email:install_a_full_secure_mail_server

email:install_a_full_secure_mail_server [2020/07/25 16:26] – old revision restored (2016/11/28 12:21) 92.220.10.100
email:install_a_full_secure_mail_server [2020/07/26 11:22] (current) – old revision restored (2016/11/28 17:09) 158.69.243.115
Line 3: Line 3:
 ===== Prerequisites ===== ===== Prerequisites =====
  
-1) A Linux server, preferably Debian or Ubuntu to follow this tutorial step by step, on other distributions the software packages and file paths can be different.+  * A Linux server, preferably Debian or Ubuntu to follow this tutorial step by step, on other distributions the software packages and file paths can be different.
  
-2) Public IP address preferably directly on the server (+ if you are not directly owning the IP in RIPE database, the provider of this IP address to you should be able and willing to set reverse DNS entry on this IP address later in this tutorial, so if you are just looking for provider check this with them before ordering a service from them).+  * A Public IP address preferably directly on the server (If you do not have an IP in the RIPE database, then a provider of your IP address who is willing to set reverse DNS entry on this IP address).
  
-3) A publicly registered domain name either with some DNS hosting company or you can do yourself a small DNS server.  If you will have a DNS provider, just make sure they allow you to enter TXT records for your domain record.+  * A publicly registered domain name either with some DNS hosting company or you can do yourself a small DNS server.  If you will have a DNS provider, just make sure they allow you to enter TXT records for your domain record.
  
  
 ===== My example users and domain used in this tutorial ===== ===== My example users and domain used in this tutorial =====
  
-In this tutorial, I will be using "example.com" as the domain.  Please change all example.com text in this tutorial to your own domain when following this tutorial.  At the point of writing this tutorial this example.com was pointing to public IP of 123.123.123.123. +This tutorial will be using "example.com" as the domain with a public IP of 123.123.123.123.
  
-Also the demouser account email is demouser@example.com.+An example email account of demouser@example.com will be used.
  
-The target what we will have at the end of this tutorial+The target that we desire at the end of this tutorial is:
  
-  * En email system with email in the form of @example.com. +  * An email system with email in the form of xxxx@example.com. 
-  * IMAP secured with SSL for access to your emails (test is to access emails from your smartphone)+  * IMAP secured with SSL for access to your emails. 
-  * All standard protection mechanisms on the emails so that other email systems do not classify our emails as SPAM.  This includes SPF, DKIM, rDNS and SpamAssassin headers.+  * All standard protection mechanisms on the emails so that other email systems do not classify the emails as SPAM.  This includes SPF, DKIM, rDNS and SpamAssassin headers.
  
  
 ===== Step 1: Configure local hostname and domain on linux server ===== ===== Step 1: Configure local hostname and domain on linux server =====
  
-How we will call our systems.  This uses "example.com" as the domain, and "exampleserver" as the hostname.  +This uses "example.com" as the domain, and "exampleserver" as the hostname.  
  
-The DNS server will be 8.8.8.8 (**NOTE**: This is gmail DNS system).+The DNS server will be 8.8.8.8 (which is the gmail DNS system, but adjust to any other DNS server as required).
  
 <code bash> <code bash>
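Review bot: The reworded public-IP prerequisite on the `+` side of this hunk no longer reads as a sentence ("If you do not have an IP in the RIPE database, then a provider of your IP address who is willing to set reverse DNS entry") and it drops the old wording's practical advice to confirm reverse-DNS support with the provider before ordering; suggest keeping that advice, e.g. "a public IP address whose owner (you or your provider) can set a reverse DNS (PTR) record for it; confirm this with the provider before ordering". Also, 8.8.8.8 is Google Public DNS, not a "gmail DNS system"; since the new wording already invites substituting another resolver, it could simply read "8.8.8.8 (Google Public DNS; use any resolver you prefer)".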
Line 35: Line 35:
 </code> </code>
  
-Verification is easy, just use these commands and you should get the answers visible.+Verification is easy, just use these commands and you should get the answers.
  
 <code bash> <code bash>
Line 54: Line 54:
 ===== Step 2: Install email system exim4 and supporting packages ===== ===== Step 2: Install email system exim4 and supporting packages =====
  
-To get all the software in debian for our little tutorial, we need three main pieces of software:+The following software is needed:
  
   - **Exim4** – the SMTP daemon.   - **Exim4** – the SMTP daemon.
-  - **Courier** – communication extension for Exim4 to have IMAP and POP access to emails.+  - **Courier** – communication extension for Exim4 to have IMAP and POP access to emails; or 
 +  - **Dovecot** - communication extension for Exim4 to have IMAP and POP access to emails.
   - **Swaks** – Swiss army knife for SMTP troubleshooting.   - **Swaks** – Swiss army knife for SMTP troubleshooting.
   - **SSL-cert packages** – for easy work with generating certificates in later parts of the tutorial.   - **SSL-cert packages** – for easy work with generating certificates in later parts of the tutorial.
  
-If you are using Debian or Ubuntuthen you can simply follow these commands :+<WRAP todo> 
 +**TODO**: Update to use alternatives to Couriersuch as Dovecot. 
 +</WRAP> 
 + 
 +Issue these commands:
  
 <code bash> <code bash>
 apt-get update  apt-get update 
-apt-get install exim4-daemon-heavy courier-authdaemon courier-imap courier-imap-ssl courier-pop courier-pop-ssl swaks libnet-ssleay-perl ssl-cert+apt-get install exim4-daemon-heavy swaks libnet-ssleay-perl ssl-cert 
 +</code> 
 + 
 +Decide on using Courier or Dovecot.  Recommendation is to use Dovecot. 
 + 
 +==== For Courier ==== 
 + 
 +<code bash> 
 +apt-get install courier-authdaemon courier-imap courier-imap-ssl courier-pop courier-pop-ssl 
 </code> </code>
  
 <WRAP warning> <WRAP warning>
-**Note/Warning**:  Courier will by default use a self-signed certificates.  These are OK if you are going to be the only user of the mail system, but if you plan to invite many people like for a public system (and you do not plan to distribute your own certification authority to them), then you need a signed-certificate.  But for our use-case we will not go into replacing these for our small IMAP usage, but definitely not OK for a public or larger one!  This is also the warning installation will give you about this fact:+**WARNING**:  Courier will by default use a self-signed certificates.  These are OK if you are going to be the only user of the mail system, but if you plan to invite many people like for a public system (and you do not plan to distribute your own certification authority to them), then you need a signed-certificate.  But for our use-case we will not go into replacing these for our small IMAP usage, but definitely not OK for a public or larger one!  This is also the warning installation will give you about this fact:
  
 <code> <code>
Line 86: Line 99:
 </WRAP> </WRAP>
  
-Verification of the installation can be afterwards done by checking the running ports with a netstat command if all the pop3, imap, smtp, pop3s and imaps ports are present like visible like in the example below:+ 
 +==== For Dovecot ==== 
 + 
 +<code bash> 
 +apt-get install dovecot-imapd dovecot-pop3d 
 +</code> 
 + 
 +Edit the file /etc/dovecot/dovecot.conf and amend the following line in the file /etc/dovecot/dovecot.conf: 
 + 
 +<code> 
 +protocols = pop3 pop3s imap imaps 
 +</code> 
 + 
 +In addition, add the following line in the "protocol pop3" section in the /etc/dovecot/dovecot.conf: 
 + 
 +<code> 
 +pop3_uidl_format = %08Xu%08Xv 
 +</code> 
 + 
 +Configure Dovecot to use the maildir mailbox format.  Edit /etc/dovecot/dovecot.conf: 
 + 
 +<code> 
 +mail_location = maildir:~/Maildir 
 +</code> 
 + 
 +<WRAP info> 
 +**NOTE**:  Maildir mails are almost always stored in ~/Maildir/ directory, which contains cur/, new/ and tmp/ subdirectories.  In maildir each mail is stored in a separate file. 
 +</WRAP> 
 + 
 +or alternatively change to: 
 + 
 +<code> 
 +mail_location = maildir:/home/%u/Maildir 
 +</code> 
 + 
 +<WRAP note> 
 +If !include conf.d/*.conf is uncommented in /etc/dovecot/dovecot.conf, it is necessary to set mail_location in /etc/dovecot/conf.d/10-mail.conf or comment the line out.  10-mail.conf will override the mail_location in dovecot.conf. If you choose to set the mail_location in 10-mail.conf, you have to change it to: 
 +</WRAP> 
 + 
 +<code> 
 +mail_location = maildir:~/Maildir 
 +</code> 
 + 
 +For SSL add or amend the following to the /etc/dovecot/dovecot.conf file. 
 + 
 +<code> 
 +disable_plaintext_auth = no 
 +ssl = yes 
 +ssl_cert_file = </etc/ssl/certs/ssl-cert-snakeoil.pem 
 +ssl_key_file = </etc/ssl/private/ssl-cert-snakeoil.key 
 +</code> 
 + 
 +Uncomment following line in /etc/dovecot/dovecot.conf: 
 + 
 +<code> 
 +listen = * 
 +</code> 
 + 
 +However, this method may cause conflicts with other servers already listening on other ports. The alternative (and probably more desirable) method, then, is to enable the specific listening ports for the protocols that are intended to be used. For example, for IMAP/IMAPS and POP3/POP3S, add to the correct protocol imap and protocol pop3 sections: 
 + 
 +<code> 
 +protocol imap { 
 +     listen = *:143 
 +     ssl_listen = *:993 
 +     ... 
 +     } 
 + 
 +protocol pop3 { 
 +     listen = *:110 
 +     ssl_listen = *:995 
 +     ... 
 +     } 
 +</code> 
 + 
 +If you want to see the config Dovecot is currently using (including the mail_location), use 
 + 
 +<code bash> 
 +dovecot -n 
 +</code> 
 + 
 +Start dovecot: 
 + 
 +<code bash> 
 +/etc/init.d/dovecot start 
 +</code> 
 + 
 +See https://help.ubuntu.com/community/Dovecot 
 + 
 + 
 +==== Verify the setup ==== 
 + 
 +Verification of the installation can be done by checking the running ports with a netstat command.  Ensure that all the pop3, imap, smtp, pop3s and imaps ports are present as required:
  
 <code bash> <code bash>
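Review bot: In the Dovecot SSL block added in this hunk, `disable_plaintext_auth = no` makes Dovecot accept cleartext passwords on non-TLS connections, which undoes the point of enabling SSL; the Dovecot default, `disable_plaintext_auth = yes`, still allows PLAIN/LOGIN once STARTTLS is active or the imaps/pop3s port is used, so the line should be `yes` or omitted. The same block points at the Debian "snakeoil" self-signed certificate, so the WRAP warning given for Courier applies equally here and deserves a mention. Note as well that `protocols = pop3 pop3s imap imaps`, `ssl_cert_file`/`ssl_key_file` and `ssl_listen` are Dovecot 1.x directives; Dovecot 2.x (what current Debian and Ubuntu releases ship) uses `protocols = imap pop3`, `ssl_cert = <...`/`ssl_key = <...` and `inet_listener` blocks, so the text should say which Dovecot version it targets. Two smaller points: the sentence "Edit the file /etc/dovecot/dovecot.conf and amend the following line in the file /etc/dovecot/dovecot.conf" names the file twice, and `listen = *` binds IPv4 only while the netstat verification below expects tcp6 listeners (`listen = *, ::` covers both).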
Line 98: Line 202:
 tcp6            0 [::]:pop3s              [::]:                 LISTEN      tcp6            0 [::]:pop3s              [::]:                 LISTEN     
 </code> </code>
 +
  
 ===== Step 3: Preparing local users for mail system (Maildir) ===== ===== Step 3: Preparing local users for mail system (Maildir) =====
  
-In this example, I will prefer each user having his email inside his home directory under ~/Maildir.  For the new users, add this directory to the skeleton so that it is automatically created for new users like this:+In this example, each user will have their email inside their own home directory under ~/Maildir.  To have this as a standard setting for new users, simply add this directory to the skeleton so that it is automatically created for new users like this
 + 
 +It's a good idea to pre-create the Maildir for future users: 
 + 
 +<code bash> 
 +sudo maildirmake.dovecot /etc/skel/Maildir 
 +sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts 
 +sudo maildirmake.dovecot /etc/skel/Maildir/.Sent 
 +sudo maildirmake.dovecot /etc/skel/Maildir/.Trash 
 +sudo maildirmake.dovecot /etc/skel/Maildir/.Templates 
 +</code> 
 + 
 +Then, for an existing user:
  
 <code bash> <code bash>
-maildirmake /etc/skel/Maildir+sudo cp -r /etc/skel/Maildir /home/myuser/ 
 +sudo chown -R myuser:usergroup /home/myuser/Maildir 
 +sudo chmod -R 700 /home/myuser/Maildir
 </code> </code>
  
-For existing users, you have to do this manually (or do a script for this).  For example for my test user “testuser” like this:+or for the example test user "demouser":
  
 <code bash> <code bash>
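Review bot: The rewritten intro sentence of this hunk stops mid-thought ("so that it is automatically created for new users like this" is followed by a new paragraph instead of the command), so either finish it or drop "like this". The skeleton commands use `maildirmake.dovecot`, which comes with the Dovecot packages; readers who chose Courier in Step 2 need Courier's `maildirmake` instead, and the text should say so. In the copy step, `myuser:usergroup` is a placeholder and should be marked as one (on Debian/Ubuntu the user's primary group is normally named after the user, so `myuser:myuser` is the usual value); the `chown` plus `chmod -R 700` is the right call, since a readable Maildir would expose mail to other local accounts.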
Line 121: Line 240:
 </code> </code>
  
-Give this user a password when prompted.  Always choose a good password here because this UNIX passwords will also be user by the IMAP/POP3 access to your emails!+Give this user a password when prompted.  Always choose a good password here because this UNIX passwords will also be used by the user for IMAP/POP3 access to their emails!
  
  
 ===== Step 5: Configure exim4 ===== ===== Step 5: Configure exim4 =====
  
-Now, first step here is to use the debian built-in configuration package to configure the main” exim4 points with:+Now, first step here is to use the Debian and Ubuntu built-in configuration package to configure the "mainexim4 points with:
  
 <code bash> <code bash>
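Review bot: In the password note on the `+` side, "this UNIX passwords will also be used by the user" should read "this UNIX password will also be used by the user", and the Step 5 sentence lost its closing quote ("mainexim4" should be "main" exim4). The headings in this and the previous hunk go from Step 3 directly to Step 5 with no Step 4 between them; renumber or note the gap. Since the same UNIX password serves both shell login and IMAP/POP3/SMTP AUTH, it is worth adding that mail-only accounts should be created without an interactive shell (for example `adduser --shell /usr/sbin/nologin`) so a leaked mail password does not also grant a shell.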
Line 132: Line 251:
 </code> </code>
  
-It will give you several options in a wizard, this is how I configured my answers for a small and independent server:+It will give you several options in a wizard.  Here are suggested answers for a small and independent server:
  
   * General type of mail configuration: **internet site**; mail is sent and received directly using SMTP.   * General type of mail configuration: **internet site**; mail is sent and received directly using SMTP.
Line 148: Line 267:
 ===== Step 6: X.509 certificate for exim4 TLS support ===== ===== Step 6: X.509 certificate for exim4 TLS support =====
  
-First run this small command to generate a certificate based on example from exim.+Generate a certificate based on example from exim.
  
 <code bash> <code bash>
Line 219: Line 338:
 ===== Step 7: Verification of emails delivery ===== ===== Step 7: Verification of emails delivery =====
  
-Ok, so the basic email system should now be running, lets test it with the most basic test and that is sending an email locally (either between two users of the local system or to yourself).+The basic email system should now be running.  Test this with basic test of sending an email locally (either between two users of the local system or to yourself).
  
 This test will send email to testuser from testuser. This test will send email to testuser from testuser.
Line 236: Line 355:
 </code> </code>
  
-Ok, all looks good, now lets try sending to external source like gmail (replace the xxxx with your real email).+All looks good.  Now try sending an external email.
  
 <code bash> <code bash>
Line 242: Line 361:
 </code> </code>
  
-Now the good and the bad part, the email arrived, but it ended most probably in spam folder because technically this is a "rogue" system with unknown domain and no basic signatures in the email headers.+Now the good and the bad part, the email arrived, but it ended most probably in the spam folder because technically this is a "rogue" system with unknown domain and no basic signatures in the email headers.
  
  
 ===== Step 8-9: First problem with PAM not enabled in courier ===== ===== Step 8-9: First problem with PAM not enabled in courier =====
  
-As immediate step after my emails got working was that Thunderbird was unable to connect to the courier with IMAPS (with TLS enabled) despite the basic certificates existed from the installation (during apt-get install a default set was generated).+An immediate step after my emails got working was that Thunderbird was unable to connect to the courier with IMAPS (with TLS enabled) despite the basic certificates existed from the installation (during apt-get install a default set was generated).
  
-To verify what is going onethis is the best test to see the problem, we will use SWAKS to troubleshoot like this:+To verify what is going onrun a simple test using SWAKS to troubleshoot:
  
 <code bash> <code bash>
Line 290: Line 409:
 </code> </code>
  
-Install SASLAUTH daemon that will do the authentication for us against local unix usernames.+Install the SASLAUTH daemon that will do the authentication against local UNIX usernames.
  
-**NOTE**: If you want some other method of authentication, check the exim4 wiki.+**NOTE**: If you want some other method of authentication, check the [[https://wiki.debian.org/Exim|Exim4 wiki]].
  
 <code bash> <code bash>
Line 342: Line 461:
 service saslauthd restart service saslauthd restart
 </code> </code>
 +
 +**VERIFICATION** is again with swaks the same command, but now you should get this (note "235 Authentication succeeded" below):
 +
 +<code bash>
 +swaks -a -tls -q AUTH -s localhost -au demouser
 +Password: kreten
 +=== Trying localhost:25...
 +=== Connected to localhost.
 +<-  220 exampleserver.example.com ESMTP Exim 4.80 Tue, 23 Dec 2014 20:58:57 -0500
 + -> EHLO exampleserver.example.com
 +<-  250-exampleserver.example.com Hello localhost [127.0.0.1]
 +<-  250-SIZE 52428800
 +<-  250-8BITMIME
 +<-  250-PIPELINING
 +<-  250-STARTTLS
 +<-  250 HELP
 + -> STARTTLS
 +<-  220 TLS go ahead
 +=== TLS started w/ cipher DHE-RSA-AES256-SHA256
 +=== TLS peer subject DN="/C=JS/ST=Jersey/L=St. Helier/O=example.com/OU=example.com/CN=exampleserver.example.com/emailAddress=demouser"
 + ~> EHLO exampleserver.example.com
 +<~  250-exampleserver.example.com Hello localhost [127.0.0.1]
 +<~  250-SIZE 52428800
 +<~  250-8BITMIME
 +<~  250-PIPELINING
 +<~  250-AUTH PLAIN
 +<~  250 HELP
 + ~> AUTH PLAIN AGRlbW91c2VyAGtyZXRlbg==
 +<~  235 Authentication succeeded
 + ~> QUIT
 +<~  221 exampleserver.example.com closing connection
 +=== Connection closed with remote host.
 +</code>
 +
 +===== Step 10: Configure courier for IMAP =====
 +
 +Ensure that the email client is definitely supporting IMAP.  Just follow these basic commands:
 +
 +<code bash>
 +rm -rf /etc/courier/*.pem
 +make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/courier/imapd.pem 
 +make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/courier/pop3d.pem
 +
 +service courier-imap restart
 +service courier-imap-ssl restart
 +service courier-authdaemon restart
 +service courier-pop restart
 +service courier-pop-ssl restart
 +</code>
 +
 +
 +===== Step 11: Test access with email client (e.g. Thunderbird) =====
 +
 +This setup shows how Thunderbird is configured, but if you have a different preferred client, please feel free to try using it (including smartphone mail clients that support IMAP protocol).
 +
 +<WRAP todo>
 +**TODO**: Add an image here of Thunderbird "Mail Account Setup".
 +</WRAP>
 +
 +**NOTE**:  Since we are using self-signed certificates here, you are definitely going to get warnings from Thunderbird (or other clients) that the certificates are not officially trusted.  If you are doing this for a real company, please go and purchase a real certificates from certification authorities (e.g. verisign…).
 +
 +<WRAP todo>
 +**TODO**: Add an image here of Thunderbird "Add security exception".
 +</WRAP>
 +
 +If your connection with any client was successful, please try writing a quick email to yourself, for example this is how it looked in my system in Thunderbird.
 +
 +<code>
 +   From: Me <demouser@example.com>
 +Subject: Test
 +     To: Me <demouser@example.com>
 +Hello World
 +</code>     
 +
 +Or here is the raw message code:
 +
 +<code>
 +Return-path: <demouser@example.com>
 +Envelope-to: demouser@example.com
 +Delivery-date: Tue, 23 Dec 2014 21:57:21 -0500
 +Received: from [123.123.123.123] (helo=[192.168.1.2])
 + by exampleserver.example.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
 + (Exim 4.80)
 + (envelope-from <demouser@example.com>)
 + id 1Y3c8X-00055r-CJ
 + for demouser@example.com; Tue, 23 Dec 2014 21:57:21 -0500
 +Message-ID: <549A1DA1.1030708@example.com>
 +Date: Wed, 24 Dec 2014 02:57:53 +0100
 +From: "Smith, John" <demouser@example.com>
 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
 +MIME-Version: 1.0
 +To: demouser@example.com
 +Subject: Test
 +Content-Type: text/plain; charset=utf-8; format=flowed
 +Content-Transfer-Encoding: 7bit
 +
 +Hello World
 +</code>
 +
 +
 +===== Step 12: Testing sending mail to an external system =====
 +
 +Use Thunderbird, or another client and send an email to external systems.  There is a random chance that your email will end in spam folder on the destination.
 +
 +HINT: To check if your email left your system, check all the mail logs in the /var/log/mail*
 +
 +
 +===== Step 13: Making the email system appear as a valid domain owner for passing spam filters =====
 +
 +There are three basic things every email system should do to get anti-spam protection permitting emails received from your new systems to remote systems inboxes without ending in spam folders.
 +
 +  - rDNS (or reverse DNS)  to have reverse DNS lookup on the public IP pointing back to your domain.
 +  - SPF (Sender Policy Framework) that let’s the receiving system know which systems are allowed to send emails for your domain.
 +  - DKIM (DocumentKeys Identified Mails) a public/private key pair that is used for signing emails by the domain owner to avoid spammers being able to send emails “as if” coming from your domain.
 +
 +
 +==== Step 13A: Reverse DNS entry ====
 +
 +This part is between you and your provider, but you must ask the owner of the public IP you are using to create a reverse DNS entry for you.
 +
 +Most providers of servers have this option as part of their control panel so the work is a few clicks, but it is imperative to do.
 +
 +**DISCLAIMER**:  These examples have the public IP of 123.123.123.123.  Obviously replace that with your own IP.
 +
 +A quick view on one such system:
 +
 +<WRAP box cyan>
 +^IP^Netmark^Gateway^Custom reverse DNS^
 +|123.123.123.123|255.255.254.0|123.123.123.254|example.com|
 +</WRAP>
 +
 +To verify, either use the "nslookup -r" command to your own domain, or web tool such as this one http://mxtoolbox.com/SuperTool.aspx
 +
 +<code bash>
 +nslookup -r 123.123.123.123
 +*** Invalid option: r
 +Server:         8.8.8.8
 +Address:        8.8.8.8#53
 + 
 +Non-authoritative answer:
 +123.123.123.123.in-addr.arpa     name = example.com.
 +</code>
 +
 +
 +==== Step 13B: SPF ====
 +
 +To summarizze what we will be doing here with SPF is basically that you need to interact either with your own DNS system, or contact your DNS hosting company (or do this via their control panel if they have this) and ask them to enter some special TXT records to your domain.  
 +
 +Read this page to understand SFP to avoid generating something incorrectly and hurting you email system from the very beginning!  http://www.openspf.org/SPF_Record_Syntax.
 +
 +This example will allow my main server "exampleserver" from the "example.com" domain to send emails.  So the records are like this for SPF1 and SPF2 records:
 +
 +<code>
 +v=spf1 a include:exampleserver.example.com –all
 +spf2.0/pra a include:exampleserver.example.com -all
 +</code>
 +
 +=== Quick legend: ===
 +
 +  * The **"a"** allows any of the DNS A records to authorize domains (like basic example.com) to send emails.
 +  * The **"include"** allows other domains like the server FQDN to send the email (MAKE SURE YOU ALSO HAVE A DNS A RECORD FOR YOUR SERVER FQDN!)
 +  * **"-all"** removes all other IPs/Domains from the ability of sending emails.
 +
 +You can then apply them to the DNS record and test it with an online tool such as http://tools.bevhost.com/spf/
 +
 +<WRAP note>
 +At the very end of this guide, we will be sending a test email to a testing service that will verify SPF and other useful things for us, so if you have trouble with this tool, wait for that testing.
 +</WRAP>
 +
 +
 +===== Step 13c: DKIM public keypair to sign emails leaving your system =====
 +
 +This is a little more tricky as we are again going to play with certificates, and also with exim4 routing of emails.  So let’s take it slowly:
 +
 +Generate an RSA public and private keys with openssl
 +
 +<code bash>
 +sudo openssl genrsa -out /etc/exim4/private.key 1024
 +sudo openssl rsa -in /etc/exim4/private.key -out /etc/exim4/public.pem -pubout -outform PEM
 +sudo chown Debian-exim:root /etc/exim4/private.key /etc/exim4/public.pem
 +</code>
 +
 +Read your new public key
 +
 +<code bash>
 +cat /etc/exim4/public.pem 
 +-----BEGIN PUBLIC KEY-----
 +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA+WiFmhUpuOav+3oB77E0j06p
 +DAr5cw9NKkcf9tcDbn7nIpBqAIFP8PVTn4tzO3I6LL+o5A9dCGQFPZlzqW8cXPDc
 +Zd/4+4NEw1OIbbaUJh/giTyI24qbxBFTaW1nvdxE9qlWbNOYlbOVp4BpXdwmawVw
 +V72GKjSR2+ql8wM4cQIDAQAB
 +-----END PUBLIC KEY-----
 +</code>
 +
 +Construct a DNS TXT record with the public key using this formula :
 +
 +  * Domain name: key1._domainkey.<your domain name>
 +  * TXT record: v=DKIM1; k=rsa; p=<your public key string> For the domain example.com.
 +
 +<code>
 +key1._domainkey.example.com.example.com
 +</code>
 +
 +TXT record itself:
 +
 +<code>
 +v=DKIM1;\040k=rsa;\040p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA+WiFmhUpuOav+3oB77E0j06pDAr5cw9NKkcf9tcDbn7nIpBqAIFP8PVTn4tzO3I6LL+o5A9dCGQFPZlzqW8cXPDcZd/4+4NEw1OIbbaUJh/giTyI24qbxBFTaW1nvdxE9qlWbNOYlbOVp4BpXdwmawVwV72GKjSR2+ql8wM4cQIDAQAB
 +</code>
 +
 +<WRAP info>
 +The 'p' value is the data that was seen from the public key - but removing any spaces and new lines.
 +</WRAP>
 +
 +
 +Create a file dkim_senders to tell exim what source domains the DKIM should be used for:
 +
 +<code bash>
 +echo "*@example.com: example.com"  > /etc/exim4/dkim_senders
 +</code>
 +
 +Edit /etc/exim4.conf.template and in section "router/200_exim4-config_primary" just before "dnslookup_relay_to_domains:" add these new lines:
 +
 +<code>
 +#NetworkGeekStuff dkim addon rules:
 +dnslookup_dkim:
 +  debug_print = "R: dnslookup_dkim for $local_part@$domain"
 +  driver = dnslookup
 +  domains = ! +local_domains
 +  senders = lsearch*@;/etc/exim4/dkim_senders
 +  transport = remote_smtp_dkim
 +  same_domain_copy_routing = yes
 +  # ignore private rfc1918 and APIPA addresses
 +  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
 +                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
 +                        255.255.255.255
 +  no_more
 +</code>
 +
 +Again inside the /etc/exim4/exim4.conf.template inside section "transport/30_exim4-config_remote_smtp" just before "remote_smtp:" add these new lines:
 +
 +<code>
 +remote_smtp_dkim:
 +  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
 +  driver = smtp
 +  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}
 +  dkim_selector = key1
 +  dkim_private_key = /etc/exim4/rsa.private
 +  dkim_canon = relaxed
 +  dkim_strict = false
 +  #dkim_sign_headers = DKIM_SIGN_HEADERS
 +</code>
 +  
 +Restart exim
 +
 +<code bash>
 +update-exim4.conf
 +service exim4 restart
 +</code>
 +
 +Now you should have everything very nicely prepared, to get a report about how successfully you were, send a test email to (any content) :
 +
 +<code>
 +check-auth@verifier.port25.com
 +</code>
 +
 +You will get back an email with a very nice and complete summary of the SPF/DKIM and some other checks.  Here is an example with details how the system from this tutorial passed SFP and DKIM test.  This is a very nice result so far.
 +
 +<code>
 +==========================================================
 +Summary of Results
 +==========================================================
 +SPF check:          pass
 +DomainKeys check:   neutral
 +DKIM check:         pass
 +Sender-ID check:    pass
 +SpamAssassin check: ham
 +
 +==========================================================
 +Details:
 +==========================================================
 +
 +HELO hostname:  exampleserver.example.com
 +Source IP:      123.123.123.123
 +mail-from:      demouser@example.com
 +
 +----------------------------------------------------------
 +SPF check details:
 +----------------------------------------------------------
 +Result:         pass 
 +ID(s) verified: smtp.mailfrom=demouser@example.com
 +DNS record(s):
 +    example.com. SPF (no records)
 +    example.com. 600 IN TXT "v=spf1 a include:exampleserver.example.com -all"
 +    example.com. 600 IN TXT "spf2.0/pra a include:exampleserver.example.com -all"
 +    example.com. 600 IN A 123.123.123.123
 +
 +----------------------------------------------------------
 +DKIM check details:
 +----------------------------------------------------------
 +Result:         pass (matches From: demouser@example.com)
 +ID(s) verified: header.d=example.com
 +Canonicalized Headers:
 +    content-transfer-encoding:7bit'0D''0A'
 +    content-type:text/plain;'20'charset=utf-8;'20'format=flowed'0D''0A'
 +    in-reply-to:<549B2103.5080605@example.com>'0D''0A'
 +    references:<549B2103.5080605@example.com>'0D''0A'
 +    subject:test'20'email'20'for'20'DKIM'20'and'20'SPF'0D''0A'
 +    to:check-auth@verifier.port25.com'0D''0A'
 +    mime-version:1.0'0D''0A'
 +    from:"Smith,'20'John"'20'<demouser@example.com>'0D''0A'
 +    date:Wed,'20'24'20'Dec'20'2014'20'23:37:38'20'+0100'0D''0A'
 +    message-id:<549B4032.4040201@example.com>'0D''0A'
 +    dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=example.com;'20's=key1;'20'h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID;'20'bh=Q22dyZju6AlMzw21jDtbRX5w6L8oTce4upEb75AdLqs=;'20'b=;
 +
 +Canonicalized Body:
 +    Test'20'email'20'body'0D''0A'
 +    
 +
 +DNS record(s):
 +    key1._domainkey.example.com. 600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA+WiFmhUpuOav+3oB77E0j06pDAr5cw9NKkcf9tcDbn7nIpBqAIFP8PVTn4tzO3I6LL+o5A9dCGQFPZlzqW8cXPDcZd/4+4NEw1OIbbaUJh/giTyI24qbxBFTaW1nvdxE9qlWbNOYlbOVp4BpXdwmawVwV72GKjSR2+ql8wM4cQIDAQAB"
 +
 +Public key used for verification: key1._domainkey.example.com (1024 bits)
 +
 +NOTE: DKIM checking has been performed based on the latest DKIM specs
 +(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
 +older versions.  If you are using Port25's PowerMTA, you need to use
 +version 3.2r11 or later to get a compatible version of DKIM.
 +</code>
 +
 +
 +===== Step 14: SpamAssassin header attachment =====
 +
 +SpamAssassin is mainly used for incoming emails.  Right now we are going to use SpamAssassin to add its header to all emails that our system sends to try to declare we are not spam.
 +
 +So this is a super quick how-to to enable very basic spam-assassin checks on your emails.
 +
 +See https://wiki.debian.org/Exim.
 +
 +<code bash>
 +apt-get install spamassassin
 +</code>
 +
 +
 +Set "ENABLED=1" inside /etc/default/spamassassin
 +
 +Start the spamassassin daemon:
 +
 +<code bash>
 +/etc/init.d/spamassassin start
 +</code>
 +
 +Uncomment this line in /etc/exim4/exim4.conf.template
 +
 +<code>
 +spamd_address = 127.0.0.1 783
 +</code>
 +
 +Edit /etc/exim4/exim4.conf.template and inside section "40_exim4-config_check_data change" edit the content inside the "acl_check_data:" function:
 +
 +<code>
 +# put headers in all messages (no matter if spam or not)
 + warn  spam = nobody:true
 +     add_header = X-Spam-Score: $spam_score ($spam_bar)
 +     add_header = X-Spam-Report: $spam_report
 + 
 +# add second subject line with *SPAM* marker when message
 +# is over threshold
 +  warn  spam = nobody
 +      add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:
 +</code>
 +      
 +Rebuild exim config and restart exim
 +
 +<code bash>
 +update-exim4.conf
 +service exim4 restart
 +</code>
 +
 +
 +Test by either sending again to check-auth@verifier.port25.com  or catch the outcomming emails from your system and it should have this header inside:
 +
 +<code>
 +X-Spam-Score: -1.0 (-)
 +X-Spam-Report: Spam detection software, running on the system "exampleserver.example.com", has
 + identified this incoming email as possible spam.  The original message
 + has been attached to this so you can view it (if it isn't spam) or label
 + similar future email.  If you have any questions, see
 + @@CONTACT_ADDRESS@@ for details.
 + 
 + Content preview:  Test email body 3 [...] 
 + 
 + Content analysis details:   (-1.0 points, 5.0 required)
 + 
 +  pts rule name              description
 + ---- ---------------------- --------------------------------------------------
 + -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 +</code>
 +
 +
 +===== Summary =====
 +
 +The email system should be running.
 +
 +The next step is to check how well SPF/DKIM and other functions are filtering out incoming spam!
 +
 +
 +===== References =====
 +
 +https://help.ubuntu.com/community/Dovecot
 +
 +http://wiki.dovecot.org/
 +
  
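Review bot: The DKIM transport added in Step 13c signs with `dkim_private_key = /etc/exim4/rsa.private`, but the key is generated earlier in the same step as `/etc/exim4/private.key`; with the paths as written Exim cannot read the key and, because `dkim_strict = false`, outgoing mail silently leaves unsigned, so one of the two paths must change. Related points in the same step: the TXT record name is shown as `key1._domainkey.example.com.example.com`, while the port25 report further down confirms the correct name `key1._domainkey.example.com`; `openssl genrsa ... 1024` is the minimum DKIM key size and RFC 8301 recommends 2048 bits, so `2048` is the better value; and the `chown Debian-exim:root` should be paired with `chmod 640` (or stricter) so the private key is not world-readable. In Step 13B the first SPF record uses an en-dash (`–all`) where `-all` is required (the second record and the port25 output have the correct hyphen), and the Step 13A verification shows `nslookup -r` being rejected ("*** Invalid option: r"); plain `nslookup 123.123.123.123` (or `dig -x 123.123.123.123`) is the command to show. The saslauthd verification transcript after Step 9 prints the account password in clear (`Password: kreten`) and the same credentials are recoverable from the base64 `AUTH PLAIN` line, so both should be replaced with a placeholder before publishing. In Step 14 the `acl_check_data` rules add `X-Spam-Report` (with the local hostname, rule hits and the unfilled `@@CONTACT_ADDRESS@@` placeholder) to every message including outbound ones, which leaks internal details to recipients; consider adding only `X-Spam-Score` to outgoing mail or restricting that `add_header` to inbound traffic. Typos: "summarizze", "SFP" (twice, for SPF), "DocumentKeys Identified Mails" (DomainKeys Identified Mail), and the stray word "change" in the section name "40_exim4-config_check_data change".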
email/install_a_full_secure_mail_server.1595694379.txt.gz · Last modified: 2020/07/25 16:26 by 92.220.10.100
