To avoid being flagged a spammer, your DNS server (and SMTP server) needs to be configured for:

  • PTR Records (Host)
  • SPF Records (DNS)
  • DKIM Records (DNS + SMTP)
  • DMARC Records (DNS + an email address)
  • TLS Certificate (an SSL certificate for your mail domain)

The last one is required to send encrypted mail.

PTR Record

Also known as reverse DNS. This is SUPER REQUIRED OMG!

It should point back to your mail server's hostname, e.g. mail.mydomain.com

dig mail.mydomain.com
# should return IP address

# using that IP
dig -x 123.45.6.78
# should return mail.mydomain.com
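As an added example (not part of the original notes), here is the same forward-confirmed reverse DNS check done in Python so it can run from a cron job or monitoring script. The live helpers use the system resolver; the SAMPLE_FORWARD and SAMPLE_REVERSE tables are constructed stand-ins for the dig answers above and are assumptions, not real records.

```python
import socket

# Constructed stand-ins for the dig answers above (assumptions, not real DNS data).
SAMPLE_FORWARD = {"mail.mydomain.com": ["123.45.6.78"]}
SAMPLE_REVERSE = {"123.45.6.78": "mail.mydomain.com"}


def live_reverse(ip):
    """PTR lookup through the system resolver (what `dig -x IP` shows)."""
    return socket.gethostbyaddr(ip)[0]


def live_forward(name):
    """A/AAAA lookup through the system resolver (what `dig NAME` shows)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def fcrdns_check(ip, expected_host, reverse=live_reverse, forward=live_forward):
    """Forward-confirmed reverse DNS, the property receivers test before trusting a sending host.

    1. PTR(ip) must equal the hostname the SMTP server announces (expected_host).
    2. That hostname must resolve back to ip.
    Returns (ok, reason).
    """
    try:
        ptr = reverse(ip).rstrip(".").lower()
    except (OSError, KeyError) as exc:      # socket.herror is an OSError; KeyError for the dict stand-ins
        return False, f"no PTR record for {ip} ({exc})"
    if ptr != expected_host.rstrip(".").lower():
        return False, f"PTR for {ip} is {ptr!r}, expected {expected_host!r}"
    try:
        addrs = forward(ptr)
    except (OSError, KeyError) as exc:
        return False, f"{ptr} does not resolve ({exc})"
    if ip not in addrs:
        return False, f"{ptr} resolves to {addrs}, which does not include {ip}"
    return True, f"{ip} <-> {ptr} is forward-confirmed"


if __name__ == "__main__":
    # Offline run against the constructed tables; drop the keyword arguments to query real DNS.
    print(fcrdns_check("123.45.6.78", "mail.mydomain.com",
                       reverse=SAMPLE_REVERSE.__getitem__, forward=SAMPLE_FORWARD.__getitem__))
```

Both directions matter: a PTR alone is not enough, because anyone who controls the reverse zone for an IP can point it at your hostname; the forward lookup is what ties the name back to the address you actually send from.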

SPF Records

These are easy. Add them to your DNS. The TXT records are the ones that matter: the dedicated SPF record type was deprecated (RFC 7208), so receivers only look at TXT.

Record  Name               Value
TXT     mail               v=spf1 +ip4:200.14.16.114/24 ~all
SPF     mail               v=spf1 +ip4:200.14.16.114/24 ~all

TXT     mydomain.com       v=spf1 include:mail.mydomain.com ~all
SPF     mydomain.com       v=spf1 include:mail.mydomain.com ~all
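To see what a receiving server does with those two records, here is a small SPF evaluator, added here as an example and not part of the original notes. It handles the ip4/ip6/include/all mechanisms with their qualifiers, which is all the table above uses; SAMPLE_TXT is a constructed copy of the records above standing in for real DNS (an assumption), and a/mx/ptr/exists mechanisms and modifiers are deliberately out of scope.

```python
import ipaddress

# Constructed TXT answers mirroring the table above (assumptions, not live DNS data).
SAMPLE_TXT = {
    "mail.mydomain.com": "v=spf1 +ip4:200.14.16.114/24 ~all",
    "mydomain.com": "v=spf1 include:mail.mydomain.com ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt_lookup=SAMPLE_TXT.get, depth=0):
    """Evaluate the SPF record of `domain` for the sending address `ip`; returns the SPF result string.

    txt_lookup(domain) returns the SPF TXT string or None (swap in a real resolver).
    Implements ip4/ip6/include/all with qualifiers; a/mx/ptr/exists give permerror and
    modifiers (redirect=, exp=) are skipped, which is a simplification of RFC 7208.
    """
    if depth > 10:                               # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = txt_lookup(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:         # modifier, not a mechanism: skipped here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # "200.14.16.114/24" means the /24
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include: matches only if the included domain's record yields "pass"
            matched = check_spf(ip, arg, txt_lookup, depth + 1) == "pass"
        else:
            return "permerror"                   # mechanism not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                             # nothing matched and no "all" term


if __name__ == "__main__":
    for sender_ip in ("200.14.16.50", "198.51.100.7"):
        print(sender_ip, check_spf(sender_ip, "mydomain.com"))
```

Note that `~all` yields softfail, not fail: receivers usually accept softfailed mail but weight it negatively. Also note the include: chain only passes if the included record passes; a `~all` inside mail.mydomain.com does not propagate as softfail, it simply fails to match and evaluation continues with the parent's own `~all`.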

DKIM Records

This was very difficult to get working! To make matters worse, WordPress is stupid, and hasn’t fixed this even though it’s very broken and causes problems. WTF.

About the WP bug: https://core.trac.wordpress.org/ticket/22837

Setting up DKIM Tools:

DKIM with Postfix

A useful tool for generating the correct public/private key files (public key requires fancy formatting).

https://www.port25.com/support/domainkeysdkim-wizard/

Add a TXT record for the DKIM public key:

TXT     mail._domainkey      v=DKIM1; k=rsa; p=(SOME_CRAZYLONG_STRING)

If configured and sent correctly, your emails will include a DKIM-Signature section in the header (produced with the private key).

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=mail;
	t=number; bh=hash;
	h=From:Subject:Date:From;
	b=SOME_VERY_LONG_STRING_AHHHHHHHHHHHHHHHHHHHH

The key thing to know here is that “s=mail” (the selector) must match the name of the DNS record (the mail in mail._domainkey), and “d=” must be the domain the record lives under.
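To make that concrete, here is an added example (not from the original notes) that parses a DKIM-Signature header, builds the selector._domainkey.domain name a verifier will query, and checks the bh= body hash using the “simple” body canonicalization from the header above. The sample message is constructed, the b= value is a labelled placeholder, and the RSA signature check over the listed headers (which needs the public key from DNS) is not performed here.

```python
import base64
import hashlib
import hmac
import re


def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into its tag=value pairs.

    Folding whitespace inside b= and bh= is insignificant, so whitespace is dropped from values.
    """
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(tags):
    """The TXT record a verifier fetches: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_simple(body):
    """'simple' body canonicalization (RFC 6376 3.4.3): CRLF endings, trailing empty lines removed."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"            # an empty body canonicalizes to a single CRLF
    return body


def body_hash(body, algorithm="sha256"):
    """bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def extract_dkim_tags(raw):
    """Unfold the header block of a raw CRLF message and return (DKIM tags or None, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode()
    for line in unfolded.split("\r\n"):
        if line.lower().startswith("dkim-signature:"):
            return parse_dkim_signature(line.split(":", 1)[1]), body
    return None, body


def verify_body_hash(raw):
    """First half of DKIM verification: does bh= match the body actually delivered?"""
    tags, body = extract_dkim_tags(raw)
    if tags is None:
        return False
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]   # rsa-sha256 -> sha256
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"      # "c=relaxed" alone means simple body
    if body_canon != "simple":
        return False           # relaxed body canonicalization is not implemented in this example
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body, algorithm))


# Constructed sample body; the trailing blank lines are ignored by 'simple' canonicalization.
SAMPLE_BODY = b"Hello from mail.mydomain.com\r\n\r\n\r\n"


def make_sample_message(body=SAMPLE_BODY):
    """Constructed message with a real bh= and a placeholder b= (no private key involved)."""
    header = (
        "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=mail;\r\n"
        f"\tbh={body_hash(body)};\r\n"
        "\th=From:Subject:Date:From;\r\n"
        "\tb=PLACEHOLDER_NOT_A_REAL_SIGNATURE\r\n"
        "From: postmaster@mydomain.com\r\n"
        "Subject: test\r\n"
        "Date: Mon, 01 Jan 2024 00:00:00 +0000\r\n"
    )
    return header.encode() + b"\r\n" + body


if __name__ == "__main__":
    msg = make_sample_message()
    tags, _ = extract_dkim_tags(msg)
    print(dkim_dns_name(tags), verify_body_hash(msg))
```

If bh= does not match, verifiers stop right there and report a DKIM failure before ever fetching your public key, so a body-hash mismatch (for example a footer appended by a later hop) looks exactly like a bad key to the recipient.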

More DKIM:

How to get DKIM (DomainKeys Identified Mail) working with Postfix on RHEL 5 / CentOS 5 using OpenDKIM

http://blog.codinghorror.com/so-youd-like-to-send-some-email-through-code/

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

DMARC Records

Just a simple record that tells people where to send reports.

https://support.google.com/a/answer/2466563?hl=en&ref_topic=2759254

This link above told me everything I needed. I added a simple record to my cloudflare, and it was good. Reports started showing up.

TXT    _dmarc        v=DMARC1; p=none; rua=mailto:[email protected]

SSMTP

SSMTP is a sendmail-compatible lightweight client that forwards e-mails to other addresses. It’s not a mail server.

Installing Postfix

Postfix is an SMTP server. It should be installed like so.

https://www.digitalocean.com/community/tutorials/how-to-install-and-setup-postfix-on-ubuntu-14-04

DON’T FORGET TO SET THE HOSTS FILES!

# /etc/hostname
machine_name

# /etc/hosts
127.0.1.1       domain.com machine_name  # domain.com will not be set
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

It can be configured as a “SEND ONLY” server.

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-14-04

Details on how it can be CHROOT’ed are in the documentation:

http://www.postfix.org/BASIC_CONFIGURATION_README.html

Some useful commands:

http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html

(mailq, postfix flush, postsuper)

Apparently easy to add to PHP (if not already working… it might be).

Configure Postfix/Sendmail for PHP mail() in Ubuntu

Testing

http://mxtoolbox.com/SuperTool.aspx?action=smtp

# Get MX Records
dig legacy.ludumdare.com MX

# Get NS Records (to know Authority server)
dig legacy.ludumdare.com NS

# Get MX Records from Authority server (the @)
dig @angela.ns.cloudflare.com legacy.ludumdare.com MX

# View Mail/Sendmail/PostFix log
cat /var/log/mail.log

# Clear Log (trick! redirect nothing to it, not append)
> /var/log/mail.log

# Verify email by sending a message to port25
echo " " | mail -s "test" [email protected]

# restrict who can read the DKIM private key
chmod 600 /etc/postfix/dkim.key

TLS Encryption

Encrypting emails is another issue that needs to be dealt with.

Create/follow the instructions here, and generate a free certificate for your mail.website.com domain.

Configure Postfix TLS with a Free StartSSL Certificate

The wizard required a passphrase when generating the CSR and key. However, Postfix does not support passphrase-protected keys, so the passphrase has to be removed first.

# Check if key is good (or requires passphrase)
openssl rsa -in in_file.key -check -noout

# Decrypt a key (write it out without the passphrase)
openssl rsa -in in_file.key -out out_file.key

I tried this reference without luck (though I didn’t follow all configuration instructions).

http://forums.sentora.org/showthread.php?tid=46

This is how to force TLS, but not necessary once configured correctly.

http://serverfault.com/questions/120123/forcing-smtp-outgoing-mail-encryption-on-postfix

Getting root emails forwarded

Was pretty easy.

http://blog.dastrup.com/?p=53=1

Add a line “root: [email protected]” to /etc/aliases, then run newaliases. Magic.

SRS Forwarding

The above is easy, but forwarded mail will fail SPF checks at the final recipient, because the envelope sender still belongs to the original domain while the mail now arrives from your server. The envelope sender has to be rewritten into your own domain so the recipient’s SPF check is done against your SPF record. This is done using SRS (Sender Rewriting Scheme).

https://seasonofcode.com/posts/setting-up-dkim-and-srs-in-postfix.html

The ‘postsrsd’ package *IS* available on Ubuntu now, so just apt-get it.

More info on SRS:

http://www.openspf.org/SRS
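The rewriting that postsrsd does, shown as an added example (not code from postsrsd or from the original notes): the forward step turns alice@example.org into an SRS0 address under the forwarding domain, and the reverse step turns a bounce to that address back into the original sender after checking the HMAC and the age. The secret, the 21-day window and the SHA-1/base32 details are assumptions chosen for this example; multi-hop SRS1 rewriting is not covered.

```python
import base64
import hashlib
import hmac
import time

SRS_SECRET = b"constructed-secret-replace-me"   # assumption: a real deployment keeps this in a root-only file
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                                # how long a rewritten address stays bounceable


def srs_timestamp(day=None):
    """Two base32 characters encoding (days since epoch) mod 1024."""
    day = int(time.time() // 86400) if day is None else day
    d = day % 1024
    return BASE32[(d >> 5) & 31] + BASE32[d & 31]


def srs_hash(timestamp, domain, local):
    """Short HMAC over the rewritten fields, so only this server can mint bounceable SRS addresses."""
    data = (timestamp + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SRS_SECRET, data, hashlib.sha1).digest()).decode()[:4]


def srs_forward(sender, forwarder_domain, day=None):
    """Rewrite the envelope sender (MAIL FROM) so it lives in the forwarding domain.

    alice@example.org forwarded by mydomain.com becomes
    SRS0=HHHH=TT=example.org=alice@mydomain.com, so the recipient's SPF check runs
    against mydomain.com (whose record lists our server) rather than example.org.
    """
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {sender!r}")
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, day=None):
    """Map a bounce sent to an SRS0 address back to the original sender, verifying hash and age."""
    local, _, _ = address.rpartition("@")
    try:
        tag, h, ts, domain, orig_local = local.split("=", 4)   # maxsplit keeps '=' inside the local part
    except ValueError:
        raise ValueError("not an SRS0 address")
    if tag != "SRS0":
        raise ValueError("not an SRS0 address")
    if not hmac.compare_digest(h, srs_hash(ts, domain, orig_local)):
        raise ValueError("SRS hash mismatch: address was forged or tampered with")
    now = (int(time.time() // 86400) if day is None else day) % 1024
    then = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    if (now - then) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


def srs_check(address, day=None):
    """Convenience wrapper: original sender, or None when the SRS address is invalid/expired."""
    try:
        return srs_reverse(address, day)
    except ValueError:
        return None


if __name__ == "__main__":
    rewritten = srs_forward("alice@example.org", "mydomain.com")
    print(rewritten, "->", srs_check(rewritten))
```

The hash and timestamp are what stop your forwarder from becoming an open bounce relay: without them anyone could hand-craft SRS0 addresses at your domain and have you deliver bounces to arbitrary third parties.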

rsyslogd-2007: action ‘action 9’ suspended

When you look at the syslog (/var/log/syslog), you see lines like the above.

This (or lines like it) is caused by the default Ubuntu/Debian configuration. At the bottom of /etc/rsyslog.d/50-default.conf there are several lines that log to xconsole. xconsole, AFAIK, is the X Windows log viewer. Oops! So that’s not going to work on a headless server; comment those lines out.

https://www.raspberrypi.org/forums/viewtopic.php?f=91&t=122601

Socket Madness

You can bind-mount the default /var/run/opendkim directory into the Postfix chroot, so the default unix domain socket configuration keeps working from inside the chroot:

mkdir -p /var/spool/postfix/var/run/opendkim
mount --bind /var/run/opendkim /var/spool/postfix/var/run/opendkim

NOTE: The OpenDKIM service does some funny stuff regarding settings. If you customize the socket, it sometimes appends your socket settings to “/etc/default/opendkim”.

To work around this, I had to start from scratch.

apt-get remove --purge opendkim

Purge is required. Otherwise, the old config files will stick around.

http://www.binarytides.com/postfix-mail-forwarding-debian/

More:

http://www.postfix.org/aliases.5.html

http://www.postfix.org/virtual.5.html

http://wiki.dovecot.org/MailboxFormat/dbox

https://help.ubuntu.com/community/PostfixBasicSetupHowto

http://www.courier-mta.org/maildir.html

http://unix.stackexchange.com/questions/132654/how-to-make-postfix-create-maildir

https://rimuhosting.com/support/bindviawebmin.jsp