Most of these steps were taken from linuxbabe.com and modified for my purposes. If you want more insight visit her website.
The following assumes you have already set up your webserver with apache2 and/or nginx, and secured the website with a Let's Encrypt certificate.
Hostname
$ sudo hostnamectl set-hostname your-domain
To verify the change, log out, log back in and run:
$ hostname -f
DNS
Name: @; Type: MX; Content: mail.your-domain.com
Name: mail.your-domain.com; Type: A; Content: your-ip
Also ask your hosting provider to set a PTR (reverse DNS) record for your-ip that points back to mail.your-domain.com; many receiving servers reject or spam-folder mail from hosts whose reverse DNS does not match.
Install and configure postfix
$ sudo apt update
$ sudo apt install postfix -y
You will be prompted to answer some questions.
Type: Internet Site
System mail name: your-domain.com
Configure postfix. Open the postfix main config file.
$ sudo nano /etc/postfix/main.cf
Review the following settings and edit as needed:
myhostname = your-domain.com
mydomain = your-domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $mydomain, localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
Every network listed in mynetworks may relay mail through this server without authenticating, so keep 192.168.0.0/24 only if you trust every host on that LAN. Otherwise leave just the loopback entries and let your own clients authenticate on the submission port configured below.
Open the postfix master config file.
$ sudo nano /etc/postfix/master.cf
Add the submission section to the end of the file:
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
This opens port 587 for your mail clients. smtpd_tls_security_level=encrypt forces STARTTLS before any authentication, so passwords never cross the wire in clear text, and the relay restriction lets only SASL-authenticated clients relay mail to other domains.
More edits to the postfix main config file.
$ sudo nano /etc/postfix/main.cf
Add the following to the end of the file:
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"may" is opportunistic TLS, which is the right setting for port 25: other mail servers are not required to offer TLS, and demanding it there would bounce their mail. The submission service above overrides it with encrypt for your own clients. The certificate must be issued for mail.your-domain.com, the name clients and other servers connect to. Postfix loads the key before dropping privileges, so Let's Encrypt's root-only permissions on privkey.pem can stay as they are.
Restart postfix service.
$ sudo systemctl restart postfix
Install and configure dovecot
$ sudo apt install dovecot-core dovecot-imapd
Edit the main dovecot config file.
$ sudo nano /etc/dovecot/dovecot.conf
Add the following to enable IMAP:
protocols = imap
Configure authentication.
$ sudo nano /etc/dovecot/conf.d/10-auth.conf
Uncomment this line so that plaintext authentication is refused on connections that are not protected by SSL/TLS:
disable_plaintext_auth = yes
Configure TLS.
$ sudo nano /etc/dovecot/conf.d/10-ssl.conf
Edit the file to require SSL:
ssl = required
Provide your SSL certificate addresses.
ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem
The leading < tells Dovecot to read the file contents. Dovecot opens these files as root before dropping privileges, so the key can stay readable by root only.
SASL Authentication Between Postfix and Dovecot
$ sudo nano /etc/dovecot/conf.d/10-master.conf
Change service auth section.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
The socket lives under /var/spool/postfix because Postfix's smtpd runs chrooted in that directory; the relative path private/auth in the submission section of master.cf resolves to this listener.
Auto create folders.
$ sudo nano /etc/dovecot/conf.d/15-mailboxes.conf
Add auto = create to folders as you see fit. Example:
mailbox Trash {
auto = create
special_use = \Trash
}
Tell Dovecot to use Maildir.
$ sudo nano /etc/dovecot/conf.d/10-mail.conf
Set the mail location so it matches home_mailbox = Maildir/ in the Postfix configuration above:
mail_location = maildir:~/Maildir
Restart services.
$ sudo systemctl restart dovecot
$ sudo systemctl restart postfix
Sender Policy Framework - SPF
Add a DNS record for SPF.
Name: @; Type: TXT; Content: v=spf1 mx ~all
There are several SPF tags and mechanisms. This record authorizes the hosts named in your MX records to send mail for the domain, and ~all tells receivers to soft-fail everything else.
You can also have Postfix check SPF on incoming email by installing the policy daemon:
$ sudo apt install postfix-policyd-spf-python
Configure.
$ sudo nano /etc/postfix/master.cf
Add to the end of file.
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
Save, then open the main config file.
$ sudo nano /etc/postfix/main.cf
Add to the end of the file:
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf
The order matters: reject_unauth_destination comes before the policy check, so the server refuses to relay for foreign domains regardless of what the SPF policy says, and the SPF check only runs for mail addressed to domains this server accepts.
Save the file, then restart the postfix service.
$ sudo systemctl restart postfix
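The relay settings spread over the steps above (mynetworks, the submission service and smtpd_recipient_restrictions) are what keep this box from becoming an open relay. The script below is an added example, not part of the original guide: it audits a main.cf for those settings and runs here on two constructed samples, one mirroring this guide's settings and one deliberately broken. The function names cf_get and audit_main_cf and the sample texts are mine; on a live host feed it the output of `postconf -n`, which prints the same key = value lines.

```sh
#!/bin/sh
# Added example: audit the relay and TLS settings of a Postfix main.cf.
# Not part of the guide; it checks the settings the guide sets above.

# Constructed sample 1: the settings this guide ends up with (abridged).
HARDENED_CF='myhostname = your-domain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_security_level=may
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf'

# Constructed sample 2: a misconfiguration that would make the box an open relay.
OPEN_RELAY_CF='myhostname = your-domain.com
mynetworks = 0.0.0.0/0
smtpd_tls_security_level=none
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated'

# cf_get CONFIG_TEXT PARAM -> value of the last assignment of PARAM
# (Postfix itself uses the last one when a parameter is set twice).
cf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# audit_main_cf CONFIG_TEXT -> prints one FAIL line per problem and WARN lines
# for things to think about; returns the number of FAILs (0 = passed).
audit_main_cf() {
    findings=0
    case "$(cf_get "$1" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "FAIL smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"
           findings=$((findings + 1)) ;;
    esac
    nets=$(cf_get "$1" mynetworks)
    case "$nets" in
        *0.0.0.0/0*|*::/0*) echo "FAIL mynetworks trusts the whole Internet: $nets"
                            findings=$((findings + 1)) ;;
    esac
    # Anything beyond loopback relays without a password; make that a conscious choice.
    for n in $nets; do
        case "$n" in
            127.*|'[::1]'*|'[::ffff:127.'*) ;;
            *) echo "WARN mynetworks lets every host in $n relay without authentication" ;;
        esac
    done
    case "$(cf_get "$1" smtpd_tls_security_level)" in
        may|encrypt) ;;
        *) echo "FAIL smtpd_tls_security_level must be 'may' (port 25) or 'encrypt' (submission)"
           findings=$((findings + 1)) ;;
    esac
    [ -n "$(cf_get "$1" smtpd_tls_cert_file)" ] || {
        echo "FAIL smtpd_tls_cert_file is not set"; findings=$((findings + 1)); }
    return "$findings"
}

# Stand-alone run. On a live host: audit_main_cf "$(postconf -n)"
audit_main_cf "$HARDENED_CF" && echo "hardened sample: passed"
audit_main_cf "$OPEN_RELAY_CF" || echo "open-relay sample: $? problem(s)"
```

The hardened sample passes but still prints a WARN for 192.168.0.0/24, which is exactly the trade-off the mynetworks line makes. An end-to-end check of the same thing: from a host outside mynetworks, open `openssl s_client -starttls smtp -connect mail.your-domain.com:25`, issue MAIL FROM and a RCPT TO at some external domain without authenticating, and confirm Postfix answers with "Relay access denied".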
DKIM
Install opendkim.
$ sudo apt install opendkim opendkim-tools
Add postfix to the opendkim user group.
$ sudo gpasswd -a postfix opendkim
Configure.
$ sudo nano /etc/opendkim.conf
Find the following lines, uncomment them and change Canonicalization from simple to relaxed/simple:
Canonicalization relaxed/simple
Mode sv
SubDomains no
Add the following after SubDomains no.
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
Add the following to the end of file. Ubuntu may already include the first section for UserID.
# OpenDKIM user
# Remember to add user postfix to group opendkim
UserID opendkim
# Map domains in From addresses to keys used to sign messages
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
# Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/trusted.hosts
# A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts
Save and close file.
Create Signing Table, Key Table and Trusted Hosts Files
Create directory structure.
$ sudo mkdir /etc/opendkim
$ sudo mkdir /etc/opendkim/keys
Change ownership and permissions so that only the opendkim user can read the private keys.
$ sudo chown -R opendkim:opendkim /etc/opendkim
$ sudo chmod go-rw /etc/opendkim/keys
Create signing table.
$ sudo nano /etc/opendkim/signing.table
Add the following line.
*@your-domain.com default._domainkey.your-domain.com
Save and close. Create the key table.
$ sudo nano /etc/opendkim/key.table
Add the following line.
default._domainkey.your-domain.com your-domain.com:default:/etc/opendkim/keys/your-domain.com/default.private
Save and close. Create trusted hosts file
$ sudo nano /etc/opendkim/trusted.hosts
Add the following lines.
127.0.0.1
localhost
*.your-domain.com
Create file structure.
$ sudo mkdir /etc/opendkim/keys/your-domain.com
Generate keys.
$ sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s default -v
Change ownership of private key.
$ sudo chown opendkim:opendkim /etc/opendkim/keys/your-domain.com/default.private
Add the public key to your DNS records. Print the record opendkim-genkey wrote:
$ sudo cat /etc/opendkim/keys/your-domain.com/default.txt
The value after p= is the public key. Because a 2048-bit key is longer than the 255 characters a single TXT string may hold, the file shows it split across several quoted strings; join them into one string without the quotes when you paste it into your DNS provider's form. Add the DNS record with that key string after p=:
Name: default._domainkey.your-domain.com; Type: TXT; Content: v=DKIM1; k=rsa; p=KEYSTRINGHERE
Once the record has propagated, test the published key.
$ sudo opendkim-testkey -d your-domain.com -s default -vvv
If the setup is good the response ends with key OK.
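Joining the quoted chunks of default.txt by hand is where DKIM setups most often go wrong (a dropped chunk still yields a record that looks valid but never verifies). The script below is an added example, not from the guide or from OpenDKIM: it joins the chunks into the single TXT value to paste, extracts the p= key, and compares the local key with what dig returns after publishing. The samples are constructed with placeholder key material, and the function names (dkim_join_txt, dkim_pubkey, dkim_record_ok, dkim_records_match) are mine.

```sh
#!/bin/sh
# Added example (not from the guide): turn the multi-string TXT record that
# opendkim-genkey writes into the single value a DNS provider's form expects,
# and compare it with what dig returns once the record is published.

# Constructed sample of default.txt; the key material is a placeholder, not a real key.
SAMPLE_DEFAULT_TXT='default._domainkey  IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakeKeyPart1"
      "fakeKeyPart2IDAQAB" )  ; ----- DKIM key default for your-domain.com'

# Constructed sample of `dig +short TXT default._domainkey.your-domain.com`
# after the record was published correctly (same placeholder key).
SAMPLE_DIG_OK='"v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakeKeyPart1" "fakeKeyPart2IDAQAB"'

# Constructed sample of a bad publish: the last chunk was dropped when pasting.
SAMPLE_DIG_TRUNCATED='"v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakeKeyPart1"'

# dkim_join_txt TEXT -> every double-quoted chunk concatenated, quotes removed.
# DNS limits one character-string to 255 bytes, so a 2048-bit key is always split.
dkim_join_txt() {
    printf '%s\n' "$1" | grep -o '"[^"]*"' | tr -d '"\n'
}

# dkim_pubkey TEXT -> the base64 value of the p= tag (empty if there is none).
# The tag must follow a space or ';' so a "p=" inside the base64 is never matched.
dkim_pubkey() {
    dkim_join_txt "$1" | sed -n 's|.*[; ]p=\([A-Za-z0-9+/=]*\).*|\1|p'
}

# dkim_record_ok TEXT -> 0 if the joined record starts with v=DKIM1 and carries a key.
dkim_record_ok() {
    case "$(dkim_join_txt "$1")" in
        v=DKIM1*) [ -n "$(dkim_pubkey "$1")" ] ;;
        *) return 1 ;;
    esac
}

# dkim_records_match LOCAL PUBLISHED -> 0 if both carry the same, non-empty public key.
dkim_records_match() {
    l=$(dkim_pubkey "$1"); r=$(dkim_pubkey "$2")
    [ -n "$l" ] && [ "$l" = "$r" ]
}

# Stand-alone run. On a live host replace the samples with
#   "$(sudo cat /etc/opendkim/keys/your-domain.com/default.txt)" and
#   "$(dig +short TXT default._domainkey.your-domain.com)".
echo "TXT value to paste: $(dkim_join_txt "$SAMPLE_DEFAULT_TXT")"
dkim_records_match "$SAMPLE_DEFAULT_TXT" "$SAMPLE_DIG_OK" && echo "published key matches local key"
dkim_records_match "$SAMPLE_DEFAULT_TXT" "$SAMPLE_DIG_TRUNCATED" || echo "published key does NOT match local key"
```

The comparison is on the p= value only, so it is unaffected by a provider re-splitting the record into different chunk lengths, which is normal and harmless.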
Connect opendkim to postfix
Create directory structure.
$ sudo mkdir /var/spool/postfix/opendkim
$ sudo chown opendkim:postfix /var/spool/postfix/opendkim
Open the conf file.
$ sudo nano /etc/opendkim.conf
Find this line.
Socket local:/var/run/opendkim/opendkim.sock
Replace with this.
Socket local:/var/spool/postfix/opendkim/opendkim.sock
Save and close file. Open postfix main config file.
$ sudo nano /etc/postfix/main.cf
Add the following after smtpd_recipient_restriction.
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
The socket path is relative to /var/spool/postfix because smtpd runs chrooted there, which is why the socket was moved into that directory. milter_default_action = accept means mail still flows if opendkim is down, but it goes out unsigned; watch the mail log for milter connection errors after restarts.
Save and close the file, then restart opendkim and postfix.
$ sudo systemctl restart opendkim
$ sudo systemctl restart postfix
Check your spf and dkim set up by sending an email to the following.
[email protected]
You should get a response indicating whether your setup has passed the checks.
DMARC
Set up a DMARC record in your DNS table similar to the following.
Name: _dmarc.your-domain.com; Type: TXT; Content: v=DMARC1; p=none; pct=100; fo=1; rua=mailto:[email protected]
The parameters are as follows:
v - DMARC version
p - policy: what receivers should do with email that fails the DMARC check (none, quarantine or reject). p=none only asks for reports; move to quarantine and then reject once the reports show your legitimate mail passing SPF and DKIM.
pct - the percentage of failing email the policy should be applied to
fo - report preferences:
  0 (default): generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result
  1: generate reports if any mechanism fails
  d: generate a report if the DKIM signature failed to verify
  s: generate a report if SPF failed
rua - the email address DMARC aggregate reports should be sent to
Check your DMARC setup as follows:
$ dig txt +short _dmarc.your-domain.com
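A record with a typo in one tag is silently ignored by receivers, so it is worth validating the string before publishing it. The script below is an added example, not part of the guide: it pulls individual tags out of a DMARC record and checks the constraints described above (v first, a valid p, pct within 0-100, rua as a mailto: URI). The samples are constructed, the rua address dmarc@your-domain.com is a placeholder for whatever mailbox you choose, and the function names dmarc_tag and dmarc_check are mine.

```sh
#!/bin/sh
# Added example (not from the guide): sanity-check a DMARC TXT record before
# publishing it, using the tags explained above.

# Constructed sample: the monitoring-only record this guide starts with
# (the rua address is a placeholder).
DMARC_MONITOR='v=DMARC1; p=none; pct=100; fo=1; rua=mailto:dmarc@your-domain.com'

# Constructed sample: four typical mistakes in one record.
DMARC_BROKEN='p=rejekt; pct=150; rua=dmarc@your-domain.com'

# dmarc_tag RECORD TAG -> value of TAG, or empty if absent. Tags are separated by ';'.
dmarc_tag() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# dmarc_check RECORD -> prints FAIL/WARN lines, returns the number of FAILs (0 = passed).
dmarc_check() {
    rec=$1; fails=0
    # v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    case "$rec" in
        v=DMARC1*) ;;
        *) echo "FAIL record must begin with v=DMARC1"; fails=$((fails + 1)) ;;
    esac
    p=$(dmarc_tag "$rec" p)
    case "$p" in
        none|quarantine|reject) ;;
        *) echo "FAIL p must be none, quarantine or reject (got '$p')"; fails=$((fails + 1)) ;;
    esac
    pct=$(dmarc_tag "$rec" pct); pct=${pct:-100}   # 100 is the default when pct is absent
    case "$pct" in
        *[!0-9]*) echo "FAIL pct must be an integer (got '$pct')"; fails=$((fails + 1)) ;;
        *) [ "$pct" -le 100 ] || { echo "FAIL pct must be 0-100 (got $pct)"; fails=$((fails + 1)); } ;;
    esac
    rua=$(dmarc_tag "$rec" rua)
    case "$rua" in
        '') echo "WARN no rua: without aggregate reports you cannot tell when it is safe to tighten p" ;;
        mailto:?*@?*) ;;
        *) echo "FAIL rua must be a mailto: URI (got '$rua')"; fails=$((fails + 1)) ;;
    esac
    [ "$p" = none ] && echo "WARN p=none only monitors; raise to quarantine, then reject, once reports show legitimate mail passing SPF/DKIM"
    return "$fails"
}

# Stand-alone run. For a published record: dmarc_check "$(dig +short TXT _dmarc.your-domain.com | tr -d '"')"
dmarc_check "$DMARC_MONITOR" && echo "monitor record: passed"
dmarc_check "$DMARC_BROKEN" || echo "broken record: $? problem(s)"
```

The broken sample fails all four checks even though a casual read of it looks plausible, which is the point: receivers do not tell you when they discard a malformed record.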
Set up aliases
Open the alias file.
$ sudo nano /etc/aliases
Edit file as needed.
# See man 5 aliases for format
postmaster: root
abuse: root
webmaster: root
admin: root
root: the account you want root's mail delivered to (for example your own login user)
After editing, run sudo newaliases so Postfix rebuilds the alias database it reads from alias_database.
Thunderbird
If you choose Thunderbird for email, note that the first time you open it you need to change where Thunderbird stores your inbound mail. Enable the menu bar (right-click at the top and tick Menu Bar, or press Alt or F10). Go to Edit >> Preferences >> Advanced. Near the bottom, under Message Store Type for new accounts, click the drop-down and select File per message (maildir). Close the dialog, then proceed with adding new accounts.