Part 2: Install Dovecot IMAP server on Debian & Enable TLS Encryption

This is part 2 of the tutorial series on building your own secure email server on Debian from scratch. In part 1, we showed you how to set up a basic Postfix SMTP server. In this tutorial, we are going to configure the email server so that we can receive and send emails using a desktop email client like Mozilla Thunderbird or Microsoft Outlook.

  • To be able to send emails using a desktop email client, we need to enable the submission service in Postfix.
  • To receive emails using a desktop email client, we can install an open-source IMAP server named Dovecot on the Debian server.
  • And to encrypt our communications, we can install a free TLS certificate issued by Let’s Encrypt.

Step 1: Open Ports in Firewall

Debian doesn’t enable a firewall by default. If you have enabled the UFW firewall, then you need to run the following command to open the email-related ports in the firewall.

sudo ufw allow 80,443,587,465,143,993/tcp

If you use POP3 to fetch emails (I personally don’t), then also open ports 110 and 995.

sudo ufw allow 110,995/tcp

Step 2: Securing Email Server Traffic with TLS Certificate

When we configure our desktop email clients, it’s always a good idea to enable TLS encryption to prevent hackers from snooping on our emails. We can easily obtain a free TLS certificate from Let’s Encrypt. Issue the following commands to install the Let’s Encrypt client (certbot) on the Debian server from the default software repository.

sudo apt update

sudo apt dist-upgrade

sudo apt install certbot

If you don’t have a web server running yet, I recommend you install one (Apache or Nginx), because it’s easier to obtain and install TLS certificate with a web server than using other methods. And in a later tutorial, I will show you how to set up webmail, which requires running a web server.

If you choose to use Apache web server, you need to install the Apache plugin. (The following command will install Apache web server if it’s not already installed on your system.)

sudo apt install python3-certbot-apache

If you choose to use Nginx web server, then install the Nginx plugin. (The following command will install Nginx web server if it’s not already installed on your system.)

sudo apt install python3-certbot-nginx

Obtaining TLS Certificate with Apache Web Server

We create an Apache virtual host for mail.example.com before obtaining Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/apache2/sites-available/mail.example.com.conf

Then paste the following text into the file.

<VirtualHost *:80>        
        ServerName mail.example.com

        DocumentRoot /var/www/html/
</VirtualHost>

Save and close the file. Enable this virtual host.

sudo a2ensite mail.example.com.conf

Then disable the default virtual host, because it might interfere with other virtual hosts.

sudo a2dissite 000-default

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Once the virtual host is created and enabled, run the following command to obtain Let’s Encrypt TLS certificate.

sudo certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email [email protected] -d mail.example.com

Where:

  • certonly: obtain the TLS certificate but don’t install it in the web server.
  • -a apache: Use the Apache plugin for authentication
  • --agree-tos: Agree to terms of service.
  • --no-eff-email: Don’t receive emails from EFF foundation.
  • --staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS connection.
  • --email: Enter your email address, which is used for important notifications and account recovery.
  • -d: domain, aka your mail server hostname.

Substitute the email address and hostname with your actual data. On success, certbot reports that the certificate was obtained and shows the directory under which your cert is stored.

If there’s a problem when trying to obtain the TLS certificate, please read the following article to learn how to troubleshoot.

Obtaining TLS Certificate with Nginx Web Server

We create an Nginx virtual host for mail.example.com before obtaining Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/nginx/conf.d/mail.example.com.conf

Next, paste the following text into the file.

server {
      listen 80;
      listen [::]:80;
      server_name mail.example.com;

      root /usr/share/nginx/html/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}

Save and close the file. Make sure the /usr/share/nginx/html/ directory exists on your server.

sudo mkdir -p /usr/share/nginx/html/

Reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Once the virtual host is created and enabled, run the following command to obtain Let’s Encrypt certificate with Nginx plugin.

sudo certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email [email protected] -d mail.example.com

Where:

  • certonly: obtain the TLS certificate but don’t install it in the web server.
  • -a nginx: Use the Nginx plugin for authentication
  • --agree-tos: Agree to terms of service.
  • --no-eff-email: Don’t receive emails from EFF foundation.
  • --staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS connection.
  • --email: Enter your email address, which is used for important notifications and account recovery.
  • -d: domain, aka your mail server hostname.

On success, certbot reports that the certificate was obtained and shows the directory under which your cert is stored.

If there’s a problem when trying to obtain the TLS certificate, please read the following article to learn how to troubleshoot.

Step 3: Enable Submission Service in Postfix

To send emails from a desktop email client, we need to enable the submission service of Postfix so that the email client can submit emails to Postfix SMTP server. Edit the master.cf file.

sudo nano /etc/postfix/master.cf

In the submission section, uncomment or add the following lines. Please allow at least one whitespace character (tab or space) before each -o. In Postfix configuration files, leading whitespace means that the line is a continuation of the previous line. (By default the submission section is commented out. You can copy the following lines and paste them into the file, so you don’t have to manually uncomment or add new text.)

submission     inet     n    -    y    -    -    smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

The above configuration enables the submission daemon of Postfix and requires TLS encryption, so later on our desktop email client can connect to the submission daemon over TLS. The submission daemon listens on TCP port 587. STARTTLS is used to encrypt communications between the email client and the submission daemon.

The Microsoft Outlook mail client only supports submission over port 465. If you are going to use Microsoft Outlook, then you also need to enable the submission service on port 465 by adding the following lines to the file.

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

Save and close the file.

Hint: The SMTP protocol is used when an email client submits emails to an SMTP server.
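
The two rules this step depends on, continuation lines and per-service TLS enforcement, can be checked mechanically. The following is an added example, not part of the original tutorial or of Postfix: it parses master.cf text and flags smtpd services that enable SASL authentication without requiring TLS, plus lines that are neither a continuation nor a complete entry. The sample file, including the 10587 entry, is constructed, and main.cf is assumed to set smtpd_tls_security_level=may as this tutorial does.

```python
# Constructed sample: the tutorial's submission and smtps entries (shortened),
# a hypothetical "10587" entry that enables SASL without requiring TLS, and a
# "-o" override that lost its leading whitespace.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
submission     inet     n    -    y    -    -    smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
10587     inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
-o smtpd_tls_security_level=encrypt
"""


def overrides(args):
    """Collect '-o name=value' pairs from a service's command arguments."""
    opts = {}
    it = iter(args)
    for tok in it:
        if tok == "-o":
            tok = next(it, "")
        elif tok.startswith("-o"):
            tok = tok[2:]
        else:
            continue
        name, sep, value = tok.partition("=")
        if sep:
            opts[name] = value
    return opts


def parse_master_cf(text):
    """Return (entries, problems); a line with leading whitespace continues
    the previous logical line, '#' lines and blank lines are ignored."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():
            if entries:
                entries[-1]["args"].extend(stripped.split())
            else:
                problems.append((lineno, "continuation before any service entry"))
            continue
        fields = stripped.split()
        if len(fields) < 8:  # service type private unpriv chroot wakeup maxproc command
            hint = " ('-o' without leading whitespace?)" if fields[0].startswith("-o") else ""
            problems.append((lineno, "not a continuation and not a full entry" + hint))
            continue
        entries.append({"line": lineno, "service": fields[0], "type": fields[1],
                        "command": fields[7], "args": fields[8:]})
    for entry in entries:
        entry["opts"] = overrides(entry["args"])
    return entries, problems


def audit_auth_without_tls(text, main_cf=None):
    """Flag smtpd services where SASL AUTH is enabled but TLS is optional."""
    # Assumption: main.cf defaults as configured in this tutorial.
    main_cf = main_cf or {"smtpd_tls_security_level": "may"}
    entries, problems = parse_master_cf(text)
    findings = []
    for entry in entries:
        if entry["command"] != "smtpd":
            continue
        effective = {**main_cf, **entry["opts"]}
        if effective.get("smtpd_sasl_auth_enable") != "yes":
            continue
        tls_required = (effective.get("smtpd_tls_wrappermode") == "yes"
                        or effective.get("smtpd_tls_security_level") == "encrypt"
                        or effective.get("smtpd_tls_auth_only") == "yes")
        if not tls_required:
            findings.append((entry["line"], entry["service"]))
    return findings, problems


if __name__ == "__main__":
    findings, problems = audit_auth_without_tls(SAMPLE_MASTER_CF)
    for line, service in findings:
        print(f"line {line}: service {service} offers AUTH without mandatory TLS")
    for line, message in problems:
        print(f"line {line}: {message}")
```

Values wrapped in braces with embedded spaces are not handled; the check covers the plain name=value overrides used in this step.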

Next, we need to specify the location of the TLS certificate and private key in the Postfix configuration file. Edit the main.cf file.

sudo nano /etc/postfix/main.cf

Edit the TLS parameters as follows. Remember to replace mail.example.com with your real hostname.

#Enable TLS Encryption when Postfix receives incoming emails
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level=may 
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

#Enable TLS Encryption when Postfix sends outgoing emails
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#Enforce TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Your Let’s Encrypt certificate and private key are stored under /etc/letsencrypt/live/mail.example.com/ directory.

Save and close the file. Then restart Postfix.

sudo systemctl restart postfix

If you run the following command, you will see Postfix is now listening on port 587 and 465.

sudo ss -lnpt | grep master

Step 4: Installing Dovecot IMAP Server

Enter the following command to install Dovecot core package and the IMAP daemon package on Debian server.

sudo apt install dovecot-core dovecot-imapd

If you use POP3 to fetch emails, then also install the dovecot-pop3d package.

sudo apt install dovecot-pop3d

Check Dovecot version:

sudo dovecot --version

Sample output:

2.3.13 (89f716dc2)

Step 5: Enabling IMAP/POP3 Protocol

Edit the main config file.

sudo nano /etc/dovecot/dovecot.conf

Add the following line to enable IMAP protocol.

protocols = imap

If you use POP3 to fetch emails, then also add POP3 protocol.

protocols = imap pop3

Save and close the file.

Step 6: Configuring Mailbox Location

By default, Postfix and Dovecot use mbox format to store emails. Each user’s emails are stored in a single file /var/mail/username. You can run the following command to find the mail spool directory.

sudo postconf mail_spool_directory

Sample output:

mail_spool_directory = /var/mail

However, nowadays you almost always want to use the Maildir format to store email messages. The config file for mailbox location is /etc/dovecot/conf.d/10-mail.conf.

sudo nano /etc/dovecot/conf.d/10-mail.conf

The default configuration uses mbox mail format.

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Change it to the following to make Dovecot use the Maildir format. Email messages will be stored under the Maildir directory under each user’s home directory.

mail_location = maildir:~/Maildir

Save and close the file. Then add dovecot to the mail group so that Dovecot can read the INBOX.

sudo adduser dovecot mail

Step 7: Using Dovecot to Deliver Email to Message Store

Although we configured Dovecot to store emails in Maildir format, by default, Postfix uses its built-in local delivery agent (LDA) to move inbound emails to the message store (inbox, sent, trash, Junk, etc), and it will be saved in mbox format.

We need to configure Postfix to pass incoming emails to Dovecot via the LMTP protocol, which is a simplified version of SMTP, so that incoming emails will be saved in Maildir format by Dovecot. LMTP allows for a highly scalable and reliable mail system. It also allows us to use the sieve plugin to filter inbound messages to different folders.

Install the Dovecot LMTP Server.

sudo apt install dovecot-lmtpd

Edit the Dovecot main configuration file.

sudo nano /etc/dovecot/dovecot.conf

Add lmtp to the supported protocols.

protocols = imap lmtp

Save and close the file. Then edit the Dovecot 10-master.conf file.

sudo nano /etc/dovecot/conf.d/10-master.conf

Change the lmtp service definition to the following. Be careful about the syntax. Each opening bracket needs to be paired with a closing bracket.

service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   mode = 0600
   user = postfix
   group = postfix
  }
}

Save and close the file.

Next, edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following lines at the end of the file. The first line tells Postfix to deliver incoming emails to local message store via the Dovecot LMTP server. The second line disables SMTPUTF8 in Postfix, because Dovecot-LMTP doesn’t support this email extension.

mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no

Save and close the file.

Step 8: Configuring User Authentication Mechanism

Edit the authentication config file.

sudo nano /etc/dovecot/conf.d/10-auth.conf

Uncomment the following line.

disable_plaintext_auth = yes

It will disable plaintext authentication when there’s no SSL/TLS encryption. Then find the following line,

#auth_username_format = %Lu

Uncomment it and change its value to %n.

auth_username_format = %n

By default, when Dovecot tries to find or deliver emails for a user, it uses the full email address. Since in this part, we only set up canonical mailbox users (using OS users as mailbox users), Dovecot can’t find the mailbox user in full domain format ([email protected]), so we need to set auth_username_format = %n to drop the domain part, then Dovecot should be able to find the mailbox user. This also allows us to use the full email address ([email protected]) to log in.

Next, find the following line.

auth_mechanisms = plain

This line only enables the PLAIN authentication mechanism. LOGIN is another authentication mechanism you probably want to add to support older email clients.

auth_mechanisms = plain login

Save and close the file.

Step 9: Configuring SSL/TLS Encryption

Edit SSL/TLS config file.

sudo nano /etc/dovecot/conf.d/10-ssl.conf

Change ssl = yes to ssl = required to enforce encryption.

ssl = required

Then find the following lines.

ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key

By default, Dovecot uses a self-signed TLS certificate. Replace them with the following values, which specify the location of your Let’s Encrypt TLS certificate and private key. Don’t leave out the < character. It’s necessary.

ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

Find the following line.

#ssl_prefer_server_ciphers = no

It’s a good practice to prefer the server’s order of ciphers over client’s. So uncomment this line and change the value to yes.

ssl_prefer_server_ciphers = yes

Then find the following line.

#ssl_min_protocol = TLSv1

Change it to the following to disable insecure SSLv3, TLSv1, and TLSv1.1 protocols.

ssl_min_protocol = TLSv1.2

Save and close the file.

Step 10: Configuring SASL Authentication

Edit the following file.

sudo nano /etc/dovecot/conf.d/10-master.conf

Change service auth section to the following so that Postfix can find the Dovecot authentication server. Please be careful about the syntax. Every opening bracket should be terminated by a closing bracket.

service auth {
    unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
    }
}

Save and close the file.

After you save and close all the above config files, restart Postfix and Dovecot.

sudo systemctl restart postfix dovecot

Dovecot will be listening on port 143 (IMAP) and 993 (IMAPS), as can be seen with:

sudo ss -lnpt | grep dovecot

If there’s a configuration error, dovecot will fail to restart, so it’s a good idea to check if Dovecot is running with the following command.

sudo systemctl status dovecot

Step 11: Configure Desktop Email Client

Now open up your desktop email client such as Mozilla Thunderbird. Go to Edit -> Account Settings -> Account Actions -> Add Mail Account to add a mail account.

  • In the incoming server section, select IMAP protocol, enter mail.your-domain.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter mail.your-domain.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Hint 1: You can also use port 993 with SSL/TLS encryption for IMAP, and use port 465 with SSL/TLS encryption for SMTP. You should NOT use port 25 as the SMTP port in mail clients to submit outgoing emails.

Hint 2: If you use Microsoft 365 Outlook email client, then you shouldn’t enable Secure Password Authentication (SPA), which is a proprietary Microsoft protocol. Your password is already encrypted by TLS.

You should now be able to connect to your own email server and also send and receive emails with your desktop email client!

We use local Unix accounts as email addresses, as we did in part 1. For example, if you have a user named user1 on your Debian server, then you have an email address: [email protected], and the password for the email address is the same password for the user1 user. To create a local Unix account, run

sudo adduser user1

Note: Dovecot doesn’t allow you to log in with the root account. You need to create separate user accounts.

You can list all available mailbox users with:

sudo doveadm user '*'

It’s recommended to restart Dovecot after adding users, so Dovecot can recognize new mailbox users.

sudo systemctl restart dovecot

Troubleshooting Tips

As a rule of thumb, you should always check the mail log (/var/log/mail.log) on your mail server when an error happens. The following is a list of specific errors and troubleshooting tips.

Can’t login from Mail Clients

If you can’t log into your mail server from a desktop mail client, scan your mail server to find if the ports (TCP 587, 465, 143, and 993) are open. Note that you should run the following command from another Linux computer or server. If you run it on your mail server, then the ports will always appear to be open.

sudo nmap mail.example.com

And check if Dovecot is running.

systemctl status dovecot

You can also check the mail log (/var/log/mail.log), which may give you some clues. If Dovecot fails to start, the error might not be logged to the /var/log/mail.log file; in that case, you can run the following command to see what’s wrong.

sudo journalctl -eu dovecot

For example, some folks may have the following error in the journal.

doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-master.conf line 78: Unknown setting

Most of the time, it’s a simple syntax error, like a missing curly bracket. Open the configuration file, go to the specified line and fix the error.
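
The doveconf error names the line where parsing stopped, which is not necessarily the block that is missing its bracket. The following added example (not part of the original tutorial or of Dovecot) walks a config file and reports where an unclosed block was opened and where a service block starts inside another service block. The sample fragment is constructed from the lmtp and auth blocks in Steps 7 and 10, with one closing bracket removed.

```python
import re

# Constructed sample: the unix_listener inside "service lmtp" is closed on
# line 6, but the "service lmtp" block itself never is.
BROKEN_CONF = """\
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660   # readable by the postfix group
    user = postfix
    group = postfix
  }
}
"""

# Same fragment with the missing bracket restored.
FIXED_CONF = BROKEN_CONF.replace(
    "group = postfix\n}\n", "group = postfix\n  }\n}\n", 1)


def check_dovecot_blocks(text):
    """Return a list of (kind, line, related_line) findings.

    kind is one of:
      "nested-service"  - a service block opened at `line` while the service
                          block opened at `related_line` is still open
      "unmatched-close" - a "}" at `line` with no block open
      "unclosed"        - the block opened at `line` is never closed
    """
    stack = []      # (section type, line number where it was opened)
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop comments: '#' at the start of the line or after whitespace.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            else:
                findings.append(("unmatched-close", lineno, None))
        elif line.endswith("{") and "=" not in line:
            # Section header such as "service auth {". Braces inside setting
            # values (for example %{user}) are deliberately not counted.
            header = line[:-1].split()
            kind = header[0] if header else ""
            if kind == "service":
                outer = next((s for s in stack if s[0] == "service"), None)
                if outer:
                    findings.append(("nested-service", lineno, outer[1]))
            stack.append((kind, lineno))
    findings.extend(("unclosed", opened, None) for _, opened in stack)
    return findings


if __name__ == "__main__":
    for kind, line, related in check_dovecot_blocks(BROKEN_CONF):
        extra = f" (outer block opened on line {related})" if related else ""
        print(f"{kind}: line {line}{extra}")
```

On the broken sample both findings point at line 1, the block that is missing its bracket.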

If you find the following error message in the mail log

imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small

Then open the Dovecot TLS configuration file.

sudo nano /etc/dovecot/conf.d/10-ssl.conf

Add the following line in this file.

ssl_dh = </etc/dovecot/dh.pem

Save and close the file. Then generate the DH parameter file with:

sudo openssl dhparam -out /etc/dovecot/dh.pem 4096

Restart Dovecot for the changes to take effect.

Cloudflare DNS

As I said in part 1, if you use Cloudflare DNS service, you should not enable the CDN (proxy) feature when creating DNS A record and AAAA record for the hostname of your mail server. Cloudflare doesn’t support SMTP or IMAP proxy.

Relay Access Denied

If you see the “relay access denied” error when trying to send emails from a mail client, it’s most likely that you use port 25 as the SMTP port in your mail client. As I said a while ago, you should use port 587 or 465 as the SMTP port in mail clients (Mozilla Thunderbird, Microsoft Outlook, etc) to submit outgoing emails. Port 25 should be used for SMTP server to SMTP server communications.

If you see the following “relay access denied” error in the /var/log/mail.log file when trying to send emails from other mail services like Gmail to your own mail server, it’s likely that yourdomain.com is not in the list of $mydestination parameter.

NOQUEUE: reject: RCPT from mail-il1-f180.google.com[209.85.166.180]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-il1-f180.google.com>

You can display the current value of $mydestination with:

postconf mydestination

Some folks might not have the main domain name in the list like so:

mydestination = $myhostname, localhost.$mydomain, localhost

Then run the following command to add the main domain name to the list.

sudo postconf -e "mydestination = example.com, \$myhostname, localhost.\$mydomain, localhost"

Reload Postfix for the changes to take effect.

sudo systemctl reload postfix

User Doesn’t Exist

If you see the following error message in the mail log (/var/log/mail.log), it’s likely that you forgot to set auth_username_format = %n in the /etc/dovecot/conf.d/10-auth.conf file.

mail postfix/lmtp[2256]: 68E00FC1A5: to=, relay=mail.example.com[private/dovecot-lmtp], delay=509, delays=509/0.03/0.03/0.02, dsn=5.1.1, status=bounced (host mail.example.com[private/dovecot-lmtp] said: 550 5.1.1  User doesn't exist: [email protected] (in reply to RCPT TO command))

iOS Mail App

If you use the iOS Mail app to log into your mail server and encounter the “mail server is not responding” error, you can try to fix it by enforcing SSL encryption, for both SMTP and IMAP.

Fun fact: It seems the iOS Mail app has difficulty in supporting STARTTLS on IMAP port 143, but it supports STARTTLS on the submission port 587.

If you encounter the “No password provided” error in the iOS Mail app, it’s likely that you have a typo when entering the username in the Mail account settings, or you didn’t enable SSL in the Mail account settings.

Unable to Receive Email From Gmail, Hotmail, Yahoo Mail, etc

If you can’t receive emails from Gmail, Hotmail, Yahoo Mail, etc, here are the possible causes:

  1. Your MX record is wrong, or not propagated to the Internet yet.
  2. Your mail server hostname doesn’t have DNS A record, or not propagated to the Internet yet.
  3. Your firewall doesn’t allow incoming connection to port 25. Maybe your mail server is behind a NAT?
  4. Postfix isn’t listening on the public IP address.
  5. Check the mail log (/var/log/mail.log) to find out if there are other errors in your Postfix and Dovecot configuration.

You can use the Network Tools Email Checker to test if your SMTP server is reachable from the Internet. Just enter your domain email address and click the Go button. In my case, it successfully found my domain’s MX record and my SMTP server is reachable from the Internet.

If your SMTP server isn’t reachable from the Internet, then you have a problem in the first 4 items. If your SMTP server is reachable from the Internet, but you still can’t receive emails, check the mail log (/var/log/mail.log) to find out if there are any errors in your Postfix and Dovecot configuration.

Step 12: Auto-Renew TLS Certificate

You can create a Cron job to automatically renew the TLS certificate. Simply open the root user’s crontab file.

sudo crontab -e

If you use Apache web server, add the following line at the bottom of the file.

@daily certbot renew --quiet && systemctl reload postfix dovecot apache2

If you are using Nginx web server, then add the following line.

@daily certbot renew --quiet && systemctl reload postfix dovecot nginx

Reloading Postfix, Dovecot and the web server is necessary to make these programs pick up the new certificate and private key.

Step 13: Dovecot Automatic Restart

If for any reason your Dovecot process is killed, you need to run the following command to restart it.

sudo systemctl restart dovecot

Instead of manually typing this command, we can make Dovecot automatically restart by editing the dovecot.service systemd service unit. To override the default systemd service configuration, we create a separate directory.

sudo mkdir -p /etc/systemd/system/dovecot.service.d/

Then create a file under this directory.

sudo nano /etc/systemd/system/dovecot.service.d/restart.conf

Add the following lines in the file, which will make Dovecot automatically restart 5 seconds after a failure is detected.

[Service]
Restart=always
RestartSec=5s

Save and close the file. Then reload systemd for the changes to take effect.

sudo systemctl daemon-reload

To check if this would work, kill Dovecot with:

sudo pkill dovecot

Then check Dovecot status. You will find Dovecot automatically restarted.

systemctl status dovecot

Wrapping Up

I hope this article helped you set up Postfix and Dovecot on Debian server. In part 3, I will show you how to create virtual mailboxes with PostfixAdmin.

If you like to use MariaDB/MySQL database server, then follow this tutorial.

If you like to use PostgreSQL database server, then follow this tutorial.

As always, if you found this post useful, subscribe to our newsletter to get more tips and tricks. Take care 🙂

39 Responses to “Part 2: Install Dovecot IMAP server on Debian & Enable TLS Encryption”

  • T. J. Brumfield
    3 years ago

    How should you set smtpd_tls_cert_file and smtpd_tls_key_file if you have multiple domains on your server?

  • hi
    Is it possible to save user mailbox (MAILBOXDIR) to other server (samba server)? If it is possible, how can config in config file?

  • P. Helmert
    3 years ago

    Great tutorial, when will part 3 be released?

  • Juan Avila
    3 years ago

    Congratulations. Excellent tutorial. A hard task made easy. It worked on my server like a charm. Thanks a lot.

  • Timm Taylor
    3 years ago

    Awesome job. Thank you a lot! Don’t know yet if it works for me, but I can handle debugging myself. Thank you again!

  • Xiao….I just started Part 2 of your e-mail series. I have encountered a problem with the LetsEncrypt SSL cert process. My mail.mydomain.com dns record points to the correct router/public IP address, but that router is not passing port 80. A webserver for WWW.mydomain.com already exists but exists on a different router/public IP address. Thus Certbot fails with an authentication error since it does not get a response from mail.mydomain.com port 80. Is there a work-around?…RDK

    • Xiao Guoan (Admin)
      2 years ago

      Which domain registrar do you use? Some domain registrars support the dns-01 validation in Certbot. dns-01 validation doesn’t require port 80/443.

    • Xiao Guoan (Admin)
      2 years ago

      Hi RDK,

      Cloudflare supports the Certbot dns-01 validation.

      I recommend you migrate your name server to Cloudflare. It’s free. Then you can obtain a Let’s Encrypt certificate without port 80/443.

      The dns-01 validation works by creating a temporary TXT record for your domain to certify that you actually own this domain, so it can bypass TCP port 80 and TCP port 443.

      First, you need to install Certbot DNS plugin.

      sudo apt install python3-certbot-dns-cloudflare

      Then create a configuration file for Cloudflare.

      sudo nano /etc/letsencrypt/cloudflare.ini

      You need to add your Cloudflare account email address and API key in this file like below.

      # Cloudflare API credentials used by Certbot
      dns_cloudflare_email = [email protected]
      dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

      You can find your Cloudflare API key at https://dash.cloudflare.com/profile. Note that the Certbot Cloudflare plugin does not currently support Cloudflare’s API Tokens, so ensure you use the Global API Key for authentication.

      Save and close the file. The API key bypasses two-factor authentication of Cloudflare, so you should only allow root user to read this file.

      sudo chmod 600 /etc/letsencrypt/cloudflare.ini

      Now run certbot.

      sudo certbot --agree-tos -a dns-cloudflare -i nginx --redirect --hsts --staple-ocsp --email [email protected] -d mail.your-domain.com

      In the above command, we specified that we will use dns-cloudflare as the authenticator to obtain new TLS certificate and use the nginx plugin to create the HTTPS server block. If you use Apache, then replace nginx with apache.

      This command will ask you to enter the path of the .ini file, so enter /etc/letsencrypt/cloudflare.ini and press the Enter key.

      If everything went properly, you should be able to obtain the Let’s Encrypt TLS certificate now.

  • Xiao….I’m ok for now as I contacted our router admin and he temporarily opened port 80 for me. While I was waiting I read about the DNS challenge. Very interesting. We have our own Primary DNS server, so, I assume, in principle we should be able to add the Certbot challenge CNAME record??…RDK

  • Thank you for the help Xiao!

    I’ve been struggling with getting dovecot to work. I get

    ● dovecot.service - Dovecot IMAP/POP3 email server
         Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
         Active: failed (Result: exit-code) since Fri 2022-05-20 03:13:58 UTC; 13s ago
           Docs: man:dovecot(1)
                 http://wiki2.dovecot.org/
        Process: 38827 ExecStart=/usr/sbin/dovecot -F (code=exited, status=89)
       Main PID: 38827 (code=exited, status=89)
            CPU: 13ms

    I’ve retraced my steps through the whole process and even fixed a couple of syntax errors but I still receive the same message. Any advice on problem solving?

    • Oh this is the log, I forgot

      May 20 03:25:48 mail.patrickspain.tech systemd[1]: Starting Dovecot IMAP/POP3 email server...
      May 20 03:25:48 mail.patrickspain.tech dovecot[825]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-master.conf line 120: Unknown setting: service { service { service
      May 20 03:25:48 mail.patrickspain.tech systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
      May 20 03:25:48 mail.patrickspain.tech systemd[1]: dovecot.service: Failed with result 'exit-code'.
      May 20 03:25:48 mail.patrickspain.tech systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
    • Xiao Guoan (Admin)
      2 years ago

      You still have syntax errors in the /etc/dovecot/conf.d/10-master.conf file.

      A service {…} block should not contain another service {…} block.

  • First of all thanks a lot for the great tutorial!!

    I build a Mailserver with this tutorial and everything works fine.
    But I want to add a postmulti instance like there is the other tutorial but I don’t get it working :/
    I build a second instance and I am able to telnet mails via port 25
    I don’t get port 587 working on the 2nd instance:/
    just copied the master.cf and main.cf from the first one and edited the values

    master_service_disable =
    myhostname = 
    inet_interfaces =
    

    wanted to add some code but cloudflare is blocking :/

    • i will try to add here step by step
      error log

      May 20 18:34:44 mail postfix/submission/smtpd[2464]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
      May 20 18:34:45 mail postfix/submission/smtpd[2464]: connect from unknown[x.x.x.x]
      May 20 18:34:45 mail postfix/submission/smtpd[2464]: Anonymous TLS connection established from unknown[x.x.x.x]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
      May 20 18:34:45 mail postfix/submission/smtpd[2464]: warning: SASL: Connect to private/auth failed: No such file or directory
      May 20 18:34:45 mail postfix/submission/smtpd[2464]: fatal: no SASL authentication mechanisms
      May 20 18:34:46 mail postfix-mail01/master[1543]: warning: process /usr/lib/postfix/sbin/smtpd pid 2464 exit status 1
      May 20 18:34:46 mail postfix-mail01/master[1543]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
      
    • /etc/postfix-mail01/master.cf

      smtp      inet  n       -       y       -       -       smtpd
      
      submission     inet     n    -    y    -    -    smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_security_level=encrypt
        -o smtpd_tls_wrappermode=no
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth
        
      smtps     inet  n       -       y       -       -       smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth
      
      
    • /etc/postfix-mail01/main.cf

      # TLS parameters
      #Enable TLS Encryption when Postfix receives incoming emails
      smtpd_tls_cert_file=/etc/letsencrypt/live/mail.blabla.de/fullchain.pem
      smtpd_tls_key_file=/etc/letsencrypt/live/mail.blabla.de/privkey.pem
      smtpd_tls_security_level=may
      smtpd_tls_loglevel = 1
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      
      #Enable TLS Encryption when Postfix sends outgoing emails
      smtp_tls_CApath=/etc/ssl/certs
      smtp_tls_security_level = may
      smtp_tls_loglevel = 1
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      
      #Enforce TLSv1.3 or TLSv1.2
      smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
      smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
      smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
      smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
      
      smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
      
      mailbox_transport = lmtp:unix:private/dovecot-lmtp
      smtputf8_enable = no
      
      
      virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
      virtual_mailbox_maps =
         proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
         proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
      virtual_alias_maps =
         proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
         proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
         proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
      
      virtual_transport = lmtp:unix:private/dovecot-lmtp
      
      
      virtual_mailbox_base = /var/vmail
      virtual_minimum_uid = 2000
      virtual_uid_maps = static:2000
      virtual_gid_maps = static:2000
      
      
      # Milter configuration
      milter_default_action = accept
      milter_protocol = 6
      
    • /etc/dovecot/conf.d/10-auth.conf

      disable_plaintext_auth = yes
      auth_username_format = %u
      auth_mechanisms = plain login
      !include auth-sql.conf.ext
      auth_debug = yes
      auth_debug_passwords = yes
      
    • Xiao Guoan (Admin)
      2 years ago

      If you see the following error in the mail log (/var/log/mail.log)

      postfix/submission/smtpd[4125]: warning: SASL: Connect to private/auth failed: No such file or directory
      postfix/submission/smtpd[4125]: fatal: no SASL authentication mechanisms
      

      This means you didn’t add a new unix_listener for the postfix-smtp1 instance in the Dovecot 10-master.conf file, or you forgot to restart Dovecot.

      Can you post a screenshot of your Dovecot 10-master.conf file?

    • /etc/dovecot/conf.d/10-master.conf
      Screenshot1

    • /etc/dovecot/conf.d/10-master.conf
      Screenshot2

    • Xiao Guoan (Admin)
      2 years ago

      The service auth section should be:

      service auth {
        unix_listener /var/spool/postfix/private/auth {
          mode = 0660
          user = postfix
          group = postfix
        }
        unix_listener /var/spool/postfix-mail01/private/auth {
          mode = 0660
          user = postfix
          group = postfix
        }
      }
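
Added example (not part of the thread and not the tutorial's own code): a small linter for the two 10-master.conf mistakes discussed above, a service block nested inside another service block and a missing `private/auth` listener for an extra Postfix instance. The function names and the sample config are constructed for illustration; the queue directories are the two named in the reply above, and `smtpd_sasl_path=private/auth` is resolved relative to each instance's queue directory.

```python
import re

# Constructed 10-master.conf (not from the thread): no auth listener for the
# second instance, and "service lmtp" wrongly nested inside "service auth".
SAMPLE_CONF = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
  }
  service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
    }
  }
}
"""

BLOCK_OPEN = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")

def parse_blocks(text):
    """Return (line_no, kind, name, enclosing) for each 'kind [name] {' line."""
    stack, found = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # crude comment strip, fine here
        m = BLOCK_OPEN.match(line)
        if m:
            found.append((no, m.group(1), m.group(2), tuple(stack)))
            stack.append((m.group(1), m.group(2)))
        elif line == "}":
            if not stack:
                raise ValueError(f"line {no}: '}}' without an open block")
            stack.pop()
    if stack:
        raise ValueError(f"block {stack[-1]} is never closed")
    return found

def nested_services(text):
    """Line numbers of service blocks opened inside another service block."""
    return [no for no, kind, _, outer in parse_blocks(text)
            if kind == "service" and any(k == "service" for k, _ in outer)]

def missing_auth_listeners(text, queue_dirs, sasl_path="private/auth"):
    """Sockets Postfix will look for that 'service auth' does not create."""
    have = {name for _, kind, name, outer in parse_blocks(text)
            if kind == "unix_listener" and ("service", "auth") in outer}
    want = [f"{q.rstrip('/')}/{sasl_path}" for q in queue_dirs]
    return [p for p in want if p not in have]

if __name__ == "__main__":
    dirs = ["/var/spool/postfix", "/var/spool/postfix-mail01"]
    print(nested_services(SAMPLE_CONF), missing_auth_listeners(SAMPLE_CONF, dirs))
```

A missing path in the second result corresponds to the `SASL: Connect to private/auth failed: No such file or directory` line in that instance's log.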
      
  • Xiao…..I had to put this project away for a while, but I’m now back to it. I have finished Part 2 and ready to start on Part 3 – PostfixAdmin. But first I have a few questions.

    I set up my Outlook client as shown in the two attached figures. I have successfully installed the LetsEncrypt SSL certificates, should I be using ports 993 and 465? I’m able to send and receive e-mails to and from Hotmail and my local French account using the current settings.

    Moving on to Part 3: I do not wish to have the PostfixAdmin available on the internet/web but rather, using a HOSTS file or local DNS, allow local clients access to the GUI on our LAN. I can still configure it as postfixadmin.mydomain.com and there is a NginX webserver on the LAN which responds mydomain.com which I gather is necessary for the PostfixAdmin password setup? Comments? Suggestions?

    Thanks…RDK

    • Xiao Guoan (Admin)
      2 years ago

      Hi RDK,

      1. If it works, then you don’t need to change it.

      2. Yes, you can make PostfixAdmin only accessible to internal networks. You should install PostfixAdmin on the mail server.

  • Flemming Bjerke
    2 years ago

    Hi Xiao – again: thank you very much!!!
    But, isn’t there a minor issue when you show the outcome of the ss command:

    ss -lnpt | grep master

    Among the output you display 3 lines with [::]:*, telling that Postfix listens on IPv6. E.g.:

    LISTEN            0                 128                                   [::]:25                                   [::]:*

    But, you have just recommended closing ipv6 in part 1.

    postconf -e "inet_protocols = ipv4"
    • Xiao Guoan (Admin)
      2 years ago

      If your server doesn’t have public IPv6 address, then I recommend disabling IPv6 in Postfix.
      If your server has a public IPv6 address, then you can use IPv6 in Postfix.

  • I’m Having this problem:

    Jan 18 15:30:41 mail postfix/lmtp[2102]: warning: problem talking to service private/scache: Connection timed out
    Jan 18 15:34:36 mail dovecot: master: Warning: SIGHUP received - reloading configuration
    
  • Hariprasad
    2 years ago

    Hello brother,

    I have followed the guide and everything works fine; I was able to send and receive messages from Thunderbird. But there is one problem: Thunderbird is unable to save sent messages. It was stuck in the progress window at 100%. Could you please help me solve the problem?

    Thank you.

    • 3dgecas3
      2 years ago

      remove the spaces, and the below becomes a link 🙂
      support. mozilla. org/ en-US/ questions/ 1299140
      these people had the same problem, hope it helps.

      if you are curious about it, i simply highlighted “thunderbird, But one problem thunderbird unable to save sent messages” and clicked “Search Google for…”. i found that link among the first few results.

      also, ty linuxbabe for your time! if i had money, i would tip you!!

  • Bitflux_the_script_kiddie
    2 years ago

    Hi Xiao
    Thanks for a great guide!
    It worked like a charm, but I didn’t get any mails in my client. It kept writing in my mail.log: status deferred…. No such file or directory.
    Some googling got me this, to put into /etc/dovecot/conf.d/10-master.conf

    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
      }
    }

    And it worked.. my testmails are now pouring in.
    Found it here:
    https://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP

    • Bitflux the lamer
      2 years ago

      God.. im so stupid, im not even a good script kiddie.. how could i miss that entire section… sorry

  • Norbert
    2 years ago

    Great tutorial – thanks.

    When i use mail box mail_location = mbox:~/mail:INBOX=/var/mail/%u .procmailrc works fine.

    How to connect .procmailrc to local delivery in this solution when using mail_location = maildir:~/Maildir ?

    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
        mode = 0600
        user = postfix
        group = postfix
      }
    }

    I would like to use .procmailrc like this (example for copying every mail arriving to one email to others email):

    :0 c
    [email protected]
    :0 c
    [email protected]

  • It’s 2023? Why no TLS support in this config? My other Postfix testbox has TLS just fine?

  • Russell Heaton
    2 years ago

    Hi. Great tutorial. I have a strange problem. I can set up an email account on, say, my phone which is connecting to the mail server from outside of my LAN. When I do an nmap from outside of my LAN I can see that all of the necessary ports are open through my pfSense firewall. When I try to set up an email account on a computer connected locally to my LAN the error messages indicate that a connection is not being made. This is confirmed when I do a nmap check from a different linux PC on the same LAN – it only shows port 22 and port 53 are open. Why would the server have closed ports to the local area network and how do I fix it? Check your paypal account – I’ve just incentivised you…

    • Russell Heaton
      2 years ago

      Haha. Keep the money, your tutorials are well worth it, but I have solved my own problem. I use pi-hole on my network, both as an ad-blocker and as my DNS server. I had to write a local DNS record that pointed my domain name to the ip address of the mail server. Works great now.

  • 1. “smtps” service in master.cf file is now renamed to “submissions” (check your /etc/services)

    2. preferred syntax for enforcing TLSv1.3 or TLSv1.2 is now:

    smtpd_tls_mandatory_protocols = >=TLSv1.2
    smtpd_tls_protocols = >=TLSv1.2
    smtp_tls_mandatory_protocols = >=TLSv1.2
    smtp_tls_protocols = >=TLSv1.2

  • HiPhish
    7 mins ago

    Just a quick note for people who cannot find nmap in their package manager: the license of nmap has changed to a non-free license and so you might no longer be able to install it easily on your distro. You can use nc from the netcat package instead:

    # Check port 578 on mail.example.com
    nc -zvw10 mail.example.com 578
  • I am using Ansible to automate this process and editing the Dovecot configuration files in an automated manner is difficult and brittle. A better idea would be to create one or more new configuration files with the new settings and then include them from the main Dovecot configuration file. That way I only need to add one line to one existing file. And it is much easier to revert to the original configuration: just throw away the custom configuration files. Even if you don’t use Ansible and edit files by hand I would say that adding a new file is preferable to editing an existing one.

    Add the following line to `/etc/dovecot/dovecot.conf`:

    !include custom-conf.d/*.conf

    Now place all your custom configuration files inside `custom-conf.d`. As an added bonus only files ending in `.conf` will be included, so you could add a complementary README file or something in there as well.
