An ultimate guide to Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support and additional instructions for a multi-domain setup
In this guide, domain.com
will be your root domain and mail.domain.com
will be the hostname of your mail server
- An ultimate guide to Postfix + Dovecot IMAP server with complete SPF, DKIM and DMARC support and additional instructions for a multi-domain setup
- Appendix
Add following DNS record to your domain
mail IN A your_mail_server_ip
@ IN MX mail.domain.com
Additional record like SPF, DKIM, and DMARC will look similar to these
@ IN TXT "v=spf1 mx a -all"
//SPF, no additional settings required
default._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=*"
//DKIM, additional settings with opendkim is required
_dmarc IN TXT "v=DMARC1;p=quarantine;rua=mailto:your@email.com"
//DMARC, no additional settings required
Now we've finished setting up SPF and DMARC, we will move onto actual setup of a postfix+dovecot imap server with complete DKIM support
Use your favorite editor to append your hostname to /etc/hostname
/etc/hostname
mail.domain.com
apt-get update
apt-get upgrade
Install dnsutils
apt-get install dnsutils
Verify dns resolution
dig mx domain.com +short
dig a mail.domain.com +short
Check if the output of the second command above matches your current mail server's ip
For additional instructions for a multi-domain mail server, check out the Appendix
apt-get update
apt-get upgrade
Install certbot
apt-get install certbot
Acquire the certificate file only
certbot --agree-tos --standalone -d mail.domain.com certonly
Fill in the information accordingly, select the standalone option when authenticating with the CA,
Put mail.domain.com
when it asks you for your domain,
Finally, the certificate(cert.pem) and the private key(privkey.pem) will be saved to /etc/letsencrypt/live/mail.domain.com/
Copy the certificate file and private key to somewhere easy to access
cp /etc/letsencrypt/live/mail.domain.com/*.pem /path/to/cert/
apt-get update
apt-get upgrade
Install postfix and mailutils
apt-get install postfix mailutils
Select Internet Site
and put domain.com
For additional instructions for a multi-domain mail server, check out the Appendix
Use your favorite editor to edit /etc/postfix/main.cf
vim /etc/postfix/main.cf
Confirm your following settings
myhostname = mail.domain.com
mydomain = domain.com
myorigin = $mydomain
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
Here you may append the path of SSL certificate and private key to where you saved them earlier and add a few additional security settings
smtpd_tls_cert_file = /path/to/cert/fullchain.pem
smtpd_tls_key_file = /path/to/cert/privkey.pem
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
Set up for Maildir style mailbox
home_mailbox = Maildir/
Use SASL auth and prepare for dovecot installation
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject
Add the following to prepare for opendkim setup
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
milter_default_action = accept
After saving the configuration, you can use the following command to verify your main settings
postconf -n
Uncomment lines as follows in /etc/postfix/master.cf
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
apt-get update
apt-get upgrade
Install dovecot core and imap server
apt-get install dovecot-core dovecot-imapd
Backup original dovecot configuration and create a blank one using your favorite editor
mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
Paste contents below
disable_plaintext_auth = yes
mail_privileged_group = mail
mail_location = maildir:~/Maildir
#set mailbox location to Maildir style
userdb {
driver = passwd
}
passdb {
args = %s
driver = pam
}
protocols = "imap"
namespace inbox {
inbox = yes
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Archive {
auto = subscribe
special_use = \Archive
}
}
#create and autosubscribe to some default folders
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl = required
ssl_cert = </path/to/cert/fullchain.pem
ssl_key = </path/to/cert/privkey.pem
#set your certificate
For additional instructions for a multi-domain mail server, check out the Appendix
apt-get update
apt-get upgrade
Install opendkim and utilities
apt-get install opendkim opendkim-tools
Generate SigningTable, KeyTable and DNS records + private key
export domain=domain.com
mkdir /etc/opendkim
mkdir /etc/opendkim/keys
mkdir /etc/opendkim/keys/$domain
cd /etc/opendkim/keys/$domain
opendkim-genkey -d $domain -s default
chown -R opendkim:opendkim /etc/opendkim/keys/$domain
echo "default._domainkey.$domain $domain:default:/etc/opendkim/keys/$domain/default.private" >> /etc/opendkim/KeyTable
echo "*@$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable
DNS record will be in /etc/opendkim/keys/domain.com/default.txt
, private key will be default.private
in the same directory
Edit /etc/opendkim.conf
Syslog yes
UMask 007
Canonicalization relaxed/simple
Mode sv
SubDomains no
AutoRestart yes
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/SigningTable
KeyTable /etc/opendkim/KeyTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
Append the following to the TrustedHosts
/etc/opendkim/TrustedHosts
127.0.0.1
localhost
mail.server.ip.address
domain.com
useradd -m -s /bin/bash username
passwd username
Use your favorite editor to append the following to /etc/alias/
root: username
Refresh aliases
newaliases
Restart everything
systemctl restart postfix dovecot opendkim && postfix reload
If you want to setup multiple domains, here are some additional instructions:
Acquire multi-domain SSL certificate
certbot --agree-tos --standalone -d mail.domain.com -d mail.domain2.com certonly
Add a virtual map in postfix settings
/etc/postfix/main.cf
virtual_alias_maps=hash:/etc/postfix/virtual
Append your other domain to /etc/postfix/virtual
/etc/postfix/virtual
domain2.com anything
#domain3.com anything
@domain2.com @domain.com
#@domain3.com @domain.com
Refresh map rules
postmap /etc/postfix/virtual
Add your other domain to DKIM SigningTable and KeyTable
export domain=domain2.com
#export domain=domain3.com
mkdir /etc/opendkim
mkdir /etc/opendkim/keys
mkdir /etc/opendkim/keys/$domain
cd /etc/opendkim/keys/$domain
opendkim-genkey -d $domain -s default
chown -R opendkim:opendkim /etc/opendkim/keys/$domain
echo "default._domainkey.$domain $domain:default:/etc/opendkim/keys/$domain/default.private" >> /etc/opendkim/KeyTable
echo "*@$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable
Again, the DNS record will be saved in /etc/opendkim/keys/domain#.com/default.txt
and private key in default.private
Append your other domain to the end of TrustedHosts for opendkim
/etc/opendkim/TrustedHosts
domain2.com
#domain3.com
And finally, you may restart your mail server
systemctl restart postfix dovecot opendkim && postfix reload