Following on from my posts -
I deployed a Ubuntu 18.04 VPS and locked it down (SSH, non-root user, created private\public keys, etc.)
I actually installed iptables (and persistent) and closed everything down except 22. I also installed Fail2Ban - the sshd is active by default.
I installed Virtualmin GPL as per the instruction in the docs - and more less clicked Next, Next, etc and it finished without errors.
Paying attention - I realised it installed (again) Fail2Ban and FirewallD. I’m an iptables person, so it took a bit of time realising what had happened. I uninstalled firewallD manually. Now I just have iptables and a warning saying it thinks I’m using FirewallD - I just ignore that for now.
Then came the Postfix hardening - I just looked at the config of the existing host and copied all the “restriction” entries.
I created a new Virtual Server - a new domain. I had already created the DNS entries at the 3rd party control panel the evening before.
SSL - cert worked fine for the new domain\Virtual Server.
I also created the Virtual Server for the hosting\main domain. It’s SSL was only for the host - the exiting host has the “fuller” cert. Copied the cert to Postfix.
I ran the install script for Roundcube - no issues. going to https
://myNewdomain.com/roundcube, the login appeared. Having created a new email user, I tried to login. No luck - I’ll post up another thread for help with that.
Using Virtualmin\Webmin I sent an email to and from a test account on the new host to an account on the exiting host - outbound worked fine. Inbound wouldn’t.
At this point I removed the Recipient Restrictions and inbound worked. Looking closely at the Recipient Restrictions - I recognised all of them except an spf-policy one.
A quick Google showed it related to “postfix-policyd-spf-python”. A quick check on the existing host showed the package to be installed, but not the new one. 1 apt-get install later it was installed on the new host.
Putting the Recipient Restrictions back - inbound emails worked.
One slight quirk - on the existing host the inbound email headers showed
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=1.2.3.4; helo=host2.myDomain2; envelope-from=test1@newDomain2.com; receiver=user@myDomain1.com
Whilst inbound new emails to host2 showed
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.5; helo=host1.myDomain1.com; envelope-from=user@myDomain1.com; receiver=
This stumped me. A quick Google shown that I needed to add the following line
Hide_Receiver = No
into
/etc/postfix-policyd-spf-python/policyd-spf.conf
Once added - receiver= was no longer UNKNOWN. I still haven’t got to the bottom of by Host 1 says
Received-SPF: Pass (sender SPF authorized)
and Host2 (new one) says
Received-SPF: Pass (mailfrom)
On the list of things to do.
DKIM - I had to enable DNS for the new Virtual Server (the one with a new domain). Went to Email Settings>> Domain Identified Keys and hit the install button. In the hosts field I put in host2.myDomain.com, put in a selector\descriptor for the key and clicked save.
Went back in the form and copied the key. I removed the "'s and spaces and as per suggestion from @calport I put it in the DNS 3rd party control panel as
v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5iUXsdYFAKne/qncNIGPOWJmApXZr+tmf4sEIudFl4hpY0KWLUQLZ7IqyB1dH6Mb60we3y1TkoOksXbOtBLIrfjp5DFI2KzvaQOGkTxMOSPF4J7gq98BmgdeActNli64WMZ0aOxXdePsslo6lmkenj+6Lz70QuUk0J/O7qZp4fWVpu560NkJ2AYvAGvRAVkdknm4ZdE8OukLH3K3lM+EnVv/o7Y5YgU1+40KfV2Z8rauVHpONJcNciw9YwLZhKLTefGUVj1F7IN5LvZNbZKz7zZitDGesVYDIbr4D20j6MGj+sGXBVOZQ8YBOOZSZnGKL5oFOKCAmbu9xln3jpj9+QIDAQAB
[That’s not my key.]
I wasted about an hour messing about as using DKIM key checking websites - they all said the key was invalid. Generated a new one - not really needed - and copying it from the form, I realised I hadn’t copied the previous key fully.
Once entered into the DNS panel - the “correct” checked out fine.
Then sending test emails to https://www.appmaildev.com/ kept saying outbound emails from host2 (new one) were not being signed with DKIM. Googling and checking the forums - there were a few suggestions:
https://www.virtualmin.com/comment/808804#comment-808804
https://www.virtualmin.com/node/59560
I set Postfix to use Domain name for outbound emails, and changed
Socket local:/var/run/opendkim/opendkim.sock
to
Socket inet:8891@localhost
That still didn’t cure it. So checking to see if anything was lsitening on 8891 - a qucik netstat command and I realised nothing was listing on 8891.
So a quick
service opendkim restart
and a netstat command showed opendkim was listening on 8891. I sent another test email to https://www.appmaildev.com/ showed outbound emails were being signed with DKIM.
I have DMARC yet to setup and test and the Roundcube issue to deal with. Then I’ll be ready to start moving stuff across. Also check the same number of Fail2Ban jails are on both hosts (more a sanity check than anything else. And that they are set up the same).
Apologies for the long post - might be of use\interest to someone. LOL
Cheers
Dibs