
Linux: how to use encryption & SPF when sending an e-mail (to Gmail for example)



Fli
04-26-2017, 01:54 PM
I am using a Linux server (CentOS) with the postfix mail server (service postfix status) to send out e-mail.
And I found that my e-mails appear in Gmail as not encrypted and not authenticated. Here is what I did to fix it.

Fixing encryption

When I sent an e-mail to Gmail I saw that the message was marked with a red padlock as unencrypted.

To fix it I found a tutorial which suggests opening the postfix configuration file /etc/postfix/main.cf

and inserting the following lines into it:

smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

I saved the changes and loaded the new configuration with the command: postfix reload

Then I sent out an e-mail: echo "testing tls encrypted e-mail"|mail -s "test" [email protected]

Now I can see in Gmail that this e-mail was sent using Standard (TLS) encryption. Good.

For troubleshooting, check the mail server log file:

tail -n 50 /var/log/maillog

Fixing Authentication of the e-mail (SPF/DKIM)

Also, Gmail showed a red question mark on the e-mail I sent from my Linux server and said the e-mail is not authenticated. This is the relevant explanation of the issue: https://support.google.com/mail/answer/180707
To fix it I updated the TXT record in my domain name's DNS zone file.

1) Make sure the Linux server hostname from which you are sending e-mail is using the domain name that you have registered, not something non-existent.
# hostname
servernamehere.mydomain.com
If not, set the server hostname with the command: hostname servernamehere.mydomain.com
Make sure that in /etc/hosts this hostname is shown next to your server's public IP:
# cat /etc/hosts
MyServerIPHere servernamehere.mydomain.com servernamehere

2) Log in to the control panel of your server provider (who sold you your server and its public IP) and find the section to manage PTR/rDNS (reverse DNS) records to set your Linux server's IP record to "servernamehere.mydomain.com". If you cannot find a way to change this, contact your server provider, and once they have set your record, continue this tutorial.

3) Log in to the hosting control panel where you host the mydomain.com website and find the DNS section to edit the DNS zone for mydomain.com.
Make sure there is an A type record that points the hostname to your server IP. Example:
domain: servernamehere
record type: A
ttl: 1200
value: IPOfYourLinuxServer

4) Update or add a TXT type record with the SPF value:
record type: TXT
record name: servernamehere
value: "v=spf1 mx a ptr ip4:IPOfTheServerWhereMyDomainComIsHosted ip4:IPOfYourLinuxServerHere a:servernamehere.mydomain.com a:otherhostnameifexist.mydomain.com ~all"
(including quotation marks)

5) Allow some time for the changes to propagate. You can verify the changes with the Linux command: dig txt mydomain.com
Try this tool to verify the newly added SPF record: http://www.kitterman.com/spf/validate.html

6) Try sending a new e-mail to your Gmail address to verify whether Google still complains: echo "test"|mail -s "test" [email protected]
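To see why a receiver such as Gmail accepts or rejects a given sending IP against a record like the one in step 4, here is an added example (not from the original post) of a minimal SPF evaluator in Python. The DNS table is constructed for this example: mydomain.com and servernamehere come from the post, the IP addresses are documentation ranges, and the mechanisms covered are only those the post's record uses (mx, a, ptr, ip4, all).

```python
import ipaddress

# Constructed in-memory zone standing in for real DNS answers, so this runs offline.
# Addresses are documentation ranges; mydomain.com / servernamehere come from the post.
DNS = {
    ("mydomain.com", "TXT"): ["v=spf1 mx a ptr ip4:198.51.100.10 a:servernamehere.mydomain.com ~all"],
    ("mydomain.com", "A"): ["203.0.113.5"],
    ("mydomain.com", "MX"): ["mail.mydomain.com"],
    ("mail.mydomain.com", "A"): ["203.0.113.6"],
    ("servernamehere.mydomain.com", "A"): ["198.51.100.10"],
    ("10.100.51.198.in-addr.arpa", "PTR"): ["servernamehere.mydomain.com"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def ip_in(ip, spec):
    # spec is an address or CIDR; a bare address becomes a /32 (or /128)
    return ip in ipaddress.ip_network(spec, strict=False)

def mech_matches(ip, domain, mech):
    """Does a single SPF mechanism (ip4, a, mx, ptr, all) match the connecting IP?"""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip_in(ip, arg)
    if name == "a":
        return any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
    if name == "mx":
        return any(ip_in(ip, a) for mx in lookup(arg or domain, "MX") for a in lookup(mx, "A"))
    if name == "ptr":
        # Validated reverse lookup; RFC 7208 discourages ptr (slow, lookup-heavy).
        d = arg or domain
        return any((h == d or h.endswith("." + d)) and any(ip_in(ip, a) for a in lookup(h, "A"))
                   for h in lookup(ip.reverse_pointer, "PTR"))
    raise ValueError(f"unsupported mechanism: {mech}")

def check_spf(sender_ip, domain):
    """SPF result for a MAIL FROM domain and the IP that connected to the receiver."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"  # two SPF records is a permerror
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        if mech_matches(ip, domain, term.lstrip("+-~?")):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term
```

With this zone, a message from 198.51.100.10 passes (via the validated ptr and the ip4 term) while one from an unlisted address such as 192.0.2.77 gets softfail from the "~all" term, which is what makes Gmail show the question mark rather than reject outright.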