===== Setting up a Postfix + Dovecot mailserver =====
\\
==== Firewall ====
The following ports have to be opened in your firewall:
  25/tcp  # SMTP
  80/tcp  # HTTP (for autoconfiguration)
 443/tcp  # HTTPS (for autoconfiguration)
 587/tcp  # Submission
 993/tcp  # IMAP SSL
4190/tcp  # ManageSieve (for e-mail filters)
----
\\
==== MariaDB ====
> [[https://en.wikipedia.org/wiki/MariaDB|MariaDB]] is a community-developed fork of the [[https://en.wikipedia.org/wiki/MySQL|MySQL]] relational database management system intended to remain free under the GNU GPL.
Install the database server:
sudo apt install mariadb-server
Harden it:
sudo mysql_secure_installation
Use one file per InnoDB table (in ''/etc/mysql/mariadb.conf.d/50-server.cnf'' on Debian; recent MariaDB releases already default to this):
[mysqld]
innodb_file_per_table = 1
Restart the daemon:
sudo systemctl restart mariadb.service
\\
Create a database called ''mailserver'' and a user called ''mailuser'':
sudo mariadb
CREATE DATABASE mailserver;
GRANT ALL ON mailserver.* TO 'mailuser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
USE mailserver;
(Of course, change ''password'' to an actual password. Postfix and Dovecot only ever read these tables, so ''GRANT SELECT'' instead of ''GRANT ALL'' is the least-privilege choice for ''mailuser''; its password ends up in several daemon config files.)\\
\\
=== Create tables ===
Domains:
CREATE TABLE `virtual_domains` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(50) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Users:
CREATE TABLE `virtual_users` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `password` varchar(106) NOT NULL,
  `email` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Aliases:
CREATE TABLE `virtual_aliases` (
  `id` int(11) NOT NULL auto_increment,
  `domain_id` int(11) NOT NULL,
  `source` varchar(100) NOT NULL,
  `destination` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
\\
=== Add domains, users, aliases ===
Domains:
INSERT INTO `mailserver`.`virtual_domains`
  (`id` ,`name`)
VALUES
  ('1', 'quietlife.nl');
Users:
INSERT INTO `mailserver`.`virtual_users`
  (`id`, `domain_id`, `password` , `email`)
VALUES
  ('1', '1', ENCRYPT('user1-password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'user1@quietlife.nl'),
  ('2', '1', ENCRYPT('user2-password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'user2@quietlife.nl');
''ENCRYPT()'' with a ''$6$'' salt produces a SHA512-CRYPT hash (''$6$'' + 16-character salt + ''$'' + 86 characters, 106 in total, hence ''varchar(106)''), which is what the Dovecot ''passdb'' below expects. Typing the cleartext passwords into the SQL client also leaves them in its history file; ''doveadm pw -s SHA512-CRYPT'' generates a hash in the same format that you can insert into the ''password'' column directly.
Aliases:
INSERT INTO `mailserver`.`virtual_aliases`
  (`id`, `domain_id`, `source`, `destination`)
VALUES
  ('1', '1', 'postmaster@quietlife.nl', 'root@quietlife.nl'),
  ('2', '1', 'root@quietlife.nl', 'user1@quietlife.nl');
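What the ''ENCRYPT('…', CONCAT('$6$', …))'' call above actually produces, and what Dovecot later does with the stored value, as an added example in Python. This is not code from the page, from glibc or from Dovecot: it is a from-scratch implementation of the SHA512-CRYPT scheme (Ulrich Drepper's specification, the same one ''crypt(3)'' and Dovecot's ''SHA512-CRYPT'' implement), a ''make_hash()'' that builds a row value with a random 16-character salt the way the SQL does, and a ''verify()'' that does what the ''passdb'' check does. The salt alphabet and the ''user1-password'' input are assumptions for the demo; on a real server generate hashes with ''doveadm pw -s SHA512-CRYPT'' rather than with this code.

```python
import hashlib
import hmac
import secrets

# crypt(3) base64 alphabet; this is not the RFC 4648 alphabet.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Encode three bytes as n characters, least significant 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """SHA512-CRYPT per Drepper's spec, returning '$6$<salt>$<86 chars>'.
    5000 rounds is what ENCRYPT()/crypt(3) use when no rounds= is given, so
    the output carries no rounds= field (and verify() below expects none)."""
    salt = salt[:16]
    # Digest B = H(password || salt || password)
    digest_b = hashlib.sha512(password + salt + password).digest()
    # Digest A = H(password || salt || B repeated to len(password) || bit pattern of len)
    ctx_a = hashlib.sha512(password + salt)
    cnt = len(password)
    while cnt > 64:
        ctx_a.update(digest_b)
        cnt -= 64
    ctx_a.update(digest_b[:cnt])
    cnt = len(password)
    while cnt > 0:
        ctx_a.update(digest_b if cnt & 1 else password)
        cnt >>= 1
    digest_a = ctx_a.digest()
    # P = H(password * len(password)) stretched to len(password) bytes
    digest_p = hashlib.sha512(password * len(password)).digest()
    p_bytes = (digest_p * (len(password) // 64 + 1))[: len(password)]
    # S = H(salt * (16 + A[0])) stretched to len(salt) bytes
    digest_s = hashlib.sha512(salt * (16 + digest_a[0])).digest()
    s_bytes = (digest_s * (len(salt) // 64 + 1))[: len(salt)]
    # The work factor: `rounds` chained digests with a fixed mixing pattern
    c = digest_a
    for i in range(rounds):
        ctx = hashlib.sha512()
        ctx.update(p_bytes if i & 1 else c)
        if i % 3:
            ctx.update(s_bytes)
        if i % 7:
            ctx.update(p_bytes)
        ctx.update(c if i & 1 else p_bytes)
        c = ctx.digest()
    # Encode the 64 bytes: 21 triples in the spec's rotated order, then byte 63
    out = []
    for k in range(21):
        triple = [k, k + 21, k + 42]
        r = k % 3
        triple = triple[r:] + triple[:r]
        out.append(_b64_from_24bit(c[triple[0]], c[triple[1]], c[triple[2]], 4))
    out.append(_b64_from_24bit(0, 0, c[63], 2))
    return "$6$" + salt.decode("ascii") + "$" + "".join(out)


def make_hash(password: str) -> str:
    """A 'password' column value shaped like the SQL's: '$6$' + 16-char salt.
    The salt comes from secrets over the crypt alphabet (assumption for the
    demo) instead of SHA(RAND()); both are valid salts."""
    salt = "".join(secrets.choice(B64) for _ in range(16))
    return sha512_crypt(password.encode("utf-8"), salt.encode("ascii"))


def verify(password: str, stored: str) -> bool:
    """What Dovecot's passdb does with the column: recompute using the stored
    salt and compare in constant time."""
    parts = stored.split("$")  # ['', '6', salt, hash]
    if len(parts) != 4 or parts[1] != "6":
        return False
    candidate = sha512_crypt(password.encode("utf-8"), parts[2].encode("ascii"))
    return hmac.compare_digest(candidate, stored)
```

The ''sha512_crypt()'' output for the specification's test vector (password ''Hello world!'', salt ''saltstring'') is the value every conforming ''crypt(3)'' produces, so a hash stored by this code, by ''ENCRYPT()'' or by ''doveadm pw'' is interchangeable in the ''password'' column.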
----
\\
==== Postfix ====
> [[https://en.wikipedia.org/wiki/Postfix_(software)|Postfix]] is a free and open-source [[https://en.wikipedia.org/wiki/Mail_transfer_agent|mail transfer agent]] (MTA) that routes and delivers electronic mail, intended as an alternative to Sendmail MTA.
sudo apt install postfix postfix-mysql
\\
''/etc/postfix/main.cf'':
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
compatibility_level = 3.6
# TLS parameters
# DANE only works with a DNSSEC-validating resolver on localhost (unbound is
# installed in the Amavis section; /etc/resolv.conf must point at 127.0.0.1);
# without validated lookups the dane level degrades to opportunistic TLS.
smtp_dns_support_level = dnssec
smtp_tls_cert_file = /etc/letsencrypt/live/quietlife.nl/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/quietlife.nl/privkey.pem
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/quietlife.nl/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/quietlife.nl/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Use strong ciphers
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
# Enable SMTP for authenticated users and hand off authentication to Dovecot
# (the submission service in master.cf enables SASL for itself; set this to
# "no" here if AUTH should not be offered on port 25 at all)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
	permit_sasl_authenticated,
	permit_mynetworks,
	reject_unauth_destination,
	reject_unauth_pipelining
# Restrict senders to match the SASL login
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
smtpd_sender_restrictions = reject_sender_login_mismatch
# Network and host parameters
inet_interfaces = all
inet_protocols = all
mydestination = localhost
myhostname = vitas.quietlife.nl
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
# Mail queue parameters
maximal_queue_lifetime = 12h
bounce_queue_lifetime = 12h
maximal_backoff_time = 1h
minimal_backoff_time = 5m
queue_run_delay = 5m
# Mailbox parameters
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
recipient_delimiter = +
disable_vrfy_command = yes
mailbox_size_limit = 0
# 0 means no limit (Postfix's default is 10240000 bytes); leaving it at 0 lets
# any client push arbitrarily large messages into the queue, so consider a ceiling.
message_size_limit = 0
# Hand off local delivery to Dovecot's LMTP and tell it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp
# Virtual domains, users and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf, mysql:/etc/postfix/mysql-virtual-email2email.cf
# Strip MUA headers
smtp_header_checks = regexp:/etc/postfix/header_checks
''/etc/mailname'' (referenced by ''myorigin''):
vitas.quietlife.nl
''/etc/postfix/mysql-virtual-mailbox-domains.cf'':
user = mailuser
password = password
hosts = 127.0.0.1
dbname = mailserver
query = SELECT name FROM virtual_domains WHERE name='%s'
''/etc/postfix/mysql-virtual-mailbox-maps.cf'':
user = mailuser
password = password
hosts = 127.0.0.1
dbname = mailserver
query = SELECT email FROM virtual_users WHERE email='%s'
''/etc/postfix/mysql-virtual-alias-maps.cf'':
user = mailuser
password = password
hosts = 127.0.0.1
dbname = mailserver
query = SELECT destination FROM virtual_aliases WHERE source='%s'
''/etc/postfix/mysql-virtual-email2email.cf'' (maps every real mailbox address to itself, so that a catch-all ''@domain'' alias can never capture mail for an existing user):
user = mailuser
password = password
hosts = 127.0.0.1
dbname = mailserver
query = SELECT email FROM virtual_users WHERE email='%s'
These four files contain the database password, so make them readable only by root and the ''postfix'' group (owner ''root:postfix'', mode ''0640''); the Postfix daemons read them as the ''postfix'' user.
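How Postfix uses these four queries, as an added example in Python (not code from the page or from Postfix): an in-memory sqlite copy of the page's tables, the ''virtual(5)'' search order with ''recipient_delimiter = +'', the recursive alias expansion that ''cleanup(8)'' performs (''postmaster@'' → ''root@'' → ''user1@''), and the recipient check on the result. One row is constructed for the demo and is not on the page: a catch-all alias ''@quietlife.nl → user1@quietlife.nl''. It shows what the ''email2email'' map is for: without the identity mapping, ''user2@quietlife.nl'' has no full-address match, the lookup falls through to ''@quietlife.nl'', and user2's mail would be redirected to user1.

```python
import sqlite3

RECIPIENT_DELIMITER = "+"  # recipient_delimiter in main.cf

# In-memory stand-in for the MariaDB tables: the page's columns without the
# InnoDB/charset details that sqlite does not have.
SCHEMA = """
CREATE TABLE virtual_domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE virtual_users   (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                              password TEXT NOT NULL, email TEXT NOT NULL UNIQUE);
CREATE TABLE virtual_aliases (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                              source TEXT NOT NULL, destination TEXT NOT NULL);
"""
# The page's rows (password hashes replaced by a placeholder) plus one
# constructed catch-all alias that is NOT on the page; it is the case the
# email2email identity map exists for.
ROWS = """
INSERT INTO virtual_domains VALUES (1, 'quietlife.nl');
INSERT INTO virtual_users   VALUES (1, 1, '$6$placeholder', 'user1@quietlife.nl');
INSERT INTO virtual_users   VALUES (2, 1, '$6$placeholder', 'user2@quietlife.nl');
INSERT INTO virtual_aliases VALUES (1, 1, 'postmaster@quietlife.nl', 'root@quietlife.nl');
INSERT INTO virtual_aliases VALUES (2, 1, 'root@quietlife.nl', 'user1@quietlife.nl');
INSERT INTO virtual_aliases VALUES (3, 1, '@quietlife.nl', 'user1@quietlife.nl');
"""
# The queries from the mysql-*.cf files; Postfix substitutes the lookup key
# for %s, here it is a bound parameter.
Q_DOMAINS     = "SELECT name FROM virtual_domains WHERE name=?"
Q_MAILBOXES   = "SELECT email FROM virtual_users WHERE email=?"
Q_ALIASES     = "SELECT destination FROM virtual_aliases WHERE source=?"
Q_EMAIL2EMAIL = "SELECT email FROM virtual_users WHERE email=?"


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + ROWS)
    return db


def lookup(db, query, key):
    return [row[0] for row in db.execute(query, (key,))]


def search_keys(address):
    """virtual(5) search order for a virtual domain with recipient_delimiter=+:
    user+ext@domain, user@domain, @domain. Each key carries the extension it
    dropped so a match can propagate it into the result (Postfix's default
    propagate_unmatched_extensions includes virtual)."""
    local, _, domain = address.rpartition("@")
    base, _, ext = local.partition(RECIPIENT_DELIMITER)
    keys = [(address, "")]
    if ext:
        keys.append((f"{base}@{domain}", ext))
    keys.append((f"@{domain}", ext))
    return keys


def with_extension(address, ext):
    if not ext:
        return address
    local, _, domain = address.rpartition("@")
    return f"{local}{RECIPIENT_DELIMITER}{ext}@{domain}"


def resolve_once(db, address, use_email2email=True):
    """One virtual_alias_maps lookup: for each key the alias table first, then
    the email2email map, in the order main.cf lists them. None = no mapping."""
    for key, ext in search_keys(address):
        hits = lookup(db, Q_ALIASES, key)
        if not hits and use_email2email:
            hits = lookup(db, Q_EMAIL2EMAIL, key)
        if hits:
            return [with_extension(h, ext) for h in hits]
    return None


def expand(db, address, use_email2email=True):
    """Recursive expansion as cleanup(8) does it: keep rewriting until an
    address maps to itself or to nothing. Addresses already seen are skipped,
    which de-duplicates the result and terminates alias loops."""
    final, seen, todo = [], set(), [address]
    while todo:
        addr = todo.pop(0)
        if addr in seen:
            continue
        seen.add(addr)
        hits = resolve_once(db, addr, use_email2email)
        if hits is None or hits == [addr]:
            final.append(addr)
        else:
            todo.extend(hits)
    return final


def deliverable(db, address):
    """The RCPT TO decision for the final address: the domain must be one of
    ours (virtual_mailbox_domains) and a mailbox must exist in
    virtual_mailbox_maps, looked up with the same key order, so that
    user+ext@domain finds user's mailbox."""
    if not lookup(db, Q_DOMAINS, address.rpartition("@")[2]):
        return False
    return any(lookup(db, Q_MAILBOXES, key) for key, _ in search_keys(address))
```

''expand(db, "user2@quietlife.nl", use_email2email=False)'' returns ''user1@quietlife.nl'' because of the constructed catch-all; with the identity map in place it returns ''user2@quietlife.nl''. ''root+ticket@quietlife.nl'' expands to ''user1+ticket@quietlife.nl'', which Dovecot's LMTP accepts for user1 (and Sieve can use the ''+ticket'' part).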
''/etc/postfix/master.cf'':
# ==========================================================================
# service   type  private unpriv  chroot  wakeup  maxproc command + args
#                 (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp        inet  n       -       y       -       -       smtpd
#smtp       inet  n       -       y       -       1       postscreen
#smtpd      pass  -       -       y       -       -       smtpd
#dnsblog    unix  -       -       y       -       0       dnsblog
#tlsproxy   unix  -       -       y       -       0       tlsproxy
submission  inet  n       -       y       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#smtps      inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628        inet  n       -       y       -       -       qmqpd
pickup      unix  n       -       y       60      1       pickup
   -o content_filter=
   -o receive_override_options=no_header_body_checks
cleanup     unix  n       -       y       -       0       cleanup
qmgr        unix  n       -       n       300     1       qmgr
#qmgr       unix  n       -       n       300     1       oqmgr
tlsmgr      unix  -       -       y       1000?   1       tlsmgr
rewrite     unix  -       -       y       -       -       trivial-rewrite
bounce      unix  -       -       y       -       0       bounce
defer       unix  -       -       y       -       0       bounce
trace       unix  -       -       y       -       0       bounce
verify      unix  -       -       y       -       1       verify
flush       unix  n       -       y       1000?   0       flush
proxymap    unix  -       -       n       -       -       proxymap
proxywrite  unix  -       -       n       -       1       proxymap
smtp        unix  -       -       y       -       -       smtp
relay       unix  -       -       y       -       -       smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq       unix  n       -       y       -       -       showq
error       unix  -       -       y       -       -       error
retry       unix  -       -       y       -       -       error
discard     unix  -       -       y       -       -       discard
local       unix  -       n       n       -       -       local
virtual     unix  -       n       n       -       -       virtual
lmtp        unix  -       -       y       -       -       lmtp
anvil       unix  -       -       y       -       1       anvil
scache      unix  -       -       y       -       1       scache
''/etc/postfix/header_checks'' (applied through ''smtp_header_checks'', i.e. to outgoing mail only, so the submitting client's IP address is not leaked to recipients):
/^Received:.*with ESMTPSA/	IGNORE
/^X-Originating-IP:/		IGNORE
----
\\
==== Dovecot ====
> [[https://en.wikipedia.org/wiki/Dovecot_(software)|Dovecot]] is an open-source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind.
sudo apt install dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-sieve dovecot-managesieved
Create a ''vmail'' user and ''vmail'' group and set permissions (the account needs no login shell, and only ''vmail'' processes access the mailboxes, so ''2750'' rather than a world-readable ''2755''):
sudo groupadd -g 5000 vmail
sudo useradd -g vmail -u 5000 vmail -d /var/mail -s /usr/sbin/nologin
sudo mkdir -p /var/mail/vhosts
sudo chmod 2750 /var/mail/vhosts
sudo chown -R vmail:vmail /var/mail
''/etc/dovecot/dovecot.conf'':
protocols = imap lmtp
!include_try /usr/share/dovecot/protocols.d/*.protocol
''/etc/dovecot/conf.d/10-mail.conf'':
mail_driver = maildir
mail_path = /var/mail/vhosts/%{user|domain}/%{user|username}
[...]
mail_uid = vmail
mail_gid = vmail
[...]
mail_privileged_group = vmail
[...]
mail_plugins {
  quota = yes
}
[...]
maildir_stat_dirs = yes
''/etc/dovecot/conf.d/10-auth.conf'':
auth_allow_cleartext = no
[...]
auth_mechanisms = plain login
[...]
#!include auth-system.conf.ext
!include auth-sql.conf.ext
''/etc/dovecot/conf.d/auth-sql.conf.ext'':
sql_driver = mysql
[...]
mysql localhost {
  user = mailuser
  password = password
  dbname = mailserver
}
passdb sql {
  default_password_scheme = SHA512-CRYPT
  query = SELECT email as user, password FROM virtual_users WHERE email = '%{user}'
}
[...]
userdb static {
  fields {
    uid = vmail
    gid = vmail
    home = /var/mail/vhosts/%{user|domain}/%{user|username}
  }
}
''/etc/dovecot/conf.d/10-master.conf'':
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
[...]
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}
#service submission-login {
  #inet_listener submission {
    #port = 0
  #}
  #inet_listener submissions {
    #port = 0
  #}
#}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
[...]
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  user = dovecot
}
service auth-worker {
  user = vmail
}
''/etc/dovecot/conf.d/10-ssl.conf'':
ssl = required
[...]
ssl_server_cert_file = /etc/letsencrypt/live/quietlife.nl/fullchain.pem
ssl_server_key_file = /etc/letsencrypt/live/quietlife.nl/privkey.pem
[...]
ssl_min_protocol = TLSv1.2
Automatically create default mailboxes (''/etc/dovecot/conf.d/15-mailboxes.conf''):
namespace inbox {
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  #mailbox "Sent Messages" {
  #  special_use = \Sent
  #}
}
Enable quota and Sieve, starting with ''/etc/dovecot/conf.d/20-imap.conf'':
protocol imap {
  mail_plugins {
    imap_sieve = yes
    imap_quota = yes
  }
}
''/etc/dovecot/conf.d/20-lmtp.conf'':
protocol lmtp {
  mail_plugins {
    sieve = yes
  }
}
''/etc/dovecot/conf.d/90-quota.conf'':
mail_plugins {
  quota = yes
}
quota "User quota" {
   storage_size = 10G
}
namespace inbox {
   mailbox Trash {
     quota_storage_extra = 100M
   }
}
''/etc/dovecot/conf.d/90-sieve.conf'':
# Personal sieve script location
sieve_script personal {
  driver = file
  path = ~
  active_path = ~/dovecot.sieve
}
Enable ManageSieve so users can set up filters (''/etc/dovecot/conf.d/20-managesieve.conf''; with ''ssl = required'' the listener enforces STARTTLS):
protocols {
  sieve = yes
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
----
\\
==== Sender Policy Framework ====
> [[https://en.wikipedia.org/wiki/Sender_Policy_Framework|Sender Policy Framework]] (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.
sudo apt install postfix-pcre postfix-policyd-spf-python
\\
Add SPF to the Postfix configuration (''/etc/postfix/main.cf''):
Change
smtpd_recipient_restrictions = 
	permit_sasl_authenticated, 
	permit_mynetworks, 
	reject_unauth_destination,
	reject_unauth_pipelining
to
smtpd_recipient_restrictions = 
	permit_sasl_authenticated, 
	permit_mynetworks, 
	reject_unauth_destination,
	reject_unauth_pipelining,
	check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600
(Mind the comma!)
''/etc/postfix/master.cf'':
[...]
# SPF configuration
policyd-spf unix  -       n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
\\
Finally, add a DNS TXT record for ''@'' (or ''quietlife.nl.''), containing:
"v=spf1 mx -all"
This tells receiving mailservers that mail from your domain may only come from the hosts named in your MX records (their A/AAAA addresses), and that everything else is a hard fail (''-all''). Note that ''mx'' is not the domain's own A/AAAA record; if the website and the mailserver are different machines, only the MX host is authorised. Use ''~all'' (softfail) instead of ''-all'' while you are still verifying that all legitimate senders are covered.
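A minimal SPF evaluator over constructed DNS data, as an added example in Python (not code from the page or from ''policyd-spf''): it implements the mechanisms this page's record uses (''mx'', ''a'', ''ip4'', ''ip6'', ''all'') with the four qualifiers, and the zone data is laid out so that the domain's A record (a web host) and the MX host are different machines. The addresses, the ''softfail.example'' domain and the web/mail split are assumptions for the demo; a real evaluator also handles ''include'', ''redirect'', the DNS lookup limit and temporary errors.

```python
import ipaddress

# Constructed DNS data standing in for resolver answers (RFC 5737/3849 ranges).
ZONE = {
    ("quietlife.nl", "TXT"): ["v=spf1 mx -all"],
    ("quietlife.nl", "MX"): ["vitas.quietlife.nl"],
    ("quietlife.nl", "A"): ["198.51.100.10"],          # where the website lives
    ("vitas.quietlife.nl", "A"): ["203.0.113.25"],     # the mail host
    ("vitas.quietlife.nl", "AAAA"): ["2001:db8::25"],
    ("softfail.example", "TXT"): ["v=spf1 a ~all"],    # a lenient policy, for contrast
    ("softfail.example", "A"): ["192.0.2.80"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype):
    return ZONE.get((name.lower(), rtype), [])


def host_addresses(name):
    return {ipaddress.ip_address(a) for a in dns(name, "A") + dns(name, "AAAA")}


def check_spf(domain, client_ip):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.
    Result names follow RFC 7208 section 2.6. Mechanisms this code does not
    implement (include, exists, ptr, redirect=) yield permerror rather than
    being silently skipped."""
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in dns(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # two SPF records is a hard error, not "first wins"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.lower().partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism == "mx":
            # The addresses of the MX hosts, not the domain's own A/AAAA record
            matched = any(ip in host_addresses(mx) for mx in dns(argument or domain, "MX"))
        elif mechanism == "a":
            matched = ip in host_addresses(argument or domain)
        elif mechanism in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(argument, strict=False)
        else:
            return "permerror"
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"  # ran off the end of the record without an "all" term
```

With ''v=spf1 mx -all'', a message from ''198.51.100.10'' (the domain's own A record, but not an MX) fails, while the MX host passes over both IPv4 and IPv6; ''softfail.example'' shows the ''~all'' outcome that the Sieve rule in the Amavis section files into ''Junk''.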
----
\\
==== OpenDKIM ====
> [[https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail|DomainKeys Identified Mail]] (DKIM) is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain.
sudo apt install opendkim opendkim-tools
\\
Add the ''postfix'' user to the ''opendkim'' group, so Postfix can reach the OpenDKIM socket:
sudo adduser postfix opendkim
\\
Create an ''/etc/opendkim'' directory to store the tables:
sudo mkdir /etc/opendkim
''/etc/opendkim.conf'':
Syslog                  yes
SyslogSuccess           yes
LogWhy                  yes
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              no
OversignHeaders         From
KeyTable                /etc/opendkim/key.table
SigningTable            refile:/etc/opendkim/signing.table 
ExternalIgnoreList      /etc/opendkim/trusted.hosts
InternalHosts           /etc/opendkim/trusted.hosts
UserID                  opendkim:postfix
UMask                   007
Socket                  local:/var/spool/postfix/var/run/opendkim/opendkim.sock
PidFile                 /var/spool/postfix/var/run/opendkim/opendkim.pid
TrustAnchorFile         /usr/share/dns/root.key
''/etc/opendkim/key.table'' (change the ''201902'' example to the current year/month; the same selector is used when the key is generated below):
quietlife.nl    quietlife.nl:201902:/etc/dkimkeys/quietlife.nl.private
''/etc/opendkim/signing.table'':
*@quietlife.nl  quietlife.nl
Add localhost, your hostname, your domain name(s) and your FQDN to ''/etc/opendkim/trusted.hosts'':
127.0.0.1
::1
localhost
vitas
quietlife.nl
vitas.quietlife.nl
\\
Then override the OpenDKIM systemd unit file by running ''sudo systemctl edit opendkim.service''. Add these lines:
[Service]
PIDFile=/var/spool/postfix/var/run/opendkim/opendkim.pid
User=opendkim
Group=postfix
ExecStart=
ExecStart=/usr/sbin/opendkim -P /var/spool/postfix/var/run/opendkim/opendkim.pid -p local:/var/spool/postfix/var/run/opendkim/opendkim.sock
And run ''sudo systemctl daemon-reload'' afterwards.
\\
\\
Create the socket directory inside the Postfix chroot (''smtpd'' and ''cleanup'' run chrooted in ''/var/spool/postfix'', so the socket has to live there):
sudo mkdir -p /var/spool/postfix/var/run/opendkim
sudo chown opendkim:postfix /var/spool/postfix/var/run/opendkim
\\
Add OpenDKIM to the Postfix configuration (''/etc/postfix/main.cf''; the socket path is relative to the chroot):
[...]
# Use OpenDKIM to sign and verify mail
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
\\
Generate keys (use the current year/month instead of the example ''201902''; ''-h'' takes hash algorithm names for the record's ''h='' tag, so ''sha256'', not ''rsa-sha256''):
opendkim-genkey -b 2048 -h sha256 -r -s 201902 -d quietlife.nl -v
sudo mv 201902.private /etc/dkimkeys/quietlife.nl.private
sudo chown opendkim:opendkim /etc/dkimkeys/quietlife.nl.private
mv 201902.txt dns.txt
\\
Finally, add a DNS TXT record with the contents of ''dns.txt'':
201902._domainkey  3600  IN  TXT  "v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA63ggTqo80JaQBGV2uNreiX2/2yQx3PHbh9/4k+gIYO71ujqjGblk5z2FgzbWrTaIU7fZ0nN09bZAVDYavc9817fpYIYvnenDdKPJazl4hiVbBJL8jZ8/0ndu5WkCIzY60ukI423IAK+ppx7UW7Tpq38RokyFW8Wq96RAuhqeGkdxQN03N//yAtRCmeWwHw+jdGGq1WGbOKE7LcigRBMW9xPdJOk/rQPU2OjRh3b/BLohMYY0NX+0+Ybp0+5JuO6NZeYqWKbvezhtltTPrsYJU1m3cJTv11UxYiI8QPmSPGMJKVUevQv6Pn2aCARuNPIxSqfGwW6iwBhUZuxb1zQPCwIDAQAB"
(''dns.txt'' is in BIND zone-file syntax with the value split into several quoted strings; join them into one TXT value starting with ''v=DKIM1; ...''. If you generated the key with ''-h rsa-sha256'', also change ''h=rsa-sha256'' to ''h=sha256'' in the record.)
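A content check for the published records, as an added example in Python (not code from the page or from OpenDKIM): ''opendkim-testkey'' confirms the DNS lookup works, this verifies what the record says. It parses the DKIM and DMARC tag lists, walks the DER of the ''p='' SubjectPublicKeyInfo by hand (no third-party library) to confirm the key is RSA and at least 2048 bits, and flags the ''h=rsa-sha256'' mistake the ''opendkim-genkey -h'' option invites. The record embedded below is the one from this page; the problem strings and the ''min_bits'' default are this example's own choices.

```python
import base64

# The page's published key record for selector 201902.
DKIM_RECORD = (
    "v=DKIM1; h=sha256; k=rsa; s=email; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA63ggTqo80JaQBGV2uNreiX2/2yQx3PHbh9/4k+gIYO71ujqjGblk5z2FgzbWrTaIU7fZ0nN09bZAVDYavc9817fpYIYvnenDdKPJazl4hiVbBJL8jZ8/0ndu5WkCIzY60ukI423IAK+ppx7UW7Tpq38RokyFW8Wq96RAuhqeGkdxQN03N//yAtRCmeWwHw+jdGGq1WGbOKE7LcigRBMW9xPdJOk/rQPU2OjRh3b/BLohMYY0NX+0+Ybp0+5JuO6NZeYqWKbvezhtltTPrsYJU1m3cJTv11UxYiI8QPmSPGMJKVUevQv6Pn2aCARuNPIxSqfGwW6iwBhUZuxb1zQPCwIDAQAB"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_tags(record):
    """RFC 6376 tag=value list: ';'-separated, whitespace around '=' ignored."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def _der(buf, pos):
    """Read one DER TLV at pos -> (tag, content, position after it). Short- and
    long-form lengths are all an RSA SubjectPublicKeyInfo uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_params(p_value):
    """Decode the base64 p= SubjectPublicKeyInfo; return (modulus bits, exponent)."""
    spki = base64.b64decode(p_value)
    tag, body, _ = _der(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must start with a SEQUENCE")
    _, algorithm, pos = _der(body, 0)
    oid_tag, oid, _ = _der(algorithm, 0)
    if (oid_tag, oid) != (0x06, RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _der(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _der(bits, 1)  # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = _der(rsa_pub, 0)
    _, e_bytes, _ = _der(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


def check_dkim_record(record, min_bits=2048):
    """Problems with a DKIM key record; an empty list means it is what this page intends."""
    t = parse_tags(record)
    problems = []
    if t.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if t.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an opendkim-genkey RSA key")
    unknown = [h for h in t.get("h", "sha256").split(":") if h not in ("sha1", "sha256")]
    if unknown:
        problems.append(f"h= names unknown hash algorithms: {unknown}")
    if "p" not in t:
        problems.append("p= missing")
    elif not t["p"]:
        problems.append("p= is empty, which means the key is revoked")
    else:
        try:
            bits, e = rsa_key_params(t["p"])
            if bits < min_bits:
                problems.append(f"RSA modulus is only {bits} bits")
            if e == 1 or e % 2 == 0:
                problems.append(f"bad public exponent {e}")
        except (ValueError, IndexError) as err:  # binascii.Error is a ValueError
            problems.append(f"p= does not decode to an RSA SubjectPublicKeyInfo: {err}")
    return problems


def check_dmarc_record(record):
    """Problems with a _dmarc TXT record (RFC 7489: v=DMARC1 first, p= required)."""
    t = parse_tags(record)
    problems = []
    if t.get("v") != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if t.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if t.get("p") in ("quarantine", "reject") and "rua" not in t:
        problems.append("enforcing policy without rua=: you will not see what is being rejected")
    return problems
```

''rsa_key_params()'' on this page's ''p='' value reports a 2048-bit modulus with exponent 65537, and ''check_dkim_record()'' returns no problems for the record as published; swapping ''h=sha256'' for ''h=rsa-sha256'' is the one finding it produces.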
----
\\
==== Amavis ====
> [[https://en.wikipedia.org/wiki/Amavis|Amavis]] is an open source content filter for electronic mail, implementing mail message transfer, decoding, some processing and checking, and interfacing with external content filters to provide protection against spam, viruses and other malware.
sudo apt install amavisd-new spamassassin libmail-spf-perl pyzor razor unbound 7zip
Set up razor:
sudo su - amavis -s /bin/bash
razor-admin -create
razor-admin -register
exit
''/etc/amavis/conf.d/05-node_id'':
# To manually set $myhostname, edit the following line with the correct Fully
# Qualified Domain Name (FQDN) and remove the # at the beginning of the line.
$myhostname = "localhost";
Enable spam filtering (''/etc/amavis/conf.d/15-content_filter_mode''):
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
Then set these in ''/etc/amavis/conf.d/50-user'' (the file for local overrides):
$undecipherable_subject_tag = undef;
$virus_admin = undef;
$spam_admin = undef;
$final_spam_destiny = D_DISCARD;
''D_DISCARD'' drops a message that scores above the kill level without bouncing it (so no backscatter) and without telling the recipient; with quarantining enabled (Debian's default) a copy is kept under ''/var/lib/amavis/virusmails'', which is the only place a false positive can be recovered from.
Add Amavis to the Postfix configuration (''/etc/postfix/main.cf''):
[...]
# Use Amavis to filter content
content_filter = smtp-amavis:localhost:10024
''/etc/postfix/master.cf'' (the ''localhost:10025'' re-injection listener accepts mail from loopback only, with all checks and milters switched off so nothing is scanned or DKIM-signed twice):
[...]
# Amavis configuration
smtp-amavis unix  -       -       -       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o max_use=20
   -o receive_override_options=no_address_mappings
localhost:10025 inet n    -       -       -       -       smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o mynetworks=127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
Delete quarantined mails older than a month:
sudo -u amavis crontab -e
0 0 * * * find /var/lib/amavis/virusmails/ -mtime +31 -type f -delete >/dev/null 2>&1
(''&>'' is a bash-ism; cron runs the line with ''/bin/sh'', where ''&>'' would background the command instead of silencing it.)
Automatically move flagged spam mails to the ''Junk'' directory. Test ''X-Spam-Flag'' rather than the mere presence of ''X-Spam-Score'': Amavis adds the ''X-Spam-*'' headers to every message scoring at or above ''$sa_tag_level_deflt'' (2.0 in Debian's defaults), whereas ''X-Spam-Flag: YES'' is only set at or above ''$sa_tag2_level_deflt'' (6.31), i.e. when the message was actually classified as spam.
sudo mkdir /var/lib/dovecot/sieve
sudo chown dovecot:dovecot /var/lib/dovecot/sieve
''/var/lib/dovecot/sieve/spam_to_junk.sieve'':
require "fileinto";
if header :is "X-Spam-Flag" "YES" {
    fileinto "Junk";
    stop;
}
if header :contains "Received-SPF" "Softfail" {
    fileinto "Junk";
    stop;
}
sudo sievec /var/lib/dovecot/sieve/spam_to_junk.sieve
sudo chown dovecot:dovecot /var/lib/dovecot/sieve/*
''/etc/dovecot/conf.d/90-sieve.conf'':
[...]
# Default sieve script location
sieve_script default {
  type = default
  name = default
  driver = file
  path = /var/lib/dovecot/sieve/
}
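The two possible first tests of the Junk rule compared over constructed messages, as an added example in Python (not code from the page, from Dovecot or from Amavis): one variant files anything that carries an ''X-Spam-Score'' header, the other files only ''X-Spam-Flag: YES''; both keep the ''Received-SPF'' softfail test. The messages are made up for this example; the header names and the ''X-Spam-Status'' layout are Amavis's, the addresses, scores and SPF results are assumptions.

```python
from email import message_from_string

# Constructed messages as Amavis hands them to Dovecot's LMTP.
HAM_LOW_SCORE = """\
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=203.0.113.7
From: newsletter@example.org
To: user1@quietlife.nl
Subject: Weekly digest
X-Spam-Score: 2.4
X-Spam-Level: **
X-Spam-Status: No, score=2.4 tag=2 tag2=6.31 kill=6.31

Scored above the tag level, so it got headers, but it was not classified as spam.
"""

SPAM = """\
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.51.100.9
From: offers@example.net
To: user1@quietlife.nl
Subject: You have won
X-Spam-Flag: YES
X-Spam-Score: 8.1
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.1 tag=2 tag2=6.31 kill=6.31

Classified as spam: the tag2 level was reached.
"""

SOFTFAIL = """\
Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=192.0.2.77
From: boss@softfail.example
To: user1@quietlife.nl
Subject: Please wire the money

No spam headers at all, but the sender domain's SPF policy ends in ~all.
"""


def rule_on_spam_score(msg):
    """Junk rule whose first test is Sieve's `exists "X-Spam-Score"`."""
    if msg["X-Spam-Score"] is not None:
        return "Junk"
    if "softfail" in (msg["Received-SPF"] or "").lower():
        return "Junk"
    return "INBOX"


def rule_on_spam_flag(msg):
    """Same rule keyed on `header :is "X-Spam-Flag" "YES"` (the default
    comparator in Sieve is case-insensitive, hence the upper())."""
    if (msg["X-Spam-Flag"] or "").strip().upper() == "YES":
        return "Junk"
    if "softfail" in (msg["Received-SPF"] or "").lower():
        return "Junk"
    return "INBOX"


def deliver(raw, rule):
    """Return the folder the rule would fileinto for a raw message."""
    return rule(message_from_string(raw))
```

The low-scoring newsletter is the difference: it lands in ''Junk'' under the ''X-Spam-Score'' test and in ''INBOX'' under the ''X-Spam-Flag'' test, while real spam and the SPF softfail go to ''Junk'' either way.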
----
\\
==== Fail2Ban ====
> Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.
sudo apt install fail2ban
Create the configuration file for Postfix, Dovecot and Sieve (for example ''/etc/fail2ban/jail.local'', which overrides the packaged ''jail.conf''):
[postfix]
enabled  = true
mode     = aggressive
backend  = auto
[dovecot]
enabled  = true
mode     = aggressive
backend  = auto
[sieve]
enabled  = true
backend  = auto
\\
==== Client autoconfiguration ====
> The goal of [[https://developer.mozilla.org/docs/Mozilla/Thunderbird/Autoconfiguration|autoconfiguration]] is to make it very easy for users to configure the connection to their email servers.
This guide assumes you use Apache or nginx, but any HTTP server will suffice.
The result is an autoconfiguration URL (''http://autoconfig.quietlife.nl/mail/config-v1.1.xml'') that mail clients like Thunderbird fetch to preconfigure their settings.
=== Apache ===
''/etc/apache2/sites-available/autoconfig.quietlife.nl.conf'' (Apache 2.4 syntax; ''Order allow,deny'' / ''allow from all'' is the 2.2 form and only works with ''mod_access_compat''):
<VirtualHost *:80>
   ServerName autoconfig.quietlife.nl
   DocumentRoot /var/www/autoconfig.quietlife.nl
   <Directory /var/www/autoconfig.quietlife.nl>
     Require all granted
   </Directory>
</VirtualHost>
Enable it:
sudo a2ensite autoconfig.quietlife.nl.conf
sudo systemctl reload apache2.service
\\
=== nginx ===
''/etc/nginx/sites-available/autoconfig.quietlife.nl'':
server {
        listen 80;
        listen [::]:80;
        server_name autoconfig.quietlife.nl;
        root /var/www/autoconfig.quietlife.nl;
}
Enable it:
cd /etc/nginx/sites-enabled/
sudo ln -s ../sites-available/autoconfig.quietlife.nl autoconfig.quietlife.nl
sudo systemctl reload nginx.service
\\
=== Configuration ===
''/var/www/autoconfig.quietlife.nl/mail/config-v1.1.xml'' (''password-cleartext'' means PLAIN/LOGIN inside the TLS session, matching ''auth_mechanisms = plain login'' with ''ssl = required'' in Dovecot and ''smtpd_tls_auth_only = yes'' in Postfix):
<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="quietlife.nl">
    <domain>quietlife.nl</domain>
    <displayName>quietlife.nl</displayName>
    <displayShortName>quietlife</displayShortName>
    <incomingServer type="imap">
      <hostname>quietlife.nl</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>quietlife.nl</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
----
\\
==== SSL certificate renewal ====
Let's Encrypt certificates expire every three months, and certbot automatically renews them. After renewing the certificates, you have to reload Postfix and Dovecot. This can be automated with a script you put in ''/etc/letsencrypt/renewal-hooks/post/'':
''/etc/letsencrypt/renewal-hooks/post/mail.sh'':
#!/bin/sh
systemctl reload dovecot.service postfix.service
Make it executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/mail.sh
----
\\
==== Starting everything up ====
sudo systemctl restart postfix.service dovecot.service opendkim.service amavis.service fail2ban.service
----
\\
==== Testing ====
> [[https://en.wikipedia.org/wiki/Failure|Failure]] is the state or condition of not meeting a desirable or intended objective, and may be viewed as the opposite of success.
=== Test your mail server status ===
Go to [[https://mxtoolbox.com/domain/|MxToolBox]] and run a test. Ideally, you should not see any problems.\\
\\
=== Test DKIM DNS record ===
opendkim-testkey -d quietlife.nl -s 201902
If nothing is shown, your DNS record is set up properly (add ''-vvv'' to see which record was fetched and what was checked).\\
\\
=== Test signatures ===
Send an empty email to [[check-auth@verifier.port25.com|port25.com's verifier]]. It should return this:
==========================================================
Summary of Results
==========================================================
SPF check:          pass
DKIM check:         pass
SpamAssassin check: ham
----
\\
==== Author Domain Signing Practices ====
> In computing, [[https://en.wikipedia.org/wiki/Author_Domain_Signing_Practices|Author Domain Signing Practices]] (ADSP) is an optional extension to the DKIM email authentication scheme, whereby a domain can publish the signing practices it adopts when relaying mail on behalf of associated authors.
If DKIM is working well, you can set up an ADSP record, telling the receiving mailserver that all mails coming from your domain should have a valid DKIM signature. ADSP (RFC 5617) was reclassified as Historic by the IETF in 2013 and few receivers evaluate it; the DMARC record in the next section is what receivers act on today, so this step is optional.
Add a DNS TXT record containing this:
_adsp._domainkey  3600  IN  TXT  "dkim=all"
----
\\
==== Domain-based Message Authentication, Reporting & Conformance ====
> [[https://en.wikipedia.org/wiki/DMARC|Domain-based Message Authentication, Reporting and Conformance]] (DMARC) is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations.
If SPF and DKIM are working well, you can set up a DMARC record. Start with ''p=none'' plus a ''rua'' address and read the aggregate reports for a while before moving to ''p=quarantine'' and then ''p=reject'': with ''p=reject'', participating receivers refuse every message that passes neither aligned SPF nor aligned DKIM, which includes mail your users send through other providers and mail relayed through mailing lists that modify the message.
Add a DNS TXT record containing this: 
_dmarc  3600  IN  TXT  "v=DMARC1; p=reject"
\\
If you want to receive aggregate reports, you can set a ''rua'' option:
_dmarc  3600  IN  TXT  "v=DMARC1; p=reject; rua=mailto:postmaster@quietlife.nl"
If you also want to receive failure reports, you can set a ''ruf'' option (few receivers send them, and those that do may include copies of the failing messages):
_dmarc  3600  IN  TXT  "v=DMARC1; p=reject; rua=mailto:postmaster@quietlife.nl; ruf=mailto:postmaster@quietlife.nl"
\\
More information about DMARC records can be found [[https://dmarc.org/wiki/FAQ|here]].
----