I was needed to send emails for my new project. I have explored SaaS services first. Free packages provided by them have a small amount of sending emails. So as long as I am a programmer, I decided to host my own sending email server.

After some research, I decided to stay with Postfix send-only configuration. Continue to read how to install and configure SMTP server to send emails and not send them to a spam folder.

Prerequisites

I used a single-core VPS with Ubuntu 18.04 for just 2.5 USD per month. My main app uses a table in DB as an email queue, so I have two NodeJS apps: one to handle the queue and second to get delivery status and update it in the main app DB. Tell me if you want to see it. Here is only the Postfix part.

I also have a domain. Let it be example.com here. Since it will be used for a website, I am using a subdomain email.example.com for the email server.

Postfix installation

Install Postfix using commands below:

sudo apt-get update
sudo apt install mailutils

During installation, select Internet Site option for type of mail configuration. As a System mail name enter your domain, e.g. example.com.

You can see domain later with this command:

cat /etc/mailname

Server configuration

Open the main config file with an editor:

sudo nano /etc/postfix/main.cf

Find inet_interfaces parameter and change it to loopback-only. With that parameter, Postfix will not listen for any connection from outside of VPS.

inet_interfaces = loopback-only

Other parameters and values to change for now:

mydestination = $myhostname, localhost.$mydomain, localhost

Set your mail domain as a server hostname:

sudo hostnamectl set-hostname email.example.com

Check the hostname with the command:

hostname --f

Edit /etc/hosts file and add that subdomain with your remote IP:

1.2.3.4    email.example.com email

Command to restart Postfix after configuration change:

sudo systemctl restart postfix

Command to check current configuration:

postconf -d

Create DKIM signature

Install DKIM tools:

sudo apt-get install opendkim opendkim-tools

Add the user to the group:

sudo gpasswd -a postfix opendkim

Open configuration file /etc/opendkim.conf:

sudo nano /etc/opendkim.conf

Then add or update parameters below in the configuration file:

Socket              inet:8892@localhost
Canonicalization    simple
Mode                sv
SubDomains          no
AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256
UserID              opendkim
KeyTable            refile:/etc/opendkim/key.table
SigningTable        refile:/etc/opendkim/signing.table
ExternalIgnoreList  /etc/opendkim/trusted.hosts
InternalHosts       /etc/opendkim/trusted.hosts

Create a folder for DKIM keys:

sudo mkdir -p /etc/opendkim/keys

Change folder permissions:

sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod go-rw /etc/opendkim/keys

Create opendkim signing table:

sudo nano /etc/opendkim/signing.table

With content inside:

*@example.com    default._domainkey.example.com

Then create key table:

sudo nano /etc/opendkim/key.table

With content inside:

default._domainkey.example.com     example.com:default:/etc/opendkim/keys/example.com/default.private

Add trusted hosts:

sudo nano /etc/opendkim/trusted.hosts

With content inside:

127.0.0.1
localhost
*.example.com

Create keys folder:

sudo mkdir /etc/opendkim/keys/example.com

Then generate keys:

sudo opendkim-genkey -b 2048 -d example.com -D /etc/opendkim/keys/example.com -s default -v

Change the private key file owner:

sudo chown opendkim:opendkim /etc/opendkim/keys/example.com/default.private

Then restart opendkim service:

sudo service opendkim restart

Check the key:

sudo opendkim-testkey -d example.com -s default -vvv

Now add or update parameters in the Postfix configuration file (/etc/postfix/main.cf):

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

Then restart Postfix:

sudo systemctl restart postfix

DNS configuration

You need to configure some DNS records. With that configuration, email services will not treat your emails as spam.

Add A record for the email.example.com:

Type: A
Name: email.example.com
Value: 1.2.3.4

Add SPF record:

Type: TXT
Name: example.com
Value: v=spf1 mx ~all

Add DMARC record:

Type: TXT
Name: _dmarc
Value: v=DMARC1; p=none

Add DKIM record. Use previously generated DKIM signature (/etc/opendkim/keys/example.com/default.txt):

Type: TXT
Name: default._domainkey
Value: v=DKIM1; h=sha256; k=rsa; p=you-key-here-without-spaces

Set PTR record (rDNS). You need to set it in your hosting provider’s control panel.

Set email.example.com as a hostname and 4.3.2.1.in-addr.arpa as IP address. IP should be in reversed order.

Check if it set correctly with the command below:

host 1.2.3.4

Email encryption

Install Certbot:

sudo apt install certbot

Then generate keys:

sudo certbot certonly --standalone -d email.example.com

Configure Postfix to use that keys. Add or edit parameters below in /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/letsencrypt/live/email.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/email.example.com/privkey.pem
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/letsencrypt/live/email.example.com
smtp_tls_security_level=may

Then restart Postfix:

sudo service postfix restart

Test

Send a test email with command:

echo "This is the body of the email" | mail -r test@example.com -s "This is the subject" your_email@gmail.com

Check spam score with online services, e.g.: https://www.mail-tester.com/ (not an ad).