Differences

This shows you the differences between two versions of the page.

--- email:install_a_full_secure_mail_server [2019/11/27 22:05] – removed peter
+++ email:install_a_full_secure_mail_server [2020/07/26 11:22] (current) – old revision restored (2016/11/28 17:09) 158.69.243.115
@@ Line 1: / Line 1: @@
+====== Email - Install a full secure mail server ======
+===== Prerequisites =====
+  * A Linux server, preferably Debian or Ubuntu to follow this tutorial step by step, on other distributions the software packages and file paths can be different.
+  * A Public IP address preferably directly on the server (If you do not have an IP in the RIPE database, then a provider of your IP address who is willing to set reverse DNS entry on this IP address).
+  * A publicly registered domain name either with some DNS hosting company or you can do yourself a small DNS server.  If you will have a DNS provider, just make sure they allow you to enter TXT records for your domain record.
+===== My example users and domain used in this tutorial =====
+This tutorial will be using "example.com" as the domain with a public IP of 123.123.123.123.
+An example email account of demouser@example.com will be used.
+The target that we desire at the end of this tutorial is:
+  * An email system with email in the form of xxxx@example.com.
+  * IMAP secured with SSL for access to your emails.
+  * All standard protection mechanisms on the emails so that other email systems do not classify the emails as SPAM.  This includes SPF, DKIM, rDNS and SpamAssassin headers.
+===== Step 1: Configure local hostname and domain on linux server =====
+This uses "example.com" as the domain, and "exampleserver" as the hostname.
+The DNS server will be 8.8.8.8 (which is the gmail DNS system, but adjust to any other DNS server as required).
+<code bash>
+echo exampleserver> /etc/hostname
+hostname -F /etc/hostname
+echo "8.8.8.8   exampleserver.example.com exampleserver" >> /etc/hosts
+</code>
+Verification is easy, just use these commands and you should get the answers.
+<code bash>
+hostname --short
+exampleserver
+hostname --domain
+example.com
+hostname --fqdn
+exampleserver.example.com
+hostname --ip-address
+.8.8.8
+</code>
+===== Step 2: Install email system exim4 and supporting packages =====
+The following software is needed:
+  - **Exim4** – the SMTP daemon.
+  - **Courier** – communication extension for Exim4 to have IMAP and POP access to emails; or
+  - **Dovecot** - communication extension for Exim4 to have IMAP and POP access to emails.
+  - **Swaks** – Swiss army knife for SMTP troubleshooting.
+  - **SSL-cert packages** – for easy work with generating certificates in later parts of the tutorial.
+<WRAP todo>
+**TODO**: Update to use alternatives to Courier, such as Dovecot.
+</WRAP>
+Issue these commands:
+<code bash>
+apt-get update
+apt-get install exim4-daemon-heavy swaks libnet-ssleay-perl ssl-cert
+</code>
+Decide on using Courier or Dovecot.  Recommendation is to use Dovecot.
+==== For Courier ====
+<code bash>
+apt-get install courier-authdaemon courier-imap courier-imap-ssl courier-pop courier-pop-ssl
+</code>
+<WRAP warning>
+**WARNING**:  Courier will by default use a self-signed certificates.  These are OK if you are going to be the only user of the mail system, but if you plan to invite many people like for a public system (and you do not plan to distribute your own certification authority to them), then you need a signed-certificate.  But for our use-case we will not go into replacing these for our small IMAP usage, but definitely not OK for a public or larger one!  This is also the warning installation will give you about this fact:
+<code>
+SSL Certificate Required
+POP and IMAP over SSL requires a valid, signed, X.509 certificate.
+During the installation of courier-pop-ssl or courier-imap-ssl, a
+self-signed certificate will be generated if necessary.
+For production use, the X.509 certificate must be signed by a recognized
+certificate authority, in order for mail clients to accept the
+certificate.  The default location for this certificate is
+/etc/courier/pop3d.pem or /etc/courier/imapd.pem.
+</code>
+</WRAP>
+==== For Dovecot ====
+<code bash>
+apt-get install dovecot-imapd dovecot-pop3d
+</code>
+Edit the file /etc/dovecot/dovecot.conf and amend the following line in the file /etc/dovecot/dovecot.conf:
+<code>
+protocols = pop3 pop3s imap imaps
+</code>
+In addition, add the following line in the "protocol pop3" section in the /etc/dovecot/dovecot.conf:
+<code>
+pop3_uidl_format = %08Xu%08Xv
+</code>
+Configure Dovecot to use the maildir mailbox format.  Edit /etc/dovecot/dovecot.conf:
+<code>
+mail_location = maildir:~/Maildir
+</code>
+<WRAP info>
+**NOTE**:  Maildir mails are almost always stored in ~/Maildir/ directory, which contains cur/, new/ and tmp/ subdirectories.  In maildir each mail is stored in a separate file.
+</WRAP>
+or alternatively change to:
+<code>
+mail_location = maildir:/home/%u/Maildir
+</code>
+<WRAP note>
+If !include conf.d/*.conf is uncommented in /etc/dovecot/dovecot.conf, it is necessary to set mail_location in /etc/dovecot/conf.d/10-mail.conf or comment the line out.  10-mail.conf will override the mail_location in dovecot.conf. If you choose to set the mail_location in 10-mail.conf, you have to change it to:
+</WRAP>
+<code>
+mail_location = maildir:~/Maildir
+</code>
+For SSL add or amend the following to the /etc/dovecot/dovecot.conf file.
+<code>
+disable_plaintext_auth = no
+ssl = yes
+ssl_cert_file = </etc/ssl/certs/ssl-cert-snakeoil.pem
+ssl_key_file = </etc/ssl/private/ssl-cert-snakeoil.key
+</code>
+Uncomment following line in /etc/dovecot/dovecot.conf:
+<code>
+listen = *
+</code>
+However, this method may cause conflicts with other servers already listening on other ports. The alternative (and probably more desirable) method, then, is to enable the specific listening ports for the protocols that are intended to be used. For example, for IMAP/IMAPS and POP3/POP3S, add to the correct protocol imap and protocol pop3 sections:
+<code>
+protocol imap {
+     listen = *:143
+     ssl_listen = *:993
+     ...
+     }
+protocol pop3 {
+     listen = *:110
+     ssl_listen = *:995
+     ...
+     }
+</code>
+If you want to see the config Dovecot is currently using (including the mail_location), use
+<code bash>
+dovecot -n
+</code>
+Start dovecot:
+<code bash>
+/etc/init.d/dovecot start
+</code>
+See https://help.ubuntu.com/community/Dovecot
+==== Verify the setup ====
+Verification of the installation can be done by checking the running ports with a netstat command.  Ensure that all the pop3, imap, smtp, pop3s and imaps ports are present as required:
+<code bash>
+netstat –utal
+-- omitted --
+tcp6       0      0 [::]:pop3               [::]:*                  LISTEN
+tcp6       0      0 [::]:imap2              [::]:*                  LISTEN
+tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
+tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
+tcp6       0      0 [::]:imaps              [::]:*                  LISTEN
+tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN
+</code>
+===== Step 3: Preparing local users for mail system (Maildir) =====
+In this example, each user will have their email inside their own home directory under ~/Maildir.  To have this as a standard setting for new users, simply add this directory to the skeleton so that it is automatically created for new users like this:
+It's a good idea to pre-create the Maildir for future users:
+<code bash>
+sudo maildirmake.dovecot /etc/skel/Maildir
+sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
+sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
+sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
+sudo maildirmake.dovecot /etc/skel/Maildir/.Templates
+</code>
+Then, for an existing user:
+<code bash>
+sudo cp -r /etc/skel/Maildir /home/myuser/
+sudo chown -R myuser:usergroup /home/myuser/Maildir
+sudo chmod -R 700 /home/myuser/Maildir
+</code>
+or for the example test user "demouser":
+<code bash>
+maildirmake ~demouser/Maildir
+chown –R demouser.demouser ~demouser/Maildir
+</code>
+===== Step 4: Create new user to test the mail system =====
+<code bash>
+adduser demouser
+</code>
+Give this user a password when prompted.  Always choose a good password here because this UNIX passwords will also be used by the user for IMAP/POP3 access to their emails!
+===== Step 5: Configure exim4 =====
+Now, first step here is to use the Debian and Ubuntu built-in configuration package to configure the "main" exim4 points with:
+<code bash>
+dpkg-reconfigure exim4-config
+</code>
+It will give you several options in a wizard.  Here are suggested answers for a small and independent server:
+  * General type of mail configuration: **internet site**; mail is sent and received directly using SMTP.
+  * System mail name: **example.com**
+  * IP-addresses to listen on for incoming SMTP connections: leave this field empty!!!
+  * Other destinations for which mail is accepted: leave this field empty!!!
+  * Domains to relay mail for: leave this field empty!!!
+  * Machines to relay mail for: leave this field empty!!!
+  * Keep number of DNS-queries minimal (Dial-on-Demand)?: **NO**
+  * Delivery method for local mail: **Maildir format in home directory**
+  * Split configuration into small files?: **NO**
+  * Root and postmaster mail recipient: **demouser** (or your real administrator name, but non-root account)
+===== Step 6: X.509 certificate for exim4 TLS support =====
+Generate a certificate based on example from exim.
+<code bash>
+/usr/share/doc/exim4-base/examples/exim-gencert
+[*] Creating a self signed SSL certificate for Exim!
+    This may be sufficient to establish encrypted connections but for
+    secure identification you need to buy a real certificate!
+    Please enter the hostname of your MTA at the Common Name (CN) prompt!
+Generating a 1024 bit RSA private key
+...........................................++++++
+....................................................................++++++
+writing new private key to '/etc/exim4/exim.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Code (2 letters) [US]:JE
+State or Province Name (full name) []:Jersey
+Locality Name (eg, city) []:St. Helier
+Organization Name (eg, company; recommended) []:example.com
+Organizational Unit Name (eg, section) []:example.com
+Server name (eg. ssl.domain.tld; required!!!) []:exampleserver.example.com
+Email Address []:demouser
+[*] Done generating self signed certificates for exim!
+    Refer to the documentation and example configuration files
+    over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
+    support in your mail transfer agent.
+</code>
+Next, based on the documentation you find in /usr/share/doc/exim4-base/ , you should create a file /etc/exim4/exim4.conf.localmacros to and insert these lines to enable TLS support on port 465.
+<code bash>
+echo "MAIN_TLS_ENABLE = true" > /etc/exim4/exim4.conf.localmacros
+echo "tls_on_connect_ports = 465" >> /etc/exim4/exim4.conf.localmacros
+</code>
+Inside /etc/default/exim4 change this line:
+<code>
+SMTPLISTENEROPTIONS=''
+</code>
+To this:
+<code>
+SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'
+</code>
+Ok, now restart exim4 again with the service command
+<code bash>
+service exim4 restart
+</code>
+And check if the exim4 is listening on port 465:
+<code bash>
+netstat -atupln | grep 465
+tcp        0      0 0.0.0.0:465    0.0.0.0:*    LISTEN      16020/exim4
+tcp6       0      0 :::465         :::*         LISTEN      16020/exim4
+</code>
+===== Step 7: Verification of emails delivery =====
+The basic email system should now be running.  Test this with a basic test of sending an email locally (either between two users of the local system or to yourself).
+This test will send email to testuser from testuser.
+<code bash>
+echo "test message content" | mail –s "test subject" demouser@example.com
+</code>
+You can either check the inbox of demouser, or more simply check logs inside /var/log/exim4/mainlog
+<code bash>
+cat /var/log/exim4/mainlog
+-12-23 16:56:42 1Y3XRa-0004B4-Sj <= root@example.com U=root P=local S=391
+-12-23 16:56:42 1Y3XRa-0004B4-Sj => demouser <demouser@example.com> R=local_user T=maildir_home
+-12-23 16:56:42 1Y3XRa-0004B4-Sj Completed
+</code>
+All looks good.  Now try sending an external email.
+<code bash>
+echo "test message content" | mail –s "test subject" xxxxx@gmail.com
+</code>
+Now the good and the bad part, the email arrived, but it ended most probably in the spam folder because technically this is a "rogue" system with unknown domain and no basic signatures in the email headers.
+===== Step 8-9: First problem with PAM not enabled in courier =====
+An immediate step after my emails got working was that Thunderbird was unable to connect to the courier with IMAPS (with TLS enabled) despite the basic certificates existed from the installation (during apt-get install a default set was generated).
+To verify what is going on, run a simple test using SWAKS to troubleshoot:
+<code bash>
+swaks -a -tls -q AUTH -s localhost -au demouser
+Password: playingwithexim4
+=== Trying localhost:25...
+=== Connected to localhost.
+<-  220 exampleserver.example.com ESMTP Exim 4.80 Tue, 23 Dec 2014 20:10:29 -0500
+ -> EHLO exampleserver.example.com
+<-  250-exampleserver.example.com Hello localhost [127.0.0.1]
+<-  250-SIZE 52428800
+<-  250-8BITMIME
+<-  250-PIPELINING
+<-  250-STARTTLS
+<-  250 HELP
+ -> STARTTLS
+<-  220 TLS go ahead
+=== TLS started w/ cipher DHE-RSA-AES256-SHA256
+=== TLS peer subject DN="/C=JE/ST=Jersey/L=St. Helier/O=example.com/OU=example.com/CN=exampleserver.example.com/emailAddress=demouser"
+ ~> EHLO exampleserver.example.com
+<~  250-exampleserver.example.com Hello localhost [127.0.0.1]
+<~  250-SIZE 52428800
+<~  250-8BITMIME
+<~  250-PIPELINING
+<~  250 HELP
+*** Host did not advertise authentication
+ ~> QUIT
+<~  221 exampleserver.example.com closing connection
+=== Connection closed with remote host.
+</code>
+As you noticed, the TLS layer is there successfully, the problem is more with the authentication not working.
+Add these lines to /etc/exim4/exim4.conf.template
+<code>
+MAIN_TLS_ENABLE = yes
+tls_on_connect_ports=465
+rfc1413_query_timeout = 0s
+</code>
+Install the SASLAUTH daemon that will do the authentication against local UNIX usernames.
+**NOTE**: If you want some other method of authentication, check the [[https://wiki.debian.org/Exim|Exim4 wiki]].
+<code bash>
+apt-get install sasl2-bin
+</code>
+Edit /etc/default/saslauthd to enable saslauth with this line change:
+<code>
+START=yes
+</code>
+Restart the SASLAUTH daemon:
+<code>
+/etc/init.d/saslauthd start
+</code>
+Add exim to sasl group
+<code bash>
+adduser Debian-exim sasl
+Adding user `Debian-exim' to group `sasl' ...
+Adding user Debian-exim to group sasl
+Done.
+</code>
+Inside /etc/exim4/exim4.conf.template uncomment these lines to enable PAM authentication (in the below all lines below and including the "plain_saslauthd_server"):
+<file bash /etc/exim4/exim4.conf.template>
+# Authenticate against local passwords using sasl2-bin
+# Requires exim_uid to be a member of sasl group, see README.Debian.gz
+# plain_saslauthd_server:
+#   driver = plaintext
+#   public_name = PLAIN
+#   server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
+#   server_set_id = $auth2
+#   server_prompts = :
+#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+#   .endif
+</file>
+Do a restart of both exim4 and saslauth
+<code bash>
+update-exim4.conf
+service exim4 restart
+service saslauthd restart
+</code>
+**VERIFICATION** is again with swaks the same command, but now you should get this (note "235 Authentication succeeded" below):
+<code bash>
+swaks -a -tls -q AUTH -s localhost -au demouser
+Password: kreten
+=== Trying localhost:25...
+=== Connected to localhost.
+<-  220 exampleserver.example.com ESMTP Exim 4.80 Tue, 23 Dec 2014 20:58:57 -0500
+ -> EHLO exampleserver.example.com
+<-  250-exampleserver.example.com Hello localhost [127.0.0.1]
+<-  250-SIZE 52428800
+<-  250-8BITMIME
+<-  250-PIPELINING
+<-  250-STARTTLS
+<-  250 HELP
+ -> STARTTLS
+<-  220 TLS go ahead
+=== TLS started w/ cipher DHE-RSA-AES256-SHA256
+=== TLS peer subject DN="/C=JS/ST=Jersey/L=St. Helier/O=example.com/OU=example.com/CN=exampleserver.example.com/emailAddress=demouser"
+ ~> EHLO exampleserver.example.com
+<~  250-exampleserver.example.com Hello localhost [127.0.0.1]
+<~  250-SIZE 52428800
+<~  250-8BITMIME
+<~  250-PIPELINING
+<~  250-AUTH PLAIN
+<~  250 HELP
+ ~> AUTH PLAIN AGRlbW91c2VyAGtyZXRlbg==
+<~  235 Authentication succeeded
+ ~> QUIT
+<~  221 exampleserver.example.com closing connection
+=== Connection closed with remote host.
+</code>
+===== Step 10: Configure courier for IMAP =====
+Ensure that the email client is definitely supporting IMAP.  Just follow these basic commands:
+<code bash>
+rm -rf /etc/courier/*.pem
+make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/courier/imapd.pem
+make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/courier/pop3d.pem
+service courier-imap restart
+service courier-imap-ssl restart
+service courier-authdaemon restart
+service courier-pop restart
+service courier-pop-ssl restart
+</code>
+===== Step 11: Test access with email client (e.g. Thunderbird) =====
+This setup shows how Thunderbird is configured, but if you have a different preferred client, please feel free to try using it (including smartphone mail clients that support IMAP protocol).
+<WRAP todo>
+**TODO**: Add an image here of Thunderbird "Mail Account Setup".
+</WRAP>
+**NOTE**:  Since we are using self-signed certificates here, you are definitely going to get warnings from Thunderbird (or other clients) that the certificates are not officially trusted.  If you are doing this for a real company, please go and purchase a real certificates from certification authorities (e.g. verisign…).
+<WRAP todo>
+**TODO**: Add an image here of Thunderbird "Add security exception".
+</WRAP>
+If your connection with any client was successful, please try writing a quick email to yourself, for example this is how it looked in my system in Thunderbird.
+<code>
+   From: Me <demouser@example.com>
+Subject: Test
+     To: Me <demouser@example.com>
+Hello World
+</code>
+Or here is the raw message code:
+<code>
+Return-path: <demouser@example.com>
+Envelope-to: demouser@example.com
+Delivery-date: Tue, 23 Dec 2014 21:57:21 -0500
+Received: from [123.123.123.123] (helo=[192.168.1.2])
+	by exampleserver.example.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
+	(Exim 4.80)
+	(envelope-from <demouser@example.com>)
+	id 1Y3c8X-00055r-CJ
+	for demouser@example.com; Tue, 23 Dec 2014 21:57:21 -0500
+Message-ID: <549A1DA1.1030708@example.com>
+Date: Wed, 24 Dec 2014 02:57:53 +0100
+From: "Smith, John" <demouser@example.com>
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
+MIME-Version: 1.0
+To: demouser@example.com
+Subject: Test
+Content-Type: text/plain; charset=utf-8; format=flowed
+Content-Transfer-Encoding: 7bit
+Hello World
+</code>
+===== Step 12: Testing sending mail to an external system =====
+Use Thunderbird, or another client and send an email to external systems.  There is a random chance that your email will end in spam folder on the destination.
+HINT: To check if your email left your system, check all the mail logs in the /var/log/mail*
+===== Step 13: Making the email system appear as a valid domain owner for passing spam filters =====
+There are three basic things every email system should do to get anti-spam protection permitting emails received from your new systems to remote systems inboxes without ending in spam folders.
+  - rDNS (or reverse DNS)  to have reverse DNS lookup on the public IP pointing back to your domain.
+  - SPF (Sender Policy Framework) that let’s the receiving system know which systems are allowed to send emails for your domain.
+  - DKIM (DocumentKeys Identified Mails) a public/private key pair that is used for signing emails by the domain owner to avoid spammers being able to send emails “as if” coming from your domain.
+==== Step 13A: Reverse DNS entry ====
+This part is between you and your provider, but you must ask the owner of the public IP you are using to create a reverse DNS entry for you.
+Most providers of servers have this option as part of their control panel so the work is a few clicks, but it is imperative to do.
+**DISCLAIMER**:  These examples have the public IP of 123.123.123.123.  Obviously replace that with your own IP.
+A quick view on one such system:
+<WRAP box cyan>
+^IP^Netmark^Gateway^Custom reverse DNS^
+|123.123.123.123|255.255.254.0|123.123.123.254|example.com|
+</WRAP>
+To verify, either use the "nslookup -r" command to your own domain, or web tool such as this one http://mxtoolbox.com/SuperTool.aspx
+<code bash>
+nslookup -r 123.123.123.123
+*** Invalid option: r
+Server:         8.8.8.8
+Address:        8.8.8.8#53
+Non-authoritative answer:
+.123.123.123.in-addr.arpa     name = example.com.
+</code>
+==== Step 13B: SPF ====
+To summarizze what we will be doing here with SPF is basically that you need to interact either with your own DNS system, or contact your DNS hosting company (or do this via their control panel if they have this) and ask them to enter some special TXT records to your domain.
+Read this page to understand SFP to avoid generating something incorrectly and hurting you email system from the very beginning!  http://www.openspf.org/SPF_Record_Syntax.
+This example will allow my main server "exampleserver" from the "example.com" domain to send emails.  So the records are like this for SPF1 and SPF2 records:
+<code>
+v=spf1 a include:exampleserver.example.com –all
+spf2.0/pra a include:exampleserver.example.com -all
+</code>
+=== Quick legend: ===
+  * The **"a"** allows any of the DNS A records to authorize domains (like basic example.com) to send emails.
+  * The **"include"** allows other domains like the server FQDN to send the email (MAKE SURE YOU ALSO HAVE A DNS A RECORD FOR YOUR SERVER FQDN!)
+  * **"-all"** removes all other IPs/Domains from the ability of sending emails.
+You can then apply them to the DNS record and test it with an online tool such as http://tools.bevhost.com/spf/
+<WRAP note>
+At the very end of this guide, we will be sending a test email to a testing service that will verify SPF and other useful things for us, so if you have trouble with this tool, wait for that testing.
+</WRAP>
+===== Step 13c: DKIM public keypair to sign emails leaving your system =====
+This is a little more tricky as we are again going to play with certificates, and also with exim4 routing of emails.  So let’s take it slowly:
+Generate an RSA public and private keys with openssl
+<code bash>
+sudo openssl genrsa -out /etc/exim4/private.key 1024
+sudo openssl rsa -in /etc/exim4/private.key -out /etc/exim4/public.pem -pubout -outform PEM
+sudo chown Debian-exim:root /etc/exim4/private.key /etc/exim4/public.pem
+</code>
+Read your new public key
+<code bash>
+cat /etc/exim4/public.pem
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA+WiFmhUpuOav+3oB77E0j06p
+DAr5cw9NKkcf9tcDbn7nIpBqAIFP8PVTn4tzO3I6LL+o5A9dCGQFPZlzqW8cXPDc
+Zd/4+4NEw1OIbbaUJh/giTyI24qbxBFTaW1nvdxE9qlWbNOYlbOVp4BpXdwmawVw
+V72GKjSR2+ql8wM4cQIDAQAB
+-----END PUBLIC KEY-----
+</code>
+Construct a DNS TXT record with the public key using this formula :
+  * Domain name: key1._domainkey.<your domain name>
+  * TXT record: v=DKIM1; k=rsa; p=<your public key string> For the domain example.com.
+<code>
+key1._domainkey.example.com.example.com
+</code>
+TXT record itself:
+<code>
+v=DKIM1;\040k=rsa;\040p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA+WiFmhUpuOav+3oB77E0j06pDAr5cw9NKkcf9tcDbn7nIpBqAIFP8PVTn4tzO3I6LL+o5A9dCGQFPZlzqW8cXPDcZd/4+4NEw1OIbbaUJh/giTyI24qbxBFTaW1nvdxE9qlWbNOYlbOVp4BpXdwmawVwV72GKjSR2+ql8wM4cQIDAQAB
+</code>
+<WRAP info>
+The 'p' value is the data that was seen from the public key - but removing any spaces and new lines.
+</WRAP>
+Create a file dkim_senders to tell exim what source domains the DKIM should be used for:
+<code bash>
+echo "*@example.com: example.com"  > /etc/exim4/dkim_senders
+</code>
+Edit /etc/exim4.conf.template and in section "router/200_exim4-config_primary" just before "dnslookup_relay_to_domains:" add these new lines:
+<code>
+#NetworkGeekStuff dkim addon rules:
+dnslookup_dkim:
+  debug_print = "R: dnslookup_dkim for $local_part@$domain"
+  driver = dnslookup
+  domains = ! +local_domains
+  senders = lsearch*@;/etc/exim4/dkim_senders
+  transport = remote_smtp_dkim
+  same_domain_copy_routing = yes
+  # ignore private rfc1918 and APIPA addresses
+  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
+.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
+.255.255.255
+  no_more
+</code>
+Again inside the /etc/exim4/exim4.conf.template inside section "transport/30_exim4-config_remote_smtp" just before "remote_smtp:" add these new lines:
+<code>
+remote_smtp_dkim:
+  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
+  driver = smtp
+  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}
+  dkim_selector = key1
+  dkim_private_key = /etc/exim4/rsa.private
+  dkim_canon = relaxed
+  dkim_strict = false
+  #dkim_sign_headers = DKIM_SIGN_HEADERS
+</code>
+Restart exim
+<code bash>
+update-exim4.conf
+service exim4 restart
+</code>
+Now you should have everything very nicely prepared, to get a report about how successfully you were, send a test email to (any content) :
+<code>
+check-auth@verifier.port25.com
+</code>
+You will get back an email with a very nice and complete summary of the SPF/DKIM and some other checks.  Here is an example with details how the system from this tutorial passed SFP and DKIM test.  This is a very nice result so far.
+<code>
+==========================================================
+Summary of Results
+==========================================================
+SPF check:          pass
+DomainKeys check:   neutral
+DKIM check:         pass
+Sender-ID check:    pass
+SpamAssassin check: ham
+==========================================================
+Details:
+==========================================================
+HELO hostname:  exampleserver.example.com
+Source IP:      123.123.123.123
+mail-from:      demouser@example.com
+----------------------------------------------------------
+SPF check details:
+----------------------------------------------------------
+Result:         pass
+ID(s) verified: smtp.mailfrom=demouser@example.com
+DNS record(s):
+    example.com. SPF (no records)
+    example.com. 600 IN TXT "v=spf1 a include:exampleserver.example.com -all"
+    example.com. 600 IN TXT "spf2.0/pra a include:exampleserver.example.com -all"
+    example.com. 600 IN A 123.123.123.123
+----------------------------------------------------------
+DKIM check details:
+----------------------------------------------------------
+Result:         pass (matches From: demouser@example.com)
+ID(s) verified: header.d=example.com
+Canonicalized Headers:
+    content-transfer-encoding:7bit'0D''0A'
+    content-type:text/plain;'20'charset=utf-8;'20'format=flowed'0D''0A'
+    in-reply-to:<549B2103.5080605@example.com>'0D''0A'
+    references:<549B2103.5080605@example.com>'0D''0A'
+    subject:test'20'email'20'for'20'DKIM'20'and'20'SPF'0D''0A'
+    to:check-auth@verifier.port25.com'0D''0A'
+    mime-version:1.0'0D''0A'
+    from:"Smith,'20'John"'20'<demouser@example.com>'0D''0A'
+    date:Wed,'20'24'20'Dec'20'2014'20'23:37:38'20'+0100'0D''0A'
+    message-id:<549B4032.4040201@example.com>'0D''0A'
+    dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=example.com;'20's=key1;'20'h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID;'20'bh=Q22dyZju6AlMzw21jDtbRX5w6L8oTce4upEb75AdLqs=;'20'b=;
+Canonicalized Body:
+    Test'20'email'20'body'0D''0A'
+DNS record(s):
+    key1._domainkey.example.com. 600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA+WiFmhUpuOav+3oB77E0j06pDAr5cw9NKkcf9tcDbn7nIpBqAIFP8PVTn4tzO3I6LL+o5A9dCGQFPZlzqW8cXPDcZd/4+4NEw1OIbbaUJh/giTyI24qbxBFTaW1nvdxE9qlWbNOYlbOVp4BpXdwmawVwV72GKjSR2+ql8wM4cQIDAQAB"
+Public key used for verification: key1._domainkey.example.com (1024 bits)
+NOTE: DKIM checking has been performed based on the latest DKIM specs
+(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
+older versions.  If you are using Port25's PowerMTA, you need to use
+version 3.2r11 or later to get a compatible version of DKIM.
+</code>
+===== Step 14: SpamAssassin header attachment =====
+SpamAssassin is mainly used for incoming emails.  Right now we are going to use SpamAssassin to add its header to all emails that our system sends to try to declare we are not spam.
+So this is a super quick how-to to enable very basic spam-assassin checks on your emails.
+See https://wiki.debian.org/Exim.
+<code bash>
+apt-get install spamassassin
+</code>
+Set "ENABLED=1" inside /etc/default/spamassassin
+Start the spamassassin daemon:
+<code bash>
+/etc/init.d/spamassassin start
+</code>
+Uncomment this line in /etc/exim4/exim4.conf.template
+<code>
+spamd_address = 127.0.0.1 783
+</code>
+Edit /etc/exim4/exim4.conf.template and inside section "40_exim4-config_check_data change" edit the content inside the "acl_check_data:" function:
+<code>
+# put headers in all messages (no matter if spam or not)
+ warn  spam = nobody:true
+     add_header = X-Spam-Score: $spam_score ($spam_bar)
+     add_header = X-Spam-Report: $spam_report
+# add second subject line with *SPAM* marker when message
+# is over threshold
+  warn  spam = nobody
+      add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:
+</code>
+Rebuild exim config and restart exim
+<code bash>
+update-exim4.conf
+service exim4 restart
+</code>
+Test by either sending again to check-auth@verifier.port25.com  or catch the outcomming emails from your system and it should have this header inside:
+<code>
+X-Spam-Score: -1.0 (-)
+X-Spam-Report: Spam detection software, running on the system "exampleserver.example.com", has
+ identified this incoming email as possible spam.  The original message
+ has been attached to this so you can view it (if it isn't spam) or label
+ similar future email.  If you have any questions, see
+ @@CONTACT_ADDRESS@@ for details.
+ Content preview:  Test email body 3 [...]
+ Content analysis details:   (-1.0 points, 5.0 required)
+  pts rule name              description
+ ---- ---------------------- --------------------------------------------------
+ -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
+</code>
+===== Summary =====
+The email system should be running.
+The next step is to check how well SPF/DKIM and other functions are filtering out incoming spam!
+===== References =====
+https://help.ubuntu.com/community/Dovecot
+http://wiki.dovecot.org/