How to set up a mail server

From Salix OS
Jump to: navigation, search

This mail server guide shows how to setup a small mail server on Salix, that can be used for a small group of users, e.g. a developer team or some friends. Software used in this guide consists of:

  • postfix (SMTP mail transfer agent): accepts mails from the outside world and sends mail to the outside
  • postgrey (Postfix greylisting policy server): a simple spam filter, that greylists mail.
  • dovecot (IMAP and POP3 server): delivers mail to e-mail clients
  • roundcube (webmail interface)

This guide does not aim on big installations with many users, because it uses a real Linux account for every mail account. For systems with many users you may want to use virtual mail accounts. More information can be found here. Also note that Linux accounts have full system access via ssh unless you forbid them in sshd_config or by a restricted login shell.

This guide shows how to use a encrypted TLS/SSL connection for all data, that is send over the internet.


Create TLS/SSL certificates

For encrypted communication a certificate is needed, so you have to create one. Detailed informations about creating self signed certificates can be found here. But it should be enough to do the following:

cd /root
openssl req -new -x509 -days 365 -nodes -out "example.cert" -keyout "example.key"

For web services, the Common Name field usually must exactly match the hostname of the system the certificate will be used on; otherwise, clients should complain about a certificate to hostname mismatch. The -days argument specifies how long the certificate will be valid for.


Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Salix OS
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []
Email Address []

As the .key file is private, change it's permissions:

chmod 600 example.key



Install postfix with the usual commands:

slapt-get -u
slapt-get -i postfix

Standard configuration

The official Postfix standard configuration documentation can be found here. As this is only a quick how-to there won't be much explanation about the single configuration parameters. Take a look to the official documentation if you want to know more.

Some notes before we begin:

  • The command postconf shows the currently used Postfix configuration settings
  • The command postfix reload reloads the configuration files, so you don't have to restart Postfix after changing settings
  • Postfix uses *.db databases for many config files (e.g. aliases or virtual). After editing these files you have to rebuild the databases by postmap /etc/postfix/$FILENAME)
  • Many settings are already in the config file. Search for them!
  • You can run tail -f /var/log/maillog on a second terminal to see what happens.

First thing to do is telling Postfix where it can find it's aliases file. It maps usernameX to usernameY so that mail for usernameX will be delivered to usernameY. Open the /etc/postfix/ and set:

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

Furthermore you should set an alias for root in /etc/postfix/aliases, so that root does not receive mail:

# Person who should get root's mail. Don't receive mail as root!
root:           usernameX

Run postmap /etc/postfix/aliases or newaliases after editing the files.

Now you have to set some hostname parameters. You probably just have single vServer with a single domain name, so you could set things like this:

myhostname =
mydomain = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks_style = host

I'd recommend to use the maildir format fo mailboxes. See here for informations. With this setting the mailbox will be in the users' home directory in a sub folder "Maildir":

home_mailbox = Maildir/

NOTE: Don't forget the trailing /

TLS/SSL configuration

First copy the .cert and .key file to /etc/postfix/ssl/:

cp -a /root/example.cert /etc/postfix/ssl/postfix.cert
cp -a /root/example.key /etc/postfix/ssl/postfix.key

Then tell Postfix where it cat find the certificates (in /etc/postfix/

smtpd_tls_cert_file = /etc/postfix/ssl/postfix.cert
smtpd_tls_key_file = /etc/postfix/ssl/postfix.key

And enable TLS:

smtpd_tls_security_level  = may



Install dovecot with the usual commands:

slapt-get -u
slapt-get -i dovecot

Standard configuration

Open /etc/dovecot/dovecot.conf and change some settings. As protocol you probably only want to use imap and imaps (encrypted):

protocols = imap imaps

Of course you have to tell Dovecot, where it can find the users' mailboxes:

mail_location = maildir:~/Maildir

Salix/Slackware does not use PAM, so it's important to change the authentication mechanism from pam to shadow:

auth default {
  mechanisms = plain login
    passdb shadow {
    userdb passwd {

In this example 2 authentication methods are enabled to support the majority of mail clients: plain and login. You can find more information about auth methods in this document.

TLS/SSL configuration

Copy the .cert and .key file to the subdirs in /etc/dovecot/ssl/ (note the changed suffix .pem):

cp -a /root/example.cert /etc/postfix/ssl/certs/dovecot.pem
cp -a /root/example.key /etc/postfix/ssl/private/dovecot.pem

SASL authentication in the Postfix SMTP server

To connect to your Postfix SMTP server from other hosts (e.g. from your e-mail client at home) you have to configure SASL authentication. The official documentation about this topic can be found here. There are two SASL implementations, that could be used:

  • Cyrus SASL
  • Dovecot SASL


The Postfix server in Salix repository is build with support for Dovecot SASL and as we want to use Dovecot for IMAP anyway, we'll use this SASL method.

In /etc/postfix/ you have to set:

smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

You can use the same settings for TLS-encrypted SMTP sessions:

smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

Now SASL logins are allowed, but what to do with them? You have to tell Postfix, that SASL authenticated users are allowed to send mail to every other domains. Do this by changing smtpd_recipient_restrictions from it's default:

smtpd_recipient_restrictions = 

to (note the added permit_sasl_authenticated, it has to be before the reject rule):

smtpd_recipient_restrictions = 

Please run postfix reload now.

As noted before, we are using Dovecot SASL, so Dovecot has to be configured for this and has to be running. Open /etc/dovecot/dovecot.conf and change the auth default section to:

auth default {
  mechanisms = plain login
    passdb shadow {
    userdb passwd {
    socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix

Restart Dovecot with /etc/rc.d/rc.dovecot restart. To test your SASL login, go to the official documentation and search for telnet. There is a method described how to do it.

Restrict the use of wrong e-mail addresses

SMTP clients provide the sender address along with the authentication. So the could login with it's own authentication but provide as sender address. To restrict users to their own e-mail addresses you have to add:

smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders

Furthermore the smtpd_recipient_restrictions has to be tweaked. Add reject_sender_login_mismatch:

smtpd_recipient_restrictions = 

And of course you need a file /etc/postfix/controlled_envelope_senders with following content:

# sender                owners (SASL login names)        john        mary     john, mary

This way john can send with address and, mary can send with and

To get this changes applied you have to run postmap /etc/postfix/controlled_envelope_senders and postfix reload.

Enable submission

Submission is the name of a service on port 587. It is intended to split some functionality away from SMTP standard port 25 and should help to avoid spam. Long story short the submission port should be used to receive mail from mail client's of authenticated users, while the SMTP port receives mail unauthenticated from other mail servers to deliver it to local users. Some internet service providers even start to block port 25 for home users to avoid spam. To enable the submission port in postfix you have to edit the /etc/postfix/ file. It may be a good idea to require enryption with STARTTLS for users on the submission port. The beginning of the file should look like this:

smtp       inet n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt

After editing the file run postfix reload.


Roundcube setup is pretty simple and has a good README and INSTALL file included in the tarball. Prerequisits are a running webserver, that supports php (e.g. cherokee, apache, lighttpd) and a working MySQL server.

MySQL database setup

Setting up the mysql database can be done by creating an empty database, importing the table layout and granting the proper permissions to the roundcube user. Here is an example of that procedure:

# mysql -p
> CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'password';
> quit
# mysql roundcubemail -p < SQL/mysql.initial.sql

Note 1: 'password' is the master password for the roundcube user. It is strongly recommended you replace this with a more secure password. Please keep in mind: You need to specify this password later in 'config/'.

Note 2: For MySQL version 4.1 and up, it's recommended to create the database for RoundCube with utf-8 charset.


  1. Decompress and put this folder somewhere inside your document root
  2. Make sure that the following directories (and the files within) are writable by the webserver
    • /temp
    • /logs
  3. Create a new database and a database user for RoundCube (see DATABASE SETUP)
  4. Point your browser to http://url-to-roundcube/installer/
  5. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
  6. After creating and testing the configuration, remove the installer directory
  7. Done!

Check interval

Every open Roundcube session checks for new mails in a given interval. As Roundcube is a php script, the IMAP connection only lasts for the time the script is running. So it has to login to the IMAP server for every login (desktop IMAP clients only connect once and hold the connection). This results in a log entry for every login like this:

Mar 17 13:52:51 hostname dovecot: imap-login: Login: user=<username>, method=PLAIN, rip=, lip=, secured
Mar 17 13:52:51 hostname dovecot: IMAP(username): Disconnected: Logged out bytes=71/834

To reduce server load and log entries you could increase the check interval in Search for the two values 'keep_alive' and 'min_keep_alive' and set both to 180 for a 180 seconds interval.


Install postgrey with the usual commands:

slapt-get -u
slapt-get -i postgrey

There is nothing to configure about postgrey itself, but you have to add a rule to the postfix configuration file First take a look into /etc/rc.d/rc.postgrey. There you'll find the postgrey start command beginning with

/usr/sbin/postgrey -d -i 10023 ...

In this example postgrey uses the port 10023. Now you have to add the following rule to the end of smtpd_recipient_restrictions:

smtpd_recipient_restrictions = 
       check_policy_service inet:

NOTE: Make sure to block the postgrey port from the outer world with your firewall!

Mail sorting/filtering with Sieve

Sieve is a programming language that can be used to create filters for e-mail, e.g. it is possible to automatically sort your mails from a "mailing list A" to a subfolder Mailing list/List A (read this for more information). Sieve has a nice advantage over methods like Procamail or Maildrop: With Sievemanage it is possible to set the filter rules from the mail client (e.g. KMail, Roundcube). There is no need for the users to edit files in their home directories. Dovecot provides a Sieve plugin (but not sievemanage yet, will come in version 2.0), so first install it:

slapt-get -u
slapt-get -i dovecot-sieve

To use the Sieve plugin you have to use Dovecot's deliver as LDA (local delivery agent, see this for more information) for Postfix. So first open /etc/dovecot/dovecot.conf and search for the LDA settings. Edit them like this:

protocol lda {
  postmaster_address = postmaster
  mail_plugins = sieve
  sendmail_path = /usr/sbin/sendmail

Restart your Dovecot server: /etc/rc.d/rc.dovecot restart

Then set Dovecot's deliver as your local delivery agent in Postfix' file:

mailbox_command = /usr/libexec/dovecot/deliver

Run the usual postfix reload after editing the file.

To test your setup you have to create a Sieve script in the home folder of your mail user: ~/.dovecot.sieve. Try a script that files all messages from a recipient into a folder:

require "fileinto";
if address :is "From" "" {
  fileinto "INBOX.My Freinds";

This should create a subdir My Friends in your INBOX and store all mails from there. Remember to update your IMAP folder tree in your mail client after receiving this mail.


When everything is set up it probably is a good idea to do at least some security tests. Do an internet search for "open relay test". You'll find some websites, that will test if your server is an open relay (and therefore a spammer's paradise).