Table of Contents

Ubuntu - Email - Install Postfix Mail Server

Postfix is responsible for interacting with the other email servers in the world. It sends or receives mail from other servers.

Dovecot interacts with your email client (Thunderbird, etc.), and is the intermediary between your email client and Postfix.

Install Postfix

sudo apt install postfix

Virtual Mailboxes

Create a user that will actually own all the virtual mailboxes. 

useradd -m -r -s /sbin/nologin vmail

NOTE: This creates the user and gives it a home directory: ~vmail.

The virtual mailboxes will be placed in this directory.

Virtual mailboxes allow us to unlink the users of the email system from the users on the underlying operating system. This means that there can be mailboxes associated with users that do not have Linux accounts, and those users that do have Linux accounts can have multiple email accounts.

Configuring Postfix

The configuration files for Postfix are usually found in /etc/postfix.

The two most important files are main.cf and master.cf.

Basic Configuration

The file main.cf will be completely replaced.

It should start with the basic configuration:

/etc/postfix/main.cf
mydomain = sharewiz.net
myhostname = mail2.$mydomain
myorigin = $mydomain
mydestination = $myhostname, localhost, localhost.$mydomain, localhost.localdomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all
mailbox_size_limit = 0
home_mailbox = mail/
 
# Prevent bad guys from querying for valid email addresses.
disable_vrfy_command = yes

NOTE:

  • myorigin defines the domain used for outgoing messages.
  • mydestination gives the non-virtual domains for which mail will be accepted. mydestination should not contain any of your virtual mail domains.
    • $mydomain is not contained in mydestination. That is intentional. It will instead be placed in the list of virtual mail domains (described later).

Postfix will reject any mail that it receives that is not destined for a domain or machine that is not listed in mydestination (or in the virtual mail domains defined later) unless it comes from a machine on the local network. In this way, mail from the local network can be sent to anyone out onto the open internet and mail from anyone on the open internet can be delivered to a known user, but Postfix will not act as an open relay.

  • mynetworks defines the local network. In this case the local network is confined to the server itself.
  • mailbox_size_limit = 0 is used to disable limits on the size of the mail that can be received into a mailbox.
  • home_mailbox define the name of the mailbox used for local users. In this case the mail will be placed in a hidden directory in the users home directory and it will take the form of a directory itself (the trailing slash indicates that the maildir format should be used).

Local Aliases

/etc/postfix/main.cf
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
 
# Configure list of users/recipients
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

NOTE: This requires than an aliases file /etc/aliases exists.

You should not have to create this file nor change it, but if you do change it, you will need to run the following before the changes will take effect: 

postalias /etc/aliases

Virtual Mailboxes

How should local delivery be performed?

Local delivery is that act of moving a piece of email from Postfix to the users mailbox.

For Local Delivery, we could use:

Using the Postfix LDA

To configure the Postfix local delivery agent for virtual mailboxes, add the following to main.cf:

/etc/postfix/main.cf
virtual_mailbox_domains = sharewiz.net abcd.com
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
virtual_mailbox_base=/home/vmail
virtual_uid_maps = static:997
virtual_gid_maps = static:997
virtual_minimum_uid = 997

NOTE:

  • virtual_mailbox_domains defines the virtual mail domains for which Postfix will accept mail.
  • virtual_mailbox_maps defines where the actual virtual mailboxes are defined. An example of this file is:
    /etc/postfix/virtual_mailbox_maps
    peter@sharewiz.net      sharewiz.net/peter/mail/
peter@abcd.net          abcd.com/peter/mail/
admin@sharewiz.net      sharewiz.net/admin/mail/
    • Each line defines a virtual mailbox and consists of two items.
      • The first item is the email address of the virtual mailbox (should be lowercase).
      • The second item is the physical address on disk.
        • Each of the second entries ends with a slash. This indicates that the maildir format should be used rather than the mbox format (maildir places the mail into individual files inside the maildir whereas mbox is one giant file that contains the all of the mail messages).
        • The mail directory for peter@sharewiz.net would be /home/vmail/sharewiz.net/peter/mail/.
    • Whenever you modify this file you must run postmap in order to Postfix to be aware of the changes: 
      postmap /etc/postfix/virtual_mailbox_maps
  • virtual_uid_maps defines the user of the owner of the mail files. This is the number of the vmail user as found in /etc/passwd.
  • virtual_gid_maps defines the group of the owner of the mail files. This is the number of the vmail group as found in /etc/group.
  • virtual_minimum_uid must be equal to or smaller than the UID specified in virtual_uid_maps. It is associated with a sanity check that make more sense if you were using more sophisticated set ups.

Using the Dovecot LDA

/etc/postfix/main.cf
....
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
 
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps
virtual_mailbox_domains = sharewiz.net abcd.com
virtual_transport=dovecot
 
# Uncomment the following if dovecot-lda seems to hang.
#dovecot_destination_concurrency_limit = 1

NOTE:

  • mailbox_command indicates that dovecot-lda should be used for delivering mail to local (not virtual) mailboxes.
  • virtual_mailbox_maps is the same file as given above in the Postfix LDA, but the value given for the second entry is ignored (it must still be present, but the actual value has no effect).
    /etc/postfix/virtual_mailbox_maps
    peter@sharewiz.net      sharewiz.net/peter/mail/
peter@abcd.net          abcd.com/peter/mail/
admin@sharewiz.net      sharewiz.net/admin/mail/
  • virtual_transport gives the name of the process entry in the master.cf file that is used to deliver mail to the virtual mailboxes. That entry is (this should be added to master.cf):
    /etc/postfix/master.cf
    dovecot   unix -        n       n       -       -       pipe
  flags=DRhu
  user=vmail:vmail
  argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}

Virtual Aliases

virtual_alias_maps is a file that contains aliases for the virtual mailboxes.

An example file is:

/etc/postfix/virtual_alias_maps
admin@abcd.com             admin@sharewiz.net
admin@mail2.abcd.com       admin@sharewiz.net
admin@mail2.sharewiz.net   admin@sharewiz.net
peter@mail2.abcd.com       peter@abcd.com
peter@mail2.sharewiz.net   peter@sharewiz.net

NOTE: Each line defines an alias, and the alias contains two items.

  • The first part is the address that represents the alias.
  • The second part is the destination, which may either be a virtual mailbox or another alias.

Transport Layer Security (SSL)

This assumes that you have already created an certificate using OpenSSL.

The one I am using is named ssl-cert-mail.

/etc/postfix/main.cf
# Configure TLS.
tls_random_source=dev:/dev/urandom
 
# Settings that control how email is received when using TLS.
smtpd_tls_cert_file=/etc/pki/tls/certs/ssl-cert-mail.crt
smtpd_tls_key_file=/etc/pki/tls/private/ssl-cert-mail.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_eecdh_grade = strong
 
# Settings that control how email is sent when using TLS.
smtp_tls_cert_file=/etc/pki/tls/certs/ssl-cert-mail.crt
smtp_tls_key_file=/etc/pki/tls/private/ssl-cert-mail.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls=yes
 
# Settings that control authentication.
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_security_options=noanonymous

NOTE: smtpd_sasl_path must correspond to the last part of the auth-client listener path given in the Dovecot configuration file.

Normally, Postfix listens for email on port 25 (smtp).

This email may either be sent in plain text or may be encrypted (with STARTTLS).

In addition, two other ports can be observed if desired.

These three ports are configured in master.cf with:

/etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

NOTE: You can confirm that TLS is being used for email by examining the headers of a received message.

In the Received field, if it says with ESMTPS then TLS was used.

Remember that for TLS to be used both the source and the destination must support it, and many email servers still do not; Gmail does, so you can use that to send your test message.

Header Checks

The following settings define restrictions that are applied to the email header information to determine whether the email should be permitted or rejected.

They are chosen to provide a reasonable level of security:

/etc/postfix/master.cf
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        permit
 
smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        warn_if_reject reject_unknown_client,
        permit
 
smtpd_sender_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        warn_if_reject reject_unknown_sender_domain,
        permit
 
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        warn_if_reject reject_unknown_recipient_domain,
        warn_if_reject reject_unknown_sender_domain,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client cbl.abuseat.org,
        permit
 
smtpd_data_restrictions =
        reject_unauth_pipelining,
        permit

Firewall Configuration

In order for Postfix to operate some firewall ports need to be opened:

Running Postfix

Before starting Postfix you should make sure that you have run postmap on all appropriate files; in this case on virtual_mailbox_maps and virtual_alias_maps: 

postmap virtual_mailbox_maps
postmap virtual_alias_maps

NOTE: This should also be done whenever these files change.

Start Postfix using: 

systemctl start postfix

If Postfix is already running, and you have changed a configuration file, you can get Postfix to reread these files using: 

systemctl reload postfix

You can stop Postfix with: 

systemctl stop postfix

You can get Postfix status with: 

systemctl status postfix

Once Postfix is running, you should verify that it is capable of receiving email and storing it into the appropriate virtual mailbox.

Once Postfix is running properly, you can enable it so that it starts automatically when the server starts using: 

systemctl enable postfix