This guide provides step-by-step instructions to configure a secure and reliable email server using Postfix, Dovecot, and MySQL on Debian or Ubuntu. The process includes setting up DNS, configuring MySQL for virtual hosts, and integrating Postfix and Dovecot to handle email delivery and retrieval securely.
Configure DNS for Your Email Server
To ensure your mail server functions properly, update the DNS settings for your domain:
A or CNAME Record:
Create an A record pointing to your server's IP address (e.g., mail.example.org) or a CNAME pointing to another domain name.MX Record:
Add an MX record with:- Hostname: @ (or the root of your domain).
- Mail server: mail.example.org (replace with your domain).
- Priority: 10.
Additional DNS Records:
- SPF: Add a TXT record to specify allowed senders, e.g., v=spf1 ip4:<IP_ADDRESS> -all.
- DKIM: Publish your DKIM key to validate outgoing mail.
- DMARC: Add a TXT record for DMARC to specify the postmasters address and .
Example DNS zone file:
mail A 192.168.0.1
@ MX 10 mail.example.org.
@ TXT "v=spf1 ip4:192.168.0.1 -all"
_dmarc TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.org; ruf=mailto:postmaster@example.org; fo=1;"
Ensure all domains and subdomains that will receive email are updated accordingly.
Install Required Packages
Start by updating your system and installing the necessary packages:
Update and Upgrade:
apt-get update apt-get upgrade
Install Packages: Install Postfix, Dovecot, MySQL, and related tools:
apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql mysql-server
Postfix Installation:
- Select Internet Site as the mail server type when prompted.
- Set the System Mail Name to the domain used for sending and receiving emails, like example.org.
Notes:
- If mysql-server is unavailable, install mariadb-server as a drop-in replacement.
- Recent MySQL versions use unix_socket or auth_socket plugins for root user authentication, allowing root access without a password when connecting as the Linux root user on localhost.
Install an SSL Certificate
An SSL certificate is essential for securing communication between mail clients and your server. It encrypts data transmission and verifies your mail server’s identity.
Generate a Certificate
Use Certbot to request an SSL certificate for your server's fully qualified domain name (FQDN), e.g., mail.example.org:
certbot certonly --standalone --preferred-challenges http-01 --cert-name mail.example.org -d mail.example.org --force-renewal
The SSL certificate files will be saved in /etc/letsencrypt/live/mail.example.org/. These will be referenced in the Dovecot configuration to enable secure email communication.
Configure MySQL for Postfix and Dovecot
1. Secure MySQL Installation
Run the mysql_secure_installation tool to improve MySQL security by enabling options like removing anonymous users, disabling root remote logins, and deleting test databases:
mysql_secure_installation
2. Log in to MySQL
Log in as the root user:
mysql -u root -p
3. Create the Database and User
Set up the mailbox database and grant access to a dedicated user:
CREATE DATABASE mailbox;
CREATE USER 'mailuser'@'127.0.0.1' IDENTIFIED BY 'securepassword';
GRANT SELECT ON mailbox.* TO 'mailuser'@'127.0.0.1';
FLUSH PRIVILEGES;
4. Define Tables
Switch to the mailbox database:
USE mailbox;
Create tables for domains, users, and aliases:
CREATE TABLE domains (
id INT NOT NULL AUTO_INCREMENT KEY,
name VARCHAR(128) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE users (
id INT NOT NULL AUTO_INCREMENT KEY,
domain_id INT NOT NULL,
password VARCHAR(128) NOT NULL,
email VARCHAR(128) NOT NULL,
UNIQUE KEY email (email),
FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE aliases (
id INT NOT NULL AUTO_INCREMENT KEY,
domain_id INT NOT NULL,
source VARCHAR(128) NOT NULL,
destination VARCHAR(128) NOT NULL,
FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Add Default Data to MySQL
1. Add a Domain
Insert your domain into the domains table:
INSERT INTO domains (name) VALUES ('example.org');
SELECT * FROM domains;
Make a note of the id for the domain.
2. Add a Postmaster Email Address
Hash the password using doveadm:
doveadm pw -s SHA512-CRYPT
Copy the output starting with $6$. Insert the postmaster email:
INSERT INTO users (domain_id, password, email) VALUES (1, '<hash>', 'postmaster@example.org');
SELECT * FROM users;
3. Add Additional Email Addresses
Add more users by hashing their passwords and inserting them into the users table:
INSERT INTO users (domain_id, password, email) VALUES (1, '<hash>', 'user@example.org');
SELECT * FROM users;
4. Add an Alias
Optionally create aliases to forward emails to postboxes:
INSERT INTO aliases (domain_id, source, destination) VALUES ('1', 'info@example.org', 'user@example.org');
SELECT * FROM aliases;
Which forwards all emails from info@example.org to user@example.org.
Alternative Password Hashing using MySQL (Optional)
If doveadm isn't available, generate a password hash directly in MySQL:
- MySQL ≤ 5.7: Use ENCRYPT():
INSERT INTO users (domain_id, password, email) VALUES ('1', ENCRYPT('password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'user@example.org');
- MySQL ≥ 5.8: SHA2 can be used but is not recommended due to its lack of secure password handling.
Alternative Password Hashing Using PHP (Optional)
If you’re building an admin panel in PHP, you can use password_hash() to generate secure password hashes for email users:
<?php
$hash = password_hash("pass", PASSWORD_DEFAULT);
This method ensures strong encryption and can directly integrate into your management tools.
Postfix: The Mail Transfer Agent (MTA)
Postfix is a Mail Transfer Agent (MTA) responsible for transferring emails between mail servers using the SMTP protocol. It can also deliver emails to local mailboxes or forward them to other servers. Postfix is highly configurable and supports various use cases:
Local Mail Server:
Handles email delivery within a local network. This setup is often used for system notifications or services requiring local email functionality, such as Samba.Internet Mail Server:
Sends and receives emails over the internet. This configuration requires:- A fixed IP address to avoid being flagged as a spam source.
- Integration with DNS for resolving recipient domains.
- SSL/TLS encryption to secure password transmission.
Backup Mail Server:
Acts as a secondary server to queue and relay emails when the primary server is unavailable.
Combining Postfix with Dovecot
Postfix handles sending and receiving emails via SMTP, while Dovecot manages mailbox access for email clients using IMAP or POP3. Together, they create a complete mail server solution that ensures seamless email delivery, secure retrieval, and user authentication.
Configuring Postfix for Your Email Server
Backup and Edit Configuration
- Backup the default configuration:
cp /etc/postfix/main.cf /etc/postfix/main.cf.bak
- Edit /etc/postfix/main.cf, replacing example.org with your domain and ensuring SSL paths are correct. Below is a complete example:
Example: /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
# TLS settings
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.schwerterloge.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.schwerterloge.de/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level=may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Restrictions
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unlisted_recipient,
reject_unauth_destination
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination
myhostname = mail.schwerterloge.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = schwerterloge.de
myorigin = $mydomain
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp
# Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-alias-maps.cf,
mysql:/etc/postfix/mysql-email2email.cf
# Even more Restrictions and MTA params
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
#smtpd_etrn_restrictions = reject
#smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_recipient = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 1
smtpd_timeout = 60s
smtp_helo_timeout = 40s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h
# Reply Rejection Codes
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
# Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp
# Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-alias-maps.cf,
mysql:/etc/postfix/mysql-email2email.cf
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
Create MySQL Configuration Files
Ensure Postfix can query MySQL for domains, mailboxes, and aliases. Replace mailuserpass with your MySQL user’s password.
Domains: /etc/postfix/mysql-mailbox-domains.cf
user = mailuser password = mailuserpass hosts = 127.0.0.1 dbname = mailbox query = SELECT 1 FROM domains WHERE name='%s'
Mailboxes: /etc/postfix/mysql-mailbox-maps.cf
user = mailuser password = mailuserpass hosts = 127.0.0.1 dbname = mailbox query = SELECT 1 FROM users WHERE email='%s'
Aliases: /etc/postfix/mysql-alias-maps.cf
user = mailuser password = mailuserpass hosts = 127.0.0.1 dbname = mailbox query = SELECT destination FROM aliases WHERE source='%s'
Direct Email Lookup: /etc/postfix/mysql-email2email.cf
user = mailuser password = mailuserpass hosts = 127.0.0.1 dbname = mailbox query = SELECT email FROM users WHERE email='%s'
Testing Postfix
Restart and Test Postfix
Check the Postfix configuration syntax:
postfix check
Restart the Postfix service:
systemctl restart postfix
Display Postfix’s default settings:
postconf -d
Postfix is now set up to handle email delivery with MySQL integration for virtual domains, users, and aliases.
Verify MySQL Integration with Postfix
Use the postmap command to test whether Postfix can query its lookup tables. Replace placeholders with appropriate values from your database.
Test Virtual Domains:
Verify that Postfix can query the domains table. Replace example.org with an actual domain from the table:postmap -q example.org mysql:/etc/postfix/mysql-mailbox-domains.cf
The command should return 1 if successful.
Test Virtual Users:
Check if Postfix can retrieve an email from the users table. Replace user@example.org with an email address from the table:postmap -q user@example.org mysql:/etc/postfix/mysql-mailbox-maps.cf
The output should be 1.
Test Virtual Aliases:
Verify Postfix can query the aliases table. Replace info@example.org with a source email address from the table. The command should return the corresponding destination email:postmap -q info@example.org mysql:/etc/postfix/mysql-alias-maps.cf
These tests confirm that Postfix is properly connected to the MySQL database and can query the required data for virtual domains, users, and aliases.
Master Program Settings
Postfix’s master program controls all Postfix processes, with its behavior defined in the master.cf file.
Backup and Edit Configuration
Backup the current master.cf file:
cp /etc/postfix/master.cf /etc/postfix/master.cf.bak
Edit /etc/postfix/master.cf to include the following changes. Leave the rest of the file unchanged:
Example: /etc/postfix/master.cf
# Master process configuration file
smtp inet n - n - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
...
Secure the Postfix Directory
Restrict permissions to secure Postfix configuration files:
chmod -R o-rwx /etc/postfix
Restart Postfix
Restart Postfix to apply the changes:
systemctl restart postfix
Dovecot Configuration
Dovecot serves as a POP3 and IMAP server, providing email clients access to stored emails and functioning as the Local Delivery Agent (LDA) for Postfix. Additional installed modules, such as dovecot-antispam, dovecot-sieve, and dovecot-solr, extend its capabilities for spam filtering, mail filtering, and full-text search.
Backup Configuration Files
Backup all critical Dovecot configuration files:
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.bak cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.bak cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.bak cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.bak cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.bak cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.bak
Update Dovecot Configuration Files
1. Edit /etc/dovecot/dovecot.conf
Enable protocols and specify the postmaster address:
# Enable installed protocols
protocols = imap pop3 lmtp
# Postmaster address
postmaster_address = postmaster@example.org
2. Edit /etc/dovecot/conf.d/10-mail.conf
Set mail storage location and permissions:
mail_location = maildir:/var/mail/vhosts/%d/%n/
mail_privileged_group = mail
Create the required directories and system users:
mkdir -p /var/mail/vhosts/example.org groupadd -g 5000 vmail useradd -g vmail -u 5000 vmail -d /var/mail chown -R vmail:vmail /var/mail
3. Edit /etc/dovecot/conf.d/10-auth.conf
Enable secure authentication:
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext
!include auth-sql.conf.ext
4. Edit /etc/dovecot/conf.d/auth-sql.conf.ext
Configure SQL authentication and user storage:
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
5. Edit /etc/dovecot/dovecot-sql.conf.ext
Update MySQL connection details:
driver = mysql
connect = host=127.0.0.1 dbname=mailbox user=mailuser password=mailuserpass
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email AS user, password FROM users WHERE email='%u';
For alias-based logins: 1. Add alias to the aliases table with source and destination. 2. Modify password_query:
SELECT email AS user, password FROM users WHERE email=(SELECT destination FROM aliases WHERE source='%u');
6. Edit /etc/dovecot/conf.d/10-master.conf
Disable unencrypted IMAP/POP3 and configure services:
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = dovecot
}
service auth-worker {
user = vmail
}
7. Edit /etc/dovecot/conf.d/10-ssl.conf
Require SSL and define certificate paths:
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.org/privkey.pem
Secure and Restart Dovecot
Restrict permissions on configuration files:
chown -R vmail:dovecot /etc/dovecot chmod -R o-rwx /etc/dovecot
Restart the Dovecot service:
systemctl restart dovecot
Dovecot is now configured to handle secure email retrieval and integrate seamlessly with Postfix for storing and managing email.
Testing the Email Server with Mailutils
Install Mailutils
Install Mailutils to test sending and receiving emails:
apt-get install mailutils
Send a Test Email from the Server
Send an email to an external email address, such as Gmail. Replace user@example.org with an email address from your server:
echo "Hello World" | mail -s "Hello Subject line" recipient@example.com -aFrom:user@example.org
Log in to the external email account and verify the email was received.
Send a Test Email to the Server
- From an external email account, send an email to user@example.org on your mail server.
Log in to the server and check the email:
mail -f /var/mail/vhosts/example.org/user
Review the email list displayed:
"/var/mail/vhosts/example.org/": 4 messages 3 new 1 unread U 1 Robert Eisele Wed Jan 21 15:00 51/2379 Test email 1 U 2 Robert Eisele Wed Jan 21 15:02 54/2150 Test email 2 U 3 Robert Eisele Wed Jan 21 15:35 12/591 Test email 3 >N 4 Robert Eisele Mon Jul 2 10:55 13/599 Hello Subject ?
- Enter the number corresponding to the email you want to read.
- Verify the message header and body content.
Configuring an Email Client
To connect an email client to your mail server, you can often rely on automatic detection of server settings. If manual configuration is needed, use the following parameters:
Required Settings
- Username: The full email address (e.g., user@example.org).
- Password: The password associated with the email account.
- Server: Use the domain that resolves to your mail server (e.g., mail.example.org).
- IMAP:
- Port: 993
- Security: SSL/TLS
- Port: 993
- POP3 (if using instead of IMAP):
- Port: 995
- Security: SSL/TLS
- Port: 995
- SMTP:
- Port: 587
- Security: STARTTLS
- Port: 587
Configure DKIM (DomainKeys Identified Mail)
DKIM allows your mail server to sign outgoing emails using a private key, enabling recipients to verify the authenticity of the email through a public key published in your DNS records. This setup is critical for improving email delivery rates and reducing the likelihood of being flagged as spam.
Step 1: Install OpenDKIM
Install OpenDKIM and its tools:
apt-get install opendkim opendkim-tools
Create the required directories and set permissions:
mkdir -p /etc/opendkim/keys chmod 700 /etc/opendkim/keys chown -R opendkim:opendkim /etc/opendkim
Step 2: Configure OpenDKIM
Edit /etc/opendkim.conf
Create or edit the OpenDKIM configuration file to include the following:
Mode sv Socket inet:12345@localhost UserID opendkim:opendkim PidFile /var/run/opendkim/opendkim.pid Syslog yes SyslogSuccess yes Canonicalization relaxed/simple InternalHosts refile:/etc/opendkim/TrustedHosts SigningTable refile:/etc/opendkim/SigningTable KeyTable /etc/opendkim/KeyTable SignatureAlgorithm rsa-sha256 OversignHeaders From
Add Trusted Hosts
Define hosts that don’t require DKIM signatures in /etc/opendkim/TrustedHosts:
127.0.0.1 localhost example.org
Define Signing Table
Specify which domains use which keys in /etc/opendkim/SigningTable:
*@example.org example
Define Key Table
Map domains and selectors to key file paths in /etc/opendkim/KeyTable:
example example.org:default:/etc/opendkim/keys/example.key
Step 3: Generate DKIM Keys
Generate a private and public key pair for your domain:
cd /etc/opendkim opendkim-genkey -d example.org -b 2048 -r -s default mv default.private keys/example.key mv default.txt keys/example.pub.key chmod 600 /etc/opendkim/keys/* chown -R opendkim:opendkim /etc/opendkim
Step 4: Publish the Public Key in DNS
Add the public key from example.pub.key to your domain’s DNS as a TXT record. The hostname should follow this format: <selector>._domainkey.
Example DNS entry: - Hostname: default._domainkey.example.org - Value:
v=DKIM1; h=sha256; k=rsa; p=PUBLIC_KEY_CONTENT
Test the DNS entry:
host -t TXT default._domainkey.example.org
Step 5: Test OpenDKIM
Restart OpenDKIM to apply changes:
service opendkim restart
Test the setup:
opendkim-testkey -d example.org -s default -vvv
If successful, you should see a message like key OK. Ignore warnings about key not secure unless DNSSEC is in use.
Step 6: Integrate OpenDKIM with Postfix
Update Postfix configuration (/etc/postfix/main.cf) to use OpenDKIM as a mail filter:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345
Restart Postfix:
systemctl restart postfix
Step 7: Verify DKIM Signatures
Send an email to a DKIM verification service, such as:
- autorespond+dkim@dk.elandsys.com
- check-auth2@verifier.port25.com
Check the email headers for a DKIM-Signature entry.
Managing Spam with SpamAssassin
SpamAssassin is a powerful, open-source platform for filtering and identifying spam emails. It integrates seamlessly with Postfix and Dovecot to protect your email server from spam.
Step 1: Install SpamAssassin
Install SpamAssassin and its client utility:
apt-get install spamassassin spamc
Create a dedicated user for the SpamAssassin daemon (spamd):
adduser spamd --disabled-login
Step 2: Configure SpamAssassin
Edit the SpamAssassin configuration file at /etc/default/spamassassin to set up the home directory, options, and enable cron:
HOMEDIR="/home/spamd/"
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir ${HOMEDIR} -s ${HOMEDIR}spamd.log"
PIDFILE="${HOMEDIR}spamd.pid"
CRON=1
Step 3: Set Spam Rules
Edit /etc/spamassassin/local.cf to define anti-spam rules. The following settings mark emails with a score > 5.0 as spam: ini rewrite_header Subject ***** SPAM _SCORE_ ***** report_safe 0 required_score 5.0 use_bayes 1 use_bayes_rules 1 bayes_auto_learn 1 skip_rbl_checks 0 use_razor2 0 use_dcc 0 use_pyzor 0
Step 4: Integrate SpamAssassin with Postfix
Edit /etc/postfix/master.cf to configure Postfix to use SpamAssassin as a filter:
smtp inet n - - - - smtpd
-o content_filter=spamassassin
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Step 5: Enable and Start SpamAssassin
Start SpamAssassin and enable it to run on boot:
systemctl start spamassassin systemctl enable spamassassin
If you’re not using systemd (e.g., Debian 7 or earlier), edit /etc/default/spamassassin and set:
ENABLED=1
Step 6: Restart Postfix
Restart Postfix to apply the anti-spam configuration:
systemctl restart postfix
SpamAssassin is now configured to filter emails on your server. Emails with a score higher than 5.0 will be marked as spam and delivered to the junk folder. You can customize the scoring and filtering rules in SpamAssassin’s configuration files to better suit your needs.
Testing Your Mail Environment (DKIM, SPF, and DNSSEC)
After configuring DKIM, SPF, and DMARC, it’s important to validate that these mechanisms are correctly set up and functioning as intended. Use the following tools to test your email server configuration:
Final Test: Comprehensive Email Validation
To fully validate your mail environment, use tools like SPF Validator, DKIM Validator, DNSSEC Analyzer to test DKIM, SPF, and DMARC together. Send a test email to the provided address, and review the detailed results to confirm proper configuration.
Regularly testing these records ensures your mail server meets security and reliability standards, reducing the chances of being flagged as spam.