Postfix and Dovecot on Ubuntu Dapper Drake

This document shows how to install Postfix and Dovecot on Ubuntu Dapper Drake (and possibly Debian or other Debian-based distros) with features that are essential to efficient and secure email processing.

I have partitioned this text into independent sections so that you can configure only the parts you need, e.g. omit TLS for Postfix.

First of all, I am cheating a bit. To follow this HOWTO you must already have Postfix installed and configured to work properly in the way that you find most suitable. You need the postfix-tls version, which in Dapper Drake is provided by the postfix package, so a normal install works fine. Usually it is enough to tweak myhostname, mynetworks and similar options in /etc/postfix/main.cf. Send yourself a test message, then try emailing someone outside. Do not continue until it is perfect.

Note that most commands presented below have to be run as the root user, either by prefixing them with sudo, or by using sudo -s to get a shell with superuser privileges. (Ubuntu doesn't enable the root account password by default, so su doesn't work.) Of course, root is not required for telnetting to port 25 or for generating SSL certificates.

TLS on Postfix

Once you have Postfix working, you may enable TLS. To do that, edit /etc/postfix/main.cf and add (or uncomment) the following lines:

smtpd_tls_cert_file=/etc/ssl/certs/mail-cert.pem
smtpd_tls_key_file=/etc/ssl/private/mail-key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

I assume you have generated or ordered an SSL certificate and have the files mentioned above (cert and key). If you don't, search the web for “openssl generate certificate” to find zillions of tutorials on generating self-signed certificates (e.g. Anand Vaidya recommends one from debian-administration.org). One note: when entering certificate details, put your mail server's FQDN into the “common name” field (it's the hostname that you advertise to your users, e.g. mail.foo.com).

And don't forget to reload Postfix:

postfix reload

SMTP authentication with Postfix

This is achieved by using SASL, version 2. First, install required libraries and programs:

apt-get install libsasl2 libsasl2-modules sasl2-bin

Configure saslauthd, which will dispatch our authentication requests. Open /etc/default/saslauthd. Uncomment the following line:

START=yes

Since many operations in Postfix run in a chrooted environment, we have to tune saslauthd for that. Open /etc/init.d/saslauthd. Find the line with PARAMS="... and add at the end, just before the closing quote:

-m /var/spool/postfix/var/run/saslauthd

(Anand Vaidya tells me you have to use OPTIONS instead of PARAMS under Debian Etch.)

Create and chown the appropriate directories in the Postfix spool directory:

mkdir -p /var/spool/postfix/var/run/saslauthd
chown -R root:sasl /var/spool/postfix/var/run/saslauthd

Restart saslauthd now:

/etc/init.d/saslauthd restart

Check to see if it is running fine:

ps -ef | grep saslauthd

Check if additional sockets are created:

ls -lh /var/spool/postfix/var/run/saslauthd

Next, Postfix side. You must have directory /etc/postfix/sasl. Create file smtpd.conf in it and write this inside:

pwcheck_method: saslauthd

Next, open /etc/postfix/main.cf and enter the following options:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains

These options practically speak for themselves. Reload Postfix:

postfix reload
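
Before testing, it is worth checking how the TLS and SASL settings combine: with the options above, AUTH is still accepted on connections that never issued STARTTLS unless smtpd_tls_auth_only = yes is set. The following is an added example, not part of the original HOWTO; parse_main_cf and audit are hypothetical helper names, and the sample main.cf is constructed from the lines on this page.

```python
# Constructed sample: the TLS and SASL lines from this HOWTO in one main.cf.
SAMPLE_MAIN_CF = """\
smtpd_tls_cert_file=/etc/ssl/certs/mail-cert.pem
smtpd_tls_key_file=/etc/ssl/private/mail-key.pem
smtpd_use_tls=yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains
"""

def parse_main_cf(text):
    """Parse main.cf text. Blank and '#' lines are skipped; a line that
    starts with whitespace continues the previous parameter."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params

def audit(params):
    """Return findings (hypothetical helper) for the TLS + SASL settings."""
    def yes(key):
        return params.get(key, "no").lower() == "yes"
    findings = []
    tls = yes("smtpd_use_tls") or params.get("smtpd_tls_security_level") in ("may", "encrypt")
    if not tls:
        findings.append("STARTTLS is not offered (smtpd_use_tls is not yes)")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if tls and not params.get(key):
            findings.append(key + " is not set")
    if yes("smtpd_sasl_auth_enable"):
        if not yes("smtpd_tls_auth_only"):
            findings.append("smtpd_tls_auth_only is not yes: AUTH is accepted without TLS")
        if "permit_sasl_authenticated" not in params.get("smtpd_recipient_restrictions", ""):
            findings.append("permit_sasl_authenticated missing from smtpd_recipient_restrictions")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print("WARN:", finding)
```

The second check also catches a restriction list whose continuation lines lost their leading whitespace, because Postfix then no longer reads them as part of smtpd_recipient_restrictions.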

Generate string for testing (you will need to substitute your system account name and password):

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'

It prints something like:

dXNlcm5hbWUAdXNlcm5hbWUMb29iYXI=

Copy that string and simulate a login session:

telnet localhost 25

Example session transcript is below (the EHLO, AUTH PLAIN and QUIT lines are to be typed by you):

220 mail.foo.com ESMTP Postfix
EHLO my.host
250-mail.foo.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-XVERP
250 8BITMIME
AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUMb29iYXI=
235 Authentication successful
QUIT
221 Bye

However, if you don't get Authentication successful, double-check previous steps and take a look at Postfix log (/var/log/mail.log).
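
The string passed to AUTH PLAIN is only base64 over authorization-id NUL username NUL password, so anyone who sees the session can read the password back. The following added example (not part of the original HOWTO; the function names and credentials are made up) builds the token without Perl's string escapes, decodes one, and masks tokens in a transcript before it is shared.

```python
import base64
import re

def build_auth_plain(authcid, password, authzid=""):
    """Return the base64 argument for AUTH PLAIN (RFC 4616):
    authzid NUL authcid NUL password, encoded as UTF-8."""
    fields = (authzid, authcid, password)
    if any("\0" in f for f in fields):
        raise ValueError("NUL is not allowed inside a field")
    return base64.b64encode("\0".join(fields).encode("utf-8")).decode("ascii")

def decode_auth_plain(token):
    """Return (authzid, authcid, password); ValueError if malformed."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected 3 NUL-separated fields, got %d" % len(parts))
    return tuple(p.decode("utf-8") for p in parts)

def redact_transcript(text):
    """Replace AUTH PLAIN tokens in a pasted SMTP transcript or log excerpt."""
    def mask(match):
        try:
            user = decode_auth_plain(match.group(2))[1]
        except ValueError:
            user = "?"
        return "%s[redacted, user=%s]" % (match.group(1), user)
    return re.sub(r"(?mi)^(AUTH PLAIN )(\S+)", mask, text)

# Constructed credentials; this password would be mangled by a Perl
# double-quoted string ("\042" parses as an octal escape, "@x" as an array).
TOKEN = build_auth_plain("alice", "42secret@x", authzid="alice")

if __name__ == "__main__":
    print(TOKEN)
    print(decode_auth_plain(TOKEN))
    print(redact_transcript("EHLO my.host\nAUTH PLAIN %s\nQUIT" % TOKEN))
```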

Installing Dovecot

Dovecot is an IMAP server of my choice. It is pretty fast, secure and easy to configure. However, for larger installations you might consider Cyrus or Courier IMAP. So, install Dovecot:

apt-get install dovecot-imapd

Next, open /etc/dovecot/dovecot.conf and find commented line that starts with protocols =. You can simply uncomment it, or write this below:

protocols = imap imaps

In this and following sections, do not forget to restart Dovecot after tweaking configs:

/etc/init.d/dovecot restart

You can now test if IMAP works by using mutt:

mutt -f imap://username@hostname/

It will possibly cry about SSL certificates, but in the end you should be able to see list of emails. In fact, mutt has all the fancy stuff that you might ever need. But that's another topic.

Maildirs in Postfix and Dovecot

(This section, while optional, is highly required, and I have not tested system setup without it.)

By default, Postfix (and many other MTAs, for that matter) use mbox format which is simply all email messages concatenated and held in one file, often /var/mail/username.

While that is fine for small systems, mbox files are not efficient for reading/reordering (imagine deleting a message somewhere in the middle of the file). There are also some problems with file locking. However, for me it was most important to have folders accessible via IMAP, a task that cannot be achieved using an mbox file (well, okay, with Dovecot you could use multiple mbox files and list them manually). So I went with Maildir.

Maildir, on the other hand, is not a file, it is (guess) a directory. Messages are stored as separate files, folder structure is implemented by ordinary directories, and there are other enhancements with locking etc.

In Postfix, edit /etc/postfix/main.cf, and add the following line:

home_mailbox = Maildir/

Restart Postfix. Note that this option is global, and from now on all mail is delivered to ~user/Maildir for local users. If you only want Maildir for yourself, procmail is an acceptable solution. If you put / at the end of the target mailbox name in .procmailrc, procmail recognizes that it is a Maildir.

You might have to create ~/Maildir manually. Test if it works by sending yourself mail via Postfix, and using, e.g. mutt to verify:

mutt -f ~/Maildir

Dovecot. Edit /etc/dovecot/dovecot.conf, search and uncomment this:

default_mail_env = maildir:~/Maildir

Restart Dovecot.

SSL in Dovecot

Since we enabled IMAPS once Dovecot was installed, it is wise to use your own SSL certificates. Edit /etc/dovecot/dovecot.conf again and uncomment/modify these lines:

ssl_cert_file = /etc/ssl/certs/mail-cert.pem
ssl_key_file = /etc/ssl/private/mail-key.pem

Note I use the same certificate for both SMTP (in Postfix, see somewhere above) and IMAP. That is of course not necessary. Restart Dovecot now:

/etc/init.d/dovecot restart

Configuring Mozilla Thunderbird for full setup

I use Mozilla Thunderbird sometimes, and below are instructions on how to make it use all the power of system that we have just configured. I assume all sections were followed.

Add IMAP account.
In account properties (Server Settings), select SSL.
Add SMTP server in Outgoing Server, select it to use TLS. I have also entered my username, because I stick to one. ;-)

Screenshots? Well, it's not that difficult. Of course, check everything from the terminal first.

Other stuff

Though not documented here, on my system I also use:

Virtual users for Postfix
Self-generated authority certificate that I use to sign all server certificates so that I can import CA into mail program and it doesn't exclaim anymore.
SpamAssassin (via spamd)

Final word

Okay, it took me about an hour to configure all this on my system and half of that to write this document. I hope this was/will be useful to you. Thank-you letters are welcome. :-)

However, please do not ask me if something doesn't work. I have a lot of work to do, and these instructions worked for me, so check your software versions, watch logs, double check all points, and if that doesn't work, search the web for more information. If you happen to write another HOWTO about “Installing Postfix 5.0 and Dovecot 21.9 on Ubuntu Smelly Snake”, I'd be glad if you add link to this page too. (And I will too, of course.)
