Postfix & Dovecot

Postfix

To install Postfix with SMTP-AUTH and TLS, first install the postfix by doing these commands.

apt-get install postfix
dpkg-reconfigure postfix

Fill the following details when asked: (System mail name your Domain)

General type of mail configuration: Internet Site
System mail name: ronald.patan.t311
Root and postmaster mail recipient:
Other destinations for mail: ronald.patan.t311, patan.t311, localhost.patan.t311, localhost
Force synchronous updates on mail queue: No
Local networks: 127.0.0.0/8
Yes doesn't appear to be requested in current config
Mailbox size limit (bytes): 0
Local address extension character: +
Internet protocols to use: all

To configure the mailbox format for Maildir:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

The new mail Directory is in /home/username/Maildir so you will need to configure your Mail Delivery Agent to use the same path.

Configure Posfix with SMTP AUTH Using SASL. Run this commands in command line.

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
Edit /etc/postfix/sasl/smtpd.conf and add these lines to it.
pwcheck_method: saslauthd
mech_list: DIGEST-MD5

Generate the TLS encryption certification.

touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
mv smtpd.key /etc/ssl/private/
mv smtpd.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/

Edit /etc/postfix/main.cf to do TLS encryption for both incoming and outgoing mail:

# TLS parameters
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandomsmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Your main.cf file should look like this.

# TLS parameters
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandomsmtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = ronald.patan.t311
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ronald.patan.t311, patan.t311, localhost.patan.t311, localhost
relayhost =
mailbox_command =
home_mailbox = Maildir/
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.1.1.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
#allmailbox_command =
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_header_checks = regexp:/etc/postfix/headercheck

Restart Postfix daemon

service postfix restart

Authentication

The next steps are to configure Postfix to use SASL for SMTP AUTH. 51

apt-get install libsasl2-2 sasl2-bin libsasl2-modules

First we edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes, add the PWDIR, PARAMS, and PIDFILE lines and edit the OPTIONS line at the end:

# This needs to be uncommented before saslauthd will be run automatically
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"
# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
#OPTIONS="-c"
#make sure you set the options here otherwise it ignores params above and will not work
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Next, we update the dpkg “state” of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:

dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

This may report an error that “–update given” and the “/var/spool/postfix/var/run/saslauthd” directory does not exist. You can ignore this because when you start saslauthd next it will be created.

Finally, start saslauthd:

/etc/init.d/saslauthd restart

To remove the IP from the mail header the following lines were added in a file and linked in main.cf file.

/^Received: .*Authenticated sender.*/m IGNORE
/^X-192.168.8.115:/ IGNORE
/^Received:.*[192.168.[0-9]*.[0-9]*/ IGNORE
/^s*User-Agent/ IGNORE
/^s*X-Enigmail/ IGNORE
/^s*X-Mailer/ IGNORE
/^s*X-Originating-IP/ IGNORE
/^s*User-Agent/ IGNORE
/^s*X-Enigmail/ IGNORE
/^s*X-Mailer/ IGNORE

To test a mail, follow these commands.

telnet localhost 25
ehlo localhost
mail from: root@localhost
rcpt to: ronald@localhost
data
Subject: My first mail on Postfix
Hi, Are you there?
regards, Admin
.
quit

Check mail for ronald

su ronald
mail

Dovecot

apt-get install dovecot-imapd dovecot-pop3d

Edit /etc/dovecot/dovecot.conf and add these lines at the bottom of the file.

protocols = imap imaps pop3 pop3s
pop3_uidl_format = %08Xu%08Xv
mail_location = Maildir/

Pre-create the Maildir for future users:

maildirmake.dovecot /etc/skel/Maildir
maildirmake.dovecot /etc/skel/Maildir/.Drafts
maildirmake.dovecot /etc/skel/Maildir/.Sent
maildirmake.dovecot /etc/skel/Maildir/.Trash
maildirmake.dovecot /etc/skel/Maildir/.Templates

Then, for an existing user:

cp -r /etc/skel/Maildir /home/ronald/
chown -R ronald:ronald/home/ronald/Maildir
chmod -R 700 /home/ronald/Maildir

Restart dovecot using

service dovecot restart

To test it, if you see dovecot was seccessfull you will see message like this when running telnet localhost 110.

root@ronald:~# telnet localhost 110
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.

Pop3

telnet localhost 110
user ronald
root@ronald:~# telnet ronald.patan.t311 110
Trying 127.0.1.1...
Connected to ronald.patan.t311.
Escape character is '^]'.
+OK Dovecot ready.
user ronald
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

IMAP

telnet localhost 143
a1 login ronald password
root@ronald:~# telnet ronald.patan.t311 143
Trying 127.0.1.1...
Connected to ronald.patan.t311.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
a1 login ronald password
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

Leave a Reply

Your email address will not be published.