Your personal GMail-like mail system: SMTP server

In general you do not have to run your own SMTP server; you can use the SMTP servers of your mail providers to send outgoing mail. However, running your own SMTP server makes your setup complete and much easier to use. You can use the same accounts with the same credentials you used for IMAP, which makes automatic configuration on mobile devices a breeze. Also, if you send an email through your own SMTP server with Thunderbird, it is sent much faster because the connection is local. And it may be important if you travel and find yourself in a place which provides free Internet access but doesn’t let you connect to port 25, so you cannot use your provider’s SMTP server.

I chose Postfix as my SMTP server due to its strong security record and because it is installed by default on OpenSUSE 12.1. If it is not installed by default on your Linux distro, it should definitely be available for it, and you should have no problem installing it using the system-specific package.

Configuring Postfix

Postfix keeps its configuration in the /etc/postfix directory, where we need to edit several configuration files.

/etc/postfix/main.cf

Before editing this file I suggest starting Postfix so that OpenSUSE has a chance to append its own configuration to main.cf. Then open the file and scroll down to the bottom. If you see a lot of parameters there, be careful when you modify something above them in this file: only the last assignment of a parameter applies, so an earlier modification can be overridden later.

The following parameters need to be changed:

# Should be set to your fully-qualified hostname
myhostname = your.host.name

# Your public IP address the SMTP server will listen on.
inet_interfaces = localhost,your.public.IP.address

# The default relay host which will relay your email in case any other rules fail.
# I specified the SMTP server which is used for my personal correspondence
relayhost = smtp.gmail.com

# Enable authentication for incoming SMTP connections
smtpd_sasl_auth_enable = yes

# Use Dovecot authentication agent, so the same credentials could be used for Postfix
smtpd_sasl_type = dovecot

# Path to the authentication socket
smtpd_sasl_path = private/auth

# Disable anonymous logins even with SSL/TLS
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

# Disable sending mail without authentication, and allow any destination if authenticated
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination, reject
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination

# Enable and enforce using TLS for incoming SMTP connections
smtpd_use_tls = yes
smtpd_enforce_tls = yes

# Only allow authentication on secured connections
smtpd_tls_auth_only = yes

# Generated SSL certificates. You can reuse those from Dovecot or generate a different set
smtpd_tls_cert_file = /etc/postfix/ssl/postfix.pem
smtpd_tls_key_file = /etc/postfix/ssl/postfix.key

# Do not ask for a client cert
smtpd_tls_ask_ccert = no

# Do not include the information about connection status into headers
smtpd_tls_received_header = no

#
# Outgoing authentication
#
# Enable outgoing SMTP authentication (this assumes your mail provider
# requires you to authenticate when you send mail)
smtp_sasl_auth_enable = yes

# the password file for the outgoing connections (described later)
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Do not try to send the mail without authentication
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

# Try to use TLS for outgoing SMTP connections but send without it if the remote doesn't support it
smtp_tls_security_level = may

# Use different mail relays for the different logins
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
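
The "last assignment wins" rule and the outgoing TLS/SASL settings above interact: with smtp_tls_security_level = may and smtp_sasl_security_options = noanonymous, a relay that offers no STARTTLS still receives the password in the clear. The following Python is an added example, not part of the original post; its function names and sample main.cf text are constructed, and it looks only at smtp_tls_security_level, not at the legacy smtp_use_tls / smtp_enforce_tls parameters.

```python
# Added example: function names and sample text are constructed for illustration.
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

# Constructed main.cf fragment: an early "encrypt" is overridden further down.
SAMPLE_WEAK = """\
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
# block appended at the bottom of the file
smtp_tls_security_level = may
"""
# Same file with a final assignment that makes TLS mandatory again.
SAMPLE_HARDENED = SAMPLE_WEAK + "smtp_tls_security_level = encrypt\n"

def effective_params(text):
    """Parse main.cf text: '#' comment lines are skipped, a line starting with
    whitespace continues the previous one, and the last assignment wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()  # later entries override
    return params

def cleartext_auth_possible(params):
    """True when relay passwords could be sent over a connection without TLS."""
    if params.get("smtp_sasl_auth_enable", "no") != "yes":
        return False
    if params.get("smtp_tls_security_level", "") in MANDATORY_TLS:
        return False
    # Postfix's default for this parameter is "noplaintext, noanonymous".
    opts = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    return "noplaintext" not in opts.replace(",", " ").split()

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, cleartext_auth_possible(effective_params(text)))
```
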

/etc/postfix/master.cf

We edit this file to make Postfix listen on the submission port (587) and on the SMTP-over-SSL port (465). We also disable listening on port 25.

# Comment out this line as well as any other line which starts with "smtp  inet", if any.
# Do not comment out the one which starts with "smtp unix"
#smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen

# Add these lines to listen on the submission port for regular SMTP connections.
# The service line must start in the first column; indented lines continue it.
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# Add these lines to listen on port 465 for SMTP connections over SSL
# ("urd" is the service name used here for port 465)
urd inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

/etc/postfix/sender_relay

This file specifies which SMTP server Postfix will use to send the mail, depending on who the e-mail is from. Let’s assume you want mail with the sender address bill@mybusiness.com to be sent through smtp.mybusiness.com:587, mail with the sender address bill@mypersonal.com through smtp.mypersonal.com, and everything else through your default relayhost. This can be achieved with the following file:

bill@mybusiness.com    [smtp.mybusiness.com]:587
bill@mypersonal.com    smtp.mypersonal.com

Only the mail servers are specified in this file; the authentication credentials are specified in a different file. After you modify this file you must execute the following command to make your changes visible to Postfix:

postmap /etc/postfix/sender_relay

/etc/postfix/sasl_passwd

This file specifies the authentication credentials for those outgoing mail servers which need them. Assume the e-mail sent from bill@mybusiness.com in the example above should use the smart:simple credentials to talk to the associated SMTP server, bill@mypersonal.com uses myuser:mypassword, and your default relayhost (in our case smtp.gmail.com) uses user:12345 as the username:password. You’ll create the following file:

# Per-account information
bill@mybusiness.com  smart:simple
bill@mypersonal.com  myuser:mypassword
# Login information for the default relayhost. The key must be written
# exactly as relayhost is written in main.cf (with or without [ ]).
smtp.gmail.com       user:12345

After you modify this file you must execute the following command to make your changes visible to Postfix:

postmap /etc/postfix/sasl_passwd
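
How Postfix pairs sender_relay with sasl_passwd, as an added example that is not part of the original post: with smtp_sender_dependent_authentication = yes the credential lookup tries the sender address first and then the next hop exactly as written, so a key that differs only by [ ] never matches. The Python below is a simplified offline model (it skips the lookup by the remote server's host name, which needs DNS); the function names and map contents are constructed, with passwords replaced by placeholders.

```python
# Added example: simplified offline model of the lookups; all data is constructed.
SENDER_RELAY = """\
bill@mybusiness.com    [smtp.mybusiness.com]:587
bill@mypersonal.com    smtp.mypersonal.com
"""
SASL_PASSWD = """\
# passwords replaced by placeholders
bill@mybusiness.com    smart:PLACEHOLDER
[smtp.gmail.com]       user:PLACEHOLDER
"""

def parse_map(text):
    """Read 'key value' lines of a Postfix table source; keys are case-folded."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip()
    return table

def bare_host(dest):
    """Host part of a next hop, without the [ ] MX-suppression marks or :port."""
    if dest.startswith("["):
        return dest[1:].split("]")[0].lower()
    return dest.split(":")[0].lower()

def resolve(sender, relayhost, relay_map, passwd_map):
    """Return (next hop, sasl_passwd key that matched or None, hint)."""
    sender = sender.lower()
    domain = "@" + sender.rpartition("@")[2]
    nexthop = relay_map.get(sender) or relay_map.get(domain) or relayhost
    # The sender address is tried first, then the next hop exactly as written.
    for key in (sender, nexthop.lower()):
        if key in passwd_map:
            return nexthop, key, ""
    near = [k for k in passwd_map
            if "@" not in k and bare_host(k) == bare_host(nexthop)]
    if near:
        return nexthop, None, "key %r differs only in [ ] or port" % near[0]
    return nexthop, None, "no entry"

if __name__ == "__main__":
    relay, passwd = parse_map(SENDER_RELAY), parse_map(SASL_PASSWD)
    for who in ("bill@mybusiness.com", "bill@mypersonal.com", "other@example.org"):
        print(who, resolve(who, "smtp.gmail.com", relay, passwd))
```

A sender that resolves to no key is relayed without authentication, so run such a check after every edit of either map.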

Modifying Dovecot configuration

The Dovecot configuration also needs to be modified to add support for the Postfix authentication agent. The modification is quite simple: edit the file /etc/dovecot/10-master.conf, find the section service auth in this file, and add the following to this section:

# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  user = postfix
  group = postfix
}

Generating SSL certificates

Since we configured Postfix to use SSL, we need to provide it with the certificates. You can use the same certificates you generated for Dovecot, or you can generate a different pair. Copy them into the directory specified in the main.cf configuration file above; the defaults are /etc/postfix/ssl/postfix.pem and /etc/postfix/ssl/postfix.key.

Then restart Dovecot and Postfix, try to send mail from the different addresses, and check in the logs whether the mail goes to the proper destination.


One Response to Your personal GMail-like mail system: SMTP server

  1. Johan Ekenberg says:

    George

    I would like to thank you for publishing this series on Dovecot/Postfix/getmail/Thunderbird. I was in a very similar situation – migrating 70000 mails from kmail1 -> kmail2 was a complete disaster. kmail2 is completely useless because of the akonadi-mess. So I set out to leave vendor lock-in once and for all, migrating to a local IMAP-system with remote access. In the process, I happened upon your blog posts which were a great help and saved me many hours of work. Thank you!

    /Johan Ekenberg, Sweden