Mail Story 1: Debian + Postfix (SMTP) + Courier (IMAP) + SSL

Here is a quick tutorial to build your own mail server on Debian GNU/Linux.

Disclaimer

Running your own mail server can be fun, but remember that there are a lot of bad guys on the internet. I’m no expert on mail server configuration, but the one rule you must not get wrong is relaying: your server must accept mail only for the domains it owns, or from senders it has authenticated. A server that relays for anyone (an open relay) will quickly be found and abused to send spam, and your IP address will end up on blocklists. Of course, keep your software (operating system, mail server, etc.) up to date so that the machine does not get compromised.

Goal

I have a domain name (desgrange.net, as you can see) and I would like to use it for my email. It’s not that I don’t trust service providers, but I would like to be in charge of the mail server configuration, so that I can tune it as I want.

For instance, I want to send mail over SMTP and retrieve it over IMAP with both connections protected by SSL/TLS.

For those tasks I chose:

  • Debian as operating system (tested on Debian 5.0 and Debian testing)
  • Postfix (2.5.5) as SMTP server
  • Courier-imap (4.4.0) as IMAP server

In this tutorial I assume that I’m installing a mail server for the domain example.com on a computer named mailserver. The allowed users are the standard Unix accounts created on the mail server, which means their mail passwords are their system passwords: make sure those are strong, because the authenticated submission port will accept login attempts from the whole internet.

DNS

First make sure that your DNS has an MX record for your domain pointing to your mail server (the MX target must be a hostname with an A record, not a bare IP address). See your domain name provider for that part. I’m using OVH, so I did it on their website (which sucks a bit for that).

Postfix

Postfix is a well known SMTP server. Like a lot of mail servers, it has several hundred parameters, but they all have sensible defaults, so we only need to change a few of them to get it working the way we want. Let’s start with the Postfix installation:

$ sudo apt-get install postfix
-> General type of mail configuration: internet with smarthost
-> System mail name: example.com
-> SMTP relay host: <blank>

Now we need to install saslauthd, the daemon Postfix will use to check usernames and passwords against the system accounts (through PAM, Debian’s default mechanism).

$ sudo apt-get install sasl2-bin libsasl2-modules

As the installation process tells you, to enable saslauthd edit /etc/default/saslauthd and set START=yes.

To tell Postfix to use saslauthd, create a file /etc/postfix/sasl/smtpd.conf containing the two lines below. Note that PLAIN and LOGIN send the password in the clear (base64 is an encoding, not encryption), so they must only be offered on connections that are already encrypted. In this setup that is the case: SASL authentication is only switched on for the submission service enabled later, which requires TLS, and is never offered on port 25.

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Postfix runs chrooted in /var/spool/postfix (Debian’s master.cf sets the chroot flag for smtpd), so it cannot reach saslauthd’s socket at /var/run/saslauthd. Either move the socket directory inside the chroot and symlink it back, as below, or, more robustly, leave the files where they are and make saslauthd create its socket inside the chroot by adding -m /var/spool/postfix/var/run/saslauthd to OPTIONS in /etc/default/saslauthd. The last command adds postfix to the sasl group, which owns the socket directory, so that the smtpd process is allowed to connect to it:

$ sudo mkdir -p /var/spool/postfix/var/run/
$ sudo mv /var/run/saslauthd /var/spool/postfix/var/run/
$ sudo ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd
$ sudo adduser postfix sasl

Postfix listens on the standard port 25 so that other mail servers can deliver mail to you. That service cannot require TLS, because many other mail servers do not support it (hence the “may” setting below). So we enable a second smtpd service for our own outgoing mail: the submission service on port 587, which requires TLS (STARTTLS) and SASL authentication, and which is the one to configure in your mail client. To enable it, uncomment the submission lines in /etc/postfix/master.cf (the stanza starts with “submission inet”, and its “-o” lines set smtpd_tls_security_level=encrypt and smtpd_sasl_auth_enable=yes for that service only).

Check that /etc/mailname contains your domain name. Debian’s Postfix uses it as the value of myorigin, the domain appended to unqualified addresses (this is Debian specific).

Most of the Postfix configuration is in /etc/postfix/main.cf; you can edit that file directly or use the following commands:

1 $ sudo postconf -e 'smtpd_tls_security_level = may'
2 $ sudo postconf -e 'smtpd_tls_mandatory_ciphers = high'
3 $ sudo postconf -e 'smtpd_tls_mandatory_exclude_ciphers = aNULL'
4 $ sudo postconf -e 'smtpd_tls_mandatory_protocols = TLSv1'
5 $ sudo postconf -e 'mydestination = $myhostname localhost.$mydomain localhost $mydomain'
6 $ sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination'
7 $ sudo postconf -e 'relay_domains ='
8 $ sudo postconf -e 'home_mailbox = Maildir/'
9 $ sudo postconf -e 'mailbox_command ='
  • Line 1 tells Postfix to announce STARTTLS on port 25 and to use it when the connecting client (usually another mail server) supports it; unencrypted delivery is still accepted, which is unavoidable for incoming mail.
  • Line 2 restricts the cipher suites to OpenSSL’s “HIGH” grade. The “mandatory” parameters (lines 2 to 4) only apply where TLS is required, that is on the submission service; opportunistic TLS on port 25 keeps Postfix’s more permissive defaults on purpose, so that mail from servers with weaker TLS stacks is not lost.
  • Line 3 excludes the aNULL suites. These are the anonymous suites (no certificate, hence no server authentication), not unencrypted ones: without them the submission service must present its certificate, which is what lets a mail client detect a man in the middle.
  • Line 4 restricts the submission service to TLSv1, excluding SSLv2 and SSLv3. Postfix 2.5 and later also accept an exclusion form, “!SSLv2, !SSLv3”, which has the advantage of allowing newer TLS versions as the OpenSSL library gains them.
  • Line 5 lists the domains for which this server is the final destination, i.e. for which it accepts and delivers mail locally.
  • Line 6 is the anti-relay rule, evaluated in order for every RCPT TO: authenticated users may send anywhere, everyone else may only send to the domains Postfix is in charge of. Never put an unconditional permit before reject_unauth_destination.
  • Line 7 empties relay_domains, so Postfix forwards mail for no other domain.
  • Lines 8 and 9 switch local delivery to Maildir format (one file per message under ~/Maildir), which Courier requires, and clear mailbox_command so that Postfix delivers into the Maildir itself instead of handing mail to an external program such as procmail.

Every parameter is described in the Postfix configuration parameters documentation (postconf(5)).
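Two checks for the anti-relay settings above, as an added example that is not code from the original post. The first lints the output of postconf for the classic open-relay mistakes (no reject_unauth_destination, an unconditional permit in front of it, a mynetworks covering the whole internet); the second performs the live test that spam senders will run against you, asking the port-25 service to relay to a foreign domain. The host and domain names in it (mailserver, probe.invalid) are placeholders, and sample_config is a constructed fragment, not a capture from a real server.

```bash
#!/bin/bash
# Added example (not from the original post): two checks for the anti-relay
# configuration. check_relay_config lints Postfix's configuration as printed
# by `postconf` (all parameters) or `postconf -n` (changed ones only);
# smtp_relay_probe talks to a live server and is bash-only (uses /dev/tcp).
# Usage:  postconf | check_relay_config      smtp_relay_probe mailserver 25

# pc_get KEY: print KEY's value from the postconf output held in $CFG
pc_get() {
    printf '%s\n' "$CFG" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# check_relay_config < postconf-output
# Returns 0 when the settings cannot produce an open relay, 1 otherwise.
check_relay_config() {
    CFG=$(cat)
    rc=0
    # The relay decision lives in smtpd_relay_restrictions on Postfix 2.10+,
    # in smtpd_recipient_restrictions before that (as on this page).
    name=smtpd_relay_restrictions
    [ -n "$(pc_get "$name")" ] || name=smtpd_recipient_restrictions
    # Restrictions are evaluated in order for each RCPT TO: an unconditional
    # "permit" before reject_unauth_destination relays for the whole internet.
    seen_reject=0
    for r in $(pc_get "$name" | tr ',' ' '); do
        case $r in
            reject_unauth_destination|defer_unauth_destination) seen_reject=1 ;;
            permit)
                if [ "$seen_reject" -eq 0 ]; then
                    echo "FAIL: unconditional 'permit' in $name before reject_unauth_destination"
                    rc=1
                fi ;;
        esac
    done
    if [ "$seen_reject" -eq 0 ]; then
        echo "FAIL: no reject_unauth_destination in $name (with postconf -n, rerun plain postconf to include defaults)"
        rc=1
    fi
    # permit_mynetworks is only as safe as mynetworks
    case " $(pc_get mynetworks) " in
        *" 0.0.0.0/0 "*|*" [::]/0 "*) echo "FAIL: mynetworks trusts every address"; rc=1 ;;
    esac
    # relay_domains should stay empty unless you really forward for other domains
    rd=$(pc_get relay_domains)
    if [ -n "$rd" ] && [ "$rd" != '$mydestination' ]; then
        echo "WARN: relay_domains is not empty: $rd"
    fi
    # AUTH on every port, including 25, leaks clear-text passwords without TLS
    if [ "$(pc_get smtpd_sasl_auth_enable)" = yes ] && [ "$(pc_get smtpd_tls_auth_only)" != yes ]; then
        echo "WARN: SASL enabled globally without smtpd_tls_auth_only = yes"
    fi
    return $rc
}

# sample_config: constructed postconf -n style output matching this page's
# settings (not a capture from a real server), for an offline dry run:
#   sample_config | check_relay_config
sample_config() {
    printf '%s\n' \
        'smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination' \
        'relay_domains =' \
        'mydestination = $myhostname localhost.$mydomain localhost $mydomain'
}

# smtp_relay_probe HOST [PORT]: ask the server to relay to a foreign domain
# (.invalid is reserved by RFC 2606) and report its answer to RCPT TO.
# Postfix with reject_unauth_destination answers 554 "Relay access denied".
smtp_relay_probe() {
    host=$1; port=${2:-25}
    exec 3<>"/dev/tcp/$host/$port"
    read -r banner <&3                         # 220 greeting
    printf 'EHLO probe.invalid\r\n' >&3
    while read -r line <&3; do                 # 250-... continuation lines,
        case $line in 250\ *) break ;; esac    # then "250 " ends the EHLO reply
    done
    printf 'MAIL FROM:<probe@probe.invalid>\r\n' >&3
    read -r line <&3
    printf 'RCPT TO:<someone@not-my-domain.invalid>\r\n' >&3
    read -r verdict <&3
    printf 'QUIT\r\n' >&3
    exec 3>&-
    case $verdict in
        2*) echo "OPEN RELAY: server accepted the recipient: $verdict"; return 1 ;;
        *)  echo "relay refused: $verdict"; return 0 ;;
    esac
}
```

Run the probe from a machine outside your network (from inside, permit_mynetworks may legitimately allow the relay). A non-2xx answer to RCPT TO means the server did not relay, but read the text: if MAIL FROM was already rejected (for instance by a sender-domain check), the RCPT reply is an error about command order rather than the relay denial you want to see.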

Courier-IMAP

Courier is a full mail server, but here I’m only going to use its IMAP component. Installation:

$ sudo apt-get install courier-imap-ssl
-> Create directories for web-based administration?: no

By default both the plain IMAP service (port 143) and the IMAP over SSL service (port 993) are started, and I don’t want the first one. To disable it, set IMAPDSTART=NO in /etc/courier/imapd.

Some parameters have to be changed for the IMAP over SSL service; edit /etc/courier/imapd-ssl and set the following values:

# (…)
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=SSL23
TLS_CIPHER_LIST=HIGH
# (…)

For TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL I use SSL23 because I’m using Apple Mail and it does not handle TLS very well. Be aware that SSL23 means “negotiate whatever the client offers”, which includes SSLv3 and even SSLv2, both of which have known weaknesses. If your mail client supports TLS, replace SSL23 with TLS1 so that the old SSL versions can no longer be negotiated.

Finishing the installation

First we need to restart everything:

$ sudo /etc/init.d/saslauthd restart
$ sudo /etc/init.d/postfix restart
$ sudo /etc/init.d/courier-authdaemon restart
$ sudo /etc/init.d/courier-imap restart
$ sudo /etc/init.d/courier-imap-ssl restart

If you run sudo netstat -lntp you should see something like this:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      12718/master
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      12718/master
tcp6       0      0 :::993                  :::*                    LISTEN      12440/couriertcpd

There are two Postfix listeners (the master process on port 25 for incoming mail and on port 587 for authenticated submission with STARTTLS) and one Courier listener on port 993 (shown as an IPv6 socket, which on Linux normally accepts IPv4 connections as well). Nothing should be listening on port 143 any more.

Now create your mailbox. Each user needs a Maildir in their home directory, which you can initialize with:

$ maildirmake ~/Maildir

Certificates

I haven’t said anything about SSL certificates yet. You need a certificate for each SSL service; the packages generate self-signed ones at installation time, so when you connect with your mail client it will complain that the certificate is not trustworthy.

It may even refuse to read or send mail (for instance, I had to tell Apple Mail to trust the certificate before it would send). Before trusting a self-signed certificate, compare the fingerprint your client shows with the fingerprint of the certificate file on the server: blindly clicking “trust” is exactly what an attacker sitting between you and the server hopes you will do. The proper fix is a certificate issued by a CA your clients already trust.

Trouble shooting

While configuring my mail server I ran into several problems, mainly due to Apple Mail, TLS and certificates. So if you have any trouble, look at the log files in /var/log/ (Postfix and Courier both log through syslog, to mail.log and mail.err on Debian), and use netstat and ps to make sure your servers are running and listening on the right ports.

You can also connect to the IMAP server by hand with a command like this one:

$ openssl s_client -tls1 -connect mailserver:993 -state -debug

Then type a few IMAP commands to check that it works: every command starts with a tag of your choice (for example “a1 CAPABILITY”, then “a2 LOGIN user password”, then “a3 LOGOUT”), and the server answers with the same tag followed by OK, NO or BAD.
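The same check by script, as an added example (not code from the original post) that also covers the certificate fingerprint comparison mentioned above: imap_tls_probe runs the CAPABILITY/LOGOUT session through openssl s_client, imap_check_transcript verifies the server’s answers, and cert_fingerprint shows what the server presents so you can compare it with the file on disk before telling a mail client to trust it. The hostname mailserver is a placeholder, and sample_transcript is a constructed session, not a capture from Courier.

```bash
#!/bin/sh
# Added example (not from the original post) for checking an IMAP-over-SSL
# server by script instead of by hand.
# Usage:  imap_tls_probe mailserver | imap_check_transcript
#         cert_fingerprint mailserver

# imap_tls_probe HOST [PORT]: send CAPABILITY then LOGOUT over TLS. The
# sleeps give the server time to answer; -quiet suppresses certificate
# chatter (and implies -ign_eof, so the session ends when the server closes
# the connection after LOGOUT).
imap_tls_probe() {
    { sleep 1; printf 'a1 CAPABILITY\r\n'; sleep 1; printf 'a2 LOGOUT\r\n'; sleep 1; } \
        | openssl s_client -quiet -connect "$1:${2:-993}" 2>/dev/null
}

# imap_check_transcript < transcript
# Returns 0 when the greeting is "* OK", CAPABILITY got "a1 OK", and the
# server does not advertise LOGINDISABLED (which makes a LOGIN command fail).
imap_check_transcript() {
    t=$(tr -d '\r')                      # IMAP lines end in CRLF; drop the CR
    rc=0
    printf '%s\n' "$t" | head -n 1 | grep -q '^\* OK' \
        || { echo "FAIL: no '* OK' greeting (server refused, or not IMAP)"; rc=1; }
    printf '%s\n' "$t" | grep -q '^a1 OK' \
        || { echo "FAIL: CAPABILITY was not answered with 'a1 OK'"; rc=1; }
    if printf '%s\n' "$t" | grep -q 'LOGINDISABLED'; then
        echo "FAIL: server advertises LOGINDISABLED; clear-text LOGIN will be refused"
        rc=1
    fi
    return $rc
}

# sample_transcript: constructed transcript of a healthy session (not a real
# capture), for an offline dry run:  sample_transcript | imap_check_transcript
sample_transcript() {
    printf '%s\r\n' \
        '* OK [CAPABILITY IMAP4rev1] IMAP server ready.' \
        '* CAPABILITY IMAP4rev1 AUTH=PLAIN' \
        'a1 OK CAPABILITY completed' \
        '* BYE server closing connection' \
        'a2 OK LOGOUT completed'
}

# cert_fingerprint HOST [PORT]: SHA-256 fingerprint of the presented
# certificate. Compare it with the output of
#   openssl x509 -noout -fingerprint -sha256 -in /etc/courier/imapd.pem
# run on the server (Debian's default location for Courier's certificate).
cert_fingerprint() {
    openssl s_client -connect "$1:${2:-993}" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}
```

A mismatch between the two fingerprints means you are not talking to your own server, or that something (a proxy, a wrong DNS answer) is in the path; do not tell the client to trust that certificate.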

Some of the errors I had:

  • SASL authentication failure: cannot connect to saslauthd server: No such file or directory, because I had not moved the saslauthd socket directory into /var/spool/postfix/var/run.
  • imapd-ssl: Unexpected SSL connection shutdown because Apple Mail was not trusting the certificate.
  • imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number because Apple Mail does not support SSL3/TLS1 on IMAP.

Update (2010-05-09):

My father’s mail client was displaying the following error message:

Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)

A quick way to solve that is to replace FAM with Gamin:

$ sudo apt-get install gamin

Then restart Courier.

Update (2012-05-31)

For a month the IMAP connection had been freezing after some time. The solution? According to this post and this one: replace Gamin with FAM ;-).

$ sudo apt-get install fam libfam0

Links

Some useful resources:

Mail Stories posts

Comments

Add one by sending me an email.

  • From cga ·
    hi,

    i’m trying to make OVH MX point to my postfix in order to use my own mail server.

    apparently you did succeed in this.

    can you contact me to talk about it? anything i try doesn’t work and ovh documentation sucks a lot.

    please thanks.

  • From Mike ·
    Have run into 2 problems,
    1. postfix would look up odd hostnames

    FIX: run dpkg-reconfigure postfix

    Go through the setup with your valid domain name

    2. Clarification

    iPhone would not send out mail

    FIX:

    edit /etc/postfix/master.cf and uncomment all of these

    submission inet n       -       -       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    
  • From Fabrizio ·
    Thanks very much for your post, I had a problem with FAM/gamin and it was as simple as you said.