TastyPancakes
/
emailwiz
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cleanup

This commit is contained in:
Chang, Chu-Kuan 2021-02-12 11:17:23 +08:00
parent d898a78c5f
commit 46441bb33e
2 changed files with 26 additions and 144 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
README.md
View File

@ -1,124 +0,0 @@
# Email server setup script
This is a heavily modified version of
[LukeSmith's emailwiz](https://github.com/LukeSmithxyz/emailwiz). Basically
everything (except comments) in the original script is rewrited to suit OpenBSD.
I wrote this script during the gruelling process of installing and setting up
an email server. It perfectly reproduces my successful steps to ensure the
same setup time and time again.
Read this readme and peruse the script's comments before running it. Expect it
to fail and you have to do bug testing and you will be very happy when it
actually works perfectly.
## This script installs
- **OpenSMTPD** to send and receive mail.
- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc).
- Config files that unique the two above securely with native log-ins.
- **Rspamd** to prevent spam and allow you to make custom filters.
- **opensmtpd-filter-dkimsign** to validate you so you can send to Gmail and
other big sites.
## This script does _not_
- use a SQL database or anything like that.
- set up a graphical interface for mail like Roundcube or Squirrel Mail. If you
want that, you'll have to install it yourself. I just use
[isync/msmtp/mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard) to
have an offline mirror of my email setup and I recommend the same. There are
other ways of doing it though, like Thunderbird, etc.
## Requirements
1. A **OpenBSD server**. I've tested this on a
[Vultr](https://www.vultr.com/?ref=8608122) OpenBSD server and their setup
works, but I suspect other VPS hosts will have similar/possibly identical
default settings which will let you run this on them. Note that the affiliate
link there to Vultr gives you a $100 credit for the first month to play
around.
2. **A Let's Encrypt SSL certificate for your site's `mta` subdomain**.
Create a `httpd(1)` site at `mta.domain.tld` and get a certificate
for it with `acme-client(1)`.
3. You need two little DNS records set on your domain registrar's site/DNS
server: (1) an **MX record** pointing to your own main domain/IP and (2) a
**CNAME record** for your `mta.` subdomain.
4. **A Reverse DNS entry for your site.** Go to your VPS settings and add an
entry for your IPV4 Reverse DNS that goes from your IP address to
`mta.domain.tld`. If you would like IPV6, you can do the same for
that. This has been tested on Vultr, and all decent VPS hosts will have
a section on their instance settings page to add a reverse DNS PTR entry.
You can use the 'Test Email Server' or ':smtp' tool on
[mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) to test if you set up
a reverse DNS correctly. This step is not required for everyone, but some
big email services like gmail will stop emails coming from mail servers
with no/invalid rDNS lookups. This means your email will fail to even
make it to the receipients spam folder; it will never make it to them.
6. Some VPS providers block port 25 (used to send mail). You may need to
request that this port be opened to send mail successfully. Although I have
never had to do this on a Vultr VPS, others have had this issue so if you
cannot send, contact your VPS provider.
7. Edit parameter section in emailwiz script. For example, change `${domain}` to
`changchukuan.name` and `${subdom}` to `mta`.
## Post-install requirement!
- After the script runs, you'll have to add additional DNS TXT records which
are displayed at the end when the script is complete. They will help ensure
your mail is validated and secure.
- Modify rspamd whitelists/blacklists in `/etc/rspamd/local.d` to yout need.
## Making new users/mail accounts
Let's say we want to add a user Billy and let him receive mail, run this:
```
useradd -m billy
passwd billy
```
A user's mail will appear in `~/Maildir/`. If you want to see your mail while
ssh'd in the server, you could just install mutt, add `set spoolfile="+Inbox"`
to your `~/.muttrc` and use mutt to view and reply to mail. You'll probably want
to log in remotely though:
## Logging in from Thunderbird or mutt (and others) remotely
Let's say you want to access your mail with Thunderbird or mutt or another
email program. For my domain, the server information will be as follows:
- SMTP server: `mta.domain.tld`
- SMTP port: 465
- IMAP server: `mta.domain.tld`
- IMAP port: 993
- Username `user` (I.e. *not* `user@domain.tld`)
The last point is important. Many email systems use a full email address on
login. Since we just simply use local BSDAuth logins, only the user's name is
used (this makes a difference if you're using luke's
[mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard), etc.).
## Tweaking things
You're a big boy now if you have your own mail server!
You can tweak smtpd (sending mail
## Furthur reading
- [poolp's guide](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/)
## Troubleshooting -- Can't send mail?
- Always check `/var/log/maillog` and `/var/log/rspamd` to see the specific
problem.
- Go to [this site](https://appmaildev.com/en/dkim) to test your TXT records.
If your DKIM, SPF or DMARC tests fail you probably copied in the TXT records
incorrectly.
- If everything looks good and you *can* send mail, but it still goes to Gmail
or another big provider's spam directory, your domain (especially if it's a
new one) might be on a public spam list. Check
[this site](https://mxtoolbox.com/blacklists.aspx) to see if it is. Don't
worry if you are: sometimes especially new domains are automatically assumed
to be spam temporaily. If you are blacklisted by one of these, look into it
and it will explain why and how to remove yourself.

46
emailwiz
View File

@ -10,41 +10,43 @@
# IMAPs server: mta.domain.tld (${subdom}.${domain})
# IMAPs Setting: port 993, SSL/TLS, PLAIN
# User: user name w/o '@domain.tld'
#
# Firewall setting, open following port:
# SMPT port 25
# SMTPs port 465
# IMAPs port 993
# smtp port 25
# smtps port 465
# imaps port 993
#
# Mail will be stored in non-retarded Maildirs because it's ${current_year}.
# This makes it easier for use with isync, which is what I care about so I can
# have an offline repo of mail.
#
# The mailbox names are: Inbox, Sent, Drafts, Archive, Spam, Trash
#
# Use the typical unix login system for mail users. Users will log into their
# email with their passnames on the server. No usage of a redundant mySQL
# database to do this.
# Rspamd whitelists and blacklists are in /etc/rspamd/.local.d. Modify them to
# your own need.
#
# Rspamd whitelists and blacklists are in /etc/rspamd/.local.d
# Modify them to your own need.
#
# DEPENDENCIES BEFORE RUNNING
#
#
# 1. Modify "Paramater" section to your need.
# 2. Have a OpenBSD 6.8 system with a static IP and all that. Pretty much any
#
# 2. Have a OpenBSD system with a static IP and all that. Pretty much any
# default VPS offered by a company will have all the basic stuff you need.
#
# 3. Have a Let's Encrypt SSL certificate for mx.domain.tld
# (${subdom}.${domain}) using httpd(1) and acme-client(1).
#
# 4. If you've been toying around with your server settings trying to get
# smtpd/dovecot/rspamd/etc. I recommend you to clear out /etc/mail, /etc/dovecot
# , and /etc/rspamd/local.d yourself if needbe, because this script is build on
# top of only the defaults.
#
# 5. Setup doas(1) so we can act as _dkimsign user
#
# Parameters
@ -52,11 +54,12 @@
# Modify this section to your need
readonly domain='domain.tld'
readonly subdom='mta'
readonly subdom='mta0'
# DO NOT modify this part
readonly maildomain="${subdom}.${domain}"
readonly progname="$(basename "$0")"
# Certificate for smtp
readonly certfile="/etc/ssl/${maildomain}.fullchain.pem"
readonly keyfile="/etc/ssl/private/${maildomain}.key"
@ -79,7 +82,8 @@ fi
printf '%s: Installing programs...\n' "${progname}"
pkg_add opensmtpd-filter-dkimsign dovecot dovecot-pigeonhole rspamd opensmtpd-filter-rspamd
pkg_add opensmtpd-filter-dkimsign dovecot dovecot-pigeonhole rspamd \
opensmtpd-filter-rspamd
if test ! -f '/etc/doas.conf'; then
printf '%s: doas(1) not configured.\n' "${progname}" 2>&1
@ -316,9 +320,7 @@ if ! grep -q 'dovecot' /etc/login.conf; then
cp -f /etc/login.conf /etc/login.conf.def
cat << EOF >> /etc/login.conf
#
# Dovecot entry
#
dovecot:\\
:openfiles-cur=1024:\\
:openfiles-max=2048:\\
@ -360,7 +362,9 @@ for x in 'local_bl_from.map.inc' 'local_bl_ip.map.inc' 'local_bl_rcpt.map.inc' \
done
cat << EOF > /etc/rspamd/local.d/multimap.conf
#
# Blacklists
#
local_bl_ip {
type = "ip";
@ -386,7 +390,9 @@ local_bl_rcpt {
score = 5;
}
#
# Whitelists
#
local_wl_ip {
type = "ip";
@ -426,7 +432,7 @@ doas -u _dkimsign openssl genrsa -out "${dkimkey}" 2048
# Restart daemons
#
for x in 'smtpd' 'dovecot' 'rspamd'; do
for x in 'smtpd' 'dovecot' 'rspamd' 'redis'; do
printf '%s: Enabling %s...' "${progname}" "${x}"
rcctl enable "${x}" 2>&1 > /dev/null && printf ' Done\n' || printf ' Failed\n'
printf '%s: Restarting %s...' "${progname}" "${x}"