本文最后更新于 225 天前,其中的信息可能已经有所发展或是发生改变。
Tips1
- 域名需要正常的顶级域名 com、net 等出名后缀
- 域名需要注册满7、14、30天以上,时间越短越不利好
- 文中所有的
example.com均要替换为自己的根域名 - 文中的
postmaster修改为自己的喜欢的名称 - 文章所有关键字段全部已进行脱敏处理
- 建议复制下来,自行进行文本替换后进行使用
- 请根据实际情况进行更改,请勿照抄
- 需要安装1panel、或者自行使用docker-compose安装
Maddy Mail Server - 测试系统Debian11
Tips2
- 需要开放防火墙端口和信息
| 信息 | 端口 |
|---|---|
| SMTP 入站端口 | 25 |
| IMAP4 端口 | 143 |
| IMAP4 端口 | 993 |
| SMTP 提交端口 | 465 |
| SMTP 提交端口 | 587 |
| POP3 端口 | 110 |
| POP3 端口 | 995 |
| 邮箱 MX 主机名 | mx1.example.com |
| 邮箱域名 | example.com |
Tips3
- 需要开通25端口
- 需要支持 TXT、PTR{不支持ptr记录很难发进gmail}、DMARC、SPF、DKIM、rDNS
- 需要支持 IMAP和IMAP+,SMTP
- 需要反病毒扫描器 、反垃圾邮件、自动学习、灰名单
常见扣分项
大项
- Untrustworthy TLDs
- FROM_SUSPICIOUS_NTLD – From abused NTLD
- From domain was registered in last 7 days
- Delivered to internal network by a host with no rDNS,This may indicate you do not have a rDNS configured for your hostname or the rDNS does not match your sending IP
- SPF: HELO does not match SPF record (softfail)softfail
小项
- FROM_SUSPICIOUS_NTLD_FP – From abused NTLD
- From domain was registered in last 7-14 days
- Bulk signature with no Unsubscribe
- HTML included in message
正式教程
修改Linux主机名称
hostnamectl set-hostname mx1.example.comResult
root@mx1:~# hostname
mx1.example.com
root@mx1:~# hostname -f
mx1.example.com安装1panel > Maddy Mail Server
过程省略
创建Volume
docker volume create maddydata进入容器创建ssl
# 进入存储卷路径
cd $(docker volume inspect maddydata --format '{{.Mountpoint}}')
# 创建证书文件夹
mkdir -p tls上传证书和私钥到tls文件夹,并重命名为
- fullchain.pem
- privkey.pem
设置DKIM DNS解析
cd $(docker volume inspect maddydata --format '{{.Mountpoin
t}}')
`dkim_keys`路径下会有个类似`example.com_default.dns`的文件
`cat dkim_keys/example.com_default.dns`
default._domainkey.example.com. TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="DKIM DNS解析 便捷查看命令
cat $(docker volume inspect maddydata --format '{{.Mountpoint}}')/dkim_keys/*.dnsResult {脱敏处理}
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyC5/ApPYyzpz1NkgBlUzt8vjss81Jiq/****************************/qx6jpZWkYm5FWYY1EeJrlXL6oq/Xz1VSRuzScT/PpZ1DnGRbV21****************************tMYe3UUV5F4GMMV+****************************/****************************+UTHCxj7nYRzTSMfNQIDAQAB添加其他的解析
- 注意按需修改
| 记录类型 | 域名 | 值 |
|---|---|---|
| A(必) | mx1.example.com |
服务器ipv4地址 |
| A | example.com |
服务器ipv4地址 |
| AAAA | mx1.example.com |
服务器ipv6地址(如果有) |
| AAAA | example.com |
服务器ipv6地址(如果有) |
| MX(必) | example.com |
mail.example.com |
| CNAME | mail.exampel.com | 设置通俗易懂的CNAME解析 |
| TXT(必) | mx1.example.com(二选一、测试) |
v=spf1 mx ~all |
| TXT(必) | mx1.example.com(二选一、测试) |
v=spf1 mx ip4:74.**.**.142/32 -all |
| TXT(必) | example.com |
v=spf1 mx ~all |
| TXT(必) | _dmarc.example.com |
v=DMARC1; p=quarantine; ruf=mailto:[email protected] |
| TXT | _mta-sts.example.com |
v=STSv1; id=1 |
| TXT | _smtp._tls.example.com |
v=TLSRPTv1;rua=mailto:[email protected] |
官方DNS records
How it is configured depends on your DNS provider (or server, if you run your own). Here is how your DNS zone should look like:
; Basic domain->IP records, you probably already have them.
example.org. A 10.2.3.4
example.org. AAAA 2001:beef::1
; It says that "server mx1.example.org is handling messages for example.org".
example.org. MX 10 mx1.example.org.
; Of course, mx1 should have A/AAAA entry as well:
mx1.example.org. A 10.2.3.4
mx1.example.org. AAAA 2001:beef::1
; Use SPF to say that the servers in "MX" above are allowed to send email
; for this domain, and nobody else.
example.org. TXT "v=spf1 mx ~all"
; It is recommended to server SPF record for both domain and MX hostname
mx1.example.org. TXT "v=spf1 mx ~all"
; Opt-in into DMARC with permissive policy and request reports about broken
; messages.
_dmarc.example.org. TXT "v=DMARC1; p=quarantine; ruf=mailto:[email protected]"
; Mark domain as MTA-STS compatible (see the next section)
; and request reports about failures to be sent to [email protected]
_mta-sts.example.org. TXT "v=STSv1; id=1"
_smtp._tls.example.org. TXT "v=TLSRPTv1;rua=mailto:[email protected]"And the last one, DKIM key, is a bit tricky. maddy generated a key for you on the first start-up. You can find it in /var/lib/maddy/dkim_keys/example.org_default.dns. You need to put it in a TXT record for default._domainkey.example.org. domain, like that:
default._domainkey.example.org. TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="官方MTA-STS and DANE
By default SMTP is not protected against active attacks. MTA-STS policy tells compatible senders to always use properly authenticated TLS when talking to your server, offering a simple-to-deploy way to protect your server against MitM attacks on port 25.
Basically, you to create a file with following contents and make it available at https://mta-sts.example.org/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
max_age: 604800
mx: mx1.example.orgNote: mx1.example.org in the file is your MX hostname, In a simple configuration, it will be the same as your hostname example.org. In a more complex setups, you would have multiple MX servers – add them all once per line, like that:
mx: mx1.example.org
mx: mx2.example.orgIt is also recommended to set a TLSA (DANE) record. Use https://www.huque.com/bin/gen_tlsa to generate one. Set port to 25, Transport Protocol to "tcp" and Domain Name to the MX hostname. Example of a valid record:
_25._tcp.mx1.example.org. TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96e3498238正文查询解析情况
正向A解析
nslookup mx1.example.comResult 正向A解析
服务器: dns.google
Address: 8.8.8.8
非权威应答:
名称: mx1.example.com
Addresses: 2607:****:*:**:**:**:****:b7c2
74.**.***.142Mx解析
nslookup -type=mx example.com
nslookup -type=mx mx1.example.comResult Mx解析
服务器: dns.google
Address: 8.8.8.8
非权威应答:
example.com MX preference = 10, mail exchanger = mx1.example.comSFP解析
nslookup -type=txt example.com
nslookup -type=txt mx1.example.comResult SFP解析
服务器: dns.google
Address: 8.8.8.8
非权威应答:
example.com text =
"v=spf1 mx ~all"
服务器: dns.google
Address: 8.8.8.8
非权威应答:
mx1.example.com text =
"v=spf1 mx ~all"DKIM解析
nslookup -type=txt default._domainkey.example.comResult DKIM解析
服务器: dns.google
Address: 8.8.8.8
非权威应答:
default._domainkey.example.com text =
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyC5/ApPYyzpz1NkgBlUzt8vjss81Jiq/****************************/qx6jpZWkYm5FWYY1EeJrlXL6oq/Xz1VSRuzScT/PpZ1DnGRbV21****************************tMYe3UUV5F4GMMV+"
"****************************/****************************+UTHCxj7nYRzTSMfNQIDAQAB"DMARC解析
nslookup -type=txt _dmarc.example.comResult DMARC解析
服务器: dns.google
Address: 8.8.8.8
非权威应答:
_dmarc.example.com text =
"v=DMARC1;p=quarantine;ruf=mailto:[email protected]"Other TXT 解析
nslookup -type=txt _mta-sts.example.com 8.8.8.8
nslookup -type=txt _smtp._tls.example.com 8.8.8.8
Result DMARC解析
服务器: dns.google
Address: 8.8.8.8
非权威应答:
_mta-sts.example.com text =
"v=STSv1;id=1"
服务器: dns.google
Address: 8.8.8.8
非权威应答:
_smtp._tls.example.com text =
"v=TLSRPTv1;rua=mailto:[email protected]"rDNS
nslookup 74.**.***.142 请替换成自己的ip地址Result rDNS
服务器: dns.google
Address: 8.8.8.8
名称: mx1.example.com
Address: 74.**.***.142一切就绪!!!
创建发送账户
maddy creds create [email protected]
maddy imap-acct create [email protected]其他的邮件程序(仅收集)
mailcow 要求很高
poste
docker run -d \
-p 880:80 -p 8443:443 -p 25:25 -p 110:110 -p 143:143 -p 465:465 -p 587:587 -p 993:993 -p 995:995 -p 4190:4190 \
-e TZ=Asia/Shanghai \
-v /data/poste:/data \
-e "HTTPS=OFF" \
-e "DISABLE_CLAMAV=TRUE" \
--name "PosteServ" -h "mx1.你的域名.com" \
--restart=always \
-t analogic/poste.io