How Do You Install Postfix on Ubuntu?

Published 24 April 2025
Updated 28 March 2026

This document describes the steps required to install and configure a secure Postfix SMTP server including DKIM and SPF setups on an Ubuntu server. In addition, it is configured to work with Dovecot, a secure IMAP server.

What is Postfix?

Postfix is an open source email server that communicates via the SMTP protocol and runs on the Unix operating system and many variants, including Linux.

The primary author of Postfix is Wietse Venema.

What is Dovecot?

Dovecot is a secure open source IMAP server. It allows devices such as mobile phones to talk to an email server and send and receive mails as the user desires.

The mail server runs in the background all the time receiving and delivering email. The IMAP client may only be operating for a few minutes while the user checks their mail box on the server for messages. It can provide push notifications so users are notified on their device as soon as new mail arrives.

What is Ubuntu?

Ubuntu is a distribution of the GNU/Linux Operating System. It is based on a Linux distribution called Debian. The Ubuntu team curates and customises Debian packages to create a consistent end user experience including support on top of the powerful Linux kernel to create a popular computer operating system.

Why run a secure Postfix server?

As port 25 (SMTP) can be blocked by ISPs (e.g. mobile providers) we use port 587 with a Secure SMTP server to provide email services over the public internet.

Prerequisites

It is assumed:

  • you have a server with Ubuntu 24.04 or later installed
  • the server has access to the public internet
  • there are DNS records that you control pointing to your server's IP address

Install Postfix Software on Ubuntu

We will assume you have access to your system as the system administrator - you will need to be able to execute the sudo command.

To install the packages required to run the Postfix and Dovecot servers run the command below:

sudo apt install postfix ssmtp dovecot-core dovecot-imapd

The package will prompt you for:

  • Configuration type: reply Internet Site
  • System mail name: reply with what appears after the @ in your email address, for example intrepiduniverse.com for user1@intrepiduniverse.com.

How do I point Dovecot to the Postfix Mailboxes?

You will need to configure Dovecot to use the same mailbox locations as postfix. Edit the configuration file:

sudo vi /etc/dovecot/conf.d/10-mail.conf

Ensure you have the below:

mail_location = mbox:~/Mail:INBOX=/var/mail/%u
mail_access_groups = mail

Restart dovecot to apply the changes

sudo service dovecot restart

How do I make Postfix Secure?

There are several steps here, based on these instructions detailed below.

TLS/SSL Certificate for Secure SMTP

Configure an SSL certificate for TLS - below we create a self signed certificate but you can also use one provided by your SSL certificate provider:

# Create self signed certificate
openssl genrsa 2048 > smtpd.key
chmod 600 smtpd.key

# Complete prompts
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt

# Complete prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

# Configure postfix to use the local CA and self signed certificate
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

# TLS Configuration
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'

# Use the hostname from your certificate below:
sudo postconf -e 'myhostname = uk2.intrepiduniverse.com'
sudo service postfix restart

SASL For User Authentication

Configure postfix for SASL:

sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

Edit config file

sudo vi /etc/postfix/sasl/smtpd.conf

Ensure sasl is configured with these lines:

pwcheck_method: saslauthd
mech_list: plain login

Install and configure SASL:

sudo apt install sasl2-bin

# Edit config file and add START="yes" at the end
sudo vi /etc/default/saslauthd

Test sasl using (change the user name)

testsaslauthd -u user1 -p XXX

Secure Postfix runs in a chroot, so make saslauthd create its sockets under /var/spool/postfix/var/run/saslauthd and link back to that directory:

sudo mkdir -p /var/spool/postfix/var/run/saslauthd
sudo ln -s /var/spool/postfix/var/run/saslauthd /run/saslauthd
sudo service saslauthd start

Manually edit /etc/default/saslauthd OPTIONS= (there is a comment about this there). To survive reboot create /etc/tmpfiles.d/saslauthd.conf with this content:

L+ /run/saslauthd - - - - /var/spool/postfix/var/run/saslauthd

Install SPF Checking for Postfix

sudo apt install postfix-policyd-spf-python postfix-pcre

Add to master.cf file:

policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf

Ensure the following lines are present in main.cf (merge with existing):

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf

Then restart Postfix:

sudo service postfix restart

Ensure there is an SPF TXT record in DNS so receiving servers can check us.

Install DKIM for Postfix

sudo apt install opendkim opendkim-tools
sudo adduser postfix opendkim

Follow the instructions for OpenDKIM. Copy dkimkeys from uk1:

scp -r uk1:/etc/opendkim/keys/ /etc/dkimkeys
sudo chown -R opendkim:opendkim /etc/dkimkeys

Uncomment the following in /etc/opendkim.conf:

  • Mode
  • Domain
  • Selector
  • KeyFile

Be careful setting the _domainkey TXT record: the webpage mentions changing the h argument. You can check things look okay with mxtoolbox.com and with the command below (change it to use your domain name):

sudo -u opendkim opendkim-testkey -d intrepiduniverse.com

Create the chroot directory /var/spool/postfix/var/run/opendkim and fstab entries to mount it. Add to postfix/main.cf:

smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Then restart Postfix:

sudo systemctl restart postfix

Disable Open Relay

Edit /etc/postfix/master.cf and uncomment most of the commented out lines but not the command line args or the relay service.

Edit /etc/postfix/main.cf and set the following to ensure the server is not an open relay:

smtpd_tls_auth_only = yes
smtpd_tls_security_level = encrypt

Restart postfix

sudo systemctl restart postfix
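
To confirm that main.cf ended up with the settings from the SASL, SPF, DKIM and open relay steps above, the following check can be run over it; it is an added example, not part of the original article. The function names audit_main_cf and sample_main_cf and the sample excerpt are made up for illustration; on a real server run audit_main_cf < /etc/postfix/main.cf.

```sh
#!/bin/sh
# Added example: audit_main_cf reads main.cf-style text on stdin and prints one
# finding per line. No output means every check passed.
audit_main_cf() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    /^[ \t]/ { if (key != "") val[key] = val[key] " " trim($0); next }  # continuation
    { eq = index($0, "="); if (eq == 0) next
      key = trim(substr($0, 1, eq - 1)); val[key] = trim(substr($0, eq + 1)) }
    END {
      # Values this page sets by the end of the Disable Open Relay step.
      n = split("smtpd_sasl_auth_enable=yes smtpd_tls_auth_only=yes smtpd_tls_security_level=encrypt", want, " ")
      known = " smtpd_recipient_restrictions milter_default_action "
      for (i = 1; i <= n; i++) {
        split(want[i], kv, "="); known = known kv[1] " "
        got = (kv[1] in val) ? val[kv[1]] : "(unset)"
        if (got != kv[2]) print "WEAK " kv[1] " is " got ", expected " kv[2]
      }
      for (k in val) {                              # right name, wrong letter case
        if (tolower(k) != k && index(known, " " tolower(k) " "))
          print "CASE " k " should be " tolower(k)
      }
      # policyd-spf should be consulted only after reject_unauth_destination.
      r = val["smtpd_recipient_restrictions"]
      deny = index(r, "reject_unauth_destination")
      spf = index(r, "check_policy_service")
      if (deny == 0) print "RELAY reject_unauth_destination is missing"
      else if (spf > 0 && spf < deny)
        print "RELAY check_policy_service precedes reject_unauth_destination"
    }'
}

# Constructed sample: settings from the TLS and SASL steps, before the open
# relay step, with two parameter names capitalised by mistake.
sample_main_cf() {
  cat <<'EOF'
# constructed main.cf excerpt
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
Smtpd_recipient_restrictions = permit_mynetworks, check_policy_service unix:private/policyd-spf
Milter_default_action = accept
EOF
}
sample_main_cf | audit_main_cf
```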

DNS Record Summary

Set up an MX record in your DNS server with priority 10. It should not reference a CNAME; only A or AAAA records should be used.

For SPF you will have added a spf TXT record.

For DKIM you will have added a _domainkey TXT record.

Configure Client Devices

Set up an iPhone etc. by removing the old account and adding a new account. Configure the fetch schedule to e.g. hourly.

Congratulations - you now have a secure email server on the public internet.


HowTo Block Email Address

Edit /etc/postfix/transport as root and add:

support@intrepiduniverse.com error:5.1.1 User unknown

Then update database and restart postfix:

sudo postmap /etc/postfix/transport
sudo service postfix restart

HowTo Implement Server Side Rules

Install procmail for server side rules:

sudo apt install procmail

HowTo Receive On All Interfaces

Receiving email on all interfaces can be useful if you use multiple VPNs with your mail server. Review this against your network security architecture:

sudo postconf -e 'inet_interfaces = all'

HowTo Renew Dovecot Certificate

sudo openssl genrsa -out /etc/ssl/private/dovecot.key 2048
sudo openssl req -new -x509 -key /etc/ssl/private/dovecot.key -out /etc/ssl/certs/dovecot.pem -days 730

You will be prompted as below so enter values that make sense for you:

Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intrepid Universe Limited
Organizational Unit Name (eg, section) []:Technology  
Common Name (e.g. server FQDN or YOUR name) []:mail.intrepiduniverse.com
Email Address []:user1@intrepiduniverse.com  

Restart dovecot:

sudo /etc/init.d/dovecot restart

The certificate will need to be trusted on client devices. A simple but less secure way to do this is to email the certificate to the user's device so it can be trusted:

sudo apt install mutt
mutt -s "Cert" -a dovecot.pem -- user1@icloud.com

Then for example, on iOS open mail and click on download. Go to Settings and install the VPN profile found in the downloaded certificate. Then go to “Trusted Certificates” and enable it as trusted. Then after restarting the Mail app it asks to trust the server intrepiduniverse.com - do so.

HowTo See Multiple Mail Addresses in One Account?

If you have multiple addresses that you would like to see from one login to the server create an alias.

For example, the Administrator account root could be aliased to the user user1, thereby enabling user1 to read all mail sent to root. To do this edit the file /etc/aliases and add a line to map root to user1:

root: user1

Then, to update Postfix's own database of aliases, run:

sudo newaliases

HowTo Whitelist on outlook.com

Use SNDS and JMRP so that your mail is not marked as spam by Outlook.com. See Outlook SNDS.