CentOS 5.1 Server Setup: LAMP, Email, DNS, FTP, ISPConfig (a.k.a. The Perfect Server) - Page 5

11 Postfix With SMTP-AUTH And TLS

Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Next we configure SMTP-AUTH and TLS:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks ='

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. On a 64Bit Centos 5.1 you must edit the file /usr/lib64/sasl2/smtpd.conf instead. It should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):

postconf -e 'myhostname = server1.example.com'

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks =
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server1.example.com

By default, CentOS' Dovecot daemon provides only IMAP and IMAPs services. Because we also want POP3 and POP3s we must configure Dovecot to do so. We edit /etc/dovecot.conf and enable the line protocols = imap imaps pop3 pop3s:

vi /etc/dovecot.conf

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
protocols = imap imaps pop3 pop3s

# IP or host address where to listen in for connections. It's not currently
# possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
# "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4
# interfaces depending on the operating system.

Now start Postfix, saslauthd, and Dovecot:

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines




everything is fine.

[root@server1 ssl]# telnet localhost 25
Connected to localhost.localdomain (
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-SIZE 10240000
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ssl]#



to return to the system's shell.


11.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

Share this page:

16 Comment(s)

Add comment


From: Richard at: 2009-02-01 10:26:37

Thanks, just moved over to Centos from Windows Server 2003 (I KNOW) and you made it a hell of a lot easier. Thanks man! Now I can start hosting my free online store service :D

From: Nanda at: 2011-01-29 16:00:32

Nice tutorial

From: teddy at: 2009-02-07 18:34:21

[root@teddy ~]# /etc/init.d/proftpd start
Starting proftpd:  - warning: unable to determine IP address of 'teddy'
 - error: no valid servers configured
 - Fatal: error processing configuration file '/etc/proftpd.conf'

what's wrong with my configuration ???

please help me ....

send to my email t.eddy.mi04@gmail.com


From: Anonymous at: 2009-02-12 19:23:54

Seems that you haven't asigned an ip to you network interface, and tries to get an ip trought DHCP with no luck.  You asign ip's in the first page of this tutorial ( http://images.howtoforge.com/images/perfect_server_centos_5.1/10.png ).

From: shytex.com at: 2010-10-13 07:26:08
From: at: 2008-08-04 13:06:11

With CentOS 5.2 the new Bind version is 9.3.4 so the commands to configure it should be modified as:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
cp /usr/share/doc/bind-9.3.4/sample/var/named/named.local /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.4/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf
chkconfig --levels 235 named on
/etc/init.d/named start


From: Jon Pastore at: 2008-11-14 20:53:31

I'm trying to set this up in a VE under open vz.

The /etc/fstab file only contains:

# cat /etc/fstab
none    /dev/pts        devpts  rw      0 0

How do I enable quotas?



From: Anonymous at: 2010-03-04 13:15:10

Dont worry, that package version keeps changing.

While we have CentOS 5.3  the package is 9.3.6 and so on.

From: David at: 2008-12-06 22:10:58

I had to install php-mysql also. Being a newbie to Linux this took a little searching around to find. Might want to add that to the list of things to do for other newbies... Thanks

From: EnKK at: 2008-12-25 10:12:47

On CentOS, there are three root accounts for MySQL:

root@localhost - pass set by the first command

root@server1.example.com - pass set by the second command

root@ - the password for this should be set like

# mysqladmin -h -u root password xxxxxx

Check your accounts:

# mysql -p -u root
mysql> select host,user,password from mysql.user;

From: Anonymous at: 2011-10-12 20:22:37

Far better (IF your doing this for production) is to use the provided command:


Asks you to set a root password / Disable root remote access / Remove test DB / Remove annonymous user

A lot more secure :)



From: Anonymous at: 2009-04-23 05:20:02

What if it does not start?

 trying ::1 ...

connect to address ::1 Connection Refused


From: at: 2008-01-30 13:51:12

Since you are running dovecot, you can eliminate saslauthd all together and run postfix with dovecot sasl. The you run less services and eliminate a service that runs as root (saslauthd).

From: at: 2008-04-20 14:43:38

If you receive the following dovecot error:

dovecot: imap-login: imap-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory

See this link for details: 


It saved me a lot of time!

Thanks, Falko, for the excellent ISPConfig and the how-to!

From: Martin at: 2011-06-07 09:23:57

How To import cert in windows outlook express ?

From: Ton Poppe at: 2010-09-25 07:42:45

Beste falko,

 Ik zag in het script /etc/init.d/proftpd het volgende staan
config: /etc/proftp.conf
moet dit niet zijn??
config: /etc/proftpd.conf

Mvg, Ton