
Installing Dovecot IMAP Server

These are my notes for installing and configuring the Dovecot IMAP server on a Postfix email server running Linux Ubuntu 20 LTS.

 

Install Dovecot Packages

 

Enter the following command to install the Dovecot core package together with the IMAP, POP3 and LMTP daemon packages on the Ubuntu server.

apt install -y dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd

If you use POP3 to fetch emails, make sure the dovecot-pop3d package is installed (it is included in the command above, but can also be installed on its own).

sudo apt install dovecot-pop3d

Check the Dovecot version:

dovecot --version

 

Enabling IMAP/POP3 Protocol

 

Edit the main config file. 

 

sudo nano /etc/dovecot/dovecot.conf

 

Add the following line to enable IMAP protocol.

 

protocols = imap

 

If you use POP3 to fetch emails, then also add POP3 protocol.

 

protocols = imap pop3

 

Configuring Mailbox Location

 

By default, Postfix and Dovecot use mbox format to store emails. Each user’s emails are stored in a single file /var/mail/username. You can run the following command to find the mail spool directory.

 

 

postconf mail_spool_directory

 

 

root@gemini:/etc/apache2/sites-enabled# postconf mail_spool_directory
mail_spool_directory = /var/mail
root@gemini:/etc/apache2/sites-enabled#

 

 

However, it is more usual to use the Maildir format to store email messages.

 

The config file for mailbox location is /etc/dovecot/conf.d/10-mail.conf.

 

nano /etc/dovecot/conf.d/10-mail.conf

 

The default configuration uses mbox mail format.

 

mail_location = mbox:~/mail:INBOX=/var/mail/%u

 

Change it to the following to make Dovecot use the Maildir format. Email messages will be stored under the Maildir directory under each user’s home directory.

 

mail_location = maildir:~/Maildir

 

We need to add the following line in the file. (On Ubuntu 18.04 and 20.04, this line is already in the file.)

 

mail_privileged_group = mail

 

Save and close the file. Then add dovecot to the mail group so that Dovecot can read the INBOX.

 

adduser dovecot mail

 

root@gemini:~# adduser dovecot mail
Adding user `dovecot' to group `mail' ...
Adding user dovecot to group mail
Done.
root@gemini:~#

 

 

Using Dovecot to Deliver Email to Message Store

 

Although we configured Dovecot to store emails in Maildir format, by default Postfix uses its built-in local delivery agent (LDA) to move inbound emails to the message store (inbox, sent, trash, Junk, etc.), and that store is saved in mbox format.

We need to configure Postfix to pass incoming emails to Dovecot via the LMTP protocol (a simplified version of SMTP), so that incoming emails are saved in Maildir format by Dovecot.

LMTP allows for a more scalable and reliable mail system. It also allows use of the sieve plugin to filter inbound messages into different folders.

 

Install the Dovecot LMTP Server

 

apt install dovecot-lmtpd

 

Edit the Dovecot main configuration file.

 

nano /etc/dovecot/dovecot.conf

 

Add lmtp to the supported protocols.

 

protocols = imap lmtp

 

Save and close the file. Then edit the Dovecot 10-master.conf file.

 

nano /etc/dovecot/conf.d/10-master.conf

 

Change the lmtp service definition to the following.

 

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

 

Next, edit the Postfix main configuration file.

 

nano /etc/postfix/main.cf

 

Add the following lines to the end of the file.

mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no

The first line tells Postfix to deliver incoming emails to the local message store via the Dovecot LMTP server. The second line disables SMTPUTF8 in Postfix, because Dovecot-LMTP doesn't support this email extension.

 

Save and close the file.

 

Configure the Dovecot Authentication Mechanism

 

Edit the authentication config file.

 

nano /etc/dovecot/conf.d/10-auth.conf

 

Uncomment the following line.

 

disable_plaintext_auth = yes

 

This will disable plaintext authentication when there’s no SSL/TLS encryption.

 

Then find the following line:

 

#auth_username_format = %Lu

 

 

Uncomment it and change its value to %n.

auth_username_format = %n

 

 

By default, when Dovecot tries to find or deliver emails for a user, it uses the full email address.

 

Since in this part, we only set up canonical mailbox users (using OS users as mailbox users), Dovecot can’t find the mailbox user in full domain format (username@your-domain.com).

 

So we need to set auth_username_format = %n to drop the domain part, then Dovecot should be able to find the mailbox user. This also allows us to use the full email address (username@your-domain.com) to log in.


 

Next, find the following line.

 

auth_mechanisms = plain

 

This line only enables the PLAIN authentication mechanism. LOGIN is another authentication mechanism you probably want to add to support older email clients.

 

auth_mechanisms = plain login

 

Save and close the file.

 

Configuring SSL/TLS Encryption

 

Next, edit SSL/TLS config file.

 

nano /etc/dovecot/conf.d/10-ssl.conf

 

Change ssl = yes to ssl = required to enforce encryption.

 

ssl = required

 

Then find the following lines.

 

ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key

 

By default, Dovecot uses a self-signed TLS certificate. Replace them with the following values, which specify the location of your Let's Encrypt TLS certificate and private key. Don't leave out the < character; it tells Dovecot to read the value from the file at that path.

ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem

On this server the entries are:

ssl_cert = </etc/letsencrypt/live/mail.kevwells.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.kevwells.com/privkey.pem

Next, find the following line.

#ssl_prefer_server_ciphers = no

It’s good practice to use the server order of ciphers over that of clients, so uncomment this line and change the value to yes.

 

ssl_prefer_server_ciphers = yes

We can also disable the insecure SSLv3, TLSv1 and TLSv1.1 protocols by adding the following line.

ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

Note: If using Dovecot version 2.3.x or above (as in Ubuntu 20.04), then you should add the following line instead. This forces Dovecot to use TLSv1.2 or TLSv1.3. Please don't add this line if you use Dovecot version 2.2.x. (On 2.3.x the old ssl_protocols setting is reported as obsolete in the Dovecot log, as can be seen in the systemctl status output further down.)

ssl_min_protocol = TLSv1.2

Save and close the file.
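As an added check (not part of the original notes and not Dovecot's own tooling), the following Python script parses the key = value settings from 10-auth.conf and 10-ssl.conf as configured above and reports anything still at a weak default, including the ssl_protocols versus ssl_min_protocol mismatch between Dovecot 2.2.x and 2.3.x. The config fragments embedded in it are constructed samples.

```python
"""Check Dovecot auth/SSL settings against the hardening done in these notes.

Added example: it parses the simple `key = value` lines used by Dovecot's
conf.d files (nested service { } blocks and !include lines are skipped)
and reports the same kind of problem the Dovecot log shows on 2.3.x
(the obsolete ssl_protocols setting), plus settings left at weak defaults.
"""
import re
from typing import Dict, List, Tuple

# Constructed fragment standing in for the package defaults of
# 10-auth.conf and 10-ssl.conf before the edits in these notes.
WEAK_CONFIG = """
# 10-auth.conf
#disable_plaintext_auth = yes
auth_mechanisms = plain
# 10-ssl.conf
ssl = yes
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
#ssl_prefer_server_ciphers = no
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
"""

# Constructed fragment with the values these notes set (example.com is a placeholder).
HARDENED_CONFIG = """
disable_plaintext_auth = yes
auth_mechanisms = plain login
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
"""

SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_settings(text: str) -> Dict[str, str]:
    """Return the active (uncommented) top-level key = value settings."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):   # commented-out setting: not active
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_dovecot(text: str, version: Tuple[int, int] = (2, 3)) -> List[str]:
    """Return findings for the given config text and Dovecot major.minor version."""
    s = parse_settings(text)
    findings: List[str] = []

    if s.get("disable_plaintext_auth") != "yes":
        findings.append("disable_plaintext_auth is not 'yes': passwords may be sent in clear over unencrypted IMAP/POP3")
    if s.get("ssl") != "required":
        findings.append("ssl is not 'required': clients can connect without TLS")
    if s.get("ssl_prefer_server_ciphers") != "yes":
        findings.append("ssl_prefer_server_ciphers is not 'yes': the client's cipher order wins")
    for key in ("ssl_cert", "ssl_key"):
        if "/etc/dovecot/private/dovecot" in s.get(key, ""):
            findings.append(f"{key} still points at the package's self-signed certificate")

    if version >= (2, 3):
        # Dovecot 2.3 logs "Obsolete setting ... ssl_protocols has been replaced
        # by ssl_min_protocol", exactly as in the status output in these notes.
        if "ssl_protocols" in s:
            findings.append("ssl_protocols is obsolete on 2.3.x: replace it with ssl_min_protocol")
        if s.get("ssl_min_protocol") not in ("TLSv1.2", "TLSv1.3"):
            findings.append("ssl_min_protocol should be TLSv1.2 or higher")
    else:
        if "ssl_min_protocol" in s:
            findings.append("ssl_min_protocol is unknown to Dovecot 2.2.x; use ssl_protocols instead")
        if "ssl_protocols" not in s:
            findings.append("ssl_protocols not set: SSLv3/TLSv1/TLSv1.1 remain enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_dovecot(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

To run it against a live server, read the output of `doveconf -n` into `check_dovecot` instead of the embedded samples.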

Configuring SASL Authentication

Edit the following file.

nano /etc/dovecot/conf.d/10-master.conf

 

Change service auth section to the following so that Postfix can find the Dovecot authentication server.

Please be careful about the syntax: every opening bracket must be matched by a closing bracket.

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Save and close the file.

Auto-create Sent and Trash Folder

 

Edit the below config file.

nano /etc/dovecot/conf.d/15-mailboxes.conf

To auto-create a folder, simply add the line auto = create in the mailbox section. Example:

mailbox Trash {
  auto = create
  special_use = \Trash
}

 

Some common folders you will want to create include Drafts, Junk, Trash and Sent.

The Sent folder will be created under the user's home directory when the user sends the first email; the Trash folder will be created when the user deletes an email for the first time, and so on.

 

 

After you save and close all above config files, restart Postfix and Dovecot.

systemctl restart postfix dovecot

 

Dovecot will be listening on port 143 (IMAP) and 993 (IMAPS), as can be seen with:

ss -lnpt | grep dovecot

If there's a configuration error, Dovecot will fail to restart, so it's a good idea to check whether Dovecot is running with the following command.

 

systemctl status dovecot

 

root@gemini:/etc/dovecot/conf.d# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
     Active: active (exited) since Wed 2022-03-09 20:34:54 UTC; 4s ago
    Process: 190752 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 190752 (code=exited, status=0/SUCCESS)

Mar 09 20:34:54 gemini systemd[1]: Starting Postfix Mail Transport Agent...
Mar 09 20:34:54 gemini systemd[1]: Finished Postfix Mail Transport Agent.
root@gemini:/etc/dovecot/conf.d# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
     Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-03-09 20:34:51 UTC; 11s ago
       Docs: man:dovecot(1)
             http://wiki2.dovecot.org/
   Main PID: 189907 (dovecot)
      Tasks: 4 (limit: 2274)
     Memory: 6.5M
     CGroup: /system.slice/dovecot.service
             ├─189907 /usr/sbin/dovecot -F
             ├─189921 dovecot/anvil
             ├─189922 dovecot/log
             └─189923 dovecot/config

Mar 09 20:34:51 gemini systemd[1]: Started Dovecot IMAP/POP3 email server.
Mar 09 20:34:51 gemini dovecot[189907]: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
Mar 09 20:34:51 gemini dovecot[189907]: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:97: ssl_protocols has been replaced by ssl_min_protocol
Mar 09 20:34:51 gemini dovecot[189907]: master: Dovecot v2.3.7.2 (3c910f64b) starting up for imap, lmtp (core dumps disabled)
Mar 09 20:34:51 gemini dovecot[189922]: config: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
Mar 09 20:34:51 gemini dovecot[189922]: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:97: ssl_protocols has been replaced by ssl_min_protocol
root@gemini:/etc/dovecot/conf.d#

root@gemini:/etc/postfix# systemctl restart postfix
root@gemini:/etc/postfix# ss -lnpt | grep dovecot
LISTEN 0 100 0.0.0.0:143 0.0.0.0:* users:(("dovecot",pid=192085,fd=35))
LISTEN 0 100 0.0.0.0:993 0.0.0.0:* users:(("dovecot",pid=192085,fd=37))
LISTEN 0 100 [::]:143 [::]:* users:(("dovecot",pid=192085,fd=36))
LISTEN 0 100 [::]:993 [::]:* users:(("dovecot",pid=192085,fd=38))
root@gemini:/etc/postfix#

 

Create Virtual Mail Box Domains

 

 

The main.cf configuration file instructs postfix to look for email domains in the /etc/postfix/virtual_mailbox_domains file. Create the file:

 

 

$ sudo nano /etc/postfix/virtual_mailbox_domains

 

Add the information below to the file and replace example.com with your domain name.

 

example.com #domain

 

Use the postmap command to change /etc/postfix/virtual_mailbox_domains to a format recognizable by Postfix. Run this command every time you edit the file, for instance, after adding more domains to the file.

 

 

$ sudo postmap /etc/postfix/virtual_mailbox_domains

 

Edit the /etc/postfix/master.cf configuration file to enable the SMTP submission service.

 

 

$ sudo nano /etc/postfix/master.cf

 

Find the entry below.

#submission inet n       -       y       -       -       smtpd

Remove the pound symbol at the beginning of the line.

submission inet n       -       y       -       -       smtpd

Save and close the file.

 

 

Configure Dovecot to use secure authentication. Edit the Dovecot 10-auth.conf file.

 

$ sudo nano /etc/dovecot/conf.d/10-auth.conf

Find the entry below.

 

# disable_plaintext_auth = yes

Uncomment the setting above by removing the # character to disable plain text authentication.

 

disable_plaintext_auth = yes

 

Find the entry below.

 

auth_mechanisms = plain

Change the authentication mechanisms from plain to plain login.

 

auth_mechanisms = plain login

Disable the Dovecot default authentication behavior that requires users to have a system account to use the email service. Find the line:

 

!include auth-system.conf.ext

Add a pound symbol at the beginning of the line to comment it out.

 

#!include auth-system.conf.ext

Find the line:

 

#!include auth-passwdfile.conf.ext

Remove the # symbol at the beginning to enable Dovecot to use a password file.

 

!include auth-passwdfile.conf.ext

 

Save and close the file.

 

Edit the Dovecot passwd-file authentication config, auth-passwdfile.conf.ext.

 

$ sudo nano /etc/dovecot/conf.d/auth-passwdfile.conf.ext

 

The file looks similar to the one shown below.

 

passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}

 

Make the changes to the file, as shown below.

 

passdb {
  driver = passwd-file
  args = scheme=PLAIN username_format=%u /etc/dovecot/dovecot-users
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

 

Save and close the file.

 

Create the /etc/dovecot/dovecot-users password file. This file is a plain text database that holds email users on your server.

 

 

nano /etc/dovecot/dovecot-users

 

Add the users that you want to use the email service to the file by following the format below. Replace EXAMPLE_PASSWORD with a strong password. Also, replace example.com with your domain name.

 

admin@example.com:{plain}EXAMPLE_PASSWORD
info@example.com:{plain}EXAMPLE_PASSWORD
billing@example.com:{plain}EXAMPLE_PASSWORD

 

Save and close the file.
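Both the auth_username_format = %n setting earlier and the static userdb home=/var/mail/vhosts/%d/%n template above rely on Dovecot's username variables. The following Python is an added example (not from the original notes and not Dovecot's code): it implements the %u, %n, %d variables and the L (lowercase) modifier, applies them to both settings, and parses a constructed dovecot-users file to report which accounts are stored with the {plain} scheme.

```python
"""Dovecot username variables (%u, %n, %d, %Lu) and the passwd-file users file.

Added example. auth_username_format = %n drops the domain so that OS users
can log in as user@domain; the static userdb's home=/var/mail/vhosts/%d/%n
maps each virtual user to its own directory. parse_users() reads lines in
the user:{SCHEME}secret format used by /etc/dovecot/dovecot-users.
"""
import re
from typing import List, Tuple

# Constructed sample of /etc/dovecot/dovecot-users; passwords and the
# SHA512-CRYPT hash are placeholders, not real credentials.
USERS_FILE = """\
admin@example.com:{plain}EXAMPLE_PASSWORD
info@example.com:{plain}EXAMPLE_PASSWORD
billing@example.com:{SHA512-CRYPT}$6$placeholder_salt$placeholder_hash
"""

VAR_RE = re.compile(r"%(L?)([und])")


def expand(template: str, username: str) -> str:
    """Expand %u (full username), %n (local part), %d (domain); L lowercases."""
    local, _, domain = username.partition("@")
    values = {"u": username, "n": local, "d": domain}

    def repl(m):
        value = values[m.group(2)]
        return value.lower() if m.group(1) == "L" else value

    return VAR_RE.sub(repl, template)


def login_name(username: str, auth_username_format: str = "%Lu") -> str:
    """The name Dovecot looks up after applying auth_username_format (default %Lu)."""
    return expand(auth_username_format, username)


def static_home(username: str,
                args: str = "uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n") -> str:
    """Resolve the home= template from a static userdb args string."""
    for token in args.split():
        key, _, value = token.partition("=")
        if key == "home":
            return expand(value, username)
    raise ValueError("no home= in userdb args")


def parse_users(text: str) -> List[Tuple[str, str, str]]:
    """Parse user:{SCHEME}secret lines into (user, SCHEME, secret) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        m = re.match(r"\{([^}]+)\}(.*)", rest)
        scheme, secret = (m.group(1), m.group(2)) if m else ("", rest)
        entries.append((user, scheme.upper(), secret))
    return entries


def cleartext_users(text: str) -> List[str]:
    """Users whose password is stored unhashed ({plain}), as in the file above."""
    return [u for u, scheme, _ in parse_users(text) if scheme == "PLAIN"]


if __name__ == "__main__":
    print(login_name("Kevin@Example.com", "%n"))   # Kevin
    print(static_home("info@example.com"))         # /var/mail/vhosts/example.com/info
    print(cleartext_users(USERS_FILE))             # ['admin@example.com', 'info@example.com']
```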

 

Configure Dovecot to Use the SSL Certificate. Open the /etc/dovecot/conf.d/10-ssl.conf file.

 

$ sudo nano /etc/dovecot/conf.d/10-ssl.conf

Find the line:

ssl = yes

Change the ssl value from yes to required.

ssl = required

Locate the two entries below.

#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem

Change the two entries above and make sure they are pointing to the SSL certificate for your domain. For instance, if you are using the Let's Encrypt certificate, your entries will be similar to those shown below. Replace example.com with your domain name.

ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

Save and close the file.

Restart the postfix and dovecot services to use the new settings.

$ sudo service postfix restart
$ sudo service dovecot restart

 

root@gemini:/etc/postfix# echo "This is a test email." | mail -s "Test email" -r kevin@kevwells.com kevin@kevwells.com
root@gemini:/etc/postfix#

 

The final thing to set up is forwarding, so you’ll get emails sent to root on the system at your personal, external email address.

 

To configure Postfix so that system-generated emails will be sent to your email address, you need to edit the /etc/aliases file.

 

sudo nano /etc/aliases

 

The full contents of the file on a default installation of Ubuntu 16.04 are as follows:

 

/etc/aliases
# See man 5 aliases for format
postmaster: root

 

With that setting, system generated emails are sent to the root user. What you want to do is edit it so that those emails are rerouted to your email address.

 

To accomplish that, edit the file so that it reads:

 

/etc/aliases

 

# See man 5 aliases for format
postmaster: root
root: your_email_address

 

Replace your_email_address with your personal email address. When finished, save and close the file. For the change to take effect, run the following command:

 

sudo newaliases

 

You may now test that it works by sending an email to the root account using:

 

echo "This is the body of the email" | mail -s "This is the subject line" root

 

root@gemini:/# cat /etc/aliases
# See man 5 aliases for format
postmaster: root
root: kevin@kevwells.com
root@gemini:/#
root@gemini:/# newaliases
root@gemini:/#

 

You should receive the email at your email address. If not, check your spam folder.

 


Installation and Configuration of Postfix Emailserver

The following are my notes on installing and configuring a Postfix email server on Linux Ubuntu 20 LTS.

 

Install mailutils package

 

First install mailutils:

 

root@gemini:~# apt install mailutils
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
javascript-common libao-common libao4 libevent-core-2.1-7 libevent-pthreads-2.1-7 libflac8 libjs-cropper libjs-jquery
libjs-prototype libjs-scriptaculous libjs-underscore libmecab2 libspeex1 libvorbisenc2 linux-headers-5.4.0-99
linux-headers-5.4.0-99-generic linux-image-5.4.0-99-generic linux-modules-5.4.0-99-generic linux-modules-extra-5.4.0-99-generic
mecab-ipadic mecab-ipadic-utf8 mecab-utils php-gd php-getid3 vorbis-tools wordpress-theme-twentynineteen
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
guile-2.2-libs libgc1c2 libgsasl7 libkyotocabinet16v5 libmailutils6 libntlm0 mailutils-common postfix

 

Suggested packages:
mailutils-mh mailutils-doc procmail postfix-mysql postfix-pgsql postfix-ldap postfix-pcre postfix-lmdb postfix-sqlite sasl2-bin
| dovecot-common resolvconf postfix-cdb postfix-doc
The following NEW packages will be installed:
guile-2.2-libs libgc1c2 libgsasl7 libkyotocabinet16v5 libmailutils6 libntlm0 mailutils mailutils-common postfix
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,540 kB of archives.
After this operation, 56.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://gb.clouds.archive.ubuntu.com/ubuntu focal/main amd64 libgc1c2 amd64 1:7.6.4-0.4ubuntu1 [83.9 kB]
Get:2 http://gb.clouds.archive.ubuntu.com/ubuntu focal/main amd64 guile-2.2-libs amd64 2.2.7+1-4 [4,962 kB]
Get:3 http://gb.clouds.archive.ubuntu.com/ubuntu focal-updates/universe amd64 libntlm0 amd64 1.5-2ubuntu0.1 [14.7 kB]
Get:4 http://gb.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 libgsasl7 amd64 1.8.1-1 [114 kB]
Get:5 http://gb.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 libkyotocabinet16v5 amd64 1.2.76-4.2build1 [318 kB]
Get:6 http://gb.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 mailutils-common all 1:3.7-2.1 [272 kB]
Get:7 http://gb.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 libmailutils6 amd64 1:3.7-2.1 [437 kB]
Get:8 http://gb.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 mailutils amd64 1:3.7-2.1 [138 kB]
Get:9 http://gb.clouds.archive.ubuntu.com/ubuntu focal-updates/main amd64 postfix amd64 3.4.13-0ubuntu1.2 [1,201 kB]
Fetched 7,540 kB in 0s (50.8 MB/s)

 

Preconfiguring packages …
Selecting previously unselected package libgc1c2:amd64.
(Reading database … 172976 files and directories currently installed.)
Preparing to unpack …/0-libgc1c2_1%3a7.6.4-0.4ubuntu1_amd64.deb …
Unpacking libgc1c2:amd64 (1:7.6.4-0.4ubuntu1) …
Selecting previously unselected package guile-2.2-libs:amd64.
Preparing to unpack …/1-guile-2.2-libs_2.2.7+1-4_amd64.deb …
Unpacking guile-2.2-libs:amd64 (2.2.7+1-4) …
Selecting previously unselected package libntlm0:amd64.
Preparing to unpack …/2-libntlm0_1.5-2ubuntu0.1_amd64.deb …
Unpacking libntlm0:amd64 (1.5-2ubuntu0.1) …
Selecting previously unselected package libgsasl7:amd64.
Preparing to unpack …/3-libgsasl7_1.8.1-1_amd64.deb …
Unpacking libgsasl7:amd64 (1.8.1-1) …
Selecting previously unselected package libkyotocabinet16v5:amd64.
Preparing to unpack …/4-libkyotocabinet16v5_1.2.76-4.2build1_amd64.deb …
Unpacking libkyotocabinet16v5:amd64 (1.2.76-4.2build1) …
Selecting previously unselected package mailutils-common.
Preparing to unpack …/5-mailutils-common_1%3a3.7-2.1_all.deb …
Unpacking mailutils-common (1:3.7-2.1) …
Selecting previously unselected package libmailutils6:amd64.
Preparing to unpack …/6-libmailutils6_1%3a3.7-2.1_amd64.deb …
Unpacking libmailutils6:amd64 (1:3.7-2.1) …
Selecting previously unselected package mailutils.
Preparing to unpack …/7-mailutils_1%3a3.7-2.1_amd64.deb …
Unpacking mailutils (1:3.7-2.1) …
Selecting previously unselected package postfix.
Preparing to unpack …/8-postfix_3.4.13-0ubuntu1.2_amd64.deb …
Unpacking postfix (3.4.13-0ubuntu1.2) …
Setting up libgc1c2:amd64 (1:7.6.4-0.4ubuntu1) …
Setting up libkyotocabinet16v5:amd64 (1.2.76-4.2build1) …
Setting up libntlm0:amd64 (1.5-2ubuntu0.1) …
Setting up mailutils-common (1:3.7-2.1) …
Setting up postfix (3.4.13-0ubuntu1.2) …
Adding group `postfix' (GID 121) ...
Done.
Adding system user `postfix' (UID 117) ...
Adding new user `postfix' (UID 117) with group `postfix' ...
Not creating home directory `/var/spool/postfix’.
Creating /etc/postfix/dynamicmaps.cf
Adding group `postdrop’ (GID 122) …
Done.
setting myhostname: gemini
setting alias maps
setting alias database
changing /etc/mailname to kevwells.com
setting myorigin
setting destinations: $myhostname, kevwells.com, gemini, localhost.localdomain, localhost
setting relayhost:
setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
setting inet_protocols: all
/etc/aliases does not exist, creating it.
WARNING: /etc/aliases exists, but does not have a root alias.

 

Postfix (main.cf) is now set up with a default configuration. If you need to
make changes, edit /etc/postfix/main.cf (and others) as needed. To view
Postfix configuration values, see postconf(1).

 

After modifying main.cf, be sure to run 'systemctl reload postfix'.

 

Running newaliases
Created symlink /etc/systemd/system/multi-user.target.wants/postfix.service → /lib/systemd/system/postfix.service.
Setting up guile-2.2-libs:amd64 (2.2.7+1-4) …
Setting up libgsasl7:amd64 (1.8.1-1) …
Setting up libmailutils6:amd64 (1:3.7-2.1) …
Setting up mailutils (1:3.7-2.1) …
update-alternatives: using /usr/bin/frm.mailutils to provide /usr/bin/frm (frm) in auto mode
update-alternatives: using /usr/bin/from.mailutils to provide /usr/bin/from (from) in auto mode
update-alternatives: using /usr/bin/messages.mailutils to provide /usr/bin/messages (messages) in auto mode
update-alternatives: using /usr/bin/movemail.mailutils to provide /usr/bin/movemail (movemail) in auto mode
update-alternatives: using /usr/bin/readmsg.mailutils to provide /usr/bin/readmsg (readmsg) in auto mode
update-alternatives: using /usr/bin/dotlock.mailutils to provide /usr/bin/dotlock (dotlock) in auto mode
update-alternatives: using /usr/bin/mail.mailutils to provide /usr/bin/mailx (mailx) in auto mode
Processing triggers for rsyslog (8.2001.0-1ubuntu1.1) …
Processing triggers for ufw (0.36-6ubuntu1) …
Processing triggers for systemd (245.4-4ubuntu3.15) …
Processing triggers for man-db (2.9.1-1) …
Processing triggers for libc-bin (2.31-0ubuntu9.7) …
root@gemini:~#

 

root@gemini:~#
root@gemini:~# ps -ef | grep post
root 156623 1 0 12:02 ? 00:00:00 /usr/lib/postfix/sbin/master -w
postfix 156627 156623 0 12:02 ? 00:00:00 pickup -l -t unix -u -c
postfix 156628 156623 0 12:02 ? 00:00:00 qmgr -l -t unix -u
postfix 157699 156623 0 12:07 ? 00:00:00 cleanup -z -t unix -u -c
postfix 157700 156623 0 12:07 ? 00:00:00 trivial-rewrite -n rewrite -t unix -u -c
postfix 157702 156623 0 12:07 ? 00:00:00 local -t unix
postfix 157703 156623 0 12:07 ? 00:00:00 bounce -z -t unix -u -c
postfix 157704 156623 0 12:07 ? 00:00:00 bounce -z -t unix -u -c
root 157729 139671 0 12:08 pts/0 00:00:00 grep --color=auto post
root@gemini:~# systemctl status postfix
● postfix.service – Postfix Mail Transport Agent
Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2022-03-09 12:02:12 UTC; 6min ago
Main PID: 156624 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 2274)
Memory: 0B
CGroup: /system.slice/postfix.service

 

Mar 09 12:02:12 gemini systemd[1]: Starting Postfix Mail Transport Agent…
Mar 09 12:02:12 gemini systemd[1]: Finished Postfix Mail Transport Agent.
root@gemini:~# netstat -ltnp | grep 25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 156623/master
tcp6 0 0 :::25 :::* LISTEN 156623/master

 

 

 

SMTP and Port 25 for Outgoing Mail

 

Port 25 is used as standard for SMTP mail server communication across the internet, so you first need to open port 25 on your network/server firewall.

However, if your server platform provider does not permit traffic through port 25, then you will need to arrange to relay your outgoing emails via the SMTP mail server of another willing organization.

 

Many will require payment for this service, or at the very least some indication and assurance of your bona-fide intentions.

 

This is because SMTP mail relay is a sensitive issue, as is also allowing smtp traffic to pass through the network of cloud service, server infrastructure, and virtual server providers.

 

 

SMTP mail server relays can be used for email spamming operations, which can cause the IP addresses on which these servers are located to become blacklisted by email-spam-server database listing services and agents – and which can in turn have disastrous consequences for those affected, both in IT technical as well as business terms.

 

To open port 25 on the Ubuntu firewall (ufw):

root@gemini:~# ufw allow 25
Rule added
Rule added (v6)
root@gemini:~#

Check that the port is now open by telnetting to port 25:

 

root@gemini:~# telnet kevwells.com 25
Trying 78.141.200.190…
Connected to kevwells.com.
Escape character is '^]'.
220 localhost ESMTP Postfix (Ubuntu)
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@gemini:~#

 

Check MX Records on your DNS Server

 

 

Before configuring postfix to forward mails for your domain, check the MX records for your domain on your DNS server are pointing to the right server.

 

You can do this with the dig command:

root@gemini:~# dig kevwells.com mx

 

; <<>> DiG 9.16.1-Ubuntu <<>> kevwells.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15606
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

 

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;kevwells.com. IN MX

 

;; ANSWER SECTION:
kevwells.com. 300 IN MX 10 kevwells.com.

 

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Mar 09 12:11:55 UTC 2022
;; MSG SIZE rcvd: 57

 

root@gemini:~#

 

The ‘ANSWER SECTION’ shows kevwells.com is defined as the mail server for kevwells.com (in some environments they could be separate machines).

 

Next, check the A record for the domain kevwells.com to see the server IP it points to.

 

root@gemini:~# dig kevwells.com a

 

; <<>> DiG 9.16.1-Ubuntu <<>> kevwells.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53586
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

 

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;kevwells.com. IN A

 

;; ANSWER SECTION:
kevwells.com. 300 IN A 78.141.200.190

 

;; Query time: 19 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Mar 09 12:14:52 UTC 2022
;; MSG SIZE rcvd: 57

 

root@gemini:~#

 

Check your hostname with:

root@gemini:/etc/postfix# hostname -f
gemini
root@gemini:/etc/postfix#

You will need to add this hostname to the Postfix config (it appears in the mydestination setting shown later in these notes).

 

 

Configure postfix to forward mails

 

Locate the configuration directory using the postconf command:

 

root@gemini:~# postconf | grep config_directory
config_directory = /etc/postfix
root@gemini:~#

 

Edit the /etc/postfix/main.cf file, adding the following lines to the end of it:

 

virtual_alias_domains = mydomain.com myanotherdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual

 

So in our case we add:

 

virtual_alias_domains = kevwells.com
virtual_alias_maps = hash:/etc/postfix/virtual

 

The first line virtual_alias_domains defines the domains for which postfix will accept mail. Multiple domains are separated by a space.

 

The second line virtual_alias_maps defines the path to the file which will contain mappings specifying how to forward emails for these domains.

 

Next edit the /etc/postfix/virtual file (create one if it does not yet exist) and add to it the emails you want to forward along with the destination emails.

 

The first email is the address on which postfix will receive mail, and the second is the address to which postfix will forward these mails.

 

e.g. to forward:

 

root@kevwells.com kevrwells@gmail.com
kevin@kevwells.com kevrwells@gmail.com

 

If you want to receive and forward all mails to any address for a specific domain, use the following definition format:

 

@mydomain.com myself@gmail.com mycolleagues@gmail.com

 

After entering the forwarding rules, save the file and then update the Postfix lookup table:

 

root@gemini:~# postmap /etc/postfix/virtual
root@gemini:~#

 

then reload the postfix configuration:

 

systemctl restart postfix

 

root@gemini:~# systemctl restart postfix
root@gemini:~# systemctl status postfix
● postfix.service – Postfix Mail Transport Agent
Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2022-03-09 12:25:54 UTC; 5s ago
Process: 159667 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 159667 (code=exited, status=0/SUCCESS)

 

Mar 09 12:25:54 gemini systemd[1]: Starting Postfix Mail Transport Agent…
Mar 09 12:25:54 gemini systemd[1]: Finished Postfix Mail Transport Agent.
root@gemini:~#

 

Next, verify using the postconf command that the domain aliases and alias file are correct:

 

root@gemini:~# postconf -n | grep virtual
virtual_alias_domains = kevwells.com
virtual_alias_maps = hash:/etc/postfix/virtual
root@gemini:~#

 

Next, test mail forwarding by sending an email from somewhere outside to the address of your domain.

 

You should then see the same mail forwarded to the gmail account you specified, usually within a few seconds or sometimes a little longer.
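As an added example (written for these notes, not Postfix code), the following Python resolves where a recipient ends up after the two map files set up here: /etc/postfix/virtual from this section and /etc/aliases from the forwarding step in the Dovecot notes. It models only the lookup order described above: an exact user@domain entry wins over an @domain catch-all, an entry may list several destinations, bare local names get myorigin appended, local-domain addresses fall back to /etc/aliases, and results are expanded again until they stop matching, with a guard against alias loops. The embedded map contents are constructed samples.

```python
"""Resolve Postfix recipients through virtual_alias_maps and /etc/aliases.

Added example. Addresses, map contents, myorigin and mydestination are
constructed from the values shown in these notes and are placeholders.
"""
from typing import Dict, List, Optional, Set

# Constructed copy of /etc/postfix/virtual ("address  destination...").
VIRTUAL = """\
root@kevwells.com   kevrwells@gmail.com
kevin@kevwells.com  kevrwells@gmail.com
@mydomain.com       myself@gmail.com mycolleagues@gmail.com
"""
# Constructed copy of /etc/aliases ("name: destination, ...").
ALIASES = """\
# See man 5 aliases for format
postmaster: root
root: kevrwells@gmail.com
"""
MYORIGIN = "kevwells.com"   # Postfix appends this to bare local names
MYDESTINATION = {"gemini", "localhost", "localhost.localdomain", "kevwells.com"}


def parse_map(text: str, sep: Optional[str] = None) -> Dict[str, List[str]]:
    """Parse 'key dest1 dest2' (virtual) or 'key: dest1, dest2' (aliases) lines."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if sep:
            key, _, rest = line.partition(sep)
            dests = [d.strip() for d in rest.split(",") if d.strip()]
        else:
            key, *dests = line.split()
        table[key.strip().lower()] = dests
    return table


def canonical(addr: str) -> str:
    """Lowercase and append myorigin to a bare local name such as 'root'."""
    addr = addr.lower()
    return addr if "@" in addr else f"{addr}@{MYORIGIN}"


def virtual_lookup(addr: str, virtual: Dict[str, List[str]]) -> List[str]:
    """Postfix order: exact address first, then the @domain catch-all."""
    if addr in virtual:
        return virtual[addr]
    _, _, domain = addr.partition("@")
    return virtual.get("@" + domain, [])


def resolve(addr: str, virtual: Dict[str, List[str]], aliases: Dict[str, List[str]],
            seen: Optional[Set[str]] = None) -> List[str]:
    """Expand addr through the virtual map, then local aliases, until stable."""
    seen = seen or set()
    addr = canonical(addr)
    if addr in seen:                 # alias loop: stop expanding here
        return [addr]
    seen = seen | {addr}

    targets = virtual_lookup(addr, virtual)
    if not targets:
        local, _, domain = addr.partition("@")
        if domain in MYDESTINATION:  # local delivery: /etc/aliases keys have no domain
            targets = aliases.get(local, [])
    if not targets:
        return [addr]                # final delivery address
    out: List[str] = []
    for t in targets:
        out.extend(resolve(t, virtual, aliases, seen))
    return out


if __name__ == "__main__":
    virtual, aliases = parse_map(VIRTUAL), parse_map(ALIASES, ":")
    for who in ("root", "postmaster@kevwells.com", "anyone@mydomain.com", "other@kevwells.com"):
        print(f"{who:26} -> {resolve(who, virtual, aliases)}")
```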

 

If you want to relay outgoing mail via, for example, gmail.com, then add the Gmail server as the relayhost in the Postfix main.cf file:

root@gemini:/var/mail# nano /etc/postfix/main.cf

mydestination = $myhostname, kevwells.com, gemini, localhost.localdomain, localhost
relayhost = [smtp.gmail.com]:587

 

then restart the postfix server service:

 

root@gemini:/var/mail# systemctl restart postfix

 

Next, create a /etc/postfix/sasl_passwd file with the following content.

 

[smtp.gmail.com]:587 kevrwells@gmail.com:password

 

where password is the Google password for that Gmail account.

Note: this Google account requires settings to be changed under Security > Sign in to Google: go to Security Verification and set two-factor OFF, and access to the Google account by less secure apps must be ON.

 

Then run postmap to compile sasl_passwd into a Berkeley DB lookup table (sasl_passwd.db).

 

root@gemini:/var/mail# postmap /etc/postfix/sasl_passwd
root@gemini:/var/mail#

 

then restart Postfix

 

root@gemini:/var/mail#
root@gemini:/var/mail# systemctl restart postfix
root@gemini:/var/mail# systemctl status postfix
● postfix.service – Postfix Mail Transport Agent
Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2022-03-09 12:50:38 UTC; 4s ago
Process: 164711 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 164711 (code=exited, status=0/SUCCESS)

 

Mar 09 12:50:38 gemini systemd[1]: Starting Postfix Mail Transport Agent…
Mar 09 12:50:38 gemini systemd[1]: Finished Postfix Mail Transport Agent.
root@gemini:/var/mail#

 

Test the Postfix configuration with this command string issued on the shell command line:

 

echo "This is a test email." | mail -v -s "Test email" -r kevrwells@gmail.com root@kevwells.com

 

Obtaining TLS Certificate with Apache Web Server

 

You need to have an Apache virtual host for mail.your-domain.com before obtaining Let’s Encrypt TLS certificate.

Create the virtual host file:

 

sudo nano /etc/apache2/sites-available/mail.your-domain.com.conf

 

Then paste the following text into the file.

<VirtualHost *:80>
    ServerName mail.your-domain.com
    DocumentRoot /var/www/html/
</VirtualHost>

Save and close the file. Enable this virtual host.

 

Open the imap port 143 on your firewall:

 

root@gemini:/etc/postfix# ufw allow 143
Rule added
Rule added (v6)
root@gemini:/etc/postfix# netstat -tulpn | grep 143
root@gemini:/etc/postfix# ufw allow 80,443,587,465,143,993/tcp
Rule added
Rule added (v6)
root@gemini:/etc/postfix# cd ..
root@gemini:/etc# cd apache2/
root@gemini:/etc/apache2# ls
apache2.conf conf-available conf-enabled envvars magic mods-available mods-enabled ports.conf sites-available sites-enabled
root@gemini:/etc/apache2# cd sites-enabled/

root@gemini:/etc/apache2/sites-enabled# ls
000-default.conf 000-default.conf.save default-ssl.conf
root@gemini:/etc/apache2/sites-enabled# nano 000-default.conf

So you add the following entry:

ServerName mail.kevwells.com

DocumentRoot /var/www/html/

root@gemini:/etc/apache2/sites-enabled# systemctl reload apache2
root@gemini:/etc/apache2/sites-enabled# certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email kevrwells@gmail.com -d mail.kevwells.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.kevwells.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.kevwells.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.kevwells.com/privkey.pem
Your cert will expire on 2022-06-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

root@gemini:/etc/apache2/sites-enabled#

 

To send emails from a desktop email client, you need to enable the submission service of Postfix so the client can submit mail to the Postfix SMTP server.

Edit the master.cf file:

nano /etc/postfix/master.cf

In the submission section, uncomment or add the following lines.

Each -o line must begin with at least one whitespace character (tab or space): in Postfix configuration files, a line that starts with whitespace is a continuation of the previous line.

(By default the submission section is commented out. You can copy the following lines and paste them into the file, so you don't have to manually uncomment or add new text.)

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

The above configuration enables the Postfix submission daemon and requires TLS encryption, so our desktop email client can later connect to it over TLS.

The submission daemon listens on TCP port 587. STARTTLS is used to encrypt communications between the email client and the submission daemon.

Next, we need to specify the location of our TLS certificate and private key in the Postfix configuration file.

Edit the main.cf file:

nano /etc/postfix/main.cf

Edit the TLS parameters as follows. Remember to replace mail.your-domain.com with your real hostname.

#Enable TLS Encryption when Postfix receives incoming emails
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

#Enable TLS Encryption when Postfix sends outgoing emails
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#Enforce TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Your Let's Encrypt certificate and private key are stored under the /etc/letsencrypt/live/mail.your-domain.com/ directory. With this server's hostname filled in, the same block reads:

#Enable TLS Encryption when Postfix receives incoming emails
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.kevwells.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.kevwells.com/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

#Enable TLS Encryption when Postfix sends outgoing emails
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#Enforce TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Your Let's Encrypt certificate and private key are stored under the /etc/letsencrypt/live/mail.kevwells.com/ directory.
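The two edits just made (the -o overrides on the submission service in master.cf, and the TLS parameters in main.cf) are easy to get subtly wrong: the submission block can be left commented out, one of the four protocol parameters can be forgotten, or the certificate paths can be left unset. The following audit script is an added example and not part of these notes; it parses both files line by line and reports each shortfall. It defaults to /etc/postfix/master.cf and /etc/postfix/main.cf but accepts other paths as arguments, and its main.cf parser assumes the one-line "key = value" layout used above (no continuation lines).

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the master.cf submission
# service and the main.cf TLS parameters configured above. Parsing is line based
# and assumes the simple "key = value" layout used in these notes (no multi-line
# continuation values). Usage: sh audit_postfix_tls.sh [master.cf] [main.cf]

# Print the value of parameter $2 from main.cf $1 (the last assignment wins).
main_cf_get() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]#]/ {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { v = substr($0, eq + 1); sub(/^[[:space:]]+/, "", v); val = v }
        }
        END { print val }' "$1"
}

# Return 0 if the protocol list in $1 excludes every legacy protocol version.
legacy_excluded() {
    list=" $(printf '%s' "$1" | tr ',' ' ') "
    for proto in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        case "$list" in *" !$proto "*) ;; *) return 1 ;; esac
    done
}

# Return 0 if main.cf $1 names a certificate and key and excludes SSLv2, SSLv3,
# TLSv1 and TLSv1.1 in all four protocol parameters; prints each shortfall.
tls_protocols_ok() {
    cf="$1"; bad=0
    for p in smtpd_tls_mandatory_protocols smtpd_tls_protocols \
             smtp_tls_mandatory_protocols smtp_tls_protocols; do
        if ! legacy_excluded "$(main_cf_get "$cf" "$p")"; then
            echo "$cf: $p does not exclude all of SSLv2 SSLv3 TLSv1 TLSv1.1" >&2
            bad=1
        fi
    done
    for p in smtpd_tls_cert_file smtpd_tls_key_file; do
        [ -n "$(main_cf_get "$cf" "$p")" ] || { echo "$cf: $p is not set" >&2; bad=1; }
    done
    return "$bad"
}

# Return 0 if master.cf $1 has an active (uncommented) submission service whose
# -o overrides force TLS, require SASL and reject unauthenticated relaying.
submission_overrides_ok() {
    block=$(awk '
        /^submission[[:space:]]/ { on = 1; print; next }
        on && /^[[:space:]]+-o/  { print; next }
        on && /^[^[:space:]#]/   { on = 0 }' "$1")
    [ -n "$block" ] || { echo "$1: no active submission service" >&2; return 1; }
    bad=0
    for o in smtpd_tls_security_level=encrypt smtpd_sasl_auth_enable=yes \
             smtpd_relay_restrictions=permit_sasl_authenticated,reject; do
        case "$block" in
            *"-o $o"*) ;;
            *) echo "$1: submission service lacks -o $o" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Run both checks against the live files (or the paths given as arguments).
master="${1:-/etc/postfix/master.cf}"; main="${2:-/etc/postfix/main.cf}"
if [ -r "$master" ] && [ -r "$main" ]; then
    if submission_overrides_ok "$master" && tls_protocols_ok "$main"; then
        echo "postfix submission/TLS audit passed"
    else
        echo "postfix submission/TLS audit found problems" >&2
    fi
fi
```

A commented-out submission stanza is reported as "no active submission service", which is exactly the default state of master.cf before the edit above; a protocol parameter that excludes only SSLv2 and SSLv3 is reported as still allowing TLSv1/TLSv1.1.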

 

Then restart Postfix:

systemctl restart postfix

If you run the following command, you will see Postfix listening on port 587 (and on 465 as well once that service is enabled in master.cf; the session below shows only 25 and 587):

ss -lnpt | grep master

root@gemini:/etc/apache2/sites-enabled#
root@gemini:/etc/apache2/sites-enabled# ss -lnpt | grep master
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=173714,fd=13))
LISTEN 0 100 0.0.0.0:587 0.0.0.0:* users:(("master",pid=173714,fd=18))
LISTEN 0 100 [::]:25 [::]:* users:(("master",pid=173714,fd=14))
LISTEN 0 100 [::]:587 [::]:* users:(("master",pid=173714,fd=19))
root@gemini:/etc/apache2/sites-enabled#

To delete all mail waiting in the queue:

postsuper -d ALL

root@gemini:/etc/postfix# postsuper -d ALL
postsuper: Deleted: 7 messages
root@gemini:/etc/postfix#
