[TUTORIAL] How To Set Up Your Own Linux SMTP Server - With IP Rotation - rDNS - SPF - DKIM

Discussion in 'Making Money' started by dariobl, Oct 1, 2012.

  1. dariobl

    dariobl BANNED BANNED

    Jul 11, 2012
    Hello my dear BHW fellas,

    Since I have noticed that a lot of guys, even some from this forum, are charging 100's of dollars for setting up a good Linux SMTP server with IP rotation, I decided to write a nice tutorial for all of you who do not have 100's of $ to spend on that.

    Some of the things I'm going to write here are, actually, copy/pasted from other sources; I simply can't be arsed to rewrite something that is really common :).

    OK, so what are you going to need?

    1) A Linux server (obviously lol :D). I have used CentOS as the OS, so I suggest you go with it also. You can buy either a VPS or a dedicated server, it does not really matter; we don't need some killing machine for this, Postfix will not take a lot of resources, but I do recommend buying at least 512 MB of RAM and 20 GB of HDD. You need to buy a VPS with many IP addresses. Nowadays IPs have become expensive and hard to get; you need to fill in a stupid justification and other stuff to get a lot of IPs, but you can still find providers which won't ask you for that.

    Here is one good hoster: http://www.host1plus.com/vps-hosting/

    They DO ALLOW mass mailing; however, they are not saying they allow SPAM, but since they can't prove whether you really have opt-in lists or not, just make sure to make your emails look legit with an opt-out link and some fake company info, and make them look good and not spam-like with just a banner image inside lol.

    They are hosted in Germany and the price per IP is 2$. You can find them cheaper, but these guys are quality and their TOS allows mass mailing, so it's up to you where you are going to buy a VPS.

    If you spend some time on Google you will also find very cheap VPSs which come with 4 or even 8 IPs by default; they are also a good solution.

    But I highly recommend you buy at least 50 IPs; that will increase your inbox ratio a lot and won't lead your IPs to blacklists fast. You will get blacklisted, that's a matter of time, but more IPs means more time without blacklisting. If you can afford yourself 200 IPs and if you will send only 100 emails per day per IP (20000 / day), you won't get blacklisted ever.

    Also, at the end of this topic I will explain how to get whitelisted on some ISPs, mail providers and spam filters.

    1) Install Postfix

    This tutorial is for Debian; everything is the same as with other Linuxes, just don't use the sudo command :).


    You will be shocked at how simple it is to install the Postfix mail server. All you have to do is follow these steps:

    1) Open up a terminal window (or, if you are using a GUI-less server just log in).

    2) Issue the command sudo apt-get install postfix.

    That's it! Of course, depending upon the current state of your distribution, the installation may or may not have to install some dependencies. But this will happen automatically for you. The installation will also automatically start the Postfix daemon for you. So as soon as installation is complete you can test to make sure you can connect to your Postfix server with the command:

    telnet localhost 25

    You should see something like this:

    Connected to www.mymail.com.
    Escape character is '^]'.
    220 localhost.localdomain ESMTP Postfix (Ubuntu)

    Now you might want to first make sure you can also connect to your domain in the same way with the command:

    telnet www.mymail.com 25

    Of course you will use your own FQDN in the above command (instead of mymail.com). Hopefully you will see the same output you did when you used localhost. If not, you will have to check to make sure your domain is pointing to your server or that port 25 traffic can get to your server from your router, switch, or firewall. Those issues are beyond the scope of this article however.

    Now it is time to start configuration.

    Configuring Postfix

    The Postfix mail server has one main configuration file /etc/postfix/main.cf. This is where you will do the bulk of your configurations. Open this file up in your favorite text editor (mine is Nano) and look for the following section:

    myhostname =
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination =
    relayhost =
    mynetworks =
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all

    This is the section of the configuration file you must focus on. And, believe it or not, there isn't much to do. Below are the sections you need to configure:

    myhostname: This is the hostname of your machine. But don't put the full hostname. If your machine hostname is mail.mydomain.com you will only use mydomain.

    mydestination: This parameter specifies what destinations this machine will deliver locally. The default is:

    mydestination = $myhostname localhost.$mydomain localhost

    You could also use something like what I have used in the past (for simplicity's sake):

    mydomain.com mydomain localhost.localdomain localhost

    This call is up to you. Either way will work, but the latter line will help to avoid mail loops.

    mynetworks: This line is a bit trickier. This entry will define authorized destinations that mail can be relayed from. You would think that adding your subnet here would work. Sometimes that is the case; sometimes not. You could go with a mynetworks entry that looks like:

    mynetworks =

    The above entry is a safe entry and defines local machines only.

    You could also have an entry that looks like:

    mynetworks =

    The above entry would authorize local machines and your internal network addresses.

    I have found, however, that the above entries will cause problems with relaying due to constantly changing dhcp addresses. Because of this I have used the following, specialized entry which will avoid this issue:

    mynetworks = [::ffff:]/104 [::1]/128

    Now, if your mail server serves up mail to your entire domain, you will need to add another entry to that section above. That entry is:

    mydomain = mydomain.com

    Again, as in all configurations above, the mydomain.com will be substituted with your real domain.

    Now, save that configuration file and restart your mail server with the command:

    sudo /etc/init.d/postfix reload

    Your mail server should be up and running.


    Since this is a Linux mail server, you will need to make sure you have a user name that corresponds with every email address you need. If your server has a GUI you can just use the GUI tool for this. If your server is a GUI-less server you can create users with the command:

    sudo useradd -m USERNAME

    Where USERNAME is the actual name of the user. The next step is to give the username a password with the command:

    sudo passwd USERNAME

    Again, where USERNAME is the actual username. You will be prompted to enter the new password twice.

    2) Set Up DKIM On Postfix With dkim-milter (CentOS 5.2)

    This howto has been superseded by http://www.topdog.za.net/postfix_dkim_milter

    DKIM is an authentication framework which stores public keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's DomainKeys and Cisco's Identified Internet Mail specification. It is defined in RFC 4871.

    We will be using the milter implementation of DKIM, http://dkim-milter.sf.net, on CentOS 5.2.

    I provide CentOS RPMs for dkim-milter at http://www.topdog-software.com/oss/ so we will install the latest version.

    Install the RPM (32-bit and 64-bit Intel supported):

    # wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_key.txt
    # rpm --import andrew_topdog-software.com_key.txt
    # rpm -Uvh http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.2-0.$(uname -i).rpm

    Generate the Keys
    # sh /usr/share/doc/dkim-milter-2.8.2/dkim-genkey.sh -r -d <domain_name>

    Replace <domain_name> with the domain name you will be signing the mail for. The command will create two files:

    default.txt - contains the public key you publish via DNS
    default.private - the private key you use for signing your email

    Move the private key to the dkim-milter directory and secure it.

    # mv default.private /etc/mail/dkim/default.key.pem
    # chmod 600 /etc/mail/dkim/default.key.pem
    # chown dkim-milt.dkim-milt /etc/mail/dkim/default.key.pem

    DNS Setup
    You need to publish your public key via DNS; client servers use this key to verify your signed email. The contents of default.txt is the line you need to add to your zone file. A sample is below:

    default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for topdog-software.com

    Also add this to your zone file.

    _ssp._domainkey IN TXT "t=y; dkim=unknown"

    Create the file /etc/sysconfig/dkim-milter with the contents below, overwriting the existing sample file that was installed by the rpm. Make sure you set the SIGNING_DOMAIN variable to the domain or domains you will be signing mail for.

    PORT="inet:20209@localhost"

    EXTRA_ARGS="-h -l -D"

    Configure Postfix
    You need to add the following options to the postfix main.cf file to enable it to use the milter.

    smtpd_milters = inet:localhost:20209
    non_smtpd_milters = inet:localhost:20209

    Append the dkim-milter options to the existing milters if you have other milters already configured.

    Start dkim-milter and restart postfix

    # service dkim-milter start
    # service postfix restart

    Send an email to [email protected] or [email protected], you will receive a response stating if your setup is working correctly. If you have a Gmail account you can send an email to that account and look at the message details similar to the picture below, you should see signed-by "your domain" if your setup was done correctly.

    3) SPF

    This tutorial shows how to implement SPF (Sender Policy Framework) in a Postfix 2.x installation. The Sender Policy Framework is an open standard specifying a technical method to prevent sender address forgery (see http://www.openspf.org/Introduction). There are lots of SPF extensions and patches available for Postfix, but most require that you recompile Postfix. Therefore we will install the postfix-policyd-spf-perl package from openspf.org which is a Perl package and can be implemented in existing Postfix installations (no Postfix compilation required).

    I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

    1 Preliminary Note
    I assume that you have already set up a working Postfix mail server.

    The following procedure is distribution-independent, i.e., it should work on any Linux distribution (however, I tested this on Debian Etch).

    2 Install Required Perl Modules
    The postfix-policyd-spf-perl package depends on the Mail::SPF and the NetAddr::IP Perl modules. Therefore we are going to install them now using the Perl shell. Start the Perl shell like this:

    perl -MCPAN -e shell

    If you run the Perl shell for the first time, you will be asked a few questions. You can accept all default values. You will also be asked about the CPAN repositories to use. Select repositories that are close to you.

    After the initial Perl shell configuration, we can start to install the needed modules. To install Mail::SPF, simply run

    install Mail::SPF

    In my case, it tried to install Module::Build (which is a dependency), but then it failed. If this happens to you, simply quit the Perl shell by typing


    Then start the Perl shell again:

    perl -MCPAN -e shell

    and try to install Mail::SPF again:

    install Mail::SPF

    This time it should succeed, and you should see that it also installs the modules Net::DNS::Resolver::programmable and NetAddr::IP on which Mail::SPF depends.

    A successful installation of Mail::SPF should end like this:

    Installing /usr/local/bin/spfquery
    Writing /usr/local/lib/perl/5.8.8/auto/Mail/SPF/.packlist
    /usr/bin/make install -- OK

    Because NetAddr::IP has already been installed, we can now leave the Perl shell:


    3 Install postfix-policyd-spf-perl
    Next we download postfix-policyd-spf-perl from http://www.openspf.org/Software to the /usr/src/ directory and install it to the /usr/lib/postfix/ directory like this:

    cd /usr/src
    wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.001.tar.gz
    tar xvfz postfix-policyd-spf-perl-2.001.tar.gz
    cd postfix-policyd-spf-perl-2.001
    cp postfix-policyd-spf-perl /usr/lib/postfix/policyd-spf-perl

    Then we edit /etc/postfix/master.cf and add the following stanza at the end:

    vi /etc/postfix/master.cf

    policy unix - n n - - spawn
      user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl

    (The leading spaces before user=nobody are important so that Postfix knows that this line belongs to the previous one!)

    Then open /etc/postfix/main.cf and search for the smtpd_recipient_restrictions directive. You should have reject_unauth_destination in that directive, and right after reject_unauth_destination you add check_policy_service unix:private/policy like this:

    vi /etc/postfix/main.cf

    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policy

    or like this:

    smtpd_recipient_restrictions =
      permit_sasl_authenticated
      permit_mynetworks
      reject_unauth_destination
      check_policy_service unix:private/policy

    It is important that you specify check_policy_service AFTER reject_unauth_destination or else your system can become an open relay!

    Then restart Postfix:

    /etc/init.d/postfix restart

    That's it already. You should check the README file that comes with the postfix-policyd-spf-perl package, it contains some important details about how postfix-policyd-spf-perl processes emails, e.g. like this part from the postfix-policyd-spf-perl-2.0001 README:

    This version of the policy server always checks HELO before Mail From (older
    versions just checked HELO if Mail From was null). It will reject mail that
    fails either Mail From or HELO SPF checks. It will defer mail if there is a
    temporary SPF error and the message would otherwise be permitted
    (DEFER_IF_PERMIT). If the HELO check produces a REJECT/DEFER result, Mail From
    will not be checked.

    If the message is not rejected or deferred, the policy server will PREPEND the
    appropriate SPF Received header. In the case of multi-recipient mail, multiple
    headers will get appended. If Mail From is anything other than completely empty
    (i.e. ) then the Mail From result will be used for SPF Received (e.g. Mail
    From None even if HELO is Pass).

    The policy server skips SPF checks for connections from the localhost (127.) and
    instead prepends and logs 'SPF skipped - localhost is always allowed.'


    First we need to create interface aliases for your public IPs.

    Let's say you have 5 IPs:

    #ifup eth0:1
    #ifup eth0:2
    #ifup eth0:3
    #ifup eth0:4

    Now the iptables part. Make sure your iptables has support for the statistic match module.

    # iptables -m statistic -h
    statistic match options:
    --mode mode Match mode (random, nth)
    random mode:
    --probability p Probability
    nth mode:
    --every n Match every nth packet
    --packet p Initial counter value (0 <= p <= n-1, default 0)

    Next, continue with the iptables rules for rotating source IP addresses.

    # iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 5 -j SNAT --to-source 202.XXX.XX.2
    # iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 5 -j SNAT --to-source 202.XXX.XX.3
    # iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 5 -j SNAT --to-source 202.XXX.XX.4
    # iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 5 -j SNAT --to-source 202.XXX.XX.5
    # iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 5 -j SNAT --to-source 202.XXX.XX.6


    The easiest way to get rDNS is to buy a domain with your VPS and ask your host to set up rDNS with your VPS; they will do it for free. A domain is not really expensive and it will save you some time :).

    7) Whitelisting

    Whitelisting can help your emails reach the inbox instead of the spam folder.

    I will teach you now how to whitelist yourself on some spam filter systems and some email providers.

    First of all, you must have a domain which has valid rDNS with your server, and you must have a web site on your domain. This may take you some time, but I highly recommend you make a fake marketing agency web site. I know this may sound unethical and maybe even illegal (okay, it's hard to believe it could be illegal since there are tons of hosting companies, web design agencies and so on which are not registered anywhere), and you can make some simple-looking web site explaining that you are providing email marketing services to your clients. Make sure you make it clear that you have ZERO tolerance for spam and that all emails you have in your lists are generated by you, bla bla, opt in, bla bla, CAN-SPAM, bla bla, just google some email marketing agency and see what they say :). This will help you A LOT to get whitelisted almost anywhere.


    URL : http://postmaster.aol.com/cgi-bin/whitelist/whitelist_guides.pl

    It's very easy to get on their whitelist, but if they get tons of spam complaints about your messages, you will be moved to the blacklist very fast ^^


    URL : http://help.yahoo.com/l/us/yahoo/mail/postmaster/bulkv2.html

    It's hard to get whitelisted on Yahoo, but give it a try.


    URL : https://support.msn.com/eform.aspx?productKey=edfsjmrpp&ct=eformts


    - http://v4bl.org/

    http://www.spamhauswhitelist.com/en/ - only with invite, so it's almost impossible to get there, but it's worth it if you can

    Basically here is the list of almost all spam filter systems, so Google their unblacklisting or whitelisting pages:

    EFnet RBL

    So that's it guys, if you followed my tutorial correctly you have just saved yourself 100's of $ and learned something very useful.

    Have fun and make some cash ;)

    Till next tutorial

    • Thanks Thanks x 80
    Last edited: Oct 1, 2012
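
Added example, not part of the original post or of Postfix: a small audit of main.cf for the ordering rule stated in the SPF section, that check_policy_service must come after reject_unauth_destination or the server can become an open relay. It applies the same continuation-line rule the post describes for master.cf; the function names and the sample configurations are constructed for illustration.

```python
import re

# Restrictions that refuse mail for destinations this server does not handle.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination", "reject"}


def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines.

    A line that starts with whitespace continues the previous logical line;
    blank lines and lines whose first non-blank character is '#' are skipped.
    """
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] += " " + stripped
            continue
        name, sep, value = raw.partition("=")
        current = (name.strip() or None) if sep else None
        if current is not None:
            params[current] = value.strip()  # a later definition replaces an earlier one
    return params


def split_restrictions(value):
    """Split a restriction list into (name, argument) pairs in evaluation order.

    Only check_policy_service is paired with its argument; arguments of other
    lookups stay as separate entries, which does not affect the audit below.
    """
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        if tokens[i] == "check_policy_service" and i + 1 < len(tokens):
            items.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            items.append((tokens[i], None))
            i += 1
    return items


def audit_relay_order(main_cf_text, param="smtpd_recipient_restrictions"):
    """Return a list of findings; an empty list means the ordering is safe."""
    params = parse_main_cf(main_cf_text)
    if param not in params:
        return [f"{param}: not set in this file"]
    items = split_restrictions(params[param])
    guard = next((i for i, (n, _) in enumerate(items) if n in RELAY_GUARDS), None)
    if guard is None:
        return [f"{param}: no relay guard (reject_unauth_destination) in the list"]
    return [
        f"{param}: check_policy_service {arg} comes before {items[guard][0]}"
        for name, arg in items[:guard]
        if name == "check_policy_service"
    ]


# Constructed sample configurations.
GOOD = "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policy\n"
BAD = """\
# policy lookup placed before the relay guard
smtpd_recipient_restrictions =
    permit_mynetworks
    check_policy_service unix:private/policy
    reject_unauth_destination
"""
NO_GUARD = "smtpd_recipient_restrictions =\n    check_policy_service unix:private/policy\n"

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD), ("no guard", NO_GUARD)):
        print(label, audit_relay_order(cfg) or "ok")
```
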
  2. kuzmanin

    kuzmanin Regular Member

    Jul 17, 2010
    wow that is a massive tutorial
    10x for sharing
    maybe I am going to use it in the next 2-3 months
  3. Riders On The Storm

    Riders On The Storm Jr. VIP Jr. VIP

    Feb 27, 2012
    thanks bro. Ctrl+S :)
  4. pasenseoso

    pasenseoso Power Member

    Aug 19, 2011
    - - P I L I P I N A S - -
    I'm not ready to use this but for sure others will find this very very useful. :)

    rep'd! :)
  5. thejake

    thejake Power Member

    Nov 13, 2009
    The least you can do if you're going to try to pass off a bunch of copypasta as a tutorial is make sure you're c&p'ing the latest version of stuff.
  6. dariobl

    dariobl BANNED BANNED

    Jul 11, 2012
    At least I put everything in one place and I have NICELY TOLD you that most of this is copy / paste, so I was not claiming that this is all mine.

    Besides, this has been hot stuff for years, NOBODY HAS EVER posted a complete tutorial for this ANYWHERE, and it's hard as hell to find all the information on Google.

    Also I have told you how to do IP rotation; that information is not shared anywhere so far on any forum. Do you know why? Because that script costs 350 $ for Interspire.

    Besides, take a look at something like this : http://www.freelancer.com/job-search/dkim-domain-keys-spf-rdns-senderid/

    And about the "latest version": I don't care what is the latest or newest version, I'm posting the one which worked for me in the past...

    I don't understand why people have to be so fucking retarded....
    • Thanks Thanks x 7
    Last edited: Oct 2, 2012
  7. thejake

    thejake Power Member

    Nov 13, 2009
    You C&P'd some iptables rules from the postfix mailing list from years ago that have the minor flaw of not working. For the past 4 years or so postfix uses the smtp_bind_address directive to use multiple IPs and ip rotation can be achieved with route balancing.
  8. dariobl

    dariobl BANNED BANNED

    Jul 11, 2012
    Well guess what, it works for me, and it has worked for years, never had a problem with it.

    Besides, if you are so smart, go ahead and write a tutorial so that people could learn something from you?
    • Thanks Thanks x 1
  9. John.

    John. Power Member

    Feb 9, 2008
    very detailed work, well done
  10. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Jan 27, 2009
    I'm pretty sure I've seen both before on the forum :eek:

    That said, sharing is good. Taking extra care of the quality of the share, even better.
  11. Amsterdammer

    Amsterdammer Power Member

    Aug 9, 2011
    Personally I don't care if the guide needs updating at release, Windows does it every time too. At the very least this guide shows a way to proceed in setting something like this up and at least he did share it, better than pointing your finger and shouting "You are wrong!"
    Haters will be haters but I think that by including the link to an updated version of that part in the guide just makes sure the people who can read and think will be able to use it while the people just smart enough to be potty trained will fail. Spoonfeeding has its limits.

    OP, have a chill pill and relax. There will always be people hating you for what you do.
    Thank you for sharing. :)

    • Thanks Thanks x 1
    Last edited: Oct 2, 2012
  12. sirgold

    sirgold BANNED BANNED

    Jun 25, 2010
    +5 rep for sure: excellent job summing up a working guide, solid and touching on most of the critical issues to get started. If ppl need to adjust a few firewall tables that's no big deal, plenty of info on any Linux board dealing with iptables: that's a non-problem... The big (and only) issue is/was finding all this wealth of info nicely packaged together like OP did, and I guess the cut-paste is a scapegoat accusation: we all know how tightly ppl try to keep this kind of info from prying eyes even if saturation will surely NEVER EVER be an issue in this specific field.. ;) If talking about this topic is against the ToS of the forum, it's definitely a whole different story.. But if you have ever put hours into researching this stuff (even for those that are not ehm, exactly first-time noobs..) you know for sure HOW HARD it is to gather enough "intel" to end up with a -practical- guide to start and how valuable this post is. Spot on, great job!
    • Thanks Thanks x 2
    Last edited: Oct 2, 2012
  13. zhaosaccount

    zhaosaccount BANNED BANNED

    Mar 6, 2009
    dariobl, you are a really good guy, thx for sharing.
    • Thanks Thanks x 1
  14. ShabbySquire

    ShabbySquire Power Member

    Nov 30, 2011
    Thanks for this tut!
    Last edited: Oct 2, 2012
  15. Miss Seoretician

    Miss Seoretician Jr. VIP Jr. VIP

    Aug 27, 2009
    excellent share , enjoy the +4 rep ;)
  16. skibio

    skibio Registered Member

    Apr 27, 2008
    Excellent share mate, everything is clear in this tutorial. But how do I implement IP rotation on my phplist or in IEM? Can you point me to a good article like this one? Thanks in advance.
  17. dariobl

    dariobl BANNED BANNED

    Jul 11, 2012
    Answered on pm :)
  18. Userabuser

    Userabuser Newbie

    Feb 27, 2011
    Excellent share , exactly what i was searching for , Thanks :)
  19. Paranoid Android

    Paranoid Android Jr. VIP Jr. VIP

    Jun 20, 2010
    Pantie Thief
    Native America
    apt-get install postfix is a debian/ubuntu command format, and you provide an rpm for the dkim installer?
  20. naveensingh

    naveensingh Power Member

    Feb 15, 2010
    Wordpress & Magento Expert
    United States