How to set up an outgoing email server
Here is a guide on getting outgoing email services running on Ubuntu using Postfix. This tutorial has been tested on an Ubuntu 8.04 VPS from LogicWeb. Please keep in mind that you have to be logged in as root during the whole process.
Let’s get core email functionality going with Postfix.
aptitude install postfix sasl2-bin libsasl2-modules
You will be asked a few questions. Unfortunately, the configuration dialog that is launched automatically during installation is a condensed version. Confirm the defaults there and then run the full configuration dialog:
dpkg-reconfigure postfix
Again, you will be asked some questions:
- General type of mail configuration: Internet Site
- System mail name: subdomain.hostname.tld (Use the identity domain and replace the prefix as necessary)
- Root and postmaster mail recipient: firstname.lastname@example.org
- Other destinations to accept mail for: subdomain.hostname.tld, localhost (Use the identity domain)
- Force synchronous updates on mail queue: No
- Local networks: leave default
- Use procmail for local delivery: Yes (this sets mailbox_command, which takes precedence over the home_mailbox = Maildir/ setting configured later; answer No if you actually want Maildir delivery)
- Mailbox size limit (bytes): 0
- Local address extension character: leave default
- Internet protocols to use: all
Sometimes sendmail keeps running even though it has been replaced by Postfix. Stop the old sendmail process (and make sure it is not started at boot) before continuing, otherwise the two daemons will fight over port 25.
Next, let’s take care of certificates for TLS. First create a new directory.
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
Now create a new key and generate a certificate request. You will be asked several questions during this process. Fill them as suggested below. Of course you will have to use domain and name of identity for which this server is being setup.
openssl genrsa -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
Use at least a 2048-bit key; 1024-bit RSA keys are no longer considered adequate. Feeding a world-readable static file such as /etc/hosts to -rand adds no real entropy, so leave that option out. The Common Name must be the hostname your clients will connect to (the same name as myhostname below), otherwise clients that verify the certificate will reject it. The prompts and suggested answers:
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []: London
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Hostname
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: subdomain.hostname.tld
Email Address []: email@example.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Now we need to self-sign the certificate.
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
chmod 600 smtpd.key
rm smtpd.csr
Because the certificate is self-signed, clients cannot validate it against a CA: they will have to accept (ideally pin) it explicitly, or you will have to replace it with a CA-issued certificate for the same Common Name later.
Finish configuring Postfix for TLS and SASL.
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_auth_only = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'home_mailbox = Maildir/'
Two of these settings do the security work. smtpd_tls_auth_only = yes refuses AUTH on an unencrypted connection, so the PLAIN and LOGIN mechanisms (which transmit the password as-is) are only ever used inside TLS. reject_unauth_destination at the end of smtpd_recipient_restrictions is what keeps the server from being an open relay: only SASL-authenticated clients and hosts listed in mynetworks may send to destinations this server is not responsible for. smtp_use_tls and smtpd_use_tls are the old-style switches; on Postfix 2.3 and later the equivalent is smtp_tls_security_level = may and smtpd_tls_security_level = may, but both forms work on the 2.5 release shipped with Ubuntu 8.04.
Postfix did not pick up the mail name as the hostname used in the SMTP banner, so set it explicitly:
postconf -e 'myhostname = subdomain.hostname.tld'
In case the server has no IPv6 interface, set:
postconf -e 'inet_protocols = ipv4'
If you also want SMTP over TLS on port 465 (SMTPS, TLS from the first byte instead of STARTTLS), add these lines to /etc/postfix/master.cf:
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
Finally, restart Postfix:
/etc/init.d/postfix restart
Postfix logs through syslog, which on Ubuntu means everything ends up in /var/log/mail.log (with copies split by priority into mail.info, mail.warn and mail.err in the same directory).
These files should be rotated weekly, but pretty much all virtual Ubuntu servers I tested had a weird bug: the weekly syslog script was missing and the log files did not get rotated. If you come across the same problem, install rsyslog, which is newer than syslogd and ships its own logrotate configuration:
aptitude install rsyslog
Authentication will be done by saslauthd, which has to be configured to work with the chrooted Postfix setup. Edit /etc/default/saslauthd and add or change the following settings so that they match:
START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Finish up SASL by creating the socket directory inside the Postfix chroot, adding the postfix user to the sasl group, and then starting saslauthd:
mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
/etc/init.d/saslauthd start
Note that with the default MECHANISMS="pam" in /etc/default/saslauthd, passwords are checked against the system accounts, so every user with a password on this box becomes a valid SMTP login. Create dedicated, shell-less accounts for mail submission rather than reusing administrative ones.
At this point, core email services should be up and running. Let's make sure that you're in good shape before moving on. First, establish a connection with the mail server:
telnet localhost 25
After the 220 greeting from Postfix, send an EHLO:
EHLO localhost
The reply should advertise STARTTLS:
...
250-STARTTLS
...
Because smtpd_tls_auth_only = yes is set, AUTH is deliberately not advertised on this plaintext connection; if you see 250-AUTH PLAIN LOGIN here, the setting did not take effect. To see the AUTH line you have to talk to the server through TLS, which openssl can do for you:
openssl s_client -starttls smtp -connect localhost:25
Once the handshake has completed, send EHLO localhost again and the reply should now include:
...
250-AUTH PLAIN LOGIN
...
Type quit to get out.
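The same check, scripted, as an added example that is not part of the original page: it connects with Python's smtplib, records the EHLO extensions before and after STARTTLS, and reports whether the smtpd_tls_auth_only policy actually holds. The default host name and the EHLO replies used for illustration are assumptions; certificate verification is disabled only because the certificate configured above is self-signed.

```python
"""Verify a Postfix submission server's STARTTLS/AUTH policy (added example)."""
import smtplib
import ssl
import sys

# Hypothetical target; replace with the server you just configured.
DEFAULT_HOST = "subdomain.hostname.tld"


def parse_ehlo(reply):
    """Parse the multi-line EHLO text smtplib returns into {EXTENSION: [params]}.

    The first line is the server's greeting name, not an extension, so it is
    skipped. With broken_sasl_auth_clients = yes Postfix also emits an
    'AUTH=PLAIN LOGIN' line for old Outlook versions; fold it into AUTH.
    """
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    exts = {}
    for line in reply.splitlines()[1:]:
        if not line.strip():
            continue
        name, _, rest = line.partition(" ")
        params = rest.split()
        if name.upper().startswith("AUTH="):
            name, params = "AUTH", [name[5:]] + params
        exts.setdefault(name.upper(), []).extend(params)
    return exts


def evaluate(before, after):
    """Return a list of policy violations; an empty list means the server is fine."""
    problems = []
    if "STARTTLS" not in before:
        problems.append("STARTTLS not offered on the plaintext connection")
    if "AUTH" in before:
        problems.append("AUTH offered before STARTTLS (smtpd_tls_auth_only not in effect)")
    if "AUTH" not in after:
        problems.append("AUTH not offered after STARTTLS (check saslauthd / smtpd_sasl_auth_enable)")
    else:
        mechs = {m.upper() for m in after["AUTH"]}
        if not mechs & {"PLAIN", "LOGIN"}:
            problems.append("mech_list has neither PLAIN nor LOGIN: " + ", ".join(sorted(mechs)))
    return problems


def probe(host=DEFAULT_HOST, port=25, timeout=10):
    """Live check: EHLO, STARTTLS, EHLO again, then evaluate both feature lists."""
    ctx = ssl.create_default_context()
    # Self-signed certificate on this server: skip verification for the probe only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        _, reply = conn.ehlo("probe.invalid")
        before = parse_ehlo(reply)
        if "STARTTLS" in before:
            conn.starttls(context=ctx)
            _, reply = conn.ehlo("probe.invalid")
            after = parse_ehlo(reply)
        else:
            after = {}
    return evaluate(before, after)


if __name__ == "__main__":
    findings = probe(*sys.argv[1:2])
    for f in findings:
        print("FAIL:", f)
    print("OK" if not findings else "%d problem(s)" % len(findings))
    sys.exit(1 if findings else 0)
```

Run it as python3 probe.py subdomain.hostname.tld from another host; an exit status of 0 means STARTTLS is offered, AUTH is withheld until the session is encrypted, and PLAIN or LOGIN is available afterwards.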
Some mail servers don't accept email from hosts whose IP address has an invalid or non-existent reverse DNS record. Reverse DNS maps an IP address back to a host name and is maintained by whoever owns the address block, usually the ISP or hosting provider. Contact the provider and ask them to set up a PTR record for the new server (IP -> system mail name). Needless to say, the hostname must also resolve forward to the same IP address, otherwise the reverse record will not be accepted as confirmed.
Sender Policy Framework (SPF) is an email validation system designed to make sender-address forgery harder. It lets the administrator of a domain publish which Internet hosts are allowed to send email claiming to originate from that domain. From our point of view it is a way to look legitimate to receiving mail servers and so keep our email from being marked as spam.
To set up an SPF record you have to edit the DNS records of the sender domain, in our case hostname.tld. Let's presume we want to specify that the servers smtp01.hostname.tld and smtp02.hostname.tld may send email from @hostname.tld. You do this by adding a new TXT record for hostname.tld to the DNS:
v=spf1 a:smtp01.hostname.tld a:smtp02.hostname.tld -all
Each a: mechanism matches when the connecting IP address equals an A record of the named host, and -all tells receivers to fail anything else, so every address that legitimately sends mail for the domain must be listed before you publish the record.
On a multi-homed server the source address of outgoing connections is chosen by the kernel's routing table, not by Postfix, so it may not be the address that smtp01.hostname.tld resolves to. It is better to pin the address in the main Postfix configuration file /etc/postfix/main.cf to avoid later problems with SPF:
# use the IP of smtp01.hostname.tld
smtp_bind_address = 18.104.22.168
Keep the remark on its own line: main.cf only treats # as a comment at the start of a line, so a comment after the value would be read as part of the address.
Note: this setting will cause Amavis (see ZhoubaWiki:HowToSetupSpamFilterAmavis) to reject email from Postfix with:
(!)DENIED ACCESS from IP x.y.z.v, policy bank
Append the following setting to /etc/amavis/conf.d/40-policy_banks to allow messages from the bound interface (replace x.y.z.v with the server IP):
@inet_acl = qw( 127.0.0.1 x.y.z.v [::1] );
Detailed information about SPF can be found... on the internet.
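To make the mechanics of that record concrete, here is a small SPF evaluator, added here as an example and not taken from the page or from any SPF library. It resolves the a: and ip4: mechanisms against a constructed in-memory zone (the smtp01/smtp02 addresses and the second domain are assumptions, using RFC 5737 documentation ranges) and shows that mail leaving from an address other than the one smtp01.hostname.tld resolves to gets a hard fail under -all, which is exactly the problem smtp_bind_address above fixes. It also handles ip4: and ~all, which the record above does not use; a real evaluator must additionally implement mx:, include:, exists:, redirect= and the lookup limits from RFC 7208.

```python
"""Minimal SPF check (added example) covering a:, ip4: and all with qualifiers."""
import ipaddress

# Constructed zone data standing in for live DNS; addresses are documentation
# ranges (RFC 5737) and are assumptions, not the page's real hosts.
ZONE = {
    "TXT": {
        "hostname.tld": ["v=spf1 a:smtp01.hostname.tld a:smtp02.hostname.tld -all"],
        "example.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    },
    "A": {
        "smtp01.hostname.tld": ["203.0.113.10"],
        "smtp02.hostname.tld": ["203.0.113.11"],
        "example.test": ["198.51.100.1"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, zone=ZONE):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip sending as domain."""
    records = [r for r in zone["TXT"].get(domain, [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # RFC 7208: more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"             # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # An IPv6 client is never inside an IPv4 network, so this is False for it.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            target = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in zone["A"].get(target, []))
        else:
            return "permerror"      # mx:, include:, exists:, redirect= not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # nothing matched and no 'all' term present


if __name__ == "__main__":
    for dom, ip in [("hostname.tld", "203.0.113.10"),   # smtp01, the bound address
                    ("hostname.tld", "203.0.113.99"),   # another interface on the box
                    ("example.test", "198.51.100.77"),
                    ("example.test", "203.0.113.5")]:
        print(dom, ip, "->", check_spf(dom, ip))
```

The second line of output is the case smtp_bind_address guards against: the host is legitimately one of the domain's senders, but because the connection left from an address that is not an A record of smtp01 or smtp02, the receiver's verdict is fail, not pass.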
Stripping the 'Received' header
By default Postfix records the IP address of the client that submitted the email in a Received: header. In our case that is the machine where the sendmail script is running. This information can potentially link two Hostname identities together, which is something we want to avoid, so we configure Postfix to strip the Received: headers. The /etc/postfix/main.cf file has to reference the header_checks file as follows:
header_checks = regexp:/etc/postfix/header_checks
Create a new file /etc/postfix/header_checks and add the line below:
/^Received: from/ IGNORE
Be aware that header_checks runs in the cleanup daemon, so this rule also removes Received: headers from any email the server accepts, not only from email it relays out, which makes tracing a message or handling an abuse report much harder. The smtp_header_checks variant described further down only touches outgoing email.
Apply the new configuration by restarting Postfix:
/etc/init.d/postfix restart
This variant is different: instead of removing the Received: header it only replaces the client address in it. As written it rewrites every Received: from header; the pattern can be narrowed to target a specific IP only.
First install Postfix support for Perl-compatible regular expressions (PCRE):
aptitude install postfix-pcre
Create the file /etc/postfix/smtp_headers_checks with the replacement rules. In a pcre table REPLACE substitutes the whole logical header (including folded continuation lines) with the text after REPLACE, where $1 and $2 stand for the parenthesised groups; patterns are case-insensitive by default and . matches newlines, which is what lets $2 carry the by/id/for continuation lines over in the IP-specific rule.
# Rewrite every Received: from header
/^\s*(Received: from)[^\n]/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])
# Pattern for a specific IP: replace SERVER IP with the address to hide (escape the dots)
/^\s*(Received: from)[^\n]*SERVER IP[^\n]*(.*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
# Optional: remove headers that identify the mail client
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE
Keep only one of the two Received: rules: Postfix uses the first rule that matches, so with both present the general one rewrites everything and the IP-specific one never fires. Then point Postfix at the file (smtp_header_checks requires Postfix 2.5 or later, which Ubuntu 8.04 ships) and restart it:
postconf -e 'smtp_header_checks = pcre:/etc/postfix/smtp_headers_checks'
/etc/init.d/postfix restart
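To see what a receiving server actually ends up with, here is an offline simulation of those rules, added as an example and not part of the page: it applies the pcre table semantics (first match wins, IGNORE drops the logical header, REPLACE rewrites it with $1/$2 expanded, case-insensitive, dot matches newline) to a constructed header block. The hidden address 198.51.100.7, the host names and the message headers are all made up for the demonstration.

```python
"""Simulate Postfix pcre header_checks on a header block (added example)."""
import re

# The address of the machine running the sendmail script, i.e. what we want
# to hide. Assumption for the demo, not a real host.
HIDDEN_IP = "198.51.100.7"

# Postfix pcre tables are case-insensitive by default and have the 's' flag on,
# so '.' crosses newlines inside a folded header; re.I | re.S reproduces that.
FLAGS = re.I | re.S
REPLACEMENT = r"\1 [127.0.0.1] (localhost [127.0.0.1])"   # Postfix $1 is \1 in Python

# Variant 1: rewrite every Received: from header.
GLOBAL_RULES = [
    (re.compile(r"^\s*(Received: from)[^\n]", FLAGS), "REPLACE", REPLACEMENT),
]
# Variant 2: only headers mentioning HIDDEN_IP; \2 keeps the folded by/id/for lines.
SPECIFIC_RULES = [
    (re.compile(r"^\s*(Received: from)[^\n]*" + re.escape(HIDDEN_IP) + r"[^\n]*(.*)", FLAGS),
     "REPLACE", REPLACEMENT + r"\2"),
]
# The optional client-identifying headers from the table.
CLIENT_RULES = [(re.compile(r"^\s*" + h, FLAGS), "IGNORE", None)
                for h in ("User-Agent", "X-Enigmail", "X-Mailer", "X-Originating-IP")]


def logical_headers(block):
    """Unfold headers: a line starting with whitespace continues the previous one."""
    out = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += "\n" + line
        else:
            out.append(line)
    return out


def apply_header_checks(block, rules):
    """Apply a pcre-style table: first matching rule wins; IGNORE drops, REPLACE rewrites."""
    kept = []
    for hdr in logical_headers(block):
        for pattern, action, repl in rules:
            m = pattern.search(hdr)
            if m is None:
                continue
            if action == "REPLACE":
                kept.append(m.expand(repl))
            break                       # IGNORE: the header is dropped
        else:
            kept.append(hdr)            # no rule matched: keep as is
    return "\n".join(kept)


def leaks(block, needle):
    """True if the identifying string still appears anywhere in the header block."""
    return needle.lower() in block.lower()


# Constructed sample: what cleanup hands to the smtp client before smtp_header_checks.
SAMPLE = """\
Received: from app01.hostname.tld (app01.hostname.tld [198.51.100.7])
\tby smtp01.hostname.tld (Postfix) with ESMTPSA id 4C2A1B0F3
\tfor <someone@example.org>; Mon, 01 Jan 2024 10:00:00 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
\tby app01.hostname.tld (Postfix) with ESMTP id 7E1D2
From: tester@hostname.tld
To: someone@example.org
Subject: test
X-Mailer: ExampleMailer 1.0
User-Agent: Thunderbird
"""

if __name__ == "__main__":
    for name, rules in (("global", GLOBAL_RULES + CLIENT_RULES),
                        ("specific", SPECIFIC_RULES + CLIENT_RULES)):
        out = apply_header_checks(SAMPLE, rules)
        print("==", name, "== leaks IP:", leaks(out, HIDDEN_IP),
              "leaks hostname:", leaks(out, "app01"))
        print(out, "\n")
```

Compare the two outputs: the global rule leaves no trace of the submitting host but also throws away the by/id lines that let you trace the message on your own side, while the IP-specific rule keeps them yet leaves the second Received: header naming app01.hostname.tld. Check the result for host names as well as addresses before relying on it.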
That's all. Test the new configuration using MX Toolbox.
...and you can now create the SMTP connection in your email client. Here is an example for Thunderbird:
Server Address: hostname (or IP address) of the new mail server
Port: 25 (or 465 if you enabled the smtps service)
User name: tester
Authentication: password
Connection security: STARTTLS
The server only offers the PLAIN and LOGIN mechanisms, which transmit the password as-is, so the protection comes from the STARTTLS session and not from the authentication method; do not select a "secure authentication" option, which asks for mechanisms such as CRAM-MD5 that are not in mech_list. Use the hostname from the certificate's Common Name rather than the bare IP if you want the client to be able to validate the certificate.