===== Setting up a Postfix + Dovecot mailserver =====
\\
==== Firewall ====
The following ports have to be opened in your firewall:
25/tcp # SMTP
80/tcp # HTTP (for autoconfiguration)
443/tcp # HTTPS (for autoconfiguration)
587/tcp # Submission
993/tcp # IMAP SSL
4190/tcp # ManageSieve (for e-mail filters)
----
\\
==== MariaDB ====
> [[https://en.wikipedia.org/wiki/MariaDB|MariaDB]] is a community-developed fork of the [[https://en.wikipedia.org/wiki/MySQL|MySQL]] relational database management system intended to remain free under the GNU GPL.
Install the database server:
sudo apt install mariadb-server
Harden it:
sudo mysql_secure_installation
Use one file per InnoDB table:
[mysqld]
innodb_file_per_table = 1
Restart the daemon:
sudo systemctl restart mariadb.service
\\
Create a database called ''mailserver'' and a user called ''mailuser'':
sudo mariadb
CREATE DATABASE mailserver;
GRANT SELECT ON mailserver.* TO 'mailuser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
USE mailserver;
(Of course, change ''password'' to an actual password.)\\
\\
=== Create tables ===
Domains:
CREATE TABLE `virtual_domains` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(50) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Users:
CREATE TABLE `virtual_users` (
`id` int(11) NOT NULL auto_increment,
`domain_id` int(11) NOT NULL,
`password` varchar(106) NOT NULL,
`email` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `email` (`email`),
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Aliases:
CREATE TABLE `virtual_aliases` (
`id` int(11) NOT NULL auto_increment,
`domain_id` int(11) NOT NULL,
`source` varchar(100) NOT NULL,
`destination` varchar(100) NOT NULL,
PRIMARY KEY (`id`),
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
\\
=== Add domains, users, aliases ===
Domains:
INSERT INTO `mailserver`.`virtual_domains`
(`id` ,`name`)
VALUES
('1', 'quietlife.nl');
Users:
INSERT INTO `mailserver`.`virtual_users`
(`id`, `domain_id`, `password` , `email`)
VALUES
('1', '1', ENCRYPT('user1-password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'user1@quietlife.nl'),
('2', '1', ENCRYPT('user2-password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'user2@quietlife.nl');
Aliases:
INSERT INTO `mailserver`.`virtual_aliases`
(`id`, `domain_id`, `source`, `destination`)
VALUES
('1', '1', 'postmaster@quietlife.nl', 'root@quietlife.nl'),
('2', '1', 'root@quietlife.nl', 'user1@quietlife.nl');
----
\\
==== Postfix ====
> [[https://en.wikipedia.org/wiki/Postfix_(software)|Postfix]] is a free and open-source [[https://en.wikipedia.org/wiki/Mail_transfer_agent|mail transfer agent]] (MTA) that routes and delivers electronic mail, intended as an alternative to Sendmail MTA.
sudo apt install postfix postfix-mysql
\\
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
# TLS parameters
smtp_dns_support_level = dnssec
smtp_tls_cert_file = /etc/letsencrypt/live/quietlife.nl/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/quietlife.nl/privkey.pem
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/quietlife.nl/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/quietlife.nl/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
# Use strong ciphers
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_eecdh_grade = ultra
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
# Enable SMTP for authenticated users and hand off authentication to Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_unauth_pipelining
# Network and host parameters
inet_interfaces = all
inet_protocols = all
mydestination = localhost
myhostname = vitas.quietlife.nl
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
# Mail queue parameters
maximal_queue_lifetime = 12h
bounce_queue_lifetime = 12h
maximal_backoff_time = 1h
minimal_backoff_time = 5m
queue_run_delay = 5m
# Mailbox parameters
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
recipient_delimiter = +
disable_vrfy_command = yes
# Hand off local delivery to Dovecot's LMTP and tell it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp
# Virtual domains, users and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf, mysql:/etc/postfix/mysql-virtual-email2email.cf
# Strip MUA headers
smtp_header_checks = regexp:/etc/postfix/header_checks
quietlife.nl
user = mailuser
password = password
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_domains WHERE name='%s'
user = mailuser
password = password
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_users WHERE email='%s'
user = mailuser
password = password
hosts = 127.0.0.1
dbname = mailserver
query = SELECT destination FROM virtual_aliases WHERE source='%s'
user = mailuser
password = password
hosts = 127.0.0.1
dbname = mailserver
query = SELECT email FROM virtual_users WHERE email='%s'
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
/^Received:.*with ESMTPSA/ IGNORE
/^X-Originating-IP:/ IGNORE
----
\\
==== Dovecot ====
> [[https://en.wikipedia.org/wiki/Dovecot_(software)|Dovecot]] is an open-source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind.
sudo apt install dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-sieve dovecot-managesieved dovecot-antispam
Create a ''vmail'' user and ''vmail'' group and set permissions:
sudo groupadd -g 5000 vmail
sudo useradd -g vmail -u 5000 vmail -d /var/mail
sudo chown -R vmail:vmail /var/mail
sudo mkdir -p /var/mail/vhosts/quietlife.nl
sudo chmod 2700 /var/mail/vhosts/*
sudo chown -R vmail:dovecot /etc/dovecot
\\
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp
# Location for users' mailboxes.
mail_location = maildir:/var/mail/vhosts/%d/%n
[...]
# System user and group used to access mails.
mail_uid = vmail
mail_gid = vmail
# Group to enable temporarily for privileged operations.
mail_privileged_group = vmail
[...]
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
mail_plugins = $mail_plugins antispam quota
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability).
disable_plaintext_auth = yes
[...]
# Space separated list of wanted authentication mechanisms:
auth_mechanisms = plain login
[...]
## Password and user databases
##
#!include auth-system.conf.ext
!include auth-sql.conf.ext
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
[...]
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
# Database driver: mysql, pgsql, sqlite
driver = mysql
[...]
# Database connection string. This is driver-specific setting.
connect = host=localhost dbname=mailserver user=mailuser password=password
[...]
# Default password scheme.
default_pass_scheme = SHA512-CRYPT
[...]
# passdb query to retrieve the password.
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
# Enable imaps on port 993 only (disable imap on port 143)
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
[...]
# Disable pop3s and pop3
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
port = 0
#ssl = yes
}
}
# Enable lmtp for local delivery
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
[...]
service auth {
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
# Auth process is run as this user.
user = dovecot
}
service auth-worker {
user = vmail
}
# SSL/TLS support: yes, no, required.
ssl = required
[...]
# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert =
Automatically create default mailboxes:
namespace inbox {
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
[...]
mailbox Sent {
auto = subscribe
special_use = \Sent
}
[...]
}
Enable ManageSieve so users can set up filters:
# Uncomment to enable managesieve protocol:
protocols = $protocols sieve
# Service definitions
service managesieve-login {
inet_listener sieve {
port = 4190
}
[...]
}
[...]
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins sieve
}
----
\\
==== Sender Policy Framework ====
> [[https://en.wikipedia.org/wiki/Sender_Policy_Framework|Sender Policy Framework]] (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.
sudo apt install postfix-pcre postfix-policyd-spf-python
\\
Add SPF to the Postfix configuration:
Change
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_unauth_pipelining
to
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_unauth_pipelining,
check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600
(Mind the comma!)
[...]
# SPF configuration
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
\\
Finally, add a DNS TXT record for ''@'' (or ''quietlife.nl.''), containing:
"v=spf1 mx -all"
This tells the receiving mailserver that all mails coming from your domain should originate from the IP's in your A / AAAA records.
----
\\
==== OpenDKIM ====
> [[https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail|DomainKeys Identified Mail]] (DKIM) is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain.
sudo apt install opendkim opendkim-tools
\\
Add the ''opendkim'' user to the ''postfix'' group:
sudo adduser postfix opendkim
\\
Create an ''/etc/opendkim'' directory to store the tables:
sudo mkdir /etc/opendkim
Syslog yes
SyslogSuccess yes
LogWhy yes
Canonicalization relaxed/simple
Mode sv
SubDomains no
OversignHeaders From
KeyTable /etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts
UserID opendkim:postfix
UMask 007
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock
PidFile /var/spool/postfix/var/run/opendkim/opendkim.pid
TrustAnchorFile /usr/share/dns/root.key
Change the ''201902'' example to the current year/month:
quietlife.nl quietlife.nl:201902:/etc/dkimkeys/quietlife.nl.private
*@quietlife.nl quietlife.nl
Add localhost, your hostname, your domain name(s) and your FQDN to the trusted hosts:
127.0.0.1
::1
localhost
vitas
quietlife.nl
vitas.quietlife.nl
\\
Then override the OpenDKIM systemd unit file by running ''sudo systemctl edit opendkim.service''. Add these lines:
[Service]
PIDFile=/var/spool/postfix/var/run/opendkim/opendkim.pid
User=opendkim
Group=postfix
ExecStart=
ExecStart=/usr/sbin/opendkim -P /var/spool/postfix/var/run/opendkim/opendkim.pid -p local:/var/spool/postfix/var/run/opendkim/opendkim.sock
And run ''sudo systemctl daemon-reload'' afterwards.
\\
\\
Add OpenDKIM to the Postfix configuration:
sudo mkdir -p /var/spool/postfix/var/run/opendkim
sudo chown opendkim:postfix /var/spool/postfix/var/run/opendkim
[...]
# Use OpenDKIM to sign and verify mail
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
\\
Generate keys (use the current year/month instead of the example ''201902''):
opendkim-genkey -b 2048 -h rsa-sha256 -r -s 201902 -d quietlife.nl -v
sudo mv 201902.private /etc/dkimkeys/quietlife.nl.private
sudo chown opendkim:opendkim /etc/dkimkeys/quietlife.nl.private
mv 201902.txt dns.txt
\\
Finally, add a DNS TXT record with the contents of ''dns.txt'':
201902._domainkey 3600 IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA63ggTqo80JaQBGV2uNreiX2/2yQx3PHbh9/4k+gIYO71ujqjGblk5z2FgzbWrTaIU7fZ0nN09bZAVDYavc9817fpYIYvnenDdKPJazl4hiVbBJL8jZ8/0ndu5WkCIzY60ukI423IAK+ppx7UW7Tpq38RokyFW8Wq96RAuhqeGkdxQN03N//yAtRCmeWwHw+jdGGq1WGbOKE7LcigRBMW9xPdJOk/rQPU2OjRh3b/BLohMYY0NX+0+Ybp0+5JuO6NZeYqWKbvezhtltTPrsYJU1m3cJTv11UxYiI8QPmSPGMJKVUevQv6Pn2aCARuNPIxSqfGwW6iwBhUZuxb1zQPCwIDAQAB"
(Change ''h=rsa-sha256'' to ''h=sha256'' and cut the key starting with ''v=DKIM1; ...'')
----
\\
==== Amavis ====
> [[https://en.wikipedia.org/wiki/Amavis|Amavis]] is an open source content filter for electronic mail, implementing mail message transfer, decoding, some processing and checking, and interfacing with external content filters to provide protection against spam, viruses and other malware.
sudo apt install amavisd-new spamassassin libmail-spf-perl pyzor razor p7zip-full unbound
Set up razor:
sudo su - amavis -s /bin/bash
razor-admin -create
razor-admin -register
exit
# To manually set $myhostname, edit the following line with the correct Fully
# Qualified Domain Name (FQDN) and remove the # at the beginning of the line.
$myhostname = "localhost";
Enable spam filtering:
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
$undecipherable_subject_tag = undef;
$virus_admin = undef;
$spam_admin = undef;
$final_spam_destiny = D_DISCARD;
Add Amavis to the Postfix configuration:
[...]
# Use Amavis to filter content
content_filter = smtp-amavis:localhost:10024
[...]
# Amavis configuration
smtp-amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
localhost:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
Delete quarantined mails older than a month:
sudo -u amavis crontab -e
0 0 * * * find /var/lib/amavis/virusmails/ -mtime +31 -type f -delete &>/dev/null
Automatically move flagged spam mails to the ''Junk'' directory:
sudo mkdir /var/lib/dovecot/sieve
sudo chown dovecot:dovecot /var/lib/dovecot/sieve
require "fileinto";
if exists "X-Spam-Score" {
fileinto "Junk";
stop;
}
sudo sievec /var/lib/dovecot/sieve/spam_to_junk.sieve
sudo chown dovecot:dovecot /var/lib/dovecot/sieve/*
[...]
Location for ":global" include scripts as used by the "include" extension.
sieve_global = /var/lib/dovecot/sieve/
[...]
Train SpamAssassin when moving files to and from the junk directory:
plugin {
#setting_name = value
antispam_debug_target = syslog
antispam_backend = pipe
antispam_trash = Trash
antispam_spam = Junk;Spam
antispam_allow_append_to_spam = no
antispam_pipe_program = /usr/local/bin/sa-learn-pipe.sh
antispam_pipe_program_spam_arg = --spam
antispam_pipe_program_notspam_arg = --ham
}
#!/bin/bash
if [ "$1" != "wrap" ]; then
out=$(sudo -Hu amavis "$0" wrap "$@" < /proc/self/fd/0 2>&1)
ret=$?
lvl="info"
if [ "$ret" -ne 0 ]; then
lvl="err"
fi
logger -p mail.$lvl -i -t sa-learn-pipe "${1//[^a-z]/}: $out"
exit $ret
fi
cd "$HOME"
cmd=${2//[^a-z\- ]/}
sa-learn "$cmd" <(cat -)
ret=$?
exit $ret
Make it executable:
sudo chmod +x /usr/local/bin/sa-learn-pipe.sh
Allow the ''vmail'' user to execute the script as the ''amavis'' user:
vmail ALL=(amavis) NOPASSWD: /usr/local/bin/sa-learn-pipe.sh
Set the correct permissions:
sudo chmod 400 /etc/sudoers.d/vmail-sa-learn
----
\\
==== Fail2Ban ====
> Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.
sudo apt install fail2ban
Create the configuration file for Postfix, Dovecot and Sieve:
[postfix]
enabled = true
mode = aggressive
backend = auto
[dovecot]
enabled = true
mode = aggressive
backend = auto
[sieve]
enabled = true
backend = auto
\\
==== Client autoconfiguration ====
> The goal of [[https://developer.mozilla.org/docs/Mozilla/Thunderbird/Autoconfiguration|autoconfiguration]] is to make it very easy for users to configure the connection to their email servers.
This guide assumes you use Apache or nginx, but any HTTP server will suffice.
The result is an autoconfiguration URL that mail clients like Thunderbird can parse to preconfigure settings.
=== Apache ===
ServerName autoconfig.quietlife.nl
DocumentRoot /var/www/autoconfig.quietlife.nl
Order allow,deny
allow from all
Enable it:
sudo a2ensite autoconfig.quietlife.nl.conf
sudo systemctl reload apache2.service
\\
=== nginx ===
server {
listen 80;
listen [::]:80;
server_name autoconfig.quietlife.nl;
root /var/www/autoconfig.quietlife.nl;
}
Enable it:
cd /etc/nginx/sites-enabled/
sudo ln -s ../sites-available/autoconfig.quietlife.nl autoconfig.quietlife.nl
sudo systemctl reload nginx.service
\\
=== Configuration ===
quietlife.nl
quietlife.nl
quietlife
quietlife.nl
993
SSL
password-cleartext
%EMAILADDRESS%
quietlife.nl
587
STARTTLS
password-cleartext
%EMAILADDRESS%
----
\\
==== SSL certificate renewal ====
Let's Encrypt certificates expire every three months, and certbot automatically renews them. After renewing the certificates, you have to reload Postfix and Dovecot. This can be automated with a script you put in ''/etc/letsencrypt/renewal-hooks/post/'':
#!/bin/sh
systemctl reload dovecot.service postfix.service
Make it executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/mail.sh
----
\\
==== Starting everything up ====
sudo systemctl restart postfix.service dovecot.service opendkim.service amavis.service fail2ban.service
----
\\
==== Testing ====
> [[https://en.wikipedia.org/wiki/Failure|Failure]] is the state or condition of not meeting a desirable or intended objective, and may be viewed as the opposite of success.
=== Test your mail server status ===
Go to [[https://mxtoolbox.com/domain/|MxToolBox]] and run a test. Ideally, you should not see any problems.\\
\\
=== Test DKIM DNS record ===
opendkim-testkey -d quietlife.nl -s 201902
If nothing is shown, your DNS record is set up properly.\\
\\
=== Test signatures ===
Send an empty email to [[check-auth@verifier.port25.com|port25.com's verifier]]. It should return this:
==========================================================
Summary of Results
==========================================================
SPF check: pass
DKIM check: pass
SpamAssassin check: ham
----
\\
==== Author Domain Signing Practices ====
> In computing, [[https://en.wikipedia.org/wiki/Author_Domain_Signing_Practices|Author Domain Signing Practices]] (ADSP) is an optional extension to the DKIM email authentication scheme, whereby a domain can publish the signing practices it adopts when relaying mail on behalf of associated authors.
If DKIM is working well, you can set up an ADSP record, telling the receiving mailserver that all mails coming from your domain should have a valid DKIM signature.
Add a DNS TXT record containing this:
_adsp._domainkey 3600 IN TXT "dkim=all"
----
\\
==== Domain-based Message Authentication, Reporting & Conformance ====
> [[https://en.wikipedia.org/wiki/DMARC|Domain-based Message Authentication, Reporting and Conformance]] (DMARC) is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations.
If SPF and DKIM are working well, you can set up a DMARC record.
Add a DNS TXT record containing this:
_dmarc 3600 IN TXT "v=DMARC1; p=reject"
\\
If you want to receive aggregate reports, you can set a ''rua'' option:
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@quietlife.nl"
If you also want to receive failure reports, you can set a ''ruf'' option:
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@quietlife.nl; ruf=mailto:postmaster@quietlife.nl"
\\
More information about DMARC records can be found [[https://dmarc.org/wiki/FAQ|here]].
----