From charlesreid1

This page documents my adventure in setting up a working Postfix mail server that resides on my home server.

Installing

One of my goals was to get a mail server working so that I could send out emails through MediaWiki. In order to get this all working, I had to install several pieces of software.

Postfix

I used the following website to help me get Postfix and Dovecot installed: http://www.mysql-apache-php.com/#mailserver

I used apt to install Postfix:

$ apt-get install postfix postfix-tls

This installs Postfix and, on older Debian releases, the add-on package that gave it TLS support; in current releases TLS is built into the postfix package and postfix-tls is only a transitional package. TLS (wikipedia:Transport Layer Security) is the successor to SSL (wikipedia:Secure Socket Layer), and it is what Postfix uses to encrypt SMTP sessions (see http://www.postfix.org/TLS_README.html).

Next, I needed to install SASL (wikipedia:Simple Authentication and Security Layer), which is used by Postfix as part of authentication (see http://www.postfix.org/SASL_README.html):

$ aptitude search sasl
$ apt-get install sasl2-bin libsasl2-2 libsasl2-modules libsasl2-dev

And just for good measure (see website referenced above):

$ apt-get install popa3d

which is a small POP3 daemon designed for security. Note that popa3d and the dovecot-pop3d package installed below both want TCP port 110, so only one of them can actually run; with Dovecot providing POP3 you can leave popa3d out.

Next, the Postfix configuration file is located at /etc/postfix/main.cf, or in your installation prefix if you installed from source.

Finally, if you want to restart your Postfix server, you can run

$ /etc/init.d/postfix restart

(or the equivalent for wherever your distribution installed the init script; different Linux distros put it in different places).


Dovecot

I installed Dovecot, which is a POP3 and IMAP server. Postfix does the transfer and delivers mail into the mailboxes; Dovecot reads those mailboxes and serves them to clients over POP3 and IMAP.

A really slick way to use this feature is to set up your Gmail to check email from your POP or IMAP server, so you get your domain email delivered directly to your inbox. You can also set up Gmail so that you can send email from your domain email address. If you do this, the POP/IMAP ports have to be reachable from the Internet, so they should accept TLS only (imaps/pop3s, or STARTTLS) rather than plaintext logins.

$ apt-get install dovecot-common dovecot-imapd dovecot-pop3d dovecot-dev

Next, if you want to edit the Dovecot configuration file, it's located at /etc/dovecot/dovecot.conf (this is the Dovecot 1.x layout; 2.x splits the configuration into /etc/dovecot/conf.d/). I changed/added the following lines:

# specify protocols = imap imaps pop3 pop3s
protocols = pop3 imap

# uncomment this and change to no.
# CAUTION: this lets clients send passwords over unencrypted POP3/IMAP.
# Only acceptable if those ports are reachable solely from localhost or
# the LAN; for anything Internet-facing keep it at yes and use TLS.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv

And finally, to restart Dovecot, run

$ /etc/init.d/dovecot restart


SASL Authentication + TLS

This is how you keep the mail server from being used as an open relay by spammers: Postfix requires users to authenticate (via SASL) before it will relay mail to destinations other than your own domains, and TLS keeps those credentials from crossing the wire in plaintext.

The first step is to set up SMTP authentication (using SASL) with Postfix and Dovecot.

In the file /etc/postfix/main.cf:

smtpd_sasl_auth_enable = yes
# get SASL from Dovecot's socket (created below) rather than Cyrus saslauthd
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = yourdomain.com
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

The restriction list is evaluated left to right and stops at the first verdict: clients in mynetworks and clients that have authenticated may relay anywhere; everyone else is rejected unless the recipient is in one of your own domains (reject_unauth_destination). So you still need mynetworks set sensibly (the default is the local subnets), but authenticated users may submit mail from any address. Without reject_unauth_destination, or with a bare permit ahead of it, the server is an open relay.

In the file /etc/dovecot/dovecot.conf (Dovecot 1.x syntax; in 2.x the same thing is a service auth block with a unix_listener for /var/spool/postfix/private/auth, plus separate passdb and userdb blocks):

First, rename the line starting with "auth default" to "auth default2", so the stock block no longer takes effect.

Before that line, put this block, which exposes Dovecot's authentication to Postfix over a socket inside Postfix's queue directory (that is why the socket lives under /var/spool/postfix and is owned by postfix):

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

You'll now have to restart Postfix and Dovecot (with root privileges). Restarting saslauthd is harmless but only matters if Postfix were using Cyrus SASL; with the Dovecot socket above it is not involved:

$ /etc/init.d/saslauthd restart
$ /etc/init.d/postfix restart
$ /etc/init.d/dovecot restart
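Here is an added example (a check script written for this page, not code from the original page or from Postfix): a POSIX shell audit of the main.cf settings from this section. It folds Postfix's continuation lines, reads the effective value of each parameter, and fails if relaying is left open (no reject_unauth_destination before a bare permit), if mynetworks covers the whole Internet, or if inbound SASL is not enabled, not wired to Dovecot via smtpd_sasl_type/smtpd_sasl_path, or allows anonymous logins. The two main.cf files it runs on are constructed samples; on a real host pass /etc/postfix/main.cf.

```shell
#!/bin/sh
# Added example: audit a Postfix main.cf for open-relay and SMTP AUTH
# mistakes. Not from the original page; the sample configs are constructed.

# Flatten main.cf: drop comments/blank lines, join continuation lines
# (a line starting with whitespace continues the previous parameter),
# squeeze whitespace. Output: one "name = value" per line.
flatten_main_cf() {  # flatten_main_cf <main.cf>
    awk '
        function emit(s) {
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            if (s != "") print s
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { cur = cur " " $0; next }
        { emit(cur); cur = $0 }
        END { emit(cur) }
    ' "$1"
}

# Effective value of one parameter (Postfix honours the last assignment
# when a name is repeated). Prints nothing if the parameter is unset.
get_param() {  # get_param <main.cf> <name>
    flatten_main_cf "$1" | awk -v name="$2" '
        { n = $0; sub(/ *=.*$/, "", n)
          if (n == name) { v = $0; sub(/^[^=]*= */, "", v); found = 1 } }
        END { if (found) print v }
    '
}

# Relay policy: Postfix walks the list left to right and stops at the first
# permit/reject verdict, so reject_unauth_destination (or its defer_ variant)
# must come before any unconditional "permit". smtpd_relay_restrictions
# (Postfix >= 2.10) governs relaying when set; older releases only have
# smtpd_recipient_restrictions.
relay_restrictions_ok() {  # relay_restrictions_ok <main.cf>
    list=$(get_param "$1" smtpd_relay_restrictions)
    [ -n "$list" ] || list=$(get_param "$1" smtpd_recipient_restrictions)
    [ -n "$list" ] || return 1
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        case $item in
            reject_unauth_destination|defer_unauth_destination) return 0 ;;
            permit) return 1 ;;
        esac
    done
    return 1
}

# mynetworks: any /0 prefix makes the whole Internet a "trusted" client.
mynetworks_ok() {  # mynetworks_ok <main.cf>
    nets=$(get_param "$1" mynetworks)
    [ -n "$nets" ] || return 0            # unset: Postfix default (local subnets)
    set -f                                # IPv6 entries like [::1]/128 must not glob
    for net in $(printf '%s' "$nets" | tr ',' ' '); do
        case $net in
            */0) set +f; return 1 ;;
        esac
    done
    set +f
    return 0
}

# Inbound SMTP AUTH: enabled, served by Dovecot's socket, no anonymous mechs.
smtpd_sasl_ok() {  # smtpd_sasl_ok <main.cf>
    [ "$(get_param "$1" smtpd_sasl_auth_enable)" = yes ] || return 1
    [ "$(get_param "$1" smtpd_sasl_type)" = dovecot ]   || return 1
    [ -n "$(get_param "$1" smtpd_sasl_path)" ]          || return 1
    opts=$(get_param "$1" smtpd_sasl_security_options)
    [ -n "$opts" ] || opts=noanonymous    # Postfix default when unset
    case " $(printf '%s' "$opts" | tr ',' ' ') " in
        *" noanonymous "*) return 0 ;;
    esac
    return 1
}

# Run all checks; exit status is the number of failed checks.
audit_main_cf() {  # audit_main_cf <main.cf>
    fails=0
    for check in relay_restrictions_ok mynetworks_ok smtpd_sasl_ok; do
        if "$check" "$1"; then echo "PASS $check"
        else echo "FAIL $check"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# --- constructed sample configs (not copied from any real host) ---
SAMPLES=$(mktemp -d)
GOOD_CF=$SAMPLES/good.cf
BAD_CF=$SAMPLES/bad.cf
cat >"$GOOD_CF" <<'EOF'
# what this section of the page ends up with
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
EOF
cat >"$BAD_CF" <<'EOF'
# an open relay: "permit" short-circuits the list, and mynetworks is everyone
mynetworks = 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
smtpd_recipient_restrictions = permit_mynetworks, permit,
    reject_unauth_destination
EOF

audit_main_cf "$GOOD_CF"                       # three PASS lines
audit_main_cf "$BAD_CF" || echo "$? check(s) failed for $BAD_CF"
```

The script reads the file rather than calling postconf so it can run anywhere, including on a copy of the config pulled off a host; on the host itself, `postconf -n` output can be fed in the same way.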

Also remember that you should open up port 25 (or whatever port you end up using for your email server) in your Firewall. (And if you don't have a firewall, GET ONE!!!)

PHP Pear

Pear is a way of extending the functionality of PHP. In my case, I had to install a Pear module named Mail in order to get MediaWiki's mail functionality working. The Mail module depends on a couple of other modules. I ran the following commands to install these:

$ pear install Net_Socket
$ pear install Auth_SASL
$ pear install Net_SMTP
$ pear install Mail

This was using my installed-from-source version of PHP, which was already on my $PATH. You can also use a package manager like aptitude or yum to install PHP and PEAR, e.g. apt-get install php-pear on Debian.

If you set up authentication for your SMTP server (e.g. when you set up Postfix), MediaWiki needs the username and password to hand to Pear Mail. Don't edit the library file (/path/to/php/lib/php/Mail/smtp.php) for this; the credentials go into the $wgSMTP array in LocalSettings.php (host, IDHost, port, auth, username, password), which MediaWiki passes through to Mail's SMTP backend. Keep LocalSettings.php readable by the web server user only, since it now holds a mail password.

Finally, I had to add this to my php.ini file:

; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
sendmail_path = /usr/sbin/sendmail


MediaWiki

You can find mail-related notification settings for LocalSettings.php here: http://www.mediawiki.org/wiki/Manual:Configuration_settings#Email_settings

You can get an extension that requires new users to be confirmed after registering, to prevent random people from creating accounts and vandalizing your wiki: http://www.mediawiki.org/wiki/Extension:ConfirmAccount


Mailman

GNU Mailman is a program for creating and managing mailing lists. I set this up to work with my mail server. Instructions are at the Mailman page.


Relaying Through Gmail

One of the biggest issues with setting up your own mail server is, anyone can do it. That's nice, but also not so nice: it means it's easy for spammers to set up their own mail server and spam the world. So, most email services (Gmail, Yahoo Mail, etc.) will not accept email from IP addresses in residential ranges or on DNS blocklists. That means you'll have a very hard time emailing your buddies at Yahoo and Gmail.

The way around this is to relay your outbound mail through Gmail's submission server (port 587), authenticating with a Gmail account over TLS, so the mail leaves from Google's reputable addresses instead of yours.

I followed this guide: http://souptonuts.sourceforge.net/postfix_tutorial.html

(Except I installed everything through a package manager rather than building everything from source, meaning I skipped to step 3)

And also this guide: http://prantran.blogspot.com/2007/01/getting-postfix-to-work-on-ubuntu-with.html

(This guy is going for the same setup that I am going for)

SSL Certificate

Step Number One is to Create an SSL Certificate.

Once you've created your certificates, you'll have to copy your certificate authority (CA) certificate, your server's private key, and your server certificate (signed by that CA) to some location where Postfix can access them:

$ cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix

You will also need to change the permissions so that no one can steal your private key, etc. The certificates are public and may stay world-readable; the key must be readable by root only:

$ chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
$ chmod 400 /etc/postfix/FOO-key.pem


Postfix User/Group

If you built Postfix from source, create its unprivileged user and the postdrop group (the Debian package does this for you, so skip this step on a packaged install):

$ useradd -M -s /usr/sbin/nologin postfix
$ groupadd postdrop


Transport and SASL and Generic Files

Create a transport file that will route email through another SMTP server (Gmail's server). With relayhost set below this catch-all entry is redundant, since relayhost already sends everything there; a transport map is what you would use to add per-domain exceptions later:

# File /etc/postfix/transport
# When done editing, run 
#   postmap transport
#
# This sends mail to Gmail
*               smtp:[smtp.gmail.com]:587

Next, set the SASL (Gmail) username and password. For a Google account with 2-Step Verification this has to be an app password, not the account password:

# Contents of /etc/postfix/sasl_passwd
# When done editing, run
#   postmap sasl_passwd
#
[smtp.gmail.com]:587             your_username@gmail.com:password

Write the left-hand key exactly as relayhost is written below, brackets and port included; Postfix looks the credentials up by next-hop destination, and a mismatch is a common reason for AUTH silently not happening.

The postmap command compiles each file into an indexed lookup table (sasl_passwd.db for the hash type). This is not a cryptographic hash: the .db holds the password in the clear just like the source file, which is why the glob below has to cover both.

This sasl_passwd file and its .db then need to be protected:

$ chown root.postfix sasl_passwd*
$ chmod 0640 sasl_passwd*

You can also use a "Generic" maps file to map a local address to a Gmail address. For example, the file /etc/postfix/generic might contain:

your_username@yourdomain.com         your_gmail_username@gmail.com

And the postmap command can be run to create the indexed version:

$ postmap /etc/postfix/generic
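An added example (written for this page, not code from the original page or from Postfix): a POSIX shell check that a credential table and whatever postmap built from it are unreadable by other users, the point the chmod/chown above is making. The sample files are constructed, and `cp` stands in for postmap since the example has to run without Postfix installed; on a real host you would run `check_secret_tables /etc/postfix sasl_passwd`.

```shell
#!/bin/sh
# Added example: make sure a Postfix credential table and the indexed file
# postmap derives from it are unreadable by other users.
# Not from the original page; the sample files are constructed.

# 0 if <file> is a regular file whose mode has no bits for "other" and no
# write bit for the group, i.e. 0640 or tighter. Parses ls -ld so it needs
# nothing beyond POSIX: position 6 of the mode string is group-write,
# positions 8-10 are the "other" bits.
secret_file_ok() {  # secret_file_ok <file>
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -rw-r-----
    case $mode in
        -????[!w]?---) return 0 ;;
    esac
    return 1
}

# Check the source table and every derived file (sasl_passwd.db for the
# hash type, sasl_passwd.lmdb for lmdb). The derived file holds the same
# plaintext password as the source, so it needs the same protection.
check_secret_tables() {  # check_secret_tables <dir> <table name>
    rc=0
    for f in "$1/$2" "$1/$2".*; do
        [ -e "$f" ] || continue           # unexpanded glob: no derived file yet
        if secret_file_ok "$f"; then echo "ok     $f"
        else echo "UNSAFE $f (fix: chown root:postfix, chmod 0640)"; rc=1; fi
    done
    return $rc
}

# --- constructed demo directories (cp stands in for postmap's output) ---
DEMO=$(mktemp -d)
mkdir "$DEMO/tight" "$DEMO/leaky"
printf '[smtp.gmail.com]:587 your_username@gmail.com:app-password\n' >"$DEMO/tight/sasl_passwd"
cp "$DEMO/tight/sasl_passwd" "$DEMO/tight/sasl_passwd.db"
chmod 0640 "$DEMO/tight/sasl_passwd" "$DEMO/tight/sasl_passwd.db"
cp "$DEMO/tight/sasl_passwd" "$DEMO/leaky/sasl_passwd"
cp "$DEMO/tight/sasl_passwd" "$DEMO/leaky/sasl_passwd.db"
chmod 0640 "$DEMO/leaky/sasl_passwd"
chmod 0644 "$DEMO/leaky/sasl_passwd.db"   # source locked down, .db forgotten

check_secret_tables "$DEMO/tight" sasl_passwd
check_secret_tables "$DEMO/leaky" sasl_passwd || echo "credentials exposed in $DEMO/leaky"
```

Ownership is deliberately not checked here because the demo runs as whatever user invokes it; on the real host the expected owner is root with group postfix, as in the chown above.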


Main.cf

I was then able to copy, with little modification, the block for main.cf into my main.cf file. (Remember that Postfix takes the last assignment when a parameter appears twice, so anything appended here overrides the same parameter set earlier in the file.)

    ##   Add these lines to the bottom on main.cf
    ##
    ##


    ## TLS Settings
    #
    # For no logs set = 0
    smtp_tls_loglevel = 1
    # 
    # smtp_enforce_tls = yes
    # Above is commented because doing it site by site below.
    # (smtp_use_tls, smtp_enforce_tls and smtp_tls_per_site are the pre-2.3
    # knobs; Postfix 2.3+ prefers smtp_tls_security_level and
    # smtp_tls_policy_maps, but still honours these.)
    smtp_tls_per_site = hash:/etc/postfix/tls_per_site
    #
    # smtp_tls_CAfile is the trust store used to VERIFY the remote server.
    # Your own self-signed CA cannot verify Gmail's certificate; for the MUST
    # entry in tls_per_site to succeed, append the system root bundle (on
    # Debian /etc/ssl/certs/ca-certificates.crt) to this file. It is read
    # before Postfix enters its chroot, so a single file is the simplest.
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
    smtp_tls_key_file = /etc/postfix/FOO-key.pem
    smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
    smtp_use_tls = yes
    # smtpd_* = settings for mail arriving AT this server
    smtpd_tls_CAfile = /etc/postfix/cacert.pem
    smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
    smtpd_tls_key_file = /etc/postfix/FOO-key.pem
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom

    ##  SASL Settings
    # smtpd_sasl_* = authentication of clients connecting TO this server.
    # The original guide sets this to "no"; that would switch off the
    # inbound SMTP AUTH configured in the SASL section above, so keep it on.
    smtpd_sasl_auth_enable = yes
    # smtp_sasl_* = this server authenticating itself to Gmail when relaying
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtpd_sasl_local_domain = $myhostname
    smtp_sasl_security_options = noanonymous
    #smtp_sasl_security_options =
    smtp_sasl_tls_security_options = noanonymous
    smtpd_sasl_application_name = smtpd


    ## Gmail Relay
    relayhost = [smtp.gmail.com]:587
 
    ## Good for Testing
    # sender_bcc_maps = hash:/etc/postfix/bcc_table

    # Disable DNS Lookups
    # Not needed for the relay itself: the brackets around relayhost already
    # suppress the MX lookup. Leave this out unless you have another reason.
    disable_dns_lookups = yes
    #
    # Great New feature Address Mapping 
    #  for example make someone@localhost to someone@gmail.com
    smtp_generic_maps = hash:/etc/postfix/generic
    #
    # Redundant with relayhost (the transport file sends everything there
    # too); useful only if you later add per-domain exceptions.
    transport_maps = hash:/etc/postfix/transport

Verifying It's Gmail

In order to verify you're setting up an encrypted session with Gmail, and not with a man-in-the-middle, you can use the file /etc/postfix/tls_per_site to demand certificate verification. MUST means TLS is mandatory and the server certificate must chain to a CA in smtp_tls_CAfile (or smtp_tls_CApath) and match the hostname; MAY means opportunistic TLS with no verification; MUST_NOPEERMATCH would be mandatory TLS without the hostname check. Verification can only succeed if the CA that issued Gmail's certificate is in your trust store, so a CAfile holding only your own self-signed cacert.pem is not enough: append the system root bundle (on Debian, /etc/ssl/certs/ca-certificates.crt) to it.

    # Contents of /etc/postfix/tls_per_site
    #  After changes run:
    #    postmap /etc/postfix/tls_per_site

    smtp.gmail.com              MUST
    no-certificate-needed.com   MAY

(And as before, this file has to be run through postmap.) When it works, the mail log shows "Verified TLS connection established to smtp.gmail.com..."; "Trusted" there means the chain checked out but the name did not, and "Untrusted" means the chain itself could not be verified.
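An added example (written for this page, not code from the original page or from Postfix): a shell/awk pass over the mail log that tells you whether MUST actually took effect, by classifying Postfix's "Verified / Trusted / Untrusted / Anonymous TLS connection established to ..." lines for the relay and pulling out the reason from any "certificate verification failed for ..." line. The log excerpt below is constructed (RFC 5737 test addresses, a made-up issuer); on a real Debian host point it at /var/log/mail.log.

```shell
#!/bin/sh
# Added example: did Postfix really verify the relay's certificate?
# Not from the original page; the log excerpt is constructed.

# Print "<status> <host>" for every TLS session Postfix logged. The status
# word Postfix uses is one of Verified (chain and name OK), Trusted (chain OK,
# name not matched), Untrusted (chain not verifiable) or Anonymous.
tls_sessions() {  # tls_sessions <mail.log>
    awk '
        / TLS connection established to / {
            status = $0
            sub(/ TLS connection established to .*$/, "", status)
            sub(/^.* /, "", status)                  # last word before the phrase
            host = $0
            sub(/^.* TLS connection established to /, "", host)
            sub(/\[.*$/, "", host)                   # strip [addr]:port and the rest
            print status, host
        }
    ' "$1"
}

# Number of sessions to <relay> that were NOT logged as Verified.
unverified_sessions() {  # unverified_sessions <mail.log> <relay host>
    tls_sessions "$1" | awk -v relay="$2" '
        $2 == relay && $1 != "Verified" { n++ }
        END { print n + 0 }
    '
}

# 0 if every TLS session to <relay> in the log was Verified.
relay_tls_ok() {  # relay_tls_ok <mail.log> <relay host>
    [ "$(unverified_sessions "$1" "$2")" -eq 0 ]
}

# Per-status counts for <relay>, then the reason Postfix gave for each
# verification failure (typically "untrusted issuer ..." when smtp_tls_CAfile
# lacks the public root that signed the relay's certificate).
tls_verification_report() {  # tls_verification_report <mail.log> <relay host>
    tls_sessions "$1" | awk -v relay="$2" '
        $2 == relay { c[$1]++ }
        END { for (s in c) printf "%-10s %d\n", s, c[s] }
    '
    awk -v relay="$2" '
        /certificate verification failed for / {
            host = $0
            sub(/^.*certificate verification failed for /, "", host)
            sub(/\[.*$/, "", host)
            if (host == relay) {
                reason = $0
                sub(/^.*:[0-9]+: /, "", reason)      # drop everything up to ":587: "
                print "verification failure: " reason
            }
        }
    ' "$1"
}

# --- constructed mail.log excerpt (not real traffic) ---
MAILLOG=$(mktemp)
cat >"$MAILLOG" <<'EOF'
Jan  1 10:00:01 mail postfix/smtp[2101]: Verified TLS connection established to smtp.gmail.com[192.0.2.10]:587: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan  1 10:05:12 mail postfix/smtp[2110]: certificate verification failed for smtp.gmail.com[192.0.2.10]:587: untrusted issuer /O=Example CA/CN=Example Root CA
Jan  1 10:05:12 mail postfix/smtp[2110]: Untrusted TLS connection established to smtp.gmail.com[192.0.2.10]:587: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan  1 10:06:00 mail postfix/smtp[2115]: Trusted TLS connection established to smtp.gmail.com[192.0.2.10]:587: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan  1 10:07:00 mail postfix/smtp[2120]: Anonymous TLS connection established to other.example.net[192.0.2.20]:25: TLSv1.2 with cipher ADH-AES256-SHA (256/256 bits)
EOF

tls_verification_report "$MAILLOG" smtp.gmail.com
relay_tls_ok "$MAILLOG" smtp.gmail.com || echo "not every session to the relay was Verified"
```

With MUST in force Postfix defers mail rather than deliver over an unverified session, so on a correctly configured host the report should show only Verified; Untrusted paired with an "untrusted issuer" reason points straight at the CAfile.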



Using a Mail Backup Server

I forgot what I meant to put here.

Using Local Domains From Gmail

This would be, for example, if I wanted to use an email address with @mydomain.com.

(Repeat the above, but use Google Apps addresses for the domain instead of Gmail addresses.)

References

http://www.macos.utah.edu/documentation/system_utilities/superduper_diskutil_and_log_script.html

http://www.mediawiki.org/wiki/Manual:Configuration_settings#Email_settings

http://chris.brandlehner.at/Brandlehner/cab_blog.nsf/d6plinks/DOMO-6KJH4T

http://www.mysql-apache-php.com/#mailserver

http://souptonuts.sourceforge.net/postfix_tutorial.html

http://prantran.blogspot.com/2007/01/getting-postfix-to-work-on-ubuntu-with.html

http://www.google.com/support/forum/p/Google%20Apps/thread?tid=0cce162b213f7e66&hl=en

http://blog.sethladd.com/2007/08/using-gmail-to-relay-email.html

http://www.linuxquestions.org/questions/linux-software-2/postfix-cannot-send-e-mail-186776/

http://www.postfix.org/postconf.5.html

http://en.gentoo-wiki.com/wiki/Mailman_with_Postfix_and_Dovecot