# upgrade - Ubuntu [ref page](https://ubuntu.com/server/docs/install-and-configure-postfix) ```bash sudo apt update sudo apt upgrade -y ``` ## install postfix ```bash sudo apt install -y postfix ``` in case to reconfigre postfix: ```bash sudo dpkg-reconfigure postfix ``` ## Configure mailbox format To configure the mailbox format for Maildir: ```bash sudo postconf -e 'home_mailbox = maildir/' ``` This will place new mail in /home//maildir so you will need to configure your Mail Delivery Agent (MDA) to use the same path. ## Configure SMTP authentication To configure Postfix for SMTP-AUTH using SASL (Dovecot SASL), run these commands at a terminal prompt: ```bash sudo postconf -e 'smtpd_sasl_type = dovecot' sudo postconf -e 'smtpd_sasl_path = private/auth' sudo postconf -e 'smtpd_sasl_local_domain =' sudo postconf -e 'smtpd_sasl_security_options = noanonymous,noplaintext' sudo postconf -e 'smtpd_sasl_tls_security_options = noanonymous' sudo postconf -e 'broken_sasl_auth_clients = yes' sudo postconf -e 'smtpd_sasl_auth_enable = yes' sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' ``` ## setup ssl install certbot to use letsencrypt ```bash sudo apt install -y certbot ``` and get cert ```bash sudo certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d my_domain ``` Once you have a certificate, configure Postfix to provide TLS encryption for both incoming and outgoing mail: ```bash sudo postconf -e 'smtp_tls_security_level = may' sudo postconf -e 'smtpd_tls_security_level = may' sudo postconf -e 'smtp_tls_note_starttls_offer = yes' sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/my_domain/privkey.pem' sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/my_domain/fullchain.pem' sudo postconf -e 'smtpd_tls_loglevel = 1' sudo postconf -e 'smtpd_tls_received_header = yes' sudo postconf -e 'myhostname = my_domain' ``` restart postfix ```bash sudo systemctl restart postfix.service ``` ### Configure SASL Postfix supports two SASL implementations: Cyrus SASL and Dovecot SASL. To enable Dovecot SASL the dovecot-core package will need to be installed: ```bash sudo apt install dovecot-core ``` Next, edit /etc/dovecot/conf.d/10-master.conf and change the following: ```text service auth { # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Its default # permissions make it readable only by root, but you may need to relax these # permissions. Users that have access to this socket are able to get a list # of all usernames and get results of everyone's userdb lookups. unix_listener auth-userdb { #mode = 0600 #user = #group = } # Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } } ``` Once you have configured Dovecot, restart it with: ```bash sudo systemctl restart dovecot.service ``` ### Setup SPF and dkim Step 1: Create an SPF Record in DNS In your DNS management interface, create a new TXT record like below. ``` TXT @ v=spf1 mx ~all ``` ### Setting up DKIM First, install OpenDKIM which is an open-source implementation of the DKIM sender authentication system. ```bash sudo apt install opendkim opendkim-tools ``` Then add postfix user to opendkim group. ```bash sudo gpasswd -a postfix opendkim ``` Edit OpenDKIM main configuration file. ```bash sudo vim /etc/opendkim.conf ``` Find the following line. ``` Syslog yes ``` By default, OpenDKIM logs will be saved in /var/log/mail.log file. Add the following line so OpenDKIM will generate more detailed logs for debugging. ``` Logwhy yes ``` Set ``` Canonicalization simple Mode sv SubDomains no ``` Then add the following lines below ``` AutoRestart yes AutoRestartRate 10/1M Background yes DNSTimeout 5 SignatureAlgorithm rsa-sha256 ``` Next, add the following lines at the end of this file. ``` # OpenDKIM user # Remember to add user postfix to group opendkim UserID opendkim # Map domains in From addresses to keys used to sign messages KeyTable refile:/etc/opendkim/key.table SigningTable refile:/etc/opendkim/signing.table # Hosts to ignore when verifying signatures ExternalIgnoreList /etc/opendkim/trusted.hosts # A set of internal hosts whose mail should be signed InternalHosts /etc/opendkim/trusted.hosts ``` Save and close the file. ### Create Signing Table, Key Table and Trusted Hosts File Create a directory structure for OpenDKIM ```bash sudo mkdir /etc/opendkim sudo mkdir /etc/opendkim/keys ``` Change the owner from root to opendkim and make sure only opendkim user can read and write to the keys directory. ```bash sudo chown -R opendkim:opendkim /etc/opendkim sudo chmod go-rw /etc/opendkim/keys ``` Create the signing table. ```bash sudo vim /etc/opendkim/signing.table ``` Add the following two lines to the file. This tells OpenDKIM that if a sender on your server is using a @your-domain.com address, then it should be signed with the private key identified by default.\_domainkey.your-domain.com. The second line tells that your sub-domains will be signed by the private key as well. ``` _@your-domain.com default.\_domainkey.your-domain.com \_@\*.your-domain.com default.\_domainkey.your-domain.com ``` Save and close the file. Then create the key table. ```bash sudo vim /etc/opendkim/key.table ``` Add the following line, which tells the location of the private key. ``` default.\_domainkey.your-domain.com your-domain.com:default:/etc/opendkim/keys/your-domain.com/default.private ``` Save and close the file. Next, create the trusted hosts file. ```bash sudo vim /etc/opendkim/trusted.hosts ``` Add the following lines to the newly created file. This tells OpenDKIM that if an email is coming from localhost or from the same domain, then OpenDKIM should only sign the email but not perform DKIM verification on the email. ``` 127.0.0.1 localhost cdl.patialtech.com .patialtech.com ``` ### Save and close the file. Generate Private/Public Keypair Since DKIM is used to sign outgoing messages and verify incoming messages, we need to generate a private key for signing and a public key for remote verifier. Public key will be published in DNS. Create a separate folder for the domain. ```bash sudo mkdir /etc/opendkim/keys/your-domain.com ``` Generate keys using opendkim-genkey tool. ```bash sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s default -v ``` The above command will create 2048 bits keys. -d (domain) specifies the domain. -D (directory) specifies the directory where the keys will be stored and we use default as the selector (-s), also known as the name. Once the command is executed, the private key will be written to default.private file and the public key will be written to default.txt file. Make opendkim as the owner of the private key. ```bash sudo chown opendkim:opendkim /etc/opendkim/keys/your-domain.com/default.private ``` And change the permission, so only the opendkim user has read and write access to the file. ```bash sudo chmod 600 /etc/opendkim/keys/your-domain.com/default.private ``` Display the public key ```bash sudo cat /etc/opendkim/keys/your-domain.com/default.txt ``` ### Test DKIM Key Enter the following command on Ubuntu server to test your key. ```bash sudo opendkim-testkey -d your-domain.com -s default -vvv ``` If everything is OK, you will see Key OK in the command output. ``` opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: checking key 'default._domainkey.your-domain.com' opendkim-testkey: key secure opendkim-testkey: key OK ``` If you see Key not secure in the command output, don’t panic. This is because DNSSEC isn’t enabled on your domain name. DNSSEC is a security standard for secure DNS query. Most domain names haven’t enabled DNSSEC. There’s absolutely no need to worry about Key not secure. You can continue to follow this guide. ### Connect Postfix to OpenDKIM Postfix can talk to OpenDKIM via a Unix socket file. The default socket file used by OpenDKIM is /var/run/opendkim/opendkim.sock, as shown in /etc/opendkim.conf file. But the postfix SMTP daemon shipped with Ubuntu runs in a chroot jail, which means the SMTP daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). So we need to change the OpenDKIM Unix socket file. Create a directory to hold the OpenDKIM socket file and allow only opendkim user and postfix group to access it. ```bash sudo mkdir /var/spool/postfix/opendkim sudo chown opendkim:postfix /var/spool/postfix/opendkim ``` Then edit the OpenDKIM main configuration file. ```bash sudo vim /etc/opendkim.conf ``` set ```bash Socket local:/var/spool/postfix/opendkim/opendkim.sock ``` Save and close the file. Next, we need to edit the Postfix main configuration file. ```bash sudo vim /etc/postfix/main.cf ``` Add the following lines at the end of this file, so Postfix will be able to call OpenDKIM via the milter protocol. ``` # Milter configuration milter_default_action = accept milter_protocol = 6 smtpd_milters = local:opendkim/opendkim.sock non_smtpd_milters = $smtpd_milters ``` Then restart opendkim and postfix service. ```bash sudo systemctl restart opendkim postfix ```