The following article explains how to install and configure a simple POP3/IMAP/SMTP mail server on your Debian VPS using Postfix, Dovecot and SASL.
What is Postfix? It is a drop in replacement for the old and mature Sendmail. Postfix also attempts to be very fast, easy to administer, and secure.
What is Dovecot? It is an open source IMAP and POP3 server for *NIX-like systems, written primarily with security in mind.
What is SASL? SASL, the Simple Authentication and Security Layer, is a generic mechanism for protocols to accomplish authentication.
1.) Pre-Requirements
– You may want to check if your hostname/domainname is a valid FQDN (fully qualified domain name) and it has a valid MX DNS record.
# dig +short MX mydomain.com
10 mydomain.com.
ok the hostname ‘mydomain.com’ has an MX record and:
# dig +short A $(dig +short MX mydomain.com | head -1 | cut -d' ' -f2)
12.34.56.78
the MX record set resolves back to our Debian Server’s IP (12.34.56.78)
2.) Update the system and install the required packages
– Before we proceed any further we need to make sure we have a fully up-to-date system.
# apt-get update
# apt-get upgrade
# apt-get dist-upgrade
2.a) Install postfix
# apt-get install postfix
(when prompted, choose ‘Internet Site’ and then set ‘mydomain.com’ as a system mail name.)
2.b) Install dovecot
# apt-get install dovecot-common dovecot-imapd dovecot-pop3d
2.c) Install sasl for authentication of users
# apt-get install libsasl2-2 libsasl2-modules sasl2-bin
(enable the sasl daemon by setting START=yes in /etc/default/saslauthd. you may also want to reduce the number of threads by setting THREADS=3 for example)
or if you’re feeling brave:
# sed -i -e 's/START=no/START=yes/' -e 's/THREADS=5/THREADS=3/' /etc/default/saslauthd
setup /etc/postfix/sasl/smtpd.conf
# echo -e "pwcheck_method: saslauthd\nmech_list: plain login cram-md5 digest-md5" > /etc/postfix/sasl/smtpd.conf
restart SASL
# /etc/init.d/saslauthd restart
3.) Create a system user that handles incoming mail and has access to the mailboxes only
– create group used for virtual mailboxes
# groupadd vmail -g 2222
– create user used for virtual mailboxes
# useradd vmail -r -g 2222 -u 2222 -d /var/vmail -m -c "mail user"
4.) Prepare SSL certificate for using SSL transport
– copy/move your SSL certificate and key to a directory, for example /etc/sample-ssl/
# mkdir /etc/sample-ssl
# rsync -Waq /path/to/certs/ /etc/sample-ssl/
5.) Postfix configuration
– before doing anything else, make sure you have a backup of the original configuration file
# cp /etc/postfix/main.cf{,.orig}
5.a) setup main postfix configuration file (/etc/postfix/main.cf)
– make sure you replace ‘mydomain.com’ with your domain name and set the SSL paths appropriately
# vim /etc/postfix/main.cf
myhostname=mydomain.com
mydomain=mydomain.com
myorigin=$mydomain
mydestination = localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
mailbox_size_limit = 0
recipient_delimiter = +
debug_peer_level=2
smtpd_banner=$myhostname ESMTP $mail_name
biff=no
relayhost=
show_user_unknown_table_name=no
append_dot_mydomain = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_mailbox_base=/var/vmail
virtual_mailbox_domains=hash:/etc/postfix/vmail_domains
virtual_mailbox_maps=hash:/etc/postfix/vmail_mailbox
virtual_alias_maps=hash:/etc/postfix/vmail_aliases
virtual_minimum_uid=100
virtual_uid_maps=static:2222
virtual_gid_maps=static:2222
virtual_transport=dovecot
smtpd_tls_cert_file=/etc/sample-ssl/ssl.crt
smtpd_tls_key_file=/etc/sample-ssl/ssl.key
smtpd_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_use_tls=yes
smtpd_use_tls=yes
smtpd_tls_loglevel=1
smtpd_tls_received_header=yes
tls_random_source=dev:/dev/urandom
smtp_tls_note_starttls_offer=yes
smtpd_tls_session_cache_timeout=3600s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
queue_directory=/var/spool/postfix
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_tls_security_options=$smtpd_sasl_security_options
smtpd_sasl_local_domain=$myhostname
smtpd_sasl_application_name=smtpd
smtpd_helo_required=yes
smtpd_helo_restrictions=reject_invalid_helo_hostname
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
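A static check of the relay controls in the configuration above, as an added example that is not part of the original article. The helper names postfix_param and relay_verdict are made up here, the sample main.cf fragment is constructed, and the check assumes relaying is governed only by mynetworks and smtpd_recipient_restrictions, as it is in this configuration.

```shell
#!/bin/sh
# postfix_param FILE NAME: print the effective value of NAME in a main.cf-style
# file. The last definition wins and indented continuation lines are joined.
postfix_param() {
    awk -v want="$2" '
    /^[ \t]*(#|$)/ { next }                                # comments, blank lines
    /^[ \t]/ { if (cur == want) val = val " " $0; next }   # continuation line
    {
        eq = index($0, "=")
        if (eq == 0) { cur = ""; next }
        cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
        if (cur == want) val = substr($0, eq + 1)
    }
    END { gsub(/[ \t,]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# relay_verdict FILE: print "guarded" or "unguarded: <reason>"; return 1 if unguarded.
relay_verdict() {
    nets=$(postfix_param "$1" mynetworks)
    case " $nets " in
        *" 0.0.0.0/0 "*|*" ::/0 "*) echo "unguarded: mynetworks trusts every client"; return 1 ;;
    esac
    # Restrictions are evaluated left to right, so the first decisive one counts.
    for r in $(postfix_param "$1" smtpd_recipient_restrictions); do
        case $r in
            reject_unauth_destination|defer_unauth_destination|reject|defer)
                echo "guarded"; return 0 ;;
            permit)
                echo "unguarded: permit comes before reject_unauth_destination"; return 1 ;;
        esac
    done
    echo "unguarded: no reject_unauth_destination in smtpd_recipient_restrictions"
    return 1
}

# Constructed sample (not a real server): the restriction list from this article,
# followed by a careless override appended later in the same file.
demo_relay_check() {
    f=$(mktemp) || return 2
    printf '%s\n' 'mynetworks = 127.0.0.0/8' \
        'smtpd_recipient_restrictions=reject_unknown_recipient_domain,' \
        '  reject_unauth_pipelining, permit_mynetworks,' \
        '  permit_sasl_authenticated, reject_unauth_destination' > "$f"
    relay_verdict "$f"
    echo 'smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination' >> "$f"
    relay_verdict "$f" || true
    rm -f "$f"
}
demo_relay_check
```

On a live system, point relay_verdict at /etc/postfix/main.cf after each edit and before restarting Postfix.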
5.b) create /etc/postfix/vmail_domains containing the domains for which postfix will accept emails
– the format is 2 columns. domain left, status right. if there is nothing on the right side, the domain is disabled.
# vim /etc/postfix/vmail_domains
mydomain.com OK
my-otherdomain.com OK
5.c) create /etc/postfix/vmail_mailbox containing the accepted mailboxes
# vim /etc/postfix/vmail_mailbox
info@mydomain.com mydomain.com/info
admin@mydomain.com mydomain.com/admin
webmaster@my-otherdomain.com my-otherdomain.com/webmaster
5.d) create /etc/postfix/vmail_aliases containing the virtual aliases
# vim /etc/postfix/vmail_aliases
info@mydomain.com info@mydomain.com
admin@mydomain.com admin@mydomain.com
webmaster@my-otherdomain.com admin@mydomain.com
hash the configuration files
# postmap /etc/postfix/vmail_domains
# postmap /etc/postfix/vmail_mailbox
# postmap /etc/postfix/vmail_aliases
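A consistency check for the three tables from steps 5.b to 5.d, to run before hashing them. This is an added example, not part of the original article: check_vmail_maps is a made-up helper, the sample tables are constructed, and it follows alias targets one level only.

```shell
#!/bin/sh
# check_vmail_maps DOMAINS MAILBOXES ALIASES (example helper, not a Postfix tool)
# Prints one "PROBLEM:" line per finding and returns 1 if there was any.
check_vmail_maps() {
    awk '
    function report(msg) { print "PROBLEM: " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    FILENAME == ARGV[1] {                      # domains: enabled only with a value
        if (NF >= 2) enabled[tolower($1)] = 1
        next
    }
    FILENAME == ARGV[2] {                      # mailboxes: address, then path
        addr = tolower($1); dom = addr; sub(/^.*@/, "", dom)
        mailbox[addr] = 1
        if (!(dom in enabled)) report("mailbox " addr ": domain " dom " is not enabled")
        if (NF < 2) report("mailbox " addr ": no mailbox path")
        next
    }
    {                                          # aliases: address, then targets
        src = tolower($1); isalias[src] = 1
        for (i = 2; i <= NF; i++) {
            t = tolower($i); gsub(/,/, "", t)
            if (t != "") { n++; from[n] = src; to[n] = t }
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            dom = to[k]; sub(/^.*@/, "", dom)
            known = (to[k] in mailbox) || ((to[k] in isalias) && to[k] != from[k])
            # Only targets inside our own domains have to resolve locally.
            if ((dom in enabled) && !known)
                report("alias " from[k] " -> " to[k] ": no such mailbox or alias")
        }
        exit (bad ? 1 : 0)
    }' "$1" "$2" "$3"
}

# Constructed sample tables: one domain left disabled, one alias with no mailbox.
demo_vmail_maps() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'mydomain.com OK' 'my-otherdomain.com' > "$d/vmail_domains"
    printf '%s\n' 'info@mydomain.com mydomain.com/info' \
        'webmaster@my-otherdomain.com my-otherdomain.com/webmaster' > "$d/vmail_mailbox"
    printf '%s\n' 'info@mydomain.com info@mydomain.com' \
        'sales@mydomain.com admin@mydomain.com' > "$d/vmail_aliases"
    rc=0
    check_vmail_maps "$d/vmail_domains" "$d/vmail_mailbox" "$d/vmail_aliases" || rc=$?
    rm -rf "$d"
    return $rc
}
demo_vmail_maps || true
```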
6.) Dovecot configuration
– before doing anything else, make sure you have a backup of the original configuration file
# cp /etc/dovecot/dovecot.conf{,.orig}
– create main dovecot configuration file
# vim /etc/dovecot/dovecot.conf
protocols = imap imaps pop3 pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "
first_valid_uid=2222
last_valid_uid=2222
first_valid_gid=2222
last_valid_gid=2222
mail_privileged_group = vmail
disable_plaintext_auth=yes
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_verbose = yes
mail_location = maildir:/var/vmail/%d/%n/Maildir
ssl_cert_file = /etc/sample-ssl/sample-chained.crt
ssl_key_file = /etc/sample-ssl/sample.key
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@yourdomain.com
  mail_plugins = sieve
  log_path =
}
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = scheme=SHA1 /etc/dovecot/users.conf
  }
  userdb static {
    #args = /etc/dovecot/users.conf
    args = uid=2222 gid=2222 home=/var/vmail/%d/%n allow_all_users=yes
  }
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
      group = vmail
    }
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
make sure you set the configuration to match your paths and needs
– create our user’s file:
# touch /etc/dovecot/users.conf
– next, use the following command in order to generate password hash for a particular user:
# dovecotpw -s SHA1
(add the generated hash to users.conf without the {SHA1} prefix, for example:)
# cat /etc/dovecot/users.conf
admin@mydomain.com:7mh/MbZGZf7pc2pV6To7WuHJY8E=
7.) Setting up permissions and completing installation
# chgrp vmail /etc/dovecot/dovecot.conf
# chmod g+r /etc/dovecot/dovecot.conf
# chown root:root /etc/dovecot/users.conf
# chmod 600 /etc/dovecot/users.conf
– deliver incoming mails to dovecot
# vim /etc/postfix/master.cf
(append the following)
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
– while at it, you may also want to enable the submission port by uncommenting the following line:
submission inet n - - - - smtpd
– reload the services
# /etc/init.d/dovecot restart
# /etc/init.d/postfix restart
Of course you don’t have to do any of this if you use one of our Debian Optimized VPS Hosting services, in which case you can simply ask our expert Linux admins to install this for you. They are available 24×7 and will take care of your request immediately.
Following this guide on the Latest Debian learning this process, on step 7, Reload the services, I get the following error while restarting Dovecot.
Fatal: service(auth) access(/usr/lib/dovecot/dovecot-auth) failed: No such file or directory
Try creating the ‘/usr/lib/dovecot/dovecot-auth’ file.
I’m getting dovecot: master: Fatal: execv(/usr/lib/dovecot/dovecot-auth) failed: Permission denied
when I try to telnet localhost pop3
any ideas?
What is the output of the following command:
ls -l /usr/lib/dovecot/dovecot-auth
also please provide the output of the following commands:
dpkg -S /usr/lib/dovecot/dovecot-auth
dovecot -n
and post any relevant lines from
/var/log/mail.log
hi why try to send mail i get
SMTP Error (554): Failed to add recipient (5.7.1 : Relay access denied)
what’s logged in your mail server log file? how did you try to send the email? did you complete all steps in the article?
Hi!
First of all, this article was really helpful.
However, something went wrong with the vmail user.
When I try to send a test email, the authentication fails, and I find the following entry in my /var/mail/mail.log:
dovecot: auth: Error: passwd-file /etc/dovecot/users.conf: open(/etc/dovecot/users.conf) failed: Permission denied (euid=111(dovecot) egid=116(dovecot) missing +r perm: /etc/dovecot/users.conf, dir owned by 0:0 mode=0755)
In your tutorial, you make this file owned by root:root and have a 600 mask, which causes this situation. Now I am confused. What do you suggest?
What is the output of the following command:
dovecot -n
Warning for everyone using Debian 7: The dovecot configuration in this article won’t work in Dovecot 2. I just tried it and it threw all sorts of warning messages about obsolete settings, then aborted because /usr/lib/dovecot-auth doesn’t exist.
# /etc/init.d/dovecot restart
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: ‘imaps’ protocol is no longer necessary, remove it
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: ‘pop3s’ protocol is no longer necessary, remove it
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:9: auth_executable has been replaced by service auth { executable }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:12: ssl_cert_file has been replaced by ssl_cert = <file
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:13: ssl_key_file has been replaced by ssl_key = dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: ‘imaps’ protocol is no longer necessary, remove it
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: ‘pop3s’ protocol is no longer necessary, remove it
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:9: auth_executable has been replaced by service auth { executable }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:12: ssl_cert_file has been replaced by ssl_cert = <file
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:13: ssl_key_file has been replaced by ssl_key = <file
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:20: add auth_ prefix to all settings inside auth {} and remove the auth {} section completely
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:22: passdb passwd-file {} has been replaced by passdb { driver=passwd-file }
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25: userdb static {} has been replaced by userdb { driver=static }
Fatal: service(auth) access(/usr/lib/dovecot/dovecot-auth) failed: No such file or directory
failed!
Also, the dovecotpw command doesn't exist in Dovecot 2, so you will have to use "doveadm pw".
hi Amos Batto,
well, of course it will not work in Debian 7. This article covers setup and configuration of Dovecot 1. It will not work with Dovecot 2.
Hi,
Great job. Thank you for the article. It works great.
Is there any update to setup a mail server on Debian 7 (dovecot2)?
Petr
Hi,
we are glad you found the article helpful. We do not have an article for Debian Wheezy but we do have one for CentOS 6 here.
It should not be that hard to port the set-up from CentOS 6 to Debian Wheezy
Thanks.
Could you explain “- copy/move your ssl to some directory for example /etc/sample-ssl/” in more detail? What SSL are you referring to? I have no idea what this will relate to /path/to/certs/
:-/
Hopefully someone can help me here, I’ve spent hours upon hours trying to get a mail server working so far, starting with qmail, then sendmail, now postfix.
Thanks in advance!
Nick
If you want to enable secure network traffic using SSL transport, you need to use an SSL certificate, so generate a self-signed SSL certificate or purchase an SSL certificate (we offer Genuine GeoTrust SSL certificates up to 35% off GeoTrust’s retail prices at https://www.rosehosting.com/ssl-certificates.html), then copy/move your SSL certificate to some directory on your server, (for example /etc/sample-ssl/).
I have configured Postfix on my Debian 7 server. But now I can send mail outside of my LAN only, like Gmail etc. When I am sending any mail to my LAN, it goes to the mail queue with the below error:
host *********** [***.***.254.17] refused to talk to me: 554 dropsmtpd – Your mail is being dropped as spam.
Add an SPF record to your domain’s DNS zone file. It will keep your messages from getting flagged as spam before they reach your recipients. Also, install and configure openDKIM as described at https://www.rosehosting.com/blog/install-and-configure-opendkim-on-debian-squeeze/
May I ask what next? how can I send and receive emails after that?
You can use some free email application like Thunderbird for example.
Very Helpful , thanks for posting this great article !!