Configuring a mail server. Part 1. Installation and basic configuration of Postfix and Dovecot.

I’m starting a series of articles on configuring a Postfix and Dovecot mail server.

Today will be the first part — Installation and basic configuration of Postfix and Dovecot.

Installing the mail server

Let’s install Postfix and Dovecot:

$ sudo apt install postfix dovecot-core dovecot-imapd

Decline the suggested configuration options. This means that we will configure everything ourselves, without any automation from the maintainers.

The post-installation script will report that Postfix can not work in this state.

Create the missing configuration file:

$ sudo touch /etc/postfix/

Installation is complete.

Preparing to configure mail server

Create the mail store for our mail domain study.local:

# mkdir -p /var/spool/mail/study.local

Create group virtual and user virtual:

# groupadd -g 5000 virtual

# useradd -g virtual -u 5000 virtual

We assigned them uid and gid 5000. The number was chosen arbitrarily, as a sufficiently large value.

Specify the owner and permissions for the mail folder:

# chown virtual:virtual /var/spool/mail/study.local

# chmod 770 /var/spool/mail/study.local

Configuring Postfix

Let’s edit /etc/postfix/ and bring it to the following form:

#This will be a welcome message of our server on receiving and sending mail

smtpd_banner = $myhostname ESMTP (ubuntu)

#Turn off comsat

biff = no

#Do not allow to automatically complete an incomplete domain name in the recipient address

append_dot_mydomain = no

#Path to the mail queue directory

queue_directory = /var/spool/postfix

#Hostname of our server

myhostname =

alias_maps =

myorigin = study.local

#Specify the domains for which we will accept mail

mydestination = localhost

#Specify for which virtual domains we will accept mail

virtual_mailbox_domains = study.local

#Beginning of the path to save mail

virtual_mailbox_base = /var/spool/mail/

#File describing mail aliases

virtual_alias_maps = hash:/etc/postfix/virtual

#File describing mailboxes

virtual_mailbox_maps = hash:/etc/postfix/vmailbox

virtual_minimum_uid = 100

virtual_uid_maps = static:5000

virtual_gid_maps = static:5000

#Specify a list of trusted subnets

mynetworks =

#Accept connections on all interfaces

inet_interfaces = all

#Describe the authorization through Dovecot

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

#Require a helo when connecting

smtpd_helo_required = yes

#Set up mail receiving/sending filters

#Restrictions that Postfix applies in the context of a client HELO command

smtpd_helo_restrictions = permit_mynetworks,






#Restrictions that Postfix applies in the context of a client RCPT TO command

smtpd_recipient_restrictions = permit_mynetworks,







Mail filtering rules.

If our server accepts and sends every email message indiscriminately, it will quickly be added to all blacklists as a spammer. In addition, the load on our server will increase, because all incoming mail has to be processed not only by the mail server itself but also by antivirus and anti-spam applications. To reduce the load on the server and to block unwanted messages at the acceptance stage, use filtering rules for incoming messages. They are written in our configuration file in the smtpd_helo_restrictions and smtpd_recipient_restrictions blocks. Our rules are as follows:

smtpd_helo_restrictions = permit_mynetworks,





smtpd_recipient_restrictions = permit_mynetworks,







Let’s look at them in more detail:

permit_mynetworks — Accept all letters from the trusted zone

permit_sasl_authenticated — Accept all letters from an authenticated connection

reject_unauth_destination — Reject emails that are not related to our domains

reject_unknown_sender_domain — Reject emails from unknown sender domains

reject_unknown_recipient_domain — Reject emails for unknown recipient domains

reject_non_fqdn_recipient — Reject emails for incomplete recipient domain

reject_non_fqdn_sender — Reject emails from an incomplete sender’s domain

reject_non_fqdn_hostname — Reject emails if the sender’s server name is incomplete

reject_invalid_hostname — Reject emails if the sender’s server name is incorrect

reject_unknown_hostname — Reject emails if the sender’s server name is unknown

These rules are applied sequentially from the first to the last. If the letter was not rejected by any rules, it will be accepted.

Additional rules for mail filtering.

To reduce the amount of spam, add some more filtering rules.

At the end of the smtpd_helo_restrictions block we will add:

check_helo_access hash:/etc/postfix/helo.list

And in the smtpd_recipient_restrictions block, after the permit_sasl_authenticated rule, insert:

check_sender_access hash:/etc/postfix/ext_sender,

Create a file /etc/postfix/helo.list:

# touch /etc/postfix/helo.list

We will open it for editing and write in it the string: 550 Don’t use my hostname

And create an indexed map from it:

# postmap /etc/postfix/helo.list

Create a file /etc/postfix/ext_sender:

# touch /etc/postfix/ext_sender

We will open it for editing and write in it the string:

study.local 550 Do not use my domain in your envelope sender

And create an indexed map from it:

# postmap /etc/postfix/ext_sender

The check_helo_access rule checks what the sending server sends in the HELO command. If it presents itself under our own name (the string in the /etc/postfix/helo.list file), the connection will be terminated. In a normal situation, no server can present itself under our name, so it is likely to be a spam server.

The check_sender_access rule checks the sender address of the message. If the sender is from our own domain (the study.local line in the file /etc/postfix/ext_sender), the letter will be rejected. A letter with such a sender cannot come from any sender outside; it can be sent only by a user on our server. In that case the connection is protected by a login and password, and the letter is accepted according to the permit_sasl_authenticated rule, which stands before the rejecting rules.
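The ordering argument above, as a simplified first-match model in Python (an added example, not code from the original article and not Postfix's implementation). The trusted network, the rule order beyond "check_sender_access follows permit_sasl_authenticated", the reject text for relaying and the sample sessions are assumptions made for illustration.

```python
import ipaddress

# Assumption: the page's mynetworks value is not shown; loopback only is used here.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"study.local"}          # virtual_mailbox_domains
EXT_SENDER = {"study.local": "550 Do not use my domain in your envelope sender"}

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "permit" if any(ip in net for net in MYNETWORKS) else None

def permit_sasl_authenticated(s):
    return "permit" if s.get("sasl_user") else None

def check_sender_access(s):
    # Models hash:/etc/postfix/ext_sender: the table value is the action.
    return EXT_SENDER.get(domain(s["mail_from"]))

def reject_unauth_destination(s):
    return None if domain(s["rcpt_to"]) in LOCAL_DOMAINS else "reject: relay denied"

# Assumed order; the page only states that check_sender_access follows
# permit_sasl_authenticated.
RECIPIENT_RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated,
                          check_sender_access, reject_unauth_destination]

def evaluate(session, restrictions=RECIPIENT_RESTRICTIONS):
    """Return (rule name, result) for the first rule that decides."""
    for rule in restrictions:
        result = rule(session)
        if result is not None:
            return rule.__name__, result
    return "end of list", "permit"     # nothing rejected: message accepted

# Constructed sessions (203.0.113.0/24 is a documentation address range).
SPOOFED = {"client_ip": "203.0.113.7", "sasl_user": None,
           "mail_from": "user@study.local", "rcpt_to": "user@study.local"}
LOCAL_USER = dict(SPOOFED, sasl_user="user@study.local",
                  rcpt_to="friend@example.org")
INBOUND = dict(SPOOFED, mail_from="alice@example.org")
RELAY = dict(INBOUND, rcpt_to="bob@example.net")

if __name__ == "__main__":
    for name, s in [("spoofed", SPOOFED), ("local user", LOCAL_USER),
                    ("inbound", INBOUND), ("relay", RELAY)]:
        print(name, evaluate(s))
```

Passing a list with check_sender_access moved ahead of permit_sasl_authenticated makes the authenticated local user hit the 550 as well, which is why the permit rule has to come first.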

We also need to add another check:


This rule blocks message receipt in case of a wrong DNS configuration: a missing or wrong domain name (A record in DNS) or a missing or incorrect reverse zone (PTR record in DNS). You must insert this rule in the smtpd_helo_restrictions block right after the permit_sasl_authenticated rule.

Configuring Dovecot

Let’s configure Dovecot version 2.xx.

Unlike older versions of the application, we have many configuration files in the /etc/dovecot folder, and even subfolders.

Of course the whole configuration can be reduced to a single file, but this is not correct, because it contradicts the developers’ concept.

Open the main configuration file /etc/dovecot/dovecot.conf and bring it to the following form:

# Used protocol

protocols = imap

# Listen for connections on all interfaces

listen = *

# Work Directory

base_dir = /var/run/dovecot/

# Instance name (for display in the log)

instance_name = dovecot

# Greeting line

login_greeting = Dovecot ready.

# Disconnect clients when the master service is shutting down or restarting

shutdown_clients = yes

# Socket of the management service doveadm

doveadm_socket_path = doveadm-server

# Connecting additional configuration files

!include conf.d/*.conf

Now go to the folder /etc/dovecot/conf.d

Open the file 10-auth.conf and write two lines in it:

disable_plaintext_auth = no

auth_mechanisms = plain login

and at the end of the file comment out the line

!include auth-system.conf.ext

and uncomment

!include auth-passwdfile.conf.ext

Next, we will edit the file 10-mail.conf

mail_location = maildir:/var/spool/mail/%d/%n

mail_uid = 5000

mail_gid = 5000

mail_privileged_group = virtual

valid_chroot_dirs = /var/spool/mail/

The next file of interest is 10-master.conf:

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}

service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  # Auth process is run as this user.
  user = postfix
  group = postfix
}

And finally, in the file 10-ssl.conf, set the parameter:

ssl = no

Lastly, delete the file 15-mailboxes.conf.

Create mailboxes and aliases

Now create a user and mailbox for him:

Login — user@study.local

Password — password

Address — user@study.local

Create the necessary files in Postfix:

# touch /etc/postfix/vmailbox

# touch /etc/postfix/virtual

Enter the information about new mailbox in Postfix.

To do this, we will add a line to /etc/postfix/vmailbox:

user@study.local study.local/user/

Let’s create an alias for this mailbox. To do this, we will add a line to /etc/postfix/virtual:

postmaster@study.local user@study.local

And we will create an indexed map from these files:

# postmap /etc/postfix/virtual

# postmap /etc/postfix/vmailbox

Now we need to restart Postfix:

# service postfix restart
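A consistency check for the vmailbox and virtual entries above against the mail_location set in 10-mail.conf, written in Python as an added example (not part of the original article). The function names are hypothetical, and alias handling is simplified to a single target per address.

```python
import posixpath

VIRTUAL_MAILBOX_BASE = "/var/spool/mail/"              # from main.cf on the page
MAIL_LOCATION = "maildir:/var/spool/mail/%d/%n"        # from 10-mail.conf on the page

VMAILBOX = "user@study.local study.local/user/\n"      # /etc/postfix/vmailbox
VIRTUAL = "postmaster@study.local user@study.local\n"  # /etc/postfix/virtual

def parse_map(text):
    """Parse 'key value' lines of a postmap source file, skipping comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table

def postfix_path(rcpt, aliases, mailboxes, max_hops=10):
    """Follow aliases, then return (delivery path, is_maildir) or None."""
    addr = rcpt.lower()
    for _ in range(max_hops):          # bounded, so an alias loop cannot hang
        if addr not in aliases:
            break
        addr = aliases[addr].lower()
    rel = mailboxes.get(addr)
    if rel is None:
        return None
    # A trailing slash in the map value selects maildir delivery.
    return posixpath.join(VIRTUAL_MAILBOX_BASE, rel), rel.endswith("/")

def dovecot_path(login):
    """Expand %n (local part) and %d (domain) in mail_location."""
    user, _, dom = login.lower().partition("@")
    fmt, _, template = MAIL_LOCATION.partition(":")
    return fmt, template.replace("%d", dom).replace("%n", user)

def consistent(rcpt, login, aliases, mailboxes):
    """True when Postfix delivers to the directory Dovecot will read."""
    delivered = postfix_path(rcpt, aliases, mailboxes)
    if delivered is None:
        return False
    path, is_maildir = delivered
    fmt, expected = dovecot_path(login)
    return is_maildir == (fmt == "maildir") and path.rstrip("/") == expected.rstrip("/")

if __name__ == "__main__":
    aliases, mailboxes = parse_map(VIRTUAL), parse_map(VMAILBOX)
    for rcpt in ("user@study.local", "postmaster@study.local"):
        print(rcpt, consistent(rcpt, "user@study.local", aliases, mailboxes))
```

Dropping the trailing slash from the vmailbox value makes the check fail, because Postfix would then write an mbox file where Dovecot expects a maildir directory.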

Add data about our user in Dovecot.

Looking at the file auth-passwdfile.conf.ext, you can see that user logins and passwords should be stored in /etc/dovecot/users with the CRYPT password scheme.

Create a record for user@study.local with the password “user”.

$ doveadm pw -s CRYPT -u user@study.local -p user

Let’s insert the output string into the /etc/dovecot/users file



