ankitpatial/dev-ops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1c13547385
dev-ops/postfix-setup.md
Ankit Patial 1c13547385 mailu setup steps
2024-12-16 12:29:19 +05:30

363 lines
9.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# upgrade
- Ubuntu [ref page](https://ubuntu.com/server/docs/install-and-configure-postfix)
```bash
sudo apt update
sudo apt upgrade -y
```
## install postfix
```bash
sudo apt install -y postfix
```
in case to reconfigre postfix:
```bash
sudo dpkg-reconfigure postfix
```
## Configure mailbox format
To configure the mailbox format for Maildir:
```bash
sudo postconf -e 'home_mailbox = maildir/'
```
This will place new mail in /home/<username>/maildir so you will need to configure your Mail Delivery Agent (MDA) to use the same path.
## Configure SMTP authentication
To configure Postfix for SMTP-AUTH using SASL (Dovecot SASL), run these commands at a terminal prompt:
```bash
sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous,noplaintext'
sudo postconf -e 'smtpd_sasl_tls_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
```
## setup ssl
install certbot to use letsencrypt
```bash
sudo apt install -y certbot
```
and get cert
```bash
sudo certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d my_domain
```
Once you have a certificate, configure Postfix to provide TLS encryption for both incoming and outgoing mail:
```bash
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/my_domain/privkey.pem'
sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/my_domain/fullchain.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = my_domain'
```
restart postfix
```bash
sudo systemctl restart postfix.service
```
### Configure SASL
Postfix supports two SASL implementations: Cyrus SASL and Dovecot SASL.
To enable Dovecot SASL the dovecot-core package will need to be installed:
```bash
sudo apt install dovecot-core
```
Next, edit /etc/dovecot/conf.d/10-master.conf and change the following:
```text
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Its default
# permissions make it readable only by root, but you may need to relax these
# permissions. Users that have access to this socket are able to get a list
# of all usernames and get results of everyone's userdb lookups.
unix_listener auth-userdb {
#mode = 0600
#user =
#group =
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
```
Once you have configured Dovecot, restart it with:
```bash
sudo systemctl restart dovecot.service
```
### Setup SPF and dkim
Step 1: Create an SPF Record in DNS
In your DNS management interface, create a new TXT record like below.
```
TXT @ v=spf1 mx ~all
```
### Setting up DKIM
First, install OpenDKIM which is an open-source implementation of the DKIM sender authentication system.
```bash
sudo apt install opendkim opendkim-tools
```
Then add postfix user to opendkim group.
```bash
sudo gpasswd -a postfix opendkim
```
Edit OpenDKIM main configuration file.
```bash
sudo vim /etc/opendkim.conf
```
Find the following line.
```
Syslog yes
```
By default, OpenDKIM logs will be saved in /var/log/mail.log file. Add the following line so OpenDKIM will generate more detailed logs for debugging.
```
Logwhy yes
```
Set
```
Canonicalization simple
Mode sv
SubDomains no
```
Then add the following lines below
```
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
```
Next, add the following lines at the end of this file.
```
# OpenDKIM user
# Remember to add user postfix to group opendkim
UserID opendkim
# Map domains in From addresses to keys used to sign messages
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
# Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/trusted.hosts
# A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts
```
Save and close the file.
### Create Signing Table, Key Table and Trusted Hosts File
Create a directory structure for OpenDKIM
```bash
sudo mkdir /etc/opendkim
sudo mkdir /etc/opendkim/keys
```
Change the owner from root to opendkim and make sure only opendkim user can read and write to the keys directory.
```bash
sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod go-rw /etc/opendkim/keys
```
Create the signing table.
```bash
sudo vim /etc/opendkim/signing.table
```
Add the following two lines to the file. This tells OpenDKIM that if a sender on your server is using a @your-domain.com address, then it should be signed with the private key identified by default.\_domainkey.your-domain.com. The second line tells that your sub-domains will be signed by the private key as well.
```
_@your-domain.com default.\_domainkey.your-domain.com
\_@\*.your-domain.com default.\_domainkey.your-domain.com
```
Save and close the file. Then create the key table.
```bash
sudo vim /etc/opendkim/key.table
```
Add the following line, which tells the location of the private key.
```
default.\_domainkey.your-domain.com your-domain.com:default:/etc/opendkim/keys/your-domain.com/default.private
```
Save and close the file. Next, create the trusted hosts file.
```bash
sudo vim /etc/opendkim/trusted.hosts
```
Add the following lines to the newly created file. This tells OpenDKIM that if an email is coming from localhost or from the same domain, then OpenDKIM should only sign the email but not perform DKIM verification on the email.
```
127.0.0.1
localhost
cdl.patialtech.com
.patialtech.com
```
### Save and close the file.
Generate Private/Public Keypair
Since DKIM is used to sign outgoing messages and verify incoming messages, we need to generate a private key for signing and a
public key for remote verifier. Public key will be published in DNS.
Create a separate folder for the domain.
```bash
sudo mkdir /etc/opendkim/keys/your-domain.com
```
Generate keys using opendkim-genkey tool.
```bash
sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s default -v
```
The above command will create 2048 bits keys. -d (domain) specifies the domain. -D (directory) specifies the directory
where the keys will be stored and we use default as the selector (-s), also known as the name. Once the command is executed,
the private key will be written to default.private file and the public key will be written to default.txt file.
Make opendkim as the owner of the private key.
```bash
sudo chown opendkim:opendkim /etc/opendkim/keys/your-domain.com/default.private
```
And change the permission, so only the opendkim user has read and write access to the file.
```bash
sudo chmod 600 /etc/opendkim/keys/your-domain.com/default.private
```
Display the public key
```bash
sudo cat /etc/opendkim/keys/your-domain.com/default.txt
```
### Test DKIM Key
Enter the following command on Ubuntu server to test your key.
```bash
sudo opendkim-testkey -d your-domain.com -s default -vvv
```
If everything is OK, you will see Key OK in the command output.
```
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'default._domainkey.your-domain.com'
opendkim-testkey: key secure
opendkim-testkey: key OK
```
If you see Key not secure in the command output, dont panic. This is because DNSSEC isnt enabled on your domain name.
DNSSEC is a security standard for secure DNS query. Most domain names havent enabled DNSSEC.
Theres absolutely no need to worry about Key not secure. You can continue to follow this guide.
### Connect Postfix to OpenDKIM
Postfix can talk to OpenDKIM via a Unix socket file. The default socket file used by OpenDKIM is /var/run/opendkim/opendkim.sock, as shown in /etc/opendkim.conf file. But the postfix SMTP daemon shipped with Ubuntu runs in a chroot jail, which means the SMTP daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). So we need to change the OpenDKIM Unix socket file.
Create a directory to hold the OpenDKIM socket file and allow only opendkim user and postfix group to access it.
```bash
sudo mkdir /var/spool/postfix/opendkim
sudo chown opendkim:postfix /var/spool/postfix/opendkim
```
Then edit the OpenDKIM main configuration file.
```bash
sudo vim /etc/opendkim.conf
```
set
```bash
Socket local:/var/spool/postfix/opendkim/opendkim.sock
```
Save and close the file.
Next, we need to edit the Postfix main configuration file.
```bash
sudo vim /etc/postfix/main.cf
```
Add the following lines at the end of this file, so Postfix will be able to call OpenDKIM via the milter protocol.
```
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
```
Then restart opendkim and postfix service.
```bash
sudo systemctl restart opendkim postfix
```
Reference in New Issue View Git Blame Copy Permalink