Want to install and configure Postfix with Dovecot on CentOS 6? Or are you wondering what Postfix or Dovecot is?
In case you are wondering (I hope not, since you stumbled on this page), Postfix is a mail server or, to use the fancier term, a Mail Transfer Agent (MTA). The name tells you what this application does: it transfers mail around, from local users (same domain) to users in other domains, and delivers incoming mail from other users to local users. For emails to be transferred to and from your domain, Postfix is all you need, but those emails will only be stored on the server and can only be sent from the server where Postfix is running.
This is why we need an additional application called Dovecot. Dovecot is a message store access application: it lets us get at the email messages in a more “human friendly” way.
Dovecot supports the IMAP and POP3 messaging protocols (and of course the secure versions of both, IMAPS and POP3S). By running IMAP or POP, we can configure a client to retrieve and send messages via our Postfix/Dovecot mail server. A client can be a mobile device with an email app or a desktop client such as Microsoft Outlook or Thunderbird. With Postfix and Dovecot we can read our emails on our mobile device or desktop computer, and this is as friendly as it gets, don’t you think? 🙂
We will configure Postfix with Dovecot for:
- virtual domains (one mail server serving multiple domains)
- virtual users (no need for Postfix users to have OS accounts)
Are you now sure you want to install and configure Postfix with Dovecot? If so, keep reading…
Let’s Install and Configure Postfix with Dovecot!
1. Install Postfix
Postfix is the default MTA in CentOS 6, so you probably already have Postfix installed, but you can issue this command anyway; if it is already installed it will say so.
[root@geekpeek ~]# yum install postfix
If Postfix is already installed it is probably also started at boot, but run this command anyway, just to make sure.
[root@geekpeek ~]# chkconfig postfix on
2. Create User to Access Mailboxes
We need to create an OS user that will own and access the mailboxes, and we will disable login for this user.
[root@geekpeek ~]# useradd -s /sbin/nologin mboxuser
Check the user's UID and GID numbers and remember them; we will need them in the following steps:
[root@geekpeek ~]# grep mboxuser /etc/passwd
mboxuser:x:500:500::/home/mboxuser:/sbin/nologin
3. Edit Postfix Configuration
First move into the “/etc/postfix” folder and make a backup copy of the original “main.cf” configuration file.
[root@geekpeek ~]# cd /etc/postfix/
[root@geekpeek postfix]# cp main.cf main.cf.ORIG
Next edit the “main.cf” file – the following lines should be uncommented and edited to fit your environment. Note that some lines are already configured on a default Postfix install:
# Leave as it is
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix

# Edit and change to your hostname and domain
myhostname = server.geekpeek.net
mydomain = geekpeek.net

# Uncomment
myorigin = $mydomain

# Change to all or just the one you want
inet_interfaces = all

# Change to the protocols you use
inet_protocols = ipv4

# Leave as it is
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550

# Uncomment and add or remove your local network if needed
mynetworks = 127.0.0.0/8

# Leave as it is
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Uncomment
home_mailbox = Maildir/

# Leave as it is
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

# Add the following lines at the bottom
# Virtual domain config
virtual_mailbox_domains = /etc/postfix/virtual_domains
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox

# Replace UID:GID numbers with ones from Step 2
virtual_minimum_uid = 500
virtual_maximum_uid = 500
virtual_uid_maps = static:500
virtual_gid_maps = static:500
virtual_alias_maps = hash:/etc/postfix/virtual
4. Create Virtual Domains File
We will now create a file which holds all of the domains our mail server will serve. The virtual domains file location is defined by the “virtual_mailbox_domains” parameter in the “main.cf” configuration file, so in our case this is “/etc/postfix/virtual_domains”.
Please make sure that the MX records for all of your domains point to this server. The virtual_domains file should hold all your domains, one per line:
my-domain1.com
my-domain2.net
my-domain3.org
5. Create Mailbox File
This is the file “/etc/postfix/vmailbox” defined in our “main.cf”, and here we must enter all of the users, with their domains, that will receive their mail on this server.
Every line must end with “/” (the trailing slash tells Postfix to deliver in maildir format), otherwise the users will not receive their emails in their mailboxes.
info@my-domain1.com my-domain1.com/info/
test1@my-domain1.com my-domain1.com/test1/
info@my-domain2.net my-domain2.net/info/
user1@my-domain2.net my-domain2.net/user1/
name.surname@my-domain3.org my-domain3.org/name.surname/
We can also implement a “catch-all” account for a domain, to catch all emails for recipients that are not explicitly listed:
@my-domain3.org my-domain3.org/all/
6. Create Mail Folders and Fix Permissions
Next we need to create the virtual domain folders where user emails will be delivered to, and grant access to this folder and its files to the user defined with the UID and GID in “main.cf”.
You can rename this folder to anything you like and also relocate it, but be sure to fix the path to it in main.cf as well. Do not worry about creating additional directories inside the vhosts/domain/ folder, since Postfix will create them automatically.
[root@geekpeek ~]# mkdir /var/mail/vhosts
[root@geekpeek ~]# chown -R root:mboxuser /var/mail/
[root@geekpeek ~]# mkdir /var/mail/vhosts/my-domain1.com
[root@geekpeek ~]# mkdir /var/mail/vhosts/my-domain2.net
[root@geekpeek ~]# mkdir /var/mail/vhosts/my-domain3.org
[root@geekpeek ~]# chown mboxuser:mboxuser -R /var/mail/vhosts/
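Before restarting Postfix it is worth cross-checking the three pieces from Steps 4 to 6 against each other, because a mismatch (a mailbox path without the trailing slash, a user whose domain is missing from virtual_domains, a domain directory that was never created) silently turns into bounced or misfiled mail. The script below is an added example, not part of the tutorial; it checks the file names and directory used above, and the sample files it builds are constructed.

```shell
#!/bin/sh
# Added consistency check for Steps 4-6 (not part of the original tutorial).
# Usage: check_vmailbox VIRTUAL_DOMAINS_FILE VMAILBOX_FILE MAILBOX_BASE_DIR
# Prints one line per problem and returns the number of problems found.
check_vmailbox() {
  domains=$1; vmailbox=$2; base=$3; problems=0
  while read -r addr path; do
    case "$addr" in ''|'#'*) continue ;; esac        # skip blanks and comments
    dom=${addr#*@}                                    # domain part of the address
    # 1. Postfix only accepts mail for domains listed in virtual_mailbox_domains
    grep -qx "$dom" "$domains" || {
      echo "$addr: domain $dom is not in $domains"; problems=$((problems+1)); }
    # 2. A trailing "/" selects maildir delivery; without it Postfix writes an mbox file
    case "$path" in */) ;; *)
      echo "$addr: path $path lacks the trailing /"; problems=$((problems+1)) ;; esac
    # 3. Each mailbox should live under its own domain directory so that Dovecot's
    #    mail_location (maildir:/var/mail/vhosts/%d/%n) finds it later
    case "$path" in "$dom"/*) ;; *)
      echo "$addr: path $path is not under $dom/"; problems=$((problems+1)) ;; esac
    # 4. The domain directory must exist (Step 6 creates it)
    [ -d "$base/$dom" ] || {
      echo "$addr: directory $base/$dom does not exist"; problems=$((problems+1)); }
  done < "$vmailbox"
  return $problems
}

# Demo on constructed copies of the tutorial's files in a temporary directory.
demo_vmailbox() {
  tmp=$(mktemp -d)
  printf '%s\n' 'my-domain1.com' 'my-domain2.net' > "$tmp/virtual_domains"
  printf '%s\n' \
    'info@my-domain1.com my-domain1.com/info/' \
    'test1@my-domain1.com my-domain1.com/test1' \
    'info@my-domain2.net my-domain2.net/info/' \
    'user1@my-domain3.org my-domain3.org/user1/' > "$tmp/vmailbox"
  mkdir -p "$tmp/vhosts/my-domain1.com"
  rc=0; check_vmailbox "$tmp/virtual_domains" "$tmp/vmailbox" "$tmp/vhosts" || rc=$?
  rm -rf "$tmp"
  return $rc      # 4 problems in this sample
}

demo_vmailbox || echo "found $? problem(s)"
```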
7. Update Postfix Lookup Table
Next we should run “postmap” to update the Postfix lookup tables. We should run this every time we make a change to these files. It creates hashed .db versions of the files.
[root@geekpeek ~]# postmap /etc/postfix/virtual
[root@geekpeek ~]# postmap /etc/postfix/vmailbox
8. Restart Postfix
Let’s restart Postfix for configuration changes to take effect:
[root@geekpeek ~]# /etc/init.d/postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
…and make sure Postfix is listening on ports 25 and 465 (the latter is the secure SMTP port):
[root@geekpeek ~]# netstat -anp |grep 25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1146/master
[root@geekpeek ~]# netstat -anp |grep 465
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 1515/master
9. Reconfigure IPTables
We must reconfigure IPTables to allow connections on port 25 (SMTP) and 465 (SMTPs). Read more on how to reconfigure IPTables HERE.
10. Testing Postfix
You can test our Postfix configuration by sending an email to an existing recipient from Gmail.
Please make sure your DNS records are configured properly for this test to work. You should see something like this in “/var/log/maillog”, but with your own email addresses of course:
Oct 28 09:20:28 geekpeek postfix/smtpd[1226]: connect from unknown[192.168.1.20]
Oct 28 09:20:52 geekpeek postfix/smtpd[1226]: 7A1B640AFD: client=unknown[192.168.1.20]
Oct 28 09:20:58 geekpeek postfix/cleanup[1244]: 7A1B640AFD: message-id=<>
Oct 28 09:20:58 geekpeek postfix/qmgr[1149]: 7A1B640AFD: from=<testing@123.com>, size=190, nrcpt=1 (queue active)
Oct 28 09:20:58 geekpeek postfix/virtual[1245]: 7A1B640AFD: to=<info@my-domain1.com>, relay=virtual, delay=19, delays=19/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Oct 28 09:20:58 geekpeek postfix/qmgr[1149]: 7A1B640AFD: removed
Oct 28 09:21:00 geekpeek postfix/smtpd[1226]: disconnect from unknown[192.168.1.20]
The “delivered to maildir” line means the message was successfully delivered to the “/var/mail/vhosts/my-domain1.com/info/new” folder.
10. Install Dovecot
Coming to the second part of the tutorial on running Postfix with Dovecot. Let’s install Dovecot and make it start at boot.
[root@geekpeek ~]# yum install dovecot
[root@geekpeek ~]# chkconfig dovecot on
11. Edit Main Dovecot Configuration File
Before making any changes to the Dovecot configuration file, make a backup of it.
The main Dovecot configuration file is “/etc/dovecot/dovecot.conf”; additional config files are located in the “/etc/dovecot/conf.d” directory. The main Dovecot configuration file should look like this:
# Uncomment and edit this line
protocols = imap pop3
# Uncomment and edit - make dovecot only listen on ipv4
listen = *

# Leave as it is
dict {
}
!include conf.d/*.conf
12. Edit Additional Dovecot Configuration Files
There are additional Dovecot configuration files located in “/etc/dovecot/conf.d” directory. We need to edit some of them as follows.
/etc/dovecot/conf.d/10-auth.conf
# Uncomment
disable_plaintext_auth = yes

# Leave as it is
auth_mechanisms = plain login

# Comment this line
#!include auth-system.conf.ext

# Uncomment
!include auth-passwdfile.conf.ext
!include auth-checkpassword.conf.ext
/etc/dovecot/conf.d/10-logging.conf
# Uncomment and edit
log_path = /var/log/dovecot.log
auth_verbose = yes
auth_verbose_passwords = no
auth_debug = no
auth_debug_passwords = no
mail_debug = no
verbose_ssl = no

# Leave as it is
plugin {
}
/etc/dovecot/conf.d/10-mail.conf
# Uncomment and edit to reflect previous configuration
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_uid = 500
mail_gid = 500
mail_privileged_group = mboxuser

# Leave as it is
mbox_write_locks = fcntl
/etc/dovecot/conf.d/10-master.conf
# Leave as it is
service imap-login {
  inet_listener imap {
  }
  inet_listener imaps {
  }
}
service pop3-login {
  inet_listener pop3 {
  }
  inet_listener pop3s {
  }
}

# Comment this out
#service lmtp {
#  unix_listener lmtp {
#  }
#}

# Leave as it is
service imap {
}
service pop3 {
}

# Edit and change
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = postfix
    group = postfix
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
service auth-worker {
}
service dict {
  unix_listener dict {
  }
}
/etc/dovecot/conf.d/10-ssl.conf
# Uncomment
ssl = yes
# Leave this for now - we will change this in Step 16
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
13. Generate Passwords for Dovecot Users
The Dovecot users password file location is defined in “/etc/dovecot/conf.d/auth-passwdfile.conf.ext”. By default this is the “/etc/dovecot/users” file. We can generate a password hash for a user using the following command:
[root@geekpeek ~]# doveadm pw -s SHA512-CRYPT
Enter new password:
Retype new password:
{SHA512-CRYPT}$6$7iU6C9qP.Ba2R3bz$3cw0qRM4Q0s1Nh15xaJYzj8qA7AR4KjqQuE4vbMup4Ncg8rIFsnGGNvjH1huYw3.6ijkNWibp51N6N1FTxbJ01
We chose the SHA512-CRYPT scheme, the strongest one available here, and as we can see, this command only hashes the string you entered as the password.
Next we need to edit or create the “/etc/dovecot/users” file and enter the information about a user as follows:
info@my-domain1.com:{SHA512-CRYPT}$6$7iU6C9qP.Ba2R3bz$3cw0qRM4Q0s1Nh15xaJYzj8qA7AR4KjqQuE4vbMup4Ncg8rIFsnGGNvjH1huYw3.6ijkNWibp51N6N1FTxbJ01::::
We must not forget to add the “::::” at the end of the line to make this work! These are the empty uid, gid, gecos and home fields of the passwd-file format, so the mail_uid, mail_gid and mail_location values from 10-mail.conf apply.
Repeat the process for every mail user on the server.
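A quick way to catch mistakes in this file before Dovecot goes live is to lint it: every entry should use the SHA512-CRYPT scheme that doveadm pw produced, carry the trailing “::::”, and every mailbox from the Postfix vmailbox file should have a matching credential, otherwise IMAP/POP login for that user fails. The script below is an added example and not part of the tutorial; the users and vmailbox contents it builds are constructed, with placeholder hashes.

```shell
#!/bin/sh
# Added check for the Dovecot passwd-file from Step 13 (not part of the
# original tutorial). Expected line shape:
#   user@domain:{SHA512-CRYPT}$6$salt$hash::::
# Usage: check_users USERS_FILE VMAILBOX_FILE; returns the number of problems.
check_users() {
  users=$1; vmailbox=$2; problems=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    user=${line%%:*}            # field 1: login name (the full address)
    rest=${line#*:}
    pw=${rest%%:*}              # field 2: password with its {SCHEME} prefix
    tail=${rest#"$pw"}          # whatever follows the password field
    case "$pw" in
      '{SHA512-CRYPT}$6$'*) ;;  # what "doveadm pw -s SHA512-CRYPT" produces
      '{PLAIN}'*|'{CLEARTEXT}'*)
        echo "$user: password stored in clear text"; problems=$((problems+1)) ;;
      *) echo "$user: unexpected password scheme"; problems=$((problems+1)) ;;
    esac
    # the four empty uid:gid:gecos:home fields make Dovecot fall back to the
    # mail_uid, mail_gid and mail_location settings from 10-mail.conf
    [ "$tail" = '::::' ] || {
      echo "$user: expected '::::' after the hash, found '$tail'"; problems=$((problems+1)); }
  done < "$users"
  # every Postfix mailbox needs a credential, or IMAP/POP login for it will fail
  while read -r addr path; do
    case "$addr" in ''|'#'*|'@'*) continue ;; esac    # skip blanks, comments, catch-all
    grep -q "^$addr:" "$users" || {
      echo "$addr: in vmailbox but has no entry in $users"; problems=$((problems+1)); }
  done < "$vmailbox"
  return $problems
}

# Demo on constructed files: one good entry, one clear-text entry, one entry
# without the trailing "::::", and a mailbox with no credential at all.
demo_users() {
  tmp=$(mktemp -d)
  h='$6$saltsalt$constructedhash'        # placeholder, not a real hash
  printf '%s\n' "info@my-domain1.com:{SHA512-CRYPT}$h::::" \
    'test1@my-domain1.com:{PLAIN}secret::::' \
    "info@my-domain2.net:{SHA512-CRYPT}$h" > "$tmp/users"
  printf '%s\n' 'info@my-domain1.com my-domain1.com/info/' \
    'test1@my-domain1.com my-domain1.com/test1/' \
    'user1@my-domain2.net my-domain2.net/user1/' \
    '@my-domain3.org my-domain3.org/all/' > "$tmp/vmailbox"
  rc=0; check_users "$tmp/users" "$tmp/vmailbox" || rc=$?
  rm -rf "$tmp"
  return $rc      # 3 problems in this sample
}

demo_users || echo "found $? problem(s)"
```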
14. Start Dovecot
We are finally ready to start Dovecot for the first time.
[root@geekpeek ~]# /etc/init.d/dovecot start
Starting Dovecot Imap: [ OK ]
Check that Dovecot is listening on the IMAP(s) and POP(s) ports:
[root@geekpeek ~]# netstat -anpt |grep dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 1397/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1397/dovecot
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1397/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 1397/dovecot
15. Generate Postfix Self-Signed Certificate
We need to generate a self-signed SSL certificate to be used with Postfix and Dovecot.
Follow these steps to do this:
[root@geekpeek ~]# mkdir /etc/postfix/ssl
[root@geekpeek ~]# cd /etc/postfix/ssl/
[root@geekpeek ssl]# openssl genrsa -out postfix.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.............+++
e is 65537 (0x10001)
[root@geekpeek ssl]# openssl req -new -key postfix.key -out postfix.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SI
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Ljubljana
Organization Name (eg, company) [Default Company Ltd]:GeekPeek.Net
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server.geekpeek.net
Email Address []:info@geekpeek.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@geekpeek ssl]# openssl x509 -req -days 3650 -in postfix.csr -signkey postfix.key -out postfix.crt
Signature ok
subject=/C=SI/L=Ljubljana/O=GeekPeek.Net/CN=server.geekpeek.net/emailAddress=info@geekpeek.net
Getting Private key
16. Reconfigure Postfix
To wrap things up, we must reconfigure Postfix to work with Dovecot.
This requires some additional changes to Postfix main.cf and master.cf configuration files as follows.
Add the following lines to the bottom of the “/etc/postfix/main.cf” file:
# SSL/TLS
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/postfix.key
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.crt
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# SASL
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

# HELO restrictions:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

# Sender restrictions:
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

# Recipient restrictions:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit

# Relay restrictions
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    permit

# Limit DOS
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
These are mostly security checks and restrictions for our mail server. With these, we only allow authenticated users to send mail through our server. We also check that senders and recipients come from valid domains, and more.
We have also configured basic DoS protection, just to bounce off unwanted attacks.
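Postfix evaluates a restriction list from left to right and the first entry that answers permit or reject decides, so an unconditional permit placed before reject_unauth_destination would turn the server into an open relay. The checker below is an added example, not part of the tutorial: it reads smtpd_relay_restrictions from a main.cf-style file, or smtpd_recipient_restrictions when the former is absent, and reports whether relaying is guarded; the two config fragments it tests are constructed. Note that smtpd_relay_restrictions only exists from Postfix 2.10 on, so on the Postfix 2.6.6 of CentOS 6 (the version visible in the sample_directory path above) it is the smtpd_recipient_restrictions line that actually protects you.

```shell
#!/bin/sh
# Added open-relay check for the Step 16 restriction lists (not part of the
# original tutorial). Inputs are main.cf-style files; samples are constructed.

# Print the value of parameter $2 from main.cf-style file $1, joining
# continuation lines (lines that start with whitespace) and turning the
# comma-separated list into space-separated words. Last definition wins,
# as in Postfix itself.
postconf_get() {
  awk -v p="$2" '
    /^[ \t]/ { if (on) v = v " " $0; next }
    { on = 0 }
    $0 ~ ("^" p "[ \t]*=") { on = 1; sub(/^[^=]*=[ \t]*/, ""); v = $0 }
    END { gsub(/,/, " ", v); print v }
  ' "$1"
}

# Return 0 when the list rejects (or defers) unauthorised destinations before
# any unconditional "permit"; return 1 when the server would relay for anyone.
# smtpd_relay_restrictions exists from Postfix 2.10, so fall back to
# smtpd_recipient_restrictions, which is what guards Postfix 2.6.6.
relay_guarded() {
  list=$(postconf_get "$1" smtpd_relay_restrictions)
  [ -n "$list" ] || list=$(postconf_get "$1" smtpd_recipient_restrictions)
  for w in $list; do
    case "$w" in
      reject_unauth_destination|defer_unauth_destination|reject) return 0 ;;
      permit) return 1 ;;   # reached before the relay check: open relay
    esac
  done
  return 1                  # list ended without a relay check: implicit permit
}

demo_relay() {
  tmp=$(mktemp -d)
  # Weak: an unconditional permit precedes the relay check.
  printf '%s\n' 'smtpd_recipient_restrictions = permit_mynetworks,' \
    '    permit,' '    reject_unauth_destination' > "$tmp/open.cf"
  # Corrected: the ordering used in Step 16.
  printf '%s\n' 'smtpd_recipient_restrictions = reject_unauth_pipelining,' \
    '    reject_non_fqdn_recipient, reject_unknown_recipient_domain,' \
    '    permit_mynetworks, permit_sasl_authenticated,' \
    '    reject_unauth_destination, permit' > "$tmp/good.cf"
  for f in open.cf good.cf; do
    if relay_guarded "$tmp/$f"; then echo "$f: relaying is guarded"
    else echo "$f: OPEN RELAY"; fi
  done
  rm -rf "$tmp"
}
demo_relay
```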
We also need to edit the “/etc/postfix/master.cf” file and uncomment the following lines:
/etc/postfix/master.cf
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
17. Reconfigure Dovecot
Please change the SSL certificate used by Dovecot to the newly generated self-signed certificate as follows. If you leave Dovecot pointing to the default certificate you might encounter some SSL errors:
/etc/dovecot/conf.d/10-ssl.conf
# Uncomment
ssl = yes
# Change to point to SSL cert generated in Step 15
ssl_cert = </etc/postfix/ssl/postfix.crt
ssl_key = </etc/postfix/ssl/postfix.key
18. Reconfigure IPTables
We must reconfigure IPTables to allow connections on ports 110 (POP3), 995 (POP3s), 143 (IMAP) and 993 (IMAPs). Read more on how to reconfigure IPTables HERE.
19. Restart Postfix and Dovecot
As a final step before testing our new mail server, we need to restart the Postfix and Dovecot services for the changes to take effect.
[root@geekpeek ~]# /etc/init.d/postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@geekpeek ~]# /etc/init.d/dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
Voila! We have successfully installed and configured Postfix with Dovecot!
You can now configure your IMAP or POP clients to use your server as a mail server. You can do this on your mobile or desktop clients such as MS Outlook or Thunderbird.
BIG thanks to Kliment Andreev and his blog for the useful information on this topic, which I used in this tutorial too!