
Mail server setup on Debian

Written on 05/09/2014

This tutorial was written for the following versions:

  • Debian 6.2 (kernel 2.6.32-5)
  • Postfix is the actual mail daemon (MTA): it accepts mail and hands it to the users' mailboxes.
  • Dovecot 1.2.15 is the POP3/IMAP server that lets users download their mail to their PC; in this setup it also verifies the SMTP AUTH passwords for Postfix.
  • saslauthd 2.1.23 (Cyrus SASL, Simple Authentication and Security Layer) is an alternative password backend; see the saslauthd section for why it is not needed here.
  • procmail is a mail delivery agent (MDA) capable of sorting incoming mail into various directories and filtering out spam messages.
  • SpamAssassin is a spam filter (optional).

A newer version of this guide exists for Postfix and Dovecot 2.2.13.


Postfix

Install postfix:

apt-get install postfix

Setting up SSL certificates (optional)

A few steps create the certificate files the server needs for TLS. A commercial certificate is not required; a self-signed one works, with the caveat that mail clients will warn until the certificate (or its fingerprint) has been explicitly trusted. This is how to create your own free certificate:

openssl req -new -x509 -days 3650 -nodes -out "example.com.cert" -keyout "example.com.key"
Some questions will be asked about the information that appears in the certificate. Most answers do not matter, but give the Common Name as the hostname your clients will connect to (here example.com), otherwise every client will complain about a hostname mismatch. You now have two files: "example.com.cert" and "example.com.key". Postfix and Dovecot are configured below with the two separate files; if another program needs them combined in one file, concatenate them:
cat example.com.cert example.com.key > example.com.pem
Move the files to /etc/ssl/private/. The key file (and the .pem, which contains the key) must be owned by root and readable by root only (chmod 600): anyone who can read it can impersonate the server. Postfix and Dovecot both read the key before dropping privileges, so this does not break them.

The configuration file of Postfix is /etc/postfix/main.cf
A lot of settings can be adapted; the most important ones are listed here.


# Your hostname and domain name here
myhostname=example.com
mydomain=example.com
myorigin=$mydomain

# Virtual mailbox configuration. /var/email is the directory where the mails are stored;
# it needs to exist and must be owned by uid/gid 7788 (the mailman user created in the
# Dovecot section), because every virtual mailbox is accessed as that user.
virtual_mailbox_base=/var/email
virtual_mailbox_domains=hash:/etc/postfix/vmail_domains
virtual_mailbox_maps=hash:/etc/postfix/vmail_mailbox
virtual_alias_maps=hash:/etc/postfix/vmail_aliases
virtual_minimum_uid=100
virtual_uid_maps=static:7788
virtual_gid_maps=static:7788
# Name of the delivery transport for virtual mailboxes. It must be defined in /etc/postfix/master.cf;
# the procmail section below defines such a transport and changes this to virtual_transport=procmail.
virtual_transport=dovecot

# SSL configuration, using the certificate files created above (optional)
smtpd_tls_cert_file=/etc/ssl/private/example.com.cert
smtpd_tls_key_file=/etc/ssl/private/example.com.key
smtpd_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
# smtp_use_tls/smtpd_use_tls are the pre-2.3 parameter names; on current Postfix the equivalent is
# smtp_tls_security_level=may and smtpd_tls_security_level=may (STARTTLS offered, not required)
smtp_use_tls=yes
smtpd_use_tls=yes
smtpd_tls_loglevel=1
smtpd_tls_received_header=yes
tls_random_source=dev:/dev/urandom
smtp_tls_note_starttls_offer=yes
smtpd_tls_session_cache_timeout=3600s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
queue_directory=/var/spool/postfix

# Authentication settings, using Dovecot as the SASL backend (the socket is defined in dovecot.conf)
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
# noplaintext keeps PLAIN/LOGIN off the unencrypted connection: they are only offered after STARTTLS.
# This is the Postfix-side counterpart of Dovecot's disable_plaintext_auth; set both, do not rely on
# one to cover the other.
smtpd_sasl_security_options=noanonymous, noplaintext
smtpd_sasl_tls_security_options=noanonymous
smtpd_sasl_local_domain=$myhostname
# only used by the Cyrus SASL backend, harmless here
smtpd_sasl_application_name=smtpd
smtpd_helo_required=yes
smtpd_helo_restrictions=reject_invalid_helo_hostname
# Order matters: clients in $mynetworks and authenticated clients may relay anywhere, everybody
# else may only deliver to our own domains. reject_unauth_destination must stay in this list,
# otherwise the server is an open relay.
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
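As an added check (example code written for this guide, not part of Postfix), the following Python script audits a main.cf fragment for the two settings above that matter most: an smtpd_recipient_restrictions list without reject_unauth_destination (open relay) and SMTP AUTH enabled without noplaintext or smtpd_tls_auth_only (passwords in the clear). It also reports parameters set more than once, because postconf silently keeps the last value. The embedded configurations are constructed samples: the guide's fragment with a duplicated queue_directory and noanonymous as the only SASL option, and the hardened variant. The parser is a minimal imitation of postconf's handling of comments, continuation lines and $name references, not Postfix's own code.

```python
"""Audit a Postfix main.cf for the two settings above that decide whether the
server relays for strangers and whether SMTP AUTH credentials may cross the
wire unencrypted.  Added example for this guide; it is not part of Postfix and
only mimics the parts of postconf's parsing that matter here."""
import re

# Constructed sample: the guide's main.cf fragment with a duplicated
# queue_directory and noanonymous as the only SASL security option.
PAGE_CONFIG = """\
myhostname=example.com
mydomain=example.com
myorigin=$mydomain
smtpd_use_tls=yes
queue_directory=/var/spool/postfix
queue_directory=/var/spool/postfix
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_tls_security_options=$smtpd_sasl_security_options
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

# The same fragment with the duplicate dropped and plaintext AUTH disabled.
HARDENED_CONFIG = PAGE_CONFIG.replace(
    "queue_directory=/var/spool/postfix\n", "", 1).replace(
    "smtpd_sasl_security_options=noanonymous\n",
    "smtpd_sasl_security_options=noanonymous, noplaintext\n")

PARAM_REF = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def parse_main_cf(text):
    """Parse 'name = value' lines like postconf: '#' lines are comments, a line
    starting with whitespace continues the previous value, and a parameter set
    twice keeps its last value.  Returns (params, names_set_more_than_once)."""
    params, redefined, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = name.strip()
        if name in params:
            redefined.append(name)
        params[name] = value.strip()
        current = name
    return params, redefined


def lookup(params, name):
    """Parameter value with $name / ${name} references expanded (bounded depth)."""
    value = params.get(name, "")
    for _ in range(8):
        expanded = PARAM_REF.sub(lambda m: params.get(m.group(1), ""), value)
        if expanded == value:
            break
        value = expanded
    return value


def as_list(value):
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    params, redefined = parse_main_cf(text)
    findings = ["%s: set more than once, only the last value is used" % n
                for n in sorted(set(redefined))]

    # Relay control: every rule before reject_unauth_destination may relay.
    rules = as_list(lookup(params, "smtpd_recipient_restrictions"))
    stops = [i for i, r in enumerate(rules)
             if r in ("reject_unauth_destination", "defer_unauth_destination")]
    if not stops:
        findings.append("smtpd_recipient_restrictions: no reject_unauth_destination, "
                        "the server is an open relay")
    elif "permit" in rules[:stops[0]]:
        findings.append("smtpd_recipient_restrictions: unconditional permit before "
                        "reject_unauth_destination, the server is an open relay")

    # SMTP AUTH: without noplaintext (or smtpd_tls_auth_only) PLAIN/LOGIN are
    # offered on the unencrypted connection and passwords travel in the clear.
    if lookup(params, "smtpd_sasl_auth_enable").lower() == "yes":
        options = as_list(lookup(params, "smtpd_sasl_security_options"))
        tls_only = lookup(params, "smtpd_tls_auth_only").lower() == "yes"
        if "noplaintext" not in options and not tls_only:
            findings.append("smtpd_sasl_security_options: PLAIN/LOGIN accepted before "
                            "STARTTLS; add noplaintext or set smtpd_tls_auth_only=yes")

    # STARTTLS has to be offered at all for the check above to mean anything.
    level = lookup(params, "smtpd_tls_security_level")
    legacy_on = lookup(params, "smtpd_use_tls").lower() == "yes"
    if level == "none" or (not level and not legacy_on):
        findings.append("STARTTLS is not offered: set smtpd_tls_security_level=may")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as on the page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg) or ["ok"])
```

To audit a live system, pass it the output of postconf -n rather than the raw file: that shows the values Postfix actually uses, with defaults resolved, and still follows the one-parameter-per-line format the parser expects.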

Now you also need to set up your virtual domains and the mailboxes.
nano /etc/postfix/vmail_domains   List your domains, each followed by OK:

example.com     OK
example.net     OK
nano /etc/postfix/vmail_mailbox   List the users with the folder (relative to /var/email) where their mail is stored:
webmaster@example.com  example.com/webmaster
me@example.com         example.com/me
@example.com           example.com/webmaster
The last one is a catch-all: mail sent to test@example.com or dontknow@example.com ends up in the webmaster mailbox. Be aware that a catch-all makes Postfix accept every address in the domain, so mistyped and dictionary-attack spam is accepted and stored instead of being rejected with "User unknown".


nano /etc/postfix/vmail_aliases   Here you can create aliases:
webmaster@example.com   webmaster@example.com
me@example.com          me@example.com
@example.com            webmaster@example.com

webmaster@example.net   webmaster@example.com
@example.net            webmaster@example.com
The @example.com catch-all alias rewrites every address in the domain that has no entry of its own, real mailboxes included: without the identity line for me@example.com, mail for me@ would be rewritten to webmaster@example.com and never reach the me mailbox. Every real user in a domain with a catch-all alias therefore needs such an identity entry.
Now that you have updated your user database, it's time to apply the changes. Run the following commands for Postfix to acknowledge your newly created mailboxes:

postmap /etc/postfix/vmail_domains
postmap /etc/postfix/vmail_mailbox
postmap /etc/postfix/vmail_aliases
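To see this resolution order in action (an added example for this guide, not Postfix code), the script below imitates the lookups Postfix performs for a recipient: virtual_alias_maps first, the exact address before the @domain catch-all, repeated until the address stops changing, then virtual_mailbox_maps in the same order. The three map files above are embedded as constructed samples, once without the identity entry for me@example.com to show the catch-all swallowing a real mailbox. It only supports single-address alias targets, and the iteration bound is a stand-in for Postfix's virtual_alias_expansion_limit.

```python
"""Trace where Postfix delivers an address under the three virtual maps above.
Order reproduced from virtual(5): virtual_alias_maps is consulted first, with
user@domain before the @domain catch-all, and the result is looked up again
until it stops changing; only then is the final address looked up in
virtual_mailbox_maps (again user@domain, then @domain).  Added example, not
Postfix code; it handles single-address alias targets only, and the iteration
bound stands in for virtual_alias_expansion_limit."""

# The three map sources from this guide, reproduced as constructed samples.
VMAIL_DOMAINS = """\
example.com     OK
example.net     OK
"""
VMAIL_MAILBOX = """\
webmaster@example.com  example.com/webmaster
me@example.com         example.com/me
@example.com           example.com/webmaster
"""
# Alias file with a catch-all but no identity entry for me@example.com.
VMAIL_ALIASES_NO_IDENTITY = """\
webmaster@example.com   webmaster@example.com
@example.com            webmaster@example.com
webmaster@example.net   webmaster@example.com
@example.net            webmaster@example.com
"""
# The same file with the identity entry that keeps me@ out of the catch-all.
VMAIL_ALIASES = "me@example.com          me@example.com\n" + VMAIL_ALIASES_NO_IDENTITY


def parse_map(text):
    """Parse a postmap(1) source file: key, whitespace, value; '#' lines ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup(table, address):
    """Postfix lookup order for a virtual table: user@domain, then @domain."""
    address = address.lower()
    if address in table:
        return table[address]
    return table.get("@" + address.partition("@")[2])


def resolve(address, domains, aliases, mailboxes, limit=10):
    """Return the mailbox directory (relative to virtual_mailbox_base) or a
    string starting with 'rejected:' explaining why Postfix would bounce it."""
    current = address.lower()
    if current.partition("@")[2] not in domains:
        return "rejected: domain is not in virtual_mailbox_domains"
    seen = {current}
    for _ in range(limit):
        target = lookup(aliases, current)
        # no entry, or an identity entry: alias expansion stops here
        if target is None or target.lower() == current:
            break
        current = target.lower()
        if current in seen:
            return "rejected: virtual alias loop"
        seen.add(current)
    else:
        return "rejected: virtual_alias_expansion_limit exceeded"
    if current.partition("@")[2] not in domains:
        return "forwarded off-site to %s" % current
    mailbox = lookup(mailboxes, current)
    if mailbox is None:
        return "rejected: %s is not in virtual_mailbox_maps (User unknown)" % current
    return mailbox


def where(address, aliases_text=VMAIL_ALIASES):
    """Convenience wrapper using the guide's maps."""
    return resolve(address, set(parse_map(VMAIL_DOMAINS)),
                   parse_map(aliases_text), parse_map(VMAIL_MAILBOX))


if __name__ == "__main__":
    for addr in ("me@example.com", "dontknow@example.net", "Webmaster@Example.COM"):
        print(addr, "->", where(addr, VMAIL_ALIASES_NO_IDENTITY), "|", where(addr))
```

On a live system postmap -q is the authoritative tool (postmap -q me@example.com hash:/etc/postfix/vmail_aliases), but it performs one raw key lookup and neither follows the recursion nor falls back to the @domain key; that chain is what the script makes visible.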

 

Dovecot

Dovecot lets users fetch their mail over POP3 or IMAP, and through the socket configured below it also checks the passwords for Postfix's SMTP AUTH.

apt-get install dovecot-common dovecot-imapd dovecot-pop3d

Create a new user and group "mailman" with uid/gid 7788, matching virtual_uid_maps and virtual_gid_maps in main.cf. The -m option creates /var/email (the virtual_mailbox_base) owned by this user; the user gets no login shell because nothing ever logs in as it:


groupadd mailman -g 7788
useradd mailman -u 7788 -g 7788 -r -d /var/email -m -s /usr/sbin/nologin -c "mail user"
The configuration file /etc/dovecot/dovecot.conf has a lot of options; the relevant ones are:

# Basic configuration
protocols = imap imaps pop3 pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "
# Refuse PLAIN/LOGIN on the unencrypted ports until the client has issued STARTTLS
disable_plaintext_auth=yes

# User and group permissions: every virtual mailbox is accessed as uid/gid 7788 (mailman)
first_valid_uid=7788
last_valid_uid=7788
first_valid_gid=7788
last_valid_gid=7788
mail_location = maildir:/var/email/%d/%n/Maildir
# only used for mbox dotlocks in /var/mail; no "email" group exists in this setup, so use mailman
mail_privileged_group = mailman
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_verbose = yes

# SSL config
ssl_cert_file = /etc/ssl/private/example.com.cert
ssl_key_file = /etc/ssl/private/example.com.key

# LDA config, used by /usr/lib/dovecot/deliver (which runs as mailman)
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@example.com
  # requires the Sieve plugin (Debian package dovecot-sieve); drop the line if it is not installed
  mail_plugins = sieve
  # empty: log through syslog
  log_path =
}

# Authentication configuration
auth default {
    mechanisms = plain login
    passdb passwd-file {
        # scheme=SHA1 is only the default for entries without a {SCHEME} prefix;
        # entries produced by dovecotpw carry their own prefix, e.g. {SSHA256}
        args = scheme=SHA1 /etc/dovecot/users.conf
    }
    userdb static {
        #args = /etc/dovecot/users.conf
        args = uid=7788 gid=7788 home=/var/email/%d/%n allow_all_users=yes
    }
    socket listen {
        # master socket: answers the userdb lookups of deliver, so it must belong
        # to the user deliver runs as (mailman, not the nonexistent "email" user)
        master {
            path = /var/run/dovecot/auth-master
            mode = 0600
            user = mailman
            group = mailman
        }
        # client socket: Postfix smtpd authenticates through it (smtpd_sasl_path=private/auth)
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
}

Next, create an empty users file /etc/dovecot/users.conf; it will be filled in during the next step. To finish this step, make sure the configuration files have the proper permissions. dovecot.conf must be readable by mailman, because deliver runs as that user and reads it; users.conf holds the password hashes and must be readable by root only:


chgrp mailman /etc/dovecot/dovecot.conf
chmod g+r /etc/dovecot/dovecot.conf
chown root:root /etc/dovecot/users.conf
chmod 600 /etc/dovecot/users.conf

Create a password hash with dovecotpw -s SSHA256. It asks for the password twice and prints a string with the scheme prefix, like {SSHA256}...; store the whole string, prefix included, because the prefix tells Dovecot which scheme to verify against and overrides the scheme=SHA1 default from the passdb. The unprefixed example below, qUqP5cyxm6ctTAYz05Hph5gvu9M=, is an unsalted SHA1 hash and is only understood because of that default; salted SSHA256 is preferable, since two users with the same password then no longer get the same hash.

The entry in /etc/dovecot/users.conf is user:hash, one per line:
webmaster@example.com:qUqP5cyxm6ctTAYz05Hph5gvu9M=
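The hash formats behind dovecotpw, as an added example for this guide (Python re-implementing Dovecot's encoding; it is not Dovecot code): unsalted {SHA1} is base64(sha1(password)), and {SSHA256} is base64(sha256(password + salt) + salt). Dovecot treats everything after the 32-byte digest as the salt, so the 4-byte salt used here is a choice made for the example rather than a Dovecot constant. The verify function applies the same rule Dovecot does: a {SCHEME} prefix in the stored entry wins, and an entry without one falls back to the passdb's scheme=... default. The users.conf contents built in the main block are constructed test data.

```python
"""Generate and verify /etc/dovecot/users.conf entries in the two formats that
appear above: the unsalted SHA1 scheme the passdb defaults to, and the salted
SSHA256 scheme that dovecotpw -s SSHA256 prints.  Added example that
re-implements Dovecot's encoding in Python; it is not Dovecot code.  Dovecot's
SSHA256 is base64(sha256(password + salt) + salt); the verifier treats whatever
follows the 32-byte digest as the salt, so the 4-byte salt chosen here is an
assumption for the example, not a Dovecot constant."""
import base64
import hashlib
import hmac
import os


def sha1_entry(password):
    """Unsalted {SHA1}: identical passwords give identical hashes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA1}" + base64.b64encode(digest).decode("ascii")


def ssha256_entry(password, salt=None):
    """Salted {SSHA256}: a fresh random salt per entry (4 bytes, our choice)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password, stored, default_scheme="SHA1"):
    """Check a password against a stored entry.  A {SCHEME} prefix wins; an
    entry without one is read with the passdb's scheme=... default, which is
    how the guide's unprefixed SHA1 value is interpreted."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, data = stored[1:].partition("}")
    else:
        scheme, data = default_scheme, stored
    raw = base64.b64decode(data)
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SHA1":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA256":
        if len(raw) <= 32:          # digest must be followed by at least one salt byte
            return False
        digest, salt = raw[:32], raw[32:]
        return hmac.compare_digest(digest, hashlib.sha256(pw + salt).digest())
    raise ValueError("unsupported scheme: " + scheme)


def parse_users_conf(text):
    """passwd-file format: user:hash[:uid:gid:...]; only user and hash are used."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        users[user] = rest.split(":", 1)[0]
    return users


def authenticate(users_conf_text, user, password):
    """True if the user exists in the file and the password matches its entry."""
    users = parse_users_conf(users_conf_text)
    return user in users and verify(password, users[user])


if __name__ == "__main__":
    # Constructed file: one unprefixed SHA1 entry as in the guide, one SSHA256 entry.
    users_conf = "\n".join([
        "webmaster@example.com:" + sha1_entry("Winter2014")[len("{SHA1}"):],
        "me@example.com:" + ssha256_entry("correct horse"),
    ])
    print(users_conf)
    print(authenticate(users_conf, "me@example.com", "correct horse"))
```

Hashing a password with dovecotpw and then checking the printed string with verify is a cheap way to confirm that the scheme prefix and the passdb default agree before chasing "Password mismatch" lines in /var/log/mail.info; hmac.compare_digest is used so that the comparison does not leak timing information.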

A handy command to check the Dovecot configuration is dovecot -n; it prints only the settings that differ from the defaults:
dovecot -n

The same for Postfix:
postconf -n

Make sure that the mailman user has write access to the mail directory /var/email.

Handy logs

tail /var/log/mail.err
tail /var/log/mail.info

 

saslauthd

SASL authentication daemon. SASL stands for Simple Authentication and Security Layer: the framework through which the SMTP server verifies client credentials. Note that the Postfix configuration above uses Dovecot as its SASL backend (smtpd_sasl_type=dovecot), so the passwords live as hashes in /etc/dovecot/users.conf and saslauthd does not have to run at all. The Cyrus packages below are only needed if you replace the Dovecot backend with smtpd_sasl_type=cyrus, which looks up passwords through saslauthd or another backend such as MySQL.

apt-get install libsasl2-2 libsasl2-modules sasl2-bin


procmail

Procmail allows you to filter email as it is received from a remote email server, or placed in your spool file on a local or remote email server. It is powerful, gentle on system resources, and widely used. Procmail, commonly referred to as a Local Delivery Agent (LDA), plays a small role in delivering email to be read by an MUA.

The command to install is:

apt-get install procmail

First we make procmail available as a transport in Postfix's /etc/postfix/master.cf. Add this to the file:


procmail  unix  -       n       n       -       -       pipe
  flags=RO user=mailman argv=/usr/bin/procmail -t -m USER=${user} NEXTHOP=${nexthop} EXTENSION=${extension} /etc/postfix/procmailrc.common
flags= is an attribute of the pipe(8) transport, not a main.cf parameter, so it is written without -o (R and O prepend Return-Path: and X-Original-To: headers to the message). Before running the command, pipe(8) replaces every character in ${user}, ${nexthop} and ${extension} that is not in command_expansion_filter with an underscore, so a hostile recipient address cannot carry shell metacharacters such as ;, |, $ or backticks into these variables.
The default transport for virtual users is then set to "procmail" in /etc/postfix/main.cf by changing the value of virtual_transport:

virtual_transport=procmail
With this configuration Postfix runs procmail with the rc file /etc/postfix/procmailrc.common for every virtual user.
/etc/postfix/procmailrc.common:

#MAILDIR="$HOME/mydomain.com/$USER"
MAILDIR="/var/email/$NEXTHOP/$USER"
# fallback mailbox, only used if the deliver recipe below fails
DEFAULT="$MAILDIR/Maildir/"
#VERBOSE=ON
# general logfile; procmail runs as mailman, so the file must be writable by that user
LOGFILE="/var/log/proclog.log"
LOGABSTRACT=all

# get external procmail files; one per user :-)
INCLUDERC=/var/mail/$NEXTHOP/$USER@$NEXTHOP/.procmail

# use dovecot to deliver; the w flag waits for deliver and only counts the mail as delivered on exit code 0
DELIVER="/usr/lib/dovecot/deliver"
:0 w
| $DELIVER -d $USER@$NEXTHOP
The trailing slash in DEFAULT is important: it decides whether procmail writes maildir format (with slash, one file per message) or mbox format (without, all in one file).
Make sure the per-user .procmail file can be read by the mailman user, and that it is not writable by anyone who should not be able to run code as mailman: recipes in it are executed with that user's privileges and can pipe mail to arbitrary commands, and since every virtual mailbox belongs to mailman, whoever controls one such file can read and alter the mail of every account on the server. Note that INCLUDERC reads these files from /var/mail/..., not from the /var/email mail store; adjust the path if you keep them next to the Maildir.


SpamAssassin

SpamAssassin is the application that filters spam out of the mail based on rules.

The command to install:

apt-get install spamc spamassassin

By default spamd runs as root, which is more privilege than a content filter that parses untrusted mail needs, so we run it under a dedicated unprivileged user and group (on Debian the nologin shell lives at /usr/sbin/nologin):


groupadd -g 5555 spamd
useradd -u 5555 -g spamd -s /usr/sbin/nologin -d /usr/local/spamassassin spamd
mkdir -p /usr/local/spamassassin/log
chown spamd:spamd -R /usr/local/spamassassin

Edit the /etc/default/spamassassin configuration file and make it look like the one below:


# /etc/default/spamassassin

# WARNING: please read README.spamd before using.
# There may be security risks.

# Change to one to enable spamd
ENABLED=1
SPAM_HOME="/usr/local/spamassassin"

# Options
# See man spamd for possible options. The -d option is automatically added.

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 5 --helper-home-dir ${SPAM_HOME} --username spamd -s ${SPAM_HOME}/log/spamd.log"

# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="${SPAM_HOME}/spamd.pid"

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=0

The next thing to do is to configure SpamAssassin itself. Edit /etc/spamassassin/local.cf and change or add the following:


rewrite_header Subject *****SPAM*****
# the default is 5.0; 3.0 is aggressive and will produce more false positives
required_score 3.0
# 0 = only add X-Spam-* headers, keep the original message intact instead of wrapping it in a report
report_safe 0
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Network checks: 1 skips the DNS blocklist (RBL) lookups, 0 (the default) performs them
skip_rbl_checks 1
use_razor2 0
use_dcc 0
use_pyzor 0
We disable the network checks here. They would catch more spam, but each one costs a DNS or network round trip per message. Note that skip_rbl_checks 0 would leave the RBL lookups enabled, contradicting that intent; 1 is the value that turns them off. With the network checks off, detection rests on the static rules and Bayes alone, so keep the rules current (CRON=1 in /etc/default/spamassassin runs sa-update nightly).

Now Postfix still needs to be told to hand mail to SpamAssassin. Edit /etc/postfix/master.cf and change the smtp line to:


smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
and add the following at the end of the file:

spamassassin unix  -       n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
The content_filter is attached to smtpd only, so every message arriving over SMTP (including submissions from authenticated users) goes through spamc, while the copy spamc re-injects via sendmail comes back through pickup and is not filtered a second time.

Finally, restart the services:


/etc/init.d/spamassassin restart
/etc/init.d/postfix restart

 
