Debian Admin - Your way to Debian World

February 14, 2008

Debian Mail Server Setup with Postfix + Dovecot + SASL + Squirrel Mail

by @ 12:01 am. Filed under General


Postfix is an attempt to provide an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and hopefully secure, while at the same time being sendmail compatible enough to not upset your users.

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It’s fast, simple to set up, requires no special administration and it uses very little memory.

When sending mail, the Postfix SMTP client can look up the remote SMTP server hostname or destination domain (the address right-hand part) in a SASL password table, and if a username/password is found, it will use that username and password to authenticate to the remote SMTP server. And as of version 2.3, Postfix can be configured to search its SASL password table by the sender email address.

SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.

Note: If you install only the Postfix/Dovecot mail server, you will ONLY be able to send mail within your network. You can send mail externally only if you set up SASL authentication with TLS; otherwise you get a “Relay Access Denied” error.

Install Postfix MTA (Mail Transfer Agent)

Use the following command to install Postfix in Debian

#aptitude install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules popa3d

During installation, Postfix will ask a few questions, such as the name of the server. Answer them by entering your domain name, and select Internet Site as the configuration type.

The Postfix configuration file is located at /etc/postfix/main.cf. You can edit this file with a text editor such as vi: vi /etc/postfix/main.cf

Restart Postfix Server using the following command

#/etc/init.d/postfix restart

Install Dovecot

Dovecot is a POP3/IMAP server that needs an MTA such as Postfix to work properly.

#aptitude install dovecot-imapd dovecot-pop3d dovecot-common

Dovecot configuration file is located at: /etc/dovecot/dovecot.conf

Before we proceed, we need to make some changes to the Dovecot configuration file. Double-check that the following entries in the file have the values shown.

Edit the Dovecot configuration file using the following command

#vi /etc/dovecot/dovecot.conf

# Available protocols: imap imaps pop3 pop3s
protocols = pop3 imap
# Uncomment this and change it to no. With no, Dovecot accepts
# plaintext logins even on connections that are not encrypted.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv

Now, create a user to test our POP3 mail with Outlook:

#adduser user_name

Note: Always create a separate user to test your mail or ftp.

Restart Dovecot using the following command

#/etc/init.d/dovecot restart

Now you can use Outlook Express to test whether your new mail server is working. Just enter the user name and password in Outlook.

Remember that you will NOT be able to send email outside your network; you will only be able to send within your domain or local network. If you attempt to send external email, you get a “relay access denied” error from Outlook Express. However, you should have no problems receiving your email in Outlook. In order to send external email you will need to configure SASL authentication as described below.

Configure SASL Authentication with TLS

SASL (Simple Authentication and Security Layer) with TLS (Transport Layer Security) is used mainly to authenticate users before they send email to an external server, thus restricting relay access. If your relay server is left open, spammers can use your mail server to send spam, so it is essential to protect your mail server from misuse.

Let us set up SMTP authentication for our users with Postfix and Dovecot.

Edit the Postfix configuration file /etc/postfix/main.cf and add the following lines to enable authentication of our users

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = yourdomain.com
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous

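Postfix runs chrooted under /var/spool/postfix, so it cannot reach the saslauthd socket directory /var/run/saslauthd. Create the directory inside the chroot and link it back: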

#rm -r /var/run/saslauthd/

#mkdir -p /var/spool/postfix/var/run/saslauthd

#ln -s /var/spool/postfix/var/run/saslauthd /var/run

#chgrp sasl /var/spool/postfix/var/run/saslauthd

#adduser postfix sasl

On the Dovecot side you also need to specify the Dovecot authentication daemon socket. In this case we specify an absolute pathname. See the Postfix manual for details.

Edit the /etc/dovecot/dovecot.conf file

#vi /etc/dovecot/dovecot.conf

Look for the line that starts with auth default and insert the lines below before it.

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

Now rename the previous auth default section to auth default2. If you don't rename it, the Dovecot server will give you an error like multiple instances of auth default.

Now restart all of the following components of the mail server

#/etc/init.d/saslauthd restart

#/etc/init.d/postfix restart

#/etc/init.d/dovecot restart

Test whether your mail server works with Outlook Express. Configure a user with a user name (without @domain) and make sure that you select "My server requires authentication". Under Settings, select "same as incoming mail server".

Note:
1. If you don't enable "My server requires authentication" in Outlook, you cannot send emails to external recipients and you get a relay access denied error.
2. Do not use the root login to log in to your mail server.
3. Don't forget to create a new user before you authenticate using Outlook.
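
The following is an added example, not part of the original article: a shell audit of a main.cf for the relay and SASL settings used above. The function names and finding labels are illustrative, and it reads a file rather than calling any Postfix tool. The last check reflects that Postfix uses Cyrus SASL unless smtpd_sasl_type says otherwise.

```shell
# Added example; function names are illustrative, not Postfix tools.
# Strip comments and join continuation lines (leading whitespace).
flatten_main_cf() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         /^[ \t]/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1"
}

# Print the value of parameter $2 in file $1 (last assignment wins).
get_param() {
    flatten_main_cf "$1" | awk -v key="$2" '
        { eq = index($0, "="); if (!eq) next
          name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
          if (name == key) { val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) } }
        END { print val }'
}

# Print one finding per line; return 1 if anything was found.
audit_main_cf() {
    f=$1; rc=0
    [ "$(get_param "$f" smtpd_sasl_auth_enable)" = yes ] ||
        { echo "sasl-auth-disabled"; rc=1; }
    case " $(get_param "$f" smtpd_recipient_restrictions | tr ',' ' ') " in
        *" reject_unauth_destination "*) ;;
        *) echo "no-reject_unauth_destination"; rc=1 ;;
    esac
    case " $(get_param "$f" smtpd_sasl_security_options | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) echo "anonymous-allowed"; rc=1 ;;
    esac
    # Postfix defaults to Cyrus SASL; the Dovecot auth socket is only
    # consulted when smtpd_sasl_type = dovecot.
    [ "$(get_param "$f" smtpd_sasl_type)" = dovecot ] ||
        { echo "dovecot-socket-unused"; rc=1; }
    return $rc
}

# Constructed sample: the four main.cf lines from this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = yourdomain.com
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
EOF
audit_main_cf "$sample" || true   # prints: dovecot-socket-unused
rm -f "$sample"
```

On a live server, the output of postconf -n saved to a file can be passed to audit_main_cf in place of main.cf.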

Forwarding Mails

Ever wondered how to forward your mail, especially if you are a webmaster managing a number of sites? You might need to forward any email sent to your primary email address. It's that easy: just create a .forward file in your home directory and insert the list of email addresses, separated by commas, to which you want your mail forwarded.

Log in as the user and type

echo 'destination_email_address' > .forward

or you can use vi to create the .forward file. Just delete the .forward file if you don't want any forwarding.

Installing Squirrel Web Mail

Before installing Squirrel Web Mail you need to make sure you have installed apache2 with PHP support

#aptitude install apache2

#aptitude install libapache2-mod-php5 php5-cli php5-common php5-cgi

#aptitude install squirrelmail

The SquirrelMail configuration files are located in the /etc/squirrelmail/ folder. By default all settings are preloaded.

# Run squirrelmail configuration utility as ROOT
/usr/sbin/squirrelmail-configure

Now we want to set up SquirrelMail to run under Apache. Edit the Apache configuration file /etc/apache2/apache2.conf and insert the following line

Include /etc/squirrelmail/apache.conf

Restart the webserver using the following command

#/etc/init.d/apache2 restart

Access your webmail using the following link

http://yourdomain or server ip/squirrelmail

Create a separate local user and log in as that new user.

Mail Server Logs

Always refer to the log at /var/log/mail.log to identify what the problem is before you start troubleshooting.


12 Responses to “Debian Mail Server Setup with Postfix + Dovecot + SASL + Squirrel Mail”

  1. Insder Says:

    In regards to the section on editing dovecot.conf for auth
    “auth default {
    mechanisms = plain login
    passdb pam {
    }
    userdb passwd {
    }
    socket listen {
    client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
    }”
    needs to have two more } signs so that it will not fail.

    The exact line should be:
    “auth default {
    mechanisms = plain login
    passdb pam {
    }
    userdb passwd {
    }
    socket listen {
    client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
    }
    }
    }”
    Caused me many a headache :[

  2. Admin Says:

    nice catch and i have updated the article

  3. archer Says:

    what about to add spamassassin to this configuration? :)

  4. Admin Says:

    yes you can try this http://www.debianadmin.com/how-to-filter-spam-with-spamassassin-and-postfix-in-debian.html

  5. Amras86 Says:

    Why does Outlook Express fail to work after enabling SASL? Whenever I try to Send/Receive mail, I get a prompt to enter a user name and password that I am assuming is checking for the Outgoing Mail Server authentication. It worked fine with Postfix and Dovecot installed, but after enabling SASL it stopped. I followed this tutorial exactly. Any ideas?

  6. Amras86 Says:

    Never mind, apparently it's a problem with Outlook Express, I used Office Outlook and all is well. Good tutorial :D

  7. PaoloS Says:

    I have the same issue like Amras86. Everything worked until SASL enabled. I tried to use Outlook instead of Outlook Express but result is the same (outlook shows me dialog to enter username and password). Help, please!

    Thanks a lot.

    PaoloS

  8. Leonard Says:

    Well …I’ve checked and rechecked … It seems to be a problem with the sasldb2 … the log (at /var/log/mail.log) says exactly
    “warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory”

    But the file, of course, is there. That’s the problem I see … dk if there is any other.

    Now, it’s too late, I’m too tired and wanna go to bed.

    Hope that the Debian Admin can solve this.

    Despite this error, It’s a really nice guide, and I’m happy that I’ve found it.

    Thanks! … Hope you answer soon.

  9. Tomas V Says:

    I found a solution for your problem, Leonard. Two lines are missing in /etc/postfix/main.cf:
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    Strange, for others the configuration works as described in this howto?

  10. Leonard Says:

    Tomas … thanks for the answer.
    With the things you added, everything went ok.

    I’ll leave you some things that happened to me in the process.

    The idea of these comments is to help you make a perfect (or at least the best it can be) guide. Below is the list of the unexpected and unexplained things.

    Thanks again for this simple guide.

    At the first step, exim4, exim4-base and exim4-config are recommended to be removed. (I removed them)

    At the second step, popa3d is recommended to be removed. (DK for sure, but I removed it)

    Then, when editing /etc/dovecot/dovecot.conf it appears

    # If you only want to use dovecot-auth, you can set this to “none”.
    #protocols = imap imaps

    and not pop3 pop3s

    When restarting dovecot for the first time, it gives you a warning saying that it’s fixing permissions, I guess that’s ok.

    When executing rm -r /var/run/saslauthd/ it says that the directory doesn’t exist.

    Another kinda warning that appears is
    “To enable saslauthd, edit /etc/default/saslauthd and set START=yes”
    Changed it to yes

  11. Jeff Says:

    A couple things…

    The proper Postfix configuration is given at

    http://www.postfix.org/SASL_README.html#server_dovecot

    and is much the same as Thomas V noted.

    Linking *out* of jail is just asking for trouble. The whole reason programs chroot is to (try to) prevent access to “more sensitive” parts of the filesystem.

    These two taken in concert suggest that the reason the outlined approach works is that it is using saslauthd, not dovecot’s SASL.

  12. Jeff Says:

    Several ways around

    Note : If you install Postfix/Dovecot mail server you will ONLY be able to send mail within your network. You can only send mail externally if you install SASL authentication with TLS. As otherwise you get “Relay Access Denied” error.

    as well. See
    http://www.postfix.org/SMTPD_ACCESS_README.html
    for details beyond the quick outline in
    http://www.postfix.org/SASL_README.html

    In order to allow mail relaying by authenticated remote SMTP clients:

    /etc/postfix/main.cf:
    smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

    On the issue with M$ clients not behaving nicely, the Postfix SASL page covers that as well:

    Older Microsoft SMTP client software implements a non-standard version of the AUTH protocol syntax, and expects that the SMTP server replies to EHLO with “250 AUTH=mechanism-list” instead of “250 AUTH mechanism-list”. To accommodate such clients (in addition to conformant clients) use the following:

    /etc/postfix/main.cf:
    broken_sasl_auth_clients = yes
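
The two AUTH reply forms quoted in the last comment can be told apart in a captured EHLO reply. The following is an added example, not part of the original article or its comments: the function name and the sample reply (including the host name mail.example.com) are constructed, and the reply is read from standard input rather than from a live server.

```shell
# Added example; the function name and sample reply are constructed.
# Summarise what an SMTP server's EHLO reply (stdin) says about AUTH:
#   syntax    standard ("AUTH mechs"), legacy ("AUTH=mechs"), both, none
#   mechs     advertised mechanisms, in first-seen order
#   starttls  whether STARTTLS is offered in the same reply
ehlo_auth_report() {
    awk '
        { sub(/\r$/, "") }            # replies end in CRLF on the wire
        !/^250[- ]/ { next }          # only EHLO success lines
        { kw = toupper(substr($0, 5)) }
        kw == "STARTTLS" { tls = "yes" }
        kw ~ /^AUTH[ =]/ {
            if (substr(kw, 5, 1) == "=") legacy = 1; else std = 1
            n = split(substr(kw, 6), m, " ")
            for (i = 1; i <= n; i++)
                if (!(m[i] in seen)) {
                    seen[m[i]] = 1
                    mechs = mechs (mechs ? "," : "") m[i]
                }
        }
        END {
            syn = "none"
            if (std && legacy) syn = "both"
            else if (std) syn = "standard"
            else if (legacy) syn = "legacy"
            printf "syntax=%s mechs=%s starttls=%s\n", syn,
                   (mechs ? mechs : "-"), (tls ? tls : "no")
        }'
}

# Constructed reply, shaped like a server that advertises both forms.
ehlo_auth_report <<'EOF'
250-mail.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
EOF
# prints: syntax=both mechs=PLAIN,LOGIN starttls=yes
```

PLAIN and LOGIN appearing in a reply captured before STARTTLS means the server accepts those credentials on an unencrypted session.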
