To avoid being flagged a spammer, your DNS server (and SMTP server) needs to be configured for:
- PTR Records (Host)
- SPF Records (DNS)
- DKIM Records (DNS + SMTP)
- DMARC Records (DNS + an email address)
- TLS Certificate (an SSL Certifiate for your mail domain)
The last one is required to send encrypted mail.
Also known as the Reverse DNS. This is SUPER REQUIRED OMG!
It should reference your mail server. i.e. mail.mydomain.com
dig mail.mydomain.com # should return IP address # using that IP dig -x 126.96.36.199 # should return mail.mydomain.com
These are easy. Add them to your DNS. TXT records are most important (one site says SPF records were obsoleted).
Record Name Value TXT mail v=spf1 +ip4:188.8.131.52/24 ~all SPF mail v=spf1 +ip4:184.108.40.206/24 ~all TXT mydomain.com v=spf1 include:mail.mydomain.com ~all SPF mydomain.com v=spf1 include:mail.mydomain.com ~all
This was very difficult to get working! To make matters worse, WordPress is stuid, and hasn’t fixed this even though it’s very broken and causes problems. WTF.
About the WP bug: https://core.trac.wordpress.org/ticket/22837
Setting up DKIM Tools:
A useful tool for generating the correct public/private key files (public key requires fancy formatting).
Add a TXT record for the DKIM public key:
TXT mail._domainkey v=DKIM1; k=rsa; p=(SOME_CRAZYLONG_STRING)
If configured and sent correctly, your emails will include a DKIM signature section in the header (the private key).
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=mail; t=number; bh=hash; h=From:Subject:Date:From; b=SOME_VERY_LONG_STRING_AHHHHHHHHHHHHHHHHHHHH
The key thing to know here is that the “s=mail” should match the name (i.e. the mail in mail._domainkey).
Just a simple record that tells people where to send reports.
This link above told me everything I needed. I added a simple record to my cloudflare, and it was good. Reports started showing up.
TXT _dmarc v=DMARC1; p=none; rua=mailto:[email protected]
SSMTP is a sendmail compatible light client that forwards e-mails to other addresses. It’s not a mailserver.
Postfix is an SMTP server. It should be installed like so.
DON’T FORGET TO SET THE HOSTS FILES!
# /etc/hostname machine_name # /etc/hosts 127.0.1.1 domain.com machine_name # domain.com will not be set 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters
It can be configured as a “SEND ONLY” server.
Details on how it can be CHROOT’ed are in the documentation:
Some useful commands:
(mailq, postfix flush, postsuper)
Apparently easy to add to PHP (if not already working… it might be).
# Get MX Records dig legacy.ludumdare.com MX # Get NS Records (to know Authority server) dig legacy.ludumdare.com NS # Get MX Records from Authority server (the @) dig @angela.ns.cloudflare.com legacy.ludumdare.com MX # View Mail/Sendmail/PostFix log cat /var/log/mail.log # Clear Log (trick! redirect nothing to it, not append) > /var/log/mail.log # Verify email by sending a message to port25 echo " " | mail -s "test" [email protected] # dkim key needs to be limited to whom can read it chmod 600 /etc/postfix/dkim.key
Encrypting emails is another issue that needs to be dealt with.
Create/follow the instructions here, and generate a free certificate for your mail.website.com domain.
It required a passphrase to generate the CSR+KEY. However, Postfix does not support KEYs with a password.
# Check if key is good (or requires passphrase) openssl rsa -in in_file.key -check -noout # Unencrypt a key openssl rsa -in in_file.key -out out_file.key
I tried this reference without luck (though I didn’t follow all configuration instructions).
This is how to force TLS, but not necessary once configured correctly.
Getting root emails forwarded
Was pretty easy.
Add a line “root: [email protected]” to ‘/etc/aliases’. run ‘newaliases’. Magic.
The above is easy, but will fail SPF checks. The sender needs to be modified to correctly forward an e-mail, then the SPF can be regenerated. This is done using SRS.
The ‘postsrsd’ package *IS* available on Ubuntu now, so just apt-get it.
More info on SRS:
rsyslogd-2007: action ‘action 9’ suspendend
When you look at the syslog (/var/log/syslog), you see lines like the above.
This (or lines like it) are caused by a default Ubuntu/Debian configuration. At the bottom of “/etc/rsyslog.d/50-default.conf”, there are a several lines that describe logging to xconsole. Xconsole, AFAIK is the XWindows logger. Oops! So that’s not going to work while running a headless server.
You can bind the default /var/run folder to use the default unix domain socket config.
mkdir -p /var/spool/postfix/var/run/opendkim mount --bind /var/run/opendkim /var/spool/postfix/var/run/opendkim
NOTE: The OpenDKIM service does some funny stuff regarding settings. If you customize the socket, it sometimes appends your socket settings to “/etc/default/opendkim“.
To work around this, I had to start from scratch.
apt-get remove --purge opendkim
Purge is required. Otherwise, the old config files will stick around.