This is a guide for setting up a mail server with a MySQL backend for users and domains, using Dovecot as the IMAP server, Postfix as the MTA and SpamAssassin for spam filtering, all with SSL client-server encryption.

I'll also assume you have a MySQL server ready for use.

This guide was written for these versions on Debian 5.0.3 (Lenny):

  • Postfix 2.5.5-1.1
  • Dovecot 1.01.15-2.3
  • SASL Auth Server 2.1.22
  • SpamAssassin 3.2.5-2

This should also work for any Debian derivatives such as Ubuntu.

Updates

29/11/2009 - Fixed SASL location/permissions for postfix

MySQL

Create a new user and database, either through phpMyAdmin or using the SQL below.

It is best to use a randomly generated password for this, for example from a utility such as pwgen (which may need to be installed).

    CREATE USER 'maildb'@'localhost' IDENTIFIED BY 'mailpassword';
    CREATE DATABASE IF NOT EXISTS `maildb` ;
    GRANT ALL PRIVILEGES ON `maildb`.* TO 'maildb'@'localhost';

Make a note of the mailpassword, as you will need it later.

Download and change maildb.sql:

  • Change the admin password
  • Change your initial domain name
  • Set the initial email address and password (must be CRYPT format).

To generate CRYPT passwords, run:

    perl -e 'print(crypt("<password>","<salt>")."\n");'

The salt must be 2 random characters.

Import the maildb.sql to your server either through phpMyAdmin or via the following.

Command Line: mysql maildb -u root -p < maildb.sql
SQL : source /dir/to/maildb.sql

Your MySQL database is now ready to use!

SASL

Install needed packages: apt-get install libsasl2-2 libsasl2-modules sasl2-bin

Edit /etc/default/saslauthd:

    ...
    START=yes
    ...
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Set up the saslauthd run directory:

    mkdir -p /var/spool/postfix/var/run/saslauthd
    chgrp sasl /var/spool/postfix/var/run/saslauthd

Add postfix to the sasl group:

    adduser postfix sasl

Start SASL: /etc/init.d/saslauthd start

Postfix

Install needed packages: apt-get install postfix postfix-mysql
Choose Internet Site when installing postfix.

Stop postfix: /etc/init.d/postfix stop

Install this main.cf file to /etc/postfix and alter it as necessary (instructions are within; only the SSL cert location and hostname need to be changed).

Create the directory /etc/postfix/mysql, install the files from postfix-mysql.zip into it and alter each cf file to use the password for the maildb MySQL user.

Put the following into a new file at /etc/postfix/sasl/smtpd.conf:

    saslauthd_path: /var/run/saslauthd/mux
    pwcheck_method: saslauthd
    mech_list: plain login
    allow_plaintext: true
    auxprop_plugin: mysql
    sql_hostnames: 127.0.0.1
    sql_user: maildb
    sql_passwd: <maildb-password>
    sql_database: maildb
    sql_select: select password from users where email = '%u'

Create the mail directory:

    mkdir /var/mail/vdomains
    chown mail:mail /var/mail/vdomains
    chmod g+w /var/mail/vdomains

Add postfix to the mail group: adduser postfix mail

Secure your files:

    chown postfix:postfix /etc/postfix/*.cf
    chown -R postfix:postfix /etc/postfix/mysql
    chown postfix:postfix /etc/postfix/sasl
    chmod -R o-r /etc/postfix/mysql # deny read access to your mysql password
    chmod o-r /etc/postfix/sasl/smtpd.conf

Start postfix: /etc/init.d/postfix start

netstat -tapn should show these 2 lines:

    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      nnnn/master
    tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      nnnn/master

To verify it's working, run: telnet mail.yourdomain.com 25

After the server sends: 220 mail.yourdomain.com ESMTP Postfix biff = no

Reply with: EHLO example.com

The server will then send:

    250-mail.yourdomain.com
    250-PIPELINING
    250-SIZE 20971520
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

Don't worry that there is no AUTH line; it is only presented after the client starts encryption with the server.

You can change this by running the command: postconf -e smtpd_tls_auth_only=no and restarting the server: /etc/init.d/postfix restart
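
The check described above can be scripted. This is an added example, not part of the original guide: it classifies an EHLO reply by whether AUTH is advertised before encryption, which is what smtpd_tls_auth_only controls. The function names and the second sample reply are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Classify an EHLO reply (read from stdin) by when AUTH is offered:
#   tls-only-auth  STARTTLS offered, AUTH hidden until the session is encrypted
#   auth-in-clear  AUTH offered on the unencrypted session; PLAIN and LOGIN
#                  (the mech_list above) only base64-encode the password
#   no-starttls    neither AUTH nor STARTTLS offered
classify_ehlo() {
    tr -d '\r' | awk '
        /^250[- ]/ {
            if (++n == 1) next            # first 250 line is the greeting
            kw = toupper(substr($0, 5))   # drop the "250-" / "250 " prefix
            sub(/[ =].*/, "", kw)         # keep the keyword only
            if (kw == "STARTTLS") tls = 1
            if (kw == "AUTH") auth = 1
        }
        END {
            if (auth) print "auth-in-clear"
            else if (tls) print "tls-only-auth"
            else print "no-starttls"
        }'
}

# Reply shown in this guide (smtpd_tls_auth_only left enabled).
sample_tls_only() {
    printf '%s\r\n' '250-mail.yourdomain.com' '250-PIPELINING' \
        '250-SIZE 20971520' '250-VRFY' '250-ETRN' '250-STARTTLS' \
        '250-ENHANCEDSTATUSCODES' '250-8BITMIME' '250 DSN'
}

# Constructed reply: the same server after smtpd_tls_auth_only=no.
sample_auth_in_clear() {
    printf '%s\r\n' '250-mail.yourdomain.com' '250-PIPELINING' \
        '250-STARTTLS' '250-AUTH PLAIN LOGIN' '250 DSN'
}

echo "guide default:          $(sample_tls_only | classify_ehlo)"
echo "smtpd_tls_auth_only=no: $(sample_auth_in_clear | classify_ehlo)"
```

To run it against a saved telnet session, pipe the captured reply into classify_ehlo.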

Dovecot

Install needed packages: apt-get install dovecot-imapd

Stop Dovecot: /etc/init.d/dovecot stop

Change /etc/dovecot/dovecot.conf to:

    ## Dovecot configuration file
    protocols = imap imaps
    log_path = /var/log/mail.err
    info_log_path = /var/log/mail.log
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    ssl_listen = 0.0.0.0
    ssl_disable = no
    ssl_cert_file = /etc/ssl/imapd.crt
    #ssl_cert_file = /etc/ssl/imapd.pem ## for chained certs
    ssl_key_file = /etc/ssl/imapd.key
    verbose_ssl = no
    login_greeting = Dovecot IMAP Server Ready.
    first_valid_uid = 8
    last_valid_uid = 8
    first_valid_gid = 8
    last_valid_gid = 8

    auth default {
      mechanisms = plain login
      passdb sql {
        args = /etc/dovecot/sql.conf
      }
      userdb sql {
        args = /etc/dovecot/sql.conf
      }
    }

Add the sql configuration to /etc/dovecot/sql.conf:

    driver = mysql
    connect = host=/var/run/mysqld/mysqld.sock dbname=maildb user=maildb password=<maildb-password>
    default_pass_scheme = CRYPT
    password_query = SELECT email as user, password FROM users WHERE email = '%u' AND active = 1
    user_query = SELECT 'maildir:/var/mail/vdomains/%d/users/%n/Maildir/' as mail, 8 as gid, 8 as uid FROM users WHERE email='%u'

Although the user_query doesn't actually return anything from the database, it is required to make sure the email account exists.

Add dovecot to the mail group: adduser dovecot mail

Secure the configuration:

    chown dovecot:dovecot /etc/dovecot/*
    chmod o-r /etc/dovecot/sql.conf
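
To confirm that the "Secure your files" step for Postfix and the "Secure the configuration" step here took effect, the following added example (not part of the original guide) lists files that still expose the maildb password to other users. The function name is hypothetical, and the `password = ...` form for the Postfix MySQL map files is an assumption, since the contents of postfix-mysql.zip are not shown here.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Print every file under the given paths that is readable by "other"
# and contains a database password setting in one of these forms:
#   password = ...        Postfix MySQL map files (assumed standard layout)
#   sql_passwd: ...       /etc/postfix/sasl/smtpd.conf
#   ... password=...      connect line in /etc/dovecot/sql.conf
leaky_credential_files() {
    find "$@" -type f -perm -004 2>/dev/null |
    while IFS= read -r f; do
        # password_query and "select password from" do not match:
        # the keyword must be followed by "=" or ":".
        if grep -Eq '(^|[[:space:]])(password|sql_passwd)[[:space:]]*[=:]' \
            "$f" 2>/dev/null
        then
            echo "$f"
        fi
    done
}

# Directories used in this guide; prints nothing once o-r is applied.
leaky_credential_files /etc/postfix/mysql /etc/postfix/sasl /etc/dovecot
```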

Start Dovecot: /etc/init.d/dovecot start

Verify using a mail client or simply running: telnet mail.yourdomain.com 143

netstat -tapn should show these 2 lines:

    tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      nnnn/imap-login
    tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      nnnn/imap-login

SpamAssassin

Install needed packages: apt-get install spamassassin

Edit /etc/default/spamassassin:

Change ENABLED=0 to ENABLED=1
And CRON=0 to CRON=1

Change the options to:

    HOMEDIR="/var/lib/spamassassin"
    OPTIONS="-m 3 -u spamd -g spamd -x -i 127.0.0.1 -H ${HOMEDIR}"

Options Explained

  • -m 3 will create 3 child processes to process spam
  • -u and -g will force SpamAssassin to run as user spamd
  • -x disables user configuration
  • -i binds to localhost
  • -H sets where SpamAssassin will keep its learnt spam and ham rules

Create a new spamd user:

    adduser --system --home /var/lib/spamassassin --group --disabled-login spamd

Edit /etc/postfix/master.cf to process incoming mail through SpamAssassin:

    smtp      inet  n       -       -       -       -       smtpd
            -o content_filter=spamd

Add the content filter spamd to the end of the file:

    spamd     unix  -       n       n       -       -       pipe
       user=nobody argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Start SpamAssassin: /etc/init.d/spamassassin start

netstat -tapn should show this line:

    tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      nnnnn/spamd.pid

Notes

  • A new email account must receive an email before it can be used. This forces Postfix to create the user's mail directory; otherwise Dovecot cannot find it.
  • You'll have to work out your own way of managing the database, either through phpMyAdmin or your own custom solution.

END

You should now have a fully functional mail server running, enjoy!

I hope you found this guide useful. If I've omitted something or got the details wrong, please correct me through the comments :)