04Postfixadmin - amagerard/Mail GitHub Wiki
RedHat/Mail
4. Postfixadmin
4.1 Part Three (1/3).
Postfixadmin allows you to create virtual accounts independently of local accounts.
These virtual accounts are created from a MySQL database (MariaDB).
4.2 MariaDB
Update MariaDB.
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | bash
dnf update
dnf install MariaDB-server
systemctl enable --now mariadb
systemctl status mariadb
Secure MariaDB.
In this example, the root password is X2m56AB50!.
mariadb-secure-installation
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Switch to unix_socket authentication [Y/n] n
... skipping.
You already have your root account protected, so you can safely answer 'n'.
Change the root password? [Y/n] y
New password: X2m56AB50!
... Success!
Remove anonymous users? [Y/n] y
... Success!
Disallow root login remotely? [Y/n] y
... Success!
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done!
4.3 Php.
PHP installation from the remi repository.
dnf install http://fr2.rpmfind.net/linux/remi/enterprise/remi-release-9.5.rpm
Choose php version 8.
Reset the PHP module stream.
dnf module reset php
Enable PHP module stream: REMI-8.4.
dnf module enable php:remi-8.4
dnf install -y php-fpm php-imap php-mbstring php-mysqlnd php-gd php-opcache php-json php-curl php-zip php-xml php-bz2 php-intl php-gmp php-pgsql
systemctl enable --now php-fpm
4.4 Postfixadmin.
4.4.1 Installation.
Install nginx.
dnf install nginx
Disable IPv6.
vi /etc/nginx/nginx.conf
listen 80;
# listen [::]:80;
systemctl enable --now nginx
systemctl status nginx
Change the group from apache to nginx.
cd /var/lib/php
chgrp -R nginx opcache
chgrp -R nginx session
chgrp -R nginx wsdlcache
Change the user and group to nginx.
vi /etc/php-fpm.d/www.conf
user = nginx
group = nginx
Restart php-fpm and nginx services.
systemctl restart php-fpm
systemctl restart nginx
Download Postfixadmin.
https://github.com/postfixadmin/postfixadmin/
Take the most recent version.
https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.15.tar.gz
wget -P /opt https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.15.tar.gz
tar -xvf /opt/postfixadmin-3.3.15.tar.gz -C /var/www/
mv /var/www/postfixadmin-postfixadmin-3.3.15 /var/www/postfixadmin
mkdir /var/www/postfixadmin/templates_c
chmod 775 /var/www/postfixadmin/templates_c
chown -R nginx:nginx /var/www/postfixadmin
4.4.2 Database.
Create the postfixadmin database and its administrator.
Example, the postfixadmin password is "D51mAB49!".
mariadb -u root -p
MariaDB [(none)]> create database postfixadmin;
MariaDB [(none)]> grant all privileges on postfixadmin.* to 'postfixadmin'@'localhost' identified by 'D51mAB49!';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
4.4.3 Configuration.
vi /var/www/postfixadmin/config.local.php
<?php
$CONF['configured'] = true;
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_port'] = '3306';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'D51mAB49!';
$CONF['database_name'] = 'postfixadmin';
$CONF['encrypt'] = 'dovecot:BLF-CRYPT';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw -r 12";
?>
chown nginx:nginx /var/www/postfixadmin/config.local.php
4.4.4 NGINX (SSL).
4.4.4.1 Add nginx to dovecot group.
gpasswd -a nginx dovecot
4.4.4.2 Certificates.
Certificates are already created.
See Dovecot - Create certificates, chapter 3.2.
/etc/ssl/certs/hermes.crt
/etc/ssl/private/hermes.key
/etc/ssl/certs/CA.crt
Give nginx read permission.
chmod 400 /etc/pki/tls/private/*
chmod 400 /etc/pki/tls/certs/*
setfacl -m u:nginx:r /etc/pki/tls/private/hermes.key
setfacl -m u:nginx:r /etc/pki/tls/certs/hermes.crt
setfacl -m u:nginx:r /etc/pki/tls/certs/CA.crt
4.4.4.3 Configure nginx.
Custom nginx reconfiguration.
- Site configuration folder.
mkdir /etc/nginx/sites-available
- Folder of sites taken into account by nginx.
mkdir /etc/nginx/sites-enabled
- Configure nginx.conf.
Before editing, make a backup of your nginx.conf.
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_backup
Erase nginx.conf.
> /etc/nginx/nginx.conf
Edit nginx.conf.
vi /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
# -- nginx paranoia--
client_body_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
# Prevent clickjacking attacks
add_header X-Frame-Options "SAMEORIGIN" always;
# Add an HSTS header to your nginx server
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Cross-site scripting protection
add_header X-XSS-Protection "1; mode=block";
# Prevention of MIME confusion-based attacks
add_header X-Content-Type-Options "nosniff" always;
# Hide X-Powered-By header (PHP-FPM responses arrive over FastCGI)
fastcgi_hide_header X-Powered-By;
# Referrer policy
add_header Referrer-Policy "origin-when-cross-origin" always;
#--End nginx paranoia --
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Edit postfixadmin.conf.
vi /etc/nginx/sites-available/postfixadmin.conf
Be careful, only the subnets 127.0.0.1, 192.168.20.0/24 and 192.168.80.0/24 are allowed.
server {
listen 80;
# listen [::]:80;
server_name _;
# redirect to https
return 301 https://$host$request_uri;
}
## Settings for a TLS enabled server.
#
server {
listen 443 ssl http2;
# listen [::]:443 ssl http2;
server_name _;
root /var/www/postfixadmin/public;
index index.php index.html;
#
ssl_certificate "/etc/ssl/certs/hermes.crt";
ssl_certificate_key "/etc/ssl/private/hermes.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
# # Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
#
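# Be careful, only the subnets below are allowed.
# Access restrictions for postfixadmin, set at server level so that they
# also cover the PHP location below (a request such as /setup.php is
# handled there and never passes through "location /").
allow 127.0.0.1;
allow 192.168.20.0/24;
allow 192.168.80.0/24;
deny all;
location / {
try_files $uri $uri/ /index.php;
}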
### Connecting NGINX to PHP FPM
location ~ ^/(.+\.php)$ {
try_files $uri =404;
fastcgi_pass unix:/run/php-fpm/www.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
# Block access to files starting with a dot.
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
error_page 404 /404.html;
location = /404.html {
}
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
charset utf8;
}
Create the link of the postfixadmin.conf file in the sites-enabled folder.
ln -s /etc/nginx/sites-available/postfixadmin.conf /etc/nginx/sites-enabled/postfixadmin.conf
systemctl enable --now nginx
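nginx applies allow/deny at the level where they are written and in the levels below it, so rules placed inside "location /" do not reach a sibling regex location that hands .php requests to PHP-FPM. The following check is an added example, not part of the original wiki: it reports FastCGI locations that no access rule covers. The two sample configurations are constructed, the function names are hypothetical, and the parser assumes one directive per line with braces at line ends.

```python
# Constructed sample (not the page's file): rules only inside "location /".
WEAK = r"""
server {
    location / {
        allow 192.168.20.0/24;
        deny all;
    }
    location ~ ^/(.+\.php)$ {
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
}
"""

# Constructed sample: the same rules at server level.
HARDENED = r"""
server {
    allow 192.168.20.0/24;
    deny all;
    location ~ ^/(.+\.php)$ {
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
}
"""

def parse_blocks(conf):
    """List every block with its parent; assumes one directive per line."""
    cur = {"name": "main", "parent": None, "access": False, "fastcgi": False}
    blocks = [cur]
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            cur = {"name": line[:-1].strip(), "parent": cur, "access": False, "fastcgi": False}
            blocks.append(cur)
        elif line == "}":
            cur = cur["parent"]
        elif line.split()[:1] in (["allow"], ["deny"]):
            cur["access"] = True
        elif line.startswith("fastcgi_pass"):
            cur["fastcgi"] = True
    return blocks

def covered(block):
    """True when allow/deny is set on this block or on any enclosing one."""
    return block is not None and (block["access"] or covered(block["parent"]))

def unrestricted_fastcgi_locations(conf):
    """Names of FastCGI locations that no allow/deny rule covers."""
    return [b["name"] for b in parse_blocks(conf) if b["fastcgi"] and not covered(b)]
```

To check a real file, pass its contents to unrestricted_fastcgi_locations(); an empty list means every FastCGI location sits under an access rule.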
4.4.5 Url postfixadmin.
Reminder:
Mail server name : mail.ol26modk.com
IP : 192.168.60.41
With a web browser.
https://mail.ol26modk.com/setup.php
Example. Generate setup password: 641fqAB4d
The prompt asks you to enter a password and to add the result to /var/www/postfixadmin/config.local.php.
$CONF['setup_password'] = '$2y$10$cCSbuQYJPIBmEMblC.74buPSaQCoif1pEsryadbH3XArn7nEmD7La';
vi /var/www/postfixadmin/config.local.php
<?php
$CONF['configured'] = true;
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_port'] = '3306';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'D51mAB49!';
$CONF['database_name'] = 'postfixadmin';
$CONF['encrypt'] = 'dovecot:BLF-CRYPT';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw -r 12";
$CONF['setup_password'] = '$2y$10$cCSbuQYJPIBmEMblC.74buPSaQCoif1pEsryadbH3XArn7nEmD7La';
?>
Refresh web browser.
https://mail.ol26modk.com/setup.php
Example. Add SuperAdmin Account.
Setup password: 641fqAB4d
Administrator: <your username>@ol26modk.com and Password: Animals26
Beware: the default php-fpm configuration is for apache.
You need to change it for nginx.
Go to chapter 4.4.6 Troubleshoots.
Close the web browser and reopen it at https://mail.ol26modk.com
Login: <your username>@ol26modk.com and password: Animals26