Setting Up A Spam-Proof Home Email Server (The Somewhat Alternate Way) (Debian Squeeze) - Page 2

Set Up Postfix

We made sure to this point, that we have a domain name, that the domain can be hosted on a dynamic ip address and that the resolution of the domain name works from inside the lan as well as outside. Now we can put our focus on how to actually setup the mail server. The mail server usually consists of two parts. For me this was in the beginning a bit confusing and I try to explain it quickly.

One part that makes up the mail server is the MTA. The MTA in this case is postfix. It's job is to actually send emails between different servers. What MTAs (usually) don't provide is "end user access". So if you want with thunderbird to connect to your email account and check your mail or send mail, you will also need a pop3 or imap server. Their job is just the transfer of emails between you as enduser and the mailserver.

In this part we'll first setup postfix and make it ready to be used in a secured way (STARTTLS).


(1) Install the required packages

apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail

During this you'll be asked two questions:

General type of mail configuration: <-- Select "Internet Site"

System mail name: <-- Enter: "MYDOMAIN.COM"


(2) Reconfigure postfix

dpkg-reconfigure postfix

Again, you'll be asked some questions:

General type of mail configuration: <-- Select "Internet Site"

System mail name: <-- Enter: "MYDOMAIN.COM"

Root and postmaster mail recipient: <-- Leave blank

Other destinations to accept mail for (blank for none): <-- Enter: "MYDOMAIN.COM, localhost.MYDOMAIN.COM, localhost.localdomain, localhost"

Force synchronous updates on mail queue? <-- Select "No"

Local networks: <-- Leave as default

Use procmail for local delivery? <-- Select "Yes"

Mailbox size limit (bytes): <-- Enter "0"

Local address extension character: <-- Enter "+"

Internet protocols to use: <-- Select "all"


(3) Enhance the postfix configuration

Make sure to replace MYDOMAIN.COM with your domain name

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'myhostname = MYDOMAIN.COM'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'home_mailbox = Maildir/'
postconf -e 'virtual_maps = hash:/etc/postfix/virtual'
postconf -e 'mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf


(4) Generate certificates for TLS

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

A problem I've encountered on Debian Squeeze is that from the second OpenSSL generation with the previously created certificate always an error comes. It will prompt you for the password for the smtpd.key and if you enter it, you'll get an error. What I ended up doing was first to not enter passwords when asked for the one for smtpd key -> it'll just continue demainding one. Then press ctrl-c to abort and rerun it but this time I enter the password. That seems to have worked for me just fine.


(5) Adjust SASL

mkdir -p /var/spool/postfix/var/run/saslauthd

Edit /etc/default/saslauthd.

In order to activate saslauthd and set START to yes and alter options to this:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"


(6) Add postfix user to SASL group

adduser postfix sasl


(7) Creating virtual.db

touch /etc/postfix/virtual
postmap /etc/postfix/virtual

Before restarting postfix, the virtual.db must exist. For more info about it, skip ahead to the Setup Email Address Management section.


(8) Restart daemons

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart


(9) Check if it works correctly

telnet localhost 25

And enter:

ehlo localhost

You should get an output that contain STARTTLS and two times AUTH LOGIN PLAIN (one time with a "="). Exit by typing



(10) Add port 587

Edit the file /etc/postfix/ and copy this line

smtp      inet  n       -       -       -       -       smtpd 


587      inet  n       -       -       -       -       smtpd 

You have now the smtp and the 587 line there.


Set Up Outgoing SMTP

While the postfix MTA would work now just fine, there is still a problem with dynamic ip addresses. Most mailservers will not accept incoming email from a mailserver on a dynamic ip address. If you have a static ip address, you can simply skip this part.

In order to successfully send email, you can use your ISPs email server for relaying. That means postfix won't contact the recipient email server directly, but it will authenticate against your IPSs email server and send (better: relay) the email through it. It's unlikely that your ISP is blocked.

Instead of using your ISPs email server you could also relay through google and maybe even other free providers.

(1) Enhance postfix config

postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_security_options = noanonymous'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd'
postconf -e 'smtp_always_send_ehlo = yes'
postconf -e 'relayhost = SMTP.YOURISP.COM'

Of course replace SMTP.YOURISP.COM with your ISPs actual smtp server.

In some cases ISPs allow to being submitted emails from their customers only on a given port. Very often the "submission" port 587 is being used.

In that case use as relayhost the following:


The edgy brackets around SMTP.YOURISP.COM are required. Replace port with the one given by your ISP and necessarly adjust your routers portforwarding.


(2) Edit /etc/postfix/saslpasswd

And add


You usually can get an email account with your ISP. When doing so you should get also a username and password to login. The username can be the full email address or something else. Just set according login info there.


(3) Hash the saslpasswd file

postmap /etc/postfix/saslpasswd


(4) Restart postfix

/etc/init.d/postfix restart

Now all outgoing email is being sent through your ISP.


Set Up Inital Maildir

(1) Change to USER

su USER cd ~


(2) Create the Maildir folder

maildirmake.dovecot Maildir


(3) Create Maildir subfolders

maildirmake.dovecot Maildir/.Drafts
maildirmake.dovecot Maildir/.Sent
maildirmake.dovecot Maildir/.Trash
maildirmake.dovecot Maildir/.Templates

You can create more subfolders. The leading "." for the subfolder is required.

If you plan not to be the only email user on the system, then it's wise to create the structure in the /etc/skel folder also. This enables for all future generated users that they have the Maildir directly available.


(4) Change back to root and create the maildirs

maildirmake.dovecot /etc/skel/Maildir
maildirmake.dovecot /etc/skel/Maildir/.Drafts
maildirmake.dovecot /etc/skel/Maildir/.Sent
maildirmake.dovecot /etc/skel/Maildir/.Trash
maildirmake.dovecot /etc/skel/Maildir/.Templates


(5) If you already have more existing users on the system, just repeate step 1-3 for them.



Procmail is a local delivery agent. Simply said procmail can filter email based on rules. It can pre-sort them into different folders or even discard email. In the postfix setup section the groundwork for procmail filtering is already laid out. If you want to make use of serverside filtering with procmail, then do the following as actual USER and not as root.


(1) Change to USER

su USER cd ~


(2) Edit ~/.procmailrc and add


The first four lines just are some variables, don't worry about them. The next three lines indicate that all incoming email matching "*[email protected]" should be put into the SOMEONE folder. Then you have another rule for the sender MAILLIST.

Those are just two simple rules. The web is full with more examples.

Procmail seems meanwhile unmaintained and Dovecot has an own local delivery agent which also updates the according dovecot index files. I have no experience yet with it or how to set it up, hence I skip this part here. If someone is willing to enhance this howto with Dovecote LDA, please do so.

Share this page:

0 Comment(s)