Updated: 2023/07/21
The <domain_name> can be either the main domain (e.g. example.com) or a subdomain (e.g. mail.example.com). Using a subdomain together with an MX record is a better way to manage a web mail server.
# DNS setting example
# A record for subdomain (the host that actually runs Postfix/Dovecot)
mail.cocobird.net. 3600 IN A <IP>
# MX record for domain (content format: "<priority> <mail_domain>")
cocobird.net. 3600 IN MX 10 mail.cocobird.net.
# SPF record example
# NOTE(review): SPF is checked against the envelope-sender (MAIL FROM) domain, so this record
# only covers mail sent as @mail.cocobird.net; if users send as @cocobird.net, publish an
# equivalent TXT record on cocobird.net as well. "~all" is a softfail; "-all" is the stricter
# choice once every legitimate sending source is listed.
mail.cocobird.net. 3600 IN TXT "v=spf1 include:_spf.google.com ip4:<IP> ~all"
# DMARC record example
# NOTE(review): "p=none" only requests reports, it does not quarantine or reject. DMARC passes
# when the DKIM d= domain (Domain in /etc/opendkim.conf below) or the SPF domain aligns with the
# From: header domain. The "rua" mailbox must exist on this server to receive the reports, and
# this record covers mail.cocobird.net only; _dmarc.cocobird.net would cover the bare domain.
_dmarc.mail.cocobird.net. 3600 IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:dmarc-reports@mail.cocobird.net"
# Install Postfix; the Debian/Ubuntu package asks for the configuration type during install.
sudo apt install postfix
# --> Select Internet Site
# --> Enter domain name (the same <domain_name> used for the DNS records above)
# --> Default the following options
# Start the postfix service automatically at boot
sudo systemctl enable postfix
/etc/postfix/main.cf
# In file '/etc/postfix/main.cf'
# Hostname Postfix announces in the SMTP greeting and Received: headers. It should be the
# name clients connect to, i.e. the name the TLS certificate (configured below) is issued for.
myhostname = <domain_name>
# Check mydestination includes $myhostname and <domain_name>
# Restart so the main.cf changes take effect
sudo systemctl restart postfix
/etc/postfix/main.cf
# In file '/etc/postfix/main.cf'
myhostname = <domain_name>
# Check mydestination includes $myhostname and <domain_name>
# Certificate and key used for incoming (smtpd) TLS. Let's Encrypt renews these in place;
# NOTE(review): make sure the renewal hook reloads Postfix so the renewed certificate is served.
smtpd_tls_cert_file=/etc/letsencrypt/live/<domain_name>/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/<domain_name>/privkey.pem
# NOTE(review): smtpd_use_tls is the legacy switch; on current Postfix the equivalent is
# smtpd_tls_security_level = may (opportunistic STARTTLS on port 25).
smtpd_use_tls = yes
# Offer AUTH only inside a TLS session, so passwords never cross the wire in the clear.
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
# Relay only for $mynetworks or authenticated clients; everything else is rejected.
# This line is what keeps the host from being an open relay - do not weaken it.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
# TLS for external
# NOTE(review): smtp_use_tls is likewise legacy; smtp_tls_security_level = may is the current
# form (the commented-out "encrypt" value further down is the stricter variant).
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
/etc/postfix/master.cf
# In file '/etc/postfix/master.cf'
# Find and uncomment to enable smtps service
# Implicit-TLS submission on port 465 ("y" in the chroot column keeps this smtpd chrooted).
smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# NOTE(review): in master.cf the "-o" lines must start with whitespace so they are read as
# continuation lines of the smtps entry; the indentation appears to have been lost here.
-o smtpd_tls_wrappermode=yes
# Enables AUTH on this TLS-wrapped service. The later main.cf snippet also sets
# smtpd_sasl_auth_enable = yes globally, which makes this override redundant; with
# smtpd_tls_auth_only = yes AUTH is still only offered after TLS on every port.
-o smtpd_sasl_auth_enable=yes
sudo apt install opendkim opendkim-tools
# Add postfix user to opendkim group
# (presumably only needed when Postfix reaches OpenDKIM over a local UNIX socket; with the
# inet:8891@localhost socket configured below it is harmless but not required - confirm)
sudo gpasswd -a postfix opendkim
/etc/opendkim.conf
# In file '/etc/opendkim.conf'
# Log to syslog, including successful signings and the reason for any failure
# (this is what you look at when mail leaves unsigned).
Syslog yes
SyslogSuccess yes
LogWhy yes
# relaxed header / simple body canonicalization
Canonicalization relaxed/simple
# s = sign outgoing mail, v = verify signatures on incoming mail
Mode sv
#SubDomains no
# Oversign From: so a relay cannot add a second From: header without breaking the signature
OversignHeaders From
# Domain and Selector must match the TXT record published at <selector>._domainkey.<domain_name>
Domain <domain_name>
Selector <selector>
# NOTE(review): the key generated later in this guide is named <selector>.private and is moved
# to /etc/dkimkeys/; <key_name> here must be that same file or opendkim starts without a key.
KeyFile /etc/dkimkeys/<key_name>.private
#Socket local:/run/opendkim/opendkim.sock
# TCP socket bound to loopback only; Postfix connects to it via smtpd_milters = inet:localhost:8891.
Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
/etc/default/opendkim
# In file '/etc/default/opendkim'
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
# SOCKET=local:$RUNDIR/opendkim.sock
# Keep this identical to the Socket line in /etc/opendkim.conf; as noted above, this value wins.
SOCKET="inet:8891@localhost"
/etc/postfix/main.cf
# In file '/etc/postfix/main.cf'
.
.
.
# Add following lines at the end
# DKIM
# NOTE(review): "accept" fails open: if opendkim is down, mail is still accepted and sent, just
# unsigned and unverified. Use "tempfail" if deferring mail is preferable to sending it unsigned.
milter_default_action = accept
milter_protocol = 2
# Must match Socket in /etc/opendkim.conf and SOCKET in /etc/default/opendkim.
# smtpd_milters covers mail arriving over SMTP; non_smtpd_milters covers locally submitted mail.
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
# Generate the DKIM key pair. NOTE(review): the default key size depends on the opendkim-genkey
# version; passing --bits=2048 is the common recommendation.
opendkim-genkey --selector=<selector> --domain=<domain_name>
# The keys <selector>.txt and <selector>.private will be generated under current directory.
Once the DKIM key has been generated, move it to the default DKIM key path; the path must match the KeyFile
setting in /etc/opendkim.conf.
sudo mv <selector>.txt <selector>.private /etc/dkimkeys/
# Modify the directory owner to opendkim
sudo chown -R opendkim:opendkim /etc/dkimkeys/
# <selector>.private is the signing secret: it should be readable by the opendkim user only
# (mode 0600); anyone who can read it can sign mail as <domain_name>.
Changing the owner is an important step: otherwise opendkim.service cannot read the private key.
As described in the previous section, the file <selector>.txt
contains the DNS record in zone-file format; simply add its content to the DNS record.
# In file '/etc/dkimkeys/<selector>.txt'
# Publish this as a TXT record at <selector>._domainkey.<domain_name>. The "p=" value is the
# base64-encoded public key (not a hash). Some generators split a long p= value into several quoted
# strings; concatenate them if the DNS provider's editor expects a single string. Everything after
# the ";" is a zone-file comment and is not part of the record.
<selector>._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; p=<rsa_hash_code>" ) ; ----- DKIM key <selector> for <domain_name>
# Install the Dovecot IMAP and POP3 servers (Dovecot also provides SASL for Postfix below)
sudo apt install dovecot-imapd dovecot-pop3d
/etc/dovecot/dovecot.conf
# In file '/etc/dovecot/dovecot.conf'
.
.
.
# Add following lines at the end
# NOTE(review): on Dovecot 2.x the TLS ports are enabled via the imaps/pop3s inet_listeners in
# 10-master.conf, and "imaps"/"pop3s" are obsolete protocol names; confirm the installed version
# accepts them ("protocols = imap pop3" is the usual form).
protocols = imap imaps pop3 pop3s
# Maildir under each user's home; must agree with home_mailbox on the Postfix side (set below)
mail_location = maildir:~/Maildir
/etc/dovecot/conf.d/10-auth.conf
# In file '/etc/dovecot/conf.d/10-auth.conf'
# NOTE(review): "no" allows PLAIN/LOGIN passwords over unencrypted IMAP/POP3 connections.
# The default "yes" still allows these mechanisms once TLS is active, so keep the default
# unless a client genuinely cannot use TLS (the Postfix side already requires TLS for AUTH).
disable_plaintext_auth = no
# Log in with the local part only (%n strips the @domain), matching the system accounts
auth_username_format = %n
# PLAIN and LOGIN are what Postfix's smtpd_sasl_type = dovecot and most mail clients use
auth_mechanisms = plain login
/etc/dovecot/conf.d/10-ssl.conf
# In file '/etc/dovecot/conf.d/10-ssl.conf'
# "yes" enables TLS; "required" would additionally refuse any login that is not protected by TLS
ssl = yes
# The leading "<" makes Dovecot read the file contents; the same Let's Encrypt files as Postfix uses
ssl_cert = </etc/letsencrypt/live/<domain_name>/fullchain.pem
ssl_key = </etc/letsencrypt/live/<domain_name>/privkey.pem
/etc/dovecot/conf.d/10-mail.conf
# In file '/etc/dovecot/conf.d/10-mail.conf'
# Group used for privileged mail operations (e.g. lock files in the system mail spool) - confirm needed with Maildir
mail_privileged_group = mail
# Location same as 'mail_location' under '/etc/dovecot/dovecot.conf'
# Postfix delivers to ~/Maildir/ (the trailing slash selects Maildir format), matching Dovecot's mail_location
sudo postconf -e "home_mailbox = Maildir/"
/etc/postfix/main.cf
# In file '/etc/postfix/main.cf'
# SASL (Dovecot Not Support Client)
# i.e. Dovecot provides server-side SASL only (for smtpd); client-side SASL for outbound smtp
# relaying would use Postfix's own password map below.
smtpd_sasl_type = dovecot
# Relative to the Postfix queue directory: /var/spool/postfix/private/auth, the unix_listener Dovecot creates
smtpd_sasl_path = private/auth
# Together with smtpd_tls_auth_only = yes (set earlier), AUTH is only offered after STARTTLS/implicit TLS
smtpd_sasl_auth_enable = yes
#relayhost = [mail.cocobird.net]
# NOTE(review): this map is only consulted when smtp_sasl_auth_enable = yes (commented out below),
# and hash: maps must be compiled with "sudo postmap /etc/postfix/sasl_passwd" after every edit.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_sasl_auth_enable = yes
#smtp_tls_security_level = encrypt
#smtp_sasl_tls_security_options = noanonymous
#smtp_sender_dependent_authentication = yes
#smtp_sasl_security_options = noanonymous, noplaintext
#smtp_sasl_tls_security_options = noanonymous
#smtp_sasl_mechanism_filter = plain, login
/etc/postfix/sasl_passwd
# In file '/etc/postfix/sasl_passwd'
# Plaintext relay credentials: keep this file and the generated sasl_passwd.db root-owned with
# mode 0600, then run "sudo postmap /etc/postfix/sasl_passwd" to build the hash: map.
[<domain_name>] username:password
# Alternative form:
# [<domain_name>]:submission username:password
/etc/postfix/sasl_passwd
# In file '/etc/postfix/sasl_passwd'
# NOTE(review): the block below is Dovecot "service auth" syntax, not a Postfix lookup table;
# on Debian/Ubuntu it belongs in /etc/dovecot/conf.d/10-master.conf. The file header above
# looks like a copy-paste of the previous section.
# Find and uncomment
service auth {
.
.
.
# Postfix smtp-auth
# Socket placed inside the Postfix queue directory so the chrooted smtpd can reach it;
# this is the path that smtpd_sasl_path = private/auth resolves to. Mode 0660 with
# postfix:postfix restricts the socket to Postfix processes.
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}