From c518fb042889a1e81331405237bd5bdd52f9708c Mon Sep 17 00:00:00 2001 From: mqr10 Date: Sat, 4 Jul 2020 16:14:30 +0200 Subject: [PATCH 1/4] force minimum TLS1.2 connections, disable weak ciphersuites --- emailwiz.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/emailwiz.sh b/emailwiz.sh index a4750e4..725dfab 100755 --- a/emailwiz.sh +++ b/emailwiz.sh @@ -65,6 +65,14 @@ postconf -e "smtpd_tls_auth_only = yes" postconf -e "smtp_tls_security_level = may" postconf -e "smtp_tls_loglevel = 1" postconf -e "smtp_tls_CAfile=$certdir/cert.pem" +postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "tls_preempt_cipherlist = yes" +postconf -e "smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, + DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, + RSA+AES, eNULL" # Here we tell Postfix to look to Dovecot for authenticating users/passwords. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth @@ -126,6 +134,9 @@ echo "# Dovecot config ssl = required ssl_cert = <$certdir/fullchain.pem ssl_key = <$certdir/privkey.pem +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH +ssl_prefer_server_ciphers = yes # Plaintext login. This is safe and easy thanks to SSL. auth_mechanisms = plain login From 30fd2d5d8d71825fb1bbbe4fc9ca01aebcd0f093 Mon Sep 17 00:00:00 2001 From: Darnell Andries Date: Tue, 21 Jul 2020 14:23:38 -0700 Subject: [PATCH 2/4] Fixes for custom subdomain names --- emailwiz.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/emailwiz.sh b/emailwiz.sh index af3ff66..f05d8ef 100755 --- a/emailwiz.sh +++ b/emailwiz.sh @@ -38,7 +38,7 @@ apt install postfix dovecot-imapd dovecot-sieve opendkim spamassassin spamc # Check if OpenDKIM is installed and install it if not. which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools domain="$(cat /etc/mailname)" -subdom="mail" +subdom=${MAIL_SUBDOM:-mail} maildomain="$subdom.$domain" certdir="/etc/letsencrypt/live/$maildomain" @@ -232,7 +232,7 @@ chmod g+r /etc/postfix/dkim/* # Generate the OpenDKIM info: echo "Configuring OpenDKIM..." grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null || -echo "$subdom._domainkey.$domain $domain:mail:/etc/postfix/dkim/mail.private" >> /etc/postfix/dkim/keytable +echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$subdom.private" >> /etc/postfix/dkim/keytable grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null || echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable @@ -272,7 +272,7 @@ for x in dovecot postfix opendkim spamassassin; do service "$x" restart && printf " ...done\\n" done -pval="$(tr -d "\n" Date: Sun, 27 Sep 2020 11:47:39 +0100 Subject: [PATCH 3/4] Add extra troubleshooting, readability changes --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 31846d6..d7deb5f 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ same setup time and time again. I've linked this file on Github to a shorter, more memorable address on my website so you can get it on your machine with this short command: -``` +```sh curl -LO lukesmith.xyz/emailwiz.sh ``` @@ -22,7 +22,7 @@ actually works perfectly. - **Postfix** to send and receive mail. - **Dovecot** to get mail to your email client (mutt, Thunderbird, etc). -- Config files that unique the two above securely with native log-ins. +- Config files that link the two above securely with native log-ins. - **Spamassassin** to prevent spam and allow you to make custom filters. - **OpenDKIM** to validate you so you can send to Gmail and other big sites. @@ -104,7 +104,7 @@ email program. For my domain, the server information will be as follows: - SMTP port: 587 - IMAP server: `mail.lukesmith.xyz` - IMAP port: 993 -- Username `luke` (I.e. *not* `luke@lukesmith.xyz`) +- Username `luke` (i.e. *not* `luke@lukesmith.xyz`) The last point is important. Many email systems use a full email address on login. Since we just simply use local PAM logins, only the user's name is used @@ -115,8 +115,6 @@ login. Since we just simply use local PAM logins, only the user's name is used You're a big boy now if you have your own mail server! -You can tweak Postfix (sending mail - ## Benefited from this? If this script or documentation has saved you some frustration, you can donate @@ -135,3 +133,5 @@ to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html). worry if you are: sometimes especially new domains are automatically assumed to be spam temporaily. If you are blacklisted by one of these, look into it and it will explain why and how to remove yourself. +- Check your DNS settings using [this site](https://intodns.com/), it'll report any issues with your MX records +- Ensure that port 25 is open on your server. [Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance blocks this by default, you need to open a support ticket with them to open it. You can't send mail if 25 is blocked From 1ab9f432df8912e26677935e4d4a26cf278f6a6c Mon Sep 17 00:00:00 2001 From: Luke Smith Date: Sat, 14 Nov 2020 14:18:50 -0500 Subject: [PATCH 4/4] log in with full email addr instead of username documentation changes --- README.md | 42 +++++++++++++++++------------------------- emailwiz.sh | 2 +- 2 files changed, 18 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 228430c..191588a 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Email server setup script -I wrote this script during the gruelling process of installing and setting up +I wrote this script during the grueling process of installing and setting up an email server. It perfectly reproduces my successful steps to ensure the same setup time and time again. @@ -14,14 +14,10 @@ curl -LO lukesmith.xyz/emailwiz.sh When prompted by a dialog menu at the beginning, select "Internet Site", then give your full domain without any subdomain, i.e. `lukesmith.xyz`. -Read this readme and peruse the script's comments before running it. Expect it -to fail and you have to do bug testing and you will be very happy when it -actually works perfectly. - ## This script installs - **Postfix** to send and receive mail. -- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc). +- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc.). - Config files that unique the two above securely with native log-ins. - **Spamassassin** to prevent spam and allow you to make custom filters. - **OpenDKIM** to validate you so you can send to Gmail and other big sites. @@ -50,19 +46,19 @@ actually works perfectly. server: (1) an **MX record** pointing to your own main domain/IP and (2) a **CNAME record** for your `mail.` subdomain. 4. **A Reverse DNS entry for your site.** Go to your VPS settings and add an - entry for your IPV4 Reverse DNS that goes from your IP address to - `` (not mail subdomain). If you would like IPV6, you can do + entry for your IPv4 Reverse DNS that goes from your IP address to + `` (not mail subdomain). If you would like IPv6, you can do the same for that. This has been tested on Vultr, and all decent VPS hosts - will have a section on their instance settings page to add a reverse DNS PTR + will have a section on their instance settings page to add a reverse DNS PTR entry. You can use the 'Test Email Server' or ':smtp' tool on [mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) to test if you set up a reverse DNS correctly. This step is not required for everyone, but some - big email services like gmail will stop emails coming from mail servers + big email services like Gmail will stop emails coming from mail servers with no/invalid rDNS lookups. This means your email will fail to even - make it to the receipients spam folder; it will never make it to them. + make it to the recipients spam folder; it will never make it to them. 5. `apt purge` all your previous (failed) attempts to install and configure a - mailserver. Get rid of _all_ your system settings for Postfix, Dovecot, + mail server. Get rid of _all_ your system settings for Postfix, Dovecot, OpenDKIM and everything else. This script builds off of a fresh install. 6. Some VPS providers block port 25 (used to send mail). You may need to request that this port be opened to send mail successfully. Although I have @@ -105,27 +101,23 @@ email program. For my domain, the server information will be as follows: - SMTP port: 587 - IMAP server: `mail.lukesmith.xyz` - IMAP port: 993 -- Username `luke` (I.e. *not* `luke@lukesmith.xyz`) - -The last point is important. Many email systems use a full email address on -login. Since we just simply use local PAM logins, only the user's name is used -(this makes a difference if you're using my -[mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard), etc.). - -## Tweaking things - -You're a big boy now if you have your own mail server! -You can tweak Postfix (sending mail +In previous versions of emailwiz, you also had to log on with *only* your +username (i.e. `luke`) rather than your whole email address (i.e. +`luke@lukesmith.xyz`), which caused some confusion. This is no longer the +case. ## Benefited from this? -If this script or documentation has saved you some frustration, you can donate -to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html). +I am always glad to hear this script is still making life easy for people! If +this script or documentation has saved you some frustration, you can donate to +support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html). ## Troubleshooting -- Can't send mail? - Always check `journalctl -xe` to see the specific problem. +- Check with your VPS host and ask them to enable mail ports. Some providers + disable them by default. It shouldn't take any time. - Go to [this site](https://appmaildev.com/en/dkim) to test your TXT records. If your DKIM, SPF or DMARC tests fail you probably copied in the TXT records incorrectly. diff --git a/emailwiz.sh b/emailwiz.sh index 837ea1c..20685ea 100755 --- a/emailwiz.sh +++ b/emailwiz.sh @@ -130,6 +130,7 @@ ssl_key = <$certdir/privkey.pem ssl_dh = "$HOME/dns_emailwizard" echo " - _ _ | \ | | _____ ___ | \| |/ _ \ \ /\ / (_)