SMTP Relay

Set up an SMTP relay for additional security and to sustain IP reputation.

Be sure to check the relay server's IP address once in a while for any blacklisting.

Allow only specific IP addresses to and from the servers.
Block all others.

Below is the setup procedure:

https://www.linuxbabe.com/mail-server/postfix-send-only-multiple-domains-ubuntu

 

apt-get update

apt-get install postfix -y

postconf -e "myhostname = sso.kalolina.com"

postconf mydomain

postconf -e "mydomain = sso.kalolina.com"

postconf myorigin

    myorigin = /etc/mailname

cat /etc/mailname

echo "kalolina.com" | sudo tee /etc/mailname

systemctl restart postfix

 

host 139.162.53.96

 

apt-get install opendkim opendkim-tools

adduser postfix opendkim

nano /etc/opendkim.conf

 

    Uncomment the following lines:

    Canonicalization     relaxed/simple

    Mode                 s

    SubDomains           no

 

# OpenDKIM user

# Remember to add user postfix to group opendkim

UserID             opendkim

 

# Map domains in From addresses to keys used to sign messages

KeyTable           refile:/etc/opendkim/key.table

SigningTable       refile:/etc/opendkim/signing.table

 

# A set of internal hosts whose mail should be signed

InternalHosts       /etc/opendkim/trusted.hosts

 

mkdir /etc/opendkim

mkdir /etc/opendkim/keys

chown -R opendkim:opendkim /etc/opendkim

chmod go-rw /etc/opendkim/keys

 

nano /etc/opendkim/signing.table

*@kalolina.com     sendonly._domainkey.kalolina.com

 

nano /etc/opendkim/key.table

sendonly._domainkey.kalolina.com    kalolina.com:sendonly:/etc/opendkim/keys/kalolina.com/sendonly.private

 

nano /etc/opendkim/trusted.hosts

 

    127.0.0.1

    localhost

 

    *.kalolina.com

 

mkdir /etc/opendkim/keys/kalolina.com

opendkim-genkey -b 2048 -d kalolina.com -D /etc/opendkim/keys/kalolina.com -s sendonly -v

 

chown opendkim:opendkim /etc/opendkim/keys/kalolina.com/sendonly.private

 

cat /etc/opendkim/keys/kalolina.com/sendonly.txt

   

    The string after the p parameter is the public key. In your DNS manager, create a TXT record for the second domain. Enter sendonly._domainkey in the Name field. Copy everything in the parentheses and paste it into the value field. Delete all double quotes. (You can paste it into a text editor first, delete all double quotes, then copy it to your DNS manager. Your DNS manager may require you to delete other invalid characters, such as carriage returns.)

 

 

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzaLWzpp1GYD2mOV1241vD4mcKARkOnuF1jxOrGAqtvKMisf5XS/1U2Jb8Zinu5BvWlDNwvrw+b6NIURyYpageXqNRMitxN3oNOnVK9C7v4P0k4S31Xpj1YcP7i1wFI/+KX+3V/s0AHYpL0+Jd+MCsbQiIvWto97hoovSoK3SvsX8tZjZiDahHpq3Eq9QnicIl7p8l02x6yKadw

 

opendkim-testkey -d kalolina.com -s sendonly -vvv

 

nano /etc/opendkim.conf

Socket local:/var/spool/postfix/opendkim/opendkim.sock

 

mkdir /var/spool/postfix/opendkim

chown opendkim:postfix /var/spool/postfix/opendkim

 

nano /etc/default/opendkim

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

 

nano /etc/postfix/main.cf

 

smtp_tls_security_level = may

smtp_tls_loglevel = 1

 

# add at the bottom of /etc/postfix/main.cf

# Milter configuration

milter_default_action = accept

milter_protocol = 6

smtpd_milters = local:opendkim/opendkim.sock

non_smtpd_milters = $smtpd_milters

 

systemctl restart opendkim postfix

systemctl status opendkim

 

Add the SPF record in DNS, substituting the relay's real public IPv4/IPv6 addresses for the placeholder values:

TXT  @   v=spf1 mx ip4:12.34.56.78 ip6:2600:3c01::f03c:93d8:f2c6:78ad ~all

 

systemctl restart postfix

 

# replace 12.34.56.78 with the address of the server that is allowed to relay through this host
sudo ufw insert 1 allow in from 12.34.56.78 to any port 25 proto tcp

sudo ufw allow 80/tcp

 

postconf "inet_interfaces = all"

 

nano /etc/postfix/master.cf

 

submission     inet     n    -    y    -    -    smtpd

  -o syslog_name=postfix/submission

  -o smtpd_tls_security_level=encrypt

  -o smtpd_tls_wrappermode=no

  -o smtpd_sasl_auth_enable=yes

  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

  -o smtpd_sasl_type=dovecot

  -o smtpd_sasl_path=private/auth

 

 

apt install dovecot-core

nano /etc/dovecot/conf.d/10-auth.conf

  disable_plaintext_auth = yes

  auth_mechanisms = plain login

 

nano /etc/dovecot/conf.d/10-master.conf

  service auth {

    unix_listener /var/spool/postfix/private/auth {

      mode = 0660

      user = postfix

      group = postfix

    }

   }

 

systemctl restart dovecot

 

apt install certbot

 

certbot certonly --standalone --agree-tos --email support@kalolina.com -d sso.kalolina.com

 

Point these at the certificate and key actually issued for sso.kalolina.com; the panel path shown here differs from certbot's default location under /etc/letsencrypt/live/.

postconf "smtpd_tls_cert_file = /www/server/panel/vhost/ssl/sso.kalolina.com/fullchain.pem"

postconf "smtpd_tls_key_file = /www/server/panel/vhost/ssl/sso.kalolina.com/privkey.pem"

 

systemctl restart postfix

 

adduser kapro --no-create-home
