PostFix Tutorial

From ArchWiki

Introduction

This tutorial describes how to install a complete mail server using Postfix and Dovecot on an Arch Linux machine or VPS. This specific tutorial is based on my 256MB VPS, but it will work for any machine. Basic Linux knowledge is required, as I'm not describing every step in detail.

Base System

The base image is Arch Linux 2008.06. After booting it's better to disable root-logins in your SSH-server and create a new user as follows:

adduser <username>
usermod -a -G wheel,users,nobody,mail <username>

It's optional to rank the Arch Linux mirrors by speed, but it might speed up the installation:

pacman -Sy
pacman -S python
sed -i -e 's/^#S/S/g' /etc/pacman.d/mirrorlist
rankmirrors -v /etc/pacman.d/mirrorlist | tee /etc/pacman.d/mirrorlist.new && mv /etc/pacman.d/mirrorlist.new /etc/pacman.d/mirrorlist

Install the essential packages for this setup:

pacman -Syu
pacman -S sudo base-devel abs

Email Servers

Now that we have installed the basic packages, the next step is installing the email servers. As SMTP server we will install Postfix, and for IMAP Dovecot. Spamassassin and Postgrey are the best tools against spam, so let's install these too. Greylisting is at the moment a very effective way to block spam without scanning the message itself, so it does not waste any CPU cycles. On my server it is blocking about 95% of all spam; the other 5% is taken care of by Spamassassin. The only downside of greylisting is that incoming emails are delayed by a couple of minutes.


pacman -S postfix dovecot spamassassin
groupadd -g 5001 spamd
useradd -u 5001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin -m spamd
chown spamd:spamd /var/lib/spamassassin

Spamassassin

Edit the /etc/conf.d/spamd file and set --max-children to your liking. Spamassassin uses a lot of memory, so for a mail server with just a couple of users 1 child is plenty.

/etc/conf.d/spamd

SAHOME="/var/lib/spamassassin/"
SPAMD_OPTS="-c --max-children 1 --username spamd -H ${SAHOME} -s ${SAHOME}spamd.log --pidfile /var/run/spamd.pid"

Certificates

First we have to generate a self-signed certificate for Dovecot and Postfix. OpenSSL will ask for a passphrase. Any random string is fine and you don't have to remember it, but you will have to type it a second time to verify it. You will also have to type it once more when the second command rewrites the RSA key without the passphrase.

cd /etc/ssl/certs
# 2048-bit RSA key (1024-bit RSA is no longer considered strong enough)
openssl req -new -x509 -newkey rsa:2048 -days 3650 -keyout mail.key -out mail.crt
openssl rsa -in mail.key -out mail.key
mv mail.key /etc/ssl/private

Dovecot

We'll set up Dovecot and Postfix to use the Maildir structure to store emails. This stores every user's email in their home directory and not in a database. This is fine for this setup, but for a greater number of users it's better to use MySQL or PostgreSQL for storage. Dovecot will be set up so that users can use IMAP and IMAPS (SSL). Dovecot also has a SASL authentication server built in, so we don't have to set up a separate SASL server, thus saving memory.

/etc/dovecot/dovecot.conf

protocols = imap imaps
disable_plaintext_auth = yes
log_timestamp = "%b %d %H:%M:%S "
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/mail.crt
ssl_key_file = /etc/ssl/private/mail.key
mail_location = maildir:~/Maildir
mail_access_groups = mail
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      user = postfix
      group = postfix
      mode = 0660
    }
  }
}

Postfix

Next is Postfix. Its configuration file is very complex. Luckily for you, I did all the research, so you can copy and paste almost everything. The following settings still have to be changed:

myhostname: This is the hostname of your mail server (e.g. mail.example.com).

myorigin: This is the domain after the @ in the email addresses (e.g. jeffrey@**example.com**).

virtual_alias_domains: The same as *myorigin*.

/etc/postfix/main.cf

# Paths
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
# Domain settings
myhostname = mail.example.com
myorigin = example.com
mydestination = $myhostname, localhost.$mydomain, localhost
# Timeout settings and other limits
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
minimal_backoff_time = 300s
maximal_backoff_time = 1200s
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
smtp_helo_timeout = 60s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
# SMTP settings
smtpd_tls_cert_file=/etc/ssl/certs/mail.crt
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
#smtp_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination,
                               check_policy_service inet:127.0.0.1:10030
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_sasl_security_options = noanonymous
# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
# Network settings
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8
relayhost =
# Email and mailbox settings
alias_maps = hash:/etc/postfix/aliases
alias_database = $alias_maps
home_mailbox = Maildir/
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_size_limit = 0
# Misc
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
debug_peer_level = 2
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/man
sample_directory = /etc/postfix/sample
readme_directory = no
recipient_delimiter = +
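
A static check of the settings above, as an added example that is not part of the original tutorial: it confirms that the three values marked as "still have to be changed" no longer contain example.com, that virtual_alias_domains matches myorigin, and that nothing able to accept mail runs before reject_unauth_destination. The function names are hypothetical and the parser handles only the main.cf syntax used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): static checks on the main.cf above.
# Function names are hypothetical; a live host would query `postconf -n` instead.

# mc_get FILE PARAM: print PARAM's value with commas and line breaks folded to
# single spaces. Lines starting with whitespace continue the previous parameter.
mc_get() {
  awk -v want="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]/ { if (cur == want) val = val " " $0; next }
    { cur = $0; sub(/[ \t]*=.*/, "", cur)
      if (cur == want) { val = $0; sub(/^[^=]*=/, "", val) } }
    END { gsub(/[ \t,]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
  ' "$1"
}

# audit_main_cf FILE: print one finding per line; no output means no findings.
audit_main_cf() (
  rr=$(mc_get "$1" smtpd_recipient_restrictions)
  case " $rr " in
    *" reject_unauth_destination "*) before=${rr%%reject_unauth_destination*} ;;
    *) before=$rr; echo "relay: reject_unauth_destination is missing" ;;
  esac
  # A permit or an external check that runs before reject_unauth_destination
  # can accept mail for foreign domains.
  for word in $before; do
    case $word in
      permit_sasl_authenticated|permit_mynetworks) ;;
      permit*|check_*) echo "relay: $word runs before reject_unauth_destination" ;;
    esac
  done
  for p in myhostname myorigin virtual_alias_domains; do
    case $(mc_get "$1" "$p") in
      *example.com*) echo "placeholder: $p still contains example.com" ;;
    esac
  done
  [ "$(mc_get "$1" myorigin)" = "$(mc_get "$1" virtual_alias_domains)" ] ||
    echo "mismatch: virtual_alias_domains differs from myorigin"
)
```

Run it as `audit_main_cf /etc/postfix/main.cf` after editing the file; an empty result means none of the checks fired.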

Edit master.cf to let Postfix filter emails through Postgrey (which we will talk about later in this tutorial) and Spamassassin.

/etc/postfix/master.cf

# Replace the following line:
smtp      inet  n       -       n       -       -       smtpd
# with these two lines:
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
# And add the following three lines to the end of the file:
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/perlbin/vendor/spamc -f -e
        /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Set the Spamassassin rules. You might have to tweak the *required_score* a little. The default 6.31 seems great for me.

/etc/mail/spamassassin/local.cf

rewrite_header Subject *****SPAM*****
required_score 6.31
report_safe 1
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


Create user accounts

For each email user, create the appropriate account. Create your own script if you don't want to do everything manually.


useradd -m -G mail -s /sbin/nologin <username>
cd ~<username>
umask 077
mkdir -p Maildir/{cur,new,tmp}
mkdir -p Maildir/.Drafts/{cur,new,tmp}
mkdir -p Maildir/.Sent/{cur,new,tmp}
mkdir -p Maildir/.Trash/{cur,new,tmp}
chmod 0700 Maildir/{cur,new,tmp} 
chmod 0700 Maildir/.Drafts/{cur,new,tmp}
chmod 0700 Maildir/.Sent/{cur,new,tmp}
chmod 0700 Maildir/.Trash/{cur,new,tmp}
chown -R <username>:users *
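
The manual steps above wrapped in a script, as an added example that is not part of the original tutorial. The function names are hypothetical; the folder names, group names and login shell are the ones used on this page. The audit function lists any Maildir path that group or others can still access.

```shell
#!/bin/sh
# Added example: the manual steps above as a script (not from the original page).
# Folder names follow the tutorial; the function names are hypothetical.

# make_maildir HOME_DIR: create the Maildir tree, accessible to its owner only.
make_maildir() (
  umask 077                        # runs in a subshell: caller's umask is untouched
  for box in "" .Drafts .Sent .Trash; do
    for sub in cur new tmp; do
      mkdir -p "$1/Maildir${box:+/$box}/$sub"
    done
  done
  # mkdir -p keeps the mode of directories that already existed, so enforce it.
  find "$1/Maildir" -type d -exec chmod 0700 {} +
)

# audit_maildir HOME_DIR: list everything below Maildir that group or others
# can access. Empty output means the tree is private.
audit_maildir() {
  find "$1/Maildir" \( -perm -040 -o -perm -020 -o -perm -010 \
    -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# provision_user USERNAME: whole procedure for one account; must run as root.
provision_user() (
  # Refuse names that could be read as options or paths by the commands below.
  case $1 in ''|-*|*[!a-z0-9_-]*) echo "invalid username: $1" >&2; exit 1 ;; esac
  useradd -m -G mail -s /sbin/nologin "$1" || exit 1
  home=$(getent passwd "$1" | cut -d: -f6)
  make_maildir "$home" && chown -R "$1":users "$home/Maildir"
)
```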

Make sure the new users' email addresses are added to the virtual user map.

/etc/postfix/virtual

jeffrey@example.com jeffrey@localhost

Execute postmap /etc/postfix/virtual after saving this file.

Postgrey

Postgrey is in the community repository and can be installed via pacman:

pacman -Sy postgrey

Optionally, the files /etc/postfix/postgrey_whitelist_clients and /etc/postfix/postgrey_whitelist_recipients can be edited to whitelist domains and email addresses you trust. This is useful as these addresses won't be delayed because of greylisting.
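
How the greylisting decision described under Email Servers, and the effect of a recipient whitelist, play out in the request format that check_policy_service in main.cf uses. This is an added example, not Postgrey's code and not part of the original tutorial. The function names, the tab-separated database file, the 300-second delay and the exact-match whitelist are assumptions made for the illustration, and the sample request is constructed.

```shell
#!/bin/sh
# Added illustration of greylisting in Postfix's policy delegation format.
# Not Postgrey's code; delay, file layout and function names are assumptions.
GREY_DELAY=${GREY_DELAY:-300}   # seconds a new triplet has to wait (assumed)

# Constructed request in the name=value format Postfix sends to a policy service.
sample_request() {
  printf '%s\n' request=smtpd_access_policy protocol_state=RCPT \
    client_address=192.0.2.10 sender=alice@example.net "recipient=$1" ''
}

# greylist_decide DB WHITELIST NOW: read one request on stdin, print the reply.
# DB holds "client<TAB>sender<TAB>recipient<TAB>first_seen" lines.
greylist_decide() (
  db=$1 whitelist=$2 now=$3 client= sender= rcpt=
  touch "$db"
  while IFS= read -r line && [ -n "$line" ]; do
    case $line in
      client_address=*) client=${line#*=} ;;
      sender=*)         sender=${line#*=} ;;
      recipient=*)      rcpt=${line#*=} ;;
    esac
  done
  triplet=$(printf '%s\t%s\t%s' "$client" "$sender" "$rcpt" | tr 'A-Z' 'a-z')
  first=$(T="$triplet" awk -F'\t' \
    '($1 FS $2 FS $3) == ENVIRON["T"] { print $4; exit }' "$db")
  if [ -f "$whitelist" ] && grep -qixF -- "$rcpt" "$whitelist"; then
    action=DUNNO                                   # trusted recipient: never delayed
  elif [ -z "$first" ]; then
    printf '%s\t%s\n' "$triplet" "$now" >> "$db"   # first sighting: remember when
    action="DEFER_IF_PERMIT Greylisted, please retry later"
  elif [ $((now - first)) -lt "$GREY_DELAY" ]; then
    action="DEFER_IF_PERMIT Greylisted, please retry later"   # retried too soon
  else
    action=DUNNO                                   # retried after the delay: pass on
  fi
  printf 'action=%s\n\n' "$action"
)
```

A legitimate server retries after the temporary rejection and gets through once the delay has passed, which is where the delay of a couple of minutes comes from; a sender that never retries is never accepted.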

Starting the Servers

Finally! We're done. Now let's start all the servers and hope they all work.

Edit /etc/rc.conf and make sure you *add* the daemons listed:

DAEMONS=(spamd postgrey dovecot postfix)

This makes sure all daemons will be started automatically when rebooting. For now, start them manually:

/etc/rc.d/spamd start
/etc/rc.d/postgrey start
/etc/rc.d/dovecot start
/etc/rc.d/postfix start

Add mail.example.com to your favourite email clients, enter your user account settings, optionally enable SSL and your personal fully-featured mail-server is ready!

© Copyright Jeffrey Gelens 2008 under a Creative Commons BY-NC-SA License unless otherwise noted.
