Other :: رگانتو

Setup a Mail Server with Postfix and Fetchmail

Previous Update: Dec 13 2019

Latest Update: Dec 14 2020

OS: Kubuntu 18.04

Postfix is a mail server,or MTA (Mail Transfer Agent). It accepts messages and delivers them.(Postfix created by Wietse Venema)

Fetchmail is a remote-mail retrieval system, providing home users, who don't have corporate accounts, the ability to pull down mail from an ISP, or in this case Gmail, to our local Linux box.

01 - Configure the hostname:

To see your hostname:

hostname -f

And to change your hostname:

sudo hostnamectl set-hostname YOURHOSTNAME

02 - Install Postfix:

sudo apt-get update

sudo apt-get install postfix

General type of mail configuration:

'No configuration' -> means the installation process will not configure any parameters.
'Internet Site' -> means using Postfix for sending emails to other MTAs and receiving email from other MTAs.
'Internet with smarthost' -> means using postfix to receive email from other MTAs, but using another smart host to relay emails to the recipient.
'Satellite system' -> means using smart host for sending and receiving email.
'Local only' -> means emails are transmitted only between local user accounts.

System mail name:

Next, enter your domain name for the system mail name, i.e. the domain name after @ symbol. This domain name will be appended to addresses that doesn’t have a domain name specified. Once installed, Postfix will be automatically started and a /etc/postfix/main.cf file will be generated. Now we can check Postfix version with this command:

sudo postconf mail_version

Postfix ships with many binaries under the /usr/sbin/ directory, as can be seen with the following command.

dpkg -L postfix | grep /usr/sbin/

Output:

/usr/sbin/postalias
/usr/sbin/postcat
/usr/sbin/postconf
/usr/sbin/postdrop
/usr/sbin/postfix
/usr/sbin/postfix-add-filter
/usr/sbin/postfix-add-policy
/usr/sbin/postkick
/usr/sbin/postlock
/usr/sbin/postlog
/usr/sbin/postmap
/usr/sbin/postmulti
/usr/sbin/postqueue
/usr/sbin/postsuper
/usr/sbin/posttls-finger
/usr/sbin/qmqp-sink
/usr/sbin/qmqp-source
/usr/sbin/qshape
/usr/sbin/rmail
/usr/sbin/sendmail
/usr/sbin/smtp-sink
/usr/sbin/smtp-source

Sample Settings:

General type of mail configuration: Internet with smarthost

System mail name: DOMAIN.TLD

Root and postmaster mail recipient: YOURUSERNAME

Other destinations to accept mail for: $myhostname, DOMAIN.TLD, mail.DOMAIN.TLD, localhost.DOMAIN.TLD, localhost

Force synchronous updates on mail queue?: no

Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

Mailbox size limit: (in ubuntu)0

Local address extension character:+

Internet protocols to use: all

To reconfigure Postfix:

sudo dpkg-reconfigure postfix

You can find Postfix configs in /etc/postfix/

Postfix main configs: /etc/postfix/main.cf

03 - Open ports in firewall

Ubuntu doesn’t enable a firewall by default. If you have enabled the UFW firewall, you need to open 25, 587, 465, 143, 993 ports with the following command, so Postfix can receive emails from other SMTP servers.

sudo ufw allow 25/tcp

sudo ufw allow 587/tcp

sudo ufw allow 465/tcp

sudo ufw allow 143/tcp

sudo ufw allow 993/tcp

04 - Checking If Port 25 (outbound) is blocked

telnet localhost 25

If it’s not blocked, you would see messages like below, which indicates a connection is successfully established. (Hint: Type in quit and press Enter to close the connection.)

Trying 74.125.68.26...
Connected to localhost
Escape character is '^]'.
220 MAIL.DOMAIN.TLD ESMTP Postfix (Ubuntu)

05 - Generating Certificates:

In the following commands, replace “MAIL.DOMAIN.TLD” with the host name of your own server.

First generate a private key for the server (supply the key with a password, and don’t forget it!):

openssl genrsa -des3 -out MAIL.DOMAIN.TLD.key 2048

Then you create a certificate request:

openssl req -new -key mail.domain.tld.key -out MAIL.DOMAIN.TLD.csr

Fields you must fill:

Enter pass phrase for MAIL.DOMAIN.TLD.key: YOURHOSTNAME

Common Name (eg, YOUR name) []: MAIL.DOMAIN.TLD

* Leave blank other fields

Create a self signed key:

openssl x509 -req -days 365 -in MAIL.DOMAIN.TLD.csr -signkey MAIL.DOMAIN.TLD.key -out MAIL.DOMAIN.TLD.crt

Now remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix):

openssl rsa -in MAIL.DOMAIN.TLD.key -out MAIL.DOMAIN.TLD.key.nopass

mv MAIL.DOMAIN.TLD.key.nopass MAIL.DOMAIN.TLD.key

Make ourself a trusted CA:

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Fields you must fill:

Enter pass phrase for MAIL.DOMAIN.TLD.key: YOURHOSTNAME

Common Name (eg, YOUR name) []: MAIL.DOMAIN.TLD

* Leave blank other fields

Now we have made ourselves a new set of keys.

Last thing to do is copy the files to a proper location and tell postfix to use the new keyfiles.

Copy the files into a proper location:

chmod 600 mail.domain.tld.key

chmod 600 cakey.pem

mv mail.domain.tld.key /etc/ssl/private/

mv mail.domain.tld.crt /etc/ssl/certs/

mv cakey.pem /etc/ssl/private/

mv cacert.pem /etc/ssl/certs/

Tell Postfix where the keys are and use TLS:

postconf -e 'smtpd_use_tls = yes'

postconf -e 'smtpd_tls_auth_only = no'

postconf -e 'smtpd_tls_key_file = /etc/ssl/private/MAIL.DOMAIN.TLD.key'

postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt'

postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'

postconf -e 'tls_random_source = dev:/dev/urandom'

postconf -e 'myhostname = MAIL.DOMAIN.TLD'

You can change settings in /etc/postfix/main.cf

06 - Postfix main.cf

My postfix main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters

# For Server
smtpd_use_tls=yes
smtpd_tls_cert_file=/etc/ssl/certs/mail.reganto.ir.crt
smtpd_tls_key_file=/etc/ssl/private/mail.reganto.ir.key
smtpd_tls_CAfile=/etc/ssl/certs/cacert.pem
smtpd_tls_auth_only=no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# For Client
smtp_use_tls=yes
smtp_tls_cert_file=/etc/ssl/certs/mail.reganto.ir.crt
smtp_tls_key_file=/etc/ssl/private/mail.reganto.ir.key
smtp_tls_CAfile=/etc/ssl/certs/cacert.pem
# smtp_tls_auth_only=no
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

tls_random_source = dev:/dev/urandom

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.reganto.ir

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mail.reganto.ir, reganto.ir, localhost.com, localhost
# relayhost = [smtp.gmail.com]:587
# fallback_relay = 
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

##  SASL Settings

smtpd_sasl_auth_enable = no

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
# smtpd_sasl_application_name = smtpd

# Disable DNS Lookups
disable_dns_lookups = yes

# Generic Mechanism
smtp_generic_maps = hash:/etc/postfix/generic

# Transport Mechanism
transport_maps = hash:/etc/postfix/transport

# LOG ;)
smtp_tls_loglevel = 8
virtual_alias_maps = hash:/etc/postfix/virtual

# Report troubles to postmaster
error_notice_recipient = postmaster
notify_classes = resource, software

# smtp_tls_per_site = hash:/etc/postfix/smtp_tls_per_site

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

smtpd_enforce_tls = no

Notice the difference between "smtp" and "smtpd". One is for client connectivity and the other is for connecting to this server.

To find functionality of other parameters please check Postfix Documentation .

07 - Install MUA(mail user agent) to Send and Read Email

sudo apt-get install mailutils

To send email, type

mail USERNAME

08 - Create a new account on Postfix

The simple way to add a user is to simply add a new account on the system. Postfix will handle the rest. For example, on my Ubuntu, I'd just create new user with the following command, and Postfix would just do the right thing with regard to sending mail to that user, delivered locally.

sudo adduser USERNAME

But what if you don't want to create a system account for the user? You should have a virtual domain set up that is not configured as a mydestination domain.(Postfix doc)

Add virtual map to main.cf:

sudo postconf -e 'virtual_alias_maps= hash:/etc/postfix/virtual'

Next, we can set up the virtual maps file. Open the file in your text editor:

sudo vim /etc/postfix/virtual

The virtual alias map table uses a very simple format. On the left, you can list any addresses that you wish to accept email for. Afterwards, separated by whitespace, enter the Linux user you’d like that mail delivered to.

For example, if you would like to accept email at contact@DOMAIN.TLD and dev@DOMAIN.TLD and would like to have those emails delivered to the reganto Linux user, you could set up your file like this:

contact@DOMAIN.TLD reganto
dev@DOMAIN.TLD  reganto

After you’ve mapped all of the addresses to the appropriate server accounts, save and close the file.

We can apply the mapping by typing:

sudo postmap /etc/postfix/virtual

Restart the Postfix process to be sure that all of our changes have been applied:

sudo service postfix restart

09 - Creating Email Alias

There are certain required aliases that you should configure when operating your mail server in a production environment. You can add email alias in the /etc/aliases file, which is a special Postfix lookup table file using a Sendmail-compatible format.

sudo vim /etc/aliases

By default, there are only two lines in this file.

# See man 5 aliases for format
postmaster: root
root:   USERNAME

The first line is a comment. The second line is the only definition of an alias in this file. The left-hand side is the alias name. The right-hand side is the final destination of the email message. So emails for postmaster@DOMAIN.TLD will be delivered to root@DOMAIN.TLD. The postmaster email address is required by RFC 2142.

Normally we don’t use the root email address. Instead, the postmaster can use a normal login name to access emails. So you can add the following line. Replace USERNAME with your real username.

This way, emails for postmaster@DOMAIN.TLD will be delivered to username@your-domain.com. Now you can save and close the file. Then rebuild the alias database with the 'newaliases' command

sudo newaliases

10 - sasl_passwd

In the "main.cf" file, there are several hashed files, or Berkeley DB files which will have to be created. Look again at the recommended entries in "main.cf", and you will notice "hash:" in front of these values. For example "hash:/etc/postfix/sasl_passwd".

Below is a sample sasl_passwd file. This will login to smtp.gmail.com with username 'rreganto', using the password 'asdfqwerasacoiap'(Gmail App Password). As of Aug 2008, I noticed that gmail is only accepting connections on port 587.

# Contents of sasl_passwd
[smtp.gmail.com]:587              rreganto@gmail.com:asdfqwerasacoiap

* Get a Gmail App Password for Postfix

* sasl_password should be created in /etc/postfix/

Next, this file must be converted to hash format, with the following command.

postmap /etc/postfix/sasl_passwd

The "postmap" command must be run anytime "sasl_passwd" is changed, because this creates the "sasl_passwd.db" that postfix reads.

After you have done the above command, run this simple "hash" key test.

postmap -q [smtp.gmail.com]:587 sasl_passwd

Output:

rreganto@gmail.com:asdfqwerasacoiap

You'll need to protect your password so that only the postfix group and root can read it by changing the access rights as follows:

chown root.postfix sasl_passwd*

chmod 0640 sasl_passwd*

* Add following lines to main.cf (sasl_passwd configs)

##  SASL Settings

smtpd_sasl_auth_enable = no

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
# smtpd_sasl_application_name = smtpd

11 - generic (Postfix on hosts without a real Internet hostname)

This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names.

Postfix uses the generic address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine.

The following example presents additional configuration.

Add this line to main.cf:

smtp_generic_maps = hash:/etc/postfix/generic

create 'generic' in /etc/postfix/:

sudo vim /etc/postfix/generic

This is my generic:

@mail.reganto.ir    rreganto@gmail.com

Means every local email address from 'mail.reganto.ir' have a valid address 'rreganto@gmail.com'. you can create your own.

Sample generic:

dev@HOSTNAME.LOCAL    ACCOUNT1@ISP.TLD
foo@HOSTNAME.LOCAL    ACCOUNT2@ISP.TLD

Next, this file must be converted to hash format, with the following command.

postmap /etc/postfix/generic

The "postmap" command must be run anytime "generic" is changed, because this creates the "generic.db" that postfix reads.

12 - Transport

Transport is a dispatcher table. this table send local emails to other accounts on machine and send emails to remote via SMTP RELAY.

This is my transport :

# Internal Delivery
mail.reganto.ir   :

# External Delivery
*               smtp:[smtp.gmail.com]:587

Means every email with 'mail.reganto.ir' as hostname send to local and other emails send to 'smtp.gmail.com:587' as smtp relay. please check Postfix doc for more information.

Next, this file must be converted to hash format, with the following command.

postmap /etc/postfix/transport

The "postmap" command must be run anytime "transport" is changed, because this creates the "transport.db" that postfix reads.

13 - Fetchmail

Fetchmail pulls the email down from Google's Gmail, since for a home user with a fake domain and changing IP address their email server will not forward the email.

Again, it is very important to setup fetchmail with some type of encryption. STARTTLS encryption works well, since you have already installed the necessary openssl files. You just need to pickup the necessary keys, and put them in the proper format.

sudo apt-get install fetchmail

14 - Google Gmail Certificates

openssl s_client -connect pop.gmail.com:995 -showcerts

The command above will return the certificate from Google's Gmail. Next, you need to copy the FIRST certificate part, which is everything between the "BEGIN CERTIFICATE" part and "END CERTIFICATE" part, and save this to ~/certs/.certs/ as 'gmail.pem' .(create these folders)

Now you need a ROOT CERTIFICATE. You can use equifax or verisign or globalsign or ...

15 - Certificate of the CA

Equifax :

Equifax Secure CA
=================
MD5 Fingerprint: 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
PEM Data:
-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----

Save this in ~/certs/.certs as equifax.pem

16 - Rehash or Creating Symlinks

Once you have created these files, you will need to run the "c_rehash" command to create the necessary sym-links.

c_rehash ~/certs/.certs

17 - Checking the Certificate

It's possible to check the certificates as with the "openssl s_client" command as follows:

openssl s_client -connect pop.gmail.com:995 -CApath ~/certs/.certs/

The "verify return code: 0 (ok)" indicates the certificate was verified. you MUST have a valid certificate otherwise gmail send back '21' or '2' or '20' code that means the certificate has not been verified.

18 - The Fetchmail config

Fetchmail config for specific put in /home/USERNAME/.fetchmailrc. (for all users /etc/fetchmailrc)

For more infornation about Fetchmail please check Fetchmail Doc. following is a .fetchmailrc sample config:

poll mail.example.com protocol pop3:
     username "elessar" password "lkfhsifvmaksadel" there is "aragorn" here;
     username "mithrandir" password "qwokmnspkiuamjrt" there is "gandalf" here;

* Get a Gmail App Password for Fetchmail

This is my .fetchmailrc:

# Check mail every 600 seconds
set daemon 600 
set syslog
set postmaster reganto
#set bouncemail
# user 'rreganto@gmail.com' with password "uiemjapqkjfutyhr"  is 'reganto' here options ssl sslcertck  sslcertpath '~/certs/.certs' keep    
#
poll pop.gmail.com with proto POP3 and options no dns 
    user 'rreganto@gmail.com' there with password "uiemjapqkjfutyhr"  is 'reganto' here options ssl sslcertck  sslcertpath '/home/reganto/certs/.certs'
    # deliver email to postfix on localhost
    smtphost localhost
# You would use this to by-pass Postfix
# mda '/usr/bin/procmail -d %T'

* Make sure 'smtpd_enforce_tls' is left unset, or is set to no, in the "/etc/postfix/main.cf" file.

* 'set daemon 600' -> The fetchmail binary with run in the background in daemon mod and fetch mail from the server every 600 seconds or 10 minutes. Please do not check more often than every 10 minutes, else google may block or ban you, as that just overloads their systems.

19 - Fetchmail Commands

Below are some of the more common fetchmail commands.

fetchmail -q            # quits fetchmail daemon
fetchmail -v            # start fetchmail daemon in verbose mode
fetchmail -c            # checks for email only
fetchmail -S localhost  # delivers mail to your Postfix server

20 - resources

postfix.org
souptonuts.sourceforge.net/postfix_tutorial.html
linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu
fetchmail.info
other

* Special thanks to Dr. Majid Mousavi

۰ نظر