Set Up Postfix Send-Only SMTP Server on CentOS 8
Use Case
You have a website or web application that needs to send transactional emails to users (for example, password reset emails). Most likely there is no need for users to reply to these emails, or if they do reply, the replies are delivered to your dedicated mail server. In this case, you can set up a send-only SMTP server on the web server using Postfix, a popular SMTP server software.
Requirements
To send emails from your server, port 25 (outbound) must be open. Many ISPs and hosting companies, such as DigitalOcean, block port 25 to control spam. I recommend ScalaHosting, because it doesn't block port 25 (outbound). Once you have a ScalaHosting server, install CentOS 8 on it and follow the instructions below.
Setting up a Postfix send-only SMTP server for multiple domains isn't difficult. First we configure it for one domain, then extend it to multiple domains.
Step 1: Set Hostname and PTR Record
By default, Postfix uses your server's hostname to identify itself when communicating with other SMTP servers. Some SMTP servers will reject your email if your hostname isn't valid. You should set a fully qualified domain name (FQDN) like below.
sudo hostnamectl set-hostname mta1.yourdomain.com
To check the hostname of your server, run the command
hostname -f
You need to log out and log back in to see the hostname change at the command prompt. This hostname should have a DNS A record pointing to the IP address of your server.
You also need to create a PTR record (also known as a pointer record), which maps an IP address to an FQDN. It's the counterpart of the A record. Many SMTP servers will reject your email if your server's IP address doesn't have a PTR record.
Since you get the IP address from your hosting provider or ISP, not from your domain registrar, you must create the PTR record for your IP in the control panel of your hosting provider, or ask your ISP. For example, with ScalaHosting you can create a PTR record by opening a support ticket or using the live chat on their website. Although you can point the PTR record to any hostname, best practice is to use the FQDN you just set.
To check whether your PTR record is set correctly, run the following command. Replace 12.34.56.78 with your own IP address.
host 12.34.56.78
Note that if your server uses an IPv6 address, it's also a good idea to add an AAAA record for your FQDN and set a PTR record for your IPv6 address.
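Receiving servers check that the PTR record and the A/AAAA record agree (forward-confirmed reverse DNS), so here is an added helper script, not part of the original tutorial, that parses the output of the host commands above both ways and reports a verdict. It assumes the host utility from bind-utils; the IP address and hostname are placeholders.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify forward-confirmed reverse DNS
# for a mail server, i.e. PTR(ip) == fqdn and A/AAAA(fqdn) == ip.
# Assumes `host` from bind-utils is installed.

# Extract the hostname from `host <ip>` output, e.g.
# "78.56.34.12.in-addr.arpa domain name pointer mta1.yourdomain.com."
ptr_name() {
    printf '%s\n' "$1" | sed -n 's/.* domain name pointer \(.*\)\.$/\1/p' | head -n 1
}

# Extract the address from `host <fqdn>` output, e.g.
# "mta1.yourdomain.com has address 12.34.56.78" (or "has IPv6 address ...")
a_addr() {
    printf '%s\n' "$1" | sed -n 's/.* has \(IPv6 \)\{0,1\}address \(.*\)$/\2/p' | head -n 1
}

# Compare parsed lookups against what we expect.
# Prints ok | ptr-missing | ptr-mismatch | a-mismatch; returns 0 only on ok.
fcrdns_verdict() {
    ip=$1; fqdn=$2; ptr_out=$3; a_out=$4
    ptr=$(ptr_name "$ptr_out")
    if [ -z "$ptr" ]; then
        echo "ptr-missing"; return 1
    fi
    if [ "$ptr" != "$fqdn" ]; then
        echo "ptr-mismatch"; return 1
    fi
    if [ "$(a_addr "$a_out")" != "$ip" ]; then
        echo "a-mismatch"; return 1
    fi
    echo "ok"
}

# Live check: resolve both directions with `host` and evaluate.
check_fcrdns() {
    fcrdns_verdict "$1" "$2" "$(host "$1" 2>&1)" "$(host "$2" 2>&1)"
}

# Usage: sh fcrdns.sh 12.34.56.78 mta1.yourdomain.com
if [ $# -eq 2 ]; then
    check_fcrdns "$1" "$2"
fi
```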
Step 2: Install Postfix on CentOS 8
Run the following commands to install Postfix from the default CentOS 8 repository.
sudo dnf update
sudo dnf install postfix -y
Once it’s installed, start Postfix SMTP server.
sudo systemctl start postfix
And enable auto-start at boot time.
sudo systemctl enable postfix
Step 3: Configure Postfix
Setting the Postfix hostname
By default, the Postfix SMTP server uses the OS hostname to identify itself when communicating with other SMTP servers. However, the OS hostname may change, so it's good practice to set the hostname directly in the Postfix configuration file with the following command.
sudo postconf -e "myhostname = mta1.yourdomain.com"
Setting $mydomain Parameter
The $mydomain parameter specifies the local internet domain name. The default is $myhostname minus the first component. You can display the current value of $mydomain with:
postconf mydomain
It should be your apex domain name, like
itinfs.com
If it’s not displaying your apex domain name, then set the $mydomain parameter with:
sudo postconf -e "mydomain = yourdomain.com"
Setting $myorigin Parameter
The $myorigin parameter specifies the default domain name that is appended to sender and recipient addresses that have no @domain part. The default is the value of $myhostname, as can be seen with:
postconf myorigin
Output:
myorigin = $myhostname
You can change its value to yourdomain.com.
sudo postconf -e "myorigin = yourdomain.com"
Restarting Postfix
Finally, we need to restart Postfix for the changes to take effect.
sudo systemctl restart postfix
Step 4: Install and Configure OpenDKIM on CentOS 8
DKIM stands for DomainKeys Identified Mail. You can install OpenDKIM on your server and use it to add signatures to emails sent from your domain, using your private key. Receiving SMTP servers verify the signature with the corresponding public key, which you publish in DNS. Adding a DKIM signature is a must if you want your emails to land in the recipient's inbox.
Install OpenDKIM from the EPEL (Extra Packages for Enterprise Linux) repository.
sudo dnf install epel-release
sudo dnf install opendkim perl-Getopt-Long
Edit OpenDKIM main configuration file.
sudo nano /etc/opendkim.conf
Find the following line.
Mode v
By default, OpenDKIM runs in verification mode (v), which verifies the DKIM signature of incoming email messages. We need to sign outgoing messages, so change this line to the following to enable signing mode.
Mode sv
Find the following line and comment it out, because we will use separate keys for each domain name.
KeyFile /etc/opendkim/keys/default.private
Next, find the following 4 lines and uncomment them.
# KeyTable /etc/opendkim/KeyTable
# SigningTable refile:/etc/opendkim/SigningTable
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
# InternalHosts refile:/etc/opendkim/TrustedHosts
Save and close the file.
Create Signing Table, Key Table and Trusted Hosts File
Edit the signing table file.
sudo nano /etc/opendkim/SigningTable
Add the following line at the end of this file. This tells OpenDKIM that if a sender on your server uses a @your-domain.com address, the message should be signed with the private key identified by mta1._domainkey.your-domain.com.
*@your-domain.com mta1._domainkey.your-domain.com
mta1 is the DKIM selector. A domain name can have multiple DKIM keys; the selector lets you pick a particular one. You can use any name for the selector. I find it convenient to use the leftmost part of the hostname as the selector. Save and close the file. Then edit the key table file.
sudo nano /etc/opendkim/KeyTable
Add the following line, which specifies the location of the DKIM private key.
mta1._domainkey.your-domain.com your-domain.com:mta1:/etc/opendkim/keys/your-domain.com/mta1.private
Save and close the file. Next, edit the trusted hosts file.
sudo nano /etc/opendkim/TrustedHosts
127.0.0.1 and ::1 are included in this file by default. Now add the following line. This tells OpenDKIM that if an email is coming from your own domain name, it should not perform DKIM verification on that email.
*.your-domain.com
Save and close the file.
Generate Private/Public Keypair
Since DKIM is used to sign outgoing messages and verify incoming messages, you need to generate a private key to sign outgoing messages and a public key for receiving SMTP servers to verify the DKIM signature of your email. The public key is published in DNS.
Make a separate folder for the domain.
sudo mkdir /etc/opendkim/keys/your-domain.com
Generate keys using opendkim-genkey tool.
sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s mta1 -v
The above command creates a 2048-bit key pair. -d (domain) specifies the domain. -D (directory) specifies the directory where the keys will be stored. I use mta1 as the DKIM selector. Once the command has run, the private key is written to the mta1.private file and the public key to the mta1.txt file.
By default, only root can read and write the key files. Make opendkim the owner of the private key.
sudo chown opendkim:opendkim /etc/opendkim/keys/ -R
Distribute Your Public Key in DNS Records
Display the public key
sudo cat /etc/opendkim/keys/your-domain.com/mta1.txt
The string after the p parameter is the public key.
If you see "Key not secure", don't panic. This is because DNSSEC isn't enabled on your domain name. DNSSEC is a security standard for secure DNS queries. Most domain names haven't enabled DNSSEC. You can continue to follow this guide.
Now we can start the opendkim service.
sudo systemctl start opendkim
And enable auto-start at boot time.
sudo systemctl enable opendkim
OpenDKIM listens on 127.0.0.1:8891.
Step 5: Connect Postfix to OpenDKIM
Edit Postfix main configuration file.
sudo nano /etc/postfix/main.cf
Add the following lines at the end of this file, so Postfix can call OpenDKIM via the milter protocol. Note that you should use 127.0.0.1 as the address. Don't use localhost.
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
Save and close the file. Then add postfix user to opendkim group.
sudo gpasswd -a postfix opendkim
Restart postfix service.
sudo systemctl restart postfix
Step 6: Create SPF DNS Record
An SPF (Sender Policy Framework) record specifies which hosts or IP addresses are allowed to send emails for a domain. In your DNS manager, create a new TXT record like below. Use the IPv4 and IPv6 addresses of your own server.
TXT @ v=spf1 mx ip4:12.34.56.78 ip6:2600:3c01::f03c:93d8:f2c6:78ad ~all
Step 7: Set the From Address, From Name and Return-Path
You can set a custom From address, From name and Return-Path in your website/web application. Let's use WordPress as an example. Add the following lines to your WordPress theme's functions.php file to override the default From address, From name and Return-Path. Replace the email address and sender name as needed.
// Function to change From email address
function wpb_sender_email( $original_email_address ) {
return 'notifications@linuxbabe.com';
}
// Function to change sender name
function wpb_sender_name( $original_email_from ) {
return 'LinuxBabe';
}
// Set return-path the same as From address
function fix_my_email_return_path( $phpmailer ) {
$phpmailer->Sender = $phpmailer->From;
}
// Hooking up our functions to WordPress filters
add_filter( 'wp_mail_from', 'wpb_sender_email' );
add_filter( 'wp_mail_from_name', 'wpb_sender_name' );
add_action( 'phpmailer_init', 'fix_my_email_return_path' );
Save the file and you are done.
Step 8: Enable TLS Encryption for Outgoing Emails
By default, Postfix doesn't use TLS encryption when sending outgoing emails. To enable TLS encryption, open the /etc/postfix/main.cf file and add the following two lines at the end.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
The first line enables TLS encryption for the Postfix SMTP client. The second line logs the TLS connection in the /var/log/maillog file, so you can check whether TLS encryption is working. Save and close the file. Restart Postfix for the changes to take effect.
sudo systemctl restart postfix
Since Postfix doesn't receive incoming emails, there's no need to configure a valid TLS certificate for the Postfix SMTP daemon. Now go to https://www.mail-tester.com. You will see a unique email address. Send an email from your website on the Postfix SMTP server to this address and then check your score. As you can see, I got a perfect score. In the test result, check whether your PTR record, SPF record and DKIM record are valid.
You can also open the /var/log/maillog file to check whether TLS encryption is used. For example, the following line shows that the connection with mail-tester.com is encrypted.
Anonymous TLS connection established to mail-tester.com[94.23.206.89]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
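Because smtp_tls_security_level = may falls back to plaintext silently when the remote server offers no STARTTLS, the only evidence in the log is a delivery without a matching TLS line. The following added script (not part of the tutorial) pairs delivery lines with the TLS lines from smtp_tls_loglevel = 1 and reports which deliveries were encrypted; the sample log lines it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): correlate Postfix delivery lines in
# /var/log/maillog with the "TLS connection established" lines written at
# smtp_tls_loglevel = 1. "Anonymous TLS" in such a line means the session was
# encrypted with an anonymous cipher, i.e. the peer certificate was not
# verified; a delivery with no TLS line at all went out in plaintext.
#
# A TLS line carries no queue ID, so a delivery is matched to it by the smtp
# process ID and the relay they share (a heuristic: with connection reuse one
# TLS line can cover several deliveries to the same relay).

tls_report() {
    awk '
    # Remember that this smtp process (pid) negotiated TLS with this relay.
    /postfix\/smtp\[[0-9]+\]: .*TLS connection established to / {
        match($0, /smtp\[[0-9]+\]/);       pid = substr($0, RSTART + 5, RLENGTH - 6)
        match($0, /established to [^ ]+/); relay = substr($0, RSTART + 15, RLENGTH - 15)
        sub(/:$/, "", relay)
        tls[pid ":" relay] = 1
        next
    }
    # For each successful delivery, report whether a TLS session preceded it.
    /postfix\/smtp\[[0-9]+\]: [A-Za-z0-9]+: to=<.*status=sent/ {
        match($0, /smtp\[[0-9]+\]/);       pid = substr($0, RSTART + 5, RLENGTH - 6)
        match($0, /: [A-Za-z0-9]+: to=/);  qid = substr($0, RSTART + 2, RLENGTH - 7)
        match($0, /relay=[^,]+/);          relay = substr($0, RSTART + 6, RLENGTH - 6)
        key = pid ":" relay
        print qid, relay, ((key in tls) ? "encrypted" : "plaintext")
    }'
}

# Constructed sample log for a stand-alone run (hosts, IPs and queue IDs are
# placeholders; the first line mirrors the one quoted in the tutorial).
SAMPLE_LOG='Mar  1 10:00:01 mta1 postfix/smtp[2345]: Anonymous TLS connection established to mail-tester.com[94.23.206.89]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Mar  1 10:00:02 mta1 postfix/smtp[2345]: 4F2B1C0A12: to=<test@mail-tester.com>, relay=mail-tester.com[94.23.206.89]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Mar  1 10:05:00 mta1 postfix/smtp[2346]: 7A9E0D1B33: to=<bob@legacy.example>, relay=mx.legacy.example[192.0.2.10]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 Ok)'

# Report on the sample; for the real log run:  tls_report < /var/log/maillog
report_sample() {
    printf '%s\n' "$SAMPLE_LOG" | tls_report
}
```

Each output line is queue ID, relay and either encrypted or plaintext, so plaintext deliveries to a relay you expect to support STARTTLS stand out immediately.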
Configure Postfix Send-only SMTP Server For Multiple Domains
By default, Postfix allows you to use any domain name in the From header and Return-Path address to send outgoing emails. If your server hosts multiple websites, you just need to create an SPF DNS record for your other domains, which is very easy to do, and configure OpenDKIM for your other domains.
To configure OpenDKIM for multiple domains, add the other domains to the signing table, key table and trusted hosts file like below.
Signing table:
*@example.com mta1._domainkey.example.com
*@example.net mta1._domainkey.example.net
Key table:
mta1._domainkey.example.com example.com:mta1:/etc/opendkim/keys/example.com/mta1.private
mta1._domainkey.example.net example.net:mta1:/etc/opendkim/keys/example.net/mta1.private
Trusted hosts:
127.0.0.1
localhost
*.example.com
*.example.net
Then generate the DKIM private/public key pair for the other domains by following the same steps as above, and add each DKIM public key to DNS. Restart OpenDKIM and you are done. Don't forget to test your sender score.
- Use port 25 without SMTP authentication: this method requires that the other server does not block port 25 (outbound).
- Use port 587 with SMTP authentication: if the other server blocks port 25 (outbound), you can use port 587.
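The per-domain edits from Step 4 (signing table, key table, trusted hosts, key generation and ownership) and the multi-domain additions in this section are the same three lines plus one key pair per domain, so here is an added helper, not part of the tutorial or of OpenDKIM, that does them in one call. The selector and configuration directory are parameters so the function can be tried against a scratch directory before touching /etc/opendkim.

```shell
#!/bin/sh
# Added example (not from the tutorial): register one more domain with
# OpenDKIM by appending its SigningTable, KeyTable and TrustedHosts entries
# and generating its key pair.
#
# Usage: add_dkim_domain <domain> [selector] [config-dir]
#        add_dkim_domain example.net            # selector mta1, /etc/opendkim
add_dkim_domain() {
    domain=$1
    selector=${2:-mta1}
    conf=${3:-/etc/opendkim}
    keydir="$conf/keys/$domain"

    # Refuse obviously bad input rather than writing a broken table.
    case "$domain" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid domain: $domain" >&2; return 1 ;;
    esac

    # Idempotent: a second call for the same domain changes nothing.
    if grep -q "^\*@$domain " "$conf/SigningTable" 2>/dev/null; then
        echo "$domain already present"; return 0
    fi

    mkdir -p "$keydir"
    # *@example.net mta1._domainkey.example.net
    printf '*@%s %s._domainkey.%s\n' "$domain" "$selector" "$domain" >> "$conf/SigningTable"
    # mta1._domainkey.example.net example.net:mta1:/etc/opendkim/keys/example.net/mta1.private
    printf '%s._domainkey.%s %s:%s:%s/%s.private\n' \
        "$selector" "$domain" "$domain" "$selector" "$keydir" "$selector" >> "$conf/KeyTable"
    # *.example.net
    printf '*.%s\n' "$domain" >> "$conf/TrustedHosts"

    # Generate the key pair when opendkim-genkey is installed (skipped in a
    # scratch-directory dry run) and give opendkim ownership, as in Step 4.
    if command -v opendkim-genkey >/dev/null 2>&1; then
        opendkim-genkey -b 2048 -d "$domain" -D "$keydir" -s "$selector"
        chown -R opendkim:opendkim "$keydir"
    fi
    echo "added $domain: publish $keydir/$selector.txt in DNS, then restart opendkim"
}
```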
sudo firewall-cmd --permanent --add-service={smtp-submission,http}
sudo systemctl reload firewalld