Debian Wheezy E-Mail Relay for multiple Domains and IMAP Server with Postfix Dovecot and Fetchmail

One of our customers needed a way to use multiple mail domains. He already had an SBS2011, and the Exchange Server on it was configured for the primary E-Mail Domain of the Company. The E-Mails from this Domain were fetched with the POP3 connector and all outgoing Mail was sent to the smart host of the E-Mail Provider.
The additional E-Mail Domains required a similar setup.
Unfortunately Exchange does not allow you to change the smart host for outgoing E-Mail based on the sender. There are third party Exchange addons that do provide this ability, but I preferred to solve the problem with a Linux Mail Server. The configuration I will describe to you is fairly basic and the scenario it is used in is somewhat special. But the Article will still give you a fairly good impression of how to get a basic Mail Server running and how all the different pieces work together.

As you may have noticed, this Mail Server is not just a simple Mail Relay, it also has user mailboxes. If you are just looking for a Mail Relay for your Exchange Server, you will only need the Postfix part of this Article.
The entire configuration is somewhat unusual if you already have a Mail Server on your premises, but there were some requirements for it.

This Sounds pretty specialised, what do I need that for?

The Answer is simple: A Server like this can be incredibly practical if you have Mailboxes with providers, that only allow for POP3 connection, or which have some very strict space restrictions.
Using a Server like this will allow you to synchronise your E-Mail across multiple devices and you won't have to worry about the Mailbox size restrictions your provider set for you.

Ok that seems useful. How does it work?

The Mail System I will describe to you in this article, has four basic components:

  1. Fetchmail: Downloads the E-Mails from your Providers Mailbox to your Server
  2. Procmail: Is used by Fetchmail to put the E-Mails in the correct directory on your Server
  3. Dovecot: Is the IMAP Server that your E-Mail clients will use
  4. Postfix: Is used to send the outgoing E-Mails to the correct smart host or Provider Mail Server

I made a little Diagram to show how all the Parts work together:

[Diagram: Debian Mail Relay - Postfix, Fetchmail, Procmail, Dovecot]

In this Scenario all Clients with the default E-Mail Domain use Outlook to work with the Exchange Server, like they normally would. The Exchange Server gets its Mails with the POP3 Connector and sends all outgoing Mail to the Debian Mail Relay Server. Postfix checks the sender address and then sends the Mail to the correct smart host on the internet.
The E-Mails of the other Maildomain are downloaded with Fetchmail and locally delivered with Procmail to the Maildir Folder of the corresponding local user.
The users use Outlook and other E-Mail clients to work in their Mailboxes. When they send E-Mail, they use SMTP directly from their E-Mail client to connect to the Mail Relay server. Again it is Postfix that checks the sender of the outgoing E-Mail and sends it to the correct Smart Host.

Ok, I want something like that. How do I start?

Well that depends on what you have to work with, you may setup a small server that will run permanently, or you install all the needed programs on a server that is already running. To be quite honest, it is probably a waste to run this on dedicated hardware and a virtual machine or container is probably your best option.
So as a first step, install Debian into the (Virtual) Machine of your choice. Since this entire Mail Server has no special networking requirements, I chose to run it in an OpenVZ container.

The OpenVZ Template I used for this Debian install came with postfix out of the box.
If you installed Debian from a normal install medium, you will likely need to install postfix after the OS installation:

apt-get install postfix

The next things you will need are libsasl2 and libsasl2-modules. The former was already installed in my Template so I only had to install the modules:

apt-get install libsasl2-modules

Note: the following step is probably not needed when Dovecot handles the authentication (this can be tested by disabling saslauthd and sending an E-Mail). I added it after messing with smtpd auth: install sasl2-bin, edit /etc/default/saslauthd to set enable to yes, and start saslauthd.

Since Dovecot and Fetchmail will be needed later on, you should install them now:

(Check that the command also pulls in all other needed packages.)

apt-get install fetchmail dovecot-common dovecot-imapd

As the last part of the basics, you need a user to receive the mail with. For that, run the following commands:

useradd -G mail username
passwd username

OK all the stuff is installed. How do I get postfix running?

The Postfix configuration for this server is fairly simple. Since Postfix will only be used to relay mails to the smart hosts of every mail domain, there is no need to set up local delivery of the E-Mails. Most of the configuration is done in the file “/etc/postfix/main.cf”. Here is the main.cf file used for this server:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
#alias_maps = hash:/etc/aliases
#alias_database = hash:/etc/aliases
#mydestination = $myhostname, localhost.$mydomain, localhost
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = login,plain
relayhost = smtp.mainmaildomain.com
mynetworks = 192.168.0.0/24 127.0.0.0/8
inet_interfaces = all
recipient_delimiter = +
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

If you have never used postfix, you might not understand what all those values mean. So let me give you a quick rundown.
All options that start with “smtp_” tell postfix what it should do with the E-Mails it has to deliver to the outside world. The options that start with “smtpd_” tell postfix under what conditions it should accept the E-Mails from your clients for delivery. Now a brief overview of the most important options:

  • smtp_sender_dependent_authentication: this option tells Postfix whether it should deliver outgoing E-Mails based on the sender. You need to set this to yes or the server will send your outgoing Mail only to your primary smart host.
  • sender_dependent_relayhost_maps: with this option you tell Postfix where to find the file that links your E-Mail addresses and Domains with the corresponding smart hosts.
  • smtp_sasl_auth_enable: Set this to yes in order to tell postfix, that the smart hosts want a username and password.
  • smtp_sasl_password_maps: This tells postfix where the file with the login information for your smart hosts is.
  • smtp_sasl_: these options tell postfix how to log into the smart hosts. The given examples should work in most cases, but they are not the most secure way to do it.
  • relayhost: this is the smart host for your Primary E-Mail domain. All E-Mails from senders that are not listed in the relayhost_map file will be sent over this smart host.
  • mynetworks: lists all networks that are considered local networks by postfix.
  • inet_interfaces: Unless postfix should only listen to specific interfaces, setting this to all is fine.
  • smtpd_sasl_: These options tell Postfix, if and how users sending E-Mail over your server should authenticate themselves. The settings shown in the file, allow your users to use the credentials used in dovecot. This way you will only have to make changes in dovecot, if you wish to change the user backend.
  • smtpd_recipient_restrictions: Tells postfix who to accept mail from. In the given configuration it accepts E-Mail from the networks configured in mynetworks and from users who authenticated themselves with their username and password. If your local networks are not secure, you should probably only allow E-Mails from authenticated users. Otherwise your Server might end up as a spambot.
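
The settings above that decide how passwords travel can be checked mechanically. The following Python is an added example, not part of the original article: it parses main.cf-style text and flags the settings in the listing that leave SASL logins without mandatory TLS or allow anonymous mechanisms. The function names are this example's own, and smtp_tls_security_level and smtpd_tls_auth_only are standard Postfix parameters that the article's main.cf does not set.

```python
# Added example, not from the original article. MAIN_CF is a sample adapted
# from the article's listing, with one line wrapped to exercise continuations.
MAIN_CF = """\
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = login,plain
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,
    reject_unauth_destination
"""

ENFORCED_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}  # TLS required


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] = (params[name] + " " + line.strip()).strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params


def audit(params):
    """Return (parameter, finding) pairs for settings that expose SASL credentials."""
    findings = []
    if params.get("smtp_sasl_auth_enable") == "yes":
        if params.get("smtp_tls_security_level", "") not in ENFORCED_TLS:
            findings.append(("smtp_tls_security_level",
                             "smart host logins are not protected by mandatory TLS"))
        # Postfix's default is "noplaintext, noanonymous"; the listing empties it
        options = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
        if "noanonymous" not in options:
            findings.append(("smtp_sasl_security_options",
                             "anonymous mechanisms are not excluded"))
    if (params.get("smtpd_sasl_auth_enable") == "yes"
            and params.get("smtpd_tls_auth_only", "no") != "yes"):
        findings.append(("smtpd_tls_auth_only",
                         "clients may authenticate over unencrypted SMTP"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_main_cf(MAIN_CF)):
        print(f"{name}: {finding}")
```

Setting smtp_tls_security_level = encrypt, smtp_sasl_security_options = noanonymous and smtpd_tls_auth_only = yes clears all three findings, provided the smart hosts offer STARTTLS and the server has a certificate configured.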

The configuration links to the file /etc/postfix/relayhost_map, this file has to be created by you. As mentioned earlier, this file contains the mappings for maildomains and their corresponding smart hosts. If you only have a single E-Mail Address that needs to be rerouted, use the example from the first line. In order to reroute E-Mails from an entire domain use the 2nd line. If the SMTP server is a server of a free mail provider you might have to use the submission port instead of the normal SMTP port.

#if the mail provider requires you to use the submission port for outgoing mail
#add :submission to the end of the server address
usermailaddress@maildomain1.com    smtp.maildomain1.com
@maildomain2.com    mail.maildomain2.com

After creating the file, you need to transform it into something that postfix can use. Do so by calling the postmap command. This needs to be repeated whenever there is a change to the file:

postmap hash:/etc/postfix/relayhost_map

Now postfix only needs a file to tell it how to authenticate to all those smtp servers. This is done with the file linked under smtp_sasl_password_maps in the main.cf. The contents of this file should look something like this:

#smtp sender dependent auth
usermailaddress@maildomain1.com    username:password
@maildomain2.com    username:password

#relayhost login, the key has to match the relayhost value in main.cf
smtp.mainmaildomain.com username:password

As with the last file you need to run the postmap command on this one as well. And since this is the last file for postfix you need to change, you should restart postfix after running the postmap command.

postmap hash:/etc/postfix/sasl_passwd
/etc/init.d/postfix restart
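
A sender that has a relayhost_map entry but no matching sasl_passwd entry is only noticed when mail is sent, so it helps to cross-check the two files before running postmap. The following Python is an added example, not from the original article or from Postfix: a simplified model of the lookup (full sender address, then @domain, then the next hop exactly as written) run over constructed sample tables. Postfix's own lookup has more cases, and all names and values in the code are this example's assumptions.

```python
# Added example: a simplified model of the lookups, not Postfix code.
# All hosts, addresses and logins below are constructed placeholders.
RELAYHOST = "smtp.mainmaildomain.com"  # relayhost value in main.cf
RELAYHOST_MAP = """\
user@maildomain1.com    smtp.maildomain1.com:submission
@maildomain2.com        mail.maildomain2.com
"""
SASL_PASSWD = """\
# per-sender login
user@maildomain1.com    username1:secret1
# relayhost login whose key does not match RELAYHOST
smtp.maildomain.com     username:secret
"""


def parse_table(text):
    """Parse a postmap source file: key, whitespace, value; '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1].strip()
    return table


def by_sender(table, sender):
    """Look up the full address first, then its '@domain' form."""
    sender = sender.lower()
    return table.get(sender) or table.get("@" + sender.rpartition("@")[2])


def resolve(sender, relay_map, passwd, relayhost=RELAYHOST):
    """Return (next_hop, login); login is None when no credentials match."""
    next_hop = by_sender(relay_map, sender) or relayhost
    entry = by_sender(passwd, sender) or passwd.get(next_hop.lower())
    return next_hop, (entry.split(":", 1)[0] if entry else None)


def unauthenticated_routes(relay_map, passwd, relayhost=RELAYHOST):
    """Return (map key, next hop) for every route that finds no credentials."""
    probes = {k: ("probe" + k if k.startswith("@") else k) for k in relay_map}
    probes["<default>"] = "probe@unlisted.invalid"  # sender with no map entry
    missing = []
    for key, sender in probes.items():
        next_hop, login = resolve(sender, relay_map, passwd, relayhost)
        if login is None:
            missing.append((key, next_hop))
    return missing


if __name__ == "__main__":
    tables = parse_table(RELAYHOST_MAP), parse_table(SASL_PASSWD)
    for key, hop in unauthenticated_routes(*tables):
        print(f"no credentials for {key} -> {hop}")
```

On the sample tables it reports the @maildomain2.com route and the default relayhost, the latter because the sasl_passwd key differs from the relayhost value.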

This concludes the configuration of postfix. If you only need a sender based E-Mail relay, you are done here. The rest is about getting your provider's E-Mails into your own IMAP Server.

I also want to fetch the E-Mails from my provider's mailbox. What do I do?

Let's start with setting up Dovecot. Dovecot is the IMAP server in all this. If you have used Dovecot before, you might notice that the configuration looks a little different in Debian 7.0 wheezy. This is because wheezy uses Dovecot 2.x, which spreads the configuration of Dovecot from one large file to several smaller ones. Each of the new configuration files controls one aspect of Dovecot. This makes it easier for beginners to get everything running. Since the Dovecot configuration files are still pretty long, I will only show you the changes that I made to every file. The first file that needs changing is “/etc/dovecot/conf.d/10-master”:

service imap-login {
  inet_listener imap {
     port = 143
  }
}

service auth {

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}

These changes tell Dovecot to have its IMAP server listen on the default IMAP port. The second part is needed if Postfix uses Dovecot for authentication.

The next file that you need to edit is: “/etc/dovecot/conf.d/10-mail”. In this one you need to change the mail location, if you do not want to use the default. In my case I wanted to use maildir storage under /var/mail/username. So I changed the mail_location line to this:

mail_location = maildir:/var/mail/%n

The last file you might have to change is “/etc/dovecot/conf.d/10-auth”. Since this is just for a quick test setup, I enabled plaintext authentication. Under normal circumstances you should probably try to avoid using it for security reasons:

disable_plaintext_auth = no

Once all the config files have been changed, you will have to restart Dovecot or the changes won’t take effect.

/etc/init.d/dovecot restart

As you can see, I did not actually tell you to enable one of the many authentication backends Dovecot supports. That is because Dovecot uses the local system users for authentication out of the box. This is fine if the server is just for you or a very small company. If you expect some more users on this server, you might want to think about a different authentication backend.

Ok my server can give me IMAP mailboxes now, but where are my E-Mails?

You still have to get your mails from your provider, and that is what Fetchmail is for. The global configuration file for Fetchmail is “/etc/fetchmailrc”. This file does not exist after installation, so you need to create it. While you are at it, you should also make sure that it is only readable by root, since the file contains the login information for your E-Mail Accounts.

touch /etc/fetchmailrc
chmod 600 /etc/fetchmailrc

After you have created the file, you need to give it a few parameters for the daemon and configure all the E-Mail Accounts you want to retrieve:

set daemon 300
set syslog

poll pop.maildomain1.com protocol pop3:
    username "user1" password "password", is systemuser1 here
    #keep    
    #fetchall
    #use procmail to deliver local mail so we dont need to hassle postfix
    mda "/usr/bin/procmail -f %F -d %T"

poll mail.maildomain2.com protocol    pop3:
    username "user2"    password "password" is systemuser2 here
    #keep
    mda "/usr/bin/procmail -f %F -d %T"

This example tells Fetchmail to download the mail from the listed mail servers via pop3 and then to deliver it to the respective system users via Procmail. The set daemon option tells Fetchmail how often it should run, in seconds, and set syslog tells it to write its log to the syslog.
I suggest uncommenting the keep option when you first test the system, since it tells Fetchmail not to delete the E-Mails on your mail provider's servers. Once everything is running fine, you can remove the keep option, unless you want to leave copies of the E-Mails on the servers of your provider. You might get trouble with the size of your mailbox if you leave the keep option enabled.

After you prepared the configuration file, you still need to tell Fetchmail to run as daemon. You can do that by adding the line “START_DAEMON=yes” to the file  “/etc/default/fetchmail”

You said I need Procmail?

Procmail is the last piece of the puzzle. I suggest Procmail for the delivery of the E-Mails because it comes with the system, and using Procmail means you don’t have to set up Postfix to deliver E-Mails via Dovecot. This is definitely the quick and dirty option, but for this kind of server it is enough.

The configuration of Procmail is fairly similar to Fetchmail. It is also done in a global configuration file called “/etc/procmailrc”. This file has to be created by you as well.

SHELL="/bin/bash"
LOGFILE="/var/log/procmail.log"
# / at the end of default needed for maildir
#needs to be the mail location of dovecot

MAILDIR=/var/mail
DEFAULT=/$MAILDIR/$LOGNAME/

:0

My example file is very simple. It defines the location of the logfile and the target for the E-Mail delivery. The one thing you need to watch is that the DEFAULT line has to end with a “/” if your Dovecot uses maildir, and naturally MAILDIR needs to be the base mail directory of Dovecot.

Ok, I followed it all. Is there anything else I have to do?

No, if you followed this tutorial you should have a working mail relay and IMAP server. But this is a fairly basic setup and you should probably consider using encrypted connections.
This server is also extendable, you could add spam and virus filtering for your E-Mails or if you receive large amounts of mail you may want to look a little closer at Procmail. Procmail can be used to categorize certain mails into subfolders of your inbox. If you expect a larger amount of users on your server and possibly some fluctuation, you may want to look at different user backends.

The great thing about this system is that it can be extended with all those functions. It can grow with your needs.

3 thoughts on “Debian Wheezy E-Mail Relay for multiple Domains and IMAP Server with Postfix Dovecot and Fetchmail”

  1. Hi
    I am searching for a way to make a relay server from Debian with postfix and amavisd-new on it.
    It’s just to put behind our Exchange server for relaying outgoing email, how must I configure my postfix then?

  2. Can you give me a few more details?

    Important questions are:
    – Does your Exchange send E-Mail for multiple Mail domains or do you need to forward the E-Mails to different SMTP servers?
    – Exchange has the capability to forward all E-Mail to a specified Mail Relay. What is the reason you want Debian as that relay?
    For example, Providers who provide you a certain number of Mail accounts that you can retrieve with pop3 usually also offer an SMTP Server that you could use as forwarder in Exchange. In that case you would not need a Debian Server in front of your Exchange just to do the relay.
    But there are plenty of cases where a Debian Relay in front of your Exchange can be useful, but it is hard to give you a recommendation with so little information.
    – Since you want amavis on your server as well, I assume that you want to Virus check all outgoing mail. Do you also want to Virus check/Filter Spam on all incoming mail?

    If you don't want to publish those Infos, you can send me an E-Mail to skelleton-at-skelleton-dot-net.
    I am on a business trip this week so I'll probably not be able to help you much until the weekend.
