computing:mailserver [2022/12/11 03:13] – oemb1905 | computing:mailserver [2023/08/06 18:42] (current) – oemb1905 | ||
Line 2: | Line 2: | ||
* **mailserver** | * **mailserver** | ||
* **Jonathan Haack** | * **Jonathan Haack** | ||
- | * **Haack' | + | * **Haack' |
- | * **webmaster@haacksnetworking.org** | + | * **webmaster@haacksnetworking.org** |
------------------------------------------- | ------------------------------------------- | ||
- | + | ||
- | // | + | // |
------------------------------------------- | ------------------------------------------- | ||
- | This tutorial is for users of Debian GNU/Linux who want to set up a proper email server. | + | This tutorial is for users of Debian GNU/Linux who want to set up a proper email server.. This tutorial assumes you know how to set up A, AAAA, SPF, DKIM, DMARC, MX, and PTR records. Set an A record for example.org and mail.example.org. If you don't know how, then learn up, and do not proceed. |
sudo nano /etc/hosts | sudo nano /etc/hosts | ||
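Review bot: the added sentence in the intro tells readers to create A records for example.org and mail.example.org, but every later step in the page uses example.com (myhostname = mail.example.com, the certbot -d mail.example.com argument, the openssl s_client tests); use one placeholder domain throughout so a reader does not end up with DNS, the certificate and Postfix pointing at different names. The same line also has a doubled period ("email server..").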
Line 45: | Line 45: | ||
sudo nano / | sudo nano / | ||
- | < | ||
- | sudo systemctl restart postfix | ||
- | sudo nano / | ||
- | < | ||
- | sudo newaliases | ||
| | ||
- | In my case, being at Brown Rice Internet, I can only support | + | Make sure that the hostname, origin, destination, |
- | + | ||
- | sudo postconf -e " | + | |
- | + | ||
- | Or, alternately | + | |
- | + | ||
- | sudo nano / | + | |
- | <inet protocols; ipv4> | + | |
| | ||
- | Now that ipv4 and the and the hostname are established, restart the service and carry on: | + | myhostname = mail.example.com |
- | + | myorigin = / | |
- | | + | mydestination = example.com, $myhostname, |
+ | | ||
+ | inet_protocols = ipv4 | ||
+ | | ||
| | ||
- | If/when you upgrade postfix, please select "No configuration" | + | Let' |
- | | + | |
- | | + | |
| | ||
Now, set up the server block for your mail server' | Now, set up the server block for your mail server' | ||
- | sudo nano /etc/apache2/sites-available/ | + | sudo nano /etc/nginx/conf.d/ |
+ | sudo mkdir -p / | ||
| | ||
The contents looking something like: | The contents looking something like: | ||
- | server {> | + | server { |
listen 80; | listen 80; | ||
#listen [::]:80; | #listen [::]:80; | ||
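Review bot: the new main.cf block sets `inet_protocols = ipv4` unconditionally, while the old revision explained that IPv4-only was a limitation of the author's hosting provider; without that sentence a reader on a dual-stack host will copy the setting and silently stop accepting or delivering mail over IPv6. Either keep a one-line rationale next to the setting or show the default `inet_protocols = all` and present ipv4 as the exception. The removed advice to pick "No configuration" when Postfix is upgraded was useful too, since a package upgrade that rewrites main.cf discards everything configured in this page; consider keeping it.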
Line 84: | Line 76: | ||
} | } | ||
} | } | ||
+ | | ||
+ | Once that is done, restart the service '' | ||
- | Make sure that the directory specified above exists | + | sudo apt install certbot |
+ | sudo apt install python3-certbot-nginx | ||
+ | sudo certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email email@email.com -d mail.example.com | ||
+ | |||
+ | Now, let's configure postfix to work together with Dovecot/ | ||
- | sudo mkdir -p /usr/share/nginx/html/ | + | |
- | sudo systemctl reload nginx | + | -o syslog_name=postfix/ |
+ | -o smtpd_tls_security_level=encrypt | ||
+ | -o smtpd_tls_wrappermode=no | ||
+ | -o smtpd_sasl_auth_enable=yes | ||
+ | -o smtpd_relay_restrictions=permit_sasl_authenticated, | ||
+ | -o smtpd_recipient_restrictions=permit_mynetworks, | ||
+ | -o smtpd_sasl_type=dovecot | ||
+ | -o smtpd_sasl_path=private/ | ||
+ | smtps | ||
+ | -o syslog_name=postfix/ | ||
+ | -o smtpd_tls_wrappermode=yes | ||
+ | -o smtpd_sasl_auth_enable=yes | ||
+ | -o smtpd_relay_restrictions=permit_sasl_authenticated, | ||
+ | -o smtpd_recipient_restrictions=permit_mynetworks, | ||
+ | -o smtpd_sasl_type=dovecot | ||
+ | -o smtpd_sasl_path=private/ | ||
+ | |||
+ | It's now time to configure postfix '' | ||
+ | |||
+ | #Enable TLS Encryption when Postfix receives incoming emails | ||
+ | smtpd_tls_cert_file=/ | ||
+ | smtpd_tls_key_file=/ | ||
+ | smtpd_tls_security_level=may | ||
+ | smtpd_tls_loglevel = 1 | ||
+ | smtpd_tls_session_cache_database = btree: | ||
+ | #Enable TLS Encryption when Postfix sends outgoing emails | ||
+ | smtp_tls_security_level = may | ||
+ | smtp_tls_loglevel = 1 | ||
+ | smtp_tls_session_cache_database = btree: | ||
+ | #Enforce TLSv1.3 or TLSv1.2 | ||
+ | smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
+ | smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
+ | smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
+ | smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 | ||
+ | |||
+ | Now, we can install dovecot and configure it to use IMAP, change the default mailbox location, and add dovecot to the mail group: | ||
+ | |||
+ | sudo apt install dovecot-core dovecot-imapd | ||
+ | sudo nano /etc/dovecot/dovecot.conf | ||
+ | < | ||
+ | sudo nano /etc/ | ||
+ | < | ||
+ | sudo adduser dovecot mail | ||
| | ||
+ | We will now configure dovecot to use lmtp and in so doing use spam sieve and other modules: | ||
+ | sudo apt install dovecot-lmtpd | ||
+ | sudo nano / | ||
+ | < | ||
+ | |||
+ | Now, we need to edit '' | ||
+ | |||
+ | service lmtp { | ||
+ | unix_listener / | ||
+ | mode = 0600 | ||
+ | user = postfix | ||
+ | group = postfix | ||
+ | } | ||
+ | } | ||
+ | |||
+ | Similarly, we need to edit postfix for lmtp: | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | |||
+ | Next, let's configure dovecot authorization: | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
| | ||
+ | Now, configure SSL/TLS encryption in dovecot: | ||
+ | sudo nano / | ||
+ | <ssl = required> | ||
+ | < | ||
+ | <ssl_key = </ | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | SASL configuration by editing '' | ||
+ | service auth { | ||
+ | unix_listener / | ||
+ | mode = 0660 | ||
+ | user = postfix | ||
+ | group = postfix | ||
+ | } | ||
+ | } | ||
| | ||
+ | If you have errors or can't connect your email client at this point, you can test your handshakes as follows: | ||
+ | openssl s_client -connect mail.example.com: | ||
+ | openssl s_client -starttls smtp -connect mail.example.com: | ||
| | ||
+ | Now it is time to setup an spf policy agent so that the incoming email that is received checks for validity of spf records. **Do not confuse this with creating an spf TXT record for your outgoing email.** | ||
+ | sudo apt install postfix-policyd-spf-python | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | Now, it is time to set up DKIM on your server. After creating the DKIM record/key on your server, you will need to create a corresponding TXT record for it to establish that anything over smtp with that signature is, in fact, you/your server. | ||
+ | sudo apt install opendkim opendkim-tools | ||
+ | sudo adduser postfix opendkim | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | |||
+ | Now that the configuration for DKIM is ready, let's create the keys and content for the locations specified above: | ||
+ | |||
+ | sudo mkdir -p / | ||
+ | sudo chown -R opendkim: | ||
+ | sudo chmod 711 / | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo mkdir / | ||
+ | sudo opendkim-genkey -b 2048 -d example.com -D / | ||
+ | sudo chown opendkim: | ||
+ | sudo chmod 600 / | ||
+ | |||
+ | It's now time to create the corresponding TXT record for this DKIM key. To do that, display the key with '' | ||
+ | |||
+ | sudo opendkim-testkey -d example.com -s default -vvv | ||
| | ||
+ | Note that that output will display "key not secure" | ||
+ | sudo mkdir / | ||
+ | sudo chown opendkim: | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | It's now a good time to test your email quality with [[https:// | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | | ||
+ | To set up email header and/or body checks to prevent spam: | ||
+ | |||
+ | sudo apt install postfix-pcre | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
| | ||
+ | You will then need to configure the files with whatever strings you expect spam headers or bodies to have, and either reject them and/or discard them. You will also need to rebuild the indexes. | ||
- | --- // | + | sudo nano / |
+ | </free mortgage quote/ | ||
+ | </repair your credit/ | ||
+ | sudo postmap / | ||
+ | sudo nano / | ||
+ | </free mortgage quote/ | ||
+ | </repair your credit/ | ||
+ | sudo postmap / | ||
+ | |||
+ | In general, be careful of setting your own TXT records for dmarc and spf with p=reject and -all because recipient' | ||
+ | |||
+ | sudo apt install opendmarc | ||
+ | <no to db configure> | ||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | <Socket local:/ | ||
+ | sudo mkdir -p / | ||
+ | sudo chown opendmarc: | ||
+ | sudo chmod 750 / | ||
+ | sudo adduser postfix opendmarc | ||
+ | sudo systemctl restart opendmarc | ||
+ | |||
+ | Now, configure postfix to work with openDMARC. Add the openDMARC socket to the milter block you created earlier. | ||
+ | |||
+ | sudo nano / | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | sudo systemctl restart postfix | ||
+ | |||
+ | This about covers everything. The only missing part is how to get past picky microsoft users and/or automate or simplify account creation. Okay, to view and/or delete messages from postfix mailq: | ||
+ | |||
+ | mailq | ||
+ | postcat -q E900C4780073 | ||
+ | postsuper -d E900C4780073 | ||
+ | postsuper -d ALL | ||
+ | |||
+ | If you have issues, it's good to be familiar with some different uses of the '' | ||
+ | |||
+ | dig txt +short _dmarc.jonathanhaack.com | ||
+ | dig txt +short _dmarc.haacksnetworking.org | ||
+ | dig default._domainkey.jonathanhaack.com txt | ||
+ | dig default._domainkey.haacksnetworking.org txt | ||
+ | dig txt +short jonathanhaack.com | ||
+ | dig txt +short haacksnetworking.org | ||
+ | dig -x 8.28.86.130 +short | ||
+ | dig -x 8.28.86.125 +short | ||
+ | sudo opendkim-testkey -d jonathanhaack.com -s default -vvv | ||
+ | sudo opendkim-testkey -d haacksnetworking.org -s default -vvv | ||
+ | |||
+ | Also, please note that the above applies to clients connecting to the domain. If you intend to also host websites/ | ||
+ | |||
+ | echo "Hi, I am testing the subdomain email health." | ||
+ | |||
+ | Setting up dovecot-sieve. | ||
+ | |||
+ | sudo apt install dovecot-sieve dovecot-managesieved | ||
+ | sudo nano / | ||
+ | |||
+ | Set to: | ||
+ | |||
+ | protocols = imap lmtp sieve | ||
+ | |||
+ | Then, open | ||
+ | |||
+ | sudo nano / | ||
+ | |||
+ | Set to: | ||
+ | |||
+ | protocol lda { | ||
+ | mail_plugins = $mail_plugins sieve | ||
+ | } | ||
+ | |||
+ | Finally, | ||
+ | |||
+ | sudo nano / | ||
+ | |||
+ | Which should be: | ||
+ | |||
+ | protocol lmtp { | ||
+ | mail_plugins = quota sieve | ||
+ | } | ||
+ | |||
+ | Restart your services '' | ||
+ | |||
+ | sudo nano / | ||
+ | |||
+ | An example block: | ||
+ | |||
+ | mailbox Drafts { | ||
+ | auto = create | ||
+ | special_use = \Drafts | ||
+ | } | ||
+ | |||
+ | Simply add the '' | ||
+ | |||
+ | --- // |
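Review bot: the two Dovecot plugin blocks are inconsistent: `protocol lda` sets `mail_plugins = $mail_plugins sieve` (appending to the global list), but `protocol lmtp` sets `mail_plugins = quota sieve`, which replaces the global list and turns on the quota plugin that nothing else in the page configures. Since the page delivers through LMTP (the dovecot-lmtpd install and the postfix lmtp edits earlier), the lmtp block is the one that actually runs, so use `mail_plugins = $mail_plugins sieve` in both blocks, or add the quota configuration the lmtp line assumes. Separately, the `postsuper -d ALL` line in the mailq section deletes every queued message, including legitimately deferred mail; it deserves a short warning so it is not run reflexively while debugging.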