Installing a new mailserver: Difference between revisions

From Edgar BV Wiki
Jump to navigation Jump to search
← Older edit
Visual
No edit summary
 
(58 intermediate revisions by the same user not shown)
Line 1: Line 1:
apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d
You will need these for the mail server
 
apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx


pdnsd - use resolvconf configuration
pdnsd - use resolvconf configuration


= Network =
= Network =
Set up networking in /etc/network/interfaces
[[Debian Network Setup]]
 
Ensure your PTR records are set in DNS
<pre>
<pre>
# The loopback network interface
TXT edgarbv.com v=spf1 mx-all
auto lo
AAAA edgarbv.com IPv6address
iface lo inet loopback
MX 10 mail.edgarbv.com edgarbv.com
A edgarbv.com IPv4address
</pre>


# The primary network interface
Certificates for mail.edgarbv.com - see postfix and dovecot
allow-hotplug eth0
#auto eth0
iface eth0 inet static
        address 192.168.0.112
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
#      gateway 192.168.0.1
        dns-nameservers 213.75.63.36 213.75.63.70 192.168.0.1
#      dns-nameservers 192.168.0.1 192.168.0.2
#      dns-search tripnet.int internal.tripnet.int ops.tripnet.int


auto eth1
= Postfix and Procmail =
iface eth1 inet static
First install [[Postfix]] as the mail transport agent, so it handles the sending of email
        address 188.204.140.195
        netmask 255.255.255.224
        network 188.204.140.192
        broadcast 188.204.140.223
        gateway 188.204.140.193
        dns-nameservers 213.75.63.36 213.75.63.70 192.168.0.1
</pre>


= Postfix and Procmail =
= Amavis-new + ClamAV =
First install [[Postfix]]
Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. [[Amavis-new and ClamAV]] Virus and spam checkers


= Spamassassin =
= Spamassassin =
Then install [[Spamassassin]]
Then configure [[Spamassassin]] spam checker


= Dovecot =
= Dovecot =
[ Dovecot ]
Now install [[ Dovecot ]] as an IMAP / POP3 server (to receive and view emails)
 
== Automx2 ==
[[Automx2]] sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings
 
= Roundcube webmail =
And install [[ Roundcube]] for webmail
 
= Converting from mbox to maildir =
Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at [[Converting from mbox to maildir]]
 
= Webmail performance =
package imapproxy implements UP-IMapProxy
 
= Iphone Push =
package imaprowl implements push for Iphone and Gmail


== after installation ==
= Connection and Mobile settings =
Logging:
Incoming:<pre>
Hostname: mail.edgarbv.com
Security type: TLS/SSL (Accept all certificates) / STARTTLS (TLS/SSL preferred)
Port: 993 / 143 (TLS/SSL preferred)
</pre>
 
Outgoing:
<pre>
<pre>
log_path = /var/log/mail/dovecot.err
Hostname: mail.edgarbv.com
info_log_path = /var/log/mail/dovecot.info
Security Type: TLS / SSL (Accept all certificates) / STARTTLS
Port: 465 / 587 (465 is preferred)
Require sign in: on
</pre>
</pre>
Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.
== Outlook 2016 and higher + Office 365 ==
If you are using SSL/TLS on port 993 and 465, in Outlook you can just use File -> Add Account.
For some cases for autodiscover to work (also see [[Automx2]]):
don’t do File – Add Account, but do: File – Account Settings – Manage Profiles – Email Accounts – New (also see https://talk.plesk.com/threads/autodiscover-not-working-properly-on-outlook.356682/page-2) - especially when using STARTTLS settings
== IOS / Apple Mobile devices ==
Visit the URL in Safari eg <pre>
autodiscover.edgarbv.com/mobileconfig/?emailaddress=user@edgarbv.com
</pre>It will ask you to download the profile and tell you to go to settings to install the profile (Click on Profile Downloaded and install)
To remove this account you need to go to Settings -> VPN & Device Management -> select the accounts and remove them here
The profile will be unsigned, but to sign you need to either use proprietary Apple distribution systems or https://stackoverflow.com/questions/53434631/how-to-sign-an-ios-configuration-profile-generated-programmatically and https://github.com/rseichter/automx2/issues/17#issuecomment-2773814736
= Spam protection =
https://dmarcguide.globalcyberalliance.org/ tests your SPF / DKIM / DMARC / BIMI and TLS and has guides on how to implement them.
== SPF ==
This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server
http://www.openspf.org/Introduction
[[Sender Policy Framework / SPF]]
== DKIM ==
Another trust mechanism http://www.dkim.org/
/etc/opendkim.conf
<pre>
<pre>
touch /var/log/mail/dovecot.err
Syslog                  yes
touch /var/log/mail/dovecot.info
SyslogSuccess          yes
 
Mode                    sv
SubDomains              no
 
# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts
 
Socket                  inet:8891@localhost
</pre>
</pre>
in /etc/logrotate.d/rsyslog add
 
/etc/dkimkeys/trustedhosts
<pre>
<pre>
/var/log/mail/dovecot.err
127.0.0.1
/var/log/mail/dovecot.info
10.1.0.0/16
1.2.3.4/24
</pre>
</pre>
to the rest of the mail lines


Create a maildir for www-data manually (dovecot has no permissions to create in /var/www)
In /etc/postfix/main.cf
<pre>
<pre>
mkdir /var/www/Maildir
#For opendkim
chown www-data /var/www/Maildir
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
</pre>
</pre>


To test:
Generate the key (nb probably don't use '.' in the selector)
<pre>
<pre>
mutt -f imap://username@localhost
sudo --user opendkim opendkim-genkey -D /etc/dkimkeys -s YYYY_domain_ext -d edgarbv.com
mutt -f pop://username@localhost
<pre>
 
or a longer version of this:
or to open a user's maildir:
<pre>
mutt -m maildir -f ~user/Maildir
sudo --user opendkim opendkim-genkey --directory=/etc/dkimkeys --selector 2025_edgarbv_com --nosubdomains --domain=edgarbv.com
</pre>
</pre>


= Roundcube webmail =
In /etc/dkimkeys/keytable you need to add all your private keys in the format - this maps the domain txt entry to the keyfile.
We're going to get the backport version as it's much much better
 
so in /etc/apt/sources.list add
<pre>
<pre>
deb http://backports.debian.org/debian-backports squeeze-backports main
selector._domainkey.domain.ext domain.ext:selector:/etc/dkimkeys/selector.private
</pre>
</pre>


and to install
In /etc/dkimkeys/signingtable you map senders (by default, taken from the
From: header field of a message passing through the filter) to which keys will be used to sign their mail.  Wildcards are allowed for each domain
<pre>
<pre>
apt-get -t squeeze-backports install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra
# Domain yourdomain.org
*@edgarbv.com 2025_edgarbv_com._domainkey.edgarbv.com
# You can specify multiple domains
# Example.net www._domainkey.example.net
</pre>
</pre>


You will need mysql-server, apache2 and php5 as well.
reload opendkim


then in /etc/roundcube/apache.conf
Add it to your SOA from /etc/dkimkeys/selector.txt (get rid of all " and enters and everything in front of and after the () )
<pre>
<pre>
uncomment:
selector._domainkey.domainext TXT v=DKIM1; h=sha256; k=rsa; t=s; v=DKIM1; h=sha256; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxx3VYFe6f/1aunjZHp4WinOmS29t1EV4VIIvKP7P2aVtlvGxghBluJAkdkhUr20o8Mu/bfyW57JZ0eTKkLS7B0aWVlZlVdb4Qi/gFze3f0fh2ly9SBHRe2FQj4eK4A9Bd+GDBBeS4gQMgeYe38+Pa9LxNQWzyeKv47Isbmk/ffboylhOSKgLO97GHZxl/6qAHUu57bviEtk17/jNRxeBvs7sAqO++3qX/ky5NMObw+sjNa/swD9uG6pIVFpQ7NZbz390UoHj95CuTxZMbtyELRxkcvl0Axq1WXW35M74x2DNOJA0YaJof1X3zbSVSAvwVZ4WvXs7XrZupZ704hVcQIDAQAB
    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
    Alias /roundcube /var/lib/roundcube
</pre>
</pre>


in /etc/roundcube/main.inc.php change
check this has gone right by
<pre>
<pre>
$rcmail_config['htmleditor'] = 0; to 1
dig selector._domainkey.domain.ext txt
$rcmail_config['preview_pane'] = 0; to 1
$rcmail_config['default_host'] = '127.0.0.1';
$rcmail_config['language'] = 'nl_NL';
</pre>
</pre>
then
test by sending an email to check-auth@verifier.port25.com and it should respond with a report


Settings that need looking at and haven't been enabled yet!
and
<pre>
<pre>
$rcmail_config['smtp_server'] = 'localhost';
opendkim-testkey -v -v
$rcmail_config['smtp_user'] = '%u';
 
$rcmail_config['smtp_pass'] = '%p';
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
opendkim-testkey: key mail._domainkey.edgarbv.com secure
opendkim-testkey: 1 key checked; 1 pass, 0 fail
</pre>
</pre>


in /usr/local/etc/php.ini
If you get
<pre>
<pre>
upload_max_filesize = 5M</pre>
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
opendkim-testkey: key mail._domainkey.edgarbv.com: keys do not match
opendkim-testkey: key mail._domainkey.edgarbv.com secure
</pre>
It is saying that the key information in the key in /etc/dkimkeys is not the same as the DNS record TXT information.


== Plugins ==
[https://wiki.debian.org/opendkim Debian wiki opendkim]
=== virtuser_file ===
This comes with the roundcube-plugins package and makes roundcube read the identities (@domain.ext) from a file in the format:


email@domain.ext user
http://www.opendkim.org/opendkim-README
email2@domain2.ext user2


If a user has multiple @domain.ext set in the file, then it makes multiple entries you can choose from as your from address.
[https://www.frontline.ro/en/blog/how-to-configure-opendkim-with-postfix-on-debian-12-bookworm] includes a script to spit out the DNS record


Find in /etc/roundcube/main.inc.php
[https://www.server-world.info/en/note?os=Debian_12&p=mail&f=11] shows opendkim-testkey -d srv.world -s 20240712 -vvv use
 
Permissions for keyfiles: 640
 
if you want multiple subdomains you need to create the keyfiles multiple times
<pre>
<pre>
$rcmail_config['plugins'] = array('virtuser_file');
opendkim-genkey -D /etc/dkimkeys -d mail.example.com -s mail.example.com
</pre>
opendkim-genkey -D /etc/dkimkeys -d smtp.example.com -s smtp.example.com
To enable it. and then all the way at the bottom set
</pre>https://dmarcguide.globalcyberalliance.org/dkim
<pre>
 
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
== DMARC ==
</pre>
A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/  https://dmarcguide.globalcyberalliance.org/#/dmarc/
 
_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=<nowiki>mailto:dmarc@edgarbv.com</nowiki>; ruf=<nowiki>mailto:dmarc@edgarbv.com</nowiki>; sp=none; ri=86400"
 
== Microsoft JMRP and SNDS ==
JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),
 
Enrol here:
 
https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0


=== DragnDrop Attachments ===
[https://kb.iweb.com/hc/en-us/articles/230267648-Subscribing-to-Microsoft-JMRP-and-SNDS More information about enrolling]
You can find that [https://github.com/strimpak/dragndrop_attachments here]


download, then unzip and mv to /var/lib/roundcube/plugins/dragndrop_attachments/
= Shorewall firewall =


In main.inc.php
== Ports list ==
<pre>
pop3 110
$rcmail_config['plugins'] = array('virtuser_file','vcard_attachments','show_additional_headers','emoticons','jqueryui','dragndrop_attachments', 'vacation');
</pre>


== Vacation autoresponder ==
pop3s 995
Download it from [http://sourceforge.net/projects/rcubevacation/files/ here]


unzip it to /var/lib/roundcube/plugins/vacation/
imap 143


The config.ini should look like this:
imaps 993
<pre>
[default]
driver = "ftp"
subject = "Afwezig"
body = "default.txt"


[dotforward]
smtp 25
binary = "/usr/bin/vacation"
flags = ""
message = ".vacation.msg"
database = ".vacation.db"
alias_identities = true
set_envelop_sender = false
always_keep_message = true
</pre>


in Roundcube 0.5 the page layout has changed and the plugin displays incorrectly. To fix this, edit
submission / mail submission agent 587


plugins/vacation/skins/default/vacation.css
smtps / ssmtp / urd / submissions 465


and add in some padding:
== /etc/shorewall/rules ==
<pre>
<pre>
#pagecontent {
# email server
width: 800px;
padding-top:70px;
}
</pre>


Also edit plugins/vacation/default.txt
POP3(ACCEPT)    net            $FW
POP3S(ACCEPT)  net            $FW
IMAP(ACCEPT)    net            $FW
IMAPS(ACCEPT)  net            $FW
SMTP(ACCEPT)    net            $FW
MSA(ACCEPT)    net            $FW
#MSA is also known as submission
SMTPS(ACCEPT)  net            $FW
#SMTPS is also known as submissions and also covers sstmp and urd


Note that it won't save the autoresponder message and subject if you don't tick the checkbox on the top of the page (which we've moved down a bit above)


Finally, add 'vacation' to the $rcmail_config['plugins'] in roundcube main.inc.php
</pre>


You can find the auto reply in the settings
= fail2ban =
Also see [[Debian Standard Packages to install afterwards#fail2ban]]


NB. when testing, you may need to delete the users from the database to check if certain settings are being set before logging in.
in /etc/fail2ban/jail.local
<pre>
[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info


= Converting from mbox to maildir =
[postfix]
Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at [[Converting from mbox to maildir]]
enabled  = true


= Webmail performance =
[postfix-rbl]
package imapproxy implements UP-IMapProxy
enabled  = true


= Iphone Push =
[postfix-sasl]
package imaprowl implements push for Iphone and Gmail
enabled = true
findtime = 1d
maxretry = 3
bantime = 5d
</pre>
= Deprecated - Automx =
[[ automx ]] sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Latest revision as of 12:02, 4 April 2025

You will need these for the mail server

apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx

pdnsd - use resolvconf configuration

Network

Debian Network Setup

Ensure your PTR records are set in DNS 

TXT edgarbv.com v=spf1 mx-all
AAAA edgarbv.com IPv6address
MX 10 mail.edgarbv.com edgarbv.com
A edgarbv.com IPv4address

Certificates for mail.edgarbv.com - see postfix and dovecot

Postfix and Procmail

First install Postfix as the mail transport agent, so it handles the sending of email

Amavis-new + ClamAV

Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. Amavis-new and ClamAV Virus and spam checkers

Spamassassin

Then configure Spamassassin spam checker

Dovecot

Now install Dovecot as an IMAP / POP3 server (to receive and view emails)

Automx2

Automx2 sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Roundcube webmail

And install Roundcube for webmail

Converting from mbox to maildir

Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at Converting from mbox to maildir

Webmail performance

package imapproxy implements UP-IMapProxy

Iphone Push

package imaprowl implements push for Iphone and Gmail

Connection and Mobile settings

Incoming:

Hostname: mail.edgarbv.com
Security type: TLS/SSL (Accept all certificates) / STARTTLS (TLS/SSL preferred)
Port: 993 / 143 (TLS/SSL preferred)

Outgoing: 

Hostname: mail.edgarbv.com
Security Type: TLS / SSL (Accept all certificates) / STARTTLS
Port: 465 / 587 (465 is preferred)
Require sign in: on

Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.

Outlook 2016 and higher + Office 365

If you are using SSL/TLS on port 993 and 465, in Outlook you can just use File -> Add Account.

For some cases for autodiscover to work (also see Automx2): don’t do File – Add Account, but do: File – Account Settings – Manage Profiles – Email Accounts – New (also see https://talk.plesk.com/threads/autodiscover-not-working-properly-on-outlook.356682/page-2) - especially when using STARTTLS settings

IOS / Apple Mobile devices

Visit the URL in Safari eg 

autodiscover.edgarbv.com/mobileconfig/?emailaddress=user@edgarbv.com

It will ask you to download the profile and tell you to go to settings to install the profile (Click on Profile Downloaded and install)

To remove this account you need to go to Settings -> VPN & Device Management -> select the accounts and remove them here

The profile will be unsigned, but to sign you need to either use proprietary Apple distribution systems or https://stackoverflow.com/questions/53434631/how-to-sign-an-ios-configuration-profile-generated-programmatically and https://github.com/rseichter/automx2/issues/17#issuecomment-2773814736

Spam protection

https://dmarcguide.globalcyberalliance.org/ tests your SPF / DKIM / DMARC / BIMI and TLS and has guides on how to implement them.

SPF

This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server http://www.openspf.org/Introduction

Sender Policy Framework / SPF

DKIM

Another trust mechanism http://www.dkim.org/

/etc/opendkim.conf 

Syslog                  yes
SyslogSuccess           yes

Mode                    sv
SubDomains              no

# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable 
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts

Socket                  inet:8891@localhost

/etc/dkimkeys/trustedhosts 

127.0.0.1
10.1.0.0/16
1.2.3.4/24

In /etc/postfix/main.cf 

#For opendkim
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Generate the key (nb probably don't use '.' in the selector) 

sudo --user opendkim opendkim-genkey -D /etc/dkimkeys -s YYYY_domain_ext -d edgarbv.com
<pre>
or a longer version of this:
<pre>
sudo --user opendkim opendkim-genkey --directory=/etc/dkimkeys --selector 2025_edgarbv_com --nosubdomains --domain=edgarbv.com

In /etc/dkimkeys/keytable you need to add all your private keys in the format - this maps the domain txt entry to the keyfile. 

selector._domainkey.domain.ext domain.ext:selector:/etc/dkimkeys/selector.private

In /etc/dkimkeys/signingtable you map senders (by default, taken from the From: header field of a message passing through the filter) to which keys will be used to sign their mail. Wildcards are allowed for each domain 

# Domain yourdomain.org
*@edgarbv.com 2025_edgarbv_com._domainkey.edgarbv.com
# You can specify multiple domains
# Example.net www._domainkey.example.net

reload opendkim

Add it to your SOA from /etc/dkimkeys/selector.txt (get rid of all " and enters and everything in front of and after the () ) 

selector._domainkey.domainext TXT v=DKIM1; h=sha256; k=rsa; t=s; v=DKIM1; h=sha256; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxx3VYFe6f/1aunjZHp4WinOmS29t1EV4VIIvKP7P2aVtlvGxghBluJAkdkhUr20o8Mu/bfyW57JZ0eTKkLS7B0aWVlZlVdb4Qi/gFze3f0fh2ly9SBHRe2FQj4eK4A9Bd+GDBBeS4gQMgeYe38+Pa9LxNQWzyeKv47Isbmk/ffboylhOSKgLO97GHZxl/6qAHUu57bviEtk17/jNRxeBvs7sAqO++3qX/ky5NMObw+sjNa/swD9uG6pIVFpQ7NZbz390UoHj95CuTxZMbtyELRxkcvl0Axq1WXW35M74x2DNOJA0YaJof1X3zbSVSAvwVZ4WvXs7XrZupZ704hVcQIDAQAB

check this has gone right by 

dig selector._domainkey.domain.ext txt

then

test by sending an email to check-auth@verifier.port25.com and it should respond with a report

and 

opendkim-testkey -v -v

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
opendkim-testkey: key mail._domainkey.edgarbv.com secure
opendkim-testkey: 1 key checked; 1 pass, 0 fail

If you get 

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
opendkim-testkey: key mail._domainkey.edgarbv.com: keys do not match
opendkim-testkey: key mail._domainkey.edgarbv.com secure

It is saying that the key information in the key in /etc/dkimkeys is not the same as the DNS record TXT information.

Debian wiki opendkim

http://www.opendkim.org/opendkim-README

[1] includes a script to spit out the DNS record

[2] shows opendkim-testkey -d srv.world -s 20240712 -vvv use

Permissions for keyfiles: 640

if you want multiple subdomains you need to create the keyfiles multiple times 

opendkim-genkey -D /etc/dkimkeys -d mail.example.com -s mail.example.com
opendkim-genkey -D /etc/dkimkeys -d smtp.example.com -s smtp.example.com

https://dmarcguide.globalcyberalliance.org/dkim

DMARC

A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/ https://dmarcguide.globalcyberalliance.org/#/dmarc/

_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@edgarbv.com; ruf=mailto:dmarc@edgarbv.com; sp=none; ri=86400"

Microsoft JMRP and SNDS

JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),

Enrol here:

https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0

More information about enrolling

Shorewall firewall

Ports list

pop3 110

pop3s 995

imap 143

imaps 993

smtp 25

submission / mail submission agent 587

smtps / ssmtp / urd / submissions 465

/etc/shorewall/rules

# email server

POP3(ACCEPT)    net             $FW
POP3S(ACCEPT)   net             $FW
IMAP(ACCEPT)    net             $FW
IMAPS(ACCEPT)   net             $FW
SMTP(ACCEPT)    net             $FW
MSA(ACCEPT)     net             $FW
#MSA is also known as submission
SMTPS(ACCEPT)   net             $FW
#SMTPS is also known as submissions and also covers sstmp and urd

fail2ban

Also see Debian Standard Packages to install afterwards#fail2ban

in /etc/fail2ban/jail.local 

[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info

[postfix]
enabled  = true

[postfix-rbl]
enabled  = true

[postfix-sasl]
enabled = true
findtime = 1d
maxretry = 3
bantime = 5d

Deprecated - Automx

automx sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Retrieved from "http://wiki.edgarbv.com/index.php?title=Installing_a_new_mailserver&oldid=37961"