Difference between revisions of "Email server setup"

Line 36: Line 36:
 
=Create Linux mail user=
 
=Create Linux mail user=
  
It's a common good practice to create a dedicated user to send email. That's the user POSTFIX will use.
+
* It's a common good practice to create a dedicated user to send email. That's the user POSTFIX will use. As usual in Linux, that user should be UID > 1000 so it has more restrictions.
 
+
* All the emails will be saved into "/var/vmail/"
As usual in Linux, that user should be UID > 1000 so it has more restrictions.
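Review bot: the reasoning in the new bullet that a UID above 1000 gives the account "more restrictions" does not hold: the UID number itself grants or removes nothing, and on Debian-style systems UIDs below 1000 are the system-account range. What protects the account is that it cannot log in, so the bullet should say the user gets no password and a non-login shell, and the `useradd` line in the next hunk should set that shell.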
 
  
  
Line 47: Line 46:
 
# New user
 
# New user
 
groupadd --system virtualMail -g 5000
 
groupadd --system virtualMail -g 5000
useradd --system virtualMail -u 5000 -g 5000  
+
useradd --system virtualMail -u 5000 -g 5000 -d /var/vmail -m
chown -R virtualMail:virtualMail /var/spool/mail/virtualMail
+
chown -R virtualMail:virtualMail /var/vmail
 +
chmod u+w /var/vmail
 
</syntaxhighlight>
 
</syntaxhighlight>
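Review bot: `chmod u+w /var/vmail` is a no-op after `useradd ... -d /var/vmail -m` (the home directory is created owned by and writable for the user) and it leaves the default read access for everyone else on a directory that will hold all mail; replace it with `chmod 700 /var/vmail`, and add `-s /usr/sbin/nologin` to the `useradd` line so the mail account cannot log in. The old `chown` targeted `/var/spool/mail/virtualMail` and that path disappears from this hunk, so any setting that still points there needs the same change.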
  
Line 85: Line 85:
  
 
<syntaxhighlight lang="sql">
 
<syntaxhighlight lang="sql">
 
CREATE TABLE `aliases` (
 
    `pkid` smallint(3) NOT NULL auto_increment,
 
    `mail` varchar(120) NOT NULL default '',
 
    `destination` varchar(120) NOT NULL default '',
 
    `enabled` tinyint(1) NOT NULL default '1',
 
    PRIMARY KEY (`pkid`),
 
    UNIQUE KEY `mail` (`mail`) ) ;
 
  
 
CREATE TABLE `domains` (  
 
CREATE TABLE `domains` (  
   `pkid` smallint(6) NOT NULL auto_increment,  
+
   `id` smallint(6) NOT NULL auto_increment,  
   `domain` varchar(120) NOT NULL default '',
+
   `name` varchar(120) NOT NULL default '',  
  `transport` varchar(120) NOT NULL default 'virtual:',  
 
 
   `enabled` tinyint(1) NOT NULL default '1',  
 
   `enabled` tinyint(1) NOT NULL default '1',  
   PRIMARY KEY (`pkid`) ) ;  
+
   PRIMARY KEY (`id`)  
 +
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 +
 
  
 
CREATE TABLE `users` (  
 
CREATE TABLE `users` (  
 
   `id` varchar(128) NOT NULL default '',  
 
   `id` varchar(128) NOT NULL default '',  
   `name` varchar(128) NOT NULL default '',  
+
   `email` varchar(120) NOT NULL,
   `uid` smallint(5) unsigned NOT NULL default '5000',
+
   `name` varchar(120) NOT NULL default '',  
  `gid` smallint(5) unsigned NOT NULL default '5000',  
+
   `password` varchar(32) NOT NULL,
   `home` varchar(255) NOT NULL default '/var/spool/mail/virtual',  
+
   `domain_id`smallint(6) NOT NULL,
   `maildir` varchar(255) NOT NULL default 'blah/',  
 
 
   `enabled` tinyint(3) unsigned NOT NULL default '1',  
 
   `enabled` tinyint(3) unsigned NOT NULL default '1',  
   `change_password` tinyint(3) unsigned NOT NULL default '1',  
+
   PRIMARY KEY (`id`),
  `clear` varchar(128) NOT NULL default 'ChangeMe',  
+
  UNIQUE KEY `email` (`email`),
  `crypt` varchar(128) NOT NULL default 'sdtrusfX0Jj66',  
+
  FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
  `quota` varchar(255) NOT NULL default '',  
+
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
  PRIMARY KEY (`id`),  
+
 
  UNIQUE KEY `id` (`id`) ) ;
+
 
 +
CREATE TABLE `aliases` (
 +
    `id` smallint(3) NOT NULL auto_increment,
 +
    `domain_id` smallint(6) NOT NULL,  
 +
    `source` varchar(120) NOT NULL default '',  
 +
    `destination` varchar(100) NOT NULL,
 +
    `enabled` tinyint(1) NOT NULL default '1',  
 +
    PRIMARY KEY (`id`),  
 +
    FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
 +
) ENGINE=InnoDB DEFAULT CHARSET=utf8;  
  
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
 +
  
 
Source: http://flurdy.com/docs/postfix/  
 
Source: http://flurdy.com/docs/postfix/  
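Review bot: `password` varchar(32) in the new `users` table only fits an unsalted 32-character MD5 hex digest; a salted, scheme-prefixed hash as a Dovecot SQL passdb stores it is much longer, so use varchar(255) and document the hash scheme instead of a 32-byte limit. Two smaller points: `aliases.destination` varchar(100) is shorter than `users.email` varchar(120), so a long mailbox address cannot be an alias target; and `users.id` varchar(128) default '' is the primary key without any note on what it holds (the old `mysql_mailbox.cf` later in this diff looked mailboxes up by `where_field=id`, so it held the address), so say so or drop it in favour of `email`.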
Line 259: Line 262:
  
 
## MySQL settings
 
## MySQL settings
# Mailbox location for each user
 
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
 
# List of virtual mailboxes
 
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
 
 
# Domain lookups
 
# Domain lookups
 
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
 
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
 +
# List of available mailboxes
 +
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailboxes.cf
 +
# List of virtual mailboxes
 +
virtual_alias_maps = mysql:/etc/postfix/mysql_aliases.cf,mysql:/etc/postfix/mysql_mailboxes.cf
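Review bot: the comment `# List of virtual mailboxes` now sits above `virtual_alias_maps`, which is the alias lookup, not the mailbox list. The reason `mysql_mailboxes.cf` is listed there as a second map (an existing mailbox must resolve to itself before a `@domain` catch-all alias is tried) is the point worth writing in that comment, e.g. `# Alias lookups; the mailbox map is listed too so real mailboxes are not caught by a catch-all alias`.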
  
  
Line 295: Line 298:
 
** virtual_uid_maps
 
** virtual_uid_maps
 
** virtual_gid_maps
 
** virtual_gid_maps
 +
 +
 +
 +
==MySQL domain config==
 +
 +
How to find the domains.
 +
 +
<syntaxhighlight lang="bash">
 +
vim /etc/postfix/mysql_domains.cf
 +
</syntaxhighlight>
 +
 +
 +
Put the following content, replace ''mailDbPASSWORD'' by your own database password:
 +
 +
<syntaxhighlight lang="bash">
 +
user = maildb
 +
password = mailPASSWORD
 +
hosts = 127.0.0.1
 +
dbname = maildb
 +
query = SELECT name FROM domains WHERE name='%s' AND enabled = 1
 +
</syntaxhighlight>
 +
 +
 +
''Notes:''
 +
* Do not use "localhost" instead of "127.0.0.1". Since Postfix and MySQL are chroot in different places Postfix must use network (127.0.0.1) communication instead of file (localhost).
 +
* The '%s' will be replace dynamically on runtime by the requested domain
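Review bot: the sample file sets `password = mailPASSWORD` while the sentence above tells the reader to replace ''mailDbPASSWORD'', the name used by the GRANT statements and by the other two .cf files; make the placeholder consistent so a reader searching for it finds every occurrence. Also "will be replace dynamically on runtime" should read "will be replaced at runtime".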
  
  
Line 303: Line 332:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/postfix/mysql_mailbox.cf
+
vim /etc/postfix/mysql_mailboxes.cf
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 310: Line 339:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
user=maildb
+
user = maildb
password=mailDbPASSWORD
+
password = mailDbPASSWORD
dbname=maildb  
+
dbname = maildb  
table=users
+
hosts = 127.0.0.1
select_field=maildir
+
query = SELECT email FROM users WHERE email = '%s' AND enabled = 1
  where_field=id
 
  hosts=127.0.0.1  
 
  additional_conditions = and
 
  enabled = 1
 
 
</syntaxhighlight>
 
</syntaxhighlight>
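Review bot: the old file returned the `maildir` column (`select_field=maildir`) and the new query returns `email`. For delivery by Postfix's own virtual(8) agent the virtual_mailbox_maps result is the mailbox path under virtual_mailbox_base, so an address such as user@example.com would become the mailbox file name, and an mbox file at that since it does not end in "/". Returning the address is fine only when a separate virtual_transport (Dovecot LMTP/LDA) does the delivery and the value is ignored; state which delivery path this setup relies on, or return a path ending in "/" for a Maildir.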
  
Line 328: Line 353:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/postfix/mysql_alias.cf
+
vim /etc/postfix/mysql_aliases.cf
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 335: Line 360:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
user=maildb  
+
user = maildb  
password=mailDbPASSWORD
+
password = mailDbPASSWORD
dbname=maildb  
+
dbname = maildb  
table=aliases
+
hosts = 127.0.0.1
select_field=destination
+
query = SELECT destination FROM aliases WHERE source='%s' AND enabled = 1
  where_field=mail
 
  hosts=127.0.0.1  
 
  additional_conditions = and
 
  enabled = 1
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
 +
--------
  
==MySQL domain config==
 
  
How to find the domains.
+
Trick:
 +
 
 +
In case of catch-all addresses such as @dev.daxiongmao.eu (to get everything) you need another file to allow (bob@dev.daxiongmao.eu).
 +
 
 +
In that case the Postfix "virtual_alias_map" will use 2 scripts.
  
<syntaxhighlight lang="bash">
 
vim /etc/postfix/mysql_domains.cf
 
</syntaxhighlight>
 
  
  
Put the following content, replace ''mailDbPASSWORD'' by your own database password:
+
==Set rights==
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
user=maildb
+
chgrp postfix /etc/postfix/mysql*.cf
password=mailPASSWORD
+
​chmod u=rw,g=r,o= /etc/postfix/mysql*.cf
dbname=maildb
 
table=domains
 
select_field=domain
 
  where_field=domain
 
  hosts=127.0.0.1
 
  additional_conditions = and
 
  enabled = 1
 
 
</syntaxhighlight>
 
</syntaxhighlight>
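Review bot: the new `chmod` line starts with an invisible zero-width space (U+200B) before `chmod`, so pasting it into a shell yields "command not found"; retype the line. `chgrp postfix` plus `u=rw,g=r,o=` is the right shape (root-owned, readable by the postfix group only) since these files carry the database password. The relocated "Trick" paragraph says virtual_alias_map "will use 2 scripts" without naming them; name `mysql_aliases.cf` and `mysql_mailboxes.cf` and the parameter `virtual_alias_maps` (plural) so it matches the main.cf hunk above.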
  
Line 414: Line 429:
  
 
2 options:
 
2 options:
- Create a new server certificate using your root Authority of Certification
+
# Create a new server certificate using your root Authority of Certification
- Create a self-signed certificate (only if no other choice)
+
# Create a self-signed certificate (only if no other choice)
 +
 
 +
 
 +
===Sign server certificate using your own AC===
 +
 
 +
See [[SSL server#Server certificate]] for more details.
 +
 
 +
 
 +
Create the private key + certificate request on the email server
 +
<syntaxhighlight lang="bash">
 +
cd /etc/ssl
 +
# Encrypted private key
 +
openssl genrsa -aes256 -out private/mail.daxiongmao.eu.key -rand ./ 4096
 +
# Decipher it for Apache2
 +
openssl rsa -in private/mail.daxiongmao.eu.key -out private/mail.daxiongmao.eu.nopass.key
 +
</syntaxhighlight>
 +
 
 +
 
 +
Generate server certificate's request
 +
<syntaxhighlight lang="bash">
 +
openssl req -config openssl.cnf -new -nodes -key private/mail.daxiongmao.eu.key -out certs/mail.daxiongmao.eu.req
 +
</syntaxhighlight>
 +
 
 +
* Country Name (2 letter code) [AU]: '''SE'''
 +
* State or Province Name (full name) [Some-State]:'''Vastra Goteland'''
 +
* Locality Name (eg, city) []:'''Goteborg'''
 +
* Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Daxiongmao.eu'''
 +
* Common Name (e.g. server FQDN or YOUR name) []:'''mail.daxiongmao.eu'''
 +
 
 +
 
 +
Send the .req file to the AC server, into ''/srv/ssl/certs/'' then run:
 +
<syntaxhighlight lang="bash">
 +
cd /srv/ssl
 +
openssl ca -config openssl.cnf \
 +
-in certs/mail.daxiongmao.eu.req \
 +
-out certs/mail.daxiongmao.eu.cert.pem \
 +
-cert cacerts.pem \
 +
-days 3600
 +
</syntaxhighlight>
 +
 
 +
Then send back the "mail.daxiongmao.cert.pem" to the mail server.
 +
 
 +
 
 +
===Create a self-signed certificate===
 +
 
 +
 
 +
 
 +
===Copy the certificate for Apache2===
 +
 
 +
<syntaxhighlight lang="bash">
 +
cp /etc/ssl/private/mail.daxiongmao.eu.nopass.key /etc/apache2/webServer.key
 +
cp /etc/ssl/certs/mail.daxiongmao.eu.cert.pem /etc/apache2/webServer.key
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
==Apache2 Virtual host==
 +
 
 +
 
 +
===Create a new VHost===
 +
 
 +
Create a new vHost:
 +
 
 +
<syntaxhighlight lang="bash">
 +
vim /etc/apache2/sites-available/mail.daxiongmao.eu.conf
 +
</syntaxhighlight>
 +
 
 +
 
 +
Put the following content:
 +
 
 +
<syntaxhighlight lang="bash">
 +
</syntaxhighlight>
 +
 
 +
 
 +
===Disable the default VHOST===
 +
 
 +
<syntaxhighlight lang="bash">
 +
a2dissite 000-default
 +
</syntaxhighlight>
 +
 
 +
 
 +
===Enable the new VHOST===
 +
 
 +
<syntaxhighlight lang="bash">
 +
a2ensite mail.daxiongmao.eu
 +
</syntaxhighlight>
 +
 
 +
 
 +
===Enable Apache2 modules===
 +
 
 +
<syntaxhighlight lang="bash">
 +
a2enmod ssl rewrite
 +
</syntaxhighlight>
 +
 
 +
 
 +
===Restart and test===
 +
 
 +
<syntaxhighlight lang="bash">
 +
service apache2 restart
 +
</syntaxhighlight>
 +
 
 +
 
 +
Go to: https://mail.daxiongmao.eu
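Review bot: in `===Copy the certificate for Apache2===` both `cp` commands write to `/etc/apache2/webServer.key`, so the second overwrites the private key with the certificate and Apache will fail to load the key; give the certificate its own target file. Related: the decrypted `nopass.key` copy needs root-only permissions (`chmod 600`) since nothing else protects it; `-rand ./` hands a directory to an option that expects seed files and can be dropped; and both `===Create a self-signed certificate===` and the vhost `Put the following content:` block are still empty.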
  
  

Revision as of 10:49, 12 August 2014


Note

All that follows is the sum of different how-tos. I've based my research on Christoph Haas' how-to and FLURDY, therefore a lot of commands are similar.


I'm not an expert on mail servers, therefore most of the following content is not mine. I've just aggregated data to make it easier to work with. Please check out the #Sources if you want to know more.


This content is provided under the same license as my sources: GNU General Public License.



Overview

Requirements

An email server requires a lot of components:

  • Send / Receive emails [SMTP, POP3, IMAP, ...]
  • Tools to check the email content against virus, spam
  • Tools to encrypt the communication
  • (optional) Database to manage users and emails


Therefore, before going on you need to have:



Create Linux mail user

  • It's a common good practice to create a dedicated user to send email. That's the user POSTFIX will use. As usual in Linux, that user should be UID > 1000 so it has more restrictions.
  • All the emails will be saved into "/var/vmail/"


# Server root folder, where all the mails will be stored
# (this is the path main.cf's virtual_mailbox_base points to, so the mail user must own it too)
mkdir -p /var/spool/mail/virtualMail 

# New user (-m creates its home directory /var/vmail, owned by the user)
groupadd --system virtualMail -g 5000
useradd --system virtualMail -u 5000 -g 5000 -d /var/vmail -m
chown -R virtualMail:virtualMail /var/vmail
chown -R virtualMail:virtualMail /var/spool/mail/virtualMail
# Only the mail user may enter the mail store (u+w alone keeps the directory readable by everyone)
chmod 700 /var/vmail /var/spool/mail/virtualMail


MySQL database

Create and initialize a new database and user for email.


Create database

I assume that:

  • Database name: maildb
  • Db user: maildb


# log in as root 
mysql -u root -p 

# Create the mail database 
create database maildb; 

# Create a new user and grant rights upon mail database
# ('%' lets this user connect from any host; restrict it to the host that actually runs Postfix)
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'maildb'@'localhost' IDENTIFIED by 'mailDbPASSWORD'; 
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'maildb'@'%' IDENTIFIED by 'mailDbPASSWORD'; 
exit;


Schema

Create the following schema using MySQL workbench:

CREATE TABLE `domains` ( 
   `id` smallint(6) NOT NULL auto_increment, 
   `name` varchar(120) NOT NULL default '', 
   `enabled` tinyint(1) NOT NULL default '1', 
   PRIMARY KEY (`id`) 
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `users` ( 
   `id` varchar(128) NOT NULL default '', 
   `email` varchar(120) NOT NULL,
   `name` varchar(120) NOT NULL default '', 
   -- 32 characters only fits an unsalted MD5 hex digest; widen it (varchar(255)) if you store salted, scheme-prefixed hashes
   `password` varchar(32) NOT NULL,
   `domain_id` smallint(6) NOT NULL,
   `enabled` tinyint(3) unsigned NOT NULL default '1', 
   PRIMARY KEY (`id`),
   UNIQUE KEY `email` (`email`),
   FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `aliases` ( 
    `id` smallint(3) NOT NULL auto_increment, 
    `domain_id` smallint(6) NOT NULL, 
    `source` varchar(120) NOT NULL default '', 
    `destination` varchar(100) NOT NULL,
    `enabled` tinyint(1) NOT NULL default '1', 
    PRIMARY KEY (`id`), 
    FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


Source: http://flurdy.com/docs/postfix/


POSTFIX (SMTP server - to send/receive emails)

Installation

POSTFIX SMTP server:

apt-get install postfix postfix-mysql 

mkdir -p /var/spool/mail/virtual


Basic configuration

vim /etc/postfix/main.cf


Put the following configuration:


##########################
#      MISC settings     #
##########################
# Server name
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# Use external SMTP relay?
relayhost = 
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

# Bind interfaces
inet_interfaces = all
# Restrict to IPv4 (= avoid IPv6 errors and log spam)
inet_protocols=ipv4


###########################
#  Email global settings  #
###########################
# Email server name
myhostname = smartcard-mail.smartcards.vehco.com
# Domain name for emails originated from this server
#myorigin = /etc/mailname
myorigin = smartcards.vehco.com
# Local destination (= email server local alias)
mydestination = smartcard-mail.smartcards.vehco.com, localhost.smartcards.vehco.com, localhost
# Trusted senders
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.50.0/24 172.16.60.0/24


##############################
#          Commands          #
##############################
mailbox_command = procmail -a "$EXTENSION"


###################################
#  Email accounts / msg settings  #
###################################
# Max size of a local mailbox (0 = unlimited)
mailbox_size_limit = 0
# Max size of one virtual mailbox (0 = unlimited)
virtual_mailbox_limit = 0
# Max message size
message_size_limit = 0
# Misc settings
recipient_delimiter = +


###########################
#   Connection settings   #
###########################
# how long to keep message on queue before return as failed
maximal_queue_lifetime = 1h
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 5m
maximal_backoff_time = 10m
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12


####################################
#  Security: protocol enforcement  #
####################################
# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit

# Requirements for the sender details
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit

# Requirements for the connecting server 
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl

# Requirement for the recipient address
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_data_restrictions = reject_unauth_pipelining


# require proper helo at connections 
smtpd_helo_required = yes

# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes


############################
#      Email accounts      #
############################
# Alias definitions
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Location of the virtual mailbox folder (= Global server mailbox)
# ... This must match the folder you created in the "Create Linux mail user" section
virtual_mailbox_base = /var/spool/mail/virtualMail

## MySQL settings
# Domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# List of available mailboxes
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailboxes.cf
# List of virtual mailboxes
virtual_alias_maps = mysql:/etc/postfix/mysql_aliases.cf,mysql:/etc/postfix/mysql_mailboxes.cf


############################
#         Security         #
############################
## Mail user / group
# Good practice: you should create a dedicated Linux user to send mails. That one is called "virtualMail"
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

## TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Don't forget to adjust:

  • Email global settings
    • myhostname
    • myorigin
    • mydestination
    • mynetworks
  • Email accounts
    • virtual_mailbox_base
  • Security
    • virtual_uid_maps
    • virtual_gid_maps


MySQL domain config

How to find the domains.

vim /etc/postfix/mysql_domains.cf


Put the following content, replace mailDbPASSWORD by your own database password:

user = maildb
password = mailDbPASSWORD
hosts = 127.0.0.1
dbname = maildb 
query = SELECT name FROM domains WHERE name='%s' AND enabled = 1


Notes:

  • Do not use "localhost" instead of "127.0.0.1". Postfix's daemons and MySQL run chrooted in different places, so Postfix must reach MySQL over the network (127.0.0.1) rather than through the Unix socket that "localhost" selects.
  • The '%s' is replaced at runtime by the domain being looked up.


MySQL mailbox config

How to select a mailbox from MySQL.

vim /etc/postfix/mysql_mailboxes.cf


Put the following content, replace mailDbPASSWORD by your own database password:

user = maildb
password = mailDbPASSWORD
dbname = maildb 
hosts = 127.0.0.1
query = SELECT email FROM users WHERE email = '%s' AND enabled = 1


MySQL alias config

How to find the email aliases in MySQL.

vim /etc/postfix/mysql_aliases.cf


Put the following content, replace mailDbPASSWORD by your own database password:

user = maildb 
password = mailDbPASSWORD
dbname = maildb 
hosts = 127.0.0.1
query = SELECT destination FROM aliases WHERE source='%s' AND enabled = 1




Trick:

If you use a catch-all alias such as @dev.daxiongmao.eu (which receives everything sent to the domain), you need a second lookup file so that a real mailbox such as bob@dev.daxiongmao.eu is still delivered to its own mailbox instead of the catch-all.

In that case the Postfix virtual_alias_maps setting lists two lookup files: mysql_aliases.cf and mysql_mailboxes.cf, as in the main.cf above.
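To show why the page lists mysql_mailboxes.cf as a second map in virtual_alias_maps, here is an added Python model (my code, not the page's or Postfix's) that runs the page's three lookup queries against the page's schema in an in-memory SQLite database filled with constructed rows for dev.daxiongmao.eu. The lookup order (full address before the '@domain' catch-all, every map tried per key, results re-expanded) follows Postfix's documented virtual_alias_maps behaviour; the bounded loop and the "no local mailbox" result are my simplifications.

```python
import sqlite3

# The page's schema trimmed to what sqlite3 understands (MySQL-only clauses dropped).
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL, enabled INTEGER NOT NULL DEFAULT 1);
CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT NOT NULL UNIQUE, name TEXT NOT NULL DEFAULT '',
    password TEXT NOT NULL, domain_id INTEGER NOT NULL REFERENCES domains(id) ON DELETE CASCADE,
    enabled INTEGER NOT NULL DEFAULT 1);
CREATE TABLE aliases (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL REFERENCES domains(id) ON DELETE CASCADE,
    source TEXT NOT NULL, destination TEXT NOT NULL, enabled INTEGER NOT NULL DEFAULT 1);
"""
# The queries from the page's mysql_*.cf files; '?' stands where Postfix substitutes '%s'.
DOMAIN_QUERY = "SELECT name FROM domains WHERE name = ? AND enabled = 1"
MAILBOX_QUERY = "SELECT email FROM users WHERE email = ? AND enabled = 1"
ALIAS_QUERY = "SELECT destination FROM aliases WHERE source = ? AND enabled = 1"
# virtual_alias_maps as the page sets it, and the naive setting its "Trick" warns about.
WITH_MAILBOX_MAP = [ALIAS_QUERY, MAILBOX_QUERY]
ALIASES_ONLY = [ALIAS_QUERY]

def build_db():
    """In-memory database with constructed rows: two mailboxes, a named alias, a catch-all."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + """
    INSERT INTO domains (id, name) VALUES (1, 'dev.daxiongmao.eu');
    INSERT INTO users (id, email, password, domain_id) VALUES
        ('bob',   'bob@dev.daxiongmao.eu',   'PLACEHOLDER-HASH', 1),
        ('alice', 'alice@dev.daxiongmao.eu', 'PLACEHOLDER-HASH', 1);
    INSERT INTO aliases (domain_id, source, destination) VALUES
        (1, 'postmaster@dev.daxiongmao.eu', 'bob@dev.daxiongmao.eu'),
        (1, '@dev.daxiongmao.eu', 'alice@dev.daxiongmao.eu');
    """)
    return conn

def lookup(conn, query, key):
    row = conn.execute(query, (key,)).fetchone()
    return row[0] if row else None

def accepts_domain(conn, address):
    """virtual_mailbox_domains: does Postfix host the domain part at all?"""
    return lookup(conn, DOMAIN_QUERY, address.rpartition("@")[2]) is not None

def resolve_alias(conn, address, alias_maps, max_depth=10):
    """virtual_alias_maps expansion. For each key (full address first, then '@domain')
    every map is tried in order, so the key order outranks the map order; the result
    is expanded again until it maps to itself or nothing matches."""
    for _ in range(max_depth):
        result = None
        for key in (address, "@" + address.rpartition("@")[2]):
            for query in alias_maps:
                result = lookup(conn, query, key)
                if result is not None:
                    break
            if result is not None:
                break
        if result is None or result == address:
            return address
        address = result
    raise RuntimeError("alias expansion loop at " + address)

def final_destination(conn, address, alias_maps):
    """Mailbox that receives mail for `address`, or None if no local mailbox does."""
    if not accepts_domain(conn, address):
        return None  # foreign domain: reject_unauth_destination
    target = resolve_alias(conn, address, alias_maps)
    return target if lookup(conn, MAILBOX_QUERY, target) is not None else None

if __name__ == "__main__":
    db = build_db()
    print({a: (final_destination(db, a, WITH_MAILBOX_MAP), final_destination(db, a, ALIASES_ONLY))
           for a in ("bob@dev.daxiongmao.eu", "nobody@dev.daxiongmao.eu")})
```

With only the alias map, bob's mail is rewritten to the catch-all destination; with the mailbox map listed too, bob resolves to himself first and the catch-all only takes unknown users.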


Set rights

chgrp postfix /etc/postfix/mysql*.cf
chmod u=rw,g=r,o= /etc/postfix/mysql*.cf
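As an added check (my code, not the page's) for the three mysql_*.cf files, the notes above and the rights just set, this Python script parses the key = value format and flags the pitfalls the page names: hosts = localhost instead of 127.0.0.1, a placeholder password left in place, a query without %s, and a file mode looser than u=rw,g=r,o=. The two sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

REQUIRED_KEYS = ("user", "password", "hosts", "dbname", "query")
PLACEHOLDERS = ("mailDbPASSWORD", "mailPASSWORD")  # the page's "replace me" values

def parse_cf(text):
    """Parse the 'key = value' lines of a Postfix mysql table file; '#' comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")  # only the first '=' splits; the query keeps its own
            if sep:
                settings[key.strip()] = value.strip()
    return settings

def check_cf(path):
    """Return the problems found in one mysql_*.cf file (empty list = passes)."""
    with open(path, encoding="utf-8") as fh:
        settings = parse_cf(fh.read())
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in settings]
    if settings.get("hosts") == "localhost":
        problems.append("hosts = localhost selects the Unix socket, which chrooted Postfix cannot reach; use 127.0.0.1")
    if settings.get("password") in PLACEHOLDERS:
        problems.append("password placeholder was not replaced")
    if "%s" not in settings.get("query", "%s"):
        problems.append("query has no %s, so Postfix cannot substitute the lookup key")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXO | stat.S_IWGRP):
        problems.append(f"mode {mode:03o}: must be u=rw,g=r,o= (the file holds the DB password)")
    return problems

# Constructed sample files: one as the page prescribes, one with every pitfall at once.
GOOD_CF = """user = maildb
password = example-secret
hosts = 127.0.0.1
dbname = maildb
query = SELECT name FROM domains WHERE name='%s' AND enabled = 1
"""
BAD_CF = """user = maildb
password = mailDbPASSWORD
hosts = localhost
dbname = maildb
query = SELECT name FROM domains WHERE enabled = 1
"""

def write_samples():
    """Write the two constructed files into a temp dir and return (good_path, bad_path)."""
    tmp = tempfile.mkdtemp()
    good, bad = os.path.join(tmp, "mysql_domains.cf"), os.path.join(tmp, "mysql_bad.cf")
    for path, text, mode in ((good, GOOD_CF, 0o640), (bad, BAD_CF, 0o644)):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return good, bad

if __name__ == "__main__":
    for p in write_samples():
        print(p, check_cf(p) or "OK")
```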



DOVECOT (POP3 and IMAP - to manage emails address and deliver emails)

Installation

apt-get install dovecot-mysql dovecot-pop3d dovecot-imapd dovecot-managesieved


RoundCube WebMail

There are many webmail clients available: horde, squirrelMail, roundCube, etc.


Installation

apt-get install roundcube roundcube-plugins


Reply to the following questions:

  • Use dbconfig-common? YES
  • Database type? mysql
  • Database's administrative user's password? root password
  • Application's password? new password


Security

Even if your email server is already protected by an Apache2 proxy using HTTPS, you should NOT trust the network by default.

=> You have to create a new server certificate and enable the Apache2 SSL module.


2 options:

  1. Create a new server certificate signed by your own root certificate authority (the "AC" below)
  2. Create a self-signed certificate (only if no other choice)


Sign server certificate using your own AC

See SSL server#Server certificate for more details.


Create the private key + certificate request on the email server

cd /etc/ssl
# Encrypted private key (you will be asked for a passphrase)
openssl genrsa -aes256 -out private/mail.daxiongmao.eu.key -rand ./ 4096
# Decrypt a copy for Apache2, which cannot answer a passphrase prompt at start-up
openssl rsa -in private/mail.daxiongmao.eu.key -out private/mail.daxiongmao.eu.nopass.key
# Nothing else protects the decrypted copy: keep it readable by root only
chmod 600 private/mail.daxiongmao.eu.nopass.key


Generate the certificate signing request (the passphrase of the encrypted key is asked for)

openssl req -config openssl.cnf -new -nodes -key private/mail.daxiongmao.eu.key -out certs/mail.daxiongmao.eu.req
  • Country Name (2 letter code) [AU]: SE
  • State or Province Name (full name) [Some-State]:Vastra Goteland
  • Locality Name (eg, city) []:Goteborg
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daxiongmao.eu
  • Common Name (e.g. server FQDN or YOUR name) []:mail.daxiongmao.eu


Send the .req file to the AC server, into /srv/ssl/certs/ then run:

cd /srv/ssl
openssl ca -config openssl.cnf \
-in certs/mail.daxiongmao.eu.req \
-out certs/mail.daxiongmao.eu.cert.pem \
-cert cacerts.pem \
-days 3600

Then send back the "mail.daxiongmao.eu.cert.pem" to the mail server.


Create a self-signed certificate

Copy the certificate for Apache2

cp /etc/ssl/private/mail.daxiongmao.eu.nopass.key /etc/apache2/webServer.key
# The certificate needs its own file: "webServer.crt" is a name chosen here, use whatever the vhost's SSLCertificateFile points to
cp /etc/ssl/certs/mail.daxiongmao.eu.cert.pem /etc/apache2/webServer.crt
chmod 600 /etc/apache2/webServer.key


Apache2 Virtual host

Create a new VHost

Create a new vHost:

vim /etc/apache2/sites-available/mail.daxiongmao.eu.conf


Put the following content:


Disable the default VHOST

a2dissite 000-default


Enable the new VHOST

a2ensite mail.daxiongmao.eu


Enable Apache2 modules

a2enmod ssl rewrite


Restart and test

service apache2 restart


Go to: https://mail.daxiongmao.eu



Other

## Security libraries
# SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.
apt-get install libsasl2-modules libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl sasl2-bin

# Authentication using MySQL
apt-get install libpam-mysql

## Anti-virus
apt-get install clamav-base libclamav6 clamav-daemon clamav-freshclam

## SPAM killer
apt-get install spamassassin spamc

## Interface to scan emails for virus & spam
apt-get install amavisd-new

## Utility to SEND emails
apt-get install postfix postfix-mysql 

## Utility to RECEIVE emails
apt-get install courier-base courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl



Sources

Fabulous guide from Christoph Haas: https://workaround.org/ispmail/wheezy. This also explains each step in detail: WHY and HOW to do it.