# Email server setup script

This script installs an email server with all the features required on the
modern web.

I've linked this file on Github to a shorter, more memorable address on my
website so you can get it on your machine with this short command:

```sh
curl -LO lukesmith.xyz/emailwiz.sh
```

Note that `curl` defaults to plain HTTP when no scheme is given; use
`https://lukesmith.xyz/emailwiz.sh` to fetch the script over TLS, and read
through it before running it, since it runs as root and rewrites your Postfix,
Dovecot and firewall configuration.

When prompted by a dialog menu at the beginning, select "Internet Site", then
give your full domain without any subdomain, e.g. `lukesmith.xyz`.

I'm glad to say that hundreds of people have now used it and there is a
sizeable network of people with email servers thanks to this script.
## This script installs

- **Postfix** to send and receive mail.
- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc.).
- Config files that link the two above securely with native PAM log-ins.
- **SpamAssassin** to prevent spam and allow you to make custom filters.
- **OpenDKIM** to sign your outgoing mail so that Gmail and other big providers
will accept it.
- **Certbot** TLS certificates, if not already present.
- **fail2ban** to increase server security, with enabled modules for the above
programs.

## This script does _not_...

- use a SQL database or anything like that. We keep it simple and use normal
Unix system users for accounts and passwords.
- set up a graphical web interface for mail like Roundcube or SquirrelMail.
You are expected to use a normal mail client like Thunderbird or K-9 for
Android or good old mutt with
[mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard). Note that there
is a guide for [Rainloop](https://landchad.net/rainloop/) on
[LandChad.net](https://landchad.net) for those that want such a web
interface.
## Prerequisites for Installation

1. Debian or Ubuntu server.
2. DNS records that point at least your domain's `mail.` subdomain to your
server's IP (IPv4 and IPv6). This is required on the initial run for certbot to
get a TLS certificate for your `mail.` subdomain.
## Mandatory Finishing Touches

### Unblock your ports

While the script opens your mail ports in the server's own firewall, it is
common practice for VPS providers to block mail ports (most often outbound
port 25) on their end by default. Open a help ticket with your VPS provider
asking them to open your mail ports and they will usually do it in short order.

### DNS records

At the end of the script, you will be given some DNS records to add to your DNS
server/registrar's website. These are mostly for authenticating your emails as
non-spam. The 4 records are:

1. An MX record directing to `mail.yourdomain.tld`.
2. A TXT record for SPF (to reduce mail spoofing).
3. A TXT record for DMARC policies.
4. A TXT record with your public DKIM key. This record is long and **uniquely
generated** while running `emailwiz.sh` and thus must be added after
installation.

They will look something like this:

```
@ MX 10 mail.example.org
mail._domainkey.example.org TXT v=DKIM1; k=rsa; p=anextremelylongsequenceoflettersandnumbersgeneratedbyopendkim
_dmarc.example.org TXT v=DMARC1; p=reject; rua=mailto:dmarc@example.org; fo=1
example.org TXT v=spf1 mx a:mail.example.org -all
```

(The SPF `a:` mechanism must be followed by a hostname; a bare `a:` is a
syntax error and receivers will treat the record as invalid.)

The script will create a file, `~/dns_emailwiz`, that lists out the records
for your convenience, and also prints them at the end of the script.

### Add a rDNS/PTR record as well!

Set a reverse DNS or PTR record so that receiving servers do not flag your mail
as spam. You can do this at your VPS provider, and should set it to
`mail.yourdomain.tld`, which must in turn resolve back to the same IP
(forward-confirmed reverse DNS). Note that you should set this for both IPv4
and IPv6.
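Before pasting the records above at your registrar it is worth checking them for the mistakes that silently break mail authentication. The following Python script is an added example, not part of emailwiz: it parses a `~/dns_emailwiz`-style listing and flags malformed or weak settings (a bare `a:` mechanism, `+all`/`?all`, `p=none`, an empty DKIM key, an MX that points at an IP). The sample records are constructed to match the layout above; the DKIM `p=` value is a placeholder, not a real key.

```python
"""Check the records emailwiz prints (the ~/dns_emailwiz file) before you paste
them at your registrar. Added example, not part of emailwiz."""
import re

# Constructed sample in the same layout as the README's example block;
# the DKIM p= value is a stand-in, not a real key.
SAMPLE_RECORDS = """\
@ MX 10 mail.example.org
mail._domainkey.example.org TXT v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
_dmarc.example.org TXT v=DMARC1; p=reject; rua=mailto:dmarc@example.org; fo=1
example.org TXT v=spf1 mx a:mail.example.org -all
"""


def parse_tags(value):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict of tag -> value."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    return tags


def check_spf(value):
    terms = value.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with v=spf1"]
    problems = []
    for term in terms[1:]:
        # a:, mx:, include: etc. need a domain after the colon; a bare 'a:' is invalid.
        if re.fullmatch(r"[+\-~?]?(a|mx|include|ptr|exists):", term):
            problems.append(f"mechanism {term!r} is missing its domain")
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        problems.append(f"{last} lets anyone send as your domain; use -all")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append("record should end with -all")
    return problems


def check_dmarc(value):
    tags = parse_tags(value)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("DMARC record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"p={policy!r} is not a valid policy")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        problems.append("no rua= address, so you will receive no aggregate reports")
    return problems


def check_dkim(value):
    tags = parse_tags(value)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional, but if present must be DKIM1
        problems.append("unexpected DKIM version tag")
    if not tags.get("p"):
        problems.append("empty p= means a revoked key; paste the key generated by emailwiz")
    return problems


def check_mx(priority, target):
    problems = []
    if not priority.isdigit():
        problems.append(f"MX priority {priority!r} is not a number")
    if re.fullmatch(r"\d+(\.\d+){3}", target):
        problems.append("MX must point at a hostname, not an IP address")
    return problems


def check_records(text):
    """Return {record label: [problems]} for a dns_emailwiz-style listing."""
    report = {}
    for line in text.splitlines():
        fields = line.split(None, 2)            # name, type, value
        if len(fields) < 3:
            continue
        name, rtype, value = fields
        if rtype == "MX":
            prio, _, target = value.partition(" ")
            report[f"{name} MX"] = check_mx(prio, target.strip())
        elif rtype == "TXT":
            if value.lower().startswith("v=spf1"):
                report[f"{name} SPF"] = check_spf(value)
            elif value.startswith("v=DMARC1"):
                report[f"{name} DMARC"] = check_dmarc(value)
            elif "_domainkey" in name:
                report[f"{name} DKIM"] = check_dkim(value)
    return report


if __name__ == "__main__":
    for label, problems in check_records(SAMPLE_RECORDS).items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Run it against your own file with `check_records(open("dns_emailwiz").read())`; it only checks syntax and policy strength, so still confirm with `dig TXT` that the records are actually published once added.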
## Making new users/mail accounts

Let's say we want to add a user Billy and let him receive mail, run this:

```
useradd -m -G mail billy
passwd billy
```

Any user added to the `mail` group will be able to receive mail. Suppose a user
Cassie already exists and we want to let her receive mail too. Just run:

```
usermod -a -G mail cassie
```

Because accounts are plain Unix users, a mail password is also a system login
password: use strong passwords, and consider giving mail-only users a
non-login shell such as `/usr/sbin/nologin` so the credentials cannot be used
for SSH.

A user's mail will appear in `~/Mail/`. If you want to see your mail while ssh'd
into the server, you could just install mutt, add `set spoolfile="+Inbox"` to
your `~/.muttrc` and use mutt to view and reply to mail. You'll probably want
to log in remotely though:

## Logging in from email clients (Thunderbird/mutt/etc)

Let's say you want to access your mail with Thunderbird or mutt or another
email program. For my domain, the server information will be as follows:

- SMTP server: `mail.lukesmith.xyz`
- SMTP port: 465
- IMAP server: `mail.lukesmith.xyz`
- IMAP port: 993

Both ports use implicit TLS, so choose "SSL/TLS" rather than "STARTTLS" in
your client's connection settings.
## MTA-STS and DANE for improved security

### MTA-STS

By its very nature SMTP does not offer built-in security against
man-in-the-middle attacks: server-to-server TLS is opportunistic (STARTTLS),
so an attacker on the path can strip it or present a bogus certificate. To
mitigate this risk, you can publish an MTA-STS policy, which instructs
compatible senders to employ verified TLS encryption when communicating with
your server.

To put this into practice, create a file named `mta-sts.txt` with the following
content and serve it over HTTPS at
`https://mta-sts.example.org/.well-known/mta-sts.txt` (the `mta-sts.`
subdomain needs its own DNS record and a valid certificate for that name):

```
version: STSv1
mode: enforce
max_age: 604800
mx: mail.example.org
```

After that you need to add the following DNS records:

```
_mta-sts.example.org. TXT "v=STSv1; id=<id>"
_smtp._tls.example.org. TXT "v=TLSRPTv1;rua=mailto:postmaster@example.org"
```

`<id>` can be an arbitrary string but it's recommended to use the current unix
timestamp (`date +%s`). Change it every time you edit the policy file, since
senders only re-fetch the policy when the id changes or `max_age` expires. It
is prudent to start with `mode: testing` and watch the TLSRPT reports before
switching to `enforce`.
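The following Python script is an added example, not part of emailwiz: it generates the policy file and `_mta-sts` TXT record shown above, and re-validates a policy the way a sending MTA would (RFC 8461: version, mode, `max_age` range, and that every MX target of the domain is covered by an `mx:` line, since an MX missing from an `enforce` policy means mail to it is refused). The hostnames and the sample policy are constructed for the example.

```python
"""Build and validate an MTA-STS policy (RFC 8461). Added example, not emailwiz code."""
import time

MAX_AGE_LIMIT = 31557600   # RFC 8461: max_age must not exceed one year in seconds
MODES = ("enforce", "testing", "none")


def build_policy(mx_hosts, mode="enforce", max_age=604800):
    """Text to serve at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    if mode not in MODES:
        raise ValueError("mode must be enforce, testing or none")
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    lines = ["version: STSv1", f"mode: {mode}", f"max_age: {max_age}"]
    lines += [f"mx: {host}" for host in mx_hosts]
    return "\n".join(lines) + "\n"


def sts_txt_record(policy_id=None):
    """Value of the _mta-sts TXT record; the id must change whenever the policy file changes."""
    if policy_id is None:
        policy_id = str(int(time.time()))      # unix timestamp, as the README suggests
    return f"v=STSv1; id={policy_id}"


def mx_matches(pattern, host):
    """RFC 8461 mx patterns: an exact host, or '*.example.org' matching exactly one extra label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def validate_policy(text, mx_record_targets):
    """Return a list of problems; an empty list means a sender would accept the policy."""
    problems, fields, mx_lines = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            problems.append(f"malformed line {line!r}")
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx_lines.append(value)
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if fields.get("mode") not in MODES:
        problems.append("mode must be enforce, testing or none")
    try:
        if not 0 <= int(fields.get("max_age", "")) <= MAX_AGE_LIMIT:
            problems.append("max_age out of range")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    if fields.get("mode") != "none" and not mx_lines:
        problems.append("policy lists no mx hosts")
    # Every MX the domain actually publishes must be covered, or senders in
    # enforce mode will refuse to deliver to it.
    for target in mx_record_targets:
        if not any(mx_matches(pattern, target) for pattern in mx_lines):
            problems.append(f"MX {target} is not covered by the policy")
    return problems


if __name__ == "__main__":
    policy = build_policy(["mail.example.org"])
    print(policy)
    print("_mta-sts.example.org. TXT", repr(sts_txt_record()))
    print("problems:", validate_policy(policy, ["mail.example.org"]))
```

If you later add a backup MX, add it to the policy file first, bump the id, and only then publish the new MX record; doing it in the other order breaks delivery from every sender that has cached the old policy.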
### DANE

It's also recommended to set up a TLSA (DNSSEC/DANE) record for further
security enhancement. DANE only works if your zone is DNSSEC-signed, so enable
DNSSEC at your registrar first. Go [here](https://ssl-tools.net/tlsa-generator)
to generate a TLSA record. Set the port to 25, Transport Protocol to "tcp", and
specify the MX hostname as the Domain Name. Remember that a `3 1 1` record is a
hash of the certificate's public key, so it must be updated whenever the key
changes; certbot generates a new private key at each renewal unless it is
told to reuse the existing one.

After adding the TLSA DNS record you need to enable opportunistic DANE in
postfix by doing the following:

```
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_dns_support_level = dnssec'
postconf -e 'smtp_tls_security_level = dane'
echo "dane unix - - n - - smtp
-o smtp_dns_support_level=dnssec
-o smtp_tls_security_level=dane" >> /etc/postfix/master.cf
```

Note that these settings make *your* Postfix verify other servers' TLSA records
when sending; the TLSA record you published protects mail sent *to* you.
`smtp_dns_support_level = dnssec` requires that `/etc/resolv.conf` point at a
DNSSEC-validating resolver (for example a local unbound), so check the mail
log for DANE warnings after reloading Postfix with `systemctl reload postfix`.
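Instead of pasting your certificate into a web generator, the `3 1 1` record can be computed locally. The Python script below is an added example, not emailwiz code: it walks the certificate's DER just far enough (the RFC 5280 field order of `tbsCertificate`) to cut out the SubjectPublicKeyInfo, which is what selector 1 hashes, and prints the TLSA record for `_25._tcp.<mx host>`. Because no real key is on hand, it builds a structurally valid but unsigned certificate skeleton as constructed test data; on a live server feed `tlsa_from_pem()` the contents of `/etc/letsencrypt/live/<mail host>/cert.pem` instead (the path is an assumption about a default certbot layout).

```python
"""Compute the DANE TLSA record '3 1 1 <sha256 of SPKI>' for a certificate offline.
Added example, not emailwiz code."""
import base64
import hashlib


def der_encode(tag, content):
    """Minimal DER TLV encoder, using long-form length when content >= 128 bytes."""
    if len(content) < 0x80:
        length = bytes([len(content)])
    else:
        n = (len(content).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(content).to_bytes(n, "big")
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Return (tag, content_start, content_end) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length


def der_children(buf, pos):
    """Yield (tag, tlv_pos, content_start, content_end) for each element of the SEQUENCE at pos."""
    tag, start, end = der_read(buf, pos)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    while start < end:
        ctag, cstart, cend = der_read(buf, start)
        yield ctag, start, cstart, cend
        start = cend


def extract_spki(cert_der):
    """SubjectPublicKeyInfo TLV from a DER X.509 certificate (RFC 5280 layout)."""
    tbs = next(der_children(cert_der, 0))               # Certificate -> tbsCertificate
    fields = list(der_children(cert_der, tbs[1]))
    if fields and fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    tag, pos, _, end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found where RFC 5280 puts it")
    return cert_der[pos:end]


def spki_sha256_hex(spki_der):
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_3_1_1(cert_der):
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256): the form RFC 7672 recommends for SMTP."""
    return "3 1 1 " + spki_sha256_hex(extract_spki(cert_der))


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def tlsa_from_pem(pem_text):
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return tlsa_3_1_1(base64.b64decode(body))


def constructed_cert():
    """Unsigned certificate skeleton (constructed test data, not a real cert). Returns (cert_der, spki_der)."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")        # rsaEncryption
    sha256_rsa = bytes.fromhex("06092a864886f70d01010b")     # sha256WithRSAEncryption
    spki = der_encode(0x30, der_encode(0x30, rsa_oid + b"\x05\x00")
                      + der_encode(0x03, b"\x00" + b"\x42" * 200))  # fake key bits; long-form lengths
    sig_alg = der_encode(0x30, sha256_rsa + b"\x05\x00")
    utc = der_encode(0x17, b"240101000000Z")
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))    # version v3
                     + der_encode(0x02, b"\x01")                     # serialNumber
                     + sig_alg                                        # signature
                     + der_encode(0x30, b"")                          # issuer (empty Name)
                     + der_encode(0x30, utc + utc)                    # validity
                     + der_encode(0x30, b"")                          # subject
                     + spki)
    cert = der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00fake-signature"))
    return cert, spki


if __name__ == "__main__":
    cert, _ = constructed_cert()
    print("_25._tcp.mail.example.org. IN TLSA", tlsa_3_1_1(cert))
```

The result should match `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`; if you renew with a fresh key, publish the new record alongside the old one before switching certificates so senders validating DANE never see a mismatch.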
## Benefited from this?

I am always glad to hear this script is still making life easy for people. If
this script or documentation has saved you some frustration, donate here:

- btc: `bc1qzw6mk80t3vrp2cugmgfjqgtgzhldrqac5axfh4`
- xmr: `8A5v4Ci11Lz7BDoE2z2oPqMoNHzr5Zj8B3Q2N2qzqrUKhAKgNQYGSSaZDnBUWg6iXCiZyvC9mVCyGj5kGMJTi1zGKGM4Trm`

## Sites for Troubleshooting

Can't send or receive mail? Getting marked as spam? There are tools to double-check your DNS records and more:

- Always check `journalctl -xe` first for specific errors.
- [Check your DNS](https://intodns.com/)
- [Test your TXT records via mail](https://appmaildev.com/en/dkim)
- [Is your IP blacklisted?](https://mxtoolbox.com/blacklists.aspx)
- [mxtoolbox](https://mxtoolbox.com/SuperTool.aspx)
- [Check overall mail/website](https://internet.nl/)
- [Another great mail checker](https://www.checktls.com/#Website)
- [Check DANE](https://www.huque.com/bin/danecheck)