Links
- Reverse DNS on Lightsail: https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-configuring-reverse-dns.html
GPT Recommendation
For a low-volume mail server setup on Debian 12 (Bookworm) that’s primarily used for sending outbound messages from a local instance of MediaWiki, you can opt for a simple yet reliable software stack. The primary goal here is to ensure that emails sent by MediaWiki (e.g., account creation confirmations, notifications) are delivered reliably without setting up a full-fledged mail receiving infrastructure.
Software Stack:
- Postfix: A widely used, open-source Mail Transfer Agent (MTA) that can handle sending outbound emails. It’s relatively straightforward to configure for sending emails and can be secured to prevent unauthorized use.
- Optional: Dovecot: If you ever decide to handle receiving emails (for bounces or administrative purposes), Dovecot is a secure IMAP and POP3 server that integrates well with Postfix. However, for your described use case, Dovecot may not be necessary.
- Certbot (Let’s Encrypt): For securing your connections with TLS, using Certbot to obtain a free SSL certificate from Let’s Encrypt is recommended, especially if you’ll be sending sensitive information.
Basic Setup Instructions:
1. Install Postfix
Update your package list:
sudo apt update
Install Postfix:
sudo apt install postfix
During installation, you’ll be prompted for some basic configuration:
- General type of mail configuration: Choose “Internet Site”.
- System mail name: This should be your domain name (e.g., example.com).
2. Basic Configuration
Edit the main Postfix configuration file
/etc/postfix/main.cf
to ensure it’s set up for sending mail correctly. For a basic setup, you might only need to adjust or verify a few lines:inet_interfaces = loopback-only myhostname = example.com mydestination = mynetworks = 127.0.0.0/8
inet_interfaces
set toloopback-only
ensures Postfix only listens on the localhost interface.myhostname
should be your server’s FQDN.- Clear
mydestination
to prevent Postfix from considering itself the final destination for mail. mynetworks
restricts which IPs can send mail through this server, set it to localhost only for security.
Reload or restart Postfix to apply the changes:
sudo systemctl restart postfix
3. Configure MediaWiki for Email
Ensure MediaWiki is configured to send email through your local Postfix installation. This is usually done in MediaWiki’s LocalSettings.php
:
$wgSMTP = [
'host' => 'localhost',
'IDHost' => 'example.com',
'port' => 25,
'auth' => false,
];
Adjust example.com
to match your domain.
Security and Sending Limits
- IP and Domain Reputation: Ensure your server’s IP and domain have a good reputation. A new IP or one previously used for spam can negatively affect deliverability.
- Reverse DNS: Set up reverse DNS for your server’s IP to match your domain. This is often done through your hosting provider’s control panel.
- SPF Record: Add an SPF record to your domain’s DNS to authorize your server to send email on behalf of your domain.
- DKIM and DMARC: For a low-volume server used as described, DKIM and DMARC are optional but recommended for improving email authenticity.
This setup is sufficient for sending outbound emails from a MediaWiki instance. Remember to monitor your server for any abuse and ensure that it’s not configured as an open relay. For more extensive email needs in the future, consider additional configurations and possibly using external SMTP services designed for high deliverability.
SPF, DKIM, DMARC
Sure, here’s a simplified overview of setting up SPF, DKIM, and DMARC through DNS records. Note that specific values can vary based on your email sending service (e.g., Google Workspace, Office 365, SendGrid, etc.) or if you’re sending emails directly from your own server.
SPF (Sender Policy Framework)
Purpose: SPF allows the owner of a domain to specify which mail servers are permitted to send email on behalf of that domain.
DNS Record Type: TXT
Example Value:
v=spf1 include:_spf.example.com ~all
v=spf1
specifies the SPF version.include:_spf.example.com
tells receiving mail servers to consider the SPF record of_spf.example.com
as part of this domain’s SPF record. Replace_spf.example.com
with the SPF record of your email service provider or your own mail server.~all
is a soft fail for mechanisms not specified in the record. It advises recipients to accept mail whether it passes the SPF check or not but to mark it as suspicious. Use-all
for a hard fail if you’re sure all legitimate sources are listed.
HSL Version
For the HeatSync Labs wiki server, we know the domain (heatsynclabs.wiki) is dedicated to a single purpose, so we can go pretty hardcore. We'll specify that only email from the mx mail.heatsynclabs.wiki should be accepted.
v=spf1 mx:mail.heatsynclabs.wiki -all
DKIM (DomainKeys Identified Mail)
Purpose: DKIM provides a way to validate a domain name identity that is associated with a message through cryptographic authentication.
Configuration: You’ll generate a public/private key pair. The public key goes into your DNS records, and the private key is used by your outgoing email server to sign messages.
DNS Record Type: TXT
Example Value:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3...[your_public_key]...
v=DKIM1
specifies the DKIM version.k=rsa
indicates the key type.p=[your_public_key]
is where you paste the actual public key generated by your mail server or email service.
The specific TXT
record name often includes a selector which is a prefix to _domainkey
, like selector1._domainkey.example.com
. The selector is specified by your email system when setting up DKIM.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
Purpose: DMARC uses SPF and DKIM to determine the legitimacy of an email message, providing instructions to the receiving mail server on what to do if neither of those authentication methods passes. It also specifies how an email sender can receive feedback on messages that pass and/or fail DMARC evaluation.
DNS Record Type: TXT
Example Value:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com
v=DMARC1
specifies the DMARC version.p=reject
is the policy, telling receiving servers to reject messages that fail DMARC checks. Other options includenone
(do nothing, only log the event) andquarantine
(mark as spam).rua=mailto:dmarc-reports@example.com
specifies an email address where aggregate reports should be sent.
For all three, replace example.com
with your domain and adjust values according to your specific setup or service provider’s guidelines. Setting up these records correctly can significantly improve your email deliverability and protect your domain against misuse. Always test your configuration using tools like Google’s Admin Toolbox or other DMARC, SPF, and DKIM validation tools available online.
DKIM on Postfix
To configure Postfix with DomainKeys Identified Mail (DKIM) to sign outgoing emails, you typically use an external application like OpenDKIM. OpenDKIM provides a method to sign email messages with a DKIM signature based on your private key, enhancing email security and deliverability. Here’s a basic guide to configuring Postfix with DKIM using OpenDKIM:
Step 1: Install OpenDKIM
First, install OpenDKIM and its tools. On Debian/Ubuntu systems, you can do this with:
sudo apt-get update
sudo apt-get install opendkim opendkim-tools
Step 2: Generate DKIM Keys
You’ll need to generate a private and public key pair for DKIM.
- Create a directory for your keys:
sudo mkdir -p /etc/dkimkeys/yourdomain.com
- Generate the keys:
sudo opendkim-genkey -b 2048 -d yourdomain.com -D /etc/dkimkeys/yourdomain.com -s mail -v
- Change ownership of the private key to the opendkim user:
sudo chown opendkim:opendkim /etc/dkimkeys/yourdomain.com/mail.private
In this example, yourdomain.com
should be replaced with your actual domain, and mail
is a selector that will be part of your DKIM record.
Set the access on the private key:
sudo chmod 0600 /etc/dkimkeys/heatsynclabs.wiki/mail.private
HeatSync Labs DNS Entry
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoO06v9Pk+J4zAHn7lKAyIB+FYyph6REHI47BnXX991UWDmJNGRNBmMy3t6fBoz1j8oCzjruBdgHFrGUnXRcGZFBeJFX2/Zg/NvSTRV6axMdki936fELtZi+ftUetPHbRpD0J7yYlyOZ+816em9J68MtAfBSUj2uCcA8RVGXs2YdcfcridEFvXmzd4N0fdcU21LyMkGotyMCKZ9" "CLnNn0BFFdVkHEtjtTqasnvzOkL002UOS+DApLdAReNCDYciJpuHusQBw5LAoj+nJO/bI4BBSVPt7jUgQv1oNWAbw7mSZRwAHNDhGs4Feh9imITw7sxsF6Q513uAFqZoXBiiADVQIDAQAB" ) ; ----- DKIM key mail for heatsynclabs.wiki
v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoO06v9Pk+J4zAHn7lKAyIB+FYyph6REHI47BnXX991UWDmJNGRNBmMy3t6fBoz1j8oCzjruBdgHFrGUnXRcGZFBeJFX2/Zg/NvSTRV6axMdki936fELtZi+ftUetPHbRpD0J7yYlyOZ+816em9J68MtAfBSUj2uCcA8RVGXs2YdcfcridEFvXmzd4N0fdcU21LyMkGotyMCKZ9CLnNn0BFFdVkHEtjtTqasnvzOkL002UOS+DApLdAReNCDYciJpuHusQBw5LAoj+nJO/bI4BBSVPt7jUgQv1oNWAbw7mSZRwAHNDhGs4Feh9imITw7sxsF6Q513uAFqZoXBiiADVQIDAQAB
Step 3: Configure OpenDKIM
Big Email System Config (don't use this)
Edit the OpenDKIM main configuration file (/etc/opendkim.conf
) to specify your key and signing details. You may need root privileges to edit this file.
- Open
/etc/opendkim.conf
in your text editor. - Add or ensure these lines are configured with your domain and key information:
KeyTable refile:/etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts
- Create or edit
/etc/opendkim/KeyTable
and add your domain’s key:
mail._domainkey.yourdomain.com yourdomain.com:mail:/etc/dkimkeys/yourdomain.com/mail.private
- Create or edit
/etc/opendkim/SigningTable
and link email addresses to the selector and domain:
*@yourdomain.com mail._domainkey.yourdomain.com
- Create or edit
/etc/opendkim/TrustedHosts
and add your localhost and domain names to specify which hosts can send mail that will be signed:
127.0.0.1 localhost yourdomain.com
Simple Basic Version
Domain heatsynclabs.wiki Selector mail KeyFile /etc/dkimkeys/heatsynclabs.wiki/mail.private
Step 4: Connect OpenDKIM to Postfix
Configure Postfix to use OpenDKIM for signing by editing /etc/postfix/main.cf
and adding:
milter_default_action = accept milter_protocol = 6 smtpd_milters = inet:localhost:12301 non_smtpd_milters = inet:localhost:12301
Make sure the port (12301
in this example) matches the one configured for OpenDKIM.
Step 5: Restart and Test
- Restart OpenDKIM and Postfix to apply changes:
sudo systemctl restart opendkim postfix
- Test your DKIM configuration using online tools or by sending an email to a service like
check-auth@verifier.port25.com
, which will reply with an analysis of your email’s authentication results, including DKIM.
Step 6: Publish Your DKIM Public Key
Don’t forget to publish your DKIM public key in your DNS. You’ll find the public key in a file named mail.txt
within your domain’s key directory /etc/opendkim/keys/yourdomain.com
. Create a TXT record for mail._domainkey.yourdomain.com
with the value provided in that file.
Make sure to replace placeholders like yourdomain.com
and mail
(if you used a different selector) with your actual domain and selector used during key generation. This guide assumes basic familiarity with Linux server administration and might require adjustments based on your system’s specifics and the domain registrar’s DNS settings interface.
DKIM
OpenDKIM Config
/etc/opendkim.conf, at end of file
# ------------------------------------------------------------------------- # Custom for heatsynclabs.wiki # ---------------------------- # See: http://www.opendkim.org/opendkim.conf.5.html # LogWhy # If logging is enabled (see Syslog below), issues very detailed logging # about the logic behind the filter’s decision to either sign a message # or verify it. The logic behind the decision is non-trivial and can be # confusing to administrators not familiar with its operation. A # description of how the decision is made can be found in the OPERATIONS # section of the opendkim(8) man page. This causes a large increase in the # amount of log data generated for each message, so it should be limited # to debugging use and not enabled for general operation. # LogWhy yes # enables extra logging # Mode # Selects operating modes. The string is a concatenation of characters that # indicate which mode(s) of operation are desired. Valid modes are s # (signer) and v (verifier). The default is sv except in test mode # (see the opendkim(8) man page) in which case the default is v. When # signing mode is enabled, one of the following combinations must also be # set: # (a) Domain, KeyFile, Selector, no KeyTable, no SigningTable; <-- 1 domain # (b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector; # (c) KeyTable, SetupPolicyScript, no Domain, no KeyFile, no Selector. # Mode sv # Signing domain, selector, and key (required). For example, perform signing # for domain "example.com" with selector "2020" (2020._domainkey.example.com), # using the private key stored in /etc/dkimkeys/example.private. More granular # setup options can be found in /usr/share/doc/opendkim/README.opendkim. # # Domain # A set of domains whose mail should be signed by this filter. Mail from # other domains will be verified rather than being signed. Domain heatsynclabs.wiki # # KeyFile # Gives the location of a PEM-formatted private key to be used for signing # all messages. Ignored if a KeyTable is defined. KeyFile /etc/dkimkeys/heatsynclabs.wiki/mail.private # # Selector # Defines the name of the selector to be used when signing messages. See # the DKIM specification for details. Used only when signing with a single # key; see the SigningTable parameter below for more information. Selector mail # Socket for the MTA connection (required). If the MTA is inside a chroot jail, # it must be ensured that the socket is accessible. In Debian, Postfix runs in # a chroot in /var/spool/postfix, therefore a Unix socket would have to be # configured as shown on the last line below. # # Specifies the socket that should be established by the filter to receive # connections from sendmail(8) in order to provide service. socketspec is in # one of two forms: local:path, which creates a UNIX domain socket at the # specified path, or inet:port[@host] or inet6:port[@host] which creates a # TCP socket on the specified port and in the specified protocol family. If # the host is not given as either a hostname or an IP address, the socket # will be listening on all interfaces. A literal IP address must be enclosed # in square brackets. This option is mandatory either in the configuration # file or on the command line. Socket local:/var/spool/postfix/opendkim/opendkim.sock # -------------------------------------------------------------------------
Postfix Config
/etc/postfix/main.cf, at end of file
# OpenDKIM Config milter_default_action = accept milter_protocol = 6 smtpd_milters = local:/opendkim/opendkim.sock non_smtpd_milters = local:/opendkim/opendkim.sock