*`Updated: 2023/07/21`*

## Setup DNS Records

### MX Record

The `<domain_name>` can be either the apex domain (e.g. `example.com`) or a subdomain (e.g. `mail.example.com`). Using a subdomain with its own MX record is the better way to manage a web mail server.

```
# DNS setting example
# A record for the subdomain
mail.cocobird.net.    3600 IN A   <IP>
# MX record for the domain (content format: "<priority> <mail_domain>")
cocobird.net.         3600 IN MX  10 mail.cocobird.net.
```

### SPF Record

The SPF record lists the hosts allowed to send mail for the domain used in the envelope sender; `~all` marks every other host as a soft fail.

```
# SPF record example
mail.cocobird.net.    3600 IN TXT "v=spf1 include:_spf.google.com ip4:<IP> ~all"
```

### DMARC Record

With `p=none` DMARC only monitors: nothing is rejected yet, and aggregate reports are sent to the `rua` address.

```
# DMARC record example
_dmarc.mail.cocobird.net.  3600 IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:dmarc-reports@mail.cocobird.net"
```

## Install and Configure postfix

### postfix Setting

1. Install postfix

   ```bash
   sudo apt install postfix
   # --> Select "Internet Site"
   # --> Enter the domain name
   # --> Accept the defaults for the remaining options

   # Enable the postfix service at start-up
   sudo systemctl enable postfix
   ```

2. Edit the configuration file `/etc/postfix/main.cf`

   ```
   # In file '/etc/postfix/main.cf'
   myhostname = <domain_name>
   # Check that mydestination includes $myhostname and <domain_name>
   ```

3. Restart the postfix service

   ```
   sudo systemctl restart postfix
   ```

### TLS Setting

1. Edit the configuration file `/etc/postfix/main.cf`

   ```
   # In file '/etc/postfix/main.cf'
   myhostname = <domain_name>
   # Check that mydestination includes $myhostname and <domain_name>

   smtpd_tls_cert_file = /etc/letsencrypt/live/<domain_name>/fullchain.pem
   smtpd_tls_key_file  = /etc/letsencrypt/live/<domain_name>/privkey.pem
   # smtpd_use_tls = yes is the legacy spelling of smtpd_tls_security_level = may
   smtpd_use_tls = yes
   # Only offer AUTH inside a TLS session, so passwords never cross the wire in clear
   smtpd_tls_auth_only = yes
   smtpd_tls_received_header = yes
   # reject_unauth_destination is what keeps the server from being an open relay
   smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

   # TLS for external (outbound) SMTP
   smtp_use_tls = yes
   smtp_tls_note_starttls_offer = yes
   ```

2. Edit the configuration file `/etc/postfix/master.cf`

   ```
   # In file '/etc/postfix/master.cf'
   # Find the smtps entry and uncomment it (including its -o lines) to enable
   # the implicit-TLS service on port 465
   smtps     inet  n       -       y       -       -       smtpd
     -o syslog_name=postfix/smtps
     -o smtpd_tls_wrappermode=yes
     -o smtpd_sasl_auth_enable=yes
   ```

## Install and Configure DKIM Service

### Install and Configure opendkim

1. Install opendkim

   ```bash
   sudo apt install opendkim opendkim-tools
   # Add the postfix user to the opendkim group
   sudo gpasswd -a postfix opendkim
   ```

2. Edit the configuration file `/etc/opendkim.conf`

   ```
   # In file '/etc/opendkim.conf'
   Syslog                  yes
   SyslogSuccess           yes
   LogWhy                  yes

   Canonicalization        relaxed/simple
   Mode                    sv
   #SubDomains             no
   OversignHeaders         From

   Domain                  <domain_name>
   Selector                <selector>
   # Must point at the private key generated in step 5 and moved to /etc/dkimkeys/
   KeyFile                 /etc/dkimkeys/<selector>.private

   #Socket                 local:/run/opendkim/opendkim.sock
   Socket                  inet:8891@localhost
   #Socket                 inet:8891
   #Socket                 local:/var/spool/postfix/opendkim/opendkim.sock
   ```

3. Edit the default configuration file `/etc/default/opendkim`

   ```
   # In file '/etc/default/opendkim'
   # Uncomment to specify an alternate socket
   # Note that setting this will override any Socket value in opendkim.conf
   # default:
   # SOCKET=local:$RUNDIR/opendkim.sock
   SOCKET="inet:8891@localhost"
   ```

4. Edit the postfix configuration file `/etc/postfix/main.cf`

   ```
   # In file '/etc/postfix/main.cf'
   ...
   # Add the following lines at the end
   # DKIM
   # "accept" means mail still passes (unsigned) when opendkim is down
   milter_default_action = accept
   milter_protocol = 2
   smtpd_milters = inet:localhost:8891
   non_smtpd_milters = inet:localhost:8891
   ```

5. Generate the DKIM key

   ```bash
   opendkim-genkey --selector=<selector> --domain=<domain_name>
   # The files <selector>.txt and <selector>.private are generated in the current directory.
   ```

   Once the DKIM key is generated, move it to the default DKIM key path; the path must match the `KeyFile` setting in `/etc/opendkim.conf`.

   ```bash
   sudo mv <selector>.txt <selector>.private /etc/dkimkeys/
   # Change the directory owner to opendkim
   sudo chown -R opendkim:opendkim /etc/dkimkeys/
   ```

   :::warning
   Changing the owner is an important step: without it opendkim.service cannot read the private key.
   :::

### Setup DNS DKIM Record

According to the former section, the file `<selector>.txt` is already written in DNS record format; add its content as a TXT record for `<selector>._domainkey.<domain_name>`. The `p=` value is the base64-encoded RSA public key.

```
# In file '/etc/dkimkeys/<selector>.txt'
<selector>._domainkey  IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; p=<base64_public_key>" )  ; ----- DKIM key <selector> for <domain_name>
```

## Install IMAP and POP3 Service

1. Install dovecot

   ```
   sudo apt install dovecot-imapd dovecot-pop3d
   ```

2. Edit the configuration file `/etc/dovecot/dovecot.conf`

   ```
   # In file '/etc/dovecot/dovecot.conf'
   ...
   # Add the following lines at the end
   # Dovecot 2.x no longer accepts "imaps"/"pop3s" here; the TLS listeners on
   # ports 993/995 come from ssl = yes in 10-ssl.conf
   protocols = imap pop3
   mail_location = maildir:~/Maildir
   ```

3. Edit the configuration file `/etc/dovecot/conf.d/10-auth.conf`

   ```
   # In file '/etc/dovecot/conf.d/10-auth.conf'
   # "no" also permits PLAIN/LOGIN on unencrypted sessions (ports 143/110);
   # the default "yes" limits cleartext mechanisms to TLS-protected sessions
   disable_plaintext_auth = no
   auth_username_format = %n
   auth_mechanisms = plain login
   ```

4. Edit the configuration file `/etc/dovecot/conf.d/10-ssl.conf`

   ```
   # In file '/etc/dovecot/conf.d/10-ssl.conf'
   ssl = yes
   ssl_cert = </etc/letsencrypt/live/<domain_name>/fullchain.pem
   ssl_key = </etc/letsencrypt/live/<domain_name>/privkey.pem
   ```

5. Edit the configuration file `/etc/dovecot/conf.d/10-mail.conf`

   ```
   # In file '/etc/dovecot/conf.d/10-mail.conf'
   mail_privileged_group = mail
   ```

6. Change the postfix mail location

   ```bash
   # Same location as 'mail_location' in '/etc/dovecot/dovecot.conf'
   sudo postconf -e "home_mailbox = Maildir/"
   ```

## Relayhost Setting

1. Edit the configuration file `/etc/postfix/main.cf`

   ```
   # In file '/etc/postfix/main.cf'
   # SASL server side (Dovecot SASL is supported by the Postfix SMTP server only,
   # not by the SMTP client that talks to a relayhost)
   smtpd_sasl_type = dovecot
   smtpd_sasl_path = private/auth
   smtpd_sasl_auth_enable = yes

   #relayhost = [mail.cocobird.net]
   smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
   #smtp_sasl_auth_enable = yes
   #smtp_tls_security_level = encrypt
   #smtp_sasl_tls_security_options = noanonymous
   #smtp_sender_dependent_authentication = yes
   #smtp_sasl_security_options = noanonymous, noplaintext
   #smtp_sasl_tls_security_options = noanonymous
   #smtp_sasl_mechanism_filter = plain, login
   ```

2. Edit the configuration file `/etc/postfix/sasl_passwd`

   ```
   # In file '/etc/postfix/sasl_passwd'
   [<domain_name>] username:password
   # Alternative form:
   # [<domain_name>]:submission username:password
   # After editing, run "sudo postmap /etc/postfix/sasl_passwd" so the hash: table is built
   ```

3. Edit the configuration file `/etc/dovecot/conf.d/10-master.conf`

   ```
   # In file '/etc/dovecot/conf.d/10-master.conf'
   # Find the auth service and uncomment the Postfix listener
   service auth {
     ...
     # Postfix smtp-auth
     unix_listener /var/spool/postfix/private/auth {
       mode = 0660
       user = postfix
       group = postfix
     }
   }
   ```

## Mail Server Testing

- MXToolBox - https://mxtoolbox.com/
- MXToolBox Mail deliverability - https://mxtoolbox.com/deliverability
- Google Admin Toolbox Check MX - https://toolbox.googleapps.com/apps/checkmx/
- mail-tester - https://www.mail-tester.com/
- CheckTLS - https://www.checktls.com/TestReceiver

## Reference

- SASL - https://www.postfix.org/SASL_README.html#client_sasl
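The following is an added example, not code from the guide above: before publishing the SPF, DMARC and DKIM values from the "Setup DNS Records" and "Setup DNS DKIM Record" sections, it checks each value for the mistakes that silently break mail authentication (a missing `v=` tag, a `+all` SPF, an invalid `p=` policy, an empty public key, too many SPF lookups) and joins the multi-string `<selector>.txt` written by `opendkim-genkey` into the single value a DNS provider's TXT field takes. All function names are hypothetical helpers and every input, including the DKIM key material, is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the original guide: pre-publication checks for the
# SPF, DMARC and DKIM TXT values, plus a helper that joins the multi-string
# <selector>.txt written by opendkim-genkey into one TXT value. Function names
# are hypothetical; every input below is constructed.

# tag_value RECORD TAG -> value of TAG in a "tag=value; tag=value" record
tag_value() {
  printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# check_spf RECORD -> 0 if the record is well-formed and not wide open
check_spf() {
  rec=$1; lookups=0
  case "$rec" in "v=spf1 "*) ;; *) echo "spf: must start with 'v=spf1 '"; return 1 ;; esac
  for term in $rec; do
    case "$term" in
      v=spf1|ip4:*|ip6:*|~all|-all|\?all) ;;
      +all|all) echo "spf: '$term' authorises every host on the Internet"; return 1 ;;
      include:*|a|a:*|mx|mx:*|ptr|ptr:*|exists:*|redirect=*) lookups=$((lookups + 1)) ;;
      *) echo "spf: unrecognised term '$term'"; return 1 ;;
    esac
  done
  # RFC 7208 caps DNS-querying terms at 10; more produces a permerror
  [ "$lookups" -le 10 ] || { echo "spf: $lookups DNS lookups exceed the limit of 10"; return 1; }
  case " $rec " in *" ~all "*|*" -all "*|*" ?all "*) return 0 ;; esac
  echo "spf: no terminal all mechanism"; return 1
}

# check_dmarc RECORD -> 0 if v= and p= are valid; notes a missing rua=
check_dmarc() {
  rec=$1
  [ "$(tag_value "$rec" v)" = DMARC1 ] || { echo "dmarc: must start with v=DMARC1"; return 1; }
  p=$(tag_value "$rec" p)
  case "$p" in
    none|quarantine|reject) ;;
    *) echo "dmarc: p= must be none, quarantine or reject (got '$p')"; return 1 ;;
  esac
  [ -n "$(tag_value "$rec" rua)" ] || echo "dmarc: no rua=, aggregate reports will not arrive"
  return 0
}

# check_dkim RECORD -> 0 if the value carries a DKIM1 version tag and a public key
check_dkim() {
  rec=$1
  [ "$(tag_value "$rec" v)" = DKIM1 ] || { echo "dkim: must start with v=DKIM1"; return 1; }
  [ -n "$(tag_value "$rec" p)" ] || { echo "dkim: empty p= (revoked or truncated key)"; return 1; }
  return 0
}

# dkim_txt_join FILE -> the quoted strings of an opendkim-genkey .txt file joined
# into one TXT value (a 2048-bit key exceeds 255 bytes and is split into several)
dkim_txt_join() {
  grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# make_sample_dkim_txt -> path of a constructed <selector>.txt (not a real key)
make_sample_dkim_txt() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
sel2023._domainkey  IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedSamplePartOne"
    "constructedSamplePartTwo" )  ; ----- DKIM key sel2023 for example.com
EOF
  echo "$f"
}

# Demo with the guide's records (documentation address 203.0.113.10 stands in for <IP>)
check_spf "v=spf1 include:_spf.google.com ip4:203.0.113.10 ~all" && echo "spf ok"
check_dmarc "v=DMARC1; p=none; sp=none; rua=mailto:dmarc-reports@mail.cocobird.net" && echo "dmarc ok"
sample=$(make_sample_dkim_txt)
record=$(dkim_txt_join "$sample"); rm -f "$sample"
check_dkim "$record" && echo "dkim ok: ${record%%p=*}p=<key>"
```

Run it once with the real `/etc/dkimkeys/<selector>.txt` in place of the constructed file; the joined output is the exact string to paste into the `<selector>._domainkey` TXT record, and `check_dkim` on the value fetched back from DNS confirms the key was not truncated by the provider's form.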
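A second added example, again not code from the guide: it audits the settings the "TLS Setting", "Install and Configure DKIM Service" and "Relayhost Setting" sections put into `/etc/postfix/main.cf`, reading `key = value` lines of the kind `postconf -n` prints, and checks the `sasl_passwd` file from the Relayhost section (owner-only permissions, `postmap` has been run). The function names are hypothetical, and the configuration dumps and the credential they reference are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original guide: audit the Postfix settings the
# guide configures, from "postconf -n"-style "key = value" lines, and check the
# sasl_passwd file (mode 600, postmap run). Function names are hypothetical;
# the configs and the credential below are constructed samples.

# conf_get FILE KEY -> value of KEY, empty if unset
conf_get() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# has_word LIST WORD -> 0 if WORD appears in a space- or comma-separated LIST
has_word() {
  case " $(printf '%s' "$1" | tr ',' ' ') " in *" $2 "*) return 0 ;; esac
  return 1
}

# audit_postfix FILE -> prints one finding per line; exit status = number of findings
audit_postfix() {
  conf=$1; findings=0
  note() { echo "$1"; findings=$((findings + 1)); }

  # Passwords must only travel inside TLS
  [ "$(conf_get "$conf" smtpd_tls_auth_only)" = yes ] \
    || note "AUTH is offered on cleartext sessions: set smtpd_tls_auth_only = yes"

  # Without reject_unauth_destination the server relays for anyone
  has_word "$(conf_get "$conf" smtpd_relay_restrictions)" reject_unauth_destination \
    || note "smtpd_relay_restrictions lacks reject_unauth_destination (open relay)"

  # Both milter lists must reach OpenDKIM, or locally submitted mail leaves unsigned
  for key in smtpd_milters non_smtpd_milters; do
    has_word "$(conf_get "$conf" "$key")" inet:localhost:8891 \
      || note "$key does not include the OpenDKIM milter inet:localhost:8891"
  done

  # The sasl_passwd source holds a cleartext password, and a hash: table is only
  # usable once "postmap" has built the .db beside it
  maps=$(conf_get "$conf" smtp_sasl_password_maps)
  case "$maps" in
    hash:*)
      src=${maps#hash:}
      if [ -f "$src" ]; then
        [ "$(ls -l "$src" | cut -c5-10)" = "------" ] \
          || note "$src is readable by group/other: chmod 600 $src"
        [ -f "$src.db" ] || note "$src.db missing: run postmap $src"
      else
        note "$src from smtp_sasl_password_maps does not exist"
      fi
      ;;
  esac
  return $findings
}

# make_sample DIR hardened|weak -> writes a constructed postconf dump plus a
# sasl_passwd file into DIR and prints the dump's path
make_sample() {
  dir=$1
  printf '[mail.example.com] user:constructed-password\n' > "$dir/sasl_passwd"
  if [ "$2" = hardened ]; then
    chmod 600 "$dir/sasl_passwd"
    : > "$dir/sasl_passwd.db"            # stands in for the postmap output
    auth_only=yes; non_smtpd=inet:localhost:8891
    relay="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
  else
    chmod 644 "$dir/sasl_passwd"
    auth_only=no; non_smtpd=""
    relay="permit_mynetworks, permit_sasl_authenticated"
  fi
  cat > "$dir/postconf-n.txt" <<EOF
myhostname = mail.example.com
smtpd_tls_auth_only = $auth_only
smtpd_relay_restrictions = $relay
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $non_smtpd
smtp_sasl_password_maps = hash:$dir/sasl_passwd
EOF
  echo "$dir/postconf-n.txt"
}

# Demo: the hardened dump passes, the weak one reports five findings
tmp=$(mktemp -d)
mkdir "$tmp/good" "$tmp/weak"
audit_postfix "$(make_sample "$tmp/good" hardened)" && echo "hardened: no findings"
audit_postfix "$(make_sample "$tmp/weak" weak)" || echo "weak: $? findings"
rm -rf "$tmp"
```

On a live host, feed it `postconf -n > /tmp/postconf-n.txt` instead of the constructed dump; the `smtp_sasl_password_maps` check then inspects the real `/etc/postfix/sasl_passwd`, so run it as root or a user that can `ls -l` that file.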