104Postfixadmin - amagerard/Mail GitHub Wiki


RedHat10/Mail


4. Postfixadmin

4.1 Part Three (1/3).

Postfixadmin allows you to create virtual accounts independently of local accounts.
These virtual accounts are created from a mysql database (MariaDB).

4.2 MariaDB.

Add the MariaDB repositories.
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | bash

The mariadb-maxscale URL is out of service.
Set enabled = 0.
vi /etc/yum.repos.d/mariadb.repo

[mariadb-maxscale]  
# To use the latest stable release of MaxScale, use "latest" as the version  
# To use the latest beta (or stable if no current beta) release of MaxScale, use "beta" as the version  
name = MariaDB MaxScale  
baseurl = https://dlm.mariadb.com/repo/maxscale/latest/yum/rhel/10/x86_64  
gpgkey = file:///etc/pki/rpm-gpg/MariaDB-MaxScale-GPG-KEY  
gpgcheck = 1  
enabled = 0  

dnf update
dnf install MariaDB-server
systemctl enable --now mariadb

This installs MariaDB version 12.0.2.
The mysql command is replaced by mariadb.
If you want to use the mysql command, you must install MariaDB-client-compat.

Secure MariaDB.
Example: the root password is X2m56AB50!.
mariadb-secure-installation

Enter current password for root (enter for none):  
OK, successfully used password, moving on...  
Switch to unix_socket authentication [Y/n] n  
 ... skipping.  
You already have your root account protected, so you can safely answer 'n'.  
Change the root password? [Y/n] y  
New password: X2m56AB50!  
 ... Success!  
Remove anonymous users? [Y/n] y  
 ... Success!  
Disallow root login remotely? [Y/n] y  
 ... Success!  
Remove test database and access to it? [Y/n] y  
 - Dropping test database...  
 ... Success!  
 - Removing privileges on test database...  
 ... Success!  
Reload privilege tables now? [Y/n] y  
 ... Success!  
Cleaning up...  
All done!  

Root password required.
mariadb -u root -p mysql
Enter.
MariaDB [mysql]> alter user 'root'@'localhost' identified by 'X2m56db50!';
exit

4.3 Php.

PHP installation from the remi repository.
dnf install http://fr2.rpmfind.net/linux/remi/enterprise/remi-release-10.0.rpm
Choose PHP version 8.
Reset the PHP module stream.
dnf module reset php
Enable PHP module stream: REMI-8.4.
dnf module enable php:remi-8.4
dnf install -y php-fpm php-imap php-mbstring php-mysqlnd php-gd php-opcache php-json php-curl php-zip php-xml php-bz2 php-intl php-gmp php-pgsql php-cli
systemctl enable --now php-fpm

4.4 Postfixadmin.

4.4.1 Installation.

Install nginx.
dnf install nginx
Disable the IPv6 listener.
vi /etc/nginx/nginx.conf

  listen 80;  
  # listen       [::]:80;  
  

systemctl enable --now nginx
systemctl status nginx

Change the group from apache to nginx.
cd /var/lib/php
chgrp -R nginx opcache
chgrp -R nginx session
chgrp -R nginx wsdlcache

Set the user and group to nginx.
vi /etc/php-fpm.d/www.conf

user = nginx  
group = nginx  

Restart php-fpm and nginx services.
systemctl restart php-fpm
systemctl restart nginx

Download Postfixadmin.
https://github.com/postfixadmin/postfixadmin/

https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-4.0.1.tar.gz
wget -P /opt https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-4.0.1.tar.gz
tar -xvf /opt/postfixadmin-4.0.1.tar.gz -C /var/www/
mv /var/www/postfixadmin-postfixadmin-4.0.1 /var/www/postfixadmin
mkdir /var/www/postfixadmin/templates_c
chmod 775 /var/www/postfixadmin/templates_c
chown -R nginx:nginx /var/www/postfixadmin

Installing libraries
cd /var/www/postfixadmin
chmod +x install.sh
./install.sh
chown -R nginx:nginx /var/www/postfixadmin

4.4.2 Database.

Create the postfixadmin database and its administrator.
Example, the postfixadmin password is "D51mAB49!".
mariadb -u root -p

MariaDB [(none)]> create database postfixadmin;  
MariaDB [(none)]> grant all privileges on postfixadmin.* to 'postfixadmin'@'localhost' identified by 'D51mAB49!';  
MariaDB [(none)]> flush privileges;  
MariaDB [(none)]>  exit  

Check password.
mariadb -u postfixadmin -p postfixadmin

4.4.3 Configuration.

vi /var/www/postfixadmin/config.local.php

<?php  
$CONF['configured'] = true;  
$CONF['database_type'] = 'mysql';  
$CONF['database_host'] = 'localhost';  
$CONF['database_port'] = '3306';  
$CONF['database_user'] = 'postfixadmin';  
$CONF['database_password'] = 'D51mAB49!';  
$CONF['database_name'] = 'postfixadmin';  
$CONF['encrypt'] = 'dovecot:BLF-CRYPT';  
$CONF['dovecotpw'] = "/usr/bin/doveadm pw -r 12";  
$CONF['configured'] = true;  
?>  

chown nginx:nginx /var/www/postfixadmin/config.local.php

SELinux.

semanage fcontext -a -t httpd_sys_content_t "/var/www/postfixadmin(/.*)?"  
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/postfixadmin/templates_c(/.*)?"  
restorecon -R /var/www/postfixadmin  
semanage boolean -m --on httpd_can_network_connect_db  

Generate the setup superadmin password.
Example:
Mail server IP: 192.168.60.41.
Server name: mail.ol26modk.com.
Admin password: 641fqAB4d.

https://mail.ol26modk.com/setup.php
Generate setup_password.
Setup password : 641fqAB4d
Setup Password : 641fqAB4d

$CONF['setup_password'] = '$2y$12$FaaL/8RkWOtz45YPj0Irqebkds2miG1.0YFdipASVQzmgvBCAKpX.';  

Add this line to /var/www/postfixadmin/config.local.php.

vi /var/www/postfixadmin/config.local.php

<?php  
$CONF['configured'] = true;  
$CONF['database_type'] = 'mysql';  
$CONF['database_host'] = 'localhost';  
$CONF['database_port'] = '3306';  
$CONF['database_user'] = 'postfixadmin';  
$CONF['database_password'] = 'D51mAB49!';  
$CONF['database_name'] = 'postfixadmin';  
$CONF['encrypt'] = 'dovecot:BLF-CRYPT';  
$CONF['dovecotpw'] = "/usr/bin/doveadm pw -r 12";  
$CONF['configured'] = true;  
$CONF['setup_password'] = '$2y$12$FaaL/8RkWOtz45YPj0Irqebkds2miG1.0YFdipASVQzmgvBCAKpX.';  
?>  

4.4.4 NGINX (SSL).

4.4.4.1 Add nginx to dovecot group.

gpasswd -a nginx dovecot

4.4.4.2 Certificates.

Certificates are already created.
See Dovecot - Create certificates chapter 3.2

/etc/ssl/certs/hermes-ecc.crt  
/etc/ssl/private/hermes-ecc.key  
/etc/ssl/certs/CA-ecc.crt  

Give nginx permission on the certificate files.

chmod 400 /etc/pki/tls/private/CA-ecc.key  
chmod 400 /etc/pki/tls/private/hermes-ecc.key  
chmod 400 /etc/pki/tls/certs/CA-ecc.crt  
chmod 400 /etc/pki/tls/certs/hermes-ecc.crt  
setfacl  -m u:nginx:rx  /etc/pki/tls/private/hermes-ecc.key  
setfacl  -m u:nginx:rx  /etc/pki/tls/certs/hermes-ecc.crt  
setfacl  -m u:nginx:rx  /etc/pki/tls/certs/CA-ecc.crt  

4.4.4.3 Configure nginx.

Nginx custom reconfiguration.

  • Site configuration folder.
    mkdir /etc/nginx/sites-available

  • Folder of sites taken into account by nginx.
    mkdir /etc/nginx/sites-enabled

  • Configure nginx.conf.
    Before editing nginx.conf, make a backup of it.
    cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_backup
    Erase nginx.conf.
    > /etc/nginx/nginx.conf
    Edit nginx.conf.
    vi /etc/nginx/nginx.conf

# For more information on configuration, see:  
#   * Official English Documentation: http://nginx.org/en/docs/  
#   * Official Russian Documentation: http://nginx.org/ru/docs/  
  
user nginx;  
worker_processes auto;  
error_log /var/log/nginx/error.log;  
pid /run/nginx.pid;  
  
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.  
include /usr/share/nginx/modules/*.conf;  
  
events {  
    worker_connections 1024;  
}  
  
http {  
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '  
                      '$status $body_bytes_sent "$http_referer" '  
                      '"$http_user_agent" "$http_x_forwarded_for"';  
  
    access_log  /var/log/nginx/access.log  main;  
  
# -- nginx paranoia--  
  
    client_body_buffer_size 1k;  
    client_max_body_size    1k;  
    large_client_header_buffers 2 1k;  
  
  
    # Prevent clickjacking attacks  
    add_header X-Frame-Options "SAMEORIGIN" always;  
  
    # Add an HSTS header to your nginx server  
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;  
  
    # Cross-site scripting protection  
    add_header X-XSS-Protection "1; mode=block";  
  
    # Prevention of MIME confusion-based attacks  
    add_header X-Content-Type-Options "nosniff" always;  
  
    # Hide X-Powered-By header (PHP is served through fastcgi_pass)  
    fastcgi_hide_header X-Powered-By;  
  
    # Referrer policy  
    add_header Referrer-Policy "origin-when-cross-origin" always;  
  
    #--End  nginx paranoia --  
  
    server_tokens      off;  
    sendfile            on;  
    tcp_nopush          on;  
    tcp_nodelay         on;  
    keepalive_timeout   65;  
    types_hash_max_size 4096;  
  
    include             /etc/nginx/mime.types;  
    default_type        application/octet-stream;  
  
    # Load modular configuration files from the /etc/nginx/conf.d directory.  
    # See http://nginx.org/en/docs/ngx_core_module.html#include  
    # for more information.  
    include /etc/nginx/conf.d/*.conf;  
    include /etc/nginx/sites-enabled/*;  
}  

Edit postfixadmin.conf.
vi /etc/nginx/sites-available/postfixadmin.conf
Be careful, only the subnets 127.0.0.1, 192.168.20.0/24 and 192.168.80.0/24 are allowed.

server {  
        listen       80;  
#        listen       [::]:80;  
        server_name  _;  
  
         # redirect to https  
         return 301 https://$host$request_uri;  
        }  
## Settings for a TLS enabled server.  
#  
server {  
         listen       443 ssl;  
         http2 on;  
#        listen       [::]:443 ssl;  
         server_name  _;  
         root         /var/www/postfixadmin/public;  
         index  index.php index.html;  
#  
         ssl_certificate "/etc/ssl/certs/hermes-ecc.crt";  
         ssl_certificate_key "/etc/ssl/private/hermes-ecc.key";  
         ssl_session_cache shared:SSL:1m;  
         ssl_session_timeout  10m;  
         ssl_ciphers PROFILE=SYSTEM;  
         ssl_prefer_server_ciphers on;  
#        # Load configuration files for the default server block.  
         include /etc/nginx/default.d/*.conf;  
#  
# Be careful, only the subnets below are allowed.  
# Access restrictions for postfixadmin, set at server level so that they  
# also apply to the PHP location below (rules inside "location /" do not).  
        allow 127.0.0.1;  
        allow 192.168.20.0/24;  
        allow 192.168.80.0/24;  
        allow 192.168.60.41; # IP mail server  
        deny all;  
  
        location / {  
        try_files $uri $uri/ /index.php;  
        }  
  
### Connecting NGINX to PHP FPM  
               location ~ ^/(.+\.php)$ {  
               try_files $uri =404;  
               fastcgi_pass unix:/run/php-fpm/www.sock;    
               fastcgi_index index.php;     
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;     
               include /etc/nginx/fastcgi_params;  
                }  
  
   # block access to files starting with a dot  
             location ~ /\. {  
             deny all; access_log off;  
             log_not_found off;  
              }  
  
        error_page 404 /404.html;  
        location = /40x.html {  
        }  
#  
        error_page 500 502 503 504 /50x.html;  
        location = /50x.html {  
        }  
  
        charset utf8;  
 }  

Create the link of the postfixadmin.conf file in the sites-enabled folder.
ln -s /etc/nginx/sites-available/postfixadmin.conf /etc/nginx/sites-enabled/postfixadmin.conf

systemctl enable --now nginx
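
Added example (not part of the original wiki page): nginx serves each request from a single location, so allow/deny rules written only inside location / are not evaluated for requests matched by the PHP regex location, such as /setup.php. The Python check below parses a constructed server block and lists the locations that have no access rules of their own and none to inherit; the template, RULES and the function names are assumptions made for the illustration.

```python
import re

# Constructed server block modelled on the site file above; the two markers
# are the places where the allow/deny rules can be written.
TEMPLATE = r"""
server {
    listen 443 ssl;
    @SERVER@
    location / {
        try_files $uri $uri/ /index.php;
        @ROOT@
    }
    location ~ ^/(.+\.php)$ {
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
}
"""
RULES = "allow 127.0.0.1; allow 192.168.20.0/24; deny all;"
IN_ROOT_LOCATION = TEMPLATE.replace("@SERVER@", "").replace("@ROOT@", RULES)
AT_SERVER_LEVEL = TEMPLATE.replace("@SERVER@", RULES).replace("@ROOT@", "")

def parse(conf):
    """Build a tree of blocks, noting which ones contain allow/deny."""
    conf = re.sub(r"(?m)(^|\s)#.*$", "", conf)  # drop comments
    stack = [{"head": "", "rules": False, "children": []}]
    for head, sep in re.findall(r"([^{};]*)([{};])", conf):
        head = " ".join(head.split())
        if sep == "{":
            node = {"head": head, "rules": False, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif sep == "}":
            stack.pop()
        elif re.match(r"(allow|deny)\s", head):
            stack[-1]["rules"] = True
    return stack[0]

def unprotected_locations(conf):
    """Locations with no allow/deny of their own and none to inherit."""
    found = []
    def walk(node, inherited):
        covered = inherited or node["rules"]
        if node["head"].startswith("location") and not covered:
            found.append(node["head"])
        for child in node["children"]:
            walk(child, covered)
    walk(parse(conf), False)
    return found

if __name__ == "__main__":
    print(unprotected_locations(IN_ROOT_LOCATION), unprotected_locations(AT_SERVER_LEVEL))
```

To check the real site file, pass its contents to unprotected_locations(); the parser assumes no braces or semicolons inside quoted strings or location regexes.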

4.4.5 Url postfixadmin.

Reminder:
Mail server name : mail.ol26modk.com
IP : 192.168.60.41

With a web browser.
https://mail.ol26modk.com/setup.php
Example: superadmin password: 641fqAB4d

Login with setup_password
Setup password: 641fqAB4d.

Add Superadmin Account.
Administrator: <your username>@ol26modk.com and Password:Animals26.

Close the web browser and reopen it with https://mail.ol26modk.com.
Login: <your username>@ol26modk.com and password: Animals26.

4.4.6 admin mail.

Choose a local user.
Example : [email protected]
This user will receive all messages from root.
vi /etc/aliases

# Person who should get root's mail  
root:   teacher  

Rebuild the alias database to apply the change.
newaliases
systemctl restart postfix

Check:
echo "test mail" |mail -s "Hello me again" root@localhost

Add the administrator's email address to config.local.php.

vi /var/www/postfixadmin/config.local.php

$CONF["admin_email"] = "teacher <[email protected]>";