Dedicated Mail Server Hosting Multiple Domains – Step 4 – Further Configurations
Firewall
CentOS 7 now uses FirewallD, which is not bad, but I don’t think it’s mature enough. To disable it and go back to the classic iptables service, run these steps:
systemctl stop firewalld
systemctl disable firewalld
yum -y install iptables-services
systemctl enable iptables
systemctl restart iptables
If you run dual stack, you could also enable and run ip6tables.
Now edit the iptables configuration file (with iptables-services this is /etc/sysconfig/iptables); mine looks like this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -m comment --comment "ALREADY ESTABLISHED" -j ACCEPT
-A INPUT -p icmp -m comment --comment "ICMP" -j ACCEPT
-A INPUT -i lo -m comment --comment "localhost" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A INPUT -m state --state NEW -m multiport -p tcp --dports 80,443 -m comment --comment "HTTP" -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m multiport --dports 25,465,587 -m comment --comment "SMTP" -j ACCEPT
-A INPUT -m state --state NEW -m multiport -p tcp --dports 110,143,993,995 -m comment --comment "POP3/IMAP" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Further Postfix configuration
To make sure your server enforces some basic rules and rejects the crudest spammers, we need to set up a few extra SMTP parameters. In main.cf we add these lines (the indented lines are Postfix continuation lines):
inet_interfaces = all
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client rbl.abuse.ro,
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client dnsbl-2.uceprotect.net,
    reject_rbl_client b.barracudacentral.org,
    check_client_access cidr:/etc/postfix/ips,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_policy_service unix:postgrey/socket,
    check_policy_service unix:private/policyd-spf
smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org
Now create the files /etc/postfix/ips and /etc/postfix/sender_checks (touch is enough), and run postmap /etc/postfix/sender_checks. These files will help you later on, when administering the mail server, to block known spammers by IP address or by domain name.
For instance, /etc/postfix/ips could contain entries like these (one network per line, first match wins):
205.201.128.0/20 REJECT
89.32.124.0/24 REJECT
31.215.203.0/24 REJECT
88.198.111.205/32 REJECT
91.211.240.0/23 REJECT
86.107.197.0/24 REJECT
70.38.0.0/17 REJECT
176.223.202.15/32 REJECT
199.187.172.0/22 REJECT
89.36.199.0/24 REJECT
188.210.91.0/24 REJECT
And /etc/postfix/sender_checks something like:
serveftp.com 554 Too much spam from your domain
mandrillapp.com 554 Too much spam from your domain
mlsend2.com 554 Too much spam from your domain
doublelife.biz 554 Too much spam from your domain
delosmail.com 554 Too much spam from your domain
Every time you add something to the ips file you need to restart Postfix, and every time you add something to sender_checks you need to run postmap on it again (Postfix reads the generated sender_checks.db, not the text file).
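As an added example (not part of the original post), here is a small Python script that mimics how Postfix consults the two tables above, so you can check offline which client IPs and sender addresses a given entry would reject before reloading the daemon. The table contents in it are constructed samples, not the lists from the post.

```python
import ipaddress

# Constructed sample tables in the format of /etc/postfix/ips (cidr:) and
# /etc/postfix/sender_checks (hash:); they are not the files from the post.
IPS_TABLE = """\
# cidr: entries are tried in file order, so an exception goes before the block
205.201.130.0/24   OK
205.201.128.0/20   REJECT
88.198.111.205/32  REJECT
"""
SENDER_TABLE = """\
mandrillapp.com    554 Too much spam from your domain
doublelife.biz     554 Too much spam from your domain
bounce@            REJECT
"""

def parse_table(text):
    """Yield (key, action) pairs; blank lines and '#' comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            yield key.lower(), action.strip()

def cidr_lookup(table, client_ip):
    """check_client_access cidr: the first matching network wins."""
    addr = ipaddress.ip_address(client_ip)
    for key, action in parse_table(table):
        if addr in ipaddress.ip_network(key, strict=False):
            return action
    return None  # no match: Postfix moves on to the next restriction

def sender_lookup(table, sender):
    """check_sender_access hash: full address, then domain and parent domains
    (parent_domain_matches_subdomains default), then localpart@; '<>' = null sender."""
    entries = dict(parse_table(table))
    sender = sender.lower()
    if not sender:
        return entries.get("<>")
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender] + [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in entries:
            return entries[key]
    return None

if __name__ == "__main__":
    for ip in ("205.201.130.5", "205.201.135.9", "205.201.144.1"):
        print(ip, "->", cidr_lookup(IPS_TABLE, ip))
    for addr in ("news@mail.mandrillapp.com", "bounce@example.org", "a@b.org"):
        print(addr, "->", sender_lookup(SENDER_TABLE, addr))
```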
SPF
For some reason CentOS 7 does not ship an SPF checking daemon that can be integrated with Postfix. To make SPF record checking possible we sadly need to compile a couple of packages by hand.
First install some extra Python packages (yum install python-dns python-pydns python-ipaddr python-iptools), then download and build the sources of two more: pyspf and pypolicyd-spf.
wget https://pypi.python.org/packages/source/p/pyspf/pyspf-2.0.10.tar.gz
tar xzvf pyspf-2.0.10.tar.gz
cd pyspf-2.0.10/
python setup.py build
python setup.py install
cd ..
wget https://pypi.python.org/packages/source/p/pypolicyd-spf/pypolicyd-spf-1.3.1.tar.gz
tar xzvf pypolicyd-spf-1.3.1.tar.gz
cd pypolicyd-spf-1.3.1/
python setup.py build
python setup.py install
Now try running /usr/bin/policyd-spf and make sure it does not stop with an error. You might need to install some extra Python modules here; normally they are all available through yum. To quit, press Ctrl+C (Ctrl+Z only suspends the process in the background).
Now you need to add two extra lines to Postfix’s master.cf:
policyd-spf  unix  -       n       n       -       0       spawn
    user=mails argv=/usr/bin/policyd-spf
While you have master.cf open, also uncomment these lines:
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
These enable the Submission (587) and SMTPS (465) ports on your server. The $mua_* parameters are placeholders from the stock master.cf; if you do not define them in main.cf they expand to empty, and it is the permit_sasl_authenticated,reject recipient restriction that keeps these two ports limited to authenticated users.
SSL
When using SSL/TLS you need a digital certificate. You can either obtain one from a trusted certification authority, following the same procedure you would use to create and sign a certificate for your web server (except that this one is used by the mail server), or use a self-signed certificate.
If you prefer a “self-signed” certificate, the most convenient way to create one is EasyRSA (part of OpenVPN). To get started, download and unpack it:
wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
unzip 2.x.zip
cd easy-rsa-release-2.x/easy-rsa/2.0/
Now edit the file called vars with your information, then source it and create the certificates:
source vars
./clean-all
./build-ca
./build-key-server $YOUR_SERVER_HOSTNAME
cd keys
cat $YOUR_SERVER_HOSTNAME.crt $YOUR_SERVER_HOSTNAME.key ca.crt > $YOUR_SERVER_HOSTNAME.pem
cp $YOUR_SERVER_HOSTNAME.pem /etc/postfix
cp $YOUR_SERVER_HOSTNAME.pem /etc/dovecot
Now configure Postfix to use that certificate. The combined .pem file also contains the private key, so make the copies readable by root only (chmod 600), and replace $YOUR_SERVER_HOSTNAME below with the real hostname, since Postfix would otherwise try to expand it as a main.cf parameter. In /etc/postfix/main.cf just put:
smtpd_tls_CAfile = /etc/postfix/$YOUR_SERVER_HOSTNAME.pem
smtpd_tls_cert_file = /etc/postfix/$YOUR_SERVER_HOSTNAME.pem
smtpd_tls_key_file = /etc/postfix/$YOUR_SERVER_HOSTNAME.pem
smtpd_use_tls = yes
And for Dovecot, in /etc/dovecot/conf.d/10-ssl.conf configure (again substituting the real hostname; the leading < tells Dovecot to read the value from the file):
ssl_cert = </etc/dovecot/$YOUR_SERVER_HOSTNAME.pem
ssl_key = </etc/dovecot/$YOUR_SERVER_HOSTNAME.pem
ssl_ca = </etc/dovecot/$YOUR_SERVER_HOSTNAME.pem
Don’t forget to restart both daemons (systemctl restart postfix and systemctl restart dovecot).
If you want to use Thunderbird with your “self-signed” setup, you need to download the ca.crt file to your machine and import it into Thunderbird. To do that, go to Options, Advanced, Certificates, click on View Certificates, go to Authorities and click on Import, browse to the file, tick at least the first two boxes, then OK, and close the “Certificate Manager” and “Options” windows. Now you can set up your new account. Repeat the same thing for your Firefox browser; it will help when accessing your webmail.
yum --enablerepo=epel info pypolicyd-spf