
mail server

September 14 2015 02:33:43

In the previous post I covered setting up a server that allows the entire system to be encrypted. Today I will cover further setup of this system, including traffic shaping, a webserver and a mailserver.


Before you start reading this article, I'd urge you to read the following:
Setting up a mailserver
Traffic shaping
Setting up iptables
Code for /etc/init.d/shape_traffic was borrowed from the traffic shaping article above.


For this article, I used the following USE flags.
$cat /etc/portage/make.conf | grep USE
 USE="bindist ssl php cgi curl postgres threads sasl maildir
  imap vhosts bzip2 urandom authdaemond crypt spell geoip
  spamassasin clamdtop -X -mysql mbox dovecot-sasl ipv6 iptables"


Furthermore, I disabled SQL support in cyrus-sasl for our mail daemon, as I use system accounts.
$cat /etc/portage/package.use | grep cyrus-sasl
 >=dev-libs/cyrus-sasl-2.1.26-r9 -postgres


After editing your USE flags, it is imperative to update your system:
emerge --quiet --verbose --deep --update --newuse --autounmask-write --with-bdeps=y world


Now we'll need to emerge the following packages:
  app-antivirus/clamav
  dev-lang/php
  mail-filter/amavisd-new
  mail-filter/dovecot-antispam
  mail-filter/spamassassin
  mail-mta/postfix
  net-mail/dovecot
  sys-apps/ethtool
  www-servers/hiawatha


While these packages are emerging, you can take your time to download and extract the set of configuration files provided at the bottom of the page. You should read them, and get familiar with their settings, and adjust them where indicated.


The files in www go in a folder in /var/www of your choosing. Remember to set the correct permissions, and to change /etc/hiawatha/hiawatha.conf to point to this folder. These PHP files constitute a trap page (error.php) and a rather simple blog (index.php). I hacked these up because I desperately wanted to avoid using WordPress, which is basically an open shell on port 80. The settings for this blog are at the top of each PHP file, and configuring them should be self-explanatory.


You will need to generate an SSL certificate for your mailserver. I prefer self-signed certificates, as major CAs are compromised, and thus less secure. You can generate one (a 4096-bit RSA key, valid for ten years, with an unencrypted key file so the daemons can read it at boot) with the following command:
 $openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
   -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.pem


Edit the scripts provided for /etc/init.d/ before continuing. One script you might not need is /etc/init.d/probe_all_net. I included it because the VPS that hosts this site has no transfer cap, but starts throttling your connection once you use over 60mbit for a few days. This script hopefully prevents that from happening.


If everything is configured to your liking, you can start each installed service using the following command:
$/etc/init.d/[command] start
  dovecot
  dropbear
  hiawatha
  iptables
  postfix
  probe_all_net
  saslauthd
  spamd
  shape_traffic


If in the previous paragraph everything worked correctly, you can add all services to your system init using the following command:
 $rc-update add [service] default


Now that everything is installed you can start adding users for mailboxes, spamassassin and the like. You can find information on how to do this here. Each email user should have no permissions outside of its home folder, and /bin/false or /bin/nologin as its shell.
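As an added example (not part of the original post or its config tarball), here is a small POSIX sh script that creates a mailbox-only account the way the paragraph describes and audits a passwd file for mailbox users that still have an interactive shell or a home directory readable by others. The paths /sbin/nologin and the passwd layout are assumptions; the audit functions take the passwd file as an argument so they can be run against a copy.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU useradd(8) and
# that /sbin/nologin exists on the host (adjust to /bin/false if not).

# add_mail_user NAME: mailbox-only system account. The login shell is a
# nologin binary and the home directory is closed to group and others,
# so the account can receive mail but cannot log in or read other users.
# Must run as root; usage: add_mail_user alice
add_mail_user() {
    useradd --create-home --shell /sbin/nologin --user-group "$1" || return 1
    home=$(getent passwd "$1" | cut -d: -f6)
    chmod 0700 "$home"
    # Maildir skeleton matching USE="maildir" above (path is an assumption)
    install -d -m 0700 -o "$1" -g "$1" \
        "$home/.maildir/cur" "$home/.maildir/new" "$home/.maildir/tmp"
}

# interactive_shell_users PASSWD_FILE UID_MIN: print login names with
# uid >= UID_MIN whose shell is neither /bin/false nor a nologin binary.
# An empty shell field is also reported, since login(1) treats it as /bin/sh.
interactive_shell_users() {
    awk -F: -v min="$2" \
        '$3 >= min && $7 !~ "^/(usr/)?s?bin/(false|nologin)$" { print $1 }' "$1"
}

# open_home_users PASSWD_FILE UID_MIN: print login names with uid >= UID_MIN
# whose home directory grants any permission to group or others.
open_home_users() {
    awk -F: -v min="$2" '$3 >= min { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user home; do
        [ -d "$home" ] || continue
        # columns 5-10 of "ls -ld" output are the group and other mode bits
        if ls -ld "$home" | cut -c5-10 | grep -q '[^-]'; then
            echo "$user"
        fi
    done
}

# Audit the live system (uid 1000 is Gentoo's default first regular user):
#   interactive_shell_users /etc/passwd 1000
#   open_home_users /etc/passwd 1000
```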


File config.tar.xz
Size 37.2KiB
Sha512sum 6c9b34ec8d91e8d305698da23d558e02c79f8745d0f7af1fc94e7d4342c831fade323bbf5d83c61cfab605bc6544a8d7931ab2d1f5f523925d6526dd5c9a1e68