Postfix Introduction


This tutorial will tell you how to setup a basic mail server and teach you a bit about the Postfix MTA (Mail Transfer Agent) in the process.

Postfix is extremely flexible. Its architecture is based on a loose composition of services that receive emails and pass them on to other services (with services like “smtp” on the receiving outer edge, and “local” and “virtual” on the delivering outer edge, if you’re looking at receiving mail). Postfix itself implements the core requirements to receive, route, and deliver mail, and relies on third-party extensions to do the rest.

Postfix has several hundred configuration parameters. If you want to administer a mail server that reliably delivers business requirements to a sizable organization, you should make yourself intimate with all of them (man 5 postconf). This tutorial will not be enough, on its own, to make you a competent professional email admin. However, if you want to become familiar with postfix or set up a mail server for yourself and a few friends, this tutorial, and the ones to follow, will be your friend.

Dovecot Introduction


I’m not going to spend a lot of introductory words on dovecot. Dovecot is also huge (here is the wiki for dovecot 2), but we only want a very small set of features from dovecot.

This article explains almost every single setting to be set in detail. You can go ahead and skim over the explanations if you want - at your own risk.

This tutorial assumes (and was built using) the following setup:

  • Debian 7.1 wheezy x64_86
  • Postfix 2.9.6-2
  • dovecot 1:2.1.7-7

While any Debian-based OS should be fine, Postfix is in use in a wide array of versions, including Postfix 1.x, Postfix 2.9, and Postfix 2.10, which have some mutually incompatible settings and features - and using Postfix 2.9, this tutorial is not on the bleeding edge.

This tutorial also assumes a few things about you:

  • That you are comfortable on a GNU/Linux commandline and with the general layout and working principles of a GNU/Linux system like Debian.

  • That your local system is a GNU/Linux or reasonably compatible (MinGW, Cygwin, Mac OS X, *BSD)

  • That you know how to get a rootshell on your droplet

  • That you know how to use a text editor (e.g. vim, nano, emacs, or the standard editor, ed) on linux


    By default, commands will be entered and files edited from a rootshell on the droplet. As in most other DigitalOcean articles, parts of commands that you need to customize will be highlighted in red.

System Setup


The following ingredients are necessary to make your droplet ready to be a mail server:

  • A domain, let’s assume it is “mydomain.com”

  • A hostname for your mail server, let’s assume “mail.mydomain.com”

  • An SSL certificate that is valid for “mail.mydomain.com”

Setting up SSL certificate


For SSL, you need a certificate and a private key. In this tutorial, we’re going to assume that the certificate is saved in /etc/ssl/certs/mailcert.pem and the key is saved in /etc/ssl/private/mail.key. Make sure the key is only readable by the root user!

How to set up SSL certificates for your website and e-mail depends on your website structure and the CA you use (self-signed, organisational (sub)-ca, or commercial ca for example). Creating a self-signed test certificate is as easy as executing

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mail.key -out /etc/ssl/certs/mailcert.pem

and leaving the default values in by just hitting enter on all questions asked. Don’t use this certificate in production!

Most CAs will require you to submit a certificate signing request. (CSR) You can generate one like this:

sudo openssl req -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mail.key -out mailcert.csr

Fill in the information queried properly, like in this transcript: (Check with the CA you intend to use on what information needs to be in the CSR)

Generating a 2048 bit RSA private key
.............................+++
................+++
writing new private key to 'mail.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Virginia
Locality Name (eg, city) []: Langley
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Network Services Association
Organizational Unit Name (eg, section) []: Infrastructure Services
Common Name (e.g. server FQDN or YOUR name) []: mail.mydomain.com
Email Address []: postmaster@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(Note that this way you cannot create a certificate valid for more than one domain using the subjectAltName field without some additional work - again, check the CA’s documentation!)

Setting up DNS


You have to set up your DNS with an A record that points to your mail server IP and an MX record that points to the mail servers hostname.

Here is how to do it if you’re using DigitalOcean’s DNS:

  • Go to the “DNS” area in your DigitalOcean panel
  • Create a new domain or select one you’ve created before
  • Click the “Add record” button in the top right
  • Add an A record:

Adding an A record

  • Click “Add record” again and add an MX record that points to the A record:

Adding an MX record

Additional information can be found in the Host Name setup and DNS tips and tricks articles.

Verify DNS


DNS will take a few hours to propagate all over the internet, but it should be set on your DNS server after a few minutes. You can check with dig & host:

[root@yourbase] ~# dig MX mydomain.com +short @ns1.digitalocean.com
50 mail.mydomain.com.
[root@yourbase] ~# host mail.mydomain.com ns1.digitalocean.com
Using domain server:
Name: ns1.digitalocean.com
Address: 198.199.120.125#53
Aliases:

mail.mydomain.com has address 82.196.9.119

Postfix


We will now set up Postfix to receive and deliver mail for local users.

Packages


The default MTA on Debian is exim. Off with it! We’ll also stop postfix after it has been installed, because we don’t want it to be running yet.

aptitude remove exim4 && aptitude install postfix && postfix stop

A small insert: Postfix manages its daemons by itself and doesn’t need the service (init.d) system. postfix start, postfix stop, and postfix reload are equivalent to service postfix start, service postfix stop and service postfix reload.

Postfix Configuration


Postfix has two main config files: main.cf, which specifies what you would think of as config options, and master.cf, which specifies the services postfix should run.

First, configure the master.cf file (in /etc/postfix/). Add an extra “smtpd” instance called “submission” that will take mail from trusted clients for delivery to the world at large, which we don’t allow for anyone else.
To do that, open master.cf (take a look at man 5 master if you want to understand what’s going on) and uncomment the submission config and add options to enable SASL:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

This warrants a bit of explanation. The -o ... options override the settings that are taken from defaults or define in the config, which we’ll set later.
In a nutshell what happens here is that this enables the “submission” daemon with TLS to secure the outer connection, and dovecot-mediated SASL to check the username and password of connecting clients. (We will set that up in dovecot later).

The important detail is one that can’t be seen: The smtpd_recipient_restrictions is missing reject_unauth_destination, which is present as a default and restricts relaying.

Then we move on to main.cf. We’ll start with a clean slate here - run cp /etc/postfix/main.cf /etc/postfix/main.cf.orig if you want to save the default config file (it’s also in /usr/share/postfix/main.cf.dist though), then open it and clear it out!

Let’s first set the network information: (information about the domains postfix is handling mail for, and a bit of extra info)

myhostname = mail.domain.com
myorigin = /etc/mailname
mydestination = mail.domain.com, domain.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

We set the hostname and the default origin, which is sourced from /etc/mailname by debian convention. You can set it explicitly if you don’t have /etc/mailname. The default origin is used to construct the ‘From’ address for local users. mydestination sets the domains that postfix accepts emails for as final destination, and we set “relayhost” empty to disable relaying mail (relaying means accepting mail and then forwarding to a mail server that is not the final destination for the mail and we have no need for that; that is useful e.g. in a corporate intranet where a central mail server should check mail before it leaves the network.)

Additional note: This has nothing to do with the term “open relay”, which is a mail server that accepts email from anybody without authentication and sends it to MTAs for domains that aren’t in their own network - for this the other `relay_` settings are used, which we leave on default and disabled)

Let’s now set the local alias maps. We don’t have to set this setting since we’re just keeping the default setting, but it’s good to make it explicit in case we later want to add another method of defining alias maps. (like a real DBMS)

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

Then we set up SSL:

smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3

We set the cert file and the key for it, enable tls, and set the cache files. Then we make TLS optional, because we’re not allowed to make TLS required on a public smtp server per RFC2487. We also disallow SSLv2 and SSLv3, so that only TLSv1.0 and higher is allowed (read a SSL tutorial if you want to know why - in a nutshell, SSLv2 and SSLv3 are obsolete).

Another setting that is fine as default but should be specified explicitly in case you want to add to it later is the localrecipientmaps:

local_recipient_maps = proxy:unix:passwd.byname $alias_maps

This setting tells Postfix to check a lookup table and reject email to users that cannot be found in the table. This is important because the alternative behaviour, if local_recipient_maps is unset, is to accept mail first and then bounce it later. This causes “backscatter”: If postfix cannot determine all valid users immediately (in the smtpd service), like when local_recipients_maps is unset, it will accept mail and then send a non-delivery notice later (when it finds out the mail is undeliverable after it has been handed off by smptd). These non-delivery notices usually hit innocent people whose addresses have been spoofed in spam and scam mails and contribute to the spam problem.

Sane Alias Config


There are a few mail accounts you should set up in your alias config that are important. For example the SMTP RFC mandates that any publicly accessible mailserver that accepts any mail at all must also accept mail to the 'postmaster’ account, and some people might expect “hostmaster”, “abuse”, “webmaster”, and other mailboxes to be present. You can either redirect those mail addresses to root, or to a specific user. Here is a sane default for /etc/aliases, presuming that you check email for root:

mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root

If you want to redirect all of that to a specific local user, say, “yourname” just add

root: yourname

Postfix will resolve the entire chain of aliases for you and forward all those mail addresses to “yourname”. (This is done by the local daemon using the aliases specification.)

As “aliases” says, after updating the /etc/aliases file, you have to run

newaliases

to compile the file into the database Postfix uses for fast lookup.

Dovecot


This one will be less wall-of-text-y! Take a deep breath, we’re almost done.

Packages


aptitude install dovecot-core dovecot-imapd

Should do it. If you want all the default packages, run

aptitude install dovecot-common

Then go into /etc/dovecot/dovecot.conf and clear out the file again. (that’s important this time - the default config includes a bunch of subordinate config files in /etc/dovecot/conf.d that we don’t want).

Now enter the following config:

disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"

This enables plaintext auth (The “plaintext” authentication will be tunneled through TLS), tells dovecot to use the mail system group for accessing the local mailboxes (plus the location of the mailboxes), use the unix authentication system to authenticate users, and enable imap only.

If you want, you can have dovecot automatically add a Trash and Sent folder to mailboxes:

protocol imap {
  mail_plugins = " autocreate"
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}

Next, we need to open a socket that postfix can use to piggy-back on dovecot’s authentication:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

And finally the ssl config:

ssl=required
ssl_cert = </etc/ssl/certs/mailcert.pem
ssl_key = </etc/ssl/private/mail.key

Note the angle brackets! They tell dovecot to read from a file.

The End


Save and close all the config files, and execute

newaliases
postfix start
service dovecot restart

And you should be good to go. Test your config with a mail client, e.g. Mozilla Thunderbird. You should be able to send and receive mails from everywhere and to everywhere!

Continued


If you want to add virtual mailboxes (mail boxes that are not tied to a local user account, but can instead be configured using a local database) continue with Part 2.***

You can now test that sending e-mail both ways works, from a terminal on the droplet:

~# mail someotheremail@gmail.com
Subject: test email from postfix
this is a test
.
EOT

The mail from “root@yourdomain.com” should shortly arrive at “someotheremail@gmail.com” (fill in an email adress you control, obviously). If you reply to it and call mail again, you should see this: (it might take a minute for the mail to arrive).

~# mail
Heirloom mailx version 12.5 6/20/10.  Type ? for help.
"/var/mail/root": 1 message
>N  1 Your Name          Wed Nov 13 23:45   41/1966  Re: test email from postf

And if you hit the Enter key, it will show the message. (then type q and hit Enter to leave the mail client)

The same thing will work with a local e-mail client. Set up a new system user:

~# adduser joe
Adding user `joe' ...
Adding new group `joe' (1001) ...
Adding new user `joe' (1001) with group `joe' ...
Creating home directory `/home/joe' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: Enter password here
Retype new UNIX password: Enter password here
passwd: password updated successfully
Changing the user information for joe
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y

The password you entered here is the password to use for e-mail. Joe can now use the address joe@yourdomain.com with a local mail client like Thunderbird. In Thunderbird, just add a new Account (File -> New -> Existing Mail Account) and enter joe@yourdomain.com and the password in the dialog.

If your mail client doesn’t auto-detect the necessary settings: The username for the IMAP connection is joe, the port is 143, and the authentication method is unencrypted password via STARTTLS. For SMTP it’s the same, but port 587.

If anything isn’t working, check for error messages in the system log with tail -n 50 /var/log/syslog and in the mail log with tail -n 50 /var/log/mail.log.

Submitted by: Lukas Erlacher

152 Comments

  • I have to put: mail_location = mbox:~/mail:INBOX=/var/mail/%u at the end of "dovecot.conf"
  • Thanks for the note. I don't have that set, that's weird - I'll do some testing and check it out!
  • It appears you are correct - I'll try to get that fixed in the article!
  • @Lukas, ethno-urban: Thanks, I've updated the article :]
  • Just tested this out on my Droplet and it all worked on the first try! Thanks for the detailed instructions.
  • Thanks! Now I finally have a self configured mail server up. :)
  • Is there any GUI for setting up new mail accounts so anyone don't need to enter ssh for account creation?
  • No - in this setup, mail accounts are directly tied to system users. I am working on a follow-up article to allow adding users to a database!
  • Hi, For SMTP, should I use smtp.yourdomain.com, or mail.yourdomain.com? I can send mail from the server fine now, just not from a remote location.
  • Postfix is running smtp directly on the mail server you configured, so at 'mail.yourdomain.com'. It will accept mail for delivery to **local** mail addresses via standard smtp on port 25, and it will receive mail for delivery to **any** mail addresses via authenticated, encrypted submission server (which is also smtp, postfix just calls it submission) on port 587. Make sure that your mail client uses port 587 with plain password auth and starttls.
  • Great tutorial. I have just one issue. I can send with 'sendmail somebody@gmail.com', but with 'mail somebody@gmail.com' -> -bash: mail: command not found. I am root user. Could you help me with this?
  • I'm trying to setup a simple mail server on a debian vps with postfix and dovecot. I can send and receive email from the server via mutt but when i try to connect to IMAP via Thunderbird for example, it does not work: Nov 22 11:45:22 localhost dovecot: imap-login: Fatal: Can't load ssl_cert: The file contains a private key (you've mixed ssl_cert and ssl_key settings) Nov 22 11:45:22 localhost dovecot: master: Error: service(imap-login): command startup failed, throttling for 16 secs Extract from main.cf postifx file: smtpd_tls_cert_file = /etc/ssl/private/dovecot.pem smtpd_tls_key_file = /etc/ssl/private/dovecot.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_tls_security_level=may smtpd_tls_protocols = !SSLv2, !SSLv3 Extract from dovecot.conf: protocols = "imap" protocol imap { mail_plugins = " autocreate" } plugin { autocreate = Trash autocreate2 = Sent autosubscribe = Trash autosubscribe2 = Sent } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } ssl=required ssl_cert =
  • @mkhitar.mikaelyan: Run
    sudo apt-get install mailutils
  • @alexandru.vladoiu:
    Nov 22 11:45:22 localhost dovecot: imap-login: Fatal: Can't load ssl_cert: The file contains a private key (you've mixed ssl_cert and ssl_key settings)
    The SSL file you configured dovecot to use is invalid.
  • When can we find part 2 and 3? Cheers,
  • I have this error on Thunderbird setup, dovecot: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one What probably went wrong? Thanks!
  • @alifaziz: Please pastebin dovecot's config file.
  • same as Alifaziz, in my logs in have dovecot: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one postfix seems to be able to send and receive mails ok but can't get past this probelm with dovecot this is my dovecot conf file disable_plaintext_auth = no mail_privileged_group = mail mail_location = mbox:~/mail:INBOX=/var/mail/%u userdb { driver = passwd } protocols = " imap" protocol imap { mail_plugins = " autocreate" } plugin { autocreate = Trash autocreate2 = Sent autosubscribe = Trash autosubscribe2 = Sent } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } ssl=required ssl_cert =
  • opps last bit of fiel went wrong here it is ssl=required ssl_cert =
  • taken the angle brackets off after ssl_cert = and ssl_key = in the hope it posts this time ssl=required ssl_cert = /etc/ssl/certs/mailcert.pem ssl_key = /etc/ssl/private/mail.key mail_location = mbox:~/mail:INBOX=/var/mail/%u
  • I got dovecot working, I needed this in the conf file passdb { args = max_requests=100 driver = pam } now however i have a different problem. Postfix failing with a Relay Access denied
  • fixed that i need this in my main.cf smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
  • What's up with the links to Parts 2 and 3, in this article? Assuming those articles have yet to be written, what's the ETA on them?
  • I have 2 questions : 1- For myorigin = /etc/mailname in main.cf, if I create a user called joe, would it be something like this ; myorigin = /etc/joe ? 2. From this website https://wiki.debian.org/Postfix, postconf -e "myorigin = example.com" . It uses domain name instead of directory name (/etc/mailname). Can I use domain name ?
  • @maszuari:
    1- For myorigin = /etc/mailname in main.cf, if I create a user called joe, would it be something like this ; myorigin = /etc/joe ?
    No, it would still be mailname, you shouldn't change it.
    2. From this website https://wiki.debian.org/Postfix, postconf -e "myorigin = example.com" . It uses domain name instead of directory name (/etc/mailname). Can I use domain name ?
    It's recommended that you use /etc/mailname because you'll be having virtual mailboxes.
  • @Pablo: They are not published yet, no ETA sadly.
  • Is there a reason you are not using the dovecot-postfix stack? http://packages.ubuntu.com/saucy/dovecot-postfix I would infer that there's some advantage to installing the stack over the two packages separately...
  • "Don't use this [self-signed] certificate in production!" Why?
  • I think it's because you can never be sure that it's your server that you're connecting to, and since it's self-signed, some MTAs might disconnect from your server once they realize that it's not "verified".
  • Do I have the put the IP Address on the mail A record? And if so, how do I stop mail.mydomain.com from being accessed from a browser?
  • @migmarshall: You can name it whatever you want instead of "mail" but it has to be an A record—just make sure you update the MX record to point to it.
  • @Kamal Nasser but does it have to point to the IP address of the server?
  • I followed the tutorial to the letter (with self signed cert), I can send mail, and reveice it too, but all received mails are in /var/mail/nobody even though I have set up the aliases to redirect to root. If I type the "mail" command as root user i get the message that no emails have been received for root (instead they are in /var/mail/nobody)
  • Hello, can I install squirelmail to manage my emails easily and if yes how please?
  • It's working for me from thunderbird, but can't get it running in microsoft outlook for mac ... Keeps saying Authentication failed because Outlook doesn't support any of the available authentication methods. Any ideas?
  • It's working for me from thunderbird, but can't get it running in microsoft outlook for mac
    Is there anything stopping you from using thunderbird on mac?
  • Can you explain why I need to have the A record set up for mail? I'm serving a website from one IP address, and want to use the same domain name on another machine as a mail server. My understanding was the A record is for port 80 and the MX record is for the mail ports.
  • Also there's a stray } in the code box with protocols = " imap"
  • @alia: DNS records are not related to ports at all. An A record maps a domain name to an IP address. The port is left up to the user. MX records tell users what mail server to send the mail to, however, it doesn't accept IPs so you will have to create a "mail" A record to point to your mail server.
    Also there's a stray } in the code box with protocols = " imap"
    That's supposed to be there. :]
  • I don't think it is.... # service dovecot restart doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 8: Unexpected '}' [....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 8: Unexpected '}' failed! (Thanks for the DNS clarification, though.)
  • @alia: Hmm. It's probably the config files being different on each OS. It worked fine for me with the stray "}" when I tried it.
  • I used this tutorial to setup postfix and dovecot on a Digital Ocean server. But I'm getting "Connection Timed out" when postfix/smtp tries to deliver an email to a remote host like gmail or yahoo.. ---------------------------------------- RECEIVING A NEW MESSAGE /var/log/mail.log ------------------------------------------ Feb 2 22:33:38 localhost dovecot: auth-worker: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth Feb 2 22:33:38 localhost dovecot: auth-worker: Debug: pam(app,189.63.49.XXX): lookup service=dovecot Feb 2 22:33:38 localhost dovecot: auth-worker: Debug: pam(app,189.63.49.XXX): #1/1 style=1 msg=Password: Feb 2 22:33:38 localhost dovecot: auth: Debug: client out: OK#0111#011user=app Feb 2 22:33:40 localhost postfix/submission/smtpd[1045]: E9AA724264: client=unknown[189.63.49.XXX], sasl_method=PLAIN, sasl_username=app Feb 2 22:33:43 localhost postfix/cleanup[1052]: E9AA724264: message-id=<52eee3dd754bd_12df11b3e788267e@newx.mail> Feb 2 22:33:43 localhost postfix/qmgr[32661]: E9AA724264: from=, size=485, nrcpt=1 (queue active) Feb 2 22:33:45 localhost postfix/submission/smtpd[1045]: disconnect from unknown[189.63.49.XXX] Feb 2 22:34:14 localhost postfix/smtp[1053]: connect to mta5.am0.yahoodns.net[98.136.216.25]:25: Connection timed out ----------------------- Feb 2 22:24:21 localhost postfix/smtp[1013]: connect to mta6.am0.yahoodns.net[98.136.217.202]:25: Connection timed out Feb 2 22:24:21 localhost postfix/smtp[1014]: connect to gmail-smtp-in.l.google.com[173.194.76.27]:25: Connection timed out Feb 2 22:24:21 localhost postfix/smtp[1015]: connect to gmail-smtp-in.l.google.com[173.194.76.27]:25: Connection timed out Feb 2 22:24:21 localhost postfix/smtp[1012]: connect to aspmx.l.google.com[173.194.68.27]:25: Connection timed out ------------- Here is /etc/postfix/main.cf http://pastebin.com/nHQhh8Bp /etc/postfix/master.cf http://pastebin.com/nnJBP9mh
  • Did anyone had this issue and fixed it?
  • @newxhost: Try rebooting your droplet. Does that fix it?
  • I was having the same passdb error: dovecot: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one Added to dovecot.conf: passdb { driver = passwd-file args = scheme=SHA512-CRYPT username_format=%n /etc/imap.passwd } Then to generate the SHA512-CRYPT password: doveadm pw -s SHA512-CRYPT -u user1 Put in /etc/imap.passwd user1:{SHA512-CRYPT}$6$8mCTNxpjLRayJKJ4$Q.........(the whole string returned from the doveadm pw command) And now I can connect with IMAP! It looks like there are probably better ways of dealing with the passdb, but this was the fastest/easiest for just making it all work. The dovecot docs that helped me: http://wiki2.dovecot.org/AuthDatabase/PasswdFile http://wiki2.dovecot.org/Authentication/PasswordSchemes
  • Ok so I have this working for one domain, what do I need to do to get this to work with multiple domains that I have working on my Ubuntu droplet? do I just add the A and MX records then add the email address to the postgresql database (I've completed stage 2 now)? or is there anything else I need to do?
  • After struggling with setups, I finally got correct combination working for dovecot: disable_plaintext_auth = yes mail_privileged_group = mail userdb { driver = passwd } passdb { args = max_requests=100 driver = pam } protocols = " imap" protocol imap { mail_plugins = " autocreate" } plugin { autocreate = Trash autocreate2 = Sent autosubscribe = Trash autosubscribe2 = Sent } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } ssl=required ssl_cert =
  • @nikolakirincic thanks very much, worked for me too
  • The link for "wiki for dovecot 2" is dead.
  • Hey, I would like to make it so that people can only access mail on my server via SquirrelMail on my site. However, I keep getting "connection refused errors" which I trace back to ssl configurations on Dovecot. Now, since all the IMAP connections will be done locally, I'd like to remove SSL on Dovecot. I can share the configuration files for SquirrelMail, Dovecot, and Postfix via Google Drive, editing enabled, but I'd prefer to do it for one person who knows what they are doing. I can provide any other configuration files. So, my goals are to: 1) remove ssl on IMAP only and 2) change the ports to non standard numbers
  • Hey, FYI, the zeusmaster account is an old DigitalOcean account of mine, that Chrome saved the details for. I had trouble with Paypal, so I made a new DO.
  • Hello i configured my vps like that guide but only i can send, i can't recevie emails. What can i do? thsnks!
  • @dahalpi: What's your domain name and droplet IP?
  • @jsouc94: Try deleting the three ssl lines in dovecot's config file and restarting it. Does that work?
  • I can recieve and send mail just fine, but I cannot connect to my server externally. It seems that dovecot is not accepting connections on 143. telnet localhost 143 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Connection closed by foreign host. Running debian wheezy. It is listening on the port.
  • Hello I have followed all the instructions carefully and think I have everything set correctly. I wasn't sure if there was a rogue bracket before the line below but I have tried it with and without. I can send and receive mail using the MAIL command but I cannot connect using Outlook or Thunderbird. It just says the connection failed. I have tried restarting the services too. I can telnet to port 25 ok but then if I type ELHO or HELO it just says it doesn't recognise the command. [code] } protocols = " imap" [/code] Should this extra bracket definitely be there as it doesn't seem to match up to anything? Thanks Robin
  • Hello Kamal Nasser, my domain name is cultura-libre.cl, my droplet has ip: 95.85.61.6 Postfix send me now the following error: Transcript of session follows. Out: 220 mail.cultura-libre.cl ESMTP Postfix (Debian/GNU) In: EHLO mail-qc0-f178.google.com Out: 250-mail.cultura-libre.cl Out: 250-PIPELINING Out: 250-SIZE 10240000 Out: 250-VRFY Out: 250-ETRN Out: 250-STARTTLS Out: 250-ENHANCEDSTATUSCODES Out: 250-8BITMIME Out: 250 DSN In: STARTTLS Out: 454 4.7.0 TLS not available due to local problem In: QUIT Out: 221 2.0.0 Bye For other details, see the local mail logfile And my files are: DOVECOT.conf disable_plaintext_auth = no mail_privileged_group = mail mail_location = mbox:~/mail:INBOX=/var/mail/%u userdb { driver = passwd } protocols = " imap" protocol imap { mail_plugins = " autocreate" } plugin { autocreate = Trash autocreate2 = Sent autosubscribe = Trash autosubscribe2 = Sent } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } ssl=required ssl_cert =
  • Now i can send and receive internally, can send to a gmail, but i can't receive externally.
  • @darkened35: Looks like it's able to connect. The timeout is probably set to a low value, try piping in the commands instead of typing them manually.
  • Sorry mine does work with the ELHO command actually I set it up as per the instructions with the additional section for passdb. I can send email and see received email but I just can't connect with any email clients. I am using Ubuntu 13.10 and my domain is rothburydrive.co.uk with an IP of 188.226.173.109 Thanks for any help Robin
  • I have now solved my problem I was trying to connect as root but I didn't realise Dovecot blocks connections as root. You need to create another user and use that one. The only problem now is that I need to get users to select TLS in the IMAP settings for Outlook before it will connect as auto doesn't seem to pick up the right option.
  • When I do dovecot restart I get this error: "doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 5: Expecting '='" I have this in my dovecot.conf file disable_plaintext_auth = no mail_privileged_group = mail mail_location = mbox:~/mail:INBOX=/var/mail/%u userdb { driver = passwd } } protocols = " imap" protocol imap { mail_plugins = " autocreate" } plugin { autocreate = Trash autocreate2 = Sent autosubscribe = Trash autosubscribe2 = Sent } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } ssl=required ssl_cert =
  • I have followed this tutorial two times but I can't connect to my server via Thunderbird. This is my dovecot.conf: http://pastebin.com/d2kP0JzB Thunderbird fails with "trying common server names"... When I send e-mail from my hotmail to server I don't see them anywhere, but they don't bounce.
  • Hello Buffedbysatan I have had a look at your file and it is because there are two errors in this guide. You need to remove the spurious bracket above the protocols section and also need to add a passdb section - I put mine above userdb. It needs to be: passdb { args = max_requests=100 driver = pam } After I made these changes and restarted the service it started to work. Hopefully the guide can be updated to fix this as apart from this it is really helpful. Robin
  • Hello! I've followed all the steps, but I'm getting this errors in the log file: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert Any help on this? Thanks!
  • @info: You're using a key and certificate that do not belong to each other. Have you replaced any of the files?
  • Hello Kamal! Thanks for the answer, no I haven't replaced them, when I try to configure the mail into a mail client, the program ask me to accept the certificate so I think until this point, this works, but, I'm not getting any mail and on the logs I always see this two lines: dovecot: imap-login: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs I'm pretty here's the error but don't know what to do...
  • Robin Wilson, thank you for your help. Unfortunately this doesn't work for me. When I try to connect with Thunderbird I still get the error: "Thunderbird failed to find the settings for your email account." Adding "passdb { args = max_requests=100 driver = pam }" gives me the following "error: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: passdb is missing driver". Googled the problem but can't find any help, seems like an uncommon error. Just love running in to more and more errors when trying to launch a new site :p. Thanks for any help.
  • @Insignia Studio: I was stumped by exactly the same thing. In the end I found out it was because I was following the instructions too closely... If you look at the key creation part of the tutorial the first bit is for creating a self-signed key, and the second bit is for creating a key that can be certified by a Certificate Authority (CA). If you run both sections then the self-signed key gets overwritten with the CA key. All you need to do is re-run the first part and ignore the CA part (until you go into production anyway, and might need to buy an SSL certificate): sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mail.key -out /etc/ssl/certs/mailcert.pem
  • I think I'm missing something here but what credentials do I need to use to connect to the email address I've created using a mail client?
  • Amazing guide however this does not work with apple mail.app
  • In the interest of full disclosure : Skill level : absolute email beginner, terminal comfortable, programming comfortable. Worked straight out of the box for me, thanks. Email arrives from my yahoo acc to my Digital Ocean acc perfectly when addressed to 'user@mydomain.org'. Email sent from the command line as user@mydomain.org goes to Yahoo perfectly but shows a return address of 'user@mail.mydomain.org' I would like that to appear as 'user@mydomain.org', can I just change the certificate or is there more involved? Also in the tutorial it shows how to setup a development certificate but states not to use it in production; what are the differences I should implement to make a production one? Thanks.
  • Still waiting for some help with the above question...anybody?
  • Just a heads up. The links to the wiki and stuff don't work because they don't have http:// preceding them. They just try to link to local digitalocean pages.
  • jk, it's only the dovecot wiki link.
  • @msnow, Thanks for catching that! We'll get that fixed.
  • It looks like the link to "Part 3" is broken.
  • @sergeysn: Thanks for pointing it out! Part 3 isn't published yet, sadly.
  • Hi, I am keen to set up my VPS with a mail server but I want to make sure this series of tutorials is what I need before I dive in! I already have Apache Virtual Hosting set up for two websites. A third domain is in the process of propagating to DigitalOcean DNS, one that I intend to use as mail.thirddomain.com I would like to use this third domain exclusively for services other than www, i.e email My desire is to use mail.thirddomain.com as the mail server for all domains I use for Virtual Hosting, so that it would capture and deliver email for user@domainone.com and user@domaintwo.com plus anymore Virtual Hosts I add in the future (PLUS anymore addresses I may add to these domains, i.e user2@domainone.com) The big idea here is that I will be predominantly providing web design and development services but would also like to offer email. I am currently routing email through GoDaddy by altering the MX records through the DigitalOcean control panel. I'm not really wanting to do this long-term as it doesn't provide much flexibility. Thanks Andrew
  • I have a really strange problem: I have used this tutorial and I can send email from the server's terminal as well as receive email from anywhere. I have tried repeatedly to use smtp on this server remotely as an authenticated user, but this has not worked either with thunderbird or the mac mail.app. I can however send relayed authenticated email when using gnutls-cli as a shell tool (enables encrypted auth) and enter the test message on the command-line (see http://www.moeding.net/archives/15-Testing-SMTP-AUTH-after-STARTTLS.html). When I try to set up my smtp server with authentication in mail.app it the smtp is marked as offline as soon as I enter my username and/or password. It only works without auth when I send an email remotely back to my own server based email address (which is expected based on the postfix settings). so basically I know that sasl auth works, but I can't get it to work with any mail client. Any thoughts? Andreas
  • I figured out my problem. First I am using postfix version 2.10.2 Second I am using dovecot 2.1.7 I followed every detail of the above tutorial including the following: "...The important detail is one that can't be seen: The smtpd_recipient_restrictions is missing reject_unauth_destination, which is present as a default and restricts relaying..." It appears that my postfix version does not allow auth to work if reject_unauth_destination is missing from the smtpd_recipient_restrictions. After adding this, the authentication worked just fine. Thought this might help someone who is stuck with the same issue.
  • I am having an issue after completion of this tutorial. I am able to send and receive email via the terminal. However, when I attempt to connect on my phone I get auth failure and when I attempt to login to via roundcube I get a IMAP Server Failure. Any assistance would be greatly appreciated
  • I have a problem after follow this tutorial. When I send mail from root or other accounts in system to other mail server like gmail or hotmail. It show the sender address as root@domain.domain.com instead of root@domail.com anyone know what's happen?
  • @crossRT: Could you pastebin your /etc/postfix/main.cf file?
  • Hello, i have registered domain for incoming mail only. now m trying to configure SMTP server in debian 7. m using ISP dns also. Plz help me.
  • @salahuddin.nit: We'd able to help you better if you tell us what steps you've already taken and the problems you've run into.
  • iredmail peeps! it works! no hassle! defaults with postfix, dovecot and roundcube
  • Hi, I followed this how to but on Ubuntu 12.04. I had to make a few changes but I got it up and running, well, almost up and running. I ran into the following issue: I can mail out from the command line and I can get mail and check it on command line. I cannot connect with an email client (thunderbird), well I can get emails in thunderbird but I cant send. # tail -n 50 /var/log/mail.log|grep reject Apr 30 19:55:48 localhost postfix/submission/smtpd[7183]: NOQUEUE: reject: RCPT from foobar.fr[96.xx.xx.xx]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo= postconf -d | grep mail_version mail_version = 2.9.6 master.cf https://cryptob.in/?346e4ed6fa1c5e99#FOaLKw77vgzNVAjfhMIMC8S5K/plxngV+WDMleOAEuY= main.cf https://cryptob.in/?fe23a43ca471c4a3#Ar14ELiJ7RtNWvuyrPpjLUEB1u3aQaAvuFl/5LWshMg= Any advise is welcome!
  • A little correction: I can send mail from Thunderbird but only to my domain. Like from foo@mydomain.fr to postmaster@mydomain.fr. I cant sent mail to any other domain when sent from an email client. From the command line its working like it should.
  • @Mike: It sounds like you might need to set up authentication on outgoing mail in Thunderbird. See: http://kb.mozillazine.org/Thunderbird_:_FAQs_:_SMTP_Authentication
  • @Andrew SB: Thats not the issue. I checked the logs and the authentication is successful at port 587.
  • Well, I found the answer! :-) I had smtpd_client_restrictions instead of smtpd_recipient_restrictions. I just added smtpd_recipient_restrictions= permit_mynetworks,permit_sasl_authenticated,reject to the master.cf But following this how to I had to adjust 2 things in Ubuntu 12.04 to get it working: - I had to chmod /var/mail/username to 600 - By default SMTP (port 25) was commented out in master.cf. I had to activate this line: smtp inet n - - - - smtpd
  • @Mike: Great! Thanks for sharing your fix. It will help the next person.
  • i have a cuestión!... the ip in the firs step, is the ip address of your host in your network? or is the ip public of you router ?
  • when you add a record in DigitalOcean's DNS... more specific
  • For the record, I was getting authentication failures when trying to send mail through Mail.app (receiving worked fine). It was fixed by adding these lines to the end of `/etc/postfix/main.cf` : smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth And then `sudo postfix restart`.
  • @eliyou_: It's the IP address of your DigitalOcean VPS, not of your own router.
  • May 8 05:05:38 localhost postfix/submission/smtpd[18758]: warning: cannot get RSA private key from file /etc/ssl/private/mail.key: disabling TLS support May 8 05:05:38 localhost postfix/submission/smtpd[18758]: warning: TLS library problem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:330: That's what I'm getting when trying to send e-mail over SMTP (from the command line with the mail command works fine) or when someone tries to connect through IMAP. I checked, and the file /etc/ssl/private/mail.key definitely exists. I have tried to regenerate my key several times. What else can I try?
  • @Robin: Could you pastebin the output of "postconf -n" ? Make sure "smtpd_recipient_restrictions" doesn't include "reject_unauth_destination"
  • @Mike Thank you very much for sharing you fix. I had same problem. I spend a lot of time searching and any result.
  • I have configured Postfix in my debian7 server. But now i can send mail outside of my Lan only like gmail etc.. When i am sending any mail to my Lan its going to Mail Queue with below error : host *********** [***.***.254.17] refused to talk to me: 554 dropsmtpd - Your mail is being dropped as spam.
  • Can't receive Email from a remote server (gmail). Anyone could help me please?
  • Thanks for this guide, I followed everything and now it works to a certain level: I can send email form the server to arcor.de, but not to gmail.com. I can receive emails on the server. I can receive email with evolution from the new email account, but I can not send email with this account. How to set up email client for sending email with the new account and why is this not working for gmail, even the log says, email is sent: when I try to send from evolution: NOQUEUE: reject: RCPT from ...Relay access denied ...lost connection after RCPT and when I am sending email from the server to gmail (no email arrives): ...relay=gmail-smtp-in.l.google.com[74.125.136.27]:25, delay=31, delays=0.05/0/30/0.94, dsn=2.0.0, status=sent... Please help me out. Regards Nick
  • @mladenoff: What do you see when you enter your droplet's IP address here?
  • Worked perfectly on Ubuntu 14.04. Thanks!
  • (debian os)
    In order to get it work I had to use this solution.. http://serverfault.com/questions/433003/postfix-warning-cannot-get-rsa-private-key-from-file

    I couldn’t get e-mail from a gmail account. I had a warning as the post title is. The solution was to generate ssl files from the command topic starter gives and use the right permissions for that as Ansgar says.

  • hello,

    first of all thanks for the tutorial. I am newbie to mail things so I will be grateful for any help.

    I followed the instructions,
    when I try to send mail to any e-mail adress via “mail somemail@somedomain.com” command I got these lines from mail error log and having trouble to findout what the problem is..

    what I am missing?

    ps: sorry for bad english.

    postfix/pickup[14327]: CE11B20971: uid=0 from=<root>

    postfix/cleanup[14414]: CE11B20971: message-id=20140625213453.CE11B20971@mail.mydomain.com

    postfix/qmgr[14328]: CE11B20971: from=<root@ </etc/mydomainmail.mydomain.com>, size=455, nrcpt=1 (queue active)

    postfix/smtp[14416]: CE11B20971: to=<ozgun_a@windowslive.com>, relay=mx1.hotmail.com[65.55.37.120]:25, delay=0.64, delays=0.01/0/0.48/0.15, dsn=5.0.0, status=bounced (host mx1.hotmail.com[65.55.37.120] said: 501 Invalid Address (in reply to MAIL FROM command))

    postfix/cleanup[14414]: C520A20972: message-id=20140625213454.C520A20972@mail.mydomain.com

    postfix/qmgr[14328]: C520A20972: from=<>, size=2367, nrcpt=1 (queue active)

    postfix/bounce[14417]: CE11B20971: sender non-delivery notification: C520A20972

    postfix/qmgr[14328]: CE11B20971: removed

    postfix/error[14418]: C520A20972: to=<root@ </etc/mydomainmail.mydomain.com>, relay=none, delay=1, delays=1/0.01/0/0, dsn=5.1.3, status=bounced (bad address syntax)

    postfix/qmgr[14328]: C520A20972: removed

  • This tutorial is great. You didn’t mention about workarounds for outlook and outlook express, but I figured it out (thanks to google). How to make simple mailing list using aliases table? Using file it would be one line:
    my-mailing-list@mydomain.com user1@mydomain.com, user2@mydomain.com, user3@mydomain.com, user4@mydomain.com

    On some other site I’ve found that using database table it should be 4 records:
    my-mailing-list@mydomain.com user1@mydomain.com
    my-mailing-list@mydomain.com user2@mydomain.com
    my-mailing-list@mydomain.com user3@mydomain.com
    my-mailing-list@mydomain.com user4@mydomain.com

    Using file the mail server will probably use first line with LHS my-mailing-list@mydomain.com, right? What if in the database table it would look like:
    my-mailing-list@mydomain.com user1@mydomain.com
    my-mailing-list@mydomain.com user2@mydomain.com
    userA@mydomain.com userB@mydomain.com
    my-mailing-list@mydomain.com user3@mydomain.com
    userX@mydomain.com user2@mydomain.com
    my-mailing-list@mydomain.com user4@mydomain.com

    I guess that SQL query will return RHS for all LHS that equals my-mailing-list@mydomain.com.

    What if in this mailing list definition RHS value in some record will be another alias (not the real account)?

  • beating my head off the wall. this is not working for any connection at all for me.
    from the server I can send using mail, I can log into a different than root account and send using mail, I can read messages from any account, all seems like it’s actually working.
    until I try to connect. I fail at every connect attempt, have tried every sort of variation from all the above suggestions. MacBook, tried with Mail, and with Thunderbird. I can ping mail.cantseeme.ninja , checking for the server works, mx seems right, everything else seems like it works.

  • Followed this tutorial (Part 1 & 2) and after troubleshooting all last night and this morning, finally have a working email. Thanks for the writeup.

    Some issues I faced on Ubuntu 14.04 that may help others:
    For whatever reason, my SSL certs I generated through sudo opessl would NOT work whatsoever. Luckily I have two droplets I’m using as playgrounds and was able to get it to work via the certs that Dovecot and Postfix generate for you if you select “yes” during the install when it comes to that option. Probably user error, but using the Dovecot- and Postfix-generated certs worked great if you’re a bit of a ape (like me) and can’t get it working.

    I constantly got the “SASL Authentication failed” error, indicating that SMTP authentication was failing. Thunderbird just kept telling me that it couldn’t connect and to check my credentials. Finally got it thanks to the comment above by @clov3rly, which indicated adding:

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    

    to /etc/postfix/main.cf. This did the trick and caused the most headache, so hopefully both my comment and his comment can help someone out.

    Thanks again for the awesome tutorial!

  • The autocreate plugin is deprecated (and should have been deprecated in version of Ubuntu after I think it was 13.04.) One one only need do auto = subscribe in 15-mailboxses.conf and it will auto-create and auto-subscribe.

  • can anyone help. After boot I am able to send postfix email from server to gmail and from gmail to server as postfix, dovecot, saslauth is already started at boot but php script mail gives error and requires lampp to be restarted once and then php mail is sent continuously. Logs show postfix is started but no entry log error for uid nobody but once I restart lampp I get log entry uid nobody and php mail is sent thereon.

    rajeev
    rajshardel@gmail.com

  • Pl help. I can receive virtual domain emails on server in path /home/vmail/ in my virtual domain folders (abc.com et ) in new folder (cur temp new ) . But I cannot receive any email on outlook. But if I include jobseasily.com which is also my hostname and also listed in virtual domains /etc/postfix/vhosts in my destination folder I receive outlook mail only for jobseasily.com but not for other virtual domains. Log error shows do not mention virtual domain in both mydestination and virtualmailboxdomains. Hence removing jobseasily.com from mydestination removes log error but I cant receive any mail.

    What is wrong in dovecot configuration path for receiving virtual domain emails in outlook. Postfix has vhosts listing all virtual domains and vmaps defining email for all virtual domains and virtualmailboxbase =/home/vmail receives the virtual domain emails.

    Possible dovecot mail location path mail_location = Maildir:~/Maildir is not set right to receive virtual domain mails from postfix.

    Postfix conf file is

    myhostname = jobseasily.com
    mydomain = localhost
    myorigin = $mydomain
    mydestination = localhost.$mydomain, localhost, $mydomain
    virtualmailboxdomains = /etc/postfix/vhosts
    virtualmailboxmaps = hash:/etc/postfix/vmaps
    virtualmailboxbase = /home/vmail
    virtualuidmaps = static:5000
    virtualgidmaps= static:5000
    mynetworks = 192.168.0.0/24, 127.0.0.0/8, 192.168.1.0/24
    inetinterfaces = all
    relay
    domains =
    homemailbox = Maildir/
    mail
    owner = postfix
    daemondirectory = /usr/libexec/postfix
    command
    directory = /usr/sbin
    queuedirectory = /var/spool/postfix
    config
    directory = /usr/etc/postfix
    smtpdsasllocaldomain = $mydomain
    smtpd
    saslauthenable = yes
    brokensaslauthclients = yes
    smtpd
    recipientrestrictions = permitmynetworks, permitsaslauthenticated, permitinetinterfaces, rejectunauthdestination
    smtpdsaslsecurityoptions = noanonymous
    smtpd
    sasltype = dovecot
    smtpd
    saslpath = private/auth
    data
    directory = /var/lib/postfix
    setgidgroup = postdrop
    alias
    maps = hash:/etc/aliases

    dovecot configuration file is

    basedir = /var/run/dovecot/
    disable
    plaintextauth = no
    listen = *
    mail
    location = Maildir:~/Maildir
    passdb {
    driver = pam
    }
    passdb {
    driver = pam
    }

    protocols = imap pop3
    service auth {
    unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
    }
    }

    service imap-login {
    inetlistener imap {
    address = *
    }
    inet
    listener imaps {
    address = *
    }
    }
    service pop3-login {
    inetlistener pop3 {
    address = *
    }
    }
    ssl = no
    ssl
    cert = </etc/pki/dovecot/certs/dovecot.pem
    sslkey = </etc/pki/dovecot/private/dovecot.pem
    userdb {
    driver = passwd
    }
    userdb {
    driver = passwd
    }
    protocol pop3 {
    pop3
    uidlformat = %08Xu%08Xv
    }
    protocol lda {
    postmaster
    address = postmaster@jobseasily.com
    }

    How can i receive mails from all virtual domain mails including my hostname domain jobseasily.com in outlook

    Thanks

    Rajeev
    rajshardel@gmail.com
    +919810744101

  • My mail server is rejecting email, from everywhere.
    “Recipient address rejected: Access denied;”

    Also port 587 isn’t open, so although Thunderbird can log into the imap to see the empty inbox, it can’t send anything.

    dovecote config:
    http://pastebin.com/Mak5yNyX
    postfix master.cf:
    http://pastebin.com/0VhMXjW0
    postfix main.cf:
    http://pastebin.com/01qXz2qg

  • not works on my server !

  • It works like charm :):)

    I only use a private ssl key, so I ommitted these line:

    in postfix : smtpdtlscert_file=/etc/ssl/certs/mailcert.pem

    in dovecot : ssl_cert = /etc/ssl/certs/mailcert.pem

    I have a question, every time I open the ssh terminal (for example in Windows, the Putty) to write an email ,I cannot find the way to close it:)
    Let me be specif:

    ~# mail someotheremail@gmail.com
    Subject: test email from postfix
    this is a test
    etc
    etc

    Then I have to close the terminal. Is there any other way to send that email WITHOUT need to close the terminal?

    As I said I followed these tutorials and even that I omitted the ssl Cert (I wanted to test it ASAP and that is why I only used the private ssl ) I can send and receive emails:)

    I just need to find the way to send the email without need to close the terminal every time. Any suggestions? Thanx

  • dovecot-imapd pulls dovecot-core as a dependency (at least in Debian), so you don’t need to explicitly install dovecot-core.

  • Very nice.
    This article helped me a lot. Good work.
    But i need also to setup DKIM.
    Lucky for me i find this good article on how to configure DKIM.
    I hope someone will be helped with this.

  • Great post, but I’m having an issue with dovecot (in Ubuntu 14.04 droplet):

    Oct 20 17:27:43 art4software-droplet dovecot: imap-login: Fatal: Couldn’t parse private sslkey: error:0906D06C:PEM routines:PEMread_bio:no start line: Expecting: ANY PRIVATE KEY
    Oct 20 17:27:43 art4software-droplet dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs

    It seems that dovecot has a problem with the ssl_key and crash, so I can not connect with roundcube.

    Any idea?

    Thank you.

  • Ok, it’s solved.

    If someone tries to follow this tutorial using Ubuntu, he must to use a ’<’ character in sslcert and sslkey parameters of Dovecot.

    ssl_cert = </etc/ssl/certs/mailcert.pem
    ssl_key = </etc/ssl/private/mail.key
    
    

    This solves the error of :

     Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
    

    that you can see in /var/log/syslog when you try to access to the email using roundcube.

  • The ssl config of dovecot is missing the angle brackets in your tutorial. I am pretty sure you added it but possibly the system markup has eaten it.

    It should be,

    sslcert = </etc/ssl/certs/mailcert.pem
    ssl
    key = </etc/ssl/private/mail.key

    This ate up 20 minutes of my time at the end of setting up as thunderbird was refusing to connect to the mail server. It took a bit of googling to find out the issue.

  • Love your tutorials. They’ve helped me resolve a couple of issues that I haven’t been able to fix myself or via other peoples tutorials.

    Keep up the good work!

  • I meticulously followed the tutorial, but am confronted with the following error:

    postfix/smtpd[8364]: warning: cannot get RSA private key from file /etc/ssl/private/mail.key: disabling TLS support
    postfix/smtpd[8364]: warning: TLS library problem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:
    postfix/smtpd[8364]: connect from mail-wi0-f175.google.com[209.85.212.175]
    postfix/smtpd[8364]: lost connection after STARTTLS from mail-wi0-f175.google.com[209.85.212.175]
    

    Any thoughts?

  • If you want support for sub-folder you should specifiy this in your dovecot.conf file

    mail_location = maildir:~/Maildir

  • Hi everyone,
    I have a problem with post program configuration, for example Email app in Android Phone. When I send e-mail to my post server, they come. but when I want to configure in Post App I see: wrong name user or password. Where the begin diagnosis? In /var/log/mail.log when I try to connect with my mobile phone, logged: vps dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>. What does it mean?
    Best Regards

  • Great article. It helps me more than many blogs found on google.

  • Hey! Got the most part working, thanks! I can receive mail and read it with mutt and Thunderbird.
    I can also send mail with mutt but not, for some reason, with Thunderbird as it won’t send it away but gets a timeout error (could not send because the connection to SMTP server mail.example.com timed out).

    The only thing I get in the mail.log is this:
    Warning: autocreate plugin is deprecated, use mailbox { auto } setting instead
    Could this warning be realted to my problem?

  • i used this tutorial and i cant get tls to work

  • Hey there,
    i created an ubuntu server, and followed you tutorial: all went fine, except when i opened thunderbird to test it
    I can read and access all messages in my server, but when sendind, hotmail just blocked me … i would like to use this for both personal and semi-professional use (just to say i have a “private mail” :P)

    Is there anything i can do in order to use it normally? if i were to contact a company with a microsoft email, will i get blocked all the time?
    this is the error i got:

    Reporting-MTA: dns; my.domain
    X-Postfix-Queue-ID: B61DA8C0B68
    X-Postfix-Sender: rfc822; user@my.domain
    Arrival-Date: Wed, 24 Jun 2015 15:37:46 +0100 (WEST)
    
    Final-Recipient: rfc822; my_test_mail@hotmail.com
    Original-Recipient: rfc822;my_test_mail@hotmail.com
    Action: failed
    Status: 5.0.0
    Remote-MTA: dns; mx4.hotmail.com
    Diagnostic-Code: smtp; 550 OU-002 (COL004-MC4F40) Unfortunately, messages from
        my.public.ip.address weren't sent. Please contact your Internet service provider
        since part of their network is on our block list. You can also refer your
        provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
    

    I switched to both 587 and 25 ports (none resolved the problem i guess)

    Thanks in advance :]

  • One thing i noticed, your comments’ section is “backwards”, as for when i’m looking for my comment, i have to keep “show more comments” forever, and if i want to know if some recent helpful comment is out there, i have so much wasted time doing that… [sugestion] you could either put it backwards, or mark some as important comments (so they stay on top), or just put a toogle button for most-recent->older-comments and vice versa…

    Thanks again :]

  • Note that the autocreate plugin is deprecated - using it will fill up your log files with warnings every time someone logs in through dovecot. Instead, enable the folders via the /etc/dovecot/conf.d/15-mailboxes.conf file

  • Is there any similar tutorial for CentOS?

  • The Basics to have a web server running with functional with all services?

    wordpress multiple instalations,
    multiple domains,
    multiple emails,
    and security?

    Linux, ngnix, mysql, php, wordpress,

    mail server: postfix,

    POP IMAP server: Dovecot

    email authenticator: DKIM, SPF,

    Email Security: SpamAssassin, Fail2ban

    BIND?

    firewall ??

    CloudFlare is a proxy-cloud service that lets you keep cache of a website on their servers for quick access from any country. One of the advantages of using CloudFlare is security, the vast majority of attacks are blocked by the service (some examples are spammers attacks, bots, spam and spoofers that decrease a lot).

    I want you to please tell me what else to forget, that I might need on my server to have a secure web with all served in emails and safety
    activated.

    I see many people who take care of own hosting is very complicated, not just PML and Wordpress .. as long served as efficient auto responders and others .. so that will work right if you have a service pack installed and configured properly.

  • POODLE!? SSL/TLS security vulnerability.

  • I know it’s been awhile, but I feel an obligation to help those hit by the following error.

    dovecot: imap-login: Fatal: Can’t load private sslkey: Key is for a different cert than sslcert
    dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs

    I found the solution with the guys of StackOverFlow. following URL
    http://stackoverflow.com/questions/23652680/postfix-cannot-get-rsa-private-key-from-file-etc-ssl-private-server-key-disabl

    :-)

  • Thank you, everything works fine, except 1 thing:

    1. (Minor) If I send an email using the mail command, it actually sends it from name@hostname.domain.tld instead of name@domain.tld

    (2. (Major) If I try to use it in Apples mail program it fails.)
    Edit: It was just the self signed certificate, now it works

  • Hi Guys,

    I follow this amazing tutorial and everything work fine :) thank you DigitalOcean

    Just one doubt
    Im able to receive emails from IMAP using SSL/TLS at port 993

    But to send emails it uses the SMTP with STARTTLS at port 587, And this cause gmail always says that my email is not secured.

    What should I do to force postfix and dovecot to use SSL/TLS to send emails?

  • Hi Guys,

    Thanks for this amazing tutorial I have a email server now :)

    I guess one good point to show on tutorial is that u may have to copy 2 files
    /etc/services
    and
    /etc/resolv.conf
    to /var/spool/postfix/etc/

    My server only works after that

    Also there is another point, my emails always goes to the spam and gmail says that is unsecured.
    Is there a way to configure the SMTP to use TSL/SSL instead of STARTTLS?

    Here is my master.cf

    submission inet n - - - - smtpd
    -o syslogname=postfix/submission
    -o smtpdtlswrappermode=no
    -o smtpdtlssecuritylevel=encrypt
    -o smtpdsaslauthenable=yes
    -o smtpdrecipientrestrictions=permitmynetworks,permitsaslauthenticated,reject
    -o miltermacrodaemonname=ORIGINATING
    -o smtpdsasltype=dovecot
    -o smtpdsaslpath=private/auth
    -o smtpdenforcetls=yes
    -o smtpduse_tls=yes


    main.cf
    myhostname = mail.xxxx.com
    myorigin = /etc/mailname
    mydestination = mail.xxxx.com, xxxx.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailboxsizelimit = 0
    recipientdelimiter = +
    inet
    interfaces = all

    aliasmaps = hash:/etc/aliases
    alias
    database = hash:/etc/aliases

    smtpdtlscertfile=/etc/ssl/certs/mailcert.pem
    smtpd
    tlskeyfile=/etc/ssl/private/mail.key
    smtpdusetls=yes
    smtpdtlssessioncachedatabase = btree:${datadirectory}/smtpdscache
    smtptlssessioncachedatabase = btree:${datadirectory}/smtpscache
    smtpdtlssecuritylevel=encrypt
    smtpd
    tls_protocols = !SSLv2, !SSLv3

    localrecipientmaps = proxy:unix:passwd.byname $alias_maps


    dovecot.conf

    disableplaintextauth = no
    mailprivilegedgroup = mail
    maillocation = mbox:~/mail:INBOX=/var/mail/%u
    userdb {
    driver = passwd
    }
    passdb {
    args = %s
    driver = pam
    }
    protocols = “ imap”
    protocol imap {
    mail
    plugins = “ autocreate”
    }
    plugin {
    autocreate = Trash
    autocreate2 = Sent
    autosubscribe = Trash
    autosubscribe2 = Sent
    }
    service auth {
    unixlistener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
    }
    }
    ssl=required
    ssl
    cert = </etc/ssl/certs/mailcert.pem
    ssl_key = </etc/ssl/private/mail.key

  • Hi!
    I hope I have correctly followed your tutorials… if not, so sorry for bothering you with this help request.
    After the simple sending mail test, the mail did not arrived and /var/log/mail.log records the following lines:

    *Jul 13 15:42:14 digitalocean postfix/qmgr[6795]: 3BDABA06EA: from=root@debian-1gb-fra1-A01.cognitia.com.ar, size=406, nrcpt=1 (queue active)
    Jul 13 15:42:14 digitalocean postfix/smtp[9561]: fatal: unknown service: smtp/tcp
    Jul 13 15:42:15 digitalocean postfix/qmgr[6795]: warning: private/smtp socket: malformed response
    Jul 13 15:42:15 digitalocean postfix/qmgr[6795]: warning: transport smtp failure – see a previous warning/fatal/panic logfile record for theproblem description
    Jul 13 15:42:15 digitalocean postfix/master[6793]: warning: process /usr/lib/postfix/smtp pid 9561 exit status 1
    Jul 13 15:42:15 digitalocean postfix/master[6793]: warning: /usr/lib/postfix/smtp: bad command startup – throttling
    Jul 13 15:42:15 digitalocean postfix/error[9562]: 3BDABA06EA: to=alecfunes@hotmail.com, relay=none, delay=1016, delays=1015/1/0/0.01, dsn=4.3.0, status=deferred (unknown mail transport error) *

    I understand the problem would be “fatal: unknown service: smtp/tcp”. If this is the case, I don’t know what to do in order to fix it. Would you be kind enough to help me?
    Thanks!

  • Hi,
    I have followed the Digtial Ocean tutorial for setting up postfix on ubuntu 16.04, (this one: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-on-ubuntu-16-04?comment=49648 ) but I also need dovecot also installed, but there was no tutorial (that I seen on digtial ocean) but this one, but it’s not for ubuntu, is there another tutorial somewhere I can follow for installing dovecot after postifix is already installed on Ubuntu 16.04?

    Thank you
    Brian

    by Justin Ellingwood
    Postfix is a popular open-source Mail Transfer Agent (MTA) that can be used to route and deliver email on a Linux system. It is estimated that around 25% of public mail servers on the internet run Postfix. In this guide, we'll teach you how to get up and running quickly...
  • I can not connect with thunderbird- connection times out. in logs I found this.
    warning: SASL: Connect to private/auth failed: Connection refused

  • I can not connect to smtp using Thunderbird.
    I set 143 for imap, 587 for smtp. starttls for both.
    there is no option for unencrypted password, so i selected “password”
    I also could not get it to work in evolution.
    the test from the command line works both ways

  • the link to the dovecot wiki is broken.

    curl “http://wiki2.dovecot.org/” –head
    < HTTP/1.1 503 Service Temporarily Unavailable

  • Thanks Lukas for that great tutorial.

    One remark: I have a letsencrypt cert for the mail domain. And it looks like it does work with:

    ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/cert.pem
    ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
    

    Any hint, how I can use 2 domains on one server / ip? I guess adding the second domain to “mydestination” in /etc/postfix/master.cf isn’t all I have to do?

  • Thanks how we can configure Exim with dovecot in our server?

Creative Commons License