Install and Configure Postfix

A working email server has two essential components: a Mail Transfer Agent (MTA) and a Mail Delivery Agent (MDA). Postfix is the Mail Transfer Agent: it sends email from the server and receives email addressed to it.

Install Postfix

Installing Postfix is a bit curious. You install Postfix (accepting the default options) and then run a program to configure it (where you make a number of important choices).

sudo apt-get install postfix
sudo dpkg-reconfigure postfix
Mail server configuration type: Internet Site
System mail name: mail.istarelworkshop.com
Root and postmaster mail recipient: webmaster@istarelworkshop.com
Other destinations to accept mail for: mail.istarelworkshop.com,
    istarelworkshop.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? No
Local networks: 127.0.0.0/8
Mailbox size limit (bytes): 0
Local address extension character: +
Internet protocols to use: all

There are two key questions asked during the reconfiguration: the destinations being accepted for mail, and the local networks. For my server, the local network is the standard "127.0.0.0/8", the loopback range, which in practice means only 127.0.0.1 (the server itself). For a setup where the server is part of (say) an office network and acts as the mail gateway to the internet, the network parameter might look quite different; every host in the local networks is allowed to relay mail through the server without authenticating (see permit_mynetworks in the restrictions below), so keep the list as narrow as possible. The destinations response seems to follow a common pattern: mail.mydomain.com, mydomain.com, localhost.localdomain, localhost.

Authentication Configuration

Those first steps took care of the initial configuration. I now want to define the parameters needed by the Mail Delivery Agent (I will be using Dovecot) and prepare Postfix to use authentication. Postfix provides a command-line tool, postconf, to modify its configuration file, /etc/postfix/main.cf.

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'

Create Digital Certificates

In order for secure authentication to work, there must be certificates to establish the identity of the mail server. Using openssl, you can create so-called self-signed certificates. For email, this is perfectly acceptable.

sudo openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 2048
Enter pass phrase for smtpd.key: secret
Verifying - Enter pass phrase for smtpd.key: secret
sudo chmod 600 smtpd.key
sudo openssl req -new -key smtpd.key -out smtpd.csr
Enter pass phrase for smtpd.key: secret
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Georgia
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Istarel Workshop LLC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
A challenge password []: another secret
An optional company name []: Istarel Workshop LLC
sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
Enter pass phrase for smtpd.key: secret
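sudo openssl rsa -in smtpd.key -out smtpd.key.unencrypted
Enter pass phrase for smtpd.key: secret
sudo mv -f smtpd.key.unencrypted smtpd.key
sudo openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365
Enter PEM pass phrase: secret
Verifying - Enter PEM pass phrase: secret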
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Georgia
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Istarel Workshop LLC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

Configure Postfix with Certificates

Now that the certificates have been created and moved to appropriate locations, I have to ensure Postfix has the information it needs to use TLS encryption for both incoming and outgoing email.

sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_use_tls = yes'
sudo postconf -e 'smtpd_use_tls = yes'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = mail.istarelworkshop.com'

Postfix needs to be restarted for these changes to be recognized.

sudo /etc/init.d/postfix restart
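
A small audit of the resulting main.cf, added here as an example (it is not part of the original tutorial). It checks whether SMTP AUTH can happen before STARTTLS and which networks may relay without authenticating; the function names, finding labels and the 192.0.2.0/24 office network in the sample are constructed for illustration.

```shell
# Added example: audit AUTH/TLS/relay settings set explicitly in a main.cf (built-in defaults are not consulted).

# Print the value file $1 sets for parameter $2. main.cf syntax: "#" lines are comments,
# a line starting with whitespace continues the previous one, the last definition wins.
param() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comment or blank line
        /^[ \t]/ { if (cur != "") { sub(/^[ \t]+/, ""); val[cur] = val[cur] " " $0 }
                   next }
        { eq = index($0, "="); if (eq == 0) { cur = ""; next }
          cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
          v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); val[cur] = v }
        END { v = val[want]; sub(/[ \t]+$/, "", v); print v }
    ' "$1"
}

# Print one finding per line for main.cf file $1 (no output means no finding).
audit() {
    f=$1; level=$(param "$f" smtpd_tls_security_level)
    if [ "$(param "$f" smtpd_sasl_auth_enable)" = yes ] && [ "$level" != encrypt ]; then
        if [ "$level" != may ] && [ "$(param "$f" smtpd_use_tls)" != yes ]; then
            echo "AUTH_NO_TLS: SASL AUTH is enabled but STARTTLS is not offered"
        elif [ "$(param "$f" smtpd_tls_auth_only)" != yes ]; then
            echo "AUTH_CLEARTEXT: smtpd_tls_auth_only is not yes; AUTH is accepted before STARTTLS"
        fi
    fi
    case "$(param "$f" smtpd_recipient_restrictions)" in *permit_mynetworks*)
        param "$f" mynetworks | tr ', ' '\n\n' | while read -r net; do
            case $net in
                '' | 127.* | '[::1]'* | '[::ffff:127.'*) ;;   # blank or loopback
                *) echo "RELAY_NET: $net relays without AUTH via permit_mynetworks" ;;
            esac
        done ;;
    esac
    return 0
}

# Constructed sample: the tutorial's settings plus a hypothetical office LAN.
sample_main_cf() {
    cat <<'EOF'
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,reject_unauth_destination
EOF
}
tmp=$(mktemp) && sample_main_cf > "$tmp" && audit "$tmp"; rm -f "$tmp"
```

After sourcing the functions, run audit /etc/postfix/main.cf on the server. With the settings from this page it reports AUTH_CLEARTEXT until smtpd_tls_auth_only is set to yes.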