FreeBSD Mail Server

[GrumpyOldMan]

First let me say that I am very new to FreeBSD. However... new enough to be dangerous. I have been searching around for server software to replace my Windows servers and seem to have found that FreeBSD will more than suit my needs for what I am trying to accomplish and with that my interest was peeked. So as anyone with a new powerful toy, we play around with it until we make it work.

I have recently set up a mail server for our company using the tutorial at http://www.purplehat.org/ using FreeBSD 9.1, Maia-Mailguard, MySQL, Dovecot, Postfix, Apache, PHP, PostfixAdmin, SpamAssassin, FuzzyOCR, Clam AV, Pear, Maia-Mailguard, Mailgraph, and Roundcube. Would have liked to use Squirrel Mail, however it kept running into an error on install. Something about it would not run on PHP 5.

I started with this as a full solution as it seems to be a step by step solution, therefore allowing me to educate myself instead of bothering others. Through the process I encountered a few issues and was impressed that through help files I was able to solve them myself.

Anyways, in being new to FreeBSD, I had a couple of questions that I have run into. I was able to get the server up and running flawlessly. Everything works very well. It provided a complete solution as to what I was looking for.
I have noticed in my maillog file that we are experiencing a lot of brute force attacks. I am to understand that this can be eliminated or slowed down by Fail2ban. I was unable to find a dummies install tutorial on this. I tried the tutorial "Secure a FreeBSD mail server running Dovecot with Fail2ban" (https://sites.google.com/site/ghidit/how-to-2/secure-a-mail-server-running-dovecot-with-fail2ban) and it appeared to fail miserably. I'm assuming my lack of FreeBSD configuration knowledge has confused me. Can someone point me in the right direction please?

My second question is that I would like to have the SMTP server listen on another port other than 25 (maybe 587 or 465) and also to use SSL in it's incoming and outgoing connection. Could someone steer me in the right direction for that as well?

Thanks in advance for any help you might can give to me.

 

[SirDice]

security/sshguard is a little easier to configure/install and should also be able to protect Dovecot. I'm using it to protect my SSH from bruteforce attacks.

 

[Anonymous]

... My second question is that I would like to have the SMTP server listen on another port other than 25 (maybe 587 or 465) ...

In file /usr/local/etc/postfix/master.cf locate the lines that start with #submission and #smtps. remove the hash sign and save the file. The submission protocol uses port 587 and the smtps protocol uses port number 465.

Below each of these two lines, there are a variety of commented out options. If you leave them hashed out, then the options for the standard smtp protocol on port number 25 are used.

If you want to disable the smtp protocol on port 25, then you need to put a hash in front of the configuration line that starts with smtp.

... and also to use SSL in it's incoming and outgoing connection. Could someone steer me in the right direction for that as well?

1. If you haven't done it already, you need to obtain a certificate chain from a certification authority. You would either buy a certificate, or create a self-signed one by your own authority. In any case, you would end up with three files in the first place:

The public certificate of the certification authority for your server *.example.com, e.g. server.ca
The certificate of your mail service mail.example.com, e.g. mailservice.crt
The private key of the mail service certificate, e.g. mailservice.key

2. If the private key file is secured with a password, then you need to generate one without password security:
# openssl rsa -in server.key -out mailservice.key

3. Join mailservice.crt and mailservice.key into one file and move it together with the server.ca to a place where postfix can read it.
# cat mailservice.key mailservice.crt > /usr/local/etc/postfix/mailservice.pem
# cp server.ca /usr/local/etc/postfix/server.ca
# chown postfix server.ca mailservice.pem
# chmod 400 server.ca mailservice.pem

4. In configuration file /usr/local/etc/postfix/main.cf you would then add the following lines:

smtp_use_tls = yes
smtp_enforce_tls = no
smtp_tls_loglevel = 0
smtp_tls_CAfile = /usr/local/etc/postfix/server.ca
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_loglevel = 0
smtpd_tls_cert_file = /usr/local/etc/postfix/mailservice.pem

5. Restart postfix by # postfix reload and check the logs for any errors

Note, that the above enables TLS (SSL) only as far as Postfix is concerned. For enabling TLS on POP/IMAP, you need to setup Dovecot respectively. Unfortenately, I cannot be of any help for this, because I have experience only with Cycrus IMAP - new installations I also would do with Dovecot, though.

 

[GrumpyOldMan]

Thank you @SirDice and @RolfHeinrich for the excellent resources and advice you have given me. This information is greatly appreciated!