Haack's Wiki

User Tools

Site Tools

Trace: mailserver miscadmin vmserver vpnserver-debian
computing:mailserver

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
computing:mailserver [2025/04/23 20:55] oemb1905computing:mailserver [2025/11/05 01:56] (current) oemb1905
Line 11: Line 11:
 ------------------------------------------- -------------------------------------------
  
-This tutorial is for users of Debian GNU/Linux who want to set up a proper email server.. This tutorial assumes you know how to set up A, AAAA, SPF, DKIM, DMARC, MX, and PTR records. Set an A record for example.org and mail.example.org. If you don't know how, then learn up, and do not proceed. //Thanks to LinuxBabe for a great jumping off point//. Let's begin by editing our hosts file ''sudo nano /etc/hosts'' as follows:+This tutorial is for users of Debian GNU/Linux who want to set up a proper email server.. This tutorial assumes you know how to set up A, AAAA, SPF, DKIM, DMARC, MX, and PTR records. Set an A record for example.org and mail.example.org and make sure you or your ISP has set a PTR record to mail.example.org for the IPv4 and IPv6 addresses. If you don't know how, then learn up, and do not proceed. //Thanks to LinuxBabe for a great jumping off point//. Let's begin by editing our hosts file ''sudo nano /etc/hosts'' as follows:
  
   127.0.1.1 example.org example   127.0.1.1 example.org example
Line 187: Line 187:
    reject_unauth_destination,    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf    check_policy_service unix:private/policyd-spf
 +
 +You also need to make sure that your spf policy is not set to reject emails by default. 
 +
 +  nano /etc/postfix-policyd-spf-python/policyd-spf.conf
 +  
 +Make sure that ''Fail'' is changed to ''False'' for the top two entries. The policy will ensure that those spf violations are logged, but the change to False ensures no email is lost as a result. 
 +
 +  HELO_reject = False
 +  Mail_From_reject = False
  
 Now, it is time to set up DKIM on your server. After creating the DKIM record/key on your server, you will need to create a corresponding TXT record for it to establish that anything over smtp with that signature is, in fact, you/your server. Let's install opendkim with ''sudo apt install opendkim opendkim-tools'' and add postfix to its group with ''sudo adduser postfix opendkim'' and then adjust the configuration in ''sudo nano /etc/opendkim.conf'' as follows: Now, it is time to set up DKIM on your server. After creating the DKIM record/key on your server, you will need to create a corresponding TXT record for it to establish that anything over smtp with that signature is, in fact, you/your server. Let's install opendkim with ''sudo apt install opendkim opendkim-tools'' and add postfix to its group with ''sudo adduser postfix opendkim'' and then adjust the configuration in ''sudo nano /etc/opendkim.conf'' as follows:
Line 256: Line 265:
   AuthservID OpenDMARC   AuthservID OpenDMARC
   TrustedAuthservIDs mail.yourdomain.com   TrustedAuthservIDs mail.yourdomain.com
-  RejectFailures true+  RejectFailures false #track only, do not stop at gate
   IgnoreAuthenticatedClients true   IgnoreAuthenticatedClients true
   RequireHeaders true   RequireHeaders true
Line 479: Line 488:
   nano /etc/dovecot/conf.d/10-logging.conf   nano /etc/dovecot/conf.d/10-logging.conf
   <mail_debug yes>   <mail_debug yes>
 +
 +To setup autodiscovery, setup a separate vhost in apache with autodiscover.domain.com, and then create your A, AAAA, and discovery records:
 +
 +  _imap._tcp          10    1                   143        mail.haacksnetworking.org
 +  _submission._tcp    10    1                   587        mail.haacksnetworking.org
 +  _imaps._tcp                               993        mail.haacksnetworking.org
 +  _submissions._tcp                         465        mail.haacksnetworking.org
 +  _autodiscover._tcp  10    1                   443        mail.haacksnetworking.org
 +  autodiscover        A     8.28.86.125         
 +  autodiscover        AAAA  2604:fa40:0:10::18  
 +
 +After that, setup your ''autodiscover.xml'' file:
 +
 +  sudo nano /var/www/autodiscover.haacksnetworking.org/public_html/autodiscover/autodiscover.xml
      
-To check record health after you set your DNS records, you can do the following:+Inside that file, enter something similar to this entry below, obviously adjusting for your priority, weight, and desired client configuration behavior: 
 + 
 +  <?xml version="1.0" encoding="UTF-8"?> 
 +  <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> 
 +    <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> 
 +      <Account> 
 +        <AccountType>email</AccountType> 
 +        <Action>settings</Action> 
 +        <Protocol> 
 +          <Type>IMAP</Type> 
 +          <Server>mail.haacksnetworking.org</Server> 
 +          <Port>993</Port> 
 +          <LoginName>%EMAILADDRESS%</LoginName> 
 +          <Domain>haacksnetworking.org</Domain> 
 +          <Encryption>SSL</Encryption> 
 +        </Protocol> 
 +        <Protocol> 
 +          <Type>IMAP</Type> 
 +          <Server>mail.haacksnetworking.org</Server> 
 +          <Port>143</Port> 
 +          <LoginName>%EMAILADDRESS%</LoginName> 
 +          <Domain>haacksnetworking.org</Domain> 
 +          <Encryption>STARTTLS</Encryption> 
 +        </Protocol> 
 +        <Protocol> 
 +          <Type>SMTP</Type> 
 +          <Server>mail.haacksnetworking.org</Server> 
 +          <Port>465</Port> 
 +          <LoginName>%EMAILADDRESS%</LoginName> 
 +          <Domain>haacksnetworking.org</Domain> 
 +          <Encryption>SSL</Encryption> 
 +        </Protocol> 
 +        <Protocol> 
 +          <Type>SMTP</Type> 
 +          <Server>mail.haacksnetworking.org</Server> 
 +          <Port>587</Port> 
 +          <LoginName>%EMAILADDRESS%</LoginName> 
 +          <Domain>haacksnetworking.org</Domain> 
 +          <Encryption>STARTTLS</Encryption> 
 +        </Protocol> 
 +      </Account> 
 +    </Response> 
 +  </Autodiscover> 
 + 
 +Pretty much everything one needs is now setup. To check record health after you set your DNS records, you can do the following:
      
   dig txt +short _dmarc.jonathanhaack.com   dig txt +short _dmarc.jonathanhaack.com
Line 503: Line 570:
   postsuper -d E900C4780073   postsuper -d E900C4780073
   postsuper -d ALL   postsuper -d ALL
-   
-These tools prove helpful if/when emails get stuck, etc. 
  
- --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/04/23 20:54//+These tools prove helpful if/when emails get stuck, etc. Here are the Trixie adjustments: 
 + 
 +This tutorial is for users of Debian GNU/Linux who want to set up a proper email server. This particular version is a work in progress and will contain adjustments needed for Trixie. So far, I've found the following differences: 
 + 
 +  # Editing authentication settings 
 +  sudo nano /etc/dovecot/conf.d/10-auth.conf 
 +  auth_username_format = %{user|username|lower} 
 +  #auth_username_format = %n 
 +  # Editing mailbox location settings 
 +  sudo nano /etc/dovecot/conf.d/10-mail.conf 
 +  mail_driver = maildir 
 +  mail_path = ~/Maildir 
 +  mail_inbox_path = ~/Maildir/.INBOX 
 +  #old one was 
 +  #mail_location = mbox:~/mail:INBOX=/var/mail/%u 
 +  #mail_location = maildir:~/Maildir 
 +  # Editing SSL/TLS settings 
 +  sudo nano /etc/dovecot/conf.d/10-ssl.conf 
 +  #new format for cert and key, longer name, removes the classic “<” character 
 +  ssl_server_cert_file = /etc/letsencrypt/live/mail.domain.com/fullchain.pem 
 +  ssl_server_key_file = /etc/letsencrypt/live/mail.domain.com/privkey.pem 
 +  #ssl_prefer_server_ciphers = yes 
 +  #comment out diffy helman, now deprecated 
 +  #ssl_server_dh_file = /etc/dovecot/dh.pem 
 +  # Editing Sieve filter settings 
 +  sudo nano /etc/dovecot/conf.d/90-sieve.conf 
 +  #updating where dovecot looks for sieve rules by default, new format 
 +  sieve_script personal { 
 +    driver = file 
 +    path = ~/sieve 
 +    active_path = ~/.dovecot.sieve 
 +  } 
 +  #old one was 
 +  #plugin {  
 +  #sieve = file:~/sieve;active=~/.dovecot.sieve 
 +  #} 
 +  # Editing main Dovecot configuration 
 +  sudo nano /etc/dovecot/dovecot.conf 
 +  #declare versions 
 +  dovecot_storage_version = 2.4.1 
 +  dovecot_config_version = 2.4 
 +  #comment out dictionary (unless you set it up) 
 +  #dict { 
 +  #  quota = file:/var/lib/dovecot/quota 
 +  #} 
 + 
 +In May 2025, the Validity RBL switched to a locked model, so you need to disable queries to it in spamassassin by editing ''sudo nano /etc/spamassassin/local.cf'' and putting the following restrictions underneath ''dns_server 127.0.0.1'' and then comment out the VALIDITY scoring rule. 
 + 
 +  dns_query_restriction deny bl.score.senderscore.com 
 +  dns_query_restriction deny sa-accredit.habeas.com 
 +  dns_query_restriction deny sa-trusted.bondedsender.org 
 +  #score RCVD_IN_VALIDITY_RPBL             5.0 
 + 
 +The new tutorial embeds the Trixie adjustments inside the tutorial in addition to being a complete re-organization and rewrite of the mail server tutorial. You can view the new tutorial over here at [[https://wiki.haacksnetworking.org/doku.php?id=computing:mailserver-trixie|Mail Server Trixie]]. 
 + 
 + --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/11/05 01:54//
computing/mailserver.1745441726.txt.gz · Last modified: by oemb1905

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki