Ubuntu 9.04 Postfix Install Evaluation
April 21, 2009 Postfix Configuration
One of the newest features of Ubuntu 9.04 is the Postfix Mail Server/Dovecot enhancements to make it easier to set up a mail server. This article is a review of those improvements and a tutorial on how to fix several problems that were experienced.
Before you jump to any conclusions about the new features, it is important to understand the goal of both Ubuntu and the Ubuntu-server team, at least as I understand it. A mail server is one of the most difficult services to set up and manage correctly. Sure, Postfix is easier than some, but there are a lot of issues you must deal with, such as security, configuring anti-virus, spam reduction, and integrating Dovecot, SpamAssassin, amavisd-new, Postfix, SquirrelMail, etc. It is the integration that presents so many issues. That said, the goal seems to be to move in the direction of a one click install to make this all happen.
Here is the claim on the enhanced mail stack:
“In Ubuntu-server team we’ve decided that this should be much easier and, based on experience of our members, created integrated mail stack with safe default setup. This setup won’t solve all mail configuration problems (we don’t setup any antispam and antivirus countermeasures), but it will enable your startup to get working e-mail server out of the box.
So, what’s included? Mail server stack is based on dovecot for IMAP/POP3 protocols and postfix for SMTP. Feature list:
- POP3, IMAP, POP3S, IMAPS
- SMTP, SMTP/TLS
- Maildir storage for e-mails
- SASL authentication (SMTP-AUTH)
- dovecot MDA (mail delivery agent)
- support for sieve scripting
- managesieve protocol for managing sieve scripts on *server* from your *client*, like thunderbird or kmail
- IMAP & POP3 workarounds for buggy clients”
- See the whole blog article: HERE
It is an interesting idea to create a one click install; however, if you are looking at easy mail installs, take a look at Citadel, which is easier and has more features, or Zimbra, which has everything done: a one click install, complete with 10 times the features. The problem with the Ubuntu install is twofold. First, since there is no documentation, you are left with a lot of questions about what was done and what still needs to be done with the install. As you will see below, I have listed the changes to dovecot-postfix.conf and to the main.cf of Postfix. That is a good place to see what changes were made.
Here is a look at the install procedure:
sudo apt-get install dovecot-postfix
The following extra packages will be installed:
dovecot-common dovecot-imapd dovecot-pop3d
The following NEW packages will be installed:
dovecot-common dovecot-imapd dovecot-pop3d dovecot-postfix
Creating config file /etc/dovecot/dovecot-sql.conf with new version
adduser: Warning: The home directory `/usr/lib/dovecot’ does not belong to the user you are currently creating.
You already have ssl certs for dovecot.
Creating config file /etc/dovecot/dovecot-postfix.conf with new version
* Restarting IMAP/POP3 mail server dovecot Error: ssl_cert_file: Can’t use /etc/ssl/certs/ssl-mail.pem: No such file or directory
In fact the file does exist and once I restarted it was OK.
Fatal: Invalid configuration in /etc/dovecot/dovecot-postfix.conf
[fail]
This failure was also fixed with a restart of Dovecot.
Dovecot Did Not Start Correctly
After the install, a check with netstat showed that Postfix was running but Dovecot was not. So I started Dovecot manually with:
/etc/init.d/dovecot start
Now a review of netstat shows it is all running.
# netstat -aunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
Here are the config options set by default for Dovecot. They are found in the /etc/dovecot/dovecot-postfix.conf file and are part of what has been set up by the Ubuntu team. Note that if you do not want all of the protocols listed (imap, pop3, imaps, pop3s and managesieve), just remove the ones you do not want and restart Dovecot and Postfix.
protocols = imap pop3 imaps pop3s managesieve
disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/ssl-mail.pem
ssl_key_file = /etc/ssl/private/ssl-mail.ke
ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
mail_location = maildir:~/Maildir
mail_privileged_group = mail
protocol imap {
mail_max_userip_connections = 10
login_greeting_capability = yes
imap_client_workarounds = outlook-idle delay-newmail
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
mail_max_userip_connections = 3
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol managesieve {
sieve=~/.dovecot.sieve
sieve_storage=~/sieve
}
protocol lda {
postmaster_address = postmaster
mail_plugins = cmusieve
quota_full_tempfail = yes
deliver_log_format = msgid=%m: %$
rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
user = root
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth
mode = 0660
user = postfix
group = postfix
}
}
}
dict {
}
plugin {
}
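Whether removing a protocol from the `protocols` line has actually taken effect can be checked by comparing the config with netstat output. This is an added example, not part of the original article or the Ubuntu package; the function names and the sample netstat text are constructed for illustration. It reports the three cases that matter here: a plain-start protocol (imap, pop3) that is enabled and reachable, one that is enabled but not listening because Dovecot did not start, and one that was removed but is still listening because Dovecot was not restarted.

```python
import re

# Dovecot protocols whose sessions start unencrypted, and their ports.
PLAIN_START = {"pop3": 110, "imap": 143}
LOOPBACK = ("127.", "::1")

# Constructed sample: three lines in the format of the netstat listing above.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
"""

def enabled_protocols(dovecot_conf):
    """Return the names on the top-level 'protocols =' line."""
    for line in dovecot_conf.splitlines():
        m = re.match(r"\s*protocols\s*=\s*([^#]*)", line)
        if m:
            return set(m.group(1).split())
    return set()

def listeners(netstat_output):
    """Map port -> set of bind addresses for TCP sockets in LISTEN state."""
    found = {}
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            found.setdefault(int(port), set()).add(addr)
    return found

def audit(dovecot_conf, netstat_output):
    """Return (protocol, port, status) for each plain-start protocol."""
    protos = enabled_protocols(dovecot_conf)
    ports = listeners(netstat_output)
    report = []
    for name, port in sorted(PLAIN_START.items()):
        addrs = ports.get(port, set())
        exposed = any(not a.startswith(LOOPBACK) for a in addrs)
        if name in protos and not addrs:
            report.append((name, port, "configured, not listening"))
        elif name in protos and exposed:
            report.append((name, port, "exposed"))
        elif exposed:
            report.append((name, port, "removed, still listening"))
    return report

if __name__ == "__main__":
    print(audit("protocols = imaps pop3s managesieve", SAMPLE_NETSTAT))
```

An empty list means neither imap nor pop3 is enabled or reachable from other hosts; a listener bound only to loopback is not reported.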
Postfix Configuration
These are settings that the Ubuntu team has configured to help with setting up the mail server. The major time saver is the TLS setup, so you can have encrypted connections. If TLS is what you want to use, be sure to turn off imap and pop3 so you are forced to use the secure connections.
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA’s job.
append_dot_mydomain = no
# Uncomment the next line to generate “delayed mail” warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = ub904
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = ub904, localhost.localdomain, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
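The relay and TLS settings in the main.cf above can be checked with a short script. This is an added example, not part of the original article or the Ubuntu package; the function names and the sample text are constructed, and it assumes relay control is expressed in smtpd_recipient_restrictions, as it is in this listing.

```python
# Constructed sample: a subset of the main.cf above, with the restriction
# list wrapped onto continuation lines to exercise the parser.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_recipient_restrictions = reject_unknown_sender_domain,
    reject_unauth_pipelining, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""

def parse_main_cf(text):
    """Parse main.cf text into {name: value}; a later setting wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace() and current:      # continuation line
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()

def audit_main_cf(text):
    """Return findings for relay control, AUTH over TLS and protocol choice."""
    p = parse_main_cf(text)
    findings = []
    # Assumption: relay control lives in smtpd_recipient_restrictions.
    rcpt = split_list(p.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in rcpt:
        findings.append("relay: reject_unauth_destination missing")
    elif "permit" in rcpt[:rcpt.index("reject_unauth_destination")]:
        findings.append("relay: bare permit precedes reject_unauth_destination")
    if p.get("smtpd_sasl_auth_enable") == "yes" and p.get("smtpd_tls_auth_only") != "yes":
        findings.append("auth: AUTH allowed without TLS (smtpd_tls_auth_only)")
    if "SSLv3" in split_list(p.get("smtpd_tls_mandatory_protocols", "")):
        findings.append("tls: SSLv3 accepted (deprecated by RFC 7568)")
    return findings

if __name__ == "__main__":
    print(audit_main_cf(SAMPLE_MAIN_CF))
```

On the settings shown in this article the relay and AUTH checks pass and only the SSLv3 entry is reported; SSLv3 was deprecated after the article was written, and `!SSLv2, !SSLv3` is the Postfix syntax for excluding it.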
Summary
If you have set up Postfix with Dovecot and TLS in the past, you will certainly appreciate the work done by the Ubuntu team. This will save you a lot of time making those decisions. On the other hand, there is a lot left to do, and if you are new to mail servers you will be lost initially trying to find the holes. Several things you will need to fix:
1. Send mail to another user instead of root – See Here
2. Check your Relays - See Here
3. Review how the TLS and Dovecot work – See Here
4. Verify your identity settings – See Here
5. Check your Postfix install – See Here
6. Set Up Spamassassin – See Here
7. Set Up Anti-Virus – See Here
Options
8. Multiple Domains – See Here
9. Set Up filters - See Here
10. Send yourself mail stats - See Here
There is certainly a lot left to do but you have a start and it will save you time.

