postfix
Howto: Setup postfix bulk email server with sasl authentication
As per the project requirement, I need to provide a bulk email server and give it valid records to avoid being flagged as spam: DNS records such as reverse lookup, DKIM and SPF, plus authentication.
I used the following applications to set up the server:
1, Postfix – MTA
2, Opendkim – Key identifier
3, Dovecot – SASL authentication
4, Reverse lookup – set up by the data center where the server is located
Install the necessary package from the repository
yum install dovecot opendkim postfix openssl -y
1, Postfix Configuration
Verify that the following settings are enabled in the configuration file /etc/postfix/main.cf
smtpd_banner = Welcom to $myhostname.$mydomain ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
myhostname = smtp01-planetcure.in
mydomain = planetcure.in
myorigin = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost.localdomain, , localhost
# 0.0.0.0/0 marks every IPv4 client as trusted: with the default permit_mynetworks
# relay rule such clients can relay without authenticating. Restrict this to the
# networks that must relay without SASL.
mynetworks = 0.0.0.0/0, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
2, Configure opendkim
Verify that the following settings are enabled in the configuration file /etc/opendkim.conf
TemporaryDirectory /var/tmp
PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog yes
SyslogSuccess yes
LogWhy yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Umask 002
Canonicalization relaxed/relaxed
Domain cloud.planetcure.in
Selector cloud
MinimumKeyBits 1024
KeyFile /etc/opendkim/keys/planetcure.in/cloud.private
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
SignatureAlgorithm rsa-sha256
Now append the DKIM configuration to the existing Postfix settings in /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
Generating DKIM keys
1, Create a user for running the daemon
useradd -r -g opendkim -G mail -s /sbin/nologin -d /var/run/opendkim -c "OpenDKIM" opendkim
2, Create the key store directory and set privileges
mkdir -p /etc/opendkim/keys/planetcure.in/
chown -Rv opendkim:opendkim /etc/opendkim
# u=rwX (capital X) keeps the search bit on directories so the opendkim user can still enter them
chmod u=rwX,go-rwx /etc/opendkim/*
chmod -R u=rwX,go-rwx /etc/opendkim/keys/*
3, Generate DKIM Keys
opendkim-genkey -D /etc/opendkim/keys/planetcure.in/ -d planetcure.in -s cloud
I generated the keys inside the specified directory; cloud.txt contains the key, which needs to be added to the DNS.
-rw-------. 1 opendkim opendkim 887 Aug 30 09:19 cloud.private
-rw-------. 1 opendkim opendkim 315 Aug 30 09:19 cloud.txt
cat cloud.txt
cloud._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA5K5BLNxFZIN43LWjmq7X2h3RW2md6o+Wn6F8lnMvWx/SUZ6FWf9kwkid/JRbEI0PBjgFo6/f6N0+c3j/7WAEH6R81S+X9fo+58eX1RafyNIAofU0PQKQcUKRBWgfNYA5En7DUoVWZpy2ZhbHutTI96U3A4HjDVksm45VWyoTIwIDAQAB" ) ; ----- DKIM key cloud for planetcure.in
4, Update the SigningTable, TrustedHosts and KeyTable for the domain planetcure.in
Keys: /etc/opendkim/keys/planetcure.in/
KeyTables: /etc/opendkim/KeyTable
cloud._domainkey.planetcure.in planetcure.in:cloud:/etc/opendkim/keys/planetcure.in/cloud.private
SigningTable : /etc/opendkim/SigningTable
planetcure.in cloud._domainkey.planetcure.in
*@planetcure.in cloud._domainkey.planetcure.in
TrustedHosts: /etc/opendkim/TrustedHosts
127.0.0.1
planetcure.in
smtp01.planetcure.in
172.31.32.0/20
That's all for OpenDKIM. Now verify the keys with the command below:
opendkim-testkey -vvv -d planetcure.in -k /etc/opendkim/keys/planetcure.in/cloud.private -s cloud
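The cloud.txt record shown above carries the public key in its p= tag. The following added example (not part of the original post) parses that record and reports the RSA key size, which matters because RFC 8301 recommends signing keys of at least 2048 bits; the function names are this example's own.

```python
import base64
import re

# cloud.txt as shown on this page (output of opendkim-genkey).
CLOUD_TXT = '''cloud._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA5K5BLNxFZIN43LWjmq7X2h3RW2md6o+Wn6F8lnMvWx/SUZ6FWf9kwkid/JRbEI0PBjgFo6/f6N0+c3j/7WAEH6R81S+X9fo+58eX1RafyNIAofU0PQKQcUKRBWgfNYA5En7DUoVWZpy2ZhbHutTI96U3A4HjDVksm45VWyoTIwIDAQAB" ) ; ----- DKIM key cloud for planetcure.in'''

def parse_dkim_txt(zone_text):
    """Join the quoted chunks of the TXT record and split it into tag=value pairs."""
    record = "".join(re.findall(r'"([^"]*)"', zone_text))
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def _read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(p_value):
    """Return the modulus size in bits of the RSA key in a DKIM p= tag."""
    der = base64.b64decode(p_value, validate=True)
    _, spki, _ = _read_tlv(der, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _read_tlv(spki, 0)              # skip the AlgorithmIdentifier
    _, bitstring, _ = _read_tlv(spki, pos)      # BIT STRING wrapping the key
    _, rsakey, _ = _read_tlv(bitstring[1:], 0)  # drop unused-bits byte, RSAPublicKey
    _, modulus, _ = _read_tlv(rsakey, 0)        # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(zone_text, recommended_bits=2048):
    """Summarise the record and say whether the key meets the recommended size."""
    tags = parse_dkim_txt(zone_text)
    bits = rsa_key_bits(tags["p"])
    return {"version": tags.get("v"), "key_type": tags.get("k"),
            "bits": bits, "meets_recommendation": bits >= recommended_bits}

if __name__ == "__main__":
    print(audit_dkim_record(CLOUD_TXT))
```

For the key on this page it reports 1024 bits; opendkim-genkey accepts -b 2048 to generate a larger key.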
3, Configure Dovecot
Add the following entries to the existing service auth block in the file /etc/dovecot/conf.d/10-master.conf
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Once all the steps are done, restart the services:
#service dovecot restart
#service opendkim restart
#service postfix restart
Add a new user for authentication:
#useradd -M SMTPAUTH
#passwd SMTPAUTH
Verify the installation
echo $(date) | mailx -v -s "test_subject_1" -S smtp=smtp://smtp01.planetcure.in:25 -S smtp-auth-user=SMTPAUTH -S smtp-auth-password="yzBuffrtkqezfkwO6amcuhh6" -S smtp-auth=login -S from="no-reply@planetcure.in(Intra Domain)" anandbabu.tn@gmail.com
tail -f /var/log/maillog
Jan 9 14:33:40 mta-smtp01 postfix/smtpd[4126]: F246861F2A: client=ip-172-31-9-166.us-west-1.compute.internal[172.31.9.166], sasl_method=LOGIN, sasl_username=SMTPAUTH
Jan 9 14:33:41 mta-smtp01 postfix/cleanup[4062]: F246861F2A: message-id=<54afe6c4.4kZNDOCtBpe5ROvd%no-reply@planetcure.in>
Jan 9 14:33:41 mta-smtp01 opendkim[32439]: F246861F2A: DKIM-Signature field added (s=cloud, d=planetcure.in)
Jan 9 14:33:41 mta-smtp01 postfix/qmgr[1119]: F246861F2A: from=<no-reply@planetcure.in>, size=631, nrcpt=1 (queue active)
Jan 9 14:33:41 mta-smtp01 postfix/smtp[4063]: F246861F2A: to=<anandbabu.tn@gmail.com>, relay=mx3.hotmail.com[65.55.33.119]:25, delay=0.6, delays=0.09/0/0.08/0.43, dsn=2.0.0, status=sent (250 <54afe6c4.4kZNDOCtBpe5ROvd%no-reply@planetcure.in> Queued mail for delivery)
Jan 9 14:33:41 mta-smtp01 postfix/qmgr[1119]: F246861F2A: removed
4, Reverse DNS
Don’t forget to request reverse DNS for the server IP, it should resolve like this.
444.333.222.11.in-addr.arpa domain name pointer smpt01.planetcure.in
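As an added example (not from the original post), this script checks the main.cf settings from steps 1 and 2 for the conditions that make a bulk relay abusable: a mynetworks that trusts non-local clients, missing SMTP AUTH, AUTH without TLS, and a fail-open DKIM milter. The LOCAL ranges and the function names are assumptions of this example.

```python
import ipaddress
# Constructed sample: the settings shown on this page, abbreviated.
SAMPLE = """\
mynetworks = 0.0.0.0/0, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_milters = inet:127.0.0.1:8891
milter_default_action = accept
"""
# Ranges treated as local (an assumption of this example; adjust to your site).
LOCAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
         "172.16.0.0/12", "192.168.0.0/16", "::1/128", "::ffff:127.0.0.0/104")]

def parse_main_cf(text):
    """Parse name = value lines; indented lines continue the previous parameter."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (s.strip() for s in line.split("=", 1))
            params[last] = value
    return params

def non_local_networks(mynetworks):
    """Return the mynetworks entries that are not inside any LOCAL range."""
    wide = []
    for item in mynetworks.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(item.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # lookup tables such as hash:/path are not evaluated here
        if not any(net.version == r.version and net.subnet_of(r) for r in LOCAL):
            wide.append(item)
    return wide

def audit(params):
    """Return findings for the relay and AUTH settings discussed on this page."""
    wide = non_local_networks(params.get("mynetworks", ""))
    checks = [
        (bool(wide), "mynetworks trusts non-local clients: " + ", ".join(wide)),
        (params.get("smtpd_sasl_auth_enable", "no") != "yes", "smtpd_sasl_auth_enable is not yes: no SMTP AUTH is offered"),
        (params.get("smtpd_tls_auth_only", "no") != "yes", "smtpd_tls_auth_only is not yes: AUTH is allowed without TLS"),
        (bool(params.get("smtpd_milters")) and params.get("milter_default_action") == "accept", "milter_default_action = accept: mail goes out unsigned if OpenDKIM is down"),
    ]
    return [msg for failed, msg in checks if failed]

if __name__ == "__main__":
    print("\n".join(audit(parse_main_cf(SAMPLE))))
```

The main.cf listing above does not show the smtpd_sasl_type = dovecot, smtpd_sasl_path = private/auth and smtpd_sasl_auth_enable = yes lines that connect Postfix to the Dovecot socket from step 3, so the audit reports SMTP AUTH as missing.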
Error: postfix: warning: SASL authentication failure: No worthy mechs found
After configuring the Postfix relay server, I found there was an issue with Gmail server authentication; it bounces the emails.
Error :
postfix/smtp[25857]: 59BF721177: SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.25.108]: no mechanism available
postfix/smtp[25861]: warning: SASL authentication failure: No worthy mechs found
There must be two solid reasons behind this:
1, The SASL package for the plain module is missing
yum install cyrus-sasl{,-plain}
2, Allow plaintext mechanisms (which is fine when using STARTTLS, because the connection is encrypted). The default value, noplaintext, noanonymous, rules out PLAIN and LOGIN:
smtp_sasl_security_options = noanonymous
Make sure you have enabled all the options below:
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login
HowTo: Authenticated email relay server with Postfix
Set up Postfix as an email relay server that authenticates with a public email server to send emails. If you want to use Gmail as a free SMTP server, this works on any Red Hat or Ubuntu server.
For Ubuntu
apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
Replace the certificate file in the configuration
cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem
If you have not installed Postfix before, the Postfix configuration wizard will ask you some questions. Select Internet Site as the server type, and for the FQDN use something like mail.example.com.
For CentOS
yum install postfix email mailx cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
[root@server ~]# vi /etc/postfix/main.cf
biff = no
append_dot_mydomain = no
readme_directory = no
myhostname = smtpout.innovautelabs.intra
mydomain = innovaturelabs.intra
myorigin = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost.localdomain, , localhost
mynetworks = 192.168.1.0/24, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login
Now create a password file containing a valid email address and password. Once postmap has built the lookup table from the password file, Postfix reads the data from that table, and you can delete the plaintext password file. The lookup table (.db file) still holds the password in recoverable form, so it needs the same restrictive permissions. Alternatively, if you’d feel better keeping the plaintext file around for whatever reason, you can run chmod 600 on it so that it is readable only by its owner, which should be root.
vi /etc/postfix/sasl-passwords
[smtp.gmail.com]:587 username@gmail.com:password
chmod 600 /etc/postfix/sasl-passwords
postmap /etc/postfix/sasl-passwords
Finally, reload postfix config for changes to take effect:
service postfix restart