Details: Setting up Email Servers

Email servers are much harder to configure than web servers. First of all, we need to create two servers, an SMTP server for sending mail and a POP3 server for receiving it. Secondly, a complete mail service involves more than these alone. It includes setting up an MTA (Mail Transfer Agent) and also a means of authenticating who is authorized to use our servers.

Although there are other options, I believe that dovecot is the application most frequently used to supply the POP3 and SMTP mail servers, and it is the application I used. It also can be used to set up an IMAP server, which I did not do. There are a number of applications that provide the MTA: sendmail is the oldest, easiest to configure, and still under active development; exim, which was written as and is frequently used as a replacement for sendmail, but whose configuration is insane; and postfix, which is the most modern and, while not offering as much flexibility as one might like, is much easier to configure than exim. Postfix works well with dovecot, so long as both are configured properly to do so. That will require a little work on your part.

Installing and configuring postfix

To install postfix on a Debian-based OS, simply issue the command "sudo apt install postfix". The installation presents you with the option of configuring it as an Internet Site or as a SmartHost. Each has a slightly different configuration in /etc/postfix/main.cf and both can be made to work. I am not sure, but I think that Debian requires that for the Internet Site choice, the computer the software is installed on should have a hostname which is a FQDN, or fully-qualified domain name. The installation also will prompt you for this. In Debian the fully-qualified domain name is set not with the domainname command, which is reserved for the Yellow Pages (NIS) software, but by putting the following lines at the top of the /etc/hosts file.

127.0.0.1         localhost
127.0.1.1         mydomainname.tld   nickname

where mydomainname.tld is your FQDN, and nickname can be anything you choose. If, after a reboot, the hostname command is still not giving you the correct hostname, you can issue the command "sudo hostnamectl set-hostname YOUR-FULLY-QUALIFIED-DOMAINNAME". I think this always should work, but make sure by issuing the hostname command again, which should output YOUR-FULLY-QUALIFIED-DOMAINNAME.

I remind newbies and veterans alike that mydomainname.tld is not a name you make up, but must be a domain registered to you, usually for a fee, by an appropriate authority, usually called a domain name registrar. Before things can work, you, at some point, need to log into your account with your registrar and add or modify your DNS zone record so you have an A record that tells the world that your FQDN should be directed to the fixed IP address your ISP assigned to your server. There are alternative ways of accomplishing this, but if you know about them, you likely do not need any help from me.

Now let's discuss configuring postfix by hand. I strongly recommend, in this day and age, using only secure communication for both the SMTP and POP3 protocols. This requires telling postfix the location of the private key and full chain of your TLS certificate by adding the following two lines to /etc/postfix/main.cf.

smtpd_tls_key_file = /path/to/security/certificate/privkey.pem
smtpd_tls_cert_file = /path/to/security/certificate/fullchain.pem

We also need to add a few lines to /etc/postfix/main.cf to tell it how to determine who is authorized to use the email servers, and here I took a path less travelled. The recommended way of doing this involves using a database of users and passwords, and Debian currently recommends using MariaDB. I chose not to do this, not because I thought it was a bad idea, but because I knew nothing about databases, and it seemed like a poor idea, when I was struggling to learn about servers, also to start learning about databases when the database would have only a single entry, mine. I instead chose to use the same authorization method used when logging into the system in the first place, which I think is referred to as auth/PAM. To do this, the following lines should be added to /etc/postfix/main.cf.

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

It then is necessary, as discussed below, also to configure dovecot to use auth/PAM.

To my knowledge, there is no reason why, in theory, userA cannot use the pop3 server on serverA to retrieve mail for userB on serverB, but to accomplish this I believe you would need to use a database solution rather than auth/PAM, since PAM just knows the passwords for users on serverA and you cannot enter usernames like someotheruser@someotherserver.

If you want to enable secure SMTP (smtps), and I strongly recommend you do, you should uncomment (by removing the leading # from each) the five lines defining smtps in /etc/postfix/master.cf so they look as follows.

smtps     inet     n     -     y     -     -     smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
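The following check script is an added example, not part of the original article: it confirms that a main.cf carries the TLS and SASL settings from this section and that the smtps service in master.cf is actually uncommented with TLS wrapper mode on. The two sample files it writes are constructed here; on a real host you would pass /etc/postfix/main.cf and /etc/postfix/master.cf instead.

```shell
#!/bin/sh
# Added check, not part of the original article: confirm that main.cf has the
# TLS and SASL settings described above and that the smtps service in master.cf
# is uncommented with TLS wrapper mode on. The sample files below are
# constructed; on a real host pass /etc/postfix/main.cf and master.cf instead.

# main_cf_get FILE KEY: print the effective value (last uncommented line wins)
main_cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print val }' "$1"
}
# check_main_cf FILE: return 0 when every setting from the text is present
check_main_cf() {
    rc=0
    for key in smtpd_tls_key_file smtpd_tls_cert_file; do
        [ -n "$(main_cf_get "$1" "$key")" ] || { echo "main.cf: $key not set"; rc=1; }
    done
    [ "$(main_cf_get "$1" smtpd_sasl_type)" = dovecot ] || { echo "main.cf: smtpd_sasl_type should be dovecot"; rc=1; }
    [ "$(main_cf_get "$1" smtpd_sasl_path)" = private/auth ] || { echo "main.cf: smtpd_sasl_path should be private/auth"; rc=1; }
    [ "$(main_cf_get "$1" smtpd_sasl_auth_enable)" = yes ] || { echo "main.cf: smtpd_sasl_auth_enable should be yes"; rc=1; }
    return $rc
}
# smtps_enabled FILE: return 0 when an uncommented smtps service exists and its
# indented "-o" continuation lines turn smtpd_tls_wrappermode on
smtps_enabled() {
    awk '
        /^smtps[ \t]+inet[ \t]/ { in_smtps = 1; next }
        /^[^ \t#]/ { in_smtps = 0 }            # a new service line ends the block
        in_smtps && /^[ \t]+-o[ \t]+smtpd_tls_wrappermode=yes[ \t]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

tmp=$(mktemp -d)
cat > "$tmp/main.cf" <<'EOF'
smtpd_tls_key_file = /path/to/security/certificate/privkey.pem
smtpd_tls_cert_file = /path/to/security/certificate/fullchain.pem
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
EOF
cat > "$tmp/master.cf" <<'EOF'
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
EOF
check_main_cf "$tmp/main.cf" && smtps_enabled "$tmp/master.cf" && echo "postfix: settings from the text are in place"
```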

Installing and configuring dovecot

Different distributions provide different ways of doing this. In some, all the configuration is accomplished in a single configuration file, /etc/dovecot/dovecot.conf. In others, including Debian, the dovecot.conf file is fairly vanilla and directs the system to look for multiple configuration files in the /etc/dovecot/conf.d directory.

To install dovecot on Debian-based systems, issue the command "sudo apt install dovecot-core dovecot-dev dovecot-pop3d". I did not install or configure dovecot-imapd, but you may wish to.

To configure dovecot:

In /etc/dovecot/conf.d/10-mail.conf, set first_valid_uid = 1000 and last_valid_uid = 2000. Comment out the first_valid_gid and last_valid_gid lines, and uncomment (remove the #) from "#mailbox_list_index_very_dirty_syncs = yes".

In /etc/dovecot/conf.d/10-auth.conf, where it says "auth_mechanisms = plain", I recommend changing this to "auth_mechanisms = plain login". This allows both the "AUTH PLAIN" and the older "AUTH LOGIN" protocol to be used, whereas the default allows just "AUTH PLAIN". If any of the clients you will use to contact your server require the CRAM-MD5 mechanism, also add "cram-md5" to auth_mechanisms and follow these directions. A good description of the various auth_mechanisms is found at https://www.samlogic.net/articles/smtp-commands-reference-auth.htm.

In /etc/dovecot/conf.d/auth-system.conf.ext, in the first passdb section, uncomment "args = dovecot". Much further down, in the User databases section, after "driver = passwd" there is the option of uncommenting "#[blocking=no]" and "#args =". If you are following my unusual way of doing authentication, change "driver = passwd" to "driver = passwd-file" and set "args = /etc/passwd". Do not uncomment "#[blocking = no]".

PAM does not like to see the user root. This is not a problem if you have set the variable first_valid_uid, as recommended above, to something that excludes the root user, whose uid is 0. If you want to prevent certain users who have accounts on your server from using the SMTP server you are configuring, simply copy /etc/passwd to /etc/passwd.dovecot, remove those users' lines from /etc/passwd.dovecot, and enter "args = /etc/passwd.dovecot" rather than "args = /etc/passwd" in auth-system.conf.ext.

In /etc/dovecot/conf.d/10-master.conf, go to the section "Postfix smtp-auth", uncomment the first two lines, and also add the two lines below,

user = postfix
group = postfix

and finally, uncomment the trailing closing bracket "}".

In /etc/dovecot/conf.d/10-ssl.conf, near the top, make sure you have ssl = yes. Uncomment the ssl_cert and ssl_key entries and correct them to give the correct locations for your configuration, i.e., the ones you entered in the /etc/postfix/main.cf file.

One suggestion that may be helpful, but does not have to be followed, is to edit /etc/dovecot/conf.d/10-logging.conf and set auth_debug = yes. I found the extra debugging information written to the log files to be helpful during the debugging phase. Afterwards I set it to "no" so that the log files were less cluttered.

Hopefully, the above configuration options will enable the postfix and dovecot services to work properly. To start both services immediately, enter the commands "sudo systemctl start postfix" and "sudo systemctl start dovecot". These commands will need to be repeated whenever any changes are made to the configuration files. To enable these services to start each time the system boots up, issue the commands "sudo systemctl enable postfix" and "sudo systemctl enable dovecot".
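As an added example (not from the original article), the script below generates the reduced /etc/passwd.dovecot described above instead of editing it by hand: it keeps only accounts inside the first_valid_uid..last_valid_uid window set in 10-mail.conf and drops any users named on the command line, so root, system accounts and excluded logins never reach PAM through the mail service. The passwd lines it works on are constructed, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: build the reduced passwd
# file that "args = /etc/passwd.dovecot" points dovecot at. Keeps only uids in
# MIN_UID..MAX_UID (1000..2000 per 10-mail.conf above) and drops listed users.
# The sample /etc/passwd content below is constructed.

# build_passwd_dovecot SRC DEST MIN_UID MAX_UID [user ...]
build_passwd_dovecot() {
    src=$1; dest=$2; min=$3; max=$4; shift 4
    excluded=" $* "                      # " guest test " so names match whole
    awk -F: -v min="$min" -v max="$max" -v ex="$excluded" '
        $3 >= min && $3 <= max && index(ex, " " $1 " ") == 0 { print }
    ' "$src" > "$dest"
    chmod 0644 "$dest"                   # like /etc/passwd: no secrets in it
}

# passwd_dovecot_has FILE USER: return 0 when USER may authenticate via dovecot
passwd_dovecot_has() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { if (found) exit 0; exit 1 }' "$1"
}

# passwd_dovecot_count FILE: print how many accounts dovecot will accept
passwd_dovecot_count() {
    awk 'END { print NR }' "$1"
}

tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postfix:x:105:112::/var/spool/postfix:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
guest:x:1002:1002:Guest account:/home/guest:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
build_passwd_dovecot "$tmp/passwd" "$tmp/passwd.dovecot" 1000 2000 guest
cat "$tmp/passwd.dovecot"     # alice and bob remain; root, system users and guest are gone
```

Because the file is a copy, rerun the script whenever accounts are added or removed so that dovecot's view of who may log in does not drift from /etc/passwd.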

Email Addons: SPF, DKIM, and DMARC

SPF, DKIM, and DMARC are programs that influence postfix and are designed to reduce the amount of spam circulating throughout the Internet. Debian offers packages like openspf, opendkim, and opendmarc for installing them. Good directions for installing and configuring these packages, and for making the necessary changes to the postfix configuration files, are available at Linode.

If things do not work as expected, a good guide for debugging is "Troubleshooting Problems with Postfix, Dovecot, and MySQL", also at Linode. If you install SPF and DKIM and want to check your implementation, do not use an Internet site for that. Simply send a simple email to check-auth2@verifier.port25.com and you will receive, by return email, a very clear and detailed critique of your implementation, which will appear to come from auth-results@verifier.port25.com.


Last updated 15 Sep, 2020