#g33kr_

Setting up an SMTP and IMAP server on CentOS 7

This is a quick and dirty breakdown for setting up a Linux-based email server on CentOS 7 using the Postfix MTA and the Dovecot IMAP server.

This configuration will result in a server that provides SMTP with TLS, secure client SMTP, and secure IMAP service, using local accounts for authentication and storing the mailboxes in each user's home directory in maildir format. This tutorial assumes the use of an SSL certificate to encrypt IMAP and SMTP client traffic and to offer SMTP over TLS. On a publicly accessible server, not doing so would be a Bad Idea.

In this post, we'll cover the basic setup of IMAP and SMTP. Adding spam filtering and anti-virus will be covered in a follow-up post.

IMAP and SMTP services

Assuming you've installed CentOS 7 using the minimal install, you'll need to install the Postfix and Dovecot packages and any dependencies:

[root@host /]# yum install postfix dovecot

To configure Postfix, you'll need to edit two configuration files:

/etc/postfix/main.cf

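# /etc/postfix/main.cf — Postfix settings for the mail host.
# Replace yourdomain.com / host.yourdomain.com and every <...> placeholder
# before reloading Postfix.
compatibility_level = 2
myhostname = host.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
# Postfix lists are separated by commas or whitespace; do not end them with
# ';' — the semicolon would be taken as part of the last entry.
mydestination = $myhostname, localhost.$mydomain,
                localhost, $mydomain,
                <any other domains you receive email for>
# Clients in these networks skip the smtpd_*_restrictions below through
# permit_mynetworks, so list only networks you trust to relay mail.
mynetworks = 127.0.0.0/8, <your local network, e.g. 192.168.1.0/24>
mynetworks_style = subnet
relay_domains = $mydestination
inet_interfaces = all
inet_protocols = all

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
append_dot_mydomain = no
biff = no
soft_bounce = no
# '+' lets user+tag@domain reach user's mailbox; keep it identical to
# recipient_delimiter in /etc/dovecot/conf.d/15-lda.conf.
recipient_delimiter = +
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
# Local delivery is handed to the Dovecot LDA, which writes to the
# mail_location set in /etc/dovecot/conf.d/10-mail.conf (maildir:~/.mail);
# home_mailbox is kept consistent with that path.
home_mailbox = .mail/
mailbox_command = /usr/libexec/dovecot/deliver
mail_owner = postfix
default_privs = nobody

unknown_local_recipient_reject_code = 550
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550

in_flow_delay = 1s
default_destination_concurrency_limit = 5
relay_destination_concurrency_limit = 1
# VRFY would let a remote client probe which local addresses exist.
disable_vrfy_command = yes
# main.cf has no end-of-line comments: anything after '#' on a parameter line
# is part of the value, so the size notes live on their own lines.
# max message size 25MB, adjust if needed
message_size_limit = 26214400
# max mailbox size 50GB, adjust if needed
mailbox_size_limit = 53687091200

smtpd_banner = $myhostname ESMTP
# the following are some basic anti-spam measures
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
                          reject_non_fqdn_helo_hostname,
                          reject_invalid_helo_hostname,
                          reject_unknown_helo_hostname,
                          permit
# NOTE(review): reject_unknown_client_hostname rejects clients whose IP has no
# matching forward/reverse DNS, which also catches some legitimate senders;
# reject_unknown_reverse_client_hostname is the milder alternative if mail
# from legitimate peers is being refused.
smtpd_recipient_restrictions = permit_mynetworks,
                          permit_sasl_authenticated,
                          reject_unknown_client_hostname,
                          reject_unknown_sender_domain,
                          reject_unknown_recipient_domain,
                          reject_unauth_pipelining,
                          reject_unauth_destination,
                          reject_invalid_hostname,
                          reject_non_fqdn_sender
smtpd_sender_restrictions = reject_unknown_sender_domain
# Relaying to other domains is allowed only for mynetworks and for clients
# that authenticated; everything else is rejected.
smtpd_relay_restrictions = permit_mynetworks,
                          permit_sasl_authenticated,
                          reject_unauth_destination

# SMTP AUTH is delegated to Dovecot over the socket it creates at
# <queue_directory>/private/auth (see /etc/dovecot/conf.d/10-master.conf).
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = no

# TLS is opportunistic ("may") for other MTAs on port 25. AUTH is only
# offered after STARTTLS (smtpd_tls_auth_only), so credentials never cross
# the wire in clear text. The same cert/key pair is used by Dovecot.
smtpd_tls_cert_file = /etc/pki/tls/certs/your.domain.crt
smtpd_tls_key_file = /etc/pki/tls/private/your.domain.key
smtpd_tls_ciphers = high
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
# smtpd_tls_mandatory_protocols only governs the "encrypt" security level; at
# level "may" the opportunistic sessions use smtpd_tls_protocols, so both are
# set. Add !TLSv1, !TLSv1.1 once your clients are confirmed to support TLS 1.2.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_random_source = dev:/dev/urandom

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop

meta_directory = /etc/postfix
sample_directory = /usr/share/doc/postfix/samples
readme_directory = /usr/share/doc/postfix/README_FILES
manpage_directory = /usr/share/man
html_directory = no
shlib_directory = no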

/etc/postfix/master.cf

# uncomment the following lines to enable SMTP client authentication.
# Port 465 (smtps) is TLS from the first byte (smtpd_tls_wrappermode), so
# AUTH never travels in clear text; the smtpd_recipient_restrictions override
# means only authenticated clients may submit here and everything else is
# rejected, independent of the port-25 policy in main.cf.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

To configure the Dovecot IMAP server, you'll need to edit several config files:

/etc/dovecot/conf.d/10-auth.conf

# PLAIN and LOGIN send the password as-is; they are acceptable here only
# because ssl = required (10-ssl.conf) and smtpd_tls_auth_only = yes (main.cf)
# keep them inside TLS. Leave Dovecot's default disable_plaintext_auth = yes
# in place so they are also refused on any unencrypted connection.
auth_mechanisms = plain login

/etc/dovecot/conf.d/10-master.conf

# disable imap and enable imaps on port 993
# port = 0 switches a listener off, so IMAP is reachable only over TLS on 993;
# together with ssl = required in 10-ssl.conf no login can happen in clear.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

# disable pop3 and pop3s (unless you plan to use it)
# Both POP3 listeners are switched off (port = 0); the firewall rules later in
# the post open only smtp, imaps and 465/tcp, so nothing else is exposed.
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}

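# enable Postfix smtp-auth
# The listener belongs inside the existing "service auth" block. Its path is
# what main.cf reaches through smtpd_sasl_path = private/auth relative to
# queue_directory = /var/spool/postfix. mode 0660 with owner/group postfix
# keeps other local users from opening the socket.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}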

/etc/dovecot/conf.d/10-mail.conf

# set the maildir location to the same as in /etc/postfix/main.cf
# ~ expands to the user's home directory, so each local account's mail lands
# in ~/.mail in maildir format (matching home_mailbox = .mail/ in main.cf).
mail_location = maildir:~/.mail

/etc/dovecot/conf.d/10-ssl.conf

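# TLS is mandatory for IMAP: with ssl = required Dovecot will not accept a
# login from a client that has not negotiated TLS.
ssl = required
# The leading '<' tells Dovecot to read the file's contents; the same
# cert/key pair is referenced by smtpd_tls_cert_file / smtpd_tls_key_file in
# main.cf. Keep the private key readable by root only.
ssl_cert = </etc/pki/tls/certs/your.domain.crt
ssl_key = </etc/pki/tls/private/your.domain.key
# NOTE(review): this still permits TLSv1 and TLSv1.1; add !TLSv1 !TLSv1.1
# once your clients are confirmed to support TLS 1.2.
ssl_protocols = !SSLv2 !SSLv3
# Excludes anonymous (unauthenticated) key exchange and MD5-based suites.
ssl_cipher_list = HIGH:!aNULL:!MD5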

/etc/dovecot/conf.d/15-lda.conf

# Address the LDA uses as sender for its own error/rejection mail; replace
# both placeholders with the real domain and host name.
postmaster_address = postmaster@<yourdomain.com>
hostname = <host.yourdomain.com>
# Must match recipient_delimiter = + in /etc/postfix/main.cf so that
# user+tag addresses land in the same mailbox.
recipient_delimiter = +
# Create (and subscribe the user to) the destination folder if it does not
# exist yet when mail is delivered to it.
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes

/etc/dovecot/conf.d/15-mailboxes.conf

# this is a matter of preference, I use the following:
# In the stock 15-mailboxes.conf these mailbox {} entries sit inside the
# "namespace inbox { ... }" block — keep them there. special_use is the
# RFC 6154 attribute clients use to find the folder; auto = subscribe creates
# the folder and subscribes the user to it automatically.
mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
}
mailbox Junk {
    special_use = \Junk
    auto = subscribe
}
mailbox Trash {
    special_use = \Trash
    auto = subscribe
}
mailbox Sent {
    special_use = \Sent
    auto = subscribe
}
mailbox Archive {
    special_use = \Archive
    auto = subscribe
}

Postfix and Dovecot should both be configured at this point. If you're running firewalld (and you should be), then open the local ports for SMTP, SMTPS, and IMAPS:

[root@host /]# firewall-cmd --zone=public --permanent --add-service=smtp
[root@host /]# firewall-cmd --zone=public --permanent --add-service=imaps
[root@host /]# firewall-cmd --zone=public --permanent --add-port=465/tcp
[root@host /]# firewall-cmd --reload

Now enable and start Postfix and Dovecot:

[root@host /]# systemctl enable postfix
[root@host /]# systemctl start postfix
[root@host /]# systemctl enable dovecot
[root@host /]# systemctl start dovecot

Ensure that the services started and are listening on TCP ports 25, 465, and 993:

[root@host /]# netstat -an | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN

Assuming that you have created a user account on your mail server, configure your mail client, authenticate as that user, and test email. You should be able to send and receive email at this point. If not, work out any network or configuration issues first, before moving on to adding anti-virus and anti-spam.