How to: postfix, dovecot with imap, smtp sasl authentication, encryption

06 Feb 2010 at 00:00:00 - 3 comment(s)

This is a great how-to if you want to install and configure an email server. If you are struggling to do so, this post will put an end to it. I myself struggled to get everything working the way I wanted, especially getting SMTP to authenticate and getting rid of the "relay access denied" error I kept receiving even though authentication was working. On top of a working email server with encryption and authentication, we will configure spamassassin to get rid of spam. Configuration files are available for download, and they are guaranteed to work, unlike the thousands of tutorials I read.

Installation

The easiest part. You need to install just four things: postfix, dovecot, procmail and spamassassin.

procmail is an automatic mail processor. It takes care of delivering the emails to the right mailbox.

dovecot is an IMAP and POP3 server written with security primarily in mind.

postfix is the email server which is going to use dovecot and procmail.

Installing is easy. As I am using Arch Linux, I give the command for Arch Linux first and then the one for Debian-based distributions such as Ubuntu.

pacman -S dovecot postfix procmail spamassassin-spamc

And for Debian-based distributions:

apt-get install dovecot postfix procmail spamassassin

Configuration

That's the hard part, but as you'll have everything in this post it will be easy and smooth. The first thing is to create a mailbox for your user. Let's say you have a user marc whose home directory is /home/marc. Here is how you do it:

cd /home/marc/
maildirmake mail

You need this folder to belong to the user marc

chown -R marc:marc mail

Next, we set things up so that procmail can deliver emails to this user. To do so, create the file .procmailrc in the user's home folder.

vi /home/marc/.procmailrc

Here is the content of this file:

PATH=/bin:/usr/bin:/usr/local/bin:/usr/sbin
DROPPRIVS=yes
MAILDIR=$HOME/mail/
DEFAULT=$HOME/mail/
MAILLISTFOLDER=$MAILDIR/.mail-lists

:0
* ^X-Spam-Status: Yes
.Junk/

The first part of the file is easy to understand. The second part is for spamassassin: it is a filter telling procmail to deliver messages marked as spam to the Junk folder of your mailbox.

That's it for procmail. Now let's configure dovecot.

vi /etc/dovecot/dovecot.conf

The content of dovecot.conf

protocols = imap imaps
disable_plaintext_auth = no
log_timestamp = "%b %d %H:%M:%S "
ssl = yes
ssl_cert_file = /etc/ssl/certs/mail.crt
ssl_key_file = /etc/ssl/private/mail.key
mail_location = maildir:~/mail
mail_access_groups = mail
auth_username_chars = abcdefghijklmnopqrstuvwxyz
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      user = postfix
      group = postfix
      mode = 0660
    }
  }
}

I think most of what is here is clear; if not, leave a comment. You just need to check that the path /var/spool/postfix/private/auth exists. As you can see, the configuration references an SSL certificate and a key, which we need to generate.

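# Postfix cannot load a passphrase-protected key, so the key is generated unencrypted.
# 1024-bit RSA keys are rejected by current TLS libraries; use at least 2048 bits.
openssl genrsa -out mail.key 2048
openssl req -new -key mail.key -out mail.csr
openssl x509 -req -days 3650 -in mail.csr -signkey mail.key -out mail.crt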

Don't forget to move the generated files to the right place: mail.crt to /etc/ssl/certs/ and mail.key to /etc/ssl/private/, the paths used in dovecot.conf. We're done with dovecot. Let's move on to postfix.

There are essentially 2 configuration files for postfix: main.cf and master.cf

Edit main.cf

vi /etc/postfix/main.cf

The content of main.cf

daemon_directory = /usr/lib/postfix

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Generate "delayed mail" warnings after 4 hours
delay_warning_time = 4h

myhostname = test.com
mydomain = test.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = test.com
mydestination = localhost, localhost.localdomain, test.com

mynetworks = 127.0.0.1

mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

smtpd_use_tls = yes
smtpd_tls_loglevel = 2
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_sasl_auth_enable = yes
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

I was struggling for 4 days before I got it to work. Indeed I was getting relay access denied though my authentication was working fine. The only thing I was missing was:
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
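
Why that one line matters, as an added example that is not part of the original post: a simplified model of how Postfix walks a recipient restriction list at RCPT TO, comparing the list above with the `permit_mynetworks, reject_unauth_destination` default of Postfix releases before 2.10. The client addresses and recipients are constructed, and relay_domains and virtual domains are left out of the model.

```python
# Added example: simplified model of Postfix recipient-restriction evaluation.
# Only the three restrictions used in this post are modelled; the client and
# sender restriction lists, which Postfix evaluates separately, are left out.
import ipaddress

MYNETWORKS = ["127.0.0.1"]                                   # from main.cf above
MYDESTINATION = {"localhost", "localhost.localdomain", "test.com"}

# Recipient restrictions shipped by Postfix releases before 2.10
DEFAULT_RCPT = "permit_mynetworks, reject_unauth_destination"
# The line added in this post
FIXED_RCPT = "permit_sasl_authenticated, reject_unauth_destination"


def evaluate(restrictions, client_ip, authenticated, rcpt):
    """Return 'permit' or 'reject' for one RCPT TO; first decisive result wins."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    addr = ipaddress.ip_address(client_ip)
    for name in (r.strip() for r in restrictions.split(",")):
        if name == "permit_sasl_authenticated":
            if authenticated:
                return "permit"
        elif name == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(n) for n in MYNETWORKS):
                return "permit"
        elif name == "reject_unauth_destination":
            if domain not in MYDESTINATION:
                return "reject"          # logged as "Relay access denied"
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "permit"                      # end of list: nothing objected


def scenarios():
    """Constructed clients: label -> (result with default, result with fix)."""
    cases = [
        ("logged-in roaming user, external rcpt", "203.0.113.7", True, "bob@example.org"),
        ("unauthenticated client, external rcpt", "203.0.113.7", False, "bob@example.org"),
        ("unauthenticated client, local rcpt", "203.0.113.7", False, "marc@test.com"),
    ]
    return {label: (evaluate(DEFAULT_RCPT, ip, auth, rcpt),
                    evaluate(FIXED_RCPT, ip, auth, rcpt))
            for label, ip, auth, rcpt in cases}


if __name__ == "__main__":
    for label, (before, after) in scenarios().items():
        print(f"{label:40} default={before:7} fixed={after}")
```

With the default list a successful login is never consulted, so the roaming user is rejected as a relay attempt; with the fixed list that user is permitted while unauthenticated relaying stays rejected and inbound mail for test.com is still accepted.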

Now you need to edit master.cf

vi /etc/postfix/master.cf

The content of master.cf

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
smtps     inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/perlbin/vendor/spamc -f -e
        /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Almost done. The only thing left is spamassassin. I personally kept the default configuration as it works pretty well for me but if you want to do some customization there, just edit /etc/mail/spamassassin/local.cf

Finally just start it up (on debian distribs you would replace rc.d by init.d)

/etc/rc.d/dovecot start
/etc/rc.d/postfix start
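
A check for the one gap the files above leave open: both daemons accept passwords before TLS is negotiated. This is an added example, not part of the original post or its downloadable files; it reads excerpts of the dovecot.conf and main.cf shown above, and the function names are illustrative.

```python
# Added example: flags settings that let a password cross the network in clear.
import re

# Excerpts of the dovecot.conf and main.cf shown in this post.
DOVECOT_CONF = """protocols = imap imaps
disable_plaintext_auth = no
ssl = yes
auth default {
  mechanisms = plain login
}
"""
MAIN_CF = """smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
"""


def parse_settings(text):
    """Collect 'key = value' pairs; comments and block nesting are ignored."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", line.split("#", 1)[0])
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(dovecot_conf, main_cf):
    """Return findings where a password can be sent before TLS is active."""
    d, p = parse_settings(dovecot_conf), parse_settings(main_cf)
    findings = []
    # Dovecot: PLAIN/LOGIN send the password itself; a non-TLS listener plus
    # disable_plaintext_auth = no accepts them on an unencrypted connection.
    cleartext_mechs = set(d.get("mechanisms", "plain").split()) & {"plain", "login"}
    plain_listeners = set(d.get("protocols", "").split()) & {"imap", "pop3"}
    if cleartext_mechs and plain_listeners and d.get("disable_plaintext_auth", "yes") == "no":
        findings.append("dovecot: set disable_plaintext_auth = yes")
    # Postfix: without smtpd_tls_auth_only (or mandatory TLS) AUTH is
    # announced and accepted before STARTTLS.
    tls_required = (p.get("smtpd_tls_auth_only") == "yes"
                    or p.get("smtpd_tls_security_level") == "encrypt")
    if p.get("smtpd_sasl_auth_enable") == "yes" and not tls_required:
        findings.append("postfix: set smtpd_tls_auth_only = yes")
    return findings


def hardened():
    """The same excerpts with the two corrected settings applied."""
    return (DOVECOT_CONF.replace("disable_plaintext_auth = no", "disable_plaintext_auth = yes"),
            MAIN_CF + "smtpd_tls_auth_only = yes\n")
```

Calling `audit(DOVECOT_CONF, MAIN_CF)` reports both settings for the files as posted, and `audit(*hardened())` returns an empty list.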

Download the configuration files

main.cf
master.cf
dovecot.conf
.procmailrc

Conclusion

In this post we have been through the installation and configuration of an email server using postfix, dovecot, procmail and spamassassin. We got IMAP with SSL encryption working, as well as SASL authentication for SMTP with TLS encryption. Everything you need for a good and robust email server.
