19. Install the mail server

by Cover Tower - Updated October 18, 2021

A complete mail server, or, more formally, a complete ‘electronic mail system’, is made up of 6 components:

1. The SMTP server: this is the server that handles the Simple Mail Transfer Protocol (SMTP) traffic. It is usually referred to as a Mail Transfer Agent (MTA) and its main function is to send emails to external mail servers and to receive emails from external mail servers. Accepted emails are included into the MTA’s queue. The best free and open source SMTP server, in the sense of the one that offers the most while asking for the least, is Postfix.

2. The IMAP and POP3 server: this is the server that allows email clients installed on the users’ computers (like Thunderbird), or web-based email clients (like Roundcube), to access the emails stored on the server and read them. The Internet Message Access Protocol (IMAP) is the protocol that allows the users to download the emails, while the original messages remain on the remote server, while the Post Office Protocol version 3 (POP3) is the protocol that typically downloads the emails to the clients’ computers and then deletes them from the remote server. Usually, the IMAP and POP3 server also acts as a Mail Delivery Agent (MDA) that is invoked by the MTA to fetch the incoming emails from the MTA and save them in the individual mailboxes. The best free and open source IMAP and POP3 server is Dovecot.

3. The antivirus application: the antivirus application is the program that scans all incoming and outgoing emails and their attachments (even compressed attachments) to find viruses and other types of malware. Once it detects a known virus/malware, it either moves the email to quarantine or deletes it. It has to be properly connected to the SMTP server, so that it can scan emails promptly, the very moment they arrive. Apart from real-time scanning of incoming and outgoing emails, the antivirus can be also used to scan periodically or on demand any sensitive directory on the server, such as the directory used to store emails. A virus that wasn’t detected when the email arrived can be detected during periodic scanning after an antivirus automatic update. The best free and open source antivirus application, both for mail servers and for general use on a server is ClamAV.

4. The spam filter application: the spam filter is the program that scans all incoming emails for spam characteristics. If it detects that an incoming email is spam, it marks it as such and the Mail Delivery Agent sends it to the Spam folder. It needs to be properly connected to the SMTP server, that will invoke it whenever an email arrives. The best free and open source spam filter is Apache SpamAssassin.

5. The web-based email accounts management application: this is the program that allows the administrator to add email domains, to add, modify or remove email accounts, to add email aliases, to implement quota limits for email accounts, etc., in an easy to use web interface. The best free and open source application for this purpose is Postfix Admin.

6. The web-based IMAP email client: This is the web application that allows the user to interact with the remote server to read/write/send emails. It is sometimes called a Mail User Agent (MUA). It has to be easy to use, responsive, it has to allow editing emails in HTML or plain text format, it has to allow adding attachments, changing passwords, configuring filters for incoming emails, configuring out-of-office replies, configuring canned emails, etc. The best free and open source application for this purpose is Roundcube.

Of course, some sysadmins will say that the 5th component is optional, because you can add email domains and create email accounts ‘by hand’ editing configuration files directly. However, if you try to do this for a large number of accounts, you will soon understand that the 5th component is actually needed in order to have a usable, complete mail server. The 6th component may also seem optional, since you can connect your locally installed Thunderbird to your remote mail server, and avoid using a web-based email client. Yet, in real life, a web-based email client like Roundcube, proves to be indispensable, since at least occasionally you will want to log in to your email account from different computers or devices that don’t have Thunderbird or an equivalent application installed and configured. So, for a complete mail server, the 6th component is also mandatory.

The Internet is full of truncated, outdated and wrong information about installing a mail server. You will hardly find a single article that mentions all the 6 components listed above, let alone to explain how to install and configure them properly. Following such incomplete, outdated and misleading guides, many beginner sysadmins ran into so many problems that they eventually gave up installing and maintaining their own mail servers. So much so, that even websites that promote software self-hosting, with large collections of do-it-yourself guides, ended up suggesting to their readers that they might not want to install their own mail servers, because it’s … complicated. The truth is that it’s very complicated to install a mail server when you have bad documentation and it’s very easy when you have complete and correct documentation.

To the 6 mandatory components listed above, we’ll also add Postgrey to implement greylisting, a method used to reduce spam, Mailman, to manage classic mailing lists, and phpList, to send mass emails such as newsletters, marketing emails, announcements, etc.

19.1. IP reputation

When maintaining a mail server it’s of utmost importance to have an IP with a good reputation at all times.This means an IP that is not included on any blacklist. Otherwise, many mail servers that will receive emails sent from your IP will reject them or will send them to the Spam/Junk folder.

Generally, when you rent a VPS or a dedicated server, you will be assigned a ‘clean’ IP. However, there is a slight probability that a previous user of that IP sent spam and caused the IP to be included on a public blacklist. This is why the first thing you should do after renting a server is to check its IP against the main public blacklists, by using this online tool: https://mxtoolbox.com/blacklists.aspx

If you find that the IP of your newly rented server has been included on a public blacklist, you can contact the maintainers of that blacklist (whose contact details you can find on the official web page of the blacklist) and ask that they delist your IP, since you are the new user of that IP and you are not responsible for what the previous users have done using that IP. If they refuse, the next step is to contact the hosting provider of your VPS or dedicated server, explain the situation and ask them to contact the blacklist maintainers and require that they delist the IP. This is almost guaranteed that it will work. If it doesn’t, the last method is to ask the hosting provider to assign you a different IP, since you want to install a mail server and you can’t risk having your emails rejected because the previous users of that IP sent spam and the IP was listed on a public blacklist.

You can also check if the IP has been reported for malicious activities, on https://www.abuseipdb.com/ . If you find that your IP has been reported, you can take the same steps mentioned above, to try to delist the IP.

There is also the possibility that after you install your mail server and start using it, some blacklist maintainers will include your IP on their public blacklist. If they do it because you sent real spam emails becuase you didn’t know what qualified as spam, you can contact them, explain the situation and ask that they delist your IP, since you now know what qulifies as spam and you changed your email sending policy. If they do it because your mail server has been used as a relay by real spammers, you have to investigate the breach, recheck all the mail server configurations, fix the problem, make sure that no unauthorized person can use your mail server again, then contact the blacklist maintainers and explain that the server has been reconfigured and the problem fixed. This is why you have to closely follow the instructions from this guide in order to configure a secure mail server and prevent any attackers to access it.

In fact, from all the components that one might install on a VPS or dedicated server, the mail server will receive the greatest number of attacks, mostly those recorded in logs as ‘postfix-sasl authentication failure’. This means that the attackers will try to log in to the Postfix server in order to send their spam.

It can also happen that the maintainers of a public blacklist include in their blacklist a whole range of IPs, just because they noticed that some spammers used the ‘snowshoe spamming’ method. You may find that your own IP has been included on the public blacklist just because it was part of the IP range considered suspicious by the blacklist maintainers. In this situation, to delist your IP, you should contact the company that hosts your server, explain the situation and ask them to contact the blacklist maintainers and ask for delisting.

The idea is to always keep an eye on the server’s IP reputation. If the IP is included on a blacklist, this will seriously impact your email deliverability.

19.1.1. Spam definition

The best definition of spam is probably the definition given by spamhaus.org here. We reproduce it below.

Spam is generally understood to be Unsolicited Bulk E-mail (UBE).

  • Unsolicited: the recipient has not granted verifiable permission for the message to be sent.
  • Bulk: the message is sent as part of a larger collection of messages with identical content.”

Therefore, to avoid sending spam, you should make sure that when you send mass emails (one email is sent to tens, hundreads, or thousands of recipients at once) you have the explicit approval of the recipients to receive emails from you. For this, it’s necessary to make each potential recipient explicitly opt-in to your newsletter/mass emailing service. You can also use a double opt-in method, by asking the users to enter their email address in a form or check the option to subscribe to your newsletter/emailing service, and then send them an email and ask them to reconfirm their subscription by clicking a link or a button included in the email. Also, each email that is sent to a list of subscribers has to contain the unsubscribe link at the bottom, so that every receiver can have their email address removed from the mailing list at any moment.

If you live in the US or the recipients of your emails live in the US, your emails must comply with the CAN-SPAM Act. For an introduction to CAN-SPAM, CASL (Canadian Anti-Spam Law) and the European Union’s GDPR (General Data Protection Regulation) see this article.

19.2. Mail server ports

A mail server requires that you have the following ports open in your firewall:

  • 25 (SMTP)
  • 110 (POP3)
  • 143 (IMAP)
  • 465 (SMTPS)
  • 587(STARTTLS over SMTP)
  • 993 (IMAPS)
  • 995 (POP3S)

You can open the port for SMTP by running:

ufw allow 25

Open all the ports mentioned above in a similar manner.

In order to use the web-based email client, you will also need to have ports 80 and 443 opened, but you already opened them when configuring Nginx.

After opening the necessary ports, the next step is to configure the /etc/hosts and the /etc/hostname files. Since you already did this at the beginning, you can go to the next steps described below.

19.3. Set default timezone for PHP time functions

In order to see the correct time associated with the sent/received emails in your web-based email client, you have to set the correct timezone in the /etc/php/7.3/fpm/php.ini file. Open this file:

nano /etc/php/7.3/fpm/php.ini

Change the date.timezone directive in /etc/php/7.3/fpm/php.ini, to look like this:

date.timezone = Europe/London

where Europe/London is the timezone your server belongs to. If you live in a different timezone than that of your server and you consider that your location’s timezone is more appropriate to use, you can set it instead of the server’s timezone but don’t forget to also change the server’s clock to match your location’s timezone, as described in the Adjust the server’s clock, if needed chapter. For a complete list of date.timezone options, please see this official PHP documentation page.

19.4. Create a new database and user for the mail server

Log in to phpMyAdmin and create a new database called mail and a new user with the same name, on localhost. Enter a strong password for the user mail and copy it somewhere safe, to use it later. Then give user mail all the privileges over the mail database, except ‘grant’, which is not necessary.

19.5. Create a user to handle virtual mail directories

The mail server will use special ‘virtual’ users, which are not regular users or system users. The emails will be stored in subdirectories of the /var/vmail directory, per domain and per email account. For example, admin@example.com will have the mail directory /var/vmail/example.com/admin. All of these mail directories will be owned by a single user called vmail, and the IMAP server, Dovecot, will use the vmail user to create and update the mail files.

First create the vmail directory:

cd /var
mkdir vmail

Then create the vmail user:

useradd -u 5000 -d /var/vmail -s /bin/false vmail

The meaning of the options used above is the following:

-u 5000: set 5000 as the user id (UID)

-d /var/vmail: set /var/vmail as home directory for the vmail user

-s /bin/false: add a user without shell access

When creating a new user without specifying the group name or the group id, the default behavior is to create a group with the same name as the username, and the same group id (GID) as the user id (UID). Thus, the command from above will create the vmail user with 5000 as UID, and the vmail group with 5000 as GID.

Change ownership for the /var/vmail directory:

chown vmail:vmail /var/vmail

19.6. Install Postfix

To install Postfix run:

apt-get install postfix postfix-mysql

When Postfix installation begins, you will be asked to choose a general type of mail configuration:

Select Internet site, then press Enter.

In the next screen you will be asked to enter the ‘system mail name’. This should be the domain appended to email addresses that don’t have a domain name specified. To allow other applications, like Mailman, to function properly, you should enter here the fully qualified domain name (FQDN) of your server (mail.example.com). So the ‘system mail name’ will be mail.example.com, where example.com is the main domain hosted on your server. Enter mail.example.com and press Enter. You can change the ‘system mail name’ later by manually editing the /etc/mailname file.

The Postfix server will be installed and automatically started. To check the Postfix version run:

postconf mail_version

The output will look like this:

mail_version = 3.4.14

It can happen that port 25, as well as 465 and 587, are blocked by your hosting provider, usually for outgoing traffic only, in order to prevent spam. In fact, as we mentioned at the beginning of this guide, you should check if the provider blocks these ports before renting the VPS or dedicated server. In general, even if they block these ports, the hosting providers are willing to unblock them after you open a support ticket and explain that you intend to host a mail server that needs those ports open and that you intend to send only legitimate emails that comply with all the anti-spam regulations. Here is an example of a hosting provider explaining what to do, to have those ports unblocked.

If you are not sure whether your hosting provider blocks port 25 for outgoing traffic, you can run:

telnet smtp.mail.com 25

If the port is open, the output will look like this:

Trying 74.208.5.15...
Connected to smtp.mail.com.
Escape character is '^]'.
220 mail.com (mrgmxus005) Nemesis ESMTP Service ready

If the port is blocked, the output will look like this:

Trying 74.208.5.15...
telnet: Unable to connect to remote host: Connection timed out

(To end a Telnet session write quit, then press Enter.)

19.7. Configure Postfix

Navigate to /etc/postfix:

cd /etc/postfix

Create the following files with the following content in /etc/postfix (replace as6d516a51df6asdf with the actual password of the user mail, that you set up earlier):

nano mysql-sender-login-maps.cf
hosts = localhost
user = mail
password = as6d516a51df6asdf
dbname = mail
query = SELECT username AS allowedUser FROM mailbox WHERE username="%s" AND active = 1 UNION SELECT goto FROM alias WHERE address="%s" AND active = 1
nano mysql-virtual-alias-maps.cf
hosts = localhost
user = mail
password = as6d516a51df6asdf
dbname = mail
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
nano mysql-virtual-domains-maps.cf
hosts = localhost
user = mail
password = as6d516a51df6asdf
dbname = mail
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'
nano mysql-virtual-mailbox-maps.cf
hosts = localhost
user = mail
password = as6d516a51df6asdf
dbname = mail
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

Change permissions as follows:

chmod 640 /etc/postfix/mysql-*

19.7.1. Edit main.cf

Make a copy of the original /etc/postfix/main.cf file:

cd /etc/postfix
cp main.cf main.cf_orig

Then delete all the content inside main.cf and open it for editing:

cat /dev/null > main.cf
nano main.cf

Add the following content replacing the values in red with your own values. Some parameters that are commented out for the moment will be enabled later on, when you’ll install additional applications to which those parameters refer:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.

compatibility_level=2

inet_protocols = ipv4, ipv6

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/cert.pem
smtpd_tls_CAfile=/etc/letsencrypt/live/mail.example.com/fullchain.pem

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may

smtp_tls_security_level = may
smtpd_tls_loglevel = 2

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
#relayhost =

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
message_size_limit = 62914560
recipient_delimiter = +
inet_interfaces = all

# a bit more spam protection
disable_vrfy_command = yes

# Auth
# Allow plaintext mechanisms, but only over a TLS-encrypted connection
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth_dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-sender-login-maps.cf

#mailman
#relay_domains = mailman.example.com
#relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
#transport_maps = hash:/etc/postfix/transport
#mailman_destination_recipient_limit = 1

# Virtual mailboxes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf
#virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
#                     hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual-domains-maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:unix:private/dovecot-lmtp
local_transport = virtual
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

milter_protocol = 2
milter_default_action = accept

#policyd-spf_time_limit = 3600

smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

#authorized_submit_users = !sshusername, !ftpusername, vmail, root, www-data, asterisk

smtpd_recipient_restrictions =
#   check_client_access hash:/etc/postfix/client_checks,
   reject_sender_login_mismatch,
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_unknown_recipient_domain,
   reject_unknown_sender_domain,
   reject_unauth_destination,
   reject_unauth_pipelining,
   reject_unknown_reverse_client_hostname,
   check_policy_service unix:private/policyd-spf,
   reject_rbl_client zen.spamhaus.org,
#   check_policy_service inet:localhost:60000,
   permit

smtpd_relay_restrictions =
   reject_invalid_hostname,
   reject_unknown_recipient_domain,
   reject_unauth_pipelining,
   permit_mynetworks, permit_sasl_authenticated,
   reject_unauth_destination,
   permit

header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/header_checks

Replace example.com with the main domain hosted on your server. Replace sshusername with your SSH user and ftpusername with your FTP user. They won’t be allowed to send emails because they don’t need to.

Please note that the message_size_limit = 62914560 directive sets a maximum size limit of 62914560 bytes (75MB) to any email (email text plus the attachments). This doesn’t mean that you can send emails up to 75MB in size to other email providers. Unfortunately, many mail servers have a maximum attachment size limit of 25MB, while others have a limit of 50MB. So, to avoid the situation in which the emails sent from your server get rejected by other mail servers because of their size, it’s recommended to keep the size of all your attachments below 25MB, or 50MB if you know that the recipient’s email provider accepts attachments of up to 50MB.

Next, create the /etc/postfix/header_checks file, to remove some sensitive information from the header of outgoing emails:

nano /etc/postfix/header_checks

Add the following content inside this file:

/^Received:/                IGNORE
/^X-Originating-IP:/        IGNORE
/^X-Mailer:/                IGNORE
/^User-Agent:/              IGNORE
/^X-Spam-Status:/           IGNORE
/^X-Spam-Checker-Version:/  IGNORE

Then use the postmap command to create the Postfix lookup table file for the header_checks file:

postmap header_checks

The lines included in the /etc/postfix/header_checks file are meant to prevent the mail server to include certain information in the header of emails, to increase security.

Then restart Postfix:

systemctl restart postfix

The authorized_submit_users = !sshusername, !ftpusername, vmail, root, www-data, asterisk directive allows the vmail, root, www-data and asterisk users to send emails by running PHP scripts containing the mail() function; it also allows them to send emails in command line by running commands like:

echo -e "Subject: Testing \n\n Hello! This is the body of the email." | /usr/sbin/sendmail contact@domain.com

It also denies the right to send emails for the sshusername and ftpusername users.

‘phpList’, that we’ll describe later, won’t be configured to use the PHP mail() function. It will use the PHPMailer class which it includes, to connect by TLS on port 587 to the SMTP server which is Postfix. Therefore, it won’t need to send emails using the mail() function. Nevertheless, many WordPress plugins, such as various contact forms, need to send emails using the mail() function, as the www-data user. So, the www-data user has to be allowed to send emails in the authorized_submit_users parameter.

If you have other users that you want to prevent from sending emails from the server in command line or using the mail() function, just add them like this:

authorized_submit_users = !sshusername, !ftpusername, !user1, !user2, vmail, root, www-data, asterisk

The user root is allowed to send emails because ‘System Health and Security Probe’ needs this to send periodic email reports to the system administrator, as we’ll show later. The vmail user is allowed to send emails because Roundcube’s auto-responder needs this to send ‘out of office’ replies. The user asterisk is allowed to send emails because Asterisk needs it in order to send voicemail messages.

19.7.2. Edit master.cf

Next, make a copy of the original /etc/postfix/master.cf file:

cp /etc/postfix/master.cf /etc/postfix/master.cf_orig

Delete all the content in /etc/postfix/master.cf:

cat /dev/null > /etc/postfix/master.cf

Open /etc/postfix/master.cf:

nano /etc/postfix/master.cf

Add the following content inside this file. Please note that some lines that have been commented out will be enabled later, when we’ll install additional software:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
# -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

#dovecot   unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail:vmail argv=/usr/bin/spamc -u debian-spamd -e /usr/lib/dovecot/deliver -d ${recipient}

#policyd-spf  unix  -       n       n       -       0       spawn
#    user=policyd-spf argv=/usr/bin/policyd-spf

#mailman unix  -       n       n       -       -       pipe
#  flags=FR user=list:list argv=/var/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${recipient}

Change ownership for all the files and directories inside the /etc/postfix directory like this:

chown -R root:postfix /etc/postfix/*

Check Postfix configuration:

postfix check

If you see this warning:

postfix/postfix-script: warning: symlink leaves directory: /etc/postfix/./makedefs.out

you can safely ignore it, because it is harmless. It just mentions that /etc/postfix/makedefs.out is a symlink that points to a directory outside of the /etc/postfix directory, namely /usr/share/postfix/makedefs.out

Please note that at this point, Postfix is not ready to send test emails.

19.8. Configure Fail2ban to protect Postfix against brute-force attacks

To configure Fail2ban to protect Postfix against brute-force attacks open the /etc/fail2ban/jail.local file:

nano /etc/fail2ban/jail.local

Search for the [postfix] block, comment out all the lines in this block and add other lines, as follows:

[postfix]
# To use another modes set filter parameter "mode" in jail.local:
#mode    = more
#port    = smtp,465,submission
#logpath = %(postfix_log)s
#backend = %(postfix_backend)s

enabled  = true
port     = 25,465,submission
filter   = postfix
logpath  = /var/log/mail.log
findtime = 10800
maxretry  = 4
bantime = 2419200

Then search for the [postfix-sasl] block, comment out all the lines in this block and add other lines, as follows:

[postfix-sasl]
#filter   = postfix[mode=auth]
#port     = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
#logpath  = %(postfix_log)s
#backend  = %(postfix_backend)s

enabled   = true
port      = 25,465,143,993,110,995,submission
filter    = postfix-sasl
logpath   = /var/log/mail.log
#logpath   = /var/log/mail.warn
findtime = 10800
maxretry  = 2
bantime = 604800

Please note that you have to edit the /etc/fail2ban/filter.d/postfix-sasl.conf file, to make Fail2ban recognize all the attacks against the postfix-sasl jail:

nano /etc/fail2ban/filter.d/postfix-sasl.conf

Edit this file to make it look like this:

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = warning: [-._\w]+\[<HOST>\]: SASL LOGIN authentication failed
            warning: unknown\[<HOST>\]: SASL PLAIN authentication failed
            RCPT from unknown\[<HOST>\]: .* Relay access denied
            ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
            warning: hostname .* does not resolve to address\[<HOST>\]: Name or service not known
ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Yaroslav Halchenko

Reload Fail2ban:

systemctl reload fail2ban

19.9. Install Dovecot

To install Dovecot run:

apt-get install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql

19.9.1. Configure Dovecot

Make a copy of the /etc/dovecot/dovecot.conf file:

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf_orig

Empty dovecot.conf:

cat /dev/null > /etc/dovecot/dovecot.conf

Edit dovecot.conf:

nano /etc/dovecot/dovecot.conf

Add the following content inside this file:

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

listen = *,[::]

log_path = /var/log/dovecot.log
auth_mechanisms = cram-md5
disable_plaintext_auth = yes

log_timestamp = "%Y-%m-%d %H:%M:%S "

passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}

protocols = imap pop3 lmtp sieve

service auth {
  unix_listener /var/spool/postfix/private/auth_dovecot {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    mode = 0600
    user = vmail
  }
  user = root
}

ssl = required
ssl_min_protocol = TLSv1.2
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </etc/dovecot/dh.pem

# Default SSL certificate and private key
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
ssl_cert = </etc/letsencrypt/live/mail.example.com/cert.pem

userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}

protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  pop3_client_workarounds = oe-ns-eoh
}

protocol lda {
  postmaster_address = admin@example.com
  mail_plugins = $mail_plugins sieve
  mail_location = maildir:/var/vmail/%d/%n/
  mail_home = /var/vmail/%d/%n/
}

protocol lmtp {
  postmaster_address = admin@example.com
  mail_plugins = $mail_plugins sieve
  log_path = /var/log/dovecot-lmtp-errors.log
  mail_location = maildir:/var/vmail/%d/%n/
  mail_home = /var/vmail/%d/%n/
}

plugin {
  mail_home = /var/vmail/%d/%n/
  sieve = /var/vmail/%d/%n/dovecot.sieve
  sieve_dir = /var/vmail/%d/%n/
  sieve_after = /etc/dovecot/conf.d/custom-sieves/global_after.sieve
}

# Sieve configuration
protocol sieve {
  managesieve_implementation_string = dovecot
  log_path = /var/log/dovecot-sieve-errors.log
}

service managesieve-login {
  inet_listener sieve {
      port = 4190
  }
}

!include conf.d/*.conf
!include_try local.conf

Replace example.com with the main domain hosted on your server.

Install the haveged package to increase the amount of available entropy of your server, which will be necessary when generating the Diffie-Hellman Parameters with openssl:

apt-get install haveged

Before generating the Diffie-Hellman Parameters, you can check the available entropy by running:

cat /proc/sys/kernel/random/entropy_avail

The entropy level should be above 2000 in order to allow rapid generation of random numbers. If it’s below 2000, you can perform various activities on the server, that would increase the entropy, like running the apt-get update, apt-get dist-upgrade or htop commands.

If the entropy level is above 2000, generate the Diffie-Hellman Parameters file by running:

openssl dhparam -out /etc/dovecot/dh.pem 4096

The process of generating the dh.pem file with the command from above can take even 45 minutes on a server with 1 CPU core, and 2 GB of RAM.

Since we included the ssl directives (ssl, ssl_min_protocol, ssl_client_ca_dir, ssl_dh, ssl_key, ssl_cert) in this main configuration file, there is no need to include them again in the /etc/dovecot/conf.d/10-ssl.conf file. So, first make a copy of this file:

cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf_orig

Then open the file for editing:

nano /etc/dovecot/conf.d/10-ssl.conf

Comment out all the parameters that are not commented out in this file.

Since we specified auth_mechanisms = cram-md5 in the /etc/dovecot/dovecot.conf configuration file, there is no need to specify it in /etc/dovecot/conf.d/10-auth.conf, so, first make a copy of this file:

cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf_orig

Open the file for editing:

nano /etc/dovecot/conf.d/10-auth.conf

Comment out the auth_mechanisms parameter, to make it look like this:

#auth_mechanisms = plain

The only uncommented line in this file should be:

!include auth-system.conf.ext

Since we mentioned mail_location = maildir:/var/vmail/%d/%n/ in the /etc/dovecot/dovecot.conf file, we need to comment out the mail_location parameter in the /etc/dovecot/conf.d/10-mail.conf file. First make a copy of the original file:

cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf_orig

Then open the file for editing:

nano /etc/dovecot/conf.d/10-mail.conf

Comment out the mail_location line to make it look like this:

#mail_location = mbox:~/mail:INBOX=/var/mail/%u

Also, edit the mail_privileged_group parameter, to mke it look like this:

mail_privileged_group = vmail

Ths file should also contain the following lines:

namespace inbox {
  inbox = yes
}

Also, since we entered the sieve configuration settings in the /etc/dovecot/dovecot.conf file, we have to comment out the corresponding configuration lines that exist by default in the
/etc/dovecot/conf.d/90-sieve.conf file. First make a copy of the original file:

cp /etc/dovecot/conf.d/90-sieve.conf /etc/dovecot/conf.d/90-sieve.conf_orig

Then open the file:

nano /etc/dovecot/conf.d/90-sieve.conf

Comment out the following three lines, like this:

#plugin {
....

#  sieve = file:~/sieve;active=~/.dovecot.sieve
....

#}

All the lines in /etc/dovecot/conf.d/90-sieve.conf should be commented out.

Next, make a copy of the /etc/dovecot/conf.d/10-master.conf file:

cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf_orig

Open the /etc/dovecot/conf.d/10-master.conf file:

nano /etc/dovecot/conf.d/10-master.conf

It should have the following content (pay attention to the lines in blue):

#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1
  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
     port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

#service submission-login {
#  inet_listener submission {
    #port = 587
#  }
#}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    #mode = 0666
    user = postfix
    group = postfix
    mode = 0600
  }
  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}
service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}
service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

#service submission {
  # Max. number of SMTP Submission processes (connections)
  #process_limit = 1024
#}

#service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
#  unix_listener auth-userdb {
#    mode = 0666
#    user = 
#    group = 
#  }


  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  #user = $default_internal_user
#}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
  user = vmail
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
    user = vmail
  }
}

Next, navigate to /etc/dovecot:

cd /etc/dovecot

Create a file called dovecot-mysql.conf:

nano dovecot-mysql.conf

Add the following content inside this file:

driver = mysql
connect = host=localhost dbname=mail user=mail password=as6d516a51df6asdf
default_pass_scheme = CRAM-MD5
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT CONCAT('maildir:/var/vmail/',maildir) AS mail, 5000 AS uid, 5000 AS gid FROM mailbox WHERE username = '%u'

Replace as6d516a51df6asdf with the actual password of the user mail, that you set up earlier.

Change ownership and permissions:

chown root:vmail dovecot-mysql.conf
chmod 640 dovecot-mysql.conf

You will also have to add the user www-data to the group dovecot, so that www-data has read and write access to the /run/dovecot/stats-writer file, which is necessary for Postfix Admin:

adduser www-data dovecot

19.9.2. Configure Fail2ban to protect Dovecot against brute-force attacks

To configure Fail2ban to protect Dovecot against brute-force attacks open the /etc/fail2ban/jail.local file:

nano /etc/fail2ban/jail.local

Search for the [dovecot] block, comment out all the lines in this block and add other lines, as follows:

[dovecot]
#port    = pop3,pop3s,imap,imaps,submission,465,sieve
#logpath = %(dovecot_log)s
#backend = %(dovecot_backend)s

enabled = true
port    = 465,143,993,110,995,submission,sieve
filter  = dovecot
logpath = /var/log/mail.log
maxretry = 5
bantime = 604800

Reload Fail2ban:

systemctl reload fail2ban

19.9.3. Configure logrotate to rotate Dovecot logs

Create a new file called dovecot inside the /etc/logrotate.d directory:

nano /etc/logrotate.d/dovecot

Add the following content inside this file:

/var/log/dovecot*.log {
  missingok
  rotate 4
  compress
  notifempty
  delaycompress
  size 2M
  sharedscripts
  postrotate
    /bin/kill -USR1 `cat /var/run/dovecot/master.pid 2>/dev/null` 2> /dev/null || true
  endscript
}

Before restarting Dovecot, you will have to install a few more packages, as described below.

19.9.4. Set up Sieve Mail Filtering

Install the dovecot-sieve and dovecot-managesieved packages:

apt-get install dovecot-sieve dovecot-managesieved

Please note that installing dovecot-sieve without SpamAssassin is not enough to enable Dovecot spam filtering. Only after installing SpamAssassin, as we describe further down below, the spam filtering functionality will work.

The dovecot-sieve plugin has many other uses apart from spam filtering. It can be used to set up custom filters, so that incoming emails will go to certain folders, if they contain specific words in the Subject line, in the email body, etc.

19.9.4.1. Add global rules for sieve filtering

When you will install Roundcube, each user will be able to add their personal custom filter rules in the ‘Settings’ > ‘Filters’ section of their account. However, you will need to add global sieve filter rules that will apply to all mailboxes, in addition to the individual custom rules. We’ll describe below how to add a global rule for spam filtering, so that after you install SpamAssassin, all the incoming emails recognized as spam will be sent to the ‘Junk’ folder.

Create the global sieve rules directory and switch to it:

mkdir /etc/dovecot/conf.d/custom-sieves
cd /etc/dovecot/conf.d/custom-sieves

Create the global sieve rules file:

nano global_after.sieve

Add the following content inside this file:

require ["fileinto"];
if allof (header :contains "X-Spam-Flag" "YES")
{
        fileinto "Junk";
}

This rule sends spam emails to the ‘Junk’ folder automatically, when the X-Spam-Flag header contains the string YES . The X-Spam-Flag header will be added by SpamAssassin to each incoming email.

Compile sieve rules by running:

sievec global_after.sieve

This command will create the compiled file global_after.svbin.

Verify again that in the /etc/dovecot/dovecot.conf file, in the plugin block, you have included the sieve_after parameter, as follows:

plugin {
  mail_home = /var/vmail/%d/%n/
  sieve = /var/vmail/%d/%n/dovecot.sieve
  sieve_dir = /var/vmail/%d/%n/
  sieve_after = /etc/dovecot/conf.d/custom-sieves/global_after.sieve
}

To be able to create custom filters using the web interface, you will need to install Roundcube and the managesieve Roundcube plugin, as we describe further down below.

Finally, you can restart Dovecot for all the configuration changes to take effect:

systemctl restart dovecot

You can test if Dovecot sieve is working by running:

telnet localhost 4190

The output should be similar to this:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
"IMPLEMENTATION" "dovecot"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
"NOTIFY" "mailto"
"SASL" "CRAM-MD5"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot (Debian) ready."

To end the telnet session write quit, then press Enter.

19.10. Install Postfix Admin

As mentioned above, Postfix Admin is needed to manage email domains, email addresses, aliases, user quota etc., in a time-effective manner. You can find the latest release of Postfix Admin on the official GitHub Releases page. If you right-click on the zip archive of the latest version and choose ‘Copy Link Location’, you can copy the URL of the archive to clipboard.

First download the archive of the latest version to the /tmp directory, uncompress it, move it into a subdirectory of the /var/www directory and change ownership and permissions for all its files and folders, as follows:

cd /tmp
wget https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.2.4.zip

unzip postfixadmin-3.2.4.zip
rm postfixadmin-3.2.4.zip
mv postfixadmin-postfixadmin-3.2.4 /var/www/net-pstfxdmn

Replace 3.2.4 with your version number. Replace net-pstfxdmn with a custom name, that will be also the name of the Postfix Admin login page. Choose a name that is easy to remember for you, but difficult to guess for an attacker. Definitely something different than postfixadmin, or postfixadmin-login, etc. Change ownership and permissions for Postfix Admin files and directories:

chown -R www-data:www-data /var/www/net-pstfxdmn
find /var/www/net-pstfxdmn -type d -exec chmod 750 {} +
find /var/www/net-pstfxdmn -type f -exec chmod 640 {} +

Next create the directory templates_c inside /var/www/net-pstfxdmn and set the right permissions and ownership, otherwise accessing the setup page will generate an error:

cd /var/www/net-pstfxdmn
mkdir templates_c
chown -R www-data:www-data templates_c
chmod 750 templates_c

Then copy the config.inc.php file to config.local.php and change ownership and permissions:

cp config.inc.php config.local.php
chown www-data:www-data config.local.php
chmod 640 config.local.php

Open the config.local.php file for editing:

nano config.local.php

Search for the following line:

// error message from $PALANG (see languages/*) will be displayed.

Remove the * sign after languages/, because it will cause a big portion of the lines that follow, to be considered as PHP comments, which is not the case. Then, set the following directives as follows, replacing example.com with the main domain hosted on your server and as6d516a51df6asdf with the actual password of the user mail, that you set up earlier:

$CONF['configured'] = true;
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'mail';
$CONF['database_password'] = 'as6d516a51df6asdf';
$CONF['database_name'] = 'mail';
$CONF['admin_email'] = 'admin@example.com';
$CONF['smtp_server'] = 'mail.example.com';
$CONF['smtp_client'] = 'mail.example.com';
$CONF['encrypt'] = 'dovecot:CRAM-MD5';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw";

Comment out the following lines:

//if(@file_exists('/usr/bin/doveadm')) { // @ to silence openbase_dir stuff; see https://github.com/postfixadmin/postfixadmin/issues/171
//    $CONF['dovecotpw'] = "/usr/bin/doveadm pw"; # debian
//}

Also, set up the following parameters like this:

$CONF['default_aliases'] = array (
    'abuse' => 'admin@example.com',
    'hostmaster' => 'admin@example.com',
    'postmaster' => 'admin@example.com',
    'webmaster' => 'admin@example.com'
);

$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['maildir_name_hook'] = 'NO';
$CONF['footer_text'] = 'Return to mail.example.com';
$CONF['footer_link'] = 'https://mail.example.com';

19.10.1. Configure Nginx for Postfix Admin

Open the /etc/nginx/sites-enabled/0-conf file for editing:

nano /etc/nginx/sites-enabled/0-conf

Add the following block inside the server block for mail.example.com, right below the block for phpMyAdmin (location /net-mrdblog { }):

    location /net-pstfxdmn {
        root /var/www;
        index index.php setup.php;
        auth_basic 'Restricted';
        auth_basic_user_file /etc/nginx/htpass/postfixadmin;
        location ~ ^/net-pstfxdmn/(.+.php)$ {
                       fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
                       fastcgi_param HTTPS on;
                       fastcgi_index index.php;
                       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                       include /etc/nginx/fastcgi_params;
        }
    }

Replace net-pstfxdmn with your custom name for the Postfix Admin login page. Don’t forget to create the password file for HTTP authentication in order to restrict access to the login page. If you want to allow the user verner to access the Postfix Admin login page, run:

htpasswd -c /etc/nginx/htpass/postfixadmin verner

Change ownership and permissions for the new password file:

chown www-data:root /etc/nginx/htpass/postfixadmin
chmod 400 /etc/nginx/htpass/postfixadmin

Reload Nginx:

systemctl reload nginx

Next open up a web browser and access:

https://mail.example.com/net-pstfxdmn/public/setup.php

Replace example.com with your main domain and net-pstfxdmn with your custom Postfix Admin login page.

You will see a screen similar to this:

In the ‘Setup password’ field enter a setup password, enter it again in the ‘Setup password (again)’ field, copy it somewhere safe to use it later (you will also need it when upgrading Postfix Admin), then click on ‘Generate setup_password hash’.

A hash will be generated and displayed below the ‘Generate setup_password hash’ button, like this:

Copy the long string between quotes to the clipboard.

Open the config.local.php file:

nano /var/www/net-pstfxdmn/config.local.php

Search for $CONF['setup_password'] and add the hash that you copied earlier to it like this:

$CONF['setup_password'] = '$2y$10$Fafxog0Lt7KAIdd0H.BhiOeNFjBQq7uaPFc1xwyRtkj1zpJeKCmZa';

Return to the setup page and refresh the page. The setup script will perform some checks and will update the database, as seen below:

In the ‘Setup password’ field enter the setup password that you used earlier, in the ‘Admin’ field enter the superadmin’s email address, usually admin@example.com, in the ‘Password’ and ‘Password (again)’ fields enter a password for the superadmin, then click ‘Add Admin’.

From now on, you can log in to Postfix Admin with the superadmin email address and password that you have just set up, at:

https://mail.example.com/net-pstfxdmn/public

After logging in, you will see the following screen:

You can use Postfix Admin to:

add new email domains: ‘Domain List’ > ‘Add Domain’ > in the ‘Domain’ field enter the new domain, (Eg.: example.com), you can set ‘Aliases’ and ‘Mailboxes’ to 0 for unlimited aliases and mailboxes, you can leave everything else as it is, then click ‘Add Domain’.

add mailboxes to each domain: ‘Virtual List’ > ‘Add Mailbox’ > in the ‘Username’ field enter the part before @ of the new mailbox/email address, below the ‘Username’ field select the domain to which the new mailbox/email address will belong, in the ‘Password’ and ‘Password (again)’ fields enter the new password, you can leave the ‘Name’ field empty, you can also leave the ‘Quota’ field empty to assign unlimited storage space to the new mailbox, then click ‘Add Mailbox’.

add aliases for any email address: ‘Domain List’ > click on a domain > click on the ‘Add Alias’ button > in the ‘Alias’ field enter the part before @ of the new alias, in the ‘To’ field enter the complete email address to which the chosen alias is assigned (you can enter multiple email addresses, one per line), leave ‘Active’ checked, then click ‘Add Alias’. For example, if you have configured info@example.com as alias of office@example.com, all the emails sent to info@example.com will go to office@example.com.

After you first log in to Postfix Admin, you should add root@mail.example.com as alias of the main admin email address, usually admin@example.com, so that when an application installed on the server will send a notification email to the default root@mail.example.com, the email will reach admin@example.com. (To add root@mail.example.com as an alias of admin@example.com you should first add mail.example.com as a new domain, in ‘Domain List’ > ‘New Domain’.)

Also, add the mailbox admin@example.com as a new mailbox for the example.com domain. Add other necessary mailboxes for your domain(s): info@example.com, sales@example.com, support@example.com, etc.

After the installation, it’s a good idea to delete the setup.php file, although in the new Postfix Admin versions it’s not really necessary:

cd /var/www/net-pstfxdmn/public
rm setup.php

19.10.2. Move the configuration file outside the web root

To increase security, copy the config.local.php file to the /srv/scripts directory:

cp /var/www/net-pstfxdmn/config.local.php /srv/scripts/postfixadmin.php

Replace the content of the /var/www/net-pstfxdmn/config.local.php file like this:

cd /var/www/net-pstfxdmn
cat /dev/null > config.local.php
nano config.local.php

Add the following line inside this file:

<?php include(‘/srv/scripts/postfixadmin.php’); ?>

Change ownership and permissions for the /srv/scripts/postfixadmin.php file:

cd /srv/scripts
chown www-data:root postfixadmin.php
chmod 400 postfixadmin.php

19.10.3. Configure Fail2ban to protect Postfix Admin against brute-force attacks

Navigate to the /etc/fail2ban/filter.d directory:

cd /etc/fail2ban/filter.d

Create a new filter file for Postfix Admin:

nano postfixadmin.conf

Add the following content in this file:

[Definition]

failregex =  ^<HOST> .* \"POST /net-pstfxdmn/login.php HTTP/2.0\" 200 15.*$
             ^<HOST> .* \"GET /net-pstfxdmn HTTP/2.0\" 401 195 .*$
ignoreregex =

Replace net-pstfxdmn with your custom name of the Postfix Admin login page. The second line identifies the failed log in attempts against the HTTP authentication window, which is displayed right before loading the Postfix Admin login page, and can be also subject to brute-force attacks. Next, open the /etc/fail2ban/jail.local file:

nano /etc/fail2ban/jail.local

Add the following block above the [phpmyadmin] block:

[postfixadmin]
enabled  = true
filter   = postfixadmin
logpath  = /var/log/sites/mail.example.com/access.log           
port     = 80,443
findtime = 3600
maxretry = 4
bantime = 604800

Replace example.com with your main domain.

Reload Fail2ban:

systemctl reload fail2ban

19.10.4. Upgrading Postfix Admin

Before upgrading Postfix Admin to a new version, it’s recommended to check if the new version has been tested and confirmed to function well within the suite by visiting this page.

If you check the official GitHub Releases page of Postfix Admin, and you notice that a new version has been released, you can upgrade Postfix Admin by following the steps from below.

First create the backups. Use phpMyAdmin to export the mail database and change the name of the resulting sql file, to make it include the date of the backup (Eg.: mail-2021-02-15.sql). Then create an archive of the Postfix Admin directory (/var/www/net-pstfxdmn in our example), including the date in the name of the archive, like this:

cd /var/bm_archives
tar czf postfixadmin-2021-02-15.tar.gz /var/www/net-pstfxdmn

Replace net-pstfxdmn with the custom name of the Postfix Admin directory, which is also the name of the login page.

Use a FTP client like FileZilla to upload the sql file to the remote server and place it in /var/bm_archives, and to download the tar.gz archive to your local computer, so as to have the two backup files in two separate locations. You can also copy them to a third location on an external storage device, etc.

Next, download the latest version of Postfix Admin from the official GitHub releases page and extract the archive:

cd /tmp
wget https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.2.5.zip

unzip postfixadmin-3.2.5.zip
rm postfixadmin-3.2.5.zip

Replace 3.2.5 with your version.

Rename the Postfix Admin directory, /var/www/net-pstfxdmn to /var/www/net-pstfxdmn_old:

Move the new Postfix Admin uncompressed directory to /var/www, changing its name to /var/www/net-pstfxdmn:

mv /tmp/postfixadmin-postfixadmin-3.2.5 /var/www/net-pstfxdmn

Create an empty config.local.php file in the /var/www/net-pstfxdmn directory:

cd /var/www/net-pstfxdmn
nano config.local.php

Add the following line inside this file:

<?php include('/srv/scripts/postfixadmin.php'); ?>

Next create the directory templates_c in /var/www/net-pstfxdmn:

mkdir templates_c

Change ownership and permissions for the /var/www/net-pstfxdmn directory:

chown -R www-data:www-data /var/www/net-pstfxdmn
find /var/www/net-pstfxdmn -type d -exec chmod 750 {} +
find /var/www/net-pstfxdmn -type f -exec chmod 640 {} +

Then access the setup page by going to:

https://mail.example.com/net-pstfxdmn/public/setup.php

Replace example.com with your main domain, and net-pstfxdmn with the custom name of the Postfix Admin login page. You will see the following screen:

Enter the setup password that you saved when you installed Postfix Admin in the ‘Setup password’ field, then click on the ‘Login with setup_password’ button. The setup script will check the dependencies and also update the database. If everything is OK, the next screen will look like this:

Ignore the two warnings.

If you want to add a new superadmin account, you can do it by filling the text boxes under ‘Add Superadmin Account’. If you don’t want a new superadmin account, because you intend to use the old superadmin account(s), just leave the text boxes under ‘Add Superadmin Account’ empty. The upgrade is finished. You can access the login page at:

https://mail.example.com/net-pstfxdmn/public

In case the database upgrade fails, you can access https://mail.example.com/net-pstfxdmn/public/setup.php?debug=1 to see the last executed query.

After the installation finishes, it’s a good idea to delete the setup.php file:

cd /var/www/net-pstfxdmn/public
rm setup.php

After you log in to Postfix Admin and confirm that everything is working, you can delete the /var/www/net-pstfxdmn_old directory:

cd /var/www
rm -r net-pstfxdmn_old

19.11. Set up the MX records for your domains

After installing the components presented up to this point, you have to add the specific DNS records necessary to send/receive emails (the MX records), and the records necessary to legitimate your emails, so that they won’t be rejected as spam or considered forged emails (the SPF, DKIM and DMARC records).

The MX record for the example.com domain, as it should appear in the BIND configuration file for example.com (in the /etc/bind/db.example.com file) will look like this:

@      IN      MX     10    mail.example.com.

where @ is the placeholder for example.com , and 10 is the priority indicator (10 is the default priority). Please note that there is a period at the end of the mail.example.com domain.

The MX record from above has to be added for every domain on your server. However, for your main domain, you will also have to add two additional MX records:

  • a MX record for mail.example.com, which is necessary for receiving emails sent by different applications to the default root@mail.example.com address. For mail.example.com, the MX record in BIND (/etc/bind/db.example.com) will look like this:

    mail IN MX 10 mail.example.com.

  • a MX record for mailman.example.com, which is necessary for sending emails to Mailman mailing lists. For mailman.example.com, the MX record in BIND (/etc/bind/db.example.com) will look like this:

    mailman IN MX 10 mail.example.com.

If you use Hurricane Electric’s DNS services, to add a MX record for the example.com domain, first click on ‘New MX’. Then fill the fields as follows:

You will need to add a MX record like the one for example.com, for any other domain that you host on your server: secondsite.net, thirdsite.info, fourthsite.org, etc. However, the MX records for the mailman subdomain and for the mail subdomain should be added only for the main domain hosted on the server, and not for other domains.

19.12. Set up SPF (Sender Policy Framework) for your domains

Sender Policy Framework (SPF) is a system that allows mail servers to know what hosts are allowed to send emails for a given domain. Setting up SPF records for the domains used to send emails is mandatory if you want to avoid having your emails classified as spam.

The SPF record for the example.com domain, as it should appear in the BIND configuration file for example.com (/etc/bind/db.example.com) will look like this:

@     IN     TXT    "v=spf1 a mx ip4:123.123.123.123 ip6:2b03:8df0:0:6:2014:gf:he50:20a4 -all"

where @ is the placeholder for example.com , 123.123.123.123 is the public IPv4 address of your server and 2b03:8df0:0:6:2014:gf:he50:20a4 is the public IPv6 address of your server.

Below is a description of the options used:

v=spf1 specifies the SPF version, is required and has to be the first tag.

a authorizes the hosts identified in the domain’s A records to send e-mail.

mx is a shorthand for all the hosts listed in the MX records for the example.com domain.

ip4 and ip6 specify the IP addresses that are allowed to send emails from the example.com domain.

123.123.123.123 is the public IPv4 address of your mail server.

2b03:8df0:0:6:2014:gf:he50:20a4 is the public IPv6 address of your mail server.

-all indicates that mail from your domain should only come from servers identified in the SPF record. Anything coming from any other source is trying to impersonate your mail server. An alternative is ~all, which shows the same thing but also that mail servers should accept the message and flag it as forged, instead of simply rejecting it. -all makes it more difficult for spammers to send emails that impersonate your domain.

A SPF record like the one from above has to be added for every domain hosted on your server. However, for your main domain, you will also have to add two additional SPF records:

  • a SPF record for mail.example.com, for receiving emails sent by different applications to the default root@mail.example.com. For mail.example.com, the SPF record in BIND (/etc/bind/db.example.com) will look like this:

    mail IN TXT "v=spf1 a mx ip4:123.123.123.123 ip6:2b03:8df0:0:6:2014:gf:he50:20a4 -all"

  • a SPF record for mailman.example.com, which is necessary for sending emails to Mailman mailing lists. For mailman.example.com, the SPF record in BIND (/etc/bind/db.example.com) will look like this:

    mailman IN TXT "v=spf1 a mx ip4:123.123.123.123 ip6:2b03:8df0:0:6:2014:gf:he50:20a4 -all"

To verify the SPF records of incoming mail and thus avoid accepting forged emails, you have to enable two lines that are commented out in the /etc/postfix/master.cf file. Open the file for editing:

nano /etc/postfix/master.cf

Scroll down to the two lines mentioning policyd-spf and remove the comment sign (#), to make them look like this:

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Also, open the /etc/postfix/main.cf file:

nano /etc/postfix/main.cf

Uncomment the policyd-spf_time_limit line (by removing the # sign), to increase the Postfix policy agent timeout, which will prevent Postfix from aborting the agent if transactions run a bit slowly. Make that line look like this:

policyd-spf_time_limit = 3600

In the same file, check if you have the following two lines in the smtpd_recipient_restrictions entry:

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    ...

Without these settings, SPF verification won’t function properly.

Restart Postfix:

systemctl restart postfix

If you use Hurricane Electric’s DNS services, to add a SPF record for example.com click on ‘New TXT’ and fill the fields as follows:

Replace example.com with your own domain, replace 123.123.123.123 with the public IPv4 address of your server and 2bc6:4ce0:2:9::4728 with the public IPv6 address of your server.

19.13. Set up DKIM (DomainKeys Identified Mail) for your domains

DKIM (DomainKeys Identified Mail) is an authentication method used to link an email to a domain name. DKIM proves not only that a domain name hasn’t been used falsely by others, but also that the email message hasn’t been changed in transit.

DKIM relies on asymmetric encryption: first you generate a private/public key pair, then enter the public key as a TXT record of the domain used to send emails, then the private key is used to create a signature for each email. The signature is a hash created using the content of the email and the private key. The signature is added as a header to the email. In this way, a receiver mail server that knows the public key from the TXT record of the domain can use it to verify if the email comes from the legitimate domain and that it hasn’t been changed in transit.

Like SPF entries, DKIM entries help a lot in reducing the possibility that your emails might be considered spam by other mail servers.

To implement DKIM for your domains, first you have to install some new packages:

apt-get install opendkim opendkim-tools postfix-policyd-spf-python postfix-pcre

Then create the directories necessary to store the new files:

mkdir -p /etc/opendkim/keys

Make a copy of the /etc/opendkim.conf file:

cp /etc/opendkim.conf /etc/opendkim.conf_orig

Emtpy the /etc/opendkim.conf file:

cat /dev/null > /etc/opendkim.conf

Open the file for editing:

nano /etc/opendkim.conf

Add the following content inside this file:

Mode  sv
Syslog  yes
UserID  opendkim:postfix
UMask  007
Socket  local:/var/run/opendkim/opendkim.sock
PidFile  /var/run/opendkim/opendkim.pid
Selector  default
SendReports  no
SoftwareHeader  yes
Canonicalization  relaxed/simple
SubDomains  no
SignatureAlgorithm  rsa-sha256
MinimumKeyBits  2048
OversignHeaders  From
KeyTable  refile:/etc/opendkim/KeyTable
SigningTable  refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts  refile:/etc/opendkim/TrustedHosts

Also, in the /etc/opendkim directory, you have to create three files. First create the /etc/opendkim/TrustedHosts file:

nano /etc/opendkim/TrustedHosts

Add the following content inside this file:

127.0.0.1
::1
localhost
mail
mail.example.com
example.com
secondsite.net
thirdsite.info
fourthsite.org
fifthsite.us

Replace example.com with the main domain hosted on your server and secondsite.net, thirdsite.info, fourthsite.org, fifthsite.us, with the other domains hosted on the server.

Then create the /etc/opendkim/SigningTable file:

nano /etc/opendkim/SigningTable

Add the following content inside this file:

*@example.com  default._domainkey.example.com
*@secondsite.net  default._domainkey.secondsite.net
*@thirdsite.info  default._domainkey.thirdsite.info
*@fourthsite.org  default._domainkey.fourthsite.org
*@fifthsite.us  default._domainkey.fifthsite.us

Replace example.com with the main domain hosted on your server and secondsite.net, thirdsite.info, fourthsite.org, fifthsite.us, with the other domains hosted on the server.

Next, create the /etc/opendkim/KeyTable file:

nano /etc/opendkim/KeyTable

Add the following content inside this file:

default._domainkey.example.com  example.com:default:/etc/opendkim/keys/example.com.private
default._domainkey.secondsite.net  secondsite.net:default:/etc/opendkim/keys/secondsite.net.private
default._domainkey.thirdsite.info  thirdsite.info:default:/etc/opendkim/keys/thirdsite.info.private
default._domainkey.fourthsite.org  fourthsite.org:default:/etc/opendkim/keys/fourthsite.org.private
default._domainkey.fifthsite.us  fifthsite.us:default:/etc/opendkim/keys/fifthsite.us.private

Replace example.com with the main domain hosted on your server and secondsite.net, thirdsite.info, fourthsite.org, fifthsite.us, with the other domains hosted on the server.

Navigate to the /etc/opendkim/keys directory:

cd /etc/opendkim/keys

Generate the key for example.com by running:

opendkim-genkey -b 2048 -h rsa-sha256 -r -s default -d example.com

This command will create the files default.private and default.txt. Change the name of these two files as follows:

mv default.private example.com.private
mv default.txt example.com.txt

Repeat the key generation and file renaming for each domain hosted on your server (secondsite.net, thirdsite.info, fourthsite.org, fifthsite.us, etc.)

Change ownership for the /etc/opendkim directory and its content, and permissions for the /etc/opendkim/keys directory:

chown -R opendkim:opendkim /etc/opendkim
chmod 700 /etc/opendkim/keys

To allow the user postfix to have proper access to the /var/run/opendkim/opendkim.sock file, you have to add it to the opendkim group by running:

adduser postfix opendkim

In this way, the /var/run/opendkim directory, which is owned by the opendkim user and the opendkim group, with 750 permissions, will allow the postfix user to access the /var/run/opendkim/opendkim.sock file.

Then make a copy of the /etc/default/opendkim file:

cp /etc/default/opendkim /etc/default/opendkim_orig

Edit the /etc/default/opendkim file:

nano /etc/default/opendkim

Change the group owner for the socket file from opendkim to postfix as follows:

GROUP=postfix

Also edit the /etc/postfix/main.cf file:

nano /etc/postfix/main.cf

Add the following directives right below the milter_default_action = accept line:

smtpd_milters = local:/var/run/opendkim/opendkim.sock
non_smtpd_milters = local:/var/run/opendkim/opendkim.sock

Restart opendkim and Postfix:

systemctl restart opendkim
systemctl restart postfix

19.13.1. Add the DKIM TXT records for your domains

If you look into the /etc/opendkim/keys/example.com.txt file that you generated earlier for the example.com domain with the opendkim-genkey command, you will see a content similar to this:

default._domainkey	IN	TXT	( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "
	  "p=MIIBIdCBEhdqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp562Yiy2bRa4xUJgpJlPbk69tWp5aYiZkOYJWIACpcK6TgTS197HavECcZVTu4ZijcmyZqecfytqvjo23mW+7lBc4DMlynYzcNtC2e/i29mKeMT4KPzfz8czBdByjZ76ZKclUkgtVhtsaF2KPUsw6vgn2dYFjMSNQWRtM3LyiWymkwOeKOkbHrQsgb4vxReiq6M8jPd4r0Ad5"
	  "k2FlgfDFqvRgYy3GxQUtAIYdT1G7T7Jc+Q433DG4RPq4WGA6YufkskPbmyP5yquOiJuPNSxzo6srC3zhGzzL6MTMk145iof85keUVgTi3XrlWKPwd8/VOgos2nyVLK5ewd5jnWawJGASZB" )  ; ----- DKIM key default for example.com

Please note that the long string listed after ‘p=‘ is split into two sections. You have to copy this long string in a TXT record added to the example.com domain, in your DNS settings, preserving the two sections of the string.

Therefore, the DKIM record for the example.com domain, as it should appear in the BIND configuration file for example.com (/etc/bind/db.example.com) will look like this:

default._domainkey    IN     TXT    "v=DKIM1; h=sha256; k=rsa; s=email;"  "p=MIIBIdCBEhdqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp562Yiy2bRa4xUJgpJlPbk69tWp5aYiZkOYJWIACpcK6TgTS197HavECcZVTu4ZijcmyZqecfytqvjo23mW+7lBc4DMlynYzcNtC2e/i29mKeMT4KPzfz8czBdByjZ76ZKclUkgtVhtsaF2KPUsw6vgn2dYFjMSNQWRtM3LyiWymkwOeKOkbHrQsgb4vxReiq6M8jPd4r0Ad5"  "k2FlgfDFqvRgYy3GxQUtAIYdT1G7T7Jc+Q433DG4RPq4WGA6YufkskPbmyP5yquOiJuPNSxzo6srC3zhGzzL6MTMk145iof85keUVgTi3XrlWKPwd8/VOgos2nyVLK5ewd5jnWawJGASZB"

Add similar TXT records in the DNS settings for all your other domains.

To test the opendkim configuration run:

opendkim-testkey -d example.com -s default -vvv

The last message should be “key OK”. If you see a “key not secure” message above the “key OK” line, it doesn’t represent an error, it just means that DNSSEC is not in use for opendkim and you can ignore it.

If you use Hurricane Electric’s DNS services, to add a DKIM entry for example.com, click on ‘New TXT’, then fill the fields as follows:

If you want to be extra cautious, you can re-generate the private and public keys with the opendkim-genkey command, then update the TXT records for your domains, once every 3 months.

19.14. Set up a DMARC (Domain Message Authentication, Reporting & Conformance) record for your domains

A DMARC record is used to advise mail servers what you think they should do with emails claiming to be from your domain, that fail validation with SPF and/or DKIM. DMARC also allows you to request reports from other mail servers, about mail that fails to pass one or more validation checks. You should set up DMARC records only after setting up SPF and DKIM records, for each domain.

The DMARC record for the example.com domain, as it should appear in the BIND configuration file for example.com (/etc/bind/db.example.com) will look like this:

_dmarc     IN     TXT    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; fo=1; rf=afrf; rua=mailto:admin@example.com"

where admin@example.com is the address where you want to receive the aggregated reports from other mail servers, for emails coming from you.

Below is a description of the options used:

v specifies the protocol version, in this case DMARC1.

p specifies the policy to be used for emails coming from the example.com domain. The available options are:

  • quarantine instructs that if an email fails validation, the recipient should set it aside for processing.
  • reject requests that the receiving mail server reject the emails that fail validation.
  • none requests that the receiver take no action if an email does not pass validation.

sp specifies the policy for subdomains, such as subdomain.example.com. It accepts the same arguments as the p tag.

adkim specifies the alignment mode for DKIM, which determines how strictly DKIM records are validated. The available options are:

  • r relaxed alignment mode: DKIM authentication is less strictly enforced.
  • s strict alignment mode: only an exact match with the DKIM entry for the root domain will be seen as validated.

aspf specifies the alignment mode for SPF verification. It allows the same options as adkim.

fo allows you to specify which failed authentication methods will be reported. The available options are:

  • 0 requests a report if all authentication methods fail. For example, if an SPF check failed but the DKIM authentication was successful, a report would not be sent.
  • 1 requests a report if any authentication check fails.
  • d requests a report if a DKIM check fails.
  • s requests a report if an SPF check fails.

rf specifies the format used for authentication failure reports. The available options are:

  • afrf uses the ‘Authentication Failure Reporting Format’ as defined by RFC 6591.
  • iodef uses the ‘Incident Object Description Exchange Format’ as defined by RFC 5070 & RFC 6685.

rua specifies the email address that will receive aggregate reports. This option accepts multiple addresses in the following format: rua=mailto:tom@domain1.com,mailto:jerry@domain2.com,mailto:oscar@domain3.com; . Once you receive reports and notice that everything works well, you can disable this feature by removing the rua=mailto:admin@example.com parameter from the DMARC entry, because in time, these reports can become annoying.

Please note that you will need to add a DMARC record like the one for example.com, for any other domain that you host on your server: secondsite.net, thirdsite.info, fourthsite.org, etc.

If you use Hurricane Electric’s DNS services, to add a DMARC record for example.com, click on ‘New TXT’, then fill the fields as follows:

In conclusion, if you use Hurricane Electric’s DNS service, the DNS records related to emails, for the main domain hosted on the server, example.com, should look similar to the following:

For other domains different from the main domain, the email related settings should be identical to the ones from above, with the exception of the two records for Mailman, which appear only in the settings for the main domain.

19.15. Install Roundcube

Log in to phpMyAdmin and create a database called roundcubemail and a user called roundcubeuser, on localhost, with a strong password. Save the password somewhere safe, to use it later. Then give user roundcubeuser all the privileges over the roundcubemail database, except the GRANT privilege, which is not necessary.

Then use a browser to access Roundcube’s official download page. Right-click on the ‘Download’ button of the latest ‘Stable Version’ ‘Complete’ of Roundcube, then choose ‘Copy Link Location’ from the context menu, to copy the download link to the clipboard, so that you can use it later, with the wget command.

On your remote server, navigate to /tmp:

cd /tmp

Download the latest version of Roundcube:

wget https://github.com/roundcube/roundcubemail/releases/download/1.4.8/roundcubemail-1.4.8-complete.tar.gz

Replace 1.4.8 with your version number. Uncompress the archive:

tar xf roundcubemail-1.4.8-complete.tar.gz

Remember that you already created the /var/www/mail.example.com directory when installing phpMyAdmin, so now you only need to copy the uncompressed folders and files of Roundcube to /var/www/mail.example.com:

cp -r /tmp/roundcubemail-1.4.8/* /var/www/mail.example.com

Remove the directory and archive from /tmp, because you no longer need them:

rm -r /tmp/roundcubemail-1.4.8 /tmp/roundcubemail-1.4.8-complete.tar.gz

Change ownership and permissions for the /var/www/mail.example.com directory and its content:

chown -R www-data:www-data /var/www/mail.example.com
find /var/www/mail.example.com -type d -exec chmod 750 {} +
find /var/www/mail.example.com -type f -exec chmod 640 {} +

Use a browser to access the Roundcube installer at:

https://mail.example.com/installer/

The first screen will look like this:

The installer checks if all the needed software packages are installed. All the checks should display OK, with the exception of PostgreSQL, and the other DBMS, which are not necessary, since you have MariaDB installed (identified by the installer as MySQL). Click ‘Next’.

In the next screen, leave all the fields and checkboxes as they are, with the exception of the fields/checkbloxes listed below, which you should fill in as follows:

General configuration

Under enable_spellcheck, uncheck Make use of the spell checker.

Logging & Debugging

log_driver file

log_dir /var/log/sites/mail.example.com/

Database setup

Database server localhost

Database name roundcubemail

Database user name roundcubeuser

Database password strongpassword (enter the password of roundcubeuser set up earlier)

IMAP Settings

default_host mail.example.com

SMTP Settings

smtp_server
tls://mail.example.com

Make sure that Use the current IMAP username and password for SMTP authentication is checked.

Display settings & user prefs

In the language* field enter the RFC1766 formatted language name (en_US, de_DE, de_CH, fr_FR, pt_BR, etc.), like:

language* en_US

skin* elastic

prefer_html* check Prefer displaying HTML messages and for Compose HTML formatted messages choose ‘always’

Plugins

Check the following plugins:

additional_message_headers
jqueryui
managesieve
markasjunk
password
show_additional_headers

As mentioned, leave all the other fields/checkboxes as they are, then click ‘CREATE CONFIG’.

The installer will display the following message at the top of the page:

The config file was saved successfully into /var/www/mail.example.com/config directory of your Roundcube installation.

Please note that there is a ‘Continue’ button below the message. Before clicking on that button, leave the browser open and edit the /var/www/mail.example.com/config/config.inc.php file:

nano /var/www/mail.example.com/config/config.inc.php

Add the following line at the top of the file:

$config['enable_installer'] = true;

Also, since you specified that /var/log/sites/mail.example.com should be the log directory, you have to give www-data write access to this directory:

chown www-data:root /var/log/sites/mail.example.com

Next, come back to the installation page opened in your browser and click on the ‘Continue’ button mentioned above.

In the next screen you will see the message ‘DB Schema: NOT OK (Database not initialized)’. Click on the ‘Initialize database’ button below this message. After the initialization, all the checks should display OK.

Next, open the /var/www/mail.example.com/config/config.inc.php file:

nano /var/www/mail.example.com/config/config.inc.php

Below the $config['db_dsnw'] line, add the following line:

$config['log_driver'] = 'file';

Below $config['smtp_server'] = 'tls://mail.example.com'; add the following lines:

$config['smtp_port'] = '587';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['auto_create_user'] = true;

Also add the following lines at the end of the file, to tell Roundcube to create the default folders (Sent, Drafts, Junk and Trash) for any new mailbox, when the user first logs in:

// Automatically create the Sent, Drafts, Junk and Trash default folders on user login
$config['create_default_folders'] = true;

To disable the installer which is no longer needed, remove the following line:

$config['enable_installer'] = true;

Now, that Roundcube is installed, for security reasons, delete the installer directory:

cd /var/www/mail.example.com
rm -r installer

19.15.1. Move the configuration file outside the web root

To increase security, copy the config.inc.php file to a directory outside /var/www, like this:

cp /var/www/mail.example.com/config/config.inc.php /srv/scripts/roundcube.php

Empty the configuration file:

cd /var/www/mail.example.com/config
cat /dev/null > config.inc.php

Open the configuration file:

nano config.inc.php

And add the following line inside this file:

<?php include('/srv/scripts/roundcube.php'); ?>

Change the ownership and permissions for the /srv/scripts/roundcube.php file:

cd /srv/scripts
chown www-data:root roundcube.php
chmod 400 roundcube.php

Reload Nginx:

systemctl reload nginx

19.15.2. How to turn debug mode on

If you want to enable debugging mode to troubleshoot various problems, add the following lines to the configuration file (/srv/scripts/roundcube.php):

// Debug level (from 1 to 4)
$config['debug_level'] = 4;

// Log SQL queries
$config['sql_debug'] = true;

// Log IMAP conversation
$config['imap_debug'] = true;

// Log LDAP conversation
$config['ldap_debug'] = true;

// Log SMTP conversation
$config['smtp_debug'] = true;

Remember to comment these lines out when you don’t need debug mode enabled.

19.15.3. Restrict access to Roundcube’s login page

At this point, you can log in to Roundcube using any of the email addresses and their respective passwords that you have set up previously in Postfix Admin. The login page is:

https://mail.example.com

When you access this page, you will be asked for your HTTP authentication credentials. You have to enter the username and password set up earlier (in the Install phpMyAdmin chapter, in the /etc/nginx/htpass/mail.example.com password file).

Please note that you will have to add to the /etc/nginx/htpass/mail.example.com file a username and password for all the users that you want to allow access to Roundcube’s login page. At this point, the password file should contain the name and the hashed password of only one user (verner in our example). If you want to allow the user albert to access the login page, you should add his name and a password to the password file like this:

htpasswd /etc/nginx/htpass/mail.example.com albert

Repeat this command for all the users that you want to allow access to Roundcube’s login page.

After entering your HTTP authentication credentials, you will see the login page:

Now you can use the email addresses and their respective passwords that you have set up in Postfix Admin, to log in to Roundcube.

Before you can send emails to external domains, make sure that you have properly configured a MX record, a SPF record, an Opendkim record and a DMARC record (apart from the A and AAAA records), as described in the 19.11., 19.12., 19.13. and 19.14. chapters, respectively.

19.15.4. Configure logrotate to rotate the Roundcube errors log

Roundcube will write access data to the access.log and errors to the errors.log. Both logs are located in the directory that you have set up earlier as log_dir, namely /var/log/sites/mail.example.com. You have to configure logrotate to rotate these logs.

Open the /etc/logrotate.d/nginx file:

nano /etc/logrotate.d/nginx

Add the following block at the end of this file:

/var/log/sites/mail.example.com/access.log  /var/log/sites/mail.example.com/errors.log {
        missingok
        rotate 10
        compress
        delaycompress
        notifempty
        create 0640 www-data adm
        size 2M
        sharedscripts
        prerotate
                if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                        run-parts /etc/logrotate.d/httpd-prerotate; \
                fi; \
        endscript
        postrotate
                [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
        endscript
}

19.15.5. Configure Fail2ban to protect Roundcube against brute-force attacks

Navigate to the /etc/fail2ban/filter.d directory:

cd /etc/fail2ban/filter.d

Ignore the roundcube-auth.conf file which is already there, and create a new file called roundcube.conf:

nano roundcube.conf

Add the following content in this file:

[Definition]

failregex = IMAP Error: Login failed for .* from <HOST>
            ^<HOST> .* \"GET / HTTP/2.0\" 401 195 .*$
ignoreregex =

The second line identifies the failed log in attempts against the HTTP authentication window, which is displayed right before loading the Roundcube login page and can be also subject to brute-force attacks. Now open the /etc/fail2ban/jail.local file:

nano /etc/fail2ban/jail.local

Add the following lines in the 'Webmail and groupware servers' section:

[roundcube]
enabled  = true
filter   = roundcube
logpath  = /var/log/sites/mail.example.com/errors.log
           /var/log/sites/mail.example.com/access.log
port     = 80,443
maxretry = 4
bantime = 259200

Replace example.com with the main domain hosted on your server. Reload Fail2ban:

systemctl reload fail2ban

19.15.6. Enable the ‘managesieve’ plugin in Roundcube

When configuring the Roundcube installation, you have checked managesieve in the list of plugins that will be installed. So, the managesieve plugin is already installed. Yet, to be able to use it and create custom filters from Roundcube ‘Settings’ > ‘Filters’, you will have to enable it. Navigate to the managesieve directory of Roundcube:

cd /var/www/mail.example.com/plugins/managesieve

Copy config.inc.php.dist to config.inc.php:

cp config.inc.php.dist config.inc.php

Open the config.inc.php file:

nano config.inc.php

Change $config['managesieve_port'] = null; to:

$config['managesieve_port'] = 4190;

Change $config['managesieve_default'] = '/etc/dovecot/sieve/global'; to:

$config['managesieve_default'] = '/etc/dovecot/conf.d/custom-sieves/global_after.sieve';

Also change $config['managesieve_vacation'] = 0; to:

$config['managesieve_vacation'] = 1;

Restart Dovecot:

systemctl restart dovecot

19.15.7. Enable the ‘password’ plugin in Roundcube

When installing Roundcube, you have checked ‘password’ in the list of plugins that will be installed. Therefore, the ‘password’ plugin is already installed. Yet, to be able to use it, you have to enable it.

Execute the following SQL commands in order to give user roundcubeuser SELECT privileges on the username and password columns and UPDATE privileges on the password column of the mailbox table from the mail database, on localhost:

mysql -u root -p
MariaDB [(none)]> GRANT SELECT (username, password), UPDATE (password) ON mail.mailbox TO 'roundcubeuser'@'localhost';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit
Bye

Whithout these privileges, the users won’t be able to change their passwords from inside Roundcube.

Navigate to the plugin’s directory:

cd /var/www/mail.example.com/plugins/password

Copy the config.inc.php.dist file to config.inc.php:

cp config.inc.php.dist config.inc.php

Edit config.inc.php:

nano config.inc.php

Edit only the lines listed below. They should look like this:

$config['password_driver'] = 'sql';
$config['password_confirm_current'] = true;
$config['password_minimum_length'] = 8;
$config['password_log'] = false;
$config['password_login_exceptions'] = null;
$config['password_hosts'] = array('mail.example.com');
$config['password_force_save'] = true;
$config['password_algorithm'] = 'dovecot';
//$config['password_dovecotpw'] = '/usr/local/sbin/doveadm pw'; // for dovecot-2.x
//$config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; // for dovecot-1.x
$config['password_dovecotpw'] = '/usr/bin/doveadm pw';
$config['password_dovecotpw_method'] = 'CRAM-MD5';
$config['password_dovecotpw_with_method'] = true;

// SQL Driver options.

$config['password_db_dsn'] = 'mysql://mail:gdf6g19VBg45sDfg14@localhost/mail';

$config['password_query'] = 'UPDATE mail.mailbox SET password=%P WHERE username=%u AND password=%O LIMIT 1';

$config['password_crypt_hash'] = 'md5';
$config['password_hash_algorithm'] = 'sha1';

where gdf6g19VBg45sDfg14 is the password of the user mail, that you set up when you created the mail database.

Now, every user can change her/his password when logged in to Roundcube from ‘Settings’ > ‘Password’.

19.15.8. Enable the ‘autologon’ and ‘autologout’ plugins

If you want to integrate Roundcube with Roundpin, to be able to open a new email window with one click, to easily send emails to your Roundpin contacts, and to be able to check incoming emails from inside Roundpin, you will need to enable the ‘autologon’ and ‘autologout’ Roundcube plugins. To do so, edit the main configuration file (remember that you have copied the main configuration file, /var/www/mail.example.com/config/config.inc.php, as /srv/scripts/roundcube.php, for security reasons):

nano /srv/scripts/roundcube.php

Add ‘autologon’ and ‘autologout’ to the list of enabled plugins, by modifying the $config['plugins'] array, as follows:

// List of active plugins (in plugins/ directory)
$config['plugins'] = array('additional_message_headers', 'jqueryui', 'managesieve', 'markasjunk', 'password', 'show_additional_headers', 'autologon', 'autologout');

The ‘autologon’ plugin is already present in the /var/www/mail.example.com/plugins directory because it’s part of the default Roundcube installation, therefore, you don’t have to download it and put it in that directory. However, the ‘autologout’ plugin has to be first downloaded from here, then uncompressed and saved in the /var/www/mail.example.com/plugins directory under the name autologout. You should also set the right ownership and permissions for the new plugin:

cd /var/www/mail.example.com/plugins
chown -R www-data:www-data autologout
chmod 750 autologout
chmod 640 autologout/*

This concludes enabling the two plugins.

19.15.9. Creating canned emails

If you frequently send emails with similar content, you can create a template, or a ‘canned’ email, that you can then select from a drop-down list, modify a bit if necessary and send. This will spare you the time to write the same content over and over again.

To create a ‘canned’ email go to ‘Settings’ > ‘Responses’ > click on the ‘Create’ button in the upper bar. You will see the following screen:

In the ‘Name’ field enter a name for that ‘canned’ email, in the ‘Response Text’ text area enter the content of the email, then click ‘Save’. You can create as many ‘canned’ emails as you need. Then, when you want to send a new email or to reply to a received email, you will see the ‘Responses’ button in the upper bar of the email editing window. When you click on ‘Responses’, you will see a drop-down list with all the ‘canned’ emails that you have saved. When you choose an email from the drop-down list, its content will be automatically inserted in the text area of the new message or reply. You can then modify the text where you find necessary and send the email to the recipient.

19.15.10. Creating filters

If you want to filter incoming messages according to certain rules, to separate them from regular emails and send them to a specific folder, flag them, redirect them, discard them, etc. you can create an email filter. To create a new filter go to ‘Settings’ > ‘Filters’ > click on the ‘Create’ button in the upper bar. You will see the following screen:

In the ‘Filter name’ field enter a name for the filter, in the ‘Scope’ field choose from the drop-down list one of the three options: ‘matching all of the following rules’, ‘matching any of the following rules’ or ‘all messages’. In the ‘Rules’ section add any rules you need. For example:

Subject

From

contains

is equal to

view our catalog

contact@domain.com

You can add new rules by clicking on the ‘+’ sign.

In the ‘Actions’ section add any action you need. For example:

Move message to

Junk

You can add multiple actions, such as:

Redirect message to

Send message copy to

info@somedomain.com

office@otherdomain.com

Click ‘Save’.

If you want to separate a specific type of incoming emails from the regular emails and send them to a separate folder, you can create a new folder in ‘Settings’ > ‘Folders’ > ‘Create’, then add a filter to send all incoming emails falling under a specific rule, to the newly created folder.

19.15.11. Creating ‘out of office’ replies

When you know you will be out of office for a period of time because of a vacation, a voyage, etc., and you want to inform your contacts that you are out of office if they send you emails during that period, you can create an ‘out of office’ reply. Go to ‘Settings’ > ‘Out of Office’. You will see the following screen:

In the ‘Subject’ field enter a subject for the reply, such as ‘I’m on vacation’. In the ‘Body’ field enter the content of the message, for example:

Hello,

I’m on vacation until July 31. For urgent matters you can contact my assistant at office@domain.com.

As soon as I come back I’ll send you my response.

Thank you for your understanding!

Sincerely,

John Doe

In the ‘Start time’ and ‘End time’ fields enter the days from the beginning and the end of the time period in which you want the automatic ‘out of office’ reply to be sent. In the ‘Status’ field choose ‘On’. Under ‘Advanced settings’, in the ‘My e-mail address’ enter the email address of the Roundcube account. In the ‘Reply interval’ enter 1. This means that the mail server will send the ‘out of office’ reply only once per day if a contact sends multiple emails to your email address in a day. In the ‘Incoming message action’ field choose ‘Keep’ if you want the incoming messages to be kept in the Inbox after they arrive. You can also choose to discard the messages that arrive during the vacation, to redirect them, or to send copies of the incomng messages to a different email address. Click ‘Save’.

Please note that after you create the ‘out of office’ reply, it will be listed in the ‘Filters’ section. This is because the ‘out of office’ reply is nothing else than a type of filter: it filters all the incoming emails and if it finds that some emails have arrived in the specified period of time, it replies with the predefined text of the ‘out of office’ response. Thus, you can create multiple ‘out of office’ replies as regular filters, one for each period of vacation during the year, and you can enable and disable them as needed. If in addition to an ‘out of office’ reply you add other type of filters, in the ‘Out of Office’ section you will find a new field called ‘Put the out-of-office rule after’, which will allow you to choose the filter after which the ‘out of office’ filter will be applied to incoming emails.

19.15.12. Changing themes

You can change Roundcube’s themes, called ‘skins’ by clicking on ‘Settings’ on the left bar > ‘Preferences’ > ‘User Interface’ > ‘Interface Skin’. You can choose between ‘Classic’, ‘Elastic’ and ‘Larry’. However, only ‘Elastic’ is responsive.

In the ‘Preferences’ section you can also change other settings, such as those related to ‘Composing Messages’.

19.15.13. Upgrading Roundcube

Before upgrading Roundcube to a new version, it’s recommended to check if the new version has been tested and confirmed to function well within the suite by visiting this page.

You can check whether a new version of Roundcube has been released on the official github.com ‘Releases’ page: https://github.com/roundcube/roundcubemail/releases . When a new version is avaialble, you can upgrade your existing installation by following the steps detailed below.

First make a backup of your Roundcube database by logging in to phpMyAdmin, clicking on the Roundcube database (roundcubemail) on the left panel, then going to ‘Export’, then ‘Go’, then ‘Save File’, then ‘OK’. Don’t forget to include the date of the backup in the name of the exported file (Eg.: roundcubemail-2021-9-25.sql).

Then make a backup copy of the whole Roundcube directory:

cd /var/bm_archives
tar czf var-www-mail.example.com-2021-09-25.tar.gz /var/www/mail.example.com

Replace example.com-2021-09-25 with your domain and date of backup. You can use a FTP client like FileZilla to upload the database backup from your local computer (roundcubemail-2021-9-25.sql) to the backups directory on the remote server (/var/bm_archives). Also, you can use FTP to download the backup of the Roundcube files (var-www-mail.example.com-2021-09-25.tar.gz) to your local computer. In this way you will have the backups both on the remote server and your local computer.

Please note that you shouldn’t overwrite the Roundcube installation with the new version. First download the latest version of Roundcube from their official website to the /tmp directory. Navigate to https://roundcube.net/download/, look for the latest ‘Complete’ stable version, right-click on the ‘Download’ button and choose ‘Copy link location’ to copy the URL to the clipboard. Then run:

cd /tmp
wget https://github.com/roundcube/roundcubemail/releases/download/1.4.8/roundcubemail-1.4.8-complete.tar.gz

Extract the archive, then go to the /bin directory:

tar xf roundcubemail-1.4.8-complete.tar.gz 
cd roundcubemail-1.4.8/bin

Next use the installto.sh script to upgrade Roundcube. Run:

php installto.sh /var/www/mail.example.com

Replace example.com with your domain. You’ll be asked if you want to update; ansewer ‘yes’. The update script will then copy all the new files to the target location and check and update the database schema.

Next, go to the Roundcube directory and update the dependencies with composer like this:

cd /var/www/mail.example.com
php composer.phar update --no-dev 

Then, because you are using the build-in addressbook, you have to also run the indexing script (bin/indexcontacts.sh). Run it specifying its full path, like this:

/var/www/mail.example.com/bin/indexcontacts.sh

Don’t forget to set the right ownership and permissions for the mail.example.com directory and all its subdirectories, so as to match the ownership and permissions of /var/www. Run the following commands:

chown -R www-data:www-data /var/www/mail.example.com
find /var/www/mail.example.com -type d -exec chmod 750 {} +
find /var/www/mail.example.com -type f -exec chmod 640 {} +

Then the archive and the directory of the new Roundcube version from the /tmp directory can be removed:

cd /tmp
rm -rf roundcubemail-1.4.8-complete.tar.gz roundcubemail-1.4.8

If during the upgrade process you are asked if you want to let the upgrade script to edit the configuration file to remove obsolete settings, etc., you should answer yes. In this case, the /var/www/mail.example.com/config/config.inc.php file will be edited by the script and for security reasons you’ll have to take its content outside the web root, as you did when installing Roundcube. So, copy the content of the config.inc.php file to /srv/scripts like this:

cp /var/www/mail.example.com/config/config.inc.php /srv/scripts/roundcube.php

Next, empty the /var/www/mail.example.com/config/config.inc.php file:

cat /dev/null > /var/www/mail.example.com/config/config.inc.php

Edit the file:

nano /var/www/mail.example.com/config/config.inc.php

Place the following line inside this file:

<?php include('/srv/scripts/roundcube.php'); ?>

Set the proper permissions for the /srv/scripts/roundcube.php file:

cd /srv/scripts
chown www-data:root roundcube.php
chmod 400 roundcube.php

19.16. Install and integrate SpamAssassin

The best free and open source spam filter is SpamAssassin, officially called “Apache SpamAssassin”. To install it run:

apt-get install spamassassin spamc dovecot-antispam spamass-milter

Make a copy of the /etc/default/spamassassin file:

cp /etc/default/spamassassin /etc/default/spamassassin_orig

Open the /etc/default/spamassassin file:

nano /etc/default/spamassassin

Change the OPTIONS parameter, to make it look like this:

OPTIONS="-x --max-children 5 --nouser-config --helper-home-dir /var/lib/spamassassin -u debian-spamd -g debian-spamd --siteconfigpath /etc/spamassassin --socketpath=/var/spool/postfix/spamassassin/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660"

Change the PIDFILE parameter, to make it look like this:

PIDFILE="/var/run/spamassassin.pid"

Change the CRON parameter, to make it look like this:

CRON=1

Add the spamass-milter user to the debian-spamd group:

adduser spamass-milter debian-spamd

Create the /var/spool/postfix/spamassassin directory and set the right ownership for it:

mkdir /var/spool/postfix/spamassassin
chown -R debian-spamd:debian-spamd /var/spool/postfix/spamassassin

Make a copy of the /etc/spamassassin/local.cf file:

cp /etc/spamassassin/local.cf /etc/spamassassin/local.cf_orig

Open the /etc/spamassassin/local.cf file:

nano /etc/spamassassin/local.cf

Change/add the following parameters to make them look like this:

report_safe 0
required_score 2.0

use_bayes               1
use_bayes_rules         1
bayes_auto_learn        1

skip_rbl_checks         1
skip_uribl_checks       1
use_razor2              0
use_pyzor               0

#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif # Mail::SpamAssassin::Plugin::Shortcircuit

Make a copy of the /etc/default/spamass-milter file:

cp /etc/default/spamass-milter /etc/default/spamass-milter_orig

Open the /etc/default/spamass-milter file:

nano /etc/default/spamass-milter

Change the OPTIONS parameter, to make it look like this:

OPTIONS="-u spamass-milter -i 127.0.0.1 -m -I -- --socket=/var/spool/postfix/spamassassin/spamd.sock"

Enable spamassassin and spamass-milter by running:

systemctl enable spamassassin.service
systemctl enable spamass-milter.service

Now open the /etc/postfix/master.cf file:

nano /etc/postfix/master.cf

Uncomment the following two lines located near the end of the file, above the policyd-spf line. The two lines should look like this:

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/spamc -u debian-spamd -e /usr/lib/dovecot/deliver -d ${recipient}

Open the /etc/postfix/main.cf file:

nano /etc/postfix/main.cf

Edit the smtpd_milters and non_smtpd_milters lines, to make them look like this :

smtpd_milters = unix:/var/spool/postfix/spamass/spamass.sock local:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/spool/postfix/spamass/spamass.sock local:/var/run/opendkim/opendkim.sock

Restart the following services:

systemctl restart dovecot
systemctl restart postfix
systemctl restart spamassassin
systemctl restart spamass-milter

To check if SpamAssassin works, send an email from one of your other email addresses hosted on other servers to an email address on the mail server that you are configuring now (for example to admin@example.com). On the ‘Subject’ line enter the following text:

*****SPAM***** XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

You can leave the body of the email empty. If SpamAssassin is functioning correctly, the message from above should be sent to the ‘Junk’ folder of your Roundcube email account.

To see the way SpamAssassin marks an email as spam, you can look at the source of an email identified as such. You will see the headers added by SpamAssassin, which will look similar to this:

X-Spam-Flag: YES
X-Spam-Status: Yes, score=1001.6 required=2.0 tests=DKIM_SIGNED,DKIM_VALID,
        FREEMAIL_FROM,GTUBE,SUBJ_ALL_CAPS,UNPARSEABLE_RELAY autolearn=no
        autolearn_force=no version=3.4.2
X-Spam-Report: 
        * 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
        *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
        *      provider (...)
        *  1.6 SUBJ_ALL_CAPS Subject is all capitals
        * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
        *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
        *       valid
        *  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
        *      lines
X-Spam-Level: **************************************************
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
        mail.example.com

After you install SpamAssassin you may notice in your /var/log/mail.log, /var/log/mail.warn and /var/log/mail.err files an error like this:

spamass-milter[12892]: Could not retrieve sendmail macro "i"!.  Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results

This is a harmless warning that you can ignore. It appears because unlike the Sendmail server, for which spamass-milter was written originally, Postfix assigns a queue ID to an incoming message later in the SMTP transaction, and spamass-milter asks for that information before Postfix can provide it. This doesn’t affect spam filtering.

19.17. Install ClamAV and integrate it using clamav-milter

A mail server should scan all incoming and outgoing emails, including their archived attachments, with an antivirus. We’ll install ClamAV both for email scanning and for general use, to scan directories periodically or on demand. To install ClamAV, run:

apt-get install clamav clamav-freshclam clamsmtp clamav-milter clamdscan

Make a copy of the /etc/clamav/clamd.conf file:

cp /etc/clamav/clamd.conf /etc/clamav/clamd.conf_orig

Open the /etc/clamav/clamd.conf file:

nano /etc/clamav/clamd.conf

Change the following directives, to make them look like this:

LocalSocket /var/run/clamav/clamd.ctl
LocalSocketMode 664
MaxScanSize 600M
MaxFileSize 600M

Next, make a copy of the /etc/clamav/clamav-milter.conf file:

cp /etc/clamav/clamav-milter.conf /etc/clamav/clamav-milter.conf_orig

Open the /etc/clamav/clamav-milter.conf file:

nano /etc/clamav/clamav-milter.conf

Change the following directives, to make them look like this:

MilterSocket /var/run/clamav/clamav-milter.ctl
ClamdSocket unix:/var/run/clamav/clamd.ctl
MaxFileSize 600M
MilterSocketGroup postfix
MilterSocketMode 664

Make a copy of the /etc/clamsmtpd.conf file:

cp /etc/clamsmtpd.conf /etc/clamsmtpd.conf_orig

Open the /etc/clamsmtpd.conf file:

nano /etc/clamsmtpd.conf

Change the following directives, to make them look like this:

OutAddress: 10026
Listen: 127.0.0.1:10025
ClamAddress: /var/run/clamav/clamd.ctl

Now create the socket directory and set the proper ownership for it:

mkdir /var/spool/postfix/clamav
chown -R clamav:postfix /var/spool/postfix/clamav

Next, open the /etc/postfix/main.cf file:

nano /etc/postfix/main.cf

Edit the smtpd_milters and non_smtpd_milters lines, to make them look like this:

smtpd_milters = unix:/var/spool/postfix/spamass/spamass.sock unix:/var/run/clamav/clamav-milter.ctl local:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/spool/postfix/spamass/spamass.sock unix:/var/run/clamav/clamav-milter.ctl local:/var/run/opendkim/opendkim.sock

Stop and disable the clamav-freshclam daemon, because we will use a cron job to update ClamAV with a specific frequency, so we won’t need the clamav-freshclam daemon for updating purposes:

systemctl stop clamav-freshclam
systemctl disable clamav-freshclam

Now add a cron job to update ClamAV once a day, at a moment when the server is not busy:

crontab -e

Add the following lines inside the file:

# Update the ClamAV antivirus definitions every day at 3:40 AM
40 3 * * * /usr/bin/freshclam --quiet

This cron job will run the freshclam command and update ClamAV once a day, at 3:40 a.m.

Restart services and update the virus signatures:

systemctl restart clamav-daemon
systemctl restart clamav-milter
freshclam
systemctl restart postfix

Add the webserver user, www-data, to the clamav group, to allow applications like Roundpin to invoke clamdscan to scan uploaded files:

adduser www-data clamav

If you use the top command to see the memory used by all the running processes on the server (run top, then press f, then use the arrow keys to select %MEM, to order all the processes by the RAM percentage that they use, then press s, then press Esc), you will see that clamd uses a big portion of the server’s RAM (more than 700MB). This is because it has to load into memory, for quick access, all the virus and malware signatures, which take a lot of space. Although this substantial memory consumption is an important disadvantage, it is inevitable. Stopping the clamav-daemon and configuring ClamAV to load all the signatures in memory only when emails arrive, is not feasible on a well-configured mail server, because from time to time a large number of emails can arrive simultaneously and the antivirus won’t be able to load the virus signatures and scan the emails properly, causing errors or overloading issues.

Please note that even if you keep all your installed packages up-to-date, from time to time, you may see the follwoing warning in the /var/log/clamav/freshclam.log file:

WARNING: Your ClamAV installation is OUTDATED!

This happens because in general there is a delay between the moment a new version of ClamAV is released and the moment the new version is included in the Debian repository. If your version of ClamAV is the newest version that exists in the Debian repository, you should ignore this warning, because the freshclam utility will still work and you will get the newest virus signatures in your version of ClamAV. Installing the latest ClamAV version from source or from the official website is not recommended since this can create problems when upgrading the antivirus or other packages. Therefore, the best method to run ClamAV is to install the version included in the Debian repository, as explained above, and keep that version up to date.

19.17.1. Scan directories and files manually with ClamAV

You can scan manually any directory or file with ClamAV by running:

clamscan -ir /path/to/directory/or/file

19.17.2. Scan directories and files automatically with ClamAV

You can also scan automatically any directories or files with ClamAV by setting a cron job like this:

crontab -e

Add a line like the following:

30 2 * * * /usr/bin/clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/saved/report/scanreport.txt > /dev/null 2>&1

This will set ClamAV to scan the specified directory every day at 2:30 a.m., and save a report with the infected files in the specified file.

Please note that when scanning folders and files as shown above, by default, ClamAV will only identify the infected files but will not remove them, so, once you know which are the infected files, you’ll have to delete them manually. The situation will be different with the infected files uploaded to Nextcloud, as we’ll describe further down below. All the infected files uploaded to Nextcloud will be removed the very moment they will be detected.

19.17.3. Test email virus detection

You can check if ClamAV is scanning incoming and outgoing emails by sending an email from an email address on a different host to an email address on the server that you are configuring, and vice versa. If you check the source of such an email (in Thunderbird, in the opened message window, go to ‘More’ > ‘View Source’), you will see two lines like this:

X-Virus-Scanned: clamav-milter 0.102.4 at mail.example.com
X-Virus-Status: Clean

To check if the antivirus detects viruses included in the email attachment or in the email body, do the following experiment:

Create the EICAR Anti-Virus Test File by saving the following string in a text file called testing:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The EICAR test file simulates a real virus, without causing any harm. Attach the testing file to an email and send that email to an email address hosted on the server that you are configuring. Be aware that some email providers, such as mail.com will refuse to send an email with an attachedment that contains a test virus. When trying to send such a message, you will receive a ‘Mail delivery failed: returning message to sender’ message. On the other hand, other email providers, such as proton.com will let you send the email.

If the real-time email virus detection works as expected, you shouldn’t receive the email with the ‘infected’ attachment in the mailbox located on the server that you are configuring. Instead, in the /var/log/clamav/clamav.log file, you will see a line this this:

Sat Mar 05 11:10:38 2021 -> fd[10]: Eicar-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND

You will see a similar line if you try to send an ‘infected’ email from the server you are configuring, to an email account on an external host. In this situation, if you check the /var/log/mail.log file, you will also see a line like the one shown below, which will indicate that the antivirus has prevented the ‘infected’ email from being sent, although the message will appear as successfully sent in Roundcube:

milter-hold: END-OF-MESSAGE from mail.example.com[123.123.123.123]: milter triggers HOLD action; from=<admin@example.com> to=<username@recipientdomain.com> proto=ESMTP helo=<mail.example.com>

Therefore, ClamAV deletes immediately any infected incoming or outgoing email. As mentioned, an infected outgoing email will have a copy saved in the Sent folder, although it won’t be actually sent.

You can repeat the experiment from above, by archiving the testing file in different formats (zip, tar.gz, tar.xz, tar.bz2, etc.) and attaching the archive to the test email, to test if ClamAV can detect viruses hidden inside archives, or by including the EICAR string in the body of the email. The EICAR string wasn’t created to be detected when surrounded by other texts, so, if you include it in the body of an email, make sure to include it alone, without any other text lines above or below it.

19.17.4. Remove the X-Virus-Scanned and the X-Virus-Status headers from all emails

After you run the tests described above and verify that the antivirus works as expected, you should remove the X-Virus-Scanned and the X-Virus-Status headers from outgoing and incoming emails, because they can give potential attackers information about clamav-milter‘s existence and version. To remove this line from the headers of all the emails, edit the /etc/clamav/clamav-milter.conf file:

nano /etc/clamav/clamav-milter.conf

Comment out the AddHeader Replace parameter like this:

#AddHeader Replace

Then restart clamav-milter:

systemctl restart clamav-milter

19.18. Install and integrate Postgrey

Postgrey is an application that implements ‘greylisting’ to fight spam. ‘Greylisting’ means that when the mail server receives a request for email delivery from an external SMTP server whose IP address is seen for the first time, it neither blacklists it, nor whitelists it. It just responds with a temporary SMTP error code, to test if the external server will try again after a few minutes, as it is required by the official RFC rules and as all the legitimate SMTP servers will do. If the external server tries again after a specified time, the email is accepted. This approach drastically reduces spam, because in general spammers use compromised mail servers to send as many spam emails as possible in a short period of time, since their behavior can be noticed, the compromised system can be patched, or their IP can be included on public blacklists. Thus, the typical spam sending SMTP server will try to deliver an email only once.

To install Postgrey run:

apt-get install postgrey

Edit the /etc/postfix/main.cf file:

nano /etc/postfix/main.cf

Uncomment the following line located at the end of the smtpd_recipient_restrictions block, before permit, to make it look like this:

smtpd_recipient_restrictions =
            ...
            check_policy_service inet:localhost:60000,
            permit

Restart Postfix:

systemctl restart postfix

Make a copy of the /etc/default/postgrey file:

cp /etc/default/postgrey /etc/default/postgrey_orig

Edit the /etc/default/postgrey file:

nano /etc/default/postgrey

Edit the POSTGREY_OPTS and the POSTGREY_TEXT directives. Make them look like this:

POSTGREY_OPTS="--inet=60000 --delay=199 --max-age=35 --auto-whitelist-clients=5"

POSTGREY_TEXT="Please come back later."

The options used in the POSTGREY_OPTS parameter are explained below:

--inet=60000 make Postgrey listen on port 60000 on localhost, both on IPv4 and IPv6;

--delay=199 reject the emails from new IPs for a minimum time span of 199 seconds;

--max-age=35 delete recorded IPs older than 35 days since the last time that they have been seen

--auto-whitelist-clients=5 whitelist a client only after the 5th successful email delivery

The text included in the POSTGREY_TEXT parameter is the customized rejection text.

Postgrey comes with two important configuration files: /etc/postgrey/whitelist_recipients and /etc/postgrey/whitelist_clients.

The /etc/postgrey/whitelist_recipients file offers a quick way to bypass all greylisting mechanisms. In this file you can include all the email addresses hosted on the server for which you want to receive emails from any external server, including potential spammers. This can be useful for public addresses that should receive emails instantly, such as postmaster@ or abuse@ (these two addresses have been already included in this file by default).

The /etc/postgrey/whitelist_clients file lets you control the whitelisting of various mail hosts. In this file you can include domains, IPs or regular expressions, to identify the mail servers that will be allowed to send emails without passing through the greylisting mechanism implemented by Postgrey, so that you can be sure that all emails coming from them will reach your mailboxes. By default, this file already contains a long list of mail servers that are known to have problems with resending emails, although they are legitimate mail servers.

You can add other domains to /etc/postgrey/whitelist_clients, such as domains that you know to be legitimate email senders, like the following:

mout.gmx.com
mail.com
aol.com
hotmail.com

Restart Postgrey:

systemctl restart postgrey

To see if Postgrey is listening to port 60000, run:

lsof -i :60000

The result should look like this:

COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
postgrey  24520 postgrey    5u  IPv6 473078      0t0  TCP localhost:60000 (LISTEN)
postgrey  24520 postgrey    6u  IPv4 473079      0t0  TCP localhost:60000 (LISTEN)

To check if Postgrey is working as expected, you can send an email from an email account hosted on an external server, to an email account hosted on the server you are configuring. If the IP of the sending server is new, you will see a line similar to the one from below, in the /var/log/mail.log file:

mail postgrey[25613]: action=greylist, reason=new, client_name=sender.com, client_address=124.124.124.124/32, sender=usernameg@senderdomain.com, recipient=admin@example.com

Also, you will receive the email after a delay of 199 seconds (3.3 minutes) or more. In the header of the received email you can notice the X-Greylist header, that will look like this:

X-Greylist: delayed 303 seconds by postgrey-1.36 at mail.example.com;

19.19. Special Postfix settings

19.19.1. Blacklist and whitelist IPs and domains with Postfix

If you want to blacklist IPs, IP ranges, domains and subdomains, so that all the emails coming from them will be rejected, you need to edit the /etc/postfix/main.cf file:

nano /etc/postfix/main.cf

Add check_client_access hash:/etc/postfix/client_checks, right below smtpd_recipient_restrictions = like this:

smtpd_recipient_restrictions =
            check_client_access hash:/etc/postfix/client_checks,
            reject_sender_login_mismatch,
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_invalid_hostname,
            ...

Next create a file called client_checks in the /etc/postfix directory:

nano  client_checks

Here, first list all the IPs, IP ranges or domains that you want rejected, and then all the IPs, IP ranges or domains that you want to whitelist, so that all the emails coming from them will be accepted, like the following:

example.com              REJECT 
123.123.123.123          REJECT
222.222.222.0/24         REJECT
2002:acf4::1             REJECT
2001:db8:1234::/48       REJECT
example2.org             OK
example3.net             OK
111.111.111.111          OK
232.232.232.0/24         OK
2002:be21::2             OK
2001:cf9:45::/48         OK

You can add an optional message to be sent by Postfix when rejecting an email like so:

example.com               REJECT     Your domain is blacklisted

Please note that when listing a domain, like example.com, with the REJECT directive, the emails from all its subdomains will also be rejected (the emails from sub1.example.com or sub2.example.com will also be rejected). In other words, listing a domain with REJECT will also blacklist its subdomains.

Next, create the lookup table file by running:

postmap client_checks

Run the postmap command again each time you modify the /etc/postfix/client_checks file.

In the situation in which you want to reject or accept the emails coming from specific email addresses, in spite of the Postfix policy for their domains or IPs, you can do so by using the check_sender_access directive. Open the /etc/postfix/main.cf file and add check_sender_access hash:/etc/postfix/sender_checks, right above check_client_access hash:/etc/postfix/client_checks, like this:

smtpd_recipient_restrictions =
       check_sender_access hash:/etc/postfix/sender_checks,
       check_client_access hash:/etc/postfix/client_checks,
       reject_sender_login_mismatch,
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_invalid_hostname,
       ...

Then create the sender_checks file in the /etc/postfix directory:

nano sender_checks

Add the email addresses that you want to blacklist/whitelist like this:

contact@example3.com    REJECT
office@example4.net     OK

This will ensure that all the emails coming from contact@example3.com will be rejected, even if the example3.com domain is whitelisted in the /etc/postfix/client_checks file. It will also ensure that all the emails coming from office@example4.net will be accepted, even if the example4.net domain is blacklisted in the /etc/postfix/client_checks file or if the IP of the example4.net domain is included in a public blacklist like zen.spamhaus.org . Then run the postmap command:

postmap  sender_checks

Run the postmap command again each time you modify the /etc/postfix/sender_checks file.

For all the changes to take effect restart Postfix:

systemctl restart postfix

Please note that for the above settings to work correctly, the check_sender_access directive has to be placed before the check_client_access directive, and both of them must be placed before all the other directives in the smtpd_recipient_restrictions block.

19.19.2. Configure alias email addresses

If you want all the emails coming to one email address to be automatically transferred to a different email address, you can do this by configuring an alias email address. For example you want all the emails received by support@somedomain.com to be sent automatically to office@anotherdomain.net. All you have to do is to use Postfix Admin to add support@somedomain.com as the alias of office@anotherdomain.net . So, log in to Postfix Admin at:

https://mail.example.com/net-pstfxdmn/public

Replace example.com with the main domain hosted on your server and net-pstfxdmn with the custom name of the Postfix Admin login page. Once logged in, go to ‘Domain List’, click on the domain of the email address that you want to set as alias, here it’s somedomain.com, next click on ‘Add Alias’, then, in the ‘Alias’ text box enter the first part of the email address that you want to set as alias, here support, then, in the ‘To’ text area enter one per line all the email addresses to which you want all the emails to be transferred; here we want all the emails to go to office@anotherdomain.net, so we’ll enter only office@anotherdomain.net . Then click on ‘Add Alias’. From now on, all the emails received by support@somedomain.com will be automatically transferred to office@anotherdomain.net.

19.19.3. Change the “From”, “Return-Path” and “X-Sender” address of outgoing emails

A very important directive in Postfix settings is the reject_sender_login_mismatch directive located in the smtpd_recipient_restrictions block, in the /etc/postfix/main.cf file. This directive prevents logged in email clients (like Roundcube), to send emails with a ‘From’ address different from the email address that they are logged in with. Without this directive in place, any user that gets logged in to Postfix with a web application like Roundcube, can change the “From” address when sending an email, to literally anything that they want, even to nonexistent addresses with nonexistent domains. In this way they can send emails impersonating existing users on the same mail server or other users on other mail servers or nonexistent users. Thus, the reject_sender_login_mismatch has a very important role, by forcing users that log in with email clients like Roundcube, to use their real email address in the ‘From’ field. They can still change the ‘From’ address in their email client, but when they try to send the email, they will receive an error telling them that the server rejected the message.

However, there can be rare cases in which you want to replace the real ‘From’, as well as the ‘Return-Path’ and ‘X-Sender’ address, with a different email address that exists on the same server. This is called ‘address rewriting’. For example, you want all the emails sent from your server from the addresses info@domain.com to appear as being sent from office@otherdomain.net. In other words, you want Postfix to rewrite the ‘From’, ‘Return-Path’ and ‘X-sender’ address for all the emails sent from info@domain.com, so that they appear as being sent from office@otherdomain.net. You can also add office@otherdomain.net as the ‘Reply-To’ address to all the emails sent from info@domain.com. To be noted that all the three email addresses are hosted on your server and the emails are sent to external email addresses, not to local ones.

To rewrite the ‘From’ and ‘X-sender’ address and to add a ‘Reply-To’ address, first make sure that the following line is present at the bottom of the /etc/postfix/main.cf file:

header_checks = regexp:/etc/postfix/header_checks

Then edit the header_checks file:

nano /etc/postfix/header_checks

Enter the following lines at the bottom of this file:

/^From:.*info@domain.com/ REPLACE From: office@otherdomain.net
/^X-Sender:.*info@domain.com/ REPLACE X-Sender: office@otherdomain.net
/^From:.*info@domain.com/ PREPEND Reply-To: office@otherdomain.net

You can add multiple similar lines for different email addresses.

Then run the postmap command:

postmap /etc/postfix/header_checks

With these configurations you replaced the ‘From’ and ‘X-Sender’ address and added a ‘Reply-To’ address to all the emails sent from info@domain.com. However, the ‘Return-Path’ address, that can be seen by any recipient in the message’s source, remained info@domain.com . To change the ‘Return-Path’ address to office@otherdomain.net , first edit the /etc/postfix/main.cf file:

nano /etc/postfix/main.cf

Add smtp_generic_maps = hash:/etc/postfix/generic-maps right below smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-sender-login-maps.cf .

Then create the generic-maps file like this:

nano /etc/postfix/generic-maps

Enter the following content in this file:

info@domain.com  office@otherdomain.net

You can enter multiple similar lines for other email addresses. If you had wanted all the emails coming from the domain.com domain to have office@otherdomain.net as ‘Return-Path’ address, you would have entered:

@domain.com  office@otherdomain.net

Run the postmap command:

postmap /etc/postfix/generic-maps

Change ownership for the new files:

cd /etc/postfix
chown root:postfix generic-maps generic-maps.db

Restart Postfix:

systemctl restart postfix

Please keep in mind that the address rewriting configured as described above works only for emails sent to external email addresses. It won’t work for emails sent to email addresses hosted on the same server. Those emails will still appear as being sent from their real sending address.

19.20. Undeserved email deliverability issues

After you install the mail server as described above, you will want to send test emails to email addresses offered by different email providers, to see if they reach their target and are not considered spam. This is a way to test if the SPF, DKIM and DMARC records are effective in prooving to external mail servers that the emails coming from your mail server are legitimate.

You can expect that all the big email providers will accept your emails in the ‘Inbox’ (where they belong), with the exception of Microsoft and Yahoo. Even if your mail server is perfectly configured and your server’s IP is not included on any public blacklist, it can still be included on private black lists (or block lists), without your fault. Big companies like Microsoft or Yahoo have their own private blacklists, in which they include IPs and even entire IP ranges, based on criteria that they keep for themselves. Your IP can be included on such a private blacklist because in the past, other users used that IP to send spam, or just because it is part of a range of IPs that were identified as spam-sending IPs, or even because your IP is part of a range of IPs that have been known to be dynamically allocated and not static IPs. There may be also other reasons. So, even if you made absolutely no mistake and your mail server is perfectly configured, your emails can be automatically filtered as spam by Yahoo, or they can be even rejected by Microsoft, with an ‘Undelivered Mail Returned to Sender’ message similar to this:

hotmail-com.olc.protection.outlook.com[104.47.58.33] said: 550 5.7.1
    Unfortunately, messages from [123.123.123.123] weren't sent. Please contact
    your Internet service provider since part of their network is on our block
    list (S3150). You can also refer your provider to
    http://mail.live.com/mail/troubleshooting.aspx#errors.

where 123.123.123.123 is the IP of your server.

The first thing to do in this situation, is to try to delist your IP from the private blacklists of the two providers.

If your emails are rejected by ‘office.com’ email accounts, you can try to delist your IP on the delisting portal available at: https://sender.office.com . However, if your emails are rejected by ‘hotmail.com’/’live.com’/’outlook.com’ email accounts, or by ‘yahoo.com’ emails accounts, you should send a support request by filling a form, as shown below:

For Microsoft, the support form is:

https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&locale=en-us&ccsid=635900597399910848

For Yahoo, the support form is:

https://io.help.yahoo.com/contact/index?page=contactform&locale=en_US&token=Zh/BBVqXzLHlIbokbUqVWTUbuuQeXGkGnZzhKR2JQ4O6mMQdy9JSWdtWFXvjthcYCRj9bUIFfycOfG+4GOHPHoOGa8HwDO2+0kYRtTcdR8O13Mvs9cOruJ0TlC3hh4bCEtPlZ0yk7fvp1MFjGnAOWw==&selectedChannel=email-icon&guccounter=1

In these forms you should explain shortly that you rented the server recently, that you didn’t send any bulk emails, that you just sent test emails and that they should remove your IP from their blacklist, because all your emails are rejected / filtered as spam by their mail servers.

You will receive an answer after about one day. If they refuse to delist your IP you should insist. They can ask you to prove that you acquired the IP recently by attaching the first invoice from your hosting provider and a PDF file with the email that the hosting provider sent you when you signed up with them, confirming the opening of your account. You can send them these documents after you remove your personal data from them. If they refuse to delist your IP, you can insist, stressing that you rented the server with that IP only a short time before and that you didn’t send any bulk emails.

If even after your explanations, they refuse to delist your IP, the nest step is to open a support ticket with the company that you rented your server from. You should explain the same things to them, insisting that you only sent test emails, that the server is perfectly configured and that other major email providers accept your emails in the Inbox. You should urge them to contact Microsoft/Yahoo support and ask that they delist your IP or the IP range to which your IP belongs, because this situation was not caused by any mistakes on your part and it impairs your email communication.

Depending on your experience with Microsoft and Yahoo support, you can even display a message similar to the following, on your newsletter subscription page (if you have one):

“We recommend that you sign up with an email address with a different domain than: hotmail.com, live.com, outlook.com or yahoo.com. Apart from the privacy concerns that they arise, these types of email accounts are known for rejecting perfectly legitimate emails or tagging them as spam.”

It’s possible that even aol.com accounts can filter the emails coming from your server as spam, but after the user marks an email as ‘Not spam’ (by clicking on the OK sign in the upper bar), all the emails that will follow will land in the ‘Inbox’.

19.20.1. UCEPROTECTL3 blacklist

If you find that your server’s IP has ended up on the UCEPROTECTL3 blacklist (uceprotect.net), you should know that this is not a serious blacklist and that it is not taken into account by many mail server administrators. However, it seems that it is taken into account by Microsoft’s mail servers, which makes it problematic. If your IP is only included on the UCEPROTECT Level 3 blacklist and not on the Level 2 or Level 1 blacklists, it means that you didn’t send any spam but other IPs in the same range as your IP were caught sending spam. By including your IP on the Level 3 blocklist, they try to make you complain to your ISP, and in this way, the ISP might feel pressured to take action against the spam sending IPs from the IP ranges that they control. This strategy would seem legit if Uceprotect-Network didn’t have a very questionable way of delisting IPs on request: they ask money for every IP that wants to be delisted, in spite of the fact that it didn’t do anything wrong. This way of asking for money in exchange for delisting IPs, which none of the reputable public blacklists practice, is very questionable. In no circumstance should you pay to have your IP delisted from a blacklist like UCEPROTECTL3.

The solution to this problem is to contact your hosting provider and describe the situation, pointing out that according to UCEPROTECT’s own words, you didn’t send any spam, but other IPs from the same range, did. Your hosting provider may contact UCEPROTECT to ask for delisting, or the delisting may happen automatically, if no IPs in the same range as yours, will be caught sending spam within a certain period of time.

You can send your questions and comments to: