
CentOS 7 – Mail Server with Postfix


Nowadays, many people are already using configured and reliable web-based mail services such as Gmail, Yahoo, and so on. Most of those people are questioning the need for a local e-mail server installed inside their server environment. Well, servers also need to send e-mails, not only humans; and it is useful for many other needs, especially when notifying an administrator if a server is in a critical state.

Postfix is a high-performance open source Mail Transfer Agent (MTA) for Linux systems. It is fast, easy to administer, and secure. It helps to route and deliver electronic mail. Postfix supports encryption and virtual domains, and its configuration files are clear and easy to understand and edit.

The installation of Postfix will be divided into multiple sections. Since this chapter is all about setting up an e-mail server using Postfix, adding some tools to make it fully qualified, and then securing it, we will do the installation step by step, spreading it across the chapter sections each time we add a new tool or a new tweak.

During this chapter, we are going to learn the following things:

  • Set up and configure the Postfix e-mail server using CentOS 7 Linux
  • Configure it to store users and virtual domains on a MySQL database
  • Set up a mail tool (Dovecot) to get e-mail
  • Configure the OpenLDAP active directory
  • Secure both mail services using SSL/TLS

Setting up and configuring the Postfix mail server

As we all know, Postfix, as an MTA, acts as an SMTP server. It accepts incoming mail and passes it to the service responsible for retrieving mails. Then it forwards outgoing mails to the next responsible SMTP server. For the SMTP service, we need to have the port 25/TCP open in the system’s firewall. Postfix is very easy to set up and configure. We only need to make sure that some pre-installation steps have been done in order to have a clean setup.

First, we need to open the required port at the firewall for all the needed services for a mail server, using Firewalld. The ports we are going to open are from the following services:

  • Simple Mail Transfer Protocol (SMTP): 25 on TCP
  • Secure SMTP (SMTPS): 465 on TCP
  • Mail Submission Agent (MSA): 587 on TCP
  • Post Office Protocol 3 (POP3): 110 on TCP
  • Secure POP3: 995 on TCP
  • Internet Message Access Protocol (IMAP): 143 on TCP
  • Secure IMAP (IMAP SSL): 993 on TCP

This is how to apply the change in the system local firewall using Firewalld:


$ sudo firewall-cmd --permanent --add-port=25/tcp
$ sudo firewall-cmd --permanent --add-port=465/tcp
$ sudo firewall-cmd --permanent --add-port=587/tcp
$ sudo firewall-cmd --permanent --add-port=995/tcp
$ sudo firewall-cmd --permanent --add-port=993/tcp
$ sudo firewall-cmd --permanent --add-port=143/tcp
$ sudo firewall-cmd --permanent --add-port=110/tcp
$ sudo firewall-cmd --reload

After that, we need to have an accurate time for the server, so we need to install an NTP client to synchronize the machine time with one of many worldwide available NTP servers. We need to install the NTP client service using the yum package manager:


$ sudo yum install ntp

Usually, an NTP client, when installed, already has some default NTP servers configured to synchronize its time with them. But if we have a local NTP server and we want to use it, we can always go to the configuration file of NTP and add it. As a best practice, it is advised to always have at least three NTP servers:


$ sudo nano /etc/ntp.conf

We look for the lines that start with server, comment out the unneeded servers, and add those that we want (shown as LOCAL_NTP_SERVER_IP_ADDRESS in the following snippet):


#server 0.centos.pool.ntp.org iburst
server LOCAL_NTP_SERVER_IP_ADDRESS iburst

We need to start the NTP service and add it to the system startup services:


$ sudo systemctl start ntpd
$ sudo systemctl enable ntpd

To verify whether the NTP client is synchronizing with the defined servers, we need to use the command ntpq -p. Let’s have a look at the following output:

After making our server time accurate, we need to make sure that our server’s hostname is well configured, since a foreign mail server may not accept mail from our server due to its suspicious name. We can verify this using the following command:


$ hostname -f

If we receive a fully-qualified domain name server.domain we can proceed, where server is the host name of our server and domain is where it belongs. Otherwise, we need to set one by editing the hostname configuration files:


$ sudo nano /etc/hosts
$ sudo nano /etc/hostname

Or you can also use the following command:


$ sudo hostnamectl set-hostname server.domain

We should make sure that the domain address is written correctly. Then we save the files.

And, finally, we need to check our DNS resolution. Our server should be using a fully-qualified DNS, which means that it can resolve addresses from all around the Web. We need to check the /etc/resolv.conf file:


$ sudo cat /etc/resolv.conf

We can test our DNS server using the nslookup command. If we are not sure that the configured DNS server is up to date enough to handle all our queries, we can edit the file and add some DNS servers that we are sure are qualified (Google DNS: 8.8.8.8, 8.8.4.4):


$ sudo nano /etc/resolv.conf

We are now ready to install Postfix on our server. As we have mentioned before, each section of this chapter keeps adding to and configuring the same server.

In this section, we will start by installing and configuring our Postfix as an SMTP server. First, we need to install the postfix package using yum. We need to plan for the coming sections. Since the default version of Postfix in the yum package manager doesn’t support MariaDB (the drop-in replacement for MySQL), we need to install Postfix from the CentOSPlus repository. Just before starting the installation, we need to add an exclusion to some repositories so that their updates do not overwrite the Postfix package:


$ sudo nano /etc/yum.repos.d/CentOS-Base.repo

Then we need to make sure to add the line exclude=postfix to the end of the [base] and the [updates] repository source to look like this:

[base]
name=CentOS-$releasever - Base
exclude=postfix

#released updates
[updates]
name=CentOS-$releasever - Updates
exclude=postfix

After saving the file, we can start the package installation. We will install the essential packages needed for a fully-functioning mail server: Postfix as the MTA for SMTP, Dovecot for the IMAP and POP daemons, and some supporting packages for the authentication service:


$ sudo yum --enablerepo=centosplus install postfix
$ sudo yum install dovecot mariadb-server dovecot-mysql

Here, we will merge the installation of the tools but the configuration will be separated into each section of this chapter.

After having the Postfix mail server installed, we can start with the configuration. Postfix has almost all of its options as either commented or not fully applicable. So to have Postfix fully configured we need to go to its main configuration file and make some changes. First, we open the file using any text editor:


$ sudo nano /etc/postfix/main.cf

Then we start uncommenting and changing lines and adding information about the desired mail server. Since we are going to make many separate changes in a big file, we should not add any unnecessary lines, because we will be pointing to which line we should change each time. At any point, if we are using nano as a text editor, we can always use the search option to look up the desired line by pressing Ctrl + W and typing in the first part of the line.

Next, we need to define our mail server hostname. We go to the line of the option myhostname and we uncomment the line and change it with the desired information, such as in the following example:

myhostname = server.packt.co.uk

Then, we need to set up the domain name at the line of the option mydomain, as shown in the following example:

mydomain = packt.co.uk

This is followed by the origin, which has the same value as the domain, at the line of the option myorigin:

myorigin = $mydomain

Then we define which network interfaces our server will listen on to provide its services. In our case we will just use all of them. To set that up, we either comment line 116 and uncomment line 113, or just change line 116 to the following code:

inet_interfaces = all

Then we move to the line of the option mydestination to add the domain address to the end of the destination domain’s line:

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

Then we make a big jump to the line of the option mynetworks to uncomment it and add the other networks that we will be using for the network related to the server:

mynetworks = 127.0.0.0/8, 192.168.8.0/24, 10.0.1.0/24

Then we jump to the line of the option home_mailbox to uncomment the mailbox folder location option and change it to whatever suits our needs:

home_mailbox = maildir/

We end the line-by-line changes by going to the line of the option smtpd_banner, uncommenting it, and changing it to look like the following code:

smtpd_banner = $myhostname ESMTP

Then we go to the end of the file and add the following line to limit the size of e-mails the server will handle (10 megabytes = 10485760):

message_size_limit = 10485760

Also, we need to limit the mailbox folder size (1 gigabyte = 1073741824):

mailbox_size_limit = 1073741824

And, finally, we set up the SMTP server authentication configuration option lines:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject

This configuration is considered the initial one. After it is set, we can always use the command postconf -e to change an option or set a new one. If we ever need to change the server hostname, we write it as follows:


$ sudo postconf -e 'myhostname = mailserver.packt.co.uk'
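The mynetworks, SASL and smtpd_recipient_restrictions options set above decide who may relay mail through this server. The following added example (not part of the original chapter) audits `postconf -n`-style text for them; the function names, finding labels, the /8 threshold and the embedded sample are assumptions made for the example.

```sh
# Added example (not from the original page): audit relay-related settings.
# Finding labels and the "prefix shorter than /8" threshold are example choices.

# Constructed sample: the values this section puts in main.cf.
sample_conf() {
cat <<'EOF'
mynetworks = 127.0.0.0/8, 192.168.8.0/24, 10.0.1.0/24
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject
EOF
}

# Print the value of parameter $1 from "name = value" lines on stdin.
conf_get() {
    awk -v k="$1" '{ n = $0; sub(/[ \t]*=.*/, "", n); gsub(/^[ \t]+/, "", n) }
        n == k { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}

# Read a configuration on stdin and print one line per finding.
audit_relay() {
    conf=$(cat)
    rcpt=$(printf '%s\n' "$conf" | conf_get smtpd_recipient_restrictions | tr ', ' '\n\n')
    nets=$(printf '%s\n' "$conf" | conf_get mynetworks | tr ', ' '\n\n')
    sasl=$(printf '%s\n' "$conf" | conf_get smtpd_sasl_auth_enable)
    tls_only=$(printf '%s\n' "$conf" | conf_get smtpd_tls_auth_only)

    # 1. The list must end by refusing what no earlier rule permitted,
    #    and must not contain a bare "permit" that accepts every client.
    last=$(printf '%s\n' "$rcpt" | awk 'NF { l = $0 } END { print l }')
    case "$last" in
        reject|reject_unauth_destination|defer_unauth_destination) ;;
        *) echo "OPEN_RELAY_RISK last_rule=${last:-none}" ;;
    esac
    if printf '%s\n' "$rcpt" | grep -qx 'permit'; then
        echo "OPEN_RELAY_RISK bare_permit"
    fi
    # 2. permit_mynetworks relays for every listed network without a login.
    printf '%s\n' "$nets" | while read -r n; do case "$n" in */[0-7]) echo "WIDE_TRUST $n" ;; esac; done
    # 3. SASL login offered while TLS is not required exposes passwords.
    if [ "$sasl" = "yes" ] && [ "$tls_only" != "yes" ]; then
        echo "CLEARTEXT_AUTH smtpd_tls_auth_only is not yes"
    fi
    return 0
}

sample_conf | audit_relay
```

On a configured host the same function can read `postconf -n | audit_relay`. With this section's values it reports only the CLEARTEXT_AUTH finding, which stays open until the TLS section of the chapter is applied.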

After making sure that all configurations are well set, we can start our Postfix service and add it to the system startup services:


$ sudo systemctl restart postfix
$ sudo systemctl enable postfix

Just to verify that everything is ok, we need to do a small test to the Postfix services. There are many ways to do this test. We will go with the traditional way of sending a mail using the command mail and then verifying the mail log file located at /var/log/maillog:


$ echo "Testing the Postfix mail service" | mail -s "This is a test mail" user2@server.packt.co.uk && tail -f /var/log/maillog

Then we should see a message like the following in the mail log file, which tells us that the mail has been sent correctly and that the Postfix services are working fine:


server postfix/local[28480]: 98E2F61B6365: to=<user2@server.packt.co.uk>, relay=local, delay=0.02, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
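Reading the log by eye works for one test mail; the added example below (not part of the original chapter) extracts the queue ID, recipient, DSN code and status from delivery records like the one above and lists those that were not delivered. The function names are assumptions, and every sample line except the first is constructed.

```sh
# Added example (not from the original page): summarise Postfix delivery
# records from mail log text and pick out the ones that were not delivered.

# Constructed sample: the first line is the one shown above; the other two
# are invented here to show a deferred and a bounced delivery.
sample_log() {
cat <<'EOF'
server postfix/local[28480]: 98E2F61B6365: to=<user2@server.packt.co.uk>, relay=local, delay=0.02, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
server postfix/smtp[28512]: A1B2C3D4E5F6: to=<admin@example.org>, relay=none, delay=30, delays=0.01/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.10]:25: Connection timed out)
server postfix/local[28533]: 0F1E2D3C4B5A: to=<nobody@server.packt.co.uk>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (unknown user: "nobody")
EOF
}

# Print "queue-id recipient dsn status" for every delivery record on stdin.
# Fields are located by name, so a syslog timestamp prefix does not matter.
delivery_summary() {
    awk '
    function field(re, skip) {   # text matched by re, minus its first skip chars
        if (!match($0, re)) return "-"
        return substr($0, RSTART + skip, RLENGTH - skip)
    }
    / status=/ {
        qid = field("\\]: [0-9A-Za-z]+:", 3); sub(/:$/, "", qid)
        rcpt = field("to=<[^>]+", 4)
        print qid, rcpt, field("dsn=[0-9.]+", 4), field("status=[a-z]+", 7)
    }'
}

# Keep only records whose DSN class is not 2.x.x
# (4.x.x = temporary failure, 5.x.x = permanent failure).
failed_deliveries() {
    delivery_summary | awk '$3 !~ /^2\./'
}

sample_log | failed_deliveries
```

On the server, `sudo cat /var/log/maillog | failed_deliveries` gives the same summary for real traffic.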

With this step, we can say that we have successfully configured Postfix as an MTA. But this may not yet be a well set up mail server. We need to add and configure a few tools to help make it well qualified and secure. We will start adding and configuring the necessary tools during the next sections. This is how our mail server will look after having all its components installed and running:
