Details: Setting up Email Servers

Email Servers are much harder to configure than webservers. First of all, we need to creating two servers, an SMTP server for sending mail and a POP3 server for receiving it. Secondly, a complete mail service involves more than these alone. We need to discuss how to set up other parts of a complete mail system that our servers will need to be able to do anything useful. This includes setting up an MTA (Mail-Transfer-Agent) and a means of authenticating who is authorized to use our servers.

There are two applications that often are discussed together and these are postfix and dovecot. This is not necessarily what you will read elsewhere, but as I see it, dovecot provides the actual SMTP and POP3 servers, as well as an IMAP server, if desired, and postfix provides the MTA. They work well together, so long as they are configured properly to do so. This will require a little work on your part.

Installing postfix

When you install postfix in a Debian environment, it presents you with the option of configuring as an Internet Site or as a SmartHost. Both have a slightly different configuration in /etc/postfix/main.cf and both can be made to work. I am not sure, but i think that Debian requires that for the Internet Site choice, the computer the software is installed on should have a FQDN, or fully-qualified-domain-name. In Debian this is set not with the domainname command, which is reserved for the yellowpage software, but by putting the following lines at the top of the /etc/hosts file.

127.0.0.1         localhost
127.0.1.1         mydomainname.tld   nickname

where mydomainname.tld is your FQDN, and nickname can be anything you choose. I remind both newbies and veterans alike, that mydomainname.tld is not a name you make up, but must be domain registered to you, usually for a fee, by an appropriate authority, usually called a domain name registrar. Before things can work, you, at some point, need to log into your account with your registrar, and add or modify your Zone DNS record so you have an A record that tells the world that your FQDN should by directed to the fixed IP address your ISP assigned to your server. There are alternative ways of accomplishing this, but if you know about them, you likely do not need any help from me.

Now let's finish configuring postfix by hand.   I strongly recommend, in this day and age, to use only secure communication for both the SMTP and POP3 protocols. This requires telling postfix the location of the private key and fullchain of your security certificate by adding the following two lines to /etc/postfix/mail.cf.

smtpd_tls_key_file = /path/to/security/certificate/privkey.pem
smtpd_tls_cert_file = /path/to/security/certificate/fullchain.pem

We need also to add a few lines to /etc/postfix/mail.cf to tell it how to determine who is authorized to use the email servers and here I took a path less-travelled. The recommended way of doing this involves using a database of users and passwords, and Debian currently recommends using mariaDB.   I chose not to do this, not because I thought it was a bad idea, but because I knew nothing about databases and it seemed like a poor idea, when I was struggling to learn about servers, also to start learning about databases when the database would have only a single entry, mine. I instead chose to use the same authorization method used when logging into the system in the first place, which I think is referred to as auth/PAM. I initially tried using /etc/passwd as my authorized user/password database, but either postfix or dovecot complained that root could not be a user. I then copied /etc/passwd to /etc/passwd.dovecot and deleted the line for root, and while I was at it, the lines of about 40 other standard linux useraccounts. I left my own account, as well as dovecot and dovenull, and configured postfix and dovecot accordingly. For postfix, that meant adding the following lines to the end of /etc/postfix/mail.cf.

smtp_sasl_type = dovecot
smtp_sasl_path = private/auth
smtp_sasl_auth_enable = yes

I believe that how auth/PAM authentification works, changed for me on 7 May, 2020, with the PureOS-10 upgrade to cracklib-runtime version 2.9.2-3.2+b1. Prior to that, if the pop3 username was given as userA@mydomain.tld, PAM compared the password given to that of userA in the /etc/passwd.dovecot file I created and if there was a match, authority was granted. After the upgrade, the both the username (userA in our example) and password given to the pop3 server both had to be identical to those in /etc/passwd.dovecot for authority to be given.

In simpler language, whenever I paid someone to set up a pop3 server for me, I told cpanel that the username for the email account I wanted to establish was "myname@mydomain.tld", and that was the username I told my email client to use. When I initially set up my own pop3 server using PAM authorization, I did the same thing and PAM checked the password I gave against that for user "myname" on the computer hosting my servers. This worked fine until a software upgrade on 7 May 2020, after which, for things to work, it was necessary for my email client to tell the pop3 server my username was "myname", not "myname@mydomain.tld".

If you want to enable secure smtp, and I recommend strongly you do, you should uncomment (by removing the leading # that starts) the five lines defining smtps in /etc/postfix/master.cf so they look as follows.

smtps     inet     n     -     y     -     -     smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no

Installing and configuring dovecot

Different distributions provide diffent ways of doing this.   In some, all the configuration is accomplished in a single configuration file, etc/dovecot/dovecot.conf.   In others, including Debian, the dovecot.conf file is fairly vanilla and directs the system to look for multiple configuration files in the /etc/dovecot/conf.d directory.

To install dovecot on Debian-based systems issue the command "sudo apt install dovecot-core dovecot-dev dovecot-pop3d".   I did not install or configure dovecot-imapd, but you may wish to.

To configure dovecot:

In /etc/dovecot/conf.d/10-mail.conf, set first_valid_uid = 1000 and last_valid_uid = 2000. Comment out the first_valid_gid and last_valid_gid lines, and uncomment (remove the #) from "#mailbox_list_index_very_dirty_syncs = yes".

In /etc/dovecot/conf.d/10-auth.conf, where it says "auth_mechanisms = plain", I recommend changing this to "auth_mechanisms = plain login". This allows both the "AUTH PLAIN" and the older "AUTH LOGIN" protocol to be used, whereas the deafult allows just "AUTH PLAIN".   If any of the clients you will use to contact your server require the CRAM-MD5 mechanism, also add "cram-md5" to auth_mechanisms and follow these directions. A good description of the various auth_mechanisms is found at https://www.samlogic.net/articles/smtp-commands-reference-auth.htm.

In /etc/dovecot/conf.d/auth-system.conf.ext, in the first passdb section, uncomment args = dovecot. Much further down, in the User databases section, there is the option after driver = passwd of uncommenting #[blocking=no], and #args =  .   If you are following my unusal way to do authentification, change "driver = passwd" to "driver = passwd-file" and set "args = /etc/password.dovecot". Do not uncomment "#[blocking = no]".

In /etc/dovecot/conf.d/10-master.conf, go to the section Postfix smtp-auth and uncomment the first two lines, add the two lines below

user = postfix
group = postfix

and finally, uncomment the trailing closing bracket "}".

In /etc/dovecot/conf.d/10-ssl.conf, near the top, make sure you have ssl = yes. Uncomment the ssl_cert and ssl_key entries and correct them to give the correct locations for your configuration, i. e., the ones you entered in the /etc/postfix/mail.cf file.

One suggestion that may be helpful, but does not have to be followed is to edit /etc/dovecot/conf.d/10-logging.conf and set auth_debug = yes. I found the extra debugging information logged to the log files to be helpful during the debugging phase.   Afterwards I set it to "no" so that the log files were less cluttered.

Hopefully, the above configuration options should enable the postfix and dovecot services to working properly. To initiate both services immediately, enter the commands "sudo systemctl start postfix" and "sudo systemctl start dovecot". These commands will need to be repeated whenever any changes are made to the configuration files. To enable these services to start each time the system boots up, issue the commands "sudo systemctl enable postfix" and "sudo systemctl enable dovecot".

Email Addons: SPF, DKIM, and DMARC

SPK, DKIM, and DMARC are programs that influence postfix and are designed to reduce the amount of spam circulating throughout the Internet. Debian offers packages like openspf, opendkim, and opendmarc for installing them. Good directions for installing and configuring these packages, and making the necessary changes to the postfix configuration files is available at Linode.

If things do not work as expected, a good guide for debugging things is Trouble-shooting Problems with Postfix, Dovecot, and Mysql, also at Linode. If you install and want to check your SPF and DKIM implementation, do not use an Internet site for that. Simply send a simple email to auth-results@verifier.port25.com and you will receive, by return email, a very clear and detailed ctitique of your implementation.

Return to menu     Next in series    


| Emmes Technologies Home |


Last updated 11 May, 2020