How to setup a mail server on Debian 8 (jessie) using postfix, dovecot and LMTP

Putting thoughts and deeds into words greatly improves my understanding of topics and thus I am writing this post. It will cover setting up a mail server on Debian 8.7 (jessie) server using postfix, dovecot, LMTP and virtual mailboxes. Another blog post including quota, sieve, spam filtering (through SpamAssassin and various restrictions) is soon™ to follow.

This tutorial assumes the following setup:

  • a Debian 8.7 (jessie) server with root privileges
  • a static IP address and FQDN with configurable r/DNS record, a valid TLS/SSL certificate (covered in this post)
  • unblocked mail ports for SMTP (25), Submission (587) and IMAPS (993)

Make sure to:

sudo apt-get update && sudo apt-get upgrade

and ssh into your machine (prefix the commands with sudo if you don’t work as root).

Test whether port 25 is blocked and whether your r/DNS record configuration works as intended. Your outbound mail is blocked if the connection times out:

dig +short mx google.com
10 aspmx.l.google.com.
50 alt4.aspmx.l.google.com.
30 alt2.aspmx.l.google.com.
40 alt3.aspmx.l.google.com.
20 alt1.aspmx.l.google.com.
telnet aspmx.l.google.com 25
Trying 2a00:1450:400c:c07::1b..
Connected to aspmx.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP 7si6442403wmr.85 - gsmtp

Exit telnet by typing QUIT.

DNS record configuration:

dig +short mx helenenhof.org
10 mail.helenenhof.org.
dig +short a mx.helenenhof.org
srv01.helenenhof.org.
80.131.240.119
dig +short -x 80.131.240.119
ns1.helenenhof.org.
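The forward and reverse lookups above can be turned into a repeatable check. The script below is an added example, not part of the original post: it verifies forward-confirmed reverse DNS (FCrDNS) for a mail host, i.e. that the name’s A record points to an address whose PTR record resolves back to that same address. It assumes dig from the dnsutils package and checks IPv4 only; the host names in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): forward-confirmed reverse DNS
# check for a mail host. Assumes `dig` from dnsutils; host names are placeholders.

# Resolve a name to its final IPv4 address. `dig +short a` prints CNAME
# targets first and the address last, so the last line is the address.
resolve_a() {
    dig +short a "$1" | tail -n 1
}

# Resolve an address to its (first) PTR name without the trailing dot.
resolve_ptr() {
    dig +short -x "$1" | head -n 1 | sed 's/\.$//'
}

# check_fcrdns HOSTNAME
# Prints one of: ok, ptr-mismatch, no-a-record.
# Returns 0 only when HOSTNAME -> address -> PTR name -> the same address.
check_fcrdns() {
    host="$1"
    ip=$(resolve_a "$host")
    if [ -z "$ip" ]; then
        echo "no-a-record"
        return 1
    fi
    ptr=$(resolve_ptr "$ip")
    ptr_ip=""
    if [ -n "$ptr" ]; then
        ptr_ip=$(resolve_a "$ptr")
    fi
    if [ -n "$ptr" ] && [ "$ptr_ip" = "$ip" ]; then
        echo "ok"
        return 0
    fi
    echo "ptr-mismatch"
    return 1
}

# Usage on a real host (runs live DNS queries):
#   check_fcrdns mx.example.org
if [ "$#" -gt 0 ]; then
    check_fcrdns "$1"
fi
```

In the post’s own output, 80.131.240.119 reverse-resolves to ns1.helenenhof.org rather than mx.helenenhof.org. That still passes FCrDNS if ns1.helenenhof.org resolves to the same address, but it is common practice, and good for deliverability, to have the PTR name, myhostname and the HELO name agree.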

Install postfix

Postfix is an MTA (Mail Transfer Agent): it routes and delivers mail on Linux systems; it is lightweight, efficient and secure when configured appropriately.

apt-get install postfix && postfix stop && apt-get purge exim4

Please choose Internet site as general type of mail configuration and enter your FQDN as system mail name (in our case “helenenhof.org”) while completing the install wizard. Postfix will be stopped afterwards because there is no need to have it running at this stage.

Exim4 is Debian’s default mail service; it is no longer needed and is therefore removed.

Configure postfix

There are two main configuration files to be edited in /etc/postfix/. The master.cf is used to define how a program connects to a service and which daemon program runs when a service is requested. The main.cf controls several hundred configuration parameters (which can be shown by postconf -d).

Open master.cf and uncomment line 17 to enable the submission service (the MSA, Mail Submission Agent):

.......
#tlsproxy  unix  -      -       -       -       -       tlsproxy
submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
.......

Backup the original main.cf file:

cp /etc/postfix/main.cf /etc/postfix/main.cf.orig

Specify the location of your certificates and add security levels for smtpd and smtp:

smtpd_tls_cert_file = /etc/letsencrypt/live/helenenhof.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/helenenhof.org/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may

Add mydomain = helenenhof.org and adjust the remaining parameters accordingly:

mydomain = helenenhof.org
myhostname = mx.$mydomain
myorigin = $mydomain
mydestination = localhost

Install dovecot

Dovecot is an open source IMAP and POP3 server that includes an MDA (Mail Delivery Agent); it is used to get mail from postfix into a local recipient’s mailbox and has its own administration tool, doveadm:

apt-get install dovecot-core dovecot-imapd dovecot-lmtpd

  • dovecot-imapd allows users to use the IMAP protocol
  • dovecot-lmtpd enables dovecot to receive LMTP connections

Configure dovecot

Backup the initial configuration file:

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig

and copy the output of dovecot -n to dovecot.conf:

dovecot -n > /etc/dovecot/dovecot.conf.new
mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
mv /etc/dovecot/dovecot.conf.new /etc/dovecot/dovecot.conf

Force TLS/SSL, specify your certificates, disable the unencrypted IMAP listener on port 143 (by setting its port to 0) and let the imap-login service listen on port 993 (IMAPS):

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}

ssl = required
ssl_cert = </etc/letsencrypt/live/helenenhof.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/helenenhof.org/privkey.pem

Testing your configuration:

Local

OpenSSL’s s_client tool offers a way to connect to and diagnose TLS servers; a more detailed explanation of the options can be found in its man page:

openssl s_client -starttls smtp -connect helenenhof.org:587
openssl s_client -connect helenenhof.org:993

both commands should output Verify return code: 0 (ok) as one of the last lines.

Server

Open a new terminal, connect to your machine and:

tail -f /var/log/mail.log

to check if postfix and dovecot are (re-)starting without issues:

service postfix restart
service dovecot restart

Next we check that ports 25, 587 and 993 are listed in the column ‘Local Address’:

netstat -ltnp

Create the user vmail that owns all virtual mailboxes:

groupadd -g 2000 vmail
useradd -g vmail -u 2000 vmail -d /var/vmail -m

You can check this by:

ls -l /var/

which should output:

drwxrwxrwt  3 root  root  4096 Apr 27 00:27 tmp
drwxr-xr-x  3 vmail vmail 4096 Apr 23 13:37 vmail
drwxr-xr-x  3 root  root  4096 Apr 17 12:29 www

Configuring mail location, passdb, userdb and authentication

Add this to the main.cf file of postfix to hand the authentication to dovecot:

smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Insert this block into your dovecot.conf to allow the plaintext authentication mechanisms only after TLS/SSL has been negotiated and to bind the auth service to the socket private/auth inside the postfix spool (/var/spool/postfix/private/auth):

auth_mechanisms = plain login
disable_plaintext_auth = yes

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    user = postfix
    mode = 0666
  }
}
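The TLS settings from the earlier section and the SASL settings just above are the parameters most worth double-checking before exposing the server. The shell function below is an added example (not from the original post and not a postfix tool): it reads a copy of main.cf and reports parameters that are missing or weaker than this tutorial configures, including the smtpd_tls_auth_only setting that stops clients from sending passwords before STARTTLS. The certificate paths in any sample config are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post, not a postfix tool): audit a
# postfix main.cf for the TLS and SASL settings this tutorial relies on.
# Paths in any sample config are placeholders.

# cf_get FILE KEY -> prints the value of KEY ("key = value" lines, '#' comments
# skipped). As in postfix, the last assignment of a key wins. Indented
# continuation lines are not folded, which is enough for the parameters checked.
cf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            if (key == k) { val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val) }
        }
        END { print val }' "$1"
}

# audit_main_cf FILE
# Prints one FINDING line per weak or missing parameter and returns the number
# of findings (0 means every checked parameter matches the tutorial's intent).
audit_main_cf() {
    cf="$1"
    findings=0
    # require KEY ALLOWED_VALUES_REGEX MESSAGE
    require() {
        v=$(cf_get "$cf" "$1")
        if ! printf '%s\n' "$v" | grep -Eq "^($2)$"; then
            echo "FINDING: $1='$v' - $3"
            findings=$((findings + 1))
        fi
    }
    require smtpd_tls_cert_file '/.+' 'no server certificate configured'
    require smtpd_tls_key_file '/.+' 'no server private key configured'
    require smtpd_tls_security_level 'may|encrypt' 'STARTTLS not offered to clients and peers'
    require smtp_tls_security_level 'may|encrypt|dane|dane-only|fingerprint|verify|secure' 'outbound STARTTLS disabled'
    require smtpd_tls_auth_only 'yes' 'AUTH would be accepted on an unencrypted connection'
    require smtpd_sasl_auth_enable 'yes' 'SASL authentication not enabled, so submission cannot authenticate users'
    require smtpd_sasl_type 'dovecot' 'SASL is not handed to dovecot'
    require smtpd_sasl_path 'private/auth' 'SASL socket path does not match the dovecot unix_listener'
    return "$findings"
}

# Usage: audit_main_cf /etc/postfix/main.cf   (or a saved copy of `postconf -n`)
if [ "$#" -gt 0 ]; then
    audit_main_cf "$1"
fi
```

On the server, save the output of postconf -n to a file and run audit_main_cf against it: postconf -n prints the effective non-default settings, so a value set twice in main.cf shows up as postfix actually uses it.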

Next we set mail_location to the maildir format, the userdb driver to static and the passdb driver to passwd-file (the scheme given in args is only a default; the {SCHEME} prefix stored in the file overrides it). The file itself is created in a moment. Information on the variables (%d, %n, %u) can be found in the dovecot documentation:

mail_location = maildir:/var/vmail/%d/%n
passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%u /etc/dovecot/userdb-file
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

Create the first mail account: generate the password hash using the SHA512-CRYPT scheme (doveadm prompts for the password):

doveadm pw -s SHA512-CRYPT

Example output:

{SHA512-CRYPT}$6$xVscOkS.Nch5xE.y$Svjfd/X8ATyIrTwRdME8qHgoWhU/G56soWsUMLMtyujrAdpy.1LXNNpYiWY.RoaAe68Vu4.711SiKvn2fDBlR5WC0

Create a new file userdb-file in /etc/dovecot and insert:

cirmscher@helenenhof.org:{SHA512-CRYPT}$6$xVscOkS.Nch5xE.y$Sv/X8ATyIrTwRdME8qHgoWhU/G56soWsUMLMtyujrAdpy.1LXNNpYiWY.RoaAe68Vu4.711SiKvn2fDBlR5WC0

Dovecot does not care about domains, so you can use several domains or none. Users are administered through this file.
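Because userdb-file is the whole account database, a small wrapper that validates entries before appending them avoids the most common mistakes: a malformed address, a hash in the wrong scheme, or a duplicate line. The functions below are an added example, not part of the original post or of dovecot. They take the file path as a parameter so they can be tried on a scratch file first; on the server the path is /etc/dovecot/userdb-file and the hash comes from doveadm pw -s SHA512-CRYPT as shown above.

```shell
#!/bin/sh
# Added example (not from the original post or from dovecot): maintain the
# passwd-file used as passdb above. FILE is a parameter so the functions can be
# tried on a scratch file; on the server it is /etc/dovecot/userdb-file.

# add_vmail_user FILE ADDRESS HASH
# Appends "ADDRESS:HASH" after checking that ADDRESS looks like user@domain and
# cannot break the colon-separated format, that HASH is a SHA512-CRYPT hash as
# produced by `doveadm pw -s SHA512-CRYPT`, and that ADDRESS is not already
# present. Prints "added: ..." or "rejected: ..." and returns 1 on rejection.
add_vmail_user() {
    file="$1"; addr="$2"; hash="$3"
    case "$addr" in
        *:*|*" "*)
            echo "rejected: address must not contain ':' or whitespace"; return 1 ;;
        *@*.*) ;;
        *)
            echo "rejected: '$addr' is not user@domain"; return 1 ;;
    esac
    case "$hash" in
        '{SHA512-CRYPT}$6$'*) ;;
        *)
            echo "rejected: hash is not in the SHA512-CRYPT scheme"; return 1 ;;
    esac
    touch "$file"
    # exact match on the first colon-separated field, so a.b@x does not match axb@x
    if awk -F: -v a="$addr" '$1 == a { f = 1 } END { if (f) exit 0; exit 1 }' "$file"; then
        echo "rejected: $addr already exists"; return 1
    fi
    printf '%s:%s\n' "$addr" "$hash" >> "$file"
    chmod o-rwx "$file"   # the file holds password hashes: no world access
    echo "added: $addr"
}

# list_vmail_users FILE -> one address per line
list_vmail_users() {
    cut -d: -f1 "$1"
}

# Usage on the server:
#   add_vmail_user /etc/dovecot/userdb-file alice@example.test "$(doveadm pw -s SHA512-CRYPT)"
#   doveadm auth test alice@example.test   # confirm dovecot accepts the login
```

After adding an account, doveadm auth test user@domain on the server confirms that dovecot can read the file and accepts the password.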

Mail delivery via dovecot’s LMTP server

Insert this in main.cf to tell postfix to deliver through dovecot’s LMTP socket and to set the virtual domain and virtual alias mapping:

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual_aliases

Let’s create the virtual_aliases file and insert (adjust to your needs):

postmaster          root
webmaster           root
info                root
abuse               root
# redirect to the user that should get root's mails
root                cirmscher

Don’t forget to:

postmap /etc/postfix/virtual_aliases
service postfix restart

afterwards; postmap creates the .db file that postfix expects.

Adjust your dovecot.conf like this to bind the LMTP service to the unix socket inside the postfix spool:

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0666
    user = postfix
    group = postfix
  }
}
protocol lmtp {
  postmaster_address = cirmscher@helenenhof.org
}

Testing your configuration

Make sure the terminal running tail -f /var/log/mail.log is still open – otherwise open a new one. Restart postfix and dovecot:

service postfix restart
service dovecot restart

Install mailutils:

apt-get install mailutils

and:

echo test | mail cirmscher@helenenhof.org

Your output should look similar to this:

postfix/pickup[27532]: 61632100FBB: uid=0 from=<root@www>
postfix/cleanup[28168]: 61632100FBB: message-id=<20170415183532.61632100FBB@letsfloat.org>
postfix/qmgr[27531]: 61632100FBB: from=<root@www.org>, size=318, nrcpt=1 (queue active)
dovecot: lmtp(28171): Connect from local
dovecot: lmtp(28171, cirmscher@helenenhof.org): QAUkGfRn8lgLbgAA9v3IoA: msgid=<20170415183532.61632100FBB@helenenhof.org>: saved mail to INBOX
www postfix/lmtp[28170]: 61632100FBB: to=<cirmscher@helenenhof.org>, relay=helenenhof.org[private/dovecot-lmtp], delay=0.07, delays=0.03/0.01/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <cirmscher@helenenhof.org> QAUkGfRn8lgLbgAA9v3IoA Saved)
dovecot: lmtp(28171): Disconnect from local: Successful quit
postfix/qmgr[27531]: 61632100FBB: removed
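Lines like the ones above are the evidence you will look at whenever a message goes missing, so it pays to be able to follow a queue ID through pickup, cleanup, qmgr and the lmtp delivery agent automatically. The script below is an added example, not from the original post: it summarises every queue ID in a mail.log with its sender, recipient and final delivery status, and lists the ones that did not end in status=sent. The log it runs on is constructed for the example (domain example.test, made-up PIDs and queue IDs), mirrors the lines shown above and adds one bounce so that the failure path is exercised.

```shell
#!/bin/sh
# Added example (not from the original post): follow postfix queue IDs through
# /var/log/mail.log and report each message's final delivery status.
# The sample log below is constructed (domain example.test, made-up PIDs and
# queue IDs); it mirrors the lines shown in the post plus one bounce.

# sample_log FILE -> writes the constructed log to FILE
sample_log() {
    cat > "$1" <<'EOF'
Apr 15 20:35:32 mx postfix/pickup[27532]: 61632100FBB: uid=0 from=<root@example.test>
Apr 15 20:35:32 mx postfix/cleanup[28168]: 61632100FBB: message-id=<20170415183532.61632100FBB@example.test>
Apr 15 20:35:32 mx postfix/qmgr[27531]: 61632100FBB: from=<root@example.test>, size=318, nrcpt=1 (queue active)
Apr 15 20:35:32 mx dovecot: lmtp(28171): Connect from local
Apr 15 20:35:32 mx dovecot: lmtp(28171, cirmscher@example.test): QAUkGfRn8lgLbgAA9v3IoA: msgid=<20170415183532.61632100FBB@example.test>: saved mail to INBOX
Apr 15 20:35:32 mx postfix/lmtp[28170]: 61632100FBB: to=<cirmscher@example.test>, relay=example.test[private/dovecot-lmtp], delay=0.07, delays=0.03/0.01/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <cirmscher@example.test> QAUkGfRn8lgLbgAA9v3IoA Saved)
Apr 15 20:35:32 mx dovecot: lmtp(28171): Disconnect from local: Successful quit
Apr 15 20:35:32 mx postfix/qmgr[27531]: 61632100FBB: removed
Apr 15 20:36:10 mx postfix/smtpd[28200]: 7A1B2C3D4E5: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=cirmscher@example.test
Apr 15 20:36:10 mx postfix/cleanup[28168]: 7A1B2C3D4E5: message-id=<20170415183610.7A1B2C3D4E5@example.test>
Apr 15 20:36:10 mx postfix/qmgr[27531]: 7A1B2C3D4E5: from=<cirmscher@example.test>, size=402, nrcpt=1 (queue active)
Apr 15 20:36:10 mx postfix/lmtp[28170]: 7A1B2C3D4E5: to=<nobody@example.test>, relay=example.test[private/dovecot-lmtp], delay=0.05, delays=0.02/0.01/0/0.02, dsn=5.1.1, status=bounced (host example.test[private/dovecot-lmtp] said: 550 5.1.1 <nobody@example.test> User doesn't exist: nobody@example.test (in reply to RCPT TO command))
Apr 15 20:36:10 mx postfix/bounce[28210]: 7A1B2C3D4E5: sender non-delivery notification: 8F9E0D1C2B3
Apr 15 20:36:10 mx postfix/qmgr[27531]: 7A1B2C3D4E5: removed
EOF
}

# summarize_deliveries LOGFILE
# One line per postfix queue ID: "QUEUE_ID sender recipient status", sorted.
# Sender comes from pickup/qmgr, recipient and status from the delivery agent
# (lmtp here); a message with no status line yet is reported as "queued".
# Matches the default short queue IDs (upper-case hex) shown in the post.
summarize_deliveries() {
    awk '
        match($0, /postfix\/[a-z]+\[[0-9]+\]: [0-9A-F]+:/) {
            id = substr($0, RSTART, RLENGTH)
            sub(/.*: /, "", id); sub(/:$/, "", id)
            ids[id] = 1
            if (match($0, /from=<[^>]*>/))  snd[id]  = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /to=<[^>]*>/))    rcpt[id] = substr($0, RSTART + 4, RLENGTH - 5)
            if (match($0, /status=[a-z]+/)) st[id]   = substr($0, RSTART + 7, RLENGTH - 7)
        }
        END {
            for (id in ids)
                print id, snd[id], rcpt[id], (st[id] == "" ? "queued" : st[id])
        }' "$1" | sort
}

# failed_deliveries LOGFILE -> only the messages that did not end in status=sent
failed_deliveries() {
    summarize_deliveries "$1" | awk '$4 != "sent"'
}

# Demo on the constructed log; on the server use /var/log/mail.log instead.
demo=$(mktemp)
sample_log "$demo"
summarize_deliveries "$demo"
failed_deliveries "$demo"
rm -f "$demo"
```

The dovecot lmtp lines are deliberately left out of the summary: the postfix queue ID is the key that ties pickup, qmgr and the delivery agent together, while dovecot logs its own session ID, so correlating the two is done by timestamp and recipient when needed.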

Set up an MUA (Mail User Agent), e.g. Mozilla Thunderbird

Create a new account with the following settings:

Incoming IMAP:

Server hostname: helenenhof.org
Port: 993
SSL: SSL/TLS
Authentication: Normal password
Username: cirmscher@helenenhof.org

Outgoing SMTP:

Server hostname: helenenhof.org
Port: 587
SSL: STARTTLS
Authentication: Normal password
Username: cirmscher@helenenhof.org

Sending mails to Gmail users might result in this:

Our system has detected 550-5.7.1 that this message is likely unsolicited mail.  
To reduce the amount of 550-5.7.1 spam sent to Gmail, this message has been  
blocked. Please visit 550-5.7.1  
http://support.google.com/mail/bin/answer.py?hl=en&answer=188131  
for 550 5.7.1 more information.  
kn5si24189651wjc.75 - gsmtp (in reply to end of DATA command)) 

which can be fixed by adding and verifying your domain; follow the instructions on the linked page (add either a DNS TXT or a DNS CNAME record).

Final thoughts

I hope this was helpful to some of you. As always – comments / constructive criticism and overall feedback are very welcome. Feel free to check our other howtos – there is plenty to come though.
