
Updated: 2023/07/21

Setup DNS Records

MX Record

<domain_name> can be either the main domain (e.g. example.com) or a subdomain (e.g. mail.example.com). Using a subdomain together with an MX record is a better way to manage the web mail server.

# DNS setting example

# A record for subdomain
mail.cocobird.net.      3600    IN      A       <IP>

# MX record for domain (content format: "<priority> <mail_domain>")
# The MX target must be a hostname that has an A/AAAA record of its own —
# not a bare IP address and not a CNAME.
cocobird.net.           3600    IN      MX      10 mail.cocobird.net.

SPF Record

# SPF record example
# SPF is evaluated against the domain of the envelope sender (MAIL FROM) and the
# HELO name, so the record must sit on whichever name appears after the "@" in
# outgoing mail. Here the mail subdomain is the sending domain; if mail is sent as
# user@cocobird.net instead, the TXT record belongs on cocobird.net.
# "~all" is a softfail; once every legitimate sender is listed, "-all" is the
# stricter choice.
mail.cocobird.net.      3600    IN      TXT     "v=spf1 include:_spf.google.com ip4:<IP> ~all"

DMARC Record

# DMARC record example
# p=none / sp=none is monitoring only: receivers send aggregate reports to rua but
# are not asked to quarantine or reject mail that fails alignment. Tighten to
# p=quarantine or p=reject once the reports show SPF/DKIM aligning for all
# legitimate senders.
# The record lives at _dmarc.<domain>, one label under the domain used in From:.
_dmarc.mail.cocobird.net. 3600  IN      TXT     "v=DMARC1; p=none; sp=none; rua=mailto:dmarc-reports@mail.cocobird.net"

Install and Configure postfix

postfix Setting

  1. Install postfix
sudo apt install postfix

# --> Select Internet Site
# --> Enter domain name
# --> Default the following options

# Enable postfix service while start-up
# (enable only registers the unit for boot; it does not reload a running
#  service — main.cf changes are picked up by the restart in a later step)
sudo systemctl enable postfix
  1. Edit the configuration file /etc/postfix/main.cf
# In file '/etc/postfix/main.cf'

# Should be the same name that the MX record points at (and that the TLS
# certificate is issued for) so that receiving servers' checks line up.
myhostname = <domain_name>
# Check mydestination includes $myhostname and <domain_name>
  1. Restart postfix service
# Restart so the edited main.cf is loaded (enable alone does not do this)
sudo systemctl restart postfix

TLS Setting

  1. Edit the configuration file /etc/postfix/main.cf
# In file '/etc/postfix/main.cf'

myhostname = <domain_name>
# Check mydestination includes $myhostname and <domain_name>

# Let's Encrypt paths. Postfix loads the key before dropping privileges, so the
# private key can stay root-only — do not loosen its permissions for the
# postfix user.
smtpd_tls_cert_file=/etc/letsencrypt/live/<domain_name>/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/<domain_name>/privkey.pem

# smtpd_use_tls is the legacy (pre-2.3) switch; on current Postfix the same
# thing is expressed as "smtpd_tls_security_level = may" (opportunistic STARTTLS).
smtpd_use_tls = yes
# Only advertise AUTH after STARTTLS, so credentials never cross the wire in clear.
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
# Relay only for local networks and authenticated users; everything else is
# accepted only if it is addressed to a domain this server is responsible for.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

# TLS for external
# smtp_use_tls is likewise the legacy form of "smtp_tls_security_level = may";
# smtp_tls_note_starttls_offer only logs remote servers that offered STARTTLS
# when it was not used, it does not change delivery.
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
  1. Edit the configuration file /etc/postfix/master.cf
# In file '/etc/postfix/master.cf'

# Find and uncomment to enable smtps service
# (implicit TLS on port 465; each "-o" line overrides main.cf for this listener
#  only). The AUTH enabled here depends on the smtpd_sasl_* settings in main.cf
#  and on Dovecot's unix_listener for private/auth — until both exist the
#  listener offers TLS but logins will fail.

smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Install and Configure DKIM Service

Install and Configure opendkim

  1. Install opendkim
sudo apt install opendkim opendkim-tools

# Add postfix user to opendkim group
# (only matters for the "local:" socket variants, where postfix must be able to
#  open the unix socket; the inet:8891@localhost socket used on this page does
#  not depend on group membership)
sudo gpasswd -a postfix opendkim
  1. Edit the configuration file /etc/opendkim.conf
# In file '/etc/opendkim.conf'

Syslog                  yes
SyslogSuccess           yes
LogWhy                  yes

Canonicalization        relaxed/simple
# sv = sign outgoing mail and verify signatures on incoming mail
Mode                    sv
#SubDomains             no
# Oversign From: so an extra From: header added in transit breaks the signature
OversignHeaders         From

Domain                  <domain_name>
Selector                <selector>
# Must be the path the key is moved to in the "Generate DKIM key" step; the
# generated file is named <selector>.private, so <key_name> is normally the selector.
KeyFile                 /etc/dkimkeys/<key_name>.private

# Listen on loopback only. The bare "inet:8891" variant would accept milter
# connections from any interface. SOCKET= in /etc/default/opendkim overrides
# whatever is set here.
#Socket                 local:/run/opendkim/opendkim.sock
Socket                  inet:8891@localhost
#Socket                 inet:8891
#Socket                 local:/var/spool/postfix/opendkim/opendkim.sock
  1. Edit the default configuration file /etc/default/opendkim
# In file '/etc/default/opendkim'

# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
# SOCKET=local:$RUNDIR/opendkim.sock
# Keep the loopback-only inet socket so the milter is not reachable from other
# hosts; the value must agree with smtpd_milters/non_smtpd_milters in main.cf.
SOCKET="inet:8891@localhost"
  1. Edit the postfix configuration file /etc/postfix/main.cf
# In file '/etc/postfix/main.cf'

.
.
.
# Add following lines at the end

# DKIM
# accept = if opendkim is down or unreachable, mail is still delivered, just
# unsigned (outgoing) or unverified (incoming). Use "tempfail" if sending
# unsigned mail silently is not acceptable.
milter_default_action = accept
milter_protocol = 2
# Must match the Socket / SOCKET value configured for opendkim
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
  1. Generate DKIM key
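# Generate the DKIM key pair for <selector>._domainkey.<domain_name>.
# opendkim-genkey has historically defaulted to a 1024-bit RSA key; 2048 bits is
# the current recommendation (RFC 8301), so the size is requested explicitly.
opendkim-genkey --bits=2048 --selector=<selector> --domain=<domain_name>
# The keys <selector>.txt and <selector>.private will be generated under current directory.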

Once the DKIM key is generated, move it to the default DKIM key directory; the path must match the KeyFile setting in /etc/opendkim.conf.

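# Move the generated key pair into the KeyFile directory from /etc/opendkim.conf
sudo mv <selector>.txt <selector>.private /etc/dkimkeys/

# Modify the directory owner to opendkim
sudo chown -R opendkim:opendkim /etc/dkimkeys/
# Keep the private key readable by its owner only: anyone who can read it can
# sign mail as <domain_name>, and opendkim may refuse to load a key that other
# users can read.
sudo chmod 600 /etc/dkimkeys/<selector>.private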

Changing the owner is an important step; without it opendkim.service cannot access the private key.

Setup DNS DKIM Record

As described in the previous section, the file <selector>.txt contains the DNS record in zone-file format; simply add its content as a DNS TXT record.

# In file '/etc/dkimkeys/<selector>.txt'
# Publish as a TXT record at <selector>._domainkey.<domain_name>. p= carries the
# base64 public key (it is not a hash); h=sha256 limits accepted signatures to
# SHA-256. Some DNS providers need the parenthesised value joined into one string.

<selector>._domainkey     IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; p=<rsa_hash_code>" )  ; ----- DKIM key <selector> for <domain_name>

Install IMAP and POP3 Service

  1. Install dovecot
# IMAP and POP3 servers; the shared dovecot-core package comes in as a dependency
sudo apt install dovecot-imapd dovecot-pop3d
  1. Edit the configuration file /etc/dovecot/dovecot.conf
# In file '/etc/dovecot/dovecot.conf'

.
.
.
# Add following lines at the end

# NOTE(review): on Dovecot 2.x "imaps" and "pop3s" are no longer protocol names
# (use "imap pop3"; the TLS ports 993/995 are enabled through the inet_listener
# entries in conf.d/10-master.conf) — check against the installed version.
protocols = imap imaps pop3 pop3s
# Per-user Maildir under $HOME; postfix's home_mailbox is pointed at the same
# directory later with postconf.
mail_location = maildir:~/Maildir
  1. Edit the configuration file /etc/dovecot/conf.d/10-auth.conf
# In file '/etc/dovecot/conf.d/10-auth.conf'

# NOTE(review): "no" lets clients send passwords in the clear over non-TLS
# IMAP/POP3 sessions. Dovecot's default "yes" refuses plaintext mechanisms
# unless the session is TLS-protected (or comes from localhost); keep "yes"
# unless a client genuinely cannot do STARTTLS or implicit TLS.
disable_plaintext_auth = no
# %n = user part only, so clients log in as "user" rather than "user@<domain_name>"
auth_username_format = %n
# plain and login are both clear-text mechanisms — safe only inside TLS
auth_mechanisms = plain login

  1. Edit the configuration file /etc/dovecot/conf.d/10-ssl.conf
# In file '/etc/dovecot/conf.d/10-ssl.conf'

# "yes" offers TLS but still accepts plaintext sessions; "required" rejects any
# non-TLS client connection (localhost excepted) — prefer it once all clients
# support TLS.
ssl = yes
# The leading "<" tells Dovecot to read the file's contents. Both files are
# opened before root privileges are dropped, so the private key should stay
# unreadable by anyone but root.
ssl_cert = </etc/letsencrypt/live/<domain_name>/fullchain.pem
ssl_key = </etc/letsencrypt/live/<domain_name>/privkey.pem
  1. Edit the configuration file /etc/dovecot/conf.d/10-mail.conf
# In file '/etc/dovecot/conf.d/10-mail.conf'

# Group used for creating lock files in /var/mail; mainly relevant to mbox
# delivery and presumably unused with the Maildir location set on this page.
mail_privileged_group = mail
  1. Change postfix mail location
# Location same as 'mail_location' under '/etc/dovecot/dovecot.conf'
# (the trailing "/" makes Postfix deliver in Maildir format rather than mbox)
sudo postconf -e "home_mailbox = Maildir/"

Relayhost Setting

  1. Edit the configuration file /etc/postfix/main.cf
# In file '/etc/postfix/main.cf'

# SASL (Dovecot Not Support Client)
# smtpd_sasl_* make Postfix accept AUTH from mail clients through Dovecot's
# auth socket; the path is relative to the Postfix queue directory, i.e.
# /var/spool/postfix/private/auth, and must match Dovecot's unix_listener.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# The smtp_sasl_* (client-side) settings below are for relaying through another
# host. Dovecot cannot act as the SASL client, hence the hash: credential map.
#relayhost = [mail.cocobird.net]
# hash: maps are read from the compiled .db file: run
# "postmap /etc/postfix/sasl_passwd" after editing it, and keep the file 0600.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# If relaying is enabled, enable these as well so the relay credentials only
# travel over TLS (encrypt) and plaintext mechanisms are refused without it.
#smtp_sasl_auth_enable = yes
#smtp_tls_security_level = encrypt
#smtp_sasl_tls_security_options = noanonymous
#smtp_sender_dependent_authentication = yes
#smtp_sasl_security_options = noanonymous, noplaintext
#smtp_sasl_tls_security_options = noanonymous
#smtp_sasl_mechanism_filter = plain, login
  1. Edit the configuration file /etc/postfix/sasl_passwd
# In file '/etc/postfix/sasl_passwd'
# This file holds a relay password in clear text: create it root-owned with
# mode 0600, and run "postmap /etc/postfix/sasl_passwd" so the .db that
# smtp_sasl_password_maps reads exists. The lookup key must match relayhost
# exactly, brackets and optional ":port" included.

[<domain_name>]              username:password
# Alternative form:
# [<domain_name>]:submission username:password
  1. Edit configure file /etc/postfix/sasl_passwd
# In file '/etc/postfix/sasl_passwd'

# Find and uncomment
# NOTE(review): this is Dovecot syntax (service auth / unix_listener), not
# Postfix sasl_passwd; it belongs in /etc/dovecot/conf.d/10-master.conf.
# The socket path is the absolute form of smtpd_sasl_path = private/auth, and
# mode 0660 with user/group postfix lets only Postfix reach the auth service.

service auth {
  
  .
  .
  .
  
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Mail Server Testing

Reference