Install and Configure Postfix
A working email server has two essential components: a Mail Transfer Agent (MTA) and a Mail Delivery Agent (MDA). Postfix is a Mail Transfer Agent: it sends email out from the server and receives email addressed to it.
Install Postfix
Installing Postfix is a bit curious. You install Postfix (accepting the default options) and then run a program to configure it (where you make a number of important choices).
sudo apt-get install postfix
sudo dpkg-reconfigure postfix

Mail server configuration type: Internet Site
System mail name: mail.istarelworkshop.com
Root and postmaster mail recipient: webmaster@istarelworkshop.com
Other destinations to accept mail for: mail.istarelworkshop.com, istarelworkshop.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? No
Local networks: 127.0.0.0/8
Mailbox size limit (bytes): 0
Local address extension character: +
Internet protocols to use: all
There are two key questions asked during the reconfiguration: the destinations for which mail is accepted, and the local networks. For my server, the local network is the standard "127.0.0.0/8", the loopback range, which really means only the server itself. Hosts in the local networks are trusted to relay mail through the server, so keep the list as narrow as the setup allows. For a setup where the server is part of (say) an office network and acts as the mail gateway to the internet, the network parameter might look quite different. The destinations response seems to follow a common pattern: mail.mydomain.com, mydomain.com, localhost.localdomain, localhost.
Authentication Configuration
Those first steps took care of the initial configuration. I now want to define parameters needed by the Mail Delivery Agent (I will be using Dovecot), and prepare Postfix to use authentication. Postfix also provides a command line executable, postconf, to modify its configuration file, /etc/postfix/main.cf.

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'
Create Digital Certificates
In order for secure authentication to work, there must be certificates to establish the identity of the mail server. Using openssl, you can create so-called self-signed certificates. For email, this is perfectly acceptable.
sudo openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 2048

Enter pass phrase for smtpd.key: secret
Verifying - Enter pass phrase for smtpd.key: secret

sudo chmod 600 smtpd.key
sudo openssl req -new -key smtpd.key -out smtpd.csr

Enter pass phrase for smtpd.key: secret
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Georgia
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Istarel Workshop LLC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
A challenge password []: another secret
An optional company name []: Istarel Workshop LLC
sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
Enter pass phrase for smtpd.key: secret
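Postfix cannot prompt for a pass phrase when it starts, so the key it loads must be the unencrypted copy. The steps below create that copy, put it in place of the protected key, and then create the CA key and certificate (cakey.pem and cacert.pem) that are moved into place at the end.

sudo openssl rsa -in smtpd.key -out smtpd.key.unencrypted

Enter pass phrase for smtpd.key: secret

sudo mv -f smtpd.key.unencrypted smtpd.key
sudo openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 365

Enter PEM pass phrase: secret
Verifying - Enter PEM pass phrase: secret
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Georgia
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Istarel Workshop LLC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/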
Configure Postfix with Certificates
Now that the certificates have been created and moved to appropriate locations, I have to ensure Postfix has the information it needs to use TLS encryption for both incoming and outgoing email. With smtpd_tls_auth_only set to no, as it is here, Postfix also accepts authentication on connections that have not started TLS; set it to yes to accept credentials only over encrypted sessions.

sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_use_tls = yes'
sudo postconf -e 'smtpd_use_tls = yes'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = mail.istarelworkshop.com'
Postfix needs to be restarted for these changes to be recognized.
sudo /etc/init.d/postfix restart
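
After the restart, the relay and authentication settings chosen above can be checked in one pass. The script below is an added example, not part of the original tutorial: the function names get_param and audit_postfix, the finding labels, and the SAMPLE text (constructed from the values set on this page) are all assumptions made for illustration.

```shell
# Added example (not from the original tutorial): audit the effective
# Postfix settings for the relay and authentication choices made above.
# Input is "name = value" text as printed by `postconf`.

# get_param TEXT NAME: print the last value assigned to NAME.
get_param() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# audit_postfix TEXT: print one finding per line, nothing if clean.
audit_postfix() {
    cfg=$1
    if [ "$(get_param "$cfg" smtpd_sasl_auth_enable)" = "yes" ]; then
        # With smtpd_tls_auth_only != yes, AUTH is offered before STARTTLS,
        # so passwords can cross the network unencrypted.
        [ "$(get_param "$cfg" smtpd_tls_auth_only)" = "yes" ] ||
            echo "AUTH_WITHOUT_TLS"
        case "$(get_param "$cfg" smtpd_sasl_security_options)" in
            *noanonymous*) ;;
            *) echo "ANONYMOUS_SASL" ;;
        esac
    fi
    # In this tutorial's rule list, reject_unauth_destination is what stops
    # unauthenticated outside clients from relaying. (Newer Postfix can also
    # enforce this in smtpd_relay_restrictions, which is not checked here.)
    case "$(get_param "$cfg" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "NO_RELAY_CHECK" ;;
    esac
    # permit_mynetworks trusts every listed network; flag non-loopback ones.
    get_param "$cfg" mynetworks | tr ', ' '\n\n' | while read -r net; do
        case "$net" in
            ""|127.*|"[::1]"*|"[::ffff:127."*) ;;
            *) echo "TRUSTED_NETWORK $net" ;;
        esac
    done
}

# Constructed sample holding the values this tutorial sets.
SAMPLE='mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination'

audit_postfix "$SAMPLE"    # prints AUTH_WITHOUT_TLS
# On a live server: audit_postfix "$(postconf)"
```
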