The following is a brief description of how to install a Postfix email server that will score the maximum in all three domains of the report: Confidential Delivery, Phishing-Identity Theft and Integrity of Messages. This guide has been tested on a virtual machine running Ubuntu 16.04 LTS.

  1. The first step is to install Ubuntu Server 16.04 LTS.

    • # sudo su -
    • # apt-get update
    • # apt-get upgrade
  2. DNS and DNSSEC configuration.

    The most straightforward way to have DNSSEC is to use a service provider with DNSSEC support. An alternative that we will explore in future guides is to install our own DNS service with DNSSEC support. Before starting, our domain name must have an MX record, and the MX hostname must have an IP address assigned through an A record. In our DNS service (either local or provided by a third party) we will create at least one MX record for the domain model.dcslab.eu: 5 mx.model.dcslab.eu. The first value is the priority and the second the hostname of the MTA. For each MX record created, we will create an A record to resolve the MX hostname into an IP address, e.g.:

     mx.model.dcslab.eu. IN A 139.191.36.5 
  3. Install Postfix and initial configuration.

    • # apt-get install postfix
    • # dpkg-reconfigure postfix
    General type of mail configuration? Internet Site
    System mail name: model.dcslab.eu
    root and postmaster mail recipients: model (root user)
    destinations to accept mail for (mydestination): model.dcslab.eu
    force synchronous updates on mail: yes
    local networks (mynetworks): 192.168.1.0/24 127.0.0.1
    Mailbox Size limit (bytes): 0 (means no limit)
    Local address extension character: (no address extensions)
    Internet Protocols to use: IPv4
    • # postconf -e 'home_mailbox = Maildir/'
    • # postconf -e 'mailbox_command ='
    • # service postfix restart

    We create aliases to receive DMARC reports.

    • # vi /etc/aliases
    postmaster: model
    dmarc_reports: model
                    
    • # postalias /etc/aliases
    • # service postfix restart
  4. StartTLS configuration.

    To set up StartTLS correctly in our Postfix installation, we need a certificate signed by a recognized Certification Authority (CA), and to configure a set of variables in the Postfix server. We will start by requesting a certificate signed by a valid authority. In this example we will use Let's Encrypt as the CA to issue a valid, free certificate. We will follow the installation guide for a generic Debian platform.

    The application that requests the certificate needs access to TCP port 80. If we have any application running on this port, we have to stop it before continuing; once we have the certificate, we can resume that service. When we request the certificate it is important that we correctly specify the domain name we want the certificate to authenticate. In this case we specified mx.model.dcslab.eu for our email server.

    • # apt-get install ca-certificates
    • # postconf -e 'smtp_tls_security_level = dane'
    • # postconf -e 'smtp_dns_support_level = dnssec'
    • # postconf -e 'smtpd_tls_security_level = may'
    • # postconf -e 'smtp_tls_note_starttls_offer = yes'
    • # postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/mx.model.dcslab.eu/privkey.pem'
    • # postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/mx.model.dcslab.eu/fullchain.pem'
    • # postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
    • # postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
    • # postconf -e 'smtpd_tls_ask_ccert = yes'
    • # postconf -e 'smtpd_tls_loglevel = 1'
    • # postconf -e 'smtpd_tls_received_header = yes'
    • # postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    • # postconf -e 'tls_random_source = dev:/dev/urandom'
    • # postconf -e 'myhostname = model.dcslab.eu'
  5. SPF (Sender Policy Framework) Configuration.

    To configure SPF, we have to publish a DNS record, so that other Mail Transfer Agents (MTAs) can check it when receiving e-mails from our domain. For our own server to check SPF on incoming e-mails, we also have to install a policy daemon with apt-get and configure it properly.

    We will start by publishing a simple DNS record stating the hosts authorized to send emails on behalf of our domain model.dcslab.eu.

    IN TXT "v=spf1 mx -all"

    Then we will install and configure the postfix-policyd-spf-python package:

    • # apt-get install postfix-policyd-spf-python
    • # vi /etc/postfix/master.cf
    #
    # SPF /etc/postfix/master.cf configuration
    #
    policy-spf  unix  -       n       n       -       -       spawn
         user=nobody argv=/usr/bin/policyd-spf
                    
    • # vi /etc/postfix/main.cf
    # SPF /etc/postfix/main.cf configuration
    policy-spf_time_limit = 3600s
    smtpd_helo_restrictions = reject_invalid_hostname
    smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination, check_policy_service unix:private/policy-spf
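    What policyd-spf does with the record above on every incoming connection is an SPF evaluation: look up the sender domain's v=spf1 record and test the connecting IP against its mechanisms. The following is an added example, not code from this guide or from the policyd-spf project; it evaluates the guide's own record "v=spf1 mx -all" against a constructed DNS table containing the MX and A records from step 2 (the A record 139.191.36.6 for the bare domain is an added, constructed value). It goes a little beyond the page's record by also handling the ip4, a and include mechanisms and all four qualifiers.

```python
import ipaddress

# Constructed DNS data mirroring the records in this guide (no live lookups):
# the MX and A records from step 2 and the SPF TXT record from step 5.
# 139.191.36.6 is an extra, constructed A record for the bare domain.
DNS = {
    ("model.dcslab.eu", "MX"): [(5, "mx.model.dcslab.eu")],
    ("mx.model.dcslab.eu", "A"): ["139.191.36.5"],
    ("model.dcslab.eu", "A"): ["139.191.36.6"],
    ("model.dcslab.eu", "TXT"): ["v=spf1 mx -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table above."""
    return DNS.get((name.rstrip(".").lower(), rtype), [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None (RFC 7208 section 3)."""
    found = [t for t in lookup(domain, "TXT") if t.lower().split(" ")[0] == "v=spf1"]
    return found[0] if len(found) == 1 else None


def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate the sender domain's SPF policy for one SMTP connection.

    Handles the mechanisms a small deployment uses (ip4, a, mx, include, all)
    with all four qualifiers and returns an RFC 7208 result string; this is
    the check policyd-spf performs for Postfix on incoming mail.
    """
    if depth > 10:                      # include loop guard (RFC 7208 DNS limit)
        return "permerror"
    record = spf_record(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        if "=" in term:                 # modifiers (redirect=, exp=) are not evaluated here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or mail_from_domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(target, "A")
        elif mech == "mx":
            mx_hosts = [host for _, host in sorted(lookup(target, "MX"))]
            matched = any(str(ip) in lookup(host, "A") for host in mx_hosts)
        elif mech == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism: the record is unusable
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    for sender_ip in ("139.191.36.5", "139.191.36.6", "203.0.113.9"):
        print(sender_ip, check_spf(sender_ip, "model.dcslab.eu"))
```

    The run shows why "mx -all" is the right policy for this setup: only the IP of a host listed in an MX record passes, while the bare domain's own A record (139.191.36.6) and an unrelated address both get "fail", which is what "-all" tells receivers to do with mail from anywhere else.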
                    
  6. DKIM (DomainKeys Identified Mail) Configuration

    DKIM is activated in the following steps:
    1. Installation of opendkim
    2. Creation of keys
    3. Creation of DNS record
    4. Configuration of opendkim and postfix

    • # apt-get install opendkim opendkim-tools
    • # mkdir -pv /etc/opendkim/private_keys/
    • # chown -R opendkim:opendkim /etc/opendkim
    • # chmod 700 /etc/opendkim/*
    • # cd /etc/opendkim/private_keys/
    • # opendkim-genkey -b 2048 -r -h rsa-sha256 -d model.dcslab.eu -s modelSelector
    • # mv -v modelSelector.private modelSelector.key
    • # chown opendkim:opendkim *
    • # chmod 600 *

    Once we have generated the keys, we can use the output to create the corresponding TXT record in the DNS of our domain. The record is attached to the name <selector>._domainkey.<our_domain>.

    • # cat modelSelector.txt
    Note: even though the content of the file says h=rsa-sha256;, the correct value is h=sha256.
    modelSelector._domainkey       IN      TXT     ("v=DKIM1; h=sha256; k=rsa; s=email; p=MIGf...QAB")
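    The file written by opendkim-genkey is in BIND zone syntax, with the long TXT value split into several quoted strings inside parentheses, so the value to publish is the concatenation of those strings. The following added example (not part of this guide or of OpenDKIM) parses that format, splits the value into DKIM tags, rewrites the h= tag as the note above requires, and checks that p= is valid base64 before re-emitting the record. The sample file content is constructed and its p= value is a short placeholder, not a real public key.

```python
import base64
import re

# Constructed sample in the layout opendkim-genkey writes to <selector>.txt;
# the p= value is a placeholder, not a real key.
GENKEY_OUTPUT = '''modelSelector._domainkey\tIN\tTXT\t( "v=DKIM1; h=rsa-sha256; k=rsa; s=email; "
\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQAB" )  ; ----- DKIM key modelSelector for model.dcslab.eu
'''


def parse_genkey_txt(text):
    """Return (owner_name, tags) from an opendkim-genkey .txt file.

    BIND allows a long TXT RDATA to be written as several quoted strings inside
    ( ); the published value is their concatenation, which DKIM then reads as
    ";"-separated tag=value pairs (RFC 6376 section 3.6.1).
    """
    owner = text.split()[0]
    value = "".join(re.findall(r'"([^"]*)"', text))
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = val.strip()
    return owner, tags


def fixed_dkim_record(text):
    """Rebuild a correct DKIM key record value, fixing h= and validating p=."""
    owner, tags = parse_genkey_txt(text)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        raise ValueError("not a DKIM1 key record")
    # opendkim-genkey -h rsa-sha256 copies the signature algorithm name into
    # h=, but the DNS h= tag lists hash algorithms only ("sha256", "sha1").
    if "h" in tags:
        tags["h"] = ":".join(alg.split("-")[-1] for alg in tags["h"].split(":"))
    base64.b64decode(tags["p"], validate=True)   # raises on a corrupted p= value
    order = ["v", "h", "k", "s", "p"]
    parts = [f"{k}={tags[k]}" for k in order if k in tags]
    parts += [f"{k}={v}" for k, v in tags.items() if k not in order]
    return owner, "; ".join(parts)


if __name__ == "__main__":
    name, value = fixed_dkim_record(GENKEY_OUTPUT)
    print(f'{name} IN TXT "{value}"')
```

    Keeping the owner name separate from the value makes it easy to compare what the zone publishes with what the file generated; a DKIM verifier will ignore an h= tag it cannot parse, but a wrong value is still a sign the record was copied without review.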
                    

    After the key generation and the creation of a TXT record, we have to configure opendkim to work with postfix.

    • # cd /etc/opendkim/
    • # vi KeyTable
    #key_name domain:selector:/path/to/private_key_file
    model.dcslab.eu model.dcslab.eu:modelSelector:/etc/opendkim/private_keys/modelSelector.key
                    
    • # vi SigningTable
    #signer_of_the_message key_name
    *@model.dcslab.eu model.dcslab.eu
                    
    • # vi TrustedHosts
    #list-of-hosts (ips and hostnames)
    127.0.0.1
    model.dcslab.eu
    192.168.1.0/24
                    
    • # chown opendkim:opendkim /etc/opendkim/{KeyTable,SigningTable,TrustedHosts}
    • # mv /etc/opendkim.conf /etc/opendkim.conf.original
    • # vi /etc/opendkim.conf
    Syslog yes
    SyslogSuccess yes
    LogWhy yes
    UMask 002
    OversignHeaders From,Subject
    KeyTable refile:/etc/opendkim/KeyTable
    SigningTable refile:/etc/opendkim/SigningTable
    ExternalIgnoreList /etc/opendkim/TrustedHosts
    InternalHosts /etc/opendkim/TrustedHosts
    SignatureAlgorithm rsa-sha256
    AutoRestart Yes
    UserID opendkim:opendkim
                    
    • # mkdir -p /var/spool/postfix/var/run/opendkim
    • # chown opendkim:opendkim /var/spool/postfix/var/run/opendkim
    • # usermod -a -G opendkim postfix
    • # vi /etc/default/opendkim
    SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"
                    
    • # vi /etc/postfix/main.cf
    # OpenDKIM milter configuration
    milter_default_action = accept
    milter_protocol = 6
    smtpd_milters = unix:/var/run/opendkim/opendkim.sock
    non_smtpd_milters = $smtpd_milters
                    
    • # service opendkim restart
    • # service postfix restart
  7. DMARC Configuration.

    The configuration of DMARC is similar to that of DKIM, except that no key generation is needed.

    1. Installation of opendmarc
    2. Creation of DNS record
    3. Configuration of opendmarc and postfix
    • # apt-get install opendmarc

    In the case of DMARC, the TXT record is attached to the subdomain _dmarc.<our_domain>. The basic content of a DMARC policy record is the version, the policy to follow (accept, reject, …) and the mail address to report to.

    _dmarc   IN   TXT   "v=DMARC1; p=reject; rua=mailto:dmarc_reports@model.dcslab.eu"


    Finally, we have to configure postfix and opendmarc.

    • # vi /etc/opendmarc.conf
    AuthservID model.dcslab.eu
    Socket inet:8893@localhost
                    
    • # vi /etc/postfix/main.cf
    # DMARC /etc/postfix/main.cf configuration
    # 8893 is default for opendmarc
    smtpd_milters = unix:/var/run/opendkim/opendkim.sock, inet:127.0.0.1:8893
                    
    • # service opendmarc restart
    • # service postfix restart
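    What opendmarc does with the record above is combine the SPF and DKIM results for a message: the message passes DMARC if at least one of them passed and its domain is aligned with the From: domain, and otherwise the p= policy applies. The following is an added example, not code from this guide or from OpenDMARC; it parses the guide's record and applies the alignment rules. It assumes the organizational domain is the last two labels of a name (the real algorithm uses the Public Suffix List, which gives the same answer for names under .eu).

```python
def dmarc_record_name(from_domain):
    """Where a receiver looks for the policy: _dmarc.<RFC5322.From domain>."""
    return "_dmarc." + from_domain.rstrip(".").lower()


def parse_dmarc(record):
    """Split a _dmarc TXT value into tags, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment unless stated
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(name):
    """Organizational domain. Assumption: the last two labels; the real
    algorithm consults the Public Suffix List."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    accepts any name sharing the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.rstrip(".").lower() == from_domain.rstrip(".").lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine the SPF and DKIM results for one message into a DMARC verdict.

    spf_domain is the MAIL FROM domain SPF was evaluated for; dkim_domain is
    the d= of a signature that verified (None if there was none).
    Returns (dmarc_result, action), where action is the policy to apply.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:               # one aligned, passing identifier is enough
        return "pass", "none"
    return "fail", tags["p"]


# The record published in this guide.
GUIDE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc_reports@model.dcslab.eu"

if __name__ == "__main__":
    print(dmarc_record_name("model.dcslab.eu"))
    # SPF passed for an unrelated bounce domain, no DKIM: fails, and p=reject applies.
    print(dmarc_disposition(GUIDE_RECORD, "model.dcslab.eu", "pass", "bulk.example.net", "fail", None))
    # DKIM signature by our own domain rescues the message.
    print(dmarc_disposition(GUIDE_RECORD, "model.dcslab.eu", "fail", "bulk.example.net", "pass", "model.dcslab.eu"))
```

    The second case in the usage block is the common one for forwarded mail: SPF breaks because the forwarder's IP is not in our record, and only the DKIM signature keeps the message deliverable under p=reject, which is why the DKIM step must be in place before publishing a reject policy.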
  8. DANE configuration.

    Postfix supports DANE as an option of its TLS configuration. These options were already set during the StartTLS configuration.

    smtp_tls_security_level = dane
    smtp_dns_support_level = dnssec
                    

    Postfix requires a DNSSEC-validating recursive nameserver to do DNSSEC validation. Therefore we either install and configure a local DNSSEC-validating recursive caching nameserver, or configure our system to use an external one. To set up the TLSA records, we can use an online TLSA generator to produce the corresponding values. To obtain the PEM-encoded certificate we can execute:

    • # cat /etc/letsencrypt/live/mx.model.dcslab.eu/cert.pem
    -----BEGIN CERTIFICATE-----
    MIIFMjCCBBqgAwIBAgISA/ZiA+nFT1Hd5emwMgI20KtdMA0GCSqGSIb3DQEBCwUA
    ...
    Wq6bzNp36KG7fb86FW5VfJsINeIUdad/6J/gBylPPzaoonQ7vcT0VB6TI4/ic1C1
    VuvF9e7YHH42YnWMoBesmOqoNWty+tzyFObvZPp7XLyQCDbS4ZY=
    -----END CERTIFICATE-----
                    

    Following the Postfix documentation we will choose the following parameters to generate the TLSA records:

    • Usage Field: 3 (Domain Issued Certificate)
    • Selector Field: 1 (Use subject public key)
    • Matching-Type Field: 1 (SHA-256)

    We will generate a record for the TCP service on port 25, therefore:

    _25._tcp.mx.model.dcslab.eu TLSA 3 1 1 1cf86240705080beee6827b063e52274e545859711d4f63aca3af259210ad6ab
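    The association data in a "3 1 1" record is the SHA-256 digest of the certificate's DER-encoded SubjectPublicKeyInfo (selector 1), not of the whole certificate, which is why the record survives a Let's Encrypt renewal as long as the key is reused. The following added example (not code from this guide or from Postfix) walks the X.509 structure to extract that field, derives the record line, and checks a presented certificate against published record data the way a DANE-aware sender does. Because no real certificate is on the page, the example builds a constructed toy certificate with correct ASN.1 layout but placeholder key and signature bytes; on the real cert.pem from the cat command above, the same tlsa_record() call applies.

```python
import base64
import hashlib
import textwrap

SEQ, INT, BITS, NULL, OID, UTC, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def der_tlv(tag, body):
    """Encode one DER tag-length-value (lengths up to 65535 are enough here)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_read(buf, pos):
    """Decode the TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    RFC 5280 TBSCertificate: [0] version (optional), serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ...  We step over the
    fields before it; nothing else in the certificate is interpreted.
    """
    _, pos, _ = der_read(cert_der, 0)            # Certificate ::= SEQUENCE
    _, pos, tbs_end = der_read(cert_der, pos)    # tbsCertificate ::= SEQUENCE
    tag, _, end = der_read(cert_der, pos)
    if tag == CTX0:                              # optional explicit version
        pos = end
    for _ in range(5):                           # serial, signature, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    tag, _, end = der_read(cert_der, pos)
    if tag != SEQ or end > tbs_end:
        raise ValueError("malformed certificate")
    return cert_der[pos:end]


def pem_to_der(pem):
    return base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))


def der_to_pem(der):
    lines = textwrap.wrap(base64.b64encode(der).decode(), 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def tlsa_3_1_1(pem):
    """Association data for usage 3 (DANE-EE), selector 1 (SPKI), type 1 (SHA-256)."""
    return hashlib.sha256(extract_spki(pem_to_der(pem))).hexdigest()


def tlsa_record(pem, host, port=25):
    """The zone-file line to publish for the MX host's SMTP port."""
    return f"_{port}._tcp.{host} TLSA 3 1 1 {tlsa_3_1_1(pem)}"


def tlsa_matches(pem, record_data):
    """What a DANE-aware sender checks: the presented SPKI hash equals the record."""
    return tlsa_3_1_1(pem) == record_data.strip().lower()


# Constructed toy certificate: correct X.509 layout, placeholder key and
# signature bytes. It stands in for /etc/letsencrypt/live/<host>/cert.pem.
def toy_cert(spki_der):
    sha256_rsa = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")) + der_tlv(NULL, b""))
    empty_name = der_tlv(SEQ, b"")
    validity = der_tlv(SEQ, der_tlv(UTC, b"170101000000Z") + der_tlv(UTC, b"180101000000Z"))
    tbs = der_tlv(SEQ, der_tlv(CTX0, der_tlv(INT, b"\x02")) + der_tlv(INT, b"\x01")
                  + sha256_rsa + empty_name + validity + empty_name + spki_der)
    return der_tlv(SEQ, tbs + sha256_rsa + der_tlv(BITS, b"\x00" * 33))


# rsaEncryption algorithm identifier plus placeholder key bits.
SAMPLE_SPKI = der_tlv(SEQ, der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + der_tlv(NULL, b""))
                      + der_tlv(BITS, b"\x00" + bytes(range(64))))
SAMPLE_PEM = der_to_pem(toy_cert(SAMPLE_SPKI))

if __name__ == "__main__":
    print(tlsa_record(SAMPLE_PEM, "mx.model.dcslab.eu"))
```

    On a real server the same digest can be cross-checked with the OpenSSL tools that ship with Ubuntu: `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`; the two values must agree before the record goes into the zone, and the record must be updated whenever a renewal changes the key.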