I'm running a mail server here, at home. So far (May 2015) I'm the only user,
but I welcome nice people who look for a somewhat safe and friendly place to
store their e-mail, which also hopefully promotes decentralization by being a
small home server and not a privacy-abusing corporate giant.

This page describes how I configure(d) the mail server, in the format of a
guide. It helps me remember what to do because I touch the config once every few
months, and I hope it can help others with their configuration or with
launching similar servers.

I probably didn't list here every single change I made, and being written as a
guide, the details here aren't exactly identical to my configuration. So if you
have problems or find inaccuracies or mistakes here, please contact me.

Details, features and plans:

- [[!template id=rmtask done=yes text="Dovecot"]]
- [[!template id=rmtask done=yes text="Exim"]]
- [[!template id=rmtask done=yes text="SSL"]]
- [[!template id=rmtask text="DKIM"]]
- [[!template id=rmtask text="DNS"]]
- [[!template id=rmtask text="Linux users"]]
- [[!template id=rmtask done=yes text="Server side sieve mail filtering"]]
- [[!template id=rmtask prog=yes text="Server side POP and RSS aggregation"]]
- [[!template id=rmtask prog=yes text="Calendar and contacts on the server"]]

Contents:

[[!toc]]
# Basic Mail Server

TODO explain DNS records (MX, etc.)

    # apt-get install exim4-daemon-light exim4-config

Installs the packages as usual.

    # dpkg-reconfigure exim4-config

Shows the config UI. The answers I give, screen by screen:

- internet site
- rel4tion.org
- empty
- In the other domains list, add any domains you wish to serve (in my case it's
  just `rel4tion.org` right now, but I did also use I2P and OpenNIC ones until
  recently).
- If you don't need relaying, leave the relay domains field blank.
- Same for smarthost IP addresses.
- For Dial-on-Demand, you probably want to choose No.
- In the mail format screen, I chose "mbox". It seems like a safe default, and
  as the description says, other tools usually expect mbox. Also, "Maildir" is
  in English, and I want to be able to localize folder names (in my case to
  Hebrew). The only "drawback" with mbox is that each folder can either contain
  folders, or contain messages. Never a mix of both. No big deal.
- I chose not to split the configuration and have a single file. You can read
  about it in Debian's README for the Exim package.

Done, it restarts Exim.
Now TLS support and other settings, in `/etc/exim4/exim4.conf.template`.

- Place `mail.rel4tion.org.crt` and `mail.rel4tion.org.key` under `/etc/exim4`,
  owned by `root:Debian-exim` with permissions 640.
- Create the file `/etc/exim4/exim4.conf.localmacros`:

        MAIN_TLS_ENABLE = true
        MAIN_TLS_CERTIFICATE = /etc/exim4/mail.rel4tion.org.crt
        MAIN_TLS_PRIVATEKEY = /etc/exim4/mail.rel4tion.org.key

In the config example section at the end of the main config file (remember I
chose non-split), uncomment the `plain_server` and `login_server` authenticators.

NOTE: the Debian README coming with the Exim package is amazing. Read it.

Create the file `/etc/exim4/passwd`, owned by `root:Debian-exim` with
permissions 640. It holds the users and passwords that Exim accepts for
authentication, i.e. who is allowed to send mail through this server from a
remote client. See the manpage `exim4_passwd`.

It has lines of the form `username:encrypted_password`. I make the password
hash using mkpasswd (from the whois package). The manpage suggests not to use
MD5; the SHA variants seem like good candidates.

To enable port 587 too, put this in the main Exim config file:

    daemon_smtp_ports = 25 : 587

Now Dovecot.
    # apt-get install dovecot-core dovecot-imapd dovecot-pop3d

Decline the self-signed certificate it offers to generate; I use my own. Then it
just installs.

In `/etc/dovecot/dovecot.conf`, uncomment:

    listen = *, ::

In `/etc/dovecot/conf.d/10-auth.conf`:

    disable_plaintext_auth = yes

    auth_mechanisms = plain login

    #!include auth-system.conf.ext

    !include auth-passwdfile.conf.ext

In `/etc/dovecot/conf.d/auth-passwdfile.conf.ext`:

    passdb {
      driver = passwd-file
      args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
    }

    userdb {
      driver = passwd-file
      args = username_format=%u /etc/dovecot/users
    }

And in `/etc/dovecot/conf.d/10-mail.conf`:

    mail_privileged_group = mail

Now put users in `/etc/dovecot/users`. The passwords can probably be identical
to the ones in Exim (but they need to be generated using `doveadm pw -s
SHA512-CRYPT`), but each entry also needs to specify the uid, gid and home
directory of the user (default values can be specified in the file we just
edited).

The full format is:

    user:password:uid:gid:(gecos):home:(shell):extra_fields

For us what remains is:

    user:password:uid:gid::home
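Since both files are edited by hand and a typo in either silently locks a user out (or, worse, leaves an MD5 hash in place), here is a small checker for the two files as laid out above. It is an added example, not part of this guide; the usernames, uids, paths and hash strings in it are constructed samples.

```python
# Added example, not from the guide: sanity-check /etc/dovecot/users (layout
# user:password:uid:gid::home, as above) against Exim's /etc/exim4/passwd.
import re

# SHA512-CRYPT as written by `doveadm pw -s SHA512-CRYPT` ({SHA512-CRYPT} prefix)
# or by `mkpasswd -m sha-512` (bare $6$ crypt string). MD5 ($1$) does not match.
SHA512_CRYPT = re.compile(
    r"^(\{SHA512-CRYPT\})?\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")

def parse_colon_file(text):
    """Map username -> (line number, fields), skipping blank and comment lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = (lineno, fields)
    return entries

def check_dovecot_users(text):
    """Return the problems found in a Dovecot passwd-file (empty list if none)."""
    problems = []
    for user, (lineno, f) in parse_colon_file(text).items():
        if len(f) != 6:
            problems.append(f"line {lineno}: {user}: expected 6 fields, got {len(f)}")
            continue
        _, pw, uid, gid, _, home = f
        if not SHA512_CRYPT.match(pw):
            problems.append(f"line {lineno}: {user}: password is not SHA512-CRYPT")
        if not (uid.isdigit() and gid.isdigit() and home.startswith("/")):
            problems.append(f"line {lineno}: {user}: bad uid, gid or home")
    return problems

def check_exim_passwd(text, dovecot_text):
    """Every Exim SMTP-auth user needs a strong hash and a Dovecot mailbox entry."""
    problems = []
    dovecot_users = parse_colon_file(dovecot_text)
    for user, (lineno, f) in parse_colon_file(text).items():
        if len(f) < 2 or not SHA512_CRYPT.match(f[1]):
            problems.append(f"line {lineno}: {user}: password is not SHA512-CRYPT")
        if user not in dovecot_users:
            problems.append(f"line {lineno}: {user}: no matching Dovecot user")
    return problems

# Constructed sample files; the hash strings are placeholders, not real hashes.
GOOD_HASH = "$6$saltsalt$" + "x" * 86
DOVECOT_USERS = (f"alice:{{SHA512-CRYPT}}{GOOD_HASH}:5000:5000::/var/mail-dirs/alice\n"
                 f"bob:$1$oldmd5${'y' * 22}:5000:5000::/var/mail-dirs/bob\n")
EXIM_PASSWD = f"alice:{GOOD_HASH}\ncarol:{GOOD_HASH}\n"

if __name__ == "__main__":  # prints the problems found in the samples above
    print(*check_dovecot_users(DOVECOT_USERS), *check_exim_passwd(EXIM_PASSWD, DOVECOT_USERS), sep="\n")
```

To use it on the real files, read them with `open()` and pass the contents to the two functions (as root, since both files are mode 640).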
In `/etc/dovecot/conf.d/10-ssl.conf`, enable SSL and set the paths of the cert
and key.

Make sure ports 143 (IMAP), 110 (POP) and 25 (SMTP) are not blocked (also 587
if you use it).

# Mail Filtering

Many users have a folder hierarchy in their inbox, and they drop messages into
folders according to their topic, sender and so on. When you get a lot of
e-mail or have many folders, this manual filtering work becomes too hard and
you can ask the computer to do it for you, using filtering rules.

There are two places filtering can happen: client side (in your e-mail
application) and server side (in the remote computer which receives your
messages for you).

Many e-mail clients have a filtering feature. You easily define rules using a
GUI. As long as you read your e-mail from one computer, it works well, but what
if you want to check e-mail from some other computer, e.g. a public one? Your
filtering rules aren't there. Messages start coming and filling your main
inbox. You want the automatic filtering to clean the mess, but it will happen
only when you come back home and launch the client there, where the rules are
defined.

Letting the server filter the messages means you get the same experience,
independently of the client! Even as you sleep, your mail server receives
messages sent to you and puts them in the right folders. In the morning, you
can open your e-mail client and everything is exactly the way you like it. And
it works even when you read mail from your Replicant phone or a friend's
computer.
Install LMTP support for Dovecot:

    # apt-get install dovecot-lmtpd

Update the Exim router to use LMTP instead of local delivery:

    local_user:
      debug_print = "R: local_user for $local_part@$domain"
      driver = accept
      domains = +local_domains
      check_local_user
      local_parts = ! root
      #transport = LOCAL_DELIVERY
      transport = dovecot_lmtp
      cannot_route_message = Unknown user

Add an Exim transport for LMTP:

    dovecot_lmtp:
      driver = lmtp
      socket = /var/run/dovecot/lmtp
      # maximum number of deliveries per batch, default 1
      batch_max = 200

Add an `acl_smtp_rcpt` rule that denies recipients not listed in Dovecot:

    # Deny recipients that don't exist in Dovecot
    deny
      message = invalid recipient
      domains = +local_domains
      !verify = recipient/callout=no_cache

Update Dovecot's `auth-passwdfile.conf.ext` to accept `user@domain`
usernames. Since that is what Exim passes over LMTP, it seems to be required for
LMTP to work. Just change `%u` to `%n`:

    passdb {
      driver = passwd-file
      args = scheme=SHA512-CRYPT username_format=%n /etc/dovecot/users
    }

    userdb {
      driver = passwd-file
      args = username_format=%n /etc/dovecot/users
    }

Update Dovecot's `10-mail` config file to use just the local part in inbox file
paths (`%n` instead of `%u`):

    mail_location = mbox:/var/mail-dirs/%n:INBOX=/var/mail/%n

Now restart Dovecot and Exim, and try sending an e-mail from the server and to
the server. Does it work in both directions? Great. If not, feel free to ask me!
The IRC channels of Exim and Dovecot seem not to be very responsive or helpful,
or maybe it's just my badly phrased questions, but anyway, ping me on IRC.

The logs of Exim (`/var/log/exim4/mainlog`) and Dovecot (`/var/log/mail.log`)
will help you troubleshoot problems.
Server side filtering uses the Sieve language (for defining filtering rules)
and the MANAGESIEVE protocol (for editing filtering rules remotely). Install
the required packages:

    # apt-get install dovecot-sieve dovecot-managesieved

Enable the sieve plugin for LMTP (`20-lmtp`):

    protocol lmtp {
      mail_plugins = $mail_plugins sieve
    }

Prepare a directory for the sieve scripts:

    # mkdir -m 770 /var/mail-sieve
    # chown mail: /var/mail-sieve

Configure sieve in `90-sieve` (unmodified parts omitted for clarity):

    plugin {
      # The path to the user's main active script. If ManageSieve is used, this the
      # location of the symbolic link controlled by ManageSieve.
      #sieve = ~/.dovecot.sieve
      sieve = /var/mail-sieve/%n/active.sieve

      # Directory for :personal include scripts for the include extension. This
      # is also where the ManageSieve service stores the user's scripts.
      #sieve_dir = ~/sieve
      sieve_dir = /var/mail-sieve/%n/scripts
    }

The Dovecot wiki says that `sieve_dir` is deprecated, and it can be specified
inside the `sieve` variable. But Trisquel's default config (inherited from
Debian, I imagine) uses `sieve_dir`, so it does work.

Enable the managesieve service in `20-managesieve`:

    service managesieve-login {
      #inet_listener sieve {
      #  port = 4190
      #}

      #inet_listener sieve_deprecated {
      #  port = 2000
      #}

      # Number of connections to handle before starting a new process. Typically
      # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
      # is faster. <doc/wiki/LoginProcess.txt>
      #service_count = 1

      # Number of processes to always keep waiting for more connections.
      #process_min_avail = 0

      # If you set service_count=0, you probably need to grow this.
      #vsz_limit = 64M
    }

    service managesieve {
      # Max. number of ManageSieve processes (connections)
      #process_limit = 1024
    }

Time to test. I expect a permission problem with creating the per-user files
and folders under `/var/mail-sieve`. It may require creating them manually, or
fixing permissions. Use the logs to find the causes of errors.

How to test? So far I mostly see GUI and web clients which support managesieve,
and none of them is what I use. If you use such a client, go ahead and try. For
the command line, you can try:

    # apt-get install sieve-connect

Usage example:

    $ sieve-connect --server mail.rel4tion.org --debug --4 --port 4190

You can also use telnet. The Dovecot wiki explains the commands; it's quite
simple to test.

A minimal sieve script to test with is one which keeps every message in the
inbox, i.e. the same as having no filtering at all. It's a single line:

    keep;
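Once `keep;` goes through, a script that actually files something is the next step. The following is an added example (not from this guide); the list address and folder name are placeholders, and the `:create` tag from the `mailbox` extension is used so the target folder does not have to exist beforehand:

```sieve
# Added example: one real filtering rule. The address and folder name are
# placeholders; with mbox the folder becomes a file under /var/mail-dirs/<user>/.
require ["fileinto", "mailbox"];

# Mailing-list traffic goes into its own folder, created on first use.
if address :is "to" "list@example.org" {
    fileinto :create "lists";
}

# Everything else falls through to the implicit keep and stays in the INBOX.
```

Upload it with your managesieve client and make it the active script, then send a test message to the list address and check the new folder in your IMAP client.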
# POP Aggregation

If you, as a user, have several e-mail accounts, you can collect all the
messages from all of them into your local mail server. It can be done by
downloading e-mail from these accounts using the POP protocol, and deleting it
from the remote servers.

TODO explain better how it works?

This server uses *mpop* for this purpose. I prepared a simple setup which uses
*mpop* and *msmtp*, to make things easier. See [[!rel4git doar]]. Check out the
README there. Basically it allows system users to define a list of mail
accounts, and a cron job runs through these lists and collects messages into
users' mailboxes.

# RSS Aggregation

This server uses *rss2email*, which allows system users to define a list of RSS
feeds. Then you can use a cron job to collect the users' feeds and send them as
e-mail messages. *rss2email* is easy to use and there's good documentation.

TODO explain it anyway?

# Calendar and Contacts

Two groupware features commonly used with e-mail are calendars (with events and
reminders etc.) and contact lists. With these available on the server, you can
access the calendar and contacts remotely, share calendar items and so on.

The technologies this server uses for this are [[!wikipedia CalDAV]] and
[[!wikipedia CardDAV]], for calendars and contacts respectively.

The server software used is *DAViCal*. There's also a very simple and
lightweight server named [[calypso|http://keithp.com/Calypso]], but it's made
for a single user, while what we need here is community server support (i.e.
it should be able to host several users).

DAViCal uses PHP and PostgreSQL. This server already has PostgreSQL for the
MediaGoblin instance, and uses the Lighttpd web server. So the following
installations are needed:

    # apt-get install davical

TODO continue