{"id":132,"date":"2025-12-20T05:09:57","date_gmt":"2025-12-20T05:09:57","guid":{"rendered":"https:\/\/blogs.giamkichsan.com\/?p=132"},"modified":"2025-12-21T01:31:37","modified_gmt":"2025-12-21T01:31:37","slug":"132","status":"publish","type":"post","link":"https:\/\/blogs.giamkichsan.com\/index.php\/2025\/12\/20\/132\/","title":{"rendered":"C\u00e0i \u0111\u1eb7t email server tr\u00ean Ubuntu"},"content":{"rendered":"\n

B\u01b0\u1edbc 1: C\u00e0i \u0111\u1eb7t Postfix (n\u1ebfu ch\u01b0a c\u00f3)<\/strong><\/h3>\n\n\n\n
sudo apt update\nsudo apt install postfix mailutils -y<\/code><\/pre>\n\n\n\n
    \n
  • <\/li>\n<\/ul>\n\n\n\n
    \n
    Khi c\u00e0i \u0111\u1eb7t:<\/p>\n\n\n\n
      \n
    • Ch\u1ecdn Internet Site<\/code><\/li>\n\n\n\n
    • System mail name: mail.giamkichsan.com<\/strong><\/li>\n<\/ul>\n\n\n\n
      \u0110\u00e2y l\u00e0 hostname mail server c\u1ee7a b\u1ea1n.<\/p>\n\n\n\n
      3\ufe0f\u20e3 Ki\u1ec3m tra hostname<\/strong><\/h4>\n\n\n\n
      hostnamectl set-hostname mail.giamkichsan.com\nhostname<\/code><\/pre>\n\n\n\n
        \n
      • mail.giamkichsan.com<\/code> ph\u1ea3i l\u00e0 hostname server.<\/li>\n\n\n\n
      • Ki\u1ec3m tra DNS A record: mail.giamkichsan.com<\/code> tr\u1ecf t\u1edbi IP server c\u1ee7a b\u1ea1n.<\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n
        B\u01b0\u1edbc 2: T\u1ea1o ho\u1eb7c d\u00f9ng ch\u1ee9ng ch\u1ec9 SSL\/TLS<\/strong><\/h3>\n\n\n\n
        B\u1ea1n c\u00f3 th\u1ec3 d\u00f9ng Let’s Encrypt<\/strong> ho\u1eb7c ch\u1ee9ng ch\u1ec9 t\u1ef1 k\u00fd (self-signed).<\/p>\n\n\n\n
        A. Ch\u1ee9ng ch\u1ec9 Let’s Encrypt: Y\u00eau c\u1ea7u ch\u1ee9ng ch\u1ec9 s\u1eed d\u1ee5ng ch\u1ebf \u0111\u1ed9 --standalone<\/code> (y\u00eau c\u1ea7u t\u1ea1m d\u1eebng m\u00e1y ch\u1ee7 web n\u1ebfu \u0111ang ch\u1ea1y tr\u00ean c\u1ed5ng 80)<\/h5>\n\n\n\n
        sudo apt install certbot\nsudo certbot certonly --standalone -d mail.giamkichsan.com<\/code><\/pre>\n\n\n\n
        Ch\u1ee9ng ch\u1ec9 s\u1ebd n\u1eb1m \u1edf:<\/p>\n\n\n\n
        \/etc\/letsencrypt\/live\/mail.giamkichsan.com\/fullchain.pem\n\/etc\/letsencrypt\/live\/mail.giamkichsan.com\/privkey.pem<\/code><\/pre>\n\n\n\n
        \n\n\n\n
        B\u01b0\u1edbc 3: C\u1ea5u h\u00ecnh Postfix \u0111\u1ec3 d\u00f9ng SSL\/TLS<\/strong><\/h3>\n\n\n\n
        M\u1edf file c\u1ea5u h\u00ecnh ch\u00ednh c\u1ee7a Postfix:<\/p>\n\n\n\n
        sudo nano \/etc\/postfix\/main.cf<\/code><\/pre>\n\n\n\n
        Th\u00eam ho\u1eb7c s\u1eeda c\u00e1c d\u00f2ng sau:<\/p>\n\n\n\n
        # Domain ch\u00ednh\nmyhostname = mail.giamkichsan.com\nmydomain = giamkichsan.com\nmyorigin = \/etc\/mailname\n\n# M\u00e1y ch\u1ee7 c\u1ee7a b\u1ea1n s\u1ebd g\u1eedi mail \u0111i t\u1eeb domain\ninet_interfaces = all\ninet_protocols = all\n\n# Mail \u0111\u1ecba ph\u01b0\u01a1ng\nmydestination = $myhostname, localhost.$mydomain, localhost, $mydomain\n\n# C\u00e1c m\u00e1y ch\u1ee7 m\u00e0 mail c\u1ee7a b\u1ea1n s\u1ebd relay\n#relayhost = \n\n# TLS (SSL)\nsmtp_tls_cert_file=\/etc\/letsencrypt\/live\/mail.giamkichsan.com\/fullchain.pem\nsmtp_tls_key_file=\/etc\/letsencrypt\/live\/mail.giamkichsan.com\/privkey.pem\nsmtp_use_tls=yes\nsmtp_tls_loglevel = 2\nsmtp_tls_security_level=may\nsmtp_tls_session_cache_database = btree:${data_directory}\/smtp_scache\n\n# TLS cho Postfix SMTPD (receiving)\nsmtpd_tls_cert_file = \/etc\/letsencrypt\/live\/mail.giamkichsan.com\/fullchain.pem\nsmtpd_tls_key_file = \/etc\/letsencrypt\/live\/mail.giamkichsan.com\/privkey.pem\nsmtpd_use_tls=yes\nsmtpd_tls_loglevel = 2\nsmtpd_tls_security_level = may\nsmtpd_tls_session_cache_database = btree:${data_directory}\/smtpd_scache\nsmtpd_tls_auth_only = yes\nsmtpd_recipient_restrictions = \n    permit_mynetworks,\n    permit_sasl_authenticated,\n    reject_unauth_destination\n\n# My networks (ch\u1ec9 m\u1ea1ng n\u1ed9i b\u1ed9 g\u1eedi mail)\n# mynetworks = 127.0.0.0\/8 [::1]\/128<\/code><\/pre>\n\n\n\n
        \n\n\n\n
        B\u01b0\u1edbc 4: B\u1eadt STARTTLS cho c\u1ed5ng SMTP<\/strong><\/h3>\n\n\n\n
        Trong file \/etc\/postfix\/master.cf<\/code>, \u0111\u1ea3m b\u1ea3o d\u00f2ng SMTPS (465) c\u00f3 STARTTLS:<\/p>\n\n\n\n
        smtps inet n       -       y       -       -       smtpd\n  -o syslog_name=postfix\/smtps\n  -o smtpd_tls_wrappermode=yes\n  -o smtpd_sasl_auth_enable=yes\n  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject<\/code><\/pre>\n\n\n\n
        \u0110i\u1ec1u n\u00e0y cho ph\u00e9p c\u00e1c client k\u1ebft n\u1ed1i v\u00e0 n\u00e2ng c\u1ea5p l\u00ean TLS.<\/p>\n\n\n\n
        \n\n\n\n
        B\u01b0\u1edbc 5: Ki\u1ec3m tra c\u1ea5u h\u00ecnh<\/strong><\/h2>\n\n\n\n
        Ki\u1ec3m tra c\u1ea5u h\u00ecnh Postfix:<\/p>\n\n\n\n
        sudo systemctl restart postfix\nsudo systemctl status postfix\nsudo postfix check<\/code><\/pre>\n\n\n\n
        B\u01b0\u1edbc 7: Ki\u1ec3m tra SSL\/TLS<\/strong><\/h3>\n\n\n\n
        B\u1ea1n c\u00f3 th\u1ec3 d\u00f9ng openssl<\/code> \u0111\u1ec3 ki\u1ec3m tra:<\/p>\n\n\n\n
        openssl s_client -connect mail.giamkichsan.com:465 -starttls smtp\n<\/code><\/pre>\n\n\n\n
        N\u1ebfu th\u00e0nh c\u00f4ng, b\u1ea1n s\u1ebd th\u1ea5y th\u00f4ng tin ch\u1ee9ng ch\u1ec9 v\u00e0 k\u1ebft n\u1ed1i \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a TLS.<\/p>\n\n\n\n
        B\u01b0\u1edbc 8:  C\u00e1ch gi\u1ea3i quy\u1ebft Gmail t\u1eeb ch\u1ed1i email v\u00ec domain mail.giamkichsan.com<\/code> ch\u01b0a c\u00f3 SPF\/DKIM<\/h3>\n\n\n\n
        1a. C\u1ea5u h\u00ecnh SPF cho domain<\/h4>\n\n\n\n
        \ud83d\udc49 V\u00e0o DNS c\u1ee7a giamkichsan.com<\/strong> ki\u1ec3m tra SPF<\/p>\n\n\n\n
        dig txt giamkichsan.com<\/code><\/pre>\n\n\n\n
        N\u1ebfu ch\u01b0a c\u00f3 th\u00ec add DNS record (TXT) cho giamkichsan.com<\/code>:<\/p>\n\n\n\n
        Type: TXT\nName: @\nValue:\nv=spf1 ip4:109.199.101.177 -all<\/code><\/pre>\n\n\n\n
        L\u01b0u \u00fd:<\/p>\n\n\n\n
          \n
        • 109.199.101.177<\/code> = IP VPS g\u1eedi mail<\/li>\n\n\n\n
        • -all<\/code> = ch\u1ec9 cho ph\u00e9p IP n\u00e0y g\u1eedi mail<\/li>\n<\/ul>\n\n\n\n
          <\/p>\n\n\n\n
          1b. SPF l\u00e0 g\u00ec<\/h4>\n\n\n\n
            \n
          • SPF x\u00e1c th\u1ef1c IP n\u00e0o \u0111\u01b0\u1ee3c ph\u00e9p g\u1eedi mail thay domain<\/strong>.<\/li>\n\n\n\n
          • N\u00f3 ki\u1ec3m tra mail \u0111\u1ebfn t\u1eeb server h\u1ee3p l\u1ec7 hay kh\u00f4ng.<\/li>\n\n\n\n
          • SPF ch\u1ec9 d\u1ef1a tr\u00ean \u0111\u1ecba ch\u1ec9 g\u1eedi (envelope sender), kh\u00f4ng ki\u1ec3m tra n\u1ed9i dung.<\/li>\n<\/ul>\n\n\n\n
            2. C\u00e0i \u0111\u1eb7t DKIM (n\u1ebfu mu\u1ed1n t\u0103ng uy t\u00edn)<\/h4>\n\n\n\n
            1\ufe0f\u20e3 C\u00e0i OpenDKIM<\/h4>\n\n\n\n
            sudo apt update\nsudo apt install opendkim opendkim-tools -y<\/code><\/pre>\n\n\n\n
            2\ufe0f\u20e3 T\u1ea1o th\u01b0 m\u1ee5c l\u01b0u key DKIM<\/h4>\n\n\n\n
            sudo mkdir -p \/etc\/opendkim\/keys\/giamkichsan.com\nsudo chown -R opendkim:opendkim \/etc\/opendkim\nsudo chmod -R 700 \/etc\/opendkim<\/code><\/pre>\n\n\n\n
            3\ufe0f\u20e3 T\u1ea1o DKIM key<\/h4>\n\n\n\n
            cd \/etc\/opendkim\/keys\/giamkichsan.com\nsudo opendkim-genkey -s mail -d giamkichsan.com\nsudo chown opendkim:opendkim mail.private\nsudo chmod 600 mail.private\n<\/code><\/pre>\n\n\n\n
              \n
            • -s mail<\/code> \u2192 selector (b\u1ea1n c\u00f3 th\u1ec3 \u0111\u1ed5i t\u00ean)<\/li>\n\n\n\n
            • -d giamkichsan.com<\/code> \u2192 domain c\u1ee7a b\u1ea1n<\/li>\n\n\n\n
            • Sau khi ch\u1ea1y xong, b\u1ea1n s\u1ebd c\u00f3 2 file:<\/li>\n\n\n\n
            • mail.private<\/code> \u2192 private key<\/li>\n\n\n\n
            • mail.txt<\/code> \u2192 public key \u0111\u1ec3 th\u00eam v\u00e0o DNS<\/li>\n<\/ul>\n\n\n\n
              4\ufe0f\u20e3 C\u1ea5u h\u00ecnh OpenDKIM<\/h4>\n\n\n\n
              M\u1edf file \/etc\/opendkim.conf<\/code> v\u00e0 ch\u1ec9nh \/ th\u00eam c\u00e1c d\u00f2ng:<\/p>\n\n\n\n
              sudo nano \/etc\/opendkim.conf<\/span><\/code><\/pre>\n\n\n\n
              # Phi\u00ean b\u1ea3n OpenDKIM\nSyslog                  yes\nUMask                   002\nUserID                  opendkim:opendkim\n\n# Th\u01b0 m\u1ee5c ch\u1ee9a key ri\u00eang\nKeyTable                \/etc\/opendkim\/KeyTable\nSigningTable            \/etc\/opendkim\/SigningTable\nExternalIgnoreList      \/etc\/opendkim\/TrustedHosts\nTrustedHosts            \/etc\/opendkim\/TrustedHosts\n\n# Ch\u1ebf \u0111\u1ed9 t\u1ef1 \u0111\u1ed9ng ch\u1ecdn selector n\u1ebfu c\u00f3 nhi\u1ec1u key\nAutoRestart             yes\nAutoRestartRate         10\/1h\nMode                    sv\nCanonicalization        relaxed\/simple\n\n##\nDomain                  giamkichsan.com\nSocket                  inet:12301@localhost \/\/ Chinh sua phu hop server<\/code><\/pre>\n\n\n\n
              \n\n\n\n
              ** T\u1ea1o c\u00e1c file h\u1ed7 tr\u1ee3<\/h4>\n\n\n\n
              a) KeyTable<\/code><\/h4>\n\n\n\n
              sudo nano \/etc\/opendkim\/KeyTable<\/code><\/pre>\n\n\n\n
              Th\u00eam ho\u1eb7c s\u1eeda d\u00f2ng:<\/p>\n\n\n\n
              #c\u00fa ph\u00e1p chu\u1ea9n: keyname  domain:selector:\/duong\/dan\/toi\/private.key\nmail._domainkey.giamkichsan.com giamkichsan.com:mail:\/etc\/opendkim\/keys\/giamkichsan.com\/mail.private\n<\/code><\/pre>\n\n\n\n