Linux - Setup RedHat 10 SMTP Server
System Configuration
Upgrade Current System
subscription-manager repos --enable codeready-builder-for-rhel-10-$(arch)-rpms
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm -y
dnf upgrade -y
Configure SELinux (the two commands below turn it off system-wide; Postfix and Dovecot run fine with SELinux enforcing, so consider skipping this step and resolving any denial from the audit log instead)
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
Disable Firewall (this leaves every service on the host reachable; on a mail relay the alternative is to keep firewalld and open only the smtp service). --now stops the running service as well, otherwise it keeps running until the next reboot:
systemctl disable --now firewalld.service
Install Core Tools
dnf install bind-utils bzip2 cups cifs-utils enscript ftp gdb ghostscript krb5-workstation ksh lftp lrzsz lsof libnsl lzop mariadb-server mlocate mutt ncompress net-tools net-snmp net-snmp-utils nfs-utils nmap nvme-cli openldap-clients openssh-clients psmisc realmd rsync samba-client strace sysstat tcpdump telnet telnet-server tmux unix2dos vim vim-enhanced vsftpd wget xfsdump htop mc rsyslog rsyslog-doc postfix dbus-daemon s-nail dovecot cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain tree -y
This is a general-purpose toolset; trim it to what the host needs. Of the steps below only postfix, dovecot, cyrus-sasl-plain (PLAIN/LOGIN for the Mailjet login) and rsyslog (for /var/log/maillog) are required, and telnet-server, vsftpd, cups and mariadb-server each add a network service once enabled.
Extra repository (Adoptium is not in EPEL) to get the Java version Kiwi needs:
cat <<EOF > /etc/yum.repos.d/adoptium.repo
[Adoptium]
name=Adoptium
baseurl=https://packages.adoptium.net/artifactory/rpm/${DISTRIBUTION_NAME:-$(. /etc/os-release; echo $ID)}/\$releasever/\$basearch
enabled=1
gpgcheck=1
gpgkey=https://packages.adoptium.net/artifactory/api/gpg/key/public
EOF
Run to install java 11
dnf install temurin-11-jdk
Configure Virtual Tool
dnf install open-vm-tools -y
sysctl vm.swappiness=10
This takes effect immediately but does not survive a reboot; put the same setting in a file under /etc/sysctl.d/ to make it permanent.
Install vim color scheme for scripting
dnf install git -y
git clone https://github.com/flazz/vim-colorschemes ~/.vim/
echo "colorscheme desert" > /etc/vimrc.local
On RHEL /etc/vimrc sources /etc/vimrc.local, so this applies the scheme system-wide. The clone goes into root's ~/.vim (the directory must not already exist); desert itself ships with vim, so the line above works for every user, while the other schemes from the clone are only available to root.
Time Sync
Enable time synchronization: run the following and add your domain time server
vi /etc/chrony.conf
Add your server below the following line and make sure you change the domain name from sflservicesllc.com
server domain.sflservicesllc.com iburst
Should look like this now after the change:
# Use public servers from the pool.ntp.org project.
#server _gateway iburst
server domain.sflservicesllc.com iburst
Enable Time Synchronization
systemctl enable --now chronyd
Note: the current time zone is shown with timedatectl; change it with the set-timezone subcommand (list-timezones prints the valid names):
timedatectl
Configure Postfix
Postfix Settings
We now have to configure Postfix. Keep in mind that this server is meant to submit and relay mail for our own hosts and authenticated clients, not to act as the public inbound mail exchanger for the domain (that is a far more involved setup, with MX records, filtering and considerable care to keep the server from becoming an open relay and a spam source). The listening and relay settings below are therefore deliberately narrow: the recipient restrictions end with reject, so only mynetworks, mail for our own domains, and SASL-authenticated clients get through. We can go right to the hostname.
New for version 10: Postfix on RHEL 10 is built without Berkeley DB, so the hash: map type no longer exists and lmdb: is the default. Convert the existing main.cf references and rebuild the maps:
cd /etc/postfix
cp /etc/postfix/main.cf /etc/postfix/main.cf.org
sed -i 's/hash:/lmdb:/g' /etc/postfix/main.cf
echo "default_database_type = lmdb" | sudo tee -a /etc/postfix/main.cf
rm /etc/postfix/*.db
postalias lmdb:/etc/aliases
postmap lmdb:/etc/postfix/transport
postmap lmdb:/etc/postfix/virtual
postmap lmdb:/etc/postfix/access
postmap lmdb:/etc/postfix/sasl_passwd
postmap lmdb:/etc/postfix/sender_relay
sasl_passwd and sender_relay do not exist on a fresh install; they are created and rebuilt in the MailJet section below, so the last two postmap lines can be skipped here (they only fail with "cannot open file").
systemctl restart postfix
tail -f /var/log/maillog
Watch the log for "unsupported dictionary type: hash"; if it appears, a hash: reference survived (postconf -n shows where). Ctrl-C stops tail.
The Postfix hostname must match the system's fully qualified hostname. We use mail.example.com in this walkthrough, so change it to match your host. Set it with:
sudo postconf -e "myhostname = mail.example.com"
Check that the apex domain (the root domain, which Postfix derives from myhostname) is correct with:
postconf mydomain
For our example it should print mydomain = example.com. If not, set it with:
sudo postconf -e "mydomain = example.com"
Set the myorigin parameter with:
sudo sed -i 's/^#myorigin = $mydomain.*/myorigin = $mydomain/' /etc/postfix/main.cf
Listen on all interfaces (Postfix defaults to localhost only) with:
sudo postconf -e "inet_interfaces = all"
Use only IPv4 with:
sudo postconf -e "inet_protocols = ipv4"
Set the mydestination parameter. Note the single quotes: $myhostname and $mydomain must reach Postfix unexpanded. With double quotes the shell replaces them with empty strings and the parameter ends up as ", localhost., localhost,".
sudo postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
Set the networks allowed to relay through this server without authentication. Keep this to the subnets that actually need it; every host in mynetworks can send mail anywhere through this server.
sudo postconf -e "mynetworks = 127.0.0.0/8, 10.0.0.0/24, 192.168.0.0/16"
Set the mail folder and the banner (single quotes again, so the banner starts with the real hostname):
sudo postconf -e "home_mailbox = Maildir/"
sudo postconf -e 'smtpd_banner = $myhostname ESMTP'
Disable the VRFY command, which is used to harvest valid addresses:
sudo postconf -e "disable_vrfy_command = yes"
Require HELO/EHLO from senders with:
sudo postconf -e "smtpd_helo_required = yes"
Set the message size limit, here 10240000 bytes (about 10 MB):
sudo postconf -e "message_size_limit = 10240000"
Set SMTP authentication (Dovecot provides the SASL backend; see the Dovecot section) with:
sudo postconf -e "smtpd_sasl_type = dovecot"
sudo postconf -e "smtpd_sasl_path = private/auth"
sudo postconf -e "smtpd_sasl_auth_enable = yes"
sudo postconf -e "smtpd_sasl_security_options = noanonymous"
sudo postconf -e 'smtpd_sasl_local_domain = $myhostname'
sudo postconf -e "smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, permit_sasl_authenticated, reject"
The last line is what keeps the server from being an open relay: only hosts in mynetworks, mail for our own domains, and authenticated clients get through; everything else is rejected. Because AUTH is enabled, clients will send passwords, so also make sure Postfix offers AUTH only after STARTTLS (smtpd_tls_auth_only = yes); RHEL's stock main.cf already sets smtpd_tls_security_level = may with a self-signed certificate generated at install.
With these taken care of, restart Postfix with:
sudo systemctl restart postfix
Extra Restrictions
Optional additional restrictions for Postfix.
The settings below reject a lot of spam at connection time.
Consider carefully before applying them, because legitimate mail is sometimes rejected too: in particular, reject_unknown_client_hostname refuses SMTP servers whose forward and reverse DNS lookups do not match, and plenty of legitimate senders have that problem.
sudo postconf -e "smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname, permit"
sudo postconf -e "smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender"
sudo postconf -e "smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname, reject_non_fqdn_hostname, reject_invalid_hostname, permit"
Enable Postfix
sudo systemctl enable --now postfix
Dovecot
Dovecot Settings
This example configures Dovecot as the SASL authentication backend for Postfix (the unix socket set up below). With the listen line below Dovecot also accepts IMAP/POP3 on those addresses if those protocols are enabled, so firewall those ports or limit the protocols setting if clients should not use them.
Edit /etc/dovecot/dovecot.conf, uncomment the listen line and drop :: if IPv6 is not used:
listen = *, ::
Edit /etc/dovecot/conf.d/10-auth.conf. Uncomment and change the following if you allow plaintext authentication (passwords then travel in the clear on any non-TLS session, so this is only acceptable when Postfix offers AUTH after STARTTLS only):
disable_plaintext_auth = no
and add login to the mechanisms (some clients only speak LOGIN):
auth_mechanisms = plain login
vi /etc/dovecot/conf.d/10-mail.conf and uncomment and add
mail_location = maildir:~/Maildir
vi /etc/dovecot/conf.d/10-master.conf and uncomment and add like follows Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
Edit /etc/dovecot/conf.d/10-ssl.conf and set Dovecot to offer TLS without requiring it (ssl = required would force TLS on Dovecot's own listeners):
ssl = yes
Enable Dovecot
sudo systemctl enable --now dovecot
MailJet (replace defaults)
Append the following to the end of /etc/postfix/main.cf, replacing any earlier setting of the same parameter (the last occurrence wins). The map types must be lmdb: to match the postmap commands below; hash: fails on RHEL 10 with "unsupported dictionary type: hash".
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext (opportunistic TLS outbound). Since every outbound message
# goes to an authenticated relay, "encrypt" is the safer value: it refuses
# to send the Mailjet credentials over an unencrypted session.
#
smtp_tls_security_level = may
default_database_type = lmdb
shlib_directory = /usr/lib64/postfix
meta_directory = /etc/postfix
#Mailjet
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = lmdb:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
mydomain = onling.com
mynetworks = 127.0.0.0/8, 192.168.0.0/16
myorigin = $mydomain
home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP
Add the relay server. The lookup key is the sender domain, so it must match the domain mail is actually sent from ($myorigin, i.e. $mydomain, for locally generated mail); a mismatch means the message is delivered directly instead of through Mailjet. The redirection below runs in your own shell, so do this as root (sudo on cat does not cover the > part):
cat > /etc/postfix/sender_relay << EOF
@sflservicesllc.com in.mailjet.com
EOF
Add the relay credentials, keyed the same way. Postfix expects the value as username:password; for Mailjet replace [hashkey] with the account's API key and secret key in that form:
cat > /etc/postfix/sasl_passwd << EOF
@sflservicesllc.com [hashkey]
EOF
Permissions
chmod 600 /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
postmap lmdb:/etc/postfix/sasl_passwd
postmap lmdb:/etc/postfix/sender_relay
Disable Dovecot and restart Postfix. This is only right if no client needs to authenticate to this server: the outbound Mailjet login uses Postfix's own SASL client and does not need Dovecot, but the inbound AUTH configured above uses Dovecot's socket and stops working without it (Postfix logs a failed connect to private/auth). If you stop Dovecot, also set smtpd_sasl_auth_enable = no; if remote clients must submit mail with a password, leave Dovecot running.
systemctl stop dovecot
systemctl disable dovecot
sudo systemctl restart postfix
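An added example for this section, not Postfix's own tooling: a check to run before postmap that cross-references the two relay maps. Every sender key in sender_relay needs a credential under the same key in sasl_passwd, and the password file (and its compiled .lmdb) must not be readable by anyone but root. The sample map contents are constructed for the demo; @example.com, @example.org and apikey:secretkey are placeholders.

```shell
#!/usr/bin/env bash
# Added example for this page (not Postfix code): cross-check sender_relay
# against sasl_passwd and verify the credential file permissions. Usage:
#   sh check_relay_maps.sh /etc/postfix/sender_relay /etc/postfix/sasl_passwd
# Run without arguments to see it report on constructed sample maps.

# Lookup keys (first column) of a Postfix text map, ignoring comments/blank lines.
map_keys() { grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{print $1}'; }

# One line per finding; exit status 1 if there was any.
check_relay_maps() {  # check_relay_maps SENDER_RELAY SASL_PASSWD
    n=0
    for k in $(map_keys "$1"); do
        if ! map_keys "$2" | grep -qxF -- "$k"; then
            echo "$k: relay host set in $1 but no matching credential in $2"
            n=$((n+1))
        fi
    done
    for f in "$2" "$2.lmdb"; do          # the source file and the compiled map
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case "$mode" in
            600|400) ;;
            *) echo "$f: mode $mode, must be 600 (it holds the relay password)"; n=$((n+1)) ;;
        esac
    done
    [ "$n" -eq 0 ]
}

relay_map_findings() { check_relay_maps "$1" "$2" | grep -c . || true; }   # number of findings

# Constructed samples (Mailjet takes APIKEY:SECRETKEY as the user:password pair).
sample_sender_relay() {
    cat <<'EOF'
# sender domain        relay host
@example.com           in.mailjet.com
@example.org           in.mailjet.com
EOF
}
sample_sasl_passwd() {
    cat <<'EOF'
@example.com           apikey:secretkey
EOF
}

if [ -n "${1:-}" ]; then
    check_relay_maps "$1" "${2:?sasl_passwd path required}"
else
    sr=$(mktemp); sp=$(mktemp)               # mktemp creates 0600 files
    sample_sender_relay > "$sr"; sample_sasl_passwd > "$sp"
    check_relay_maps "$sr" "$sp" || true     # reports the missing @example.org credential
    rm -f "$sr" "$sp"
fi
```

A key that exists in sender_relay but not in sasl_passwd is the classic silent failure here: Postfix routes the message to in.mailjet.com, finds no credential for it, and the relay answers with an authentication error that only shows up in maillog.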
Test the setup
Now that everything is set up, test Postfix by sending an email from the command line like so:
echo "Install of Linux Rocks $HOSTNAME" | sendmail EMAIL
Where EMAIL is a valid email address, ideally one outside your own domain so the message actually goes out through the relay.
If you receive the email, congratulate yourself on a job well done. If the email fails to arrive, check that the DNS records for the sending domain are correct and have propagated (changes can take up to 24 hours), and check the maillog with a command like:
tail -f /var/log/maillog
With the tail running, open another terminal window and attempt to send another email to see what kind of logs are written. From that information, you can start troubleshooting any issues that are causing problems.
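The delivery test above shows that mail goes out; it does not show that strangers cannot use the server. The script below is an added example for this page (not Postfix or Mailjet code): a minimal SMTP probe in bash that connects from the outside, checks that STARTTLS is offered and that AUTH is not advertised before it, then tries to relay to a foreign domain without authenticating. A correct setup answers that last step with 554 Relay access denied. Run it from a host that is not in mynetworks; probe.example.net and probe.example.org are made-up names, and the EHLO reply embedded in the script is a constructed sample used only to exercise the parsing functions offline.

```shell
#!/usr/bin/env bash
# Added example for this page (not Postfix or Mailjet code): open-relay probe.
# Usage (from a host NOT listed in mynetworks):  bash smtp_probe.sh mail.example.com 25
# Needs only bash (/dev/tcp); exit status 1 if the server relayed without AUTH.

# Final status code of an SMTP reply (handles multi-line 250-... replies).
smtp_code() {
    printf '%s\n' "$1" | grep -E '^[0-9]{3}[ -]' | tail -n 1 | cut -c1-3
}

# True if the EHLO reply advertises FEATURE (e.g. STARTTLS, AUTH, SIZE).
ehlo_has() {  # ehlo_has FEATURE REPLY
    printf '%s\n' "$2" | grep -qi "^250[- ]$1"
}

# Meaning of the RCPT TO status for an unauthenticated client outside mynetworks.
relay_verdict() {
    case "$1" in
        2??) echo "OPEN RELAY: RCPT TO a foreign domain accepted without AUTH" ;;
        4??) echo "deferred ($1): not relayed now, but check smtpd_relay_restrictions" ;;
        5??) echo "relay denied ($1): correct" ;;
        *)   echo "no usable reply ($1)" ;;
    esac
}

# Constructed sample EHLO reply from a Postfix with smtpd_tls_auth_only = yes:
# AUTH is only advertised after STARTTLS, so it must not appear here.
sample_ehlo_reply='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME'

# --- live probe over bash's /dev/tcp (not exercised by the sample above) ---
smtp_say() { printf '%s\r\n' "$1" >&3; }   # one command line, CRLF, on fd 3

# Read one reply from fd 3: all lines up to the one with a space after the code.
smtp_read() {
    cr=$(printf '\r'); reply=""
    while IFS= read -r -t 10 line <&3; do
        line=${line%"$cr"}
        reply="$reply$line
"
        case "$line" in [0-9][0-9][0-9]' '*) break ;; esac
    done
    printf '%s' "$reply"
}

relay_probe() {  # relay_probe HOST [PORT]
    exec 3<>"/dev/tcp/$1/${2:-25}" || { echo "cannot connect to $1:${2:-25}"; return 2; }
    echo "S: $(smtp_read)"
    smtp_say "EHLO probe.example.net"; ehlo=$(smtp_read)
    if ehlo_has STARTTLS "$ehlo"; then echo "STARTTLS offered"; else echo "WARNING: no STARTTLS"; fi
    if ehlo_has AUTH "$ehlo"; then echo "WARNING: AUTH offered before STARTTLS (set smtpd_tls_auth_only = yes)"; fi
    smtp_say "MAIL FROM:<probe@example.net>"; smtp_read >/dev/null
    smtp_say "RCPT TO:<probe@example.org>"; rcpt=$(smtp_read)
    smtp_say "QUIT"; smtp_read >/dev/null; exec 3>&-
    echo "S: $rcpt"; code=$(smtp_code "$rcpt")
    relay_verdict "$code"
    case "$code" in 2??) return 1 ;; esac
}

if [ -n "${1:-}" ]; then relay_probe "$1" "${2:-}"; fi
```

Run the probe once from inside mynetworks as well: there the RCPT TO should succeed, which confirms that permit_mynetworks, not an open relay, is what lets your own hosts through. Keep tail -f /var/log/maillog open in the other terminal while probing; the "Relay access denied" line in the log is the server-side view of the same exchange.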
References
https://www.server-world.info/en/note?os=Rocky_Linux_8&p=mail&f=1
https://www.server-world.info/en/note?os=Rocky_Linux_8&p=mail&f=2