
MAIL SERVER SET UP IN UBUNTU

Fire up an Ubuntu 12.04 AWS Instance with a Suitable Security Group


Start up an Elastic Block Store (EBS) server instance - at the time of writing, Ubuntu 12.04 is one of the options right there in the quick start menu for launching a new instance. Mail servers don't generally have to be all that big if you aren't in the business of email; a micro instance has served me just fine for a fairly well trafficked web site with a mailing list of thousands, for example. That said, the server produced by following this guide runs at close to 80% memory utilization for a micro instance when operating unloaded - a sudden blizzard of unexpected web traffic would probably cause issues. So adjust your expectations accordingly.

Firewall settings in AWS are managed through assignment of Security Groups. You'll probably want to create one before starting the server. The Security Group should allow inbound TCP traffic from any IP address to these ports: 25 (SMTP), 80 (HTTP), 110 (POP3), 143 (IMAP), 443 (HTTPS), 465 (SMTPS), 993 (IMAPS), and 995 (POP3S). Ports 110 and 143 start out unencrypted and upgrade with STARTTLS; the Dovecot setting disable_plaintext_auth = yes configured later in this guide is what stops passwords crossing them in the clear, so do not expose them without it. That is in addition to whatever rules you might have for SSH access over port 22 - it is not a good idea to leave that open to the world, so lock it down to the IP address ranges you use.

In fact it is a good idea to restrict all inbound traffic to the server to your IP address ranges while you are building it. You can adjust the rules to allow traffic from the rest of the world after you're certain that everything is secure and shipshape.
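Before the rules are widened, it is worth confirming that nothing other than the services just listed is bound to all interfaces; the security group is a second line of defence, not a substitute for daemons listening only where they should. The following script is an added example, not part of the original guide. It assumes the column layout of `ss -ltn` output (local address in the fourth column) and audits a constructed sample of that output in which MySQL and the Postfix re-injection port are deliberately misbound:

```shell
#!/bin/sh
# Added example, not part of the original guide. Lists the TCP ports bound to a
# wildcard address and flags any that are not in the set the guide intends to expose
# (22 plus the mail and web ports). Daemons that should only listen on loopback
# (MySQL, memcached, the Amavis/Postfix re-injection ports) show up here when they
# are misconfigured, whatever the security group allows.
# Assumptions: `ss -ltn` output with its header line removed (column 4 is
# Local Address:Port). SAMPLE_SS is constructed: MySQL (3306) and the Postfix
# re-injection port (10025) are deliberately bound to 0.0.0.0.

ALLOWED_PORTS="22 25 80 110 143 443 465 993 995"

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTE 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 100 0.0.0.0:110 0.0.0.0:*
LISTEN 0 100 0.0.0.0:143 0.0.0.0:*
LISTEN 0 100 0.0.0.0:465 0.0.0.0:*
LISTEN 0 100 0.0.0.0:993 0.0.0.0:*
LISTEN 0 100 0.0.0.0:995 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 100 127.0.0.1:10024 0.0.0.0:*
LISTEN 0 100 0.0.0.0:10025 0.0.0.0:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 [::]:443 [::]:*'

# Print, one per line and sorted numerically, every port bound to a wildcard
# address (0.0.0.0, *, :: or [::]) that is not in ALLOWED_PORTS. $1: ss output.
unexpected_public_ports() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            addr = $4
            if (addr ~ /^(0\.0\.0\.0|\*|::|\[::\]):[0-9]+$/) {
                sub(/.*:/, "", addr)          # keep only the port
                if (!(addr in ok)) print addr
            }
        }' | sort -un
}

# Exit status 0 when nothing unexpected is exposed, 1 otherwise; names the offenders.
audit_exposure() {
    bad=$(unexpected_public_ports "$1")
    if [ -z "$bad" ]; then
        return 0
    fi
    printf 'unexpected wildcard listeners on ports: %s\n' "$(printf '%s' "$bad" | tr '\n' ' ')"
    return 1
}

# Run against the constructed sample; pass --live to audit the host this runs on.
if [ "${1:-}" = "--live" ]; then
    audit_exposure "$(ss -ltn | tail -n +2)"
else
    unexpected_public_ports "$SAMPLE_SS"   # prints 3306 and 10025 for the sample
fi
```

Run it with `--live` on the server itself; anything it prints should be moved to a loopback binding (for MySQL, `bind-address = 127.0.0.1` in /etc/mysql/my.cnf) before the security group is opened up.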
For details, follow the link below, which covers building the mail server configuration from scratch:

https://www.exratione.com/2012/05/a-mailserver-on-ubuntu-1204-postfix-dovecot-mysql/
STEPS TO FOLLOW
REQUIRED APPLICATIONS TO INSTALL:
• Postfix: sends and receives mail via the SMTP protocol. It will only relay mail on to other mailservers if the mail is sent by an authenticated user, but anyone can send mail to this server for local delivery.
• Dovecot: a POP and IMAP server that manages local mail directories and allows users to log in and download their mail. It also handles user authentication.
• Postgrey: greylists incoming mail, requiring unfamiliar deliverers to wait for a while and then resend. This is one of the better tools for cutting down on spam.
• amavisd-new: a manager for organizing various antivirus and spam checking content filters.
• Clam AntiVirus: a virus detection suite.
• SpamAssassin: for sniffing out spam in emails.
• Postfix Admin: a web front end for administering mail users and domains.
• Webmail: which one to use depends on the users. Roundcube, Horde and SquirrelMail are among the options, and any of them can serve as the webmail front end through which users send and receive mail.

Configuration process:
STEP 1:
The host name should be configured. Use the following command to change the host name:
Command:
    hostname mail.example.com
This takes effect immediately but does not survive a reboot; put the same name in /etc/hostname as well. The host name also needs an entry in /etc/hosts: add it to the first line of that file using a text editor, so that it looks like:
    127.0.0.1 mail.example.com localhost
STEP 2:
Now you'll want to regenerate the server's default self-signed SSL certificate so that it matches the domain name. You may have purchased an SSL certificate for your mail server, but it is perfectly possible to run a mail server using a self-signed certificate. The traffic is still encrypted; what a self-signed certificate cannot do is prove to clients that they are talking to your server rather than an impostor, so the consequences will be warning screens when using webmail hosted on the server and warnings from Microsoft Outlook when connecting via POP, IMAP, or SMTP. Users who are trained to click through those warnings will also click through when someone on the path substitutes a certificate of their own, which is the real cost of this choice. Use the following commands to install the ssl-cert package and regenerate the snakeoil certificate:
    apt-get install ssl-cert
    make-ssl-cert generate-default-snakeoil --force-overwrite
STEP 3:
Now build a LAMP web server. You will need the mailserver to also be a LAMP (Linux, Apache, MySQL, PHP) web server, since you will want webmail and a web-based administrative interface for managing users. So turning your Ubuntu instance into a web server is a good place to start. There is a shortcut to install the basic LAMP packages, so start by updating the repository data and installing the packages. Notice the '^' at the end of the command there - it is necessary, as it tells apt-get to install the lamp-server task rather than a package of that name:
    apt-get update
    apt-get upgrade
    apt-get install lamp-server^
During this install you will be asked to choose a root password for MySQL. Choose something sensible, and then move on to adding an array of basic additional packages for PHP - such as APC bytecode caching, memcache support, cURL, an XML parser, and GD image processing. Add more to suit your own taste and the applications you want to support on this server. Use the following command to install these modules:
    apt-get install php-apc php5-memcache php5-curl php5-gd php-xml-parser
STEP 4:
Configure PHP. The default configuration for PHP and the additional packages mentioned above is sufficient for most casual usage. So unless you have something complicated or high-powered in mind, you should probably only change the expose_php setting in /etc/php5/apache2/php.ini. Set it to 'Off':
    ; Decides whether PHP may expose the fact that it is installed on the server
    ; (e.g. by adding its signature to the Web server header). It is no security
    ; threat in any way, but it makes it possible to determine whether you use PHP
    ; on your server or not.
    ; http://php.net/expose-php
    expose_php = Off
STEP 5:
Configure Apache. The expected end result for Apache is that it will serve a single site with a couple of running web applications: webmail and Postfix Admin, hidden away in a subdirectory. All traffic will be directed to HTTPS - there is no good reason to allow non-secure access to any of what will be on the web server. Firstly configure the following lines in /etc/apache2/conf.d/security to minimize the information that Apache gives out in its response headers:
    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    #
    ServerTokens Prod

    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of:  On | Off | EMail
    #
    ServerSignature Off
Make sure that mod_rewrite, mod_ssl, and the default SSL virtual host are enabled - you'll need these to be able to force visitors to use HTTPS:
    a2enmod rewrite ssl
    a2ensite default-ssl
The default site configuration in /etc/apache2/sites-available/default can be edited to look something like this for the sake of simplicity (AllowOverride All is what later lets the .htaccess files for the HTTPS redirect and the setup.php lockdown take effect):
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory "/">
            Options FollowSymLinks
            AllowOverride All
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
But of course your taste and needs may vary. Keeping the same simple approach, the upper portion of the SSL configuration in /etc/apache2/sites-available/default-ssl can be set up as follows:
    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory "/">
            Options FollowSymLinks
            AllowOverride All
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        # ... more default SSL configuration ...

        # You will probably need to change this next Directory directive as well
        # in order to match the earlier one.
        <Directory "/">
            SSLOptions +StdEnvVars
        </Directory>

        # ... yet more default SSL configuration ...
If you are using a purchased rather than self-signed SSL certificate, and you probably have a CA certificate bundle from the issuer, then you'll want to further change these lines in /etc/apache2/sites-enabled/default-ssl:
    #   A self-signed (snakeoil) certificate can be created by installing
    #   the ssl-cert package. See
    #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    SSLCertificateFile    /path/to/my/cert.crt
    SSLCertificateKeyFile /path/to/my/key.key

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    SSLCertificateChainFile /path/to/my/ca-bundle.crt
Keep the private key file owned by root with mode 0600; Apache reads it while still running as root, before it drops privileges.
To push visitors to HTTPS, put something similar to the following snippet into /var/www/.htaccess:
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*) https://mail.example.com/$1 [L]
Because the target is an absolute URL, mod_rewrite answers with an external redirect rather than an internal rewrite; add R=301 to the flags if you want browsers to remember it as permanent.
STEP 6:
Install and Configure Memcached. You will need to install Memcached to support the webmail applications intended to run on this server:
    apt-get install memcached
The default configuration file at /etc/memcached.conf is good enough for a small server: it locks down access to localhost (the -l 127.0.0.1 line) and provides generally sensible configuration parameter values. Memcached has no authentication of its own, so keep that loopback binding. If you are building a larger machine for heavy usage, you will probably want to bump the memory allocation to be higher than the default of 64M:
    # Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
    # Note that the daemon will grow to this size, but does not start out holding this much
    # memory
    -m 64
STEP 7:
Install the Mailserver Packages. Now we're ready to start in on the harder stuff. As for the LAMP server, there is a shortcut for installing the basic packages for a mail server. Again, note the '^' at the end of the command:
    apt-get install mail-server^
When Postfix installs, you will be asked to choose a general type of mail configuration - select 'Internet site'. You will be asked for the system mail name, which is the hostname of your mailserver - e.g. mail.example.com. What this gives you is pretty much just bare bones, aimed at a mailserver that manages its users as straightforward Unix users, and which doesn't use a SQL database to store data. So we need the rest of the cast - such as MySQL support for Postfix and Dovecot, and the coterie of spam-mashing packages. You might also have to install IMAP support for Dovecot, as it may or may not be included in the mail-server packages:
    apt-get install postfix-mysql dovecot-mysql dovecot-imapd postgrey
    apt-get install amavisd-new clamav clamav-daemon spamassassin
    apt-get install php5-imap
The php5-imap package actually supports POP3 as well as the IMAP protocol, and will be needed by Postfix Admin and many of the possible options for PHP webmail applications. Restart Apache to have that running and ready:
    service apache2 restart
Next you'll want some optional packages that extend the abilities of the spam and virus detection packages, such as by allowing greater inspection of attached files:
    apt-get install libnet-dns-perl pyzor razor
    apt-get install arj bzip2 cabextract cpio file gzip nomarch pax unzip zip
You probably also want a package for dealing with RAR-format archives - but I've found unrar-free to be somewhat buggy and unstable, while unrar is not free. So you may just choose to skip that and shrug.
STEP 8:
Create a Mail Database and User in MySQL. Log in to MySQL as the root user, entering the password you set earlier:
    mysql -uroot -p
Now set up a database and user for the mail software. This database will store information on user accounts and mail domains, using the schema set up by the Postfix Admin package. The password chosen here ends up in the Postfix Admin, Dovecot, Amavis and Postfix configuration files, so pick a long random one rather than the placeholder 'mailpassword' used throughout this guide, and substitute it everywhere the placeholder appears:
    create database mail;
    grant all on mail.* to 'mail'@'localhost' identified by 'mailpassword';
STEP 9:
Install Postfix Admin and the MySQL Schema. Postfix Admin is installed as follows. To start things off, download the package from Sourceforge, unpack it, and move it into a subdirectory of your webroot. The download below is over plain HTTP, so compare the archive against a checksum or signature obtained from the project over HTTPS before unpacking it. You will probably also need to change ownership to the www-data user:
    wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.6/postfixadmin-2.3.6.tar.gz
    gunzip postfixadmin-2.3.6.tar.gz
    tar -xf postfixadmin-2.3.6.tar
    mv postfixadmin-2.3.6 /var/www/postfixadmin
    chown -R www-data:www-data /var/www/postfixadmin
Next is an interesting sort of a two-phase setup process. Firstly alter the following lines in /var/www/postfixadmin/config.inc.php:
    /*****************************************************************
     * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     * You have to set $CONF['configured'] = true; before the
     * application will run!
     * Doing this implies you have changed this file as required.
     * i.e. configuring database etc; specifying setup.php password etc.
     */
    $CONF['configured'] = true;

    // Postfix Admin Path
    // Set the location of your Postfix Admin installation here.
    // YOU MUST ENTER THE COMPLETE URL e.g. http://domain.tld/postfixadmin
    $CONF['postfix_admin_url'] = 'https://mail.example.com/postfixadmin';

    // Database Config
    // mysql = MySQL 3.23 and 4.0, 4.1 or 5
    // mysqli = MySQL 4.1+
    // pgsql = PostgreSQL
    $CONF['database_type'] = 'mysql';
    $CONF['database_host'] = 'localhost';
    $CONF['database_user'] = 'mail';
    $CONF['database_password'] = 'mailpassword';
    $CONF['database_name'] = 'mail';

    // Site Admin
    // Define the Site Admins email address below.
    // This will be used to send emails from to create mailboxes.
    $CONF['admin_email'] = 'me@example.com';

    // Mail Server
    // Hostname (FQDN) of your mail server.
    // This is used to send email to Postfix in order to create mailboxes.
    //
    // Set this to localhost for now, but change it later.
    $CONF['smtp_server'] = 'localhost';
    $CONF['smtp_port'] = '25';

    // Encrypt
    // In what way do you want the passwords to be crypted?
    // md5crypt = internal postfix admin md5
    // md5 = md5 sum of the password
    // system = whatever you have set as your PHP system default
    // cleartext = clear text passwords (ouch!)
    // mysql_encrypt = useful for PAM integration
    // authlib = support for courier-authlib style passwords
    // dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5
    $CONF['encrypt'] = 'md5crypt';

    // Mailboxes
    // If you want to store the mailboxes per domain set this to 'YES'.
    // Examples:
    //   YES: /usr/local/virtual/domain.tld/username@domain.tld
    //   NO:  /usr/local/virtual/username@domain.tld
    $CONF['domain_path'] = 'NO';
    // If you don't want to have the domain in your mailbox set this to 'NO'.
    // Examples:
    //   YES: /usr/local/virtual/domain.tld/username@domain.tld
    //   NO:  /usr/local/virtual/domain.tld/username
    // Note: If $CONF['domain_path'] is set to NO, this setting will be forced to YES.
    $CONF['domain_in_mailbox'] = 'YES';
Note that the last items above are only for the purposes of defining how Postfix Admin stores its data - they don't set system paths for mailboxes. The actual system paths to virtual mailbox directories are defined in the Dovecot configuration outlined in a later section of this post. Whatever you choose for $CONF['encrypt'] has to correspond to the default_pass_scheme that Dovecot is given in that section: md5crypt here pairs with MD5-CRYPT there.
Next open up a web browser and visit your mail server at:
    https://mail.example.com/postfixadmin/setup.php
Follow the instructions on that page to choose a setup password, and generate a hash of that password. Add that hash to the configuration file and save it:
    // In order to setup Postfixadmin, you MUST specify a hashed password here.
    // To create the hash, visit setup.php in a browser and type a password into the field,
    // on submission it will be echoed out to you as a hashed value.
    $CONF['setup_password'] = '...a long hash string...';
Then return to the setup page. You can now use the password you selected in order to create an initial administrator account. Postfix Admin will also automatically create its database schema at this point.
It is probably wise to restrict access to /var/www/postfixadmin/setup.php after having used it, since anyone who can reach it and knows the setup password can create further administrator accounts. Create a file /var/www/postfixadmin/.htaccess and put the following instructions into it (this relies on the AllowOverride All directive in the Apache virtual hosts above):
    <Files "setup.php">
    deny from all
    </Files>
STEP 10:
Create the Domain and Accounts in Postfix Admin. Now navigate to the main Postfix Admin login page:
    https://mail.example.com/postfixadmin/
Log in as the newly created administrator account, and then choose the 'New domain' option under 'Domain List' in order to create the example.com domain. You can then add mail users ('Add mailbox') and aliases ('Add alias') while viewing your domain. This will populate the schema, but it won't do anything else yet as none of the other mailserver components are configured to look at the database at this point.
Postfix Admin does have another useful function during this long setup process - it allows you to send mail to local users through the web interface, which is helpful when testing your configuration and chasing down errors.
STEP 11:
Create a User to Handle Virtual Mail Directories. Virtual mail users are those that do not exist as Unix system users. They thus don't use the standard Unix methods of authentication or mail delivery and don't have home directories. That is how we are managing things here: mail users are defined in the database created by Postfix Admin rather than existing as system users. Mail will be kept in subfolders per domain and account under /var/vmail - e.g. me@example.com will have a mail directory of /var/vmail/example.com/me. All of these mail directories will be owned by a single user called vmail, and Dovecot will use the vmail user in order to create and update mail files. The user is created as a system account (-r) with a fixed uid of 150 and no login shell (the nologin shell lives in /usr/sbin on Ubuntu); the uid is referenced again in the Dovecot configuration below:
    useradd -r -u 150 -g mail -d /var/vmail -s /usr/sbin/nologin -c "Virtual maildir handler" vmail
    mkdir /var/vmail
    chmod 770 /var/vmail
    chown vmail:mail /var/vmail
Note that the user and virtual mail directory folder are using the 'mail' group, and allowing other users in that group to modify the contents.
STEP 12:
Configure Dovecot. Dovecot will manage IMAP and POP3 connections, local mail directories, and receive incoming mail handed off from Postfix. It will also manage authentication for SMTP connections - no point in having two separate authentication systems when Dovecot can handle both cases. Configuration is spread across a number of files in /etc/dovecot and subfolders thereof, and might seem a little intimidating, but it's all laid out fairly logically. The first thing to do is to ensure that Dovecot is looking for user data in the database created by Postfix Admin, so edit or create the file /etc/dovecot/conf.d/auth-sql.conf.ext to have the following contents:
    # Look up user passwords from a SQL database as
    # defined in /etc/dovecot/dovecot-sql.conf.ext
    passdb {
      driver = sql
      args = /etc/dovecot/dovecot-sql.conf.ext
    }

    # Look up user information from a SQL database as
    # defined in /etc/dovecot/dovecot-sql.conf.ext
    userdb {
      driver = sql
      args = /etc/dovecot/dovecot-sql.conf.ext
    }
Now edit these lines in /etc/dovecot/dovecot-sql.conf.ext such that it uses the MySQL database created by Postfix Admin:
    # Database driver: mysql, pgsql, sqlite
    driver = mysql

    # Examples:
    #   connect = host=192.168.1.1 dbname=users
    #   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
    #   connect = /etc/dovecot/authdb.sqlite
    #
    connect = host=localhost dbname=mail user=mail password=mailpassword

    # Default password scheme.
    #
    # List of supported schemes is in
    # http://wiki2.dovecot.org/Authentication/PasswordSchemes
    #
    default_pass_scheme = MD5-CRYPT

    # Define the query to obtain a user password. 150 is the uid of the vmail user
    # created above; 8 is the gid of the mail group on Ubuntu (check: getent group mail).
    password_query = \
      SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
      'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
      FROM mailbox WHERE username = '%u' AND active = '1'

    # Define the query to obtain user information.
    user_query = \
      SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
      150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
      FROM mailbox WHERE username = '%u' AND active = '1'
MD5-CRYPT here must match the md5crypt setting chosen in the Postfix Admin configuration, otherwise the hashes it writes will never verify. Dovecot SQL-escapes the %u, %d and %n substitutions before they reach the query, so a quote character in a login name cannot break out of it.
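To see why the Postfix Admin encrypt setting and Dovecot's default_pass_scheme must agree, the following added example (not code from the original guide or from either project) reproduces the verification Dovecot performs on a stored md5crypt/MD5-CRYPT value and shows the same check for the stronger SHA512-CRYPT scheme. It assumes `openssl passwd` is available (the -6 option needs OpenSSL 1.1.1 or newer); the passwords and salts are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. Postfix Admin writes passwords with
# $CONF['encrypt'] = 'md5crypt' and Dovecot reads them with
# default_pass_scheme = MD5-CRYPT: both names mean the crypt(3) MD5 scheme, whose
# stored form is $1$<salt>$<hash>. A login succeeds when hashing the offered password
# with the salt taken from the stored value reproduces the stored value exactly.
# This reproduces that check with `openssl passwd` (assumed present; -6 needs
# OpenSSL 1.1.1+). Passwords and salts below are constructed for the demonstration.

# Produce a crypt(3)-style hash. $1: scheme id (1 = MD5-CRYPT, 6 = SHA512-CRYPT),
# $2: salt (up to 8 chars for MD5, 16 for SHA-512), $3: password.
# The password is passed on the command line only for brevity; scripts that handle
# real credentials should use `openssl passwd -stdin` so it never shows in `ps`.
make_hash() {
    openssl passwd "-$1" -salt "$2" "$3"
}

# Map the crypt(3) prefix to the Dovecot scheme name it corresponds to.
scheme_name() {
    case "$(printf '%s\n' "$1" | cut -d'$' -f2)" in
        1) echo MD5-CRYPT ;;
        6) echo SHA512-CRYPT ;;
        *) echo UNKNOWN ;;
    esac
}

# Return 0 when $2 is the password behind the stored hash $1, 1 when it is not,
# 2 when the hash uses a scheme this function does not know.
crypt_verify() {
    stored=$1
    candidate=$2
    scheme=$(printf '%s\n' "$stored" | cut -d'$' -f2)
    salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
    case "$scheme" in
        1|6) ;;
        *) return 2 ;;
    esac
    recomputed=$(make_hash "$scheme" "$salt" "$candidate")
    [ "$recomputed" = "$stored" ]
}

# Demonstration with constructed values.
H1=$(make_hash 1 saltsalt 'correct horse battery')
H6=$(make_hash 6 0123456789abcdef 'correct horse battery')
printf '%s  %s\n' "$(scheme_name "$H1")" "$H1"
printf '%s  %s\n' "$(scheme_name "$H6")" "$H6"
crypt_verify "$H1" 'correct horse battery' && echo "MD5-CRYPT: correct password accepted"
crypt_verify "$H1" 'wrong password' || echo "MD5-CRYPT: wrong password rejected"
```

MD5-CRYPT is fast to brute-force on modern hardware. To move to SHA512-CRYPT, set `$CONF['encrypt'] = 'dovecot:SHA512-CRYPT'` in Postfix Admin (the dovecot:METHOD option listed in its configuration comments, which calls the dovecotpw/doveadm pw binary, so that path must be correct in Postfix Admin's configuration) and `default_pass_scheme = SHA512-CRYPT` in Dovecot. Dovecot honours a `{SCHEME}` prefix on an individual stored hash over default_pass_scheme, which is what lets old and new hashes coexist while users re-set their passwords.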
Then change the controlling definitions in /etc/dovecot/conf.d/10-auth.conf such that Dovecot will read the SQL configuration files. While you are there, you should also make sure that plaintext authentication is disabled unless the connection is encrypted or local:
    # Disable LOGIN command and all other plaintext authentications unless
    # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
    # matches the local IP (ie. you're connecting from the same computer), the
    # connection is considered secure and plaintext authentication is allowed.
    disable_plaintext_auth = yes

    # Space separated list of wanted authentication mechanisms:
    #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
    #   gss-spnego
    # NOTE: See also disable_plaintext_auth setting.
    auth_mechanisms = plain login

    ##
    ## Password and user databases
    ##

    #
    # Password database is used to verify user's password (and nothing more).
    # You can have multiple passdbs and userdbs. This is useful if you want to
    # allow both system users (/etc/passwd) and virtual users to login without
    # duplicating the system users into virtual database.
    #
    # <doc/wiki/PasswordDatabase.txt>
    #
    # User database specifies where mails are located and what user/group IDs
    # own them. For single-UID configuration use "static" userdb.
    #
    # <doc/wiki/UserDatabase.txt>

    #!include auth-deny.conf.ext
    #!include auth-master.conf.ext

    #!include auth-system.conf.ext
    # Use the SQL database configuration rather than any of these others.
    !include auth-sql.conf.ext
    #!include auth-ldap.conf.ext
    #!include auth-passwdfile.conf.ext
    #!include auth-checkpassword.conf.ext
    #!include auth-vpopmail.conf.ext
    #!include auth-static.conf.ext
Only plain and login are listed because the stored MD5-CRYPT values are salted one-way hashes; challenge-response mechanisms such as cram-md5 need the plaintext password on the server side, so they cannot be offered with this password scheme. That is why TLS on the connection, enforced through disable_plaintext_auth, carries the whole burden of protecting the credentials.
Next up, tell Dovecot where to put the virtual user mail directories. That requires the following changes in /etc/dovecot/conf.d/10-mail.conf:
    # Location for users' mailboxes. The default is empty, which means that Dovecot
    # tries to find the mailboxes automatically. This won't work if the user
    # doesn't yet have any mail, so you should explicitly tell Dovecot the full
    # location.
    #
    # If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
    # isn't enough. You'll also need to tell Dovecot where the other mailboxes are
    # kept. This is called the "root mail directory", and it must be the first
    # path given in the mail_location setting.
    #
    # There are a few special variables you can use, eg.:
    #
    #   %u - username
    #   %n - user part in user@domain, same as %u if there's no domain
    #   %d - domain part in user@domain, empty if there's no domain
    #   %h - home directory
    #
    # See doc/wiki/Variables.txt for full list. Some examples:
    #
    #   mail_location = maildir:~/Maildir
    #   mail_location = mbox:~/mail:INBOX=/var/mail/%u
    #   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
    #
    # <doc/wiki/MailLocation.txt>
    #
    mail_location = maildir:/var/vmail/%d/%n

    # System user and group used to access mails. If you use multiple, userdb
    # can override these by returning uid or gid fields. You can use either numbers
    # or names. <doc/wiki/UserIds.txt>
    mail_uid = vmail
    mail_gid = mail

    # Valid UID range for users, defaults to 500 and above. This is mostly
    # to make sure that users can't log in as daemons or other system users.
    # Note that denying root logins is hardcoded to dovecot binary and can't
    # be done even if first_valid_uid is set to 0.
    #
    # Use the vmail user uid here.
    first_valid_uid = 150
    last_valid_uid = 150
If you are bringing your own SSL certificate to the party, you have to let Dovecot know about it by editing these lines in /etc/dovecot/conf.d/10-ssl.conf. Remember to include your CA certificate bundle if provided with one by the certificate issuer: Dovecot has no separate chain directive, so append the intermediate certificates to the file named by ssl_cert, after the server certificate:
    # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
    ssl = yes

    # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
    # dropping root privileges, so keep the key file unreadable by anyone but
    # root. Included doc/mkcert.sh can be used to easily generate self-signed
    # certificate, just make sure to update the domains in dovecot-openssl.cnf
    ssl_cert = </path/to/my/cert.pem
    ssl_key = </path/to/my/key.pem

    # If key file is password protected, give the password here. Alternatively
    # give it when starting dovecot with -p parameter. Since this file is often
    # world-readable, you may want to place this setting instead to a different
    # root owned 0600 file by using ssl_key_password = <path.
    #ssl_key_password =

    # PEM encoded trusted certificate authority. Set this only if you intend to use
    # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
    # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
    #ssl_ca = </path/to/ca.pem
With ssl = yes, unencrypted sessions are still accepted on ports 110 and 143 but, because of disable_plaintext_auth = yes, cannot log in; ssl = required goes further and rejects authentication over any unencrypted session regardless of mechanism.
Next, edit these lines in /etc/dovecot/conf.d/10-master.conf to add the Postfix option: a Unix socket inside the Postfix chroot through which Postfix's smtpd hands SMTP AUTH requests to Dovecot:
    service auth {
      # auth_socket_path points to this userdb socket by default. It's typically
      # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
      # permissions make it readable only by root, but you may need to relax these
      # permissions. Users that have access to this socket are able to get a list
      # of all usernames and get results of everyone's userdb lookups.
      unix_listener auth-userdb {
        mode = 0600
        user = vmail
        group = mail
      }

      unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        # Assuming the default Postfix user and group
        user = postfix
        group = postfix
      }
    }
You may have to explicitly set a postmaster address in /etc/dovecot/conf.d/15-lda.conf; if you see 'Invalid settings: postmaster_address setting not given' showing up in the mail log, then this is the fix for that. Make sure that a suitable alias or mailbox exists for your chosen postmaster address:
    # Address to use when sending rejection mails.
    # Default is postmaster@<your domain>.
    postmaster_address = postmaster@example.com
You'll want to change the Dovecot configuration to be accessible to both the dovecot and vmail users, and to nobody else, since dovecot-sql.conf.ext now holds the database password:
    chown -R vmail:dovecot /etc/dovecot
    chmod -R o-rwx /etc/dovecot
A final note on Dovecot: it only creates a user's mail directory when mail is first delivered to that virtual user. So creating a user in Postfix Admin will not result in the immediate creation of a mail directory under /var/vmail, and that's just fine.
STEP 13:
Configure Amavis, ClamAV, and SpamAssassin. Before configuring Postfix, we may as well take a short detour into configuring the spam and virus tools. Their default configuration is close to what most people will need, and tools like SpamAssassin auto-detect many of the optional additional packages you may have installed. If you have specialist needs or greater knowledge, you can of course spend a fair amount of time here crafting intricate rules. For the casual user, however, this is a quick and straightforward process. Note that here we are putting off the portions relating to integration with Postfix - e.g. additions to the master.cf file - into the Postfix section of this post.
First add the Amavis and ClamAV users to one another's groups to enable them to collaborate (clamd has to be able to read the files Amavis unpacks, and Amavis has to reach the clamd socket):
    adduser clamav amavis
    adduser amavis clamav
Then turn on Amavis by editing /etc/amavis/conf.d/15-content_filter_mode - the software is disabled by default, so uncomment the @bypass lines:
    use strict;

    # You can modify this file to re-enable SPAM checking through spamassassin
    # and to re-enable antivirus checking.

    #
    # Default antivirus checking mode
    # Please note, that anti-virus checking is DISABLED by
    # default.
    # If You wish to enable it, please uncomment the following lines:

    @bypass_virus_checks_maps = (
       \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

    #
    # Default SPAM checking mode
    # Please note, that anti-spam checking is DISABLED by
    # default.
    # If You wish to enable it, please uncomment the following lines:

    @bypass_spam_checks_maps = (
       \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

    1;  # ensure a defined return
Now enable SpamAssassin by editing these lines in /etc/default/spamassassin:
    # Change to one to enable spamd
    ENABLED=1

    # Cronjob
    # Set to anything but 0 to enable the cron job to automatically update
    # spamassassin's rules on a nightly basis
    CRON=1
SpamAssassin under Amavis will only check mail that's determined to be arriving for local delivery. There are a couple of ways to tell Amavis which mails are for local delivery, but here we'll set it up to check the database set up by Postfix Admin. Edit /etc/amavis/conf.d/50-user to look like this:
    use strict;

    #
    # Place your configuration directives here.  They will override those in
    # earlier files.
    #
    # See /usr/share/doc/amavisd-new/ for documentation and examples of
    # the directives you can use in this file
    #

    # Three concurrent processes. This should fit into the RAM available on an
    # AWS micro instance. This has to match the number of processes specified
    # for Amavis in /etc/postfix/master.cf.
    $max_servers = 3;

    # Add spam info headers if at or above that level - this ensures they
    # are always added.
    $sa_tag_level_deflt = -9999;

    # Check the database to see if mail is for local delivery, and thus
    # should be spam checked.
    @lookup_sql_dsn = (
       ['DBI:mysql:database=mail;host=127.0.0.1;port=3306',
        'mail',
        'mailpassword']);
    $sql_select_policy = 'SELECT domain from domain WHERE CONCAT("@",domain) IN (%k)';

    # Uncomment to bump up the log level when testing.
    # $log_level = 2;

    #------------ Do not modify anything below this line -------------
    1;  # ensure a defined return
This file also carries the database password, so keep it readable by root and the amavis user only. You will have to restart these processes to pick up the new configuration:
    service amavis restart
    service spamassassin restart
STEP 14:
Configure Postfix. Postfix handles incoming mail via the SMTP protocol, and its configuration files have to be set up to allow it to integrate with the various other packages we have installed so far. At a high level, we want Postfix to hand off incoming mail to the spam and virus checkers before passing it on to Dovecot for delivery, and to authenticate virtual users who are connecting over SMTP in order to send mail.
Firstly create files describing for Postfix where to find information on users and domains. Note that the 'hosts' directive in these files must be exactly the same as the 'bind-address' in /etc/mysql/my.cnf. If one side says 'localhost' and the other side says '127.0.0.1' then you may find that Postfix cannot connect to MySQL. The reason is that the MySQL client treats 'localhost' as a request for the Unix socket under /var/run/mysqld, which the chrooted Postfix daemons in /var/spool/postfix cannot reach; '127.0.0.1' forces a TCP connection, which works from inside the chroot. These files contain the database password, so make them owned by root:postfix with mode 0640. Here are the needed Postfix files:
/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT goto FROM alias,alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND alias.address=concat('%u', '@', alias_domain.target_domain)
  AND alias.active = 1
/etc/postfix/mysql_virtual_alias_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
/etc/postfix/mysql_virtual_domains_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT maildir FROM mailbox, alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
  AND mailbox.active = 1
/etc/postfix/mysql_virtual_mailbox_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'
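To see how Postfix turns these five map files into lookups, here is an added example (not part of the guide) that runs the queries above against an in-memory SQLite stand-in for the MySQL mail database, with constructed sample rows. The schema columns are the ones the queries reference, and the %s/%u/%d expansion and quoting are a simplified model of Postfix's mysql: table behaviour.

```python
"""Simulate the Postfix mysql: lookups defined by the five .cf files above.
Added example, not from the original guide: SQLite stands in for the MySQL
'mail' database, with a constructed subset of the schema the queries use."""
import sqlite3

# Constructed rows. Alias domains also get a row in `domain`, as Postfix Admin
# creates them, so virtual_mailbox_domains accepts mail addressed to them.
SCHEMA = """
CREATE TABLE domain (domain TEXT, backupmx INTEGER, active INTEGER);
CREATE TABLE alias_domain (alias_domain TEXT, target_domain TEXT);
CREATE TABLE alias (address TEXT, goto TEXT, active INTEGER);
CREATE TABLE mailbox (username TEXT, maildir TEXT, local_part TEXT, domain TEXT, active INTEGER);
INSERT INTO domain VALUES ('example.com',0,1), ('example.org',0,1), ('backup.example.net',1,1);
INSERT INTO alias_domain VALUES ('example.org', 'example.com');
INSERT INTO alias VALUES ('postmaster@example.com', 'alice@example.com', 1);
INSERT INTO mailbox VALUES ('alice@example.com', 'example.com/alice', 'alice', 'example.com', 1);
"""
# table/select_field/where_field files are shorthand for this query shape.
VIRTUAL_DOMAINS = "SELECT domain FROM domain WHERE domain = '%s' and backupmx = '0' and active = '1'"
VIRTUAL_ALIAS = "SELECT goto FROM alias WHERE address = '%s' and active = '1'"
VIRTUAL_MAILBOX = "SELECT CONCAT(domain, '/', local_part) FROM mailbox WHERE username = '%s' and active = '1'"
# query= files are used verbatim.
ALIAS_DOMAINALIASES = ("SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' "
                       "AND alias.address=concat('%u', '@', alias_domain.target_domain) AND alias.active = 1")
MAILBOX_DOMAINALIASES = ("SELECT maildir FROM mailbox, alias_domain WHERE alias_domain.alias_domain = '%d' "
                         "AND mailbox.username=concat('%u', '@', alias_domain.target_domain ) AND mailbox.active = 1")

def expand(template, key):
    """Postfix %s/%u/%d expansion; a query using %d is suppressed when the key has no '@'."""
    user, at, domain = key.partition("@")
    if not at and "%d" in template:
        return None
    esc = lambda v: v.replace("'", "''")  # simplified SQL quoting
    return template.replace("%s", esc(key)).replace("%u", esc(user)).replace("%d", esc(domain))

def lookup(conn, template, key):
    sql = expand(template, key)
    return [] if sql is None else [row[0] for row in conn.execute(sql)]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("concat", -1, lambda *parts: "".join(parts))  # MySQL concat()
    conn.executescript(SCHEMA)
    return conn

def resolve(conn, rcpt):
    """Is the domain ours? Expand the alias chain, then find the mailbox.
    None means Postfix would not deliver this address locally."""
    if not lookup(conn, VIRTUAL_DOMAINS, rcpt.partition("@")[2]):
        return None
    for _ in range(10):  # bound alias chains
        goto = lookup(conn, VIRTUAL_ALIAS, rcpt) or lookup(conn, ALIAS_DOMAINALIASES, rcpt)
        if not goto or goto[0] == rcpt:
            break
        rcpt = goto[0]
    box = lookup(conn, VIRTUAL_MAILBOX, rcpt) or lookup(conn, MAILBOX_DOMAINALIASES, rcpt)
    return box[0] if box else None
```

Mail for postmaster@example.org is accepted because the alias domain is active, rewritten to alice@example.com through the alias_domain join, and then lands in the mailbox found by the plain mailbox map; the backup MX domain is rejected as a local destination by the backupmx = '0' condition.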
Now create the file /etc/postfix/header_checks, which will contain some directives to remove certain headers when relaying mail. This improves privacy for the sending users by, for example, stripping the original IP address and mail software identifiers. This file will be referenced in the main Postfix configuration:
/^Received:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Mailer:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^x-cr-[a-z]*:/ IGNORE
/^Thread-Index:/ IGNORE
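The header_checks table above applied to a constructed header block, as an added example that is not code from the guide: it unfolds continuation lines the way Postfix does before matching, then reports which logical headers the IGNORE rules remove.

```python
"""Apply the header_checks table above to a constructed message header.
Added example, not from the guide: a minimal model of Postfix's IGNORE action
for regexp tables, including the unfolding of wrapped header lines."""
import re

# The six patterns from /etc/postfix/header_checks. Postfix regexp: tables
# match case-insensitively unless a pattern turns that flag off.
HEADER_CHECKS = [
    (r"^Received:", "IGNORE"),
    (r"^User-Agent:", "IGNORE"),
    (r"^X-Mailer:", "IGNORE"),
    (r"^X-Originating-IP:", "IGNORE"),
    (r"^x-cr-[a-z]*:", "IGNORE"),
    (r"^Thread-Index:", "IGNORE"),
]

def unfold(header_block):
    """Join continuation lines (leading space or tab) onto their header;
    Postfix examines each logical header as one string."""
    headers = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers

def apply_header_checks(header_block, table=HEADER_CHECKS):
    """Return (kept, dropped): the logical headers that survive and the ones
    removed by the first matching IGNORE rule."""
    compiled = [(re.compile(p, re.IGNORECASE), action) for p, action in table]
    kept, dropped = [], []
    for hdr in unfold(header_block):
        action = next((a for rx, a in compiled if rx.search(hdr)), None)
        (dropped if action == "IGNORE" else kept).append(hdr)
    return kept, dropped

# Constructed header block, as a mail client submitting through this server
# might produce; the folded Received: line is the interesting case.
SAMPLE = """Received: from laptop.lan (203.0.113.7)
\tby mail.example.com with ESMTPSA; Tue, 01 Jan 2013 10:00:00 +0000
From: alice@example.com
To: bob@example.net
Subject: hello
X-Mailer: Some Mail Client 1.0
X-Originating-IP: [203.0.113.7]
x-cr-hashedpuzzle: AbCd
Message-ID: <1@mail.example.com>
Date: Tue, 01 Jan 2013 10:00:00 +0000
"""
```

Postfix applies header_checks in the cleanup daemon to every message accepted by an smtpd that does not set receive_override_options=no_header_body_checks, so with this table the Received: trail of inbound mail is stripped as well, which makes tracing a message's path later on harder.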
The following is the complete main Postfix configuration file at /etc/postfix/main.cf, which contains a fair number of complex choices and options on how mail is relayed and how SMTP behaves. It is far beyond the scope of this post to explain each and every choice of best practice or configuration parameter in detail. I strongly suggest that you spend some time reading up on Postfix configuration, as this is where it is easy to fall down and produce a suboptimal or faulty mailserver.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# The first text sent to a connecting process.
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no

# SASL parameters
# ---------------------------------

# Use Dovecot to authenticate.
smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

# TLS parameters
# ---------------------------------

# Replace this with your SSL certificate path if you are using one.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# The snakeoil self-signed certificate has no need for a CA file. But
# if you are using your own SSL certificate, then you probably have
# a CA certificate bundle from your provider. The path to that goes
# here.
#smtpd_tls_CAfile=/path/to/ca/file

smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Note that forcing use of TLS is going to cause breakage - most mail servers
# don't offer it and so delivery will fail, both incoming and outgoing. This is
# unfortunate given what various governmental agencies are up to these days.

# These are Postfix 2.2 only.
#
# Enable (but don't force) use of TLS on incoming smtp connections.
smtpd_use_tls = yes
smtpd_enforce_tls = no
# Enable (but don't force) use of TLS on outgoing smtp connections.
smtp_use_tls = yes
smtp_enforce_tls = no

# These are Postfix 2.3 and later.
#
# Enable (but don't force) all incoming smtp connections to use TLS.
smtpd_tls_security_level = may
# Enable (but don't force) all outgoing smtp connections to use TLS.
smtp_tls_security_level = may

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# SMTPD parameters
# ---------------------------------

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed.
# some have 3 days, I have 16 days as I am backup server for some people
# whom go on holiday with their server switched off.
maximal_queue_lifetime = 7d
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12

# This next set are important for determining who can send mail and relay mail
# to other servers. It is very important to get this right - accidentally producing
# an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
#
# You are encouraged to read up on what exactly each of these options accomplish.

# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname,
    reject_invalid_hostname, permit
# Requirements for the sender details
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
    warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unauth_pipelining, permit
# Requirements for the connecting server
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
# Requirement for the recipient address. Note that the entry for
# "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023, permit
smtpd_data_restrictions = reject_unauth_pipelining

# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes

# General host and delivery info
# ----------------------------------

myhostname = mail.example.com
myorigin = /etc/hostname
To be clear, if you are using a purchased SSL certificate - and have a CA certificate bundle from the issuer - then you will have to alter these lines in /etc/postfix/main.cf:
# Replace this with your SSL certificate path if you are using one.
smtpd_tls_cert_file=/path/to/my/cert.pem
smtpd_tls_key_file=/path/to/my/key.key
# The snakeoil self-signed certificate has no need for a CA file. But
# if you are using your own SSL certificate, then you probably have
# a CA certificate bundle from your provider. The path to that goes
# here.
#smtpd_tls_CAfile=/path/to/ca/file
Further, if you are running Postfix version 2.10 or later, which might be the case if you are reading this recipe for pointers on an installation on a later version of Ubuntu, then you will need to add the following lines:
# This is a new option as of Postfix 2.10, and is required in addition to
# smtpd_recipient_restrictions for things to work properly in this setup.
smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023, permit
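A check for the relay-control ordering that the main.cf comments above call a Very Bad Thing to get wrong, covering both smtpd_recipient_restrictions and the Postfix 2.10 smtpd_relay_restrictions block just shown. This is an added example, not from the guide; the two main.cf fragments it parses are constructed, one taken from this page and one deliberately weakened.

```python
"""Lint the relay controls in a Postfix main.cf.
Added example, not from the guide. An external, unauthenticated client must
hit reject_unauth_destination (or defer_unauth_destination) before it can
reach an unconditional 'permit' in any list that decides relaying."""
import re

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the
    previous parameter, as in Postfix's own config parser."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[:1].isspace() and current:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def restriction_list(value):
    """Tokenise a restriction list; arguments such as the policy service
    address become separate tokens, which is fine for this check."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

def relay_risk(params):
    """One finding per relay-deciding list where a guard is missing or where
    a bare 'permit' (or the implicit permit at the end) comes before it."""
    findings = []
    for name in ("smtpd_recipient_restrictions", "smtpd_relay_restrictions"):
        if name not in params:
            continue
        toks = restriction_list(params[name])
        guard = next((i for i, t in enumerate(toks) if t in RELAY_GUARDS), None)
        leak = next((i for i, t in enumerate(toks) if t == "permit"), None)
        if guard is None or (leak is not None and leak < guard):
            findings.append(f"{name}: no relay guard before 'permit' (open relay risk)")
    return findings

# Constructed fragments: the page's lists, then a deliberately weakened one.
GOOD = """smtpd_recipient_restrictions = reject_unauth_pipelining,
    permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
# Postfix 2.10 and later consult this list as well.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""
BAD = """smtpd_recipient_restrictions = permit_mynetworks, permit,
    reject_unauth_destination
"""
```

Run it over the output of `postconf -n` on the server rather than the file itself if you want to include defaults and overrides that Postfix actually applies.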
You must also add some material to /etc/postfix/master.cf, and here is the entire file for clarity, including much of the default material from the package install - such as commented options:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

# SMTP on port 25, unencrypted.
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy

# SMTP with TLS on port 587. Currently commented.
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_enforce_tls=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
#  -o smtpd_sasl_tls_security_options=noanonymous

# SMTP over SSL on port 465.
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous

#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
Note that Amavis is restricted to three processes, which should be fine for most casual to moderate use. The processes are memory-heavy, so start low and add more only if you need to due to volume of mail - see the notes in this guide for pointers on how to do that.
Restart Everything, and Test the Server
Restart all the necessary processes to pick up configuration changes:
service postfix restart
service spamassassin restart
service clamav-daemon restart
service amavis restart
service dovecot restart
Now start testing! Keep an eye on /var/log/mail.err and /var/log/mail.log for error messages and try logging in to POP and IMAP, sending mail to an account created on the server, and sending mail from the server. If you find issues, then Google is your friend when it comes to searching on specific error messages in order to identify where the configuration is wrong, or when something unexpected crops up.
That's the end of the mail server configuration.
Setup Webmail:
For an easy to use and simple installation process, use Roundcube as webmail.
This post is a brief addendum to the long Ubuntu 12.04 mail server recipe I assembled last year. That uses Horde for webmail and I have become somewhat disenchanted with that package. If you need calendaring and other broad feature packages offered by Horde then it is probably worth wading through the Swamp of Infinite Configuration to get it working. If not, then there are simpler options. Roundcube is a straightforward PHP webmail package, so it's easy enough to substitute Roundcube in place of Horde when building a mail server. The instructions you'll find online on how to install Roundcube are, shall we say, somewhat confused however. They will largely lead you down the wrong path if working from a package install on Ubuntu. Here instead is the quick and easy way to manage things, assuming that your mail server was built according to my guide, and thus has Apache and MySQL available.
Installation
Start by installing the necessary packages. The plugin packages aren't essential, but it doesn't hurt to look them over to see what is available:
apt-get install roundcube roundcube-plugins roundcube-plugins-extra
In the package installation process you should choose to have the package set up the database for you. Pick MySQL as the database type. You'll be asked for the MySQL root user password, and to choose a password for the roundcube user that will be created.
Configuration
Set the following line in /var/lib/roundcube/config/main.inc.php:
// the mail host chosen to perform the log-in
// leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %d = domain.tld
$rcmail_config['default_host'] = 'localhost';
At this point Roundcube is now installed and minimally configured, but it isn't accessible from the server webroot. The Roundcube webroot containing PHP files and various symlinks is sitting in /var/lib/roundcube, and the next step is to make that available to visitors.
Option 1: Roundcube in a Subfolder
If you have a busy webroot with other applications running, you may want to stick Roundcube into a subfolder, to be accessed via https://mail.example.com/roundcube or similar. This is easily accomplished by creating a symlink in the webroot:
ln -s /var/lib/roundcube /var/www/roundcube
If you have nothing in the upper directory of your webroot and want to redirect arrivals to the webmail login you might set up a redirect in /var/www/.htaccess:
RewriteRule ^/?$ /roundcube [L]
This has the advantage of leaving other subdirectories under /var/www accessible for whatever you might want to use them for, such as a Postfix Admin installation.
Option 2: Roundcube is the Webroot
An alternate approach is to switch the whole webroot over to /var/lib/roundcube, such that http://mail.example.com is the webmail login. In your site definition files under /etc/apache2/sites-enabled you'll want to change the DocumentRoot directive:
# Replace the standard webroot with the Roundcube directory.
# DocumentRoot /var/www/
DocumentRoot /var/lib/roundcube
This means that everything in /var/www/.htaccess, such as rewrite rules to redirect all incoming traffic to SSL, must be copied and inserted into the existing Roundcube htaccess file at /var/lib/roundcube/.htaccess. Don't just overwrite it, as Roundcube needs its rules in order to function. Any files and folders under /var/www must now be symlinked from /var/lib/roundcube, or they will now be inaccessible. For example, if you are using Postfix Admin and have it set up at /var/www/postfixadmin then you would need to create this symlink:
ln -s /var/www/postfixadmin /var/lib/roundcube/postfixadmin
That's the end of the webmail configuration.
Generally, a webmail package does not come with all of the settings we see in Yahoo or Gmail; in Roundcube they have to be enabled in the form of plugins. Different plugins provide different settings, and most of them are available for download and have to be enabled manually.
