How To: Setup Email Services on Ubuntu Using Postfix (TLS+SASL) and Dovecot

and revised October 6, 2014

Here is a guide on getting Email services running on Ubuntu Intrepid. I used Postfix for core services (SMTP wtih TLS and SASL) and Dovecot for fast IMAP and POP3. This tutorial has been tested on a bare bones Ubuntu 8.10 slice from Slicehost.

Preamble

Estimated Time Required: 10-15 minutes

This guide makes several assumptions. For example, it assumes that you will use Maildir. If you decide to make any changes, just keep an eye out for any subsequent changes that might be needed down the line. If you are upgrading from another system, such as Courier, please look at Appendix A.

If you prefer Postfix and Courier, refer to my older tutorial which is reported to work with Ubuntu Intrepid.

Postfix

Let’s get core email functionality going with Postfix:

1
aptitude install postfix sasl2-bin

You will be asked a few questions with a nice graphical interface. Here are the answers for some of them. Replace all occurrences of example.com with your root FQDN (e.g. jonsview.com), and server1.example.com with your server’s FQDN (e.g. swift.jonsview.com).

  • General type of mail configuration? Internet Site
  • System mail name? server1.example.com

Unfortunately, the graphical configuration interface that was automatically launched was a condensed version. You will need to run the full graphical configuration utility.

1
dpkg-reconfigure postfix

Again, you will be asked some questions:

  • General type of mail configuration? Internet Site
  • System mail name? server1.example.com
  • Root and postmaster mail recipient? Leave blank
  • Other destinations to accept mail for? server1.example.com, example.com, localhost.example.com, localhost
  • Force synchronous updates on mail queue? No
  • Local networks? Leave default (127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128)
  • Mailbox size limit (bytes)? 0
  • Local address extension character? Leave default (+)
  • Internet protocols to use? ipv4 (most likely)

Next, let’s take care of certificates for TLS. You will be asked several questions during this process. Fill them in as you see fit.

1
2
3
4
5
6
7
8
9
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Finish configuring Postfix for TLS and SASL.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = server1.example.com'
postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

Finally, restart Postfix

1
/etc/init.d/postfix restart

SASL

Authentication will be done by saslauthd which will need to be configured to support a chrooted Postfix setup. Edit /etc/default/saslauthd and add or change the following settings so that they match:

1
2
START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Finish up SASL by creating the chroot directory, adding the postfix user to the sasl group, and then starting saslauthd.

1
2
3
4
mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
/etc/init.d/saslauthd start

Testing

At this point, core email services should be up and running. Let’s make sure that you’re in good shape before moving on. First, establish a connection with the mail server.

1
telnet localhost 25

After establsihing a connection with the Postfix service, run:

1
ehlo localhost

You should see a few lines of output. Make sure that the two most important lines are there:

1
2
3
4
. . .
250-STARTTLS
250-AUTH PLAIN LOGIN
. . .

Type quit to get out.

Dovecot

Note: If you followed my last guide and are migrating from Courier, please see Appendix A before continuing.

Install and configure Dovecot.

1
2
3
aptitude install dovecot-imapd dovecot-pop3d
perl -pi -e 's/#mail_location =/mail_location = maildir:\/home\/\%u\/Maildir/' /etc/dovecot/dovecot.conf
/etc/init.d/dovecot restart

If everything went smoothly you should now be in email nirvana. Each user has their own email account and you can move on to virtual accounts if you desire.

Appendix A: Courier to Dovecot Conversion

Please refer to this Dovecot wiki article for detailed information, but in a nutshell:

1
2
3
wget http://www.dovecot.org/tools/courier-dovecot-migrate.pl
chmod 755 courier-dovecot-migrate.pl
./courier-dovecot-migrate.pl --to-dovecot --recursive /home

If everything looks good, then perform the actual conversion.

Note: Even if 0 mailbox changes are shown, the script may still be working. If there aren’t any explicit errors, run the conversion and then check the Maildirs for dovecot indexes.

1
./courier-dovecot-migrate.pl --to-dovecot --convert --recursive /home

For a transparent conversion you will need to setup Dovecot to use INBOX as the namespace for private mailboxes. Edit /etc/dovecot/dovecot.conf and uncomment the namespace private { block (and corresponding } ). Uncomment #prefix = and change to prefix = INBOX. (include the period). Finally, change #inbox = no to inbox = yes. In essence, it should look like the following, which has been stripped of comments for brevity.

1
2
3
4
namespace private {
prefix = INBOX.
inbox = yes
}

Appendix B: SMTP Troubleshooting

If core email services and IMAP are working, but not SMTP, then it’s most likely that sasl is not set up properly. Log entries like the following in /var/log/mail.warn will confirm this:

1
Mar 27 00:36:56 swift postfix/smtpd[12537]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory

Last words

I’ve always found setting up email services on Linux a pain, so hopefully this has helped you get up and running. Please let me know if you find any errors, or have suggestions that would make this guide easier to understand.

74 comments… add one

  • ice Jan 18, 2012

    Hey Jon,

    I messed up. For system mail name, I typed in server1.example.com. I don’t have my own website. Should I have written localhost? I want to be able to localmail myself. I’m just learning to build a contact form with php. Should I change system mail name to localhost? Or leave it blank? In either case, how can I amend system mail name? Thanks.

    • Jon Stacey Jan 19, 2012

      ice, this guide and setup are extreme overkill if you only need to send emails. If that’s the case you only need a simple MTA such as postfix. It won’t allow you to deliver mail locally, but you can deliver to another valid email address (e.g. a gmail account) and will save yourself a lot of unnecessary headaches.

  • Hamda Jan 16, 2012

    when I type /etc/init.d/saslauthd start it tells me “no such file or directory” what should I do? please help :(

    • Jon Stacey Jan 19, 2012

      Sounds like you didn’t install it. apt-get install sasl2-bin

  • jenkinbr Nov 9, 2011

    I’m trying to follow this on Ubunttu Server 10.04 LTS (I assume it should work and that not much has changed compatibility-wise over a year). However, when I get to the part where I run ‘ehlo localhost’ in the telnet session, I do not get the two lines you mentioned that are important. I copied and pasted everything as you posted it, and received no errors, but these two lines don’t show up.

    Any ideas?

    • Jon Stacey Nov 10, 2011

      Jenkinbr, I’m running 10.04 LTS on this very server, but I’ve been upgrading along the way consistently. I took a quick look at the Postfix TLS Documentation and it appears that some of the configuration directives have changed. For example, smtpd_use_tls has been replaced, but it should still work.

      I would start by combing through the configuration file double checking everything related to TLS. It’s also possible that postfix is generating errors silently in /var/log, so check there. Also make sure that the saslauthd service is running and isn’t generating any errors saved to the logs.

      Let us know how it turns out. The guide probably needs a bit of updating.

  • Amit Shah Feb 17, 2011

    Im getting some issue while installing postfix on my Ubuntu server. Below find log for same. Can anyone help me out?

    apt-get install postfix
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Suggested packages:
    postfix-cdb postfix-ldap postfix-mysql postfix-pcre postfix-pgsql resolvconf sasl2-bin
    The following NEW packages will be installed:
    postfix
    0 upgraded, 1 newly installed, 0 to remove and 993 not upgraded.
    1 not fully installed or removed.
    Need to get 0B/1160kB of archives.
    After this operation, 2695kB of additional disk space will be used.
    Preconfiguring packages …
    Selecting previously deselected package postfix.
    (Reading database … 153695 files and directories currently installed.)
    Unpacking postfix (from …/postfix_2.5.1-2ubuntu1.2_i386.deb) …
    Setting up tomcat5.5 (5.5.25-5ubuntu1.2) …
    chown: tomcat55:adm': invalid group
    dpkg: error processing tomcat5.5 (--configure):
    subprocess post-installation script returned error exit status 1
    Setting up postfix (2.5.1-2ubuntu1.2) ...
    chown:
    root:root': invalid group
    dpkg: error processing postfix (–configure):
    subprocess post-installation script returned error exit status 1
    Processing triggers for libc6 …
    ldconfig deferred processing now taking place
    Errors were encountered while processing:
    tomcat5.5
    postfix
    E: Sub-process /usr/bin/dpkg returned an error code (1)

    • Jon Stacey Feb 17, 2011

      Amit,

      Just a hunch, but it looks like you have unresolved issues with the package manager and Tomcat. Those need to be taken care of before installing new packages. For example force the abortion of the failing tomcat installation. This service is unrelated to this email setup guide.

  • Jon Stacey Jan 8, 2011

    There’s no easy answer to that. It really depends on what you deem as safe and acceptable risk. I don’t know the gory details of that option but it does imply that the password is going to be sent in plaintext.

  • Chris Eiffel Jan 8, 2011

    I had to add this

    disable_plaintext_auth = no

    To my /etc/dovecot/dovecot.conf file to get pop3 working from gmail. Is this safe? I get the same

    250-STARTTLS
    250-AUTH PLAIN LOGIN

    I assume this means my password is being transmitted in plaintext from gmail everytime it checks?

  • Anonymous Jul 31, 2010

    Jon —

    http://www.checktls.com/TestReceiver?LEVEL=2

    Feel free to add this link in the body of your wonderful tutorial.

    Simple annotated mail server test. Site is free with a good privacy policy.

  • Martin Jul 16, 2010

    Thanks for this. After trying a number of other tutorials without success, I finally got my mail server up and running. I had Postfix and Dovecot running, and I could send email from the command line, but I couldn’t connect with Thunderbird from another computer. Turns out it was SASL that I was missing.

    • Sohail Sep 2, 2011

      I have installed everything successfully. But I am still having trouble sending email from the command line. I am not sure if I am doing it right. Can anyone please explain me how to do this ?
      At the moment, I am just trying this:
      mail my@self.com < emailmessage.html
      mutt -e "set content_type=text/html" my@self.com < emailmessage.html
      I am a newbie, so please forgive me for my basic questions.

  • Doles Jul 9, 2010

    At the bottom of my /var/log/mail.warn I get the error:
    dovecot: Killed with signal 15 (by pid=1793 uid=0 code=kill)

    I feel it’s so close to working!

  • Alexei Pashkovsky Jun 11, 2010

    Great info !
    Thanks a lot, it was always so painfully complicated, this time I really spent no more than 10min setting all up, amazing!

  • Joe Jun 2, 2010

    Hi, Do i have to go through each user’s directory and create the Maildir directory, or will they already be there when i setup dovecot for Maildir?

    • Jon Stacey Jun 2, 2010

      If I recall correctly, the directories will be created for you the first time you setup the account for the user. You might want to refer to the dovecot wiki for confirmation.

  • Eliecer Dec 18, 2009

    I have no words to say thank you, you has done a great job, may God bless you, hugs from Cuba

  • lanzelotti Dec 9, 2009
  • rekha Sep 5, 2009

    Hi,
    im a newbie.. using linux for the past three months.. currently working with django-postgresql application..

    i followed all the steps given by u, to set up email server in my machine. im using ubuntu9.04.. when i give ” telnet localhost 25 ” it shows me like this,
    Trying ::1…
    Trying ::1…
    Trying 127.0.0.1…
    Connected to localhost.
    Escape character is ‘^]’.
    Connection closed by foreign host.
    what could be the problem?

  • rossi Aug 9, 2009

    I just wondering where i can get ehlo tool coz I using ubuntu 9.04 server and istalled postfix separate or whats included in ubuntu package no socha thing as EHLO..

    • rossi Aug 9, 2009

      ok never mind about ehlo i just discover another problem after
      ./courier-dovecot-migrate.pl –to-dovecot –recursive /home

      i’ve got error No maildirs found

      i justed fixed perl version.

      thx

      • Jon Stacey Aug 9, 2009

        rossi,
        If you’re migrating from courier be sure to read the wiki for the latest information: http://wiki.dovecot.org/Migration/Courier.

        You only need to follow the instructions in Appendix A if you’re migrating from an existing setup. If this truly is the case, one possibility is that your courier configuration is using the older mailbox format rather than Maildir, but that migration is outside the scope of this article.

        • rossi Aug 9, 2009

          is it any mail server program which would be easy to setup i mean without these mile long config files, some nice gui just add FQDNs, IP, users/passwd some mail dir quota, something loke that.

        • Jon Stacey Aug 9, 2009

          GMail, MobileMe? You could always splurge for a control panel that will assist with some of this, but mile long config files are just a typical day in the life of a Linux systems administrator… Have you considered a managed service from someone like MediaTemple?

  • mistert Jul 24, 2009

    Well this works nicely, except for SSL on SMTP.
    Is there any way to enable this?

    Thanks for a great guide!

    • mistert Jul 25, 2009

      Sorry, TLS is what I wanted.

      Seems that my virus-scanner doesnt support TLS, so i disabled scanning of outgoing messages.

      Everything works now!! wee

  • oiboy Jul 2, 2009

    Is there any special way to add users to the email system? Aside of sudo useradd name?

  • blue bell Jun 27, 2009

    Jon:
    I think that you saved me from institutionalization. Thank you very much for your help. If you need to learn how hard to push the power switch on a Pavilion, let me know: I (modestly) consider myself somewhat of an expert.

    blue

  • Sam May 11, 2009

    Nevermind! Figured it out!

    • Jon Stacey May 11, 2009

      Excellent! Glad to hear that you got it working.

  • Jon Stacey May 10, 2009

    Sam, you would use something like mail.mywebsite.org. For example, the hostname of the server running this blog is “bamboo” so I use the FQDN (bamboo.jonsview.com) in the Postfix configuration. Also keep in mind that the address used for email should match the reverse DNS and MX records, both of which use the same FQDN.

    Another little side tip: the hostname should not match any domain that is intended for use on the server. For example, if you wanted to use user@example.org, then the hostname should not be example.org but something unique such as server1.example.org.

    • Sam May 10, 2009

      Ok, I set it up using mail.mywebsite.org (my website being http://www.mywebsite.org in this example).

      I wanted to do all of this so I could use mail on my phpbb forum hosted on my dedicated server. Basically mail wasn’t working (user authenticating emails and such). I’m not quite sure what settings to use now, though. I’ve set it up to work through the local smtp server, however there are 3 boxes I’m unsure what to put in.

      Authentication method for SMTP – options are PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5, POP-BEFORE-SMTP – “Only used if a username/password is set, ask your provider if you are unsure which method to use.”

      SMTP username – “Only enter a username if your SMTP server requires it.”

      SMTP password – “Only enter a password if your SMTP server requires it.”

      Considering I did my install pretty much EXACTLY as you wrote above (with the exception of my own passkey in the ssl directory), what do you think my settings may be?

  • Sam May 10, 2009

    Hi, thanks for a great tut.

    Where you said the stuff about setting it up with your root FQDN and server1.example.com (server FQDN), what if my slicehost server is simply mywebsite.org? I don’t have any subdomain for it. Would I set mywebsite.org in both cases, or did you mean for me to setup something like mywebsite.org as root and mail.mywebsite.org as the system mail name?

  • david Apr 18, 2009

    yes! It is okay now!
    Enh…., but using OE is still a problem in receiving an email

    • Jon Stacey Apr 19, 2009

      The behavior of continually asking for the password seems to indicate that a connection is being made. I would head to the server logs which should indicate why the authorization is being rejected.

      • daniel May 9, 2009

        Is this configuration supported / easily set up on 64-bit hardware and Ubuntu OS?

        • Jon Stacey May 10, 2009

          Daniel, yes. In fact I wrote the guide walking through my x86_64 Ubuntu install. I would imagine that the Ubuntu setup and configuration would be the same for both 32 and 64-bit.

  • Jon Stacey Apr 18, 2009

    David, Looks like I forgot to escape the forward slashes. Try this:

    [cc lang="bash"]perl -pi -e ‘s/#mail_location =/mail_location = maildir:\/home\/\%u\/Maildir/’ /etc/dovecot/dovecot.conf[/cc]

    and then restart Dovecot.

  • david Apr 18, 2009

    BTW, ignoring the errors above, I can use evaluation to send and receive the email from my configured server, but when I try to use Outlook Express in Windows, I can only send out email but can not receive one, the OE always prompt me about the password. What’s the problem in this case?

    Thanks!

  • david Apr 18, 2009

    when I try to run this command “perl -pi -e ‘s/#mail_location =/mail_location = maildir:/home/%u/Maildir/’ /etc/dovecot/dovecot.conf”, I got an error and can not proceed.
    Here is the details:
    syntax error at -e line 1, near “s/#mail_location =/ mail_location = maildir:/home”
    Execution of -e aborted due to compilation errors.

    Can you give me some suggestions?

Leave a Comment


+ seven = 13