In a previous process, you were shown how to configure Postfix as a domain-wide mail transport agent (MTA). As we learned there, Postfix speaks only SMTP: it does a remarkable job of accepting messages from other MTAs or from mail user agents and either relaying them to remote mail servers or storing mail destined for itself in its local mailboxes. Once a message has been stored or relayed, Postfix's job is done; it has no way of handing mail to anything other than another SMTP server. A user who wants to read his mail would therefore have to log in to the server running Postfix over SSH and look into his local mailbox directory, or run mailx locally on a regular basis to check for new messages. This is highly inconvenient and nobody would use such a system; users expect to read their mail from their own workstations rather than from the server where Postfix is running. For this reason another class of programs has been developed, often called mail access agents (or mail delivery agents, not MTAs), whose job is to hand the messages in those local mailboxes over the network to the users' mail clients. They speak different protocols than SMTP, namely POP3 and IMAP. One such program is Dovecot. Most professional server administrators would agree that Postfix and Dovecot are perfect partners, and the purpose of this process is to configure Postfix to work with Dovecot in order to provide a basic POP3/IMAP and POP3/IMAP over SSL (POP3S/IMAPS) service for our mailboxes, an industry-standard e-mail service for your users across the local network.
To Start With: What Do You Need?
To complete this process, you will require a working installation of the CentOS 7 operating system with root privileges, a console-based text editor of your choice, and a connection to the Internet in order to download additional packages. It is also assumed that you are working through this chapter process by process in the order in which they appear, and for this reason it is expected that Postfix has already been configured as a domain-wide MTA.
Note
This process serves as a guide to setting up a basic POP3S/IMAPS service for trusted users on a local network. It is not suitable for general Internet use without applying additional security measures.
The Process
Dovecot is not installed by default, and for this reason we must begin by installing the necessary packages by following the given steps:
- To start, log in as root and type in the following command:
yum install dovecot
- Once installed, enable the Dovecot service at boot by typing:
systemctl enable dovecot
- Now open the main Dovecot configuration file in your favorite text editor, after creating a backup copy, by typing:
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.BAK
vi /etc/dovecot/dovecot.conf
- Begin by confirming the protocols we want to use by activating (removing the # sign at the beginning of the line) and modifying the following line, so it reads:
protocols = imap pop3
Dovecot 2.x, the version shipped with CentOS 7, no longer accepts imaps and pop3s as protocol names (it only logs a warning that the setting is obsolete). The SSL ports 993 and 995 are provided instead by the imaps and pop3s inet_listener entries in /etc/dovecot/conf.d/10-master.conf, which are active by default as soon as SSL is enabled in 10-ssl.conf later in this process.
- Next, check the listen directive. Dovecot's built-in default, shown by the commented line #listen = *, ::, is already to listen on all IPv4 and IPv6 addresses, so no change is needed for Dovecot to accept connections from the network. If you want to make the setting explicit and restrict Dovecot to IPv4 only, modify the line so it reads:
listen = *
- Now save and close the file in the usual way before making a backup of the 10-mail.conf file and afterwards opening it in your favorite text editor:
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.BAK
vi /etc/dovecot/conf.d/10-mail.conf
- Scroll down and uncomment (remove the # character) the following line, so it reads:
mail_location = maildir:~/Maildir
This must match where Postfix delivers local mail (the Maildir directory in each user's home, as set up in the Postfix process); otherwise Dovecot will look in a directory Postfix never writes to and every mailbox will appear empty.
- Again, save and close the file in the usual way before creating a backup copy and then opening the following file in your favorite text editor:
cp /etc/dovecot/conf.d/20-pop3.conf /etc/dovecot/conf.d/20-pop3.conf.BAK
vi /etc/dovecot/conf.d/20-pop3.conf
- Start by uncommenting the following line, which defines the format of the unique message IDs (UIDLs) that POP3 clients use to remember which messages they have already fetched:
pop3_uidl_format = %08Xu%08Xv
- Now scroll down and uncomment and amend the following line, so it reads:
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
- Save and close the file in the usual way. Now we will allow plain text logins. To do this, make a backup before opening the following file:
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.BAK
vi /etc/dovecot/conf.d/10-auth.conf
- Change the line #disable_plaintext_auth = yes to state:
disable_plaintext_auth = no
Be aware of what this does: a client connecting on the unencrypted POP3 (110) or IMAP (143) port will now send the user's Linux password across the network in clear text. This is acceptable only on the trusted local network described in the note at the start of this process; with the default value of yes, Dovecot permits plain text logins only inside an SSL/TLS session or from localhost.
- Save and close the file. In our final configuration setting, we will tell Dovecot to use our self-signed server certificate. Use the Postfix certificate from an earlier process in this segment, or create a new one by typing the following (skip this step if the file already exists):
cd /etc/pki/tls/certs; make postfix-server.pem
- Open Dovecot's standard SSL config file after making a backup of the file:
cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.BAK
vi /etc/dovecot/conf.d/10-ssl.conf
- Now change the following line (ssl = required) to read:
ssl = yes
This lets each client decide whether to use SSL/TLS. For a service that will be reachable beyond a trusted LAN, leave ssl = required in place (together with disable_plaintext_auth = yes), which refuses unencrypted sessions altogether.
- Now change the following two lines to point to your server's own certificate path. The leading < tells Dovecot to read the file's contents rather than treat the string as a value. Because this single file contains both the certificate and the private key, check with ls -l that it is owned by root with mode 0600 (the Makefile creates it that way); Dovecot reads it as root before dropping privileges, so it does not need to be readable by anyone else:
ssl_cert = </etc/pki/tls/certs/postfix-server.pem
ssl_key = </etc/pki/tls/certs/postfix-server.pem
- Save and close this file. Next, open the IMAP, IMAPS, POP3, and POP3S ports in our firewall to allow incoming connections. firewalld in CentOS 7 ships service definitions for pop3s and imaps; if ls /usr/lib/firewalld/services/ shows no pop3.xml and imap.xml (early CentOS 7 releases lack them), derive them from the SSL variants by swapping the port number and dropping the "over SSL" wording:
sed -e 's/port="995"/port="110"/' -e 's/ over SSL//g' /usr/lib/firewalld/services/pop3s.xml > /etc/firewalld/services/pop3.xml
sed -e 's/port="993"/port="143"/' -e 's/ over SSL//g' /usr/lib/firewalld/services/imaps.xml > /etc/firewalld/services/imap.xml
firewall-cmd --reload
for s in pop3 imap pop3s imaps; do firewall-cmd --permanent --add-service=$s; done; firewall-cmd --reload
- Now start the Dovecot service:
systemctl start dovecot
- Finally, to test our new POP3/IMAP network service, log in on another computer in the same network and run the following commands to use mailx to access the local mailboxes on the remote Postfix server, which Dovecot now serves over the different access protocols. In our example, we want to access the local mailbox of the system user john on our Postfix server with the IP 192.168.1.100 remotely (to log in to john's account, you need his Linux user password). Remember that these first two commands send that password in clear text:
mailx -f pop3://john@192.168.1.100
mailx -f imap://john@192.168.1.100
- Next, to test the secure connections, use the following commands and type yes to confirm that the certificate is self-signed and not trusted:
mailx -v -S nss-config-dir=/etc/pki/nssdb -f pop3s://john@192.168.1.100
mailx -v -S nss-config-dir=/etc/pki/nssdb -f imaps://john@192.168.1.100
- For all four commands, you should see the normal mailx inbox view of john's mailbox with all his messages, just as if you had run mailx locally on the Postfix server to read local mail. Each login, successful or not, is also recorded by Dovecot in /var/log/maillog.
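Before leaving the service running, it is worth checking which of the permissive choices made above are still in effect. The following script is an added example and is not part of the original process: it audits the flattened key = value output that doveconf -n prints for the three deliberate weak points of this process (plain text logins, optional SSL, and the obsolete imaps/pop3s protocol names), prints the hardened setting beside each, and warns when certificate and private key share one file. The two embedded configurations are constructed samples; the certificate and key paths are the ones used in this process, and the separate key path in the hardened sample is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original process: audit the flattened
# "key = value" configuration that `doveconf -n` prints for the permissive
# choices this process makes on purpose, and print the hardened setting
# beside each one. Top-level settings start in column 0; settings nested
# in blocks (for example the ssl = yes inside an inet_listener) are
# indented and deliberately ignored by get_setting.

# get_setting <config-text> <key>: print the last top-level value of <key>.
get_setting() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# audit_dovecot_config: read configuration text on stdin, print one WEAK or
# NOTE entry per finding plus a summary line. Always exits 0 so it can sit
# at the end of a pipeline; the summary line carries the count.
audit_dovecot_config() {
    conf=$(cat)
    n=0

    v=$(get_setting "$conf" disable_plaintext_auth)
    if [ "$v" = "no" ]; then
        echo "WEAK disable_plaintext_auth = no: passwords may cross the network in clear text on ports 110/143"
        echo "     use: disable_plaintext_auth = yes  (plain logins then only inside TLS or from localhost)"
        n=$((n + 1))
    fi

    v=$(get_setting "$conf" ssl)
    case "$v" in
        required) ;;
        *)  echo "WEAK ssl = ${v:-<unset>}: clients may choose an unencrypted session"
            echo "     use: ssl = required"
            n=$((n + 1)) ;;
    esac

    v=$(get_setting "$conf" protocols)
    case " $v " in
        *" imaps "*|*" pop3s "*)
            echo "WEAK protocols = $v: imaps/pop3s are obsolete protocol names in Dovecot 2.x"
            echo "     use: protocols = imap pop3  (993/995 come from the imaps/pop3s inet_listeners in 10-master.conf)"
            n=$((n + 1)) ;;
    esac

    cert=$(get_setting "$conf" ssl_cert)
    key=$(get_setting "$conf" ssl_key)
    if [ -n "$key" ] && [ "$key" = "$cert" ]; then
        echo "NOTE ssl_key and ssl_cert are the same file (${key#<}): it holds the private key, keep it root-owned and mode 0600"
    fi

    echo "$n weak setting(s) found"
    return 0
}

# Constructed sample: the settings this process produces.
WEAK_CONFIG='protocols = pop3 imap imaps pop3s
listen = *
disable_plaintext_auth = no
ssl = yes
ssl_cert = </etc/pki/tls/certs/postfix-server.pem
ssl_key = </etc/pki/tls/certs/postfix-server.pem
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}'

# Constructed sample: the same service with encryption enforced and the key
# kept in a separate file (the key path is assumed for this example).
HARDENED_CONFIG='protocols = imap pop3
listen = *
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/pki/tls/certs/postfix-server.pem
ssl_key = </etc/pki/tls/private/postfix-server.key'

echo "== settings from this process =="
printf '%s\n' "$WEAK_CONFIG" | audit_dovecot_config
echo "== hardened settings =="
printf '%s\n' "$HARDENED_CONFIG" | audit_dovecot_config
```

On the server itself, save the functions to a file, source it, and run doveconf -n | audit_dovecot_config. For the LAN-only setup of this process the three WEAK lines are expected; they are the first three things to change before the service is exposed to anything beyond trusted users.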
How Does It Work?
Having successfully completed this process, you have just created a basic POP3/IMAP service (with or without SSL encryption) for all the valid server users in your network, which delivers local mail from the Postfix server to the client's e-mail program. Every local system user can authenticate directly to the mail server and fetch their mail remotely. Of course, there is still much more that can be done to enhance the service, but you can now let all local system account holders configure their favorite e-mail desktop software to send (via Postfix) and receive (via Dovecot) e-mail messages using your server.
Note
POP3 clients typically download messages to the local machine and then delete them from the server (most clients can be told to leave copies behind), whereas IMAP keeps the messages on the server and synchronizes the client's view with it without deleting them.
So what did we learn from this experience?
We started the process by installing Dovecot. Having done this, we enabled Dovecot to run at boot before proceeding to make a few brief changes to a series of configuration files. We began by determining which protocols will be served in the main configuration file /etc/dovecot/dovecot.conf, namely IMAP and POP3; their SSL counterparts IMAPS and POP3S are provided by the imaps and pop3s listeners in 10-master.conf, which are active by default once SSL is enabled. Unlike many other network services, Dovecot listens on all interfaces out of the box, and we merely made that explicit with the listen directive. In the 10-mail.conf file we then confirmed the mailbox location for Dovecot (with the mail_location directive) as the Maildir directory into which Postfix delivers incoming mail, so that Dovecot finds the messages there. Following this, we prepared the POP3 protocol in 20-pop3.conf: pop3_uidl_format defines how unique message IDs are presented to clients, and pop3_client_workarounds adds fixes for various e-mail clients (for example, Outlook). Finally, we enabled plain text authentication by changing disable_plaintext_auth in /etc/dovecot/conf.d/10-auth.conf. Remember that plain text authentication over POP3 or IMAP without SSL encryption sends passwords across the wire in the clear and is insecure; we accept that risk here only because we are concentrating on a local area network for a group of trusted server users. Afterwards, we enabled POP3 and IMAP over SSL (POP3S and IMAPS) by pointing the ssl directives in the 10-ssl.conf file to our existing self-signed server certificate. Here we changed ssl = required to ssl = yes so that clients connecting to Dovecot are not forced to use SSL encryption: users can choose encrypted authentication if they like, but older clients are not locked out.
Afterwards, to make our Dovecot service available from the other computers in our network, we had to open the four ports for POP3, IMAP, POP3S, and IMAPS (110, 143, 995, and 993) by using the predefined firewalld service files and creating the missing ones for POP3 and IMAP ourselves. Later, we started the Dovecot service and tested our new POP3/IMAP server using the mailx command remotely. By supplying a URL to the -f parameter, which normally names a mailbox file, we were able to specify the protocol and location. For SSL connections, we needed to supply the additional nss-config-dir option pointing to the local Network Security Services database in which CentOS 7 stores trusted certificates.
Remember, if you happen to encounter any errors, you should always refer to the log file located at /var/log/maillog, to which both Postfix and Dovecot write. Plain text authentication should not be used in a real corporate environment; POP3/IMAP over SSL should be preferred there, with ssl = required and disable_plaintext_auth = yes so that unencrypted logins are refused outright.
There's more…
In the main process, you were shown how to install Dovecot in order to let trusted users with local system accounts send and receive e-mails. These users use their existing username as the basis of their e-mail address, but with a few enhancements you can quickly enable aliases, which are a way to define alternative e-mail addresses for existing users.
To start building a list of user aliases, you should begin by opening the following file in your favorite text editor:
vi /etc/aliases
Now add your new identities to the end of the file, where <username> is the name of the actual system account:
# user aliases for mail
newusernamea: <username>
newusernameb: <username>
For example, if you have a user called john who currently (only) accepts e-mails at john@centos7.home, but you want to create a new alias for john called johnwayne@centos7.home, you will write:
johnwayne: john
Repeat this action for all the aliases. When you have finished, remember to save and close the file in the usual way before running the following command, which rebuilds the aliases database that Postfix actually consults (the text file alone has no effect):
newaliases
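As an added example that is not part of the original process, the following shell function appends an alias the way the steps above describe while adding the checks you would want before touching the live /etc/aliases: it refuses malformed alias names, duplicate entries, and aliases that shadow an existing local account (Postfix expands aliases before mailbox delivery, so an alias named after a real user would divert that user's mail to the alias target), and it rejects program ("|command") and :include: targets, which would execute a command or read a file on the server. The johnwayne example and the temporary file are constructed for the demonstration; newaliases is only invoked when the real /etc/aliases is edited on a host that has it.

```shell
#!/bin/sh
# Added example, not part of the original process: append an entry to an
# aliases(5) file with the checks you would want before editing /etc/aliases.
# Refused: malformed alias names, duplicates (after newaliases the later
# entry would silently win), aliases that shadow an existing local account
# (Postfix expands aliases before mailbox delivery, so "john: other" would
# divert john's mail), and targets that run programs ("|command") or read
# files (":include:/path"). Usage:
#   add_mail_alias johnwayne john              # edits /etc/aliases, runs newaliases
#   add_mail_alias johnwayne john ./aliases    # any other file, e.g. for testing

add_mail_alias() {
    alias_name=$1; target=$2; aliases_file=${3:-/etc/aliases}

    # Plain lowercase local part: letters, digits, dot, underscore, hyphen,
    # and not starting with a dot or hyphen.
    case "$alias_name" in
        ''|*[!a-z0-9._-]*|[.-]*)
            echo "refused: '$alias_name' is not a plain lowercase alias name" >&2; return 1 ;;
    esac
    # Only a local user name or an e-mail address may be the target.
    case "$target" in
        ''|\|*|:include:*|*[[:space:]]*)
            echo "refused: target '$target' must be a user name or e-mail address" >&2; return 1 ;;
    esac
    # Dots in the alias name must stay literal in the grep pattern.
    esc=$(printf '%s' "$alias_name" | sed 's/[.]/\\./g')
    if grep -q "^$esc[[:space:]]*:" "$aliases_file" 2>/dev/null; then
        echo "refused: '$alias_name' is already defined in $aliases_file" >&2; return 1
    fi
    if command -v getent >/dev/null 2>&1 && getent passwd "$alias_name" >/dev/null 2>&1; then
        echo "refused: '$alias_name' is an existing account; the alias would take over that user's mail" >&2; return 1
    fi

    printf '%s: %s\n' "$alias_name" "$target" >> "$aliases_file" || return 1
    # Postfix reads the compiled aliases.db, not the text file, so rebuild it
    # whenever the live file has been changed on a host with Postfix installed.
    if [ "$aliases_file" = /etc/aliases ] && command -v newaliases >/dev/null 2>&1; then
        newaliases
    fi
}

# Demonstration against a temporary file (constructed; the real file is /etc/aliases).
demo_file=$(mktemp)
add_mail_alias johnwayne john "$demo_file"
add_mail_alias johnwayne john "$demo_file" || echo "duplicate correctly refused"
add_mail_alias 'John Wayne' john "$demo_file" || echo "malformed name correctly refused"
add_mail_alias sales '|/usr/bin/mail-hook' "$demo_file" || echo "program target correctly refused"
cat "$demo_file"
rm -f "$demo_file"
```

The function deliberately does not resolve whether the target user exists: an alias may legitimately point at an external address such as john@centos7.home, and Postfix will report an unknown local target in /var/log/maillog at delivery time.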
Setting up e-mail software in CentOS
There are a vast number of e-mail clients on the market, and by now you will want to start setting up your local users to be able to send and receive e-mails. This isn't complicated by any means, but in order to have a good starting point you will want to consider the following principles. The format of the e-mail address will be system_username@domainname.home.
The incoming POP3 settings will be similar to the following:
Server: mailserver.centos7.home, Port 110
Username: system_username
Connection Security: None
Authentication: Normal password
For POP3S, just change the port to 995 and use Connection Security: SSL/TLS. For IMAP, just change the port to 143, and for IMAPS use port 993 and Connection Security: SSL/TLS. Because the server certificate is self-signed, the client will ask you to confirm it on the first connection.
The outgoing SMTP settings will be similar to the following:
Server: mailserver.centos7.home, Port 25
Username: system_username
Connection Security: None
Authentication: None
Postfix accepts these unauthenticated submissions only from clients inside the networks it trusts (its mynetworks setting from the Postfix process); a client outside that range would be rejected as a relay attempt.