The main webmail software is Exim.
Source: https://docs.directadmin.com/other-hosting-services/exim/configuring-exim.html
First, set secure access in DirectAdmin settings.
DirectAdmin Admin Panel Dashboard > Admin > Extra Features > CustomBuild > Settings: Options
WEB Server Settings > redirect_host_https = Yes
Mail transfer agent (MTA) = Exim
Mailbox interface server = Dovecot
Mailbox interface client = Roundcube
1) Customize Exim (exim.conf)
Create a copy of the config file first; do not edit the main file /etc/exim.conf directly!
cp /usr/local/directadmin/custombuild/configure/exim/exim.conf /usr/local/directadmin/custombuild/custom/exim/exim.conf
chmod 640 /usr/local/directadmin/custombuild/custom/exim/exim.conf
Modify /usr/local/directadmin/custombuild/custom/exim/exim.conf when needed. This file is used whenever DirectAdmin (re)creates /etc/exim.conf, including on future updates.
The proper way to customize exim.conf is to use the /etc/exim.strings.conf.custom and /etc/exim.variables.conf.custom files.
2) Set Exim SMTP Port
Add the following code to /etc/exim.variables.conf.custom file:
daemon_smtp_ports = 25 : 465 : 587
3) Advertise SMTP AUTH login only when encryption is enabled
nano /usr/local/directadmin/custombuild/custom/exim/exim.conf
Add this line to the authenticators section of your exim.conf:
server_advertise_condition = ${if def:tls_in_cipher }
Afterwards the section might look like this:
##################################################################################
# AUTHENTICATION CONFIGURATION
##################################################################################
begin authenticators
plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = "${perl{smtpauth}{${lc:$auth2}}{$auth3}}"
server_set_id = ${lc:$auth2}
server_advertise_condition = ${if def:tls_in_cipher }
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
4) Only allow AUTH on secure ports
nano /etc/exim.variables.conf.custom
Add the following inside it:
auth_advertise_hosts = ${if or { {eq {$received_port}{465}} {eq {$received_port}{587}} } {*}{}}
5) Optional: force authenticated users to send from their authenticated domain
nano /etc/exim.acl_check_message.pre.conf
Add the following to it:
deny
  authenticated = *
  condition = ${if or { { !eqi{${domain:$authenticated_id}} {$sender_address_domain} }\
                        { !eqi{${domain:{$authenticated_id}} {${domain:{${address:$header_From:}}} }\
                      }\
              }
  message = Your FROM address domain ( $sender_address_domain ) must match your domain name used in authenticated email user ( $authenticated_id ).
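To see what the deny rule above accepts and rejects, here is an added Python model of the same comparison (it is not DirectAdmin's or Exim's code). It reproduces the ACL's logic: only authenticated sessions are checked, the domain of the authenticated id must equal both the envelope sender domain and the domain in the From: header, and the comparison is case-insensitive like Exim's eqi. The sessions at the bottom are constructed samples, not real server logs.

```python
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none.
    parseaddr() strips display names and angle brackets, which is the job
    Exim's ${address:...} operator does on the From: header in the ACL."""
    _, addr = parseaddr(address or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def check_authenticated_sender(authenticated_id, envelope_sender, header_from):
    """Return (accepted, reason) for one message.

    Mirrors the deny ACL: it applies only to authenticated sessions
    (authenticated = *), and denies when the authenticated id's domain differs
    from the envelope sender domain or from the From: header domain."""
    if not authenticated_id:
        return True, "not authenticated; rule does not apply"
    auth_domain = domain_of(authenticated_id)
    if not auth_domain:
        return False, "authenticated id has no domain part"
    env_domain = domain_of(envelope_sender)
    if env_domain != auth_domain:
        return False, "envelope sender domain %r != %r" % (env_domain, auth_domain)
    from_domain = domain_of(header_from)
    if from_domain != auth_domain:
        return False, "From: header domain %r != %r" % (from_domain, auth_domain)
    return True, "ok"


# Constructed sessions: (authenticated id, envelope sender, From: header).
SAMPLE_SESSIONS = [
    ("user@example.com", "user@example.com", "User <user@Example.COM>"),  # case differs only
    ("user@example.com", "user@example.com", "CEO <ceo@other.test>"),     # From: domain differs
    ("user@example.com", "alias@other.test", "user@example.com"),         # envelope domain differs
    (None, "anyone@other.test", "x@y.test"),                              # unauthenticated session
]


def run_samples(sessions=SAMPLE_SESSIONS):
    """Accept/deny verdicts for the constructed sessions, in order."""
    return [check_authenticated_sender(*s)[0] for s in sessions]


if __name__ == "__main__":
    for session, ok in zip(SAMPLE_SESSIONS, run_samples()):
        print(ok, check_authenticated_sender(*session)[1])
```

The first sample shows why the ACL uses eqi rather than eq: a From: header that only differs in case is still the user's own domain. The second is the case the rule is there to stop, an authenticated customer writing a From: address in someone else's domain.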
6) Hide the Exim version in the SMTP banner
Add the following code to the /etc/exim.variables.conf.custom file:
smtp_banner="${primary_hostname}"
7) Change the SSL/TLS protocol and cipher settings in Dovecot
cd /usr/local/directadmin/custombuild/custom/
mkdir dovecot
chmod 711 dovecot
chown diradmin:diradmin dovecot
cd dovecot
mkdir conf
chmod 711 conf
chown diradmin:diradmin conf
cd conf
cp /usr/local/directadmin/custombuild/configure/dovecot/conf/ssl.conf /usr/local/directadmin/custombuild/custom/dovecot/conf/ssl.conf
chmod 640 /usr/local/directadmin/custombuild/custom/dovecot/conf/ssl.conf
nano /usr/local/directadmin/custombuild/custom/dovecot/conf/ssl.conf
Set the minimum TLS protocol version to:
ssl_min_protocol = TLSv1.1
8) Force SSL encryption in Dovecot
nano /etc/dovecot/conf.d/force_ssl.conf
Add the line:
ssl = required
9) Force Roundcube to use SSL/TLS by default
cd /usr/local/directadmin/custombuild/custom/
mkdir roundcube
chmod 711 roundcube
chown diradmin:diradmin roundcube
cd roundcube
Check that config.inc.php is present in:
/var/www/html/roundcubemail-1.6.8/config/config.inc.php
You should find the folder of the installed Roundcube version in /var/www/html/.
Then copy the config.inc.php file, e.g.:
cp /var/www/html/roundcubemail-1.6.8/config/config.inc.php /usr/local/directadmin/custombuild/custom/roundcube/config.inc.php
chmod 640 /usr/local/directadmin/custombuild/custom/roundcube/config.inc.php
nano /usr/local/directadmin/custombuild/custom/roundcube/config.inc.php
Find the force_https line and change it (or add it) to:
$config['force_https'] = true;
10) After everything is done, rebuild the configs
da build exim
da build exim_conf
da build dovecot
da build dovecot_conf
da build roundcube
da build rewrite_confs
systemctl restart directadmin
11) Enable DKIM
Create a DNS zone for the hostname (if it does not already exist).
Reconfigure the hostname for Exim:
/usr/local/directadmin/scripts/hostname.sh host.mywebsite.com
Install DKIM for the hostname:
If the directory does not exist, create it first: mkdir /etc/virtual/host.mywebsite.com
cd /usr/local/directadmin/scripts
./dkim_create.sh host.mywebsite.com
Find/copy the TXT record from the DNS manager,
or find the DKIM public key in /etc/virtual/host.mywebsite.com/dkim.public.key.
For the TXT record you need the subdomain (selector) name, and the following prefix goes before the public key string:
x._domainkey
v=DKIM1; k=rsa; p=
Force DKIM on for all users:
cd /usr/local/directadmin
./directadmin set dkim 1 restart
cd /usr/local/directadmin/custombuild
./build exim
./build exim_conf
Also enable a DMARC record for all domains:
cp /usr/local/directadmin/data/templates/dns_txt.conf /usr/local/directadmin/data/templates/custom/dns_txt.conf
cd /usr/local/directadmin/data/templates/custom/
echo '_dmarc="v=DMARC1; p=reject; sp=reject; pct=100; adkim=r; aspf=s; ruf=mailto:webmaster@|DOMAIN|"' >> dns_txt.conf
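Turning dkim.public.key into the TXT record by hand is where mistakes happen (forgotten prefix, line breaks left in the key, or a value longer than one DNS string allows), so here is an added Python helper for that step and for the DMARC template line. It is not DirectAdmin code: it assumes dkim.public.key is a PEM "PUBLIC KEY" file and that the |DOMAIN| token in dns_txt.conf is replaced per domain, as the template line above suggests; the selector x and the v=DKIM1; k=rsa; p= prefix come from the step itself. The PEM body is constructed filler, not a real key.

```python
import re

SELECTOR = "x"  # DirectAdmin's DKIM selector, as in the x._domainkey name above

# Constructed stand-in for /etc/virtual/<hostname>/dkim.public.key: 392 base64
# characters, the length of a real 2048-bit RSA SubjectPublicKeyInfo. NOT a real key.
_FILLER = "".join(chr(65 + i % 26) for i in range(392))
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(_FILLER[i:i + 64] for i in range(0, len(_FILLER), 64))
    + "\n-----END PUBLIC KEY-----\n"
)

# The DMARC template line from the step above, with the |DOMAIN| token.
DMARC_TEMPLATE = ('_dmarc="v=DMARC1; p=reject; sp=reject; pct=100; adkim=r; aspf=s; '
                  'ruf=mailto:webmaster@|DOMAIN|"')

TXT_STRING_LIMIT = 255  # max length of one character-string in TXT RDATA (RFC 1035)


def pem_body(pem):
    """Strip the BEGIN/END armour and line breaks; return the bare base64 for p=."""
    lines = [ln.strip() for ln in pem.splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("dkim.public.key does not look like a base64 PEM body")
    return b64


def dkim_txt_value(pem):
    """The record value: the prefix shown in the step followed by the key."""
    return "v=DKIM1; k=rsa; p=" + pem_body(pem)


def split_txt_strings(value, limit=TXT_STRING_LIMIT):
    """Split a long value into strings of at most 255 characters; a 2048-bit key
    needs two. Resolvers concatenate them again, but many DNS panels reject a
    single string over the limit."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def dkim_zone_line(pem, selector=SELECTOR):
    """Zone-file line for <selector>._domainkey, ready for the DNS manager."""
    quoted = " ".join('"%s"' % s for s in split_txt_strings(dkim_txt_value(pem)))
    return "%s._domainkey IN TXT %s" % (selector, quoted)


def parse_tags(text):
    """Parse 'tag=value; tag=value' the way DKIM and DMARC verifiers do."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def parse_txt_record(zone_line):
    """Join the quoted strings of a TXT line and parse the tags: what a receiver
    sees, so the split can be checked to round-trip."""
    return parse_tags("".join(re.findall(r'"([^"]*)"', zone_line)))


def render_dns_txt_template(line, domain):
    """Fill the |DOMAIN| token for one domain (assumed template behaviour)."""
    return line.replace("|DOMAIN|", domain)


def dmarc_tags(rendered_line):
    """Tags of a rendered _dmarc="..." template line."""
    _name, _, quoted = rendered_line.partition("=")
    return parse_tags(quoted.strip('"'))


if __name__ == "__main__":
    print(dkim_zone_line(SAMPLE_PEM))
    print(render_dns_txt_template(DMARC_TEMPLATE, "example.com"))
```

Run it against the real file with `dkim_zone_line(open("/etc/virtual/host.mywebsite.com/dkim.public.key").read())` and paste the printed line into the zone; parse_txt_record() on the result should give back exactly the p= value you started from.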
Restart the server. Enjoy!