
Ubuntu LTS Email Server Setup

This document assumes that you have a Debian 9 or Ubuntu LTS server (or container) set up and that Postfix/email has been set up using tasksel.

Dovecot (imap server) and Postfix (mail server)

Configure Dovecot to use the self-signed SSL cert created by Postfix.

root@naomi:/etc/postfix# cd ../dovecot/conf.d/
root@naomi:/etc/dovecot/conf.d# nano 10-ssl.conf 
##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem

Also set the mailbox format to Maildir, or all of your legacy data will be hosed.

root@naomi:/etc/dovecot/conf.d# nano 10-mail.conf
  mail_location = maildir:~/Maildir
...

Notice issues with sending mail using ssl/tls

don@bob2:~$ openssl s_client -connect mail.suspectdevices.com:465 -starttls smtp
connect: Connection refused
connect:errno=111

Add SSL/TLS to Postfix for outgoing mail by enabling the submission service in master.cf.

root@naomi:/etc/postfix# nano master.cf
...
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
root@naomi:/etc/postfix# service postfix check
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./sbin/lmtp
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-tls.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-global.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-master.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-dns.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./libpostfix-util.so.1
postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/sbin/./lmtp
root@naomi:/etc/postfix# service postfix reload

Link authentication to Dovecot and enable the auth server in Dovecot. Apparently this can be avoided by installing a single package buried in Ubuntu's documentation (search for "Mail-Stack Delivery").

root@naomi:/etc/postfix# nano /etc/dovecot/conf.d/10-master.conf 
...
  #Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  user = root
}
...

root@naomi:/etc/postfix# nano main.cf
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination

Follow up on above errors

NOTE: the above errors are related to symlinks, not the files themselves. Neither Debian nor Canonical is concerned about it, and they may or may not fix it at some point. https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1728723

Eliminate POP3 as it isn't needed.

mv /usr/share/dovecot/protocols.d/pop3d.protocol /usr/share/dovecot/pop3d.protocol.disabled
service dovecot reload
netstat -ta

SPF and openDKIM

Gmail currently requires that any email you send from a server not controlled by them use both SPF and DKIM.

What the hell is it?

According to linuxbabe (https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf):

SPF and DKIM are two types of TXT records in DNS that can help prevent email spoofing and ensure legitimate emails are delivered into the recipient's inbox instead of the spam folder. If your domain is abused by email spoofing, then your emails are likely to land in the recipient's spam folder if they didn't add you to their address book.

SPF (Sender Policy Framework) record specifies which hosts or IP addresses are allowed to send emails on behalf of a domain. You should allow only your own email server or your ISP’s server to send emails for your domain.

DKIM (DomainKeys Identified Mail) uses a private key to add a signature to emails sent from your domain. Receiving SMTP servers verify the signature by using the corresponding public key, which is published in your DNS manager.

SPF

We only want to send email through a single server, which is accomplished with the following record. It needs to be added to the zone of each domain using the email server.

root@naomi:~# nano /etc/bind/zones/fromhell.hosts 
... add the following ...
@ TXT "v=spf1 ip4:198.202.31.141 -all"
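Added example, not part of the original notes: a minimal SPF evaluator (ip4/ip6/all mechanisms only) that shows what a receiving server does with the record above. It makes the point of the "single server" rule concrete: mail sent directly from any other host on the network, such as 198.202.31.221, gets a hard fail and must be relayed through 198.202.31.141 instead.

```python
import ipaddress

# Added example (not from the original notes): a minimal SPF evaluator that
# handles only the ip4/ip6/all mechanisms used in the record above. Real SPF
# (RFC 7208) also has a, mx, include, redirect and more; those are reported
# as a permerror here rather than guessed at.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral for sender_ip against an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # matches everything, so evaluation ends here
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP means /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                   # unsupported mechanism
    return "neutral"                         # no mechanism matched (RFC 7208 default)


# The record added to the zone file above; 198.202.31.141 is the only host allowed.
FROMHELL_SPF = "v=spf1 ip4:198.202.31.141 -all"

if __name__ == "__main__":
    # 198.202.31.221 is another host on the same network (it appears later in
    # trusted.hosts); sending directly from it would hard-fail SPF.
    for ip in ("198.202.31.141", "198.202.31.221", "2001:db8::1"):
        print(f"{ip:>16} -> {spf_check(FROMHELL_SPF, ip)}")
```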

openDKIM

gotchas

  • Convoluted and complex configuration involving 3 major services (DNS, Postfix, OpenDKIM).
  • Postfix is chrooted and the milter protocol version is currently 6.
  • Sample output from the current opendkim-tools is wrong and requires manual correction.
  • Relaying requires masquerading.

installation

Install OpenDKIM and edit the configuration file.

root@naomi:~# apt-get install opendkim opendkim-tools
root@naomi:~# nano /etc/opendkim.conf 
... add/correct the following ...
Socket          local:/var/spool/postfix/var/run/opendkim/opendkim.sock
PidFile               /var/run/opendkim/opendkim.pid
Syslog          yes
UMask           002
UserID          opendkim
KeyTable            refile:/etc/opendkim/key.table
SigningTable        refile:/etc/opendkim/signing.table
ExternalIgnoreList  refile:/etc/opendkim/trusted.hosts
InternalHosts       refile:/etc/opendkim/trusted.hosts

For each domain being handled, create a signing key and add it to the DNS zone file.

root@naomi:~# cd /etc/opendkim/keys/
root@naomi:/etc/opendkim/keys# opendkim-genkey -b 2048 -h rsa-sha256 -r -s 201807 -d suspectdevices.com -v
root@naomi:/etc/opendkim/keys# mv 201807.private suspectdevices.private
root@naomi:/etc/opendkim/keys# cat 201807.txt >>/etc/bind/zones/suspectdevices.hosts

Fix the error in the DNS entry and increment the zone's serial number.

root@naomi:/etc/opendkim/keys# nano /etc/bind/zones/suspectdevices.hosts 
@               IN      SOA  dns1.digithink.com. don.digithink.com (
                2018072200 10800 3600 3600000 86400 )
... change this to YYYYMMDDxx ...
...
... and change h=rsa-sha256 to h=sha256, as below ...
201807._domainkey       IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; s=email; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6ymvRll+pEDThA6fMersYbr6dB5HKIFl4SMSF3ORxkFmrYC//wm6/vrqWNft3AWy4zC7AQNiKyQGg7$
          "BUpxeL2bSGUhMrcZ+OheWWzw7aF746IOYO0IR4oMTFNP9a6hrmwBrLmnA8ploFYUWCa2ETq/VYP6i14LU7P/yi8JhDMu4ZVI6ytlynBcLU42orcNWjWNLHqy/F3L$
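Added example, not from the original notes: a checker for the 201807.txt record before it goes into the zone. It joins the quoted strings of the BIND-style TXT RDATA, parses the tag=value list, and flags the h=rsa-sha256 value that opendkim-genkey emits (a verifier only understands sha1/sha256), with a helper that rewrites it. The sample record is constructed with the key body cut down to the DER header of a 2048-bit RSA key, so it is not a real key.

```python
import base64
import re

# Added example (not from the original notes): parse the BIND-style TXT record
# that opendkim-genkey writes and catch the h=rsa-sha256 mistake before the
# zone is reloaded. Only the tags the page uses are checked (RFC 6376 3.6.1).
VALID_HASHES = {"sha1", "sha256"}

def join_txt_strings(record: str) -> str:
    """Concatenate the quoted strings of a TXT RDATA, which may span lines."""
    return "".join(re.findall(r'"([^"]*)"', record))

def parse_dkim_tags(value: str) -> dict:
    """Turn 'v=DKIM1; h=sha256; k=rsa; p=...' into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags

def check_dkim_record(record: str) -> list:
    """Return the problems found in a DKIM key record; an empty list means OK."""
    tags = parse_dkim_tags(join_txt_strings(record))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    bad = [h for h in tags.get("h", "").split(":") if h and h not in VALID_HASHES]
    if bad:
        problems.append("h= lists unknown hash algorithm(s): " + ":".join(bad))
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa")
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
        if not der or der[0] != 0x30:  # a DER SubjectPublicKeyInfo starts with SEQUENCE
            problems.append("p= is not a DER public key")
    except ValueError:                 # binascii.Error is a ValueError
        problems.append("p= is not valid base64")
    return problems

def fix_hash_tag(record: str) -> str:
    """Rewrite the h=rsa-sha256 that 'opendkim-genkey -h rsa-sha256' emits to h=sha256."""
    return re.sub(r"h=rsa-(sha1|sha256)\b", r"h=\1", record)

# Constructed sample in the layout of 201807.txt; the key body is cut down to the
# standard DER header of a 2048-bit RSA key, so it is not a usable key.
SAMPLE_RECORD = '''201807._domainkey  IN  TXT  ( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" )'''
```

Run `check_dkim_record(open("201807.txt").read())` on the real file before appending it to the zone; an empty list means the record is safe to publish.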

Reload BIND and check the key. The "key not secure" line from opendkim-testkey only means the zone is not DNSSEC-signed, so it can be ignored.

root@naomi:/etc/opendkim/keys# service bind9 reload
root@naomi:/etc/opendkim/keys# service bind9 status
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
....
Jul 25 22:35:15 naomi named[28512]: reloading zones succeeded
....
root@naomi:/etc/opendkim/keys# opendkim-testkey -d suspectdevices.com  -s 201807 -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '201807._domainkey.suspectdevices.com'
opendkim-testkey: key not secure .... ignore this ....
opendkim-testkey: key OK

Add entries to key.table, signing.table and trusted.hosts.

root@naomi:/etc/opendkim# nano key.table 
fromhell     fromhell.com:201807:/etc/opendkim/keys/fromhell.private
suspectdevices suspectdevices.com:201807:/etc/opendkim/keys/suspectdevices.private
root@naomi:/etc/opendkim# nano signing.table 
*@fromhell.com fromhell
*@suspectdevices.com suspectdevices
root@naomi:/etc/opendkim# nano trusted.hosts 
127.0.0.1
::1
198.202.31.221
198.202.31.242
localhost
*.fromhell.com
*.suspectdevices.com

Configure the socket file to communicate with Postfix and add the postfix user to the opendkim group.

root@naomi:~# mkdir -p /var/spool/postfix/var/run/opendkim
root@naomi:~# chown -R opendkim:opendkim /var/spool/postfix/var/run/opendkim
root@naomi:~# touch /var/spool/postfix/var/run/opendkim/opendkim.sock
root@naomi:~# chmod 775 /var/spool/postfix/var/run/opendkim/opendkim.sock
root@naomi:~# usermod -a -G opendkim postfix
root@naomi:~# nano /etc/default/opendkim 
...
DAEMON_OPTS="-vvvv"
SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"
RUNDIR=/var/spool/postfix/var/run/opendkim
USER=opendkim
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=
...

Add the milter to Postfix and reload both services.

root@naomi:~# nano /etc/postfix/main.cf
...
milter_protocol = 6
milter_default_action = accept
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock
...
root@naomi:~# service opendkim reload
root@naomi:~# service postfix reload

Send test mail

root@naomi:~# echo "dkim test" | mail -s testopendkim check-auth@verifier.port25.com

Adding signatures to mail relayed from other hosts

Relaying mail from other hosts on the local networks requires the following additions to Postfix's main.cf:

root@naomi:~# nano /etc/postfix/main.cf
...
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, 198.202.31.128/25
...
masquerade_domains = suspectdevices.com, fromhell.com

  • https://www.cioby.ro/2013/11/14/configuring-opendkim-to-sign-postfix-emails/
  • https://linuxaria.com/howto/using-opendkim-to-sign-postfix-mails-on-debian
  • http://www.openspf.org/SPF_Record_Syntax
  • https://blog.whabash.com/posts/send-outbound-email-postfix-dkim-spf-ubuntu-16-04
  • https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/
  • https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
  • https://tools.ietf.org/html/rfc6376
  • https://tweenpath.net/opendkim-postfix-smtp-relay-server-on-debian-7/
  • https://qureshi.me/how-to-setup-postfixdkimspfdmarc-on-ubuntu-plesk-onyx/

Configure root/notification mail from other systems (esp bs2020)

Systems need to be able to send email to notify us of issues such as pending security updates (apticron). For the email to be signed by OpenDKIM and validated by SPF, each system needs to strip its hostname from the mail it sends before relaying it through the mail server.

root@bs2020:~# apt-get install mailutils apticron
... select satellite server when asked ...
root@bs2020:~# nano /etc/postfix/main.cf
... add the following ...
relayhost = naomi.suspectdevices.com
compatibility_level=2
masquerade_domains = suspectdevices.com

Since all systems will be stripped of their machine names, ensure the full name of common accounts is made unique:

root@bs2020:~# chfn -f "Root at BS2020"
  • http://www.postfix.org/STANDARD_CONFIGURATION_README.html
  • https://www.tecmint.com/setup-postfix-mail-server-smtp-using-null-client-on-centos/

Todo:
  • I think postfix is a little heavy handed to run a null client. Investigate simpler secure solution.
  • add amavis, and other filters linked in at https://help.ubuntu.com/community/MailServer
  • make procmail do some work since it's enabled by default
  • make damned sure that it won't accept mail from the entire c-block