Want to install and configure Postfix with Dovecot on CentOS 6? Or are you wondering whatPostfix orDovecot is?
In case you are wondering (i hope not, since you stumbled on this page), Postfix is a mail server or a bit more fancy word for it – Mail Transfer Agent (MTA). Actually MTA tells you what this application does. It transfers the mail around, from local users (same domain) to other domain users and transfers incoming mail from other users to local users. Actually for the emails to be transfered to and from your domain, Postfix is all you need, but these emails will only be stored on the server and also will only be able to sent from the server where Postfix is running.
This is why we need an additional application called Dovecot. Dovecot is a Message Store Access application. It enables us to get to the email messages in a more “human friendly” way.
Dovecot supports IMAP(s) and POP(s) messaging protocols (also secure versions of both protocol of course). By running IMAP or POP, we can configure a client to retrieve and send messages via our Postfix/Dovecot mail server. A client can be a mobile device with an email mobile application or some other desktop client as Microsoft Outlook or Thunderbird. With Postfix and Dovecot we can read our emails on our mobile device or desktop computer and this is as friendly as it gets, don’t you think? 🙂
We will configure Postfix with Dovecot:
virtual domains (serving multiple domain mail server)
virtual users (no need for Postfix users to have OS accounts)
Are you now sure, you want to install and configure Postfix with Dovecot? If so, keep reading…
Let’s Install and Configure Postfix with Dovecot!
1. Install Postfix
Postfix in the default MTA in CentOS 6, so you probably already have Postfix installed, but you can issue this command anyway – if it is already installed it will say so.
[root@geekpeek ~]# yum install postfix
If postfix is already installed it is probably also started at boot, but run this command anyway, just to make sure.
[root@geekpeek ~]# chkconfig postfix on
2. Create User to Access Mailboxes
We need to create an OS user that will access the mailboxes and we will disable logon for this user.
[root@geekpeek ~]# useradd -s /sbin/nologin mboxuser
Check the user UID and GID number and remember it, we will need it in the following steps:
[root@geekpeek ~]# grep mboxuser /etc/passwd mboxuser:x:500:500::/home/mboxuser:/sbin/nologin
3. Edit Postfix Configuration
First move into “/etc/postfix” folder and make a backup copy of the original “main.cf” configuration file.
[root@geekpeek ~]# cd /etc/postfix/ [root@geekpeek postfix]# cp main.cf main.cf.ORIG
Next edit“main.cf” file – the following lines should be uncommented and edited to fit your environment. Note that some lines are already configured on default Postfix install:
# Leave as it is queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix mail_owner = postfix
# Edit and change to your hostname and domain myhostname = server.geekpeek.net mydomain = geekpeek.net
# Uncomment myorigin = $mydomain
# Change to all or just the one you want inet_interfaces = all
# Change to the protocols you use inet_protocols = ipv4
# Leave as it is mydestination = $myhostname, localhost.$mydomain, localhost unknown_local_recipient_reject_code = 550
# Uncomment and add or remove your local network if needed mynetworks = 127.0.0.0/8
# Leave as it is alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases
# Uncomment home_mailbox = Maildir/
# Leave as it is debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.6.6/samples readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
# Add the following lines at the bottom # Virtual domain config virtual_mailbox_domains = /etc/postfix/virtual_domains virtual_mailbox_base = /var/mail/vhosts virtual_mailbox_maps = hash:/etc/postfix/vmailbox
# Replace UID:GID numbers with ones from Step 2 virtual_minimum_uid = 500 virtual_maximum_uid = 500 virtual_uid_maps = static:500 virtual_gid_maps = static:500 virtual_alias_maps = hash:/etc/postfix/virtual
4. Create Virtual Domains File
We will now create a file which holds all of the domains our mail server will serve. The virtual domains file location is defined by “virtual_mailbox_domains” parameter in“main.cf” configuration file, so in our case this is “/etc/postfix/virtual_domains”.
Please make sure, that the MX records from all of your domains point to this server. Virtual_domains file should hold all your domains, each in new line.
my-domain1.com my-domain2.net my-domain3.org
5. Create Mailbox File
This is the file “/etc/postfix/vmailbox” defined in our“main.cf” and in here where we must enter all of the users with their domains, that will recieve their mails on this server.
Every line must end with “/” otherwise the users will not recieve their emails into their mailboxes.
info@my-domain1.com my-domain1.com/info/ test1@my-domain1.com my-domain1.com/test1/ info@my-domain2.net my-domain2.net/info/ user1@my-domain2.net my-domain2.net/user1/ name.surname@my-domain3.org my-domain3.org/name.surname/
We can also implement a “catch-all” account, to catch all emails for recipients not listed in “virtual_domains” file:
@my-domain3.org my-domain.org/all
6. Create Mail Folders and Fix Permissions
Next we need to create the virtual domain folders where user emails will be delivered to and add rights to access this folder and files to the user defined with UID and GID in“main.cf”.
You can rename this folder to anything you like and also relocate it but be sure to fix the path to it in main.cf also. Do not worry about creating additional directories inside vhosts/domain/ folder since Postfix will create this automatically.
[root@geekpeek ~]# mkdir /var/mail/vhosts [root@geekpeek ~]# chown -R root:mboxuser /var/mail/ [root@geekpeek ~]# mkdir /var/mail/vhosts/my-domain1.com [root@geekpeek ~]# mkdir /var/mail/vhosts/my-domain1.net [root@geekpeek ~]# mkdir /var/mail/vhosts/my-domain1.org [root@geekpeek ~]# chown mboxuser:mboxuser -R /var/mail/vhosts/
7. Update Postfix Lookup Table
Next we should run “postmap” to update the Postfix lookup table. We should run this everytime we make a change to these files. This creates a hashed .db instances of these files.
[root@geekpeek ~]# postmap /etc/postfix/virtual [root@geekpeek ~]# postmap /etc/postfix/vmailbox
8. Restart Postfix
Let’s restart Postfix for configuration changes to take effect:
[root@geekpeek ~]# /etc/init.d/postfix restart Shutting down postfix: [ OK ] Starting postfix: [ OK ]
..and make sure Postfix is listening on port 25 and 465 (the last is secure SMTP port):
[root@geekpeek ~]# netstat -anp |grep 25 tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1146/master [root@geekpeek ~]# netstat -anp |grep 465 tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 1515/master
9. Reconfigure IPTables
We must reconfigure IPTables to allow connections on port 25 (SMTP) and 465 (SMTPs). Read more on how to reconfigure IPTables HERE.
10. Testing Postfix
You can try testing our Postfix configuration by sending an email to existing recipient from Gmail.
Please make sure your DNS records are configured properly for this test to work. You should see something like this in “/var/log/maillog” – but with your email addresses of course:
Oct 28 09:20:28 geekpeek postfix/smtpd[1226]: connect from unknown[192.168.1.20] Oct 28 09:20:52 geekpeek postfix/smtpd[1226]: 7A1B640AFD: client=unknown[192.168.1.20] Oct 28 09:20:58 geekpeek postfix/cleanup[1244]: 7A1B640AFD: message-id=<> Oct 28 09:20:58 geekpeek postfix/qmgr[1149]: 7A1B640AFD: from=<testing@123.com>, size=190, nrcpt=1 (queue active) Oct 28 09:20:58 geekpeek postfix/virtual[1245]: 7A1B640AFD: to=<info@my-domain1.com>, relay=virtual, delay=19, delays=19/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir) Oct 28 09:20:58 geekpeek postfix/qmgr[1149]: 7A1B640AFD: removed Oct 28 09:21:00 geekpeek postfix/smtpd[1226]: disconnect from unknown[192.168.1.20]
The “delivered to maildir” line means, the message was successfully delivered to “/var/mail/vhosts/my-domain1.com/info/new” folder.
10. Install Dovecot
Comming to the second part of tutorial on running Postfix with Dovecot. Let’s install Dovecot and make it start at boot.
[root@geekpeek ~]# yum install dovecot [root@geekpeek ~]# chkconfig dovecot on
11. Edit Main Dovecot Configuration File
Before making any changes to Dovecot configuration file make a backup of it.
Main Dovecot configuration file is “/etc/dovecot/dovecot.conf”, additional config files are located in “/etc/dovecot/conf.d” directory. Main Dovecot configuration file should look like this:
# Uncomment and edit this line protocols = imap pop3 # Uncomment and edit - make dovecot only listen on ipv4 listen = *
# Leave as it is
dict {
}
!include conf.d/*.conf12. Edit Additional Dovecot Configuration Files
There are additional Dovecot configuration files located in “/etc/dovecot/conf.d” directory. We need to edit some of them as follows.
/etc/dovecot/10-auth.conf
# Uncomment disable_plaintext_auth = yes
# Leave as it is auth_mechanisms = plain login
# Comment this line #!include auth-system.conf.ext
# Uncomment !include auth-passwdfile.conf.ext !include auth-checkpassword.conf.ext
/etc/dovecot/conf.d/10-logging.conf
# Uncomment and edit log_path = /var/log/dovecot.log auth_verbose = yes auth_verbose_passwords = no auth_debug = no auth_debug_passwords = no mail_debug = no verbose_ssl = no
# Leave as it is
plugin {
}/etc/dovecot/conf.d/10-mail.conf
# Uncomment and edit to reflect previous configuration mail_location = maildir:/var/mail/vhosts/%d/%n mail_uid = 500 mail_gid = 500 mail_privileged_group = mboxuser
# Leave as it is mbox_write_locks = fcntl
/etc/dovecot/conf.d/10-master.conf
# Leave as it is
service imap-login {
inet_listener imap {
}
inet_listener imaps {
}
}
service pop3-login {
inet_listener pop3 {
}
inet_listener pop3s {
}
}
# Comment this out
#service lmtp {
# unix_listener lmtp {
# }
#}
# Leave as it is
service imap {
}
service pop3 {
}
# Edit and change
service auth {
unix_listener auth-userdb {
mode = 0600
user = postfix
group = postfix
}
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
}
service auth-worker {
}
service dict {
unix_listener dict {
}
}/etc/dovecot/conf.d/10-ssl.conf
# Uncomment ssl = yes # Leave this for now - we will change this in Step 16 ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem
13. Generate Passwords for Dovecot Users
The Dovecot users password file location is defined in “/etc/dovecot/conf.d/auth-passwdfile.conf.ext”. By default this is “/etc/dovecot/users” file. We can generate a password for user using the following command:
[root@geekpeek ~]# doveadm pw -s SHA512-CRYPT
Enter new password:
Retype new password:
{SHA512-CRYPT}$6$7iU6C9qP.Ba2R3bz$3cw0qRM4Q0s1Nh15xaJYzj8qA7AR4KjqQuE4vbMup4Ncg8rIFsnGGNvjH1huYw3.6ijkNWibp51N6N1FTxbJ01We chose to use the strongest SHA512 encryption and as we can see, this command only encrypts the string you entered as password.
Next we need to edit or create a “/etc/dovecot/users” file and enter the information about a user as follows:
info@my-domain1.com:{SHA512-CRYPT}$6$7iU6C9qP.Ba2R3bz$3cw0qRM4Q0s1Nh15xaJYzj8qA7AR4KjqQuE4vbMup4Ncg8rIFsnGGNvjH1huYw3.6ijkNWibp51N6N1FTxbJ01::::We must not forget to add the “::::” at the end of the line to make this work!!
Repeat the process for every mail user on the server.
14. Start Dovecot
We are finally ready to start Dovecot for the first time.
[root@geekpeek ~]# /etc/init.d/dovecot start Starting Dovecot Imap: [ OK ]
Check that Dovecot is listening on IMAP(s) and POP(s) ports:
[root@geekpeek ~]# netstat -anpt |grep dovecot tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 1397/dovecot tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1397/dovecot tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1397/dovecot tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 1397/dovecot
15. Generate Postfix Self-Signed Certificate
We need to generate a self-signed SSL certificate to be used with Postfix and Dovecot.
Follow these steps to do this:
[root@geekpeek ~]# mkdir /etc/postfix/ssl [root@geekpeek ~]# cd /etc/postfix/ssl/ [root@geekpeek ssl]# openssl genrsa -out postfix.key 2048 Generating RSA private key, 2048 bit long modulus .....+++ .............+++ e is 65537 (0x10001) [root@geekpeek ssl]# openssl req -new -key postfix.key -out postfix.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:SI State or Province Name (full name) []: Locality Name (eg, city) [Default City]:Ljubljana Organization Name (eg, company) [Default Company Ltd]:GeekPeek.Net Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:server.geekpeek.net Email Address []:info@geekpeek.net
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@geekpeek ssl]# openssl x509 -req -days 3650 -in postfix.csr -signkey postfix.key -out postfix.crt Signature ok subject=/C=SI/L=Ljubljana/O=GeekPeek.Net/CN=server.geekpeek.net/emailAddress=info@geekpeek.net Getting Private key
16. Reconfigure Postfix
To wrap things up, we must reconfigure Postfix to work with Dovecot.
This requires some additional changes to Postfix main.cf and master.cf configuration files as follows.
Add the following lines to the bottom of the “/etc/postfix/main.cf” file:
# SSL/TLS smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_key_file = /etc/postfix/ssl/postfix.key smtpd_tls_cert_file = /etc/postfix/ssl/postfix.crt smtpd_tls_loglevel = 0 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom # SASL smtpd_sasl_type = dovecot broken_sasl_auth_clients = yes smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous
# HELO restrictions: smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
# Sender restrictions: smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
# Recipient restrictions: smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
# Relay restrictions smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination permit
# Limit DOS default_process_limit = 100 smtpd_client_connection_count_limit = 10 smtpd_client_connection_rate_limit = 30 queue_minfree = 20971520 header_size_limit = 51200 message_size_limit = 10485760 smtpd_recipient_limit = 100
These are mostly security checks and restrictions for our mail server. With these, we only allow authenticated users to send mail from our servers. Also we are checking if the senders and recipients are comming from a valid domain and more.
We have also configured a basic DOS security just to bounce off any unwanted attacks.
Also we need to edit “/etc/postfix/master.cf” file and uncomment the following lines:
/etc/postfix/master.cf
submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
17. Reconfigure Dovecot
Please change the SSL certificate used in Dovecot with the newly generated self-signed certificate as follows. If you leave
Dovecot pointing to default certificate you might encounter some SSL errors:
/etc/dovecot/conf.d/10-ssl.conf
# Uncomment ssl = yes # Change to point to SSL cert generated in Step 15 ssl_cert = </etc/postfix/ssl/postfix.crt ssl_key = </etc/postfix/ssl/postfix.key
18. Reconfigure IPTables
We must reconfigure IPTables to allow connections on ports 110 (POP3), 993 (POP3s), 143 (IMAP) and 993 (IMAPs). Read more on how to reconfigure IPTables HERE.
19. Restart Postfix and Dovecot
As a final step before testing out our new mail server, we need to restart Postfix and Dovecot services for changes to take effect.
[root@geekpeek ~]# /etc/init.d/postfix restart Shutting down postfix: [ OK ] Starting postfix: [ OK ] [root@geekpeek ~]# /etc/init.d/dovecot restart Stopping Dovecot Imap: [ OK ] Starting Dovecot Imap: [ OK ]
Voila! We have successfully installed and configured Postfix with Dovecot!
You can now configure your IMAP or POP clients to use your server as a mail server. You can do this on your mobile or desktop clients such as MS Outlook or Thunderbird.
BIG thanks to Kliment Andreev and his blog for useful information on this topic which i used in this turorial too!