User Tools

Site Tools


computing:mailserver

  • mailserver
  • Jonathan Haack
  • Haack's Networking
  • webmaster@haacksnetworking.org

mailserver


This tutorial is for users of Debian GNU/Linux who want to set up a proper email server.. This tutorial assumes you know how to set up A, AAAA, SPF, DKIM, DMARC, MX, and PTR records. Set an A record for example.org and mail.example.org. If you don't know how, then learn up, and do not proceed. Thanks to LinuxBabe for a great jumping off point.

sudo nano /etc/hosts

Edit the second line and add a line to the bottom similar to:

<127.0.1.1 example.org example>
<127.0.0.1 mail.example.org localhost>

Install postfix and mailutils

sudo apt-get install mailutils postfix -y
<Internet Site>
<example.org>

Install firewall, open common ports for front facing website, and for imap/smtp:

sudo apt install ufw
sudo ufw allow 22/tcp
sudo ufw allow 53/tcp
sudo ufw allow 25/tcp
sudo ufw allow 587/tcp
sudo ufw allow 143/tcp
sudo ufw allow 993/tcp
sudo ufw allow 80
sudo ufw allow 443

Increase quota / message size:

sudo postconf -e message_size_limit=52428800

Set hostname and aliases

sudo nano /etc/postfix/main.cf

Make sure that the hostname, origin, destination, mailbox size, and quota are set. Also, in my case, I only have ipv4 support, so I explicitly sett that as well.

myhostname = mail.example.com
myorigin = /etc/mailname
mydestination = example.com, $myhostname, localhost.$mydomain, localhost
mailbox_size_limit = 0
inet_protocols = ipv4
message_size_limit = 52428800

Let's also make sure that system emails are sent to the user we created above instead of root by sudo nano /etc/aliases and then:

postmaster: root
root: user

Now, set up the server block for your mail server's website:

sudo nano /etc/nginx/conf.d/mail.example.com.conf
sudo mkdir -p /usr/share/nginx/html/

The contents looking something like:

server {
    listen 80;
    #listen [::]:80;
    server_name mail.example.com;
    root /usr/share/nginx/html/;
    location ~ /.well-known/acme-challenge {
      allow all;
   }
}

Once that is done, restart the service sudo systemctl reload nginx and then let's generate a cert:

sudo apt install certbot
sudo apt install python3-certbot-nginx
sudo certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email email@email.com -d mail.example.com

Now, let's configure postfix to work together with Dovecot/submission on 587 and 465 and to use TLS by editing sudo nano /etc/postfix/master.cf as follows:

submission     inet     n    -    y    -    -    smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

It's now time to configure postfix sudo nano /etc/postfix/main.cf to use TLS:

#Enable TLS Encryption when Postfix receives incoming emails
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level=may 
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#Enable TLS Encryption when Postfix sends outgoing emails
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#Enforce TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Now, we can install dovecot and configure it to use IMAP, change the default mailbox location, and add dovecot to the mail group:

sudo apt install dovecot-core dovecot-imapd
sudo nano /etc/dovecot/dovecot.conf
<protocols = imap>
sudo nano /etc/dovecot/conf.d/10-mail.conf
<mail_location = maildir:~/Maildir>
sudo adduser dovecot mail

We will now configure dovecot to use lmtp and in so doing use spam sieve and other modules:

sudo apt install dovecot-lmtpd
sudo nano /etc/dovecot/dovecot.conf
<protocols = imap lmtp>

Now, we need to edit sudo nano /etc/dovecot/conf.d/10-master.conf and make sure that dovecot can leverage lmtp:

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
   mode = 0600
   user = postfix
   group = postfix
  }
 }

Similarly, we need to edit postfix for lmtp:

sudo nano /etc/postfix/main.cf
<mailbox_transport = lmtp:unix:private/dovecot-lmtp>
<smtputf8_enable = no>

Next, let's configure dovecot authorization:

sudo nano /etc/dovecot/conf.d/10-auth.conf
<disable_plaintext_auth = yes>
<auth_username_format = %n>
<auth_mechanisms = plain login>

Now, configure SSL/TLS encryption in dovecot:

sudo nano /etc/dovecot/conf.d/10-ssl.conf
<ssl = required>
<ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem>
<ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem>
<ssl_prefer_server_ciphers = yes>
<ssl_min_protocol = TLSv1.2>

SASL configuration by editing sudo nano /etc/dovecot/conf.d/10-master.conf and adding this block:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

If you have errors or can't connect your email client at this point, you can test your handshakes as follows:

openssl s_client -connect mail.example.com:465
openssl s_client -starttls smtp -connect mail.example.com:25

Now it is time to setup an spf policy agent so that the incoming email that is received checks for validity of spf records. Do not confuse this with creating an spf TXT record for your outgoing email.

sudo apt install postfix-policyd-spf-python
sudo nano /etc/postfix/master.cf
<policyd-spf  unix  -       n       n       -       0       spawn>
<user=policyd-spf argv=/usr/bin/policyd-spf>
sudo nano /etc/postfix/main.cf
<policyd-spf_time_limit = 3600>
<smtpd_recipient_restrictions =>
 <permit_mynetworks,>
 <permit_sasl_authenticated,>
 <reject_unauth_destination,>
 <check_policy_service unix:private/policyd-spf>

Now, it is time to set up DKIM on your server. After creating the DKIM record/key on your server, you will need to create a corresponding TXT record for it to establish that anything over smtp with that signature is, in fact, you/your server.

sudo apt install opendkim opendkim-tools
sudo adduser postfix opendkim
sudo nano /etc/opendkim.conf
<Canonicalization   relaxed/simple>
<Mode               sv>
<SubDomains         no>
<Nameservers     8.8.8.8,1.1.1.1>
<KeyTable           refile:/etc/opendkim/key.table>
<SigningTable       refile:/etc/opendkim/signing.table>
<ExternalIgnoreList  /etc/opendkim/trusted.hosts>
<InternalHosts       /etc/opendkim/trusted.hosts>

Now that the configuration for DKIM is ready, let's create the keys and content for the locations specified above:

sudo mkdir -p /etc/opendkim/keys
sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod 711 /etc/opendkim/keys
sudo nano /etc/opendkim/signing.table
<*@example.com      default._domainkey.example.com>
<*@*.example.com    default._domainkey.example.com>
sudo nano /etc/opendkim/key.table
<default._domainkey.example.com     example.com:default:/etc/opendkim/keys/example.com/default.private>
sudo nano /etc/opendkim/trusted.hosts
<.domain.com>
sudo mkdir /etc/opendkim/keys/example.com
sudo opendkim-genkey -b 2048 -d example.com -D /etc/opendkim/keys/example.com -s default -v
sudo chown opendkim:opendkim /etc/opendkim/keys/example.com/default.private
sudo chmod 600 /etc/opendkim/keys/example.com/default.private

It's now time to create the corresponding TXT record for this DKIM key. To do that, display the key with sudo cat /etc/opendkim/keys/example.com/default.txt and then copy everything between the parentheses into your TXT record with default._domainkey as the host. After the DKIM TXT record caches, test it as follows:

sudo opendkim-testkey -d example.com -s default -vvv

Note that that output will display “key not secure” unless you configure DNSSEC, which this tutorial has not done. It's now time to configure postfix to leverage this DKIM key.

sudo mkdir /var/spool/postfix/opendkim
sudo chown opendkim:postfix /var/spool/postfix/opendkim
sudo nano /etc/opendkim.conf
<Socket    local:/var/spool/postfix/opendkim/opendkim.sock>
sudo nano /etc/default/opendkim
<SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock">
sudo nano /etc/postfix/main.cf
<milter_default_action = accept>
<milter_protocol = 6>
<smtpd_milters = local:opendkim/opendkim.sock>
<non_smtpd_milters = $smtpd_milters>

It's now a good time to test your email quality with Mail Tester to see if you got a 10/10 score. When upgrading postfix on the server, select “No configuration” as otherwise it will overwrite the configurations above. If you need help with creating spf, dmarc, or dkim TXT records, see spfdkim. Another optional setting is to reject incoming email that lacks a PTR (reverse DNS) record.

sudo nano /etc/postfix/main.cf
<smtpd_sender_restrictions =>
  <permit_mynetworks>
  <permit_sasl_authenticated>
  <reject_unknown_reverse_client_hostname>
  

To set up email header and/or body checks to prevent spam:

sudo apt install postfix-pcre
sudo nano /etc/postfix/main.cf
<header_checks = pcre:/etc/postfix/header_checks>
<body_checks = pcre:/etc/postfix/body_checks>

You will then need to configure the files with whatever strings you expect spam headers or bodies to have, and either reject them and/or discard them. You will also need to rebuild the indexes.

sudo nano /etc/postfix/header_checks
</free mortgage quote/     REJECT>
</repair your credit/     DISCARD>
sudo postmap /etc/postfix/header_checks
sudo nano /etc/postfix/body_checks
</free mortgage quote/     REJECT>
</repair your credit/      DISCARD>
sudo postmap /etc/postfix/body_checks

In general, be careful of setting your own TXT records for dmarc and spf with p=reject and -all because recipient's incoming email servers might forward the email on to another server, which will then appear to not originate from the proper location. Setting p=quarantine and ~all are good options in the middle for how servers should treat your email (or those trying to look like your email). As far as how you receive email is concerned, be careful in making your incoming server's rules too strict, otherwise you will never see emails arrive from your friends who might not have DNS records set up as strictly as your settings require. Lastly, you may optionally set up dmarc verification and reporting with openDMARC.

sudo apt install opendmarc
<no to db configure>
sudo nano /etc/opendmarc.conf
<AuthservID OpenDMARC>
<TrustedAuthservIDs mail.yourdomain.com>
<RejectFailures true>
<IgnoreAuthenticatedClients true>
<SPFSelfValidate true>
<Socket local:/var/spool/postfix/opendmarc/opendmarc.sock>
sudo mkdir -p /var/spool/postfix/opendmarc
sudo chown opendmarc:opendmarc /var/spool/postfix/opendmarc -R
sudo chmod 750 /var/spool/postfix/opendmarc/ -R
sudo adduser postfix opendmarc
sudo systemctl restart opendmarc

Now, configure postfix to work with openDMARC. Add the openDMARC socket to the milter block you created earlier.

sudo nano /etc/postfix/main.cf
<milter_default_action = accept>
<milter_protocol = 6>
<smtpd_milters = local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock>
<non_smtpd_milters = $smtpd_milters>
sudo systemctl restart postfix

This about covers everything. The only missing part is how to get past picky microsoft users and/or automate or simplify account creation. Okay, to view and/or delete messages from postfix mailq:

mailq
postcat -q E900C4780073
postsuper -d E900C4780073
postsuper -d ALL

If you have issues, it's good to be familiar with some different uses of the dig command to test your records. Here's how to check dmarc, dkim, spf, and ptr. The +short is optional, of course. I also included how you can verify your dkim key as well.

dig txt +short _dmarc.jonathanhaack.com
dig txt +short _dmarc.haacksnetworking.org
dig default._domainkey.jonathanhaack.com txt
dig default._domainkey.haacksnetworking.org txt
dig txt +short jonathanhaack.com
dig txt +short haacksnetworking.org
dig -x 8.28.86.130 +short
dig -x 8.28.86.125 +short
sudo opendkim-testkey -d jonathanhaack.com -s default -vvv
sudo opendkim-testkey -d haacksnetworking.org -s default -vvv

Also, please note that the above applies to clients connecting to the domain. If you intend to also host websites/content on the same host as the mail server, then you will also need to set up dmarc, spf, and mx records for the subdomain, mail.example.com. You will not need to setup dkim nor change the PTR. To test the validity of the command line email set up, ssh into your server and send an email as follows:

echo "Hi, I am testing the subdomain email health." | mail -s "CLI Email Test" oemb1905@jonathanhaack.com

Setting up dovecot-sieve.

sudo apt install dovecot-sieve dovecot-managesieved
sudo nano /etc/dovecot/dovecot.conf

Set to:

protocols = imap lmtp sieve

Then, open

sudo nano /etc/dovecot/conf.d/15-lda.conf

Set to:

protocol lda {
  mail_plugins = $mail_plugins sieve
}

Finally,

sudo nano /etc/dovecot/conf.d/20-lmtp.conf

Which should be:

protocol lmtp {
  mail_plugins = quota sieve
}

Restart your services systemctl restart dovecot postfix and it should be active. I was having trouble with Nextcloud mail because it could not locate the default / expected IMAP folders. To mitigate that, set them up to be created automatically as follows:

sudo nano /etc/dovecot/conf.d/15-mailboxes.conf

An example block:

mailbox Drafts {
  auto = create
  special_use = \Drafts
}

Simply add the auto = create to whichever directories you need.

oemb1905 2023/08/06 18:39

computing/mailserver.txt · Last modified: 2023/08/06 18:42 by oemb1905