Setup a Mail Server with Postfix and Fetchmail

Last Update: Dec 13 2019

OS: Ubuntu 18.04





Postfix is a mail server, or MTA (Mail Transfer Agent): it accepts messages and delivers them. Postfix was created by Wietse Venema.

Fetchmail is a remote-mail retrieval system: it lets home users who don't have corporate accounts pull mail down from an ISP, or in this case Gmail, to their local Linux box.

01 - Configure the hostname:

To see your hostname:
hostname -f

And to change your hostname:

sudo hostnamectl set-hostname YOURHOSTNAME

02 - Install Postfix:

sudo apt-get update
sudo apt-get install postfix

General type of mail configuration:

  • 'No configuration' -> means the installation process will not configure any parameters.
  • 'Internet Site' -> means using Postfix for sending emails to other MTAs and receiving email from other MTAs.
  • 'Internet with smarthost' -> means using Postfix to receive email from other MTAs, but using another smart host to relay emails to the recipient.
  • 'Satellite system' -> means using a smart host for sending and receiving email.
  • 'Local only' -> means emails are transmitted only between local user accounts.

System mail name:

Next, enter your domain name for the system mail name, i.e. the domain name after the @ symbol. This domain name will be appended to addresses that don't have a domain name specified. Once installed, Postfix will be started automatically and a /etc/postfix/main.cf file will be generated. Now we can check the Postfix version with this command:

sudo postconf mail_version

Postfix ships with many binaries under the /usr/sbin/ directory, as can be seen with the following command.

dpkg -L postfix | grep /usr/sbin/

Output:

/usr/sbin/postalias
/usr/sbin/postcat
/usr/sbin/postconf
/usr/sbin/postdrop
/usr/sbin/postfix
/usr/sbin/postfix-add-filter
/usr/sbin/postfix-add-policy
/usr/sbin/postkick
/usr/sbin/postlock
/usr/sbin/postlog
/usr/sbin/postmap
/usr/sbin/postmulti
/usr/sbin/postqueue
/usr/sbin/postsuper
/usr/sbin/posttls-finger
/usr/sbin/qmqp-sink
/usr/sbin/qmqp-source
/usr/sbin/qshape
/usr/sbin/rmail
/usr/sbin/sendmail
/usr/sbin/smtp-sink
/usr/sbin/smtp-source

Sample Settings:


General type of mail configuration: Internet Site

System mail name: DOMAIN.TLD

Root and postmaster mail recipient: YOURUSERNAME

Other destinations to accept mail for: $myhostname, DOMAIN.TLD, mail.DOMAIN.TLD, localhost.DOMAIN.TLD, localhost

Force synchronous updates on mail queue?: no

Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

Mailbox size limit: 0 (the Ubuntu default, meaning no limit)

Local address extension character: +

Internet protocols to use: all


To reconfigure Postfix:
sudo dpkg-reconfigure postfix
You can find Postfix configs in /etc/postfix/
Postfix main configs: /etc/postfix/main.cf

03 - Open ports in firewall

Ubuntu doesn't enable a firewall by default. If you have enabled the UFW firewall, you need to open ports 25, 587, 465, 143 and 993 with the following commands, so Postfix can receive emails from other SMTP servers. Note that a default Ubuntu Postfix only listens on port 25 (the submission service on 587 and smtps on 465 have to be enabled in /etc/postfix/master.cf), and 143/993 are IMAP ports that only matter if you also run an IMAP server such as Dovecot, which this guide does not install; opening only the ports something actually listens on keeps the exposed surface small.

sudo ufw allow 25/tcp
sudo ufw allow 587/tcp
sudo ufw allow 465/tcp
sudo ufw allow 143/tcp
sudo ufw allow 993/tcp

04 - Checking If Port 25 (outbound) is blocked

telnet localhost 25
If Postfix is listening, you will see messages like the ones below, which indicate that a connection was established. (Hint: type quit and press Enter to close the connection.)
Trying 74.125.68.26...
Connected to localhost
Escape character is '^]'.
220 MAIL.DOMAIN.TLD ESMTP Postfix (Ubuntu)
Connecting to localhost only proves that Postfix is listening on this machine. Whether your ISP or cloud provider blocks outbound port 25, which is common for home and cloud hosts, can only be seen by connecting to an external mail server on port 25.

05 - Generating Certificates:

In the following commands, replace "MAIL.DOMAIN.TLD" with the host name of your own server. File names are case-sensitive on Linux, so spell it the same way in every command.
First generate a private key for the server (supply the key with a password, and don't forget it!):
openssl genrsa -des3 -out MAIL.DOMAIN.TLD.key 2048
Then create a certificate request:
openssl req -new -key MAIL.DOMAIN.TLD.key -out MAIL.DOMAIN.TLD.csr
Fields you must fill:
Enter pass phrase for MAIL.DOMAIN.TLD.key: YOURHOSTNAME
Common Name (eg, YOUR name) []: MAIL.DOMAIN.TLD

* Leave the other fields blank

Create a self-signed certificate:
openssl x509 -req -days 365 -in MAIL.DOMAIN.TLD.csr -signkey MAIL.DOMAIN.TLD.key -out MAIL.DOMAIN.TLD.crt
Now remove the password from the private key (we do this so we don't have to enter a password whenever Postfix restarts; from here on the unencrypted key is protected only by file permissions, which is why it gets chmod 600 below):

openssl rsa -in MAIL.DOMAIN.TLD.key -out MAIL.DOMAIN.TLD.key.nopass
mv MAIL.DOMAIN.TLD.key.nopass MAIL.DOMAIN.TLD.key
Make ourselves a trusted CA (this generates a new key, cakey.pem, and a CA certificate, cacert.pem):
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Fields you must fill:
Enter PEM pass phrase: YOURHOSTNAME (the password for the new cakey.pem, not for MAIL.DOMAIN.TLD.key)
Common Name (eg, YOUR name) []: MAIL.DOMAIN.TLD

* Leave the other fields blank

Note that the server certificate above is self-signed with its own key, not issued by this CA, so other mail servers will not trust either of them; Postfix's opportunistic TLS still encrypts the session, because peers normally do not verify the certificate.


Now we have made ourselves a new set of keys.
The last thing to do is copy the files to a proper location and tell Postfix to use the new key files.
Copy the files into a proper location (as root, or prefix the commands with sudo; /etc/ssl/private is readable by root only):
chmod 600 MAIL.DOMAIN.TLD.key
chmod 600 cakey.pem
mv MAIL.DOMAIN.TLD.key /etc/ssl/private/
mv MAIL.DOMAIN.TLD.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/
Tell Postfix where the keys are and to use TLS:
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/MAIL.DOMAIN.TLD.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/MAIL.DOMAIN.TLD.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = MAIL.DOMAIN.TLD'
You can change settings in /etc/postfix/main.cf 

06 - Postfix main.cf 

My Postfix main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters

# For Server
smtpd_use_tls=yes
smtpd_tls_cert_file=/etc/ssl/certs/mail.reganto.ir.crt
smtpd_tls_key_file=/etc/ssl/private/mail.reganto.ir.key
smtpd_tls_CAfile=/etc/ssl/certs/cacert.pem
smtpd_tls_auth_only=no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# For Client
smtp_use_tls=yes
smtp_tls_cert_file=/etc/ssl/certs/mail.reganto.ir.crt
smtp_tls_key_file=/etc/ssl/private/mail.reganto.ir.key
smtp_tls_CAfile=/etc/ssl/certs/cacert.pem
# smtp_tls_auth_only=no
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
tls_random_source = dev:/dev/urandom

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.reganto.ir
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mail.reganto.ir, reganto.ir, localhost.com, localhost
# relayhost = [smtp.gmail.com]:587
# fallback_relay =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

## SASL Settings
smtpd_sasl_auth_enable = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
# smtpd_sasl_application_name = smtpd

# Disable DNS Lookups
disable_dns_lookups = yes

# Generic Mechanism
smtp_generic_maps = hash:/etc/postfix/generic

# Transport Mechanism
transport_maps = hash:/etc/postfix/transport

# LOG ;)
smtp_tls_loglevel = 8

virtual_alias_maps = hash:/etc/postfix/virtual

# Report troubles to postmaster
error_notice_recipient = postmaster
notify_classes = resource, software

# smtp_tls_per_site = hash:/etc/postfix/smtp_tls_per_site
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_enforce_tls = no
Notice the difference between "smtp" and "smtpd": smtp_* parameters configure Postfix as an SMTP client (outgoing connections, here to Gmail's relay), while smtpd_* parameters configure the SMTP server daemon that accepts connections to this machine.
To find out what the other parameters do, please check the Postfix documentation (postconf(5)).

07 - Install an MUA (Mail User Agent) to Send and Read Email

sudo apt-get install mailutils
To send email, type:
mail USERNAME
To read your own mailbox, run mail with no arguments.

08 - Create a new account on Postfix

The simplest way to add a user is to add a new account on the system; Postfix handles the rest. For example, on my Ubuntu box I'd just create a new user with the following command, and Postfix would do the right thing with regard to delivering mail to that user locally.

sudo adduser USERNAME

But what if you don't want to create a system account for the user? Then you should set up a virtual domain that is not configured as a mydestination domain (Postfix documentation).

Add virtual map to main.cf:
sudo postconf -e 'virtual_alias_maps= hash:/etc/postfix/virtual'
Next, we can set up the virtual maps file. Open the file in your text editor:
sudo vim /etc/postfix/virtual
The virtual alias map table uses a very simple format. On the left, you can list any addresses that you wish to accept email for. Afterwards, separated by whitespace, enter the Linux user you’d like that mail delivered to.

For example, if you would like to accept email at contact@DOMAIN.TLD and dev@DOMAIN.TLD and would like to have those emails delivered to the reganto Linux user, you could set up your file like this:

contact@DOMAIN.TLD reganto
dev@DOMAIN.TLD  reganto

After you’ve mapped all of the addresses to the appropriate server accounts, save and close the file.

We can apply the mapping by typing:
sudo postmap /etc/postfix/virtual
Restart the Postfix process to be sure that all of our changes have been applied:
sudo service postfix restart

09 - Creating Email Alias

There are certain required aliases that you should configure when operating your mail server in a production environment. You can add email alias in the /etc/aliases file, which is a special Postfix lookup table file using a Sendmail-compatible format.

sudo vim /etc/aliases
By default, there are only two lines in this file.
# See man 5 aliases for format
postmaster: root
The first line is a comment. The second line is the only definition of an alias in this file. The left-hand side is the alias name. The right-hand side is the final destination of the email message. So emails for postmaster@DOMAIN.TLD will be delivered to root@DOMAIN.TLD. The postmaster email address is required by RFC 2142.
Normally we don't use the root email address. Instead, the postmaster can use a normal login name to access emails. So you can add the following line. Replace USERNAME with your real username.
root:   USERNAME
This way, emails for postmaster@DOMAIN.TLD will be delivered to USERNAME@DOMAIN.TLD. Now you can save and close the file. Then rebuild the alias database with the 'newaliases' command:
sudo newaliases

10 - sasl_passwd

In the "main.cf" file, several lookup tables are declared as hashed files (Berkeley DB files) which have to be created. Look again at the recommended entries in "main.cf" and you will notice "hash:" in front of these values, for example "hash:/etc/postfix/sasl_passwd".
Below is a sample sasl_passwd file. It will log in to smtp.gmail.com with the username 'rreganto', using the password 'asdfqwerasacoiap' (a Gmail App Password). As of Aug 2008, I noticed that Gmail only accepts connections on port 587.

# Contents of sasl_passwd
[smtp.gmail.com]:587              rreganto@gmail.com:asdfqwerasacoiap
* Get a Gmail App Password for Postfix

* sasl_passwd should be created in /etc/postfix/

Next, this file must be converted to hash format with the following command.
postmap /etc/postfix/sasl_passwd
The "postmap" command must be run any time "sasl_passwd" is changed, because it creates the "sasl_passwd.db" that Postfix reads.
After you have done the above command, run this simple "hash" key test.
postmap -q [smtp.gmail.com]:587 sasl_passwd
Output:
rreganto@gmail.com:asdfqwerasacoiap
You'll need to protect your password so that only root and the postfix group can read it, by changing the access rights as follows (the wildcard matters: the password is stored in clear text in sasl_passwd.db as well):
chown root:postfix sasl_passwd*
chmod 0640 sasl_passwd*

* Add following lines to main.cf (sasl_passwd configs)

##  SASL Settings

smtpd_sasl_auth_enable = no

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
# smtpd_sasl_application_name = smtpd

11 - generic (Postfix on hosts without a real Internet hostname)

This section is for hosts that don't have their own Internet hostname. Typically these are systems that get a dynamic IP address via DHCP or via dialup. Postfix will let you send and receive mail just fine between accounts on a machine with a fantasy name. However, you cannot use a fantasy hostname in your email address when sending mail into the Internet, because no-one would be able to reply to your mail. In fact, more and more sites refuse mail addresses with non-existent domain names.

Postfix uses the generic address mapping to replace local fantasy email addresses by valid Internet addresses. This mapping happens ONLY when mail leaves the machine; not when you send mail between users on the same machine.

The following example presents additional configuration.

Add this line to main.cf:
smtp_generic_maps = hash:/etc/postfix/generic
create 'generic' in /etc/postfix/:
sudo vim /etc/postfix/generic
This is my generic:
@mail.reganto.ir    rreganto@gmail.com
This means that any local address @mail.reganto.ir is rewritten to the valid address 'rreganto@gmail.com' when mail leaves the machine. You can create your own.
Sample generic:
dev@HOSTNAME.LOCAL    ACCOUNT1@ISP.TLD
foo@HOSTNAME.LOCAL    ACCOUNT2@ISP.TLD
Next, this file must be converted to hash format, with the following command.
postmap /etc/postfix/generic
The "postmap" command must be run anytime "generic" is changed, because this creates the "generic.db" that postfix reads.

12 - Transport

Transport is a dispatcher table: it keeps mail for local accounts on this machine and sends everything else to the remote SMTP relay.
This is my transport:
# Internal Delivery
mail.reganto.ir   :

# External Delivery
*               smtp:[smtp.gmail.com]:587

This means every email whose domain is 'mail.reganto.ir' is delivered locally, and all other mail is sent through 'smtp.gmail.com:587' as the SMTP relay. Please check the Postfix documentation (transport(5)) for more information.

Next, this file must be converted to hash format, with the following command.
postmap /etc/postfix/transport
The "postmap" command must be run anytime "transport" is changed, because this creates the "transport.db" that postfix reads.
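The maps created in sections 08, 10, 11 and 12 share two failure modes: editing a table without re-running postmap (Postfix keeps reading the old .db), and leaving the Gmail App Password in sasl_passwd readable by every local user. The script below is an added check, not part of the original tutorial; it assumes the file names used in this guide and defaults to /etc/postfix.

```shell
#!/bin/sh
# Added check (not from the original tutorial): verify that every Postfix
# lookup table this guide creates has been compiled with postmap after its
# last edit, and that the table holding the Gmail App Password is not
# readable by other users. Pass a directory to check a copy; the default
# is /etc/postfix.

check_postfix_maps() {
    dir=${1:-/etc/postfix}
    rc=0
    for name in sasl_passwd generic transport virtual; do
        src="$dir/$name"
        db="$src.db"
        [ -f "$src" ] || continue          # table not used on this host
        if [ ! -f "$db" ]; then
            echo "MISSING: $db (run: postmap $src)"
            rc=1
        elif [ "$src" -nt "$db" ]; then
            echo "STALE: $src is newer than $db (run: postmap $src)"
            rc=1
        fi
    done
    # sasl_passwd and its .db hold the password in clear text: only root
    # and the postfix group may read them (0640 as in the guide).
    for f in "$dir/sasl_passwd" "$dir/sasl_passwd.db"; do
        [ -f "$f" ] || continue
        other=$(ls -ld "$f" | cut -c8-10)   # permission bits for "other"
        if [ "$other" != "---" ]; then
            echo "EXPOSED: $f is accessible to other users (run: chmod 0640 $f)"
            rc=1
        fi
    done
    return $rc
}

# Usage on the mail server:  check_postfix_maps /etc/postfix
```

The function returns 0 when every table is compiled and the credentials file is protected, and 1 with one line per problem otherwise, so it can be run from cron or a deployment script.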

13 - Fetchmail

Fetchmail pulls the email down from Google's Gmail, since for a home user with a fake domain and a changing IP address no mail server will deliver email to the box directly.
Again, it is very important to set up Fetchmail with encryption. TLS works well (on port 995 the POP3 session is encrypted from the start, so no STARTTLS upgrade is needed), and the necessary OpenSSL tools are already installed. You just need to pick up the necessary certificates and put them in the proper format.

sudo apt-get install fetchmail

14 - Google Gmail Certificates

openssl s_client -connect pop.gmail.com:995 -showcerts

The command above prints the certificate chain Google's Gmail server sends. Copy the FIRST certificate, which is everything from its "-----BEGIN CERTIFICATE-----" line to its "-----END CERTIFICATE-----" line inclusive, and save it to ~/certs/.certs/ as 'gmail.pem' (create these folders).

Now you need a ROOT CERTIFICATE. You can use Equifax, VeriSign, GlobalSign or another CA, but it has to be the one that issued the last certificate in the chain shown by the command above (its "i:" line). The Equifax root shown below comes from an older tutorial and expired in 2018, so check which root Gmail's chain currently ends in. On Debian and Ubuntu the ca-certificates package already provides all public roots in /etc/ssl/certs, which fetchmail can use directly as its sslcertpath.

15 - Certificate of the CA 

Equifax :
Equifax Secure CA
=================
MD5 Fingerprint: 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
Save this in ~/certs/.certs as equifax.pem
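Added helper script, not part of the original tutorial: it parses the openssl s_client -showcerts output from section 14 into one PEM file per certificate (cert-1.pem is the server certificate this guide saves as gmail.pem) and prints the issuer of the last certificate in the chain, which is the root CA section 15 asks for. The sample s_client output inside the script is constructed with fake certificate bodies so it runs offline.

```shell
#!/bin/sh
# Added helpers (not part of the original tutorial) for the output of
#   openssl s_client -connect pop.gmail.com:995 -showcerts
# split_showcerts writes each PEM block the server sent to OUTDIR/cert-N.pem
# and prints how many it found; chain_root_issuer prints the issuer of the
# last chain entry, i.e. the root CA you still have to add to ~/certs/.certs.
# Both read the s_client output on stdin.

split_showcerts() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside                          { print > f }
        /^-----END CERTIFICATE-----$/   { inside = 0; close(f) }
        END                             { print n + 0 }
    '
}

chain_root_issuer() {
    # s_client prints " N s:<subject>" / "   i:<issuer>" for each chain entry;
    # the last "i:" line names the root CA that must be trusted locally.
    awk '/^ *i:/ { last = $0 } END { sub(/^ *i:/, "", last); print last }'
}

# Constructed sample of s_client output (fake certificate bodies, not real
# Gmail certificates) so the helpers can be exercised offline.
SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = pop.gmail.com
   i:CN = Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
MIIConstructedLeafCertificateBody
-----END CERTIFICATE-----
 1 s:CN = Constructed Intermediate CA
   i:CN = Constructed Root CA
-----BEGIN CERTIFICATE-----
MIIConstructedIntermediateCertificateBody
-----END CERTIFICATE-----
---
Server certificate'

# Real use (section 14 and 15):
#   openssl s_client -connect pop.gmail.com:995 -showcerts </dev/null \
#       | tee /tmp/gmail-chain.txt | split_showcerts ~/certs/.certs
#   chain_root_issuer < /tmp/gmail-chain.txt
#   cp ~/certs/.certs/cert-1.pem ~/certs/.certs/gmail.pem
```

After the root CA named by chain_root_issuer is saved alongside gmail.pem, continue with c_rehash and the verification in section 17.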

16 - Rehash or Creating Symlinks

Once you have created these files, you will need to run the "c_rehash" command to create the necessary sym-links.
c_rehash ~/certs/.certs

17 - Checking the Certificate

You can check the certificates with the "openssl s_client" command as follows:
openssl s_client -connect pop.gmail.com:995 -CApath ~/certs/.certs/
"Verify return code: 0 (ok)" indicates the certificate was verified. You MUST get a valid verification; otherwise openssl prints a non-zero verify return code such as '21', '2' or '20', which means the certificate chain could not be verified (the code comes from the local OpenSSL verification, not from Gmail), and fetchmail with sslcertck will refuse the connection.

18 - The Fetchmail config

A per-user Fetchmail config goes in /home/USERNAME/.fetchmailrc (for all users: /etc/fetchmailrc). Because it contains passwords, the file must not be readable by other users (chmod 600 ~/.fetchmailrc); fetchmail refuses to run with a more permissive file.
For more information about Fetchmail please check the Fetchmail documentation. The following is a .fetchmailrc sample config:
poll mail.example.com protocol pop3:
     username "elessar" password "lkfhsifvmaksadel" there is "aragorn" here;
     username "mithrandir" password "qwokmnspkiuamjrt" there is "gandalf" here;

* Get a Gmail App Password for Fetchmail

This is my .fetchmailrc:
# Check mail every 600 seconds
set daemon 600 
set syslog
set postmaster reganto
#set bouncemail
# user 'rreganto@gmail.com' with password "uiemjapqkjfutyhr"  is 'reganto' here options ssl sslcertck  sslcertpath '~/certs/.certs' keep    
#
poll pop.gmail.com with proto POP3 and options no dns 
    user 'rreganto@gmail.com' there with password "uiemjapqkjfutyhr"  is 'reganto' here options ssl sslcertck  sslcertpath '/home/reganto/certs/.certs'
    # deliver email to postfix on localhost
    smtphost localhost
# You would use this to by-pass Postfix
# mda '/usr/bin/procmail -d %T'
* Make sure 'smtpd_enforce_tls' is left unset, or set to no, in "/etc/postfix/main.cf"; otherwise Postfix would refuse fetchmail's plain SMTP delivery on localhost.
* 'set daemon 600' -> fetchmail runs in the background in daemon mode and fetches mail from the server every 600 seconds, or 10 minutes. Please do not check more often than every 10 minutes, else Google may block or ban you, as that just overloads their systems.

19 - Fetchmail Commands

Below are some of the more common fetchmail commands.
fetchmail -q            # quits fetchmail daemon
fetchmail -v            # start fetchmail daemon in verbose mode
fetchmail -c            # checks for email only
fetchmail -S localhost  # delivers mail to your Postfix server

20 - Resources

  • postfix.org
  • souptonuts.sourceforge.net/postfix_tutorial.html
  • linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu
  • fetchmail.info
  • other


* Special thanks to Dr. Majid Mousavi
