The best way to set up Postfix/DKIM/SPF/DMARC on Ubuntu – Plesk Onyx

Installation Guide:

  1. How to set up Postfix/DKIM/SPF on Ubuntu with or without Plesk Onyx
  2. How to set up DKIM/SPF/DMARC on Ubuntu with Plesk Onyx
  3. How to set up SPF (Sender Policy Framework)
  4. How to set up DMARC, and its benefits
  5. Generate a public and private key with OpenSSL (if required)
  6. How to install/set up DKIM in cPanel
  7. Server speed test from the command line
  8. "User unknown in virtual alias table"

Important Tools

For DKIM checking:

  1. Unlocktheinbox (recommended)
  2. Dkimvalidator
  3. Mail Tester (easy to understand)

DNS tools

  1. LeafDNS – checks your MX records for errors.
  2. Unlocktheinbox – decent results

How to set up Postfix/OpenDKIM on Ubuntu – version 12.x or later

Intro and benefits: DKIM (DomainKeys Identified Mail) is a method of authenticating email. The sending server signs every outgoing message, and any receiving domain can check that the message really came from a server authorised by the sender's domain and was not altered on the way.

The big benefit is that you announce to the rest of the internet that mail from your domain can be verified, which improves your IP/server reputation and deliverability.

DKIM uses public-key cryptography: the sender electronically signs legitimate emails with a private key held on the mail server, and recipients verify the signature with the public key published in the sender's DNS.

  Installation

Before you start, make sure the Postfix MTA is already installed; if not, install Postfix first.

First things first, install OpenDKIM from the Ubuntu universe repository:

sudo aptitude install opendkim opendkim-tools

If you are still on Ubuntu 12.04 Precise you need the backported packages (skip this step on a current Ubuntu release):

sudo aptitude install opendkim/precise-backports
sudo aptitude install opendkim-tools/precise-backports

Now edit /etc/opendkim.conf and add (or amend) the lines below. example.com is only an example; use your own domain name. KeyFile must point at a file the opendkim user can read, and Selector must match the -s value you use when generating the key.

Canonicalization    relaxed/simple
Domain              example.com
KeyFile             /etc/postfix/dkim.key
Selector            dkim
Socket              inet:8891@localhost

Canonicalization relaxed/simple means headers are compared in relaxed mode (whitespace and header-name case changes are tolerated) but the body in simple mode (any body change, even trailing whitespace, invalidates the signature); relaxed/relaxed is the more forgiving choice if your mail passes through gateways or mailing lists.

Then edit /etc/default/opendkim so that the service listens on the same TCP socket:

SOCKET="inet:8891@localhost"

On Ubuntu releases that use systemd (16.04 and later) the packaged service unit does not read this file on its own: after changing it, run /lib/opendkim/opendkim.service.generate and then systemctl daemon-reload so that the new socket takes effect.

Next, edit /etc/postfix/main.cf, find the milter settings (or add them at the end) and make them read as follows. milter_default_action = accept means Postfix still accepts and delivers mail unsigned if OpenDKIM is unreachable; use tempfail instead if you would rather hold mail than send it unsigned.

# DKIM
# --------------------------------------
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

If you already run another milter (for example an old DomainKeys signer) on a second port, list both, separated by commas:

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,inet:localhost:8892
non_smtpd_milters = inet:localhost:8891,inet:localhost:8892

Now open /etc/postfix/master.cf and amend one line only, in the content-filter re-injection service (the 127.0.0.1:10025 smtpd entry used by amavis and similar filters). Find this option (if the whole option is missing, add the full line):

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

and append no_milters (note the plural) at the end:

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Mail arriving on port 10025 has already been through OpenDKIM on its way in; without no_milters it would be signed a second time and leave with two DKIM-Signature headers.

Double-check the settings in opendkim.conf, master.cf and main.cf before going on.

Now it is time to generate the public key (dkim.txt) and the private key (dkim.private). Why are they named "dkim"? Because that is the selector chosen in opendkim.conf; you can choose any selector, but it has to be the same in both places. Create the folder /etc/dkimkeys if it does not exist, change into it, and generate the keys with:

opendkim-genkey -t -s dkim -d example.com

In the command above, dkim is the selector and example.com must be replaced with your real domain. The -t flag marks the published key as being in test mode (it puts t=y in the DNS record), which tells receivers to treat a failed signature as if the message were unsigned; drop the flag, or remove t=y from the record, once your signatures verify.

Two files have been generated in the dkimkeys folder. Only the private key moves to the Postfix folder; it must be owned by the opendkim user and readable by nobody else (mode 600), because whoever holds it can sign mail as your domain. Keep a backup of both files somewhere access-controlled.

mv dkim.private /etc/postfix/dkim.key

90% of your DKIM configuration is complete; now start OpenDKIM and restart the Postfix MTA:

service opendkim start
service postfix restart

If the services fail after the restart, check the mail log for errors:

grep -i dkim /var/log/mail.log

The next, very important step is to publish the public key as a TXT record named dkim._domainkey (that is, selector._domainkey) in the DNS management section at your domain's registrar or DNS host (GoDaddy, 123-reg, etc.). The entry must be a TXT record.

The file /etc/dkimkeys/dkim.txt contains the record name and the key. Open it (for example with nano /etc/dkimkeys/dkim.txt), then copy the value into the DNS management section.

It looks like this (placeholder key shown; yours is a longer, single base64 string):

dkim._domainkey	IN	TXT	( "v=DKIM1; k=rsa; t=y; "
	  "p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB" )  ; ----- DKIM key dkim for example.com

TXT entry for DNS (name: dkim._domainkey; value: the quoted strings joined together with nothing in between):

v=DKIM1; k=rsa; t=y; p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB

OR, since k=rsa is the default and t=y only marks the key as being in test mode, the shorter form once you are happy that verification works:

v=DKIM1; p=MGosdjfheiuryjkdhfGIUHiuoiusfoisdufsidufosidfuoc;kasliaufl6PUIOm6uZ5OymhBgpJ0LgmVCW1/k1kxK864WVVSyFVQPyUImqklY+ws4u+mog3PSbuq2J8NFAnvSwzMg3vT1QIDAQAB

Once the TXT record is published (DNS changes can take a while to propagate), check with dig that it resolves as expected; replace the author's domain below with your own:

dig dkim._domainkey.qureshi.me txt
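The record is easy to get wrong when it is copied between the zone file and a web DNS panel (chunks not joined, key truncated on paste, t=y left in place). The following Python script is an added example, written for this page and not part of the tutorial or of OpenDKIM: it joins the quoted chunks of a dkim.txt file the way DNS does and checks the result, covering the v=, k= and t= tags, that p= is valid base64, and that it decodes to a DER structure carrying the rsaEncryption OID. The dkim.txt content and the key inside it are constructed for the example (the key is a toy DER object, not a usable RSA key); to check your real record, feed it the contents of /etc/dkimkeys/dkim.txt or the value returned by dig.

```python
"""Sanity-check a DKIM public-key TXT record before (and after) publishing it.

Added example, not part of the original tutorial. It takes either the text of
opendkim-genkey's dkim.txt or the raw value returned by "dig ... txt". The key
embedded below is a hand-built, toy-sized DER structure so the script runs
offline; it is NOT a usable RSA key.
"""
import base64
import binascii
import re

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("2a864886f70d010101")


def join_txt_chunks(zone_text: str) -> str:
    """Join the quoted strings of a BIND TXT record into the single value DNS serves.

    opendkim-genkey splits long keys into several "..." chunks; a verifier sees
    them concatenated with nothing in between, and that concatenation is what
    you paste into a web DNS panel that only offers one text box.
    """
    return "".join(re.findall(r'"([^"]*)"', zone_text))


def parse_tags(record: str) -> dict:
    """Split a DKIM tag=value list (RFC 6376 3.2); whitespace inside values is FWS and is dropped."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.strip().partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def der_is_rsa_spki(der: bytes) -> bool:
    """Structural check only: outer DER SEQUENCE that contains the rsaEncryption OID."""
    return len(der) > 2 and der[0] == 0x30 and RSA_OID in der


def check_dkim_record(record: str) -> list:
    """Return human-readable findings; an empty list means the record looks publishable."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        findings.append(f"unsupported key type k={tags['k']}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, receivers ignore failures; remove once verified")
    p = tags.get("p")
    if p is None:
        findings.append("p= missing")
    elif p == "":
        findings.append("p= empty: this key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except binascii.Error:
            findings.append("p= is not valid base64 (truncated or corrupted when pasted?)")
        else:
            if not der_is_rsa_spki(der):
                findings.append("p= does not decode to an rsaEncryption SubjectPublicKeyInfo")
    return findings


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (lengths below 256 bytes are enough for the toy key)."""
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body


def sample_rsa_spki() -> bytes:
    """Constructed SubjectPublicKeyInfo around a 64-bit modulus: the shape is real, the key is not."""
    n = (0xC0FFEE1234567891).to_bytes(8, "big")
    rsa_pub = _der(0x30, _der(0x02, b"\x00" + n) + _der(0x02, b"\x01\x00\x01"))
    algorithm = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_pub))


def sample_record(testing: bool = True) -> str:
    """Constructed TXT value in the layout opendkim-genkey emits."""
    flags = "t=y; " if testing else ""
    return f"v=DKIM1; k=rsa; {flags}p={base64.b64encode(sample_rsa_spki()).decode()}"


def sample_dkim_txt() -> str:
    """Constructed dkim.txt as opendkim-genkey -t writes it (two quoted chunks)."""
    v, p = sample_record().split(" p=")
    return f'dkim._domainkey\tIN\tTXT\t( "{v} "\n\t  "p={p}" )  ; ----- DKIM key dkim for example.com\n'


if __name__ == "__main__":
    for label, rec in (("test-mode key", join_txt_chunks(sample_dkim_txt())),
                       ("production key", sample_record(testing=False)),
                       ("pasted badly", "v=DKIM1; k=rsa; p=MIGfMA0GCSq!")):
        print(label, "->", check_dkim_record(rec) or "OK")
```

Run it as is, or call check_dkim_record() on the joined TXT value of your own record. A finding about t=y is expected while -t is in use; a finding about base64 or rsaEncryption means the value that reached DNS is not the value opendkim-genkey wrote.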

Troubleshooting:

You are done for the day. To test, send an email to autorespond+dkim[at]dk.elandsys.com or to [email protected] (highly recommended) and read the report that comes back.

If the signature is missing, check the log: grep -i dkim /var/log/mail.log

If there are no DKIM entries in the log at all, add -v to the re-injection smtpd entry in master.cf to make it log verbosely. Find this line:

127.0.0.1:10025 inet    n       -       -       -       -       smtpd

and make it look like this (remove the -v again once you have finished debugging; it is very noisy):

127.0.0.1:10025 inet    n       -       -       -       -       smtpd -v

Example: DKIM signature verification failures

DKIM signs a hash of the selected headers and a hash of the message body. If a signed header is rewritten, or text is added to or changed in the body after signing (a mailing-list footer, a disclaimer inserted by a gateway, re-encoded text), the verifier's hashes no longer match the signature and verification fails. The Canonicalization setting in opendkim.conf controls how much of this the signature tolerates: relaxed ignores whitespace and header-case changes, simple tolerates almost nothing.
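To see exactly what "changed after signing" means, here is an added example (written for this page, not taken from the tutorial or from OpenDKIM) that implements the RFC 6376 body canonicalization rules the Canonicalization line in opendkim.conf chooses between, computes the bh= body hash from them, and compares a signed body with two ways it might look on arrival: one with only whitespace touched, one with the text altered. The three message bodies and the sample header are constructed for the demonstration.

```python
"""Why the canonicalization setting decides which changes break a DKIM signature.

Added example, not part of the original tutorial. It implements the body
canonicalization rules of RFC 6376 section 3.4 (the same "simple" and
"relaxed" the tutorial's Canonicalization line selects) and computes the
bh= body hash the signer puts in the DKIM-Signature header. The message
bodies below are constructed for the demonstration.
"""
import base64
import hashlib
import re


def simple_body(body: bytes) -> bytes:
    """'simple' body: only trailing empty lines are removed; an empty body becomes CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")   # normalise line endings
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body: trailing WSP stripped, WSP runs collapsed, trailing empty lines removed."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ")
             for line in body.replace(b"\r\n", b"\n").split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def relaxed_header(field: bytes) -> bytes:
    """'relaxed' header: lower-case name, unfold, collapse WSP, no WSP around the colon."""
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n[ \t]+", b" ", value)            # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" ")     # collapse and trim WSP
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """bh= value: base64(SHA-256) of the canonicalized body, as used by rsa-sha256 signatures."""
    canon_body = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canon_body).digest()).decode()


def still_verifies(signed: bytes, received: bytes, canon: str) -> bool:
    """True when the receiver recomputes the same bh= the signer published."""
    return body_hash(signed, canon) == body_hash(received, canon)


# Constructed sample: the body as signed, and two ways it may look on arrival.
ORIGINAL = b"Hello,\r\n\r\nPlease review the  attached report.\r\n"
# Only whitespace differs: a gateway padded lines and added a blank line.
WHITESPACE_TOUCHED = b"Hello,  \r\n\r\nPlease review the attached report. \r\n\r\n"
# The text itself differs: a footer-adding list, a gateway, or an attacker.
TEXT_CHANGED = b"Hello,\r\n\r\nPlease review the attached invoice.\r\n"

if __name__ == "__main__":
    for name, received in (("whitespace only", WHITESPACE_TOUCHED), ("text changed", TEXT_CHANGED)):
        for canon in ("simple", "relaxed"):
            print(f"{name:15s} {canon:8s} verifies: {still_verifies(ORIGINAL, received, canon)}")
    print(relaxed_header(b"Subject:  Weekly\r\n   report  "))
```

Whitespace padding and extra trailing blank lines survive relaxed but not simple; a changed word fails under both, which is the property that makes the signature useful. That is why relaxed/relaxed is the usual choice when mail passes through gateways or lists that touch whitespace, while the tutorial's relaxed/simple only tolerates such changes in the headers.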

References

DomainKeys Identified Mail (DKIM) Signatures – RFC 4871 (obsoleted by RFC 6376, which is the current specification)
DKIM Author Domain Signing Practices (ADSP) – RFC 5617 (now historic; DMARC has taken its place)

Also check with http://dkimvalidator.com/ whether the mail you send carries a valid signature.

How to set up SPF on any Linux version

What is SPF: it is highly recommended that you create a Sender Policy Framework (SPF) record for your domain. An SPF record is a Domain Name System (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain.

The main benefit of SPF is that it stops spammers from sending mail with forged sender addresses at your organisation's domains. Note that SPF checks the envelope sender (the MAIL FROM / Return-Path address), not the From: header the user sees; tying the two together is DMARC's job.

If no SPF record is set up for your domain, third-party domains may reject messages from your users because they cannot validate that the message came from an authorised mail server.

How to configure Sender Policy Framework (SPF) Record

The SPF record is published as a standard TXT resource record. (BIND 9.4.0 and later also support a dedicated SPF RR type, which RFC 4408 introduced, but RFC 7208 deprecated it and receivers only query TXT, so publish the TXT form.)

The generic form of the record is:

name   ttl   class   TXT   "text"

and a real example:

example.com.   IN   TXT   "v=spf1 mx include:example.net -all"

Here mx permits the hosts in your MX records, include:example.net pulls in a third-party sender's SPF policy, and -all tells receivers to reject everything else.

Let's create one with an SPF wizard site (the original shows a screenshot of the wizard form here), then copy and paste the result into your DNS zone:

qureshi.me.  IN TXT "v=spf1 mx a ip4:12.12.12.12 a:34.34.34.34 include:ak.qureshi.me ?all"

Two things to fix before copying this record: a: takes a host name, not an IP address (a:34.34.34.34 never matches; write ip4:34.34.34.34), and ?all is neutral, so it tells receivers nothing about unlisted senders. Use ~all (softfail) while you are still finding all your legitimate sending sources and -all once the list is complete.

How to set up Domain-based Message Authentication, Reporting & Conformance (DMARC), and its benefits

DMARC builds on SPF and DKIM. When a message fails both checks (or passes one, but with a domain that does not align with the From: header domain), the DMARC policy tells the receiving provider what to do with it. There are three options: p=none (no action, only report), p=quarantine (deliver to spam) and p=reject.

Go to https://www.unlocktheinbox.com/dmarcwizard/, enter your domain and the information it asks for (the values depend on your organisation's policies), then copy and paste the result into your DNS zone record, for example:

_dmarc.qureshi.me. IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; rf=afrf; pct=100; ri=86400"

Start with p=none and read the aggregate reports sent to the rua= address for a few weeks; move to quarantine and then reject only once every legitimate sender passes, otherwise you will be discarding your own mail.
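Before pasting either record into the zone it is worth running it through a linter. The following Python script is an added example written for this page, not part of the tutorial or of any SPF/DMARC wizard: it counts the DNS-querying SPF terms against the RFC 7208 limit of ten, flags a:, mx: or include: used with an IP address, an "all" that is neutral or permissive, terms placed after "all", and a DMARC record without a usable policy or report address. The sample records are constructed to mirror the ones above, with example.com in place of the author's domain and a made-up rua= address; no DNS lookups are performed, so include:/a:/mx terms are counted, not resolved.

```python
"""Lint SPF and DMARC TXT records before publishing them.

Added example, not part of the original tutorial. No DNS queries are made:
include:/a:/mx/redirect= terms are counted against the RFC 7208 lookup limit,
not resolved. The sample records are constructed to mirror the tutorial's, with
example.com in place of the author's domain and a made-up report address.
"""
import ipaddress

# Mechanisms (plus the redirect= modifier) that cost a DNS query; RFC 7208 4.6.4 allows 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}


def looks_like_ip(arg: str) -> bool:
    """True for '34.34.34.34' or '2001:db8::1' (with or without a /prefix)."""
    try:
        ipaddress.ip_address(arg.split("/")[0])
        return True
    except ValueError:
        return False


def lint_spf(record: str) -> list:
    """Return findings for one SPF record; [] means nothing obviously wrong."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        if "=" in term:                                    # modifier: redirect= or exp=
            if term.partition("=")[0].lower() == "redirect":
                lookups += 1
            continue
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower().split("/")[0]                   # "a/24" -> "a"
        if mech in SPF_LOOKUP_TERMS:
            lookups += 1
        if mech in ("a", "mx", "include") and looks_like_ip(arg):
            findings.append(f"{mech}:{arg} takes a domain name, not an address; use ip4:/ip6:")
        if mech in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"{mech}:{arg} is not a valid address or CIDR block")
        if mech == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        elif all_qualifier is not None:
            findings.append(f"{term} comes after 'all' and is never evaluated")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets anyone send as this domain; use ~all or -all")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def lint_dmarc(record: str) -> list:
    """Return findings for one DMARC record (RFC 7489); [] means it looks sane."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["record must start with v=DMARC1"]
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.strip().partition("=")
            tags[name.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= is required and must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine, then reject, once reports are clean")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"rua target {uri.strip()} must be a mailto: URI")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct={pct} must be an integer from 0 to 100")
    return findings


# Constructed samples shaped like the tutorial's records (example.com, made-up report address).
TUTORIAL_STYLE_SPF = "v=spf1 mx a ip4:12.12.12.12 a:34.34.34.34 include:ak.example.com ?all"
CORRECTED_SPF = "v=spf1 mx a ip4:12.12.12.12 ip4:34.34.34.34 include:ak.example.com -all"
TUTORIAL_STYLE_DMARC = "v=DMARC1; p=none; sp=none; rua=mailto:dmarc-reports@example.com; rf=afrf; pct=100; ri=86400"

if __name__ == "__main__":
    for label, rec, lint in (("SPF as published", TUTORIAL_STYLE_SPF, lint_spf),
                             ("SPF corrected", CORRECTED_SPF, lint_spf),
                             ("DMARC", TUTORIAL_STYLE_DMARC, lint_dmarc)):
        print(label, "->", lint(rec) or "OK")
```

The lookup counter is deliberately conservative: it counts every include:, a, mx, ptr, exists and redirect= term on this record, but a real resolver also counts the terms inside each included policy, so a record that passes here can still exceed the limit once the includes are expanded.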


How to set up DKIM/SPF/DMARC on Ubuntu with Plesk Onyx – please click through to the next page.
