The original was published on a personal site, GitDiG.com; link to the original text: 9102, Play Mail System Again: Installation.
This article was meant to be the middle installment of a series on the mail system in 9102, but it ended up being written first. The series will consist of the following three articles:
- [ ] 9102, Play Mail System Again: Principles
- [x] 9102, Play Mail System Again: Installation
- [ ] 9102, Play Mail System Again: Extensions
Because this installment is being published first, a schematic diagram of the whole system is given here so that readers can quickly get an overall picture of the mail system:
The following records the complete installation of the mail system, using Postfix + Dovecot and keeping the installation simple by not using a database.
1. Cloud Service Provider Selection
At present, cloud providers in China do not open port 25 on ECS virtual machines by default, which means the SMTP service cannot work normally. Both Alibaba Cloud and Tencent Cloud provide an application process through which port 25 can be opened, but even then traffic in and out of port 25 remains restricted. Some foreign cloud providers block port 25 as well and some do not; after weighing the options, I chose the virtual machines offered by Linode. Linode also provides a very detailed mail system deployment guide:
Because I need to integrate my own account system, the MySQL database is omitted here in favour of the simplest possible configuration.
2. System Environment Configuration
Choose the Linode 4 GB plan with Ubuntu 19.04 as the operating system.
2.1 Host Firewall Settings
After the host is up, set up the host firewall first. On Ubuntu 19.04 the firewall is managed with the ufw tool, which is off by default.

```
$: ufw status
Status: inactive
# View the ports currently being listened on
$: netstat -ltpn
```

The security policy can be configured while the firewall is still off, and the firewall is turned on once the configuration is complete. The policy is set as follows:

```
# The SSH port this machine listens on: 1122
$: ufw allow 1122/tcp
# Default policy for outgoing and incoming traffic
$: ufw default allow outgoing
$: ufw default deny incoming
# HTTP/HTTPS ports, needed for certificate issuance
$: ufw allow http/tcp
$: ufw allow https/tcp
# Mail ports
$: ufw allow smtp/tcp
$: ufw allow smtps/tcp
$: ufw allow imap/tcp
$: ufw allow imaps/tcp
$: ufw allow 995/tcp
$: ufw allow 587/tcp
# Enable the firewall; confirm first that the SSH port rule matches the port sshd actually listens on
$: ufw enable
# Query the firewall status
$: ufw status
Status: active

To                         Action      From
--                         ------      ----
1122/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
465/tcp                    ALLOW       Anywhere
143/tcp                    ALLOW       Anywhere
993/tcp                    ALLOW       Anywhere
995/tcp                    ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
1122/tcp (v6)              ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
465/tcp (v6)               ALLOW       Anywhere (v6)
143/tcp (v6)               ALLOW       Anywhere (v6)
993/tcp (v6)               ALLOW       Anywhere (v6)
995/tcp (v6)               ALLOW       Anywhere (v6)
587/tcp (v6)               ALLOW       Anywhere (v6)
```

Two points to check before `ufw enable`: compare the SSH rule against the output of `netstat -ltpn`, since a mismatch locks you out of the host; and note that the plain IMAP port 143 is opened here even though the Dovecot configuration in section 4.5.5 later disables the non-TLS IMAP and POP3 listeners, so the `imap/tcp` rule can be left out if you only ever serve IMAPS and POP3S.
2.2 Domain Name Service Settings
Because a mail service depends heavily on DNS, it is recommended to delegate the domain to Linode's nameservers via NS records and manage it there. Once the domain is delegated, first create the host record, for example mail.example.org.

Verify that the A record for the host resolves to the IP address of this machine.

```
# Verify A record resolution
$: systemd-resolve mail.example.org
```

Once that resolves correctly, add the corresponding MX record: `example.org MX 10 mail.example.org`.

```
# Verify MX record resolution
$: systemd-resolve -t mx example.org
example.org IN MX 10 mail.example.org
```

Also set the reverse DNS (PTR) record of the machine's IP to mail.example.org in the Linode control panel; many receiving servers check that the connecting IP's PTR record matches the forward A record, and a missing or mismatched PTR hurts deliverability as much as a missing SPF record.
2.3 Hostname Settings
First, set the hostname with the hostnamectl command.

```
$: hostnamectl set-hostname mail
```

Then edit the /etc/hosts file as follows:

```
127.0.0.1 localhost.localdomain localhost
xx.xx.xx.xx mail.example.org mail
```

Where xx.xx.xx.xx is the host's public IP address.
3. Certificate Installation
Certificates are installed with the automated tooling provided by Let's Encrypt; refer to the installation guide:

Here is a quick record of the process:

```
# Install the tools
$: apt install certbot python-certbot-nginx
# Configure certificates automatically; confirm first that the HTTP port is open in the firewall
$: certbot --nginx
```

During the run, enter the domain name example.org, answer Y, and the certificate is installed automatically. After installation the certificate is stored in the /etc/letsencrypt/live/example.org/ directory.

Two caveats. The nginx plugin needs nginx installed and reachable on port 80 for the HTTP challenge. More importantly, the certificate must cover the name that mail clients connect to: the Postfix and Dovecot configuration below serves this certificate on mail.example.org, so request it for both names (`certbot --nginx -d example.org -d mail.example.org`) or clients will see a hostname mismatch. Postfix and Dovecot only read the certificate files at startup, so after each renewal they need to be reloaded; certbot's `--deploy-hook` option can run `systemctl reload postfix dovecot` for this.
4. Mail System
The simplest installation scheme, Postfix + Dovecot, consists mainly of:
- The postfix service provides the SMTP service and delivers incoming mail into the Maildir-format directory belonging to the specified user account.
- The dovecot service provides the IMAP service: it reads mail from the Maildir-format directory of the specified user account and serves it to the user's client over IMAP.
- Client authentication, for both sending and receiving, is handled by the SASL authentication service provided by Dovecot.
4.1 Service Installation
Install the necessary packages:

```
$: apt-get install postfix dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd
```

The version of a given package can be checked with `apt show [pkgname]`. During the Postfix installation, choose the mail server type "Internet Site" when prompted and set the system mail name (FQDN) to example.org.

Once the installation completes, the Postfix and Dovecot services are started. The listening ports can be checked with `netstat -ltpn`.
4.2 maildir preparation
The Maildir directory is the storage shared between the postfix and dovecot services. This simplest configuration does not consider the distributed storage that multiple MTAs would require; the Maildir storage directory and its permissions are set up locally.

```
# Create the directory
$: mkdir -p /var/mail/vhosts/example.org
# Permission settings
$: groupadd -g 5000 vmail
$: useradd -g vmail -u 5000 vmail -d /var/mail
$: chown -R vmail:vmail /var/mail
```
4.3 Mailbox Account
Besides mail storage, the other key piece of data to prepare is the mailbox accounts. Both Postfix and Dovecot provide flexible lookup interfaces so that users can integrate their own account systems.
4.3.1 Postfix data preparation
Postfix supports a large number of lookup table types for integrating external data. The types supported by the installed build can be listed with the following command:

```
$: postconf -m
btree
cidr
environ
fail
hash
inline
internal
memcache
nis
pipemap
proxy
randmap
regexp
socketmap
static
tcp
texthash
unionmap
unix
```

For how each of these types is used, refer to the documentation: Postfix Lookup Table Overview.
Here we use the simplest lookup type, hash (a plain text file compiled with postmap), to prepare the account data. The virtual mailbox data to prepare includes:
- List of virtual domain names
- List of virtual mailbox accounts
- List of virtual mailbox aliases
Now prepare the simplest version of each:

```
# Switch to the /etc/postfix directory
$: cd /etc/postfix
# Virtual domain list, format: <domain><space><value>
$: cat <<EOF > /etc/postfix/virtual_domains
example.org OK
EOF
# Virtual mailbox account list, format: <mailbox><space><maildir path>
$: cat <<EOF > /etc/postfix/virtual_mailboxes
admin@example.org example.org/admin/
foo@example.org example.org/foo/
bar@example.org example.org/bar/
EOF
# Virtual mailbox alias list, format: <alias-mailbox><space><mailbox>
$: cat <<EOF > /etc/postfix/virtual_aliases
postmaster@example.org admin@example.org
EOF
```

With the data in place, compile the files above into hash tables:

```
$: cd /etc/postfix
$: postmap /etc/postfix/virtual_domains
$: postmap /etc/postfix/virtual_mailboxes
$: postmap /etc/postfix/virtual_aliases
```

Afterwards three files have been added to the directory: virtual_domains.db, virtual_mailboxes.db and virtual_aliases.db. Remember to rerun postmap whenever one of the source files is edited; Postfix reads the .db files, not the text.

The lookups can then be verified with the postmap command:

```
$: cd /etc/postfix
$: postmap -q "foo@example.org" virtual_mailboxes
example.org/foo/
```

Verification succeeded. Other lookup table types can be queried with the same command. I have also written a small project, tcp-lookup, which can be extended into a local service for integrating data through the tcp table type.
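To make the tcp lookup type concrete, here is an added example (not code from the original article, and not the author's tcp-lookup project) of a minimal responder that speaks the Postfix tcp_table(5) protocol: Postfix sends `get <key>` lines and expects `200 <value>`, `500 <reason>` for a miss, or `400 <reason>` for a temporary error, with whitespace, `%` and non-printable characters %XX-encoded in both directions. The table contents, the host and the port number 8765 are constructed for the demonstration.

```python
"""Minimal Postfix tcp_table(5) responder serving a virtual_mailbox_maps lookup.

Added example; not from the original article or from the tcp-lookup project.
"""
import socketserver
from urllib.parse import unquote

# Constructed sample data: the same three mailboxes as /etc/postfix/virtual_mailboxes.
VIRTUAL_MAILBOXES = {
    "admin@example.org": "example.org/admin/",
    "foo@example.org": "example.org/foo/",
    "bar@example.org": "example.org/bar/",
}


def tcp_encode(text: str) -> str:
    """%XX-encode whitespace, '%' and non-printable characters, as tcp_table(5) requires."""
    out = []
    for ch in text:
        if ch in " \t%" or not ch.isprintable():
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def tcp_decode(text: str) -> str:
    """Reverse of tcp_encode: %XX sequences back to characters."""
    return unquote(text)


def handle_request(line: str, table: dict) -> str:
    """Answer one request line; returns the reply line without the trailing newline."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if parts[0] == "get" and len(parts) == 2:
        # Fold the key to lower case, matching the case-insensitive hash: table.
        key = tcp_decode(parts[1]).lower()
        value = table.get(key)
        if value is None:
            return "500 no such key"
        return "200 " + tcp_encode(value)
    if parts[0] == "put":
        # A read-only table must refuse update requests.
        return "500 put request rejected"
    return "400 unrecognized request"


class TcpTableHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix keeps the connection open and sends one request per line.
        for raw in self.rfile:
            reply = handle_request(raw.decode("utf-8", "replace"), VIRTUAL_MAILBOXES)
            self.wfile.write((reply + "\n").encode("utf-8"))
            self.wfile.flush()


def serve(host: str = "127.0.0.1", port: int = 8765) -> None:
    # Bind to loopback only: the tcp table protocol has no authentication,
    # so the endpoint must never be reachable from the network.
    with socketserver.ThreadingTCPServer((host, port), TcpTableHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

With the responder running, `postmap -q foo@example.org tcp:127.0.0.1:8765` should print `example.org/foo/`, and `virtual_mailbox_maps = tcp:127.0.0.1:8765` in main.cf would make Postfix use it. The Postfix documentation warns that tcp tables are only as trustworthy as the network path to them, which is why the example listens on 127.0.0.1 and rejects `put`.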
4.3.2 dovecot data preparation
For Dovecot, data integration is described in the official documentation: PasswordDatabase. Since this is the simplest installation, the simplest integration method is used. The data Dovecot needs is:
- Virtual account password information
- Virtual account storage information
As with Postfix, the data is prepared as a file. Prepare the account password data first, using the passwd-file format:

```
$: cd /etc/dovecot
$: cat <<EOF > /etc/dovecot/virtal-mailbox-passwd
admin@example.org:{PLAIN}admin::::::
foo@example.org:{PLAIN}123456::::::
bar@example.org:{PLAIN}654321::::::
EOF
```

The {PLAIN} scheme stores the passwords in clear text, which is acceptable for a first test but not for a real deployment: anyone who can read the file owns every mailbox. Dovecot accepts salted hash schemes in the same file (for example `doveadm pw -s SSHA512 -p 'password'` prints a `{SSHA512}...` value that can be used in place of the `{PLAIN}...` field), and the PLAIN/LOGIN SASL mechanisms configured below still work with hashed storage because the client sends the password over TLS and Dovecot hashes it for comparison.

As for the account storage data, it can be configured statically in Dovecot; see the Dovecot configuration section for details.
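As an added example (not code from the original article), the following Python script generates passwd-file entries with Dovecot's {SSHA512} scheme instead of {PLAIN}. The layout it produces, base64 of SHA-512(password || salt) followed by the salt, is the one Dovecot's SSHA512 scheme uses and the one `doveadm pw -s SSHA512` prints; the account names and passwords are constructed sample data.

```python
"""Generate Dovecot passwd-file entries with salted SHA-512 ({SSHA512}) passwords.

Added example, not from the original article. Layout: {SSHA512} followed by
base64(SHA512(password || salt) || salt), which is what Dovecot's SSHA512 scheme
and 'doveadm pw -s SSHA512' produce.
"""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

SCHEME = "{SSHA512}"
DIGEST_LEN = 64  # SHA-512 digest size; everything after it in the decoded value is the salt


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA512} password field for the passwd-file."""
    if salt is None:
        salt = os.urandom(8)  # random per-password salt, as doveadm does
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA512} field (what Dovecot does at login)."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # constant-time comparison, so a wrong guess does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


def passwd_file_line(user: str, password: str) -> str:
    """One passwd-file line: user:password:uid:gid:gecos:home:shell:extra.

    uid, gid and home come from the static userdb in auth-passwdfile.conf.ext,
    so the remaining fields are left empty, as in the article's file.
    """
    return "%s:%s::::::" % (user, make_ssha512(password))


def build_passwd_file(accounts: Iterable[Tuple[str, str]]) -> str:
    return "".join(passwd_file_line(u, p) + "\n" for u, p in accounts)


if __name__ == "__main__":
    # Constructed sample accounts; replace with real ones and write to the passwd-file.
    sample = [
        ("admin@example.org", "admin-secret"),
        ("foo@example.org", "foo-secret"),
        ("bar@example.org", "bar-secret"),
    ]
    print(build_passwd_file(sample), end="")
```

Write the output to the passwd-file referenced by the passdb block, keep the file readable only by the Dovecot auth process, and the rest of the configuration stays unchanged.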
4.4 postfix configuration
Postfix mainly provides the mail receiving service and delivers local mail into the Maildir-format directory of the corresponding user account. For historical reasons Postfix was originally built around native system accounts (Unix accounts); later it added support for virtual accounts, which have no corresponding system account on the local machine. For the official minimal configuration refer to: virtual_mailbox.
The configuration used here is the one provided by Linode, which is fairly complete for a mail system: it adds the necessary anti-spam policies and Dovecot SASL authentication, and only the parts concerning MySQL user accounts are reconfigured. The process is recorded below:

```
# Back up the default configuration
$: cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
```

Edit /etc/postfix/main.cf as follows:

```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/example.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.org/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# Restrictions
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        reject_unauth_destination
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination

myhostname = example.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = example.org
myorigin = $mydomain
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Virtual domain / account / alias data integration
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailboxes
virtual_alias_maps = hash:/etc/postfix/virtual_aliases

# Local delivery - delivery service provided by dovecot
# virtual_transport = lmtp:unix:private/dovecot-lmtp
# Local delivery - use a custom delivery program
# virtual_transport = maildrop
# Default local delivery - postfix's own virtual(8) delivery agent needs the following
virtual_mailbox_base = /var/mail/vhosts
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

# Even more restrictions and MTA params
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
#smtpd_etrn_restrictions = reject
#smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_recipient = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 1
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h

# Reply rejection codes
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
```

Note that `mydomain` must be the same domain as everywhere else (the original draft had example.com here by mistake). `myhostname` is what Postfix announces in its banner and HELO; setting it to mail.example.org, the name that matches the host's A record, PTR record and certificate, is the more conventional choice and avoids HELO checks at receiving servers.
Next, enable ports 465 and 587 of the smtpd service, i.e. the smtps and submission ports. Edit /etc/postfix/master.cf as follows:

```
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
...
```

Both client-facing ports only accept mail from authenticated clients (`permit_sasl_authenticated,reject`), and on submission `smtpd_tls_security_level=encrypt` forces STARTTLS before authentication; port 25 stays reserved for inbound mail from other servers. When the configuration is complete, restart the service: `systemctl restart postfix`.
4.5 dovecot configuration
The Dovecot configuration is laid out a bit like nginx: different kinds of settings live in different files, which are included from the main configuration file.
For this installation, back up the relevant configuration files first, then configure them one by one.

```
# Back up the configuration files that will be modified
$: sudo cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
$: sudo cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
$: sudo cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
$: sudo cp /etc/dovecot/conf.d/15-mailboxes.conf /etc/dovecot/conf.d/15-mailboxes.conf.orig
$: sudo cp /etc/dovecot/conf.d/auth-passwdfile.conf.ext /etc/dovecot/conf.d/auth-passwdfile.conf.ext.orig
$: sudo cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig
$: sudo cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig
```
4.5.1 Open Service
Edit the main configuration file /etc/dovecot/dovecot.conf to enable the imap, pop3 and lmtp protocol services.

```
...
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap pop3 lmtp
...
```
4.5.2 Mail Storage
Edit /etc/dovecot/conf.d/10-mail.conf to configure the mail store. The `%d/%n` layout (domain, then local part) matches the `example.org/foo/` paths in the Postfix virtual_mailboxes table.

```
...
mail_location = maildir:/var/mail/vhosts/%d/%n/
...
mail_privileged_group = mail
...
```
4.5.3 Authentication Configuration
Edit /etc/dovecot/conf.d/10-auth.conf to configure authentication.

```
...
disable_plaintext_auth = yes
...
auth_mechanisms = plain login
...
!include auth-system.conf.ext
...
!include auth-passwdfile.conf.ext
...
```

`disable_plaintext_auth = yes` means the PLAIN and LOGIN mechanisms are only offered on TLS connections. One thing to check: the auth-system.conf.ext include shown above keeps the system-account (PAM) passdb active alongside the passwd-file, so every local Unix account on the host could also log in to IMAP with its system password. If only virtual accounts should have mailboxes, comment that include out and keep only the passwd-file one.

Since this is the simplest configuration, /etc/dovecot/conf.d/auth-passwdfile.conf.ext is used for the user authentication configuration. Edit it as follows:

```
...
passdb {
  driver = passwd-file
  args = /etc/dovecot/virtal-mailbox-passwd
}
userdb {
  driver = static
  args = uid=5000 gid=5000 home=/var/mail/vhosts/%d/%n
}
...
```

This configures both the user authentication data and the user storage path.
4.5.4 Directory Permission Settings
Set permissions on the /etc/dovecot directory so that the password file is not world-readable.

```
$: sudo chown -R vmail:dovecot /etc/dovecot
$: sudo chmod -R o-rwx /etc/dovecot
```

This is the permission scheme from the Linode guide. It is broader than strictly necessary: the file the auth process actually needs is the passwd-file, and giving the vmail user (which owns all mail data) write access to the whole Dovecot configuration tree means a compromise of the mail-handling user can also rewrite the server configuration. Narrowing ownership to the passwd-file alone is a reasonable hardening step.
4.5.5 Close unsafe ports
Open /etc/dovecot/conf.d/10-master.conf and disable the non-TLS ports of pop3 and imap (`port = 0` turns a listener off).

```
...
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  ...
}
...
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
...
```
4.5.6 Open dovecot local delivery
Configure this now even though, on the Postfix side, we use Postfix's default local delivery agent. Open /etc/dovecot/conf.d/10-master.conf and modify it as follows:

```
...
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    #mode = 0666
    mode = 0600
    user = postfix
    group = postfix
  }
  ...
}
```
4.5.7 Turn on dovecot SASL authentication
Open /etc/dovecot/conf.d/10-master.conf and modify it as follows. The `private/auth` socket is the one Postfix's `smtpd_sasl_path = private/auth` refers to (relative to the Postfix queue directory):

```
...
service auth {
  ...
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  ...
  user = dovecot
}
...
service auth-worker {
  ...
  user = vmail
}
...
```

Configure the TLS certificate: open /etc/dovecot/conf.d/10-ssl.conf and modify it as follows (the leading `<` tells Dovecot to read the file contents):

```
...
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
...
ssl_cert = </etc/letsencrypt/live/example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.org/privkey.pem
```
4.5.8 Set Mailbox Default Folder
Open /etc/dovecot/conf.d/15-mailboxes.conf and modify it as follows:

```
...
namespace inbox {
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }

  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  ...
}
```

After completing the above configuration, restart the service: `systemctl restart dovecot`.
5. DNS domain name reconfiguration
At this point you can configure your account in a mail client and send and receive mail. However, for outgoing mail to be accepted, the domain's DNS needs further configuration to establish the reputation of the mail service.
These records are no longer optional: SPF and DKIM are required.
5.1 Tool Installation
Before configuring, extend the mail server by installing the necessary packages:

```
$: apt-get install opendkim opendkim-tools postfix-policyd-spf-python postfix-pcre
# Add the postfix user to the opendkim group
$: adduser postfix opendkim
```
5.2 spf Configuration
5.2.1 Increase spf records
On the DNS server, add a TXT record for example.org with the content `v=spf1 a:mail.example.org -all` (note the space before `-all`; without it the record is syntactically invalid). This authorises only the address of mail.example.org to send mail for the domain and tells receivers to reject everything else.
5.2.2 Turn on spf validation
- Open /etc/postfix-policyd-spf-python/policyd-spf.conf and modify the following settings (with both set to False the policy daemon only adds a Received-SPF header instead of rejecting mail, which is a safe way to start):

```
...
HELO_reject = False
Mail_From_reject = False
...
```

- Open /etc/postfix/main.cf and add the following configuration:

```
...
policyd-spf_time_limit = 3600
...
smtpd_recipient_restrictions =
        ...
        reject_unauth_destination,
        check_policy_service unix:private/policyd-spf,
        ...
...
```

- Open /etc/postfix/master.cf and add the following service:

```
...
policyd-spf  unix  -       n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
```

Keep `check_policy_service` after `reject_unauth_destination`, as shown, so the SPF check is never the thing standing between the server and an open relay. After configuring, restart the service: `systemctl restart postfix`.
5.3 dkim configuration
5.3.1 Generate dkim
Before adding a DKIM record to DNS, the record data has to be generated. The steps are as follows:
- Configure /etc/opendkim.conf as follows (it can be copied directly):

```
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002
# OpenDKIM user
# Remember to add user postfix to group opendkim
UserID                  opendkim

# Map domains in From addresses to keys used to sign messages
KeyTable                /etc/opendkim/key.table
SigningTable            refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList      /etc/opendkim/trusted.hosts
InternalHosts           /etc/opendkim/trusted.hosts

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              no
#ADSPAction             continue
AutoRestart             yes
AutoRestartRate         10/1M
Background              yes
DNSTimeout              5
SignatureAlgorithm      rsa-sha256

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

# Define the location of the Socket and PID files
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
PidFile                 /var/run/opendkim/opendkim.pid
```

- Prepare the directories and permissions

```
$: chmod u=rw,go=r /etc/opendkim.conf
$: mkdir /etc/opendkim
$: mkdir /etc/opendkim/keys
$: chown -R opendkim:opendkim /etc/opendkim
$: chmod go-rw /etc/opendkim/keys
```

- Add the signing configuration /etc/opendkim/signing.table as follows (every From address at example.org is signed with the key named "example"):

```
*@example.org example
```

- Add the key configuration /etc/opendkim/key.table as follows (format: key name, then domain:selector:private key path):

```
example example.org:201907:/etc/opendkim/keys/example.private
```

- Add the trusted hosts /etc/opendkim/trusted.hosts as follows (mail from these hosts is signed rather than verified):

```
127.0.0.1
::1
localhost
mail
mail.example.org
example.org
```

- Generate the DKIM key pair

```
$: chown -R opendkim:opendkim /etc/opendkim
$: chmod -R go-rwx /etc/opendkim/keys
$: cd /etc/opendkim/keys
$: opendkim-genkey -b 2048 -h rsa-sha256 -r -s 201907 -d example.org -v
$: mv 201907.private example.private
$: mv 201907.txt example.txt
$: cd /etc
$: chown -R opendkim:opendkim /etc/opendkim
$: chmod -R go-rw /etc/opendkim/keys
```

At this point the generated DKIM record is in /etc/opendkim/keys/example.txt, and the private key in example.private must stay readable only by the opendkim user, since anyone holding it can sign mail as the domain.
Restart the opendkim service: `systemctl restart opendkim`.
5.3.2 DNS Configuration dkim
Configuring DKIM in DNS is simple: it is a single TXT record. Its contents, however, come from the file generated in the previous step.
Taking the example from the official documentation, the generated /etc/opendkim/keys/example.txt looks like this:

```
201907._domainkey IN TXT ( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "
  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5oIUrFDWZK7F4thFxpZa2or6jBEX3cSL6b2TJdPkO5iNn9vHNXhNX31nOefN8FksX94YbLJ8NHcFPbaZTW8R2HthYxRaCyqodxlLHibg8aHdfa+bxKeiI/xABRuAM0WG0JEDSyakMFqIO40ghj/h7DUc/4OXNdeQhrKDTlgf2bd+FjpJ3bNAFcMYa3Oeju33b2Tp+PdtqIwXR"
  "ZksfuXh7m30kuyavp3Uaso145DRBaJZA55lNxmHWMgMjO+YjNeuR6j4oQqyGwzPaVcSdOG8Js2mXt+J3Hr+nNmJGxZUUW4Uw5ws08wT9opRgSpn+ThX2d1AgQePpGrWOamC3PdcwIDAQAB" ) ; ----- DKIM key 201510 for example.com
```

The record name is `201907._domainkey` under example.org (the selector from key.table followed by `._domainkey`). When entering the record in DNS, the quoted strings are concatenated into one value and one edit is needed: `h=rsa-sha256` becomes `h=sha256`. The reason is that the `-h` option of opendkim-genkey takes hash algorithm names for the `h=` tag, and `rsa-sha256` is a signature algorithm name, not a hash; running `opendkim-genkey ... -h sha256` produces a correct tag directly. The record value to configure is:

```
v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5oIUrFDWZK7F4thFxpZa2or6jBEX3cSL6b2TJdPkO5iNn9vHNXhNX31nOefN8FksX94YbLJ8NHcFPbaZTW8R2HthYxRaCyqodxlLHibg8aHdfa+bxKeiI/xABRuAM0WG0JEDSyakMFqIO40ghj/h7DUc/4OXNdeQhrKDTlgf2bd+FjpJ3bNAFcMYa3Oeju33b2Tp+PdtqIwXRZksfuXh7m30kuyavp3Uaso145DRBaJZA55lNxmHWMgMjO+YjNeuR6j4oQqyGwzPaVcSdOG8Js2mXt+J3Hr+nNmJGxZUUW4Uw5ws08wT9opRgSpn+ThX2d1AgQePpGrWOamC3PdcwIDAQAB
```
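The manual editing above is easy to get wrong (a dropped character in the key, a stray quote, the h= tag left as-is). As an added example, not code from the original article or from OpenDKIM, the following Python script parses the BIND-style .txt file that opendkim-genkey writes, joins the quoted strings, corrects the h= tag and checks that the p= value is a base64-encoded DER SubjectPublicKeyInfo of the expected shape before printing the one-line TXT value. The embedded input is the example.txt from the article, used here as constructed sample data.

```python
"""Turn an opendkim-genkey .txt file into a one-line DNS TXT value and sanity-check it.

Added example, not from the original article or from OpenDKIM. SAMPLE_TXT is the
example.txt shown in the article, embedded here as sample input.
"""
import base64
import re

SAMPLE_TXT = '''201907._domainkey IN TXT ( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "
  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5oIUrFDWZK7F4thFxpZa2or6jBEX3cSL6b2TJdPkO5iNn9vHNXhNX31nOefN8FksX94YbLJ8NHcFPbaZTW8R2HthYxRaCyqodxlLHibg8aHdfa+bxKeiI/xABRuAM0WG0JEDSyakMFqIO40ghj/h7DUc/4OXNdeQhrKDTlgf2bd+FjpJ3bNAFcMYa3Oeju33b2Tp+PdtqIwXR"
  "ZksfuXh7m30kuyavp3Uaso145DRBaJZA55lNxmHWMgMjO+YjNeuR6j4oQqyGwzPaVcSdOG8Js2mXt+J3Hr+nNmJGxZUUW4Uw5ws08wT9opRgSpn+ThX2d1AgQePpGrWOamC3PdcwIDAQAB" ) ; ----- DKIM key 201907 for example.org
'''


def join_txt_strings(zone_text: str) -> str:
    """Concatenate the quoted strings of a BIND-style TXT record into one value."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DKIM record into an ordered dict."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")  # partition: base64 may contain '='
        tags[key.strip()] = value.strip()
    return tags


def fix_hash_tag(tags: dict) -> dict:
    """opendkim-genkey -h takes hash names; 'rsa-sha256' in h= is not valid DKIM syntax."""
    if "h" in tags:
        tags["h"] = ":".join(h.replace("rsa-", "") for h in tags["h"].split(":"))
    return tags


def public_key_is_rsa_spki(p: str) -> bool:
    """Check that p= decodes to a DER SEQUENCE whose length covers the whole key.

    A 2048-bit RSA SubjectPublicKeyInfo starts 30 82 LL LL; a truncated or
    mistyped base64 string fails either the decode or the length check.
    """
    try:
        der = base64.b64decode(p, validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    if len(der) < 4 or der[0] != 0x30 or der[1] != 0x82:
        return False
    return int.from_bytes(der[2:4], "big") + 4 == len(der)


def build_record(zone_text: str) -> str:
    """Return the single-line TXT value to paste into DNS, or raise on a bad key."""
    tags = fix_hash_tag(parse_tags(join_txt_strings(zone_text)))
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    if not public_key_is_rsa_spki(tags.get("p", "")):
        raise ValueError("p= is not a well-formed RSA public key")
    return "; ".join("%s=%s" % kv for kv in tags.items())


if __name__ == "__main__":
    print(build_record(SAMPLE_TXT))
```

Run it against the real /etc/opendkim/keys/example.txt by reading the file into `build_record`; the printed value is what goes into the `201907._domainkey` TXT record, and the DER check catches a key that was truncated while copying.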
Once the DNS record has propagated, verify that the DKIM configuration is correct with the following command:

```
$: opendkim-testkey -d example.org -s 201907
```

Success produces no output (add `-v` to have it print `key OK`); any problem with the record is reported on stderr.
5.3.3 Enable dkim
DKIM signing is added to Postfix through the milter interface. For the underlying mechanism refer to: MILTER_README.
The steps for integrating the DKIM tool are as follows:
- Create the directory for the UNIX-domain socket (inside the Postfix queue directory so that chrooted smtpd processes can reach it)

```
$: mkdir /var/spool/postfix/opendkim
$: chown opendkim:postfix /var/spool/postfix/opendkim
```

- Modify the opendkim defaults file /etc/default/opendkim as follows:

```
...
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"
#SOCKET="inet:54321" # listen on all interfaces on port 54321
#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
...
```

- Add the milter configuration to Postfix by modifying /etc/postfix/main.cf as follows (the socket path is relative to the Postfix queue directory):

```
# Milter configuration
# OpenDKIM
milter_default_action = accept
# Postfix >= 2.6 milter_protocol = 6, Postfix <= 2.5 milter_protocol = 2
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock
```

`milter_default_action = accept` means mail is still delivered if OpenDKIM is down; outgoing mail sent during that time simply goes out unsigned. After configuring, restart the services:

```
$: systemctl restart opendkim
$: systemctl restart postfix
```
5.4 Optional Configuration
Once SPF and DKIM are in place, further DNS records can be added, but they are optional. The configuration is simple and can be taken directly from the ADSP and DMARC sections of the Linode documentation. Of the two, DMARC is the one worth adding: it tells receivers what to do when SPF and DKIM fail and where to send reports, whereas ADSP (RFC 5617) has been reclassified as Historic and is ignored by most receivers.
6. Summary
The configuration above is valid as written; the only thing to change is to replace the mail domain example.org with the target domain. To verify the whole setup, send a message to a Gmail address and open "Show original" on the received message: the header summary there shows whether SPF and DKIM passed for the sending domain.