- sudo apt-get install mysql-server
- sudo mysql_secure_installation
- CREATE DATABASE mail;
- GRANT SELECT ON mail.* TO 'mail'@'localhost' IDENTIFIED BY 'mailpassword';
- FLUSH PRIVILEGES;
- (Note: on MySQL 8.0 and later GRANT no longer creates accounts, so run CREATE USER 'mail'@'localhost' IDENTIFIED BY 'mailpassword'; first and then GRANT SELECT ON mail.* TO 'mail'@'localhost'; the ENCRYPT() function used below was also removed in 8.0.)
- USE mail;
- Tables:
- CREATE TABLE IF NOT EXISTS `virtual_domains` (
- `id` int(11) NOT NULL AUTO_INCREMENT,
- `name` varchar(50) NOT NULL,
- PRIMARY KEY (`id`)
- ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
- CREATE TABLE IF NOT EXISTS `virtual_aliases` (
- `id` int(11) NOT NULL AUTO_INCREMENT,
- `domain_id` int(11) NOT NULL,
- `source` varchar(254) NOT NULL,
- `destination` varchar(254) NOT NULL,
- PRIMARY KEY (`id`),
- KEY `domain_id` (`domain_id`),
- CONSTRAINT `virtual_aliases_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `virtual_domains` (`id`) ON DELETE CASCADE
- ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
- CREATE TABLE IF NOT EXISTS `virtual_users` (
- `id` int(11) NOT NULL AUTO_INCREMENT,
- `domain_id` int(11) NOT NULL,
- `password` varchar(106) NOT NULL,
- `email` varchar(254) NOT NULL,
- PRIMARY KEY (`id`),
- UNIQUE KEY `email` (`email`),
- KEY `domain_id` (`domain_id`),
- CONSTRAINT `virtual_users_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `virtual_domains` (`id`) ON DELETE CASCADE
- ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
- Virtual domains:
- INSERT INTO `virtual_domains`
- (`id`, `name`)
- VALUES
- ('1', 'mydomain.com'),
- ('2', 'my2nddomain.com');
- Virtual mailboxes:
- INSERT INTO `virtual_users`
- (`id`, `domain_id`, `password` , `email`)
- VALUES
- ('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'mail@mydomain.com'),
- ('2', '2', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'mail@my2nddomain.com');
- Virtual aliases:
- INSERT INTO `virtual_aliases`
- (`id`, `domain_id`, `source`, `destination`)
- VALUES
- ('1', '1', 'alias@mydomain.com', 'mail@mydomain.com');
- sudo apt-get install -y dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql
- Now we'll enable the protocols we need:
- sudo vim /etc/dovecot/dovecot.conf
- After the !include_try /usr/share/dovecot/protocols.d/*.protocol line, add:
- protocols = imap lmtp
- We also have to make sure the following line is uncommented:
- !include conf.d/*.conf
- Mail configuration:
- sudo groupadd -g 5000 mail
- sudo useradd -g mail -u 5000 mail -d /var/mail
- sudo mkdir -p /var/mail/vhosts/{mydomain.com,my2nddomain.com}
- sudo chown -R mail:mail /var/mail
- sudo chown -R dovecot:mail /etc/dovecot
- sudo chmod -R o-rwx /etc/dovecot
- sudo vim /etc/dovecot/conf.d/10-mail.conf
- Find the mail_location line, uncomment it and change it to the following:
- mail_location = maildir:/var/mail/vhosts/%d/%n
- Find the mail_privileged_group line, uncomment it and change it to the following:
- mail_privileged_group = mail
- Finally, find the first_valid_uid line, uncomment it and change it to the following:
- first_valid_uid = 1
- Auth configuration:
- Now we need to tell dovecot that we're using MySQL to authenticate our users.
- sudo vim /etc/dovecot/conf.d/10-auth.conf
- Uncomment the following line:
- disable_plaintext_auth = yes
- Find the line containing auth_mechanisms = plain and change it to the following:
- auth_mechanisms = plain login
- Comment out this line:
- #!include auth-system.conf.ext
- Uncomment this line in order to enable MySQL authentication:
- !include auth-sql.conf.ext
- MySQL configuration:
- To allow dovecot to connect to our MySQL database, we need to give it our MySQL credentials using a driver.
- sudo vim /etc/dovecot/conf.d/auth-sql.conf.ext
- Enter the following in the file before saving it:
- passdb {
- driver = sql
- args = /etc/dovecot/dovecot-sql.conf.ext
- }
- userdb {
- driver = static
- args = uid=mail gid=mail home=/var/mail/vhosts/%d/%n
- }
- sudo vim /etc/dovecot/dovecot-sql.conf.ext
- Find the #driver = line, uncomment it and change it to the following:
- driver = mysql
- Find the #connect = line, uncomment it and change it to the following, replacing the user and password with the MySQL credentials created earlier:
- connect = host=127.0.0.1 dbname=mail user=mail password=mailpassword
- Find the #default_pass_scheme = line, uncomment it and change it to the following:
- default_pass_scheme = SHA512-CRYPT
- Finally, find the #password_query = \ line, uncomment it and change it to the following:
- password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
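As an added illustration (not part of the original paste), here is how the mail_location and userdb home templates above map a login name to a directory, plus a containment check a provisioning script could apply before creating the Maildir. The MAILDIR_TEMPLATE, VHOSTS_ROOT and USERNAME_CHARS constants and the mailbox_dir function are this example's own assumptions; USERNAME_CHARS mirrors Dovecot's default auth_username_chars.

```python
import posixpath

# Templates as the guide configures them: the path part of mail_location and the
# static userdb home (both /var/mail/vhosts/%d/%n). These constants are this example's.
MAILDIR_TEMPLATE = "/var/mail/vhosts/%d/%n"
VHOSTS_ROOT = "/var/mail/vhosts"
# Characters Dovecot allows in a login name by default (auth_username_chars); assumed as the filter.
USERNAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@")


def dovecot_vars(username):
    """%u = full login, %n = part before the last '@', %d = domain after it ('' if none)."""
    local, sep, domain = username.rpartition("@")
    if not sep:
        local, domain = username, ""
    return {"u": username, "n": local, "d": domain}


def expand(template, username):
    """Expand %u / %n / %d in a Dovecot path template for one login name."""
    values = dovecot_vars(username)
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in values:
            out.append(values[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def mailbox_dir(username):
    """Directory this setup keeps the user's Maildir in, or None when the login should be
    rejected: disallowed characters, a missing local part or domain, or an expansion
    (for example a domain of '..') that would land outside VHOSTS_ROOT."""
    if not username or any(c not in USERNAME_CHARS for c in username):
        return None
    values = dovecot_vars(username)
    if not values["n"] or not values["d"]:
        return None
    path = posixpath.normpath(expand(MAILDIR_TEMPLATE, username))
    if posixpath.commonpath([VHOSTS_ROOT, path]) != VHOSTS_ROOT:
        return None
    return path
```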
- Master configuration:
- Now we're going to define the services that dovecot will provide.
- sudo vim /etc/dovecot/conf.d/10-master.conf
- Find service imap-login and change it to the following:
- service imap-login {
- inet_listener imap {
- port = 143
- }
- inet_listener imaps {
- port = 993
- ssl = yes
- }
- }
- Find service lmtp and change it to the following:
- service lmtp {
- unix_listener /var/spool/postfix/private/dovecot-lmtp {
- mode = 0600
- user = postfix
- group = postfix
- }
- }
- Find service auth and change it to the following:
- service auth {
- unix_listener /var/spool/postfix/private/auth {
- mode = 0666
- user = postfix
- group = postfix
- }
- unix_listener auth-userdb {
- mode = 0600
- user = mail
- }
- user = dovecot
- }
- Finally, find service auth-worker and change it to the following:
- service auth-worker {
- user = mail
- }
- sudo vim /etc/dovecot/conf.d/10-ssl.conf
- Change the ssl parameter to required:
- ssl = required
- Set ssl_cert to your full certificate chain (server certificate plus intermediates, without the root CA certificate) and ssl_key to the path of your certificate's private key:
- ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
- ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
- Use a stronger ssl_dh_parameters_length:
- ssl_dh_parameters_length = 4096
- Generating these parameters will take a very long time to complete, and dovecot will not be functional until it is completed. Alternatively you can use "2048", although that is not as future-proof.
- Disable insecure ssl_protocols:
- ssl_protocols = !SSLv2 !SSLv3 !TLSv1
- Use a stronger ssl_cipher_list:
- ssl_cipher_list = ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!aNULL:@STRENGTH
- Prefer server ciphers:
- ssl_prefer_server_ciphers = yes
- (Note: on Dovecot 2.3 and later, ssl_dh_parameters_length has been replaced by ssl_dh = </path/to/dh.pem, a file you generate yourself, and ssl_protocols by ssl_min_protocol.)
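As an added example (not from the original paste), a small checker that parses Dovecot's key = value syntax and verifies the hardening points of this section, using the Dovecot 2.2 setting names the guide uses, against a constructed weak configuration beside the hardened one. The parse_dovecot_conf and audit functions and the 1024-bit fallback for an unset ssl_dh_parameters_length are this example's assumptions.

```python
# Constructed samples: a weak configuration beside the values this section sets.
WEAK_CONF = """\
ssl = yes
#ssl_dh_parameters_length = 1024
ssl_protocols = !SSLv2
disable_plaintext_auth = no
"""
HARDENED_CONF = """\
ssl = required
ssl_dh_parameters_length = 4096
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = yes
"""

def parse_dovecot_conf(text):
    """Flatten 'key = value' lines into a dict; '#' comments are skipped and settings
    inside { } blocks are prefixed with the block name (e.g. 'service auth/user')."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings["/".join(stack + [key])] = value
    return settings

def audit(text):
    """Return one finding per hardening point from this section that the config misses."""
    s = parse_dovecot_conf(text)
    findings = []
    if s.get("ssl") != "required":
        findings.append("ssl is not 'required': logins without TLS are possible")
    if s.get("disable_plaintext_auth") != "yes":
        findings.append("disable_plaintext_auth is not 'yes'")
    missing = {"!SSLv2", "!SSLv3", "!TLSv1"} - set(s.get("ssl_protocols", "").split())
    findings += [f"ssl_protocols does not disable {p[1:]}" for p in sorted(missing)]
    # Assumed fallback: treat an unset length as Dovecot 2.2's 1024-bit default.
    dh = s.get("ssl_dh_parameters_length", "1024")
    if not dh.isdigit() or int(dh) < 2048:
        findings.append(f"ssl_dh_parameters_length {dh} is below 2048")
    if s.get("ssl_prefer_server_ciphers") != "yes":
        findings.append("ssl_prefer_server_ciphers is not 'yes'")
    return findings
```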