Mail Server

22 Notes
+ Set up DMARC, DKIM, and SPF (March 11, 2023, 11:42 p.m.)

DMARC, DKIM, and SPF have to be set up in the domain's DNS settings. Administrators can contact their DNS provider — or, their web hosting platform may provide a tool that enables them to upload and edit DNS records. ----------------------------------------------------------------------------------- SPF Check if you have an existing SPF record: Create SPF Record: - Start with v=spf1 (version 1) tag and follow it with the IP addresses that are authorized to send mail. For example, v=spf1 ip4: ip4: - If you use a third party to send an email on behalf of the domain in question, you must add an "include" statement in your SPF record (e.g., to designate that third party as a legitimate sender - Once you have added all authorized IP addresses and include statements, end your record with an ~all or -all tag. An ~all tag indicates a soft SPF fail while an -all tag indicates a hard SPF fail. In the eyes of the major mailbox providers ~all and -all will result in SPF failure. Validity recommends an -all as it is the most secure record. - SPF records cannot be over 255 characters in length and cannot include more than ten include statements, also known as “lookups.” Example: v=spf1 ip4: ip4: -all ----------------------------------------------------------------------------------- DKIM ----------------------------------------------------------------------------------- DMARC -----------------------------------------------------------------------------------

+ Check if an email has passed SPF, DKIM, and DMARC (March 11, 2023, 11:34 p.m.)

Most email clients provide an option labeled "Show details" or "Show original" that displays the full version of an email, including its header. The header — typically a long block of text above the body of the email — is where mail servers append the results of SPF, DKIM, and DMARC. Reading through the dense header can be tricky. Users viewing it on a browser can click "Ctrl+F" or "Command+F" and type "spf," "dkim," or "dmarc" to find these results. The relevant text might look like this: arc=pass (i=1 spf=pass dkim=pass dmarc=pass; The appearance of the word "pass" in the text above indicates that the email has passed an authentication check. "spf=pass," for example, means the email did not fail SPF; it came from an authorized server with an IP address that is listed in the domain's SPF record. In this example, the email passed all three of SPF, DKIM, and DMARC, and the mail server was able to confirm it really came from and not an impostor. It is also important to note that domain owners need to configure their SPF, DKIM, and DMARC records properly themselves — both in order to prevent spam from their domain and to make sure that legitimate emails from their domain are not marked as spam. Web hosting services do not necessarily do this automatically. Even domains that do not send emails should at least have DMARC records so that spammers cannot pretend to send emails from that domain.

+ SPF, DKIM, and DMARC (March 11, 2023, 10:16 p.m.)

SPF, DKIM, and DMARC are collections of free email authentication methods used to verify that senders are legitimately authorized to send emails from a specific domain. Together, they help prevent spammers, phishers, and other unauthorized parties from sending emails on behalf of a domain* they do not own. -------------------------------------------------------------------------------------- SPF SPF stands for Sender Policy Framework. It allows you to cache a list of authorized IP addresses that are allowed to send emails to your customers on your behalf. How does SPF work? When sending an email, the receiving end would mainly check for a published SPF record. When it detects an SPF record, it searches through the list of authorized addresses for the record. If a valid record exists, the validations are marked as "PASS." Otherwise, the email would be rejected and routed to the spam folder. -------------------------------------------------------------------------------------- DKIM DKIM stands for Domain Keys Identified Mail. DKIM is a stronger authentication method than SPF since it uses public-key cryptography instead of IP addresses. When using DKIM, a sender can attach DKIM signatures to email headers and validate them using a public cryptographic key found in the company's DNS record. The domain owner publishes the cryptographic key and configures it as a TXT record in its general DNS record. -------------------------------------------------------------------------------------- DMARC DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that uses SPF and DKIM to decide the authenticity of an email. DMARC is very effective because it validates the sender of an email using both DKIM and SPF records. Furthermore, it assists mail systems in deciding what to do with messages sent from your domain that fails SPF or DKIM checks. --------------------------------------------------------------------------------------

+ How Does Sending and Receiving Emails Work? (Dec. 18, 2020, 12:01 p.m.)

An email message travels through at least two main SMTP servers that belong to the senders and the recipients. First, SMTP connects your client with your email provider’s server. Next, it checks the email header for relevant information about the sender and the recipient’s address. Once a destination is determined, the server will check the location of the domain associated with the address in the Domain Name System. For example, if you are trying to send a message to, the server locates and relays the message to that specific computer. Then, the recipient’s SMTP server delivers the message to the server’s mailbox until the intended user logs in to their email account. When that happens, either POP3 or IMAP will forward the new message to the recipient’s email client so they can view it.

+ POP3 / IMAP / SMTP (Dec. 18, 2020, 11:50 a.m.)

Both POP3 and IMAP are incoming mail protocols used by email clients to retrieve messages from email servers. The client can be application-based like Thunderbird or web-based like Gmail or Yahoo!. Even though they serve the same function, they do have several differences. ---------------------------------------------------------------------- IMAP (Internet Messaging Access Protocol) POP3 (Post Office Protocol) SMTP (Simple Mail Transfer Protocol) ---------------------------------------------------------------------- What is POP3? POP3 (Post Office Protocol version 3) is a one-way incoming mail protocol that downloads a copy of messages from an email server to a local machine. Once the post office protocol completes the process, it deletes the original data from the server’s inbox. However, many providers these days give an option to keep the original copies intact, allowing users to see the same content when accessing messages from a different platform. This protocol cannot sync the content of your offline inbox with its online counterpart by default. So if the device that stores the messages is lost or broken, you could lose all of the ones you’ve saved. Default POP3 Ports: - Port 110 – non-encrypted port - Port 995 – SSL/TLS port, also known as POP3S ---------------------------------------------------------------------- What is IMAP? IMAP (Internet Message Access Protocol), as opposed to POP3, is a two-way incoming mail protocol that only downloads email headers instead of its entire content. As a result, the actual email messages are still kept on the server after being fetched for viewing, making them accessible from another platform. This protocol also syncs whatever changes made on the email client to the server, hence the two-way communication. This configuration is recommended for those who want to interact with their email messages across multiple devices, so you don’t have to worry about losing important ones should a device is broken or stolen. Another perk of using IMAP is the ease of finding a specific message using a keyword. Default ports that IMAP connection use: - Port 143 – non-encrypted port - Port 993 – SSL/TLS port, also known as IMAPS ---------------------------------------------------------------------- What is SMTP? Now that we have learned about the incoming protocols, POP3 vs IMAP, let’s take a look at the one used to handle outgoing emails. Simple Mail Transfer Protocol (SMTP) is used to send emails from a local client to a recipient’s address. It works side-by-side with a software called Message Transfer Agent (MTA) to transfer electronic messages to their correct destinations. Aside from sending emails, this protocol also acts as a safeguard to filter which message passes through. It regulates the limit of how many messages an account can send within a time frame. Default SMTP ports: - Port 25 – non-encrypted port - Port 465 – SSL/TLS port, also known as SMTPS ----------------------------------------------------------------------

+ Postfix / Dovecot (Dec. 18, 2020, 11:43 a.m.)

Postfix is a Mail Transfer Agent. It accepts mail from the outside world and from local sources, then routes it to its destination. This may involve an SMTP connection to another machine, or it may involve delivering it to a local delivery agent or writing it directly to a Mailbox. Dovecot is an open-source IMAP and POP3 email server for Linux/UNIX-like systems. Dovecot is mailbox interface software. Specifically, it allows users to access their mailboxes using the IMAP interface. If configured correctly, it only interacts with authenticated users. This means that in general, dovecot doesn't have to "talk to the bad guys." Postfix can use dovecot to perform authentication.

+ SASL (Dec. 18, 2020, 10:59 a.m.)

Simple Authentication and Security Layer (SASL) is an authentication layer used in Internet protocols. SASL is not a protocol, but rather a framework that provides developers of applications and shared libraries with mechanisms for authentication, data integrity–checking, and encryption. SASL is a framework for application protocols, such as SMTP or IMAP, that adds authentication support. It checks whether the user has the proper permissions to use the server in the way they request.

+ Test SMTP authentication (Dec. 18, 2020, 10:05 a.m.)

1- telnet 25 2- helo something 3- auth login 4- Paste the output of the following base64 username 5- Paste the output of the following base64 password ------------------------------------------------------------- echo -n "username" | base64 echo -n "password" | base64 -------------------------------------------------------------

+ What is reverse DNS (rDNS)? (Feb. 12, 2020, 1:37 p.m.)

Reverse DNS, or rDNS, does the opposite of the traditional DNS. That is, instead of resolving a domain name to an IP, it resolves an IP to a hostname. The rDNS resolution is a completely separate mechanism from the regular DNS resolution. For example, if the domain “” points to IP (dummy IP address), it doesn’t necessarily mean that the reverse resolution for the IP is To store rDNS records, there’s a specific type of DNS record called the PTR record. This record is also known as the “resource record” (RR), and specifies the IP addresses of all systems using an inverted notation. This rDNS configuration allows you to search for an IP in the DNS, since the domain is added to the inverted IP notation, turning the IP into a domain name. For example: in order to convert the IP address into a PTR record, we need to invert the IP and add the domain which results in the following record: -------------------------------------------------------------------------------------------- When is rDNS useful? If you want to prevent email issues. If you’re hosting your own email server, rDNS becomes pretty useful for your outgoing emails. An rDNS record allows tracing the origin of the email, increasing the credibility of the email server, and becoming a trusted source for many popular email providers such as Gmail, Yahoo, Hotmail, and others. Some incoming email servers won’t even let your email arrive at their email boxes if you don’t have an rDNS record setup. So if you’re using your own mail server, you’ll want to keep it in mind. When you’re performing a cybercrime investigation. Another popular use of reverse DNS records is to identify potential threats and mass scanners throughout the Internet. By using both security API endpoints, or web-based products like SurfaceBrowser, you or your team can easily identify authors and networks behind mass scanning, malware spreading or other types of malicious activities. -------------------------------------------------------------------------------------------- How can I perform a reverse DNS lookup? There are many methods and rDNS lookup tools in use for doing the opposite of a normal DNS check: resolving a given IP to host. Some of these web-based utilities are known as reverse DNS tools, and they all do the same thing, query a given IP to resolve a hostname. Let’s look at some terminal-based examples first: dig -x host --------------------------------------------------------------------------------------------

+ Difference Between Maildir and Mbox Directory Structure (Feb. 12, 2020, 11:33 a.m.)

Maildir and Mbox are email formats that act as a directory for storing messages in email applications. Mbox was the original mail storage system on a cPanel server, but now Maildir is the default option. Mbox places all messages in the same file on the server, whereas, Maildir stores messages in individual files with unique names. Maildir Directories in the Maildir format has three subdirectories. They are: 1) new: Each file in a new subdirectory is all incoming email messages received in a limited time. It is used for notifying the user to have a new message. The modification time of the files in the new directory is the delivery date of the message. The message is normally in RFC 822 format in which it starts with a “Return-path” line and a “Delivered-to” line. 2) Cur: The files in the cur directory are the same as the new directory but, the files in cur are no longer new mail. They have been seen by the user’s mail reading program. That is, it saves only those messages, which have been read by the user. 3) tmp: tmp directory includes a temporary data file associated with the Maildir file extension directory. It is used for ensuring the reliable delivery of the message. Benefits of Maildir 1) Maildir is more current. 2) Faster and stable than mbox. 3) The main advantage of this file format is that it can easily classify into subdirectories. When a new message arrives, it filters accordingly and moves in the respective subdirectories. 4) These files can be distributed over the network without any compatibility issues. 5) Compatible with both courier and dovecot mail servers. 6) Most secure format and minimum chances of data corruption. 7) Maildir directory creates one single file for every incoming mail messages. Mailbox Mailbox file format is also known as Mbox. Mbox is an email file type, which stores messages in plain text format. The email contents in the file comprise in the form of 7-bit ASCII text and the rest of the email components (attachments, metadata, etc..) are stored in encoded form. Mailbox works in a single file format in which all email messages are stored in a single file on the account, usually inbox. Benefits of Mbox 1) The file format is universally supported. 2) Appending new mail in the mailbox is faster. 3) Searching text inside the mailbox is faster. It has some file locking problems and problems when used with network file systems.

+ PostfixAdmin (Feb. 10, 2020, 8:37 a.m.)

1- Download the latest version of PostfixAdmin: cd /srv/ wget -O postfixadmin.tgz tar -zxf postfixadmin.tgz mv postfixadmin-postfixadmin-3.2 postfixadmin 2- Copy the "PHP Configuration" from my notes in "Nginx" category to nginx sites-enabled. server_name; root /srv/postfixadmin/public; 3- Create a PostgreSQL user "postfix" and a database named "postfix" 4- Create /srv/postfixadmin/config.local.php file for your local configuration. vim /srv/postfixadmin/config.local.php Configure PostfixAdmin so it can find the database. Add the following lines to config.local.php: <?php $CONF['database_type'] = 'pgsql'; $CONF['database_user'] = 'postfix'; $CONF['database_password'] = 'your_password'; $CONF['database_name'] = 'postfix'; $CONF['configured'] = true; ?> You can see for all available config options and their default value. You can also edit instead of creating a config.local.php, but this will make updates harder and is therefore not recommended. 5- Create a template directory for smarty cache: mkdir -p /srv/postfixadmin/templates_c chown -R www-data /srv/postfixadmin/templates_c 6- Install the following packages: apt install php7.3-imap dovecot-pgsql postfix-pgsql dovecot-pop3d dovecot-imapd dovecot-lmtpd 7- Check settings, and create Admin user. Restart nginx and open the following link in your computer browser: You will be asked to set a setup password. After setting it, you will be given a hash password. Put it in the config file you created at the earlier steps. $CONF['setup_password'] = '' Then you will be asked to create a superadmin account. 8- Since we are configuring a mail server with virtual users we need one system user which will be the owner of all mailboxes and will be used by the virtual users to access their email messages on the server. groupadd -g 5000 vmail useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail 9- Dovecot setup vim /etc/dovecot/conf.d/10-mail.conf mail_location = maildir:/var/mail/vmail/%d/%n/ If you don't have ssl: vim /etc/dovecot/conf.d/10-ssl.conf ssl = no Login for outlook express and mobile applications: vim /etc/dovecot/conf.d/10-auth.conf disable_plaintext_auth = yes auth_mechanisms = plain login Comment this line so that you don't get errors like "pam_authenticate() failed: Authentication failure". We are using virtual user (from database) no need for PAM which is for operating system user authentications. #!include auth-system.conf.ext Uncommend this line: !include auth-sql.conf.ext vim /etc/dovecot/dovecot-sql.conf.ext driver = pgsql password_query = SELECT username AS user,password FROM mailbox WHERE username = '%u' AND active='1' user_query = SELECT '/var/mail/vmail/' || maildir AS home, 5000 AS uid, 5000 AS gid, '*:bytes=' || quotaAS quota_rule FROM mailbox WHERE username = '%u' AND active = true connect = host=localhost dbname=postfix user=postfix password=my_password default_pass_scheme = MD5 # depends on your $CONF['encrypt'] Postfixadmin settings 10- Add the following lines to Postfix configurations file: vim /etc/postfix/ relay_domains = $mydestination, proxy:pgsql:/etc/postfix/pgsql/ virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/ virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/ virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/ virtual_mailbox_base = /var/mail/vmail virtual_mailbox_limit = 512000000 virtual_minimum_uid = 8 virtual_transport = virtual virtual_uid_maps = static:8 virtual_gid_maps = static:8 local_transport = virtual local_recipient_maps = $virtual_mailbox_maps # SASL Auth for SMTP relaying smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_authenticated_header = yes smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes 11- Create a folder and some config files, then add the following lines in each file: mkdir /etc/postfix/pgsql vim /etc/postfix/pgsql/ user = postfix password = whatever hosts = localhost dbname = postfix query = SELECT domain FROM domain WHERE domain='%s' vim /etc/postfix/pgsql/ user = postfix password = whatever hosts = localhost dbname = postfix query = SELECT goto FROM alias WHERE address='%s' AND active = true vim /etc/postfix/pgsql/ user = postfix password = whatever hosts = localhost dbname = postfix #query = SELECT domain FROM domain WHERE domain='%s' #optional query to use when relaying for backup MX query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true vim /etc/postfix/pgsql/ user = postfix password = whatever hosts = localhost dbname = postfix query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true chmod 777 /etc/postfix/pgsql -R chown root:postfix /etc/postfix/pgsql -R postfix set-permissions 12- Enable Roundcube password plugin to enable database-based authentication: vim /srv/roundcubemail/config/ // Enable plugins $config['plugins'] = array('managesieve','password'); // Configure managesieve plugin $rcmail_config['managesieve_port'] = 4190; // Configure password plugin $config['password_driver'] = 'sql'; $config['password_db_dsn'] = 'pgsql://postfix:my_password@localhost/postfix'; $config['password_query'] = 'UPDATE mailbox SET password=%c WHERE username=%u'; --------------------------------------------------------------------------------- Debug: These postmap queries should return the found string: Note that we are NOT authenticating against the credentials set for each email account, we are only testing the ability of Postfix to detect those records in the database. postmap -q pgsql:/etc/postfix/pgsql/ postmap -q pgsql:/etc/postfix/pgsql/ doveadm auth test -x service=imap -x rip= tail -f /var/log/mail*.log If you're having trouble, try uncommenting the following lines in the file: vim /etc/dovecot/conf.d/10-logging.conf auth_debug = yes auth_debug_passwords = yes auth_verbose = yes ---------------------------------------------------------------------------------

+ Roundcube - Enable emoticons plugin (Dec. 25, 2019, 7:27 p.m.)

1- Edit the file /srv/roundcube/config/ 2- Add 'emoticons' to line 49: $config['plugins'] = array('emoticons')

+ Virtual domains (Aug. 22, 2014, 8:24 a.m.)

1- Add these lines to /etc/postfix/ virtual_alias_domains = virtual_alias_maps = hash:/etc/postfix/virtual 2- Create a file "/etc/postfix/virtual" and specify the domains and users to accept mail for. mohsen mohsen nozhanrayan nozhanrayan 3- postmap /etc/postfix/virtual 4- /etc/init.d/postfix restart

+ Find Postfix mail server version (Dec. 15, 2018, 1:24 a.m.)

postconf -d mail_version

+ Roundcube (Dec. 15, 2019, 1:22 a.m.)

1- You will need these packages for Roundcube installer: apt install php-mbstring php-gd php-imagick php-pgsql php-intl php-pear php-zip php-common php-cli php-fpm 2- Download and extract the latest "complete" Roundcube version from: Extract it and give it write/read permission: chmod 777 roundcubemail -R 3- Copy the "PHP Configuration" from my notes in "Nginx" category to nginx sites-enabled. 4- Create a PostgreSQL user "roundcube", with a password, and a database named "roundcubemail". You need the initial SQL database structure for PostgreSQL database. This file exists in the root folder of the roundcube you just downloaded, "roundcubemail/SQL/postgres.initial.sql". Use the following command to load the structure into the database: psql -U roundcube -f /srv/roundcubemail/SQL/postgres.initial.sql roundcubemail When setting configurations in step 6, if you got error "DB Schema: NOT OK(Database schema differs)" you might need another version of the above structure file. You can download it from the following link: You need to DOWNLOAD the file as raw, do not download the file directly. Click on the link, then click "raw" and copy the link from browser URL, download the raw file using wget, something like the following link: psql -U roundcube -f postgres.initial.sql roundcubemail 5- Edit the file "/etc/php/7.3/fpm/php.ini" and set: date.timezone = 'Asia/Tehran' upload_max_filesize = 300M post_max_size = 300M 6- After restarting the required services, such as Nginx and probably php7.0-fpm, browse the address: 7- Add the following line to the file /srv/roundcube/config/ $config['mail_domain'] = ''; $config['smtp_port'] = 25; 8- Enable creation of primary folders upon user login: vim /srv/roundcubemail/config/ $config['create_default_folders'] = true; ----------------------------------------------------------------------------- You can edit the settings and configurations you have selected or filled-up in the installer web page using this file: roundcube/config/ ----------------------------------------------------------------------------- For debug purpose: tail -f /srv/roundcube/logs/errors tail -f /var/log/mail*.log

+ Web Mail Installation (Dec. 15, 2019, 1:22 a.m.)

apt install postfix dovecot-core dovecot-imapd ---------------------------------------------------- For connecting your cellphone to the webmail: Add these lines to /etc/postfix/ mydestination = (Do not put Only the main domain name!) smtpd_sasl_auth_enable = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth message_size_limit = 102400000 Edit these lines from /etc/dovecot/conf.d/10-auth.conf: disable_plaintext_auth = no auth_mechanisms = plain login If there was any problem when connecting cellphone to your webmail, check the logs for solving the problems: tail -f /var/log/mail*.log ---------------------------------------------------- Edit the file /etc/dovecot/conf.d/10-master.conf: # Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } ---------------------------------------------------- For having "Maildir", edit the file /etc/dovecot/conf.d/10-mail.conf: mail_location = maildir:~/Maildir And the file /etc/postfix/ home_mailbox = Maildir/ mkdir ~/Maildir chmod 700 ~/Maildir chown mohsen:mohsen ~/Maildir ---------------------------------------------------- After making the above changes, restart the services: dovecot postfix ---------------------------------------------------- Debug IMAP: telnet 143 Now type each line as a command: a login USERNAME PASSWORD a examine inbox a logout ---------------------------------------------------- When receiving mails, I noticed "delivered to command: procmail -a" message in logs. Mails would not appear in inbox. For solving the problem I had to use the following commands: postconf -e 'home_mailbox = Maildir/' postconf -e 'mailbox_command =' /etc/init.d/postfix restart ----------------------------------------------------

+ TXT Records (Dec. 15, 2019, 1:21 a.m.)

Create an account in, and using the instructions create DMARC DNS records. You need to create TXT record like this: Host Name: Destination: <The values the site gives you> (without the double quotations) Description: DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email. ----------------------------------------------------------- Creating an SPF or Caller ID record: Create a TXT record: Host Name: Destination: v=spf1 mx ip4: -all -----------------------------------------------------------

+ Test your Reverse PTR record (April 8, 2019, 1:21 a.m.)

+ Is your domain's SPF record correct? (Dec. 15, 2018, 1:20 a.m.)

+ Is your domain's DKIM record correct? (Dec. 15, 2018, 1:20 a.m.)

+ Check your server IP is not on any email blacklists (Dec. 15, 2018, 1:18 a.m.)

+ Description (Aug. 22, 2014, 8:19 a.m.)

Debian Mail Server Setup with Postfix + Dovecot + SASL Postfix is an attempt to provide an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and hopefully secure, while at the same time being sendmail compatible enough to not upset your users. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It’s fast, simple to set up, requires no special administration and it uses very little memory. When sending mail, the Postfix SMTP client can look up the remote SMTP server hostname or destination domain (the address right-hand part) in a SASL password table, and if a username/password is found, it will use that username and password to authenticate to the remote SMTP server. And as of version 2.3, Postfix can be configured to search its SASL password table by the sender email address. Note : If you install Postfix/Dovecot mail server you will ONLY be able to send mail within your network. You can only send mail externally if you install SASL authentication with TLS. As otherwise you get “Relay Access Denied” error. SASL Configuration + TLS (Simple authentication security layer with transport layer security) used mainly to authenticate users before sending email to external server, thus restricting relay access. If your relay server is kept open, then spammers could use your mail server to send spam. It is very essential to protect your mail server from misuse.