Howto/Setup Postfix + dovecot sasl + dovecot imaps + maildir + virtual accounts + mysql + postfixadmin + PositiveSSL certificate + Roundcube on Ubuntu 10.04
This howto attemps to document the steps I took to get my email server up and running using, as the title suggests, the Postfix SMTP server with authentication provided by dovecot SASL, the dovecot imaps (imap over SSL) server for client access, maildir storage of virtual accounts, the mysql database for storing account information, postfixadmin for managing virtual accounts, domains and aliases via a web interface, a PostiveSSL certificate for trusted encryption and Roundcube for a pretty webmail user interface.
The motivations for this guide
Setting up an email server on a fresh install of Ubuntu is THE step I dread the most, by far. The first time I did it was in 2009, a good 5+ years after having been introduced to Linux and setting up my first server. In my mind, I remember it taking me the better part of a week and even then I never got it fully working the way I wanted.
For one, I was authenticating SMTP connections using Cyrus-SASL which necessitated periodic restarts (/etc/init.d/saslauthd restart) via cron otherwise it would suddenly refuse authentication requests (the process would still be running but would simply refuse valid requests). Second, my valid Postive SSL certificates were being detected as untrusted requiring clients to force an exception when using imaps and stmps. Lastly, stmps refused to connect via SSL (like Google, Yahoo and my university's imap servers), accepting only TLS connections.
These last two points, it turns out, are quite easy to fix, following the yesterday's experience. The first point, however, I still do not know the solution to and do not care anymore because, as I will describe shortly, I have switched to Dovecot-SASL and do not intend on looking back.
The second and most recent time setting up the email server on a fresh Ubuntu install, as documented next, took me a full day and a half to resolve all issues in order to achieve my near perfect email setup. Near perfect because I am still missing a backup MX server where mail could pool whenever the main server goes offline. I hope to address this last point when I have more time.
- smtp on port 25
- smtps on port 465
- dovecot imaps server on port 993
- no pop3, no pop3s, no imap
- vmail user with uid 5000 (may need to be created with useradd)
- mail group with gid 8 (should be already created)
- maildir at /mnt/Remote1/Other/maildir (chown -R vmail:mail)
- mysql server on default port
- smtp(s) and imaps servers all on the same server: interpause.com
- PositiveSSL certificate for interpause.com in /etc/ssl/curr/ssl.crt
- PositiveSSL key for interpause.com in /etc/ssl/curr/ssl.key
- username includes domain ie. firstname.lastname@example.org as opposed to just andrew.phan
- A standard home router that requires port forwarding
The steps, from memory
Note 1: The following steps have been written from my memory, therefore some parts are vague, missing or wrong. The purpose of the following is for me to be able to easily recreate the server on a fresh install of Ubuntu. I regret if I cannot help you but you may always write me an email suggesting improvements or corrections that I may or may not add below.
Note 2: It is likely that some files or config settings are either extra, redundant or contradictory. The are several reasons for this. First, I tried many things to get the server working the way I wanted so it is likely that some useless stuff are left over from previous failed attempts. Second, I switched from Cyrus SASL to Dovecot SASL so, again, possible duplicates there as well.
Install the necessary packages
This list is most likely incomplete but should help get started.
sudo apt-get install dovecot-postfix postfix postfix-mysql dovecot-common dovecot-imapd php5-mysql
Prepare SSL certificate
- Place bundled SSL certificates in PEM format in /etc/ssl/curr/ssl.crt/dovecot.pem and key in /etc/ssl/curr/ssl.key/dovecot.pem
- bundled or chanined SSL certificates should follow the order specified by http://wiki.dovecot.org/SSL/DovecotConfiguration
- FYI, the first time I installed the email server I only placed the interpause.com certificate as opposed to the BUNDLED certificate which is why I would get untrusted encryption errors.
- Dovecot pem file order
- Issuing CA cert
- Issuing CA CRL
- Intermediate CA cert
- Intermediate CA CRL
- Root CA cert
- Root CA CRL
- Comodo PositiveSSL example pem file order 1:
- Comodo PositiveSSL example pem file order 2:
- Create a database user
- Create two databases: postfix and roundcubemail
- Check that the database user has sufficient privileges to modify the two databases.
Configure Postfix and Postfixadmin
- You may or may not find the info at the following links helpful:
- Use postfixadmin to populate the necessary tables in the postfix database
- Edit postfix config files in /etc/postfix/. I have configured Postfix to access the Mysql server as well the dovecot sasl socket via the chroot private/auth file. Attached below are files that I have modified in some way.
- FYI, the line in master.cf that says wrappermode=yes is to allow smtps connections over SSL instead of TLS (I didn't know this the first time I installed the email server).
- In addition, create the following files for postfix to access the data in the database. NOTE: I am not sure if this is still necessary with Dovecot SASL which uses a file socket (?), but I know it was necessary with Cyrus SASL. So this might be one of the aforementioned relics from the previous setup. If any case, go to https://wiki.frugalware.org/index.php/Virtual_Users_and_Domains_with_Postfix_and_MySQL for more details on each. Note that the info at the link places all files in the /etc/postfix folder whereas I have placed 6 of mine in /etc/postfix/sql. It does not matter as long as it is properly specificed in main.cf. Note also that the user and password fields must be the user that has access to the postfix database.
For Dovecot version 1
- Again, you may or may not find the info at the following link helpful: http://postfixmail.com/blog/index.php/postfixadmin-on-ubuntu-9-10/
- Dovecot needs to 1) make itself available to Postfix via a socket, at private/auth, for sasl authentication, 2) access the sql server to check passwords and what not, 3) handle imaps client access. Here are a bunch of files I modified in some way.
For Dovecot version 2
Todo: Update howto
Forward necessary ports through router
- Each router is different, but Google is a good friend.
- Forward the following TCP ports through the router to email server: 25 for smtp, 465 for smtps and 993 for imaps
Test the email server
You should have a working setup now but I know the chances of this are slim due to the large number of configuration parameters and components. All I can say is good luck. Anyways, here's what you can do to test it.
- Create an email account using postfixadmin
- Confirm that the user has been created by checking the database (I use the phpMyAdmin web interface) but you may use a command-line client.
- Send yourself an email from another email server such as yahoo mail to the newly created email account.
- Confirm that you have received the email, in my case it appears in /mnt/Remote1/Other/Maildiremail@example.com/new/
- Check the logs for any errors /var/log/mail.log and /var/log/mail.err
- If all went well, use an imaps email client such as Mozilla Thunderbird and add a new mail client. In my case, username: firstname.lastname@example.org, password: mypassword, server: interpause.com, imaps port: 993, SSL encryption. You should be able to load the email that was sent to yourself from the other email server. Try sending an email. Refer to the logs in case of problems.
- If you've managed to get this far, the rest is almost trivial so I won't go into any details. If you require details, Google is a good friend.
- Check database config settings and imap server settings. Use roundcube setup script to populate the tables. Since this was for me an upgrade, I had to use the upgrade script roundcube/bin/installto.sh in order update the tables in the database and check for obsolete configuration parameters.