Mail Story 1: Debian + Postfix (SMTP) + Courier (IMAP) + SSL
Configuring your own mail server can be fun, but remember that there are a lot of bad guys on the internet. I’m no expert on mail server configuration, but one thing you must never do is relay mail for domains you don’t own or from people you haven’t authenticated: that is what turns a mail server into an open spam relay. Of course, keep your software (operating system, mail server, etc.) up to date so the machine doesn’t get cracked.
I have a domain name (desgrange.net, as you can see) and I would like to use it for my mail. It’s not that I don’t trust service providers, but I would like to be in charge of the mail server configuration (so I can tune it as I want).
For those tasks I chose:
- Debian as the operating system (tested on Debian 5.0 and Debian testing)
- Postfix (2.5.5) as SMTP server
- Courier-imap (4.4.0) as IMAP server
In this tutorial I assume that I’m installing a mail server for the domain example.com on a computer named mailserver. Allowed users are the standard unix users created on the mail server.
First make sure that the MX record for your domain points to your mail server; check with your domain name provider for that part. I’m using OVH, so I did it on their website (which sucks a bit for that).
Postfix is a well known SMTP server. Like most mail servers it has several hundred parameters, but here they all have sensible default values, so we only need to change a few of them to get it working the way we want. Let’s start with the Postfix installation:
$ sudo apt-get install postfix
-> General type of mail configuration: internet with smarthost
-> System mail name: example.com
-> SMTP relay host: <blank>
Now we need to install the authentication system:
$ sudo apt-get install sasl2-bin libsasl2-modules
As told by the installation process, to enable saslauthd, edit /etc/default/saslauthd and set the value it tells you to.
To tell postfix to use saslauthd, create the Postfix SASL configuration file with the following content. PLAIN and LOGIN transmit the password in the clear, so they must only be offered on a connection that is already encrypted; that is what the TLS-required submission listener set up below is for.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
As postfix runs chrooted, to let it reach the saslauthd socket we need to move the socket directory into the chroot (or change the directory given in the saslauthd options) and give the postfix user access to it:
$ sudo mkdir -p /var/spool/postfix/var/run/
$ sudo mv /var/run/saslauthd /var/spool/postfix/var/run/
$ sudo ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd
$ sudo adduser postfix sasl
Postfix is configured to listen on the standard port 25 so other mail servers can deliver mail to you. That listener cannot require TLS, because other mail servers may not support it, so it only offers TLS opportunistically. For our own mail clients we want a second listener, on the submission port (587), that requires TLS (STARTTLS) before it accepts authentication; that is the one we use when sending mail. To enable it, just uncomment the submission lines in the Postfix master configuration (those lines turn on mandatory TLS and SASL authentication for that port only).
/etc/mailname contains your domain name. Debian’s Postfix packaging reads it for some parameters (myorigin, for example); this is Debian specific.
Most of the postfix configuration is done in /etc/postfix/main.cf; you can edit this file directly or use the following commands:
1 $ sudo postconf -e 'smtpd_tls_security_level = may'
2 $ sudo postconf -e 'smtpd_tls_mandatory_ciphers = high'
3 $ sudo postconf -e 'smtpd_tls_mandatory_exclude_ciphers = aNULL'
4 $ sudo postconf -e 'smtpd_tls_mandatory_protocols = TLSv1'
5 $ sudo postconf -e 'mydestination = $myhostname localhost.$mydomain localhost $mydomain'
6 $ sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination'
7 $ sudo postconf -e 'relay_domains ='
8 $ sudo postconf -e 'home_mailbox = Maildir/'
9 $ sudo postconf -e 'mailbox_command ='
- Line 1 tells postfix to offer TLS (STARTTLS) on the standard SMTP port (25) and to use it if the connecting server supports it.
- Line 2 restricts ciphers to the “HIGH” grade. Note that the smtpd_tls_mandatory_* parameters only apply to listeners that require TLS (the submission port); opportunistic TLS on port 25 is governed by the non-mandatory parameters such as smtpd_tls_ciphers.
- Line 3 additionally excludes the aNULL ciphers, that is anonymous key exchange with no server authentication (not “no encryption”: those are the eNULL ciphers, which HIGH never includes).
- Line 4 accepts only TLSv1 on the TLS-required listener. Pinning a single version also rejects any newer TLS version your Postfix and OpenSSL support; later Postfix releases document excluding the protocols you don’t want (!SSLv2, !SSLv3) instead of listing the one you do.
- Line 5 lists the domain names for which this server accepts mail as the final destination.
- Line 6 tells postfix to accept mail only from authenticated users or for domains it is the final destination of; everything else is rejected, which is what prevents open relaying.
- Line 7: postfix must not relay mail for any other domain.
- Lines 8 and 9 make postfix deliver straight into the Maildir format that Courier uses, instead of handing mail to a delivery command.
You can have a look at the postfix configuration parameters documentation.
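The script below is an added example, not code from the original post. It packages the SASL file and the nine postconf -e settings above into an apply step, and adds an audit function that reads a main.cf (or saved `postconf -n` output) and reports the settings that would make Postfix an open relay: no reject_unauth_destination, an unconditional permit ahead of it, a non-empty relay_domains, an all-zero mynetworks (a check the post does not discuss, added because permit_mynetworks with a /0 network is the classic open relay), or TLS switched off on port 25. The SASL file path /etc/postfix/sasl/smtpd.conf is an assumption, since the post does not name the file; the parser handles Postfix continuation lines and comments.

```shell
#!/bin/sh
# Added example, not from the original post: apply the Postfix and SASL settings
# from this tutorial, and audit a main.cf for the settings that turn Postfix
# into an open relay. The SASL config path is an assumption (the post does not
# name it); Debian's Postfix conventionally reads /etc/postfix/sasl/smtpd.conf.
set -eu

SASL_CONF=${SASL_CONF:-/etc/postfix/sasl/smtpd.conf}   # assumed path, see above

# Step 1: the SASL file from the tutorial. PLAIN/LOGIN are cleartext mechanisms,
# so they must only be reachable through the TLS-required submission listener.
write_sasl_conf() {
    printf 'pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n' > "$SASL_CONF"
}

# Step 2: the tutorial's main.cf settings, exactly the postconf -e lines above.
harden_postfix() {
    postconf -e 'smtpd_tls_security_level = may'
    postconf -e 'smtpd_tls_mandatory_ciphers = high'
    postconf -e 'smtpd_tls_mandatory_exclude_ciphers = aNULL'
    postconf -e 'smtpd_tls_mandatory_protocols = TLSv1'
    postconf -e 'mydestination = $myhostname localhost.$mydomain localhost $mydomain'
    postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination'
    postconf -e 'relay_domains ='
    postconf -e 'home_mailbox = Maildir/'
    postconf -e 'mailbox_command ='
}

# Read one parameter from a main.cf-style file: "name = value", '#' comments,
# lines starting with whitespace continue the previous value, last assignment wins.
cf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]+[^[:space:]]/ { if (n == key) { c = $0; sub(/^[[:space:]]+/, "", c); v = v " " c }; next }
        /^[A-Za-z0-9_]+[[:space:]]*=/ {
            n = $0; sub(/[[:space:]]*=.*$/, "", n)
            if (n == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v) }
        }
        END { print v }' "$1"
}

# Split a Postfix list value (commas and/or whitespace) into one item per word.
cf_items() { printf '%s' "$1" | tr -s ' \t,' ' '; }

# Audit the relay and TLS settings. Returns 0 if safe, 1 with one FAIL line per
# finding. The mynetworks check goes beyond the tutorial: permit_mynetworks with
# an all-zero network is the classic open relay.
audit_main_cf() {
    f=$1 rc=0 seen_reject=0
    for item in $(cf_items "$(cf_get "$f" smtpd_recipient_restrictions)"); do
        case $item in
            reject_unauth_destination|defer_unauth_destination|reject) seen_reject=1; break ;;
            permit) echo "FAIL: unconditional 'permit' before reject_unauth_destination"; rc=1 ;;
        esac
    done
    [ "$seen_reject" -eq 1 ] || { echo "FAIL: smtpd_recipient_restrictions never rejects unauthorized destinations"; rc=1; }
    rd=$(cf_get "$f" relay_domains)
    case $rd in
        ''|'$mydestination') ;;
        *) echo "FAIL: relay_domains relays for other domains: $rd"; rc=1 ;;
    esac
    for net in $(cf_items "$(cf_get "$f" mynetworks)"); do
        case $net in
            */0) echo "FAIL: mynetworks trusts the whole internet: $net"; rc=1 ;;
        esac
    done
    case $(cf_get "$f" smtpd_tls_security_level) in
        may|encrypt) ;;
        *) echo "FAIL: smtpd_tls_security_level should be 'may' (port 25) or 'encrypt'"; rc=1 ;;
    esac
    return $rc
}

# CLI: "apply" writes the SASL file and main.cf settings (run as root),
# "audit [file]" checks a main.cf (default /etc/postfix/main.cf).
case ${1:-} in
    apply) write_sasl_conf; harden_postfix ;;
    audit) audit_main_cf "${2:-/etc/postfix/main.cf}" && echo "OK: no relay or TLS findings" ;;
esac
```

Run `sh postfix-harden.sh apply` as root once, then `sh postfix-harden.sh audit` (optionally with a path, or with `postconf -n` output saved to a file). The audit is worth rerunning every time the restriction lists are edited later, since that is where open relays come from.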
$ sudo apt-get install courier-imap-ssl
-> Create directories for web-based administration?: no
By default both the IMAP and the IMAP over SSL processes are started, but I don’t want the first one. To disable the standard (plaintext) IMAP process, turn off its start option in the Courier imapd configuration.
Some parameters have to be changed for the IMAP over SSL process; edit the file /etc/courier/imapd-ssl and set the following values:
# (…)
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=SSL23
TLS_CIPHER_LIST=HIGH
# (…)
For TLS_STARTTLS_PROTOCOL I use SSL23 because I’m using Apple Mail and it does not handle TLS very well. If you use a mail client that supports TLS, replace SSL23 with a TLS-only protocol value, since SSL23 lets the client negotiate down to SSLv3 and the HIGH cipher list does nothing to prevent that.
Finishing the installation
First we need to restart everything:
$ sudo /etc/init.d/saslauthd restart
$ sudo /etc/init.d/postfix restart
$ sudo /etc/init.d/courier-authdaemon restart
$ sudo /etc/init.d/courier-imap restart
$ sudo /etc/init.d/courier-imap-ssl restart
If you type sudo netstat -lntp you should see something like this:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      12718/master
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      12718/master
tcp6       0      0 :::993                  :::*                    LISTEN      12440/couriertcpd
There are two Postfix listeners (master on ports 25 and 587, the latter being the TLS-required submission port) and one Courier listener on port 993 (IMAPS).
Create your mailbox. You may want to initialize your own mailbox directory on the server:
$ maildirmake ~/Maildir
I didn’t say anything about SSL certificates. You need a certificate for every SSL listener; the packages generate self-signed defaults, so when you connect with your mail client it may complain that the certificate is not trusted. Replace them with certificates issued for your mail server’s hostname before relying on the setup, otherwise your users learn to click through certificate warnings.
While configuring my mail server I ran into several problems, mainly due to Apple Mail, TLS and certificates. So, if you have any trouble, don’t forget to have a look at the mail log files and use ps to be sure that your servers are running and listening on the right ports.
You may even try to manually connect to the IMAP server with a command like this one:
$ openssl s_client -tls1 -connect mailserver:993 -state -debug
Have a look at the IMAP commands to check whether it works.
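The checks below are an added example, not part of the original post. The listener check reads netstat -lntp or ss -lntp output like the listing above and verifies that 25, 587 and 993 are up while the plaintext IMAP/POP ports are not; the probes use openssl s_client the same way as the IMAP command above, to confirm that the submission port advertises AUTH only after STARTTLS while port 25 advertises none, and to ask the IMAPS port for its capabilities instead of sending a password. The EHLO hostname check.example.com is an arbitrary placeholder, and the host name passed on the command line is assumed to be mailserver as in the tutorial.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the setup
# above. The parsers run offline; the probes need the live server and openssl.
# "check.example.com" in the EHLO is an arbitrary placeholder.
set -eu

# Read `netstat -lntp` or `ss -lntp` output on stdin. 25 (SMTP), 587 (submission)
# and 993 (IMAPS) must be listening; 110 and 143 (plaintext POP/IMAP) must not,
# since the tutorial disables the non-SSL Courier daemon.
check_listeners() {
    ports=$(awk '$1 ~ /^(tcp|LISTEN)/ && $4 ~ /:[0-9]+$/ { sub(/.*:/, "", $4); print $4 }' | sort -un)
    rc=0
    for want in 25 587 993; do
        echo "$ports" | grep -qx "$want" || { echo "FAIL: port $want is not listening"; rc=1; }
    done
    for bad in 110 143; do
        ! echo "$ports" | grep -qx "$bad" || { echo "FAIL: plaintext port $bad is listening"; rc=1; }
    done
    return $rc
}

# Return 0 if an EHLO response on stdin advertises SASL AUTH (either the
# "250-AUTH PLAIN LOGIN" form or the legacy "250-AUTH=PLAIN LOGIN" form).
smtp_offers_auth() {
    grep -Eiq '^250[- ]AUTH[ =]'
}

# EHLO over STARTTLS to $1:$2 and print the response. On this setup 587 should
# advertise AUTH and 25 should not (SASL is only enabled on the submission port).
ehlo_after_starttls() {
    printf 'EHLO check.example.com\r\nQUIT\r\n' |
        openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>/dev/null
}

# IMAPS the way the tutorial tests it, but asking only for CAPABILITY; never
# put a real password on a command line.
imaps_capability() {
    printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' |
        openssl s_client -quiet -connect "$1:993" 2>/dev/null
}

# With a host argument, run everything against the live server.
if [ -n "${1:-}" ]; then
    host=$1
    { command -v ss >/dev/null 2>&1 && ss -lntp || netstat -lntp; } | check_listeners
    if ehlo_after_starttls "$host" 587 | smtp_offers_auth; then
        echo "OK: $host:587 offers AUTH over TLS"; else echo "FAIL: $host:587 offers no AUTH"; fi
    if ehlo_after_starttls "$host" 25 | smtp_offers_auth; then
        echo "WARN: $host:25 offers AUTH"; else echo "OK: $host:25 offers no AUTH"; fi
    imaps_capability "$host"
fi
```

Run it as `sh mail-check.sh mailserver` from another machine so that the probes go through the same path your mail clients use. A WARN on port 25 means authentication is reachable on the opportunistic-TLS listener, where a client could still send PLAIN credentials before encryption; keep SASL confined to the submission port.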
Some of the errors I had:
- “SASL authentication failure: cannot connect to saslauthd server: No such file or directory”, because I hadn’t moved the saslauthd directory as described above.
- “imapd-ssl: Unexpected SSL connection shutdown”, because Apple Mail was not trusting the certificate.
- “imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number”, because Apple Mail does not support SSL3/TLS1 on IMAP.
My father’s mail client was displaying the following error message:
Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)
$ sudo apt-get install gamin
And then restart the Courier IMAP daemons.
$ sudo apt-get install fam libfam0
Some useful resources:
- Postfix Howtos and FAQs
- Postfix Documentation
- A tutorial on SMTP authentication over SSL
- A tutorial including a postfix/courier-imap installation