Re: Simple virtual user setup with multiple domains
On 26 Sep 15:03, Unicorn wrote:
> > No, it means that unless there is a more specific alias before, all
> > those 4 aliases, whatever is the domain part amongst the domains you
> > receive for, will be delivered to mainu...@maindomain.tld
>
> > No, you need to deliver to vmail for all users, Dovecot will be
> > responsible for placing emails into the right folders.
>
> Now I got it to work and I understood the way it works finally!
> Thank you Archange and Uwe for helping along the way, please let me
> know if there is anything else you would change since I intend to make
> a proper guide for this entire setup as it is pretty basic and
> versatile. I don't want to recommend bad practices so please let me
> know if there is something I should change.
>
> For anybody else who may look at this in the future, here are the
> relevant config files that I ended up with:
>
> /etc/mail/smtpd.conf ##
> pki mail.domain.tld cert "/etc/ssl/mail.domain.org.fullchain.pem"
> pki mail.domain.tld key "/etc/ssl/private/mail.domain.tld.key"
>
> # Junk filters, rspamd also for DKIM signing
> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } junk
> filter check_rdns phase connect match !rdns junk
> filter check_fcrdns phase connect match !fcrdns junk
> filter rspamd proc-exec "filter-rspamd"
>
> # Tables
> table usermap file:/etc/mail/usermap
> table credentials file:/etc/mail/credentials
> table domains { domain.tld, second.tld, third.tld }
>
> # Listen for incoming mail and send through filters
> listen on all tls pki mail.domain.tld \
>     filter { check_dyndns, check_rdns, check_fcrdns, rspamd }
>
> # Listen for, authenticate and DKIM-sign outgoing mail requests
> listen on all port submission tls-require pki mail.domain.tld \
>     auth <credentials> filter rspamd
>
> action "inbound" lmtp "/var/dovecot/lmtp" rcpt-to virtual <usermap>
> action "outbound" relay helo mail.domain.tld
>
> # Match incoming mail
> match from any for domain <domains> action "inbound"
> match for local action "inbound"
>
> # Match outgoing mail
> match from any auth for any action "outbound"
> match for any action "outbound"
>
>
> /etc/mail/usermap #
> abuse admin
> hostmaster admin
> postmaster admin
> webmaster admin
> www admin
> operator admin
> security admin
> root admin
> contact admin
>
> cl...@domain.tld admin
>
> admin ad...@domain.tld
>
> ad...@domain.tld vmail
> unic...@third.tld vmail
>
> (This makes practically everything go to the inbox of ad...@domain.tld
> with the exception of unic...@third.tld which also gets its own
> inbox)
>
> /etc/mail/credentials #
> ad...@domain.tld:$2b$09$blahblahhashgoeshereblahblahhashgoeshere
> cl...@domain.tld:$2b$09$blahblahhashgoeshereblahblahhashgoeshere
> ad...@second.tld:$2b$09$blahblahhashgoeshereblahblahhashgoeshere
> cont...@second.tld:$2b$09$blahblahhashgoeshereblahblahhashgoeshere
> ad...@third.tld:$2b$09$blahblahhashgoeshereblahblahhashgoeshere
> unic...@third.tld:$2b$09$blahblahhashgoeshereblahblahhashgoeshere
>
> (Credentials are needed for every inbox and for every sender. In my
> case only ad...@domain.tld and unic...@third.tld have inboxes, so the
> others are just other identities that I can use to send emails from.)
>
> /etc/rspamd/local.d/dkim-signing.conf #
> allow_username_mismatch = true;
> domain {
>     domain.tld {
>         path = "/etc/mail/dkim/domain.tld.key";
>         selector = "selectorone";
>     }
>     second.tld {
>         path = "/etc/mail/dkim/second.tld.key";
>         selector = "selectortwo";
>     }
>     third.tld {
>         path = "/etc/mail/dkim/third.tld.key";
>         selector = "selectorthree";
>     }
> }
>
> (The allow_username_mismatch can probably be left out for this setup,
> haven't tried yet though)
>
> /etc/dovecot/dovecot.conf #
> protocols = imap lmtp
>
>
> /etc/dovecot/conf.d/10-auth.conf ##
> passdb {
>     driver = passwd-file
>     args = scheme=CRYPT /etc/mail/credentials
> }
> userdb {
>     driver = static
>     args = uid=vmail gid=vmail home=/var/maildirs/%d/%n
> }
> ###
Re: Simple virtual user setup with multiple domains
On 24 Sep 11:33, Unicorn wrote:
> Hello everyone,
>
> I apologize in advance if this seems like a trivial question, I am
> quite new to this and the amount of config files and options is a
> little overwhelming. :)
>
> I am currently running three mailservers that each serve one domain
> with real user accounts, which is quite a pain to manage. I would like
> to instead have one server be the MX for all of my domains, with
> virtual users and their maildirs in a structure like
> /home/vmail/domain/user/Maildir.
>
> In the process of writing my email I have written all my
> configurations to the best of my ability, but I would appreciate your
> feedback on any errors or suggestions for improvements, especially
> since I intend to eventually make this into a guide:
>
>
> /etc/mail/smtpd.conf ###
> pki mx.maildomain.tld cert "/etc/ssl/mx.maildomain.tld.fullchain.pem"
> pki mx.maildomain.tld key "/etc/ssl/private/mx.maildomain.tld.key"
>
> # Junk filters, rspamd also for DKIM signing
> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } junk
> filter check_rdns phase connect match !rdns junk
> filter check_fcrdns phase connect match !fcrdns junk
> filter rspamd proc-exec "filter-rspamd"
>
> # Tables
> table aliases file:/etc/mail/custom_aliases
> table accounts file:/etc/mail/accounts
> table domains {firstdomain.tld, seconddomain.tld, maildomain.tld}
>
> # Listen for incoming mail and send through filters
> listen on all tls pki mail.regrow.earth filter { check_dyndns, check_rdns, check_fcrdns, rspamd }
>
> # Listen for, authenticate and DKIM-sign outgoing mail requests
> listen on all port submission tls-require pki mx.maildomain.tld auth <accounts> filter rspamd
>
> action "deliver_local" maildir /home/vmail/{%dest.domain}/{%dest.user}/Maildir junk alias <aliases> user vmail
> action "outbound" relay helo mx.maildomain.tld
>

I would suggest that you use lmtp for that - so one can use ham/spam with
dovecot to train rspamd.

action "domain1.tld" lmtp "/var/dovecot/lmtp" rcpt-to alias
action "domain2.tld" lmtp "/var/dovecot/lmtp" rcpt-to alias

> # Match incoming mail
> match from any for domain <domains> action "deliver_local"
> match for local action "deliver_local"
>
> # Match outgoing mail
> match from any auth for any action "outbound"
> match for any action "outbound"
> #
>
>
> /etc/dovecot/conf.d/10-auth.conf ###
> passdb {
>     driver = passwd-file
>     args = scheme=BLF-CRYPT /etc/mail/accounts
> }
> userdb {
>     driver = static
>     args = uid=vmail gid=vmail home=/home/vmail/%d/%u
> }
> #
>
>
> /etc/mail/accounts #
> ad...@fistdomain.tld:passwordhashfromsmtpctl
> ad...@seconddomain.tld:passwordhashfromsmtpctl
> unic...@seconddomain.tld:passwordhashfromsmtpctl
> #
>
> Is it possible to combine virtual users with an alias table as I have
> in action "deliver_local"?
>
> Example entry in alias table:
> cont...@firstdomain.tld: admin+cont...@firstdomain.tld

I guess you can't use an alias table but a table. That's why I have:

table domain1.tld file:/etc/mail/domain1.tld
table domain2.tld file:/etc/mail/domain2.tld
table domain3.tld file:/etc/mail/domain3.tld

and then e.g. in /etc/mail/domain1.tld:

user admin+cont...@domain1.tld
hostmaster hostmas...@domain2.tld

>
> Will this deliver to the folder "contact" of ad...@firstdomain.tld?
> In 'action "deliver_local"', is it correct to use {%dest.user} for
> this purpose?
>
>
> Also, how does dkim signing with rspamd work for multiple domains?
> Right now my /etc/rspamd/local.d/dkim-signing.conf looks like this:
>
> ##
> allow_username_mismatch = true;
>
> domain {
>     firstdomain.tld {
>         path = "/etc/mail/dkim/firstdomain.tld.key";
>         selector = "blah";
>     }
> }
> ##
>
> Will it work automatically by simply entering eg. 'seconddomain.tld
> {...}' with its respective keyfile and selector?

You need a current filter for that. I have:

filter "dkimsign" proc-exec "filter-dkimsign -d domain1.tld -d domain2.tld \
    -d domain3.tld -s dkim_selector -k /etc/mail/dkim/dkim.key" \
    user _dkimsign group _dkimsign

Note that you can specify the selector only once.

See: https://undeadly.org/cgi?action=article;sid=20200920073933

>
> Thanks a lot in advance, I appreciate any answers, even if incomplete!
> :)
>
> Best,
> Unicorn
>

--
wq: ~uw
Re: filter-dkims support for multiple domains
On 31 Aug 09:02, Uwe Werler wrote:
> On 30 Aug 19:22, Martijn van Duren wrote:
> > Hello,
> >
> > I've always said that I would not add support for multiple domains in
> > filter-dkimsign until someone could point me to a good reason to do so.
> > Recently this was done by Maarten de Vries who pointed out to me that
> > there is such a requirement in DMARC (RFC7489 section 3.1) stating that
> > the DKIM signature must be aligned with the From-header.
> > Unfortunately the from-header is a mailbox-list; I decided to only use
> > the first mailbox in the list, which should cover most use-cases.
> >
> > As expected, this diff is more intrusive than I would've liked, but
> > works so far in my testing. It works by using a single selector and
> > trying to do a strict match on domain first, falling back to a relaxed
> > match if none is found and ultimately going for the first domain in the
> > list.
> >
> > I would like to ask everyone who wants this feature to test this and
> > report back to me. I plan to create a new release in a week or 2 turning
> > it into a less voluntary test. :-)
> >
> > Source-code can be found here (svn):
> > http://imperialat.at/dev/filter-dkimsign/
> > This is still OpenBSD only, but Maarten can probably supply people with
> > an arch-compatible version.
> >
> > martijn@
> >
>
> Hi Martin,
>
> just tried it at my server with two domains and it works like a charm. Will
> migrate my 3rd domain to the same key/selector later and will test further.
>
> I'm happy to see that change coming in now.
>
> Thanks for your effort!
>
> --
>
> With kind regards / Með bestu kveðju / Mit freundlichen Grüßen
>
> Uwe Werler
>

Hi Martijn,

migrated my 3rd domain now and all works like expected!

Thank you very much for your work!

--
With kind regards / Með bestu kveðju / Mit freundlichen Grüßen

Uwe Werler
Re: filter-dkims support for multiple domains
On 30 Aug 19:22, Martijn van Duren wrote:
> Hello,
>
> I've always said that I would not add support for multiple domains in
> filter-dkimsign until someone could point me to a good reason to do so.
> Recently this was done by Maarten de Vries who pointed out to me that
> there is such a requirement in DMARC (RFC7489 section 3.1) stating that
> the DKIM signature must be aligned with the From-header.
> Unfortunately the from-header is a mailbox-list; I decided to only use
> the first mailbox in the list, which should cover most use-cases.
>
> As expected, this diff is more intrusive than I would've liked, but
> works so far in my testing. It works by using a single selector and
> trying to do a strict match on domain first, falling back to a relaxed
> match if none is found and ultimately going for the first domain in the
> list.
>
> I would like to ask everyone who wants this feature to test this and
> report back to me. I plan to create a new release in a week or 2 turning
> it into a less voluntary test. :-)
>
> Source-code can be found here (svn):
> http://imperialat.at/dev/filter-dkimsign/
> This is still OpenBSD only, but Maarten can probably supply people with
> an arch-compatible version.
>
> martijn@
>

Hi Martin,

just tried it at my server with two domains and it works like a charm. Will
migrate my 3rd domain to the same key/selector later and will test further.

I'm happy to see that change coming in now.

Thanks for your effort!

--
With kind regards / Með bestu kveðju / Mit freundlichen Grüßen

Uwe Werler
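
The domain selection described in the quoted announcement above (strict match on the first From mailbox, then a relaxed match, then the first domain in the list), sketched as an added example for checking which d= a given sender would get; it is not filter-dkimsign's code and not part of the original thread. It assumes "relaxed" means the From domain is a subdomain of a configured domain (no Public Suffix List lookup); the function names, domain list and sample headers are constructed.

```python
from email.utils import getaddresses


def first_from_domain(from_header):
    """Domain of the first mailbox in the From mailbox-list, or None."""
    addrs = getaddresses([from_header])
    if not addrs or "@" not in addrs[0][1]:
        return None
    return addrs[0][1].rsplit("@", 1)[1].lower().rstrip(".")


def select_signing_domain(from_header, domains):
    """Return (d, how) where how is 'strict', 'relaxed' or 'fallback'."""
    domains = [d.lower().rstrip(".") for d in domains]
    from_domain = first_from_domain(from_header)
    if from_domain is not None:
        if from_domain in domains:
            return from_domain, "strict"
        # Assumption: relaxed = From domain is a subdomain of a configured one.
        # The leading dot stops "notdomain1.tld" from matching "domain1.tld".
        parents = [d for d in domains if from_domain.endswith("." + d)]
        if parents:
            return max(parents, key=len), "relaxed"
    # Nothing matched: the first configured domain is used.
    return domains[0], "fallback"


if __name__ == "__main__":
    # Constructed stand-in for the "-d" list of a signing filter.
    SIGNING_DOMAINS = ["domain1.tld", "domain2.tld", "domain3.tld"]
    # Constructed From headers, including a mailbox-list and a look-alike.
    SAMPLES = [
        "Admin <admin@domain2.tld>",
        '"Doe, Jane" <jane@lists.domain3.tld>, other@domain1.tld',
        "someone@notdomain1.tld",
    ]
    for header in SAMPLES:
        d, how = select_signing_domain(header, SIGNING_DOMAINS)
        print(f"{header!r:60} d={d} ({how})")
```

A "fallback" result means no configured domain matched the From domain under these rules, which is the case to look for when auditing whether every sending identity is covered by the signing domain list.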