How to Configure a System to Manage Multiple Virtual Mailboxes Using Postfix and Dovecot
When managing multiple virtual users under one real-user account, with Postfix as the Mail Transfer Agent (MTA) and Dovecot as the IMAP server, the virtual-user base mail directory has to be set up, and Postfix and Dovecot configured correctly, so that each virtual user can receive and send e-mail. The following steps outline a working configuration that is compatible with SELinux in enforcing mode.
In this example, the system is configured for two virtual users, user1 and user2. The virtual users are handled under the vmail real-user account, which is created with UID and GID set to 5000. The domain is set to example.com.
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Postfix
- Dovecot
- Thunderbird
General Environment Configuration
- Create the real group and user under which virtual users will be handled and then set up the base mail directory structure:
# groupadd -g 5000 vmail
# useradd -u 5000 -g vmail -M vmail
# mkdir -p /var/mail/virtual/example.com
# chown -R vmail:vmail /var/mail/virtual
Postfix Configuration
- Modify the Postfix main.cf configuration file (you can use the postconf command-line tool, as in this example, or edit the configuration file directly) to set the basic virtual mailbox configuration, which includes the domain names, the base directory, the lookup table mappings, and other information, as follows:
# postconf -e virtual_mailbox_domains=example.com
# postconf -e virtual_mailbox_base=/var/spool/mail/virtual
# postconf -e virtual_mailbox_maps=hash:/etc/postfix/virtual_mailbox
# postconf -e virtual_minimum_uid=100
# postconf -e virtual_uid_maps=static:5000
# postconf -e virtual_gid_maps=static:5000
# postconf -e virtual_alias_maps=hash:/etc/postfix/virtual
- Create the virtual lookup table for global mail redirection:
# echo 'postmaster@example.com postmaster' > /etc/postfix/virtual
- Build the database from the /etc/postfix/virtual file:
# postmap hash:/etc/postfix/virtual
- Create the virtual_mailbox lookup table with mail redirection for the user1 and user2 virtual users:
# echo 'user1@example.com example.com/user1' > /etc/postfix/virtual_mailbox
# echo 'user2@example.com example.com/user2' >> /etc/postfix/virtual_mailbox
- Build the database from the /etc/postfix/virtual_mailbox file:
# postmap hash:/etc/postfix/virtual_mailbox
- Modify the Postfix main.cf configuration file to authenticate SMTP using Dovecot's Simple Authentication and Security Layer (SASL), enable support for SMTP clients that use obsolete versions of the AUTH command (for example, Microsoft Outlook Express version 4 and Microsoft Exchange version 5.0), disallow anonymous access, and permit relaying only for SASL-authenticated users:
# postconf -e smtpd_sasl_type=dovecot
# postconf -e smtpd_sasl_path=private/auth
# postconf -e smtpd_sasl_auth_enable=yes
# postconf -e broken_sasl_auth_clients=yes
# postconf -e smtpd_sasl_security_options=noanonymous
# postconf -e smtpd_recipient_restrictions="permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unauth_destination"
- Additionally, it is recommended to modify the Postfix main.cf configuration file to allow Postfix to use Transport Layer Security (TLS) for higher security, and to allow SASL authentication only over the TLS-encrypted link so that passwords are never sent in the clear. First, you need to obtain a certificate and private key for TLS to work; then you can set up TLS as follows:
# postconf -e smtpd_tls_security_level=may
# postconf -e smtpd_tls_key_file=/etc/pki/tls/private/mail.example.com.key
# postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/mail.example.com.crt
# postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt
# postconf -e smtpd_tls_auth_only=yes
- Finally, restart Postfix with the new configuration:
On RHEL5 and 6:
# service postfix reload
On RHEL7:
# systemctl restart postfix
- Also, note that Dovecot has to be configured accordingly in order to have IMAP working for virtual users.
General Environment Configuration
- Create a home directory for storing user-specific configuration and other state of the virtual users, and then set the ownership of the directory to the real user and group:
# mkdir /home/virtual
# chown vmail:vmail /home/virtual
Dovecot Configuration
- Modify the /etc/dovecot.conf (or /etc/dovecot/dovecot.conf) configuration file to set the mailbox location, the authentication domain, and the default authentication domain:
mail_location = mbox:~/mail:INBOX=/var/mail/virtual/%d/%n
auth_realms = "example.com"
auth_default_realm = "example.com"
- Modify the auth default { ... } section (for RHEL5) in the /etc/dovecot.conf (or /etc/dovecot/dovecot.conf) file to the following:
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = /etc/dovecot.passdb
  }
  userdb static {
    args = uid=vmail gid=vmail home=/home/virtual/%d/%n
  }
  user = root
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
- Modify the auth default { ... } section (for RHEL6 and RHEL7) in the /etc/dovecot/dovecot.conf file to the following:
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = scheme=SHA1 /etc/dovecot/passwd
  }
  userdb static {
    args = uid=vmail gid=vmail home=/home/virtual/%d/%n
  }
  user = root
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
- Create a user database (RHEL5):
# touch /etc/dovecot.passdb
# chmod 0600 /etc/dovecot.passdb
- Create a user database (RHEL6 and RHEL7):
# touch /etc/dovecot/passwd
# chmod 0600 /etc/dovecot/passwd
- Add the virtual users user1 and user2 to the database (RHEL5):
# USR=user1@example.com; echo "${USR}:$(dovecotpw -u $USR )" >>/etc/dovecot.passdb
# USR=user2@example.com; echo "${USR}:$(dovecotpw -u $USR )" >>/etc/dovecot.passdb
- Add the virtual user user1 to the database (RHEL6 and RHEL7). Generate the password hash (the command prompts for the password; cut strips the {SHA1} scheme prefix, which is already given by scheme=SHA1 in the passdb args):
# doveadm pw -s sha1 | cut -d '}' -f2
Then add the user and the resulting password hash to `/etc/dovecot/passwd`, e.g.:
# cat /etc/dovecot/passwd
user1@example.com:"DOzcsKI8HY0bg8LAuz0DPKwS3WA="
- For every further user's password, run the same `doveadm` command again.
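Postfix delivers to the path listed in /etc/postfix/virtual_mailbox, while Dovecot reads /var/mail/virtual/%d/%n and authenticates against the passwd-file, so the two files must agree on every virtual user. The following check is an added example, not part of this article or of Postfix/Dovecot; the function name `check_virtual_users` is hypothetical and it only assumes the two file formats shown above.

```bash
#!/bin/bash
# Added consistency check (hypothetical helper, not from the article): verifies that
# the Postfix virtual_mailbox map and the Dovecot passwd-file list the same virtual
# users, that every mailbox path has the "domain/user" form the article's
# mail_location (INBOX=/var/mail/virtual/%d/%n) reads, and that the passwd-file is
# mode 0600. Prints one line per problem and returns 0 only when everything agrees.
# Usage: check_virtual_users /etc/postfix/virtual_mailbox /etc/dovecot/passwd
check_virtual_users() {
    local vmap="$1" pwfile="$2" rc=0 addr path rest expected

    # The passwd-file holds password hashes: group/world bits must all be off.
    if [ "$(ls -l "$pwfile" | cut -c5-10)" != "------" ]; then
        echo "PERMS      $pwfile is not mode 0600"; rc=1
    fi

    # Postfix map lines: "user@domain  domain/user"; blank lines and comments skipped.
    while read -r addr path; do
        case "$addr" in ''|'#'*) continue ;; esac
        expected="${addr#*@}/${addr%@*}"          # e.g. example.com/user1
        if [ "$path" != "$expected" ]; then       # also rejects absolute and ../ paths
            echo "PATH       $addr -> '$path' (Dovecot will read '$expected')"; rc=1
        fi
        # Dovecot passwd-file lines: "user@domain:hash[:extra fields]"; exact key match.
        if ! awk -F: -v a="$addr" '$1 == a { f = 1 } END { exit !f }' "$pwfile"; then
            echo "NO PASSWD  $addr has a mailbox but no IMAP/SASL credentials"; rc=1
        fi
    done < "$vmap"

    # Reverse direction: credentials for an address Postfix will never deliver to.
    while IFS=: read -r addr rest; do
        case "$addr" in ''|'#'*) continue ;; esac
        if ! awk -v a="$addr" '$1 == a { f = 1 } END { exit !f }' "$vmap"; then
            echo "NO MAILBOX $addr can log in but has no Postfix mailbox"; rc=1
        fi
    done < "$pwfile"
    return "$rc"
}
```

The password field itself is not inspected, so the check works whether the hash is stored with or without the {SHA1} prefix.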
- Open /etc/dovecot/conf.d/10-auth.conf and change the following options:
disable_plaintext_auth = no
auth_mechanisms = plain
- Open /etc/dovecot/conf.d/10-ssl.conf and change the following option:
ssl = no
- Restart the dovecot daemon:
On RHEL5 and 6:
# service dovecot restart
On RHEL7:
# systemctl restart dovecot
Testing
- Run the telnet command on localhost:
telnet localhost 143
...
a login <username> <password>
a OK .........
- Test telnet from another system (e.g. the one on which Thunderbird will be configured):
telnet <system-ip> 143
...
a login <username> <password>
a OK .........
- If the above tests succeed, the mail client can be installed.
- Send mail to a user from the command line and check whether mail flow is working for this user:
# echo mail | mail -s test <user>@<domain.com>
e.g.
# echo mail | mail -s test abc@domain.com
- After successful mail delivery, install the Thunderbird client (without SSL) and configure it for the user.
- Send and receive mail from Thunderbird.