Postfix and dovecot will be the two primary pieces of our mail server. Postfix is the mail transport agent that handles sending and receiving mail, and dovecot is the IMAP server that lets us access our mail from a mail client such as mutt. The server will also have several other supporting components, a complete list of which is:
- SpamAssassin for spam filtering
- OpenDKIM for DKIM verification and signing
- Postgrey for greylisting
- Policyd-SPF for SPF verification
- OpenDMARC for DMARC verification
You can use this script I have written to automate this process, but I would recommend that you run through the tutorial first to understand what is being done.
Please note that this tutorial is loosely intended for small personal mail servers. Using PAM for authentication, as is done here, is not a scalable solution for working with a large number of users. I do plan on covering Dovecot LDAP authentication at some point which would be a better solution in an enterprise setting.
Install Packages
Let's start by installing the required packages. Note that if you already have Apache installed on the server, replace python3-certbot-nginx with python3-certbot-apache.
apt install postfix dovecot-imapd dovecot-sieve opendkim opendkim-tools spamassassin gnupg postgrey postfix-policyd-spf-python opendmarc dbconfig-no-thanks certbot python3-certbot-nginx
During the installation of Postfix you will get a Debconf prompt in which you need to select "Internet Site" and then provide your domain name, example.com.
Get a certificate
Now we'll use Certbot to get a certificate for our server. If you are using Apache replace nginx with apache2.
systemctl stop nginx
certbot certonly --standalone -d mail.example.com
systemctl start nginx
Postfix Main Configuration
In this section we will be doing the bulk of the postfix configuration. The postconf command used throughout appends (or changes) the specified configuration item in /etc/postfix/main.cf.
Network Configuration
Let's start by configuring some network and domain information.
postconf -e "myorigin = example.com"
postconf -e "mydestination = \$myhostname, \$mydomain, localhost"
postconf -e "mynetworks = 127.0.0.0/8 [::1]/128"
postconf -e "myhostname = mail.example.com"
Next, point postfix to the certbot key and certificate, as well as the distro's CA certificates.
postconf -e "smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem"
postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem"
postconf -e "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
Harden the TLS configuration by forcing strong protocols and ciphers, and requiring that authentication occur only over an encrypted session.
# Require authentication over TLS and optionally use it for sending and receiving mail
postconf -e "smtpd_tls_auth_only = yes"
postconf -e "smtpd_tls_security_level = may"
postconf -e "smtp_tls_security_level = may"
# Force the use of TLSv1.2 or TLSv1.3
postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
postconf -e 'smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
# Prefer server ciphers
postconf -e "tls_preempt_cipherlist = yes"
# Force strong ciphers
postconf -e "smtpd_tls_ciphers = high"
postconf -e "smtpd_tls_mandatory_ciphers = high"
postconf -e "smtp_tls_ciphers = high"
postconf -e "smtp_tls_mandatory_ciphers = high"
postconf -e "smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH"
postconf -e "smtp_tls_exclude_ciphers = aNULL, eNULL, EXP, LOW, MEDIUM, PSK, SRP, SHA1, kRSA, CAMELLIA, ARIA, DSS, RSA+AES, ADH, AECDH"
Local Recipients and Aliases
Here we configure the bulk of the postfix built-in security settings which are structured as a series of access restrictions. Do not edit these settings without first reading the Postfix documentation as an incorrect change could inadvertently make your server an open relay.
postconf -e "smtpd_helo_required = yes"
postconf -e "smtpd_sender_login_maps = proxy:hash:/etc/postfix/login_maps"
postconf -e "smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname"
postconf -e "smtpd_sender_restrictions = reject_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain"
postconf -e "smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/postgrey, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org"
postconf -e "smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination"
postconf -e "smtpd_data_restrictions = reject_unauth_pipelining"
# Disable VRFY command to prevent harvesting of user accounts on system
postconf -e "disable_vrfy_command = yes"
# Change smtpd banner (hide distribution)
postconf -e "smtpd_banner = \$myhostname ESMTP \$mail_name"
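To see why the order of these lists matters, here is a small evaluator I added that is neither part of the tutorial nor Postfix code: it walks a restriction list the way smtpd does (first verdict wins) over constructed sessions and flags lists that would let an unauthenticated outsider relay to a foreign domain. The session values (client IP 203.0.113.9, recipients) are constructed.

```python
import ipaddress

# Constructed mini-evaluator for a few of the restrictions used above. It is
# not Postfix code; it reproduces only the rule that matters for the open-relay
# warning: the list is walked left to right and the first restriction that
# returns a verdict ends the evaluation.
MYNETWORKS = ("127.0.0.0/8", "::1/128")
MYDESTINATION = {"mail.example.com", "example.com", "localhost"}

# The tutorial's own lists, for comparison with misordered ones.
TUTORIAL_RELAY = ["permit_sasl_authenticated", "reject_unauth_destination"]
TUTORIAL_RECIPIENT = ["reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
                      "permit_sasl_authenticated", "reject_unauth_destination"]


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def evaluate(restrictions, session):
    """Return (verdict, restriction) for one RCPT TO. session is a dict with the
    client IP, whether SASL authentication succeeded, and the recipient."""
    rcpt_domain = session["recipient"].rpartition("@")[2].lower()
    for r in restrictions:
        if r == "permit" or (r == "permit_sasl_authenticated" and session["sasl"]):
            return "OK", r
        if r == "permit_mynetworks" and in_mynetworks(session["client_ip"]):
            return "OK", r
        if r == "reject":
            return "REJECT", r
        if r == "reject_unauth_destination" and rcpt_domain not in MYDESTINATION:
            return "REJECT", r
        if r == "reject_non_fqdn_recipient" and "." not in rcpt_domain:
            return "REJECT", r
        # Restrictions that need DNS or a policy daemon (reject_unknown_recipient_domain,
        # check_policy_service, reject_rbl_client) are treated as DUNNO in this model.
    return "OK", "end of list (implicit permit)"


def is_open_relay(restrictions):
    """An unauthenticated stranger relaying to an outside domain must be rejected."""
    stranger = {"client_ip": "203.0.113.9", "sasl": False, "recipient": "victim@example.net"}
    return evaluate(restrictions, stranger)[0] == "OK"


if __name__ == "__main__":
    for name, lst in [("tutorial", TUTORIAL_RELAY),
                      ("missing reject_unauth_destination", ["permit_sasl_authenticated"]),
                      ("permit before reject", ["permit", "reject_unauth_destination"])]:
        print(f"{name}: open relay = {is_open_relay(lst)}")
```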
Now, configure the local mail recipients and some aliases. We'll create an account called mailadmin to receive mail addressed to several other accounts. This is to keep administrative mail separate, but you can certainly alias these to your main account later if you would prefer to see it there.
# Set a custom local_recipient_maps here in order to avoid accepting mail for all local accounts
postconf -e "local_recipient_maps = proxy:hash:/etc/postfix/local_maps \$alias_maps"
# You will need to manually set a password later to login as mailadmin
adduser --disabled-login --shell /usr/sbin/nologin --gecos "" mailadmin
echo "# postfix aliases
postmaster: mailadmin
root: mailadmin
dmarc: mailadmin
" > /etc/aliases
# Update address databases
echo "mailadmin@mail.example.com mailadmin" > /etc/postfix/login_maps
echo "mailadmin mailadmin" > /etc/postfix/local_maps
newaliases
postmap /etc/postfix/login_maps
postmap /etc/postfix/local_maps
Mail Delivery
These commands configure our mail delivery preferences. Mail will be delivered inside a user's home folder with a maildir-style mailbox using dovecot.
# Maildir delivery to $HOME/Mail/Inbox/
postconf -e "home_mailbox = Mail/Inbox/"
# Deliver mail with Dovecot
postconf -e "mailbox_command = /usr/lib/dovecot/deliver"
Header and Body Checks
Header and body checks allow for some simple content filtering within Postfix. This is done by scanning a message line by line for a configured regex string, nothing more. For example, the first header check listed will reject a message with an attachment of ransomware.exe but will not block it if sent with no extension. This is mostly a protection against uneducated users and poorly written mail clients. Other checks block vulnerabilities and improve privacy.
Create a new file /etc/postfix/header_checks, then open it in a text editor and add the following
# Block files with common executable extensions
/name=[^>]*\.(exe|pif|com|dll|vbs|bat|sh|bash|so|zip|tar|gz|cpio)/ REJECT
# Block message/partial vulnerability
/message\/partial/ REJECT
# Remove Received string that is created when spamassassin reinjects message into postfix
# This is to prevent leaking the userid of the spamassassin user
/^Received:.*userid.*/ IGNORE
# Remove User-Agent strings from headers
/^User-Agent: .*/ IGNORE
Create another new file /etc/postfix/body_checks, and add this
# Block messages with iframes
/<iframe/ REJECT
And then run these commands to point postfix to the check files.
postconf -e "header_checks = regexp:/etc/postfix/header_checks"
postconf -e "body_checks = regexp:/etc/postfix/body_checks"
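As an added illustration that is not part of the tutorial, this Python script parses the header_checks table above (embedded as a constructed copy) and applies it to constructed headers the way Postfix does: each logical header line, name included, is matched against the patterns in order, case-insensitively by default, and the first match decides.

```python
import re

# Constructed copy of the /etc/postfix/header_checks table from the tutorial
# (embedded here so the example runs without the file).
HEADER_CHECKS = r"""
# Block files with common executable extensions
/name=[^>]*\.(exe|pif|com|dll|vbs|bat|sh|bash|so|zip|tar|gz|cpio)/ REJECT
# Block message/partial vulnerability
/message\/partial/ REJECT
# Remove Received string that is created when spamassassin reinjects message into postfix
/^Received:.*userid.*/ IGNORE
# Remove User-Agent strings from headers
/^User-Agent: .*/ IGNORE
"""

# One rule per line: /pattern/flags action. Only the 'i' flag is modelled; as in
# Postfix regexp tables it toggles the default case-insensitive matching off.
RULE_RE = re.compile(r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-z]*)\s+(?P<action>\S+)")


def parse_regexp_table(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparseable rule: " + line)
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), flags), m.group("action").upper()))
    return rules


RULES = parse_regexp_table(HEADER_CHECKS)


def check_header(rules, header):
    """First matching rule wins; 'DUNNO' means no rule matched."""
    for pattern, action in rules:
        if pattern.search(header):
            return action
    return "DUNNO"


def check_message(rules, headers):
    """Apply the table to every logical header line of a message. Any REJECT
    bounces the message; otherwise return the headers that would be dropped."""
    dropped = []
    for header in headers:
        action = check_header(rules, header)
        if action == "REJECT":
            return "REJECT", header
        if action == "IGNORE":
            dropped.append(header)
    return "ACCEPT", dropped


# Constructed sample headers.
WITH_EXE = ["From: someone@example.org",
            "Content-Disposition: attachment; filename=ransomware.exe"]
NO_EXTENSION = ["From: someone@example.org",
                "Content-Disposition: attachment; filename=ransomware"]
REINJECTED = ["Received: by mail.example.com (Postfix, from userid 112) id 4ABC; Mon, 1 Jan 2024 00:00:00 +0000",
              "User-Agent: Mutt/2.2",
              "Subject: hello"]

if __name__ == "__main__":
    for name, headers in [("exe attachment", WITH_EXE), ("no extension", NO_EXTENSION),
                          ("reinjected by spamassassin", REINJECTED)]:
        print(name, check_message(RULES, headers))
```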
Postfix Master Configuration
SMTP client
This simple command configures the SMTP client process that is responsible for sending your mail to other mail servers.
postconf -M "smtp/unix=smtp unix - - y - - smtp"
Postscreen and SMTP Recipient
Postscreen is a kind of firewall that sits in front of the Postfix SMTPD process and receives all incoming traffic. Postscreen will drop connections from IPs on a DNS blacklist, or from clients that violate the SMTP protocol by speaking out of turn or sending non-SMTP commands. This adds up to fewer spam connections and therefore a much lighter workload for your server.
postconf -M "smtp/inet=smtp inet n - y - 1 postscreen"
postconf -M "smtpd/pass=smtpd pass - - y - - smtpd"
postconf -P "smtpd/pass/content_filter=spamassassin"
postconf -M "tlsproxy/unix=tlsproxy unix - - y - 0 tlsproxy"
postconf -M "dnsblog/unix=dnsblog unix - - y - 0 dnsblog"
postconf -e "postscreen_dnsbl_sites = zen.spamhaus.org"
postconf -e "postscreen_dnsbl_action = enforce"
postconf -e "postscreen_greet_action = enforce"
Submission over TLS (submissions)
Submission over TLS (aka submissions) is the process you will use to submit mail to your server from a mail client. These commands configure submissions to use a fully-encrypted session, as opposed to STARTTLS, and to only allow access to authenticated clients.
postconf -M "submissions/inet=submissions inet n - y - - smtpd"
postconf -P "submissions/inet/smtpd_tls_wrappermode=yes"
postconf -P "submissions/inet/smtpd_tls_security_level=encrypt"
postconf -P "submissions/inet/smtpd_tls_auth_only=yes"
postconf -P "submissions/inet/smtpd_sasl_auth_enable=yes"
postconf -P "submissions/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject"
postconf -P "submissions/inet/smtpd_helo_restrictions="
postconf -P "submissions/inet/smtpd_sender_restrictions=reject_sender_login_mismatch"
postconf -P "submissions/inet/smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"
postconf -P "submissions/inet/syslog_name=postfix/submissions"
postconf -P 'submissions/inet/smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
postconf -P 'submissions/inet/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
OPTIONAL - submission with mandatory STARTTLS
Having configured submission over TLS on port 465, this step is optional. STARTTLS is considered by some to be less secure than full-session TLS and may be vulnerable to exploitation.
postconf -M "submission/inet=submission inet n - y - - smtpd"
postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
postconf -P 'submission/inet/smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
postconf -P 'submission/inet/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
postconf -P "submission/inet/smtpd_tls_auth_only=yes"
postconf -P "submission/inet/syslog_name=postfix/submission"
postconf -P "submission/inet/smtpd_helo_restrictions="
postconf -P "submission/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject"
postconf -P "submission/inet/smtpd_sender_restrictions=reject_sender_login_mismatch"
postconf -P "submission/inet/smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject"
SpamAssassin Configuration
Finally, this command tells Postfix how to interact with SpamAssassin.
postconf -M "spamassassin/unix=spamassassin unix - n n - - pipe user=debian-spamd argv=/usr/bin/spamc --socket=/var/run/spamd.sock -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}"
Dovecot Configuration
Dovecot configuration is usually split up into many different files under /etc/dovecot/conf.d/, but here we will be doing all of the configuration in the primary config file /etc/dovecot/dovecot.conf. Open that file with your editor of choice, clear all of its contents, and then replace it with the following.
# /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
auth_username_format = %n
auth_mechanisms = plain
userdb {
driver = passwd
}
passdb {
driver = pam
}
# /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
namespace inbox {
type = private
prefix =
separator = /
inbox = yes
subscriptions = yes
list = yes
}
# /etc/dovecot/conf.d/10-master.conf
service imap-login {
# Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs)
service_count = 1
# Disable unencrypted IMAP by setting port for plain IMAP to 0
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
}
# Allow postfix to use dovecot SASL
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
# /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
# Mozilla intermediate compatibility
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE+ECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+ECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:DHE+aRSA+AESGCM:!aNULL:!eNULL
ssl_prefer_server_ciphers = yes
ssl_client_require_valid_cert = yes
# /etc/dovecot/conf.d/15-lda.conf
protocol lda {
mail_plugins = $mail_plugins sieve
}
# /etc/dovecot/conf.d/15-mailboxes.conf
namespace inbox {
mailbox Sent {
special_use = \Sent
auto = subscribe
}
mailbox Trash {
special_use = \Trash
auto = create
autoexpunge = 30d
}
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox Spam {
special_use = \Junk
auto = create
autoexpunge = 30d
}
mailbox Archive {
special_use = \Archive
auto = create
}
}
# /etc/dovecot/conf.d/20-imap.conf
imap_capability = +SPECIAL-USE
# /etc/dovecot/conf.d/90-sieve.conf
plugin {
sieve = ~/.dovecot.sieve
sieve_default = /var/lib/dovecot/sieve/default.sieve
sieve_global = /var/lib/dovecot/sieve/
}
Then create the default sieve filtering script at /var/lib/dovecot/sieve/default.sieve
require ["fileinto", "mailbox"];
/*
* Discard mail that has a spam score greater than or equal to 10
*/
if header :contains "X-Spam-Level" "**********" {
discard;
stop;
}
/*
* Discard messages marked as infected by a virus scanner
*/
if header :contains "X-Virus-Scan" "infected" {
discard;
stop;
}
/*
* If message is marked as spam (and falls below discard threshold) put into spam mailbox
*/
if header :contains "X-Spam-Flag" "YES" {
fileinto "Spam";
}
And compile the script
sievec /var/lib/dovecot/sieve/default.sieve
Finally, configure PAM authentication for dovecot at /etc/pam.d/dovecot. Append these changes leaving any include statements intact.
auth required pam_unix.so
account required pam_unix.so
OpenDKIM
DKIM is a mail-verification method that cryptographically signs mail to allow receivers to verify the authenticity of the sender. Our mail server will use DKIM to validate signatures on incoming mail and sign outgoing mail. DKIM requires a public key to be published via DNS, which will be done near the end of the guide.
Start by generating the DKIM key
opendkim-genkey -D /etc/dkimkeys -d example.com -s mail
chown opendkim: /etc/dkimkeys/*
chmod 600 /etc/dkimkeys/*
mv /etc/dkimkeys/mail.private /etc/dkimkeys/mail.pem
Here we make a directory for the opendkim socket inside the postfix chroot and make it accessible to the postfix user.
mkdir /var/spool/postfix/opendkim
chmod 770 /var/spool/postfix/opendkim
chown opendkim:opendkim /var/spool/postfix/opendkim
usermod -aG opendkim postfix
Edit the configuration file at /etc/opendkim.conf to be as follows:
On-BadSignature reject
On-Security reject
Syslog yes
SyslogSuccess yes
LogResults yes
Canonicalization simple
Mode sv
OversignHeaders From
Domain example.com
Selector mail
KeyFile /etc/dkimkeys/mail.pem
UserID opendkim
UMask 007
Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
TemporaryDirectory /run/opendkim
InternalHosts 127.0.0.1
TrustAnchorFile /usr/share/dns/root.key
RequireSafeKeys True
AlwaysAddARHeader True
OpenDMARC
DMARC is another mail-verification technology that checks that the sender address seen by end users aligns with the domain verified by SPF, DKIM, or both.
Like with OpenDKIM, we need to make a directory inside the postfix chroot for the socket and assign proper permissions.
mkdir /var/spool/postfix/opendmarc
chmod 770 /var/spool/postfix/opendmarc
chown opendmarc:opendmarc /var/spool/postfix/opendmarc
usermod -aG opendmarc postfix
Now we write the configuration file at /etc/opendmarc.conf
PidFile /run/opendmarc/opendmarc.pid
PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
RejectFailures True
Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
Syslog True
SyslogFacility mail
UMask 002
UserID opendmarc
HistoryFile /var/run/opendmarc/opendmarc.hist
SPFIgnoreResults True
SPFSelfValidate True
Then create the history file and set permissions.
touch /var/run/opendmarc/opendmarc.hist
chown opendmarc:opendmarc /var/run/opendmarc/opendmarc.hist
chmod 664 /var/run/opendmarc/opendmarc.hist
Now that both OpenDKIM and OpenDMARC are configured we can define them as milters in postfix. This will tell postfix to route mail through one or both of these milters depending on whether it is incoming or outgoing.
postconf -P "smtpd/pass/smtpd_milters=unix:opendkim/opendkim.sock,unix:opendmarc/opendmarc.sock"
postconf -P "submissions/inet/smtpd_milters=unix:opendkim/opendkim.sock"
# If you enabled submission on port 587 run this too
postconf -P "submission/inet/smtpd_milters=unix:opendkim/opendkim.sock"
Postgrey
Postgrey implements a spam-filter technique known as greylisting, which temporarily rejects mail from an unknown sender on the first try and for a period of time afterwards, known as the greylist period. The idea is that legitimate senders will retry later, while spammers, in a rush to send as many messages as possible before being blacklisted, will not.
Postgrey ships with an extensive whitelist of domains that are known to cause issues (mainly large providers that constantly send from different addresses). This whitelist file is located at /etc/postgrey/whitelist_clients and can be appended to with any domain you do not wish to be subject to greylisting.
The configuration needed here is minimal, just open /etc/default/postgrey and make these changes
POSTGREY_OPTS="--unix=/var/spool/postfix/private/postgrey --privacy"
POSTGREY_TEXT="Greylisted - see https://www.greylisting.org"
And then enable the service
systemctl enable --now postgrey
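The greylisting described above, as an added model that is not Postgrey's code: a triplet store keyed on (client network, sender, recipient) that defers unknown triplets, admits them once a retry arrives after the delay, honours a client whitelist, and, like the --privacy option set above, stores only hashes. The delay, retry window, /24 lookup and SHA1 hashing mirror Postgrey's defaults as I understand them and are assumptions; all addresses are constructed.

```python
import hashlib
import ipaddress

# Constructed model of Postgrey's triplet logic; not Postgrey's code. The
# numbers are Postgrey's documented defaults as I understand them (assumption).
DELAY = 300               # seconds a new triplet keeps being deferred (--delay)
RETRY_WINDOW = 2 * 86400  # the first retry must arrive within this (--retry-window)
MAX_AGE = 35 * 86400      # triplets unseen for this long are forgotten (--max-age)
DEFER = "DEFER_IF_PERMIT Greylisted - see https://www.greylisting.org"


class Greylist:
    """Policy-service logic: check() returns the Postfix action for one delivery
    attempt. The caller passes the clock so the behaviour is testable offline."""

    def __init__(self, privacy=True, whitelist_clients=()):
        self.privacy = privacy                 # mirrors the --privacy option above
        self.whitelist = tuple(w.lower() for w in whitelist_clients)
        self.db = {}                           # key -> [first_seen, last_seen, passed]

    @staticmethod
    def _client(ip):
        # IPv4 senders are keyed by their /24 (assumption: Postgrey's default
        # --lookup-by-subnet) so a retry from a sibling MX still matches.
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            return str(ipaddress.ip_network(f"{addr}/24", strict=False).network_address)
        return str(addr)

    def _key(self, ip, sender, recipient):
        triplet = f"{self._client(ip)}/{sender.lower()}/{recipient.lower()}"
        # With --privacy only a hash of the triplet is written to the database.
        return hashlib.sha1(triplet.encode()).hexdigest() if self.privacy else triplet

    def check(self, now, client_ip, client_name, sender, recipient):
        name = client_name.lower()
        if any(name == w or name.endswith("." + w) for w in self.whitelist):
            return "DUNNO"                     # whitelist_clients: never greylisted
        key = self._key(client_ip, sender, recipient)
        entry = self.db.get(key)
        if entry is None or now - entry[1] > MAX_AGE:
            self.db[key] = [now, now, False]   # unknown (or expired) triplet
            return DEFER
        first_seen, _, passed = entry
        if not passed and now - first_seen > RETRY_WINDOW:
            self.db[key] = [now, now, False]   # retried too late: start over
            return DEFER
        if now - first_seen < DELAY:
            entry[1] = now                     # retried too early: keep deferring
            return DEFER
        entry[1], entry[2] = now, True         # retried after the delay: pass
        return "DUNNO"
```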
Policyd-SPF
SPF is yet another mail-verification technology that uses DNS records to delegate specific servers as being authorized to send mail for the domain (and implicitly all other servers as unauthorized). Policyd-SPF will perform SPF checking of received mail and reject mail that fails SPF verification.
First, tell postfix how to access Policyd-SPF
postconf -e "policyd-spf_time_limit = 3600"
postconf -M "policyd-spf/unix=policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf"
And then edit the configuration file at /etc/postfix-policyd-spf-python/policyd-spf.conf
debugLevel = 1
TestOnly = 1
HELO_reject = Fail
Mail_From_reject = Fail
Header_Type = AR
# These settings increase false-positive risk
# Comment them if you want to reduce that risk
PermError_reject = True
TempError_Defer = True
SpamAssassin
SpamAssassin is a spam-filter that will scan all received mail and assign a spam score based on configured rules. SpamAssassin is much heavier and more resource-intensive than any of the previous spam-filtering/verification programs we have configured. The postfix spam-filtering philosophy emphasizes the use of lightweight checks before passing to an external content filter such as SpamAssassin. Ideally, non-legitimate mail will have already been caught by one of the previous methods, and SpamAssassin will only have to operate on a much smaller subset of the mail that is sent to our server.
We have actually already told postfix to use SpamAssassin as a content filter so in this section we just need to edit the configuration file /etc/spamassassin/local.cf.
# Clearly indicate message is spam to user
rewrite_header Subject *****SPAM*****
rewrite_header From *****SPAM*****
# Set required score to be marked as spam, 5.0 is default.
# Lower to make policy more strict or raise to be more lenient.
required_score 5.0
# Attach original messages as text/plain instead of message/rfc822 to spam reports
report_safe 2
# Do not implicitly trust mail based on IP address except localhost
trusted_networks 127.0.0.1/32
And finally make a few changes to the defaults file at /etc/default/spamassassin
OPTIONS="--listen /var/run/spamd.sock --max-children 5"
PIDFILE=/var/run/spamd.pid
CRON=1
Wrapping Up
At this point we have done all of the necessary configuration of the mail server programs. We have just a few more minor tasks before your mail server is operational.
Configure Firewall
We need to open the proper ports in the firewall. This example uses UFW.
ufw allow 25 comment "smtp"
ufw allow 465 comment "submission over TLS"
# Run this next command only if you enabled submission on port 587
ufw allow 587 comment "mail submission"
ufw allow 993 comment "IMAP over TLS"
ufw reload
Restart services
Now let's restart the services to pick up any configuration changes.
systemctl restart postfix
systemctl restart dovecot
systemctl restart opendkim
systemctl restart opendmarc
systemctl enable --now spamassassin
systemctl restart spamassassin
systemctl restart postgrey
DNS Entries
Finally, we need to set some required DNS records to enable mail flow and verification. Begin by logging into your registrar or DNS host and editing your DNS records.
A Record
If you did not set a wildcard A record earlier, you will need to set one now for mail. Alternatively, if you are running the mail server on the same server as your website, you may want to instead make a CNAME record pointing mail to www.
MX Record
MX records tell servers attempting to send you mail where to send it. Open the MX records section on your registrar and add a new record. An MX record consists of a priority and a destination. Set the priority to 10 and the destination to mail, or whatever your subdomain for this mail server is. The host value can be left blank or may need to be set to "@" depending on your registrar.
DKIM TXT Record
Now we will set the three TXT records we need. Open the TXT records tab on your registrar.
We'll set the DKIM record first. The command we ran to generate our DKIM keys also generates a DNS record for us which will be helpful here. Print that to the screen with:
cat /etc/dkimkeys/mail.txt
You should get a lengthy output that looks something like the following. The quoted strings after TXT together make up the value.
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz50PSYL0Ob+OlF/0B77rwlzLe7zF6JKnxQNtMqcOCZ0Dar2FPhSUSz1FR0YmNuoShjMogdgKeojIzgRUqwK5GZ5Lz456qiXWkfAtLPc6UQ/WPoyEBGbJpRBYPGWdN4VoNcHkk/I4csvXW6MOI55ghPOwDmootPkCzNPR6gmNAXMe0duS4Lb+bIjy9QMOxGYVUaQ/b+7xar+fWw"
"bA3DjQa3jTLCydzzJpjEMfVaKqNhQ4N+ve7O2Mb3LF5k5B977mtok/6POjVG5HY8g6Pba+GzMFItR6nJO5EE2fyfv6cNbRLsZiM+WQmqvDBst5ejaeapy86F5PdJFlX/TUgXjtuwIDAQAB" ) ; ----- DKIM key mail for example.com
You can cleanup the spacing of the value as your registrar should automatically handle any needed splitting of the record. The parts you need to paste into your registrar's web interface should then look like this.
# Name/Host
mail._domainkey
# TXT Value
"v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz50PSYL0Ob+OlF/0B77rwlzLe7zF6JKnxQNtMqcOCZ0Dar2FPhSUSz1FR0YmNuoShjMogdgKeojIzgRUqwK5GZ5Lz456qiXWkfAtLPc6UQ/WPoyEBGbJpRBYPGWdN4VoNcHkk/I4csvXW6MOI55ghPOwDmootPkCzNPR6gmNAXMe0duS4Lb+bIjy9QMOxGYVUaQ/b+7xar+fWwbA3DjQa3jTLCydzzJpjEMfVaKqNhQ4N+ve7O2Mb3LF5k5B977mtok/6POjVG5HY8g6Pba+GzMFItR6nJO5EE2fyfv6cNbRLsZiM+WQmqvDBst5ejaeapy86F5PdJFlX/TUgXjtuwIDAQAB"
DMARC TXT Record
The DMARC record should be as follows:
# Name/Host
_dmarc
# Value
"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; fo=1"
SPF Record
Your SPF record will look like this. Remember to replace mail.example.com with your server name.
# Name/Host
@
# Value
"v=spf1 a:mail.example.com -all"
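An added checker, not part of the tutorial, for the three TXT records: it flattens the BIND-style output of opendkim-genkey into the single value a registrar wants (and shows the 255-byte splitting the registrar does on its side), then validates the DKIM, DMARC and SPF values against what this tutorial publishes. The embedded DKIM record is a constructed, shortened stand-in for /etc/dkimkeys/mail.txt, not a real key.

```python
import re

# Constructed stand-ins for the three records from the tutorial. The DKIM one
# is in the BIND format opendkim-genkey writes to /etc/dkimkeys/mail.txt, with
# a shortened, fake public key so the example stays readable.
DKIM_TXT_FILE = ('mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "\n'
                 '  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz50PSYL0Ob" ) '
                 '; ----- DKIM key mail for example.com\n')
DMARC_VALUE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; fo=1"
SPF_VALUE = "v=spf1 a:mail.example.com -all"


def flatten_bind_txt(text):
    """Return (name, value) from a BIND-style TXT record: the quoted strings are
    concatenated as a resolver does and the trailing ';' comment is dropped."""
    name = text.split()[0]
    segments = re.findall(r'"((?:[^"\\]|\\.)*)"', text)
    if not segments:
        raise ValueError("no quoted TXT strings found")
    return name, "".join(segments)


def split_txt_strings(value, limit=255):
    """One TXT string holds at most 255 bytes, so a 2048-bit DKIM key has to be
    published as several strings; this is the splitting the registrar performs."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_tags(value):
    """Turn 'k=v; k=v' (DKIM/DMARC syntax) into a dict with lower-cased tag names."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dkim(name, value, selector="mail"):
    """Problems with a DKIM key record as this tutorial expects it (empty = fine)."""
    t, problems = parse_tags(value), []
    if name != f"{selector}._domainkey":
        problems.append(f"name should be {selector}._domainkey")
    if t.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    if t.get("k", "rsa") != "rsa":
        problems.append("key type is not rsa")
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", t.get("p", "")):
        problems.append("p= is missing or contains non-base64 characters (stray whitespace?)")
    return problems


def check_dmarc(value):
    t, problems = parse_tags(value), []
    if not value.startswith("v=DMARC1"):
        problems.append("record must start with v=DMARC1")
    if t.get("p") != "reject":
        problems.append("policy is not p=reject (tutorial publishes reject)")
    if not t.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto: address for aggregate reports")
    return problems


def check_spf(value):
    terms, problems = value.split(), []
    if not terms or terms[0] != "v=spf1":
        problems.append("record must start with v=spf1")
    if not terms or terms[-1] != "-all":
        problems.append("record should end with -all so unlisted hosts fail SPF")
    return problems
```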
PTR Record
Many mail servers rely on PTR records for verification purposes so we need to make sure our server's IP address resolves to the proper domain name. If your mail server is residing on a VPS, you will need to add this record on your VPS provider's interface, consult their documentation for details.
Creating your own Mail User
Your mail server is now up and running. Let's create an email for you to receive mail.
useradd --shell /usr/sbin/nologin --create-home --user-group user
echo "user@example.com user" >> /etc/postfix/login_maps
echo "user user" >> /etc/postfix/local_maps
postmap /etc/postfix/login_maps
postmap /etc/postfix/local_maps
postfix reload
I have a script available for adding and removing users that you can find here.
Connecting From a Mail Client
When connecting your account to a mail client you need to use these settings.
- Username: user@example.com
- Password: the password for user@example.com
- Server name: mail.example.com
- IMAP Port: 993
- IMAP Connection: SSL/TLS
- SMTP Port: 465
- SMTP Connection Type: SSL/TLS