This shows you the differences between two versions of the page.
computing:mailserver [2022/12/11 03:56] – oemb1905 | computing:mailserver [2023/08/06 18:42] (current) – oemb1905 | ||
---|---|---|---|
Line 2: | Line 2: | ||
* **mailserver** | * **mailserver** | ||
* **Jonathan Haack** | * **Jonathan Haack** | ||
- | * **Haack' | + | * **Haack' |
- | * **webmaster@haacksnetworking.org** | + | * **webmaster@haacksnetworking.org** |
------------------------------------------- | ------------------------------------------- | ||
- | + | ||
- | // | + | // |
------------------------------------------- | ------------------------------------------- | ||
Line 62: | Line 62: | ||
Now, set up the server block for your mail server' | Now, set up the server block for your mail server' | ||
- | sudo nano /etc/apache2/sites-available/ | + | sudo nano /etc/nginx/conf.d/ |
sudo mkdir -p / | sudo mkdir -p / | ||
| | ||
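Review bot: only the editor path changes in this hunk, from `/etc/apache2/sites-available/` to `/etc/nginx/conf.d/`, while the sentence above it ("Now, set up the server block for your mail server'") and the `sudo mkdir -p /` line are unchanged, so any Apache-specific steps that remain elsewhere on the page (enabling the site, reloading apache2) should be migrated in the same revision, otherwise the reader is sent to an nginx directory and then told to run Apache commands. The file name is cut off in this view; worth stating in the text that the stock nginx.conf only includes files in `/etc/nginx/conf.d/` whose names end in `.conf`, so the chosen name should be checked.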
Line 130: | Line 130: | ||
sudo adduser dovecot mail | sudo adduser dovecot mail | ||
| | ||
- | sdsd | + | We will now configure dovecot to use lmtp and in so doing use spam sieve and other modules: |
- | Note that when upgrading postfix, please select "No configuration" | + | sudo apt install dovecot-lmtpd |
- | + | sudo nano / | |
+ | < | ||
- | --- // | + | Now, we need to edit '' |
+ | |||
+ | service lmtp { | ||
+ | unix_listener / | ||
+ | mode = 0600 | ||
+ | user = postfix | ||
+ | group = postfix | ||
+ | } | ||
+ | } | ||
+ | |||
+ | Similarly, we need to edit postfix for lmtp: | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | |||
+ | Next, let's configure dovecot authorization: | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | Now, configure SSL/TLS encryption in dovecot: | ||
+ | |||
+ | sudo nano / | ||
+ | <ssl = required> | ||
+ | < | ||
+ | <ssl_key = </ | ||
+ | < | ||
+ | < | ||
+ | |||
+ | SASL configuration by editing '' | ||
+ | |||
+ | service auth { | ||
+ | unix_listener / | ||
+ | mode = 0660 | ||
+ | user = postfix | ||
+ | group = postfix | ||
+ | } | ||
+ | } | ||
+ | |||
+ | If you have errors or can't connect your email client at this point, you can test your handshakes as follows: | ||
+ | |||
+ | openssl s_client -connect mail.example.com: | ||
+ | openssl s_client -starttls smtp -connect mail.example.com: | ||
+ | |||
+ | Now it is time to setup an spf policy agent so that the incoming email that is received checks for validity of spf records. **Do not confuse this with creating an spf TXT record for your outgoing email.** | ||
+ | |||
+ | sudo apt install postfix-policyd-spf-python | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | Now, it is time to set up DKIM on your server. After creating the DKIM record/key on your server, you will need to create a corresponding TXT record for it to establish that anything over smtp with that signature is, in fact, you/your server. | ||
+ | |||
+ | sudo apt install opendkim opendkim-tools | ||
+ | sudo adduser postfix opendkim | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | Now that the configuration for DKIM is ready, let's create the keys and content for the locations specified above: | ||
+ | |||
+ | sudo mkdir -p / | ||
+ | sudo chown -R opendkim: | ||
+ | sudo chmod 711 / | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo mkdir / | ||
+ | sudo opendkim-genkey -b 2048 -d example.com -D / | ||
+ | sudo chown opendkim: | ||
+ | sudo chmod 600 / | ||
+ | |||
+ | It's now time to create the corresponding TXT record for this DKIM key. To do that, display the key with '' | ||
+ | |||
+ | sudo opendkim-testkey -d example.com -s default -vvv | ||
+ | |||
+ | Note that that output will display "key not secure" | ||
+ | |||
+ | sudo mkdir / | ||
+ | sudo chown opendkim: | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | It's now a good time to test your email quality with [[https:// | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | To set up email header and/or body checks to prevent spam: | ||
+ | |||
+ | sudo apt install postfix-pcre | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | |||
+ | You will then need to configure the files with whatever strings you expect spam headers or bodies to have, and either reject them and/or discard them. You will also need to rebuild the indexes. | ||
+ | |||
+ | sudo nano / | ||
+ | </free mortgage quote/ | ||
+ | </repair your credit/ | ||
+ | sudo postmap / | ||
+ | sudo nano / | ||
+ | </free mortgage quote/ | ||
+ | </repair your credit/ | ||
+ | sudo postmap / | ||
+ | |||
+ | In general, be careful of setting your own TXT records for dmarc and spf with p=reject and -all because recipient' | ||
+ | |||
+ | sudo apt install opendmarc | ||
+ | <no to db configure> | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | <Socket local:/ | ||
+ | sudo mkdir -p / | ||
+ | sudo chown opendmarc: | ||
+ | sudo chmod 750 / | ||
+ | sudo adduser postfix opendmarc | ||
+ | sudo systemctl restart opendmarc | ||
+ | |||
+ | Now, configure postfix to work with openDMARC. Add the openDMARC socket to the milter block you created earlier. | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | sudo systemctl restart postfix | ||
+ | |||
+ | This about covers everything. The only missing part is how to get past picky microsoft users and/or automate or simplify account creation. Okay, to view and/or delete messages from postfix mailq: | ||
+ | |||
+ | mailq | ||
+ | postcat -q E900C4780073 | ||
+ | postsuper -d E900C4780073 | ||
+ | postsuper -d ALL | ||
+ | |||
+ | If you have issues, it's good to be familiar with some different uses of the '' | ||
+ | |||
+ | dig txt +short _dmarc.jonathanhaack.com | ||
+ | dig txt +short _dmarc.haacksnetworking.org | ||
+ | dig default._domainkey.jonathanhaack.com txt | ||
+ | dig default._domainkey.haacksnetworking.org txt | ||
+ | dig txt +short jonathanhaack.com | ||
+ | dig txt +short haacksnetworking.org | ||
+ | dig -x 8.28.86.130 +short | ||
+ | dig -x 8.28.86.125 +short | ||
+ | sudo opendkim-testkey -d jonathanhaack.com -s default -vvv | ||
+ | sudo opendkim-testkey -d haacksnetworking.org -s default -vvv | ||
+ | |||
+ | Also, please note that the above applies to clients connecting to the domain. If you intend to also host websites/ | ||
+ | |||
+ | echo "Hi, I am testing the subdomain email health." | ||
+ | |||
+ | Setting up dovecot-sieve. | ||
+ | |||
+ | sudo apt install dovecot-sieve dovecot-managesieved | ||
+ | sudo nano / | ||
+ | |||
+ | Set to: | ||
+ | |||
+ | protocols = imap lmtp sieve | ||
+ | |||
+ | Then, open | ||
+ | |||
+ | sudo nano / | ||
+ | |||
+ | Set to: | ||
+ | |||
+ | protocol lda { | ||
+ | mail_plugins = $mail_plugins sieve | ||
+ | } | ||
+ | |||
+ | Finally, | ||
+ | |||
+ | sudo nano / | ||
+ | |||
+ | Which should be: | ||
+ | |||
+ | protocol lmtp { | ||
+ | mail_plugins = quota sieve | ||
+ | } | ||
+ | |||
+ | Restart your services '' | ||
+ | |||
+ | sudo nano / | ||
+ | |||
+ | An example block: | ||
+ | |||
+ | mailbox Drafts { | ||
+ | auto = create | ||
+ | special_use = \Drafts | ||
+ | } | ||
+ | |||
+ | Simply add the '' | ||
+ | |||
+ | --- // |
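Review bot: the `protocol lmtp { mail_plugins = quota sieve }` block near the end of the hunk overwrites the plugin list instead of appending to it, unlike the `protocol lda { mail_plugins = $mail_plugins sieve }` block just above; unless quota is configured elsewhere, LMTP deliveries load a quota plugin with no rules here and drop any globally configured plugins, so `mail_plugins = $mail_plugins sieve` would be consistent with the lda block. Three smaller points: the removed line "Note that when upgrading postfix, please select "No configuration"" was a useful caveat, since the package prompt otherwise rewrites parts of main.cf and can undo the milter and lmtp settings added in this revision, and could be kept; `sudo postmap /` after `sudo apt install postfix-pcre` and the `/free mortgage quote/` patterns does not build an index for pcre: tables, which Postfix reads directly, so the sentence "You will also need to rebuild the indexes" should be dropped or replaced by a syntax check such as `postmap -q "free mortgage quote" pcre:/etc/postfix/<table>` (table name is a placeholder, it is cut off in this view); and `postsuper -d ALL` in the mailq section deletes every queued message, legitimate ones included, so the text should note that `postsuper -d ALL deferred` is the narrower form when the goal is clearing stuck mail.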