Postfix + Dovecot + OpenDKIM + SPF/DKIM/DMARC + Roundcube (Nginx + MariaDB)
Written for Beginners – Secure, Structured, and Production-Ready
Below is a complete, detailed guide, without emoji, with full configuration examples for:
- Postfix
- Dovecot
- OpenDKIM
- Roundcube
- Nginx
- MariaDB
- Let’s Encrypt
All configuration is written out in full and is ready to use as a technical blog reference.
Example domain used:
domain: alfasmk.my.id
mail hostname: mail.alfasmk.my.id
webmail: webmail.alfasmk.my.id
Adjust these to match your own domain.
1. SERVER PREPARATION
Update the System
sudo apt update && sudo apt upgrade -y
sudo reboot
Install the Base Packages
sudo apt install postfix dovecot-core dovecot-imapd \
opendkim opendkim-tools \
nginx mariadb-server php-fpm php-mysql \
php-intl php-mbstring php-xml php-zip php-curl php-gd \
fail2ban firewalld certbot python3-certbot-nginx -y
2. COMPLETE POSTFIX CONFIGURATION
Main file:
/etc/postfix/main.cf
The following is a full example of a minimal configuration that is safe for production:
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
myhostname = mail.alfasmk.my.id
mydomain = alfasmk.my.id
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
relayhost =
mailbox_size_limit = 0
recipient_delimiter = +
home_mailbox = Maildir/
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.alfasmk.my.id/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.alfasmk.my.id/privkey.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/opendkim/opendkim.sock
non_smtpd_milters = unix:/opendkim/opendkim.sock
Important notes:
- mynetworks contains only localhost, to prevent an open relay.
- home_mailbox = Maildir/ makes Postfix store mail in Maildir format.
- smtpd_tls_auth_only = yes forces logins to happen only over TLS.
- The milter section connects OpenDKIM.
master.cf file
File:
/etc/postfix/master.cf
Make sure the submission service is enabled and secure:
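# Port 25: server-to-server delivery. AUTH is switched off here because
# main.cf sets smtpd_sasl_auth_enable = yes for every smtpd service.
smtp       inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
# Port 587: client submission, TLS and login required.
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING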
Notes:
- Port 25 (smtp) is for server-to-server traffic.
- Port 587 (submission) requires TLS and login.
- AUTH is not used on port 25.
Restart:
sudo postfix check
sudo systemctl restart postfix
3. COMPLETE DOVECOT CONFIGURATION
dovecot.conf
File:
/etc/dovecot/dovecot.conf
protocols = imap
listen = *
10-mail.conf
File:
/etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
}
10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext
Notes:
- Logins are only allowed over TLS.
- Linux system users are used as email accounts.
10-ssl.conf
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.alfasmk.my.id/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.alfasmk.my.id/privkey.pem
10-master.conf
The most important part for Postfix integration:
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Restart:
sudo systemctl restart dovecot
4. COMPLETE OPENDKIM CONFIGURATION
Main file:
/etc/opendkim.conf
Minimal complete contents:
Syslog yes
UMask 002
Mode sv
Canonicalization relaxed/simple
SubDomains no
Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
UserID opendkim:postfix
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
InternalHosts /etc/opendkim/trusted.hosts
trusted.hosts
127.0.0.1
localhost
*.alfasmk.my.id
signing.table
*@alfasmk.my.id default._domainkey.alfasmk.my.id
key.table
default._domainkey.alfasmk.my.id alfasmk.my.id:default:/etc/opendkim/keys/alfasmk.my.id/default.private
Generate key:
sudo mkdir -p /etc/opendkim/keys/alfasmk.my.id
cd /etc/opendkim/keys/alfasmk.my.id
sudo opendkim-genkey -s default -d alfasmk.my.id
sudo chown opendkim:opendkim default.private
sudo chmod 600 default.private
Restart:
sudo systemctl restart opendkim
sudo systemctl restart postfix
5. REQUIRED DNS RECORDS
A Record:
mail.alfasmk.my.id -> VPS IP
MX:
alfasmk.my.id -> mail.alfasmk.my.id
SPF:
"v=spf1 ip4:ip_vps ~all"
DKIM:
Copy the contents of default.txt into a DNS TXT record.
DMARC:
"v=DMARC1; p=none; rua=mailto:dmarc@alfasmk.my.id"
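opendkim-genkey writes default.txt as a BIND zone-file entry whose value is split across several quoted strings, while most DNS panels expect one unquoted value. The following added example (not part of the original guide) joins the chunks and rejects a record with an empty p= tag; the function names, the sample file and its key are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): flatten the BIND-style record
# that opendkim-genkey writes to default.txt into one TXT value.

# Print the TXT value: every quoted chunk, concatenated without the quotes.
dkim_txt_value() {
    grep -o '"[^"]*"' "$1" | tr -d '"\n'
}

# Succeed only if the value is a DKIM key record with a non-empty p= tag
# (an empty p= tells receivers the key has been revoked).
dkim_txt_ok() {
    value=$(dkim_txt_value "$1")
    case "$value" in
        v=DKIM1*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$value" |
        grep -Eq '(^|;)[[:space:]]*p=[A-Za-z0-9+/]+=*[[:space:]]*(;|$)'
}

# Constructed sample in the layout opendkim-genkey produces; the key is fake.
dkim_sample=$(mktemp)
cat > "$dkim_sample" <<'EOF'
default._domainkey      IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed"
          "SampleOnlyNotARealKeyIDAQAB" )  ; ----- DKIM key default for alfasmk.my.id
EOF

if dkim_txt_ok "$dkim_sample"; then
    dkim_txt_value "$dkim_sample"; echo
else
    echo "default.txt does not contain a usable DKIM record" >&2
fi
```

On the server, pass /etc/opendkim/keys/alfasmk.my.id/default.txt instead of the sample file and paste the printed value into the TXT record for default._domainkey.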
6. ROUNDCUBE + NGINX
Database
CREATE DATABASE roundcube;
CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'passwordkuat';
GRANT ALL PRIVILEGES ON roundcube.* TO 'roundcube'@'localhost';
FLUSH PRIVILEGES;
Nginx Virtual Host
File:
/etc/nginx/sites-available/webmail.alfasmk.my.id
server {
    listen 80;
    server_name webmail.alfasmk.my.id;
    root /var/www/roundcube/public_html;
    index index.php;
    location / {
        try_files $uri $uri/ /index.php;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    }
    location ~ /\. {
        deny all;
    }
}
Enable HTTPS:
sudo certbot --nginx -d webmail.alfasmk.my.id
7. FINAL TESTING
Check the ports:
ss -tulpn
Test SMTP TLS:
openssl s_client -connect mail.alfasmk.my.id:587 -starttls smtp
Test IMAP:
openssl s_client -connect mail.alfasmk.my.id:993
Check the headers in Gmail:
These must PASS:
- SPF
- DKIM
- DMARC
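One way to check the three verdicts from a saved copy of the message instead of reading the header by eye. This is an added example, not part of the original guide; the function names, the sample headers and the address 203.0.113.10 are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): read the verdicts a receiver
# recorded in Authentication-Results and require SPF, DKIM and DMARC to pass.

# Print the result for one method (spf, dkim or dmarc) from a saved message.
auth_result() {
    awk -v m="$1" '
        /^$/       { exit }                      # end of headers
        /^[^ \t]/  { inhdr = (tolower($0) ~ /^authentication-results:/) }
        inhdr      { buf = buf " " $0 }          # unfold continuation lines
        END {
            n = split(buf, part, ";")
            for (i = 1; i <= n; i++) {
                p = part[i]
                sub(/^[ \t]+/, "", p)
                if (index(p, m "=") == 1) {
                    r = substr(p, length(m) + 2)
                    sub(/[^a-z].*/, "", r)       # keep only the verdict word
                    print r
                    exit
                }
            }
        }' "$2"
}

# Succeed only when all three checks report "pass".
mail_auth_ok() {
    for method in spf dkim dmarc; do
        [ "$(auth_result "$method" "$1")" = "pass" ] || return 1
    done
}

# Constructed headers in the shape Gmail shows under "Show original".
auth_sample=$(mktemp)
cat > "$auth_sample" <<'EOF'
Authentication-Results: mx.google.com;
       dkim=pass header.i=@alfasmk.my.id header.s=default;
       spf=pass (google.com: domain of user@alfasmk.my.id designates 203.0.113.10 as permitted sender) smtp.mailfrom=user@alfasmk.my.id;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alfasmk.my.id
From: user@alfasmk.my.id
Subject: test

body
EOF

for method in spf dkim dmarc; do
    echo "$method: $(auth_result "$method" "$auth_sample")"
done
```

Save the message from Gmail's "Show original" view to a file and pass its path to mail_auth_ok; a non-zero exit status means at least one of the three checks did not pass.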
CONCLUSION
With the complete configuration above:
- Postfix is protected against open relay
- Dovecot is secured with mandatory TLS
- SMTP AUTH is only available on port 587
- DKIM is active and integrated
- SPF and DMARC are valid
- Webmail is secured with HTTPS