It is the 22nd of September 2017

How to set up a Debian Wheezy mail and DNS server using SaltStack - Exim4 + Dovecot

In the last chapter I set up SSH access. The current directory structure is:

  • /path/to/master.prograssing.com
    • ./pillar/top.sls
    • ./pillar/common/init.sls
    • ./pillar/ssh/init.sls
    • ./salt/common
      • ./init.sls
      • ./bash.bashrc
      • ./bash_aliases
      • ./iptables.rules
      • ./vagrant_iptables.rules
    • ./salt/ssh
      • ./init.sls
      • ./sshd_config
      • ./ssh_config
      • ./vagrant_sshd_config
      • ./motd
      • ./issue.net
    • ./salt/top.sls
    • ./Vagrantfile (optional)
    • ./vagrantconfig.yaml (optional)

Mail server setup with exim and dovecot

In this chapter I will set up an Exim mail server for a TLD with virtual domains and SpamAssassin, plus a Dovecot IMAP server, using the following Salt configuration files. I also install swaks, the Swiss Army Knife for SMTP, to test the connection. Sending mail and IMAP access will be restricted to a VPN, which is left out of this tutorial for now, so you will have to make some adjustments. However, it should be easy for you to write a state file for that, following an OpenVPN setup tutorial for example, or to use a different approach such as Exim's authentication mechanisms.

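# Salt state for the mail host: exim4 with virtual domains, SpamAssassin and a
# clamd hook, plus a dovecot IMAP server. Submission and IMAP are meant to be
# reachable only over the VPN (see dc_relay_nets in update-exim4.conf.conf);
# adjust that part to your own setup.
mail-pkgs:
  pkg.installed:
    - pkgs:
      - exim4
      - exim4-daemon-heavy
      - dovecot-imapd
      - spamassassin
      - spamc
      - sa-exim
      - swaks

/etc/mailname:
  file.managed:
    - user: root
    - group: root
    - mode: '0644'
    - source: salt://mail/mailname

############
# exim4

# /etc/exim4 only exists once the package is installed, hence the require.
/etc/exim4/update-exim4.conf.conf:
  file.managed:
    - source: salt://mail/exim4/update-exim4.conf.conf
    - require:
      - pkg: mail-pkgs

# One file per virtual domain; the file name is the domain (dsearch lookup
# in the exim config), its content maps local parts to destinations.
/etc/exim4/virtual:
  file.recurse:
    - source: salt://mail/exim4/virtual
    - require:
      - pkg: mail-pkgs

# Exim filter that files spam into the Spam maildir (see mail/.forward).
/home/herbert/.forward:
  file.managed:
    - user: herbert
    - group: herbert
    - mode: '0644'
    - source: salt://mail/.forward

/etc/exim4/exim.crt:
  file.managed:
    - user: root
    - group: Debian-exim
    - mode: '0644'
    - source: salt://mail/exim4/exim.crt
    - require:
      - pkg: mail-pkgs

# Private TLS key: must not be world-readable. The daemon runs as Debian-exim
# and needs read access; nobody else does.
# NOTE(review): the key is served from the salt file tree next to the states;
# consider serving it from pillar (contents_pillar) or another secret source
# so it is not stored in clear alongside the configuration.
/etc/exim4/exim.key:
  file.managed:
    - user: root
    - group: Debian-exim
    - mode: '0640'
    - source: salt://mail/exim4/exim.key
    - require:
      - pkg: mail-pkgs

/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:
  file.managed:
    - source: salt://mail/exim4/conf.d/main/03_exim4-config_tlsoptions
    - require:
      - pkg: mail-pkgs

# Declares the virtual domains as local domains and sets av_scanner.
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:
  file.managed:
    - source: salt://mail/exim4/conf.d/main/01_exim4-config_listmacrosdefs
    - require:
      - pkg: mail-pkgs

/etc/exim4/conf.d/router/350_exim4-config_vdom_aliases:
  file.managed:
    - source: salt://mail/exim4/conf.d/router/350_exim4-config_vdom_aliases
    - require:
      - pkg: mail-pkgs

# Patches the DATA ACL to reject MIME defects, risky attachment types and
# malware. The hash is that of the patched file: when the target already
# matches it the patch is considered applied.
/etc/exim4/conf.d/acl/40_exim4-config_check_data:
  file.patch:
    - source: salt://mail/exim4/conf.d/acl/40_exim4-config_check_data-deny-virus.patch
    - hash: md5=c135c02ff77bda88be1852724e1be50c
    - require:
      - pkg: mail-pkgs

/etc/default/spamassassin:
  file.managed:
    - source: salt://mail/spamassassin
    - require:
      - pkg: mail-pkgs

# ENABLED=1 in /etc/default/spamassassin only takes effect at boot; start and
# keep spamd running now, and restart it when the defaults file changes.
spamassassin:
  service.running:
    - require:
      - pkg: mail-pkgs
    - watch:
      - file: /etc/default/spamassassin

# clamd runs as clamav; membership in Debian-exim is presumably what lets it
# read the messages exim hands over for scanning.
# NOTE(review): no clamav package is in mail-pkgs. Confirm clamav-daemon is
# installed elsewhere, otherwise the malware ACL condition has nothing to
# talk to and messages are deferred.
clamav:
  user.present:
    - optional_groups:
      - Debian-exim
    - require:
      - pkg: mail-pkgs

# Socket directory used by av_scanner (clamd:/var/run/clamav/clamd.ctl).
/var/run/clamav:
  file.directory:
    - group: Debian-exim
    - require:
      - pkg: mail-pkgs

# Regenerate the autogenerated exim config from the split conf.d tree and the
# virtual domain list. cmd.run executes on every highstate; it is idempotent.
update-exim4.conf:
  cmd.run:
    - require:
      - file: /etc/exim4/virtual
      - file: /etc/exim4/update-exim4.conf.conf
      - file: /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
      - file: /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
      - file: /etc/exim4/conf.d/router/350_exim4-config_vdom_aliases
      - file: /etc/exim4/conf.d/acl/40_exim4-config_check_data

# Restart exim when any of its managed config files or the TLS material
# changes; a plain require would leave a running daemon on stale config.
exim4:
  service.running:
    - require:
      - cmd: update-exim4.conf
    - watch:
      - file: /etc/exim4/virtual
      - file: /etc/exim4/update-exim4.conf.conf
      - file: /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
      - file: /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
      - file: /etc/exim4/conf.d/router/350_exim4-config_vdom_aliases
      - file: /etc/exim4/conf.d/acl/40_exim4-config_check_data
      - file: /etc/exim4/exim.crt
      - file: /etc/exim4/exim.key

##########
# dovecot

# Create herbert's Maildir, then one sub folder per entry of the
# 'mailfolders' pillar list (see pillar/mail/init.sls).
maildirmake.dovecot Maildir:
  cmd.run:
    - user: herbert
    - cwd: /home/herbert
    - unless: test -e Maildir
    - require:
      - pkg: mail-pkgs

{% for folder in pillar.get('mailfolders', []) %}
maildirmake.dovecot /home/herbert/Maildir/.{{ folder }}:
  cmd.run:
    - user: herbert
    - unless: test -e /home/herbert/Maildir/.{{ folder }}
    - require:
      - cmd: maildirmake.dovecot Maildir
{% endfor %}

# mail_location = maildir:~/Maildir, matching dc_localdelivery='maildir_home'.
/etc/dovecot/conf.d/10-mail.conf:
  file.managed:
    - user: root
    - group: root
    - mode: '0644'
    - source: salt://mail/dovecot/conf.d/10-mail.conf
    - require:
      - pkg: mail-pkgs

# watch implies require: dovecot starts after the config is in place and is
# restarted whenever it changes.
dovecot:
  service.running:
    - require:
      - cmd: maildirmake.dovecot Maildir
    - watch:
      - file: /etc/dovecot/conf.d/10-mail.conf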

Configuration files

./salt/mail/exim4/update-exim4.conf.conf:

# update-exim4.conf.conf: shell-syntax settings read by update-exim4.conf.
# 'internet' site: this host delivers its local domains itself and sends
# outgoing mail directly (dc_smarthost is empty).
dc_eximconfig_configtype='internet'
dc_other_hostnames=''
# Listen on all IPv4 interfaces; who may relay is restricted below.
dc_local_interfaces='0.0.0.0'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
# Networks allowed to relay through this host without authenticating.
# Keep this to the VPN subnet only; anything wider turns the host into an
# open relay.
dc_relay_nets='<vpn subnet>'
dc_smarthost=''
CFILEMODE='644'
# Use the split /etc/exim4/conf.d tree; the conf.d files managed by the
# mail state rely on this.
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
# Deliver local mail into ~/Maildir, the layout dovecot's mail_location reads.
dc_localdelivery='maildir_home'
# Not used: the local domains come from the dsearch lookup in
# 01_exim4-config_listmacrosdefs instead.
#dc_local_domains=@:localhost:dsearch:/etc/exim4/virtual

./salt/mail/exim4/conf.d/acl/40_exim4-config_check_data-deny-virus.patch:

--- 40_exim4-config_check_data  2012-11-25 03:27:26.000000000 -0500
+++ 40_exim4-config_check_data-tmp  2013-12-21 14:12:35.458090355 -0500
@@ -70,6 +70,25 @@
   .include CHECK_DATA_LOCAL_ACL_FILE
   .endif

+  # Reject messages that have serious MIME errors.
+  # This calls the demime condition again, but it
+  # will return cached results.
+  deny message = Serious MIME defect detected ($demime_reason)
+  demime = *
+  condition = ${if >{$demime_errorlevel}{2}{1}{0}}
+
+  # Reject file extensions used by worms.
+  # Note that the extension list may be incomplete.
+  deny message = This domain has a policy of not accepting certain types of attachments \
+    in mail as they may contain a virus. This mail has a file with a .$found_extension \
+    attachment and is not accepted. If you have a legitimate need to send \
+    this particular attachment, send it in a compressed archive, and it will \
+    then be forwarded to the recipient.
+  demime = exe:com:vbs:bat:pif:scr
+
+  # Reject messages containing malware.
+  deny message = This message contains a virus ($malware_name) and has been rejected
+  malware = *

   # accept otherwise
   accept
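Review bot: `malware = *` at the end of the hunk carries no `/defer_ok`, so any failure to reach clamd (daemon not running, socket missing) makes Exim defer every message at DATA time instead of rejecting or accepting it; the state on this page creates the clamav user and /var/run/clamav but lists no clamav package in mail-pkgs, so this situation is easy to hit. Deferring on scanner failure is the safe default, but it should be a deliberate choice; if availability matters more, `malware = */defer_ok` accepts mail when the scanner is unavailable. The `demime` condition used above it is a legacy feature that not every Exim build still provides; check the output of `exim -bV` on the target before relying on the MIME-defect and extension checks. The ACL continues outside the hunk.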

./salt/mail/exim4/conf.d/main/01_exim4-config_listmacrosdefs:

Only the relevant lines are shown here to keep it short.

...
# Every file in /etc/exim4/virtual names one local domain (dsearch matches
# on file names), in addition to the MAIN_LOCAL_DOMAINS macro.
domainlist local_domains = MAIN_LOCAL_DOMAINS:dsearch;/etc/exim4/virtual
...
domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS:dsearch;/etc/exim4/virtual
....
# Scanner behind the malware ACL condition added by the
# 40_exim4-config_check_data patch; the socket directory is managed by the
# mail state.
av_scanner = clamd:/var/run/clamav/clamd.ctl

./salt/mail/exim4/conf.d/main/03_exim4-config_tlsoptions:

# Enable STARTTLS. With the Debian defaults the certificate and key are
# /etc/exim4/exim.crt and /etc/exim4/exim.key, both shipped by the mail state.
MAIN_TLS_ENABLE = yes
...

./salt/mail/exim4/conf.d/router/350_exim4-config_vdom_aliases:

#####################################################
### router/350_exim4-config_vdom_aliases
#####################################################

# Alias router for the virtual domains: a domain is handled when a file of
# that name exists in /etc/exim4/virtual; the file maps local parts to their
# destinations (see the virtual/<domain.tld> listing).
# allow_defer / allow_fail let an entry use :defer: or :fail: as its data.
vdom_aliases:
  debug_print = "R: vdom_aliases for $local_part@$domain"
  driver = redirect
  allow_defer
  allow_fail
  domains = dsearch;/etc/exim4/virtual
  # plain lsearch: exact local-part match only, no wildcard fallback
  data = ${expand:${lookup{$local_part}lsearch{/etc/exim4/virtual/$domain}}}
  retry_use_local_part
  pipe_transport   = address_pipe
  file_transport   = address_file

# Same as above but also accepts an optional "+suffix" on the local part and
# looks up with lsearch*@, so a "*" entry in the domain file acts as the
# catch-all. no_more: if this router declines, no later router is tried.
vdom_aliases_suffix:
  debug_print = "R: vdom_aliases_suffix for $local_part@$domain"
  driver = redirect
  local_part_suffix = +*
  local_part_suffix_optional
  allow_defer
  allow_fail
  domains = dsearch;/etc/exim4/virtual
  data = ${expand:${lookup{$local_part}lsearch*@{/etc/exim4/virtual/$domain}}}
  retry_use_local_part
  pipe_transport = address_pipe
  file_transport = address_file
  no_more

#####################################################
### end router/350_exim4-config_vdom_aliases
#####################################################

./salt/mail/spamassassin:

# Start spamd at boot (Debian /etc/default/spamassassin); spamc, and so
# sa-exim, needs a running spamd to score mail.
ENABLED=1

./salt/mail/.forward:

# Exim filter
# Installed as herbert's .forward. Mail that SpamAssassin flagged with
# "X-Spam-Flag: YES" is saved to the Spam maildir; "finish" stops the filter
# so the message is not also delivered to the inbox.
if $h_X-Spam-Flag: contains "YES"
then
save $home/Maildir/.Spam/
finish
endif

./salt/mail/exim4/virtual/<domain.tld>:

# Wildcard entry: every local part at this domain is redirected to
# herbert@localhost (matched by the lsearch*@ lookup in router
# 350_exim4-config_vdom_aliases).
* : herbert@localhost

./salt/mail/dovecot/conf.d/10-mail.conf:

# Read mail from the per-user Maildir created by maildirmake.dovecot in the
# mail state; exim writes there too (dc_localdelivery='maildir_home').
mail_location = maildir:~/Maildir

Pillar files

./pillar/mail/init.sls:

# Sub folders created under /home/herbert/Maildir by the mail state, one
# "maildirmake.dovecot" cmd.run per entry.
mailfolders:
  - Archives
  - Drafts
  - Sent
  - Spam
  - Templates
  - Trash

and again add it to the base pillar:

./pillar/top.sls:

# Pillar top file: every minion ('*') receives the common, ssh and mail pillars.
base:
  '*':
    - common
    - ssh
    - mail

In the next chapter I will set up the bind9 DNS server for multiple domains using SaltStack.
