Servers 101: Emailify your server - Part 2 (Setting up postfix)

in #tutorial, 7 years ago

In the previous part of "Emailify your server", we installed our packages and created the MySQL database we need for authentication. Naturally, we have to configure all our software before putting it to use!


In this part...


We will configure postfix. Dovecot will be configured in the next part, otherwise the post would get very long! As in the previous part, we need root access (sudo su).

Setting up postfix

First step: create a backup copy of the original config file. You can find it here: /etc/postfix/main.cf

(If you are too lazy to type the copy command, here it is: cp /etc/postfix/main.cf /etc/postfix/main.cf.bak)


Open up for editing and first change...

I'm gonna use nano, as always! We need to make a few changes, such as specifying our server's hostname (mail.example.com) as well as setting the default domain (if you host more than one domain, choose one of them, it doesn't matter which one).

nano /etc/postfix/main.cf

Your file won't look exactly like this... This is what we need it to look like. You can do the changes line by line, OR you can copy/paste this into notepad, do the changes I describe below, empty the /etc/postfix/main.cf (you already know how, right? ;) ) and paste the final result inside.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_tls_cert_file=/etc/dovecot/dovecot.pem
smtpd_tls_key_file=/etc/dovecot/private/dovecot.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes

#Enabling SMTP for authenticated users, and handing off authentication to Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = hostname.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = example.com, hostname.example.com, localhost.example.com, localhost
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

#Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp

#Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
        mysql:/etc/postfix/mysql-virtual-email2email.cf

We need to change any "example.com" reference to our default domain. Also, we have to change the line reading "myhostname = ..." to our mailserver's hostname. In the previous part, I set the hostname to mail.example.com, so the line must read "myhostname = mail.example.com".

By the end of this post, the mysql: lookups on the virtual_* lines at the bottom of the file will allow us to use our MySQL database for authentication!

Save and exit the file.
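The settings in this file that decide who may relay through the server, and whether passwords can be sent without TLS, can be checked with a short script. This is an added example, not part of the original post; the function names and the constructed sample are assumptions, and on a live server `postconf -n` prints the effective values.

```shell
#!/bin/sh
# Added example (not from the original post): audit the main.cf settings
# that control relaying and protect credentials. Names are illustrative.
# param_value FILE NAME: print the last value assigned to NAME, joining
# continuation lines (lines that start with whitespace) as Postfix does.
param_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^[ \t]/ { sub(/^[ \t]+/, ""); if (cur != "") val[cur] = val[cur] " " $0; next }
        { eq = index($0, "="); cur = ""
          if (eq == 0) next
          cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
          v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val[cur] = v }
        END { print val[want] }' "$1"
}

# audit_main_cf FILE: print one line per finding; return 1 if there are any.
audit_main_cf() {
    f=$1; rc=0
    [ "$(param_value "$f" smtpd_tls_auth_only)" = yes ] ||
        { echo "smtpd_tls_auth_only is not yes: AUTH offered without TLS"; rc=1; }
    case " $(param_value "$f" smtpd_recipient_restrictions | tr ',' ' ') " in
        *" reject_unauth_destination "*) ;;
        *) echo "reject_unauth_destination missing: possible open relay"; rc=1 ;;
    esac
    set -f                      # keep "[::1]/128" from being globbed
    for net in $(param_value "$f" mynetworks | tr ',' ' '); do
        case $net in
            127.*|"[::1]"*|"[::ffff:127."*) ;;
            *) echo "mynetworks trusts non-loopback network: $net"; rc=1 ;;
        esac
    done
    set +f
    return "$rc"
}

# Constructed sample: the relevant lines of the main.cf shown in the post.
sample_main_cf() {
    cat <<'EOF'
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
EOF
}
tmp=$(mktemp) && sample_main_cf > "$tmp"
audit_main_cf "$tmp" && echo "main.cf: no findings"; rm -f "$tmp"
```

On the server itself, run `audit_main_cf /etc/postfix/main.cf` after saving the file.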


Setting up the virtual_mailbox_domains file

For this part as well as the next 3 parts, we will have to put our MySQL password in the files. If you followed my previous post and changed only the password and the domains, then all you need to change here is the password.

Our email domains reside on the table "virtual_domains" of our database named "mailserver". Username is "mailuser".

nano /etc/postfix/mysql-virtual-mailbox-domains.cf

Inside this file paste the following lines:

user = mailuser
password = changeme
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_domains WHERE name='%s'

REMEMBER TO CHANGE THE PASSWORD!

Save and exit!


Setting up the virtual_mailbox_maps file

This file holds the connection to our defined and allowed users, on the table "virtual_users".

nano /etc/postfix/mysql-virtual-mailbox-maps.cf

Inside this file paste the following lines:

user = mailuser
password = changeme
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_users WHERE email='%s'

REMEMBER TO CHANGE THE PASSWORD!

Save and exit!


Setting up the virtual_alias_maps file

virtual_alias_maps is split across 2 files. The first file holds the connection to the aliases table, from which our mailserver will check where the email should go.

Our aliases reside on the table "virtual_aliases" of our database named "mailserver".

nano /etc/postfix/mysql-virtual-alias-maps.cf

Inside this file paste the following lines:

user = mailuser
password = mailuserpass
hosts = 127.0.0.1
dbname = mailserver
query = SELECT destination FROM virtual_aliases WHERE source='%s'

REMEMBER TO CHANGE THE PASSWORD!

Save and exit!


Setting up the virtual_alias_maps second file

Last but not least, the second virtual_alias_maps file holds the connection to our users table, to check if the address really exists and forward the email from the alias.

nano /etc/postfix/mysql-virtual-email2email.cf

Inside this file paste the following lines:

user = mailuser
password = mailuserpass
hosts = 127.0.0.1
dbname = mailserver
query = SELECT email FROM virtual_users WHERE email='%s'

REMEMBER TO CHANGE THE PASSWORD!

Save and exit!


Restart postfix

We now have to restart postfix, in order to apply our changes!

service postfix restart

Verify if our configuration works correctly!

We will now run 3 tests to check if everything works as it should!

Run this command by changing "example.com" to your main domain (the one you added on the first line when we were adding domains to our database)

postmap -q example.com mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

You should get 1 as a result. If you used a different domain, you would get a different number. If an error or nothing is returned, something went wrong in the configuration, so try doing the steps above again.

Running this command, after changing "user@example.com" to one of the emails you specified in the previous part, will help us see if this step was also configured correctly.

postmap -q user@example.com mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf

You should get a number in return.

Last, but not least, we have to check our aliases! As always, specify an actual alias instead of "alias@example.com".

postmap -q alias@example.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf

The result should be the destination email of the alias.


A few more changes!

We also have to enable smtps (secure smtp) and uncomment a few lines as well. To do this, create a copy of /etc/postfix/master.cf (no cheat this time, please do it yourself!), and then open it for editing:

nano /etc/postfix/master.cf



This is what the beginning of the file looks like.

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

You have to uncomment (remove the # in front of each line) all the lines from "submission inet n" to the last "-o milter_macro_daemon_name=ORIGINATING" (22 lines in total). This will enable secure smtp.

Save and exit!
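Removing 22 comment markers by hand is easy to get wrong, so here is one way to script the edit and confirm which services end up active. This is an added example, not part of the original post; the function names are assumptions and the sample is a constructed, shortened excerpt of the file shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Names are illustrative.
# uncomment_services FILE: print FILE with the "submission" and "smtps"
# entries, and the "-o" option lines that belong to them, uncommented.
# Every other line, commented or not, is passed through unchanged.
uncomment_services() {
    awk '
        /^#(submission|smtps)[ \t]+inet[ \t]/ { blk = 1; sub(/^#/, ""); print; next }
        blk && /^#[ \t]+-o[ \t]/               { sub(/^#/, ""); print; next }
        { blk = 0; print }' "$1"
}

# active_services FILE: list the service names that are not commented out.
active_services() {
    awk '/^[A-Za-z]/ { printf "%s%s", sep, $1; sep = " " } END { print "" }' "$1"
}

# Constructed excerpt of the master.cf from the post (option lines abridged).
sample_master_cf() {
    cat <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
#smtpd     pass  -       -       y       -       -       smtpd
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
EOF
}
f=$(mktemp) && sample_master_cf > "$f"
uncomment_services "$f" > "$f.new"
echo "before: $(active_services "$f")"
echo "after:  $(active_services "$f.new")"
rm -f "$f" "$f.new"
```

Against the real file, write the output to a new file and compare it with the backup copy using diff before replacing /etc/postfix/master.cf.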


Wrapping it up!

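We have to make the postfix directory, as well as the files inside, accessible only to the owning user and group, by removing all permissions for other users. The mysql-*.cf files we created hold the database password in plain text, so this will increase the security a little bit.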

chmod -R o-rwx /etc/postfix

and then, restart postfix for the final time on this post!

service postfix restart
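To confirm that the permission change took effect and that no lookup file still carries one of the sample passwords used in this post, a check like the following can be run. This is an added example, not part of the original post; the function name and the demo directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Names are illustrative.
# audit_map_files DIR: flag Postfix MySQL lookup files in DIR that other
# users can read, or that still carry a sample password from this post.
# Prints one line per finding and returns 1 if there are any.
audit_map_files() {
    dir=$1; rc=0
    for f in "$dir"/mysql-*.cf; do
        [ -f "$f" ] || continue
        # -perm -004 matches when the "other" read bit is set
        if [ -n "$(find "$f" -prune -perm -004)" ]; then
            echo "$f: readable by other users"; rc=1
        fi
        if grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*(changeme|mailuserpass)[[:space:]]*$' "$f"; then
            echo "$f: sample password still in place"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo directory standing in for /etc/postfix.
demo=$(mktemp -d)
printf 'user = mailuser\npassword = changeme\n' > "$demo/mysql-virtual-mailbox-domains.cf"
printf 'user = mailuser\npassword = constructed-value\n' > "$demo/mysql-virtual-alias-maps.cf"
chmod 644 "$demo"/mysql-*.cf
echo "before chmod:"; audit_map_files "$demo" || echo "findings above"
chmod -R o-rwx "$demo"          # the command from the post
echo "after chmod:";  audit_map_files "$demo" || echo "findings above"
rm -rf "$demo"
```

On the server, run `audit_map_files /etc/postfix`; no output means the files are closed to other users and none of them holds a sample password.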

That's it for now. Postfix is now configured, and in the next part we will configure dovecot!


