Prepare server

• sudo hostnamectl set-hostname example.com
• sudo apt install mailutils postfix
• • Choose “internet site”, and type your domain (example.com)

Test postfix

• mail your-test@yopmail.com -s "Subject"
• You should receive a mail from debian@example.com

TLS

Generating certificates

• sudo apt install certbot
• sudo certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d example.com
• • You might need to kill your running webserver (port 80) to complete the challenge in standalone mode

Giving rights to postfix

• sudo chown -R root:postfix /etc/letsencrypt/live/example.com

Postfix config

/etc/postfix/main.cf

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
smtp_use_tls=yes

SPF and DMARC

• SPF: v=spf1 ip4:<your_ipv4> ~all
• DMARC: v=DMARC1;p=none;pct=100;rua=yourmail@example.com;sp=none;aspf=r;

DKIM

• https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
• All the check-auth tests should pass (SPF, DKIM, DMARC)

SMTPD

Enable submission

• Uncomment submission’s lines in /etc/postfix/master.cf
• change smtpd_sasl_type=dovecot by smtpd_sasl_type=cyrus
• add -o smtpd_sasl_security_options=noanonymous

Install Cyrus SASL

• sudo apt install sasl2-bin
• sudo usermod -aG sasl postfix

Configure SASL

• /etc/default/saslauthd

• • START=yes
• • MECHANISMS="sasldb"
• • OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

• sudo systemctl restart saslauthd

• systemctl status saslauthd

• • Make sure it is running with the /var/spool arguments

Add a user

• sudo saslpasswd2 -c -u example.com user

• • The user does not have to be the user you will send mail with, it is just credentials

• sudo testsaslauthd -u user -p password -f /var/spool/postfix/var/run/saslauthd/mux

• • Add a space before the command to not keep this in your history
• • Note the custom socket path, it is required

Link postfix with Cyrus

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

sudo postfix reload

Final test

• Use https://www.mail-tester.com/ to make sure everything is working properly
• Example code (TS) below, can be ran with npx ts-node test.ts
• Use real data to test your setup or SpamAssassin will not be happy

import nodemailer from 'nodemailer';

const smtpEndpoint = 'example.com';
const port = 587;
const senderAddress = 'My name <my-address@example.com>';
const smtpUsername = 'user';
const smtpPassword = 'pass';

const transport = nodemailer.createTransport({
	host: smtpEndpoint,
	port: port,
	secure: false,
	auth: { user: smtpUsername, pass: smtpPassword }
});

transport.sendMail({
	from: senderAddress,
	to: 'your-mail-tester-addr',
	subject: 'A real subject',
	text: 'A real body'
});

Additional steps for Outlook/Live

Configure virtual aliases

/etc/postfix/main.cf

virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual

@example.com debian

sudo postmap /etc/postfix/virtual

Sign up to sendersupport

• https://sendersupport.olc.protection.outlook.com/snds/index.aspx
• Claim your IP with abuse@example.com
• Open your mail on the server with mail and confirm IP’s ownership

Useful to debug

• tail -f /var/log/mail.info
• -v in submission parameters (/etc/postfix/master.cf)

Additional resources

• http://www.postfix.org/SASL_README.html#server_cyrus
• https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-18-04