Sameer Siruguri

Configuring Postfix and Dovecot: A Few Gotchas

There’s plenty of information online on how to configure Postfix and Dovecot, but it turned out that a few last-mile steps aren’t adequately documented. I remember my first go-around was pretty hairy, but the second time, I found a better starting point and learned from the first experience. So I decided to set things down, both for my benefit and that of others.

This guide is for Ubuntu users, but I take it life isn’t that different for other flavors.

There are two main pieces of software you need to install and configure – Postfix and Dovecot.

Postfix

A good starting point I found was the Community Help Postfix wiki page on the Ubuntu website. It gives you good defaults to start with that will secure your Postfix installation:

  1. Your mail destinations (domains to which your MTA will deliver mail submitted by other servers) should be limited to your own domain. Only your local server should be able to post to the outside world; otherwise you risk being an accessory to spam.

This guide sets you up to use saslauthd, but we will in fact be using Dovecot to do authentication, so in truth you don’t have to do anything more than configure Postfix. You can choose to stop at the step that says, “Configure Postfix to do SMTP AUTH using SASL (saslauthd).”

When you are testing authentication on your server, you’ll have to supply your user ID and password as Base64-encoded values. After telnet’ing to port 25, type AUTH LOGIN, then enter first your user ID and then your password, both base64 encoded. You can perform base64 encoding of a string on this website.
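The tokens can also be produced locally, so a real password never has to be pasted into a third-party encoder; the script below is an added example, not part of the original post, and goes slightly beyond it by also building the AUTH PLAIN token. The user ID `test` and password `testpass` are constructed sample values, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: build SMTP AUTH tokens locally. "test" / "testpass" are
# constructed sample credentials, not values from the original post.
# Base64 is an encoding, not encryption: the tokens decode back trivially.

# Encode exactly the bytes given. printf '%s' adds no trailing newline;
# `echo test | base64` yields dGVzdAo= ("test\n"), so authentication fails.
b64enc() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a token, such as the 334 prompts the server sends after AUTH LOGIN.
b64dec() {
  printf '%s' "$1" | base64 -d
}

# AUTH PLAIN carries one token: NUL, user ID, NUL, password (empty authzid).
auth_plain() {
  printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# The three lines to type into the telnet session for AUTH LOGIN.
auth_login_lines() {
  printf 'AUTH LOGIN\n%s\n%s\n' "$(b64enc "$1")" "$(b64enc "$2")"
}

# Demonstration with the constructed credentials.
echo "Server prompts: $(b64dec VXNlcm5hbWU6) / $(b64dec UGFzc3dvcmQ6)"
auth_login_lines test testpass
echo "AUTH PLAIN $(auth_plain test testpass)"
```
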

Your next step is to set up Dovecot, which will give you SASL authentication (so that your SMTP port is protected) and also give you IMAP and POP access, so you can reach your server email from clients on your desktop.

Dovecot

The Digital Ocean webpage on Dovecot turned out to be a great place to start. I run my VPSes on Digital Ocean, but this page is pretty generic, I think.

Note that if you went through the configuration of saslauthd when installing Postfix, you have already created your own self-signed certificates, so you don’t have to do that part again. Just make sure to get the filenames right when configuring Dovecot.

You can skip ahead to the Dovecot section of this tutorial, of course, though there are instructions on how to set up aliases, which are helpful. They’re right there, just before the Dovecot section starts.

I found, though, that even after you have followed these instructions, the Dovecot daemon is unable to read the user password file. Here’s one error you’ll see:


localhost dovecot: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one

You need to add these lines to your /etc/dovecot/dovecot.conf file:

passdb {
  args = /etc/shadow
  driver = passwd-file
}

You’re not done! Now you’ll see that the dovecot user, which runs the dovecot daemon, can’t access the /etc/shadow file. I tried adding the user to the shadow group, which has read access to the shadow file on my system, but that didn’t work. If anyone reading this can figure out why, let me know! But I fixed it by running dovecot’s auth-worker process as root:

service auth-worker {
 # Auth worker process is run as root by default, so that it can access
 # /etc/shadow. If this isn't necessary, the user should be changed to
 # $default_internal_user.

 user = root
}

And by changing these lines:


service auth {
 unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  # Assuming the default Postfix user and group
  user = postfix
  group = postfix
 }
}

to this:


service auth {
 user = root
 unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  # Assuming the default Postfix user and group
  user = postfix
  group = postfix
 }
}

Now you should be set… let me know if you are not!
