Installing on CentOS 7.1: Postfix 2.10.x / Dovecot 2.2.x (imaps) / OpenSSL 1.0.1x

April 10, 2015

I composed these instructions from notes taken during a recent installation. I cannot guarantee their accuracy because there was a lot of troubleshooting involved and I did not repeat the process. All packages are installed as RPMs. Most of these instructions were derived from this tutorial:

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-postfix-e-mail-server-with-dovecot

I'd like to ensure that Dovecot does not unintentionally accept unencrypted connections on port 143/tcp and I'm most familiar with iptables, so I start by installing iptables and disabling firewalld:

yum install iptables-services
systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables

Now we install the Postfix and Dovecot RPMs. If you have not installed OpenSSL, append "[space]openssl" to this command:

yum install postfix dovecot

Generate a certificate and key for IMAPS (993/tcp) access, change their permissions and move them to an appropriate directory:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mail.key -out mailcert.pem
chmod 600 mail*
mv mailcert.pem /etc/ssl/certs/
# Create the key directory if it is missing (mkdir -p is a no-op when it already exists)
mkdir -p -m 700 /etc/ssl/private
mv mail.key /etc/ssl/private/

Make some changes to the Postfix configuration in /etc/postfix/main.cf:

# Identify this server and the domains it serves
myhostname = smtp.mydomain.com
virtual_alias_domains = mydomain.com myotherdomain.com myfriendsdomain.com
# Identify the file that contains the list of virtual address mappings
virtual_alias_maps = hash:/etc/postfix/virtual
# Restrict relaying to local email clients
mynetworks = 127.0.0.0/8
# Limit mailbox size to 500 MB and individual messages to 20 MB
mailbox_size_limit = 500000000
message_size_limit = 20000000

After saving the above changes (particularly the mynetworks parameter), we can configure Postfix to listen on the public network interface by commenting out the following line:

inet_interfaces = localhost

Clear the contents of /etc/dovecot/conf.d and add:

disable_plaintext_auth = yes
mail_privileged_group = mail
mail_location = maildir:~/Maildir
userdb {
  driver = passwd
}
passdb {
  # %s expands to the service name (imap), which Dovecot passes to PAM as the PAM service name
  args = %s
  driver = pam
}
protocols = " imap"
service imap-login {
  inet_listener imap {
    # port = 0 disables the unencrypted IMAP listener (143/tcp)
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/mailcert.pem
ssl_key = </etc/ssl/private/mail.key

If you prefer MBOX inboxes stored in /var/mail (which typically points to /var/spool/mail) and other folders under ~/mail, change the mail_location line to:

mail_location = mbox:~/mail:INBOX=/var/mail/%u
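
The listener and TLS settings above are what keep IMAP off unencrypted 143/tcp, so they are worth re-checking mechanically after any later edit. The shell function below is an added example, not part of the original notes; the function name, the sample variables and the FAIL output format are assumptions made for illustration, and it only checks settings that are written out explicitly in the text it is given.

```shell
# Added example (not from the original notes): audit Dovecot config text on stdin
# for the TLS-only IMAP settings. Prints one FAIL line per problem; returns 1 if any.
audit_dovecot_conf() {
    awk '
    function need(key, want,    got) {
        got = (key in conf) ? conf[key] : "(unset)"
        if (got != want) { printf "FAIL %s = %s, expected %s\n", key, got, want; bad++ }
    }
    {
        sub(/#.*/, "")                          # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "")             # trim whitespace
        if ($0 == "") next
        if ($0 ~ /[{]$/) { sub(/[ \t]*[{]$/, ""); stack[++depth] = $0; next }
        if ($0 == "}") { if (depth > 0) depth--; next }
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        path = ""                               # e.g. "service imap-login/inet_listener imap/"
        for (i = 1; i <= depth; i++) path = path stack[i] "/"
        conf[path key] = val
    }
    END {
        need("ssl", "required")
        need("disable_plaintext_auth", "yes")
        need("service imap-login/inet_listener imap/port", "0")
        need("service imap-login/inet_listener imaps/port", "993")
        need("service imap-login/inet_listener imaps/ssl", "yes")
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: the listener and TLS settings from this page.
PAGE_CONF='disable_plaintext_auth = yes
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl = required'

# Constructed weak variant: cleartext listener back on 143 and TLS made optional.
WEAK_CONF=$(printf '%s\n' "$PAGE_CONF" | sed -e 's/port = 0/port = 143/' -e 's/ssl = required/ssl = yes/')

printf '%s\n' "$PAGE_CONF" | audit_dovecot_conf && echo "page config: OK"
printf '%s\n' "$WEAK_CONF" | audit_dovecot_conf || echo "weak config: rejected"
```

To use it on a real system, feed the configuration file written in the step above to the function on standard input.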

This step appears in my notes but I'm not sure it's necessary. Try skipping this step and return if necessary.

cp /etc/pam.d/dovecot /etc/pam.d/imap

Verify that correct permissions are set on all mailboxes in /var/spool/mail (if you chose to use MBOX):

chmod 600 /var/mail/*

Start Dovecot and Postfix:

systemctl start dovecot.service
systemctl start postfix.service