====== Internet Email Server Setup ======

===== Tools =====

https://ssl-tools.net/mailservers/irig106.org
https://mxtoolbox.com/

===== TLS Certificate =====

[[http://www.postfix.org/TLS_README.html#quick-start|TLS Quick and Dirty Setup]]
http://www.postfix.org/TLS_README.html
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
http://www.flatmtn.com/article/setting-openssl-create-certificates

  * Edit openssl.cnf for defaults
  * Generate the CA certificate - the first cert is the Authority cert. It is self-signed, so this is ''openssl req -x509'' (''openssl ca'' is the signing tool and has no ''-new''/''-x509'' options):
<code>
openssl req -new -x509 -extensions v3_ca -keyout private/CA-key.pem -out CA-cert.pem -days 3650 -config ./openssl.cnf -nodes
</code>
  * Generate the server certificate - create the server cert request to be signed by the CA Authority. No ''-x509'' here, otherwise the output is a second self-signed certificate rather than a request:
<code>
openssl req -new -keyout private/email-key.pem -out email-req.pem -days 3650 -config ./openssl.cnf -nodes
</code>
  * Sign the server certificate - sign the server cert request (''email-req.pem'') with our own CA cert using ''openssl ca''

Hmmm... just for openssl support run the script...
<code>
/usr/libexec/dovecot/mkcert.sh
</code>

In Postfix be sure to set these in main.cf:
<code>
# From http://www.postfix.org/TLS_README.html#quick-start
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_CAfile =
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file =
smtpd_tls_key_file =
smtpd_tls_CAfile =
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = MD5,DES,RC4
</code>

SMTP TLS checker tools
  * [[https://ssl-tools.net/mailservers/|SSL Tools]]
  * [[https://luxsci.com/smtp-tls-checker|LUXSCI]]

===== SPF =====

irig106.org TXT record
<code>
"v=spf1 ip4:198.89.126.181 ~all"
</code>

Others (no ''~all'' on this one: RFC 7208 says a ''redirect='' modifier is ignored whenever an ''all'' mechanism is present, so ''redirect=irig106.org ~all'' would never consult the irig106.org record and would softfail every sender)
<code>
"v=spf1 redirect=irig106.org"
</code>

===== DMARC =====

http://dmarc.org/resources.html
<code>
_dmarc.irig106.org TXT "v=DMARC1; p=none; rua=mailto:bob.dmarc@irig106.org; ruf=mailto:bob.dmarc@irig106.org"
_dmarc.baggerman.org TXT "v=DMARC1; p=none; rua=mailto:bob.dmarc@baggerman.org; ruf=mailto:bob.dmarc@baggerman.org"
</code>

===== DKIM =====

[[http://opendkim.org/|OpenDKIM]]
[[https://www.howtoforge.com/set-up-dkim-domainkeys-identified-mail-working-with-postfix-on-centos-using-opendkim]]
[[https://www.rosehosting.com/blog/how-to-install-and-integrate-opendkim-with-postfix-on-a-centos-6-vps/|Install on CentOS6]]
[[http://edoceo.com/howto/opendkim|More HowTo]]
[[https://help.ubuntu.com/community/Postfix/DKIM|DKIM/Postfix]]

Requires
  * OpenSSL
  * libmilter

===== libmilter =====

Building the DKIM milter requires the sendmail development environment. Unfortunately installing the yum package installs sendmail itself, a real hassle.
http://www.linuxfromscratch.org/blfs/view/cvs/server/sendmail.html
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.15.2.tar.gz
<code>
cd libmilter
sh ./Build
</code>

===== DANE =====

[[https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities|DNS-based Authentication of Named Entities]]
https://ssl-tools.net/dane
https://ssl-tools.net/tlsa-generator
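For the TLS Certificate section: the three openssl steps (CA cert, server request, signing) run end to end, then checked with ''openssl verify''. This is an added example, not the wiki's or Postfix's code; it assumes an ''openssl'' binary on PATH, writes its own minimal openssl.cnf, and uses placeholder names (''mail.example.invalid'', "Example Private CA").

```python
"""Added example, not from the wiki page: run the three-step private-CA
procedure (CA cert, server CSR, signing) through the openssl CLI with a
minimal openssl.cnf written on the fly, then verify the result.
Assumes an 'openssl' binary on PATH; host and subject names are placeholders."""
import os
import subprocess
import tempfile

# Minimal openssl.cnf: [ca] is what 'openssl ca' needs to sign requests,
# [req] is what 'openssl req' needs to make the CA cert and the CSR.
OPENSSL_CNF = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = {dir}
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/CA-cert.pem
private_key = $dir/private/CA-key.pem
default_md = sha256
default_days = 365
policy = policy_anything
x509_extensions = server_cert
[ policy_anything ]
commonName = supplied
organizationName = optional
[ req ]
default_bits = 2048
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:{host}
"""


def run(args, cwd):
    """Run one openssl command; a failing step raises with its stderr attached."""
    return subprocess.run(args, cwd=cwd, check=True, capture_output=True, text=True)


def build_ca_and_server_cert(workdir, host="mail.example.invalid"):
    """Create the CA, a server CSR and the signed server cert inside workdir."""
    os.makedirs(os.path.join(workdir, "private"))
    os.makedirs(os.path.join(workdir, "newcerts"))
    open(os.path.join(workdir, "index.txt"), "w").close()  # empty CA database
    with open(os.path.join(workdir, "serial"), "w") as f:
        f.write("01\n")                                     # first serial number
    with open(os.path.join(workdir, "openssl.cnf"), "w") as f:
        f.write(OPENSSL_CNF.format(dir=workdir, host=host))
    # 1. CA certificate: self-signed, so 'openssl req -x509' (not 'openssl ca').
    run(["openssl", "req", "-new", "-x509", "-extensions", "v3_ca", "-nodes",
         "-keyout", "private/CA-key.pem", "-out", "CA-cert.pem", "-days", "3650",
         "-config", "openssl.cnf", "-subj", "/CN=Example Private CA"], workdir)
    # 2. Server key and certificate *request*: no -x509, or you get a second
    #    self-signed cert instead of a CSR.
    run(["openssl", "req", "-new", "-nodes", "-keyout", "private/email-key.pem",
         "-out", "email-req.pem", "-config", "openssl.cnf",
         "-subj", "/CN=" + host], workdir)
    # 3. Sign the request with the CA (the step the wiki lists without a command).
    run(["openssl", "ca", "-batch", "-notext", "-config", "openssl.cnf",
         "-in", "email-req.pem", "-out", "email-cert.pem"], workdir)
    return os.path.join(workdir, "email-cert.pem")


def verify_chain(workdir):
    """True when email-cert.pem validates against CA-cert.pem ('openssl verify')."""
    result = subprocess.run(["openssl", "verify", "-CAfile", "CA-cert.pem", "email-cert.pem"],
                            cwd=workdir, capture_output=True, text=True)
    return result.returncode == 0


def demo():
    """Build everything in a scratch directory and report whether the chain verifies."""
    with tempfile.TemporaryDirectory() as d:
        build_ca_and_server_cert(d)
        return verify_chain(d)


if __name__ == "__main__":
    print("chain verifies:", demo())
```

For a production CA the ''serial'', ''index.txt'' and ''private/'' directory live outside a temp dir and the key files get ''-nodes'' dropped (an encrypted CA key); the point here is the split between ''openssl req -x509'' for the self-signed root, ''openssl req'' for the request, and ''openssl ca'' for the signature.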
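For the Postfix main.cf settings in the TLS Certificate section: a small checker that parses main.cf and flags what the quick-start list leaves empty or weak. One caveat it encodes: with ''smtp_tls_security_level = may'' / ''smtpd_tls_security_level = may'' (opportunistic TLS) the ''*_tls_mandatory_protocols'' lines are not consulted at all; the ''*_tls_protocols'' parameters govern, so they should exclude SSLv2/SSLv3 explicitly. This is an added example, not Postfix's or the wiki's code; both main.cf fragments and the certificate paths in them are constructed.

```python
"""Added example, not from the wiki page: parse the TLS parameters out of a
Postfix main.cf and flag weak or empty settings. Both fragments are
constructed inputs; the file paths in them are placeholders."""
import re

# Constructed: the quick-start list with empty cert paths and RC4 left out.
WEAK_MAIN_CF = """\
# From http://www.postfix.org/TLS_README.html#quick-start
smtp_tls_security_level = may
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_cert_file =
smtpd_tls_key_file =
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = MD5,DES
"""

# Constructed: the same settings with the gaps closed.
FIXED_MAIN_CF = """\
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/email-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/email-key.pem
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = MD5, DES, RC4
"""


def parse_main_cf(text):
    """'name = value' lines into a dict; an indented line continues the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params


def _tokens(value):
    """Postfix lists are comma and/or whitespace separated."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def check_tls(params):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    for side in ("smtp", "smtpd"):
        level = params.get(side + "_tls_security_level", "none")
        if level == "none":
            findings.append(side + "_tls_security_level is none: TLS is off")
            continue
        if level == "may":
            # Opportunistic TLS ignores *_tls_mandatory_protocols entirely.
            proto_key = side + "_tls_protocols"
            if proto_key not in params:
                findings.append(proto_key + " not set: with security_level=may the "
                                "_mandatory_protocols line does not apply")
                continue
        else:
            proto_key = side + "_tls_mandatory_protocols"
        toks = _tokens(params.get(proto_key, ""))
        excluded = {t[1:] for t in toks if t.startswith("!")}
        if any(t.startswith(">=") for t in toks):      # Postfix 3.6+ '>=TLSv1.2' form
            excluded |= {"SSLv2", "SSLv3"}
        for old in ("SSLv2", "SSLv3"):
            if old not in excluded:
                findings.append(proto_key + " does not exclude " + old)
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(key):
            findings.append(key + " is empty: the server cannot offer STARTTLS")
    missing = {"MD5", "DES", "RC4"} - set(_tokens(params.get("smtpd_tls_exclude_ciphers", "")))
    if missing:
        findings.append("smtpd_tls_exclude_ciphers is missing " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for f in check_tls(parse_main_cf(WEAK_MAIN_CF)):
        print("weak:", f)
```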
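For the SPF section: a minimal RFC 7208 evaluator over an in-memory zone, covering ''ip4''/''ip6'', ''include'', ''all'' and the ''redirect='' modifier, so the difference between ''redirect=irig106.org'' and ''redirect=irig106.org ~all'' can be seen rather than taken on faith. This is an added example, not the wiki's code or a real SPF library; the ''ZONE'' dictionary is a constructed stand-in for DNS TXT lookups (the irig106.org record and IP are the ones from this page, ''baggerman.org'' and ''broken.example'' records are constructed), and the ''a'', ''mx'', ''ptr'' and ''exists'' mechanisms, which need live DNS, are not modelled.

```python
"""Added example, not from the wiki page: a small SPF (RFC 7208) evaluator
over a constructed zone, enough to show why 'redirect=' must not share a
record with an 'all' mechanism."""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
ZONE = {
    "irig106.org": "v=spf1 ip4:198.89.126.181 ~all",        # record from the page
    "baggerman.org": "v=spf1 redirect=irig106.org",         # correct 'Others' form
    "broken.example": "v=spf1 redirect=irig106.org ~all",   # 'all' makes redirect dead
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, zone=ZONE, depth=0):
    """Return the SPF result for a sender IP claiming 'domain' (RFC 7208 §2.6 names)."""
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:                                          # loop / too many lookups
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):            # modifier, not a mechanism
            redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                                   # always matches...
            return QUALIFIERS[qual]                         # ...so nothing after it runs
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            if check_spf(ip, arg, zone, depth + 1) == "pass":
                return QUALIFIERS[qual]
        # a / mx / ptr / exists need live DNS and are not modelled here
    # Reached only when no 'all' was present: that is exactly RFC 7208 §6.1's
    # rule that a redirect is ignored whenever the record contains 'all'.
    if redirect:
        result = check_spf(ip, redirect, zone, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"


if __name__ == "__main__":
    for dom in ZONE:
        print(dom, "->", check_spf("198.89.126.181", dom))
```

Run against the zone above, ''baggerman.org'' yields pass for the irig106.org address because the redirect is followed, while ''broken.example'' yields softfail for the very same address: its ''~all'' is reached first and the redirect is never evaluated.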
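For the DMARC section: a parser and sanity check for ''_dmarc'' TXT records (RFC 7489) such as the two above. It verifies the ''v=DMARC1'' prefix, the required ''p='' tag, ''pct='', and that ''rua''/''ruf'' are ''mailto:'' URIs; it also flags report addresses outside the policy domain, which the receiving domain must authorise with a ''<policy-domain>._report._dmarc.<report-domain>'' TXT record (RFC 7489 §7.1; this example compares against the policy domain itself rather than its organizational domain). This is an added example, not the wiki's code; the first record is the irig106.org one from this page, the bad record and ''third-party.example'' are constructed.

```python
"""Added example, not from the wiki page: parse a DMARC TXT record
(RFC 7489) and report the problems a practitioner checks for before
publishing it. GOOD_RECORD is from the page; BAD_RECORD is constructed."""
import re

GOOD_RECORD = "v=DMARC1; p=none; rua=mailto:bob.dmarc@irig106.org; ruf=mailto:bob.dmarc@irig106.org"
BAD_RECORD = "v=DMARC1; rua=mailto:reports@third-party.example; pct=150"   # constructed

# mailto:local@domain with an optional RFC 7489 size limit suffix (!10m)
MAILTO = re.compile(r"mailto:([^@\s,!]+)@([^@\s,!]+)(?:![0-9]+[kmgt]?)?$", re.I)


def parse_dmarc(record):
    """'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    return tags


def _report_domain_ok(uri_host, policy_domain):
    """Reports to the policy domain (or a subdomain) need no extra DNS; any
    other destination needs a <policy>._report._dmarc.<host> record."""
    h, d = uri_host.lower(), policy_domain.lower()
    return h == d or h.endswith("." + d)


def check_dmarc(policy_domain, record):
    """Return (tags, problems); an empty problems list means the record is usable."""
    problems = []
    first = record.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        problems.append("record must begin with v=DMARC1")
    tags = parse_dmarc(record)
    p = tags.get("p")
    if p is None:
        problems.append("missing required p= tag")
    elif p.lower() not in ("none", "quarantine", "reject"):
        problems.append("unknown policy p=" + p)
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct must be 0..100, got " + pct)
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            m = MAILTO.match(uri)
            if not m:
                problems.append(tag + ": not a mailto: URI: " + uri)
            elif not _report_domain_ok(m.group(2), policy_domain):
                problems.append("%s: %s must publish %s._report._dmarc.%s"
                                % (tag, m.group(2), policy_domain, m.group(2)))
    return tags, problems


def is_enforcing(tags):
    """p=none only monitors; quarantine/reject actually act on failures."""
    return tags.get("p", "none").lower() in ("quarantine", "reject")


if __name__ == "__main__":
    for dom, rec in (("irig106.org", GOOD_RECORD), ("irig106.org", BAD_RECORD)):
        tags, problems = check_dmarc(dom, rec)
        print(dom, "enforcing" if is_enforcing(tags) else "monitor-only", problems)
```

''p=none'' as published above is the right starting point (aggregate reports arrive at ''rua'' without affecting delivery); moving to ''quarantine'' or ''reject'' is what eventually makes the record enforce anything.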
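For the DANE section: how a TLSA record (RFC 6698) for the SMTP port is built and matched. Two points a practitioner wants: the owner name is ''_25._tcp.'' plus the MX host name (the name the TLS server is contacted as), not the mail domain; and RFC 7672 recommends ''3 1 1'' or ''2 1 1'' for SMTP, i.e. selector 1 (SubjectPublicKeyInfo), which needs a DER parser and is not implemented here, so this example uses selector 0 (full certificate), for which the hash is simply over the DER bytes (the TLSA generator linked above produces the record from a real certificate). This is an added example, not the wiki's code; the certificate bytes are constructed stand-ins, not real certificates.

```python
"""Added example, not from the wiki page: build and check DANE TLSA records
(RFC 6698) for an SMTP host. The 'DER' byte strings are constructed
stand-ins, not real certificates."""
import hashlib

SERVER_DER = b"constructed-der-cert-" + bytes(range(64))   # constructed
OTHER_DER = b"constructed-other-cert-" + bytes(range(32))  # constructed

DANE_TA, DANE_EE = 2, 3                 # certificate usage: trust anchor / end entity
SEL_CERT, SEL_SPKI = 0, 1               # selector: full certificate / SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def association_data(der, matching_type):
    """Hex 'certificate association data' for the given matching type."""
    if matching_type == MATCH_FULL:
        return der.hex()
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(der).hexdigest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(der).hexdigest()
    raise ValueError("unknown matching type %d" % matching_type)


def tlsa_record(mx_host, der, port=25, usage=DANE_EE, selector=SEL_CERT, matching=MATCH_SHA256):
    """Zone-file line for the MX host. Only selector 0 is implemented: selector 1
    would hash the SubjectPublicKeyInfo, which requires parsing the DER."""
    if selector != SEL_CERT:
        raise NotImplementedError("selector 1 needs SPKI extraction from the certificate")
    return "_%d._tcp.%s. IN TLSA %d %d %d %s" % (
        port, mx_host, usage, selector, matching, association_data(der, matching))


def parse_tlsa(line):
    """Split a zone-file line into (owner, usage, selector, matching, data)."""
    owner, _class, rtype, usage, selector, matching, data = line.split()
    if rtype.upper() != "TLSA":
        raise ValueError("not a TLSA record")
    return owner, int(usage), int(selector), int(matching), data.lower()


def tlsa_matches(line, presented_der):
    """True when the presented certificate bytes satisfy a 3 0 x record."""
    _owner, usage, selector, matching, data = parse_tlsa(line)
    if usage != DANE_EE or selector != SEL_CERT:
        raise NotImplementedError("only DANE-EE with the full-certificate selector is modelled")
    return association_data(presented_der, matching) == data


if __name__ == "__main__":
    rec = tlsa_record("mail.example.invalid", SERVER_DER)
    print(rec)
    print("server cert matches:", tlsa_matches(rec, SERVER_DER))
    print("other cert matches: ", tlsa_matches(rec, OTHER_DER))
```

With DANE-EE (usage 3) the record pins the certificate itself, so it has to be re-published every time the certificate is renewed (or, with selector 1, whenever the key changes); a stale TLSA record is what makes DANE-verifying senders refuse to deliver.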