Debian 10 Buster Dovecot Postfix Opendkim MariaDB PHP7.3 Letsencrypt Fail2ban mit Userverwaltung in Horde


#1

Die E-Mail-App in Nextcloud ist sehr bescheiden. Das hier könnte eine gute Alternative sein. Das Anlegen der E-Mail-Konten geht dann ganz einfach in Horde unter Administration → Users. Die Synchronisation zum Handy funktioniert mit der App DAVx5 aus F-Droid.

English Austria en_US.UTF-8 German Hostname:mx.domain.org root:. user:. GuidedUseEntireDisk-AllFilesInOne 10GBExt4/1SWAP deb.debian.org SSH/OhneStandard

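# Key-based SSH login for the admin user; ssh-keygen/ssh-copy-id run on the workstation.
ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"
ssh-copy-id user@IPServer
# Confirm that the key login works (and keep this session open) BEFORE password logins
# are switched off -- a typo in sshd_config would otherwise lock you out of the server.
ssh user@IPServer
# /etc/ssh/sshd_config: no password logins; root (which got a password during the
# install) may only log in with a key, if at all.
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
# Validate the config before reloading, so a broken file does not take sshd down.
sshd -t && systemctl reload ssh
apt update && apt upgrade
apt install certbot python-certbot-apache dovecot-mysql postfix postfix-mysql fail2ban opendkim opendkim-tools mariadb-server php-mysql sudo dovecot-lmtpd dovecot-imapd php-gd php-imap php-memcache php-mysql php-pear php-tidy php-imagick php-intl php-gettext imagemagick tidy gettext php-curl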
Nicht notwendige Pakete: apt install ckeditor3 fonts-glyphicons-halflings javascript-common libjs-bootstrap libjs-excanvas libjs-jquery libjs-prototype libjs-scriptaculous libxmlrpc-epi0 php-apcu php-apcu-bc php-auth-sasl php-bz2 php-codecoverage php-console-table php-deepcopy php-doctrine-instantiator php-file-iterator php-geoip php-http php-http-request php-igbinary php-ldap php-memcached php-msgpack php-net-dns2 php-net-imap php-net-smtp php-net-socket php-net-url php-net-url2 php-nrk-predis php-pecl-http php-phar-io-manifest php-phar-io-version php-phpdocumentor-reflection-common php-phpdocumentor-reflection-docblock php-phpdocumentor-type-resolver php-phpspec-prophecy php-propro php-raphf php-sabre-dav php-sabre-vobject php-seclib php-soap php-ssh2 php-text-figlet php-text-languagedetect php-text-template php-timer php-token-stream php-tokenizer php-webmozart-assert php-xml-svg php-xmlrpc php7.3-ldap php7.3-bz2 php7.3-soap php7.3-xmlrpc phpunit phpunit-code-unit-reverse-lookup phpunit-comparator phpunit-diff phpunit-environment phpunit-exporter phpunit-global-state phpunit-object-enumerator phpunit-object-reflector phpunit-recursion-context phpunit-resource-operations phpunit-version
https://linode.com/docs/security/using-fail2ban-for-security/
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
/etc/fail2ban/jail.local
# Settings placed in jail.local; if they sit under [DEFAULT] they apply to every jail.
# ignoreip: IPServer is the server's own address. Add the admin's client IP too --
# with maxretry = 2, two mistyped passwords otherwise lock the admin out for a whole bantime.
ignoreip = 127.0.0.1/8 IPServer
# 100000 minutes is ~69 days: 2 failures within 69 days => a 69-day ban. That is harsh for a
# mail server whose real users occasionally mistype an IMAP/SMTP password; consider shorter values.
bantime = 100000m
findtime = 100000m
maxretry = 2
# Log file for the horde filter. This only reaches the horde jail if it is placed under a
# [horde] header (jails that set their own logpath in jail.conf are not overridden from
# [DEFAULT]); it also presumes Horde's log driver writes to syslog -- TODO confirm in conf.php.
#logpath = /var/log/horde/horde.log
logpath = /var/log/syslog
/etc/fail2ban/jail.d/defaults-debian.local
# Jail switches for Debian (jail.d/*.local is read after jail.conf and jail.local).
[sshd]
enabled = true
# Watches Postfix smtpd log lines (auth failures, relay attempts).
[postfix]
enabled = true
# Only matches clients rejected by an RBL; the main.cf in these notes configures no
# reject_rbl_client, so this jail has nothing to act on unless one is added.
[postfix-rbl]
enabled = true
[dovecot]
enabled = true
# Relies on fail2ban's horde filter finding Horde's failed-login lines in the logpath set in jail.local.
[horde]
enabled = true
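# Document roots for the two web vhosts.
sudo mkdir -p /var/www/domain.org/public_html
sudo mkdir -p /var/www/domain.com/public_html
# Create a placeholder page in each docroot (edit afterwards).
sudo touch /var/www/domain.org/public_html/index.html
sudo touch /var/www/domain.com/public_html/index.html
# NOTE(review): giving www-data ownership of the whole tree lets a compromised PHP/Apache
# process rewrite the site. Static content can stay root-owned (world-readable is enough);
# only directories the application must write to need to belong to www-data.
sudo chown -R www-data: /var/www/domain.org
sudo chown -R www-data: /var/www/domain.com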
/etc/apache2/sites-available/domain.org.conf
/etc/apache2/sites-available/domain.com.conf
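# /etc/apache2/sites-available/domain.org.conf (domain.com.conf is the same with the names
# swapped). The "*" in "*:80" and the closing tags were swallowed by the forum rendering;
# without them apache2ctl configtest fails.
<VirtualHost *:80>
    ServerName domain.org
    ServerAlias www.domain.org
    ServerAdmin webmaster@domain.org
    DocumentRoot /var/www/domain.org/public_html
    <Directory /var/www/domain.org/public_html>
        # No directory listings. AllowOverride All honours .htaccess files in the docroot;
        # use None if you do not rely on them (cheaper and one attack surface less).
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/domain.org-error.log
    CustomLog ${APACHE_LOG_DIR}/domain.org-access.log combined
</VirtualHost>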

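# Enable both HTTP vhosts.
sudo ln -s /etc/apache2/sites-available/domain.org.conf /etc/apache2/sites-enabled/
sudo ln -s /etc/apache2/sites-available/domain.com.conf /etc/apache2/sites-enabled/
# --register-unsafely-without-email means Let's Encrypt cannot warn you about failed
# renewals or revocations; registering with an address is the safer default.
# Postfix and Dovecot (below) use the same certificate, so reload them whenever it is renewed.
certbot --apache --register-unsafely-without-email --deploy-hook 'systemctl reload postfix dovecot'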
Names to select when certbot asks: mx.domain.org domain.org www.domain.org www.domain.com; the trailing 2 is the answer to the redirect prompt (option 2 = redirect HTTP to HTTPS). Note that the directory under /etc/letsencrypt/live/ is named after the first name of the certificate — check that it matches the paths used later in main.cf and 10-ssl.conf (/etc/letsencrypt/live/domain.org/).
Renewal runs non-interactively via “certbot renew” (the Debian package installs a timer for it); Postfix and Dovecot use the same certificate and must be reloaded after every renewal, e.g. via a --deploy-hook.
# certbot --apache normally enables the *-le-ssl.conf vhosts itself; if the links already
# exist, ln only reports "File exists" and nothing changes.
sudo ln -s /etc/apache2/sites-available/domain.org-le-ssl.conf /etc/apache2/sites-enabled/
sudo ln -s /etc/apache2/sites-available/domain.com-le-ssl.conf /etc/apache2/sites-enabled/
# Added by certbot to the :80 vhost: every HTTP request for these three names is sent to
# HTTPS on www.domain.org. This affects the web vhost only, not SMTP/IMAP on mx.domain.org.
RewriteCond %{SERVER_NAME} =www.domain.org [OR]
RewriteCond %{SERVER_NAME} =mx.domain.org [OR]
RewriteCond %{SERVER_NAME} =domain.org
RewriteRule ^ https://www.domain.org%{REQUEST_URI} [END,NE,R=permanent]
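# Remove the default site: /var/www/html is a directory (rm needs -r), and the default
# vhosts live in sites-available -- disable them properly instead of rm-ing bare file names
# in whatever the current directory happens to be. Drop 000-default-le-ssl from the list if
# certbot did not create it.
sudo rm -r /var/www/html
sudo a2dissite 000-default default-ssl 000-default-le-ssl
sudo rm -f /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/000-default-le-ssl.conf
sudo systemctl reload apache2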
https://wiki.horde.org/DebJessieHorde5
-https://wiki.horde.org/DebianHowTo
-https://www.horde.org/apps/horde/docs/INSTALL 3:
-https://wiki.horde.org/SQLAuthHowTo?referrer=FAQ%2FAdmin%2FConfig
# Refresh the PEAR installer itself before pulling Horde from pear.horde.org.
pear upgrade PEAR
# Sets the MariaDB root password, removes anonymous users and the test DB, and blocks
# remote root login.
mysql_secure_installation
mysql --user=root -p …
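CREATE DATABASE horde;
-- Restore the wildcard the forum rendering swallowed (horde.*) and bind the account to
-- localhost: without a host part MariaDB creates 'horde'@'%', usable from any host that can
-- reach the DB port. Postfix and Dovecot below connect to 127.0.0.1; if the server runs with
-- skip_name_resolve, 'horde'@'127.0.0.1' is needed instead -- TODO confirm.
GRANT ALL ON horde.* TO 'horde'@'localhost' IDENTIFIED BY '…';
quit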
# Register the Horde PEAR channel and install the groupware bundle
# (-a: with dependencies, -B: without binary/PECL deps, --force: overwrite existing packages).
pear channel-discover pear.horde.org
pear install -a -B --force horde/groupware
# Sets the Horde web directory (horde_dir role) and populates /var/www/horde.
pear run-scripts horde/horde_role /var/www/horde
# NOTE(review): this makes the whole Horde tree writable by the web server. Horde writes to
# config/ (and a temp/cache dir); keeping the code root-owned and giving www-data only
# config/ would stop a compromised PHP process from altering the application -- verify
# against the Horde INSTALL notes before tightening.
chown -R www-data /var/www/horde
# Old, pinned extension/package versions forced in for optional Horde features (SASL, IDN,
# ssh2, SOAP ...). Keep this list to what Horde's configuration check actually reports as
# missing -- every extra extension is more unmaintained code exposed to the web.
pecl upgrade -a -B --force channel://pecl.php.net/sasl-0.1.0
pear upgrade -a -B --force channel://pear.php.net/Text_LanguageDetect-0.3.0
pecl upgrade -a -B --force channel://pecl.php.net/idn-0.2.0
pecl upgrade -a -B --force channel://pecl.php.net/ssh2-0.12
pear upgrade -a -B --force channel://pear.php.net/SOAP-0.13.0
pear upgrade -a -B --force channel://pear.php.net/XML_Serializer-0.20.2
pear upgrade -a -B --force channel://pear.php.net/Console_Color2-0.1.2
pear upgrade -a -B --force channel://pecl.php.net/msgpack-0.5.7
pear upgrade -a -B --force channel://pear.php.net/Numbers_Words-0.18.1
pear upgrade -a -B --force channel://pear.php.net/Image_Text-0.7.0
# Show what the horde channel installed and remove the parts not needed here.
pear list -c horde
pear uninstall Services_Weather
pear uninstall file_Fstab
/etc/apache2/conf-available/php-horde.conf (create it here; the ln -s below enables it)
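Alias /horde /var/www/horde
# Keep the non-web parts of the Horde tree out of reach. Debian's default
# <Directory /var/www/> uses AllowOverride None, so any .htaccess Horde ships is not
# honoured; config/ holds conf.php with the DB password, and *.dist/backup copies in it
# would be served verbatim.
<Directory /var/www/horde/config>
    Require all denied
</Directory>
<Directory /var/www/horde/lib>
    Require all denied
</Directory>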
ln -s /etc/apache2/conf-available/php-horde.conf /etc/apache2/conf-enabled/php-horde.conf
cp /var/www/horde/imp/config/backends.php /var/www/horde/imp/config/backends.local.php
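// backends.local.php: IMP's IMAP backend (straight quotes -- the curly ones from the forum
// are a syntax error). Plain IMAP on 143 is switched off in 10-master.conf (port = 0), so
// IMP has to use implicit TLS on 993; the hostspec then presumably has to match the
// certificate name (mx.domain.org rather than localhost) -- TODO confirm.
'hordeauth' => 'full', 'port' => 993, 'secure' => 'ssl',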
cp /var/www/horde/config/conf.php.dist /var/www/horde/config/conf.php
/horde/ Update all configuration, Update DB schema, Check for newer versions
Database: driver mysqli, username horde, password = the one set in the GRANT above, database name horde
Authentication admin:user@domain.org driver:SQLauth driverconfig:Horde encryption:crypt-sha512 count_bad_logins:X login_block:X login_block_count: 2
Spell Checker driver:aspell
Image Manipulation driver:PECL Imagick
Problem Reporting email:user@domain.org maildomain:domain.org
horde-db-migrate
Update all configuration, Update DB schema, Check for newer versions
https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql/
/etc/hosts IPserver mx.domain.org mx
/etc/postfix/main.cf
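# /etc/postfix/main.cf -- same Let's Encrypt certificate as Apache/Dovecot; reload
# Postfix after every renewal. Continuation lines of the *_restrictions lists must be
# indented: Postfix only treats a line starting with whitespace as a continuation.
smtpd_tls_cert_file=/etc/letsencrypt/live/domain.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/domain.org/privkey.pem
# smtpd_use_tls is the old spelling; smtpd_tls_security_level below is what counts.
smtpd_use_tls=yes
# Offer AUTH only after STARTTLS, and never a plaintext mechanism without it.
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# SASL is delegated to Dovecot over the socket defined in 10-master.conf.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_unauth_destination
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
# The machine was installed as mx.domain.org (see /etc/hosts above) and that name is in
# the certificate, so use it as the HELO/EHLO name; the bare domain would announce
# "domain.org" instead. The MX and PTR records presumably point to mx.domain.org as well -- confirm.
myhostname = mx.domain.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = domain.org
myorigin = $mydomain
# Only localhost is a "local" destination; the real domains are virtual (below).
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
# Virtual mailboxes are handed to Dovecot over LMTP; valid recipients are looked up in
# Horde's user table, so creating a user in Horde is what creates the mailbox.
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = domain.org domain.com
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = hash:/etc/postfix/virtual
# Hardening against address harvesting and sloppy clients.
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h
# Permanent (550) rather than temporary rejects, so rejected senders do not keep retrying.
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
# OpenDKIM milter (Socket inet:8891@localhost in opendkim.conf). With "accept", mail is
# sent unsigned while OpenDKIM is down; "tempfail" would defer it instead.
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891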
/etc/postfix/master.cf
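# /etc/postfix/master.cf -- the "-o" lines MUST start with whitespace: master.cf treats an
# indented line as a continuation of the service entry above it and an unindented one as
# a new (broken) service definition.
# Port 587: STARTTLS is mandatory, AUTH via Dovecot, relaying only for authenticated users.
# ORIGINATING is the conventional daemon_name hint for milters that this is submitted mail.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
# Port 465: implicit TLS (wrapper mode) for clients that cannot do STARTTLS.
smtps     inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING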
/etc/postfix/mysql-virtual-mailbox-maps.cf
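# /etc/postfix/mysql-virtual-mailbox-maps.cf -- Postfix recipient lookup in Horde's user table.
# This file contains the DB password: chgrp postfix + chmod 640 (the postfix daemons read it
# as user "postfix"); do not leave it world-readable.
# NOTE(review): the "horde" account has ALL privileges on the database, but Postfix only needs
# SELECT on horde_users -- a separate read-only account would be the least-privilege choice.
user = horde
password = …
hosts = 127.0.0.1
dbname = horde
# Returns a row when the full address is a Horde user (%s = looked-up address).
# The curly quotes from the forum rendering would break the query; these are plain ASCII quotes.
query = SELECT 1 FROM horde_users WHERE user_uid='%s'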
/etc/postfix/virtual
# /etc/postfix/virtual -- the role addresses (postmaster/abuse must exist per RFC 2142) all
# land in the one real mailbox; run postmap after every edit to rebuild the .db file.
info@domain.org user@domain.org
abuse@domain.org user@domain.org
root@domain.org user@domain.org
postmaster@domain.org user@domain.org
# Forward to an external mailbox. "gmail.org" looks like a typo for gmail.com -- verify.
# Forwarded mail keeps the original envelope sender, which can fail SPF at the receiver.
user123@domain.org 1234@gmail.org
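sudo postmap /etc/postfix/virtual
# Sanity check: prints "1" for an address that exists as a Horde user.
sudo postmap -q user@domain.org mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
# Mail store, one directory per virtual domain (both domains are in virtual_mailbox_domains).
mkdir -p /var/mail/vhosts/domain.org /var/mail/vhosts/domain.com
# Unprivileged owner of the mail store; also the Dovecot auth-worker user (10-master.conf).
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail
chown -R vmail:vmail /var/mail
# /etc/dovecot contains the DB password (dovecot-sql.conf.ext): hide it from "other".
# NOTE(review): Dovecot's config process reads these files as root, so vmail does not have
# to own them; root:dovecot with o-rwx should be enough -- confirm before changing.
chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot
# /etc/postfix has to stay readable by the postfix daemons, which run as user "postfix" and
# parse main.cf themselves -- a recursive o-rwx on the directory breaks them. But a blanket
# "chmod -R 755" leaves the MySQL map with its password world-readable, so restrict that one
# file to root:postfix instead. (Never apply a recursive world-readable chmod once
# /etc/postfix/dkim/mail.private exists.)
chmod 755 /etc/postfix
chgrp postfix /etc/postfix/mysql-virtual-mailbox-maps.cf
chmod 640 /etc/postfix/mysql-virtual-mailbox-maps.cf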
/etc/dovecot/dovecot.conf
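# /etc/dovecot/dovecot.conf -- IMAP for clients, LMTP for delivery from Postfix; no POP3.
protocols = imap lmtp
# Sender of bounces/notifications Dovecot generates; must be a real address ("postmaster at"
# was an e-mail obfuscation, Dovecot needs the literal "@"). It is aliased in /etc/postfix/virtual.
postmaster_address = postmaster@domain.org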
/etc/dovecot/conf.d/10-mail.conf
# One Maildir per domain/user below the vmail-owned store; %d = domain, %n = local part.
mail_location = maildir:/var/mail/vhosts/%d/%n/
# Only matters for system mailboxes in /var/mail; not needed for the vmail store here, but harmless.
mail_privileged_group = mail
/etc/dovecot/conf.d/10-auth.conf
# Refuse PLAIN/LOGIN over unencrypted connections (ssl = required in 10-ssl.conf enforces
# the same at the listener level).
disable_plaintext_auth = yes
# PLAIN is enough for IMAP clients; LOGIN is kept for older SMTP clients that authenticate
# through Postfix's SASL socket.
auth_mechanisms = plain login
# NOTE(review): Debian's 10-auth.conf ends with "!include auth-system.conf.ext"; for the SQL
# passdb edited below that include has to be replaced by "!include auth-sql.conf.ext" --
# nothing in these notes shows that step, confirm it was done.
/etc/dovecot/conf.d/auth-sql.conf.ext
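# Password check against Horde's user table (connection and scheme in dovecot-sql.conf.ext).
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
# SQL userdb not used: all users share the same uid/gid/home layout, so the static userdb
# below is sufficient. The driver/args lines of this block presumably lost their "#" in the
# paste -- left uncommented at top level, doveconf rejects them as unknown settings.
#userdb {
#  driver = sql
#  args = /etc/dovecot/dovecot-sql.conf.ext
#}
# Every authenticated user maps to the vmail account and a per-domain/per-user Maildir.
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}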
/etc/dovecot/dovecot-sql.conf.ext
# /etc/dovecot/dovecot-sql.conf.ext -- holds the DB password; keep it unreadable by "other"
# (the chmod -R o-rwx /etc/dovecot step above does that).
driver = mysql
connect = host=127.0.0.1 dbname=horde user=horde password=
# Must match the scheme Horde stores passwords with (encryption: crypt-sha512 in Horde's
# Authentication setup).
default_pass_scheme = SHA512-CRYPT
# NOTE(review): no password_query is shown. Dovecot's default query expects a "users" table
# with username/domain columns, which Horde does not have; presumably something like
#   password_query = SELECT user_uid AS user, user_pass AS password FROM horde_users WHERE user_uid = '%u'
# is needed -- confirm against the horde_users schema and the SQLAuthHowTo linked above.
nano /etc/dovecot/conf.d/10-master.conf
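# /etc/dovecot/conf.d/10-master.conf -- the closing braces of imap-login and lmtp were lost
# in the paste; without them doveconf fails to parse the file.
# No plaintext IMAP listener at all (port = 0); only implicit TLS on 993.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

# LMTP socket inside Postfix's chroot, reachable only by the postfix user
# (virtual_transport = lmtp:unix:private/dovecot-lmtp in main.cf).
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

service auth {
  # SASL socket for Postfix (smtpd_sasl_path = private/auth in main.cf).
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  # userdb lookups for lmtp/doveadm, which run as vmail.
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}

# Auth workers default to root (to read /etc/shadow); the SQL passdb does not need that,
# so run them as the unprivileged vmail user.
service auth-worker {
  user = vmail
}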
/etc/dovecot/conf.d/10-ssl.conf
# Refuse any non-TLS connection (only imaps is offered; plain IMAP is off in 10-master.conf).
ssl = required
# Same certificate as Apache/Postfix; the "<" makes Dovecot read the files itself (as root,
# so the restrictive Let's Encrypt key permissions are fine). Reload Dovecot after each renewal.
ssl_cert = </etc/letsencrypt/live/domain.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/domain.org/privkey.pem
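# Pull mail from external (Gmail) accounts into the local Maildirs. The rc files below
# carry the remote passwords in clear text, hence the root-only 0700 directory.
apt install getmail
mkdir -p /root/.getmail/
chmod 700 /root/.getmail/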
/root/.getmail/getmailrcuser
/root/.getmail/getmailrcuser123
# /root/.getmail/getmailrcuser -- one file per remote account. The password is stored in
# clear text (directory is root:0700). Gmail usually requires an app password or OAuth2
# rather than the account password here -- confirm.
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.gmail.com
port = 993
username = user123@gmail.com
password =
# Deliver straight into the vmail-owned Maildir of the local user.
[destination]
type = Maildir
path = /var/mail/vhosts/domain.org/user/
user = vmail
[options]
verbose = 2
message_log = ~/.getmail/log
# Fetch only messages not retrieved before, and delete them from Gmail afterwards -- the
# remote copy is gone, so the local store needs its own backup.
read_all = false
delete = true
crontab -e
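# Fetch external mail every 10 minutes (the leading "*" was swallowed: "/10" is not valid cron).
*/10 * * * * getmail -r /root/.getmail/getmailrcuser --quiet     # every 10 min
*/10 * * * * getmail -r /root/.getmail/getmailrcuser123 --quiet
# 02:00 daily -- cron has no terminal: without -y and a non-interactive frontend the upgrade
# just prompts and aborts. The unattended-upgrades package is the proper tool for this.
0 2 * * * DEBIAN_FRONTEND=noninteractive apt-get -q update && DEBIAN_FRONTEND=noninteractive apt-get -y -q upgrade
# 03:00 daily -- an unattended Horde upgrade can change config/schema (horde-db-migrate may
# be required afterwards); run it by hand or at least review the log.
0 3 * * * pear upgrade -a -B horde/groupware
# 04:00 Tuesdays -- the Debian certbot package already installs a renewal timer, so this is
# normally redundant; if kept, the command is just "certbot renew" (the word "crontab" was a typo).
0 4 * * 2 certbot renew --quiet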
https://wiki.debian.org/opendkim
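mkdir /etc/postfix/dkim/
# Selector "mail" for domain.org (the original "domainorg" was a typo). opendkim-genkey
# defaults to a 1024-bit key; use 2048 bits as current guidance recommends.
opendkim-genkey -D /etc/postfix/dkim/ -d domain.org -s mail -b 2048
# The key is created 0600 root; OpenDKIM runs as user opendkim, so let that group read the
# files (the "*" was swallowed by the forum -- chgrp/chmod on the directory alone do not
# make mail.private readable). Never make mail.private world-readable: whoever has it can
# sign mail as domain.org.
chgrp opendkim /etc/postfix/dkim/*
chmod g+r /etc/postfix/dkim/*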

/etc/opendkim.conf
# /etc/opendkim.conf -- sign outgoing (s) and verify incoming (v) mail.
Mode sv
# Must match smtpd_milters / non_smtpd_milters in main.cf (inet:localhost:8891).
# NOTE(review): on Debian the socket may also be set in /etc/default/opendkim or the systemd
# unit, which can override this line -- check with "ss -ltnp | grep 8891" after a restart.
Socket inet:8891@localhost
# key name -> domain:selector:private key file
KeyTable file:/etc/postfix/dkim/keytable
# Hosts whose mail is signed instead of verified. The file is not shown in these notes; it
# needs at least 127.0.0.1, ::1 and localhost (plus mx.domain.org) for the Postfix milter.
InternalHosts refile:/etc/postfix/dkim/trustedhosts
# sender pattern -> key name from the KeyTable
SigningTable refile:/etc/postfix/dkim/signingtable
/etc/postfix/dkim/keytable
mail._domainkey.domain.org domain.org:mail:/etc/postfix/dkim/mail.private
/etc/postfix/dkim/signingtable
*@domain.org mail._domainkey.domain.org
p=MI… — take the value from /etc/postfix/dkim/mail.txt: remove the double quotes and join the pieces after p= into one continuous string (no spaces or line breaks). Publish it as a TXT record at mail._domainkey.domain.org (only the public key goes into DNS; mail.private stays on the server), wait for DNS propagation, then verify with the opendkim-testkey command below.
mail._domainkey TXT v=DKIM1; k=rsa;
p=MIjksdfjhsdjghghdfjkgKCAQEA6G05c2aUOoAZOOle5XjrKm3tH7ydsdjhgiERGJERKLJgkldagkölqwJKJKFHDJkhdkoqOVeXQ5tJ38N5QMWnTjbtx7bgrk0QruvVNZDrSqyiUDIYBUjakoXxE3YqihGdw9rxpArWALkwDEAYU6nIYQZFc7uxmZhvINwiamnLplad9NUbbFLHlE3n
opendkim-testkey -d domain.org -s mail -vvv