Installation | Topics | Beyond Lino

Get started

This is a quick cheat sheet for setting up your own mail server.

Preamble

  • Written for Debian 13

  • Replace mydomain.org with your domain.

Before installing Postfix

Check your /etc/mailname file. It should contain the domain name that Postfix will use for outgoing email messages:

$ cat /etc/mailname
mydomain.org

Set up your DNS records (aka zone file):

Type

Host

Priority

Destination

A

mydomain.org

12.34.56.78

A

mail.mydomain.org

12.34.56.78

MX

mydomain.org.

10

mail.mydomain.org

Why mail.laudate.ee instead of simply laudate.ee? In a small system, both names resolve to the same IP address. But it can make sense to have your mail server on a different machine than your web server or other application servers. Already for security reasons. Or in order to be scalable. It seems that the mail subdomain (or sometimes smtp or mx) is general practice.

Note : the domain given by the MX record (the FQDN of our mail server) needs to have its separate A record. Just a CNAME is not enough for a mail server.

Install Postfix

Installing Postfix on Debian will automatically uninstall exim4:

$ sudo apt install postfix

Installing Postfix will start by asking you to select a “General mail configuration type”:

  • No configuration

  • Internet Site

  • Internet with smarthost

  • Satellite system

  • Local only

You select either “Internet” or “Internet with smarthost”. “Smarthost” is a historical word for a relay host.

In both cases the installer then asks for your system’s mail name:

┌─────────────────────────┤ Postfix Configuration ├────────────────────────
│ The 'mail name' is the domain name used to 'qualify' _ALL_ mail
│ addresses without a domain name. This includes mail to and from <root>:
│ please do not make your machine send out mail from root@example.org
│ unless root@example.org has told you to.
│
│ This name will also be used by other programs. It should be the single,
│ fully qualified domain name (FQDN).
│
│ Thus, if a mail address on the local host is foo@example.org, the
│ correct value for this option would be example.org.
│
│ System mail name:
│
│ mydomain.org
│
│                    <Ok>                        <Cancel>
│
└──────────────────────────────────────────────────────────────────────────
mail name

The fully qualified domain name of your server, without any special subdomain, i.e. just the name after the @ of the email addresses for which you want to manage mails.

In both cases your answers are stored in a file /etc/postfix/main.cf, which you will probably continue to modify afterwards.

Internet with smarthost

When you select “Internet with smarthost”, you get a next question asking for the name of your relay host:

┌─────────────────────────┤ Postfix Configuration ├────────────────────────
│ Please specify a domain, host, host:port, [address] or [address]:port.
│ Use the form [destination] to turn off MX lookups. Leave this blank for
│ no relay host.
│
│ Do not specify more than one host.
│
│ The relayhost parameter specifies the default external host to send mail
│ to when no entry is matched in the optional transport(5) table. When no
│ relay host is given, mail is routed directly to the destination.
│
│ SMTP relay host (blank for none):
│
│ smtp.zone.eu
│
│                    <Ok>                        <Cancel>
│
└──────────────────────────────────────────────────────────────────────────

Some typical answers:

If the relay host requires a username and password, then you need to install SASL. Install the library modules:

$ sudo apt-get install libsasl2-modules

Write your credentials to the sasl_password file:

$ sudo nano /etc/postfix/sasl_passwd

Example content:

smtp.zone.eu:587 vps@mydomain.org:1234abcd

After editing your sasl_passwd file, you must compile it:

$ sudo postmap /etc/postfix/sasl_passwd

And your sasl_passwd file must be accessible only by root:

$ sudo chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

And in your /etc/postfix/main.cf file you must instruct Postfix to use this file:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

More settings in the /etc/postfix/main.cf file:

smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

When using a relay host, you don’t need to worry about the remaining sections in this document.

Internet Site

When you select “Internet Site”, the Postfix installer asks no more questions, but you need to execute the remaining ections in this document.

Reverse DNS

For an independent mail server you must make sure that the PTR record (also known as Reverse DNS) of your IP address is configured correctly. Without a PTR record the SMTP servers of your recipients are likely to refuse to talk with your server.

Check whether your PTR record is correctly set:

$ sudo apt install dnsutils
$ nslookup mydomain.org
Name: mydomain.org
Address: 12.34.56.78

$ dig -x 12.34.56.78
;; ANSWER SECTION:
78.56.34.12.in-addr.arpa. 86400 IN PTR mydomain.org.

Install Dovecot

Install the Debian packages:

# apt install dovecot-pop3d  # optional
# apt install dovecot-imapd  # optional

Create a file /etc/dovecot/local.conf and add the following content:

listen = *, ::

auth_mechanisms = plain login

mail_driver = maildir
mail_path = ~/Maildir
mail_inbox_path = ~/Maildir/.INBOX

ssl_server_cert_file = /etc/letsencrypt/live/mail.mydomain.org/fullchain.pem
ssl_server_key_file = /etc/letsencrypt/live/mail.mydomain.org/privkey.pem

IMPORTANT: Mail location parameters should be in sync. Above means that the postfix config parameter is home_mailbox = Maildir/.

Use certbot to install a certificate for the mail server:

# certbot certonly --standalone -d mail.mydomain.org

It is possible that you need to stop nginx before running above command.

Control the Dovecot service:

# systemctl restart dovecot

Using hints from:

Install DKIM

This recipe uses mail as the selector. Selectors are used when you have more than one key per domain, e.g. one for “advertisement” and another for “invoicing”. Common alternative values for the default selector are dkim or simply default.

Install the system package:

# apt install opendkim opendkim-tools

Edit your /etc/opendkim.conf and set the following values:

Domain                  mydomain.org
Selector                mail
      KeyFile                 /etc/dkimkeys/mail.private
Socket local:/var/spool/postfix/opendkim/opendkim.sock

Add user “postfix” to group “opendkim”:

# adduser postfix opendkim

Edit your /etc/postfix/main.cf and set the following values:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen}

Generate your DKIM key:

# opendkim-genkey -r -h rsa-sha256 -d mydomain.org -D /etc/dkimkeys -s mail

This will create two files, mail.private and mail.txt in /etc/dkimkeys. The private key is used to sign outgoing emails.

Both files are readable only by their owner. Change the owner and group of these files to opendkim:

# chown -Rv opendkim:opendkim /etc/dkimkeys/mail.*

Paste the public key into a TXT record of your DNS zone file:

# cat /etc/dkimkeys/mail.txt
mail._domainkey       IN      TXT     ( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "
mail._domainkey       IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; t=y; "
        "p=AySFjB...very"
        "long string...xorQAB" )  ; ----- DKIM key mail for mydomain.org

The result in your provider’s admin platform should look:

v=DKIM1; h=rsa-sha256; k=rsa; p=AySFjB...very long string...xorQAB

It might take some time for changes to propagate.

Restart the services:

# systemctl restart postfix opendkim

Create /etc/opendkim/KeyTable and add the following line:

mydomain.org mydomain.org:mail:/etc/opendkim/keys/mail.private

Create /etc/opendkim/SigningTable and insert:

*@mydomain.org mail._domainkey.mydomain.org

Finally, create /etc/opendkim/TrustedHosts and insert:

127.0.0.1
::1
localhost
*.mydomain.org

SPF

To enable SPF, the following should be applied. First, install corresponding postfix package:

# apt install postfix-policyd-spf-python

Second, append postfix settings to /etc/postfix/master.cf:

policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf

and to /etc/postfix/main.cf:

policyd-spf_time_limit = 3600 smtpd_recipient_restrictions = … , check_policy_service unix:private/policyd-spf

Test your configuration

Use opendkim-testkey:

$ sudo apt install opendkim-tools
$ sudo opendkim-testkey -d mydomain.org -s mail -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/dkimkeys/mail.private
opendkim-testkey: checking key 'mail._domainkey.mydomain.org'
opendkim-testkey: key secure
opendkim-testkey: key OK