Monday, September 23, 2019

Ubuntu 18.04 email using postfix, dovecot, and opendkim


Most of these steps were taken from linuxbabe.com and modified for my purposes.  If you want more insight visit her website.

The following assumes you have already set up your webserver with apache2 and/or nginx, and secured the website with a Let's Encrypt certificate.

Email

Hostname


You can change your hostname. If you're using this server as your mail server you might want to use a FQDN like mail.your-domain.com. I used my domain name without the domain suffix.
$ sudo hostnamectl set-hostname your-domain
To verify the change, log out, log back in and run the following:
$ hostname -f


DNS


If this server will receive mail, set DNS records like the following:
Name: @; Type: MX; Content: mail.your-domain.com
Name: mail.your-domain.com; Type: A; Content: your-ip
Install and configure postfix
$ sudo apt update
$ sudo apt install postfix -y
You will be prompted to answer some questions.
Type: Internet Site
System mail name: your-domain.com
Configure postfix. Review the postfix main config file.
$ sudo nano /etc/postfix/main.cf
Review the following and edit as needed:
myhostname = your-domain.com
mydomain = your-domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $mydomain, localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
Open the postfix master config file.
$ sudo nano /etc/postfix/master.cf
Add the submission section to the end of the file:
submission     inet     n    -    y    -    -    smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_wrappermode=no
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
More edits to the postfix main config file.
$ sudo nano /etc/postfix/main.cf
Add the following to the end of the file:
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Note that smtpd_tls_protocols only governs opportunistic (may) TLS on port 25; the submission service added above runs with smtpd_tls_security_level=encrypt, and Postfix takes its protocol list for that case from smtpd_tls_mandatory_protocols instead.

Restart postfix service.
$ sudo systemctl restart postfix

Install and configure dovecot


$ sudo apt install dovecot-core dovecot-imapd
Edit the main dovecot config file.
$ sudo nano /etc/dovecot/dovecot.conf
Add the following to enable IMAP:
protocols = imap
Configure authentication.
$ sudo nano /etc/dovecot/conf.d/10-auth.conf
Uncomment this line to disable plaintext authentication when there’s no SSL/TLS encryption.
disable_plaintext_auth = yes
Configure TLS.
$ sudo nano /etc/dovecot/conf.d/10-ssl.conf
Edit the file to require SSL:
ssl = required
Provide the paths to your SSL certificate and key:
ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem
SASL Authentication Between Postfix and Dovecot
$ sudo nano /etc/dovecot/conf.d/10-master.conf
Change service auth section.
service auth {
    unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
    }
}
Auto-create folders
$ sudo nano /etc/dovecot/conf.d/15-mailboxes.conf
Add auto = create to folders as you see fit. Example:
mailbox Trash {
    auto = create
    special_use = \Trash
}
Tell Dovecot to use Maildir.
$ sudo nano /etc/dovecot/conf.d/10-mail.conf
Set the mail location in /etc/dovecot/conf.d/10-mail.conf to the Maildir/ directory under each user's home, so it matches home_mailbox = Maildir/ in the Postfix main config above.
Restart services.
$ sudo systemctl restart dovecot
$ sudo systemctl restart postfix

Sender Policy Framework - SPF


Add a DNS record for SPF.
Name: @; Type: TXT; Content: v=spf1 mx ~all
This record authorises the hosts in your MX records to send mail for the domain and asks receivers to treat anything else as a soft fail; mx and ~all are only two of the available SPF mechanisms and qualifiers.
To have Postfix check SPF on incoming email, install the policy daemon:
$ sudo apt install postfix-policyd-spf-python
Configure.
$ sudo nano /etc/postfix/master.cf
Add to the end of file.
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
Save, then open the main config file.
$ sudo nano /etc/postfix/main.cf
Add to the end of the file:
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf
Save the file, then restart the postfix service.
$ sudo systemctl restart postfix
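How a receiving server evaluates the record above: the following is an added example, not code from the original post or from the policyd-spf package. It walks an SPF record term by term against a connecting IP using a constructed in-memory DNS table (your-domain.com, mail.your-domain.com and 203.0.113.10 are placeholders) instead of live lookups, and also handles the ip4/ip6 and a mechanisms, which the post's record does not use.

```python
import ipaddress

# Constructed DNS data standing in for the zone described in this post
# (the MX record and the A record of the mail host). Not live lookups.
DNS = {
    ("your-domain.com", "TXT"): ["v=spf1 mx ~all"],
    ("your-domain.com", "MX"): ["mail.your-domain.com"],
    ("mail.your-domain.com", "A"): ["203.0.113.10"],
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def addresses_of(name):
    """A records of a host in the constructed DNS table."""
    return DNS.get((name.lower(), "A"), [])


def check_spf(domain, client_ip):
    """Evaluate the domain's SPF record for a connecting client IP.
    Terms are tried left to right; the first match decides the result."""
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in DNS.get((domain.lower(), "TXT"), [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"          # no SPF record published
    if len(records) > 1:
        return "permerror"     # RFC 7208: more than one record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in addresses_of(arg or domain)
        elif mech == "mx":
            matched = any(str(ip) in addresses_of(mx)
                          for mx in DNS.get(((arg or domain).lower(), "MX"), []))
        else:
            return "permerror"             # include:/redirect= etc. not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # nothing matched and no 'all' term present
```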

DKIM


Install opendkim.
$ sudo apt install opendkim opendkim-tools
Add postfix to opendkim user group.
$ sudo gpasswd -a postfix opendkim
Configure.
$ sudo nano /etc/opendkim.conf
Uncomment the following lines and change Canonicalization from simple to relaxed/simple.
Canonicalization   relaxed/simple
Mode               sv
SubDomains         no
Add the following after SubDomains no.
AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256
Add the following to the end of file. Ubuntu may already include the first section for UserID.
#OpenDKIM user
# Remember to add user postfix to group opendkim
UserID             opendkim

# Map domains in From addresses to keys used to sign messages
KeyTable           refile:/etc/opendkim/key.table
SigningTable       refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList  /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts       /etc/opendkim/trusted.hosts
Save and close file.

Create Signing Table, Key Table and Trusted Hosts Files


Create directory structure.
$ sudo mkdir /etc/opendkim
$ sudo mkdir /etc/opendkim/keys
Change ownership and permissions.
$ sudo chown -R opendkim:opendkim /etc/opendkim
$ sudo chmod go-rw /etc/opendkim/keys
Create signing table.
$ sudo nano /etc/opendkim/signing.table
Add the following line.
*@your-domain.com    default._domainkey.your-domain.com
Save and close.  Create key table.
$ sudo nano /etc/opendkim/key.table
Add the following line.
default._domainkey.your-domain.com     your-domain.com:default:/etc/opendkim/keys/your-domain.com/default.private
Save and close. Create the trusted hosts file.
$ sudo nano /etc/opendkim/trusted.hosts
Add the following lines.
127.0.0.1
localhost

*.your-domain.com
Create file structure.
$ sudo mkdir /etc/opendkim/keys/your-domain.com
Generate keys.
$ sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s default -v
Change ownership of private key.
$ sudo chown opendkim:opendkim /etc/opendkim/keys/your-domain.com/default.private
Add the public key to your DNS records. Get the key:
$ sudo cat /etc/opendkim/keys/your-domain.com/default.txt
The value after p= is the public key. In default.txt it is split across several quoted strings; join them with no spaces. Add a DNS record and paste the key string after p=:
Name: default._domainkey.your-domain.com; Type: TXT; Content: v=DKIM1; k=rsa; p=KEYSTRINGHERE
Test.
$ sudo opendkim-testkey -d your-domain.com -s default -vvv
If the setup is good the output should include key OK.
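Pasting only the first quoted piece of the key into a DNS panel is a common cause of a failed opendkim-testkey. The following is an added example, not code from the original post or from OpenDKIM: it joins the quoted strings of a default.txt into the flat value a DNS panel expects and sanity-checks the result; the sample default.txt and the key inside it are constructed.

```python
import base64
import re

# Constructed stand-in for the base64 public key. A real 2048-bit key is
# roughly 400 characters, which is why opendkim-genkey splits it.
FAKE_KEY = base64.b64encode(b"constructed-sample-not-a-real-rsa-key").decode()

# Constructed sample of default.txt as written by opendkim-genkey: BIND
# syntax with the TXT value split across several quoted strings.
SAMPLE_DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    f'\t  "p={FAKE_KEY[:21]}"\n'
    f'\t  "{FAKE_KEY[21:]}" )  ; ----- DKIM key default for your-domain.com\n'
)


def flatten_txt(bind_record):
    """Join the quoted strings of a BIND TXT record into the single value a
    DNS panel expects; owner name, class and the trailing comment are dropped."""
    return "".join(re.findall(r'"([^"]*)"', bind_record))


def parse_tags(txt_value):
    """Split a 'tag=value; tag=value' string into a dict."""
    tags = {}
    for part in txt_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def check_dkim_record(txt_value):
    """Return a list of problems with a DKIM TXT value; empty means it is
    well formed (this does not prove it matches the private key)."""
    tags = parse_tags(txt_value)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional, default DKIM1
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an opendkim-genkey key")
    key = tags.get("p", "")
    if not key:
        problems.append("p= is empty (an empty p= means the key is revoked)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:     # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64 (truncated paste?)")
    return problems
```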

Connect opendkim to postfix


Create directory structure.
$ sudo mkdir /var/spool/postfix/opendkim
$ sudo chown opendkim:postfix /var/spool/postfix/opendkim
Open conf file.
$ sudo nano /etc/opendkim.conf
Find this line.
Socket                  local:/var/run/opendkim/opendkim.sock
Replace with this.
Socket                local:/var/spool/postfix/opendkim/opendkim.sock
Save and close file. Open postfix main config file.
$ sudo nano /etc/postfix/main.cf
Add the following after smtpd_recipient_restrictions.
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
Save and close the file then restart opendkim and postfix.
$ sudo systemctl restart opendkim
$ sudo systemctl restart postfix
Check your SPF and DKIM setup by sending an email to the following address.
[email protected]
You should get a reply indicating whether your setup has passed the checks.

DMARC


Set up a DMARC record in your DNS table similar to the following.
Name: _dmarc.your-domain.com; Type: TXT; Content: v=DMARC1; p=none; pct=100; fo=1; rua=mailto:[email protected]
The parameters are as follows:
v - DMARC version
p - policy (what to do with email that doesn't pass the DMARC test)
pct - the percentage of email the policy should be applied to
fo - report preferences:
     0 (default): generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result
     1: generate reports if any mechanism fails
     d: generate a report if the DKIM signature failed to verify
     s: generate a report if SPF failed
rua - the email address DMARC reports should be sent to
Check your DMARC setup as follows:
$ dig txt +short _dmarc.your-domain.com
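To sanity-check the record before publishing it, or the value dig returns, here is an added example (not from the original post) that parses a DMARC TXT value and flags the mistakes the parameter list above makes possible; the sample record and its report address dmarc@your-domain.com are constructed placeholders.

```python
import re

# Constructed record matching the shape of the one set above; the report
# address is a placeholder, not the author's.
SAMPLE_RECORD = "v=DMARC1; p=none; pct=100; fo=1; rua=mailto:dmarc@your-domain.com"

POLICIES = {"none", "quarantine", "reject"}
FO_VALUES = {"0", "1", "d", "s"}


def from_dig_output(text):
    """dig txt +short prints the value in quotes, possibly as several
    strings; join them (plain unquoted input is returned unchanged)."""
    parts = re.findall(r'"([^"]*)"', text)
    return "".join(parts) if parts else text.strip()


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict, keeping tag order."""
    tags = {}
    for part in from_dig_output(txt).split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt):
    """Return a list of problems; an empty list means the record is usable."""
    tags = parse_dmarc(txt)
    problems = []
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        problems.append("p= must be one of none, quarantine, reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be an integer from 0 to 100")
    if not set(tags.get("fo", "0").split(":")) <= FO_VALUES:
        problems.append("fo= must be a colon-separated list of 0, 1, d, s")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag}= entries must be mailto: URIs")
    if tags.get("p") == "none" and "rua" not in tags:
        problems.append("p=none without rua= monitors nothing: no reports will arrive")
    return problems
```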

Set up aliases

Open the alias file.
$ sudo nano /etc/aliases
Edit the file as needed, then run newaliases so Postfix rebuilds the alias database.
# See man 5 aliases for format
postmaster: root
abuse: root
webmaster: root
admin: root
root: account you want root email directed to

Thunderbird

If you choose Thunderbird for email, note that the first time you open it you need to change the default location where Thunderbird stores your inbound mail. To do this, enable the menu bar (right-click at the top and tick the Menu Bar box, or press Alt or F10), then go to Edit >> Preferences >> Advanced. Near the bottom, find Message Store Type for new accounts, click the drop-down arrow and select File per message (maildir). Close the menu, then proceed with adding new accounts.