Luke Smith
1 year ago
1 changed files with 74 additions and 83 deletions
Split View
Diff Options
-
+74 -83README.md
+ 74
- 83
README.md
View File
| @@ -24,55 +24,66 @@ give your full domain without any subdomain, i.e. `lukesmith.xyz`. | |||
| - Config files that link the two above securely with native log-ins. | |||
| - **Spamassassin** to prevent spam and allow you to make custom filters. | |||
| - **OpenDKIM** to validate you so you can send to Gmail and other big sites. | |||
| - The required SSL certificates if not already present. | |||
| ## This script does _not_ | |||
| - use a SQL database or anything like that. | |||
| - set up a graphical interface for mail like Roundcube or Squirrel Mail. If you | |||
| want that, you'll have to install it yourself. I just use | |||
| [isync/msmtp/mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard) to | |||
| have an offline mirror of my email setup and I recommend the same. There are | |||
| other ways of doing it though, like Thunderbird, etc. | |||
| ## Before you run this script you need... | |||
| 1. A **Debian or Ubuntu server**. I've tested this on a | |||
| [Vultr](https://www.vultr.com/?ref=8940911-8H) Debian server and one running | |||
| Ubuntu and their setup works, but I suspect other VPS hosts will have | |||
| similar/possibly identical default settings which will let you run this on | |||
| them. Note that the affiliate link there to Vultr gives you a $100 credit | |||
| for the first month to play around. | |||
| 2. **A Let's Encrypt SSL certificate for your site's `mail.` subdomain**. | |||
| 3. You need two little DNS records set on your domain registrar's site/DNS | |||
| server: (1) an **MX record** pointing to your own main domain/IP and (2) a | |||
| **CNAME record** for your `mail.` subdomain. | |||
| 4. **A Reverse DNS entry for your site.** Go to your VPS settings and add an | |||
| entry for your IPv4 Reverse DNS that goes from your IP address to | |||
| `<mail.yourdomain.com>`. If you would like IPv6, you can do the same for | |||
| that. This has been tested on Vultr, and all decent VPS hosts will have a | |||
| section on their instance settings page to add a reverse DNS PTR entry. You | |||
| can use the 'Test Email Server' or ':smtp' tool on | |||
| [mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) to test if you set up a | |||
| reverse DNS correctly. This step is not required for everyone, but some big | |||
| email services like Gmail will stop emails coming from mail servers with | |||
| no/invalid rDNS lookups. This means your email will fail to even make it to | |||
| the recipients spam folder; it will never make it to them. | |||
| 5. `apt purge` all your previous (failed) attempts to install and configure a | |||
| mail server. Get rid of _all_ your system settings for Postfix, Dovecot, | |||
| OpenDKIM and everything else. This script builds off of a fresh install. | |||
| 6. Some VPS providers block mail port numbers like 25, 993 or 587 by default. | |||
| You may need to request these ports be opened to send mail successfully. | |||
| Vultr and most other VPS providers will respond immediately and open the | |||
| ports for you if you open a support ticket. | |||
| 7. If you have a firewall, you'll need to open ports on your side as well. For | |||
| example, with `ufw`, just run: `ufw allow 587` on ports 587, 993 and 25 (you | |||
| will need port 80 for Certbot too). | |||
| ## Post-install requirement! | |||
| - After the script runs, you'll have to add additional DNS TXT records which | |||
| are displayed at the end when the script is complete. They will help ensure | |||
| your mail is validated and secure. | |||
| - use a SQL database or anything like that. We keep it simple and use normal | |||
| Unix system users for accounts and passwords. | |||
| - set up a graphical web interface for mail like Roundcube or Squirrel Mail. | |||
| You are expected to use a normal mail client like Thunderbird or K-9 for | |||
| Android or good old mutt with | |||
| [mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard). Note that there | |||
| is a guide for [Rainloop](https://landchad.net/rainloop/) on | |||
| [LandChad.net](https://landchad.net) for those that want such a web | |||
| interface. | |||
| ## Prerequisites for Installation | |||
| 1. Debian or Ubuntu server. I suited this script for | |||
| [Vultr](https://www.vultr.com/?ref=8940911-8H) servers originally, but it | |||
| works consistently on any normal setup. | |||
| 2. DNS records that point your domain to your server's IP (IPv4 and IPv6). | |||
| ## Mandatory Finishing Touches | |||
| ### Unblock your ports | |||
| While the script enables your mail ports on your server, it is common practice | |||
| for all VPS providers to block mail ports on their end by default. Open a help | |||
| ticket with your VPS provider asking them to open your mail ports and they will | |||
| do it in short order. | |||
| ### DNS records | |||
| At the end of the script, you will be given some DNS records to add to your DNS | |||
| server/registrar's website. These are mostly for authenticating your emails as | |||
| non-spam. The 4 records are: | |||
| 1. An MX record directing to `mail.yourdomain.tld`. | |||
| 2. A TXT record for SPF (to reduce mail spoofing). | |||
| 3. A TXT record for DMARC policies. | |||
| 4. A TXT record with your public DKIM key. This record is long and **uniquely | |||
| generated** while running `emailwiz.sh` and thus must be added after | |||
| installation. | |||
| They will look something like this: | |||
| ``` | |||
| @ MX 10 mail.example.org | |||
| mail._domainkey.example.org TXT v=DKIM1; k=rsa; p=anextremelylongsequenceoflettersandnumbersgeneratedbyopendkim | |||
| _dmarc.example.org TXT v=DMARC1; p=reject; rua=mailto:dmarc@example.org; fo=1 | |||
| example.org TXT v=spf1 mx a: -all | |||
| ``` | |||
| The script will create a file, `~/dns_emailwiz` that will list our the records | |||
| for your convenience, and also prints them at the end of the script. | |||
| ### Add a rDNS/PTR record as well! | |||
| Set a reverse DNS or PTR record to avoid getting spammed. You can do this at | |||
| your VPS provider, and should set it to `mail.yourdomain.tld`. Note that you | |||
| should set this for both IPv4 and IPv6. | |||
| ## Making new users/mail accounts | |||
| @@ -95,50 +106,30 @@ in the server, you could just install mutt, add `set spoolfile="+Inbox"` to | |||
| your `~/.muttrc` and use mutt to view and reply to mail. You'll probably want | |||
| to log in remotely though: | |||
| ## Logging in from Thunderbird or mutt (and others) remotely | |||
| ## Logging in from email clients (Thunderbird/mutt/etc) | |||
| Let's say you want to access your mail with Thunderbird or mutt or another | |||
| email program. For my domain, the server information will be as follows: | |||
| - SMTP server: `mail.lukesmith.xyz` | |||
| - SMTP port: 587 | |||
| - SMTP port: 465 | |||
| - IMAP server: `mail.lukesmith.xyz` | |||
| - IMAP port: 993 | |||
| In previous versions of emailwiz, you also had to log on with *only* your | |||
| username (i.e. `luke`) rather than your whole email address (i.e. | |||
| `luke@lukesmith.xyz`), which caused some confusion. This is no longer the | |||
| case. | |||
| ## Benefited from this? | |||
| I am always glad to hear this script is still making life easy for people! If | |||
| this script or documentation has saved you some frustration, you can donate to | |||
| support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html). | |||
| ## Troubleshooting -- Can't send mail? | |||
| - Always check `journalctl -xe` to see the specific problem. | |||
| - Check with your VPS host and ask them to enable mail ports. Some providers | |||
| disable them by default. It shouldn't take any time. | |||
| - Go to [this site](https://appmaildev.com/en/dkim) to test your TXT records. | |||
| If your DKIM, SPF or DMARC tests fail you probably copied in the TXT records | |||
| incorrectly. | |||
| - If everything looks good and you *can* send mail, but it still goes to Gmail | |||
| or another big provider's spam directory, your domain (especially if it's a | |||
| new one) might be on a public spam list. Check | |||
| [this site](https://mxtoolbox.com/blacklists.aspx) to see if it is. Don't | |||
| worry if you are: sometimes especially new domains are automatically assumed | |||
| to be spam temporarily. If you are blacklisted by one of these, look into it | |||
| and it will explain why and how to remove yourself. | |||
| - Check your DNS settings using [this site](https://intodns.com/), it'll report | |||
| any issues with your MX records | |||
| - Ensure that port 25 is open on your server. | |||
| [Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance | |||
| blocks this by default, you need to open a support ticket with them to open | |||
| it. You can't send mail if 25 is blocked | |||
| ## TODO | |||
| - Fail2ban for security. | |||
| - Scripts for easier spam prevention. | |||
| I am always glad to hear this script is still making life easy for people. If | |||
| this script or documentation has saved you some frustration, donate here: | |||
| - btc: `bc1qzw6mk80t3vrp2cugmgfjqgtgzhldrqac5axfh4` | |||
| - xmr: `8A5v4Ci11Lz7BDoE2z2oPqMoNHzr5Zj8B3Q2N2qzqrUKhAKgNQYGSSaZDnBUWg6iXCiZyvC9mVCyGj5kGMJTi1zGKGM4Trm` | |||
| ## Sites for Troubleshooting | |||
| Can send or receive mail? Getting marked as spam? There are tools to double-check your DNS records and more: | |||
| - Always check `journalctl -xe` first for specific errors. | |||
| - [Check your DNS](https://intodns.com/) | |||
| - [Test your TXT records via mail](https://appmaildev.com/en/dkim) | |||
| - [Is your IP blacklisted?](https://mxtoolbox.com/blacklists.aspx) | |||
| - [mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) | |||