diff options
Diffstat (limited to 'blog/dst/a/mail_server_with_postfix.html')
-rw-r--r-- | blog/dst/a/mail_server_with_postfix.html | 270 |
1 files changed, 72 insertions, 198 deletions
diff --git a/blog/dst/a/mail_server_with_postfix.html b/blog/dst/a/mail_server_with_postfix.html index a39d0b9..eaa620d 100644 --- a/blog/dst/a/mail_server_with_postfix.html +++ b/blog/dst/a/mail_server_with_postfix.html @@ -3,7 +3,7 @@ <head> <base href="https://static.luevano.xyz/"> <meta charset="utf-8"> - <title>Luévano's Blog</title> + <title>Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM -- Luévano's Blog</title> <link rel="icon" href="fa/svgs/solid/dragon.svg"> <!-- general style --> @@ -62,50 +62,33 @@ <main> <h1>Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</h1> - -<p>The entry is going to be long because it's a <em>tedious</em> process. This is also based on <a href="https://github.com/LukeSmithxyz/emailwiz">Luke Smith's script</a>, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go (for Arch Linux), that will be hosted <a href="https://git.luevano.xyz/server_scripts.git">here</a>.</p> - +<p>The entry is going to be long because it’s a <em>tedious</em> process. This is also based on <a href="https://github.com/LukeSmithxyz/emailwiz">Luke Smith’s script</a>, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I’m in the process of installing/configuring the mail server on a new VPS of mine; also I’m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted <a href="https://git.luevano.xyz/server_scripts.git">here</a>.</p> <p>This configuration works for local users (users that appear in <code>/etc/passwd</code>), and does not use any type of SQL. And note that most if not all commands executed here are run with root privileges.</p> - <p>More in depth configuration is detailed in the Arch Wiki for each package used here.</p> - -<h2>Prerequisites</h2> - +<h2 id="prerequisites">Prerequisites</h2> <p>Basically the same as with the <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website with Nginx and Certbot</a>:</p> - -<ul> -<li>A domain name. Got mine on <a href="https://www.epik.com/?affid=da5ne9ru4">Epik</a> (affiliate link, btw). - -<ul> -<li>Later we'll be adding some <strong>MX</strong> and <strong>TXT</strong> records.</li> -<li>You also need a <strong>CNAME</strong> for “mail” and (optionally) “www.mail”, or whatever you want to call the sub-domains (although the <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a> states that it NEEDS to be an <strong>A</strong> record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on <code>nginx</code> and <code>certbot</code>) with <code>certbot</code> (just create a <code>mail.conf</code> for <code>nginx</code>, similar to how we created it in the website entry).</li> -</ul></li> -<li>A VPS or somewhere else to host. I'm using <a href="https://www.vultr.com/?ref=8732849">Vultr</a> (also an affiliate link). - <ul> +<li>A domain name. Got mine on <a href="https://www.epik.com/?affid=da5ne9ru4">Epik</a> (affiliate link, btw).<ul> +<li>Later we’ll be adding some <strong>MX</strong> and <strong>TXT</strong> records.</li> +<li>You also need a <strong>CNAME</strong> for “mail” and (optionally) “www.mail”, or whatever you want to call the sub-domains (although the <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a> states that it NEEDS to be an <strong>A</strong> record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on <code>nginx</code> and <code>certbot</code>) with <code>certbot</code> (just create a <code>mail.conf</code> for <code>nginx</code>, similar to how we created it in the website entry).</li> +</ul> +</li> +<li>A VPS or somewhere else to host. I’m using <a href="https://www.vultr.com/?ref=8732849">Vultr</a> (also an affiliate link).<ul> <li><code>ssh</code> configured.</li> <li>Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall (I use <code>ufw</code>).</li> <li>With <code>nginx</code> and <code>certbot</code> setup and running.</li> -</ul></li> </ul> - -<h2>Postfix</h2> - -<p><a href="https://wiki.archlinux.org/index.php/Postfix">Postfix</a> is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.</p> - +</li> +</ul> +<h2 id="postfix">Postfix</h2> +<p><a href="https://wiki.archlinux.org/index.php/Postfix">Postfix</a> is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.</p> <p>Install the <code>postfix</code> package:</p> - <pre><code class="language-sh">pacman -S postfix </code></pre> - -<p>We have two main files to configure (inside <code>/etc/postfix</code>): <code>master.cf</code> (<a href="https://man.archlinux.org/man/master.5">master(5)</a>) and <code>main.cf</code> (<a href="https://man.archlinux.org/man/postconf.5">postconf(5)</a>). We're going to edit <code>main.cf</code> first either by using the command <code>postconf -e 'setting'</code> or by editing the file itself (I prefer to edit the file).</p> - -<p>Note that the default file itself has a lot of comments with description on what each thing does (or you can look up the manual, linked above), I used what Luke's script did plus some other settings that worked for me.</p> - +<p>We have two main files to configure (inside <code>/etc/postfix</code>): <code>master.cf</code> (<a href="https://man.archlinux.org/man/master.5">master(5)</a>) and <code>main.cf</code> (<a href="https://man.archlinux.org/man/postconf.5">postconf(5)</a>). We’re going to edit <code>main.cf</code> first either by using the command <code>postconf -e 'setting'</code> or by editing the file itself (I prefer to edit the file).</p> +<p>Note that the default file itself has a lot of comments with description on what each thing does (or you can look up the manual, linked above), I used what Luke’s script did plus some other settings that worked for me.</p> <p>Now, first locate where your website cert is, mine is at the default location <code>/etc/letsencrypt/live/</code>, so my <code>certdir</code> is <code>/etc/letsencrypt/live/luevano.xyz</code>. Given this information, change <code>{yourcertdir}</code> on the corresponding lines. The configuration described below has to be appended in the <code>main.cf</code> configuration file.</p> - <p>Certificates and ciphers to use for authentication and security:</p> - <pre><code class="language-apache">smtpd_tls_key_file = {yourcertdir}/privkey.pem smtpd_tls_cert_file = {yourcertdir}/fullchain.pem smtpd_use_tls = yes @@ -127,23 +110,17 @@ smtpd_tls_CApath = /etc/ssl/certs smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_unauth_destination </code></pre> - <p>Also, for the <em>connection</em> with <code>dovecot</code>, append the next few lines (telling postfix that <code>dovecot</code> will use user/password for authentication):</p> - <pre><code class="language-apache">smtpd_sasl_auth_enable = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous </code></pre> - -<p>Specify the mailbox home (this is going to be a directory inside your user's home):</p> - +<p>Specify the mailbox home (this is going to be a directory inside your user’s home):</p> <pre><code class="language-apache">home_mailbox = Mail/Inbox/ </code></pre> - <p>Pre-configuration to work seamlessly with <code>dovecot</code> and <code>opendkim</code>:</p> - <pre><code class="language-apache">myhostname = {yourdomainname} mydomain = localdomain mydestination = $myhostname, localhost.$mydomain, localhost @@ -154,26 +131,17 @@ smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = inet:127.0.0.1:8891 mailbox_command = /usr/lib/dovecot/deliver </code></pre> - <p>Where <code>{yourdomainname}</code> is <code>luevano.xyz</code> in my case, or if you have <code>localhost</code> configured to your domain, then use <code>localhost</code> for <code>myhostname</code> (<code>myhostname = localhost</code>).</p> - -<p>Lastly, if you don't want the sender's IP and user agent (application used to send the mail), add the following line:</p> - +<p>Lastly, if you don’t want the sender’s IP and user agent (application used to send the mail), add the following line:</p> <pre><code class="language-apache">smtp_header_checks = regexp:/etc/postfix/smtp_header_checks </code></pre> - <p>And create the <code>/etc/postfix/smtp_header_checks</code> file with the following content:</p> - <pre><code class="language-coffee">/^Received: .*/ IGNORE /^User-Agent: .*/ IGNORE </code></pre> - -<p>That's it for <code>main.cf</code>, now we have to configure <code>master.cf</code>. This one is a bit more tricky.</p> - -<p>First look up lines (they're uncommented) <code>smtp inet n - n - - smtpd</code>, <code>smtp unix - - n - - smtp</code> and <code>-o syslog_name=postfix/$service_name</code> and either delete or uncomment them… or just run <code>sed -i "/^\s*-o/d;/^\s*submission/d;/\s*smtp/d" /etc/postfix/master.cf</code> as stated in Luke's script.</p> - +<p>That’s it for <code>main.cf</code>, now we have to configure <code>master.cf</code>. This one is a bit more tricky.</p> +<p>First look up lines (they’re uncommented) <code>smtp inet n - n - - smtpd</code>, <code>smtp unix - - n - - smtp</code> and <code>-o syslog_name=postfix/$service_name</code> and either delete or uncomment them… or just run <code>sed -i "/^\s*-o/d;/^\s*submission/d;/\s*smtp/d" /etc/postfix/master.cf</code> as stated in Luke’s script.</p> <p>Lastly, append the following lines to complete postfix setup and pre-configure for <code>spamassassin</code>.</p> - <pre><code class="language-txt">smtp unix - - n - - smtp smtp inet n - y - - smtpd -o content_filter=spamassassin @@ -189,65 +157,46 @@ smtps inet n - y - - smtpd spamassassin unix - n n - - pipe user=spamd argv=/usr/bin/vendor_perl/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient} </code></pre> - <p>Now, I ran into some problems with postfix, one being <a href="https://www.faqforge.com/linux/fix-for-opensuse-error-postfixmaster-fatal-0-0-0-0smtps-servname-not-supported-for-ai_socktype/">smtps: Servname not supported for ai_socktype</a>, to fix it, as <em>Till</em> posted in that site, edit <code>/etc/services</code> and add:</p> - <pre><code class="language-apache">smtps 465/tcp smtps 465/udp </code></pre> - -<p>Before starting the <code>postfix</code> service, you need to run <code>newaliases</code> first (but you can do a bit of configuration beforehand). Edit the file <code>/etc/postfix/aliases</code> and edit accordingly. I only change the <code>root: you</code> line (where <code>you</code> is the account that will be receiving “root” mail). Check the Arch Wiki for more info and other alternatives/options. After you're done, run:</p> - +<p>Before starting the <code>postfix</code> service, you need to run <code>newaliases</code> first (but you can do a bit of configuration beforehand). Edit the file <code>/etc/postfix/aliases</code> and edit accordingly. I only change the <code>root: you</code> line (where <code>you</code> is the account that will be receiving “root” mail). Check the Arch Wiki for more info and other alternatives/options. After you’re done, run:</p> <pre><code class="language-sh">postalias /etc/postfix/aliases newaliases </code></pre> - -<p>At this point you're done configuring <code>postfix</code> and you can already start/enable the <code>postfix</code> service:</p> - +<p>At this point you’re done configuring <code>postfix</code> and you can already start/enable the <code>postfix</code> service:</p> <pre><code class="language-sh">systemctl start postfix.service systemctl enable postfix.service </code></pre> - -<h2>Dovecot</h2> - +<h2 id="dovecot">Dovecot</h2> <p><a href="https://wiki.archlinux.org/index.php/Dovecot">Dovecot</a> is an IMAP and POP3 server, which is what lets an email application retrieve the mail.</p> - <p>Install the <code>dovecot</code> and <code>pigeonhole</code> (sieve for <code>dovecot</code>) packages:</p> - <pre><code class="language-sh">pacman -S dovecot pigeonhole </code></pre> - <p>On arch, by default, there is no <code>/etc/dovecot</code> directory with default configurations set in place, but the package does provide the example configuration files. Create the <code>dovecot</code> directory under <code>/etc</code> and, optionally, copy the <code>dovecot.conf</code> file and <code>conf.d</code> directory under the just created <code>dovecot</code> directory:</p> - <pre><code class="language-sh">mkdir /etc/dovecot cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot </code></pre> - -<p>As Luke stated, <code>dovecot</code> comes with a lot of “modules” (under <code>/etc/dovecot/conf.d/</code> if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edits/creates the whole <code>dovecot.conf</code> file; although, I would like to check each of the separate configuration files <code>dovecot</code> provides I think the options Luke provides are more than good enough.</p> - -<p>I'm working with an empty <code>dovecot.conf</code> file. Add the following lines for SSL and login configuration (also replace <code>{yourcertdir}</code> with the same certificate directory described in the Postfix section above, note that the <code><</code> is required):</p> - +<p>As Luke stated, <code>dovecot</code> comes with a lot of “modules” (under <code>/etc/dovecot/conf.d/</code> if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edits/creates the whole <code>dovecot.conf</code> file; although, I would like to check each of the separate configuration files <code>dovecot</code> provides I think the options Luke provides are more than good enough.</p> +<p>I’m working with an empty <code>dovecot.conf</code> file. Add the following lines for SSL and login configuration (also replace <code>{yourcertdir}</code> with the same certificate directory described in the Postfix section above, note that the <code><</code> is required):</p> <pre><code class="language-apache">ssl = required -ssl_cert = <{yourcertdir}/fullchain.pem -ssl_key = <{yourcertdir}/privkey.pem +ssl_cert = <{yourcertdir}/fullchain.pem +ssl_key = <{yourcertdir}/privkey.pem ssl_min_protocol = TLSv1.2 ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH ssl_prefer_server_ciphers = yes -ssl_dh = </etc/dovecot/dh.pem +ssl_dh = </etc/dovecot/dh.pem auth_mechanisms = plain login auth_username_format = %n protocols = $protocols imap </code></pre> - -<p>You may notice we specify a file we don't have under <code>/etc/dovecot</code>: <code>dh.pem</code>. We need to create it with <code>openssl</code> (you should already have it installed if you've been following this entry and the one for <code>nginx</code>). Just run (might take a few minutes):</p> - +<p>You may notice we specify a file we don’t have under <code>/etc/dovecot</code>: <code>dh.pem</code>. We need to create it with <code>openssl</code> (you should already have it installed if you’ve been following this entry and the one for <code>nginx</code>). Just run (might take a few minutes):</p> <pre><code class="language-sh">openssl dhparam -out /etc/dovecot/dh.pem 4096 </code></pre> - -<p>After that, the next lines define what a “valid user is” (really just sets the database for users and passwords to be the local users with their password):</p> - +<p>After that, the next lines define what a “valid user is” (really just sets the database for users and passwords to be the local users with their password):</p> <pre><code class="language-apache">userdb { driver = passwd } @@ -256,9 +205,7 @@ passdb { driver = pam } </code></pre> - <p>Next, comes the mail directory structure (has to match the one described in the Postfix section). Here, the <code>LAYOUT</code> option is important so the boxes are <code>.Sent</code> instead of <code>Sent</code>. Add the next lines (plus any you like):</p> - <pre><code class="language-apache">mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs namespace inbox { inbox = yes @@ -288,9 +235,7 @@ namespace inbox { } } </code></pre> - -<p>Also include this so Postfix can use Dovecot's authentication system:</p> - +<p>Also include this so Postfix can use Dovecot’s authentication system:</p> <pre><code class="language-apache">service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 @@ -299,9 +244,7 @@ namespace inbox { } } </code></pre> - <p>Lastly (for <code>dovecot</code> at least), the plugin configuration for <code>sieve</code> (<code>pigeonhole</code>):</p> - <pre><code class="language-apache">protocol lda { mail_plugins = $mail_plugins sieve } @@ -316,81 +259,52 @@ plugin { sieve_dir = ~/.sieve sieve_global_dir = /var/lib/dovecot/sieve/ </code></pre> - -<p>Where <code>/var/lib/dovecot/sieve/default.sieve</code> doesn't exist yet. Create the folders:</p> - +<p>Where <code>/var/lib/dovecot/sieve/default.sieve</code> doesn’t exist yet. Create the folders:</p> <pre><code class="language-sh">mkdir -p /var/lib/dovecot/sieve </code></pre> - <p>And create the file <code>default.sieve</code> inside that just created folder with the content:</p> - -<pre><code class="language-nginx">require ["fileinto", "mailbox"]; -if header :contains "X-Spam-Flag" "YES" { - fileinto "Junk"; +<pre><code class="language-nginx">require ["fileinto", "mailbox"]; +if header :contains "X-Spam-Flag" "YES" { + fileinto "Junk"; } </code></pre> - -<p>Now, if you don't have a <code>vmail</code> (virtual mail) user, create one and change the ownership of the <code>/var/lib/dovecot</code> directory to this user:</p> - -<pre><code class="language-sh">grep -q "^vmail:" /etc/passwd || useradd -m vmail -s /usr/bin/nologin +<p>Now, if you don’t have a <code>vmail</code> (virtual mail) user, create one and change the ownership of the <code>/var/lib/dovecot</code> directory to this user:</p> +<pre><code class="language-sh">grep -q "^vmail:" /etc/passwd || useradd -m vmail -s /usr/bin/nologin chown -R vmail:vmail /var/lib/dovecot </code></pre> - <p>Note that I also changed the shell for <code>vmail</code> to be <code>/usr/bin/nologin</code>. After that, run:</p> - <pre><code class="language-sh">sievec /var/lib/dovecot/sieve/default.sieve </code></pre> - <p>To compile the configuration file (a <code>default.svbin</code> file will be created next to <code>default.sieve</code>).</p> - -<p>Next, add the following lines to <code>/etc/pam.d/dovecot</code> if not already present (shouldn't be there if you've been following these notes):</p> - +<p>Next, add the following lines to <code>/etc/pam.d/dovecot</code> if not already present (shouldn’t be there if you’ve been following these notes):</p> <pre><code class="language-txt">auth required pam_unix.so nullok account required pam_unix.so </code></pre> - -<p>That's it for <code>dovecot</code>, at this point you can start/enable the <code>dovecot</code> service:</p> - +<p>That’s it for <code>dovecot</code>, at this point you can start/enable the <code>dovecot</code> service:</p> <pre><code class="language-sh">systemctl start dovecot.service systemctl enable dovecot.service </code></pre> - -<h1>OpenDKIM</h1> - -<p><a href="https://wiki.archlinux.org/index.php/OpenDKIM">OpenDKIM</a> is needed so services like G**gle (we don't mention that name here [[[this is a meme]]]) don't throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.</p> - +<h1 id="opendkim">OpenDKIM</h1> +<p><a href="https://wiki.archlinux.org/index.php/OpenDKIM">OpenDKIM</a> is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.</p> <p>Install the <code>opendkim</code> package:</p> - <pre><code class="language-sh">pacman -S opendkim </code></pre> - <p>Generate the keys for your domain:</p> - <pre><code class="language-sh">opendkim-genkey -D /etc/opendkim -d {yourdomain} -s {yoursubdomain} -r -b 2048 </code></pre> - -<p>Where you need to change <code>{yourdomain}</code> and <code>{yoursubdomain}</code> (doesn't really need to be the sub-domain, could be anything that describes your key) accordingly, for me it's <code>luevano.xyz</code> and <code>mail</code>, respectively. After that, we need to create some files inside the <code>/etc/opendkim</code> directory. First, create the file <code>KeyTable</code> with the content:</p> - +<p>Where you need to change <code>{yourdomain}</code> and <code>{yoursubdomain}</code> (doesn’t really need to be the sub-domain, could be anything that describes your key) accordingly, for me it’s <code>luevano.xyz</code> and <code>mail</code>, respectively. After that, we need to create some files inside the <code>/etc/opendkim</code> directory. First, create the file <code>KeyTable</code> with the content:</p> <pre><code class="language-txt">{yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private </code></pre> - <p>So, for me it would be:</p> - <pre><code class="language-txt">mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private </code></pre> - <p>Next, create the file <code>SigningTable</code> with the content:</p> - <pre><code class="language-txt">*@{yourdomain} {yoursubdomain}._domainkey.{yourdomain} </code></pre> - <p>Again, for me it would be:</p> - <pre><code class="language-txt">*@luevano.xyz mail._domainkey.luevano.xyz </code></pre> - <p>And, lastly create the file <code>TrustedHosts</code> with the content:</p> - <pre><code class="language-txt">127.0.0.1 ::1 10.1.0.0/16 @@ -399,11 +313,8 @@ localhost {yourserverip} ... </code></pre> - <p>And more, make sure to include your server IP and something like <code>subdomain.domainname</code>.</p> - -<p>Next, edit <code>/etc/opendkim/opendkim.conf</code> to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at <code>/usr/share/doc/opendkim/opendkim.conf.sample</code>, but I'm creating a blank one with the contents:</p> - +<p>Next, edit <code>/etc/opendkim/opendkim.conf</code> to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at <code>/usr/share/doc/opendkim/opendkim.conf.sample</code>, but I’m creating a blank one with the contents:</p> <pre><code class="language-apache">Domain {yourdomain} Selector {yoursubdomain} @@ -413,67 +324,49 @@ UserID opendkim KeyFile /etc/opendkim/{yoursubdomain}.private Socket inet:8891@localhost </code></pre> - <p>Now, change the permissions for all the files inside <code>/etc/opendkim</code>:</p> - <pre><code class="language-sh">chown -R root:opendkim /etc/opendkim chmod g+r /etc/postfix/dkim/* </code></pre> - -<p>I'm using <code>root:opendkim</code> so <code>opendkim</code> doesn't complain about the <code>{yoursubdomani}.private</code> being insecure (you can change that by using the option <code>RequireSafeKeys False</code> in the <code>opendkim.conf</code> file, as stated <a href="http://lists.opendkim.org/archive/opendkim/users/2014/12/3331.html">here</a>).</p> - -<p>That's it for the general configuration, but you could go more in depth and be more secure with some extra configuration as described in the <a href="https://wiki.archlinux.org/index.php/OpenDKIM#Security">Arch Wiki entry for OpenDKIM</a>.</p> - +<p>I’m using <code>root:opendkim</code> so <code>opendkim</code> doesn’t complain about the <code>{yoursubdomani}.private</code> being insecure (you can change that by using the option <code>RequireSafeKeys False</code> in the <code>opendkim.conf</code> file, as stated <a href="http://lists.opendkim.org/archive/opendkim/users/2014/12/3331.html">here</a>).</p> +<p>That’s it for the general configuration, but you could go more in depth and be more secure with some extra configuration as described in the <a href="https://wiki.archlinux.org/index.php/OpenDKIM#Security">Arch Wiki entry for OpenDKIM</a>.</p> <p>Now, just start/enable the <code>opendkim</code> service:</p> - <pre><code class="language-sh">systemctl start opendkim.service systemctl enable opendkim.service </code></pre> - -<p>And don't forget to add the following <strong>TXT</strong> records on your domain registrar (these examples are for Epik):</p> - -<ol start="1"> +<p>And don’t forget to add the following <strong>TXT</strong> records on your domain registrar (these examples are for Epik):</p> +<ol> <li><em>DKIM</em> entry: look up your <code>{yoursubdomain}.txt</code> file, it should look something like:</li> </ol> - -<pre><code class="language-txt">{yoursubdomain}._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " - "p=..." - "..." ) ; ----- DKIM key mail for {yourdomain} +<pre><code class="language-txt">{yoursubdomain}._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " + "p=..." + "..." ) ; ----- DKIM key mail for {yourdomain} </code></pre> - -<p>In the TXT record you will place <code>{yoursubdomain}._domainkey</code> as the “Host” and <code>"v=DKIM1; k=rsa; s=email; " "p=..." "..."</code> in the “TXT Value” (replace the dots with the actual value you see in your file).</p> - +<p>In the TXT record you will place <code>{yoursubdomain}._domainkey</code> as the “Host” and <code>"v=DKIM1; k=rsa; s=email; " "p=..." "..."</code> in the “TXT Value” (replace the dots with the actual value you see in your file).</p> <ol start="2"> -<li><p><em>DMARC</em> entry: just <code>_dmarc.{yourdomain}</code> as the “Host” and <code>"v=DMARC1; p=reject; rua=mailto:dmarc@{yourdomain}; fo=1"</code> as the “TXT Value”.</p></li> -<li><p><em>SPF</em> entry: just <code>@</code> as the “Host” and <code>"v=spf1 mx a:{yoursubdomain}.{yourdomain} - all"</code> as the “TXT Value”.</p></li> +<li> +<p><em>DMARC</em> entry: just <code>_dmarc.{yourdomain}</code> as the “Host” and <code>"v=DMARC1; p=reject; rua=mailto:dmarc@{yourdomain}; fo=1"</code> as the “TXT Value”.</p> +</li> +<li> +<p><em>SPF</em> entry: just <code>@</code> as the “Host” and <code>"v=spf1 mx a:{yoursubdomain}.{yourdomain} - all"</code> as the “TXT Value”.</p> +</li> </ol> - -<p>And at this point you could test your mail for spoofing and more, but you don't know -yet- how to login (it's really easy, but I'm gonna state that at the end of this entry).</p> - -<h2>SpamAssassin</h2> - +<p>And at this point you could test your mail for spoofing and more, but you don’t know -yet- how to login (it’s really easy, but I’m gonna state that at the end of this entry).</p> +<h2 id="spamassassin">SpamAssassin</h2> <p><a href="https://wiki.archlinux.org/index.php/SpamAssassin">SpamAssassin</a> is just <em>a mail filter to identify spam</em>.</p> - -<p>Install the <code>spamassassin</code> package (which will install a bunch of ugly <code>perl</code> packages…):</p> - +<p>Install the <code>spamassassin</code> package (which will install a bunch of ugly <code>perl</code> packages…):</p> <pre><code class="language-sh">pacman -S spamassassin </code></pre> - <p>For some reason, the permissions on all <code>spamassassin</code> stuff are all over the place. First, change owner of the executables, and directories:</p> - <pre><code class="language-sh">chown spamd:spamd /usr/bin/vendor_perl/sa-* chown spamd:spamd /usr/bin/vendor_perl/spam* chwown -R spamd:spamd /etc/mail/spamassassin </code></pre> - <p>Then, you can edit <code>local.cf</code> (located in <code>/etc/mail/spamassassin</code>) to fit your needs (I only uncommented the <code>rewrite_header Subject ...</code> line). And then you can run the following command to update the patterns and compile them:</p> - <pre><code class="language-sh">sudo -u spamd sa-update sudo -u spamd sa-compile </code></pre> - <p>And since this should be run periodically, create the service <code>spamassassin-update.service</code> under <code>/etc/systemd/system</code> with the following content:</p> - <pre><code class="language-ini">[Unit] Description=SpamAssassin housekeeping After=network.target @@ -488,9 +381,7 @@ SuccessExitStatus=1 ExecStart=/usr/bin/vendor_perl/sa-compile ExecStart=/usr/bin/systemctl -q --no-block try-restart spamassassin.service </code></pre> - -<p>And you could also execute <code>sa-learn</code> to train <code>spamassassin</code>'s bayes filter, but this works for me. Then create the timer <code>spamassassin-update.timer</code> under the same directory, with the content:</p> - +<p>And you could also execute <code>sa-learn</code> to train <code>spamassassin</code>‘s bayes filter, but this works for me. Then create the timer <code>spamassassin-update.timer</code> under the same directory, with the content:</p> <pre><code class="language-ini">[Unit] Description=SpamAssassin housekeeping @@ -501,34 +392,23 @@ Persistent=true [Install] WantedBy=timers.target </code></pre> - <p>You can now start/enable the <code>spamassassin-update</code> timer:</p> - <pre><code class="language-sh">systemctl start spamassassin-update.timer systemctl enable spamassassin-update.timer </code></pre> - -<p>Next, you may want to edit the <code>spamassassin</code> service before starting and enabling it, because by default, it could <a href="https://rimuhosting.com/howto/memory.jsp">spawn a lot of “childs”</a> eating a lot of resources and you really only need one child. Append <code>--max-children=1</code> to the line <code>ExecStart=...</code> in <code>/usr/bin/systemd/system/spamassassin.service</code>:</p> - +<p>Next, you may want to edit the <code>spamassassin</code> service before starting and enabling it, because by default, it could <a href="https://rimuhosting.com/howto/memory.jsp">spawn a lot of “childs”</a> eating a lot of resources and you really only need one child. Append <code>--max-children=1</code> to the line <code>ExecStart=...</code> in <code>/usr/bin/systemd/system/spamassassin.service</code>:</p> <pre><code class="language-ini">... ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/spamd.sock --listen=localhost --max-children=1 ... </code></pre> - <p>Finally, start and enable the <code>spamassassin</code> service:</p> - <pre><code class="language-sh">systemctl start spamassassin.service systemctl enable spamassassin.service </code></pre> - -<h2>Wrapping up</h2> - +<h2 id="wrapping-up">Wrapping up</h2> <p>We should have a working mail server by now. Before continuing check your journal logs (<code>journalctl -xe --unit={unit}</code>, where <code>{unit}</code> could be <code>spamassassin.service</code>for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked <em>(((it just werks on my machine)))</em>.</p> - -<p>Now, to actually use the mail service: first of all, you need a <em>normal</em> account (don't use root) that belongs to the <code>mail</code> group (<code>gpasswd -a user group</code> to add a user <code>user</code> to group <code>group</code>) and that has a password.</p> - -<p>Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for <code>thunderdbird</code>(I tested in windows default mail app and you don't need a lot of settings):</p> - +<p>Now, to actually use the mail service: first of all, you need a <em>normal</em> account (don’t use root) that belongs to the <code>mail</code> group (<code>gpasswd -a user group</code> to add a user <code>user</code> to group <code>group</code>) and that has a password.</p> +<p>Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for <code>thunderdbird</code>(I tested in windows default mail app and you don’t need a lot of settings):</p> <ul> <li>* server: subdomain.domain (mail.luevano.xyz in my case)</li> <li><strong>SMTP</strong> port: 587</li> @@ -540,19 +420,13 @@ systemctl enable spamassassin.service <li>Username: just your <code>user</code>, not the whole email (<code>david</code> in my case)</li> <li>Password: your <code>user</code> password (as in the password you use to login to the server with that user)</li> </ul> - -<p>All that's left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to <a href="https://www.appmaildev.com/en/dkim">DKIM Test</a> and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:</p> - -<p><img src="https://static.luevano.xyz/images/b/notes/mail/dkim_test_successful.png" alt="DKIM Test successful" /></p> - -<p>(Yes, I blurred a lot in the picture just to be sure, either way what's important is the list on the bottom part of the image)</p> - -<p>Finally, that's actually it for this entry, if you have any problem whatsoever you have my info down below.</p> - -<div class=timestamp> -<hr> -<p>Created: Sat, Mar 20, 2021 @ 02:54 MST; modified: Sat, Mar 20, 2021 @ 21:05 MST</p> -</div> +<p>All that’s left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to <a href="https://www.appmaildev.com/en/dkim">DKIM Test</a> and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:</p> +<p><img alt="DKIM Test successful" src="https://static.luevano.xyz/images/b/notes/mail/dkim_test_successful.png"></p> +<p>(Yes, I blurred a lot in the picture just to be sure, either way what’s important is the list on the bottom part of the image)</p> +<p>Finally, that’s actually it for this entry, if you have any problem whatsoever you have my info down below.</p> <p>Tags: +<a href="https://blog.luevano.xyz/tag/@english.html">english</a>, <a href="https://blog.luevano.xyz/tag/@mail.html">mail</a>, <a href="https://blog.luevano.xyz/tag/@server.html">server</a>, <a href="https://blog.luevano.xyz/tag/@tools.html">tools</a>, <a href="https://blog.luevano.xyz/tag/@tutorial.html">tutorial</a></p> +<p>By: David Luévano</p> +<p>Created: Sun, 21 Mar, 2021 @ 04:05 UTC, edited: Mon, 17 May, 2021 @ 21:04 UTC</p> </main> <footer> @@ -571,7 +445,7 @@ systemctl enable spamassassin.service <br> <i class="fas fa-donate" alt="Donate"></i> - <a href="https://luevano.xyz/donate">Donate</a> + <a href="https://luevano.xyz/donate.html">Donate</a> <a href="https://paypal.me/dlvna"><i class="fab fa-paypal" alt="Paypal"></i></a> </footer> </body> |