To avoid being flagged a spammer, your DNS server (and SMTP server) needs to be configured for:
- PTR Records (Host)
- SPF Records (DNS)
- DKIM Records (DNS + SMTP)
- DMARC Records (DNS + an email address)
- TLS Certificate (an SSL Certifiate for your mail domain)
The last one is required to send encrypted mail.
PTR Record
Also known as the Reverse DNS. This is SUPER REQUIRED OMG!
It should reference your mail server. i.e. mail.mydomain.com
SPF Records
These are easy. Add them to your DNS. TXT records are most important (one site says SPF records were obsoleted).
DKIM Records
This was very difficult to get working! To make matters worse, WordPress is stuid, and hasn’t fixed this even though it’s very broken and causes problems. WTF.
About the WP bug: https://core.trac.wordpress.org/ticket/22837
Setting up DKIM Tools:
A useful tool for generating the correct public/private key files (public key requires fancy formatting).
https://www.port25.com/support/domainkeysdkim-wizard/
Add a TXT record for the DKIM public key:
If configured and sent correctly, your emails will include a DKIM signature section in the header (the private key).
The key thing to know here is that the “s=mail” should match the name (i.e. the mail in mail._domainkey).
More DKIM:
http://blog.codinghorror.com/so-youd-like-to-send-some-email-through-code/
DMARC Records
Just a simple record that tells people where to send reports.
https://support.google.com/a/answer/2466563?hl=en&ref_topic=2759254
This link above told me everything I needed. I added a simple record to my cloudflare, and it was good. Reports started showing up.
SSMTP
SSMTP is a sendmail compatible light client that forwards e-mails to other addresses. It’s not a mailserver.
Installing Postfix
Postfix is an SMTP server. It should be installed like so.
https://www.digitalocean.com/community/tutorials/how-to-install-and-setup-postfix-on-ubuntu-14-04
DON’T FORGET TO SET THE HOSTS FILES!
It can be configured as a “SEND ONLY” server.
Details on how it can be CHROOT’ed are in the documentation:
http://www.postfix.org/BASIC_CONFIGURATION_README.html
Some useful commands:
http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html
(mailq, postfix flush, postsuper)
Apparently easy to add to PHP (if not already working… it might be).
Configure Postfix/Sendmail for PHP mail() in Ubuntu
Testing
http://mxtoolbox.com/SuperTool.aspx?action=smtp
TLS Encryption
Encrypting emails is another issue that needs to be dealt with.
Create/follow the instructions here, and generate a free certificate for your mail.website.com domain.
It required a passphrase to generate the CSR+KEY. However, Postfix does not support KEYs with a password.
I tried this reference without luck (though I didn’t follow all configuration instructions).
http://forums.sentora.org/showthread.php?tid=46
This is how to force TLS, but not necessary once configured correctly.
http://serverfault.com/questions/120123/forcing-smtp-outgoing-mail-encryption-on-postfix
Getting root emails forwarded
Was pretty easy.
http://blog.dastrup.com/?p=53=1
Add a line “root: [email protected]” to ‘/etc/aliases’. run ‘newaliases’. Magic.
SRS Forwarding
The above is easy, but will fail SPF checks. The sender needs to be modified to correctly forward an e-mail, then the SPF can be regenerated. This is done using SRS.
https://seasonofcode.com/posts/setting-up-dkim-and-srs-in-postfix.html
The ‘postsrsd’ package *IS* available on Ubuntu now, so just apt-get it.
More info on SRS:
rsyslogd-2007: action ‘action 9’ suspendend
When you look at the syslog (/var/log/syslog), you see lines like the above.
This (or lines like it) are caused by a default Ubuntu/Debian configuration. At the bottom of “/etc/rsyslog.d/50-default.conf”, there are a several lines that describe logging to xconsole. Xconsole, AFAIK is the XWindows logger. Oops! So that’s not going to work while running a headless server.
https://www.raspberrypi.org/forums/viewtopic.php?f=91&t=122601
Socket Madness
You can bind the default /var/run folder to use the default unix domain socket config.
NOTE: The OpenDKIM service does some funny stuff regarding settings. If you customize the socket, it sometimes appends your socket settings to “/etc/default/opendkim“.
To work around this, I had to start from scratch.
Purge is required. Otherwise, the old config files will stick around.
http://www.binarytides.com/postfix-mail-forwarding-debian/
More:
http://www.postfix.org/aliases.5.html
http://www.postfix.org/virtual.5.html
http://wiki.dovecot.org/MailboxFormat/dbox
https://help.ubuntu.com/community/PostfixBasicSetupHowto
http://www.courier-mta.org/maildir.html
http://unix.stackexchange.com/questions/132654/how-to-make-postfix-create-maildir