Setup your own email server (MTA) on the cheap - part 5

Our PostFix based MTA has been running well now, and all these last changes are just securing the server from SPAM and Viruses. Traditionally SPF was a great protection from SPAM which works by comparing the server sending the message to a DNS record to confirm the validity of the sending server. A great system but it's far from perfect, and most implementations could be generously described as half arsed. To improve on SPF DKIM has been developed which uses keys to sign sent messages, then the receiving server can pull a DNS record to confirm the validity of the mail it's receiving. To do this we're going to install and use opendkim.

    1. Install opendkim, of course:

    sudo apt-get install opendkim opendkim-tools

    2. Open /etc/opendkim.conf in your favourite editor and set these four lines:

    Domain          mydomain.com
    KeyFile         /etc/postfix/dkim.key
    Selector        mail
    SOCKET          inet:8891@localhost

    2a. I've complicated things in my setup to use different keys for each of the domains I use. To support this, I've also added these lines to my opendkim.conf

    KeyTable                       /etc/opendkim/KeyTable
    SigningTable              /etc/opendkim/SigningTable
    ExternalIgnoreList /etc/opendkim/TrustedHosts
    InternalHosts           /etc/opendkim/TrustedHosts

    2b. For my multi-domain setup to work I need to populate these referenced files to map the domains to the keys used (which we'll create soon).
    /etc/opendkim/KeyTable - this maps the domain and selector to a key file:

    mail._domainkey.domain1.com domain1.com:mail:/etc/opendkim/keys/domain1.com.dkim.key
    mail._domainkey.domain2.com domain2.com:mail:/etc/opendkim/keys/domain2.com.dkim.key
    /etc/opendkim/SigningTable - this maps a mail domain to a domain and selector:

    domain1.com mail._domainkey.domain1.com
    domain2.com mail._domainkey.domain2.com

    /etc/opendkim/TrustedHosts - this just ignores local subnets:

    127.0.0.1
    localhost
    172.31.0.0/16

    3. Now we need to create our signing keys. For a simple one domian configuration, run these:

    sudo opendkim-genkey -t -s mail -d domain.com 
    sudo cp mail.private /etc/postfix/dkim.key
    sudo chown opendkim:opendkim /etc/postfix/dkim.key

    3a. Of course, I complicate things so for each domain I need to run similar commands:

    sudo opendkim-genkey -t -s mail -d domain1.com
    sudo cp mail.private /etc/opendkim/keys/domain1.com.dkim.key
    sudo cp mail.txt ~/domain1.com.mail.txt

    sudo chown opendkim:opendkim /etc/opendkim/keys/domain1.com.dkim.key

    sudo opendkim-genkey -t -s mail -d domain2.com
    sudo cp mail.private /etc/opendkim/keys/domain2.com.dkim.key
    sudo cp mail.txt ~/domain2.mail.txt

    sudo chown opendkim:opendkim /etc/opendkim/keys/domain2.com.dkim.key

    These commands are: using opendkim-genkey to generate a key with the selector mail and the domain provided. We then copy the key into /etc/opendkim/keys/ then backup the DNS details it creates in mail.txt, then update the ownership of the key file so the opendkim daemon can access it.

    4. Now you'll need to create TXT dns records for your domain(s) according to the contents of either mail.txt or domainx.mail.txt. These should look something like this:

    Hostname: mail._domainkey
    Type: TXT
    Value: k=rsa;p=somehugerandomstring

    While we're editing DNS, lets also setup DMARC. This DNS record tells mail servers what they should do if DKIM or SPF fails. I'd recommend looking into a service to help report mail from your domains, like: https://dmarc.postmarkapp.com/. When you go through the setup on this site, it will give you details of the DNS records required - although I'd suggest change the p=none; part to p=quarantine; and once you've had a few reports and all looks well, change it to p=reject;

    5. Finally, reload everything and you should be on your way

    sudo service opendkim restart

Comments

Post a Comment

Popular posts from this blog

Sync iTunes with MythMusic

This is something I've been playing with for a while using various scripts but I think I'm now getting close to a good solution. It's a three stage process but its better than the 5+ steps I was doing. Here's what I'm doing now: Save the iTunes album art to the file system with iTSfv Copy the library to my MythTV PC with rsync in cygwin Copy my playlists with a nice perl script i found here: http://www.gossamer-threads.com/lists/mythtv/users/365416?page=last iTSfv is a nice tool which interfaces with iTunes and does various things to tidy up your library. One option is to "Export Artwork to Album folder as Folder.jpg". All you have to do is launch iTSfv and check this option, select all the tracks in your iTunes library and click Validate. It'll go through your library and place a nice jpg in the directory for all yout albums, which MythMusic will make use of. Then use rsync to sync the library to the music folder on the Media PC. I'm not goi
Read more

Using Homebridge and Broadlink RM Mini to automate

Image
In this post, I'll be documenting how I configured a Broadlink RM Mini to work with HomeKit using the Homebridge server I built in my last post . The Broadlink RM Mini is a small IR Blaster that sits on the coffee table and sends IR signals when requested. They're cheap, and they work: In hindsight, for a little more you can also get the RM Pro which (I found out later) includes a thermometer. I added a DS18D20 thermometer to my Raspberry Pi to get around this mess up. To start with, you'll need to unpack your RM Mini and get it setup on your network. To do this, you'll need to download their "e-Control" app and follow through the setup. There's a good summary of these steps here: https://spectrum.co.ae/blogs/technology/how-to-configure-broadlink-devices, you can just stop before step 5 if you don't plan to use the e-Control application. Now we need to add homebridge-broadlink-rm to our Raspberry Pi. Connect to the pi console, SSH or local
Read more

LetsEncrypt and AWS ELB Load Balancers

Image
This is something that I've struggled to find good information on. You've setup your IIS Web Servers in AWS, get them working nicely behind an ELB Load Balancer, now you want to apply a free LetsEncrypt SSL Certificate. This guide will take you through that process. Here's he basic run down: Design your Infrastructure to allow for a Central Validation Server Setup and IAM identity with access to manage your certificates Setup an initial certificate Apply the new certificate to a new ELB Re-generate the LetsEncrypt Certificate with a script to automatically update the ELB Certificate Design your Infrastructure to allow for a Central Validation Server One concept discussed in LetsEncrypt's Integration Guide  is a Central Validation Server. To abbreviate this considerably, this is setting up one of the servers to manage the certificates. Fortunately ELB2 presents the certificate to clients and it doesn't matter which certificate is presented by the server.
Read more