Migrating Exim4/Courier to Postfix/Dovecot; issues receiving mail/security.

July 19, 2015 901 views
Email Firewall Security Debian

Hi Everyone,

I'm trying to migrate an Exim4/Courier install to Postfix/Dovecot and I'm having a lot of trouble. I've read all of the DO guides, and plenty of others, but the differences in configuration files, commands, and setups make it very difficult to migrate settings.

Here's what I need to accomplish:

  • Multiple domains
  • Multiple email addresses
  • Email forwarding
  • User accounts
  • Password authentication only through email and webmail over...
  • TLS/SSL only
  • Maildir format (I need to migrate emails from server A to server B, so I need to retain the directories.)
  • SpamAssassin
  • ClamAV on attachments

This is what I've done so far:

  • Created two files: /etc/postfix/domains and /etc/postfix/virtual. The format for /etc/postfix/domains is simply each domain delimited by a new line. The format for /etc/postfix/virtual is each email address attached to a Linux user account (hash format).
  • Basic postfix configuration changes:
    home_mailbox = Maildir/
    mailbox_command = /usr/lib/dovecot/deliver
    mydestination = localhost, /etc/postfix/domains
    virtual_alias_maps = hash:/etc/postfix/virtual
  • Created new certificate to /etc/postfix/mail.key and /etc/postfix/mail.pem.
  • Set up TLS:
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_auth_only = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_auth_only = yes
    smtp_tls_security_level = may
    smtpd_helo_required = yes
  • Restrictions:
    smtpd_client_restrictions = reject_unknown_client_hostname, permit_sasl_authenticated
    smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
    smtpd_sender_restrictions = reject_unknown_sender_domain
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_sasl_authenticated, reject_unauth_destination
    smtpd_data_restrictions = reject_unauth_pipelining


Uncommented smtp and submission.

Now, as for dovecot, this is what I've set up so far:


mail_location = maildir:~/Maildir:LAYOUT=fs


disable_plaintext_auth = yes


ssl = required
ssl_cert = </etc/postfix/mail.pem
ssl_key = </etc/postfix/mail.key

Some helpful notes:

  • There is no firewall installed yet, but I would like SMTP to send over 587 and IMAP over 993/143.
  • The following commands output OK, and that there is a certificate:
    openssl s_client -starttls smtp -crlf -connect localhost:587
    openssl s_client -starttls -connect localhost:993

  • Local mail relay works fine:
    Jul 19 17:43:58 hostname postfix/pickup[2666]: BE5E440DAB: uid=0 from=<root>
    Jul 19 17:43:58 hostname postfix/cleanup[2717]: BE5E440DAB: message-id=<>
    Jul 19 17:43:58 hostname postfix/qmgr[2667]: BE5E440DAB: from=<>, size=406, nrcpt=1 (queue active)
    Jul 19 17:43:58 hostname dovecot: lda(user): msgid=<>: saved mail to INBOX
    Jul 19 17:43:58 hostname postfix/local[2719]: BE5E440DAB: to=<>, relay=local, delay=0.07, delays=0.03/0.01/0/0.03, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver)
  • External mail does not:
    Jul 19 17:45:53 hostname postfix/smtpd[2721]: connect from[]
    Jul 19 17:45:53 hostname postfix/smtpd[2721]: warning: SASL: Connect to private/auth failed: No such file or directory
    Jul 19 17:45:53 hostname postfix/smtpd[2721]: fatal: no SASL authentication mechanisms

    ==> /var/log/mail.err <==
    Jul 19 17:45:53 hostname postfix/smtpd[2721]: fatal: no SASL authentication mechanisms

So I'm a bit confused:

  1. Why can't I receive mail from outside sources?
  2. Why does Google attempt SMTP? Is that what is happening?
  3. Where do I set SASL authentication mechanisms?
  4. Does anyone have an idea, or a way that I could accomplish what I need to? I'm not new to Linux, but I'm not well versed in mail server creation.

Any help would be appreciated. Thank you.


I have an update:

I followed this setup:


unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
}

Which now results in this error message from an email sent via gmail:

Jul 19 18:15:59 hostname postfix/postscreen[3881]: CONNECT from []:34912 to [localhost]:25
Jul 19 18:16:05 hostname postfix/postscreen[3881]: PASS NEW []:34912
Jul 19 18:16:05 hostname postfix/postscreen[3881]: warning: cannot connect to service private/smtpd: No such file or directory
Jul 19 18:16:06 hostname postfix/postscreen[3881]: PASS NEW []:34912
Jul 19 18:16:06 hostname postfix/postscreen[3881]: DISCONNECT []:3491
Jul 19 18:17:46 hostname postfix/postscreen[3881]: close database /var/lib/postfix/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)

Even more confused, now. Sigh.


Uncommenting smtpd in solved that problem. It appears to work, but I'll now have to try imap and see about sending and receiving mail remotely.
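
Added example (not part of the original posts or of Postfix/Dovecot): a Python check for the "Connect to private/auth failed" error quoted above. It resolves smtpd_sasl_path against the queue directory, confirms that Dovecot created the socket, and flags a mode such as the 0666 used in the update. The function names, SAMPLE_MAIN_CF and the default queue directory /var/spool/postfix are assumptions of this example.

```python
import os
import re
import stat

# Constructed sample: the SASL lines from the question, unindented as in main.cf.
SAMPLE_MAIN_CF = """\
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
"""

def parse_main_cf(text):
    """Parse main.cf text: '#' comments skipped, indented lines continue, last value wins."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:          # continuation of the previous parameter
            params[key] += " " + raw.strip()
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params

def check_sasl_socket(main_cf_text, queue_directory="/var/spool/postfix"):
    """Return findings about the Dovecot auth socket that smtpd will try to open."""
    p = parse_main_cf(main_cf_text)
    if p.get("smtpd_sasl_auth_enable") != "yes" or p.get("smtpd_sasl_type") != "dovecot":
        return ["Dovecot SASL is not enabled in main.cf; nothing to check"]
    if "smtpd_sasl_path" not in p:
        return ["smtpd_sasl_path is not set"]
    # A relative smtpd_sasl_path is resolved against the Postfix queue directory.
    path = os.path.join(queue_directory, p["smtpd_sasl_path"])
    try:
        st = os.stat(path)
    except OSError as e:  # missing socket, or private/ not readable when not run as root
        return [f"{path}: {e.strerror}; smtpd cannot reach the Dovecot unix_listener"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path} exists but is not a UNIX socket")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        findings.append(f"{path} mode {mode:04o} grants access to 'other'; "
                        "0660 with user/group postfix is enough for smtpd")
    return findings

if __name__ == "__main__":
    for finding in check_sasl_socket(SAMPLE_MAIN_CF) or ["auth socket looks fine"]:
        print(finding)
```

Run it as root on the mail host, since the private/ directory under the queue directory is normally not readable by other users.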

1 Answer

Everything appears to work just fine. For those wondering how I set it up:

ClamAV (Source Compile)

The settings in this thread were almost perfect. Setting up amavisd was a problem because I thought that clamd wasn't running, so I used OSEClamd as a script to run it.
