some personal, more technical – by Thomas Einwaller
I have been running my own mail server for over five years now. There are a lot of good free email services out there but I am not satisfied with their spam filters. I am getting about 300 spam mails a day and with my current solution only one of them makes it into my inbox per month.
The second reason is that I do not want to delete or archive my mails too often and I want to have access to them anywhere at any time. Therefore I need an IMAP server with a lot of storage. Most free mail services provide this nowadays but did not five years ago. I thought about using Gmail lately but I am not completely happy with storing all my mails on Google servers.
First I used an old PC that ran in my home office day and night. My home internet connection always had a high enough upload bandwidth to allow that. The mail server was not a dedicated mail server for my domain. I used fetchmail to receive my emails from multiple POP3 servers.
About six months ago I configured a VPS machine to act as the dedicated mail server for my domains. I host multiple mail accounts for my family and friends on it. This post explains what I did to configure my perfect personal mail server.
The whole system is based on a Debian etch base network installation. The first packages I installed were
apt-get install postfix mutt
I use postfix as my mail transfer agent. It provides a huge set of features and is a lot easier to configure than other systems. After installing postfix the configuration dialog asked what kind of system I have. I answered “Internet site” because I wanted to configure a dedicated mail server for my domain.
mutt is a simple mail reader which I use to read and send mails for testing when connected over ssh. After the installation of postfix it should be possible to send mails locally between user accounts (tom, root, …) and to an official mail address with mutt. See the mutt manual on how to control mutt.
I found this nice article on how to install and configure spamassassin with postfix on debian. Based on this how to I installed the following packages:
apt-get install spamassassin spamc pyzor razor
With the command line
spamassassin --lint -D
it is possible to check if spamassassin works and what checks are enabled.
I added a user for spamassassin with the following statements:
groupadd -g 5001 spamd
useradd -u 5001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin spamd
mkdir /var/lib/spamassassin
chown spamd:spamd /var/lib/spamassassin
In the file /etc/default/spamassassin I made the following changes:
SAHOME="/var/lib/spamassassin/"
ENABLED=1
OPTIONS="--create-prefs --max-children 2 --username spamd --helper-home-dir ${SAHOME} -s ${SAHOME}spamd.log"
This enables spamassassin on startup of the server, configures its home directory and defines the maximum number of processes it is allowed to use.
Inside the file /etc/postfix/master.cf I added the following lines to tell postfix to filter received mails through spamassassin (the lines starting with whitespace continue the line above them):
smtp      inet  n       -       -       -       2       smtpd
  -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
After this point every incoming mail is checked by spamassassin. I wanted to drop every mail with a spam rating higher than ten points so I added the following line in /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
and created the file /etc/postfix/header_checks with this content:
/^X-Spam-level: \*\*\*\*\*\*\*\*\*.*$/ DISCARD
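Added example (not part of the original post): a small Python emulation of the header_checks lookup that shows from how many stars in X-Spam-Level the rule above fires. It assumes that SpamAssassin writes one star per full point and that Postfix regexp tables match case-insensitively by default; the function names are made up for this illustration.

```python
import re

# The rule from /etc/postfix/header_checks above
HEADER_CHECKS = r"/^X-Spam-level: \*\*\*\*\*\*\*\*\*.*$/ DISCARD"

def load_rules(text):
    """Parse '/pattern/flags ACTION' lines of a Postfix regexp table."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*/(.*)/([a-z]*)\s+(\S+)", line)
        if m:
            pattern, flags, action = m.groups()
            # regexp tables ignore case unless the 'i' flag switches that off
            rules.append((re.compile(pattern, 0 if "i" in flags else re.I), action))
    return rules

def action_for(rules, header):
    """Return the action of the first matching rule, or None."""
    for rx, action in rules:
        if rx.search(header):
            return action
    return None

def discard_threshold(rules, max_stars=50):
    """Smallest number of stars in X-Spam-Level that triggers DISCARD."""
    for stars in range(max_stars + 1):
        if action_for(rules, "X-Spam-Level: " + "*" * stars) == "DISCARD":
            return stars
    return None

if __name__ == "__main__":
    rules = load_rules(HEADER_CHECKS)
    print("discarded from", discard_threshold(rules), "stars upwards")
    # Constructed headers: a low score and a clear spam score
    for hdr in ("X-Spam-Level: *****", "X-Spam-Level: ************"):
        print(hdr, "->", action_for(rules, hdr))
```

On the server itself the same question can be asked with postmap -q and the regexp: table.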
So far I had my new server where my old PC at home already was. One of the biggest advantages of having my own dedicated mail server for my domain compared to a home server with fetchmail is that it is possible to use greylisting. This means every time a new mail server wants to send a mail to my domain it is rejected on the first try. If the server tries again after five minutes the mail is accepted. Most spam senders do not try again which reduces spam significantly (by about 90 percent!).
All I had to do to get greylisting was to install the correct Debian package
apt-get install postgrey
and add the following lines to /etc/postfix/main.cf:
smtpd_recipient_restrictions =
  permit_mynetworks,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:60000
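Added example (not postgrey's code and not part of the original post): the greylisting decision described above as a small Python simulation. The triplet of client IP, sender and recipient as the key, the two-day retry window and the sample addresses are assumptions; the 300 seconds correspond to the five minutes mentioned above.

```python
DELAY = 300                 # seconds a new triplet has to wait (the five minutes above)
RETRY_WINDOW = 2 * 86400    # assumption: a first attempt is forgotten after two days

class Greylist:
    def __init__(self):
        self.first_seen = {}    # triplet -> time of the first attempt
        self.passed = set()     # triplets that have retried successfully

    def check(self, client_ip, sender, recipient, now):
        """Return 'defer' (temporary 4xx rejection) or 'accept'."""
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return "accept"
        first = self.first_seen.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.first_seen[key] = now      # new or expired: start the clock
            return "defer"
        if now - first < DELAY:
            return "defer"                  # retried too early
        self.passed.add(key)
        return "accept"

def replay(events):
    """Run (time, ip, sender, recipient) events through a fresh greylist."""
    gl = Greylist()
    return [gl.check(ip, sender, rcpt, t) for (t, ip, sender, rcpt) in events]

# Constructed sample traffic (documentation addresses, times in seconds)
SAMPLE = [
    (0,   "192.0.2.10",   "alice@example.org", "tom@domain1.com"),  # first attempt
    (60,  "192.0.2.10",   "alice@example.org", "tom@domain1.com"),  # retry too early
    (400, "192.0.2.10",   "alice@example.org", "tom@domain1.com"),  # retry after delay
    (410, "192.0.2.10",   "alice@example.org", "tom@domain1.com"),  # known triplet
    (500, "198.51.100.7", "spam@example.net",  "tom@domain1.com"),  # never retries
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", verdict)
```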
Now that mails are received, filtered and stored by the server I had to make them accessible. My choice for this is dovecot for IMAP and POP in combination with squirrelmail for webmail. Of course there are Debian packages which I installed with
apt-get install dovecot-imapd dovecot-pop3d squirrelmail
This also installs apache2 as web server with PHP support because squirrelmail is a PHP web application. Inside /etc/dovecot/dovecot.conf I added the protocols IMAP, IMAPS and POP3S:
protocols = imap imaps pop3s
I only use IMAPS for security reasons but squirrelmail connects over IMAP internally. Now it was possible to run dovecot by executing
/etc/init.d/dovecot start
To enable squirrelmail I added the example configuration inside of /etc/squirrelmail/apache.conf to my apache2 virtual host and reloaded the apache2 configuration. Now I was able to log into my webmail.
Since I want to allow all the members of my family to use my mail server without having to add a user account on my Linux system I chose to create virtual mail users. Therefore I first created a real system user under which the mails of all virtual users will be handled.
adduser vmail
I made sure that the user is not able to log in (shell /bin/false) and has a strong password. Then I added the following lines to /etc/postfix/main.cf:
virtual_transport = virtual
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_alias_maps = hash:/etc/postfix/valias
The ID 1001 in this configuration is the user and group ID of the vmail user I just created. Then I created the files configured above. The vhosts file holds the domains for which the mail server should handle incoming mails just like:
domain1.com
domain2.com
The vmaps file tells the system in which subdirectory of the vmail base directory (in my case /var/mail/vmail) the mails of the virtual users should be stored:
tom@domain1.com tom@domain1.com/
tom@domain2.com tom@domain2.com/
jim@domain2.com jim@domain2.com/
I had to create these directories and make vmail the owner of them. Later this configuration will be ignored because I used maildrop for filtering my mails (see below).
After creating the file I had to call postmap vhosts to generate the map that postfix uses to access it.
In the valias file it is possible to define mail aliases, which allow multiple email addresses to be stored in the same mailbox, like the following:
postmaster@domain1.com tom@domain1.com
postmaster@domain2.com tom@domain2.com
thomas@domain2.com tom@domain2.com
Like before I had to use postmap to create the map file for this file after every change. A reload of the configuration by calling /etc/init.d/postfix reload makes postfix aware of the changes and it is able to handle incoming mails for the virtual users.
To tell dovecot how to handle virtual users I had to make the following changes to /etc/dovecot/dovecot.conf:
mail_location = maildir:/var/mail/vmail/%u
auth default {
  mechanisms = plain digest-md5
  passdb passwd-file {
    # Path for passwd-file
    args = /etc/dovecot/passwd
  }
  userdb passwd-file {
    # Path for passwd-file
    args = /etc/dovecot/users
  }
}
In the two configured files I added the entries required for the authorization of the virtual users. The file /etc/dovecot/users looks like
tom@domain1.com::1001:1001::/var/mail/vmail/tom@domain1.com/:/bin/false::
tom@domain2.com::1001:1001::/var/mail/vmail/tom@domain2.com/:/bin/false::
jim@domain2.com::1001:1001::/var/mail/vmail/jim@domain2.com/:/bin/false::
Here 1001 again is the ID of the user vmail. By using the dovecot password tool I created the entries for /etc/dovecot/passwd:
dovecotpw -u tom
The generated password hash has to be copied into the file /etc/dovecot/passwd:
tom@domain1.com:5tA1zgMfhrE4U
tom@domain2.com:BUJC6K1tPPNxc
jim@domain2.com:YpdhuPLRTRuqg
After reloading the configuration of dovecot it was able to authenticate the virtual users and to find their mail directory.
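Added example (not part of the original post): a Python cross-check of the files that have to agree for a virtual user to work, namely vhosts, vmaps, valias, /etc/dovecot/users and /etc/dovecot/passwd. The function names, the sample contents and the placeholder hash are constructed for this illustration; the base directory and the ID 1001 are the values used above.

```python
BASE = "/var/mail/vmail"   # virtual_mailbox_base from main.cf above
VMAIL_ID = "1001"          # uid and gid of the vmail user

def pairs(text):
    """Parse 'key value' lines as used in vmaps and valias."""
    rows = (line.split(None, 1) for line in text.splitlines())
    return {r[0]: r[1].strip() for r in rows if len(r) == 2}

def audit(vhosts, vmaps, valias, users, passwd):
    """Return a list of inconsistencies between the five files."""
    domains, boxes, aliases = set(vhosts.split()), pairs(vmaps), pairs(valias)
    db = {f[0]: f + [""] * 6 for f in (l.split(":") for l in users.splitlines() if l)}
    hashes = dict(l.split(":", 1) for l in passwd.splitlines() if ":" in l)
    problems = []
    for addr, path in boxes.items():
        if addr.rsplit("@", 1)[-1] not in domains:
            problems.append(f"{addr}: domain missing from vhosts")
        entry = db.get(addr)
        if entry is None:
            problems.append(f"{addr}: missing from dovecot users")
        else:
            if entry[2:4] != [VMAIL_ID, VMAIL_ID]:
                problems.append(f"{addr}: uid/gid is not {VMAIL_ID}")
            if entry[5].rstrip("/") != f"{BASE}/{path}".rstrip("/"):
                problems.append(f"{addr}: home differs from vmaps path")
        if not hashes.get(addr):
            problems.append(f"{addr}: no password hash")
    for alias, target in aliases.items():
        local = target.rsplit("@", 1)[-1] in domains
        if local and target not in boxes:
            problems.append(f"{alias}: target {target} has no mailbox")
    for addr in sorted(db.keys() - boxes.keys()):
        problems.append(f"{addr}: dovecot user without vmaps entry")
    return problems

# Constructed sample files in the layout shown above, with three mistakes
VHOSTS = "domain1.com\ndomain2.com\n"
VMAPS = "tom@domain1.com tom@domain1.com/\njim@domain2.com jim@domain2.com/\n"
VALIAS = "postmaster@domain1.com tom@domain1.com\nthomas@domain2.com tom@domain2.com\n"
USERS = ("tom@domain1.com::1001:1001::/var/mail/vmail/tom@domain1.com/:/bin/false::\n"
         "jim@domain2.com::1000:1000::/var/mail/vmail/jim@domain2.com/:/bin/false::\n")
PASSWD = "tom@domain1.com:CONSTRUCTED-HASH\n"

if __name__ == "__main__":
    for problem in audit(VHOSTS, VMAPS, VALIAS, USERS, PASSWD):
        print(problem)
```

Only single-target aliases, as used above, are handled.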
Because I want to sort my incoming mails into different IMAP folders automatically on the server I decided to use maildrop. I installed the Debian maildrop package by calling
apt-get install maildrop
I added the following two lines to /etc/postfix/main.cf
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
and removed the line
virtual_transport = virtual
to tell postfix to deliver mail through maildrop. Additionally I had to include the following in the master.cf
maildrop unix -      n      n      -      -      pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${recipient}
When a mail is delivered, maildrop looks into the home directory of the user for a file named .mailfilter so I created this file in /home/vmail with the following content:
DEFAULT="/var/mail/vmail/$1/"
exception {
 include "$HOME/mailfilters/$1"
}
to $DEFAULT
This configuration tells maildrop to look into the folder mailfilters for special configurations for a virtual user or to put the mail into its default directory. In the directory /home/vmail/mailfilters I created the files for the virtual mail users like tom@domain1.com:
if (/^X-Spam-Flag:.*YES/)
{
 exception {
 to "$DEFAULT/.spam/"
 }
}
if (/^Subject.*LogWatch/ || /^Subject.*Cron/ )
{
 exception {
 to "$DEFAULT/.logwatch/"
 }
}
Now every mail that is tagged by spamassassin with the X-Spam-Flag header is placed into the IMAP folder called spam and mails with a subject containing “LogWatch” are placed in the folder logwatch.
Sending mail through the server that is configured as the MX for a domain reduces the chance that it is mistaken for spam a lot. To allow me to not only receive email with my mailserver but to send my email through it I configured SASL for secure access and to block all other invalid users.
The packages are installed by the following command line:
apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util
The following lines needed to be added to /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:60000
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
Then I created the file /etc/postfix/sasl/smtpd.conf containing the following two lines:
pwcheck_method: saslauthd
mech_list: plain login
and I created a directory for the SASL daemon:
mkdir -p /var/spool/postfix/var/run/saslauthd
This directory is defined in /etc/default/saslauthd with
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
This is the complete setup of my mail system. If you have any questions or hints to improve it, please let me know in the comments.
One last tip: It is helpful to test your system while going through the steps above. Therefore I used a test mail written into a file that looks like this:
HELO test.local
MAIL FROM:test@local
RCPT TO:tom
DATA
Subject: testsubject
From: test@local
To: tom

Hello,
This is a Test
Goodbye
.
QUIT
By saving this text into a file, named testmail for example, it is possible to do a quick test of your mail system by executing
cat testmail | telnet localhost 25
which makes postfix receive the mail, send it through the configured chain and store it in the appropriate user account's inbox.
For further information see the following list of sites. These are the sources I used to create my how to:
http://www.howtoforge.com/linux_postfix_virtual_hosting
http://blogbound.com/etch-postfix-spamassassin-vps
http://postfix.wiki.xs4all.nl/index.php?title=Combine_With_Maildrop_Howto
http://www.howtoforge.com/perfect_setup_debian_etch_p5
10 Responses to Mail server setup for Debian etch
tOMPSON’s blog » Blog Archive » Mail size restrictions in postfix
March 23rd, 2008 at 7:49 pm
[...] I wrote in my post about my mail server configuration I am using postfix as MTA for my emails. This week a friend had problems to send me an email [...]
Kimbo
August 30th, 2008 at 6:43 pm
I have an issue when trying to start/restart postfix:
#/etc/init.d/postfix restart
Stopping Postfix Mail Transport Agent: postfixpostfix: fatal: /etc/postfix/main.cf, line 40: missing '=' after attribute name: "smtp inet n - - - 2 smtpd"
failed!
#
In your post you have the entry over three separate lines, but I figure it is really only two lines; am I correct?
smtp inet n - - - 2 smtpd
-o content_filter=spamassassin
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Chris
February 11th, 2009 at 9:07 am
The last line above for the /home/vmail/.mailfilter maildrop rules file should appear on separate lines (i.e. “to $DEFAULT” on a line by itself), otherwise you’ll end up with errors in your mail.log looking like:
Feb 11 17:02:28 ping postfix/pipe[13448]: A20625E5ED: to=, relay=maildrop, delay=941, delays=941/0.01/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: No such file or directory .mailfilter(5): Syntax error after } )
Chris
February 11th, 2009 at 9:15 am
If you have trouble getting postfix to authenticate you when sending email, I found the following worked for me:
In /etc/postfix/main.cf, add:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
and add the following subsection to the “auth default” section of /etc/dovecot/dovecot.conf:
socket listen {
  client {
    # Assuming the default Postfix $queue_directory setting
    path = /var/spool/postfix/private/auth
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }
}
Then you should be able to send email using the full realm as the username when authenticating (i.e. user@domain).
tompson
February 11th, 2009 at 10:49 am
@Chris thanks, I fixed that
blog ping
September 17th, 2009 at 1:30 pm
Hey yo, I’m really happy for ya and am gonna let you finish but you didn’t mention PingNinja.com
Martin Ahrer
January 19th, 2010 at 3:55 pm
saslauthd defaults are in /etc/default/saslauthd not /etc/defaults/saslauthd
Martin Ahrer
January 19th, 2010 at 4:00 pm
Regarding “Virtual mail users”: change directory into /etc/postfix before calling postmap. Call postmap valias and postmap vmaps (not postmap vhosts)
Martin Ahrer – together we’ll make IT » SASL + Postfix with Debian Lenny
January 19th, 2010 at 4:04 pm
[...] and upgraded from debian etch to lenny. The initial set was done by a friend of mine following these instructions. With the upgrade to lenny however a few adjustments were required. So I describe the new setup [...]
Martin Ahrer
January 19th, 2010 at 4:10 pm
If you are installing sasl with postfix on debian lenny you need a different setup:
http://www.martinahrer.at/blog/2010/01/19/sasl-postfix-with-debian-lenny/