Postfix, Dovecot and roundcube – Part 3


postfix, dovecot and roundcube on CentOS 6

This is part 3 in this series, and the last one. Once you have finished it, you should have a very robust email server that is battle ready for any small to medium sized enterprise. In this tutorial we will add DKIM signatures and a roundcube plugin called ‘Sieve’ that makes fighting SPAM much easier: it lets users add filter rules to their mailbox directly from the roundcube settings instead of from the command line, which is a complex task for most normal users. Let’s start by configuring OpenDKIM and integrating it with your postfix installation.

Configuring openDKIM:

A word: DKIM is short for ‘DomainKeys Identified Mail’ and is widely used to sign and verify email. The sending server adds a signature to each outgoing message, and the receiving SMTP server checks that signature against a public key published in DNS to verify that the message really originated from the domain in question and was not tampered with in transit. Configuring OpenDKIM with your postfix server is pretty straightforward and should not take more than 10 – 15 minutes. So, let’s dive in.

Steps involved are as follows:

1. Install EPEL repo if you have not done so already:

# rpm -Uvh http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm

2. Install opendkim package:

# yum install opendkim

3. Configure openDKIM: the main configuration file is located at /etc/opendkim.conf and we need to edit it. Before you do so, make sure you have a backup of this file.

# cp /etc/opendkim.conf /etc/opendkim.conf.bak

# vim /etc/opendkim.conf

AutoRestart				Yes
AutoRestartRate			10/1h
LogWhy					Yes
Syslog					Yes
SyslogSuccess			Yes
Mode					sv
Canonicalization		relaxed/simple
ExternalIgnoreList		refile:/etc/opendkim/TrustedHosts
InternalHosts			refile:/etc/opendkim/TrustedHosts
KeyTable				refile:/etc/opendkim/KeyTable
SigningTable			refile:/etc/opendkim/SigningTable
SignatureAlgorithm		rsa-sha256
Socket					inet:8891@localhost
PidFile					/var/run/opendkim/opendkim.pid
UMask					022
UserID					opendkim:opendkim
TemporaryDirectory		/var/tmp

Setup Public and Private Keys:

We will need to define the domain name at a couple of places in this section, hence we will create a simple variable with domain name in it. It is nothing but less typing 🙂


# DOMAIN="domain.com"

NOTE: The ‘domain.com’ value here is the domain you will be sending email from. For example, if your email addresses have the format abc@example.com, then ‘domain.com’ here will be ‘example.com’.

1. We will first need to generate the keys for your domain name as follows:


# mkdir /etc/opendkim/keys/"$DOMAIN"

# opendkim-genkey -D /etc/opendkim/keys/"$DOMAIN"/ -d "$DOMAIN" -s default

# chown -R opendkim: /etc/opendkim/keys/"$DOMAIN"

# mv /etc/opendkim/keys/"$DOMAIN"/default.private /etc/opendkim/keys/"$DOMAIN"/default

2. Add the domain name to the key table by appending a line to the file /etc/opendkim/KeyTable:


# echo "default._domainkey.$DOMAIN $DOMAIN:default:/etc/opendkim/keys/$DOMAIN/default" >> /etc/opendkim/KeyTable

3. Add the following record to the file /etc/opendkim/SigningTable:


# echo "*@$DOMAIN default._domainkey.$DOMAIN" >> /etc/opendkim/SigningTable

4. Edit the file /etc/opendkim/TrustedHosts and append the following (it must include the loopback address, your domain name and the hostname of your server; mydomain.com below stands for your own domain):


# vim /etc/opendkim/TrustedHosts

127.0.0.1
mydomain.com
host.mydomain.com

5. It is time to update the DNS zone for your domain from your DNS manager. Open the file /etc/opendkim/keys/$DOMAIN/default.txt that opendkim-genkey wrote in step 1 and copy its contents. You should find something similar to:


default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" ) ; ----- DKIM key default for domain.com

In your DNS manager, the record should be entered in a similar way to the following image. DNS managers differ from provider to provider, but the DKIM record must be a TXT record (named default._domainkey under your domain, matching the selector used above) and nothing else.

(Image: DKIM entry in the DNS manager)
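Before pasting the record, it helps to check what opendkim-genkey actually produced. The following Python script is an added example (not part of the original post or of OpenDKIM): it flattens the split quoted strings of default.txt into the single value a DNS manager expects, parses the tag list, and reads the RSA modulus size out of the p= value. The sample record is the one shown above, embedded inline so the script runs offline.

```python
import base64
import re

# Constructed sample in the format opendkim-genkey writes to default.txt (the 1024-bit key shown above).
SAMPLE_DEFAULT_TXT = '''default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" ) ; ----- DKIM key default for domain.com'''
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER encoding of the rsaEncryption OID

def flatten_txt(record: str) -> str:
    """Join the quoted fragments into the single value most DNS managers expect."""
    return "".join(re.findall(r'"([^"]*)"', record))

def parse_tags(value: str) -> dict:
    """Split the RFC 6376 tag=value list ('v=DKIM1; k=rsa; p=...') into a dict."""
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in value.split(";") if "=" in p)}

def _der_len(buf: bytes, i: int):
    if buf[i] < 0x80:                 # short form: the byte is the length itself
        return buf[i], i + 1
    n = buf[i] & 0x7F                 # long form: n following bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk the DER SubjectPublicKeyInfo down to the RSA modulus and return its size."""
    if RSA_OID not in spki:
        raise ValueError("p= is not an rsaEncryption SubjectPublicKeyInfo")
    _, i = _der_len(spki, 1)                 # outer SEQUENCE (tag byte at index 0)
    alg_len, i = _der_len(spki, i + 1)       # AlgorithmIdentifier SEQUENCE, skipped whole
    _, i = _der_len(spki, i + alg_len + 1)   # BIT STRING holding RSAPublicKey
    _, i = _der_len(spki, i + 2)             # skip the unused-bits byte, then RSAPublicKey SEQUENCE
    n_len, i = _der_len(spki, i + 1)         # INTEGER modulus
    modulus = spki[i:i + n_len]
    return (len(modulus) - (1 if modulus[0] == 0 else 0)) * 8   # drop DER sign padding byte

def check_dkim_record(record: str) -> dict:
    """Return tags, modulus size and findings for a default.txt-style (or dig-returned) record."""
    tags = parse_tags(flatten_txt(record))
    findings = []
    if tags.get("v") != "DKIM1":
        findings.append("missing or wrong v= tag")
    try:  # a TXT answer may carry whitespace inside p=, so strip it before decoding
        raw = base64.b64decode("".join(tags.get("p", "").split()), validate=True)
        bits = rsa_modulus_bits(raw)
    except Exception as exc:
        findings.append(f"p= does not decode to an RSA key: {exc}")
        bits = 0
    if 0 < bits < 2048:
        findings.append(f"{bits}-bit key; RFC 8301 recommends at least 2048 bits")
    return {"tags": tags, "bits": bits, "findings": findings}
```

The sample key is 1024 bits, which the check flags; opendkim-genkey accepts -b 2048 to generate a longer key. After publishing, the same check can be run on the TXT value returned by dig to confirm the record was not truncated or mangled by the DNS manager.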

6. In addition to DKIM, it is advisable to add an SPF record as well. SPF is a mechanism that lists which mail servers are permitted to send email on behalf of your domain, so its purpose is to prevent spammers from sending messages with forged From addresses at your domain. An SPF record is also a TXT record and is added from your DNS manager in the same way. To generate an SPF record for your domain, you can refer to the links here and here.

Integrate OpenDKIM with Postfix:

To make postfix pass mail through the OpenDKIM milter we just configured, add the following lines to the postfix configuration file (/etc/postfix/main.cf); the socket must match the Socket line in /etc/opendkim.conf:


smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

That is it, the configuration is updated and now it is time to test it. Send an email and keep an eye on the mail log at /var/log/maillog. When you send an email, DKIM should do its magic and add the signature. You should see something similar to the following:

(Image: DKIM signing entries in the mail log)

Also, in the mailbox at the receiving end, you should see that the email we sent is signed:

(Image: DKIM signature shown on the received message)

To test once more whether the setup is configured correctly, you can send a test email to “check-auth@verifier.port25.com”. After a few minutes, you will receive a detailed report in the following format:


......

......

==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
DKIM check: pass

......

......

Next, we will configure server-side email filtering with dovecot’s Sieve, managed from roundcube.

Getting Sieve setup and running:

The Sieve plugin is part of a project called “Pigeonhole”, which adds the Sieve filtering language and the ManageSieve protocol to Dovecot. Sieve rules run on the server at delivery time, and with the roundcube plugin they can be added and managed easily from the user’s mailbox settings.

Let’s get our hands dirty and configure this yet another add-on to your setup:

1. ManageSieve protocol in Dovecot is enabled by a package called dovecot-pigeonhole which we will install:


# yum install dovecot-pigeonhole

2. Next, we need to edit the main configuration file for Dovecot which is at: /etc/dovecot/dovecot.conf:


# vim /etc/dovecot/dovecot.conf

protocols = imap lmtp sieve

Inside the existing service auth block, add an auth-master unix_listener next to the auth-client one:

service auth {
  unix_listener auth-client {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    group = virtmail
    mode = 0660
    user = virtmail
  }
  user = root
}

and add the following to the end of the configuration file:

service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service managesieve {
}
protocol sieve {
  managesieve_max_line_length = 65536
  managesieve_implementation_string = dovecot
  log_path = /var/log/dovecot-sieve-errors.log
  info_log_path = /var/log/dovecot-sieve.log
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_global_path = /etc/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /etc/dovecot/sieve/global/
}
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
  mail_plugins = $mail_plugins autocreate sieve quota
  postmaster_address = postmaster@domain.com
  hostname = mail.domain.com
  auth_socket_path = /var/run/dovecot/auth-master
  log_path = /var/log/dovecot-lda-errors.log
  info_log_path = /var/log/dovecot-lda.log
}
protocol lmtp {
  mail_plugins = $mail_plugins autocreate sieve quota
  log_path = /var/log/dovecot-lmtp-errors.log
  info_log_path = /var/log/dovecot-lmtp.log
}

3. Create the log files and directories referenced in the configuration above, and give them to the virtmail user that delivers the mail:


# touch /var/log/dovecot-lda-errors.log
# touch /var/log/dovecot-lda.log
# touch /var/log/dovecot-sieve-errors.log
# touch /var/log/dovecot-sieve.log
# touch /var/log/dovecot-lmtp-errors.log
# touch /var/log/dovecot-lmtp.log

# mkdir -p /etc/dovecot/sieve/global
# chown virtmail: -R /etc/dovecot/sieve
# chown virtmail:mail /var/log/dovecot-*

4. This is the point where we restart dovecot service:


# service dovecot restart

5. Make sure that the ManageSieve service is listening on port 4190:


# netstat -tunlp | grep :4190

6. Next, we will create a SPAM rule: anything matching it, that is, a message already flagged as SPAM by SpamAssassin (X-Spam-Flag: YES) or one with a matching subject, will be moved to the ‘Spam’ folder automatically. This global rule applies to users who have no personal Sieve script of their own (see sieve_global_path above). Add it to the file /etc/dovecot/sieve/default.sieve:


# vim /etc/dovecot/sieve/default.sieve

require ["fileinto"];
# rule:[SPAM]
if header :contains "X-Spam-Flag" "YES" {
    fileinto "Spam";
}
# rule:[SPAM2]
# note: "Cialis" carries no wildcards, so it only matches a Subject that is exactly "Cialis"
elsif header :matches "Subject" ["*money*","*Viagra*","Cialis"] {
    fileinto "Spam";
}
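To see what the two rules above actually catch before relying on them, here is an added example (not from the original post or from Pigeonhole): a small Python model of the Sieve :contains and :matches tests, applied to a few constructed sample messages. It shows the difference between the wildcard patterns and the bare "Cialis" entry.

```python
import re

# Constructed sample messages (header name -> value); not real mail.
SAMPLES = {
    "flagged":   {"X-Spam-Flag": "YES", "Subject": "Quarterly report"},
    "money":     {"Subject": "Make MONEY fast"},
    "exact":     {"Subject": "Cialis"},
    "not_exact": {"Subject": "Cheap Cialis online"},
    "clean":     {"Subject": "Lunch tomorrow?"},
}

SUBJECT_PATTERNS = ["*money*", "*Viagra*", "Cialis"]   # the list from default.sieve above

def sieve_matches(pattern: str, value: str) -> bool:
    """Sieve :matches semantics: '*' is any run of characters, '?' exactly one,
    compared case-insensitively (the default i;ascii-casemap comparator)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL) is not None

def sieve_contains(needle: str, value: str) -> bool:
    """Sieve :contains semantics: case-insensitive substring test."""
    return needle.lower() in value.lower()

def header(msg: dict, name: str) -> str:
    """Case-insensitive header lookup; a missing header never matches, so return ''."""
    return next((v for k, v in msg.items() if k.lower() == name.lower()), "")

def deliver_folder(msg: dict) -> str:
    """Mirror the two rules of default.sieve and return the folder the message lands in."""
    if sieve_contains("YES", header(msg, "X-Spam-Flag")):                          # rule:[SPAM]
        return "Spam"
    if any(sieve_matches(p, header(msg, "Subject")) for p in SUBJECT_PATTERNS):    # rule:[SPAM2]
        return "Spam"
    return "INBOX"   # no rule fired: Sieve's implicit keep

def classify_all(samples: dict) -> dict:
    """Run every sample through the rules; handy for eyeballing the result."""
    return {name: deliver_folder(msg) for name, msg in samples.items()}
```

Note that the "Spam" folder has to exist for fileinto to succeed; the lda_mailbox_autocreate setting above takes care of that on first delivery.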

7. To make these rules work, mail has to be delivered through dovecot, so we need to make a few entries in the two main configuration files for postfix (/etc/postfix/main.cf and /etc/postfix/master.cf):


# vim /etc/postfix/main.cf

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

 

# vim /etc/postfix/master.cf

# the second line must start with whitespace: master.cf treats a line that
# starts in column 1 as a new service entry, not as a continuation
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=virtmail:virtmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

8. Restart postfix service to make the changes effective:


# service postfix restart

Enable Sieve in roundcube configuration:

In order to use Sieve from the webmail, we need to enable the corresponding plugin in the roundcube configuration. Luckily, roundcube already ships a plugin for this and all that needs to be done is to enable it. The steps for roundcube 1.x and newer differ from those for older versions; if you are using an older version of roundcube, consult the documentation for that version. It is not at all hard if you have reached this far ;).

Configuring Sieve plugin for roundcube:

Steps are as follows:

1. Edit the file “config/main.inc.php”, which should be in the document root of your roundcube installation:


# vim config/main.inc.php

## search for the string "plugins" and add 'managesieve' to the array

$config['plugins'] = array(
    'archive',
    # 'plugin_manager',
    'zipdownload',
    'managesieve',
);

2. That is it! Now log into your mailbox using roundcube and browse to Settings: you will see a new option there named ‘Filters’. Have a look at it and add new rules or delete old ones as you wish. This filter setting is available to all of your users who log into their mailboxes through roundcube.

Postfix, Dovecot, RoundCube and Sieve, together with the SSL certificates configured using the documentation here, make a very strong, enterprise level mail server. This was part 3, the last in this series of postfix tutorials.

You can find the previous two parts in this series below:

Postfix, Dovecot and roundcube – Part 1

Postfix, Dovecot and roundcube – Part 2

I hope you enjoyed reading this documentation as much as I enjoyed writing it.

Adios till next time!
