Postfix, dovecot + tls & SASL

Install Postfix
aptitude install postfix

Configure Postfix (main.cf)
# Handing off local delivery to Dovecot's LMTP
virtual_transport = lmtp:unix:private/dovecot-lmtp

#Enabling SMTP for authenticated users, and handing off authentication to Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

To check what different smtpd_sasl_type plugins your installation of Postfix supports run the following command.
postconf -a

Add mailbox domains -
#Virtual domains, users, and aliases
virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
# virtual_mailbox_maps = /etc/postfix/virtual_mailbox_maps

update virtual domains
nano /etc/postfix/virtual_mailbox_domains
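Add the domains to the file, one per line, each followed by OK (the domain names appear to have been lost from this listing; constructed example: `example.com OK`).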

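Then run postmap on the file. It will create a file named virtual_mailbox_domains.db which is going to be used by Postfix. Note that Postfix only consults the .db file when the parameter names a lookup-table type, e.g. `virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains`; a bare path is read as a plain list of domain names instead.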
postmap /etc/postfix/virtual_mailbox_domains

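Enable SMTPS and MSA - in master.cf
Uncomment this line. On its own it runs the submission port with the same settings as port 25. The `-o` overrides that typically follow it in master.cf (`smtpd_tls_security_level=encrypt`, `smtpd_sasl_auth_enable=yes`, and a client restriction of `permit_sasl_authenticated,reject`) are what force TLS and authentication on that port, so enable those as well.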
submission inet n - - - - smtpd

restart postfix
/etc/init.d/postfix restart

Install Dovecot
# sudo apt-get install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd

Check that this line is present in dovecot.conf
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

Installed protocols should be listed in this way
# ls -l /usr/share/dovecot/protocols.d
total 12
-rw-r--r-- 1 root root 28 Nov 30 15:44 imapd.protocol
-rw-r--r-- 1 root root 28 Nov 30 15:44 lmtpd.protocol
-rw-r--r-- 1 root root 28 Nov 30 15:44 pop3d.protocol

Configure Inbox location - 10-mail.conf
Edit the 10-mail.conf file
#mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_location = maildir:/var/mail/vhosts/%d/%n

create directories for mails
mkdir /var/mail/vhosts/
mkdir /var/mail/vhosts/

Create a system user to read emails
groupadd -g 5000 vmail
useradd -r -g vmail -u 5000 vmail -d /var/mail/vhosts -c "virtual mail user"

Give the vmail user ownership of the mail directory
chown -R vmail:vmail /var/mail/vhosts/

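Enable IMAPS and POP3S services - 10-master.conf
(Leaving `port = 143` / `port = 110` commented out keeps those listeners on their default ports; set `port = 0` on them to turn the non-SSL listeners off.)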
service imap-login {
inet_listener imap {
#port = 143
inet_listener imaps {
port = 993
ssl = yes

service pop3-login {
inet_listener pop3 {
#port = 110
inet_listener pop3s {
port = 995
ssl = yes

Configure lmtp socket - 10-master.conf
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix


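Configure SASL authentication socket - 10-master.conf
Mode 0666 lets every local account connect to the auth socket. Only Postfix needs it, so the tighter form is `mode = 0660` with `user = postfix` and `group = postfix`, as on the lmtp listener above.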
service auth {
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666

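Configure authentication in conf.d/10-auth.conf
(PLAIN and LOGIN send the password itself, so they rely on `disable_plaintext_auth = yes` and on TLS being enforced.)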
disable_plaintext_auth = yes
auth_mechanisms = plain login

Specify authentication files
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

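Edit password file
(`scheme=PLAIN` below is the default scheme for entries that carry no `{SCHEME}` prefix, i.e. such passwords are stored in clear text; prefer a hashed default scheme, or prefix every entry with its hash scheme.)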
nano /etc/dovecot/conf.d/auth-passwdfile.conf.ext
passdb {
driver = passwd-file
args = scheme=PLAIN username_format=%u /etc/dovecot/dovecot-users
userdb {
driver = static
# args = username_format=%u /etc/dovecot/dovecot-users
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
# Default fields that can be overridden by passwd-file
#default_fields = quota_rule=*:storage=1G
# Override fields from passwd-file
#override_fields = home=/home/virtual/%u

Configure user accounts
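Create the file. It holds credentials, so keep it unreadable to ordinary users (for example owner root, group dovecot, mode 0640 - adjust to the account your auth service runs as).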
touch /etc/dovecot/dovecot-users

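Example file (the user names were lost from this listing; the example.com addresses below are constructed placeholders)
# cat dovecot-users
user1@example.com:{plain}abc123
user2@example.com:{MD5-CRYPT}$1$JdyRMcO6$qUwKZT40EVp/oIpVfAEXF1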

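Generate hashed passwords. MD5-CRYPT is a weak, fast hash; `doveadm pw -l` lists the schemes your build supports, and a stronger one such as SHA512-CRYPT or BLF-CRYPT is preferable where available.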
doveadm pw -s MD5-CRYPT
Enter new password:
Retype new password:

Enable SSL in dovecot - 10-ssl.conf
# SSL/TLS support: yes, no, required.
ssl = required

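Also update/create the certificates. The value is missing from the line below; Dovecot expects the file path prefixed with `<`, e.g. `ssl_cert = </path/to/cert.pem`, together with `ssl_key = </path/to/key.pem`, and the key file should be readable by root only.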
ssl_cert =

Setup logrotate
nano /etc/logrotate.d/dovecot
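Add the following there (the `doveadm log reopen` line belongs inside a `postrotate` ... `endscript` section so that Dovecot reopens its logs after rotation)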
/var/log/dovecot*.log {
doveadm log reopen

restart services and test mail

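Test whether authentication works. Note that `testsaslauthd` talks to the Cyrus saslauthd daemon, not to Dovecot's auth service, and `-p` puts the password on the command line (shell history, process list); `doveadm auth test user` checks the Dovecot passdb and prompts for the password.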
testsaslauthd -u user -p password

check dovecot config
dovecot -n

Port 25 - is for the MTA (Mail Transfer Agent). The MTA service allows other MTAs and MSAs to connect and deliver mail.

Port 465/587 - is for MSA (Mail submission agent). MSA service is for MUAs (mail user agents like thunderbird) to connect and deposit emails for delivery.

Things to know
1. Dovecot shall be given a location to store the incoming mails handed over by Postfix.

2. A separate system user account shall be created and given to dovecot so that dovecot can read/write the mail storage directory. In our example the user is called "vmail".

3. Dovecot shall host secure IMAP and POP services to allow email clients to read Inbox.

4. Dovecot shall provide the SASL authentication service to Postfix via a unix socket. The same username/password shall work with both Postfix (SMTP server) and Dovecot (IMAP/POP server)

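5. We shall use the full email address (e.g. user@example.com, a constructed example; the original address was lost from this page) as the username and set an encrypted (hashed) password too.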