I'm running a mail server here, at home. So far (May 2015) I'm the only user,
but I welcome nice people who look for a somewhat safe and friendly place to
store their e-mail, which also hopefully promotes decentralization by being a
small home server and not a privacy-abusing corporate giant.

This page describes how I configure(d) the mail server, in the format of a
guide. It helps me remember what to do, because I touch the config once every
few months, and I hope it can help others with their configuration or with
launching similar servers.

I probably didn't list here every single change I made, and being written as a
guide, the details here aren't exactly identical to my configuration. So if you
have problems or find inaccuracies or mistakes here, please contact me.
Details, features and plans:

- [[!template id=rmtask done=yes text="Dovecot"]]
- [[!template id=rmtask done=yes text="Exim"]]
- [[!template id=rmtask done=yes text="SSL"]]
- [[!template id=rmtask text="DKIM"]]
- [[!template id=rmtask text="DNS"]]
- [[!template id=rmtask text="Linux users"]]
- [[!template id=rmtask done=yes text="Server side sieve mail filtering"]]
- [[!template id=rmtask prog=yes text="Server side POP and RSS aggregation"]]
- [[!template id=rmtask prog=yes text="Calendar and contacts on the server"]]

Contents:

[[!toc]]
# Basic Mail Server

TODO explain DNS records (MX, etc.)

    # apt-get install exim4-daemon-light exim4-config

Installs the usual packages.

    # dpkg-reconfigure exim4-config

Shows the config UI. Answer the prompts as follows:

- internet site
- rel4tion.org
- empty
- In the other domains list, add any domains you wish to serve (in my case it's
  just `rel4tion.org` right now, but I did also use I2P and OpenNIC ones until
  recently).
- If you don't need relaying, leave the relay domain field blank.
- Same for smarthost IP addresses.
- For Dial-on-Demand, you probably want to choose No.
- In the mail format screen, I chose "mbox". It seems like a safe default, and
  as the description says, other tools usually expect mbox. Also, "Maildir" is
  in English, and I want to be able to localize folder names (in my case to
  Hebrew). The only "drawback" with mbox is that each folder can either contain
  folders or contain messages, never a mix of both. No big deal.
- I chose not to split the configuration and have a single file. You can read
  about it in Debian's README for the Exim package.

Done, it restarts Exim.
Now the SSL support and other stuff, in `/etc/exim4/exim4.conf.template`.

- Place `mail.rel4tion.org.crt` and `mail.rel4tion.org.key` under `/etc/exim4`,
  owned by `root:Debian-exim` with permissions 640.
- Create the file `/etc/exim4/exim4.conf.localmacros`:

        MAIN_TLS_ENABLE = true
        MAIN_TLS_CERTIFICATE = /etc/exim4/mail.rel4tion.org.crt
        MAIN_TLS_PRIVATEKEY = /etc/exim4/mail.rel4tion.org.key

In the config example section at the end of the main config file (remember I
chose non-split), uncomment the `plain_server` and `login_server` authenticators.

NOTE: the Debian README coming with the Exim package is amazing. Read it.

Create the file `/etc/exim4/passwd`, owned by `root:Debian-exim` with
permissions 640. It lists the users and passwords that Exim accepts for
authentication, i.e. the users allowed to send mail through the server remotely.
See the manpage `exim4_passwd`.

It has lines of the form `username:encrypted_password`. I make the password
using `mkpasswd` (from the `whois` package). The manpage suggests not to use
MD5; the SHA variants seem like good candidates.

To enable port 587 too, put this in the main Exim config file:

    daemon_smtp_ports = 25 : 587
Now Dovecot.

    # apt-get install dovecot-core dovecot-imapd dovecot-pop3d

Refuse the self-signed cert, since I use my own. Then it just installs.

In `/etc/dovecot/dovecot.conf`, uncomment:

    listen = *, ::

In `/etc/dovecot/conf.d/10-auth.conf`:

    disable_plaintext_auth = yes
    auth_mechanisms = plain login
    #!include auth-system.conf.ext
    !include auth-passwdfile.conf.ext

In `/etc/dovecot/conf.d/auth-passwdfile.conf.ext`:

    passdb {
      driver = passwd-file
      args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
    }
    userdb {
      driver = passwd-file
      args = username_format=%u /etc/dovecot/users
    }

    mail_privileged_group = mail
Now put users in `/etc/dovecot/users`. The passwords can probably be identical
to the ones in Exim (but they need to be generated using
`doveadm pw -s SHA512-CRYPT`), and the file also needs to specify uid, gid and
homedir for each user (default values can be specified in the file we just
edited).

The full format is:

    user:password:uid:gid:(gecos):home:(shell):extra_fields

For us what remains is:

    user:password:uid:gid::home
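As an added example (not part of the original page), a small POSIX shell linter for the `/etc/dovecot/users` layout just described, which also applies the hash-scheme point made for the Exim passwd file: it assumes the six-field `user:password:uid:gid::home` layout and that, because the passdb uses `scheme=SHA512-CRYPT`, every password field must be a `$6$` crypt hash.

```shell
# Lint a Dovecot passwd-file in the user:password:uid:gid::home layout used
# above. With scheme=SHA512-CRYPT the password field must be a SHA-512 crypt
# hash ($6$...); MD5 ($1$) and other schemes are flagged, as are missing
# fields, non-numeric uid/gid and relative home paths. Returns 0 when clean.
lint_dovecot_users() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        NF < 6 {
            printf "line %d: expected at least 6 fields, got %d\n", NR, NF; bad = 1; next
        }
        $1 !~ /^[a-z_][a-z0-9_-]*$/ {
            printf "line %d: bad username \"%s\"\n", NR, $1; bad = 1
        }
        substr($2, 1, 3) != "$6$" {
            printf "line %d: password for %s is not SHA512-CRYPT\n", NR, $1; bad = 1
        }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "line %d: uid/gid for %s must be numeric\n", NR, $1; bad = 1
        }
        substr($6, 1, 1) != "/" {
            printf "line %d: home for %s must be an absolute path\n", NR, $1; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file (placeholder hashes, not real credentials): alice has
# a SHA512-CRYPT hash, bob has the kind of MD5 hash the mkpasswd manpage warns
# against.
write_sample_users() {
    cat > "$1" <<'EOF'
# user:password:uid:gid:gecos:home
alice:$6$saltsalt$0123456789abcdef:8:8::/var/mail-dirs/alice
bob:$1$saltsalt$0123456789abcdef:8:8::/var/mail-dirs/bob
EOF
}

# Usage on the real file, before restarting Dovecot:
#   lint_dovecot_users /etc/dovecot/users && echo "users file OK"
```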
In `/etc/dovecot/conf.d/10-ssl.conf`, enable SSL and set the paths of the cert
and key.

Make sure ports 143 (IMAP), 110 (POP) and 25 (SMTP) are not blocked (also 587
if you use it).
# Mail Filtering

Many users have a folder hierarchy in their inbox, and they drop messages into
folders according to their topic, sender and so on. When you get a lot of
e-mail or have many folders, this manual filtering work becomes too hard and
you can ask the computer to do it for you, using filtering rules.

There are two places filtering can happen: client side (in your e-mail
application) and server side (in the remote computer which receives your
messages for you).

Many e-mail clients have a filtering feature. You easily define rules using a
GUI. As long as you read your e-mail from one computer, it works well, but what
if you want to check e-mail from some other computer, e.g. a public one? Your
filtering rules aren't there. Messages start coming and filling your main
inbox. You want the automatic filtering to clean the mess, but it will happen
only when you come back home and launch the client there, where the rules are
defined.

Letting the server filter the messages means you get the same experience,
independently of the client! Even as you sleep, your mail server receives
messages sent to you and puts them in the right folders. In the morning, you
can open your e-mail client and everything is exactly the way you like it. And
it works even when you read mail from your Replicant phone or a friend's
computer.
Install LMTP support for Dovecot:

    # apt-get install dovecot-lmtpd

Update the Exim router to use LMTP instead of local delivery:

    local_user:
      debug_print = "R: local_user for $local_part@$domain"
      driver = accept
      domains = +local_domains
      check_local_user
      local_parts = ! root
      #transport = LOCAL_DELIVERY
      transport = dovecot_lmtp
      cannot_route_message = Unknown user

Add an Exim transport for LMTP:

    dovecot_lmtp:
      driver = lmtp
      socket = /var/run/dovecot/lmtp
      # maximum number of deliveries per batch, default 1
      batch_max = 200

Add an `acl_smtp_rcpt` rule that denies recipients not listed in Dovecot:

    # Deny recipients that don't exist in Dovecot
    deny
      message = invalid recipient
      domains = +local_domains
      !verify = recipient/callout=no_cache

Update Dovecot's `auth-passwdfile.conf.ext` to accept `user@domain`
usernames. Since this is what Exim sends, it seems to be required for LMTP to
work. Just change `%u` to `%n`:

    passdb {
      driver = passwd-file
      args = scheme=SHA512-CRYPT username_format=%n /etc/dovecot/users
    }
    userdb {
      driver = passwd-file
      args = username_format=%n /etc/dovecot/users
    }

Update Dovecot's `10-mail` config file to use just the local part in inbox file
paths (`%n` instead of `%u`):

    mail_location = mbox:/var/mail-dirs/%n:INBOX=/var/mail/%n

Now restart Dovecot and Exim, and try sending an e-mail from the server and to
the server. Works, in both directions? Great. If not, feel free to ask me! The
IRC channels of Exim and Dovecot seem not to be very responsive or helpful, or
maybe it's just my badly phrased questions, but anyway ping me on IRC.

The logs of Exim (`/var/log/exim4/mainlog`) and Dovecot (`/var/log/mail.log`)
will help you troubleshoot problems.
Server side filtering uses the Sieve language (for defining filtering rules)
and the MANAGESIEVE protocol (for editing filtering rules remotely). Install
the required packages:

    # apt-get install dovecot-sieve dovecot-managesieved

Enable the sieve plugin for LMTP (`20-lmtp`):

    protocol lmtp {
      mail_plugins = $mail_plugins sieve
    }

Prepare a directory for sieve scripts:

    # mkdir -m 770 /var/mail-sieve
    # chown mail: /var/mail-sieve

Configure sieve in `90-sieve` (unmodified parts omitted for clarity):

    plugin {
      # The path to the user's main active script. If ManageSieve is used, this
      # is the location of the symbolic link controlled by ManageSieve.
      #sieve = ~/.dovecot.sieve
      sieve = /var/mail-sieve/%n/active.sieve

      # Directory for :personal include scripts for the include extension. This
      # is also where the ManageSieve service stores the user's scripts.
      #sieve_dir = ~/sieve
      sieve_dir = /var/mail-sieve/%n/scripts
    }

The Dovecot wiki says that `sieve_dir` is deprecated, and that it can be
specified inside the `sieve` variable. But Trisquel's default config (inherited
from Debian, I imagine) uses `sieve_dir`, so it does work.

Enable the managesieve service in `20-managesieve`:

    service managesieve-login {
      #inet_listener sieve {
      #  port = 4190
      #}

      #inet_listener sieve_deprecated {
      #  port = 2000
      #}

      # Number of connections to handle before starting a new process. Typically
      # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
      # is faster. <doc/wiki/LoginProcess.txt>
      #service_count = 1

      # Number of processes to always keep waiting for more connections.
      #process_min_avail = 0

      # If you set service_count=0, you probably need to grow this.
      #vsz_limit = 64M
    }

    service managesieve {
      # Max. number of ManageSieve processes (connections)
      #process_limit = 1024
    }

Time to test. I expect a permission problem with creating the per-user files
and folders under `/var/mail-sieve`. It may require creating them manually, or
fixing permissions. Use the logs to find the causes of errors.

How to test? So far I mostly see GUI and web clients which support managesieve,
and none of them is what I use. If you use such a client, go ahead and try. For
the command line, you can try:

    # apt-get install sieve-connect

Usage example:

    $ sieve-connect --server mail.rel4tion.org --debug --4 --port 4190

You can also use telnet. The Dovecot wiki explains the commands; it's quite
simple to test.

A minimal sieve script to test with is one which keeps every message in the
inbox, i.e. the same as having no filtering at all. It's a single line:

    keep;
# POP Aggregation

If you, as a user, have several e-mail accounts, you can collect all the
messages from all of them into your local mail server. It can be done by
downloading e-mail from these accounts using the POP protocol, and deleting it
from the remote servers.

TODO explain better how it works?

This server uses *mpop* for this purpose. I prepared a simple setup which uses
*mpop* and *msmtp*, to make things easier. See [[!rel4git doar]]. Check out the
README there. Basically it allows system users to define a list of mail
accounts, and a cron job runs through these lists and collects messages into
the users' mailboxes.

# RSS Aggregation

This server uses *rss2email*, which allows system users to define a list of RSS
feeds. Then you can use a cron job to collect the users' feeds and send them as
e-mail messages. *rss2email* is easy to use and there's good documentation.

TODO explain it anyway?

# Calendar and Contacts

Two groupware features commonly used with e-mail are calendars (with events and
reminders etc.) and contact lists. With these available on the server, you can
access the calendar and contacts remotely, share calendar items and so on.

The technologies this server uses for this are [[!wikipedia CalDAV]] and
[[!wikipedia CardDAV]], for calendars and contacts respectively.

The server software used is *DAViCal*. There's also a very simple and
lightweight server named [[calypso|http://keithp.com/Calypso]], but it's made
for a single user, while what we need here is community server support (i.e. it
should be able to host several users).

DAViCal uses PHP and PostgreSQL. This server already has PostgreSQL for the
MediaGoblin instance, and uses the Lighttpd web server. So the following
installations are needed:

    # apt-get install davical

TODO continue