The following is a brief description of how to install a Postfix email server that scores the maximum in all three domains of the report: Confidential Delivery, Phishing-Identity Theft and Integrity of Messages. This guide has been tested on a virtual machine running Ubuntu 24.04 LTS.
The most straightforward way to have DNSSEC is to use a DNS service provider with DNSSEC support. An alternative that we will explore in future guides is to run our own DNS service with DNSSEC support. Before starting, our domain name must have an MX record, and the MX hostname must have an IP address assigned through an A record. In our DNS service (either local or provided by a third party) we create at least one MX record for the domain model.dcslab.eu: 5 mx.model.dcslab.eu. The first value is the priority, the second the hostname of the MTA. For each MX record created, we create an A record to resolve the MX hostname into an IP address, e.g.:
mx.model.dcslab.eu. IN A 139.191.36.5
General type of mail configuration? | Internet Site |
System mail name | model.dcslab.eu |
root and postmaster mail recipients | model (root user) |
destinations to accept mail for (mydestination) | model.dcslab.eu |
force synchronous updates on mail | yes |
local networks (mynetworks) | 192.168.1.0/24 127.0.0.1 |
Mailbox size limit (bytes) | 0 (means no limit) |
Local address extension character | (no address extensions) |
Internet Protocols to use | IPv4 |
We create aliases to receive DMARC reports.
To set up STARTTLS correctly in our Postfix installation, we need a certificate signed by a recognized Certification Authority (CA), and we need to set a number of TLS parameters in the Postfix server. We start by requesting a certificate signed by a valid authority. In this example we use Let's Encrypt as CA to issue a valid, free certificate, following its installation guide for a generic Debian platform.
The application that requests the certificate needs TCP port 80. If any application is listening on this port, we have to stop it before continuing, and we can resume it once we have the certificate. When requesting the certificate it is important to specify exactly the domain name the certificate should authenticate; in this case we specified mx.model.dcslab.eu, the hostname of our email server.
To configure SPF we have to publish a DNS record, so that other Mail Transfer Agents (MTAs) can check it when receiving e-mail from our domain. For our own server to check SPF on incoming e-mail, we additionally have to install a policy daemon with apt-get and configure it properly.
We start by publishing a simple SPF policy listing the hosts authorized to send e-mail on behalf of our domain model.dcslab.eu:
IN TXT "v=spf1 mx -all"
Then we install and configure the postfix-policyd-spf-python package:
# SPF /etc/postfix/master.cf configuration
#
policy-spf  unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/bin/policyd-spf
# SPF /etc/postfix/main.cf configuration
policy-spf_time_limit = 3600s
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy-spf
DKIM requires three steps: generating a key pair, publishing the public key in a DNS TXT record, and configuring OpenDKIM to work with Postfix.
Once we have generated the keys, we can use the output to create the corresponding TXT record in the DNS zone of our domain. The record name is <selector>._domainkey.<our_domain>.
modelSelector._domainkey IN TXT ("v=DKIM1; h=sha256; k=rsa; s=email; p=MIGf...QAB")
After the key generation and the creation of the TXT record, we have to configure OpenDKIM to work with Postfix.
#key_name domain:selector:/path/to/private_key_file
model.dcslab.eu model.dcslab.eu:modelSelector:/etc/opendkim/private_keys/modelSelector.key
#signer_of_the_message key_name
*@model.dcslab.eu model.dcslab.eu
#list-of-hosts (ips and hostnames)
127.0.0.1
model.dcslab.eu
192.168.1.0/24
Syslog yes
SyslogSuccess yes
LogWhy yes
UMask 002
OversignHeaders From,Subject
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
SignatureAlgorithm rsa-sha256
AutoRestart Yes
UserID opendkim:opendkim
SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"
# OpenDKIM milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
The configuration of DMARC is similar to that of DKIM, except that no key generation is needed.
In the case of DMARC, the TXT record is attached to the subdomain _dmarc.<our_domain>. The basic content of a DMARC policy record is the version, the policy to follow (accept, reject, …) and the mail address that reports are sent to.
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc_reports@model.dcslab.eu"
Finally, we have to configure postfix and opendmarc.
AuthservID model.dcslab.eu
Socket inet:8893@localhost
# DMARC /etc/postfix/main.cf configuration
# 8893 is default for opendmarc
smtpd_milters = unix:/var/run/opendkim/opendkim.sock, inet:127.0.0.1:8893
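Before publishing the SPF, DKIM and DMARC records above it is worth checking their syntax. The following Python linter is an added example, not part of the original guide: it parses the three record formats used here (SPF terms, DKIM and DMARC tag=value lists), flags the mistakes that silently weaken them (a permissive `?all`, too many lookup terms, an empty DKIM `p=`, an invalid DMARC `p=`, a missing `rua=`), and runs against the guide's own records, embedded as constants with the DKIM `p=` value abbreviated as on the page.

```python
import re

def parse_tags(record):
    """Split a DKIM or DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
LOOKUP_TERM = re.compile(r"^[+\-~?]?(a|mx|ptr|include|exists)($|[:/])|^redirect=", re.I)

def lint_spf(record):
    """Findings for an SPF TXT record such as 'v=spf1 mx -all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    issues = []
    if terms[-1].lower() not in ("-all", "~all"):
        issues.append("SPF: record should end with -all or ~all, otherwise forged senders pass")
    if sum(1 for t in terms[1:] if LOOKUP_TERM.match(t)) > 10:
        issues.append("SPF: more than 10 DNS-lookup terms, receivers return permerror")
    return issues

def lint_dkim(record):
    """Findings for a DKIM selector record (<selector>._domainkey TXT)."""
    t, issues = parse_tags(record), []
    if t.get("v") != "DKIM1":
        issues.append("DKIM: record must start with v=DKIM1")
    if not t.get("p"):
        issues.append("DKIM: empty p= means the key is revoked; signatures will not verify")
    if t.get("k", "rsa").lower() not in ("rsa", "ed25519"):
        issues.append("DKIM: unknown key type k=" + t["k"])
    return issues

def lint_dmarc(record):
    """Findings for the _dmarc TXT record."""
    t, issues = parse_tags(record), []
    if t.get("v") != "DMARC1":
        issues.append("DMARC: record must start with v=DMARC1")
    if t.get("p") not in ("none", "quarantine", "reject"):
        issues.append("DMARC: p= must be none, quarantine or reject")
    if not t.get("rua", "").lower().startswith("mailto:"):
        issues.append("DMARC: no rua=mailto: address, aggregate reports will not arrive")
    return issues

# The three records published in the guide (DKIM p= abbreviated as on the page)
SPF_RECORD = "v=spf1 mx -all"
DKIM_RECORD = "v=DKIM1; h=sha256; k=rsa; s=email; p=MIGf...QAB"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc_reports@model.dcslab.eu"
```

An empty result from the three linters means the records are syntactically sound; once published, the same functions can be fed the TXT values returned by a DNS lookup.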
Postfix supports DANE as an option of its TLS configuration. These options were already set during the STARTTLS configuration:
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
Postfix requires a DNSSEC-validating recursive nameserver to perform DNSSEC validation; therefore we either install and configure a local DNSSEC-validating recursive caching nameserver, or configure our system to use an external one. To set up the TLSA records, we can use an online tool to generate the corresponding values. To obtain the PEM form of the certificate we can execute:
-----BEGIN CERTIFICATE-----
MIIFMjCCBBqgAwIBAgISA/ZiA+nFT1Hd5emwMgI20KtdMA0GCSqGSIb3DQEBCwUA
...
Wq6bzNp36KG7fb86FW5VfJsINeIUdad/6J/gBylPPzaoonQ7vcT0VB6TI4/ic1C1
VuvF9e7YHH42YnWMoBesmOqoNWty+tzyFObvZPp7XLyQCDbS4ZY=
-----END CERTIFICATE-----
Following the Postfix documentation, we choose certificate usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256) for the TLSA record.
We publish the record for the TCP service on port 25, therefore:
_25._tcp.mx.model.dcslab.eu TLSA 3 1 1 1cf86240705080beee6827b063e52274e545859711d4f63aca3af259210ad6ab
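As an added example (not from the original guide), the following Python computes the "3 1 1" TLSA value locally from the server certificate's PEM, so the certificate never has to be pasted into an online tool. It walks the certificate's DER structure with the standard library only; SAMPLE_PEM is a constructed stand-in that has a certificate's DER skeleton with dummy contents, so to produce the record for mx.model.dcslab.eu you pass the real PEM (the output quoted above) to tlsa_rdata() instead.

```python
import base64, hashlib, re
def der_encode(tag, payload):
    """Encode one DER TLV; used only to build the constructed sample certificate below."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload    # long form: 0x80|octets, then length

def der_decode(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """List (tag, raw_tlv) for each element directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = der_decode(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out

def pem_to_der(pem):
    """Strip the PEM armour (as in the output quoted in the guide) and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def subject_public_key_info(der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 Certificate."""
    _, cert, _ = der_decode(der)        # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = der_decode(cert)        # tbsCertificate is the first element
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:            # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5][1]                 # serial, signature, issuer, validity, subject, SPKI

def tlsa_rdata(pem, selector=1):
    """TLSA RDATA with usage 3 (DANE-EE), matching type 1 (SHA-256); selector 1 = SPKI, 0 = whole cert."""
    der = pem_to_der(pem)
    data = subject_public_key_info(der) if selector == 1 else der
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"
# Constructed stand-in: a certificate's DER skeleton with dummy contents (NOT a real certificate).
SEQ, INT, BITS = 0x30, 0x02, 0x03
SAMPLE_SPKI = der_encode(SEQ, der_encode(SEQ, b"\x06\x03\x2a\x03\x04") + der_encode(BITS, b"\x00" + b"\xab" * 40))
SAMPLE_TBS = der_encode(SEQ, der_encode(0xA0, der_encode(INT, b"\x02")) + der_encode(INT, b"\x01") + der_encode(SEQ, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der_encode(SEQ, SAMPLE_TBS + der_encode(SEQ, b"") + der_encode(BITS, b"\x00" + b"\xcd" * 130))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT).decode() + "\n-----END CERTIFICATE-----\n"
```

The digest of the SubjectPublicKeyInfo survives a certificate renewal that keeps the same key, which is why the Postfix documentation prefers "3 1 1" over the whole-certificate "3 0 1" form.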