Introduction
An email server is a system, or set of systems, that receives and sends e-mail messages on the Internet. It is built from several kinds of service: an SMTP server, which uses the Simple Mail Transfer Protocol to transmit e-mail between hosts, usually runs alongside an IMAP or POP3 server that stores the mailboxes and lets users retrieve their messages. Running an email server is not an easy task: it requires installing, configuring, understanding and maintaining a number of different services.
As you can imagine, there are many SMTP, POP3 and IMAP servers out there. In this article we cover Postfix, Dovecot and DKIM, and walk you through installing and configuring an email server with Postfix, Dovecot and OpenDKIM on a CentOS 7 system. We are using CentOS 7 on a Linux VPS from Rose Hosting, but anything that runs CentOS 7 will do, preferably with a public, static IP address, since the MX and reverse DNS records below have to point at it.
Before proceeding any further, verify that your host name is a valid FQDN (fully qualified domain name) and that the domain has a valid MX DNS record. You can use a tool such as dig for this. Run this command to install dig if it is not already on the system (it is part of the bind-utils package):
# if ! command -v dig > /dev/null 2>&1; then yum install -y bind-utils; fi
In our case, the hostname of the e-mail server is galaxy.mydomain.com and the domain is mydomain.com. The domain name has the following MX record:
# dig MX mydomain.com @4.2.2.2 +short
0 mydomain.com.
which tells everyone on the Internet that the host mydomain.com resolves to will accept mail for mydomain.com. (The MX target may equally be the server's host name, galaxy.mydomain.com, as long as that name has an A record; an MX must not point at a CNAME.)
It is also recommended, and in practice required for reliable delivery, that the public IP address of the e-mail server has a reverse DNS (PTR) record that matches the server's host name, which is also the name Postfix announces in its HELO/EHLO (myhostname below). Many receiving servers reject or heavily penalise mail from hosts whose PTR record is missing or does not match. Verify it with dig:
# dig -x 1.2.3.4 +short
galaxy.mydomain.com.
Access your Server
To complete this article, you will need to have root access (or sudo privileges) on the CentOS system. So, use your favorite SSH client to connect to your server. In *NIX like operating systems, you can fire up your terminal and execute:
# ssh root@YOUR_SERVER_IP -p 22
Note: Change the port if SSH listens on a non-default port, and replace YOUR_SERVER_IP with your server's actual IP address.
Once you're logged into your CentOS 7 system, install (if it's not already installed) a tool named screen using yum:
# yum install screen
and initiate a new screen session using the command below:
# screen -U -S postfix-dovecot-dkim
Update the System
Once you are in a screen session, it is preferred to make sure your system is fully up-to-date. So, run the following yum command to update your CentOS 7:
# yum update
Note: It is recommended to reboot your system if there's a kernel upgrade.
SSL Certificate
You will need an X.509 certificate and private key so that Postfix and Dovecot can offer TLS to clients and to other mail servers. In this example we generate a self-signed certificate; it encrypts the connection, but every client will warn about the unknown issuer, so for anything beyond a test setup use a certificate from a public CA (for example Let's Encrypt) issued for the host name clients connect to. Generate the key and certificate with:
# yum install openssl
# mkdir -p /root/SSL/mydomain.com
# cd /root/SSL/mydomain.com
# openssl genrsa -out mydomain.com.key 2048
# openssl req -new -x509 -nodes -days 365 -key mydomain.com.key -out mydomain.com.crt
Enter your SSL certificate details like Country, City, Common Name, etc., for example:
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Oregon
Locality Name (eg, city) [Default City]:Portland
Organization Name (eg, company) [Default Company Ltd]:E-Mail Dept.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:mydomain.com
Note: The Common Name must be the host name that clients and other servers use to connect, otherwise every TLS client will see a name-mismatch warning. In this example the MX record points at mydomain.com, so that is the name used; if you configure your MUAs with galaxy.mydomain.com instead, use that name here (or a certificate that covers both).
Once you have the certificate and key, copy them to /etc/pki/tls/certs/ and /etc/pki/tls/private/ respectively. cp -a preserves the file modes; make sure the key file ends up readable by root only (mode 0600), as it is the one secret in this part of the setup:
# cp -av mydomain.com.crt /etc/pki/tls/certs/
# cp -av mydomain.com.key /etc/pki/tls/private/
Install Dovecot
Before installing Dovecot, a word about what it is: Dovecot is a POP3 and IMAP server that gives Mail User Agents (MUAs) such as Thunderbird or Outlook access to the mailboxes stored on the server.
Install dovecot using yum:
# yum install dovecot
Once installed, you have to edit a few Dovecot configuration files in /etc/dovecot and add or change some parameters. Start with /etc/dovecot/conf.d/10-mail.conf and /etc/dovecot/conf.d/20-imap.conf, where we set the mail location, i.e. where Dovecot looks for each user's mailbox (this must match the home_mailbox setting given to Postfix below):
# vim +/mail_location /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
# vim /etc/dovecot/conf.d/20-imap.conf
protocol imap {
mail_location = maildir:~/Maildir
}
Next, edit /etc/dovecot/conf.d/10-ssl.conf and set the following parameters:
# vim +/"ssl =" /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/tls/certs/mydomain.com.crt
ssl_key = </etc/pki/tls/private/mydomain.com.key
Note: Double check the certificate and key actually exist in the paths specified in ssl_cert and ssl_key.
In /etc/dovecot/conf.d/10-auth.conf, enable the plain and login mechanisms (login is only needed for old Outlook versions) and leave disable_plaintext_auth at its default of yes. Dovecot then still accepts these mechanisms over TLS (and from localhost), but refuses them on an unencrypted IMAP or POP3 connection, so a misconfigured client cannot leak its password. Many older how-tos set this to no, which allows passwords to cross the network in the clear; if you want to force TLS for everything, set ssl = required in 10-ssl.conf as well.
# vim +/disable_plaintext_auth /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain login
We will use Dovecot's SASL authentication service from Postfix to authenticate users who submit mail, so edit /etc/dovecot/conf.d/10-master.conf and make sure the following snippet exists within the service auth {} section. The socket is created under Postfix's queue directory (private/auth relative to /var/spool/postfix, which is how smtpd_sasl_path refers to it below) and is owned by postfix with mode 0660, so nothing else on the box can talk to it:
# vim /etc/dovecot/conf.d/10-master.conf
...
service auth {
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
...
Finally, edit /etc/dovecot/dovecot.conf, set the enabled protocols and bind Dovecot to all interfaces (listen = * covers every IPv4 address; use listen = *, :: to include IPv6):
# vim +/"protocols =" /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp
listen = *
Restart the Dovecot service on the system using systemctl and add it to the system's startup:
# systemctl restart dovecot
# systemctl status dovecot
# systemctl enable dovecot
Install Postfix
What is Postfix? It is a Mail Transfer Agent (MTA), the component responsible for transferring e-mail messages from one computer to another. An MTA acts as an SMTP client when sending e-mail and as an SMTP server when receiving it.
Install postfix using yum:
# yum install postfix
Once installed, create the /etc/mail directory, edit Postfix main configuration file /etc/postfix/main.cf and set the following configuration options:
# mkdir /etc/mail
# vim /etc/postfix/main.cf
inet_interfaces = all
inet_protocols = ipv4
myhostname = galaxy.mydomain.com
mydestination = /etc/mail/my_domains, $myhostname
virtual_alias_maps = hash:/etc/mail/virtual
home_mailbox = Maildir/
tls_random_source = dev:/dev/urandom
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/mydomain.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mydomain.com.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
Note: Make sure you replace galaxy.mydomain.com with your server's actual host name, and verify that the paths in smtpd_tls_key_file and smtpd_tls_cert_file exist. Two things are worth knowing about this configuration. First, smtpd_use_tls = yes only makes STARTTLS available: clients may still authenticate in the clear on port 25 unless you also set smtpd_tls_auth_only = yes (or add noplaintext to smtpd_sasl_security_options while leaving smtpd_sasl_tls_security_options at noanonymous), and it covers only incoming connections, so add smtp_tls_security_level = may to have mail Postfix sends to other servers encrypted whenever the remote side supports it. Second, the smtpd_relay_restrictions line is what keeps the server from being an open relay: only your own networks and authenticated users may relay, everyone else may only deliver to the domains listed in mydestination.
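As an added example (not part of the original article), here is a small shell script that audits a Postfix configuration for exactly the points raised in the note above: SMTP AUTH offered before TLS, STARTTLS missing, and relay restrictions that would turn the server into an open relay. It works on the output of postconf -n and ships with three constructed sample configurations, one of them the main.cf above; the function and sample names are my own.

```sh
#!/bin/sh
# Added example, not from the original article: lint the output of `postconf -n`
# for the two classic mistakes in an SMTP AUTH setup, passwords accepted over an
# unencrypted connection and relaying left open. Run on a real server with:
#   postconf -n | sh postfix_audit.sh --stdin
# The three configurations at the bottom are constructed samples.

# pf_get KEY CONFIG: print the value of KEY from "key = value" lines (empty if unset).
pf_get() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# pf_audit CONFIG: print one finding per line, always exit 0.
pf_audit() {
    pf_cfg=$1

    # 1. AUTH enabled while TLS is only opportunistic: PLAIN/LOGIN are advertised before
    #    STARTTLS, so a mis-configured client (or a downgrade attack) sends the password
    #    in the clear. smtpd_tls_auth_only = yes hides AUTH until TLS is up; adding
    #    noplaintext to smtpd_sasl_security_options achieves the same.
    if [ "$(pf_get smtpd_sasl_auth_enable "$pf_cfg")" = yes ] &&
       [ "$(pf_get smtpd_tls_auth_only "$pf_cfg")" != yes ]; then
        case "$(pf_get smtpd_sasl_security_options "$pf_cfg")" in
            *noplaintext*) ;;
            *) echo "AUTH offered on unencrypted connections: set smtpd_tls_auth_only = yes" ;;
        esac
    fi

    # 2. No STARTTLS on the inbound side at all.
    pf_level=$(pf_get smtpd_tls_security_level "$pf_cfg")
    if [ "$(pf_get smtpd_use_tls "$pf_cfg")" != yes ] &&
       [ "$pf_level" != may ] && [ "$pf_level" != encrypt ]; then
        echo "inbound TLS not enabled: set smtpd_tls_security_level = may"
    fi

    # 3. An explicit relay policy that dropped reject_unauth_destination is an open relay.
    #    (postconf -n lists only explicit settings; the Postfix 2.10+ default already ends
    #    in defer_unauth_destination, so an absent value is not flagged.)
    case "$(pf_get smtpd_relay_restrictions "$pf_cfg")" in
        "" | *unauth_destination*) ;;
        *) echo "smtpd_relay_restrictions lacks reject_unauth_destination: open relay" ;;
    esac

    # 4. permit_mynetworks is only as safe as mynetworks.
    case "$(pf_get mynetworks "$pf_cfg")" in
        *0.0.0.0/0* | *::/0*) echo "mynetworks trusts every address: permit_mynetworks relays for anyone" ;;
    esac
    return 0
}

# pf_audit_count CONFIG: print the number of findings.
pf_audit_count() {
    pf_audit "$1" | grep -c . || true
}

# Constructed sample 1: the main.cf settings from this article (AUTH on, TLS optional).
ARTICLE_CFG='smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# Constructed sample 2: the same, hardened.
HARDENED_CFG='smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# Constructed sample 3: a relay that trusts the whole Internet.
OPEN_RELAY_CFG='smtpd_sasl_auth_enable = yes
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated'

if [ "${1:-}" = "--stdin" ]; then
    pf_audit "$(cat)"
else
    for pf_name in ARTICLE_CFG HARDENED_CFG OPEN_RELAY_CFG; do
        eval "pf_sample=\$$pf_name"
        echo "== $pf_name: $(pf_audit_count "$pf_sample") finding(s)"
        pf_audit "$pf_sample"
    done
fi
```

Run against the article's own settings the script reports one finding (AUTH before TLS); the hardened sample is clean, and the third sample shows how quickly a relay that trusts 0.0.0.0/0 accumulates findings.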
Next, create two configuration files, /etc/mail/my_domains and /etc/mail/virtual. The first is a plain list of the domain names Postfix accepts mail for (mydestination reads it because its value starts with a slash); the second contains the virtual e-mail aliases and, being a hash: map, has to be compiled with postmap into /etc/mail/virtual.db before Postfix can use it:
# touch /etc/mail/my_domains /etc/mail/virtual
# postmap /etc/mail/virtual
Edit /etc/postfix/master.cf and enable the submission (587) and SMTPS (465) services. On submission, force TLS before anything else (smtpd_tls_security_level=encrypt) so that credentials are never sent in the clear; on smtps the connection is TLS from the first byte (wrappermode). The -o lines must be indented, because master.cf treats indented lines as continuations of the service entry above them:
# vim /etc/postfix/master.cf
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
Restart the Postfix service using systemctl for the changes to take effect:
# systemctl restart postfix
# systemctl status postfix
# systemctl enable postfix
Add Domain, Account and Aliases
Add mydomain.com to /etc/mail/my_domains so that Postfix accepts mail for this domain. Each domain goes on its own line.
# echo mydomain.com >> /etc/mail/my_domains
To create a new john@mydomain.com account, add a system user without a login shell; Postfix delivers to /home/john/Maildir and Dovecot authenticates against the system password:
# useradd -s /sbin/nologin -m john
# passwd john
If you want aliases such as helpdesk@mydomain.com or sales@mydomain.com, add them to /etc/mail/virtual, one per line, with the alias on the left and the local user (or another e-mail address) it should be delivered to on the right:
helpdesk@mydomain.com john
sales@mydomain.com john
Every time you change this file you have to run postmap on it so that virtual.db is rebuilt. Postfix picks up the new map file on its own, but a restart after the change does no harm and is needed anyway whenever main.cf changes:
# postmap /etc/mail/virtual
# systemctl restart postfix
Setup OpenDKIM
DKIM (DomainKeys Identified Mail) is a technology for signing and verifying e-mail: the sending server adds a cryptographic signature over selected headers and the body of each outgoing message, and receiving servers fetch the signing domain's public key from DNS to verify that the message really was sent by that domain and was not altered in transit. It encrypts nothing and does not by itself stop a spammer who signs with their own domain; what it gives receivers is a reliable way to tell your domain's mail apart from forgeries.
Enable EPEL Repository
OpenDKIM is not in the base CentOS repositories, so enable EPEL first. On CentOS 7 the simplest way is yum install epel-release from the extras repository; alternatively install the release package directly. The package version in this URL changes over time, so if the download fails browse the repository for the current epel-release package:
# yum install https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
Verify EPEL is enabled on the system:
# yum repolist
Install OpenDKIM
Install OpenDKIM using yum
# yum install opendkim
Configure OpenDKIM
The following configuration is reasonable and should work in most setups; adjust it as needed for your case. Move the stock opendkim.conf aside and create a new one with the content below. Mode sv means sign outgoing mail and verify incoming mail; Socket is the address Postfix will be told to connect to later, so the two must match.
# mv /etc/opendkim.conf{,.orig}
# vim /etc/opendkim.conf
AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
Setup DKIM Private/Public Keys
Now create the DKIM key pair. The -s option sets the selector (mail), which becomes part of the DNS name under which the public key is published; -b 2048 asks for a 2048-bit RSA key, as 1024-bit DKIM keys are considered too weak today. The private key must be readable only by the opendkim user:
# mkdir /etc/opendkim/keys/mydomain.com
# opendkim-genkey -b 2048 -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s mail
# chown -R opendkim: /etc/opendkim/keys/mydomain.com
# mv /etc/opendkim/keys/mydomain.com/mail.private /etc/opendkim/keys/mydomain.com/mail
Edit the KeyTable file:
# vim /etc/opendkim/KeyTable
mail._domainkey.mydomain.com mydomain.com:mail:/etc/opendkim/keys/mydomain.com/mail
Now edit the SigningTable file:
# vim /etc/opendkim/SigningTable
*@mydomain.com mail._domainkey.mydomain.com
Add the trusted hosts to the file as shown below, replacing mydomain.com with your actual domain name. Mail from these hosts is signed (InternalHosts) and exempt from verification (ExternalIgnoreList), so do not list networks you do not control here, or OpenDKIM will sign whatever they send through you.
# vim /etc/opendkim/TrustedHosts
127.0.0.1
mydomain.com
galaxy.mydomain.com
opendkim-genkey also wrote mail.txt, the public key formatted as a BIND zone entry for mail._domainkey. Add it as a TXT record in the domain's zone (at a DNS provider, the name is mail._domainkey and the value is the quoted part; a 2048-bit key is split over two quoted strings, and both must be included):
# cat /etc/opendkim/keys/mydomain.com/mail.txt
Once the zone has been updated and has propagated, verify the DKIM TXT record using dig. The output should contain the same v=DKIM1; k=rsa; p=... value as mail.txt:
# dig +short mail._domainkey.mydomain.com TXT
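As an added example (not part of the original article), the following script checks the published DKIM record against mail.txt the way a verifier would read it: it concatenates the quoted strings, checks the v=, k= and p= tags, and estimates the key size from the decoded public key, which catches the common copy/paste mistakes (only the first string pasted, a character changed, or a 1024-bit key). The sample records are constructed, with an all-zero placeholder of the right length in place of a real key, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original article: sanity-check the DKIM TXT record
# before (and after) publishing it. It takes the mail.txt that opendkim-genkey wrote
# and the dig output for the selector, joins the quoted strings the way a verifier
# does, and compares them. Live use:
#   dkim_check "$(cat /etc/opendkim/keys/mydomain.com/mail.txt)" \
#              "$(dig +short mail._domainkey.mydomain.com TXT)"
# The records at the bottom are constructed samples with a fake (all-zero) key.

# dkim_record_value TEXT: concatenate every "quoted string" in TEXT (BIND zone line or
# dig +short output) into one TXT value. Verifiers do the same join, which is why a
# 2048-bit key split over two strings works, but a paste that kept only the first does not.
dkim_record_value() {
    printf '%s' "$1" | tr -d '\n' | grep -o '"[^"]*"' | tr -d '"\n'
}

# dkim_tag TAG VALUE: print the value of "tag=" from a tag=value; tag=value list.
dkim_tag() {
    printf '%s' "$2" | tr -d ' \t' | tr ';' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# dkim_key_bits P: estimate the RSA modulus size from the decoded p= length. The DER
# SubjectPublicKeyInfo of an e=65537 key is 162 bytes at 1024 bits, 294 at 2048 and
# 550 at 4096; anything shorter than 162 bytes is not a usable key.
dkim_key_bits() {
    dk_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    if   [ "$dk_len" -ge 550 ]; then echo 4096
    elif [ "$dk_len" -ge 294 ]; then echo 2048
    elif [ "$dk_len" -ge 162 ]; then echo 1024
    else echo 0
    fi
}

# dkim_check MAIL_TXT DIG_OUTPUT: print one finding per line, always exit 0.
dkim_check() {
    dk_file=$(dkim_record_value "$1")
    dk_dns=$(dkim_record_value "$2")
    if [ -z "$dk_dns" ]; then
        echo "no TXT record in DNS for the selector (not published yet, or wrong name)"
        return 0
    fi
    [ "$(dkim_tag v "$dk_dns")" = DKIM1 ] || echo "record lacks v=DKIM1"
    dk_k=$(dkim_tag k "$dk_dns")
    [ -z "$dk_k" ] || [ "$dk_k" = rsa ] || echo "k=$dk_k but the key is RSA"
    dk_p=$(dkim_tag p "$dk_dns")
    [ -n "$dk_p" ] || echo "p= is empty: the record is truncated (or the key was revoked)"
    [ "$(printf '%s' "$dk_file" | tr -d ' \t')" = "$(printf '%s' "$dk_dns" | tr -d ' \t')" ] ||
        echo "published record differs from mail.txt (all quoted strings must be copied)"
    dk_bits=$(dkim_key_bits "$dk_p")
    [ "$dk_bits" -ge 2048 ] || echo "key is about $dk_bits bits: regenerate with opendkim-genkey -b 2048"
    return 0
}

# dkim_check_count MAIL_TXT DIG_OUTPUT: print the number of findings.
dkim_check_count() {
    dkim_check "$1" "$2" | grep -c . || true
}

# Constructed samples. FAKE_P has exactly the base64 length of a real 2048-bit key.
FAKE_P=$(head -c 294 /dev/zero | base64 | tr -d '\n')
FAKE_P1=$(printf '%s' "$FAKE_P" | cut -c1-253)      # opendkim-genkey splits at 255 chars
FAKE_P2=$(printf '%s' "$FAKE_P" | cut -c254-)
MAIL_TXT="mail._domainkey IN TXT ( \"v=DKIM1; k=rsa; \"
          \"p=$FAKE_P1\"
          \"$FAKE_P2\" )  ; ----- DKIM key mail for mydomain.com"
DIG_OK="\"v=DKIM1; k=rsa; \" \"p=$FAKE_P1\" \"$FAKE_P2\""
DIG_TYPO="\"v=DKIM1; k=rsa; \" \"p=$(printf '%s' "$FAKE_P1" | tr A B)\" \"$FAKE_P2\""
WEAK_P=$(head -c 162 /dev/zero | base64 | tr -d '\n')   # 1024-bit sized placeholder
MAIL_TXT_1024="mail._domainkey IN TXT ( \"v=DKIM1; k=rsa; p=$WEAK_P\" )"
DIG_1024="\"v=DKIM1; k=rsa; p=$WEAK_P\""

for dk_case in "ok:$DIG_OK" "typo:$DIG_TYPO" "unpublished:"; do
    echo "== ${dk_case%%:*}: $(dkim_check_count "$MAIL_TXT" "${dk_case#*:}") finding(s)"
    dkim_check "$MAIL_TXT" "${dk_case#*:}"
done
echo "== 1024-bit key: $(dkim_check_count "$MAIL_TXT_1024" "$DIG_1024") finding(s)"
dkim_check "$MAIL_TXT_1024" "$DIG_1024"
```

The key-size estimate deliberately works from the length of the decoded p= value rather than parsing the DER structure, which is enough to tell 1024 from 2048 from 4096 for the RSA keys opendkim-genkey produces.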
Integrate DKIM in Postfix
Finally, tell Postfix to pass every message through OpenDKIM. Mail received over SMTP goes through smtpd_milters; mail submitted locally with the sendmail command goes through non_smtpd_milters. The address must match the Socket line in opendkim.conf. milter_default_action = accept means that if OpenDKIM is not running, mail is still accepted and delivered, only unsigned (use tempfail instead if you would rather have senders retry than have unsigned mail go out):
# vim /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
Start OpenDKIM first so that its socket exists when Postfix connects to it, and enable both services at boot:
# systemctl restart opendkim
# systemctl enable opendkim
# systemctl restart postfix
And that should be it. You should now have a working Postfix, Dovecot and OpenDKIM setup that sends and receives DKIM-signed mail for your domain. Before relying on it, send a message from an account on the server to a mailbox elsewhere and look at the raw headers there: you should see a DKIM-Signature header with d=mydomain.com and s=mail added by your server, and an Authentication-Results header from the receiver reporting dkim=pass.
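As an added example (not part of the original article), the script below automates the header inspection just described. Given the raw source of a test message as it arrived in an external mailbox, it unfolds the headers, checks the DKIM-Signature for the expected domain, selector and algorithm, looks for the receiver's dkim=pass verdict, and checks whether the hop to the receiver used TLS. The two messages are constructed samples with dummy signature values, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original article: check the headers of a test message
# as it arrived in an external mailbox (view source / "show original" and save it).
# It confirms that OpenDKIM signed with the expected domain and selector, that the
# receiver reported dkim=pass, and that the hop to the receiver used TLS. Live use:
#   check_outbound "$(cat saved_message.eml)" mydomain.com mail
# The two messages at the bottom are constructed samples; the signature values are dummies.

# hdr_get NAME MESSAGE: print the unfolded value of the first NAME: header (case-insensitive).
hdr_get() {
    printf '%s\n' "$2" | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^$/ { exit }                                   # blank line ends the header block
        /^[ \t]/ {                                      # folded continuation line
            if (cur) { sub(/^[ \t]+/, ""); val = val " " $0 }
            next
        }
        {
            if (cur) exit                               # next header starts: done
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == want) {
                cur = 1; val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
            }
        }
        END { if (cur) print val }'
}

# sig_tag TAG VALUE: value of "tag=" in a DKIM-Signature style tag=value; list.
sig_tag() {
    printf '%s' "$2" | tr -d ' \t' | tr ';' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# check_outbound MESSAGE DOMAIN SELECTOR: print one finding per line, always exit 0.
check_outbound() {
    co_sig=$(hdr_get DKIM-Signature "$1")
    if [ -z "$co_sig" ]; then
        echo "no DKIM-Signature header: OpenDKIM did not sign (check SigningTable, InternalHosts and smtpd_milters)"
    else
        [ "$(sig_tag d "$co_sig")" = "$2" ] || echo "signed for d=$(sig_tag d "$co_sig"), expected $2"
        [ "$(sig_tag s "$co_sig")" = "$3" ] || echo "selector s=$(sig_tag s "$co_sig"), expected $3"
        [ "$(sig_tag a "$co_sig")" = rsa-sha256 ] || echo "algorithm a=$(sig_tag a "$co_sig"), expected rsa-sha256"
    fi
    co_ar=$(hdr_get Authentication-Results "$1")
    case "$co_ar" in
        *dkim=pass*) ;;
        *) echo "receiver did not report dkim=pass: ${co_ar:-no Authentication-Results header}" ;;
    esac
    # The topmost Received: header is the one the receiver added for our connection;
    # Postfix-style receivers write ESMTPS (and the TLS version) when it was encrypted.
    case "$(hdr_get Received "$1")" in
        *ESMTPS*|*TLS*) ;;
        *) echo "delivery to the receiver was not encrypted: set smtp_tls_security_level = may" ;;
    esac
    return 0
}

# check_outbound_count MESSAGE DOMAIN SELECTOR: print the number of findings.
check_outbound_count() {
    check_outbound "$1" "$2" "$3" | grep -c . || true
}

# Constructed sample: what a correctly signed, TLS-delivered test mail looks like at the receiver.
GOOD_MSG='Received: from galaxy.mydomain.com (galaxy.mydomain.com [1.2.3.4])
        by mx.example.net (Postfix) with ESMTPS id 4FzQ1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
Authentication-Results: mx.example.net;
        dkim=pass header.d=mydomain.com header.s=mail header.b=Zm9vYmFy
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com;
        s=mail; t=1700000000; h=from:to:subject:date:message-id;
        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
        b=ZHVtbXkgc2lnbmF0dXJlIGZvciB0aGUgZXhhbXBsZQ==
From: John <john@mydomain.com>
To: tester@example.net
Subject: DKIM test
Message-Id: <20240101000000.ABCDEF@galaxy.mydomain.com>

DKIM test body'

# Constructed sample: the milter was down and outbound TLS was not configured.
UNSIGNED_MSG='Received: from galaxy.mydomain.com (galaxy.mydomain.com [1.2.3.4])
        by mx.example.net (Postfix) with ESMTP id 4FzQ2
Authentication-Results: mx.example.net; dkim=none (message not signed)
From: John <john@mydomain.com>
To: tester@example.net
Subject: DKIM test

DKIM test body'

for co_name in GOOD_MSG UNSIGNED_MSG; do
    eval "co_msg=\$$co_name"
    echo "== $co_name: $(check_outbound_count "$co_msg" mydomain.com mail) finding(s)"
    check_outbound "$co_msg" mydomain.com mail
done
```

A clean run prints no findings for the signed message and three for the unsigned one; if your own test mail produces the second pattern, the milter and smtp_tls_security_level settings above are the first places to look.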