email on vasilian.net

Start by reading this document about why you may not want to run an email server.

I decided to use (1) MTA=Postfix (2) MDA=Dovecot and (3) IMAP server.

I have not yet decided on Spam Filter, AntiVirus and Webmail.

Here is an overview of existing MTA programs.

Add the required DNS entries for the mail services.

Here is a guide on why and how to add the SPF record.

Here is a wiki page on the MX record (it always points to a hostname that has an A or AAAA record).


DNS records

Here is an article about email routing. Observe the last command:

dig vasilian.net mx

We now move on to installing the Let's Encrypt Certbot and creating an SSL certificate for the domain and its subdomains.

certbot --apache

This detects only the bare domain and the www host, but not the mail. subdomain.

Re-run with the expand option to include mail.vasilian.net as well:

certbot --expand -d www.vasilian.net,vasilian.net,mail.vasilian.net

Here is a page for crontab commands to list all jobs for current user or for all users.

To easily create a crontab job use this generator.

crontab -l
# fields: minute hour day-of-month month day-of-week
# "* * * * 1" would run the command every minute all day on Mondays; once a week is enough,
# certbot renew only replaces certificates that are close to expiry
0 3 * * 1 certbot renew >/dev/null 2>&1

To check that the SSL certificate is installed correctly, use the SSL Server Test page.

Now it's time to install postfix and dovecot. The setup will use Maildir format (instead of mbox) and the SSL certificate that was previously generated.

My 1st installation guide explains authentication via STARTTLS on smtp port 25.

A 2nd installation guide for CentOS7 has useful parameters for Dovecot.

A 3rd installation guide exists at DigitalOcean for Debian.

Also, here is a 4th guide I used for a better overview of the parameters. This one is for Ubuntu.

Here are my final changes for the setup.

/etc/postfix/main.cf

mail_owner = postfix
myhostname = mail.vasilian.net
mydomain = vasilian.net
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual
# only the local host may relay without authenticating
mynetworks = 127.0.0.0/8
relayhost =
home_mailbox = Maildir/
# SASL authentication is delegated to Dovecot over the socket defined in 10-master.conf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# default for all smtpd services: opportunistic TLS (master.cf overrides this per service),
# and AUTH is never offered on an unencrypted connection
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/vasilian.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/vasilian.net/privkey.pem
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
# which SASL logins own which sender addresses (used by reject_sender_login_mismatch in master.cf)
smtpd_sender_login_maps = $virtual_alias_maps
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

/etc/postfix/master.cf

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Port 25 (MX). Note: smtpd_tls_security_level=encrypt refuses mail from any
# sending MTA that cannot do STARTTLS; the Postfix TLS_README documents "may"
# as the interoperable setting for a public MX host.
smtp       inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtp
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_sender_login_maps=$virtual_alias_maps
  -o smtpd_sender_restrictions=reject_sender_login_mismatch

# Port 587 (submission): TLS and SASL authentication are mandatory, and an
# authenticated user may only use the sender addresses mapped to their login.
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sender_login_maps=$virtual_alias_maps
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,reject

Edit /etc/postfix/virtual (AT below stands for @):

mihaiATvasilian.net    mihai
rootATvasilian.net     mihai

Here is a guide on Postfix parameters. Of interest here were virtual(5) and $inet_interfaces.

After /etc/postfix/virtual is edited, the lookup database must be regenerated with:

postmap /etc/postfix/virtual
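What the combination of smtpd_sender_login_maps = $virtual_alias_maps and reject_sender_login_mismatch in master.cf does with this map is easier to see written out. The Python model below is an added example, not Postfix code and not code from these notes: VIRTUAL_MAP is a constructed copy of the two entries above, the scenarios are constructed, and the lookup is simplified to the full address only (Postfix also tries the partial forms described under smtpd_sender_login_maps in postconf(5)).

```python
from typing import Dict, Optional, Set, Tuple

# Constructed copy of the /etc/postfix/virtual map above (address -> login).
# Postfix reads the postmap'ed hash: file; this model reads the dict directly.
VIRTUAL_MAP: Dict[str, str] = {
    "mihai@vasilian.net": "mihai",
    "root@vasilian.net": "mihai",
}


def owners_of(address: str, login_maps: Dict[str, str]) -> Set[str]:
    """Login names that own a sender address. Simplification (assumed): only
    the full address is looked up; Postfix also tries partial forms as
    documented in postconf(5). A map value may list several logins
    separated by commas."""
    value = login_maps.get(address.lower())
    if value is None:
        return set()
    return {v.strip() for v in value.split(",") if v.strip()}


def sender_login_decision(mail_from: str, sasl_login: Optional[str],
                          login_maps: Dict[str, str]) -> Tuple[bool, str]:
    """Model of reject_sender_login_mismatch (postconf(5)): reject when the
    address has an owner and the client is not logged in as that owner, or
    when the client is logged in but does not own the address."""
    owners = owners_of(mail_from, login_maps)
    if sasl_login is None:
        if owners:
            return False, (f"<{mail_from}> is owned by {sorted(owners)} "
                           "but the client is not authenticated")
        return True, f"<{mail_from}> has no local owner; other restrictions decide"
    if sasl_login in owners:
        return True, f"{sasl_login} owns <{mail_from}>"
    return False, f"{sasl_login} is authenticated but does not own <{mail_from}>"


# Constructed scenarios: (MAIL FROM address, SASL login or None if unauthenticated)
SCENARIOS = [
    ("mihai@vasilian.net", "mihai"),   # own address: permitted
    ("root@vasilian.net", "mihai"),    # alias mapped to the same login: permitted
    ("mihai@vasilian.net", None),      # outsider using a locally owned address: rejected
    ("root@vasilian.net", "alice"),    # wrong account: rejected
    ("alice@vasilian.net", "mihai"),   # authenticated, address has no owner: rejected
    ("someone@example.org", None),     # ordinary inbound mail: not this restriction's job
]


def evaluate(scenarios=SCENARIOS, login_maps=VIRTUAL_MAP):
    """Return (mail_from, login, permitted, reason) for every scenario."""
    return [(mf, login, *sender_login_decision(mf, login, login_maps))
            for mf, login in scenarios]


if __name__ == "__main__":
    for mf, login, ok, why in evaluate():
        verdict = "PERMIT" if ok else "REJECT"
        print(f"{verdict} MAIL FROM:<{mf}> login={login!r}: {why}")
```

The third scenario is the one that matters on port 25: an unauthenticated sender claiming to be root@vasilian.net is refused even though root@ is only an alias, because the alias entry gives the address an owner.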

Edit /etc/dovecot/dovecot.conf

# "imaps" is Dovecot 1.x syntax; in Dovecot 2.x the imaps listener is
# configured by the inet_listener imaps block in 10-master.conf
protocols = imap imaps

Edit /etc/dovecot/conf.d/10-auth.conf (not the .conf.orig backup copy: the default dovecot.conf only includes conf.d/*.conf)

disable_plaintext_auth = yes
auth_mechanisms = plain login

Edit /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:~/Maildir

Edit /etc/dovecot/conf.d/10-master.conf

service auth {
  # the socket Postfix reaches as private/auth (smtpd_sasl_path) from inside its chroot;
  # it lives in Postfix's private/ directory, which only the postfix user can enter,
  # so 0666 here does not expose it (0660 works equally well with these owners)
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

Edit /etc/dovecot/conf.d/10-ssl.conf

ssl = yes
# the leading "<" tells Dovecot to read the value from the named file
ssl_cert = </etc/letsencrypt/live/vasilian.net/fullchain.pem
ssl_key  = </etc/letsencrypt/live/vasilian.net/privkey.pem
# Dovecot 2.2 syntax; Dovecot 2.3 replaces this with ssl_min_protocol (e.g. TLSv1.2)
ssl_protocols = !SSLv2 !SSLv3

Edit /etc/dovecot/conf.d/20-pop3.conf

# only takes effect if pop3 is added to protocols (it is not, above)
pop3_uidl_format = %08Xu%08Xv

Here is a guide on how to set the reverse DNS for a DigitalOcean droplet.

Rename the droplet from CentOS7-512MB-FRA1-01 to vasilian.net and DigitalOcean will automatically assign a PTR record for the domain.

Reverse DNS

Check whether the IP has a reverse DNS entry with:

host 138.68.68.112
112.68.68.138.in-addr.arpa domain name pointer vasilian.net.
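The two DNS properties the notes rely on, that the MX target has an address record of its own and that the server's IP has a PTR which resolves back to it (forward-confirmed reverse DNS), can be checked together. The Python script below is an added example, not part of these notes or of any tool mentioned here; the answers in SAMPLE_ZONE are constructed from the values shown above, and the live_lookup helper assumes the dnspython package is installed.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# lookup(name, rtype) -> list of answer strings; names carry a trailing dot,
# the way resolvers return them.
Lookup = Callable[[str, str], List[str]]


def reverse_name(ip: str) -> str:
    """in-addr.arpa / ip6.arpa owner name for an address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_mx(domain: str, lookup: Lookup) -> Tuple[bool, List[str]]:
    """Every MX target must have an A or AAAA record of its own; an MX that
    names a host without an address record delivers nothing."""
    problems: List[str] = []
    targets = lookup(domain, "MX")
    if not targets:
        problems.append(f"{domain}: no MX record")
    for host in targets:
        if not (lookup(host, "A") or lookup(host, "AAAA")):
            problems.append(f"{host}: MX target has no A/AAAA record")
    return (not problems, problems)


def check_fcrdns(ip: str, expected_names: List[str],
                 lookup: Lookup) -> Tuple[bool, List[str]]:
    """Forward-confirmed reverse DNS: the PTR for ip must name a host that
    resolves back to ip, and that name should be the HELO name or the
    domain, otherwise receiving MTAs treat the sender as suspicious."""
    problems: List[str] = []
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return False, [f"{ip}: no PTR record"]
    rtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
    wanted = {n.rstrip(".").lower() for n in expected_names}
    for name in ptrs:
        if ip not in lookup(name, rtype):
            problems.append(f"{name}: PTR target does not resolve back to {ip}")
        if name.rstrip(".").lower() not in wanted:
            problems.append(f"{name}: PTR name is none of {sorted(wanted)}")
    return (not problems, problems)


def dict_lookup(answers: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Offline resolver backed by a dict of (name, rtype) -> answers."""
    return lambda name, rtype: list(answers.get((name.lower(), rtype), []))


def live_lookup(name: str, rtype: str) -> List[str]:
    """Real resolver for use outside tests; assumes dnspython is installed."""
    import dns.exception
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, rtype)
    except dns.exception.DNSException:
        return []
    if rtype == "MX":
        return [r.exchange.to_text() for r in answer]
    return [r.to_text() for r in answer]


# Constructed answers mirroring the notes: the MX target and the PTR that
# `host 138.68.68.112` printed above.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("vasilian.net", "MX"): ["mail.vasilian.net."],
    ("mail.vasilian.net.", "A"): ["138.68.68.112"],
    ("vasilian.net.", "A"): ["138.68.68.112"],
    ("112.68.68.138.in-addr.arpa.", "PTR"): ["vasilian.net."],
}

if __name__ == "__main__":
    lookup = dict_lookup(SAMPLE_ZONE)   # swap in live_lookup for a real run
    print(check_mx("vasilian.net", lookup))
    print(check_fcrdns("138.68.68.112", ["mail.vasilian.net", "vasilian.net"], lookup))
```

Passing live_lookup instead of dict_lookup(SAMPLE_ZONE) runs the same two checks against the real zone; the injected lookup is what keeps the logic testable without network access.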

Let's check the mail server functionality.

What ports are open?

nmap vasilian.net

PORT    STATE  SERVICE
25/tcp  open   smtp
143/tcp open   imap
587/tcp open   submission
993/tcp open   imaps

Standard ports per protocol:

Protocol    Usage          Plain text / encrypted session   Encrypted session only
POP3        Incoming mail  110                              995
IMAP        Incoming mail  143                              993
SMTP        Outgoing mail  25                               465
Submission  Outgoing mail  587                              -

Is AUTH PLAIN LOGIN available unencrypted? It should not be, and the EHLO reply below confirms it: there is no 250-AUTH line before STARTTLS.

telnet vasilian.net smtp
ehlo vasilian.net

250-mail.vasilian.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Does MAIL FROM: work unencrypted?

telnet vasilian.net smtp
MAIL FROM: user@vasilian.net
530 5.7.0 Must issue a STARTTLS command first

Does encrypted authentication work?

# build the SASL PLAIN credential (\0user\0password, base64-encoded); use real login data
echo -ne '\0user\0password' | base64
AHVzZXIAcGFzc3dvcmQ=

openssl s_client -connect vasilian.net:25 -starttls smtp
ehlo vasilian.net

250-mail.vasilian.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

AUTH PLAIN
334 
AHVzZXIAcGFzc3dvcmQ=
235 2.7.0 Authentication successful

quit
221 2.0.0 Bye
closed
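The three manual checks above (no AUTH before STARTTLS, AUTH PLAIN LOGIN offered once TLS is up, and the base64 PLAIN credential) can be scripted so they are repeatable after every configuration change. The Python below is an added example, not code from these notes: EHLO_PLAINTEXT and EHLO_TLS are constructed from the replies shown above, and live_audit, which uses the standard library smtplib against a real host, is assumed usage and is not part of the offline checks.

```python
import base64
import smtplib
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed from the EHLO replies shown above: before and after STARTTLS.
EHLO_PLAINTEXT = """250-mail.vasilian.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_TLS = """250-mail.vasilian.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [params]}; the first
    line carries the server's name and is skipped."""
    caps: Dict[str, List[str]] = {}
    lines = reply.strip().splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def audit_capabilities(plaintext_reply: str, tls_reply: Optional[str]) -> List[str]:
    """Defender's view of the checks above: AUTH must not be advertised before
    STARTTLS, STARTTLS must be offered, and AUTH should appear inside TLS.
    Returns a list of findings; an empty list means the server behaves."""
    findings: List[str] = []
    before = parse_ehlo(plaintext_reply)
    if "AUTH" in before:
        findings.append("AUTH offered on the plaintext connection")
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised")
    if tls_reply is not None:
        after = parse_ehlo(tls_reply)
        if "AUTH" not in after:
            findings.append("AUTH not offered even after STARTTLS")
        elif not {"PLAIN", "LOGIN"} & set(after["AUTH"]):
            findings.append(f"unexpected AUTH mechanisms: {after['AUTH']}")
    return findings


def sasl_plain(username: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN initial response: authzid NUL authcid NUL passwd, base64."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_sasl_plain(token: str) -> Tuple[str, str, str]:
    """Inverse of sasl_plain, as the server sees the credential."""
    authzid, authcid, passwd = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, authcid, passwd


def live_audit(host: str, port: int = 25) -> List[str]:
    """Same audit against a running server (needs network; assumed usage only)."""
    findings: List[str] = []
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if smtp.has_extn("auth"):
            findings.append("AUTH offered on the plaintext connection")
        if not smtp.has_extn("starttls"):
            return findings + ["STARTTLS not advertised"]
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()
        if not smtp.has_extn("auth"):
            findings.append("AUTH not offered even after STARTTLS")
    return findings


if __name__ == "__main__":
    print("findings:", audit_capabilities(EHLO_PLAINTEXT, EHLO_TLS) or "none")
    print("AUTH PLAIN token for user/password:", sasl_plain("user", "password"))
```

Running live_audit against the server is the scripted form of the telnet and openssl s_client sessions above; feeding a captured EHLO reply to audit_capabilities gives the same verdict offline.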
