Postfix Adventures #1

Yes, hashtags to guide you through the chapters of every topic on this blog will be a trend here, and of course this subject will be a major one, since a mail server has the most detailed configuration ever and building one manually can be tough work if you plan to achieve 10/10 on Mail-Tester.

To achieve a solid mail server, you must understand its complex configuration and edit each piece manually to build it up, keeping in mind that you will face a lot of issues with silly things hidden throughout a bunch of configuration files. With that in mind, I’ve started to build a bash script that sets up a fully functional mail server based on Postfix. It installs and configures not only Postfix and Dovecot but also OpenDKIM.

But first, we need to understand the concepts behind the script. In this first post on the subject, we’re going to start by enumerating the important steps needed to achieve a 10/10 result on Mail-Tester and the services that result depends on.

https://www.mail-tester.com/test-qgr6g


Virtual Mailbox:

One can say that a mail server is not that complicated: all you have to do is install the packages and start the services. Is that it? Well, I do not think so. Have you heard about Virtual Mailbox? E-mail addresses were meant to be bound to a system user, so imagine you want to manage a billion e-mail accounts, as Gmail does. Do you really think Gmail creates a user on its mail server for every e-mail address it has?

Virtual Mailbox allows you to manage multiple e-mail addresses for all domains available on your server, and it uses a database to store account information. When Postfix is installed along with Dovecot, they are not configured out of the box with Virtual Mailbox. So we’ll explain how to achieve that and how to use Postfixadmin to manage our addresses in Postfix’s database.


How do I read my messages?

When we think about Virtual Mailbox we’re tempted to ask: ‘OK, database-managed e-mail addresses, fine. But how do I read my messages?’ The short answer is that you read your messages using an e-mail client such as Thunderbird. Now if you mean ‘How do I access my messages through my browser?’, then the answer is a virtual mail client such as Roundcube.

The smart question, though, is ‘How do I authenticate to my individual e-mail address in order to read my messages?’ To answer that question we need a basic understanding of the SMTP transfer model:

SMTP Transfer Model

As you may have noticed above, there are five important steps before a message can be delivered to a mailbox.

  • MUA: A fancy name for a mail client. For instance, both Roundcube and Thunderbird are Mail User Agents.
  • MSA: The Mail Submission Agent. It handles the message submitted by the MUA and passes it to the MTA. The software we’re going to use is Dovecot, which is also our MDA.
  • MTA: The Mail Transport Agent, which is the one that sends the message. For this one we’re going to use Postfix.
  • MDA: The Mail Delivery Agent, which is also Dovecot. This service handles every message that arrives for an MX address pointing to our server.
  • MX: The most important DNS entry for the mail server. This entry points to the server that will receive e-mails.

So in order to set up a mail server we must configure these 5 agents to work together: there are 5 services to handle in order to provide a fully functional e-mail server.


Mail Score:

Apache SpamAssassin is an application widely used to filter all incoming mail on a server. It’s based on a large set of rules which are applied to determine whether an email is spam or not. Most rules are regular expressions that are matched against the body or header fields of the message, and the message is classified as spam or not based on the score Apache SpamAssassin assigns.
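The rule-and-score mechanism described above, as an added example that is not SpamAssassin's code or part of the original post: regex rules are matched against header fields and the body, and their scores are summed and compared with a threshold. The rule names, patterns, scores and both sample messages are constructed for illustration; the 5.0 threshold is SpamAssassin's default.

```python
import re
from email import message_from_string

REQUIRED_SCORE = 5.0  # SpamAssassin's default threshold for tagging spam

# (name, target, regex, score): constructed for this example, not
# SpamAssassin's shipped rules. Positive leans spam, negative leans ham.
RULES = [
    ("EX_SUBJ_ALL_CAPS", "Subject", r"^[^a-z]{12,}$", 1.8),
    ("EX_BODY_PRESSURE", "body", r"(?i)\bact now\b|\bwire transfer\b", 2.6),
    ("EX_BODY_RAW_IP_URL", "body", r"https?://\d{1,3}(\.\d{1,3}){3}", 1.9),
    ("EX_SPF_FAIL", "Authentication-Results", r"\bspf=fail\b", 1.2),
    ("EX_SPF_PASS", "Authentication-Results", r"\bspf=pass\b", -0.5),
    ("EX_DKIM_PASS", "Authentication-Results", r"\bdkim=pass\b", -0.5),
]

def score_message(raw):
    """Return (total score, names of the rules that fired) for one message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    total, hits = 0.0, []
    for name, target, pattern, score in RULES:
        text = body if target == "body" else " ".join(msg.get_all(target, []))
        if re.search(pattern, text):
            total += score
            hits.append(name)
    return round(total, 1), hits

def is_spam(raw):
    return score_message(raw)[0] >= REQUIRED_SCORE

# Constructed sample messages (documentation domains and addresses).
SPAM = (
    "From: promo@example.net\n"
    "Subject: URGENT WINNER NOTICE\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net\n"
    "\n"
    "Act now and confirm the wire transfer at http://203.0.113.7/claim\n"
)
HAM = (
    "From: alice@example.com\n"
    "Subject: Meeting notes\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com\n"
    "\n"
    "Notes from today's call are attached.\n"
)
```

The authentication rules show why the DNS entries matter for the score: a message that passes SPF and DKIM starts below zero, while one that fails SPF already carries points toward the threshold.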

Mail Scores can be positive or negative, with positive values indicating “spam” and negative values “ham” (non-spam messages). There are specific DNS entries that must be provided for a domain in order to certify that the domain is authorized to send messages, consequently improving its Mail Score. There are 3 DNS entries that must be provided to achieve a good mail score: DKIM, DMARC and SPF.

  • DKIM: Is a certificate that signs the message digitally, informing the receiver that the server is allowed to send messages from the domain.
  • DMARC: Is a policy for mail transfer, which is already supported by some common mail providers. It depends on Sender Policy Framework and DKIM. DMARC provides a policy for outgoing mail and checks incoming mails for compliance with that policy.
  • SPF: Is an email validation protocol designed to detect and block email spoofing by providing a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain comes from an IP Address authorized by that domain’s administrators.
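A defender-side check for the three records listed above, as an added example that is not part of the original post or of any tool it mentions: the functions take TXT record strings (as a DNS lookup would return them) and report common publishing mistakes. All record values are constructed for example.com, and the DKIM key is a placeholder.

```python
def parse_tags(record):
    """Split the 'tag=value; tag=value' syntax used by DKIM and DMARC."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def check_spf(txt_records):
    """Findings for the SPF policy among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return []  # the policy continues in the redirect target
        return ["no 'all' mechanism: unlisted hosts get a neutral result"]
    if alls[0][0] not in "-~":
        return ["'all' is not -all or ~all: unlisted hosts are not flagged"]
    return []

def check_dkim(record):
    """Findings for a DKIM key record at <selector>._domainkey.<domain>."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["v= tag is present but is not DKIM1"]
    if not tags.get("p"):
        return ["p= is missing or empty: no usable key (empty means revoked)"]
    return []

def check_dmarc(record):
    """Findings for a DMARC record at _dmarc.<domain>."""
    tags = parse_tags(record)
    if not record.replace(" ", "").startswith("v=DMARC1"):
        return ["record does not start with v=DMARC1"]
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return ["missing or invalid p= policy"]
    if tags["p"].lower() == "none":
        return ["p=none: failures are reported but not acted on"]
    return []

# Constructed sample records for example.com (the DKIM key is a placeholder).
SAMPLE_SPF = ["v=spf1 mx -all"]
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:postmaster@example.com"
```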


Next Chapter:

In the next chapter of Postfix Adventures we’ll install all the packages needed to provide at least a mail server based on a Virtual Mailbox configuration. See you soon =)
