
HOWTO coldsetup 06_mail_server

steveoro edited this page Apr 26, 2021 · 1 revision

HOW-TO: Cold Deploy Server step-by-step

Part 6: Mail Server setup

References:

Use Postfix as MTA

(@ remote server)

$> sudo apt update

$> sudo DEBIAN_PRIORITY=low apt install postfix

# OR:
$> sudo apt install mailutils

Installing will require answering some questions:

  • General type of mail configuration? Internet Site

  • System mail name: the base domain used to construct a valid email address (here: master-goggles.org)

  • Root and postmaster mail recipient: forwarded mail from root & postmaster; use your primary account for this deploy

  • Other destinations to accept mail for: if this server must also receive mail for other domains, add them here; otherwise the default is sufficient. Default: $myhostname, master-goggles.org, mail.goggles-v7, localhost.goggles-v7, localhost

  • Force synchronous updates on mail queue? Since you are likely using a journaled filesystem, accept "No"

  • Local networks: the list of networks for which this mail server will relay messages; the default works for most scenarios. Add here also the base IP range of any Docker gateway running on the host (typically 172.0.0.0/8). Default: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

  • Mailbox size limit: 0 (disables any size restriction)

  • Local address extension character: +

  • Internet protocols to use: all

To reconfigure:

$> sudo dpkg-reconfigure postfix

A valid Postfix config for master-goggles.org (check the current version with sudo vi /etc/postfix/main.cf):

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $mydomain ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/master-goggles.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/master-goggles.org/privkey.pem
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

myhostname = master-goggles.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydomain = master-goggles.org
mydestination = master-goggles.org

smtp_bind_address=0.0.0.0
smtp_bind_address6=::

relayhost =
relay_domains = master-goggles.org
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.0.0.0/8

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
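
Before opening port 25 it is worth verifying that main.cf refuses to relay for clients that are neither in mynetworks nor SASL-authenticated, and listing every non-loopback network that permit_mynetworks trusts (here the whole 172.0.0.0/8). The checker below is an added example, not part of this wiki or the Goggles project; the two sample configs it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the wiki): sanity-check the relay-related settings
# of a Postfix main.cf before exposing port 25. Sample configs are constructed.
# Effective value of a main.cf parameter: the last assignment wins, as in Postfix.
postconf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
# postfix_relay_check FILE: returns 0 when FILE rejects relaying for clients that
# are neither in mynetworks nor SASL-authenticated AND offers STARTTLS; returns 1
# otherwise. Also lists every non-loopback network that is trusted to relay.
postfix_relay_check() {
    f="$1"; rc=0
    relay=$(postconf_get "$f" smtpd_relay_restrictions)
    case " $relay " in
        *" reject_unauth_destination "*|*" defer_unauth_destination "*)
            echo "OK   smtpd_relay_restrictions = $relay" ;;
        *)  echo "FAIL smtpd_relay_restrictions = '$relay' (open relay risk)"; rc=1 ;;
    esac
    for net in $(postconf_get "$f" mynetworks); do
        case "$net" in
            127.*|"[::1]"*|"[::ffff:127."*) ;;   # loopback ranges: expected
            *) echo "NOTE $net may relay without SASL auth via permit_mynetworks" ;;
        esac
    done
    tls=$(postconf_get "$f" smtpd_tls_security_level)
    [ -n "$tls" ] || { echo "FAIL smtpd_tls_security_level unset: no STARTTLS offered"; rc=1; }
    return $rc
}
# Constructed sample: the relay-relevant lines of the main.cf shown above.
write_good_cf() {
    cat > "$1" <<'EOF'
smtpd_tls_security_level=may
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.0.0.0/8
EOF
}
# Constructed sample: a misconfiguration that would relay for anyone.
write_bad_cf() {
    cat > "$1" <<'EOF'
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
mynetworks = 0.0.0.0/0
EOF
}
good=$(mktemp); bad=$(mktemp)
write_good_cf "$good"; write_bad_cf "$bad"
postfix_relay_check "$good"
postfix_relay_check "$bad" || echo "(bad sample rejected, as expected)"
rm -f "$good" "$bad"
```

On a live host, run the checker against the output of `postconf -n` redirected to a file rather than the raw main.cf, so that only explicitly set parameters are evaluated.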

Changing the Postfix Configuration

Set the location for your non-root Ubuntu user’s mailbox:

$> sudo postconf -e 'home_mailbox= Maildir/'

Map arbitrary email accounts to Linux system accounts:

$> sudo postconf -e 'virtual_alias_domains = $mydomain'
$> sudo postconf -e 'virtual_alias_maps= hash:/etc/postfix/virtual'

Edit the virtual aliases:

$> sudo vi /etc/postfix/virtual

Example:

root@master-goggles.org         deploy
postmaster@master-goggles.org   deploy
no-reply@master-goggles.org     deploy

Apply the mapping by typing:

$> sudo postmap /etc/postfix/virtual

Restart the Postfix process to be sure that all of your changes have been applied:

$> sudo systemctl restart postfix

Allow connections to the service. For an in/out Postfix server (receiving from and sending to anywhere):

$> sudo ufw allow Postfix

For a send-only Postfix configuration, you don't need to open port 25 for "Anywhere" (which is the default "Postfix" app profile on ufw).

Instead, allow only incoming connections from localhost (for testing) and, if needed, from any Docker bridge network running on the host (172.XXX.0.1):

$> sudo ufw allow from 172.0.0.0/8 to any port 25
$> sudo ufw allow from 127.0.0.0/16 to any port 25

Reload the firewall and check the result:

$> sudo ufw reload
$> sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
444/tcp                    ALLOW       Anywhere
8080/tcp                   DENY        Anywhere
9080/tcp                   DENY        Anywhere
25                         ALLOW       172.0.0.0/8
25                         ALLOW       127.0.0.0/16
Apache Full (v6)           ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
444/tcp (v6)               ALLOW       Anywhere (v6)
8080/tcp (v6)              DENY        Anywhere (v6)
9080/tcp (v6)              DENY        Anywhere (v6)
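
A quick way to confirm that the send-only ruleset really keeps port 25 closed to the outside (the default "Postfix" app profile would open it to Anywhere) is to scan the `ufw status` table. This is an added example, not part of this wiki or the Goggles project; the two status tables it embeds are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the wiki): confirm from `ufw status` output that
# SMTP is allowed only from the loopback/Docker ranges, never from Anywhere.
# The two status tables below are constructed for the demo.
# smtp_exposure_check: reads a `ufw status` table on stdin; returns 0 when no
# rule opens SMTP (port 25, 25/tcp or the "Postfix" app profile) to Anywhere,
# 1 otherwise. Prints one line per SMTP rule found.
smtp_exposure_check() {
    awk '
        $1 == "25" || $1 == "25/tcp" || $1 == "Postfix" {
            act = $2; from = $3
            if ($2 == "(v6)") { act = $3; from = $4 }   # "25 (v6)" style rows
            if (act == "ALLOW" && from ~ /^Anywhere/) { print "FAIL " $0; bad = 1 } else { print "OK   " $0 }
        }
        END { exit bad + 0 }'
}
# Constructed sample: the send-only ruleset shown above (abridged).
good_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
25                         ALLOW       172.0.0.0/8
25                         ALLOW       127.0.0.0/16
OpenSSH (v6)               ALLOW       Anywhere (v6)
EOF
}
# Constructed sample: what `sudo ufw allow Postfix` produces (port 25 open to all).
bad_status() {
    cat <<'EOF'
To                         Action      From
--                         ------      ----
Postfix                    ALLOW       Anywhere
Postfix (v6)               ALLOW       Anywhere (v6)
EOF
}
good_status | smtp_exposure_check
bad_status | smtp_exposure_check || echo "(port 25 is exposed to Anywhere)"
```

On the server itself, pipe the real table in with `sudo ufw status | smtp_exposure_check`.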

Installing the s-nail Mail Client and Initializing the Maildir Structure

Using s-nail allows sending out e-mails with more flexibility on the headers and fields than the simple mailutils mail tool.

With the above configuration it's easier, for instance, to have the "from" and "reply-to" fields map to the correct originating domain (instead of just the hostname), which helps avoid being flagged as spam. See also the paragraph at the end.

$> echo 'export MAIL=~/Maildir' | sudo tee -a /etc/bash.bashrc | sudo tee -a /etc/profile.d/mail.sh
$> source /etc/profile.d/mail.sh
$> sudo apt install s-nail
$> sudo vi /etc/s-nail.rc

Make sure the config file has the following values:

# ...
set emptystart

# ...
set folder=Maildir

# ...
set record=+sent

  • set emptystart: allows the client to open even with an empty inbox
  • set folder=Maildir: sets the Maildir directory as the internal folder variable
  • set record=+sent: creates a sent mbox file for storing sent mail within whichever directory is set as the folder variable

Because the sent file will only be available once the Maildir is created, you should disable writing to it for this initial email. Do this by passing the -Snorecord option.

$> echo 'init' | s-nail -s 'init' -Snorecord deploy

(Ignore the normal warning Can't canonicalize "/home/deploy/Maildir" in case it shows up.)

$> ls -R ~/Maildir

Testing the Client

Check the retrieval of the init msg:

$> s-nail

s-nail version v14.9.15.  Type `?' for help
"/home/deploy/Maildir": 1 message 1 new
>N  1 deploy@example.com     2020-05-19 15:40   14/392   init

Press ENTER to display the message.

Commands:

  • h: message list
  • d: delete msg
  • q: quit

Now you can test sending out other messages.

Refer to the next chapter on how to avoid being flagged as a spammer. Send these initial outgoing test e-mails with caution.

Usually a GMail account is more forgiving with these initial unencrypted, unverified incoming messages, because it relies on in-house AI to tag unknown senders; so, in the worst case, you'll just have to check the "spam" folder for the received message.

(...And not open a ticket in a spammer database service. - True story) :-(

$> echo "This is a test message" | s-nail -s 'Test email from Goggles!' -T "to: steve.alloro@gmail.com"

Check the outgoing msg with s-nail:

$> s-nail

# ...Or any issues directly in the log:
$> sudo tail /var/log/mail.log
