Setup a Mail Server with Postfix and Fetchmail
Previous Update: Dec 13 2019
Latest Update: Dec 14 2020
OS: Kubuntu 18.04
Postfix is a mail server,or MTA (Mail Transfer Agent). It accepts messages and delivers them.(Postfix created by Wietse Venema)
Fetchmail is a remote-mail retrieval system, providing home users, who don't have corporate accounts, the ability to pull down mail from an ISP, or in this case Gmail, to our local Linux box.
01 - Configure the hostname:
To see your hostname:
hostname -f
And to change your hostname:
sudo hostnamectl set-hostname YOURHOSTNAME
02 - Install Postfix:
sudo apt-get update
sudo apt-get install postfix
General type of mail configuration:
- 'No configuration' -> means the installation process will not configure any parameters.
- 'Internet Site' -> means using Postfix for sending emails to other MTAs and receiving email from other MTAs.
- 'Internet with smarthost' -> means using postfix to receive email from other MTAs, but using another smart host to relay emails to the recipient.
- 'Satellite system' -> means using smart host for sending and receiving email.
- 'Local only' -> means emails are transmitted only between local user accounts.
System mail name:
Next, enter your domain name for the system mail name, i.e. the domain name after @ symbol. This domain name will be appended to addresses that doesn’t have a domain name specified. Once installed, Postfix will be automatically started and a /etc/postfix/main.cf file will be generated. Now we can check Postfix version with this command:
sudo postconf mail_version
Postfix ships with many binaries under the /usr/sbin/ directory, as can be seen with the following command.
dpkg -L postfix | grep /usr/sbin/
Output:
/usr/sbin/postalias /usr/sbin/postcat /usr/sbin/postconf /usr/sbin/postdrop /usr/sbin/postfix /usr/sbin/postfix-add-filter /usr/sbin/postfix-add-policy /usr/sbin/postkick /usr/sbin/postlock /usr/sbin/postlog /usr/sbin/postmap /usr/sbin/postmulti /usr/sbin/postqueue /usr/sbin/postsuper /usr/sbin/posttls-finger /usr/sbin/qmqp-sink /usr/sbin/qmqp-source /usr/sbin/qshape /usr/sbin/rmail /usr/sbin/sendmail /usr/sbin/smtp-sink /usr/sbin/smtp-source
Sample Settings:
General type of mail configuration: Internet with smarthost
System mail name: DOMAIN.TLD
Root and postmaster mail recipient: YOURUSERNAME
Other destinations to accept mail for: $myhostname, DOMAIN.TLD, mail.DOMAIN.TLD, localhost.DOMAIN.TLD, localhost
Force synchronous updates on mail queue?: no
Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
Mailbox size limit: (in ubuntu)0
Local address extension character:+
Internet protocols to use: all
To reconfigure Postfix:
sudo dpkg-reconfigure postfix
You can find Postfix configs in /etc/postfix/
Postfix main configs: /etc/postfix/main.cf
03 - Open ports in firewall
Ubuntu doesn’t enable a firewall by default. If you have enabled the UFW firewall, you need to open 25, 587, 465, 143, 993 ports with the following command, so Postfix can receive emails from other SMTP servers.
sudo ufw allow 25/tcp
sudo ufw allow 587/tcp
sudo ufw allow 465/tcp
sudo ufw allow 143/tcp
sudo ufw allow 993/tcp
04 - Checking If Port 25 (outbound) is blocked
telnet localhost 25
If it’s not blocked, you would see messages like below, which indicates a connection is successfully established. (Hint: Type in quit and press Enter to close the connection.)
Trying 74.125.68.26... Connected to localhost Escape character is '^]'. 220 MAIL.DOMAIN.TLD ESMTP Postfix (Ubuntu)
05 - Generating Certificates:
In the following commands, replace “MAIL.DOMAIN.TLD” with the host name of your own server.
First generate a private key for the server (supply the key with a password, and don’t forget it!):
openssl genrsa -des3 -out MAIL.DOMAIN.TLD.key 2048
Then you create a certificate request:
openssl req -new -key mail.domain.tld.key -out MAIL.DOMAIN.TLD.csr
Fields you must fill:
Enter pass phrase for MAIL.DOMAIN.TLD.key: YOURHOSTNAME
Common Name (eg, YOUR name) []: MAIL.DOMAIN.TLD
* Leave blank other fields
Create a self signed key:
openssl x509 -req -days 365 -in MAIL.DOMAIN.TLD.csr -signkey MAIL.DOMAIN.TLD.key -out MAIL.DOMAIN.TLD.crt
Now remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix):
openssl rsa -in MAIL.DOMAIN.TLD.key -out MAIL.DOMAIN.TLD.key.nopass
mv MAIL.DOMAIN.TLD.key.nopass MAIL.DOMAIN.TLD.key
Make ourself a trusted CA:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Fields you must fill:
Enter pass phrase for MAIL.DOMAIN.TLD.key: YOURHOSTNAME
Common Name (eg, YOUR name) []: MAIL.DOMAIN.TLD
* Leave blank other fields
Now we have made ourselves a new set of keys.
Last thing to do is copy the files to a proper location and tell postfix to use the new keyfiles.
Copy the files into a proper location:
chmod 600 mail.domain.tld.key
chmod 600 cakey.pem
mv mail.domain.tld.key /etc/ssl/private/
mv mail.domain.tld.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/
Tell Postfix where the keys are and use TLS:
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/MAIL.DOMAIN.TLD.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = MAIL.DOMAIN.TLD'
You can change settings in /etc/postfix/main.cf
06 - Postfix main.cf
My postfix main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = no # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on # fresh installs. compatibility_level = 2 # TLS parameters # For Server smtpd_use_tls=yes smtpd_tls_cert_file=/etc/ssl/certs/mail.reganto.ir.crt smtpd_tls_key_file=/etc/ssl/private/mail.reganto.ir.key
smtpd_tls_CAfile=/etc/ssl/certs/cacert.pem smtpd_tls_auth_only=no smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache # For Client smtp_use_tls=yes smtp_tls_cert_file=/etc/ssl/certs/mail.reganto.ir.crt
smtp_tls_key_file=/etc/ssl/private/mail.reganto.ir.key
smtp_tls_CAfile=/etc/ssl/certs/cacert.pem # smtp_tls_auth_only=no smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache tls_random_source = dev:/dev/urandom # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = mail.reganto.ir
alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = $myhostname, mail.reganto.ir, reganto.ir, localhost.com, localhost
# relayhost = [smtp.gmail.com]:587 # fallback_relay = relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all ## SASL Settings smtpd_sasl_auth_enable = no smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtpd_sasl_local_domain = $myhostname smtp_sasl_security_options = noanonymous #smtp_sasl_security_options = smtp_sasl_tls_security_options = noanonymous # smtpd_sasl_application_name = smtpd # Disable DNS Lookups disable_dns_lookups = yes # Generic Mechanism smtp_generic_maps = hash:/etc/postfix/generic # Transport Mechanism transport_maps = hash:/etc/postfix/transport # LOG ;) smtp_tls_loglevel = 8 virtual_alias_maps = hash:/etc/postfix/virtual # Report troubles to postmaster error_notice_recipient = postmaster notify_classes = resource, software # smtp_tls_per_site = hash:/etc/postfix/smtp_tls_per_site smtp_tls_policy_maps = hash:/etc/postfix/tls_policy smtpd_enforce_tls = no
Notice the difference between "smtp" and "smtpd". One is for client connectivity and the other is for connecting to this server.
To find functionality of other parameters please check Postfix Documentation .
07 - Install MUA(mail user agent) to Send and Read Email
sudo apt-get install mailutils
To send email, type
mail USERNAME
08 - Create a new account on Postfix
The simple way to add a user is to simply add a new account on the system. Postfix will handle the rest. For example, on my Ubuntu, I'd just create new user with the following command, and Postfix would just do the right thing with regard to sending mail to that user, delivered locally.
sudo adduser USERNAME
But what if you don't want to create a system account for the user? You should have a virtual domain set up that is not configured as a mydestination domain.(Postfix doc)
Add virtual map to main.cf:
sudo postconf -e 'virtual_alias_maps= hash:/etc/postfix/virtual'
Next, we can set up the virtual maps file. Open the file in your text editor:
sudo vim /etc/postfix/virtual
The virtual alias map table uses a very simple format. On the left, you can list any addresses that you wish to accept email for. Afterwards, separated by whitespace, enter the Linux user you’d like that mail delivered to.
For example, if you would like to accept email at contact@DOMAIN.TLD and dev@DOMAIN.TLD and would like to have those emails delivered to the reganto Linux user, you could set up your file like this:
contact@DOMAIN.TLD reganto dev@DOMAIN.TLD reganto
After you’ve mapped all of the addresses to the appropriate server accounts, save and close the file.
We can apply the mapping by typing:
sudo postmap /etc/postfix/virtual
Restart the Postfix process to be sure that all of our changes have been applied:
sudo service postfix restart
09 - Creating Email Alias
There are certain required aliases that you should configure when operating your mail server in a production environment. You can add email alias in the /etc/aliases file, which is a special Postfix lookup table file using a Sendmail-compatible format.
sudo vim /etc/aliases
By default, there are only two lines in this file.
# See man 5 aliases for format postmaster: root root: USERNAME
The first line is a comment. The second line is the only definition of an alias in this file. The left-hand side is the alias name. The right-hand side is the final destination of the email message. So emails for postmaster@DOMAIN.TLD will be delivered to root@DOMAIN.TLD. The postmaster email address is required by RFC 2142.
Normally we don’t use the root email address. Instead, the postmaster can use a normal login name to access emails. So you can add the following line. Replace USERNAME with your real username.
This way, emails for postmaster@DOMAIN.TLD will be delivered to username@your-domain.com. Now you can save and close the file. Then rebuild the alias database with the 'newaliases' command
sudo newaliases
10 - sasl_passwd
In the "main.cf" file, there are several hashed files, or Berkeley DB files which will have to be created. Look again at the recommended entries in "main.cf", and you will notice "hash:" in front of these values. For example "hash:/etc/postfix/sasl_passwd".
Below is a sample sasl_passwd file. This will login to smtp.gmail.com with username 'rreganto', using the password 'asdfqwerasacoiap'(Gmail App Password). As of Aug 2008, I noticed that gmail is only accepting connections on port 587.
# Contents of sasl_passwd [smtp.gmail.com]:587 rreganto@gmail.com:asdfqwerasacoiap
* Get a Gmail App Password for Postfix
* sasl_password should be created in /etc/postfix/
Next, this file must be converted to hash format, with the following command.
postmap /etc/postfix/sasl_passwd
The "postmap" command must be run anytime "sasl_passwd" is changed, because this creates the "sasl_passwd.db" that postfix reads.
After you have done the above command, run this simple "hash" key test.
postmap -q [smtp.gmail.com]:587 sasl_passwd
Output:
rreganto@gmail.com:asdfqwerasacoiap
You'll need to protect your password so that only the postfix group and root can read it by changing the access rights as follows:
chown root.postfix sasl_passwd*
chmod 0640 sasl_passwd*
* Add following lines to main.cf (sasl_passwd configs)
## SASL Settings smtpd_sasl_auth_enable = no smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtpd_sasl_local_domain = $myhostname smtp_sasl_security_options = noanonymous #smtp_sasl_security_options = smtp_sasl_tls_security_options = noanonymous # smtpd_sasl_application_name = smtpd
11 - generic (Postfix on hosts without a real Internet hostname)
This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names.
Postfix uses the generic address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine.
The following example presents additional configuration.
Add this line to main.cf:
smtp_generic_maps = hash:/etc/postfix/generic
create 'generic' in /etc/postfix/:
sudo vim /etc/postfix/generic
This is my generic:
@mail.reganto.ir rreganto@gmail.com
Means every local email address from 'mail.reganto.ir' have a valid address 'rreganto@gmail.com'. you can create your own.
Sample generic:
dev@HOSTNAME.LOCAL ACCOUNT1@ISP.TLD foo@HOSTNAME.LOCAL ACCOUNT2@ISP.TLD
Next, this file must be converted to hash format, with the following command.
postmap /etc/postfix/generic
The "postmap" command must be run anytime "generic" is changed, because this creates the "generic.db" that postfix reads.
12 - Transport
Transport is a dispatcher table. this table send local emails to other accounts on machine and send emails to remote via SMTP RELAY.
This is my transport :
# Internal Delivery mail.reganto.ir : # External Delivery * smtp:[smtp.gmail.com]:587
Means every email with 'mail.reganto.ir' as hostname send to local and other emails send to 'smtp.gmail.com:587' as smtp relay. please check Postfix doc for more information.
Next, this file must be converted to hash format, with the following command.
postmap /etc/postfix/transport
The "postmap" command must be run anytime "transport" is changed, because this creates the "transport.db" that postfix reads.
13 - Fetchmail
Fetchmail pulls the email down from Google's Gmail, since for a home user with a fake domain and changing IP address their email server will not forward the email.
Again, it is very important to setup fetchmail with some type of encryption. STARTTLS encryption works well, since you have already installed the necessary openssl files. You just need to pickup the necessary keys, and put them in the proper format.
sudo apt-get install fetchmail
14 - Google Gmail Certificates
openssl s_client -connect pop.gmail.com:995 -showcerts
The command above will return the certificate from Google's Gmail. Next, you need to copy the FIRST certificate part, which is everything between the "BEGIN CERTIFICATE" part and "END CERTIFICATE" part, and save this to ~/certs/.certs/ as 'gmail.pem' .(create these folders)
Now you need a ROOT CERTIFICATE. You can use equifax or verisign or globalsign or ...
15 - Certificate of the CA
Equifax :
Equifax Secure CA ================= MD5 Fingerprint: 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4 PEM Data: -----BEGIN CERTIFICATE----- MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1 MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y 7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh 1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4 -----END CERTIFICATE-----
Save this in ~/certs/.certs as equifax.pem
16 - Rehash or Creating Symlinks
Once you have created these files, you will need to run the "c_rehash" command to create the necessary sym-links.
c_rehash ~/certs/.certs
17 - Checking the Certificate
It's possible to check the certificates as with the "openssl s_client" command as follows:
openssl s_client -connect pop.gmail.com:995 -CApath ~/certs/.certs/
The "verify return code: 0 (ok)" indicates the certificate was verified. you MUST have a valid certificate otherwise gmail send back '21' or '2' or '20' code that means the certificate has not been verified.
18 - The Fetchmail config
Fetchmail config for specific put in /home/USERNAME/.fetchmailrc. (for all users /etc/fetchmailrc)
For more infornation about Fetchmail please check Fetchmail Doc. following is a .fetchmailrc sample config:
poll mail.example.com protocol pop3:
username "elessar" password "lkfhsifvmaksadel" there is "aragorn" here;
username "mithrandir" password "qwokmnspkiuamjrt" there is "gandalf" here;
* Get a Gmail App Password for Fetchmail
This is my .fetchmailrc:
# Check mail every 600 seconds
set daemon 600
set syslog
set postmaster reganto
#set bouncemail
# user 'rreganto@gmail.com' with password "uiemjapqkjfutyhr" is 'reganto' here options ssl sslcertck sslcertpath '~/certs/.certs' keep
#
poll pop.gmail.com with proto POP3 and options no dns
user 'rreganto@gmail.com' there with password "uiemjapqkjfutyhr" is 'reganto' here options ssl sslcertck sslcertpath '/home/reganto/certs/.certs'
# deliver email to postfix on localhost
smtphost localhost
# You would use this to by-pass Postfix
# mda '/usr/bin/procmail -d %T'
* Make sure 'smtpd_enforce_tls' is left unset, or is set to no, in the "/etc/postfix/main.cf" file.
* 'set daemon 600' -> The fetchmail binary with run in the background in daemon mod and fetch mail from the server every 600 seconds or 10 minutes. Please do not check more often than every 10 minutes, else google may block or ban you, as that just overloads their systems.
19 - Fetchmail Commands
Below are some of the more common fetchmail commands.
fetchmail -q # quits fetchmail daemon fetchmail -v # start fetchmail daemon in verbose mode fetchmail -c # checks for email only fetchmail -S localhost # delivers mail to your Postfix server
20 - resources
- postfix.org
- souptonuts.sourceforge.net/postfix_tutorial.html
- linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu
- fetchmail.info
- other
* Special thanks to Dr. Majid Mousavi