raw administration

This guide provides step-by-step instructions to configure a secure and reliable email server using Postfix, Dovecot, and MySQL on Debian or Ubuntu. The process includes setting up DNS, configuring MySQL for virtual hosts, and integrating Postfix and Dovecot to handle email delivery and retrieval securely.

Configure DNS for Your Email Server

To ensure your mail server functions properly, update the DNS settings for your domain:

  1. A or CNAME Record:
    Create an A record pointing to your server's IP address (e.g., mail.example.org) or a CNAME pointing to another domain name.

  2. MX Record:
    Add an MX record with:

    • Hostname: @ (or the root of your domain).
    • Mail server: mail.example.org (replace with your domain).
    • Priority: 10.
  3. Additional DNS Records:

    • SPF: Add a TXT record to specify allowed senders, e.g., v=spf1 ip4:<IP_ADDRESS> -all.
    • DKIM: Publish your DKIM key to validate outgoing mail.
    • DMARC: Add a TXT record for DMARC to specify the postmasters address and .

Example DNS zone file:

mail        A    192.168.0.1
@           MX   10   mail.example.org.
@           TXT  "v=spf1 ip4:192.168.0.1 -all"
_dmarc      TXT  "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.org; ruf=mailto:postmaster@example.org; fo=1;"

Ensure all domains and subdomains that will receive email are updated accordingly.

Install Required Packages

Start by updating your system and installing the necessary packages:

  1. Update and Upgrade:

    apt-get update
    apt-get upgrade

  2. Install Packages: Install Postfix, Dovecot, MySQL, and related tools:

    apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql mysql-server

  3. Postfix Installation:

    • Select Internet Site as the mail server type when prompted.
    • Set the System Mail Name to the domain used for sending and receiving emails, like example.org.

Notes:

Install an SSL Certificate

An SSL certificate is essential for securing communication between mail clients and your server. It encrypts data transmission and verifies your mail server’s identity.

Generate a Certificate

Use Certbot to request an SSL certificate for your server's fully qualified domain name (FQDN), e.g., mail.example.org:

certbot certonly --standalone --preferred-challenges http-01 --cert-name mail.example.org -d mail.example.org --force-renewal

The SSL certificate files will be saved in /etc/letsencrypt/live/mail.example.org/. These will be referenced in the Dovecot configuration to enable secure email communication.

Configure MySQL for Postfix and Dovecot

1. Secure MySQL Installation

Run the mysql_secure_installation tool to improve MySQL security by enabling options like removing anonymous users, disabling root remote logins, and deleting test databases:

mysql_secure_installation

2. Log in to MySQL

Log in as the root user:

mysql -u root -p

3. Create the Database and User

Set up the mailbox database and grant access to a dedicated user:

CREATE DATABASE mailbox;
CREATE USER 'mailuser'@'127.0.0.1' IDENTIFIED BY 'securepassword';
GRANT SELECT ON mailbox.* TO 'mailuser'@'127.0.0.1';

FLUSH PRIVILEGES;

4. Define Tables

Switch to the mailbox database:

USE mailbox;

Create tables for domains, users, and aliases:

CREATE TABLE domains (
  id INT NOT NULL AUTO_INCREMENT KEY,
  name VARCHAR(128) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE users (
  id INT NOT NULL AUTO_INCREMENT KEY,
  domain_id INT NOT NULL,
  password VARCHAR(128) NOT NULL,
  email VARCHAR(128) NOT NULL,
  UNIQUE KEY email (email),
  FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE aliases (
  id INT NOT NULL AUTO_INCREMENT KEY,
  domain_id INT NOT NULL,
  source VARCHAR(128) NOT NULL,
  destination VARCHAR(128) NOT NULL,
  FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Add Default Data to MySQL

1. Add a Domain

Insert your domain into the domains table:

INSERT INTO domains (name) VALUES ('example.org');
SELECT * FROM domains;

Make a note of the id for the domain.

2. Add a Postmaster Email Address

Hash the password using doveadm:

doveadm pw -s SHA512-CRYPT

Copy the output starting with $6$. Insert the postmaster email:

INSERT INTO users (domain_id, password, email) VALUES (1, '<hash>', 'postmaster@example.org');
SELECT * FROM users;

3. Add Additional Email Addresses

Add more users by hashing their passwords and inserting them into the users table:

INSERT INTO users (domain_id, password, email) VALUES (1, '<hash>', 'user@example.org');
SELECT * FROM users;

4. Add an Alias

Optionally create aliases to forward emails to postboxes:

INSERT INTO aliases (domain_id, source, destination) VALUES ('1', 'info@example.org', 'user@example.org');
SELECT * FROM aliases;

Which forwards all emails from info@example.org to user@example.org.


Alternative Password Hashing using MySQL (Optional)

If doveadm isn't available, generate a password hash directly in MySQL:

Alternative Password Hashing Using PHP (Optional)

If you’re building an admin panel in PHP, you can use password_hash() to generate secure password hashes for email users:

<?php

$hash = password_hash("pass", PASSWORD_DEFAULT);

This method ensures strong encryption and can directly integrate into your management tools.

Postfix: The Mail Transfer Agent (MTA)

Postfix is a Mail Transfer Agent (MTA) responsible for transferring emails between mail servers using the SMTP protocol. It can also deliver emails to local mailboxes or forward them to other servers. Postfix is highly configurable and supports various use cases:

  1. Local Mail Server:
    Handles email delivery within a local network. This setup is often used for system notifications or services requiring local email functionality, such as Samba.

  2. Internet Mail Server:
    Sends and receives emails over the internet. This configuration requires:

    • A fixed IP address to avoid being flagged as a spam source.
    • Integration with DNS for resolving recipient domains.
    • SSL/TLS encryption to secure password transmission.
  3. Backup Mail Server:
    Acts as a secondary server to queue and relay emails when the primary server is unavailable.

Combining Postfix with Dovecot

Postfix handles sending and receiving emails via SMTP, while Dovecot manages mailbox access for email clients using IMAP or POP3. Together, they create a complete mail server solution that ensures seamless email delivery, secure retrieval, and user authentication.

Configuring Postfix for Your Email Server

Backup and Edit Configuration

  1. Backup the default configuration:
    cp /etc/postfix/main.cf /etc/postfix/main.cf.bak
  2. Edit /etc/postfix/main.cf, replacing example.org with your domain and ensuring SSL paths are correct. Below is a complete example:

Example: /etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6

# TLS settings
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.schwerterloge.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.schwerterloge.de/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level=may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

# Restrictions
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        reject_unauth_destination
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination

myhostname = mail.schwerterloge.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = schwerterloge.de
myorigin = $mydomain
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp

# Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-alias-maps.cf,
        mysql:/etc/postfix/mysql-email2email.cf

# Even more Restrictions and MTA params
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
#smtpd_etrn_restrictions = reject
#smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_recipient = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 1
smtpd_timeout = 60s
smtp_helo_timeout = 40s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h

# Reply Rejection Codes
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

# Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp

# Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-alias-maps.cf,
        mysql:/etc/postfix/mysql-email2email.cf

milter_default_action = accept
milter_protocol = 6
smtpd_milters     = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

Create MySQL Configuration Files

Ensure Postfix can query MySQL for domains, mailboxes, and aliases. Replace mailuserpass with your MySQL user’s password.

  1. Domains: /etc/postfix/mysql-mailbox-domains.cf

    user = mailuser
    password = mailuserpass
    hosts = 127.0.0.1
    dbname = mailbox
    query = SELECT 1 FROM domains WHERE name='%s'
  2. Mailboxes: /etc/postfix/mysql-mailbox-maps.cf

    user = mailuser
    password = mailuserpass
    hosts = 127.0.0.1
    dbname = mailbox
    query = SELECT 1 FROM users WHERE email='%s'
  3. Aliases: /etc/postfix/mysql-alias-maps.cf

    user = mailuser
    password = mailuserpass
    hosts = 127.0.0.1
    dbname = mailbox
    query = SELECT destination FROM aliases WHERE source='%s'
  4. Direct Email Lookup: /etc/postfix/mysql-email2email.cf

    user = mailuser
    password = mailuserpass
    hosts = 127.0.0.1
    dbname = mailbox
    query = SELECT email FROM users WHERE email='%s'

Testing Postfix

Restart and Test Postfix

  1. Check the Postfix configuration syntax:

    postfix check
  2. Restart the Postfix service:

    systemctl restart postfix
  3. Display Postfix’s default settings:

    postconf -d

Postfix is now set up to handle email delivery with MySQL integration for virtual domains, users, and aliases.


Verify MySQL Integration with Postfix

Use the postmap command to test whether Postfix can query its lookup tables. Replace placeholders with appropriate values from your database.

  1. Test Virtual Domains:
    Verify that Postfix can query the domains table. Replace example.org with an actual domain from the table:

    postmap -q example.org mysql:/etc/postfix/mysql-mailbox-domains.cf

    The command should return 1 if successful.

  2. Test Virtual Users:
    Check if Postfix can retrieve an email from the users table. Replace user@example.org with an email address from the table:

    postmap -q user@example.org mysql:/etc/postfix/mysql-mailbox-maps.cf

    The output should be 1.

  3. Test Virtual Aliases:
    Verify Postfix can query the aliases table. Replace info@example.org with a source email address from the table. The command should return the corresponding destination email:

    postmap -q info@example.org mysql:/etc/postfix/mysql-alias-maps.cf

These tests confirm that Postfix is properly connected to the MySQL database and can query the required data for virtual domains, users, and aliases.

Master Program Settings

Postfix’s master program controls all Postfix processes, with its behavior defined in the master.cf file.

Backup and Edit Configuration

  1. Backup the current master.cf file:

    cp /etc/postfix/master.cf /etc/postfix/master.cf.bak
  2. Edit /etc/postfix/master.cf to include the following changes. Leave the rest of the file unchanged:

Example: /etc/postfix/master.cf

# Master process configuration file
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  ...

Secure the Postfix Directory

Restrict permissions to secure Postfix configuration files:

chmod -R o-rwx /etc/postfix

Restart Postfix

Restart Postfix to apply the changes:

systemctl restart postfix


Dovecot Configuration

Dovecot serves as a POP3 and IMAP server, providing email clients access to stored emails and functioning as the Local Delivery Agent (LDA) for Postfix. Additional installed modules, such as dovecot-antispam, dovecot-sieve, and dovecot-solr, extend its capabilities for spam filtering, mail filtering, and full-text search.


Backup Configuration Files

Backup all critical Dovecot configuration files:

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.bak
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.bak
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.bak
cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.bak
cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.bak
cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.bak

Update Dovecot Configuration Files

1. Edit /etc/dovecot/dovecot.conf

Enable protocols and specify the postmaster address:

# Enable installed protocols
protocols = imap pop3 lmtp

# Postmaster address
postmaster_address = postmaster@example.org

2. Edit /etc/dovecot/conf.d/10-mail.conf

Set mail storage location and permissions:

mail_location = maildir:/var/mail/vhosts/%d/%n/
mail_privileged_group = mail

Create the required directories and system users:

mkdir -p /var/mail/vhosts/example.org
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail
chown -R vmail:vmail /var/mail

3. Edit /etc/dovecot/conf.d/10-auth.conf

Enable secure authentication:

disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext
!include auth-sql.conf.ext

4. Edit /etc/dovecot/conf.d/auth-sql.conf.ext

Configure SQL authentication and user storage:

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

5. Edit /etc/dovecot/dovecot-sql.conf.ext

Update MySQL connection details:

driver = mysql
connect = host=127.0.0.1 dbname=mailbox user=mailuser password=mailuserpass
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email AS user, password FROM users WHERE email='%u';

For alias-based logins: 1. Add alias to the aliases table with source and destination. 2. Modify password_query:

SELECT email AS user, password FROM users WHERE email=(SELECT destination FROM aliases WHERE source='%u');

6. Edit /etc/dovecot/conf.d/10-master.conf

Disable unencrypted IMAP/POP3 and configure services:

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}

service auth-worker {
  user = vmail
}

7. Edit /etc/dovecot/conf.d/10-ssl.conf

Require SSL and define certificate paths:

ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.org/privkey.pem

Secure and Restart Dovecot

  1. Restrict permissions on configuration files:

    chown -R vmail:dovecot /etc/dovecot
    chmod -R o-rwx /etc/dovecot
  2. Restart the Dovecot service:

    systemctl restart dovecot

Dovecot is now configured to handle secure email retrieval and integrate seamlessly with Postfix for storing and managing email.

Testing the Email Server with Mailutils

Install Mailutils

Install Mailutils to test sending and receiving emails:

apt-get install mailutils


Send a Test Email from the Server

  1. Send an email to an external email address, such as Gmail. Replace user@example.org with an email address from your server:

    echo "Hello World" | mail -s "Hello Subject line" recipient@example.com -aFrom:user@example.org
  2. Log in to the external email account and verify the email was received.


Send a Test Email to the Server

  1. From an external email account, send an email to user@example.org on your mail server.
  2. Log in to the server and check the email:

    mail -f /var/mail/vhosts/example.org/user
  3. Review the email list displayed:

    "/var/mail/vhosts/example.org/": 4 messages 3 new 1 unread
    U   1 Robert Eisele     Wed Jan 21 15:00  51/2379  Test email 1
    U   2 Robert Eisele     Wed Jan 21 15:02  54/2150  Test email 2
    U   3 Robert Eisele     Wed Jan 21 15:35  12/591   Test email 3
    >N   4 Robert Eisele     Mon Jul  2 10:55  13/599   Hello Subject
    ?
    • Enter the number corresponding to the email you want to read.
    • Verify the message header and body content.

Configuring an Email Client

To connect an email client to your mail server, you can often rely on automatic detection of server settings. If manual configuration is needed, use the following parameters:

Required Settings


Configure DKIM (DomainKeys Identified Mail)

DKIM allows your mail server to sign outgoing emails using a private key, enabling recipients to verify the authenticity of the email through a public key published in your DNS records. This setup is critical for improving email delivery rates and reducing the likelihood of being flagged as spam.


Step 1: Install OpenDKIM

Install OpenDKIM and its tools:

apt-get install opendkim opendkim-tools

Create the required directories and set permissions:

mkdir -p /etc/opendkim/keys
chmod 700 /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim


Step 2: Configure OpenDKIM

Edit /etc/opendkim.conf

Create or edit the OpenDKIM configuration file to include the following:

Mode                sv
Socket              inet:12345@localhost
UserID              opendkim:opendkim
PidFile             /var/run/opendkim/opendkim.pid
Syslog              yes
SyslogSuccess       yes
Canonicalization    relaxed/simple
InternalHosts       refile:/etc/opendkim/TrustedHosts
SigningTable        refile:/etc/opendkim/SigningTable
KeyTable            /etc/opendkim/KeyTable
SignatureAlgorithm  rsa-sha256
OversignHeaders     From

Add Trusted Hosts

Define hosts that don’t require DKIM signatures in /etc/opendkim/TrustedHosts:

127.0.0.1
localhost
example.org

Define Signing Table

Specify which domains use which keys in /etc/opendkim/SigningTable:

*@example.org example

Define Key Table

Map domains and selectors to key file paths in /etc/opendkim/KeyTable:

example example.org:default:/etc/opendkim/keys/example.key

Step 3: Generate DKIM Keys

Generate a private and public key pair for your domain:

cd /etc/opendkim
opendkim-genkey -d example.org -b 2048 -r -s default
mv default.private keys/example.key
mv default.txt keys/example.pub.key
chmod 600 /etc/opendkim/keys/*
chown -R opendkim:opendkim /etc/opendkim

Step 4: Publish the Public Key in DNS

Add the public key from example.pub.key to your domain’s DNS as a TXT record. The hostname should follow this format: <selector>._domainkey.

Example DNS entry: - Hostname: default._domainkey.example.org - Value:

v=DKIM1; h=sha256; k=rsa; p=PUBLIC_KEY_CONTENT

Test the DNS entry:

host -t TXT default._domainkey.example.org

Step 5: Test OpenDKIM

Restart OpenDKIM to apply changes:

service opendkim restart

Test the setup:

opendkim-testkey -d example.org -s default -vvv

If successful, you should see a message like key OK. Ignore warnings about key not secure unless DNSSEC is in use.


Step 6: Integrate OpenDKIM with Postfix

Update Postfix configuration (/etc/postfix/main.cf) to use OpenDKIM as a mail filter:

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

Restart Postfix:

systemctl restart postfix

Step 7: Verify DKIM Signatures

Send an email to a DKIM verification service, such as:

Check the email headers for a DKIM-Signature entry.


Managing Spam with SpamAssassin

SpamAssassin is a powerful, open-source platform for filtering and identifying spam emails. It integrates seamlessly with Postfix and Dovecot to protect your email server from spam.


Step 1: Install SpamAssassin

Install SpamAssassin and its client utility:

apt-get install spamassassin spamc

Create a dedicated user for the SpamAssassin daemon (spamd):

adduser spamd --disabled-login

Step 2: Configure SpamAssassin

Edit the SpamAssassin configuration file at /etc/default/spamassassin to set up the home directory, options, and enable cron:

HOMEDIR="/home/spamd/"
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir ${HOMEDIR} -s ${HOMEDIR}spamd.log"
PIDFILE="${HOMEDIR}spamd.pid"
CRON=1

Step 3: Set Spam Rules

Edit /etc/spamassassin/local.cf to define anti-spam rules. The following settings mark emails with a score > 5.0 as spam: ini rewrite_header Subject ***** SPAM _SCORE_ ***** report_safe 0 required_score 5.0 use_bayes 1 use_bayes_rules 1 bayes_auto_learn 1 skip_rbl_checks 0 use_razor2 0 use_dcc 0 use_pyzor 0


Step 4: Integrate SpamAssassin with Postfix

Edit /etc/postfix/master.cf to configure Postfix to use SpamAssassin as a filter:

smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin

spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Step 5: Enable and Start SpamAssassin

Start SpamAssassin and enable it to run on boot:

systemctl start spamassassin
systemctl enable spamassassin

If you’re not using systemd (e.g., Debian 7 or earlier), edit /etc/default/spamassassin and set:

ENABLED=1

Step 6: Restart Postfix

Restart Postfix to apply the anti-spam configuration:

systemctl restart postfix

SpamAssassin is now configured to filter emails on your server. Emails with a score higher than 5.0 will be marked as spam and delivered to the junk folder. You can customize the scoring and filtering rules in SpamAssassin’s configuration files to better suit your needs.

Testing Your Mail Environment (DKIM, SPF, and DNSSEC)

After configuring DKIM, SPF, and DMARC, it’s important to validate that these mechanisms are correctly set up and functioning as intended. Use the following tools to test your email server configuration:


Final Test: Comprehensive Email Validation

To fully validate your mail environment, use tools like SPF Validator, DKIM Validator, DNSSEC Analyzer to test DKIM, SPF, and DMARC together. Send a test email to the provided address, and review the detailed results to confirm proper configuration.

Regularly testing these records ensures your mail server meets security and reliability standards, reducing the chances of being flagged as spam.