Additional Settings
The mail gateway should work now and filter the most common spam and virus mails. But spam is an aggressive business, and mailservers/ISPs are therefore very restrictive about accepting mails. With the standard settings, your mailserver may get blocked by some ISPs (for example, chello.at checks whether there is a valid reverse DNS entry for your mailserver).
You can check your current mail settings by sending a mail to a Mail Tester (only three checks per day are allowed).
After adding the settings below, mails should be accepted by almost every receiving mailserver.
Reverse DNS[4]
To ensure that your mailserver is allowed to send mails, one common method is to check whether the IP of the sending mailserver is valid for the hostname it sends under. A reverse DNS entry maps one IP to exactly one hostname.
For example, my mailserver 178.63.18.4 has the reverse DNS entry “smtp.philipp.info”. If smtp.philipp.info sends a mail from the IP 178.63.18.4, everything is all right. But if I change my mailserver name to smtp2.philipp.info (or any other name), the IP is still 178.63.18.4, but the expected DNS entry is smtp.philipp.info and not smtp2.philipp.info, so the receiving mailservers may reject these mails.
You have to set the reverse DNS entry in the admin panel of your hoster. Here’s an example from my provider (Hetzner):
SPF-Record[5]
SPF records declare which mailservers and/or IPs are allowed to send mails in the name of the domain.
It’s a TXT record in the DNS zone of your domain and looks similar to this record (of philipp.info):
@ IN TXT "v=spf1 a mx a:smtp.philipp.info mx:dieholzers.at ip4:91.112.5.189 ip4:178.63.18.4 -all"
You can create such SPF records with this online tool: SPF-Record (German)
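To see what a receiving mailserver does with the record above, here is a small SPF evaluator (added example, not code from the original post). It handles the mechanisms the record uses (a, mx, ip4, all, with qualifiers) and takes its DNS answers from a constructed table, so the A/MX data for philipp.info and dieholzers.at is invented for the example rather than looked up live.

```python
import ipaddress

# Constructed stand-in for DNS with only the lookups the record below needs;
# the A/MX data is invented for this example, not a live snapshot.
FAKE_DNS = {
    ("philipp.info", "A"): ["178.63.18.4"],
    ("philipp.info", "MX"): ["smtp.philipp.info"],
    ("smtp.philipp.info", "A"): ["178.63.18.4"],
    ("dieholzers.at", "MX"): ["mail.dieholzers.at"],
    ("mail.dieholzers.at", "A"): ["91.112.5.189"],
}
SPF_RECORD = ("v=spf1 a mx a:smtp.philipp.info mx:dieholzers.at "
              "ip4:91.112.5.189 ip4:178.63.18.4 -all")
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def ip_in(ip, spec):
    """True if ip lies in spec, given as '1.2.3.4' or '1.2.3.0/24'."""
    net = spec if "/" in spec else spec + "/32"
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def matches(mech, domain, ip):
    """Evaluate one mechanism (all, ip4, a, mx) against the connecting ip."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip_in(ip, arg)
    target, _, prefix = (arg or domain).partition("/")   # a:host/24 style
    if name == "a":
        hosts = [target]
    elif name == "mx":
        hosts = lookup(target, "MX")
    else:
        raise ValueError("unsupported mechanism: " + mech)
    return any(ip_in(ip, addr + ("/" + prefix if prefix else ""))
               for host in hosts for addr in lookup(host, "A"))

def check_spf(record, domain, ip):
    """Return pass/fail/softfail/neutral for a mail from ip claiming domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        if matches(term.lstrip("+-~?").lower(), domain, ip):
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and no 'all' term present
```

With the record above, 178.63.18.4 and 91.112.5.189 evaluate to pass and any other address hits -all and fails; a record ending in ~all would give softfail instead.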
DKIM-Record[6] (DomainKeys Identified Mail)
DKIM is an email authentication method. The receiving server verifies the signature of a mail with the public key that the sending domain has published in DNS.
[7] (German) describes how it works, but I summarize it here for this blog post.
First, you need at least the following packages:
apt-get install amavisd-new libmail-dkim-perl
Enable DKIM Verification
If you want to enable the DKIM-verification for each incoming mail, add this to /etc/amavis/conf.d/50-user:
$enable_dkim_verification = 1;
Now reload amavis with amavis reload
Add DKIM Signatures to outgoing mails
DKIM needs a public/private key pair in x509 format. The private key is used (by amavisd-new) to sign the outgoing mails, and the public key is published via DNS.
Let’s start with creating the public/private keys with the amavisd-new command.
# amavisd-new genrsa /var/lib/amavis/db/example1.net 2048
Private RSA key successfully written to file "/var/lib/amavis/db/example1.net" \
  (2048 bits, PEM format)
Now we have to configure the private key in the /etc/amavis/conf.d/50-user file.
$enable_dkim_signing = 0;
dkim_key('example1.net', 'mail201612', '/var/lib/amavis/db/example1.net');
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } }
);
It’s important that you don’t enable DKIM signing yet, because the public key isn’t published in DNS yet. So at this point the check of the DKIM signatures on outgoing mails would still fail.
Reload amavisd-new and print the public key as a DNS record (in the right syntax) by executing amavisd-new showkeys example1.net:
; key#1 2048 bits, i=mail201612, d=example1.net, /var/lib/amavis/db/example1.net
mail201612._domainkey.example1.net.	3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5TnRx88tjZ+7DcpXoAHa"
  "GOa6k2rWc/RQRhyRGAayZHlxjb1VukifAZ83HXAAFhP1vDaqN4SXKEyvB/RY3i7H"
  "SQmEqfFTlE7rpdeuzOvdMgbxPj3qFu3Rb4k0weiOKnV74UV/EWwXJ6cVCo7gQMuY"
  "vSFX+Gq/3O1jeMlsALIDXo6alStA5txqAdi4cGCo4a0esN/swkghMBoyDQn3kzvi"
  "Byfdj/nAt/+QcBCszPnG/B1DFp5p2MuVQeZxb1P2p7KfnNRMyhH+1mmm3iBi6FpQ"
  "2wcmT8/i0E3qfoQYrXUSPfz8MSSTYwHLJ62N0R6ugjXYnDQ/bMrjdxZsTd+QPkw4"
  "VwIDAQAB")
Add the whole output to the zone file of the domain “example1.net”. Afterwards, check the published key with amavisd-new testkeys example1.net. If the zone file was updated (and the new record is already visible to your resolver), the output should be:
TESTING#1: mail201612._domainkey.example1.net => pass
Before we can start signing mails with DKIM, amavis needs to know which mails are outgoing. Therefore amavis sets the ORIGINATING tag on each outgoing mail. This tag isn’t configured by default, so you have to add a new policy bank to amavis in the /etc/amavis/conf.d/50-user file:
$policy_bank{'SUBMISSION'} = {
  originating => 1,
  bypass_spam_checks_maps => [1],
  bypass_banned_checks_maps => [1],
  final_virus_destiny => D_REJECT,
  final_bad_header_destiny => D_PASS,
  terminate_dsn_on_notify_success => 0,
  warnbadhsender => 1,
};
The other options make sure that the originating tag is only set on mails from trusted clients, i.e. only for submission senders.
Now enable DKIM signing by setting $enable_dkim_signing = 1; and reload amavis with amavisd-new reload.
Congratulations, you are now signing outgoing mails with your DKIM private key.
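Before trusting the published record, it is worth checking what a receiver will actually get back from DNS. The following added example (not code from the original post or from amavisd-new) joins the quoted TXT strings of the showkeys output above into one record, parses the tags, and walks the DER-encoded public key in p= to confirm that it is the expected 2048-bit RSA key; the string list is constructed from the output quoted above, and the 1024-bit minimum is the assumed acceptance threshold.

```python
import base64

# Constructed from the amavisd-new showkeys output quoted above: the zone
# publishes the key as several quoted strings, which a resolver returns as
# separate character-strings that must be concatenated before parsing.
SHOWKEYS_STRINGS = [
    "v=DKIM1; p=",
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5TnRx88tjZ+7DcpXoAHa",
    "GOa6k2rWc/RQRhyRGAayZHlxjb1VukifAZ83HXAAFhP1vDaqN4SXKEyvB/RY3i7H",
    "SQmEqfFTlE7rpdeuzOvdMgbxPj3qFu3Rb4k0weiOKnV74UV/EWwXJ6cVCo7gQMuY",
    "vSFX+Gq/3O1jeMlsALIDXo6alStA5txqAdi4cGCo4a0esN/swkghMBoyDQn3kzvi",
    "Byfdj/nAt/+QcBCszPnG/B1DFp5p2MuVQeZxb1P2p7KfnNRMyhH+1mmm3iBi6FpQ",
    "2wcmT8/i0E3qfoQYrXUSPfz8MSSTYwHLJ62N0R6ugjXYnDQ/bMrjdxZsTd+QPkw4",
    "VwIDAQAB",
]

def parse_dkim_txt(strings):
    """Join the TXT character-strings and split the tag=value list."""
    tags = {}
    for part in "".join(strings).split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip()] = "".join(value.split())  # whitespace in p= is legal
    return tags

def der_tlv(buf, pos):
    """Minimal DER reader: return (tag, value_bytes, position_after)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_info(p_value):
    """Decode p= (a DER SubjectPublicKeyInfo) into (modulus_bits, exponent)."""
    spki = base64.b64decode(p_value)
    _, body, _ = der_tlv(spki, 0)               # SEQUENCE { algorithm, key }
    _, _, pos = der_tlv(body, 0)                # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = der_tlv(body, pos)         # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03 and bitstr[0] == 0, "unexpected key encoding"
    _, rsa, _ = der_tlv(bitstr, 1)              # SEQUENCE { modulus, exponent }
    _, n, pos = der_tlv(rsa, 0)
    _, e, _ = der_tlv(rsa, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")

def check_record(strings, min_bits=1024):
    """Report version, key size and whether the key meets the assumed minimum."""
    tags = parse_dkim_txt(strings)
    if "p" not in tags or tags.get("v", "DKIM1") != "DKIM1":
        return {"valid": False}
    bits, e = rsa_key_info(tags["p"])
    return {"valid": True, "v": "DKIM1", "bits": bits, "exponent": e,
            "strong_enough": bits >= min_bits}
```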
DMARC-Record[8]
DMARC is an email validation system designed to sit on top of the two existing mechanisms SPF and DKIM. I’m not going any further here, because in my setup I simply set a DMARC policy of “none” (no enforcement) with this DNS entry:
_dmarc.example1.net. 3600 IN TXT "v=DMARC1; p=none"
As far as I know, only a few mailservers will validate it.
Sources
- [1] Creating an Outgoing Mail Relay with Postfix and SpamAssassin
- [2] Configuring Postfix as an Inbound Gateway for Exchange or other back-end
- [3] Spam- und Virenschutz mit Postfix (Debian) [German]
- [4] ReverseDNS Lookup
- [5] OpenSPF
- [6] DomainKeys Identified Mail
- [7] amavisd-new DKIM Howto
- [8] Domain-based Message Authentication, Reporting and Conformance
Hello,
Thank you for your tutorial, it is clear and simple.
I installed this on Debian 8.7 and I had to set up the instances in /etc/postfix/master.cf and not in main.cf.
Hope that helps
mterrasson
Hi,
You’re right. I updated it for the second postfix-instance (amavis-instance).
Thanks for your help
kind regards,
Philipp
Dear Philipp,
Thank you for your tutorial, it is clear and simple.
Some Image in your tutorial does not show. Can you repair it.
Thank you very much.
You made a mistake here :
This is not in the main.cf file but in master.cf, where you need to write this:
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
You’re right. I changed it to “master.cf”
Hi, thank you for your tutorial.
Is there some way to monitor/view the queues, sent mail, historical outbound addresses, etc in a management back-end of sorts? Some sort of granularity in knowing the volume of mail and from what addresses, etc. over time. Kind of like what CPanel has?
Thanks