How to set up a working mail server where Postfix is the SMTP service and Dovecot provides the IMAP and POP3 services. We will configure the mail server to accept secure connections only (SMTPS, IMAPS, POP3S). The configuration has been tested and is based on our own experience, so the result is a fully functional and operational mail server.
Before we set up the mail server, the following DNS records are the most important for getting mail delivered: without them, email originating from your server is likely to land in the Junk folder at the major free email providers.
1. An MX record pointing at your mail server
2. An SPF record (see openspf.org)
3. A reverse DNS (PTR) record for your mail server's IP address
NOTE: If you are using a firewall, don't forget to add exceptions for the appropriate ports.
POSTFIX
Postfix is a free, open source mail transfer agent (MTA), a program that routes and delivers email. It is intended as a fast, easy-to-administer and secure alternative to the widely used Sendmail MTA, which CentOS installs by default.
So first we remove the Sendmail MTA:
# yum remove sendmail
Install Postfix
# yum install postfix -y
We also have to set up SASL so that Postfix can authenticate users who want to send email to destinations outside the permitted network. We don't want our mail server to be an open relay, so unauthenticated clients are restricted to delivering mail to local users only. Without SASL authentication, Postfix answers "Relay access denied" when you try to send mail to an outside domain.
Installation Of Required Packages for SMTP AUTH
# yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain -y
Postfix configuration files are stored in /etc/postfix. The two main configuration files are master.cf and main.cf. First we make the following additions or changes to main.cf:
# vim /etc/postfix/main.cf
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
home_mailbox = Maildir/
mailbox_command =
mynetworks = 127.0.0.0/8
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
relay_domains =
local_recipient_maps =
NOTE: If you enable inet_interfaces = all, make sure it is the only uncommented inet_interfaces line; a common mistake is to leave the default inet_interfaces = localhost line active as well!
Next we configure SMTP-AUTH.
For this, edit /etc/postfix/main.cf and make the changes given below:
# vim /etc/postfix/main.cf
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
Then edit /etc/postfix/master.cf and paste this below the smtp service entry. The -o lines must be indented, otherwise master.cf treats them as new service definitions, and smtpd_tls_wrappermode=yes makes the service speak TLS from the first byte, which is what SMTPS on port 465 means:
# vim /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o broken_sasl_auth_clients=yes
We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. On 64-bit CentOS you must edit /usr/lib64/sasl2/smtpd.conf instead. It should look like this:
pwcheck_method: saslauthd
mech_list: plain login
Afterwards we create the certificates for TLS:
# mkdir /etc/postfix/ssl
# cd /etc/postfix/ssl/
# openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 2048
# chmod 600 smtpd.key
# openssl req -new -key smtpd.key -out smtpd.csr
# openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
# openssl rsa -in smtpd.key -out smtpd.key.unencrypted
# mv -f smtpd.key.unencrypted smtpd.key
# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Next we configure Postfix for TLS.
The following lines should be added, edited or uncommented in main.cf:
# vim /etc/postfix/main.cf
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Start saslauthd and enable it at boot:
# service saslauthd start
# chkconfig saslauthd on
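As an added example (not part of the original tutorial), a small Python audit of the security-relevant main.cf settings above: it parses the file's key = value syntax, including continuation lines, and flags settings that would turn the server into an open relay or expose passwords. The embedded sample is constructed from the values shown in this tutorial, and its one finding is the tutorial's own smtpd_tls_auth_only = no.

```python
import re

# Constructed sample: the main.cf settings from the tutorial above, merged into one file.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_use_tls = yes
"""

def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', '#' comments, whitespace-led continuation lines."""
    conf, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            conf[key] = conf[key] + " " + raw.strip()   # continuation of the previous key
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            conf[key] = m.group(2).strip()
    return conf

def audit(conf):
    """Return (code, message) findings for the relay, SASL and TLS settings."""
    words = lambda name: [t for t in re.split(r"[,\s]+", conf.get(name, "")) if t]
    findings = []
    if not {"reject_unauth_destination", "reject"} & set(words("smtpd_recipient_restrictions")):
        findings.append(("open-relay", "smtpd_recipient_restrictions never rejects unauthorized relaying"))
    if any(net.endswith("/0") for net in words("mynetworks")):
        findings.append(("mynetworks", "mynetworks trusts every address, so permit_mynetworks relays for anyone"))
    if conf.get("smtpd_use_tls") != "yes" and conf.get("smtpd_tls_security_level", "none") == "none":
        findings.append(("no-tls", "STARTTLS is not offered to clients"))
    opts = words("smtpd_sasl_security_options")
    if "noanonymous" not in opts:
        findings.append(("anon-auth", "anonymous SASL mechanisms are allowed"))
    # smtpd_tls_auth_only = no (the tutorial's value) advertises AUTH before STARTTLS,
    # so a client may send its PLAIN/LOGIN password in the clear on port 25.
    if (conf.get("smtpd_sasl_auth_enable") == "yes" and conf.get("smtpd_tls_auth_only") != "yes"
            and "noplaintext" not in opts):
        findings.append(("plaintext-auth", "set smtpd_tls_auth_only = yes so AUTH is only offered inside TLS"))
    return findings
```

Run audit(parse_main_cf(open("/etc/postfix/main.cf").read())) against the live file; an empty list means the checked settings are sane.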
DOVECOT
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind.
Install Dovecot (POP3S/IMAPS Server)
# yum install dovecot -y
Open the Dovecot config file /etc/dovecot/dovecot.conf and make the following changes; you may need to comment or uncomment certain lines. We intend to allow secure connections only, so plaintext IMAP and POP3 logins are disabled in the auth settings below; if you want to allow them, configure Dovecot accordingly.
# vim /etc/dovecot/dovecot.conf
Uncomment the following line:
## Line 20 - uncomment ##
protocols = imap pop3 lmtp
Edit the file /etc/dovecot/conf.d/10-mail.conf:
# vim /etc/dovecot/conf.d/10-mail.conf
Make the changes as shown below:
## Line 24 - uncomment ##
mail_location = maildir:~/Maildir
Edit /etc/dovecot/conf.d/10-auth.conf
# vim /etc/dovecot/conf.d/10-auth.conf
And make the changes as shown below:
## Line 9 - uncomment ##
disable_plaintext_auth = yes
## Line 97 - add "login" ##
auth_mechanisms = plain login
Edit the file /etc/dovecot/conf.d/10-master.conf:
# vim /etc/dovecot/conf.d/10-master.conf
Make the changes as shown below:
## Lines 83, 84 - uncomment and set to "postfix" ##
#mode = 0600
user = postfix
group = postfix
Start Dovecot service:
# service dovecot start
# chkconfig dovecot on
CREATE LOCAL USERS/MAILDIR
1. Create a local user with adduser:
# adduser milon
2. Set the password for 'milon':
# passwd milon
Enable both services at boot:
# chkconfig postfix on
# chkconfig dovecot on
Or run ntsysv for a menu-driven tool.
To start them now, run:
# /etc/init.d/postfix start
# /etc/init.d/dovecot start
Test:
1. Check that the mail server is listening on the appropriate ports (SMTP: 25, SMTPS: 465, IMAPS: 993, POP3S: 995):
# netstat -ntpl
To see whether SMTP-AUTH and TLS work properly, run the following command (you can also telnet to the other ports to check whether TLS and AUTH are working there):
# telnet localhost 25
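As an added example (not from the original post), the telnet test above done from Python with smtplib: it records the EHLO features before and after STARTTLS, trusts only the smtpd.crt created above (the path is an assumption), and reports if AUTH is advertised on the unencrypted connection.

```python
import smtplib
import ssl

# Postfix serves smtpd.crt, which was self-signed with its own key above, so that
# certificate itself is the trust anchor (cacert.pem did not sign it). Assumed path.
SERVER_CERT = "/etc/postfix/ssl/smtpd.crt"

def classify(features_plain, features_tls):
    """Judge two EHLO feature dicts (smtplib's esmtp_features, lowercase keys) captured
    before and after STARTTLS. Returns a list of problems; an empty list is good."""
    problems = []
    if "starttls" not in features_plain:
        problems.append("STARTTLS not offered: sessions on port 25 cannot be encrypted")
    if "auth" in features_plain:
        problems.append("AUTH offered before STARTTLS: PLAIN/LOGIN passwords may cross the wire "
                        "in clear text (set smtpd_tls_auth_only = yes)")
    if features_tls is not None and "auth" not in features_tls:
        problems.append("AUTH not offered inside TLS: check saslauthd and smtpd_sasl_auth_enable")
    return problems

def check_smtp(host="localhost", port=25, cert=SERVER_CERT):
    """Connect, EHLO, STARTTLS trusting only our own certificate, then EHLO again."""
    ctx = ssl.create_default_context(cafile=cert)
    ctx.check_hostname = False   # the CSR's CN is whatever was typed; verify the cert, not the name
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        plain = dict(smtp.esmtp_features)
        tls = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)   # ssl.SSLError here means the served cert is not smtpd.crt
            smtp.ehlo()
            tls = dict(smtp.esmtp_features)
    return classify(plain, tls)

if __name__ == "__main__":
    for problem in check_smtp():
        print("WARNING:", problem)
```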
To test further, set up an account in Evolution / Thunderbird / Outlook and test the SMTP with the username and password you set up earlier.
Remember that because you are using a self-signed certificate, your email client will warn you about an untrusted certificate; to suppress the warning, import the server certificate you created above (smtpd.crt, which is self-signed with its own key; cacert.pem did not sign it) into the client's trust store.
NOTE: If you encounter any problems, check the log file at /var/log/maillog.
FINAL NOTE:
Postfix is an extremely powerful and versatile mail transport agent. In this tutorial we have seen how to implement an email server using Postfix and Dovecot for a single domain, based on system user accounts.
Thanks Jashim Bhai for your tutorial. It is working fine.
Thanks Jashim Bhai, it's really helpful, especially for authentication. Great job, man.
Here are two things I'm going to fix, which may benefit others in the future. I tested this configuration on CentOS 7.
# vim /etc/dovecot/conf.d/10-ssl.conf
And make the changes as shown below:
#ssl = required
ssl = yes
# vim /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
  -o broken_sasl_auth_clients=yes