How To: Setup Email Services on Ubuntu Using Postfix (TLS+SASL) and Dovecot

March 26, 2009 · 78 comments

Here is a guide on getting Email services running on Ubuntu Intrepid. I used Postfix for core services (SMTP with TLS and SASL) and Dovecot for fast IMAP and POP3. This tutorial has been tested on a bare bones Ubuntu 8.10 slice from Slicehost.

Preamble

Estimated Time Required: 10-15 minutes

This guide makes several assumptions. For example, it assumes that you will use Maildir. If you decide to make any changes, just keep an eye out for any subsequent changes that might be needed down the line. If you are upgrading from another system, such as Courier, please look at Appendix A.

If you prefer Postfix and Courier, refer to my older tutorial which is reported to work with Ubuntu Intrepid.

Postfix

Let’s get core email functionality going with Postfix:

aptitude install postfix sasl2-bin

You will be asked a few questions with a nice graphical interface. Here are the answers for some of them. Replace all occurrences of example.com with your root FQDN (e.g. jonsview.com), and server1.example.com with your server’s FQDN (e.g. swift.jonsview.com).

  • General type of mail configuration? Internet Site
  • System mail name? server1.example.com

Unfortunately, the graphical configuration interface that was automatically launched was a condensed version. You will need to run the full graphical configuration utility.

dpkg-reconfigure postfix

Again, you will be asked some questions:

  • General type of mail configuration? Internet Site
  • System mail name? server1.example.com
  • Root and postmaster mail recipient? Leave blank
  • Other destinations to accept mail for? server1.example.com, example.com, localhost.example.com, localhost
  • Force synchronous updates on mail queue? No
  • Local networks? Leave default (127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128)
  • Mailbox size limit (bytes)? 0
  • Local address extension character? Leave default (+)
  • Internet protocols to use? ipv4 (most likely)

Next, let’s take care of certificates for TLS. You will be asked several questions during this process. Fill them in as you see fit.

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Finish configuring Postfix for TLS and SASL.

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = server1.example.com'
postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

Finally, restart Postfix

/etc/init.d/postfix restart

SASL

Authentication will be done by saslauthd which will need to be configured to support a chrooted Postfix setup. Edit /etc/default/saslauthd and add or change the following settings so that they match:

START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Finish up SASL by creating the chroot directory, adding the postfix user to the sasl group, and then starting saslauthd.

mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
/etc/init.d/saslauthd start

Testing

At this point, core email services should be up and running. Let’s make sure that you’re in good shape before moving on. First, establish a connection with the mail server.

telnet localhost 25

After establishing a connection with the Postfix service, run:

ehlo localhost

You should see a few lines of output. Make sure that the two most important lines are there:

. . .
250-STARTTLS
250-AUTH PLAIN LOGIN
. . .

Type quit to get out.
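
The EHLO check above can be scripted. The following is an added example, not part of the original guide: it classifies an EHLO response captured on a plain (pre-STARTTLS) connection and flags the case this guide's smtpd_tls_auth_only = no produces, where AUTH is announced before TLS is negotiated. The function names and the three sample responses are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit a cleartext EHLO capture (sample responses are constructed).

# Print the SASL mechanisms advertised in an EHLO response read from stdin.
# Accepts "250-AUTH PLAIN LOGIN" and the "250-AUTH=PLAIN LOGIN" duplicate that
# broken_sasl_auth_clients = yes adds; drops the CRs a telnet capture keeps.
ehlo_auth_mechs() {
    tr -d '\r' \
        | sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' \
        | tr ' ' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if the response offers STARTTLS.
ehlo_has_starttls() {
    tr -d '\r' | grep -q '^250[- ]STARTTLS$'
}

# Classify a response captured before any STARTTLS command was sent.
ehlo_verdict() {
    resp=$(cat)
    mechs=$(printf '%s\n' "$resp" | ehlo_auth_mechs)
    if ! printf '%s\n' "$resp" | ehlo_has_starttls; then
        echo "FAIL: STARTTLS not offered"
    elif [ -n "$mechs" ]; then
        echo "WARN: AUTH ($mechs) offered without TLS"
    else
        echo "OK: AUTH withheld until STARTTLS"
    fi
}

# Constructed sample: what this guide's settings (smtpd_tls_auth_only = no) produce.
SAMPLE_GUIDE='250-server1.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

# Constructed sample: the same server with smtpd_tls_auth_only = yes.
SAMPLE_TLS_ONLY='250-server1.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME'

# Constructed sample: TLS not configured at all.
SAMPLE_NO_TLS='250-server1.example.com
250-PIPELINING
250 8BITMIME'

for s in "$SAMPLE_GUIDE" "$SAMPLE_TLS_ONLY" "$SAMPLE_NO_TLS"; do
    printf '%s\n' "$s" | ehlo_verdict
done
```

Setting smtpd_tls_auth_only = yes makes Postfix withhold AUTH until the client has issued STARTTLS, which turns the first verdict into the second.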

Dovecot

Note: If you followed my last guide and are migrating from Courier, please see Appendix A before continuing.

Install and configure Dovecot.

aptitude install dovecot-imapd dovecot-pop3d
perl -pi -e 's/#mail_location =/mail_location = maildir:\/home\/\%u\/Maildir/' /etc/dovecot/dovecot.conf
/etc/init.d/dovecot restart

If everything went smoothly you should now be in email nirvana. Each user has their own email account and you can move on to virtual accounts if you desire.

Appendix A: Courier to Dovecot Conversion

Please refer to this Dovecot wiki article for detailed information, but in a nutshell:

wget http://www.dovecot.org/tools/courier-dovecot-migrate.pl
chmod 755 courier-dovecot-migrate.pl
./courier-dovecot-migrate.pl --to-dovecot --recursive /home

If everything looks good, then perform the actual conversion.

Note: Even if 0 mailbox changes are shown, the script may still be working. If there aren’t any explicit errors, run the conversion and then check the Maildirs for dovecot indexes.

./courier-dovecot-migrate.pl --to-dovecot --convert --recursive /home

For a transparent conversion you will need to set up Dovecot to use INBOX as the namespace for private mailboxes. Edit /etc/dovecot/dovecot.conf and uncomment the namespace private { block (and corresponding } ). Uncomment #prefix = and change to prefix = INBOX. (include the period). Finally, change #inbox = no to inbox = yes. In essence, it should look like the following, which has been stripped of comments for brevity.

namespace private {
prefix = INBOX.
inbox = yes
}

Appendix B: SMTP Troubleshooting

If core email services and IMAP are working, but not SMTP, then it’s most likely that sasl is not set up properly. Log entries like the following in /var/log/mail.warn will confirm this:

Mar 27 00:36:56 swift postfix/smtpd[12537]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
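
One way to narrow down that warning, as an added example that is not part of the original guide: the script below reads a saslauthd defaults file and a Postfix queue directory and reports the first mismatch with the SASL steps above. Function names and the scratch-directory demo files are assumptions made for illustration; the log line is the one quoted above.

```bash
#!/bin/sh
# Added example: find why chrooted Postfix cannot reach saslauthd.
# File locations are arguments so copies can be checked; names are illustrative.
# Real use: sasl_diagnose /etc/default/saslauthd /var/spool/postfix

# Print the directory passed to -m in the OPTIONS= line of a saslauthd defaults file.
saslauthd_mux_dir() {
    sed -n 's/^OPTIONS=.*-m[[:space:]]\{1,\}\([^"[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Count occurrences of the Appendix B warning in a mail log.
sasl_connect_failures() {
    grep -c 'SASL authentication failure: cannot connect to saslauthd server' "$1" || true
}

# sasl_diagnose <defaults-file> <postfix-queue-dir>
# Prints the first problem found, following the order of the guide's SASL steps.
sasl_diagnose() {
    defaults=$1
    queue=${2%/}
    dir=$(saslauthd_mux_dir "$defaults")
    if ! grep -q '^START=yes' "$defaults"; then
        echo "saslauthd disabled: set START=yes"
        return 0
    fi
    case $dir in
        "") echo "no -m option: saslauthd uses its built-in socket directory"; return 0 ;;
        "$queue"/*) ;;
        *) echo "socket dir $dir is outside the chroot $queue"; return 0 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "socket dir $dir does not exist: run mkdir -p"
    elif [ ! -S "$dir/mux" ]; then
        echo "no mux socket in $dir: saslauthd is not running"
    else
        echo "socket present: check that postfix is in group sasl"
    fi
}

# Demo on constructed files in a scratch directory; nothing under /etc is read.
demo=$(mktemp -d)
mkdir -p "$demo/queue"
# Constructed stand-in for a defaults file whose OPTIONS line was never edited.
printf 'START=yes\nOPTIONS="-c -m /var/run/saslauthd"\n' > "$demo/saslauthd"
# The warning quoted in Appendix B.
echo 'Mar 27 00:36:56 swift postfix/smtpd[12537]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory' > "$demo/mail.warn"
echo "failures logged: $(sasl_connect_failures "$demo/mail.warn")"
sasl_diagnose "$demo/saslauthd" "$demo/queue"
rm -rf "$demo"
```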

Last words

I’ve always found setting up email services on Linux a pain, so hopefully this has helped you get up and running. Please let me know if you find any errors, or have suggestions that would make this guide easier to understand.


ice January 18, 2012 at 3:25 am

Hey Jon,

I messed up. For system mail name, I typed in server1.example.com. I don’t have my own website. Should I have written localhost? I want to be able to localmail myself. I’m just learning to build a contact form with php. Should I change system mail name to localhost? Or leave it blank? In either case, how can I amend system mail name? Thanks.


Jon Stacey January 19, 2012 at 3:59 pm

ice, this guide and setup are extreme overkill if you only need to send emails. If that’s the case you only need a simple MTA such as postfix. It won’t allow you to deliver mail locally, but you can deliver to another valid email address (e.g. a gmail account) and will save yourself a lot of unnecessary headaches.


Hamda January 16, 2012 at 4:45 am

When I type /etc/init.d/saslauthd start it tells me “no such file or directory”. What should I do? Please help :(


Jon Stacey January 19, 2012 at 3:49 pm

Sounds like you didn’t install it. apt-get install sasl2-bin


jenkinbr November 9, 2011 at 11:27 pm

I’m trying to follow this on Ubuntu Server 10.04 LTS (I assume it should work and that not much has changed compatibility-wise over a year). However, when I get to the part where I run ‘ehlo localhost’ in the telnet session, I do not get the two lines you mentioned that are important. I copied and pasted everything as you posted it, and received no errors, but these two lines don’t show up.

Any ideas?


Jon Stacey November 10, 2011 at 8:12 am

Jenkinbr, I’m running 10.04 LTS on this very server, but I’ve been upgrading along the way consistently. I took a quick look at the Postfix TLS Documentation and it appears that some of the configuration directives have changed. For example, smtpd_use_tls has been replaced, but it should still work.

I would start by combing through the configuration file double checking everything related to TLS. It’s also possible that postfix is generating errors silently in /var/log, so check there. Also make sure that the saslauthd service is running and isn’t generating any errors saved to the logs.

Let us know how it turns out. The guide probably needs a bit of updating.


Amit Shah February 17, 2011 at 6:46 am

I’m getting some issue while installing postfix on my Ubuntu server. Below find log for same. Can anyone help me out?

apt-get install postfix
Reading package lists… Done
Building dependency tree
Reading state information… Done
Suggested packages:
postfix-cdb postfix-ldap postfix-mysql postfix-pcre postfix-pgsql resolvconf sasl2-bin
The following NEW packages will be installed:
postfix
0 upgraded, 1 newly installed, 0 to remove and 993 not upgraded.
1 not fully installed or removed.
Need to get 0B/1160kB of archives.
After this operation, 2695kB of additional disk space will be used.
Preconfiguring packages …
Selecting previously deselected package postfix.
(Reading database … 153695 files and directories currently installed.)
Unpacking postfix (from …/postfix_2.5.1-2ubuntu1.2_i386.deb) …
Setting up tomcat5.5 (5.5.25-5ubuntu1.2) …
chown: `tomcat55:adm': invalid group
dpkg: error processing tomcat5.5 (--configure):
subprocess post-installation script returned error exit status 1
Setting up postfix (2.5.1-2ubuntu1.2) ...
chown: `root:root': invalid group
dpkg: error processing postfix (--configure):
subprocess post-installation script returned error exit status 1
subprocess post-installation script returned error exit status 1
Processing triggers for libc6 …
ldconfig deferred processing now taking place
Errors were encountered while processing:
tomcat5.5
postfix
E: Sub-process /usr/bin/dpkg returned an error code (1)


Jon Stacey February 17, 2011 at 8:36 am

Amit,

Just a hunch, but it looks like you have unresolved issues with the package manager and Tomcat. Those need to be taken care of before installing new packages. For example force the abortion of the failing tomcat installation. This service is unrelated to this email setup guide.


Jon Stacey January 8, 2011 at 12:20 pm

There’s no easy answer to that. It really depends on what you deem as safe and acceptable risk. I don’t know the gory details of that option but it does imply that the password is going to be sent in plaintext.


Chris Eiffel January 8, 2011 at 2:20 am

I had to add this

disable_plaintext_auth = no

To my /etc/dovecot/dovecot.conf file to get pop3 working from gmail. Is this safe? I get the same

250-STARTTLS
250-AUTH PLAIN LOGIN

I assume this means my password is being transmitted in plaintext from gmail every time it checks?


Anonymous July 31, 2010 at 10:12 am

Jon —

http://www.checktls.com/TestReceiver?LEVEL=2

Feel free to add this link in the body of your wonderful tutorial.

Simple annotated mail server test. Site is free with a good privacy policy.


Martin July 16, 2010 at 10:04 pm

Thanks for this. After trying a number of other tutorials without success, I finally got my mail server up and running. I had Postfix and Dovecot running, and I could send email from the command line, but I couldn’t connect with Thunderbird from another computer. Turns out it was SASL that I was missing.


Sohail September 2, 2011 at 2:29 pm

I have installed everything successfully. But I am still having trouble sending email from the command line. I am not sure if I am doing it right. Can anyone please explain to me how to do this?
At the moment, I am just trying this:
mail my@self.com < emailmessage.html
mutt -e "set content_type=text/html" my@self.com < emailmessage.html
I am a newbie, so please forgive me for my basic questions.


Doles July 9, 2010 at 10:59 pm

At the bottom of my /var/log/mail.warn I get the error:
dovecot: Killed with signal 15 (by pid=1793 uid=0 code=kill)

I feel it’s so close to working!


Alexei Pashkovsky June 11, 2010 at 11:50 am

Great info!
Thanks a lot, it was always so painfully complicated, this time I really spent no more than 10min setting all up, amazing!


Joe June 2, 2010 at 5:13 pm

Hi, do I have to go through each user’s directory and create the Maildir directory, or will they already be there when I set up dovecot for Maildir?


Jon Stacey June 2, 2010 at 5:36 pm

If I recall correctly, the directories will be created for you the first time you set up the account for the user. You might want to refer to the dovecot wiki for confirmation.


Eliecer December 18, 2009 at 4:44 am

I have no words to say thank you, you have done a great job, may God bless you, hugs from Cuba.


lanzelotti December 9, 2009 at 4:54 pm
rekha September 5, 2009 at 2:56 am

Hi,
I’m a newbie, using Linux for the past three months, currently working with a django-postgresql application.

I followed all the steps given by you to set up an email server on my machine. I’m using Ubuntu 9.04. When I give “telnet localhost 25” it shows me this:
Trying ::1…
Trying ::1…
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
Connection closed by foreign host.
What could be the problem?


rossi August 9, 2009 at 5:30 am

I’m just wondering where I can get the ehlo tool, because I’m using Ubuntu 9.04 server and installed postfix separately (or what’s included in the Ubuntu package), and there is no such thing as EHLO.


rossi August 9, 2009 at 6:39 am

OK, never mind about ehlo, I just discovered another problem after
./courier-dovecot-migrate.pl --to-dovecot --recursive /home

I’ve got the error: No maildirs found

I just fixed the perl version.

thx


Jon Stacey August 9, 2009 at 1:04 pm

rossi,
If you’re migrating from courier be sure to read the wiki for the latest information: http://wiki.dovecot.org/Migration/Courier.

You only need to follow the instructions in Appendix A if you’re migrating from an existing setup. If this truly is the case, one possibility is that your courier configuration is using the older mailbox format rather than Maildir, but that migration is outside the scope of this article.


rossi August 9, 2009 at 3:11 pm

Is there any mail server program which would be easy to set up, I mean without these mile long config files, some nice GUI to just add FQDNs, IP, users/passwd, some mail dir quota, something like that?


Jon Stacey August 9, 2009 at 4:07 pm

GMail, MobileMe? You could always splurge for a control panel that will assist with some of this, but mile long config files are just a typical day in the life of a Linux systems administrator… Have you considered a managed service from someone like MediaTemple?


mistert July 24, 2009 at 8:18 am

Well this works nicely, except for SSL on SMTP.
Is there any way to enable this?

Thanks for a great guide!


mistert July 25, 2009 at 12:23 am

Sorry, TLS is what I wanted.

Seems that my virus-scanner doesn’t support TLS, so I disabled scanning of outgoing messages.

Everything works now!! wee


oiboy July 2, 2009 at 7:53 pm

Is there any special way to add users to the email system? Aside of sudo useradd name?


Jon Stacey July 2, 2009 at 9:08 pm

oiboy, yes, virtual user/boxes are possible. It’s been years since I’ve used them (and on an Exim setup), but Dovecot appears to have a similar capability. Here’s the link: http://wiki.dovecot.org/VirtualUsers.


blue bell June 27, 2009 at 8:47 am

Jon:
I think that you saved me from institutionalization. Thank you very much for your help. If you need to learn how hard to push the power switch on a Pavilion, let me know: I (modestly) consider myself somewhat of an expert.

blue


Sam May 11, 2009 at 12:36 am

Nevermind! Figured it out!


Jon Stacey May 11, 2009 at 8:10 am

Excellent! Glad to hear that you got it working.


Jon Stacey May 10, 2009 at 10:55 pm

Sam, you would use something like mail.mywebsite.org. For example, the hostname of the server running this blog is “bamboo” so I use the FQDN (bamboo.jonsview.com) in the Postfix configuration. Also keep in mind that the address used for email should match the reverse DNS and MX records, both of which use the same FQDN.

Another little side tip: the hostname should not match any domain that is intended for use on the server. For example, if you wanted to use user@example.org, then the hostname should not be example.org but something unique such as server1.example.org.


Sam May 10, 2009 at 11:53 pm

Ok, I set it up using mail.mywebsite.org (my website being http://www.mywebsite.org in this example).

I wanted to do all of this so I could use mail on my phpbb forum hosted on my dedicated server. Basically mail wasn’t working (user authenticating emails and such). I’m not quite sure what settings to use now, though. I’ve set it up to work through the local smtp server, however there are 3 boxes I’m unsure what to put in.

Authentication method for SMTP – options are PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5, POP-BEFORE-SMTP – “Only used if a username/password is set, ask your provider if you are unsure which method to use.”

SMTP username – “Only enter a username if your SMTP server requires it.”

SMTP password – “Only enter a password if your SMTP server requires it.”

Considering I did my install pretty much EXACTLY as you wrote above (with the exception of my own passkey in the ssl directory), what do you think my settings may be?


Sam May 10, 2009 at 9:37 pm

Hi, thanks for a great tut.

Where you said the stuff about setting it up with your root FQDN and server1.example.com (server FQDN), what if my slicehost server is simply mywebsite.org? I don’t have any subdomain for it. Would I set mywebsite.org in both cases, or did you mean for me to set up something like mywebsite.org as root and mail.mywebsite.org as the system mail name?


david April 18, 2009 at 7:25 pm

yes! It is okay now!
Enh…., but using OE is still a problem in receiving an email


Jon Stacey April 19, 2009 at 3:52 am

The behavior of continually asking for the password seems to indicate that a connection is being made. I would head to the server logs which should indicate why the authorization is being rejected.


daniel May 9, 2009 at 6:56 am

Is this configuration supported / easily set up on 64-bit hardware and Ubuntu OS?


Jon Stacey May 10, 2009 at 11:16 am

Daniel, yes. In fact I wrote the guide walking through my x86_64 Ubuntu install. I would imagine that the Ubuntu setup and configuration would be the same for both 32 and 64-bit.


Jon Stacey April 18, 2009 at 1:09 pm

David, Looks like I forgot to escape the forward slashes. Try this:

perl -pi -e 's/#mail_location =/mail_location = maildir:\/home\/\%u\/Maildir/' /etc/dovecot/dovecot.conf

and then restart Dovecot.


david April 18, 2009 at 10:54 am

BTW, ignoring the errors above, I can use evaluation to send and receive the email from my configured server, but when I try to use Outlook Express in Windows, I can only send out email but cannot receive one; OE always prompts me about the password. What’s the problem in this case?

Thanks!


david April 18, 2009 at 10:37 am

When I try to run this command “perl -pi -e ‘s/#mail_location =/mail_location = maildir:/home/%u/Maildir/’ /etc/dovecot/dovecot.conf”, I get an error and cannot proceed.
Here are the details:
syntax error at -e line 1, near “s/#mail_location =/ mail_location = maildir:/home”
Execution of -e aborted due to compilation errors.

Can you give me some suggestions?

