Differences between revisions 19 and 29 (spanning 10 versions)

Postfix

Postfix is a very popular open source Mail Transfer Agent (MTA) (SMTP).

Steps for Ubuntu 14.04 LTS

   1 apt update
   2 apt install mailutils postfix
   3 # Choose ok, Internet Site
   4 # System mail name: bitarus.mooo.com
   5 nano /etc/postfix/main.cf

/etc/postfix/main.cf

mydomain=bitarus.mooo.com
myhostname = mail.bitarus.mooo.com
smtpd_recipient_restrictions=permit_sasl_authenticated , reject_unauth_destination
relay_domains=
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_local_domain=$myhostname
broken_sasl_auth_clients=yes
smtpd_relay_restrictions=permit_sasl_authenticated
home_mailbox=Mailbox
mail_spool_directory=/var/mail

   1 service --status-all
   2 service postfix restart

User mail spool

   1 touch /var/mail/userx
   2 chown vitor:mail /var/mail/userx
   3 chmod o-r /var/mail/userx
   4 chmod g+rw /var/mail/userx

SASL

   1 apt install libsasl2-2 sasl2-bin  libsasl2-modules
   2 nano /etc/default/saslauthd # change START=yes
   3

/etc/default/saslauthd

START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="shadow"
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

   1 dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
   2 echo 'pwcheck_method: saslauthd' >  /etc/postfix/sasl/smtpd.conf
   3 usermod -a -G sasl postfix
   4 service saslauthd start

Debian systemctl - enable service

   1 service saslauthd status
   2 service saslauthd start
   3 systemctl is-enabled saslauthd
   4 systemctl enable saslauthd

Test starttls

   1 openssl s_client -connect 127.0.0.1:25 -starttls smtp

Remove CRAM-MD5 authentication mechanism

   1 cd /usr/lib/x86_64-linux-gnu/sasl2
   2 service postfix stop
   3 mv *crammd5* /root
   4 service postfix start

In python 2.7 the CRAM-MD5 is a preferred authentication method for login in smtplib. The current postfix advertises CRAM-MD5 but does not accept it if smtplib tries to authenticate with it. So CRAM-MD5 authentication mechanism was removed.

AWS restrictions to send outbound emails - port 25

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/

AWS blocks outbound traffic on port 25 (SMTP) of all EC2 instances and Lambda functions by default. If you want to send outbound traffic on port 25, you can request for this restriction to be remove

https://docs.amazonaws.cn/en_us/AWSEC2/latest/UserGuide/ec2-resource-limits.html#port-25-throttle

On all instances, Amazon EC2 restricts traffic on port 25 by default. You can request that this restriction be removed. For more information, see How do I remove the restriction on port 25 from my EC2 instance? in the AWS Knowledge Center.

DKIM (Domain Keys Identified Mail) + SPF

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

DKIM is an Internet Standard that enables a person or organisation to associate a domain name with an email message. This, in effect, serves as a method of claiming responsibility for a message. At its core, DKIM is powered by asymmetric cryptography. The sender’s Mail Transfer Agent (MTA) signs every outgoing message with a private key. The recipient retrieves the public key from the sender’s DNS records and verifies if the message body and some of the header fields were not altered since the message signing took place.

   1 apt install opendkim opendkim-tools
   2 nano /etc/opendkim.conf

/etc/opendkim.conf

# create file with the following lines 
AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
Socket                  inet:12301@localhost
####

   1 nano /etc/default/opendkim

/etc/default/opendkim

SOCKET="inet:12301@localhost"

   1 vi /etc/postfix/main.cf

/etc/postfix/main.cf

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

   1 mkdir -p /etc/opendkim/keys
   2 nano /etc/opendkim/TrustedHosts

/etc/opendkim/TrustedHosts

127.0.0.1
localhost
x.x.x.x/24

*.bitarus.mooo.com

   1 nano /etc/opendkim/KeyTable

/etc/opendkim/KeyTable

mail._domainkey.bitarus.mooo.com bitarus.mooo.com:mail:/etc/opendkim/keys/bitarus.mooo.com/mail.private

   1 nano /etc/opendkim/SigningTable

/etc/opendkim/SigningTable

*@bitarus.mooo.com mail._domainkey.bitarus.mooo.com

   1 cd /etc/opendkim/keys
   2 mkdir bitarus.mooo.com
   3 cd bitarus.mooo.com
   4 opendkim-genkey -s mail -d bitarus.mooo.com
   5 chown opendkim:opendkim mail.private
   6 
   7 cat mail.txt 
   8 mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; "
   9           "p=xxxxxx" )  ; ----- DKIM key mail for bitarus.mooo.com
  10 
  11 nano /etc/bind/bitarus.mooo.com.hosts

/etc/bind/bitarus.mooo.com.hosts

mail._domainkey    IN      TXT "v=DKIM1; k=rsa; p=xxxxx"
bitarus.mooo.com.    IN      TXT "v=spf1 a mx ip4:54.68.9.58 include:_spf.google.com ~all"

   1 service bind9 restart
   2 service postfix restart
   3 service opendkim restart
   4 # see DNS TXT records
   5 dig bitarus.mooo.com txt 
   6 dig mail._domainkey.bitarus.mooo.com txt 
   7 nslookup -q=TXT bitarus.mooo.com
   8 nslookup -q=TXT mail._domainkey.bitarus.mooo.com

Outlook

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide#create-or-update-your-spf-txt-record

# multiple includes are allowed in the DNS TXT record 
include:spf.protection.outlook.com

-  ⇤ ← Revision 19 as of 2023-05-24 13:27:31 → 
  Size: 5871
  Editor: 127
  Comment:
+   ← Revision 29 as of 2025-02-12 11:20:11 → ⇥
  Size: 6608
  Editor: vitor
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 4:
-== Steps for Ubuntu Ubuntu 14.04 LTS ==
+== Steps for Ubuntu 14.04 LTS ==
 Line 7:
-apt install mailutils
apt install postfix
+apt install mailutils postfix
-Line 66:
+Line 65:
+=== Debian systemctl - enable service ===
{{{#!highlight sh
service saslauthd status
service saslauthd start
systemctl is-enabled saslauthd
systemctl enable saslauthd
}}}
-Line 72:
+Line 79:
- * Go to folder /usr/lib/x86_64-linux-gnu/sasl2
 * service postfix stop
 * mv *crammd5* /root
 * service postfix start
+{{{#!highlight sh
cd /usr/lib/x86_64-linux-gnu/sasl2
service postfix stop
mv *crammd5* /root
service postfix start
}}}
-Line 94:
+Line 103:
+}}}

=== /etc/opendkim.conf ===
{{{
-Line 112:
+Line 125:
+}}}

{{{#!highlight sh
-Line 113:
+Line 129:
+}}}

=== /etc/default/opendkim ===
{{{
-Line 114:
+Line 134:
+}}}

{{{#!highlight sh
-Line 116:
+Line 138:
+}}}

=== /etc/postfix/main.cf ===
{{{
-Line 120:
+Line 146:
-mkdir /etc/opendkim
mkdir /etc/opendkim/keys
+}}}

{{{#!highlight sh
mkdir -p /etc/opendkim/keys
-Line 125:
+Line 151:
+}}}

=== /etc/opendkim/TrustedHosts ===
{{{
-Line 130:
+Line 160:
+}}}

{{{#!highlight sh
-Line 132:
+Line 164:
+}}}

=== /etc/opendkim/KeyTable ===
{{{
-Line 133:
+Line 169:
+}}}

{{{#!highlight sh
-Line 135:
+Line 173:
+}}}

=== /etc/opendkim/SigningTable ===
{{{
-Line 136:
+Line 178:
+}}}

{{{#!highlight sh
-Line 148:
+Line 192:
+}}}

=== /etc/bind/bitarus.mooo.com.hosts ===
{{{
-Line 150:
+Line 198:
+}}}

{{{#!highlight sh
-Line 153:
+Line 204:
-dig bitarus.allowed.org txt
+# see DNS TXT records
dig bitarus.mooo.com txt
-Line 155:
+Line 207:
+nslookup -q=TXT bitarus.mooo.com
nslookup -q=TXT mail._domainkey.bitarus.mooo.com