====== Mail server infrastructure setup on debian wheezy ======
//** This section is being redacted**//


===== Primary Postfix Setup =====

==== MySQL ====
Create a database with a user with appropriate rights

Then go into that database and execute this:

<code>
CREATE TABLE IF NOT EXISTS `domains` (
  `domain` varchar(50) NOT NULL,
  PRIMARY KEY (`domain`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

CREATE TABLE IF NOT EXISTS `forwardings` (
  `source` varchar(80) NOT NULL,
  `destination` text NOT NULL,
  PRIMARY KEY (`source`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

CREATE TABLE IF NOT EXISTS `transport` (
  `domain` varchar(128) NOT NULL DEFAULT '',
  `transport` varchar(128) NOT NULL DEFAULT '',
  UNIQUE KEY `domain` (`domain`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

CREATE TABLE IF NOT EXISTS `users` (
  `email` varchar(80) NOT NULL,
  `password` varchar(20) NOT NULL,
  `quota` bigint(20) DEFAULT '10485760',
  PRIMARY KEY (`email`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
</code>

In the table **domains**, add each domain you want to manage on your server.

In the table **forwardings**, add each email value pair that you want to redirect, no account is needed on the server.

In the table **transport**, add transport directives for each domain you want to configure. For locally hosted domains, add **:** in the transport column.

In the table **users**, add an entry for each managed user you want to give a mailbox. Quota is expressed in bytes, and don't forget to use the **ENCRYPT** function to store the user password.

==== Setup milters ====
Some personnal advices about milters and mail filters: 
  * __DO use Unix sockets instead of Inet ones__: Unix sockets use less ressources and are faster because of the internal components involved (inet sockets uses IP & TCP, which generate some overhead. Even if you use inet socket, you may not sense a difference if you don't generate a lot of trafic).  
  * __Prefer use of milters over classic content filters__: configuration may be more tricky sometimes, but it is worth its weight in gold if you don't have advanced filtering to do. Amavis is heavy, and basic filtering can be handled by maildrop (configuration will be done after this).


=== SPF (Sender Policy Framework) ===
Natively available in the wheezy repository, this milter configuration is a bit tricky. To begin the install process, type the following commands.
<code>apt-get install spf-milter-python
mkdir -p /var/spool/postfix/var/run/spf-milter-python
chown spf-milter-python:spf-milter-python /var/spool/postfix/var/run/spf-milter-python
ln -s /var/spool/postfix/var/run/spf-milter-python /var/run/spf-milter-python
adduser postfix spf-milter-python
</code>
Change the socket name as follow in **/etc/spf-milter-python/spfmilter.cfg**
<code>socketname = /var/run/spf-milter-python/spfmilter.sock</code>
Edit ''/etc/init.d/spf-milter-python'' to add the following lines after the "start-stop-daemon" commands in sections **start** and **restart**. Replace the socket definition by ''SOCKET=$RUNDIR/spfmilter.sock'', and 
<code>        sleep 5
        chmod g+w $SOCKET</code>

Restart the ''spf-milter-python'' service.

Add the milter socket ''unix:/var/run/spf-milter-python/spfmilter.sock'' in **/etc/postfix/main.cf** (an example is given below):
<code>smtpd_milters = unix:/var/run/spf-milter-python/spfmilter.sock</code>
You must put this filter before opendmarc (DMARC validation won't be done if you don't do it), and you should put it before spamass-milter socket (SPF validation contributes to spam flagging).

=== DKIM (DomainKeys Identified Mail) ===
//This part has been inspired by the following tutorial: [[http://blog.tjitjing.com/index.php/2012/03/guide-to-install-opendkim-for-multiple-domains-with-postfix-and-debian.html|
Guide to Install OpenDKIM for multiple domains with Postfix and Debian]]//


To begin with, type
<code>apt-get install opendkim opendkim-tools
adduser postfix opendkim
mkdir -p /var/spool/postfix/var/run/opendkim/
chown opendkim:opendkim /var/spool/postfix/var/run/opendkim/</code>
Edit ''/etc/default/opendkim'' to set the socket as follow:
<code>SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"</code>

Edit ''/etc/opendkim.conf'' and add the following lines:
<code>KeyTable                /etc/opendkim/KeyTable
SigningTable            /etc/opendkim/SigningTable
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts</code>
In the same file, edit the socket permission mask as follow:
<code>UMask 0002</code>
You should uncomment/add the following lines to get some debugging informations.
<code>Syslog yes
LogWhy yes</code>
Check also that the line ''OversignHeaders From'' is uncommented, then save and close the file.

== Domain Keys generation ==
Next step is to generate the DKIM keys that will be used to sign the mails going out of your domains. The following commands are given for ''domain.com'':
<code>mkdir -p /etc/opendkim/keys/mydomain.com
cd /etc/opendkim/keys/mydomain.com
opendkim-genkey -b 3072 -r -d mydomain.com
chown opendkim:opendkim default.private</code>
Then add the following line to ''/etc/opendkim/KeyTable'':
<code>default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default.private</code>
and the following line in ''/etc/opendkim/SigningTable'':
<code>mydomain.com default._domainkey.mydomain.com</code>

== Insert DKIM key into the appropriate DNS Zone ==
You will find the appropriate record in ''/etc/opendkim/keys/mydomain.com/default.txt''. You should secure your DNS zone with DNSSEC to enhance your immunity to DNS records spoofing.
Start opendkim service and double-check that it is started at each reboot.q

== Install the filter socket in postfix ==
Add the milter socket ''unix:/var/run/spf-milter-python/spfmilter.sock'' in **/etc/postfix/main.cf** (an example is given below) in both ''smtpd_milters'' and ''non_smtpd_milters'' section (e.g below):
<code>smtpd_milters = unix:/var/run/spf-milter-python/spfmilter.sock unix:/var/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/var/run/opendkim/opendkim.sock</code>
You must put this filter before opendmarc (DMARC validation won't be done if you don't do it), and you should put it before spamass-milter socket (DKIM validation contributes to spam flagging).

=== DMARC (Domain-based Message Authentication, Reporting & Conformance) ===
[[http://dmarc.org/|DMARC]] is a technical specification that enables you fight the spam more efficiently. It enables:

  * A security policy enforcement (quarantine or reject) when a DMARC-compliant server receives fraudulent email (detected using SPF policy violation or DKIM signature failure) from a DMARC enabled domain. 
  * Collecting feedback data. This is pretty useful to identify from where threats come from, and to set up a mitigation policy.

The stable version of this module is in debian unstable repository. Enable the unstable repository (and pin it to avoid an upgrade to unstable).
<code>apt-get install -t unstable opendmarc</code>

==== Sorting your messages with maildrop ====
Installing maildrop
<code>apt-get install maildrop
chmod +s /usr/bin/maildrop</code>

''/etc/postfix/master.cf''
<code>maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop
   -d ${user}@${domain} ${user} ${domain} ${extension} ${nexthop} ${sender}</code>

''/etc/postfix/main.cf''
<code>virtual_transport = maildrop
maildrop_destination_recipient_limit = 1</code>

''/etc/maildroprc''
<code># /etc/maildroprc - Global maildrop filtering rules
# Luthienstar Networks - 2013
#


####  Logging controls
#
logfile "/var/log/maildrop.log"
#log " Arguments: '$1' '$2' '$3' '$4' '$5' '$6' '$7'"


####  Environment variables definition
# ${user} ${domain} ${extension} ${nexthop} ${sender}
#

SHELL="/bin/sh"
import EXT
import HOST

MAILADDR="$1@$2"
USERNAME="$1"
DOMAIN="$2"
EXTENSION="$3"
NEXTHOP="$4"
SENDER="$5"

####  Environment setup
#
MAILROOT="/home/vmail"
DEFAULT="$MAILROOT/$DOMAIN/$USERNAME"
maildirmake=/usr/bin/maildirmake
mkdir=/bin/mkdir
rmdir=/bin/rmdir

####  Create the base directories if a user has none
#
`test -e $DEFAULT`
if ($RETURNCODE != 0)
{
	`$mkdir -p $DEFAULT`
	`$rmdir $DEFAULT`
	`$maildirmake $DEFAULT`
	`touch $DEFAULT/courierimapsubscribed`
	`$maildirmake "$DEFAULT/.Drafts"`
	`$maildirmake "$DEFAULT/.Junk"`
	`$maildirmake "$DEFAULT/.Sent"`
	`$maildirmake "$DEFAULT/.Trash"`
	`echo INBOX.Drafts >> $DEFAULT/courierimapsubscribed`
	`echo INBOX.Junk >> $DEFAULT/courierimapsubscribed`
	`echo INBOX.Sent >> $DEFAULT/courierimapsubscribed`
	`echo INBOX.Trash >> $DEFAULT/courierimapsubscribed`
}


####  Filtering rules
#

# Mail is a spam
if( /^X-Spam-Status: Yes/)
{
    to "$DEFAULT/.Junk/"
}

# Attempt extension filtering
if( $EXTENSION =~ /^.+/ )
{
    if( $EXTENSION =~ /\.\./)
    {
        log "'..' pattern is forbidden for obvious reasons."
    }
    else
    {
        `test -d $DEFAULT/.$EXTENSION`
        if( $RETURNCODE == 0 )
        {
            to "$DEFAULT/.$EXTENSION/"
        }
    }
}

# Default storage
to "$DEFAULT/"

</code>
===== Emergency Postfix Setup =====