Garak: Created page with " Category:Zhouba {| align="right" | TOC |} = How to set up an outgoing email server = Here is a guide on getting outgoing..."

2021-05-22T16:19:27Z

Created page with " Category:Zhouba  {| align="right" | __TOC__ |} = How to set up an outgoing email server = Here is a guide on getting outgoing..."

New page

[[Category:Zhouba]]

{| align="right"
| __TOC__
|}
= How to set up an outgoing email server =

Here is a guide on getting outgoing email services running on Ubuntu using Postfix. This tutorial has been tested on Ubuntu 8.04 VPS from <code>LogicWeb</code>. Please keep in mind that you have to be logged as root during the whole process.

== Postfix ==

Let’s get core email functionality going with Postfix.

<pre>
aptitude install postfix sasl2-bin libsasl2-modules
</pre>

You will be asked a few questions. Unfortunately, the graphical configuration interface that was automatically launched was a condensed version. Confirm the defaults and run the full graphical configuration utility.

<pre>
dpkg-reconfigure postfix
</pre>

Again, you will be asked some questions:

* General type of mail configuration: '''Internet Site'''
* System mail name: '''subdomain.hostname.tld''' ''(Use the identity domain and replace the prefix as necessary)''
* Root and postmaster mail recipient: '''hosting@bugweis.com'''
* Other destinations to accept mail for: '''subdomain.hostname.tld, localhost''' ''(Use the identity domain)''
* Force synchronous updates on mail queue: '''No'''
* Local networks: ''leave default''
* Use procmail for local delivery: '''Yes'''
* Mailbox size limit (bytes): '''0'''
* Local address extension character? ''leave default''
* Internet protocols to use: '''all'''

Sometimes sendmail is an idiot and keeps running although it was replaced by postfix. In order to avoid problems run:

<pre>
killall sendmail-mta
</pre>

Next, let’s take care of certificates for TLS. First create a new directory.

<pre>
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
</pre>

Now create a new key and generate a certificate request. You will be asked several questions during this process. Fill them as suggested below. Of course you will have to use domain and name of identity for which this server is being setup.

<pre>
openssl genrsa -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
</pre>

''Example input:''
<pre>
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hostname
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:subdomain.hostname.tld
Email Address []:admin@hostname.tld

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>

Now we need to self-sign the certificate.
<pre>
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
chmod 600 smtpd.key
rm smtpd.csr
</pre>

Finish configuring Postfix for TLS and SASL.

<pre>
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_auth_only = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'home_mailbox = Maildir/'
</pre>

For some strange reason Postfix config did not use the mail name as the hostname in the SMTP banner so we'll have to configure it manually.
<c>
postconf -e 'myhostname = subdomain.hostname.tld'
</c>

In case server doesn't have ipv6 interface set <code>inet_protocols</code>
<c>
postconf -e 'inet_protocols = ipv4'
</c>

If you want that SMTP runs on port 465, you have to add this lines to <code>/etc/postfix/master.cf</code>
<pre>
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
</pre>

Finally, restart Postfix.

<pre>
/etc/init.d/postfix restart
</pre>

== Logging ==

Postfix uses the syslog facility for logging, which means all logs will be stored in <code>/var/log/mail.*</code>.

These files should be rotated weekly, but pretty much all virtual Ubuntu servers I tested had a weird bug. The weekly syslog script was missing and the log files did not get rotated. If you come across the same problem just install <code>rsyslog</code> which is newer and better than <code>syslogd</code> and uses <code>logrotate</code>.

<pre>
aptitude install rsyslog
</pre>

== SASL ==

Authentication will be done by saslauthd which will need to be configured to support a chrooted Postfix setup. Edit <code>/etc/default/saslauthd</code> and add or change the following settings so that they match:

<pre>
START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
</pre>

Finish up SASL by creating the chroot directory, adding the postfix user to the sasl group, and then starting saslauthd.

<pre>
mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
/etc/init.d/saslauthd start
</pre>

== Testing ==

At this point, core email services should be up and running. Let’s make sure that you’re in good shape before moving on. First, establish a connection with the mail server.

<pre>
telnet localhost 25
</pre>

After establsihing a connection with the Postfix service, run:

<pre>
ehlo localhost
</pre>

<pre>
...
250-STARTTLS
250-AUTH PLAIN LOGIN
...
</pre>

Type quit to get out.

== Reverse DNS ==

Some mail servers don't accept emails from servers with an invalid or non-existent reverse DNS record. Reverse DNS is linking an IP address to a host name and is maintained by the ISP. Contact the server provider and ask them to set up an RDNS record for the new server (IP -> System mail name). Needless to say the hostname must resolve to the appropriate IP address.

== SPF Record ==

Sender Policy Framework (SPF) is an e-mail validation system designed to prevent e-mail spam. It allows e-mail administrators the ability to specify which Internet hosts are allowed to send e-mail claiming to originate from that domain. From our point of view it's a way to look more legitimate to mail servers, therefore prevent our emails from being marked as spam.

To setup a SPF record you'll have to edit DNS records of sender domain, in our case hostname.tld. Let's presume we want to specify that servers smtp01.hostname.tld and smtp02.hostname.tld can send emails from @hostname.tld. You can do this by adding a new TXT record named <code>hostname.tld</code> to the DNS:

<pre>
v=spf1 a:smtp01.hostname.tld a:smtp02.hostname.tld -all
</pre>

Postfix seem to always use the last defined net interface for sending emails. It is better to specify which interface should be used in the main Postfix configuration file <code>/etc/postfix/main.cf</code> to avoid later problems with SPF:

<pre>
smtp_bind_address = 123.123.123.123 # use IP of smtp01.hostname.tld
</pre>

Restart Postfix.

<strong>Note:</strong>This setting will cause Amavis (see [[ZhoubaWiki:HowToSetupSpamFilterAmavis]]) to reject emails from Postfix:
<c>
(!)DENIED ACCESS from IP x.y.z.v, policy bank ''
</c>
Append following setting to <code>/etc/amavis/conf.d/40-policy_banks</code> to allow messages from bind interface:
<c>
# relace x.y.z.v by server IP
@inet_acl = qw( 127.0.0.1 x.y.z.v [::1])
</c>

Detailed information about SPF can be found... on the internet.

== Stripping the 'Received' header ==

=== Variant A ===
By default Postfix will record the IP address of the client who sent the email. In our case it's the machine where the sendmail script is running. This information can potentially link two Hostname identities together which is something we want to avoid. Therefore we'll configure Postfix to strip the 'Received' header. The <code>/etc/postfix/main.cf</code> file will have to have a reference to the <code>header_checks</code> file as follows:

<pre>
header_checks = regexp:/etc/postfix/header_checks
</pre>

Create a new file <code>/etc/postfix/header_checks</code> and add the below line:

<pre>
/^Received: from/ IGNORE
</pre>

Apply the new configuration by restarting Postfix.

=== Variant B ===
This variant is different, instead of removing received header it only replaces received from IP address. It will replace
all existing Received: from records! Regexp can be latered to taget specific IP only.

First install postfix support for perlc regxexp
<c bash>
aptitude install postfix-pcre
</c>
Create file with replacement rules <code>/etc/postfix/smtp_headers_checks</code>
<c>
# universal
/^\s*(Received: from)[^\n]/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])
# Pattern for specific IP replace SERVER IP string
/^\s*(Received: from)[^\n]*SERVER IP[^\n]*(.*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
# Optional, removes headers about agent and client
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
</c>
Update <code>/etc/postfix/main.cf</code> with
<c>
smtp_header_checks = pcre:/etc/postfix/smtp_headers_checks
</c>

Reload postfix

== Test ==

That's all. Test the new configuration using MX Toolbox.

http://mxtoolbox.com/diagnostic.aspx

...and you can create SMTP connection on your e-mail client. There is example for Thunderbird:
<pre>
Server Address: IP address for new mail-server
Port:25
User name: tester
Authentization: Password, Secure transmission
Securely Connection: STARTTLS
</pre>

ZhoubaWiki:HowToSetupSmtpServer - Revision history

Garak: Created page with " Category:Zhouba {| align="right" | __TOC__ |} = How to set up an outgoing email server = Here is a guide on getting outgoing..."

Garak: Created page with " Category:Zhouba {| align="right" | TOC |} = How to set up an outgoing email server = Here is a guide on getting outgoing..."