Master-master simple email server with Dovecot

The purpose of this article is to explain how to set up a high-availability email server with Dovecot.
We will use plain-text files as the user backend. This can easily be extended to LDAP or SQL, but that setup is not covered here.

Install required packages

On both servers we'll install Dovecot as well as the POP3 and IMAP backends.

Dovecot's replication feature (built on dsync) needs Dovecot 2.2 or later; Debian Jessie's version is fine.

Setup file-based users database

Edit /etc/dovecot/conf.d/auth-passwdfile.conf.ext and set both userdb and passdb like this:

I will use the PLAIN scheme (cleartext passwords) here because I want to be able to read the users straight from the configuration file. Keep in mind that anyone who can read that file then has every password; Dovecot also accepts hashed schemes such as SHA512-CRYPT (generate them with doveadm pw), see the Dovecot documentation.

The file /etc/dovecot/users will contain the user accounts, and all mail will be delivered under paths like /srv/vmail/user@domain.com.
Dovecot is set up to always use the vmail user and the mail group, which avoids uid/gid madness with per-user system accounts.

I first tried a multi-domain setup with “username_format=%n /etc/dovecot/%d/users” and “default_fields = uid=vmail gid=mail home=/srv/vmail/%d/%n”, but the replication plugin needs to iterate over all users and the passwd-file driver cannot do that with a %variable in the path (Error: passwd-file: User iteration isn’t currently supported with %variable paths), so I settled on a single authentication file using the full email address as login (%u instead of %n).

We need to create the system user for dovecot:

Now enable this backend in /etc/dovecot/conf.d/10-auth.conf by commenting out the auth-system.conf.ext include and un-commenting the auth-passwdfile.conf.ext one.

Configure Postfix to use Dovecot as delivery agent

In /etc/postfix/master.cf add the following section:

Then run the following commands to configure Postfix accordingly (postconf -e edits main.cf in place):

Make sure your /etc/hosts and /etc/hostname are configured correctly! The following commands should return the short, fully qualified and domain names respectively:

Now we'll enable the Dovecot LDA transport and our mail domain:
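The Postfix side of this section as an added example (my own, not the article's master.cf): the pipe transport that hands mail to Dovecot's LDA, an idempotent installer, a check, and the postconf settings. The transport name "dovecot", the /usr/lib/dovecot/deliver path and the vmail:mail identity are assumptions consistent with the article.

```shell
#!/bin/sh
# Added example (not the article's master.cf): hand local mail to Dovecot's
# LDA through a Postfix pipe transport. Transport name, deliver path and
# the vmail:mail identity are assumptions.
set -eu

DELIVER=${DELIVER:-/usr/lib/dovecot/deliver}

# master.cf stanza. flags=DRhu: D prepends Delivered-To, R prepends
# Return-Path, h lowercases the domain part and u the user part of the
# recipient. Running as vmail:mail keeps Maildirs owned by Dovecot's ids.
dovecot_transport_stanza() {
  cat <<EOF
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:mail argv=$DELIVER -f \${sender} -d \${recipient}
EOF
}

# Check: a "dovecot" pipe transport that actually invokes deliver.
postfix_has_dovecot_transport() {
  grep -Eq '^dovecot[[:space:]]+unix[[:space:]].*pipe[[:space:]]*$' "$1" &&
  grep -Eq 'argv=[^[:space:]]*deliver' "$1"
}

# Append the stanza once; re-running must not duplicate it.
add_dovecot_transport() {
  master_cf=$1
  if ! postfix_has_dovecot_transport "$master_cf"; then
    dovecot_transport_stanza >> "$master_cf"
  fi
}

# Route all local mailboxes through that transport and accept the domain.
# postconf -e rewrites main.cf in place (needs Postfix installed).
apply_postfix_settings() {
  domain=$1
  postconf -e "mailbox_transport = dovecot" \
             "mydestination = $domain, localhost" \
             "dovecot_destination_recipient_limit = 1"
}
```

dovecot_destination_recipient_limit = 1 makes Postfix call deliver once per recipient, which the -d ${recipient} argument requires.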

Additional Dovecot config

In /etc/dovecot/conf.d/10-mail.conf set

It will deliver emails in Maildir format like this: /srv/vmail/user@domain.com/Maildir

In /etc/dovecot/conf.d/10-auth.conf we'll allow plaintext logins because we don't care about SSL here. By default disable_plaintext_auth = yes rejects non-TLS plaintext authentication from anywhere but localhost; turning it off sends passwords in the clear, so only do this on a network you trust:

Create first user and try it

Create /etc/dovecot/users with the following content:

And secure the file permissions:

Finally restart dovecot, postfix and send a test email:

You should see something like this in the logs:

The key part here is dovecot: lda(test@domain.com): msgid=: saved mail to INBOX.

We can now check what happened on the filesystem:

Now we can test the IMAP login with the following telnet transcript:

You should see the message body containing “test”. If so, we now have a fully working email server.
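The same check as an added example, driven with nc instead of typing into telnet (this is my script, not the article's transcript; host, login and password are placeholders). The client commands carry tags so each reply can be matched, and the constructed server responses in the comment show what a successful run looks like.

```shell
#!/bin/sh
# Added example: minimal IMAP exchange proving login and delivery worked.
# Constructed reply for a good run (what the checks below look for):
#   * OK [CAPABILITY IMAP4rev1 ...] Dovecot ready.
#   a1 OK [CAPABILITY ...] Logged in
#   * 1 EXISTS
#   a2 OK [READ-WRITE] Select completed.
#   * 1 FETCH (BODY[TEXT] {6}
#   test
#   )
#   a3 OK Fetch completed.
#   * BYE Logging out
#   a4 OK Logout completed.
set -eu

# Client side of the exchange. LOGIN sends the password in the clear, which
# is only acceptable because 10-auth.conf allowed it on a trusted LAN.
imap_commands() {
  user=$1; pass=$2
  printf 'a1 LOGIN "%s" "%s"\r\n' "$user" "$pass"
  printf 'a2 SELECT INBOX\r\n'
  printf 'a3 FETCH 1 BODY[TEXT]\r\n'
  printf 'a4 LOGOUT\r\n'
}

# Pure check on a captured reply: every tagged command up to the FETCH got
# an OK and the fetched body contains the marker.
imap_reply_ok() {
  reply=$1; marker=$2
  for tag in a1 a2 a3; do
    printf '%s\n' "$reply" | grep -q "^$tag OK" || return 1
  done
  printf '%s\n' "$reply" | grep -q "$marker"
}

# Run against a server (port 143); the sleep keeps the socket open long
# enough to collect the replies.
imap_smoke_test() {
  host=$1; user=$2; pass=$3; marker=${4:-test}
  reply=$( { imap_commands "$user" "$pass"; sleep 2; } | nc -w 5 "$host" 143)
  imap_reply_ok "$reply" "$marker"
}
```

Usage: imap_smoke_test 1.2.3.4 test@domain.com secret && echo "IMAP OK".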

Enable doveadm service and replication plugin

Create a new file /etc/dovecot/local.conf with the following content:

Then we’ll configure the peer address for replication plugin in /etc/dovecot/conf.d/90-plugin.conf:

Now we will globally enable the replication plugin as well as the notify one (required), in /etc/dovecot/conf.d/10-mail.conf:
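An added example (mine, not the article's local.conf) that writes the three pieces above into one file for a node: the doveadm listener, the aggregator/replicator services, and the notify/replication plugins with the peer address. Port 12345, the vmail user and the peer 5.6.7.8 are assumptions. Note that doveadm_password is the only authentication on that port and the replicated mail travels in the clear, so restrict the port to the peer with a firewall.

```shell
#!/bin/sh
# Added example: generate Dovecot master/master replication config for one
# node. Listener port, vmail user and peer address are assumptions.
set -eu

# $1 peer address (the OTHER server), $2 shared doveadm password,
# $3 doveadm port (default 12345). Prints the configuration.
replication_conf() {
  peer=$1; secret=$2; port=${3:-12345}
  cat <<EOF
# doveadm service: what the peer's replicator connects to
service doveadm {
  inet_listener {
    port = $port
  }
}
doveadm_port = $port
doveadm_password = $secret

# aggregator/replicator: collect change notifications and dsync them
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
    user = vmail
  }
}

# plugins: notify feeds the aggregator, replication does the dsync
mail_plugins = \$mail_plugins notify replication
plugin {
  mail_replica = tcp:$peer:$port
}
EOF
}

# Install into the Dovecot config dir, mode 640 because the file holds the
# shared secret for the replication port.
install_replication_conf() {
  confdir=$1; shift
  replication_conf "$@" > "$confdir/local.conf"
  chmod 640 "$confdir/local.conf"
}

# Which peer a config file points at (used to verify the other node's copy).
replication_peer_of() {
  sed -n 's/^[[:space:]]*mail_replica = tcp:\([^:]*\):.*/\1/p' "$1"
}
```

On the primary (1.2.3.4): install_replication_conf /etc/dovecot 5.6.7.8 "$SECRET"; on the secondary the peer is 1.2.3.4 and the secret is the same.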

And that’s it… Yes, really, we’re done here !

Replicate config to secondary server

Here is my synchronisation script

Basically it syncs the whole Postfix and Dovecot configuration to the other node, replaces the hostname with the secondary server's in the Postfix configuration and flips the address in Dovecot's mail_replica setting so each server points at the other.
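An added example standing in for that script (my own version, not the author's): the rewrite is done on a staging copy and verified before anything is pushed, so a bad sed never leaves the secondary replicating to itself. Hostnames, addresses and the use of rsync over ssh as root are assumptions.

```shell
#!/bin/sh
# Added example: copy Postfix/Dovecot config to the secondary, rewriting
# the two per-node settings (myhostname, mail_replica). Placeholders only.
set -eu

# Rewrite a config copy for the secondary node.
#   $1 copy root (contains etc/postfix and etc/dovecot)
#   $2 primary hostname, $3 secondary hostname
#   $4 primary address,  $5 secondary address
rewrite_for_secondary() {
  root=$1; primary_host=$2; secondary_host=$3; primary_ip=$4; secondary_ip=$5
  # Postfix: only myhostname differs.
  f="$root/etc/postfix/main.cf"
  sed "s/^myhostname = $primary_host\$/myhostname = $secondary_host/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  # Dovecot: the secondary must replicate back to the primary.
  for f in "$root/etc/dovecot/local.conf" "$root/etc/dovecot/conf.d/90-plugin.conf"; do
    [ -f "$f" ] || continue
    sed "s/mail_replica = tcp:$secondary_ip:/mail_replica = tcp:$primary_ip:/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Which peer a config file points at.
peer_in() {
  sed -n 's/^[[:space:]]*mail_replica = tcp:\([^:]*\):.*/\1/p' "$1"
}

# Full run (needs rsync and ssh): stage, rewrite, verify, push, reload.
sync_to_secondary() {
  primary_host=$1; secondary_host=$2; primary_ip=$3; secondary_ip=$4
  stage=$(mktemp -d)
  mkdir -p "$stage/etc"
  cp -a /etc/postfix /etc/dovecot "$stage/etc/"
  rewrite_for_secondary "$stage" "$primary_host" "$secondary_host" "$primary_ip" "$secondary_ip"
  for f in "$stage/etc/dovecot/local.conf" "$stage/etc/dovecot/conf.d/90-plugin.conf"; do
    [ -f "$f" ] || continue
    [ "$(peer_in "$f")" = "$primary_ip" ] || { echo "mail_replica not rewritten in $f" >&2; return 1; }
  done
  rsync -a --delete "$stage/etc/postfix/" "root@$secondary_host:/etc/postfix/"
  rsync -a --delete "$stage/etc/dovecot/" "root@$secondary_host:/etc/dovecot/"
  ssh "root@$secondary_host" 'systemctl reload postfix && doveadm reload'
  rm -rf "$stage"
}
```

Usage from the primary: sync_to_secondary mx1.domain.com mx2.domain.com 1.2.3.4 5.6.7.8.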

You can now run echo test | mail -s test test@domain.com on both servers and check that both filesystems receive all the emails 🙂

Of course, you can now connect two Thunderbird instances, one against 1.2.3.4 and one against 5.6.7.8, then create folders, move emails and toggle read flags. Both will show the change with very little delay.

Thanks for reading, I hope this helps.

Stop backscattering when using Postfix as an Exchange frontend

Hey,

Not much to say here because everything is already explained in the GitHub README file.

In a few words, I wrote a script that extracts all Exchange email addresses from Active Directory over LDAP and exports them as a Postfix map. The idea is to reject invalid recipients at SMTP time instead of accepting the whole domain. Otherwise Postfix accepts mail for addresses that do not exist, Exchange refuses them afterwards, and your infrastructure sends non-delivery notifications back to forged sender addresses (backscatter).
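The Postfix side of that idea as an added example (mine, not the repository's script): it assumes the Exchange addresses have already been exported one per line, normalises and validates them, and builds a relay_recipient_maps table so Postfix answers "User unknown in relay recipient table" at RCPT TO instead of bouncing later. File names and the relay domain are placeholders.

```shell
#!/bin/sh
# Added example: turn an exported address list into a Postfix
# relay_recipient_maps table. Paths and domain are placeholders.
set -eu

# Normalise the export: drop CRs, lowercase, trim, keep only lines that are
# a single address, dedupe. stdin: raw list, stdout: "address OK" lines.
build_relay_recipient_map() {
  tr -d '\r' | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
  grep -E '^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$' |
  sort -u | sed 's/$/ OK/'
}

# Is a recipient in the generated table? (The question Postfix asks at RCPT TO.)
recipient_known() {
  grep -q "^$(printf '%s' "$2" | tr 'A-Z' 'a-z') OK$" "$1"
}

# Build the hash table and point Postfix at it (needs Postfix installed).
install_relay_recipient_map() {
  export_file=$1; domain=$2
  build_relay_recipient_map < "$export_file" > /etc/postfix/relay_recipients
  postmap hash:/etc/postfix/relay_recipients
  postconf -e "relay_domains = $domain" \
             "relay_recipient_maps = hash:/etc/postfix/relay_recipients"
  postfix reload
}
```

Run install_relay_recipient_map from cron right after the export so new mailboxes do not get rejected for long; with an empty table every recipient for the domain is refused, so check the export is non-empty before installing it.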

Everything is available there:
https://github.com/eLvErDe/exchange-active-directory-to-postfix-map