Setting up a postfix outbound mail server with SPF, DomainKey and DKIM support

Make sure you enable the firewall first:
sudo apt-get install ufw && sudo ufw enable

sudo apt-get install postfix dk-filter dkim-filter
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
sudo mv private.key /etc/mail/example.key

/etc/postfix/main.cf

# INTERNET HOST AND DOMAIN NAMES
myhostname = mail.example.com

# SENDING MAIL
myorigin = $mydomain

# RECEIVING MAIL
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# ALIAS DATABASE
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# DKIM and DomainKey filters
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892

/etc/default/dk-filter

# Sign for example.com with key in /etc/mail/example.key using
# selector 'mail' (e.g. mail._domainkey.example.com)
DAEMON_OPTS="$DAEMON_OPTS -l -i /etc/dkim-hosts.conf -d example.com -s /etc/mail/example.key -S mail"
SOCKET="inet:8892@localhost"

/etc/dkim-filter.conf

Syslog            yes
# Sign for example.com with key in /etc/mail/example.key using
# selector 'mail' (e.g. mail._domainkey.example.com)
Domain            example.com
KeyFile            /etc/mail/example.key
Selector          mail
InternalHosts        /etc/dkim-hosts.conf

/etc/dkim-hosts.conf

127.0.0.1
192.168.0.1

DNS Entries

_domainkey.example.com TXT "o=~\; r=contact@example.com"
mail._domainkey.example.com TXT "k=rsa\; p={public-key-here}"
example.com TXT "v=spf1 ip4:xx.xx.xx.xx -all"
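
The {public-key-here} placeholder above is the body of public.key with its PEM header, footer and line breaks removed. The following Python is added here and is not part of the original post: it builds the selector record from the PEM, checks that the body is valid base64, splits values longer than 255 octets into the several quoted strings a TXT record then needs, and parses tag=value records back. The PEM is a constructed sample, not a real key.

```python
import base64
import binascii

# Constructed sample of what `openssl rsa -pubout` writes to public.key.
# The body is made-up base64 of the right shape, not a real RSA key.
SAMPLE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7
abcd1234EFGH5678ijkl9012MNOP3456qrst7890
-----END PUBLIC KEY-----
"""

def pem_to_p_tag(pem: str) -> str:
    """The p= value is the base64 DER SubjectPublicKeyInfo, which is exactly
    the PEM body with the BEGIN/END lines and line breaks removed."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected the PUBLIC KEY block written by openssl rsa -pubout")
    body = "".join(lines[1:-1])
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    return body

def selector_record(selector: str, domain: str, pem: str) -> tuple[str, str]:
    """Name and value of the selector entry, e.g. mail._domainkey.example.com.
    The value uses a plain ';'; the backslash in the post is DNS-panel escaping."""
    return f"{selector}._domainkey.{domain}", f"k=rsa; p={pem_to_p_tag(pem)}"

def txt_strings(value: str, limit: int = 255) -> list[str]:
    """Split a TXT value into <=255-octet strings. A 1024-bit key's p= fits in
    one string; a 2048-bit key does not, and an unsplit string fails to load."""
    data = value.encode()
    return [data[i:i + limit].decode() for i in range(0, len(data), limit)]

def zone_line(name: str, value: str) -> str:
    """Zone-file line; resolvers concatenate the quoted strings back together."""
    return f"{name}. IN TXT " + " ".join(f'"{s}"' for s in txt_strings(value))

def parse_tags(value: str) -> dict[str, str]:
    """Parse a tag=value record (selector entry or the _domainkey policy entry)."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags
```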

Test

Restart everything (postfix, dk-filter, dkim-filter) and then test using:

mail -s 'testing domain keys' check-auth2@verifier.port25.com

You should get a report back that looks something like:

==========================================================

Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   pass
DKIM check:         pass
Sender-ID check:    pass


Sending email in the cloud

Having run a couple of startup companies in the cloud on Amazon Web Services, I have seen the issue of sending email crop up a number of times.

The problems

Amazon does not let you set a reverse DNS (PTR) entry for your mail server, and a large number of mail servers will not accept mail from a host that does not have one. This is a spam prevention measure intended to cut down on mail relayed through insecure mail servers.

The other blocking issue you will come across is blacklisting. Because cloud IP addresses are reused, it is likely that someone else had your IP address in the past; if that tenant was not entirely honest, the address has probably been blacklisted at some point. Here is an example of the error message you will receive if you try to send mail from a blacklisted host:

553 Mail from xx.xxx.xxx.xxx not allowed - 5.7.1 [BL21] Connections not accepted from IP addresses on Spamhaus PBL; see http://postmaster.yahoo.com/550-bl21.html [550]

or

550 DY-001 Mail rejected by Windows Live Hotmail for policy reasons. We generally do not accept email from dynamic IP's as they are not typically used to deliver unauthenticated SMTP e-mail to an Internet mail server...

The solutions

So, what can you do about it? The simple answer is not to send mail directly from the cloud; instead, relay your mail through a server hosted somewhere else.

The first option is to send email through Gmail. This works fine for small volumes of email, but as your web application becomes more successful you will quickly start hitting the volume limits imposed by Google and will start seeing entries like this in your mail log:

550 5.4.5 Daily sending quota exceeded.

The best long-term solution is to run your own mail server hosted outside of the cloud. I recommend Slicehost as a provider: you can have a mail server up and running for as little as $20/month, and this will let you send masses of email. This might sound a bit daunting if you haven't set one up before, but they have a great tutorial on setting up a mail server.

Dodging the spam folder

Once you have your mail server up and running you should set an SPF record for your domain. SPF records are TXT DNS records that you create to announce that your new mail server is allowed to send mail for your domain. Let's say you have just finished setting up your mail host as mail.example.com; then you need to create a TXT entry for example.com with the following contents (including the quotes!):

"v=spf1 a:mail.example.com -all"

You should now be sending mail happily from the cloud and with a bit of luck your recipients will receive the mail in their inboxes.
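
As an added example (my own code, not from the post), here is an offline checker for SPF records of the shapes used above and in the first post ("v=spf1 ip4:... -all" and "v=spf1 a:... -all"): it parses the record, evaluates a sender address against the ip4/ip6 terms in order, reports a term such as a: that can only be settled with DNS rather than guessing, and counts the terms that go towards the 10-lookup limit. The sample records and addresses are constructed.

```python
import ipaddress

# Constructed sample records in the shape the two posts use (addresses are
# made up from the documentation ranges, not real hosts).
RECORD_IP4 = "v=spf1 ip4:203.0.113.25 -all"
RECORD_HOST = "v=spf1 a:mail.example.com -all"

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF TXT value into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: the value must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.replace("=", ":", 1).partition(":")  # handles redirect=
        parsed.append((qualifier, mech.split("/")[0].lower(), arg))
    return parsed

def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate ip4/ip6/all terms offline, in record order, for one sender IP.
    A term that needs a lookup (a, mx, include, ...) is reported as
    'needs-dns' instead of being guessed, because its result decides the rest."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            if net.version == ip.version and ip in net:
                return RESULTS[qualifier]
        elif mech == "all":
            return RESULTS[qualifier]
        else:
            return "needs-dns"
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default

def dns_lookup_terms(record: str) -> int:
    """Count terms that cost a DNS query; more than 10 makes receivers return
    permerror (RFC 7208), which is no better than having no record at all."""
    return sum(1 for _, mech, _ in parse_spf(record) if mech in DNS_TERMS)
```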


About

Nimbu is an advanced website monitoring platform. Check it out at http://nimbu.net/