SSL-IMAP Toaster HOWTO

This guide lists all the information you need to build a stable and secure mail server using free software.

Introduction

Because I had to look all over the place to find this information I thought it best to compile it all in one place and save other newbies from the trouble. A word of warning though: this is not a step-by-step guide, so you will probably have to think a little for yourself in some places and modify some parts to suit your setup. I hope this document is of use to someone.

About my setup

My server is a Debian GNU/Linux Virtual Machine hosted by Bytemark (if you use this link to sign up, a donation will be made to the Debian Project) in the UK, but the software used in this guide should work on all flavours of Unix.

Software used in this HOWTO

Step 1: qmail and friends

Begin by installing the MTA (Mail Transport Agent), qmail, using Dave Sill's excellent guide "Life with qmail" (lwq). Read the instructions completely and follow them to the letter; this will help you become familiar with the software and make troubleshooting easier.

Use maildir for your mail storage.

qmail is an excellent piece of software written by Daniel J. Bernstein. The current version (1.03) has not had a single security hole since its release in 1998.

About my setup

I did not install from source, but used Gerrit Pape's excellent lwq-compatible var-qmail package for Debian instead. I do however now recommend installing from source because that will make later patching easier. (No patches are required for this guide though.)

Step 2: Binc IMAP

Note: This guide assumes that you already have OpenSSL installed or that you can install it by yourself. Most distributions provide their own packages for it, so it should not be very difficult.

After you have qmail running it is time to install the IMAP server. Binc IMAP is a relatively new server designed in the spirit of qmail: secure, fast and efficient. It also has SSL-encryption and Maildir support built-in. It is written by Andreas Aardal Hanssen.

Install the software by following this HOWTO from the "Life With Binc IMAP" site.

Use IMAPdir as your depot.

I followed this HOWTO when creating the SSL-certificates. But instead of copying the cert-file and key-file to the apache-ssl directory you must merge them into a single pem-file for Binc IMAP:

  $ cat key.pem cert.pem > final.pem

  ## bincimap.conf
  SSL {
    pem file = "/etc/ssl/final.pem",
  }

This merged pem-file can also be used in apache-ssl:

  ## httpd.conf
  SSLCertificateFile /etc/apache-ssl/apache.pem

Step 3: smtp-auth with mailfront

Now that we can receive and read our mail we only need a way to send mail as well. Because we do not want to run an open relay, we need SMTP authentication, with SSL-encryption of course.

Begin by installing stunnel; pre-compiled packages should be available for almost any distribution. I used version 3 of stunnel because it can be configured entirely from the command line and thus sits well together with tcpserver in the run-script.

Continue by installing cvm (configure the /etc/passwd authentication service) and mailfront according to these instructions written by Wayne Marshall.

When installing mailfront you will have to deviate a bit from the instructions. Skip the envdir and mailrules and use this run script instead:

#!/bin/sh
# qmail-authsmtpd/run
# daemontools run script for qmail smtp-auth service
#
# ** using bruce guenter's smtpfront-qmail (mailfront module) **
#
# env variables:
#
#   required:
#   CVM_SASL_PLAIN=cvm-local:/tmp/.cvm-unix.local
#
#   recommended:
#   MAILRULES=/var/qmail/control/authsmtp-mailrules
#
#   optional:
#   PATTERNS=/var/qmail/control/authsmtp-patterns
#   PATTERNS_LINEMAX=256
#
# ===
CVM_SASL_PLAIN=cvm-local:/tmp/.cvm-unix.local
export CVM_SASL_PLAIN
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
CONLIMIT=29
PORT=465 # standard ssl-smtp port

exec 2>&1
echo "*** Starting qmail-authsmtpd..."
exec \
  softlimit -m 3000000 -f 10000000 \
  tcpserver -v -PR \
  -U \
  -c ${CONLIMIT} \
  -x /etc/tcp.authsmtp.cdb \
  -u ${QMAILDUID} -g ${NOFILESGID} \
  0 ${PORT} \
  stunnel -f -p /etc/ssl/stunnel.pem \
  -l /usr/local/bin/smtpfront-qmail

### that's all, folks!

Create tcp.authsmtp.cdb with the tcprules program. Then make a copy of the pem-file we made earlier and chmod it read/write for user qmaild only (otherwise stunnel will complain). Check the log-files if it isn't working as it should.
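The Binc IMAP pem-file merge in step 2 and the stunnel copy for qmaild here both come down to the same thing: one file, key first and then certificate, readable by a single user. The script below is an added example and not part of the original HOWTO; the file names key.pem, cert.pem, final.pem and stunnel.pem and the user qmaild are taken from the text, and the demo runs on constructed placeholder files rather than real key material.

```sh
#!/bin/sh
# Added example, not from the original HOWTO. Builds the single PEM file that
# Binc IMAP and stunnel expect (key first, then certificate) and checks it
# before it is handed to the qmaild user. Assumed names: key.pem, cert.pem,
# final.pem, stunnel.pem and the user qmaild, all taken from the HOWTO.

# merge_pem KEY CERT OUT: create OUT as 0600 from the start so the private key
# is never readable by others, not even briefly. '>' rather than '>>' so that
# re-running does not append a second key/cert pair to an existing file.
merge_pem() {
  ( umask 077; cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# check_pem FILE: succeed only if FILE holds exactly one private key, at least
# one certificate, and is readable by its owner alone (what stunnel insists on).
check_pem() {
  f=$1
  [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
  keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$f" || true)
  certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
  mode=$(ls -l "$f" | cut -c1-10)      # portable; stat flags differ per OS
  [ "$keys" -eq 1 ]  || { echo "$f: want 1 private key, found $keys" >&2; return 1; }
  [ "$certs" -ge 1 ] || { echo "$f: no certificate block" >&2; return 1; }
  case $mode in
    -rw-------) return 0 ;;
    *) echo "$f: mode $mode, want -rw-------" >&2; return 1 ;;
  esac
}

# install_for_user SRC DEST USER: the copy stunnel reads, owned by the service
# user. chown needs root, so it is skipped when the script runs unprivileged.
install_for_user() {
  ( umask 077; cp "$1" "$2" ) && chmod 600 "$2" || return 1
  [ "$(id -u)" -eq 0 ] && chown "$3" "$2"
  return 0
}

# Demo on constructed placeholder files (not real key material).
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' '-----END RSA PRIVATE KEY-----' > "$d/key.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$d/cert.pem"
  merge_pem "$d/key.pem" "$d/cert.pem" "$d/final.pem" || return 1
  install_for_user "$d/final.pem" "$d/stunnel.pem" qmaild || return 1
  check_pem "$d/final.pem" && check_pem "$d/stunnel.pem"
}
```

Run `demo` to see the whole sequence on throwaway files; for the real thing call `merge_pem key.pem cert.pem /etc/ssl/final.pem` and `check_pem` as root, then `install_for_user` for the stunnel copy.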


2005-05-25 Copyright Mattias Wikström (email: me at domain)