Postfix SPF DKIM Installation

Postfix

Installation

sudo apt-get install postfix

Basic Configuration

sudo dpkg-reconfigure postfix

在被詢問時，插入以下的內容 ( 若是你有一個域名的話,這裏假設域名爲 smartats.com ):

- Internet Site
- smartats.com  (System mail name)
- (Root and postmaster mail recipient)
- smartats.com, localhost
- No
- 127.0.0.0/8
- Yes
- 0
- +
- all

SASL Configuration

sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

edit /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

TLS Configuration

sudo mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
sudo openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
sudo chmod 600 smtpd.key
sudo openssl req -new -key smtpd.key -out smtpd.csr
sudo openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
sudo openssl rsa -in smtpd.key -out smtpd.key.unencrypted
sudo mv -f smtpd.key.unencrypted smtpd.key
sudo openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = mail.cloudrecruit.com'

sasl install

sudo apt-get install libsasl2-2 libsasl2-modules sasl2-bin

edit /etc/default/saslauthd,激活saslauthd.

START=yes

Remove Postfix from chroot

edit /etc/postfix/master.cf

smtp inet n - - - - smtpd

modify it as follows:

smtp inet n - n - - smtpd

Add postfix to group sasl

sudo service postfix restart
sudo chown -R root:sasl /var/run/saslauthd
sudo service saslauthd start
sudo adduser postfix sasl

Creating an alias for an account

sudo useradd -s /bin/false mail01(login username)
sudo passwd mail01(setting password)
sudo vi /etc/aliases

add next line to /etc/aliases

fmaster: mail01

sudo newaliases

test sasl

sudo testsaslauthd -u mail01 -p 123456

Postfic/SPF

Installation

sudo apt-get install postfix-policyd-spf-python

Postfix Integration, Enabling the Policy Service

Add this section to /etc/postfix/master.cf for the Python script

policy-spf unix - n n - - spawn
  user=nobody argv=/usr/bin/policyd-spf

Add the policy service to your smtpd_recipient_restrictions in file /etc/postfix/main.cf:

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policy-spf

Add SPF record for the domain

Reload Postfix

sudo service postfix reload

Postfix/DKIM

Installation

sudo apt-get install opendkim opendkim-tools

edit /etc/opendkim.conf

For more advanced options, you can man opendkim.conf

Syslog yes
UMask 002
Domain mail.ourats.local
KeyFile /etc/mail/dkim.key
# Defines the name of the selector to be used when signing messages
Selector mail
# automatically re-start on failures
AutoRestart yes
# leaving the service running in the background
Background yes
# Selects the canonicalization method(s) to be used when signing messages (header/body)
Canonicalization relaxed/relaxed
Mode sv
SubDomains no
X-Header no
Statistics /var/log/dkim-filter/dkim-stats

edit /etc/default/opendkim

SOCKET="inet:8891@localhost"

edit /etc/postfix/main.cf

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Key generation for dkim-milter and its setup with DNS

sudo opendkim-genkey -t -s mail -d smartats.com
sudo cp mail.private /etc/mail/dkim.key
sudo service opendkim start

Add your DKIM record for domain mail._domainkey as supplied in mail.txt

Reload Postfix

sudo service postfix restart