summaryrefslogtreecommitdiff
path: root/live/blog/a/mail_server_with_postfix.html
diff options
context:
space:
mode:
authorDavid Luevano Alvarado <david@luevano.xyz>2024-03-07 21:55:16 -0600
committerDavid Luevano Alvarado <david@luevano.xyz>2024-03-07 21:55:16 -0600
commitbd86f4fc950cdc5bb4cb346f48c14a6e356dc4fb (patch)
treec1cebd6a0b48c38e2100d8e4fe9745fd7f585bd5 /live/blog/a/mail_server_with_postfix.html
parentca9c5626495c00f6d6cffd4ae517a66db15b0832 (diff)
stop tracking live/
Diffstat (limited to 'live/blog/a/mail_server_with_postfix.html')
-rw-r--r--live/blog/a/mail_server_with_postfix.html527
1 files changed, 0 insertions, 527 deletions
diff --git a/live/blog/a/mail_server_with_postfix.html b/live/blog/a/mail_server_with_postfix.html
deleted file mode 100644
index defe607..0000000
--- a/live/blog/a/mail_server_with_postfix.html
+++ /dev/null
@@ -1,527 +0,0 @@
-<!DOCTYPE html>
-<html class="theme-dark" lang="en
-"
- prefix="og: https://ogp.me/ns#">
- <head>
- <meta charset="utf-8">
- <meta name="viewport" content="width=device-width, initial-scale=1">
- <link rel="icon" href="https://static.luevano.xyz/images/icons/favicon.ico">
-<title>Set up a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM -- Luévano's Blog</title>
- <meta name="description" content="How to set up a Mail server using Postfix, Dovecot, SpamAssassin and OpenDKIM, on Arch. This is a follow up on post about creating a website with Nginx and Certbot."/>
-<link rel="alternate" type="application/rss+xml" href="https://blog.luevano.xyz/rss.xml" title="Luévano's Blog RSS">
- <!-- general style -->
- <link rel="stylesheet" type="text/css" href="https://static.luevano.xyz/css/style.css">
- <link rel="stylesheet" type="text/css" href="https://static.luevano.xyz/fork-awesome/css/fork-awesome.min.css">
- <link rel="stylesheet" type="text/css" href="https://static.luevano.xyz/font-awesome/css/all.min.css">
- <!-- theme related -->
- <script type="text/javascript" src="https://static.luevano.xyz/scripts/theme.js"></script>
- <link id="theme-css" rel="stylesheet" type="text/css" href="https://static.luevano.xyz/css/theme.css">
- <!-- misc functions-->
- <script type="text/javascript" src="https://static.luevano.xyz/scripts/return_top.js"></script>
- <!-- extra -->
- <!-- highlight support for code blocks -->
-<script type="text/javascript" src="https://static.luevano.xyz/hl/highlight.min.js"></script>
-<script type="text/javascript">
- hljs.initHighlightingOnLoad();
-</script>
-<link id="code-theme-css" rel="stylesheet" type="text/css" href="https://static.luevano.xyz/hl/styles/nord.min.css">
-
-
-
-
-
-
- <!-- og meta -->
- <meta property="og:title" content="Set up a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM -- Luévano's Blog"/>
- <meta property="og:type" content="article"/>
- <meta property="og:url" content="https://blog.luevano.xyz/a/mail_server_with_postfix.md"/>
- <meta property="og:image" content="https://static.luevano.xyz/images/b/default.png"/>
- <meta property="og:description" content="How to set up a Mail server using Postfix, Dovecot, SpamAssassin and OpenDKIM, on Arch. This is a follow up on post about creating a website with Nginx and Certbot."/>
- <meta property="og:locale" content="en"/>
- <meta property="og:site_name" content="Luévano's Blog"/>
- </head>
-
- <body>
- <header>
-<nav>
- <ul>
- <li>
- <a href="https://luevano.xyz/"><i class="fas fa-home" alt="Home"></i><span>Home</span></a>
- </li>
-
- <li>
- <a href="https://blog.luevano.xyz/"><i class="fas fa-book-open" alt="Blog"></i><span>Blog</span></a>
- </li>
-
- <li>
- <a href="https://art.luevano.xyz/"><i class="fas fa-paint-brush" alt="Art"></i><span>Art</span></a>
- </li>
-
- <li><i class="fab fa-git" alt="Git"></i><span>Git</span>
- <ul>
- <li><a href="https://git.luevano.xyz/" target="_blank"><i class="fab fa-git-alt" alt="Git-alt"></i></a></li>
-
- <li><a href="https://github.com/luevano" target="_blank"><i class="fab fa-github" alt="Github"></i></a></li>
-
- <li><a href="https://gitlab.com/dluevano" target="_blank"><i class="fab fa-gitlab" alt="Gitlab"></i></a></li>
- </ul>
- </li>
-
- <li><i class="fas fa-box-open" alt="Stuff"></i><span>Stuff</span>
- <ul>
- <li><a href="https://gb.luevano.xyz/"><i class="fas fa-gamepad" alt="Gameboy"></i><span>Gameboy</span></a></li>
- </ul>
- </li>
- </ul>
-</nav>
-
-<button class="theme-switcher" onclick="toggleTheme()"><i class="fas fa-moon"></i><i class="fas fa-sun"></i></button>
-
- </header>
-
- <main>
- <div class="return-top">
- <button class="return-top" onclick="returnTop()" id="returnTopButton">
- <i class="fas fa-arrow-up" alt="Return to top"></i>
- </button>
- </div>
- <h1>Set up a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</h1>
-
- <p>The entry is going to be long because it&rsquo;s a <em>tedious</em> process. This is also based on <a href="https://github.com/LukeSmithxyz/emailwiz">Luke Smith&rsquo;s script</a>, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I&rsquo;m in the process of installing/configuring the mail server on a new VPS of mine; <del>also I&rsquo;m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted <a href="https://git.luevano.xyz/server_scripts.git">here</a>.</del> <ins>I haven&rsquo;t had time to do the script so nevermind this, if I ever do it I&rsquo;ll make a new entry regarding it.</ins></p>
-<p>This configuration works for local users (users that appear in <code>/etc/passwd</code>), and does not use any type of SQL database. Do note that I&rsquo;m not running Postfix in a chroot, which can be a problem if you&rsquo;re following my steps as noted by <mark><a href="https://bojanmilevski.com/">Bojan</a></mark>; in the case that you want to run in chroot then add the steps chown in the Arch wiki: <a href="https://wiki.archlinux.org/title/postfix#Postfix_in_a_chroot_jail">Postfix in a chroot jail</a>; the issue faced if following my steps and using a chroot is that there will be issues resolving the hostname due to <code>/etc/hosts</code> or <code>/etc/hostname</code> not being available in the chroot.</p>
-<p>All commands executed here are run with root privileges, unless stated otherwise.</p>
-<h2 id="table-of-contents">Table of contents<a class="headerlink" href="#table-of-contents" title="Permanent link">&para;</a></h2>
-<div class="toc">
-<ul>
-<li><a href="#table-of-contents">Table of contents</a></li>
-<li><a href="#prerequisites">Prerequisites</a></li>
-<li><a href="#postfix">Postfix</a></li>
-<li><a href="#dovecot">Dovecot</a></li>
-<li><a href="#opendkim">OpenDKIM</a><ul>
-<li><a href="#opendkim-dns-txt-records">OpenDKIM DNS TXT records</a></li>
-</ul>
-</li>
-<li><a href="#spamassassin">SpamAssassin</a></li>
-<li><a href="#wrapping-up">Wrapping up</a></li>
-</ul>
-</div>
-<h2 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">&para;</a></h2>
-<p>Basically the same as with the <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website with Nginx and Certbot</a>, with the extras:</p>
-<ul>
-<li>You will need a <strong>CNAME</strong> for &ldquo;mail&rdquo; and (optionally) &ldquo;www.mail&rdquo;, or whatever you want to call the sub-domains (although the <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a> states that it NEEDS to be an <strong>A</strong> record, fuck the police).</li>
-<li>An SSL certificate. You can use the SSL certificate obtained following my last post using <code>certbot</code> (just create a <code>mail.conf</code> and run <code>certbot --nginx</code> again).</li>
-<li>Ports <code>25</code>, <code>587</code> (SMTP), <code>465</code> (SMTPS), <code>143</code> (IMAP) and <code>993</code> (IMAPS) open on the firewall (I use <code>ufw</code>).</li>
-</ul>
-<h2 id="postfix">Postfix<a class="headerlink" href="#postfix" title="Permanent link">&para;</a></h2>
-<p><a href="https://wiki.archlinux.org/title/postfix">Postfix</a> is a &ldquo;mail transfer agent&rdquo; which is the component of the mail server that receives and sends emails via SMTP.</p>
-<p>Install the <code>postfix</code> package:</p>
-<pre><code class="language-sh">pacman -S postfix
-</code></pre>
-<p>We have two main files to configure (inside <code>/etc/postfix</code>): <code>master.cf</code> (<a href="https://man.archlinux.org/man/master.5">master(5)</a>) and <code>main.cf</code> (<a href="https://man.archlinux.org/man/postconf.5">postconf(5)</a>). We&rsquo;re going to edit <code>main.cf</code> first either by using the command <code>postconf -e 'setting'</code> or by editing the file itself (I prefer to edit the file).</p>
-<p>Note that the default file itself has a lot of comments with description on what each thing does (or you can look up the manual, linked above), I used what Luke&rsquo;s script did plus some other settings that worked for me.</p>
-<p>Now, first locate where your website cert is, mine is at the default location <code>/etc/letsencrypt/live/</code>, so my <code>certdir</code> is <code>/etc/letsencrypt/live/luevano.xyz</code>. Given this information, change <code>{yourcertdir}</code> on the corresponding lines. The configuration described below has to be appended in the <code>main.cf</code> configuration file.</p>
-<p>Certificates and ciphers to use for authentication and security:</p>
-<pre><code class="language-apache">smtpd_tls_key_file = {yourcertdir}/privkey.pem
-smtpd_tls_cert_file = {yourcertdir}/fullchain.pem
-smtpd_use_tls = yes
-smtpd_tls_auth_only = yes
-smtp_tls_security_level = may
-smtp_tls_loglevel = 1
-smtp_tls_CAfile = {yourcertdir}/cert.pem
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-tls_preempt_cipherlist = yes
-smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
- DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
- RSA+AES, eNULL
-
-smtp_tls_CApath = /etc/ssl/certs
-smtpd_tls_CApath = /etc/ssl/certs
-
-smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_unauth_destination
-</code></pre>
-<p>Also, for the <em>connection</em> with <code>dovecot</code>, append the next few lines (telling postfix that <code>dovecot</code> will use user/password for authentication):</p>
-<pre><code class="language-apache">smtpd_sasl_auth_enable = yes
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
-smtpd_sasl_security_options = noanonymous, noplaintext
-smtpd_sasl_tls_security_options = noanonymous
-</code></pre>
-<p>Specify the mailbox home, this is going to be a directory inside your user&rsquo;s home containing the actual mail files, for example it will end up being<code>/home/david/Mail/Inbox</code>:</p>
-<pre><code class="language-apache">home_mailbox = Mail/Inbox/
-</code></pre>
-<p>Pre-configuration to work seamlessly with <code>dovecot</code> and <code>opendkim</code>:</p>
-<pre><code class="language-apache">myhostname = {yourdomainname}
-mydomain = localdomain
-mydestination = $myhostname, localhost.$mydomain, localhost
-
-milter_default_action = accept
-milter_protocol = 6
-smtpd_milters = inet:127.0.0.1:8891
-non_smtpd_milters = inet:127.0.0.1:8891
-mailbox_command = /usr/lib/dovecot/deliver
-</code></pre>
-<p>Where <code>{yourdomainname}</code> is <code>luevano.xyz</code> in my case. Lastly, if you don&rsquo;t want the sender&rsquo;s IP and user agent (application used to send the mail), add the following line:</p>
-<pre><code class="language-apache">smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
-</code></pre>
-<p>And create the <code>/etc/postfix/smtp_header_checks</code> file with the following content:</p>
-<pre><code class="language-coffee">/^Received: .*/ IGNORE
-/^User-Agent: .*/ IGNORE
-</code></pre>
-<p>That&rsquo;s it for <code>main.cf</code>, now we have to configure <code>master.cf</code>. This one is a bit more tricky.</p>
-<p>First look up lines (they&rsquo;re uncommented) <code>smtp inet n - n - - smtpd</code>, <code>smtp unix - - n - - smtp</code> and <code>-o syslog_name=postfix/$service_name</code> and either delete or uncomment them&hellip; or just run <code>sed -i "/^\s*-o/d;/^\s*submission/d;/\s*smtp/d" /etc/postfix/master.cf</code> as stated in Luke&rsquo;s script.</p>
-<p>Lastly, append the following lines to complete postfix setup and pre-configure for <code>spamassassin</code>.</p>
-<pre><code class="language-txt">smtp unix - - n - - smtp
-smtp inet n - y - - smtpd
- -o content_filter=spamassassin
-submission inet n - y - - smtpd
- -o syslog_name=postfix/submission
- -o smtpd_tls_security_level=encrypt
- -o smtpd_sasl_auth_enable=yes
- -o smtpd_tls_auth_only=yes
-smtps inet n - y - - smtpd
- -o syslog_name=postfix/smtps
- -o smtpd_tls_wrappermode=yes
- -o smtpd_sasl_auth_enable=yes
-spamassassin unix - n n - - pipe
- user=spamd argv=/usr/bin/vendor_perl/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}
-</code></pre>
-<p>Now, I ran into some problems with postfix, one being <a href="https://www.faqforge.com/linux/fix-for-opensuse-error-postfixmaster-fatal-0-0-0-0smtps-servname-not-supported-for-ai_socktype/">smtps: Servname not supported for ai_socktype</a>, to fix it, as <em>Till</em> posted in that site, edit <code>/etc/services</code> and add:</p>
-<pre><code class="language-apache">smtps 465/tcp
-smtps 465/udp
-</code></pre>
-<p>Before starting the <code>postfix</code> service, you need to run <code>newaliases</code> first, but you can do a bit of configuration beforehand editing the file <code>/etc/postfix/aliases</code>. I only change the <code>root: you</code> line (where <code>you</code> is the account that will be receiving &ldquo;root&rdquo; mail). After you&rsquo;re done, run:</p>
-<pre><code class="language-sh">postalias /etc/postfix/aliases
-newaliases
-</code></pre>
-<p>At this point you&rsquo;re done configuring <code>postfix</code> and you can already start/enable the <code>postfix</code> service:</p>
-<pre><code class="language-sh">systemctl start postfix.service
-systemctl enable postfix.service
-</code></pre>
-<h2 id="dovecot">Dovecot<a class="headerlink" href="#dovecot" title="Permanent link">&para;</a></h2>
-<p><a href="https://wiki.archlinux.org/title/Dovecot">Dovecot</a> is an IMAP and POP3 server, which is what lets an email application retrieve the mail.</p>
-<p>Install the <code>dovecot</code> and <code>pigeonhole</code> (sieve for <code>dovecot</code>) packages:</p>
-<pre><code class="language-sh">pacman -S dovecot pigeonhole
-</code></pre>
-<p>On arch, by default, there is no <code>/etc/dovecot</code> directory with default configurations set in place, but the package does provide the example configuration files. Create the <code>dovecot</code> directory under <code>/etc</code> and, optionally, copy the <code>dovecot.conf</code> file and <code>conf.d</code> directory under the just created <code>dovecot</code> directory:</p>
-<pre><code class="language-sh">mkdir /etc/dovecot
-cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf
-cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot
-</code></pre>
-<p>As Luke stated, <code>dovecot</code> comes with a lot of &ldquo;modules&rdquo; (under <code>/etc/dovecot/conf.d/</code> if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edit/create the whole <code>dovecot.conf</code> file; although, I would like to check each of the separate configuration files <code>dovecot</code> provides I think the options Luke provides are more than good enough.</p>
-<p>I&rsquo;m working with an empty <code>dovecot.conf</code> file. Add the following lines for SSL and login configuration (also replace <code>{yourcertdir}</code> with the same certificate directory described in the Postfix section above, note that the <code>&lt;</code> is required):</p>
-<pre><code class="language-apache">ssl = required
-ssl_cert = &lt;{yourcertdir}/fullchain.pem
-ssl_key = &lt;{yourcertdir}/privkey.pem
-ssl_min_protocol = TLSv1.2
-ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH
-ssl_prefer_server_ciphers = yes
-ssl_dh = &lt;/etc/dovecot/dh.pem
-
-auth_mechanisms = plain login
-auth_username_format = %n
-protocols = $protocols imap
-</code></pre>
-<p>You may notice we specify a file we don&rsquo;t have under <code>/etc/dovecot</code>: <code>dh.pem</code>. We need to create it with <code>openssl</code> (you should already have it installed if you&rsquo;ve been following this entry and the one for <code>nginx</code>). Just run (might take a few minutes):</p>
-<pre><code class="language-sh">openssl dhparam -out /etc/dovecot/dh.pem 4096
-</code></pre>
-<p>After that, the next lines define what a &ldquo;valid user is&rdquo; (really just sets the database for users and passwords to be the local users with their password):</p>
-<pre><code class="language-apache">userdb {
- driver = passwd
-}
-
-passdb {
- driver = pam
-}
-</code></pre>
-<p>Next, comes the mail directory structure (has to match the one described in the Postfix section). Here, the <code>LAYOUT</code> option is important so the boxes are <code>.Sent</code> instead of <code>Sent</code>. Add the next lines (plus any you like):</p>
-<pre><code class="language-apache">mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
-namespace inbox {
- inbox = yes
-
- mailbox Drafts {
- special_use = \Drafts
- auto = subscribe
- }
-
- mailbox Junk {
- special_use = \Junk
- auto = subscribe
- autoexpunge = 30d
- }
-
- mailbox Sent {
- special_use = \Sent
- auto = subscribe
- }
-
- mailbox Trash {
- special_use = \Trash
- }
-
- mailbox Archive {
- special_use = \Archive
- }
-}
-</code></pre>
-<p>Also include this so Postfix can use Dovecot&rsquo;s authentication system:</p>
-<pre><code class="language-apache">service auth {
- unix_listener /var/spool/postfix/private/auth {
- mode = 0660
- user = postfix
- group = postfix
- }
-}
-</code></pre>
-<p>Lastly (for Dovecot at least), the plugin configuration for <code>sieve</code> (<code>pigeonhole</code>):</p>
-<pre><code class="language-apache">protocol lda {
- mail_plugins = $mail_plugins sieve
-}
-
-protocol lmtp {
- mail_plugins = $mail_plugins sieve
-}
-
-plugin {
- sieve = ~/.dovecot.sieve
- sieve_default = /var/lib/dovecot/sieve/default.sieve
- sieve_dir = ~/.sieve
- sieve_global_dir = /var/lib/dovecot/sieve/
-</code></pre>
-<p>Where <code>/var/lib/dovecot/sieve/default.sieve</code> doesn&rsquo;t exist yet. Create the folders:</p>
-<pre><code class="language-sh">mkdir -p /var/lib/dovecot/sieve
-</code></pre>
-<p>And create the file <code>default.sieve</code> inside that just created folder with the content:</p>
-<pre><code class="language-nginx">require [&quot;fileinto&quot;, &quot;mailbox&quot;];
-if header :contains &quot;X-Spam-Flag&quot; &quot;YES&quot; {
- fileinto &quot;Junk&quot;;
-}
-</code></pre>
-<p>Now, if you don&rsquo;t have a <code>vmail</code> (virtual mail) user, create one and change the ownership of the <code>/var/lib/dovecot</code> directory to this user:</p>
-<pre><code class="language-sh">grep -q &quot;^vmail:&quot; /etc/passwd || useradd -m vmail -s /usr/bin/nologin
-chown -R vmail:vmail /var/lib/dovecot
-</code></pre>
-<p>Note that I also changed the shell for <code>vmail</code> to be <code>/usr/bin/nologin</code>. After that, to compile the configuration file run:</p>
-<pre><code class="language-sh">sievec /var/lib/dovecot/sieve/default.sieve
-</code></pre>
-<p>A <code>default.svbin</code> file will be created next to <code>default.sieve</code>.</p>
-<p>Next, add the following lines to <code>/etc/pam.d/dovecot</code> if not already present (shouldn&rsquo;t be there if you&rsquo;ve been following these notes):</p>
-<pre><code class="language-txt">auth required pam_unix.so nullok
-account required pam_unix.so
-</code></pre>
-<p>That&rsquo;s it for Dovecot, at this point you can start/enable the <code>dovecot</code> service:</p>
-<pre><code class="language-sh">systemctl start dovecot.service
-systemctl enable dovecot.service
-</code></pre>
-<h2 id="opendkim">OpenDKIM<a class="headerlink" href="#opendkim" title="Permanent link">&para;</a></h2>
-<p><a href="https://wiki.archlinux.org/title/OpenDKIM">OpenDKIM</a> is needed so services like G**gle don&rsquo;t throw the mail to the trash. DKIM stands for &ldquo;DomainKeys Identified Mail&rdquo;.</p>
-<p>Install the <code>opendkim</code> package:</p>
-<pre><code class="language-sh">pacman -S opendkim
-</code></pre>
-<p>Generate the keys for your domain:</p>
-<pre><code class="language-sh">opendkim-genkey -D /etc/opendkim -d {yourdomain} -s {yoursubdomain} -r -b 2048
-</code></pre>
-<p>Where you need to change <code>{yourdomain}</code> and <code>{yoursubdomain}</code> (doesn&rsquo;t really need to be the sub-domain, could be anything that describes your key) accordingly, for me it&rsquo;s <code>luevano.xyz</code> and <code>mail</code>, respectively. After that, we need to create some files inside the <code>/etc/opendkim</code> directory. First, create the file <code>KeyTable</code> with the content:</p>
-<pre><code class="language-txt">{yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private
-</code></pre>
-<p>So, for me it would be:</p>
-<pre><code class="language-txt">mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private
-</code></pre>
-<p>Next, create the file <code>SigningTable</code> with the content:</p>
-<pre><code class="language-txt">*@{yourdomain} {yoursubdomain}._domainkey.{yourdomain}
-</code></pre>
-<p>Again, for me it would be:</p>
-<pre><code class="language-txt">*@luevano.xyz mail._domainkey.luevano.xyz
-</code></pre>
-<p>And, lastly create the file <code>TrustedHosts</code> with the content:</p>
-<pre><code class="language-txt">127.0.0.1
-::1
-10.1.0.0/16
-1.2.3.4/24
-localhost
-{yourserverip}
-...
-</code></pre>
-<p>And more, make sure to include your server IP and something like <code>subdomain.domainname</code>.</p>
-<p>Next, edit <code>/etc/opendkim/opendkim.conf</code> to reflect the changes (or rather, addition) of these files, as well as some other configuration. You can look up the example configuration file located at <code>/usr/share/doc/opendkim/opendkim.conf.sample</code>, but I&rsquo;m creating a blank one with the contents:</p>
-<pre><code class="language-apache">Domain {yourdomain}
-Selector {yoursubdomain}
-
-Syslog Yes
-UserID opendkim
-
-KeyFile /etc/opendkim/{yoursubdomain}.private
-Socket inet:8891@localhost
-</code></pre>
-<p>Now, change the permissions for all the files inside <code>/etc/opendkim</code>:</p>
-<pre><code class="language-sh">chown -R root:opendkim /etc/opendkim
-chmod g+r /etc/postfix/dkim/*
-</code></pre>
-<p>I&rsquo;m using <code>root:opendkim</code> so <code>opendkim</code> doesn&rsquo;t complain about the <code>{yoursubdomani}.private</code> being insecure (you can change that by using the option <code>RequireSafeKeys False</code> in the <code>opendkim.conf</code> file, as stated <a href="http://lists.opendkim.org/archive/opendkim/users/2014/12/3331.html">here</a>).</p>
-<p>That&rsquo;s it for the general configuration, but you could go more in depth and be more secure with some extra configuration.</p>
-<p>Now, just start/enable the <code>opendkim</code> service:</p>
-<pre><code class="language-sh">systemctl start opendkim.service
-systemctl enable opendkim.service
-</code></pre>
-<h3 id="opendkim-dns-txt-records">OpenDKIM DNS TXT records<a class="headerlink" href="#opendkim-dns-txt-records" title="Permanent link">&para;</a></h3>
-<p>Add the following <strong>TXT</strong> records on your domain registrar (these examples are for Epik):</p>
-<ol>
-<li><em>DKIM</em> entry: look up your <code>{yoursubdomain}.txt</code> file, it should look something like:</li>
-</ol>
-<pre><code class="language-txt">{yoursubdomain}._domainkey IN TXT ( &quot;v=DKIM1; k=rsa; s=email; &quot;
- &quot;p=...&quot;
- &quot;...&quot; ) ; ----- DKIM key mail for {yourdomain}
-</code></pre>
-<p>In the <strong>TXT</strong> record you will place <code>{yoursubdomain}._domainkey</code> as the &ldquo;Host&rdquo; and <code>"v=DKIM1; k=rsa; s=email; " "p=..." "..."</code> in the &ldquo;TXT Value&rdquo; (replace the dots with the actual value you see in your file).</p>
-<ol start="2">
-<li>
-<p><em>DMARC</em> entry: just <code>_dmarc.{yourdomain}</code> as the &ldquo;Host&rdquo; and <code>"v=DMARC1; p=reject; rua=mailto:dmarc@{yourdomain}; fo=1"</code> as the &ldquo;TXT Value&rdquo;.</p>
-</li>
-<li>
-<p><em>SPF</em> entry: just <code>@</code> as the &ldquo;Host&rdquo; and <code>"v=spf1 mx a:{yoursubdomain}.{yourdomain} - all"</code> as the &ldquo;TXT Value&rdquo;.</p>
-</li>
-</ol>
-<p>And at this point you could test your mail for spoofing and more.</p>
-<h2 id="spamassassin">SpamAssassin<a class="headerlink" href="#spamassassin" title="Permanent link">&para;</a></h2>
-<p><a href="https://wiki.archlinux.org/title/SpamAssassin">SpamAssassin</a> is just <em>a mail filter to identify spam</em>.</p>
-<p>Install the <code>spamassassin</code> package (which will install a bunch of ugly <code>perl</code> packages&hellip;):</p>
-<pre><code class="language-sh">pacman -S spamassassin
-</code></pre>
-<p>For some reason, the permissions on all <code>spamassassin</code> stuff are all over the place. First, change owner of the executables, and directories:</p>
-<pre><code class="language-sh">chown spamd:spamd /usr/bin/vendor_perl/sa-*
-chown spamd:spamd /usr/bin/vendor_perl/spam*
-chwown -R spamd:spamd /etc/mail/spamassassin
-</code></pre>
-<p>Then, you can edit <code>local.cf</code> (located in <code>/etc/mail/spamassassin</code>) to fit your needs (I only uncommented the <code>rewrite_header Subject ...</code> line). And then you can run the following command to update the patterns and compile them:</p>
-<pre><code class="language-sh">sudo -u spamd sa-update
-sudo -u spamd sa-compile
-</code></pre>
-<p>And since this should be run periodically, create the service <code>spamassassin-update.service</code> under <code>/etc/systemd/system</code> with the following content:</p>
-<pre><code class="language-ini">[Unit]
-Description=SpamAssassin housekeeping
-After=network.target
-
-[Service]
-User=spamd
-Group=spamd
-Type=oneshot
-
-ExecStart=/usr/bin/vendor_perl/sa-update --allowplugins
-SuccessExitStatus=1
-ExecStart=/usr/bin/vendor_perl/sa-compile
-ExecStart=/usr/bin/systemctl -q --no-block try-restart spamassassin.service
-</code></pre>
-<p>And you could also execute <code>sa-learn</code> to train <code>spamassassin</code>&lsquo;s bayes filter, but this works for me. Then create the timer <code>spamassassin-update.timer</code> under the same directory, with the content:</p>
-<pre><code class="language-ini">[Unit]
-Description=SpamAssassin housekeeping
-
-[Timer]
-OnCalendar=daily
-Persistent=true
-
-[Install]
-WantedBy=timers.target
-</code></pre>
-<p>You can now start/enable the <code>spamassassin-update</code> timer:</p>
-<pre><code class="language-sh">systemctl start spamassassin-update.timer
-systemctl enable spamassassin-update.timer
-</code></pre>
-<p>Next, you may want to edit the <code>spamassassin</code> service before starting and enabling it, because by default, it could <a href="https://rimuhosting.com/howto/memory.jsp">spawn a lot of &ldquo;childs&rdquo;</a> eating a lot of resources and you really only need one child. Append <code>--max-children=1</code> to the line <code>ExecStart=...</code> in <code>/usr/bin/systemd/system/spamassassin.service</code>:</p>
-<pre><code class="language-ini">...
-ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/spamd.sock --listen=localhost --max-children=1
-...
-</code></pre>
-<p>Finally, start and enable the <code>spamassassin</code> service:</p>
-<pre><code class="language-sh">systemctl start spamassassin.service
-systemctl enable spamassassin.service
-</code></pre>
-<h2 id="wrapping-up">Wrapping up<a class="headerlink" href="#wrapping-up" title="Permanent link">&para;</a></h2>
-<p>We should have a working mail server by now. Before continuing check your journal logs (<code>journalctl -xe --unit={unit}</code>, where <code>{unit}</code> could be <code>spamassassin.service</code> for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere because all the settings and steps detailed here just worked; I literally just finished doing everything on a new server as of the writing of this text, <mark>it just werks on my machine</mark>.</p>
-<p>Now, to actually use the mail service: first of all, you need a <em>normal</em> account (don&rsquo;t use root) that belongs to the <code>mail</code> group (<code>gpasswd -a user group</code> to add a user <code>user</code> to group <code>group</code>) and that has a password.</p>
-<p>Next, to actually login into a mail app/program, you will use the following settings, at least for <code>thunderdbird</code>(I tested in windows default mail app and you don&rsquo;t need a lot of settings):</p>
-<ul>
-<li>* server: subdomain.domain (mail.luevano.xyz in my case)</li>
-<li><strong>SMTP</strong> port: 587</li>
-<li><strong>SMTPS</strong> port: 465 (I use this one)</li>
-<li><strong>IMAP</strong> port: 143</li>
-<li><strong>IMAPS</strong> port: 993 (again, I use this one)</li>
-<li>Connection/security: SSL/TLS</li>
-<li>Authentication method: Normal password</li>
-<li>Username: just your <code>user</code>, not the whole email (<code>david</code> in my case)</li>
-<li>Password: your <code>user</code> password (as in the password you use to login to the server with that user)</li>
-</ul>
-<p>All that&rsquo;s left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to <a href="https://www.appmaildev.com/en/dkim">DKIM Test</a> and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:</p>
-<figure id="__yafg-figure-10">
-<img alt="DKIM Test successful" src="https://static.luevano.xyz/images/b/mail/dkim_test_successful.png" title="DKIM Test successful">
-<figcaption>DKIM Test successful</figcaption>
-</figure>
-
- <div class="page-nav">
- <span class="next">
- <a href="https://blog.luevano.xyz/a/git_server_with_cgit.html" alt="Next">
- <i class="fas fa-arrow-left" alt="Arrow left"></i>
- <span>Next</span>
- </a>
- </span>
-
- <span class="index">
- <a href="https://blog.luevano.xyz" alt="Index">
- <i class="fas fa-home" alt="Home"></i>
- <span>Index</span>
- </a>
- </span>
-
- <span class="previous">
- <a href="https://blog.luevano.xyz/a/website_with_nginx.html" alt="Previous">
- <i class="fas fa-arrow-right" alt="Arrow right"></i>
- <span>Previous</span>
- </a>
- </span>
-</div>
-
-
- <hr>
- <div class="article-info">
- <p>By David Luévano</p>
- <p>Created: Sun, Mar 21, 2021 @ 04:05 UTC</p>
- <p>Modified: Wed, Jun 21, 2023 @ 00:17 UTC</p>
- <div class="article-tags">
- <p>Tags:
-<a href="https://blog.luevano.xyz/tag/@code.html">code</a>, <a href="https://blog.luevano.xyz/tag/@english.html">english</a>, <a href="https://blog.luevano.xyz/tag/@server.html">server</a>, <a href="https://blog.luevano.xyz/tag/@tools.html">tools</a>, <a href="https://blog.luevano.xyz/tag/@tutorial.html">tutorial</a> </p>
-</div>
-
- </div>
- </main>
-
- <footer>
-<span>
- <i class="fas fa-address-card" alt="Contact"></i>
- <a href="https://blog.luevano.xyz/contact.html">Contact</a>
-</span>
-
-<span>
- <i class="fas fa-donate" alt="Donate"></i>
- <a href="https://blog.luevano.xyz/donate.html">Donate</a>
-</span>
-
-<span>
- <i class="fas fa-rss" alt="RSS"></i>
- <a target="_blank" href="https://blog.luevano.xyz/rss.xml">RSS</a>
-</span>
-
-<br>
-<span class="created-with">
- <i class="fas fa-hammer" alt="Hammer"></i>
- Created with <a href="https://github.com/luevano/pyssg">pyssg</a>
-</span>
-
-<br>
-<span class="copyright">
- Copyright <i class="far fa-copyright" alt="Copyright"></i> 2023 David Luévano Alvarado
-</span>
-
- </footer>
- </body>
-</html> \ No newline at end of file