Saturday, April 23, 2011

Debian Mail Server Setup with Postfix + Dovecot + SASL + Squirrel Mail

Postfix is an attempt to provide an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and hopefully secure, while at the same time being sendmail compatible enough to not upset your users.
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It’s fast, simple to set up, requires no special administration and it uses very little memory. When sending mail, the Postfix SMTP client can look up the remote SMTP server hostname or destination domain (the address right-hand part) in a SASL password table, and if a username/password is found, it will use that username and password to authenticate to the remote SMTP server. And as of version 2.3, Postfix can be configured to search its SASL password table by the sender email address.
SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
Note : If you install Postfix/Dovecot mail server you will ONLY be able to send mail within your network. You can only send mail externally if you install SASL authentication with TLS. As otherwise you get “Relay Access Denied” error.
Install Postfix MTA (Mail Transfer Agent)
Use the following command to install postfix in debian
#aptitude install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules popa3d
During installation, postfix will ask for few questions like name of server and answer those questions by entering your domain name and select Internet site for postfix.
Postfix configuration file is located at:/etc/postfix/ You can edit this file using popular text editor vi /etc/postfix/
Restart Postfix Server using the following command
#/etc/init.d/postfix restart
Install Dovecot
Dovecot is POP3/IMAP server which needs MTA like Postfix to work properly.
#aptitude install dovecot-imapd dovecot-pop3d dovecot-common
Dovecot configuration file is located at: /etc/dovecot/dovecot.conf
Before we proceed we need to make some changes with dovecot configuration file. Double check the following entries in the file if the values are entered properly.
Edit the dovecot configuration file using the following command
#vi /etc/dovecot/dovecot.conf
# specify protocols = imap imaps pop3 pop3s
protocols = pop3 imap
# uncomment this and change to no.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv
Now, create a user to test our pop3 mail with outlook:
#adduser user_name
Note: Always create a separate user to test your mail or ftp.
Restart Dovecot using the following command
#/etc/init.d/dovecot restart
Now, you can use your outlook express to test whether your new mail server is working or not. Just enter username: with password in outlook.
Remember you will NOT be able to send email outside your network, you will be only be able to send within your domain or local network. If you attempt to send email you get “relay access denied” error from outlook express. However, you should have no problems in receiving your email from outlook. Inorder to send email external email you will need to configure SASL authentication as described below.
Configure SASL Authentication with TLS
SASL Configuration + TLS (Simple authentication security layer with transport layer security) used mainly to authenticate users before sending email to external server, thus restricting relay access. If your relay server is kept open, then spammers could use your mail server to send spam. It is very essential to protect your mail server from misuse.
Let us set up SMTP authentication for our users with postfix and dovecot.
Edit the postfix configuration file /etc/postfix/ and enter the few lines to enable authentication of our users
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
postfix does a chroot so it can’t communicate with saslauthd.
#rm -r /var/run/saslauthd/
#mkdir -p /var/spool/postfix/var/run/saslauthd
#ln -s /var/spool/postfix/var/run/saslauthd /var/run
#chgrp sasl /var/spool/postfix/var/run/saslauthd
#adduser postfix sasl
On the Dovecot side you also need to specify the dovecot authentication daemon socket. In this case we specify an absolute pathname. Refer to this postfix manual here
Edit /etc/dovecot/dovecot.conf file
#vi /etc/dovecot/dovecot.conf
Look for the line that starts with auth default, before that insert the lines below.
auth default {
mechanisms = plain login
passdb pam {
userdb passwd {
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
Now, rename previous auth default to auth default2. If you dont rename this then dovecot server will give you error like multiple instances of auth default.
Now restart all the following components of mail server
#/etc/init.d/saslauthd restart
#/etc/init.d/postfix restart
#/etc/init.d/dovecot restart
Test whether your mail server works or not with your outlook express. Configure a user with a user name (without @domain) and make sure that you select my server requires authentication. Under settings select same as incoming mail server
1. If you dont enable My server requires authentication in outlook you cannot send emails to external recipients and you get relay access denied error.
2. Do not use root login to login to your mail server.
3. Dont forget to create a new user before you authenticate using outlook.
Forwarding Mails
Ever wondered how to forward your mails especially if you are a webmaster managing number of sites. You might need to forward any email sent to your primary email address. Its that easy. Just create a .forward file on your home directory. Insert list of emails addresses separated by commas, where you want to get forwarded.
Login as user and type
echo ‘destination_email_address’ > .forward
or you can use vi to create .forward file. Just Delete .forward file if you dont want any forwarding.
Installing Squirrel Web Mail
Before installing Squirrel Web Mail you need to make sure you have installed apache2 with php support
#aptitude install apache2
#aptitude install libapache2-mod-php5 php5-cli php5-common php5-cgi
#aptitude install squirrelmail
Squirrelmail configuration file is located in: /etc/squirrelmail/ folder. By default all settings are preloaded.
# Run squirrelmail configuration utility as ROOT
Now we want to setup to run under apache. Edit apache configuration file /etc/apache2/apache2.conf and insert the following line
Include /etc/squirrelmail/apache.conf
Restart the webserver using the following command
#/etc/init.d/apache2 restart
Access your webmail using the following link
http://yourdomain or server ip/squirrelmail
Create a separate local user and login as a new user.
Mail Server Logs
Always refer to logs located in /var/log/mail.log so that you can identify what the problem is before you can troubleshoot.
  Retrieving Emails From Remote Servers With fetchmail (Debian Etch)

1 Preliminary Note

You need a Linux server with a system user that can receive emails, which means an MTA such as Postfix or Sendmail must be installed on the system. Otherwise fetchmail won't work, because it tries to pass on the downloaded emails to an MTA (Postfix, Sendmail, ...), and the MTA delivers the mails to the user's mailbox (you can configure the system to include spam- and virus scanning in this process, e.g. withamavisd-new or procmail, but this isn't covered in this tutorial).
I use a Debian Etch system in this tutorial where two users called falko and till exist.

2 Install fetchmail

In order to install fetchmail, all we have to do is run
apt-get install fetchmail

3 Configure fetchmail

There are two ways of configuring fetchmail. We can make it run as a daemon with a global configuration file, or we can create a cron job to run fetchmail together with per-user configuration files. I will describe both methods here.

3.1 Run fetchmail As A Daemon With A Global Configuration File

To make fetchmail run as a daemon, we have to edit /etc/default/fetchmail and set START_DAEMON to yes:
vi /etc/default/fetchmail
# This file will be used to declare some vars for fetchmail
# Uncomment the following if you dont want localized log messages
# export LC_ALL=C
# Declare here if we want to start fetchmail. 'yes' or 'no'

Next we must create the configuration file /etc/fetchmailrc because the fetchmail daemon won't start if this file doesn't exist. In this file we can specify how the fetchmail daemon should behave as well as the details fetchmail needs to know to retrieve emails from foreign email accounts.
Let's assume falko has two email accounts from which we want to retrieve emails:
·         First account: server pop.someprovider.tld, protocol POP3, username falko@someprovider.tld (yes, the username is an email address in this case), password secret.
·         Second account: server mail.otherprovider.tld, protocol POP3, username ftimme, password verysecurepassword.
till has one email account:
·         Server mailin.tillsprovider.tld, protocol POP3, username tbrehm, password iwonttellyou.
So our file /etc/fetchmailrc could look like this:

vi /etc/fetchmailrc
# /etc/fetchmailrc for system-wide daemon mode
# This file must be chmod 0600, owner fetchmail

set daemon        300                # Pool every 5 minutes
set syslog                        # log through syslog facility
set postmaster  root

set no bouncemail                # avoid loss on 4xx errors
                                # on the other hand, 5xx errors get
                                # more dangerous...

# Hosts to pool

# Defaults ===============================================================
# Set antispam to -1, since it is far safer to use that together with
# no bouncemail
timeout 300
antispam -1
batchlimit 100

poll pop.someprovider.tld protocol POP3 user "falko@someprovider.tld" there with password "secret" is falko here
poll mail.otherprovider.tld protocol POP3 user "ftimme" there with password "verysecurepassword" is falko here fetchall
poll mailin.tillsprovider.tld protocol POP3 user "tbrehm" there with password "iwonttellyou" is till here keep

At the beginning of the file we have some global options such as set daemon 300 (which means fetchmail should retrieve emails every 300 seconds) that control the operation of the program. The meanings of the above options are as follows:
·         set daemon: Set a background poll interval in seconds.
·         set syslog: Do error logging through syslog.
·         set postmaster: Give the name of the last-resort mail recipient (default: user running fetchmail, "postmaster" if run by the root user).
·         set no bouncemail: Direct error mail to the local postmaster (as per the "postmaster" global option above).
Then we have the server and the user options options. These go together into the lines beginning with poll; if there are options that are the same for each poll line, we can as well specify them before thepoll lines in a section that begins with defaults: (such as timeout, antispam, and batchlimit in our example).
·         timeout: Server inactivity timeout in seconds (default 300).
·         antispam: Specify what SMTP returns are interpreted as spam-policy blocks.
·         batchlimit: Specify the maximum number of messages that will be shipped to an SMTP listener before the connection is deliberately torn down and rebuilt (defaults to 0, meaning no limit).
The poll lines are self-explanatory; as you see fetchmail retrieves emails from both of falko's external email accounts and puts them into one account.
You will notice that the poll lines have different endings (e.g. nofetchall (default), fetchall, keep, nokeep). The meanings are as follows:
·         nofetchall: Retrieve only new messages (default). If nothing else is specified (e.g. fetchall, keep), this means nofetchall.
·         fetchall: Fetch all messages whether seen or not.
·         keep: Don't delete seen messages from server.
·         nokeep: Delete seen messages from server.
To learn more about all available configuration settings, take a look at
man fetchmail
/etc/fetchmailrc must have 600 permissions and must be owned by the user fetchmail, so we do the following:
chmod 600 /etc/fetchmailrc
chown fetchmail /etc/fetchmailrc
Finally, we can start fetchmail:
/etc/init.d/fetchmail start
Fetchmail should now download emails and put them into falko's and till's mailboxes (using the MTA). It will repeat this every set daemon seconds.

3.2 Use Per-User Configuration Files And Run fetchmail Via Cron

Instead of using a global configuration file as shown in chapter 3.1, we can use per-user configuration files. These must have the name .fetchmailrc and must be located in the user's homedir.
We want to create such a file for the user falko now. Make sure you're logged in as falko, not root! Then we do this:
cd ~/
vi .fetchmailrc

set postmaster falko
set bouncemail

poll pop.someprovider.tld protocol POP3 user "falko@someprovider.tld" there with password "secret"
poll mail.otherprovider.tld protocol POP3 user "ftimme" there with password "verysecurepassword" fetchall

The file looks very similar to the file /etc/fetchmailrc from chapter 3.1, however you will notice that I don't use the phrase is falko here anymore (as .fetchmailrc is in falko's homedir, fetchmail knows that the mails should be delivered to falko). Of course, you can still use is falko here, so the file could look like this as well:
set postmaster falko
set bouncemail

poll pop.someprovider.tld protocol POP3 user "falko@someprovider.tld" there with password "secret" is falko here
poll mail.otherprovider.tld protocol POP3 user "ftimme" there with password "verysecurepassword" is falko here fetchall
To learn more about all available configuration settings, take a look at
man fetchmail
.fetchmailrc must have 600 permissions, so that only falko can read from/write to it:
chmod 600 ~/.fetchmailrc
That's it. Now falko can start the retrieval process by running
fetchmail -v
which shows what's going on.
Of course, falko doesn't want to start the retrieval manually every few minutes, so we create a cron job for him. Still as the user falko, we run
crontab -e
and create a cron job like this one (which would start fetchmail every five minutes):
*/5 * * * * /usr/bin/fetchmail &> /dev/null


  1. Hi,

    Thank you for your nice page, very useful!
    Recently I setup a homemade e-mail server and wrote a full detailed tutorial that you can find in

    using Debian Squeeze, Postfix, Dovecot, SASL, Spamassassin and Squirrel (and a Google account for SMTP relay).

    I wish it is helpful to someone.

  2. I have configured Postfix in my debian7 server. But now i can send mail outside of my Lan only like gmail etc.. When i am sending any mail to my Lan its going to Mail Queue with below error :
    host *********** [***.***.254.17] refused to talk to me: 554 dropsmtpd - Your mail is being dropped as spam.
    plz help.