Debian 11 Bullseye Dovecot Postfix MariaDB Opendkim PHP Letsencrypt Fail2ban mit Userverwaltung in Nextcloud

Nun läuft auch Email und das Editieren von Officedokumenten gut. Für produktiven Einsatz wäre noch die Two-Factor Email App zu installieren.

\
sudo su
apt update && apt upgrade

lindner.eu.org 
mairhofer.eu.org 
mutschlechner.eu.org 
schoenweger.eu.org
schönweger.eu.org XN--SCHNWEGER-27A.EU.ORG 
A Record
mx.domain 193.238.156.135
domain 193.238.158.17
www 193.238.158.17
MX Record
domain 10 domain
mx.domain 50 mx.domain
TXT Record
domain "v=spf1 mx ~all"
2021._domainkey.domain "v=DKIM1; h=sha256;
k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

/etc/hosts
193.238.158.17 mutschlechner.eu.org www

apt install postfix-mysql dovecot-imapd dovecot-lmtpd dovecot-mysql \
mariadb-server sudo wget python3-certbot-apache dovecot-fts-xapian
apt install libapache2-mod-php php-xml php-cli php-cgi php-mysql \
php-mbstring php-gd php-curl php-zip unzip php-intl php-imagick \
php-bz2 php-imap php-gmp php-bcmath opendkim opendkim-tools \
redis-server php-redis fail2ban	

a2enmod ssl rewrite headers proxy proxy_http
systemctl status apache2
apachectl configtest

/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
 ServerName lindner.eu.org
 ServerAlias www.lindner.eu.org
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 Redirect permanent / https://www.lindner.eu.org
</VirtualHost>
<VirtualHost *:80>
...Je Domain
</VirtualHost>

/etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
 <VirtualHost *:443>
  ServerName lindner.eu.org
  DocumentRoot /var/www/html/nextcloud
   <Directory /var/www/html/nextcloud/>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
   </Directory>
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <IfModule mod_dav.c>
   Dav off
  </IfModule>
   <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
   </IfModule>
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/mutschlechner.eu.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mutschlechner.eu.org/privkey.pem
  ProxyPass /sites/ https://lindner.eu.org/index.php/apps/cms_pico/pico_proxy/
  ProxyPassReverse /sites/ https://lindner.eu.org/index.php/apps/cms_pico/pico_proxy/
  SSLProxyEngine on
 </VirtualHost>
 <VirtualHost *:443>
  ServerName www.lindner.eu.org
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/mutschlechner.eu.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mutschlechner.eu.org/privkey.pem
  RewriteEngine On
  RewriteRule ^/(.*)$ https://lindner.eu.org/sites/lin/$1 [QSA,L]
 </VirtualHost>
 <VirtualHost *:443>
  ServerName mutschlechner.eu.org
  DocumentRoot /var/www/html/nextcloud
   <Directory /var/www/html/nextcloud/>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
   </Directory>
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <IfModule mod_dav.c>
   Dav off
  </IfModule>
   <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
   </IfModule>
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/mutschlechner.eu.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mutschlechner.eu.org/privkey.pem
  ProxyPass /sites/ https://mutschlechner.eu.org/index.php/apps/cms_pico/pico_proxy/
  ProxyPassReverse /sites/ https://mutschlechner.eu.org/index.php/apps/cms_pico/pico_proxy/
  SSLProxyEngine on
 </VirtualHost>
 <VirtualHost *:443>
  ServerName www.mutschlechner.eu.org
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/mutschlechner.eu.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mutschlechner.eu.org/privkey.pem
  RewriteEngine On
  RewriteRule ^/(.*)$ https://mutschlechner.eu.org/sites/mut/$1 [QSA,L]
 </VirtualHost>
 <VirtualHost *:443>
  ServerName XN--SCHNWEGER-27A.eu.org
  DocumentRoot /var/www/html/nextcloud
   <Directory /var/www/html/nextcloud/>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
   </Directory>
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <IfModule mod_dav.c>
   Dav off
  </IfModule>
   <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
   </IfModule>
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/mutschlechner.eu.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mutschlechner.eu.org/privkey.pem
  ProxyPass /sites/ https://XN--SCHNWEGER-27A.eu.org/index.php/apps/cms_pico/pico_proxy/
  ProxyPassReverse /sites/ https://XN--SCHNWEGER-27A.eu.org/index.php/apps/cms_pico/pico_proxy/
  SSLProxyEngine on
 </VirtualHost>
 <VirtualHost *:443>
  ServerName www.XN--SCHNWEGER-27A.eu.org
  ServerAlias schoenweger.eu.org
  ServerAlias www.schoenweger.eu.org
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/mutschlechner.eu.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mutschlechner.eu.org/privkey.pem
  RewriteEngine On
  RewriteRule ^/(.*)$ https://XN--SCHNWEGER-27A.eu.org/sites/sch/$1 [QSA,L]
 </VirtualHost>
</IfModule>

certbot certonly --webroot -w /var/www/html/ \
-d lindner.eu.org -d www.lindner.eu.org \
-d mutschlechner.eu.org -d www.mutschlechner.eu.org \
-d schoenweger.eu.org -d www.schoenweger.eu.org
Hinweis: Ohne --cert-name legt certbot das Zertifikat unter dem ersten -d-Namen ab (hier also lindner.eu.org), die Konfigurationen oben und unten erwarten es aber unter /etc/letsencrypt/live/mutschlechner.eu.org/. Außerdem fehlen XN--SCHNWEGER-27A.eu.org und www.XN--SCHNWEGER-27A.eu.org in der Liste, obwohl die zugehörigen VirtualHosts dieses Zertifikat verwenden.

/etc/letsencrypt/cli.ini
post-hook = systemctl restart postfix dovecot apache2

mysql_secure_installation
mysql -u root -p
CREATE DATABASE nextcloud;
CREATE USER 'nextclouduser'@'localhost' IDENTIFIED BY 'passwd';
GRANT ALL privileges ON nextcloud.* TO 'nextclouduser'@'localhost'
IDENTIFIED BY 'passwd';
FLUSH PRIVILEGES;
EXIT;
Hinweis: 'passwd' durch ein eigenes, starkes Passwort ersetzen. Postfix und Dovecot (siehe mysql-virtual-mailbox-maps.cf und dovecot-sql.conf.ext unten) brauchen nur SELECT auf oc_users; dafür wäre ein separater, auf SELECT beschränkter Datenbanknutzer sparsamer als der Nextcloud-Nutzer mit ALL PRIVILEGES.

/etc/php/7.4/apache2/php.ini
memory_limit = 512M
upload_max_filesize = 512M
post_max_size = 512M
max_execution_time = 300
#;output_buffering = 4096
file_uploads = On
allow_url_fopen = On
memory_limit = 512M
upload_max_filesize = 500M
post_max_size = 600M
max_execution_time = 300
display_errors = Off
date.timezone = Europe/Amsterdam
[opcache]
opcache.enable = 1
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.memory_consumption = 128
opcache.save_comments = 1
opcache.revalidate_freq = 1

cd /var/www/html/
wget https://download.nextcloud.com/server/releases/nextcloud-22.2.3.zip
unzip nextcloud-*.zip
chown -R www-data:www-data /var/www/html/nextcloud

Über http://domain Nextcloud einrichten
Apps +PicoCMS +MarkdownEditor +Plaintexteditor +Two-FactorEmail -Text
-Notes
/wwww/mut mai lin sch
/var/www/html/nextcloud/apps/cms_pico/appdata_public/themes/6IgwFEWoXs/default/index.twig
Löschen  <div id="header" und footer
grep -r Pellegrom *

crontab -u www-data -e
*/5 * * * * php -f /var/www/html/nextcloud/cron.php

/var/www/html/nextcloud/config/config.php
  'secret...
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
 'trusted_domains' =>
  array (
    0 => 'lindner.eu.org',
    1 => 'mairhofer.eu.org',
    2 => 'mutschlechner.eu.org',
    3 => 'schoenweger.eu.org',
    4 => 'XN--SCHNWEGER-27A.EU.ORG',
  ),
...

/etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtpd_tls_cert_file=/etc/letsencrypt/live/mutschlechner.eu.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mutschlechner.eu.org/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        reject_unauth_destination
                reject_rbl_client zen.spamhaus.org,
                reject_rhsbl_reverse_client dbl.spamhaus.org,
                reject_rhsbl_helo dbl.spamhaus.org,
                reject_rhsbl_sender dbl.spamhaus.org
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination
myhostname = mutschlechner.eu.org
alias_maps = hash:/etc/aliases
# reject_non_fqdn_helo_hostname (gehört als Eintrag in die Liste smtpd_helo_restrictions; als eigene Zeile ohne "=" meldet Postfix für main.cf "missing '=' after attribute name")
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        reject_unauth_destination
                reject_rbl_client zen.spamhaus.org,
                reject_rhsbl_reverse_client dbl.spamhaus.org,
                reject_rhsbl_helo dbl.spamhaus.org,
                reject_rhsbl_sender dbl.spamhaus.org
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination
virtual_alias_maps = hash:/etc/postfix/virtual
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
internal_mail_filter_classes = bounce
milter_default_action = accept
non_smtpd_milters = unix:/opendkim/opendkim.sock
smtpd_milters = unix:/opendkim/opendkim.sock
smtp_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

/etc/postfix/master.cf
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

/etc/postfix/mysql-virtual-mailbox-maps.cf
user = nextclouduser
password = passwd
hosts = 127.0.0.1
dbname = nextcloud
query = SELECT 1 FROM oc_users WHERE uid='%s'

chgrp postfix /etc/postfix/mysql-virtual-mailbox-maps.cf
chmod u=rw,g=r,o= /etc/postfix/mysql-virtual-mailbox-maps.cf

/etc/postfix/virtual
abuse@lindner.eu.org thomas@mutschlechner.eu.org
postmaster@lindner.eu.org thomas@mutschlechner.eu.org
root@lindner.eu.org thomas@mutschlechner.eu.org
...
postmap /etc/postfix/virtual

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail -m
mkdir -p /var/mail/mutschlechner.eu.org
mkdir -p /var/mail/domain...
chown -R vmail:vmail /var/mail

/etc/dovecot/dovecot.conf
postmaster_address = postmaster@mutschlechner.eu.org

/etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:/var/mail/%d/%n/

/etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
!include auth-system.conf.ext
!include auth-sql.conf.ext

/etc/dovecot/conf.d/auth-sql.conf.ext
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/%d/%n
}

/etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=127.0.0.1 dbname=nextcloud user=nextclouduser password=passwd
default_pass_scheme = ARGON2I
password_query = SELECT uid as user, replace(password,'3|','') as password FROM oc_users WHERE uid='%u';
Hinweis: Die Abfrage entfernt nur den Präfix '3|'; Einträge in oc_users mit einem anderen Präfix würden so nicht als gültiger Hash erkannt und die Anmeldung schlüge fehl.

/etc/dovecot/conf.d/10-master.conf
#port = 143
port = 0
...
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
...
service auth {
unix_listener auth-userdb {
mode = 0600
user = vmail
...

/etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = </etc/letsencrypt/live/mutschlechner.eu.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mutschlechner.eu.org/privkey.pem
ssl_min_protocol = TLSv1.2

/etc/dovecot/conf.d/90-fts.conf
mail_plugins = $mail_plugins fts fts_xapian
plugin {
    fts = xapian
    fts_xapian = partial=3 full=20 verbose=0
    fts_autoindex = yes
    fts_enforced = yes
    fts_autoindex_exclude = \Trash
    fts_decoder = decode2text
}
service indexer-worker {
    # Increase vsz_limit to 2GB or above.
    # Or 0 if you have rather large memory usable on your server, which is preferred.
    vsz_limit = 2G
}
service decode2text {
    executable = script /usr/lib/dovecot/decode2text.sh
    user = dovecot
    unix_listener decode2text {
        mode = 0666
    }
}

cp /usr/share/doc/dovecot-core/examples/decode2text.sh /usr/lib/dovecot/
chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod go= /etc/dovecot/dovecot-sql.conf.ext

sudo -u opendkim opendkim-genkey -D /etc/dkimkeys -d \
mutschlechner.eu.org -s 2021

/etc/opendkim.conf
KeyTable        /etc/dkimkeys/keytable
SigningTable refile:/etc/dkimkeys/signingtable
Syslog                  yes
SyslogSuccess           yes
OversignHeaders         From
Domain                  mutschlechner.eu.org
Selector               2021
KeyFile  /etc/dkimkeys/2021.private
UserID                  opendkim
UMask                   007
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
PidFile                 /run/opendkim/opendkim.pid
TrustAnchorFile         /usr/share/dns/root.key

/etc/dkimkeys/keytable
2021._domainkey.mutschlechner.eu.org
mutschlechner.eu.org:2021:/etc/dkimkeys/2021.private
...

/etc/dkimkeys/signingtable
*@mutschlechner.eu.org 2021._domainkey.mutschlechner.eu.org
...

sudo mkdir -m o-rwx /var/spool/postfix/opendkim
sudo chown opendkim: /var/spool/postfix/opendkim
sudo adduser postfix opendkim

systemctl restart apache2
systemctl restart postfix
systemctl restart dovecot
systemctl restart opendkim

opendkim-testkey -d lindner.eu.org -s 2021 -vvv
host -t TXT 2021._domainkey.mutschlechner.eu.org
dig 2021._domainkey.mutschlechner.eu.org txt

crontab -e
0 1 * * 2 apt update && apt upgrade -y
0 3 * * 2 certbot renew
0 4 * * 2 systemctl reboot



