Set up SPF, DKIM and DMARC Inside CyberPanel?

I think I found the answer to that. To prevent some headache, is that the perfect tutorial video to do that? (Cyberpanel and namecheap)

[https://www.youtube.com/watch?v=uzrixSmvZJA]

At 6:30 min, he explains. If I miss something, tell me.

I also found that
[https://community.cyberpanel.net/t/how-to-manually-set-up-spf-dkim-and-dmarc-inside-cyberpanel/30666]

But it seems complicated, I would rather just watch the video.

Thank you! :-)

10 Replies

The second link you posted seems right on the money (btw, you can leave out the [] around urls).

The email server used by Cyberpanel is postfix and the configuration file is /etc/postfix/main.cf. If you make changes to it, you need to restart postfix afterwards:

systemctl restart postfix

Creating DNS records for SPF and DMARC is only about half the job… If you want to enforce SPF and DMARC you'll have to add milters to the postfix configuration to take care of that as well. If you want to do greylisting, you'll need to see here: https://linoxide.com/setup-greylisting-service-postfix-mail-server/ (postgrey is not a milter).

If you want to be totally compliant, DMARC has other admin stuff that you have to do periodically outside the bubble of the mail server as well.

-- sw

Thx. One thing at a time.
I'm a complete beginner and I know nothing. When we see that as an example:

smtpd_recipient_restrictions =
    permit_mynetworks,
    check_policy_service unix:postgrey/socket,
    permit

Is it one command or 3 command line?? We just copy paste it?

I'll check the second link and will get back to you.

btw, is 2FA for Cyberpanel crackable?
I think yes. I would like to create a very strong password for Cyberpanel in the terminal but the only thing is that we can't see what we are typing as we do so. My goal would be to create a 32 random character password in a txt file and copy paste it in the terminal so that it will be uncrackable. Each time I create a Cyberpanel account, I get hacked by bots. I have to start all over again by rebuilding the linode. :-(
It's tedious especially when you're a beginner. What do you suggest?

> Is it one command or 3 command line?? We just copy paste it?

See my example of this option here:

https://www.linode.com/community/questions/23246/security-issue-for-new-email-server

It's a single option with an equals (=) separating the option name and the value. This option can have multiple values separated by commas. A value without a comma is considered to be the last one.

You could write it like this:

smtpd_recipient_restrictions = permit_mynetworks, check_policy_service unix:postgrey/socket, permit

Just FYI, permit is understood if you leave it off.

> Each time I create a Cyberpanel account, I get hacked by bots. I have to start all over again by rebuilding the linode. :-(

You're going to have to take this up with Cyberpanel. I don't have a clue. If what you say is the abstract truth (not a result of your lack of understanding), I would seriously re-evaluate my relationship with them as a user.

It's been my experience that "friendly front-ends" for system admin tasks just get in the way of what you're trying to do. You have to conform to the (mostly unwritten) rules the front-end's developer(s) decided to put in place and not write down or tell anyone about (they expect you to be clairvoyant I guess).

I also don't trust them to do the right thing in the first place…whether it be by design or defect. I've been burned too many times for that. This goes for distro-provided stuff like ufw, firewalld/firewall-config & the various package managers (although I use package managers, I’m very wary of them).

My advice would be to stop relying on Cyberpanel as a crutch and learn to do this stuff the old-fashioned way. While this may be tough at the beginning, when you're done you will be in a much better place…and know EXACTLY what's going on…not what Cyberpanel support (such as it is…given your status as a free-tier user) tells you what they think is going on (if they even respond to you in the first place, they don't really know and 9 times out of 10 they're just going to shine you on so they can close the call).

-- sw
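The answer above says the multi-line and one-line spellings are the same single option. The following is an added example, not part of the thread and not Postfix's own code, that reads main.cf "logical lines" by the rules in postconf(5) and shows the two forms yield one value, and what happens when the leading whitespace on the continuation lines is lost. The function name `parse_main_cf` and the sample strings are constructed for illustration.

```python
# Added example: minimal reader for Postfix main.cf logical lines.
# Rules implemented (postconf(5)): blank lines and lines whose first
# non-blank character is '#' are ignored; a line that starts with
# whitespace continues the previous logical line; format is "name = value".

# Constructed sample inputs: the two spellings discussed in the thread.
MULTI_LINE = """\
# greylisting via postgrey
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_policy_service unix:postgrey/socket,
    permit
"""
ONE_LINE = (
    "smtpd_recipient_restrictions = permit_mynetworks, "
    "check_policy_service unix:postgrey/socket, permit\n"
)
# Same text with the indentation stripped: the continuation lines are no
# longer part of the option and become stray lines without an '='.
FLATTENED = "\n".join(line.lstrip() for line in MULTI_LINE.splitlines())


def parse_main_cf(text):
    """Return (params, malformed); params maps name -> normalised value."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + stripped  # continuation of previous line
        else:
            logical.append(stripped)  # start of a new logical line
    params, malformed = {}, []
    for line in logical:
        name, sep, value = line.partition("=")
        if not sep:
            malformed.append(line)  # no '=': not a parameter definition
            continue
        # Collapse whitespace; a later definition overrides an earlier one.
        params[name.strip()] = " ".join(value.split())
    return params, malformed
```

On a live server, `postconf smtpd_recipient_restrictions` prints the value Postfix actually loaded, which is the check to run after editing the file.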

Thx for your example. So you can write an unfinished command and press on the down arrow key to keep going to the second line.

So it's interesting you're saying that Cyberpanel can hack my account. You don't trust them. It's quite logical. They may keep the logs. It's logical. One way to be 75% sure is to create a 50 random character password with 2FA authenticator app. If the account gets hacked, then Cyberpanel keeps logs. But they can spy without changing the password…

So what's the old-fashioned way? Any source? videos? a link?

I followed a Linode tutorial when I first set up my mail server many moons ago. The server (and the ecosystem I've built around it) has evolved greatly over the last 10 years but the basic guts are the same. I can't find it right now. Search the list of Linode tutorials. Since these are all free, you should sample any that interest you. Whatever you learn (or not) in the time spent on them will be valuable.

Of course, during the last stages of my working life, I had exposure to sendmail. While it may work well and be fast, it's a nightmare to understand and configure. postfix/dovecot are much (MUCH!) easier…

I worked a lot with apache in the early days of the web so it was learn or die…build custom modules, etc. There are lots of books about apache2 & how to configure it. Just do a search on amazon.com for a pretty comprehensive list. Pay attention to your goals and skill level when picking one of them.

For that matter, there are several good books on postfix/dovecot too.

Absolutely, get familiar with git.

I've been a Unix user since the ATT 6th Edition in 1975 (I'm prob old enough to be your grandfather) so there's that too… My advice would be to learn some programming before trying to become an expert sysadmin. This doesn't mean C/C++ (although that would be immensely helpful). In today's world, you can start off with shell scripting and perl and/or python (and maybe php). There's so much stuff print-published and online, that I couldn't even begin to give you a list.

-- sw

PS. Try your hand at bringing Linux up on physical hardware…not a VPS. Since Linux runs just about everywhere, you can buy used hardware at a place like discountcomputerdepot.com for not a lot of cash. Don't be afraid to screw up or change distros or try something like FreeBSD just because you can.

I have 2 HP EliteDesk 800 G3 Micro Desktops in my living room that run FreeBSD 13.1. I use one to write code, one to stage/test code for my Linode and I have my Linode (which also runs FreeBSD).

Thx a lot for that detailed answer!
I don't want to become a pro. I just want to take shortcuts. I really don't want to become a programmer. All I need is to set up a mail server and install a setup to protect it. Not more. I prefer a VPS over hardware.
Why are you saying it's better to own hardware?

If I understand your point, you're telling me to use Linode and postfix/dovecot? I can find a tutorial about it?

> I just want to take shortcuts.

Did you learn to drive before you could walk? Take it from someone who’s been there…the only way you’ll know it’s a shortcut is if you’ve done it the hard way first.

What you’re describing is impatience…always a vice when embarking on a new endeavor. No amount of knowledge or expertise comes to anyone instantaneously.

> Why are you saying it's better to own hardware?

Your own hardware makes a good test/experimentation/development platform…much better than a VPS that you’re using to provide service to others.

A second Linode would serve the same purpose if that’s what you wanted to use it for ($5 is prob less than that venti, half-caf extra foam, 120º, pumpkin spice latte you bought this morning).

> If I understand your point, you're telling me to use Linode and postfix/dovecot? I can find a tutorial about it?

First question: yes. Second question: look in Linode’s repository of tutorials.

> I really don't want to become a programmer.

Well…that may be your desire but it’s going to be damn near impossible to achieve because of the necessity of understanding shell scripting to automate routine tasks in a Unix/Linux environment. It’s unavoidable.

And you should still become familiar with git.

— sw

PS. @acanton77 has mentioned something he used several times called Mail in a Box. Perhaps you can investigate that as a shortcut:

https://www.linode.com/docs/guides/how-to-create-an-email-server-with-mail-in-a-box/

The problem of routine maintenance still remains…even the simplest server needs regular feeding/grooming. Mail in a Box includes spamassassin…what are you going to do if you want to implement a statistical spam filter too (say bogofilter)…or you want to turn on smtps?

I wasn't self-explanatory enough.
It's not impatience. It's because I do other things in my life that require time. Video montage, learning 3D modeling, having a Youtube channel, building a functional BB8. When I say shortcut, I mean copy pasting the right commands to achieve goals for the minimum requirements to create an email server and protect it.

Finding the right resources to do so would be the holy grail. Thx for the links. :-)

> When I say shortcut, I mean copy pasting the right commands to achieve goals for the minimum requirements to create an email server and protect it.

You don't want help or advice or even to learn…you just want one of us to do it for you (for free, I might add).

If you want a consultant, hire one. I can guarantee you can't afford me… Please accept my responses in the spirit in which they were given -- increasing the knowledge of the broader community. I had considered deleting them all but decided against it. You shan't receive any more.

Good luck to you.

Cautionary note to all the other contributors here.

-- sw

I don't want to learn programming. But I learned a lot since I'm here. Nobody will create an email server for me. I just search for some resources to copy paste codes. I didn't ask you to write the codes for me. I asked you specific questions about security as to what to do about it. Only then, I will search by myself the necessary codes.

By the way, a BB8 is a droid from Star Wars. Video montage, 3D modeling, Youtube channel, there are 24 hours in a day. I prefer to know a bit of everything and manage to create something than be an expert at something.
As I can understand you, you want me to become an expert at programming so that I can help others to do the same?
Will that be enough?
