Email

From Traxel Wiki

Links

GPT Recommendation

For a low-volume mail server setup on Debian 12 (Bookworm) that’s primarily used for sending outbound messages from a local instance of MediaWiki, you can opt for a simple yet reliable software stack. The primary goal here is to ensure that emails sent by MediaWiki (e.g., account creation confirmations, notifications) are delivered reliably without setting up a full-fledged mail receiving infrastructure.

Software Stack:

  • Postfix: A widely used, open-source Mail Transfer Agent (MTA) that can handle sending outbound emails. It’s relatively straightforward to configure for sending emails and can be secured to prevent unauthorized use.
  • Optional: Dovecot: If you ever decide to handle receiving emails (for bounces or administrative purposes), Dovecot is a secure IMAP and POP3 server that integrates well with Postfix. However, for your described use case, Dovecot may not be necessary.
  • Certbot (Let’s Encrypt): For securing your connections with TLS, using Certbot to obtain a free SSL certificate from Let’s Encrypt is recommended, especially if you’ll be sending sensitive information.

Basic Setup Instructions:

1. Install Postfix

  1. Update your package list:

    sudo apt update
  2. Install Postfix:

    sudo apt install postfix
  3. During installation, you’ll be prompted for some basic configuration:

    • General type of mail configuration: Choose “Internet Site”.
    • System mail name: This should be your domain name (e.g., example.com).

2. Basic Configuration

  1. Edit the main Postfix configuration file /etc/postfix/main.cf to ensure it’s set up for sending mail correctly. For a basic setup, you might only need to adjust or verify a few lines:

    inet_interfaces = loopback-only
    myhostname = example.com
    mydestination = 
    mynetworks = 127.0.0.0/8
    • inet_interfaces set to loopback-only ensures Postfix only listens on the localhost interface.
    • myhostname should be your server’s FQDN.
    • Clear mydestination to prevent Postfix from considering itself the final destination for mail.
    • mynetworks restricts which client IPs may relay mail through this server; set it to localhost only.
  2. Reload or restart Postfix to apply the changes:

    sudo systemctl restart postfix

3. Configure MediaWiki for Email

Ensure MediaWiki is configured to send email through your local Postfix installation. This is usually done in MediaWiki’s LocalSettings.php:

$wgSMTP = [
    'host' => 'localhost',
    'IDHost' => 'example.com',
    'port' => 25,
    'auth' => false,
];

Adjust example.com to match your domain.

Security and Sending Limits

  • IP and Domain Reputation: Ensure your server’s IP and domain have a good reputation. A new IP or one previously used for spam can negatively affect deliverability.
  • Reverse DNS: Set up reverse DNS for your server’s IP to match your domain. This is often done through your hosting provider’s control panel.
  • SPF Record: Add an SPF record to your domain’s DNS to authorize your server to send email on behalf of your domain.
  • DKIM and DMARC: For a low-volume server used as described, DKIM and DMARC are optional but recommended for improving email authenticity.

This setup is sufficient for sending outbound emails from a MediaWiki instance. Remember to monitor your server for any abuse and ensure that it’s not configured as an open relay. For more extensive email needs in the future, consider additional configurations and possibly using external SMTP services designed for high deliverability.

SPF, DKIM, DMARC

Sure, here’s a simplified overview of setting up SPF, DKIM, and DMARC through DNS records. Note that specific values can vary based on your email sending service (e.g., Google Workspace, Office 365, SendGrid, etc.) or if you’re sending emails directly from your own server.

SPF (Sender Policy Framework)

Purpose: SPF allows the owner of a domain to specify which mail servers are permitted to send email on behalf of that domain.

DNS Record Type: TXT

Example Value:

v=spf1 include:_spf.example.com ~all
  • v=spf1 specifies the SPF version.
  • include:_spf.example.com tells receiving mail servers to consider the SPF record of _spf.example.com as part of this domain’s SPF record. Replace _spf.example.com with the SPF record of your email service provider or your own mail server.
  • ~all is a soft fail for mechanisms not specified in the record. It advises recipients to accept mail whether it passes the SPF check or not but to mark it as suspicious. Use -all for a hard fail if you’re sure all legitimate sources are listed.

HSL Version

For the HeatSync Labs wiki server, we know the domain (heatsynclabs.wiki) is dedicated to a single purpose, so we can go pretty hardcore. We'll specify that only email from the MX mail.heatsynclabs.wiki should be accepted.

v=spf1 mx:mail.heatsynclabs.wiki -all
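
The mx mechanism matches the addresses of the target name's MX hosts, not the target's own A record, so whether mx:mail.heatsynclabs.wiki matches depends on that name having MX records. The evaluator below is an added example, not from the page; it runs the page's SPF records (this one and the include: example above) against a constructed DNS fixture in which mail.heatsynclabs.wiki has an A record but no MX of its own, and the sender IP 203.0.113.25 and the _spf.example.com record are constructed too.

```python
"""Minimal SPF check_host() for the mechanisms used on this page (ip4, a, mx,
include, all), evaluated against a constructed DNS fixture so the records can
be compared offline. Subset of RFC 7208: no redirect=, exp=, ptr or exists."""
import ipaddress

# Constructed DNS snapshot (not live DNS). Note: mail.heatsynclabs.wiki has an
# A record here but no MX record of its own.
DNS = {
    ("heatsynclabs.wiki", "MX"): ["mail.heatsynclabs.wiki"],
    ("mail.heatsynclabs.wiki", "A"): ["203.0.113.25"],
    ("_spf.example.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> list:
    return DNS.get((name, rtype), [])


def _host_has_ip(ip: str, name: str) -> bool:
    return any(ipaddress.ip_address(a) == ipaddress.ip_address(ip)
               for a in lookup(name, "A"))


def check_host(ip: str, domain: str, record: str, depth: int = 0) -> str:
    """Evaluate `record` (the TXT data published at `domain`) for sender `ip`."""
    if depth > 10:                       # crude guard for the RFC 7208 lookup limit
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain             # bare "a"/"mx" use the current domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _host_has_ip(ip, target)
        elif mech == "mx":
            # "mx:<name>" matches the A records of <name>'s MX hosts, never
            # <name>'s own A record (RFC 7208 5.4: no implicit-MX fallback).
            matched = any(_host_has_ip(ip, mx) for mx in lookup(target, "MX"))
        elif mech == "include":
            sub = lookup(arg, "TXT")
            matched = bool(sub) and check_host(ip, arg, sub[0], depth + 1) == "pass"
        else:
            return "permerror"             # mechanism/modifier outside this subset
        if matched:
            return RESULT[qualifier]
    return "neutral"                       # nothing matched and no "all" term


if __name__ == "__main__":
    for rec in ("v=spf1 mx:mail.heatsynclabs.wiki -all",   # the page's HSL record
                "v=spf1 mx -all",                          # MX hosts of heatsynclabs.wiki
                "v=spf1 a:mail.heatsynclabs.wiki -all",    # the host itself
                "v=spf1 include:_spf.example.com ~all"):   # the GPT example
        print(f"{rec:45} -> {check_host('203.0.113.25', 'heatsynclabs.wiki', rec)}")
```

In this fixture the page's record yields fail for the wiki host's own address, while the bare mx form (MX hosts of heatsynclabs.wiki) and the a: form yield pass; check the real zone before choosing.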

DKIM (DomainKeys Identified Mail)

Purpose: DKIM provides a way to validate a domain name identity that is associated with a message through cryptographic authentication.

Configuration: You’ll generate a public/private key pair. The public key goes into your DNS records, and the private key is used by your outgoing email server to sign messages.

DNS Record Type: TXT

Example Value:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3...[your_public_key]...
  • v=DKIM1 specifies the DKIM version.
  • k=rsa indicates the key type.
  • p=[your_public_key] is where you paste the actual public key generated by your mail server or email service.

The specific TXT record name often includes a selector which is a prefix to _domainkey, like selector1._domainkey.example.com. The selector is specified by your email system when setting up DKIM.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Purpose: DMARC uses SPF and DKIM to determine the legitimacy of an email message, providing instructions to the receiving mail server on what to do if neither of those authentication methods passes. It also specifies how an email sender can receive feedback on messages that pass and/or fail DMARC evaluation.

DNS Record Type: TXT

Example Value:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com
  • v=DMARC1 specifies the DMARC version.
  • p=reject is the policy, telling receiving servers to reject messages that fail DMARC checks. Other options include none (do nothing, only log the event) and quarantine (mark as spam).
  • rua=mailto:dmarc-reports@example.com specifies an email address where aggregate reports should be sent.

For all three, replace example.com with your domain and adjust values according to your specific setup or service provider’s guidelines. Setting up these records correctly can significantly improve your email deliverability and protect your domain against misuse. Always test your configuration using tools like Google’s Admin Toolbox or other DMARC, SPF, and DKIM validation tools available online.

DKIM on Postfix

To configure Postfix with DomainKeys Identified Mail (DKIM) to sign outgoing emails, you typically use an external application like OpenDKIM. OpenDKIM provides a method to sign email messages with a DKIM signature based on your private key, enhancing email security and deliverability. Here’s a basic guide to configuring Postfix with DKIM using OpenDKIM:

Step 1: Install OpenDKIM

First, install OpenDKIM and its tools. On Debian/Ubuntu systems, you can do this with:

sudo apt-get update
sudo apt-get install opendkim opendkim-tools

Step 2: Generate DKIM Keys

You’ll need to generate a private and public key pair for DKIM.

  1. Create a directory for your keys:

    sudo mkdir -p /etc/dkimkeys/yourdomain.com
  2. Generate the keys:

    sudo opendkim-genkey -b 2048 -d yourdomain.com -D /etc/dkimkeys/yourdomain.com -s mail -v
  3. Change ownership of the private key to the opendkim user:

    sudo chown opendkim:opendkim /etc/dkimkeys/yourdomain.com/mail.private

In this example, yourdomain.com should be replaced with your actual domain, and mail is a selector that will be part of your DKIM record.

Restrict permissions on the private key (shown here for the heatsynclabs.wiki key):

sudo chmod 0600 /etc/dkimkeys/heatsynclabs.wiki/mail.private

HeatSync Labs DNS Entry

mail._domainkey	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoO06v9Pk+J4zAHn7lKAyIB+FYyph6REHI47BnXX991UWDmJNGRNBmMy3t6fBoz1j8oCzjruBdgHFrGUnXRcGZFBeJFX2/Zg/NvSTRV6axMdki936fELtZi+ftUetPHbRpD0J7yYlyOZ+816em9J68MtAfBSUj2uCcA8RVGXs2YdcfcridEFvXmzd4N0fdcU21LyMkGotyMCKZ9"
	  "CLnNn0BFFdVkHEtjtTqasnvzOkL002UOS+DApLdAReNCDYciJpuHusQBw5LAoj+nJO/bI4BBSVPt7jUgQv1oNWAbw7mSZRwAHNDhGs4Feh9imITw7sxsF6Q513uAFqZoXBiiADVQIDAQAB" )  ; ----- DKIM key mail for heatsynclabs.wiki

NameCheap wants it in one long string:

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoO06v9Pk+J4zAHn7lKAyIB+FYyph6REHI47BnXX991UWDmJNGRNBmMy3t6fBoz1j8oCzjruBdgHFrGUnXRcGZFBeJFX2/Zg/NvSTRV6axMdki936fELtZi+ftUetPHbRpD0J7yYlyOZ+816em9J68MtAfBSUj2uCcA8RVGXs2YdcfcridEFvXmzd4N0fdcU21LyMkGotyMCKZ9CLnNn0BFFdVkHEtjtTqasnvzOkL002UOS+DApLdAReNCDYciJpuHusQBw5LAoj+nJO/bI4BBSVPt7jUgQv1oNWAbw7mSZRwAHNDhGs4Feh9imITw7sxsF6Q513uAFqZoXBiiADVQIDAQAB
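
The script below is an added check, not part of OpenDKIM or the page: it takes the BIND-style entry above, joins its quoted strings into the one-line form NameCheap wants, parses the DKIM tags, and walks the DER in p= (stdlib only) to confirm the published key is the 2048-bit RSA key generated in Step 2.

```python
"""Validate a published DKIM key record offline: join BIND's multi-string TXT
form into the one-line form, parse the tag=value list, and walk the DER
SubjectPublicKeyInfo in p= to confirm it is RSA and report the key size."""
import base64
import re

# The heatsynclabs.wiki zone entry as shown on this page (BIND zone-file form).
BIND_RECORD = (
    'mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "\n'
    '  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoO06v9Pk+J4zAHn7lKAyIB+FYyph6REHI47BnXX991UWDmJNGRNBmMy3t6fBoz1j8oCzjruBdgHFrGUnXRcGZFBeJFX2/Zg/NvSTRV6axMdki936fELtZi+ftUetPHbRpD0J7yYlyOZ+816em9J68MtAfBSUj2uCcA8RVGXs2YdcfcridEFvXmzd4N0fdcU21LyMkGotyMCKZ9"\n'
    '  "CLnNn0BFFdVkHEtjtTqasnvzOkL002UOS+DApLdAReNCDYciJpuHusQBw5LAoj+nJO/bI4BBSVPt7jUgQv1oNWAbw7mSZRwAHNDhGs4Feh9imITw7sxsF6Q513uAFqZoXBiiADVQIDAQAB" )  ; ----- DKIM key mail for heatsynclabs.wiki'
)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def join_txt_strings(zone_text: str) -> str:
    """Resolvers concatenate the quoted strings of a TXT RDATA; the result is
    the single long string a registrar UI such as NameCheap wants."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))


def parse_tags(record: str) -> dict:
    """RFC 6376 tag=value list, e.g. 'v=DKIM1; h=sha256; k=rsa; p=...'."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_info(spki: bytes) -> tuple:
    """SubjectPublicKeyInfo DER -> (modulus bit length, public exponent)."""
    tag, body, _ = _tlv(spki, 0)
    alg_tag, alg, pos = _tlv(body, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if (tag, alg_tag, oid_tag, oid) != (0x30, 0x30, 0x06, RSA_OID):
        raise ValueError("p= is not an rsaEncryption SubjectPublicKeyInfo")
    bs_tag, bits, _ = _tlv(body, pos)
    if bs_tag != 0x03 or bits[0] != 0:                  # BIT STRING, 0 unused bits
        raise ValueError("malformed BIT STRING around RSAPublicKey")
    _, rsapub, _ = _tlv(bits[1:], 0)                    # RSAPublicKey SEQUENCE
    _, n, pos = _tlv(rsapub, 0)                         # INTEGER modulus
    _, e, _ = _tlv(rsapub, pos)                         # INTEGER publicExponent
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def check_dkim_record(record: str) -> dict:
    """Facts a verifier derives from the record. RFC 8301: RSA keys MUST be
    at least 1024 bits and SHOULD be at least 2048 bits."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported v= or k= tag")
    bits, exponent = rsa_key_info(base64.b64decode(tags["p"], validate=True))
    return {"bits": bits, "exponent": exponent, "hash": tags.get("h"),
            "meets_rfc8301_should": bits >= 2048}


ONE_LINE = join_txt_strings(BIND_RECORD)  # same text as the NameCheap value above
```

Running check_dkim_record(ONE_LINE) reports a 2048-bit RSA key with exponent 65537 restricted to sha256 signatures; a corrupted paste (a dropped character in p=) fails base64 or DER parsing instead of silently publishing a bad key.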

Step 3: Configure OpenDKIM

Big Email System Config (don't use this)

Edit the OpenDKIM main configuration file (/etc/opendkim.conf) to specify your key and signing details. You may need root privileges to edit this file.

  1. Open /etc/opendkim.conf in your text editor.
  2. Add or ensure these lines are configured with your domain and key information:

    KeyTable                refile:/etc/opendkim/KeyTable
    SigningTable            refile:/etc/opendkim/SigningTable
    ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
    InternalHosts           refile:/etc/opendkim/TrustedHosts
  3. Create or edit /etc/opendkim/KeyTable and add your domain’s key:

    mail._domainkey.yourdomain.com yourdomain.com:mail:/etc/dkimkeys/yourdomain.com/mail.private
  4. Create or edit /etc/opendkim/SigningTable and link email addresses to the selector and domain:

    *@yourdomain.com mail._domainkey.yourdomain.com
  5. Create or edit /etc/opendkim/TrustedHosts and add your localhost and domain names to specify which hosts can send mail that will be signed:

    127.0.0.1
    localhost
    yourdomain.com

Simple Basic Version

Domain      heatsynclabs.wiki
Selector    mail
KeyFile     /etc/dkimkeys/heatsynclabs.wiki/mail.private

Step 4: Connect OpenDKIM to Postfix

Configure Postfix to use OpenDKIM for signing by editing /etc/postfix/main.cf and adding:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Make sure the port (12301 in this example) matches the one configured for OpenDKIM.

Step 5: Restart and Test

  1. Restart OpenDKIM and Postfix to apply changes:

    sudo systemctl restart opendkim postfix
  2. Test your DKIM configuration using online tools or by sending an email to a service like check-auth@verifier.port25.com, which will reply with an analysis of your email’s authentication results, including DKIM.

Step 6: Publish Your DKIM Public Key

Don’t forget to publish your DKIM public key in your DNS. You’ll find the public key in a file named mail.txt in the key directory created in Step 2 (/etc/dkimkeys/yourdomain.com in this guide). Create a TXT record for mail._domainkey.yourdomain.com with the value provided in that file.

Make sure to replace placeholders like yourdomain.com and mail (if you used a different selector) with your actual domain and selector used during key generation. This guide assumes basic familiarity with Linux server administration and might require adjustments based on your system’s specifics and the domain registrar’s DNS settings interface.

DKIM

OpenDKIM Config

/etc/opendkim.conf, at end of file

# -------------------------------------------------------------------------
# Custom for heatsynclabs.wiki
# ----------------------------
# See: http://www.opendkim.org/opendkim.conf.5.html

# LogWhy
# If logging is enabled (see Syslog below), issues very detailed logging
# about the logic behind the filter’s decision to either sign a message
# or verify it. The logic behind the decision is non-trivial and can be
# confusing to administrators not familiar with its operation. A
# description of how the decision is made can be found in the OPERATIONS
# section of the opendkim(8) man page. This causes a large increase in the
# amount of log data generated for each message, so it should be limited
# to debugging use and not enabled for general operation.
# LogWhy                        yes # enables extra logging

# Mode
# Selects operating modes. The string is a concatenation of characters that
# indicate which mode(s) of operation are desired. Valid modes are s
# (signer) and v (verifier). The default is sv except in test mode
# (see the opendkim(8) man page) in which case the default is v. When
# signing mode is enabled, one of the following combinations must also be
# set:
# (a) Domain, KeyFile, Selector, no KeyTable, no SigningTable; <-- 1 domain
# (b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
# (c) KeyTable, SetupPolicyScript, no Domain, no KeyFile, no Selector.
# Mode                  sv

# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
#
# Domain
# A set of domains whose mail should be signed by this filter. Mail from
# other domains will be verified rather than being signed.
Domain                  heatsynclabs.wiki
#
# KeyFile
# Gives the location of a PEM-formatted private key to be used for signing
# all messages. Ignored if a KeyTable is defined.
KeyFile                 /etc/dkimkeys/heatsynclabs.wiki/mail.private
#
# Selector
# Defines the name of the selector to be used when signing messages. See
# the DKIM specification for details. Used only when signing with a single
# key; see the SigningTable parameter below for more information.
Selector                mail

# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
#
# Specifies the socket that should be established by the filter to receive
# connections from sendmail(8) in order to provide service. socketspec is in
# one of two forms: local:path, which creates a UNIX domain socket at the
# specified path, or inet:port[@host] or inet6:port[@host] which creates a
# TCP socket on the specified port and in the specified protocol family. If
# the host is not given as either a hostname or an IP address, the socket
# will be listening on all interfaces. A literal IP address must be enclosed
# in square brackets. This option is mandatory either in the configuration
# file or on the command line.
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock
# -------------------------------------------------------------------------

Postfix Config

/etc/postfix/main.cf, at end of file

# OpenDKIM Config
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock
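
A small lint for the relay settings from Basic Configuration above (inet_interfaces, mynetworks, mydestination) and the milter lines just above, written as an added example rather than a Postfix tool; both main.cf samples it reads are constructed from the page's values, plus one deliberately weaker variant. One thing it flags is milter_default_action = accept, as used on this page: if OpenDKIM is not running, mail still leaves, just unsigned, whereas tempfail would defer it.

```python
"""Lint a Postfix main.cf fragment for the relay and milter settings this page
configures; parses the file syntax (name = value, indented continuation lines,
'#' comments) with the stdlib."""
import ipaddress

# Constructed sample assembled from the settings on this page.
MAIN_CF = """\
inet_interfaces = loopback-only
mydestination =
mynetworks = 127.0.0.0/8
# OpenDKIM Config
milter_default_action = accept
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock
"""
# Constructed weaker variant: listens on all interfaces, trusts a LAN range,
# accepts local delivery, and only signs mail that arrives over SMTP.
WEAK_CF = """\
inet_interfaces = all
mynetworks = 127.0.0.0/8,
    192.0.2.0/24
mydestination = $myhostname, localhost
smtpd_milters = inet:localhost:12301
"""
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))
FAIL_OPEN = "milter_default_action=accept fails open: mail leaves unsigned if OpenDKIM is down"


def parse_main_cf(text: str) -> dict:
    """'name = value'; a line starting with whitespace continues the previous
    value; '#' at column 0 starts a comment; later assignments win."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def lint(params: dict) -> list:
    """Return findings; Postfix defaults are assumed where a setting is absent."""
    findings = []
    if params.get("inet_interfaces", "all") != "loopback-only":
        findings.append("inet_interfaces: Postfix is reachable beyond localhost")
    for entry in params.get("mynetworks", "").replace(",", " ").split():
        try:   # "[::1]/128" style entries carry brackets Postfix accepts
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(f"mynetworks: cannot verify entry {entry!r}")
            continue
        if not any(net.subnet_of(lb) for lb in LOOPBACK if lb.version == net.version):
            findings.append(f"mynetworks: {entry} may relay through this host")
    dest = params.get("mydestination", "$myhostname, localhost.$mydomain, localhost")
    if dest:
        findings.append(f"mydestination: accepts inbound delivery for {dest}")
    if params.get("smtpd_milters") != params.get("non_smtpd_milters"):
        findings.append("milters: smtpd_milters != non_smtpd_milters; locally submitted mail would not be signed")
    if params.get("milter_default_action", "tempfail") == "accept":
        findings.append(FAIL_OPEN)
    return findings
```

The page's own settings produce a single finding (the fail-open milter action); the weaker variant trips every other check.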