Installing a new mailserver
You will need these for the mail server
apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx
pdnsd - use resolvconf configuration
Network
Ensure your PTR records are set in DNS
TXT edgarbv.com v=spf1 mx-all AAAA edgarbv.com IPv6address MX 10 mail.edgarbv.com edgarbv.com A edgarbv.com IPv4address
Certificates for mail.edgarbv.com - see postfix and dovecot
Postfix and Procmail
First install Postfix as the mail transport agent
Amavis-new + ClamAV
Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. Amavis-new and ClamAV
Spamassassin
Then configure Spamassassin
Dovecot
Now install Dovecot as an IMAP / POP3 server
Automx
automx sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings
Roundcube webmail
And install Roundcube for webmail
Converting from mbox to maildir
Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at Converting from mbox to maildir
Webmail performance
package imapproxy implements UP-IMapProxy
Iphone Push
package imaprowl implements push for Iphone and Gmail
Mobile settings
Incoming:
Security type: TLS (Accept all certificates) Port: 143
Outgoing:
Hostname: mail.edgarbv.com Security Type: TLS (Accept all certificates) Port: 587 Require sign in: on
Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.
Spam protection
https://dmarcguide.globalcyberalliance.org/ tests your SPF / DKIM / DMARC / BIMI and TLS and has guides on how to implement them.
SPF
This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server http://www.openspf.org/Introduction
DKIM
Another trust mechanism http://www.dkim.org/
/etc/opendkim.conf
Syslog yes SyslogSuccess yes Mode sv SubDomains no # Specify the list of keys KeyTable file:/etc/dkimkeys/keytable # Match keys and domains. To use regular expressions in the file, use refile: instead of file: SigningTable refile:/etc/dkimkeys/signingtable # Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host. InternalHosts refile:/etc/dkimkeys/trustedhosts Socket inet:8891@localhost
/etc/dkimkeys/trustedhosts
127.0.0.1 10.1.0.0/16 1.2.3.4/24
In /etc/postfix/main.cf
#For opendkim smtpd_milters = inet:localhost:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept
Generate the key (nb probably don't use '.' in the selector)
sudo --user opendkim opendkim-genkey -D /etc/dkimkeys -s YYYY_domain_ext -d edgarbv.com <pre> or a longer version of this: <pre> sudo --user opendkim opendkim-genkey --directory=/etc/dkimkeys --selector 2025_edgarbv_com --nosubdomains --domain=edgarbv.com
In /etc/dkimkeys/keytable you need to add all your private keys in the format - this maps the domain txt entry to the keyfile.
selector._domainkey.domain.ext domain.ext:selector:/etc/dkimkeys/selector.private
In /etc/dkimkeys/signingtable you map senders (by default, taken from the From: header field of a message passing through the filter) to which keys will be used to sign their mail. Wildcards are allowed for each domain
# Domain yourdomain.org *@edgarbv.com 2025_edgarbv_com._domainkey.edgarbv.com # You can specify multiple domains # Example.net www._domainkey.example.net
reload opendkim
Add it to your SOA from /etc/dkimkeys/selector.txt (get rid of all " and enters and everything in front of and after the () )
selector._domainkey.domainext TXT v=DKIM1; h=sha256; k=rsa; t=s; v=DKIM1; h=sha256; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxx3VYFe6f/1aunjZHp4WinOmS29t1EV4VIIvKP7P2aVtlvGxghBluJAkdkhUr20o8Mu/bfyW57JZ0eTKkLS7B0aWVlZlVdb4Qi/gFze3f0fh2ly9SBHRe2FQj4eK4A9Bd+GDBBeS4gQMgeYe38+Pa9LxNQWzyeKv47Isbmk/ffboylhOSKgLO97GHZxl/6qAHUu57bviEtk17/jNRxeBvs7sAqO++3qX/ky5NMObw+sjNa/swD9uG6pIVFpQ7NZbz390UoHj95CuTxZMbtyELRxkcvl0Axq1WXW35M74x2DNOJA0YaJof1X3zbSVSAvwVZ4WvXs7XrZupZ704hVcQIDAQAB
check this has gone right by
dig selector._domainkey.domain.ext txt
then
test by sending an email to check-auth@verifier.port25.com and it should respond with a report
and
opendkim-testkey -v -v opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved opendkim-testkey: checking key 'mail._domainkey.edgarbv.com' opendkim-testkey: key mail._domainkey.edgarbv.com secure opendkim-testkey: 1 key checked; 1 pass, 0 fail
If you get
opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved opendkim-testkey: checking key 'mail._domainkey.edgarbv.com' opendkim-testkey: key mail._domainkey.edgarbv.com: keys do not match opendkim-testkey: key mail._domainkey.edgarbv.com secure
It is saying that the key information in the key in /etc/dkimkeys is not the same as the DNS record TXT information.
http://www.opendkim.org/opendkim-README
[1] includes a script to spit out the DNS record
[2] shows opendkim-testkey -d srv.world -s 20240712 -vvv use
Permissions for keyfiles: 640
if you want multiple subdomains you need to create the keyfiles multiple times
opendkim-genkey -D /etc/dkimkeys -d mail.example.com -s mail.example.com opendkim-genkey -D /etc/dkimkeys -d smtp.example.com -s smtp.example.com
https://dmarcguide.globalcyberalliance.org/dkim
DMARC
A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/ https://dmarcguide.globalcyberalliance.org/#/dmarc/
_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@edgarbv.com; ruf=mailto:dmarc@edgarbv.com; sp=none; ri=86400"
Microsoft JMRP and SNDS
JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),
Enrol here:
https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0
More information about enrolling
fail2ban
Also see Debian Standard Packages to install afterwards#fail2ban
in /etc/fail2ban/jail.local
[dovecot] enabled = true logpath = /var/log/mail/dovecot.info [postfix] enabled = true [postfix-rbl] enabled = true [postfix-sasl] enabled = true findtime = 1d maxretry = 3 bantime = 5d