Debian Mail Server with Postfix and Dovecot

In this post, we will configure personal email hosting on a Debian GNU/Linux 7 (wheezy) server. The server will be able to:

  • send and receive emails (SMTP with Postfix 2.9.x)
  • read emails from clients (IMAP with Dovecot 2.x)
  • secure connections (SSL/TLS)
  • authenticate users using system usernames and passwords (PAM)

We assume that you already have your domain name, say example.com, and that the MX records of your DNS configuration point to your server. You can check this quickly using dig:

dig +short MX example.com

Generating SSL certificates

You have two options here: generate a self-signed certificate, which should be fine for personal email usage, or get a certificate signed by a Certification Authority (the smoothest way to get one now is probably Let's Encrypt).

For a self-signed certificate, you can use:

openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -out /etc/ssl/certs/mailcert.pem -keyout /etc/ssl/private/mail.key

Note that we chose a validity period of 3650 days for the certificate here. If you go through a Certification Authority (CA) instead, it will need a Certificate Signing Request (CSR). You can generate one with:

openssl req -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/mail.key -out mailcert.csr

Then send the CSR to your CA, who will send you back a proper certificate (CRT). Concatenate your certificate followed by your CA's certificate into a mailcert.pem file and, as above, put it in /etc/ssl/certs/. For example:

wget https://www.my-ca-authority.com/sub.class1.server.ca.pem
cat mailcert.crt sub.class1.server.ca.pem > /etc/ssl/certs/mailcert.pem

For more details on SSL certification, I refer you to Switch to HTTPS Now, For Free from Eric Mill's blog.
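Before pointing Postfix and Dovecot at these files, it is worth checking that the first certificate in mailcert.pem really belongs to mail.key and has not expired: the CA certificate concatenated first, or a stale key, are the two classic mistakes. The following shell function is an added example, not part of the original post; it assumes only the openssl command line and the file paths used above.

```shell
#!/bin/sh
# check_mail_cert BUNDLE KEY: sanity-check the files you will hand to Postfix
# (smtpd_tls_cert_file / smtpd_tls_key_file) and Dovecot (ssl_cert / ssl_key).
# Returns 0 when the first certificate in BUNDLE matches KEY and has not expired,
# 1 on a public-key mismatch (wrong key, or CA certificate concatenated first),
# 2 when the certificate has expired, 3 when a file cannot be parsed.
check_mail_cert() {
  bundle="$1"; key="$2"
  # openssl x509 reads only the first PEM block of the file: that must be the
  # server certificate, which is why mailcert.crt comes first in the cat above.
  openssl x509 -in "$bundle" -noout -pubkey >/dev/null 2>&1 || return 3
  openssl pkey -in "$key" -pubout >/dev/null 2>&1 || return 3
  # Compare the public key in the certificate with the one derived from the key.
  leaf_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$leaf_pub" = "$key_pub" ] || return 1
  # -checkend 0 fails if notAfter is already in the past.
  openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null 2>&1 || return 2
}

# Run it against the paths used in this post.
rc=0
check_mail_cert /etc/ssl/certs/mailcert.pem /etc/ssl/private/mail.key || rc=$?
case "$rc" in
  0) echo "mailcert.pem matches mail.key and is not expired" ;;
  1) echo "certificate/key mismatch: wrong key, or wrong order in mailcert.pem" ;;
  2) echo "certificate has expired" ;;
  *) echo "could not read certificate or key (missing file or permissions?)" ;;
esac
```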

Configuring Postfix

Postfix is a Mail Transfer Agent (MTA), that is, software that sends and receives emails to and from other computers on the network using the Simple Mail Transfer Protocol (SMTP). From the point of view of an email client, POP/IMAP are the protocols used for receiving messages, and SMTP is used for sending. However, it is not true that "POP/IMAP = receive" and "SMTP = send": email servers use SMTP to exchange messages between themselves, that is, both sending and receiving. What is correct is that:

  • POP/IMAP are used by a client to read messages from an email server;
  • SMTP is used to exchange emails between computers.

If your computer were on and connected to the network all the time, you could use SMTP to receive messages directly on your machine. However, since your computer can be turned off or disconnected, the most common pattern is to ask your email server to keep messages for you and to read them later using POP/IMAP.

This being said, let us install Postfix!

sudo apt-get install postfix

An ncurses dialog will pop up with a few configuration questions. Answer as follows:

  • General type of mail configuration: "Internet Site";
  • Mail name: enter your domain name, example.com in our example;
  • Leave the default values to other questions.

Open your configuration file /etc/postfix/main.cf and make sure the domain name and SSL configuration fields are correct. Here are some snippets from my configuration file (beware: this is not a complete configuration file):

# Hostname and domain name
myhostname=mymachine.example.com
mydomain=example.com
myorigin=$mydomain

# SSL/TLS certificates
smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_auth_only=yes

# Anti-SPAM rules adapted from https://wiki.debian.org/Postfix
smtpd_recipient_restrictions = permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        permit
smtpd_helo_restrictions = reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net

# Mail will be stored in users ~/Maildir directories
home_mailbox = Maildir/
mailbox_command =

# From http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Here we force authentication over TLS with smtpd_tls_auth_only (comment it out to allow authentication over unencrypted connections). An important field is the list of smtpd_recipient_restrictions (note that this is specific to Postfix 2.9.x, which comes by default on Debian Wheezy; for later versions of Postfix, use smtpd_relay_restrictions). It is an ordered list of restrictions, such as "permit" or "reject_...", that the server evaluates in this order for each recipient of an incoming message: the first restriction that permits or rejects decides, which is why reject_unauth_destination, the rule that refuses to relay mail for unauthenticated clients, has to come before the final permit.
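To see what this ordering means in practice, here is an added example (not from the original post) that extracts smtpd_recipient_restrictions from a main.cf, joining the indented continuation lines Postfix allows, and walks the list in evaluation order to check that relay control is reached before any bare permit. The main.cf excerpt embedded in it is constructed from the snippet above.

```shell
#!/bin/sh
# Constructed main.cf excerpt using the restriction order from this post.
SAMPLE_MAIN_CF=$(mktemp)
trap 'rm -f "$SAMPLE_MAIN_CF"' EXIT
cat > "$SAMPLE_MAIN_CF" <<'EOF'
# Anti-SPAM rules
smtpd_recipient_restrictions = permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        permit
smtpd_helo_restrictions = reject_invalid_helo_hostname
EOF

# recipient_restrictions MAIN_CF: print the value of smtpd_recipient_restrictions
# on one line. In main.cf a line starting with whitespace continues the previous one.
recipient_restrictions() {
  awk '
    /^[[:space:]]*#/ { next }
    /^smtpd_recipient_restrictions[[:space:]]*=/ { inlist = 1; sub(/^[^=]*=[[:space:]]*/, ""); val = $0; next }
    inlist && /^[[:space:]]/ { val = val " " $0; next }
    inlist { inlist = 0 }
    END { gsub(/[[:space:]]+/, " ", val); sub(/^ /, "", val); print val }
  ' "$1"
}

# lint_recipient_restrictions MAIN_CF: walk the list in evaluation order.
# Returns 0 if relay control (reject_unauth_destination or defer_unauth_destination)
# is reached before any unconditional "permit"; 1 if a bare "permit" comes first,
# which would make the server relay for anyone (an open relay); 2 if relay
# control is missing altogether. permit_sasl_authenticated before it is fine:
# it only lets authenticated users relay.
lint_recipient_restrictions() {
  for entry in $(recipient_restrictions "$1" | tr ',' ' '); do
    case "$entry" in
      reject_unauth_destination|defer_unauth_destination) return 0 ;;
      permit) return 1 ;;
    esac
  done
  return 2
}

rc=0
lint_recipient_restrictions "$SAMPLE_MAIN_CF" || rc=$?
case "$rc" in
  0) echo "OK: unauthenticated clients reach reject_unauth_destination before any permit" ;;
  1) echo "WARNING: a bare permit precedes relay control: open relay" ;;
  *) echo "WARNING: no reject_unauth_destination in smtpd_recipient_restrictions" ;;
esac
```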

Later on, you may want to look at aliases (used to forward emails) or virtual email addresses (used to create mailboxes not tied to a Unix account), both of which are described in the Debian Wiki page for Postfix.

Next, go to /etc/postfix/master.cf and uncomment the lines starting with #submission and #smtps. On my machine, it was:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Also, add the following line at the bottom of the file for Dovecot:

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=email:email argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

Configuring Dovecot

To install Dovecot with the IMAP stack:

sudo apt-get install dovecot-common dovecot-imapd

(You can throw in dovecot-pop3d if you want the POP3 server as well; however, we will focus on IMAP in this tutorial.) Dovecot's configuration files live in /etc/dovecot/conf.d/. To configure the SSL certificates, open 10-ssl.conf and set the following:

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
ssl_cert = </etc/ssl/certs/mailcert.pem
ssl_key = </etc/ssl/private/mail.key

To refuse authentication over unencrypted connections, open 10-auth.conf and make sure it contains the line disable_plaintext_auth = yes.

Next, open the main configuration file 10-master.conf and uncomment the paragraph for Postfix in the auth service block:

service auth {
  # Postfix smtp-auth (was commented)
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

This will create the private/auth path that we set up in the SASL configuration of Postfix. (Postfix runs chrooted in /var/spool/postfix, which is why we put a relative path.)

Client Configuration

For email clients, your server configuration should now be:

  • Server: example.com
  • User account: user@example.com (full email address)
  • Password: the user's Unix password
  • Protocol: SMTP for sending (authentication required), IMAP for receiving
  • Ports: 587 for SMTP submission (STARTTLS) or 465 for SMTPS, and 993 for IMAPS

And that's it! You should be good to go or, more likely, ready to debug your next configuration errors ;p You can follow them with:

tail -f /var/log/mail.log
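Two things worth watching in that log are repeated login failures (password guessing against SASL or IMAP) and the reasons Postfix rejects mail. The following is an added example, not from the original post, that tallies both over a constructed mail.log excerpt in the format Postfix and Dovecot write on Debian; on a real server, point the functions at /var/log/mail.log.

```shell
#!/bin/sh
# Constructed /var/log/mail.log excerpt (hostnames and addresses are made up).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 12 10:01:02 mymachine postfix/submission/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 12 10:01:05 mymachine postfix/submission/smtpd[2101]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan 12 10:01:09 mymachine dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Jan 12 10:02:30 mymachine dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=192.0.2.10, TLS
Jan 12 10:03:11 mymachine postfix/smtpd[2120]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <bob@other.example>: Relay access denied; from=<x@y.example> to=<bob@other.example> proto=ESMTP helo=<x>
Jan 12 10:03:40 mymachine postfix/smtpd[2121]: NOQUEUE: reject: RCPT from unknown[203.0.113.6]: 554 5.7.1 <carol@other.example>: Relay access denied; from=<x@y.example> to=<carol@other.example> proto=ESMTP helo=<x>
Jan 12 10:04:02 mymachine postfix/smtpd[2122]: NOQUEUE: reject: RCPT from mail.spam.example[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using dnsbl.sorbs.net; from=<z@spam.example> to=<alice@example.com> proto=ESMTP helo=<mail.spam.example>
Jan 12 10:05:00 mymachine dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.10, TLS
EOF

# auth_failures_by_ip LOG: failed logins per client IP, most frequent first,
# covering Postfix SASL failures ("SASL ... authentication failed") and
# Dovecot IMAP failures ("auth failed"). Output: "<count> <ip>" per line.
auth_failures_by_ip() {
  grep -E 'SASL [A-Z-]+ authentication failed|imap-login: .*auth failed' "$1" \
    | grep -oE '(\[|rip=)[0-9]+(\.[0-9]+){3}' \
    | sed 's/^\[//; s/^rip=//' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# reject_reasons LOG: why Postfix refused RCPT commands, most frequent first.
# Keeps the text after the SMTP status code and before the envelope details,
# dropping the recipient and masking the client IP so equal reasons group together.
reject_reasons() {
  grep 'NOQUEUE: reject:' "$1" \
    | sed -E 's/.*: [0-9]{3} [0-9.]+ //; s/; from=.*//; s/^<[^>]*>: //; s/\[[0-9.]+\]/[ip]/' \
    | sort | uniq -c | sort -rn \
    | sed 's/^ *//'
}

echo "Failed logins per IP:"; auth_failures_by_ip "$SAMPLE_LOG"
echo "Reject reasons:";       reject_reasons "$SAMPLE_LOG"
```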

Your e-mail server may need some extra configuration to survive in the wild, that is to say, to defend itself against spam and to obtain the proper credentials so that other e-mail providers do not treat you as a spammer. See the follow-up post on SPF and DKIM for instructions on how to do that.

Webography

At the time of writing this post, I learned from articles of the Debian Wiki and the Dovecot Wiki. The tutorial How to set up a simple mail server on Debian in 5 easy steps also helped.

Pages of this website are under the CC-BY 4.0 license.