This shows you the differences between two versions of the page.
computing:mailserver [2022/12/06 04:10] – oemb1905 | computing:mailserver [2023/08/06 18:42] (current) – oemb1905 | ||
Line 2: | Line 2: | ||
* **mailserver** | * **mailserver** | ||
* **Jonathan Haack** | * **Jonathan Haack** | ||
- | * **Haack' | + | * **Haack' |
- | * **webmaster@haacksnetworking.org** | + | * **webmaster@haacksnetworking.org** |
------------------------------------------- | ------------------------------------------- | ||
- | + | ||
- | // | + | // |
------------------------------------------- | ------------------------------------------- | ||
- | This tutorial is for users of Debian GNU/Linux who want to set up a proper email server. | + | This tutorial is for users of Debian GNU/Linux who want to set up a proper email server.. This tutorial assumes you know how to set up A, AAAA, SPF, DKIM, DMARC, MX, and PTR records. Set an A record for example.org and mail.example.org. If you don't know how, then learn up, and do not proceed. |
sudo nano /etc/hosts | sudo nano /etc/hosts | ||
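Review bot: the new prerequisite sentence on the "+" side of the `This tutorial is for users of Debian GNU/Linux` line ends in a doubled period ("email server..") and introduces `example.org` as the placeholder ("Set an A record for example.org and mail.example.org") while every configuration fragment added later in this same revision uses `example.com` (`myhostname = mail.example.com`, `server_name mail.example.com`, `-d mail.example.com`); pick one placeholder domain and use it throughout. Since the sentence lists AAAA among the records the reader is assumed to know, it should also say that an AAAA record for the mail host must only be published if Postfix is allowed to use IPv6: this revision sets `inet_protocols = ipv4` and leaves the nginx IPv6 listener commented out (`#listen [::]:80;`), so a published AAAA record would point remote MTAs at an address where nothing answers and each delivery would have to fail over IPv6 before falling back to IPv4. Finally, the sentence tells the reader to "learn up, and do not proceed" but offers no way to check the records; the `dig txt +short`, `dig -x` and `opendkim-testkey` commands that appear at the very end of this revision are the check and belong next to this prerequisite, with the placeholder domain substituted for the author's real domains.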
Line 17: | Line 17: | ||
Edit the second line and add a line to the bottom similar to: | Edit the second line and add a line to the bottom similar to: | ||
- | 127.0.1.1 example.org example | + | |
- | 127.0.0.1 mail.example.org localhost | + | |
- | Install postfix | + | Install postfix |
- | sudo apt-get install postfix -y | + | sudo apt-get install |
< | < | ||
< | < | ||
- | Install firewall | + | Install firewall, open common ports for front facing website, and for imap/smtp: |
sudo apt install ufw | sudo apt install ufw | ||
sudo ufw allow 22/tcp | sudo ufw allow 22/tcp | ||
+ | sudo ufw allow 53/tcp | ||
sudo ufw allow 25/tcp | sudo ufw allow 25/tcp | ||
- | + | sudo ufw allow 587/tcp | |
- | Install legacy mailutils for testing and/or scripts: | + | sudo ufw allow 143/tcp |
- | + | sudo ufw allow 993/tcp | |
- | sudo apt-get install mailutils | + | sudo ufw allow 80 |
+ | sudo ufw allow 443 | ||
| | ||
Increase quota / message size: | Increase quota / message size: | ||
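Review bot: `sudo ufw allow 53/tcp` should not be in a rule set the sentence above it describes as "open common ports for front facing website, and for imap/smtp": nothing in this page installs a DNS server, so an inbound-open 53/tcp on a mail host is either a dead rule or, if a resolver is ever installed on the box later, an open resolver reachable from the internet; drop the line. The opposite gap exists for SMTPS: the `smtps` service block added to master.cf later in this revision (`smtps`, `-o smtpd_tls_wrappermode=yes`) listens on 465/tcp, but no `ufw allow` line opens it, so clients configured for implicit TLS on 465 will simply time out; add `sudo ufw allow 465/tcp` beside `sudo ufw allow 587/tcp`. Keeping 143/tcp open is acceptable only because the Dovecot configuration later in the revision sets `ssl = required`, which refuses authentication before STARTTLS; state that dependency here or open 993 alone. Last, the "-" side removed the two `/etc/hosts` example lines (`127.0.1.1 example.org example`, `127.0.0.1 mail.example.org localhost`) but kept the sentence "Edit the second line and add a line to the bottom similar to:" that introduces them, so the reader is now given an instruction with no visible example; whatever replaces them should put the mail host's FQDN on the `127.0.1.1` line that Debian reserves for the machine's own name rather than on `127.0.0.1` next to `localhost`.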
Line 43: | Line 45: | ||
sudo nano / | sudo nano / | ||
- | < | ||
- | sudo systemctl restart postfix | ||
- | sudo nano / | ||
- | < | ||
- | sudo newaliases | ||
| | ||
- | In my case, being at Brown Rice Internet, I can only support | + | Make sure that the hostname, origin, destination, |
+ | |||
+ | myhostname = mail.example.com | ||
+ | myorigin = / | ||
+ | mydestination = example.com, | ||
+ | mailbox_size_limit = 0 | ||
+ | inet_protocols = ipv4 | ||
+ | message_size_limit = 52428800 | ||
+ | |||
+ | Let's also make sure that system emails are sent to the user we created above instead of root by '' | ||
- | | + | |
+ | root: user | ||
| | ||
- | Or, ... | + | Now, set up the server block for your mail server' |
- | sudo dpkg-reconfigure postfix | + | sudo nano / |
- | | + | |
| | ||
- | Now that ipv4 and the and the hostname are established, | + | The contents looking something like: |
+ | server { | ||
+ | listen 80; | ||
+ | #listen [::]:80; | ||
+ | server_name mail.example.com; | ||
+ | root / | ||
+ | location ~ / | ||
+ | allow all; | ||
+ | } | ||
+ | } | ||
+ | | ||
+ | Once that is done, restart the service '' | ||
+ | |||
+ | sudo apt install certbot | ||
+ | sudo apt install python3-certbot-nginx | ||
+ | sudo certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email email@email.com -d mail.example.com | ||
+ | | ||
+ | Now, let's configure postfix to work together with Dovecot/ | ||
+ | |||
+ | submission | ||
+ | -o syslog_name=postfix/ | ||
+ | -o smtpd_tls_security_level=encrypt | ||
+ | -o smtpd_tls_wrappermode=no | ||
+ | -o smtpd_sasl_auth_enable=yes | ||
+ | -o smtpd_relay_restrictions=permit_sasl_authenticated, | ||
+ | -o smtpd_recipient_restrictions=permit_mynetworks, | ||
+ | -o smtpd_sasl_type=dovecot | ||
+ | -o smtpd_sasl_path=private/ | ||
+ | smtps | ||
+ | -o syslog_name=postfix/ | ||
+ | -o smtpd_tls_wrappermode=yes | ||
+ | -o smtpd_sasl_auth_enable=yes | ||
+ | -o smtpd_relay_restrictions=permit_sasl_authenticated, | ||
+ | -o smtpd_recipient_restrictions=permit_mynetworks, | ||
+ | -o smtpd_sasl_type=dovecot | ||
+ | -o smtpd_sasl_path=private/ | ||
+ | |||
+ | It's now time to configure postfix '' | ||
+ | |||
+ | #Enable TLS Encryption when Postfix receives incoming emails | ||
+ | smtpd_tls_cert_file=/ | ||
+ | smtpd_tls_key_file=/ | ||
+ | smtpd_tls_security_level=may | ||
+ | smtpd_tls_loglevel = 1 | ||
+ | smtpd_tls_session_cache_database = btree: | ||
+ | #Enable TLS Encryption when Postfix sends outgoing emails | ||
+ | smtp_tls_security_level = may | ||
+ | smtp_tls_loglevel = 1 | ||
+ | smtp_tls_session_cache_database = btree: | ||
+ | #Enforce TLSv1.3 or TLSv1.2 | ||
+ | smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
+ | smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
+ | smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
+ | smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
+ | |||
+ | Now, we can install dovecot and configure it to use IMAP, change the default mailbox location, and add dovecot to the mail group: | ||
+ | |||
+ | sudo apt install dovecot-core dovecot-imapd | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo adduser dovecot mail | ||
+ | | ||
+ | We will now configure dovecot to use lmtp and in so doing use spam sieve and other modules: | ||
+ | |||
+ | sudo apt install dovecot-lmtpd | ||
+ | sudo nano / | ||
+ | < | ||
+ | |||
+ | Now, we need to edit '' | ||
+ | |||
+ | service lmtp { | ||
+ | unix_listener / | ||
+ | mode = 0600 | ||
+ | user = postfix | ||
+ | group = postfix | ||
+ | } | ||
+ | } | ||
+ | |||
+ | Similarly, we need to edit postfix for lmtp: | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | |||
+ | Next, let's configure dovecot authorization: | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | Now, configure SSL/TLS encryption in dovecot: | ||
+ | |||
+ | sudo nano / | ||
+ | <ssl = required> | ||
+ | < | ||
+ | <ssl_key = </ | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | SASL configuration by editing '' | ||
+ | |||
+ | service auth { | ||
+ | unix_listener / | ||
+ | mode = 0660 | ||
+ | user = postfix | ||
+ | group = postfix | ||
+ | } | ||
+ | } | ||
+ | | ||
+ | If you have errors or can't connect your email client at this point, you can test your handshakes as follows: | ||
+ | |||
+ | openssl s_client -connect mail.example.com: | ||
+ | openssl s_client -starttls smtp -connect mail.example.com: | ||
+ | | ||
+ | Now it is time to setup an spf policy agent so that the incoming email that is received checks for validity of spf records. **Do not confuse this with creating an spf TXT record for your outgoing email.** | ||
+ | |||
+ | sudo apt install postfix-policyd-spf-python | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | Now, it is time to set up DKIM on your server. After creating the DKIM record/key on your server, you will need to create a corresponding TXT record for it to establish that anything over smtp with that signature is, in fact, you/your server. | ||
+ | |||
+ | sudo apt install opendkim opendkim-tools | ||
+ | sudo adduser postfix opendkim | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | Now that the configuration for DKIM is ready, let's create the keys and content for the locations specified above: | ||
+ | |||
+ | sudo mkdir -p / | ||
+ | sudo chown -R opendkim: | ||
+ | sudo chmod 711 / | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo mkdir / | ||
+ | sudo opendkim-genkey -b 2048 -d example.com -D / | ||
+ | sudo chown opendkim: | ||
+ | sudo chmod 600 / | ||
+ | |||
+ | It's now time to create the corresponding TXT record for this DKIM key. To do that, display the key with '' | ||
+ | |||
+ | sudo opendkim-testkey -d example.com -s default -vvv | ||
+ | | ||
+ | Note that that output will display "key not secure" | ||
+ | |||
+ | sudo mkdir / | ||
+ | sudo chown opendkim: | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | It's now a good time to test your email quality with [[https:// | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | To set up email header and/or body checks to prevent spam: | ||
+ | |||
+ | sudo apt install postfix-pcre | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | You will then need to configure the files with whatever strings you expect spam headers or bodies to have, and either reject them and/or discard them. You will also need to rebuild the indexes. | ||
+ | |||
+ | sudo nano / | ||
+ | </free mortgage quote/ | ||
+ | </repair your credit/ | ||
+ | sudo postmap / | ||
+ | sudo nano / | ||
+ | </free mortgage quote/ | ||
+ | </repair your credit/ | ||
+ | sudo postmap / | ||
+ | |||
+ | In general, be careful of setting your own TXT records for dmarc and spf with p=reject and -all because recipient' | ||
+ | |||
+ | sudo apt install opendmarc | ||
+ | <no to db configure> | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | <Socket local:/ | ||
+ | sudo mkdir -p / | ||
+ | sudo chown opendmarc: | ||
+ | sudo chmod 750 / | ||
+ | sudo adduser postfix opendmarc | ||
+ | sudo systemctl restart opendmarc | ||
+ | | ||
+ | Now, configure postfix to work with openDMARC. Add the openDMARC socket to the milter block you created earlier. | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
sudo systemctl restart postfix | sudo systemctl restart postfix | ||
| | ||
+ | This about covers everything. The only missing part is how to get past picky microsoft users and/or automate or simplify account creation. Okay, to view and/or delete messages from postfix mailq: | ||
+ | mailq | ||
+ | postcat -q E900C4780073 | ||
+ | postsuper -d E900C4780073 | ||
+ | postsuper -d ALL | ||
+ | | ||
+ | If you have issues, it's good to be familiar with some different uses of the '' | ||
+ | | ||
+ | dig txt +short _dmarc.jonathanhaack.com | ||
+ | dig txt +short _dmarc.haacksnetworking.org | ||
+ | dig default._domainkey.jonathanhaack.com txt | ||
+ | dig default._domainkey.haacksnetworking.org txt | ||
+ | dig txt +short jonathanhaack.com | ||
+ | dig txt +short haacksnetworking.org | ||
+ | dig -x 8.28.86.130 +short | ||
+ | dig -x 8.28.86.125 +short | ||
+ | sudo opendkim-testkey -d jonathanhaack.com -s default -vvv | ||
+ | sudo opendkim-testkey -d haacksnetworking.org -s default -vvv | ||
+ | | ||
+ | Also, please note that the above applies to clients connecting to the domain. If you intend to also host websites/ | ||
+ | echo "Hi, I am testing the subdomain email health." | ||
+ | | ||
+ | Setting up dovecot-sieve. | ||
+ | sudo apt install dovecot-sieve dovecot-managesieved | ||
+ | sudo nano / | ||
+ | Set to: | ||
+ | |||
+ | protocols = imap lmtp sieve | ||
| | ||
+ | Then, open | ||
+ | sudo nano / | ||
+ | Set to: | ||
+ | |||
+ | protocol lda { | ||
+ | mail_plugins = $mail_plugins sieve | ||
+ | } | ||
| | ||
+ | Finally, | ||
- | --- // | + | sudo nano / |
+ | |||
+ | Which should be: | ||
+ | |||
+ | protocol lmtp { | ||
+ | mail_plugins = quota sieve | ||
+ | } | ||
+ | |||
+ | Restart your services '' | ||
+ | |||
+ | sudo nano / | ||
+ | |||
+ | An example block: | ||
+ | |||
+ | mailbox Drafts { | ||
+ | auto = create | ||
+ | special_use = \Drafts | ||
+ | } | ||
+ | |||
+ | Simply add the '' | ||
+ | |||
+ | --- // |
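Review bot: the certificate issued with `sudo certbot certonly -a nginx ... -d mail.example.com` is wired into Postfix (`smtpd_tls_cert_file`) and Dovecot (`ssl_cert`, `ssl_key`) but nothing in this revision reloads either daemon when certbot renews it; Dovecot loads the certificate at startup and keeps serving that copy until it is reloaded, so after the first automatic renewal IMAP clients will be presented with the expired certificate and `ssl = required` will turn that into a hard connection failure. Add a deploy hook to the certbot invocation, for example `--deploy-hook 'systemctl reload postfix dovecot'`, and mention that renewals must reload both services. Further points in this hunk, in order: the "-" side removed `sudo newaliases` while the "+" side adds `root: user` to the aliases file, so the alias edit never takes effect until `newaliases` (or `postalias`) is run again; put the command back after the aliases edit. In the header and body check section, `sudo postmap /...` is only needed for indexed table types; if `header_checks` and `body_checks` are declared as `pcre:` tables, which is the reason `postfix-pcre` is installed, Postfix reads the text file directly and the right check is `postmap -q 'some header line' pcre:/path/to/header_checks`, so "You will also need to rebuild the indexes" is misleading. In the queue-management lines, `postsuper -d ALL` deletes every queued message, including legitimate deferred outbound mail, and is not "view and/or delete messages" in the sense the sentence suggests; show `postsuper -d ALL deferred`, or deletion by queue id after `postcat -q` as in the preceding lines, and flag the bare `ALL` form as destructive. In the Dovecot plugin blocks, `protocol lmtp` loads `quota sieve` while `protocol lda` loads `$mail_plugins sieve`, and no quota backend or rule is configured anywhere in this revision; either add the quota configuration or drop `quota` so the two blocks agree. The `dig` and `opendkim-testkey` examples use the author's real domains and addresses (`jonathanhaack.com`, `haacksnetworking.org`, `8.28.86.130`, `8.28.86.125`) where the rest of the page uses `example.com`; substitute the placeholder. Minor wording: "Note that that output will display" has a doubled "that".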