diff --git a/README.md b/README.md index d4ffae8..e69de29 100644 --- a/README.md +++ b/README.md @@ -1,124 +0,0 @@ -# Email server setup script - -This is a heavily modified version of -[LukeSmith's emailwiz](https://github.com/LukeSmithxyz/emailwiz). Basically -everything (except comments) in the original script is rewrited to suit OpenBSD. - -I wrote this script during the gruelling process of installing and setting up -an email server. It perfectly reproduces my successful steps to ensure the -same setup time and time again. - -Read this readme and peruse the script's comments before running it. Expect it -to fail and you have to do bug testing and you will be very happy when it -actually works perfectly. - -## This script installs - -- **OpenSMTPD** to send and receive mail. -- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc). -- Config files that unique the two above securely with native log-ins. -- **Rspamd** to prevent spam and allow you to make custom filters. -- **opensmtpd-filter-dkimsign** to validate you so you can send to Gmail and - other big sites. - -## This script does _not_ - -- use a SQL database or anything like that. -- set up a graphical interface for mail like Roundcube or Squirrel Mail. If you - want that, you'll have to install it yourself. I just use - [isync/msmtp/mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard) to - have an offline mirror of my email setup and I recommend the same. There are - other ways of doing it though, like Thunderbird, etc. - -## Requirements - -1. A **OpenBSD server**. I've tested this on a - [Vultr](https://www.vultr.com/?ref=8608122) OpenBSD server and their setup - works, but I suspect other VPS hosts will have similar/possibly identical - default settings which will let you run this on them. Note that the affiliate - link there to Vultr gives you a $100 credit for the first month to play - around. -2. **A Let's Encrypt SSL certificate for your site's `mta` subdomain**. - Create a `httpd(1)` site at `mta.domain.tld` and get a certificate - for it with `acme-client(1)`. -3. You need two little DNS records set on your domain registrar's site/DNS - server: (1) an **MX record** pointing to your own main domain/IP and (2) a - **CNAME record** for your `mta.` subdomain. -4. **A Reverse DNS entry for your site.** Go to your VPS settings and add an - entry for your IPV4 Reverse DNS that goes from your IP address to - `mta.domain.tld`. If you would like IPV6, you can do the same for - that. This has been tested on Vultr, and all decent VPS hosts will have - a section on their instance settings page to add a reverse DNS PTR entry. - You can use the 'Test Email Server' or ':smtp' tool on - [mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) to test if you set up - a reverse DNS correctly. This step is not required for everyone, but some - big email services like gmail will stop emails coming from mail servers - with no/invalid rDNS lookups. This means your email will fail to even - make it to the receipients spam folder; it will never make it to them. -6. Some VPS providers block port 25 (used to send mail). You may need to - request that this port be opened to send mail successfully. Although I have - never had to do this on a Vultr VPS, others have had this issue so if you - cannot send, contact your VPS provider. -7. Edit parameter section in emailwiz script. For example, change `${domain}` to -`changchukuan.name` and `${subdom}` to `mta`. - -## Post-install requirement! - -- After the script runs, you'll have to add additional DNS TXT records which - are displayed at the end when the script is complete. They will help ensure - your mail is validated and secure. -- Modify rspamd whitelists/blacklists in `/etc/rspamd/local.d` to yout need. - -## Making new users/mail accounts - -Let's say we want to add a user Billy and let him receive mail, run this: - -``` -useradd -m billy -passwd billy -``` - -A user's mail will appear in `~/Maildir/`. If you want to see your mail while -ssh'd in the server, you could just install mutt, add `set spoolfile="+Inbox"` -to your `~/.muttrc` and use mutt to view and reply to mail. You'll probably want -to log in remotely though: - -## Logging in from Thunderbird or mutt (and others) remotely - -Let's say you want to access your mail with Thunderbird or mutt or another -email program. For my domain, the server information will be as follows: - -- SMTP server: `mta.domain.tld` -- SMTP port: 465 -- IMAP server: `mta.domain.tld` -- IMAP port: 993 -- Username `user` (I.e. *not* `user@domain.tld`) - -The last point is important. Many email systems use a full email address on -login. Since we just simply use local BSDAuth logins, only the user's name is -used (this makes a difference if you're using luke's -[mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard), etc.). - -## Tweaking things - -You're a big boy now if you have your own mail server! - -You can tweak smtpd (sending mail - -## Furthur reading -- [poolp's guide](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) - -## Troubleshooting -- Can't send mail? - -- Always check `/var/log/maillog` and `/var/log/rspamd` to see the specific - problem. -- Go to [this site](https://appmaildev.com/en/dkim) to test your TXT records. - If your DKIM, SPF or DMARC tests fail you probably copied in the TXT records - incorrectly. -- If everything looks good and you *can* send mail, but it still goes to Gmail - or another big provider's spam directory, your domain (especially if it's a - new one) might be on a public spam list. Check - [this site](https://mxtoolbox.com/blacklists.aspx) to see if it is. Don't - worry if you are: sometimes especially new domains are automatically assumed - to be spam temporaily. If you are blacklisted by one of these, look into it - and it will explain why and how to remove yourself. diff --git a/emailwiz b/emailwiz index 063501a..c4b84a2 100755 --- a/emailwiz +++ b/emailwiz @@ -10,41 +10,43 @@ # IMAPs server: mta.domain.tld (${subdom}.${domain}) # IMAPs Setting: port 993, SSL/TLS, PLAIN # User: user name w/o '@domain.tld' - +# # Firewall setting, open following port: -# SMPT port 25 -# SMTPs port 465 -# IMAPs port 993 - +# smtp port 25 +# smtps port 465 +# imaps port 993 +# # Mail will be stored in non-retarded Maildirs because it's ${current_year}. # This makes it easier for use with isync, which is what I care about so I can # have an offline repo of mail. - +# # The mailbox names are: Inbox, Sent, Drafts, Archive, Spam, Trash - +# # Use the typical unix login system for mail users. Users will log into their # email with their passnames on the server. No usage of a redundant mySQL # database to do this. - -# Rspamd whitelists and blacklists are in /etc/rspamd/.local.d. Modify them to -# your own need. +# +# Rspamd whitelists and blacklists are in /etc/rspamd/.local.d +# Modify them to your own need. # # DEPENDENCIES BEFORE RUNNING # - +# # 1. Modify "Paramater" section to your need. - -# 2. Have a OpenBSD 6.8 system with a static IP and all that. Pretty much any +# +# 2. Have a OpenBSD system with a static IP and all that. Pretty much any # default VPS offered by a company will have all the basic stuff you need. - +# # 3. Have a Let's Encrypt SSL certificate for mx.domain.tld # (${subdom}.${domain}) using httpd(1) and acme-client(1). - +# # 4. If you've been toying around with your server settings trying to get # smtpd/dovecot/rspamd/etc. I recommend you to clear out /etc/mail, /etc/dovecot # , and /etc/rspamd/local.d yourself if needbe, because this script is build on # top of only the defaults. +# +# 5. Setup doas(1) so we can act as _dkimsign user # # Parameters @@ -52,11 +54,12 @@ # Modify this section to your need readonly domain='domain.tld' -readonly subdom='mta' +readonly subdom='mta0' # DO NOT modify this part readonly maildomain="${subdom}.${domain}" readonly progname="$(basename "$0")" + # Certificate for smtp readonly certfile="/etc/ssl/${maildomain}.fullchain.pem" readonly keyfile="/etc/ssl/private/${maildomain}.key" @@ -79,7 +82,8 @@ fi printf '%s: Installing programs...\n' "${progname}" -pkg_add opensmtpd-filter-dkimsign dovecot dovecot-pigeonhole rspamd opensmtpd-filter-rspamd +pkg_add opensmtpd-filter-dkimsign dovecot dovecot-pigeonhole rspamd \ + opensmtpd-filter-rspamd if test ! -f '/etc/doas.conf'; then printf '%s: doas(1) not configured.\n' "${progname}" 2>&1 @@ -316,9 +320,7 @@ if ! grep -q 'dovecot' /etc/login.conf; then cp -f /etc/login.conf /etc/login.conf.def cat << EOF >> /etc/login.conf -# # Dovecot entry -# dovecot:\\ :openfiles-cur=1024:\\ :openfiles-max=2048:\\ @@ -360,7 +362,9 @@ for x in 'local_bl_from.map.inc' 'local_bl_ip.map.inc' 'local_bl_rcpt.map.inc' \ done cat << EOF > /etc/rspamd/local.d/multimap.conf +# # Blacklists +# local_bl_ip { type = "ip"; @@ -386,7 +390,9 @@ local_bl_rcpt { score = 5; } +# # Whitelists +# local_wl_ip { type = "ip"; @@ -426,7 +432,7 @@ doas -u _dkimsign openssl genrsa -out "${dkimkey}" 2048 # Restart daemons # -for x in 'smtpd' 'dovecot' 'rspamd'; do +for x in 'smtpd' 'dovecot' 'rspamd' 'redis'; do printf '%s: Enabling %s...' "${progname}" "${x}" rcctl enable "${x}" 2>&1 > /dev/null && printf ' Done\n' || printf ' Failed\n' printf '%s: Restarting %s...' "${progname}" "${x}"