Postfix Installation

In this section, we set up a Postfix SMTP mail server that is used as a relay host to send email to the outside world. In this setup, the server doesn't receive any email; it only sends email to outside users, so we don't need to set up an MX record for it. We do, however, have to set up PTR, SPF, and DKIM records to prevent our emails from being classified as spam.

SPF (Sender Policy Framework) is a system that identifies to mail servers what hosts are allowed to send email for a given domain.

DKIM (DomainKeys Identified Mail) is a system that lets your official mail servers add a signature to headers of outgoing email and identifies your domain’s public key so other mail servers can verify the signature. As with SPF, DKIM helps keep your mail from being considered spam.

Here I have used the domain "domain.example.com", which has a DNS "A" record pointing to my mail server's IP.

The bounce log below indicates that your Postfix mail server is not authorized to send email for that domain and that its messages do not have signed headers.

** example of bounce maillog **

Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 https://support.google.com/mail/answer/81126 to review our Bulk Email 421 4.7.0 Senders Guidelines. kh8si41079434wjb.218 – gsmtp (in reply to end of DATA command)

Install Postfix

1) Install postfix using apt-get.
$ apt-get install postfix

2) Configure hostname and mynetworks in /etc/postfix/main.cf file
$ vim /etc/postfix/main.cf

myhostname = domain.example.com
mydestination = $myhostname, localhost.$myhostname, localhost
myorigin = /etc/mailname

3) Since this is a relay host, configure the network ranges from which it accepts email.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/24
inet_protocols=ipv4

4) Add the origin domain name, which replaces the hostname in the From address of system (root) emails.
$ vim /etc/mailname

example.com

Install DKIM

$ sudo apt-get install opendkim opendkim-tools

Generate DKIM record

DKIM is based on asymmetric cryptography. Basically, we will generate a pair of public/private keys on your server and publish the public key on your DNS records.

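You can create the DKIM key pair online using either of the sites listed below.
When creating the DKIM record, give any string as the selector; it will be used later in the server configuration and in the DNS record. The opendkim-tools package installed above also provides opendkim-genkey, which generates the key pair on the server itself, so the private key is not handled by a third-party site.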

https://www.socketlabs.com/domainkey-dkim-generation-wizard/
http://dkimcore.org/tools/keys.html

Save your private key on the postfix server.
$ mkdir -p /etc/opendkim

$ vim /etc/opendkim/selector._domainkey.example.domain.com.key

$ chmod 700 /etc/opendkim/selector._domainkey.example.domain.com.key

$ chown -R opendkim:opendkim /etc/opendkim/selector._domainkey.example.domain.com.key

Configure DKIM

1) $ sudo vim /etc/opendkim.conf

AutoRestart Yes
AutoRestartRate 10/1h
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Mode sv
PidFile /var/run/opendkim/opendkim.pid
Socket inet:8891@localhost
SyslogSuccess Yes
LogWhy Yes
TemporaryDirectory /var/tmp

2) Next, add the key to /etc/opendkim/KeyTable

$ vim /etc/opendkim/KeyTable

selector._domainkey.example.domain.com example.domain.com:selector:/etc/opendkim/selector._domainkey.example.domain.com.key

3) Specify which domain's emails are to be signed

$ vim /etc/opendkim/SigningTable

*@example.domain.com selector._domainkey.example.domain.com

4) List the domains, hostnames or IP addresses whose emails are allowed to have their headers signed. Here I have whitelisted all IP addresses, because I can control the trusted hosts using the mynetworks variable in the /etc/postfix/main.cf file.

$ vim /etc/opendkim/TrustedHosts

0.0.0.0/0

5) Configure the OpenDKIM socket in the /etc/default/opendkim file

$ vim /etc/default/opendkim

SOCKET="inet:8891@localhost"

6) Connect this to Postfix by appending the following block to /etc/postfix/main.cf

$ vim /etc/postfix/main.cf

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

DNS Setup

1. Set up the SPF TXT record for example.domain.com

example.domain.com IN TXT "v=spf1 a mx ip4: ~all"

2. DKIM TXT records for example.domain.com

selector._domainkey.example.domain.com IN TXT "v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC375RlqjIbyUmLmGhRQn82/jdFbYAdYqhDTqydf2VgaKjaVjLtQ8cBpCYZx8lYaQsKFtHFhLAm4CCMAwUtkl7kh38pz2qlg/FQotZ3HOfbzn5twr2Uz8w1RwGWF0opdEHYu5Pg31lr++tbnqjjrQqzpV7e7jS42p34K41vPjnYBQIDAQAB"
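
The DKIM TXT record can be checked offline before it is published. The Python below is an added example, not part of the original post: it derives the expected record name from the KeyTable entry and reads the RSA modulus size out of the p= value, flagging keys under 2048 bits (the size RFC 8301 says signers should use). The function names and the min_bits parameter are this example's own, and it assumes an RSA key.

```python
import base64

# Values copied from this page's KeyTable and DNS Setup steps.
KEYTABLE = ("selector._domainkey.example.domain.com example.domain.com:selector:"
            "/etc/opendkim/selector._domainkey.example.domain.com.key")
DNS_NAME = "selector._domainkey.example.domain.com"
DNS_TXT = ("v=DKIM1;p="
           "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC375RlqjIbyUmLmG"
           "hRQn82/jdFbYAdYqhDTqydf2VgaKjaVjLtQ8cBpCYZx8lYaQsKFtHF"
           "hLAm4CCMAwUtkl7kh38pz2qlg/FQotZ3HOfbzn5twr2Uz8w1RwGWF0"
           "opdEHYu5Pg31lr++tbnqjjrQqzpV7e7jS42p34K41vPjnYBQIDAQAB")

def der_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(p_b64):
    """Modulus size of the RSA key in a DKIM p= tag (DER SubjectPublicKeyInfo)."""
    _, spki, _ = der_tlv(base64.b64decode(p_b64, validate=True), 0)
    _, _, pos = der_tlv(spki, 0)               # skip AlgorithmIdentifier
    _, bitstring, _ = der_tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = der_tlv(bitstring[1:], 0)  # drop the unused-bits octet
    tag, modulus, _ = der_tlv(rsa_key, 0)      # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("p= does not hold an RSA public key")
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim(keytable_line, dns_name, dns_txt, min_bits=2048):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    domain, selector, _key_path = keytable_line.split()[1].split(":", 2)
    expected = f"{selector}._domainkey.{domain}"
    if dns_name.rstrip(".").lower() != expected.lower():
        findings.append(f"TXT record name should be {expected}")
    tags = dict(t.strip().split("=", 1) for t in dns_txt.split(";") if "=" in t)
    if not tags.get("p"):
        return findings + ["p= is empty, which marks the key as revoked"]
    bits = rsa_modulus_bits(tags["p"].replace(" ", ""))
    if bits < min_bits:
        findings.append(f"RSA key is {bits} bits, below {min_bits}")
    return findings

if __name__ == "__main__":
    print(check_dkim(KEYTABLE, DNS_NAME, DNS_TXT) or "no findings")
```

For the record shown on this page the check returns a single finding: the published key is 1024 bits.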

Set up the Postfix SMTP server to allow only specific recipient domains:

1) Open /etc/postfix/main.cf and add the line below at the end of the file.

transport_maps = hash:/etc/postfix/transport

2) Create the /etc/postfix/transport file and insert the lines specifying which domain should be allowed, as below:

example.com :
* ERROR: ONLY ALLOWING example.com DOMAIN EMAILS

3) Now create a hash of the transport file

$ postmap /etc/postfix/transport

Restart services

$ service opendkim restart

$ service postfix restart

Verify DKIM record

After configuring the DKIM record, verify the DNS record using the links below.

http://protodave.com/tools/dkim-key-checker/
http://dkimcore.org/c/keycheck

Verify your private key against the DKIM record by running the command below on the Postfix mail server.

$ opendkim-testkey -d example.domain.com -s selector -k /etc/opendkim/selector._domainkey.example.domain.com.key -vvvv

Test and verify your email

Get your email configuration rating using the mail tester site.
http://www.mail-tester.com

Send an email from any one of the mail hosts to the email address listed on the above site.

$ echo "Test mail" | mail -s "test mail" -S smtp="domain.example.com" -r mail@example.domain.com web-YKI2sK@mail-tester.com

Also, you can verify your email details on the mail server.

$ postcat -qv <queue_id>

ex. postcat -qa A3EDE40E09AF

