= Postfix =
Postfix is a popular open source Mail Transfer Agent (MTA).

== Steps for Ubuntu 14.04 LTS ==
 * apt-get update && apt-get install mailutils
 * apt-get install postfix
 * Choose Ok, then Internet Site
 * System mail name: bitarus.allowed.org
 * nano /etc/postfix/main.cf
{{{
mydomain = bitarus.allowed.org
myhostname = mail.bitarus.allowed.org
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
relay_domains =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_relay_restrictions = permit_sasl_authenticated
home_mailbox = Mailbox
mail_spool_directory = /var/mail
}}}
 * reject_unauth_destination is what keeps this from being an open relay: a client that has not authenticated may only deliver to the local domains (mydestination) and to relay_domains, which is empty here. Postfix will not accept mail unless smtpd_relay_restrictions or smtpd_recipient_restrictions contains reject_unauth_destination (or defer_unauth_destination), so keep it when editing either list.
 * home_mailbox takes precedence over mail_spool_directory for local(8) delivery: with this main.cf new mail lands in ~/Mailbox rather than in /var/mail/userx. Drop the home_mailbox line to deliver to the spool file prepared below.
 * service --status-all
 * service postfix restart

== User mail spool ==
 * touch /var/mail/userx
 * chown userx:mail /var/mail/userx
 * chmod o-r /var/mail/userx
 * chmod g+rw /var/mail/userx
 * The result is a spool file named after the login user with mode 660: readable and writable by the owner and by group mail, inaccessible to everyone else.

== SASL ==
 * apt-get install libsasl2-2 sasl2-bin libsasl2-modules
 * nano /etc/default/saslauthd and change START=yes. The socket directory is placed under /var/spool/postfix because Ubuntu runs smtpd(8) chrooted there; a socket in the default /var/run/saslauthd would be invisible to Postfix.
{{{
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="shadow"
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
}}}
 * dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd
 * echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
 * usermod -a -G sasl postfix
 * service saslauthd start

== Test starttls ==
 * openssl s_client -connect 127.0.0.1:25 -starttls smtp
 * After the handshake, type EHLO mail.bitarus.allowed.org and check that the reply advertises 250-AUTH with PLAIN and LOGIN. With MECHANISMS="shadow" the client has to send the password itself, so PLAIN and LOGIN only make sense inside TLS: set smtpd_tls_auth_only = yes in main.cf so they are not offered on the plaintext connection.

== Remove CRAM-MD5 authentication mechanism ==
 * Go to folder /usr/lib/x86_64-linux-gnu/sasl2
 * service postfix stop
 * mv *crammd5* /root
 * service postfix start
In Python 2.7, smtplib.login() tries CRAM-MD5 first when the server advertises it and tries no other mechanism if that attempt fails. This Postfix advertises CRAM-MD5 because the plugin is installed, but cannot complete it: saslauthd only verifies a plaintext password against the shadow file and never has the plaintext that the CRAM-MD5 digest must be computed from, so the login always fails. Moving the plugin away fixes this; the supported way is to restrict what libsasl offers with a mech_list: PLAIN LOGIN line in /etc/postfix/sasl/smtpd.conf, which also survives package upgrades.
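The exchange described in the SASL and CRAM-MD5 sections above, as an added Python 3 example that is not part of this page, of Postfix or of Cyrus SASL: an in-memory model of smtpd(8) with libsasl in front of saslauthd, and of the mechanism choice Python 2.7's smtplib.SMTP.login() makes. The server side only has a password-check function (a constructed salted-hash store stands in for /etc/shadow), so it can verify PLAIN and LOGIN but never CRAM-MD5. The user name userx, the password, the hash scheme and the challenge format are assumptions made for the example.

```python
"""Why CRAM-MD5 cannot work behind saslauthd, modelled as an SMTP AUTH exchange.

Added example for this page, not Postfix or Cyrus SASL code. The shadow store,
user and password are constructed; Smtpd models libsasl with
pwcheck_method: saslauthd, py27_login models Python 2.7's smtplib.SMTP.login().
"""
import base64
import hashlib
import hmac
import os

# Constructed stand-in for /etc/shadow: saslauthd -a shadow only ever sees a hash
# (sha256(salt || password) here in place of crypt(3)); no plaintext is stored.
_SALT = b"constructed-salt"
_SHADOW = {"userx": hashlib.sha256(_SALT + b"s3cret").hexdigest()}


def saslauthd_verify(user, password):
    """All saslauthd can do: take a plaintext password and compare it with the hash."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(_SHADOW.get(user, ""), digest)


def cram_md5_response(challenge, user, password):
    """RFC 2195 client response: user, a space, hex(HMAC-MD5(key=password, challenge))."""
    return user + " " + hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


class Smtpd:
    """smtpd(8) + libsasl: advertises mech_list, can only verify via saslauthd_verify."""

    def __init__(self, mech_list):
        self.mech_list = list(mech_list)  # what EHLO shows as "250-AUTH ..."

    def auth(self, mech, client):
        """Run one AUTH exchange; client(challenge_bytes) returns the client's reply."""
        if mech not in self.mech_list:
            return "504 5.5.4 Unrecognized authentication type"
        if mech == "CRAM-MD5":
            challenge = b"<" + os.urandom(8).hex().encode() + b"@mail.bitarus.allowed.org>"
            client(challenge)
            # The user name and HMAC arrive, but checking the HMAC needs the plaintext
            # password. saslauthd never hands one out and there is no auxprop source
            # (sasldb, LDAP) for the secret, so libsasl fails the exchange every time.
            return "535 5.7.8 Error: authentication failed"
        if mech == "PLAIN":
            _authzid, user, password = base64.b64decode(client(None)).decode().split("\0")
        elif mech == "LOGIN":
            user = base64.b64decode(client(b"Username:")).decode()
            password = base64.b64decode(client(b"Password:")).decode()
        else:
            return "504 5.5.4 Unrecognized authentication type"
        if saslauthd_verify(user, password):
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Error: authentication failed"


PY27_PREFERENCE = ["CRAM-MD5", "PLAIN", "LOGIN"]


def py27_pick(advertised):
    """Python 2.7 smtplib.login(): take the first preferred mechanism the server
    advertises and try only that one; later Python 3 versions fall back to the next."""
    for mech in PY27_PREFERENCE:
        if mech in advertised:
            return mech
    return None


def py27_login(server, user, password):
    """True if login succeeds with the mechanism Python 2.7 would choose."""
    mech = py27_pick(server.mech_list)
    if mech == "CRAM-MD5":
        reply = server.auth(mech, lambda ch: cram_md5_response(ch, user, password))
    elif mech == "PLAIN":
        blob = base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode()
        reply = server.auth(mech, lambda _ch: blob)
    elif mech == "LOGIN":
        reply = server.auth(mech, lambda prompt: base64.b64encode(
            (user if prompt == b"Username:" else password).encode()).decode())
    else:
        return False  # smtplib: "No suitable authentication method found"
    return reply.startswith("235")


def demo():
    """(login result before, login result after) removing CRAM-MD5 from the advertised list."""
    # libsasl advertises every plugin installed under /usr/lib/x86_64-linux-gnu/sasl2
    before = Smtpd(["CRAM-MD5", "PLAIN", "LOGIN"])
    # after `mech_list: PLAIN LOGIN` in /etc/postfix/sasl/smtpd.conf (or after moving
    # the crammd5 plugin away, as this page does)
    after = Smtpd(["PLAIN", "LOGIN"])
    return py27_login(before, "userx", "s3cret"), py27_login(after, "userx", "s3cret")


if __name__ == "__main__":
    print(demo())
```

demo() returns (False, True): the same credentials fail while CRAM-MD5 is advertised and succeed once only PLAIN and LOGIN are, which is exactly what the page observed with Python 2.7. The PLAIN and LOGIN replies carry the password in base64, not encrypted, which is why the STARTTLS check above matters.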
== AWS restrictions to send outbound emails - port 25 ==
 * https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/
{{{
AWS blocks outbound traffic on port 25 (SMTP) of all EC2 instances and Lambda functions by default. If you want to send outbound traffic on port 25, you can request for this restriction to be removed.
}}}
 * https://docs.amazonaws.cn/en_us/AWSEC2/latest/UserGuide/ec2-resource-limits.html#port-25-throttle
{{{
On all instances, Amazon EC2 restricts traffic on port 25 by default. You can request that this restriction be removed. For more information, see How do I remove the restriction on port 25 from my EC2 instance? in the AWS Knowledge Center.
}}}

== DKIM (Domain Keys Identified Mail) + SPF ==
 * https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
DKIM is an Internet Standard that enables a person or organisation to associate a domain name with an email message. This, in effect, serves as a method of claiming responsibility for a message. At its core, DKIM is powered by asymmetric cryptography. The sender's Mail Transfer Agent (MTA) signs every outgoing message with a private key. The recipient retrieves the public key from the sender's DNS records and verifies that the message body and some of the header fields were not altered after the message was signed. SPF complements it: a TXT record on the domain lists the hosts allowed to send mail for it, and the receiving MTA checks the connecting IP address against that list.
 * apt install opendkim opendkim-tools
 * nano /etc/opendkim.conf and create the file with the following lines
{{{
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:12301@localhost
}}}
 * nano /etc/default/opendkim
{{{
SOCKET="inet:12301@localhost"
}}}
 * vi /etc/postfix/main.cf
{{{
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
}}}
 * milter_default_action = accept means mail keeps flowing, unsigned, while opendkim is down; after restarts check the mail log for "connect to Milter service" warnings.
 * mkdir -p /etc/opendkim/keys
 * nano /etc/opendkim/TrustedHosts
{{{
127.0.0.1
localhost
x.x.x.x/24
*.bitarus.allowed.org
}}}
 * The hosts listed here are InternalHosts: their mail is signed with the domain key instead of being verified, so list only machines you control. A /24 or a wildcard that also covers other people's hosts lets them send mail signed as bitarus.allowed.org.
 * nano /etc/opendkim/KeyTable
{{{
mail._domainkey.bitarus.allowed.org bitarus.allowed.org:mail:/etc/opendkim/keys/bitarus.allowed.org/mail.private
}}}
 * nano /etc/opendkim/SigningTable
{{{
*@bitarus.allowed.org mail._domainkey.bitarus.allowed.org
}}}
 * cd /etc/opendkim/keys
 * mkdir bitarus.allowed.org
 * cd bitarus.allowed.org
 * opendkim-genkey -s mail -d bitarus.allowed.org (older versions default to a 1024-bit key; pass -b 2048 explicitly)
 * chown opendkim:opendkim mail.private (keep the file mode 600; only the opendkim user needs to read it)
 * cat mail.txt
{{{
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=xxxxxx" ) ; ----- DKIM key mail for bitarus.allowed.org
}}}
 * nano /etc/bind/bitarus.allowed.org.hosts
{{{
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=xxxxx"
bitarus.allowed.org. IN TXT "v=spf1 a mx ip4:54.68.9.58 include:_spf.google.com ~all"
}}}
 * A single quoted string in a TXT record holds at most 255 characters. A 1024-bit key fits in one string, but the p= value of a 2048-bit key is about 400 characters, so keep the parenthesised multi-string form from mail.txt rather than joining it into one string. ~all asks receivers to treat other sources as a soft fail; switch to -all once every legitimate sender is listed.
 * service bind9 restart
 * service postfix restart
 * service opendkim restart
 * dig bitarus.allowed.org txt
 * dig mail._domainkey.bitarus.allowed.org txt
 * opendkim-testkey -d bitarus.allowed.org -s mail -k mail.private -vvv (from opendkim-tools; fetches the published record, parses it and checks that it matches the private key)
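Added example, not part of this page or of the opendkim tools: a Python 3 check for the record that opendkim-genkey writes to mail.txt (and for what dig returns for the published name). It concatenates the quoted strings as RFC 6376 requires, validates the v=, k= and p= tags, reads the RSA modulus size out of the base64 p= value with a minimal DER walk, flags any quoted string longer than 255 characters, and re-emits the record chunked for the zone file. The key material is constructed (a fixed fake modulus wrapped in a hand-built DER SubjectPublicKeyInfo) so the script runs without a real key; the owner name mail._domainkey and the domain are the page's, the 250-character chunking of the sample mimics opendkim-genkey's output and is an assumption.

```python
"""Validate the DKIM TXT record from opendkim-genkey and re-chunk it for the zone file.

Added example for this page, not opendkim code. The key inside sample_mail_txt()
is constructed (fake modulus, hand-built DER); a real one comes from opendkim-genkey.
"""
import base64
import binascii
import re

MAX_STRING = 255  # one <character-string> in a TXT RR holds at most 255 bytes


def _der_read(buf, pos=0):
    """Read one DER TLV at pos and return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Modulus size, in bits, of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    tag, spki, _ = _der_read(spki_der)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _algorithm, pos = _der_read(spki)        # AlgorithmIdentifier {rsaEncryption, NULL}
    tag, bitstring, _ = _der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _der_read(bitstring[1:])    # skip the unused-bits octet
    tag, modulus, _ = _der_read(rsa_pub)        # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    modulus = modulus.lstrip(b"\x00")
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()


def parse_txt(text):
    """Split BIND TXT syntax (mail.txt or dig output) into (owner, DKIM tag dict)."""
    owner = text.split()[0]
    value = "".join(re.findall(r'"([^"]*)"', text))  # RFC 6376 3.6.2.2: strings concatenate
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # folding whitespace in values is ignored
    return owner, tags


def check_dkim_record(text):
    """Return (list of problems, modulus bits) for a DKIM key record in BIND syntax."""
    problems = []
    owner, tags = parse_txt(text)
    if not (owner.endswith("._domainkey") or "._domainkey." in owner):
        problems.append("owner name must be <selector>._domainkey")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa")
    bits = 0
    if not tags.get("p"):
        problems.append("p= is empty (an empty p= means the key is revoked)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (binascii.Error, ValueError, IndexError) as exc:
            problems.append("p= is not a valid RSA public key: %s" % exc)
    if bits and bits < 1024:
        problems.append("key is only %d bits; verifiers reject keys below 1024" % bits)
    for s in re.findall(r'"([^"]*)"', text):
        if len(s) > MAX_STRING:
            problems.append("quoted string of %d chars exceeds %d" % (len(s), MAX_STRING))
    return problems, bits


def zone_record(owner, tags):
    """Rebuild the record as BIND text, chunked into strings of at most 255 characters."""
    value = "v=%s; k=%s; p=%s" % (tags.get("v", "DKIM1"), tags.get("k", "rsa"), tags["p"])
    chunks = [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)]
    return "%s IN TXT ( %s )" % (owner, " ".join('"%s"' % c for c in chunks))


# --- constructed sample key material, so the example runs without a real key ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_rsa_spki(modulus):
    """DER SubjectPublicKeyInfo for rsaEncryption with the given modulus (top bit set)."""
    algo = _tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    pub = _tlv(0x30, _tlv(0x02, b"\x00" + modulus) + _tlv(0x02, b"\x01\x00\x01"))
    return _tlv(0x30, algo + _tlv(0x03, b"\x00" + pub))


def sample_mail_txt(bits):
    """mail.txt as opendkim-genkey writes it (split strings), with a constructed key."""
    p = "p=" + base64.b64encode(fake_rsa_spki(b"\xc3" + b"\x5a" * (bits // 8 - 1))).decode()
    strings = ['"v=DKIM1; k=rsa; "'] + ['"%s"' % p[i:i + 250] for i in range(0, len(p), 250)]
    return "mail._domainkey\tIN\tTXT\t( %s )  ; ----- DKIM key mail for bitarus.allowed.org" % (
        "\n\t  ".join(strings))


def sample_flat_zone_line(bits):
    """The single-string form this page pastes into the zone file."""
    _, tags = parse_txt(sample_mail_txt(bits))
    return 'mail._domainkey IN TXT "v=DKIM1; k=rsa; p=%s"' % tags["p"]


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, "mail.txt:", check_dkim_record(sample_mail_txt(bits)))
        print(bits, "flattened:", check_dkim_record(sample_flat_zone_line(bits)))
```

For the 1024-bit sample both forms pass; for the 2048-bit sample the flattened single string is 410 characters and check_dkim_record() reports it, while zone_record() produces a form that parses back to the same key. Feed it the output of dig mail._domainkey.bitarus.allowed.org txt to confirm what resolvers actually see.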