How to setup simple but yet powerful mail server using Postfix, Dovecot and Sasl in Debian 9 or Fedora 26

The following article aims into installing and configuring a simple POP3/IMAP/SMTP mail server in your Debian 9 using Postfix, Dovecot (v2) and SASL.
What is Postfix? It is a drop in replacement for the old and mature Sendmail. Postfix also attempts to be very fast, easy to administer, and secure.
What is Dovecot? It is an open source IMAP and POP3 server for *NIX-like systems, written primarily with security in mind.
What is SASL? SASL, the Simple Authentication and Security Layer, is a generic mechanism for protocols to accomplish authentication.

1.) Pre-Requirements

– You may want to check if your hostname/domainname is a valid FQDN (fully qualified domain name) and it has a valid MX DNS record.
# dig +short MX

ok the hostname ‘’ has an MX record and:
# dig +short A $(dig +short MX | head -1 | cut -d' ' -f2)

the MX record set resolves back to our Debian Server’s IP (

2.) Update the system and install the required packages

– Before we proceed any further we need to make sure we have a fully up-to-date system.
# apt-get update
# apt-get upgrade
# apt-get dist-upgrade

2.a) Install postfix / Instalacíon de postfix

# apt-get install postfix
(when prompted, choose ‘Internet Site’ and then set ‘’ as a system mail name.)

2.b) Install dovecot / Instalacíon de devecot

# apt-get install dovecot-common dovecot-imapd dovecot-pop3d

2.c) Install sasl for authentication of users

# apt-get install libsasl2-2 libsasl2-modules sasl2-bin

(enable the sasl daemon by setting START=yes in /etc/default/saslauthd. you may also want to reduce the number of threads by setting THREADS=3 for example)
or if you’re feeling brave:
# sed -i -e 's/START=no/START=yes/' -e 's/THREADS=5/THREADS=3/' /etc/default/saslauthd
setup /etc/postfix/sasl/smtpd.conf
# echo -e "pwcheck_method: saslauthd\nmech_list: plain login cram-md5 digest-md5" > /etc/postfix/sasl/smtpd.conf
restart SASL
# /etc/init.d/saslauthd restart

  2.d: setting up SSL certificates (optional)

In this section we'll see how to create SSL certificate files in order for our server to support secure communications. Note that this is optional, and you will not need to purchase a commercial certificate or anything (unless you want to). I'm going to show you how to generate the certificate files required by Postfix and Dovecot. First, run the following command, replacing by your own domain obviously:
openssl req -new -x509 -days 3650 -nodes -out "" -keyout ""
Some questions will be asked regarding the information you want to appear in the certificate, feel free to answer them any way you want to. You'll now have two files: "" and ""; we need to concatenate those two files into a third file, by running the following command:
cat >
These files will be required at different stages of the configuration. Right now, you need to move these files to the following folder: /etc/ssl/private/

3.) Create system user For handling incoming mails and has access to the mailboxes only.

– create group used for virtual mailboxes
# groupadd vmail -g 2222
– create user used for virtual mailboxes
# useradd vmail -r -g 2222 -u 2222 -d /var/vmail -m -c "mail user"

4.) Prepare SSL certificate for using SSL transport

– copy/move your ssl to some directory for example /etc/sample-ssl/
# mkdir /etc/sample-ssl
# rsync -Waq /path/to/certs/ /etc/sample-ssl/

5.) Postfix configuration

– before doing anything else make sure you have backup of original configuration file
# cp /etc/postfix/{,.orig}

5.a) setup main postfix configuration file (/etc/postfix/

– make sure you change ‘’ with your domainname and also set the ssl paths appropriately
# nano /etc/postfix/
# ---------------- Start ------------------
mydestination = localhost
mynetworks =
inet_interfaces = all
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_banner=$myhostname ESMTP $mail_name
append_dot_mydomain = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

5.b) create /etc/postfix/vmail_domains containing the domains for which postfix will accept emails

– the format is 2 columns. domain left, status right. if there is nothing on the right side, the domain is disabled.
# nano /etc/postfix/vmail_domains      OK     OK

5.c) create /etc/postfix/vmail_mailbox containing the accepted mailboxes

# nano /etc/postfix/vmail_mailbox

5.d) create /etc/postfix/vmail_aliases containing the virtual aliases

# nano /etc/postfix/vmail_aliases

hash the configuration files

# postmap /etc/postfix/vmail_domains
# postmap /etc/postfix/vmail_mailbox
# postmap /etc/postfix/vmail_aliases

6.) Dovecot configuration

– before doing anything else make sure you have backup of original configuration file
# cp /etc/dovecot/dovecot.conf{,.orig}
 – create main dovecot configuration file
# nano /etc/dovecot/dovecot.conf
protocols = imap imaps pop3 pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_verbose = yes
mail_location = maildir:/var/vmail/%d/%n/Maildir
ssl_cert_file = /etc/sample-ssl/sample-chained.crt
ssl_key_file = /etc/sample-ssl/sample.key
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address =
  mail_plugins = sieve
  log_path =
auth default {
    mechanisms = plain login
    passdb passwd-file {
        args = scheme=SHA1 /etc/dovecot/users.conf
    userdb static {
        #args = /etc/dovecot/users.conf
        args = uid=2222 gid=2222 home=/var/vmail/%d/%n allow_all_users=yes
    socket listen {
        master {
            path = /var/run/dovecot/auth-master
            mode = 0600
            user = vmail
            group = vmail
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix

make sure you set the configuration to match your paths and needs

– create our user’s file:
# touch /etc/dovecot/users.conf

– next, use the following command in order to generate password hash for a particular user:
# doveadm pw -s SHA1 -u
(Optional more secure)
# doveadm pw -s ssha256 -u
(generated password add to users.conf without the {SHA1} part, for example:)
# cat /etc/dovecot/users.conf{SHA1}7mh/MbZGZf7pc2pV6To7WuHJY8E=
#Use more secure{SSHA256}lxpRnZZDuWki5y/rDDHCcVdvY3RpCO/mSvylt5GR1a08/JZd 

7.) Setting up permissions and completing installation

# chgrp vmail /etc/dovecot/dovecot.conf
# chmod g+r /etc/dovecot/dovecot.conf
# chown root:root /etc/dovecot/users.conf
# chmod 644 /etc/dovecot/users.conf
– deliver incoming mails to dovecot
# nano /etc/postfix/

(append the following)
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

– while at it, you may also want to enable the submission port by uncommenting the following line:
submission inet n       -       -       -       -       smtpd

– reload the services
# /etc/init.d/dovecot restart
# /etc/init.d/postfix restart

Update: 10/7/2017
Use on Debian 9 and Fedora 26 UPDATE and correct errors version 2 dovecot command!!!

Original Author: OLD post!


Entradas más populares de este blog

BBS - Boletin Board Sistem