Virtual user mail system with Postfix, Dovecot and Roundcube

From ArchWiki
(Redirected from Virtual user mail system)

This article or section is a candidate for merging with Postfix.

Notes: Article duplicates Postfix, Dovecot and Roundcube and mainly consists of config snippets intended to be copy'n'pasted. (Discuss in Talk:Virtual user mail system with Postfix, Dovecot and Roundcube)

This article describes how to set up a virtual user mail system, i.e. where the senders and recipients do not correspond to the Linux system users.

Roughly, the components used in this article are Postfix as the mail server, Dovecot as the IMAP server, Roundcube as the webmail interface and PostfixAdmin as the administration interface to manage it all.

In the end, the provided solution will allow you to use the best currently available security mechanisms, you will be able to send mails using SMTP and SMTPS and receive mails using POP3, POP3S, IMAP and IMAPS. Additionally, configuration will be easy thanks to PostfixAdmin and users will be able to login using Roundcube.

Installation

Before you start, you must have both a working MySQL server as described in MySQL and a working Postfix server as described in Postfix.

Install the postfix-mysql, dovecot, and roundcubemail packages.

Configuration

User

For security reasons, a new user should be created to store the mails:

# groupadd -g 5000 vmail
# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail

A gid and uid of 5000 is used in both cases so that we do not run into conflicts with regular users. All your mail will then be stored in /home/vmail. You could change the home directory to something like /var/mail/vmail but be careful to change this in any configuration below as well.

Database

You will need to create an empty database and corresponding user. In this article, the user postfix_user will have read/write access to the database postfix_db using hunter2 as password. You are expected to create the database and user yourself, and give the user permission to use the database, as shown in the following code.

$ mysql -u root -p
CREATE DATABASE postfix_db;
GRANT ALL ON postfix_db.* TO 'postfix_user'@'localhost' IDENTIFIED BY 'hunter2';
FLUSH PRIVILEGES;

This article or section needs expansion.

Reason: Further manual database installation is missing. So far, the only way to follow this article is by installing PostfixAdmin with Apache, MySQL and PHP. (Discuss in Talk:Virtual user mail system with Postfix, Dovecot and Roundcube)

Now you can go to the PostfixAdmin's setup page, let PostfixAdmin create the needed tables and create the users in there.

PostfixAdmin

See PostfixAdmin.

SSL certificate

You will need a SSL certificate for all encrypted mail communications (SMTPS/IMAPS/POP3S). If you do not have one, create one:

# cd /etc/ssl/private/
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout vmail.key -out vmail.crt -days 1460 #days are optional
# chmod 400 vmail.key
# chmod 444 vmail.crt

Alternatively, create a free trusted certificate using Let's Encrypt. The private key will be in /etc/letsencrypt/live/yourdomain/privkey.pem, the certificate in /etc/letsencrypt/live/yourdomain/fullchain.pem. Either change the configuration accordingly, or symlink the keys to /etc/ssl/private:

# ln -s /etc/letsencrypt/live/yourdomain/privkey.pem /etc/ssl/private/vmail.key
# ln -s /etc/letsencrypt/live/yourdomain/fullchain.pem /etc/ssl/private/vmail.crt

Postfix

Before you copy & paste the configuration below, check if relay_domains has already been set. If you leave more than one active, you will receive warnings during runtime.

Warning: relay_domains can be dangerous. You usually do not want Postfix to forward mail of strangers. $mydestination is a sane default value. Double check its value before running postfix! See http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to

Also follow Postfix#Secure SMTP (receiving) pointing to the files you created in #SSL certificate.

Setting up Postfix

To /etc/postfix/main.cf append:

relay_domains = $mydestination
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 5000
virtual_transport = virtual
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
transport_maps = hash:/etc/postfix/transport

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_cert_file = /etc/ssl/private/vmail.crt
smtpd_tls_key_file = /etc/ssl/private/vmail.key
smtpd_sasl_local_domain = $mydomain
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_loglevel = 1
  • In the configuration above virtual_mailbox_domains is a list of the domains that you want to receive mail for. This CANNOT contain the domain that is set in mydestination. That is why we left mydestination to be localhost only.
  • virtual_mailbox_maps will contain the information of virtual users and their mailbox locations. We are using a hash file to store the more permanent maps, and these will then override the forwards in the MySQL database.
  • virtual_mailbox_base is the base directory where the virtual mailboxes will be stored.

The virtual_uid_maps and virtual_gid_maps are the real system user IDs that the virtual mails will be owned by. This is for storage purposes.

Note: Since we will be using a web interface (Roundcube), and do not want people accessing this by any other means, we will be creating this account later without providing any login access.

Create the file structure

Those new additional settings reference a lot of files that do not even exist yet. We will create them with the following steps.

If you were setting up your database with PostfixAdmin and created the database schema through PostfixAdmin, you can create the following files. Do not forget to change the password:

/etc/postfix/virtual_alias_maps.cf
user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
table = alias
select_field = goto
where_field = address
/etc/postfix/virtual_mailbox_domains.cf
user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
table = domain
select_field = domain
where_field = domain
/etc/postfix/virtual_mailbox_maps.cf
user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
table = mailbox
select_field = maildir
where_field = username

For alias domains functionality adjust the following files:

/etc/postfix/main.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf,proxy:mysql:/etc/postfix/virtual_alias_domains_maps.cf
virtual_alias_domains = proxy:mysql:/etc/postfix/virtual_alias_domains.cf
/etc/postfix/virtual_alias_domains_maps.cf
user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = '1' AND alias_domain.active='1'
/etc/postfix/virtual_alias_domains.cf
user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
query = SELECT alias_domain FROM alias_domain WHERE alias_domain='%s' AND active = '1'
Note: For setups without using PostfixAdmin, create the following files.
/etc/postfix/virtual_alias_maps.cf
user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
table = domains
select_field = virtual
where_field = domain
/etc/postfix/virtual_mailbox_domains.cf
user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
table = forwardings
select_field = destination
where_field = source
/etc/postfix/virtual_mailbox_maps.cf
user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
table = users
select_field = concat(domain,'/',email,'/')
where_field = email

Run postmap on transport to generate its db:

# postmap /etc/postfix/transport

Dovecot

Instead of using the provided Dovecot example configuration file, we will create our own /etc/dovecot/dovecot.conf. Please note that the user and group here might be vmail instead of postfix!

/etc/dovecot/dovecot.conf
protocols = imap pop3
auth_mechanisms = plain
passdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
userdb {
    driver = sql
    args = /etc/dovecot/dovecot-sql.conf
}
 
service auth {
    unix_listener auth-client {
        group = postfix
        mode = 0660
        user = postfix
    }
    user = root
}

mail_home = /home/vmail/%d/%n
mail_location = maildir:~

ssl_cert = </etc/ssl/private/vmail.crt
ssl_key = </etc/ssl/private/vmail.key
Note: If you instead want to modify dovecot.conf.sample, beware that the default configuration file imports the content of conf.d/*.conf. Those files call other files that are not present in our configuration.

Now we create /etc/dovecot/dovecot-sql.conf, which we just referenced in the configuration above. Use the following contents and check if everything is set accordingly to your system's configuration.

If you used PostfixAdmin, then you add the following:

/etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2
# It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/PasswordSchemes
default_pass_scheme = SHA512-CRYPT
# Get the mailbox
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=',  quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
# Get the password
password_query = SELECT username as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 as  userdb_uid, 5000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# If using client certificates for authentication, comment the above and uncomment the following
#password_query = SELECT null AS password, ‘%u’ AS user

Without having used PostfixAdmin you can use:

/etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2
# It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/PasswordSchemes
default_pass_scheme = SHA512-CRYPT
# Get the mailbox
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=',  quota) AS quota FROM users WHERE email = '%u'
# Get the password
password_query = SELECT email as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 as  userdb_uid, 5000 as userdb_gid FROM users WHERE email = '%u'
# If using client certificates for authentication, comment the above and uncomment the following
#password_query = SELECT null AS password, ‘%u’ AS user
Tip: Visit https://wiki2.dovecot.org/Variables to learn more about Dovecot variables.

DH parameters

With v2.3 you are required to provide ssl_dh = /path/to/dh.pem yourself.

To generate a new DH parameters file (this will take a long time):

# openssl dhparam -out /etc/dovecot/dh.pem 4096

then add the file to /etc/dovecot/dovecot.conf

ssl_dh = </etc/dovecot/dh.pem

PostfixAdmin

See PostfixAdmin.

Note: To match the configuration in this file, config.inc.php should contain the following.

   # /etc/webapps/postfixadmin/config.inc.php
   ...
   $CONF['domain_path'] = 'YES';
   $CONF['domain_in_mailbox'] = 'NO';
   ...

Roundcube

See Roundcube.

Make sure that both extension=pdo_mysql and extension=iconv are uncommented in your php.ini file. Also check the .htaccess for access restrictions. Assuming that localhost is your current host, navigate a browser to http://localhost/roundcube/installer/ and follow the instructions.

Roundcube needs a separate database to work. You should not use the same database for Roundcube and PostfixAdmin. Create a second database roundcube_db and a new user named roundcube_user.

While running the installer ...

  • For the address of the IMAP host, i.e. imap_host, use ssl://localhost/ or tls://localhost/ and not just localhost.
  • Use port 993. Likewise with SMTP.
  • For the address of the SMTP host, i.e. smtp_host, use tls://localhost/ and port 587 if you used STARTTLS. Use ssl://localhost/ with port 465 if you used SMTPS. If there is a failure to establish a session, try using tls://yourservername instead, replacing yourservername with the name of your server.
  • See #Postfix for an explanation on that.
  • Make sure the resulting configuration file has $config['smtp_user'] = '%u'; and $config['smtp_pass'] = '%p'; lines in it or you will not be able to send email.

The post install process is similar to any other webapp like PhpMyAdmin or PostFixAdmin. The configuration file is in /etc/webapps/roundcubemail/config/config.inc.php which works as an override over defaults.inc.php.

Apache configuration

If you are using Apache, copy the example configuration file to your webserver configuration directory.

# cp /etc/webapps/roundcubemail/apache.conf /etc/httpd/conf/extra/httpd-roundcubemail.conf

Add the following line in

/etc/httpd/conf/httpd.conf
Include conf/extra/httpd-roundcubemail.conf

Roundcube: Change Password Plugin

To let users change their passwords from within Roundcube, do the following:

Enable the password plugin by adding this line to

/etc/webapps/roundcubemail/config/config.inc.php
$config['plugins'] = ['password'];

Configure the password plugin and make sure you alter the settings accordingly:

/usr/share/webapps/roundcubemail/plugins/password/config.inc.php
<?php

$config['password_driver'] = 'sql';
$config['password_db_dsn'] = 'mysql://<postfix_database_user>:<password>@localhost/<postfix_database_name>';
// If you are not using dovecot specify another algorithm explicitly e.g 'sha256-crypt'
$config['password_algorithm'] = 'dovecot';
// For dovecot salted passwords only (above must be set to 'dovecot')
// $config['password_algorithm_prefix'] = 'true';
// $config['password_dovecotpw'] = '/usr/bin/doveadm pw';
// $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
// $config['password_dovecotpw_with_method'] = true;
$config['password_query'] = 'UPDATE mailbox SET password=%P WHERE username=%u';

Make sure this file is readable only by the http user and group since it contains sensitive information:

# chown http:http /usr/share/webapps/roundcubemail/plugins/password/config.inc.php
# chmod o-r /usr/share/webapps/roundcubemail/plugins/password/config.inc.php

Fire it up

All necessary daemons should be started in order to test the configuration. Start both postfix and dovecot.

Now for testing purposes, create a domain and mail account in PostfixAdmin. Try to login to this account using Roundcube. Now send yourself a mail.

Testing

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Reason: Needs some cleanup. There are probably more general ways to write this. (Discuss in Talk:Virtual user mail system with Postfix, Dovecot and Roundcube)

Now lets see if Postfix is going to deliver mail for our test user.

nc servername 25
helo testmail.org
mail from:<test@testmail.org>
rcpt to:<cactus@virtualdomain.tld>
data
This is a test email.
.
quit

Error response

451 4.3.0 <lisi@test.com>:Temporary lookup failure

Maybe you have entered the wrong user/password for MySQL or the MySQL socket is not in the right place.

This error will also occur if you neglect to run newaliases at least once before starting postfix. MySQL is not required for local only usage of postfix.

550 5.1.1 <email@spam.me>: Recipient address rejected: User unknown in virtual mailbox table.

Double check content of mysql_virtual_mailboxes.cf and check the main.cf for mydestination

See that you have received a email

Now type $ find /home/vmailer.

You should see something like the following:

/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/tmp
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/cur
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new/1102974226.2704_0.bonk.testmail.org

The key is the last entry. This is an actual email, if you see that, it is working.

Optional Items

Although these items are not required, they definitely add more completeness to your setup

Quota

To enable mailbox quota support by dovecot, do the following:

  • First add the following lines to /etc/dovecot/dovecot.conf
dict {
	quotadict = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
service dict {
	unix_listener dict {
		group = vmail
		mode = 0660
		user = vmail
	}
	user = root
}
service quota-warning {
	executable = script /usr/local/bin/quota-warning.sh
	user = vmail
	unix_listener quota-warning {
		group = vmail
		mode = 0660
		user = vmail
	}
}	
mail_plugins=quota
protocol pop3 {
	 mail_plugins = quota
	 pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
	 pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
	mail_plugins = quota
	postmaster_address = postmaster@yourdomain.com
}
protocol imap {
	mail_plugins = $mail_plugins imap_quota
	mail_plugin_dir = /usr/lib/dovecot/modules
}
plugin {
       quota = dict:User quota::proxy::quotadict
       quota_rule2 = Trash:storage=+10%%
       quota_warning = storage=100%% quota-warning +100 %u
       quota_warning2 = storage=95%% quota-warning +95 %u
       quota_warning3 = storage=80%% quota-warning +80 %u
       quota_warning4 = -storage=100%% quota-warning -100 %u # user is no longer over quota
}
  • Create a new file /etc/dovecot/dovecot-dict-sql.conf.ext with the following code:
connect = host=localhost dbname=yourdb user=youruser password=yourpassword
map {
	pattern = priv/quota/storage
	table = quota2
	username_field = username
	value_field = bytes
}
map {
	pattern = priv/quota/messages
	table = quota2
	username_field = username
	value_field = messages
}
  • Create a warning script /usr/local/bin/quota-warning.sh and make sure it is executable. This warning script works with postfix lmtp configuration as well.
#!/bin/sh
BOUNDARY="$1"
USER="$2"
MSG=""
if [[ "$BOUNDARY" = "+100" ]]; then
    MSG="Your mailbox is now overfull (>100%). In order for your account to continue functioning properly, you need to remove some emails NOW."
elif [[ "$BOUNDARY" = "+95" ]]; then
    MSG="Your mailbox is now over 95% full. Please remove some emails ASAP."
elif [[ "$BOUNDARY" = "+80" ]]; then
    MSG="Your mailbox is now over 80% full. Please consider removing some emails to save space."
elif [[ "$BOUNDARY" = "-100" ]]; then
    MSG="Your mailbox is now back to normal (<100%)."
fi
 
cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
From: postmaster@yourdomain.com
Subject: Email Account Quota Warning

Dear User,

$MSG

Best regards,
Your Mail System
EOF
  • Edit the user_query line and add iterat_query in dovecot-sql.conf as following:
 user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
 iterate_query = SELECT username AS user FROM mailbox
  • Set up LDA as described above under SpamAssassin. If you are not using SpamAssassin, the pipe should look like this in /etc/postfix/master.cf :
 dovecot    unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

As above activate it in Postfix main.cf

 virtual_transport = dovecot
  • You can set up quota per each mailbox in postfixadmin. Make sure the relevant lines in config.inc.php look like this:
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';

Restart postfix and dovecot services. If things go well, you should be able to list all users' quota and usage by the this command:

doveadm quota get -A

You should be able to see the quota in roundcube too.

Autocreate and autosubscribe folders in Dovecot

To automatically create the "usual" mail hierarchy, modify your /etc/dovecot/dovecot.conf as follows, editing to your specific needs.

namespace inbox {
  type = private
  separator = /
  prefix =
  inbox = yes
}
namespace inbox {
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
   auto = subscribe
   special_use = \Junk
 }
 mailbox Trash {
   auto = subscribe
   special_use = \Trash
 }
 mailbox Sent {
   auto = subscribe
   special_use = \Sent
 }
}

Dovecot public folder and global ACLs

In this section we enable IMAP namespace public folders combined with global and per-folder ACLs.

First, add the following lines to /etc/dovecot/dovecot.conf:

### ACLs
mail_plugins = acl
protocol imap {
  mail_plugins = $mail_plugins imap_acl
}
plugin {
 acl = vfile
 # With global ACL files in /etc/dovecot/dovecot-acls file (v2.2.11+):
 acl = vfile:/etc/dovecot/dovecot-acl
}

### Public Mailboxes
namespace {
 type = public
 separator = /
 prefix = public/
 location = maildir:/home/vmail/public:INDEXPVT=~/public
 subscriptions = no
 list = children
}

Create the root directory /home/vmail/public and the folders you want to publicly share, for example (the period is required!) /home/vmail/public/.example-1.

Change the ownership of all files in the root directory:

$ chown -R vmail:vmail /home/vmail/public

Finally, create and modify your global ACL file to allow users access to these folders:

/etc/dovecot/dovecot-acl
public/* user=admin@example.com lrwstipekxa

In the above example, user admin@example.com has access to, and can do anything to, all the public folders. Edit to fit your specific needs.

Note:
  • lrwstipekxa are the permissions being granted. Visit the Dovecot wiki for further details.
  • Make sure the user subscribes to the folders in the client they are using.

Fighting Spam

To use SpamAssassin, you must set it up with a SQL database. Otherwise user scores and filter data won't be saved as users are virtual and don't have home directories where to save these.

As an alternative to SpamAssassin, consider rspamd. Out of the box, it delivers an amazing amount of spam reduction, greylisting, etc and includes a nifty webui. See also [1].

Sidenotes

Alternative vmail folder structure

Instead of having a directory structure like /home/vmail/example.com/user@example.com you can have cleaner subdirectories (without the additional domain name) by replacing select_field and where_field with:

query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'

Troubleshooting

IMAP/POP3 client failing to receive mails

If you get similar errors, take a look into /var/log/mail.log or run journalctl -xn --unit postfix.service as root to find out more.

It may turn out that the Maildir /home/vmail/mail@domain.tld is just being created if there is at least one email waiting. Otherwise there would not be any need for the directory creation before.

Roundcube not able to delete emails or view any 'standard' folders

Ensure that the Roundcube config.inc.php file contains the following:

$config['default_imap_folders'] = ['INBOX', 'Drafts', 'Sent', 'Junk', 'Trash'];
$config['create_default_folders'] = true;
$config['protect_default_folders'] = true;

LMTP / Sieve

Is LMTP not connecting to sieve? Ensure that your server is not routing the messages locally. This can be set in /etc/postfix/main.cf:

mydestination =

Are your emails sent to gmail users ending up in their junk/spam folders?

Google gmail (and most other large email providers) will send your emails straight into your recipients junk / spam folder if you have not implemented SPF / DKIM / DMARC policies. (Hint: Rspamd, via the link above, shows you how to set this up, and will DKIM sign your emails.)

See also