How to set up a mail server on a GNU / Linux system

Step by step guide to install Postfix

Easy to follow howto on setting up a mail server with unlimited users and domains, with IMAP/Pop access, anti-spam, anti-virus, secure authentication, encrypted traffic, web mail interface and more.

Ubuntu + Postfix + Courier IMAP + MySQL + Amavisd-new + SpamAssassin + ClamAV + SASL + TLS + SquirrelMail


3rd edition

Author Ivar Abrahamsen

Last Update: 2005-11-09

This edition has been superseeded. Please click here to view the new version instead.


Return to top.


Edition State Started Updated Description
1st Released (outdated) 2004-01 2004-02 Based on Mandrake 9.1.
2nd Released (outdated) 2004-02 2004-07 Based on Mandrake 10.x, but valid for all distributions. Very thorough. Includes package description, where to get the sources and binaries, how to build them or which RPMs to use, includes many refrences, etc etc. Starts off with a basic working server, then advances, extends and tightens it in stages.
3rd (This) Released 2005-05 2005-11 Latest released version. Based on Ubuntu 5.04, Hoary Hedgehog. More concise simplified guide to get an advanced server working quickly. Now includes SASL & TSL integration.
4th In developement 2005-10 2005-11 Breezy Badger, Ubuntu 5.10, updated version. Tweaks to edition3, and also adding PostGrey. Please send me information on changes needed from 3rd edition to work in Ubuntu 5.10.
Further details available in the change log and below in the introduction.
Return to top.


This is a step by step guide to set up a fully working and feature rich mail server for a GNU / Linux machine. The aims are to be straight forward and a simple set up, so that as many as possible can easily have a useable, respectable and secure mail server.

If you follow this howto, you end up with a mail server, which can host unlimited domains, with unlimited users, using unlimited disk space, which will be scanned for viruses and spam. You can send and read email via your favourite clients or via webmail. And it will also be very secure.

What do you need before starting this? A blank box in mail server terms. A newly installed linux puta is good or even better; installed with my chosen OS. However old machines are fine, as long as there wont be conflicts with other installed mail packages. Naturally an internet connection is crucial, and speedy as well for downloading the required software. A static, semi-static IP address or a dynamic dns service is also important for DNS resolving etc.

Do you need to be a Linux guru to follow this howto? Not at all, however you should be comfortable having root access to a box. Also you should be aware of the security implications of having open ports exposed to the internet.

As with all guides, don't just rely on one opinion. Have a look at the other howtos in my references, look up postfix.org's listed howtos, read the excellent books available (E.g. Kyle's or Hildebrandt's), and read postfix's documentation to create your custom mail server.

I suggest first reading the whole how to, if not at least skim read it. Then as you start the implementation, be aware of the different sections, and how they relate, E.g configration when testing. You may have to comment things out while debugging the elements.

Feel free to contact me via the contact section in the appendix. Questions, criticism, bug reports are all welcome. Naturally I disclaim all liablities if anythings goes wrong while following my howto. Nor do I guarantee any support, but I am always willing to help, so just drop me a note and I'll see if I can assist. Paid consultancy can be done via electric ray.

About the author. I am Ivar Abrahamsen, a 28 year old Software Engineer. I am Norwegian, but based in Manchester, UK. I am not a Postfix or Linux guru, but I do know abit about both to write a good "how to". My general interest are sports, technology and my better half.

Why have I written this how to? I set up my mail server in 2003, and then did the same for a few friends and collegues. Soon I was getting more request, and being a lazy programmer, I thought.. "Why don't I write a howto and let them do it themselves..." Soon it was listed on postfix.org and I was getting thousends of hits and lots of emails. (blessing in disguise)

Some see the proliferation of howtos as a scourge of useless spam. I see it as a blessing. The more informed and varied information, assistance and opinions, the better. Much better than a single monolithic and even chargable point. I research other people's howtos on most things I do all the time. I tend to write down things I do, most of which no-one else ever reads, some are thankfully usefull for some people, which makes it all worthwhile.

If you find this guide usefull, then any donation of a few quid (or more) will be very nice. Or just a short thank you note is also very much appreciated. (No, I wont collect your addresses and sell it to a spam database. :-) )

Return to top.


Courier IMAP
admin SPF

What software packages have/will I use and why.

Please see software links appendix for further information about these software packages. In that section there is more links to documentation or forums, and viable alternatives, downloadable packages, versions details etc.

Further software and tweaks are discussed in the extension section.

Also review other peoples opinion on these packages via my references.

Return to top.


If you are not going to use the apt-get packages I use in Ubuntu, then you need to review my old edition which have more detail on installing each package from tarballs. Also refer to my referenced howtos, which go into detail on each package, what compile options you should use etc. The Software links section in the Appendix, list where to get the latest software from.

If you use Mandriva(Mandrake), you should go to Easy Urpmi, for adding additional RPM source databases.

If you want to install Ubuntu, then you can install the basic server option of Ubuntu. The server option, available by pressing F1 and type server on the boot up prompt, is cleanest way, but leaves all configuration via command line only. Unless you know your way round Linux and especially Ubuntu/Debian then perhaps the default desktop option is easier. You can then always remove the guis after the mail server is up and running.

Further installation procedures varies between distributions and your preferences. For the optimized custom variety then download the sources and compile just what you need. Again I prefer the slick and easy options, so I use package management software, with the Debian derived Ubuntu; this means using apt-get.

You should enable more package repositories than the default ones that Ubuntu is shipped with (main and restricted). Use synaptic or edit manually /etc/apt/sources.list, and enable universe and add multiverse.

Here is a example summary of my own sources.list file:

#deb cdrom:[Ubuntu 5.04 _Hoary Hedgehog_ - Release i386 (20050407)]/ hoary main restricted deb http://gb.archive.ubuntu.com/ubuntu hoary main restricted multiverse deb-src http://gb.archive.ubuntu.com/ubuntu hoary main restricted multiverse deb http://gb.archive.ubuntu.com/ubuntu hoary-updates main restricted multiverse deb-src http://gb.archive.ubuntu.com/ubuntu hoary-updates main restricted multiverse deb http://gb.archive.ubuntu.com/ubuntu hoary universe deb-src http://gb.archive.ubuntu.com/ubuntu hoary universe deb http://security.ubuntu.com/ubuntu hoary-security main restricted multiverse deb-src http://security.ubuntu.com/ubuntu hoary-security main restricted multiverse deb http://security.ubuntu.com/ubuntu hoary-security universe deb-src http://security.ubuntu.com/ubuntu hoary-security universe
Return to top.

Below are the packages I have installed that are relevant to this mail server. You may choose not to use some of these packes, e.g. Pyzor, or SASL all together, but some parts may not work as I have set up.

I have also included an additionals section, which packages you probably already have installed. The apache/php is needed for SquirrelMail and phpMyAdmin. I also included a firewall, Shorewall, as you will be more exposed to the internet then before, however you should use whichever firewall you trust.

You can install all now, or just each section as we go through the steps. If you are running ubuntu you will need to prepend "sudo" before any commands, or log in as root for this session. Some have a few dependancies, the content checkers have many perl modules.

# Log in as root sudo su # example to find what you have installed dpkg --list | grep postfix # example to find what is available to install apt-cache search postfix # then reiterate through each package # or do a section in one go apt-get install insert-package-name-here

Some of the packages will need you to approve permission to do certain actions, E.g. permissions for some ClamAV access. Courier will also ask if you want to create directories for web based admin. Optional but I tend to say yes.

Return to top.


OS: Ubuntu

The most important setting, security wise, is to configure the firewall. This off course varies between firewalls, your usage. Shorewall main config files in /etc/shorewall that we are concerned with, are interfaces, hosts, zones, policy and rules.

Here is a typical basic zones file

#zone display comment loc Local Local network net Net Tinternet

Here is a typical interfaces file

net eth0 detect

Here is a typical hosts file

loc eth0:

Here is a typical policy file

fw loc ACCEPT fw net ACCEPT loc all DROP info net all DROP info all all REJECT info

Here is a typical rules file for a mail server

AllowPing loc fw AllowSSH loc fw AllowSMTP loc fw #AllowIMAP loc fw #ACCEPT loc fw tcp 465 - AllowPing net fw #AllowSMTP net fw

SMTP access from the web is commented out, untill we are confident everything is working and secure. Also commented out for now is IMAP and TLS SMTP traffic untill we need it.

Then edit /etc/default/shorewall and turn it on.

startup=1 #restart shorewall with /etc/init.d/shorewall restart

For more details on IP Tables and Shorewall, look up its website.

Return to top.

MTA: Postfix

Postfix resides in /etc/postfix. Postfix is by default set up in a chroot jail. This is a security procedure and is very good feature.

However when setting up the server the chroot may be a problem, so keep it in mind if someting don't work. In master.cf there is a column which decides which modules are run within the jail restrictions. Hopefully you don't have to change these settings.

In main.cf you define how Postfix shall operate. Each distribution have different defaults for these settings, however most are similar, so you should not need to worry, but be aware of it. These default are defined in the postfix installation folder, which probably is somewhere in /usr. Most distributions also set up some suggested defaults in the main.cf. Edit this file, note the suggestions and then comment them out.

First set your server name, this must match what you put in your domains DNS MX records.

myhostname = server.yourdomain.com

Then decide what the greeting text will be. Enough info so it is usefull, but not divelge everything to potential hackers.

smtpd_banner = $myhostname ESMTP $mail_name

Next you need to decide whether to send all outgoing mail via another SMTP server, or send them yourself. I send via my ISP's server, so it has to worry about the queing etc. If you send it yourself then you are not reliant on 3rd party server. But you may risk more exposure and accidentally be blocked by spam blockers. And it is more work for your server. Also many servers block dynamic dns hosts, so you may find your server gets rejected. However choose whichever you are confortable with.

# leave blank to do it yourself relayhost = # or put it an accessible smtp server relayhost = smtp.yourisp.com

Next is network details. You will accept connection from anywhere, and you only trust this machine

inet_interfaces = all mynetworks_style = host

Next you can masquerade some outgoing addresses. Say your machine's name is "mail.domain.com". You may not want outgoing mail to come from username@mail.domain.com, as you'd prefer username@domain.com. You can also state which domain not to masquerade. E.g. if you use a dynamic dns service, then your server address will be a subdomain. You can also specify which users not to masquerade.

masquerade_domains = sub.domain.com !sub.dyndomain.com masquerade_exceptions = root

As we will be using virtual domains, these need to be empty.

local_recipient_maps = mydestination =

Then will set a few numbers.

# how long if undelivered before sending warning update to sender delay_warning_time = 4h # will it be a permanent error or temporary unknown_local_recipient_reject_code = 450 # how long to keep message on queue before return as failed. # some have 3 days, I have 16 days as I am backup server for some people # whom go on holiday with their server switched off. maximal_queue_lifetime = 16d # max and min time in seconds between retries if connection failed minimal_backoff_time = 1000s maximal_backoff_time = 8000s # how long to wait when servers connect before receiving rest of data smtp_helo_timeout = 60s # how many address can be used in one message. # effective stopper to mass spammers, accidental copy in whole address list # but may restrict intentional mail shots. smtpd_recipient_limit = 16 # how many error before back off. smtpd_soft_error_limit = 3 # how many max errors before blocking it. smtpd_hard_error_limit = 12

Now we can specify some restrictions. Be carefull that each setting is on one line only.

smtpd_sender_restrictions = reject_non_fqdn_sender permit_sasl_authenticated reject_unknown_sender_domain reject_unauth_pipelining permit smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client relays.ordb.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org, reject_rbl_client cbl.abuseat.org smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination, check_relay_domains smtpd_helo_required = yes disable_vrfy_command = yes

In my client restrictions I specify some spam detection servers. These are call RBL: Real-time blackhole list. They check if the connecting server is a known open relay used by spammers. Some argue these should not be used in the postfix configuration, as there are some false positives. And SpamAssassin uses rbl checking, but as part of its scoring system, so it is not all black and white.

Next we need to set some maps and lookups for the virtual domains.

# not sure of the difference of the next two # but they are needed for local aliasing alias_maps = hash:/etc/postfix/aliases alias_database = hash:/etc/postfix/aliases # this specifies where the virtual mailbox folders will be located virtual_mailbox_base = /var/spool/mail/virtual # this is for the mailbox location for each user virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf # and their user id virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf # and group id virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf # and this is for aliases virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf # and this is for domain lookups virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf # this is how to connect to the domains (all virtual, but the option is there) # transport_maps = mysql:/etc/postfix/mysql_transport.cf

You need to set up an alias file. This is only used locally, and not by your own mail domains.

cp /etc/aliases /etc/postfix/aliases # may want to view the file to check if ok. # especially that the final alias, eg root goes # to a real person postalias /etc/postfix/aliases

Next you need to set up the folder where the virtual mail will be stored. This may have already been done by the apt-get. And also create the user whom will own the folders.

# to add if there is not a virtual user mkdir /var/spool/mail/virtual groupadd virtual -g 5000 useradd virtual -u 5000 -g 5000 chown -R virtual:virtual /var/spool/mail/virtual # to modify if a virtual user is already set groupmod -g 5000 virtual usermod -g virtual -u 5000 virtual chown -R virtual:virtual /var/spool/mail/virtual

Next we need to set up the files to access the lookups via the database. We will only set up a few now, and the rest later when/if needed:

Edit /etc/postfix/mysql_mailbox.cf

user=mail password=apassword dbname=maildb table=users select_field=maildir where_field=id hosts= additional_conditions = and enabled = 1

Edit /etc/postfix/mysql_uid.cf

user=mail password=apassword dbname=maildb table=users select_field=uid where_field=id hosts=

Edit /etc/postfix/mysql_gid.cf

user=mail password=apassword dbname=maildb table=users select_field=gid where_field=id hosts=

Edit /etc/postfix/mysql_alias.cf

user=mail password=apassword dbname=maildb table=aliases select_field=destination where_field=mail hosts= additional_conditions = and enabled = 1

Edit /etc/postfix/mysql_domains.cf

user=mail password=apassword dbname=maildb table=domains select_field=domain where_field=domain hosts=

As you can see the 3 first are very similar, only the select_field changes. If you specify an ip in hosts, (as opposed to 'localhost') then it will communicate over tcp and not the mysql socket. (chroot restriction)

Return to top.

Database: MySQL

Next we need to setup all those lookups specified before.

First you need to create a user to use in MySQL. Then you need to create the database. And unless you already have done this, make sure you have set a password for the root user!

# If not already done... mysqladmin -u root password new_password # log in as root mysql -u root -p # then enter password for the root account when prompted Enter password: # then we create the mail database create database maildb; # then we create a new user: "mail" GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'mail'@'localhost' IDENTIFIED by 'apassword'; GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'mail'@'%' IDENTIFIED by 'apassword'; exit;

You need to create these tables: We will create more later on for further extensions, but only these are relevant now.

# log in to mysql as the new mail user mysql -u mail -p maildb # enter the newly created password Enter password: #then run this commands to create the tables; CREATE TABLE `aliases` ( `pkid` smallint(3) NOT NULL auto_increment, `mail` varchar(120) NOT NULL default '', `destination` varchar(120) NOT NULL default '', `enabled` tinyint(1) NOT NULL default '1', PRIMARY KEY (`pkid`), UNIQUE KEY `mail` (`mail`) ) ; CREATE TABLE `domains` ( `pkid` smallint(6) NOT NULL auto_increment, `domain` varchar(120) NOT NULL default '', `transport` varchar(120) NOT NULL default 'virtual:', PRIMARY KEY (`pkid`) ) ; CREATE TABLE `users` ( `id` varchar(128) NOT NULL default '', `crypt` varchar(128) NOT NULL default 'sdtrusfX0Jj66', `name` varchar(128) NOT NULL default '', `uid` smallint(5) unsigned NOT NULL default '5000', `gid` smallint(5) unsigned NOT NULL default '5000', `home` varchar(255) NOT NULL default '/var/spool/mail/virtual/', `maildir` varchar(255) NOT NULL default '', `quota` varchar(255) NOT NULL default '', `enabled` tinyint(3) unsigned NOT NULL default '1', `change_password` tinyint(3) unsigned NOT NULL default '1', `procmailrc` varchar(128) NOT NULL default '', `spamassassinrc` varchar(128) NOT NULL default '', `clear` varchar(128) NOT NULL default 'ChangeMe', PRIMARY KEY (`id`), UNIQUE KEY `id` (`id`) ) ;

Next is to edit the my.cnf file. In Ubuntu/debian this is created by default. In Mandrake I had to manually create a blank one in /etc. In ubuntu edit /etc/mysql/my.cnf

# comment out this line #skip-networking # Make sure this is set log = /var/log/mysql/mysql.log

By this you have enable net access to MySQL, but you still control whom connects to it with your firewall and user settings in MySQL. You may be able to just connect straight to the socket which is more secure.

# restart MySQL to make sure # its picking up the new settings. sudo /etc/init.d/mysql restart
Return to top.

Pop/IMAP: Courier IMAP

Edit /etc/courier/authdaemonrc, and change the module line to this:


Edit authmysqlrc and make sure these setting lines are set correctly.

MYSQL_SERVER localhost MYSQL_USERNAME mail MYSQL_PASSWORD apassword MYSQL_PORT 0 MYSQL_OPT 0 MYSQL_DATABASE maildb MYSQL_USER_TABLE users # comment out this field, # as I now longer use the encrypted pw options #MYSQL_CRYPT_PWFIELD crypt MYSQL_CLEAR_PWFIELD clear MYSQL_UID_FIELD uid MYSQL_GID_FIELD gid MYSQL_LOGIN_FIELD id MYSQL_HOME_FIELD home MYSQL_NAME_FIELD name MYSQL_MAILDIR_FIELD concat(home,'/',maildir) MYSQL_WHERE_CLAUSE enabled=1

Edit imapd

# set how many connections to use per person. Easy to underestimate if you have 6 mailboxes set up. MAXPERIP=20 # high debug to start with DEBUG_LOGIN=2 IMAPDSTART=YES

Then edit the same in the pop and ssl options, if you are going to use them.

If you have followed these steps properly, you should now have a working mail server. You can skip down to the data and then test stage to see if your server works as intended. It is not secure and is suceptable to spam, so do follow the other steps soon, but it is nice to find out that it works!

Return to top.

Content Checks: Amavisd-new

Open /etc/amavis/amavis.conf and review it. As you can see there is loads of options. The ones that are important are:

$mydomain 'yourdomian.com'; $daemon_user= 'virtual'; $daemon_group= 'virtual'; @local_domains_acl = qw(); $inet_socket_port = 10024; $forward_method = 'smtp:'; # @bypass_virus_checks_acl = qw( . ); # @bypass_spam_checks_acl = qw( . ); # I also change these $TEMPBASE = "$MYHOME/tmp"; # Whilst debugging $log_level = 2; $warnbannedrecip = 1; $warn_offsite = 1; $warnvirusrecip = 1; $spam_quarantine_to = "spam-quarantine\@$mydomain"; $virus_quarantine_to = "virus-quarantine\@$mydomain"; $sa_local_tests_only = 0;

Then in av_scanner section you enable/disable the virus scanners you are going to use. We will be using ClamAV, so comment out all lines between @av_scanners( and its closing bracket. Do the same for @av_scanners_backup. Then in @av_scanner uncomment Clam lines, (maybe lines 1232 to 1235).

Then you need to check that the $TEMPBASE folder exists and is ownder by the $daemon_user. The same goes for the virusfolder.

# You may have to do this cd /var/lib/amavis mkdir tmp chown virtual:virtual tmp chown virtual:virtual virusmails

The init script for amavis insist on the ownership of these being the "proper" amavis user and group. As we need it to be the virtual pair, we need to edit the /etc/init.d/amavis script. (Unless someone has a sweeter way.)

#edit about line 31 #chown -c -h "$1:$2" "$4" chown -c -h "virtual:virtual" "$4"

Next thing is to specify how to connect to the content check plugin.

Edit master.cf in /etc/postfix, The changes I have made from the default master.cf is modifying two lines then addding three more services.

#smtp inet n - n - - smtpd smtp inet n - - - - smtpd -o cleanup_service_name=pre-cleanup #cleanup unix n - - - 0 cleanup cleanup unix n - - - 0 cleanup -o mime_header_checks= -o nested_header_checks= -o body_checks= -o header_checks= amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o strict_rfc821_envelopes=yes -o mynetworks= -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1001 pre-cleanup unix n - - - 0 cleanup -o virtual_alias_maps= -o canonical_maps= -o sender_canonical_maps= -o recipient_canonical_maps= -o masquerade_domains=

Then edit main.cf in /etc/postfix and add these lines.

content_filter = amavis:[]:10024 #receieve_override_options = no_address_mappings
Return to top.

Anti-Virus: ClamAV

ClamAV do not need a lot of setting up. You need to make sure it is run by the same user as the amavisd-new. And then you may configure the fresclam option, which makes sure you have the latest virus definitions.

Edit /etc/clamav/clamd.conf and change the user to the amavisd-new user or the other way round.

# User clamav User virtual

Then change ownership of its runtime folder

chown virtual:virtual /var/run/clamav

Edit freshclam.conf

# how frequent per day. default is once an hourwhich is a bit excesive. Checks 1
Return to top.

Anti-Spam: Spamassassin

SpamAssassin's default settings were fine, but you can tweak them at /etc/spamassassin/local.cf and review the defauls at /usr/share/spamassassin/. E.g. you can in/decrease the levels needed before emails are marked as spam and before rejections.

Here is an example of my local.cf.

skip_rbl_checks 0 use_razor2 0 use_dcc 0 use_pyzor 0 use_bayes 1 bayes_path /etc/spamassassin/bayes bayes_file_mode 0770

Once you have a collection of spam and non spam (200+ of each), you can train the Bayes filter in SpamAssassin with these emails. Review this on the SpamAssassin web site.

# E.g. like this sa-learn --showdots -C /etc/spamassassin --spam /var/spool/mail/virtual/quarantine/.spam/* sa-learn --showdots -C /etc/spamassassin --ham /var/spool/mail/virtual/mine/cur/*

If you notice too much spam is being let through, then do more tweaking. If you get too many false postives, ie real emails marked as spam, loosen the set up slightly. A properly configured SpamAssassin should catch 97% of all spam. With probably 1 in 1000 false positives.

The SpamAssassin site has a lot of information on setting it up. It is worth a good read through. Some usefull tips are automatic learning, cronjobs to learn user marked spam and ham, etc.

Return to top.


Cyrus SASL provide a secure method of authenticating users. This type of authentication is required by two methods, one is by postfix when sending email and the other is by Courier when reading emails.

First we wil will deal with postfix. Add these lines to main.cf

# modify the existing smtpd_recipient_restrictions smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_relay_domains # modify the existing smtpd_sender_restrictions smtpd_sender_restrictions = reject_non_fqdn_sender permit_sasl_authenticated reject_unknown_sender_domain reject_unauth_pipelining permit # then add these smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2 smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname

Then we need to create the sasl configuration

# May already exist mkdir /etc/postfix/sasl # Then create the conf file. vi /etc/postfix/sasl/smtpd.conf pwcheck_method: auxprop auxprop_plugin: sql mech_list: plain login cram-md5 digest-md5 sql_engine: mysql sql_hostnames: sql_user: mail sql_passwd: apasswd sql_database: maildb sql_select: select clear from users where id='%u@%r'

That is all that should be required for sending email.

Next is to configure Courier to authenticate via SASL as well.

In Ubuntu all this was preset so the only line I needed to modify / confirm in /etc/courier/imapd is:


If you need Pop, modify the pop file as well.

Return to top.


SASL is secure authentication, but all the traffic is still in plain text. Enter encryption and TSL. TSL, an evolution of SSL, encrypts the traffic between the server and your email client for sending via postfix and reading via courier.

TSL is not client encryption, ie encrypting the content all the way between sender and recipient. For this type look up GNuPG and S/MIME in extensions.

First you need to create a certificate for postfix and one for courier. In postfix you need to do this for 3 year certificate:

cd /etc/postfix openssl req -new -outform PEM -out \ postfix.cert -newkey rsa:2048 -nodes -keyout \ postfix.key -keyform PEM -days 999 -x509

Then you need to add these to /etc/postfix/main.cf

smtpd_use_tls = yes smtpd_tls_cert_file = /etc/postfix/postfix.cert smtpd_tls_key_file = /etc/postfix/postfix.key smtpd_data_restrictions = reject_unauth_pipelining

The debian packages in Ubuntu creates certificate for courier for you. Otherwise do this (in case server name is not same as machine name):

openssl req -x509 -newkey rsa:1024 -keyout imapd.pem -out \ imapd.pem -nodes -days 999

Then edit /etc/courier/imapd-ssl and make sure this is path to the certificate.


This will enable secure traffic of emails via your clients and the server. As these are not signed certificates, some may be prompted to accept license. You could get people to import your certificates, if only a few is accessing you imap/smtp server, or purchase a signed one if you have a large number of users, especially if corporate. Outlook is known as stuburn to accept the certificates.

There are some issues with using SALS and TLS at the same time. Since all the traffic is encrypted with TLS, then the need for SASL is less.

Return to top.

Webmail: SquirrelMail

The squirrel is php module from sourceforge. Once installed in a web root somewhere go to its parent folder. E.g. /var/www/. In Ubuntu it is installed in /usr/share, so do this first.

ln -s /usr/share/squirrelmail /var/www/squirrelmail

Next thing is to set up a url to access squirrel mail. You can either have it as a subfolder in an existing web site, or as I prefer as virtual host for itself. Edit wherever your specify virtual hosts on your system, ( e.g. /etc/httpd/conf/vhosts/ ). In Ubuntu edit this file: /etc/apache2/sites-available/webmail

<VirtualHost *> ServerAdmin webmaster@localhost ServerName webmail.yourdomain.com DocumentRoot /var/www/squirrelmail <Directory /var/www/squirrelmail> Options Indexes FollowSymLinks MultiViews AllowOverride AuthConfig Order allow,deny allow from all </Directory> ErrorLog /var/log/apache2/error-webmail.log LogLevel warn CustomLog /var/log/apache2/access-webmail.log combined ServerSignature On </VirtualHost>

Then will enable and activate it.

ln -s /etc/apache2/sites-available/webmail /etc/apache2/sites-enabled/810-webmail /etc/init.d/apache2 restart

Squirrelmail comes with perl executable to configure itself. Run it.


It is menu driven, and powerfull so be carefull. Chose option 9 from the menu, the database option. Then 1 to edit the dns for address book.

# Enter this mysql://mail:apassword@

Then choose 3 for the preferences and enter the same.


There is also a global address option if you choose to use it. Press s to save the settings, and r to return to main menu. Press q to exit.

Then you need to create these database tables, log into mysql maildb database and run these.

mysql -u mail -p maildb CREATE TABLE `address` ( `owner` varchar(128) NOT NULL default '', `nickname` varchar(16) NOT NULL default '', `firstname` varchar(128) NOT NULL default '', `lastname` varchar(128) NOT NULL default '', `email` varchar(128) NOT NULL default '', `label` varchar(255) default NULL, PRIMARY KEY (`owner`,`nickname`), KEY `firstname` (`firstname`,`lastname`) ) ; CREATE TABLE `userprefs` ( `user` varchar(128) NOT NULL default '', `prefkey` varchar(50) NOT NULL default '', `prefval` varchar(255) default NULL, `modified` timestamp(14) NOT NULL, PRIMARY KEY (`user`,`prefkey`) ) ;

Right then, as the squirrelmail suggested, you can try of this works later on by going to http://your-squirrelmail-location/src/configtest.php ( Please note you may not have any data or mail to test it with yet. so perhaps wait till test section. )

Return to top.


PhpMyAdmin is an excellent MySQL administration gui. I use it to manage my mail settings, and can be used when setting up the MySQL database as well.

# cd into web root where phpMyAdmin is installed, e.g. /var/www # Again in Ubuntu a soft link is needed to /usr/share # this time however the apt-get has done it for you. (check though) # If the folder contains the version in its name. # do this for ease of access and if later upgrading ln -s phpMyAdmin1.6.2 phpMyAdmin

First of all once you have installed phpMyAdmin is the create a .htaccess file in its folder. Otherwise every Tom, Dick and Harry can mess your system up.

# either reuse an old .htpasswd file # or as below , create one when you add the first user htpasswd2 -c /path/to/htpasswd/file/outside/www/.htpasswd ausername # then enter desired passwd

Then create a .htaccess file, /path/to/phpmyadmin/.htaccess. The phpMyAdmin that comes with Ubuntu already has this file, so you need to comment out those and add these lines to it.

AuthType Basic AuthName "A Bit Hush and all that" AuthUserFile "/path/to/htpasswd/file/outside/www/.htpasswd" require valid-user

Next is to edit /path/to/phpmyadmin/config.inc.php. Set the $cfg['PmaAbsoluteUri'] to whatever address and path your phpMyAdmin is. Then set up what servers to connect to. You can add the root user for easy admin of the whole system, but that is a bit insecure. Adding a different user with full access is a better solution, if you require full admin through the gui. However for the mail admin, neither is required, all you need to add is the mail user.

$cfg['Servers'][$i]['host'] = 'localhost'; $cfg['Servers'][$i]['user'] = 'mail'; $cfg['Servers'][$i]['password'] = 'apassword'; $cfg['Servers'][$i]['only_db'] = 'maildb';


For a mail server to be used, people/machines will have to know how and where to connect to deliver mail for your domains.

You need to edit the MX records of your domains DNS. Whether you run your owm DNS server, or use a free DNS service. they mostly act the same, even though some has been fluffed up with a nice GUI.

domain.tld IN MX 10 your.mailserver.name.tld
Return to top.


So we got a fully set up mail server... Well no, there is no users, domains, no nothing!

Okay, first you need add some default data, some which are required, some which make sense.

Then we'll add your own users and domains.

First the required domains for local mail

# Use phpMyAdmin or command line mysql INSERT INTO domains (domain) VALUES ('localhost'), ('localhost.localdomain');

Then some default aliases. Some people say these are not needed, but I'd include them.

INSERT INTO aliases (mail,destination) VALUES ('postmaster@localhost','root@localhost'), ('sysadmin@localhost','root@localhost'), ('webmaster@localhost','root@localhost'), ('abuse@localhost','root@localhost'), ('root@localhost','root@localhost'), ('@localhost','root@localhost'), ('@localhost.localdomain','@localhost');

Then a root user.

INSERT INTO users (id,name,maildir,clear) VALUES ('root@localhost','root','root/','apassword');

Now lets add some proper data. Say you want this machine to handle data for the fictional domains of "blobber.org", "whopper.nu" and "lala.com". Then say this machine's name is "mail.blobber.org". You also have two users called "Xandros" and "Vivita". You want all mail for whooper to go to xandros. There is also a "Karl" user, but he does want all mail forwarded to an external account.

INSERT INTO domains (domain) VALUES ('blobber.org'), ('whopper.nu'), ('lala.com'); INSERT INTO aliases (mail,destination) VALUES ('xandros@blobber.org','xandros@blobber.org'), ('vivita@blobber.org','vivita@blobber.org'), ('karl@blobber.org','karl.vovianda@gmail.com'), ('@whopper.nu','xandros@blobber.org'), ('@lala.com','@blobber.org'), ('postmaster@whopper.nu','postmaster@localhost'), ('abuse@whopper.nu','abuse@localhost'), ('postmaster@blobber.org','postmaster@localhost'), ('abuse@blobber.org','abuse@localhost'); INSERT INTO users (id,name,maildir,clear) VALUES ('xandros@blobber.org','xandros','xandros/','apassword'), ('vivita@blobber.org','vivita','vivita/','anotherpassword');

So what does each of these lines do? Well the domains are pretty straight forward. The users are as well, it requires four fields. ID is the email address of the user, and also its username when loggin in, described later on. NAME is optional description of the user. MAILDIR is the name of the folder inside /var/spool/mail/virtual. It must end in a /, otherwise it wont be used as a unix maildir format. CLEAR is the clear text password to use.

The alises are the interesting part. Lets start from a top down view. Say an email arrives addressed to "john@whopper.nu". Postfix looks up aliases and searches for a row where the mail field matches "john@whopper.nu". None does so it next searches for "@whopper.nu", which is the way to specify catch all others for that domain. It finds one row and its destination is "xandros@blobber.org". It then searches for "xandros@blobber.org" and finds one, which destination is the same as the mail, therefor it is the final destination. It then tries to deliver this mail. The look up says blobber.org is a local mail so it looks up users for a matching id and delivers it to its maildir.

Lets try "julian.whippit@lala.com". First lookup does not find this user, but the next finds the catchall "@lala.com". But its destination is another catchall, "@blobber.org". This means Postfix will look for "julian.whippit@blobber.org". This address is not found either, nor is a catchall for blobber.org. Therefor this address is not valid and the message will be bounced.

Any mail arriving for "karl@blobber.org" or "karl@lala.com", gets forward to an external address of "karl.vovianda@gmail.com". So forwarding is simple. I tend to use a subdomain for all my friends addresses as easily I forget what their real addresses are, and I use different email clients all the time.

I also added the required aliases of postmaster and abuse to blobber.org and whopper.nu. The catchall for lala.com means they are not required for that domain. You can add them though if you do not want xandros to get the admin emails. Another usefull alias to add is root, as often you get admin mail from e.g cron jobs within those domains etc. Other often used aliases are info, support, sales and all. But they are also honeypots for spam, so just include the ones you think you will need.

So to add a new domain to the system, You do this:

INSERT INTO domains (domain) VALUES ('domain.tld'); INSERT INTO aliases (mail,destination) VALUES ('@domain.tld','email@address'), ('postmaster@domain.tld','email@address'), ('abuse@domain.tld','email@address');

And to add a new user to the system, do this:

INSERT INTO users (id,name,maildir,clear) VALUES ('email@address','short description','foldername/','password'); INSERT INTO aliases (mail,destination) VALUES ('email@address','email@address');
Return to top.



This is a small and simple section, but this will be the one you spend the longest on!

There will be spelling errors(by you and me), difference in setups, external factors etc, so this server is guaranteed not to work first time. Great eh?

But don't worry, we can quickly track down which section is at fault, and solve the issues one by one.

I hope you blocked external acces to your SMTP port (25) in your firewall setting. Otherwise you might have become an open relay for spammers. (Okay unlikely unless you have been running exposed for a few weeks). You will have to unblock it soon, but not yet. Lets first be 100% sure the system works, so only local access to SMTP should be allowed for now.

We will test each section bit by bit to black box certify each bit. First test that postfix delivery works (by exluding content checks and ignoring courier). We will check if it can connect to MySQL for its lookups, if maildir are created and if it can send messages. Then we'll re-enable content checks to see if they work. Then we start testing courier, see if it can access MySQL and if it shows the right mailboxes.

The easiest way to do the testing is with telnet. Turn on full debuggon, tail a few logs a lets get started.

# Making sure nothing is running /etc/init.d/courier stop /etc/init.d/postfix stop /etc/init.d/amavisd stop /etc/init.d/spamassassin stop /etc/init.d/clamav stop /etc/init.d/mysqld stop # Then to check if they really stopped ps aux netstat -tnp

Then we'll disable content cheks. In /etc/postfix/master.cf uncomment/comment these lines like this:

smtp inet n - n - - smtpd #smtp inet n - - - - smtpd # -o cleanup_service_name=pre-cleanup cleanup unix n - - - 0 cleanup #cleanup unix n - - - 0 cleanup # -o mime_header_checks= # -o nested_header_checks= # -o body_checks= # -o header_checks=

Then in main.cf comment out this line:

#content_filter = amavis:[]:10024

Then we'll tail the mysql and postfix logs. (Paths might differ). It helps being in X windows, or ssh in from another machine, if no X server. Or just using different sessions (ctrl+alt+f1-6), as we will be tailling and editing in many sessions at once.

# In one window do this tail -f /var/log/mysql/mysql.log # then in another tail -f /var/log/maillog.info /etc/init.d/mysqld start # then /etc/init.d/postfix start # then check if postfix is listening on 25 and mysql on 3306 netstat -tnp

Okay up and running (hopefully).

First we will telnet in and try and send a message to a local user.

Then we will try and send to an external user via postfix.

# Lets try and send a message to xandros@lala.com # (replace with your own user in this setup, or use postmaster@localhost) telnet localhost 25 # reponse back: > > > # then open the hand shake with ehlo and the server name you are connecting from... EHLO mail.domain.tld > > > # then say who is the sender of this email MAIL FROM: <your@address.com> > 250 Ok # then say who the mail is for RCPT TO: <xandros@lala.com> > 250 Ok data > 354 End data with <CR><LF>.<CR><LF></LF></CR></LF></CR> # enter message bodyand end with a line with only a full stop. blah blah blah more blah . > 250 Ok; queued as QWKJDKASAS # end the connection with quit > 221 BYE

The postfix log should then start showing up what is happening. If something happens in the mysql log, it means that connection if working.

Possible problems and solution can be:

When all these test are working fine, re-enable the content checks and try them all the tests again. This time you might have to tail the syslog as well. Possible problems can be:

Then the next step is to test Courier-IMAP.

Again tail the maillog, syslog and mysql log. Turn on DEBULEVEL in /etc/courier/imap to 2.

telnet localhost 143 > > >

telnet 10024 Trying Connected to Escape character is '^]'. 220 [] ESMTP amavisd-new service ready

If a response then all is well. Otherwise check ownership of /var/run/amavisd. Perhaps change /etc/init.d/amavisd to make sure it chown to virtual:virtual

debug_peer_list =

Now if all okay internally, then you need to edit the firewall rules and re-enable smtp access from the net. Test from an external server if you have ssh access. Proper telnet testing will let you know quickly if something is wrong. When that process works okay, it is time to test with proper emails. Either use an external webmail service, e.g. gmail, or forward via external mail forwarding services.

Doing a full reboot to test if everything comes up as desired is probably a good idea as well.

Congratulations, you have a working mail server! Now send me a note to let me know about it.

Return to top.


By now you should have a fully working system. No point extending and complicating it untill then. What next? There are many ways to extend the server, to create your own powerfull customized version.

Some of these sections can be brief as they are not core to this howto.

Remote MX mail backup

With MX backup loosing emails are unlikely.

Normally if someone sends an email destined for you, their server will try and connect to your server. If it can't reach your server for whatever reason ( it is down, dns issues, there is network problems, or just too busy ), the other server will back off and try again in a bit. How many and for how long it will try again is determined by the sending server. Some of them are not very patience, and it will report undelivered after only a few attempts. So you would have lost that email.

If you had specified a backup MX, this email may not have been lost. Upon first failure to connect to your server, the sender would see if there is any alternative server to send to. So it connects to your backup mx server. This server spools and queues your message and will try at intervals to send the message to you. It too will though eventually give up.

What is the difference? Simple, you (or whoever controls the backup mx ) is in control how long and often to try connecting to your machine. So if you have a reasonable values and your server is not down for weeks, no mail is lost.

How to implement it? First edit the DNS records again, and add a backup mx with a higher value.

# your server details domain.tld IN MX 10 your.mailserver.name.tld # new backup server domain.tld IN MX 20 your.backupserver.name.tld

Now presuming the other backup mx is a postfix server identical to this, or you are backuing up someone else's server; Go into mysql and create this tables:

CREATE TABLE `backups` ( `pkid` smallint(6) NOT NULL auto_increment, `domain` varchar(128) NOT NULL default '', `transport` varchar(128) NOT NULL default '', PRIMARY KEY (`pkid`), UNIQUE KEY `domain` (`domain`) );

Then still on the backup server, edit main.cf and add these:

relay_domains = mysql:/etc/postfix/mysql_backups.cf transport_maps = mysql:/etc/postfix/mysql_transport.cf

You may choose to have this as the last line in the file, as you may use small cron jobs to modify this ip address, if you don't have a permanent static address. It should contain your IP addres, hence if you do not have a very static IP address, that you need to automatic editing if the postfix file.

proxy_interfaces =

Next create this file /etc/postfix/mysql_backups.cf

user=mail password=apassword dbname=maildb table=backups select_field=domain where_field=domain hosts=

Next create this file /etc/postfix/mysql_transport.cf

user=mail password=apassword dbname=maildb table=backups select_field=transport where_field=domain hosts=

You noticed I added a transport lookup. This is a field in both the domain and the backup tables. In domains it is used to determine how to deliver the email, ie either virtual (correct) or local (not used in this howto). When backing up servers, your also need to specify in the transport field how to connect to the correct servers.

Say you are backiup for a friends server, mail.friend.com, for the domains of friend1.com and friend2.com. So you should insert this into your backup table.

INSERT INTO backups (domain,transport) VALUES ('friend1.com' , ':[mail.friend.com]' ), ('friend2.com' , ':[mail.friend.com]' );

The :[] tells to connect directly to this server, not doing any more look ups for valid MX servers.

This shouls now work fine. Further tweaking of the queue values, review these and modify as appropiate. Shorter warning times are good for the sender, so that they realise the email has not arrived yet, but may also be annoying. Tradeoffs.. Look in the first main.cf configurations for ways to do so.

Return to top.

Local file backup

Here is rough backup script to backup your configurations and mail folders. You may want to backup the folders seperatly as they can quickly grow to GBs. Adding this to a cronjob automates this process. Be aware that you should stop postfix and courier while backing up the mail folders. And that if they have grown large, that this may take some time.

tar czf mail-config.xxxxx.tgz /etc/postfic /etc/courier /etc/spamassassin /etc/clamav /etc/amavis /etc/mysql/my.cnf tar czf mail-fold.xxxx.tgz /var/spool/mail/virtual mysqldump -u mail -papassword -t maildb > data.sql mysqldump -u mail -papassword -d maildb > schema.sql tar czf mail-data.xxx.tgz schema.sql data.sql tar cf mail.xxxxx.tar mail-*.xxxxx.tgz

You may combine a full backup with a intermediate update of what has changed recently only.

tar --newer-mtime "2005-01-01"
Return to top.

Sender ID & SPF


Further security features is using Microsoft's Sender ID or Pobox's SPF. I'd use SPF as there is much argument over Sender ID.



While SPF should limit who can send mail on behalf of your domains, ( so basically less spoofed spam addresses ), I do have some technical issues with SPF as the design of it is a bit iffy. That is because of the limitation of DNS and that it has to fit inside the limited TEXT part. No nice XML config file....

While Microsoft is not always entirely evil, as sometimes they do nice things and make some usefull software, I would prefer not to be locked into their Sender ID technology.

Return to top.

Spam reporting


Reporting spam to Pyzor, Razor and SpamCop, for collaboration in spam fighting.

More detail on SpamCop is here.



Return to top.

White/Black Lists


You can implement white and black lists to explicitly allow or block domains and users.

You have already visited the option of a blackhole list of known open relays in the postfix configuration.

You can implement further lists inside Postfix or SpamAssassin. Amavisd-new already has a few well known white/black listed items in its config files. SpamAssissin also as a feture to automaticly learn white lists.

Return to top.


Adding support for GnuPG and S/MIME increases indiviual security.

This is not implemented on the postfix server side, as this totally a client side option.

However SquirrelMail has a GnuPG option. It is a plugin that can be downloaded from their website. Which can then be enabled via SquirrelMail's config script.

Here is how to create a GnuPG key pair.

# check you have not already got a key gpg --list-keys # then create one gpg --gen-key

To import GnuPG into Evolution; in your settings/preferences edit your account settings and add you private key under the security tab. The private key is found via listing the GnuPG keys as above, then it is the 8 characters after the "sub 1024g/" bit of you key.

To use GnuPG with Thunderbird you need to install EnigMail.

S/MIME is another way to encrypt and/or sign messages. You can create you own certificate or use known organizations like Thawte. (Thawte was originally set up by the Ubuntu founder)

Return to top.

Relocation notice

If people change addresses, a bounced message stating so if people send email to the old address is quite usefull. To implement this in postfix, frst create a lookup table in the database.

CREATE TABLE `relocated` ( `pkid` smallint(6) NOT NULL auto_increment, `oldadr` varchar(128) NOT NULL default '', `newadr` varchar(128) NOT NULL default '', `enabled` tinyint(1) NOT NULL default '1', PRIMARY KEY (`pkid`), UNIQUE KEY `oldadr` (`oldadr`) ) ;

Then add this to /etc/postfix/main.cf

relocated_maps = mysql:/etc/postfix/mysql_relocated.cf

The create this file /etc/postfix/mysql_relocated.cf

user=mail password=apassword dbname=maildb table=relocated select_field=newadr where_field=oldadr hosts=

Then if pete@domain1.com has changed address to pete.jones@another.org:

INSERT INTO relocated (oldadr,newadr)VALUES ('pete@domain1.com','pete.jones@another.org');

If anyone sends an email to pete@domain.com, they will get a message back stating he has changed address to pete.jones@another.org.

Return to top.


If SASL didn't work, or you are using clients which dont support it, the Pop-Before-SMTP is an easy way around that issue, so that people externally can still securly send mail via your server.

Refer to my 2nd edition on Pop-berfore-SMTP setup.

Return to top.

Admin software


Trying out a few admin software might make you life easier, if phpMyAdmin gets to crude. Quick search

More to come later.

Return to top.

Auto Reply


Postfix have now features to auto reply to an email, while still delivering it to its alias.

Return to top.

Block Addresses

If you use catch alls, which are usefull for some domains, then eventually some addresses will be target for spam. You can then either stop the catch all, or stop indivdual addresses.

By implementing a lookup and adding this restriction to smtpd_recipient_restrictions accomplises this.

check_recipient_access mysql:/etc/postfix/mysql_block_recip.cf,

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, \ check_recipient_access mysql:/etc/postfix/mysql_block_recip.cf, \ reject_non_fqdn_recipient, reject_unauth_destination, \ check_relay_domains

Beware of the order is important here, if any options says ok before check_recipient_access it will ignore it.

Next create mysql_block_recip.cf to lookup addresses. Either create a another table, or add a blocked field to aliases table.

Return to top.

Throttle Output


For some users with restrictions on bandwidth, you may wish to control how much mail is sendt out. Postfix has long refused to implement these features, out of ideolocial beliefs that mail servers should not be restricted. However there are some ways around this. More to come later.

Return to top.

Mail Lists

Interaction with Majordome etc is not covered here. However a simple mailling list can be implemented, by simply seperating aliases in the destination field in the aliases table with a comma.

INSERT INTO aliases (mail,destination) VALUES ( 'listof@domain.com' , 'john@ppp.com,vic@domain.com,jj@somewhere.tld' );
Return to top.


For postgrey integration, see edition4. Postgrey reduces spam by about 99%.

Return to top.


If you have any suggestions to other ways of extending a postfix server, then fire off a mail to me via the contact form further down.

Return to top.



Return to top.

Software Links

Return to top.


Here is a list of config files to assist you and some batch shell scripts to try and do the install steps for you.

Please note, they are not guaranteed to work. You should review them to make sure they will work for you, and that I am not doing something bad, or misspelt or forgot something, and so that you understand how they work.

Return to top.


You can contact me directly, however the best way to talk about this howto is to use the Ubuntu forums web site. There is a thread for this howto in the Ubuntu 5.04 (Hoary) section, and soon there will be one for 5.10 (Breezy).

But if you would like to contact me, and I do like to hear from people using this howto, then use the form below, or at a flurdy.com. I can't guarantee when I will reply though.. :)

I would like to hear from people whom have written howtos to extend this howto or recommend links for extensions.

Your Name

Email Address



Return to top.


Always a lot todo, but I have moved them all to the 4th edition...

Return to top.

Change Log

Return to top.