Install and Configure Dovecot

April 5, 2011 under Email, Ubuntu

With Postfix installed, I can now install Dovecot, the Mail Delivery Agent that creates a POP3 and IMAP server, which allows users to download their email from the server.

Install and Test Dovecot

iwuser$ apt-get install dovecot-common

I need to configure Dovecot. There is a section that defines the socket to which to listen: That must be uncommented and updated to identify Postfix as the client.

iwuser$ sudo vi /etc/dovecot/dovecot.conf
socket listen {
   client {
      path = /var/spool/postfix/private/auth-client
      mode = 0660
      user = postfix
      group = postfix
   }
}
iwuser$ sudo /etc/init.d/dovecot restart

Before implementing the POP3 and IMAP servers, I want to test the Postfix installation with telnet.

iwuser$ sudo apt-get install telnet
iwuser$ telnet localhost 25
Trying 127.0.0.1...
Connected to istarel.
Escape character is '^]'.
220 istarel ESMTP Postfix (Ubuntu)
ehlo localhost
250-istarel
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: root@localhost
250 2.1.0 Ok
rcpt to: iwuser@localhost
250 2.1.5 Ok
data
354 End data with .
Subject: Ensuring Postfix is installed correctly

Hi, 
This is the test message...
.
250 2.0.0 Ok: queued as 8BCAE3819C
quit
221 2.0.0 Bye
Connection closed by foreign host.
You have new mail in /var/mail/iwuser

Update Postfix with Mailbox Configuration

Dovecot supports the popular maildir format for client mailboxes. The Postfix configuration file must be prepared with this in mind:

iwuser$ sudo postconf -e 'home_mailbox = Maildir/'
iwuser$ sudo postconf -e 'mailbox_command = '

Secure POP3 and IMAP

Dovecot supports four different protocols: POP3, Secure POP3, IMAP, and Secure IMAP. For Istarel Workshop, I am only considering the two secure protocols. The Dovecot configuration must be modified to show which protocols to support, and must be told where the SSL certificates are located (which I created when describing the Postfix installation and configuration).

iwuser$ sudo apt-get install dovecot-imapd dovecot-pop3d
iwuser$ sudo vi /etc/dovecot/dovecot.conf

protocols = pop3s imaps
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/smtpd.crt
ssl_key_file = /etc/ssl/private/smtpd.key
ssl_key_password = secret
disable_plaintext_auth = no

iwuser$ sudo /etc/init.d/postfix restart
iwuser$ sudo /etc/init.d/dovecot restart

Email clients should now be able to connect via POP3 and IMAP to check and manage email.

There is only one housekeeping task left to perform: Though telnet is a convenient tool to verify a working implementation of Postfix and Dovecot, it is also horribly insecure, so I will remove it from the server.

iwuser$ sudo aptitude remove telnet

Install and Configure Postfix

April 4, 2011 under Email, Ubuntu

A working email server has two essential components: a Mail Transfer Agent (MTA) and a Mail Delivery Agent. Postfix is a Mail Transfer Agent: It actually sends email from, and receives email to, the server.

Install Postfix

Installing Postfix is a bit curious. You install Postfix (accepting the default options) and then run a program to configure it (where you make a number of important choices).

iwuser$ sudo apt-get install postfix
iwuser$ sudo dpkg-reconfigure postfix
Mail server configuration type: Internet Site
System mail name: mail.istarelworkshop.com
Root and postmaster mail recipient: webmaster@istarelworkshop.com
Other destinations to accept mail for: mail.istarelworkshop.com, 
    istarelworkshop.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? No
Local networks: 127.0.0.0/8
Mailbox size limit (bytes): 0
Local address extension character: +
Internet protocols to use: all

There are two key questions asked during the reconfiguration: the destinations being accepted for mail, and the local networks. For my server, the local network is a standard "127.0.0.0/8", which really means only 127.0.0.1 (the server itself). For a setup where the server is part of (say) an office network and acts as the mail gateway to the internet, the network parameter might look quite different. The destinations response seems to follow a common pattern: mail.mydomain.com, mydomain.com, localhost.localdomain, localhost.

Authentication Configuration

Those first steps took care of the initial configuration. I now want to define parameters needed by the Mail Delivery Agent (I will be using Dovecot), and prepare Postfix to use authentication. Postfix also provides a command line executable to modify its configuration file: /etc/postfix/main.cf.

iwuser$ sudo postconf -e 'smtpd_sasl_type = dovecot'
iwuser$ sudo postconf -e 'smtpd_sasl_path = private/auth-client'
iwuser$ sudo postconf -e 'smtpd_sasl_local_domain ='
iwuser$ sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
iwuser$ sudo postconf -e 'broken_sasl_auth_clients = yes'
iwuser$ sudo postconf -e 'smtpd_sasl_auth_enable = yes'
iwuser$ sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,reject_unauth_destination'
iwuser$ sudo postconf -e 'inet_interfaces = all'

Create Digital Certificates

In order for secure authentication to work, there must be certificates to establish the identity of the mail server. Using openssl, you can create so-called self-signed certificates. For email, this is perfectly acceptable.

iwuser$ sudo openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
Enter pass phrase for smtpd.key: secret
Verifying - Enter pass phrase for smtpd.key: secret

iwuser$ chmod 600 smtpd.key
iwuser$ openssl req -new -key smtpd.key -out smtpd.csr
Enter pass phrase for smtpd.key: secret
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Georgia
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Istarel Workshop LLC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
A challenge password []: another secret
An optional company name []: Istarel Workshop LLC

iwuser$ sudo openssl x509 -req -days 365 -in smtpd.csr 
    -signkey smtpd.key -out smtpd.crt
Enter pass phrase for smtpd.key: secret

iwuser$ openssl rsa -in smtpd.key -out smtpd.key.unencrypted
Enter pass phrase for smtpd.key: secret
Enter PEM pass phrase: secret
Verifying - Enter PEM pass phrase: secret
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Georgia
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Istarel Workshop LLC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

iwuser$ sudo mv smtpd.key /etc/ssl/private/
iwuser$ sudo mv smtpd.crt /etc/ssl/certs/
iwuser$ sudo mv cakey.pem /etc/ssl/private/
iwuser$ sudo mv cacert.pem /etc/ssl/certs/

Configure Postfix with Certificates

Now that the certificates have been created and moved to appropriate locations, I have to ensure Postfix has the information it needs to use TLS encryption for both incoming and outgoing email.


iwuser$ sudo postconf -e 'smtpd_tls_auth_only = no'
iwuser$ sudo postconf -e 'smtp_use_tls = yes'
iwuser$ sudo postconf -e 'smtpd_use_tls = yes'
iwuser$ sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
iwuser$ sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
iwuser$ sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
iwuser$ sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
iwuser$ sudo postconf -e 'smtpd_tls_loglevel = 1'
iwuser$ sudo postconf -e 'smtpd_tls_received_header = yes'
iwuser$ sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
iwuser$ sudo postconf -e 'tls_random_source = dev:/dev/urandom'
iwuser$ sudo postconf -e 'myhostname = mail.istarelworkshop.com'

Postfix needs to be restarted for these changes to be recognized.

iwuser$ sudo /etc/init.d/postfix restart