Archives for: Devops

Email Server, Part 4: Postfix 3

Part 1: Configuring the main.cf file

This is the third part of the process of building a mail server on CentOS 7 and the first part of the Postfix configuration. If you arrived here by accident, you should read one of the publications below first:

Part 1: Installation of packages

Part 2: Configuring MariaDB

Part 3: Dovecot configuration

Postfix is the most important part of our mail server. It is responsible for talking to other MTAs so that you can send and receive e-mail messages, and for it to be reachable it must be identifiable by the server's name, that is, its hostname.




Email Server, Part 3: Dovecot

This is the third part of the process of building a mail server on CentOS 7. If you arrived here by accident, you should first read the previous publications:

Part 1: Installation of packages

Part 2: Configuring MariaDB

Dovecot is an MDA (Mail Delivery Agent), which means it is the agent that transports messages from Postfix to the virtual mailboxes. In this section we will configure the Dovecot installation to force users to use SSL when they connect, so that passwords are never sent in plain text.

I always like to keep the original copy of any configuration file in case I get lost while changing settings. This step is not needed if you are following this tutorial from the beginning; however, if you already have a previous configuration and are just improving it, I strongly suggest you make copies of your files.

In our case the configuration files are in /etc/dovecot/conf.d/. We can make the copies with the command:

Creating user

Dovecot will store messages (and all their content) in a directory defined in the configuration file, and to be able to do that it must run as a user with the appropriate permissions. The following commands create this user and group. I use a common convention for these names, which makes it easy to search for solutions to problems on the internet.

Editing configuration files

The first thing we configure is authentication. Since we use a table in the MariaDB database to store users and passwords, we point to it in two files: the first sets the authentication type and the second defines how Dovecot will validate the credentials.

Edit the file /etc/dovecot/conf.d/10-auth.conf and uncomment (or add) the lines below:

Then edit the file /etc/dovecot/conf.d/auth-sql.conf.ext so that it has the following lines:

ATTENTION: the last few lines differ slightly from the original comment regarding the home argument.

We must also set up the database connection to MariaDB in the file /etc/dovecot/dovecot-sql.conf.ext. This file is not created at install time, so we create it:

NOTE: use the same credentials you used in the step where the database was set up in MariaDB.

We will make several changes to Dovecot's main configuration file, which is 10-master.conf. The number in front of the file name indicates the load order (priority). You can use any editor of your choice; I like Vim because I'm used to its commands, but nothing prevents you from using nano, for example.

To improve the security of the server and reduce attacks we will disable unencrypted access. For this it is enough to assign port 0 to the imap and pop3 services, so that only imaps and pop3s are available. You will need an SSL key, which we will create further ahead.
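As an added example (not part of the original post), the shell script below checks a 10-master.conf fragment for exactly this setting: it reports any imap or pop3 listener whose port is not 0. The "service ... { inet_listener ... { port = N } }" block syntax is Dovecot's documented one; the two configuration fragments embedded in the script are constructed for the example, and plaintext_listeners and audit_config are helper names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Dovecot 10-master.conf
# fragment and report any imap/pop3 (plaintext) listener that is still enabled.
# Both fragments below are constructed for this example; they follow Dovecot's
# documented "service ... { inet_listener ... { port = N } }" syntax.

# Weak: the plaintext listeners keep their default ports 143 and 110.
WEAK_CONF='service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}'

# Hardened: port = 0 disables the plaintext listeners; only imaps/pop3s remain.
HARDENED_CONF='service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}'

# plaintext_listeners CONFIG_TEXT
# Prints the names (imap, pop3) of plaintext listeners whose port is not 0,
# separated by spaces. A listener block with no "port =" line counts as enabled,
# because Dovecot then falls back to the default port (143 or 110).
plaintext_listeners() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*inet_listener[[:space:]]+[A-Za-z0-9]+/ {
      name = $2; sub(/[{].*/, "", name); port = ""
    }
    /^[[:space:]]*port[[:space:]]*=/ {
      split($0, kv, "="); port = kv[2]; gsub(/[[:space:]]/, "", port)
    }
    /^[[:space:]]*[}]/ {
      if ((name == "imap" || name == "pop3") && port != "0") printf "%s ", name
      name = ""
    }
  ' | sed 's/ *$//'
}

# audit_config LABEL CONFIG_TEXT: one-line verdict for a fragment.
audit_config() {
  found=$(plaintext_listeners "$2")
  if [ -n "$found" ]; then
    echo "$1: plaintext listeners still enabled: $found"
  else
    echo "$1: OK, only TLS listeners are enabled"
  fi
}

audit_config weak "$WEAK_CONF"
audit_config hardened "$HARDENED_CONF"
```

On a real server you would feed the script the contents of /etc/dovecot/conf.d/10-master.conf instead of the embedded fragments; the point of the check is that a listener block without an explicit port is treated as enabled, since that is what Dovecot does.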

Change also the following settings:

SSL Certificate

To use the cryptographic services needed both for user authentication when accessing the account and to ensure that postfixadmin and roundcube run over secure connections, we need valid SSL keys. At this point we will do the configuration with the self-signed key that is created during the Dovecot installation. This key cannot be used to validate a secure browser connection. Later we will change this setting to use an SSL key obtained from Certbot (Let's Encrypt) together with Nginx and DNS settings.

If you are following the steps of this tutorial you do not need to change anything in the file /etc/dovecot/conf.d/10-ssl.conf, which should contain the following lines:

If the files do not exist, or to recreate them (which must be done if you have changed the hostname, for example), do the following:

Edit the file /etc/pki/dovecot/dovecot-openssl.cnf and change the entries according to your own information.

After changing the file, if /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem already exist, delete them and then run the script mkcert.sh.

The output of the script should look something like this:

Another encryption-related setting, still in the file /etc/dovecot/conf.d/10-ssl.conf, is the optional attribute ssl_dh. Add or uncomment the line:

and run the following command to generate the .pem file:

The command above usually takes a long time, sometimes close to 1 hour. You can also use the command below to generate the same file more quickly.

Log file

By default Dovecot uses the syslog mechanism of CentOS, which usually sends the information to the file /var/log/messages. Since later I will show you how to counter several kinds of attack attempts, and one of them involves the fail2ban script, which works by analysing logs, it is best to define a dedicated log file so we don't have to monitor a file that changes constantly.

To define a dedicated log file, open the Dovecot logging configuration /etc/dovecot/conf.d/10-logging.conf and change or add the following lines:

Save the file and restart the service:

Make sure the file /var/log/dovecot.log has been created and contains entries indicating that the service is operating normally.

Firewall rules

If you are following this tutorial from the start on a default installation, the connection ports are probably closed to the outside world. The commands below open the imaps (993) and pop3s (995) ports so that an email client such as Outlook or Gmail can connect. Even if they are already open, in another publication I will show you a list of firewall rules to improve security.

First make sure the firewalld service is running. If it is stopped, probably every port that has a listening service is open.

Check the State line, which will read either active (running) or inactive (dead). If it is inactive, there is no need to continue. If it is active, we list which ports are open externally.

In the example above only dhcpv6-client and ssh are allowed. We then add the ports required to receive and send e-mail externally.

As you can see in the example, we add the imaps and pop3s services, which are listened on by Dovecot. Later we will also add the smtp and submission ports, which are listened on by Postfix (master). Note that I do not open the insecure imap and pop3 ports because I want to force the use of SSL/TLS.

To make sure the ports are open you can also try telnet to ports 993 and 995 from another system on the same network and verify that the file /var/log/dovecot.log shows the attempts. If you are not able to test that way right now, check the output of the command below.

And that's all for now. Next we configure Postfix 3.
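As an added example (not part of the original post), here is a small shell script that summarises what /var/log/dovecot.log shows after a check like the telnet test above, and that counts failed logins per remote IP, which is the kind of signal fail2ban acts on later in the series. The log lines are constructed to resemble Dovecot's imap-login and pop3-login messages (the "rip=" field is the remote IP) and use documentation addresses rather than real hosts; failed_auth_by_ip and probe_ips are helper names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: summarise Dovecot log entries
# per remote IP. The lines below are constructed to resemble Dovecot's
# imap-login/pop3-login messages and use documentation addresses
# (192.0.2.0/24, 203.0.113.0/24), not real hosts.

SAMPLE_LOG='Mar 03 10:01:12 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=2041, TLS, session=<s1>
Mar 03 10:02:30 imap-login: Info: Disconnected (auth failed, 1 attempts in 4 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<s2>
Mar 03 10:02:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<s3>
Mar 03 10:03:05 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.77, lip=192.0.2.1, session=<s4>
Mar 03 10:03:59 pop3-login: Info: Disconnected (auth failed, 2 attempts in 9 secs): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<s5>
Mar 03 10:04:10 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.77, lip=192.0.2.1, session=<s6>'

# failed_auth_by_ip LOG_TEXT
# Sums the "N attempts" counter of every "auth failed" disconnect per remote IP
# (rip=) and prints "total ip", highest first.
failed_auth_by_ip() {
  printf '%s\n' "$1" \
    | sed -n 's/.*auth failed, \([0-9]*\) attempts.*rip=\([0-9.]*\).*/\2 \1/p' \
    | awk '{ sum[$1] += $2 } END { for (ip in sum) print sum[ip], ip }' \
    | sort -rn
}

# probe_ips LOG_TEXT
# Remote IPs that connected but never tried to authenticate. A connectivity
# check from another machine (the telnet test) shows up here, and so does a
# port scan; both are worth recognising when reading the log.
probe_ips() {
  printf '%s\n' "$1" \
    | grep 'no auth attempts' \
    | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
    | sort -u
}

echo "failed login attempts per IP:"
failed_auth_by_ip "$SAMPLE_LOG"
echo "connections without any auth attempt:"
probe_ips "$SAMPLE_LOG"
```

To run the same summary against the real file, replace the embedded sample with the output of cat /var/log/dovecot.log; a remote IP with a high total in the first list is exactly what a fail2ban jail on this log would ban.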

Correcting the "modules not loaded" error on CentOS 6.x

A common problem after upgrading the kernel via yum on CentOS is that the module directory for the new kernel is not created.
An example of this error appears when you try to use grep, as in the screenshot below.

This indicates that the directory for kernel 2.6.32-042stab123.9 is missing, and therefore none of the modules that should be in it can be loaded.

To correct this problem, the simplest way is this recipe:

This will create the module directory and the module dependency list for the kernel currently in use (uname -r).

If the problem is not resolved with the commands above, try reinstalling the kernel via yum with the commands below.

And then try the commands listed earlier.

I hope you find it as useful as it was for me.

How to clear deferred messages from Postfix Queue

Today I was watching the Postfix log file (on CentOS 6.x the default is /var/log/maillog) and saw a lot of messages being deferred:

and these messages kept repeating from time to time.


Email Server, Part 1: Required installations

I have my own mail server using Postfix, Dovecot, MariaDB, SpamAssassin, ClamAV, Amavisd-new, fail2ban, nginx, postfixadmin and RoundCube on CentOS 7.
Although there are several recipes for configuring this stack, it took me many hours to figure out how to keep the service running correctly, what each setting in main.cf and master.cf does, and how to reduce the flood of spam that arrives every minute.
Anti-spam is the focus of this publication. I have suffered, and still suffer, from constant attempts to use my services as a zombie or as a vector for viruses, fraud and everything else you can imagine.

I lost count of how many times my DNS service stopped because an excess of connection attempts clogged the memory and forced the operating system to kill processes to conserve resources, and named was the one chosen for being the weakest link.
So this article focuses on the proper configuration of a private mail service with a few users and a few domains. Certainly much of what is in this short manual also applies to world-class services, but I believe that in those cases the use of dedicated, specialised tools or services should always be considered.


