Host an E-mail Service on Your Own VPS
Oct 17, 2022
Credit: How to run your own e-mail server with your own domain (Series)
Hosting an e-mail service definitely feels like something that can be done without significant effort. (It is so common!) Unfortunately, there are many caveats if we want to host a reasonable e-mail service that can send and receive e-mails from popular e-mail service providers like Gmail. I spent a good-old three days of trying to Google up everything and now hopefully you don't have to do it again :)
Architecture: How does an E-mail Service Work?
E-mail architecture is very complicated and consists of many different protocols and jargons. This section covers the basics of everything so we know what we are building.
At the beginning of the world, there is a protocol called SMTP (Simple Mail Transfer Protocol). SMTP allows us to input a message and deliver it to the other side. Postfix is an open-source implementation of such protocol:
Everything is good. However, it very quickly turns out that no one wants to deal with a bunch of unsorted e-mail files. Therefore, people developed the POP3/IMAP protocol to allow a user to sort all the e-mails into Unread/Read, Inbox/Junk, etc. POP3 is the older/outdated protocol and IMAP is the newer/fancier one. Dovecot is an open-source implementation of both:
The system turned out to be very successful, and everyone is sending e-mails. Actually it became too successful, and people are starting to receive a lot of spam e-mails! To remedy this issue, spam filters are introduced to detect spam emails; signatures (DKIM) and a lot of DNS-related measures (PTR, SPF, DMARC) are adopted to defend against impersonation. There is a hot debate on which spam filter is the best, but we are not going to indulge in it and just use SpamAssassin, an open-source spam detector, coupled with Dovecot Sieve to filter the mails according to the detection results:
OK, that roughly sums up the thing we are building! It is indeed very complicated, but we will go through it step by step.
Prerequisite: PTR Record and Port Availablity
To successfully set up a real e-mail server that can communicate with Gmail we will need two things beyond simply setting up the VPS: one is a PTR record, and the other is that our VPS provider cannot block us from sending e-mails.
PTR Record
A PTR record is like a reverse-DNS: you tell DNS servers what domain name you are using for your IP address, and when people query for your IP address, they can find your domain name. This mechanism is used to prove your identity and make sure that outgoing mails are not sent from frivolous domain names. Unfortunately for us, PTR records can only be set by our VPS provider since they have control of the IP address, so we must contact our VPS provider or do a search to find out.
Port Availablity
Most VPS providers limit (or ban) the connection to other servers' port 25 to limit their servers' potential as an e-mail spammer. Unfortunately we need the port to properly send e-mails.
One way to test if our server has access to port 25 is to do a telnet
test:
$ telnet smtp.gmail.com 25
Trying 173.194.209.109...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP m17-20020ae9e711000000b006aedb35d8a1sm9336266qka.74 - gsmtp
Google Cloud does not support the use of port 25. Therefore, if we try to telnet
on its server the process gets stuck:
$ telnet smtp.gmail.com 25
Trying 209.85.147.109...
Setting up Components
Postfix
Setup
Installation:
apt install postfix
The main configuration file of Postfix is /etc/postfix/main.cf
, which we are going to edit a lot. The result should be something like this:
Click here:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Original from main.cf
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
# myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
###############################################################################
# Our configuration
###############################################################################
# Net name parameters
myhostname = zhtluo.com
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# SMTPD restrictions
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
# This parameter breaks Apple mail client
# because they use fake Helo hostname: reject_unknown_helo_hostname
# https://mediaonfire.com/blog/2021_07_02_reject_unknown_helo_hostname.html
smtpd_recipient_restrictions = reject_unknown_client_hostname,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_unauth_pipelining, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_invalid_hostname, reject_non_fqdn_sender
smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_sender_login_mismatch
smtpd_sender_login_maps = $virtual_mailbox_maps
# Dealing with rejection: use permanent 550 errors to stop retries
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
# TLS parameters
tls_random_source = dev:/dev/urandom
# Incoming traffic
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/zhtluo.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/zhtluo.com/privkey.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ciphers = high
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Outgoing traffic
smtp_tls_cert_file = /etc/letsencrypt/live/zhtluo.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/zhtluo.com/privkey.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_ciphers = high
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Customized Dovecot and virtual user-specific settings
home_mailbox = Maildir/
message_size_limit = 104857600
canonical_maps = hash:/etc/postfix/canonical-maps
virtual_alias_maps = hash:/etc/postfix/virtual-alias-maps
virtual_mailbox_domains = hash:/etc/postfix/virtual-mailbox-domains
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-users
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# SASL parameters
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
# Customized milter settings
milter_default_action = accept
milter_connect_macros = j {daemon_name} v {if_name} _
non_smtpd_milters = $smtpd_milters
smtpd_milters = unix:/spamass/spamass.sock unix:/opendkim/opendkim.sock
To break it down:
Specify our hostname and what network we consider to be local (substitute with your own domain name):
# Net name parameters
myhostname = zhtluo.com
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
Enforce strict SMTPD checks to filter out spams:
# SMTPD restrictions
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
# This parameter breaks Apple mail client
# because they use fake Helo hostname: reject_unknown_helo_hostname
# https://mediaonfire.com/blog/2021_07_02_reject_unknown_helo_hostname.html
smtpd_recipient_restrictions = reject_unknown_client_hostname,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_unauth_pipelining, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_invalid_hostname, reject_non_fqdn_sender
smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_sender_login_mismatch
smtpd_sender_login_maps = $virtual_mailbox_maps
# Dealing with rejection: use permanent 550 errors to stop retries
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
Set up TLS (substitute with your own TLS certificate. Get one here if you do not have one already):
# TLS parameters
tls_random_source = dev:/dev/urandom
# Incoming traffic
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/zhtluo.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/zhtluo.com/privkey.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ciphers = high
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Outgoing traffic
smtp_tls_cert_file = /etc/letsencrypt/live/zhtluo.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/zhtluo.com/privkey.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_ciphers = high
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Configure it to work with Dovecot, OpenDKIM and SpamAssassin:
# Customized Dovecot and virtual user-specific settings
home_mailbox = Maildir/
message_size_limit = 104857600
canonical_maps = hash:/etc/postfix/canonical-maps
virtual_alias_maps = hash:/etc/postfix/virtual-alias-maps
virtual_mailbox_domains = hash:/etc/postfix/virtual-mailbox-domains
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-users
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# SASL parameters
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
# Customized milter settings
milter_default_action = accept
milter_connect_macros = j {daemon_name} v {if_name} _
non_smtpd_milters = $smtpd_milters
smtpd_milters = unix:/spamass/spamass.sock unix:/opendkim/opendkim.sock
We also need to set up what service Postfix should provide (submission, SMTPS and give received mail to Dovecot). This is done via editing /etc/postfix/master.cf
. It should look something like this:
Click here:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n - y - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
# Choose one: enable smtps for loopback clients only, or for any client.
#127.0.0.1:smtps inet n - y - - smtpd
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver
-f ${sender} -d ${recipient}
To conclude, we uncommented the part regarding submission and SMTPS, and added Dovecot to the end of the file.
Dovecot
Setup
Installation:
apt install dovecot-imapd dovecot-pop3d dovecot-sieve dovecot-managesieved
The main configuration directory of Dovecot is /etc/dovecot/conf.d
. We are going to create a file 99-main.conf
in the folder and put in our own configuration:
Click here:
# Some general options
protocols = imap pop3 sieve
ssl = yes
ssl_cert = </etc/letsencrypt/live/zhtluo.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/zhtluo.com/privkey.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
mail_home = /var/mail/vmail/%d/%n
mail_location = maildir:/var/mail/vmail/%d/%n/mail:LAYOUT=fs
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# IMAP configuration
protocol imap {
mail_max_userip_connections = 10
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
# LDA configuration
protocol lda {
postmaster_address =
[email protected]
mail_plugins = sieve
quota_full_tempfail = yes
deliver_log_format = msgid=%m: %$
rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
# Plugins configuration
plugin {
sieve=~/.dovecot.sieve
sieve_dir=~/sieve
sieve_before = /var/mail/vmail/sieve-before
sieve_after = /var/mail/vmail/sieve-after
}
# Authentication configuration
auth_mechanisms = plain login
passdb {
driver = passwd-file
args = username_format=%u scheme=ssha512 /etc/dovecot/passwd
deny = no
master = no
pass = no
skip = never
result_failure = continue
result_internalfail = continue
result_success = return-ok
}
userdb {
driver = static
args = uid=5000 gid=5000 home=/var/mail/vmail/%d/%n
}
# Log all failed authentication attempts
auth_verbose=yes
service auth {
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/dovecot-auth {
mode = 0660
user = postfix
group = postfix
}
}
service stats {
unix_listener stats-reader {
user = vmail
group = vmail
mode = 0660
}
unix_listener stats-writer {
user = vmail
group = vmail
mode = 0660
}
}
namespace inbox {
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox Junk {
special_use = \Junk
auto = subscribe
}
mailbox Trash {
special_use = \Trash
auto = subscribe
}
mailbox Sent {
special_use = \Sent
auto = subscribe
}
}
Finally, we can comment out a line in /etc/dovecot/conf.d/10-auth.conf
since we are using virtual users instead of PAM:
#!include auth-system.conf.ext
Creating a Mail Directory
We used /var/mail/vmail/
as our mail directory for virtual users in the configuration. Therefore, we should create an appropriate user to use it:
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail/vmail -m
Creating Users
First of all, we need to decide what e-mail address real Linux users on the VPS should use. This is done in /etc/aliases
:
# See man 5 aliases for format
postmaster:
[email protected]
root:
[email protected]
www-data:
[email protected]
We should then update the aliases database with:
newaliases
Then, we should set up virtual users who are not Linux users but can send and receive e-mails. Namely we need to create these four files as outlined in main.cf
:
canonical_maps = hash:/etc/postfix/canonical-maps
virtual_alias_maps = hash:/etc/postfix/virtual-alias-maps
virtual_mailbox_domains = hash:/etc/postfix/virtual-mailbox-domains
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-users
The first file is /etc/postfix/virtual-mailbox-domains
, which outlines what domain we are going to use:
zhtluo.com OK
The second file is /etc/postfix/virtual-mailbox-users
, which defines what virtual users are on the system:
The third file is /etc/postfix/virtual-alias-maps
, which allows us to redirect incoming e-mails to users on the system:
The fourth file is /etc/postfix/canonical-maps
, which allows us to map addresses so that legacy systems with a fixed e-mail address can still function. I leave it empty.
We then need to create map files for these files:
postmap /etc/postfix/virtual-mailbox-domains
postmap /etc/postfix/virtual-mailbox-users
postmap /etc/postfix/virtual-alias-maps
postmap /etc/postfix/canonical-maps
Next, we are going to create passwords for users. In Dovecot we have specified the password file to be:
args = username_format=%u scheme=ssha512 /etc/dovecot/passwd
So we should create this file. Generate a password with:
# doveadm pw -s SSHA512
Enter new password:
Retype new password:
{SSHA512}EPqCQ0Gz0+BBRtCL643gIt4G+mlyxGwma6VFziDBAZrJDCN4fSN25vH9cM3kUKRqMDvPP/3yvLSjIDPRo8+C1yV5Jos=
And paste the result into the password file:
[email protected]:{SSHA512}EPqCQ0Gz0+BBRtCL643gIt4G+mlyxGwma6VFziDBAZrJDCN4fSN25vH9cM3kUKRqMDvPP/3yvLSjIDPRo8+C1yV5Jos=
[email protected]:{SSHA512}EPqCQ0Gz0+BBRtCL643gIt4G+mlyxGwma6VFziDBAZrJDCN4fSN25vH9cM3kUKRqMDvPP/3yvLSjIDPRo8+C1yV5Jos=
[email protected]:{SSHA512}EPqCQ0Gz0+BBRtCL643gIt4G+mlyxGwma6VFziDBAZrJDCN4fSN25vH9cM3kUKRqMDvPP/3yvLSjIDPRo8+C1yV5Jos=
And we are done!
DNS Records
There are a lot DNS records to set up. We will need to provide a DKIM key for the record and sign our outgoing message with the key. We will use OpenDKIM for the purpose (substitute the last part with your domain name):
apt install opendkim opendkim-tools
mkdir /etc/opendkim
chown opendkim:opendkim /etc/opendkim
cd /etc/opendkim
opendkim-genkey -r -h sha256 -d zhtluo.com -s mail
Create a file named /etc/opendkim/KeyTable
to set up the keys:
zhtluo.com zhtluo.com:mail:/etc/opendkim/mail.private
Create a file named /etc/opendkim/SigningTable
to decide what keys to use for what domain:
*@zhtluo.com zhtluo.com
Create a file named /etc/opendkim/TrustedHosts
to allow localhost to sign:
127.0.0.1
Give every file to OpenDKIM so that it works:
chown -R opendkim:opendkim /etc/opendkim
Finally, edit the configuration file at /etc/opendkim.conf
:
Click here:
# This is a basic configuration for signing and verifying. It can easily be
# adapted to suit a basic installation. See opendkim.conf(5) and
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
# documentation of available configuration parameters.
Syslog yes
SyslogSuccess yes
#LogWhy no
# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization relaxed/simple
#Mode sv
#SubDomains no
OversignHeaders From
# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
#Domain example.com
#Selector 2020
#KeyFile /etc/dkimkeys/example.private
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
Socket local:/run/opendkim/opendkim.sock
#Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1
# Our configuration
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
LogWhy Yes
PidFile /var/run/opendkim/opendkim.pid
Socket local:/var/spool/postfix/opendkim/opendkim.sock
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UserID opendkim:opendkim
Create a socket and restart the service:
mkdir /var/spool/postfix/opendkim
chown opendkim:root /var/spool/postfix/opendkim
usermod -G opendkim postfix
service opendkim restart
Now we are going to deal with DNS by adding a lot of stuff to the DNS records. When we are done it should look like this:
The first line tells the DNS server what mail server we are using; the second line is the SPF record and the third line is the DMARC record. The fourth line is our DKIM public key: we need to copy the content in /etc/opendkim/mail.txt
to the record. All these records are needed for external servers to recognize us as a legit mail server.
SpamAssassin
Installation & adding a user for it to use:
apt install spamass-milter pyzor razor libmail-dkim-perl
usermod -a -G debian-spamd spamass-milter
Edit the configuration file in /etc/default/spamassassin
, mostly let it use the user we just created:
Click here:
# /etc/default/spamassassin
# Duncan Findlay
# WARNING: please read README.spamd before using.
# There may be security risks.
# Prior to version 3.4.2-1, spamd could be enabled by setting
# ENABLED=1 in this file. This is no longer supported. Instead, please
# use the update-rc.d command, invoked for example as "update-rc.d
# spamassassin enable", to enable the spamd service.
# Options
# See man spamd for possible options. The -d option is automatically added.
# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="-x --max-children 5 --helper-home-dir=/var/lib/spamassassin -u debian-spamd -g debian-spamd --siteconfigpath=/etc/spamassassin --socketpath=/var/spool/postfix/spamassassin/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660"
# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"
# Set nice level of spamd
#NICE="--nicelevel 15"
# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=1
Edit the configuration file in /etc/default/spamass-milter
to specify the socket:
Click here:
# spamass-milt startup defaults
# OPTIONS are passed directly to spamass-milter.
# man spamass-milter for details
# Non-standard configuration notes:
# See README.Debian if you use the -x option with sendmail
# You should not pass the -d option in OPTIONS; use SOCKET for that.
# Default, use the spamass-milter user as the default user, ignore
# messages from localhost
OPTIONS="-u spamass-milter -i 127.0.0.1 -m -I -- --socket=/var/spool/postfix/spamassassin/spamd.sock"
# Reject emails with spamassassin scores > 15.
#OPTIONS="${OPTIONS} -r 15"
# Do not modify Subject:, Content-Type: or body.
#OPTIONS="${OPTIONS} -m"
######################################
# If /usr/sbin/postfix is executable, the following are set by
# default. You can override them by uncommenting and changing them
# here.
######################################
# SOCKET="/var/spool/postfix/spamass/spamass.sock"
# SOCKETOWNER="postfix:postfix"
# SOCKETMODE="0660"
######################################
Edit the configuration file in /etc/spamassassin/local.cf
and add a couple lines at the top to use Pyzor and Razor:
Click here:
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
# Force global Bayesian databases instead of per-user
bayes_path /var/lib/spamassassin/.spamassassin/bayes
bayes_file_mode 0777
# Set Pyzor & Razor config file paths
razor_config /var/lib/spamassassin/.razor/razor-agent.conf
pyzor_options --homedir /var/lib/spamassassin/.pyzor
# A 'contact address' users should contact for more info. (replaces
# _CONTACTADDRESS_ in the report template)
# report_contact
[email protected]
# Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****
# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1
# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.
# Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock
# Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0
# Use Bayesian classifier (default: 1)
#
# use_bayes 1
# Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1
# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
# them to UTF-8 before the text is given over to rules processing.
#
# normalize_charset 1
# Textual body scan limit (default: 50000)
#
# Amount of data per email text/* mimepart, that will be run through body
# rules. This enables safer and faster scanning of large messages,
# perhaps having very large textual attachments. There should be no need
# to change this well tested default.
#
# body_part_scan_size 50000
# Textual rawbody data scan limit (default: 500000)
#
# Amount of data per email text/* mimepart, that will be run through
# rawbody rules.
#
# rawbody_part_scan_size 500000
# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
# SpamAssassin tries hard not to launch DNS queries before priority -100.
# If you want to shortcircuit without launching unneeded queries, make
# sure such rule priority is below -100. These examples are already:
#
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
# shortcircuit SUBJECT_IN_WHITELIST on
# the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST on
# shortcircuit USER_IN_BLACKLIST_TO on
# shortcircuit SUBJECT_IN_BLACKLIST on
# if you have taken the time to correctly specify your "trusted_networks",
# this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED on
# and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham
endif # Mail::SpamAssassin::Plugin::Shortcircuit
Initialize everything:
mkdir /var/lib/spamassassin/.razor
mkdir /var/lib/spamassassin/.pyzor
mkdir /var/lib/spamassassin/.spamassassin
chown -R debian-spamd:debian-spamd /var/lib/spamassassin
razor-admin -home=/var/lib/spamassassin/.razor -register
razor-admin -home=/var/lib/spamassassin/.razor -create
razor-admin -home=/var/lib/spamassassin/.razor -discover
chown -R debian-spamd:debian-spamd /var/lib/spamassassin
service spamassassin restart && service spamass-milter restart
systemctl enable spamassassin
sa-update -D
chown -R debian-spamd:debian-spamd /var/lib/spamassassin
chmod -R 700 /var/lib/spamassassin/sa-update-keys
Edit /var/lib/spamassassin/.razor/razor-agent.conf
and add this line to the file to configure Razor:
razorhome = /var/lib/spamassassin/.razor
Dovecot Sieve
Create a .sieve
file to throw spams into the Junk folder:
mkdir /var/mail/vmail/sieve-before
mkdir /var/mail/vmail/sieve-after
touch /var/mail/vmail/sieve-before/main.sieve
Edit /var/mail/vmail/sieve-before/main.sieve
and put in the filter:
require ["envelope", "fileinto", "imap4flags", "regex"];
# Trash messages with improperly formed message IDs
# Apparently Microsoft does not have proper message IDs so we cannot throw everything away
# if not header :regex "message-id" ".*@.*\\." {
# fileinto "Junk";
# setflag "\\Seen";
# stop;
# }
# File spam in spam bucket
if header :contains "X-Spam-Level" "*****" {
fileinto "Junk";
setflag "\\Seen";
}
Compile the filter:
cd /var/mail/vmail/sieve-before
sievec main.sieve
chown -R vmail:vmail /var/mail/vmail/sieve-before
chown -R vmail:vmail /var/mail/vmail/sieve-after
Restart & Test
Finally, restart every service and we should be done!
service postfix restart
service dovecot restart
A couple things to test:
- Send a message to Gmail from this server.
- Send a message from Gmail to this server.
- Send a GTube message from Gmail to this server and check that the spam filter works.
And now we have finished building an e-mail server! If you run into any problem you are more than welcome to shoot me an e-mail at the address at the bottom of the page.