Table of Contents

Email - Install a full secure mail server

Prerequisites

My example users and domain used in this tutorial

This tutorial will be using “example.com” as the domain with a public IP of 123.123.123.123.

An example email account of demouser@example.com will be used.

The target that we desire at the end of this tutorial is:

Step 1: Configure local hostname and domain on linux server

This uses “example.com” as the domain, and “exampleserver” as the hostname.

The DNS server will be 8.8.8.8 (which is the gmail DNS system, but adjust to any other DNS server as required).

echo exampleserver> /etc/hostname
hostname -F /etc/hostname
echo "8.8.8.8   exampleserver.example.com exampleserver" >> /etc/hosts

Verification is easy, just use these commands and you should get the answers.

hostname --short
exampleserver
 
hostname --domain
example.com
 
hostname --fqdn
exampleserver.example.com
 
hostname --ip-address
8.8.8.8 

Step 2: Install email system exim4 and supporting packages

The following software is needed:

  1. Exim4 – the SMTP daemon.
  2. Courier – communication extension for Exim4 to have IMAP and POP access to emails; or
  3. Dovecot - communication extension for Exim4 to have IMAP and POP access to emails.
  4. Swaks – Swiss army knife for SMTP troubleshooting.
  5. SSL-cert packages – for easy work with generating certificates in later parts of the tutorial.

TODO: Update to use alternatives to Courier, such as Dovecot.

Issue these commands:

apt-get update 
apt-get install exim4-daemon-heavy swaks libnet-ssleay-perl ssl-cert

Decide on using Courier or Dovecot. Recommendation is to use Dovecot.

For Courier

apt-get install courier-authdaemon courier-imap courier-imap-ssl courier-pop courier-pop-ssl 

WARNING: Courier will by default use a self-signed certificates. These are OK if you are going to be the only user of the mail system, but if you plan to invite many people like for a public system (and you do not plan to distribute your own certification authority to them), then you need a signed-certificate. But for our use-case we will not go into replacing these for our small IMAP usage, but definitely not OK for a public or larger one! This is also the warning installation will give you about this fact:

SSL Certificate Required

POP and IMAP over SSL requires a valid, signed, X.509 certificate.
During the installation of courier-pop-ssl or courier-imap-ssl, a
self-signed certificate will be generated if necessary.

For production use, the X.509 certificate must be signed by a recognized 
certificate authority, in order for mail clients to accept the
certificate.  The default location for this certificate is
/etc/courier/pop3d.pem or /etc/courier/imapd.pem.

For Dovecot

apt-get install dovecot-imapd dovecot-pop3d

Edit the file /etc/dovecot/dovecot.conf and amend the following line in the file /etc/dovecot/dovecot.conf:

protocols = pop3 pop3s imap imaps

In addition, add the following line in the “protocol pop3” section in the /etc/dovecot/dovecot.conf:

pop3_uidl_format = %08Xu%08Xv

Configure Dovecot to use the maildir mailbox format. Edit /etc/dovecot/dovecot.conf:

mail_location = maildir:~/Maildir

NOTE: Maildir mails are almost always stored in ~/Maildir/ directory, which contains cur/, new/ and tmp/ subdirectories. In maildir each mail is stored in a separate file.

or alternatively change to:

mail_location = maildir:/home/%u/Maildir

If !include conf.d/*.conf is uncommented in /etc/dovecot/dovecot.conf, it is necessary to set mail_location in /etc/dovecot/conf.d/10-mail.conf or comment the line out. 10-mail.conf will override the mail_location in dovecot.conf. If you choose to set the mail_location in 10-mail.conf, you have to change it to:

mail_location = maildir:~/Maildir

For SSL add or amend the following to the /etc/dovecot/dovecot.conf file.

disable_plaintext_auth = no
ssl = yes
ssl_cert_file = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file = </etc/ssl/private/ssl-cert-snakeoil.key

Uncomment following line in /etc/dovecot/dovecot.conf:

listen = *

However, this method may cause conflicts with other servers already listening on other ports. The alternative (and probably more desirable) method, then, is to enable the specific listening ports for the protocols that are intended to be used. For example, for IMAP/IMAPS and POP3/POP3S, add to the correct protocol imap and protocol pop3 sections:

protocol imap {
     listen = *:143
     ssl_listen = *:993
     ...
     }

protocol pop3 {
     listen = *:110
     ssl_listen = *:995
     ...
     }

If you want to see the config Dovecot is currently using (including the mail_location), use

dovecot -n

Start dovecot:

/etc/init.d/dovecot start

See https://help.ubuntu.com/community/Dovecot

Verify the setup

Verification of the installation can be done by checking the running ports with a netstat command. Ensure that all the pop3, imap, smtp, pop3s and imaps ports are present as required:

netstat –utal
-- omitted --
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN     
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN     
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN     

Step 3: Preparing local users for mail system (Maildir)

In this example, each user will have their email inside their own home directory under ~/Maildir. To have this as a standard setting for new users, simply add this directory to the skeleton so that it is automatically created for new users like this:

It's a good idea to pre-create the Maildir for future users:

sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates

Then, for an existing user:

sudo cp -r /etc/skel/Maildir /home/myuser/
sudo chown -R myuser:usergroup /home/myuser/Maildir
sudo chmod -R 700 /home/myuser/Maildir

or for the example test user “demouser”:

maildirmake ~demouser/Maildir
chown –R demouser.demouser ~demouser/Maildir

Step 4: Create new user to test the mail system

adduser demouser

Give this user a password when prompted. Always choose a good password here because this UNIX passwords will also be used by the user for IMAP/POP3 access to their emails!

Step 5: Configure exim4

Now, first step here is to use the Debian and Ubuntu built-in configuration package to configure the “main” exim4 points with:

dpkg-reconfigure exim4-config

It will give you several options in a wizard. Here are suggested answers for a small and independent server:

Step 6: X.509 certificate for exim4 TLS support

Generate a certificate based on example from exim.

/usr/share/doc/exim4-base/examples/exim-gencert
[*] Creating a self signed SSL certificate for Exim!
    This may be sufficient to establish encrypted connections but for
    secure identification you need to buy a real certificate!
 
    Please enter the hostname of your MTA at the Common Name (CN) prompt!
 
Generating a 1024 bit RSA private key
...........................................++++++
....................................................................++++++
writing new private key to '/etc/exim4/exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code (2 letters) [US]:JE
State or Province Name (full name) []:Jersey
Locality Name (eg, city) []:St. Helier
Organization Name (eg, company; recommended) []:example.com
Organizational Unit Name (eg, section) []:example.com
Server name (eg. ssl.domain.tld; required!!!) []:exampleserver.example.com
Email Address []:demouser
[*] Done generating self signed certificates for exim!
    Refer to the documentation and example configuration files
    over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
    support in your mail transfer agent.

Next, based on the documentation you find in /usr/share/doc/exim4-base/ , you should create a file /etc/exim4/exim4.conf.localmacros to and insert these lines to enable TLS support on port 465.

echo "MAIN_TLS_ENABLE = true" > /etc/exim4/exim4.conf.localmacros
echo "tls_on_connect_ports = 465" >> /etc/exim4/exim4.conf.localmacros

Inside /etc/default/exim4 change this line:

SMTPLISTENEROPTIONS=''

To this:

SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'

Ok, now restart exim4 again with the service command

service exim4 restart

And check if the exim4 is listening on port 465:

netstat -atupln | grep 465
tcp        0      0 0.0.0.0:465    0.0.0.0:*    LISTEN      16020/exim4     
tcp6       0      0 :::465         :::*         LISTEN      16020/exim4 

Step 7: Verification of emails delivery

The basic email system should now be running. Test this with a basic test of sending an email locally (either between two users of the local system or to yourself).

This test will send email to testuser from testuser.

echo "test message content" | mail –s "test subject" demouser@example.com

You can either check the inbox of demouser, or more simply check logs inside /var/log/exim4/mainlog

cat /var/log/exim4/mainlog
2014-12-23 16:56:42 1Y3XRa-0004B4-Sj <= root@example.com U=root P=local S=391
2014-12-23 16:56:42 1Y3XRa-0004B4-Sj => demouser <demouser@example.com> R=local_user T=maildir_home
2014-12-23 16:56:42 1Y3XRa-0004B4-Sj Completed

All looks good. Now try sending an external email.

echo "test message content" | mail –s "test subject" xxxxx@gmail.com

Now the good and the bad part, the email arrived, but it ended most probably in the spam folder because technically this is a “rogue” system with unknown domain and no basic signatures in the email headers.

Step 8-9: First problem with PAM not enabled in courier

An immediate step after my emails got working was that Thunderbird was unable to connect to the courier with IMAPS (with TLS enabled) despite the basic certificates existed from the installation (during apt-get install a default set was generated).

To verify what is going on, run a simple test using SWAKS to troubleshoot:

swaks -a -tls -q AUTH -s localhost -au demouser     
Password: playingwithexim4
=== Trying localhost:25...
=== Connected to localhost.
<-  220 exampleserver.example.com ESMTP Exim 4.80 Tue, 23 Dec 2014 20:10:29 -0500
 -> EHLO exampleserver.example.com
<-  250-exampleserver.example.com Hello localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA256
=== TLS peer subject DN="/C=JE/ST=Jersey/L=St. Helier/O=example.com/OU=example.com/CN=exampleserver.example.com/emailAddress=demouser"
 ~> EHLO exampleserver.example.com
<~  250-exampleserver.example.com Hello localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-8BITMIME
<~  250-PIPELINING
<~  250 HELP
*** Host did not advertise authentication
 ~> QUIT
<~  221 exampleserver.example.com closing connection
=== Connection closed with remote host.

As you noticed, the TLS layer is there successfully, the problem is more with the authentication not working.

Add these lines to /etc/exim4/exim4.conf.template

MAIN_TLS_ENABLE = yes
tls_on_connect_ports=465 
rfc1413_query_timeout = 0s

Install the SASLAUTH daemon that will do the authentication against local UNIX usernames.

NOTE: If you want some other method of authentication, check the Exim4 wiki.

apt-get install sasl2-bin

Edit /etc/default/saslauthd to enable saslauth with this line change:

START=yes

Restart the SASLAUTH daemon:

/etc/init.d/saslauthd start

Add exim to sasl group

adduser Debian-exim sasl
Adding user `Debian-exim' to group `sasl' ...
Adding user Debian-exim to group sasl
Done.

Inside /etc/exim4/exim4.conf.template uncomment these lines to enable PAM authentication (in the below all lines below and including the “plain_saslauthd_server”):

/etc/exim4/exim4.conf.template
# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.Debian.gz
# plain_saslauthd_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
#   server_set_id = $auth2
#   server_prompts = : 
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS 
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

Do a restart of both exim4 and saslauth

update-exim4.conf
service exim4 restart
service saslauthd restart

VERIFICATION is again with swaks the same command, but now you should get this (note “235 Authentication succeeded” below):

swaks -a -tls -q AUTH -s localhost -au demouser
Password: kreten
=== Trying localhost:25...
=== Connected to localhost.
<-  220 exampleserver.example.com ESMTP Exim 4.80 Tue, 23 Dec 2014 20:58:57 -0500
 -> EHLO exampleserver.example.com
<-  250-exampleserver.example.com Hello localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA256
=== TLS peer subject DN="/C=JS/ST=Jersey/L=St. Helier/O=example.com/OU=example.com/CN=exampleserver.example.com/emailAddress=demouser"
 ~> EHLO exampleserver.example.com
<~  250-exampleserver.example.com Hello localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-8BITMIME
<~  250-PIPELINING
<~  250-AUTH PLAIN
<~  250 HELP
 ~> AUTH PLAIN AGRlbW91c2VyAGtyZXRlbg==
<~  235 Authentication succeeded
 ~> QUIT
<~  221 exampleserver.example.com closing connection
=== Connection closed with remote host.

Step 10: Configure courier for IMAP

Ensure that the email client is definitely supporting IMAP. Just follow these basic commands:

rm -rf /etc/courier/*.pem
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/courier/imapd.pem 
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/courier/pop3d.pem
 
service courier-imap restart
service courier-imap-ssl restart
service courier-authdaemon restart
service courier-pop restart
service courier-pop-ssl restart

Step 11: Test access with email client (e.g. Thunderbird)

This setup shows how Thunderbird is configured, but if you have a different preferred client, please feel free to try using it (including smartphone mail clients that support IMAP protocol).

TODO: Add an image here of Thunderbird “Mail Account Setup”.

NOTE: Since we are using self-signed certificates here, you are definitely going to get warnings from Thunderbird (or other clients) that the certificates are not officially trusted. If you are doing this for a real company, please go and purchase a real certificates from certification authorities (e.g. verisign…).

TODO: Add an image here of Thunderbird “Add security exception”.

If your connection with any client was successful, please try writing a quick email to yourself, for example this is how it looked in my system in Thunderbird.

   From: Me <demouser@example.com>
Subject: Test
     To: Me <demouser@example.com>
Hello World

Or here is the raw message code:

Return-path: <demouser@example.com>
Envelope-to: demouser@example.com
Delivery-date: Tue, 23 Dec 2014 21:57:21 -0500
Received: from [123.123.123.123] (helo=[192.168.1.2])
	by exampleserver.example.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.80)
	(envelope-from <demouser@example.com>)
	id 1Y3c8X-00055r-CJ
	for demouser@example.com; Tue, 23 Dec 2014 21:57:21 -0500
Message-ID: <549A1DA1.1030708@example.com>
Date: Wed, 24 Dec 2014 02:57:53 +0100
From: "Smith, John" <demouser@example.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: demouser@example.com
Subject: Test
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Hello World

Step 12: Testing sending mail to an external system

Use Thunderbird, or another client and send an email to external systems. There is a random chance that your email will end in spam folder on the destination.

HINT: To check if your email left your system, check all the mail logs in the /var/log/mail*

Step 13: Making the email system appear as a valid domain owner for passing spam filters

There are three basic things every email system should do to get anti-spam protection permitting emails received from your new systems to remote systems inboxes without ending in spam folders.

  1. rDNS (or reverse DNS) to have reverse DNS lookup on the public IP pointing back to your domain.
  2. SPF (Sender Policy Framework) that let’s the receiving system know which systems are allowed to send emails for your domain.
  3. DKIM (DocumentKeys Identified Mails) a public/private key pair that is used for signing emails by the domain owner to avoid spammers being able to send emails “as if” coming from your domain.

Step 13A: Reverse DNS entry

This part is between you and your provider, but you must ask the owner of the public IP you are using to create a reverse DNS entry for you.

Most providers of servers have this option as part of their control panel so the work is a few clicks, but it is imperative to do.

DISCLAIMER: These examples have the public IP of 123.123.123.123. Obviously replace that with your own IP.

A quick view on one such system:

IPNetmarkGatewayCustom reverse DNS
123.123.123.123255.255.254.0123.123.123.254example.com

To verify, either use the “nslookup -r” command to your own domain, or web tool such as this one http://mxtoolbox.com/SuperTool.aspx

nslookup -r 123.123.123.123
*** Invalid option: r
Server:         8.8.8.8
Address:        8.8.8.8#53
 
Non-authoritative answer:
123.123.123.123.in-addr.arpa     name = example.com.

Step 13B: SPF

To summarizze what we will be doing here with SPF is basically that you need to interact either with your own DNS system, or contact your DNS hosting company (or do this via their control panel if they have this) and ask them to enter some special TXT records to your domain.

Read this page to understand SFP to avoid generating something incorrectly and hurting you email system from the very beginning! http://www.openspf.org/SPF_Record_Syntax.

This example will allow my main server “exampleserver” from the “example.com” domain to send emails. So the records are like this for SPF1 and SPF2 records:

v=spf1 a include:exampleserver.example.com –all
spf2.0/pra a include:exampleserver.example.com -all

Quick legend:

You can then apply them to the DNS record and test it with an online tool such as http://tools.bevhost.com/spf/

At the very end of this guide, we will be sending a test email to a testing service that will verify SPF and other useful things for us, so if you have trouble with this tool, wait for that testing.

Step 13c: DKIM public keypair to sign emails leaving your system

This is a little more tricky as we are again going to play with certificates, and also with exim4 routing of emails. So let’s take it slowly:

Generate an RSA public and private keys with openssl

sudo openssl genrsa -out /etc/exim4/private.key 1024
sudo openssl rsa -in /etc/exim4/private.key -out /etc/exim4/public.pem -pubout -outform PEM
sudo chown Debian-exim:root /etc/exim4/private.key /etc/exim4/public.pem

Read your new public key

cat /etc/exim4/public.pem 
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA+WiFmhUpuOav+3oB77E0j06p
DAr5cw9NKkcf9tcDbn7nIpBqAIFP8PVTn4tzO3I6LL+o5A9dCGQFPZlzqW8cXPDc
Zd/4+4NEw1OIbbaUJh/giTyI24qbxBFTaW1nvdxE9qlWbNOYlbOVp4BpXdwmawVw
V72GKjSR2+ql8wM4cQIDAQAB
-----END PUBLIC KEY-----

Construct a DNS TXT record with the public key using this formula :

key1._domainkey.example.com.example.com

TXT record itself:

v=DKIM1;\040k=rsa;\040p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA+WiFmhUpuOav+3oB77E0j06pDAr5cw9NKkcf9tcDbn7nIpBqAIFP8PVTn4tzO3I6LL+o5A9dCGQFPZlzqW8cXPDcZd/4+4NEw1OIbbaUJh/giTyI24qbxBFTaW1nvdxE9qlWbNOYlbOVp4BpXdwmawVwV72GKjSR2+ql8wM4cQIDAQAB

The 'p' value is the data that was seen from the public key - but removing any spaces and new lines.

Create a file dkim_senders to tell exim what source domains the DKIM should be used for:

echo "*@example.com: example.com"  > /etc/exim4/dkim_senders

Edit /etc/exim4.conf.template and in section “router/200_exim4-config_primary” just before “dnslookup_relay_to_domains:” add these new lines:

#NetworkGeekStuff dkim addon rules:
dnslookup_dkim:
  debug_print = "R: dnslookup_dkim for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  senders = lsearch*@;/etc/exim4/dkim_senders
  transport = remote_smtp_dkim
  same_domain_copy_routing = yes
  # ignore private rfc1918 and APIPA addresses
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255
  no_more

Again inside the /etc/exim4/exim4.conf.template inside section “transport/30_exim4-config_remote_smtp” just before “remote_smtp:” add these new lines:

remote_smtp_dkim:
  debug_print = "T: remote_smtp_dkim for $local_part@$domain"
  driver = smtp
  dkim_domain = ${lookup{$sender_address}lsearch*@{/etc/exim4/dkim_senders}}
  dkim_selector = key1
  dkim_private_key = /etc/exim4/rsa.private
  dkim_canon = relaxed
  dkim_strict = false
  #dkim_sign_headers = DKIM_SIGN_HEADERS

Restart exim

update-exim4.conf
service exim4 restart

Now you should have everything very nicely prepared, to get a report about how successfully you were, send a test email to (any content) :

check-auth@verifier.port25.com

You will get back an email with a very nice and complete summary of the SPF/DKIM and some other checks. Here is an example with details how the system from this tutorial passed SFP and DKIM test. This is a very nice result so far.

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  exampleserver.example.com
Source IP:      123.123.123.123
mail-from:      demouser@example.com

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass 
ID(s) verified: smtp.mailfrom=demouser@example.com
DNS record(s):
    example.com. SPF (no records)
    example.com. 600 IN TXT "v=spf1 a include:exampleserver.example.com -all"
    example.com. 600 IN TXT "spf2.0/pra a include:exampleserver.example.com -all"
    example.com. 600 IN A 123.123.123.123

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: demouser@example.com)
ID(s) verified: header.d=example.com
Canonicalized Headers:
    content-transfer-encoding:7bit'0D''0A'
    content-type:text/plain;'20'charset=utf-8;'20'format=flowed'0D''0A'
    in-reply-to:<549B2103.5080605@example.com>'0D''0A'
    references:<549B2103.5080605@example.com>'0D''0A'
    subject:test'20'email'20'for'20'DKIM'20'and'20'SPF'0D''0A'
    to:check-auth@verifier.port25.com'0D''0A'
    mime-version:1.0'0D''0A'
    from:"Smith,'20'John"'20'<demouser@example.com>'0D''0A'
    date:Wed,'20'24'20'Dec'20'2014'20'23:37:38'20'+0100'0D''0A'
    message-id:<549B4032.4040201@example.com>'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=example.com;'20's=key1;'20'h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID;'20'bh=Q22dyZju6AlMzw21jDtbRX5w6L8oTce4upEb75AdLqs=;'20'b=;

Canonicalized Body:
    Test'20'email'20'body'0D''0A'
    

DNS record(s):
    key1._domainkey.example.com. 600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA+WiFmhUpuOav+3oB77E0j06pDAr5cw9NKkcf9tcDbn7nIpBqAIFP8PVTn4tzO3I6LL+o5A9dCGQFPZlzqW8cXPDcZd/4+4NEw1OIbbaUJh/giTyI24qbxBFTaW1nvdxE9qlWbNOYlbOVp4BpXdwmawVwV72GKjSR2+ql8wM4cQIDAQAB"

Public key used for verification: key1._domainkey.example.com (1024 bits)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

Step 14: SpamAssassin header attachment

SpamAssassin is mainly used for incoming emails. Right now we are going to use SpamAssassin to add its header to all emails that our system sends to try to declare we are not spam.

So this is a super quick how-to to enable very basic spam-assassin checks on your emails.

See https://wiki.debian.org/Exim.

apt-get install spamassassin

Set “ENABLED=1” inside /etc/default/spamassassin

Start the spamassassin daemon:

/etc/init.d/spamassassin start

Uncomment this line in /etc/exim4/exim4.conf.template

spamd_address = 127.0.0.1 783

Edit /etc/exim4/exim4.conf.template and inside section “40_exim4-config_check_data change” edit the content inside the “acl_check_data:” function:

# put headers in all messages (no matter if spam or not)
 warn  spam = nobody:true
     add_header = X-Spam-Score: $spam_score ($spam_bar)
     add_header = X-Spam-Report: $spam_report
 
# add second subject line with *SPAM* marker when message
# is over threshold
  warn  spam = nobody
      add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:

Rebuild exim config and restart exim

update-exim4.conf
service exim4 restart

Test by either sending again to check-auth@verifier.port25.com or catch the outcomming emails from your system and it should have this header inside:

X-Spam-Score: -1.0 (-)
X-Spam-Report: Spam detection software, running on the system "exampleserver.example.com", has
 identified this incoming email as possible spam.  The original message
 has been attached to this so you can view it (if it isn't spam) or label
 similar future email.  If you have any questions, see
 @@CONTACT_ADDRESS@@ for details.
 
 Content preview:  Test email body 3 [...] 
 
 Content analysis details:   (-1.0 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP

Summary

The email system should be running.

The next step is to check how well SPF/DKIM and other functions are filtering out incoming spam!

References

https://help.ubuntu.com/community/Dovecot

http://wiki.dovecot.org/