Is this because mail servers attract "attention" that that may affect other services?
Is this because mail servers attract "attention" that that may affect other services?
wlanboy
Content Contributer
My personal reasons are:
- If one goes down - everything is not available.
What to restore first?
What if the backup is old? Database, email accounts and websites are changed in different timespans.
Mail server got hacked / spam-a-lot - one problem and all services have to be shut down (by firewall).
IP address got banned - same problem.
- Migration is a big bang - upgrades too.
Package dependencies are quite a hell.
You cannot upgrade php because your webmailer depends on an older version.
If something fails you have to rollback everything.
Have to move some services to a new host? Good luck if your configs/services do depend on each other (sendmail localhost).
- Cloudflare can hide web traffic but cannot hide smtp/imap traffic.
So all reverse proxies are useless if the mail server has the same ip and leacks it (MX records, smtp protocol).
- Performance
Email servers run quite a lot of threads. Per imap connection, for spam check, virus check, smtp processes.
Easily a lot of XX MB RAM per connection. Thinking about bandwith problems too. Someone downloading a 300MB attachment and your website loading times go up.
- Local forwards
I have a mail server that is responsible for about 8 domains. All that notifiers, mailing lists, forwarders are done through localhost - saves a lot of bandwidth.
Only ssh, postfix, dovecot, sa and fail2ban. No other services. Keep things simple.
souen
Active Member
Thanks for the excellent tutorial. I followed it on a CentOS 7 vps sometime back, most of it still applies except for a few commands and config locations.
5. Setup your mail server
sudo yum install postfix dovecot
Postfix and Dovecot configuration files are in the same location. I skipped 9-12 so no input there, sorry.
14. DKIM
opendkim is available in the EPEL repository.
sudo yum install epel-release
sudo yum install opendkim
Configuration is done in /etc/opendkim.conf, including the socket setting (no "/etc/default/opendkim").
After "cp mail.private /etc/mail/dkim.key" (or wherever the key is stored), I checked the ownership of the key file and assign ownership to the opendkim user given in /etc/opendkim.conf if the user is different:
ls -la /etc/mail/dkim.key
chown opendkim
pendkim dkim.key16. I started the services instead of restarting the vps -- is that a problem? Everything seems to work fine.
// Start Postfix and Dovecot, add to startup services
systemctl start postfix
systemctl start dovecot
systemctl enable postfix
systemctl enable dovecot
// After installing DKIM, restart Postfix
systemctl start opendkim
systemctl enable opendkim
systemctl restart postfix
// For CentOS 6
service postfix start
service dovecot start
chkconfig postfix on
chkconfig dovecot on
service opendkim start
chkconfig opendkim on
service postfix restart
Hope that helps ... sort of?
Last edited by a moderator:
souen
Active Member
Tried some more ...
9. Install postgrey
postgrey is available in the EPEL repository.
sudo yum epel-release
sudo yum install postgrey
sudo nano /etc/sysconfig/postgrey
add (default delay is 60):
POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=55"
After Postfix configuration, start and enable the service:
systemctl start postgrey
systemctl enable postgrey
10. Install spamassassin
Having a little trouble locating the packages, not entirely sure if the list is correct. I couldn't find perl-Geo-IPfree and perl-Net-Ident, RPMforge doesn't have them for CentOS 7. Does anyone know a reputable repository that carries them for CentOS 7?
// (CentOS 6) Install RPMforge repo to fetch some Perl modules
// 32-bit
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.i686.rpm
// 64-bit
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rm -rf rpmforge*.rpm
sudo yum install perl-Net-DNS pyzor perl-Razor-Agent perl-Digest-SHA perl-Encode-Detect perl-DBI perl-Geo-IPfree perl-Net-Ident
sudo yum install spamassassin
There is no /etc/default/spamassassin, so I just started it up like other services:
systemctl start spamassassin
systemctl enable spamassassin
Minor note when updating the rules, there wasn't a /etc/spamassassin directory, I just download the GPG key somewhere and import. Before "sa-update -D -v", download and import the GPG key from Apache servers (or it returns "error: GPG validation failed! The update downloaded successfully, but it was not signed with a trusted GPG ...")
wget http://spamassassin.apache.org/updates/GPG.KEY
sa-update --import GPG.KEY
sa-update -D -v
Additional note -- if running into the error below during install and can't find the kernel-headers in the main repo:
Error: Package: glibc-headers-2.17-106.el7_2.1.x86_64 (updates)
Requires: kernel-headers
Error: Package: glibc-headers-2.17-106.el7_2.1.x86_64 (updates)
Requires: kernel-headers >= 2.2.1
This is due to kernel packages being excluded in /etc/yum.conf on some systems. Run the following command to grab the headers:
sudo yum --disableexcludes=main install kernel-headers
11. Install fail2ban
fail2ban is available in the EPEL repository.
sudo yum install epel-release
sudo yum install fail2ban
/etc/fail2ban/jail.conf recommends having a separate config file instead (/etc/fail2ban/jail.local or placed in /etc/fail2ban/jail.d) instead of editing jail.conf directly. Followed the config from there. The only thing was I couldn't find [sasl], but [postfix-sasl] (and there's no corresponding filter named sasl.conf in /etc/fail2ban/filter.d):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
[postfix-sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
Check that the log files exist or fail2ban won't start. Create them if needed:
touch /var/log/mail.log /var/log/secure
Start it up:
systemctl start fail2ban
systemctl enable fail2ban
Additional note -- as when installing spamassassin, if the ipset package requires the kernel package not yet installed, do:
sudo yum --disableexcludes=main install kernel
12. Own SSL configuration
Sorry, I don't have certificates on hand to test it. There's no /etc/dovecot/conf.d/01-mail-stack-delivery.conf file on CentOS 7. Dovecot certificate paths are /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem (self-signed certs are stored in /etc/pki/tls/certs), so I'm not sure where the 3rd step goes, if there's a 3rd step. The old (and possibly outdated) howto on the CentOS wiki adds it to /etc/dovecot/dovecot.conf:
ssl_cert_file = /etc/pki/tls/certs/mail.domain.com.cert
ssl_key_file = /etc/pki/tls/private/mail.domain.com.key
14. DKIM
Forgot to mention in my previous post -- there is no /etc/mail directory by default, but I suppose it could be created, as long as the KeyFile path in the config file is correct (I generated the key in /etc/opendkim/keys and linked to it there).
9. Install postgrey
postgrey is available in the EPEL repository.
sudo yum epel-release
sudo yum install postgrey
sudo nano /etc/sysconfig/postgrey
add (default delay is 60):
POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=55"
After Postfix configuration, start and enable the service:
systemctl start postgrey
systemctl enable postgrey
10. Install spamassassin
Having a little trouble locating the packages, not entirely sure if the list is correct. I couldn't find perl-Geo-IPfree and perl-Net-Ident, RPMforge doesn't have them for CentOS 7. Does anyone know a reputable repository that carries them for CentOS 7?
// (CentOS 6) Install RPMforge repo to fetch some Perl modules
// 32-bit
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.i686.rpm
// 64-bit
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rm -rf rpmforge*.rpm
sudo yum install perl-Net-DNS pyzor perl-Razor-Agent perl-Digest-SHA perl-Encode-Detect perl-DBI perl-Geo-IPfree perl-Net-Ident
sudo yum install spamassassin
There is no /etc/default/spamassassin, so I just started it up like other services:
systemctl start spamassassin
systemctl enable spamassassin
Minor note when updating the rules, there wasn't a /etc/spamassassin directory, I just download the GPG key somewhere and import. Before "sa-update -D -v", download and import the GPG key from Apache servers (or it returns "error: GPG validation failed! The update downloaded successfully, but it was not signed with a trusted GPG ...")
wget http://spamassassin.apache.org/updates/GPG.KEY
sa-update --import GPG.KEY
sa-update -D -v
Additional note -- if running into the error below during install and can't find the kernel-headers in the main repo:
Error: Package: glibc-headers-2.17-106.el7_2.1.x86_64 (updates)
Requires: kernel-headers
Error: Package: glibc-headers-2.17-106.el7_2.1.x86_64 (updates)
Requires: kernel-headers >= 2.2.1
This is due to kernel packages being excluded in /etc/yum.conf on some systems. Run the following command to grab the headers:
sudo yum --disableexcludes=main install kernel-headers
11. Install fail2ban
fail2ban is available in the EPEL repository.
sudo yum install epel-release
sudo yum install fail2ban
/etc/fail2ban/jail.conf recommends having a separate config file instead (/etc/fail2ban/jail.local or placed in /etc/fail2ban/jail.d) instead of editing jail.conf directly. Followed the config from there. The only thing was I couldn't find [sasl], but [postfix-sasl] (and there's no corresponding filter named sasl.conf in /etc/fail2ban/filter.d):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
[postfix-sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
Check that the log files exist or fail2ban won't start. Create them if needed:
touch /var/log/mail.log /var/log/secure
Start it up:
systemctl start fail2ban
systemctl enable fail2ban
Additional note -- as when installing spamassassin, if the ipset package requires the kernel package not yet installed, do:
sudo yum --disableexcludes=main install kernel
12. Own SSL configuration
Sorry, I don't have certificates on hand to test it. There's no /etc/dovecot/conf.d/01-mail-stack-delivery.conf file on CentOS 7. Dovecot certificate paths are /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem (self-signed certs are stored in /etc/pki/tls/certs), so I'm not sure where the 3rd step goes, if there's a 3rd step. The old (and possibly outdated) howto on the CentOS wiki adds it to /etc/dovecot/dovecot.conf:
ssl_cert_file = /etc/pki/tls/certs/mail.domain.com.cert
ssl_key_file = /etc/pki/tls/private/mail.domain.com.key
14. DKIM
Forgot to mention in my previous post -- there is no /etc/mail directory by default, but I suppose it could be created, as long as the KeyFile path in the config file is correct (I generated the key in /etc/opendkim/keys and linked to it there).
Last edited by a moderator:
Thanks for your good tutorial....
ZenithHosting
New Member
Thank you for the tutorial
This is a really good guide. I've always wondered though if there is a good control panel for just email servers. I know of the collab suites like Zimbra and OpenXChange but I haven't found anything for just the email without all the additional features - really just mailbox management and settings GUI.
drmike
100% Tier-1 Gogent
Licensecart
Active Member
Licensecart
Active Member
Theres roundcube.net but I couldn't get it working myself but I was following rubbish online ones, might be able to get it to work by following wlanboy's. There's PostfixAdmin too I looked into: http://postfixadmin.sourceforge.net
Last edited by a moderator:
@River Virtualmin is my choice for managing mail servers. Not a user focused panel, but good enough for administrators. Handles the mess of multiple domains and quotas pretty well and some other neat features too. Disable all the unwanted services and modules and it still works fine. The default username format is a nuisance though.
Have thought of writing a wrapper around Virtualmin for just mail management but haven't found the time for it. Need to complete the billing panel before I move to other stuffs.
Have thought of writing a wrapper around Virtualmin for just mail management but haven't found the time for it. Need to complete the billing panel before I move to other stuffs.
Last edited by a moderator:
TheLinuxBug
New Member
Last edited by a moderator:
Licensecart
Active Member
I tried using your tutorial on Centos 7 changing apt-get to yum and I couldn't get it working so maybe that's why
I did have to use yum install dovecot postfix -y
Last edited by a moderator:
WiredBlade
New Member
Great tutorial. I have been hosting my own email server in Windows and found it to be very hard to manage. I have always want to move to a Linux mail server and this tutorial would help me enormously.