Appbead Blog

How to Setup Mail Server on Debian 8 Jessie with Postfix + Dovecot (1)

Introduction

Recently, I moved my website from shared hosting to a VPS, which saves me $4 USD per month :-). Another obvious advantage is that I have full control of the server, so I can set up my own email system. With such a mail server, I can take control of my privacy and promote decentralization on the internet.

However, it is daunting to configure a full-featured mail server. I still remember that many years ago I managed to set up a mail server on a dedicated CentOS 4.x machine. Many programs were involved in that mail system: postfix, cyrus-sasl, courier-imap, courier-authlib, maildrop, postgresql, httpd, php, web-cyradm, roundcube, etc. Configuring such a complex system was full of frustration, as I did not have a clear view of it, even though I had read a few books on Postfix and several blog posts about configuring a mail server.

For a SOHO or an individual, a simple and secure email solution is acceptable. After consulting the official documentation and a few blog posts, I finally have my own mail server up and running. It took me several days to get everything done. This time, I'd like to organize my ideas about setting up a mail server and write down everything I learned, so that it will not be a pain to set everything up again in the future.

What Will We Get?

A lightweight, efficient and secure mail server with the following features:

  • Debian 8.1 + Postfix 2.11 + Dovecot 2.2 + Postgrey 1.35 + postfix-policyd-spf-python 1.3.1
  • Send and receive email from outside the server with a MUA
  • Force SSL/TLS encryption for IMAP and SMTP authentication
  • Mail accounts and passwords stored in a plain text file, with the passwords themselves encrypted (not stored in the clear)
  • Support for multiple domains
  • Support for email aliases
  • Receive email from programs running on the server
  • Basic spam filter

For your information, the mail server of appbead.com only takes about 64MB of RAM, and received 6 junk messages in its first month.

Concept in Mind

Before setting up the mail system, it's important to know how the whole mail server works and which software handles which job. Without a concept in mind, you may be very confused about what you are doing.

It took me a week to figure out how it works; the following diagram presents what I learned. The numbers on a pentagonal background show the sequence of events when sending email, and the numbers on a hexagonal background the sequence when receiving email.

[Diagram: Postfix-Dovecot]

Sending Email

When you compose a message and click the Send button in your MUA (e.g. Mozilla Thunderbird), the following events take place.

  1. The MUA uses the SMTP protocol to send an authentication request to the submission port 587 on our mail server (mx.appbead.com). The handler of that port is called an MSA; it's an smtpd process in Postfix.
  2. The MSA hands the authentication request off to Dovecot using the SASL protocol, and Dovecot's auth process is responsible for the authentication.
  3. The auth process checks the user name and password pair against the passdb (in this case a passwd-file), and returns a result indicating whether the authentication succeeded.
  4. Once the user is authenticated, the MSA queues the message.
  5. Postfix sends all messages in the queue to their destinations automatically. See the section Operation overview of Email on Wikipedia for more details.

Receiving Email

  1. The outside mail server mail.example.com queries DNS for the MX records of our domain appbead.com to get the IP of our mail server, and then uses the SMTP protocol to send the message to port 25 on our mail server. The handler of port 25 is called the MTA; it's another smtpd process in Postfix.
  2. The MTA applies all restrictions to the message to determine whether it should be rejected or relayed to the LDA. It checks access control, authenticated destination, RBL, RHSBL, SPF, Postgrey, etc.
  3. If the message is not rejected, the MTA uses the LMTP protocol to transmit it to an LDA/MDA. Here, an lmtp process of Dovecot performs the LDA/MDA task.
  4. The lmtp process queries the auth process for the recipient's mailbox information. The auth process reads the passdb and userdb to get that information.
  5. If auth returns a valid mailbox path, the message is stored in that mailbox. Otherwise, lmtp rejects the message as undeliverable, and Postfix sends a mailer-daemon message to the sender as notification.
  6. The MUA uses the IMAPS protocol to send an authentication request to the IMAPS port 993 on our mail server mx.appbead.com; the handler of that port is an imap-login process in Dovecot.
  7. The imap-login process hands the authentication request off to the auth process, which checks the passdb and returns the result to imap-login.
  8. If the authentication succeeds, the imap-login process keeps proxying the connection to an imap process. The imap process then reads messages from the mailbox and transmits them to the MUA.

Reference

http://wiki2.dovecot.org/MailServerOverview
http://wiki2.dovecot.org/Design/Processes
http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol

Prerequisites

  • A FQDN with configurable DNS records (A, MX, and TXT)
    Most domain name registrars provide a control panel to manage DNS records.
  • An SSL/TLS certificate for the mail server
    I requested a free of charge StartSSL certificate for mx.appbead.com.
  • A Debian 8 Linux server with root privilege
    It's great to have a dedicated server. However, a VPS with 256MB RAM is enough for running a mail server, and it's much cheaper. Remember to check whether it supports Debian or your favorite Linux distro.
  • A static IP with a configurable rDNS/PTR record
    Confirm that your IP is exclusive and that the ISP provides a way to configure the rDNS/PTR record. Without an rDNS/PTR record, your emails sent to Gmail/Hotmail/Yahoo will be rejected.
  • The mail ports (25, 587, and 993) are not blocked
    Choose a hosting provider carefully: some of them block all mail ports, and some expressly do NOT allow running a mail server. So read through their Terms of Service carefully before you buy.

To fulfil the last 3 requirements, I chose the $5/mo VPS plan from DigitalOcean. It provides 512MB memory, 20GB SSD disk, and 1TB transfer. As a reference, the mx.appbead.com mail server only uses 2.9GB of disk and about 64MB of memory.

Use this referral link to sign up for DigitalOcean, and you will get $10 in credit after activation.

Test Port 25

You may like to check if your outbound mail is blocked:

$ dig mx +short yahoo.com |awk -F ' '  '{print $2}'
mta6.am0.yahoodns.net.
mta5.am0.yahoodns.net.
mta7.am0.yahoodns.net.

$ telnet mta6.am0.yahoodns.net 25
Trying 98.138.112.34...
Connected to mta6.am0.yahoodns.net.
Escape character is '^]'.
220 mta1278.mail.ne1.yahoo.com ESMTP ready

If your connection times out, you're blocked.

Prepare SSL Certificate

When requesting the certificate, I used the following command to create the CSR:

$ openssl req -new -newkey rsa:2048 -nodes -keyout appbead.com.key -out appbead.com.csr

Then save the issued certificate as appbead.com.pem, and ensure it ends with a newline:

$ sed -i -e '$a\' appbead.com.pem

For OS X sed:

$ sed -i '' -e '$a\' appbead.com.pem

Without the above step, you may run into an error like this later:

imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
imap-login: Fatal: Can't load ssl_cert: error:0906D066:PEM routines:PEM_read_bio:bad end line
master: Error: service(imap-login): command startup failed, throttling for 2 secs

The free StartSSL certificate needs to be chained with the Class 1 Intermediate Server CA file. So first we download it, then create a chained certificate file (beware of the order of the chain: the server certificate comes first, followed by the intermediate), then delete the downloaded intermediate CA file:

$ wget https://www.startssl.com/certs/sub.class1.server.ca.pem
$ cat appbead.com.pem sub.class1.server.ca.pem > appbead.com.chain.crt
$ rm sub.class1.server.ca.pem

Note 1: Use the suffix .crt to avoid the file being hashed by c_rehash accidentally.
Note 2: The StartCom Root CA already ships with Debian 8; it can be found at /etc/ssl/certs/StartCom_Certification_Authority.pem and is also included in /etc/ssl/certs/ca-certificates.crt.
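As an added example (not the post's own commands), the following POSIX shell functions do the three steps above in one go, fixing a missing trailing newline, concatenating the server certificate before the intermediate, and checking the result, so that the "bad end line" error is caught before Dovecot ever sees the file. File names are placeholders; it assumes openssl, awk and mktemp are installed.

```shell
# Added example, not from the original post: build the chained certificate
# file as the post describes and sanity-check it before handing it to Dovecot.
# File names are placeholders; order is server cert first, then intermediate.

# Append a newline to FILE if its last byte is not one (what sed '$a\' does).
ensure_trailing_newline() {
    file=$1
    [ -s "$file" ] || return 1
    if [ "$(tail -c 1 "$file" | wc -l)" -eq 0 ]; then
        printf '\n' >> "$file"
    fi
}

# Concatenate the given PEM files into OUT, leaf first, fixing each part's
# line ending so that no "-----END...-----BEGIN" line is produced.
build_chain() {
    out=$1; shift
    : > "$out"
    for part in "$@"; do
        ensure_trailing_newline "$part"
        cat "$part" >> "$out"
    done
}

# Number of properly terminated certificates in a PEM file.
pem_block_count() {
    grep -c '^-----END CERTIFICATE-----$' "$1" || true
}

# Return 0 if CHAIN has at least two well-formed PEM blocks and each
# certificate is issued by the one that follows it (leaf, then CA);
# return 1 for fused END/BEGIN lines (the "bad end line" case) or wrong order.
check_chain() {
    chain=$1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$chain" || true)
    ends=$(pem_block_count "$chain")
    [ "$begins" -ge 2 ] && [ "$begins" -eq "$ends" ] || return 1
    tmp=$(mktemp -d)
    # Split the chain into 1.pem, 2.pem, ... and compare issuer/subject pairs.
    awk -v dir="$tmp" 'BEGIN{n=0} /^-----BEGIN CERTIFICATE-----$/{n++} {print > (dir "/" n ".pem")}' "$chain"
    i=1
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || { rm -rf "$tmp"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
}
```

Usage: `build_chain appbead.com.chain.crt appbead.com.pem sub.class1.server.ca.pem && check_chain appbead.com.chain.crt` replaces the bare cat and tells you immediately if the order is wrong.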

Upload the key and certificate file to the mail server:

$ scp appbead.com.{key,chain.crt} <your_user_name>@<your_host>:~/

On the server side, change the file permissions and move the files to the appropriate directories:

$ chmod 644 appbead.com.chain.crt
$ chmod 640 appbead.com.key
$ sudo chown :ssl-cert appbead.com.key
$ sudo mv appbead.com.chain.crt /etc/ssl/certs/
$ sudo mv appbead.com.key /etc/ssl/private/

Install Software

Run the following commands to install the packages:

$ sudo apt-get install dovecot-imapd dovecot-lmtpd
$ sudo apt-get install postfix postgrey postfix-policyd-spf-python

Choose the following values for the Postfix configuration:

  • General type of mail configuration: Internet Site
  • System mail name: appbead.com    <-- Replace with your domain here

After Postfix is installed, remove the Exim packages and their configuration files, since we will not use them any longer.

$ sudo apt-get purge exim4 exim4-*

Now, let's take a deep breath, then navigate to the next page to configure the mail server:

Next Page >
