hostnamectl set-hostname domain.tld
REBOOT

ufw allow 25,80,443,587,465,110,143,993,995/tcp



_______________
INSTALL MariaDB

apt-get update && apt-get upgrade
apt-get install mariadb-server mariadb-client

systemctl start mariadb
systemctl enable mariadb

mysql_secure_installation
FOLLOW INSTRUCTIONS


__________________
INSTALL MAILSERVER

apt-get update && apt-get upgrade
apt-get install postfix postfix-mysql libsasl2-modules-sql libsasl2-modules
apt-get install dovecot-common dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-managesieved

newaliases


optional TESTING
echo "POSTAUSGANG-Testmail" | sendmail benman2785@hotmail.de


wget https://sourceforge.net/projects/postfixadmin/files/postfixadmin/postfixadmin-3.2/postfixadmin_3.2-1_all.deb
dpkg -i postfixadmin_3.2-1_all.deb
apt-get install -f


_________________
CREATE PFA CONFIG

nano /etc/postfixadmin/config.local.php
FILE-CONTENT:
<?php
//
// contents of this file override defaults in /etc/postfixadmin/config.inc.php
//

$CONF['configured'] = true;
$CONF['postfix_admin_url'] = 'http://pfa.domain.tld/';

$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = 'YOUR_PW';
$CONF['database_name'] = 'postfix';

$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';

// 'md5crypt' is compatible with vpopmail password databases and Dovecot's CRYPT-MD5 setting.
// 'md5' generates raw hexadecimal MD5-sums, compatible with Dovecot's PLAIN-MD5 setting.
// 'cleartext' does not encrypt user passwords at all, compatible with Dovecot's PLAIN setting.
//
// For new installs, only use 'cleartext' if you have users who want you to be able to tell
// them explicitly what their password is - and if you want to support that.  Otherwise 
// 'md5crypt' is probably a better idea.
//
$CONF['encrypt'] = 'md5crypt';

$CONF['admin_email'] = 'postmaster@domain.tld';

$CONF['default_aliases'] = array (
    'abuse' => 'abuse@domain.tld',
    'hostmaster' => 'hostmaster@domain.tld',
    'postmaster' => 'postmaster@domain.tld',
    'webmaster' => 'webmaster@domain.tld'
);

$CONF['vacation_domain'] = 'autoreply.domain.tld';
$CONF['user_footer_link'] = "http://domain.tld/main";
$CONF['footer_text'] = 'Return to domain.tld';
$CONF['footer_link'] = 'http://domain.tld';
FILE-END!


________________
CREATE PFA NGINX

mkdir /etc/nginx/sites-available
nano /etc/nginx/sites-available/pfa.conf
FILE:
server {
        listen 80;
        server_name pfa.domain.tld;
        root /usr/share/postfixadmin/public;
	location /{
                autoindex on;
                autoindex_exact_size off;
                }
        location ~* \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                include       fastcgi.conf;
                fastcgi_pass  127.0.0.1:9000;
                fastcgi_index index.php;
	}
}
FILE-END!


_____________________
CREATE MYSQL DATABASE

mysql -u root -p

create database postfix;
grant all privileges on postfix.* to 'postfix'@'localhost' identified by 'YOUR_PW';
flush privileges;
quit;

________________________
EDIT POSTFIX AND DOVECOT

nano /etc/postfix/main.cf
FILE-EDIT: in # TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem  #fullchain.cer
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key  #YOUR.DOMAIN.TLD.key
smtpd_use_tls=yes
smtp_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = enforce
smtpd_tls_security_level = encrypt

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.2
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.2
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
FILE-END!


FILE-ADD:
inet_protocols = ipv4
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_base = /data/postfix
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = virtual

virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000

broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_unauth_pipelining

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
FILE-END!


optional
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth


nano /etc/postfix/mysql_virtual_alias_maps.cf
FILE-CONTENT:
user = postfix
password = YOUR_PW
hosts = 127.0.0.1
dbname = postfix
table = alias
select_field = goto
where_field = address
FILE-END!


nano /etc/postfix/mysql_virtual_domains_maps.cf
FILE-CONTENT:
user = postfix
password = YOUR_PW
hosts = 127.0.0.1
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
FILE-END!


nano /etc/postfix/mysql_virtual_mailbox_maps.cf
FILE-END:
user = postfix
password = YOUR_PW
hosts = 127.0.0.1
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
FILE-END!


nano /etc/dovecot/dovecot-mysql.conf
FILE-CONTENT:
driver = mysql
connect = dbname=postfix user=postfix host=localhost password=YOUR_PW

# if passwords are stored in the mysql db in plaintext, use PLAIN: 
# but we used 'md5crypt' in postfixadmin, so the correct setting in 
# Dovecot-ese is MD5-CRYPT.
#
# note that this encryption setting is directly compatible with  
#  vpopmail password databases, making migration from Qmail/Vpopmail
# setups possible.
#
default_pass_scheme = MD5-CRYPT
password_query = SELECT password FROM mailbox WHERE username = '%u'

####
#### CHANGE THE UID AND GID below to match those for Postfix in your
#### system!  grep postfix /etc/passwd to find them!
####
user_query = SELECT maildir, 2000 AS uid, 2000 AS gid FROM mailbox WHERE username  = '%u'
FILE-END!


nano /etc/dovecot/local.conf
FILE-CONTENT:
auth_mechanisms = digest-md5 plain login
auth_username_format = %n
disable_plaintext_auth = yes
first_valid_uid = 2000
first_valid_gid = 2000

log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_access_groups = mail
mail_location = maildir:/data/postfix/%d/%n

passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}

protocols = imap
 service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}

ssl = yes
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem  #fullchain.cer
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key  #YOUR.DOMAIN.TLD.key
#ssl_key_password = XXXXXX
ssl_protocols = !SSLv3 !SSLv2
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
ssl_dh_parameters_length = 2048

userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
FILE-END!


nano /etc/dovecot/conf.d/auth-system.conf.ext
FILE-REPLACE:
# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
#passdb {
  # driver = pam
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  #args = dovecot
#}
FILE-END!


usermod -u 2000 postfix && groupmod -g 2000 postfix
mkdir -p /data/postfix
chmod -R 770 /data/postfix
chown -R postfix:postfix /data/postfix
chown -R postfix:postfix /var/lib/postfix

nginx-t

service nginx reload
echo new LOG from "$(date)" > /var/log/mail.log
echo new LOG from "$(date)" > /var/log/mail.err
/etc/init.d/postfix restart
/etc/init.d/dovecot restart


--
http://pfa.domain.tld/setup.php
add domain + a test-user
--


OPTIONAL:
apt-get install clamav clamav-daemon spamassassin spamc
nano /etc/default/spamassassin 
REPLACE: "ENABLED=1" FILE-END!

/etc/init.d/spamassassin start
/etc/init.d/clamav-freshclam start
/etc/init.d/clamav-daemon start


SELF-SIGNED CERT:
openssl req -x509 -newkey rsa:4096 -keyout mail.domain.tld-key.pem -out mail.domain.tld-cert.pem -days 36500 -nodes -sha256 -subj “/C=BE/ST=LUIK/O=example/CN=mail.domain.tld”


nano /etc/php/7.4/fpm/php.ini
REPLACE:
post_max_size = 100M
upload_max_filesize = 100M
max_input_time = 600
FILE-END!


nano /etc/postfix/main.cf
ADD/REPLACE:
mailbox_size_limit = 0
message_size_limit = 52428800
FILE-END!






___________
INSTALL SPF

apt-get install postfix-policyd-spf-python

nano /etc/postfix/main.cf
FILE-ADD:
policy-spf_time_limit = 3600s
smtpd_recipient_restrictions =
check_policy_service unix:private/policy-spf
FILE-END!

FILE-ADD:
smtpd_recipient_restrictions =
check_policy_service unix:private/policy-spf
FILE-END!

nano /etc/postfix/master.cf
FILE-ADD:
policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/bin/policyd-spf
FILE-END!


____________
INSTALL DKIM

apt-get install opendkim opendkim-tools
gpasswd -a postfix opendkim

mkdir /etc/opendkim
mkdir /etc/opendkim/keys
mkdir /var/spool/postfix/opendkim/

nano /etc/opendkim.conf
FILE:
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog          yes

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask           002

# OpenDKIM user
# Remember to add user postfix to group opendkim
UserID		opendkim:postfix
Socket		local:/var/spool/postfix/opendkim/opendkim.sock
PidFile		/var/spool/postfix/opendkim/opendkim.pid

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization	relaxed/simple
Mode			sv
RequireSafeKeys         false
OversignHeaders		From

# Map domains in From addresses to keys used to sign messages
KeyTable	/etc/opendkim/key.table
SigningTable	refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
#ExternalIgnoreList  /etc/opendkim/trusted.hosts
InternalHosts       /etc/opendkim/trusted.hosts
FILE-END!

nano /etc/opendkim/signing.table
FILE:
# Datei /etc/opendkim/signing.table
# für E-Mails von xxx@example1.com den Schlüssel 'mykey1' 
# zum Signieren verwenden
*@example1.com mykey1
*@example2.com mykey2
FILE-END!

nano /etc/opendkim/key.table
FILE:
# Datei /etc/opendkim/key.table
# der Schlüssel 'mykey1' befindet sich in 
# der Datei /etc/opendkim/keys/example1.com/default.private
mykey1 example1.com:YOUR_INFO1:/etc/opendkim/keys/example1.com/default.private
mykey2 example2.com:YOUR_INFO2:/etc/opendkim/keys/example2.com/default.private
FILE-END!

nano /etc/opendkim/trusted.hosts
FILE:
127.0.0.1
localhost

*.example1.com
FILE-END!

mkdir /etc/opendkim/keys/example1.com
opendkim-genkey -b 2048 -d example1.com -D /etc/opendkim/keys/example1.com -s default -v

IF ADDING ANOTHER KEY ALSO DO:
chown opendkim:opendkim /etc/opendkim/keys/example1.com/default.private

nano /etc/postfix/main.cf
FILE-ADD:
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock,
non_smtpd_milters = $smtpd_milters
FILE-END!

nano /etc/systemd/system/opendkim.service.d/override.conf
FILE:
[Service]
PIDFile=/var/spool/postfix/opendkim/opendkim.pid
ExecStart=
ExecStart=/usr/sbin/opendkim -P /var/spool/postfix/opendkim/opendkim.pid -p local:/var/spool/postfix/opendkim/opendkim.sock
FILE-END!

adduser postfix opendkim
chmod go-rw /etc/opendkim/keys
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendkim:opendkim /etc/opendkim

systemctl daemon-reload && systemctl restart opendkim && systemctl restart postfix
systemctl status opendkim

cat /etc/opendkim/keys/example1.com/default.txt
opendkim-testkey -d example1.com -s default -vvv

NOW SET DKIM in DNS TXT


_____________
INSTALL DMARC

apt-get install opendmarc
CHOOSE NO for DB

systemctl status opendmarc
systemctl enable opendmarc

nano /etc/opendmarc.conf
FILE-REPLACE:
AuthservID yourdomain.com
FILE-REPLACE:
TrustedAuthservIDs yourdomain.com
FILE-REPLACE:
# RejectFailures false
WITH:
RejectFailures true
FILE-REPLACE:
Socket local:/var/run/opendmarc/opendmarc.sock
WITH:
Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
FILE-ADD at end of file:
SPFSelfValidate true
IgnoreAuthenticatedClients true
FILE-END!

mkdir -p /var/spool/postfix/opendmarc
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chmod -R 750 /var/spool/postfix/opendmarc/
adduser postfix opendmarc
systemctl restart opendmarc

nano /etc/postfix/main.cf
FILE:
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milters
FILE-END!

systemctl restart postfix




________
TESTING:

netstat -lnpt


telnet localhost 143
a login "user@domain.tld" "user_pw"
login success? if yes -> C logout

telnet localhost 25
EHLO mail.domain.tld
MAIL FROM:<user@domain.tld>
RCPT TO:<your@gmail.com>
DATA
Subject: Testmail
(EMTPY line - press ENTER)
SMTP test.
(EMTPY line - press ENTER)
.
QUIT