How to set up a simple yet powerful mail server using Postfix, Dovecot and SASL on Debian 9 or Fedora 26
This article walks through installing and configuring a simple POP3/IMAP/SMTP mail server on Debian 9 using Postfix, Dovecot (v2) and SASL.
What is Postfix? It is a drop in replacement for the old and mature Sendmail. Postfix also attempts to be very fast, easy to administer, and secure.
What is Dovecot? It is an open source IMAP and POP3 server for *NIX-like systems, written primarily with security in mind.
What is SASL? SASL, the Simple Authentication and Security Layer, is a generic mechanism for protocols to accomplish authentication.
1.) Pre-Requirements
– You may want to check that your hostname/domain name is a valid FQDN (fully qualified domain name) and that it has a valid MX DNS record.
# dig +short MX mydomain.com
10 mydomain.com.
OK, the hostname ‘mydomain.com’ has an MX record, and:
# dig +short A $(dig +short MX mydomain.com | head -1 | cut -d' ' -f2)
12.34.56.78
the MX record resolves back to our Debian server’s IP (12.34.56.78).
2.) Update the system and install the required packages
– Before we proceed any further we need to make sure we have a fully up-to-date system.
# apt-get update
# apt-get upgrade
# apt-get dist-upgrade
2.a) Install postfix
# apt-get install postfix
(when prompted, choose ‘Internet Site’ and then set ‘mydomain.com’ as the system mail name.)
2.b) Install dovecot
# apt-get install dovecot-common dovecot-imapd dovecot-pop3d
2.c) Install sasl for authentication of users
# apt-get install libsasl2-2 libsasl2-modules sasl2-bin
(Enable the SASL daemon by setting START=yes in /etc/default/saslauthd. You may also want to reduce the number of threads, for example by setting THREADS=3.)
Or, if you’re feeling brave:
# sed -i -e 's/START=no/START=yes/' -e 's/THREADS=5/THREADS=3/' /etc/default/saslauthd
Set up /etc/postfix/sasl/smtpd.conf:
# echo -e "pwcheck_method: saslauthd\nmech_list: plain login cram-md5 digest-md5" > /etc/postfix/sasl/smtpd.conf
Restart SASL:
# /etc/init.d/saslauthd restart
2.d) Setting up SSL certificates (optional)
In this section we'll see how to create SSL certificate files so that our server supports secure communications. Note that this is optional, and you will not need to purchase a commercial certificate (unless you want to). I'm going to show you how to generate the certificate files required by Postfix and Dovecot. First, run the following command, replacing example.com with your own domain:
openssl req -new -x509 -days 3650 -nodes -out "example.com.cert" -keyout "example.com.key"
Some questions will be asked regarding the information you want to appear in the certificate; feel free to answer them any way you want to. The -nodes option writes the private key unencrypted, so keep the .key and .pem files readable only by the accounts that need them.
You'll now have two files, "example.com.cert" and "example.com.key". We need to concatenate those two files into a third file by running the following command:
cat example.com.cert example.com.key > example.com.pem
These files will be required at different stages of the configuration. Right now, you need to move these files to the following folder: /etc/ssl/private/
3.) Create a system user that handles incoming mail and has access to the mailboxes only
– create the group used for virtual mailboxes
# groupadd vmail -g 2222
– create the user used for virtual mailboxes
# useradd vmail -r -g 2222 -u 2222 -d /var/vmail -m -c "mail user"
4.) Prepare the SSL certificate for SSL transport
– copy/move your SSL files to some directory, for example /etc/sample-ssl/
# mkdir /etc/sample-ssl
# rsync -Waq /path/to/certs/ /etc/sample-ssl/
5.) Postfix configuration
– before doing anything else make sure you have a backup of the original configuration file
# cp /etc/postfix/main.cf{,.orig}
5.a) Set up the main postfix configuration file (/etc/postfix/main.cf)
– make sure you replace ‘mydomain.com’ with your domain name and also set the SSL paths appropriately
# nano /etc/postfix/main.cf
# ---------------- Start ------------------
myhostname=mydomain.com
mydomain=mydomain.com
myorigin=$mydomain
mydestination = localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
mailbox_size_limit = 0
recipient_delimiter = +
debug_peer_level=2
smtpd_banner=$myhostname ESMTP $mail_name
biff=no
relayhost=
show_user_unknown_table_name=no
append_dot_mydomain = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_mailbox_base=/var/vmail
virtual_mailbox_domains=hash:/etc/postfix/vmail_domains
virtual_mailbox_maps=hash:/etc/postfix/vmail_mailbox
virtual_alias_maps=hash:/etc/postfix/vmail_aliases
virtual_minimum_uid=100
virtual_uid_maps=static:2222
virtual_gid_maps=static:2222
virtual_transport=dovecot
smtpd_tls_cert_file=/etc/sample-ssl/ssl.crt
smtpd_tls_key_file=/etc/sample-ssl/ssl.key
smtpd_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_use_tls=yes
smtpd_use_tls=yes
smtpd_tls_loglevel=1
smtpd_tls_received_header=yes
tls_random_source=dev:/dev/urandom
smtp_tls_note_starttls_offer=yes
smtpd_tls_session_cache_timeout=3600s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
queue_directory=/var/spool/postfix
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_tls_security_options=$smtpd_sasl_security_options
smtpd_sasl_local_domain=$myhostname
smtpd_sasl_application_name=smtpd
smtpd_helo_required=yes
smtpd_helo_restrictions=reject_invalid_helo_hostname
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
#----------------------------END----------------------------------------
5.b) create /etc/postfix/vmail_domains containing the domains for which postfix will accept emails
– the format is two columns: domain on the left, status on the right. If there is nothing on the right side, the domain is disabled.
# nano /etc/postfix/vmail_domains
mydomain.com OK
my-otherdomain.com OK
5.c) create /etc/postfix/vmail_mailbox containing the accepted mailboxes
# nano /etc/postfix/vmail_mailbox
info@mydomain.com mydomain.com/info
admin@mydomain.com mydomain.com/admin
webmaster@my-otherdomain.com my-otherdomain.com/webmaster
5.d) create /etc/postfix/vmail_aliases containing the virtual aliases
# nano /etc/postfix/vmail_aliases
info@mydomain.com info@mydomain.com
admin@mydomain.com admin@mydomain.com
webmaster@my-otherdomain.com admin@mydomain.com
– hash the configuration files
# postmap /etc/postfix/vmail_domains
# postmap /etc/postfix/vmail_mailbox
# postmap /etc/postfix/vmail_aliases
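A consistency check for the three map files from steps 5.b to 5.d, added here as an example (it is not part of the original post or of Postfix). It flags addresses whose domain is not enabled in vmail_domains and aliases that point at a local address with no mailbox; the function names are hypothetical, and the empty-status-means-disabled rule is taken from the text above.

```python
# The three map sources from steps 5.b-5.d, embedded as shown on the page.
VMAIL_DOMAINS = """mydomain.com OK
my-otherdomain.com OK
"""
VMAIL_MAILBOX = """info@mydomain.com mydomain.com/info
admin@mydomain.com mydomain.com/admin
webmaster@my-otherdomain.com my-otherdomain.com/webmaster
"""
VMAIL_ALIASES = """info@mydomain.com info@mydomain.com
admin@mydomain.com admin@mydomain.com
webmaster@my-otherdomain.com admin@mydomain.com
"""

def read_map(text):
    """Parse 'key<whitespace>value' lines; a key with no value maps to ''."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table

def domain_of(address):
    return address.rpartition("@")[2].lower()

def lint(domains_txt, mailbox_txt, aliases_txt):
    """Return a list of problems that would make mail bounce or be refused."""
    enabled = {d for d, status in read_map(domains_txt).items() if status}
    mailboxes = read_map(mailbox_txt)
    aliases = read_map(aliases_txt)
    problems = []
    for addr in sorted(set(mailboxes) | set(aliases)):
        if domain_of(addr) not in enabled:
            problems.append("%s: domain not enabled in vmail_domains" % addr)
    for source, targets in aliases.items():
        for target in (t.strip().lower() for t in targets.split(",")):
            if domain_of(target) not in enabled:
                continue                      # forwarded to an outside domain
            chained = target in aliases and target != source
            if target not in mailboxes and not chained:
                problems.append("%s -> %s: no such mailbox" % (source, target))
    return problems

if __name__ == "__main__":
    print(lint(VMAIL_DOMAINS, VMAIL_MAILBOX, VMAIL_ALIASES) or "maps are consistent")
```

Run it against the real files before each postmap by passing their contents to lint().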
6.) Dovecot configuration
– before doing anything else make sure you have a backup of the original configuration file
# cp /etc/dovecot/dovecot.conf{,.orig}
– create the main dovecot configuration file
# nano /etc/dovecot/dovecot.conf
#-------------------------------------------------------------------
protocols = imap imaps pop3 pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "
first_valid_uid=2222
last_valid_uid=2222
first_valid_gid=2222
last_valid_gid=2222
mail_privileged_group = vmail
disable_plaintext_auth=yes
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_verbose = yes
mail_location = maildir:/var/vmail/%d/%n/Maildir
ssl_cert_file = /etc/sample-ssl/sample-chained.crt
ssl_key_file = /etc/sample-ssl/sample.key
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@yourdomain.com
  mail_plugins = sieve
  log_path =
}
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = scheme=SHA1 /etc/dovecot/users.conf
  }
  userdb static {
    #args = /etc/dovecot/users.conf
    args = uid=2222 gid=2222 home=/var/vmail/%d/%n allow_all_users=yes
  }
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
      group = vmail
    }
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
#-----------------------------------------------------------------------------------------------------
Make sure you set the configuration to match your paths and needs.
– create our user’s file:
# touch /etc/dovecot/users.conf
– next, use the following command in order to generate password hash for a particular user:
# doveadm pw -s SHA1 -u user@mydomain.com
(Optional, more secure:)
# doveadm pw -s ssha256 -u user@mydomain.com
(add the generated hash to users.conf. Because the passdb sets scheme=SHA1, the {SHA1} prefix can be left out; a hash in any other scheme, such as {SSHA256}, must keep its prefix. For example:)
# cat /etc/dovecot/users.conf
user@mydomain.com:{SHA1}7mh/MbZGZf7pc2pV6To7WuHJY8E=
# more secure:
user@mydomain.com:{SSHA256}lxpRnZZDuWki5y/rDDHCcVdvY3RpCO/mSvylt5GR1a08/JZd
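What the two schemes store, as an added example that is not part of the original post or of Dovecot: it parses the users.conf lines shown above, rebuilds and verifies such hashes, and shows that {SHA1} carries no salt while {SSHA256} appends one to the digest. The function names are hypothetical; it assumes base64 encoding and a 4-byte salt for new SSHA256 entries, which matches the length of the sample hash above.

```python
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib name, digest length in bytes)
SCHEMES = {"SHA1": ("sha1", 20), "SSHA256": ("sha256", 32)}

# The two sample lines shown in users.conf above.
PAGE_ENTRIES = [
    "user@mydomain.com:{SHA1}7mh/MbZGZf7pc2pV6To7WuHJY8E=",
    "user@mydomain.com:{SSHA256}lxpRnZZDuWki5y/rDDHCcVdvY3RpCO/mSvylt5GR1a08/JZd",
]

def parse_entry(line, default_scheme="SHA1"):
    """Return (user, scheme, digest, salt) for one passwd-file line."""
    user, _, field = line.strip().partition(":")
    field = field.split(":", 1)[0]          # drop optional uid/gid/home fields
    scheme = default_scheme                 # used when there is no {SCHEME} prefix
    if field.startswith("{"):
        scheme, _, field = field[1:].partition("}")
    scheme = scheme.upper()
    raw = base64.b64decode(field)
    size = SCHEMES[scheme][1]
    return user, scheme, raw[:size], raw[size:]   # salt is b"" for SHA1

def make_entry(user, password, scheme="SSHA256", salt=None):
    """Build a line; SSHA256 appends the salt to the digest before base64."""
    if scheme == "SHA1":
        salt = b""
    elif salt is None:
        salt = os.urandom(4)
    digest = hashlib.new(SCHEMES[scheme][0], password.encode() + salt).digest()
    blob = base64.b64encode(digest + salt).decode()
    return "%s:{%s}%s" % (user, scheme, blob)

def verify(line, password, default_scheme="SHA1"):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, scheme, digest, salt = parse_entry(line, default_scheme)
    again = hashlib.new(SCHEMES[scheme][0], password.encode() + salt).digest()
    return hmac.compare_digest(again, digest)

if __name__ == "__main__":
    for entry in PAGE_ENTRIES:
        user, scheme, digest, salt = parse_entry(entry)
        print(user, scheme, "digest bytes:", len(digest), "salt bytes:", len(salt))
    # Constructed password: the SHA1 hash is identical for every user who picks it.
    print(make_entry("a@mydomain.com", "s3cret", "SHA1"))
    print(make_entry("b@mydomain.com", "s3cret", "SHA1"))
```

Two users with the same password get identical {SHA1} hashes, so a single precomputed table covers every account in the file; the per-entry salt in {SSHA256} removes that shortcut.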
7.) Setting up permissions and completing installation
# chgrp vmail /etc/dovecot/dovecot.conf
# chmod g+r /etc/dovecot/dovecot.conf
# chown root:root /etc/dovecot/users.conf
# chmod 644 /etc/dovecot/users.conf
– deliver incoming mails to dovecot
# nano /etc/postfix/master.cf
(append the following)
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
– while at it, you may also want to enable the submission port by uncommenting the following line:
submission inet n - - - - smtpd
– reload the services
# /etc/init.d/dovecot restart
# /etc/init.d/postfix restart
Update: 10/7/2017
Updated for use on Debian 9 and Fedora 26, with corrections to the Dovecot version 2 command.
Original author (old posts):
https://www.rosehosting.com/blog/how-to-setup-simple-but-yet-powerful-mail-server-using-postfix-dovecot-and-sasl-in-debian-6-squeeze/
http://cnedelcu.blogspot.com/2014/01/how-to-set-up-simple-mail-server-debian-linux.html