Setting up a postfix outbound mail server with SPF, DomainKey and DKIM support

Make sure you enable the firewall first. ufw denies incoming connections by default, so if you are logged in over SSH run "sudo ufw allow ssh" before enabling it or you will lock yourself out:
sudo apt-get install ufw && sudo ufw enable

sudo apt-get install postfix dk-filter dkim-filter
# generate the signing key pair: public.key goes into DNS, private.key is used by both filters
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
sudo mv private.key /etc/mail/example.key

/etc/postfix/main.cf

# INTERNET HOST AND DOMAIN NAMES
myhostname = mail.example.com

# SENDING MAIL
myorigin = $mydomain

# RECEIVING MAIL
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# ALIAS DATABASE
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# DKIM and DomainKey filters
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892

/etc/default/dk-filter

# Sign for example.com with key in /etc/mail/example.key using
# selector 'mail' (e.g. mail._domainkey.example.com)
DAEMON_OPTS="$DAEMON_OPTS -l -i /etc/dkim-hosts.conf -d example.com -s /etc/mail/example.key -S mail"
SOCKET="inet:8892@localhost"

/etc/dkim-filter.conf

Syslog          yes
# Sign for example.com with key in /etc/mail/example.key using
# selector 'mail' (e.g. mail._domainkey.example.com)
Domain          example.com
KeyFile         /etc/mail/example.key
Selector        mail
InternalHosts   /etc/dkim-hosts.conf

/etc/dkim-hosts.conf

127.0.0.1
192.168.0.1

DNS Entries

_domainkey.example.com TXT "o=~\; r=contact@example.com"
mail._domainkey.example.com TXT "k=rsa\; p={public-key-here}"
example.com TXT "v=spf1 ip4:xx.xx.xx.xx -all"

{public-key-here} is the body of public.key with the BEGIN/END lines and line breaks removed. The backslash before each ';' is what some DNS providers' web forms require; in a BIND zone file a ';' inside a quoted string needs no escaping.
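Turning public.key into the TXT record above is a string transform with one gotcha: a single TXT string may not exceed 255 octets, so keys longer than the 1024-bit one generated here must be split into several quoted strings. This is an added example, not part of the original post; the PEM body it builds is constructed filler bytes, not a real RSA key.

```python
import base64

def make_pem(der):
    """Wrap DER bytes in PEM armour the way `openssl rsa -pubout` prints a public key."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

# Constructed placeholder: arbitrary bytes, NOT a real RSA key, sized like the
# SubjectPublicKeyInfo of a 2048-bit key (294 bytes) so the record needs splitting.
SAMPLE_PEM = make_pem(bytes(range(256)) + bytes(38))

def pem_to_p_tag(pem):
    """The p= value is the PEM body with armour lines and line breaks removed."""
    lines = [l.strip() for l in pem.splitlines()]
    p = "".join(l for l in lines if l and not l.startswith("-----"))
    base64.b64decode(p, validate=True)   # reject a mangled or truncated body early
    return p

def dkim_txt_strings(pem, max_len=255):
    """Split the record value into <=255-octet strings (the RFC 1035 limit per TXT string);
    verifiers concatenate them, so where the split falls does not matter."""
    value = "v=DKIM1; k=rsa; p=" + pem_to_p_tag(pem)
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]

def zone_line(pem, selector, domain):
    """Zone-file form of selector._domainkey.domain, e.g. mail._domainkey.example.com."""
    quoted = " ".join('"%s"' % s for s in dkim_txt_strings(pem))
    return "%s._domainkey.%s. IN TXT %s" % (selector, domain, quoted)
```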

Test

Restart everything (postfix, dk-filter, dkim-filter) and then test using:

mail -s 'testing domain keys' check-auth2@verifier.port25.com

You should get a report back that looks something like:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   pass
DKIM check:         pass
Sender-ID check:    pass

Filed under: DKIM, DomainKey, Email, postfix, SPF, Ubuntu


New Feature: Twitter Alerts

You can now receive http://nimbu.net/ alert notifications via Twitter as Direct Messages.

Filed under: New Feature, Twitter


New Feature: Mobile Dashboard

You can now keep an eye on your website when on the move.  The mobile dashboard is an optimized view of your account giving you all the information you need on the go.

Filed under: iPhone, Mobile, New Feature


Sending email in the cloud

Having run a couple of startup companies in the cloud on Amazon Web Services, the issue of sending email has cropped up a number of times.

The problems

Amazon doesn't allow you to set reverse DNS lookup entries for your mail server and a large number of mail servers will not accept mail from a server that doesn't have this.  This is a spam prevention feature to try and cut down on mail being relayed through insecure mail servers.

The other blocking issue you will come across is blacklisting.  Because of the nature of cloud systems it is likely that someone else has had your IP address in the past.  If the person wasn't entirely honest then they will probably have been blacklisted at some point.  Here is an example error message you will receive if you try and mail from a blacklisted host:

553 Mail from xx.xxx.xxx.xxx not allowed - 5.7.1 [BL21] Connections not accepted from IP addresses on Spamhaus PBL; see http://postmaster.yahoo.com/550-bl21.html [550]

or

550 DY-001 Mail rejected by Windows Live Hotmail for policy reasons. We generally do not accept email from dynamic IP's as they are not typically used to deliver unauthenticated SMTP e-mail to an Internet mail server...

The solutions

So, what can you do about it?  The simple answer is do not send mail from the cloud, instead relay your mail through a server hosted somewhere else.

The first option is to send email through GMail.  This works fine for small volumes of email, but as your web application becomes more successful you will quickly start hitting the volume limits imposed by Google and will start seeing entries like this in your mail log:

550 5.4.5 Daily sending quota exceeded.

The best long-term solution is to run your own mail server hosted outside of the cloud.  I recommend Slicehost as a provider: you can have a mail server up and running from as little as $20/month, and this will allow you to send masses of email.  This might sound a bit ominous if you haven't set one up before, but they have a great tutorial on setting up a mail server.

Dodging the spam folder

Once you have your mail server up and running you should set an SPF record for your domain.  SPF records are TXT DNS records that you create to announce that your new mail server is allowed to send mail for your domain.  Let's say you have just finished setting up your mail host as mail.example.com; then you need to create a TXT entry for example.com with the following contents (including the quotes!):

"v=spf1 include:mail.example.com -all"

Note that include: pulls in the SPF record published at mail.example.com, so that name must publish one of its own; to authorise the host directly, list its address with ip4: (as in the Postfix post above) or its A record with a:mail.example.com.
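The difference between this include: record and the ip4: record in the Postfix post is easiest to see by evaluating both. The following is an added example, not from either post: a minimal RFC 7208 check_host() run against a constructed in-memory zone instead of real DNS; example.net, example.org and the 203.0.113.10 address are constructed test data, and mx, ptr, exists and redirect are left out.

```python
import ipaddress
# Constructed in-memory zone standing in for DNS lookups (test data, not real records).
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.10 -all"],          # the Postfix post's form
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("mail.example.com", "TXT"): [],                                    # the host has no SPF record of its own
    ("example.net", "TXT"): ["v=spf1 include:mail.example.com -all"],  # this post's form
    ("example.org", "TXT"): ["v=spf1 a:mail.example.com -all"],        # authorise the host via its A record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])

def spf_record(domain):
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None   # RFC 7208 4.5: exactly one record is usable

def check_host(ip, domain, depth=0):
    """Evaluate sender ip for domain; supports ip4, a, include and all only."""
    if depth > 10:                      # crude recursion cap (RFC 7208 allows 10 DNS-querying terms)
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(arg or domain, "A"))
        elif mech == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("temperror", "permerror", "none"):
                return "permerror" if sub == "none" else sub   # no record at the included name is a permerror
            matched = sub == "pass"     # include matches only when the referenced record passes
        else:
            return "permerror"          # mechanism not implemented here (mx, ptr, exists, ...)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no term matched and no "all" present
```

Run against the zone above, the include: form yields permerror even for the legitimate host, while the ip4: and a: forms pass it and fail everything else.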

You should now be sending mail happily from the cloud and with a bit of luck your recipients will receive the mail in their inboxes.

Filed under: AWS, Cloud, DNS, Email, Productionization, SPF, Startups


New Feature: Global Visualization

You can now visualize your website response time from all our monitoring nodes around the world.

Filed under: Maps, New Feature


Tell us what you think

We've just added a new 'Feedback' link to the footer that allows you to tell us what you think about the site and vote on what other users have been talking about. 

We take your feedback very seriously and will react to any comments.

Filed under: New Feature


New Feature: Weekly Reports

Last night saw the launch of Weekly Monitoring Reports from Nimbu.  Every Monday you will receive a report for the previous week so you can see at a glance if there were any issues that you need to address.

Filed under: New Feature


Nimbu Alpha Launched

The Alpha of nimbu.net is finally released, thanks to my private testers who helped get it to this stage.  Please hit me with any feedback.

Filed under: Launch


Nimbu Site Monitoring Beta almost ready

We’re busy getting Nimbu Site Monitoring ready for a public beta launch.  The private beta has been going well.  Exciting times!

Filed under: Beta


About

Nimbu is an advanced website monitoring platform. Check it out at http://nimbu.net/