From 2f01e7a8ce20ee184262001144829bda507921b6 Mon Sep 17 00:00:00 2001
From: Mauricio Baeza
Date: Mon, 27 Sep 2021 22:49:33 -0500
Subject: [PATCH] Add mailserver
---
 source/chuletas.gmi | 1 +
 source/notes/mailserver.gmi | 170 +++++++++++++++++++++++++++++++---
 source/notes/ubuntuserver.gmi | 2 +-
 3 files changed, 160 insertions(+), 13 deletions(-)
diff --git a/source/chuletas.gmi b/source/chuletas.gmi
index 04a103f..f377ecb 100644
--- a/source/chuletas.gmi
+++ b/source/chuletas.gmi
@@ -10,6 +10,7 @@
 => gemini://elmau.net/notes/nebula.gmi • [Nebula VPN Mesh]
 => gemini://elmau.net/notes/vim.gmi • [Vim]
 => gemini://elmau.net/notes/postgres.gmi • [Postgres]
+=> gemini://elmau.net/notes/mailserver.gmi • [Mail Server]
diff --git a/source/notes/mailserver.gmi b/source/notes/mailserver.gmi
index 6246b1f..8b86f98 100644
--- a/source/notes/mailserver.gmi
+++ b/source/notes/mailserver.gmi
@@ -1,18 +1,35 @@
 ## Mail Server
-DNS
+iRedMail es una solución todo en uno para un servidor de correo, esto significa que con solo pasarle unos pocos parámetros de configuración nos instala todos los componentes necesarios para tener tu propio servidor de correo totalmente funcional con buenas practicas de seguridad.
+
+Antes de empezar planifica correctamente tu servidor con los siguientes datos:
+
+1] Primer dominio a usar. Para este ejemplo usaremos el dominio: correolibre.org
+2] Debes de tener ya configurados con tu proveedor de dominios los siguientes registros:
+
+2.1] Un registro tipo A a la IP de tu VPS
+2.2] Un registro tipo A subdominio "mail" a la misma IP
+2.3] Los mismos registros de los puntos 2.1 y 2.2 pero tipo AAAA, solo si tu VPS tiene soporte para IPv6
+2.4] Un registro tipo MX con prioridad 10 al subdominio "mail"
+2.5] Un registro TXT con el valor ""v=spf1 ip4:IP_VPS a -all" la IP_VPS debe ser la de tu VPS
+2.6] Un registro TXT a "_dmarc" con el valor "v=DMARC1; p=reject; adkim=s; aspf=s; sp=none; rua=mailto:dmarc@correolibre.org; ruf=mailto:dmarc@correolibre.org"
+2.7] Un registro TXT a "dkim._domainkey" con el valor "v=DKIM1; p=" este valor será editado más adelante.
+
+A modo de ejemplo:
 ```
-@ 86400 IN SOA ns1.gandi.net. hostmaster.gandi.net.
1600703899 10800 3600 604800 10800
-@ 300 IN A 188.68.36.124
-@ 300 IN MX 10 mail
-@ 300 IN TXT "v=spf1 ip4:188.68.36.124 a -all"
-_dmarc 300 IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; sp=none; rua=mailto:dmarc@correolibre.org; ruf=mailto:dmarc@correolibre.org"
-dkim._domainkey 300 IN TXT "v=DKIM1; p="
-mail 300 IN A 188.68.36.124
-mail 300 IN AAAA 2a03:4000:13:a72:d8b7:60ff:fec0:ff2
+@ 10800 IN A 188.68.36.124
+@ 10800 IN AAAA 2a03:4000:13:a72:d8b7:60ff:fec0:ff2
+@ 10800 IN MX 10 mail
+@ 10800 IN TXT "v=spf1 ip4:188.68.36.124 a -all"
+_dmarc 10800 IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; sp=none; rua=mailto:dmarc@correolibre.org; ruf=mailto:dmarc@correolibre.org"
+dkim._domainkey 10800 IN TXT "v=DKIM1; p="
+mail 10800 IN A 188.68.36.124
+mail 10800 IN AAAA 2a03:4000:13:a72:d8b7:60ff:fec0:ff2
 ```
+El instalador de iRedMail solo funciona en un servidor limpio, para este ejemplo he usado un VPS con Ubuntu Server 20.04. La mayor parte de los procesos como root.
+
 apt update
 apt upgrade
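Review bot: Item 2.5 in the new checklist has a doubled opening quote, `""v=spf1 ip4:IP_VPS a -all"`, so a reader who pastes the value as written publishes a malformed SPF TXT record that receivers will not evaluate; the line should read `2.5] Un registro TXT con el valor "v=spf1 ip4:IP_VPS a -all" la IP_VPS debe ser la de tu VPS`. The same item lists only `ip4:` while item 2.3 and the example zone add an AAAA record, so a short sentence noting that the `a` mechanism is what covers mail sent over IPv6 would keep readers from dropping it and failing SPF under `-all`.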
@@ -60,11 +77,140 @@ cd iRedMail-1.4.2/
 bash iRedMail.sh
+Pantalla de bienvenida Yes
+Directorio de almacenamiento de los buzones de correo: /var/vmail
+Instalar servidor web: Nginx
+Seleccionar base de datos: PostgreSQL
+Contraseña para admin PostgreSQL:
+Capturar primer dominio: correolibre.org
+Contraseña para el administrador:
+
+
+< Question > Would you like to use firewall rules provided by iRedMail?
+< Question > File: /etc/nftables.conf, with SSHD ports: 2274. [Y|n]Y
+[ INFO ] Copy firewall sample rules.
+< Question > Restart firewall now (with ssh ports: 2274)? [y|N]y
+[ INFO ] Restarting firewall ...
-***************************** WARNING ***********************************
-* Below file contains sensitive infomation (username/password), please *
-* do remember to *MOVE* it to a safe place after installation. *
 /root/iRedMail-1.4.2/config
+/root/iRedMail-1.4.2/iRedMail.tips
+
+- Roundcube webmail: https://mail.correolibre.org/mail/
+- SOGo groupware: https://mail.correolibre.org/SOGo/
+- netdata (monitor): https://mail.correolibre.org/netdata/
+- Web admin panel (iRedAdmin): https://mail.correolibre.org/iredadmin/
+
+* Please reboot your system to enable all mail services.
+
+/etc/nftables.conf
+
+
+reboot
+
+adduser USER
+
+gpasswd -a USER sudo
+
+exit
+
+ssh-copy-id -i ~/.ssh/mau20.pub mail.correolibre.org
+
+ssh mail.correolibre.org
+
+vim .bashrc
+
+ `PS1="┌─[\e[0;32m\H\e[m][\e[1;31m\u\e[m]->{\[\e[34;1m\]\w\[\e[0;1m\]}\n└──> \[\e[0m\]"`
+
+source .bashrc
+
+sudo chmod -x /etc/update-motd.d/10-help-text
+
+sudo vim /etc/ssh/sshd_config
+
+ Port 2274
+ AllowUsers USER
+ PermitRootLogin no
+ LoginGraceTime 1m
+ ClientAliveInterval 600
+ ClientAliveCountMax 0
+ MaxAuthTries 3
+ IgnoreRhosts yes
+ PermitEmptyPasswords no
+ PasswordAuthentication no
+ LogLevel INFO
+
+
+sudo vim /etc/postgresql/12/main/pg_hba.conf
+
+ local all postgres trust
+
+sudo systemctl restart postgresql
+
+
+sudo apt install certbot
+
+sudo certbot register --agree-tos -m EMAIL
+
+sudo certbot certonly --standalone --preferred-challenges http-01 -d mail.correolibre.org -d correolibre.org
+
+sudo rm -f /etc/ssl/private/iRedMail.key
+
+sudo rm -f /etc/ssl/certs/iRedMail.crt
+
+sudo ln -s /etc/letsencrypt/live/mail.correolibre.org/privkey.pem /etc/ssl/private/iRedMail.key
+
+sudo ln -s /etc/letsencrypt/live/mail.correolibre.org/fullchain.pem /etc/ssl/certs/iRedMail.crt
+
+sudo nginx -t
+
+sudo systemctl restart nginx
+
+sudo amavisd-new showkeys
+
+sudo amavisd-new testkeys
+
+TESTING#1 correolibre.org: dkim._domainkey.correolibre.org => pass
+
+
+sudo amavisd-new genrsa /var/lib/dkim/cuates.net.pem 2048
+sudo amavisd-new genrsa /var/lib/dkim/amigos.email.pem 2048
+
+sudo chown amavis:amavis /var/lib/dkim/cuates.net.pem
+sudo chown amavis:amavis /var/lib/dkim/amigos.email.pem
+
+sudo chmod 400 /var/lib/dkim/cuates.net.pem
+sudo chmod 400 /var/lib/dkim/amigos.email.pem
+
+sudo vim /etc/amavis/conf.d/50-user
+
+ # Add dkim_key here.
+ dkim_key('correolibre.net', 'dkim', '/var/lib/dkim/correolibre.net.pem');
+ dkim_key('cuates.net', 'dkim', '/var/lib/dkim/cuates.net.pem');
+ dkim_key('amigos.email', 'dkim', '/var/lib/dkim/amigos.email.pem');
+
+ @dkim_signature_options_bysender_maps = ({
+ # 'd' defaults to a domain of an author/sender address,
+ # 's' defaults to whatever selector is offered by a matching key
+
+ # Per-domain dkim key
+ "correolibre.net" => { d => "correolibre.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ "cuates.net" => { d => "cuates.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ "amigos.email" => { d => "amigos.email", a => 'rsa-sha256', ttl => 10*24*3600 },
+
+ # catch-all (one dkim key for all domains)
+ #'.' => {d => 'correolibre.net',
+ # a => 'rsa-sha256',
+ # c => 'relaxed/simple',
+ # ttl => 30*24*3600 },
+ });
+
+
+
+sudo amavisd-new showkeys
+sudo amavisd-new restart
+sudo amavisd-new testkeys
+
+
diff --git a/source/notes/ubuntuserver.gmi b/source/notes/ubuntuserver.gmi
index d001119..6517841 100644
--- a/source/notes/ubuntuserver.gmi
+++ b/source/notes/ubuntuserver.gmi
@@ -105,7 +105,7 @@ Instalar certbot
 ```
 sudo apt install certbot
-sudo certbot register
+sudo certbot register --agree-tos -m EMAIL
 ```
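Review bot: The pg_hba.conf step `local all postgres trust` (in the mailserver.gmi hunk, just after the sshd stanza) lets any local OS account, including the web and mail service users, open a PostgreSQL superuser session with no authentication, and the guide neither says why the stock `peer` method is replaced nor includes a step that reverts it; keep `local all postgres peer`, or state that `trust` is temporary and add the revert step. The sshd stanza sets `ClientAliveCountMax 0`, which as far as I recall disables the idle disconnect on OpenSSH 8.2 and later (what Ubuntu 20.04 ships) rather than enforcing it, so `ClientAliveCountMax 1` together with the existing `ClientAliveInterval 600` is what actually drops idle sessions. The amavis block names `correolibre.net` in `dkim_key` and in the by-sender map while every other step, including the `testkeys` output, uses `correolibre.org`, and no key is generated for the `.net` domain, so one of the two spellings looks like a typo. The new `/root/iRedMail-1.4.2/iRedMail.tips` line sits next to the config file that holds the generated passwords, so a reminder such as `Mueve o borra /root/iRedMail-1.4.2/config cuando termines la instalación` belongs here.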