apt install postfix dovecot-imapd opendkim postfix-policyd-spf-python maildrop roundcube prayer nginx postfix-mta-sts-resolver hash-slinger
vim /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
vim /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/certifikati/fullchain.pem
ssl_key = </etc/ssl/certifikati/privkey.pem
vim /etc/postfix/header_checks
/^X-Originating-IP:/ IGNORE
/^Received:.*ESMTPSA/ IGNORE
vim /etc/postfix/command_filter
/^(.*)šijanec(.*)$/ $1 xn--ijanec-9jb $2
vim /etc/postfix/destinations
if !/seznami/
/ijanec/ ALLOW
/241/ ALLOW
/146/ ALLOW
/235/ ALLOW
/gimb.tk/ ALLOW
/xn--jha/ ALLOW
endif
usermod -aG opendkim postfix
mkdir /var/spool/postfix/opendkim
chown opendkim:opendkim /var/spool/postfix/opendkim
opendkim-genkey -D /etc/dkimkeys -s mail
dodaj vsebino /etc/dkimkeys/mail.txt v DNS zone za domeno
vim /etc/opendkim.conf
LogWhy yes
UserID opendkim:opendkim
Domain sijanec.eu,sijanec.org,sijanec.net,xn--ijanec-9jb.eu in tako dalje
Selector mail
KeyFile /etc/dkimkeys/mail.private
Socket local:/var/spool/postfix/opendkim/opendkim.sock
vim /etc/postfix-policyd-spf-python/policyd-spf.conf
HELO_reject = False
Mail_From_reject = False
vim /etc/postfix/main.cf
smtp_header_checks = regexp:/etc/postfix/header_checks
smtpd_tls_cert_file = /etc/ssl/certifikati/fullchain.pem
smtpd_tls_key_file = /etc/ssl/certifikati/privkey.pem
smtpd_tls_received_header = yes
smtpd_command_filter = pcre:/etc/postfix/command_filter
mydomain = sijanec.eu
mydestination = pcre:/etc/postfix/destinations
smtp_address_preference = ipv4
mailbox_command = /usr/bin/maildrop -d $(USER)
smtp_bind_address = 89.212.146.168
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600
message_size_limit = 1222333444
milter_protocol = 2
milter_default_action = accept
smtpd_milters = unix:/opendkim/opendkim.sock
non_smtpd_milters = unix:/opendkim/opendkim.sock
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8451:postfix
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
vim /etc/postfix/master.cf
odkomentiraj: smtp, submission, smtps (ostali potrebni so že odkomentirani)
dodaj na konec:
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policy-spf
vim /etc/dovecot/conf.d/10-master.conf
# ta block že obstaja v privzeti konfiguraciji
# https://www.postfix.org/SASL_README.html
service auth {
unix_listener /var/spool/postfix/private/auth {
user = postfix
group = postfix
mode = 0660
}
}
vim /etc/dovecot/conf.d/15-mailboxes.conf
# ti blocki že obstajajo v privzeti konfiguraciji, treba jih je samo dopolniti
namespace inbox {
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox Junk {
special_use = \Junk
auto = subscribe
}
mailbox Trash {
special_use = \Trash
auto = subscribe
}
mailbox Sent {
special_use = \Sent
auto = subscribe
}
}
vim ~/.mailfilter
if (/.*librehosting@radiostudent\.si.*/ || /.*kiberpipa\.org.*/ || /.*lugos\.si.*/)
{
to $HOME/Maildir/.liste.lugos
}
if (/.*oss-security.*/ || /.*debian-security-announce.*/)
{
to $HOME/Maildir/.liste.oss-security
}
in tako dalje
iz IMAP klienta je treba **PRED DODAJANJEM MAPE** v ~/.mailfilter izdelati mapo, v nasprotnem primeru bo maildrop naredil mbox datoteko, česar nočemo.
chown $USER:$USER ~/.mailfilter
chmod 0600 ~/.mailfilter
vim /etc/maildroprc
DEFAULT="$HOME/Maildir"
tlsa --create sijanec.eu
dodaj output v DNS domensko zono (nginx mora teči s pravilnim certifikatom!) - spremeni zapis v DNS zoni, ko spremeniš cert
rndc freeze
vim /var/lib/bind/db.sijanec.eu
_mta-sts IN TXT "v=STSv1; id=2"
mta-sts IN CNAME mail
@ IN MX 10 mail
mail IN A 89.212.146.168
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-aggregate@sijanec.eu; ruf=mailto:dmarc-forensic@sijanec.eu; fo=1"
@ IN TXT "v=spf1 mx a ip4:89.212.146.168/32 a:mail.sijanec.eu ~all"
*.sijanec.eu._report._dmarc IN TXT "v=DMARC1"
sijanec.eu._report._dmarc IN TXT "v=DMARC1"
*.sijanec.org._report._dmarc IN TXT "v=DMARC1"
sijanec.org._report._dmarc IN TXT "v=DMARC1" ; in isto za ostale domene
_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:tls@sijanec.eu"
@ IN CAA 128 issue "letsencrypt.org"
@ IN CAA 128 issuewild "letsencrypt.org"
@ IN CAA 128 iodef "mailto:caa-violation@sijanec.eu"
* IN CAA 128 issue "letsencrypt.org"
* IN CAA 128 issuewild "letsencrypt.org"
* IN CAA 128 iodef "mailto:caa-violation@sijanec.eu"
rndc thaw
vim /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
webmaster: root
listmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: a
anton: a
whois: hostmaster
dns: whois
devnull: null
null: |/dev/null
luka: anton
dmarc-aggregate: postmaster
dmarc-forensic: postmaster
caa-violation: hostmaster
tls: postmaster
newaliases
vim /var/www/html/.well-known/mta-sts.txt
version: STSv1
mode: testing
mx: mail.sijanec.eu
mx: mail.sijanec.org
mx: mail.sijanec.net
mx: mail.xn--ijanec-9jb.eu
mx: mail.xn--ijanec-9jb.org
mx: mail.xn--ijanec-9jb.net
mx: mail.xn--ijanec-9jb.si
mx: mail.xn--ijanec-9jb.com
max_age: 31557600
comment: karkoli
systemctl restart postfix dovecot opendkim prayer nginx postfix-mta-sts-resolver bind9