An official website of the European Union
My Email Communications Security Assessment (MECSA)

How to Install Postfix to obtain Maximum scores in MECSA?

The following is a brief description of how to install a Postfix email server that scores the maximum in all three domains of the report: Confidential Delivery, Phishing-Identity Theft and Integrity of Messages. This guide has been tested on a virtual machine running Ubuntu 16.04 LTS.

1. The first step is to install Ubuntu Server 16.04 LTS.

  • # sudo su -
  • # apt-get update
  • # apt-get upgrade

2. DNS and DNSSEC configuration.

The most straightforward way to have DNSSEC is to use a service provider with DNSSEC support. An alternative that we will explore in future guides is to install our own DNS service with DNSSEC support. Before starting, our domain name must have an MX record, and the MX hostname must have an IP address assigned through an A record. In our DNS service (either local or provided by a third party) we will create at least one MX record for the domain (e.g. with priority 5). The first value corresponds to the priority, and the second to the hostname of the MTA. For each MX record created, we will create an A record (IN A) to resolve the MX hostname into an IP address.

3. Install Postfix and initial configuration.

  • # apt-get install postfix
  • # dpkg-reconfigure postfix
  General type of mail configuration: Internet Site
  System mail name:
  Root and postmaster mail recipient: model (root user)
  Other destinations to accept mail for (mydestination):
  Force synchronous updates on mail queue: yes
  Local networks (mynetworks):
  Mailbox size limit (bytes): 0 (means no limit)
  Local address extension character: (no address extensions)
  Internet protocols to use: IPv4
  • # postconf -e 'home_mailbox = Maildir/'
  • # postconf -e 'mailbox_command ='
  • # service postfix restart

We create aliases to receive DMARC reports.

  • # vi /etc/aliases

postmaster: model
dmarc_reports: model

  • # postalias /etc/aliases
  • # service postfix restart

4. StartTLS configuration.

To set up StartTLS correctly in our Postfix installation, we need a certificate signed by a recognized Certification Authority (CA), and we need to configure a set of variables in the Postfix server. We will start by requesting a certificate signed by a valid authority. In this example we will use Let's Encrypt as the CA to issue a valid, free certificate, following its installation guide for a generic Debian platform.

The application that requests the certificate requires access to TCP port 80. If any application is running on this port, we have to stop it before continuing, and we can resume it once we have the certificate. When requesting the certificate it is important to specify correctly the domain name we want the certificate to authenticate; in this case we specified the hostname of our email server.

  • # apt-get install ca-certificates
  • # postconf -e 'smtp_tls_security_level = dane'
  • # postconf -e 'smtp_dns_support_level = dnssec'
  • # postconf -e 'smtpd_tls_security_level = may'
  • # postconf -e 'smtp_tls_note_starttls_offer = yes'
  • # postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/'
  • # postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/'
  • # postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
  • # postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
  • # postconf -e 'smtpd_tls_ask_ccert = yes'
  • # postconf -e 'smtpd_tls_loglevel = 1'
  • # postconf -e 'smtpd_tls_received_header = yes'
  • # postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
  • # postconf -e 'tls_random_source = dev:/dev/urandom'
  • # postconf -e 'myhostname ='

5. SPF (Sender Policy Framework) Configuration.

To configure SPF, we have to publish a DNS record so that other Mail Transfer Agents (MTAs) can check it when receiving e-mails from our domain. For our own server to check SPF on incoming e-mails, we additionally have to install a policy application with apt-get and configure it properly.

We will start by setting up a simple DNS record policy stating the hosts authorized to send emails on behalf of our domain:

IN TXT "v=spf1 mx -all"

Then we will install and configure the postfix-policyd-spf-python package:

  • # apt-get install postfix-policyd-spf-python
  • # vi /etc/postfix/

# SPF /etc/postfix/ configuration
# (the second line is a continuation of the service entry and must start with whitespace)
policy-spf unix - n n - - spawn
  user=nobody argv=/usr/bin/policyd-spf

  • # vi /etc/postfix/

# SPF /etc/postfix/ configuration
policy-spf_time_limit = 3600s
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination, check_policy_service unix:private/policy-spf

6. DKIM (DomainKeys Identified Mail) Configuration.

Activating DKIM requires the following steps:

  • Installation of opendkim
  • Creation of keys
  • Creation of DNS record
  • Configuration of opendkim and postfix

  • # apt-get install opendkim opendkim-tools
  • # mkdir -pv /etc/opendkim/private_keys/
  • # chown -R opendkim:opendkim /etc/opendkim
  • # chmod 700 /etc/opendkim/*
  • # cd /etc/opendkim/private_keys/
  • # opendkim-genkey -b 2048 -r -h rsa-sha256 -d -s modelSelector
  • # mv -v modelSelector.private modelSelector.key
  • # chown opendkim:opendkim *
  • # chmod 600 *

Once we have generated the keys, we can use the output to create the corresponding TXT record in the DNS of our domain. The name it is published under is <selector>._domainkey.<our_domain>.

  • # cat modelSelector.txt
  • Note: even though the content of the file says h=rsa-sha256; the correct value in the DNS record is h=sha256

modelSelector._domainkey IN TXT ("v=DKIM1; h=sha256; k=rsa; s=email; p=MIGf...QAB")

After the key generation and the creation of a TXT record, we have to configure opendkim to work with postfix.

  • # cd /etc/opendkim/
  • # vi KeyTable

#key_name domain:selector:/path/to/private_key_file

  • # vi SigningTable

#signer_of_the_message key_name

  • # vi TrustedHosts

#list-of-hosts (ips and hostnames)

  • # chown opendkim:opendkim /etc/opendkim/{KeyTable,SigningTable,TrustedHosts}
  • # mv /etc/opendkim.conf /etc/opendkim.conf.original
  • # vi /etc/opendkim.conf

Syslog yes
SyslogSuccess yes
LogWhy yes
UMask 002
OversignHeaders From,Subject
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
SignatureAlgorithm rsa-sha256
AutoRestart Yes
UserID opendkim:opendkim

  • # mkdir -p /var/spool/postfix/var/run/opendkim
  • # chown opendkim:opendkim /var/spool/postfix/var/run/opendkim
  • # usermod -a -G opendkim postfix
  • # vi /etc/default/opendkim

  • # vi /etc/postfix/

# OpenDKIM milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

  • # service opendkim restart
  • # service postfix restart

7. DMARC Configuration.

The configuration of DMARC is similar to that of DKIM, except that no key generation is needed.

  • Installation of opendmarc
  • Creation of DNS record
  • Configuration of opendmarc and postfix

  • # apt-get install opendmarc

In the case of DMARC, the TXT record is attached to the subdomain _dmarc.<our_domain>. The basic content of a DMARC policy record is the version, the policy to follow (accept, reject, …) and the mail address to report to.

_dmarc IN TXT "v=DMARC1; p=reject;"
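As an added example that is not part of the original guide, the following Python checks a DKIM key record and a DMARC policy record for the tag mistakes discussed above (an h= tag carrying rsa-sha256 instead of sha256, a DMARC record with no report address). It uses only the standard library; the records it is run on are constructed samples.

```python
def parse_tags(record):
    """Split a tag=value TXT record (DKIM/DMARC syntax) into a dict, keeping order."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")   # first '=' only: p= is base64 and may contain '='
            tags[name.strip()] = value.strip()
    return tags

def check_dkim(record):
    """Return the problems found in a DKIM key record (RFC 6376 section 3.6.1)."""
    t, problems = parse_tags(record), []
    if t.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if t.get("k", "rsa") != "rsa":
        problems.append("unexpected key type k=%s" % t["k"])
    for h in t.get("h", "sha256").split(":"):
        if h not in ("sha1", "sha256"):          # h= lists hash names, not signature algorithms
            problems.append("h=%s is not a hash name; use h=sha256, not h=rsa-sha256" % h)
    if not t.get("p"):
        problems.append("p= (public key) missing or empty, which means the key is revoked")
    return problems

def check_dmarc(record):
    """Return the problems found in a DMARC policy record (RFC 7489 section 6.3)."""
    t, problems = parse_tags(record), []
    if not record.strip().startswith("v=DMARC1"):
        problems.append("record must start with v=DMARC1")
    if t.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in t:
        problems.append("no rua= address: aggregate reports will never arrive")
    for uri in t.get("rua", "").split(","):
        if uri and not uri.strip().startswith("mailto:"):
            problems.append("rua URI %s is not a mailto: URI" % uri.strip())
    return problems
```

Run the checks against the records before publishing them; a DMARC record without rua= silently discards the reports that the dmarc_reports alias above was created to receive.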

Finally, we have to configure postfix and opendmarc.

  • # vi /etc/opendmarc.conf

Socket inet:8893@localhost

  • # vi /etc/postfix/

# DMARC /etc/postfix/ configuration
# 8893 is default for opendmarc
smtpd_milters = unix:/var/run/opendkim/opendkim.sock, inet:

  • # service opendmarc restart
  • # service postfix restart

8. DANE configuration.

Postfix supports DANE as an option of the TLS configuration. These options were already set during the StartTLS configuration:

smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

Postfix requires a DNSSEC-validating recursive nameserver to perform DNSSEC validation. Therefore we either install and configure a local DNSSEC-validating recursive caching nameserver, or configure our system to use an external one. To set up the TLSA records, we can use an online tool to generate the corresponding values. To obtain the PEM value of the certificate we can execute:

  • # cat /etc/letsencrypt/live/

Following the Postfix documentation we will choose the following parameters to generate the TLSA records:

  • Usage Field: 3 (Domain Issued Certificate)
  • Selector Field: 1 (Use subject public key)
  • Matching-Type Field: 1 (SHA-256)

We will generate a record for the TCP service on port 25 (published under the _25._tcp. label of the MX hostname), therefore: TLSA 3 1 1 1cf86240705080beee6827b063e52274e545859711d4f63aca3af259210ad6ab
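As an added example that is not part of the original guide, the following Python computes the "3 1 1" TLSA value locally from a certificate PEM, so the server certificate never has to be pasted into an online tool. It parses just enough DER to locate the SubjectPublicKeyInfo (RFC 5280 field order) and hashes it with SHA-256; the certificate it is tested on is a constructed X.509 skeleton, not a real Let's Encrypt certificate.

```python
import base64
import hashlib

def der(tag, content):
    """Minimal DER TLV encoder, used here only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a SEQUENCE body into its elements, each kept as a full TLV encoding."""
    out, pos = [], 0
    while pos < len(value):
        _, _, end = read_tlv(value, pos)
        out.append(value[pos:end])
        pos = end
    return out

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    _, cert_body, _ = read_tlv(cert_der, 0)               # Certificate SEQUENCE
    _, tbs, _ = read_tlv(children(cert_body)[0], 0)       # tbsCertificate SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:                              # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5]

def tlsa_3_1_1(cert_pem):
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256), per RFC 6698."""
    b64 = "".join(line for line in cert_pem.splitlines() if not line.startswith("-----"))
    return "3 1 1 " + hashlib.sha256(spki_from_cert(base64.b64decode(b64))).hexdigest()

# Constructed sample: a structurally valid X.509 skeleton, NOT a real certificate.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + b"\x42" * 64))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT_DER = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT_DER).decode()
                   + "\n-----END CERTIFICATE-----\n")
EXPECTED_SPKI_SHA256 = hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

Because usage 3 with selector 1 pins the public key rather than the certificate, the key pair must be kept across renewals (or the new key's record published alongside the old one before switching), otherwise DANE-validating senders will defer delivery.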