Email, ISP style

The Stage

My setup requires a bit more than the original setup of the guide that I will be following.

I’m going to use multiple SSL certificates for the same server on different IPs. What this comes down to is telling Postfix and Dovecot that yes, I really do want multiple SSL certificates, one per address.


I’ve set up an email server before. Last time I ended up with a secure, strict email server that couldn’t send emails. Now I know why, and it’s one of those reasons you want to bang your head through the wall for.

I’ll get to that later. Right now, let’s start with finding the guides to follow. I used Lee Hutchinson’s 2014 guide. It’s two years old. “So what?” I thought.

Now, Lee suggests we use a package named mail-stack-delivery; the only problem is that it is an Ubuntu package. That might not be too bad, it’s just that I quite like the Debian system structure.

Startup checklist:
Domain(s): got them.
DNS service: got that too, though I won’t change to Amazon’s system.
SSL certificates: got them.

Installing the pieces in Debian is one apt-get call as root away (package names are lowercase):

sudo apt-get install postfix dovecot-imapd spamassassin spamass-milter nginx php5-fpm

Postfix will ask you questions covered in the guide.

On to guide two! I’ll intersperse the guide with my changes.

First difference: the guide for getting an SSL certificate needs a slight update.
I can’t re-run the validation myself, but this is where you find the validation guide:
Domain validation

You’ll want to go through this guide, which will show StartSSL that you actually own the domain.

After that, you can go through the guide to get the SSL certificate.

That’s it! Click “here” to download the certificates and you can do the rest. Back to Lee for a few lines; we’re going to go a different way with the placement of the certificates. We’ll put them inside master.cf, per listener, instead of in main.cf as Lee does.

We’ll be using this fella’s short blog post for making Postfix submit to our strange multi-SSL-certificate ways.

I will, however, leave the smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt line in main.cf, since that can stay global for my tastes. I’ll add two more settings to main.cf here; they’ll make more sense once we’ve played around with master.cf:
smtpd_tls_wrappermode=yes
smtpd_sasl_auth_enable=yes

These two work out for us because we’ll add

-o smtpd_tls_wrappermode=no

to the smtp (port 25) listeners in master.cf, so port 25 keeps doing plain SMTP with STARTTLS while the other listeners inherit wrapper mode (TLS from the first byte) from main.cf.

If you have a separate key and certificate per domain, you need the lines

-o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
-o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt

under each listener that serves that domain, the smtps and submission entries at minimum (the listing below also puts them on the smtp entries so that STARTTLS on port 25 presents the right certificate). If one key and certificate pair covers every domain you want to use, set smtpd_tls_key_file and smtpd_tls_cert_file globally in main.cf instead.

A complete set of IPv4/IPv6 listeners looks like this. The master.cf columns are service name, type, private, unprivileged, chroot, wakeup time, process limit and command; a “-” takes the default.

# localhost
# Port 25 keeps plain SMTP with STARTTLS, so the global
# smtpd_tls_wrappermode=yes from main.cf is overridden here.
# Note: smtp_helo_name is a Postfix smtp *client* parameter and has no
# effect on an smtpd listener; it is harmless here but does nothing.
127.0.0.1:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix-smtp
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain


# Port 465: TLS from the first byte; inherits smtpd_tls_wrappermode=yes from main.cf.
127.0.0.1:smtps   inet    n       -       y       -       -       smtpd
  -o syslog_name=postfix-smtps
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

# Port 587: no override here either, so this listener also inherits
# wrappermode=yes and speaks TLS from the first byte, not STARTTLS.
127.0.0.1:submission  inet  n     -       y       -       -       smtpd
  -o syslog_name=postfix-submission
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain


# IPv4 Your domain servers
yourIP:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix-smtp
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

yourIP:smtps   inet    n       -       y       -       -       smtpd
  -o syslog_name=postfix-smtps
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

yourIP:submission  inet  n     -       y       -       -       smtpd
  -o syslog_name=postfix-submission
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

# IPv6 Your Domain IPV6
[fe80::]:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix-smtp
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

[fe80::]:smtps   inet    n       -       y       -       -       smtpd
  -o syslog_name=postfix-smtps
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

[fe80::]:submission  inet  n     -       y       -       -       smtpd
  -o syslog_name=postfix-submission
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

This gives the server the ability to present a different certificate depending on which IP a connection arrives on. REMEMBER to replace every instance of “yourdomain” with your domain. The first three entries serve localhost and use your main server certificate. The next six are two sets of three listeners, one set bound to an IPv4 address and one to an IPv6 address; if you only use one address family, leave the other out. Replace yourIP with the IPv4 address for that domain and fe80:: with your server’s IPv6 address (fe80::/10 is the link-local range, so the placeholder is not something you want to listen on; use the global address you publish in DNS). One caveat: the global smtpd_tls_wrappermode=yes is only overridden on the smtp listeners, so the submission listeners on 587 also run in wrapper mode. Clients that speak TLS from the first byte on 587 are fine with that, but clients expecting STARTTLS on 587 will fail to connect. For those, add -o smtpd_tls_wrappermode=no and -o smtpd_tls_security_level=encrypt to the submission entries, or point them at port 465 instead.

That’s it for Postfix. Oh wait, there’s one line you absolutely need uncommented. In the middle of the commented-out entries you’ll find:

#smtp      unix  -       -       -       -       -       smtp

If that line stays commented, you’ll get this fantastically helpful message:
postfix/qmgr[]: warning: connect to transport private/smtp: Connection refused
postfix/error[]: : to=<emailhere@gmail.com>, relay=none, delay=0.07, delays=0.03/0/0/0.03, dsn=4.3.0, status=deferred (mail transport unavailable)

What it’s trying to tell us is that the private/smtp unix socket, the one served by Postfix’s smtp delivery client (not smtpd, which is the server side), is unavailable, so the queue manager has no transport to hand outbound mail to. Sending will not happen. The entry looks a lot like the “smtp inet ... smtpd” listener, so it is easy to comment out along with the default listeners by mistake; “postconf -M” lists the active master.cf entries if you want to check that “smtp unix” is among them.

(THIS IS WHAT MADE MY LAST SERVER NOT SEND EMAILS.) And what kept my current setup from shipping emails for a week. Dedication is what ended up landing me with an answer.
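As an added example (not code from this post or from Lee’s guide), here is a small shell lint that reads master.cf text on stdin and reports the two pitfalls described above: an inactive “smtp unix ... smtp” transport, and a submission listener that inherits TLS wrapper mode (or an smtps listener that does not). Pass the main.cf value of smtpd_tls_wrappermode as its argument (postconf -h smtpd_tls_wrappermode prints it). The two sample master.cf texts are constructed for this example, and 192.0.2.10 is a documentation address standing in for yourIP.

```sh
#!/bin/sh
# Added example, not part of the original post: lint master.cf text for
#  1. a missing/commented "smtp unix ... smtp" delivery client, which makes
#     qmgr defer every outbound message with "mail transport unavailable";
#  2. TLS wrapper mode on the wrong listeners: a submission (587) entry that
#     inherits smtpd_tls_wrappermode=yes from main.cf cannot serve STARTTLS
#     clients, and an smtps (465) entry without wrapper mode cannot serve
#     clients that expect TLS from the first byte.

# lint_master_cf GLOBAL_WRAPPERMODE   (main.cf value, default "no"); master.cf on stdin.
# Prints one line per finding; exit status 1 if anything was found, else 0.
lint_master_cf() {
    awk -v global="${1:-no}" '
    BEGIN { rc = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[^ \t]/ {                                    # service line: name type ... command
        cur = $1
        if ($1 == "smtp" && $2 == "unix" && $NF == "smtp") have_client = 1
        if ($2 == "inet" && $NF == "smtpd") { listen[cur] = 1; wrap[cur] = global }
        next
    }
    /^[ \t]+-o[ \t]+smtpd_tls_wrappermode=/ {      # per-listener override
        split($2, kv, "="); wrap[cur] = kv[2]
    }
    END {
        if (!have_client) {
            print "FAIL: no active \"smtp unix\" transport; outbound mail will be deferred"
            rc = 1
        }
        for (s in listen) {
            port = s; sub(/^.*:/, "", port)        # "[fe80::]:submission" -> "submission"
            if (port == "submission" && wrap[s] != "no") {
                print "WARN: " s " is in TLS wrapper mode; STARTTLS clients on 587 will fail"
                rc = 1
            }
            if (port == "smtps" && wrap[s] != "yes") {
                print "WARN: " s " is not in TLS wrapper mode; implicit-TLS clients on 465 will fail"
                rc = 1
            }
        }
        exit rc
    }'
}

# Constructed sample: the default listeners commented out, the "smtp unix"
# client commented out with them, and submission inheriting wrappermode=yes.
broken_master_cf() {
cat <<'EOF'
#smtp      inet  n       -       -       -       -       smtpd
#submission inet  n       -       -       -       -       smtpd
192.0.2.10:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix-smtp
192.0.2.10:smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix-smtps
192.0.2.10:submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix-submission
#smtp      unix  -       -       -       -       -       smtp
EOF
}

# Constructed sample: the same listeners with both problems fixed.
fixed_master_cf() {
cat <<'EOF'
192.0.2.10:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_tls_wrappermode=no
192.0.2.10:smtps     inet  n       -       y       -       -       smtpd
192.0.2.10:submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
smtp      unix  -       -       -       -       -       smtp
EOF
}

# Usage: report on both samples, assuming main.cf sets smtpd_tls_wrappermode=yes.
for v in broken fixed; do
    echo "== $v =="
    if "${v}_master_cf" | lint_master_cf yes; then echo "ok"; fi
done
```

On a live system, postconf -M prints the active entries in the same one-service-per-logical-line layout, so piping it into lint_master_cf with the output of postconf -h smtpd_tls_wrappermode as the argument checks the running configuration. Run postfix check afterwards as well; it catches syntax errors that this lint does not look at.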

Let’s go back to Lee for a bit, but skip “Master control” and head right to “Mappity-map, then hash back”.

For “A home for your virtual users’ mail”: I wanted to put the virtual mail files in /home/vmail.

We’re also going to do something unusual with Dovecot’s SSL configuration. First of all, don’t uncomment lines 12 and 13 (the ssl_cert and ssl_key lines) in /etc/dovecot/conf.d/10-ssl.conf. We’ll need to recreate /etc/dovecot/conf.d/01-mail-stack-delivery.conf, since the package it comes from doesn’t exist for Debian: open the file in nano and paste in the contents from Lee’s guide.

You’ll need to change the /var/mail/ references to /home/vmail, not only here but everywhere in Lee’s guide.

Let’s leave Lee’s trail for a bit; we’ll get back to it in a little while. We’ll need the official Dovecot wiki (its SSL configuration page covers per-IP certificates) to get Dovecot to cooperate. The file in question is /etc/dovecot/conf.d/01-mail-stack-delivery.conf:

# Each "local" block matches the server-side address the client connected
# to, so every IP presents its own certificate. A hostname can be used
# instead of an IP; it is resolved when Dovecot starts.
local 192.0.2.10 {
  protocol imap {
    ssl_cert = </etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
    ssl_key  = </etc/ssl/private/ssl-key-decrypted-mail.key
  }
}

# Second address: point these at the certificate and key issued for the
# name that resolves to 192.0.2.20.
local 192.0.2.20 {
  protocol imap {
    ssl_cert = </etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
    ssl_key  = </etc/ssl/private/ssl-key-decrypted-mail.key
  }
}

You’ll still need a global ssl_cert and ssl_key pair somewhere in the Dovecot config (the local blocks only override it, and we skipped the lines in 10-ssl.conf, so it has to be in the recreated 01-mail-stack-delivery.conf). Otherwise doveconf -n greets you with:
doveconf: Error: ssl enabled, but ssl_cert not set

Bugger on with SpamAssassin, ClamAV and OpenDKIM. Not much has changed here since Lee wrote the article. If you did move your domain to another service for management, go fiddle with it and get it right. Most systems I’ve seen have been a bit fiddly, but play around with it and you’ll get it right.

Remember that you don’t NEED to carry the same spam filters Lee uses in his guide; they’re there to show what a regular setup looks like. I didn’t throw away mail above 10 points of “spam assuredness” from SpamAssassin, mostly because I don’t trust it yet.

Now we’ve gotten to number four of the guides that Lee wrote, and I’ll start by saying that we’ll skip his “Postscreen and additional filtering” step. In fact, we’ll open master.cf and comment out the two entries that were originally uncommented; the section will look like this:

#smtp       inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet  n       -       -       -       -       smtpd

I’m sure I could replace some of my listeners with postscreen, but at this point I was REALLY, REALLY tired of the entire deal. You see, I didn’t learn about the commented-out line further down until six, yes, you read that right, six days after I first finished this step.

I did follow through with the security tip, and this is where I’ve currently dropped out. I’ll be looking into the remainder of the guide, and I’ll be doing a similar thing with my nginx/php5-fpm setup. Suffice to say that, as far as I can read, getting different SSL certificates into Nginx is about as hard as with Dovecot.

I’d like to thank the contributors to this experience, specifically Lee Hutchinson, and WPKG