Brad Smith CPA Tech Blog
Wednesday, January 16, 2069
Intro
Thursday, June 15, 2023
Oracle Free Tier VPN with Debian 12
I successfully installed Debian 12 on an Oracle Free Tier VPN with 4 CPU, 24GB memory, and 50 storage.
Debian is not one of the images available, so I started off with Canonical Ubuntu 22.04 Minimal aarch64 for the image and VM.Standard.A1.Flex for the shape. I used PuttyGen to generate public and private keys and pasted the public key into the Oracle Create Compute Instance screen. After the instance was up and running I connected to the server using Putty with the private key attached.
After connecting, getting the GUI installed was my first priority. I made a mistake in the installation with the lightdm desktop manager and was unable to connect with Windows Remote Desktop. I made several attempts to fix the error to no avail.
Oracle does not give the option to reinstall the OS to an existing instance for Free Tier customers. The only official option available was to destroy the instance and create a new one. This is not an attractive option because available shapes are limited. After trying to find a workaround I found a git that provided a script to reinstall a minimal Debian 10,11, or 12 remotely on a VPN.
https://github.com/bohanyang/debi
I was skeptical but had nothing to lose. To my pleasant surprise, the reinstallation was fast and flawless. The script provides a fresh Debian 12 install with a user named debian. I rebooted the server and logged back in with putty. Since the ssh public key was destroyed after reinstallation, I logged in with password credentials and manually added the public key as follows:
Create a text file with the public ssh keys in the user's root directory: $ sudo mkdir ~/.ssh/
$ sudo nano ~/.ssh/authorized_keys Copy and paste the public key in the above file, save, and exit.
$ sudo reboot
With that task accomplished I was off to the races.
Here are the steps I followed to create a GUI XRDP environment:
$ sudo apt update && sudo apt upgradeAfter a reboot, I was able to access the server with Windows Remote Desktop.
$ sudo apt install whiptail
$ sudo apt install accountsservice
$ sudo apt install lightdm
$ sudo dpkg-reconfigure lightdm
$ sudo apt install xfce4
$ sudo apt install xrdp
$ sudo apt install timeshift
Wednesday, November 6, 2019
Modoboa Mail Server with Apache2 as Web Server on Ubuntu 18.04
The Modoboa install script installs the Nginx web server by default. Nginx is best for static content and Apache is better for dynamic content (like php). The key advantage to using Nginx is it commands less system resources due to its architecture. Still, if your web traffic is low, the performance gains by using Nginx is negligible. I decided my website would be best served with Apache alone, though I still wanted to use Modoboa as my email server.
Since the installation script installs Nginx by default, a few modifications to the script file are needed. The following instructions assume a fresh Ubuntu 18.04 with Apache already installed. Also, make sure DNS MX record is already configured with mail.your-domain.com.
Modoboa Installer
First install mod_wsgi then restart Apache
$ sudo apt-get install libapache2-mod-wsgi $ sudo systemctl restart apache2The installation script is available from GitHub.
$ git clone https://github.com/modoboa/modoboa-installerInstall the necessary perl scripts
$ sudo apt-get install python-virtualenv python-pipNavigate to the installer directory
$ cd modoboa-installerRun the following command.
$ sudo ./run.py --stop-after-configfile-check your-domain.comYou'll get a warning that the installer.cfg file was not found so a new one was created. installer.cfg file allows you to customize certain elements of the installation. The default contents include the following:
$ [general] hostname = mail.%(domain)s [certificate] generate = true type = self-signed [letsencrypt] email = admin@your-domain.com [database] engine = postgres host = 127.0.0.1 install = true [postgres] user = postgres password =Leave the certificate type to self-signed. We will install a Let's Encrypt certificate manually later.
If you want to use MariaDB instead of postgres, change the engine type under database to mysql. Scroll down and change the instruction to install nginx to false.
[nginx]
enabled = false
Make the desired changes and save the file. Next we'll re-run the installation routine using --interactive.$ sudo ./run.py --interactive your-domain.com
If you have problems with the installation, rerun the script with the debug option:$ sudo ./run.py --interactive --debug your-domain.com
If all goes well, the completed installation should look similar to the following:Welcome to Modoboa installer! Warning: Before you start the installation, please make sure the following DNS records exist for domain 'microsmith.net': mail IN A <IP ADDRESS OF YOUR SERVER> IN MX mail.your-domain.com Your mail server will be installed with the following components: modoboa automx amavis clamav dovecot razor postfix postwhite spamassassin uwsgi radicale opendkim Do you confirm? (Y/n) The process can be long, feel free to take a coffee and come back later ;) Starting... Generating new self-signed certificate Installing amavis Installing spamassassin Installing razor Installing clamav Installing modoboa Installing automx Installing radicale Installing uwsgi Installing opendkim Installing postfix Installing postwhite Installing dovecot Congratulations! You can enjoy Modoboa at https://mail.your-domain.com (admin:password)
Apache Configuration
Next we need to create an Apache config file for mail.your-domain.com Here is the file I created in the /etc/apache2/sites-available directory and named mail.your-domain.com.conf :
<VirtualHost *:80> ServerName mail.microsmith.net DocumentRoot /srv/modoboa/instance/ Alias /media/ /srv/modoboa/instance/media/ <Directory /srv/modoboa/instance/media> Order deny,allow Allow from all </Directory> Alias /sitestatic/ /srv/modoboa/instance/sitestatic/ <Directory /srv/modoboa/instance/sitestatic> Order deny,allow Allow from all </Directory> </VirtualHost>Next we need to configure the Apache config file.
$ sudo nano /etc/apache2/apache2.confScroll down the page and uncomment (or add if it's missing) the following lines.
<Directory /srv/> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory>In addition, we need to configure WSGI. Add the following lines to the Apache config file:
WSGIScriptAlias / /srv/modoboa/instance/instance/wsgi.py WSGIPythonHome /srv/modoboa/env/ WSGIPythonPath /srv/modoboa/instance/ <Directory /srv/modoboa/instance/instance> <Files wsgi.py> Require all granted </Files> </Directory> WSGIPassAuthorization OnSave the file and reboot.
Install Lets Encrypt Certificate
Make sure the https port 443 is included in your firewall configuration. See Install Firewall (ufw).
Install certbot
Add the PPA and install certbot (install software-properties-common if necessary)
$ sudo apt-get install software-properties-common $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt update
$ sudo apt install python-certbot-apache
Install certificate:
Install the certificate as shown
$ sudo certbot --apache -d mail.your-domain.com
Answer any prompts and wait for the confirmation that the certificate has been issued. If you have problems getting the certificate issue, try visiting the website https://letsdebug.net/. The Let's Encrypt Certificate is only valid for 90 days. However the certbot installation includes a cron script that auto renews the certificate 30 days before expiration. The script is located at /etc/cron.d.You can test the renewal process by running the following command again:
$ sudo certbot renew --dry-run
<IfModule mod_ssl.c> <VirtualHost *:443> ServerName mail.your-domain.com DocumentRoot /srv/modoboa/instance/ Alias /media/ /srv/modoboa/instance/media/ <Directory </srv/modoboa/instance/media> Order deny,allow Allow from all </Directory> Alias /sitestatic/ /srv/modoboa/instance/sitestatic/ <Directory /srv/modoboa/instance/sitestatic> Order deny,allow Allow from all </Directory> SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> </IfModule>Note your certificate file path may vary.
There are two additional lines we need to add to the Apache config file file. Add the two following lines after the WSGIScriptAlias.
WSGIDaemonProcess your-domain.com python-path=/srv/modoboa/instance:/srv/modoboa/env/lib/python2.7/site-packages WSGIProcessGroup your-domain.com
Modoboa Log-In Panel
Modoboa is programmed to work with IMAP. If you want to connect to your mail server via pop3 to another email service, you need to make configuration changes. The easiest was to do this is to install dovecot-pop3d.
$ sudo apt install dovecot-pop3dOpen firewall ports for 25, 587, 993, 995.
We're now ready to log into the Modoboa panel. Go to https://mail.your-domain.com. Your log-in is Admin and the password is password. Once you're logged in change your username and/or password. Click on the user name in the top right of the menu panel, then go to settings>>profile to make the changes.
To set up domains for the server, click Domains from the top menu bar then click the Add+ button. Be sure to enable dkim signing. Once the domain is setup, you can retrieve the public key for DKIM by selecting Domains from the top menu bar, then click the domain name. Click the Show key button in the DNS box on the top right. You will need to add the domain key to your DNS settings.
If you plan to use Modoboa's webmail (I used it for testing) you should change the IMAP and SMTP ports and enable ssl/tls. Click Modoboa in the menu bar, then select the Webmail tab. Under IMAP settings, click the radio button to use a secure connection and change the port to 993. Under SMTP settings, click the radio button to enable STARTTLS, change the server port to 587, then click the "Yes" radio button to require authentication. Click save.
Monday, November 4, 2019
Awstats setup on Apache2 Ubuntu 18.04
Awstats is a useful free program that provides website statistics. The installation in this guide was performed on a Ubuntu 18.04 server running Apache2.
Install and Configure Awstats
$ sudo apt install awstats libgeo-ip-perl libgeo-ipfree-perlEdit domain config file
$ sudo nano /etc/apache2/sites-available/your-domain.com
Append log file names to separate stats for each website you'll track. Edit thefollowing within the <VirtualHost> tagErrorLog ${APACHE_LOG_DIR}/your-domain.com_error.log CustomLog ${APACHE_LOG_DIR}/your-domain.com_access.log combinedAdd the following before the closing </VirtualHost> tag.
Alias /awstatsclasses "/usr/share/awstats/lib/" Alias /awstats-icon/ "/usr/share/awstats/icon/" Alias /awstatscss "/usr/share/doc/awstats/examples/css" ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ ScriptAlias /awstats/ /usr/lib/cgi-bin/ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatchSave file. Enable the CGI module
$ sudo a2enmod cgiConfigure Awstats files for default website. Back up the file
$ sudo cp /etc/awstats/awstats.conf /etc/awstats/awstat.conf.bakThen edit
$ sudo nano /etc/awstats/awstats.confEdit the following lines as shown
LogFile="/var/log/apache2/your-domain.com_access.log" LogFormat=1 SiteDomain="your-domain.com" HostAliases="your-domain.com localhost 127.0.0.1" DirData="/var/lib/awstats/your-domain.com"Save file. Give user www-data log access permissions (the following command requires "acl")
$ sudo setfacl -R -m "u:www-data:rx" /var/log/apache2/Create directory structure to hold data and then grant permissions
$ sudo mkdir -p /var/lib/awstats/your-domain.com $ sudo chown www-data:www-data /var/lib/awstats/your-domain.comRestart Apache2
$ sudo systemctl restart apache2The stats for your main (or only) domain should be accessible now at your-domain.com/cgi-bin/awstats.pl. Cron should be set to update awstats every ten minutes by default.
Secure access to Awstats page
Now that Astats is working you'll want to restrict access. Run the following to set a password for admin. The password will be stored at /etc/apache2/htpasswd.
$ sudo htpasswd -c /etc/apache2/htpasswd adminConfigure the Apache virtual host file
$ sudo nano /etc/apache2/sites-available/your-domain.com.conf
Then add the following<Directory "/usr/lib/cgi-bin/"> AuthUserFile /etc/apache2/htpasswd AuthName "Please Enter Your Password" AuthType Basic Require valid-user </Directory>Save the file. Restart Apache2
$ sudo systemctl restart apache2Now when you access the awstats page you should be prompted to enter a user name and password.
Multiple Websites
Create an awstats config file for your other websites.
$ sudo nano /etc/awstats/awstats.your-other-domain.com.conf
An include statement at the top will bring over the settings from the default awstats file. We just need to change some of the directives from the default by adding the following linesInclude "/etc/awstats/awstats.conf" SiteDomain="your-other-domain.com" HostAliases="your-other-domain.com localhost 127.0.0.1" DirData="/var/lib/awstats/your-other-domain.com" LogFile="/var/log/apache2/your-other-domain.com_access_log"Create directory structure and set permissions.
$ sudo mkdir -p /var/lib/awstats/your-other-domain.com $ sudo chown www-data:www-data /var/lib/awstats/your-other-domain.comRestart Apache2
$ sudo systemctl restart apache2Cron will update the stats in ten minutes. If you want to check your configuration now run the following:
$ sudo -l -c /usr/share/awstats/tools/update.sh www-data
Log File Permissions and Rotation
Edit the Apache logrotate file to give apache read permissions to everyone.
$ sudo nano /etc/logrotate.d/apache2Edit the following line as shown
create 644 root adm
Save the file.Tuesday, September 24, 2019
Email Spam and Virus Filters
Helpful websites: Postfix Amavis New, Mail Filtering.
Excellent article on spam filtering using postfix
Install mail filtering programs and utilities
$ sudo apt install amavisd-new spamassassin clamav-daemon $ sudo apt-get install libnet-dns-perl libmail-spf-perl pyzor razor $ sudo apt-get install arj bzip2 cabextract cpio file gzip lhasa liblz4-tool lrzip nomarch pax rar ripole rpm unrar-free lzop unzip zipCross add clamav and amvis to each other's group
$ sudo adduser clamav amavis $ sudo adduser amavis clamavAmavis is its own spamassassin-daemon (amavis uses the spamassassin libraries). There is no need to configure spamassassin.
Enable pyzor and razor
$ sudo amavis -s /bin/bash $ sudo razor-admin -create $ sudo razor-admin -registerActivate spam and antivirus detection in Amavis. Edit /etc/amavis/conf.d/15-content_filter_mode
$ sudo nano /etc/amavis/conf.d/15-content_filter_mode
use strict; # You can modify this file to re-enable SPAM checking through spamassassin # and to re-enable antivirus checking. # # Default antivirus checking mode # Uncomment the two lines below to enable it # @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); # # Default SPAM checking mode # Uncomment the two lines below to enable it # @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); 1; # insure a defined return
$ sudo nano /etc/amavis/conf.d/50-userEdit as follows
$myhostname = 'your-mail-server-domain.com'; @local_domains_acl = ( "your-domain.com", "your-domain.org" );or configure last line above this way
@local_domains_acl = qw(.);Restart amavis service
$ sudo systemctl restart amavis
Postfix integration
Run the following command
$ sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'Edit postfix master.cf
$ sudo nano /etc/postfix/master.cfAdd the following to the end of file
smtp-amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_miltersAlso add the following to the postfix master.cer file immediately after the pickup transport service.
-o content_filter= -o receive_override_options=no_header_body_checksRestart postfix service
$ sudo systemctl restart postfix
Testing
Test that amavisd-new is listening
$ telnet localhost 10024 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 [127.0.0.1] ESMTP amavisd-new service ready ^] 22Review incoming email headers for the presence of X-Virus-Scanned and X-Spam-Status entries.
Get last date clamav virus definitions were updated
$ strings /var/lib/clamav/daily.cld|head -1|cut -c1-2
Website Security with fresh Ubuntu 18.04 install
First update and upgrade
# apt update # apt upgrade
Update Firewall (ufw)
Firewall needs to be enabled# ufw enableVerify firewall is active
# ufw status verboseAllow access to port 22
# ufw allow 22Configure firewall to allow the following additional ports:
- 80
- 8080
- 443
# sudo ufw allow from ###.###.###.### to any port 3389Recheck ufw status
# ufw status verboseThe results should be similar to the following:
Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skipTo Action From -- ------ ---- 22 ALLOW IN Anywhere 80 ALLOW IN Anywhere 8080 ALLOW IN Anywhere 443 ALLOW IN Anywhere
3389 ALLOW IN ###.###.###.### 22 (v6) ALLOW IN Anywhere (v6) 80 (v6) ALLOW IN Anywhere (v6) 8080 (v6) ALLOW IN Anywhere (v6) 443 (v6) ALLOW IN Anywhere (v6)
Set up user
Add a user
# adduser example_user
Add to sudo group (if new user needs root privileges)
# adduser example_user sudo
Exit then log-in with new credentials.Secure SSH Log-in Using PuTTY
Enable firewall for ssh access
$ sudo ufw allow ssh
Configure the server
Backup the sshd_config file
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
$ sudo nano /etc/ssh/sshd_config
Generate keys with PuTTYgen
- Go to Windows Start menu → All Programs → PuTTY→ PuTTYgen
- Generate a public/private key pair
- Parameters (use defaults)
- Type of key: RSA
- bits: 2048
- click Generate
- Putty uses mouse movements for randomness
- When key generation is complete enter a passphrase
- Save public key
- Save private key
- Install public key on server
- In the users root directory create .ssh folder
$ mkdir ~/.ssh
- Create a new file as follows:
$ nano ~/.ssh/authorized_keys
- Copy/paste the public key created in step 2 in the new file. The key must be all on one line.
- Save the file
- Exit
Disable "root" user
$ sudo nano /etc/ssh/sshd_configFor security purposes, change PermitRootLogin to no. Save file. Reboot.
Monday, September 23, 2019
Ubuntu 18.04 email using postfix, dovecot, and opendkim
The following assumes you have already set up your webserver with apache2 and/or nginx, and secured the website with a Let's Encrypt certificate.
Hostname
$ sudo hostnamectl set-hostname your-domain
To verify changes relog-in and run the followinghostname -f
DNS
Name: @; Type: MX; Content: mail.your-domain.com Name:mail.your-domain.com: Type: A; Content: your-ip
$ sudo apt update $ sudo apt install postfix -yYou will be prompted to answer some questions.
Type: Internet Site
System mail name: your-domain.com
Configure postfix. Review the postfix main config file.$ sudo nano /etc/postfix/main.cfReview the following and edit as needed
myhostname = your-domain.com mydomain = your-domain.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = $mydomain, localhost.$mydomain, localhost; relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all home_mailbox = Maildir/
$ sudo nano /etc/postfix/master.cfAdd the submission section to the end of the file
submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_tls_wrappermode=no -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
$ sudo nano /etc/postfix/main.cfAdd the following to the end of the file
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.your-domain.com/fullchain.pem smtpd_tls_key_file=/etc/letsencrypt/live/mail.your-domain.com/privkey.pem smtpd_tls_security_level=may smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 smtpd_tls_loglevel = 1 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_security_level = may smtp_tls_loglevel = 1 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Restart postfix service.
$ sudo systemctl restart postfix
Install and configure dovecot
$ sudo apt install dovecot-core dovecot-imapdEdit the main dovecot config file.
$ sudo nano /etc/dovecot/dovecot.confAdd the following to enable imap
protocols = imap
$ sudo nano /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
$ sudo nano /etc/dovecot/conf.d/10-ssl.confEdit file to require SSL
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem
$ sudo nano /etc/dovecot/conf.d/10-master.conf
service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } }Auto create folders
$ sudo nano /etc/dovecot/conf.d/15-mailboxes.conf
mailbox Trash {
auto = create
special_use = \Trash
}
Tell Dovecot to use Maildir.$ sudo nano /etc/dovecot/conf.d/10-mail.confReplace /etc/dovecot/conf.d/10-mail.conf with the following:/etc/dovecot/conf.d/10-mail.conf
$ sudo systemctl restart dovecot $ sudo systemctl restart postfix
Sender Policy Framework - SPF
Add a DNS record for SPF.
Name: @; Type: TXT; Content: v=spf1 mx ~allThere are several SPF tags and mechanisms.
You can invoke SPF checking for incoming email
sudo apt install postfix-policyd-spf-python
$ sudo nano /etc/postfix/master.cf
policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf
$ sudo nano /etc/postfix/main.cfAdd to the end of file
policyd-spf_time_limit = 3600 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf
$ sudo systemctl restart postfix
DKIM
Install opendkim.
$ sudo apt install opendkim opendkim-toolsAdd postfix to opendkim user group.
$ sudo gpasswd -a postfix opendkim
$ sudo nano /etc/opendkim.conf
Canonicalization relaxed/simple
Mode sv
SubDomains no
Add the following after Subdomains no.AutoRestart yes AutoRestartRate 10/1M Background yes DNSTimeout 5 SignatureAlgorithm rsa-sha256
#OpenDKIM user # Remember to add user postfix to group opendkim UserID opendkim # Map domains in From addresses to keys used to sign messages KeyTable refile:/etc/opendkim/key.table SigningTable refile:/etc/opendkim/signing.table # Hosts to ignore when verifying signatures ExternalIgnoreList /etc/opendkim/trusted.hosts # A set of internal hosts whose mail should be signed InternalHosts /etc/opendkim/trusted.hosts
Create Signing Table, Key Table and Trusted Hosts Files
Create directory structure.
$ sudo mkdir /etc/opendkim $ sudo mkdir /etc/opendkim/keysChange ownership and permissions.
$ sudo chown -R opendkim:opendkim /etc/opendkim $ sudo chmod go-rw /etc/opendkim/keys
$ sudo nano /etc/opendkim/signing.table
*@your-domain.com default._domainkey.your-domain.com
Save and close. Create key table.$ sudo nano /etc/opendkim/key.table
$ default._domainkey.your-domain.com your-domain.com:default:/etc/opendkim/keys/your-domain.com/default.private
$ sudo nano /etc/opendkim/trusted.hostsAdd the following lines.
127.0.0.1
localhost
*.your-domain.com
$ sudo mkdir /etc/opendkim/keys/your-domain.com
Generate keys.$ sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s default -v
$ sudo chown opendkim:opendkim /etc/opendkim/keys/your-domain.com/default.private
$ sudo cat /etc/opendkim/keys/your-domain.com/default.txt
Name: default._domainkey.your-domain.com; Type: TXT; Content: v=DKIM1; k=rsa; p=KEYSTRINGHERE
$ sudo opendkim-testkey -d your-domain.com -s default -vvv
Connect opendkim to postfix
Create directory structure.
$ sudo mkdir /var/spool/postfix/opendkim $ sudo chown opendkim:postfix /var/spool/postfix/opendkimOpen conf file.
$ sudo nano /etc/opendkim.confFind this line.
Socket local:/var/run/opendkim/opendkim.sock
Socket local:/var/spool/postfix/opendkim/opendkim.sock
$ sudo nano /etc/postfix/main.cf
# Milter configuration milter_default_action = accept milter_protocol = 6 smtpd_milters = local:/opendkim/opendkim.sock non_smtpd_milters = $smtpd_miltersSave and close the file then restart opendkim and postfix.
$ sudo systemctl restart opendkim $ sudo systemctl restart postfix
$ [email protected]
DMARC
Set up a DMARC record in your DNS table similar to the following.
Name: _dmarc.your-domain.com; Type: TXT; Content: v=DMARC1; p=none; pct=100; fo=1; rua=mailto:[email protected]
v - DMARC version p - policy (what to do with email that doesn't pass the dmarc test. pct - The percentage of email the policy should be applied fo - report preferences: 0 (default): generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result 1: generate reports if any mechanisms fail. d: generate report if DKIM signature failed to verify s: generate report if SPF failed rua - the email address dmarc reports should be sent toCheck your dmarc set-up as follows
dig txt +short _dmarc.example.com
Set up aliases
Open alias file$ sudo nano /etc/aliases