Setup your own email server (MTA) on the cheap - part 2

Previously I’ve recorded how to build your own email server for your own domain. Now Gmail and Yahoo can be a little picky about what they’ll let you use to send mail. Typically they’ll require (and it’s a good idea to have):
  • Authentication 
  • Secure traffic on port 587 or 465 
  • A valid SSL certificate
Side note, if you haven’t heard of LetsEncrypt, do some research. There’s no excuse for running unsecured web servers when you can get SSL certificates for free.

Here’s how to update our existing configuration to enable these features:

    1. Install sasl so we can use authentication

    sudo apt-get install sasl2-bin

    2. Edit /etc/postfix/main.cf to enable authentication. At the bottom of the file, add this text:
    3. Create a new user to send as. The bold text is what you’ll need to enter:

sudo adduser mailuser1
Adding user `mailuser1' ...
Adding new group `mailuser1' (1004) ...
Adding new user `mailuser1' (1004) with group `mailuser1' ...
Creating home directory `/home/mailuser1' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:xxxxx
Retype new UNIX password:xxxxx
passwd: password updated successfully
Changing the user information for mailuser1
Enter the new value, or press ENTER for the default
        Full Name []: Mail User 1
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
 
    4. Setup the temp location for sasl:

 sudo mkdir -p /var/spool/postfix/var/run/saslauthd

     5. Because we're using chroot you need to edit the file /etc/default/saslauthd. You need to change the line:
OPTIONS="-c -m /var/run/saslauthd"
to:
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Some sites will use a symbolic link to point postfix at the /var/spool path but this is the technique documented in the config file.
    6. Add the sasl daemon account to the postfix group

    sudo adduser postfix sasl

     7. Setup a chroot override so sasl can interact with postfix

    sudo dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

    8. Setup LetsEncrypt:

    sudo apt-get install letsencrypt

    9. Create your certificate:

    sudo letsencrypt certonly --standalone -d mail.mydomain.com
 
    10. Update the PostFix config to use the new certificate:

    sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem'    sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem'

    11. Make sure Lets Encrypt to log its activity:

    sudo chmod -R 744 /var/log/letsencrypt/

    12. Update PostFix to use port 587 and TLS. Edit the file /etc/postfix/master.cf and uncomment the line
    submission inet n - y - - smtpd

    13. Add these lines directly under the submission line in master.cf. This will remove the restrictions in main.cf for authenticated users. It should look like this:      14. Edit the file /etc/postfix/main.cf and add these lines:
    15. Refresh the postfix configuration:

    sudo systemctl restart postfix.service

And that’s it. You can now setup Gmail or Yahoo to send as your new account. Just give it the hostname of your server, port 587, and the credentials you setup in step 3.

Big thanks to these sources:
                         https://www.faqforge.com/linux/how-to-enable-port-587-submission-in-postfix/
                         https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
                         https://www.kogitae.fr/postfix-with-sasl-authentication-in-debian-jonas-genannt.htm


Setup Steps with links:
  1. Setup PostFix with email address forwarding
  2. Setup sending and use LetsEncrypt to secure the SMTP server 
  3. Setup SPAMAssassain so Gmail or Yahoo don’tblock us for passing on dodgy emails 
  4. Setup ClamAV to block viruses, these will get you blocked too 
  5. Setup DKIM using opendkim to check DKIM on incoming and sign our outgoing mail 
  6. Update sender addresses so SPF passes for forwarded messages 
  7. Use Fail2Ban to block brute force attempts on our server

Comments

Post a Comment

Popular posts from this blog

Using Homebridge and Broadlink RM Mini to automate

Image
In this post, I'll be documenting how I configured a Broadlink RM Mini to work with HomeKit using the Homebridge server I built in my last post . The Broadlink RM Mini is a small IR Blaster that sits on the coffee table and sends IR signals when requested. They're cheap, and they work: In hindsight, for a little more you can also get the RM Pro which (I found out later) includes a thermometer. I added a DS18D20 thermometer to my Raspberry Pi to get around this mess up. To start with, you'll need to unpack your RM Mini and get it setup on your network. To do this, you'll need to download their "e-Control" app and follow through the setup. There's a good summary of these steps here: https://spectrum.co.ae/blogs/technology/how-to-configure-broadlink-devices, you can just stop before step 5 if you don't plan to use the e-Control application. Now we need to add homebridge-broadlink-rm to our Raspberry Pi. Connect to the pi console, SSH or local...
Read more

Using HomeBridge on a Raspberry Pi to control devices from HomeKit

Image
If you’ve got a selection of devices that you’d like to control using iOS HomeKit, setting up homebridge might be a good solution. In short, it’s a platform which acts as a “bridge” between your devices and “HomeKit”. There are MANY plugins available for it: https://www.npmjs.com/search?q=homebridge. Here’s how I use it: I have a Broadlink RM Mini that controls my AC, TV, Radio and a digital photo frame using homebridge-broadlink-rm: https://www.npmjs.com/package/homebridge-broadlink-rm  I have it enable/disable an indoor camera using MotionEye using homebridge-script2: https://www.npmjs.com/package/homebridge-script2  With all those plugins, the options are almost endless if the device is connected to the network. To do this I use a Raspberry Pi 2. To get started, you’ll need to have raspbian installed and running. To do this, there are various guides available, including this official one: https://projects.raspberrypi.org/en/projects/raspberry-pi-getting-started. ...
Read more

LetsEncrypt and AWS ELB Load Balancers

Image
This is something that I've struggled to find good information on. You've setup your IIS Web Servers in AWS, get them working nicely behind an ELB Load Balancer, now you want to apply a free LetsEncrypt SSL Certificate. This guide will take you through that process. Here's he basic run down: Design your Infrastructure to allow for a Central Validation Server Setup and IAM identity with access to manage your certificates Setup an initial certificate Apply the new certificate to a new ELB Re-generate the LetsEncrypt Certificate with a script to automatically update the ELB Certificate Design your Infrastructure to allow for a Central Validation Server One concept discussed in LetsEncrypt's Integration Guide  is a Central Validation Server. To abbreviate this considerably, this is setting up one of the servers to manage the certificates. Fortunately ELB2 presents the certificate to clients and it doesn't matter which certificate is presented by the server....
Read more