Notes: Mail Server Madness

To avoid being flagged a spammer, your DNS server (and SMTP server) needs to be configured for:

  • PTR Records (Host)
  • SPF Records (DNS)
  • DKIM Records (DNS + SMTP)
  • DMARC Records (DNS + an email address)
  • TLS Certificate (an SSL Certifiate for your mail domain)

The last one is required to send encrypted mail.

PTR Record

Also known as the Reverse DNS. This is SUPER REQUIRED OMG!

It should reference your mail server. i.e.

SPF Records

These are easy. Add them to your DNS. TXT records are most important (one site says SPF records were obsoleted).

DKIM Records

This was very difficult to get working! To make matters worse, WordPress is stuid, and hasn’t fixed this even though it’s very broken and causes problems. WTF.

About the WP bug:

Setting up DKIM Tools:

DKIM with Postfix

A useful tool for generating the correct public/private key files (public key requires fancy formatting).

Add a TXT record for the DKIM public key:

If configured and sent correctly, your emails will include a DKIM signature section in the header (the private key).

The key thing to know here is that the “s=mail” should match the name (i.e. the mail in mail._domainkey).

More DKIM:

How to get DKIM (DomainKeys Identified Mail) working with Postfix on RHEL 5 / CentOS 5 using OpenDKIM

DMARC Records

Just a simple record that tells people where to send reports.

This link above told me everything I needed. I added a simple record to my cloudflare, and it was good. Reports started showing up.


SSMTP is a sendmail compatible light client that forwards e-mails to other addresses. It’s not a mailserver.

Installing Postfix

Postfix is an SMTP server. It should be installed like so.


It can be configured as a “SEND ONLY” server.

Details on how it can be CHROOT’ed are in the documentation:

Some useful commands:

(mailq, postfix flush, postsuper)

Apparently easy to add to PHP (if not already working… it might be).

Configure Postfix/Sendmail for PHP mail() in Ubuntu


TLS Encryption

Encrypting emails is another issue that needs to be dealt with.

Create/follow the instructions here, and generate a free certificate for your domain.

Configure Postfix TLS with a Free StartSSL Certificate

It required a passphrase to generate the CSR+KEY. However, Postfix does not support KEYs with a password.

I tried this reference without luck (though I didn’t follow all configuration instructions).

This is how to force TLS, but not necessary once configured correctly.

Getting root emails forwarded

Was pretty easy.

Add a line “root: [email protected]” to ‘/etc/aliases’. run ‘newaliases’. Magic.

SRS Forwarding

The above is easy, but will fail SPF checks. The sender needs to be modified to correctly forward an e-mail, then the SPF can be regenerated. This is done using SRS.

The ‘postsrsd’ package *IS* available on Ubuntu now, so just apt-get it.

More info on SRS:

rsyslogd-2007: action ‘action 9’ suspendend

When you look at the syslog (/var/log/syslog), you see lines like the above.

This (or lines like it) are caused by a default Ubuntu/Debian configuration. At the bottom of “/etc/rsyslog.d/50-default.conf”, there are a several lines that describe logging to xconsole. Xconsole, AFAIK is the XWindows logger. Oops! So that’s not going to work while running a headless server.

Socket Madness

You can bind the default /var/run folder to use the default unix domain socket config.

NOTE: The OpenDKIM service does some funny stuff regarding settings. If you customize the socket, it sometimes appends your socket settings to “/etc/default/opendkim“.

To work around this, I had to start from scratch.

Purge is required. Otherwise, the old config files will stick around.