
Mail server setup on Debian

Written on 28/03/2016

This tutorial is written with the following versions:

  • Debian 8 (jessie) (Kernel 3.16.0-4)
  • Postfix is the actual mail daemon that accepts the mail and saves the emails in the users' mailboxes.
  • Dovecot 2.2.13 is the POP3/IMAP server that allows users to download their email to their PC.
  • saslauthd 2.1.26 (Simple Authentication and Security Layer) will manage the passwords.
  • procmail is a mail delivery agent (MDA) capable of sorting incoming mail into various directories and filtering out spam messages.
  • SpamAssassin 3.4.0 is a spam filter (optional).



Install postfix:

apt-get install postfix

Setting up SSL certificates (optional)

Here are a few steps to create the SSL certificate files our server needs to support secure communications.
You can use a commercial certificate, but it is not needed.
This is how to set up your own free certificate:

openssl req -new -x509 -days 3650 -nodes -out "example.com.cert" -keyout "example.com.key"

Some questions will be asked regarding the information you want to appear in the certificate; feel free to answer them any way you want to. You'll now have two files: "example.com.cert" and "example.com.key". We need to concatenate those two files into a third file by running the following command:

cat example.com.cert example.com.key > example.com.pem

These files will be required at different stages of the configuration. Right now, you need to move these files to the following folder: /etc/ssl/private/
Because -nodes leaves the private key unencrypted, the .key and .pem files should be readable only by root.

The configuration file of Postfix is /etc/postfix/main.cf
Many settings can be adapted; the most important are listed here.

# Your hostname and domain name here

# Virtual mailbox configuration (/var/email is the dir where you store the mails, need to be created)

# SSL configuration, make sure to use the certificates from step 2 (optional)
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Authentication settings, making use of SASL
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Now you also need to set up your virtual domains and aliases for the mailboxes.

nano /etc/postfix/vmail_domains

List your domains with OK:

example.com     OK
example.net     OK

nano /etc/postfix/vmail_mailbox

List the users with the folder where the mails need to be put:

webmaster@example.com  example.com/webmaster
me@example.com		example.com/me
@example.com		example.com/webmaster

The last one is a catch-all. Mail sent to test@example.com or dontknow@example.com will be put in the account of webmaster.

nano /etc/postfix/vmail_aliases

Here you can create aliases:

webmaster@example.com   webmaster@example.com
@example.com    webmaster@example.com

webmaster@example.net   webmaster@example.com
@example.net    webmaster@example.com

Now that you have updated your user database, it's time to apply the changes. Run the following commands for Postfix to acknowledge your newly created mailboxes:

postmap /etc/postfix/vmail_domains
postmap /etc/postfix/vmail_mailbox
postmap /etc/postfix/vmail_aliases



Dovecot allows users to retrieve their emails via POP3 or IMAP.

apt-get install dovecot-common dovecot-imapd dovecot-pop3d

Create a new user and group "mailman".

groupadd mailman -g 7788
useradd mailman -u 7788 -g 7788 -r -d /var/email -m -c "mail user"

You now have several config files in /etc/dovecot/conf.d/ and the main config file, /etc/dovecot/dovecot.conf. The configuration has a lot of options.

In /etc/dovecot/dovecot.conf, uncomment or add the following lines:

!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap pop3 lmtp
!include conf.d/*.conf
!include_try local.conf

In /etc/dovecot/conf.d/10-auth.conf we set the type of authentication we will use.

disable_plaintext_auth = yes
auth_mechanisms = plain
!include auth-passwdfile.conf.ext

In /etc/dovecot/conf.d/auth-passwdfile.conf.ext we set the type of password file we will use.

passdb {
  driver = passwd-file
  args = scheme=SHA username_format=%u /etc/dovecot/private/users.conf
}

userdb {
  driver = static
  args = uid=7788 gid=7788 home=/var/email/%d/%n allow_all_users=yes
}

In /etc/dovecot/conf.d/10-mail.conf we can set the mailboxes, where the mails are saved.

mail_location = maildir:/var/email/%d/%n
namespace inbox {
  inbox = yes
}
# the user needs write access on /var/email/
mail_privileged_group = mailman
mbox_write_locks = fcntl

In /etc/dovecot/conf.d/10-master.conf we set the protocols we want to use.
If you only want to use the SSL protocols, set the other ports to 0.

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = mailman
  }
  user = dovecot
}
service auth-worker {
  user = mailman
}
service dict {
  unix_listener dict {
  }
}

In /etc/dovecot/conf.d/10-ssl.conf (replace the certificate and key paths with your own)

ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

There are other things you can set in the config files, but these are the ones we need to get it working.

Next we need to create an empty users file, so create a blank file /etc/dovecot/users.conf. We will update it during the next step. To finish with this step, ensure that your configuration files have the proper permissions, by running the following commands:

chgrp mailman /etc/dovecot/dovecot.conf
chmod g+r /etc/dovecot/dovecot.conf
chown root:root /etc/dovecot/users.conf
chmod 600 /etc/dovecot/users.conf

Create the password:

dovecotpw -s SSHA256

It will produce a string that looks like this: qUqP5cyxm6ctTAYz05Hph5gvu9M=

On Dovecot 2.x, use doveadm pw instead:

doveadm pw -s SHA512-CRYPT -u webmaster@example.com

Enter the result in /etc/dovecot/users.conf.
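
The passdb above falls back to scheme=SHA for any entry without a {SCHEME} prefix, while doveadm pw output carries its own prefix. As an added example (not part of the original tutorial), this shell function lists the scheme each entry in the users file ends up with and flags anything outside an assumed allow-list of iterated schemes; the function name, the allow-list and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original tutorial): list the password scheme of
# every entry in a Dovecot passwd-file and flag those outside an allow-list of
# iterated schemes. The allow-list is an assumption; adjust it to your policy.

# audit_users_file FILE [DEFAULT_SCHEME]
# Prints "user scheme verdict" per entry; returns 1 if any entry is flagged.
audit_users_file() {
    awk -F: -v def="${2:-SHA}" '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            scheme = def                       # used when no {SCHEME} prefix
            if (match($2, /^[{][^}]+[}]/))     # prefix overrides the default
                scheme = substr($2, 2, RLENGTH - 2)
            sub(/[.].*$/, "", scheme)          # drop encoding suffix (.hex, .b64)
            scheme = toupper(scheme)
            ok = (scheme ~ /^(SHA256-CRYPT|SHA512-CRYPT|BLF-CRYPT)$/)
            if (!ok) flagged++
            printf "%s %s %s\n", $1, scheme, (ok ? "ok" : "WEAK")
        }
        END { exit (flagged > 0) }
    ' "$1"
}

# Constructed sample file; the hashes are placeholders, not real credentials.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# user:password
webmaster@example.com:{SHA512-CRYPT}$6$constructedsalt$constructedhash
me@example.com:qUqP5cyxm6ctTAYz05Hph5gvu9M=
old@example.com:{SSHA256.hex}00ff00ff
EOF

audit_users_file "$sample" SHA || echo "entries need re-hashing"
rm -f "$sample"
```

Run it as root against the real users file, passing the same default scheme that the passdb args line uses.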

A handy command to check the config of Dovecot is:

dovecot -n

It shows the configuration in short.

Same for Postfix:

postconf -n

Make sure that the user (mailman) has write access to the mail directory (/var/email).

Handy logs

tail /var/log/mail.err
tail /var/log/mail.log



SASL authentication daemon. SASL stands for Simple Authentication and Security Layer. It's the mechanism that will allow us to manage passwords in a simple way by storing them in a file (encrypted). There are other authentication layers such as MySQL and others.

apt-get install libsasl2-2 libsasl2-modules sasl2-bin



Procmail allows you to filter email as it is received from a remote email server, or placed in your spool file on a local or remote email server. It is powerful, gentle on system resources, and widely used. Procmail, commonly referred to as a Local Delivery Agent (LDA), plays a small role in delivering email to be read by an MUA.

The command to install is:

apt-get install procmail

First we configure procmail as an available transport type in Postfix's /etc/postfix/master.cf. Add this to the file:

procmail  unix  -       n       n       -       -       pipe
 -o flags=RO user=mailman argv=/usr/bin/procmail -t -m USER=${user} NEXTHOP=${nexthop} EXTENSION=${extension} /etc/postfix/procmailrc.common

The default transport type for virtual users will be set to "procmail" in /etc/postfix/main.cf.
Change the value of virtual_transport

With the above configuration, Postfix runs procmail with the script at /etc/postfix/procmailrc.common for all virtual users.

#general logfile

#get external procmail files; for each user :-)

#use dovecot to deliver
:0 w

The trailing slash at DEFAULT is important; it decides whether maildir format or mbox format (all in one file) is used.
Make sure that the .procmail file can be read by the user.



SpamAssassin is the application that filters spam out of the mail based on rules.

The command to install:

apt-get install spamc spamassassin

By default SpamAssassin will run under the ‘root’ user, and running it like that is not as secure as it can be, so to make it more secure we should run it under a different unprivileged user/group.

groupadd -g 5555 spamd
useradd -u 5555 -g spamd -s /sbin/nologin -d /usr/local/spamassassin spamd
mkdir -p /usr/local/spamassassin/log
chown spamd:spamd -R /usr/local/spamassassin

Edit the ‘/etc/default/spamassassin’ configuration file and make it look like the one below:

# /etc/default/spamassassin

# WARNING: please read README.spamd before using.
# There may be security risks.

# Change to one to enable spamd

# Options
# See man spamd for possible options. The -d option is automatically added.

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 5 --helper-home-dir ${SPAM_HOME} --username spamd -s ${SPAM_HOME}/log/spamd.log"

# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis

The next thing we need to do is to configure SpamAssassin. You do this by editing ‘/etc/spamassassin/local.cf’ and changing/adding the following:

rewrite_header Subject *****SPAM*****
required_score 3.0
report_safe 0
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 0
use_dcc 0
use_pyzor 0
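
With use_razor2, use_dcc and use_pyzor set to 0 we disable the Razor, DCC and Pyzor network checks (skip_rbl_checks 0 leaves the DNS blocklist checks enabled). The network checks catch more spam, but they are also a big performance hit.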

Now we still need to configure Postfix to use SpamAssassin. Edit /etc/postfix/master.cf and change the following:

smtp 	inet  n 	-	-	-	- 	smtpd -o content_filter=spamassassin
and add the following to the end of the file:

spamassassin	unix	-	n	n	-	-	pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Finally, restart the services:

/etc/init.d/spamassassin restart
/etc/init.d/dovecot restart
/etc/init.d/postfix restart