Debian 10 Buster Dovecot Postfix Opendkim MariaDB PHP7.3 Letsencrypt Fail2ban with user management in Horde

The email app in Nextcloud is very limited. This setup could be a good alternative. Creating the email accounts is then very simple in Horde under Administration - Users. Synchronisation with the phone works with the DAVx5 app from F-Droid.

English Austria en_US.UTF-8 German Hostname:mx.domain.org root:. user:. GuidedUseEntireDisk-AllFilesInOne 10GBExt4/1SWAP deb.debian.org SSH / without standard system utilities

ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"
ssh-copy-id user@IPServer
/etc/ssh/sshd_config PasswordAuthentication no
ssh user@IPServer
apt update && apt upgrade
apt install certbot python-certbot-apache dovecot-mysql postfix postfix-mysql fail2ban opendkim opendkim-tools mariadb-server php-mysql sudo dovecot-lmtpd dovecot-imapd php-gd php-imap php-memcache php-mysql php-pear php-tidy php-imagick php-intl php-gettext imagemagick tidy gettext php-curl
Packages that are not required: apt install ckeditor3 fonts-glyphicons-halflings javascript-common libjs-bootstrap libjs-excanvas libjs-jquery libjs-prototype libjs-scriptaculous libxmlrpc-epi0 php-apcu php-apcu-bc php-auth-sasl php-bz2 php-codecoverage php-console-table php-deepcopy php-doctrine-instantiator php-file-iterator php-geoip php-http php-http-request php-igbinary php-ldap php-memcached php-msgpack php-net-dns2 php-net-imap php-net-smtp php-net-socket php-net-url php-net-url2 php-nrk-predis php-pecl-http php-phar-io-manifest php-phar-io-version php-phpdocumentor-reflection-common php-phpdocumentor-reflection-docblock php-phpdocumentor-type-resolver php-phpspec-prophecy php-propro php-raphf php-sabre-dav php-sabre-vobject php-seclib php-soap php-ssh2 php-text-figlet php-text-languagedetect php-text-template php-timer php-token-stream php-tokenizer php-webmozart-assert php-xml-svg php-xmlrpc php7.3-ldap php7.3-bz2 php7.3-soap php7.3-xmlrpc phpunit phpunit-code-unit-reverse-lookup phpunit-comparator phpunit-diff phpunit-environment phpunit-exporter phpunit-global-state phpunit-object-enumerator phpunit-object-reflector phpunit-recursion-context phpunit-resource-operations phpunit-version
https://linode.com/docs/security/using-fail2ban-for-security/
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
/etc/fail2ban/jail.local
ignoreip = 127.0.0.1/8 IPServer
bantime = 100000m
findtime = 100000m
maxretry = 2
#logpath = /var/log/horde/horde.log
logpath = /var/log/syslog
/etc/fail2ban/jail.d/defaults-debian.local
[sshd]
enabled = true
[postfix]
enabled = true
[postfix-rbl]
enabled = true
[dovecot]
enabled = true
[horde]
enabled = true
sudo mkdir -p /var/www/domain.org/public_html
sudo mkdir -p /var/www/domain.com/public_html
/var/www/domain.org/public_html/index.html
/var/www/domain.com/public_html/index.html
sudo chown -R www-data: /var/www/domain.org
sudo chown -R www-data: /var/www/domain.com
/etc/apache2/sites-available/domain.org.conf
/etc/apache2/sites-available/domain.com.conf
<VirtualHost *:80>
ServerName domain.org
ServerAlias www.domain.org
ServerAdmin webmaster@domain.org
DocumentRoot /var/www/domain.org/public_html
<Directory /var/www/domain.org/public_html>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/domain.org-error.log
CustomLog ${APACHE_LOG_DIR}/domain.org-access.log combined
</VirtualHost>

sudo ln -s /etc/apache2/sites-available/domain.org.conf /etc/apache2/sites-enabled/
sudo ln -s /etc/apache2/sites-available/domain.com.conf /etc/apache2/sites-enabled/
certbot --apache --register-unsafely-without-email
mx.domain.org domain.org www.domain.org www.domain.com 2
non-interactively "certbot renew"
sudo ln -s /etc/apache2/sites-available/domain.org-le-ssl.conf /etc/apache2/sites-enabled/
sudo ln -s /etc/apache2/sites-available/domain.com-le-ssl.conf /etc/apache2/sites-enabled/
RewriteCond %{SERVER_NAME} =www.domain.org [OR]
RewriteCond %{SERVER_NAME} =mx.domain.org [OR]
RewriteCond %{SERVER_NAME} =domain.org
RewriteRule ^ https://www.domain.org%{REQUEST_URI} [END,NE,R=permanent]
rm -r /var/www/html and remove the default site configs 000-default-le-ssl.conf, 000-default.conf and default-ssl.conf from /etc/apache2/sites-enabled and /etc/apache2/sites-available
https://wiki.horde.org/DebJessieHorde5
-https://wiki.horde.org/DebianHowTo
-https://www.horde.org/apps/horde/docs/INSTALL 3:
-https://wiki.horde.org/SQLAuthHowTo?referrer=FAQ%2FAdmin%2FConfig
pear upgrade PEAR
mysql_secure_installation
mysql --user=root -p …
create database horde;
GRANT ALL ON horde.* TO 'horde' IDENTIFIED BY '…';
quit
pear channel-discover pear.horde.org
pear install -a -B --force horde/groupware
pear run-scripts horde/horde_role /var/www/horde
chown -R www-data /var/www/horde
pecl upgrade -a -B --force channel://pecl.php.net/sasl-0.1.0
pear upgrade -a -B --force channel://pear.php.net/Text_LanguageDetect-0.3.0
pecl upgrade -a -B --force channel://pecl.php.net/idn-0.2.0
pecl upgrade -a -B --force channel://pecl.php.net/ssh2-0.12
pear upgrade -a -B --force channel://pear.php.net/SOAP-0.13.0
pear upgrade -a -B --force channel://pear.php.net/XML_Serializer-0.20.2
pear upgrade -a -B --force channel://pear.php.net/Console_Color2-0.1.2
pear upgrade -a -B --force channel://pecl.php.net/msgpack-0.5.7
pear upgrade -a -B --force channel://pear.php.net/Numbers_Words-0.18.1
pear upgrade -a -B --force channel://pear.php.net/Image_Text-0.7.0
pear list -c horde
pear uninstall Services_Weather
pear uninstall file_Fstab
/etc/apache2/conf-available/php-horde.conf
Alias /horde /var/www/horde
ln -s /etc/apache2/conf-available/php-horde.conf /etc/apache2/conf-enabled/php-horde.conf
cp /var/www/horde/imp/config/backends.php /var/www/horde/imp/config/backends.local.php
'hordeauth' => 'full', //'port' => 143, 'secure' => 'ssl',
cp /var/www/horde/config/conf.php.dist /var/www/horde/config/conf.php
/horde/ Update all configuration, Update DB schema, Check for newer versions
Database mysqli horde pw horde
Authentication admin:user@domain.org driver:SQLauth driverconfig:Horde encryption:crypt-sha512 count_bad_logins:X login_block:X login_block_count: 2
Spell Checker driver:aspell
Image Manipulation driver:PECL Imagick
Problem Reporting email:user@domain.org maildomain:domain.org
horde-db-migrate
Update all configuration, Update DB schema, Check for newer versions
https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql/
/etc/hosts IPserver mx.domain.org mx
/etc/postfix/main.cf
smtpd_tls_cert_file=/etc/letsencrypt/live/domain.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/domain.org/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unlisted_recipient,
reject_unauth_destination
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination
myhostname = domain.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = domain.org
myorigin = $mydomain
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = domain.org domain.com
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = hash:/etc/postfix/virtual
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
/etc/postfix/master.cf
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
/etc/postfix/mysql-virtual-mailbox-maps.cf
user = horde
password = …
hosts = 127.0.0.1
dbname = horde
query = SELECT 1 FROM horde_users WHERE user_uid='%s'
/etc/postfix/virtual
info@domain.org user@domain.org
abuse@domain.org user@domain.org
root@domain.org user@domain.org
postmaster@domain.org user@domain.org
user123@domain.org 1234@gmail.org
sudo postmap /etc/postfix/virtual
sudo postmap -q user@domain.org mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
mkdir -p /var/mail/vhosts/domain.org
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail
chown -R vmail:vmail /var/mail
chown -R vmail:dovecot /etc/dovecot
chmod -R 755 /etc/postfix
-chmod -R o-rwx /etc/postfix
chmod -R o-rwx /etc/dovecot
/etc/dovecot/dovecot.conf
protocols = imap lmtp
postmaster_address = postmaster@domain.org
/etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:/var/mail/vhosts/%d/%n/
mail_privileged_group = mail
/etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain login
/etc/dovecot/conf.d/auth-sql.conf.ext
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
#userdb {
#  driver = sql
#  args = /etc/dovecot/dovecot-sql.conf.ext
#}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
/etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=127.0.0.1 dbname=horde user=horde password=
default_pass_scheme = SHA512-CRYPT
nano /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    #mode = 0666
    mode = 0600
    user = postfix
    group = postfix
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}

service auth-worker {
  user = vmail
}
/etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = </etc/letsencrypt/live/domain.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/domain.org/privkey.pem
apt install getmail
mkdir /root/.getmail/
chmod 700 /root/.getmail/
/root/.getmail/getmailrcuser
/root/.getmail/getmailrcuser123
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.gmail.com
port = 993
username = user123@gmail.com
password =
[destination]
type = Maildir
path = /var/mail/vhosts/domain.org/user/
user = vmail
[options]
verbose = 2
message_log = ~/.getmail/log
read_all = false
delete = true
crontab -e
*/10 * * * * getmail -r /root/.getmail/getmailrcuser --quiet # every 10 min
*/10 * * * * getmail -r /root/.getmail/getmailrcuser123 --quiet
0 2 * * * apt update && apt upgrade -y # 2:00 daily
0 3 * * * pear upgrade -a -B horde/groupware # 3:00 daily
0 4 * * 2 certbot renew # 4:00 Tuesday
https://wiki.debian.org/opendkim
mkdir /etc/postfix/dkim/
opendkim-genkey -D /etc/postfix/dkim/ -d domain.org -s mail
chgrp opendkim /etc/postfix/dkim/

chmod g+r /etc/postfix/dkim/

/etc/opendkim.conf
Mode sv
Socket inet:8891@localhost
KeyTable file:/etc/postfix/dkim/keytable
InternalHosts refile:/etc/postfix/dkim/trustedhosts
SigningTable refile:/etc/postfix/dkim/signingtable
/etc/postfix/dkim/keytable
mail._domainkey.domain.org domain.org:mail:/etc/postfix/dkim/mail.private
/etc/postfix/dkim/signingtable
*@domain.org mail._domainkey.domain.org
p=MI… (take it from /etc/postfix/dkim/mail.txt; remove the double quotes and join the lines after p= into one key.)
mail._domainkey TXT v=DKIM1; k=rsa;
p=MIjksdfjhsdjghghdfjkgKCAQEA6G05c2aUOoAZOOle5XjrKm3tH7ydsdjhgiERGJERKLJgkldagkölqwJKJKFHDJkhdkoqOVeXQ5tJ38N5QMWnTjbtx7bgrk0QruvVNZDrSqyiUDIYBUjakoXxE3YqihGdw9rxpArWALkwDEAYU6nIYQZFc7uxmZhvINwiamnLplad9NUbbFLHlE3n
opendkim-testkey -d domain.org -s mail -vvv
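Added example (Python, not part of the original notes): it performs the copy-and-join step described above for mail.txt in code, checks that the joined p= value is still intact base64, and re-splits the record into 255-character strings. The mail.txt sample inside is constructed in the shape opendkim-genkey writes, with placeholder key material.

```python
"""Assemble the DKIM TXT record value from opendkim-genkey's mail.txt."""
import base64
import re

# Constructed sample in the shape opendkim-genkey writes /etc/postfix/dkim/mail.txt;
# the key material is a short placeholder, not a real DKIM public key.
SAMPLE_MAIL_TXT = '''mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "
\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
\t  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
\t  "AAAB" )  ; ----- DKIM key mail for domain.org
'''

QUOTED = re.compile(r'"([^"]*)"')

def parse_genkey_txt(text: str):
    """Return (owner name, joined TXT value): drop the quotes, join the pieces."""
    owner = text.split(None, 1)[0]          # e.g. mail._domainkey
    value = "".join(QUOTED.findall(text))   # the manual copy-and-join step
    return owner, value

def dkim_tags(value: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dict and check the p= base64.

    A dropped or half-copied line usually shows up here as a padding error."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    if tags.get("v") != "DKIM1" or "p" not in tags:
        raise ValueError("not a DKIM1 record with a p= public key")
    base64.b64decode(tags["p"], validate=True)   # binascii.Error (a ValueError) if broken
    return tags

def txt_chunks(value: str, size: int = 255):
    """Re-split the joined value into <=255-character strings for DNS front-ends
    that enforce the per-string limit of TXT records."""
    return [value[i:i + size] for i in range(0, len(value), size)]
```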

Debian 10 Buster Dovecot Postfix Opendkim MariaDB PHP7.3 Letsencrypt Fail2ban with user management in Nextcloud

Instead of Horde, Nextcloud can also be used.
Video conferences also work with Nextcloud Talk.
Possibly use the Nextcloud Rainloop app instead of Nextcloud Mail.

For user management in Nextcloud the config has to be adjusted:

/etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=127.0.0.1 dbname=nextclouddb user=nextclouduser password=…
default_pass_scheme = ARGON2I
password_query = SELECT uid AS user, REPLACE(password, '3|', '') AS password FROM oc_users WHERE uid='%u'
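Added example (Python, not from the original notes): the REPLACE(password, '3|', '') in the query above strips Nextcloud's hash-version prefix before Dovecot sees the argon2 string. This helper does the same in code and extends it to the other prefixes Nextcloud's hasher writes, tagging each value with an explicit Dovecot {SCHEME}, and lists the accounts a '3|'-only query cannot authenticate. The prefix-to-algorithm mapping (1 bcrypt, 2 argon2i, 3 argon2id) is an assumption to confirm against the installed Nextcloud's lib/private/Security/Hasher.php; the sample rows are constructed, not real hashes.

```python
"""Map Nextcloud oc_users.password values to Dovecot password schemes."""
import re

# Assumed Nextcloud hash-version prefixes -> Dovecot scheme names; confirm against
# lib/private/Security/Hasher.php of the installed Nextcloud. Dovecot honours a
# leading {SCHEME} in the password field over default_pass_scheme.
VERSION_TO_SCHEME = {"1": "BLF-CRYPT", "2": "ARGON2I", "3": "ARGON2ID"}
# Crypt-style prefix each algorithm produces, used to cross-check the version tag.
SCHEME_PREFIX = {"BLF-CRYPT": "$2y$", "ARGON2I": "$argon2i$", "ARGON2ID": "$argon2id$"}

# Constructed sample rows in the shape of oc_users (uid, password); not real hashes.
SAMPLE_ROWS = [
    ("alice", "3|$argon2id$v=19$m=65536,t=4,p=1$c2FsdHNhbHQ$aGFzaGhhc2g"),
    ("bob", "1|$2y$10$c2FsdHNhbHRzYWx0c2FsdOabcdefghijklmnopqrstuvwxyz0123456"),
]

def split_nextcloud_hash(stored: str):
    """Return (version, hash) for an 'N|hash' value; version is None when unprefixed."""
    m = re.fullmatch(r"(\d+)\|(.+)", stored, re.DOTALL)
    if not m:
        return None, stored
    return m.group(1), m.group(2)

def dovecot_password(stored: str) -> str:
    """Rewrite a Nextcloud password value as '{SCHEME}hash' for a Dovecot passdb."""
    version, digest = split_nextcloud_hash(stored)
    scheme = VERSION_TO_SCHEME.get(version)
    if scheme is None:
        raise ValueError("unknown or missing Nextcloud hash version in %r" % stored[:12])
    if not digest.startswith(SCHEME_PREFIX[scheme]):
        raise ValueError("version %s tag but hash is not %s" % (version, scheme))
    return "{%s}%s" % (scheme, digest)

def users_not_served_by_3_prefix(rows):
    """uids whose stored hash REPLACE(password, '3|', '') would leave unchanged,
    i.e. accounts a query that only strips '3|' cannot authenticate."""
    return [uid for uid, stored in rows if split_nextcloud_hash(stored)[0] != "3"]
```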