Mail server setup on Debian
Written on 05/09/2014
This tutorial is written with the following versions:
- Debian 6.2 (Kernel 2.6.32-5)
- Postfix is the actual mail daemon that accepts the mail and saves the emails in the users' mailboxes.
- Dovecot 1.2.15 is the POP3/IMAP server that allows users to download their email to their PC.
- #saslauthd 2.1.23: Simple Authentication and Security Layer, which will manage the passwords.
- procmail is a mail delivery agent (MDA) capable of sorting incoming mail into various directories and filtering out spam messages.
- SpamAssassin is a spam-filter (optional).
There is a new version of this guide written for Postfix and Dovecot 2.2.13. Check it out.
Postfix
Install postfix:
apt-get install postfix
Setting up SSL certificates (optional)
Here are a few steps to create SSL certificate files so that our server supports secure communications.
You can use a commercial certificate, but it is not needed.
This is how to set up your own free (self-signed) certificate:
openssl req -new -x509 -days 3650 -nodes -out "example.com.cert" -keyout "example.com.key"
Some questions will be asked regarding the information you want to appear in the certificate; feel free to answer them any way you want to. You'll now have two files, "example.com.cert" and "example.com.key"; we need to concatenate those two files into a third file, by running the following command:
cat example.com.cert example.com.key > example.com.pem
These files will be required at different stages of the configuration. Right now, you need to move these files to the following folder: /etc/ssl/private/
The configuration file of Postfix is /etc/postfix/main.cf
A lot of settings can be adapted; the most important are listed here.
# Your hostname and domain name here
myhostname=example.com
mydomain=example.com
myorigin=$mydomain
# Virtual mailbox configuration (/var/email is the dir where you store the mails; it needs to be created)
virtual_mailbox_base=/var/email
virtual_mailbox_domains=hash:/etc/postfix/vmail_domains
virtual_mailbox_maps=hash:/etc/postfix/vmail_mailbox
virtual_alias_maps=hash:/etc/postfix/vmail_aliases
virtual_minimum_uid=100
virtual_uid_maps=static:7788
virtual_gid_maps=static:7788
# Delivery transport for the virtual domains. The procmail section below changes this to
# procmail; a transport named "dovecot" would otherwise need its own entry in master.cf.
virtual_transport=dovecot
# SSL configuration, make sure to use the certificates from the SSL certificate step above (optional)
smtpd_tls_cert_file=/etc/ssl/private/example.com.cert
smtpd_tls_key_file=/etc/ssl/private/example.com.key
smtpd_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_use_tls=yes
smtpd_use_tls=yes
smtpd_tls_loglevel=1
smtpd_tls_received_header=yes
tls_random_source=dev:/dev/urandom
smtp_tls_note_starttls_offer=yes
smtpd_tls_session_cache_timeout=3600s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
queue_directory=/var/spool/postfix
# Authentication settings, making use of SASL (verified through Dovecot's auth socket, see the Dovecot section)
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_tls_security_options=$smtpd_sasl_security_options
smtpd_sasl_local_domain=$myhostname
smtpd_sasl_application_name=smtpd
smtpd_helo_required=yes
smtpd_helo_restrictions=reject_invalid_helo_hostname
# Order matters: the final reject_unauth_destination is what keeps unauthenticated clients from relaying
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
Now you also need to set up your virtual domains, mailboxes and aliases.
nano /etc/postfix/vmail_domains
List your domains, each followed by OK:
example.com OK
example.net OK
nano /etc/postfix/vmail_mailbox
List the users with the folder where the mails need to be put:
webmaster@example.com example.com/webmaster
me@example.com example.com/me
@example.com example.com/webmaster
The last one is a catch-all: a mail sent to test@example.com or dontknow@example.com will be put in the account of webmaster.
nano /etc/postfix/vmail_aliases
Here you can create aliases. Postfix looks up the full address first and the @domain catch-all last, so every real mailbox needs its own entry, otherwise the catch-all claims it:
webmaster@example.com webmaster@example.com
# each real mailbox needs its own line here, or the @example.com catch-all below would redirect it to webmaster
me@example.com me@example.com
@example.com webmaster@example.com
webmaster@example.net webmaster@example.com
@example.net webmaster@example.com
Now that you have updated your user database, it's time to apply the changes. Run the following commands for Postfix to acknowledge your newly created mailboxes:
postmap /etc/postfix/vmail_domains
postmap /etc/postfix/vmail_mailbox
postmap /etc/postfix/vmail_aliases
Dovecot
Dovecot allows users to fetch their email via POP3 or IMAP.
apt-get install dovecot-common dovecot-imapd dovecot-pop3d
Create a new user and group "mailman" (uid and gid 7788, matching virtual_uid_maps/virtual_gid_maps in main.cf):
groupadd -g 7788 mailman
useradd -u 7788 -g 7788 -r -d /var/email -m -c "mail user" mailman
The configuration file has a lot of options: /etc/dovecot/dovecot.conf
# Basic configuration
protocols = imap imaps pop3 pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "
disable_plaintext_auth = yes
# User and group permissions (the mailman uid/gid created above)
first_valid_uid = 7788
last_valid_uid = 7788
first_valid_gid = 7788
last_valid_gid = 7788
mail_location = maildir:/var/email/%d/%n/Maildir
mail_privileged_group = mailman
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_verbose = yes
# SSL config
ssl_cert_file = /etc/ssl/private/example.com.cert
ssl_key_file = /etc/ssl/private/example.com.key
# LDA config
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@example.com
  mail_plugins = sieve
  log_path =
}
# Authentication configuration
auth default {
  mechanisms = plain login
  passdb passwd-file {
    # scheme= is the default for entries in users.conf that carry no {SCHEME} prefix
    args = scheme=SHA1 /etc/dovecot/users.conf
  }
  userdb static {
    #args = /etc/dovecot/users.conf
    args = uid=7788 gid=7788 home=/var/email/%d/%n allow_all_users=yes
  }
  socket listen {
    # master socket used by the LDA (deliver); owned by the mail user created above
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = mailman
      group = mailman
    }
    # client socket Postfix uses for SMTP AUTH (smtpd_sasl_path=private/auth)
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
Next we need to create an empty users file, so create a blank file /etc/dovecot/users.conf. We will update it during the next step. To finish with this step, ensure that your configuration files have the proper permissions, by running the following commands:
chgrp mailman /etc/dovecot/dovecot.conf
chmod g+r /etc/dovecot/dovecot.conf
chown root:root /etc/dovecot/users.conf
chmod 600 /etc/dovecot/users.conf
Create the password hash for a user. The scheme must match the scheme= argument of the passdb in dovecot.conf (SHA1 above); a stronger scheme such as SSHA256 works the same way if you change it in both places:
dovecotpw -s SHA1
It prompts for the password twice and produces a string that looks like this (dovecotpw prints it with a {SHA1} prefix; the passwd-file accepts the entry with or without that prefix):
qUqP5cyxm6ctTAYz05Hph5gvu9M=
Enter it in /etc/dovecot/users.conf as user:hash, one user per line:
webmaster@example.com:qUqP5cyxm6ctTAYz05Hph5gvu9M=
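As an added illustration (not code from this page or from Dovecot), the Python below builds and checks users.conf entries for the two schemes mentioned here, unsalted SHA1 and salted SSHA256, in the same {SCHEME}base64 layout that dovecotpw prints; the user names and passwords in it are made-up sample values.

```python
import base64
import hashlib
import hmac
import os

SHA256_LEN = 32  # digest length; everything after it in an SSHA256 blob is the salt


def sha1_hash(password):
    """Unsalted SHA1, the passdb's scheme=SHA1 default: base64(sha1(password)).
    This is what dovecotpw -s SHA1 prints after its {SHA1} prefix."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ssha256_hash(password, salt=None):
    """Salted SHA256 in Dovecot's layout: base64(sha256(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # dovecotpw also appends a short random salt
    digest = hashlib.sha256(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def make_entry(user, password, scheme="SHA1"):
    """One users.conf line, written with its scheme prefix so it is self-describing."""
    if scheme == "SHA1":
        return "%s:{SHA1}%s" % (user, sha1_hash(password))
    if scheme == "SSHA256":
        return "%s:{SSHA256}%s" % (user, ssha256_hash(password))
    raise ValueError("unsupported scheme " + scheme)


def verify(entry, password, default_scheme="SHA1"):
    """Check a password against one users.conf line the way the passdb does:
    an explicit {SCHEME} prefix wins, otherwise scheme= from the passdb args applies."""
    _user, _, stored = entry.partition(":")
    scheme = default_scheme
    if stored.startswith("{") and "}" in stored:
        scheme, stored = stored[1:].split("}", 1)
    raw = base64.b64decode(stored)
    if scheme.upper() == "SHA1":
        return hmac.compare_digest(raw, hashlib.sha1(password.encode()).digest())
    if scheme.upper() == "SSHA256":
        digest, salt = raw[:SHA256_LEN], raw[SHA256_LEN:]
        return hmac.compare_digest(digest, hashlib.sha256(password.encode() + salt).digest())
    raise ValueError("unsupported scheme " + scheme)


if __name__ == "__main__":
    line = make_entry("webmaster@example.com", "sample-password", "SSHA256")
    print(line, verify(line, "sample-password"), verify(line, "wrong"))
```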
A handy command to check the configuration of Dovecot; it shows the non-default settings in short:
dovecot -n
Same for Postfix:
postconf -n
Make sure that the user (mailman) has write access to the mail directory (/var/email).
Handy logs
tail /var/log/mail.err
tail /var/log/mail.info
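Because this setup enables auth_verbose in Dovecot and logs SASL failures from smtpd, the mail.info log is also where password-guessing against the accounts shows up. The following added example (not from this page) counts failed SMTP AUTH and POP3/IMAP logins per client IP over a few constructed log lines modelled on the Postfix 2.x and Dovecot 1.2 message formats; the host name, IPs and accounts are sample values.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on what Postfix 2.x smtpd and Dovecot 1.2
# (with auth_verbose = yes) write to mail.info; the IPs are documentation ranges.
SAMPLE_LOG = """\
Sep  5 10:01:02 mail postfix/smtpd[2213]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep  5 10:01:04 mail postfix/smtpd[2213]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Sep  5 10:01:09 mail dovecot: auth(default): passwd-file(webmaster@example.com,203.0.113.5): Password mismatch
Sep  5 10:01:11 mail dovecot: auth(default): passwd-file(admin@example.com,203.0.113.5): unknown user
Sep  5 10:02:30 mail dovecot: imap-login: Login: user=<me@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Sep  5 10:02:41 mail postfix/smtpd[2220]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

# SMTP AUTH failures reported by smtpd (the check itself runs through the Dovecot auth socket)
POSTFIX_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
# POP3/IMAP failures reported by the passwd-file passdb
DOVECOT_FAIL = re.compile(
    r"dovecot: auth\(\w+\): passwd-file\((?P<user>[^,]+),(?P<ip>[\d.]+)\): "
    r"(?P<reason>Password mismatch|unknown user)")


def auth_failures(log_text):
    """Count failed SMTP AUTH and POP3/IMAP logins per client IP."""
    per_ip = Counter()
    for line in log_text.splitlines():
        match = POSTFIX_FAIL.search(line) or DOVECOT_FAIL.search(line)
        if match:
            per_ip[match.group("ip")] += 1
    return per_ip


def suspicious_sources(log_text, threshold=3):
    """IPs with at least `threshold` failures: candidates for a firewall rule or a closer look."""
    return sorted(ip for ip, n in auth_failures(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in auth_failures(SAMPLE_LOG).most_common():
        print(ip, n)
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

Feed it the real file with `auth_failures(open("/var/log/mail.info").read())` once the server is running.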
#saslauthd
SASL authentication daemon. SASL stands for Simple Authentication and Security Layer. It's the mechanism that will allow us to manage passwords in a simple way by storing them in a file (encrypted). There are other authentication backends, such as MySQL. Note that with smtpd_sasl_type=dovecot in main.cf, Postfix verifies SMTP AUTH through Dovecot's auth socket, so saslauthd itself is not in the authentication path of this setup.
apt-get install libsasl2-2 libsasl2-modules sasl2-bin
procmail
Procmail allows you to filter email as it is received from a remote email server, or placed in your spool file on a local or remote email server. It is powerful, gentle on system resources, and widely used. Procmail, commonly referred to as a Local Delivery Agent (LDA), plays a small role in delivering email to be read by an MUA.
The command to install is:
apt-get install procmail
First we configure procmail as an available transport type in Postfix's /etc/postfix/master.cf. Add this to the file (pipe attributes such as flags= and user= follow the pipe keyword directly, not as -o options):
procmail  unix  -       n       n       -       -       pipe
  flags=RO user=mailman argv=/usr/bin/procmail -t -m USER=${user} NEXTHOP=${nexthop} EXTENSION=${extension} /etc/postfix/procmailrc.common
The default transport type for virtual users will be set to "procmail" in /etc/postfix/main.cf. Change the value of virtual_transport:
virtual_transport=procmail
With the above configuration, Postfix runs procmail with the script /etc/postfix/procmailrc.common for all virtual users. Since virtual_transport names no explicit next-hop, ${nexthop} expands to the recipient's domain and ${user} to the local part, which is how the script locates /var/email/domain/user.
/etc/postfix/procmailrc.common:
#MAILDIR="$HOME/mydomain.com/$USER"
MAILDIR="/var/email/$NEXTHOP/$USER"
# the trailing slash selects maildir format; without it procmail would write an mbox file
DEFAULT="$MAILDIR/Maildir/"
#VERBOSE=ON
# general logfile
LOGFILE="/var/log/proclog.log"
LOGABSTRACT=all
# get external procmail files; one for each user :-) (must be readable by the mailman user)
INCLUDERC=/var/mail/$NEXTHOP/$USER@$NEXTHOP/.procmail
# use dovecot to deliver
DELIVER="/usr/lib/dovecot/deliver"
:0 w
| $DELIVER -d $USER@$NEXTHOP
The trailing slash at DEFAULT is important: it decides whether maildir format or mbox format (all in one file) is used.
Make sure that the .procmail file can be read by the user (mailman).
SpamAssassin
SpamAssassin is the application that filters spam out of the mail based on rules.
The command to install:
apt-get install spamc spamassassin
By default SpamAssassin runs as the root user, which is not as secure as it can be, so we run it under a different, unprivileged user and group.
groupadd -g 5555 spamd
# Debian ships nologin under /usr/sbin
useradd -u 5555 -g spamd -s /usr/sbin/nologin -d /usr/local/spamassassin spamd
mkdir -p /usr/local/spamassassin/log
chown -R spamd:spamd /usr/local/spamassassin
Edit the /etc/default/spamassassin configuration file and make it look like the one below:
# /etc/default/spamassassin
# WARNING: please read README.spamd before using.
# There may be security risks.

# Change to one to enable spamd
ENABLED=1
SPAM_HOME="/usr/local/spamassassin"

# Options
# See man spamd for possible options. The -d option is automatically added.
# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 5 --helper-home-dir ${SPAM_HOME} --username spamd -s ${SPAM_HOME}/log/spamd.log"

# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="${SPAM_HOME}/spamd.pid"

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=0
The next thing we need to do is to configure SpamAssassin. You do this by editing /etc/spamassassin/local.cf and changing/adding the following:
rewrite_header Subject *****SPAM*****
required_score 3.0
report_safe 0
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
# 0 leaves the DNS blocklist lookups enabled; set it to 1 to skip those as well
skip_rbl_checks 0
use_razor2 0
use_dcc 0
use_pyzor 0
We disable the Razor, DCC and Pyzor network checks (skip_rbl_checks 0 keeps the DNS blocklist lookups). They would catch more spam, but they are also a big performance hit.
Now we still need to configure Postfix to use SpamAssassin. Edit /etc/postfix/master.cf and change the smtp line as follows (content_filter hands every message accepted by smtpd to the spamassassin service defined next):
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
and add the following to the end of the file:
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Finally, restart the services:
/etc/init.d/spamassassin restart
/etc/init.d/postfix restart