Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail, intended as an alternative to the Sendmail MTA.

Remove Sendmail if it is already installed on your system:

yum remove sendmail
#1. Install Postfix
Now install Postfix and make sure it starts at boot by enabling it with chkconfig.
yum install postfix

chkconfig postfix on

#2. Create User to Access Mailbox

Let's create a system user that will own the mailboxes, with shell login disabled:

useradd -s /sbin/nologin mboxuser

Make a note of the UID and GID of this user:

grep mboxuser /etc/passwd

mboxuser:x:500:500::/home/mboxuser:/sbin/nologin

#3. Edit Postfix Config File
If this is a production server, take a backup of main.cf first:

cd /etc/postfix/
cp main.cf main.cf.BKP-DATE

Now open main.cf and edit it. Uncomment or edit the following lines to fit your environment:

myhostname = server.mydomain.com
mydomain = mydomain.com
myorigin = $mydomain

inet_interfaces = all
inet_protocols = ipv4

# Uncomment and add or remove your local network if needed
mynetworks = 127.0.0.0/8, [::1]/128


# Uncomment
home_mailbox = Maildir/

# Add the following lines at the bottom
# Virtual domain config
virtual_mailbox_domains = /etc/postfix/virtual_domains
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox


# Replace UID:GID numbers with ones from Step 2
virtual_minimum_uid = 500
virtual_maximum_uid = 500
virtual_uid_maps = static:500
virtual_gid_maps = static:500
virtual_alias_maps = hash:/etc/postfix/virtual

#4. Create Virtual Domains File

Let's create the file /etc/postfix/virtual_domains, which will hold all domains of our mail server. Its location must match the virtual_mailbox_domains setting in main.cf. Add one domain name per line to the virtual_domains file:

my-domain.com
my-domain.net

#5. Create Mailbox File
This is the “/etc/postfix/vmailbox” file defined in our “main.cf”. Here we enter every user, with their domain, that will receive mail on this server:

info@my-domain.com my-domain.com/info/
name.surname@my-domain.org my-domain.org/name.surname/

Every line must end with “/”, which tells Postfix to deliver into a Maildir; otherwise the users will not receive their emails into their Maildir mailboxes.
We can also implement a “catch-all” account that receives all emails for recipients of a domain that are not listed individually:

@my-domain3.org my-domain.org/all/

#6. Create Mail Folders and Fix Permissions
Next we need to create the virtual domain folders where user emails will be delivered, and give access to these folders and files to the user whose UID and GID we set in “main.cf”.

You can rename or relocate this folder as you like, but be sure to update the path in main.cf (virtual_mailbox_base) as well. Do not worry about creating the per-user directories inside vhosts/domain/, since Postfix creates them automatically on first delivery.

mkdir /var/mail/vhosts
chown -R root:mboxuser /var/mail/
mkdir /var/mail/vhosts/my-domain1.com
mkdir /var/mail/vhosts/my-domain1.org
chown mboxuser:mboxuser -R /var/mail/vhosts/
#7. Update Postfix Lookup Tables
Next we run “postmap” to update the Postfix lookup tables. We must run this every time we change these files, since it creates the hashed .db versions that Postfix actually reads:

postmap /etc/postfix/virtual
postmap /etc/postfix/vmailbox
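As an added example (not part of the original tutorial), the following shell script checks the files from Steps 4 and 5 for the mistakes described above, creates the per-domain directories of Step 6 and rebuilds the lookup tables of Step 7. It assumes the tutorial's layout (one domain per line in virtual_domains, “address domain/localpart/” lines in vmailbox, mailboxes under /var/mail/vhosts owned by mboxuser) and takes every path as a parameter, so the checks can be run against copies in a temporary directory before touching /etc/postfix; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check the virtual
# mailbox files (Steps 4-5), create the domain directories (Step 6) and
# rebuild the hash tables (Step 7). All paths are parameters.

# check_vmailbox DOMAINS_FILE VMAILBOX_FILE
# Returns 0 when every line is deliverable by Postfix and findable by Dovecot.
check_vmailbox() {
    domains=$1; vmailbox=$2; bad=0
    while read -r addr target; do
        case "$addr" in ''|'#'*) continue ;; esac      # blank line or comment
        dom=${addr#*@}; local_part=${addr%@*}           # local_part is empty for @domain catch-alls
        if [ -z "$target" ]; then
            echo "$addr: no mailbox path" >&2; bad=1; continue
        fi
        # A trailing slash selects Maildir; without it Postfix writes an mbox file.
        case "$target" in
            */) ;;
            *)  echo "$addr: '$target' lacks the trailing / (mbox, not Maildir)" >&2; bad=1 ;;
        esac
        # Postfix only accepts mail for domains listed in virtual_mailbox_domains.
        if ! grep -qxF "$dom" "$domains"; then
            echo "$addr: domain $dom is not listed in $domains" >&2; bad=1
        fi
        # Dovecot's mail_location uses %d/%n, so a user mailbox must be at domain/localpart/.
        if [ -n "$local_part" ] && [ "$target" != "$dom/$local_part/" ]; then
            echo "$addr: Dovecot will look in $dom/$local_part/ but vmailbox says $target" >&2; bad=1
        fi
    done < "$vmailbox"
    return $bad
}

# setup_vhosts DOMAINS_FILE BASE_DIR OWNER[:GROUP]
# Create BASE_DIR/<domain> for every domain; Postfix creates the per-user Maildir itself.
setup_vhosts() {
    domains=$1; base=$2; owner=$3
    mkdir -p "$base" || return 1
    while read -r dom; do
        case "$dom" in ''|'#'*) continue ;; esac
        mkdir -p "$base/$dom" || return 1
    done < "$domains"
    chown -R "$owner" "$base"
}

# rebuild_maps FILE...  -> run postmap on each hash: table (needed after every edit)
rebuild_maps() {
    command -v postmap >/dev/null 2>&1 || { echo "postmap not installed" >&2; return 1; }
    for f in "$@"; do postmap "$f" || return 1; done
}

# Usage on the live server (as root):
#   check_vmailbox /etc/postfix/virtual_domains /etc/postfix/vmailbox &&
#   setup_vhosts /etc/postfix/virtual_domains /var/mail/vhosts mboxuser:mboxuser &&
#   rebuild_maps /etc/postfix/virtual /etc/postfix/vmailbox
```

The Dovecot path check matters because Step 12 later points mail_location at /var/mail/vhosts/%d/%n: Postfix will happily deliver to any path under virtual_mailbox_base, but Dovecot only finds the mailbox if the path is domain/localpart/.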
#8. Restart Postfix
Let’s restart Postfix for configuration changes to take effect:

/etc/init.d/postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
..and make sure Postfix is listening on ports 25 and 465 (the latter is the secure SMTP port):

netstat -anpt | grep ':25 '
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1146/master
netstat -anpt | grep ':465 '
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 1515/master

#9. Reconfigure IPTables
We must reconfigure IPTables to allow incoming connections on ports 25 (SMTP) and 465 (SMTPS).

#10. Testing Postfix
You can test the Postfix configuration by sending an email to an existing recipient from Gmail, then verify delivery in /var/log/maillog.
Install and Configure Postfix with Dovecot
Install Dovecot and make sure it starts at boot:
yum install dovecot
chkconfig dovecot on
#11. Edit Main Dovecot Configuration File
Before making any changes to the Dovecot configuration file, make a backup of it.

The main Dovecot configuration file is “/etc/dovecot/dovecot.conf”; additional config files are located in the “/etc/dovecot/conf.d” directory. The main configuration file should look like this:

# Uncomment and edit this line
protocols = imap pop3

# Uncomment and edit - make Dovecot listen on all IPv4 addresses only
listen = *

#12. Edit Additional Dovecot Configuration Files
There are additional Dovecot configuration files in the “/etc/dovecot/conf.d” directory. We need to edit some of them as follows.

/etc/dovecot/conf.d/10-auth.conf

# Uncomment
disable_plaintext_auth = yes

# Comment this line
#!include auth-system.conf.ext

# Uncomment
!include auth-passwdfile.conf.ext
!include auth-checkpassword.conf.ext

/etc/dovecot/conf.d/10-logging.conf

# Uncomment and edit
log_path = /var/log/dovecot.log
auth_verbose = yes
auth_verbose_passwords = no
auth_debug = no
auth_debug_passwords = no
mail_debug = no
verbose_ssl = no

/etc/dovecot/conf.d/10-mail.conf

# Uncomment and edit to reflect previous configuration
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_uid = 500
mail_gid = 500
mail_privileged_group = mboxuser

/etc/dovecot/conf.d/10-master.conf

# Comment this out
#service lmtp {
#  unix_listener lmtp {
#  }
#}

# Edit and change
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = postfix
    group = postfix
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}

/etc/dovecot/conf.d/10-ssl.conf

# Uncomment
ssl = yes
# Leave this for now - we will change this in Step 17
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

#13. Generate Passwords for Dovecot Users
The location of the Dovecot users password file is defined in “/etc/dovecot/conf.d/auth-passwdfile.conf.ext”. By default it is the “/etc/dovecot/users” file. We can generate a password hash for a user with the following command:

doveadm pw -s SHA512-CRYPT
Enter new password:
Retype new password:
{SHA512-CRYPT}$6$7iU6C9qP.Ba2R3bz$3cw0qRM4Q0s1Nh15xaJYzj8qA7AR4KjqQuE4vbMup4Ncg8rIFsnGGNvjH1huYw3.6ijkNWibp51N6N1FTxbJ01

We chose the strongest available scheme, SHA512-CRYPT. As you can see, this command only hashes the password string you entered and prints the result; it does not create the user.

Next we need to edit or create the “/etc/dovecot/users” file and enter one line per user as follows:

info@my-domain1.com:{SHA512-CRYPT}$6$7iU6C9qP.Ba2R3bz$3cw0qRM4Q0s1Nh15xaJYzj8qA7AR4KjqQuE4vbMup4Ncg8rIFsnGGNvjH1huYw3.6ijkNWibp51N6N1FTxbJ01::::

We must not forget the “::::” at the end of the line, or this will not work!

Repeat the process for every mail user on the server.
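As an added example (not part of the original tutorial), these shell functions build and verify lines for the passwd-file described in this step. The hash comes from “doveadm pw -s SHA512-CRYPT” exactly as above; “openssl passwd -6” produces the same $6$ crypt format and is used only as a fallback when doveadm is not installed. The function names and the file path parameter are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: helpers for /etc/dovecot/users.

# make_hash -> prompts for a password and prints a SHA512-CRYPT hash.
# Both tools prompt interactively, so the password never appears on the
# command line or in the shell history.
make_hash() {
    if command -v doveadm >/dev/null 2>&1; then
        doveadm pw -s SHA512-CRYPT
    else
        openssl passwd -6        # same $6$ format; needs OpenSSL 1.1.1+
    fi
}

# users_line ADDRESS HASH -> prints "address:{SHA512-CRYPT}hash::::"
# HASH may be given with or without the {SHA512-CRYPT} prefix doveadm prints.
# The four trailing colons leave uid, gid, gecos and home empty so the
# mail_uid/mail_gid/mail_location settings from 10-mail.conf apply.
users_line() {
    addr=$1
    hash=$(printf '%s\n' "$2" | sed 's/^{SHA512-CRYPT}//')
    case "$hash" in
        '$6$'*) ;;
        *) echo "hash for $addr is not SHA512-CRYPT (expected \$6\$...)" >&2; return 1 ;;
    esac
    printf '%s:{SHA512-CRYPT}%s::::\n' "$addr" "$hash"
}

# check_users_file FILE -> 0 if every non-comment line has the expected shape,
# i.e. a full address, a SHA512-CRYPT hash and the trailing "::::".
check_users_file() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *@*:'{SHA512-CRYPT}$6$'*::::) ;;
            *) echo "malformed entry for ${line%%:*}" >&2; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Usage on the live server (as root):
#   users_line info@my-domain1.com "$(make_hash)" >> /etc/dovecot/users
#   check_users_file /etc/dovecot/users
```

Running check_users_file after every edit catches the missing “::::” (and a pasted plaintext password) before Dovecot rejects every login with a confusing auth failure.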

#14. Start Dovecot
We are finally ready to start Dovecot for the first time.

/etc/init.d/dovecot start
Starting Dovecot Imap: [ OK ]


Check that Dovecot is listening on the IMAP(S) and POP3(S) ports:

netstat -anpt | grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 1397/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1397/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1397/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 1397/dovecot


#15. Generate Postfix Self-Signed Certificate
We need to generate a self-signed SSL certificate to be used by both Postfix and Dovecot.

Follow these steps:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/

openssl genrsa -out postfix.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
..............+++
e is 65537 (0x10001)
openssl req -new -key postfix.key -out postfix.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SI
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Ljubljana
Organization Name (eg, company) [Default Company Ltd]:domain.net
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server.domain.net
Email Address []:info@domain.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
openssl x509 -req -days 3650 -in postfix.csr -signkey postfix.key -out postfix.crt
Signature ok
subject=/C=SI/L=Ljubljana/O=domain.Net/CN=server.domain.net/emailAddress=info@domain.net
Getting Private key
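As an added example (not part of the original tutorial), the script below produces the same postfix.key and postfix.crt in a single non-interactive openssl call, adds a subjectAltName (modern mail clients check the SAN and ignore the CN alone), restricts the key file to root, and verifies that the certificate and key actually belong together before Postfix or Dovecot load them. The -subj values and function names are placeholders of my own; -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original tutorial: self-signed cert for Step 15.

# make_selfsigned DIR HOSTNAME [DAYS]
# Writes DIR/postfix.key and DIR/postfix.crt (same names as the tutorial).
make_selfsigned() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir" || return 1
    # genrsa + req + x509 in one step; -nodes = no passphrase (daemons load it unattended)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/postfix.key" -out "$dir/postfix.crt" \
        -subj "/C=XX/L=City/O=Example Org/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1
    chmod 600 "$dir/postfix.key"   # private key: root only (both daemons read it as root)
    chmod 644 "$dir/postfix.crt"
}

# cert_matches_host DIR HOSTNAME
# 0 if the certificate names HOSTNAME in its SAN and its public key matches
# the private key; a mismatch here is what produces the SSL errors the
# tutorial warns about in Step 17.
cert_matches_host() {
    dir=$1; host=$2
    openssl x509 -in "$dir/postfix.crt" -noout -text | grep -q "DNS:$host" || return 1
    ck=$(openssl x509 -in "$dir/postfix.crt" -noout -pubkey | openssl md5)
    kk=$(openssl pkey -in "$dir/postfix.key" -pubout 2>/dev/null | openssl md5)
    [ "$ck" = "$kk" ]
}

# Usage on the live server (as root):
#   make_selfsigned /etc/postfix/ssl server.mydomain.com && \
#   cert_matches_host /etc/postfix/ssl server.mydomain.com && echo "certificate OK"
```

Use the same hostname that clients will type into their IMAP/SMTP settings; a certificate for a different name still "works" but forces users to click through warnings, which trains them to accept a real man-in-the-middle later.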
#16. Reconfigure Postfix
To wrap things up, we must reconfigure Postfix to work with Dovecot.

This requires some additional changes to Postfix main.cf and master.cf configuration files as follows.

Add the following lines to the bottom of the “/etc/postfix/main.cf” file. The indented lines are continuations of the setting above them and must keep their leading whitespace, otherwise Postfix reports a missing “=”:

# SSL/TLS
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/postfix.key
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.crt
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# SASL
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

# HELO restrictions:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

# Sender restrictions:
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

# Recipient restrictions:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit

# Relay restrictions:
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit

# Limit DoS
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100

These are mostly security checks and restrictions for our mail server. With them, only authenticated users (and hosts in mynetworks) may relay mail through our server; reject_unauth_destination is what stops everyone else from using it as an open relay. We also check that senders and recipients come from valid, fully-qualified domains, and more.

We have also configured basic anti-DoS limits (connection counts and rates, message and header sizes) to bounce off unwanted abuse.

We also need to edit the “/etc/postfix/master.cf” file and uncomment the following lines (the “-o” lines are indented continuations of the service line above them):

/etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

#17. Reconfigure Dovecot
Change the SSL certificate used by Dovecot to the newly generated self-signed certificate as follows. If you leave Dovecot pointing to the default certificate, you might encounter SSL errors:

/etc/dovecot/conf.d/10-ssl.conf

# Uncomment
ssl = yes
# Change to point to SSL cert generated in Step 15
ssl_cert = </etc/postfix/ssl/postfix.crt
ssl_key = </etc/postfix/ssl/postfix.key

#18. Reconfigure IPTables
We must reconfigure IPTables to allow connections on ports 110 (POP3), 995 (POP3S), 143 (IMAP) and 993 (IMAPS).
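As an added example (not part of the original tutorial), this script opens the mail ports from Step 9 and this step in iptables on a CentOS 6 style system (the chkconfig/init.d platform used throughout). It also includes 587, since the submission service enabled in master.cf in Step 16 listens there. Rules are inserted only when not already present, so it is safe to re-run, and a --dry-run flag prints the commands instead of executing them; function names are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: iptables rules for the mail
# ports. 25 SMTP, 465 SMTPS, 587 submission, 110/995 POP3/POP3S, 143/993 IMAP/IMAPS.
MAIL_PORTS="25 465 587 110 995 143 993"

# open_mail_ports [--dry-run]
# Adds an ACCEPT rule for each port. -I (insert at top) rather than -A is
# deliberate: the CentOS 6 default INPUT chain ends with a REJECT rule, so an
# appended rule would never be reached.
open_mail_ports() {
    dry=0
    if [ "${1:-}" = "--dry-run" ]; then dry=1; fi
    for p in $MAIL_PORTS; do
        if [ $dry = 1 ]; then
            echo "iptables -I INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
        # -C checks whether an identical rule already exists (iptables >= 1.4.11)
        elif ! iptables -C INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT 2>/dev/null; then
            iptables -I INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT || return 1
        fi
    done
}

# persist_rules -> save the running rules to /etc/sysconfig/iptables so they
# survive a reboot (CentOS 6 init script).
persist_rules() {
    service iptables save
}

# Usage on the live server (as root):
#   open_mail_ports --dry-run      # review first
#   open_mail_ports && persist_rules
```

Only open the ports you actually serve: if you do not offer POP3, leave 110 and 995 closed rather than relying on Dovecot's protocols line alone.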

#19. Restart Postfix and Dovecot
As a final step before testing out our new mail server, we need to restart Postfix and Dovecot services for changes to take effect.

/etc/init.d/postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
/etc/init.d/dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
Voila! We have successfully installed and configured Postfix with Dovecot!

You can now configure your IMAP or POP clients to use your server as a mail server. You can do this on your mobile or desktop clients such as MS Outlook or Thunderbird.
