1-Postfix & Dovcout.md

File metadata and controls

717 lines (667 loc) · 20.1 KB

Part 1

Postfix + Dovecot + OpenDKIM + Roundcube


Introduction

Postfix is a mail transfer agent (MTA), an application used to send and receive email. It can be configured so that only local applications can use it to send email. This is useful when you need to regularly send email notifications from your apps, or have a lot of outbound traffic that a third-party email service provider won't allow. It's also a lighter alternative to running a full-blown SMTP server, while retaining the required functionality.

In this tutorial, you’ll install and configure Postfix as a send-only SMTP server. You’ll also request free TLS certificates from Let’s Encrypt for your domain and encrypt the outbound emails using them.


1. First add the user and group and set permissions:

apt update && apt upgrade -y

Create the mail group and user

sudo mkdir -p /<path to vmail>/vmail/
sudo groupadd -g 5000 vmail
sudo useradd -g vmail -u 5000 vmail -d /<path to vmail>/vmail

Change the mail directory owner

sudo chmod 770 /<path to vmail>/vmail
sudo chown -R vmail:vmail /<path to vmail>/vmail

Check permissions

ls -ld /<path to vmail>/vmail

Output

drwxrwx--- 2 vmail vmail 4096 Jun 24 03:21 /<path to vmail>/vmail

Check UID

id -u vmail

Output

5000

Check GID

id -g vmail

Output

5000

Alternative configuration for adding users (note: GID 5000 is already taken by the vmail group created above, so groupadd will fail if both setups are applied on the same host):

adduser mail
adduser info
usermod -aG sudo mail
groupadd -g 5000 mail
mkdir -p /home/mail
mkdir -p /home/info
chown -R mail:mail /home/mail/
chown -R info:info /home/info/
chmod 775 /home/info/
chmod 755 /home/mail/
usermod info -s /sbin/nologin
usermod mail -s /sbin/nologin

2. Install Postfix

2.1 To install Postfix run the following commands:

sudo apt install zip unzip rar unrar
sudo apt install pyzor razor arj cabextract lzop nomarch p7zip-full rpm2cpio tnef unzip unrar-free zip bzip2 cpio file gzip pax
sudo apt install postfix postfix-mysql
sudo apt-get install postfix-policyd-spf-python
sudo dpkg-reconfigure postfix

2.2 Configuration:

Select Internet Site from the menu, then press TAB to select <Ok>, then ENTER.

The configuration dialog will be displayed. On each screen, select the following values:

  • Internet Site
  • mail.example.com
  • steve
  • mail.example.com, localhost.localdomain, localhost
  • No
  • 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
  • 0
  • +
  • all

2.3 To configure the mailbox format for Maildir (note: use the same path as the Dovecot mail_location setting):

sudo postconf -e 'home_mailbox = /Maildir/'

2.4 Configure TLS (use one of the following options to create a certificate):

1. Generating a Certificate Signing Request (CSR)

openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
openssl req -new -key server.key -out server.csr

You can now submit this CSR file to a CA for processing. The CA will use this CSR to issue the certificate. Alternatively, you can create a self-signed certificate from this CSR.


2. Creating a self-signed certificate

There are several ways to create certificates for encrypting mail:

mkdir -p /etc/certs/private
mkdir -p /etc/certs/certs
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/certs/private/postfix-selfsigned.key -out /etc/certs/certs/postfix-selfsigned.crt
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

3. Use certbot:

apt install certbot
certbot certonly --standalone -d myminio.com --staple-ocsp -m test@yourdomain.io --agree-tos
cp /etc/letsencrypt/live/myminio.com/fullchain.pem /home/user/.minio/certs/public.crt
cp /etc/letsencrypt/live/myminio.com/privkey.pem /home/user/.minio/certs/private.key
sudo chown user:user /home/user/.minio/certs/private.key
sudo chown user:user /home/user/.minio/certs/public.crt

4. acme.sh against an internal ACME CA (the root certificate path comes from the step CLI):

sudo acme.sh --issue --standalone -d foo.internal \
        --server https://ca.internal/acme/acme/directory \
        --ca-bundle $(step path)/certs/root_ca.crt \
        --fullchain-file foo.crt \
        --key-file foo.key

5. Create a wildcard certificate (DNS challenge, manual mode):

certbot certonly --manual \
  --preferred-challenges=dns \
  --email marcin@hotmail.com \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  --manual-public-ip-logging-ok \
  -d "*.domain.com"

6. acme.sh (alternative, standalone mode):

apt update && apt upgrade -y
apt install curl socat -y
curl https://get.acme.sh | sh
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
~/.acme.sh/acme.sh --register-account -m <email Address>
~/.acme.sh/acme.sh --issue -d <domain> --standalone
~/.acme.sh/acme.sh --installcert -d <domain> --key-file /root/private.key --fullchain-file /root/cert.crt

7. Let certbot obtain and install the certificate automatically (Apache plugin):

certbot --apache

8. Create a self-signed PEM file:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

How to create a PEM file from existing certificate files that form a chain:

(optional) Remove the password from the private key:

openssl rsa -in server.key -out nopassword.key

Note: Enter the pass phrase of the private key when prompted. Then combine the private key, public certificate and any third-party intermediate certificate files:

cat nopassword.key > server.pem
cat server.crt >> server.pem

Note: Repeat this step as needed for third-party certificate chain files, bundles, etc.:

cat intermediate.crt >> server.pem

2.5 Set aliases for mail

Change the address that receives root's mail:

vi /etc/aliases

Edit it like this:

postmaster: root
root: yourmail@domain.local

Then rebuild the alias database:

sudo newaliases

2.6 Backup postfix Important files

cp /etc/postfix/main.cf /etc/postfix/main.cf.bk
cp /etc/postfix/master.cf /etc/postfix/master.cf.bk

2.7 main.cf configurations

nano /etc/postfix/main.cf:

Edit main.cf like this and delete extra configurations. Postfix does not support comments after a value: a "#" in the middle of a line becomes part of the value, so keep every comment on its own line.

  • Update these settings and delete extra configurations:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
readme_directory = no
append_dot_mydomain = no
compatibility_level = 3.6

# TLS parameters
# SMTPD TLS configuration for inbound connections
# (use the .crt and .key files created above)
smtpd_tls_cert_file=/etc/ssl/certs/cert.crt
smtpd_tls_key_file=/etc/ssl/private/private.key
smtpd_tls_security_level=may
# smtp_tls_CAfile takes a file; smtp_tls_CApath expects a directory of hashed CA certificates
smtp_tls_CAfile=/etc/cyberredcert/cert.crt
smtp_tls_security_level=may
# Only offer AUTH after STARTTLS, so credentials are never sent in clear text
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
smtpd_tls_received_header = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

# General configuration
myhostname = domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = domain.com, localhost.org, localhost, cyberblue.pro
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = /Maildir/
#home_mailbox = /var/mail/

# TLS parameters
# SMTP TLS configuration for outbound connections
# (use the .crt and .key files created above)
smtp_tls_cert_file=/etc/ssl/certs/cert.crt
smtp_tls_key_file=/etc/ssl/private/private.key
# Note: smtp_tls_auth_only is not a Postfix parameter; the SMTPD-side smtpd_tls_auth_only above is the one that matters
# Enable opportunistic TLS
smtp_tls_security_level = may
# Display TLS information in the e-mail header
smtp_tls_received_header = yes
smtpd_use_tls = yes
mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no
# Enforce TLSv1.3 or TLSv1.2 (a parameter set twice keeps only its last value, so define the protocol lists once)
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
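As an added check that is not part of the original tutorial, the following Python script parses a main.cf text the way Postfix reads it and flags the pitfalls discussed for the block above (a "#" inside a value, a parameter defined twice, a misspelled parameter name, a repeated entry in mydestination). The sample main.cf text is constructed, and the KNOWN_TYPOS table is an assumption that lists only the one misspelling seen on this page.

```python
"""Lint a Postfix main.cf the way Postfix reads it: '#' only starts a comment
at the beginning of a line, a line starting with whitespace continues the
previous value, and when a parameter is set twice the last one wins."""
import re
from typing import Dict, List, Tuple

# Constructed sample reproducing the pitfalls in the block above.
SAMPLE_MAIN_CF = """\
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/cert.crt
smtpd_tls_key_file=/etc/ssl/private/private.key #(it's better that use .crt and .key files)
smtpd_tls_security_level=may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_auth_only = yes
mydestination = domain.com, domain.com,
    localhost
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
"""

# Assumed table of misspellings; only the one this page contains is listed.
KNOWN_TYPOS = {"smtp_tls_auth_only": "smtpd_tls_auth_only"}

def parse_main_cf(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, parameter, value) triples in file order."""
    entries: List[Tuple[int, str, str]] = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment line
        if line[0] in " \t" and entries:
            ln, name, value = entries[-1]
            entries[-1] = (ln, name, f"{value} {stripped}")  # continuation line
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", stripped)
        if m:
            entries.append((no, m.group(1), m.group(2).strip()))
    return entries

def effective_values(text: str) -> Dict[str, str]:
    """The value Postfix actually uses for each parameter (last definition wins)."""
    return {name: value for _, name, value in parse_main_cf(text)}

def lint_main_cf(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding code, message) for each problem found."""
    findings: List[Tuple[int, str, str]] = []
    seen: Dict[str, int] = {}
    for no, name, value in parse_main_cf(text):
        if "#" in value:
            findings.append((no, "trailing-comment", f"{name}: the '#...' text is part of the value"))
        if name in KNOWN_TYPOS:
            findings.append((no, "unknown-parameter", f"{name}: did you mean {KNOWN_TYPOS[name]}?"))
        if name in seen:
            findings.append((no, "duplicate-parameter", f"{name}: overrides line {seen[name]}"))
        seen[name] = no
        if name == "mydestination":
            items = [item.strip() for item in value.split(",")]
            if "" in items or len(items) != len(set(items)):
                findings.append((no, "mydestination", "empty or repeated domain"))
    return findings
```

Run it against the real file with `lint_main_cf(open("/etc/postfix/main.cf").read())`; `postconf -n` then shows the effective values for comparison.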

2.8 master.cf configurations:

nano /etc/postfix/master.cf:
  • Update these settings:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n -   y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
#  -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable smtps for loopback clients only, or for any client.
# The -o lines below must belong to an active service: if both smtps lines stay
# commented out, Postfix reads them as a continuation of the preceding submission
# entry, and smtpd_tls_wrappermode=yes would then break STARTTLS on port 587.
#127.0.0.1:smtps inet n  -       y       -       -       smtpd
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

2.9 Restart and check the configuration:

sudo systemctl restart postfix.service
postfix check
postconf -n
sudo ss -lnpt | grep master

To turn off backwards-compatibility mode (once the log shows no more compatibility warnings), use:

postconf compatibility_level=3.6
postfix reload

3. Dovecot installation:

3.1 Install Dovecot and SASL:

sudo apt-get install dovecot-imapd dovecot-pop3d
sudo apt install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql dovecot-sieve dovecot-managesieved
apt-get install libsasl2-modules
  • Add lmtp, sieve, imap and pop3 to the supported protocols (in /etc/dovecot/dovecot.conf):
protocols = imap pop3 lmtp sieve

3.2 Dovecot SSL configuration

  • Edit /etc/dovecot/conf.d/10-ssl.conf and amend the following lines so that Dovecot uses the custom certificates. Dovecot does not recognize a comment after a value, so keep each comment on its own line:
nano /etc/dovecot/conf.d/10-ssl.conf
# or set to: required
ssl = yes
# use the .crt and .key files created above
ssl_cert = </etc/cyberredcert/cert.crt
ssl_key = </etc/cyberredcert/private.key
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2

3.3 Permit SMTP-AUTH by Outlook clients:

  • Update these settings:
nano /etc/dovecot/conf.d/10-auth.conf
# plain and login are only accepted over TLS
disable_plaintext_auth = yes
auth_username_format = %n
auth_mechanisms = plain login
!include auth-system.conf.ext

3.4 Mail directory location:

nano /etc/dovecot/conf.d/10-mail.conf
  • Update this setting:
mail_location = maildir:~/Maildir
# (same as home_mailbox in the Postfix main.cf file)

3.5 Configure master, lda, lmtp files to enable protocols:

  • Update these settings as follows:
  • Be careful about the syntax. Each opening bracket needs to be paired with a closing bracket.
nano /etc/dovecot/conf.d/10-master.conf 
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }

}

service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

service submission-login {
  inet_listener submission {
    port = 587
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    # 0600 is sufficient here, since user and group are both postfix
    mode = 0666
    user = postfix
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
  • Open the /etc/dovecot/conf.d/15-lda.conf file.
nano /etc/dovecot/conf.d/15-lda.conf 
  • add this config:
protocol lda {
    # Space separated list of plugins to load (default is global mail_plugins).
    mail_plugins = $mail_plugins sieve
}
  • Open the /etc/dovecot/conf.d/20-lmtp.conf file.
nano /etc/dovecot/conf.d/20-lmtp.conf 
  • add this config:
protocol lmtp {
      mail_plugins = quota sieve
}
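As an added example that is not part of the original page: a Python checker for the 10-master.conf block above. It reports sections that are opened but never closed (the pitfall the syntax note warns about) and confirms that the unix_listener sockets match the paths Postfix resolves for mailbox_transport (lmtp:unix:private/dovecot-lmtp) and smtpd_sasl_path (private/auth) under its queue directory. The config sample is constructed and the POSTFIX_SOCKETS table is assumed from the settings on this page.

```python
"""Check a Dovecot 10-master.conf fragment: report unclosed sections and verify
the unix_listener sockets match what Postfix expects under its queue directory."""
from typing import List, Tuple

# Constructed sample with the page's missing '}' after the lmtp service.
SAMPLE_MASTER_CONF = """\
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
"""

POSTFIX_QUEUE_DIR = "/var/spool/postfix"
# Postfix parameter -> socket path relative to queue_directory (values from this page)
POSTFIX_SOCKETS = {"mailbox_transport": "private/dovecot-lmtp",
                   "smtpd_sasl_path": "private/auth"}

def check_braces(text: str) -> List[str]:
    """One message per unclosed block or stray '}'; an empty list means balanced."""
    stack: List[Tuple[int, str]] = []
    problems: List[str] = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith("#"):  # Dovecot comments start a line
            continue
        if code.endswith("{"):
            stack.append((no, code[:-1].strip()))
        elif code == "}":
            if stack:
                stack.pop()
            else:
                problems.append(f"line {no}: '}}' without a matching '{{'")
    for no, name in stack:
        problems.append(f"line {no}: '{name} {{' is never closed")
    return problems

def unix_listeners(text: str) -> List[str]:
    """Socket paths declared with unix_listener, in file order."""
    paths: List[str] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "unix_listener":
            paths.append(parts[1])
    return paths

def postfix_socket_mismatches(text: str) -> List[str]:
    """Postfix parameters whose socket Dovecot never creates."""
    declared = set(unix_listeners(text))
    return [param for param, rel in POSTFIX_SOCKETS.items()
            if f"{POSTFIX_QUEUE_DIR}/{rel}" not in declared]
```

`doveconf -n` fails loudly on the unbalanced file, but this check tells you which block is open, and the socket comparison catches a path that would otherwise only surface as "connect to private/auth: No such file" in the Postfix log.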

3.6 Service restart:

sudo systemctl restart postfix dovecot
sudo ss -lnpt | grep dovecot

3.7 Test your connection ports

The SMTP-AUTH configuration is complete, so now it is time to test the setup. To see if SMTP-AUTH and TLS work properly, run the following commands:

telnet mail.example.com 25
telnet gmail-smtp-in.l.google.com 25

If you see the following in the output, then everything is working. The final 454 Relay access denied reply is the expected result: an unauthenticated client is not allowed to relay to an external domain, which confirms the server is not an open relay. Type quit to exit.

220 cyberred.org ESMTP Postfix (Linux) [308 ms]  
EHLO keeper-us-east-1d.mxtoolbox.com  
250-host.com 
250-PIPELINING  
250-SIZE 10240000  
250-VRFY  
250-ETRN  
250-STARTTLS  
250-ENHANCEDSTATUSCODES  
250-8BITMIME  
250-DSN  
250-SMTPUTF8  
250 CHUNKING [322 ms]  
MAIL FROM:<supertool@mxtoolboxsmtpdiag.com>  
250 2.1.0 Ok [317 ms]
RCPT TO:<test@mxtoolboxsmtpdiag.com>  
454 4.7.1 <test@mxtoolboxsmtpdiag.com>: Relay access denied [307 ms]  
  
LookupServer 4685ms

Continue to Part 2 (DKIM, SPF, DMARC, PTR)