
Mail server setup on Debian

Written on 28/03/2016

This tutorial is written with the following versions:

  • Debian 8 (jessie) (Kernel 3.16.0-4)
  • Postfix is the mail daemon (MTA) that accepts mail and delivers it to the users' mailboxes.
  • Dovecot 2.2.13 is the POP3/IMAP server that lets users fetch their email to their PC.
  • saslauthd 2.1.26 (Simple Authentication and Security Layer) will manage the passwords.
  • procmail is a mail delivery agent (MDA) capable of sorting incoming mail into various directories and filtering out spam messages.
  • SpamAssassin 3.4.0 is a spam filter (optional).


Postfix

Install postfix:

apt-get install postfix

Setting up SSL certificates (optional)

Here are a few steps to create SSL certificate files so that our server supports secure communications.
You can use a commercial certificate, but it is not needed.
This is how to set up your own free (self-signed) certificate:

openssl req -new -x509 -days 3650 -nodes -out "example.com.cert" -keyout "example.com.key"

Some questions will be asked regarding the information you want to appear in the certificate; feel free to answer them any way you want to, but use the host name that mail clients will connect to as the Common Name, otherwise clients will warn about a name mismatch. You'll now have two files: "example.com.cert" and "example.com.key". We need to concatenate those two files into a third file, by running the following command:

cat example.com.cert example.com.key > example.com.pem

These files will be required at different stages of the configuration. Right now, move them to the following folder: /etc/ssl/private/ and keep the .key and .pem files readable by root only, since -nodes leaves the private key unencrypted.

The configuration file of Postfix is /etc/postfix/main.cf.
A lot of settings can be adapted; the most important ones are listed here.


# Your hostname and domain name here
myhostname=example.com
mydomain=example.com
myorigin=$mydomain

# Virtual mailbox configuration (/var/email is the directory where the mails are stored; it needs to be created)
virtual_mailbox_base=/var/email
virtual_mailbox_domains=hash:/etc/postfix/vmail_domains
virtual_mailbox_maps=hash:/etc/postfix/vmail_mailbox
virtual_alias_maps=hash:/etc/postfix/vmail_aliases
virtual_minimum_uid=100
virtual_uid_maps=static:7788
virtual_gid_maps=static:7788
# Deliver over the LMTP socket that Dovecot's 10-master.conf (below) creates;
# a bare "dovecot" transport name would need its own master.cf entry.
virtual_transport=lmtp:unix:private/dovecot-lmtp

# SSL configuration, make sure to use the certificate files created in the step above (optional)
smtpd_tls_cert_file=/etc/ssl/private/example.com.cert
smtpd_tls_key_file=/etc/ssl/private/example.com.key
smtpd_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_use_tls=yes
smtpd_use_tls=yes
smtpd_tls_loglevel=1
smtpd_tls_received_header=yes
tls_random_source=dev:/dev/urandom
smtp_tls_note_starttls_offer=yes
smtpd_tls_session_cache_timeout=3600s
smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database=btree:${data_directory}/smtp_scache
queue_directory=/var/spool/postfix

# Authentication settings, making use of SASL (Postfix asks Dovecot over its auth socket)
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_tls_security_options=$smtpd_sasl_security_options
smtpd_sasl_local_domain=$myhostname
smtpd_sasl_application_name=smtpd
smtpd_helo_required=yes
smtpd_helo_restrictions=reject_invalid_helo_hostname
# Accept mail for our own domains from anyone, relay only for our networks and authenticated users
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Now you also need to set up your virtual domains and aliases for the mailboxes.

nano /etc/postfix/vmail_domains

List your domains, each followed by OK:

example.com     OK
example.net     OK

nano /etc/postfix/vmail_mailbox

List the users with the folder where their mail is stored:

webmaster@example.com   example.com/webmaster
me@example.com          example.com/me
@example.com            example.com/webmaster

The last one is a catch-all: mail sent to test@example.com or dontknow@example.com ends up in the webmaster account. Keep in mind that a catch-all makes the server accept mail for every possible address in the domain, so dictionary spam lands in that mailbox too.


nano /etc/postfix/vmail_aliases

Here you can create aliases:

# Real mailboxes map to themselves: aliases are resolved before the mailbox lookup,
# so without these lines the @example.com catch-all alias would redirect their mail too.
webmaster@example.com   webmaster@example.com
me@example.com          me@example.com
@example.com            webmaster@example.com

webmaster@example.net   webmaster@example.com
@example.net            webmaster@example.com
Now that you have updated your user database, it's time to apply the changes. Run the following commands for Postfix to acknowledge your newly created mailboxes:

postmap /etc/postfix/vmail_domains
postmap /etc/postfix/vmail_mailbox
postmap /etc/postfix/vmail_aliases
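To see where an address ends up before running postmap, here is an added example (not part of the original guide) that simulates the lookup order Postfix applies to these three tables: an alias lookup of the full address, then the @domain wildcard, repeated until the address stops changing, and only then the mailbox lookup. The sample tables are constructed here to mirror the guide's entries; the identity aliases for webmaster@ and me@ are what keep those accounts out of the catch-all.

```python
# Constructed sample tables mirroring this guide's vmail_* files.
VMAIL_DOMAINS = """
example.com     OK
example.net     OK
"""
VMAIL_MAILBOX = """
webmaster@example.com  example.com/webmaster
me@example.com         example.com/me
@example.com           example.com/webmaster
"""
VMAIL_ALIASES = """
webmaster@example.com   webmaster@example.com
me@example.com          me@example.com
@example.com            webmaster@example.com
webmaster@example.net   webmaster@example.com
@example.net            webmaster@example.com
"""

def parse_table(text):
    """Parse 'key value' lines as postmap does; blank and '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key] = value
    return table

DOMAINS = parse_table(VMAIL_DOMAINS)
MAILBOX = parse_table(VMAIL_MAILBOX)
ALIASES = parse_table(VMAIL_ALIASES)

def lookup(table, address):
    """virtual(5) order: the full address first, then the @domain wildcard."""
    if address in table:
        return table[address]
    return table.get("@" + address.partition("@")[2])

def resolve(address, max_hops=10):
    """Return the mailbox directory an address is delivered to, or None if rejected."""
    if DOMAINS.get(address.partition("@")[2]) != "OK":
        return None                      # not one of our virtual domains
    for _ in range(max_hops):            # aliases are rewritten before delivery
        target = lookup(ALIASES, address)
        if target is None or target == address:
            break                        # no alias, or an identity alias: stop
        address = target
    return lookup(MAILBOX, address)
```

Remove the me@example.com identity line from the sample and resolve("me@example.com") changes to example.com/webmaster, which is exactly the surprise the real tables would produce.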


Dovecot

Dovecot allows users to fetch their email over POP3 or IMAP.

apt-get install dovecot-common dovecot-imapd dovecot-pop3d

Create a new user and group "mailman" (uid/gid 7788, matching virtual_uid_maps and virtual_gid_maps in main.cf).


groupadd mailman -g 7788
useradd mailman -u 7788 -g 7788 -r -d /var/email -m -c "mail user"

The configuration is split over several files in /etc/dovecot/conf.d/, which are included from the main config file /etc/dovecot/dovecot.conf.

In /etc/dovecot/dovecot.conf, uncomment or add the following lines:


!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap pop3 lmtp
!include conf.d/*.conf
!include_try local.conf

In /etc/dovecot/conf.d/10-auth.conf we set what type of authentication we will use (PLAIN is only offered once TLS is active, because plaintext authentication is disabled):


disable_plaintext_auth = yes
auth_mechanisms = plain
!include auth-passwdfile.conf.ext

In /etc/dovecot/conf.d/auth-passwdfile.conf.ext we set what type of password file we will use (the same /etc/dovecot/users.conf that is created further below):

passdb {
  driver = passwd-file
  # scheme= is only the default for entries without a {SCHEME} prefix
  args = scheme=SHA username_format=%u /etc/dovecot/users.conf
}

userdb {
  driver = static
  args = uid=7788 gid=7788 home=/var/email/%d/%n allow_all_users=yes
}

In /etc/dovecot/conf.d/10-mail.conf we set the mailboxes, where the mails are saved:

mail_location = maildir:/var/email/%d/%n
namespace inbox {
  inbox = yes
}
# the mailman user needs write access on /var/email/
mail_privileged_group = mailman
mbox_write_locks = fcntl

In /etc/dovecot/conf.d/10-master.conf we set the protocols we want to use.
If you only want to use the SSL protocols, set the other ports to 0.


service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
   mode = 0600
   user = postfix
   group = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
   mode = 0600
   user = mailman
  }
  user = dovecot
}
service auth-worker {
  user = mailman
}
service dict {
  unix_listener dict {
  }
}

In /etc/dovecot/conf.d/10-ssl.conf, point Dovecot at the certificate and key created earlier (replace the paths with your own):

ssl = required
ssl_cert = </etc/ssl/private/example.com.cert
ssl_key = </etc/ssl/private/example.com.key

There are other things you can set in the config files, but these are the ones we need to get it working.

Next we need to create an empty users file, so create a blank file /etc/dovecot/users.conf. We will fill it in during the next step. To finish this step, ensure that your configuration files have the proper permissions by running the following commands:


chgrp mailman /etc/dovecot/dovecot.conf
chmod g+r /etc/dovecot/dovecot.conf
chown root:root /etc/dovecot/users.conf
chmod 600 /etc/dovecot/users.conf

Create the password hash with doveadm pw (dovecotpw is the Dovecot 1.x name of the same tool):

dovecotpw -s SSHA256

It will produce a string that looks like this: qUqP5cyxm6ctTAYz05Hph5gvu9M=

Or, with a stronger scheme:

doveadm pw -s SHA512-CRYPT -u webmaster@example.com

Add the result to /etc/dovecot/users.conf as user:hash; the scheme name in braces must match the -s option you used:

webmaster@example.com:{SSHA512}qUqP5cy.....TAYz05Hph5gvu9M=
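As an added example (not part of the original guide), the following code reads users.conf lines in the passwd-file format and verifies a password against a {SSHA256} entry the way Dovecot does: the stored value is base64(SHA256(password + salt) + salt), with the salt appended in clear. The sample users.conf is constructed in the block with a fixed salt so the result is reproducible; a real file uses the random salt doveadm pw generates.

```python
import base64
import hashlib
import hmac
import os

def ssha256_hash(password, salt=None):
    """Build a {SSHA256} string as doveadm pw -s SSHA256 does."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()

def verify_password(password, stored):
    """Check a password against a {SCHEME}... password field."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("entry has no {SCHEME} prefix")
    scheme, data = stored[1:].split("}", 1)
    if scheme not in ("SSHA256", "SHA256"):
        raise ValueError("scheme %s not handled by this checker" % scheme)
    raw = base64.b64decode(data)
    if scheme == "SSHA256":
        digest, salt = raw[:32], raw[32:]           # SHA256 digest is 32 bytes
        calc = hashlib.sha256(password.encode() + salt).digest()
    else:                                           # unsalted SHA256
        digest, calc = raw, hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(calc, digest)        # constant-time comparison

def parse_users_conf(text):
    """passwd-file format: user:password[:uid:gid:gecos:home:shell:extra]."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = fields[1]
    return users

# Constructed sample users.conf (fixed salt for the first entry, random for the second).
USERS_CONF = "\n".join([
    "# user:hash",
    "webmaster@example.com:" + ssha256_hash("correct horse", b"\x01\x02\x03\x04"),
    "me@example.com:" + ssha256_hash("battery staple"),
])

def check_login(user, password, conf=USERS_CONF):
    """True only if the user exists and the password matches the stored hash."""
    users = parse_users_conf(conf)
    return user in users and verify_password(password, users[user])
```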

A handy command to check the Dovecot configuration is:

dovecot -n

It shows the active (non-default) settings in short.

Same for Postfix:

postconf -n

Make sure that the user (mailman) has write access to the mail directory (/var/email).

Handy logs

tail /var/log/mail.err
tail /var/log/mail.log


saslauthd

SASL authentication daemon. SASL stands for Simple Authentication and Security Layer. It's the mechanism that will allow us to manage passwords in a simple way by storing them, hashed, in a file. There are other authentication backends such as MySQL and others.

apt-get install libsasl2-2 libsasl2-modules sasl2-bin


procmail

Procmail allows you to filter email as it is received from a remote email server, or placed in your spool file on a local or remote email server. It is powerful, gentle on system resources, and widely used. Procmail, commonly referred to as a Local Delivery Agent (LDA), plays a small role in delivering email to be read by an MUA.

The command to install is:

apt-get install procmail

First we configure procmail as an available transport type in Postfix's /etc/postfix/master.cf. Add this to the file (the pipe(8) attributes flags= and user= follow the pipe command directly; they are not -o overrides):

procmail  unix  -       n       n       -       -       pipe
  flags=RO user=mailman argv=/usr/bin/procmail -t -m USER=${user} NEXTHOP=${nexthop} EXTENSION=${extension} /etc/postfix/procmailrc.common

The default transport type for virtual users will be set to "procmail" in /etc/postfix/main.cf.
Change the value of virtual_transport:

virtual_transport=procmail

With the above configuration, Postfix runs the procmail script /etc/postfix/procmailrc.common for all virtual users.
/etc/postfix/procmailrc.common:

#MAILDIR="$HOME/mydomain.com/$USER"
MAILDIR="/var/email/$NEXTHOP/$USER"
#fallback location if deliver fails; the same maildir Dovecot reads (mail_location)
DEFAULT="$MAILDIR/"
#VERBOSE=ON
#general logfile
LOGFILE="/var/log/proclog.log"
LOGABSTRACT=all

#get external procmail files; one per user, inside the user's mail directory :-)
INCLUDERC=$MAILDIR/.procmail

#use dovecot to deliver
DELIVER="/usr/lib/dovecot/deliver"
:0 w
| $DELIVER -d $USER@$NEXTHOP

The trailing slash at DEFAULT is important: it decides between maildir format and mbox format (all mail in one file).
Make sure that the .procmail file can be read by the user.


SpamAssassin

SpamAssassin is the application that filters spam out of incoming mail based on rules.

The command to install:

apt-get install spamc spamassassin

By default spamassassin runs as the 'root' user, which is less secure than it needs to be, so we run it under a dedicated unprivileged user/group:

groupadd -g 5555 spamd
# Debian's no-login shell lives in /usr/sbin
useradd -u 5555 -g spamd -s /usr/sbin/nologin -d /usr/local/spamassassin spamd
mkdir -p /usr/local/spamassassin/log
chown spamd:spamd -R /usr/local/spamassassin

Edit the '/etc/default/spamassassin' configuration file and make it look like the one below:


# /etc/default/spamassassin

# WARNING: please read README.spamd before using.
# There may be security risks.

# Change to one to enable spamd
ENABLED=1
SPAM_HOME="/usr/local/spamassassin"

# Options
# See man spamd for possible options. The -d option is automatically added.

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 5 --helper-home-dir ${SPAM_HOME} --username spamd -s ${SPAM_HOME}/log/spamd.log"

# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="${SPAM_HOME}/spamd.pid"

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=0

The next thing we need to do is configure SpamAssassin. You do this by editing '/etc/spamassassin/local.cf' and changing/adding the following:


rewrite_header Subject *****SPAM*****
required_score 3.0
report_safe 0
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 0
use_dcc 0
use_pyzor 0
We disable the Razor, DCC and Pyzor network checks (RBL lookups stay enabled with skip_rbl_checks 0). They would catch more spam, but they are also a big performance hit.

Now we still need to configure Postfix to use SpamAssassin. Edit /etc/postfix/master.cf and change the smtp line to the following, so that every message received on port 25 is handed to the spamassassin content filter and re-injected afterwards:

smtp 	inet  n 	-	-	-	- 	smtpd -o content_filter=spamassassin

and add the following to the end of the file:

spamassassin	unix	-	n	n	-	-	pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Finally, restart the services:


/etc/init.d/spamassassin restart
/etc/init.d/dovecot restart
/etc/init.d/postfix restart
