diff options
Diffstat (limited to 'live/blog/a/mail_server_with_postfix.html')
-rw-r--r-- | live/blog/a/mail_server_with_postfix.html | 70 |
1 files changed, 48 insertions, 22 deletions
diff --git a/live/blog/a/mail_server_with_postfix.html b/live/blog/a/mail_server_with_postfix.html index c8acc43..95003e5 100644 --- a/live/blog/a/mail_server_with_postfix.html +++ b/live/blog/a/mail_server_with_postfix.html @@ -16,14 +16,21 @@ <!-- theme related --> <script type="text/javascript" src="https://static.luevano.xyz/scripts/theme.js"></script> <link id="theme-css" rel="stylesheet" type="text/css" href="https://static.luevano.xyz/css/theme.css"> + <!-- misc functions--> + <script type="text/javascript" src="https://static.luevano.xyz/scripts/return_top.js"></script> <!-- extra --> -<!-- highlight support for code blocks --> + <!-- highlight support for code blocks --> <script type="text/javascript" src="https://static.luevano.xyz/hl/highlight.min.js"></script> <script type="text/javascript"> hljs.initHighlightingOnLoad(); </script> <link id="code-theme-css" rel="stylesheet" type="text/css" href="https://static.luevano.xyz/hl/styles/nord.min.css"> + + + + + <!-- og meta --> <meta property="og:title" content="Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM -- Luevano's Blog"/> <meta property="og:type" content="article"/> @@ -73,18 +80,38 @@ </header> <main> + <div class="return-top"> + <button class="return-top" onclick="returnTop()" id="returnTopButton"> + <i class="fas fa-arrow-up" alt="Return to top"></i> + </button> + </div> <h1>Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</h1> - <p>The entry is going to be long because it’s a <em>tedious</em> process. This is also based on <a href="https://github.com/LukeSmithxyz/emailwiz">Luke Smith’s script</a>, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I’m in the process of installing/configuring the mail server on a new VPS of mine; also I’m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted <a href="https://git.luevano.xyz/server_scripts.git">here</a>.</p> -<p>This configuration works for local users (users that appear in <code>/etc/passwd</code>), and does not use any type of SQL Database. And note that most if not all commands executed here are run with root privileges.</p> -<h3 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">¶</a></h3> + <p>The entry is going to be long because it’s a <em>tedious</em> process. This is also based on <a href="https://github.com/LukeSmithxyz/emailwiz">Luke Smith’s script</a>, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I’m in the process of installing/configuring the mail server on a new VPS of mine; <del>also I’m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted <a href="https://git.luevano.xyz/server_scripts.git">here</a>.</del> <ins>I haven’t had time to do the script so nevermind this, if I ever do it I’ll make a new entry regarding it.</ins></p> +<p>This configuration works for local users (users that appear in <code>/etc/passwd</code>), and does not use any type of SQL database. And note that most if not all commands executed here are run with root privileges, unless stated otherwise.</p> +<h2 id="table-of-contents">Table of contents<a class="headerlink" href="#table-of-contents" title="Permanent link">¶</a></h2> +<div class="toc"> +<ul> +<li><a href="#table-of-contents">Table of contents</a></li> +<li><a href="#prerequisites">Prerequisites</a></li> +<li><a href="#postfix">Postfix</a></li> +<li><a href="#dovecot">Dovecot</a></li> +<li><a href="#opendkim">OpenDKIM</a><ul> +<li><a href="#opendkim-dns-txt-records">OpenDKIM DNS TXT records</a></li> +</ul> +</li> +<li><a href="#spamassassin">SpamAssassin</a></li> +<li><a href="#wrapping-up">Wrapping up</a></li> +</ul> +</div> +<h2 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">¶</a></h2> <p>Basically the same as with the <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website with Nginx and Certbot</a>, with the extras:</p> <ul> <li>You will need a <strong>CNAME</strong> for “mail” and (optionally) “www.mail”, or whatever you want to call the sub-domains (although the <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a> states that it NEEDS to be an <strong>A</strong> record, fuck the police).</li> <li>An SSL certificate. You can use the SSL certificate obtained following my last post using <code>certbot</code> (just create a <code>mail.conf</code> and run <code>certbot --nginx</code> again).</li> -<li>Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall.</li> +<li>Ports <code>25</code>, <code>587</code> (SMTP), <code>465</code> (SMTPS), <code>143</code> (IMAP) and <code>993</code> (IMAPS) open on the firewall (I use <code>ufw</code>).</li> </ul> -<h3 id="postfix">Postfix<a class="headerlink" href="#postfix" title="Permanent link">¶</a></h3> +<h2 id="postfix">Postfix<a class="headerlink" href="#postfix" title="Permanent link">¶</a></h2> <p><a href="https://wiki.archlinux.org/title/postfix">Postfix</a> is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.</p> <p>Install the <code>postfix</code> package:</p> <pre><code class="language-sh">pacman -S postfix @@ -121,7 +148,7 @@ smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous </code></pre> -<p>Specify the mailbox home (this is going to be a directory inside your user’s home containing the actual mail files):</p> +<p>Specify the mailbox home, this is going to be a directory inside your user’s home containing the actual mail files, for example it will end up being<code>/home/david/Mail/Inbox</code>:</p> <pre><code class="language-apache">home_mailbox = Mail/Inbox/ </code></pre> <p>Pre-configuration to work seamlessly with <code>dovecot</code> and <code>opendkim</code>:</p> @@ -135,8 +162,7 @@ smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = inet:127.0.0.1:8891 mailbox_command = /usr/lib/dovecot/deliver </code></pre> -<p>Where <code>{yourdomainname}</code> is <code>luevano.xyz</code> in my case, or if you have <code>localhost</code> configured to your domain, then use <code>localhost</code> for <code>myhostname</code> (<code>myhostname = localhost</code>).</p> -<p>Lastly, if you don’t want the sender’s IP and user agent (application used to send the mail), add the following line:</p> +<p>Where <code>{yourdomainname}</code> is <code>luevano.xyz</code> in my case. Lastly, if you don’t want the sender’s IP and user agent (application used to send the mail), add the following line:</p> <pre><code class="language-apache">smtp_header_checks = regexp:/etc/postfix/smtp_header_checks </code></pre> <p>And create the <code>/etc/postfix/smtp_header_checks</code> file with the following content:</p> @@ -173,7 +199,7 @@ newaliases <pre><code class="language-sh">systemctl start postfix.service systemctl enable postfix.service </code></pre> -<h3 id="dovecot">Dovecot<a class="headerlink" href="#dovecot" title="Permanent link">¶</a></h3> +<h2 id="dovecot">Dovecot<a class="headerlink" href="#dovecot" title="Permanent link">¶</a></h2> <p><a href="https://wiki.archlinux.org/title/Dovecot">Dovecot</a> is an IMAP and POP3 server, which is what lets an email application retrieve the mail.</p> <p>Install the <code>dovecot</code> and <code>pigeonhole</code> (sieve for <code>dovecot</code>) packages:</p> <pre><code class="language-sh">pacman -S dovecot pigeonhole @@ -288,8 +314,8 @@ account required pam_unix.so <pre><code class="language-sh">systemctl start dovecot.service systemctl enable dovecot.service </code></pre> -<h3 id="opendkim">OpenDKIM<a class="headerlink" href="#opendkim" title="Permanent link">¶</a></h3> -<p><a href="https://wiki.archlinux.org/title/OpenDKIM">OpenDKIM</a> is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.</p> +<h2 id="opendkim">OpenDKIM<a class="headerlink" href="#opendkim" title="Permanent link">¶</a></h2> +<p><a href="https://wiki.archlinux.org/title/OpenDKIM">OpenDKIM</a> is needed so services like G**gle don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.</p> <p>Install the <code>opendkim</code> package:</p> <pre><code class="language-sh">pacman -S opendkim </code></pre> @@ -338,7 +364,8 @@ chmod g+r /etc/postfix/dkim/* <pre><code class="language-sh">systemctl start opendkim.service systemctl enable opendkim.service </code></pre> -<p>And don’t forget to add the following <strong>TXT</strong> records on your domain registrar (these examples are for Epik):</p> +<h3 id="opendkim-dns-txt-records">OpenDKIM DNS TXT records<a class="headerlink" href="#opendkim-dns-txt-records" title="Permanent link">¶</a></h3> +<p>Add the following <strong>TXT</strong> records on your domain registrar (these examples are for Epik):</p> <ol> <li><em>DKIM</em> entry: look up your <code>{yoursubdomain}.txt</code> file, it should look something like:</li> </ol> @@ -346,7 +373,7 @@ systemctl enable opendkim.service "p=..." "..." ) ; ----- DKIM key mail for {yourdomain} </code></pre> -<p>In the TXT record you will place <code>{yoursubdomain}._domainkey</code> as the “Host” and <code>"v=DKIM1; k=rsa; s=email; " "p=..." "..."</code> in the “TXT Value” (replace the dots with the actual value you see in your file).</p> +<p>In the <strong>TXT</strong> record you will place <code>{yoursubdomain}._domainkey</code> as the “Host” and <code>"v=DKIM1; k=rsa; s=email; " "p=..." "..."</code> in the “TXT Value” (replace the dots with the actual value you see in your file).</p> <ol start="2"> <li> <p><em>DMARC</em> entry: just <code>_dmarc.{yourdomain}</code> as the “Host” and <code>"v=DMARC1; p=reject; rua=mailto:dmarc@{yourdomain}; fo=1"</code> as the “TXT Value”.</p> @@ -356,7 +383,7 @@ systemctl enable opendkim.service </li> </ol> <p>And at this point you could test your mail for spoofing and more.</p> -<h3 id="spamassassin">SpamAssassin<a class="headerlink" href="#spamassassin" title="Permanent link">¶</a></h3> +<h2 id="spamassassin">SpamAssassin<a class="headerlink" href="#spamassassin" title="Permanent link">¶</a></h2> <p><a href="https://wiki.archlinux.org/title/SpamAssassin">SpamAssassin</a> is just <em>a mail filter to identify spam</em>.</p> <p>Install the <code>spamassassin</code> package (which will install a bunch of ugly <code>perl</code> packages…):</p> <pre><code class="language-sh">pacman -S spamassassin @@ -409,10 +436,10 @@ ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/sp <pre><code class="language-sh">systemctl start spamassassin.service systemctl enable spamassassin.service </code></pre> -<h3 id="wrapping-up">Wrapping up<a class="headerlink" href="#wrapping-up" title="Permanent link">¶</a></h3> -<p>We should have a working mail server by now. Before continuing check your journal logs (<code>journalctl -xe --unit={unit}</code>, where <code>{unit}</code> could be <code>spamassassin.service</code> for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked <em>(((it just werks on my machine)))</em>.</p> +<h2 id="wrapping-up">Wrapping up<a class="headerlink" href="#wrapping-up" title="Permanent link">¶</a></h2> +<p>We should have a working mail server by now. Before continuing check your journal logs (<code>journalctl -xe --unit={unit}</code>, where <code>{unit}</code> could be <code>spamassassin.service</code> for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere because all the settings and steps detailed here just worked; I literally just finished doing everything on a new server as of the writing of this text, <mark>it just werks on my machine</mark>.</p> <p>Now, to actually use the mail service: first of all, you need a <em>normal</em> account (don’t use root) that belongs to the <code>mail</code> group (<code>gpasswd -a user group</code> to add a user <code>user</code> to group <code>group</code>) and that has a password.</p> -<p>Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for <code>thunderdbird</code>(I tested in windows default mail app and you don’t need a lot of settings):</p> +<p>Next, to actually login into a mail app/program, you will use the following settings, at least for <code>thunderdbird</code>(I tested in windows default mail app and you don’t need a lot of settings):</p> <ul> <li>* server: subdomain.domain (mail.luevano.xyz in my case)</li> <li><strong>SMTP</strong> port: 587</li> @@ -426,10 +453,9 @@ systemctl enable spamassassin.service </ul> <p>All that’s left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to <a href="https://www.appmaildev.com/en/dkim">DKIM Test</a> and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:</p> <figure id="__yafg-figure-3"> -<img alt="DKIM Test successful" src="images/b/notes/mail/dkim_test_successful.png" title="DKIM Test successful"> +<img alt="DKIM Test successful" src="https://static.luevano.xyz/images/b/notes/mail/dkim_test_successful.png" title="DKIM Test successful"> <figcaption>DKIM Test successful</figcaption> </figure> -<p>Finally, that’s actually it for this entry, if you have any problem whatsoever you can <a href="https://luevano.xyz/contact.html">contact me</a>.</p> <div class="page-nav"> <span class="next"> @@ -459,10 +485,10 @@ systemctl enable spamassassin.service <div class="article-info"> <p>By David LuĂ©vano</p> <p>Created: Sun, Mar 21, 2021 @ 04:05 UTC</p> - <p>Modified: Tue, Jun 08, 2021 @ 07:29 UTC</p> + <p>Modified: Fri, May 05, 2023 @ 08:35 UTC</p> <div class="article-tags"> <p>Tags: -<a href="https://blog.luevano.xyz/tag/@english.html">english</a>, <a href="https://blog.luevano.xyz/tag/@server.html">server</a>, <a href="https://blog.luevano.xyz/tag/@tools.html">tools</a>, <a href="https://blog.luevano.xyz/tag/@tutorial.html">tutorial</a> </p> +<a href="https://blog.luevano.xyz/tag/@code.html">code</a>, <a href="https://blog.luevano.xyz/tag/@english.html">english</a>, <a href="https://blog.luevano.xyz/tag/@server.html">server</a>, <a href="https://blog.luevano.xyz/tag/@tools.html">tools</a>, <a href="https://blog.luevano.xyz/tag/@tutorial.html">tutorial</a> </p> </div> </div> |