Skip to content

Home Lab

Notes from my learning sessions

Menu
Menu

Preparing for configuring secure mail server using Postfix, Dovecot, Spamassassin and OpenDKIM

Posted on December 28, 2019 by sandeep

My requirements

Have registered domain and a web server is already hosted for the same. Need is to add a ‘mail’ subdomain associated with a different public IP and set up a mail server. Have access to DNS management and will be configuring mail server on a VM on my server (hosted in a datacenter) to which I have root access. Updated firewall rules to forward HTTP (80), HTTPS(443), IMAP (993), SMTP (587) to be forwarded to the VM IP 10.1.x.x

Note : Replace all occurrences of example.com with the registered domain if you plan to follow the how-to given here.

DNS Configurations

Added a A record with name as mail, value as the 103.x.x.x the public IP planned to be used for mail server.

Added a MX record with name as mail, value as mail.example.com and since being the only mail server set priority to 0.

Added a TXT entry with name as @ and value as v=spf1 mx ~all for SPF purposes.

Added a TXT entry with name as mail.example.com and value as v=DMARC1; p=none – Planned to update as needed after installation.

Requested the data center team to have PTR record for 103.x.x.x (public IP assigned to mail server) so that reverse DNS lookup succeeds.

SSL certificates from Let’s Encrypt

Installed Debian Buster (minimal install). To generate a SSL certificate signed by Let’s Encrypt we need to have a web server running online for the domain name, in our case mail.example.com.

Install apache2

#apt install -y apache2

Remove all configuration files from /etc/apache2/sites-available and add mail.example.com.conf in that folder with following contents

<VirtualHost *:80>
   ServerName mail.example.com

   DirectoryIndex index.html
   DocumentRoot /var/www/mail.example.com

   ErrorLog ${APACHE_LOG_DIR}/mail-error.log
   CustomLog ${APACHE_LOG_DIR}/mail-access.log combined

   Options FollowSymLinks
   <Directory "/var/www/mail.example.com">
     AllowOverride All
     Require all granted
   </Directory>
</VirtualHost>

Create a folder /var/www/mail.example.com. Create a simple index.html file in the folder. Change the ownership of the /var/www/mail.example.com

#chown www-data:www-data -R /var/www/mail.example.com

Add a soft link in sites-enabled folder

#cd /etc/apache2/sites-enabled
#ln -fs /etc/apache2/sites-available/mail.example.com.conf mail.example.com.conf

Enable modssl and modrewrite and restart apache2

#a2enmod ssl rewrite
#systemctl restart apache2

Add a few port-fowrading rule in the firewall to forward all HTTP and HTTPS requests received for public IP 103.x.x.x (allocated to mail.example.com) to the VM IP.

Restart apache and verify you can access http://mail.example.com

Install certbot

#apt-get install certbot python-certbot-apache
a2enmod ssl
 Considering dependency setenvif for ssl:
 Module setenvif already enabled
 Considering dependency mime for ssl:
 Module mime already enabled
 Considering dependency socache_shmcb for ssl:
 Enabling module socache_shmcb.
 Enabling module ssl.
 See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
 To activate the new configuration, you need to run:
   systemctl restart apache2

Generate certificate – No updates to Vritual host configuration files (certonly)

root@vm:~# certbot certonly --apache -d example.com
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator apache, Installer apache
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to
 cancel): xxxx@xx.in
 
 Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
 agree in order to register with the ACME server at
 https://acme-v02.api.letsencrypt.org/directory
 
 (A)gree/(C)ancel: A
 
 Would you be willing to share your email address with the Electronic Frontier
 Foundation, a founding partner of the Let's Encrypt project and the non-profit
 organization that develops Certbot? We'd like to send you email about our work
 encrypting the web, EFF news, campaigns, and ways to support digital freedom.
 
 (Y)es/(N)o: N
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for example.com
 Waiting for verification…
 Cleaning up challenges
 IMPORTANT NOTES:
 Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/example.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/example.com/privkey.pem
 Your cert will expire on 2020-04-10. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot
 again. To non-interactively renew all of your certificates, run
 "certbot renew"
 Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le 
 root@vm:~# 

Verify the SSL certificate works. Add a Virtual host section for handling https requests and test.

<VirtualHost *:443>
   ServerName example.com

   DirectoryIndex index.html
   DocumentRoot /var/www/example.com

   SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf

   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined

   Options FollowSymLinks
   <Directory /var/www/example.com>
     AllowOverride All
     Require all granted
  </Directory>
</VirtualHost>

Restart apache.

#service apache2 restart

Certificate renewal cron jobs are added on generation of certificate.

#ls -ltr /etc/cron.d
-rw-r--r-- 1 root root 775 Sep 15  2018 certbot
# cat /etc/cron.d/certbot 
 /etc/cron.d/certbot: crontab entries for the certbot package
 #
 Upstream recommends attempting renewal twice a day
 #
 Eventually, this will be an opportunity to validate certificates
 haven't been revoked, etc.  Renewal will only occur if expiration
 is within 30 days.
 #
 Important Note!  This cronjob will NOT be executed if you are
 running systemd as your init system.  If you are running systemd,
 the cronjob.timer function takes precedence over this cronjob.  For
 more details, see the systemd.timer manpage, or use systemctl show
 certbot.timer.
 SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Recent Posts

  • Openstack Xena on Ubuntu 20.04 – Cinder
  • Preparing custom Debian 11 MATE image
  • Setup Ubuntu 20.04 repository mirror server
  • Preparing custom Debian 11 server cloud image
  • Complile Linux Kernel (on Debian 11)
  • Openstack Xena – Test Home Lab
  • Openstack Xena on Ubuntu 20.04 – Horizon
  • Openstack Xena on Ubuntu 20.04 -Home Lab
  • Openstack Xena on Ubuntu 20.04 – Neutron
  • Openstack Xena on Ubuntu 20.04 – Nova

Archives

  • April 2022
  • March 2022
  • February 2022
  • December 2021
  • October 2021
  • September 2021
  • October 2020
  • February 2020
  • January 2020
  • December 2019
© 2023 Home Lab | Powered by Minimalist Blog WordPress Theme