Postfix

Postfix is a very popular open source Mail Transfer Agent (MTA); it speaks SMTP.

Steps for Ubuntu 14.04 LTS

    apt update
    apt install mailutils postfix
    # Choose ok, Internet Site
    # System mail name: bitarus.mooo.com
    nano /etc/postfix/main.cf

/etc/postfix/main.cf

    mydomain = bitarus.mooo.com
    myhostname = mail.bitarus.mooo.com
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
    relay_domains =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    smtpd_relay_restrictions = permit_sasl_authenticated
    home_mailbox = Mailbox
    mail_spool_directory = /var/mail

reject_unauth_destination in smtpd_recipient_restrictions is what keeps this host from being an open relay: an unauthenticated client may only deliver to the local domains. Postfix 2.10 and later also evaluates smtpd_relay_restrictions, and a restriction list that ends with permit_sasl_authenticated falls through to an implicit permit, so it is safer to end that list with reject_unauth_destination as well instead of relying on the other list. Check the effective values with postconf -n after editing.

    service --status-all
    service postfix restart

User mail spool

    touch /var/mail/userx
    chown vitor:mail /var/mail/userx
    chmod o-r /var/mail/userx
    chmod g+rw /var/mail/userx
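The relay and AUTH checks described for the main.cf above, as an added example (not code from the page or from the Postfix project). It parses the main.cf syntax and reports what a reviewer looks for before exposing port 25. PAGE_CONFIG is the configuration from this page typed in as a string; HARDENED_CONFIG is a constructed variant with the findings fixed.

```python
"""Lint a Postfix main.cf for the relay and AUTH settings discussed above.

Added example, not code from the page or the Postfix project. It reads the
main.cf syntax (name = value, '#' comments, continuation lines that start
with whitespace) and reports what a reviewer checks before exposing port 25:
does some restriction list reject unauthorized destinations, does
smtpd_relay_restrictions stand on its own, and is AUTH limited to TLS.
"""
import re

# Tokens that stop unauthenticated relaying (either one is acceptable).
REJECT_UNAUTH = {"reject_unauth_destination", "defer_unauth_destination"}
# Built-in default of smtpd_relay_restrictions (Postfix 2.10+) when main.cf
# does not set it at all.
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"

# The main.cf from this page, as a constructed input string.
PAGE_CONFIG = """\
mydomain=bitarus.mooo.com
myhostname = mail.bitarus.mooo.com
smtpd_recipient_restrictions=permit_sasl_authenticated , reject_unauth_destination
relay_domains=
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_local_domain=$myhostname
broken_sasl_auth_clients=yes
smtpd_relay_restrictions=permit_sasl_authenticated
home_mailbox=Mailbox
mail_spool_directory=/var/mail
"""

# The same host with the two findings fixed (constructed).
HARDENED_CONFIG = """\
# relay decisions no longer depend on smtpd_recipient_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
"""


def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines like postconf does."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()      # continuation of previous parameter
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                                   # not a parameter line
        current = name.strip()
        params[current] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction list on commas/whitespace, keeping order."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def lint_relay(params):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    relay = restriction_list(params.get("smtpd_relay_restrictions", DEFAULT_RELAY))
    rcpt = restriction_list(params.get("smtpd_recipient_restrictions", ""))
    relay_rejects = any(tok in REJECT_UNAUTH for tok in relay)
    rcpt_rejects = any(tok in REJECT_UNAUTH for tok in rcpt)
    if not relay_rejects and not rcpt_rejects:
        findings.append("OPEN RELAY: no restriction list rejects unauthorized destinations")
    elif not relay_rejects:
        # A list that ends without a decision is an implicit permit.
        findings.append("smtpd_relay_restrictions never rejects; relay safety depends "
                        "entirely on smtpd_recipient_restrictions")
    if params.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
        if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
            findings.append("AUTH is offered before STARTTLS; set smtpd_tls_auth_only = yes")
        # Postfix's own default for this parameter is noanonymous.
        if "noanonymous" not in restriction_list(params.get("smtpd_sasl_security_options", "noanonymous")):
            findings.append("smtpd_sasl_security_options lacks noanonymous")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_relay(parse_main_cf(cfg)) or ["ok"])
```

Run against the page's configuration it reports two findings (relay safety resting on smtpd_recipient_restrictions, and AUTH offered before STARTTLS); the hardened variant reports none. Feed it the output of postconf -n rather than main.cf to include Postfix's compiled-in defaults.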
SASL

    apt install libsasl2-2 sasl2-bin libsasl2-modules
    nano /etc/default/saslauthd
    # change START=yes

/etc/default/saslauthd

    START=yes
    PWDIR="/var/spool/postfix/var/run/saslauthd"
    PARAMS="-m ${PWDIR}"
    PIDFILE="${PWDIR}/saslauthd.pid"
    DESC="SASL Authentication Daemon"
    NAME="saslauthd"
    MECHANISMS="shadow"
    THREADS=5
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

The socket lives under /var/spool/postfix because Debian and Ubuntu run smtpd chrooted there. MECHANISMS="shadow" means saslauthd verifies passwords against /etc/shadow, so only mechanisms that hand it the plaintext password (PLAIN and LOGIN) can succeed.

    dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
    echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
    usermod -a -G sasl postfix
    service saslauthd start
Test starttls

    openssl s_client -connect 127.0.0.1:25 -starttls smtp

Ubuntu's packaged main.cf enables STARTTLS with the snakeoil certificate (smtpd_use_tls=yes), so the EHLO reply should list 250-STARTTLS and s_client should report the negotiated protocol and cipher. The main.cf above enables SASL without smtpd_tls_auth_only = yes, so AUTH is also offered on the plaintext connection before STARTTLS; set smtpd_tls_auth_only = yes so credentials can only be sent inside TLS, and replace the self-signed snakeoil certificate with one that clients can verify.

Remove CRAM-MD5 authentication mechanism

    cd /usr/lib/x86_64-linux-gnu/sasl2
    service postfix stop
    mv *crammd5* /root
    service postfix start

In Python 2.7, CRAM-MD5 is the first mechanism smtplib's login() tries when the server advertises it. Postfix as configured above advertises CRAM-MD5 but cannot accept it: CRAM-MD5 is a challenge-response mechanism that the server can only verify when it holds the plaintext password (for example in sasldb), and saslauthd with MECHANISMS="shadow" only has the /etc/shadow hash. So the CRAM-MD5 mechanism was removed from the advertised list by moving its plugin out of the SASL plugin directory. The same effect without moving files: restrict the offered mechanisms with mech_list: plain login in /etc/postfix/sasl/smtpd.conf.
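The mechanism selection and the PLAIN versus CRAM-MD5 verification described above, as an added example (not code from the page, Cyrus SASL or smtplib). It reproduces the client side of both mechanisms as smtplib sends them and models two server credential stores: a hash-only store standing in for /etc/shadow and a plaintext store standing in for sasldb. USERNAME, PASSWORD and SALT are constructed, and pbkdf2 stands in for crypt(3).

```python
"""Why saslauthd with MECHANISMS="shadow" accepts PLAIN/LOGIN but not CRAM-MD5.

Added example, not code from the page, Cyrus SASL or smtplib. PLAIN hands
the server the password, so a stored hash can be recomputed and compared.
CRAM-MD5 (RFC 2195) is HMAC-MD5 over a server nonce keyed with the
password, so verification needs the plaintext password; a shadow hash
cannot provide it, and every attempt fails even though the plugin
advertises the mechanism.
"""
import base64
import hashlib
import hmac
import os

USERNAME = "userx"                            # constructed credential
PASSWORD = "correct horse battery staple"
SALT = b"constructed-salt"


def shadow_hash(password, salt=SALT):
    """Stand-in for crypt(3) as used by /etc/shadow: a salted one-way hash."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 10_000)


SHADOW_STORE = {USERNAME: shadow_hash(PASSWORD)}   # what saslauthd -a shadow can see
SASLDB_STORE = {USERNAME: PASSWORD}                # what a sasldb/auxprop store holds

# Order in which smtplib.login() tries the mechanisms the server advertised.
SMTPLIB_PREFERENCE = ["CRAM-MD5", "PLAIN", "LOGIN"]


def pick_mechanism(advertised):
    """First of smtplib's preferred mechanisms present in the EHLO AUTH line."""
    for mech in SMTPLIB_PREFERENCE:
        if mech in advertised:
            return mech
    return None


# --- client side ---------------------------------------------------------
def auth_plain_initial_response(user, password):
    """AUTH PLAIN: base64(NUL authcid NUL password) with an empty authzid."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def cram_md5_response(user, password, challenge_b64):
    """AUTH CRAM-MD5 reply: base64('user ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


# --- server side ---------------------------------------------------------
def make_challenge(hostname):
    """Server nonce in the RFC 2195 '<random.time@host>' style, base64 encoded."""
    nonce = f"<{int.from_bytes(os.urandom(8), 'big')}.{os.getpid()}@{hostname}>"
    return base64.b64encode(nonce.encode()).decode()


def server_check_plain(initial_response, shadow_store=SHADOW_STORE):
    """The server has the plaintext, so it hashes and compares (what saslauthd does)."""
    _authzid, authcid, password = base64.b64decode(initial_response).decode().split("\0")
    stored = shadow_store.get(authcid)
    return stored is not None and hmac.compare_digest(stored, shadow_hash(password))


def server_check_cram_md5(challenge_b64, response_b64, plaintext_store):
    """Recompute the HMAC; impossible when the store has no plaintext password."""
    user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    password = plaintext_store.get(user)
    if password is None:
        return False          # hash-only store: nothing to key the HMAC with, reject
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def cram_md5_via_shadow(challenge_b64, response_b64):
    """saslauthd's view: /etc/shadow yields no plaintext for any user."""
    return server_check_cram_md5(challenge_b64, response_b64, {})


if __name__ == "__main__":
    print("smtplib picks:", pick_mechanism(["PLAIN", "LOGIN", "CRAM-MD5"]))
    ch = make_challenge("mail.bitarus.mooo.com")
    resp = cram_md5_response(USERNAME, PASSWORD, ch)
    print("CRAM-MD5 with sasldb:", server_check_cram_md5(ch, resp, SASLDB_STORE))
    print("CRAM-MD5 with shadow:", cram_md5_via_shadow(ch, resp))
    print("PLAIN with shadow:", server_check_plain(auth_plain_initial_response(USERNAME, PASSWORD)))
```

Once CRAM-MD5 is no longer advertised, pick_mechanism falls through to PLAIN, which saslauthd can verify; that is the whole effect of moving the plugin out of the directory. It also shows why PLAIN must only travel inside TLS: the server sees the password in the clear, and so does anyone on the path.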
AWS restrictions to send outbound emails - port 25

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/

    AWS blocks outbound traffic on port 25 (SMTP) of all EC2 instances and Lambda functions by default. If you want to send outbound traffic on port 25, you can request for this restriction to be removed.

https://docs.amazonaws.cn/en_us/AWSEC2/latest/UserGuide/ec2-resource-limits.html#port-25-throttle

    On all instances, Amazon EC2 restricts traffic on port 25 by default. You can request that this restriction be removed. For more information, see How do I remove the restriction on port 25 from my EC2 instance? in the AWS Knowledge Center.

Until the restriction is lifted, outbound connections to port 25 from the instance time out; submitting through a relay on port 587 is not affected.
DKIM (Domain Keys Identified Mail) + SPF

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

DKIM (RFC 6376) is an Internet Standard that enables a person or organisation to associate a domain name with an email message; in effect it is a way of claiming responsibility for a message. At its core, DKIM is powered by asymmetric cryptography. The sender's Mail Transfer Agent (MTA) signs every outgoing message with a private key. The recipient retrieves the public key from the sender's DNS records (the selector._domainkey TXT record) and verifies that the message body and the signed header fields were not altered after signing. SPF complements it: the domain's TXT record lists which hosts may send mail for it, and the receiving server checks the connecting IP address against that list.
    apt install opendkim opendkim-tools

    nano /etc/opendkim.conf
    # contents of /etc/opendkim.conf:
    AutoRestart             Yes
    AutoRestartRate         10/1h
    UMask                   002
    Syslog                  yes
    SyslogSuccess           Yes
    LogWhy                  Yes
    Canonicalization        relaxed/simple
    ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
    InternalHosts           refile:/etc/opendkim/TrustedHosts
    KeyTable                refile:/etc/opendkim/KeyTable
    SigningTable            refile:/etc/opendkim/SigningTable
    Mode                    sv
    PidFile                 /var/run/opendkim/opendkim.pid
    SignatureAlgorithm      rsa-sha256
    UserID                  opendkim:opendkim
    Socket                  inet:12301@localhost

    nano /etc/default/opendkim
    SOCKET="inet:12301@localhost"

    vi /etc/postfix/main.cf
    # add:
    milter_protocol = 2
    milter_default_action = accept
    smtpd_milters = inet:localhost:12301
    non_smtpd_milters = inet:localhost:12301

    mkdir /etc/opendkim
    mkdir /etc/opendkim/keys

    nano /etc/opendkim/TrustedHosts
    127.0.0.1
    localhost
    x.x.x.x/24
    *.bitarus.mooo.com

    nano /etc/opendkim/KeyTable
    mail._domainkey.bitarus.mooo.com bitarus.mooo.com:mail:/etc/opendkim/keys/bitarus.mooo.com/mail.private

    nano /etc/opendkim/SigningTable
    *@bitarus.mooo.com mail._domainkey.bitarus.mooo.com

    cd /etc/opendkim/keys
    mkdir bitarus.mooo.com
    cd bitarus.mooo.com
    opendkim-genkey -s mail -d bitarus.mooo.com
    chown opendkim:opendkim mail.private

    cat mail.txt
    mail._domainkey IN      TXT     ( "v=DKIM1; k=rsa; "
              "p=xxxxxx" )  ; ----- DKIM key mail for bitarus.mooo.com

    nano /etc/bind/bitarus.mooo.com.hosts
    # add:
    mail._domainkey    IN      TXT "v=DKIM1; k=rsa; p=xxxxx"
    bitarus.mooo.com.    IN      TXT "v=spf1 a mx ip4:54.68.9.58 include:_spf.google.com ~all"

    service bind9 restart
    service postfix restart
    service opendkim restart
    dig bitarus.mooo.com txt
    dig mail._domainkey.bitarus.mooo.com txt

opendkim-genkey writes a 1024-bit key by default; pass -b 2048 for a stronger one. Keep mail.private readable only by the opendkim user (mode 600): whoever holds it can sign as the domain. milter_default_action = accept means Postfix keeps delivering, unsigned, when opendkim is down; that is a deliberate availability-over-integrity choice, and LogWhy makes the opendkim log show when it happens. Once the DNS change has propagated, opendkim-testkey -d bitarus.mooo.com -s mail -vvv confirms that the published public key matches the private key.
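The canonicalization and hashing behind the Canonicalization relaxed/simple and SignatureAlgorithm rsa-sha256 settings above, as an added example (not code from the page or from OpenDKIM). It computes the bh= body hash and the header hash that the RSA private key signs, and shows on the verifier side that a modified body is detected while a re-folded header is not. HEADERS, REFOLDED and BODY are constructed sample data; the RSA signing step itself is left to the key.

```python
"""DKIM canonicalization and body hash (RFC 6376).

Added example, not code from the page or from OpenDKIM. 'relaxed' header
canonicalization tolerates re-folding and re-spacing by intermediate MTAs;
'simple' body canonicalization only ignores trailing empty lines. bh= is
SHA-256 of the canonicalized body; the RSA signature (not computed here)
covers the canonicalized h= headers plus the DKIM-Signature header with an
empty b= tag.
"""
import base64
import hashlib
import re


def canon_body_simple(body):
    """'simple' body canonicalization: normalize line ends to CRLF, remove
    empty lines at the end of the body, ensure exactly one trailing CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canon_header_relaxed(name, value):
    """'relaxed' header canonicalization: lowercase name, unfold, collapse
    whitespace runs to one space, strip, return 'name:value' + CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def body_hash(body):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()


def build_dkim_signature(body, h_list, domain="bitarus.mooo.com", selector="mail"):
    """DKIM-Signature value as the signer prepares it, with b= still empty."""
    return ("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b="
            % (domain, selector, ":".join(h_list), body_hash(body)))


def parse_tags(signature_value):
    """tag=value list of a DKIM-Signature value, folding whitespace removed."""
    tags = {}
    for item in signature_value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def signed_header_hash(headers, signature_value):
    """Hex SHA-256 of the data the private key signs (RFC 6376 3.7): each h=
    header (bottom-up for repeated names), then the DKIM-Signature header
    with b= emptied and no trailing CRLF."""
    tags = parse_tags(signature_value)
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    data = ""
    for name in tags["h"].split(":"):
        values = by_name.get(name.lower())
        if values:
            data += canon_header_relaxed(name, values.pop())
    sig_no_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", signature_value)
    data += canon_header_relaxed("DKIM-Signature", sig_no_b).rstrip("\r\n")
    return hashlib.sha256(data.encode()).hexdigest()


def verify_body_hash(signature_value, body):
    """Verifier side of bh=: recompute from the received body and compare."""
    return parse_tags(signature_value).get("bh") == body_hash(body)


HEADERS = [  # constructed message headers
    ("From", "Vitor <vitor@bitarus.mooo.com>"),
    ("To", "someone@example.org"),
    ("Subject", "Hello   from   postfix"),
]
REFOLDED = [  # the same headers after an MTA re-folded Subject
    ("From", "Vitor <vitor@bitarus.mooo.com>"),
    ("To", "someone@example.org"),
    ("Subject", "Hello from\r\n\tpostfix"),
]
BODY = b"Line one\r\nLine two\r\n\r\n\r\n"   # constructed body with trailing blank lines

if __name__ == "__main__":
    sig = build_dkim_signature(BODY, ["from", "to", "subject"])
    print(sig)
    print("body intact:", verify_body_hash(sig, BODY))
    print("body edited:", verify_body_hash(sig, b"Line one\r\nLine two!\r\n"))
    print("same header hash after refold:",
          signed_header_hash(HEADERS, sig) == signed_header_hash(REFOLDED, sig))
```

The h= list is what decides which headers the signature protects; From must always be in it, and a header not listed can be added or changed without touching the signature. That is why a verifier compares bh= and the signed header hash separately: a body edit shows up in the first, a From rewrite in the second.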
Outlook

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide#create-or-update-your-spf-txt-record

    # multiple includes are allowed in the DNS TXT record
    include:spf.protection.outlook.com

Each include costs one of the ten DNS lookups an SPF record may trigger (RFC 7208 section 4.6.4), and the lookups inside the included record count too; going over the limit turns the result into permerror.
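How a receiver evaluates the SPF record published in the DKIM + SPF section together with the Outlook include above, as an added example (not code from the page or from any SPF library). It implements the subset of RFC 7208 these records use (ip4, a, mx, include, the qualifiers on all, and the ten-lookup limit) against a constructed in-memory DNS table named DNS; the contents shown for _spf.google.com and spf.protection.outlook.com are constructed stand-ins using documentation address ranges, not the real records, and loop.example is a constructed pathological record.

```python
"""Evaluate an SPF record against a connecting IP (RFC 7208 check_host subset).

Added example, not code from the page or any SPF library. DNS answers come
from the constructed DNS table below instead of the resolver.
"""
import ipaddress

DNS = {  # constructed answers; in production these come from dig/the resolver
    "bitarus.mooo.com": {
        "TXT": ["v=spf1 a mx ip4:54.68.9.58 include:_spf.google.com "
                "include:spf.protection.outlook.com ~all"],
        "A": ["54.68.9.58"],
        "MX": ["mail.bitarus.mooo.com"],
    },
    "mail.bitarus.mooo.com": {"A": ["54.68.9.58"]},
    "_spf.google.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},               # stand-in
    "spf.protection.outlook.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},   # stand-in
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},              # pathological
}
MAX_LOOKUPS = 10          # RFC 7208 4.6.4: a, mx and include terms count toward this
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record, else None."""
    records = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def addresses(name, rtype):
    return {ipaddress.ip_address(a) for a in lookup(name, rtype)}


def check_host(ip, domain, _state=None):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    state = _state if _state is not None else {"lookups": 0}   # shared across includes
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name == "ip4":
            # an IPv6 client never matches an ip4 term
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in addresses(arg or domain, "A")
        elif name == "mx":
            matched = any(addr in addresses(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            sub = check_host(ip, arg, state)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"          # only a pass inside the include matches
        else:
            return "permerror"               # mechanism not implemented here
        if matched:
            return RESULT[qualifier]
    return "neutral"                         # no term matched and no 'all' term


if __name__ == "__main__":
    for ip in ("54.68.9.58", "203.0.113.7", "198.51.100.200", "192.0.2.9"):
        print(ip, check_host(ip, "bitarus.mooo.com"))
    print("loop.example", check_host("192.0.2.9", "loop.example"))
```

The page's own host passes on the a term before any include is consulted; a host listed only in one of the includes passes through that include; an address in none of them reaches ~all and gets softfail, which most receivers treat as "accept but mark". Switching the record to -all turns that into a hard fail.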
