Postfix hints

I need a reverse DNS (PTR) entry for working email services!

For better compatibility with MS Outlook and working SSL on port 465 (smtps)

Edit master.cf and set -o smtpd_tls_wrappermode=yes on the smtps service.

Determine number of emails waiting in the queue

find /var/spool/postfix/deferred -type f | wc -l

Delete queued emails by sender (here everything sent from @upcmail.nl; $7 is the sender column of mailq)

mailq | awk '$7 ~ /@upcmail.nl$/ { print $1 }' | tr -d '*!' | postsuper -d -

Delete by recipient

mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } $8 ~ /@aol.com$/ { print $1 }' | tr -d '*!' | postsuper -d -

Disable SSLv2

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = SSLv3, TLSv1, !SSLv2
smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL

Then reload Postfix.

/etc/init.d/postfix reload

Check that it is really disabled (the SSLv2 handshake must fail)

openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2

I must get:

CONNECTED(00000003)
write:errno=104

DKIM configuration

Debian 6 – squeeze

It's necessary to have the dkim-filter package installed.

Key creation

mkdir /etc/mail
cd /etc/mail
dkim-genkey -d mydomain.com

Edit or create /etc/dkim-filter.conf

Domain                  mydomain.com
KeyFile                 /etc/mail/default.private
Selector                default

If I need more domains, separate them by commas and use KeyList instead of KeyFile.

KeyList example

*@abc.com:abc.com:/etc/mail/abccom/mail
*@xy.com:xy.com:/etc/mail/xycom/default

Edit /etc/default/dkim-filter

SOCKET="inet:8891@localhost"

Edit /etc/postfix/main.cf

# DKIM signature of SMTP server
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

It's almost finished. Now add the DNS TXT record (selector name, TTL, type, value):

myselector._domainkey 1800 TXT v=DKIM1; p=mykey

Debian 7 – Wheezy

Install opendkim and its tools.

apt-get install opendkim opendkim-tools

Add configuration to /etc/opendkim.conf.

AutoRestart             Yes
AutoRestartRate         10/1h
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

Edit /etc/postfix/main.cf.

milter_protocol = 2
milter_default_action = accept

#If there is already a spamassassin milter in the amavis config, just add opendkim at the end of the line.

smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock
non_smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock

#If there is only opendkim filter, add these lines.

smtpd_milters = unix:/opendkim/opendkim.sock
non_smtpd_milters = unix:/opendkim/opendkim.sock

Now it's time to make the directory for the opendkim socket inside the Postfix spool and let Postfix reach it.

mkdir -p /var/spool/postfix/opendkim
chown opendkim:opendkim /var/spool/postfix/opendkim/
usermod -a -G opendkim postfix

Generate the keys.

mkdir /etc/opendkim
mkdir /etc/opendkim/keys
cd /etc/opendkim/keys
mkdir example.com
cd example.com
opendkim-genkey -s mail -d example.com
chown opendkim:opendkim mail.private

Parameter -s is the selector, -d is the domain. The private key lands in mail.private; mail.txt contains the TXT entry to publish in DNS (as mail._domainkey.example.com).
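opendkim-genkey writes the TXT value in mail.txt as several quoted fragments plus a trailing comment, which is easy to copy wrongly into DNS. As an added check that is not part of the original notes, this script joins the fragments into the single value to publish and validates the DKIM tags; the mail.txt content below is constructed and its p= is filler with a DER-like prefix, not a real key.

```python
"""Assemble and sanity-check a DKIM TXT record from opendkim-genkey's mail.txt."""
import base64
import re

# Constructed sample in the layout opendkim-genkey writes; the p= value is
# filler (real records carry a base64 SubjectPublicKeyInfo here).
SAMPLE_MAIL_TXT = '''mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDxCONSTRUCTEDSAMPLEKEYMATERIAL0123" )  ; ----- DKIM key mail for example.com
'''


def txt_value(mail_txt: str) -> str:
    """Concatenate the quoted fragments into the one TXT value DNS should serve."""
    return "".join(re.findall(r'"([^"]*)"', mail_txt))


def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' list (RFC 6376 tag-list syntax) into a dict."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition("=")
        tags[name.strip()] = val.strip()
    return tags


def check_record(mail_txt: str) -> list:
    """Return a list of problems; an empty list means the record looks publishable."""
    problems = []
    tags = parse_tags(txt_value(mail_txt))
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type k=%s" % tags.get("k"))
    p = tags.get("p", "")
    if not p:
        # An empty p= is the documented way to revoke a selector, not a typo to ignore.
        problems.append("p= is empty (this would revoke the selector)")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            # A public key in DER starts with an ASN.1 SEQUENCE tag (0x30).
            if not der or der[0] != 0x30:
                problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
        except ValueError as exc:
            problems.append("p= is not valid base64: %s" % exc)
    return problems


if __name__ == "__main__":
    print(txt_value(SAMPLE_MAIL_TXT))
    print(check_record(SAMPLE_MAIL_TXT) or "record OK")
```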

Specify the trusted hosts in /etc/opendkim/TrustedHosts (mail from these is signed, not verified).

127.0.0.1
localhost
192.168.0.1/24
*.example.com

Create a key table /etc/opendkim/KeyTable.

mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

Create a signing table /etc/opendkim/SigningTable.

*@example.com mail._domainkey.example.com

And the last step is restarting both services:

service opendkim restart
service postfix restart

Debian 8 – Jessie

Create the domain key.

mkdir -p /etc/dkim/amavisd-new
amavisd-new genrsa /etc/dkim/example.key.pem

Configure amavisd to use the new key in /etc/amavis/conf.d/50-user.

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;

# domain, selector, path of the private key created above
dkim_key('example.com', 'foo', '/etc/dkim/example.key.pem');

@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);  # list your internal networks

To view the public key (the DNS TXT record to publish):

amavisd-new showkeys

Test that the published DNS record matches the key:

amavisd-new testkeys

If everything is ok, restart amavis.

service amavis restart