
Install and Configure Postfix as a Simple Mailbox Server

  1. Make Sure All of the Latest Patches Are Installed:
    # Refresh the package index and install every pending upgrade, then reboot
    # so that an upgraded kernel or library is the one actually in use.
    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo reboot
  2. Set up the firewall:
    # Open only the mail services this guide exposes: SMTP (25), submission (587)
    # and IMAP over TLS (993).
    for mail_service in smtp submission imaps; do
      sudo ufw allow "$mail_service"
    done
  3. Next, configure some variables:
    # Base domain plus the three host names derived from it. Every later step
    # expands these variables, so run the whole guide in this one shell session.
    MAIL_DOMAIN="example.com"
    MAIL_HOST="mail.${MAIL_DOMAIN}"
    MAIL_SMTP="smtp.${MAIL_DOMAIN}"
    MAIL_IMAP="imap.${MAIL_DOMAIN}"
  4. Get an SSL/TLS Certificate ready for secure communication:

    Use Your Own Certificate

    • First, create the OpenSSL configuration:
      # Write the OpenSSL request configuration. The heredoc delimiter is unquoted,
      # so $(hostname --fqdn) and the MAIL_* variables from step 3 are expanded at
      # the moment the file is written; an unset variable yields an empty SAN entry.
      # NOTE(review): /tmp/san.cnf is a fixed name in a world-writable directory.
      # On a multi-user host, prefer a private directory or a mktemp-generated
      # name, and review the [alt_names] list before creating a key with it.
      cat > /tmp/san.cnf << EOF
      [ req ]
      default_bits       = 2048
      distinguished_name = req_distinguished_name
      req_extensions     = req_ext
       
      [ req_distinguished_name ]
      countryName         = Country Name (2 letter code)
      stateOrProvinceName = State or Province Name (full name)
      localityName        = Locality Name (eg, city)
      organizationName    = Organization Name (eg, company)
      commonName          = Common Name (e.g. server FQDN or YOUR name)
       
      [ req_ext ]
      subjectAltName = @alt_names
       
      [alt_names]
      DNS.1  = $(hostname --fqdn)
      DNS.2  = $MAIL_HOST
      DNS.3  = $MAIL_SMTP
      DNS.4  = $MAIL_IMAP
      EOF
       
      # Where the private key and the certificate will live. Postfix (step 5) and
      # Dovecot (step 6) are both pointed at these two paths.
      MAIL_KEY=/etc/ssl/private/mail.key
      MAIL_CERT=/etc/ssl/certs/mail.pem
    • Create a self-signed test certificate:
      # Self-signed certificate, valid for 730 days, with a new 2048-bit RSA key.
      # For testing only: no client will trust it without a manual exception.
      # -nodes stores the private key unencrypted so the mail daemons can load it
      # without a passphrase; keep that file readable by root only.
      sudo openssl req -x509 -nodes -newkey rsa:2048 -days 730 \
          -config /tmp/san.cnf -keyout "$MAIL_KEY" -out "$MAIL_CERT"
    • Or, to use a certificate from a Certificate Authority, generate a key and a certificate signing request (CSR) to submit to it:
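      # Generate a new 2048-bit RSA key and a SHA-256 certificate signing request
      # (CSR) to send to the CA. -days is dropped: the CA chooses the validity
      # period, and openssl ignores -days unless -x509 is given.
      # -nodes leaves the private key unencrypted so the daemons can load it
      # unattended; only the CSR in /tmp is meant to leave this machine.
      # NOTE(review): the page does not show the follow-up step; presumably the
      # certificate the CA returns is saved at $MAIL_CERT.
      sudo openssl req -nodes -sha256 -newkey rsa:2048 -config /tmp/san.cnf \
          -keyout "$MAIL_KEY" -out /tmp/cert.csr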

    Use Let's Encrypt Certbot and NGINX Certificates

    Install NGINX to handle the ACME challenges. Set the environment variable DOMAIN to match the main domain name that the mail server will handle, and then configure NGINX to use Let's Encrypt for SSL certificates, with the exception of creating the certificate and the SSL NGINX configuration file.

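    # Certbot's "live" directory, named after the first -d host ($MAIL_HOST).
    # Servers should be given fullchain.pem (the leaf certificate plus the
    # intermediate chain). cert.pem holds only the leaf, so a client that does
    # not already have the intermediate cannot verify the server.
    MAIL_KEY=/etc/letsencrypt/live/$MAIL_HOST/privkey.pem
    MAIL_CERT=/etc/letsencrypt/live/$MAIL_HOST/fullchain.pem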
     
    # Open port 80 so the Let's Encrypt HTTP challenge served by NGINX
    # (certbot --webroot, below) can be reached from outside.
    sudo ufw allow http

    After NGINX and Certbot are installed:

    # Request one certificate covering the three mail host names, validated
    # through the webroot that NGINX serves. Replace you@example.com with an
    # address that is actually read: expiry notices go there.
    # NOTE(review): Postfix and Dovecot read the certificate when they start or
    # reload, so each renewal needs a reload step (certbot offers --deploy-hook).
    sudo certbot certonly --webroot -w /var/www/letsencrypt \
        --agree-tos --no-eff-email --email you@example.com \
        -d "$MAIL_HOST" -d "$MAIL_SMTP" -d "$MAIL_IMAP"
  5. Install Postfix:
    # Install Postfix without the interactive debconf questions, then stop it
    # while it is being configured.
    sudo DEBIAN_FRONTEND=noninteractive apt-get -y install postfix
    sudo postfix stop

    # Rebuild /etc/aliases from scratch: the standard role addresses end up at
    # root, and root's mail goes to the account running these commands ($USER).
    sudo rm -f /etc/aliases
    printf '%s\n' \
        'postmaster: root' \
        'mailer-daemon: postmaster' \
        'hostmaster: root' \
        'abuse: root' \
        "root: $USER" |
      sudo tee -a /etc/aliases

    # Compile the alias database from the new file.
    sudo newaliases
     
    # Identity: greeting banner, mail domain, origin of locally posted mail and
    # the names this host accepts mail for. Single quotes keep $myhostname and
    # $mydomain literal so Postfix, not the shell, expands them.
    sudo postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name'
    sudo postconf -e "mydomain = ${MAIL_DOMAIN}"
    sudo postconf -e 'myorigin = $mydomain'
    sudo postconf -e "mydestination = \$myhostname, $(hostname), localhost.localdomain, , localhost, ${MAIL_DOMAIN}"

    # Queue timing: warn the sender after 3 hours, give up after 2 days
    # (1 day for bounces).
    sudo postconf -e 'delay_warning_time=3h' 'maximal_queue_lifetime=2d' 'bounce_queue_lifetime=1d'

    # Deliver into ~/Maildir/ and use no external mailbox command.
    sudo postconf -e 'home_mailbox = Maildir/' 'mailbox_command = '

    # Increase the message size limit from 10MB to 128MB.
    sudo postconf -e 'message_size_limit=134217728'
     
    # Who can send mail to us?
    # Each restriction list is evaluated left to right and stops at the first
    # entry that permits or rejects.
    # NOTE(review): permit_sasl_authenticated comes before
    # reject_authenticated_sender_login_mismatch, so an authenticated client is
    # accepted before that check is reached. The check also depends on
    # smtpd_sender_login_maps, which this page never sets. As written, nothing
    # ties an authenticated login to the sender address it may use - confirm
    # that this is intended.
    # The reject_rbl_client / reject_rhsbl_* entries query the Spamhaus DNS
    # blocklists and are reached only when the permit_* entries did not match.
     
    sudo postconf -e 'smtpd_sender_restrictions=permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org'
    sudo postconf -e 'smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rhsbl_reverse_client dbl.spamhaus.org,reject_rhsbl_helo dbl.spamhaus.org,reject_rhsbl_sender dbl.spamhaus.org'
     
    # Enable SASL Authentication
    # NOTE(review): smtpd_sasl_type=dovecot below makes Postfix authenticate
    # through Dovecot's socket, so saslauthd does not appear to be used by this
    # setup. The page also never installs it, so /etc/default/saslauthd may not
    # exist and this sed may simply fail - confirm before relying on it.
    sudo sed -i 's/START=no/START=yes/' /etc/default/saslauthd
     
    # Prevent non-authenticated users from sending mail
    # Relaying is allowed only for authenticated clients and mynetworks;
    # everyone else may deliver only to destinations this host is final for.
     
    sudo postconf -e 'smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
    # Authenticate against Dovecot. private/auth is relative to the Postfix queue
    # directory and matches the unix_listener that step 6 creates at
    # /var/spool/postfix/private/auth.
    sudo postconf -e 'smtpd_sasl_type=dovecot'
    sudo postconf -e 'smtpd_sasl_path=private/auth'
    sudo postconf -e 'smtpd_sasl_auth_enable=yes'
    # Refuse anonymous SASL mechanisms.
    sudo postconf -e 'smtpd_sasl_security_options=noanonymous'
    sudo postconf -e 'smtpd_sasl_local_domain=$myhostname'
    #sudo postconf -e 'smtpd_sasl_application_name=smtpd'
    # Compatibility switch for old clients that expect the non-standard "AUTH="
    # announcement; it can be dropped when no such clients remain.
    sudo postconf -e 'broken_sasl_auth_clients=yes'
     
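    # Enable the submission service (port 587) with mandatory TLS and SASL login.
    sudo postconf -M submission/inet="submission   inet   n   -   -   -   -   smtpd"
    sudo postconf -P "submission/inet/syslog_name=postfix/submission"
    sudo postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
    # Only authenticated clients may use this port. Without this override the
    # service inherits the main.cf restrictions and, like port 25, still accepts
    # unauthenticated mail addressed to local recipients.
    sudo postconf -P "submission/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject"
    sudo postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
    # With security_level=encrypt Postfix applies the *mandatory* cipher grade;
    # smtpd_tls_ciphers only governs opportunistic TLS and had no effect here.
    sudo postconf -P "submission/inet/smtpd_tls_mandatory_ciphers=high"
    sudo postconf -P "submission/inet/smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4"
    # Single quotes: inside double quotes an interactive bash treats "!SSLv2" as
    # a history expansion. TLS 1.0 and 1.1 are excluded as well because this port
    # serves only the site's own mail clients; remove those two entries if a
    # legacy client must still connect.
    sudo postconf -P 'submission/inet/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'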
     
    # Switch TLS on for the SMTP client and server. smtp_use_tls / smtpd_use_tls
    # are the older on/off switches; the *_tls_security_level parameters express
    # the same thing and are also set by this guide.
    sudo postconf -e 'smtp_use_tls=yes' 'smtpd_use_tls=yes'
    # Log when a remote server offers STARTTLS, and record TLS details in the
    # Received: header of inbound mail.
    sudo postconf -e 'smtp_tls_note_starttls_offer=yes' 'smtpd_tls_received_header=yes'

    # Inbound on port 25: TLS is offered but optional (may), while AUTH is only
    # accepted once the session is encrypted (smtpd_tls_auth_only).
    sudo postconf -e 'smtpd_tls_security_level=may' 'smtpd_tls_auth_only=yes'
    sudo postconf -e "smtpd_tls_cert_file=${MAIL_CERT}" "smtpd_tls_key_file=${MAIL_KEY}"
    # dh2048.pem does not exist yet; it is generated in the final step, before
    # Postfix is started.
    sudo postconf -e 'smtpd_tls_dh1024_param_file=/etc/ssl/certs/dh2048.pem'
    # Opportunistic TLS: SSLv2/SSLv3, anonymous and RC4 suites are refused,
    # everything of "medium" grade or better is allowed.
    sudo postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3' 'smtpd_tls_ciphers=medium' \
        'smtpd_tls_exclude_ciphers=aNULL,RC4'
     
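    # When connecting to remote SMTP servers, prefer TLS and use DANE if available.
    # DANE relies on DNSSEC-validated answers, so the resolver this host uses
    # must be a validating one that it trusts (ideally running locally). Without
    # one, no TLSA record is usable and DANE is effectively not applied.

    sudo postconf -e 'smtp_tls_protocols=!SSLv2,!SSLv3'
    sudo postconf -e 'smtp_tls_mandatory_protocols=!SSLv2,!SSLv3'
    sudo postconf -e 'smtp_tls_ciphers=medium'
    sudo postconf -e 'smtp_tls_exclude_ciphers=aNULL,RC4'
    sudo postconf -e 'smtp_tls_security_level=dane'
    sudo postconf -e 'smtp_dns_support_level=dnssec'
    sudo postconf -e 'smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt'
    # Level 1 logs one summary line per TLS handshake, which is enough to audit
    # which peers negotiated TLS. Level 2 and above is negotiation debugging
    # output; the Postfix documentation advises against it outside of
    # troubleshooting, so raise it only temporarily.
    sudo postconf -e 'smtp_tls_loglevel=1'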
  6. Install Dovecot:
    # Install the Dovecot IMAP server and stop it while it is being configured.
    sudo apt install -y dovecot-imapd
    sudo systemctl stop dovecot

    # Scale Dovecot's limits to the machine: 250 processes per CPU core, and one
    # third of total memory (RAM plus swap, in MB) as the per-process size cap.
    sudo sed -i "s/#default_process_limit = 100/default_process_limit=$(( $(nproc) * 250 ))/" \
        /etc/dovecot/conf.d/10-master.conf
    sudo sed -i \
        "s/#default_vsz_limit = 256M/default_vsz_limit=$(( $(free -tm | awk 'END {print $2}') / 3 ))M/" \
        /etc/dovecot/conf.d/10-master.conf

    # Log to /var/log/mail.log instead of syslog.
    sudo sed -i "s/#log_path = syslog/log_path=\/var\/log\/mail.log/" /etc/dovecot/conf.d/10-logging.conf

    # Raise the per-user inotify instance limit. Appending to sysctl.conf does
    # not change the running kernel; it applies after a reboot or `sysctl -p`.
    echo fs.inotify.max_user_instances=1024 | sudo tee -a /etc/sysctl.conf

    # Read mail from ~/Maildir, the location Postfix delivers to (home_mailbox).
    sudo sed -i "s/mail_location = mbox:~\/mail:INBOX=\/var\/mail\/%u/mail_location = maildir:~\/Maildir/" \
        /etc/dovecot/conf.d/10-mail.conf
     
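    # Define the standard IMAP folders and their special-use flags.
    # The file is written directly as root. Creating it under a fixed name in
    # /tmp and moving it with sudo would leave a configuration file that Dovecot
    # loads as root owned by the invoking user, who could later edit it without
    # sudo. The quoted 'EOF' keeps the backslashes in the \Flag names literal.
    sudo rm -f /etc/dovecot/conf.d/15-mailboxes.conf
    sudo tee /etc/dovecot/conf.d/15-mailboxes.conf > /dev/null << 'EOF'
    namespace inbox {
      mailbox INBOX {
        auto = subscribe
      }
      mailbox Spam {
        special_use = \Junk
        auto = subscribe
      }
      mailbox Drafts {
        special_use = \Drafts
        auto = subscribe
      }
      mailbox Sent {
        special_use = \Sent
        auto = subscribe
      }
      mailbox Trash {
        special_use = \Trash
        auto = subscribe
      }
      mailbox Archive {
        special_use = \Archive
        auto = subscribe
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Junk {
        special_use = \Junk
      }
    }
    EOF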
     
    # Refuse plaintext logins on connections that are not encrypted, and offer
    # the LOGIN mechanism alongside PLAIN for clients that only speak LOGIN.
    sudo sed -i \
        -e "s/#disable_plaintext_auth = yes/disable_plaintext_auth = yes/" \
        -e "s/auth_mechanisms = plain/auth_mechanisms = plain login/" \
        /etc/dovecot/conf.d/10-auth.conf
     
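    # Enable TLS
    # Require TLS on every connection and point Dovecot at the same key and
    # certificate that Postfix uses.
    sudo sed -i 's/ssl = yes/ssl=required/' /etc/dovecot/conf.d/10-ssl.conf
    sudo sed -i "s|ssl_cert = </etc/dovecot/private/dovecot.pem|ssl_cert=<$MAIL_CERT|" /etc/dovecot/conf.d/10-ssl.conf
    sudo sed -i "s|ssl_key = </etc/dovecot/private/dovecot.key|ssl_key=<$MAIL_KEY|" /etc/dovecot/conf.d/10-ssl.conf
    # NOTE(review): every sed here matches the stock commented defaults of the
    # Dovecot release the page was written for. On a release whose 10-ssl.conf
    # differs, a substitution silently changes nothing and the weaker default
    # stays in force - check the effective settings with `doveconf -n`.
    sudo sed -i 's/#ssl_protocols = !SSLv3/ssl_protocols=!SSLv3 !SSLv2/' /etc/dovecot/conf.d/10-ssl.conf
    # Same cipher list as before minus the four 3DES (DES-CBC3) suites, which
    # brings IMAP in line with the 3DES exclusion already applied to Postfix
    # submission.
    sudo sed -i 's/#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL/ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS/' /etc/dovecot/conf.d/10-ssl.conf
    # Let the server's preference order decide, and use 2048-bit DH parameters.
    sudo sed -i 's/#ssl_prefer_server_ciphers = no/ssl_prefer_server_ciphers = yes/' /etc/dovecot/conf.d/10-ssl.conf
    sudo sed -i 's/#ssl_dh_parameters_length = 1024/ssl_dh_parameters_length = 2048/' /etc/dovecot/conf.d/10-ssl.conf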
     
    # Disable in-the-clear IMAP/POP: "port = 0" replaces the commented default
    # ports 143 and 110 in the listener definitions.
    sudo sed -i \
        -e 's/#port = 143/port = 0/' \
        -e 's/#port = 110/port = 0/' \
        /etc/dovecot/conf.d/10-master.conf

    # Make IMAP IDLE slightly more efficient: notify every 4 minutes, not 2.
    sudo sed -i 's/#imap_idle_notify_interval = 2 mins/imap_idle_notify_interval="4 mins"/' /etc/dovecot/conf.d/20-imap.conf
     
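    # Allow up to 20 simultaneous IMAP connections per user and client IP.
    # Written directly as root: going through a fixed name in /tmp and `sudo mv`
    # would leave the installed file owned by the invoking user. The stray ';'
    # after the heredoc delimiter is dropped as well.
    sudo tee /etc/dovecot/conf.d/99-imap.conf > /dev/null << 'EOF'
    protocol imap {
      mail_max_userip_connections = 20
    }
    EOF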
     
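    # Have Dovecot provide an authorization service that Postfix can access & use.
    # The socket is created inside Postfix's queue directory, where Postfix
    # reaches it as private/auth (smtpd_sasl_path).
    # mode 0660 with user/group postfix restricts the socket to Postfix. With
    # 0666 only the permissions of the enclosing directory would stand between
    # other local accounts and the authentication service.
    # Written directly as root so the file is not left owned by the invoking
    # user, as it would be after creating it in /tmp and moving it with sudo.
    sudo tee /etc/dovecot/conf.d/99-local-auth.conf > /dev/null << 'EOF'
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
      }
    }
    EOF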

Now Start All Of The Services

# Generate the 2048-bit Diffie-Hellman parameter file that Postfix's
# smtpd_tls_dh1024_param_file setting points at; it must exist before Postfix
# is started.
sudo openssl dhparam -out /etc/ssl/certs/dh2048.pem 2048
 
# NOTE(review): saslauthd is never installed on this page and Postfix is
# configured with smtpd_sasl_type=dovecot, so this unit looks unnecessary and
# may not exist - confirm before keeping this line.
sudo systemctl start saslauthd
 
# Start Postfix and Dovecot. After they are up, review the effective settings
# with `postconf -n` and `doveconf -n`, and watch /var/log/mail.log for TLS or
# authentication errors.
sudo systemctl start postfix
 
sudo systemctl start dovecot
Copyright © 2022 by Julian Easterling. SOME RIGHTS RESERVED.


Creative Commons License
Except where otherwise noted, content on this site is
licensed under a Creative Commons Attribution-Share Alike 4.0 International License.


All of the opinions expressed on this website are those of Julian Easterling and
do not represent the views of any of my current and previous clients or employers in any way.

If you notice an error on the site or content that has not been properly attributed, bring
it to my attention using the contact page and I will endeavor to fix it as soon as I can.

I accept no responsibility or liability for any damages incurred by following any of
my advice or by using any of the information on my site or of those sites that I link to.