image-center

Server Configuration - Part 1

Introduction

This is a multi-part guide for configuring a full-featured mailserver. At the end of this guide you will have a mailserver capable of providing standard email services to multiple domains. I will be using Postfix, Dovecot, ViMbAdmin, and Roundcube. The mailserver will include Anti-Virus (AV) and Anti-Spam (AS) protection including real-time blacklist (RBL) checks. I am going to be using StartSSL to get valid certificates. After the configuration is complete I will go over which files you will want to be backing up on a regular basis to minimize downtime in the event of failure.

For this guide I will assume you have your own server or a Virtual Private Server (VPS) with CentOS 7 minimal. I also assume you have your own domain name. You will need to forward email for your domain somewhere as well to prove you own the domain and get the SSL Certificates. Alternatively you can go back and add the certificates later, but I’m not going to cover that process.

What do these applications do?

Postfix is the Mail Transfer Agent (MTA) it controls the flow of email and gets messages to where they belong. Postfix is the SMTP server. Covered in Part 2.

PostgreSQL is the database server that will hold all the information about users and domains. Covered in Part 3.

ViMbAdmin stands for “Virtual Mailbox Admin” it provides a web interface to configure Postifx users and domain names. Covered in Part 4.

AV and AS do what their name says, they stop spam and viruses. I will be using ClamAV and Spamassassin to provide these services. Covered in Part 5.

Dovecot gets the email from the mailserver to the user. It can do multiple protocols, we will focus on IMAP for this guide. Covered in Part 6.

Roundcube is the web-based mail client, allowing users to access their email using nothing more than a web browser. Covered in Part 7.

Finally RBL provides a list of IP addresses that are known spam senders. Using the Blacklist we can block email from these servers in an effort to fight spam.

Get Started

There are a few things we need to do prior to diving into Postfix. First of all, install some common tools that will be used for this setup:

yum install -y nano wget unzip

Updates

First of all, make sure that your CentOS 7 install is up to date with yum.

yum update -y

Set the Hostname

You will want to set your hostname right away, there are multiple occasions where you will need the FQDN (Fully Qualified Domain Name) of your mailserver. You will use the “hostnamectl” command to set this:

hostnamectl set-hostname "hostname" --pretty
hostnamectl set-hostname hostname.domain.com --static
hostnamectl set-hostname hostname --transient

To verify that your changes were effective:

hostnamectl status

As long as everything looks good, we can now move onto disabling selinux before rebooting the host.

Disable selinux

The next step is to turn off selinux, you can do this by editing “/etc/selinux/config” or the symlink to this file at “/etc/sysconfig/selinux”:

nano /etc/selinux/config

Change “enforcing” to disabled, your file will look like this after the edits:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

#

After your system is updated, hostname is changed, and selinux is disabled, go ahead and reboot the host.

SSL Certificate

Now is not Trusted CA. Mozilla and Google decided to distrust all StartCom root certificates as of 21st of October, 2016, meaning that since January all the SSL certificates issued from that date will no longer be trusted in Firefox and Chrome newest releases. Besides, Google has gone further and as explained here: https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html will not trust even those SSL certificates issued before that date until the final disruption. Apple’s decision announced on Nov 30th, 2016 was to distrust all StartCom root certificates as of 1st of December, meaning that SSL cert issued after December 1st, 2016 will no longer be trusted in Apple’s systems.

Now your system is up to date and prepared. I recommend you go over to StartSSL and register for an account. You will get a certificate to login to your account. Don’t loose your certificate and make sure you put it on any private computer you will be using to manage your account. After you have registered for an account, the next step is to verify your domain. This is where you need “hostmaster@yourdomain.com” forwarded to and email account you can access. StartSSL sends a verification code to the email address to verify you own your domain. Once your domain is verified, you can begin requesting your free certificate.

Choosing the URLs for your mailserver certificate

The free certificate allows you to have 5 addresses configured, and does NOT allow *.domain.com addresses so you need to choose wisely. Although you are limited to 5 addresses on this particular certificate, they don’t stop you from signing up for another certificate on the same domain. I recommend using this certificate for your mailserver and requesting a separate one for your webserver if you want to use HTTPS on your website. Here are the addresses I recommend you use: (hostname.domain.com is the FQDN name of your mailserver.)

hostname.domain.com
mail.domain.com
smtp.domain.com
imap.domain.com
pop3.domain.com

These addresses should cover the most common URLs used to connect to your mailserver.

Generate a signing request

Now its time to generate the key and the signing request on your mailserver. I usually make a directory for these in “/root”:

mkdir /root/certs && cd certs

Now lets generate the key and the signing request. Use a good passphrase and DO NOT LOOSE IT! Remember to alter this command to reflect your hostname/domain name:

openssl req -newkey rsa:2048 -keyout hostname.domain.com.enc.key -out hostname.domain.com.csr

Now we need to send the signing request to StartSSL and get a certificate. Use the following command to view the request:

cat hostname.domain.com.csr

Be sure to copy everything between and including the following two lines:

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

Submit the signing request

Choose “Generated by Myself” under “Please submit your Certificate Signing Request” Paste the copied data into the box that appears:

CSR_Submit

Click “submit” and you will be taken to a page with a link to download your new certificate. Download the .zip file containing certificate. After you download the file, upload it to your “/root/certs/” folder. If you are using Windows, I have found the easiest way to copy things to a remote server is to use MobaXterm it has a built-in sftp client, and you can drag-and-drop files to your mailserver. On Linux you should be able to simply use the “scp” command to move the file.

Make an unencrypted copy of your .key file

While we are working with certificates, there is one more thing to do. We can remove the encryption from the key file to prevent having to input the passphrase every time the server uses the certificate. You may have noticed that the command I gave you earlier created a “hostname.domain.com.enc.key”. I did this so we know this is the encrypted version of the key. Use the following command and your pasphrase you created earlier to make an unencrypted version of the key:

openssl rsa -in hostname.domain.com.enc.key -out hostname.domain.com.key

Keep your new .key file safe, don’t put it anywhere that users can access.

Conclusion

Your mailserver should be ready to install Postfix. You should have selinux disabled. The mailserver’s hostname should be set, and your domain should be verified on StartSSL. You should have your valid and signed certificates in a .zip file. You should also have an unencrypted .key file to will avoid having to provide the passphrase every time the service restarts.

In the next section I will cover installing Postfix. Your mailserver may already have Postfix installed, but we are going to need to install a different version. We need to install the version of Postfix that supports using PostgreSQL for virtual domains and users.

Continue to Part 2 where we install Postfix.