Setup Postfix and Dovecot on Debian Etch
Imagine this: Alice, Bob and Charly share a root server. All three have their own domains and need a simple setup to send and receive mail for a couple of addresses.
This article explains how to do a basic mail setup using Postfix (SMTP) and Dovecot (IMAP). Virtual mail users will be mapped to a single system account. Because only a handful of addresses are needed, no database is involved – all users are stored in a text file.
The installation method and paths assume a Debian system. But most of this tutorial should apply to any other Linux system as well. Some general knowledge on how mail and MTAs work is recommended ;-).
I plan to follow up this article with post(s) on how to set up mail filtering, spam checking and SSL support.
To ease the following description, let's assume the following values:
The server is named mail.alice.xom
All automatic mails will be sent from the domain alice.xom
It should accept mails for the domains alice.xom, bob.xom and charly.xom 1)
All mail directories shall be stored below /vmail/<domain>/<user>/
Installation
This is the simplest step 2). Just install the needed packages:
#> apt-get install dovecot-imapd postfix-pcre
When asked by debconf, just answer with “No configuration”.
Virtual Users
All users will be managed through Dovecot. Dovecot supports various user databases – for the needs of Alice, Bob and Charly the passwd-file method fits best.
As the name suggests, it uses a simple text file which is formatted similar to the system's passwd(5) file. In this file all virtual users will be listed in the following form:
user:password:uid:gid:gecos:home
The uid and gid fields specify the system user and group which will hold all virtual users. I recommend using a dedicated vmail user and placing it in the standard mail group:
#> useradd -r -c 'virtual mail users' -m -d /vmail -g mail vmail
#> mkdir /vmail
#> chown vmail:mail /vmail
Use the id command to get this new user's uid:
#> id vmail
uid=104(vmail) gid=8(mail) groups=8(mail)
Time to create the user file. All passwords in this file should be stored as a crypted hash. You can create such a hash with the dovecotpw tool:
#> dovecotpw -s SHA1
Enter new password:
Retype new password:
{SHA1}5en6G6MezRroT3XKqkdPOmY/BfQ=
Now create your user file in /etc/dovecot/users.conf:
alice@alice.xom:{SHA1}5en6G6MezRroT3XKqkdPOmY/BfQ=:104:8:Alice:/vmail/alice.xom/alice
bob@bob.xom:{SHA1}C+7Hteo/D9vJXQ3UfzxbwnXaijM=:104:8:Bob:/vmail/bob.xom/bob
charly@charly.xom:{SHA1}oh02RQodeuOCLqogCBqNBr1+GvY=:104:8:Charly:/vmail/charly.xom/charly
carol@charly.xom:{SHA1}Jin7bSOE2ol5akgR72218qxle6s=:104:8:Carol:/vmail/charly.xom/carol
For security reasons (and because Dovecot will complain otherwise) nobody except root should be able to open this file:
#> chown root:root /etc/dovecot/users.conf
#> chmod 600 /etc/dovecot/users.conf
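A sanity check for the user file, as an added example that is not part of the original article: it parses passwd-file lines in the layout shown above and reports entries with missing fields, a uid/gid other than the vmail account, a home directory outside /vmail, or an unsalted password scheme such as {SHA1}. The function names, the UNSALTED list and the sample entries are constructed for this illustration.

```python
import os
import posixpath
import stat

# Schemes that hash without a per-user salt (or do not hash at all).
UNSALTED = {"PLAIN", "SHA", "SHA1", "PLAIN-MD5", "LDAP-MD5"}

def audit_users(text, uid, gid, base="/vmail"):
    """Check passwd-file text; return (line_no, user, problem) tuples."""
    findings, seen = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        user = fields[0]
        if len(fields) < 6:
            findings.append((no, user, "fewer than 6 fields"))
            continue
        password, f_uid, f_gid, home = fields[1], fields[2], fields[3], fields[5]
        if user in seen:
            findings.append((no, user, "duplicate user"))
        seen.add(user)
        if password.startswith("{") and "}" in password:
            scheme = password[1:password.index("}")].upper()
            if scheme in UNSALTED:
                findings.append((no, user, "unsalted scheme " + scheme))
        else:
            findings.append((no, user, "no {SCHEME} prefix"))
        if (f_uid, f_gid) != (str(uid), str(gid)):
            findings.append((no, user, "uid/gid is not the vmail account"))
        # normpath collapses "..", so /vmail/../etc is caught here
        if not posixpath.normpath(home).startswith(base.rstrip("/") + "/"):
            findings.append((no, user, "home outside " + base))
    return findings

def private_to_owner(path):
    """True if the file grants no access to group or others (e.g. mode 0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

# Constructed sample (the hashes are placeholders, not real credentials).
SAMPLE = """\
alice@alice.xom:{SSHA}cGxhY2Vob2xkZXI=:104:8:Alice:/vmail/alice.xom/alice
bob@bob.xom:{SHA1}cGxhY2Vob2xkZXI=:104:8:Bob:/vmail/bob.xom/bob
carol@charly.xom:{SSHA}cGxhY2Vob2xkZXI=:0:0:Carol:/vmail/charly.xom/carol
dave@charly.xom:{SSHA}cGxhY2Vob2xkZXI=:104:8:Dave:/vmail/../etc
eve@bob.xom:hunter2:104:8
"""

if __name__ == "__main__":
    for finding in audit_users(SAMPLE, uid=104, gid=8):
        print("line %d: %s: %s" % finding)
```

Run against the article's own users.conf, every entry is reported for its unsalted {SHA1} scheme; a salted scheme such as {SSHA} passes the check.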
Configuring Dovecot
After having set up the users, continue with editing Dovecot's config file in /etc/dovecot/dovecot.conf:
protocols = imap
# We only allow our virtual user to login
first_valid_uid = 104
last_valid_uid = 104
first_valid_gid = 8
last_valid_gid = 8
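mail_location = maildir:~/Maildir
# Comment 4 below (citing http://lwn.net/Alerts/273674/) recommends
# mail_privileged_group = mail in place of this setting
mail_extra_groups = mail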
# debugging - comment in when needed
log_timestamp = "%Y-%m-%d %H:%M:%S "
#mail_debug = yes
#auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = yes
#verbose_ssl = no
protocol lda {
  # Address to use when sending rejection mails.
  postmaster_address = postmaster@alice.xom
}
auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /etc/dovecot/users.conf
  }
  userdb passwd-file {
    args = /etc/dovecot/users.conf
  }
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
      group = mail
    }
    client {
      # make auth info available for postfix
      path = /var/spool/postfix/private/auth
      mode = 0600
      user = postfix
      group = mail
    }
  }
}
The config is pretty straightforward. First it makes sure that only the system account dedicated to the virtual mail users is allowed to access the IMAP server. Then the mail storage format (Maildir) and the path to the mail folder are set up.
Next, the protocol lda block configures Dovecot's local delivery agent (LDA), which accepts incoming mail from Postfix. Nothing fancy here.
The third part finally configures the authentication mechanism as described in the previous section. The socket listen options are the most important ones. They make the authentication info available to Postfix, which will use it to handle SMTP auth. This way all IMAP passwords will be valid for SMTP auth, too.
That's it for Dovecot so far. Just (re)start:
#> /etc/init.d/dovecot restart
Postfix
Next step is Postfix. Before you continue, a word of warning: Postfix reloads its config periodically – keep this in mind when working on a running mail system!
First you need to create Postfix's main configuration in /etc/postfix/main.cf. Here is the full listing first – explanations below.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# setup for local generated mails
append_dot_mydomain = yes
masquerade_domains = alice.xom
myorigin = alice.xom
# general stuff
myhostname = mail.alice.xom
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = mail.alice.xom,
    mail,
    localhost,
    localhost.localdomain,
    alice.xom,
    bob.xom,
    charly.xom
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# helo restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    permit
# sender restrictions
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
# recipient restriction
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination
#enable SMTP auth for relaying
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# deliver with dovecot
dovecot_destination_recipient_limit = 1
mailbox_transport = dovecot
local_recipient_maps =
Again we start with some generic setup, like the SMTP banner and how mails generated at the local system should be treated. The name of the system is set up and all domains the server should accept mails for are listed in the mydestination setting.
Then a few restrictions follow. These are very important (order does matter) as they make sure your server is not an open relay and accepts mail only from permitted senders. Mail to other domains is relayed only when it was generated on the server itself (from mynetworks) or comes from a user who authenticated through SMTP auth first.
This SMTP auth is set up after the restriction checks. It tells Postfix to authenticate via the Dovecot authentication socket we set up earlier.
Received mails are passed over to Dovecot through Dovecot's own delivery agent. This allows us to use Dovecot plugins for filtering incoming mails (more on that in a follow-up post).
To make the last setting work, we need to tell Postfix where to find Dovecot's delivery agent. This is done in /etc/postfix/master.cf, where we add the following at the very end (leave everything else as is):
# Dovecot LDA
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
That's it. Before we restart Postfix, we'll make sure the alias database exists:
#> newaliases
#> /etc/init.d/postfix restart
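Two mistakes in these Postfix files can be checked mechanically; the following is an added example, not part of the original article or of Postfix. It joins continuation lines the way Postfix reads main.cf and master.cf, flags a master.cf continuation line that lost its leading whitespace (Postfix then reports it as a bad transport type, the error quoted in comment 8 below), and checks that no unconditional permit comes before reject_unauth_destination. Function names and samples are constructed, and relay control is assumed to live in smtpd_recipient_restrictions as in the listing above.

```python
import re

# Service types accepted in the second master.cf column.
VALID_TYPES = {"inet", "unix", "unix-dgram", "fifo", "pass"}

def logical_lines(text):
    """Join continuation lines the way Postfix reads main.cf and master.cf:
    a line starting with whitespace continues the previous logical line;
    blank lines and lines whose first non-blank character is '#' are skipped."""
    lines = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            start, joined = lines[-1]
            lines[-1] = (start, joined + " " + raw.strip())
        else:
            lines.append((no, raw.strip()))
    return lines

def check_master(master_cf):
    """Return (line_no, problem) for entries that are not valid services."""
    problems = []
    for no, line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) < 2 or fields[1] not in VALID_TYPES:
            problems.append((no, "bad transport type: " + " ".join(fields[1:2])))
        elif len(fields) < 8:
            problems.append((no, "fewer than 8 fields"))
    return problems

def check_relay(main_cf):
    """Return problems in smtpd_recipient_restrictions that allow open relaying."""
    params = {}
    for _no, line in logical_lines(main_cf):
        name, _sep, value = line.partition("=")
        params[name.strip()] = [t for t in re.split(r"[,\s]+", value) if t]
    rules = params.get("smtpd_recipient_restrictions", [])
    if "reject_unauth_destination" not in rules:
        return ["reject_unauth_destination is missing"]
    guard = rules.index("reject_unauth_destination")
    if "permit" in rules[:guard]:
        return ["permit precedes reject_unauth_destination"]
    return []

# Constructed samples based on the listings in this article.
MASTER_OK = """\
# Dovecot LDA
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
"""
MASTER_UNINDENTED = MASTER_OK.replace("\n  flags", "\nflags")
MAIN_OK = """\
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""
MAIN_OPEN_RELAY = MAIN_OK.replace("    permit_mynetworks,", "    permit,")

if __name__ == "__main__":
    print(check_master(MASTER_OK), check_master(MASTER_UNINDENTED))
    print(check_relay(MAIN_OK), check_relay(MAIN_OPEN_RELAY))
```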
Testing
Now you can set up a mail client to test the system. Use the full email address as the username (alice@alice.xom) for both IMAP and SMTP.
If it does not work, check /var/log/mail.log on the server for any error messages.
1) using .xom instead of .com to avoid any problems with the real domain owners
2) This is why I love Debian ;-)
Posted on Thursday, January the 31st 2008 (4 years ago).
Comments?
1
This set-up seems very clean, as you let dovecot handle most things (auth, delivery,...). Just one remark: if Alice or her friends use Outlook Express (presently Windows Mail) you will need to enable the login mechanism for dovecot's auth, or it mysteriously won't work, see the remark at the bottom:
http://wiki.dovecot.org/HowTo/ … ovecotSASL
On my system, I combine system users with virtual users. I was surprised how flexible postfix and dovecot can be in this regard. For postfix, everything starts here:
http://www.postfix.org/postcon … ox_domains
For dovecot, you can configure a system passdb and userdb below the virtual ones.
I still use procmail as a delivery agent, since I prefer its filtering capabilities (for system users).
2008-02-01 10:25:17
Bruno
2
First off, thanks for this nice tutorial, it helped me a lot to set up my MTA (I even got pop3 working and the whole SSL stuff :D). I have one question though: I only got it fully working for a system user when I put 2 lines in the user.conf file à la:
foo@foobar.baz:pass:
foo:pass:
@Bruno, that's interesting, I've also tried to use virtual users by using the virtual_alias_domains, but that somehow didn't work. Maybe the virtual_mailbox_domains is the right thing to do here?
2008-02-01 11:33:35
Michael Klier
3
Thanks for the tutorial! Now I'm eagerly waiting for part 2, this might finally lead me to also move my mail service to my VPS, right now I'm only running a LAMP setup without mail on it because Postfix and Spam always seemed a little too scary. :)
2008-02-01 13:26:25
zylox
4
According to http://lwn.net/Alerts/273674/ one should use
mail_privileged_group = mail
instead of
mail_extra_groups = mail
in /etc/dovecot/dovecot.conf
2008-05-01 19:10:49
David Andel
5
Great guide! Using thunderbird as my client, I'm able to send mail anywhere with my addresses. However, it always says I have no mail on the server. I tried to check /vmail/my.xom/me but it doesn't exist. It's almost as if it receives the mail and throws it away. Any ideas? Maybe my /etc/aliases file? Thanks!
2009-07-23 07:18:58
Charlie
6
correction to the above, according to /var/log/mail.log, the error is:
Mail storage creation failed with mail_location: mailder:/vmmail/domain.xom/user/Maildir
Jul 23 09:45:09 localhost dovecot: child 22223 (imap) returned error 89
2009-07-23 07:50:58
Charlie
7
Charlie,
This is a shot in the dark but I noticed your error says:
"...failed with mail_location: mailder:/..."
Did you type-o 'mailder' instead of 'maildir'?
2009-08-29 00:44:20
Adam
8
Hi Andreas
I am having vit problem in configuring Dovecot as MDA
my main.cf
mail_full_filesystem_access = yes
mail_debug = yes
myhostname = mail.vqlc.net
virtual_transport = dovecot
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-aliases.cf
virtual_mailbox_base = /usr/local/vmail/
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_minimum_uid = 100
virtual_uid_maps = static:1006
virtual_gid_maps = static:1006
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_relay_domains
#local_transport = dovecot
#######################dovecot config
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
#smtpd_sasl_path = smtp
$mydestination = localhost,
mail.vqlc.net
mailbox_command = /usr/local/libexec/dovecot/deliver
My mails get delivered to /usr/local/libexec/dovecot/deliver
Now in master.cf when I give the command
dovecot unix - n n - - pipe
flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
it gives me fatal: /etc/postfix/master.cf: line 123: bad transport type: user=vmail:mail
I have created the user vmail
please help me