====== Postfix + Dovecot on CentOS ======
  * CentOS 7
  * Possible on one system, or on two separate systems (all connections between Postfix and Dovecot go over the network).
  * One user database (SASL served by Dovecot).
  * Virtual users (no Unix users on the system for the users of the mail store).
  * Delivery from Postfix to Dovecot with LMTP over localhost or the public IP on 24/tcp.
  * SASL username/password lookups over localhost or the public IP on 12345/tcp.
  * 2 mailboxes (2 mail addresses each).

^ ^ mailbox 1 ^ mailbox 2 ^
| username: | sv | ln |
| addresses: | info@example.com | info@example2.com |
| | sv@example.com | ln@example2.com |
===== Postfix =====
Hostname: vps1.laboratory.local

Software:
<code>
yum install postfix
</code>
Make x509 certs:
<code>
openssl req -utf8 -newkey rsa:2048 -keyout /etc/postfix/tls.key -nodes -x509 -days 3650 -out /etc/postfix/tls.crt -set_serial 0
</code>
Firewall ports:
<code>
firewall-cmd --add-port={25/tcp,587/tcp} --permanent
firewall-cmd --reload
</code>
In: /etc/postfix/master.cf (the ''-o'' override lines of the 587 entry must be indented, otherwise Postfix reads them as new service entries)
<code>
#
smtp      inet  n       -       n       -       -       smtpd
#
587       inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
</code>
In: /etc/postfix/main.cf (SASL is switched off here and only enabled in the 587 entry of master.cf, so AUTH is offered on the submission port alone; ''smtpd_tls_auth_only'' additionally refuses AUTH before STARTTLS)
<code>
data_directory = /var/lib/postfix
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
smtpd_tls_cert_file = /etc/postfix/tls.crt
smtpd_tls_key_file = /etc/postfix/tls.key
smtpd_use_tls = yes
smtpd_banner = postoffice.laboratory.local ESMTP
disable_vrfy_command = yes
biff = no
append_dot_mydomain = no
myhostname = vps1.laboratory.local
myorigin = laboratory.local
mydestination = vps1.laboratory.local, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
virtual_alias_domains = /etc/postfix/virtual-domains
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:vps2.laboratory.local:12345
smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination
</code>
In: /etc/postfix/virtual-domains
<code>
example.com
example2.com
</code>
In: /etc/postfix/virtual
<code>
# e-mail addr.: username @ servername (of the Dovecot server):
info@example.com sv@vps2.laboratory.local
sv@example.com sv@vps2.laboratory.local
info@example2.com ln@vps2.laboratory.local
ln@example2.com ln@vps2.laboratory.local
</code>
After editing:
<code>
postmap /etc/postfix/virtual
</code>
In: /etc/postfix/transport
<code>
sv@vps2.laboratory.local lmtp:vps2.laboratory.local:24
ln@vps2.laboratory.local lmtp:vps2.laboratory.local:24
</code>
After editing:
<code>
postmap /etc/postfix/transport
</code>
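The three map files above decide, together with ''mydestination'' and ''smtpd_recipient_restrictions'' in main.cf, what happens to every RCPT TO address: a domain in virtual-domains is accepted, its address is rewritten through the virtual map, and the rewritten address is routed through the transport map to LMTP on vps2. Two things are easy to get wrong and silent when wrong: an alias whose target has no transport entry is not rejected but handed to Postfix's default ''smtp'' transport (SMTP to the target domain's MX, not LMTP on port 24), and an unknown local part in a virtual domain is rejected by Postfix itself. The Python below is an added example, not part of this howto: it models the lookup order documented in virtual(5) and transport(5) with the page's map contents embedded as constructed input, and assumes the main.cf values shown earlier (''mydestination'', ''recipient_delimiter = +'') plus Postfix's default transport. It is a model for reasoning about the maps; ''postmap -q'' against the real files remains the authoritative check.

```python
import re

# Constructed sample input: the three map files from this howto, embedded inline.
VIRTUAL_DOMAINS_TXT = "example.com\nexample2.com\n"
VIRTUAL_TXT = """\
# e-mail addr.: username @ servername (of the Dovecot server):
info@example.com sv@vps2.laboratory.local
sv@example.com sv@vps2.laboratory.local
info@example2.com ln@vps2.laboratory.local
ln@example2.com ln@vps2.laboratory.local
"""
TRANSPORT_TXT = """\
sv@vps2.laboratory.local lmtp:vps2.laboratory.local:24
ln@vps2.laboratory.local lmtp:vps2.laboratory.local:24
"""
MYDESTINATION = {"vps1.laboratory.local", "localhost"}   # main.cf on this page
RECIPIENT_DELIMITER = "+"                                 # main.cf on this page
DEFAULT_TRANSPORT = "smtp"                                # Postfix built-in default


def parse_map(text):
    """postmap-style text map: key, whitespace, value; '#' lines are comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = re.split(r"\s+", line, maxsplit=1)
            entries[key.lower()] = value
    return entries


def split_address(addr):
    local, _, domain = addr.lower().rpartition("@")
    base, _, ext = local.partition(RECIPIENT_DELIMITER)
    return base, ext, domain


def lookup_virtual(addr, vmap):
    """virtual_alias_maps order for a remote domain: user+ext@domain, user@domain,
    @domain. An unmatched +extension is propagated to the target (Postfix default)."""
    base, ext, domain = split_address(addr)
    if ext and f"{base}+{ext}@{domain}" in vmap:
        return vmap[f"{base}+{ext}@{domain}"]
    target = vmap.get(f"{base}@{domain}") or vmap.get(f"@{domain}")
    if target is None:
        return None
    if target.startswith("@"):                 # @domain -> @otherdomain keeps the local part
        target = f"{base}{target}"
    if ext:
        tlocal, _, tdomain = target.rpartition("@")
        target = f"{tlocal}{RECIPIENT_DELIMITER}{ext}@{tdomain}"
    return target


def lookup_transport(addr, tmap):
    """transport_maps order: user+ext@domain, user@domain, domain, .parent.domain, *"""
    base, ext, domain = split_address(addr)
    keys = ([f"{base}+{ext}@{domain}"] if ext else []) + [f"{base}@{domain}", domain]
    labels = domain.split(".")
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))] + ["*"]
    for key in keys:
        if key in tmap:
            transport, _, nexthop = tmap[key].partition(":")
            return transport, nexthop
    return None


def resolve(recipient, vdomains, vmap, tmap, authenticated=False):
    """What Postfix, configured as on this page, does with one RCPT TO address."""
    _, _, domain = split_address(recipient)
    if domain in MYDESTINATION:
        return {"status": "deliver", "transport": "local", "address": recipient.lower()}
    if domain not in vdomains:
        if not authenticated:                  # reject_unauth_destination
            return {"status": "reject", "reason": "relay access denied"}
        return {"status": "deliver", "transport": DEFAULT_TRANSPORT, "address": recipient.lower()}
    target = lookup_virtual(recipient, vmap)   # Postfix repeats this on the result; the
    if target is None:                         # targets here carry no further alias
        return {"status": "reject", "reason": "user unknown in virtual alias table"}
    route = lookup_transport(target, tmap)
    if route is None:
        return {"status": "warning", "address": target,
                "reason": f"no transport_maps entry: falls back to {DEFAULT_TRANSPORT} "
                          "(SMTP to the domain's MX on port 25), not LMTP"}
    return {"status": "deliver", "address": target, "transport": route[0], "nexthop": route[1]}


def check_all_aliases(vdomains, vmap, tmap):
    """Audit every alias in the virtual map: {alias: resolve(...) result}."""
    return {a: resolve(a, vdomains, vmap, tmap) for a in vmap if not a.startswith("@")}


VDOMAINS = {l.strip().lower() for l in VIRTUAL_DOMAINS_TXT.splitlines() if l.strip()}
VMAP, TMAP = parse_map(VIRTUAL_TXT), parse_map(TRANSPORT_TXT)

if __name__ == "__main__":
    for alias, result in check_all_aliases(VDOMAINS, VMAP, TMAP).items():
        print(alias, "->", result)
    print(resolve("sv+lists@example.com", VDOMAINS, VMAP, TMAP))
    print(resolve("someone@elsewhere.example", VDOMAINS, VMAP, TMAP))
```

Run it after each edit of the maps, or adapt ''check_all_aliases'' to read the real files: every alias should come back as ''deliver'' via ''lmtp'' to ''vps2.laboratory.local:24'', and a ''warning'' marks a target that would leave the host over plain SMTP instead.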
===== Dovecot =====
//The SELinux configuration is outside the scope of this howto.//

Hostname: vps2.laboratory.local

Firewall:
<code>
firewall-cmd --add-port={24/tcp,143/tcp,993/tcp,4190/tcp,12345/tcp} --permanent
firewall-cmd --reload
</code>
Software:
<code>
yum install dovecot
</code>
And add, for Sieve:
<code>
yum install dovecot-pigeonhole
</code>
Create directories and files:
<code>
mkdir /var/dovecot/
mkdir /var/dovecot/mail
mkdir /var/dovecot/sieve
mkdir /var/dovecot/conf
#
touch /var/dovecot/conf/users
#
chown -R dovecot:dovecot /var/dovecot
touch /var/log/dovecot.log
chown dovecot:dovecot /var/log/dovecot.log
</code>
Make x509 certs:
<code>
openssl req -utf8 -newkey rsa:2048 -keyout /var/dovecot/conf/tls.key -nodes -x509 -days 3650 -out /var/dovecot/conf/tls.crt -set_serial 0
</code>
Create usernames and passwords (for the SASL database):

The IMAP users are created by adding a line to the users file. It has two columns, separated by a colon: the first column is the username, the second column contains the SHA512-CRYPT hash, which can be generated by executing:
<code>
doveadm pw -s SHA512-CRYPT
</code>
The result in /var/dovecot/conf/users will look like:
<code>
...
sv:{SHA512-CRYPT}$6$T5tUmkrjF2mAbo9G$3EEvR08UCHb11KCmCHbCaPcd1xv7CylpfdZgu3gv0WddRZGoF1drU62aHHEU9U4VTeTsM/wlxI2svBXsd7auX0
...
ln:{SHA512-CRYPT}$6$RHC1lIs0bS.ggVzR$NRaTNB.SJW7.sTcFbMcbfRZdJwEllNCM4zmROOxhiTBqQr4B4oxFnOAA1I.BknbKbSZ7uuvk5Z6k3JjT1Jonq/
...
</code>
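What ''doveadm pw -s SHA512-CRYPT'' writes into the second column is a ''$6$salt$hash'' string: the SHA-crypt construction from Ulrich Drepper's specification, 5000 rounds of SHA-512 by default over the password and a 16-character salt, which is why one user's hash cannot be reused for another and why a guess costs thousands of hash operations. The Python below is an added example, not part of this howto. It re-implements that scheme with only ''hashlib'' (checked against the specification's published test vector, password "Hello world!" with salt "saltstring"), parses the passwd-file format, verifies a candidate password against an entry, builds a new entry with a random salt, and audits a file for entries that use an unsalted or malformed scheme. The two hashes in the sample are the page's own; the ''legacy'' user with its ''{PLAIN}'' password is constructed so the audit has something to flag.

```python
import hashlib
import hmac
import secrets

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SLOW_SALTED = {"SHA512-CRYPT", "SHA256-CRYPT", "BLF-CRYPT", "ARGON2I", "ARGON2ID"}

# Constructed sample users file: the howto's two entries plus a weak one to flag.
SAMPLE_USERS = """\
sv:{SHA512-CRYPT}$6$T5tUmkrjF2mAbo9G$3EEvR08UCHb11KCmCHbCaPcd1xv7CylpfdZgu3gv0WddRZGoF1drU62aHHEU9U4VTeTsM/wlxI2svBXsd7auX0
ln:{SHA512-CRYPT}$6$RHC1lIs0bS.ggVzR$NRaTNB.SJW7.sTcFbMcbfRZdJwEllNCM4zmROOxhiTBqQr4B4oxFnOAA1I.BknbKbSZ7uuvk5Z6k3JjT1Jonq/
legacy:{PLAIN}secret1
"""


def sha512_crypt(password, salt, rounds=5000):
    """SHA512-CRYPT ($6$) per Drepper's SHA-crypt spec, the scheme doveadm pw emits."""
    pw, sb = password.encode("utf-8"), salt[:16].encode("utf-8")
    b = hashlib.sha512(pw + sb + pw).digest()            # digest B
    a = hashlib.sha512(pw + sb)                          # digest A: pw, salt, then B ...
    n = len(pw)
    while n > 64:
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(pw)
    while n:                                             # ... then B or pw per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    digest = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()           # P and S: password/salt-derived
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]             # byte strings used in every round
    ds = hashlib.sha512(sb * (16 + digest[0])).digest()
    s = (ds * (len(sb) // 64 + 1))[:len(sb)]
    for i in range(rounds):                              # the deliberately slow part
        c = hashlib.sha512(p if i & 1 else digest)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(digest if i & 1 else p)
        digest = c.digest()
    out = []
    for g in range(21):                                  # crypt's byte transposition
        base = (g, g + 21, g + 42)
        i0, i1, i2 = (base[(g + k) % 3] for k in range(3))
        w = (digest[i0] << 16) | (digest[i1] << 8) | digest[i2]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    w = digest[63]
    for _ in range(2):
        out.append(B64[w & 0x3F])
        w >>= 6
    rounds_part = "" if rounds == 5000 else f"rounds={rounds}$"
    return f"$6${rounds_part}{salt[:16]}$" + "".join(out)


def parse_users_file(text):
    """passwd-file lines: user:{SCHEME}hash[:uid:gid:gecos:home:shell:extra]."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        field, scheme = rest.split(":", 1)[0], None
        if field.startswith("{") and "}" in field:
            scheme, field = field[1:field.index("}")].upper(), field[field.index("}") + 1:]
        entries[user] = (scheme, field)
    return entries


def verify_password(password, scheme, field):
    """Check a candidate password against one SHA512-CRYPT entry (constant-time compare)."""
    if scheme != "SHA512-CRYPT" or not field.startswith("$6$"):
        return False
    parts = field.split("$")                             # ['', '6', ['rounds=N',] salt, hash]
    rounds = int(parts[2][7:]) if parts[2].startswith("rounds=") else 5000
    computed = sha512_crypt(password, parts[-2], rounds).split("$")[-1]
    return hmac.compare_digest(computed, parts[-1])


def new_entry(user, password):
    """A fresh users-file line with a random 16-character salt."""
    salt = "".join(secrets.choice(B64) for _ in range(16))
    return f"{user}:{{SHA512-CRYPT}}{sha512_crypt(password, salt)}"


def audit_users_file(entries):
    """Flag entries whose scheme is not salted and iterated, or whose field is malformed."""
    findings = []
    for user, (scheme, field) in entries.items():
        if scheme not in SLOW_SALTED:
            findings.append(f"{user}: scheme {scheme or '(file default)'} is not a salted, iterated hash")
        elif scheme == "SHA512-CRYPT":
            parts = field.split("$")
            if len(parts) < 4 or parts[1] != "6" or not 1 <= len(parts[-2]) <= 16 or len(parts[-1]) != 86:
                findings.append(f"{user}: malformed SHA512-CRYPT field")
    return findings


if __name__ == "__main__":
    print(new_entry("sv", "correct horse battery staple"))
    print(audit_users_file(parse_users_file(SAMPLE_USERS)))
```

Point ''parse_users_file'' at the real /var/dovecot/conf/users to audit it; ''verify_password'' is useful when migrating entries between hosts to confirm a copied hash still matches before the old server is switched off.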
In: /etc/dovecot/dovecot.conf
<code>
log_path = /var/log/dovecot.log
mail_location = maildir:/var/dovecot/data/%n/mail
auth_mechanisms = plain login
disable_plaintext_auth = no
#ssl_ca =
</code>
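The dovecot.conf above sets the log, the mail location and the auth mechanisms, but not the parts that the ports and paths named earlier in this howto depend on: a password database that reads /var/dovecot/conf/users, the LMTP listener on 24/tcp that the Postfix transport map points at, the auth listener on 12345/tcp behind ''smtpd_sasl_path'', and the certificate files created above. The fragment below is an added example, not the howto's own configuration. The ports and file paths are the page's; ''ssl = required'', the ''username_format'' and the dedicated ''vmail'' owner in the userdb are this example's assumptions (the page chowns the tree to dovecot:dovecot; the owner's uid must not be below Dovecot's ''first_valid_uid''). With the page's ''disable_plaintext_auth = no'' a client may send its password over an unencrypted 143 session; ''ssl = required'' closes that on the Dovecot side, as ''smtpd_tls_auth_only = yes'' already does on the Postfix side. Neither the LMTP nor the auth listener authenticates its client, so when they are bound to the public IP they should be reachable only from vps1 (a firewalld source restriction, not shown on this page).

```conf
# Added example, not the howto's own dovecot.conf. Ports and paths are the page's;
# ssl = required, username_format and the vmail owner are this example's choices.
protocols = imap lmtp sieve

ssl = required
ssl_cert = </var/dovecot/conf/tls.crt
ssl_key = </var/dovecot/conf/tls.key

# The single user database; it also answers Postfix's SASL lookups.
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%n /var/dovecot/conf/users
}
# Virtual users: every mailbox is owned by one unprivileged system account
# (assumed here: vmail; its uid must not be below first_valid_uid).
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/dovecot/data/%n
}

# LMTP delivery from Postfix (transport_maps: lmtp:vps2.laboratory.local:24).
service lmtp {
  inet_listener lmtp {
    port = 24
  }
}

# SASL lookups from Postfix (smtpd_sasl_path = inet:vps2.laboratory.local:12345).
service auth {
  inet_listener {
    port = 12345
  }
}
```

After changing the file, ''doveconf -n'' shows the effective settings and ''systemctl reload dovecot'' applies them; the 4190/tcp port opened in the firewall above belongs to the managesieve service that ''sieve'' in ''protocols'' enables.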
Enable and start Dovecot:
<code>
systemctl start dovecot
systemctl enable dovecot
</code>
Make a connection to each mailbox with a MUA (mutt or Thunderbird) first, **before** sending mail to the LMTP connection. This lets Dovecot create the mail folder structure in which the mailbox is stored. See /var/dovecot/data/ (each username has its own directory there).

Connection info for the MUA:
<code>
IMAP host:port = vps2.laboratory.local : 993
SMTP host:port = vps1.laboratory.local : 587
loginname = sv
</code>
Test with:
<code>
telnet vps1.laboratory.local 25
</code>
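The telnet session shows that Postfix answers; what is worth confirming afterwards is the property main.cf and master.cf above are meant to establish: STARTTLS is offered, AUTH is never offered before STARTTLS (''smtpd_tls_auth_only = yes''), and AUTH appears on 587 only (''smtpd_sasl_auth_enable'' is switched on in the submission entry alone). The Python below is an added example, not part of this howto. ''audit_ehlo'' evaluates the EHLO replies before and after STARTTLS and is exercised with constructed replies modelled on Postfix's reply format, not captured from the page's server; ''probe'' runs the same check live with the standard library's ''smtplib'' against a host and port you pass. Give it the server certificate or its CA as ''cafile'' so the handshake is verified (the page's certificate is self-signed, so the default trust store will not accept it).

```python
import smtplib
import ssl

# Constructed EHLO replies in Postfix's format (not captured from the page's hosts).
EHLO_PORT25_BEFORE_TLS = """\
250-vps1.laboratory.local
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
EHLO_PORT587_AFTER_TLS = """\
250-vps1.laboratory.local
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def ehlo_extensions(reply):
    """Parse an EHLO reply (raw '250-' lines or smtplib's stripped form) into {KEYWORD: params}."""
    exts = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:                       # the first line is the server's hostname
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        keyword, _, params = line.partition(" ")
        exts[keyword.upper()] = params
    return exts


def audit_ehlo(before_tls, after_tls, submission):
    """Findings for one port: before_tls is the first EHLO reply, after_tls the reply
    after STARTTLS (None if STARTTLS was not offered); submission marks port 587."""
    findings = []
    pre = ehlo_extensions(before_tls)
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    if "AUTH" in pre:
        findings.append("AUTH offered before STARTTLS: smtpd_tls_auth_only is not in effect")
    if after_tls is not None:
        post = ehlo_extensions(after_tls)
        if submission and "AUTH" not in post:
            findings.append("submission port offers no AUTH after STARTTLS")
        if not submission and "AUTH" in post:
            findings.append("port 25 offers AUTH: smtpd_sasl_auth_enable is not limited to submission")
    return findings


def probe(host, port, cafile=None, timeout=10):
    """Live check: EHLO, STARTTLS (verified against cafile), EHLO again, then audit."""
    ctx = ssl.create_default_context(cafile=cafile)
    submission = port == 587
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, before = smtp.ehlo()
        before = before.decode("ascii", "replace")
        if "STARTTLS" not in ehlo_extensions(before):
            return audit_ehlo(before, None, submission)
        smtp.starttls(context=ctx)
        _, after = smtp.ehlo()
        return audit_ehlo(before, after.decode("ascii", "replace"), submission)


if __name__ == "__main__":
    print("constructed 25/587:", audit_ehlo(EHLO_PORT25_BEFORE_TLS, EHLO_PORT587_AFTER_TLS, True))
    # Live, against the howto's hosts (assumes network reachability and the cert file):
    # print(probe("vps1.laboratory.local", 587, cafile="/etc/postfix/tls.crt"))
    # print(probe("vps1.laboratory.local", 25, cafile="/etc/postfix/tls.crt"))
```

An empty list from ''probe'' on both ports is the expected result for the configuration on this page; a finding on port 25 after a later edit of main.cf is the usual sign that ''smtpd_sasl_auth_enable'' was turned on globally instead of in the 587 entry.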