Mail Story 1: Debian + Postfix (SMTP) + Courier (IMAP) + SSL
Here is a quick tutorial to build your own mail server using Debian GNU/Linux.
Disclaimer
Configuring your own mail server can be fun, but remember that there are a lot of bad guys on the internet. I'm no expert on mail server configuration; don't forget that you must not allow relaying mails to domains you don't own and from people you haven't authenticated, in order to avoid spam relay. Of course, keep your software (operating system, mail server, etc.) up to date in order to keep your computer safe from being cracked.
Goal
I have a domain name (desgrange.net as you can see) and I would like to use it for my mails. It's not that I don't trust service providers, but I would like to be in charge of the mail server configuration (so I would be able to tune it as I want).
For instance, I want to be able to send mails using SMTP over SSL and retrieve emails using IMAP over SSL.
For these tasks I chose:
- Debian as the operating system (tested on Debian 5.0 and Debian testing)
- Postfix (2.5.5) as the SMTP server
- Courier-imap (4.4.0) as the IMAP server
In this tutorial I assume that I'm installing a mail server for the domain example.com on a computer named mailserver. Allowed users are the standard Unix users created on the mail server.
DNS
First make sure that your DNS has an MX record pointing to your mail server. Check with your domain name provider for that part. I'm using OVH so I did it on their website (which sucks a bit for that).
Postfix
Postfix is a well known SMTP server. Like most mail servers, it has several hundred parameters, but here all of them have sensible default values, so we only need to change a few of them to get it working the way we want. Let's start with the Postfix installation:
$ sudo apt-get install postfix
-> General type of mail configuration: internet with smarthost
-> System mail name: example.com
-> SMTP relay host: <blank>
Now we need to install the authentication system saslauthd.
$ sudo apt-get install sasl2-bin libsasl2-modules
As told by the installation process, to enable saslauthd, edit /etc/default/saslauthd and set START=yes.
To tell postfix to use saslauthd, create a file /etc/postfix/sasl/smtpd.conf containing:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
As postfix runs chrooted, to allow it to talk to saslauthd we need to move some files (or change the directory specified in OPTIONS in /etc/default/saslauthd):
$ sudo mkdir -p /var/spool/postfix/var/run/
$ sudo mv /var/run/saslauthd /var/spool/postfix/var/run/
$ sudo ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd
$ sudo adduser postfix sasl
Postfix is configured to run on the standard port 25 so that other mail servers can transfer mails to you. This postfix process can't require SSL, because other mail servers may not support it. So we need to start another postfix process running over SSL only, and use that one when we want to send an email. To allow this process to start, just uncomment the submission lines in /etc/postfix/master.cf.
Check that /etc/mailname contains your domain name. It's used by postfix for some parameters (this seems to be Debian-specific).
Most of the postfix configuration is done in /etc/postfix/main.cf; you can edit this file directly or use the following commands:
- Line 1 tells postfix to use TLS on the standard SMTP port (25) if the remote server supports it.
- Line 2 restricts TLS ciphers to "HIGH" ciphers only.
- Line 3 excludes the aNULL ciphers (no encryption).
- Line 4 tells postfix to use TLSv1 as the protocol for the postfix-over-SSL process.
- Line 5 lists the domain names for which the server will accept mails.
- Line 6 tells postfix to relay mails only from authenticated users or to domains postfix is in charge of.
- Line 7 tells postfix that it must not relay mails to other domains.
- Lines 8 and 9 are for Courier, which uses a specific type of mailbox (Maildir).
You can have a look at the postfix configuration parameters documentation.
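As an added check that is not part of the original tutorial, here is a POSIX sh script that lints a main.cf against the nine settings described above, so you can confirm the relay restrictions really are in place before exposing port 25. Which Postfix parameters the commands set is my assumption drawn from the descriptions (the names themselves are real Postfix parameters), and both sample files are constructed for the demo.

```shell
# Added example, not part of the original tutorial: lint a Postfix main.cf against the
# settings described above. Which parameters the commands set is my assumption
# (the names are real Postfix parameters); both sample files below are constructed.

# get_param FILE NAME: print NAME's value; the last definition wins, as in Postfix.
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_main_cf FILE: return 0 when every check passes; otherwise print each problem, return 1.
check_main_cf() {
    f=$1; rc=0
    # Line 6: relay for SASL-authenticated clients only, then reject anything not local.
    case ",$(get_param "$f" smtpd_recipient_restrictions | tr -s ', ' ',,')," in
        *,permit_sasl_authenticated,*reject_unauth_destination,*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination: open relay risk"; rc=1 ;;
    esac
    # Line 7: relay_domains must be empty (unset keeps the default, which is $mydestination).
    [ -z "$(get_param "$f" relay_domains)" ] || { echo "relay_domains must be empty"; rc=1; }
    # Lines 1-3: opportunistic TLS on port 25, HIGH ciphers only, aNULL excluded.
    [ "$(get_param "$f" smtpd_tls_security_level)" = may ] || { echo "smtpd_tls_security_level should be may"; rc=1; }
    [ "$(get_param "$f" smtpd_tls_mandatory_ciphers)" = high ] || { echo "smtpd_tls_mandatory_ciphers should be high"; rc=1; }
    case "$(get_param "$f" smtpd_tls_exclude_ciphers)" in *aNULL*) ;; *) echo "exclude aNULL ciphers"; rc=1 ;; esac
    # Lines 8-9: Maildir delivery for Courier; the trailing slash selects maildir format.
    case "$(get_param "$f" home_mailbox)" in */) ;; *) echo "home_mailbox should be Maildir/"; rc=1 ;; esac
    return $rc
}

# Constructed main.cf that follows the tutorial.
sample_good() {
cat <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL
mydestination = example.com, mailserver, localhost
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
relay_domains =
home_mailbox = Maildir/
EOF
}
# Constructed main.cf with the classic mistake: no reject after the permits, plus a relay domain.
sample_bad() {
cat <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
relay_domains = example.org
home_mailbox = Maildir
EOF
}
tmp=$(mktemp); sample_good > "$tmp"; check_main_cf "$tmp" && echo "main.cf OK"; rm -f "$tmp"
```

Run it against your real file with `check_main_cf /etc/postfix/main.cf`; the output of `postconf -n` works as input too.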
Courier-IMAP
Courier is a full mail server but here I'm going to use only Courier's IMAP server component. Installation:
$ sudo apt-get install courier-imap-ssl
-> Create directories for web-based administration?: no
By default the IMAP and IMAP over SSL processes are both started, but I don't want the first one. To disable the standard IMAP process, set IMAPDSTART to NO in /etc/courier/imapd.
Some parameters have to be changed for the IMAP over SSL process. Edit the file /etc/courier/imapd-ssl and set the following values:
# (…)
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=SSL23
TLS_CIPHER_LIST=HIGH
# (…)
For TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL I use SSL23 because I'm using Apple Mail and it does not handle TLS very well. If you use a mail client supporting TLS, replace SSL23 with TLS1.
Finishing the installation
First we need to restart everything:
$ sudo /etc/init.d/saslauthd restart
$ sudo /etc/init.d/postfix restart
$ sudo /etc/init.d/courier-authdaemon restart
$ sudo /etc/init.d/courier-imap restart
$ sudo /etc/init.d/courier-imap-ssl restart
If you type sudo netstat -lntp you should see something like this:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 12718/master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 12718/master
tcp6 0 0 :::993 :::* LISTEN 12440/couriertcpd
There are two processes for postfix (master on ports 25 and 587 (SSL)) and one for Courier on port 993.
Create your mailbox. You may want to initialize your own mailbox directory on the server:
$ maildirmake ~/Maildir
Certificates
I didn't say anything about SSL certificates: you need certificates for all your SSL connections. Here some default ones are created, but when you connect with your mail client, it may complain that the certificate is not trustworthy.
That may prevent you from reading/sending mails (for instance I had to tell Apple Mail to trust the certificate in order to be able to send emails).
Troubleshooting
While configuring my mail server I ran into several problems, mainly due to Apple Mail, TLS and certificates. So, if you have any trouble, don't forget to have a look at the log files in /var/log/, and use netstat and ps to be sure that your servers are running and listening on the right ports.
You may even try to manually connect to the IMAP server with a command like this one:
$ openssl s_client -tls1 -connect mailserver:993 -state -debug
Have a look at the IMAP commands to check whether it works.
Some of the errors I had:
- SASL authentication failure: cannot connect to saslauthd server: No such file or directory
because I hadn't moved the saslauthd files to /var/spool/postfix/var/run.
- imapd-ssl: Unexpected SSL connection shutdown
because Apple Mail was not trusting the certificate.
- imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
because Apple Mail does not support SSL3/TLS1 on IMAP.
Update (2010-05-09):
My father's mail client was displaying the following error message:
Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)
A quick fix for that is to replace FAM with Gamin:
$ sudo apt-get install gamin
And restart courier.
Update (2012-05-31)
For a month the IMAP connection was freezing after some time. The solution? According to this post and this one: replace gamin with FAM ;-).
$ sudo apt-get install fam libfam0
Links
Some useful resources:
- Postfix Howtos and FAQs
- Postfix Documentation
- A tutorial on SMTP authentication over SSL
- A tutorial including a postfix/courier-imap installation
Comments
Add one by sending me an email.
Hi,
I'm trying to make the OVH MX point to my postfix in order to use my own mail server.
Apparently you did succeed in this.
Can you contact me to talk about it? Anything I try doesn't work and the OVH documentation sucks a lot.
Please, thanks.
Have run into 2 problems:
postfix would look up odd hostnames
FIX: run dpkg-reconfigure postfix
Go through the setup with your valid domain name
Clarification
iPhone would not send out mail
FIX:
edit /etc/postfix/master.cf and uncomment all of these:
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING