@lodi-g
Created March 14, 2021 14:19
How to set up a send-only mail server with TLS and SMTP credentials (postfix, submission, CyrusSASL)

Prepare server

  • sudo hostnamectl set-hostname example.com
  • sudo apt install mailutils postfix
    • Choose "internet site", and type your domain (example.com)

Test postfix

  • mail your-test@yopmail.com -s "Subject"
  • You should receive a mail from debian@example.com

TLS

Generating certificates

  • sudo apt install certbot
  • sudo certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d example.com
    • You might need to kill your running webserver (port 80) to complete the challenge in standalone mode

Giving rights to postfix

  • sudo chown -R root:postfix /etc/letsencrypt/live/example.com

Postfix config

/etc/postfix/main.cf

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
# Legacy spelling of smtp_tls_security_level=may (opportunistic TLS for outbound mail)
smtp_use_tls=yes

SPF and DMARC

  • SPF (TXT record on example.com): v=spf1 ip4:<your_ipv4> ~all
  • DMARC (TXT record on _dmarc.example.com): v=DMARC1;p=none;pct=100;rua=mailto:yourmail@example.com;sp=none;aspf=r;

DKIM

SMTPD

Enable submission

  • Uncomment the submission lines in /etc/postfix/master.cf
  • Replace smtpd_sasl_type=dovecot with smtpd_sasl_type=cyrus
  • Add -o smtpd_sasl_security_options=noanonymous

Install Cyrus SASL

  • sudo apt install sasl2-bin
  • sudo usermod -aG sasl postfix

Configure SASL

  • /etc/default/saslauthd

    • START=yes
    • MECHANISMS="sasldb"
    • OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
  • sudo systemctl restart saslauthd

  • systemctl status saslauthd

    • Make sure it is running with the /var/spool arguments

Add a user

  • sudo saslpasswd2 -c -u example.com user

    • This user does not have to match the address you will send mail from; it is only a set of SMTP credentials
  • sudo testsaslauthd -u user -p password -f /var/spool/postfix/var/run/saslauthd/mux

    • Add a space before the command to keep the password out of your shell history (in bash this works when HISTCONTROL includes ignorespace or ignoreboth)
    • Note the custom socket path; it is required

Link postfix with Cyrus

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

sudo postfix reload

Final test

  • Use https://www.mail-tester.com/ to make sure everything is working properly
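  • Example code (TS) below; it can be run with npx ts-node test.ts
  • Use real data to test your setup or SpamAssassin will not be happy

import nodemailer from "nodemailer";

const smtpEndpoint = "example.com";
const port = 587;
const senderAddress = "My name <my-address@example.com>";
const smtpUsername = "user";
const smtpPassword = "pass";

// Port 587 (submission) starts in cleartext and upgrades with STARTTLS,
// so `secure` stays false; `requireTLS` makes nodemailer refuse to send
// the credentials if the upgrade does not happen.
const transport = nodemailer.createTransport({
  host: smtpEndpoint,
  port: port,
  secure: false,
  requireTLS: true,
  auth: { user: smtpUsername, pass: smtpPassword },
});

transport
  .sendMail({
    from: senderAddress,
    to: "your-mail-tester-addr",
    subject: "A real subject",
    text: "A real body",
  })
  .then((info) => console.log("Sent:", info.messageId))
  .catch((err) => console.error("Send failed:", err));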
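
PLAIN and LOGIN, the mechanisms enabled in smtpd.conf above, carry the password base64-encoded rather than encrypted, so port 587 should advertise AUTH only after STARTTLS. The following is an added example, not part of the original gist: it parses EHLO replies and reports that and related problems (the transcripts are constructed samples; parseEhlo and auditSubmission are hypothetical helper names).

```typescript
// Added example. EHLO transcripts below are constructed samples, not captured output.
interface EhloCaps { starttls: boolean; authMechs: string[] }

// Parse a multi-line EHLO reply: "250-KEYWORD args" ... "250 KEYWORD args".
function parseEhlo(reply: string): EhloCaps {
  const mechs = new Set<string>();
  let starttls = false;
  for (const line of reply.split(/\r?\n/)) {
    // "AUTH=..." is the legacy form Postfix adds with broken_sasl_auth_clients=yes.
    const m = /^250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$/.exec(line.trim());
    if (!m) continue; // greeting line ("250-example.com") or non-250 text
    const keyword = (m[1] ?? "").toUpperCase();
    if (keyword === "STARTTLS") starttls = true;
    if (keyword === "AUTH") {
      for (const mech of (m[2] ?? "").split(/\s+/)) {
        if (mech) mechs.add(mech.toUpperCase());
      }
    }
  }
  return { starttls, authMechs: Array.from(mechs) };
}

// Compare what port 587 advertises before and after the STARTTLS upgrade.
function auditSubmission(beforeTls: string, afterTls: string): string[] {
  const pre = parseEhlo(beforeTls);
  const post = parseEhlo(afterTls);
  const findings: string[] = [];
  if (!pre.starttls) findings.push("STARTTLS not offered");
  if (pre.authMechs.length > 0) {
    findings.push("AUTH offered in cleartext: " + pre.authMechs.join(" "));
  }
  if (post.authMechs.length === 0) findings.push("AUTH not offered after STARTTLS");
  if (post.authMechs.indexOf("ANONYMOUS") !== -1) {
    findings.push("ANONYMOUS mechanism enabled"); // noanonymous should prevent this
  }
  return findings;
}

// Constructed replies: a correct setup, and one that leaks AUTH before TLS.
const PRE_OK = ["250-example.com", "250-PIPELINING", "250-STARTTLS", "250 8BITMIME"].join("\r\n");
const POST_OK = ["250-example.com", "250-AUTH PLAIN LOGIN", "250-AUTH=PLAIN LOGIN", "250 8BITMIME"].join("\r\n");
const PRE_BAD = ["250-example.com", "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250 8BITMIME"].join("\r\n");

console.log(auditSubmission(PRE_OK, POST_OK));
console.log(auditSubmission(PRE_BAD, POST_OK));
```

Feed it the EHLO replies seen on port 587 before and after the upgrade; for the post-upgrade view, `openssl s_client -starttls smtp -connect example.com:587` followed by typing EHLO shows the server's reply.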

Additional steps for Outlook/Live

Configure virtual aliases

/etc/postfix/main.cf

virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual

@example.com debian

sudo postmap /etc/postfix/virtual

Sign up to sendersupport

Useful to debug

  • tail -f /var/log/mail.info
  • Add -v to the submission parameters in /etc/postfix/master.cf

Additional resources
