- Introduction
- Linux Administration Series
- Email System Architecture
- DNS Configuration for Email
- Installing Postfix (SMTP Server)
- Postfix SMTP Authentication and TLS
- Installing Dovecot (IMAP/POP3 Server)
- SPF, DKIM, and DMARC Configuration
- Webmail with Roundcube
- Testing Email Server
- Production Best Practices
- Troubleshooting Common Issues
- Frequently Asked Questions
- Conclusion
Introduction
Email service configuration is a complex but essential Linux administration skill. This comprehensive guide covers Postfix for SMTP, Dovecot for IMAP/POP3, DNS configuration with MX/SPF/DKIM records, TLS encryption, and webmail setup with Roundcube.
We'll explore email delivery architecture, DNS requirements, mail security, spam prevention, and production best practices. Each section includes practical configurations and real-world examples.
Linux Administration Series
This is Part V of our comprehensive 7-part Linux administration guide:
- Part I: File System & Process Management
- Part II: User Authentication & LDAP
- Part III: UFW Firewall & Networking
- Part IV: systemd & SSH Hardening
- Part V: Postfix Email Server (Current Article)
- Part VI: QEMU KVM Virtualization
- Part VII: LVM & RAID Storage
Email System Architecture
Complete Email Flow
Email components:
- MTA (Mail Transfer Agent): Postfix - sends/receives email (SMTP)
- MDA (Mail Delivery Agent): Dovecot LDA - delivers to mailbox
- MUA (Mail User Agent): Thunderbird, Outlook - reads email
- IMAP/POP3 Server: Dovecot - provides mailbox access
DNS Configuration for Email
Required DNS Records
Essential DNS records:
# A Record - Points to mail server IP
mail.example.com. 14400 IN A 203.0.113.50
# MX Record - Mail exchanger
example.com. 14400 IN MX 10 mail.example.com.
# SPF Record - Authorized sending servers
example.com. 14400 IN TXT "v=spf1 ip4:203.0.113.50 -all"
# DKIM Record - Email signature
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0..."
# PTR Record - Reverse DNS (set by ISP)
50.113.0.203.in-addr.arpa. IN PTR mail.example.com.
# DMARC Record - Policy for failed auth
_dmarc.example.com. 14400 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
Prerequisites:
- Static IP address - Required for mail server
- Valid domain name - With access to DNS management
- Reverse DNS (PTR) - Must match forward DNS
- IP not blacklisted - Check at mxtoolbox.com/blacklists.aspx
- Open firewall ports - 25 (SMTP), 587 (submission), 143 (IMAP), 993 (IMAPS)
Installing Postfix (SMTP Server)
Postfix Architecture
Installing Postfix:
# Install Postfix (Postfix documentation: http://www.postfix.org/documentation.html)
sudo apt install postfix
# During installation, select:
# - General type: Internet Site
# - System mail name: example.com
# Check Postfix status
systemctl status postfix
# Main configuration file
sudo vim /etc/postfix/main.cf
Basic Postfix configuration (/etc/postfix/main.cf):
# Hostname and domain
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
# Listen on all interfaces
inet_interfaces = all
inet_protocols = ipv4
# Trusted networks
mynetworks = 127.0.0.0/8, 192.168.1.0/24
# Destination domains (receive mail for)
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
# Mailbox location (Maildir format)
home_mailbox = Maildir/
# SMTP banner
smtpd_banner = $myhostname ESMTP
# Message size limit (50MB)
message_size_limit = 52428800
# Restart Postfix
sudo systemctl restart postfix
Firewall configuration:
# Allow SMTP ports
sudo ufw allow 25/tcp # SMTP (incoming)
sudo ufw allow 587/tcp # Submission (outgoing with auth)
sudo ufw allow 465/tcp # SMTPS (deprecated, use 587)
Postfix SMTP Authentication and TLS
TLS Encryption Flow
Configure TLS encryption:
# Generate self-signed certificate (for testing)
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/mail.key \
-out /etc/ssl/certs/mail.crt
# Set permissions
sudo chmod 600 /etc/ssl/private/mail.key
# Edit /etc/postfix/main.cf
sudo vim /etc/postfix/main.cf
# Add TLS settings:
# TLS for incoming mail (SMTP on port 25)
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
# TLS for outgoing mail
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
Configure SMTP authentication (submission port 587):
# Edit /etc/postfix/master.cf
sudo vim /etc/postfix/master.cf
# Enable submission port (the -o lines must start with whitespace:
# master.cf treats an unindented line as the start of a new service entry):
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# Restart Postfix
sudo systemctl restart postfix
Installing Dovecot (IMAP/POP3 Server)
Dovecot Architecture
Installing Dovecot:
# Install Dovecot with IMAP and POP3 (Dovecot documentation: https://doc.dovecot.org/)
sudo apt install dovecot-core dovecot-imapd dovecot-pop3d
# Check status
systemctl status dovecot
# Main configuration
ls /etc/dovecot/
ls /etc/dovecot/conf.d/
Dovecot mail location (/etc/dovecot/conf.d/10-mail.conf):
sudo vim /etc/dovecot/conf.d/10-mail.conf
# Set mailbox format and location
mail_location = maildir:~/Maildir
# Mailbox permissions
mail_privileged_group = mail
Dovecot authentication (/etc/dovecot/conf.d/10-auth.conf):
sudo vim /etc/dovecot/conf.d/10-auth.conf
# Refuse the plaintext mechanisms (PLAIN, LOGIN) on unencrypted connections;
# they remain available once the session is protected by TLS
disable_plaintext_auth = yes
auth_mechanisms = plain login
Dovecot SSL/TLS (/etc/dovecot/conf.d/10-ssl.conf):
sudo vim /etc/dovecot/conf.d/10-ssl.conf
# Enable SSL/TLS
ssl = yes
ssl_cert = </etc/ssl/certs/mail.crt
ssl_key = </etc/ssl/private/mail.key
# Disable old protocols
ssl_min_protocol = TLSv1.2
ssl_cipher_list = HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers = yes
Enable Postfix SASL authentication (/etc/dovecot/conf.d/10-master.conf):
sudo vim /etc/dovecot/conf.d/10-master.conf
# Uncomment and configure:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Restart services:
sudo systemctl restart dovecot
sudo systemctl restart postfix
# Open IMAP/POP3 ports
sudo ufw allow 143/tcp # IMAP
sudo ufw allow 993/tcp # IMAPS (IMAP over SSL)
sudo ufw allow 110/tcp # POP3
sudo ufw allow 995/tcp # POP3S (POP3 over SSL)
SPF, DKIM, and DMARC Configuration
Email Authentication Flow
SPF Configuration (DNS TXT record):
# Allow mail from your server IP only (SPF specification: https://www.rfc-editor.org/rfc/rfc7208)
example.com. IN TXT "v=spf1 ip4:203.0.113.50 -all"
# Allow mail from your server and Google (if using Gmail)
example.com. IN TXT "v=spf1 ip4:203.0.113.50 include:_spf.google.com -all"
# SPF mechanisms:
# ip4:IP - authorize IPv4 address
# ip6:IP - authorize IPv6 address
# a - authorize A record IPs
# mx - authorize MX record IPs
# include:domain - include another domain's SPF
# -all - fail all others (strict)
# ~all - soft fail all others (recommended)
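The evaluation a receiving server performs on the record above, as an added Python example that is not part of the original article: a reduced SPF check_host() covering the ip4, ip6, include and all mechanisms with all four qualifiers, run against a constructed in-memory zone table instead of live DNS. The _spf.google.com record is a stand-in, not Google's real record, and a, mx, exists and macros are deliberately left out.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (no live DNS).
# example.com carries the article's record; _spf.google.com is a stand-in.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.50 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=TXT_RECORDS, depth=0):
    """Subset of RFC 7208 check_host(): ip4, ip6, include and all only."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms (include etc.) at 10
        return "permerror"
    record = records.get(domain.lower().rstrip("."))
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"  # mechanisms default to the "+" (pass) qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            inner = check_host(ip, arg, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism not handled by this subset
    return "neutral"  # record exhausted without a match and without "all"
```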
DKIM Configuration:
# Install OpenDKIM (DKIM specification: https://www.rfc-editor.org/rfc/rfc6376)
sudo apt install opendkim opendkim-tools
# Generate DKIM keys
sudo mkdir -p /etc/opendkim/keys/example.com
sudo opendkim-genkey -b 2048 -d example.com -D /etc/opendkim/keys/example.com -s default -v
# Set permissions
sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod 600 /etc/opendkim/keys/example.com/default.private
# View public key for DNS
sudo cat /etc/opendkim/keys/example.com/default.txt
# Add to DNS as TXT record:
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
# Configure OpenDKIM
sudo vim /etc/opendkim.conf
# Configuration:
Syslog yes
UMask 002
Domain example.com
Selector default
KeyFile /etc/opendkim/keys/example.com/default.private
Socket inet:8891@localhost
# Configure Postfix to use DKIM
sudo vim /etc/postfix/main.cf
# Add:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
# Restart services
sudo systemctl restart opendkim
sudo systemctl restart postfix
DMARC Configuration (DNS TXT record):
# DMARC policy (DMARC specification: https://www.rfc-editor.org/rfc/rfc7489)
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; pct=100"
# DMARC parameters:
# p=none - monitor only (no action)
# p=quarantine - send to spam
# p=reject - reject message
# rua= - aggregate reports
# ruf= - forensic reports
# pct= - percentage of messages to apply policy (100 = all)
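How a receiver turns the record above into a disposition, as an added Python example that is not part of the original article: the SPF and DKIM results are checked for alignment with the From: domain and, when neither aligned identifier passed, the p= action applies. The organizational-domain approximation (last two labels) is an assumption of this example; real validators use the Public Suffix List, and pct sampling is not modeled.

```python
# Constructed example for the article's _dmarc.example.com record. The
# organizational domain is approximated as the last two labels (assumption;
# real validators use the Public Suffix List); pct sampling is not modeled.
RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; "
          "ruf=mailto:dmarc-forensics@example.com; pct=100")

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; v=DMARC1 and a valid p= are required."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("invalid DMARC record: %r" % record)
    return tags


def org_domain(domain):
    """Approximate organizational domain: mail.example.com -> example.com."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """'pass' if an aligned SPF (MAIL FROM) or DKIM (d=) identifier passed, else the p= action."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]
```

A forwarded message typically breaks SPF but keeps its DKIM signature, which is why the second case below still passes.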
Webmail with Roundcube
Roundcube Architecture
Installing Roundcube:
# Install Apache, PHP, and dependencies
sudo apt install apache2 php php-mysql php-json php-mbstring php-xml php-zip php-curl php-intl
# Install Roundcube
sudo apt install roundcube roundcube-mysql
# During installation:
# - Configure database: Yes
# - Database type: mysql
# - Database password: [set password]
# Configure Apache for Roundcube
sudo vim /etc/apache2/conf-available/roundcube.conf
# Add:
Alias /roundcube /usr/share/roundcube
<Directory /usr/share/roundcube>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# Enable configuration
sudo a2enconf roundcube
sudo systemctl reload apache2
# Access Roundcube at:
# http://mail.example.com/roundcube
Roundcube configuration (/etc/roundcube/config.inc.php):
<?php
// IMAP server
$config['default_host'] = 'ssl://mail.example.com';
$config['default_port'] = 993;
// SMTP server
$config['smtp_server'] = 'tls://mail.example.com';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
// Product name
$config['product_name'] = 'Example Mail';
// Plugins
$config['plugins'] = array('archive', 'zipdownload', 'password');
?>
Testing Email Server
Test SMTP locally:
# Send test email
echo "Test message" | mail -s "Test Subject" user@example.com
# Check mail queue
mailq
postqueue -p
# Check logs
sudo tail -f /var/log/mail.log
sudo tail -f /var/log/mail.err
# Test SMTP connection
telnet mail.example.com 25
# Test submission with auth
openssl s_client -connect mail.example.com:587 -starttls smtp
Test from external servers:
# MX record lookup
dig MX example.com
# SPF record check
dig TXT example.com
# DKIM record check
dig TXT default._domainkey.example.com
# Test with external tools:
# - mxtoolbox.com - comprehensive email testing
# - mail-tester.com - spam score testing
Production Best Practices
- DNS Configuration:
  - Always configure PTR (reverse DNS)
  - Implement SPF, DKIM, and DMARC
  - Monitor DMARC reports
  - Keep DNS TTL reasonable (14400)
- Security:
  - Always use TLS encryption
  - Require SMTP authentication on port 587
  - Disable plain text auth except over TLS
  - Implement fail2ban for brute-force protection
  - Regular security updates
- Spam Prevention:
  - Configure SpamAssassin
  - Implement greylisting
  - Use RBL (Real-time Blackhole Lists)
  - Monitor mail logs for abuse
- Performance:
  - Use Maildir format (better than mbox)
  - Implement mail quotas
  - Configure message size limits
  - Monitor disk usage
- Backup:
  - Regular mailbox backups
  - Backup configurations
  - Test restore procedures
  - Document all settings
Troubleshooting Common Issues
Mail not being received:
# Check if Postfix is listening
sudo ss -tlnp | grep :25
# Check DNS MX records
dig MX example.com
# Check if port 25 is blocked by ISP
telnet mail.example.com 25
# Check Postfix logs
sudo tail -f /var/log/mail.log | grep -i error
Mail sent to spam:
# Check SPF record
dig TXT example.com
# Check DKIM signature
sudo journalctl -u opendkim -f
# Check reverse DNS
dig -x 203.0.113.50
# Test at mail-tester.com
# Send email to generated address
Authentication failing:
# Check Dovecot SASL
sudo doveadm auth test user@example.com
# Check Postfix SASL
sudo postconf smtpd_sasl_auth_enable
# Check logs
sudo tail -f /var/log/mail.log | grep auth
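To go one step beyond grep and count SASL failures per client (the warning line that fail2ban's postfix filter keys on), an added Python example that is not part of the original article, run over a constructed mail.log excerpt. The sample lines and the maxretry threshold are constructed for illustration; the log format follows what the submission service configured above writes.

```python
import re
from collections import Counter

# Constructed /var/log/mail.log excerpt (not real server output).
SAMPLE_LOG = """\
Jun  1 10:00:01 mail postfix/submission/smtpd[2311]: connect from unknown[198.51.100.23]
Jun  1 10:00:02 mail postfix/submission/smtpd[2311]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  1 10:00:03 mail postfix/submission/smtpd[2311]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  1 10:00:04 mail postfix/submission/smtpd[2311]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Jun  1 10:00:05 mail postfix/submission/smtpd[2311]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Jun  1 10:00:06 mail postfix/submission/smtpd[2311]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Jun  1 10:01:10 mail postfix/submission/smtpd[2312]: connect from laptop.example.com[192.168.1.40]
Jun  1 10:01:11 mail postfix/submission/smtpd[2312]: warning: laptop.example.com[192.168.1.40]: SASL PLAIN authentication failed: authentication failure
Jun  1 10:01:20 mail postfix/submission/smtpd[2312]: client=laptop.example.com[192.168.1.40], sasl_method=PLAIN, sasl_username=alice
"""

# Client IP and SASL mechanism from a failed-authentication warning; Postfix
# logs IPv6 clients as [IPv6:addr], hence the optional prefix.
SASL_FAIL = re.compile(
    r"postfix/\S*smtpd\[\d+\]: warning: \S+\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>[\w-]+) authentication failed"
)


def count_sasl_failures(log_text):
    """Failed SASL authentications per client IP; one typo from a real user looks different from a run of failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, maxretry=5):
    """IPs with at least maxretry failures (a constructed threshold), most failures first."""
    counts = count_sasl_failures(log_text)
    return sorted((ip for ip, n in counts.items() if n >= maxretry),
                  key=lambda ip: -counts[ip])


if __name__ == "__main__":
    for ip, n in count_sasl_failures(SAMPLE_LOG).most_common():
        print("%-16s %d failed SASL logins" % (ip, n))
    print("ban candidates:", offenders(SAMPLE_LOG))
```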
TLS certificate issues:
# Test TLS connection
openssl s_client -connect mail.example.com:993
openssl s_client -connect mail.example.com:587 -starttls smtp
# Check certificate dates
openssl x509 -in /etc/ssl/certs/mail.crt -noout -dates
# Verify certificate chain
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/mail.crt
Frequently Asked Questions
Q: What is the difference between Postfix and Dovecot?
Postfix is an MTA (Mail Transfer Agent) that handles SMTP for sending and receiving emails between servers. Dovecot is an MDA (Mail Delivery Agent) providing IMAP and POP3 for users to access mailboxes. Postfix receives mail and passes it to Dovecot for storage. Use both together for complete email server functionality.
Q: What are SPF, DKIM, and DMARC records?
SPF (Sender Policy Framework) lists authorized mail servers in DNS TXT records. DKIM (DomainKeys Identified Mail) cryptographically signs emails with private keys verified by public DNS records. DMARC (Domain-based Message Authentication) defines policies for SPF/DKIM failures. Together they prevent email spoofing and improve deliverability.
Q: How do I configure TLS encryption for email?
Configure TLS in Postfix with smtpd_tls_cert_file and smtpd_tls_key_file pointing to the certificate and key. Set smtpd_tls_security_level = may for opportunistic TLS or encrypt for mandatory TLS, as in the submission service above. Configure Dovecot with ssl=yes and the ssl_cert/ssl_key directives. Use Let's Encrypt certificates for free trusted TLS certificates.
Q: What ports do email services use?
SMTP uses port 25 for server-to-server, 587 for authenticated submission with STARTTLS, and 465 for SMTPS. IMAP uses 143 for plain and 993 for SSL/TLS. POP3 uses 110 for plain and 995 for SSL/TLS. Modern servers should use encrypted ports 587, 993, and 995 exclusively.
Q: How does email authentication work with SASL?
SASL (Simple Authentication and Security Layer) provides authentication for SMTP submission. Dovecot SASL authenticates users against system accounts or databases. Postfix integrates with Dovecot SASL to verify credentials before accepting mail. Configure with smtpd_sasl_auth_enable=yes and smtpd_sasl_type=dovecot. Requires TLS to protect credentials.
Q: Why are my emails going to spam?
Emails land in spam due to missing SPF/DKIM/DMARC records, no reverse DNS, shared IP reputation, poor content quality, or invalid TLS certificates. Test with mail-tester.com for scoring. Configure proper DNS authentication, use dedicated IPs, warm up IP reputation gradually, and avoid spam trigger words.
Q: How do I set up webmail with Roundcube?
Install Roundcube via package manager or download from roundcube.net. Configure Apache/Nginx virtual host pointing to Roundcube directory. Configure database settings in config/config.inc.php. Set IMAP/SMTP server to localhost. Enable plugins in config. Access via browser at https://mail.example.com/roundcube. Secure with HTTPS certificates.
Conclusion
Linux email service configuration requires proper setup of Postfix SMTP, Dovecot IMAP/POP3, DNS records, and security measures. Understanding MTA/MDA architecture, SPF/DKIM/DMARC authentication, TLS encryption, and webmail integration is essential for reliable email delivery.
Choose appropriate configurations: Postfix for SMTP with TLS, Dovecot for mailbox access, complete DNS setup with SPF/DKIM/DMARC, and Roundcube for webmail. Implement security best practices, monitor deliverability, and maintain regular backups for production email systems.