Part 2: Install Dovecot IMAP server on Ubuntu & Enable TLS Encryption

This is part 2 of the tutorial series on building your own secure email server on Ubuntu. In part 1, we showed you how to set up a basic Postfix SMTP server. In this tutorial, we are going to configure our email server so that we can receive and send emails using a desktop email client like Mozilla Thunderbird or Microsoft Outlook.

To be able to send emails using a desktop email client, we need to do a little bit of configuration on Postfix. To receive emails using a desktop email client, we can install an open-source IMAP server named Dovecot on the Ubuntu server. And to encrypt our communications, we need a TLS certificate.

Open Ports in Firewall

Ubuntu doesn’t enable a firewall by default. If you have enabled the UFW firewall, then you need to run the following command to open the email-related ports in the firewall.

sudo ufw allow 80,443,587,465,143,993/tcp

If you use POP3 to fetch emails (I personally don’t), then also open ports 110 and 995.

sudo ufw allow 110,995/tcp

Securing Email Server Traffic with TLS Certificate

When we configure a desktop email client, enabling encryption is always a good idea. We can easily obtain a free TLS certificate from Let’s Encrypt. Issue the following commands to install the Let’s Encrypt client (certbot) on the Ubuntu server from the official PPA.

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot

If you don’t have a web server running yet, I recommend you install one (Apache or Nginx), because it’s easier to obtain and install TLS certificate with a web server than using other methods. And in a later tutorial, I will show you how to set up webmail, which requires running a web server.

If you use Apache web server, you need to install the Apache plugin. (The following command will install Apache web server if it’s not already installed on your system.)

sudo apt install python3-certbot-apache

If you use Nginx web server, then install the Nginx plugin. (The following command will install Nginx web server if it’s not already installed on your system.)

sudo apt install python3-certbot-nginx

Obtaining TLS Certificate with Apache Web Server

You need to have an Apache virtual host for mail.your-domain.com before obtaining a Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/apache2/sites-available/mail.your-domain.com.conf

Then paste the following text into the file.

<VirtualHost *:80>        
        ServerName mail.your-domain.com

        DocumentRoot /var/www/mail.your-domain.com
</VirtualHost>

Save and close the file. Then create the web root directory.

sudo mkdir /var/www/mail.your-domain.com

Set www-data (Apache user) as the owner of the web root.

sudo chown www-data:www-data /var/www/mail.your-domain.com -R

Enable this virtual host.

sudo a2ensite mail.your-domain.com.conf

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Once the virtual host is created and enabled, run the following command to obtain and install the Let’s Encrypt TLS certificate.

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email your-email-address -d mail.your-domain.com

Replace your-email-address and mail.your-domain.com with your actual data. If the certificate is obtained successfully, certbot prints a confirmation message together with the directory in which your certificate is stored.

Obtaining TLS Certificate with Nginx Web Server

You need to have an Nginx virtual host for mail.your-domain.com before obtaining a Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/nginx/conf.d/mail.your-domain.com.conf

Next, paste the following text into the file.

server {
      listen 80;
      listen [::]:80;
      server_name mail.your-domain.com;

      root /var/www/mail.your-domain.com/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}

Save and close the file. Then create the web root directory.

sudo mkdir /var/www/mail.your-domain.com/

Set www-data (Nginx user) as the owner of the web root.

sudo chown www-data:www-data /var/www/mail.your-domain.com -R

Reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Once the virtual host is created and enabled, run the following command to obtain and install the Let’s Encrypt certificate with the Nginx plugin.

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email your-email-address -d mail.your-domain.com

If the certificate is obtained successfully, certbot prints a confirmation message together with the directory in which your certificate is stored.

Enable Submission Service in Postfix

To send emails from a desktop email client, we need to enable the submission service of Postfix so that the email client can submit emails to Postfix SMTP server. Edit the master.cf file.

sudo nano /etc/postfix/master.cf

In the submission section, uncomment or add the following lines. Leave at least one whitespace character (tab or space) before -o. In Postfix configuration files, leading whitespace means that the line is a continuation of the previous line. (By default the submission section is commented out. You can copy the following lines and paste them into the file, so you don’t have to manually uncomment or add new text.)

submission     inet     n    -    y    -    -    smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_wrappermode=no
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth

The above configuration enables the submission daemon of Postfix and requires TLS encryption, so that our desktop email client can later connect to the submission daemon over an encrypted connection. The submission daemon listens on TCP port 587. STARTTLS is used to encrypt communications between the email client and the submission daemon.

Microsoft Outlook mail client only supports submission over port 465. If you are going to use Microsoft Outlook, then you also need to enable submission service on port 465 by adding the following lines in the file.

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

Save and close the file.

Hint: The SMTP protocol is used when an email client submits emails to an SMTP server.
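
The continuation rule and the per-service overrides above can be checked mechanically. The following Python sketch is an added example, not part of the original tutorial or of Postfix: it joins continuation lines the way master.cf defines them and reports submission listeners that lack mandatory TLS, SASL or a final reject, plus stray arguments left behind when an -o value contains a space. The sample file and all function names are constructed for illustration, and the `-o { name = value }` brace form is not handled.

```python
# Added example: audit the -o overrides of Postfix submission listeners.
# SAMPLE_MASTER_CF is constructed: the tutorial's submission entry plus a
# deliberately mistyped smtps entry (space after a comma, SASL line missing).
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
submission     inet     n    -    y    -    -    smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_wrappermode=no
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
# Outlook listener, mistyped on purpose
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated, reject
"""


def logical_lines(text):
    """Join continuation lines: a line starting with whitespace continues the
    previous logical line; blank lines and # comments are skipped."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_inet_services(text):
    """Return {service: (overrides, stray_tokens)} for every inet service."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        # service type private unpriv chroot wakeup maxproc command [args...]
        if len(fields) < 8 or fields[1] != "inet":
            continue
        args, overrides, stray = fields[8:], {}, []
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, _, value = args[i + 1].partition("=")
                overrides[key] = value
                i += 2
            elif args[i].startswith("-"):
                i += 1  # some other daemon option; not audited here
            else:
                stray.append(args[i])  # value fragment split off by whitespace
                i += 1
        services[fields[0]] = (overrides, stray)
    return services


def audit_submission(text, wanted=("submission", "smtps")):
    """Return findings for listeners that accept mail from email clients.
    Only master.cf overrides are inspected, not main.cf defaults."""
    findings = []
    services = parse_inet_services(text)
    for name in wanted:
        if name not in services:
            findings.append(f"{name}: service is not enabled")
            continue
        opts, stray = services[name]
        for token in stray:
            findings.append(
                f"{name}: stray argument {token!r} (whitespace inside an -o value?)")
        if (opts.get("smtpd_tls_security_level") != "encrypt"
                and opts.get("smtpd_tls_wrappermode") != "yes"):
            findings.append(f"{name}: TLS is not mandatory")
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            findings.append(f"{name}: SASL authentication is not enabled")
        relay = opts.get("smtpd_relay_restrictions", "")
        if relay.split(",")[-1] != "reject":
            findings.append(
                f"{name}: smtpd_relay_restrictions is missing or does not end in reject")
    return findings


if __name__ == "__main__":
    for finding in audit_submission(SAMPLE_MASTER_CF):
        print(finding)
```

To audit the live file, pass its contents instead of the sample: audit_submission(open("/etc/postfix/master.cf").read()).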

Next, we need to specify the location of the TLS certificate and private key in the Postfix configuration file. Edit the main.cf file.

sudo nano /etc/postfix/main.cf

Edit the TLS parameters as follows:

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_security_level=may 
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#Enforce TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Your Let’s Encrypt certificate and private key are stored under /etc/letsencrypt/live/mail.your-domain.com/ directory.

Save and close the file. Then restart Postfix.

sudo systemctl restart postfix

If you run the following command, you will see Postfix is now listening on port 587 and 465.

sudo netstat -lnpt | grep master

Installing Dovecot IMAP Server

Enter the following command to install Dovecot core package and the IMAP daemon package on Ubuntu server.

sudo apt install dovecot-core dovecot-imapd

If you use POP3 to fetch emails, then also install the dovecot-pop3d package.

sudo apt install dovecot-pop3d

Check Dovecot version:

dovecot --version

Sample output:

2.2.22 (fe789d2)

Enabling IMAP/POP3 Protocol

First, edit main config file.

sudo nano /etc/dovecot/dovecot.conf

Add the following line to enable IMAP protocol.

protocols = imap

If you use POP3 to fetch emails, then also add POP3 protocol.

protocols = imap pop3

Save and close the file.

Configuring Mailbox Location

By default, Postfix and Dovecot use the mbox format to store emails. Each user’s emails are stored in a single file, /var/mail/username. You can run the following command to find the mail spool directory.

postconf mail_spool_directory

Sample output:

mail_spool_directory = /var/mail

The config file for mailbox location is /etc/dovecot/conf.d/10-mail.conf.

sudo nano  /etc/dovecot/conf.d/10-mail.conf

The default configuration is as follows, which is fine for a small email server. (In part 3 of this tutorial series, I will show you how to use the Maildir format with virtual mailbox domains.)

mail_location = mbox:~/mail:INBOX=/var/mail/%u

We need to add the following line in the file. (On Ubuntu 18.04 and 20.04, this line is already in the file.)

mail_privileged_group = mail

Save and close the file. Then add dovecot to the mail group so that Dovecot can read the INBOX.

sudo adduser dovecot mail

Configuring Authentication Mechanism

Edit the authentication config file.

sudo nano /etc/dovecot/conf.d/10-auth.conf

Uncomment the following line.

disable_plaintext_auth = yes

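This disables plaintext authentication when there’s no SSL/TLS encryption. If you want to log in with a full email address (username@your-domain.com), add the following line to the file. The %n variable keeps only the username part of the address, which is then matched against the local Unix account.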

auth_username_format = %n

Otherwise, you can log in with the username only (without @your-domain.com). Next, find the following line.

auth_mechanisms = plain

This line only enables the PLAIN authentication mechanism. LOGIN is another authentication mechanism you probably want to add to support older email clients.

auth_mechanisms = plain login

Save and close the file.

Configuring SSL/TLS Encryption

Next, edit SSL/TLS config file.

sudo nano /etc/dovecot/conf.d/10-ssl.conf

Change ssl = yes to ssl = required to enforce encryption.

ssl = required

Then specify the location of your SSL/TLS cert and private key. Don’t leave out the < character. It’s necessary.

ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem

Find the following line.

ssl_prefer_server_ciphers = no

It’s a good practice to prefer the server’s order of ciphers over client’s. So change the value to yes.

ssl_prefer_server_ciphers = yes

We can also disable SSLv3, TLSv1 and TLSv1.1 by adding the following line.

ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

Note: if you are using Dovecot 2.3.x or above, then you should add the following line instead, which will force Dovecot to use TLSv1.2 or TLSv1.3.

ssl_min_protocol = TLSv1.2

SASL Authentication Between Postfix and Dovecot

Edit the following file.

sudo nano /etc/dovecot/conf.d/10-master.conf

Change service auth section to the following so that Postfix can find the Dovecot authentication server.

service auth {
    unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
    }
}

Save and close the file.

Auto-create Sent and Trash Folder

Edit the below config file.

sudo nano /etc/dovecot/conf.d/15-mailboxes.conf

To auto-create a folder, simply add the following line in the mailbox section.

auto = create

Example:

 mailbox Trash {
    auto = create
    special_use = \Trash
 }

Common folders you will want to create include Drafts, Junk, Trash and Sent. These folders will be created in the user’s home directory. After you save and close all of the above config files, restart Dovecot.

sudo systemctl restart dovecot

Dovecot will be listening on port 143 (IMAP) and 993 (IMAPS), as can be seen with:

sudo netstat -lnpt | grep dovecot

If there’s a configuration error, Dovecot will fail to restart, so it’s a good idea to check whether Dovecot is running with the following command.

systemctl status dovecot

We also need to restart Postfix to allow the LOGIN authentication mechanism.

sudo systemctl restart postfix

Using Dovecot to Deliver Email to Message Store

By default, Postfix uses its builtin local delivery agent (LDA) to move inbound emails to the message store (inbox, sent, trash, Junk, etc). We can configure it to use Dovecot to deliver emails, via the LMTP protocol, which is a simplified version of SMTP. LMTP allows for a highly scalable and reliable mail system. This step is required if you want to use the sieve plugin to filter inbound messages to different folders.

Install the Dovecot LMTP Server.

sudo apt install dovecot-lmtpd

Edit the Dovecot main configuration file.

sudo nano /etc/dovecot/dovecot.conf

Add lmtp to the supported protocols.

protocols = imap lmtp

Save and close the file. Then edit the Dovecot 10-master.conf file.

sudo nano /etc/dovecot/conf.d/10-master.conf

Change the lmtp service definition to the following.

service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   mode = 0600
   user = postfix
   group = postfix
  }
}

Next, edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following lines at the end of the file. The first line tells Postfix to deliver emails to local message store via the dovecot LMTP server.  The second line disables SMTPUTF8 in Postfix, because Dovecot-LMTP doesn’t support this email extension.

mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no

Save and close the file. Finally, restart Postfix and Dovecot.

sudo systemctl restart postfix dovecot
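
The authentication, SSL/TLS and socket settings made in the Dovecot sections above can be verified in one pass. This added Python example (not from the original tutorial or the Dovecot project) parses text in Dovecot's configuration syntax, such as the output of doveconf -a, and reports the settings that differ from what this tutorial configures. The sample text and function names are constructed for illustration.

```python
# Added example: check the Dovecot settings this tutorial configures.
# SAMPLE_DOVECONF is a constructed excerpt in Dovecot's config syntax (the
# syntax `doveconf -a` prints); three values are weakened on purpose.
SAMPLE_DOVECONF = """\
disable_plaintext_auth = yes
auth_mechanisms = plain login
ssl = yes
ssl_min_protocol = TLSv1
ssl_prefer_server_ciphers = yes
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
"""


def parse_conf(text):
    """Parse 'key = value' lines and 'section name { ... }' blocks into
    nested dicts. Comment lines and !include directives are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][" ".join(line[:-1].split())] = child
            stack.append(child)
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root


def tls_floor_ok(conf):
    """True if TLS 1.0/1.1 are off, via ssl_min_protocol (Dovecot 2.3.x)
    or the ssl_protocols exclusion list (Dovecot 2.2.x)."""
    if conf.get("ssl_min_protocol") in ("TLSv1.2", "TLSv1.3"):
        return True
    excluded = set(conf.get("ssl_protocols", "").split())
    return {"!SSLv3", "!TLSv1", "!TLSv1.1"} <= excluded


def audit_dovecot(text):
    """Return a list of findings; an empty list means the tutorial's
    settings are all in place."""
    conf = parse_conf(text)
    findings = []
    ssl = conf.get("ssl")
    if ssl != "required":
        findings.append(f"ssl = {ssl}, expected required")
    if conf.get("disable_plaintext_auth") != "yes":
        findings.append("disable_plaintext_auth is not yes")
    if not tls_floor_ok(conf):
        findings.append("TLS versions below 1.2 are not disabled")
    # Sockets shared with Postfix live under its queue directory.
    for sname, section in conf.items():
        if not (isinstance(section, dict) and sname.startswith("service ")):
            continue
        for lname, listener in section.items():
            if not (isinstance(listener, dict)
                    and lname.startswith("unix_listener ")):
                continue
            path = lname.split(None, 1)[1]
            if not path.startswith("/var/spool/postfix/"):
                continue
            mode = listener.get("mode")
            if mode is None:
                findings.append(f"{path}: mode is not set")
            elif int(mode, 8) & 0o007:
                findings.append(
                    f"{path}: mode {mode} has permission bits set for other users")
            if listener.get("user") != "postfix":
                findings.append(f"{path}: socket owner is not postfix")
    return findings


if __name__ == "__main__":
    for finding in audit_dovecot(SAMPLE_DOVECONF):
        print(finding)
```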

Configure Desktop Email Client

Now open up your desktop email client such as Mozilla Thunderbird and add a mail account.

  • In the incoming server section, select IMAP protocol, enter mail.your-domain.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter mail.your-domain.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Hint: You can also use port 993 with SSL/TLS encryption for IMAP, and use port 465 with SSL/TLS encryption for SMTP.

You should now be able to connect to your own email server and also send and receive emails with your desktop email client!

We use local Unix accounts as email addresses, as we did in part 1. For example, if you have a user called user1 on your Ubuntu server, then you have an email address: user1@your-domain.com, and the password for the email address is the same as the password of the user1 user.

Troubleshooting Tips

If you can’t log into your mail server from a desktop mail client, scan your mail server to find if the ports are open. Note that you should run the following command from another Linux computer or server. If you run it on your mail server, then the ports will always appear to be open.

sudo nmap mail.your-domain.com

And check if Dovecot is running.

systemctl status dovecot

You can also check the mail log (/var/log/mail.log), which may give you some clues.

Automatically Clean the Junk Folder and Trash Folder

To delete emails in Junk folder for all users, you can run

sudo doveadm expunge -A mailbox Junk all

To delete emails in Trash folder, run

sudo doveadm expunge -A mailbox Trash all

I think it’s better to clean emails that have been in the Junk or Trash folder for more than 2 weeks, instead of cleaning all emails.

sudo doveadm expunge -A mailbox Junk savedbefore 2w

Then add a cron job to automate the job.

sudo crontab -e

Add the following line to clean Junk and Trash folder every day.

@daily doveadm expunge -A mailbox Junk savedbefore 2w;doveadm expunge -A mailbox Trash savedbefore 2w

To receive a report when a cron job produces an error, you can add the following line above all cron jobs.

MAILTO="your-email-address"

Save and close the file. And you’re done.

If you see the following error:

doveadm(nobody): Error: User initialization failed: Namespace '': mkdir(/nonexistent/mail) failed: Permission denied (euid=65534(nobody) egid=65534(nogroup))
doveadm(nobody): Error: User init failed

That’s because the command will be performed for all users, including the nobody user. Since the nobody user’s home directory is /nonexistent/, an error would occur because the nobody user can’t create the /nonexistent/ directory.

You can ignore this error by redirecting the error to /dev/null. A better approach would be getting the user list from a file. You can list users with:

sudo doveadm user '*'

Then you can use sed to delete the line containing the word “nobody” and save the result into a text file.

sudo doveadm user '*' | sed '/nobody/d' > userlist.txt

Now we can use doveadm-expunge like below.

sudo doveadm expunge -F userlist.txt mailbox Trash savedbefore 2w

Note that if you use virtual mailbox domain as described in part 3, there would be no such error, because the user list is obtained from MySQL/MariaDB database.

Auto-Renew TLS Certificate

You can create a cron job to automatically renew the TLS certificate. Simply open the root user’s crontab file.

sudo crontab -e

If you use Apache web server, add the following line at the bottom of the file.

@daily certbot renew --quiet && systemctl reload postfix dovecot apache2

If you are using Nginx web server, then add the following line.

@daily certbot renew --quiet && systemctl reload postfix dovecot nginx

Reloading Postfix, Dovecot and the web server is necessary to make these programs pick up the new certificate and private key.

Wrapping Up

I hope this article helped you set up Postfix and Dovecot on Ubuntu server. In part 3, I will show you how to create virtual mailboxes.

113 Responses to “Part 2: Install Dovecot IMAP server on Ubuntu & Enable TLS Encryption”

  • jubakala
    2 years ago

    Finally, a tutorial that tells everything that’s needed, not only parts of it. And finally, after about 12 hours of trying, I have a working email-server. So THANKS a lot!

    • I’m looking for a reliable source which helps me to set up a mail server (Ubuntu 19.10)
      This seems better I will try with this….

      Looking for suggestions from all friends
      Thanks

  • This is THE best postfix/dovecot tutorial on the web. Thank you very much for posting. You covered a lot of material in great detail, but there are still a few parts that I’m unclear on.

    When adding your mail account to your mail client, how do you know what the password is? We didn’t set a password for SMTP authentication in the walkthrough. If my Ubuntu user account is ‘admin’, and my email is [email protected], do I just use my local ‘admin’ account password to connect my mail client to my new email account?

    What if, in my specific case, my local Ubuntu login is ‘admin’, but I want the email address “[email protected]” to be the default for all incoming and outgoing mail? Do I need to create a “user1” local user account on Ubuntu? I’ve sent some test emails from the “[email protected]” account and the SPF/DKIM checks are failing. DKIM only passes the check when I send mail from my “[email protected]” account.

    • Well, I continued working at it and I answered one of my questions. Yes, each email account has to have a local user account on the Ubuntu server in order to have email. I have successfully added my accounts on my Android email application. Still looking into the other issue about the “[email protected]” failing DKIM (and therefore getting detected as spam).

    • So after some research and trial/error since my last post, I’m still having problems with DKIM. When I email the port25.com test system from the user account that I followed this guide from, I get a pass on everything. When I email from another user on the system and get a report from port25.com, everything except DKIM passes.

      If I send mail from my root account, DKIM passes. I just can’t figure out what it is about this specific user account that’s causing it to fail. And of course, it happens to be the account that I primarily want to use to send and receive mail. Without DKIM passing, I’ve noticed that Google sends my messages straight to the spam box.

    • Aha! I figured out why my single user account was failing DKIM, and I understand why:

      DKIM takes the message content and hashes it with the private key, then puts this in the email header. I was using an additional postfix configuration option called smtp_generic_maps to “rewrite” how my sender address would appear in the recipients inbox. DKIM did not like this modification and that is what was causing the DKIM check to fail on messages from this specific user. Hopefully this helps somebody else!

      Simply comment out the smtp_generic_maps parameter in your /etc/postfix/main.cf file if you’re having this problem.

      Thanks again for the wonderful guide!

  • M Aprian
    2 years ago

    After doing this part, I can send email but cannot receive email. Can you help me? 🙁

    • M Aprian
      2 years ago

      SOLVED!! I made a little mistake, sorry

      This is the best guide for mail servers (for me now), THANK YOU

      • I’ve got same hiccup: using email client I can send but cannot receive any email. I have followed exactly the steps in this tutorial. Would you share how you solve the problem? Thanks.

        • Don’t bother. Everything is fine now. Gmail was slow. Thanks.

  • Great tutorial, worked perfectly, thanks!

  • Hello,

    In the command:
    sudo certbot --nginx --agree-tos --redirect --hsts --email your-email-address -d mail.your-domain.com

    What is the “your-email-address” I should provide?

    Kind regards,
    Daniel

  • Hello,

    My domain is not a .com one, it is a .co.uk (let’s say test.co.uk)

    How should I replace “your-domain” in:
    “sudo nano /etc/nginx/conf.d/mail.your-domain.com.conf” ?

    Kind regards,
    Daniel

  • Daniel Orkan
    2 years ago

    Hello Xiao,

    Thank you very much for the guide, all works for me.
    Also, thank you for the support !!!

    Kind regards,
    Daniel Orkan

  • Once again. Well done. Got everything working perfectly. I couldn’t find the “buy me a beer” link, but thanks for a very thorough job. Have you done an article on virtual mailboxes yet?

  • melvin ramsey
    1 year ago

    I cannot thank you enough.
    Beautifully written article.

  • Biiiiig thank you, Xiao!!!

  • Before “sudo certbot --apache --agree-tos --redirect --hsts --email your-email-address -d mail.your-domain.com”
    you need to do “sudo apt-get update && sudo apt-get dist-upgrade”, because some certbot Python packages need to be upgraded. You get an error while obtaining certificates if you don’t upgrade some packages. Sorry for bad English.

  • Luke Taaffe
    1 year ago

    You absolute boss.

    I’ve rarely found a tutorial which just works.. for something so complicated and head spinning as well.
    Kudos mate, really.

  • I can’t seem to receive any external mail (ie: from gmail) – but everything else seems to be working well. Any thoughts?

    • found the solution – just needed to run this:

      sudo iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

      • WRONG PORT LISTED ABOVE:

        sudo iptables -A INPUT -p tcp --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

  • still 5 star rating! very precise and plain in language and logic writing!! Thank you very much!!!

  • Jason Reeves
    7 months ago

    Question – When opening the ports, why not just do ufw allow dovecot?

    • First, there’s no “dovecot” UFW profile.

      [email protected]:~$ sudo ufw allow dovecot
      ERROR: Could not find a profile matching 'dovecot'

      The profiles installed by the dovecot package are “Dovecot IMAP” and “Dovecot Secure IMAP”, which correspond to port 143 and port 993 respectively. They allow mail clients to fetch emails from the mail server.

      But you also need to open port 587 and 465 for mail clients to submit emails. And if you use webmail, open port 80 and 443.

      You can run the following command to display available UFW profiles.

      sudo ufw app list

      Then you can use the command below to check which port a profile allows, like

      sudo ufw app info "Dovecot IMAP"

      Output

      Profile: Dovecot IMAP
      Title: Secure mail server (IMAP)
      Description: Dovecot is a mail server whose major goals are security and
      extreme
      reliability.
      
      Port:
        143/tcp
      
  • Pablo Cordero
    6 months ago

    Hi,
    This tutorial is really good but I have a little problem with SMTP. I have configured the server in Thunderbird and IMAP works perfectly, but when I try to send emails, it tells me something like this: “Your connection has expired with the SMTP server”.
    I can send messages with the mail command perfectly, so I don’t know where the problem is. If you know any solutions, please let me know.

    Thank you in advance!

  • Mårten Behm
    6 months ago

    Hi,
    My mail server works fine, as far as I know, after following your first three tutorials. Thanks again! However, I don’t know how to make use of the letsencrypt setup. Can you provide some hint, or will you consider (maybe you already have?) writing a tutorial about this?

  • Nuno Miranda
    6 months ago

    It works when I try with a Gmail account, but when I try to send an email to an iCloud account, it’s not received… Can you help me please?

  • Nuno Miranda
    6 months ago

    Hi, it’s me again,
    firstly thanks for your super complete tutorial, that helped me a lot 😀

    the problem:
    I’m on the blacklist of iCloud…..

    in mail.log i see this:
    … refused to talk to me: 550 5.7.0 Blocked…

    How can I solve this? help me :/

  • Nuno Miranda
    6 months ago

    Thanks for your support 😀 I´m gonna try that.

  • Hi,
    As you say: “By default, Postfix and Dovecot uses mbox format to store emails.”

    My question is: What I need to do to config postfix and dovecot to use the MailDir format to store emails ?

    Thanks!!

  • Constantinos
    5 months ago

    Superb tutorial and perfect in all aspects!
    I think I made a mistake when installing postfix and for system mail name I entered: mail.mydomain.com rather than mydomain.com and now the emails are @mail.mydomain.com rather @mydomain.com.
    Anything that can fix the issue?
    Thanks a lot

  • thanks BABE
    4 months ago

    Thanks for the guide!

    Trying to run the clean junk folders gives me an error. Any idea?

    [email protected]:/home$ sudo doveadm expunge -A mailbox Trash all
    doveadm(nobody): Error: User initialization failed: Namespace '': mkdir(/nonexistent/mail) failed: Permission denied (euid=65534(nobody) egid=65534(nogroup))
    doveadm(nobody): Error: User init failed

    [email protected]:/home$ sudo doveadm user '*'
    nobody
    ubuntu

    • According to man doveadm-expunge, if the -A option is present, the command will be performed for all users, including the nobody user. Since the nobody user’s home directory is /nonexistent/, an error would occur because the nobody user can’t create the /nonexistent/ directory.

      You can ignore this error by redirecting the error to /dev/null. A better approach would be getting the user list from a file. You can list users with:

      sudo doveadm user '*'

      Then you can use sed to delete the line containing the word “nobody” and save the result into a text file.

       sudo doveadm user '*' | sed '/nobody/d' > userlist.txt

      Now we can use doveadm-expunge.

      sudo doveadm expunge -F userlist.txt mailbox Trash all

      Note that if you use virtual mailbox domain as described in part 3, there would be no such error, because the user list is obtained from MySQL/MariaDB database.

      • Linux BABE is AWESOME
        4 months ago

        Thank you so much for helping me understand!

  • First of all thank you for your documentation(s), it was really helpful for us!

    After all we have a little problem. We created a virtual user with the same name as the Unix user, e.g. [email protected], and the Unix user is user1. It feels like it’s mixing the SMTP auth or something.
    We can get the incoming emails, but we cannot send, because it’s asking for the SMTP pass, which is perfectly fine. (We can log in to Roundcube.) Other virtual users work perfectly fine, but not the matching users.

    The setup was built on your flow, so we are using LEMP, Postfix, Dovecot, PostfixAdmin and Roundcube.

    Could you give us a tip on where to start debugging our problem?
    Thank you in advance!

    • I don’t think you can have a domain on Postfix that’s both a canonical domain (with Unix system account) and a virtual domain (with virtual users stored in MySQL/MariaDB database) at the same time.

      Domains listed in mydestination parameter are canonical domains. If a domain is listed in the virtual_mailbox_domains parameter, then you can not list the domain in mydestination parameter, as is described in Postfix documentation: NEVER list a virtual MAILBOX domain name as a mydestination domain!

      A virtual domain can’t have email addresses for Unix system accounts.

      • Thank you for your fast response.

        Now I understand much more clearly. If mydestination is mail.mydomain.com and virtual_mailbox_domains is mydomain.com, then I can have the [email protected] mailbox independently of my Unix system account, which is user1.

        Could not be a problem to use the same “user” name, because the Unix system account will use the mydestination domain, right?

    • Yes. That’s correct.

      • Your help led me to find out the problem.
        When we want to use an identical username, e.g. user1, for the Unix system account and for the mailbox account, then we should define the full username ([email protected]) in the email client as the incoming/outgoing username.
        Other virtual users can use a simple username as shown in the tutorial picture in the document.
        Thanks for all✌😁

    • The username for Unix system account doesn’t have a domain name.

      The username for virtual domain user includes the domain part, as you can see by logging into MySQL/MariaDB database server and displaying the mailbox table in the postfixadmin database.

      I’m not sure if your finding is correct. I think the username field in Thunderbird is misleading.

  • Thanx for the guide!

    I can receive but I cannot send? Any clue what may cause it?

    From mail log:

    Feb  4 22:35:40 postfix/submission/smtpd[21672]: warning: database /etc/aliases.db is older than source file /etc/aliases
    Feb  4 22:35:40 postfix/submission/smtpd[21672]: fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify at least one working instance of: reject_unauth_destination, defer_unauth_destination, reject, defer, defer_if_permit or check_relay_domains
    Feb  4 22:35:41 postfix/master[21332]: warning: process /usr/lib/postfix/sbin/smtpd pid 21672 exit status 1
    Feb  4 22:35:41 postfix/master[21332]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

    As per this guide I have in my master.cf file:

     -o smtpd_relay_restrictions=permit_sasl_authenticated, reject
     -o smtpd_recipient_restrictions=permit_mynetworks, permit_sasl_authenticated, reject

    So I do not have any idea why this fatal error is there … or maybe it is not that?

    Any help would be appreciated …
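According to master(5), an `-o name=value` override in master.cf must not contain whitespace around the `=` or inside the value, so an override typed as in the comment above is cut at the first space and the restriction list loses its final `reject`. The following linter is an added example, not part of the tutorial or of Postfix; the function names and the sample service entry are constructed for illustration.

```python
import re

# Constructed sample: a submission service carrying the two overrides quoted in
# the comment above, plus overrides written without whitespace.
SAMPLE_MASTER_CF = """\
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_relay_restrictions=permit_sasl_authenticated, reject
  -o smtpd_recipient_restrictions=permit_mynetworks, permit_sasl_authenticated, reject
  -o smtpd_sasl_auth_enable=yes
"""


def lint_overrides(text):
    """Find -o overrides whose value is split by whitespace.

    Returns (line_number, parameter, value_postfix_sees, stray_words) tuples.
    Works on physical lines, so a value continued on the next line is not seen.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue  # comment line
        tokens = raw.split()
        i = 0
        while i < len(tokens):
            if tokens[i] != "-o" or i + 1 >= len(tokens):
                i += 1
                continue
            if tokens[i + 1].startswith("{"):
                # Long form "-o { name = value }" (Postfix 3.0+) may contain spaces.
                while i < len(tokens) and not tokens[i].endswith("}"):
                    i += 1
                i += 1
                continue
            name, _, value = tokens[i + 1].partition("=")
            i += 2
            stray = []
            # Bare words after the assignment are no longer part of the value.
            while i < len(tokens) and not tokens[i].startswith("-"):
                stray.append(tokens[i])
                i += 1
            if stray:
                findings.append((lineno, name, value, stray))
    return findings


def suggested_override(name, value, stray):
    """Rebuild the override with commas only, as master(5) recommends."""
    words = re.split(r"[,\s]+", " ".join([value] + stray))
    parts = [w for w in words if w and w != "="]
    return "-o %s=%s" % (name, ",".join(parts))


if __name__ == "__main__":
    for lineno, name, value, stray in lint_overrides(SAMPLE_MASTER_CF):
        print("line %d: %s is set to %r; %r become separate arguments"
              % (lineno, name, value, stray))
        print("  suggested: " + suggested_override(name, value, stray))
```
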

  • Hello there,

    At this stage I can receive, but when I try to send it always says: Timeout when setting up SSL/TLS.

    The log file of the mail client shows:
    11:24:28 C: STARTTLS
    11:24:28 S: 454 4.7.0 TLS not available due to local problem
    11:24:28 Error: Unexpected return code 454 (expected 220):
    “4.7.0 TLS not available due to local problem”.
    11:24:28 Error code: 2001
    11:24:28 Failed action (0). Reset observed read/write timeouts: 8/8

    Can someone help with?

  • Hello Xiao & Thank You so much,
    – You were right, I just redid the typing and it is now working, but I did not find where the error was; I am now on my way to part 3.
    – Also on getting the Letsencrypt certificates you must disable the default virtual host of apache2 – “sudo a2dissite *default” – before enable your own. Otherwise it will fail every time you try to get the certificates.

    Kindest Regards.

    • Disabling the default virtual host is not a must, if you have correctly configured the mail.yourdomain.com virtual host. I have obtained numerous TLS certificates without disabling the default virtual host.

  • In my case the only way to obtain the certificates was to disable the default one. So I don’t know what I did wrong in the mail.yourdomain.com virtual host configuration.

    Thank You so much for your help.

  • Hello there,
    Regarding TLS, according to ‘IT Security Guidelines for Transport Layer Security (TLS) v2.0’:
    Good: TLS 1.3 and 1.2
    Phase out: TLS 1.1 and 1.0
    Insufficient: SSL 3.0, 2.0 and 1.0

    Is there any way to use only TLS 1.2 and 1.3?


    Kindest Regards,

    • To disable non-secure SSL/TLS versions in Postfix, edit the main configuration file.

      sudo nano /etc/postfix/main.cf

      Add the following lines.

      #Force TLSv1.3 or TLSv1.2
      smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
      smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
      smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
      smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
      

      Restart Postfix.

      sudo systemctl restart postfix

      To disable non-secure SSL/TLS versions in Dovecot, edit the SSL/TLS configuration file.

      sudo nano /etc/dovecot/conf.d/10-ssl.conf

      Add the following line.

      ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

      Note: if you are using Dovecot 2.3.x or above, then you should add the following line instead, which will force Dovecot to use TLSv1.2 or TLSv1.3.

      ssl_min_protocol = TLSv1.2

      Restart Dovecot.

      sudo systemctl restart dovecot
  • Hello there,
    on “Obtaining TLS Certificate with Nginx Web Server” the syntax of

    ...
    location ~ /.well-known/acme-challenge {
             allow all;
          }
    ...

    the “~” is followed by a SPACE or by the SLASH ?

  • In the file “/etc/nginx/conf.d/mail.your-domain.com.conf”,
    the line “root /var/www/mail.your-domain.com/;” move the nginx server from “Welcome to nginx!” to “403 Forbidden”,
    meaning when the line is comment with “#” the server answer with “Welcome to nginx!” and when the line is uncomment the server answer with “403 Forbidden”.

    Any clue why?

  • Hello Xiao,

    I follow this ‘IT Security Guidelines for Transport Layer Security
    (TLS)’ from NCSC-NL, guideline B2-1 to B2-4 and table 2, 4, 6 and 7 (in
    English) which is considered here one of the best guides to cyber
    security.
    The website is :
    [https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls]

    The test tool is : “internet.nl”

    About my installation they say on Ciphers (Algorithm selections) this:

    •••••••••••••••••••••••••
    Technical details:
    Mail server (MX): mail.digitalblueprint.eu.
    First found affected cipher: DHE-RSA-SEED-SHA
    Status: phase out
    •••••••••••••••••••••••••
    At least one of your mail servers supports one or more ciphers that have
    a phase out status, because they are known to be fragile and are at risk
    of becoming insufficiently secure.

    Is there any way to stop using phased-out ciphers?


    Kindest Regards,
    Alex

    • You can add the following lines in Postfix main configuration file to improve the security of TLS connection.

      #Enforce high grade TLS ciphers
      smtpd_tls_ciphers = high
      smtpd_tls_mandatory_ciphers = high
      
      #Exclude non-secure ciphers
      smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
      smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
      smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
      smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
      
      #Disable client-initiated renegotiation to prevent DoS attacks inside a TLS connection
      tls_ssl_options = 0x40000000
      
      #Enable server cipher-suite preferences
      tls_preempt_cipherlist = yes
      

      However, don’t be obsessed with TLS for SMTP and IMAP servers. If you are too strict about TLS, then there will be SMTP clients that can’t establish TLS connection with your SMTP server.
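The two replies above (protocol versions and cipher grade) add up to a handful of main.cf parameters that are easy to set only partly. The following audit is an added example, not code from the tutorial or from Postfix: it parses main.cf text and reports which of those parameters still admit SSLv2, SSLv3, TLSv1 or TLSv1.1, or a cipher grade other than `high`. The function names and the sample fragment are constructed; the `>=TLSv1.2` form it also accepts is the syntax of Postfix 3.6 and later.

```python
import re

LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
PROTOCOL_PARAMS = (
    "smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
    "smtp_tls_mandatory_protocols", "smtp_tls_protocols",
)
CIPHER_GRADE_PARAMS = ("smtpd_tls_ciphers", "smtpd_tls_mandatory_ciphers")

# Constructed main.cf fragment with three deliberate gaps: one protocol list
# is incomplete, one is missing, and one cipher grade is "medium".
SAMPLE_MAIN_CF = """\
# Force TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3,
    !TLSv1, !TLSv1.1
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high
"""


def parse_main_cf(text):
    """Parse main.cf text into {name: value}.

    Lines whose first non-blank character is '#' are comments, a line that
    starts with whitespace continues the previous one, and the last
    assignment of a parameter wins.
    """
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name is not None:
            params[name] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            name = key.strip()
            params[name] = value.strip()
    return params


def legacy_still_allowed(value):
    """Return the legacy protocols that a Postfix protocol list still permits."""
    tokens = [t for t in re.split(r"[,:\s]+", value) if t]
    floor = next((t[2:] for t in tokens if t.startswith(">=")), None)
    if floor in ("TLSv1.2", "TLSv1.3"):
        return []
    included = [t for t in tokens if t[0] not in "!<>"]
    if included:  # a positive list enables only what it names
        return [p for p in LEGACY if p in included]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return [p for p in LEGACY if p not in excluded]


def audit(text):
    """Return {parameter: problem} for the settings discussed above."""
    params = parse_main_cf(text)
    findings = {}
    for name in PROTOCOL_PARAMS:
        if name not in params:
            findings[name] = "not set, so the Postfix version's default applies"
        else:
            allowed = legacy_still_allowed(params[name])
            if allowed:
                findings[name] = "still allows " + ", ".join(allowed)
    for name in CIPHER_GRADE_PARAMS:
        grade = params.get(name, "(default)")
        if grade.lower() != "high":
            findings[name] = "cipher grade is %s, not high" % grade
    return findings


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_MAIN_CF).items():
        print("%s: %s" % (name, problem))
```
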

  • Dejan Zivanov
    3 months ago

    Hi i am having currently problem with the setting up my account via Thunderbird for start. I went three times over all three tutorials but something is always not working, i think i am maybe wonky with my fingers or whatever. But here we go, third time is the charm. So, at the moment i am at this stage(2nd).

    And when i am trying to connect via Thunderbird, what password should i use?
    Because we never created that during first 2 tutorials.

    Should i use password that i am using to connect via terminal?

    • The first two parts use local Unix accounts as email addresses. For example, if you have a user called dejan on your Ubuntu server, then you have an email address: [email protected], and the password for the email address is the same password for the dejan user.

      • Dejan Zivanov
        3 months ago

        Thank you, I managed to log in via Thunderbird, but at the moment I am getting this error (in var/logs): dovecot: imap(contact): Error: Failed to autocreate mailbox Trash: Permission denied

        Not sure what could be cause of this problem

  • Please note that (at this date: 28/03/2020) on my machine, Ubuntu 18.04.3, the file /etc/dovecot/conf.d/10-master.conf had the ports commented out; this resulted in the ports being “closed” when scanned from the outside.
    Other than that, great job. I can’t say whether all of this is needed to set it up in a “simple” way, but anyway thanks 🙂

  • Hi,

    Great work. %d from mail_location is coming up as empty and responding with permission denied mkdir(/var/vmail//user). Below is the debug from dovecot:

    Apr 14 23:15:37 auth: Debug: passwd(user,83.34.21.127,): Finished userdb lookup
    Apr 14 23:15:37 auth: Debug: master userdb out: USER 2532442113 user system_groups_user=user uid=1001 gid=1001 home=/home/user auth_mech=PLAIN auth_token=1256c543ad8f4350d5c6b09fcfb8ddfeb077813e
    Apr 14 23:15:37 imap-login: Info: Login: user=, method=PLAIN, rip=83.34.21.127, lip=172.31.0.91, mpid=15239, TLS, session=
    Apr 14 23:15:37 imap(user): Debug: Effective uid=1001, gid=1001, home=/home/user
    Apr 14 23:15:37 imap(user): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/var/vmail//user
    Apr 14 23:15:37 imap(user): Debug: maildir++: root=/var/vmail//user, index=, indexpvt=, control=, inbox=/var/vmail//user, alt=
    Apr 14 23:15:37 imap(user): Debug: Mailbox INBOX: Mailbox opened because: SELECT
    Apr 14 23:15:37 imap(user): Debug: Namespace : /var/vmail//user doesn’t exist yet, using default permissions
    Apr 14 23:15:37 imap(user): Debug: Namespace : Using permissions from /var/vmail//user: mode=0700 gid=default
    Apr 14 23:15:37 imap(user): Error: mkdir(/var/vmail//user) failed: Permission denied (euid=1001(user) egid=1001(user) missing +w perm: /var/vmail/, dir owned by 2000:2000 mode=0755)
    Apr 14 23:15:37 imap(user): Error: mkdir(/var/vmail//user) failed: Permission denied (euid=1001(user) egid=1001(user) missing +w perm: /var/vmail/, dir owned by 2000:2000 mode=0755)
    Apr 14 23:15:37 imap(user): Error: Mailbox INBOX: Failed to autocreate mailbox: Internal error occurred. Refer to server log for more information. [2020-04-14 23:15:37]

    listed below is the configuration I’m using in /etc/dovecot/conf.d/10-mail.conf:
    mail_location = maildir:/var/vmail/%d/%n
    mail_home = /var/vmail/%d/%n

    Please let me know how to fix this, I’m using Ubuntu 18.04 OS.

    Thanks,
    Rish

    • Don’t mix up part 2 and part 3. If you take something from part 3, then you need to follow all of part 3.

    • Hi,

      Thanks for your reply. Can you please let me know which part are you referring to?

      Thanks again,
      Rish

    • This code configuration.

      mail_location = maildir:/var/vmail/%d/%n
      mail_home = /var/vmail/%d/%n
      

      When following part 2 of this tutorial series, you need to use the default mail_location and don’t set the mail_home parameter.

  • Quang Mai
    2 months ago

    Hi Xiao,

    I have another issues with the Thunderbird setup account:
    I checked all the Q&A above in the thread and I understand that the [email protected] as the UNIX root and password. Do you have any solutions? How do I create a second: [email protected] to check it? Thanks so much.

    • To create another email address, simply create another Unix user account on your Ubuntu server.

      sudo adduser user2

      Part 3 will show you how to create virtual users.

  • Hello,

    Loving my setup… Thanks – I have followed all the way through (all 8ish parts).
    I have run into one Challenge post setup, and this is confusing me.
    Firstly… worth noting – Your setup is working!!!
    It is working for all devices apart from an OLD Samsung Tab 2 failed the setup.
    I have put this current challenge on this page as I think it could be the TLS SSL min protocols being part of the problem. But I don’t really want to tinker as I don’t know why you suggested these protocols. – Any suggestions as to what could be causing 1 old device to not work.
    The device also doesn’t allow STARTTLS , so tried every option and none worked.

    Also – feature request – PUSH messages, I would like to use this account for messages but the 15 mins or so i have to wait for IOS messages feels like an eternity . I have been searching and it appears you have to pay for Apple notification service? Feels bonkers!

  • neutek-narco
    1 month ago

    Thank you!

    I had to use this command to get past 404 errors with certbot

    certbot certonly --agree-tos --expand --authenticator webroot --installer apache -d mail.domain.org --webroot-path /var/www/mail.domain.org/

  • Andrés Gutiérrez
    1 month ago

    ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1 (Dovecot ver. 2.3.x)

    Is no longer needed.

  • Ken Wright
    1 month ago

    Having a problem here. I’ve run the Postfix instructions in Part 2, but when I check systemctl status postfix it says postfix is “active (exited)”. Does this mean Postfix isn’t running? What have I done wrong?

    • This is normal, because the Postfix systemd service is a oneshot service. Postfix will run the master process after the main Postfix exits. If you run the following command, you can verify if the Postfix master process is running.

      sudo netstat -lnpt | grep master

      Output:

      tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      1200577/master      
      tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1200577/master      
      tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1200577/master      
      tcp6       0      0 :::587                  :::*                    LISTEN      1200577/master      
      tcp6       0      0 :::465                  :::*                    LISTEN      1200577/master      
      tcp6       0      0 :::25                   :::*                    LISTEN      1200577/master    
      

      As you can see, the Postfix master process is listening on port 587, 465 and 25 on my mail server.

      The dovecot systemd service is a simple service, so you will see “active(running)” instead of “active(exited)”.

  • Ken Wright
    1 month ago

    That’s not what I get. I don’t see 587 or 465 listed when I run the above command. Any ideas?

  • Ken Wright
    1 month ago

    Found the problem! I had missed an underline character in /etc/postfix/main.cf. Once I fixed that and reloaded Postfix, everything fell into place.

  • Hello Xiao,

    mail client connects, i can send mail. have received mail waiting to be collected by mail client
    mail.log shows client connecting:

    Apr 29 19:17:28 mail postfix/lmtp[4192]: 1EA5621894: to=, relay=none, delay=2251, delays=2251/0.04/0.02/0, dsn=4.4.1, status=deferred (connect to mail.XXXX.XX[private/dovecot-lmtp]: No such file or directory)
    

    Not sure which side to start looking to solve this, do u have an idea?

    • Disabled the steps done in lmtp setup for now, imap works.

    • LMTP is required if you want to follow part 3 of this tutorial series.

      • I understand that, but my client doesn’t seem to be able to collect my mail if it’s activated, I have no idea why atm… what file/directory is it missing? and earlier i added lmtp behind imap as set protocols. but imap doesn’t work if lmtp is there? or is there another issue?

  • Steinar
    1 month ago

    I have already postfix installed as a sendonly SMTP server using your other guide. I want to be able to also send from desktop client. Do I need to install dovecot to be able to communicate with Postfix? If so, are there other steps I can omit from this guide when I don’t need to receive email?

  • Steinar
    1 month ago

    Hmm really? So my wordpress server is sending out emails. Sometimes I need to write a custom email.
    Another server is taking care of incoming mail.
    Do you mean that your send-only Postfix server guide shouldn’t be combined with an external mail server for incoming and other email?
    I can also send mail from the other server, but not in this case (my colleague is in China, where gmail is blocked so can’t send out email).
    Thanks.

    • I mean if you send an email from your own domain, but the reply email goes to a free third-party email service like gmail, that will trigger some spam filters. Why not receive reply emails on your own domain?

      • Steinar
        1 month ago

        I do receive emails to my own domains. GSuite (gmail) is set up for incoming mail to mydomain.com. The wordpress server is not connected to GSuite and is sending with Postfix. I thought from your send-only Postfix guide that this was an ok setup?

    • Ok. I understand now. Simply follow the instructions in this article and you will be able to use desktop email client. Note that inet_interfaces should be set to all in the /etc/postfix/main.cf file.

  • Steinar
    1 month ago

    Thanks, so you mean I do need dovecot even when I will not receive mail?

    • Mozilla Thunderbird, and also other mail clients I think, will not allow you to log into your mail server or send emails if there’s no IMAP/POP3 server running.

  • Steinar
    1 month ago

    Ok, I see. I thought the separate settings in Thunderbird etc. for the SMTP server were connecting directly to Postfix, but I guess that’s also Dovecot then.

  • Victor Kulibaba
    4 weeks ago

    Hi Xiao, thank you for the awesome guide!
    I keep failing at the last step (configuring Thunderbird). It always shows an error box saying that the IMAP server doesn’t allow the chosen authentication method.
    I checked nmap for srv.kulibaba.site and it seems that all necessary ports are open.
    Also dovecot is running fine:

    ● dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: active (running) since Sun 2020-05-10 21:01:19 MSK; 1h 7min ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
      Process: 15947 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
      Process: 16148 ExecReload=/usr/bin/doveadm reload (code=exited, status=0/SUCCESS)
      Process: 15986 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
     Main PID: 15990 (dovecot)
       CGroup: /system.slice/dovecot.service
               ├─15990 /usr/sbin/dovecot
               ├─15993 dovecot/anvil
               └─16151 dovecot/log
    
    May 10 21:41:47 srv.kulibaba.site dovecot[16151]: imap-login: Disconnected (no auth attempts in 0 secs): user=, rip=185.48.37.80, lip=194.58.119.56, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
    

    In the log part you can see the error I get.
    When I created the Let’s Encrypt certificate for srv.kulibaba.site I also added the --must-staple option, that’s probably the only thing I did “against” your guide…
    I also tried to tweak Thunderbird changing general.useragent.compatMode.firefox to True, though it didn’t help. Neither choosing oAuth2 as auth method helped. My next concern is ssl = required in 10-ssl.conf, but at this point I decided to refer to the source, making this comment.
    Btw, initially if my hostname and MX record is srv.kulibaba.site, was it right to create virtual nginx host and issue certificate using this name instead of “mail.kulibaba.site”?

    • Victor Kulibaba
      4 weeks ago

      Seems like I managed to resolve the issue by setting:
      security.ssl.enable_ocsp_must_staple = false
      in Thunderbird config editor

    • Postfix and Dovecot don’t support OCSP stapling. If you add --must-staple to your TLS certificate, then mail clients (Thunderbird) would refuse to connect. I didn’t test it, but other SMTP servers are probably not able to establish secure TLS connection with your Postfix SMTP server.

      So I recommend obtaining a new TLS certificate for your hostname (srv.kulibaba.site) without using --must-staple.

  • Victor Kulibaba
    3 weeks ago

    Hi Xiao, at the beginning of the guide you wrote: “You need to have an Nginx virtual host for mail.your-domain.com before obtaining Let’s Encrypt TLS certificate”.

    This is probably not true, I just need the certificate and see no reason in creating root folder and granting access to www-data. So I used certbot “certonly” option and configured nginx to make MX url forbidden (return 403). It seems to work fine. Do you see any problem with that?

    • Creating a virtual host is not a must if you have a default Nginx virtual host. There’s no problem with your method. However, you need to create a dedicated Nginx virtual host if you want to install Roundcube webmail later.

      • On Obtaining TLS Certificate with Nginx Web Server for ubuntu 20.04LTS I get the following error:

        “AttributeError: module 'acme.challenges' has no attribute 'TLSSNI01'”

        Any clue on how to resolve this?

        • If you see the following error while trying to obtain TLS certificate on Ubuntu 20.04

          module 'acme.challenges' has no attribute 'TLSSNI01'

          You need to edit a config file.

          sudo nano /usr/lib/python3/dist-packages/certbot_nginx/configurator.py

          Change

          return [challenges.HTTP01, challenges.TLSSNI01]

          to:

          return [challenges.HTTP01]

          Save and close the file. Then run the certbot command again to obtain TLS certificate.

  • Laurentiu
    2 weeks ago

    Hello Xiao,

    thank you for your very good tutorial. I successfully installed an email server using it. All good, but one point.

    We have an ERP application which should send emails, but I cannot connect it to my email server. Not sure if I am missing some options or if I am inputting something wrong.

    So I have:
    outgoing mail server: mail.mydomain.com
    port: 25
    encryption: TLS

    error: could not connect to SMTP host.
    I tested with SMTP authentication (just took one created email address, not sure if I need another SMTP account..), I also tried without authentication.

    Can you please give some insight?

    Thank you!

    • You should use port 587.

      • Laurentiu
        2 weeks ago

        Thank you.
        Using port 587 I am a step closer. Same error if trying to connect to mail.domain.com but working if connecting to internal server IP.
        Tested without SMTP auth (this is correct)?
        New error on test email:

        Mailer Error: Language string failed to load: tls The following From address failed: [email protected] Called Mail() without being connected

        Can you please help with this error?

        Thank you!

    • You should enable SMTP auth (enter an email address and password) on port 587.

  • really very nice and awesome tut! thanks for ur work

    im trying to install mailserver for only local use, i have my own local dns server (bind9) and have mx record and stuff for my mail server, obv i cant use Let’s Encrypt, so im using openssl instead, followed to this part, i think everything’s fine

    i can login using thunderbird in my laptop fine, it auto detect my settings, i try to send test email to myself (or another local account), i see the mail in sent folders but i receive nothing in inbox.

    i see this in the /var/log/mail.log

    May 23 12:58:34 tsun postfix/submission/smtpd[2723]: connect from unknown[192.168.7.17]
    May 23 12:58:34 tsun postfix/submission/smtpd[2723]: Anonymous TLS connection established from unknown[192.168.7.17]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
    May 23 12:58:34 tsun postfix/submission/smtpd[2723]: CC429802AE: client=unknown[192.168.7.17], sasl_method=PLAIN, sasl_username=veelst
    May 23 12:58:34 tsun postfix/cleanup[2728]: CC429802AE: message-id=
    May 23 12:58:34 tsun postfix/qmgr[2556]: CC429802AE: from=, size=576, nrcpt=1 (queue active)
    May 23 12:58:34 tsun postfix/submission/smtpd[2723]: disconnect from unknown[192.168.7.17] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
    May 23 12:58:34 tsun postfix/smtp[2729]: CC429802AE: to=, relay=none, delay=0.07, delays=0.06/0.01/0/0, dsn=5.4.6, status=bounced (mail for tsun.net loops back to myself)
    May 23 12:58:34 tsun postfix/cleanup[2728]: EBED4802C6: message-id=
    May 23 12:58:35 tsun postfix/bounce[2730]: CC429802AE: sender non-delivery notification: EBED4802C6
    May 23 12:58:35 tsun postfix/qmgr[2556]: EBED4802C6: from=, size=2417, nrcpt=1 (queue active)
    May 23 12:58:35 tsun postfix/qmgr[2556]: CC429802AE: removed
    May 23 12:58:35 tsun dovecot: imap(veelst): Logged out in=544 out=708 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
    May 23 12:58:35 tsun postfix/smtp[2729]: EBED4802C6: to=, relay=none, delay=0.04, delays=0.04/0/0/0, dsn=5.4.6, status=bounced (mail for tsun.net loops back to myself)
    May 23 12:58:35 tsun postfix/qmgr[2556]: EBED4802C6: removed

    i dont know where im going wrong, help is much appreciated!
    thanks!

    • Veelst
      1 week ago

      for some reasons i see the reply is posted “4 seconds ago” and it been days lol
      anyway, solved my problem thanks!

  • Hello, I got all services up and running but I can’t seem to send mail from my address, ports 143 and 587 are open. Outgoing mail won’t seem to work while incoming mail does. All SSL certs and everything are set up but it just won’t seem to send, what could be my issue?

  • Thanks for this tutorial!

    Getting the following:

    Jun  5 22:46:03 mail postfix/lmtp[2256]: 68E00FC1A5: to=, relay=mail.example.com[private/dovecot-lmtp], delay=509, delays=509/0.03/0.03/0.02, dsn=5.1.1, status=bounced (host mail.example.com[private/dovecot-lmtp] said: 550 5.1.1  User doesn't exist: [email protected] (in reply to RCPT TO command))
    

    Of course, [email protected] isn’t the real address.

    I created user1 with:

    sudo adduser user1

    I can sign in with IMAP, but can’t send to it. Thoughts? Thanks!
