Building a Linux E-mail Server
Introduction
Whether to manage e-mail in-house or to outsource it is a perennial debate. As always, both have pros and cons, but in this article we go for the managed (in-house) solution and build an e-mail server step by step.
In the article about building a network server we emphasized that the hardware requirements for a server are not high, and we will implement our e-mail server on the same hardware. We consider a small-business case, but everything presented here scales: the same programs can run an ISP or manage your family's e-mail.
Before getting our hands dirty, we must first understand some definitions. A Mail Transfer Agent (MTA) is the program that accepts e-mail messages from, and sends them to, the Internet. A Mail Delivery Agent (MDA), on the other hand, allows your employees to send and receive e-mail from other locations. Therefore, implementing an MDA is essentially building a POP3/SMTP server.
Mail Transfer Agent
Since retrieving messages from the Internet is the key, we must first set up a Mail Transfer Agent. Different distributions ship different default MTAs: Ubuntu and openSuSE use Postfix, whereas Red Hat uses Sendmail. The configuration of these programs is more or less the same for experienced users, but for simplicity we will assume an Ubuntu Server installation with Postfix, so that you can get going without changing the default MTA.
Make sure that you have root access, or you will not be able to save the changes we make here.
Before we touch the configuration, we have to make a note of our system mail name. I will assume mailserver.mycompany.com, and that we also send and receive mail for mycompany.com, localhost.mycompany.com and localhost. The address for localhost is 127.0.0.1 with netmask 255.255.255.0 (127.0.0.1/8 for short). The easiest way to configure Postfix is through the /etc/postfix/main.cf file. Before changing anything, back up the configuration file with cp /etc/postfix/main.cf /etc/postfix/main.cf.old, so that if we mess something up we can easily revert to the original.
Let’s define our system mail configuration:
myhostname = mailserver.mycompany.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mailserver.mycompany.com, mycompany.com, localhost.mycompany.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
To secure e-mail submission, we add SMTP (Simple Mail Transfer Protocol) authentication:
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
We also need to edit the /etc/postfix/sasl/smtpd.conf file. This is simple: append the following parameters at the end of the file:
pwcheck_method: saslauthd
mech_list: plain login
And we configure Postfix to use TLS encryption for both incoming and outgoing e-mail (the may level below offers STARTTLS but does not require it):
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
After making all these changes, restart Postfix with /etc/init.d/postfix restart.
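As an added example (not from the original article), the following Python script parses a main.cf in the format above and audits the relay, SASL and TLS parameters we just set; the sample file is constructed here, and the finding texts and thresholds are my own choices.

```python
import re

# Constructed sample in the shape of /etc/postfix/main.cf (not copied from any host).
SAMPLE_MAIN_CF = """\
myhostname = mailserver.mycompany.com
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
        else:
            key, _, value = (s.strip() for s in raw.partition("="))
            params[key] = value
    return params

def as_list(value):
    # Postfix accepts commas and/or whitespace as list separators.
    return [v for v in re.split(r"[,\s]+", value) if v]

def audit(params):
    """Findings for the relay, SASL and TLS settings the article changes."""
    out = []
    restr = as_list(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in restr:
        out.append("relay: reject_unauth_destination missing (open relay)")
    elif "permit" in restr[:restr.index("reject_unauth_destination")]:
        # Restrictions are evaluated in order; an unconditional permit before the reject wins.
        out.append("relay: unconditional 'permit' precedes reject_unauth_destination")
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        out.append("sasl: smtpd_sasl_auth_enable is not yes")
    if "noanonymous" not in as_list(params.get("smtpd_sasl_security_options", "")):
        out.append("sasl: anonymous mechanisms allowed (add noanonymous)")
    if params.get("smtpd_tls_security_level", "none") == "none":
        out.append("tls: STARTTLS not offered (smtpd_tls_security_level = none)")
    elif params.get("smtpd_tls_auth_only", "no") != "yes":
        # With mech_list 'plain login' and level 'may', a client skipping STARTTLS sends the password in clear.
        out.append("tls: smtpd_tls_auth_only = no allows PLAIN/LOGIN over cleartext sessions")
    return out
```

Run audit(parse_main_cf(open("/etc/postfix/main.cf").read())) on the server; with the article's settings the only finding is the cleartext-AUTH one, which smtpd_tls_auth_only = yes removes.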
Mail Delivery Agent
After we complete our tasks with the MTA, we move on to the Mail Delivery Agent, for which we will use Dovecot. Dovecot is configured through the /etc/dovecot.conf file; again, back it up first to be safe with cp /etc/dovecot.conf /etc/dovecot.conf.old.
To make our users' lives easier, we will let them use their UNIX usernames and passwords as their e-mail usernames and passwords. For this, we will go with Pluggable Authentication Modules (PAM) and authenticate the users against their shadow passwords.
In addition, we have to decide between maildir and mbox storage. Both have their pros and cons, but we will go with the maildir option.
Now, open the /etc/dovecot.conf file and amend the following lines:
protocols = imap imaps pop3 pop3s
imap_listen = *
pop3_listen = *
imaps_listen = *
pop3s_listen = *
OK, we have enabled POP3 and IMAP, and their TLS-wrapped variants (pop3s and imaps), for Dovecot. Amend the following line to enable maildir:
mail_location = maildir:/home/%u/Maildir
We must make Postfix aware that it delivers into a maildir, so we go back to /etc/postfix/main.cf and set home_mailbox to Maildir/ (home_mailbox = Maildir/). You can also set up users' default mail folders such as Inbox, Sent, Trash, Drafts and Templates; I will point you to Dovecot's website to go through that configuration and experiment yourself to some extent.
Finally, we configure PAM. Note that the passdb pam blocks below are written in Dovecot's own syntax, so they belong in /etc/dovecot.conf and not in a file under /etc/pam.d/; their args value selects which PAM service file is consulted. These two variants use /etc/pam.d/imap and /etc/pam.d/pop3 (args = *) or /etc/pam.d/mail (args = mail):
passdb pam {
  # use /etc/pam.d/imap and /etc/pam.d/pop3
  args = *
}
passdb pam {
  # use /etc/pam.d/mail
  args = mail
}
For our setup, add the following to /etc/dovecot.conf instead; it makes Dovecot consult /etc/pam.d/dovecot, which must contain ordinary PAM directives (the Ubuntu dovecot package normally installs one):
passdb pam {
  args = session=yes dovecot
}
Recommendations
If you are running a small business, I definitely suggest that you outsource your e-mail management. In-house e-mail management sounds too good to be true, but keep in mind that the downtime that will inevitably occur will be intolerable. Add regular e-mail backups to this picture and you will be starting a very difficult and very costly adventure.
This post is part of the series: Building a Linux Server
In this series we look at building and configuring a Linux server from scratch. We will look at configuration in detail and we will determine ways to keep our server as secure as possible.