computing:mailserver

Differences

computing:mailserver [2025/04/12 23:17] oemb1905computing:mailserver [2025/05/15 19:21] (current) oemb1905
Line 11: Line 11:
 ------------------------------------------- -------------------------------------------
  
-This tutorial is for users of Debian GNU/Linux who want to set up a proper email server.. This tutorial assumes you know how to set up A, AAAA, SPF, DKIM, DMARC, MX, and PTR records. Set an A record for example.org and mail.example.org. If you don't know how, then learn up, and do not proceed. //Thanks to LinuxBabe for a great jumping off point//. Let's begin by editing our hosts file ''sudo nano /etc/hosts'' as follows:+This tutorial is for users of Debian GNU/Linux who want to set up a proper email server.. This tutorial assumes you know how to set up A, AAAA, SPF, DKIM, DMARC, MX, and PTR records. Set an A record for example.org and mail.example.org and make sure you or your ISP has set a PTR record to mail.example.org for the IPv4 and IPv6 addresses. If you don't know how, then learn up, and do not proceed. //Thanks to LinuxBabe for a great jumping off point//. Let's begin by editing our hosts file ''sudo nano /etc/hosts'' as follows:
  
   127.0.1.1 example.org example   127.0.1.1 example.org example
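Review bot: the new PTR sentence should also say that the reverse name must resolve back to the same address (forward-confirmed reverse DNS): a PTR pointing at mail.example.org only helps if the A/AAAA records for mail.example.org return that IPv4/IPv6 address, which is what receivers actually verify. Since the HELO name and the PTR are expected to agree, consider whether the ''127.0.1.1'' hosts entry should carry ''mail.example.org'' as well. Minor: the doubled period in "email server.." survives into the new revision.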
Line 22: Line 22:
   sudo apt install ufw   sudo apt install ufw
   sudo ufw allow 22/tcp   sudo ufw allow 22/tcp
-  sudo ufw allow 53/tcp 
   sudo ufw allow 25/tcp   sudo ufw allow 25/tcp
   sudo ufw allow 587/tcp   sudo ufw allow 587/tcp
   sudo ufw allow 143/tcp   sudo ufw allow 143/tcp
 +  sudo ufw allow 465/tcp
   sudo ufw allow 993/tcp   sudo ufw allow 993/tcp
   sudo ufw allow 80   sudo ufw allow 80
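Review bot: dropping the inbound ''53/tcp'' rule is the right call; the recursive resolver this page installs later (unbound) only needs to answer on localhost, and exposing it would turn the box into an open resolver. The added ''465/tcp'' rule matches the ''_submissions._tcp'' SRV record and the port 465 SMTP entry added further down in this diff. Minor consistency point: ''sudo ufw allow 80'' opens both tcp and udp, unlike every other rule here; ''80/tcp'' would match.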
Line 125: Line 125:
   <mail_location = maildir:~/Maildir>   <mail_location = maildir:~/Maildir>
  
-Let's make sure dovecot is part of the mail group with ''sudo adduser dovecot mail'' and now we can configure dovecot with ''sudo nano /etc/dovecot/conf.d/10-master.conf'' in order to be able to leverage lmtp:+Let's make sure dovecot is part of the mail group, including any users you intend to use email: 
 + 
 +  sudo adduser dovecot mail 
 +  sudo adduser username mail 
 +   
 +Now we can configure dovecot over at ''sudo nano /etc/dovecot/conf.d/10-master.conf'' in order to be able to leverage lmtp:
  
   service lmtp {   service lmtp {
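Review bot: the ''sudo adduser username mail'' step is broader than lmtp delivery needs, so the prose should say why it is there. On Debian the mail group has group write on ''/var/mail'', and with ''mail_location = maildir:~/Maildir'' (the context line just above this hunk) Dovecot delivers into each user's home directory, so per-user membership in the mail group mostly grants access to other users' spool files rather than anything Dovecot requires. If it is needed for a reason not shown here, state it; otherwise keep only the dovecot line. Grammar: "including any users you intend to use email" reads better as "including any user who will receive email".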
Line 182: Line 187:
    reject_unauth_destination,    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf    check_policy_service unix:private/policyd-spf
 +
 +You also need to make sure that your spf policy is not set to reject emails by default. 
 +
 +  nano /etc/postfix-policyd-spf-python/policyd-spf.conf
 +  
 +Make sure that ''Fail'' is changed to ''False'' for the top two entries. The policy will ensure that those spf violations are logged, but the change to False ensures no email is lost as a result. 
 +
 +  HELO_reject = False
 +  Mail_From_reject = False
  
 Now, it is time to set up DKIM on your server. After creating the DKIM record/key on your server, you will need to create a corresponding TXT record for it to establish that anything over smtp with that signature is, in fact, you/your server. Let's install opendkim with ''sudo apt install opendkim opendkim-tools'' and add postfix to its group with ''sudo adduser postfix opendkim'' and then adjust the configuration in ''sudo nano /etc/opendkim.conf'' as follows: Now, it is time to set up DKIM on your server. After creating the DKIM record/key on your server, you will need to create a corresponding TXT record for it to establish that anything over smtp with that signature is, in fact, you/your server. Let's install opendkim with ''sudo apt install opendkim opendkim-tools'' and add postfix to its group with ''sudo adduser postfix opendkim'' and then adjust the configuration in ''sudo nano /etc/opendkim.conf'' as follows:
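Review bot: setting ''HELO_reject'' and ''Mail_From_reject'' to ''False'' turns policyd-spf into a log-and-tag check, so a message that hard-fails SPF is still accepted; that is a legitimate monitor-only choice, but the prose should say explicitly that from this point on an SPF failure only has an effect through DMARC evaluation downstream (opendmarc, configured later on this page), and that section in the same diff also stops rejecting. The sentence "Make sure that Fail is changed to False for the top two entries" should name the keys rather than their position, since the two config lines shown are exactly those keys. Minor: the ''nano /etc/postfix-policyd-spf-python/policyd-spf.conf'' line is the only edit command on the page without ''sudo''.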
Line 200: Line 214:
   sudo chmod 711 /etc/opendkim/keys   sudo chmod 711 /etc/opendkim/keys
      
-Once all the directories and key locations are created, let's open the signing table with ''sudo nano /etc/opendkim/signing.table'' and enter the following:+Once all the directories and key locations are created, let's open the signing table with ''sudo nano /etc/opendkim/signing.table'' and enter the following (without the single quotes required here due to markdown conflict):
  
-  *@example.com      default._domainkey.example.com +  '*@example.com      default._domainkey.example.com' 
-  *@*.example.com    default._domainkey.example.com+  '*@*.example.com    default._domainkey.example.com'
  
 Now that the signing table is setup, we need to edit the key table with ''sudo nano /etc/opendkim/key.table'' and enter the following: Now that the signing table is setup, we need to edit the key table with ''sudo nano /etc/opendkim/key.table'' and enter the following:
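Review bot: the single-quote workaround forces the reader to edit the lines after pasting, and the note about a markdown conflict is misleading on a DokuWiki page. DokuWiki renders literal text verbatim inside ''%%...%%'' or a <code> block, so the two ''*@example.com'' lines can be shown exactly as they must appear in signing.table. Also, these entries use example.com while the top of the page (and the hosts entry) use example.org; one domain for the whole tutorial avoids a copy-paste mismatch between the signing table, the key table and the DNS TXT record.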
Line 211: Line 225:
 The trusted hosts is next, over in ''sudo nano /etc/opendkim/trusted.hosts'' which we simply enter: The trusted hosts is next, over in ''sudo nano /etc/opendkim/trusted.hosts'' which we simply enter:
  
 +  127.0.0.1
 +  localhost
   .domain.com   .domain.com
      
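Review bot: the added ''127.0.0.1'' and ''localhost'' entries are needed so mail submitted locally is treated as internal and signed instead of verified. If anything submits over IPv6 loopback, add ''::1'' too, since ''localhost'' does not necessarily cover it in this file. The remaining ''.domain.com'' placeholder should follow the example.org convention used elsewhere on the page so the reader knows which name to substitute.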
Line 249: Line 265:
   AuthservID OpenDMARC   AuthservID OpenDMARC
   TrustedAuthservIDs mail.yourdomain.com   TrustedAuthservIDs mail.yourdomain.com
-  RejectFailures true+  RejectFailures false #track only, do not stop at gate
   IgnoreAuthenticatedClients true   IgnoreAuthenticatedClients true
 +  RequireHeaders true
   SPFSelfValidate true   SPFSelfValidate true
   Socket local:/var/spool/postfix/opendmarc/opendmarc.sock   Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
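Review bot: the trailing ''#track only, do not stop at gate'' comment on the ''RejectFailures'' line should either be confirmed against the opendmarc.conf parser or moved to its own line; if the parser does not strip trailing comments the value becomes unparseable and the option silently misbehaves. Switching ''RejectFailures'' to ''false'' means a message that fails a sender's ''p=reject'' DMARC policy is only reported and headed, never refused; that matches the SPF change earlier in this diff, but it should be stated in the prose so readers know the gate is intentionally open and that DMARC aggregate reports are now the only visibility into failures. ''RequireHeaders true'' is a good addition: it rejects messages that do not meet the RFC 5322 header requirements.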
Line 361: Line 378:
   #rewrite_header Subject **Possible Spam**   #rewrite_header Subject **Possible Spam**
   report_safe 0   report_safe 0
-  always_add_headers = 1 +  add_header all Spam-Flag _YESNO_ 
-  #add_header all Flag _YESNO_ +  add_header all Score _SCORE_ 
-  #add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_" +  add_header all Report _REPORT_ 
-  #add_header all Report _REPORT_ +  add_header all Level _STARS_ 
-  #add_header all Level _STARS_ +  add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_" 
-  #add_header all Checker-Version "SpamAssassin _VERSION_ (_DATE_) on _HOSTNAME_"+  add_header all Checker-Version "SpamAssassin _VERSION_ (_DATE_) on _HOSTNAME_" 
 +  #legacy/deprecated header config - do not use, retained for historical record 
 +  #always_add_headers = 1
  
 I included some header options, which can help with debugging. Also, I disable safe reporting and Subject rewriting because they alter the original email, which I think is overkill. In order to activate all that spam assassin can do, we need to have our own recursive DNS resolver, required by RBL services. Let's use the DNS server unbound and install it as follows ''sudo apt install unbound''. It works out of the box, but you can also tweak it by looking at my tutorial here: [[https://wiki.haacksnetworking.org/doku.php?id=computing:unbounddns|Unbound DNS]]. Okay, let's now insruct spamassassin to use our dns server by opening ''sudo nano /etc/spamassassin/local.cf'' and entering the DNS server. We will also add some common scores and white and black lists while at it. I included some header options, which can help with debugging. Also, I disable safe reporting and Subject rewriting because they alter the original email, which I think is overkill. In order to activate all that spam assassin can do, we need to have our own recursive DNS resolver, required by RBL services. Let's use the DNS server unbound and install it as follows ''sudo apt install unbound''. It works out of the box, but you can also tweak it by looking at my tutorial here: [[https://wiki.haacksnetworking.org/doku.php?id=computing:unbounddns|Unbound DNS]]. Okay, let's now insruct spamassassin to use our dns server by opening ''sudo nano /etc/spamassassin/local.cf'' and entering the DNS server. We will also add some common scores and white and black lists while at it.
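Review bot: SpamAssassin prefixes every ''add_header'' name with ''X-Spam-'', so ''add_header all Spam-Flag _YESNO_'' emits an ''X-Spam-Spam-Flag'' header; the conventional name is ''Flag'' (''add_header all Flag _YESNO_''), which is what sieve and client filters normally look for, so the new line should be corrected. Changing the other headers from ''spam'' to ''all'' is fine for debugging but means a full ''X-Spam-Report'' block is attached to every ham message as well; the paragraph above should mention that cost. Minor: "insruct" in that paragraph is a typo for "instruct".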
Line 469: Line 488:
   nano /etc/dovecot/conf.d/10-logging.conf   nano /etc/dovecot/conf.d/10-logging.conf
   <mail_debug yes>   <mail_debug yes>
 +
 +To setup autodiscovery, setup a separate vhost in apache with autodiscover.domain.com, and then create your A, AAAA, and discovery records:
 +
 +  _imap._tcp          10    1                   143        mail.haacksnetworking.org
 +  _submission._tcp    10    1                   587        mail.haacksnetworking.org
 +  _imaps._tcp                               993        mail.haacksnetworking.org
 +  _submissions._tcp                         465        mail.haacksnetworking.org
 +  _autodiscover._tcp  10    1                   443        mail.haacksnetworking.org
 +  autodiscover        A     8.28.86.125         
 +  autodiscover        AAAA  2604:fa40:0:10::18  
 +
 +After that, setup your ''autodiscover.xml'' file:
 +
 +  sudo nano /var/www/autodiscover.haacksnetworking.org/public_html/autodiscover/autodiscover.xml
      
-To check record health after you set your DNS records, you can do the following:+Inside that file, enter something similar to this entry below, obviously adjusting for your priority, weight, and desired client configuration behavior: 
 + 
 +  <?xml version="1.0" encoding="UTF-8"?> 
 +  <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> 
 +    <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> 
 +      <Account> 
 +        <AccountType>email</AccountType> 
 +        <Action>settings</Action> 
 +        <Protocol> 
 +          <Type>IMAP</Type> 
 +          <Server>mail.haacksnetworking.org</Server> 
 +          <Port>993</Port> 
 +          <LoginName>%EMAILADDRESS%</LoginName> 
 +          <Domain>haacksnetworking.org</Domain> 
 +          <Encryption>SSL</Encryption> 
 +        </Protocol> 
 +        <Protocol> 
 +          <Type>IMAP</Type> 
 +          <Server>mail.haacksnetworking.org</Server> 
 +          <Port>143</Port> 
 +          <LoginName>%EMAILADDRESS%</LoginName> 
 +          <Domain>haacksnetworking.org</Domain> 
 +          <Encryption>STARTTLS</Encryption> 
 +        </Protocol> 
 +        <Protocol> 
 +          <Type>SMTP</Type> 
 +          <Server>mail.haacksnetworking.org</Server> 
 +          <Port>465</Port> 
 +          <LoginName>%EMAILADDRESS%</LoginName> 
 +          <Domain>haacksnetworking.org</Domain> 
 +          <Encryption>SSL</Encryption> 
 +        </Protocol> 
 +        <Protocol> 
 +          <Type>SMTP</Type> 
 +          <Server>mail.haacksnetworking.org</Server> 
 +          <Port>587</Port> 
 +          <LoginName>%EMAILADDRESS%</LoginName> 
 +          <Domain>haacksnetworking.org</Domain> 
 +          <Encryption>STARTTLS</Encryption> 
 +        </Protocol> 
 +      </Account> 
 +    </Response> 
 +  </Autodiscover> 
 + 
 +Pretty much everything one needs is now setup. To check record health after you set your DNS records, you can do the following:
      
   dig txt +short _dmarc.jonathanhaack.com   dig txt +short _dmarc.jonathanhaack.com
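Review bot: the ''_imaps._tcp'' and ''_submissions._tcp'' rows are missing the priority and weight columns that the other SRV rows carry (''10'' and ''1''), so as written they are not valid SRV records; give them the same four fields as the ''_imap._tcp'' and ''_submission._tcp'' rows. Also check the autodiscover target: the ''_autodiscover._tcp'' record sends clients to ''mail.haacksnetworking.org'' on 443, while the vhost and the ''autodiscover.xml'' path are created under ''autodiscover.haacksnetworking.org'', so whichever host clients end up contacting must serve that file over HTTPS with a certificate valid for the name requested, otherwise the SRV lookup path fails while the A-record path succeeds. Minor: "setup" is used as a verb several times in the new prose where "set up" is meant.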
Line 496: Line 573:
 These tools prove helpful if/when emails get stuck, etc. These tools prove helpful if/when emails get stuck, etc.
  
- --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/04/12 22:51//+ --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/05/15 19:19//
computing/mailserver.1744499823.txt.gz · Last modified: 2025/04/12 23:17 by oemb1905