How to setup a send-only mail server with TLS and SMTP credentials (postfix, submission, CyrusSASL)

HOWTO.md

Prepare server

• sudo hostnamectl set-hostname example.com
• sudo apt install mailutils postfix
• • Choose "internet site", and type your domain (example.com)

Test postfix

• mail [email protected] -s "Subject"
• You should receive a mail from [email protected]

TLS

Generating certificates

• sudo apt install certbot
• sudo certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d example.com
• • You might need to kill your running webserver (port 80) to complete the challenge in standalone mode

Giving rights to postfix

• sudo chown -R root:postfix /etc/letsencrypt/live/example.com

Postfix config

/etc/postfix/main.cf

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
smtp_use_tls=yes

SPF and DMARC

• SPF: v=spf1 ip4:<your_ipv4> ~all
• DMARC: v=DMARC1;p=none;pct=100;[email protected];sp=none;aspf=r;

DKIM

• https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
• All the check-auth tests should pass (SPF, DKIM, DMARC)

SMTPD

Enable submission

• Uncomment submission's lines in /etc/postfix/master.cf
• change smtpd_sasl_type=dovecot by smtpd_sasl_type=cyrus
• add -o smtpd_sasl_security_options=noanonymous

Install Cyrus SASL

• sudo apt install sasl2-bin
• sudo usermod -aG sasl postfix

Configure SASL

• /etc/default/saslauthd

• • START=yes
• • MECHANISMS="sasldb"
• • OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

• sudo systemctl restart saslauthd

• systemctl status saslauthd

• • Make sure it is running with the /var/spool arguments

Add a user

• sudo saslpasswd2 -c -u example.com user

• • The user does not have to be the user you will send mail with, it is just credentials

• sudo testsaslauthd -u user -p password -f /var/spool/postfix/var/run/saslauthd/mux

• • Add a space before the command to not keep this in your history
• • Note the custom socket path, it is required

Link postfix with Cyrus

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

sudo postfix reload

Final test

• Use https://www.mail-tester.com/ to make sure everything is working properly
• Example code (TS) below, can be ran with npx ts-node test.ts
• Use real data to test your setup or SpamAssassin will not be happy

import nodemailer from "nodemailer";

const smtpEndpoint = "example.com";
const port = 587;
const senderAddress = "My name <[email protected]>";
const smtpUsername = "user";
const smtpPassword = "pass";

const transport = nodemailer.createTransport({
  host: smtpEndpoint,
  port: port,
  secure: false,
  auth: { user: smtpUsername, pass: smtpPassword },
});

transport.sendMail({
  from: senderAddress,
  to: 'your-mail-tester-addr',
  subject: 'A real subject',
  text: "A real body",
})

Additional steps for Outlook/Live

Configure virtual aliases

/etc/postfix/main.cf

virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual

@example.com debian

sudo postmap /etc/postfix/virtual

Sign up to sendersupport

• https://sendersupport.olc.protection.outlook.com/snds/index.aspx
• Claim your IP with [email protected]
• Open your mail on the server with mail and confirm IP's ownership

Useful to debug

• tail -f /var/log/mail.info
• -v in submission parameters (/etc/postfix/master.cf)

Additional resources

• http://www.postfix.org/SASL_README.html#server_cyrus
• https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-18-04