# identity and local delivery (home_mailbox=mail/ is a Maildir under each user's home)
myhostname=mail.wmirchi.com
mydomain=wmirchi.com
myorigin=$mydomain
home_mailbox=mail/
mynetworks=127.0.0.0/8
inet_interfaces=all
mydestination=$myhostname,localhost.$mydomain,localhost,$mydomain
# SMTP AUTH through the Dovecot socket configured in Step 7 (path is relative to /var/spool/postfix)
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_local_domain=
smtpd_sasl_security_options=noanonymous
broken_sasl_auth_clients=yes
smtpd_sasl_auth_enable=yes
# authenticated and local clients may relay anywhere; everyone else only to mydestination
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
# opportunistic TLS in both directions; note that AUTH is still offered on unencrypted sessions unless smtpd_tls_auth_only=yes is added
smtp_tls_security_level=may
smtpd_tls_security_level=may
smtp_tls_note_starttls_offer=yes
smtpd_tls_loglevel=1
smtpd_tls_key_file=/etc/postfix/ssl/server.key
smtpd_tls_cert_file=/etc/postfix/ssl/server.crt
smtpd_tls_received_header=yes
smtpd_tls_session_cache_timeout=3600s
tls_random_source=dev:/dev/urandom
Step 6 » Open the /etc/postfix/master.cf file and add the lines below after the “smtp inet n – n – – smtpd” line. The -o lines are continuation lines and must be indented. The smtps entry needs -o smtpd_tls_wrappermode=yes: without it port 465 speaks plain SMTP with STARTTLS rather than the implicit TLS that clients expect on that port.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Now check the configuration with the postfix check command.
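The settings from Steps 5 and 6 work, but together they let a client send AUTH PLAIN or LOGIN over an unencrypted session: smtpd_tls_security_level=may merely offers STARTTLS, and nothing withholds AUTH until TLS is up. The script below is an added example, not part of the original page or of Postfix itself. It parses a main.cf and a master.cf (last assignment wins, as Postfix does), reports the cleartext-auth gaps and prints the settings that close them. The sample files are constructed inline from the page's settings, with the smtps wrapper-mode line deliberately left out so that check fires too; on a real server point it at /etc/postfix/main.cf and /etc/postfix/master.cf.

```shell
#!/bin/sh
# Added example (not from the original page): static audit of the Postfix
# settings from Steps 5 and 6 for SASL credentials exposed in cleartext.

# cf_get FILE KEY: value of KEY in a main.cf-style file; last assignment
# wins, and both "key=value" and "key = value" are accepted.
cf_get() {
    awk -v k="$2" -F= '
        /^[ \t]*#/ || NF < 2 { next }
        { key = $1; gsub(/[ \t]/, "", key)
          if (key == k) { v = substr($0, index($0, "=") + 1)
                          gsub(/^[ \t]+|[ \t]+$/, "", v); last = v } }
        END { print last }' "$1"
}

# master_service_opts FILE SERVICE: the "-o name=value" overrides that follow
# one service line in master.cf (continuation lines start with whitespace).
master_service_opts() {
    awk -v svc="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        /^[^ \t]/  { insvc = ($1 == svc); next }
        insvc      { sub(/^[ \t]*-o[ \t]*/, ""); print }' "$1"
}

# audit_postfix MAIN_CF MASTER_CF: print one FINDING line per gap, then a count.
audit_postfix() {
    main=$1; master=$2; findings=0
    sasl=$(cf_get "$main" smtpd_sasl_auth_enable)
    lvl=$(cf_get "$main" smtpd_tls_security_level)
    only=$(cf_get "$main" smtpd_tls_auth_only)
    if [ "$sasl" = yes ] && [ "$lvl" != encrypt ] && [ "$only" != yes ]; then
        echo "FINDING main.cf: AUTH is advertised on unencrypted sessions" \
             "(smtpd_tls_security_level=${lvl:-none}, smtpd_tls_auth_only=${only:-no});" \
             "fix: postconf -e 'smtpd_tls_auth_only = yes'"
        findings=$((findings + 1))
    fi
    case "$(master_service_opts "$master" submission)" in
        *smtpd_tls_security_level=encrypt*) ;;
        *) echo "FINDING master.cf: submission (587) does not require TLS;" \
                "fix: add '-o smtpd_tls_security_level=encrypt' under the submission line"
           findings=$((findings + 1)) ;;
    esac
    case "$(master_service_opts "$master" smtps)" in
        *smtpd_tls_wrappermode=yes*) ;;
        *) echo "FINDING master.cf: smtps (465) lacks smtpd_tls_wrappermode=yes, so it" \
                "speaks plaintext SMTP instead of implicit TLS"
           findings=$((findings + 1)) ;;
    esac
    echo "findings: $findings"
}

# Constructed samples: the page's values (weak) and the same files hardened.
SAMPLE_MAIN=$(mktemp); SAMPLE_MASTER=$(mktemp); HARD_MAIN=$(mktemp); HARD_MASTER=$(mktemp)
trap 'rm -f "$SAMPLE_MAIN" "$SAMPLE_MASTER" "$HARD_MAIN" "$HARD_MASTER"' EXIT
cat > "$SAMPLE_MAIN" <<'EOF'
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
smtpd_tls_security_level=may
EOF
cat > "$SAMPLE_MASTER" <<'EOF'
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_sasl_auth_enable=yes
EOF
{ cat "$SAMPLE_MAIN"; echo "smtpd_tls_auth_only = yes"; } > "$HARD_MAIN"
cat > "$HARD_MASTER" <<'EOF'
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
EOF

audit_postfix "$SAMPLE_MAIN" "$SAMPLE_MASTER"   # three FINDING lines, "findings: 3"
audit_postfix "$HARD_MAIN" "$HARD_MASTER"       # "findings: 0"
```

smtpd_tls_auth_only=yes is the single setting that matters most: it keeps AUTH out of the EHLO reply until STARTTLS has completed on every smtpd service, including port 25, while encrypt on the submission service additionally refuses to take mail from clients that never start TLS.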
Step 7 » Now configure Dovecot SASL for SMTP AUTH. Open the /etc/dovecot/conf.d/10-master.conf file, find the “# Postfix smtp-auth” line (line no: 95) and add the lines below.
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  user = postfix
  group = postfix
}
Step 8 » Open the /etc/dovecot/conf.d/10-auth.conf file, find “auth_mechanisms = plain” (line no: 100) and add login to the value, as below. LOGIN is needed by older clients that do not send PLAIN.
auth_mechanisms = plain login
Step 9 » That completes the Postfix side. Now restart both postfix and dovecot and enable them at boot.
[root@mail ~]# systemctl restart postfix
[root@mail ~]# systemctl enable postfix
[root@mail ~]# systemctl restart dovecot
[root@mail ~]# systemctl enable dovecot
Step 10 » Add the firewall rules to allow ports 25, 587 and 465.
[root@mail ~]# firewall-cmd --permanent --add-service=smtp
[root@mail ~]# firewall-cmd --permanent --add-port=587/tcp
[root@mail ~]# firewall-cmd --permanent --add-port=465/tcp
[root@mail ~]# firewall-cmd --reload
Now test connectivity on ports 25 and 587 with telnet and make sure the AUTH PLAIN LOGIN line appears after you issue the ehlo mail.wmirchi.com command. Port 465 is TLS-wrapped, so telnet gets no banner there; test it with openssl s_client -connect mail.wmirchi.com:465 and issue the same ehlo inside the TLS session. Seeing AUTH on a plaintext session means a client could send its password in the clear; with smtpd_tls_auth_only=yes in main.cf it only appears after STARTTLS, and the check becomes openssl s_client -starttls smtp -connect mail.wmirchi.com:587.
[root@mail ~]# telnet mail.wmirchi.com 587
Trying 172.27.0.51...
Connected to mail.wmirchi.com.
Escape character is '^]'.
220 mail.wmirchi.com ESMTP Postfix
ehlo mail.wmirchi.com        <------- Type this command
250-mail.wmirchi.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
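The EHLO reply is what tells you whether credentials can leave the client unencrypted, so it is worth checking mechanically rather than by eye. The following is an added example, not from the original page: classify_ehlo reads an EHLO reply on stdin and reports whether AUTH is advertised on the unencrypted session (what the transcript above shows), withheld until STARTTLS, or absent along with STARTTLS. The two replies are constructed from the transcript above; the hardened one is what the same server returns once smtpd_tls_auth_only=yes is set.

```shell
#!/bin/sh
# Added example (not from the original page): classify an EHLO reply.
# Prints CLEARTEXT-AUTH, STARTTLS-ONLY or NO-TLS; CRLF line endings are fine.
classify_ehlo() {
    awk '
        /^250[ -]STARTTLS[ \t\r]*$/ { tls = 1 }
        /^250[ -]AUTH[ =]/          { auth = 1 }   # "250-AUTH PLAIN LOGIN" or "250-AUTH=PLAIN LOGIN"
        END {
            if (auth)      print "CLEARTEXT-AUTH"   # AUTH offered before any STARTTLS
            else if (tls)  print "STARTTLS-ONLY"    # AUTH withheld until the session is encrypted
            else           print "NO-TLS"
        }'
}

# Constructed reply, as in the telnet transcript above: AUTH next to STARTTLS.
WEAK_EHLO='250-mail.wmirchi.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN'

# Constructed reply from the same server with smtpd_tls_auth_only=yes:
# the AUTH lines only show up in the EHLO sent after STARTTLS.
HARDENED_EHLO='250-mail.wmirchi.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 DSN'

printf '%s\n' "$WEAK_EHLO" | classify_ehlo       # CLEARTEXT-AUTH
printf '%s\n' "$HARDENED_EHLO" | classify_ehlo   # STARTTLS-ONLY
```

Against a live server, pipe the plaintext conversation into it (for example the output of an interactive telnet session saved to a file), and then repeat the EHLO inside openssl s_client -starttls smtp -connect mail.wmirchi.com:587, where the result should flip to CLEARTEXT-AUTH because the session is now encrypted and AUTH is expected.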
Dovecot configuration
Now configure Dovecot itself.
Step 11 » Open the /etc/dovecot/conf.d/10-mail.conf file, find #mail_location = (line no: 30) and point it at the same directory that home_mailbox names in the Postfix main.cf from Step 5: home_mailbox=mail/ is a Maildir relative to each user's home, so Dovecot's maildir:~/mail is the same place.
mail_location = maildir:~/mail
Step 12 » Open /etc/dovecot/conf.d/20-pop3.conf file, find and uncomment the below line ( line no : 50 ) .
pop3_uidl_format = %08Xu%08Xv
Step 13 » Restart dovecot service.
[root@mail ~]# systemctl restart dovecot
Step 14 » Add firewall rules to allow POP3 (110), POP3S (995), IMAP (143) and IMAPS (993).
[root@mail ~]# firewall-cmd --permanent --add-port=110/tcp
[root@mail ~]# firewall-cmd --permanent --add-service=pop3s
[root@mail ~]# firewall-cmd --permanent --add-port=143/tcp
[root@mail ~]# firewall-cmd --permanent --add-service=imaps
[root@mail ~]# firewall-cmd --reload
Check connectivity on ports 110, 143, 993 and 995 with telnet. Dovecot refuses plaintext logins on 110 and 143 unless the session is first upgraded with STARTTLS (disable_plaintext_auth defaults to yes), so for a login test use openssl s_client -connect mail.wmirchi.com:993 (or :995 for POP3S).
User creation
Now create a user for testing.
Step 15 » Create the user with /sbin/nologin as its shell, so the account can receive mail and authenticate to Dovecot but cannot log in to the system.
[root@mail ~]# useradd -m john -s /sbin/nologin
[root@mail ~]# passwd john
IP ROTATION VIA IPTABLES
First create interface aliases for your public IPs. Say you have 5 IPs: the primary stays on eth0 and the other four are brought up as aliases (each needs its own ifcfg-eth0:N file under /etc/sysconfig/network-scripts before ifup will bring it up).
#ifup eth0:1
#ifup eth0:2
#ifup eth0:3
#ifup eth0:4
Now the iptables part. Make sure your iptables build supports the statistic match module:
# iptables -m statistic -h
......
......
......
statistic match options:
--mode mode Match mode (random, nth)
random mode:
--probability p Probability
nth mode:
--every n Match every nth packet
--packet p Initial counter value (0 <= p <= n-1, default 0)
Next add the POSTROUTING rules that rotate the source address. Each rule only sees the connections the rules above it did not take, so the counts step down from 5 to 2 and the last rule takes whatever is left; that gives each address one fifth of the outbound SMTP connections. Use -A so the rules keep this order (-I would reverse it). Five rules that all say --every 5, as often shown, are uneven: each rule matches only a fifth of what reaches it, and roughly a third of connections fall through unrewritten and leave with the primary address.
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -m state --state NEW -m statistic --mode nth --every 5 --packet 0 -j SNAT --to-source 202.XXX.XX.2
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -m state --state NEW -m statistic --mode nth --every 4 --packet 0 -j SNAT --to-source 202.XXX.XX.3
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j SNAT --to-source 202.XXX.XX.4
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j SNAT --to-source 202.XXX.XX.5
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -m state --state NEW -j SNAT --to-source 202.XXX.XX.6
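The five rules above are one instance of a general scheme. The script below is an added example, not from the original page: snat_rotation_rules prints the rule set for any list of addresses, and simulate_nth replays the statistic match's nth-mode counters (one counter per rule, advanced for every packet that reaches that rule, matching when it wraps) so you can see why descending --every values split connections evenly while five identical --every 5 rules do not. The interface name and the 203.0.113.x addresses are placeholders (a documentation range), and port 25 with -m state --state NEW follows the rules above.

```shell
#!/bin/sh
# Added example (not from the original page): rule generator plus a replay of
# xt_statistic nth-mode counters for the rotation scheme above.

# snat_rotation_rules IFACE IP...: print iptables commands for a uniform
# rotation.  Rules are appended in order; rule k of N uses --every (N-k+1),
# so it takes 1/(N-k+1) of what reaches it, i.e. 1/N of all connections.
# The last rule is unconditional and takes the remainder.
snat_rotation_rules() {
    iface=$1; shift
    remaining=$#
    for ip in "$@"; do
        match="-o $iface -p tcp --dport 25 -m state --state NEW"
        if [ "$remaining" -gt 1 ]; then
            match="$match -m statistic --mode nth --every $remaining --packet 0"
        fi
        echo "iptables -t nat -A POSTROUTING $match -j SNAT --to-source $ip"
        remaining=$((remaining - 1))
    done
}

# simulate_nth "E1 E2 ..." N: replay N new connections through a chain of
# --mode nth rules with the given --every values (1 = unconditional).  Each
# rule keeps its own counter over the packets that reach it and matches on
# its E-th, 2E-th, ... packet, which is what the kernel module does.
# Prints the matches per rule, then the connections no rule took.
simulate_nth() {
    evs=$1; n=$2
    i=0
    for e in $evs; do eval "cnt_$i=0 hit_$i=0"; i=$((i + 1)); done
    unmatched=0; p=0
    while [ "$p" -lt "$n" ]; do
        i=0; matched=0
        for e in $evs; do
            eval "c=\$cnt_$i"
            c=$((c + 1))
            if [ "$c" -ge "$e" ]; then
                c=0; matched=1
                eval "hit_$i=\$((hit_$i + 1))"
            fi
            eval "cnt_$i=$c"
            if [ "$matched" -eq 1 ]; then break; fi
            i=$((i + 1))
        done
        if [ "$matched" -eq 0 ]; then unmatched=$((unmatched + 1)); fi
        p=$((p + 1))
    done
    i=0
    for e in $evs; do eval "echo \"rule $i --every $e: \$hit_$i\""; i=$((i + 1)); done
    echo "unmatched: $unmatched"
}

snat_rotation_rules eth0 203.0.113.2 203.0.113.3 203.0.113.4 203.0.113.5 203.0.113.6
simulate_nth "5 4 3 2 1" 1000   # 200 per rule, unmatched: 0
simulate_nth "5 5 5 5 5" 1000   # 200 160 128 102 82, unmatched: 328
```

Two practical notes: SNAT is decided on the first packet of a connection and remembered by conntrack, so the --state NEW match is redundant but harmless; and on CentOS 7 firewalld owns the tables, so rules added with a bare iptables command disappear on the next firewall-cmd --reload unless they are added through firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 followed by the same match and target arguments.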
REVERSE DNS
The easiest way to get rDNS is to buy a domain with your VPS and ask your host to set up rDNS for the VPS; they will do it for free, a domain is not expensive, and it will save you some time. Ask for a PTR record on every sending IP (with the rotation above, all five), each pointing to a hostname whose A record resolves back to that same IP: receivers that check forward-confirmed rDNS reject or score down mail from addresses whose forward and reverse records disagree, and the name should match what Postfix announces in its HELO (myhostname from Step 5).