Installing Postfix with DKIM and SPF to Send Outbound Email on Ubuntu 16.04

Installing Postfix

Step 1 - Download mailutils and Postfix

ubuntu ~ $ sudo apt install mailutils postfix

Step 2 - Edit /etc/postfix/main.cf Config File

Change the line that reads inet_interfaces = all to inet_interfaces = loopback-only

Step 3 - Verify hostname is Set Correctly for Postfix

ubuntu ~ $ postconf -d | grep 'myhostname ='
myhostname = example.com

If Postfix's myhostname variable is not set with the correct host, make sure the hostname is set correctly in both /etc/hostname and /etc/hosts. If the hostname is already set correctly in those two files but it hasn't taken effect, use the following command to adjust the hostname without rebooting:

ubuntu ~ $ sudo hostname example.com

Step 4 - Send a Test Email

ubuntu ~ $ echo "This is the test email body." | mail -s "Test Subject Line" jon@aol.com

After sending the test email, check your inbox for delivery. If you didn't receive the test email, check /var/log/mail.log for issues. In my case I came across the following error which was preventing the oubound test email from being sent:

postfix/master[4362]: fatal: bind 127.0.0.1 port 25: Address already in use

I encountered some instructions that recommended attempting to kill the sendmail process which was hogging port 25 with the following command, but when I attempted it I received output that indicated no matching process was found:

ubuntu ~ $ sudo killall sendmail
sendmail: no process found

In this askubuntu.com thread I found a suggestion that worked in my case:

ubuntu ~ $ sudo killall sendmail-mta
ubuntu ~ $ sudo service postfix restart

At this point I sent another test email and recieved it successfully.

Step 5 - Prevent Backwards Compatibility Warnings

If you encounter the following (or similar) warnings in /var/log/mail.log:

postfix[21460]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"

Check here: http://www.postfix.org/COMPATIBILITY_README.html to determine if you require backwards compatibility, and if not execute the following two commands (the compatibility_level value should match what's recommended in the log warning entry above):

ubuntu ~ $ sudo postconf compatibility_level=2
ubuntu ~ $ sudo service postfix reload

Setting Up DKIM

Step 1 - Download and Install opendkim and opendkim-tools

ubuntu ~ $ sudo apt-get install opendkim opendkim-tools

Step 2 - Setup opendkim Configuration Files

Edit the /etc/opendkim.conf file and add the following lines to the end of the file (see https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy for an explanation of the parameters):

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

Comment out the default SOCKET parameter defined in /etc/default/opendkim and replace it with the following:

SOCKET="inet:12301@localhost"

Add the following lines to the bottom of the /etc/postfix/main.cf config file:

milter_protocol = 2
milter_default_action = accept

smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Create the following directories:

ubuntu ~ $ sudo mkdir /etc/opendkim && sudo mkdir /etc/opendkim/keys

Create a file called /etc/opendkim/TrustedHosts with the following lines:

127.0.0.1
localhost
192.168.0.1/24

*.example.com

Create a file called /etc/opendkim/KeyTable with the following line:

mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

Create a file called /etc/opendkim/SigningTable with the following line:

*@example.com mail._domainkey.example.com

Step 3 - Create the DKIM Keys

Enter the /etc/opendkim/keys/ directory and create a directory for your domain:

ubuntu /etc/opendkim/keys $ sudo mkdir example.com && cd example.com

Within this directory run the following command:

ubuntu /etc/opendkim/keys/example.com $ sudo opendkim-genkey -s mail -d example.com

Update the owner of the mail.private file:

ubuntu /etc/opendkim/keys/example.com $ sudo chown opendkim:opendkim mail.private

Step 4 - Add DKIM Record to DNS

Add the contents of the mail.txt file as a TXT record in your domain's DNS settings, and then restart postfix and opendkim:

ubuntu /etc/opendkim/keys/example.com $ sudo service postfix restart
ubuntu /etc/opendkim/keys/example.com $ sudo service opendkim restart

Send a test email and check the headers to see if DKIM is passing.

Step 5 - Test the DKIM Record

ubuntu /etc/opendkim $ opendkim-testkey -d example.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

Setting Up SPF

Add an SPF TXT record to your domain's DNS that authorizes the host we've just configured to send email on behalf of the primary domain. Ex.:

v=spf1 include:example.com ~all

Miscellaneous

Inspect Postfix Mail Queue:

sudo postqueue -p

Delete Deferred Messages from the Mail Queue:

sudo postsuper -d ALL deferred

Helpful Links

• https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-16-04
• https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy