Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles / operating-systems / Linux

How to Install & Configure Email Server with Postfix, Dovecot & Opendkim

5.00/5 (3 votes)
28 Nov 2014CPOL6 min read 29.6K  
In this article, we are talking Postfix, Dovecot and DKIM so we will walk you through the steps of installing and configuring an email server with Postfix, Dovecot and OpenDKIM on a CentOS 7 system

Introduction

An email server is a system or set of systems which handles the receiving and sending of email messages on the Internet. There are multiple types of email servers such as SMTP servers which use the Simple Mail Transfer Protocol that is used for e-mail transmission. An SMTP server usually runs in conjunction with an IMAP or POP3 server whose purpose is to provide e-mail retrieval and/or storage. Running an email server is not an easy task. It requires installing, configuring, understanding and maintaining a number of different services.

As you can imagine, there are number of different SMTP, POP3 and IMAP servers out there. In this article, we are talking Postfix, Dovecot and DKIM so we will walk you through the steps of installing and configuring an email server with Postfix, Dovecot and OpenDKIM on a CentOS 7 system. For this article, we are using CentOS 7 on a Linux VPS from Rose Hosting but you can also use anything else which runs CentOS 7 and preferably has a public IP address.

Before proceeding any further, it is recommended to verify your host/domain name is a valid FQDN (fully qualified domain name) and it has a valid MX DNS record. For this, you can use a tool like dig for example. Run this command to install dig if it's not already installed on the system:

# if !type -path "dig" > /dev/null 2>&1; then yum install bind-utils -y; fi

In our case, the hostname of the e-mail server is galaxy.mydomain.com and the domain is mydomain.com. The domain name has the following MX record:

# dig MX mydomain.com @4.2.2.2 +short
0 mydomain.com.

which tells everyone on the Internet that the machine where mydomain.com resolves will handle the e-mails for mydomain.com.

It's also recommended that the public IP address of the e-mail server has a valid rDNS (Reverse DNS) record that matches the e-mail server hostname. You can verify this using dig:

# dig -x 1.2.3.4 +short
galaxy.mydomain.com.

Access your Server

To complete this article, you will need to have root access (or sudo privileges) on the CentOS system. So, use your favorite SSH client to connect to your server. In *NIX like operating systems, you can fire up your terminal and execute:

# sshroot@YOUR_SERVER_IP -p 22

Note: Make sure you change the port if SSH is listening on non-default port. Also be sure to replace YOUR_SERVER_IP with your actual server's IP address.

Once you're logged into your CentOS 7 system, install (if it's not already installed) a tool named screen using yum:

# yum install screen

and initiate a new screen session using the command below:

# screen -U -S postfix-dovecot-dkim

Update the System

Once you are in a screen session, it is preferred to make sure your system is fully up-to-date. So, run the following yum command to update your CentOS 7:

# yum update

Note: It is recommended to reboot your system if there's a kernel upgrade.

SSL Certificate

You will need an SSL certificate to make the e-mail server secure and capable of communicating over SSL with other servers or clients. In our example, we are using a self-signed certificate which can be generated using the commands below:

# yum install openssl
# mkdir -p /root/SSL/mydomain.com
# cd /root/SSL/mydomain.com

# opensslgenrsa -out mydomain.com.key 2048
# opensslreq -new -x509 -nodes -days 365 -key mydomain.com.key -out mydomain.com.crt

Enter your SSL certificate details like Country, City, Common Name, etc., for example:

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Oregon
Locality Name (eg, city) [Default City]:Portland
Organization Name (eg, company) [Default Company Ltd]:E-Mail Dept.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:mydomain.com

Once you have the certificate and key, use the following commands to copy them to /etc/pki/tls/certs/ and /etc/pki/tls/private/ respectively:

# cp -av mydomain.com.crt /etc/pki/tls/certs/
# cp -avmydomain.com.key /etc/pki/tls/private/

Install Dovecot

Before installing Dovecot, let's say a word about it. What is Dovecot? It is a POP3 and IMAP server that provides a way to Mail User Agents (MUA) like Thunderbird or Outlook, etc. to access the e-mails on the e-mail server.

Install dovecot using yum:

# yum install dovecot

Once installed, you have to edit a few Dovecot configuration files in /etc/dovecot and add/edit some configuration parameters. Let's start with /etc/dovecot/conf.d/10-mail.conf and /etc/dovecot/conf.d/20-imap.conf where we'll set the mail location where the e-mails are looked up from:

# vim +/mail_location /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:~/Maildir
# vim /etc/dovecot/conf.d/20-imap.conf
protocolimap {
mail_location = maildir:~/Maildir
}

Next, edit /etc/dovecot/conf.d/10-ssl.conf and set the following parameters:

# vim +/"ssl =" /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/tls/certs/mydomain.com.crt
ssl_key = </etc/pki/tls/private/mydomain.com.key

Note: Double check the certificate and key actually exist in the paths specified in ssl_cert and ssl_key.

In /etc/dovecot/conf.d/10-auth.conf, set disable_plaintext_auth to no and enable plain and login authentication mechanisms:

# vim +/disable_plaintext_auth /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
auth_mechanisms = plain login

We'll use Dovecot's SMTP authentication service in Postfix to authenticate the e-mail accounts, so edit /etc/dovecot/conf.d/10-master.conf and make sure the following snippet exists within service auth {} section:

# vim /etc/dovecot/conf.d/10-master.conf
...
serviceauth {
    # Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
    }
}
...

Finally, let's edit /etc/dovecot/dovecot.conf, set the enabled protocols and bind Dovecot to all interfaces:

# vim +/"protocols =" /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp
listen = *

Restart the Dovecot service on the system using systemctl and add it to the system's startup:

# systemctl restart dovecot
# systemctl status dovecot
# systemctl enable dovecot

Install Postfix

What is Postfix? It is a Mail Transfer Agent (MTA) which is responsible for transferring e-mail messages from one computer to another. An MTA has the capability to act as a client for sending e-mails or as a server for receiving e-mails via the SMTP protocol.

Install postfix using yum:

# yum install postfix

Once installed, create the /etc/mail directory, edit Postfix main configuration file /etc/postfix/main.cf and set the following configuration options:

# mkdir /etc/mail
# vim /etc/postfix/main.cf
inet_interfaces = all
inet_protocols = ipv4

myhostname=galaxy.mydomain.com
mydestination = /etc/mail/my_domains, $myhostname
virtual_alias_maps = hash:/etc/mail/virtual
home_mailbox = Maildir/

tls_random_source = dev:/dev/urandom
broken_sasl_auth_clients = yes

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_use_tls = yes
smtpd_tls_key_file  = /etc/pki/tls/private/mydomain.com.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mydomain.com.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Note: Make sure you replace galaxy.mydomain.com with your actual server's hostname. Also verify the paths used in smtpd_tls_key_file and smtpd_tls_cert_file exist.

Next, create two configuration files, /etc/mail/my_domains and /etc/mail/virtual. The first one will contain all domain names handled by Postfix and the second one will contain the virtual e-mail aliases.

# touch /etc/mail/my_domains /etc/mail/virtual
postmap /etc/mail/virtual
Edit /etc/postfix/master.cf and enable the submission (587) and SSL (465) ports in Postfix:
# vim /etc/postfix/master.cf

submissioninet n       -       n       -       -       smtpd

smtpsinet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Restart the Postfix service using systemctl for the changes to take effect:

# systemctl restart postfix
# systemctl status postfix
# systemctl enable postfix

Add Domain, Account and Aliases

Add mydomain.com to /etc/mail/my_domains so Postfix can accept and relay email for this domain. Each domain should be added on a new line.

# echo mydomain.com >> /etc/mail/my_domains

To create a new john@mydomain.com email account on the e-mail server, you can use the following commands:

# useradd -s /sbin/nologin -m john
# passwd john

If you like to add some aliases like helpdesk@mydomain.com or sales@mydomain.com, you can use add the following to /etc/mail/virtual.

helpdesk@mydomain.com john
sales@mydomain.com john

Every-time you change this configuration file, you have to postmap it and restart Postfix for the changes to take effect. For example:

# postmap /etc/mail/virtual
# systemctl restart postfix

Setup OpenDKIM

DKIM is a digital email signing and verification technology that digitally signs the e-mails on the e-mail server. This feature can be used for further verification of the e-mail message that it was signed...

Enable EPEL Repository

You can install the EPEL repository simply by using yum as in:

# yum install https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm

Verify EPEL is enabled on the system:

# yumrepolist

Install OpenDKIM

Install OpenDKIM using yum

# yum install opendkim

Configure OpenDKIM

The following configuration is reasonable and should work in most setups. You are free, however, to make any changes as needed for your case.

Make a copy of the opendkimconfig file and modify it as shown below. Finally, save the file and exit vim.

# mv /etc/opendkim.conf{,.orig}
# vim /etc/opendkim.conf
AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreListrefile:/etc/opendkim/TrustedHosts
InternalHostsrefile:/etc/opendkim/TrustedHosts
KeyTablerefile:/etc/opendkim/KeyTable
SigningTablerefile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserIDopendkim:opendkim
TemporaryDirectory      /var/tmp

Setup DKIM Private/Public Keys

You will now need to create the necessary DKIM private and public keys. Execute the following statements as shown.

# mkdir /etc/opendkim/keys/mydomain.com
# opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s mail
# chown -R opendkim: /etc/opendkim/keys/mydomain.com
# mv /etc/opendkim/keys/mydomain.com/mail.private /etc/opendkim/keys/mydomain.com/mail

Edit the KeyTable file:

# vim /etc/opendkim/KeyTable

mail._domainkey.mydomain.com mydomain.com:mail:/etc/opendkim/keys/mydomain.com/mail

Now edit the SigningTable file:

# vim /etc/opendkim/SigningTable

*@mydomain.com mail._domainkey.mydomain.com

Add the trusted hosts in the file as shown below. Make sure you change mydomain.com with your actual domain name.

# vim /etc/opendkim/TrustedHosts

127.0.0.1
mydomain.com
galaxy.mydomain.com

add a TXT record in tje domain's zone file:

# cat /etc/opendkim/keys/mydomain.com/mail.txt

verify the DKIM TXT record using dig

# dig +short mail._domainkey.mydomain.com TXT

Integrate DKIM in Postfix

# vim /etc/postfix/main.cf

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2
# systemctl restart opendkim
# systemctl enable opendkim

# systemctl restart postfix

And that should be it. You should now have a fully functional Postfix, Dovecot and DKIM setup, ready to send and receive DKIM signed emails for your domain.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)