Script for setting up an email server automatically
Log | Files | Refs | README

commit b95fdd933456fdf5c25f12b82dbbe4476084c38e
parent e37db0b9edb487cbfe63ddbe7a85fb75649a63fc
Author: Luke Smith <>
Date:   Mon,  7 Dec 2020 15:19:33 -0500

Merge branch 'master' of

Diffstat: | 12+++++++++--- | 16++++++++++++++--
2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/ b/ @@ -10,7 +10,7 @@ sizeable network of people with email servers thanks to this script. I've linked this file on Github to a shorter, more memorable address on my website so you can get it on your machine with this short command: -``` +```sh curl -LO ``` @@ -21,7 +21,7 @@ give your full domain without any subdomain, i.e. ``. - **Postfix** to send and receive mail. - **Dovecot** to get mail to your email client (mutt, Thunderbird, etc.). -- Config files that unique the two above securely with native log-ins. +- Config files that link the two above securely with native log-ins. - **Spamassassin** to prevent spam and allow you to make custom filters. - **OpenDKIM** to validate you so you can send to Gmail and other big sites. @@ -128,4 +128,10 @@ support me at []( [this site]( to see if it is. Don't worry if you are: sometimes especially new domains are automatically assumed to be spam temporarily. If you are blacklisted by one of these, look into it - and it will explain how to remove yourself. + and it will explain why and how to remove yourself. +- Check your DNS settings using [this site](, it'll report + any issues with your MX records +- Ensure that port 25 is open on your server. + [Vultr]( for instance + blocks this by default, you need to open a support ticket with them to open + it. You can't send mail if 25 is blocked diff --git a/ b/ @@ -38,7 +38,7 @@ apt install postfix dovecot-imapd dovecot-sieve opendkim spamassassin spamc # Check if OpenDKIM is installed and install it if not. which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools domain="$(cat /etc/mailname)" -subdom="mail" +subdom=${MAIL_SUBDOM:-mail} maildomain="$subdom.$domain" certdir="/etc/letsencrypt/live/$maildomain" @@ -66,6 +66,15 @@ postconf -e "smtpd_use_tls = yes" postconf -e "smtpd_tls_auth_only = yes" postconf -e "smtp_tls_security_level = may" postconf -e "smtp_tls_loglevel = 1" +postconf -e "smtp_tls_CAfile=$certdir/cert.pem" +postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "tls_preempt_cipherlist = yes" +postconf -e "smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, + DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, + RSA+AES, eNULL" # Here we tell Postfix to look to Dovecot for authenticating users/passwords. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth @@ -127,6 +136,9 @@ echo "# Dovecot config ssl = required ssl_cert = <$certdir/fullchain.pem ssl_key = <$certdir/privkey.pem +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH +ssl_prefer_server_ciphers = yes ssl_dh = </usr/share/dovecot/dh.pem # Plaintext login. This is safe and easy thanks to SSL. auth_mechanisms = plain login @@ -235,7 +247,7 @@ chmod g+r /etc/postfix/dkim/* # Generate the OpenDKIM info: echo "Configuring OpenDKIM..." grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null || -echo "$subdom._domainkey.$domain $domain:mail:/etc/postfix/dkim/mail.private" >> /etc/postfix/dkim/keytable +echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$subdom.private" >> /etc/postfix/dkim/keytable grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null || echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable