Introduction
I needed to set up email accounts for both my local development server and ramoneburrell.com, because I wanted to receive email notifications when someone contacts me or posts a comment on the live site, and I wanted a personal email address @ramoneburrell.com. I didn't need a complicated setup because my blog is small and I am the only user. I have worked with Postfix before, but it was more than I needed. So I decided to use Sendmail as my SMTP server to send mail, and Dovecot as my IMAP server.
Sendmail is a powerful Mail Transport Agent (MTA) that has been around for more than 40 years and supports a number of mail delivery formats. You can view the manual for sendmail here. Dovecot is an IMAP and POP3 email server; you can read Dovecot's documentation here. The difference between the two is that Sendmail transfers mail between servers across the internet, while Dovecot lets mail clients read, across the internet, mail that has already been delivered to the server.
From the command line, you can type the below commands to view the manual pages for Sendmail or Dovecot.
$ man 8 sendmail
$ man dovecot
In this blog, I will walk you through installing, configuring and testing Sendmail and Dovecot on Ubuntu 22.04.
Dovecot
Installing and Configuring Dovecot
We will set up Dovecot before Sendmail so that the mailbox location Sendmail will deliver to is configured and in place before we begin sending mail.
From your command line, install Dovecot with this command.
$ sudo apt-get install dovecot-imapd dovecot-pop3d
Dovecot is configured by default to use the imap, pop3 and lmtp protocols, but I will set my configuration to the first two. Your Dovecot configuration file is at /etc/dovecot/dovecot.conf. Open it and add the lines below. The first line ensures that Dovecot's local delivery agent creates a user's mailbox if it doesn't exist, and the second line sets the protocols to serve.
lda_mailbox_autocreate = yes
protocols = imap pop3
Now we need to set the kind of mailbox that we want Dovecot to use. Dovecot supports the maildir and mbox mailbox formats; we will use maildir. Open the file /etc/dovecot/conf.d/10-mail.conf and set the configuration as below (the ~ is expanded to each user's home directory).
mail_location = maildir:~/Maildir
Now restart the Dovecot server.
$ systemctl restart dovecot
Use telnet to check that Dovecot is listening for connections.
$ telnet localhost 143
You should see something similar to the output below.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.
Securing Dovecot
We need to set up SSL/TLS for Dovecot. You can learn more in Dovecot's SSL configuration documentation here. The first thing we want to do is generate an SSL certificate and key file, but before that we need to create a certificate authority (CA). You can read more on certificate authorities here, https://www.ssl.com/faqs/what-is-a-certificate-authority/. If you are configuring Dovecot for use only on a development server where mail will only be sent internally, you may use a self-signed certificate. However, since we are configuring Dovecot for a production environment, we will go through the full procedure of creating a CA, a certificate and a certificate key.
Create a Certificate Authority
1. Create an RSA private key for your Certificate Authority (CA). It will be AES-256 encrypted and the output format will be PEM.
$ openssl genrsa -aes256 -out ca.key 4096
You can see the details of the RSA private key using the command below.
$ openssl rsa -noout -text -in ca.key
2. Create a certificate for the CA
$ openssl req -new -x509 -days 365 -key ca.key -out ca.pem
You can see the details of the certificate with:
$ openssl x509 -noout -text -in ca.pem
3. Add the CA certificate you created to the system's trusted root certificates: install ca-certificates if it is not already installed, copy the certificate to /usr/local/share/ca-certificates (update-ca-certificates only picks up files in that directory with a .crt extension), then update the CA certificates. Keep a second copy in /etc/ssl/certs as well, since the Sendmail configuration later in this post refers to /etc/ssl/certs/ca.pem.
$ sudo apt install -y ca-certificates
$ sudo cp ca.pem /usr/local/share/ca-certificates/ca.crt
$ sudo cp ca.pem /etc/ssl/certs
$ sudo update-ca-certificates
Add this CA certificate to the "Trusted Root Certificate Authorities" store on every user's devices so that the certificates it signs are trusted by their mail clients. You can do this on any desktop mail client as well as on iOS and Android devices.
Create and Install a Certificate and Private Key for Dovecot
4. Create a certificate signing request (.csr), sign the certificate, then append the CA to the certificate, as per Chained SSL certificates.
$ openssl req -new -nodes -out dovecot.csr -newkey rsa:4096 -keyout dovecot.key
$ openssl x509 -req -in dovecot.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out dovecot.pem -days 730 -sha256
$ cat ca.pem >> dovecot.pem
You may verify the certificate with the CA using
$ openssl verify -CAfile ca.pem dovecot.pem
5. Set the appropriate permissions on the certificate and key files then copy them to /etc/ssl/certs/ and /etc/ssl/private/ respectively.
$ chmod 444 dovecot.pem
$ chmod 400 dovecot.key
$ cp dovecot.key /etc/ssl/private/dovecot.key
$ cp dovecot.pem /etc/ssl/certs/dovecot.pem
6. Update the SSL configuration in /etc/dovecot/conf.d/10-ssl.conf with the paths to the certificate and key files. The leading < on each value tells Dovecot to read the file at that path; without it, Dovecot treats the string itself as the PEM data and fails to start.
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.key
7. Restart Dovecot
$ systemctl restart dovecot
8. Test the setup.
$ openssl s_client -servername localhost -connect localhost:imaps
You should see output like the following.
CONNECTED(00000003)
depth=1 CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
verify return:1
depth=0 CN = ramoneburrell.com, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrellBlog
verify return:1
---
Certificate chain
0 s:CN = ramoneburrell.com, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrellBlog
i:CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 17 17:34:09 2023 GMT; NotAfter: Dec 16 17:34:09 2025 GMT
1 s:CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
i:CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 17 17:27:59 2023 GMT; NotAfter: Dec 16 17:27:59 2024 GMT
---
Server certificate
subject=CN = ramoneburrell.com, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrellBlog
issuer=CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3660 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Ubuntu) ready.
Now we'll move onto installing and configuring Sendmail.
Sendmail
Installing and Configuring Sendmail
Sendmail uses Cyrus SASL to authenticate your users when they attempt to connect to the SMTP server when setting up an account on a client and when they send a new email. You can read more about Cyrus SASL here.
Install sendmail and sasl2-bin.
$ sudo apt-get install sendmail sasl2-bin
Run the command below to see if saslauthd is enabled.
$ systemctl is-enabled saslauthd
saslauthd.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install is-enabled saslauthd
disabled
If you get output like the above, run the command below to ensure that saslauthd is started when your server starts up.
$ systemctl enable saslauthd
Sendmail uses a Local Delivery Agent (LDA) called procmail that needs to be configured to know where to deliver emails. We want it to deliver emails in the same maildir format we configured Dovecot to read above. You should not need to install it manually, as it is a dependency of sendmail and was installed automatically when you installed sendmail above. You can type man procmail on your command line to get more information on procmail.
Create the file /etc/procmailrc and add the lines below.
# Procmail runs as the recipient, so $HOME is that user's home directory.
MAILDIR=$HOME/Maildir
# A trailing slash makes procmail deliver in maildir format (into new/), which is what Dovecot reads.
DEFAULT=$MAILDIR/
# Every local user must be able to append to this file; otherwise point it at a file under $HOME.
LOGFILE=/var/log/procmail.log
Securing Sendmail
Now we are going to enable TLS/SSL for Sendmail. We have already created a CA and will use it to sign the certificate for Sendmail.
Create and Install a Certificate and Private Key for Sendmail
1. Create a certificate signing request (.csr), sign the certificate, then append the CA to the certificate.
$ openssl req -new -nodes -out sendmail.csr -newkey rsa:4096 -keyout sendmail.key
$ openssl x509 -req -in sendmail.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out sendmail.pem -days 730 -sha256
$ cat ca.pem >> sendmail.pem
You may view the contents of the certificate with:
$ openssl x509 -noout -text -in sendmail.pem
2. Set the appropriate permissions on the certificate and key files, then copy them to /etc/ssl/certs/ and /etc/ssl/private/ respectively.
$ chmod 444 sendmail.pem
$ chmod 400 sendmail.key
$ cp sendmail.pem /etc/ssl/certs/
$ cp sendmail.key /etc/ssl/private/
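The CSR, signing, chaining, permission and verification steps above are the same for Dovecot (steps 4 and 5 in the Dovecot section) and for Sendmail (steps 1 and 2 here), so the following wraps them in two reusable shell functions. This is an added example, not the post's own commands: it assumes openssl is on PATH, takes the CA passphrase as an argument instead of prompting, and goes one step beyond the post by adding a subjectAltName and serverAuth extension, which current mail clients require in addition to the CN.

```shell
#!/bin/sh
# Added example (not from the original post): reusable CA and service certificate issuance.
# Assumes openssl is on PATH. KEY_BITS defaults to the post's 4096; lower it for quick tests.
set -eu
KEY_BITS=${KEY_BITS:-4096}

# make_ca DIR PASS
# Creates an AES-256 encrypted CA key (ca.key) and a self-signed CA certificate (ca.pem) in DIR.
make_ca() {
    dir=$1; pass=$2
    rm -f "$dir/ca.key" "$dir/ca.pem"
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key "$dir/ca.key" -passin "pass:$pass" \
        -subj "/CN=Example Root CA/O=Example" -out "$dir/ca.pem"
    chmod 400 "$dir/ca.key"
}

# issue_cert DIR PASS NAME FQDN
# Produces NAME.key (mode 400) and NAME.pem (mode 444, server cert followed by the CA cert),
# signed by DIR/ca.pem, then verifies the chain exactly as the post does with openssl verify.
issue_cert() {
    dir=$1; pass=$2; name=$3; fqdn=$4
    rm -f "$dir/$name.key" "$dir/$name.pem"
    # CSR with an unencrypted key, as in the post (-nodes), made non-interactive with -subj.
    openssl req -new -nodes -newkey "rsa:$KEY_BITS" -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/CN=$fqdn" 2>/dev/null
    # Extensions the post's certificates lack: a SAN matching the FQDN and a serverAuth EKU.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -passin "pass:$pass" -CAcreateserial -days 730 -sha256 \
        -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
    # Append the CA so clients receive the full chain (the post's cat ca.pem >> NAME.pem).
    cat "$dir/ca.pem" >> "$dir/$name.pem"
    chmod 444 "$dir/$name.pem"
    chmod 400 "$dir/$name.key"
    rm -f "$dir/$name.csr" "$dir/$name.ext"
    # Verifies only the leaf (first certificate in the file) against the CA, as openssl verify does.
    openssl verify -CAfile "$dir/ca.pem" "$dir/$name.pem"
}

# Usage (copy the results to /etc/ssl/certs and /etc/ssl/private afterwards, as the post does):
#   make_ca ./pki 'ca-passphrase'
#   issue_cert ./pki 'ca-passphrase' dovecot mail.example.com
#   issue_cert ./pki 'ca-passphrase' sendmail mail.example.com
```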
3. Open the file /etc/mail/sendmail.mc and add the lines below after the dnl comment block and before any "FEATURE" macro. The first line defines the authentication mechanisms that Sendmail will offer and the second directs Sendmail to trust those mechanisms for relaying. Set 'mail.mydomain.com' to the FQDN of your mail server and adjust the log level as you like. I recommend keeping it at 10 while you iron out any quirks; you can lower it or remove the line entirely once your setup is running well.
dnl Mechanisms offered to clients. PLAIN and LOGIN transmit the password itself,
dnl so they are only safe once STARTTLS has been negotiated on the session.
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
dnl Optional hardening: the p flag refuses PLAIN/LOGIN on unencrypted sessions.
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl ### do STARTTLS
define(`confCACERT_PATH', `/etc/ssl/certs/')dnl
define(`confCACERT', `/etc/ssl/certs/ca.pem')dnl
define(`confSERVER_CERT', `/etc/ssl/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/ssl/private/sendmail.key')dnl
define(`confCLIENT_CERT', `/etc/ssl/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/ssl/private/sendmail.key')dnl
dnl Keep at 10 while debugging, then lower it or remove the line once mail flows.
define(`confLOG_LEVEL', `10')dnl
dnl Replace with the FQDN of your mail server.
define(`confDOMAIN_NAME', `mail.mydomain.com')dnl
4. At the very bottom of /etc/mail/sendmail.mc, after the list of mailer definitions, add the line below to define procmail as a mailer.
MAILER(`procmail')dnl
5. In the same file, find this line:
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
and change them to the lines below by removing the 'Addr' option from each:
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea')dnl
The first line is for the SMTP port, port 25, and the second for the submission port, port 587. Removing the Addr option from each ensures that Sendmail listens on all IP addresses on all network interfaces for email connections, rather than only on localhost.
6. Now reprocess the macro file to regenerate Sendmail's configuration file /etc/mail/sendmail.cf.
$ cd /etc/mail/
$ make
You should see something like the output below.
root@localhost:/etc/mail# make
Updating databases ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/databases...
Creating /etc/mail/relay-domains
# Optional file...
Updating Makefile ...
Reading configuration from /etc/mail/sendmail.conf.
Validating configuration.
Creating /etc/mail/Makefile...
Updating sendmail.cf ...
The following file(s) have changed:
/etc/mail/relay-domains /etc/mail/sendmail.cf
** ** You should issue `/etc/init.d/sendmail reload` ** **
7. Now restart Sendmail.
$ systemctl restart sendmail
8. Test the setup. Port 587 starts as plain SMTP and upgrades to TLS with the STARTTLS command, so s_client has to be told to negotiate it.
$ openssl s_client -starttls smtp -servername localhost -connect localhost:587
You should see something like this:
CONNECTED(00000003)
depth=1 CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
verify return:1
depth=0 CN = ramoneburrell.com, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrellBlog
verify return:1
---
Certificate chain
0 s:CN = ramoneburrell.com, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrellBlog
i:CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 17 17:40:01 2023 GMT; NotAfter: Dec 16 17:40:01 2025 GMT
1 s:CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
i:CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 17 17:27:59 2023 GMT; NotAfter: Dec 16 17:27:59 2024 GMT
---
Server certificate
subject=CN = ramoneburrell.com, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrellBlog
issuer=CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
---
Acceptable client certificate CA names
CN = Ramone Burrell Root CA, C = CA, ST = Ontario, L = Toronto, O = RamoneBurrell
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4423 bytes and written 798 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 HELP
Test the authentication for a user on your server through SASL.
$ testsaslauthd -r mydomain.com -u username -p mypassword
0: OK "Success."
If you get the output as above, you can now try to setup an email account with a client and test sending and receiving emails to and from your account.
Conclusion
You can set up Sendmail and Dovecot to send and receive emails from your server over the internet. The process is not complicated, but it is quite involved and not always smooth. You may want to run a check on your domain using Google's Check MX tool to iron out any issues with your domain and ensure that your outgoing emails are delivered.
Comment below and I will try to pitch in to help you solve any issues you have.
Charles Cochems says:
May 23, 2024 10:29 am
Useful howto, but what if I want a LetsEncrypt cert?