Creating a virtual mailbox on Ubuntu with Postfix


    After installing Ubuntu on a dedicated server or on your own machine, it is worth being able to set up a virtual mail server with several email addresses and several domains in order to send and receive mail. This tutorial explains how to do that.

    Among other things, we will cover how to install Postfix, Dovecot and SASL, and how to configure them to get a working mail server.

    Postfix

    Become root once and for all to run every command, then install Postfix:

    sudo -i
    apt-get install postfix

    Then edit the Postfix config file after making a copy of it. (Always keep a copy of the config files of the programs you install; it lets you go back to the default config easily if something goes wrong.)

    cp /etc/postfix/main.cf /etc/postfix/main.cf.dist && nano /etc/postfix/main.cf

    If the nano command is not found, run sudo apt-get install nano or use vi instead.
    Here is my main.cf file; it is a good starting point for this example.

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/mail-cert.pem
    smtpd_tls_key_file=/etc/ssl/private/mail-key.pem
    smtpd_use_tls = yes
    smtp_use_tls = yes
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = localhost
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    # Only local names here: a domain listed in both mydestination and
    # virtual_mailbox_domains is handed to local(8), not to its virtual mailbox
    mydestination = localhost
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    #mynetworks = 127.0.0.0/8
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all

    virtual_mailbox_domains = /etc/postfix/vhosts
    virtual_mailbox_base = /home/vmail
    virtual_mailbox_maps = hash:/etc/postfix/vmaps
    virtual_minimum_uid = 1000
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noplaintext,noanonymous
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth-client
    smtpd_client_restrictions = permit_sasl_authenticated
    broken_sasl_auth_clients = yes

    In this example, votredomaine.com stands for your real domain: replace it wherever it appears, and that should be enough for now.

    Creating the Postfix group and user

    groupadd -g 5000 vmail
    useradd -m -u 5000 -g 5000 -s /bin/bash vmail

    Adding the domains to Postfix

    nano /etc/postfix/vhosts

    and add every domain that will be served through Postfix:

    votredomaine.com
    votredomaine2.com
    votredomaine3.com
    ...

    Add the mailbox paths (this is where your messages will be stored).

    nano /etc/postfix/vmaps

    And add your different mail accounts like this:

    contact@votredomaine.com votredomaine.com/contact/
    info@votredomaine.com votredomaine.com/info/
    contact@votredomaine2.com votredomaine2.com/contact/
    contact@votredomaine3.com votredomaine3.com/contact/
    ...

    You can use any path you like here; it is then up to you to put the matching config in place.
    You then need to convert this file into a "hash db" file so that Postfix can use it.

    postmap /etc/postfix/vmaps
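Before running postmap it is worth checking that vhosts and vmaps agree with each other and with mydestination. The script below is an added example (not from the original article), written as a shell function run over constructed sample files; it also flags the Postfix pitfall of a domain listed in both mydestination and virtual_mailbox_domains.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check the hand-written
# /etc/postfix/vhosts and /etc/postfix/vmaps before running postmap. It flags
# what silently breaks virtual delivery:
#   - a vmaps address whose domain is missing from vhosts (Postfix will not
#     accept mail for it as a virtual mailbox domain)
#   - a mailbox path that is absolute or contains ".." (it would resolve
#     outside virtual_mailbox_base)
#   - a path without the trailing "/" (Postfix then writes an mbox file while
#     Dovecot's mail_location expects a Maildir)
#   - a vhosts domain that is also in mydestination (Postfix warns and hands
#     the domain to local(8), so its virtual mailboxes are never used)
# The domains and files used in the demo below are constructed.

check_vmaps() {  # check_vmaps <vhosts file> <vmaps file> <mydestination value>
    vhosts=$1; vmaps=$2; mydest=$3
    rc=0
    for md in $(printf '%s' "$mydest" | tr ',' ' '); do
        if grep -qxF "$md" "$vhosts"; then
            echo "ERROR: $md is listed in both mydestination and $vhosts"; rc=1
        fi
    done
    # vmaps format: address, whitespace, path relative to virtual_mailbox_base
    while read -r addr path rest; do
        case $addr in ''|'#'*) continue ;; esac
        dom=${addr#*@}
        if [ "$dom" = "$addr" ] || [ -z "${addr%%@*}" ]; then
            echo "ERROR: $addr is not of the form user@domain"; rc=1; continue
        fi
        if ! grep -qxF "$dom" "$vhosts"; then
            echo "ERROR: $addr: domain $dom is not in $vhosts"; rc=1
        fi
        case $path in
            '')                  echo "ERROR: $addr: no mailbox path"; rc=1 ;;
            /*|../*|*/../*|*/..) echo "ERROR: $addr: path $path escapes virtual_mailbox_base"; rc=1 ;;
            */)                  ;;   # trailing slash = Maildir, as in the article's vmaps
            *)                   echo "ERROR: $addr: path $path lacks the trailing '/' (mbox, not Maildir)"; rc=1 ;;
        esac
    done < "$vmaps"
    return $rc
}

# Constructed sample files: vmaps is consistent, vmaps_bad has one mistake per line
write_demo_postfix_maps() {
    d=$(mktemp -d)
    printf 'example.com\nexample.net\n' > "$d/vhosts"
    cat > "$d/vmaps" <<'EOF'
contact@example.com example.com/contact/
info@example.com    example.com/info/
contact@example.net example.net/contact/
EOF
    cat > "$d/vmaps_bad" <<'EOF'
contact@example.org example.org/contact/
admin@example.com   /root/
old@example.com     example.com/old
EOF
    echo "$d"
}

demo=$(write_demo_postfix_maps)
if check_vmaps "$demo/vhosts" "$demo/vmaps" "localhost"; then echo "vmaps OK"; fi
if ! check_vmaps "$demo/vhosts" "$demo/vmaps_bad" "example.com, , localhost"; then echo "bad vmaps flagged"; fi
# On the live server, before postmap:
#   check_vmaps /etc/postfix/vhosts /etc/postfix/vmaps "$(postconf -h mydestination)"
```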

    SASL: AUTHENTICATION

    Let's install the required packages:

    apt-get install libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql

    Then:

    cp /etc/default/saslauthd /etc/default/saslauthd.dist && nano /etc/default/saslauthd

    Your file should look like this:

    #
    # Settings for saslauthd daemon
    # Please read /usr/share/doc/sasl2-bin/README.Debian for details.
    #

    # Should saslauthd run automatically on startup? (default: no)
    START=yes

    PWDIR="/var/spool/postfix/var/run/saslauthd"
    PARAMS="-m ${PWDIR}"
    PIDFILE="${PWDIR}/saslauthd.pid"

    # Description of this saslauthd instance. Recommended.
    # (suggestion: SASL Authentication Daemon)
    DESC="SASL Authentication Daemon"

    # Short name of this saslauthd instance. Strongly recommended.
    # (suggestion: saslauthd)
    NAME="saslauthd"

    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"

    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""

    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5

    # Other options (default: -c -m /var/run/saslauthd)
    # Note: You MUST specify the -m option or saslauthd won't run!
    #
    # WARNING: DO NOT SPECIFY THE -d OPTION.
    # The -d option will cause saslauthd to run in the foreground instead of as
    # a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
    # to run saslauthd in debug mode, please run it by hand to be safe.
    #
    # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
    # See the saslauthd man page and the output of 'saslauthd -h' for general
    # information about these options.
    #
    # Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    # Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
    #
    # To know if your Postfix is running chroot, check /etc/postfix/master.cf.
    # If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
    # then your Postfix is running in a chroot.
    # If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
    # running in a chroot.
    # OPTIONS="-c -m /var/run/saslauthd"
    #OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
    OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"

    If that is not the case, make the necessary changes.

    Edit the following file:

    nano /etc/postfix/sasl/smtpd.conf

    And put this in it:

    mech_list: cram-md5

    CRAM-MD5 is a challenge-response authentication mechanism: the client answers a server challenge with a hash derived from the password, so the password itself is never sent in clear across the network, which limits the capture of credentials.
    Important! Create the symbolic link to /var/spool/postfix/var/run/saslauthd. If the directory does not exist, create it, then type in the console:

    rm -rf /var/run/saslauthd
    ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
    

    Then restart the programs:

    service saslauthd start (or restart)
    service postfix restart
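To confirm that the noplaintext option in main.cf and the cram-md5 mech_list really keep PLAIN and LOGIN off the wire, the added check below (not part of the article) parses an EHLO reply the way an administrator would read it; the transcripts are constructed, and the live probe helper assumes nc is installed and that mail.example.com stands for your own host.

```shell
#!/bin/sh
# Added example, not part of the original article: check which AUTH mechanisms
# the server advertises on a plain (pre-STARTTLS) SMTP connection. With
# smtpd_sasl_security_options = noplaintext,noanonymous in main.cf and
# mech_list: cram-md5 in smtpd.conf, the EHLO reply must not list PLAIN or
# LOGIN before STARTTLS; if it does, a client can send its password in clear.
# The EHLO transcripts below are constructed samples.

# check_ehlo_auth <ehlo transcript>: 0 = policy holds, 1 = cleartext or anonymous
# mechanism offered, 2 = no AUTH advertised at all (SASL setup broken)
check_ehlo_auth() {
    transcript=$1
    # Postfix prints "250-AUTH CRAM-MD5 ..." and, with broken_sasl_auth_clients = yes,
    # a second "250-AUTH=CRAM-MD5 ..." line; collect the mechanisms from both
    mechs=$(printf '%s\n' "$transcript" | tr -d '\r' | awk '
        /^250[- ]AUTH[ =]/ { sub(/^250[- ]AUTH[ =]/, ""); print }')
    starttls=$(printf '%s\n' "$transcript" | tr -d '\r' | awk '/^250[- ]STARTTLS$/ { n++ } END { print n + 0 }')
    [ -n "$mechs" ] || { echo "ERROR: no AUTH advertised"; return 2; }
    rc=0
    for m in $mechs; do
        case $m in
            PLAIN|LOGIN) echo "ERROR: cleartext mechanism $m offered before STARTTLS"; rc=1 ;;
            ANONYMOUS)   echo "ERROR: ANONYMOUS offered"; rc=1 ;;
            CRAM-MD5)    ;;
            *)           echo "note: mechanism $m offered (not in mech_list)" ;;
        esac
    done
    [ "$starttls" -gt 0 ] || echo "WARN: STARTTLS not advertised although smtpd_use_tls = yes"
    return $rc
}

# Live probe helper (needs nc); mail.example.com is a placeholder for your host.
probe_ehlo() {  # probe_ehlo <host> [port]
    printf 'EHLO check.localdomain\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}"
}
# usage: check_ehlo_auth "$(probe_ehlo mail.example.com 587)"

# Constructed reply of a server configured as in this article
GOOD_EHLO='220 mail.example.com ESMTP Postfix (Ubuntu)
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH CRAM-MD5
250-AUTH=CRAM-MD5
250-ENHANCEDSTATUSCODES
250 DSN'

# Constructed reply of the same server with only noanonymous set
BAD_EHLO='220 mail.example.com ESMTP Postfix (Ubuntu)
250-mail.example.com
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5
250 DSN'

if check_ehlo_auth "$GOOD_EHLO"; then echo "CRAM-MD5 only: OK"; fi
if ! check_ehlo_auth "$BAD_EHLO"; then echo "cleartext mechanisms: flagged"; fi
```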

    SMTPD

    Copy the file /etc/postfix/master.cf to /etc/postfix/master.cf.dist and edit it.
    Normally only 2 lines should differ from your file:

    smtp      inet  n       -       n       -       -       smtpd

    and

    submission inet n       -       n       -       -       smtpd

    The complete file, for reference:

    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master" or
    # on-line: http://www.postfix.org/master.5.html).
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       -       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    unix  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}

    Restart Postfix:

    /etc/init.d/postfix restart

    Installing Dovecot for the IMAP and POP3 servers

    Type the command:

    apt-get install dovecot-common dovecot-imapd dovecot-pop3d

    And:

    cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.dist

    Append the following at the bottom of /etc/dovecot/dovecot.conf:

    auth_mechanisms = plain cram-md5
    auth_verbose = yes
    base_dir = /var/run/dovecot/
    info_log_path = /var/log/dovecot.info
    log_path = /var/log/dovecot
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_location = maildir:/home/vmail/%d/%n
    passdb {
      args = /etc/dovecot/passwd
      driver = passwd-file
    }
    protocols = imap pop3
    service auth {
      executable = /usr/lib/dovecot/auth
      user = root
    }
    service imap-login {
      chroot = login
      executable = /usr/lib/dovecot/imap-login
      user = dovecot
    }
    service imap {
      executable = /usr/lib/dovecot/imap
    }
    service pop3-login {
      chroot = login
      executable = /usr/lib/dovecot/pop3-login
      user = dovecot
    }
    service pop3 {
      executable = /usr/lib/dovecot/pop3
    }
    # ssl is set in conf.d/10-ssl.conf (see below); do not set it here, as a value
    # at the end of dovecot.conf overrides the conf.d files included above it
    userdb {
      args = /etc/dovecot/users
      driver = passwd-file
    }
    valid_chroot_dirs = /var/spool/vmail
    protocol pop3 {
      pop3_uidl_format = XuXv
    }
    auth default {
      mechanisms = plain cram-md5
      passdb passwd-file {
        args = /etc/dovecot/passwd
      }
      userdb passwd-file {
        args = /etc/dovecot/users
      }
      user = root
      socket listen {
        client {
          # The client socket is generally safe to export to everyone. Typical use
          # is to export it to your SMTP server so it can do SMTP AUTH lookups
          # using it.
          path = /var/spool/postfix/private/auth-client
          mode = 0660
          user = postfix
          group = postfix
        }
      }
    }

    Creating a Dovecot user

    To create a Dovecot user simply, without having to edit the vmaps file and so on, create a new file with nano /usr/local/sbin/adddovecotuser and put this in it:

    #!/bin/sh
    # adddovecotuser - create a virtual Dovecot/Postfix mailbox user
    if [ "$#" -ne 1 ]
     then
      echo "Usage: $0 username@domain"
      exit 1
    fi
    user=$(printf '%s' "$1" | cut -f1 -d '@')
    domain=$(printf '%s' "$1" | cut -s -f2 -d '@')
    if [ -z "$user" ] || [ -z "$domain" ]
     then
      printf 'No user or domain given\nUsage: %s username@domain\n' "$0"
      exit 2
    fi
    # The name is used as a path under /home/vmail and as a field in the
    # colon-separated passwd files: refuse anything outside a safe character set
    case "$user$domain" in
     *[!A-Za-z0-9._-]*)
      echo "Invalid characters in $1"
      exit 2
     ;;
    esac
    if awk -F: -v u="$user@$domain" '$1 == u { found = 1 } END { exit !found }' /etc/dovecot/users 2>/dev/null
     then
      echo "$user@$domain already exists in /etc/dovecot/users"
      exit 3
    fi
    echo "Adding user $user@$domain to /etc/dovecot/users"
    echo "$user@$domain::5000:5000::/home/vmail/$domain/$user/:/bin/false::" >> /etc/dovecot/users

    # Create the needed Maildir directories
    echo "Creating user directory /home/vmail/$domain/$user"
    # maildirmake.dovecot only chowns the user directory, so create the domain directory ourselves
    if [ ! -d "/home/vmail/$domain" ]
     then
      mkdir "/home/vmail/$domain"
      chown 5000:5000 "/home/vmail/$domain"
      chmod 700 "/home/vmail/$domain"
    fi
    /usr/bin/maildirmake.dovecot "/home/vmail/$domain/$user" 5000:5000
    # Also make folders for Drafts, Sent, Junk and Trash
    for folder in Drafts Sent Junk Trash
     do
      /usr/bin/maildirmake.dovecot "/home/vmail/$domain/$user/.$folder" 5000:5000
    done

    # Add the user to the Postfix virtual map file and reload Postfix
    echo "Adding user to /etc/postfix/vmaps"
    echo "$user@$domain $domain/$user/" >> /etc/postfix/vmaps
    postmap /etc/postfix/vmaps
    postfix reload

    printf '\nCreate a password for the new email user\n'
    #SWAP THE FOLLOWING passwd LINES IF USING A UBUNTU VERSION PRIOR TO 12.04
    #passwd=`dovecotpw`
    # Store the password in the CRAM-MD5 scheme: the CRAM-MD5 mechanism enabled in
    # Dovecot and in smtpd.conf cannot be verified against the default CRYPT scheme.
    # A stored CRAM-MD5 context is password-equivalent, hence the 640 mode below.
    passwd=$(doveadm pw -s CRAM-MD5)
    echo "Adding password for $user@$domain to /etc/dovecot/passwd"
    if [ ! -f /etc/dovecot/passwd ]
     then
      touch /etc/dovecot/passwd
      chmod 640 /etc/dovecot/passwd
    fi
    echo "$user@$domain:$passwd" >> /etc/dovecot/passwd

    exit 0

    Then make it executable:

    chmod +x /usr/local/sbin/adddovecotuser 

    To add a new mailbox, nothing could be simpler:

    sudo adddovecotuser info@votredomaine.com

    Deleting a user

    Create the file with nano /usr/local/sbin/deldovecotuser and put this in it:

    #!/bin/bash
    #
    # deldovecotuser - for deleting virtual dovecot users
    #
    if [ "$#" -ne 1 ]
     then
      echo "Usage: $0 username@domain"
      exit 1
    fi
    user=$(printf '%s' "$1" | cut -f1 -d '@')
    domain=$(printf '%s' "$1" | cut -s -f2 -d '@')
    if [ -z "$user" ] || [ -z "$domain" ]
     then
      echo -e "No user or domain given\nUsage: $0 username@domain"
      exit 2
    fi
    # Same character whitelist as adddovecotuser: the name ends up in an rm -fr path
    case "$user$domain" in
     *[!A-Za-z0-9._-]*)
      echo "Invalid characters in $1"
      exit 2
     ;;
    esac

    # Drop the lines whose first field (split on the given separator) is exactly
    # the address. An unanchored "grep -v user@domain" would also remove entries
    # such as xuser@domain or user@domain.other. The file is rewritten in place
    # with cat so that its mode (640 on passwd) and owner are kept.
    remove_entry() {  # remove_entry <file> <separator> <address>
      local tmp
      tmp=$(mktemp) || exit 3
      awk -F"$2" -v a="$3" '$1 != a' "$1" > "$tmp" && cat "$tmp" > "$1"
      rm -f "$tmp"
    }

    read -n 1 -p "Delete user $user@$domain from dovecot? [Y/N]? "
    echo
    case $REPLY in
     y | Y)
      echo "Deleting $user@$domain from /etc/dovecot/users"
      remove_entry /etc/dovecot/users : "$user@$domain"
      echo "Deleting $user@$domain from /etc/dovecot/passwd"
      remove_entry /etc/dovecot/passwd : "$user@$domain"
      echo "Deleting $user@$domain from /etc/postfix/vmaps"
      remove_entry /etc/postfix/vmaps ' ' "$user@$domain"
      postmap /etc/postfix/vmaps
      postfix reload
      read -n1 -p "Delete all files in /home/vmail/$domain/$user? [Y/N]? " DELETE
      echo
      case $DELETE in
       y | Y)
        echo "Deleting files in /home/vmail/$domain/$user"
        rm -fr "/home/vmail/$domain/$user"
       ;;
       * )
        echo "Not deleting files in /home/vmail/$domain/$user"
       ;;
      esac
     ;;
     * )
      echo "Aborting..."
     ;;
    esac

    Make it executable:

    sudo chmod +x /usr/local/sbin/deldovecotuser 

    To delete a user:

    sudo deldovecotuser info@votredomaine.com

    Then:

    service dovecot restart (or start)
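The two scripts keep /etc/dovecot/users, /etc/dovecot/passwd and /etc/postfix/vmaps in step; once one of them is edited by hand, a stale passwd entry is a login that still passes SMTP AUTH (Postfix only asks Dovecot's passdb) and can relay mail although its mailbox is gone. The audit below is an added example (not from the article) that cross-checks the three files; its sample files and password hashes are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: audit that /etc/dovecot/users
# (Dovecot userdb), /etc/dovecot/passwd (Dovecot passdb) and /etc/postfix/vmaps
# (Postfix virtual_mailbox_maps) agree with each other.
#   - an address in passwd but not in vmaps still passes SMTP AUTH, so it can
#     relay mail through the server although it has no mailbox
#   - an address in vmaps without users/passwd entries receives mail nobody can read
#   - a users home that differs from virtual_mailbox_base + vmaps path means
#     Postfix and Dovecot use two different Maildirs
# Paths are arguments so the check can run against copies; the demo files
# written by write_demo_accounts are constructed and the hashes are fake.

audit_accounts() {  # audit_accounts <users> <passwd> <vmaps> [virtual_mailbox_base]
    users=$1; passwd=$2; vmaps=$3; base=${4:-/home/vmail}
    rc=0
    tmp=$(mktemp -d)
    # first field of each file, comments and blanks skipped, sorted for comm(1)
    awk -F: '$1 != "" && $1 !~ /^#/ { print $1 }' "$users"  | sort -u > "$tmp/u"
    awk -F: '$1 != "" && $1 !~ /^#/ { print $1 }' "$passwd" | sort -u > "$tmp/p"
    awk     '$1 != "" && $1 !~ /^#/ { print $1 }' "$vmaps"  | sort -u > "$tmp/v"
    for a in $(comm -23 "$tmp/p" "$tmp/v"); do
        echo "ERROR: $a has a password but no mailbox in vmaps (orphaned login, can still relay)"; rc=1
    done
    for a in $(comm -13 "$tmp/p" "$tmp/v"); do
        echo "WARN: $a has a mailbox in vmaps but no password entry"
    done
    for a in $(comm -3 "$tmp/u" "$tmp/p"); do
        echo "ERROR: $a is in only one of users/passwd (Dovecot login will fail)"; rc=1
    done
    # users line: addr:pw:uid:gid:gecos:home:shell:extra -> compare home with base/path
    if ! awk -v base="$base" '
        NR == FNR { if ($1 != "" && $1 !~ /^#/) vm[$1] = $2; next }
        $0 == "" || $0 ~ /^#/ { next }
        { split($0, f, ":")
          if ((f[1] in vm) && f[6] != base "/" vm[f[1]]) {
              printf "ERROR: %s home %s does not match %s/%s\n", f[1], f[6], base, vm[f[1]]
              bad = 1 } }
        END { exit bad }' "$vmaps" "$users"
    then rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Constructed sample files: alice and bob are consistent, passwd_stale keeps a
# deleted carol, users_badhome points bob at another directory.
write_demo_accounts() {
    d=$(mktemp -d)
    cat > "$d/vmaps" <<'EOF'
alice@example.com example.com/alice/
bob@example.com example.com/bob/
EOF
    cat > "$d/users" <<'EOF'
alice@example.com::5000:5000::/home/vmail/example.com/alice/:/bin/false::
bob@example.com::5000:5000::/home/vmail/example.com/bob/:/bin/false::
EOF
    cat > "$d/passwd" <<'EOF'
alice@example.com:{CRAM-MD5}fakehash-alice
bob@example.com:{CRAM-MD5}fakehash-bob
EOF
    { cat "$d/passwd"; echo 'carol@example.com:{CRAM-MD5}fakehash-carol'; } > "$d/passwd_stale"
    sed 's#/home/vmail/example.com/bob/#/home/vmail/example.com/robert/#' "$d/users" > "$d/users_badhome"
    echo "$d"
}

demo=$(write_demo_accounts)
if audit_accounts "$demo/users" "$demo/passwd" "$demo/vmaps"; then echo "consistent set: OK"; fi
if ! audit_accounts "$demo/users" "$demo/passwd_stale" "$demo/vmaps"; then echo "stale passwd: flagged"; fi
# On the live server: audit_accounts /etc/dovecot/users /etc/dovecot/passwd /etc/postfix/vmaps
```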

    Creating the Dovecot certificates

    openssl req -new -x509 -days 3650 -nodes -out /etc/dovecot/dovecot.pem -keyout /etc/dovecot/private/dovecot.pem

    Edit the Dovecot configuration files. First copy these 2 files:

    cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.dist
    cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.dist

    Copy this content into /etc/dovecot/conf.d/10-auth.conf

    ##
    ## Authentication processes
    ##

    # Disable LOGIN command and all other plaintext authentications unless
    # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
    # matches the local IP (ie. you're connecting from the same computer), the
    # connection is considered secure and plaintext authentication is allowed.
    # See also ssl=required setting.
    disable_plaintext_auth = no

    # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
    # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
    #auth_cache_size = 0
    # Time to live for cached data. After TTL expires the cached record is no
    # longer used, *except* if the main database lookup returns internal failure.
    # We also try to handle password changes automatically: If user's previous
    # authentication was successful, but this one wasn't, the cache isn't used.
    # For now this works only with plaintext authentication.
    #auth_cache_ttl = 1 hour
    # TTL for negative hits (user not found, password mismatch).
    # 0 disables caching them completely.
    #auth_cache_negative_ttl = 1 hour

    # Space separated list of realms for SASL authentication mechanisms that need
    # them. You can leave it empty if you don't want to support multiple realms.
    # Many clients simply use the first one listed here, so keep the default realm
    # first.
    #auth_realms =

    # Default realm/domain to use if none was specified. This is used for both
    # SASL realms and appending @domain to username in plaintext logins.
    #auth_default_realm =

    # List of allowed characters in username. If the user-given username contains
    # a character not listed in here, the login automatically fails. This is just
    # an extra check to make sure user can't exploit any potential quote escaping
    # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
    # set this value to empty.
    #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

    # Username character translations before it's looked up from databases. The
    # value contains series of from -> to characters. For example "#@/@" means
    # that '#' and '/' characters are translated to '@'.
    #auth_username_translation =
    # Username formatting before it's looked up from databases. You can use
    # the standard variables here, eg. %Lu would lowercase the username, %n would
    # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
    # "-AT-". This translation is done after auth_username_translation changes.
    #auth_username_format = %Lu

    # If you want to allow master users to log in by specifying the master
    # username within the normal username string (ie. not using SASL mechanism's
    # support for it), you can specify the separator character here. The format
    # is then <username><separator><master username>. UW-IMAP uses "*" as the
    # separator, so that could be a good choice.
    #auth_master_user_separator =

    # Username to use for users logging in with ANONYMOUS SASL mechanism
    #auth_anonymous_username = anonymous

    # Maximum number of dovecot-auth worker processes. They're used to execute
    # blocking passdb and userdb queries (eg. MySQL and PAM). They're
    # automatically created and destroyed as needed.
    #auth_worker_max_count = 30
    # Host name to use in GSSAPI principal names. The default is to use the
    # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
    # entries.
    #auth_gssapi_hostname =

    # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
    # default (usually /etc/krb5.keytab) if not specified. You may need to change
    # the auth service to run as root to be able to read this file.
    #auth_krb5_keytab =

    # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
    # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
    #auth_use_winbind = no

    # Path for Samba's ntlm_auth helper binary.
    #auth_winbind_helper_path = /usr/bin/ntlm_auth

    # Time to delay before replying to failed authentications.
    #auth_failure_delay = 2 secs

    # Require a valid SSL client certificate or the authentication fails.
    #auth_ssl_require_client_cert = no

    # Space separated list of wanted authentication mechanisms:
    #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
    #   gss-spnego
    # NOTE: See also disable_plaintext_auth setting.
    auth_mechanisms = plain

    ##
    ## Password and user databases
    ##

    #
    # Password database is used to verify user's password (and nothing more).
    # You can have multiple passdbs and userdbs. This is useful if you want to
    # allow both system users (/etc/passwd) and virtual users to login without
    # duplicating the system users into virtual database.
    #
    # <doc/wiki/PasswordDatabase.txt>
    #
    # User database specifies where mails are located and what user/group IDs
    # own them. For single-UID configuration use "static" userdb.
    #
    # <doc/wiki/UserDatabase.txt>

    #!include auth-deny.conf.ext
    #!include auth-master.conf.ext

    !include auth-system.conf.ext
    #!include auth-sql.conf.ext
    #!include auth-ldap.conf.ext
    #!include auth-passwdfile.conf.ext
    #!include auth-checkpassword.conf.ext
    #!include auth-vpopmail.conf.ext
    #!include auth-static.conf.ext

    Copy this content into /etc/dovecot/conf.d/10-ssl.conf

    ##
    ## SSL settings
    ##

    # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
    ssl = yes

    # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
    # dropping root privileges, so keep the key file unreadable by anyone but
    # root. Included doc/mkcert.sh can be used to easily generate self-signed
    # certificate, just make sure to update the domains in dovecot-openssl.cnf
    ssl_cert = </etc/dovecot/dovecot.pem
    ssl_key = </etc/dovecot/private/dovecot.pem

    # If key file is password protected, give the password here. Alternatively
    # give it when starting dovecot with -p parameter. Since this file is often
    # world-readable, you may want to place this setting instead to a different
    # root owned 0600 file by using ssl_key_password = <path.
    #ssl_key_password =

    # PEM encoded trusted certificate authority. Set this only if you intend to use
    # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
    # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
    #ssl_ca =

    # Require that CRL check succeeds for client certificates.
    #ssl_require_crl = yes

    # Directory and/or file for trusted SSL CA certificates. These are used only
    # when Dovecot needs to act as an SSL client (e.g. imapc backend). The
    # directory is usually /etc/ssl/certs in Debian-based systems and the file is
    # /etc/pki/tls/cert.pem in RedHat-based systems.
    #ssl_client_ca_dir =
    #ssl_client_ca_file =

    # Request client to send a certificate. If you also want to require it, set
    # auth_ssl_require_client_cert=yes in auth section.
    #ssl_verify_client_cert = no

    # Which field from certificate to use for username. commonName and
    # x500UniqueIdentifier are the usual choices. You'll also need to set
    # auth_ssl_username_from_cert=yes.
    #ssl_cert_username_field = commonName

    # DH parameters length to use.
    #ssl_dh_parameters_length = 1024

    # SSL protocols to use
    #ssl_protocols = !SSLv2

    # SSL ciphers to use
    #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

    # Prefer the server's order of ciphers over client's.
    #ssl_prefer_server_ciphers = no

    # SSL crypto device to use, for valid values run "openssl engine"
    #ssl_crypto_device =

    Restart Dovecot:

    service dovecot restart

    Creating the Postfix certificates

    Same as for Dovecot. The certificate and key paths must be entered identically in /etc/postfix/main.cf:

    openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/mail-cert.pem -keyout /etc/ssl/private/mail-key.pem

    Restart Postfix and Dovecot:

    service dovecot restart
    service saslauthd restart
    service postfix restart

    Useful links for this tutorial:
    https://help.ubuntu.com/community/Postfix
    https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto
    http://sheebypanda.com/autoriser-le-port-587-dans-postfix/
    https://workaround.org/ispmail/squeeze/ssl-certificates
    http://gogs.info/books/debian-mail/chunked/postfix.sasl.html

    Go further by installing SpamAssassin: https://www.digitalocean.com/community/articles/how-to-install-and-setup-spamassassin-on-ubuntu-12-04
