Mail Server – Postfix + Dovecot with TLS/SSL

Long-awaited howto: Postfix is probably the most popular mail server and is usually coupled with Dovecot or Courier and, in some cases, with anti-spam and antivirus filtering (we will see that in another article).

My previous tutorial on how to set up a mail server was based on Courier-imap, but as Dovecot became more and more popular, I had to give it a try!

Both mail systems are good, but each has its own pluses and minuses, from my experience and reading:

Courier
  + Extremely reliable
  + Powerful maildrop
  + Highly configurable
  – Larger memory footprint
  – Trashmail box not automatically expunged

Dovecot
  + Trashmail box automatically expunged
  + Low memory footprint
  + Good IMAP performance through indexing

These are obviously only my observations, and I know each project has actually found workarounds for its minuses.

As I’m a big IMAP user and usually never delete my mail, indexing is a big plus for me and I wanted to give it a shot; this is why I’ve migrated to Dovecot.

The tutorial below covers Postfix + Dovecot for IMAP with SSL/TLS security. User management is based on users created on the system (no SQL database or text file, as it is for a few users only).

Installation

Debian comes with a default MTA (Mail Transfer Agent) called Exim, which will no longer be needed, as we will replace it with Postfix.

sudo apt-get remove exim4 && sudo apt-get install postfix dovecot-core dovecot-imapd

Then you will need to select a configuration type; just choose “Internet Site”,

and you will need to type your system mail name. I suggest creating a dedicated subdomain and using it here; in my case it will be mail.freedif.org.

Doing so leaves you ready to add more mail servers or change things later more easily.

Configuration

We will assume you want to create an email account for your regular Debian or Ubuntu user. We will see later in this guide how to create new users.

SSL:

You can generate your own self-signed certificate by running the following command (as root):

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/myblog.key -out /etc/ssl/certs/myblog.pem

This will create a private key and a matching self-signed certificate, using 2048-bit RSA.

You will need to enter some info such as:

Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freedif    
Organizational Unit Name (eg, section) []:Freedif
Common Name (e.g. server FQDN or YOUR name) []:freedif.org  #### Your domain name !
Email Address []:karibu@freedif.org

You will reference this key and certificate in both the Postfix and the Dovecot configuration.
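The same generation step, scripted so it runs without the interactive prompts, plus the check I always run afterwards: that the certificate really belongs to the private key and that the key is not world-readable. This is an added example, not code from the original post; the subject fields reuse the sample answers above, and the file names passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed
# certificate generation with -subj, then a key/certificate match check.
# KEYFILE, CERTFILE and FQDN are supplied by the caller (assumptions).

# make_selfsigned KEYFILE CERTFILE FQDN: same as the interactive openssl req
# call in the post, with the prompt answers passed via -subj.
make_selfsigned() {
    key=$1; cert=$2; fqdn=$3
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$key" -out "$cert" \
        -subj "/C=TW/ST=Taiwan/L=Taipei/O=Freedif/OU=Freedif/CN=$fqdn/emailAddress=karibu@$fqdn" \
        >/dev/null 2>&1 || return 1
    chmod 600 "$key"    # the private key must only be readable by root
}

# keypair_matches KEYFILE CERTFILE: exit 0 when the public key embedded in the
# certificate equals the public half of the private key, 1 otherwise.
keypair_matches() {
    key=$1; cert=$2
    from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# cert_cn CERTFILE: print the Common Name, to confirm the FQDN was set.
# Handles both the old "subject= /C=..." and the new "subject=C = ..." layouts.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Stand-alone use:
#   sh make-cert.sh /etc/ssl/private/freedif.key /etc/ssl/certs/freedif.pem mail.freedif.org
if [ $# -eq 3 ]; then
    make_selfsigned "$1" "$2" "$3" && keypair_matches "$1" "$2" \
        && echo "OK: key and certificate match, CN=$(cert_cn "$2")"
fi
```

If keypair_matches fails after you copy files around, one of the two paths in main.cf or dovecot.conf is pointing at a stale file; Postfix will log a TLS library problem at startup rather than refuse to start, so the check is worth running before the restart.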

Postfix:

The main configuration file of Postfix is located at /etc/postfix/main.cf. I suggest removing all its content and replacing it with this one:

biff = no
myhostname = mail.freedif.org
myorigin = /etc/mailname
mydestination = mail.freedif.org, freedif.org, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

smtpd_tls_cert_file=/etc/ssl/certs/freedif.pem
smtpd_tls_key_file=/etc/ssl/private/freedif.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes

home_mailbox = Maildir/

Obviously, replace freedif.org with your own domain name, and do the same for the paths of the TLS certificate and key you have just created.

Then you need to modify the master file so that Postfix hands authentication over to Dovecot and accepts mail submission from your clients.

nano /etc/postfix/master.cf

and replace the commented-out #submission part with this one:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

Aliases:

You may want to set some aliases, so that mail sent to root@yourdomain or webmaster@yourdomain ends up in your account. To make changes, modify the file /etc/aliases.

# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: MYUSER!!

Basically it says that mailer-daemon is redirected to the postmaster user (you may not have a real user called postmaster; never mind), that postmaster is redirected to root, and that root is redirected to “MYUSER!!”. Just make sure this user suits your needs.

As it suits my needs, I didn’t change anything there. But if you make any changes, don’t forget to rebuild the alias database with the command:

newaliases
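To make the chain described above concrete (mailer-daemon to postmaster, postmaster to root, root to your user), here is a small resolver that follows an aliases file hop by hop and stops on a loop, which is the one mistake that is easy to make when editing that file by hand. It is an added example, not part of the original post; the sample aliases file is constructed inline, with root mapped to a made-up user "myuser".

```shell
#!/bin/sh
# Added example (not from the original post): follow an /etc/aliases chain to
# the final local user and detect alias loops. ALIASES_FILE defaults to a
# constructed sample file so the script runs without touching /etc/aliases.

ALIASES_FILE=${ALIASES_FILE:-$(mktemp)}

# Constructed sample, modelled on the Debian default file with root -> myuser,
# plus one deliberate loop to exercise the loop detection.
cat > "$ALIASES_FILE" <<'EOF'
# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
webmaster: root
abuse: root
security: root
root: myuser
ping: pong
pong: ping
EOF

# lookup_alias NAME: print the right-hand side for NAME, or nothing if NAME
# is not an alias (comments and blank lines are skipped).
lookup_alias() {
    awk -v n="$1" -F':' '
        /^[[:space:]]*#/ || NF < 2 { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == n {
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }
    ' "$ALIASES_FILE"
}

# resolve_alias NAME: print the final delivery target (a name that is not an
# alias, or a multi-recipient list printed as-is). Exit 1 after 10 hops,
# which means the file contains a loop.
resolve_alias() {
    name=$1; hops=0
    while :; do
        target=$(lookup_alias "$name")
        if [ -z "$target" ]; then
            printf '%s\n' "$name"
            return 0
        fi
        hops=$((hops + 1))
        if [ "$hops" -gt 10 ]; then
            echo "alias loop detected at '$name'" >&2
            return 1
        fi
        name=$target
    done
}

# Stand-alone use: sh resolve.sh mailer-daemon   (prints "myuser")
if [ $# -eq 1 ]; then
    resolve_alias "$1"
fi
```

Run it against the real file with ALIASES_FILE=/etc/aliases after editing and before newaliases; Postfix itself refuses to deliver looping aliases, but finding out from a bounce is slower than finding out here.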

Dovecot:

Now you need to configure Dovecot through the file /etc/dovecot/dovecot.conf. Here again I suggest removing everything and using mine. (The original file contains a lot of includes of sub-configuration files located in /etc/dovecot/conf.d.)

nano /etc/dovecot/dovecot.conf

and replace with:

disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = maildir:~/Maildir
userdb {
  driver = passwd
}

passdb {
  driver = pam
}

protocols = imap

#protocol imap {
#   mail_plugins = "autocreate"
#}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

ssl = required
ssl_cert = </etc/ssl/certs/freedif.pem
ssl_key = </etc/ssl/private/freedif.key

You will need to change the SSL certificate and key locations (last part of the file) so they point at the same files as in main.cf.
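Because the certificate paths now live in two files, here is the consistency check I run before restarting: it confirms that main.cf and dovecot.conf reference the same certificate and key, that Postfix keeps TLS offered, that SSLv2/SSLv3 are excluded, and that Dovecot only tolerates plaintext authentication when ssl is set to required (which is what makes the disable_plaintext_auth = no line above safe). This is an added example, not code from the original post; the two sample files are constructed from the values shown above, and the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): consistency check over the
# Postfix main.cf and Dovecot dovecot.conf TLS settings. Sample files are
# constructed in a temp directory; paths and values mirror the post.

WORK=${WORK:-$(mktemp -d)}

cat > "$WORK/main.cf" <<'EOF'
myhostname = mail.freedif.org
smtpd_tls_cert_file=/etc/ssl/certs/freedif.pem
smtpd_tls_key_file=/etc/ssl/private/freedif.key
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
EOF

cat > "$WORK/dovecot.conf" <<'EOF'
disable_plaintext_auth = no
ssl = required
ssl_cert = </etc/ssl/certs/freedif.pem
ssl_key = </etc/ssl/private/freedif.key
EOF

# cfg_get FILE KEY: print the value of "KEY = value" or "KEY=value", with
# surrounding blanks and Dovecot's file-reference prefix '<' removed.
cfg_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ || index($0, "=") == 0 { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key) }
        key == k {
            v = substr($0, index($0, "=") + 1)
            sub(/^[[:space:]]*<?/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }
    ' "$1"
}

# check_tls_config MAIN.CF DOVECOT.CONF: print one line per problem found;
# exit 0 only when the two files agree and the TLS settings are sane.
check_tls_config() {
    main=$1; dove=$2; problems=0
    pcert=$(cfg_get "$main" smtpd_tls_cert_file); dcert=$(cfg_get "$dove" ssl_cert)
    pkey=$(cfg_get "$main" smtpd_tls_key_file);   dkey=$(cfg_get "$dove" ssl_key)
    [ "$pcert" = "$dcert" ] || { echo "certificate mismatch: postfix=$pcert dovecot=$dcert"; problems=$((problems + 1)); }
    [ "$pkey" = "$dkey" ]   || { echo "key mismatch: postfix=$pkey dovecot=$dkey"; problems=$((problems + 1)); }
    case $(cfg_get "$main" smtpd_tls_security_level) in
        may|encrypt) ;;
        *) echo "smtpd_tls_security_level must be 'may' or 'encrypt'"; problems=$((problems + 1)) ;;
    esac
    protos=$(cfg_get "$main" smtpd_tls_protocols)
    case $protos in
        *"!SSLv2"*"!SSLv3"*) ;;
        *) echo "smtpd_tls_protocols does not exclude SSLv2 and SSLv3: '$protos'"; problems=$((problems + 1)) ;;
    esac
    ssl=$(cfg_get "$dove" ssl)
    if [ "$ssl" != "required" ] && [ "$(cfg_get "$dove" disable_plaintext_auth)" = "no" ]; then
        echo "dovecot allows plaintext auth but ssl is '$ssl', not 'required'"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh check.sh /etc/postfix/main.cf /etc/dovecot/dovecot.conf
if [ $# -eq 2 ]; then
    check_tls_config "$1" "$2" && echo "OK: Postfix and Dovecot TLS settings agree"
fi
```

The plaintext-auth rule is the one worth remembering: Dovecot's ssl = required refuses to authenticate on a connection that has not negotiated TLS, so disable_plaintext_auth = no is harmless there, but if ssl is later relaxed to yes the same line lets passwords cross the wire in clear.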

And finally, restart Postfix and Dovecot to apply all your changes:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

Users Management:

In case you want to create a new mailbox for a dedicated user, you can simply create a new user on your system and mail will work immediately.

As root, type:

useradd --create-home -s /sbin/nologin youruser
passwd youruser

The -s /sbin/nologin option prevents the user from logging in to your server via SSH, while mail access through Dovecot keeps working.

And that’s all at this stage.

You should now have a working mail setup that you can try with Thunderbird, for example. Thunderbird should detect the server settings, and you will be using STARTTLS for both IMAP and SMTP.

The next tutorial will cover how to add spam protection and virus scanning (although Linux is well protected against viruses, you may still want an antivirus scan for your Windows users or for when you access your mail from a Windows system).

EDIT: The next tutorial is ready:

Reduce SPAM and improve security – Amavis + SpamAssassin + ClamAV + Procmail + PostScreen

Suspicion


Loves to discover web-based apps to install on his own server@home and write articles about it
