@ip-172-31-5-254:~# apt-get update
root@ip-172-31-5-254:~# apt-get upgrade
Install the base packages
root@ip-172-31-5-254:~# apt-get install curl net-tools bash-completion wget lsof nano
Reading package lists... Done
Building dependency tree
Reading state information... Done
bash-completion is already the newest version (1:2.1-4.3).
nano is already the newest version (2.7.4-1).
net-tools is already the newest version (1.60+git20161116.90da8a0-1).
net-tools set to manually installed.
wget is already the newest version (1.18-5+deb9u2).
curl is already the newest version (7.52.1-5+deb9u7).
Suggested packages:
  perl
The following NEW packages will be installed:
  lsof
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 313 kB of archives.
After this operation, 451 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://cdn-aws.deb.debian.org/debian stretch/main amd64 lsof amd64 4.89+dfsg-0.1 [313 kB]
Fetched 313 kB in 0s (4,401 kB/s)
Selecting previously unselected package lsof.
(Reading database ... 38285 files and directories currently installed.)
Preparing to unpack .../lsof_4.89+dfsg-0.1_amd64.deb ...
Unpacking lsof (4.89+dfsg-0.1) ...
Setting up lsof (4.89+dfsg-0.1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Set the hostname and stop cloud-init from rewriting /etc/hosts on AWS
root@ip-172-31-5-254:~# hostnamectl set-hostname mailing.oowy.fr
root@ip-172-31-5-254:~# nano /etc/cloud/cloud.cfg.d/01_debian_cloud.cfg
...
manage_etc_hosts: false
root@ip-172-31-5-254:~# nano /etc/host.conf
order hosts,bind
multi on
root@ip-172-31-5-254:~# nano /etc/hosts
root@ip-172-31-5-254:~# echo "172.31.5.254 oowy.fr mailing.oowy.fr" >> /etc/hosts
root@ip-172-31-5-254:~# init 6
Note that the first name on a hosts line is the canonical name, which is what hostname -f returns. With oowy.fr listed first, the FQDN resolves to the bare domain and not to mailing.oowy.fr (the check below shows exactly that). If the FQDN must match the mail host, put it first: "172.31.5.254 mailing.oowy.fr mailing oowy.fr". Postfix is not affected here because myhostname is set explicitly in main.cf later on.
Verify the server
root@mailing:~# hostname
mailing.oowy.fr
root@mailing:~# hostname -s
mailing
root@mailing:~# hostname -f
oowy.fr
root@mailing:~# hostname -A
oowy.fr
root@mailing:~# hostname -i
172.31.12.184
root@mailing:~# getent ahosts mailing.oowy.fr
172.31.5.254    STREAM oowy.fr
172.31.5.254    DGRAM
172.31.5.254    RAW
Installing Postfix
Installing the POSTFIX package
root@mailing:~# apt-get install postfix
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  postfix-sqlite ssl-cert
Suggested packages:
  procmail postfix-mysql postfix-pgsql postfix-ldap postfix-pcre postfix-lmdb sasl2-bin dovecot-common resolvconf postfix-cdb mail-reader ufw postfix-doc openssl-blacklist
The following NEW packages will be installed:
  postfix postfix-sqlite ssl-cert
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,776 kB of archives.
After this operation, 4,442 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://cdn-aws.deb.debian.org/debian stretch/main amd64 ssl-cert all 1.0.39 [20.8 kB]
Get:2 http://cdn-aws.deb.debian.org/debian stretch/main amd64 postfix-sqlite amd64 3.1.8-0+deb9u1 [318 kB]
Get:3 http://cdn-aws.deb.debian.org/debian stretch/main amd64 postfix amd64 3.1.8-0+deb9u1 [1,437 kB]
Fetched 1,776 kB in 0s (20.8 MB/s)
Preconfiguring packages ...
Selecting previously unselected package ssl-cert.
(Reading database ... 38311 files and directories currently installed.)
Preparing to unpack .../ssl-cert_1.0.39_all.deb ...
Unpacking ssl-cert (1.0.39) ...
Selecting previously unselected package postfix-sqlite.
Preparing to unpack .../postfix-sqlite_3.1.8-0+deb9u1_amd64.deb ...
Unpacking postfix-sqlite (3.1.8-0+deb9u1) ...
Selecting previously unselected package postfix.
Preparing to unpack .../postfix_3.1.8-0+deb9u1_amd64.deb ...
Unpacking postfix (3.1.8-0+deb9u1) ...
Setting up ssl-cert (1.0.39) ...
Processing triggers for systemd (232-25+deb9u4) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up postfix-sqlite (3.1.8-0+deb9u1) ...
grep: /etc/postfix/dynamicmaps.cf: No such file or directory
Adding sqlite map entry to /etc/postfix/dynamicmaps.cf
Processing triggers for rsyslog (8.24.0-1) ...
Setting up postfix (3.1.8-0+deb9u1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/postfix.service → /lib/systemd/system/postfix.service.
Adding group `postfix' (GID 114) ...
Done.
Adding system user `postfix' (UID 109) ...
Adding new user `postfix' (UID 109) with group `postfix' ...
Not creating home directory `/var/spool/postfix'.
Adding group `postdrop' (GID 115) ...
Done.
setting myhostname: oowy.fr
setting alias maps
setting alias database
changing /etc/mailname to oowy.fr
setting myorigin
setting destinations: $myhostname, oowy.fr, localhost.fr, , localhost
setting relayhost:
setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
setting inet_protocols: all
/etc/aliases does not exist, creating it.
WARNING: /etc/aliases exists, but does not have a root alias.

Postfix (main.cf) is now set up with a default configuration. If you need to
make changes, edit /etc/postfix/main.cf (and others) as needed. To view
Postfix configuration values, see postconf(1).

After modifying main.cf, be sure to run 'service postfix reload'.

Running newaliases
Processing triggers for systemd (232-25+deb9u4) ...
Processing triggers for rsyslog (8.24.0-1) ...
The warning about /etc/aliases is worth acting on: add a "root:" line pointing at a monitored mailbox and run newaliases, otherwise cron output and bounces addressed to root just accumulate locally.
Postfix configuration
root@mailing:~# cp /etc/postfix/main.cf{,.backup}
root@mailing:~# nano /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtp_tls_ciphers=high
smtpd_tls_ciphers=high
smtp_tls_fingerprint_digest=sha1
smtpd_tls_fingerprint_digest=sha1
smtp_tls_loglevel=1
smtpd_tls_loglevel=1
smtp_tls_mandatory_ciphers=high
smtp_tls_security_level=may
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
tls_high_cipherlist = ECDH+aRSA+AES256:ECDH+aRSA+AES128:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mailing.oowy.fr
mydomain = oowy.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#myorigin = /etc/mailname
myorigin = $mydomain
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 172.31.5.254/32
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#inet_protocols = all
inet_protocols = ipv4
home_mailbox = Maildir/

# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject
A few points to check in this file before the server is exposed:
- mynetworks: every client inside it relays without authenticating. The file above lists 172.31.5.254/32, but the postconf -n output further down shows 172.31.5.254/20; the /20 form covers the whole VPC subnet 172.31.0.0/20, so every host in that subnet becomes a trusted relay client. Keep the /32 unless the whole subnet is meant to relay.
- tls_high_cipherlist ends with DES-CBC3-SHA (3DES), which has no place in a "high" list; drop it, and drop AES256-SHA too if no legacy peer needs a CBC suite.
- smtp_tls_fingerprint_digest / smtpd_tls_fingerprint_digest = sha1 only matter at security level "fingerprint", but if they are set at all, sha256 is the value to use.
- The ssl-cert-snakeoil certificate is self-signed; replace it with a CA-issued certificate for mailing.oowy.fr before clients are pointed at the server, otherwise they cannot tell this server from an impostor.
- smtpd_sasl_auth_enable = yes without smtpd_tls_auth_only = yes lets a client send its password over an unencrypted session (the telnet test further down does exactly that on port 25). Set smtpd_tls_auth_only = yes so AUTH is only offered after STARTTLS.
- smtpd_use_tls is the pre-2.3 spelling of smtpd_tls_security_level; with compatibility_level = 2 the security_level setting is the one that counts, and the old parameter can be removed.
Display the configuration
root@mailing:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = oowy.fr
myhostname = mailing.oowy.fr
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 172.31.5.254/20
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_ciphers = high
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist = ECDH+aRSA+AES256:ECDH+aRSA+AES128:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
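A postconf -n dump like the one above is easy to review by hand once, and easy to let drift afterwards. The following script is an added example (not part of this page's procedure and not a Postfix tool): it parses a postconf -n dump and flags the settings a reviewer would raise here, namely a mynetworks prefix with host bits set, a subnet-sized mynetworks entry, 3DES in the "high" cipher list, SHA-1 fingerprint digests, the snakeoil certificate and AUTH enabled without smtpd_tls_auth_only. The sample dump is constructed from the values shown above, abridged to the keys the linter reads; the check list itself is this example's own choice.

```python
"""Lint a `postconf -n` dump for the settings a reviewer would flag before a
Postfix server is exposed. Added example, not part of the page's procedure;
the sample below is built from the page's own postconf -n output (abridged)."""
import ipaddress
import re

# Constructed sample: the page's values, abridged to the keys the linter reads.
SAMPLE_POSTCONF = """\
inet_protocols = ipv4
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 172.31.5.254/20
smtp_tls_fingerprint_digest = sha1
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_sasl_auth_enable = yes
tls_high_cipherlist = ECDH+aRSA+AES256:ECDH+aRSA+AES128:AES256-SHA:DES-CBC3-SHA
"""


def parse_postconf(text):
    """Turn `key = value` lines into a dict; a later key overrides an earlier
    one, as Postfix itself does when a parameter appears twice in main.cf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def split_list(value):
    """Postfix list values may be separated by commas, whitespace or both."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def lint(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # mynetworks: any client inside it relays without authenticating, so a
    # prefix with host bits set (172.31.5.254/20) quietly trusts a whole subnet.
    for entry in split_list(conf.get("mynetworks", "")):
        if "/" not in entry or entry.startswith("["):
            continue  # bare hosts and bracketed IPv6 entries are left alone here
        net = ipaddress.ip_network(entry, strict=False)
        if str(net) != entry:
            findings.append(f"mynetworks: {entry} has host bits set; it covers {net}")
        if net.num_addresses > 256 and not net.is_loopback:
            findings.append(f"mynetworks: {net} lets {net.num_addresses} addresses relay unauthenticated")
    # 3DES does not belong in a list named "high" (64-bit block cipher).
    if "DES-CBC3" in conf.get("tls_high_cipherlist", ""):
        findings.append("tls_high_cipherlist: contains 3DES (DES-CBC3-SHA); remove it")
    # SHA-1 certificate fingerprints are only used at level "fingerprint",
    # but if the digest is set at all it should be sha256.
    for key in ("smtp_tls_fingerprint_digest", "smtpd_tls_fingerprint_digest"):
        if conf.get(key, "").lower() == "sha1":
            findings.append(f"{key} = sha1; use sha256")
    # The Debian snakeoil certificate is self-signed and proves nothing to clients.
    if "snakeoil" in conf.get("smtpd_tls_cert_file", ""):
        findings.append("smtpd_tls_cert_file: self-signed snakeoil certificate; install a CA-issued one")
    # SASL offered on cleartext sessions means base64 passwords on the wire.
    if conf.get("smtpd_sasl_auth_enable") == "yes" and conf.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_sasl_auth_enable = yes without smtpd_tls_auth_only = yes: "
                        "passwords may be sent before STARTTLS")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_postconf(SAMPLE_POSTCONF)):
        print("-", finding)
```

On a live server the dump comes from `postconf -n` itself (`postconf -n | python3 lint_postconf.py` with a `sys.stdin.read()` in place of the sample); the point of keeping the checks in a list is that the same script can run from cron or CI after every configuration change.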
Restart the service and check the listening ports.
# systemctl restart postfix
# systemctl status postfix
# netstat -tlpn
Install the packages needed to run sending tests.
root@mailing01:~# apt-get install mailutils
root@mailing01:~# echo "mail body" | mail -s "test mail" root
root@mailing01:~# mailq
Mail queue is empty
root@mailing01:~# mail
No mail for root
root@mailing01:~# ls Maildir/
cur  new  tmp
root@mailing01:~# ls Maildir/new/
1539957223.Vca01I81816M945801.mailing.oowy.fr
root@mailing01:~# cat Maildir/new/1539957223.Vca01I81816M945801.mailing.oowy.fr
Return-Path: <root@mailing.oowy.fr>
X-Original-To: root@mailing.oowy.fr
Delivered-To: root@mailing.oowy.fr
Received: by mailing.oowy.fr (Postfix, from userid 0) id E418381813; Fri, 19 Oct 2018 13:53:43 +0000 (UTC)
Subject: test mail
To: <root@mailing.oowy.fr>
X-Mailer: mail (GNU Mailutils 3.1.1)
Message-Id: <20181019135343.E418381813@mailing.oowy.fr>
Date: Fri, 19 Oct 2018 13:53:43 +0000 (UTC)
From: root@mailing.oowy.fr (root)

mail body
"mail" reports "No mail for root" because it reads the mbox spool (/var/mail/root), whereas home_mailbox = Maildir/ makes Postfix deliver into ~/Maildir; that is why the message has to be looked up in Maildir/new/ by hand.
Checking the logs
root@mailing:~# tailf /var/log/mail.log
Oct 19 13:46:00 mailing postfix/master[1479]: daemon started -- version 3.1.8, configuration /etc/postfix
Oct 19 13:52:39 mailing postfix/postfix-script[1554]: stopping the Postfix mail system
Oct 19 13:52:39 mailing postfix/master[1479]: terminating on signal 15
Oct 19 13:52:39 mailing postfix/postfix-script[1715]: starting the Postfix mail system
Oct 19 13:52:39 mailing postfix/master[1717]: daemon started -- version 3.1.8, configuration /etc/postfix
Oct 19 13:53:43 mailing postfix/pickup[1718]: E418381813: uid=0 from=<root@mailing.oowy.fr>
Oct 19 13:53:43 mailing postfix/cleanup[2014]: E418381813: message-id=<20181019135343.E418381813@mailing.oowy.fr>
Oct 19 13:53:43 mailing postfix/qmgr[1720]: E418381813: from=<root@mailing.oowy.fr>, size=354, nrcpt=1 (queue active)
Oct 19 13:53:43 mailing postfix/local[2016]: E418381813: to=<root@mailing.oowy.fr>, relay=local, delay=0.02, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Oct 19 13:53:43 mailing postfix/qmgr[1720]: E418381813: removed
Setting up SPF
Install the package
root@mailing:~# apt-get install postfix-policyd-spf-python postfix-pcre
Add an SPF record to the DNS
Note:
@ TXT v=spf1 include:spf.easyname.com a:mailing.oowy.fr ip4:52.211.230.251/32 ~all
Add the SPF policy agent to Postfix, at the end of master.cf
root@mailing:~# nano /etc/postfix/master.cf
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
Open Postfix's main.cf and add at the end
root@mailing:~# nano /etc/postfix/main.cf
policyd-spf_time_limit = 3600
Edit the "smtpd_recipient_restrictions" entry and add "check_policy_service":
root@mailing:~# nano /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    ...
Note:
Example: smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf
The order matters. check_policy_service must come after reject_unauth_destination: a policy server can answer with a permit, so placing it earlier can turn the server into an open relay. It also comes after permit_mynetworks and permit_sasl_authenticated so the server's own clients are not SPF-checked. Note as well that the record above ends in ~all (softfail): mail forging oowy.fr gets a softfail verdict, which the default policyd-spf configuration only marks in a Received-SPF header; it rejects on a hard Fail only, and that requires -all in the record.
Restart Postfix
root@mailing:~# systemctl restart postfix
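To see what the policy agent will actually decide for the record published above, here is an added example (not from the page, and not the policyd-spf code) that evaluates the ip4, a, include and all mechanisms of RFC 7208 against a sending IP. DNS is replaced by a constructed in-memory table: the oowy.fr TXT record and the 52.211.230.251 A record come from the page, while the contents of spf.easyname.com are an assumption made for the example, since the real record is not on the page.

```python
"""Minimal SPF evaluation (RFC 7208 subset: ip4, a, include, all, with the
+ - ~ ? qualifiers). Added example with a constructed DNS table; no network
lookups are made. The oowy.fr record is the page's, the rest is assumed."""
import ipaddress

# Constructed DNS answers. spf.easyname.com's record is an assumption.
DNS = {
    ("oowy.fr", "TXT"): [
        "v=spf1 include:spf.easyname.com a:mailing.oowy.fr ip4:52.211.230.251/32 ~all"
    ],
    ("spf.easyname.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("mailing.oowy.fr", "A"): ["52.211.230.251"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def get_spf_record(domain):
    """Exactly one v=spf1 TXT record is valid; none or several yields None."""
    records = [r for r in lookup(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for the
    sending IP `ip` claiming the MAIL FROM domain `domain`."""
    if depth > 10:                      # crude stand-in for the RFC lookup limit
        return "permerror"
    record = get_spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = (addr.version == 4
                       and addr in ipaddress.ip_network(arg, strict=False))
        elif mech == "a":
            target = arg or domain
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(target, "A"))
        elif mech == "include":
            # include matches only on a "pass" of the included record; a missing
            # or broken included record is a permanent error (RFC 7208 section 5.2).
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"          # mx, ptr, exists, redirect= not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # fell off the end without an "all"


if __name__ == "__main__":
    for sender in ("52.211.230.251", "198.51.100.7", "203.0.113.9"):
        print(sender, "->", check_host(sender, "oowy.fr"))
```

The third case is the one to notice: a host that is in none of the listed sources only gets "softfail" because of ~all, so a receiver running policyd-spf with its default settings accepts the message and merely annotates it. Switching the record to -all turns that verdict into "fail", which the agent rejects.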
Setting up DMARC
For outbound mail it is enough to create one DNS record:
- Domain: oowy.fr
- DNS record location: _dmarc.oowy.fr
- DMARC record: v=DMARC1; p=none; sp=none; fo=; ri=3600; rua=mailto:support@oowy.fr; ruf=mailto:security@oowy.fr
Two things to correct in that record. fo= with an empty value is not valid DMARC tag syntax (RFC 7489 allows only 0, 1, d or s, colon-separated); either remove the tag or set fo=1 if a failure report is wanted for every failed alignment check. And p=none is monitoring only: receivers deliver mail that fails DMARC and just report it, so once DKIM is in place and the aggregate reports sent to rua look clean, move to p=quarantine and then p=reject.
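Before publishing the record it is worth running it through a tag-syntax check. The script below is an added example (not from the page and not a DMARC library) that parses a DMARC record into its tags and reports syntax errors and the policy choices a reviewer would flag; the record under test is the one above, and the set of checks is this example's own.

```python
"""Parse and sanity-check a DMARC TXT record (tag=value pairs separated by
semicolons, RFC 7489 section 6.3). Added example; the record under test is the
page's, the list of checks is this example's own selection."""

KNOWN_TAGS = {"v", "p", "sp", "adkim", "aspf", "fo", "pct", "rf", "ri", "rua", "ruf"}
POLICIES = {"none", "quarantine", "reject"}
FO_OPTIONS = {"0", "1", "d", "s"}

PAGE_RECORD = ("v=DMARC1; p=none; sp=none; fo=; ri=3600; "
               "rua=mailto:support@oowy.fr; ruf=mailto:security@oowy.fr")


def parse_dmarc(record):
    """Split the record into a {tag: value} dict and collect syntax errors."""
    tags, errors = {}, []
    for raw in record.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, sep, value = (s.strip() for s in part.partition("="))
        if not sep:
            errors.append(f"tag without '=': {part!r}")
            continue
        name = name.lower()
        if name not in KNOWN_TAGS:
            errors.append(f"unknown tag {name!r}")
        if value == "":
            # The ABNF gives every tag a mandatory value; "fo=" is malformed.
            errors.append(f"tag {name!r} has an empty value; drop the tag or give it one")
        tags[name] = value
    if not record.strip().lower().startswith("v=dmarc1"):
        errors.append("record must begin with v=DMARC1")
    return tags, errors


def check_dmarc(record):
    """Return (tags, errors, warnings). Errors make the record invalid for a
    receiver; warnings are policy choices worth a second look."""
    tags, errors = parse_dmarc(record)
    if "p" not in tags:
        errors.append("required tag p= is missing")
    for tag in ("p", "sp"):
        if tags.get(tag) and tags[tag] not in POLICIES:
            errors.append(f"{tag}={tags[tag]!r} is not none/quarantine/reject")
    if tags.get("fo") and not set(tags["fo"].split(":")) <= FO_OPTIONS:
        errors.append(f"fo={tags['fo']!r} may only combine 0, 1, d and s")
    for tag in ("ri", "pct"):
        if tag in tags and not tags[tag].isdigit():
            errors.append(f"{tag} must be an integer")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                errors.append(f"{tag}: {uri!r} is not a mailto: URI")
    warnings = []
    if tags.get("p") == "none":
        warnings.append("p=none: mail failing DMARC is delivered and only reported")
    if tags.get("pct", "100").isdigit() and int(tags.get("pct", "100")) < 100:
        warnings.append("pct below 100: the policy applies to a sample of failing mail only")
    return tags, errors, warnings


if __name__ == "__main__":
    for rec in (PAGE_RECORD, PAGE_RECORD.replace("fo=;", "fo=1;")):
        _, errs, warns = check_dmarc(rec)
        print(rec, "\n  errors:", errs, "\n  warnings:", warns)
```

Run against the page's record the only error is the empty fo= tag; replacing it with fo=1 leaves just the p=none warning, which is the expected state while the domain is still in monitoring mode.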
Setting up DKIM
To do ⇒ once the above has been validated with a full battery of tests.
Defining the mailboxes allowed to receive mail
(local recipients)
Testing SMTP server authentication via telnet
To generate the base64-encoded username and password to use during the SMTP session:
[ ~] perl -MMIME::Base64 -e 'print encode_base64("identifiant");'
aWRlbnRpZmlhbnQ=
[ ~] perl -MMIME::Base64 -e 'print encode_base64("mot de passe");'
bW90IGRlIHBhc3Nl
SMTP server test (this attempt does not work):
[ ~] telnet mailing.oowy.fr 25
Trying 52.211.230.251...
Connected to mailing.oowy.fr.
Escape character is '^]'.
220 mailing.oowy.fr
EHLO mailing.oowy.fr                       <<<<<----- to type
250-mailing.oowy.fr
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
AUTH LOGIN                                 <<<<<----- to type
503 5.5.1 Error: authentication not enabled
421 4.4.2 mailing.oowy.fr Error: timeout exceeded
Connection closed by foreign host.
Postfix answers 503 "authentication not enabled" when SASL is not active for the session, and in that case the EHLO reply carries no 250-AUTH line at all; a client should look for that line before sending AUTH rather than discover the 503 afterwards.
SMTP server test (this attempt works):
Trying 52.211.230.251...
Connected to mailing.oowy.fr.
Escape character is '^]'.
220 mailing.oowy.fr
EHLO mailing.oowy.fr                       <<<<<----- to type
250-mailing.oowy.fr
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
AUTH LOGIN                                 <<<<<----- to type
334 VXNlcm5hbWU6
aWRlbnRpZmlhbnQ=                           <<<<<----- to type, this is the username
334 UGFzc3dvcmQ6
bW90IGRlIHBhc3Nl                           <<<<<----- to type, this is the password
235 2.7.0 Authentication successful
Keep in mind that base64 is an encoding, not encryption: in this test the password crosses the network in the clear on port 25, and anyone on the path can decode bW90IGRlIHBhc3Nl back to "mot de passe". For a test over TLS use openssl s_client -starttls smtp -connect mailing.oowy.fr:25 and type the same commands after the handshake, and set smtpd_tls_auth_only = yes in main.cf so that the server only offers AUTH once STARTTLS has been negotiated.
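The two transcripts above show the client's side only. The following is an added example (not from the page) that plays both sides of the AUTH LOGIN exchange in memory: a scripted server that answers the way Postfix does with SASL inactive (503) and active (334 challenges, then 235 or 535), and a client that checks the EHLO reply for AUTH before trying. The server replies are modelled on the transcripts above, the credentials are the page's placeholders, and the client name client.example is an assumption.

```python
"""SMTP AUTH LOGIN shown from both sides against an in-memory scripted server.
Added example, not from the page: server replies mirror the two telnet
transcripts, credentials are the page's placeholders, client.example is assumed."""
import base64


def b64(text):
    return base64.b64encode(text.encode()).decode()


def unb64(text):
    return base64.b64decode(text).decode()


class ScriptedServer:
    """Server side: answers EHLO, AUTH LOGIN and the two base64 lines the way
    Postfix does with and without SASL active (503 vs 334 / 235 / 535)."""

    def __init__(self, sasl_active, user, password):
        self.sasl_active = sasl_active
        self.user, self.password = user, password
        self.state, self.got_user = "command", None

    def respond(self, line):
        if self.state == "username":              # client just sent base64(username)
            self.got_user, self.state = unb64(line), "password"
            return ["334 " + b64("Password:")]    # 334 UGFzc3dvcmQ6
        if self.state == "password":              # client just sent base64(password)
            self.state = "command"
            if (self.got_user, unb64(line)) == (self.user, self.password):
                return ["235 2.7.0 Authentication successful"]
            return ["535 5.7.8 Error: authentication failed"]
        if line.upper().startswith("EHLO "):
            reply = ["250-mailing.oowy.fr", "250-PIPELINING", "250-STARTTLS"]
            if self.sasl_active:
                reply.append("250-AUTH LOGIN PLAIN")  # only advertised when SASL is active
            return reply + ["250 SMTPUTF8"]
        if line.upper() == "AUTH LOGIN":
            if not self.sasl_active:
                return ["503 5.5.1 Error: authentication not enabled"]
            self.state = "username"
            return ["334 " + b64("Username:")]    # 334 VXNlcm5hbWU6
        return ["500 5.5.2 Error: command not recognized"]


def auth_login(server, user, password, transcript):
    """Client side. Returns "ok", "auth-not-offered", or the server's final
    error line. Every line exchanged is appended to `transcript` as C:/S:."""

    def send(line):
        transcript.append("C: " + line)
        replies = server.respond(line)
        transcript.extend("S: " + r for r in replies)
        return replies

    ehlo = send("EHLO client.example")
    if not any(r[4:].upper().startswith("AUTH ") for r in ehlo):
        return "auth-not-offered"       # stop here instead of collecting a 503
    reply = send("AUTH LOGIN")[-1]
    if not reply.startswith("334"):
        return reply
    if unb64(reply[4:]) != "Username:":
        return "unexpected challenge " + reply
    reply = send(b64(user))[-1]         # base64 is reversible: this is the username in clear
    if unb64(reply[4:]) != "Password:":
        return "unexpected challenge " + reply
    reply = send(b64(password))[-1]
    return "ok" if reply.startswith("235") else reply


if __name__ == "__main__":
    for active in (False, True):
        lines = []
        result = auth_login(ScriptedServer(active, "identifiant", "mot de passe"),
                            "identifiant", "mot de passe", lines)
        print("\n".join(lines), "\n=>", result, "\n")
```

The transcript recorded by the client is the same sequence as the telnet session, which makes the point about encoding concrete: unb64 applied to any "C:" line after AUTH LOGIN returns the credential verbatim, so this exchange belongs inside a TLS session (STARTTLS on 25, or the submission port 587 with smtpd_tls_auth_only = yes).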
Installing Roundcube
To install Roundcube, download the latest stable release from the Roundcube site. (Roundcube site)
Extract the contents of the archive into the document root of your web server.
Create a database (MySQL or any other supported engine of your choice) with a user allowed to access that database. In my case, a MySQL database.
Open the installer page, in my case http://webmail.oowy.fr/installer
The installer runs in 3 steps:
- Check environment
- Create config
- Test config
Step 1:
Summary of the prerequisites; anything optional can be ignored unless you really need it, in which case check carefully what is and is not available.
For databases, at least one engine is required for Roundcube to work (personally I recommend MySQL).
At the bottom of the page, click Next to go to the next step:
Step 2:
Creation of the configuration file; fill in the fields needed for your use.
Most of the time only the following fields are needed:
- General configuration → product_name: the name you give your webmail
- Database setup → db_dsnw: the connection parameters for your database (MySQL in my case)
- IMAP Settings → default_host: IMAP server to use (prefix it with tls:// or use imaps:// so the user's password is not sent to the IMAP server in the clear)
- IMAP Settings → username_domain: the user's domain to use when connecting to a multi-domain IMAP server (leave empty in our case)
- SMTP Settings → smtp_server: SMTP server to use
- SMTP Settings → smtp_user/smtp_pass: leave empty, but tick the box just below, "Use the current IMAP username and password for SMTP authentication", so that the credentials of the IMAP user who logged in are reused.
The other parameters can be customised later if needed, either by editing the file /config/config.inc.php or by coming back to this step after the final test step.
At the bottom of the page, click "Create config" to create the configuration file:
To move on to the final step, which tests access to the mail server, click "Continue":
First thing to do: initialise the database by clicking "Initialize database":
Once done, everything turns green:
Step 3:
Test the IMAP connection in the "Test IMAP config" section: fill in the username and password to use on the server and click "Check login":
Test the SMTP connection in the "Test SMTP config" section: fill in the username and password to use on the server, as well as the sender and recipient addresses, then click "send test mail":
In case of failure (which is our case here):
In case of success (still being resolved)
Once the configuration is finished, remove the installer directory (and leave enable_installer at false in config.inc.php): left reachable, /installer shows the database and mail settings to anyone who opens it. The webmail itself carries every user's mail password, so serve it over HTTPS rather than the plain http:// URL used for the installer above.