Applicability: Once you have set up a Postfix mail server you should secure the mail transfer and protect the server against unauthorized use. Email sent over the internet without strong encryption can be read by anyone on the path, and an open outgoing mail server is routinely abused by unauthorized users to hide the true source of malicious email. This tutorial shows a relatively simple way to add transport encryption using Let's Encrypt and password authentication using SASL and Dovecot. Typical Postfix configurations are presented that greatly improve the security of your mail server. It assumes that you have previously set up email forwarding with Postfix as described in the Guide to Email Forwarding. Let's Encrypt is used as the certificate authority to secure email communications in much the same way it is used to secure web server communications.
Required Environment: This guide assumes that you have already successfully installed Postfix on a computer running Ubuntu Linux. It shows how to add certificates from Let's Encrypt, but any certificate provider can be used. If you have already secured a web server on the same computer you can reuse the same certificate, provided you add the mail host name (the name that mail clients and other mail servers connect to) to the names the certificate covers.
Installation Process: The basic steps for securing your email server are as follows:
Optional installation of Let's Encrypt: If you have not already installed Let's Encrypt you will need to follow the instructions for installation shown below. If you already have Let's Encrypt installed, you can skip the download from github and go to the "Obtain certificate from LetsEncrypt" step.
Download a clone of Let's Encrypt from the GitHub repo:
Obtain certificate from LetsEncrypt: Change to the Let's Encrypt directory and run Let's Encrypt with the mail subdomain name added to the end of the command:
Configure Ubuntu to renew certificates: Configure crontab from your user account so that a script runs once a month to refresh the certificates (Let's Encrypt certificates are valid for 90 days, so a monthly run leaves margin for a failed attempt). The script will shut down Apache, load the new certificates, and then restart Apache. Postfix and Dovecot must also be reloaded afterwards; their server processes read the certificate files when they start, so without a reload they keep serving the old certificate until it expires.
Create the email address lookup file: The lookup file, /etc/postfix/virtual, is created and converted with postmap in the "Configure postfix" step below.
Configure postfix: First you need to create the main.cf file. Postfix installs with an example file that you can copy and modify as shown below:
Now you need to add three lines to the main.cf file with your favourite editor. I use vi, and you will need to use sudo as shown below:
Go to the end of the file and, after entering insert mode, add the following lines, replacing the example domain and host name with your own. You can list as many virtual domains as you want, as long as you have created an MX record for each that points at this host. Set myhostname to the fully qualified name that the certificate was issued for, since that is the name other servers and clients will verify.
virtual_alias_domains = lucralogic.com otherdomains.com
virtual_alias_maps = hash:/etc/postfix/virtual
myhostname = hostname.lucralogic.com
After you have saved your changes to the main.cf file you need to create the virtual file and add your email routing information. First, create the virtual file by starting the editor as shown below:
Next, add lines like the following to the virtual file to define the desired routing of the emails, replacing the example addresses with your company's addresses:
@lucralogic.com lucralogic@verizon.net mybusiness@gmail.com
In the example shown above, all email to the domain lucralogic.com is forwarded to both lucralogic@verizon.net and mybusiness@gmail.com. In the following example the email for greg is sent to verizon.net and the email for tim is sent to gmail.com. An entry for an exact address takes precedence over an @domain catch-all for the same domain, so the two forms can be combined.
greg@lucralogic.com lucralogic@verizon.net
tim@otherdomains.com mybusiness@gmail.com
After you have saved and exited the virtual file you should convert it to Berkeley DB format with postmap as shown below:
The postmap command creates the file virtual.db, so check that it was created. Postfix reads only the .db file, so rerun postmap every time you edit the virtual file. The last step is to restart Postfix with the following command:
Install and configure Dovecot:
Configure your Email Client:
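The Postfix side of the two protections this tutorial promises, TLS with the Let's Encrypt certificate and SASL password checking delegated to Dovecot, is a handful of main.cf settings. The fragment below is an added example, not configuration taken from the original page; the lineage name mail.example.com is an assumption (use the name you passed to Let's Encrypt), and it assumes Dovecot has been configured to expose its authentication socket at /var/spool/postfix/private/auth (the unix_listener stanza in Dovecot's 10-master.conf). Weak settings are named in the comments next to the values that replace them.

```ini
# --- TLS for the SMTP server (smtpd) using the Let's Encrypt certificate ---
# Use fullchain.pem, not cert.pem: clients that are not sent the intermediate
# CA cannot build a trust path and will fail verification.
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
# Opportunistic STARTTLS on port 25. Setting "encrypt" here would refuse mail
# from the many MX hosts that still send in cleartext; reserve "encrypt" for
# the submission service in master.cf.
smtpd_tls_security_level = may
# Weak setting this replaces: smtpd_tls_auth_only = no (the default), which
# lets a client send its password over an unencrypted session.
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 1

# --- TLS for outgoing mail (smtp client) ---
# Encrypt whenever the remote server offers STARTTLS. With "may" the CA file
# only affects what is logged (Trusted vs Untrusted); it is not enforced.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# --- SASL: Dovecot performs the password check ---
# The socket path is relative to $queue_directory because Ubuntu runs smtpd
# chrooted in /var/spool/postfix.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

# --- Relay policy: the setting that keeps this from being an open relay ---
# Only this host and authenticated users may relay to other domains; everyone
# else may only deliver to domains in mydestination or virtual_alias_domains.
# This is the Postfix 2.10+ default except that unauthorized relaying is
# rejected outright rather than deferred. An open relay is what you get by
# adding "permit" to this list or by widening mynetworks to a range that
# contains machines you do not control.
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```

Two caveats when pasting this in: main.cf only recognises a "#" at the start of a line, so a comment after a value becomes part of the value, and both Postfix and Dovecot read the private key before dropping privileges, so the root-only permissions Let's Encrypt puts on /etc/letsencrypt/live and /etc/letsencrypt/archive can stay as they are. For the port 587 submission service, uncomment the submission entry in master.cf and give it `-o smtpd_tls_security_level=encrypt`, `-o smtpd_sasl_auth_enable=yes` and `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` so that clients can neither submit without TLS nor without a password. Check the result with `sudo postfix check`, `postconf -n` (which prints every non-default value), and `openssl s_client -starttls smtp -connect mail.example.com:25 -servername mail.example.com`, which should end with "Verify return code: 0 (ok)"; successful handshakes also appear in /var/log/mail.log as "TLS connection established" lines. Finally, test that an unauthenticated session from outside mynetworks gets "Relay access denied" when it addresses a domain you do not host.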
Test your installation: To test your installation go to an external email account and send an email to your new business email address, such as greg@lucralogic.com. If everything is working you should receive the email in your third-party mailbox; in this example it is forwarded to your lucralogic@verizon.net account. You can then set up an account in your email client on Windows, Linux, OS X or another operating system to send mail from your business email address. If you have an issue you can check the email routing at any time with the following command:
You can also check for problems reported by Postfix in the following files:
/var/log/mail.log  - all log messages
/var/log/mail.err  - all error messages
/var/log/mail.warn - all warning messages