Posts

Showing posts from July, 2018

Setup your own email server (MTA) on the cheap - part 7

All going well, this should be the last part of my posts about configuring Postfix as an MTA. This configuration arose because I happened to be looking at my mail.log file while someone in the Ukraine was trying again and again to log in to my server. So, I installed Fail2Ban. Fail2Ban is a clever tool that watches the log files you configure and, when it finds suspicious activity, uses iptables (a Linux firewall) to block the source of the traffic. This tool is built for our setup, so it’s relatively straightforward to set up:

1. Install Fail2Ban:
    sudo apt-get install fail2ban
2. In your favourite editor, create a file /etc/fail2ban/jail.local. This is where all the rules should be customised. Default rules are in jail.conf, but these should be left alone (they will be updated in new versions), so customisations all go in your local file. This is the text I add to my jail.local file:
4. Finally, reload everything and you should be on your way:
    sudo service fail2ban restart

Setup your own email server (MTA) on the cheap - part 6

You’ve now got an MTA using Postfix and it works beautifully – and in my case it has been for a month now. If you’re paying attention, there are a couple of things you may have noticed. When you go to “Show Original” in Gmail, it shows that SPF on incoming messages has failed. After a while, Gmail’s SMTP server will respond that they’re throttling you because of the quantity of suspicious mail you send. Gmail doesn’t actually have an issue with the quantity of mail; it has an issue with the quantity of messages that are failing DKIM or, in our case, SPF. Fortunately, some people smarter than me have already thought of this issue and built postsrsd. Here’s what I did to set this up:

1. Install postsrsd, of course:
    sudo apt-get install postsrsd
2. Update Postfix to use postsrsd:
    sudo postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
    sudo postconf -e "sender_canonical_classes = envelope_sender"
    sudo postconf -e "recipient_canonical_maps

Setup your own email server (MTA) on the cheap - part 5

Our Postfix-based MTA has been running well now, and all these last changes are just securing the server from SPAM and viruses. Traditionally, SPF was a great protection from SPAM; it works by comparing the server sending the message to a DNS record to confirm the validity of the sending server. A great system, but it's far from perfect, and most implementations could be generously described as half-arsed. To improve on SPF, DKIM has been developed, which uses keys to sign sent messages; the receiving server can then pull a DNS record to confirm the validity of the mail it's receiving. To do this we're going to install and use opendkim.

1. Install opendkim, of course:
    sudo apt-get install opendkim opendkim-tools
2. Open /etc/opendkim.conf in your favourite editor and set these four lines:
    Domain          mydomain.com
    KeyFile         /etc/postfix/dkim.key
    Selector        mail
    SOCKET          inet:8891@localhost
2a. I've complic

Setup your own email server (MTA) on the cheap - part 4

We’ve already built our Postfix-based MTA and it’s relaying mail to our target mailbox. We’ve already added SPAM protection, but what about viruses? ClamAV is a well-known, and well reputed, antivirus for Linux. They also have a daemon called clamsmtp which we can have look over our mail and make sure we’re not passing along any viruses. These are the steps I followed to add AV scanning.

1. First, let’s install ClamAV and ClamSMTP:
    sudo apt-get install clamsmtp
2. Now, let’s configure it. Open /etc/clamsmtpd.conf in your favourite editor. Most lines will be left, but update these two configuration lines:
    This bug appears to be resolved in the latest version.
3. There is a small bug at the moment with permissions on some files. To correct these, run these commands:
    sudo chown -R clamav:clamav /var/run/clamav/
    sudo chown -R clamav:clamav /var/spool/clamsmtp
    sudo chown -R clamav:clamav /var/run/clamsmtp/
4. Now, let’s hook it in to PO

Setup your own email server (MTA) on the cheap - part 3

Now we’ve got everything working with our MTA, we need to lock it down. If you’re redirecting SPAM to Gmail, there’s a risk that they’ll identify you as a SPAMMER and blacklist your IP address. To reduce this risk, we’ll install SpamAssassin to filter messages before we forward them.

1. First, install SpamAssassin:
    sudo apt-get install spamassassin
   And its requirements:
    sudo apt-get install libmail-dkim-perl libcrypt-openssl-random-perl libcrypt-openssl-rsa-perl
2. Set up a user and group for the daemons:
    sudo groupadd spamd
    sudo useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd
3. Set up a folder for the logs:
    sudo mkdir /var/log/spamassassin
    sudo chown spamd:spamd /var/log/spamassassin
4. Now, the fun starts. Update the configuration. First, edit /etc/spamassassin/local.cf. You can have some fun tweaking things here, but these are the settings I change, and they work well for me:
5. Configur

Setup your own email server (MTA) on the cheap - part 2

Previously I’ve recorded how to build your own email server for your own domain. Now, Gmail and Yahoo can be a little picky about what they’ll let you use to send mail. Typically they’ll require (and it’s a good idea to have):

Authentication
Secure traffic on port 587 or 465
A valid SSL certificate

Side note: if you haven’t heard of Let’s Encrypt, do some research. There’s no excuse for running unsecured web servers when you can get SSL certificates for free. Here’s how to update our existing configuration to enable these features:

1. Install sasl so we can use authentication:
    sudo apt-get install sasl2-bin
2. Edit /etc/postfix/main.cf to enable authentication. At the bottom of the file, add this text:
3. Create a new user to send as. The bold text is what you’ll need to enter:
    sudo adduser mailuser1
    Adding user `mailuser1' ...
    Adding new group `mailuser1' (1004) ...
    Adding new user `mailuser1' (1004) with group `mailuser1'

Setup your own email server (MTA) on the cheap - part 1

If you’ve got your own domain, finding a cheap but professional way to host your email can be difficult. Most options either come with a price tag, or recipients get a “sent on behalf of” message in your email headers. This is a cheap way to build your own email server, without the expense of storing all of your messages… and backing them up. I deployed an Ubuntu server in AWS. We only need the minimum of storage since we’re not storing anything, so this can easily fit in the free tier and cost you nothing for the first year. This server manages email for my personal domains. It scans messages for SPAM and viruses and routes the messages to the corresponding Gmail or Yahoo mailboxes. The server is also configured to send messages from Gmail or Yahoo using SMTP. Here’s the setup…

1. First things first, let’s update everything:
    sudo apt-get update
    sudo apt-get upgrade
2. Then install Postfix:
    sudo apt-get install postfix
3. Update the PostFix co