Fast Postfix and Dovecot setup on Ubuntu 18.04


More than a year ago I did a comprehensive multiseries walkthrough about how to set up a mailserver using Postfix and Dovecot, with antispam, database backend, etc. I’ve been running it ever since without a hiccup.

For my recent LFCS certification I had to brush up on this knowledge a bit and wanted to find out how to do a quick but quite clean mailserver setup using both Postfix and Dovecot, but without some of the bells and whistles from the above-mentioned post.

If you want a fast and simple setup, via SSL/TLS, this guide is for you.

Before installing anything, be sure that your hostname is your fully qualified domain name. Check it with:

# hostname -f

This should output something like:

mail.cloudpro.vm

If this is not the case, change it:

# hostnamectl set-hostname mail.cloudpro.vm

For my test environment I’ve also set up 2 users, just like you would set up any Linux user with a home, shell, etc.

Then we can install postfix:

# apt install postfix

It will prompt you for 2 basic settings which will simply be:

  • Internet site
  • cloudpro.vm (YOUR domain name of course)

This will partially set up your /etc/postfix/main.cf file. Some other settings are still needed. Change the settings below and leave the rest:

smtpd_banner = $myhostname
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
inet_protocols = ipv4

The 1st option is a small security-related setting (the SMTP greeting then shows only the hostname instead of also naming the mail software) and the 4th option is optional, but essential for me because my setup doesn’t have IPv6.

The /etc/postfix/aliases is an interesting one because for me this was 100% new. I always worked with the /etc/aliases file and the ‘newaliases’ command, but have read a couple of times now that the new and improved way for postfix is the /etc/postfix/aliases file and the ‘postalias’ command.

So let’s say I want my ‘user1’ and ‘user2’ email to go to root as well. I’ll set up my /etc/postfix/aliases file like this:

postmaster: root
user1: user1, root
user2: user2, root

Delete the original files and generate the new database:

# rm /etc/aliases*
# postalias /etc/postfix/aliases

For Dovecot later on we can do some prepping in the /etc/postfix/master.cf file. This part stinks a bit because not all needed lines are present as comments, so you have to add some yourself – which is not a problem when copying and pasting, but is when you need to know them by heart for an exam:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
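The overrides above are easy to leave half-enabled when uncommenting the stock master.cf, so here is an added check (not part of the original post) that reads master.cf and reports which of them the active submission service lacks. The function names and the sample file are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit the submission stanza of a Postfix master.cf read on stdin.

# Overrides this guide sets on the submission service.
REQUIRED='smtpd_tls_security_level=encrypt
smtpd_sasl_auth_enable=yes
smtpd_tls_auth_only=yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_relay_restrictions=permit_sasl_authenticated,reject'

# Print the active "-o name=value" overrides of submission/inet, one per line.
# Continuation lines start with whitespace; commented-out lines are skipped.
submission_overrides() {
    awk '
        /^[ \t]*#/ { next }
        /^[^ \t]/  { in_sub = ($1 == "submission" && $2 == "inet") }
        in_sub     { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }
    '
}

# Report each required override that is absent; exit status = number missing.
audit_submission() {
    found=$(submission_overrides)
    missing=0
    for want in $REQUIRED; do
        if ! printf '%s\n' "$found" | grep -Fqx -e "$want"; then
            echo "MISSING: -o $want"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: service line uncommented, one override still commented
# out, and the relay restriction present only on a different service.
SAMPLE_INCOMPLETE='smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject'

printf '%s\n' "$SAMPLE_INCOMPLETE" | audit_submission || echo "submission stanza incomplete"
```

Run it against the real file with `audit_submission < /etc/postfix/master.cf`.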

Restart service and reload (the latter can show you warnings you might not notice with the former):

# systemctl restart postfix
# postfix reload

Important note before we go on: what this guide does NOT take into account and is outside the scope, is that your DNS records should be set (A, PTR, MX, SPF, DKIM and DMARC) and your firewall passes through all needed ports (25, 143, 465, 587 and 993). This really is about how to set up your server; all important MX and SMTP related stuff you should know OR find in the provided links.

Anyway, send your first test email:

# apt install mailutils
# su user1
$ echo "Hi, this is a test!" | mailx -s "Test subject" user2
$ exit
# mail

This will install the ‘mailutils’ package (which provides the ‘mailx’ command), switch to user1, send a test mail to user2, which will end up at user2 AND root (see aliases file), switch back to root and read the email. This really should go without a problem.

With a little bit of luck, you can even send mail to an external address, but this heavily depends on your IP address, IP reputation and all the above-mentioned DNS records! Test and check:

# echo "Hi, this is another test!" | mailx -s "External test" myemail@externaldomain.com
# cat /var/log/mail.log

Let’s get going with Dovecot next.

# apt install dovecot-core dovecot-imapd

This will create a lot of (not needed) config files. Navigate to /etc/dovecot/conf.d/ and edit the 10-auth.conf file. Edit these lines while leaving the rest:

disable_plaintext_auth = yes
auth_username_format = %n
auth_mechanisms = plain login

In the same directory, in 10-master.conf, make sure that the ‘service auth’ section reads as below and comment out the rest:

service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

Double-check that SSL is required in 10-ssl.conf.
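A check for the Dovecot settings that decide whether credentials can cross the network or the auth socket unprotected, added here as an example and not part of the original post; `audit_dovecot` and the sample input are constructed for illustration. It also flags the 0666 listener mode shown above: the socket is owned by postfix:postfix, so 0660 is sufficient.

```shell
#!/bin/sh
# Added example: flag weak TLS/auth settings in Dovecot config text read on stdin.
# Assumes "key = value" spacing, as in the conf.d files and in doveconf output.
audit_dovecot() {
    awk '
        { sub(/[ \t]*#.*/, "") }                      # drop comments
        /[{][ \t]*$/ {                                # a section opens
            depth++
            if ($1 == "unix_listener") listener[depth] = $2
            next
        }
        /^[ \t]*[}]/ { delete listener[depth]; depth--; next }
        $2 == "=" {
            if (depth == 0 && $1 == "ssl") ssl = $3
            if (depth == 0 && $1 == "disable_plaintext_auth" && $3 == "no")
                weak[++n] = "disable_plaintext_auth = no (plaintext logins allowed without TLS)"
            # Last octal digit non-zero: permission bits are set for other users.
            if ($1 == "mode" && (depth in listener) && $3 !~ /0$/)
                weak[++n] = listener[depth] " mode " $3 " (permission bits set for other users)"
        }
        END {
            # Built-in default is "ssl = yes": TLS is offered but not demanded.
            if (ssl == "") ssl = "yes"
            if (ssl != "required") weak[++n] = "ssl = " ssl " (TLS not enforced)"
            for (i = 1; i <= n; i++) print "WEAK: " weak[i]
            exit (n > 0)
        }
    '
}

# Constructed sample: the settings from this guide with 10-ssl.conf left at "yes".
SAMPLE_CONF='disable_plaintext_auth = yes
auth_username_format = %n
auth_mechanisms = plain login
ssl = yes
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}'

printf '%s\n' "$SAMPLE_CONF" | audit_dovecot || echo "review the settings flagged above"
```

On a live server, feed it the output of `doveconf -n`, which prints only non-default settings; that is why a missing ssl line is treated as the default.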

In 15-mailboxes.conf you can make sure all (standard) email boxes get created by adding

auto = create

to them. Like so:

  mailbox Drafts {
    auto = create
    special_use = \Drafts
  }
  mailbox Junk {
    auto = create
    special_use = \Junk
  }
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
  mailbox Sent {
    auto = create
    special_use = \Sent
  }

This is all. There are a lot of tutorials out there where you have to do a lot more, but for Ubuntu 18.04 this is all there is to it. Restart your services, check them, check your ports, send some test mails via CLI and check your logs:

# postfix reload
# systemctl restart postfix dovecot
# systemctl status postfix dovecot
# ss -tulpen | grep master
# ss -tulpen | grep dovecot
# echo "This is a testmail to user1" | mailx -s "Test user1" user1@cloudpro.vm
# echo "This is a testmail to user2" | mailx -s "Test user2" user2@cloudpro.vm
# su user1
$ mail
$ exit
# su user2
$ mail
$ exit

Any mail client should be able to connect now as well. Just try it! I’ve been using Mail.app from macOS and while writing the post I had to adjust some things here and there, but the above should be 100%.

When in trouble, just tail your log and go from there:

# tail -f /var/log/mail.log

One last note about security. The above setup is SSL/TLS enabled, which is good. But there are a lot more settings possible, for Dovecot as well as for Postfix. This is outside the scope of my post, because then it would defeat the ‘quick setup’ purpose of this guide. If I have to make 1 final recommendation though, it would be to use a valid certificate and not the default, self-signed certificates that we’ve used now.
