There is a point to this story, but it has temporarily escaped my mind...
Contact Me MyFaceBook MyLinkedIn MyGitHub MyTwitter

Install and Configure Postfix as a Simple Mailbox Server

  1. Make Sure All of the Latest Patches Are Installed:
    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo reboot
  2. Set Firewall up:
    sudo ufw allow smtp
    sudo ufw allow submission
    sudo ufw allow imaps
  3. Next, configure some variables:
    MAIL_DOMAIN=example.com
    MAIL_HOST=mail.$MAIL_DOMAIN
    MAIL_SMTP=smtp.$MAIL_DOMAIN
    MAIL_IMAP=imap.$MAIL_DOMAIN
  4. Get a SSL/TLS Certificate ready for secure communication:

    Use Your Own Certificate

    • First, create the OpenSSL configuration:
      cat > /tmp/san.cnf << EOF
      [ req ]
      default_bits       = 2048
      distinguished_name = req_distinguished_name
      req_extensions     = req_ext
       
      [ req_distinguished_name ]
      countryName         = Country Name (2 letter code)
      stateOrProvinceName = State or Province Name (full name)
      localityName        = Locality Name (eg, city)
      organizationName    = Organization Name (eg, company)
      commonName          = Common Name (e.g. server FQDN or YOUR name)
       
      [ req_ext ]
      subjectAltName = @alt_names
       
      [alt_names]
      DNS.1  = $(hostname --fqdn)
      DNS.2  = $MAIL_HOST
      DNS.3  = $MAIL_SMTP
      DNS.4  = $MAIL_IMAP
      EOF
       
      MAIL_KEY=/etc/ssl/private/mail.key
      MAIL_CERT=/etc/ssl/certs/mail.pem
    • Create a self-signed test certificate:
      sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -config /tmp/san.cnf \
          -keyout $MAIL_KEY -out $MAIL_CERT
    • Use A Certificate From a Certificate Authority:
      sudo openssl req -nodes -days 365 -sha256 -newkey rsa:2048 -config /tmp/san.cnf \
          -keyout $MAIL_KEY -out /tmp/cert.csr

    Use Let's Encrypt Certbot and NGINX Certificates

    Install NGINX to handle the ACME challenges. Set the environment variable DOMAIN to match the main domain name that the mail server will handle and then Configure NGINX to use Let's Encrypt for SSL Certificates. with the exception of creating the certificate and the SSL NGINX configuration file.

    MAIL_KEY=/etc/letsencrypt/live/$MAIL_HOST/privkey.pem
    MAIL_CERT=/etc/letsencrypt/live/$MAIL_HOST/cert.pem
     
    sudo ufw allow http

    After NGINX and Certbot are installed:

    sudo certbot certonly --no-eff-email --webroot --agree-tos --email you@example.com -w /var/www/letsencrypt \
        -d $MAIL_HOST -d $MAIL_SMTP -d $MAIL_IMAP
  5. Install Postfix:
    sudo DEBIAN_FRONTEND=noninteractive apt-get -y install postfix
     
    sudo postfix stop
     
    sudo rm -f /etc/aliases
     
    echo postmaster: root | sudo tee -a /etc/aliases
    echo mailer-daemon: postmaster | sudo tee -a /etc/aliases
    echo hostmaster: root | sudo tee -a /etc/aliases
    echo abuse: root | sudo tee -a /etc/aliases
     
    echo root: $USER | sudo tee -a /etc/aliases
     
    sudo newaliases
     
    sudo postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name'
    sudo postconf -e "mydomain = $MAIL_DOMAIN"
    sudo postconf -e 'myorigin = $mydomain'
    sudo postconf -e "mydestination = \$myhostname, `hostname`, localhost.localdomain, , localhost, $MAIL_DOMAIN"
     
    sudo postconf -e 'delay_warning_time=3h'
    sudo postconf -e 'maximal_queue_lifetime=2d'
    sudo postconf -e 'bounce_queue_lifetime=1d'
     
    sudo postconf -e "home_mailbox = Maildir/"
    sudo postconf -e "mailbox_command = "
     
    # Increase the message size limit from 10MB to 128MB.
    sudo postconf -e 'message_size_limit=134217728'
     
    # Who can send mail to us?
     
    sudo postconf -e 'smtpd_sender_restrictions=permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org'
    sudo postconf -e 'smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rhsbl_reverse_client dbl.spamhaus.org,reject_rhsbl_helo dbl.spamhaus.org,reject_rhsbl_sender dbl.spamhaus.org'
     
    # Enable SASL Authentication
    sudo sed -i 's/START=no/START=yes/' /etc/default/saslauthd
     
    # Prevent non-authenticated users from sending mail
     
    sudo postconf -e 'smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
    sudo postconf -e 'smtpd_sasl_type=dovecot'
    sudo postconf -e 'smtpd_sasl_path=private/auth'
    sudo postconf -e 'smtpd_sasl_auth_enable=yes'
    sudo postconf -e 'smtpd_sasl_security_options=noanonymous'
    sudo postconf -e 'smtpd_sasl_local_domain=$myhostname'
    #sudo postconf -e 'smtpd_sasl_application_name=smtpd'
    sudo postconf -e 'broken_sasl_auth_clients=yes'
     
    # Enable TLS for SMTPD and SUBMISSION
    sudo postconf -M submission/inet="submission   inet   n   -   -   -   -   smtpd"
    sudo postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
    sudo postconf -P "submission/inet/syslog_name=postfix/submission"
    sudo postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
    sudo postconf -P "submission/inet/smtpd_tls_ciphers=high"
    sudo postconf -P "submission/inet/smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4"
    sudo postconf -P "submission/inet/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3"
     
    sudo postconf -e 'smtp_use_tls=yes'
    sudo postconf -e 'smtpd_use_tls=yes'
    sudo postconf -e 'smtp_tls_note_starttls_offer=yes'
    sudo postconf -e 'smtpd_tls_received_header=yes'
     
    sudo postconf -e 'smtpd_tls_security_level=may'
    sudo postconf -e 'smtpd_tls_auth_only=yes'
    sudo postconf -e "smtpd_tls_cert_file=$MAIL_CERT"
    sudo postconf -e "smtpd_tls_key_file=$MAIL_KEY"
    sudo postconf -e 'smtpd_tls_dh1024_param_file=/etc/ssl/certs/dh2048.pem'
    sudo postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3'
    sudo postconf -e 'smtpd_tls_ciphers=medium'
    sudo postconf -e 'smtpd_tls_exclude_ciphers=aNULL,RC4'
    sudo postconf -e 'smtpd_tls_received_header=yes'
     
    # When connecting to remote SMTP servers, prefer TLS and use DANE if available.
     
    sudo postconf -e 'smtp_tls_protocols=!SSLv2,!SSLv3'
    sudo postconf -e 'smtp_tls_mandatory_protocols=!SSLv2,!SSLv3'
    sudo postconf -e 'smtp_tls_ciphers=medium'
    sudo postconf -e 'smtp_tls_exclude_ciphers=aNULL,RC4'
    sudo postconf -e 'smtp_tls_security_level=dane'
    sudo postconf -e 'smtp_dns_support_level=dnssec'
    sudo postconf -e 'smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt'
    sudo postconf -e 'smtp_tls_loglevel=2'
  6. Install Dovecot:
    sudo apt install -y dovecot-imapd
     
    sudo systemctl stop dovecot
     
    sudo sed -i "s/#default_process_limit = 100/default_process_limit=$(echo "`nproc` * 250" | bc)/" \
        /etc/dovecot/conf.d/10-master.conf
     
    sudo sed -i \
        "s/#default_vsz_limit = 256M/default_vsz_limit=$(echo "`free -tm  | tail -1 | awk '{print $2}'` / 3" | bc)M/" \
        /etc/dovecot/conf.d/10-master.conf
     
    sudo sed -i "s/#log_path = syslog/log_path=\/var\/log\/mail.log/" /etc/dovecot/conf.d/10-logging.conf
     
    echo fs.inotify.max_user_instances=1024 | sudo tee -a /etc/sysctl.conf
     
    sudo sed -i "s/mail_location = mbox:~\/mail:INBOX=\/var\/mail\/%u/mail_location = maildir:~\/Maildir/" \
        /etc/dovecot/conf.d/10-mail.conf
     
    cat > /tmp/15-mailboxes.conf << EOF
    namespace inbox {
      mailbox INBOX {
        auto = subscribe
      }
      mailbox Spam {
        special_use = \Junk
        auto = subscribe
      }
      mailbox Drafts {
        special_use = \Drafts
        auto = subscribe
      }
      mailbox Sent {
        special_use = \Sent
        auto = subscribe
      }
      mailbox Trash {
        special_use = \Trash
        auto = subscribe
      }
      mailbox Archive {
        special_use = \Archive
        auto = subscribe
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Junk {
        special_use = \Junk
      }
    }
    EOF
     
    sudo rm -f /etc/dovecot/conf.d/15-mailboxes.conf
    sudo mv /tmp/15-mailboxes.conf /etc/dovecot/conf.d
     
    # Require passwords are only sent over TLS.
    sudo sed -i "s/#disable_plaintext_auth = yes/disable_plaintext_auth = yes/" /etc/dovecot/conf.d/10-auth.conf
    sudo sed -i "s/auth_mechanisms = plain/auth_mechanisms = plain login/" /etc/dovecot/conf.d/10-auth.conf
     
    # Enable TLS
    sudo sed -i 's/ssl = yes/ssl=required/' /etc/dovecot/conf.d/10-ssl.conf
    sudo sed -i "s|ssl_cert = </etc/dovecot/private/dovecot.pem|ssl_cert=<$MAIL_CERT|" /etc/dovecot/conf.d/10-ssl.conf
    sudo sed -i "s|ssl_key = </etc/dovecot/private/dovecot.key|ssl_key=<$MAIL_KEY|" /etc/dovecot/conf.d/10-ssl.conf
    sudo sed -i 's/#ssl_protocols = !SSLv3/ssl_protocols=!SSLv3 !SSLv2/' /etc/dovecot/conf.d/10-ssl.conf
    sudo sed -i 's/#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL/ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS/' /etc/dovecot/conf.d/10-ssl.conf
    sudo sed -i 's/#ssl_prefer_server_ciphers = no/ssl_prefer_server_ciphers = yes/' /etc/dovecot/conf.d/10-ssl.conf
    sudo sed -i 's/#ssl_dh_parameters_length = 1024/ssl_dh_parameters_length = 2048/' /etc/dovecot/conf.d/10-ssl.conf
     
    # Disable in-the-clear IMAP/POP
    sudo sed -i 's/#port = 143/port = 0/' /etc/dovecot/conf.d/10-master.conf
    sudo sed -i 's/#port = 110/port = 0/' /etc/dovecot/conf.d/10-master.conf
     
    # Make IMAP IDLE slightly more efficient.
    sudo sed -i 's/#imap_idle_notify_interval = 2 mins/imap_idle_notify_interval="4 mins"/' /etc/dovecot/conf.d/20-imap.conf
     
    cat > /tmp/99-imap.conf << EOF;
    protocol imap {
      mail_max_userip_connections = 20
    }
    EOF
     
    sudo mv /tmp/99-imap.conf /etc/dovecot/conf.d
     
    # Have Dovecot provide an authorization service that Postfix can access & use.
    cat > /tmp/99-local-auth.conf << EOF
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        mode = 0666
        user = postfix
        group = postfix
      }
    }
    EOF
     
    sudo mv /tmp/99-local-auth.conf /etc/dovecot/conf.d/

Now Start All Of The Services

sudo openssl dhparam -out /etc/ssl/certs/dh2048.pem 2048
 
sudo systemctl start saslauthd
 
sudo systemctl start postfix
 
sudo systemctl start dovecot
Copyright © 2019 by Julian Easterling. SOME RIGHTS RESERVED.
Privacy Policy              Terms of Use             


Creative Commons License
Except where otherwise noted, content on this site is
licensed under a Creative Common Attribution-Share Alike 4.0 International License.


All of the opinions expressed on this website are those of Julian Easterling and
do not represent the views of any of my current and previous clients or employers in any way.

If you notice an error on the site or content that has not been properly attributed, bring
it to my attention using the contact page and I will endeavor to fix it as soon as I can.

I accept no responsibility or liability for any damages incurred by following any of
my advice or by using any of the information on my site or of those sites that I link to.