Postfix, Dovecot and roundcube – Part 02


postfix, dovecot and roundcube on CentOS 6

 

This is the follow-up to the previous tutorial in the series, where we configured Postfix and Dovecot with the Roundcube webmail interface. You can find the first part here. In this part, we will configure SSL certificates for webmail and Dovecot so that all your traffic is encrypted. In this setup, I will first generate self-signed SSL certificates and then use them with the Roundcube webmail interface and with Dovecot for encrypted IMAP/POP3 connections. So let's get to work.

Configure SSL certificates:

I will generate the SSL certificates in a temporary directory and then move them to the appropriate location.


# mkdir -p /tmp/ssl/domain.com
# cd /tmp/ssl/domain.com
# openssl genrsa -des3 -out domain.com.key 2048
# openssl req -new -key domain.com.key -out domain.com.csr
# openssl x509 -req -days 365 -in domain.com.csr -signkey domain.com.key -out domain.com.crt
# cp -v domain.com.key domain.com.key.original
# openssl rsa -in domain.com.key.original -out domain.com.key

# chmod 0400 domain.com.key
# cp -v domain.com.crt /etc/pki/tls/certs
# cp -v domain.com.key domain.com.csr /etc/pki/tls/private

Next, we will use these generated SSL certificates in the webmail, SMTP and IMAP/POP3 configuration.
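Before pointing nginx, Postfix and Dovecot at the files, it is worth confirming that the key has no passphrase left, that it belongs to the certificate, that only its owner can read it, and that the certificate is not about to expire. The script below is an added example, not part of the original tutorial; the function names and the throwaway demo pair (CN mail.example.test) are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: sanity checks for a key/certificate pair before deployment.
# The demo pair and its CN are constructed; nothing touches /etc/pki.

key_is_encrypted() {            # true if the PEM key still has a passphrase
    grep -q 'ENCRYPTED' "$1"
}

key_matches_cert() {            # usage: key_matches_cert KEY CRT
    local from_key from_crt
    from_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$from_key" = "$from_crt" ]
}

key_is_private() {              # true if group/other have no access bits
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

check_pair() {                  # usage: check_pair KEY CRT [MIN_DAYS_LEFT]
    local key="$1" crt="$2" days="${3:-30}" rc=0
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected"; rc=1
    elif ! key_matches_cert "$key" "$crt"; then
        echo "FAIL: $crt does not belong to $key"; rc=1
    fi
    key_is_private "$key" || { echo "FAIL: $key is accessible to group/other"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend $(( days * 86400 )) >/dev/null ||
        { echo "FAIL: $crt expires within $days days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $key matches $crt"
    return "$rc"
}

make_demo_pair() {              # constructed throwaway pair in directory $1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=mail.example.test' \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
    chmod 0400 "$1/demo.key"
}

if [ "$#" -ge 2 ]; then         # check real files: ./script KEY CRT
    check_pair "$@"
else                            # no arguments: run against the demo pair
    tmp=$(mktemp -d) && make_demo_pair "$tmp" &&
        check_pair "$tmp/demo.key" "$tmp/demo.crt"
    rm -rf "$tmp"
fi
```

Run it with the key and certificate paths as arguments; a passphrase-protected key is reported first because a daemon started from an init script cannot prompt for the passphrase.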

Setup roundcube over SSL:

Installing SSL certificates differs from web server to web server. As I am using nginx as the web server, I will add the necessary details to my webmail configuration file under nginx. The entries below go directly inside the server block of the webmail configuration file.


# vim /etc/nginx/conf.d/webmail.conf
.........
.........
ssl on;
ssl_certificate /etc/pki/tls/certs/domain.com.crt;
ssl_certificate_key /etc/pki/tls/private/domain.com.key;
ssl_session_timeout 5m;
.........
.........

Really, that is it. Reload the nginx service (/etc/init.d/nginx reload) and you have your webmail running on ports 80 and 443. If you want to redirect plain requests (port 80) to SSL-enabled ones (port 443) automatically, add a rule to your nginx configuration so that any request received on port 80 is forwarded to port 443. For this, add the following rule to the server block in your webmail configuration that serves plain requests:


server {
    listen 80;
    server_name mail.domain.com;
    return 301 https://$host$request_uri;
}
.......
.......

Setup SMTP over SSL:

In order to send emails using SMTP over SSL, you need to enable SSL support in Postfix. Edit the two files below, starting with /etc/postfix/main.cf, and add the following towards the end:


# vim /etc/postfix/main.cf

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/domain.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/domain.com.crt

smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

After that, edit /etc/postfix/master.cf and add/append the following:


# vim /etc/postfix/master.cf

smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Restart the Postfix service so that the changes made above take effect: /etc/init.d/postfix restart

Setup IMAPs and POP3s:

In order to enable SSL with IMAP and POP3, edit the configuration file for Dovecot and add/append the following:


# vim /etc/dovecot/dovecot.conf

protocols = imap pop3
ssl = yes
ssl_cert = </etc/pki/tls/certs/domain.com.crt
ssl_key = </etc/pki/tls/private/domain.com.key

Restart the dovecot service with /etc/init.d/dovecot restart. You can check whether the IMAPS and POP3S services are up by running lsof:


# lsof -i:993
# lsof -i:995

Install Spamassassin:

Spamassassin is an application (more of a tool) used for e-mail spam filtering. It works by matching the content of an email against the defined rules. We will install it first and then configure it.


# yum install spamassassin

Next, we will create a group and user which will be used to start/stop/restart the spamassassin service:


# groupadd spamfilter
# useradd -g spamfilter -s /bin/false -d /usr/local/spamassassin spamfilter
# chown spamfilter: /usr/local/spamassassin

Configure the SPAM rules by editing the following file:


# vim /etc/mail/spamassassin/local.cf

required_hits 5
report_safe 0
rewrite_header Subject [***SPAM***]
required_score 5.0

Next, change the user under which the spamassassin service runs. If no user is defined, it will run as root, but as we have already added a dedicated user for this, let's set that in the following file:


# vim /etc/sysconfig/spamassassin

SAHOME="/usr/local/spamassassin"
SPID_DIR="/var/run/spamassassin"
SUSER="spamfilter"
SPAMDOPTIONS="-d -c -m5 --username ${SUSER} -H ${SAHOME} -s ${SAHOME}/spamfilter.log"

It's time to start the spamassassin service with /etc/init.d/spamassassin start and make it start on every boot with chkconfig spamassassin on.

Postfix Configuration for Spamassassin:

This step integrates the newly configured spamassassin with Postfix: Postfix receives an email and then passes it to spamassassin, which checks whether the email is SPAM based on the rule-matching criteria. Edit the master.cf file located in /etc/postfix:


# vim /etc/postfix/master.cf

smtp inet n - n - - smtpd -o content_filter=spamassassin
spamassassin unix - n n - - pipe user=spamfilter argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Restart the postfix service with /etc/init.d/postfix restart.

Testing the setup:

In order to test the spamassassin setup, you first need to create a rule for content matching. You can create a rule in the file /etc/mail/spamassassin/local.cf, or if you face any issues, you may head over to Dave Taylor's tutorial on how to do this by clicking here.

Once you have added the desired rules, send a test email containing the words you have blocked and check your mailbox; that particular email should have landed in the SPAM folder automatically.
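A way to test the filter path without writing a custom rule first, as an added example that is not part of the original tutorial: SpamAssassin ships a standard test string, GTUBE, that it always scores as spam. The script builds a GTUBE message and classifies a delivered message from its headers, using the [***SPAM***] Subject tag configured in local.cf above; the function names, addresses and sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the content_filter path with GTUBE, the standard
# test string that SpamAssassin always scores as spam.
# Addresses and sample headers below are constructed placeholders.

GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

gtube_message() {               # usage: gtube_message FROM TO
    printf 'From: %s\nTo: %s\nSubject: filter test\n\n%s\n' "$1" "$2" "$GTUBE"
}

# Classify a message read from stdin by its headers only. Parsing stops at
# the first blank line, so spam markers quoted in the body are ignored.
# Prints: spam | ham | unscanned (no SpamAssassin headers at all).
spam_verdict() {
    awk '
        /^\r?$/ { exit }
        tolower($0) ~ /^x-spam-flag:[ \t]*yes/  { flag = 1 }
        tolower($0) ~ /^x-spam-status:/         { scanned = 1 }
        /^Subject:[ \t]*\[\*\*\*SPAM\*\*\*\]/   { tagged = 1 }
        END {
            if (flag || tagged) print "spam"
            else if (scanned)   print "ham"
            else                print "unscanned"
        }'
}

# Demo on constructed input: the message as sent, before any filtering.
gtube_message sender@example.test user@example.test | spam_verdict

# Demo on constructed input: the same message as spamc would tag it.
printf 'X-Spam-Flag: YES\nX-Spam-Status: Yes, score=1000.0 required=5.0\nSubject: [***SPAM***] filter test\n\n%s\n' "$GTUBE" | spam_verdict
```

Send the output of gtube_message over SMTP to port 25, then pipe the delivered mail file into spam_verdict. Mail injected with the local sendmail command bypasses the filter, because content_filter is set only on the smtp service in master.cf, so a result of "unscanned" means the message never passed through spamc.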

In the next part, we will be adding OpenDKIM signatures to your emails along with configuration of Dovecot Sieve so that you can add spam rules directly from roundcube web interface instead of making entries in the files manually.

For the previous tutorial, please click below:

Postfix, Dovecot and roundcube – Part 1

I hope this was informative for you. If you have any queries or comments, leave them below in the comments section. Bye for now!