Start by reading this document about why you may not want to run an email server.
I decided to use (1) Postfix as the MTA, (2) Dovecot as the MDA and (3) an IMAP server.
I have not yet decided on a spam filter, antivirus and webmail.
Here is an overview of existing MTA programs.
Create an SPF record and check its validity with spf-policy-tester.
Here is a wiki page about the MX record (its target is a hostname that always maps to an A or AAAA record).
For google-site-verification, use Google Postmaster Tools.
Add a DMARC record and test it with learndmarc.com.
Check whether the mail server is blacklisted with mxtoolbox.
Here is an article about email routing. Observe the last command:

```
dig vasilian.net mx
```
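Before publishing the SPF and DMARC records from the steps above, it helps to lint them offline, since a syntax slip (a missing `all`, too many `include:` lookups, `p=none` left in place) silently turns the record into no protection at all. The checker below is an added example written for these notes, not code from the original page or from the tools it links; the records it is run on are constructed samples, not the records actually published for vasilian.net. It follows RFC 7208 (SPF) and RFC 7489 (DMARC) and makes no DNS queries, so paste in the TXT value you fetched with dig.

```python
"""Offline syntax and policy checks for SPF and DMARC TXT records.

Added example, not part of the original notes. Sample records used with it
are constructed, not the live records of vasilian.net.
"""
import re

# Terms that each consume one of the 10 DNS lookups SPF allows (RFC 7208 s4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SPF_MODIFIERS = {"redirect", "exp"}
# qualifier, name, separator (':' or '/' for mechanisms, '=' for modifiers), argument
_TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:([:=/])(.*))?$", re.I)
DMARC_POLICIES = {"none", "quarantine", "reject"}


def parse_spf(record):
    """Return [(qualifier, name, separator, argument)] for every term after v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        m = _TERM.match(term)
        if not m:
            raise ValueError("unparsable SPF term: %r" % term)
        qual, name, sep, arg = m.groups()
        parsed.append((qual or "+", name.lower(), sep or "", arg or ""))
    return parsed


def spf_lookup_count(record):
    """Number of DNS-querying terms; above 10 every receiver returns permerror."""
    return sum(1 for _, name, _, _ in parse_spf(record) if name in SPF_LOOKUP_TERMS)


def check_spf(record):
    """Return a list of findings; an empty list means the record looks sane."""
    findings, seen_all = [], False
    terms = parse_spf(record)
    for qual, name, sep, arg in terms:
        is_modifier = sep == "="
        if is_modifier and name not in SPF_MODIFIERS:
            continue                      # unknown modifiers are ignored by receivers
        if not is_modifier and name not in SPF_MECHANISMS:
            findings.append("unknown mechanism %r: receivers return permerror" % name)
        if seen_all and not is_modifier:
            findings.append("mechanism %r after 'all' is never evaluated" % name)
        if name == "ptr":
            findings.append("'ptr' is deprecated (RFC 7208 s5.5) and slow to evaluate")
        if name == "all":
            seen_all = True
            if qual == "+":
                findings.append("'+all' authorises every host: the record protects nothing")
            elif qual == "?":
                findings.append("'?all' is neutral: unlisted senders neither pass nor fail")
    has_redirect = any(n == "redirect" for _, n, s, _ in terms if s == "=")
    if not seen_all and not has_redirect:
        findings.append("no terminating 'all' or redirect=: unlisted senders get a neutral result")
    lookups = spf_lookup_count(record)
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceed the limit of 10: permerror" % lookups)
    return findings


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record as a dict (tag names lower-cased)."""
    if not record.strip().startswith("v=DMARC1"):
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DMARC tag: %r" % part)
        tags[tag.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return findings about policy strength and reporting; empty list means enforced."""
    findings = []
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if policy not in DMARC_POLICIES:
        findings.append("missing or invalid p= tag: no policy is applied")
    elif policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct=%r is not a percentage" % pct)
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append("pct=%s applies the policy to only part of the failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    for uri in tags.get("rua", "").split(","):
        if uri and not uri.startswith("mailto:"):
            findings.append("rua URI %r must use the mailto: scheme" % uri)
    return findings
```

Run `check_spf` and `check_dmarc` on the value you are about to publish; anything they return is worth fixing before the first remote receiver evaluates it.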
Now it's time to install Postfix and Dovecot. The setup uses the Maildir format (instead of mbox) and the TLS certificate that was generated earlier.
My 1st installation guide explains authentication via STARTTLS on SMTP port 25.
A 2nd installation guide, for CentOS 7, has useful parameters for Dovecot.
A 3rd installation guide exists at DigitalOcean for Debian.
Here are my final changes for the setup.
/etc/postfix/main.cf

```
mail_owner = postfix
myhostname = mail.vasilian.net
mydomain = vasilian.net
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual
mynetworks = 127.0.0.0/8
relayhost =
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/vasilian.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/vasilian.net/privkey.pem
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
smtpd_sender_login_maps = $virtual_alias_maps
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
```
/etc/postfix/master.cf

```
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp       inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtp
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_sender_login_maps=$virtual_alias_maps
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sender_login_maps=$virtual_alias_maps
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,reject
```
Edit /etc/postfix/virtual (one `address  local_user` pair per line; here, replace AT with @):

```
mihaiATvasilian.net mihai
rootATvasilian.net  mihai
alinaATvasilian.net alina
iuliaATvasilian.net iulia
```
Here is a guide on Postfix parameters. Of interest here were virtual(5) and $inet_interfaces.
Note that after /etc/postfix/virtual is edited, its lookup table must be regenerated with:

```
postmap /etc/postfix/virtual
```
Start Postfix and check its status output for warnings:

```
systemctl enable postfix.service
systemctl start postfix.service
systemctl status postfix.service
```
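The main.cf above leans on a handful of settings working together: SASL is enabled, but `smtpd_tls_auth_only = yes` keeps AUTH off plaintext sessions, `mynetworks` is loopback only so nothing relays unauthenticated, and `smtpd_sasl_path` hands authentication to Dovecot. The script below is an added example written for these notes, not code from the original page and not Postfix's own tooling (for a live system `postconf -n` and `postconf -x` are the authoritative view). It parses the main.cf format, expands `$name`/`${name}` references, and audits the copy of the main.cf shown above against that intent; the `WEAK` variant in the usage is a constructed, deliberately loosened copy.

```python
"""Parse a Postfix main.cf and audit the settings this setup relies on.

Added example, not part of the original notes and not Postfix code. MAIN_CF is
copied from the main.cf shown above; the audit encodes what those notes intend.
"""
import re

MAIN_CF = """\
mail_owner = postfix
myhostname = mail.vasilian.net
mydomain = vasilian.net
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual
mynetworks = 127.0.0.0/8
relayhost =
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/vasilian.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/vasilian.net/privkey.pem
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
smtpd_sender_login_maps = $virtual_alias_maps
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""

_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
# Loopback forms Postfix accepts in mynetworks; anything else relays without AUTH.
LOOPBACK = {"127.0.0.0/8", "[::1]/128", "[::ffff:127.0.0.0]/104"}


def parse_main_cf(text):
    """Return {parameter: raw value}. A line starting with whitespace continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % line)
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params, value, depth=0):
    """Expand $name and ${name} the way postconf -x does; undefined parameters become ''."""
    if depth > 20:
        raise ValueError("parameter reference loop while expanding %r" % value)
    return _VAR.sub(lambda m: expand(params, params.get(m.group(1), ""), depth + 1), value)


def value_list(params, name):
    """A Postfix list parameter (comma and/or whitespace separated), expanded and split."""
    return [v for v in re.split(r"[,\s]+", expand(params, params.get(name, ""))) if v]


def audit(params):
    """Return findings; an empty list means the file matches the intent of these notes."""
    findings = []
    tls_level = params.get("smtpd_tls_security_level", "none")
    if params.get("smtpd_sasl_auth_enable") == "yes":
        if params.get("smtpd_tls_auth_only") != "yes":
            findings.append("smtpd_tls_auth_only != yes: AUTH is offered on unencrypted sessions")
        if tls_level == "none":
            findings.append("smtpd_tls_security_level = none: STARTTLS is never offered")
        if params.get("smtpd_sasl_type") == "dovecot" and not params.get("smtpd_sasl_path"):
            findings.append("smtpd_sasl_type = dovecot needs smtpd_sasl_path (Dovecot's auth socket)")
    if tls_level != "none" and not (params.get("smtpd_tls_cert_file") and params.get("smtpd_tls_key_file")):
        findings.append("TLS enabled but smtpd_tls_cert_file and smtpd_tls_key_file are not both set")
    for net in value_list(params, "mynetworks"):
        if net not in LOOPBACK and not net.startswith("127."):
            findings.append("mynetworks contains %s: those clients may relay without authenticating" % net)
    return findings


if __name__ == "__main__":
    params = parse_main_cf(MAIN_CF)
    print(value_list(params, "mydestination"))
    print(audit(params))            # [] for the main.cf above
    # Constructed weakened copy: AUTH on plaintext, world-wide mynetworks.
    WEAK = MAIN_CF.replace("smtpd_tls_auth_only = yes", "smtpd_tls_auth_only = no") \
                  .replace("mynetworks = 127.0.0.0/8", "mynetworks = 127.0.0.0/8, 0.0.0.0/0")
    print(audit(parse_main_cf(WEAK)))
```

The parser deliberately handles the two main.cf features that trip up grep-based checks: continuation lines indented with whitespace, and values that reference other parameters (which is why `mydestination` only makes sense after expansion).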
Edit /etc/dovecot/dovecot.conf

```
protocols = imap
```

Edit /etc/dovecot/conf.d/10-auth.conf

```
disable_plaintext_auth = yes
auth_mechanisms = plain login
```

Edit /etc/dovecot/conf.d/10-mail.conf

```
mail_location = maildir:~/Maildir
```

Edit /etc/dovecot/conf.d/10-master.conf

```
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}
```

Edit /etc/dovecot/conf.d/10-ssl.conf

```
ssl = yes
ssl_cert = </etc/letsencrypt/live/vasilian.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/vasilian.net/privkey.pem
ssl_min_protocol = TLSv1.2
```

Edit /etc/dovecot/conf.d/20-pop3.conf

```
pop3_uidl_format = %08Xu%08Xv
```
Start Dovecot and check its status output for warnings:

```
systemctl enable dovecot.service
systemctl start dovecot.service
systemctl status dovecot.service
```
Here is a guide on how to set the reverse DNS for a DigitalOcean droplet.
Rename the droplet from Rocky8-512MB-FRA1-01 to vasilian.net and DigitalOcean will automatically assign a PTR record for the domain.
Check whether the IP has a reverse DNS entry with:

```
host 64.227.114.160
160.114.227.64.in-addr.arpa domain name pointer vasilian.net.
```
Let's check the mail server functionality.
What ports are open?

```
nmap vasilian.net
PORT    STATE SERVICE
25/tcp  open  smtp
143/tcp open  imap
587/tcp open  submission
993/tcp open  imaps
```
| Protocol | Usage | Plain text or STARTTLS port | Encrypted-only port |
|---|---|---|---|
| POP3 | Incoming mail | 110 | 995 |
| IMAP | Incoming mail | 143 | 993 |
| SMTP | Outgoing mail | 25 | 465 |
| Submission | Outgoing mail | 587 | |
Is AUTH PLAIN LOGIN available unencrypted? It is not: the EHLO reply advertises STARTTLS but no AUTH, which is the effect of smtpd_tls_auth_only = yes.

```
telnet vasilian.net smtp
ehlo vasilian.net
250-mail.vasilian.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
```
Does MAIL FROM: work unencrypted?

```
telnet vasilian.net smtp
MAIL FROM: user@vasilian.net
530 5.7.0 Must issue a STARTTLS command first
```
Does encrypted authentication work?

```
# use real login data
echo -ne '\0user\0password' | base64
AHVzZXIAcGFzc3dvcmQ=
openssl s_client -connect vasilian.net:25 -starttls smtp
ehlo vasilian.net
250-mail.vasilian.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN
334
AHVzZXIAcGFzc3dvcmQ=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
closed
```
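The three manual sessions above check one property each: no AUTH before STARTTLS, no MAIL FROM before STARTTLS, and AUTH PLAIN LOGIN offered once the channel is encrypted. The script below is an added example written for these notes, not code from the original page; it turns those checks into something repeatable by parsing captured EHLO replies (the two embedded replies are constructed from the telnet and openssl sessions shown above; substitute your own captures) and by showing why the ordering matters: the AUTH PLAIN token is only base64 (RFC 4616), so anyone reading the wire recovers the password without a key. One caveat on the 530 reply: `smtpd_tls_security_level=encrypt` on the port-25 smtp service means remote MTAs that do not support STARTTLS cannot deliver to this host, which RFC 3207 section 4 says a publicly referenced MX must not require; it is a trade-off worth knowing about rather than an error in the transcript.

```python
"""Audit an SMTP server's STARTTLS/AUTH behaviour from captured EHLO replies.

Added example, not part of the original notes. EHLO_BEFORE_TLS and
EHLO_AFTER_TLS are constructed from the sessions shown above.
"""
import base64

# Constructed from the plaintext telnet session above: STARTTLS offered, no AUTH.
EHLO_BEFORE_TLS = """\
250-mail.vasilian.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed from the openssl s_client session above: AUTH offered once TLS is up.
EHLO_AFTER_TLS = """\
250-mail.vasilian.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def ehlo_extensions(reply):
    """Parse a multi-line EHLO reply (RFC 5321 s4.1.1.1) into {KEYWORD: [params]}."""
    lines = reply.strip().splitlines()
    exts = {}
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError("not a 250 EHLO line: %r" % line)
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("'250 ' (space) must appear on the last line only")
        if i == 0:
            continue          # first line carries the server's hostname, not an extension
        words = rest.split()
        exts[words[0].upper()] = words[1:]
    return exts


def split_reply(line):
    """Return (reply code, enhanced status code or '') for one server reply line."""
    words = line.split()
    enhanced = words[1] if len(words) > 1 and words[1].count(".") == 2 else ""
    return words[0], enhanced


def audit_ehlo(before_tls, after_tls):
    """Findings about what the server advertises before and after STARTTLS (empty = as intended)."""
    findings = []
    plain, tls = ehlo_extensions(before_tls), ehlo_extensions(after_tls)
    if "STARTTLS" not in plain:
        findings.append("STARTTLS not advertised: clients cannot upgrade the session")
    if "AUTH" in plain:
        findings.append("AUTH %s offered before STARTTLS: credentials could cross the wire in clear"
                        % " ".join(plain["AUTH"]))
    if "AUTH" not in tls:
        findings.append("AUTH not offered after STARTTLS: authenticated submission cannot work")
    return findings


def auth_plain(user, password, authzid=""):
    """Build the RFC 4616 AUTH PLAIN token: authzid NUL authcid NUL password, base64-encoded."""
    return base64.b64encode(("%s\0%s\0%s" % (authzid, user, password)).encode()).decode()


def decode_auth_plain(token):
    """Recover (authzid, user, password) from a token: base64 is an encoding, not encryption."""
    authzid, user, password = base64.b64decode(token).decode().split("\0")
    return authzid, user, password


if __name__ == "__main__":
    print(audit_ehlo(EHLO_BEFORE_TLS, EHLO_AFTER_TLS))   # [] for the server configured above
    print(split_reply("530 5.7.0 Must issue a STARTTLS command first"))
    print(auth_plain("user", "password"))                 # same token the echo|base64 line produced
```

Feeding the two replies in the wrong order (AUTH visible before TLS, none after) produces three findings, which is the shape a misconfigured `smtpd_tls_auth_only = no` server would show in a real capture.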
Copy $USER/Maildir from the old server to the new one and adjust its attributes:

```
sshocean
cd /home/mihai
chmod 700 -v Maildir
chown mihai:mihai -Rv Maildir
chcon -u system_u -r object_r -t mail_home_rw_t -Rv Maildir
```