
Mail server setup on Debian

Written on 05/09/2014

This tutorial was written with the following versions:

  • Debian 6.2 (Kernel 2.6.32-5)
  • Postfix is the actual mail daemon that accepts the mail and saves it in the user's mailbox.
  • Dovecot 1.2.15 is the POP3/IMAP server that allows users to download their email to their PC.
  • saslauthd 2.1.23 (Simple Authentication and Security Layer) will manage the passwords.
  • procmail is a mail delivery agent (MDA) capable of sorting incoming mail into various directories and filtering out spam messages.
  • SpamAssassin is a spam-filter (optional).

There is a new version written for postfix and Dovecot 2.2.13.



Install postfix:

apt-get install postfix

Setting up SSL certificates (optional)

Here are a few steps to create the SSL certificate files our server needs to support secure communications.
You can use a commercial certificate, but it is not needed.
This is how to set up your own free certificate:

openssl req -new -x509 -days 3650 -nodes -out "example.com.cert" -keyout "example.com.key"

Some questions will be asked regarding the information you want to appear in the certificate; feel free to answer them any way you want to. You'll now have two files: "example.com.cert" and "example.com.key". We need to concatenate those two files into a third file by running the following command:

cat example.com.cert example.com.key > example.com.pem

These files will be required at different stages of the configuration. Right now, you need to move these files to the following folder: /etc/ssl/private/

The configuration file of Postfix is /etc/postfix/main.cf
A lot of settings can be adapted; the most important ones are listed here.

# Your hostname and domain name here

# Virtual mailbox configuration (/var/email is the dir where you store the mails, need to be created)

# SSL configuration, make sure to use the certificates from step 2 (optional)
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Authentication settings, making use of SASL
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Now you also need to set up your virtual domains and the aliases for the mailboxes.

nano /etc/postfix/vmail_domains
List your domains with OK:

example.com     OK
example.net     OK

nano /etc/postfix/vmail_mailbox
List the users with the folder where the mails need to be put:
webmaster@example.com  example.com/webmaster
me@example.com		example.com/me
@example.com		example.com/webmaster
The last one is a catch-all. Mail sent to test@example.com or dontknow@example.com will be put in the webmaster account.

nano /etc/postfix/vmail_aliases
Here you can create aliases:
webmaster@example.com   webmaster@example.com
@example.com    webmaster@example.com

webmaster@example.net   webmaster@example.com
@example.net    webmaster@example.com
Now that you have updated your user database, it's time to apply the changes. Run the following commands for Postfix to acknowledge your newly created mailboxes:

postmap /etc/postfix/vmail_domains
postmap /etc/postfix/vmail_mailbox
postmap /etc/postfix/vmail_aliases
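
The lookup order behind these three files, as an added example (not part of the original guide): alias rewriting is applied before the mailbox lookup, and each lookup tries the full address before the @domain catch-all. It assumes the files are wired up as Postfix's virtual_mailbox_domains, virtual_mailbox_maps and virtual_alias_maps, and it ignores address extensions and multi-target aliases; the function names are illustrative.

```python
# Constructed inputs: the three map files as listed in this guide.
DOMAINS = "example.com OK\nexample.net OK\n"
MAILBOXES = """webmaster@example.com example.com/webmaster
me@example.com example.com/me
@example.com example.com/webmaster
"""
ALIASES = """webmaster@example.com webmaster@example.com
@example.com webmaster@example.com
webmaster@example.net webmaster@example.com
@example.net webmaster@example.com
"""


def parse_map(text):
    """Parse 'key value' lines; keys are folded to lower case."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip()
    return table


def lookup(table, address):
    """Try the full address first, then the @domain catch-all key."""
    domain = address.rpartition("@")[2]
    return table.get(address, table.get("@" + domain))


def resolve(rcpt, domains, mailboxes, aliases, max_hops=10):
    """Return the mailbox path for rcpt, or None if no mailbox accepts it."""
    address = rcpt.lower()
    for _ in range(max_hops):  # alias rewriting happens before delivery
        target = lookup(aliases, address)
        if target is None or target.lower() == address:
            break  # no alias, or an identity alias: stop rewriting
        address = target.lower()
    if address.rpartition("@")[2] not in domains:
        return None
    return lookup(mailboxes, address)


def shadowed_mailboxes(domains, mailboxes, aliases):
    """Explicit mailboxes whose mail ends up in a different mailbox."""
    return sorted(addr for addr, path in mailboxes.items()
                  if not addr.startswith("@")
                  and resolve(addr, domains, mailboxes, aliases) != path)
```

With the files as listed, shadowed_mailboxes reports me@example.com: the @example.com alias catch-all rewrites it to webmaster@example.com before the mailbox map is consulted, so each real mailbox needs its own identity alias to keep its mail separate.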



Dovecot allows users to fetch their email via a POP3 or IMAP account.

apt-get install dovecot-common dovecot-imapd dovecot-pop3d

Create a new user and group "mailman"

groupadd mailman -g 7788
useradd mailman -u 7788 -g 7788 -r -d /var/email -m -c "mail user"
The configuration file has a lot of options: /etc/dovecot/dovecot.conf

# Basic configuration
protocols = imap imaps pop3 pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "

# User and group permissions
mail_location = maildir:/var/email/%d/%n/Maildir
mail_privileged_group = email
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_verbose = yes

# SSL config
ssl_cert_file = /etc/ssl/private/example.com.cert
ssl_key_file = /etc/ssl/private/example.com.key

# LDA config
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@example.com
  mail_plugins = sieve
  log_path =
}

# Authentication configuration
auth default {
    mechanisms = plain login
    passdb passwd-file {
        args = scheme=SHA1 /etc/dovecot/users.conf
    }
    userdb static {
        #args = /etc/dovecot/users.conf
        args = uid=7788 gid=7788 home=/var/email/%d/%n allow_all_users=yes
    }
    socket listen {
        master {
            path = /var/run/dovecot/auth-master
            mode = 0600
            user = email
            group = email
        }
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
}

Next we need to create an empty users file, so create a blank file /etc/dovecot/users.conf. We will update it during the next step. To finish with this step, ensure that your configuration files have the proper permissions, by running the following commands:

chgrp mailman /etc/dovecot/dovecot.conf
chmod g+r /etc/dovecot/dovecot.conf
chown root:root /etc/dovecot/users.conf
chmod 600 /etc/dovecot/users.conf

Create the password:

dovecotpw -s SSHA256

It will produce a string that looks like this: qUqP5cyxm6ctTAYz05Hph5gvu9M=

Enter this string in /etc/dovecot/users.conf
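
How a salted SSHA256 entry of the kind dovecotpw -s SSHA256 produces is built and checked, as an added Python example (not part of the original guide, and not Dovecot's own code). The 4-byte salt length and the function names are assumptions of the example; the {SSHA256} prefix marks the scheme of the entry in the passwd-file.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA256}' + base64(SHA256(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # assumed salt size; any length verifies below
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(password: str, stored: str) -> bool:
    """Check a password against a stored '{SSHA256}...' value."""
    if not stored.startswith(PREFIX):
        return False  # entry uses another scheme
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:
        return False  # not valid base64
    if len(raw) <= DIGEST_LEN:
        return False  # too short to hold a digest plus a salt
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def passwd_file_line(user: str, password: str) -> str:
    """Build a 'user:{SSHA256}hash' line for a passwd-file such as users.conf."""
    return "%s:%s" % (user, make_ssha256(password))


def decoded_length(b64_value: str) -> int:
    """Number of raw bytes behind a base64 hash string."""
    return len(base64.b64decode(b64_value))
```

An SSHA256 value built this way decodes to 36 bytes (32-byte digest plus salt), while a 28-character string like the sample above decodes to 20 bytes, the size of an unsalted SHA-1 digest.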

A handy command to check the Dovecot configuration; it shows the configuration in short form:

dovecot -n

The same for Postfix:

postconf -n

Make sure that the user (mailman) has write access to the mail directory (/var/email).

Handy logs

tail /var/log/mail.err
tail /var/log/mail.info



SASL authentication daemon. SASL stands for Simple Authentication and Security Layer. It's the mechanism that will allow us to manage passwords in a simple way by storing them in a file (encrypted). There are other authentication layers such as MySQL and others.

apt-get install libsasl2-2 libsasl2-modules sasl2-bin



Procmail allows you to filter email as it is received from a remote email server, or placed in your spool file on a local or remote email server. It is powerful, gentle on system resources, and widely used. Procmail, commonly referred to as a Local Delivery Agent (LDA), plays a small role in delivering email to be read by an MUA.

The command to install is:

apt-get install procmail

First we configure procmail as an available transport type in Postfix's /etc/postfix/master.cf. Add this to the file:

procmail  unix  -       n       n       -       -       pipe
 -o flags=RO user=mailman argv=/usr/bin/procmail -t -m USER=${user} NEXTHOP=${nexthop} EXTENSION=${extension} /etc/postfix/procmailrc.common
The default transport type for virtual users will be set to be "procmail" in /etc/postfix/main.cf.
Change the value of virtual_transport

With the above configuration, procmail runs the script at /etc/postfix/procmailrc.common for all virtual users.

#general logfile

#get external procmail files; for each user :-)

#use dovecot to deliver
:0 w
The trailing slash at DEFAULT is important: it decides whether maildir format or mbox format (all in one file) is used.
Make sure that the .procmail-file can be read by the user.



SpamAssassin is the application that filters spam out of the mail based on rules.

The command to install:

apt-get install spamc spamassassin

By default SpamAssassin runs as the ‘root’ user, which is not as secure as it can be. To make it more secure, we run it under a different, unprivileged user and group.

groupadd -g 5555 spamd
useradd -u 5555 -g spamd -s /sbin/nologin -d /usr/local/spamassassin spamd
mkdir -p /usr/local/spamassassin/log
chown spamd:spamd -R /usr/local/spamassassin

Edit the ‘/etc/default/spamassassin’ configuration file and make it look like the one below:

# /etc/default/spamassassin

# WARNING: please read README.spamd before using.
# There may be security risks.

# Change to one to enable spamd

# Options
# See man spamd for possible options. The -d option is automatically added.

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 5 --helper-home-dir ${SPAM_HOME} --username spamd -s ${SPAM_HOME}/log/spamd.log"

# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis

The next thing we need to do is configure SpamAssassin. You do this by editing ‘/etc/spamassassin/local.cf’ and changing or adding the following:

rewrite_header Subject *****SPAM*****
required_score 3.0
report_safe 0
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 0
use_dcc 0
use_pyzor 0

We disable the Razor2, DCC and Pyzor network checks; skip_rbl_checks 0 leaves the RBL lookups enabled. Network checks catch more spam, but they are also a big performance hit.

Now we still need to configure Postfix to use SpamAssassin, edit /etc/postfix/master.cf and change the following:

smtp 	inet  n 	-	-	-	- 	smtpd -o content_filter=spamassassin
and add the following to the end of the file:

spamassassin	unix	-	n	n	-	-	pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Finally, restart the services:

/etc/init.d/spamassassin restart
/etc/init.d/postfix restart