1. Introduction

This manual describes the procedure to configure and install an SMTP service suitable for the GBDS Email Notification Service on Ubuntu Linux. This procedure was tested on Ubuntu 20.04 LTS.

1.1. Sending Emails

To send emails locally, set the following values in the enotifier.setting table:

mail.smtp.host = localhost
mail.smtp.port = 25

1.2. Postfix

Install and configure Postfix. To install, run the following command:

sudo apt update
sudo DEBIAN_PRIORITY=low apt install postfix

The installation will begin. Configure the installation with the following:

  • General type of mail configuration: Internet Site
  • System mail name: alpha-01.pd.griaule
  • Root and postmaster mail recipient: <linux-account-name>
  • Other destinations to accept mail for: localhost.$myhostname, localhost, $mydomainname
  • Force synchronous updates on mail queue?: No
  • Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
  • Mailbox size limit: 0
  • Local address extension character: +
  • Internet protocols to use: all

Access the main.cf file at /etc/postfix/ and modify the following:

inet_interfaces = loopback-only
mydestination = localhost.$mydomain, localhost, $myhostname

Note

If needed, the main.cf file can be used to modify the configurations done in the installation process.

Allow Postfix through the firewall, then restart the service. Install the mailutils package and allow port 80 through the firewall. These steps can be done with:

sudo ufw allow Postfix
sudo systemctl restart postfix
sudo apt install mailutils
sudo ufw allow 80

Reconfigure postfix:

sudo dpkg-reconfigure postfix

1.3. TLS Self-signed key

To operate, the service needs a self-signed certificate and its key. To create them and move them to the correct locations, run the following commands:

openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo mv server.crt /etc/ssl/certs
sudo mv server.key /etc/ssl/private

Access the main.cf file at /etc/postfix/ and modify the following:

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_ask_ccert = yes
#smtpd_tls_session_cache_timeout = 3600s

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_loglevel = 1
# Log remote servers that offer STARTTLS
smtp_tls_note_starttls_offer = yes

Then, reload and restart postfix.

sudo systemctl reload postfix
sudo systemctl restart postfix

1.4. SPF and DKIM

For authentication to work, SPF and DKIM must be configured:

Warning

SPF and DKIM configurations should be made by the DNS account admin.

1.4.1. SPF

Add a DNS TXT record in the domain's DNS control panel:

  • Name/Host/Alias: @ or leave blank.
  • Time to Live (TTL): 3600 or leave the default.
  • Value/Answer/Destination: v=spf1 ip4:x.x.x.x ~all (where x.x.x.x is your server IP).

Note

When configuring the Name/Host/Alias, the control panel may indicate other preferable DNS records for your domain. Verify the best fit for your environment. If needed, contact the Griaule Support Team for more information.

1.4.2. DKIM

Generate DKIM public and private keys on: https://dkimcore.org/tools/keys.html

Copy the private key to /etc/ssl/certs as dkim-private.pem.

Add a DNS TXT record with the following values:

  • Name/Host/Alias: mail._domainkey
  • Value: v=DKIM1; h=sha256; k=rsa; t=y; p=<public key value generated on the site>
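
The key pair and the TXT value can also be produced on the mail server itself, so the private key never passes through a web page. The script below is an added example, not part of the original manual; it uses openssl, and its function names and output directory argument are hypothetical.

```sh
#!/bin/sh
# Added example: create the DKIM key pair on the mail server with openssl and
# build the TXT value in the format shown above. Function names are hypothetical.
set -eu

# dkim_generate_key DIR: write DIR/dkim-private.pem, readable by its owner only.
dkim_generate_key() {
    ( umask 077 && openssl genrsa -out "$1/dkim-private.pem" 2048 2>/dev/null )
}

# dkim_public_b64 KEYFILE: public key as single-line base64 DER (the p= tag).
dkim_public_b64() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# dkim_txt_value KEYFILE: TXT value with the tags this manual uses.
dkim_txt_value() {
    printf 'v=DKIM1; h=sha256; k=rsa; t=y; p=%s\n' "$(dkim_public_b64 "$1")"
}

# dkim_txt_matches_key TXT KEYFILE: succeed only if the record's p= tag is the
# public half of KEYFILE (catches a record published for a different key).
dkim_txt_matches_key() {
    published=$(printf '%s' "$1" | tr -d ' "\n' | sed -n 's/.*;p=\([^;]*\).*/\1/p')
    [ -n "$published" ] && [ "$published" = "$(dkim_public_b64 "$2")" ]
}

# Usage: sh dkim-key.sh /path/to/output-dir
if [ "$#" -gt 0 ] && [ -d "$1" ]; then
    dkim_generate_key "$1"
    dkim_txt_value "$1/dkim-private.pem"
fi
```

dkim_txt_matches_key can be run against the value returned by a DNS lookup of the mail._domainkey record to confirm that the published key belongs to the private key OpenDKIM signs with.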

Access the main.cf file at /etc/postfix/ and modify the following:

#DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Then, reload and restart postfix.

sudo systemctl reload postfix
sudo systemctl restart postfix

1.4.3. OpenDKIM

To install OpenDKIM, run:

sudo apt-get install opendkim opendkim-tools

Open the opendkim.conf at /etc/ and edit the following:

Socket                  inet:8891@localhost
#Socket                 local:/var/run/opendkim/opendkim.sock

Then open the opendkim file at /etc/default/ and modify as shown:

SOCKET=inet:8891@localhost

To apply the changes, restart postfix and opendkim.

sudo service postfix reload
sudo service postfix restart
sudo service opendkim restart

1.5. SASL

The Simple Authentication and Security Layer (SASL) configuration makes Postfix authenticate properly when sending emails through known relay hosts on port 25, preventing emails from being marked as spam.

Open main.cf at /etc/postfix/ and modify:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous

Then, go to /etc/postfix/, open the saslpass file, and edit:

[smtp.gmail.com]:587 username@gmail.com:password

The password needed is a new app-generated password. This is generated in the Gmail account security settings.

To finish the configuration, run the following:

sudo postmap /etc/postfix/saslpass
sudo chown root:root /etc/postfix/saslpass /etc/postfix/saslpass.db
sudo chmod 0600 /etc/postfix/saslpass /etc/postfix/saslpass.db
sudo service postfix reload
sudo service postfix restart
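
The following check is an added example, not part of the original manual. It reads a main.cf built from sections 1.2, 1.3 and 1.5 and reports parameters assigned more than once, a listener that is not loopback-only, and a SASL relay login that runs over opportunistic TLS (smtp_tls_security_level = may), where an encrypted session is not guaranteed. Function names and the finding labels are hypothetical.

```sh
#!/bin/sh
# Added example: audit a main.cf written by following this manual.
# Function names are hypothetical; continuation lines are skipped, not joined.
set -eu

# Effective value of parameter $2 in file $1 (Postfix keeps the last assignment).
postfix_param() {
    awk -v want="$2" '
        /^[ \t#]/ || !/=/ { next }
        { name = $0; sub(/[ \t]*=.*/, "", name)
          val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
          if (name == want) last = val }
        END { print last }' "$1"
}

# Parameters assigned more than once (Postfix warns "overriding earlier entry").
postfix_dupes() {
    awk '/^[ \t#]/ || !/=/ { next }
         { name = $0; sub(/[ \t]*=.*/, "", name)
           if (++seen[name] == 2) print name }' "$1"
}

# One line per finding for the settings this manual touches.
audit_main_cf() {
    for p in $(postfix_dupes "$1"); do echo "DUPLICATE $p"; done
    [ "$(postfix_param "$1" inet_interfaces)" = "loopback-only" ] ||
        echo "LISTEN inet_interfaces is not loopback-only"
    if [ "$(postfix_param "$1" smtp_sasl_auth_enable)" = "yes" ]; then
        case "$(postfix_param "$1" smtp_tls_security_level)" in
            encrypt|dane-only|fingerprint|verify|secure) ;;
            *) echo "RELAY-TLS SASL login enabled, TLS to relayhost not mandatory" ;;
        esac
    fi
}

# Constructed sample: values from this manual, with one parameter repeated.
sample_main_cf() {
    cat <<'EOF'
inet_interfaces = loopback-only
smtpd_tls_security_level = may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = may
smtpd_tls_security_level = may
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
EOF
}
# Usage: sh audit-main-cf.sh /etc/postfix/main.cf
if [ "$#" -gt 0 ] && [ -f "$1" ]; then audit_main_cf "$1"; fi
```

Setting smtp_tls_security_level to encrypt makes Postfix refuse to deliver to the relay without TLS, which clears the RELAY-TLS finding.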