How To: Setup Email Services on Ubuntu Using Postfix (TLS+SASL) and Dovecot

Here is a guide on getting email services running on Ubuntu Intrepid. I used Postfix for core services (SMTP with TLS and SASL) and Dovecot for fast IMAP and POP3. This tutorial has been tested on a bare-bones Ubuntu 8.10 slice from Slicehost.

Preamble

Estimated Time Required: 10-15 minutes

This guide makes several assumptions. For example, it assumes that you will use Maildir. If you decide to make any changes, just keep an eye out for any subsequent changes that might be needed down the line. If you are upgrading from another system, such as Courier, please look at Appendix A.

If you prefer Postfix and Courier, refer to my older tutorial which is reported to work with Ubuntu Intrepid.

Postfix

Let’s get core email functionality going with Postfix:

aptitude install postfix sasl2-bin

You will be asked a few questions with a nice graphical interface. Here are the answers for some of them. Replace all occurrences of example.com with your root FQDN (e.g. jonsview.com), and server1.example.com with your server’s FQDN (e.g. swift.jonsview.com).

* General type of mail configuration? Internet Site
* System mail name? server1.example.com

Unfortunately, the graphical configuration interface that was automatically launched was a condensed version. You will need to run the full graphical configuration utility.

dpkg-reconfigure postfix

Again, you will be asked some questions:

* General type of mail configuration? Internet Site
* System mail name? server1.example.com
* Root and postmaster mail recipient? Leave blank
* Other destinations to accept mail for? server1.example.com, example.com, localhost.example.com, localhost
* Force synchronous updates on mail queue? No
* Local networks? Leave default (127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128)
* Mailbox size limit (bytes)? 0
* Local address extension character? Leave default (+)
* Internet protocols to use? ipv4 (most likely)

Next, let’s take care of certificates for TLS. You will be asked several questions during this process. Fill them in as you see fit.

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
# 2048-bit RSA key (OpenSSL security level 2 rejects anything shorter)
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Finish configuring Postfix for TLS and SASL.

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = server1.example.com'
postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

Finally, restart Postfix:

/etc/init.d/postfix restart

SASL

Authentication will be done by saslauthd which will need to be configured to support a chrooted Postfix setup. Edit /etc/default/saslauthd and add or change the following settings so that they match:

START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Finish up SASL by creating the chroot directory, adding the postfix user to the sasl group, and then starting saslauthd.

mkdir -p /var/spool/postfix/var/run/saslauthd
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
/etc/init.d/saslauthd start

Testing

At this point, core email services should be up and running. Let’s make sure that you’re in good shape before moving on. First, establish a connection with the mail server.

telnet localhost 25

After establishing a connection with the Postfix service, run:

ehlo localhost

You should see a few lines of output. Make sure that the two most important lines are there:

. . .
250-STARTTLS
250-AUTH PLAIN LOGIN
. . .

Type quit to get out.
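The check above, automated as an added example (not part of the original guide): the hypothetical ehlo_audit function reads the EHLO reply and also reports which mechanisms are offered before STARTTLS, which is what smtpd_tls_auth_only = no permits. Both sample replies are constructed.

```shell
#!/bin/sh
# Added example. Reads the server's reply to "ehlo localhost" on stdin, as seen
# on the plain port-25 session before STARTTLS, and prints one finding per line.
# Returns 0 when STARTTLS is advertised, 1 when it is not.
ehlo_audit() {
    cr=$(printf '\r')
    starttls=no
    mechs=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                      # SMTP replies end in CRLF
        case "$line" in
            "250-STARTTLS"|"250 STARTTLS") starttls=yes ;;
            "250-AUTH "*|"250 AUTH "*)     mechs=${line#250?AUTH } ;;
        esac
    done
    if [ -z "$mechs" ]; then
        echo "AUTH: not offered before STARTTLS"
    else
        for m in $mechs; do
            case "$m" in
                PLAIN|LOGIN) echo "AUTH: $m offered before STARTTLS (password sent base64-encoded, not encrypted)" ;;
                *)           echo "AUTH: $m offered before STARTTLS" ;;
            esac
        done
    fi
    if [ "$starttls" = yes ]; then
        echo "STARTTLS: advertised"
        return 0
    fi
    echo "STARTTLS: missing"
    return 1
}

# Constructed sample: reply produced by the settings in this guide
# (smtpd_tls_auth_only = no, mech_list: plain login, broken_sasl_auth_clients = yes).
sample_guide() {
    printf '250-server1.example.com\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250-AUTH=PLAIN LOGIN\r\n250 8BITMIME\r\n'
}

# Constructed sample: the same server after 'smtpd_tls_auth_only = yes'.
sample_tls_only() {
    printf '250-server1.example.com\r\n250-STARTTLS\r\n250 8BITMIME\r\n'
}

sample_guide | ehlo_audit
sample_tls_only | ehlo_audit
```

Against a live server, save the EHLO reply from the telnet session to a file and feed it in with ehlo_audit < reply.txt.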

Dovecot

Note: If you followed my last guide and are migrating from Courier, please see Appendix A before continuing.

Install and configure Dovecot.

aptitude install dovecot-imapd dovecot-pop3d
perl -pi -e 's/#mail_location =/mail_location = maildir:\/home\/\%u\/Maildir/' /etc/dovecot/dovecot.conf
/etc/init.d/dovecot restart

If everything went smoothly you should now be in email nirvana. Each user has their own email account and you can move on to virtual accounts if you desire.

Appendix A: Courier to Dovecot Conversion

Please refer to this Dovecot wiki article for detailed information, but in a nutshell:

wget http://www.dovecot.org/tools/courier-dovecot-migrate.pl
chmod 755 courier-dovecot-migrate.pl
./courier-dovecot-migrate.pl --to-dovecot --recursive /home

If everything looks good, then perform the actual conversion.

Note: Even if 0 mailbox changes are shown, the script may still be working. If there aren’t any explicit errors, run the conversion and then check the Maildirs for dovecot indexes.

./courier-dovecot-migrate.pl --to-dovecot --convert --recursive /home

For a transparent conversion you will need to set up Dovecot to use INBOX as the namespace for private mailboxes. Edit /etc/dovecot/dovecot.conf and uncomment the namespace private { block (and the corresponding }). Uncomment #prefix = and change it to prefix = INBOX. (including the trailing period). Finally, change #inbox = no to inbox = yes. The result should look like the following, which has been stripped of comments for brevity.

namespace private {
prefix = INBOX.
inbox = yes
}

Appendix B: SMTP Troubleshooting

If core email services and IMAP are working, but not SMTP, then it’s most likely that SASL is not set up properly. Log entries like the following in /var/log/mail.warn will confirm this:

Mar 27 00:36:56 swift postfix/smtpd[12537]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
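One way to narrow down the warning above, as an added example (not part of the original guide): the hypothetical sasl_diag function compares /etc/default/saslauthd with the chrooted socket path this guide sets up. It assumes saslauthd names its socket mux inside the -m directory; the defaults file built in demo is constructed.

```shell
#!/bin/sh
# Added example. Usage: sasl_diag MAIL_WARN DEFAULTS_FILE [CHROOT]
# Prints the number of Appendix B warnings, then the first cause found.
# Returns 0 when the socket is where a chrooted smtpd expects it, else 1.
sasl_diag() {
    log=$1 defaults=$2 chroot=${3:-/var/spool/postfix}
    want="$chroot/var/run/saslauthd"
    hits=$(grep -c 'cannot connect to saslauthd server' "$log" || true)
    echo "log: $hits saslauthd connection warning(s)"
    start=$(sed -n 's/^START=//p' "$defaults" | tail -n 1)
    mdir=$(sed -n 's/^OPTIONS=.*-m[[:space:]]*\([^" ]*\).*/\1/p' "$defaults" | tail -n 1)
    if [ "$start" != yes ]; then
        echo "cause: START is not 'yes' in $defaults"
    elif [ "$mdir" != "$want" ]; then
        echo "cause: OPTIONS puts the socket in '$mdir', expected $want"
    elif [ ! -d "$want" ]; then
        echo "cause: directory $want does not exist"
    elif [ ! -S "$want/mux" ]; then
        echo "cause: no socket at $want/mux (saslauthd not running?)"
    else
        echo "ok: socket present at $want/mux"
        return 0
    fi
    return 1
}

# Demo on constructed files: the log line quoted above plus a defaults file
# whose socket directory was left outside the Postfix chroot.
demo() {
    tmp=$(mktemp -d)
    echo 'Mar 27 00:36:56 swift postfix/smtpd[12537]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory' > "$tmp/mail.warn"
    printf 'START=yes\nOPTIONS="-c -m /var/run/saslauthd"\n' > "$tmp/saslauthd"
    sasl_diag "$tmp/mail.warn" "$tmp/saslauthd" "$tmp/chroot"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
demo || true
```

On the server itself, run sasl_diag /var/log/mail.warn /etc/default/saslauthd as root.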

Last words

I’ve always found setting up email services on Linux a pain, so hopefully this has helped you get up and running. Please let me know if you find any errors, or have suggestions that would make this guide easier to understand.

Comments
  • Sachin Bhaderia May 30, 2018

    Jon Stacey,
    Thank you so much, I was running into a lot of problems and you came like a superhero for me.

    Now I am facing only one problem: from my Postfix Office 365 SMTP, the mails are not being received on Gmail only, and I am not getting any error.
    I have tried with:
    inet_protocols = all or
    inet_protocols = ipv4 or
    inet_protocols = ipv6

    Please let me know if you can help me to solve the problem.

    Thank you once again.
    Have a great day.

  • artsdefrance.org Mar 31, 2016

    Thank you for the auspicious writeup. It in truth used to be a
    leisure account it. Look advanced to far added agreeable from you!

    By the way, how could we keep in touch?

  • Justin May 19, 2014

    Hi Jon, thank you for the instructions, but I'm having a problem on my server: I can send email but I can't receive or find the reply when I type ‘mail’ to view my mbox.
    I just copy-pasted everything and edited what is necessary, and everything seems fine except for receiving email. I don't get a mailer daemon error reply as well.

    Here is my syslog:
    connect from mail-vc0-f182.google.com[209.85.220.182]
    01589940067: message-id=20140519095639.01589940067@five.ph
    disconnect from mail-vc0-f182.google.com[209.85.220.182]
    01589940067: from=double-bounce@five.ph, size=867, nrcpt=1 (queue active)
    01589940067: to=campadmin@five.ph, orig_to=, relay=local, delay=0.07, delays=0.03/0/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)
    removed

  • kanny Apr 17, 2014

    Hi Jon….
    Thank you very much…
    You saved my life.. 🙂

  • ayush Nov 17, 2013

    How should I move now? Can I use postfixadmin to manage users?

    • Jon Stacey Nov 17, 2013

      Hi Ayush, that’s one possible next step. I’ve never used Postfix Admin since I only have a handful of email accounts that I manage [all mine]. So editing config files directly doesn’t bug me. If I had dozens or more accounts to manage then I would probably look into Postfix Admin, or perhaps Webmin to make those tasks easier.
