The Perfect Server - Ubuntu Karmic Koala (Ubuntu 9.10) [ISPConfig 2] - Page 5

15 Postfix With SMTP-AUTH And TLS

In order to install Postfix with SMTP-AUTH and TLS do the following steps:

aptitude install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail

You will be asked two questions. Answer as follows:

General type of mail configuration: <-- Internet Site
System mail name: <--

Then run

dpkg-reconfigure postfix

Again, you'll be asked some questions:

General type of mail configuration: <-- Internet Site
System mail name: <--
Root and postmaster mail recipient: <-- [blank]
Other destinations to accept mail for (blank for none): <--,, localhost.localdomain, localhost
Force synchronous updates on mail queue? <-- No
Local networks: <-- [::ffff:]/104 [::1]/128
Use procmail for local delivery? <-- Yes
Mailbox size limit (bytes): <-- 0
Local address extension character: <-- +
Internet protocols to use: <-- all

Next, do this:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):

postconf -e 'myhostname ='

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/ should now look like this:

cat /etc/postfix/

# See /usr/share/postfix/ for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =,, localhost.localdomain, localhost
relayhost =
mynetworks = [::ffff:]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.

# Should saslauthd run automatically on startup? (default: no)

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)

# Which authentication mechanisms should saslauthd use? (default: pam)
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
# Only one option may be used at a time. See the saslauthd man page
# for more information.
# Example: MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):

adduser postfix sasl

Now restart Postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines




everything is fine.

The output on my system looks like this:

root@server1:/etc/postfix/ssl# telnet localhost 25
Trying ::1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 ESMTP Postfix (Ubuntu)
ehlo localhost
250-SIZE 10240000
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.



to return to the system's shell.


16 Courier-IMAP/Courier-POP3

Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):

aptitude install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

You will be asked two questions:

Create directories for web-based administration? <-- No
SSL certificate required <-- Ok

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname ( in this tutorial), delete the certificates...

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

... and modify the following two files; replace CN=localhost with (you can also modify the other values, if necessary):

vi /etc/courier/imapd.cnf


vi /etc/courier/pop3d.cnf


Then recreate the certificates...


... and restart Courier-IMAP-SSL and Courier-POP3-SSL:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user's Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

Share this page:

15 Comment(s)

Add comment


From: the_guv at: 2009-11-25 14:35:44
From: QSC at: 2009-12-24 00:38:20

I couldn't agree more. The latest release of Ubuntu (9.10) has been a tremendous disappointment, haven't spent this much time fixing a distro since Gentoo or CRUX. 

From: the_guv at: 2009-11-18 18:50:36

cos for an Ubuntu server edition, never install anything other than a LTS edition ..

.. so the best choice of Ubuntu server to date would be Hardy Heron 8.04.

Just my tuppency ha'penny :)

(Oh, and Nginx is way more perfect than Apache for most of us too)

From: Anonymous at: 2009-11-08 16:35:38

Karmic Koala aka 9.10 is worst ever release of UBUNTU ever.

Every package has some problem or the other.  Ridiculous!  The users (first adopters) are serving as the unit testers.

Bugs are crawling all over the place.

From: anatoly pugachev at: 2010-01-18 14:43:47

Well, I suggest not to use ubuntu on servers, and my point of view is explained on my kerneltrap note , really better to use Centos or Fedora.

From: ree at: 2009-12-30 13:35:53


Jamie S. is right. Do not do it. And one thing more: I prefer 8.x LTS over 9.10


From: Anonymous at: 2010-03-09 18:51:40

You did everything, byut you should really explain on how to install and configure IspConfig...

All that you did is that you linked to their official documentation, and their official documentation is linking bacck to this tutorial and now I am lost... I did everything but i cannot install ispconfig... since there isn't a documentation on how to do it... 

From: Jamie Strandboge at: 2009-12-28 15:43:35

I noticed that this tutorial recommends to disable all of AppArmor. Unless you have a very specific need to do so, this is not recommended. The apparmor profiles shipped in Ubuntu are designed to work with the default installation. If a particular profile is causing you trouble, please disable the profile or put it in complain mode, and leave the other profiles that are not causing problems to do their jobs. Better yet, file a bug. :) See my blog entry at for details.

From: Vladimir Stanojevic at: 2010-02-25 11:57:42

Out of words of praise for the author!!!

From: at: 2010-04-28 13:39:51


Disable AppArmor framework

Systems should not generally need to have AppArmor disabled entirely. It is highly recommended that users leave AppArmor enabled and put the problematic profile into complain mode (see above), then file a bug using the procedures found in If AppArmor must be disabled (eg to use SELinux instead), users can:

sudo invoke-rc.d apparmor kill
sudo update-rc.d -f apparmor remove

On Ubuntu 8.04 (Hardy), Ubuntu 8.10 (Intrepid) and Ubuntu 9.04 (Jaunty):

sudo invoke-rc.d apparmor stop
sudo update-rc.d -f apparmor remove

Using kill with Ubuntu 8.10 or later gives the following error:

Killing AppArmor module - failed, AppArmor is builtin: Failed.

On Ubuntu 9.10 and later, you can either:

  • adjust your kernel boot command line (see /boot/grub/menul.lst for Grub or /boot/grub/grub.cfg for Grub 2) to include either

  • * 'apparmor=0'
  • * 'security=XXX' where XXX can be "" to disable AppArmor or an alternative LSM name, eg. 'security="selinux"'

  • remove the apparmor package with your package manager. Do not 'purge' apparmor if you think you might want to reenable AppArmor at a later date

From: at: 2009-12-08 07:17:34


I found out after chrooting the bind9, the status cannot be checked.


root@ns1:/etc/bind# /etc/init.d/bind9 status
 * could not access PID file for bind9

i resolved this by editing the /etc/init.d/bind9

i changed #PIDFILE=/var/run/named/ to

Where your pid file is, you may find by doing : find / -name

When found, it will show you the exact path. (To find it, bind must be running)

Good luck.

From: yuqi at: 2010-08-26 03:09:02

root@server:/etc/bind# /etc/init.d/bind9 restart
 * Stopping domain name service... bind9                                                                                                                                         rndc: connect failed: connection refused
[: 131: 2652: unexpected operator
                                                                                                                                                                          [ OK ]
 * Starting domain name service... bind9                                                                                                                                  [ OK ]
root@server:/etc/bind# /etc/init.d/bind9 status
 * bind9 is running

how i fix it


From: Dwain Blazej at: 2010-01-20 02:49:49

If you're getting this error:

 rndc: connect failed: connection refused

re-run the command:

 chown -R bind:bind /var/lib/named/etc/bind


While editing the config files, you may have accidentally made the config files unreadable by the "bind" user.

From: Kevin at: 2010-04-01 12:30:32

I have had great success in the past following the perfect server guides for Ubuntu. This time however it has been over a week of going through the steps over and over again with no luck. Maybe it is because I am setting it up on Ubuntu desktop instead of Ubuntu server, I don't know. What I do know now is this:

1. In step 10 after disabling Apparmor you need to edit the file /etc/apparmor/initramfs or it will keep trying to start up Apparmor. Comment out these lines:

set -e

. /etc/apparmor/functions

mount -n -t securityfs none "${SECURITYFS}"


2. In step 12 when installing Journaled Quota It kept giving me this error:

quotacheck: Scanning /dev/??? [/] quotacheck: lstat Cannot stat `//home/?????/.gvfs': Permission denied
Guess you'd better run fsck first !

It made it so I could not install quota properly which meant ispconfig also wouldnt install. If I rebooted I was in a world of hurt. Answer was not easy to find either cause others in the forum just ignored it like it was silly or something. Thank goodness for Melask:

Just log off from your graphical environment and switch to e.g. tty1 window with the ctrl+alt+F1 keys. Run all the commands there (after u login ofc) and u are ok.

Switch back to kde/gnome with ctrl+alt+F7


3. If you want to use Apparmor you will probably have troubles with Bind9. The fix for that is here:


Now because of this great guide and a couple of fixes here and there I am running this perfect server on an Acer laptop with Ubuntu Netbook Remix.....don't laugh....i have to find something to do.

From: Christian at: 2009-11-24 09:41:59

please, don't suggest ntpdate... upstream developers are making it obsolete. :)