Documenting best guides for setting up postfix server.
- Setup forward and reverse DNS: DNS Guide
- Install Postfix: Postfix Guide
- Setting up SPF and DKIM: PepiPost Guide
- Install pflogsumm
- Setup DMARC: Add TXT record for
_dmarc.from-address.comwith valuev=DMARC1; p=quarantine; rua=mailto:postmaster@example.com; pct=100. https://www.uriports.com/dmarc offers DMARC rua as a service for $1/month. - Configure deferred emails: JRS Blog
- Setup different policies for different domains: Policy Rate Limiting. Ensure to edit both
/etc/postfix/main.cfas well as/etc/postfix/master.cf - Disable ipv6 protocol: Fix Postfix network unreachable
- A good guide on line-by-line postfix config: https://jan.wildeboer.net/2022/08/Email-1-Postfix-2022/
- Add the new server to Google Postmaster and Outlook SNDS.
- Enroll for Yahoo's CFL.
- Monitor the logs for next few days.
- Enable encryption for Gmail: Encryption
- Increase SWAP to
pflogsum. We should have memory equal to the size of/var/log/mail.log.
systemctl reload postfixto reload changes after modifyingmain.cf
We often need to drop a request to AWS or other hosting provider to increase the sending limits. This template can be used for such emails.
(your website name) provides (what you do).
We use emails to (why?).
**Protection:**
- All emails follow with SPF and DKIM specifications
- All emails contain "List-Unsubscribe" headers for one-click unsubscribe
- Enabled SASL and firewall to send emails only from internal IPs.
- Have registered on Google Postmaster and Outlook's SNDS to track IP reputation.
- All complaints and bounces are immediately dealth with.
**Quality:**
- We email only registered users who ask for email updates.
- We have not purchased any email list.
- [any other thing you can show for quality. like reviews or age of website].
We need to configure TLS support on Postfix to use it with Django and Ruby libraries.
- Install Certbot
- Use
--standaloneoption to create certificates by spinning up a certbot www server
The above will show something like:
Certificate is saved at: /etc/letsencrypt/live/post.screener.in/fullchain.pem
Key is saved at: /etc/letsencrypt/live/post.screener.in/privkey.pem
Add it to postix config
sudo vi /etc/postfix/main.cf
# add this
smtpd_tls_security_level = may
smtpd_tls_chain_files =
/etc/letsencrypt/live/post.screener.in/privkey.pem,
/etc/letsencrypt/live/post.screener.in/fullchain.pem
# reload postfix
systemctl reload postfix
Add cron to reload ssl certificates in postfix: sudo crontab -e -uroot
# reload postfix configuration every month
# the ssl renewal is done automatically every 60 days using certbot
# we can see that using `systemctl list-timers`
0 1 1 1 1 systemctl reload postfix