Debian Mail Server Configuration: Postfix, Dovecot & Security Guide
Setting up a mail server requires careful configuration of multiple components to ensure reliable email delivery and security. This comprehensive guide covers installing and configuring Postfix, Dovecot, spam filtering, and modern email authentication standards on Debian servers.
Prerequisites and DNS Setup
Required DNS Records
Before setting up your mail server, configure these DNS records. Note that 192.168.1.100 is only a placeholder: a production mail server needs a public, static IP whose forward (A) and reverse (PTR) records agree. RFC 1918 addresses in SPF or PTR records are meaningless to other mail servers, and the PTR record is normally published by your hosting provider, not in your own zone.
# A Records
mail.example.com A 192.168.1.100
# MX Record
example.com MX 10 mail.example.com
# PTR Record (Reverse DNS)
100.1.168.192.in-addr.arpa PTR mail.example.com
# SPF Record
example.com TXT "v=spf1 mx a ip4:192.168.1.100 -all"
# DMARC Record
_dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
# Autoconfig Records (for mail clients)
autoconfig.example.com A 192.168.1.100
autodiscover.example.com A 192.168.1.100
Postfix Installation and Configuration
Installing Postfix
# Update system
sudo apt update
# Install Postfix
sudo apt install postfix postfix-pcre postfix-mysql
# During installation, select:
# - Internet Site
# - System mail name: example.com
Basic Postfix Configuration
sudo nano /etc/postfix/main.cf
Essential configuration (a multi-line value such as the restriction lists below only continues on the next line if that line starts with whitespace; an unindented line is not treated as a continuation, so make sure the indentation survives copy-paste):
# Basic Settings
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all
inet_protocols = all
# Mail directories
home_mailbox = Maildir/
mailbox_size_limit = 0
recipient_delimiter = +
# SMTP Settings
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
# TLS/SSL Configuration
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
# Client TLS
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
# Restrictions
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
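# Recipient Restrictions
# Qualify the DNSBL return codes. Spamhaus answers 127.255.255.x (an error
# code, not a listing) when queries come through a public/open resolver or
# exceed the free-use limit, and an unqualified reject_rbl_client treats ANY
# A record as "listed" - it would silently start rejecting all inbound mail.
# Listings are 127.0.0.2-127.0.0.11; run a local recursive resolver for these
# lookups. Continuation lines must be indented.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    reject_rbl_client bl.spamcop.net=127.0.0.2,
    permit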
# Sender Restrictions
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit
# HELO Restrictions
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
permit
# Data Restrictions
smtpd_data_restrictions =
reject_unauth_pipelining,
permit
# Relay Restrictions
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination
# Message Size Limit (50MB)
message_size_limit = 52428800
# Queue Settings
maximal_queue_lifetime = 5d
bounce_queue_lifetime = 5d
maximal_backoff_time = 4000s
minimal_backoff_time = 300s
queue_run_delay = 300s
# Rate Limiting
smtpd_client_connection_rate_limit = 10
smtpd_client_connection_count_limit = 10
anvil_rate_time_unit = 60s
smtpd_client_message_rate_limit = 10
smtpd_client_recipient_rate_limit = 20
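# Milter Configuration (DKIM signing/verification, then DMARC evaluation).
# Order matters: OpenDMARC (inet:localhost:8893, see opendmarc.conf below)
# relies on the Authentication-Results header that OpenDKIM (8891) adds, so
# OpenDKIM is listed first. Without 8893 here OpenDMARC is installed but
# never consulted.
# milter_default_action = accept delivers mail unsigned/unverified whenever a
# milter is unreachable; use "tempfail" if you would rather defer the mail.
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891, inet:localhost:8893
# Locally submitted mail (sendmail/pickup) only needs DKIM signing; there is
# no remote client to evaluate DMARC against.
non_smtpd_milters = inet:localhost:8891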
Generate DH parameters:
sudo openssl dhparam -out /etc/postfix/dh2048.pem 2048
Master.cf Configuration
sudo nano /etc/postfix/master.cf
Enable submission and smtps ports (each -o line is a continuation of the service line above it and must be indented with whitespace in master.cf):
# SMTP on port 25
smtp inet n - y - - smtpd
# Submission port 587
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
# SMTPS on port 465
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
Dovecot Installation and Configuration
Installing Dovecot
# Install Dovecot
sudo apt install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-mysql
# Enable and start Dovecot
sudo systemctl enable dovecot
sudo systemctl start dovecot
Dovecot Main Configuration
sudo nano /etc/dovecot/dovecot.conf
# Protocols to enable
protocols = imap pop3 lmtp
# Listen on all interfaces
listen = *, ::
# Base directory
base_dir = /var/run/dovecot/
# Greeting message
login_greeting = Mail Server Ready.
Mail Location Configuration
sudo nano /etc/dovecot/conf.d/10-mail.conf
# Mail location
mail_location = maildir:~/Maildir
# Mail user and group
mail_uid = vmail
mail_gid = vmail
# Valid UID range
first_valid_uid = 5000
last_valid_uid = 5000
# Mail plugins
mail_plugins = $mail_plugins quota
Authentication Configuration
sudo nano /etc/dovecot/conf.d/10-auth.conf
# Disable plain text auth unless SSL/TLS is used
disable_plaintext_auth = yes
# Authentication mechanisms
auth_mechanisms = plain login
# Include auth configuration
!include auth-system.conf.ext
!include auth-sql.conf.ext
SSL Configuration
sudo nano /etc/dovecot/conf.d/10-ssl.conf
# Enable SSL
ssl = required
# SSL certificates
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
# SSL protocols and ciphers
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = yes
# DH parameters
ssl_dh = </etc/dovecot/dh.pem
Generate DH parameters for Dovecot:
sudo openssl dhparam -out /etc/dovecot/dh.pem 2048
Master Configuration
sudo nano /etc/dovecot/conf.d/10-master.conf
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
service_count = 1
process_min_avail = 1
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service auth {
unix_listener auth-userdb {
mode = 0660
user = vmail
group = vmail
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
user = dovecot
}
service auth-worker {
user = vmail
}
Virtual Mail Users Setup
Create Virtual Mail User
# Create vmail user and group
sudo groupadd -g 5000 vmail
sudo useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vhosts -m vmail
MySQL Database Setup
# Create database and tables
sudo mysql -u root -p
CREATE DATABASE mailserver;
USE mailserver;
-- Virtual domains table
CREATE TABLE virtual_domains (
id INT NOT NULL AUTO_INCREMENT,
name VARCHAR(50) NOT NULL,
PRIMARY KEY (id)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- Virtual users table
CREATE TABLE virtual_users (
id INT NOT NULL AUTO_INCREMENT,
domain_id INT NOT NULL,
email VARCHAR(100) NOT NULL,
password VARCHAR(106) NOT NULL,
quota INT DEFAULT 0,
active BOOLEAN DEFAULT TRUE,
PRIMARY KEY (id),
UNIQUE KEY email (email),
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- Virtual aliases table
CREATE TABLE virtual_aliases (
id INT NOT NULL AUTO_INCREMENT,
domain_id INT NOT NULL,
source VARCHAR(100) NOT NULL,
destination VARCHAR(100) NOT NULL,
PRIMARY KEY (id),
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- Create mail user
-- Replace 'mailpassword' with a long random secret (e.g. openssl rand -base64 32).
-- The same value goes into /etc/postfix/mysql-*.cf and
-- /etc/dovecot/dovecot-sql.conf.ext below, so keep those files out of reach of
-- other local users. SELECT-only is deliberate: Postfix and Dovecot only read.
CREATE USER 'mailuser'@'localhost' IDENTIFIED BY 'mailpassword';
GRANT SELECT ON mailserver.* TO 'mailuser'@'localhost';
FLUSH PRIVILEGES;
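-- Insert example domain and user
-- Generate the password hash with Dovecot instead of MySQL: ENCRYPT() was
-- removed in MySQL 8.0, and RAND() is a non-cryptographic PRNG being used
-- here as the salt source. Run
--     doveadm pw -s SHA512-CRYPT
-- (it prompts for the password) and store everything AFTER the
-- "{SHA512-CRYPT}" prefix: default_pass_scheme in dovecot-sql.conf.ext already
-- declares the scheme, and the bare $6$<16-char salt>$<hash> string is 106
-- characters - which is why the column is VARCHAR(106); the prefix would not fit.
INSERT INTO virtual_domains (name) VALUES ('example.com');
INSERT INTO virtual_users (domain_id, email, password, quota) VALUES
(1, 'admin@example.com', '$6$REPLACE_WITH_OUTPUT_OF_doveadm_pw', 2048);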
Postfix MySQL Configuration
# Virtual domains
sudo nano /etc/postfix/mysql-virtual-mailbox-domains.cf
user = mailuser
password = mailpassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM virtual_domains WHERE name='%s'
# Virtual mailboxes
sudo nano /etc/postfix/mysql-virtual-mailbox-maps.cf
user = mailuser
password = mailpassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM virtual_users WHERE email='%s'
# Virtual aliases
sudo nano /etc/postfix/mysql-virtual-alias-maps.cf
user = mailuser
password = mailpassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT destination FROM virtual_aliases WHERE source='%s'
Update Postfix configuration:
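# The three mysql-virtual-*.cf files above contain the database password and are
# read by Postfix daemons running as the unprivileged "postfix" user. Files
# created with an editor are typically world-readable, so restrict them first:
sudo chown root:postfix /etc/postfix/mysql-virtual-*.cf
sudo chmod 640 /etc/postfix/mysql-virtual-*.cf
# Wire the lookup tables into Postfix. virtual_uid_maps/virtual_gid_maps pin
# every virtual mailbox to the vmail user/group (uid/gid 5000) created above.
sudo postconf -e "virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf"
sudo postconf -e "virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf"
sudo postconf -e "virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf"
sudo postconf -e "virtual_mailbox_base = /var/mail/vhosts"
sudo postconf -e "virtual_uid_maps = static:5000"
sudo postconf -e "virtual_gid_maps = static:5000"
# Verify the tables resolve before reloading Postfix (each should print a value):
sudo postmap -q example.com mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
sudo postmap -q admin@example.com mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf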
Dovecot MySQL Configuration (this file holds the database password; after saving it run `sudo chmod 600 /etc/dovecot/dovecot-sql.conf.ext` so it is not world-readable)
sudo nano /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=localhost dbname=mailserver user=mailuser password=mailpassword
default_pass_scheme = SHA512-CRYPT
password_query = \
SELECT email as user, password \
FROM virtual_users \
WHERE email='%u' AND active=1
user_query = \
SELECT 5000 AS uid, 5000 AS gid, \
CONCAT('/var/mail/vhosts/', SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1)) AS home, \
CONCAT('*:bytes=', quota*1048576) AS quota_rule \
FROM virtual_users \
WHERE email='%u' AND active=1
Spam Filtering with SpamAssassin and Amavis
Install SpamAssassin and Amavis
# Install packages
sudo apt install spamassassin spamc amavisd-new
# Install additional components
sudo apt install clamav clamav-daemon
sudo apt install libnet-dns-perl libmail-spf-perl pyzor razor
sudo apt install arj bzip2 cabextract cpio file gzip nomarch pax unzip zip
Configure SpamAssassin
sudo nano /etc/spamassassin/local.cf
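# Basic configuration
rewrite_header Subject [SPAM]
report_safe 0
required_score 5.0
use_bayes 1
bayes_auto_learn 1
bayes_path /var/lib/amavis/.spamassassin/bayes
skip_rbl_checks 0
# RBL checks
urirhssub URIBL_BLACK multi.uribl.com A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 3.0
# Whitelist
# Do NOT use "whitelist_from *@example.com": it trusts the From: header alone,
# and forging From: to the recipient's own domain is the first thing phishers
# do, so it would exempt exactly the mail you most want scanned.
# whitelist_auth only applies when the From: domain passed SPF or DKIM
# (which this guide sets up), so spoofed mail still receives the full score.
whitelist_auth *@example.com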
Configure Amavis
sudo nano /etc/amavis/conf.d/50-user
use strict;
$max_servers = 2;
$daemon_user = 'amavis';
$daemon_group = 'amavis';
$mydomain = 'example.com';
$myhostname = 'mail.example.com';
@local_domains_acl = ( ".$mydomain" );
@mynetworks = qw( 127.0.0.0/8 [::1] );
$unix_socketname = "$MYHOME/amavisd.sock";
$inet_socket_port = 10024;
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
originating => 1,
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["spamalert\@$mydomain"],
warnbadhsender => 1,
};
# Spam settings
$sa_tag_level_deflt = -999;
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = 6.9;
$sa_dsn_cutoff_level = 10;
$sa_spam_subject_tag = '[SPAM] ';
# Virus scanning
@av_scanners = (
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/m, qr/\bFOUND$/m,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
1;
Integrate with Postfix
Add to /etc/postfix/main.cf (this sends all mail — inbound on port 25 and authenticated submissions alike — to amavisd on port 10024; the ORIGINATING policy bank defined above on port 10026 is only reached if you additionally set `-o content_filter=amavis:[127.0.0.1]:10026` on the submission and smtps services in master.cf):
# Content filtering
content_filter = amavis:[127.0.0.1]:10024
Add to /etc/postfix/master.cf
:
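# Amavis
# Transport used by content_filter to hand mail to amavisd on port 10024.
amavis unix - - - - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
# Re-injection listener: amavisd returns scanned mail here. Every restriction
# is cleared (the mail already passed them on port 25/587) and only
# 127.0.0.0/8 may connect. The milters configured globally in main.cf via
# smtpd_milters must be switched off here too, otherwise they run a second
# time on the re-injected copy (re-signing or re-verifying it and adding a
# second Authentication-Results header). The "-o" lines are continuation
# lines and must be indented.
127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters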
DKIM, SPF, and DMARC Configuration
Install and Configure OpenDKIM
# Install OpenDKIM
sudo apt install opendkim opendkim-tools
# Configure OpenDKIM
sudo nano /etc/opendkim.conf
# Basic settings
Syslog yes
SyslogSuccess yes
LogWhy yes
Canonicalization relaxed/simple
Mode sv
SubDomains yes
# Key and host settings
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
# Socket
Socket inet:8891@localhost
# Other settings
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp
Generate DKIM Keys
# Create directories
sudo mkdir -p /etc/opendkim/keys/example.com
cd /etc/opendkim/keys/example.com
# Generate key
sudo opendkim-genkey -s mail -d example.com
sudo chown opendkim:opendkim mail.private
# Configure tables
sudo nano /etc/opendkim/KeyTable
Add:
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
sudo nano /etc/opendkim/SigningTable
Add:
*@example.com mail._domainkey.example.com
sudo nano /etc/opendkim/TrustedHosts
Add:
127.0.0.1
localhost
::1
example.com
mail.example.com
Display DKIM record for DNS:
sudo cat /etc/opendkim/keys/example.com/mail.txt
Configure SPF
SPF record in DNS:
example.com TXT "v=spf1 mx a ip4:192.168.1.100 -all"
Install SPF policy daemon:
sudo apt install postfix-policyd-spf-python
# Add to /etc/postfix/master.cf
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
Add to /etc/postfix/main.cf, placing the check_policy_service entry inside smtpd_recipient_restrictions after reject_unauth_destination (so relay attempts are refused before any DNS-heavy SPF evaluation, and the policy daemon is never consulted for mail from mynetworks or authenticated clients):
# SPF
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
...
check_policy_service unix:private/policyd-spf,
...
Configure DMARC
Add DMARC record to DNS:
_dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1; pct=100"
Install OpenDMARC:
sudo apt install opendmarc
# Configure OpenDMARC
sudo nano /etc/opendmarc.conf
# Identity this host writes into, and trusts in, Authentication-Results
# headers. It must match what OpenDKIM uses, or OpenDMARC sees no DKIM result.
AuthservID mail.example.com
PidFile /var/run/opendmarc/opendmarc.pid
# false = evaluate and log DMARC and add the Authentication-Results header, but
# never reject - a sender's p=reject policy is NOT enforced. Switch to true
# once you have watched the logs and are confident in the verdicts.
RejectFailures false
Syslog true
TrustedAuthservIDs mail.example.com
UserID opendmarc:opendmarc
# Postfix only talks to this socket if it is listed in smtpd_milters in
# main.cf, after OpenDKIM's inet:localhost:8891 (OpenDMARC consumes the DKIM
# result that OpenDKIM records).
Socket inet:8893@localhost
# Do not evaluate DMARC for SASL-authenticated (submission) clients.
IgnoreAuthenticatedClients true
RequiredHeaders true
SPFIgnoreResults false
# Perform our own SPF check rather than relying on a prior Received-SPF header.
SPFSelfValidate true
SSL/TLS Certificate Setup
Install Certbot
# Install Certbot
sudo apt install certbot
# Obtain certificate
# --standalone runs its own listener on port 80, so it fails once a web server
# (e.g. the one serving Roundcube below) owns that port; use --webroot or the
# apache/nginx plugin in that case. The certificate covers only
# mail.example.com, which is the name Postfix/Dovecot present and therefore the
# name clients must be configured to connect to.
sudo certbot certonly --standalone -d mail.example.com
# Create renewal hook
sudo nano /etc/letsencrypt/renewal-hooks/deploy/mail-services.sh
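#!/bin/bash
# Certbot deploy hook: certbot runs this as root only after a certificate was
# actually renewed. A reload (not a restart) is enough for both daemons and
# keeps existing connections alive. Fail loudly so a broken reload surfaces in
# certbot's output/log instead of leaving the old certificate in service;
# afterwards verify with:
#   openssl s_client -connect mail.example.com:465 </dev/null | openssl x509 -noout -dates
set -euo pipefail
systemctl reload postfix
systemctl reload dovecot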
Make executable:
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/mail-services.sh
Webmail Installation (Roundcube)
Install Roundcube
# Install dependencies
sudo apt install roundcube roundcube-mysql roundcube-plugins
# Configure database
sudo mysql -u root -p
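CREATE DATABASE roundcube;
-- MySQL 8.0 no longer accepts "GRANT ... IDENTIFIED BY"; create the user first.
-- Replace 'password' with a real random secret here and in config.inc.php.
-- (Debian's roundcube package can also create this database for you via
-- dbconfig-common at install time.)
CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'password';
GRANT ALL ON roundcube.* TO 'roundcube'@'localhost';
FLUSH PRIVILEGES;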
Configure Roundcube
sudo nano /etc/roundcube/config.inc.php
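// Database connection - use the password set when creating the 'roundcube'
// MySQL user, never the placeholder. This file contains that secret; keep it
// readable by root and the web server user only.
$config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';
// IMAP server. Dovecot is configured with ssl = required and
// disable_plaintext_auth = yes, so connect with STARTTLS ("tls://" prefix)
// and use the certificate's hostname rather than bare localhost so that
// certificate verification succeeds. (If the public name does not resolve to
// this host from the inside, add it to /etc/hosts.) Roundcube 1.6 renamed
// these keys to imap_host / smtp_host - check your version's defaults.inc.php.
$config['default_host'] = 'tls://mail.example.com';
$config['default_port'] = 143;
// SMTP server. The submission service enforces smtpd_tls_security_level=encrypt
// and smtpd_tls_auth_only=yes, so AUTH is refused until STARTTLS has been
// issued - a plain 'localhost' here cannot send mail.
$config['smtp_server'] = 'tls://mail.example.com';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
// Security - webmail must only be reachable over HTTPS.
$config['force_https'] = true;
$config['use_https'] = true;
// Plugins
$config['plugins'] = array(
'archive',
'zipdownload',
'managesieve',
'password',
'emoticons',
'markasjunk',
'hide_blockquote'
);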
Monitoring and Maintenance
Mail Server Monitoring Script
sudo nano /usr/local/bin/mailserver-monitor.sh
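#!/bin/bash
# Mail Server Monitoring Script
#
# Writes a timestamped status report (service state, queue, pflogsumm summary,
# mailbox disk usage, recent errors / auth failures / spam count) under
# LOG_DIR and mails it to ADMIN when a service is down or fatal/panic entries
# appear in the report.
#
# Run as root (mailq, /var/log/mail.log and /var/mail/vhosts need it).
# pflogsumm (package "pflogsumm") and a local mail(1) (bsd-mailx/mailutils)
# are not installed by this guide; their absence is recorded in the report
# instead of failing. Reports contain recipient addresses and queue contents,
# so the directory is created 0750 and files 0640.
set -u

LOG_DIR="/var/log/mailserver-monitor"
MAIL_LOG="/var/log/mail.log"
ADMIN="admin@example.com"
DATE=$(date +%Y-%m-%d_%H-%M-%S)
REPORT="$LOG_DIR/report_$DATE.txt"

mkdir -p -m 0750 "$LOG_DIR"
umask 027

# Append one section header to the report.
section() {
  printf '\n=== %s ===\n' "$1" >> "$REPORT"
}

{
  printf 'Mail Server Monitoring Report - %s\n' "$DATE"
  printf '=======================================\n'
} > "$REPORT"

# Service Status
section "Service Status"
services_down=0
for service in postfix dovecot amavis clamav-daemon opendkim opendmarc; do
  if systemctl is-active --quiet "$service"; then
    printf '%s: Running\n' "$service" >> "$REPORT"
  else
    printf '%s: Not Running\n' "$service" >> "$REPORT"
    services_down=$((services_down + 1))
  fi
done

# Mail Queue
section "Mail Queue"
mailq >> "$REPORT" 2>&1

# Postfix Statistics (pflogsumm is a separate package and may be absent)
section "Postfix Statistics"
if command -v pflogsumm >/dev/null 2>&1; then
  pflogsumm -d today "$MAIL_LOG" >> "$REPORT" 2>&1
else
  printf 'pflogsumm not installed (apt install pflogsumm)\n' >> "$REPORT"
fi

# Disk Usage
section "Disk Usage"
du -sh /var/mail/vhosts/* >> "$REPORT" 2>&1

# Recent Errors (grep exits 1 when nothing matches; that is not a failure here)
section "Recent Errors"
grep -E "error|warning|fatal|panic" "$MAIL_LOG" | tail -50 >> "$REPORT" || true

# Authentication Failures
section "Authentication Failures"
grep "authentication failed" "$MAIL_LOG" | tail -20 >> "$REPORT" || true

# Spam Statistics
section "Spam Statistics"
grep -c "Blocked SPAM" "$MAIL_LOG" >> "$REPORT" || true

# Alert only on a real problem: a service down, or fatal/panic lines in the
# report. Matching the word "error" anywhere in the report (as a plain
# "error|fatal|panic" grep does) fires on almost every run of a busy server
# and trains the recipient to ignore the alert.
if (( services_down > 0 )) || grep -q -E "fatal|panic" "$REPORT"; then
  if command -v mail >/dev/null 2>&1; then
    mail -s "Mail Server Alert - $(hostname)" "$ADMIN" < "$REPORT"
  else
    printf 'mail(1) not available; alert not sent\n' >> "$REPORT"
  fi
fi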
Log Rotation Configuration
sudo nano /etc/logrotate.d/mailserver
/var/log/mail.log
/var/log/mail.err
/var/log/mail.warn
{
daily
missingok
rotate 30
compress
delaycompress
notifempty
create 0640 syslog adm
sharedscripts
postrotate
/usr/bin/systemctl reload rsyslog > /dev/null
endscript
}
Security Best Practices
Implement Rate Limiting
Add to /etc/postfix/main.cf
:
# Connection rate limiting
smtpd_client_connection_rate_limit = 10
smtpd_client_connection_count_limit = 10
smtpd_client_message_rate_limit = 10
smtpd_client_recipient_rate_limit = 20
anvil_rate_time_unit = 60s
# Error limits
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 10
smtpd_error_sleep_time = 30s
Implement Greylisting
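# Install postgrey (Debian's package listens on 127.0.0.1:10023 by default)
sudo apt install postgrey
# Do NOT run  postconf -e "smtpd_recipient_restrictions = ... check_policy_service ..."
# with a literal "...": postconf -e REPLACES the whole value, so that command
# would wipe the restriction list from main.cf. Instead edit main.cf and add
# the line below to smtpd_recipient_restrictions immediately after
# reject_unauth_destination (relay attempts are then refused before any policy
# lookup, and greylisting never applies to mynetworks or authenticated clients):
#     check_policy_service inet:127.0.0.1:10023,
# Then confirm the final list still contains every entry and reload:
sudo postconf smtpd_recipient_restrictions
sudo systemctl reload postfix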
Security Audit Script
sudo nano /usr/local/bin/mail-security-audit.sh
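#!/bin/bash
# Mail Security Audit Script
#
# Collects a snapshot of the server's security posture into AUDIT_LOG and
# mails it to ADMIN: Postfix configuration sanity, the effective relay /
# authentication / TLS settings, the published DNS records receivers rely on
# (MX, SPF, DMARC, DKIM selector), certificate validity, and recent rejections.
# Run as root (reads /var/log/mail.log). Needs dig (dnsutils), openssl and a
# local mail(1).
#
# NOTE: "postfix check" only validates configuration syntax, directory
# ownership and permissions - it is NOT an open-relay test. Whether this host
# relays is decided by smtpd_relay_restrictions / smtpd_recipient_restrictions,
# so those are recorded below; the real test is an EHLO / MAIL FROM / RCPT TO
# for a foreign domain from a host OUTSIDE mynetworks, which must be refused
# ("Relay access denied").
set -u

DOMAIN="example.com"
MAIL_HOST="mail.example.com"
DKIM_SELECTOR="mail"
ADMIN="admin@example.com"
MAIL_LOG="/var/log/mail.log"
AUDIT_LOG="/var/log/mail-security-audit.log"

umask 027   # the log quotes config and log lines; keep it from other local users

# Append one section header to the audit log.
section() {
  printf '\n=== %s ===\n' "$1" >> "$AUDIT_LOG"
}

{
  printf 'Mail Security Audit - %s\n' "$(date)"
  printf '===================================\n'
} > "$AUDIT_LOG"

# Configuration sanity (syntax, permissions) - not a relay test, see header.
section "Postfix Configuration Check"
postfix check >> "$AUDIT_LOG" 2>&1

# Relay posture: record the effective restriction lists so any drift is visible.
section "Relay Restrictions"
postconf smtpd_relay_restrictions smtpd_recipient_restrictions mynetworks >> "$AUDIT_LOG" 2>&1

# Authentication and TLS settings
section "Authentication Check"
postconf -n | grep -E "smtpd_sasl|smtpd_tls" >> "$AUDIT_LOG" || true

# DNS records that receiving servers use to authenticate our mail
section "DNS Records Check"
{
  printf 'MX %s:\n' "$DOMAIN";            dig +short "$DOMAIN" MX
  printf 'SPF (TXT) %s:\n' "$DOMAIN";     dig +short "$DOMAIN" TXT
  printf 'DMARC _dmarc.%s:\n' "$DOMAIN";  dig +short "_dmarc.$DOMAIN" TXT
  printf 'DKIM %s._domainkey.%s:\n' "$DKIM_SELECTOR" "$DOMAIN"
  dig +short "${DKIM_SELECTOR}._domainkey.$DOMAIN" TXT
  printf 'A %s:\n' "$MAIL_HOST";          dig +short "$MAIL_HOST" A
} >> "$AUDIT_LOG" 2>&1

# Certificate presented on the SMTPS port (subject and validity dates)
section "SSL Certificate Check"
openssl s_client -connect "$MAIL_HOST:465" -servername "$MAIL_HOST" < /dev/null 2>/dev/null \
  | openssl x509 -noout -subject -dates >> "$AUDIT_LOG" 2>&1

# Recent rejections / blocks
section "Suspicious Activity"
grep -E "reject|blocked|spam|virus" "$MAIL_LOG" | tail -50 >> "$AUDIT_LOG" || true

# Email results
mail -s "Mail Security Audit - $(hostname)" "$ADMIN" < "$AUDIT_LOG"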
Troubleshooting Common Issues
Testing Email Delivery
# Test SMTP connection
telnet localhost 25
HELO test
MAIL FROM: test@example.com
RCPT TO: admin@example.com
DATA
Subject: Test Email
This is a test.
.
QUIT
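# Test authentication
# Port 587 enforces STARTTLS before AUTH (smtpd_tls_security_level=encrypt,
# smtpd_tls_auth_only=yes), so a plain telnet session is refused with
# "530 Must issue a STARTTLS command first"; use openssl s_client instead.
# Build the AUTH PLAIN token (<NUL>user<NUL>password). Prefer a throwaway test
# account: the password ends up in your shell history.
printf '\0%s\0%s' 'username' 'password' | openssl base64 -A
openssl s_client -starttls smtp -crlf -connect localhost:587
EHLO test
AUTH PLAIN [base64_string]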
# Test mail delivery
echo "Test email body" | mail -s "Test Subject" admin@example.com
# Check mail logs
tail -f /var/log/mail.log
Common Error Solutions
- Permission Denied: Check vmail user permissions
- Connection Refused: Verify services are running and ports are open
- Authentication Failed: Check database connections and passwords
- Mail Not Delivered: Check DNS records and spam filters
- SSL Errors: Verify certificate paths and permissions
Conclusion
Setting up a mail server on Debian requires careful configuration of multiple components. This guide provides a solid foundation for a secure, modern mail server with proper authentication, spam filtering, and monitoring.
Key points to remember: - Always implement SPF, DKIM, and DMARC - Use strong SSL/TLS encryption - Regularly monitor logs and queues - Keep software updated - Test your configuration thoroughly - Implement rate limiting and greylisting - Regular security audits are essential
A well-configured mail server can provide reliable email service for years with proper maintenance and monitoring.