Installation | Topics | Beyond Lino

Mail server basics

Concepts

Postfix

A well-known free MTA. There have been long debates about what (if anything) should be the default MTA on a Debian system. We use Postfix for historical reasons.

Dovecot

An IMAP/POP3 server, which is needed if users of your server want to access their mails from your server using a mail client like Thunderbird.

Before installing Dovecot, you should have installed Postfix.

MTA

Mail Transfer Agent. The main component on a mail server.

mail server

A server that runs an MTA (mail transfer agent) like Postfix and is set up accordingly.

relay host

A mail server that accepts email messages from other mail servers and takes care of delivering them to their final destination.

To relay or not to relay?

Using a relay host means delegating all outgoing mail to a single third-party mail server that is specialized in talking to the mail servers of the recipients. This can make sense because talking to SMTP servers is a complex topic. In particular you need to convince them that you are not a spammer, because receiving servers are, of course, very paranoid about spammers. Big mail service providers publish sender guidelines that describe what they expect from a sending server.

A relay host can be any third-party SMTP server, such as those provided by Mailgun, SendGrid, AWS, Rackspace, Google, or your own ISP. Some providers offer a free relay host for the domain names they provide. Mailgun gives you 10000 free emails every month.

To run your mail server without a relay host, you need a static IP address and a fully qualified domain name pointing to it. There can be only one mail server per IP address.

Reverse DNS (PTR record)

PTR record

A record used for reverse DNS, where you tell the owner of an IP what domain name you configured to point to this IP.

Reverse DNS means that the owner of an IP address declares publicly the FQDN that points to this address. While DNS maps a domain name to an IP address, reverse DNS maps an IP address to a domain name. It is a way of publicly declaring that your server at that IP address is responding to your domain name. The provider of your server is the owner of the IP address and they usually have a means for you to tell them the domain name assigned to an IP address.

More about SPF

The Sender Policy Framework (SPF) is defined in RFC 7208 as an authentication process that ties the envelope-from address (defined in RFC 5321) to a set of authorized sender IP addresses. This authorization is published in a TXT record in DNS. Receivers can check SPF at the beginning of an SMTP transaction: they look up the record for the domain of the envelope-from address, compare the connecting IP address to the addresses that record authorizes, and thus validate whether that IP is allowed to send mail for the domain.

The SPF TXT record contains (1) a version indicator, (2) a list of allowed IPs and (3) an authorization type.

  • The version indicator is always the same string: v=spf1

  • The allowed IPs are given as mechanisms: the keyword mx (meaning the hosts listed in the domain's MX records) or an explicit IPv4 (ip4:) or IPv6 (ip6:) address range

The authorization type is the qualifier on the final "all" mechanism and can be one of the following:

  • +all (pass): allow all mail

  • -all (fail): only allow mail that matches one of the parameters (ip4, MX, etc.) in the record

  • ~all (softfail): allow mail whether or not it matches the parameters in the record

  • ?all (neutral): no policy statement

Example:

v=spf1 mx ~all

Example (assuming that 12.34.56.78 is the IP address of the server):

v=spf1 ip4:12.34.56.78 -all
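As an added example (not code from the original page), here is how a receiving server evaluates such a record against the connecting IP address, covering the ip4, ip6, mx and all mechanisms described above; the mx host addresses are passed in as already-resolved, constructed values, since a real receiver would look them up in DNS:

```python
"""Added example (not part of the original page): parse an SPF TXT record and
return the result a receiver would give for mail from a given connecting IP.
ip4/ip6/all are evaluated locally; mx needs DNS, so the caller passes the
already-resolved MX addresses in (constructed values in the test)."""
import ipaddress

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches
RESULT_OF_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split 'v=spf1 ip4:... -all' into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without prefix means "pass"
        if term[0] in RESULT_OF_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_spf(record, connecting_ip, mx_addresses=()):
    """Return pass/fail/softfail/neutral for connecting_ip under this record."""
    ip = ipaddress.ip_address(connecting_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            return RESULT_OF_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            # a bare address is a /32 or /128; membership is False across versions
            if ip in ipaddress.ip_network(value, strict=False):
                return RESULT_OF_QUALIFIER[qualifier]
        elif mech == "mx":
            # a real receiver resolves the domain's MX hosts here
            if any(ip == ipaddress.ip_address(a) for a in mx_addresses):
                return RESULT_OF_QUALIFIER[qualifier]
    return "neutral"  # RFC 7208: nothing matched and no "all" term present
```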

DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a way for the receiving mail server to give feedback to the sending mail server about what happened to its messages. A message can “pass”, go into “quarantine” or get “rejected”. DMARC builds upon both the DKIM and Sender Policy Framework (SPF) specifications that are currently being developed within the IETF.

A DMARC resource record in the DNS looks like this:

v=DMARC1; p=none

Or like this:

v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@mydomain.org

In this example the sending mail server asks the receiver to boldly reject all non-aligned messages and send an aggregate report about the rejections to <postmaster@mydomain.org>.

DMARC records use the same “tag-value” syntax for DNS-based key records defined in DKIM.
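As an added example (not from the original page), the following code parses that tag-value syntax and applies the p=, pct=, aspf= and adkim= tags the way a receiving server does when deciding whether a message is aligned; the SPF and DKIM results and the domains they authenticated are constructed inputs rather than real lookups:

```python
"""Added example (not part of the original page): parse a DMARC record and
apply it the way a receiving server does. SPF/DKIM results and the domains
they authenticated are passed in already evaluated (constructed inputs)."""


def parse_dmarc(record):
    """Parse the 'tag=value; tag=value' syntax into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            tag, sep, value = part.partition("=")
            if not sep:
                raise ValueError("malformed DMARC tag: %r" % part)
            tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels (no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict (s) alignment needs equality; relaxed (r) accepts a subdomain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record, header_from, spf_result, envelope_from_domain,
                      dkim_result, dkim_d_domain, in_pct_sample=True):
    """Return 'pass', or the action (none/quarantine/reject) for an unaligned message."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(
        header_from, envelope_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        header_from, dkim_d_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    # pct= asks receivers to apply the policy to only that share of messages;
    # a message outside the sample gets the next milder action (RFC 7489 6.6.4).
    if int(tags.get("pct", "100")) < 100 and not in_pct_sample:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, policy)
    return policy
```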

DKIM (DomainKeys Identified Mail)

DKIM is an authentication mechanism for email that uses a “domain name identifier” and a DNS-based publishing service for the public key. We use it to avoid email spoofing and because otherwise our server would be suspected of sending spam, which would cause delivery issues.

When using DKIM, Postfix is configured to sign the content of every outgoing message. The signature information is placed into a field of the message header. The receiving mail server can then validate the signature to check that our server took responsibility for the message.

Spamassassin

Here we describe how to install Spamassassin on a Debian mail server with Postfix and Dovecot. The necessary packages are:

$ sudo apt-get install spamassassin spamc

We set up a user account and group for the spamd service:

$ sudo groupadd spamd
$ sudo useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd
$ sudo mkdir /var/log/spamassassin
$ sudo chown spamd:spamd /var/log/spamassassin

Edit /etc/default/spamassassin to add options:

# Change to one to enable spamd
ENABLED=1
SAHOME="/var/log/spamassassin/"
# Options
OPTIONS="--create-prefs --max-children 5 --helper-home-dir  \
--username spamd -H ${SAHOME} -s ${SAHOME}spamd.log"
# Cronjob
CRON=1

Start spamassassin daemon and check corresponding processes:

$ sudo service spamassassin start
$ sudo systemctl status spamassassin
$ ps aux | grep spam

Further, we need to configure Postfix's master.cf: add the spamassassin service and tell the existing smtp listener to pass incoming mail through it using the content_filter option:

# existing smtp entry: add the content_filter option below it
smtp      inet  n       -       y       -       -       smtpd
    -o content_filter=spamassassin
# new service: pipe each message through spamc, then back into sendmail
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

To mark spam messages, we configure /etc/spamassassin/local.cf:

# rewrite_header Subject *****SPAM*****
rewrite_header Subject [***** SPAM _SCORE_ *****]
# Set the threshold at which a message is considered spam (default: 5.0)
required_score 4.0

After restarting spamd, check the logs with:

tail -f /var/log/spamassassin/spamd.log

For Dovecot we need the sieve plugin:

$ sudo apt-get install dovecot-sieve dovecot-managesieved

and edit /etc/dovecot/conf.d/20-lmtp.conf:

protocol lmtp {
  mail_plugins = $mail_plugins sieve
}

After that restart dovecot.

To set up sieve filtering, create default.sieve in /var/lib/dovecot/sieve/:

require ["fileinto", "mailbox"];
if header :contains "X-Spam-Flag" "YES" {
        fileinto :create "Spam";
}

and compile it in /var/lib/dovecot:

$ sudo sievec sieve/
$ sudo chown -R dovecot:dovecot sieve/*
$ sudo chmod a+x .
$ sudo service dovecot restart

Diagnostic tips and tricks

Websites that help with testing your mail server

How to send a simple mail for testing the mail system?

If mailutils is installed:

$ mail -s "some test" root

If the mail comes through, look at its From: header. The mail command uses username@hostname when submitting it to the MTA. The MTA then replaces the local hostname by your mail server’s FQDN.

The GNU mail program has its own configuration files:

$ mail --show-config-options | grep SYSCONFDIR
SYSCONFDIR=/etc       - System configuration directory

Which means that the config files are actually in /etc/mail. One of them, /etc/mail/local-host-names, contains my default From header.

Which ports is my server listening on? And which service responds to which port?

Run nmap localhost to see this.

Troubleshooting

Some problems we had when running our own mail server and how we fixed them

8891@localhost: garbage after numerical service

This was an odd error. On one server the inet socket connection worked fine; on the other server this error was logged by smtpd every time it sent.

I wasn’t able to find the source of this issue, but the solution was to use a file-based socket. However, the default settings for a file socket connection give file-not-found errors.

The correct settings for Postfix and OpenDKIM for a file socket connection:

#/etc/opendkim.conf
umask           002
Socket                      local:/var/spool/postfix/var/spool/opendkim/opendkim.sock
#/etc/default/opendkim
Socket=local:/var/spool/postfix/var/spool/opendkim/opendkim.sock
#/etc/postfix/main.cf
smtpd_milters = local:/var/spool/opendkim/opendkim.sock

The reason for the /var/spool/postfix prefix in the opendkim settings is that Postfix runs chrooted in /var/spool/postfix, so it resolves the socket path relative to that directory (it thinks that directory is /).

For this solution you also need to create that path and set the permissions:

sudo mkdir -p /var/spool/postfix/var/spool/opendkim/
sudo chown opendkim:opendkim /var/spool/postfix/var/spool/opendkim/
sudo adduser postfix opendkim

That will allow postfix to use the socket file.

You will see messages like the following in your /var/log/mail.log file:

Oct 16 07:06:16 host mx01.emig.gmx.net[212.227.17.5] refused to talk to me:
554-gmx.net (mxgmx116) Nemesis ESMTP Service not available
554-No SMTP service 554-Bad DNS PTR resource record.
554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=167.114.229.225&c=rdns

554 Bad DNS PTR resource record means that your reverse DNS record isn’t set up correctly.

550 Email blocked means that the recipient’s mail server refuses to receive your mail because your mail server is blacklisted. To see whether your server is blacklisted, you can ask multirbl.valli.org. For some nice examples of why blacklisting is needed, see bobcares.com.

550-Requested action not taken: mailbox unavailable 550 Sender address has null MX (in reply to MAIL FROM command) indicates that the sender address of your mail was invalid (its domain declares a null MX).

relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c06::1a]:25,
status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c06::1a] said:
  550-5.7.26 Unauthenticated email from laudate.ee is not accepted due to
  domain's 550-5.7.26 DMARC policy. Please contact the administrator of
  laudate.ee domain 550-5.7.26 if this was a legitimate mail.
  Please visit 550-5.7.26  https://support.google.com/mail/answer/2451690
  to learn about the 550 5.7.26 DMARC initiative.

lost connection with mail.example.com

When sending an email, Thunderbird says “Sending of the message failed. The message could not be sent because the connection to Outgoing server (SMTP) mail.mydomain.org was lost in the middle of the transaction. Try again.”

Another problem we encountered was this:

postfix/smtp[13506]:B08AC130BC: to=<rec@example.com>,
relay=mail.example.com[46.4.136.153]:25, delay=134801,
delays=134798/0.11/1.4/0.9, dsn=4.4.2,
status=deferred (lost connection with mail.example.com[46.4.136.153] while sending MAIL FROM)

We tried to open a manual connection to the server:

$ openssl s_client -connect mail.example.com:25 -starttls smtp
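As an added example (not part of the original page), the following code picks the failed deliveries out of mail.log lines and maps the remote server's reply onto the causes discussed above; the sample log entries are constructed from this page's excerpts, and the queue ids, timestamps and recipient addresses in them are placeholders:

```python
"""Added example (not part of the original page): pull the delivery-status
lines out of /var/log/mail.log and map the remote server's reply onto the
causes discussed above. The sample log is constructed from this page."""
import re

# key=value fields that postfix/smtp writes: to=<...>, relay=..., dsn=..., status=...
FIELD_RE = re.compile(r"\b(to|relay|dsn|status)=([^,]+?)(?:,|$)")

# (pattern in the remote reply, explanation); first match wins
KNOWN_CAUSES = [
    (r"Bad DNS PTR", "reverse DNS (PTR) record not set up for the sending IP"),
    (r"Email blocked", "sending server is on a blacklist"),
    (r"null MX", "sender address domain publishes a null MX (invalid sender)"),
    (r"5\.7\.26|DMARC policy", "message failed the sender domain's DMARC policy"),
    (r"lost connection", "session dropped mid-transaction; test the relay with openssl s_client"),
]


def parse_smtp_line(line):
    """Return to/relay/dsn/status/reason/cause for a postfix/smtp line, else None."""
    if "postfix/smtp[" not in line or "status=" not in line:
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(line)}
    # status=bounced (host ... said: 550 ...): keep the parenthesised reason
    m = re.search(r"status=(\w+)\s*\((.*)\)\s*$", line)
    fields["status"] = m.group(1) if m else fields.get("status", "")
    fields["reason"] = m.group(2) if m else ""
    fields["cause"] = next((why for pat, why in KNOWN_CAUSES
                            if re.search(pat, fields["reason"])), "unknown")
    return fields


def failed_deliveries(log_text):
    """Collect the bounced and deferred deliveries from a chunk of mail.log."""
    return [f for f in map(parse_smtp_line, log_text.splitlines())
            if f and f["status"] in ("bounced", "deferred")]


# Constructed sample modelled on the excerpts above; each log entry is one line.
SAMPLE_LOG = """\
Oct 16 07:10:01 host postfix/smtp[13506]: B08AC130BC: to=<rec@example.com>, relay=mail.example.com[46.4.136.153]:25, delay=134801, delays=134798/0.11/1.4/0.9, dsn=4.4.2, status=deferred (lost connection with mail.example.com[46.4.136.153] while sending MAIL FROM)
Oct 16 07:11:02 host postfix/smtp[13507]: C19BD140CD: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c06::1a]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c06::1a] said: 550-5.7.26 Unauthenticated email from laudate.ee is not accepted due to domain's DMARC policy (in reply to end of DATA command))
Oct 16 07:06:16 host postfix/smtp[13505]: A07AB120AB: to=<user@gmx.net>, relay=mx01.emig.gmx.net[212.227.17.5]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=5.0.0, status=bounced (host mx01.emig.gmx.net[212.227.17.5] refused to talk to me: 554-gmx.net (mxgmx116) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record)
Oct 16 07:12:03 host postfix/smtp[13508]: D2ACE150DE: to=<ok@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK queued)
"""
```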

Sources