{"id":549,"date":"2009-12-30T23:49:53","date_gmt":"2009-12-31T03:49:53","guid":{"rendered":"https:\/\/lowtek.ca\/roo\/?p=549"},"modified":"2023-11-24T14:02:54","modified_gmt":"2023-11-24T18:02:54","slug":"earning-trust-for-your-email-server","status":"publish","type":"post","link":"https:\/\/lowtek.ca\/roo\/2009\/earning-trust-for-your-email-server\/","title":{"rendered":"Earning Trust for Your Email Server"},"content":{"rendered":"<p>I host my own email server; this in itself is a very odd thing to do in this day and age. \u00a0If you want email to come from your domain, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Google_Apps\">Google offers this for free<\/a> and provides the same interface as Gmail. If you insist on running your own mail server, then setting it up to use your ISP as a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Smart_host\">smarthost<\/a> is the easy way to go (<a href=\"http:\/\/embraceubuntu.com\/2005\/09\/07\/setting-a-smarthost-in-postfix\/\">very easy<\/a> with <a href=\"https:\/\/help.ubuntu.com\/9.04\/installation-guide\/i386\/mail-setup.html\">Ubuntu<\/a>); of course I didn&#8217;t take that path.<\/p>\n<p>As an aside, setting up a mail server that uses <a href=\"http:\/\/fetchmail.berlios.de\/\">fetchmail<\/a> to gather email from the various accounts you have, and a smarthost configuration to send email, does give you most of the benefits of running your own mail server with very few headaches. \u00a0The reason to do this might be that you don&#8217;t want to trust Google (or someone else) to hold all your email, and\/or you don&#8217;t want the individual PCs in your house to be the storage for your email (hard to migrate to a new machine, hard to recover from a disaster). \u00a0This is how I started down the path of running my own true email server. 
[I keep thinking that someone should create an easy-to-install <a href=\"http:\/\/en.wikipedia.org\/wiki\/Network-attached_storage\">NAS<\/a> add-on that provides exactly this type of email server]<\/p>\n<p>Ok, maybe you don&#8217;t want to run your own email server but you&#8217;re interested in knowing what is involved&#8230; Having a static IP address is handy, mostly to save you from DNS issues. \u00a0While you can manage to have a domain name tied to a dynamic IP, many <a href=\"http:\/\/en.wikipedia.org\/wiki\/DNSBL#Uses_of_DNSBLs\">blacklists<\/a> include the IP ranges that ISPs use for dynamic addresses. \u00a0Of course you need a domain name, and a DNS server too. \u00a0You might also want to consider a <a href=\"http:\/\/en.wikipedia.org\/wiki\/MX_record#The_backup_MX\">secondary MX record<\/a>, in case your connection goes down. \u00a0You&#8217;ll also want to check that your ISP isn&#8217;t blocking outbound <a href=\"http:\/\/en.wikipedia.org\/wiki\/Port_25\">port 25<\/a>, and having a <a href=\"https:\/\/lowtek.ca\/roo\/2008\/reverse-dns\/\">valid reverse DNS<\/a> (PTR) record is important too: receiving servers check that your IP resolves to a hostname which resolves back to the same IP, and many also expect it to match the hostname your server announces in HELO.<\/p>\n<p>So you&#8217;ve followed the <a href=\"https:\/\/help.ubuntu.com\/community\/MailServer\">Ubuntu documentation<\/a> and set up a mail server, great. \u00a0Assuming your IP address is &#8220;clean&#8221; (i.e. not on a blacklist), then you can probably send email just fine. \u00a0Until you start hitting problems where spam filters have taken a dislike to your system &#8211; in my case it was <a href=\"http:\/\/www.rogers.com\/internet\">Rogers<\/a> (email provided by <a href=\"http:\/\/yahoo.com\">Yahoo<\/a>) that treated my outgoing mail as spam. \u00a0One solution is to have the recipient add your email address to their address book so they do still get to see your email. \u00a0It may still get tagged as [Bulk] but it won&#8217;t get lost. 
 \u00a0This isn&#8217;t a great solution for someone new you want to contact, or a friend who isn&#8217;t terribly technical.<\/p>\n<p>It turns out there are some additional measures you can take on the email server side to add more trust. \u00a0There are three I&#8217;ve implemented:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.openspf.org\/\">Sender Policy Framework (SPF)<\/a><\/li>\n<li><a href=\"https:\/\/help.ubuntu.com\/community\/Postfix\/DKIM\">DomainKeys Identified Mail (DKIM)<\/a><\/li>\n<li><a href=\"https:\/\/help.ubuntu.com\/community\/Postfix\/Domain\">Domain Keys<\/a><\/li>\n<\/ul>\n<p>All of them rely on the same basic &#8216;trick&#8217; of adding a TXT record to your DNS information that serves to validate the email. \u00a0This works because only whoever controls a domain&#8217;s DNS can publish those records: a botnet machine can forge your address in a message, but it cannot publish an SPF record or a signing key under your domain, so a receiver that checks DNS can tell the two apart. \u00a0SPF is simply a declaration of which IP addresses are allowed to send email for the domain; note that it is checked against the envelope sender (MAIL FROM) and the HELO name, not the From: header the recipient sees. \u00a0DKIM is an updated version of DomainKeys, but both can be used concurrently and some systems only know one. \u00a0Both DKIM and DomainKeys have the email server sign the email (selected headers and the body) with a secret (private) key, and the DNS record publishes the public key that validates the signature.<\/p>\n<p>After implementing all three, it turned out Yahoo was still tagging my email as spam. \u00a0Very frustrating. \u00a0One solution I did consider was to avoid the problem entirely and <a href=\"http:\/\/forum.soft32.com\/linux2\/postfix-smarthost-relayhost-domain-ftopict29748.html\">selectively smarthost<\/a> email going to rogers.com (and yahoo.com, etc.). \u00a0In the end, it turns out that Yahoo maintains a blacklist of sorts of their own and you can request to be removed. \u00a0To check this, you need access to a Yahoo email account that you can send test messages to. 
 \u00a0By examining the headers you will see X-YahooFilteredBulk if your IP is on their blacklist; this appears to be independent of your SPF\/DKIM\/DomainKeys authentication status, which should show as a pass. \u00a0The solution is to fill in the <a href=\"http:\/\/help.yahoo.com\/l\/us\/yahoo\/mail\/postmaster\/bulk.html\">Yahoo form<\/a>, and be persistent. \u00a0Much of the form will not apply but you do need to fill it in with something reasonable (and valid). \u00a0After a couple of exchanges over several days I was rewarded with this reply:<\/p>\n<blockquote><p><tt><span style=\"color: #1a1a1a;\">While we cannot fully exempt your mail server from our SpamGuard <\/span><\/tt><br \/>\n<tt><span style=\"color: #1a1a1a;\">technology, we have however, made appropriate changes to this IP address<\/span><\/tt><br \/>\n<tt><span style=\"color: #1a1a1a;\">in our database. This should help with delivering mail to the <\/span><\/tt><br \/>\n<tt><span style=\"color: #1a1a1a;\">appropriate Yahoo! folders.<\/span><\/tt><\/p><\/blockquote>\n<p>Now email sent to yahoo.com is not tagged as spam or [Bulk] &#8211; I did a little victory dance once this happened.<\/p>\n<p>The remainder of this post goes into some of the details of getting the three (SPF, DKIM, DomainKeys) implemented.<\/p>\n<p><!--more--><strong>Sender Policy Framework (SPF)<\/strong><\/p>\n<p>This is very simple as it only needs the addition of a TXT record to your domain&#8217;s DNS zone. 
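<\/p>\n<p>How a receiving server evaluates such a record, as an added example that is not part of the original post: a minimal RFC 7208 <code>check_host<\/code> for the mechanisms the post&#8217;s record uses (<code>a<\/code>, <code>mx<\/code>, <code>all<\/code>) plus <code>ip4<\/code> and <code>include<\/code>, run against a constructed in-memory DNS table so it works offline. The <code>v=spf1 a mx ~all<\/code> record is the one shown for lowtek.ca; the IP addresses (documentation ranges), the MX hostnames and the second domain <code>strict.example<\/code> with a hard-fail <code>-all<\/code> are made up for the example.<\/p>\n
```python
"""Minimal SPF (RFC 7208) check_host() over a constructed in-memory DNS table.

Added example, not code from the original post.  The lowtek.ca record
"v=spf1 a mx ~all" is the one the post shows; the IP addresses are from
documentation ranges and the MX hostnames and strict.example are made up.
"""
import ipaddress

# Constructed zone data standing in for live DNS: (name, record type) -> values.
FAKE_DNS = {
    ("lowtek.ca", "TXT"): ["v=spf1 a mx ~all"],
    ("lowtek.ca", "A"): ["192.0.2.10"],
    ("lowtek.ca", "MX"): ["mail.lowtek.ca", "mx2.example.net"],
    ("mail.lowtek.ca", "A"): ["192.0.2.10"],
    ("mx2.example.net", "A"): ["198.51.100.5"],
    # A stricter policy: one netblock, lowtek.ca's senders via include, hard fail.
    ("strict.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:lowtek.ca -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISM_LIMIT = 10  # RFC 7208 4.6.4: at most 10 DNS-querying mechanisms per check


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's SPF record, or None if it publishes none (or, invalidly, several)."""
    found = [r for r in lookup(domain, "TXT")
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def parse_term(term):
    """Split 'qualifier mechanism[:arg][/prefix]' into (qualifier, mech, arg, prefix)."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    mech, sep, rest = term.partition(":")
    mech = mech.lower()
    if mech in ("ip4", "ip6"):
        return qualifier, mech, rest, None      # the CIDR length stays with the address
    if sep:
        arg, _, prefix = rest.partition("/")    # a:host/24
    else:
        mech, _, prefix = mech.partition("/")   # a/24
        arg = ""
    return qualifier, mech, arg, (int(prefix) if prefix else None)


def host_matches(ip, names, prefix):
    """True if ip lies within any A record of the names (optionally widened to /prefix)."""
    plen = ip.max_prefixlen if prefix is None else prefix
    return any(ip in ipaddress.ip_network("%s/%d" % (addr, plen), strict=False)
               for name in names for addr in lookup(name, "A"))


def check_host(ip, domain, _budget=None):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending mail as domain."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    budget = [DNS_MECHANISM_LIMIT] if _budget is None else _budget  # shared across includes
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier, mech, arg, prefix = parse_term(term)
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"              # too many lookups: the record is unusable
            if mech == "a":
                matched = host_matches(ip, [target], prefix)
            elif mech == "mx":
                matched = host_matches(ip, lookup(target, "MX"), prefix)
            else:
                # include: only a "pass" from the included domain counts as a match
                matched = check_host(ip, target, budget) == "pass"
        else:
            return "permerror"                  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                            # nothing matched and no "all" term


if __name__ == "__main__":
    for sender, domain in [("192.0.2.10", "lowtek.ca"), ("203.0.113.9", "lowtek.ca"),
                           ("198.51.100.99", "strict.example")]:
        print(sender, domain, check_host(sender, domain))
```
<p>The qualifier on the first matching mechanism decides the result, so for an unlisted sender <code>~all<\/code> yields softfail (which most filters treat as a scoring hint) while <code>-all<\/code> yields fail; an <code>include<\/code> only counts when the included domain itself returns pass, and the shared lookup budget mirrors the ten-lookup limit that turns an over-long include chain into a permerror.<\/p>\n<p>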
 \u00a0The <a href=\"http:\/\/www.openspf.org\/\">SPF project website<\/a> provides additional information, a wizard to help create the record in the correct format and a testing tool.<\/p>\n<p>You can also test it manually using nslookup:<br \/>\n<code>$ nslookup<br \/>\n&gt; set type=TXT<br \/>\n&gt; lowtek.ca<br \/>\nlowtek.ca text = \"v=spf1 a mx ~all\"<\/code><\/p>\n<p>That record says the host in the domain&#8217;s A record and its MX hosts may send mail for it, and anything else is a soft fail (<code>~all<\/code>); <code>-all<\/code> would ask receivers to reject unauthorized sources outright.<\/p>\n<p>Optionally you can configure your email server to use <a href=\"https:\/\/help.ubuntu.com\/community\/Postfix\/SPF\">SPF to reject mail from unauthorized sources<\/a>.<\/p>\n<p><strong>DomainKeys Identified Mail (DKIM)<\/strong><\/p>\n<p>The <a href=\"https:\/\/help.ubuntu.com\/community\/Postfix\/DKIM\">Ubuntu documentation<\/a> on this is pretty straightforward. \u00a0The example \/etc\/dkim-filter.conf file provided has more changes than are strictly required. \u00a0You only need to set the values for: Domain, KeyFile, and Selector &#8211; the remainder of the file you can leave as is.<\/p>\n<p>Creating the key will look something like this (1024 bits was typical in 2009; today use 2048, which is what RFC 8301 recommends for DKIM signers, and make sure private.key is readable only by the user the filter runs as):<\/p>\n<p><code>$ openssl genrsa -out private.key 1024<br \/>\nGenerating RSA private key, 1024 bit long modulus<br \/>\n.........................................................++++++<br \/>\n.......++++++<br \/>\ne is 65537 (0x10001)<\/code><\/p>\n<p><code>$ openssl rsa -in private.key -out public.key -pubout -outform PEM<br \/>\nwriting RSA key<\/code><\/p>\n<p>I did get tripped up copying my public key into my DNS record. The public key will look like:<\/p>\n<p><code>$ cat public.key<br \/>\n-----BEGIN PUBLIC KEY-----<br \/>\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGwwxYKs9orS4a4dh3tUa4Ynwm<br \/>\njZf+cl\/VWA2xXglymfA9HXrWGpGN6PMXRsdlI3IbWQZYQAYQJT6PvCTfU92778v2<br \/>\nZGlChxTGvGPbtJUmrOlA72h1v\/lxMU63oOxLSPafWxpKT7ZQWT7ocriwwgaujmQg<br \/>\n\/U2S1bz1AJvF7jSXOwIDAQAB<br \/>\n-----END PUBLIC KEY-----<\/code><\/p>\n<p>Clearly you need to remove the BEGIN\/END lines, but the TXT record format must be on a single line. 
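<\/p>\n<p>Doing that conversion in code, and then checking the published record the way a verifier does, as an added example that is not part of the original post: the PEM below is the 1024-bit key printed above, the record name <code>mail._domainkey.lowtek.ca<\/code> is the one checked with nslookup further down, and the check messages and the 2048-bit splitting case are the example&#8217;s own. The same <code>p=<\/code> value is what goes into the DomainKeys selector record covered in the next section.<\/p>\n
```python
"""Build the DKIM TXT record from an OpenSSL PEM public key and sanity-check it.

Added example, not code from the original post.  PEM_PUBLIC_KEY is the
1024-bit key printed in the post and the record name (mail._domainkey.lowtek.ca)
matches the post's nslookup check; everything else is standard-library code.
"""
import base64

PEM_PUBLIC_KEY = """\
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGwwxYKs9orS4a4dh3tUa4Ynwm
jZf+cl/VWA2xXglymfA9HXrWGpGN6PMXRsdlI3IbWQZYQAYQJT6PvCTfU92778v2
ZGlChxTGvGPbtJUmrOlA72h1v/lxMU63oOxLSPafWxpKT7ZQWT7ocriwwgaujmQg
/U2S1bz1AJvF7jSXOwIDAQAB
-----END PUBLIC KEY-----
"""

TXT_STRING_MAX = 255  # RFC 1035: each <character-string> in TXT RDATA holds at most 255 octets


def pem_to_base64(pem):
    """Drop the BEGIN/END armour and line breaks, leaving the one base64 string DKIM wants."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def dkim_txt_value(pem, testing=False):
    """RFC 6376 key record: v=DKIM1; k=rsa; [t=y;] p=<base64 SubjectPublicKeyInfo>."""
    tags = ["v=DKIM1", "k=rsa"]
    if testing:
        tags.append("t=y")  # testing mode: verifiers must not treat failures as significant
    tags.append("p=" + pem_to_base64(pem))
    return "; ".join(tags)


def split_txt_strings(value):
    """Cut a long value into <=255-octet strings; a 2048-bit key needs this, 1024 does not."""
    return [value[i:i + TXT_STRING_MAX] for i in range(0, len(value), TXT_STRING_MAX)]


def zone_file_line(selector, domain, pem):
    """The record as it would appear in a BIND-style zone file."""
    quoted = " ".join('"%s"' % s for s in split_txt_strings(dkim_txt_value(pem)))
    return "%s._domainkey.%s. IN TXT ( %s )" % (selector, domain, quoted)


def parse_dkim_record(strings):
    """Rejoin the TXT strings as a resolver returns them and parse the tag=value list."""
    tags = {}
    for item in "".join(strings).split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def der_sequence_length(der):
    """Length of an outer DER SEQUENCE including its header, or -1 if it is not one."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_dkim_key(tags):
    """The checks a verifier makes before trusting a key; returns 'ok' or the problem."""
    if tags.get("v", "DKIM1") != "DKIM1":
        return "bad version tag"
    if tags.get("k", "rsa") != "rsa":
        return "unsupported key type"
    if "p" not in tags:
        return "missing p= tag"
    p = "".join(tags["p"].split())  # RFC 6376: whitespace inside p= is ignored
    if p == "":
        return "key revoked (empty p=)"
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        return "p= is not valid base64"
    if der_sequence_length(der) != len(der):
        return "p= is not a DER SubjectPublicKeyInfo"
    return "ok"


if __name__ == "__main__":
    print(zone_file_line("mail", "lowtek.ca", PEM_PUBLIC_KEY))
    record = split_txt_strings(dkim_txt_value(PEM_PUBLIC_KEY))
    print(check_dkim_key(parse_dkim_record(record)))
```
<p>Verifiers tolerate whitespace inside <code>p=<\/code>, but most DNS editors do not accept a multi-line value, which is where the copy-and-paste trouble comes from; the last check (DER length against decoded length) is what catches a key that was pasted with a line missing, since a truncated base64 string can still decode without error.<\/p>\n<p>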
 \u00a0So the key has to be edited into one long string of characters, and the record itself carries a few tags in front of it: <code>v=DKIM1; k=rsa; p=&lt;that string&gt;<\/code>, published at <code>&lt;selector&gt;._domainkey.&lt;domain&gt;<\/code>.<\/p>\n<p>There are some <a href=\"http:\/\/www.sendmail.org\/dkim\/tools\">testing tools available at sendmail.org<\/a>. \u00a0You can also manually test using nslookup to validate the data in your DNS entry:<\/p>\n<p><code>$ nslookup -query=txt mail._domainkey.lowtek.ca<\/code><\/p>\n<p>Gmail validates DKIM (and SPF), so a simple test is to send email to a Gmail account and view the headers. \u00a0Look for <code>dkim=pass<\/code> in the Authentication-Results header entry.<\/p>\n<p><strong>Domain Keys<\/strong><\/p>\n<p>Again the <a href=\"https:\/\/help.ubuntu.com\/community\/Postfix\/DomainKeys\">Ubuntu documentation<\/a> is a good guide. \u00a0This is very similar to the DKIM setup so it went smoothly for me. \u00a0The only difference is that it uses two TXT records instead of a single record: the selector&#8217;s key record, plus a per-domain policy record at <code>_domainkey.&lt;domain&gt;<\/code>. \u00a0DomainKeys has since been superseded by DKIM, and few receivers still check it.<\/p>\n<p>I did come across a <a href=\"http:\/\/www.brandonchecketts.com\/emailtest.php\">nice testing site<\/a> for all of these technologies.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I host my own email server; this in itself is a very odd thing to do in this day and age. \u00a0If you want email to come from your domain, Google offers this for free and provides the same interface as Gmail. 
If you insist on running your own mail server, then setting it up &hellip; <a href=\"https:\/\/lowtek.ca\/roo\/2009\/earning-trust-for-your-email-server\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Earning Trust for Your Email Server&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,12],"tags":[],"class_list":["post-549","post","type-post","status-publish","format-standard","hentry","category-computing","category-how-to"],"_links":{"self":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/comments?post=549"}],"version-history":[{"count":9,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/549\/revisions"}],"predecessor-version":[{"id":2236,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/549\/revisions\/2236"}],"wp:attachment":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/media?parent=549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/categories?post=549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/tags?post=549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}