Postfix MTA + Dovecot IMAP/POP3 Server with SSL for IMAP, POP3, and SMTP Auth

Goal: Have a working SMTP process that accepts mail from remote MTAs for locally hosted domains and also relays mail for SMTP-authenticated clients to the appropriate destinations. We want SMTP auth clients (such as Outlook, Thunderbird, or handhelds) to use the same username and password that they use for incoming IMAP.

A. Install the needed packages:

apt-get install libsasl2-2 libsasl2-modules postfix dovecot-common dovecot-imapd dovecot-pop3d

B. Setup /etc/postfix/main.cf

B1. Basic postfix settings for users and maps:

# relayhost = 
mynetworks = 127.0.0.0/8
myhostname = esoomllub.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, hash:/etc/postfix/mydestination
virtual_maps  = hash:/etc/postfix/virtual/addresses

The mydestination hash file /etc/postfix/mydestination will contain the list of domains the system accepts mail for locally. Edit this file and put each domain or subdomain on a line by itself, followed by a tab and then the domain again. Run this command to refresh the database:

cd /etc/postfix; postmap mydestination

The virtual_maps database maps an incoming email address to a local system account (an entry in /etc/passwd, i.e. a valid user). The format is the email alias, a tab, then the local user account. You can also use this file to redirect or forward email; in that case the right-hand side is one or more local accounts and/or fully qualified email addresses, for example:

dev@abc.com	dbrooks,testman@example.com,kent

This is how you would create a mailing list. Run this command to refresh the database:

cd /etc/postfix/virtual/; postmap addresses

B2. Tuning - these settings help keep system usage reasonable and make sure we do not abuse remote MTAs. Note that the maximum number of recipients a single message passing through the system can be delivered to is set to 100.

## tweaks to improve delivery to yahoo.com:
default_process_limit = 10
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 2
initial_destination_concurrency = 2
smtpd_client_connection_count_limit = 10

default_destination_recipient_limit = 100

smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 225s

disable_vrfy_command = yes
smtpd_timeout = 180s

smtpd_error_sleep_time = 3s
smtpd_helo_required = yes

# The message_size_limit parameter limits the total size in bytes of
# a message, including envelope information.
message_size_limit = 45000000

 

C. sasl (smtp auth) configuration

SMTP AUTH allows mail clients that have user accounts to log in and relay mail.

C1. In the Dovecot (IMAP) server we configure a socket in the Postfix chroot directory that the Postfix process will use to ask Dovecot whether an SMTP AUTH username and password should be accepted. In /etc/dovecot/dovecot.conf the settings are in the auth default stanza:

auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  # NOTE: See also disable_plaintext_auth setting.
  mechanisms = plain login

  socket listen {
    # Socket Postfix uses to verify SMTP AUTH credentials against Dovecot.
    # The path is relative to the Postfix chroot (/var/spool/postfix).
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

C2. Restart dovecot and watch the log:

/etc/init.d/dovecot stop
/etc/init.d/dovecot start
tail -f /var/log/mail.log

Ensure that there are no errors.

C3. Configure postfix to talk to dovecot. Add these settings to /etc/postfix/main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Then restart postfix and watch the log:

/etc/init.d/postfix stop
/etc/init.d/postfix start
tail -f /var/log/mail.log

Ensure that there are no errors.

C4. postfix master.cf process configuration: Ensure that the smtp and submission service lines are uncommented. They should look like this:

smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

You will need to restart postfix again and check for errors if you change this file.

C5. At this point we can test the configuration using swaks. This first test should fail, since we are NOT an open relay:

swaks -f jlarsen@richweb.com -t jlarsen@richweb.com -s 208.73.137.146

and we see:

<** 554 5.7.1 <jlarsen@richweb.com>: Relay access denied

which is good. Next, a message to a valid local recipient:

swaks -f jlarsen@richweb.com -t customseo@esoomllub.com -s 208.73.137.146

That works, since customseo@esoomllub.com is a valid recipient:

<-  250 2.0.0 Ok: queued as F3632C38096

Now we test with SMTP AUTH. jlarsen@richweb.com is NOT a local destination, so we are asking the server to relay for us, just like a mail client that uses this server for relay would:

swaks -f customseo@esoomllub.com -t jlarsen@richweb.com -s 208.73.137.146 \
  -au jlarsen -ap 99test99 -apt

jlarsen is a valid local user account and 99test99 is the password, so this works as expected:

<-  250 2.0.0 Ok: queued as F3632C38096

Now we break the password intentionally:

swaks -f customseo@esoomllub.com -t jlarsen@richweb.com -s 208.73.137.146 \
  -au jlarsen -ap 99test9XX -apt

<** 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
 -> AUTH PLAIN \0jlarsen\099test9XX
<** 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
*** No authentication type succeeded

And we see that it is blocked due to the login failure (correct).

C6. We use an open relay checker such as http://www.dnsgoodies.com/ just to be sure our server is not open in any way. The result:

Good News! All tests for an open relay on your mail server failed. Your mail server does not allow open relay.
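The swaks output above is easier to read once you see what the AUTH PLAIN blob and the base64 text in the 535 reply actually contain. This added Python example (not part of the original page) encodes and decodes SASL PLAIN the way swaks and Dovecot do, and classifies swaks transcripts into the three outcomes tested in C5; the transcripts are constructed to match the output shown above, and the 235 reply line is an assumption.

```python
import base64
import re

# swaks marks server lines "<-  " (normal) or "<** " (error); client lines " -> ".
SERVER_LINE = re.compile(r"^\s*<(?:-|\*\*)\s+(\d{3})[ -](.*)$")

def sasl_plain_encode(authcid, password, authzid=""):
    """AUTH PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()

def sasl_plain_decode(blob):
    """Recover (authzid, authcid, password): base64 is encoding, not encryption."""
    authzid, authcid, password = base64.b64decode(blob).decode().split("\0", 2)
    return authzid, authcid, password

def decode_challenge(blob):
    """Dovecot's 535 reply quotes the last base64 challenge it sent to the client."""
    return base64.b64decode(blob).decode()

def server_replies(transcript):
    """Collect (code, text) for each server reply line in a swaks transcript."""
    return [(int(m.group(1)), m.group(2))
            for m in map(SERVER_LINE.match, transcript.splitlines()) if m]

def classify(transcript):
    """Map a swaks run onto the three outcomes checked in C5."""
    replies = server_replies(transcript)
    codes = {code for code, _ in replies}
    text = " ".join(t for _, t in replies)
    if 535 in codes:
        return "auth_failed"
    if 554 in codes and "Relay access denied" in text:
        return "relay_denied"
    if 250 in codes and "queued as" in text:
        return "accepted"
    return "unknown"

# Constructed transcripts modelled on the swaks output shown in C5.
RELAY_DENIED = """\
<** 554 5.7.1 <jlarsen@richweb.com>: Relay access denied
"""
AUTH_OK = """\
 -> AUTH PLAIN AGpsYXJzZW4AOTl0ZXN0OTk=
<-  235 2.7.0 Authentication successful
<-  250 2.0.0 Ok: queued as F3632C38096
"""
AUTH_FAIL = """\
 -> AUTH PLAIN AGpsYXJzZW4AOTl0ZXN0OVhY
<** 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
"""
```

Decoding UGFzc3dvcmQ6 gives "Password:", and decoding the AUTH PLAIN blob gives the username and password back in full, which is why section D moves SMTP AUTH onto TLS.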

D. Using SSL to secure IMAP and SMTP Auth

D1. Generate a key. First build a seed file with some extra entropy:

cd /etc/postfix
openssl rand -out rand_seed 131072
ps aux | md5sum >> rand_seed
# wait some time ... a few seconds or a minute
ps aux | md5sum >> rand_seed
# wait some time ... a few seconds or a minute
ps aux | md5sum >> rand_seed

Generate the key:

openssl genrsa -rand rand_seed -out esoomllub.key 2048
rm -f rand_seed*

Generate and self-sign the cert:

openssl req -new -x509 -nodes -sha1 -days 1460 -key esoomllub.key -out esoomllub.com.crt

These parameters were used in the dialogue:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Virginia
Locality Name (eg, city) []:Glen Allen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Richweb, Inc
Organizational Unit Name (eg, section) []:Richweb Hosting
Common Name (eg, YOUR name) []:esoomllub.com
Email Address []:kallen@richweb.com

D2. Edit /etc/postfix/main.cf:

# TLS parameters
smtpd_tls_cert_file=/etc/postfix/esoomllub.com.crt
smtpd_tls_key_file=/etc/postfix/esoomllub.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

D3. Edit /etc/dovecot/dovecot.conf:

protocols = imaps pop3s
disable_plaintext_auth = yes

# Disable SSL/TLS support.
ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root.
ssl_cert_file = /etc/postfix/esoomllub.com.crt
ssl_key_file = /etc/postfix/esoomllub.key

ssl_verify_client_cert = no

# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168

# SSL ciphers to use
ssl_cipher_list = ALL:!LOW

# Show protocol level SSL errors.
#verbose_ssl = no

D4. Restart dovecot and postfix.
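As an added example (not from the original page), the following Python check parses a main.cf fragment and flags the two mistakes the settings in C3 and D2 guard against: relaying without reject_unauth_destination, and offering SMTP AUTH without TLS. The sample configs are constructed from the page's own values plus a weakened variant.

```python
import re

def parse_main_cf(text):
    """Parse Postfix main.cf: 'name = value', '#' comments, whitespace-led continuations."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:          # continuation of the previous value
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def as_list(params, name):
    """Split a comma/space separated Postfix list value into tokens."""
    return [t for t in re.split(r"[,\s]+", params.get(name, "")) if t]

def relay_findings(params):
    """Return the problems found in the relay / SMTP AUTH settings (empty = pass)."""
    findings = []
    rcpt = as_list(params, "smtpd_recipient_restrictions")
    if not {"reject_unauth_destination", "defer_unauth_destination", "reject"} & set(rcpt):
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    tls_on = (params.get("smtpd_use_tls") == "yes"
              or params.get("smtpd_tls_security_level") in ("may", "encrypt"))
    if params.get("smtpd_sasl_auth_enable") == "yes" and not tls_on:
        findings.append("SMTP AUTH enabled without TLS: credentials cross the wire in the clear")
    return findings

# Constructed from the page's own values in B1, C3 and D2.
PAGE_CF = """\
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
smtpd_tls_cert_file=/etc/postfix/esoomllub.com.crt
smtpd_tls_key_file=/etc/postfix/esoomllub.key
smtpd_use_tls=yes
"""

# Constructed weak variant: relay guard missing and AUTH offered in the clear.
WEAK_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks
"""
```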

E. Mail Client Setup

I suggest testing with Mozilla Thunderbird. If jlarsen is the unix user account, then the SMTP AUTH and IMAP settings should use jlarsen as the username.

E1. IMAP Settings:

Server Name: esoomllub.com
Port: 993
User Name: jlarsen
Use Secure connection: SSL

E2. Outgoing SMTP Server Settings:

Server Name: esoomllub.com
Port: 587
User Name: jlarsen
Use Secure connection: TLS

E3. Thunderbird quirks

Don't select "TLS, if available", as you may end up using the connection unsecured, in which case your password could be stolen. You can set up pop3s instead of imaps if you prefer: in Thunderbird select POP3 instead of IMAP, and use port 995 (pop3s, POP3 over SSL). The only catch I found was that you need to check SSL, and not TLS, for IMAP and POP3 in Thunderbird. The TLS negotiation was failing for some reason. But the logs on the server side showed successful SSL negotiation when SSL was checked, so it should be very secure (no passwords in clear text), which is the goal.