I needed to have my own mail server. So I did it all again. This time, I’m going to write it down somewhere so I won’t have to search everywhere for documentation again. Warning: this is a work in progress. It only achieves a functioning mail server, not a secure one.
It was not as easy as I remembered.
Before starting
- A server running an updated Debian 12 with a valid hostname
- A domain name with an A and MX record (MX:mail.YOUR_DOMAIN)
- A valid SSL/TLS certificate, for example one obtained with Certbot from the EFF.
Installations
- Postfix;
apt-get install postfix
. During the post-install configuration, select “Internet Site” and enter your domain name (without the “mail.” prefix). - Mailutils, to test/use the new mail server locally;
apt-get install mailutils
. - Dovecot;
apt install dovecot-core dovecot-imapd
. - Saslauthd;
apt install sasl2-bin
Configurations
Postfix
Warning: this file assumes a Certbot certificate (replace the _DOMAIN_NAME_ / _YOUR_SERVER_DOMAIN_ placeholders with your own domain).
# file: /etc/postfix/main.cf
# ----------------------------------------
# Postfix main configuration for a single-domain server. _DOMAIN_NAME_ and
# _YOUR_SERVER_DOMAIN_ are placeholders to replace with the real domain.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
# SMTP AUTH is delegated to Dovecot over its unix socket.
# NOTE(review): smtpd_sasl_path is set twice; Postfix keeps the last value,
# so "smtpd" is dead and "private/auth" (relative to the queue directory,
# i.e. the Dovecot unix_listener /var/spool/postfix/private/auth) applies.
smtpd_sasl_path = smtpd
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
# AUTH is only announced after STARTTLS, so credentials are never accepted
# on an unencrypted session.
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/letsencrypt/live/_DOMAIN_NAME_/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/_DOMAIN_NAME_/privkey.pem
# "may" = opportunistic STARTTLS on inbound connections; needed for port 25
# interoperability with other MTAs, and smtpd_tls_auth_only above still
# keeps AUTH off unencrypted sessions.
smtpd_tls_security_level=may
# NOTE(review): this is the server's own certificate directory, not a hashed
# CA directory, so outbound (smtp client) certificate verification cannot
# validate public CAs from it. Presumably /etc/ssl/certs was intended — confirm.
smtp_tls_CApath=/etc/letsencrypt/live/_DOMAIN_NAME_/
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Relay only for $mynetworks and SASL-authenticated clients; anyone else may
# only deliver to destinations this server is responsible for.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = mail._YOUR_SERVER_DOMAIN_
mydomain = _YOUR_SERVER_DOMAIN_
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
# NOTE(review): mx.$mydomain is listed although the prerequisites name the
# MX host mail.$mydomain (already covered by $myhostname); harmless, but
# possibly a leftover.
mydestination = $myhostname, $mydomain, mx.$mydomain, localhost
relayhost =
# Only loopback is trusted for unauthenticated relay (see permit_mynetworks).
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# IPv4 only here, while the Dovecot "listen = *, ::" setting on this page
# also binds IPv6.
inet_protocols = ipv4
virtual_alias_maps = hash:/etc/postfix/virtual
# Local delivery into ~/Maildir, matching Dovecot's mail_location.
home_mailbox = Maildir/
# file: /etc/postfix/master.cf
# ----------------------------------------
# Service table. Columns: service type private unpriv chroot wakeup maxproc command.
# NOTE(review): no "submission" (587) or "smtps" (465) service is defined,
# so mail clients must authenticate over STARTTLS on port 25 through the
# "smtp inet" entry; a dedicated submission entry with
# smtpd_tls_security_level=encrypt is the usual setup for clients.
smtp inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# NOTE(review): the "-o ..." and "flags=..." lines below are continuation
# lines of the entry above them and must start with whitespace in the real
# file; the indentation appears to have been lost in this listing.
-o syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
# The pipe-based transports below are the Debian defaults; none of them is
# referenced by the main.cf on this page.
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
Dovecot
# file: /etc/dovecot/conf.d/10-mail.conf
# ----------------------------------------
# Mailboxes live in each system user's ~/Maildir, the same place Postfix
# delivers to (home_mailbox = Maildir/).
mail_location = maildir:~/Maildir
namespace inbox {
inbox = yes
}
# Group Dovecot temporarily enables for privileged mailbox operations.
mail_privileged_group = mail
protocol !indexer-worker {
}
# file: /etc/dovecot/conf.d/10-auth.conf
# ----------------------------------------
# NOTE(review): "no" lets IMAP clients authenticate over unencrypted
# connections, i.e. passwords can travel in clear. The default "yes" only
# refuses plaintext mechanisms on non-TLS sessions (localhost excepted) and
# still works with ssl = yes and with Postfix, which only offers AUTH after
# STARTTLS.
disable_plaintext_auth = no
# Keep only the local part, so "user@domain" logs in as system user "user".
auth_username_format = %n
# PLAIN and LOGIN are both plaintext mechanisms, hence the relevance of the
# setting above.
auth_mechanisms = plain login
# Authenticate against the system accounts.
!include auth-system.conf.ext
In the file /etc/dovecot/dovecot.conf, change the “listen” setting to listen = *, ::
# file: /etc/dovecot/conf.d/10-ssl.conf
# ----------------------------------------
ssl = yes
# NOTE(review): these two lines carry a literal domain (ggenois.dev) while
# the rest of the page uses placeholders; use your own _domain_ paths here.
# The leading "<" makes Dovecot read the file's contents rather than the
# literal string.
ssl_cert = </etc/letsencrypt/live/ggenois.dev/fullchain.pem
ssl_key = </etc/letsencrypt/live/ggenois.dev/privkey.pem
# SNI block: certificate served when a client asks for this hostname.
local_name ggenois.dev {
ssl_cert = </etc/letsencrypt/live/_domain_/fullchain.pem
ssl_key = </etc/letsencrypt/live/_domain_/privkey.pem
}
# NOTE(review): ssl_client_ca_dir is used to verify *client* certificates
# and expects a CA directory; pointing it at the server's own Let's Encrypt
# directory is presumably unintended — confirm whether client certificates
# are used at all.
ssl_client_ca_dir = /etc/letsencrypt/live/_domain_/
# Diffie-Hellman parameters, here the file shipped by Certbot.
ssl_dh = </etc/letsencrypt/ssl-dhparams.pem
# file: /etc/dovecot/conf.d/10-master.conf
# ----------------------------------------
...
# Expose Dovecot's auth service to Postfix through a socket inside Postfix's
# private queue directory (smtpd_sasl_path = private/auth in main.cf).
service auth {
...
unix_listener /var/spool/postfix/private/auth {
# NOTE(review): 0666 is world-writable. Exposure is limited because the
# socket sits in Postfix's private/ directory, but with user/group set to
# postfix below, 0660 is sufficient and tighter.
mode = 0666
user = postfix
group = postfix
}
...
...
Test it out
Postfix
Enable the service with systemctl enable postfix, then start it with systemctl start postfix.
- Show current configuration;
postconf -n
. - Check current service status;
systemctl status postfix
. - Check current status;
postfix status
. - Reload configuration;
postfix reload
. - Check logs:
grep postfix /var/log/syslog
. - Check the TLS (STARTTLS) connection:
openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25
.
Dovecot
Enable the service with systemctl enable dovecot, then start it with systemctl start dovecot.
- Check the service status:
systemctl status dovecot
.
SaslAuth
- Test the local saslauthd installation (note: the Postfix configuration above uses smtpd_sasl_type = dovecot, so Postfix itself does not go through saslauthd; also, a password given on the command line is visible to other local users in the process list and may be kept in shell history);
testsaslauthd -u username -p password
.
Test everything else
- Send a mail;
echo "mail body yep"| mail -s "test mail new" bob@bob.bob
. - Check mails;
mail
. - Check “Queue”;
mailq
. - Test telnet connection;
telnet _YOUR_SERVER_DOMAIN_ 25
. You should see the welcome banner from our server.
If the server is running but nothing shows up in telnet, it’s usually an SSL/TLS error.