This section is being redacted

Some personnal advices about milters and mail filters:

• DO use Unix sockets instead of Inet ones: Unix sockets use less ressources and are faster because of the internal components involved (inet sockets uses IP & TCP, which generate some overhead. Even if you use inet socket, you may not sense a difference if you don't generate a lot of trafic).
• Prefer use of milters over classic content filters: configuration may be more tricky sometimes, but it is worth its weight in gold if you don't have advanced filtering to do. Amavis is heavy, and basic filtering can be handled by maildrop (configuration will be done after this).

Natively available in the wheezy repository, this milter configuration is a bit tricky. To begin the install process, type the following commands.

apt-get install spf-milter-python
mkdir -p /var/spool/postfix/var/run/spf-milter-python
chown spf-milter-python:spf-milter-python /var/spool/postfix/var/run/spf-milter-python
ln -s /var/spool/postfix/var/run/spf-milter-python /var/run/spf-milter-python
adduser postfix spf-milter-python

Change the socket name as follow in /etc/spf-milter-python/spfmilter.cfg

socketname = /var/run/spf-milter-python/spfmilter.sock

Edit /etc/init.d/spf-milter-python to add the following lines after the “start-stop-daemon” commands in sections start and restart. Replace the socket definition by SOCKET=$RUNDIR/spfmilter.sock, and

        sleep 5
        chmod g+w $SOCKET

Restart the spf-milter-python service.

Add the milter socket in /etc/postfix/main.cf as described below:

smtpd_milters = unix:/var/run/spf-milter-python/spfmilter.sock

You must put this filter before opendmarc (DMARC validation won't be done if you don't do it), and you should put it before spamass-milter socket (SPF validation contributes to spam flagging).

This part has been inspired by the following tutorial: http://blog.tjitjing.com/index.php/2012/03/guide-to-install-opendkim-for-multiple-domains-with-postfix-and-debian.html Guide to Install OpenDKIM for multiple domains with Postfix and Debian

To begin with, type

apt-get install opendkim opendkim-tools
adduser postfix opendkim
mkdir -p /var/spool/postfix/var/run/opendkim/
chown opendkim:opendkim /var/spool/postfix/var/run/opendkim/

Edit /etc/default/opendkim to set the socket as follow:

SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"

Edit /etc/opendkim.conf and add the following lines:

KeyTable                /etc/opendkim/KeyTable
SigningTable            /etc/opendkim/SigningTable
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts

In the same file, edit the socket permission mask as follow:

UMask 0002

You should uncomment/add the following lines to get some debugging informations.

Syslog yes
LogWhy yes

Check also that the line OversignHeaders From is uncommented, then save and close the file.

Next step is to generate the DKIM keys that will be used to sign the mails going out of your domains. The following commands are given for domain.com:

mkdir -p /etc/opendkim/keys/mydomain.com
cd /etc/opendkim/keys/mydomain.com
opendkim-genkey -b 3072 -r -d mydomain.com
chown opendkim:opendkim default.private

Then add the following line to /etc/opendkim/KeyTable:

default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default.private

and the following line in /etc/opendkim/SigningTable:

mydomain.com default._domainkey.mydomain.com

You will find the appropriate record in /etc/opendkim/keys/mydomain.com/default.txt. You should secure your DNS zone with DNSSEC to enhance your immunity to DNS records spoofing. Start opendkim service and double-check that it is started at each reboot.q