Postfix is the default Mail Transfer Agent (MTA) in Ubuntu. It attempts to be fast and easy to administer and secure. It is compatible with the MTA sendmail. This section explains how to install and configure postfix. It also explains how to set it up as an SMTP server using a secure connection (for sending emails securely).
To install postfix run the following command:
sudo apt-get install postfix
Simply press return when the installation process asks questions, the configuration will be done in greater detail in the next stage.
To configure postfix, run the following command:
sudo dpkg-reconfigure postfix
The user interface will be displayed. On each screen, select the following values:
-
Internet Site
-
mail.example.com
-
steve
-
mail.example.com, localhost.localdomain, localhost
-
No
-
127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0/24
-
0
-
+
-
all
![[Note]](../../libs/admon/note.png)
|
|
|
Replace mail.example.com with your mail server hostname, 192.168.0/24 with the actual network and class range of your mail server, and steve with the appropriate username. |
Now is a good time to decide which mailbox format you want to use. By default
Postifx will use mbox for the mailbox format.
Rather than editing the configuration file directly,
you can use the postconf command to configure
all postfix parameters. The
configuration parameters will be stored in
/etc/postfix/main.cf file. Later if you
wish to re-configure a particular parameter, you can either
run the command or change it manually in the file.
To configure the mailbox format for Maildir:
sudo postconf -e 'home_mailbox = Maildir/'
|
|
|
|
This will place new mail in /home/username/Maildir so you will need to configure your Mail Delivery Agent (MDA) to use the same path. |
SMTP-AUTH allows a client to identify itself through an authentication mechanism (SASL). Transport Layer Security (TLS) should be used to encrypt the authentication process. Once authenticated the SMTP server will allow the client to relay mail.
-
Configure Postfix for SMTP-AUTH using SASL (Dovecot SASL):
sudo postconf -e 'smtpd_sasl_type = dovecot' sudo postconf -e 'smtpd_sasl_path = private/auth-client' sudo postconf -e 'smtpd_sasl_local_domain =' sudo postconf -e 'smtpd_sasl_security_options = noanonymous' sudo postconf -e 'broken_sasl_auth_clients = yes' sudo postconf -e 'smtpd_sasl_auth_enable = yes' sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' sudo postconf -e 'inet_interfaces = all'
The smtpd_sasl_path configuration is a path relative to the Postfix queue directory.
-
Next, configure the digital certificate for TLS. When asked questions, follow the instructions and answer appropriately:
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 sudo mv smtpd.key /etc/ssl/private/ sudo mv smtpd.crt /etc/ssl/certs/ sudo mv cakey.pem /etc/ssl/private/ sudo mv cacert.pem /etc/ssl/certs/
You can get the digital certificate from a certificate authority. But unlike web clients, SMTP clients rarely complain about "self-signed certificates", so alternatively, you can create the certificate yourself. Refer to the section called “Creating a Self-Signed Certificate” for more details.
-
Configure Postfix to provide TLS encryption for both incoming and outgoing mail:
sudo postconf -e 'smtpd_tls_auth_only = no' sudo postconf -e 'smtp_use_tls = yes' sudo postconf -e 'smtpd_use_tls = yes' sudo postconf -e 'smtp_tls_note_starttls_offer = yes' sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key' sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt' sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' sudo postconf -e 'smtpd_tls_loglevel = 1' sudo postconf -e 'smtpd_tls_received_header = yes' sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s' sudo postconf -e 'tls_random_source = dev:/dev/urandom' sudo postconf -e 'myhostname = mail.example.com'
|
|
|
|
After running all the commands, Postfix is configured for SMTP-AUTH and a self-signed certificate has been created for TLS encryption. |
Now, the file /etc/postfix/main.cf
should look like this.
The postfix initial configuration is complete. Run the following command to restart the postfix daemon:
sudo /etc/init.d/postfix restart
Postfix supports SMTP-AUTH as defined in RFC2554. It is based on SASL. However it is still necessary to set up SASL authentication before you can use SMTP-AUTH.
Postfix supports two SASL implementations Cyrus SASL and Dovecot SASL. To enable Dovecot SASL the dovecot-common package will need to be installed. From a terminal prompt enter the following:
sudo apt-get install dovecot-common
Next you will need to edit /etc/dovecot/dovecot.conf. In the auth default
section uncomment the socket listen option and change the following:
socket listen {
#master {
# Master socket provides access to userdb information. It's typically
# used to give Dovecot's local delivery agent access to userdb so it
# can find mailbox locations.
#path = /var/run/dovecot/auth-master
#mode = 0600
# Default user/group is the one who started dovecot-auth (root)
#user =
#group =
#}
client {
# The client socket is generally safe to export to everyone. Typical use
# is to export it to your SMTP server so it can do SMTP AUTH lookups
# using it.
path = /var/spool/postfix/private/auth-client
mode = 0660
user = postfix
group = postfix
}
}
Once you have Dovecot configured restart it with:
sudo /etc/init.d/dovecot restart
SMTP-AUTH configuration is complete. Now it is time to test the setup.
To see if SMTP-AUTH and TLS work properly, run the following command:
telnet mail.example.com 25
After you have established the connection to the postfix mail server, type:
ehlo mail.example.com
If you see the following lines among others, then everything is working perfectly. Type quit to exit.
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
This section introduces some common ways to determine the cause if problems arise.
The Ubuntu postfix package will by default install into a chroot environment for security reasons. This can add greater complexity when troubleshooting problems.
To turn off the chroot operation locate for the following line in the
/etc/postfix/master.cf configuration file:
smtp inet n - - - - smtpd
and modify it as follows:
smtp inet n - n - - smtpd
You will then need to restart Postfix to use the new configuration. From a terminal prompt enter:
sudo /etc/init.d/postfix restart
Postfix sends all log messages to /var/log/mail.log.
However error and warning messages can sometimes get lost in the normal log output so they are also logged to
/var/log/mail.err and /var/log/mail.warn respectively.
To see messages entered into the logs in real time you can use the tail -f command:
tail -f /var/log/mail.err
The amount of detail that is recorded in the logs can be increased. Below are some configuration options for increasing the log level for some of the areas covered above.
-
To increase TLS activity logging set the smtpd_tls_loglevel option to a value from 1 to 4.
sudo postconf -e 'smtpd_tls_loglevel = 4' -
If you are having trouble sending or receiving mail from a specific domain you can add the domain to the debug_peer_list parameter.
sudo postconf -e 'debug_peer_list = problem.domain' -
You can increase the verbosity of any Postfix daemon process by editing the
/etc/postfix/master.cfand adding a -v after the entry. For example edit the smtp entry:smtp unix - - - - - smtp -v
|
|
|
|
It is important to note that after making one of the logging changes above the Postfix process will need to be reloaded in order to recognize the new configuration: sudo /etc/init.d/postfix reload |
-
To increase the amount of information logged when troubleshooting SASL issues you can set the following options in
/etc/dovecot/dovecot.confauth_debug=yes auth_debug_passwords=yes
|
|
|
|
Just like Postfix if you change a Dovecot configuration the process will need to be reloaded: sudo /etc/init.d/dovecot reload. |
|
|
|
|
Some of the options above can drastically increase the amount of information sent to the log files. Remember to return the log level back to normal after you have corrected the problem. Then reload the appropriate daemon for the new configuration to take affect. |
Administering a Postfix server can be a very complicated task. At some point you may need to turn to the Ubuntu community for more experienced help.
A great place to ask for Postfix assistance, and get involved with the Ubuntu Server community, is the #ubuntu-server IRC channel on freenode. You can also post a message to one of the Web Forums.
For in depth Postfix information Ubuntu developers highly recommend: The Book of Postfix.
Finally, the Postfix website also has great documentation on all the different configuration options available.
