Difference between revisions of "ZhoubaWiki:HowToSetupSmtpServer"
Latest revision as of 16:19, 22 May 2021
How to set up an outgoing email server
Here is a guide on getting outgoing email services running on Ubuntu using Postfix. This tutorial has been tested on an Ubuntu 8.04 VPS from LogicWeb. Please keep in mind that you have to be logged in as root during the whole process.
Postfix
Let’s get core email functionality going with Postfix.
aptitude install postfix sasl2-bin libsasl2-modules
You will be asked a few questions. Unfortunately, the graphical configuration interface that was automatically launched was a condensed version. Confirm the defaults and run the full graphical configuration utility.
dpkg-reconfigure postfix
Again, you will be asked some questions:
- General type of mail configuration: Internet Site
- System mail name: subdomain.hostname.tld (Use the identity domain and replace the prefix as necessary)
- Root and postmaster mail recipient: hosting@bugweis.com
- Other destinations to accept mail for: subdomain.hostname.tld, localhost (Use the identity domain)
- Force synchronous updates on mail queue: No
- Local networks: leave default
- Use procmail for local delivery: Yes
- Mailbox size limit (bytes): 0
- Local address extension character? leave default
- Internet protocols to use: all
Sometimes sendmail is an idiot and keeps running although it was replaced by postfix. In order to avoid problems run:
killall sendmail-mta
Next, let’s take care of certificates for TLS. First create a new directory.
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
Now create a new key and generate a certificate request. You will be asked several questions during this process. Fill them in as suggested below. Of course, you will have to use the domain and name of the identity for which this server is being set up.
# 2048-bit RSA key; 1024-bit RSA is no longer considered adequate
openssl genrsa -rand /etc/hosts -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
Example input:
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hostname
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:subdomain.hostname.tld
Email Address []:admin@hostname.tld
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now we need to self-sign the certificate.
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
chmod 600 smtpd.key
rm smtpd.csr
Finish configuring Postfix for TLS and SASL.
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_auth_only = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'home_mailbox = Maildir/'
For some strange reason, the Postfix configuration did not use the mail name as the hostname in the SMTP banner, so we'll have to configure it manually.
<c>
postconf -e 'myhostname = subdomain.hostname.tld'
</c>
If the server doesn't have an IPv6 interface, set inet_protocols:
<c>
postconf -e 'inet_protocols = ipv4'
</c>
If you want SMTP to run on port 465, you have to add these lines to /etc/postfix/master.cf:
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
Finally, restart Postfix.
/etc/init.d/postfix restart
Logging
Postfix uses the syslog facility for logging, which means all logs will be stored in /var/log/mail.*.
These files should be rotated weekly, but pretty much all virtual Ubuntu servers I tested had a weird bug. The weekly syslog script was missing and the log files did not get rotated. If you come across the same problem, just install rsyslog, which is newer and better than syslogd and uses logrotate.
aptitude install rsyslog
SASL
Authentication will be done by saslauthd, which will need to be configured to support a chrooted Postfix setup. Edit /etc/default/saslauthd and add or change the following settings so that they match:
START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Finish up SASL by creating the chroot directory, adding the postfix user to the sasl group, and then starting saslauthd.
mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
/etc/init.d/saslauthd start
Testing
At this point, core email services should be up and running. Let’s make sure that you’re in good shape before moving on. First, establish a connection with the mail server.
telnet localhost 25
After establishing a connection with the Postfix service, run:
ehlo localhost
...
250-STARTTLS
250-AUTH PLAIN LOGIN
...
Type quit to get out.
Reverse DNS
Some mail servers don't accept emails from servers with an invalid or non-existent reverse DNS record. Reverse DNS is linking an IP address to a host name and is maintained by the ISP. Contact the server provider and ask them to set up an RDNS record for the new server (IP -> System mail name). Needless to say the hostname must resolve to the appropriate IP address.
SPF Record
Sender Policy Framework (SPF) is an e-mail validation system designed to prevent e-mail spam. It lets e-mail administrators specify which Internet hosts are allowed to send e-mail claiming to originate from their domain. From our point of view, it's a way to look more legitimate to mail servers and therefore keep our emails from being marked as spam.
To set up an SPF record, you'll have to edit the DNS records of the sender domain, in our case hostname.tld. Let's presume we want to specify that the servers smtp01.hostname.tld and smtp02.hostname.tld can send emails from @hostname.tld. You can do this by adding a new TXT record named hostname.tld to the DNS:
v=spf1 a:smtp01.hostname.tld a:smtp02.hostname.tld -all
Postfix seems to always use the last defined network interface for sending emails. It is better to specify which interface should be used in the main Postfix configuration file /etc/postfix/main.cf to avoid later problems with SPF:
# use IP of smtp01.hostname.tld
smtp_bind_address = 123.123.123.123
Restart Postfix.
Note: This setting will cause Amavis (see ZhoubaWiki:HowToSetupSpamFilterAmavis) to reject emails from Postfix:
<c>
(!)DENIED ACCESS from IP x.y.z.v, policy bank
</c>
Append the following setting to /etc/amavis/conf.d/40-policy_banks to allow messages from the bind interface:
<c>
# replace x.y.z.v with the server IP
@inet_acl = qw( 127.0.0.1 x.y.z.v [::1]);
</c>
Detailed information about SPF can be found... on the internet.
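To see why the sending interface matters for the record above, here is an added example (not part of the original wiki page) that evaluates that SPF record against the IP a message leaves from. The DNS answers are a constructed in-memory table using documentation-range addresses, and only the `a`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (assumption): documentation-range addresses, not real hosts.
A_RECORDS = {
    "smtp01.hostname.tld": ["192.0.2.10"],
    "smtp02.hostname.tld": ["192.0.2.20"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The TXT record from this page.
RECORD = "v=spf1 a:smtp01.hostname.tld a:smtp02.hostname.tld -all"


def check_spf(record, client_ip, domain="hostname.tld"):
    """Evaluate a subset of SPF (a, ip4, all) for client_ip and return the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF version 1 record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "a":
            host = (arg or domain).lower()
            addrs = A_RECORDS.get(host, [])
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    # Mail leaving from the address set in smtp_bind_address matches a: ...
    print(check_spf(RECORD, "192.0.2.10"))
    # ... mail leaving from another interface of the same machine hits -all.
    print(check_spf(RECORD, "192.0.2.99"))
```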
Stripping the 'Received' header
Variant A
By default, Postfix will record the IP address of the client who sent the email. In our case it's the machine where the sendmail script is running. This information can potentially link two Hostname identities together, which is something we want to avoid. Therefore we'll configure Postfix to strip the 'Received' header. The /etc/postfix/main.cf file will have to have a reference to the header_checks file as follows:
header_checks = regexp:/etc/postfix/header_checks
Create a new file /etc/postfix/header_checks and add the below line:
/^Received: from/ IGNORE
Apply the new configuration by restarting Postfix.
Variant B
This variant is different: instead of removing the Received header, it only replaces the IP address in "Received: from". It will replace all existing Received: from records! The regexp can be altered to target a specific IP only.
First install Postfix support for Perl-compatible regular expressions (PCRE):
<c bash>
aptitude install postfix-pcre
</c>
Create a file with the replacement rules, /etc/postfix/smtp_headers_checks:
<c>
# universal: rewrites every "Received: from" header
/^\s*(Received: from)[^\n]/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])
# pattern for a specific IP: replace the SERVER IP string
# (the first matching rule wins, so keep only one of these two rules)
/^\s*(Received: from)[^\n]*SERVER IP[^\n]*(.*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
# optional: removes headers about the agent and client
# /^\s*User-Agent/ IGNORE
# /^\s*X-Enigmail/ IGNORE
# /^\s*X-Mailer/ IGNORE
# /^\s*X-Originating-IP/ IGNORE
</c>
Update /etc/postfix/main.cf with:
<c>
smtp_header_checks = pcre:/etc/postfix/smtp_headers_checks
</c>
Reload Postfix.
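To confirm that either variant is working, send a test message through the server and inspect the headers that arrive at the recipient. The following added example (not from the original page) audits a raw message for "Received: from" headers that still expose a non-loopback IPv4 address and for the client-identifying headers listed above; both sample messages are constructed.

```python
import email
import ipaddress
import re

# Headers from Variant B's optional rules that identify the sending client.
CLIENT_HEADERS = ("User-Agent", "X-Enigmail", "X-Mailer", "X-Originating-IP")
# Bracketed IPv4 literal as written in Received headers, e.g. [203.0.113.5].
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed samples: a message before stripping and one after Variant B.
BEFORE = (
    "Received: from client.example (unknown [203.0.113.5])\n"
    "\tby subdomain.hostname.tld (Postfix) with ESMTPSA id 4ABCD\n"
    "\tfor <user@example.org>; Sat, 22 May 2021 16:19:00 +0000 (UTC)\n"
    "X-Mailer: ExampleMailer 1.0\n"
    "Subject: test\n\nbody\n"
)
AFTER_B = (
    "Received: from [127.0.0.1] (localhost [127.0.0.1])\n"
    "Subject: test\n\nbody\n"
)


def leaking_headers(raw_message):
    """Return (header, detail) pairs for headers that still reveal the client."""
    msg = email.message_from_string(raw_message)
    findings = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # join folded continuation lines
        if not unfolded.lower().startswith("from"):
            continue  # only "Received: from" lines carry the client address
        for literal in IP_LITERAL.findall(unfolded):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue  # looked like an address but is not a valid one
            if not addr.is_loopback:
                findings.append(("Received", literal))
    for name in CLIENT_HEADERS:
        if msg.get(name) is not None:
            findings.append((name, "present"))
    return findings


if __name__ == "__main__":
    print(leaking_headers(BEFORE))
    print(leaking_headers(AFTER_B))
```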
Test
That's all. Test the new configuration using MX Toolbox.
http://mxtoolbox.com/diagnostic.aspx
...and you can set up an SMTP connection in your e-mail client. Here is an example for Thunderbird:
Server Address: IP address of the new mail server
Port: 25
User name: tester
Authentication: Password, Secure transmission
Connection security: STARTTLS