Setup Postfix and Dovecot on Debian Etch
Imagine this: Alice, Bob and Charly are sharing a root server. All three have their own domains and need a simple setup to send and receive mail for a couple of addresses.
This article explains how to do a basic mail setup using Postfix (SMTP) and Dovecot (IMAP). Virtual mail users will be mapped to a single system account. Because only a handful of addresses are needed, no database is involved – all users are stored in a text file.
The installation method and paths assume a Debian system, but most of this tutorial should apply to any other Linux system as well. Some general knowledge of how mail and MTAs work is recommended.
I plan to follow up this article with post(s) on how to set up mail filtering, spam checking and adding SSL support.
To ease the following description, let's assume the following values:
- The server is named mail.alice.xom
- All automatic mails will be sent from the domain alice.xom
- All mail directories shall be stored below /vmail/<domain>/<user>
Installation
This is the simplest step. Just install the needed packages:
#> apt-get install dovecot-imapd postfix-pcre
When asked by debconf, just answer with “No configuration”.
Virtual Users
All users will be managed through Dovecot. Dovecot supports various user databases – for the needs of Alice, Bob and Charly the passwd-file method fits best.
As the name suggests, it uses a simple text file which is formatted similarly to the system's passwd(5) file. In this file all virtual users will be listed in the following form:
<user>:<password>:<uid>:<gid>:<name>:<homedir>
<uid> and <gid> specify the system user and group which will hold all virtual users. I recommend using a dedicated vmail user and placing it in the standard mail group:
#> useradd -r -c 'virtual mail users' -m -d /vmail -g mail vmail
#> mkdir /vmail
#> chown vmail:mail /vmail
Use the id command to get this new user's uid:
#> id vmail
uid=104(vmail) gid=8(mail) groups=8(mail)
Time to create the user file. All passwords in this file should be stored as hashes. You can create such a hash with the dovecotpw tool:
#> dovecotpw -s SHA1
Enter new password:
Retype new password:
{SHA1}5en6G6MezRroT3XKqkdPOmY/BfQ=
Now create your user file in /etc/dovecot/users.conf:
alice@alice.xom:{SHA1}5en6G6MezRroT3XKqkdPOmY/BfQ=:104:8:Alice:/vmail/alice.xom/alice
bob@bob.xom:{SHA1}C+7Hteo/D9vJXQ3UfzxbwnXaijM=:104:8:Bob:/vmail/bob.xom/bob
charly@charly.xom:{SHA1}oh02RQodeuOCLqogCBqNBr1+GvY=:104:8:Charly:/vmail/charly.xom/charly
carol@charly.xom:{SHA1}Jin7bSOE2ol5akgR72218qxle6s=:104:8:Carol:/vmail/charly.xom/carol
For security reasons (and because Dovecot will complain otherwise) nobody except root should be able to open this file:
#> chown root:root /etc/dovecot/users.conf
#> chmod 600 /etc/dovecot/users.conf
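A small audit of the user file described above, as an added example that is not part of the original article: it checks each line against the six-field form, the vmail uid/gid (104/8 from the id output), the /vmail/<domain>/<user> layout, the password scheme prefix, and the file mode. The function names, the list of unsalted schemes and all sample lines except Alice's are assumptions made for this example.

```python
import os
import stat

VMAIL_UID, VMAIL_GID = "104", "8"   # from the `id vmail` output in the article
MAIL_ROOT = "/vmail"                # layout: /vmail/<domain>/<user>
UNSALTED = {"PLAIN", "CLEARTEXT", "PLAIN-MD5", "SHA", "SHA1"}  # assumed list

# Constructed sample: Alice's line from the article plus three faulty lines.
SAMPLE = """\
alice@alice.xom:{SHA1}5en6G6MezRroT3XKqkdPOmY/BfQ=:104:8:Alice:/vmail/alice.xom/alice
bob@bob.xom:secret:104:8:Bob:/vmail/bob.xom/bob
carol@charly.xom:{SHA1}Jin7bSOE2ol5akgR72218qxle6s=:0:0:Carol:/vmail/charly.xom/carol
dave@bob.xom:{SSHA}constructed:104:8:Dave:/vmail/alice.xom/alice
"""

def check_line(line):
    """Problems in one <user>:<password>:<uid>:<gid>:<name>:<homedir> line."""
    fields = line.split(":")
    if len(fields) != 6:
        return ["expected 6 fields, got %d" % len(fields)]
    user, password, uid, gid, _name, home = fields
    local, at, domain = user.partition("@")
    problems = []
    if not (local and at and domain):
        problems.append("user is not a full e-mail address")
    has_prefix = password.startswith("{") and "}" in password
    scheme = password[1:].partition("}")[0] if has_prefix else ""
    if not scheme:
        problems.append("password has no {SCHEME} prefix")
    elif scheme.upper() in UNSALTED:
        problems.append("unsalted or plaintext password scheme")
    if (uid, gid) != (VMAIL_UID, VMAIL_GID):
        problems.append("uid/gid is not the vmail account")
    if home != "%s/%s/%s" % (MAIL_ROOT, domain, local):
        problems.append("homedir is not /vmail/<domain>/<user>")
    return problems

def audit(text):
    """Map line number to problems for every non-empty line that has any."""
    found = ((n, check_line(l.strip()))
             for n, l in enumerate(text.splitlines(), 1) if l.strip())
    return {n: problems for n, problems in found if problems}

def check_mode(path):
    """The article sets mode 600: flag any group/other permission bit."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode & 0o077 == 0 else ["mode %o grants group/other access" % mode]
```

Alice's line from the article is reported only for its unsalted {SHA1} scheme; the other three sample lines each fail a structural check.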
Configuring Dovecot
After having set up the users, continue with editing Dovecot's config file in /etc/dovecot/dovecot.conf:
protocols = imap
# We only allow our virtual user to login
first_valid_uid = 104
last_valid_uid = 104
first_valid_gid = 8
last_valid_gid = 8
mail_location = maildir:~/Maildir
mail_extra_groups = mail
# debugging - comment in when needed
log_timestamp = "%Y-%m-%d %H:%M:%S "
#mail_debug = yes
#auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = yes
#verbose_ssl = no
protocol lda {
  # Address to use when sending rejection mails.
  postmaster_address = postmaster@alice.xom
}
auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /etc/dovecot/users.conf
  }
  userdb passwd-file {
    args = /etc/dovecot/users.conf
  }
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
      group = mail
    }
    client {
      # make auth info available for postfix
      path = /var/spool/postfix/private/auth
      mode = 0600
      user = postfix
      group = mail
    }
  }
}
The config is pretty straightforward. First it makes sure that only the system account dedicated to the virtual mail users is allowed to access the IMAP server. Then the mail storage format (Maildir) and the path to the mail folder are set up.
Later the protocol lda block defines the behavior for accepting incoming mails from Postfix via the LDA (Dovecot's local delivery agent). Nothing fancy here.
The third part finally configures the authentication mechanism as described in the previous section. The socket listen options are the most important ones. They make the authentication info available to Postfix, which will use it to handle SMTP-Auth. This way all IMAP passwords will be valid for SMTP auth, too.
That's it for Dovecot so far. Just (re)start:
#> /etc/init.d/dovecot restart
Postfix
Next step is Postfix. Before you continue, a word of warning: Postfix reloads its config periodically – keep this in mind when working on a running mail system!
First you need to create Postfix's main configuration in /etc/postfix/main.cf. Here is the full listing first – explanations below.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# setup for local generated mails
append_dot_mydomain = yes
masquerade_domains = alice.xom
myorigin = alice.xom
# general stuff
myhostname = mail.alice.xom
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = mail.alice.xom, mail, localhost, localhost.localdomain, alice.xom, bob.xom, charly.xom
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# helo restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
# sender restrictions
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
# recipient restriction
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination
#enable SMTP auth for relaying
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# deliver with dovecot
dovecot_destination_recipient_limit = 1
mailbox_transport = dovecot
local_recipient_maps =
Again we start with some generic setup, like the SMTP banner and how mails generated at the local system should be treated. The name of the system is set up and all domains the server should accept mails for are listed in the mydestination setting.
Then a few restrictions follow. These are very important (order does matter) as they will make sure your server is not an open relay and will accept mail only from permitted senders. Only mails generated on the server itself (from mynetworks) and from users who authenticated through SMTP auth first are accepted.
This SMTP auth is set up after the restriction checks. It tells Postfix to authenticate via Dovecot's authentication socket we set up earlier.
Received mails are passed over to Dovecot through Dovecot's own delivery agent. This allows us to use Dovecot plugins for filtering incoming mails (more on that in a follow-up post).
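Why the order of smtpd_recipient_restrictions matters, as an added example that is not part of the original article: a simplified model of Postfix's first-decision-wins evaluation, using the list, mynetworks and mydestination values from the main.cf above. The function name, the client address 192.0.2.10, the recipient at example.org and the misordered list are constructed for illustration; DNS and pipelining checks are modelled as "no decision", and only mydestination is consulted for the relay check.

```python
import ipaddress

MYNETWORKS = ipaddress.ip_network("127.0.0.0/8")
MYDESTINATION = {"mail.alice.xom", "mail", "localhost", "localhost.localdomain",
                 "alice.xom", "bob.xom", "charly.xom"}

# smtpd_recipient_restrictions in the order used in main.cf above
ARTICLE_ORDER = ["reject_unauth_pipelining", "permit_sasl_authenticated",
                 "permit_mynetworks", "reject_non_fqdn_recipient",
                 "reject_unknown_recipient_domain", "reject_unauth_destination"]
# Constructed mistake: a catch-all "permit" placed before the relay check
BROKEN_ORDER = ARTICLE_ORDER[:-1] + ["permit", "reject_unauth_destination"]

def evaluate(restrictions, client_ip, authenticated, recipient):
    """Return (verdict, deciding restriction) for one RCPT TO; first decision wins."""
    domain = recipient.rpartition("@")[2].lower()
    local_client = ipaddress.ip_address(client_ip) in MYNETWORKS
    for name in restrictions:
        if name == "permit":
            return "PERMIT", name
        if name == "permit_sasl_authenticated" and authenticated:
            return "PERMIT", name
        if name == "permit_mynetworks" and local_client:
            return "PERMIT", name
        if name == "reject_non_fqdn_recipient" and "." not in domain:
            return "REJECT", name
        if name == "reject_unauth_destination" and domain not in MYDESTINATION:
            return "REJECT", name
        # reject_unauth_pipelining and reject_unknown_recipient_domain depend on
        # session and DNS state; this model treats them as "no decision".
    return "PERMIT", "end of list"   # nothing rejected: the mail is accepted

if __name__ == "__main__":
    for order in (ARTICLE_ORDER, BROKEN_ORDER):
        print(evaluate(order, "192.0.2.10", False, "someone@example.org"))
```

With the article's order, an unauthenticated outside client can deliver to the domains in mydestination but is rejected for any other destination; with the misordered list the same client is permitted, which is the open-relay condition the restrictions are there to prevent.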
To make the last setting work, we need to tell Postfix where to find Dovecot's delivery agent. This is done in /etc/postfix/master.cf where we add the following at the very end (leave everything else as is):
# Dovecot LDA
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
That's it. Before we restart Postfix, we'll make sure the alias database exists:
#> newaliases
#> /etc/init.d/postfix restart
Testing
Now you can set up a mail client to test the system. You need to give the full email address as username (alice@alice.xom) for IMAP and SMTP.
If it does not work, check /var/lib/mail.log on the server for any error messages.