Email Service (SMTP,IMAP)
I will describe how to use Postfix as an MTA, both locally and on the internet, then Dovecot for IMAP and POP3.
Basically you will do 2 things:
Configure a machine as an SMTP server using Postfix
Configure IMAP or POP3 for client access (connecting remotely)
SMTP Server
Postfix is what's called an MTA, or message transfer agent. That's a server or daemon that runs a process supporting Simple Mail Transfer Protocol (SMTP) communications. When it comes to email, a lot of us use web-based mail now, so we don't see these protocols at all. That's why people don't even think about these things running. But if you configure an email client, you're normally receiving email by using things like POP3 or IMAP4, and when you send email, it is sent using SMTP. MTAs receive the email you're sending and then guide it to its destination. So if it needs to go to Gmail or me.com or AOL or whoever it is that you're emailing, the MTA finds the servers and gets it delivered to the right place. SMTP servers aren't really designed to interact with end users. They're designed to interact with other SMTP servers.
Building an SMTP server with Postfix
Installing the binaries and starting the configuration: sudo DEBIAN_PRIORITY=low apt install postfix
If you want to configure an email server on the internet, you don't want to use the default configuration that comes with sudo apt install postfix, which will result in the server being an open relay.
An open SMTP relay is a server that allows anyone on the internet to send email through it. This is not a desirable configuration because it can be exploited by spammers to send massive amounts of unsolicited email. If your server is an open relay, it can be added to blacklists and your legitimate email may not be delivered. It's important to properly configure your SMTP server to prevent it from becoming an open relay.
Reconfigure the installation:
sudo dpkg-reconfigure postfix
Postfix Configuration
Using its config file:
sudo vim /etc/postfix/main.cf
Or using a command utility:
postconf
If you want to see only the settings that have been overridden:
postconf -n
The next thing is mapping users to email addresses.
We need to define a mapping file. By default we don't have one inside /etc/postfix, so I will create it.
sudo postconf -e 'virtual_alias_maps = hash:/etc/postfix/maps'
Now it knows that there is a mapping file, and I can go and create it:
sudo vim /etc/postfix/maps
taqiyeddine@homelab.lan touk
I need to tell postfix about it :
sudo postmap /etc/postfix/maps
And it is a good idea to restart the service:
sudo systemctl restart postfix
Now I have a functional SMTP server and it can accept emails.
Allow it through the firewall?
sudo ufw allow 25/tcp
or sudo ufw allow postfix
and it will add more needed ports like secure smtp …
SOME CHANGES I HAD TO DO:
I added an MX record for my mail server:
touk@k8snode:/etc/bind$ cat homelab.lan.zone
;
; BIND data file for homelab.lan zone
;
$TTL 604800
@ IN SOA ns1.homelab.lan. admin.homelab.lan. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.homelab.lan.
ns1 IN A 192.168.1.9
; -- Add dns records
web IN A 192.168.1.12
centos IN A 192.168.1.16
site1 IN CNAME web
site2 IN CNAME web
server IN A 192.168.1.5
@ IN MX 10 server.homelab.lan.
sudo systemctl restart bind9
Changing host-name in /etc/postfix/main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = homelab.lan
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, homelab.lan, ubuntu-server, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 172.16.1.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Mail/
virtual_alias_maps = hash:/etc/postfix/maps
sudo systemctl restart postfix
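The open-relay risk described earlier comes down to two parameters in the main.cf listing above, smtpd_relay_restrictions and mynetworks. The script below is an added example, not part of the original page: it checks postconf -n style text for a bare permit ahead of the destination check and for trusted networks outside loopback or private ranges. The function names and both sample configurations are constructed for illustration, and mynetworks is assumed to list CIDR entries inline.

```shell
#!/bin/sh
# Added example, not from the original page: static check of the two
# relay-related parameters in `postconf -n` style text.

# Print the value of parameter $1 from "name = value" text on stdin.
get_param() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Print one finding per line; no output means nothing was flagged.
# The body runs in a subshell so that `set -f` (no globbing of entries
# such as [::1]/128) does not leak into the caller.
audit_relay() (
    set -f
    restr=$(printf '%s\n' "$1" | get_param smtpd_relay_restrictions | tr ',' ' ')
    nets=$(printf '%s\n' "$1" | get_param mynetworks | tr ',' ' ')

    # Restrictions are evaluated left to right: a bare "permit" ahead of
    # the destination check lets any client relay to any domain.
    for r in $restr; do
        case $r in
            reject_unauth_destination|defer_unauth_destination|reject|defer)
                break ;;
            permit)
                echo "open-relay: 'permit' precedes the destination check"
                break ;;
        esac
    done

    # permit_mynetworks trusts every listed range, so each entry should be
    # loopback or a private (RFC 1918) network. IPv6 entries are only
    # checked for a /0 prefix.
    for n in $nets; do
        case $n in
            */0) echo "trusted-net: $n matches every address" ;;
            127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|\[*) ;;
            *) echo "trusted-net: $n is not a loopback or private range" ;;
        esac
    done
)

# Constructed samples: the first repeats the two lines from this page.
PAGE_CONF='smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 172.16.1.0/24'
RISKY_CONF='smtpd_relay_restrictions = permit_mynetworks, permit, reject_unauth_destination
mynetworks = 127.0.0.0/8 0.0.0.0/0 203.0.113.0/24'

echo "page config:";  audit_relay "$PAGE_CONF"
echo "risky config:"; audit_relay "$RISKY_CONF"
```

On a live host the same function can be fed the running configuration with audit_relay "$(postconf -n)".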
One more thing: I have messed with the home_mailbox for Postfix, so you shouldn't do that.
Just comment it out and restart the service and everything will 100% work:
sudo vim /etc/postfix/main.cf
#home_mailbox = Mail/
sudo systemctl restart postfix
I will add another user and check if he can receive mails
As you can see in my sudo cat /etc/postfix/maps
testuser@ubuntu-server:/etc/postfix$ cat /etc/postfix/maps
taqiyeddine@homelab.lan touk
testuser@homelab.lan testuser
touk@ubuntu-server:/etc/postfix$ sudo useradd -m -s /bin/bash testuser
touk@ubuntu-server:/etc/postfix$ sudo passwd testuser
New password:
Retype new password:
passwd: password updated successfully
echo "Hello test user" | mail -s 'to testuser' testuser@homelab.lan
and now :
touk@ubuntu-server:/etc/postfix$ su testuser
Password:
testuser@ubuntu-server:/etc/postfix$ mail
"/var/mail/testuser": 2 messages 2 new
>N 1 touk Sat Sep 2 11:28 14/434 to testuser
TEST IT via the internet:
touk@ubuntu-server:/etc/postfix$ mail -s "this is from postfix" recipo2194@xgh6.com
Cc:
ANOTHER TEEEEST; POSTFIX IS WORKINGGGG

Securing Postfix with TLS
We will use Let’s Encrypt for that!
Let's Encrypt will let you generate a certificate that is publicly trusted, free of charge
sudo apt install certbot
Certbot is a little automated utility that will help us generate a trusted certificate. It can spin up a temporary web server on port 80, and Let's Encrypt can use that temporary web server to validate that I am who I say I am, that I control that domain.
sudo certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d server.homelab.lan
Make sure the DNS record points to your SMTP server, as I am doing on my bind9 server:
touk@k8snode:/etc/bind$ sudo dig server.homelab.lan
; <<>> DiG 9.16.1-Ubuntu <<>> server.homelab.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4260
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 1d332c4ffc55f0d90100000064f30800fad0cd29d4c4147f (good)
;; QUESTION SECTION:
;server.homelab.lan. IN A
;; ANSWER SECTION:
server.homelab.lan. 604800 IN A 192.168.1.5
;; Query time: 0 msec
;; SERVER: 192.168.1.9#53(192.168.1.9)
;; WHEN: Sat Sep 02 03:01:36 PDT 2023
;; MSG SIZE rcvd: 91
Once that's done, it will create a trusted cert for you.
For me, I don't have these certs, because my domain is not registered.
Or you can do this lol:
Register a free domain in No-IP, then point it to the public IP of your home router and do port forwarding to the SMTP server.
touk@ubuntu-server:/etc/postfix$ sudo certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d serversmtp.servehttp.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for serversmtp.servehttp.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/serversmtp.servehttp.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/serversmtp.servehttp.com/privkey.pem
This certificate expires on 2023-12-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: <https://letsencrypt.org/donate>
* Donating to EFF: <https://eff.org/donate-le>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
View the current values:
postconf | grep 'smtpd_tls_cert\|smtpd_tls_key'
Update the values, using the paths Certbot printed for your own domain:
sudo postconf -e 'smtpd_tls_cert_file=/etc/letsencrypt/live/lab.itpro.tv/fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file=/etc/letsencrypt/live/lab.itpro.tv/privkey.pem'
Now encryption is optional between the server and the client: with the security level set to may, the server offers STARTTLS and the client chooses whether to use it.
touk@ubuntu-server:/etc/postfix$ postconf smtpd_tls_security_level
smtpd_tls_security_level = may
You can force it, but that violates the standards and mail might be dropped (if it is an SMTP server on the internet, not on a private network):
sudo postconf -e 'smtpd_tls_security_level=encrypt'
IMAP & POP3
REMOTE EMAIL DELIVERY
We all love the terminal, I am assuming lol,
but I do not like working in the terminal when it comes to receiving and sending emails. I don't want to SSH into the server every time I want to check my mail.
I am going to have my laptop or my phone or something like that retrieve mail from the server.
In order for that to work, we need to install remote email delivery:
sudo apt install dovecot-pop3d dovecot-imapd
Configuring Dovecot for User Access
sudo vim /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
disable_plaintext_auth = no
Adding 'login' will give us basic Linux login.
disable_plaintext_auth controls whether passwords may be sent in plain text over an unencrypted connection. It is set to no here, and we will use TLS instead.
Setting email users location
#mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_location = maildir:~/Maildir
I have commented out the first line and added the default directory.
This will use the Maildir format and store the emails in the Maildir directory in the user's home directory.
Configure Unix Listener
And then one last thing I need to do is to configure a Unix listener. When somebody logs in, they're logging in with their Linux user account. Dovecot expects them to log in with a virtual user account. That's already set up, so I'd be good to go if I went with virtual users. But I'm using real users, so I need to add a couple of extra permissions to make that happen. So I need to go into the 10-master.conf file, which is the master configuration for Dovecot as a whole:
sudo vim 10-master.conf
I'm just going to uncomment that line right there. That's the one that's allowing us to handle that authentication and tie the users together. Now the default configuration is fine, but if you're running Postfix under a dedicated user account, which Ubuntu does by default, then you may need to add two extra lines here. I'm going to say user equals postfix and group equals postfix. And that's letting Dovecot know that the Postfix server is running under its own user account. And so now it knows which user and which group to use when it's dealing with file permissions.
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}
For TLS, as I mentioned, you can configure 10-ssl.conf and add the paths for your certificate and key in ssl_cert and ssl_key inside this file.
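With auth_mechanisms = plain login and disable_plaintext_auth = no, the only thing keeping passwords off the wire in clear text is the TLS configuration in 10-ssl.conf. The following added example (not from the original page) checks doveconf -n style text for that combination, assuming Dovecot 2.3 setting names (ssl, ssl_cert, ssl_key); the function names and the sample settings, including the ssl = yes line, are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: check `doveconf -n` style text
# for settings that let a password cross the network without TLS.

# Print the value of setting $1 from "name = value" text on stdin, or the
# fallback $2 when the setting is absent (doveconf -n omits defaults).
get_setting() {
    v=$(sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1)
    printf '%s\n' "${v:-$2}"
}

# Print one finding per line; no output means nothing was flagged.
audit_dovecot_auth() {
    plain=$(printf '%s\n' "$1" | get_setting disable_plaintext_auth yes)
    ssl=$(printf '%s\n' "$1" | get_setting ssl yes)

    # PLAIN and LOGIN both carry the password itself (base64 is an
    # encoding, not encryption), so TLS has to be forced before login.
    if [ "$plain" = no ] && [ "$ssl" != required ]; then
        echo "cleartext: password logins are accepted before TLS starts"
    fi
    # Dovecot reads a certificate or key file only when the value is '<'
    # followed by the path.
    for name in ssl_cert ssl_key; do
        case $(printf '%s\n' "$1" | get_setting "$name" '') in
            '<'/*) ;;
            *) echo "tls: $name should be '<' followed by an absolute path" ;;
        esac
    done
}

# Constructed samples: the page's auth settings plus the certificate paths
# Certbot reported earlier; only the ssl line differs between the two.
PAGE_DOVECOT='auth_mechanisms = plain login
disable_plaintext_auth = no
ssl = yes
ssl_cert = </etc/letsencrypt/live/serversmtp.servehttp.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/serversmtp.servehttp.com/privkey.pem'
TLS_REQUIRED=$(printf '%s\n' "$PAGE_DOVECOT" | sed 's/^ssl = yes$/ssl = required/')

echo "page settings:";  audit_dovecot_auth "$PAGE_DOVECOT"
echo "ssl = required:"; audit_dovecot_auth "$TLS_REQUIRED"
```

Dovecot treats connections from the server's own address as secured, so a local telnet test to 127.0.0.1 still logs in either way; the difference shows up for remote clients.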
Firewall access
sudo ufw allow "Dovecot POP3"
sudo ufw allow "Dovecot IMAP"
sudo ufw allow "Dovecot Secure IMAP"
sudo ufw allow "Dovecot Secure POP3"
sudo systemctl restart dovecot
This was done because I faced an issue of directory conflict between Postfix using mailbox and Dovecot using Maildir.
touk@ubuntu-server:/etc/dovecot/conf.d$ sudo apt install mb2md
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
mb2md is already the newest version (3.20-9).
0 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
mb2md -s /var/mail/touk -d ~/Maildir
Converting /var/mail/touk to maildir: /home/touk/Maildir
Source Mbox is /var/mail/touk
Target Maildir is /home/touk/Maildir
6 messages.
There is a mismatch between the old directory used by Postfix, which is /var/mail/touk, and the one used by POP3, ~/Maildir, so I need to tell Postfix to use Maildir in /etc/postfix/main.cf:
home_mailbox = Maildir/
sudo systemctl restart postfix
touk@ubuntu-server:~$ echo "this is a test" | mail -s "testing mail directory if its working" touk@ubuntu-server
touk@ubuntu-server:~$ telnet 127.0.0.1 110
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
+OK Dovecot (Ubuntu) ready.
user touk
+OK
pass touk
+OK Logged in.
list
+OK 8 messages:
1 541
2 449
3 2238
4 477
5 466
6 451
7 466
8 469
Testing Dovecot Locally
touk@ubuntu-server:/etc/dovecot/conf.d$ telnet 127.0.0.1 110
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
+OK Dovecot (Ubuntu) ready.
user touk
+OK
pass touk
+OK Logged in.
list
+OK 13 messages:
1 541
2 449
3 2238
4 477
5 466
6 451
7 466
Using ThunderBird



