Category:Email: Difference between revisions

From Traxel Wiki
Jump to navigation Jump to search
(Replaced content with "Category:Hacking = Links = * Reverse DNS on Lightsail: https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-configuring-reverse-dns.html * Email_Webmail")
Tag: Replaced
 
(16 intermediate revisions by the same user not shown)
Line 2: Line 2:
= Links =
= Links =
* Reverse DNS on Lightsail: https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-configuring-reverse-dns.html
* Reverse DNS on Lightsail: https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-configuring-reverse-dns.html
= GPT Recommendation =
* [[Email_Webmail]]
For a low-volume mail server setup on Debian 12 (Bookworm) that’s primarily used for sending outbound messages from a local instance of MediaWiki, you can opt for a simple yet reliable software stack. The primary goal here is to ensure that emails sent by MediaWiki (e.g., account creation confirmations, notifications) are delivered reliably without setting up a full-fledged mail receiving infrastructure.
 
=== Software Stack: ===
 
* '''Postfix''': A widely used, open-source Mail Transfer Agent (MTA) that can handle sending outbound emails. It’s relatively straightforward to configure for sending emails and can be secured to prevent unauthorized use.
* '''Optional: Dovecot''': If you ever decide to handle receiving emails (for bounces or administrative purposes), Dovecot is a secure IMAP and POP3 server that integrates well with Postfix. However, for your described use case, Dovecot may not be necessary.
* '''Certbot (Let’s Encrypt)''': For securing your connections with TLS, using Certbot to obtain a free SSL certificate from Let’s Encrypt is recommended, especially if you’ll be sending sensitive information.
 
=== Basic Setup Instructions: ===
 
==== 1. Install Postfix ====
 
<ol style="list-style-type: decimal;">
<li><p>Update your package list:</p>
<pre>sudo apt update</pre></li>
<li><p>Install Postfix:</p>
<pre>sudo apt install postfix</pre></li>
<li><p>During installation, you’ll be prompted for some basic configuration:</p>
<ul>
<li>'''General type of mail configuration''': Choose “Internet Site”.</li>
<li>'''System mail name''': This should be your domain name (e.g., example.com).</li></ul>
</li></ol>
 
==== 2. Basic Configuration ====
 
<ol style="list-style-type: decimal;">
<li><p>Edit the main Postfix configuration file <code>/etc/postfix/main.cf</code> to ensure it’s set up for sending mail correctly. For a basic setup, you might only need to adjust or verify a few lines:</p>
<pre>inet_interfaces = loopback-only
myhostname = example.com
mydestination =
mynetworks = 127.0.0.0/8</pre>
<ul>
<li><code>inet_interfaces</code> set to <code>loopback-only</code> ensures Postfix only listens on the localhost interface.</li>
<li><code>myhostname</code> should be your server’s FQDN.</li>
<li>Clear <code>mydestination</code> to prevent Postfix from considering itself the final destination for mail.</li>
<li><code>mynetworks</code> restricts which IPs can send mail through this server, set it to localhost only for security.</li></ul>
</li>
<li><p>Reload or restart Postfix to apply the changes:</p>
<pre>sudo systemctl restart postfix</pre></li></ol>
 
==== 3. Configure MediaWiki for Email ====
 
Ensure MediaWiki is configured to send email through your local Postfix installation. This is usually done in MediaWiki’s <code>LocalSettings.php</code>:
 
<source lang="php">$wgSMTP = [
    'host' => 'localhost',
    'IDHost' => 'example.com',
    'port' => 25,
    'auth' => false,
];</source>
Adjust <code>example.com</code> to match your domain.
 
=== Security and Sending Limits ===
 
* '''IP and Domain Reputation''': Ensure your server’s IP and domain have a good reputation. A new IP or one previously used for spam can negatively affect deliverability.
* '''Reverse DNS''': Set up reverse DNS for your server’s IP to match your domain. This is often done through your hosting provider’s control panel.
* '''SPF Record''': Add an SPF record to your domain’s DNS to authorize your server to send email on behalf of your domain.
* '''DKIM and DMARC''': For a low-volume server used as described, DKIM and DMARC are optional but recommended for improving email authenticity.
 
This setup is sufficient for sending outbound emails from a MediaWiki instance. Remember to monitor your server for any abuse and ensure that it’s not configured as an open relay. For more extensive email needs in the future, consider additional configurations and possibly using external SMTP services designed for high deliverability.
== SPF, DKIM, DMARC ==
Sure, here’s a simplified overview of setting up SPF, DKIM, and DMARC through DNS records. Note that specific values can vary based on your email sending service (e.g., Google Workspace, Office 365, SendGrid, etc.) or if you’re sending emails directly from your own server.
 
=== SPF (Sender Policy Framework) ===
 
'''Purpose:''' SPF allows the owner of a domain to specify which mail servers are permitted to send email on behalf of that domain.
 
'''DNS Record Type:''' TXT
 
'''Example Value:'''
 
<pre class="plaintext">v=spf1 include:_spf.example.com ~all</pre>
* <code>v=spf1</code> specifies the SPF version.
* <code>include:_spf.example.com</code> tells receiving mail servers to consider the SPF record of <code>_spf.example.com</code> as part of this domain’s SPF record. Replace <code>_spf.example.com</code> with the SPF record of your email service provider or your own mail server.
* <code>~all</code> is a soft fail for mechanisms not specified in the record. It advises recipients to accept mail whether it passes the SPF check or not but to mark it as suspicious. Use <code>-all</code> for a hard fail if you’re sure all legitimate sources are listed.
 
==== HSL Version ====
For the HeatSync Labs wiki server, we know the domain (heatsynclabs.wiki) is dedicated to a single purpose, so we can go pretty hardcore. We'll specify that only email from the mx mail.heatsynclabs.wiki should be accepted.
<pre>
v=spf1 mx:mail.heatsynclabs.wiki -all
</pre>
 
=== DKIM (DomainKeys Identified Mail) ===
 
'''Purpose:''' DKIM provides a way to validate a domain name identity that is associated with a message through cryptographic authentication.
 
'''Configuration:''' You’ll generate a public/private key pair. The public key goes into your DNS records, and the private key is used by your outgoing email server to sign messages.
 
'''DNS Record Type:''' TXT
 
'''Example Value:'''
 
<pre class="plaintext">v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3...[your_public_key]...</pre>
* <code>v=DKIM1</code> specifies the DKIM version.
* <code>k=rsa</code> indicates the key type.
* <code>p=[your_public_key]</code> is where you paste the actual public key generated by your mail server or email service.
 
The specific <code>TXT</code> record name often includes a selector which is a prefix to <code>_domainkey</code>, like <code>selector1._domainkey.example.com</code>. The selector is specified by your email system when setting up DKIM.
 
=== DMARC (Domain-based Message Authentication, Reporting, and Conformance) ===
 
'''Purpose:''' DMARC uses SPF and DKIM to determine the legitimacy of an email message, providing instructions to the receiving mail server on what to do if neither of those authentication methods passes. It also specifies how an email sender can receive feedback on messages that pass and/or fail DMARC evaluation.
 
'''DNS Record Type:''' TXT
 
'''Example Value:'''
 
<pre class="plaintext">v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com</pre>
* <code>v=DMARC1</code> specifies the DMARC version.
* <code>p=reject</code> is the policy, telling receiving servers to reject messages that fail DMARC checks. Other options include <code>none</code> (do nothing, only log the event) and <code>quarantine</code> (mark as spam).
* <code>rua=mailto:dmarc-reports@example.com</code> specifies an email address where aggregate reports should be sent.
 
For all three, replace <code>example.com</code> with your domain and adjust values according to your specific setup or service provider’s guidelines. Setting up these records correctly can significantly improve your email deliverability and protect your domain against misuse. Always test your configuration using tools like Google’s Admin Toolbox or other DMARC, SPF, and DKIM validation tools available online.
== DKIM on Postfix ==
To configure Postfix with DomainKeys Identified Mail (DKIM) to sign outgoing emails, you typically use an external application like OpenDKIM. OpenDKIM provides a method to sign email messages with a DKIM signature based on your private key, enhancing email security and deliverability. Here’s a basic guide to configuring Postfix with DKIM using OpenDKIM:
 
=== Step 1: Install OpenDKIM ===
 
First, install OpenDKIM and its tools. On Debian/Ubuntu systems, you can do this with:
 
<source lang="bash">sudo apt-get update
sudo apt-get install opendkim opendkim-tools</source>
=== Step 2: Generate DKIM Keys ===
 
You’ll need to generate a private and public key pair for DKIM.
 
# Create a directory for your keys:
 
<source lang="bash">sudo mkdir -p /etc/dkimkeys/yourdomain.com</source>
<ol start="2" style="list-style-type: decimal;">
<li>Generate the keys:</li></ol>
 
<source lang="bash">sudo opendkim-genkey -b 2048 -d yourdomain.com -D /etc/dkimkeys/yourdomain.com -s mail -v</source>
<ol start="3" style="list-style-type: decimal;">
<li>Change ownership of the private key to the opendkim user:</li></ol>
 
<source lang="bash">sudo chown opendkim:opendkim /etc/dkimkeys/yourdomain.com/mail.private</source>
In this example, <code>yourdomain.com</code> should be replaced with your actual domain, and <code>mail</code> is a selector that will be part of your DKIM record.
 
=== Step 3: Configure OpenDKIM ===
 
Edit the OpenDKIM main configuration file (<code>/etc/opendkim.conf</code>) to specify your key and signing details. You may need root privileges to edit this file.
 
# Open <code>/etc/opendkim.conf</code> in your text editor.
# Add or ensure these lines are configured with your domain and key information:
 
<pre class="conf">KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts          refile:/etc/opendkim/TrustedHosts</pre>
<ol start="3" style="list-style-type: decimal;">
<li>Create or edit <code>/etc/opendkim/KeyTable</code> and add your domain’s key:</li></ol>
 
<pre class="conf">mail._domainkey.yourdomain.com yourdomain.com:mail:/etc/opendkim/keys/yourdomain.com/mail.private</pre>
<ol start="4" style="list-style-type: decimal;">
<li>Create or edit <code>/etc/opendkim/SigningTable</code> and link email addresses to the selector and domain:</li></ol>
 
<pre class="conf">*@yourdomain.com mail._domainkey.yourdomain.com</pre>
<ol start="5" style="list-style-type: decimal;">
<li>Create or edit <code>/etc/opendkim/TrustedHosts</code> and add your localhost and domain names to specify which hosts can send mail that will be signed:</li></ol>
 
<pre class="conf">127.0.0.1
localhost
yourdomain.com</pre>
=== Step 4: Connect OpenDKIM to Postfix ===
 
Configure Postfix to use OpenDKIM for signing by editing <code>/etc/postfix/main.cf</code> and adding:
 
<pre class="conf">milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301</pre>
Make sure the port (<code>12301</code> in this example) matches the one configured for OpenDKIM.
 
=== Step 5: Restart and Test ===
 
# Restart OpenDKIM and Postfix to apply changes:
 
<source lang="bash">sudo systemctl restart opendkim postfix</source>
<ol start="2" style="list-style-type: decimal;">
<li>Test your DKIM configuration using online tools or by sending an email to a service like <code>check-auth@verifier.port25.com</code>, which will reply with an analysis of your email’s authentication results, including DKIM.</li></ol>
 
=== Step 6: Publish Your DKIM Public Key ===
 
Don’t forget to publish your DKIM public key in your DNS. You’ll find the public key in a file named <code>mail.txt</code> within your domain’s key directory <code>/etc/opendkim/keys/yourdomain.com</code>. Create a TXT record for <code>mail._domainkey.yourdomain.com</code> with the value provided in that file.
 
Make sure to replace placeholders like <code>yourdomain.com</code> and <code>mail</code> (if you used a different selector) with your actual domain and selector used during key generation. This guide assumes basic familiarity with Linux server administration and might require adjustments based on your system’s specifics and the domain registrar’s DNS settings interface.

Latest revision as of 00:12, 23 October 2025

Links

Pages in category "Email"

The following 2 pages are in this category, out of 2 total.

E

Retrieved from "https://wiki.traxel.com/index.php?title=Category:Email&oldid=5509"