A Simple Mailserver On Arch Linux (Postfix + Dovecot)

 
Submitted by dengar on Thu, 2008-07-24 14:10.

Author: Jeffrey Gelens
Version: 1.3 
Date: 04-12-2009

Introduction

This tutorial describes how to install a complete mailserver using Postfix and Dovecot on an Arch Linux machine or VPS. This specific tutorial is based on my 256MB VPS. Basic Linux knowledge is required, as I'm not describing every step in detail.

 

Base System

The base image is Arch Linux 2008.06. After booting it's better to disable root-logins in your SSH-server and create a new user as follows:

adduser <username>
usermod -a -G wheel,users,nobody,mail <username>

It's optional to rank the Arch Linux mirrors by speed, but it might speed up the installation:

pacman -Sy
pacman -S python
sed -i 's/^#S/S/g' /etc/pacman.d/mirrorlist
rankmirrors -v /etc/pacman.d/mirrorlist | tee /etc/pacman.d/mirrorlist.new && mv /etc/pacman.d/mirrorlist.new /etc/pacman.d/mirrorlist

Install the essential packages for this setup:

pacman -Syu
pacman -S sudo base-devel abs

 

Email Servers

Now that the basic packages are installed, the next step is installing the email servers. As the SMTP server we will install Postfix, with Dovecot as the IMAP server. Spamassassin and Postgrey are the best tools against spam, so let's install these too. Greylisting is at the moment a very effective way to block spam without scanning the message itself, so it does not waste any CPU cycles. On my server it blocks about 95% of all spam; the other 5% is taken care of by Spamassassin. The only downside of greylisting is that incoming emails are delayed by a couple of minutes.

pacman -S postfix dovecot spamassassin procmail
groupadd -g 5001 spamd
useradd -u 5001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin -m spamd
chown spamd:spamd /var/lib/spamassassin

 

Spamassassin

Edit the --max-children to your liking. Spamassassin uses a lot of memory, so for a mail server with just a couple of users 1 child is plenty.

 

/etc/conf.d/spamd

SAHOME="/var/lib/spamassassin/"
SPAMD_OPTS="-c --max-children 1 --username spamd -H ${SAHOME} -s ${SAHOME}spamd.log --pidfile /var/run/spamd.pid"

 

Certificates

First we have to generate a self-signed certificate and key for Dovecot and Postfix. openssl will ask for a passphrase; any random string is fine and you don't have to remember it, because the second openssl command writes the key back out without a passphrase.

cd /etc/ssl/certs
openssl req -new -x509 -newkey rsa:2048 -days 3650 -keyout mail.key -out mail.crt
openssl rsa -in mail.key -out mail.key
mv mail.key /etc/ssl/private

 

Dovecot

We'll set up Dovecot and Postfix to use the Maildir structure to store emails. This stores each user's email in their home directory and not in a database. This is fine for this setup, but for a greater number of users it's better to use MySQL or PostgreSQL for storage. Dovecot will be set up so that users can use IMAP and IMAPS (SSL). Dovecot also has a SASL authentication server built in, so we don't have to set up a separate SASL server, which saves memory.

 

/etc/dovecot/dovecot.conf

protocols = imap imaps
disable_plaintext_auth = yes
log_timestamp = "%b %d %H:%M:%S "
ssl = yes
ssl_cert_file = /etc/ssl/certs/mail.crt
ssl_key_file = /etc/ssl/private/mail.key
mail_location = maildir:~/Maildir
mail_access_groups = mail
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      user = postfix
      group = postfix
      mode = 0660
    }
  }
}

 

Postfix

Next is Postfix, whose configuration file is very complex. Luckily for you I did all the research, so you can copy and paste almost everything. The following settings still have to be changed:

myhostname
This is the hostname of your mail server (e.g. mail.example.com).
myorigin
This is the domain after the @ in the email addresses (e.g. jeffrey@example.com).
virtual_alias_domains
The same as myorigin.

 

/etc/postfix/main.cf

# Paths
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
# Domain settings
myhostname = mail.example.com
myorigin = example.com
mydestination = $myhostname, localhost.$mydomain, localhost
# Timeout settings and other limits
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
minimal_backoff_time = 300s
maximal_backoff_time = 1200s
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
smtp_helo_timeout = 60s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
# SMTP settings
smtpd_tls_cert_file=/etc/ssl/certs/mail.crt
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
#smtp_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination,
                               check_policy_service inet:127.0.0.1:10030
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_sasl_security_options = noanonymous
# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
# Network settings
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8
relayhost =
# Email and mailbox settings
alias_maps = hash:/etc/postfix/aliases
alias_database = $alias_maps
home_mailbox = Maildir/
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_size_limit = 0
# Misc
mailbox_command = /usr/bin/procmail
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
debug_peer_level = 2
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/man
sample_directory = /etc/postfix/sample
readme_directory = no
recipient_delimiter = +
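
The smtpd_sasl_path above has to name the same socket that the client block in /etc/dovecot/dovecot.conf creates, otherwise Postfix cannot authenticate anyone. The following check is an added example, not part of the original tutorial; the function names are made up here, and it parses the two files directly so that it can also be run against copies of them.

```sh
#!/bin/sh
# Added example: check that Postfix and Dovecot agree on the SASL auth socket.
# Function names are hypothetical; the parsing covers the syntax used in this tutorial.

# Print the value of one main.cf parameter (the last definition wins).
postfix_param() {   # postfix_param <main.cf> <name>
    awk -v n="$2" '
        /^[ \t#]/ { next }              # comments and continuation lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name != n) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        END { print val }' "$1"
}

# Print the path of the first "client { ... }" socket in dovecot.conf.
dovecot_client_socket() {   # dovecot_client_socket <dovecot.conf>
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*client[ \t]*[{]/ { in_client = 1; next }
        in_client && /[}]/ { in_client = 0 }
        in_client && /^[ \t]*path[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

check_sasl_socket() {   # check_sasl_socket <main.cf> <dovecot.conf>
    stype=$(postfix_param "$1" smtpd_sasl_type)
    spath=$(postfix_param "$1" smtpd_sasl_path)
    queue=$(postfix_param "$1" queue_directory)
    sock=$(dovecot_client_socket "$2")
    [ "$stype" = dovecot ] || { echo "smtpd_sasl_type is '$stype', not dovecot"; return 1; }
    [ -n "$sock" ] || { echo "no client socket in the Dovecot auth section"; return 1; }
    # Postfix resolves a relative smtpd_sasl_path against queue_directory.
    case $spath in /*) ;; *) spath="$queue/$spath" ;; esac
    [ "$spath" = "$sock" ] || { echo "mismatch: Postfix=$spath Dovecot=$sock"; return 1; }
    echo "ok: $sock"
}
```

Run it as check_sasl_socket /etc/postfix/main.cf /etc/dovecot/dovecot.conf. On the live server, test -S on the reported path then confirms that Dovecot has actually created the socket.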

Edit master.cf to let Postfix filter emails through Postgrey (which we will talk about in the next chapter) and Spamassassin.

 

/etc/postfix/master.cf

Replace the following line:

smtp      inet  n       -       n       -       -       smtpd

with these two lines:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin

And add the following three lines to the end of the file:

spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/perlbin/vendor/spamc -f -e
        /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Set the Spamassassin rules. You might have to tweak the required_score a little. The default 6.31 seems great for me.

 

/etc/mail/spamassassin/local.cf

rewrite_header Subject *****SPAM*****
required_score 6.31
report_safe 1
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

/etc/procmailrc

Spam can be copied to the Junk folder automatically by creating this file:

DROPPRIVS=yes
DEFAULT=$HOME/Maildir/
MAILDIR=$HOME/Maildir/

:0:
* ^X-Spam-Status: Yes
.Junk/

 

Create user accounts

For each email user create the appropriate account; write your own script if you don't want to do everything manually.

useradd -m -G mail -s /sbin/nologin <username>
cd ~<username>
umask 077
mkdir -p Maildir/{cur,new,tmp}
mkdir -p Maildir/.Drafts/{cur,new,tmp}
mkdir -p Maildir/.Sent/{cur,new,tmp}
mkdir -p Maildir/.Trash/{cur,new,tmp}
chmod 0700 Maildir/{cur,new,tmp}
chmod 0700 Maildir/.Drafts/{cur,new,tmp}
chmod 0700 Maildir/.Sent/{cur,new,tmp}
chmod 0700 Maildir/.Trash/{cur,new,tmp}
chown -R <username>:users *
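
One way to script the steps above, as an added example that is not part of the original tutorial. The function names and the username rule are choices made here, and the .Junk folder is included only because the procmail recipe delivers to it.

```sh
#!/bin/sh
# Added example: script the per-user steps of this tutorial.

# Create the Maildir tree below an existing home directory, all 0700.
make_maildir() {   # make_maildir <home-directory>
    home=$1
    [ -d "$home" ] || { echo "no such home directory: $home" >&2; return 1; }
    (
        umask 077                       # new directories are created 0700
        for folder in "" .Drafts .Sent .Trash .Junk; do
            for sub in cur new tmp; do
                mkdir -p "$home/Maildir/$folder/$sub" || exit 1
            done
        done
        # tighten directories that already existed with looser permissions
        find "$home/Maildir" -type d -exec chmod 0700 {} +
    )
}

# Create the account, then its mailbox. Must run as root.
add_mail_user() {   # add_mail_user <username>
    user=$1
    # refuse names that could be read as an option or as a path
    case $user in
        ''|-*|*[!a-z0-9._-]*) echo "invalid username: $user" >&2; return 1 ;;
    esac
    useradd -m -G mail -s /sbin/nologin "$user" || return 1
    home=$(getent passwd "$user" | cut -d: -f6)
    make_maildir "$home" && chown -R "$user:users" "$home/Maildir"
}
```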

Make sure the new users' email addresses are added to the virtual user map.

 

/etc/postfix/virtual

jeffrey@example.com jeffrey@localhost

Execute

postmap /etc/postfix/virtual

after saving this file.

 

Postgrey

Postgrey is not in the default pacman repositories, so let's download it from AUR. Make sure you execute the following commands as a normal user and not as root.

cd ~
wget http://aur.archlinux.org/packages/yaourt/yaourt.tar.gz
tar xzvf yaourt.tar.gz
cd yaourt
makepkg -i
yaourt --noconfirm -S postgrey

Optionally the file /etc/postfix/postgrey_whitelist_recipients can be edited to whitelist domains and email addresses you trust. This is useful as these addresses won't be delayed because of greylisting.
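
What a greylisting policy service decides for each message, as an added illustration (not Postgrey's own code, which is written in Perl). Postfix sends the service named in check_policy_service a block of name=value lines and reads back an action. The 300-second delay, the flat-file store, the reply text and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added illustration of greylisting; not Postgrey's code.
GREYLIST_DELAY=300      # seconds a new triplet has to wait (assumed value)

# Read one Postfix policy request from stdin (name=value lines, ended by a
# blank line) and print the triplet "client_address|sender|recipient".
policy_triplet() {
    awk -F= '
        /^$/ { exit }
        $1 == "client_address" { c = substr($0, index($0, "=") + 1) }
        $1 == "sender"         { s = substr($0, index($0, "=") + 1) }
        $1 == "recipient"      { r = substr($0, index($0, "=") + 1) }
        END { print c "|" s "|" r }'
}

# Decide one delivery attempt and print the action line Postfix expects.
# The store holds one "triplet<TAB>first-seen-epoch" line per triplet.
greylist_decide() {   # greylist_decide <db-file> <now-epoch> <triplet>
    db=$1
    now=$2
    key=$3
    [ -f "$db" ] || : > "$db"
    first=$(KEY=$key awk -F'\t' '$1 == ENVIRON["KEY"] { print $2; exit }' "$db")
    if [ -z "$first" ]; then
        # never seen before: remember when, and ask the sender to retry
        printf '%s\t%s\n' "$key" "$now" >> "$db"
        echo "action=DEFER_IF_PERMIT Greylisted, please try again later"
    elif [ $(( now - first )) -lt "$GREYLIST_DELAY" ]; then
        # retried too quickly: still deferred
        echo "action=DEFER_IF_PERMIT Greylisted, please try again later"
    else
        # a real mail server retried after the delay: no objection
        echo "action=DUNNO"
    fi
}
```

A sender that never retries, which is how much bulk spam software behaves, stays deferred forever; a normal mail server retries from its queue and gets through on a later attempt, which is the delay mentioned earlier.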

 

Starting the Servers

Finally! We're done. Now let's start all the servers and hope they all work.

Edit /etc/rc.conf and make sure you add the daemons listed:

DAEMONS=(spamd postgrey dovecot postfix)

This makes sure all daemons will be started automatically when rebooting. For now, start them manually:

/etc/rc.d/spamd start
/etc/rc.d/postgrey start
/etc/rc.d/dovecot start
/etc/rc.d/postfix start

Add mail.example.com to your favourite email clients, enter your user account settings, optionally enable SSL and your personal fully-featured mail-server is ready!


Submitted by Murph (not registered) on Sat, 2011-11-05 22:49.

Thanks to the author for the detailed how-to, but unfortunately some of the info seems to be out of date. I followed the tutorial step by step on an Arch VPS I have and it didn't work. The problem seems to be with SASL, but other than that, I have no idea.

In /var/log/mail.log I have the following messages:

warning: SASL: Connect to /var/run/dovecot/auth-client failed: No such file or directory

fatal: no SASL authentication mechanisms

Submitted by Srinivas (not registered) on Mon, 2011-08-29 06:18.

Good post.

It may be better to add some configuration information on Postgrey.

Submitted by Carlwill (not registered) on Fri, 2009-12-04 19:48.

Dovecot no longer supports your configuration entry on line #4.

Change "ssl_disable = no" to "ssl = yes".

 Do you have a guide to add Amavisd-new and ClamAV? I would love that to my mail server!

Submitted by Ben Brown (registered user) on Wed, 2009-03-18 15:50.

Just what I was after - and Arch linux is pretty cool too.