Sendmail 2020

Latest revision as of 19:45, 30 October 2021
Mailer installation 2020 at Telehouse. This replaces the in-house mailer (10.0.3.5); the FQDN is test.anydomain.com.
The mailer supports the usual MTA (port 25) and IMAP (port 143) protocols. Optional encryption is available for IMAP (993, SSL, normal password)
and SMTP (587, STARTTLS, normal password).
APT Packages
apt-get install libmail-sendmail-perl sendmail sendmail-base sendmail-bin sendmail-cf sendmail-doc dnsutils mailutils libyaml-dev
IMAP
apt-get install dovecot-imapd php-imap
SASL
apt-get install libauthen-sasl-perl libsasl2-2:amd64 libsasl2-modules:amd64 libsasl2-modules-db:amd64 sasl2-bin
SpamAssassin (SA)
apt-get install spamass-milter spamassassin spamc
DKIM
apt-get install libdkim1d libmail-dkim-perl libopendkim11 opendkim opendkim-tools
DMARC
apt-get install libopendmarc2 opendmarc
Apache2
apt-get install apache2 libapache2-mod-php
Roundcube
apt-get install roundcube roundcube-core roundcube-mysql
MTA Configuration
Sendmail
- /etc/mail/sendmail.mc
- Authentication for MTA and IMAP; allow PLAIN, LOGIN, DIGEST-MD5 and CRAM-MD5
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
- /etc/mail/sendmail.mc
- STARTTLS
include(`/etc/mail/tls/starttls.m4')dnl
- /etc/mail/sendmail.mc
- Spamassassin
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass/spamass.sock,T=S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, {auth_type}')dnl
dnl confMILTER_MACROS_ENVFROM is also defined in the DKIM block with a larger macro
dnl list; m4 keeps only the last define(), so it must not be repeated with fewer macros
dnl define(`confMILTER_MACROS_ENVFROM',`{auth_type}, i')dnl
- /etc/mail/sendmail.mc
- Dkim
INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/opendkim/opendkim.sock,F=,T=C:10m;S:10m;R:20m;E:20m')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
- /etc/mail/sendmail.mc
- Dmarc
INPUT_MAIL_FILTER(`milter-opendkim',`S=unix:/var/run/opendmarc/opendmarc.sock, F=, T=R:2m')
- /etc/mail/tls/starttls.m4
- TLS (see also the Letsencrypt configuration further down)
define(`confCACERT', `/etc/mail/tls/fullchain.pem')dnl # <= EDIT
- Full configuration /etc/mail/sendmail.mc
divert(-1)dnl
#-----------------------------------------------------------------------------
# $Sendmail: debproto.mc,v 8.15.2 2016-12-08 18:43:49 cowboy Exp $
#
# Copyright (c) 1998-2010 Richard Nelson.  All Rights Reserved.
#
# cf/debian/sendmail.mc.  Generated from sendmail.mc.in by configure.
#
# sendmail.mc prototype config file for building Sendmail 8.15.2
#
# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
#       file is customized to the version noted above.
#
# This file is used to configure Sendmail for use with Debian systems.
#
# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
# by running this file through the m4 preprocessor via one of the following:
#       * make   (or make -C /etc/mail)
#       * sendmailconfig
#       * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# The first two options are preferred as they will also update other files
# that depend upon the contents of this file.
#
# The best documentation for this .mc file is:
# /usr/share/doc/sendmail-doc/cf.README.gz
#
#-----------------------------------------------------------------------------
divert(0)dnl
#
#   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
#
# This file is used to configure Sendmail for use with Debian systems.
#
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.15.2-8 2016-12-08 18:43:49 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
dnl # General defines
dnl #
dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
dnl #   into this directory before writing files.
dnl #   If *all* your user accounts are under /home then use that
dnl #   instead - it will prevent any writes outside of /home !
dnl #   define(`confSAFE_FILE_ENV',             `')dnl
dnl #
dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
dnl # Remove `, Addr=' clauses to receive from any interface
dnl # If you want to support IPv6, switch the commented/uncommented lines
dnl #
FEATURE(`no_default_msa')dnl
FEATURE(virtusertable)dnl
dnl Allow IPv4
DAEMON_OPTIONS(`Port=submission, M=Ea, Name=MSA, Family=inet')dnl
DAEMON_OPTIONS(`Port=smtp,Name=MTA, Family=inet')dnl
dnl Set Masq and Domain
FEATURE(`masquerade_envelope')dnl
FEATURE(`limited_masquerade')dnl
define(`confDOMAIN_NAME',`anydomain.com')dnl
dnl #
dnl # Be somewhat anal in what we allow
define(`confPRIVACY_FLAGS',dnl
    `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
dnl #
dnl # Define connection throttling and window length
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
dnl #
dnl # Features
dnl #
dnl # use /etc/mail/local-host-names
FEATURE(`use_cw_file')dnl
dnl #
dnl # The access db is the basis for most of sendmail's checking
FEATURE(`access_db', , `skip')dnl
dnl #
dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
FEATURE(`greet_pause', `1000')dnl 1 seconds
dnl #
dnl # Delay_checks allows sender<->recipient checking
FEATURE(`delay_checks', `friend', `n')dnl
dnl #
dnl # If we get too many bad recipients, slow things down...
define(`confBAD_RCPT_THROTTLE',`3')dnl
dnl #
dnl # Stop connections that overflow our concurrent and time connection rates
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl -------------------------------------------
dnl MK Authentication used for IMAP and Dovecot
dnl -------------------------------------------
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
dnl MK Fix for error messages in debug log
define(`confCRL', `/etc/ssl/revoke/revoke.crl')
dnl ---------------------------
dnl MK Add optional TLS Support
dnl ---------------------------
include(`/etc/mail/tls/starttls.m4')dnl
dnl ---------------------------------------------------------
dnl MK Tweaks
dnl #http://heretic.net-ronin.org/~ramune/sysadmin/sendmail/
dnl ---------------------------------------------------------
define(`confSUPER_SAFE',`true')dnl
dnl the option is spelled confMAX_MESSAGE_SIZE (MaxMessageSize); a misspelt name is silently ignored by m4
define(`confMAX_MESSAGE_SIZE',`1000000')dnl
define(`confMIN_FREE_BLOCKS',`3000')dnl
dnl #define(`confTIME_ZONE',`PST8PDT')dnl
dnl MK Procmail support
FEATURE(`local_procmail')dnl
dnl *******************
dnl MK Spamassassin
dnl Tipp: run sa-update
dnl *******************
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass/spamass.sock,T=S:4m;R:4m;E:10m')dnl
dnl ****
dnl DKIM
dnl ****
INPUT_MAIL_FILTER(`dkim-milter', `S=local:/var/run/opendkim/opendkim.sock,F=,T=C:10m;S:10m;R:20m;E:20m')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl
dnl *****
dnl DMARC
dnl *****
INPUT_MAIL_FILTER(`milter-opendkim',`S=unix:/var/run/opendmarc/opendmarc.sock, F=, T=R:2m')
dnl the below eliminates the message:
dnl Could not retrieve sendmail macro "b"!.
dnl Please add it to confMILTER_MACROS_ENVRCPT for better spamassassin results
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, {auth_type}')dnl
dnl confMILTER_MACROS_ENVFROM is already defined in the DKIM block above with a
dnl superset of these macros; a second define() would replace that list, so it
dnl stays commented out here
dnl define(`confMILTER_MACROS_ENVFROM',`{auth_type}, i')dnl
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl
dnl *********************************
dnl Debug logging on demand only
dnl define(`confLOG_LEVEL', `98')dnl
dnl *********************************
dnl *****************
dnl Supported Domains
dnl *****************
Cwanydomain.com
dnl Add because of poodle attack https://disablessl3.com/ - 28Okt2014
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
O PrivacyOptions=goaway
Sasl
- /etc/default/saslauthd
START=yes
MECHANISMS="pam"
Spamd
- Add systemuser spamd
useradd -M spamd
usermod -L spamd
- Modify defaults
- /etc/default/spamassassin
OPTIONS="-q -x --max-children 10 -u spamd"
Roundcube
Fix to allow mail to be sent from Roundcube
- /etc/roundcube/config.inc.php
$config['smtp_user'] = '';
Dovecot (Imap)
- Needed for Jira and other clients that want to use unencrypted IMAP on port 143
- /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
DNS Configuration
- /etc/hosts, the very first record
127.0.0.1 vm-mail01.anydomain.com vm-mail01
- Check
# hostname -f
vm-mail01.anydomain.com
On the DNS Server
- A record
# host anydomain.com
anydomain.com has address x.y.z.x
- PTR record
# nslookup x.y.z.z
x.y.z.z.in-addr.arpa name = anydomain.com.
- MX record
# host -t mx anydomain.com
anydomain.com mail is handled by 10 vm-mail01.anydomain.com.
- TXT record for DKIM
# host -t txt mail._domainkey.anydomain.com
mail._domainkey.anydomain.com descriptive text "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlQCpa4N7LELD6fBhX5BLxUoIqlxkasJ52mMyJR7ZXVXe603mZQ4oUeVDXLPGUPfUxLmG5VPsCO8o5hrj18pwe+F3W9Y5wH8U9HzHNzLmj8HM9oYBKfMIryeUmzuC/uKVrtLGMih9zz67t7iis590U3eYfuLZFdAS6U9wbV1PeTwIDAQAB"
- TXT record for DMARC
# host -t txt _dmarc.anydomain.com
_dmarc.anydomain.com descriptive text "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400 ;rua=mailto:mailauth-reports@anydomain.com"
- TXT record for SPF
# host -t txt anydomain.com
anydomain.com descriptive text "v=spf1 ip4:x.x.x.x/27 ip4:x.x.x.x/27 include:spf.nl2go.com -all"
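The three TXT records above are worth sanity-checking before relying on them. The script below is an added example, not part of the original page: it parses the DKIM, DMARC and SPF records exactly as shown (anydomain.com and the x.x.x.x prefixes are the page's own placeholders, reused here), decodes the DKIM public key to report its modulus size, flags that the published key is 1024 bits (RFC 8301 says signers SHOULD use at least 2048) and that p=none leaves DMARC in monitoring mode, and counts the SPF terms that cost a DNS lookup against the limit of ten. The DER walk is a minimal hand-written reader that only understands the RSA SubjectPublicKeyInfo layout a DKIM p= tag carries; it is not a general ASN.1 parser.

```python
import base64

# Constructed copies of the three TXT records shown on this page (anydomain.com
# and the x.x.x.x prefixes are the page's own placeholders, not live values).
DKIM_TXT = (
    "v=DKIM1; k=rsa; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlQCpa4N7LELD6fBhX5BLx"
    "UoIqlxkasJ52mMyJR7ZXVXe603mZQ4oUeVDXLPGUPfUxLmG5VPsCO8o5hrj1"
    "8pwe+F3W9Y5wH8U9HzHNzLmj8HM9oYBKfMIryeUmzuC/uKVrtLGMih9zz67t"
    "7iis590U3eYfuLZFdAS6U9wbV1PeTwIDAQAB"
)
DMARC_TXT = ("v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400 ;"
             "rua=mailto:mailauth-reports@anydomain.com")
SPF_TXT = "v=spf1 ip4:x.x.x.x/27 ip4:x.x.x.x/27 include:spf.nl2go.com -all"

# SPF terms that each consume one of the ten DNS lookups RFC 7208 allows
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DKIM or DMARC record into a dict;
    stray whitespace such as 'ri=86400 ;' is tolerated."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def _der_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_tag: str) -> int:
    """Modulus size of the SubjectPublicKeyInfo in a DKIM p= tag, laid out as
    SEQ { SEQ { oid, NULL }, BIT STRING { SEQ { INTEGER n, INTEGER e } } }."""
    tag, spki, _ = _der_tlv(base64.b64decode(p_tag))
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _, pos = _der_tlv(spki)             # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _der_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING after AlgorithmIdentifier")
    _, rsa_key, _ = _der_tlv(bitstr[1:])   # first octet = unused-bit count
    _, modulus, _ = _der_tlv(rsa_key)      # INTEGER n (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim(record: str) -> list:
    tags, findings = parse_tags(record), []
    if tags.get("k", "rsa") != "rsa":
        findings.append(f"k={tags['k']}: not an RSA key, size check skipped")
    elif not tags.get("p"):
        findings.append("empty p= tag: this selector is revoked, signatures will fail")
    else:
        bits = rsa_modulus_bits(tags["p"])
        if bits < 2048:
            findings.append(f"{bits}-bit RSA key; RFC 8301 says signers SHOULD use at least 2048 bits")
    return findings


def check_dmarc(record: str) -> list:
    tags, findings = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none: receivers only report; mail that fails DMARC is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("p= is missing or invalid")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the failing mail")
    return findings


def check_spf(record: str) -> dict:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = "+"                    # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    findings = []
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: every host passes SPF for this domain")
    return {"lookups": lookups, "all": all_qualifier, "findings": findings}
```

Run the three check functions against the records you get back from `host -t txt`; the DKIM check is the one that changes over time, since a new selector with a 2048-bit key can be published alongside the old one and the SigningTable switched over once the TXT record has propagated.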
DKIM
Configuration
- /etc/opendkim.conf
Syslog yes
SyslogSuccess Yes
Mode sv
SubDomains yes
Socket local:/var/run/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
LogWhy yes
Nameservers x.x.x.x
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable
InternalHosts /etc/opendkim/TrustedHosts
- /etc/opendkim/KeyTable
mail._domainkey.anydomain.com anydomain.com:mail:/etc/opendkim/keys/anydomain.com/mail.private
- /etc/opendkim/SigningTable
anydomain.com mail._domainkey.anydomain.com
- /etc/opendkim/TrustedHosts
127.0.0.1
localhost
192.168.100.0/255.255.255.0
Letsencrypt
Two certificates are installed.
vm-mail01.anydomain.com is used for the MTA encryption in sendmail.
test.anydomain.com is used for IMAP and Roundcube.
Renew:
/root/certbot-auto certonly --webroot --webroot-path /var/www/html --renew-by-default --text --agree-tos -d test.anydomain.com
/root/certbot-auto certonly --webroot --webroot-path /var/www/html --renew-by-default --text --agree-tos -d vm-mail01.anydomain.com
Copy certs for sendmail:
FQDN=vm-mail01.anydomain.com
cp /etc/letsencrypt/live/$FQDN/privkey.pem /etc/mail/tls/sendmail-common.key
cp /etc/letsencrypt/live/$FQDN/cert.pem /etc/mail/tls/sendmail-client.crt
cp /etc/letsencrypt/live/$FQDN/cert.pem /etc/mail/tls/sendmail-server.crt
cp /etc/letsencrypt/live/$FQDN/fullchain.pem /etc/mail/tls/fullchain.pem
Run Sendmailconfig and dovecot after:
sendmailconfig
/etc/init.d/dovecot restart
Dovecot
- /etc/dovecot/conf.d/10-auth.conf
ssl_cert = </etc/letsencrypt/live/mail.anydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.anydomain.com/privkey.pem
Testing
- Test the certificate on IMAPS (993)
openssl s_client -crlf -connect test.anydomain.com:993
- Test the certificate and SASL on SMTP submission (587, STARTTLS)
openssl s_client -starttls smtp -connect test.anydomain.com:587
- Test TLS
https://www.checktls.com/TestReceiver
- DKIM
  - http://dkimvalidator.com/
- Other web sites
  - https://esmtp.email/tools/mta-sts/?#
  - https://starttls-everywhere.org
  - https://luxsci.com/smtp-tls-checker
  - http://multirbl.valli.org/
  - https://intodns.com/mailtower.de
  - https://mxtoolbox.com/
  - https://dmarcly.com/tools/
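The openssl s_client commands in this section show the certificate by hand. The script below is an added example, not from the page, that automates the submission-port check with the Python standard library: it reads the EHLO extension list before and after STARTTLS, reports the negotiated TLS version and cipher, and flags a server that offers PLAIN or LOGIN on the unencrypted connection, which matters here because the sendmail.mc above trusts those mechanisms and does not set confAUTH_OPTIONS (sendmail's documented `p` flag there withholds plaintext mechanisms until a security layer is active). The two EHLO replies embedded in it are constructed samples, not output captured from vm-mail01, and the default hostname passed to probe_submission() is an assumption taken from the page's FQDN.

```python
import smtplib
import ssl

# Mechanisms that carry the password (or a trivially reversible encoding of it)
# in the clear; they should only be offered once STARTTLS is active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed EHLO replies, not captured from the page's server: the shape a
# submission port shows before and after STARTTLS when PLAIN/LOGIN are withheld
# on the unencrypted connection.
EHLO_BEFORE_TLS = (
    "vm-mail01.anydomain.com Hello client.example [192.0.2.10]\n"
    "STARTTLS\n"
    "AUTH DIGEST-MD5 CRAM-MD5\n"
    "SIZE 1000000\n"
    "ENHANCEDSTATUSCODES"
)
EHLO_AFTER_TLS = (
    "vm-mail01.anydomain.com Hello client.example [192.0.2.10]\n"
    "AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5\n"
    "SIZE 1000000\n"
    "ENHANCEDSTATUSCODES"
)


def parse_ehlo(reply: str) -> dict:
    """Map an EHLO reply body (greeting line first, then one extension per
    line) to {EXTENSION: parameters}; smtplib exposes the same data as
    SMTP.esmtp_features with lower-case keys."""
    features = {}
    for line in reply.splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            features[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return features


def audit_auth(before_tls: dict, after_tls: dict) -> list:
    """Findings for a submission port: STARTTLS must be offered, PLAIN/LOGIN
    must appear only after it, and some AUTH mechanism must remain afterwards."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS is not advertised on the plaintext connection")
    leaked = set(before_tls.get("AUTH", "").split()) & PLAINTEXT_MECHS
    if leaked:
        findings.append(
            f"{sorted(leaked)} offered before STARTTLS; clients may send the "
            "password in the clear (sendmail withholds them with the `p` flag "
            "in confAUTH_OPTIONS)"
        )
    if not after_tls.get("AUTH", "").split():
        findings.append("no AUTH mechanisms offered after STARTTLS")
    return findings


def probe_submission(host: str, port: int = 587) -> dict:
    """Live check against a real server over the network (not exercised by the
    offline test). Certificate verification uses the system trust store, so a
    broken chain fails here just as it would for a mail client."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        before = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # the extension list must be re-read after the TLS upgrade
        after = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        return {
            "tls_version": smtp.sock.version(),
            "cipher": smtp.sock.cipher()[0],
            "findings": audit_auth(before, after),
        }


if __name__ == "__main__":
    import sys
    # hostname is an assumption taken from the page's FQDN; override on the command line
    target = sys.argv[1] if len(sys.argv) > 1 else "test.anydomain.com"
    print(probe_submission(target))
```

An empty findings list together with a TLS 1.2 or 1.3 version line is the expected result after the Let's Encrypt certificates have been copied into /etc/mail/tls and sendmailconfig has been run; a certificate error from `starttls()` points at a stale fullchain.pem.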