A Simple Mailserver On Arch Linux (Postfix + Dovecot)
Author: Jeffrey Gelens
Version: 1.3
Date: 04-12-2009
Introduction
This tutorial describes how to install a complete mailserver using Postfix and Dovecot on an Arch Linux machine or VPS. This specific tutorial is based on my 256MB VPS. Basic Linux knowledge is required as I'm not describing every step in detail.
Base System
The base image is Arch Linux 2008.06. After booting it's better to disable root-logins in your SSH-server and create a new user as follows:
adduser <username>
usermod -a -G wheel,users,nobody,mail <username>
It's optional to rank the Arch Linux mirrors by speed, but it might speed up the installation:
pacman -Sy
pacman -S python
sed -i 's/^#S/S/g' /etc/pacman.d/mirrorlist
rankmirrors -v /etc/pacman.d/mirrorlist | tee /etc/pacman.d/mirrorlist.new && mv /etc/pacman.d/mirrorlist.new /etc/pacman.d/mirrorlist
Install the essential packages for this setup:
pacman -Syu
pacman -S sudo base-devel abs
Email Servers
Now that we have installed the basic packages, the next step is installing the email servers. As SMTP server we will install Postfix, and Dovecot as IMAP server. Spamassassin and Postgrey are the best tools against spam, so let's install these too. Greylisting is at the moment a very effective way to block spam without scanning the message itself, so it does not waste any CPU cycles. On my server it blocks about 95% of all spam; the other 5% is taken care of by Spamassassin. The only downside of greylisting is that incoming emails are delayed by a couple of minutes.
pacman -S postfix dovecot spamassassin procmail
groupadd -g 5001 spamd
useradd -u 5001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin -m spamd
chown spamd:spamd /var/lib/spamassassin
Spamassassin
Edit the --max-children to your liking. Spamassassin uses a lot of memory, so for a mail server with just a couple of users 1 child is plenty.
/etc/conf.d/spamd
SAHOME="/var/lib/spamassassin/"
SPAMD_OPTS="-c --max-children 1 --username spamd -H ${SAHOME} -s ${SAHOME}spamd.log --pidfile /var/run/spamd.pid"
Certificates
First we have to generate a self-signed certificate for Dovecot and Postfix. It will ask for a passphrase; any random string is fine and you don't have to remember it, because the second command removes the passphrase from the key.
cd /etc/ssl/certs
openssl req -new -x509 -newkey rsa:2048 -days 3650 -keyout mail.key -out mail.crt
openssl rsa -in mail.key -out mail.key
mv mail.key /etc/ssl/private
Dovecot
We'll set up Dovecot and Postfix to use the Maildir structure to store emails. This stores every user's email in their home directory and not in a database. This is fine for this setup, but for a greater number of users it's better to use MySQL or PostgreSQL for storage. Dovecot will be set up so that users can use IMAP and IMAPS (SSL). Dovecot also has a SASL authentication server built in, so that we don't have to set up a separate SASL server, thus saving memory.
/etc/dovecot/dovecot.conf
protocols = imap imaps
disable_plaintext_auth = yes
log_timestamp = "%b %d %H:%M:%S "
ssl = yes
ssl_cert_file = /etc/ssl/certs/mail.crt
ssl_key_file = /etc/ssl/private/mail.key
mail_location = maildir:~/Maildir
mail_access_groups = mail
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      user = postfix
      group = postfix
      mode = 0660
    }
  }
}
Postfix
Next is Postfix. Its configuration file is very complex. Luckily for you I did all the research, so that you can copy and paste almost everything. The following settings still have to be changed:
- myhostname: This is the location of your mail server (e.g. mail.example.com).
- myorigin: This is the domain after the @ in the email addresses (e.g. jeffrey@example.com).
- virtual_alias_domains: The same as myorigin.
/etc/postfix/main.cf
# Paths
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix

# Domain settings
myhostname = mail.example.com
myorigin = example.com
mydestination = $myhostname, localhost.$mydomain, localhost

# Timeout settings and other limits
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
minimal_backoff_time = 300s
maximal_backoff_time = 1200s
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
smtp_helo_timeout = 60s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12

# SMTP settings
smtpd_tls_cert_file=/etc/ssl/certs/mail.crt
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
#smtp_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:10030
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_sasl_security_options = noanonymous

# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client

# Network settings
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8
relayhost =

# Email and mailbox settings
alias_maps = hash:/etc/postfix/aliases
alias_database = $alias_maps
home_mailbox = Maildir/
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_size_limit = 0

# Misc
mailbox_command = /usr/bin/procmail
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
debug_peer_level = 2
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/man
sample_directory = /etc/postfix/sample
readme_directory = no
recipient_delimiter = +
Edit master.cf to let Postfix filter emails through Postgrey (which we will talk about in the next chapter) and Spamassassin.
/etc/postfix/master.cf
Replace the following line:
smtp inet n - n - - smtpd
with these two lines:
smtp inet n - n - - smtpd
  -o content_filter=spamassassin
And add the following three lines to the end of the file:
spamassassin unix - n n - - pipe
  user=spamd argv=/usr/bin/perlbin/vendor/spamc -f
  -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Set the Spamassassin rules. You might have to tweak the required_score a little. The default 6.31 seems great for me.
/etc/mail/spamassassin/local.cf
rewrite_header Subject *****SPAM*****
required_score 6.31
report_safe 1
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
Spam can be copied to the Junk folder automatically by creating this file:
/etc/procmailrc
DROPPRIVS=yes
DEFAULT=$HOME/Maildir/
MAILDIR=$HOME/Maildir/

:0:
* ^X-Spam-Status: Yes
.Junk/
Create user accounts
For each email user create the appropriate account. Write your own script if you don't want to do everything manually.
useradd -m -G mail -s /sbin/nologin <username>
cd ~<username>
umask 077
mkdir -p Maildir/{cur,new,tmp}
mkdir -p Maildir/.Drafts/{cur,new,tmp}
mkdir -p Maildir/.Sent/{cur,new,tmp}
mkdir -p Maildir/.Trash/{cur,new,tmp}
chmod 0700 Maildir/{cur,new,tmp}
chmod 0700 Maildir/.Drafts/{cur,new,tmp}
chmod 0700 Maildir/.Sent/{cur,new,tmp}
chmod 0700 Maildir/.Trash/{cur,new,tmp}
chown -R <username>:users *
Make sure the new users' email addresses are added to the virtual user map.
/etc/postfix/virtual
jeffrey@example.com jeffrey@localhost
Execute
postmap /etc/postfix/virtual
after saving this file.
Postgrey
Postgrey is not in the default pacman repositories, so let's download it from AUR. Make sure you execute the following commands as a normal user and not as root.
cd ~
wget http://aur.archlinux.org/packages/yaourt/yaourt.tar.gz
tar xzvf yaourt.tar.gz
cd yaourt
makepkg -i
yaourt --noconfirm -S postgrey
Optionally the file /etc/postfix/postgrey_whitelist_recipients can be edited to whitelist domains and email addresses you trust. This is useful as these addresses won't be delayed because of greylisting.
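How the greylisting described under Email Servers and the whitelist mentioned above fit together, as an added Python example that is not part of the original tutorial and is not Postgrey's code: it answers a Postfix policy request the way a greylisting service behind check_policy_service would, keyed on the (client address, sender, recipient) triplet. The 300-second delay, the class and function names, the sample addresses and the simplified whitelist matching (exact address or domain) are assumptions made for this example.

```python
# Added illustration of greylisting over Postfix policy delegation; not Postgrey's code.
GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value)

def parse_policy_request(text):
    """Parse a policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class Greylist:
    def __init__(self, whitelist_recipients=(), delay=GREYLIST_DELAY):
        self.first_seen = {}  # triplet -> time of the first delivery attempt
        self.whitelist = {r.lower() for r in whitelist_recipients}
        self.delay = delay

    def decide(self, request_text, now):
        """Return the policy reply for one RCPT TO; `now` is the time in seconds."""
        attrs = parse_policy_request(request_text)
        recipient = attrs.get("recipient", "").lower()
        domain = recipient.rpartition("@")[2]
        if recipient in self.whitelist or domain in self.whitelist:
            return "action=DUNNO\n\n"  # whitelisted recipient: never delayed
        triplet = (attrs.get("client_address", ""),
                   attrs.get("sender", "").lower(), recipient)
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            wait = self.delay - (now - first)
            return f"action=DEFER_IF_PERMIT Greylisted, retry in {wait} seconds\n\n"
        return "action=DUNNO\n\n"  # retried after the delay: later checks decide

def sample_request(client, sender, recipient):
    # Constructed request carrying only the attributes this example reads.
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"client_address={client}\nsender={sender}\nrecipient={recipient}\n\n")

if __name__ == "__main__":
    gl = Greylist(whitelist_recipients=["postmaster@example.com"])
    req = sample_request("192.0.2.10", "alice@example.org", "jeffrey@example.com")
    print(gl.decide(req, now=0), end="")    # first attempt: deferred
    print(gl.decide(req, now=60), end="")   # retried too early: still deferred
    print(gl.decide(req, now=400), end="")  # retried after the delay: passed on
```

A sender that never retries the deferred message never gets past the first reply, which is how greylisting blocks mail without scanning its content.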
Starting the Servers
Finally! We're done. Now let's start all the servers and hope they all work.
Edit /etc/rc.conf and make sure you add the daemons listed:
DAEMONS=(spamd postgrey dovecot postfix)
This makes sure all daemons will be started automatically when rebooting. For now, start them manually:
/etc/rc.d/spamd start
/etc/rc.d/postgrey start
/etc/rc.d/dovecot start
/etc/rc.d/postfix start
Add mail.example.com to your favourite email clients, enter your user account settings, optionally enable SSL and your personal fully-featured mail-server is ready!