How to setup simple but yet powerful mail server using Postfix, Dovecot and Sasl in Debian 6 (Squeeze)

How to setup simple but yet powerful mail server using Postfix, Dovecot and Sasl in Debian 6 (Squeeze) The following article aims into installing and configuring a simple POP3/IMAP/SMTP mail server in your Debian VPS using Postfix, Dovecot and SASL.

What is Postfix? It is a drop in replacement for the old and mature Sendmail. Postfix also attempts to be very fast, easy to administer, and secure.

What is Dovecot? It is an open source IMAP and POP3 server for *NIX-like systems, written primarily with security in mind.

What is SASL? SASL, the Simple Authentication and Security Layer, is a generic mechanism for protocols to accomplish authentication.

1.) Pre-Requirements

– You may want to check if your hostname/domainname is a valid FQDN (fully qualified domain name) and it has a valid MX DNS record.

# dig +short MX mydomain.com
10 mydomain.com.

ok the hostname ‘mydomain.com’ has an MX record and:

# dig +short A $(dig +short MX mydomain.com | head -1 | cut -d' ' -f2)
12.34.56.78

the MX record set resolves back to our Debian Server’s IP (12.34.56.78)

2.) Update the system and install the required packages

– Before we proceed any further we need to make sure we have a fully up-to-date system.

# apt-get update
# apt-get upgrade
# apt-get dist-upgrade

2.a) Install postfix

# apt-get install postfix

(when prompted, choose ‘Internet Site’ and then set ‘mydomain.com’ as a system mail name.)

2.b) Install dovecot

# apt-get install dovecot-common dovecot-imapd dovecot-pop3d

2.c) Install sasl for authentication of users

# apt-get install libsasl2-2 libsasl2-modules sasl2-bin

(enable the sasl daemon by setting START=yes in /etc/default/saslauthd. you may also want to reduce the number of threads by setting THREADS=3 for example)
or if you’re feeling brave:

# sed -i -e 's/START=no/START=yes/' -e 's/THREADS=5/THREADS=3/' /etc/default/saslauthd

setup /etc/postfix/sasl/smtpd.conf

# echo -e "pwcheck_method: saslauthd\nmech_list: plain login cram-md5 digest-md5" > /etc/postfix/sasl/smtpd.conf

restart SASL

# /etc/init.d/saslauthd restart

3.) Create system user For handling incoming mails and has access to the mailboxes only.

– create group used for virtual mailboxes

# groupadd vmail -g 2222

– create user used for virtual mailboxes

# useradd vmail -r -g 2222 -u 2222 -d /var/vmail -m -c "mail user"

4.) Prepare SSL certificate for using SSL transport

– copy/move your ssl to some directory for example /etc/sample-ssl/

# mkdir /etc/sample-ssl
# rsync -Waq /path/to/certs/ /etc/sample-ssl/

5.) Postfix configuration

– before doing anything else make sure you have backup of original configuration file

# cp /etc/postfix/main.cf{,.orig}

5.a) setup main postfix configuration file (/etc/postfix/main.cf)

– make sure you change ‘mydomain.com’ with your domainname and also set the ssl paths appropriately

# vim /etc/postfix/main.cf
myhostname=mydomain.com
mydomain=mydomain.com
myorigin=$mydomain
mydestination = localhost
mynetworks = 127.0.0.0/8
inet_interfaces = all
mailbox_size_limit = 0
recipient_delimiter = +
debug_peer_level=2
smtpd_banner=$myhostname ESMTP $mail_name
biff=no
relayhost=
show_user_unknown_table_name=no
append_dot_mydomain = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_mailbox_base=/var/vmail
virtual_mailbox_domains=hash:/etc/postfix/vmail_domains
virtual_mailbox_maps=hash:/etc/postfix/vmail_mailbox
virtual_alias_maps=hash:/etc/postfix/vmail_aliases
virtual_minimum_uid=100
virtual_uid_maps=static:2222
virtual_gid_maps=static:2222
virtual_transport=dovecot
smtpd_tls_cert_file=/etc/sample-ssl/ssl.crt
smtpd_tls_key_file=/etc/sample-ssl/ssl.key
smtpd_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_use_tls=yes
smtpd_use_tls=yes
smtpd_tls_loglevel=1
smtpd_tls_received_header=yes
tls_random_source=dev:/dev/urandom
smtp_tls_note_starttls_offer=yes
smtpd_tls_session_cache_timeout=3600s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
queue_directory=/var/spool/postfix
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
broken_sasl_auth_clients=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_tls_security_options=$smtpd_sasl_security_options
smtpd_sasl_local_domain=$myhostname
smtpd_sasl_application_name=smtpd
smtpd_helo_required=yes
smtpd_helo_restrictions=reject_invalid_helo_hostname
smtpd_recipient_restrictions=reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

5.b) create /etc/postfix/vmail_domains containing the domains for which postfix will accept emails

– the format is 2 columns. domain left, status right. if there is nothing on the right side, the domain is disabled.

# vim /etc/postfix/vmail_domains
mydomain.com      OK
my-otherdomain.com     OK

5.c) create /etc/postfix/vmail_mailbox containing the accepted mailboxes

# vim /etc/postfix/vmail_mailbox
info@mydomain.com 	mydomain.com/info
admin@mydomain.com 	mydomain.com/admin
webmaster@my-otherdomain.com 	my-otherdomain.com/webmaster

5.d) create /etc/postfix/vmail_aliases containing the virtual aliases

# vim /etc/postfix/vmail_aliases
info@mydomain.com    info@mydomain.com
admin@mydomain.com   admin@mydomain.com
webmaster@my-otherdomain.com 	admin@mydomain.com

hash the configuration files

# postmap /etc/postfix/vmail_domains
# postmap /etc/postfix/vmail_mailbox
# postmap /etc/postfix/vmail_aliases

6.) Dovecot configuration

– before doing anything else make sure you have backup of original configuration file

# cp /etc/dovecot/dovecot.conf{,.orig}

– create main dovecot configuration file

# vim /etc/dovecot/dovecot.conf
protocols = imap imaps pop3 pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "
first_valid_uid=2222
last_valid_uid=2222
first_valid_gid=2222
last_valid_gid=2222
mail_privileged_group = vmail
disable_plaintext_auth=yes
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_verbose = yes
mail_location = maildir:/var/vmail/%d/%n/Maildir
ssl_cert_file = /etc/sample-ssl/sample-chained.crt
ssl_key_file = /etc/sample-ssl/sample.key
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@yourdomain.com
  mail_plugins = sieve
  log_path =
}
auth default {
    mechanisms = plain login
    passdb passwd-file {
        args = scheme=SHA1 /etc/dovecot/users.conf
    }
    userdb static {
        #args = /etc/dovecot/users.conf
        args = uid=2222 gid=2222 home=/var/vmail/%d/%n allow_all_users=yes
    }
    socket listen {
        master {
            path = /var/run/dovecot/auth-master
            mode = 0600
            user = vmail
            group = vmail
        }
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
}

make sure you set the configuration to match your paths and needs

– create our user’s file:

# touch /etc/dovecot/users.conf

– next, use the following command in order to generate password hash for a particular user:

# dovecotpw -s SHA1

(generated password add to users.conf without the {SHA1} part, for example:)

# cat /etc/dovecot/users.conf
admin@mydomain.com:7mh/MbZGZf7pc2pV6To7WuHJY8E=

7.) Setting up permissions and completing installation

# chgrp vmail /etc/dovecot/dovecot.conf
# chmod g+r /etc/dovecot/dovecot.conf
# chown root:root /etc/dovecot/users.conf
# chmod 600 /etc/dovecot/users.conf

– deliver incoming mails to dovecot

# vim /etc/postfix/master.cf

(append the following)

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

– while at it, you may also want to enable the submission port by uncommenting the following line:

submission inet n       -       -       -       -       smtpd

– reload the services

# /etc/init.d/dovecot restart
# /etc/init.d/postfix restart

Of course you don’t have to do any of this if you use one of our Debian Optimized VPS Hosting services, in which case you can simply ask our expert Linux admins to install this for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

19 thoughts on “How to setup simple but yet powerful mail server using Postfix, Dovecot and Sasl in Debian 6 (Squeeze)”

  1. Following this guide on the Latest Debian learning this process, on step 7, Reload the services, I get the following error while restarting Dovecot.

    Fatal: service(auth) access(/usr/lib/dovecot/dovecot-auth) failed: No such file or directory

    Reply
  2. I’m getting dovecot: master: Fatal: execv(/usr/lib/dovecot/dovecot-auth) failed: Permission denied

    when i try to telnet localhost pop3

    any ideas?

    Reply
    • What is the output of the following command:

      ls -l /usr/lib/dovecot/dovecot-auth

      also please provide the output of the following commands:

      dpkg -S /usr/lib/dovecot/dovecot-auth
      dovecot -n

      and post any relevant lines from

      /var/log/mail.log

      Reply
  3. Hi!

    First of all, this article was really helpful.
    However, something went wrong with the vmail user.
    When I try to send a test email, the authetication fails, and I find the following entry in ma /var/mail/mail.log:
    dovecot: auth: Error: passwd-file /etc/dovecot/users.conf: open(/etc/dovecot/users.conf) failed: Permission denied (euid=111(dovecot) egid=116(dovecot) missing +r perm: /etc/dovecot/users.conf, dir owned by 0:0 mode=0755)
    In your tutorial, you make this file owned by root:root and have a 600 mask, which causes this situation. Now I am confused. What do you suggest?

    Reply
  4. Warning for everyone using Debian 7: The dovecot configuration in this article won’t work in Dovecot 2. I just tried it and it threw all sorts of warning messages about obsolete settings, then aborted because /usr/lib/dovecot-auth doesn’t exist.

    # /etc/init.d/dovecot restart
    doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: ‘imaps’ protocol is no longer necessary, remove it
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: ‘pop3s’ protocol is no longer necessary, remove it
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:9: auth_executable has been replaced by service auth { executable }
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:12: ssl_cert_file has been replaced by ssl_cert = <file
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:13: ssl_key_file has been replaced by ssl_key = dovecot-new.conf
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: ‘imaps’ protocol is no longer necessary, remove it
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:1: ‘pop3s’ protocol is no longer necessary, remove it
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:9: auth_executable has been replaced by service auth { executable }
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:12: ssl_cert_file has been replaced by ssl_cert = <file
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:13: ssl_key_file has been replaced by ssl_key = <file
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:20: add auth_ prefix to all settings inside auth {} and remove the auth {} section completely
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:22: passdb passwd-file {} has been replaced by passdb { driver=passwd-file }
    doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:25: userdb static {} has been replaced by userdb { driver=static }
    Fatal: service(auth) access(/usr/lib/dovecot/dovecot-auth) failed: No such file or directory
    failed!

    Also, the dovecotpw command doesn't exist in Dovecot 2, so you will have to use "doveadm pw".

    Reply
    • hi Amos Batto,

      well, of course it will not work in Debian 7. This article covers setup and configuration of Dovecot 1. It will not work with Dovecot 2.

      Reply
      • Hi,

        Great job. Thank you for the article. It works great.
        Is there any update to setup a mail server on Debian 7 (dovecot2)?

        Petr

        Reply
        • Hi,

          we are glad you found the article helpful. We do not have an article for Debian Wheezy but we do have one for CentOS 6 here.

          It should not be that hard to port the set-up from CentOS 6 to Debian Wheezy

          Thanks.

          Reply
  5. Could you explain “- copy/move your ssl to some directory for example /etc/sample-ssl/” in more detail? What SSL are you referring to? I have no idea what this will relate to /path/to/certs/

    :-/

    Hopefully someone can help me here, I’ve spent hours upon hours trying to get a mail server working so far, starting with qmail, then sendmail, now postfix.

    Thanks in advance!

    Nick

    Reply
    • If you want to enable secure network traffic using SSL transport, you need to use an SSL certificate, so generate a self-signed SSL certificate or purchase an SSL certificate (we offer Genuine GeoTrust SSL certificates up to 35% off GeoTrust’s retail prices at https://www.rosehosting.com/ssl-certificates.html), then copy/move your SSL certificate to some directory on your server, (for example /etc/sample-ssl/).

      Reply
  6. I have configured Postfix in my debian7 server. But now i can send mail outside of my Lan only like gmail etc.. When i am sending any mail to my Lan its going to Mail Queue with below error :
    host *********** [***.***.254.17] refused to talk to me: 554 dropsmtpd – Your mail is being dropped as spam.

    Reply
    • Add an SPF record to your domain’s DNS zone file. It will keep your messages from getting flagged as spam before they reach your recipients. Also, install and configure openDKIM as described at https://www.rosehosting.com/blog/install-and-configure-opendkim-on-debian-squeeze/

      Reply

Leave a Comment