This tutorial is for mbox mailboxes, which is the default on CentOS. You could use Maildir instead; there are plenty of tutorials on how to do that.
Add your first user and set system mail to go to it:
useradd johnsmith
then add this to /etc/aliases:
root: johnsmith
and run newaliases
This will make all the mail generated by the OS go to this user.
In Postfix configuration files a long line can be split across several lines, as long as each continuation line starts with whitespace.
First you need to remove sendmail and install postfix:
yum erase sendmail
yum install postfix
The following makes /usr/sbin/sendmail work as if sendmail were installed. Technically it creates a symlink to /usr/sbin/sendmail.postfix, which can be used in the same way as sendmail:
alternatives --set mta /usr/sbin/sendmail.postfix
/etc/postfix/master.cf defines the services Postfix runs (protocols and ports). Milters and other per-service options can also be set here:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp       inet  n       -       n       -       80      smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
# the next lines were there in the default CentOS installation, so I leave them there:
#628       inet  n       -       n       -       -       qmqpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
#qmgr      unix  n       -       n       300     1       oqmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
The /etc/postfix/main.cf for this setup:
#queue_directory = /var/spool/postfix
#command_directory = /usr/sbin
#daemon_directory = /usr/libexec/postfix
#mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydestination = $myhostname
mynetworks = 192.168.0.0/24, 127.0.0.0/8
inet_interfaces = all
#inet_protocols = all
inet_protocols = ipv4
relay_domains =
#home_mailbox = mail
virtual_alias_domains = /etc/postfix/local-host-names
virtual_alias_maps = hash:/etc/postfix/virtusertable, hash:/etc/postfix/aliases,
    hash:/etc/postfix/virtual
canonical_maps = hash:/etc/postfix/canonical
# NIS override
alias_maps =
mailbox_command = /usr/bin/procmail
smtpd_helo_required = yes
disable_vrfy_command = yes
#inet_interfaces = 127.0.0.1, 1.1.1.1, 1.1.1.2
mynetworks = 127.0.0.0/8, 1.1.1.1
Add this to your /etc/postfix/main.cf file:
# enable SASL authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
and enable saslauthd service:
/bin/systemctl enable saslauthd.service
/bin/systemctl start saslauthd.service
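The order of the smtpd_recipient_restrictions list above is what keeps the server from being an open relay: an authenticated user or a host in mynetworks is permitted to send anywhere, and everyone else is only accepted for domains this server is responsible for. The following is an added teaching model of that evaluation, not Postfix code and not part of the tutorial. It reuses the tutorial's mydestination, relay_domains and mynetworks values (note that mynetworks is set twice in the main.cf above, and Postfix honours the last definition); the client address 203.0.113.5 and the domain example.org are constructed documentation values.

```python
# Added example, not part of the tutorial: a simplified model of how Postfix
# walks an smtpd_recipient_restrictions list. The three restrictions follow
# their documented behaviour (the first PERMIT/REJECT wins; falling off the
# end of the list permits), but this is a teaching model, not Postfix code.
import ipaddress
from dataclasses import dataclass

# Values from the tutorial's main.cf. mynetworks appears twice in that file;
# Postfix honours the last definition, so 192.168.0.0/24 is NOT in effect.
MYDESTINATION = {"mail.example.com"}
RELAY_DOMAINS = set()            # relay_domains = (empty)
MYNETWORKS = ("127.0.0.0/8", "1.1.1.1")


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    recipient: str               # envelope RCPT TO address


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def permit_sasl_authenticated(s, cfg):
    return "PERMIT" if s.sasl_authenticated else None


def permit_mynetworks(s, cfg):
    return "PERMIT" if in_networks(s.client_ip, cfg["mynetworks"]) else None


def reject_unauth_destination(s, cfg):
    domain = s.recipient.rsplit("@", 1)[-1].lower()
    if domain in cfg["mydestination"] or domain in cfg["relay_domains"]:
        return None              # we are a legitimate destination: keep going
    return "REJECT"


TUTORIAL_RESTRICTIONS = [permit_sasl_authenticated, permit_mynetworks,
                         reject_unauth_destination]
TUTORIAL_CFG = {"mydestination": MYDESTINATION, "relay_domains": RELAY_DOMAINS,
                "mynetworks": MYNETWORKS}


def evaluate(session, restrictions=TUTORIAL_RESTRICTIONS, cfg=TUTORIAL_CFG):
    """Return the verdict of the first restriction that decides; default PERMIT."""
    for restriction in restrictions:
        verdict = restriction(session, cfg)
        if verdict is not None:
            return verdict
    return "PERMIT"


def is_open_relay(restrictions=TUTORIAL_RESTRICTIONS, cfg=TUTORIAL_CFG):
    """Probe: would an unauthenticated stranger be allowed to relay to a third party?
    203.0.113.5 and example.org are constructed documentation values."""
    stranger = Session("203.0.113.5", False, "someone@example.org")
    return evaluate(stranger, restrictions, cfg) == "PERMIT"


if __name__ == "__main__":
    cases = [
        Session("203.0.113.5", False, "johnsmith@mail.example.com"),  # inbound mail
        Session("203.0.113.5", False, "someone@example.org"),          # relay attempt
        Session("203.0.113.5", True, "someone@example.org"),           # authenticated user
        Session("127.0.0.1", False, "someone@example.org"),            # local cron/alias mail
    ]
    for c in cases:
        print(c.client_ip, c.sasl_authenticated, c.recipient, "->", evaluate(c))
    # The same list with an over-broad mynetworks turns into an open relay:
    print("open relay with mynetworks=0.0.0.0/0:",
          is_open_relay(cfg={**TUTORIAL_CFG, "mynetworks": ("0.0.0.0/0",)}))
```

The is_open_relay() probe is the check worth keeping: whenever mynetworks or the restriction list is edited, an unauthenticated outside client sending to a domain you do not host must still come back REJECT.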
If you have a systemd-based OS:
systemctl enable postfix.service
systemctl start postfix.service
First you need to create a certificate.
Edit /etc/pki/tls/openssl.cnf and change the following parameters:
# expire after 20 years
default_days = 7300
countryName_default = BG
stateOrProvinceName_default = Sofia Grad
localityName_default = Sofia
0.organizationName_default = Nicksoft Solutions Ltd
organizationalUnitName_default = Mail Server
Then run:
cd /etc/pki/tls/certs
make postfix.pem DAYS=7300
To check the certificate run:
openssl x509 -noout -in /etc/pki/tls/certs/postfix.pem -text
Add this to your main.cf file:
# TLS parameters
smtpd_tls_cert_file=/etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file=/etc/pki/tls/certs/postfix.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
Then restart postfix:
/bin/systemctl restart postfix.service
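With the master.cf and main.cf pieces in place, the property worth checking is that no smtpd listener offers AUTH on a cleartext session: submission forces STARTTLS with smtpd_tls_security_level=encrypt, smtps uses TLS wrapper mode, and the plain port 25 listener inherits smtpd_tls_auth_only = yes from main.cf. The script below is an added example, not the tutorial's or Postfix's code. It parses master.cf service lines together with the indented "-o name=value" continuation lines, merges each listener's overrides with the main.cf settings (the embedded snippets are the tutorial's own entries, trimmed to the relevant services), and lists listeners where AUTH would be offered without TLS being forced first.

```python
# Added example, not the tutorial's code: parse master.cf (including the
# indented "-o name=value" continuation lines the tutorial relies on), merge
# each smtpd listener's overrides with main.cf, and report listeners that
# offer SMTP AUTH without forcing TLS first.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       80      smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       n       60      1       pickup
"""

# The main.cf settings the tutorial adds in its SASL and TLS sections.
MAIN_CF = {
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_tls_security_level": "may",
    "smtpd_tls_auth_only": "yes",
}

FIELDS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")


def parse_master_cf(text):
    """Return one dict per service line; -o overrides land in entry['options']."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Continuation line: belongs to the most recent service entry.
            if not services:
                raise ValueError("continuation line before any service entry")
            toks = raw.split()
            i = 0
            while i < len(toks):
                if toks[i] == "-o" and i + 1 < len(toks) and "=" in toks[i + 1]:
                    key, val = toks[i + 1].split("=", 1)
                    services[-1]["options"][key] = val
                    i += 2
                else:
                    services[-1]["args"].append(toks[i])
                    i += 1
            continue
        toks = raw.split()
        if len(toks) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        entry = dict(zip(FIELDS, toks[:7]))
        entry["command"] = toks[7]
        entry["args"] = toks[8:]
        entry["options"] = {}
        services.append(entry)
    return services


def auth_without_tls(services, main_cf):
    """Names of inet smtpd listeners where AUTH is offered on a cleartext session."""
    flagged = []
    for s in services:
        if s["type"] != "inet" or s["command"] != "smtpd":
            continue
        eff = {**main_cf, **s["options"]}      # -o overrides win over main.cf
        if eff.get("smtpd_sasl_auth_enable") != "yes":
            continue
        tls_forced = (
            eff.get("smtpd_tls_wrappermode") == "yes"
            or eff.get("smtpd_tls_security_level") == "encrypt"
            or (eff.get("smtpd_tls_auth_only") == "yes"
                and eff.get("smtpd_tls_security_level") in ("may", "encrypt"))
        )
        if not tls_forced:
            flagged.append(s["service"])
    return flagged


if __name__ == "__main__":
    svcs = parse_master_cf(MASTER_CF)
    print("listeners:", [(s["service"], s["type"], s["command"]) for s in svcs])
    print("AUTH without TLS (tutorial main.cf):", auth_without_tls(svcs, MAIN_CF))
    weaker = {k: v for k, v in MAIN_CF.items() if k != "smtpd_tls_auth_only"}
    print("AUTH without TLS (tls_auth_only dropped):", auth_without_tls(svcs, weaker))
```

The second run shows why smtpd_tls_auth_only matters: without it, the port 25 listener inherits smtpd_sasl_auth_enable = yes from main.cf and would advertise AUTH before STARTTLS. On a live server, read the effective values with postconf and postconf -M rather than the raw files, since defaults and overrides from other places also apply.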
First you need to install dovecot:
yum install dovecot
Edit /etc/dovecot/dovecot.conf and uncomment the following lines:
protocols = imap pop3 lmtp
listen = *
Edit /etc/dovecot/conf.d/10-auth.conf and change the auth mechanisms:
auth_mechanisms = plain login
Edit /etc/dovecot/conf.d/10-mail.conf and add/uncomment the following line (on CentOS):
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
Edit /etc/dovecot/conf.d/10-master.conf and switch to postfix auth:
service auth {
  #....
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =
  }

  # Postfix smtp-auth
  # (uncommented, so that Postfix can reach Dovecot's SASL socket at
  # /var/spool/postfix/private/auth, the smtpd_sasl_path set in main.cf)
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  #....
}
Edit /etc/dovecot/conf.d/20-pop3.conf and uncomment/add:
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
Make sure that SSL is required. Edit 10-ssl.conf:
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
By default there should be a dovecot certificate installed in your OS:
openssl x509 -noout -in /etc/pki/dovecot/certs/dovecot.pem -text
However, it's set to expire one year after dovecot was installed. If you are like me and don't want to renew the certificate every year, you can create a new one with a longer validity period. To do that, edit /etc/pki/dovecot/dovecot-openssl.cnf and enter your details in it (country, city etc.). You don't have to, but your mail client will ask you whether you accept the certificate and will show these details to you. You should at least change CN to match your mail server's hostname, or you will get a warning every time you open your mail. If you also change other fields, make sure to uncomment them first. You might also want to raise default_bits to at least 2048 to strengthen the key a bit (the default is 1024). Example:
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=BG
# State or Province Name (full name)
ST="Sofia Grad"
# Locality Name (eg. city)
L="Sofia"
# Organization (eg. company)
O="NickSoft Solutions"
# Organizational Unit Name (eg. section)
OU="IMAP server"
# Common Name (*.example.com is also possible)
CN="mail.apptizer.net"
# E-mail contact
emailAddress="postmaster@nicksoft.com"

[ cert_type ]
nsCertType = server
Technically you can run /usr/libexec/dovecot/mkcert.sh to create the key/certificate, but it'll force 365 days expiry. What I like to do is:
root@example dovecot# openssl req -new -x509 -nodes -config /etc/pki/dovecot/dovecot-openssl.cnf -out /etc/pki/dovecot/certs/dovecot.pem -keyout /etc/pki/dovecot/private/dovecot.pem -days 7300
Generating a 2048 bit RSA private key
.....................................................................................+++
.......+++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----
root@example dovecot# openssl x509 -subject -fingerprint -noout -in /etc/pki/dovecot/certs/dovecot.pem
subject= /C=BG/ST=Sofia Grad/L=Sofia/O=NickSoft Solutions/OU=IMAP server/CN=mail.apptizer.net/emailAddress=postmaster@nicksoft.com
SHA1 Fingerprint=B6:92:A6:5C:4D:36:83:28:08:84:29:5F:82:E1:9F:B6:54:40:44:57
Here -days 7300 is 365 days/year * 20 years.
Now check the certificate:
root@los dovecot# openssl x509 -noout -in /etc/pki/dovecot/certs/dovecot.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: a5:86:76:24:5e:35:e1:a2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BG, ST=Sofia Grad, L=Sofia, O=NickSoft Solutions, OU=IMAP server, CN=mail.apptizer.net/emailAddress=postmaster@nicksoft.com
        Validity
            Not Before: Jan  1 11:10:45 2020 GMT
            Not After : Dec 27 11:10:45 2039 GMT
        Subject: C=BG, ST=Sofia Grad, L=Sofia, O=NickSoft Solutions, OU=IMAP server, CN=mail.apptizer.net/emailAddress=postmaster@nicksoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:e4:bb:82:ba:b8:53:9c:fd:a2:ef:b5:43:d3:
                    61:82:a2:1f:f7:d2:2d:ab:cc:ba:4e:01:4c:c6:20:
                    7c:77:02:eb:0c:9c:e4:0f:81:84:1d:fd:e6:8d:2e:
                    96:a0:08:5e:29:50:a7:51:2f:6a:9e:21:ee:c9:62:
                    82:81:0e:2b:1d:0c:4f:ea:ef:d3:7b:5e:eb:72:d8:
                    b5:6f:91:c9:7e:b6:92:c6:c8:42:2f:29:31:ed:38:
                    a5:85:d3:bf:5d:f6:f9:72:aa:76:b8:f1:20:68:9f:
                    7e:fc:53:2d:df:27:b5:71:b9:19:dd:f1:3f:e4:b8:
                    73:de:d7:aa:99:a2:f6:e2:de:e7:3e:d2:51:21:76:
                    c7:ac:dd:57:d7:08:7e:fd:5f:70:7a:32:8a:cb:b8:
                    c8:95:c3:00:32:08:66:04:65:3a:f9:2b:b1:0c:05:
                    f5:e7:72:c3:2a:bd:41:25:72:3c:4f:db:f6:88:37:
                    76:8f:7f:54:d5:98:91:64:75:3b:d1:9a:66:ad:17:
                    0c:a4:dc:2b:73:c7:67:f5:21:21:86:c7:c0:0b:1b:
                    11:2b:a2:6c:0b:aa:5a:fb:c3:7f:84:96:cb:b3:d5:
                    7b:91:65:ff:2f:26:36:de:cc:47:4a:fd:d4:a4:0c:
                    16:8c:48:c7:c6:c6:06:4e:52:cf:61:c7:05:2e:4f:
                    4c:69
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Server
    Signature Algorithm: sha256WithRSAEncryption
         39:20:48:53:ea:e2:18:96:2b:dd:2d:91:23:e6:b6:f2:ff:7a:
         0f:38:5e:a6:a1:8e:4a:e8:a1:84:56:e6:5a:b6:87:42:0f:ae:
         fc:1f:6c:1b:b3:e6:eb:d2:a4:3a:53:75:61:90:aa:83:73:82:
         0e:6f:6a:ba:57:2f:23:b9:43:98:f9:30:48:c2:94:9c:4f:7b:
         ef:3e:2c:fd:71:32:c2:b4:d6:40:d8:ce:07:d0:84:ce:f7:ee:
         2b:84:39:d5:1b:4d:5c:0e:46:cb:e9:bf:eb:48:05:08:0e:a7:
         f7:30:15:41:a0:2b:37:da:5b:40:61:99:e7:07:d2:a1:b6:c5:
         eb:a2:8c:81:86:5a:0b:f8:92:14:68:b7:46:b8:95:ab:1f:f9:
         6c:48:d0:cf:34:a9:4a:f1:45:e1:5d:a1:10:90:cd:e4:7b:1e:
         b6:1c:52:33:cd:0f:a1:d6:ea:4e:67:58:3a:df:18:8d:6f:5f:
         6b:62:5a:a3:b7:f1:98:a9:8a:21:fa:49:3a:f4:ff:2a:aa:3b:
         cd:c7:43:d8:19:6f:1f:48:01:d9:15:63:30:96:cf:b1:1c:7b:
         97:b3:ad:06:88:5c:b5:35:58:6a:32:0e:09:ae:f9:ff:5f:48:
         bc:40:14:ce:b9:67:2b:03:79:7b:df:2f:5a:cf:e3:eb:80:0f:
         6e:23:c4:31
Then enable and start dovecot:
/bin/systemctl enable dovecot.service
/bin/systemctl start dovecot.service
The problem: you can't authenticate with dovecot, and you see this in the log:
Jan 1 13:25:08 los dovecot: imap(johnsmith): Error: fchown(/home/johnsmith/mail/.imap, group=12(mail)) failed: Operation not permitted (egid=1007(johnsmith), group based on /var/spool/mail/johnsmith - see http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
The cause is that dovecot tries to give its own files (here /home/johnsmith/mail/.imap) the same user/group as your inbox file, /var/spool/mail/johnsmith, which by default on CentOS has mode 660 and group mail. That default is not ideal anyway, because in some cases other users on the same system can read your mail.
So the solution is:
chmod 600 /var/spool/mail/*
The remaining problem is that every new user's spool file will be created with those default permissions again. To avoid that, edit /etc/default/useradd and comment out this line:
#CREATE_MAIL_SPOOL=yes
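A one-off chmod fixes the spools that exist today, but the state can drift back (a restored backup, a tool that recreates the spool, a manually created file). The script below is an added example, not the tutorial's code: it scans a spool directory and reports every mailbox file that is group- or world-accessible (the 660/group mail default, or worse), that is not a plain regular file, or that is owned by a different account than the user it belongs to. demo() runs the check against a constructed temporary directory with a constructed owner table, so it can be tried without touching /var/spool/mail; on a real system call spool_problems("/var/spool/mail") with the default passwd lookup.

```python
# Added example, not part of the tutorial: scan an mbox spool directory for
# files other users could reach. The tutorial's fix is chmod 600; this finds
# spools still at the CentOS default 660/group mail (or more open), entries
# that are not plain regular files, and spools owned by someone other than
# the user they belong to. demo() runs it against a constructed temp dir.
import os
import pwd
import stat
import tempfile


def uid_from_passwd(name):
    """Default owner lookup: the system account with the same name as the spool."""
    return pwd.getpwnam(name).pw_uid


def spool_problems(spool_dir, expected_uid=uid_from_passwd):
    """Return (file name, reason) pairs for every spool file that looks unsafe."""
    problems = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        st = os.lstat(path)                        # lstat: never follow symlinks
        if not stat.S_ISREG(st.st_mode):
            problems.append((name, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append((name, f"mode {mode:04o} is group/world accessible"))
        try:
            want = expected_uid(name)
        except KeyError:
            problems.append((name, "no matching user account"))
            continue
        if st.st_uid != want:
            problems.append((name, f"owned by uid {st.st_uid}, expected {want}"))
    return problems


def demo():
    """Build a constructed spool directory and return spool_problems() for it."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("alice", 0o600), ("bob", 0o644),
                           ("dave", 0o600), ("johnsmith", 0o660)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("From MAILER-DAEMON Wed Jan  1 12:00:00 2020\n")
            os.chmod(path, mode)
        # A symlink where a mailbox should be is flagged as not a regular file.
        os.symlink(os.path.join(d, "alice"), os.path.join(d, "carol"))
        # Constructed owner table: every spool belongs to the current uid except
        # dave's, which we pretend should belong to a different account.
        owners = {"alice": me, "bob": me, "carol": me, "dave": me + 1, "johnsmith": me}
        return spool_problems(d, expected_uid=owners.__getitem__)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Only alice's spool (mode 600, correct owner) passes; the other four are reported. Running this from cron and alerting on a non-empty result catches the regression the useradd change is meant to prevent.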