Last Updated: 10-21-2025
  1. You'll need a registered domain name and a VPS (Virtual Private Server) provider that allows uploading of ISO images for the OS.

    I use namecheap to get my registered domain names.

    I use contabo.com as my VPS provider, and they work great for this, and have improved a lot over the past year. Contabo allows uploading of ISO and Qcow2 custom
    images to use for your OS. If you get a VPS at contabo for setting up a mailserver I'd highly recommend getting a VPS with a minimum of 16gb memory and 6 CPU
    cores. I've tried the cheaper VPS with 8gb memory and 4 CPU cores, and it was pretty sluggish for a mailserver.

    After you have your domain name and a VPS, go to the DNS Zone Management panel at your VPS provider and set up the DNS records for the server. This includes the
    SPF records, DMARC records, and DKIM key:

    Resource record      TTL      Type      Priority      Data
    ---------------------------------------------------------------------
    mail.example.org            14400      A           0     ip.address
    example.org                 14400      A           0     ip.address
    www.example.org             14400      A           0     ip.address
    example.org                 14400      MX          10    mail.example.org
    example.org                 14400      TXT         0     v=spf1 mx -all # This is how I do the SPF record, but you can adjust this to your liking.
    _dmarc.example.org          14400      TXT         0     v=DMARC1; p=none; pct=100; fo=1; rua=mailto:you@example.org
    dkim._domainkey.example.org 14400      TXT         0     v=DKIM1;p= # This is where you put the DKIM key that was generated during the SlackerMail install.
    
    You will have to wait until SlackerMail-FreeBSD is installed to retrieve and enter the DKIM key in your DNS Zone Management at your VPS provider.

    Then I set up reverse DNS at my VPS provider with:

    ip.address          mail.example.org
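
    An added example, not part of the original how-to: once the records above are published, this script classifies the SPF, DMARC and DKIM
    TXT records and checks that the PTR name resolves back to the server's IP. It assumes dig from the bind-tools package and the table's
    names (example.org, selector "dkim"); the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original how-to: sanity checks for the step 1 records.
# Assumes dig (bind-tools) and the table's names: example.org, mail.example.org,
# DKIM selector "dkim". The classifier functions work offline on record text.

# Classify an SPF record by the "all" mechanism that terminates it.
spf_verdict() {
    case $1 in
        v=spf1|"v=spf1 "*) ;;
        *) echo invalid; return 0 ;;
    esac
    spf_last=${1##* }
    case $spf_last in
        -all)     echo hardfail ;;
        "~all")   echo softfail ;;
        "?all")   echo neutral ;;
        +all|all) echo allow-any ;;
        *)        echo no-all ;;
    esac
}

# Print the DMARC policy (none, quarantine or reject), or "invalid".
dmarc_policy() {
    case $1 in
        v=DMARC1*) ;;
        *) echo invalid; return 0 ;;
    esac
    dmarc_p=$(printf '%s\n' "$1" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*p=[[:space:]]*\([a-z]*\)[[:space:]]*$/\1/p' | head -n 1)
    case $dmarc_p in
        none|quarantine|reject) echo "$dmarc_p" ;;
        *) echo invalid ;;
    esac
}

# DKIM key record state. RFC 6376: an empty p= tag means the key is revoked,
# so the table's "v=DKIM1;p=" must not be published before the key is pasted in.
dkim_key_state() {
    dkim_rec=$(printf '%s' "$1" | tr -d '[:space:]')
    case ";$dkim_rec;" in
        *";p=;"*) echo revoked ;;
        *";p="*)  echo present ;;
        *)        echo invalid ;;
    esac
}

# Fetch TXT strings for a name and join dig's quoted chunks into one line each.
txt_of() {
    dig +short TXT "$1" | sed 's/" "//g; s/^"//; s/"$//'
}

# Forward-confirmed reverse DNS (IPv4): the PTR name must resolve back to the IP.
fcrdns_ok() {
    fc_ptr=$(dig +short -x "$1" | head -n 1)
    fc_ptr=${fc_ptr%.}
    [ -n "$fc_ptr" ] && dig +short A "$fc_ptr" | grep -qxF "$1"
}

# audit_domain DOMAIN IP [SELECTOR]   (needs network access)
audit_domain() {
    ad_dom=$1 ad_ip=$2 ad_sel=${3:-dkim}
    echo "SPF   $(spf_verdict "$(txt_of "$ad_dom" | grep '^v=spf1' | head -n 1)")"
    echo "DMARC $(dmarc_policy "$(txt_of "_dmarc.$ad_dom" | head -n 1)")"
    echo "DKIM  $(dkim_key_state "$(txt_of "$ad_sel._domainkey.$ad_dom" | head -n 1)")"
    if fcrdns_ok "$ad_ip"; then echo "PTR   ok"; else echo "PTR   mismatch"; fi
}

if [ "$#" -ge 2 ]; then audit_domain "$@"; fi
```

    Run it with the domain and the server's IP address as arguments once DNS has propagated. A DMARC result of "none" means receivers
    only send reports and take no action on failing mail.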
    
  2. Install FreeBSD

    a. Qcow2 Install - (Alternative to ISO Install)

    This is the fastest and easiest method to set up FreeBSD at your VPS provider, if they support it. Contabo does support Qcow2 images, and it's the method I always
    use. I have two FreeBSD qcow2 images below. One uses the UFS filesystem, and the other uses the ZFS filesystem. They both have a 10gb partition, but can easily be
    resized to use the full hard drive of your server. These FreeBSD images are for a command line server only, no X-Windows. I've installed packages that will be needed
    by the SlackerMail mail server.

    These qcow2 FreeBSD images have the PF firewall enabled and running. The /etc/pf.conf file is where you configure the PF firewall. I think I have the PF firewall set up
    properly now. I'm new to PF, so it took some RTFM to get it set up.

    Important! - Make sure to read this How-To for directions on how to set these qcow2 images up properly at your provider!

    After you have uploaded one of the two qcow2 images below to your VPS provider as a custom image, you can initiate the install to your VPS. You'll need a VNC client
    to log on to the server with the VNC IP address your provider gave you. I use TigerVNC for my VNC client. TigerVNC is available for Windows, Mac, Linux, and FreeBSD.

    The qcow2 image below uses the ufs filesystem.
    FreeBSD-14.3-p3-vps-ufs-10122025.qcow2 (2.58gb) SHA256: f861279109526ea579d3be7c2b368a51e4674c47bd21b8b835d2fb4a1bb25fc5

    The qcow2 image below uses the zfs filesystem.
    FreeBSD-14.3-p3-vps-zfs-10122025.qcow2 (2.95gb) SHA256: c6f55d607fac16eef7bfffd3d6a844b117d8e39012671b57326291847b6374f0
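
    An added example, not part of the original how-to: checking a downloaded qcow2 image against the SHA256 listed above before uploading
    it to the provider. The function names are illustrative; it uses sha256 on FreeBSD and falls back to sha256sum, shasum or openssl elsewhere.

```sh
#!/bin/sh
# Added example, not from the original how-to: check a downloaded image against
# the SHA256 published in the listing above before uploading it to the provider.

# Print the lowercase SHA256 of a file with whichever tool the system has.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                              # FreeBSD
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1            # Linux
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d ' ' -f 1        # macOS
    else
        openssl dgst -sha256 -r "$1" | cut -d ' ' -f 1
    fi
}

# Pull the 64-hex-digit hash out of a listing line such as
# "name.qcow2 (2.58gb) SHA256: <hash>".
hash_from_listing() {
    printf '%s\n' "$1" |
        sed -n 's/.*SHA256:[[:space:]]*\([0-9A-Fa-f]\{64\}\).*/\1/p' |
        tr 'A-F' 'a-f'
}

# verify_image FILE EXPECTED_HASH
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_image() {
    vi_want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $vi_want in
        ''|*[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    if [ "${#vi_want}" -ne 64 ]; then
        echo "expected hash is not 64 hex digits (truncated copy?)" >&2; return 2
    fi
    if [ ! -r "$1" ]; then echo "cannot read $1" >&2; return 2; fi
    vi_got=$(sha256_of "$1") || return 2
    if [ "$vi_got" = "$vi_want" ]; then
        echo "OK       $1"
        return 0
    fi
    echo "MISMATCH $1" >&2
    echo "  expected $vi_want" >&2
    echo "  got      $vi_got" >&2
    return 1
}

# Usage with the UFS image and the hash listed above:
#   verify_image FreeBSD-14.3-p3-vps-ufs-10122025.qcow2 \
#       f861279109526ea579d3be7c2b368a51e4674c47bd21b8b835d2fb4a1bb25fc5
if [ "$#" -eq 2 ]; then verify_image "$1" "$2"; fi
```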

    After you install one of the above qcow2 images at your VPS provider, and have followed the How-To on how to set them up, you can go directly to the SlackerMail-FreeBSD
    install script if you want to install SlackerMail. This script is not ready yet, but you can do the manual SlackerMail install starting below, until the install script is ready.

    b. ISO Install - (Traditional Install)

    Upload the FreeBSD-14.3-RELEASE-amd64-dvd1.iso (4.16gb) image to your VPS provider as a custom image.

    After the FreeBSD 14.3 ISO has been uploaded to your provider, initiate the install process in their control panel. Then you'll need to VNC to the IP address given for VNC
    access to your FreeBSD server. I use TigerVNC for my VNC client. TigerVNC is available for Windows, Mac, Linux, and FreeBSD.

    FreeBSD-14.3 is the easiest and fastest OS install I've ever seen. When you VNC to your FreeBSD server you'll be met with the install menus below.

    01. Welcome - I choose "Install".
    02. Keymap Selection - Pick your proper regional keymap.
    03. Set Hostname - Enter your FQDN (Fully Qualified Domain Name), e.g. mail.example.org.
    04. Distribution Select - Choose what you want to install. The default selection looks good, but we'll also need to install "src" and
        "ports" because you may need to recompile the kernel at some point, and we'll need to build some ports for the SlackerMail mail server.
    05. Partitioning - Pick your preferred disk setup. I pick either "Auto (ZFS)" or "Auto (UFS)", then I choose "Entire Disk", then I choose
        "GPT GUID Partition Table"
    06. ZFS Configuration - I accept the defaults, and in the next dialog box I choose "Stripe", because I have only 1 disk. Then I choose
        "da0 QEMU QEMU HARDDISK" to create the zpool on, and lastly I enter "Yes" to create the drive.
    07. FreeBSD is installed
    08. Setting the root password - Set a password for root.
    09. Network Configuration - I Choose my network interface, then I choose "Yes" to configure IPv4, then "Yes" to configure "DHCP", then
        "No" to configure IPv6. Lastly is the network "Resolver Configuration", and if all looks well choose "OK".
    10. Time Zone Selector - Choose your time zone.
    11. System Configuration - Choose what services will be started at boot. I pick sshd, moused, ntpd, and ntpd_sync_on_start.
    12. System Hardening - I leave all of these unchecked.
    13. Add User Accounts - Enter Username, then Full name. I then just hit enter for all the default selections, except for "Invite user
        into other groups?", I enter "wheel", because you'll need to be in the wheel group to be able to su to root. Lastly you'll need to
        enter a password for the user.
    14. Final Configuration - If everything looks okay, Exit, to apply configuration and exit installer.
    15. Reboot - Reboot and log on to your server using PuTTY with the user you added during install, then to become root run "su - root",
        and enter the root password.
    
    Now that FreeBSD is installed, you've rebooted, and logged in with PuTTY, there are a couple files you may want to edit. If you want to be able to login as root, then
    you'll need to edit /etc/ssh/sshd_config and change "#PermitRootLogin no" to "PermitRootLogin yes". You'll probably want to edit /boot/defaults/loader.conf, and
    change "#autoboot_delay="10"" to "autoboot_delay="0"", so the bootup is faster.

    You can edit with "vi" or with "mc -u". "mc -u" (Midnight Commander) is a very nice command line filemanager, and a lot easier to edit with, but you'll have to
    install the "mc" package first. If you want to install mc, first run "pkg update", then run "pkg install mc". After mc is installed you can then run "mc -u" to search
    for and edit files.

  3. FreeBSD Server Initial Setup

    Now ssh to your new FreeBSD server with the ip address given to you by your VPS provider, with PuTTY or other ssh client.

    You've probably already set up your hostname during the install, but if you didn't you need to do that now. Run the command
    below to set your hostname, and adjust for your actual FQDN:

    sysrc hostname="mail.example.org"
    
    Then run the echo command below to set your /etc/hosts file, and of course adjust for your actual FQDN:
    echo "127.0.0.1 mail.example.org mail localhost.localdomain localhost" > /etc/hosts
    
    Next we need to do a system update:
    pkg update
    pkg upgrade
    freebsd-update fetch
    freebsd-update install
    
    After update is installed, then reboot.
    
    Next we need to install some needed packages:
    pkg install -y gcc gmake python php84 php84-pecl-imagick bind-tools 7-zip m4 git gnupg \
    openssl mc htop neofetch gzip unzip shared-mime-info ca_root_nss bzip2-1.0.8_1 sudo
    
    reboot
    
    We are now ready to install SlackerMail with the SlackerMail-FreeBSD install script at this point. The SlackerMail-FreeBSD install script
    is not ready yet, and it will take some time to finish it.

    You can also set up SlackerMail by hand following all the directions below. It takes about 5 minutes to install from the script. It will take at
    minimum 1 day to install by hand, but it's a good learning experience.

  4. PF Firewall Setup

    First download the PF config file and move it to the /etc directory:
    fetch https://the-slacker.com/download/pf.conf
    mv -f pf.conf /etc/
    
    Run "ifconfig" at the command prompt, and take note of the interface name at the very top line. If it doesn't say "vtnet0",
    then edit /etc/pf.conf and change "ext_if = "vtnet0"" to the actual name of your device.

    Next enable PF firewall and logging to be started at boot, then reboot:

    service pf enable
    service pflog enable
    reboot
    
    After the reboot check the status of PF:
    pfctl -s info
    
    To read the pflog run the below command:
    tcpdump -n -e -ttt -r /var/log/pflog
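
    An added example, not part of the original how-to: vetting the downloaded pf.conf before it replaces /etc/pf.conf, so that a wrong
    ext_if name or a syntax error is caught before PF is enabled and the server is rebooted. The function names are illustrative, and the
    install step assumes FreeBSD's ifconfig -l, pfctl -nf and install(1).

```sh
#!/bin/sh
# Added example, not from the original how-to: vet a downloaded pf.conf before it
# replaces /etc/pf.conf, so a wrong ext_if or a syntax error is caught before reboot.
# Assumes FreeBSD tools for the install step: ifconfig -l, pfctl -nf, install(1).

# Print the value of the ext_if macro from a pf.conf file (empty if not set).
pf_ext_if() {
    sed -n 's/^[[:space:]]*ext_if[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" |
        head -n 1
}

# Succeed if interface $1 is one of the space-separated names in $2.
iface_in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# vet_pf_conf FILE "IFACE LIST"
# Returns 0 if ext_if names a listed interface, 1 if not, 2 if ext_if is missing.
vet_pf_conf() {
    vp_if=$(pf_ext_if "$1")
    if [ -z "$vp_if" ]; then echo "no ext_if macro in $1" >&2; return 2; fi
    if ! iface_in_list "$vp_if" "$2"; then
        echo "ext_if=$vp_if is not among: $2" >&2
        return 1
    fi
    echo "ext_if=$vp_if"
}

# install_pf_conf FILE: vet, parse-check with pfctl, back up, then install.
install_pf_conf() {
    vet_pf_conf "$1" "$(ifconfig -l)" || return 1
    # -n parses the ruleset without loading it.
    pfctl -nf "$1" || { echo "pfctl rejected $1" >&2; return 1; }
    if [ -f /etc/pf.conf ]; then cp -p /etc/pf.conf /etc/pf.conf.bak; fi
    install -m 0644 -o root -g wheel "$1" /etc/pf.conf
}

# Usage (as root, after editing ext_if in the fetched file if needed):
#   sh vet-pf.sh ./pf.conf
if [ "$#" -eq 1 ]; then install_pf_conf "$1"; fi
```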
    
  5. Install Webmin as the server control panel - Optional

    First we need to install some required perl modules needed by Webmin. Just copy, paste, and run the entire block below into PuTTY:
    pkg install -y p5-DateTime-Locale p5-DateTime-TimeZone p5-Data-Dumper p5-Digest-MD5 p5-Digest-SHA p5-Encode-Detect p5-File-Path p5-Time-HiRes \
    p5-Time-Local p5-Time-Piece p5-Authen-PAM p5-Net-SSLeay p5-IO-Tty gzip unzip shared-mime-info p5-Mail-DKIM p5-DBD-mysql
    
    Install Webmin:
    fetch https://www.webmin.com/download/webmin-current.tar.gz
    tar zxf webmin-current.tar.gz 
    cd webmin-current
    ./setup.sh
    
    Options during install with recommendations:
    
    Config file directory [/etc/webmin]: /usr/local/etc/webmin
    Log file directory [/var/webmin]: /var/log/webmin
    Use SSL (y/n): y
    Start Webmin at boot time (y/n): y
    
    I edit /usr/local/etc/webmin/miniserv.conf and add the line "allow=your.ip.address" # Do this if you
    want to only allow your ip address to login with Webmin.
    
    You should now be able to reach your Webmin control panel at https://example.org:10000.

    The reason I install Webmin so early into the setup is because it makes editing files and reading logs so easy.
    It'll save you many hours over using just the console, and is safe if you add the line "allow=your.ip.address"
    in /usr/local/etc/webmin/miniserv.conf.

    *Notice
    Webmin doesn't recognize the FreeBSD ZFS filesystem, so it doesn't report a disk.

  6. Apache or Nginx Web Server

    Note! - This is a bit of a confusing mess, the way I have the Apache and Nginx config files setup. I'm going to
    try to neaten it up like iRedMail has it.

    First off we need to secure PHP, since the web server and other services use it.

    Copy the entire block below, then paste it in PuTTY and run it.

    sed -i '' 's/disable_functions =/disable_functions = system,posix_uname,eval,pcntl_wexitstatus,posix_getpwuid,xmlrpc_entity_decode,pcntl_wifstopped,pcntl_wifexited,pcntl_wifsignaled,phpAds_XmlRpc,pcntl_strerror,ftp_exec,pcntl_wtermsig,mysql_pconnect,proc_nice,pcntl_sigtimedwait,posix_kill,pcntl_sigprocmask,fput,phpinfo,phpAds_remoteInfo,ftp_login,inject_code,posix_mkfifo,highlight_file,escapeshellcmd,show_source,pcntl_wifcontinued,fp,pcntl_alarm,pcntl_wait,ini_alter,posix_setpgid,parse_ini_file,ftp_raw,pcntl_waitpid,pcntl_getpriority,ftp_connect,pcntl_signal_dispatch,pcntl_wstopsig,ini_restore,ftp_put,passthru,proc_terminate,posix_setsid,pcntl_signal,pcntl_setpriority,phpAds_xmlrpcEncode,pcntl_exec,ftp_nb_fput,ftp_get,phpAds_xmlrpcDecode,pcntl_sigwaitinfo,shell_exec,pcntl_get_last_error,ftp_rawlist,pcntl_fork,posix_setuid/g' /usr/local/etc/php.ini
    
    Then we need to generate Diffie–Hellman (DH) parameters that we will use in our webserver, postfix, dovecot, etc.
    openssl dhparam -out dh2048_param.pem 2048
    mv -f dh2048_param.pem /etc/ssl/
    
    Next we need to set up a web server. Take your choice of Apache or Nginx; both are fine web servers.

    Apache:

    First we need to install Apache:
    pkg install apache24
    
    Then download and install a preconfigured httpd.conf file:
    fetch https://the-slacker.com/download/freebsd-httpd.conf
    mv -f freebsd-httpd.conf /usr/local/etc/apache24/httpd.conf
    
    Then edit /usr/local/etc/apache24/httpd.conf:
    Change ServerAdmin to your email address.
    Change ServerName to your domain name.
    
    Then edit /usr/local/etc/rc.d/apache24:
    Change the NO to YES in the line "apache24_http_accept_enable="NO""
    This allows the use of a kernel module that can help the performance of Apache.
    
    Then enable Apache in the rc.conf file:
    service apache24 enable
    
    Then enable the needed php-fpm service:
    service php_fpm enable
    
    Then start Apache and php-fpm:
    service apache24 onestart
    service php_fpm start
    
    You should be able to reach your server at, e.g., http://example.org

    If you want to install a robots.txt file that is set to allow good robots and disallow bad robots, then download and install the following:

    fetch https://the-slacker.com/download/robots.txt
    mv -f robots.txt /usr/local/www/apache24/data/
    
    Apache will not work like we need it to yet without SSL certs. In the next section we'll get free Let's Encrypt certs.

    Nginx:

    If you want to use the Nginx web server instead of Apache follow instructions below.

    First we need to install Nginx:

    pkg install nginx
    
    Then enable Nginx and php-fpm:
    service nginx enable
    service php_fpm enable
    
    Then start Nginx and php-fpm:
    service nginx start
    service php_fpm start
    
    You should be able to reach your server at, e.g., http://example.org

    If you want to install a robots.txt file that is set to allow good robots and disallow bad robots, then download and install the following:

    fetch https://the-slacker.com/download/robots.txt
    mv -f robots.txt /usr/local/www/nginx/
    
    Nginx will not work like we need it to yet without SSL certs. In the next section we'll get free Let's Encrypt certs.
  7. Let's Encrypt SSL Certs

    Apache and Nginx are not configured for SSL out of the box, so we need to change that.

    First we'll need to install "certbot", so we can acquire and update our SSL Certificates:

    pkg install py311-certbot
    

    Let's Encrypt setup with Apache web server

    First prepare for the Let’s Encrypt’s verification challenge:
    mkdir -p /usr/local/www/apache24/data/.well-known/acme-challenge
    
    Then make sure Apache is running and you can reach your server:
    http://example.org # Adjust for your actual domain name.
    
    Then run Certbot to acquire your SSL certificates:
    Adjust the below command to match your actual FQDN and domain name.
    certbot certonly --webroot -w /usr/local/www/apache24/data -d mail.example.org -d www.example.org -d example.org 
    
    If the Let's Encrypt certs were installed successfully, then edit /usr/local/etc/apache24/httpd.conf:
    Down at the bottom of the file:
    Uncomment #Include etc/apache24/extra/httpd-ssl.conf
    
    Download and install a preconfigured httpd-ssl.conf:
    fetch https://the-slacker.com/download/freebsd-httpd-ssl.conf
    mv -f freebsd-httpd-ssl.conf /usr/local/etc/apache24/extra/httpd-ssl.conf
    
    Edit /usr/local/etc/apache24/extra/httpd-ssl.conf
    Change ServerName to match your domain name.
    Change ServerAdmin to match your email.
    
    Uncomment and change to match your Let's Encrypt certs.
    #SSLCertificateFile "/usr/local/etc/letsencrypt/live/mail.example.org/fullchain.pem"
    #SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/mail.example.org/privkey.pem"
    
    If you want to redirect all http traffic to https, then edit /usr/local/etc/apache24/httpd.conf:
    Put the following just below Listen 80:
    
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    
    Restart Apache:
    service apache24 restart
    
    Hopefully you can now reach your server at https://example.org.

    Lastly, set certbot to check every week if a renewal is needed for the Let's Encrypt certs.
    Put the two lines below in your /etc/defaults/periodic.conf file.

    # 500.certbot            
    weekly_certbot_enable="YES"
    
    That should do it for now with Let's Encrypt setup for Apache.

    Let's Encrypt setup with Nginx web server

    First prepare for the Let’s Encrypt’s verification challenge:
    mkdir -p /usr/local/www/nginx/.well-known/acme-challenge
    
    Then make sure Nginx is running and you can reach your server:
    http://example.org # Adjust for your actual domain name.
    
    Then run Certbot to acquire your SSL certificates:
    Adjust the below command to match your actual FQDN and domain name.
    certbot certonly --webroot -w /usr/local/www/nginx -d mail.example.org -d www.example.org -d example.org 
    
    If the Let's Encrypt certs were installed successfully, then we need to edit /usr/local/etc/nginx/nginx.conf:
    The bottom of the file in the "HTTPS server" section needs to look like this. Adjust for your Let's Encrypt
    certs location, and make sure "root /usr/local/www/nginx" matches the actual location of your webroot.
        # HTTPS server
        #
        server {
            listen        443 ssl;
            http2         on;
            server_name   _;
            ssl_protocols TLSv1.2 TLSv1.3;
    
            ssl_certificate     /usr/local/etc/letsencrypt/live/mail.example.org/fullchain.pem;
            ssl_certificate_key /usr/local/etc/letsencrypt/live/mail.example.org/privkey.pem;
    
            ssl_session_cache    shared:SSL:1m;
            ssl_session_timeout  5m;
            
            # ssl_ciphers
            ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384;
            ssl_prefer_server_ciphers  on;
            
            # Prevent Logjam attack
            ssl_dhparam /etc/ssl/dh2048_param.pem;
            
            location / {
               root   /usr/local/www/nginx;
               index  index.php index.html;
            }
        }
    
    If you want to redirect all http traffic to https, then edit /usr/local/etc/nginx/nginx.conf:
    Comment or delete the following from the http server section:
    
        location / {
            root   /usr/local/www/nginx;
            index  index.html index.htm;
        }
         
    Add the following in the http Server section:
    
        # Redirect all insecure http requests to https.
        location / {
            return 301 https://$host$request_uri;
        }
    
    Restart Nginx:
    service nginx restart
    
    Hopefully you can now reach your server at https://example.org.

    Lastly, set certbot to check every week if a renewal is needed for the Let's Encrypt certs.
    Put the two lines below in your /etc/defaults/periodic.conf file.

    # 500.certbot            
    weekly_certbot_enable="YES"
    
    That should do it for now with Let's Encrypt setup for Nginx.

    Use Let's Encrypt certs with Webmin

    If you installed Webmin, then you can use the Let's Encrypt ssl certs to avoid having to add an exception to get to the login.

    Edit the /usr/local/etc/webmin/miniserv.conf file and add the following:

    keyfile=/usr/local/etc/letsencrypt/live/mail.example.org/privkey.pem
    certfile=/usr/local/etc/letsencrypt/live/mail.example.org/fullchain.pem
    
    Then restart Webmin:
    service webmin restart
    
    That should do it for Let's Encrypt for now.
  8. MySQL (Oracle)

    Install MySQL (Oracle):

    Notice!
    Oracle MySQL isn't the same as MariaDB MySQL. FreeBSD defaults to Oracle MySQL, so prebuilt FreeBSD packages that
    are built with MySQL support are built with Oracle MySQL support. I'll be installing and using Oracle MySQL, so I can use
    the FreeBSD prebuilt packages.

    pkg install mysql80-server mysql80-client
    
    Enable MySQL to start at boot and start it:
    service mysql-server enable
    service mysql-server start
    
    Secure the MySQL Installation:
    mysql_secure_installation
    
    Test it to see if it's working properly:
    mysql -u root -p
    
    We'll need to add php mysql support:
    pkg install php84-pdo_mysql
    
    That should do it for MySQL for now.
  9. Dovecot

    First we'll need to create the MySQL vmail user and database that we'll need for Dovecot, Postfix, Postfixadmin, and
    Roundcube. Make it a strong password with only upper and lower case letters and numbers, no special characters.
    mysql -u root -p
    CREATE DATABASE vmail;
    CREATE USER 'vmail'@'localhost' IDENTIFIED BY 'vmailpassword';
    GRANT ALL PRIVILEGES ON vmail.* TO 'vmail'@'localhost';
    FLUSH PRIVILEGES;
    QUIT;
    
    Next we create the vmail group and user with the following commands:
    pw groupadd -n vmail -g 150
    pw useradd -n vmail -d /var/vmail -s /usr/sbin/nologin -u 150 -g 150
    mkdir /var/vmail
    chmod 770 /var/vmail
    chown vmail:vmail /var/vmail
    
    Then we'll need to install Dovecot with builtin MySQL support:
    pkg install dovecot-mysql
    
    Install the needed Dovecot config files:
    cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot
    
    Then edit /usr/local/etc/dovecot/conf.d/10-ssl.conf
    Add the below settings in the file, and make sure to adjust for your Let's Encrypt certs:
    
    ssl_min_protocol = TLSv1.2
    ssl = required
    verbose_ssl = no
    ssl_cert = </usr/local/etc/letsencrypt/live/mail.example.org/fullchain.pem
    ssl_key = </usr/local/etc/letsencrypt/live/mail.example.org/privkey.pem
    ssl_dh = </etc/ssl/dh2048_param.pem
    # Fix 'The Logjam Attack'
    ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH
    ssl_prefer_server_ciphers = yes
    
    Enable and start Dovecot:
    service dovecot enable
    service dovecot start
    
    Then we create a new /usr/local/etc/dovecot/dovecot-sql.conf.ext file with:
    Copy and paste the full echo command below into PuTTY and run it.
    echo -e "driver = mysql
    connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=vmailpassword
    default_pass_scheme = SHA512-CRYPT
    
    password_query = \\
      SELECT username as user, password, '/var/vmail/%d/%n' as \\
      userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, \\
      150 as userdb_uid, 150 as userdb_gid \\
      FROM mailbox WHERE username = '%u' AND active = '1'
    
    user_query = \\
      SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' \\
      as mail, 150 AS uid, 150 AS gid, \\
      concat('dirsize:storage=', quota) AS quota \\
      FROM mailbox WHERE username = '%u' AND active = '1'" > /usr/local/etc/dovecot/dovecot-sql.conf.ext
    
    Make sure to edit /usr/local/etc/dovecot/dovecot-sql.conf.ext with the vmail password you made earlier.
    Then set secure permissions on /usr/local/etc/dovecot/dovecot-sql.conf.ext with:
    chmod 0600 /usr/local/etc/dovecot/dovecot-sql.conf.ext
    
    Next create a new /usr/local/etc/dovecot/conf.d/10-auth.conf file with:
    echo -e 'disable_plaintext_auth = yes
    auth_mechanisms        = plain login
    !include auth-sql.conf.ext' >  /usr/local/etc/dovecot/conf.d/10-auth.conf
    
    Next append to the /usr/local/etc/dovecot/conf.d/10-mail.conf file with the following:
    echo -e 'mail_location   = maildir:/var/vmail/%d/%n
    mail_uid        = vmail
    mail_gid        = vmail
    first_valid_uid = 150
    last_valid_uid  = 150' >> /usr/local/etc/dovecot/conf.d/10-mail.conf
    
    Next we download a preconfigured Dovecot 10-master.conf file, and move it to /usr/local/etc/dovecot/conf.d/:
    fetch https://the-slacker.com/download/10-master.conf
    mv -f 10-master.conf /usr/local/etc/dovecot/conf.d/
    
    Next we append logging settings to the /usr/local/etc/dovecot/conf.d/10-logging.conf file, directing the log files
    to the /var/log/dovecot directory.
    First make the /var/log/dovecot directory:
    
    mkdir /var/log/dovecot
    
    Then run echo command below:
    
    echo -e '## Log destination.
    ##
    log_path       = /var/log/dovecot/dovecot.log
    info_log_path  = /var/log/dovecot/dovecot-info.log' >> /usr/local/etc/dovecot/conf.d/10-logging.conf
    
    Dovecot Pigeonhole for Sieve and ManageSieve support.

    Install dovecot-pigeonhole with MySQL support:

    pkg install dovecot-pigeonhole-mysql
    
    Next we'll need to copy the following example configuration files into the /usr/local/etc/dovecot/conf.d directory:
    cp /usr/local/share/doc/dovecot/example-config/conf.d/90-sieve.conf /usr/local/etc/dovecot/conf.d/
    cp /usr/local/share/doc/dovecot/example-config/conf.d/90-sieve-extprograms.conf /usr/local/etc/dovecot/conf.d/
    cp /usr/local/share/doc/dovecot/example-config/conf.d/20-managesieve.conf /usr/local/etc/dovecot/conf.d/
    
    We will need to create the following Dovecot configuration files now:

    Create new /usr/local/etc/dovecot/conf.d/20-lmtp.conf file with the following echo command, and edit for your domain.

    echo -e 'protocol lmtp {
      postmaster_address = admin@example.org
      mail_plugins       = $mail_plugins sieve quota
      log_path           = /var/log/dovecot/dovecot-lmtp-errors.log
      info_log_path      = /var/log/dovecot/dovecot-lmtp.log
    }' > /usr/local/etc/dovecot/conf.d/20-lmtp.conf
    
    Create new /usr/local/etc/dovecot/conf.d/15-lda.conf file with the following echo command, and edit for your domain.
    echo -e 'protocol lda {
      postmaster_address = admin@example.org
      mail_plugins       = $mail_plugins sieve quota
      auth_socket_path   = /var/run/dovecot/auth-master
      log_path           = /var/log/dovecot/dovecot-lda-errors.log
      info_log_path      = /var/log/dovecot/dovecot-lda.log
    }' > /usr/local/etc/dovecot/conf.d/15-lda.conf
    
    Append the following to the /usr/local/etc/dovecot/conf.d/10-mail.conf file with this echo command.
    echo -e 'mail_home       = /var/vmail/%d/%n/sieve' >> /usr/local/etc/dovecot/conf.d/10-mail.conf
    
    Create new /usr/local/etc/dovecot/conf.d/20-managesieve.conf file with the following echo command:
    echo -e 'protocols = $protocols sieve
    
    service managesieve-login {
      inet_listener sieve {
        port = 4190
      }
    }
    
    service managesieve {
      process_limit = 1024
    }
    
    protocol sieve {
      log_path                          = /var/log/dovecot/dovecot-sieve-errors.log
      info_log_path                     = /var/log/dovecot/dovecot-sieve.log
      managesieve_max_line_length       = 65536
      managesieve_implementation_string = Dovecot Pigeonhole
    }' > /usr/local/etc/dovecot/conf.d/20-managesieve.conf
    
    Create new /usr/local/etc/dovecot/conf.d/90-sieve.conf file with the following echo command:
    echo -e 'plugin {
        sieve = file:/var/vmail/%d/%n/sieve;active=/var/vmail/%d/%n/sieve/.dovecot.sieve
        sieve_default = /usr/local/etc/dovecot/sieve/default.sieve
        sieve_global = /usr/local/etc/dovecot/sieve/global/
    }
    lda_mailbox_autocreate = yes
    lda_mailbox_autosubscribe = yes' > /usr/local/etc/dovecot/conf.d/90-sieve.conf
    
    Now we need to create some directories that are needed for our configuration to work:
    mkdir -p /usr/local/etc/dovecot/sieve/global
    chown -R vmail:vmail /usr/local/etc/dovecot/sieve/
    mkdir -p /var/log/dovecot
    chown vmail:vmail /var/log/dovecot
    
    Then create the file /usr/local/etc/dovecot/sieve/default.sieve with the following commands.
    It will send Spam to the Junk folder.
    echo -e 'require "fileinto";
    if header :contains "X-Spam-Flag" "YES" {
        fileinto "Junk";
    }' > /usr/local/etc/dovecot/sieve/default.sieve
    
    chown vmail:vmail /usr/local/etc/dovecot/sieve/default.sieve
    
    Add www to the vmail group:
    pw groupmod vmail -m www
    
  10. Postfix

    Install Postfix with MySQL support:
    pkg install postfix-mysql
    
    Then enable postfix and disable sendmail:
    sysrc postfix_enable="YES"
    sysrc sendmail_enable="NONE"
    
    Then install the mailer.conf file for postfix:
    install -d /usr/local/etc/mail
    install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
    
    Then start postfix:
    service postfix start
    
    We'll need to make a mysql directory for postfix:
    mkdir -p /usr/local/etc/postfix/mysql
    
    Now we'll create the 5 needed mysql map files with the needed content.

    First the /usr/local/etc/postfix/mysql/mysql_virtual_alias_domainaliases_maps.cf file:

    echo -e "user = vmail 
    password = vmailpassword
    hosts = 127.0.0.1:3306 
    dbname = vmail 
    query = SELECT goto FROM alias,alias_domain 
      WHERE alias_domain.alias_domain = '%d' 
      AND alias.address=concat('%u', '@', alias_domain.target_domain) 
      AND alias.active = 1" > /usr/local/etc/postfix/mysql/mysql_virtual_alias_domainaliases_maps.cf
    
    Second the /usr/local/etc/postfix/mysql/mysql_virtual_alias_maps.cf file:
    echo -e "user = vmail
    password = vmailpassword
    hosts = 127.0.0.1:3306
    dbname = vmail
    table = alias
    select_field = goto 
    where_field = address
    additional_conditions = and active = '1'" > /usr/local/etc/postfix/mysql/mysql_virtual_alias_maps.cf
    
    Third the /usr/local/etc/postfix/mysql/mysql_virtual_domains_maps.cf file:
    echo -e "user = vmail
    password = vmailpassword
    hosts = 127.0.0.1:3306
    dbname = vmail
    table = domain
    select_field = domain 
    where_field = domain
    additional_conditions = and backupmx = '0' and active = '1'" > /usr/local/etc/postfix/mysql/mysql_virtual_domains_maps.cf
    
    Fourth the /usr/local/etc/postfix/mysql/mysql_virtual_mailbox_domainaliases_maps.cf file:
    echo -e "user = vmail
    password = vmailpassword
    hosts = 127.0.0.1:3306
    dbname = vmail
    query = SELECT maildir FROM mailbox, alias_domain
      WHERE alias_domain.alias_domain = '%d' 
      AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
      AND mailbox.active = 1" > /usr/local/etc/postfix/mysql/mysql_virtual_mailbox_domainaliases_maps.cf
    
    Fifth the /usr/local/etc/postfix/mysql/mysql_virtual_mailbox_maps.cf file:
    echo -e "user = vmail
    password = vmailpassword
    hosts = 127.0.0.1:3306
    dbname = vmail
    table = mailbox
    select_field = CONCAT(domain, '/', local_part) 
    where_field = username
    additional_conditions = and active = '1'" > /usr/local/etc/postfix/mysql/mysql_virtual_mailbox_maps.cf
    
    Make sure to set your vmail database password created earlier in the 5 files just created.

    Then set secure permissions on all the /usr/local/etc/postfix/mysql/* files with:
    chmod 0600 /usr/local/etc/postfix/mysql/*
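
    An added example, not part of the original how-to: an audit of the files that hold the vmail database password, covering both the
    dovecot-sql.conf.ext file from the Dovecot section and the five Postfix map files above. It reports any file that is readable by
    group or other, or that still contains the placeholder "vmailpassword". The function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original how-to: confirm the files that hold the
# vmail database password are private (as after chmod 0600) and no longer
# contain the how-to's placeholder "vmailpassword".

PLACEHOLDER='vmailpassword'

# Succeed if the file grants nothing to group or other (e.g. -rw-------).
perms_private() {
    [ "$(ls -ld "$1" | cut -c 5-10)" = "------" ]
}

# Succeed if a password setting still carries the placeholder value.
# Matches both "password = vmailpassword" and "password=vmailpassword".
has_placeholder() {
    grep -Eq "password[[:space:]]*=[[:space:]]*${PLACEHOLDER}([[:space:]]|\$)" "$1"
}

# audit_secrets FILE...: print one finding per problem; return 1 if any.
audit_secrets() {
    as_bad=0
    for as_f in "$@"; do
        if [ ! -f "$as_f" ]; then
            echo "MISSING     $as_f"; as_bad=1; continue
        fi
        if ! perms_private "$as_f"; then
            echo "PERMS       $as_f is $(ls -ld "$as_f" | cut -c 1-10)"; as_bad=1
        fi
        if has_placeholder "$as_f"; then
            echo "PLACEHOLDER $as_f still uses $PLACEHOLDER"; as_bad=1
        fi
    done
    return "$as_bad"
}

# Usage on the server built in this how-to (as root):
#   sh audit-secrets.sh /usr/local/etc/dovecot/dovecot-sql.conf.ext \
#                       /usr/local/etc/postfix/mysql/*.cf
if [ "$#" -gt 0 ]; then audit_secrets "$@"; fi
```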
    
    Then download and install the needed aliases file for this mail server, then run newaliases at the prompt.
    Before you run newaliases at the prompt, make sure to adjust the bottom line of the aliases file to match
    the email address that gets root's mail.
    fetch https://the-slacker.com/download/aliases
    mv -f aliases /usr/local/etc/postfix/
    newaliases
    
    Next download and install the /usr/local/etc/postfix/main.cf file that I use for this how-to, and of course adjust
    for your domain and Let's Encrypt ssl certs:
    fetch https://the-slacker.com/download/main.cf.freebsd
    mv -f main.cf.freebsd /usr/local/etc/postfix/main.cf
    
    Then download and install the /usr/local/etc/postfix/master.cf file that I use for this how-to. You shouldn't have to make
    any adjustments here:
    fetch https://the-slacker.com/download/master.cf.freebsd
    mv -f master.cf.freebsd /usr/local/etc/postfix/master.cf
    
    Add Postfix to the Dovecot group with:
    pw groupmod dovecot -m postfix
    
  11. PostfixAdmin:

    PostfixAdmin will be our mail admin panel. We will install it with:
    pkg install postfixadmin33-php84
    cd /usr/local/www
    ln -s postfixadmin33 postfixadmin
    cd postfixadmin
    mkdir -p templates_c
    chown www:www templates_c
    
    Make a copy of config.inc.php to config.local.php and make your changes there:
    cp /usr/local/www/postfixadmin/config.inc.php /usr/local/www/postfixadmin/config.local.php
    chown root:www /usr/local/www/postfixadmin/config.local.php
    chmod 0640 /usr/local/www/postfixadmin/config.local.php
    
    Then we'll create the setup_password for postfixadmin. Copy, paste, and run all 7 lines of code
    below at once to get the postfixadmin setup password and its hash. The postfixadmin setup
    password will be in the /root/SlackerMail/postfixadmin_setup.pass file, and the hashed password
    that we use in the config.local.php file will be in the /root/SlackerMail/postfixadmin_setup_hashed.pass file.
    mkdir -p /root/SlackerMail
    PASSWD=$(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1)
    echo $PASSWD > /root/SlackerMail/postfixadmin_setup.pass
    SETUPPASS=$(cat /root/SlackerMail/postfixadmin_setup.pass)
    HASHPASS=$(doveadm pw -p $SETUPPASS)
    echo $HASHPASS | cut -c 8- > /root/SlackerMail/postfixadmin_setup_hashed.pass
    chmod 0600 /root/SlackerMail/postfixadmin_setup.pass /root/SlackerMail/postfixadmin_setup_hashed.pass
    
    Then enter the hashed password from /root/SlackerMail/postfixadmin_setup_hashed.pass in the
    setup_password field in /usr/local/www/postfixadmin/config.local.php like below. I left all settings at
    default values except what I changed below, and of course adjust for your domain and passwords.
    Here are the settings I set in config.local.php:
    $CONF['configured'] = true;
    $CONF['setup_password'] = 'hashed-setup-password-here';
    $CONF['database_type'] = 'mysqli';
    $CONF['database_user'] = 'vmail';
    $CONF['database_password'] = "vmail-db-password-here";
    $CONF['database_name'] = 'vmail';
    $CONF['database_host'] = 'localhost';
    $CONF['database_port'] = '3306';
    //$CONF['database_socket'] = ''; Comment out, since we are using port instead of socket.
    $CONF['admin_email'] = 'admin@example.org';
    $CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
    $CONF['dovecotpw'] = "/usr/local/bin/doveadm pw"; # FreeBSD
    $CONF['default_aliases'] = array (
        'abuse' => 'admin@example.org',
        'hostmaster' => 'admin@example.org',
        'postmaster' => 'admin@example.org',
        'webmaster' => 'admin@example.org',
        'virusalert' => 'admin@example.org',
        'root' => 'admin@example.org'
     );
    $CONF['domain_path'] = 'NO';
    $CONF['domain_in_mailbox'] = 'YES';
    $CONF['footer_text'] = 'Return to example.org';
    $CONF['footer_link'] = 'https://example.org';
    $CONF['emailcheck_resolve_domain']='NO';
    $CONF['password_expiration'] = 'NO';
    
    Next create the needed postfixadmin tables for the vmail mysql database with:
    php /usr/local/www/postfixadmin/public/upgrade.php
    
    Then create the superadmin user for postfixadmin. The password and password2 must be the same
    password that you want for the superadmin login of postfixadmin. The reason for entering the same
    password twice is because of the postfixadmin setup script asking to confirm password.
    chmod 0755 /usr/local/www/postfixadmin/scripts/postfixadmin-cli
    /usr/local/www/postfixadmin/scripts/postfixadmin-cli admin add admin@example.org --superadmin 1 --active 1 --password admin-password --password2 admin-password
    
    Then add your domain to postfixadmin. You can adjust --aliases, --mailboxes, and --description to
    whatever you want.
    /usr/local/www/postfixadmin/scripts/postfixadmin-cli domain add example.org --aliases 100 --mailboxes 1000 --active 1 --description example.org
    
    Lastly add the mailbox for admin@example.org, and again enter the same password twice. You can adjust
    --name to your liking, and you can adjust --quota. I have --quota set to 100 here, which is 100mb.
    /usr/local/www/postfixadmin/scripts/postfixadmin-cli mailbox add admin@example.org --name admin --quota 0 --active 1 --password roundcube-mailbox-password --password2 roundcube-mailbox-password
    
    If Nginx is your webserver:

    Next we need to add the php_workers upstream to the /usr/local/etc/nginx/nginx.conf file. Put this in the http section above the http server section:

        upstream php_workers {
            server 127.0.0.1:9000;  # Adjust the IP and port as necessary
        }
    
    Lastly we'll need to add postfixadmin into our /usr/local/etc/nginx/nginx.conf file. Put this in the HTTPS server section of the file:
            # Postfixadmin
            location = /postfixadmin {
                return 301 /postfixadmin/;
            }
       
            location ~ ^/postfixadmin/(.*\.php)$ {
                add_header Strict-Transport-Security "max-age=31536000";
                include fastcgi_params;
                fastcgi_index index.php;
                fastcgi_pass php_workers;
                fastcgi_param HTTP_PROXY '';
                fastcgi_param SCRIPT_FILENAME /usr/local/www/postfixadmin/public/$1;
            }
       
            location ~ ^/postfixadmin/(.*) {
                alias /usr/local/www/postfixadmin/public/$1;
                index index.php;
            }
    
    Restart Nginx:
    service nginx restart
    
    Now you should be able to login to postfixadmin at https://example.org/postfixadmin as admin@example.org
    with your admin-password. After Roundcubemail is setup you will be able to login to your admin@example.org
    mailbox with your roundcube-mailbox-password.

    If Apache is your webserver:

    
    Now you should be able to login to postfixadmin at https://example.org/postfixadmin as admin@example.org
    with your admin-password. After Roundcubemail is setup you will be able to login to your admin@example.org
    mailbox with your roundcube-mailbox-password.
  12. Roundcube Webmail Client:

    Important! - Don't use any special characters in the roundcubemail database password, just upper and lower
    case letters and numbers.

    You can use the following commands to create a roundcube database password for you, or you can make up your
    own password in the mysql creation of the roundcubemail database. You can adjust the length of the password by
    changing "fold -w 24" to any number you want. The resulting password will be at:
    /root/SlackerMail/roundcube_password.pass

    PASSWD=$(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1)
    echo $PASSWD > /root/SlackerMail/roundcube_password.pass
    chmod 0600 /root/SlackerMail/roundcube_password.pass
    
    We'll need to create the mysql database for roundcubemail with:
    mysql -u root -p
    CREATE DATABASE roundcubemail CHARACTER SET utf8 COLLATE utf8_general_ci;
    CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'roundcube_password';
    GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'localhost';
    FLUSH PRIVILEGES;
    QUIT;
    
    Then we'll install Roundcube with:
    pkg install roundcube-php84
    pkg install php84-gd php84-curl
    chown -R www /usr/local/www/roundcube
    
    Then run the following:
    Note! Make sure to put your roundcube_password in the mysql command below, directly after the -p without any quotes.
    cd /usr/local/www/roundcube
    mysql -u roundcube roundcubemail -proundcube_password < SQL/mysql.initial.sql
    
    Next I had to create a postfix file that roundcube expects:
    echo '#submission header checks file' >> /usr/local/etc/postfix/submission_header_checks
    
    You can setup Roundcube with the installer wizard, but it's easier for me to do it manually.
    First we need to generate the 24 character Des-Key that Roundcube needs with:
    DESKEY=$(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1)
    echo $DESKEY > /root/SlackerMail/roundcubemail.deskey
    
    The 24-character-Des-Key will be in the /root/SlackerMail/roundcubemail.deskey file, so just
    copy that and paste it into the /usr/local/www/roundcube/config/config.inc.php file in the
    appropriate config section.

    Then download the needed /usr/local/www/roundcube/config/config.inc.php file, and adjust
    for your domain, roundcube password, and 24-character-DES-Key with the following:

    fetch https://the-slacker.com/download/config.inc.php.rcm
    mv -f config.inc.php.rcm /usr/local/www/roundcube/config/config.inc.php
    chown www:www /usr/local/www/roundcube/config/config.inc.php
    chmod 0600 /usr/local/www/roundcube/config/config.inc.php
    
    You'll need to edit the following fields in /usr/local/www/roundcube/config/config.inc.php:
    $config['db_dsnw'] = 'mysql://roundcube:password-here@localhost/roundcubemail';
    $config['support_url'] = 'https://example.org';
    $config['des_key'] = '24-character-Des-Key';
    
    Now you need to setup the roundcubemail password plugin configuration file, so users can change passwords:
    cp /usr/local/www/roundcube/plugins/password/config.inc.php.dist /usr/local/www/roundcube/plugins/password/config.inc.php
    chown www /usr/local/www/roundcube/plugins/password/config.inc.php
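
    The steps above leave database passwords, the setup hash and the Des-Key in several files. The
    following audit is an added example, not part of the original guide: it flags any of those files
    that other local users can access or that still contain one of the guide's placeholder strings.
    The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the secret-bearing files.

# Placeholder strings the guide prints where a real secret has to be filled in
# ("password-here" also covers the longer *-password-here variants).
PLACEHOLDERS='vmailpassword password-here 24-character-Des-Key'

# audit_secret_file FILE: print one finding per line, return 1 if there are any.
audit_secret_file() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    # Any read or write bit for "other" exposes the secret to every local user.
    if [ -n "$(find "$file" \( -perm -004 -o -perm -002 \))" ]; then
        echo "$file: accessible to other users"
        rc=1
    fi
    for ph in $PLACEHOLDERS; do
        if grep -qF -- "$ph" "$file"; then
            echo "$file: placeholder '$ph' still present"
            rc=1
        fi
    done
    return "$rc"
}

# audit_secrets FILE...: audit every file, return 1 if any file has a finding.
audit_secrets() {
    failed=0
    for path in "$@"; do
        audit_secret_file "$path" || failed=1
    done
    return "$failed"
}

# Usage with the guide's paths, as root on the mail server:
#   audit_secrets /usr/local/etc/postfix/mysql/*.cf \
#       /usr/local/www/postfixadmin/config.local.php \
#       /usr/local/www/roundcube/config/config.inc.php \
#       /root/SlackerMail/*
```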
    
  13. Amavisd with ClamAV and SpamAssassin:

    Install amavisd-new:
    pkg install amavisd-new
    service amavisd enable
    service amavisd start
    
    SpamAssassin is installed with Amavisd-New, so we need to update its database:
    sa-update
    sa-compile
    
    Install ClamAV:
    pkg install clamav
    
    Then enable clamav and freshclam:
    service clamav_freshclam enable
    service clamav_clamd enable
    
    Then run freshclam and start clamav_clamd:
    service clamav_freshclam start
    Wait for about 1 minute, then:
    service clamav_clamd start
    
    After ClamAV is installed run the following sed command to set LocalSocketGroup vscan:
    sed -i '' 's/#LocalSocketGroup virusgroup/LocalSocketGroup vscan/g' /usr/local/etc/clamd.conf
    
    Next add vscan to the clamav group and clamav to the vscan group:
    pw groupmod clamav -m vscan
    pw groupmod vscan -m clamav
    
    We'll be using the DKIM perl module to verify and sign emails.
    We'll first need to make our private and public keys (adjust for your domain) with:
    openssl genrsa -out example.org.priv 2048
    openssl rsa -in example.org.priv -pubout > example.org.pub
    
    Then we'll install the DKIM keys:
    mv -f example.org.priv /etc/ssl/example.org.pem
    mv -f example.org.pub /etc/ssl/
    chown vscan:vscan /etc/ssl/example.org.pem /etc/ssl/example.org.pub
    chmod 600 /etc/ssl/example.org.pem 
    chmod 644 /etc/ssl/example.org.pub
    
    Run the following line of piped commands to format your example.org.pub file for entering into a DNS Zone Record
    for DKIM, and of course adjust for your domain:
    sed '1d;$d' "/etc/ssl/example.org.pub" | sed '1s/.*/v=DKIM1;p=&/' | tr -d '\n' > /root/example.org.pub.txt
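
    Before pasting /root/example.org.pub.txt into the DNS zone, it helps to confirm that the record is
    well formed and that it belongs to the private key used for signing. The following is an added
    example, not part of the original guide. The function names are made up for this example, and it
    assumes the openssl command is available. A 2048-bit key gives a value of about 400 characters,
    longer than the 255 bytes a single TXT string can hold, so the last function prints it split into
    quoted strings.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks for the DKIM TXT value.
DKIM_PREFIX='v=DKIM1;p='

# Same transformation as the guide's sed/tr pipeline: PEM public key -> record.
dkim_record() {
    sed '1d;$d' "$1" | sed '1s/.*/v=DKIM1;p=&/' | tr -d '\n'
}

# Return 0 if RECORD ($1) has the prefix and a clean, untruncated base64 key.
dkim_check() {
    case $1 in
        "$DKIM_PREFIX"?*) ;;
        *) echo "missing $DKIM_PREFIX prefix or empty key" >&2; return 1 ;;
    esac
    key=${1#"$DKIM_PREFIX"}
    case $key in
        *[!A-Za-z0-9+/=]*) echo "p= has non-base64 characters" >&2; return 1 ;;
    esac
    [ $(( ${#key} % 4 )) -eq 0 ] || { echo "p= looks truncated" >&2; return 1; }
}

# Return 0 if RECORD ($1) carries the public half of the private key PEM ($2).
dkim_matches_key() {
    want=$(openssl rsa -in "$2" -pubout -outform DER 2>/dev/null | openssl base64 -A)
    have=${1#"$DKIM_PREFIX"}
    [ -n "$want" ] && [ "$have" = "$want" ]
}

# Print RECORD ($1) as quoted strings of at most 255 bytes, the form a TXT
# record takes when a 2048-bit key makes the value longer than one string.
dkim_txt_strings() {
    printf '%s\n' "$1" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ' | sed 's/ $//'
}

# Usage with the guide's paths, as root on the mail server:
#   rec=$(dkim_record /etc/ssl/example.org.pub)
#   dkim_check "$rec" && dkim_matches_key "$rec" /etc/ssl/example.org.pem \
#       && dkim_txt_strings "$rec"
```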
    
    It's starting to come together. I've been able to send and receive mail through Roundcube,
    and got a 10/10 score at mail-tester.com. From doing this I've also learned ways to improve
    the Slackware SlackerMail mail server. It'll still be a little while before the FreeBSD SlackerMail
    mail server will be ready.







Please send any feedback to: wjack@the-slacker.com