In a previous recipe, you were shown how to configure Postfix as a domain-wide mail transport agent. As we learned in the first recipe of this chapter, Postfix only understands the SMTP protocol and does a remarkable job of transporting messages from another MTA or mail user client to other remote mail servers, or of storing mails destined for itself in its local mailboxes. After storing or relaying a mail, Postfix's job ends: it speaks only SMTP and is not capable of delivering messages to anything other than MTAs. Any recipient who wants to read his mail would now need to log in to the server running the Postfix service using ssh and look into his local mailbox directory, or alternatively run mailx locally on a regular basis to see whether any new mails have arrived. This is highly inconvenient and nobody would use such a system. Instead, users expect to access and read their mail from their own workstations rather than from the machine where our Postfix server is located. Therefore, another group of MTAs has been developed, sometimes called access agents, whose main function is to synchronize or transfer the local mailbox messages from the server running the Postfix daemon to external mail programs where users can read them. These systems use protocols other than SMTP, namely POP3 or IMAP, and one such program is Dovecot. Most professional server administrators would agree that Postfix and Dovecot are perfect partners, and it is the purpose of this recipe to learn how to configure Postfix to work with Dovecot in order to provide a basic POP3/IMAP and POP3/IMAP over SSL (POP3S/IMAPS) service for our mailboxes, giving your users an industry-standard e-mail service across the local network.
To complete this recipe, you will require a working installation of the CentOS 7 operating system with root privileges, a console-based text editor of your choice, and a connection to the Internet in order to download additional packages. It is also assumed that you are working through this chapter recipe by recipe in the order that they appear and for this reason it is expected that Postfix has been configured as a domain-wide MTA.
Dovecot is not installed by default, and for this reason we must begin by installing the necessary packages by following the given steps:
1. Install Dovecot and enable it to start at boot:

    yum install dovecot
    systemctl enable dovecot

2. Make a backup of the main Dovecot configuration file and open it in your text editor:

    cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.BAK
    vi /etc/dovecot/dovecot.conf

3. Specify the protocols we want to use by activating (removing the # sign at the beginning of the line) and modifying the protocols line, so it reads:

    protocols = pop3 imap imaps pop3s

4. Find the line #listen = *, :: and modify it so it reads:

    listen = *

5. Save and close the file. Next, create a backup of the 10-mail.conf file and open it in your favorite text editor:

    cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.BAK
    vi /etc/dovecot/conf.d/10-mail.conf

6. Activate (remove the leading # character from) the following line, so it reads:

    mail_location = maildir:~/Maildir

7. Save and close the file. Next, back up and open the POP3 configuration file:

    cp /etc/dovecot/conf.d/20-pop3.conf /etc/dovecot/conf.d/20-pop3.conf.BAK
    vi /etc/dovecot/conf.d/20-pop3.conf

8. Activate the following two lines, so they read:

    pop3_uidl_format = %08Xu%08Xv
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

9. Save and close the file. Next, back up and open the authentication configuration file:

    cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.BAK
    vi /etc/dovecot/conf.d/10-auth.conf

10. Change the line #disable_plaintext_auth = yes to state:

    disable_plaintext_auth = no

11. Save and close the file. Next, make sure a self-signed server certificate exists for the SSL-based protocols; if postfix-server.pem is not already there, the Makefile in this directory creates it as a single file containing both the private key and the certificate:

    cd /etc/pki/tls/certs; make postfix-server.pem

12. Next, back up and open the SSL configuration file:

    cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.BAK
    vi /etc/dovecot/conf.d/10-ssl.conf

13. Change the line ssl = required (which forces every client to use SSL) to read:

    ssl = yes

14. Then point Dovecot at the certificate from step 11 by changing the ssl_cert and ssl_key lines to read (the < tells Dovecot to read the value from the file):

    ssl_cert = </etc/pki/tls/certs/postfix-server.pem
    ssl_key = </etc/pki/tls/certs/postfix-server.pem

15. Save and close the file. Next, open the four service ports in the firewall. CentOS 7 ships firewalld service files for pop3s and imaps only, so we first derive the missing pop3 and imap files from them:

    sed 's/995/110/g' /usr/lib/firewalld/services/pop3s.xml | sed 's/ over SSL//g' > /etc/firewalld/services/pop3.xml
    sed 's/993/143/g' /usr/lib/firewalld/services/imaps.xml | sed 's/ over SSL//g' > /etc/firewalld/services/imap.xml
    firewall-cmd --reload
    for s in pop3 imap pop3s imaps; do firewall-cmd --permanent --add-service=$s; done
    firewall-cmd --reload

16. Finally, start the Dovecot service:

    systemctl start dovecot

17. To test the service, you can use mailx from any other computer in your network to access the local mailboxes on the remote Postfix server, which Dovecot now provides over the different access agent protocols. In our example, we want to access the local mailbox of the system user john on our Postfix server with the IP 192.168.1.100 remotely (to log in to john's account, you need his Linux user password):

    mailx -f pop3://john@192.168.1.100
    mailx -f imap://john@192.168.1.100

18. To test the SSL-encrypted variants, run the following commands and type yes to confirm that the certificate is self-signed and not trusted:

    mailx -v -S nss-config-dir=/etc/pki/nssdb -f pop3s://john@192.168.1.100
    mailx -v -S nss-config-dir=/etc/pki/nssdb -f imaps://john@192.168.1.100

In each case, mailx shows the inbox view of user john's mailbox with all his mail messages, just as it would if you ran the mailx command locally on the Postfix server to read local mails.

Having successfully completed this recipe, you have just created a basic POP3/SMTP service (with or without SSL encryption) for all the valid server users in your network, which will deliver local mails from the Postfix server to the client's e-mail program. Every local system user can directly authenticate and connect to the mail server and fetch their mail remotely. Of course, there is still much more that can be done to enhance the service, but you can now enable all local system account holders to configure their favorite e-mail desktop software to send and receive e-mail messages using your server.
So what did we learn from this experience?
We started the recipe by installing Dovecot and enabling it to run at boot, before proceeding to make a few brief changes to a series of configuration files. First we determined which protocols Dovecot should offer in its main configuration file at /etc/dovecot/dovecot.conf; here we used IMAP, POP3, IMAPS, and POP3S. As with most other essential networking services, Dovecot only listens on the loopback device after installation, so we enabled it to listen on all network interfaces installed in the server. In the 10-mail.conf file we then confirmed the mailbox directory location for Dovecot (with the mail_location directive) as the location where Postfix puts incoming mails, so that Dovecot can find the messages there and pick them up. Following this, we opened the POP3 protocol settings in 20-pop3.conf and added a fix for various e-mail clients (for example, the Outlook client) using the pop3_uidl_format and pop3_client_workarounds directives. Next, we enabled plain text authentication by changing /etc/dovecot/conf.d/10-auth.conf. Remember that using plain text authentication with POP3 or IMAP without SSL encryption is considered insecure, but because we were concentrating on a local area network (for a group of trusted server users) we should not necessarily see this as a risk. Afterwards, we enabled POP3 and IMAP over SSL (POP3S and IMAPS) by pointing the ssl directives in the 10-ssl.conf file to our existing self-signed server certificate. Here we changed ssl = required to ssl = yes so as not to force clients connecting to the Dovecot service to use SSL encryption: we want to give users the choice of encrypted authentication if they like, but not make it mandatory for older clients. Then, to make our Dovecot service available from the other computers in our network, we had to open the four ports for POP3, IMAP, POP3S, and IMAPS (110, 143, 995, and 993) by using the predefined firewalld service files and creating the missing ones for IMAP and POP3 ourselves. Finally, we started the Dovecot service and tested our new POP3/IMAP server using the mailx command remotely. By supplying the -f file parameter, we were able to specify our protocol and location. For SSL connections, we needed to supply the additional nss-config-dir option, pointing to the local Network Security Services database where CentOS 7 stores certificates.

Remember, if you happen to encounter any errors, you should always refer to the log file located at /var/log/maillog. Plain text authentication should not be used in a real corporate environment; POP3/IMAP over SSL should be preferred.
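As an added check that is not part of the book's recipe, the following shell script audits the two directives this recipe relaxed (disable_plaintext_auth in 10-auth.conf and ssl in 10-ssl.conf): it reads a Dovecot configuration text and reports whether a client on the unencrypted POP3/IMAP ports may send its password in the clear, showing the recipe's settings beside a hardened form that keeps ssl = required and disable_plaintext_auth = yes. The function names dovecot_get and dovecot_auth_verdict are ours, and both configuration snippets are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the book: audit the authentication exposure of a
# Dovecot configuration. Both sample configurations below are constructed.

# dovecot_get KEY CONFIG: print the value of the last uncommented "KEY = value"
# line in CONFIG (an empty string if the key is not set).
dovecot_get() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[ \t]*#/ { next }                          # comment line
        {
            if (match($0, "^[ \t]*" key "[ \t]*=")) {
                v = substr($0, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v                              # later lines win
            }
        }
        END { print val }'
}

# dovecot_auth_verdict CONFIG: print "exposed" when a client on the plain
# POP3/IMAP ports may log in without TLS, otherwise "safe". Unset keys fall
# back to Dovecot's defaults (disable_plaintext_auth = yes, ssl = yes).
dovecot_auth_verdict() {
    auth=$(dovecot_get disable_plaintext_auth "$1")
    ssl=$(dovecot_get ssl "$1")
    [ -n "$auth" ] || auth=yes
    [ -n "$ssl" ] || ssl=yes
    if [ "$ssl" = required ]; then
        echo safe        # TLS is mandatory before any login
    elif [ "$auth" = no ]; then
        echo exposed     # plaintext logins accepted on the unencrypted ports
    else
        echo safe        # plaintext logins refused unless the session is TLS-protected
    fi
}

# Settings as this recipe leaves them (constructed sample).
RECIPE_CFG='protocols = pop3 imap imaps pop3s
#disable_plaintext_auth = yes
disable_plaintext_auth = no
ssl = yes
ssl_cert = </etc/pki/tls/certs/postfix-server.pem'

# Hardened form: keep both directives at the values the package ships with.
HARDENED_CFG='protocols = pop3 imap imaps pop3s
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/pki/tls/certs/postfix-server.pem'

echo "recipe settings:   $(dovecot_auth_verdict "$RECIPE_CFG")"
echo "hardened settings: $(dovecot_auth_verdict "$HARDENED_CFG")"
# On the server itself: dovecot_auth_verdict "$(doveconf -n)"
```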
In the main recipe, you were shown how to install Dovecot in order to enable trusted local system users with system accounts to send and receive e-mails. These users will be able to use their existing username as the basis of their e-mail address, but by making a few enhancements you can quickly enable aliases, which are a way to define alternative e-mail addresses for existing users.
To start building a list of user aliases, you should begin by opening the following file in your favorite text editor:

    vi /etc/aliases

Now add your new identities to the end of the file, where <username> will be the name of the actual system account:

    #users aliases for mail
    newusernamea: <username>
    newusernameb: <username>

For example, if you have a user called john who currently (only) accepts e-mails at john@centos7.home, but you want to create a new alias for john called johnwayne@centos7.home, you will write:

    johnwayne: john

Repeat this action for all the aliases, but when you have finished remember to save and close the file in the usual way before running the following command:

    newaliases
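As an added example that is not part of the book, the following shell function resolves an alias through the /etc/aliases format described above: it parses comments, one-to-many entries, continuation lines and chained aliases, prints the final delivery targets, and flags alias loops. The function name resolve_alias is ours and the alias file content is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the book: expand an e-mail alias through the
# /etc/aliases format the way local delivery does. The alias file content
# below is a constructed sample.

# resolve_alias NAME ALIASES_TEXT: print one final delivery target per line,
# following chained aliases and printing "LOOP:<name>" if a cycle is detected.
# Targets that are not aliases (system users, external addresses, :include:
# files, |commands) are printed as they appear in the file.
resolve_alias() {
    printf '%s\n' "$2" | awk -v start="$1" '
        function walk(name, depth,    n, parts, j, t) {
            if (depth > 16) { print "LOOP:" name; return }
            if (!(name in alias)) { print name; return }
            n = split(alias[name], parts, ",")
            for (j = 1; j <= n; j++) {
                t = parts[j]; gsub(/[ \t]/, "", t)
                if (t != "") walk(t, depth + 1)
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
        /^[ \t]/ { alias[cur] = alias[cur] "," $0; next }  # continuation line
        index($0, ":") {
            cur = $0; sub(/[ \t]*:.*/, "", cur)            # "name: targets"
            alias[cur] = substr($0, index($0, ":") + 1)
        }
        END { walk(start, 0) }'
}

# Constructed sample in /etc/aliases syntax.
ALIASES='# users aliases for mail (constructed sample)
postmaster: root
johnwayne: john
jw: johnwayne
sales: johnwayne, mary,
        external@example.com
loopa: loopb
loopb: loopa'

echo "jw    -> $(resolve_alias jw "$ALIASES" | tr '\n' ' ')"
echo "sales -> $(resolve_alias sales "$ALIASES" | tr '\n' ' ')"
echo "loopa -> $(resolve_alias loopa "$ALIASES")"
```

Run it against the real file with resolve_alias johnwayne "$(cat /etc/aliases)" to see where a given address will actually be delivered once newaliases has been run.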
There are a vast number of e-mail clients on the market, and by now you will want to start setting up your local users to send and receive e-mails. This isn't complicated by any means, but in order to have a good starting point you will want to consider the following principles. The format of the e-mail address will be <username>@centos7.home.

The incoming POP3 settings will be similar to the following:

    mailserver.centos7.home, Port 110
    Username: system_username
    Connection Security: None
    Authentication: Password/None

For POP3S, just change the port to 995 and use Connection Security: SSL/TLS. For IMAP, just change the port to 143, and for IMAPS use port 993 and Connection Security: SSL/TLS.

The outgoing SMTP settings will be similar to the following:

    mailserver.centos7.home, Port 25
    Username: system_username
    Connection Security: None
    Authentication: None