Personal Cloud #3 - Mailservers! Postfix, Dovecot, and OpenDKIM

You can configure it either way, but for compatibility reasons (smartphones etc.) you probably want password-based. It's also faster to set up.

I didn't read through the complete tutorial, but in a standard dovecot, postfix install with appropriate firewall rules (iptables for example), you can expect to see a few open ports of these programs (25, 587 for SMTP and 993 for IMAP). You might also be able to do some fingerprinting etc. to figure out the version of the two tools, but nothing sensitive really.

Thanks for the response @comfreak.

So there would be a public facing SMTP port? If so, does dovecot come with a default lockout policy?

You need a public facing SMTP port if you want to receive e-mail from other servers. To be RFC-compliant, it's also necessary to do so even if you don't want to receive mail usually, since an e-mail might be rejected from a later server down the line and needs to be returned to your server. Imagine sending a real letter to someone with your sender address on it. If the receiver doesn't exist, for example, the letter will be returned to you by the post office. Now if you took off your mailbox, you wouldn't receive this problem report, which an RFC-compliant server should.

In addition, port 587 is used by your own users to submit emails for other servers. If you don't open this port up to the public, you can't send any e-mail to other servers, at least not from a public IP. If you allow private IPs at home, you will only be able to send mail when you're home (or logged in via your own VPN).

To my knowledge, Dovecot will simply throttle you, but not lock you out completely. If you want that, you need something like "fail2ban", which watches your log files for brute-force attempts and, in case it finds something, creates firewall rules to lock out a certain IP from your server.

Thanks for the response again! I do appreciate learning more about this system.

Assuming:

  • $localuser and $password are valid credentials for an email user on this server
  • That myemailserver.tech is the correct FQDN for this email server
  • The file /tmp/listOf25000EmailAddresses.txt is a line-delimited list of 25,000 valid corporate email addresses, and
  • I execute the following script on some machine anywhere in the world with the proper mail application installed: (pardon any simple syntax errors, it was written on the fly w/o testing)

I have removed this script seeing as it could assist in conducting a malicious phishing attack.

Oh yeah - I forgot to mention /ourCompaniesPortal is a phishing site of our actual company's portal?

What would happen?

Can someone use an email gateway or a reverse proxy to restrict access prior to getting the outward facing SMTP port to remain compliant but restrict access to this port from executing something like the above?

I don't quite understand your question, maybe you can rephrase it?

If you want to restrict unauthorized people from sending e-mail over your server, all you need is a proper authentication setup. If you have strong passwords set up, this is not a problem. Even on port 587, your server will not accept any e-mail from unauthorized/unauthenticated sources. Of course, if user credentials for a user on your server get lost, then nothing will stop third parties from using those credentials to send spam/phishing e-mail through that account.

The usual setup would be that you only allow incoming mail on port 25 and only allow outgoing mail on port 587. On port 25 you do the usual checks to avoid relaying e-mails for other servers and on port 587 you do the usual authentication checks to verify the client connecting to your server is actually authorized to send e-mail via your server.

The deciding factor here is the "RCPT TO" command during delivery (and the "To:" field in the mail header). If that random machine on the internet wants to deliver mail for an address that the receiving server is set up to receive mail for, it will accept the mail and deliver it to the local user's mailbox (unless you have spam filters set up, but that is a different part of the system). If the address is not for this server, it will only accept the mail and attempt to deliver it to that other server if the client is authorized (i.e. logged in) to send mail for other servers. This second situation usually happens on port 587, while the first one happens on port 25.
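The port 25 vs. port 587 behaviour described in the post above, as an added example that is not code from the thread or from Postfix itself: a toy evaluator for a Postfix-style smtpd_recipient_restrictions list. The domains, client addresses and transactions are constructed; the two restriction lists mirror the usual smtpd (port 25) and submission (port 587) settings.

```python
"""Added example: evaluate Postfix-style recipient restrictions for one RCPT TO.

Postfix walks a restriction list left to right and stops at the first restriction
that gives a definite answer (permit or reject); a restriction that does not apply
returns DUNNO and evaluation continues. Reaching the end of the list means permit.
"""

# Constructed: the domains this server receives mail for, and its trusted networks.
LOCAL_DOMAINS = {"myemailserver.tech"}
MYNETWORKS = {"127.0.0.1", "::1"}

# Port 25: accept mail for our own domains, refuse to relay for anyone else.
# Port 587: only authenticated users, who may then send anywhere.
RESTRICTIONS = {
    25: ["permit_mynetworks", "reject_unauth_destination"],
    587: ["permit_sasl_authenticated", "reject"],
}


def evaluate(restrictions, client_ip, authenticated, rcpt):
    """Return (smtp_reply, restriction_that_decided) for one RCPT TO command."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            if client_ip in MYNETWORKS:
                return "250 2.1.5 Ok", name
        elif name == "permit_sasl_authenticated":
            if authenticated:
                return "250 2.1.5 Ok", name
        elif name == "reject_unauth_destination":
            # The anti-relay check: a local destination does not trigger it (DUNNO);
            # any other destination from an unauthenticated client is refused.
            if rcpt_domain not in LOCAL_DOMAINS:
                return "554 5.7.1 Relay access denied", name
        elif name == "reject":
            return "554 5.7.1 Access denied", name
        else:
            raise ValueError("unknown restriction: " + name)
    return "250 2.1.5 Ok", "end of list (permit)"


def decide(port, client_ip, authenticated, rcpt):
    """Evaluate the restriction list that applies to the listener port."""
    return evaluate(RESTRICTIONS[port], client_ip, authenticated, rcpt)


# Constructed transactions: a stranger on the internet versus an authenticated user.
TRANSACTIONS = {
    "stranger delivers to a local mailbox on 25": (25, "203.0.113.9", False, "alice@myemailserver.tech"),
    "stranger tries to relay to a third party on 25": (25, "203.0.113.9", False, "someone@corp.example"),
    "stranger tries submission without logging in": (587, "203.0.113.9", False, "someone@corp.example"),
    "own user sends to a third party on 587": (587, "198.51.100.7", True, "someone@corp.example"),
}


def run_transactions():
    """Map each labelled transaction to the SMTP reply the server would give."""
    return {label: decide(*args)[0] for label, args in TRANSACTIONS.items()}


if __name__ == "__main__":
    for label, reply in run_transactions().items():
        print(f"{label}: {reply}")
```

The second transaction is the one the earlier script scenario relies on: with reject_unauth_destination in place, an unauthenticated client can only hand the server mail for its own domains, so using it to send mail elsewhere requires valid credentials on port 587.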

I'm not sure I follow you.

Dovecot allows access via IMAP, which is a totally separate authentication system which only belongs to it. The login and password only exist in the SQL database and don't correlate to any system access at all.

How is that different from OpenDKIM? It sounds like the exact same thing that I've already done in the guide.

If you read the guide: port 25 (mail), 587 (SMTP), 993 (IMAP), 80 (HTTP), 443 (HTTPS), 53 (Bind9).

That's it.

Technically, DKIM and SPF are not the same, but they try to prevent the same thing in two different ways. Their goal is to prevent spoofing of sender addresses. SPF defines a set of delivering servers that are allowed to deliver email, and DKIM signs e-mails to verify their integrity and their origin. Here it doesn't matter who delivers the mail; as long as the signature is correct, the mail will go through. Since only the authorized server has access to the signing keys, you are safe to assume that the delivering server is allowed to send the mail.

The problem comes when someone receives email in your name without a signature. DKIM alone will not protect your domain from being spoofed to others. What you need is a DMARC policy in your DNS that tells the receiving side to drop (or mark as spam) any email that lacks a DKIM signature.

Now DKIM is quite new and hardly anyone implements it. You don't have any DKIM/DMARC protection, if the receiver doesn't verify these policies and signatures. SPF on the other hand is a bit older and more common. It's also much easier to set up in an environment with multiple servers, since you only need to put their IP addresses in the DNS and not set up signing keys on them and in the DNS. This means your chances are higher that someone actually verifies your attempts at protecting your domain.

To my knowledge, DMARC also requires SPF, so if you want effective DKIM, you need DMARC and therefore need SPF.
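The SPF/DKIM/DMARC interplay discussed above, as an added example that is not code from the thread: a simplified receiver-side DMARC evaluation following the RFC 7489 logic. A message passes DMARC when at least one of SPF or DKIM passes and that result's domain aligns with the From: header domain; when the sender domain publishes no DMARC record, nothing tells the receiver to act on a missing signature. All domains, results and the DMARC records are constructed.

```python
"""Added example: how a receiving server applies a DMARC policy (simplified RFC 7489)."""


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict, filling in the relaxed defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + txt)
    tags.setdefault("adkim", "r")  # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")   # SPF alignment
    return tags


def organizational_domain(domain):
    """Simplified: the last two labels. A real receiver consults the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, spf, dkim_signatures, record):
    """from_domain: domain of the From: header; spf: (result, MAIL FROM domain);
    dkim_signatures: list of (result, d= domain), one per DKIM-Signature header;
    record: the From: domain's DMARC TXT record, or None if it publishes none.
    Returns (dmarc_result, disposition)."""
    if record is None:
        return "none", "deliver"  # no policy: an unsigned spoof is not acted upon
    policy = parse_dmarc_record(record)
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, from_domain, policy["adkim"])
                  for res, d in dkim_signatures)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "deliver")
    return "fail", disposition


# Constructed scenarios for mail claiming to be From: someone@example.org
RECORD = "v=DMARC1; p=reject"
SCENARIOS = {
    "sent by own server, signed": ("example.org", ("pass", "example.org"), [("pass", "example.org")], RECORD),
    "spoofed from elsewhere, unsigned": ("example.org", ("fail", "example.org"), [], RECORD),
    "spoofed, but example.org publishes no DMARC record": ("example.org", ("fail", "example.org"), [], None),
    "forwarded: SPF breaks, DKIM signature survives": ("example.org", ("fail", "forwarder.net"), [("pass", "example.org")], RECORD),
    "subdomain MAIL FROM, SPF only, relaxed alignment": ("example.org", ("pass", "mail.example.org"), [], RECORD),
    "subdomain MAIL FROM, SPF only, strict alignment": ("example.org", ("pass", "mail.example.org"), [], "v=DMARC1; p=quarantine; aspf=s"),
}


def run_scenarios():
    """Map each labelled scenario to its (dmarc_result, disposition)."""
    return {label: evaluate_dmarc(*args) for label, args in SCENARIOS.items()}


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label}: {outcome}")
```

The third scenario is the situation described two posts up: without a DMARC record, the unsigned spoof is handed to the spam filter like any other message. The forwarding scenario shows why a DKIM signature is worth having alongside SPF: it survives hops that break the SPF check.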


To be completely correct, Postfix can also use Dovecot's authentication to verify clients on the submission side.


Yes, but in this case I am using dovecot for authentication.

Hey,
I have a problem with OpenDKIM.
When I restarted opendkim after this configuration, /etc/opendkim/SigningTable was not found.
I have one more question…
How can I integrate postfixadmin with this Dovecot and Postfix configuration?

Thanks for the reply! All the best :)

Hi

Very good tutorial

I've also got a problem when I restarted opendkim: /etc/opendkim/SigningTable not found.

Hello, thanks for the tutorial.
I have an error in restarting opendkim:

# sudo systemctl restart opendkim

Job for opendkim.service failed because the control process exited with error code.
See “systemctl status opendkim.service” and “journalctl -xe” for details.

# sudo systemctl status opendkim.service

● opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2018-09-21 13:56:52 UTC; 3s ago
Docs: man:opendkim(8)
man:opendkim.conf(5)
man:opendkim-genkey(8)
man:opendkim-genzone(8)
man:opendkim-testadsp(8)
man:opendkim-testkey
http://www.opendkim.org/docs.html
Process: 12978 ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf (code=exited, status=78)
Main PID: 18643 (code=exited, status=0/SUCCESS)

Sep 21 13:56:52 localhost systemd[1]: opendkim.service: Service hold-off time over, scheduling restart.
Sep 21 13:56:52 localhost systemd[1]: opendkim.service: Scheduled restart job, restart counter is at 5.
Sep 21 13:56:52 localhost systemd[1]: Stopped OpenDKIM DomainKeys Identified Mail (DKIM) Milter.
Sep 21 13:56:52 localhost systemd[1]: opendkim.service: Start request repeated too quickly.
Sep 21 13:56:52 localhost systemd[1]: opendkim.service: Failed with result ‘exit-code’.
Sep 21 13:56:52 localhost systemd[1]: Failed to start OpenDKIM DomainKeys Identified Mail (DKIM) Milter.

Do you know what the problem is and what I should do?
Regards

There could be typos in your opendkim configuration. I had the same problem where a quotation mark was not a quotation mark but some other character. You can look into /var/log/daemon.log to try and find out what is happening. Another problem I had was that there was no /etc/opendkim/SigningTable. I created the file (echo "" > /etc/opendkim/SigningTable) and the service started working.

I literally have no idea what I am doing. Don’t blame me if anything happens.
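The two OpenDKIM failure causes named in the reply above (a stray non-ASCII character in opendkim.conf and a missing SigningTable/KeyTable file), as an added example that is not code from the thread or from OpenDKIM: a small checker to run before restarting the milter. The exit status 78 in the systemctl output above is EX_CONFIG, which opendkim returns when it cannot load its configuration. The config text and the two table texts are constructed samples; the key resolution mirrors how OpenDKIM matches a refile: SigningTable and then looks the key up in the KeyTable.

```python
"""Added example: sanity-check an OpenDKIM configuration and its signing tables."""
import fnmatch
import os


def find_non_ascii(conf_text):
    """(line number, line) for each line containing a non-ASCII character, e.g. curly quotes."""
    return [(n, line) for n, line in enumerate(conf_text.splitlines(), 1)
            if any(ord(ch) > 127 for ch in line)]


def parse_conf(conf_text):
    """Parse the 'Key value' lines of opendkim.conf into a dict; comments and blanks are skipped."""
    conf = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def table_path(value):
    """Strip a dataset prefix such as 'refile:' or 'file:' to get the file path."""
    for prefix in ("refile:", "file:"):
        if value.startswith(prefix):
            return value[len(prefix):]
    return value


def missing_tables(conf, exists=os.path.exists):
    """Names of the table settings whose file is not present on disk."""
    return [key for key in ("KeyTable", "SigningTable")
            if key in conf and not exists(table_path(conf[key]))]


def parse_table(text):
    """Two-column table rows: first whitespace-separated field, then the rest of the line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                rows.append((parts[0], parts[1].strip()))
    return rows


def select_key(from_addr, signing_table_text, key_table_text):
    """Resolve the (domain, selector, key path) that signs mail from from_addr: first
    case-insensitive wildcard match in the SigningTable, then the KeyTable entry of
    that name. Returns None when no entry applies or the key name is undefined."""
    keys = dict(parse_table(key_table_text))
    for pattern, key_name in parse_table(signing_table_text):
        if fnmatch.fnmatchcase(from_addr.lower(), pattern.lower()):
            entry = keys.get(key_name)
            if entry is None:
                return None  # SigningTable points at a key the KeyTable does not define
            domain, selector, path = entry.split(":", 2)
            return domain, selector, path
    return None


# Constructed sample modelled on a typical /etc/opendkim.conf; line 7 carries the
# curly quotes that break parsing when a config is pasted from a web page.
SAMPLE_CONF = (
    "# constructed sample opendkim.conf\n"
    "Domain example.org\n"
    "KeyTable refile:/etc/opendkim/KeyTable\n"
    "SigningTable refile:/etc/opendkim/SigningTable\n"
    "Socket inet:8891@localhost\n"
    "UserID opendkim\n"
    "Mode \u201csv\u201d\n"
    "Canonicalization relaxed/simple\n"
)
SAMPLE_SIGNING_TABLE = "*@example.org default._domainkey.example.org\n"
SAMPLE_KEY_TABLE = ("default._domainkey.example.org "
                    "example.org:default:/etc/opendkim/keys/example.org/default.private\n")


def check_config(conf_text, exists=os.path.exists):
    """Summarise both problems for one configuration text."""
    return {"non_ascii": find_non_ascii(conf_text),
            "missing_tables": missing_tables(parse_conf(conf_text), exists)}


if __name__ == "__main__":
    # Constructed: pretend only the KeyTable exists on disk.
    print(check_config(SAMPLE_CONF, exists=lambda p: p == "/etc/opendkim/KeyTable"))
    print(select_key("Alice@example.org", SAMPLE_SIGNING_TABLE, SAMPLE_KEY_TABLE))
```

To use it on a real host, pass the contents of /etc/opendkim.conf to check_config with the default exists argument; a non-empty non_ascii list or missing_tables list explains an EX_CONFIG exit before you read through daemon.log.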