Linux System Administration

Send mail with Postfix and DKIM, DMARC, SPF – records.

How to make your own mail server and avoid getting your mail in spam?

You need to send your emails with a proper DKIM, DMARC and SPF signification!

Postfix

  • Install all required software:
apt-get install opendkim opendkim-tools postfix-policyd-spf-python postfix-pcre
sudo adduser postfix opendkim

Opendkim

Configure opendkim

  • Create a opendkim keys directory:
mkdir -p /etc/opendkim/keys
  • Generate a keys:
export DOMAIN=burlutsky.su

cd /etc/opendkim/keys/
mkdir $DOMAIN
cd $DOMAIN
opendkim-genkey -s mail -d $DOMAIN

Here is a mail selector name. Replace burlutsky.su with your domain name.

  • Create your signing table:
cat >>/etc/opendkim/SigningTable <<EOF
*@$DOMAIN mail._domainkey.$DOMAIN

cat /etc/opendkim/TrustedHosts 
127.0.0.1
localhost

$DOMAIN
*.$DOMAIN
EOF
  • Create a key table:
cat > /etc/opendkim/KeyTable <<EOF
mail._domainkey.$DOMAIN $DOMAIN:mail:/etc/opendkim/keys/$DOMAIN/mail.private
  • Add your files definition to the /etc/opendkim.conf file:
AutoRestart             Yes
AutoRestartRate         10/1h
SyslogSuccess           Yes
LogWhy                  Yes
Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
Socket                  inet:12301@localhost
  • Enable opendkim daemon running on the localhost TCP socket. Change: /etc/defaults/opendkim
SOCKET="inet:12301@localhost"
  • Add new postfix milter with the opendkim socket. Add to /etc/postfix/main.cf:
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

policyd-spf_time_limit = 3600
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1
  • Set permissions:
chown -R opendkim:opendkim /etc/opendkim
  • Edit /etc/postfix/master.cf and add the following entry at the end:
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
  • Enable and start services:
systemctl enable postfix
systemctl restart postfix
systemctl enable opendkim
systemctl restart opendkim

DNS

Now we need to configure DNS system. Add all DNS records below:

  • SPF record. 
TXT "v=spf1 a:burlutsky.su -all"

replace burlutsky.su with your domain.

  • Now you need to get a DKIM key.
cat /etc/opendkim/keys/$DOMAIN/mail.txt

You can see something like this:

mail._domainkey IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq+...)  ; ----- DKIM key mail

Add this text record to the DNS system.

  • Turn on DMARC:
_dmarc.burlutsky.su IN TXT "v=DMARC1; p=none; sp=none;"
  • Test your email with gmail or online services like this: https://mxtoolbox.com/dkim.aspx . Set selector = mail .

DKIM postfix

Tagged with:

Leave a Reply

Your email address will not be published.