Full Mail Server Solution w/ Virtual Domains & Users (Debian Etch, Postfix, Mysql, Dovecot, DSpam, ClamAV, Postgrey, RBL) - Page 11

B. Secure Postfix+TLS

To begin with, we need to install Postfix on secure-mail.example.com. This particular install doesn't need quota support (it doesn't handle local delivery), but to keep things simple we're going to install it the same way we did above:

# dpkg -i postfix_2.3.8-2_i386.deb
# dpkg -i postfix-mysql_2.3.8-2_i386.deb

If the auto-configuration asks you questions about Postfix during the installation, just select "No Configuration".

dpkg is going to install all of the configuration files for Postfix into /etc/postfix, so go there, and create the file main.cf:

# cd /etc/postfix
# touch main.cf

The main.cf file can be edited in two ways. You can use your favorite text editor, or you can use the built-in Postfix tool postconf. We've already used postconf once to determine our version in subsection IV.A above.

The real benefit of the postconf tool is that it has some built-in error checking, and it eliminates the possibility of 'weirdness' due to carriage returns, line feeds, odd quotes, etc. We'll be using it in this guide, but it is not required.

Start by filling in the basic information:

# postconf -e 'myhostname = secure-mail.example.com'
# postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)'
# postconf -e 'biff = no'
# postconf -e 'append_dot_mydomain = no'
# postconf -e 'myorigin = example.com'
# postconf -e 'inet_interfaces = all'
# postconf -e 'local_recipient_maps ='
# postconf -e 'local_transport = error:local mail delivery is disabled'
# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, reject'

You'll notice that this time we disabled local delivery. Since this is basically just an outbound relay server, we don't want it trying to 'deliver' any mail... just send it forward. We also set the SMTP server to only permit SASL authenticated sessions, and reject any other sessions.

Now we'll want to fill in the information for SASL (SMTP Authentication). This does NOT encrypt the connection, it just requires the users to log in:

# postconf -e 'smtpd_sasl_auth_enable = yes'
# postconf -e 'smtpd_sasl_security_options = noanonymous'
# postconf -e 'broken_sasl_auth_clients = yes'
# postconf -e 'smtpd_sasl_type = dovecot'
# postconf -e 'smtpd_sasl_path = private/auth'

So now your Postfix install will query Dovecot for all of its authentication needs, but it's still not encrypted. Let's go ahead and change that...

# postconf -e 'smtpd_tls_cert_file = /etc/ssl/example.com/mailserver/mail-cert.pem'
# postconf -e 'smtpd_tls_key_file = /etc/ssl/example.com/mailserver/mail-key.pem'
# postconf -e 'smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache'
# postconf -e 'smtpd_tls_security_level = encrypt'
# postconf -e 'smtpd_tls_received_header = no'
# postconf -e 'smtpd_tls_loglevel = 0'
# postconf -e 'tls_random_source = dev:/dev/urandom'

Go ahead and reload postfix...

# postfix reload
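
To confirm that main.cf really ended up with the relay, SASL and TLS settings applied above, the following check can be run against it. This is an added example, not part of the original guide; the function name audit_relay_conf and the sample fragment are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Reads main.cf text on stdin,
# prints one FAIL line per problem, returns non-zero if any were found.
audit_relay_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function fail(msg) { print "FAIL " msg; bad++ }
    function want(k, v) {
        if (val[k] != v) fail(k ": expected \"" v "\", found \"" val[k] "\"")
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]/ {                                 # continuation of previous value
        if (key != "") val[key] = val[key] " " trim($0)
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = trim(substr($0, 1, eq - 1)); val[key] = trim(substr($0, eq + 1))
    }
    END {
        want("smtpd_tls_security_level", "encrypt")   # TLS is mandatory
        want("smtpd_sasl_auth_enable", "yes")
        want("smtpd_sasl_type", "dovecot")
        want("smtpd_sasl_path", "private/auth")
        if ((" " val["smtpd_sasl_security_options"] " ") !~ /[ ,]noanonymous[ ,]/)
            fail("smtpd_sasl_security_options: noanonymous missing")
        if (val["smtpd_tls_cert_file"] == "" || val["smtpd_tls_key_file"] == "")
            fail("smtpd_tls_cert_file/smtpd_tls_key_file: not set")
        # Any extra permit_* ahead of reject widens who may relay.
        rr = val["smtpd_recipient_restrictions"]; gsub(/[ \t,]+/, " ", rr)
        if (rr != "permit_sasl_authenticated reject")
            fail("smtpd_recipient_restrictions: found \"" rr "\"")
        # Heuristic: a prefix built only from the letters of "smtpd" that is
        # neither smtp nor smtpd is almost certainly a typo. Postfix accepts
        # unknown names as user-defined parameters, so a reload still succeeds.
        for (k in val) {
            p = k; sub(/_.*/, "", p)
            if (k ~ /_/ && p ~ /^[smtpd]+$/ && p != "smtp" && p != "smtpd")
                fail(k ": prefix \"" p "\" looks like a misspelling of smtpd")
        }
        exit (bad > 0)
    }'
}

# Constructed sample fragment: opportunistic TLS and a transposed name.
SAMPLE_MAIN_CF='smtpd_tls_security_level = may
smptd_tls_received_header = no'
printf '%s\n' "$SAMPLE_MAIN_CF" | audit_relay_conf || true
```

On the relay itself, run it as audit_relay_conf < /etc/postfix/main.cf; no output and exit status 0 mean every check passed.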

And then let's get Dovecot up and running...

5 Comment(s)


From: at: 2008-03-27 06:06:28

Hi Vector,

I would just like to know how the mail gets transferred from the MX's to the delivery server (postman). I'm trying to understand how this full mail server setup works because I would like to implement something similar to this but using CentOS and LDAP users.

From: Stefan at: 2008-11-01 18:07:49

There is no explanation on how the mail is actually transferred from the MX server to the Mail Delivery Server. Using the steps in the guide will make the MX server try to deliver the mail directory into the NFS shared vmail folder, which isn't the desired behaviour.

From: Matt at: 2009-06-15 13:16:16

"NOTE: This is a temporary setup, just because we hadn't finished the DSPAM virtual user install prior to writing this guide. Ideally, you'd want DSPAM looking at the same virtual user table as Postfix in order to get all the token information stored correctly. I'll update the guide as soon as we've completed that change-over."

Has this been updated anywhere? Can anyone shed some light on what changes should be made?


From: mbsouth at: 2009-09-10 10:02:01

Would be nice to have an updated howto (based on this one) with Debian Lenny, Postfix 2.5(6), Dovecot 1.1(2) on three nodes (2xSMTP Postfix, 1x Dovecot IMAP/POP3)


From: at: 2007-11-15 20:55:15

Heads up when using the configuration examples for the mailbox path. Since maildir:/vmail/%d/%u is used in dovecot.conf, you should do the same in dovecot-sql.conf.

Such as:

# Get the mailbox
user_query = SELECT '/vmail/%d/%u' AS home, 'maildir:/vmail/%d/%u' AS mail, 150 AS uid, 8 AS gid, CONCAT('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
# Get the password
password_query = SELECT username AS user, password, '/vmail/%d/%u' AS userdb_home, 'maildir:/vmail/%d/%u' AS userdb_mail, 150 AS userdb_uid, 8 AS userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'

Otherwise mail is delivered to /vmail/domain/user@domain and then IMAP checks /vmail/domain/user.

Or change dovecot.conf to maildir:/vmail/%d/%n if you prefer the latter.