Last active October 19, 2025 08:38

Revisions
Haoye revised this gist
Mar 24, 2019 . 1 changed file with 10 additions and 6 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -389,7 +389,7 @@ If you want to setup multiple domains, here are some additional instructions: Acquire multi-domain SSL certificate ``` certbot --agree-tos --standalone -d mail.domain.com -d mail.domain2.com certonly ``` Add a virtual map in postfix settings @@ -405,8 +405,10 @@ Append your other domain to `/etc/postfix/virtual` ``` /etc/postfix/virtual domain2.com anything #domain3.com anything @domain2.com @domain.com #@domain3.com @domain.com ``` Refresh map rules @@ -418,7 +420,8 @@ postmap /etc/postfix/virtual Add your other domain to DKIM SigningTable and KeyTable ``` export domain=domain2.com #export domain=domain3.com mkdir /etc/opendkim mkdir /etc/opendkim/keys mkdir /etc/opendkim/keys/$domain @@ -429,14 +432,15 @@ echo "default._domainkey.$domain $domain:default:/etc/opendkim/keys/$domain/defa echo "*@$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable ``` Again, the DNS record will be saved in `/etc/opendkim/keys/domain#.com/default.txt` and private key in default.private Append your other domain to the end of TrustedHosts for opendkim ``` /etc/opendkim/TrustedHosts domain2.com #domain3.com ``` And finally, you may restart your mail server -
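Review bot: the catch-all `@domain2.com @domain.com` line in the `/etc/postfix/virtual` hunk makes smtpd accept every local part at domain2.com, because the wildcard satisfies the virtual-alias recipient check; the rewritten `user@domain.com` is only validated at delivery, so mail to a nonexistent user is accepted and then bounced, which is backscatter. If the intent is per-user mapping, list the real addresses explicitly (`user@domain2.com user@domain.com`) and keep the `domain2.com anything` line so the domain stays a virtual alias domain; keep the wildcard only if a true catch-all is wanted.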
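Review bot: the second-domain DKIM hunk repeats `mkdir /etc/opendkim` and `mkdir /etc/opendkim/keys`, which already exist after the first domain and will fail with "File exists"; use `mkdir -p` or drop those two lines. In the TrustedHosts hunk, note that opendkim matches that file (InternalHosts/ExternalIgnoreList) against the connecting host, not the sender domain, so `domain2.com` only belongs there if a host by that name actually relays through this server; the signing decision for `*@domain2.com` is already made by the SigningTable entry.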
howyay revised this gist
Mar 16, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ # An ultimate guide to Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support and additional instructions for a multi-domain setup In this guide, `domain.com` will be your root domain and `mail.domain.com` will be the hostname of your mail server -
howyay revised this gist
Mar 11, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ # The ultimate guide to Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support and additional instructions for a multi-domain setup In this guide, `domain.com` will be your root domain and `mail.domain.com` will be the hostname of your mail server -
Haoye revised this gist
Mar 11, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -275,7 +275,7 @@ service auth { } } ssl = required ssl_cert = </path/to/cert/fullchain.pem ssl_key = </path/to/cert/privkey.pem #set your certificate -
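Review bot: switching `ssl_cert` to `fullchain.pem` is the right fix, since IMAP clients need the intermediate certificate to build the chain; the Postfix `smtpd_tls_cert_file` in this gist already points at `fullchain.pem`, so both services now agree. The copy step under `/path/to/cert/` is unnecessary for Dovecot: it opens `ssl_cert` and `ssl_key` as root before dropping privileges, so `</etc/letsencrypt/live/mail.domain.com/fullchain.pem` and `privkey.pem` can be referenced directly despite the restrictive permissions on that directory.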
Haoye revised this gist
Mar 10, 2019 . 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,8 +1,8 @@ # An ultimate guide to Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support and additional instructions for a multi-domain setup In this guide, `domain.com` will be your root domain and `mail.domain.com` will be the hostname of your mail server - [An ultimate guide to Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support and additional instructions for a multi-domain setup](#an-ultimate-guide-to-postfix--dovecot-imap-server-with-complete-spf-dkim-and-dmarc-support-and-additional-instructions-for-a-multi-domain-setup) - [0x01 Adding DNS records](#0x01-adding-dns-records) - [0x02 Set hostname](#0x02-set-hostname) - [0x03 Verify DNS resolution](#0x03-verify-dns-resolution) -
Haoye revised this gist
Mar 10, 2019 . 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,8 +1,8 @@ # Install Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support with additional instructions for a multi-domain setup In this guide, `domain.com` will be your root domain and `mail.domain.com` will be the hostname of your mail server - [Install Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support with additional instructions for a multi-domain setup](#install-postfix--dovecot-imap-server-with-complete-spf-dkim-and-dmarc-support-with-additional-instructions-for-a-multi-domain-setup) - [0x01 Adding DNS records](#0x01-adding-dns-records) - [0x02 Set hostname](#0x02-set-hostname) - [0x03 Verify DNS resolution](#0x03-verify-dns-resolution) -
Haoye revised this gist
Mar 10, 2019 . 1 changed file with 2 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -395,6 +395,8 @@ certbot --agree-tos --standalone -d mail.domain.com -d mail.otherdomain.com cert Add a virtual map in postfix settings ``` /etc/postfix/main.cf virtual_alias_maps=hash:/etc/postfix/virtual ``` -
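Review bot: `virtual_alias_maps=hash:/etc/postfix/virtual` only takes effect once the table has been built with `postmap /etc/postfix/virtual` and Postfix reloaded (the appendix has the `postmap` step further down, but this hunk shows the setting on its own), and the `hash:` type is only available on builds with Berkeley DB; `postconf -m` lists the supported map types, and `lmdb:` is the usual alternative where `hash:` is missing.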
Haoye revised this gist
Mar 10, 2019 . 1 changed file with 8 additions and 6 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,8 +1,8 @@ # Install Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support In this guide, `domain.com` will be your root domain and `mail.domain.com` will be the hostname of your mail server - [Install Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support](#install-postfix--dovecot-imap-server-with-complete-spf-dkim-and-dmarc-support) - [0x01 Adding DNS records](#0x01-adding-dns-records) - [0x02 Set hostname](#0x02-set-hostname) - [0x03 Verify DNS resolution](#0x03-verify-dns-resolution) @@ -15,8 +15,8 @@ In this guide, `domain.com` will be your root domain and `mail.domain.com` will - [0x08 Add a user (you)](#0x08-add-a-user-you) - [0x08.1 Set alias (redirect mails to root to your user)](#0x081-set-alias-redirect-mails-to-root-to-your-user) - [0x09 Restart](#0x09-restart) - [Appendix](#appendix) - [Multi-domain](#multi-domain) ## 0x01 Adding DNS records @@ -38,6 +38,8 @@ _dmarc IN TXT "v=DMARC1;p=quarantine;rua=mailto:[email protected]" //DMARC, no additional settings required ``` Now we've finished setting up SPF and DMARC, we will move onto actual setup of a postfix+dovecot imap server with complete DKIM support ## 0x02 Set hostname Use your favorite editor to append your hostname to `/etc/hostname` @@ -378,9 +380,9 @@ Restart everything systemctl restart postfix dovecot opendkim && postfix reload ``` # Appendix ## Multi-domain If you want to setup multiple domains, here are some additional instructions: -
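Review bot: the new sentence "Now we've finished setting up SPF and DMARC" sits directly after a DMARC record with `p=quarantine`, before DKIM signing is configured at all; a first deployment normally starts at `p=none` with the `rua` address so the reports show SPF and DKIM aligning, and moves to `quarantine` or `reject` only after that, otherwise any slip in the later DKIM steps sends the domain's own mail to spam folders.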
Haoye revised this gist
Mar 10, 2019 . 1 changed file with 179 additions and 92 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,15 +5,18 @@ In this guide, `domain.com` will be your root domain and `mail.domain.com` will - [Install Postfix + Dovecot IMAP server with complete spf, dkim and dmarc support](#install-postfix--dovecot-imap-server-with-complete-spf-dkim-and-dmarc-support) - [0x01 Adding DNS records](#0x01-adding-dns-records) - [0x02 Set hostname](#0x02-set-hostname) - [0x03 Verify DNS resolution](#0x03-verify-dns-resolution) - [0x04 Get SSL certificate](#0x04-get-ssl-certificate) - [0x05 Install and configure Postfix](#0x05-install-and-configure-postfix) - [0x05.1 main.cf](#0x051-maincf) - [0x05.2 master.cf](#0x052-mastercf) - [0x06 Setup Dovecot IMAP server](#0x06-setup-dovecot-imap-server) - [0x07 Setup DKIM signature](#0x07-setup-dkim-signature) - [0x08 Add a user (you)](#0x08-add-a-user-you) - [0x08.1 Set alias (redirect mails to root to your user)](#0x081-set-alias-redirect-mails-to-root-to-your-user) - [0x09 Restart](#0x09-restart) - [Appendix](#appendix) - [Multi-domain](#multi-domain) ## 0x01 Adding DNS records @@ -29,42 +32,23 @@ Additional record like SPF, DKIM, and DMARC will look similar to these ``` @ IN TXT "v=spf1 mx a -all" //SPF, no additional settings required default._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=*" //DKIM, additional settings with opendkim is required _dmarc IN TXT "v=DMARC1;p=quarantine;rua=mailto:[email protected]" //DMARC, no additional settings required ``` ## 0x02 Set hostname Use your favorite editor to append your hostname to `/etc/hostname` ``` /etc/hostname mail.domain.com ``` ## 0x03 Verify DNS resolution ``` apt-get update 
@@ -86,24 +70,25 @@ dig a mail.domain.com +short Check if the output of the second command above matches your current mail server's ip ## 0x04 Get SSL certificate ***For additional instructions for a multi-domain mail server, check out the [Appendix](#appendix)*** ``` apt-get update apt-get upgrade ``` Install certbot ``` apt-get install certbot ``` Acquire the certificate file only ``` certbot --agree-tos --standalone -d mail.domain.com certonly ``` Fill in the information accordingly, select the standalone option when authenticating with the CA, @@ -112,14 +97,18 @@ Put `mail.domain.com` when it asks you for your domain, Finally, the certificate(cert.pem) and the private key(privkey.pem) will be saved to `/etc/letsencrypt/live/mail.domain.com/` Copy the certificate file and private key to somewhere easy to access ``` cp /etc/letsencrypt/live/mail.domain.com/*.pem /path/to/cert/ ``` ## 0x05 Install and configure Postfix ``` apt-get update apt-get upgrade ``` Install postfix and mailutils 
@@ -129,46 +118,46 @@ apt-get install postfix mailutils Select `Internet Site` and put `domain.com` ### 0x05.1 main.cf ***For additional instructions for a multi-domain mail server, check out the [Appendix](#appendix)*** Use your favorite editor to edit `/etc/postfix/main.cf` ``` vim /etc/postfix/main.cf ``` Confirm your following settings ``` myhostname = mail.domain.com mydomain = domain.com myorigin = $mydomain mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost ``` Here you may append the path of SSL certificate and private key to where you saved them earlier and add a few additional security settings ``` smtpd_tls_cert_file = /path/to/cert/fullchain.pem smtpd_tls_key_file = /path/to/cert/privkey.pem smtpd_tls_security_level = encrypt smtp_tls_security_level = encrypt smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 ``` Set up for Maildir style mailbox ``` home_mailbox = Maildir/ ``` Use SASL auth and prepare for dovecot installation ``` smtpd_sasl_type = dovecot @@ -179,13 +168,21 @@ smtpd_sasl_local_domain = $myhostname smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject ``` Add the following to prepare for opendkim setup ``` smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = inet:127.0.0.1:8891 milter_default_action = accept ``` After saving the configuration, you can use the following command to verify your main settings ``` postconf -n ``` ### 0x05.2 master.cf Uncomment lines as follows in `/etc/postfix/master.cf` 
@@ -203,21 +200,20 @@ submission inet n - - - - smtpd # -o milter_macro_daemon_name=ORIGINATING ``` ## 0x06 Setup Dovecot IMAP server ``` apt-get update apt-get upgrade ``` Install dovecot core and imap server ``` apt-get install dovecot-core dovecot-imapd ``` Backup original dovecot configuration and create a blank one using your favorite editor ``` mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig @@ -227,20 +223,22 @@ vim /etc/dovecot/dovecot.conf Paste contents below ``` disable_plaintext_auth = yes mail_privileged_group = mail mail_location = maildir:~/Maildir #set mailbox location to Maildir style userdb { driver = passwd } passdb { args = %s driver = pam } protocols = "imap" namespace inbox { inbox = yes @@ -265,32 +263,31 @@ namespace inbox { special_use = \Archive } } #create and autosubscribe to some default folders service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } } ssl=required ssl_cert = </path/to/cert/fullchain.pem ssl_key = </path/to/cert/privkey.pem #set your certificate ``` ## 0x07 Setup DKIM signature ***For additional instructions for a multi-domain mail server, check out the [Appendix](#appendix)*** ``` apt-get update apt-get upgrade ``` Install opendkim and utilities ``` 
@@ -300,28 +297,26 @@ apt-get install opendkim opendkim-tools Generate SigningTable, KeyTable and DNS records + private key ``` export domain=domain.com mkdir /etc/opendkim mkdir /etc/opendkim/keys mkdir /etc/opendkim/keys/$domain cd /etc/opendkim/keys/$domain opendkim-genkey -d $domain -s default chown -R opendkim:opendkim /etc/opendkim/keys/$domain echo "default._domainkey.$domain $domain:default:/etc/opendkim/keys/$domain/default.private" >> /etc/opendkim/KeyTable echo "*@$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable ``` DNS record will be in `/etc/opendkim/keys/domain.com/default.txt`, private key will be `default.private` in the same directory Edit `/etc/opendkim.conf` ``` Syslog yes UMask 007 Canonicalization relaxed/simple Mode sv SubDomains no AutoRestart yes 
@@ -332,24 +327,116 @@ SignatureAlgorithm rsa-sha256 SigningTable refile:/etc/opendkim/SigningTable KeyTable /etc/opendkim/KeyTable ExternalIgnoreList /etc/opendkim/TrustedHosts InternalHosts /etc/opendkim/TrustedHosts Socket inet:8891@localhost PidFile /var/run/opendkim/opendkim.pid OversignHeaders From TrustAnchorFile /usr/share/dns/root.key UserID opendkim ``` Append the following to the TrustedHosts ``` /etc/opendkim/TrustedHosts 127.0.0.1 localhost mail.server.ip.address domain.com ``` ## 0x08 Add a user (you) ``` useradd -m -s /bin/bash username passwd username ``` ### 0x08.1 Set alias (redirect mails to root to your user) Use your favorite editor to append the following to `/etc/alias/ ` ``` root: username ``` Refresh aliases ``` newaliases ``` ## 0x09 Restart Restart everything ``` systemctl restart postfix dovecot opendkim && postfix reload ``` ## Appendix ### Multi-domain If you want to setup multiple domains, here are some additional instructions: Acquire multi-domain SSL certificate ``` certbot --agree-tos --standalone -d mail.domain.com -d mail.otherdomain.com certonly ``` Add a virtual map in postfix settings ``` virtual_alias_maps=hash:/etc/postfix/virtual ``` Append your other domain to `/etc/postfix/virtual` ``` /etc/postfix/virtual otherdomain.com anything @domain.com @otherdomain.com ``` Refresh map rules ``` postmap /etc/postfix/virtual ``` Add your other domain to DKIM SigningTable and KeyTable ``` export domain=otherdomain.com mkdir /etc/opendkim mkdir /etc/opendkim/keys mkdir /etc/opendkim/keys/$domain cd /etc/opendkim/keys/$domain opendkim-genkey -d $domain -s default chown -R opendkim:opendkim /etc/opendkim/keys/$domain echo "default._domainkey.$domain $domain:default:/etc/opendkim/keys/$domain/default.private" >> /etc/opendkim/KeyTable echo "*@$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable ``` Again, the DNS record will be saved in `/etc/opendkim/keys/otherdomain.com/default.txt` and private key in default.private Append 
your other domain to the end of TrustedHosts for opendkim ``` /etc/opendkim/TrustedHosts otherdomain.com ``` And finally, you may restart your mail server ``` systemctl restart postfix dovecot opendkim && postfix reload ``` -
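Review bot: in the DNS records hunk, `v=spf1 mx a -all` also authorises whatever the apex `A` record points at (usually the web host) to send as domain.com; `v=spf1 mx -all` is tighter when only `mail.domain.com` sends. The "Verify DNS resolution" step checks MX and A only; add `dig -x <mail server ip> +short` and confirm the PTR resolves to `mail.domain.com`, because many receivers reject or spam-folder mail from a host whose reverse DNS does not match its HELO name (`myhostname`).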
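Review bot: `certbot --agree-tos --standalone -d mail.domain.com certonly` needs port 80 free on every issuance and every renewal, so it conflicts with any web server later installed on the host (`--webroot` or the `--pre-hook`/`--post-hook` options avoid that). The `cp /etc/letsencrypt/live/mail.domain.com/*.pem /path/to/cert/` step produces a copy that silently goes stale after the automatic renewal; either point Postfix and Dovecot at the live path or add a `--deploy-hook` that re-copies the files and restarts both services.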
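Review bot: `smtpd_tls_security_level = encrypt` and `smtp_tls_security_level = encrypt` in the main.cf hunk put mandatory TLS in the wrong place. On the public port 25 listener RFC 3207 says a publicly referenced server must not require STARTTLS, and outbound `encrypt` makes delivery to any remote MX that lacks STARTTLS defer and eventually bounce. Keep both at `may` in main.cf (or `smtp_tls_security_level = dane` with a validating resolver) and require TLS only on the submission service in master.cf with `-o smtpd_tls_security_level=encrypt`, which is where the SASL credentials travel; `smtpd_tls_auth_only = yes` additionally guarantees AUTH is never offered before TLS. The `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` exclusions are fine.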
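Review bot: `milter_default_action = accept` in the milter hunk means that when opendkim is not running Postfix both sends outbound mail unsigned and accepts inbound mail without verification, and nothing in the mail flow makes that visible; `tempfail` is the safer choice for a single-host setup, where a stopped milter should cause deferrals that get noticed rather than be bypassed. The `inet:127.0.0.1:8891` address matches the `Socket inet:8891@localhost` line in opendkim.conf, so the port change from 8892 is consistent on both sides.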
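Review bot: in the opendkim.conf and 0x08 hunk, `TrustAnchorFile /usr/share/dns/root.key` exists only when the `dns-root-data` package is installed, so confirm the file is present and check `systemctl status opendkim` after the first start; `TrustedHosts` lists `domain.com`, which opendkim matches against the connecting host name (InternalHosts/ExternalIgnoreList), not against the sender domain, so that entry only does something if the host named domain.com relays through this server. Further down, `useradd -m -s /bin/bash username` gives every mailbox owner an interactive shell although Dovecot (PAM plus `userdb passwd`) never needs one; `-s /usr/sbin/nologin` keeps a leaked IMAP password from doubling as an SSH login where sshd allows password authentication. The alias step writes to `/etc/alias/ `, which should read `/etc/aliases`, the file `newaliases` compiles and the path the Mar 5 revision used.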
Haoye revised this gist
Mar 8, 2019 . 1 changed file with 12 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -252,6 +252,18 @@ namespace inbox { auto = subscribe special_use = \Sent } mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Archive { auto = subscribe special_use = \Archive } } ``` -
Haoye revised this gist
Mar 8, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -31,7 +31,7 @@ Additional record like SPF, DKIM, and DMARC will look similar to these //SPF, no additional settings required mail._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=*" //DKIM, additional settings with opendkim is required _dmarc IN TXT "v=DMARC1;p=quarantine;rua=mailto:[email protected]" //DMARC, no additional settings required ``` -
haoye revised this gist
Mar 7, 2019 . 1 changed file with 9 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -306,13 +306,22 @@ Edit `/etc/opendkim.conf` ``` Syslog yes UMask 007 Domain domain.com Canonicalization simple Mode sv SubDomains no AutoRestart yes Background yes DNSTimeout 5 SignatureAlgorithm rsa-sha256 SigningTable refile:/etc/opendkim/SigningTable KeyTable /etc/opendkim/KeyTable Socket inet:8892@localhost PidFile /var/run/opendkim/opendkim.pid OversignHeaders From TrustAnchorFile /usr/share/dns/root.key -
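Review bot: `Canonicalization simple` in this opendkim.conf hunk applies simple canonicalization to both header and body, so any intermediary that re-wraps or re-spaces a header (list servers and some gateways do) invalidates the signature; `relaxed/simple` survives that and is the value the Mar 10 revision switched to. `Domain domain.com` is redundant once `SigningTable` and `KeyTable` select the signing domain, and `Socket inet:8892@localhost` has to agree with the `smtpd_milters`/`non_smtpd_milters` port in main.cf, which in this revision is also 8892 and was later changed to 8891 on both sides.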
Haoye revised this gist
Mar 6, 2019 . 1 changed file with 5 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,8 +1,8 @@ # Install Postfix + Dovecot IMAP server with complete spf, dkim and dmarc support In this guide, `domain.com` will be your root domain and `mail.domain.com` will be the hostname of your mail server - [Install Postfix + Dovecot IMAP server with complete spf, dkim and dmarc support](#install-postfix--dovecot-imap-server-with-complete-spf-dkim-and-dmarc-support) - [0x01 Adding DNS records](#0x01-adding-dns-records) - [0x02 Set hostname](#0x02-set-hostname) - [0x03 Add a user (you)](#0x03-add-a-user-you) @@ -37,7 +37,7 @@ _dmarc IN TXT "v=DMARC1;p=quarantine;[email protected]" ## 0x02 Set hostname Set hostname of your mail server to `mail.domain.com` ``` hostname mail.domain.com @@ -108,7 +108,7 @@ certbot --agree-tos --dry-run certonly Fill in the information accordingly, select the standalone option when authenticating with the CA, Put `mail.domain.com` when it asks you for your domain, Finally, the certificate(cert.pem) and the private key(privkey.pem) will be saved to `/etc/letsencrypt/live/mail.domain.com/` @@ -127,7 +127,7 @@ Install postfix and mailutils apt-get install postfix mailutils ``` Select `Internet Site` and put `domain.com` ### 0x06.1 main.cf -
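Review bot: `hostname mail.domain.com` in the 0x02 hunk only changes the running kernel hostname and is lost on reboot; the persistent setting is `/etc/hostname` (which the following revision edits instead) plus a matching `/etc/hosts` entry, or `hostnamectl set-hostname mail.domain.com` on systemd hosts. The `certbot --agree-tos --dry-run certonly` line now carries the flag its heading promises; since `--dry-run` talks to the staging CA and writes nothing under `/etc/letsencrypt/live`, the real `certonly` run still has to follow it.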
howyay renamed this gist
Mar 6, 2019 . 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ # Install Postfix + Dovecot IMAP server with complete spf, dkim and dmarc support In this guide, domain.com will be your root domain and mail.domain.com will be the hostname of your mail server -
Haoye revised this gist
Mar 6, 2019 . 1 changed file with 79 additions and 63 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,8 +1,21 @@ # Install Postfix + Dovecot IMAP server with DKIM signature In this guide, domain.com will be your root domain and mail.domain.com will be the hostname of your mail server - [Install Postfix + Dovecot IMAP server with DKIM signature](#install-postfix--dovecot-imap-server-with-dkim-signature) - [0x01 Adding DNS records](#0x01-adding-dns-records) - [0x02 Set hostname](#0x02-set-hostname) - [0x03 Add a user (you)](#0x03-add-a-user-you) - [0x03.1 Set alias (redirect mails to root to your user)](#0x031-set-alias-redirect-mails-to-root-to-your-user) - [0x04 Verify DNS resolution](#0x04-verify-dns-resolution) - [0x05 Get SSL certificate](#0x05-get-ssl-certificate) - [0x06 Install and configure Postfix](#0x06-install-and-configure-postfix) - [0x06.1 main.cf](#0x061-maincf) - [0x06.2 master.cf](#0x062-mastercf) - [0x07 Setup Dovecot IMAP server](#0x07-setup-dovecot-imap-server) - [0x08 Setup DKIM signature](#0x08-setup-dkim-signature) ## 0x01 Adding DNS records Add following DNS record to your domain 
@@ -14,53 +27,66 @@ mail IN A your_mail_server_ip Additional record like SPF, DKIM, and DMARC will look similar to these ``` @ IN TXT "v=spf1 mx a -all" //SPF, no additional settings required mail._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=*" //DKIM, additional settings with opendkim is required _dmarc IN TXT "v=DMARC1;p=quarantine;[email protected]" //DMARC, no additional settings required ``` ## 0x02 Set hostname Set hostname of your mail server to mail.domain.com ``` hostname mail.domain.com ``` Or use your favorite editor to append your hostname in `/etc/hostname` ``` vim /etc/hostname ``` ## 0x03 Add a user (you) ``` useradd -m -s /bin/bash username passwd username ``` ### 0x03.1 Set alias (redirect mails to root to your user) Use your favorite editor to append the following to `/etc/alias/ ` ``` root: haoye ``` ## 0x04 Verify DNS resolution ``` apt-get update apt-get upgrade ``` Install dnsutils ``` apt-get install dnsutils ``` Verify dns resolution ``` dig mx domain.com +short dig a mail.domain.com +short ``` Check if the output of the second command above matches your current mail server's ip ## 0x05 Get SSL certificate Install certbot @@ -77,7 +103,7 @@ certbot --agree-tos certonly For staging environment, use the --dry-run flag ``` certbot --agree-tos --dry-run certonly ``` Fill in the information accordingly, select the standalone option when authenticating with the CA, @@ -93,7 +119,7 @@ cp /etc/letsencrypt/live/mail.domain.com/cert.pem /path/to/mail.crt cp /etc/letsencrypt/live/mail.domain.com/privkey.pem /path/to/mail.key ``` ## 0x06 Install and configure Postfix Install postfix and mailutils 
@@ -103,36 +129,37 @@ apt-get install postfix mailutils Select `Internet Site` and put domain.com ### 0x06.1 main.cf Use your favorite editor to edit `/etc/postfix/main.cf` ``` vim /etc/postfix/main.cf ``` Confirm your $myhostname setting ``` myhostname = mail.domain.com ``` Set a variable for \$mydomain ``` mydomain = domain.com myorigin = $mydomain mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost ``` Here you may append the path of SSL certificate and private key to where you saved them earlier and add a few additional settings ``` smtpd_tls_cert_file = /path/to/mail.crt smtpd_tls_key_file = /path/to/mail.key smtpd_tls_security_level = may smtp_tls_security_level = may #smtpd_tls_protocols = !SSLv2, !SSLv3 ``` Add this line to set up for Maildir style mailbox @@ -158,7 +185,7 @@ After saving the configuration, you can use the following command to verify your postconf -n ``` ### 0x06.2 master.cf Uncomment lines as follows in `/etc/postfix/master.cf` @@ -176,13 +203,13 @@ submission inet n - - - - smtpd # -o milter_macro_daemon_name=ORIGINATING ``` Restart postfix service and reload postfix config ``` systemctl restart postfix && postfix reload ``` ## 0x07 Setup Dovecot IMAP server Install dovecot core and imap server package @@ -202,7 +229,6 @@ Paste contents below ``` disable_plaintext_auth = no mail_privileged_group = mail mail_location = maildir:~/Maildir userdb { driver = passwd @@ -211,19 +237,19 @@ passdb { args = %s driver = pam } protocols = "imap" ``` ``` namespace inbox { inbox = yes mailbox Trash { auto = subscribe special_use = \Trash } mailbox Sent { auto = subscribe special_use = \Sent } } @@ -245,7 +271,13 @@ ssl_cert = </path/to/mail.crt ssl_key = </path/to/mail.key ``` Restart & reload postfix and dovecot ``` systemctl restart postfix dovecot && postfix reload ``` ## 0x08 Setup DKIM signature Install opendkim and utilities 
@@ -281,10 +313,10 @@ SubDomains no SigningTable refile:/etc/opendkim/SigningTable KeyTable /etc/opendkim/KeyTable Socket inet:8892@localhost PidFile /var/run/opendkim/opendkim.pid OversignHeaders From TrustAnchorFile /usr/share/dns/root.key UserID opendkim ``` Add following line to `/etc/postfix/main.cf` @@ -300,19 +332,3 @@ Restart everything ``` systemctl restart postfix dovecot opendkim && postfix reload ``` -
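Review bot: in the main.cf hunk `smtpd_tls_security_level = may` and `smtp_tls_security_level = may` are the right opportunistic settings for port 25, but `#smtpd_tls_protocols = !SSLv2, !SSLv3` stays commented, so SSLv3 remains negotiable on the opportunistic listener wherever the OpenSSL build still offers it; uncomment it and extend the exclusion to TLSv1 and TLSv1.1 as the Mar 10 revision does. The certificate copied to `/path/to/mail.crt` is `cert.pem`, the leaf only; clients that do not already have the Let's Encrypt intermediate fail chain building against it, so `fullchain.pem` is the file to install (the Mar 11 revision makes that change for Dovecot).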
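Review bot: the dovecot.conf hunk keeps `disable_plaintext_auth = no`; `ssl=required` already refuses plaintext authentication on unencrypted connections regardless of that setting, but the explicit `yes` (adopted in the Mar 10 revision) states the intent and does not depend on `ssl` staying at `required`. In the 0x03.1 hunk the alias line reads `root: haoye`, the author's own account, where the rest of the guide uses the `username` placeholder, and its target path `/etc/alias/ ` should be `/etc/aliases`.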
haoye revised this gist
Mar 5, 2019 . 1 changed file with 22 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -7,8 +7,19 @@ In this guide, replace domain.com with your domain and mail.domain.com with your Add following DNS record to your domain ``` mail IN A your_mail_server_ip @ IN MX mail.domain.com ``` Additional record like SPF, DKIM, and DMARC will look similar to these ``` @ IN TXT "v=spf1 mx ip4:68.183.169.161 -all" //SPF, no additional settings required mail._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=*" //DKIM, additional settings with opendkim is required _dmarc IN TXT "v=DMARC1;p=quarantine;[email protected]" //DMARC, no additional settings required ``` ## Verify DNS resolution @@ -43,7 +54,7 @@ Set hostname of your mail server to mail.domain.com hostname mail.domain.com ``` Or use your favorite editor to append your hostname in `/etc/hostname` ``` vim /etc/hostname @@ -63,6 +74,12 @@ Acquire the certificate file only certbot --agree-tos certonly ``` For staging environment, use the --dry-run flag ``` certbot --agree-tos certonly ``` Fill in the information accordingly, select the standalone option when authenticating with the CA, Put mail.domain.com when it asks you for your domain, @@ -239,7 +256,7 @@ apt-get install opendkim opendkim-tools Generate SigningTable, KeyTable and DNS records + private key ``` export domain=haoye.dev mkdir /etc/opendkim mkdir /etc/opendkim/keys mkdir /etc/opendkim/keys/$domain @@ -257,7 +274,7 @@ Edit `/etc/opendkim.conf` ``` Syslog yes UMask 007 Domain domain.com Canonicalization simple Mode sv SubDomains no -
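Review bot: under "For staging environment, use the --dry-run flag" the command shown is `certbot --agree-tos certonly` without the flag, so it issues a real certificate from the production CA and counts toward its rate limits; the Mar 6 revision corrects the line. The SPF example `v=spf1 mx ip4:68.183.169.161 -all` and `export domain=haoye.dev` carry the author's real IP address and domain while the surrounding text uses `domain.com`; a reader copying the SPF line as-is would authorise someone else's host to send as their domain, so placeholders belong in both.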
Haoye revised this gist
Mar 5, 2019 . 1 changed file with 142 additions and 66 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,11 +1,26 @@ # Install Postfix + Dovecot IMAP server with DKIM signature In this guide, replace domain.com with your domain and mail.domain.com with your mail server hostname ## Adding DNS records Add following DNS record to your domain ``` mail IN A your_mail_server_ip @ IN MX mail.domain.com ``` ## Verify DNS resolution Install package updates ``` apt-get update apt-get upgrade ``` Install dnsutils ``` apt-get install dnsutils 
@@ -14,78 +29,102 @@ apt-get install dnsutils Verify dns resolution ``` dig mx domain.com +short dig a mail.domain.com +short ``` Check if the output of the second command above matches your current mail server's ip ## Set hostname Set hostname of your mail server to mail.domain.com ``` hostname mail.domain.com ``` Or use your favorite editor to append your hostname to `/etc/hostname` ``` vim /etc/hostname ``` ## Get free SSL certificate Install certbot ``` apt-get install certbot ``` Acquire the certificate file only ``` certbot --agree-tos certonly ``` Fill in the information accordingly, select the standalone option when authenticating with the CA, Put mail.domain.com when it asks you for your domain, Finally, the certificate(cert.pem) and the private key(privkey.pem) will be saved to `/etc/letsencrypt/live/mail.domain.com/` I recommend renaming them to mail.crt and mail.key and copy them somewhere easy to access ``` cp /etc/letsencrypt/live/mail.domain.com/cert.pem /path/to/mail.crt cp /etc/letsencrypt/live/mail.domain.com/privkey.pem /path/to/mail.key ``` ## Install and configure Postfix Install postfix and mailutils ``` apt-get install postfix mailutils ``` Select `Internet Site` and put domain.com ### main.cf Use your favorite editor to edit `/etc/postfix/main.cf ``` vim /etc/postfix/main.cf ``` make sure $myhostname is set to your hostname, ``` myhostname = mail.domain.com ``` Here you may append the path of SSL certificate and private key to where you saved Let's Encrypt cert and key earlier and add few additional settings ``` smtpd_tls_cert_file = /path/to/mail.crt smtpd_tls_key_file = /path/to/mail.key #smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_security_level = may smtp_tls_security_level = may ``` It is also recommended to add a variable \$mydomain and replace domain.com with $mydomain ``` mydomain = domain.com myorigin = $mydomain mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost ``` Add this line to set up for Maildir style 
mailbox ``` home_mailbox = Maildir/ ``` Add the following lines to use sasl auth and prepare for dovecot installation ``` smtpd_sasl_type = dovecot @@ -96,13 +135,15 @@ smtpd_sasl_local_domain = $myhostname smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject ``` After saving the configuration, you can use the following command to verify your main settings ``` postconf -n ``` ### master.cf Uncomment lines as follows in `/etc/postfix/master.cf` ``` submission inet n - - - - smtpd @@ -116,18 +157,6 @@ submission inet n - - - - smtpd # -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING ``` restart postfix service and reload postfix config @@ -136,20 +165,22 @@ restart postfix service and reload postfix config systemctl restart postfix && postfix reload ``` ## Setup Dovecot IMAP server Install dovecot core and imap server package ``` apt-get install dovecot-core dovecot-imapd ``` Backup original dovecot configuration and create a blank one ``` mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig vim /etc/dovecot/dovecot.conf ``` Paste contents below ``` disable_plaintext_auth = no @@ -167,14 +198,17 @@ protocols = " imap" ``` ``` namespace inbox { inbox = yes mailbox Trash { auto = subscribe # autocreate and autosubscribe the Trash mailbox special_use = \Trash } mailbox Sent { auto = subscribe # autocreate and autosubscribe the Sent mailbox special_use = \Sent } } ``` 
@@ -190,36 +224,78 @@ service auth { ``` ssl=required ssl_cert = </path/to/mail.crt ssl_key = </path/to/mail.key ``` ## Setup DKIM signature Install opendkim and utilities ``` apt-get install opendkim opendkim-tools ``` Generate SigningTable, KeyTable and DNS records + private key ``` export domain=xn--bdk.dev mkdir /etc/opendkim mkdir /etc/opendkim/keys mkdir /etc/opendkim/keys/$domain cd /etc/opendkim/keys/$domain opendkim-genkey -d $domain -s mail chown -R opendkim:opendkim /etc/opendkim/keys/$domain echo "mail._domainkey.$domain $domain:mail:/etc/opendkim/keys/$domain/mail.private" >> /etc/opendkim/KeyTable echo "*@$domain mail._domainkey.$domain" >> /etc/opendkim/SigningTable ``` DNS record will be in `/etc/opendkim/keys/domain.com/mail.txt`, private key will be `mail.private` in the same directory Edit `/etc/opendkim.conf` ``` Syslog yes UMask 007 Domain xn--bdk.dev Canonicalization simple Mode sv SubDomains no SigningTable refile:/etc/opendkim/SigningTable KeyTable /etc/opendkim/KeyTable Socket inet:8892@localhost PidFile /var/run/opendkim/opendkim.pid OversignHeaders From TrustAnchorFile /usr/share/dns/root.key UserID opendkim ``` Add following line to `/etc/postfix/main.cf` ``` smtpd_milters = inet:127.0.0.1:8892 non_smtpd_milters = inet:127.0.0.1:8892 milter_default_action = accept ``` Restart everything ``` systemctl restart postfix dovecot opendkim && postfix reload ``` ## Add a personal user (you) ``` useradd -m -s /bin/bash username passwd username vim /etc/aliases root: username newaliases ``` Restart everything ``` systemctl restart postfix dovecot opendkim && postfix reload ``` -
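Review bot: the MX record in the "Adding DNS records" block of the first hunk is missing its preference value, so `@ IN MX mail.domain.com` is not a valid zone-file line; write it as `@ IN MX 10 mail.domain.com.` (with the trailing dot so the target is not expanded relative to the zone), and the lead-in should say "records" since two are added.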
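Review bot: in the certificate and main.cf part of the second hunk, `cp /etc/letsencrypt/live/mail.domain.com/cert.pem /path/to/mail.crt` copies the leaf certificate only, and `smtpd_tls_cert_file = /path/to/mail.crt` (and later the Dovecot `ssl_cert` that reuses the same file) then serves it without the Let's Encrypt intermediate, so clients that verify the chain see an incomplete chain; copy `fullchain.pem` instead, as the original revision of this gist did. The `#smtpd_tls_protocols = !SSLv2, !SSLv3` line is now commented out, so the protocol restriction is only as good as the default of whichever Postfix version is installed; uncomment it. `hostname mail.domain.com` only changes the running hostname and is lost on reboot, while the text presents editing `/etc/hostname` as an alternative ("Or use your favorite editor") rather than the persistent half of the same step. Finally, "Use your favorite editor to edit `/etc/postfix/main.cf" has an unclosed backtick.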
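Review bot: with `smtpd_sasl_auth_enable = yes` set globally in main.cf and `smtpd_tls_security_level = may`, the smtpd on port 25 advertises AUTH on unencrypted connections, so a client can send its password in the clear; add `smtpd_tls_auth_only = yes` next to the SASL settings in the third hunk, or drop the global enable and keep SASL only as the `-o smtpd_sasl_auth_enable=yes` override in the submission service, where TLS is enforced. The restriction list `permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject` is a sound anti-relay rule, but the sentence about `postconf -n` should say that it only prints non-default settings; `postfix check` is the command that reports configuration errors.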
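Review bot: the hunk at `@@ -116,18 +157,6 @@` removes twelve lines after `# -o milter_macro_daemon_name=ORIGINATING` with no mention in the text; from the original revision of this gist those were the fully commented `smtps` stanza, so the removal changes no behaviour, but the guide should then state plainly that clients must connect to port 587 with STARTTLS, since nothing listens on 465.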
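Review bot: the new dovecot.conf in the Dovecot hunk starts with `disable_plaintext_auth = no`, which permits PLAIN/LOGIN authentication over unencrypted IMAP connections; the later `ssl=required` block mostly masks this, but the setting should be left at its default `yes` so that password protection does not depend on a second setting never being relaxed. The `mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig` step also discards the stock file's `!include conf.d/*.conf` lines (on Debian/Ubuntu), which is intended here but worth stating so readers know `/etc/dovecot/conf.d/` is no longer read.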
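Review bot: the `namespace inbox { ... mailbox Trash { auto = subscribe ... } }` block correctly replaces the old autocreate plugin, but the `auto = subscribe` mailbox setting requires Dovecot 2.1 or newer, and the guide never states a version, so say so in the text; `Drafts` (`special_use = \Drafts`) and `Junk` (`special_use = \Junk`) deserve the same treatment as `Trash` and `Sent`, since most clients expect them.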
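Review bot: `export domain=xn--bdk.dev` and `Domain xn--bdk.dev` in `/etc/opendkim.conf` are the author's own domain, while every other step in this revision uses `domain.com`; readers who copy the DKIM hunk verbatim get a key, KeyTable and SigningTable for the wrong domain, so both should read `domain.com`. Other points in the same hunk: `opendkim-genkey -d $domain -s mail` produces a 1024-bit key by default, so pass `-b 2048`; the three `mkdir` calls should be a single `mkdir -p /etc/opendkim/keys/$domain` so the block does not fail if `/etc/opendkim` already exists; `milter_default_action = accept` means that if opendkim is stopped mail leaves unsigned instead of being deferred, an acceptable availability trade-off that should be stated; and the "Restart everything" block with `systemctl restart postfix dovecot opendkim && postfix reload` appears twice, before and after "Add a personal user", so the first copy can go.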
howyay created this gist
Mar 4, 2019 .
@@ -0,0 +1,225 @@ Install package updates ``` apt-get update apt-get upgrade ``` install dnsutils ``` apt-get install dnsutils ``` Verify dns resolution ``` dig mx yourdomain.com +short //exmaple: linux.org dig a mx.hostname.com +short //example: mail.linux.org ``` Check if the output of the second command above matches your current mail server's ip install git ``` apt-get install git ``` clone certbot ``` git clone https://github.com/certbot/cerbot.git cd certbot/ ``` aquire ssl cert ``` ./certbot-auto --agree-tos certonly ``` Fill in the information accordingly, select the standalone option when authenticating with the CA, for the domain, put your mail server hostname, and finally, the cert file(fullchain.pem) and the private key(privkey.pem) will be save to cp /etc/letsencrypt/live/your.domain.com/, it is recommended to copy them to somewhere easy to access install postfix and mailutils ``` apt-get install postfix mailutils ``` Select internet site and put your domain.com Use your favorite editor to edit postfix configuration ``` vim /etc/postfix/main.cf ``` make sure $myhostname is set to your hostname, ``` mail.domain.com ``` here you may append the path of ssl cert and key to where you saved Let's Encrypt cert and key earlier and add few additional settings ``` smtpd_tls_cert_file = /path/to/fullchain.pem smtpd_tls_key_file = /path/to/privkey.pem smtpd_tls_security_level=may smtpd_tls_protocols = !SSLv2, !SSLv3 ``` it is also recommended to add a variable $mydomain and replace domain.com with $mydomain ``` mydomain = domain.com myorigin = $mydomain mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost ``` append the following line to use Maildir style mailbox ``` home_mailbox = Maildir/ ``` add the following lines to use sasl auth ``` smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_recipient_restrictions = 
permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject ``` you can use the following command to verify your main settings ``` postconf -n ``` uncomment as follows in `/etc/postfix/master.cf` ``` submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd # you dont necssarily have to enable smtps as its getting replaced by starttls # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING ``` restart postfix service and reload postfix config ``` systemctl restart postfix && postfix reload ``` install dovecot core and imap server package ``` apt-get install dovecot-core dovecot-imapd ``` backup original dovecot configuration and create a blank one ``` mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig vim /etc/dovecot/dovecot.conf ``` paste contents below ``` disable_plaintext_auth = no mail_privileged_group = mail #mail_location = mbox:~/mail:INBOX=/var/mail/%u mail_location = maildir:~/Maildir userdb { driver = passwd } passdb { args = %s driver = pam } protocols = " imap" ``` ``` protocol imap { mail_plugins = " autocreate" } plugin { autocreate = Trash autocreate2 = Sent autosubscribe = Trash autosubscribe2 = Sent } ``` ``` 
service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } } ``` ``` ssl=required ssl_cert = </etc/ssl/certs/unified.crt ssl_key = </etc/ssl/private/my-private-decrypted.key ``` add an user and set an alias for root then refresh aliases ``` useradd -m -s /bin/bash username vim /etc/aliases root: username newaliases ``` restart postfix and dovecot ``` systemctl restart postfix && postfix reload && systemctl restart dovecot ``` ``` export domain=xn--bdk.dev mkdir /etc/opendkim/keys/$domain cd /etc/opendkim/keys/$domain opendkim-genkey -d $domain -s mail chown -R opendkim:opendkim /etc/opendkim/keys/$domain echo "mail._domainkey.$domain $domain:mail:/etc/opendkim/keys/$domain/mail.private" >> /etc/opendkim/KeyTable echo "*@$domain mail._domainkey.$domain" >> /etc/opendkim/SigningTable ```
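Review bot: the certbot step is broken as written: `git clone https://github.com/certbot/cerbot.git` misspells the repository name (`cerbot`), so the clone fails and the following `cd certbot/` has no directory to enter; the URL should be `https://github.com/certbot/certbot.git` (the later revision above drops the clone entirely in favour of the `certbot` package, which is the better fix). Further down, the `dig` examples use `//` comments (`dig a mx.hostname.com +short //example: mail.linux.org`), which the shell passes to `dig` as extra arguments; use `#`. The final DKIM block generates keys and appends KeyTable/SigningTable entries without installing opendkim, creating the parent directory, writing `/etc/opendkim.conf`, or wiring the milter into Postfix, so at this revision no signature is ever applied; and `ssl_cert = </etc/ssl/certs/unified.crt` / `ssl_key = </etc/ssl/private/my-private-decrypted.key` in the Dovecot block point at paths unrelated to the Let's Encrypt files copied earlier.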