From 70e783628b1bf863da45cc8879b06288a498840b Mon Sep 17 00:00:00 2001 From: David Luevano Alvarado Date: Fri, 5 May 2023 03:16:06 -0600 Subject: update css, make articles more uniform, add toc and add functionality to scroll to the top --- live/blog/a/mail_server_with_postfix.html | 70 +++++++++++++++++++++---------- 1 file changed, 48 insertions(+), 22 deletions(-) (limited to 'live/blog/a/mail_server_with_postfix.html') diff --git a/live/blog/a/mail_server_with_postfix.html b/live/blog/a/mail_server_with_postfix.html index c8acc43..95003e5 100644 --- a/live/blog/a/mail_server_with_postfix.html +++ b/live/blog/a/mail_server_with_postfix.html @@ -16,14 +16,21 @@ + + - + + + + + + @@ -73,18 +80,38 @@
+
+ +

Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM

-

The entry is going to be long because it’s a tedious process. This is also based on Luke Smith’s script, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I’m in the process of installing/configuring the mail server on a new VPS of mine; also I’m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted here.

-

This configuration works for local users (users that appear in /etc/passwd), and does not use any type of SQL Database. And note that most if not all commands executed here are run with root privileges.

-

Prerequisites

+

The entry is going to be long because it’s a tedious process. This is also based on Luke Smith’s script, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I’m in the process of installing/configuring the mail server on a new VPS of mine; also I’m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted here. I haven’t had time to do the script so nevermind this, if I ever do it I’ll make a new entry regarding it.

+

This configuration works for local users (users that appear in /etc/passwd), and does not use any type of SQL database. And note that most if not all commands executed here are run with root privileges, unless stated otherwise.

+

Table of contents

+ +

Prerequisites

Basically the same as with the website with Nginx and Certbot, with the extras:

-

Postfix

+

Postfix

Postfix is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.

Install the postfix package:

pacman -S postfix
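Review bot: the rewritten intro paragraph in this hunk still promises the script ("that will be hosted here") and then retracts it in the same breath ("I haven't had time to do the script so nevermind this"); drop the promise and keep one clear sentence, e.g. "I intended to write a script that does everything in one go for Arch Linux; if I ever do, it will get its own entry." The new "Table of contents" heading is followed by no visible entries in this hunk, so make sure every section heading later in the file carries the anchor the TOC is going to link to.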
@@ -121,7 +148,7 @@ smtpd_sasl_path = private/auth
 smtpd_sasl_security_options = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 
-

Specify the mailbox home (this is going to be a directory inside your user’s home containing the actual mail files):

+

Specify the mailbox home, this is going to be a directory inside your user’s home containing the actual mail files, for example it will end up being/home/david/Mail/Inbox:

home_mailbox = Mail/Inbox/
 

Pre-configuration to work seamlessly with dovecot and opendkim:

@@ -135,8 +162,7 @@ smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = inet:127.0.0.1:8891 mailbox_command = /usr/lib/dovecot/deliver -

Where {yourdomainname} is luevano.xyz in my case, or if you have localhost configured to your domain, then use localhost for myhostname (myhostname = localhost).

-

Lastly, if you don’t want the sender’s IP and user agent (application used to send the mail), add the following line:

+

Where {yourdomainname} is luevano.xyz in my case. Lastly, if you don’t want the sender’s IP and user agent (application used to send the mail), add the following line:

smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
 

And create the /etc/postfix/smtp_header_checks file with the following content:

@@ -173,7 +199,7 @@ newaliases
systemctl start postfix.service
 systemctl enable postfix.service
 
-

Dovecot

+

Dovecot

Dovecot is an IMAP and POP3 server, which is what lets an email application retrieve the mail.

Install the dovecot and pigeonhole (sieve for dovecot) packages:

pacman -S dovecot pigeonhole
@@ -288,8 +314,8 @@ account required pam_unix.so
 
systemctl start dovecot.service
 systemctl enable dovecot.service
 
-

OpenDKIM

-

OpenDKIM is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.

+

OpenDKIM

+

OpenDKIM is needed so services like G**gle don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.

Install the opendkim package:

pacman -S opendkim
 
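Review bot: the rewritten sentence still explains DKIM purely as a deliverability trick ("so services like G**gle don't throw the mail to the trash"); write the provider name plainly and add the one-line mechanism, since the DNS section that follows depends on it: OpenDKIM signs outgoing messages with a private key held on the server, and receivers verify that signature against the public key published as a TXT record under {selector}._domainkey.{yourdomain}. That also makes it obvious why the key must be generated before the DNS records can be added.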
@@ -338,7 +364,8 @@ chmod g+r /etc/postfix/dkim/*
systemctl start opendkim.service
 systemctl enable opendkim.service
 
-

And don’t forget to add the following TXT records on your domain registrar (these examples are for Epik):

+

OpenDKIM DNS TXT records

+

Add the following TXT records on your domain registrar (these examples are for Epik):

  1. DKIM entry: look up your {yoursubdomain}.txt file, it should look something like:
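Review bot: "on your domain registrar" is only correct when the registrar also serves the zone; the records belong wherever the domain's authoritative DNS is hosted, so phrase it as "in your domain's DNS zone (at your registrar or DNS provider)". The context line "chmod g+r /etc/postfix/dkim/*" makes the private signing key group-readable; state which group owns that directory and why it needs read access, so readers do not widen the permissions further when OpenDKIM cannot open the key.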
@@ -346,7 +373,7 @@ systemctl enable opendkim.service "p=..." "..." ) ; ----- DKIM key mail for {yourdomain}
-

In the TXT record you will place {yoursubdomain}._domainkey as the “Host” and "v=DKIM1; k=rsa; s=email; " "p=..." "..." in the “TXT Value” (replace the dots with the actual value you see in your file).

+

In the TXT record you will place {yoursubdomain}._domainkey as the “Host” and "v=DKIM1; k=rsa; s=email; " "p=..." "..." in the “TXT Value” (replace the dots with the actual value you see in your file).

  1. DMARC entry: just _dmarc.{yourdomain} as the “Host” and "v=DMARC1; p=reject; rua=mailto:dmarc@{yourdomain}; fo=1" as the “TXT Value”.

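Review bot: the "TXT Value" shown for the DKIM record, "v=DKIM1; k=rsa; s=email; " "p=..." "...", is the BIND zone-file syntax that opendkim-genkey writes to {yoursubdomain}.txt, where a long value is split into several quoted strings because one string cannot exceed 255 characters; most registrar and DNS provider forms expect a single unquoted string, so tell readers to concatenate the pieces and drop the quotes. For the DMARC record, "p=reject" is the strictest policy; suggest starting with "p=none" until the aggregate reports delivered to rua=mailto:dmarc@{yourdomain} confirm that all legitimate mail passes, and note that the dmarc@ address must actually exist (a local user or alias) or the reports will bounce.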
    @@ -356,7 +383,7 @@ systemctl enable opendkim.service

And at this point you could test your mail for spoofing and more.

-

SpamAssassin

+

SpamAssassin

SpamAssassin is just a mail filter to identify spam.

Install the spamassassin package (which will install a bunch of ugly perl packages…):

pacman -S spamassassin
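Review bot: the context line "And at this point you could test your mail for spoofing and more" sends the reader off to test before SpamAssassin is set up, and the same test is described again under Wrapping up; either drop it here or turn it into a pointer to that section. "SpamAssassin is just a mail filter to identify spam" also undersells what the rest of the section configures: it scores messages and adds X-Spam headers, while filing or rejecting tagged mail is a separate step that the entry should name.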
@@ -409,10 +436,10 @@ ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/sp
 
systemctl start spamassassin.service
 systemctl enable spamassassin.service
 
-

Wrapping up

-

We should have a working mail server by now. Before continuing check your journal logs (journalctl -xe --unit={unit}, where {unit} could be spamassassin.service for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked (((it just werks on my machine))).

+

Wrapping up

+

We should have a working mail server by now. Before continuing check your journal logs (journalctl -xe --unit={unit}, where {unit} could be spamassassin.service for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere because all the settings and steps detailed here just worked; I literally just finished doing everything on a new server as of the writing of this text, it just werks on my machine.

Now, to actually use the mail service: first of all, you need a normal account (don’t use root) that belongs to the mail group (gpasswd -a user group to add a user user to group group) and that has a password.

-

Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for thunderdbird(I tested in windows default mail app and you don’t need a lot of settings):

+

Next, to actually login into a mail app/program, you will use the following settings, at least for thunderdbird(I tested in windows default mail app and you don’t need a lot of settings):

  • * server: subdomain.domain (mail.luevano.xyz in my case)
  • SMTP port: 587
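Review bot: the rewritten sentence at the end of this hunk keeps the typos "thunderdbird" (Thunderbird) and "windows" (Windows), and "login into" should be "log in to". The gpasswd aside, "(gpasswd -a user group to add a user user to group group)", reads as three different words; write it as "gpasswd -a {user} mail" so it matches the mail group named just before it. Since the account must have a password and the settings list "SMTP port: 587", say explicitly that this is the submission port with STARTTLS and an authenticated login, not port 25.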
  • @@ -426,10 +453,9 @@ systemctl enable spamassassin.service

All that’s left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to DKIM Test and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:

-DKIM Test successful +DKIM Test successful
DKIM Test successful
-

Finally, that’s actually it for this entry, if you have any problem whatsoever you can contact me.
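Review bot: "test your mail server for spoofing" describes the wrong check; the DKIM Test page in the context lines verifies that mail you send carries a valid DKIM signature, i.e. that your own mail is authenticated, not that forged mail claiming your domain gets rejected. Phrase it as "test that your outgoing mail is correctly signed" and leave the anti-spoofing claim to the DMARC p=reject policy set in the DNS section. The removed trailing line is fine, but "DKIM Test successful" now appears twice in a row; check that both are intended.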