• Home
  • Tags
  • RSS
  • About
  • simple email setup

    Timestamp:
    Tags: config debian

    I was unable to find a good place that describes how to create a simple self-hosted email setup. The most surprising discovery was, how much already works after:

    apt-get install postfix dovecot-imapd
    

    Right after having finished the installation I was able to receive email (but only in in /var/mail in mbox format) and send email (bot not from any other host). So while I expected a pretty complex setup, it turned out to boil down to just adjusting some configuration parameters.

    Postfix

    The two interesting files to configure postfix are /etc/postfix/main.cf and /etc/postfix/master.cf. A commented version of the former exists in /usr/share/postfix/main.cf.dist. Alternatively, there is the ~600k word strong man page postconf(5). The latter file is documented in master(5).

    /etc/postfix/main.cf

    I changed the following in my main.cf

    @@ -37,3 +37,9 @@
     mailbox_size_limit = 0
     recipient_delimiter = +
     inet_interfaces = all
    +
    +home_mailbox = Mail/
    +smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination permit_sasl_authenticated
    +smtpd_sasl_type = dovecot
    +smtpd_sasl_path = private/auth
    +smtp_helo_name = my.reverse.dns.name.com
    

    At this point, also make sure that the parameters smtpd_tls_cert_file and smtpd_tls_key_file point to the right certificate and private key file. So either change these values or replace the content of /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key.

    The home_mailbox parameter sets the default path for incoming mail. Since there is no leading slash, this puts mail into $HOME/Mail for each user. The trailing slash is important as it specifies ``qmail-style delivery’’ which means maildir.

    The default of the smtpd_recipient_restrictions parameter is permit_mynetworks reject_unauth_destination so this just adds the permit_sasl_authenticated option. This is necessary to allow users to send email when they successfully verified their login through dovecot. The dovecot login verification is activated through the smtpd_sasl_type and smtpd_sasl_path parameters.

    I found it necessary to set the smtp_helo_name parameter to the reverse DNS of my server. This was necessary because many other email servers would only accept email from a server with a valid reverse DNS entry. My hosting provider charges USD 7.50 per month to change the default reverse DNS name, so the easy solution is, to instead just adjust the name announced in the SMTP helo.

    /etc/postfix/master.cf

    The file master.cf is used to enable the submission service. The following diff just removes the comment character from the appropriate section.

    @@ -13,12 +13,12 @@
     #smtpd     pass  -       -       -       -       -       smtpd
     #dnsblog   unix  -       -       -       -       0       dnsblog
     #tlsproxy  unix  -       -       -       -       0       tlsproxy
    -#submission inet n       -       -       -       -       smtpd
    -#  -o syslog_name=postfix/submission
    -#  -o smtpd_tls_security_level=encrypt
    -#  -o smtpd_sasl_auth_enable=yes
    -#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -#  -o milter_macro_daemon_name=ORIGINATING
    +submission inet n       -       -       -       -       smtpd
    +  -o syslog_name=postfix/submission
    +  -o smtpd_tls_security_level=encrypt
    +  -o smtpd_sasl_auth_enable=yes
    +  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    +  -o milter_macro_daemon_name=ORIGINATING
     #smtps     inet  n       -       -       -       -       smtpd
     #  -o syslog_name=postfix/smtps
     #  -o smtpd_tls_wrappermode=yes
    

    Dovecot

    Since above configuration changes made postfix store email in a different location and format than the default, dovecot has to be informed about these changes as well. This is done in /etc/dovecot/conf.d/10-mail.conf. The second configuration change enables postfix to authenticate users through dovecot in /etc/dovecot/conf.d/10-master.conf. For SSL one should look into /etc/dovecot/conf.d/10-ssl.conf and either adapt the parameters ssl_cert and ssl_key or store the correct certificate and private key in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, respectively.

    The dovecot-core package (which dovecot-imapd depends on) ships tons of documentation. The file /usr/share/doc/dovecot-core/dovecot/documentation.txt.gz gives an overview of what resources are available. The path /usr/share/doc/dovecot-core/dovecot/wiki contains a snapshot of the dovecot wiki at http://wiki2.dovecot.org/. The example configurations seem to be the same files as in /etc/ which are already well commented.

    /etc/dovecot/conf.d/10-mail.conf

    The following diff changes the default email location in /var/mail to a maildir in ~/Mail as configured for postfix above.

    @@ -27,7 +27,7 @@
     #
     # <doc/wiki/MailLocation.txt>
     #
    -mail_location = mbox:~/mail:INBOX=/var/mail/%u
    +mail_location = maildir:~/Mail
     
     # If you need to set multiple mailbox locations or want to change default
     # namespace settings, you can do it by defining namespace sections.
    

    /etc/dovecot/conf.d/10-master.conf

    And this enables the authentication socket for postfix:

    @@ -93,9 +93,11 @@
       }
     
       # Postfix smtp-auth
    -  #unix_listener /var/spool/postfix/private/auth {
    -  #  mode = 0666
    -  #}
    +  unix_listener /var/spool/postfix/private/auth {
    +    mode = 0660
    +    user = postfix
    +    group = postfix
    +  }
     
       # Auth process is run as this user.
       #user = $default_internal_user
    

    Aliases

    Now Email will automatically put into the ‘~/Mail’ directory of the receiver. So a user has to be created for whom one wants to receive mail…

    $ adduser josch
    

    …and any aliases for it to be configured in /etc/aliases.

    @@ -1,2 +1,4 @@
    -# See man 5 aliases for format
    -postmaster:    root
    +root:       josch
    +postmaster: josch
    +hostmaster: josch
    +webmaster:  josch
    

    After editing /etc/aliases, the command

    $ newaliases
    

    has to be run. More can be read in the aliases(5) man page.

    Finishing up

    Everything is done and now postfix and dovecot have to be informed about the changes. There are many ways to do that. Either restart the services, reboot or just do:

    $ postfix reload
    $ doveadm reload
    

    SPF

    $ apt-get install postfix-policyd-spf-python
    

    /etc/postfix/main.cf

    policy-spf_time_limit = 3600s
    

    /etc/postfix/master.cf

    policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf

    DNS TXT record with value:

    v=spf1 ip4:62.75.219.19 -all
    

    /etc/postfix-policyd-spf-python/policyd-spf.conf

    debugLevel = 1 
    defaultSeedOnly = 1
    
    HELO_reject = SPF_Not_Pass
    Mail_From_reject = Fail
    
    PermError_reject = False
    TempError_Defer = False
    
    skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128
    

    FIXME: the skip_addresses field should also list all hosts that I get email forwarded from. For example if I get my josch@debian.org email forwarded to this server, then I should list the debian.org mail relay servers. A list of these can be found by doing:

    ldapsearch -x -LLL -b dc=debian,dc=org -h db.debian.org 'purpose=mail relay' ipHostNumber
    

    Otherwise, senders with an SPF record with only their own IP and a final -all will see their mail rejected by the server. This is because the email was forwarded by the debian.org relay but that IP was not in their SPF record.

    DKIM

    $ apt-get install opendkim opendkim-tools
    $ mkdir /etc/mail
    $ cd /etc/mail
    $ opendkim-genkey -t -s mail -d mister-muffin.de
    $ cat mail.txt
    

    /etc/opendkim.conf

    Domain mister-muffin.de KeyFile /etc/mail/mail.private Selector mail Canonicalization relaxed/relaxed

    /etc/default/opendkim

    SOCKET=“inet:8891@localhost”

    /etc/postfix/main.cf

    milter_default_action = accept milter_protocol = 2 smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891

    $ service opendkim restart
    $ service postfix restart