Email with Postfix, Dovecot, and MySQL

Author: Sharon Campbell <mailto:scampbell@linode.com> Description: Setting up a mail server with Postfix, ovecot, and !"S#$ Location: http:%%librar".linode.com%email%postfix%postfix&.'.()dovecot&.*.+')m"s,l eywords: email,mail,postfix,dovecot,m"s,l,ubuntu +&.*-,dovecot &, dovecot &.*.+', postfix &.'.( License: CC ./)0 1.* Pu!lished: !onda", !a" +1th, &*+1 Modified: 2rida", !arch +-th, &*+- b" Sharon Campbell 3his guide shows "ou how to set up a secure mail server on "our $inode with Postfix, ovecot, and !"S#$. ." the time "ou reach the end, "ou4ll 5now how to create mailboxes for "our users and send and receive email for "our domains. /ou4ll learn how to add new domains and users with !"S#$, and how to prevent "our server from being used as an 6open rela"6 spam hub. /our users will be able to securel" connect to their mailboxes with standard email clients li5e !icrosoft 7utloo5 and 8pple !ail. Contents

9etting Started o :hat4s 0ot Covered

o o o o o

Prere,uisites ;ow <t :or5s Configuring 0S <nstalling an SS$ Certificate 2inding the ;ostname

<nstalling Pac5ages !"S#$

o o o

Creating the atabase 8dding ata 3esting

Postfix ovecot 8dding 0ew omains, =mail 8ddresses, and 8liases

o o o

omains =mail 8ddresses 8liases

"ettin# Started
Setting up a mail server is a big pro>ect. .efore installing and configuring the necessar" pac5ages on "our mail server, "ou should learn what ever"thing does and understand how the components wor5 together to
Page 1 of 26

send and receive email. 2or the purposes of this guide, we4ll assume that "ou4ll be using the following pac5ages and operating s"stem:

Postfix: 3his !ail 3ransfer 8gent ?!38@ handles rela"ing mail between different servers. <t decides what to do with email from the outside world, and whether a particular user is allowed to send email using "our server. <t handles both incoming and outgoing S!3P. Postfix hands off local deliver" ?that is, the actual saving of the mail files on the server@ to ovecot4s $ocal !ail 3ransfer Protocol service ?$!3P@. Postfix also lets ovecot ta5e care of authentication before users are allowed to send email from the server. :e4ll use version &.'.(. Dovecot: 3his <!8P%P7P1 server handles re,uests from users who want to log in and chec5 their email. ovecot4s $!3P service functions as the !ail eliver" 8gent ?! 8@ b" saving mail files on the server. ovecot also handles all authoriAation. <t chec5s users4 email addresses and passwords in the !"S#$ database before allowing them to view or send email. :e4ll use version &.*.+'. MySQL: 3his database server stores loo5up tables for domains, usernames and passwords, and aliases on the mail server. :e4ll use version +-.+- istrib B.B.&'. $!untu %&'() L*S: 3hese instructions are designed to wor5 with Cbuntu +&.*- $3S. 7ther distributions can also be made to wor5 with Postfix, ovecot, and !"S#$, but those instructions are outside the scope of this guide.

<f "ou encounter problems while using this guide, please double)chec5 that "ou are using Cbuntu +&.*-, and that the pac5age versions match the ones listed above. /ou can also consult the 3roubleshooting Problems with Postfix, ovecot, and !"S#$ guide.

+hat,s -ot .overed

2or the sa5e of brevit", we4ve decided not to cover the following topics in this guide:

Spam and virus scanning for incoming messages to "our users. /ou could use Spam8ssassin to add that functionalit" later. :ebmail to allow users to access their email from a web browser. 9C<s for administration. /ou could use php!"8dmin for !"S#$ or Postfix 8dmin for Postfix to add that functionalit" later.

Prere/uisites
.efore setting up "our mail server, "ou4ll need to set up "our $inode as specified in the 9etting Started and Securing /our Server guides. /ou4ll also need to verif" that "ou4ve completed the following steps:

.ooted into Cbuntu +&.*- $3S. Set a root password. Set the hostname and updated the %etc%hosts file. Cpdated and upgraded the operating s"stem and all installed pac5ages. Created a $inux user with sudo access. Optional: Created SS; 5e"s for secure SS; sessions. !ade sure that "our firewall is not bloc5ing an" of the standard mail ports ?&B, -(B, BDE, ++*, ''B, +-1, and ''1@.

7nce "ou4ve verified these prere,uisites, "ou4re read" to continue.

Page 2 of 26

0ow 1t +or2s
.efore we dive into the nitt")gritt" of getting ever"thing set up, let4s ta5e a loo5 at how we want ever"thing to wor5 together once it4s installed. 3he following process details what happens when an incoming message from the someone@somewhereelse.com email account ma5es its wa" to "our $inode. +. someone@somewhereelse.com sends an email to me@mydomain.net. &. 0S is chec5ed. 3he !F record for mydomain.net points to m" $inode. 1. 3he message reaches Postfix, the !38. -. Postfix chec5s whether it is allowed to rela" for mydomain.net b" chec5ing the virtual domains table in !"S#$. B. !"S#$ returns a positive response for mydomain.net. (. Postfix rela"s the message using ovecot4s $!3P soc5et. E. ovecot saves the message to the me@mydomain.net mailbox on the server, which is located at /var/mail/mydomain.net/me/.

3he email is now saved in the appropriate mailbox on the server. 0ext let4s see what happens when "ou chec5 mail. 3he process starts when "ou decide "ou want to chec5 "our me3mydomain'net email from "our local email client. +. $ocal !ail Client to ovecot: Can < ma5e a secure <!8P ConnectionG &. ovecot to $ocal !ail Client: Sure. ;ere4s m" SS$ certificate. 0ow < need "our username and password. 1. $ocal !ail Client to ovecot: ;ere4s m" username and password. -. ovecot to !"S#$: !"S#$, are this username and password in the users tableG

B. !"S#$ to ovecot: /es. 3his username and password are in the users table. (. E. D. ovecot accesses the mailbox at /var/mail/mydomain.net/me/. ovecot gets the mail files. ovecot shows the messages to "our local mail client using the <!8P protocol.

Page 3 of 26

0ow "ou can read "our email using 7utloo5, 8pple !ail, 3hunderbird, etc. 2inall", let4s see what happens when "ou send an email message from "our account. $et4s sa" "ou want to send a repl" from me@mydomain.net bac5 to someone@somewhereelse.com. /ou compose a message in "our local mail client and send it. :hat happensG +. $ocal !ail Client to Postfix: Can < ma5e an S!3P connectionG &. Postfix to $ocal !ail Client: Sure. /ou have to use encr"ption. ;ere4s m" SS$ certificate. 0ow < need "our username and password. 1. $ocal !ail Client to Postfix: ;ere4s m" username and password. -. Postfix to ovecot: ovecot, chec5 this username and password for me. B. ovecot to !"S#$: !"S#$, are this username and password in the users tableG

(. !"S#$ to ovecot: /es. 3his username and password are in the users table. E. ovecot to Postfix: Postfix, this user is authenticated.

D. Postfix to $ocal !ail Client: /ou are allowed to send "our message. '. $ocal !ail Client to Postfix: ;ere4s the message.

Page 4 of 26

Postfix sends the email. 3his is 5nown as rela"ing. 3he reason there are so man" processes involved is for securit" ) "ou don4t want >ust an"one to be able to send email through "our server, otherwise the" would ,uic5l" start sending lots of spam. 3he authentication process ma5es it safe for "ou and "our authoriAed users to send email using this server while bloc5ing ever"one else.

.onfi#urin# D-S
Start thin5ing about the best time to switch "our 0S records. 7nce "ou switch the !F records, "ou4ll start sending and receiving mail from "our $inode. <f "ou currentl" have live email accounts on another server, "ou shouldn4t change the 0S until "ou have ever"thing set up and wor5ing. <n the meantime, "ou can test "our mail server setup with the default domain name $inode assigns to "our server. 8nd if "ou4re setting up a new domain, "ou might as well point the 0S records at "our $inode now so "ou don4t have to change an"thing later. =ither wa", "ou can lower the time to live ?33$@ on "our domain4s Aone file now, in anticipation of the upcoming 0S change. 3his will help the 0S records propagate faster when "ou4re read" to switch them. /ou should do this whether "ou are planning to change "our 0S right awa" or later. :hen "ou4re read" to switch the 0S and start sending mail to the server, edit "our domain4s !F record so it points to "our $inode4s domain or <P address, similar to the example below:
example.com example.com mail.example.com MX MX MX 10 10 10 example.com 12.34.56.78 12.34.56.78

!a5e sure "ou do this for all domains and subdomains that might receive email for "our domain. <f "ou use $inode4s 0S !anager, "ou will need to create an !F record that points to the desired domain or subdomain, and then create an 8 record for that domain or subdomain as well, that points to the correct <P address.

1nstallin# an SSL .ertificate

Page 5 of 26

/ou should thin5 about whether "ou need to purchase a valid SS$ certificate or not. <n this guide, "ou4ll use the default self)signed certificate that comes with ovecot for free. 3his certificate encr"pts "our mail connections >ust li5e a purchased certificate, but "our email users will receive warnings about the certificate when the" attempt to set up their email accounts. 3his can be confusing for users, and it ma" encourage bad securit" habits b" forcing them to accept a self) signed certificate. <f "ou4re going to set up all of "our users4 mail clients "ourself, or if "ou have a small number of tech)savv" users, this might not be a problem. /ou4ll need to use "our best >udgement to decide whether "ou need to purchase a signed SS$ certificate or not. 2or information about SS$ certificates, see these guides in the $inode $ibrar".

4indin# the 0ostname

/ou4ll need "our $inode4s hostname to configure ovecot and Postfix. .efore following these instructions, ma5e sure "ou4ve set a hostname. ;ere4s how to find "our $inode4s hostname:
1. 7pen a terminal window and log in to "our $inode via SS;.

&. 2ind "our server4s hostname b" entering the following command, and then ma5e a note of it:
3. hostname

-. 2ind "our server4s full"),ualified domain name ?2# 0@ b" entering the following command, and then ma5e a note of it:
5. hostname -f

Save these hostnames ) "ou4ll need them laterH

1nstallin# Pac2a#es
0ow that "ou understand how ever"thing wor5s and have finished preparing "our $inode to act as a mail server, let4s configure "our server for mail. :e4ll start b" installing all of the necessar" pac5ages. ;ere4s how: +. $og in as the root user b" entering the following command:
2. su

1. =nter the password for the root user when prompted. -. <nstall the re,uired pac5ages b" entering the following command. ;ere4s what "ou4ll install:
5. apt-get install postfix postfix-mys l !o"ecot-co#e !o"ecot-imap! !o"ecot-pop3! !o"ecot-lmtp! !o"ecot-mys l mys l-se#"e#

(. :hen prompted, t"pe a new secure password for the root !"S#$ user, as shown below.

E. 3"pe the password again, as shown below. !a5e sure "ou remember what it is ) "ou4ll need it later.

Page 6 of 26

D. /ou4ll be prompted to select a Postfix configuration. Select 1nternet Site, as shown below.

'. /ou4ll be prompted to enter a System mail name, as shown below. /ou can use "our 2# 0 or an" domain name that resolves to the server. 3his will become "our server4s default domain for mail when none is specified.

/ou >ust installed pac5ages to support three applications: !"S#$, Postfix, and ovecot. 0ow it4s time to configure the individual applications to wor5 together as a mail server.

MySQL
Page 7 of 26

2irst, "ou4ll create a dedicated database in !"S#$ for "our mail server. <t will have three tables: one with domains, one with email addresses and encr"pted passwords, and one with email aliases. /ou4ll also create a dedicated !"S#$ user for Postfix and ovecot. 0ote Strictl" spea5ing, "ou don4t have to use !"S#$ to store this information. /ou could, for example, >ust list it all in the Postfix and ovecot config files. .ut that gets unwield" prett" ,uic5l" when "ou have lots of domains and users. ;aving the information in a database ma5es it easier to access and update, and it should ma5e the maintenance of "our mail server easier in the long run.

.reatin# the Data!ase

;ere4s how to create the necessar" database and tables in !"S#$:
1. Create a new database b" entering the following command. :e4ll call the database mailse#"e# in

this example.
2. mys la!min -p c#eate mailse#"e#

1. =nter the !"S#$ root password. -. $og in to !"S#$ b" entering the following command:
5. mys l -p mailse#"e#

(. =nter the root !"S#$ password. /ou should see a command line prompt that loo5s li5e this:
7. mys l$

8. Create a new !"S#$ user ?mailuse#@ b" entering the following command. /ou4ll grant the user

local, read)level access on the mailserver database, and "ou4ll also set the user4s password, which is mailuse#pass in the example below. Please change this and ma5e a note of the password for future use.
%. &'()* +,-,.* /) mailse#"e#.0 */ 1mailuse#121127.0.0.11 34,)*353,4 67 1mailuse#pass18

+*. Ieload !"S#$4s privileges to ma5e sure the user has been added successfull":
11. 5-9+: ;'3<3-,&,+8

12. =nter the following command to create a table for the domains that will receive mail on "our $inode.

/ou can cop" and paste the whole bloc5 of code at once ) !"S#$ won4t execute it until "ou get to the semicolon ?8@. 3his will create a table called "i#tual=!omains and give it two fields, an i! field, and a name field for the domains.
13. .',(*, *(6-, >"i#tual=!omains> ? 14. >i!> int?11@ )/* )9-- auto=inc#ementA 15. >name> "a#cha#?50@ )/* )9--A 16. ;'3M('7 B,7 ?>i!>@ 17. @ ,)&3),C3nno46 4,5(9-* .:('+,*Cutf88

18. =nter the following command to create a table for all of the email addresses and passwords. 3his

command will create a table called "i#tual=use#s. <t has a !omain=i! field to associate each entr" with a domain, a passDo#! field to hold an encr"pted version of each user4s password, and an email field to hold each user4s email address.
1%. .',(*, *(6-, >"i#tual=use#s> ? 20. >i!> int?11@ )/* )9-- auto=inc#ementA 21. >!omain=i!> int?11@ )/* )9--A 22. >passDo#!> "a#cha#?106@ )/* )9--A 23. >email> "a#cha#?100@ )/* )9--A 24. ;'3M('7 B,7 ?>i!>@A 25. 9)3E9, B,7 >email> ?>email>@A 26. 5/',3&) B,7 ?!omain=i!@ ',5,',).,+ "i#tual=!omains?i!@ /) 4,-,*, .(+.(4, 27. @ ,)&3),C3nno46 4,5(9-* .:('+,*Cutf88

28. =nter the following command to create a table for "our email aliases. 3his lets "ou forward mail

from one email address to another. 3his command will create a table called "i#tual=aliases. <t has
Page 8 of 26

an i! field, a !omain=i! field which will associate each entr" with a domain, a sou#ce field for the original email address, and a !estination field for the target email address.
2%. .',(*, *(6-, >"i#tual=aliases> ? 30. >i!> int?11@ )/* )9-- auto=inc#ementA 31. >!omain=i!> int?11@ )/* )9--A 32. >sou#ce> "a#cha#?100@ )/* )9--A 33. >!estination> "a#cha#?100@ )/* )9--A 34. ;'3M('7 B,7 ?>i!>@A 35. 5/',3&) B,7 ?!omain=i!@ ',5,',).,+ "i#tual=!omains?i!@ /) 4,-,*, .(+.(4, 36. @ ,)&3),C3nno46 4,5(9-* .:('+,*Cutf88

CongratulationsH /ou have successfull" created the database and necessar" tables in !"S#$.

Addin# Data
0ow that "ou4ve created the database and tables, let4s add some data to !"S#$. ;ere4s how:
1. 8dd "our domains to the "i#tual=!omains table. /ou can add as man" domains as "ou want in the
<(-9,+ section of the command below, but in this example "ou4ll add >ust the primar" domain ?example.com@, "our hostname ?hostname@, "our 2# 0 ?hostname.example.com@, and localhost.example.com. ?/ou4ll add localhost in a different file later@. .e sure to replace example.com and hostname with "our own domain name and hostname. /ou4ll need an i! value a name value for each entr". Separate each entr" with a comma ?A@, and close the last one with a semicolon ?8@. 3)+,'* 3)*/ >mailse#"e#>.>"i#tual=!omains> ?>i!> A>name>@ <(-9,+ ?111A 1example.com1@A ?121A 1hostname.example.com1@A ?131A 1hostname1@A ?141A 1localhost.example.com1@8

and

2. 3. 4. 5. 6. 7. 8.

0ote !a5e a note of which i! goes with which domain ) "ou4ll need for the next two steps.
2. 8dd email addresses to the "i#tual=use#s table. <n this example, "ou4ll add two new email

3. 3)+,'* 3)*/ >mailse#"e#>.>"i#tual=use#s> 4. ?>i!>A >!omain=i!>A >passDo#!> A >email>@ 5. <(-9,+ 6. ?111A 111A ,).'7;*?1fi#stpassDo#!1A ./).(*?1F6F1A +96+*'3)&?+:(?'()4?@@A -16@@@A 1email12example.com1@A 7. ?121A 111A ,).'7;*?1secon!passDo#!1A ./).(*?1F6F1A +96+*'3)&?+:(?'()4?@@A -16@@@A 1email22example.com1@8 8. <f "ou want to set up an email alias, add it to the "i#tual=aliases table. Just li5e in the previous step, we4ll need an i! value, and a !omain=i! value chosen from the "i#tual=!omains list in Step +. 3he sou#ce should be the email address "ou want to redirect. 3he !estination should be the

addresses, email12example.com and email22example.com, with the passwords fi#stpassDo#! and secon!passDo#!, respectivel". .e sure to replace the examples with "our own information, but leave the password encr"ption functions intact. 2or each entr" "ou4ll need to suppl" an i! value, a !omain=i!, which should be the i! number for the domain from Step + ?in this case we4re choosing 1 for example.com@, a passDo#! which will be in plain text in this command but which will get encr"pted in the database, and an email, which is the full email address. =ntries should be separated b" a comma, and the final entr" should be closed with a semicolon.

target email address, and can be an" valid email address on "our server or an"where else.
%. 3)+,'* 3)*/ >mailse#"e#>.>"i#tual=aliases> 10. ?>i!>A >!omain=i!>A >sou#ce>A >!estination>@ 11. <(-9,+ 12. ?111A 111A 1alias2example.com1A 1email12example.com1@8

Page 9 of 26

3hat4s itH 0ow "ou4re read" to verif" that the data was successfull" added to !"S#$.

*estin#
0ow that "ou4ve entered all of the information into !"S#$, "ou need to double chec5 that it4s there. ;ere4s how:
1. Chec5 the contents of the "i#tual=!omains table b" entering the following command:
2. +,-,.* 0 5'/M mailse#"e#."i#tual=!omains8

1. Kerif" that "ou see the following output:

4. G----G-----------------------G 5. H i! H name H 6. G----G-----------------------G 7. H 1 H example.com H 8. H 2 H hostname.example.com H %. H 3 H hostname H 10. H 4 H localhost.example.com H 11. G----G-----------------------G 12. 4 #oDs in set ?0.00 sec@ 13. Chec5 the "i#tual=use#s table b" entering

the following command:

14. +,-,.* 0 5'/M mailse#"e#."i#tual=use#s8

+B. Kerif" that "ou see the following output ?the hashed passwords will be longer than the" appear below@:
16. 17. 18. 1%. 20. 21. 22. G----G-----------G-------------------------------------G--------------------G H i! H !omain=i! H passDo#! H email H G----G-----------G-------------------------------------G--------------------G H 1 H 1 H F6F574ef443%73a552%c20616aI7c6828f7 H email12example.com H H 2 H 1 H F6F030fa%4Icfc6554023a%aa!%0a8c%ca1 H email22example.com H G----G-----------G-------------------------------------G--------------------G 2 #oDs in set ?0.01 sec@ 23. Chec5 the "i#tual=use#s table b" entering the following command: 24. +,-,.* 0 5'/M mailse#"e#."i#tual=aliases8

&B. Kerif" that "ou see the following output:

26. 27. 28. 2%. 30. 31. G----G-----------G-------------------G--------------------G H i! H !omain=i! H sou#ce H !estination H G----G-----------G-------------------G--------------------G H 1 H 1 H alias2example.com H email12example.com H G----G-----------G-------------------G--------------------G 1 #oD in set ?0.00 sec@

1&. <f ever"thing loo5s good, "ou4re done with !"S#$H =nter the following command to exit !"S#$:
33. exit

0ow "ou4re read" to set up Postfix so "our server can accept incoming messages for "our domains.

Postfix
8s the !ail 3ransfer 8gent, Postfix decides where to rela" messages that get directed to "our server from an"where else on the <nternet. <t also handles all S!3P connections and sends out messages for "our users. <n this section, "ou4ll modif" some of these Postfix configuration options:

Kirtual domains, aliases, and users, so "ou don4t have to ma5e an actual C0<F user for ever"bod" who needs an email address !"S#$ access, so it can read the list of domains for which it should be handling mail ;and)off for incoming email to ovecot4s $!3P service so it can get saved on the server
Page 10 of 26

S38I33$S encr"ption for all connections, for increased securit" 8ccess to ports -(B and BDE for sending, in addition to the default port &B ;and)off for authentication to ovecot

;ere4s how to configure Postfix: +. .efore doing an"thing else, enter the following command to ma5e a cop" of the default Postfix configuration file. 3his will come in hand" if "ou mess up and need to revert to the default configuration.
2. cp JetcJpostfixJmain.cf JetcJpostfixJmain.cf.o#ig 4. nano JetcJpostfixJmain.cf

1. 7pen the configuration file for editing b" entering the following command:
5. 3he default configuration file loo5s li5e this. 3he myhostname and my!estination lines are specific

to "our server, but ever"thing else should be as it loo5s here: 4ile excerpt:/etc/postfix/main.cf
K +ee Jus#Jsha#eJpostfixJmain.cf.!ist fo# a commente!A mo#e complete "e#sion

K 4eIian specificL +pecifying a file name Dill cause the fi#st K line of that file to Ie use! as the name. *he 4eIian !efault K is JetcJmailname. Kmyo#igin C JetcJmailname smtp!=Ianne# C Fmyhostname ,+M*; Fmail=name ?9Iuntu@ Iiff C no K appen!ing .!omain is the M9(1s MoI. appen!=!ot=my!omain C no K 9ncomment the next line to gene#ate N!elaye! mailN Da#nings K!elay=Da#ning=time C 4h #ea!me=!i#ecto#y C no K *-+ pa#amete#s smtp!=tls=ce#t=fileCJetcJsslJce#tsJssl-ce#t-snaOeoil.pem smtp!=tls=Oey=fileCJetcJsslJp#i"ateJssl-ce#t-snaOeoil.Oey smtp!=use=tlsCyes smtp!=tls=session=cache=!ataIase C It#eeLFP!ata=!i#ecto#yQJsmtp!=scache smtp=tls=session=cache=!ataIase C It#eeLFP!ata=!i#ecto#yQJsmtp=scache K +ee Jus#Jsha#eJ!ocJpostfixJ*-+=',(4M,.gR in the postfix-!oc pacOage fo# K info#mation on enaIling ++- in the smtp client. myhostname C hostname.example.com alias=maps C hashLJetcJaliases alias=!ataIase C hashLJetcJaliases myo#igin C JetcJmailname my!estination C example.comA hostname.example.comA localhost.example.comA localhost #elayhost C mynetDo#Os C 127.0.0.0J8 SLLffffL127.0.0.0TJ104 SLL1TJ128

Page 11 of 26

mailIox=siRe=limit C 0 #ecipient=!elimite# C G inet=inte#faces C all

6. Comment out all of the lines in the K*-+ pa#amete#s section, and then paste in the four new lines

shown below. Since we4re using ovecot for authentication, we4re going to use ovecot4s default certificate rather than Postfix4s default certificate. 2or increased securit", we4re also going to force users to use 3$S encr"ption. 0ote <f "ou have purchased an SS$ certificate for "our mail server, "ou should use the path to that certificate and its corresponding 5e", not the default ovecot certificate. 7therwise, "ou can >ust use the following values. =xplanation of parameters:
o o o o

smtpdLtlsLcertLfile: 3he location of "our SS$ certificate. smtpdLtlsL5e"Lfile: 3he location of "our SS$ certificate4s private 5e". smtpdLuseLtls: 3his tells connecting mail clients that S38I33$S encr"ption is available. smtpdLtlsLauthLonl": 3his forces connecting mail clients to use S38I33$S before users are allowed to authenticate, ensuring that "our users4 passwords are never sent in plain text.

4ile excerpt:/etc/postfix/main.cf
K *-+ pa#amete#s Ksmtp!=tls=ce#t=fileCJetcJsslJce#tsJssl-ce#t-snaOeoil.pem Ksmtp!=tls=Oey=fileCJetcJsslJp#i"ateJssl-ce#t-snaOeoil.Oey Ksmtp!=use=tlsCyes Ksmtp!=tls=session=cache=!ataIase C It#eeLFP!ata=!i#ecto#yQJsmtp!=scache Ksmtp=tls=session=cache=!ataIase C It#eeLFP!ata=!i#ecto#yQJsmtp=scache smtp!=tls=ce#t=fileCJetcJsslJce#tsJ!o"ecot.pem smtp!=tls=Oey=fileCJetcJsslJp#i"ateJ!o"ecot.pem smtp!=use=tlsCyes smtp!=tls=auth=only C yes

7. Cop" and paste the following values into the config file below the 3$S settings. 3his will ease the

restrictions and allow users to send email from their home or office. ." default, onl" users who are logged into the server locall" are able to send email. 3he" will be re,uired to log in with a password before being able to send email ) this is ver" important, or an"one could start using "our server to send spamH 3he smtp!=sasl=type and smtp!=sasl=path lines tell Postfix to use ovecot for user authentication. ovecot alread" authenticates users chec5ing their email, so it ma5es sense to have it handle outgoing authentication too. =xplanation of parameters:
o

smtpdLsaslLt"pe: S8S$ ?Simple 8uthentication and Securit" $a"er@ is the framewor5 for authentication that Postfix uses. 8uthentication is needed so that onl" authoriAed users can use "our server to send mail. <n this case, we4re telling Postfix to use ovecot4s authentication. smtpdLsaslLpath: 3his is the path to the authentication soc5et. 3he path used here is relative to /var/spool/postfix/. 3he soc5et is located at /var/spool/postfix/private/auth, or it will be when we create it with ovecot.

Page 12 of 26

smtpdLsaslLauthLenable: 3his tells Postfix to let people send email using this server if the"4ve successfull" authenticated. <f this was turned off, Postfix would let people send email onl" if the" were alread" on the server ?e.g., the" were logged in with SS;@. smtpdLrecipientLrestrictions: 3his tells Postfix which t"pes of users are allowed to send email to other email addresses using the server. ?Specificall", it applies to messages that have a ICP3 37 component.@ 3he first two parameters we added tell Postfix to allow sending for S8S$)authenticated users and for users connecting from a networ5 listed in the mynetDo#Os parameter ?in our case, >ust the server4s local networ5@. 3he final parameter tells Postfix to re>ect sending email unless the recipient is for someone on this server.

4ile excerpt:/etc/postfix/main.cf
K,naIling +M*; fo# authenticate! use#sA an! han!ing off authentication to 4o"ecot smtp!=sasl=type C !o"ecot smtp!=sasl=path C p#i"ateJauth smtp!=sasl=auth=enaIle C yes smtp!=#ecipient=#est#ictions C pe#mit=sasl=authenticate!A pe#mit=mynetDo#OsA #eMect=unauth=!estination

8. Comment out the existing my!estination line and replace it with one for localhost. 3his allows

"ou to use the virtual domains listed in our !"S#$ table. <t4s important that there is no overlap between the domains in the !"S#$ table and the domains in the my!estination line. Meeping the localhost entr" in my!estination lets "ou 5eep things simple for mail sent within the server using localhost, which could be helpful if "ou4re ever having problems with "our virtual domains. 4ile excerpt:/etc/postfix/main.cf
Kmy!estination C example.comA hostname.example.comA localhost.example.comA localhost my!estination C localhost

'. 8dd a new line for local mail deliver" ?the service that actuall" saves the emails to individual user mailboxes@. :e4re telling Postfix not to use its own $ocal eliver" 8gent ?$ 8@ and instead use ovecot4s $!3P ?$ocal !ail 3ransfer Protocol@ for local deliver". 3his applies to all virtual domains listed in the !"S#$ table. 4ile excerpt:/etc/postfix/main.cf
K:an!ing off local !eli"e#y to 4o"ecot1s -M*;A an! telling it Dhe#e to sto#e mail "i#tual=t#anspo#t C lmtpLunixLp#i"ateJ!o"ecot-lmtp

+*. 8dd the following values to configure "our virtual domains, users, and aliases. 0o changes are necessar". =xplanation of parameters:
o

o o

virtualLmailboxLdomains: ;ere "ou tell Postfix that "ou4re using !"S#$ to store virtual domains, and then give it a path to another file where "ou4ll put all the !"S#$ connection details. virtualLmailboxLmaps: Same as above, but for email users. virtualLaliasLmaps: Same as above, but for aliases.

4ile excerpt:/etc/postfix/main.cf
K<i#tual !omainsA use#sA an! aliases

Page 13 of 26

"i#tual=mailIox=!omains C mys lLJetcJpostfixJmys l-"i#tual-mailIox-!omains.cf "i#tual=mailIox=maps C mys lLJetcJpostfixJmys l-"i#tual-mailIox-maps.cf "i#tual=alias=maps C mys lLJetcJpostfixJmys l-"i#tual-alias-maps.cf

++. Compare "our Postfix configuration file to our final configuration file shown below. <f necessar", ma5e changes to "our file before proceeding. 4ile excerpt:/etc/postfix/main.cf
K +ee Jus#Jsha#eJpostfixJmain.cf.!ist fo# a commente!A mo#e complete "e#sion

K 4eIian specificL +pecifying a file name Dill cause the fi#st K line of that file to Ie use! as the name. *he 4eIian !efault K is JetcJmailname. Kmyo#igin C JetcJmailname smtp!=Ianne# C Fmyhostname ,+M*; Fmail=name ?9Iuntu@ Iiff C no K appen!ing .!omain is the M9(1s MoI. appen!=!ot=my!omain C no K 9ncomment the next line to gene#ate N!elaye! mailN Da#nings K!elay=Da#ning=time C 4h #ea!me=!i#ecto#y C no K *-+ pa#amete#s Ksmtp!=tls=ce#t=fileCJetcJsslJce#tsJssl-ce#t-snaOeoil.pem Ksmtp!=tls=Oey=fileCJetcJsslJp#i"ateJssl-ce#t-snaOeoil.Oey Ksmtp!=use=tlsCyes Ksmtp!=tls=session=cache=!ataIase C It#eeLFP!ata=!i#ecto#yQJsmtp!=scache Ksmtp=tls=session=cache=!ataIase C It#eeLFP!ata=!i#ecto#yQJsmtp=scache smtp!=tls=ce#t=fileCJetcJsslJce#tsJ!o"ecot.pem smtp!=tls=Oey=fileCJetcJsslJp#i"ateJ!o"ecot.pem smtp!=use=tlsCyes smtp!=tls=auth=only C yes K,naIling +M*; fo# authenticate! use#sA an! han!ing off authentication to 4o"ecot smtp!=sasl=type C !o"ecot smtp!=sasl=path C p#i"ateJauth smtp!=sasl=auth=enaIle C yes smtp!=#ecipient=#est#ictions C pe#mit=sasl=authenticate!A pe#mit=mynetDo#OsA #eMect=unauth=!estination K +ee Jus#Jsha#eJ!ocJpostfixJ*-+=',(4M,.gR in the postfix-!oc pacOage fo# K info#mation on enaIling ++- in the smtp client. myhostname C host.example.com alias=maps C hashLJetcJaliases alias=!ataIase C hashLJetcJaliases myo#igin C JetcJmailname

Page 14 of 26

Kmy!estination C example.comA hostname.example.comA localhost.example.comA localhost my!estination C localhost #elayhost C mynetDo#Os C 127.0.0.0J8 SLLffffL127.0.0.0TJ104 SLL1TJ128 mailIox=siRe=limit C 0 #ecipient=!elimite# C G inet=inte#faces C all K:an!ing off local !eli"e#y to 4o"ecot1s -M*;A an! telling it Dhe#e to sto#e mail "i#tual=t#anspo#t C lmtpLunixLp#i"ateJ!o"ecot-lmtp K<i#tual !omainsA use#sA an! aliases "i#tual=mailIox=!omains C mys lLJetcJpostfixJmys l-"i#tual-mailIox-!omains.cf "i#tual=mailIox=maps C mys lLJetcJpostfixJmys l-"i#tual-mailIox-maps.cf "i#tual=alias=maps C mys lLJetcJpostfixJmys l-"i#tual-alias-maps.cf

+&. Save the changes "ou4ve made to the /etc/postfix/main.cf file. +1. Create the three files "ou specified earlier. 3hese files will tell Postfix how to connect to !"S#$ to read the lists of domains, email addresses, and aliases. Create the file for virtual domains b" entering the following command:
14. nano JetcJpostfixJmys l-"i#tual-mailIox-!omains.cf

15. =nter the following values. 8t a minimum, "ou4ll need to change the password entr" to the one "ou

created for mailuse#. <f "ou used a different user, database name, or table name, customiAe those settings as well. 4ile excerpt:/etc/postfix/mysql-virtual-mailbox-domains.cf
use# C mailuse# passDo#! C mailuse#pass hosts C 127.0.0.1 !Iname C mailse#"e# ue#y C +,-,.* 1 5'/M "i#tual=!omains U:,', nameC1Vs1

+(. Save the changes "ou4ve made to the /etc/postfix/mysql-virtual-mailbox-domains.cf file. +E. Iestart Postfix b" entering the following command:
18. se#"ice postfix #esta#t

19. =nter the following command to ensure that Postfix can find "our first domain. .e sure to replace

with "our first virtual domain. 3he command should return 1 if it is successfulN if nothing is returned, "ou have an issue.
example.com 20. postmap example.com mys lLJetcJpostfixJmys l-"i#tual-mailIox-!omains.cf

&+. Create the connection file for "our email addresses b" entering the following command:
22. nano JetcJpostfixJmys l-"i#tual-mailIox-maps.cf

&1. =nter the following values. !a5e sure "ou use "our own password, and ma5e an" other changes as needed. 4ile excerpt:/etc/postfix/mysql-virtual-mailbox-maps.cf
use# C mailuse# passDo#! C mailuse#pass hosts C 127.0.0.1 !Iname C mailse#"e# ue#y C +,-,.* 1 5'/M "i#tual=use#s U:,', emailC1Vs1

&-. Save the changes "ou4ve made to the /etc/postfix/mysql-virtual-mailbox-maps.cf file. &B. Iestart Postfix b" entering the following command:
26. se#"ice postfix #esta#t

Page 15 of 26

27. 3est Postfix to verif" that it can find the first email address in "our !"S#$ table. =nter the following

command, replacing email12example.com with the first email address in "our !"S#$ table. /ou should again receive 1 as the output:
28. postmap email12example.com mys lLJetcJpostfixJmys l-"i#tual-mailIox-maps.cf

&'. Create the file that will allow Postfix to access the aliases in !"S#$ b" entering the following command:
30. nano JetcJpostfixJmys l-"i#tual-alias-maps.cf

1+. =nter the following values. 8gain, ma5e sure "ou use "our own password, and ma5e an" other changes as necessar". 4ile excerpt:/etc/postfix/mysql-virtual-alias-maps.cf
use# C mailuse# passDo#! C mailuse#pass hosts C 127.0.0.1 !Iname C mailse#"e# ue#y C +,-,.* !estination 5'/M "i#tual=aliases U:,', sou#ceC1Vs1

1&. Save the changes "ou4ve made to the /etc/postfix/mysql-virtual-alias-maps.cf file. 11. Iestart Postfix b" entering the following command:
34. se#"ice postfix #esta#t

35. 3est Postfix to verif" that it can find "our aliases b" entering the following command. .e sure to

replace alias2example.com with the actual alias "ou entered:

36. postmap alias2example.com mys lLJetcJpostfixJmys l-"i#tual-alias-maps.cf

3his should return the email address to which the alias forwards, which is email12example.com in this example.
37. !a5e a cop" of the JetcJpostfixJmaste#.cf file:
38. cp JetcJpostfixJmaste#.cf JetcJpostfixJmaste#.cf.o#ig

1'. 7pen the configuration file for editing b" entering the following command:
40. nano JetcJpostfixJmaste#.cf

41. $ocate and uncomment the two lines starting with suImission and smtps. 3his will allow "ou to

send mail securel" on ports BDE and -(B, in addition to port &B ?which is also secure with our SS$ setup@. 3he first section of "our JetcJpostfixJmaste#.cf file should resemble the following: 4ile excerpt:/etc/postfix/master.cf
K K ;ostfix maste# p#ocess configu#ation file. 5o# !etails on the fo#mat K of the fileA see the maste#?5@ manual page ?comman!L Nman 5 maste#N@. K K 4o not fo#get to execute Npostfix #eloa!N afte# e!iting this file. K K CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC K se#"ice type p#i"ate unp#i" ch#oot DaOeup maxp#oc comman! G a#gs K ?yes@ ?yes@ ?yes@ ?ne"e#@ ?100@ K CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC smtp inet n smtp! Ksmtp inet n 1 postsc#een Ksmtp! pass smtp! K!nsIlog unix 0 !nsIlog Ktlsp#oxy unix 0 tlsp#oxy suImission inet n smtp! K -o syslog=nameCpostfixJsuImission

Page 16 of 26

K -o K -o K -o K -o smtps K -o K -o K -o K -o K -o

smtp!=tls=secu#ity=le"elCenc#ypt smtp!=sasl=auth=enaIleCyes smtp!=client=#est#ictionsCpe#mit=sasl=authenticate!A#eMect milte#=mac#o=!aemon=nameC/'3&3)(*3)& inet n smtp! syslog=nameCpostfixJsmtps smtp!=tls=D#appe#mo!eCyes smtp!=sasl=auth=enaIleCyes smtp!=client=#est#ictionsCpe#mit=sasl=authenticate!A#eMect milte#=mac#o=!aemon=nameC/'3&3)(*3)&

42. Save the changes "ou4ve made to the JetcJpostfixJmaste#.cf file.

-1. Iestart Postfix b" entering the following command:

44. se#"ice postfix #esta#t

CongratulationsH /ou have successfull" configured Postfix.

Dovecot
ovecot allows users to log in and chec5 their email using P7P1 and <!8P. <n this section, "ou4ll configure ovecot to force users to use SS$ when the" connect so that their passwords are never sent to the server in plain text. Csers will have to connect using the standard SS$ ports ) ''1 for <!8P and ''B for P7P1 ) and onl" those ports. ovecot4s $!3P service will function as the ! 8 and store incoming messages in the proper locations on the server. ovecot will also be handling all user authentication for mail. ovecot & uses a number of different configuration files. 3he primar" configuration file contains a few directives, and then several inclusions of other configuration files. 3his helps to separate different configuration parameters logicall" so the"4re not all grouped together in one file. 3his is a ma>or change from ovecot +, where virtuall" ever"thing was configured in the same file. <n this section, "ou4ll configure ovecot to:

Set the <!8P, P7P1, and $!3P protocols efine the mail location Cse !"S#$ for username%password loo5ups for authentication Configure needed soc5ets for authentication and $!3P Ie,uire SS$ encr"ption

/ou4ll modif" a total of E ovecot configuration files. ;ere4s the list:

%etc%dovecot%dovecot.conf: ovecot4s main configuration file %etc%dovecot%conf.d%+*)mail.conf: eals with the server4s file s"stem %etc%dovecot%conf.d%+*)auth.conf: efines how user authentication is handled %etc%dovecot%conf.d%auth)s,l.conf.ext: 0ew authentication file for S#$)t"pe authentication %etc%dovecot%dovecot)s,l.conf.ext: 8n included authentication file with the !"S#$ connection parameters %etc%dovecot%conf.d%+*)master.conf: :here soc5ets are configured %etc%dovecot%conf.d%+*)ssl.conf: :here SS$)related parameters are specified

;ere4s how to configure ovecot:

Page 17 of 26

+. Cop" all of the configuration files so that "ou can easil" revert bac5 to them if needed. =nter the following commands, one b" one:
2. 3. 4. 5. 6. 7. cp cp cp cp cp cp JetcJ!o"ecotJ!o"ecot.conf JetcJ!o"ecotJ!o"ecot.conf.o#ig JetcJ!o"ecotJconf.!J10-mail.conf JetcJ!o"ecotJconf.!J10-mail.conf.o#ig JetcJ!o"ecotJconf.!J10-auth.conf JetcJ!o"ecotJconf.!J10-auth.conf.o#ig JetcJ!o"ecotJ!o"ecot-s l.conf.ext JetcJ!o"ecotJ!o"ecot-s l.conf.ext.o#ig JetcJ!o"ecotJconf.!J10-maste#.conf JetcJ!o"ecotJconf.!J10-maste#.conf.o#ig JetcJ!o"ecotJconf.!J10-ssl.conf JetcJ!o"ecotJconf.!J10-ssl.conf.o#ig

D. =nter the following command to open the main configuration file for editing:
%. nano JetcJ!o"ecotJ!o"ecot.conf

0ote Clic5 this lin5 to see the final, complete version of our dovecot.conf example file.
10. Kerif" that !o"ecot.conf is including all of the other configuration files. 3his option should be

enabled b" default: 4ile excerpt:/etc/dovecot/dovecot.conf

Winclu!e conf.!J0.conf

11. 8dd the following line to /etc/dovecot/dovecot.conf so

ovecot 5nows to support <!8P, P7P1, and $!3P. <n this example, we have inserted it below the existing Winclu!e=t#y Jus#Jsha#eJ!o"ecotJp#otocols.!J0.p#otocol line: 4ile excerpt:/etc/dovecot/dovecot.conf
K ,naIle installe! p#otocols Winclu!e=t#y Jus#Jsha#eJ!o"ecotJp#otocols.!J0.p#otocol p#otocols C imap pop3 lmtp

+&. Save "our changes to the /etc/dovecot/dovecot.conf file. +1. 7pen the /etc/dovecot/conf.d/10-mail.conf file for editing b" entering the following command. 3his file allows us to control how ovecot interacts with the server4s file s"stem to store and retrieve messages.
14. nano JetcJ!o"ecotJconf.!J10-mail.conf

0ote Clic5 this lin5 to see the final, complete version of our +*)mail.conf example file. 3his is a long file, so "ou ma" need to use "our editor4s search feature to find the values "ou need to edit.
15. 2ind the mail=location variable, uncomment it, and then set it to the following value. 3his tells

ovecot where to loo5 for mail. <n this case, the mail will be stored in /var/mail/vhosts/example.com/user/, where example.com and use# are variables that get pulled from the connecting email address. 2or example, if someone logs in to the server with the email address email12example.com, ovecot will use example.com for V!, and email1 for Vn. /ou can change this path if "ou want, but "ou4ll have to change it ever"where else the mail storage path is referenced in this tutorial. <t4s useful to 5eep this location in mind if "ou ever need to manuall" download the raw mail files from the server. 4ile excerpt:/etc/dovecot/conf.d/10-mail.conf
mail=location C mail!i#LJ"a#JmailJ"hostsJV!JVn

16. 2ind the mail=p#i"ilege!=g#oup variable. Cncomment it, and then set it to the following value.

3his allows ovecot to write to the /var/mail/ folder.

Page 18 of 26

4ile excerpt:/etc/dovecot/conf.d/10-mail.conf
mail=p#i"ilege!=g#oup C mail

+E. Save "our changes to the /etc/dovecot/conf.d/10-mail.conf file. +D. =nter the following command to verif" the permissions for /var/mail:
1%. ls -l! J"a#Jmail

&*. Kerif" that the permissions for /var/mail are as follows:

21. !#Dx#Ds#-x 2 #oot mail 40%6 Ma# 6 15L08 J"a#Jmail

&&. Create the /var/mail/vhosts/ folder and the folder?s@ for each of "our domains b" entering the following command:
23. mO!i# -p J"a#JmailJ"hostsJexample.com 24. Create the "mail user with a user and group id of

B*** b" entering the following commands, one b" one. 3his user will be in charge of reading mail from the server.

25. g#oupa!! -g 5000 "mail 26. use#a!! -g "mail -u 5000 "mail -! J"a#Jmail

27. Change the owner of the /var/vmail/ folder and its contents to belong to "mail b" entering the

following command:
28. choDn -' "mailL"mail J"a#Jmail

&'. 7pen the user authentication file for editing b" entering the command below. /ou need to set up authentication so onl" authenticated users can read mail on the server. /ou also need to configure an authentication soc5et for outgoing mail, since we told Postfix that ovecot was going to handle that. 3here are a few different files related to authentication that get included in each other.
30. nano JetcJ!o"ecotJconf.!J10-auth.conf

0ote Clic5 the lin5 to see the final, complete version of +*)auth.conf. 1+. isable plain)text authentication b" uncommenting this line: 4ile excerpt:/etc/dovecot/conf.d/10-auth.conf
!isaIle=plaintext=auth C yes

32. Set the auth=mechanisms b" modif"ing the following line:

4ile excerpt:/etc/dovecot/conf.d/10-auth.conf
auth=mechanisms C plain login

33. 8dd a hash tag ?K@ to comment out the s"stem user login line:

4ile excerpt:/etc/dovecot/conf.d/10-auth.conf
KWinclu!e auth-system.conf.ext

34. =nable !"S#$ authentication b" uncommenting the auth-s l.conf.ext line. 3hat section should

loo5 li5e this: 4ile excerpt:/etc/dovecot/conf.d/10-auth.conf

KWinclu!e auth-system.conf.ext Winclu!e auth-s l.conf.ext KWinclu!e auth-l!ap.conf.ext KWinclu!e auth-passD!file.conf.ext KWinclu!e auth-checOpassDo#!.conf.ext KWinclu!e auth-"popmail.conf.ext

Page 19 of 26

KWinclu!e auth-static.conf.ext

1B. Save "our changes to the /etc/dovecot/conf.d/10-auth.conf file. 1(. 0ow "ou need to create the /etc/dovecot/conf.d/auth-sql.conf.ext file with "our authentication information. =nter the following command to create the new file:
37. nano JetcJ!o"ecotJconf.!Jauth-s l.conf.ext

1D. Paste the following lines into in the new file: 4ile excerpt:/etc/dovecot/conf.d/auth-sql.conf.ext
pass!I P !#i"e# a#gs C Q use#!I P !#i"e# a#gs C Q C s l JetcJ!o"ecotJ!o"ecot-s l.conf.ext

C static ui!C"mail gi!C"mail homeCJ"a#JmailJ"hostsJV!JVn

=xplanation of parameters:
o

tells ovecot how to loo5 up users for authentication. :e4re telling ovecot to use !"S#$. <n the a#gs line, we4re also specif"ing the file that contains the !"S#$ connection information. use#!I tells ovecot where to loo5 for users4 mail on the server. :e4re using a static driver since the path will be in the same format for ever"one.
pass!I

1'. Save "our changes to the /etc/dovecot/conf.d/auth-sql.conf.ext file. -*. Cpdate the /etc/dovecot/dovecot-sql.conf.ext file with our custom !"S#$ connection information. 7pen the file for editing b" entering the following command:
41. nano JetcJ!o"ecotJ!o"ecot-s l.conf.ext

0ote Clic5 the lin5 to see the final, complete version of dovecot)s,l.conf.ext.
42. Cncomment and set the !#i"e# line as shown below:

4ile excerpt:/etc/dovecot/dovecot-sql.conf.ext
!#i"e# C mys l

43. Cncomment the connect line and set "our !"S#$ connection information. !a5e sure "ou use "our

own password and an" other custom settings: 4ile excerpt:/etc/dovecot/dovecot-sql.conf.ext

connect C hostC127.0.0.1 !InameCmailse#"e# use#Cmailuse# passDo#!Cmailuse#pass

44. Cncomment the !efault=pass=scheme line and set it to +:(512-.'7;*. 3his tells

ovecot to expect the passwords in an ecr"pted format ?which is how the" are stored in the database@. 4ile excerpt:/etc/dovecot/dovecot-sql.conf.ext
!efault=pass=scheme C +:(512-.'7;*

45. Cncomment the passDo#!= ue#y line and set it to the following. 3his is a !"S#$ ,uer" that

ovecot uses to retrieve the password from the database.

Page 20 of 26

4ile excerpt:/etc/dovecot/dovecot-sql.conf.ext
passDo#!= ue#y C +,-,.* email as use#A passDo#! 5'/M "i#tual=use#s U:,', emailC1Vu18

0ote 3his password ,uer" lets "ou use an email address listed in the "i#tual=use#s table as "our username credential for an email account. 3he primar" email address should still be used as the username, even if "ou have set up "our email client for an alias. <f "ou want to be able to use the alias as "our username instead ?listed in the "i#tual=aliases table@, "ou should first add ever" primar" email address to the "i#tual=aliases table ?directing to themselves@ and then use the following line in JetcJ!o"ecotJ!o"ecot-s l.conf.ext instead:
passDo#!= ue#y C +,-,.* email as use#A passDo#! 5'/M "i#tual=use#s U:,', emailC?+,-,.* !estination 5'/M "i#tual=aliases U:,', sou#ce C 1Vu1@8

-(. Save "our changes to the /etc/dovecot/dovecot-sql.conf.ext file. 47. Change the owner and group of the /etc/dovecot/ director" to "mail and !o"ecot b" entering the following command:
48. choDn -' "mailL!o"ecot JetcJ!o"ecot

-'. Change the permissions on the /etc/dovecot/ director" b" entering the following command:
50. chmo! -' o-#Dx JetcJ!o"ecot

B+. 7pen the soc5ets configuration file b" entering the following command. /ou4ll change the settings in this file to set up the $!3P soc5et for local mail deliver", and the auth soc5et for authentication. Postfix uses these soc5ets to connect to ovecot4s services.
52. nano JetcJ!o"ecotJconf.!J10-maste#.conf

0ote Clic5 the lin5 to see the final, complete version of +*)master.conf. 3here are man" nested bloc5s of code in this file, so please pa" ver" close attention to "our brac5ets. <t4s probabl" better if "ou edit line b" line, rather than cop"ing large chun5s of code. <f there4s a s"ntax error, ovecot will crash silentl", but "ou can chec5 J"a#JlogJupsta#tJ!o"ecot.log to help "ou find the error. B1. isable unencr"pted <!8P and P7P1 b" setting the protocols4 ports to *, as shown below. 3his will force "our users to use secure <!8P or secure P7P on ''1 or ''B when the" configure their mail clients: 4ile excerpt:/etc/dovecot/conf.d/10-master.conf
se#"ice imap-login P inet=listene# imap P po#t C 0 Q ... Q se#"ice pop3-login P inet=listene# pop3 P po#t C 0 Q ... Q

0ote
Page 21 of 26

!a5e sure "ou leave the secure versions alone ) imaps and pop3s ) so their ports still wor5. 3he default settings for imaps and pop3s are fine. /ou can leave the po#t lines commented out, as the default ports are the standard ''1 and ''B.
54. 2ind the se#"ice lmtp section and use the configuration shown below. /ou4ll need to add a few

lines in the unix=listene# bloc5. 3his section ma5es the soc5et for $!3P in the place we told Postfix to loo5 for it. 4ile excerpt:/etc/dovecot/conf.d/10-master.conf
se#"ice lmtp P unix=listene# J"a#JspoolJpostfixJp#i"ateJ!o"ecot-lmtp P mo!e C 0600 use# C postfix g#oup C postfix Q K .#eate inet listene# only if you can1t use the aIo"e 9)3X socOet Kinet=listene# lmtp P K ("oi! maOing -M*; "isiIle fo# the enti#e inte#net Ka!!#ess C Kpo#t C KQ Q

55. $ocate the se#"ice auth section and use the configuration shown below. /ou4ll need to create a

new unix=listene# bloc5, modif" the existing one, and then uncomment and set the use#. 3his section ma5es the authoriAation soc5et where we told Postfix to loo5 for it: 4ile excerpt:/etc/dovecot/conf.d/10-master.conf
se#"ice auth P K auth=socOet=path points to this use#!I socOet Iy !efault. 3t1s typically K use! Iy !o"ecot-l!aA !o"ea!mA possiIly imap p#ocessA etc. 3ts !efault K pe#missions maOe it #ea!aIle only Iy #ootA Iut you may nee! to #elax these K pe#missions. 9se#s that ha"e access to this socOet a#e aIle to get a list K of all use#names an! get #esults of e"e#yone1s use#!I looOups. unix=listene# J"a#JspoolJpostfixJp#i"ateJauth P mo!e C 0666 use# C postfix g#oup C postfix Q unix=listene# auth-use#!I P mo!e C 0600 use# C "mail Kg#oup C Q K ;ostfix smtp-auth Kunix=listene# J"a#JspoolJpostfixJp#i"ateJauth P K mo!e C 0666 KQ K (uth p#ocess is #un as this use#. use# C !o"ecot Q

56. <n the se#"ice auth-Do#Oe# section, uncomment the use# line and set it to "mail, as shown below. Page 22 of 26

4ile excerpt:/etc/dovecot/conf.d/10-master.conf
se#"ice auth-Do#Oe# P K (uth Do#Oe# p#ocess is #un as #oot Iy !efaultA so that it can access K JetcJsha!oD. 3f this isn1t necessa#yA the use# shoul! Ie change! to K F!efault=inte#nal=use#. use# C "mail Q

BE. Save "our changes to the /etc/dovecot/conf.d/10-master.conf file. BD. Kerif" that the default ovecot SS$ certificate and 5e" exist b" entering the following commands, one b" one:
5%. ls JetcJsslJce#tsJ!o"ecot.pem 60. ls JetcJsslJp#i"ateJ!o"ecot.pem

0ote <f "ou are using a different SS$ certificate, "ou should upload the certificate to the server and ma5e a note of its location and the 5e"4s location. (+. 7pen the SS$ configuration file for editing b" entering the following command. 3his is where we tell ovecot where to find our SS$ certificate and 5e", and an" other SS$)related parameters.
62. nano JetcJ!o"ecotJconf.!J10-ssl.conf

0ote Clic5 the lin5 to see the final, complete version of +*)ssl.conf.
63. Kerif" that the ssl=ce#t setting has the path to "our certificate, and that the ssl=Oey setting has the

path to "our 5e". 3he default setting here uses ovecot4s built)in certificate, so "ou can leave this as) is if "ou are using the ovecot certificate. /ou should update the paths if "ou are using a different certificate and 5e". 4ile excerpt:/etc/dovecot/conf.d/10-ssl.conf
ssl=ce#t C XJetcJsslJce#tsJ!o"ecot.pem ssl=Oey C XJetcJsslJp#i"ateJ!o"ecot.pem

64. 2orce "our clients to use SS$ encr"ption for all connections. Set ssl to #e ui#e!:

4ile excerpt:/etc/dovecot/conf.d/10-ssl.conf
ssl C #e ui#e!

(B. Save "our changes to the /etc/dovecot/conf.d/10-ssl.conf file. ovecot has been configuredH ((. Iestart ovecot b" entering the following command:
67. se#"ice !o"ecot #esta#t

(D. Set up a test account in an email client to ma5e sure ever"thing is wor5ing. /ou4ll need to use the following parameters:
o o o o o

/our full email address, including the 2example.com part, is "our username. /our password should be the one "ou added to the !"S#$ table for this email address. 3he incoming and outgoing server names must be a domain that resolves to "our $inode. .oth the incoming and outgoing servers re,uire authentication and SS$ encr"ption. /ou should use Port ''1 for secure <!8P, Port ''B for secure P7P1, and Port &B with SS$ for S!3P.
Page 23 of 26

('. 3r" sending an email to this account from an outside email account and then repl" to it. <f it wor5s, "ou4re in businessH /ou can chec5 "our mail log file in /var/log/mail.log, where "ou should see something li5e this ?the first bloc5 is for an incoming message, and the second bloc5 for an outgoing message@: 4ile excerpt:/var/log/mail.log
Ma# 22 18L18L15 host postfixJsmtp!S22574TL connect f#om mail1.lino!e.comS%6.126.108.55T Ma# 22 18L18L15 host postfixJsmtp!S22574TL 2641%283%6L clientCmail1.lino!e.comS%6.126.108.55T Ma# 22 18L18L15 host postfixJcleanupS22583TL 2641%283%6L message-i!CX44887(5,4,(.-45.,-6445-3.8%4,(842362example.com$ Ma# 22 18L18L15 host postfixJ mg#S15878TL 2641%283%6L f#omCXsuppo#t2lino!e.com$A siReC1156A n#cptC1 ? ueue acti"e@ Ma# 22 18L18L15 host postfixJsmtp!S22574TL !isconnect f#om mail1.lino!e.comS%6.126.108.55T Ma# 22 18L18L15 host !o"ecotL lmtp?22587@L .onnect f#om local Ma# 22 18L18L15 host !o"ecotL lmtp?22587A email12example.com@L 5&M#4af7*5,7U(((6f1gB(L msgi!CX44887(5,-4,(.-45.,-6445-3.8%4,(842362lino!e.com$L sa"e! mail to 3)6/X Ma# 22 18L18L15 host !o"ecotL lmtp?22587@L 4isconnect f#om localL .lient uit ?in #eset@ Ma# 22 18L18L15 host postfixJlmtpS22586TL 2641%283%6L toCXemail12example.com$A #elayChost.example.comSp#i"ateJ!o"ecot-lmtpTA !elayC0.0%A !elaysC0.03J0.02J0.03J0.01A !snC2.0.0A statusCsent ?250 2.0.0 Xemail12example.com$ 5&M#4af7*5,7U(((6f1gB( +a"e!@ Ma# 22 18L18L15 host postfixJ mg#S15878TL 2641%283%6L #emo"e!

4ile excerpt:/var/log/mail.log
Ma# 22 18L20L2% host postfixJsmtp!S225%0TL connect f#om 173-161-1%%-4%;hila!elphia.hfc.comcastIusiness.netS173.161.1%%.4%T Ma# 22 18L20L2% host !o"ecotL auth-Do#Oe#L mys l?127.0.0.1@L .onnecte! to !ataIase mailse#"e# Ma# 22 18L20L2% host postfixJsmtp!S225%0TL ((10(283%6L clientC173-161-1%%-4%;hila!elphia.hfc.comcastIusiness.netS173.161.1%%.4%TA sasl=metho!C;-(3)A sasl=use#nameCemail12example.com Ma# 22 18L20L2% host postfixJcleanupS225%%TL ((10(283%6L message-i!CX5662135(6513-4%(8-(544-5324(45.5%,%2example.com$ Ma# 22 18L20L2% host postfixJ mg#S15878TL ((10(283%6L f#omCXemail12example.com$A siReC%20A n#cptC1 ? ueue acti"e@ Ma# 22 18L20L2% host postfixJsmtpS22601TL ((10(283%6L toCXsuppo#t2lino!e.com$A #elayCmail1.lino!e.comS%6.126.108.55TL25A !elayC0.14A !elaysC0.08J0.01J0.05J0.01A !snC2.0.0A statusCsent ?250 2.0.0 /OL ueue! as .4232266.%@ Ma# 22 18L20L2% host postfixJ mg#S15878TL ((10(283%6L #emo"e!

CongratulationsH /ou now have a functioning mail server that can securel" send and receive email. <f things are not wor5ing smoothl", "ou ma" also want to consult the 3roubleshooting Problems with Postfix, ovecot, and !"S#$ guide. 8t this point, "ou ma" want to consider adding spam and virus filtering and a webmail client. <f "ou haven4t switched the 0S records for "our mail server "et, "ou should be able to do so now. 7nce the 0S records have propagated, "ou will start receiving email for "our domain on the server.

Page 24 of 26

Addin# -ew Domains, Email Addresses, and Aliases

0ow "our mail server is up and running, but eventuall" "ou4ll probabl" need to add new domains, email addresses, and aliases for "our users. 3o do this, all "ou4ll have to do is add a new line to the appropriate !"S#$ table. 3hese instructions are for command)line !"S#$, but "ou can >ust as easil" use php!"8dmin to add new entries to "our tables as well.

Domains
;ere4s how to add a new domain to "our Postfix and ovecot setup:
1. 7pen a terminal window and log in to "our $inode via SS;. 2. $og in to "our !"S#$ server with an appropriatel" privileged user. <n this example, we4ll use the
#oot

user:

3. mys l -u #oot -p mailse#"e#

-. =nter "our root !"S#$ password when prompted.

5. /ou should alwa"s view the contents of the table before adding new entries. =nter the following

command to view the current contents of an" table, replacing "i#tual=!omains with "our table:
6. +,-,.* 0 5'/M mailse#"e#."i#tual=!omains8

E. 3he output should resemble the following:

8. G----G-----------------------G %. H i! H name H 10. G----G-----------------------G 11. H 1 H example.com H 12. H 2 H hostname.example.com H 13. H 3 H hostname H 14. H 4 H localhost.example.com H 15. G----G-----------------------G

16. 3o add another domain, enter the following command, replacing neD!omain.com with "our domain

name:
17. 3)+,'* 3)*/ >mailse#"e#>.>"i#tual=!omains> 18. ?>name>@ 1%. <(-9,+ 20. ?1neD!omain.com1@8

&+. Kerif" that the new domain has been added b" entering the following command. /ou should see the new domain name in the output.
22. +,-,.* 0 5'/M mailse#"e#."i#tual=!omains8

&1. 3o exit !"S#$, enter the following command:

24. uit

CongratulationsH /ou have successfull" added the new domain to "our Postfix and ovecot setup.

Email Addresses
;ere4s how to add a new email address to "our Postfix and ovecot setup:
1. =nter the following command in !"S#$, replacing neDpassDo#! with the user4s password, and
email32neD!omain.com with the user4s email address: 2. 3)+,'* 3)*/ >mailse#"e#>.>"i#tual=use#s> 3. ?>!omain=i!>A >passDo#!> A >email>@ 4. <(-9,+

Page 25 of 26

5.

?151A ,).'7;*?1neDpassDo#!1A ./).(*?1F6F1A +96+*'3)&?+:(?'()4?@@A -16@@@ A 1email32neD!omain.com1@8

0ote .e sure to use the correct number for the !omain=i!. <n this case, we are using 5, because we want to ma5e an email address for neD!omain.com, and neD!omain.com has an i! of 5 in the "i#tual=!omains table. &. Kerif" that the new email address has been added b" entering the following command. /ou should see the new email address in the output.
3. +,-,.* 0 5'/M mailse#"e#."i#tual=use#s8

-. 3o exit !"S#$, enter the following command:

5. uit

CongratulationsH /ou have successfull" added the new email address to "our Postfix and ovecot setup.

Aliases
;ere4s how to add a new alias to "our Postfix and ovecot setup:
1. =nter the following command in !"S#$, replacing alias2neD!omain.com with the address from

which "ou want to forward email, and myemail2gmail.com with the address that "ou want to forward the mail to. 3he alias2neD!omain.com needs to be an email address that alread" exists on "our server.
2. 3)+,'* 3)*/ >mailse#"e#>.>"i#tual=aliases> 3. ?>!omain=i!>A >sou#ce>A >!estination>@ 4. <(-9,+ 5. ?151A 1alias2neD!omain.com1A 1myemail2gmail.com1@8

0ote /ou will need to use the correct number for the !omain=i!. /ou should use the i! of the domain for this email addressN see the explanation in the email users section above. &. Kerif" that the new alias has been added b" entering the following command. /ou should see the new alias in the output.
3. +,-,.* 0 5'/M mailse#"e#."i#tual=aliases8

-. 3o exit !"S#$, enter the following command:

5. uit

CongratulationsH /ou have successfull" added the new alias to "our Postfix and ovecot setup.

3his guide is licensed under a Creative Commons 8ttribution)0o erivs 1.* Cnited States $icense. $ast edited b" Sharon Campbell on 2rida", !arch +-th, &*+- ?r-111@.

Page 26 of 26