Raspberrypi.mail

Konzept

Internet     |   Raspi 
             |
:25 (smtp)   ->  [ Postfix ] -> Filesystem "/var/mail/user"
             |               -> dovecot User API 
             |
:110 (pop3)  ->  [ dovecot ] -> Filesystem "/var/mail/user"
             |               -> Linux User API

• Mein Ziel ist ein ordentlicher eigenständiger Mailserver (er braucht keinen anderen Mailserver zum versenden der Mail)
• Es soll keine Datenbank nötig sein
• Mail-Accounts sind native Linux-User, über den Kernel läuft somit auch die Authentifizierung
• Mail-Speicherung erfolgt im mbox Format in /var/mail so wie das Linux vorsieht
• eMail-Adressen sind in der Text-Datei "/etc/postfix/virtual" aufgelistet

Vorarbeiten

benötigte Software

apt-get install dovecot-pop3d postfix

Ordentlich starten

• postfix ist von dovecot abhängig, deshalb sollte postfix erst starten wenn dovecot schon Aktiv ist

erst dovecot

joe /lib/systemd/system/dovecot.service

[Unit]
Requires=network-online.target
After=network-online.target

dann postfix

joe /lib/systemd/system/postfix.service

[Unit]
Requires=dovecot.service
After=network-online.target nss-lookup.target dovecot.service

Dienst beim Reboot starten

systemctl enable dovecot
systemctl enable postfix

Konfiguration

Test

noch zu klären ...

Im Moment gibt es noch Datei-Rechte Probleme, dies ist ein Workaround so dass beide Programme miteinander arbeiten können

chmod 777 /var/mail

drwxrwsrwx  2 root mail       4096 Feb 14 11:41 mail

postfix

http://www.postfix.org/features.html

main.cf

virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot

Test

• https://www.thomas-krenn.com/de/wiki/TCP_Port_25_(smtp)_Zugriff_mit_telnet_%C3%BCberpr%C3%BCfen
• https://www.ndchost.com/wiki/mail/test-smtp-auth-telnet

dovecot

Information

https://dovecot.org/

Installation

apt-get install dovecot-pop3d

Konfiguration

/etc/dovecot/conf.d/10-ssl.conf

##
## SSL settings 
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca = 

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# DH parameters length to use.
#ssl_dh_parameters_length = 1024

# SSL protocols to use
#ssl_protocols = !SSLv3

# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   no_compression - Disable compression.
#ssl_options =

/etc/dovecot/conf.d/10-master.conf

#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port = 
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user = 
    #group = 
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
     user = postfix
     group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user = 
    #group = 
  }
}

/etc/dovecot/conf.d/10-logging.conf

##
## Log destination.
##

# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
#log_path = syslog

# Log file to use for informational messages. Defaults to log_path.
#info_log_path = 
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path = 

# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
#syslog_facility = mail

##
## Logging verbosity and debugging.
##

# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = yes

# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
#auth_verbose_passwords = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = no

# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
mail_debug = yes

# Show protocol level SSL errors.
#verbose_ssl = no

# mail_log plugin provides more event logging for mail processes.
plugin {
  # Events to log. Also available: flag_change append
  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
  # size and vsize are available only for expunge and copy events.
  #mail_log_fields = uid box msgid size
}

##
## Log formatting.
##

# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = "%b %d %H:%M:%S "

# Space-separated list of elements we want to log. The elements which have
# a non-empty variable value are joined together to form a comma-separated
# string.
#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c

# Login log format. %s contains login_log_format_elements string, %$ contains
# the data we want to log.
#login_log_format = %$: %s
 
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
# possible variables you can use.
#mail_log_prefix = "%s(%u): "

# Format to use for logging mail deliveries. See doc/wiki/Variables.txt for
# list of all variables you can use. Some of the common ones include:
#  %$ - Delivery status message (e.g. "saved to INBOX")
#  %m - Message-ID
#  %s - Subject
#  %f - From address
#  %p - Physical size
#  %w - Virtual size
#deliver_log_format = msgid=%m: %$

/etc/dovecot/conf.d/auth-system.conf.ext

# Authentication for system users. Included from 10-auth.conf.
#
# <doc/wiki/PasswordDatabase.txt>
# <doc/wiki/UserDatabase.txt>

# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
passdb {
  driver = pam
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  args = failure_show_msg=yes
}

# System users (NSS, /etc/passwd, or similiar).
# In many systems nowadays this uses Name Service Switch, which is
# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
#passdb {
  #driver = passwd
  # [blocking=no]
  #args = 
#}

# Shadow passwords for system users (NSS, /etc/shadow or similiar).
# Deprecated by PAM nowadays.
# <doc/wiki/PasswordDatabase.Shadow.txt>
#passdb {
  #driver = shadow
  # [blocking=no]
  #args = 
#}

# PAM-like authentication for OpenBSD.
# <doc/wiki/PasswordDatabase.BSDAuth.txt>
#passdb {
  #driver = bsdauth
  # [blocking=no] [cache_key=<key>]
  #args =
#}

##
## User databases
##

# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
#userdb {
  # <doc/wiki/AuthDatabase.Passwd.txt>
  # driver = passwd
  # [blocking=no]
  #args = 

  # Override fields from passwd
  #override_fields = home=/home/virtual/%u
#}

# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
#userdb {
  #driver = static
  # Can return anything a userdb could normally return. For example:
  #
  #  args = uid=500 gid=500 home=/var/mail/%u
  #
  # LDA and LMTP needs to look up users only from the userdb. This of course
  # doesn't work with static userdb because there is no list of users.
  # Normally static userdb handles this by doing a passdb lookup. This works
  # with most passdbs, with PAM being the most notable exception. If you do
  # the user verification another way, you can add allow_all_users=yes to
  # the args in which case the passdb lookup is skipped.
  #
  #args =
#}

/etc/dovecot/conf.d/10-auth.conf

##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = no

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm = 

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab = 

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using 
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName. 
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

/etc/dovecot/conf.d/10-mail.conf

Test

• https://blog.yimingliu.com/2009/01/23/testing-a-pop3-server-via-telnet-or-openssl/

eMail-Konten anlegen

eMail.sh

./eMail.sh user password

#
# create a Postfix Mail Account
#

useradd --gid postfix --create-home --shell /bin/false $1
echo "$1:$2" | chpasswd
chmod 777 /home/$1
touch /var/mail/$1
chown $1 /var/mail/$1
chgrp postfix /var/mail/$1
chmod 0660 /var/mail/$1

offene Probleme

• Wenn ein neuer User angelegt wird und erstmalig mit dovecot per pop3 angefragt wird schafft dovecot es nicht eine leere mbox anzulegen
• Wenn ein neuer user angelegt wird schafft es postfix eine neue mbox anzulegen, diese kann aber Rechtmäßig nicht von dovecot gelesen werden
• dovecot will imap Sachen machen, obwohl ich nur pop3 einsetze.
• dovecort schafft es nicht im home des users das Verzeichnis .imap anzulegen (rechteproblem)

Sep 25 20:30:38 pi3x04 dovecot: pop3(mail-ma1): Error: mkdir_parents(/home/mail-ma1/.imap/INBOX) failed: Permission denied

-> Versuch

#
# die User einfach mal der Gruppe "mail" zuordnen, nicht postfix, das war dumm
#
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin