Mail server with Rspamd, ClamAV and DKIM
Current revision as of 9 June 2026, 14:57
Complete mail server
Installation
- Install packages
- apt update
- apt install postfix dovecot-core dovecot-imapd dovecot-lmtpd mailutils
- apt install rspamd redis clamav clamav-daemon
- apt install roundcube roundcube-core php-net-smtp
- When the Postfix installer asks for the configuration type, choose Internet Site
Create users
- useradd -m -s /bin/bash martha
- useradd -m -s /bin/bash leroy
- passwd martha
- passwd leroy
- Maildir structure for new users (copied from the skeleton at account creation)
- mkdir -p /etc/skel/Maildir/{cur,new,tmp}
- For existing users (created as root here, so chown the Maildir to the respective user afterwards)
- mkdir -p /home/martha/Maildir/{cur,new,tmp}
- mkdir -p /home/leroy/Maildir/{cur,new,tmp}
Certificates
- Create the private key and certificate (the key file readable by root only) and place them at
- /etc/ssl/own.crt
- /etc/ssl/own.key
Postfix
/etc/postfix/main.cf
- vi /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
compatibility_level = 3.6
# TLS
smtpd_tls_cert_file=/etc/ssl/own.crt
smtpd_tls_key_file=/etc/ssl/own.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Relay
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.it213.int
myorigin = it213.int
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost, it213.int
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# Maildir
home_mailbox = Maildir/
mailbox_command =
# SASL via Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# With smtpd_tls_security_level=may this also offers AUTH on port 25 before STARTTLS;
# set smtpd_tls_auth_only = yes to offer AUTH only inside TLS
# Rspamd milter
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
# accept: if Rspamd is unreachable, mail is accepted unscanned and unsigned;
# tempfail would defer it until the milter is back
milter_default_action = accept
/etc/postfix/master.cf
- Enable SMTPS on port 465, with the milter
- vi /etc/postfix/master.cf
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_milters=inet:127.0.0.1:11332
- In this setup, without the -o smtpd_milters line Postfix did not hand mail submitted by Roundcube on port 465 to Rspamd, so it left the server without a DKIM signature
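Whether a given smtpd service carries its own milter override is easy to misread in a long master.cf with continuation lines and commented-out -o entries. The following script is an added example, not part of the original page or of Postfix: for every inet service whose command is smtpd it prints the smtpd_milters value set in that service's own -o options, so services that silently rely on main.cf stand out. The master.cf it parses is a constructed sample embedded in the script; point milter_overrides at /etc/postfix/master.cf to check a real server.

```sh
#!/bin/sh
# Added example, not part of the original page: show which smtpd services in a
# Postfix master.cf carry their own "-o smtpd_milters=..." override.
# The master.cf below is a constructed sample for this demo.

# milter_overrides FILE
# Prints "SERVICE VALUE" for every inet service whose command is smtpd.
# VALUE is the smtpd_milters setting found in the service's own -o options,
# "(disabled)" for an empty "-o smtpd_milters=", or "-" when the service has
# no override and therefore depends on main.cf. Continuation lines (leading
# blank) belong to the preceding service; comment lines are ignored, so a
# commented-out "#  -o smtpd_milters=..." does not count.
milter_overrides() {
  awk '
    function flush() { if (svc != "") printf "%s %s\n", svc, val; svc = "" }
    function scan(line) {
      if (match(line, /-o[ \t]+smtpd_milters=[^ \t]*/)) {
        v = substr(line, RSTART, RLENGTH)
        sub(/^-o[ \t]+smtpd_milters=/, "", v)
        val = (v == "") ? "(disabled)" : v
      }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]/ { if (svc != "") scan($0); next }  # continuation of current service
    {                                           # start of a new service entry
      flush()
      if ($2 == "inet" && $8 == "smtpd") { svc = $1; val = "-"; scan($0) }
    }
    END { flush() }
  ' "$1"
}

# services_without_override FILE -> names of smtpd services relying on main.cf
services_without_override() {
  milter_overrides "$1" | awk '$2 == "-" { print $1 }'
}

# Constructed sample: smtp without override, submission with one, smtps with
# the override only commented out (the mistake the page warns about).
sample_master_cf() {
  cat <<'EOF'
# constructed sample for this demo, not a real server's file
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_milters=inet:127.0.0.1:11332
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_milters=inet:127.0.0.1:11332
pickup    unix  n       -       y       60      1       pickup
EOF
}

demo() {
  f=$(mktemp)
  sample_master_cf > "$f"
  echo "smtpd_milters per smtpd service:"
  milter_overrides "$f"
  echo "services relying on main.cf for smtpd_milters:"
  services_without_override "$f"
  rm -f "$f"
}
demo
```

On the sample, smtps shows up as "-" because its override is commented out; on a real server run milter_overrides /etc/postfix/master.cf and compare the list with what main.cf sets.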
Dovecot
/etc/dovecot/conf.d/10-mail.conf
- vi /etc/dovecot/conf.d/10-mail.conf
mail_driver = maildir
mail_home = /home/%{user | username}
mail_path = %{home}/Maildir
namespace inbox {
inbox = yes
}
mail_privileged_group = mail
protocol !indexer-worker {
}
/etc/dovecot/conf.d/10-ssl.conf
- vi /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_server_cert_file = /etc/ssl/own.crt
ssl_server_key_file = /etc/ssl/own.key
ssl_min_protocol = TLSv1.2
/etc/dovecot/conf.d/10-master.conf
- vi /etc/dovecot/conf.d/10-master.conf
service imap-login {
inet_listener imap { }
inet_listener imaps { }
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
service auth-worker {
}
Rspamd
Redis
- systemctl enable --now redis
/etc/rspamd/local.d/redis.conf
- vi /etc/rspamd/local.d/redis.conf
servers = "127.0.0.1:6379";
Generate DKIM key
- mkdir -p /etc/rspamd/dkim
- rspamadm dkim_keygen -b 2048 -s mail -d it213.int -k /etc/rspamd/dkim/mail.key > /etc/rspamd/dkim/mail.txt
- -k writes the private key to the file; the matching DNS TXT record is printed to stdout, hence the redirect into mail.txt
- chown -R _rspamd:_rspamd /etc/rspamd/dkim
- chmod 600 /etc/rspamd/dkim/mail.key
- Read out the DNS record
- cat /etc/rspamd/dkim/mail.txt
- Enter it in the DNS zone (a 2048-bit key is longer than the 255 bytes a single TXT string may hold, so in a zone file split the value into several quoted strings)
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=<public key>"
- Check
- dig TXT mail._domainkey.it213.int
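A dig answer only shows that some record exists; the usual failure is a p= value that was truncated or mangled while pasting it into the zone. The following script is an added example, not part of the original page or of Rspamd: it derives the p= value from the private key with openssl (the base64 SubjectPublicKeyInfo, which is what rspamadm dkim_keygen prints for the PEM key it writes), parses a DKIM TXT record the way dig returns it (several quoted strings of at most 255 bytes) and compares the two. No DNS query is made; the key pair and the dig-style answer are generated inside the script for the demo, and the selector name mail and the paths are taken from the page.

```sh
#!/bin/sh
# Added example, not part of the original page: verify that the DKIM key
# published in DNS belongs to the private key Rspamd signs with.
# Uses only openssl, fold, sed and tr. The key pair and the dig-style DNS
# answer are generated here for the demo; no DNS query is made.

# dkim_pubkey_from_key KEYFILE
# Base64 of the SubjectPublicKeyInfo DER on one line. For an RSA key this is
# exactly the p= value of the DKIM TXT record (RFC 6376).
dkim_pubkey_from_key() {
  openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# dkim_txt_value KEYFILE            -> v=DKIM1; k=rsa; p=...
# dkim_txt_record KEYFILE SELECTOR  -> zone file line for that key
dkim_txt_value() {
  printf 'v=DKIM1; k=rsa; p=%s' "$(dkim_pubkey_from_key "$1")"
}
dkim_txt_record() {
  printf '%s._domainkey IN TXT "%s"\n' "$2" "$(dkim_txt_value "$1")"
}

# as_dig_output VALUE
# Render a TXT value the way dig shows a long record: quoted strings of at
# most 255 bytes separated by spaces (a 2048-bit key needs two of them).
as_dig_output() {
  printf '%s' "$1" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' '
}

# dkim_txt_p TXT
# The p= tag of a DKIM record as returned by dig: drop quotes and whitespace
# (which joins the chunks), split the tags on ";" and keep the p= one.
dkim_txt_p() {
  printf '%s\n' "$1" | tr -d '" \t' | tr ';' '\n' | sed -n 's/^p=//p'
}

# dkim_check KEYFILE TXT  -> exit status 0 if DNS and private key agree
dkim_check() {
  expected=$(dkim_pubkey_from_key "$1")
  got=$(dkim_txt_p "$2")
  [ -n "$expected" ] && [ "$got" = "$expected" ]
}

# Demo with two freshly generated keys: the first one is "published", the
# second one is the wrong key (e.g. after a rotation that DNS missed).
demo() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/mail.key" 2048 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  echo "zone line:"; dkim_txt_record "$d/mail.key" mail
  dns=$(as_dig_output "$(dkim_txt_value "$d/mail.key")")
  echo "dig-style answer: $dns"
  dkim_check "$d/mail.key" "$dns"  && echo "mail.key:  matches the published key"
  dkim_check "$d/other.key" "$dns" || echo "other.key: does NOT match the published key"
  rm -rf "$d"
}
demo
```

Against the live zone, run dkim_check /etc/rspamd/dkim/mail.key "$(dig +short TXT mail._domainkey.it213.int)" as root; a non-zero exit status means Rspamd's check_pubkey will also fail and mail will go out unsigned.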
/etc/rspamd/local.d/dkim_signing.conf
- vi /etc/rspamd/local.d/dkim_signing.conf
enabled = true;
domain {
it213.int {
selector = "mail";
path = "/etc/rspamd/dkim/mail.key";
}
}
use_domain = "header";
allow_username_mismatch = true;
sign_authenticated = true;
sign_local = true;
sign_inbound = false;
use_esld = true;
check_pubkey = true;
- check_pubkey = true makes Rspamd look up the selector in DNS before signing and skip the signature if the published key does not match the private key
- allow_username_mismatch = true is required when SASL users authenticate without a domain suffix (e.g. martha instead of martha@it213.int)
ClamAV
- systemctl enable --now clamav-daemon
- freshclam
/etc/rspamd/override.d/antivirus.conf
- vi /etc/rspamd/override.d/antivirus.conf
enabled = true;
clamav {
type = "clamav";
symbol = "CLAM_VIRUS";
servers = "/var/run/clamav/clamd.ctl";
scan_text_mime = true;
scan_mime_parts = true;
min_size = 0;
scan_unauthenticated = true;
stream = true;
score = 20.0;
}
Roundcube
/var/www/roundcube/config/config.inc.php
- vi /var/www/roundcube/config/config.inc.php
$config['imap_host'] = 'ssl://mail.it213.int:993';
$config['smtp_host'] = 'ssl://mail.it213.int:465';
Start services
- systemctl restart postfix
- systemctl restart dovecot
- systemctl restart rspamd
- systemctl restart clamav-daemon
Checks
Ports
- ss -4lntp | grep -E ':(25|143|465|993) '
DKIM
- After sending a mail, check that the DKIM-Signature header is present and that Rspamd logged the signing
- grep DKIM_SIGNED /var/log/rspamd/rspamd.log | tail -5
Rspamd web interface
Logging
- journalctl -f -u postfix
- tail -f /var/log/rspamd/rspamd.log
- tail -f /var/log/mail.log