CentOS 7 Mail Server Configuration

September 6, 2015

In this post we will see a CentOS 7 mail server configuration using postfix, dovecot, opendkim, spamassassin, amavisd and clamav. Our test domain is ‘example.com’ and the FQDN of our mail server is ‘mail.example.com’. SELinux is disabled.

1) Generate self-signed SSL certificates

cd /etc/ssl
openssl genrsa -out mail.example.com.key 2048
openssl req -new -key mail.example.com.key -out mail.example.com.csr
openssl x509 -req -days 365 -in mail.example.com.csr -signkey mail.example.com.key -out mail.example.com.crt

2) Install postfix and dovecot

yum install postfix dovecot -y

3) Configure dovecot. Back up the ‘/etc/dovecot/dovecot.conf’ file

cd /etc/dovecot
cp -R dovecot.conf dovecot.conf.bak

Open the file ‘/etc/dovecot/dovecot.conf’, uncomment the following line in it (remove the # symbol) and save the file

protocols = imap pop3 lmtp

Next, change directory to ‘/etc/dovecot/conf.d’ and back up the file ‘10-auth.conf’

cd /etc/dovecot/conf.d
cp -R 10-auth.conf 10-auth.conf.bak

In the ‘10-auth.conf’ file, enable the plain and login authentication mechanisms:

auth_mechanisms = plain login

Back up the ‘10-mail.conf’ file first,

cp -R 10-mail.conf 10-mail.conf.bak

and then edit it to uncomment the following ‘mail_location’ line

mail_location = maildir:~/Maildir

Back up the ‘10-ssl.conf’ file first

cp -R 10-ssl.conf 10-ssl.conf.bak

and edit it to point the ssl_cert and ssl_key settings at the certificate and key files created in step 1

ssl = yes
ssl_cert = </etc/ssl/mail.example.com.crt
ssl_key = </etc/ssl/mail.example.com.key

Back up the ‘10-master.conf’ file and then edit it so that postfix can use dovecot’s SASL authentication service to authenticate the email accounts

cp -R 10-master.conf 10-master.conf.bak

change the commented Postfix smtp-auth lines in the ‘service auth’ section so that they look like the ones below

 # Postfix smtp-auth
 unix_listener /var/spool/postfix/private/auth {
   mode = 0666
 }

Start the dovecot service now.

 systemctl start dovecot
 systemctl enable dovecot

Open the POP3 and IMAP ports in the firewall.

 firewall-cmd --zone=public --add-port=110/tcp --permanent
 firewall-cmd --zone=public --add-port=143/tcp --permanent
 firewall-cmd --zone=public --add-port=993/tcp --permanent
 firewall-cmd --zone=public --add-port=995/tcp --permanent
 firewall-cmd --reload

4) Configure postfix

Back up the files ‘/etc/postfix/main.cf’ and ‘/etc/postfix/master.cf’

 cp -R /etc/postfix/main.cf /etc/postfix/main.cf.bak
 cp -R /etc/postfix/master.cf /etc/postfix/master.cf.bak

Edit the ‘/etc/postfix/main.cf’ file and make the following changes in it (replace example.com and mail.example.com with your own domain values)

 myhostname = mail.example.com
 mydomain = example.com
 myorigin = $mydomain
 inet_interfaces = all
 #inet_interfaces = localhost
 mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
 home_mailbox = Maildir/

Also add the following lines at the end of the same file (‘/etc/postfix/main.cf’)

 # The basic spam blocking
 smtpd_helo_required = yes
 disable_vrfy_command = yes
 message_size_limit = 20480000
 # for SMTP-Auth settings
 broken_sasl_auth_clients = yes
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
 smtpd_use_tls = yes
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_timeout = 3600s
 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 smtpd_tls_key_file = /etc/ssl/mail.example.com.key
 smtpd_tls_cert_file = /etc/ssl/mail.example.com.crt
 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
 tls_random_source = dev:/dev/urandom
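The relay and SASL settings above are what keep this server from becoming an open relay: a client may relay only from ‘mynetworks’ or after a SASL login, and everything else hits ‘reject_unauth_destination’. As an added example (not part of the original post), the following Python script parses a main.cf fragment in postfix syntax, expands the ‘$variable’ references the way postfix does, and reports any SASL or restriction setting that would let unauthenticated clients relay. The sample configuration embedded in it is constructed to mirror the settings above.

```python
import re

# Constructed sample mirroring the main.cf settings above, with $variable references
# and a continuation line (leading whitespace) to exercise the parser.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_rbl_client sbl.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

def parse_main_cf(text):
    """main.cf syntax: 'name = value'; a line starting with whitespace continues the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and name:
            params[name] += " " + line.strip()
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        params[name] = value
    return params

def expand(params, name):
    """Resolve $name / ${name} references recursively, as postfix does."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: expand(params, m.group(1)), params.get(name, ""))

def audit(params):
    """Return findings; an empty list means the guide's SASL and anti-relay settings are present."""
    findings = []
    if expand(params, "smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes")
    if "noanonymous" not in expand(params, "smtpd_sasl_tls_security_options"):
        findings.append("anonymous SASL logins allowed over TLS")
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        rules = [r.strip() for r in expand(params, name).split(",") if r.strip()]
        if "reject_unauth_destination" not in rules:
            findings.append(f"{name}: no reject_unauth_destination (open relay)")
            continue
        # any permit other than own networks / authenticated users before it lets strangers relay
        for rule in rules[: rules.index("reject_unauth_destination")]:
            if rule.startswith("permit") and rule not in ("permit_mynetworks", "permit_sasl_authenticated"):
                findings.append(f"{name}: '{rule}' precedes reject_unauth_destination")
    return findings
```

To audit a live server, read the output of ‘postconf -n’ into parse_main_cf instead of the sample string.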

Now edit the file ‘/etc/postfix/master.cf’, uncomment the following lines (the ‘-o’ option lines must stay indented under the smtps entry) and save the file

 submission inet n       -       n       -       -       smtpd
 smtps     inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes

Restart the postfix service and open the required ports in the firewall

 systemctl restart postfix
 systemctl enable postfix
 firewall-cmd --zone=public --add-port=25/tcp --permanent
 firewall-cmd --zone=public --add-port=587/tcp --permanent
 firewall-cmd --zone=public --add-port=465/tcp --permanent
 firewall-cmd --reload

Create an email account

 useradd -s /sbin/nologin jake
 echo 'abc123' | passwd jake --stdin

 

Connect to the new email account ‘jake@example.com’ using mozilla thunderbird email client

5) Install and configure OpenDKIM

 yum install epel-release
 yum install opendkim

Back up the ‘/etc/opendkim.conf’ file

 cp -R /etc/opendkim.conf /etc/opendkim.conf.bak

Edit ‘/etc/opendkim.conf’ and make the following changes:

 Mode  sv
 #KeyFile      /etc/opendkim/keys/default.private
 KeyTable     /etc/opendkim/KeyTable
 SigningTable refile:/etc/opendkim/SigningTable
 ExternalIgnoreList   refile:/etc/opendkim/TrustedHosts
 InternalHosts        refile:/etc/opendkim/TrustedHosts

Create the DKIM private and public keys

 mkdir /etc/opendkim/keys/example.com
 opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s mail
 chown -R opendkim: /etc/opendkim/keys/example.com
 mv /etc/opendkim/keys/example.com/mail.private /etc/opendkim/keys/example.com/mail

Edit the KeyTable file ‘/etc/opendkim/KeyTable’ and add the following line at the end of the file

 mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail

Edit the SigningTable file ‘/etc/opendkim/SigningTable’ and add the following line at the end of the file

 *@example.com mail._domainkey.example.com

Add the trusted hosts to the file ‘/etc/opendkim/TrustedHosts’ as shown below. Make sure you replace example.com with your actual domain name.

 example.com
 mail.example.com

View the entry that needs to be published as a DNS TXT record

 cat /etc/opendkim/keys/example.com/mail.txt

You will see something similar to this:

mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNXvo4vuFYyVP97tyMvG49HNYrlANp7caAnllyeeT2oVV0omNt17bS8cejUFD5Ng3pw/lfLO338VGeVFQ6iEV2nyGzr3HTVM7VtUJGh3YiWoE4PHI8Fy2chmndNFFhNNtZ6qdpVIY+oDLevV8vM+wjwSjZDY2v/a6qjKZ/akO+pQIDAQAB" )  ; ----- DKIM key mail for example.com
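The file is in BIND zone syntax: the TXT data is split into quoted strings that the resolver concatenates, and a longer (2048-bit) key has to be split the same way because a single string holds at most 255 bytes. As an added example (not part of the original post), this Python snippet parses that file (the sample record shown above is embedded as the constructed input), sanity-checks the p= tag, and compares it with the answer that ‘dig +short TXT mail._domainkey.example.com’ returns once the record is published.

```python
import base64
import re

# Constructed sample: the opendkim-genkey mail.txt shown above (a public key only).
MAIL_TXT = '''mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNXvo4vuFYyVP97tyMvG49HNYrlANp7caAnllyeeT2oVV0omNt17bS8cejUFD5Ng3pw/lfLO338VGeVFQ6iEV2nyGzr3HTVM7VtUJGh3YiWoE4PHI8Fy2chmndNFFhNNtZ6qdpVIY+oDLevV8vM+wjwSjZDY2v/a6qjKZ/akO+pQIDAQAB" )  ; ----- DKIM key mail for example.com
'''

def join_txt_strings(text):
    """TXT data may be split into several quoted strings; the resolver concatenates them."""
    return "".join(re.findall(r'"([^"]*)"', text))

def parse_genkey_txt(text):
    """Return (record name, TXT value) from a BIND-style opendkim-genkey file."""
    return text.split()[0], join_txt_strings(text)

def dkim_tags(value):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag -> value dict (whitespace inside p= is legal)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def check_key(tags):
    """v=DKIM1, RSA, and p= must decode to a DER SubjectPublicKeyInfo of at least 1024 bits."""
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except (KeyError, ValueError):
        return False
    # 0x30 = ASN.1 SEQUENCE; a 1024-bit RSA SubjectPublicKeyInfo is 162 bytes
    return der[:1] == b"\x30" and len(der) >= 162

def matches_published(expected_value, dig_output):
    """Compare the p= tag with a 'dig +short TXT' answer, which is also a list of quoted strings."""
    return dkim_tags(join_txt_strings(dig_output)).get("p") == dkim_tags(expected_value).get("p")
```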

Integrate OpenDKIM into postfix by adding the following lines at the end of the ‘/etc/postfix/main.cf’ file

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

Start the OpenDKIM service

systemctl start opendkim
systemctl enable opendkim
systemctl restart postfix

6) Install the spam and virus filtering modules

yum install amavisd-new spamassassin clamav clamav-update

Back up the file ‘/etc/freshclam.conf’

cp -R /etc/freshclam.conf /etc/freshclam.conf.bak

Edit the file ‘/etc/freshclam.conf’ and comment out the ‘Example’ line in it

#Example

Update the ClamAV database

freshclam

Back up the file ‘/etc/sysconfig/freshclam’

cp -R /etc/sysconfig/freshclam /etc/sysconfig/freshclam.bak

The ClamAV database auto-update is already set up, but to make it work, edit the file ‘/etc/sysconfig/freshclam’ and comment out the ‘FRESHCLAM_DELAY’ line

#FRESHCLAM_DELAY=disabled-warn   ## REMOVE ME

Back up the file ‘/etc/amavisd/amavisd.conf’

cp -R /etc/amavisd/amavisd.conf /etc/amavisd/amavisd.conf.bak

Edit the file ‘/etc/amavisd/amavisd.conf’ and update the ‘$mydomain’ and ‘$myhostname’ parameters (uncomment these lines if they are commented)

$mydomain = 'example.com';
$myhostname = 'mail.example.com';

Edit the file ‘/etc/postfix/master.cf’ and add the following lines at the bottom of it to connect postfix to amavisd-new

amavisfeed unix    -       -       n        -      2     lmtp
      -o lmtp_data_done_timeout=1200
      -o lmtp_send_xforward_command=yes
      -o lmtp_tls_note_starttls_offer=no
127.0.0.1:10025 inet n    -       n       -       -     smtpd
     -o content_filter=
     -o smtpd_delay_reject=no
     -o smtpd_client_restrictions=permit_mynetworks,reject
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_data_restrictions=reject_unauth_pipelining
     -o smtpd_end_of_data_restrictions=
     -o smtpd_restriction_classes=
     -o mynetworks=127.0.0.0/8
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtpd_client_connection_count_limit=0
     -o smtpd_client_connection_rate_limit=0
     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
     -o local_header_rewrite_clients=
     -o smtpd_milters=
     -o local_recipient_maps=
     -o relay_recipient_maps=

Edit the file ‘/etc/postfix/main.cf’ and add the following lines at the bottom of the file

#use amavisd as filter on port 10024
content_filter=amavisfeed:[127.0.0.1]:10024

Start the spam filtering services and restart postfix (starting the amavisd service also starts ClamAV)

systemctl start spamassassin
systemctl start amavisd
systemctl enable spamassassin
systemctl enable amavisd
systemctl restart postfix

That is it. We have a secure CentOS based mail server ready.

3 thoughts on “CentOS 7 Mail Server Configuration”

  1. Mukesh

    Hi sir, it's very easy to keep track of all the relevant points in mail server. Thanx a lot for giving this update in CentOS 7.
