This article describe my current email server configuration using Postfix, OpenDKIM, and Dovecot.
For email server using OpenSMTPD, see the next article.
We will use domain name "kilabit.info" as an example in the script or configuration later. Make sure to replace them accordingly, if you copy-paste part of the script or commands from this article.
In this article, we use
awwan
script for configuration management, so if you see string like these
{{.Val "section:sub:key"}}
that means its an awwan variable and needs to
be replaced according to your environment.
Email architecture
In email server, there are two incoming message flows. One from client, where they want to send message to other domain; and one from other domain (Mail Delivery Agent—MDA) where others want to send message to our domain.
IMAP :993 +---------+ +----------| Dovecot | | +---------+ | SMTPS ^ | :465 | v :587 +---------+ :25 Client ------>| Postfix |-----> MDA +---------+ ^ | v +----------+ | OpenDKIM | +----------+
Client send message (submission) using SMTP to Postfix over secure line with TLS or STARTTLS, on port 465 or 587 with authentication. When Postfix receive the message it will forward it to OpenDKIM to sign the message. Once the message is signed, Postfix then forward a copy of it to Dovecot (so the message appear in Client "Sent" box) and transfer it to recipient in other server on port 25.
SMTP :25 +---------+ +---------+ MDA <----->| Postfix |---->| Dovecot | +---------+ +---------+ ^ | :8891 v +----------+ | OpenDKIM | +----------+
The MDA send their message to our email server Postfix on port 25. Postfix validate the signature of message by forwarding it to OpenDKIM and the result is forwarded to Dovecot to be stored and later consumed by client from INBOX. This is the endpoint where spam can abuse our server. If we did not setup and secure it properly, email that is not from real domain may got into Client inbox or relay-ed to other server.
Setting up OpenDKIM
Is simple term, DomainKeys Identified Mail (DKIM) is a mechanism where email is signed using private key to prevent tampering during transit. The public key part is published inside DNS TXT record so others can verified the signature of message.
The following awwan script show how to setup OpenDKIM in Arch Linux (the line number is added for commentary),
0: sudo pacman -Syu --noconfirm 0: sudo pacman -S --noconfirm opendkim 0: sudo systemctl enable opendkim.service 1: sudo mkdir -p /etc/opendkim/keys/kilabit.info 2: opendkim-genkey -r -s 20210411-1 -d kilabit.info 3: sudo mv 20210411-1.* /etc/opendkim/keys/kilabit.info/ 4: sudo chmod 0600 /etc/opendkim/keys/kilabit.info/20210411-1.private 5: sudo mkdir /var/lib/opendkim 6: sudo chown opendkim:opendkim /var/lib/opendkim 7: #put! {{.ScriptDir}}/etc/opendkim/KeyTable /etc/opendkim/ 8: #put! {{.ScriptDir}}/etc/opendkim/SigningTable /etc/opendkim/ 9: #put! {{.ScriptDir}}/etc/opendkim/TrustedHosts /etc/opendkim/ 10: #put! {{.ScriptDir}}/etc/opendkim/opendkim.conf /etc/opendkim/ 11: sudo chown -R opendkim:mail /etc/opendkim 12: sudo systemctl restart opendkim 13: sudo systemctl status opendkim
In line number 2, we generate private key for selector "20210411-1". This selector must be unique, you should changes it according to your need. My recommendation is using current date as label.
The opendkim-genkey command will generated two files: 20210411-1.private and 20210411-1.txt. The 20210411-1.private file contains PEM encoded private key and the 20210411-1.txt file contains DNS record. Example of 20210411-1.txt,
20210411-1._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=MIGfM...AQAB" ; ----- DKIM key 20210411-1 for kilabit.info )
In your DNS zone, create new subdomain "20210411-1._domainkey" with record type is TXT and its value is the content from "v=DKIM … p=MIGfM…AQAB" — including the double quote.
In line 7-10, we create and populate four file configurations, which is describe below.
/etc/opendkim/KeyTable
:
20210411-1._domainkey.kilabit.info kilabit.info:20210411-1:/etc/opendkim/keys/kilabit.info/20210411-1.private
/etc/opendkim/SigningTable
:
*@kilabit.info 20210411-1._domainkey.kilabit.info
/etc/opendkim/TrustedHosts
:
127.0.0.1 ::1 localhost {{.Val "host::ip_external"}} {{.Val "host::name"}} kilabit.info
The "host::ip_external" and "host::name" is your server external IP address and local hostname, if set other than localhost.
/etc/opendkim/opendkim.conf
:
BaseDirectory /var/lib/opendkim ## Select canonicalizations to use when signing. If the "bodycanon" is ## omitted, "simple" is used. Valid values for each are "simple" and ## "relaxed". Canonicalization relaxed/simple ## Specify for which domain(s) signing should be done. No default; must ## be specified for signing. Domain kilabit.info ## Names a file from which a list of externally-trusted hosts is read. ## These are hosts which are allowed to send mail through you for signing. ## Automatically contains 127.0.0.1. See man page for file format. ExternalIgnoreList refile:/etc/opendkim/TrustedHosts ## Names a file from which a list of internal hosts is read. These are ## hosts from which mail should be signed rather than verified. ## Automatically contains 127.0.0.1. InternalHosts refile:/etc/opendkim/TrustedHosts ## Defines a table that will be queried to convert key names to ## sets of data of the form (signing domain, signing selector, private key). ## The private key can either contain a PEM-formatted private key, ## a base64-encoded DER format private key, or a path to a file containing ## one of those. KeyTable refile:/etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable ## Names the socket where this filter should listen for milter connections ## from the MTA. Required. Should be in one of these forms: Socket inet:8891@127.0.0.1 ## Log informational and error activity to syslog? Syslog Yes ## Specifies which directory will be used for creating temporary files ## during message processing. TemporaryDirectory /run/opendkim ## Change to user "userid" before starting normal operation? May include ## a group ID as well, separated from the userid by a colon. UserID opendkim
After the configurations has been populated, we can start the opendkim.service. Check the log if its fail and continue to next section if its started successfully.
Setting up Dovecot
Dovecot is the application that manage email in storage, usually in the format of mbox or Maildir (recommended). Client access the message from external using IMAP with authentication.
The following awwan script show how to setup Dovecot in Arch Linux (the line number added for commentary),
0: sudo pacman -Syu --noconfirm 0: sudo pacman -S --noconfirm dovecot 0: sudo systemctl enable dovecot 1: sudo groupadd {{.Val "email::group"}} -g {{.Val "email::gid"}} 2: sudo useradd {{.Val "email::user"}} \ -r \ -g {{.Val "email::gid"}} \ -u {{.Val "email::uid"}} \ -d {{.Val "email::dir"}} \ -m -c "mail user" 3: sudo mkdir -p /etc/dovecot ## Generate password for IMAP. 4: #put: {{.ScriptDir}}/etc/dovecot/passwd.txt passwd.txt 5: rm -f passwd 6: while read -r email plain; do \ hash=$(doveadm pw -s SHA1 -p "$plain"); \ echo "$email:$hash:::" >> passwd; \ done < passwd.txt 7: cat passwd 8: #get: passwd {{.ScriptDir}}/etc/dovecot/passwd 9: sudo mv passwd /etc/dovecot/passwd 10: rm -f passwd.txt 11: #put! {{.ScriptDir}}/etc/dovecot/dovecot.conf /etc/dovecot/ 12: sudo chmod 0600 /etc/dovecot/{dovecot.conf,passwd} 13: sudo chown -R dovecot:dovecot /etc/dovecot 14: sudo systemctl restart dovecot 15: sudo systemctl status dovecot
In line 1 and 2, we create separate user and group, even thought installing
dovecot in Arch Linux create "dovecot" user in the system.
This is the user that bridge between the Dovecot and Postfix.
In case we want to replace Dovecot with other IMAP service in the future, we
did not need to re-create or chown
the emails that already stored by
Dovecot.
In line 4-10, we generate the password hash for authentication with IMAP by reading the plain text password from "passwd.txt" and write the output back to "passwd" file.
Example content and format of "passwd.txt" file (not the actual password),
ms@kilabit.info s333cr333t
Example of "passwd" output (not the actual hash),
ms@kilabit.info:9QJcSsuTQW1kz3AAl7N2OGWd7QE=:::
/etc/dovecot/dovecot.conf
:
listen = 0.0.0.0 protocols = imap disable_plaintext_auth = yes auth_mechanisms = plain login mail_access_groups = {{.Val "email::group"}} default_login_user = {{.Val "email::user"}} first_valid_uid = {{.Val "email::uid"}} first_valid_gid = {{.Val "email::gid"}} mail_location = maildir:{{.Val "email::dir"}}/%d/%n passdb { driver = passwd-file args = scheme=SHA1 /etc/dovecot/passwd } userdb { driver = static args = uid={{.Val "email::uid"}} gid={{.Val "email::gid"}} home={{.Val "email::dir"}}/%d/%n allow_all_users=yes } service auth { unix_listener auth-client { group = postfix mode = 0660 user = postfix } user = root } service imap-login { process_min_avail = 3 user = {{.Val "email::user"}} inet_listener imap { port=0 } inet_listener imaps { port = 993 ssl = yes } } namespace inbox { inbox = yes mailbox Trash { auto = no special_use = \Trash } mailbox Drafts { auto = no special_use = \Drafts } mailbox Sent { auto = subscribe # autocreate and autosubscribe the Sent mailbox special_use = \Sent } mailbox Spam { auto = create # autocreate Spam, but don't autosubscribe special_use = \Junk } } ##--- SSL/TLS ssl = required ssl_cipher_list = HIGH:!SSLv2:!aNULL@STRENGTH ssl_prefer_server_ciphers = yes ssl_cert = </etc/letsencrypt/live/kilabit.info/cert.pem ssl_key = </etc/letsencrypt/live/kilabit.info/privkey.pem ssl_dh = </etc/haproxy/dhparam local_name kilabit.info { ssl_cert = </etc/letsencrypt/live/kilabit.info/fullchain.pem ssl_key = </etc/letsencrypt/live/kilabit.info/privkey.pem }
Setting up Postfix
The following awwan script show how to setup Postfix in Arch Linux,
sudo pacman -Syu --noconfirm sudo pacman -S --noconfirm postfix sudo systemctl enable postfix #put! {{.ScriptDir}}/etc/postfix/aliases /etc/postfix/aliases sudo chown root:root /etc/postfix/aliases sudo postalias /etc/postfix/aliases #put! {{.ScriptDir}}/etc/postfix/vmail_aliases /etc/postfix/vmail_aliases sudo postmap -o -p /etc/postfix/vmail_aliases #put! {{.ScriptDir}}/etc/postfix/vmail_domains /etc/postfix/vmail_domains sudo postmap -o -p /etc/postfix/vmail_domains #put! {{.ScriptDir}}/etc/postfix/vmail_mailbox /etc/postfix/vmail_mailbox sudo postmap -o -p /etc/postfix/vmail_mailbox #put! {{.ScriptDir}}/etc/postfix/vmail_sni /etc/postfix/vmail_sni sudo postmap -o -p -F hash:/etc/postfix/vmail_sni #put! {{.ScriptDir}}/etc/postfix/master.cf /etc/postfix/ #put! {{.ScriptDir}}/etc/postfix/main.cf /etc/postfix/ sudo chown root:root /etc/postfix/* sudo chmod 0644 /etc/postfix/* sudo postfix check sudo systemctl restart postfix sudo systemctl status postfix
/etc/postfix/aliases
:
# Person who should get root's mail. Don't receive mail as root! root: {{.Val "email::user"}} # Basic system aliases -- these MUST be present MAILER-DAEMON: postmaster postmaster: root # General redirections for pseudo accounts bin: root daemon: root ftp: root ftp-bugs: root hostmaster: root named: root news: root nobody: root postfix: root usenet: root uucp: root webmaster: root www: root # Put your local aliases here. # Well-known aliases manager: root dumper: root operator: root abuse: postmaster # trap decode to catch security attacks decode: root
The above aliases map where the local user delivery should go, in short we
forward all local user email to vmail
.
/etc/postfix/vmail_aliases
:
ms@kilabit.info ms@kilabit.info
The vmail_aliases contains mapping for virtual addresses.
/etc/postfix/vmail_domains
:
kilabit.info OK
The vmail_domains contains list of virtual domains that the Postfix will receives, can be define more than once domain, one per line.
/etc/postfix/vmail_mailbox
:
ms@kilabit.info kilabit.info/ms/
The vmail_mailbox define where the email message for virtual addresses will be located.
/etc/postfix/vmail_sni
:
mail.kilabit.info /etc/letsencrypt/live/kilabit.info/privkey.pem /etc/letsencrypt/live/kilabit.info/fullchain.pem
The vmail_sni define the certificate for each virtual domain that we define in vmail_domains.
/etc/postfix/main.cf
.
## ## COMPATIBILITY ## compatibility_level = 3.6 ## ## LOCAL PATHNAME INFORMATION ## queue_directory = /var/spool/postfix command_directory = /usr/bin daemon_directory = /usr/lib/postfix/bin data_directory = /var/lib/postfix ## ## QUEUE AND PROCESS OWNERSHIP ## mail_owner = postfix ## ## INTERNET HOST AND DOMAIN NAMES ## ## ## SENDING MAIL ## #myorigin = $myhostname ## ## RECEIVING MAIL ## inet_interfaces = all inet_protocols = ipv4 mydestination = localhost.$mydomain, localhost ## ## REJECTING MAIL FOR UNKNOWN LOCAL USERS ## unknown_local_recipient_reject_code = 550 ## ## TRUST AND RELAY CONTROL ## relay_domains = $mydestination virtual_alias_maps = hash:/etc/postfix/vmail_aliases virtual_mailbox_domains = hash:/etc/postfix/vmail_domains virtual_mailbox_maps = hash:/etc/postfix/vmail_mailbox virtual_mailbox_base = {{.Val "email::dir"}} virtual_minimum_uid = {{.Val "email::uid"}} virtual_transport = virtual virtual_uid_maps = static:{{.Val "email::uid"}} virtual_gid_maps = static:{{.Val "email::uid"}} ## ## ALIAS DATABASE ## alias_maps = hash:/etc/postfix/aliases alias_database = $alias_maps ## ## ADDRESS EXTENSIONS (e.g., user+foo) ## recipient_delimiter = + ## ## DELIVERY TO MAILBOX ## home_mailbox = Maildir/ ## ## SHOW SOFTWARE VERSION OR NOT ## #smtpd_banner = $myhostname ESMTP $mail_name #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) ## ## DEBUGGING CONTROL ## debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 >$config_directory/$process_name.$process_id.log & sleep 5 ## ## INSTALL-TIME CONFIGURATION INFORMATION ## sendmail_path = /usr/bin/sendmail newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man readme_directory = /usr/share/doc/postfix inet_protocols = ipv4 meta_directory = /etc/postfix shlib_directory = /usr/lib/postfix smtp_tls_security_level = encrypt smtpd_sasl_auth_enable = yes smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = $smtpd_sasl_security_options smtpd_sasl_local_domain = $mydomain broken_sasl_auth_clients = no smtpd_tls_security_level = may smtpd_use_tls = yes smtpd_tls_cert_file = /etc/letsencrypt/live/kilabit.info/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/kilabit.info/privkey.pem smtpd_tls_loglevel = 0 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept tls_server_sni_maps = hash:/etc/postfix/vmail_sni
/etc/postfix/master.cf
.
# # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master" or # on-line: https://www.postfix.org/master.5.html). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== smtp inet n - n - - smtpd -o smtpd_milters=inet:127.0.0.1:8891 smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination -o milter_macro_daemon_name=ORIGINATING -o smtpd_milters=inet:127.0.0.1:8891 pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp -o syslog_name=postfix/$service_name showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache postlog unix-dgram n - n - 1 postlogd
One of the reason that the configurations are long like above is we did not have enough knowledges and times to check it one by one, we use the default and merge information here and there, some are by trial and errors.
Setting up fail2ban
Once your email server is up and working, you will see in the system log many unknown connections try to submit, relay, or login to your SMTP and IMAP services. Even if they fail, they will attempt several times probably with different authentication or IP addresses.
fail2ban is a service that read the failed login attempt from system log and block the origin IP addresses after N retry, for example three times.
The following awwan script show how to setup fail2ban in Arch Linux (the line number is added for brevity),
1: sudo pacman -Sy --noconfirm fail2ban 2: sudo mkdir -p /var/log/fail2ban/ 3: sudo mkdir -p /etc/systemd/system/fail2ban.service.d 4: #put! {{.ScriptDir}}/etc/systemd/system/fail2ban.service.d/fail2ban.conf \ /etc/systemd/system/fail2ban.service.d/ 5: sudo systemctl enable fail2ban 8: #put! {{.ScriptDir}}/etc/fail2ban/fail2ban.local \ /etc/fail2ban/fail2ban.local 9: #put! {{.ScriptDir}}/etc/fail2ban/jail.local \ /etc/fail2ban/jail.local 10: sudo systemctl restart fail2ban 11: sudo systemctl status fail2ban 12: sudo fail2ban-client status 13: sudo fail2ban-client banned ## unban my IP address 14: sudo fail2ban-client set postfix-sasl unbanip 182.253.127.130
In the line 8 and 9, we did not override default installation files, but provide our own, by prefixing it with ".local".
Line 12 is the command to show the status of fail2ban service. Line 13 is the command to show list of IP address banned by fail2ban service.
Line 14 is the command to unban your IP in case you get locked in the future.
/etc/systemd/system/fail2ban.service.d
:
[Service] PrivateDevices=yes PrivateTmp=yes ProtectHome=read-only ProtectSystem=strict ReadWritePaths=-/var/run/fail2ban ReadWritePaths=-/var/lib/fail2ban ReadWritePaths=-/var/log/fail2ban ReadWritePaths=-/var/spool/postfix/maildrop ReadWritePaths=-/run/xtables.lock CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
In this file we hardening the default fail2ban systemd service by make it not running as root. See Arch Linux Wiki on Fail2ban for more information.
/etc/fail2ban/fail2ban.local
:
[Definition] logtarget = /var/log/fail2ban/fail2ban.log
/etc/fail2ban/jail.local
:
[DEFAULT] ignoreip = 127.0.0.1/8 ::1 bantime = 1w banaction = nftables banaction_allports = nftables[type=allports] [dovecot] enabled = true port = imaps [postfix-sasl] enabled = true bantime = -1 maxretry = 1
In the jail.local we enable rules for dovecot and postfix-sasl. If the rules catch any failed login, the IP address will be banned for "bantime" (one week). Also, we use nftables for firewall backend, the "banaction" and "banaction_allports".