Brian Sheppard asked:

How do I setup Sendmail and Dovecot on RHEL 8


David Favor

1) Sendmail... Ouch...

2) First, I'd start with Ubuntu, as RedHat/CentOS/Fedora all run Kernel-4.X + Debian/Ubuntu/Spins run Kernel-5.X so Ubuntu provides an additional several years worth of Kernel updates.

3) Also, start with an LXD container, so all your mail plumbing is containerized, rather than polluting your machine.

Mail setup is... complex enough... Better to have your entire mail setup encapsulated, so you can move/clone your entire setup anytime you like.

4) What you're asking can take many steps... sometimes 100+ steps, depending on how you count steps.

Starting search - postfix dovecot rspamd Ubuntu - or switch out the search term of Ubuntu for "RHEL 8" or "CentOS 8".

https://gist.github.com/ibqn/22b9c1726dae656f295a9060fb758d15

This guide provides some base level config info, like setting up Opportunistic TLS for incoming connections.

5) For the minimal steps (there are many additional steps) for having any level of delivery...

https://www.experts-exchange.com/questions/29194498/how-to-configure-smtp-in-wamp-server.html provides a good checklist.

6) For high delivery + inboxing, you'll set your DMARC policy to...

p=reject; sp=reject



7) If you're new to setting up MTAs, better to use Postfix or OpenSMTP to route all outgoing mail through a Mail Relay service, like https://smtp2go.com or similar.

Said differently, mail setup is far more complex than most people realize.

Start with a Mail Relay service, then as required, add in using native MTA sending on a per user basis, till your MTA setup is delivering 100% inboxing.

Only at this point, retire your Mail Relay, switching over to using your native MTA for all users/hosts/domains.
Brian Sheppard (ASKER)

I am setting up the server on Sunday night. I would like to keep the ticket open, please! I will post on Monday night! 
Brian 
I edited all the files and tried to start postfix?? It was done right up to the section:
Execute
sudo newaliases


to create the alias database file /etc/aliases.db. This file is expected by Postfix by default.


I was having an issue when I tried to start Postfix. I have included the error output:

[root@dispatcher10 sql]# vim /etc/postfix/main.cf
[root@dispatcher10 sql]# systemctl start postfix
Job for postfix.service failed because the control process exited with error code.
See "systemctl status postfix.service" and "journalctl -xe" for details.

[root@dispatcher10 sql]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/postfix.service.d
           └─restart.conf
   Active: activating (auto-restart) (Result: exit-code) since Thu 2021-06-17 01:13:31 ADT; 3s ago
  Process: 486107 ExecStart=/usr/sbin/postfix start (code=exited, status=1/FAILURE)
  Process: 486105 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 486102 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
[root@dispatcher10 sql]# journalctl -xe
-- Support: https://access.redhat.com/support
--
-- Unit postfix.service has finished shutting down.
Jun 17 01:15:16 dispatcher10.thesheppards.name systemd[1]: Starting Postfix Mail Transport Agent...
-- Subject: Unit postfix.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit postfix.service has begun starting up.
Jun 17 01:15:16 dispatcher10.thesheppards.name postfix[486283]: fatal: parameter inet_interfaces: no local interface found for 216.118.150.90
Jun 17 01:15:17 dispatcher10.thesheppards.name systemd[1]: postfix.service: Control process exited, code=exited status=1
Jun 17 01:15:17 dispatcher10.thesheppards.name systemd[1]: postfix.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit postfix.service has entered the 'failed' state with result 'exit-code'.
Jun 17 01:15:17 dispatcher10.thesheppards.name systemd[1]: Failed to start Postfix Mail Transport Agent.
-- Subject: Unit postfix.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit postfix.service has failed.
--
-- The result is failed.
lines 3901-3925/3925 (END)


[root@dispatcher10 postfix]# cat main.cf
##
## Network settings
##

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = 127.0.0.1, ::1, 216.118.150.90
myhostname = mail.thesheppards.name



# mynetworks = 127.0.0.0/8
# inet_interfaces = 127.0.0.1, 216.118.150.90
# myhostname = mail.thesheppards.name

# My test entry see errors
# inet_protocols = all


##
## Mail queue settings
##

maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m


##
## TLS settings
##

tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

### Outbound SMTP connections (Postfix as sender)

smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt


### Inbound SMTP connections

smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.thesheppards.name/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.thesheppards.name/privkey.pem


##
## Local mail delivery to Dovecot via LMTP
##

virtual_transport = lmtp:unix:private/dovecot-lmtp


##
## Spam filter and DKIM signatures via Rspamd
##

smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept

##
## Server Restrictions for clients, recipients and relaying
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
##

### Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =      reject_non_fqdn_recipient
                                reject_unknown_recipient_domain
                                permit_mynetworks
                                reject_unauth_destination


### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
### check_recipient_access checks if an account is "sendonly"
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf


### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =     permit_mynetworks
                                check_client_access hash:/etc/postfix/without_ptr
                                reject_unknown_client_hostname


### Foreign mail servers must present a valid "HELO"
smtpd_helo_required = yes
smtpd_helo_restrictions =   permit_mynetworks
                            reject_invalid_helo_hostname
                            reject_non_fqdn_helo_hostname
                            reject_unknown_helo_hostname

# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining


##
## Restrictions for MUAs (Mail user agents)
##

mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject


##
## Postscreen Filter
##

### Postscreen Whitelist / Blocklist
postscreen_access_list =        permit_mynetworks
                                cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop


# Drop connections if other server is sending too quickly
postscreen_greet_action = drop


### DNS blocklists
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =    ix.dnsbl.manitu.net*2
                            zen.spamhaus.org*2
postscreen_dnsbl_action = drop


##
## MySQL queries
##

virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps


##
## Miscellaneous
##

### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0

### Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800

### Do not notify system users on new e-mail
biff = no

### Users always have to provide full e-mail addresses
append_dot_mydomain = no

### Delimiter for "Address Tagging"
recipient_delimiter = +
[root@dispatcher10 postfix]#
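
The fatal error in the post above (`no local interface found for 216.118.150.90`) can be checked for before Postfix is restarted. The following is an added example, not part of the original post or of Postfix: it reads `inet_interfaces` the way Postfix parses `main.cf` and compares each literal address with `ip -o addr show` output. The interface listing is constructed and the function names are hypothetical.

```python
import ipaddress
import re

# The inet_interfaces lines are the ones from the post. The `ip -o addr show`
# output is CONSTRUCTED for a host whose NIC carries only a private address
# (192.0.2.10 is a documentation address).
MAIN_CF = """\
# inet_interfaces = 127.0.0.1, 216.118.150.90
inet_interfaces = 127.0.0.1, ::1, 216.118.150.90
myhostname = mail.thesheppards.name
"""
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
"""


def read_parameter(main_cf_text, name):
    """Return the last value assigned to `name`, following main.cf syntax:
    '#' lines are comments, indented lines continue the previous line."""
    logical = []
    for line in main_cf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    value = None
    for entry in logical:
        key, sep, val = entry.partition("=")
        if sep and key.strip() == name:
            value = val.strip()  # a later assignment overrides an earlier one
    return value


def local_addresses(ip_addr_output):
    """Collect every address that `ip -o addr show` reports as configured."""
    pattern = r"\binet6?\s+([0-9a-fA-F:.]+)(?:/\d+)?"
    return {ipaddress.ip_address(m.group(1))
            for m in re.finditer(pattern, ip_addr_output)}


def unbound_interfaces(main_cf_text, ip_addr_output):
    """List inet_interfaces addresses that no local interface carries."""
    value = read_parameter(main_cf_text, "inet_interfaces") or ""
    local = local_addresses(ip_addr_output)
    missing = []
    for token in re.split(r"[,\s]+", value):
        token = token.strip("[]")
        if token in ("", "all", "loopback-only"):
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # a hostname: needs resolving, not checked here
        if addr not in local:
            missing.append(token)
    return missing


if __name__ == "__main__":
    for addr in unbound_interfaces(MAIN_CF, IP_ADDR_OUTPUT):
        print(f"inet_interfaces lists {addr}, which is on no local interface")
```

On a live host, pass the contents of `/etc/postfix/main.cf` and the real output of `ip -o addr show` instead of the embedded samples.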


With Postfix, best to do everything in stages... till you have your entire config in place...

For example, attempting to use DANE + DNSSEC is complex + relies on your DNS infrastructure being correct.

The way I approach complex Postfix setups.

1) Save your existing config.

2) Revert to original packaging config.

3) Make minimal changes to original packaging config to implement 1x set of logic.

4) First logic set to install is usually...

a) ACL incoming messages - domains for which mail is accepted.

b) ACL outgoing messages - domains for which mail is allowed to be sent.

5) Once you have #4 working, then move onto other parts of your config.

6) Be sure you're starting with Postfix-3.6.1, which is latest stable version as of today.

One of the most common problems with Postfix + Rspamd (DKIM Signing) is starting with an old version, containing bugs that have already been fixed, then wrestling with these bugs, which will eat up massive amounts of time... leading to the solution... install latest stable version...
Thanks I'll do this and try on the weekend.
Brian
Yep.

Another suggestion, get Postfix working with your complete config, except Rspamd plumbing.

Only then add in Rspamd, as trying to debug other config problems along with Rspamd is a nightmare.
Hi David,
I decided to use this resource: https://www.linuxbabe.com/redhat/install-dovecot-centos-enable-tls-encryption.
I will be working on it over the next several weeks in the evenings. I will update you with respect to this project. I am glad for your input! And thanks for your help! I'll be working on it in the evening. Thanks again, I will check with you for any input you can give!
Brian
1) Likely you'll have a much easier time getting Postfix to work, rather than Sendmail.

2) The above guide fails to implement DKIM, so if mail delivery is important be sure you go through other tutorials on the same site or use the Rspamd docs to implement DKIM signing.

3) Using Rspamd for DKIM signing... is generally easier to get working + works better than other DKIM signing approaches.
Thanks for your input I’ll be setting this up in the next few days.
Brian 
You're welcome!

Good luck!
I’ll contact you Sunday night 
[root@dispatcher10 ~]# systemctl start dovecot
[root@dispatcher10 ~]# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2021-06-27 22:01:48 ADT; 3s ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
  Process: 3069 ExecStart=/usr/sbin/dovecot -F (code=exited, status=89)
  Process: 3062 ExecStartPre=/usr/libexec/dovecot/prestartscript (code=exited, status=0/SUCCESS)
 Main PID: 3069 (code=exited, status=89)

Jun 27 22:01:48 dispatcher10.thesheppards.name systemd[1]: Starting Dovecot IMAP/POP3 email server...
Jun 27 22:01:48 dispatcher10.thesheppards.name systemd[1]: Started Dovecot IMAP/POP3 email server.
Jun 27 22:01:48 dispatcher10.thesheppards.name dovecot[3069]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 1>
Jun 27 22:01:48 dispatcher10.thesheppards.name systemd[1]: dovecot.service: Main process exited, code=exited, status=89/n/a
Jun 27 22:01:48 dispatcher10.thesheppards.name systemd[1]: dovecot.service: Failed with result 'exit-code'.
lines 1-14/14 (END)

Where can I go to track errors like this?? I am still trying to troubleshoot this web site setup??
https://www.linuxbabe.com/redhat/install-dovecot-centos-enable-tls-encryption 

Configure Desktop Email Client is the last step.

--
[root@dispatcher10 ~]# ss -lnpt | grep postfix
[root@dispatcher10 ~]# ss -lnpt | grep dovcot
[root@dispatcher10 ~]#

Both display no service listings. What files do you need to see?
Brian

https://www.linuxbabe.com/redhat/run-your-own-email-server-centos-postfix-smtp-server
I am using this website also. I am having problems getting this set up. Can you offer any troubleshooting steps? Like what log files I should be looking at, etc.?
Brian

[root@dispatcher10 mail]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/postfix.service.d
           └─restart.conf
   Active: active (running) since Sun 2021-06-27 22:49:00 ADT; 7min ago
  Process: 25477 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
  Process: 25496 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 25494 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 25491 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
 Main PID: 25564 (master)
    Tasks: 3 (limit: 99996)
   Memory: 4.3M
   CGroup: /system.slice/postfix.service
           ├─25564 /usr/libexec/postfix/master -w
           ├─25565 pickup -l -t unix -u
           └─25566 qmgr -l -t unix -u

Jun 27 22:49:00 mail.thesheppards.name systemd[1]: Starting Postfix Mail Transport Agent...
Jun 27 22:49:00 mail.thesheppards.name postfix/master[25564]: daemon started -- version 3.5.8, configuration /etc/postfix
Jun 27 22:49:00 mail.thesheppards.name systemd[1]: Started Postfix Mail Transport Agent.
Jun 27 22:54:00 mail.thesheppards.name postfix/qmgr[25566]: 9271E40E5AAC: from=<>, size=2963, nrcpt=1 (queue active)
Jun 27 22:54:00 mail.thesheppards.name postfix/lmtp[25688]: 9271E40E5AAC: to=<brian@thesheppards.name>, orig_to=<root@mail.thesheppards.name>, re>
lines 1-22/22 (END)

Postfix seems to work but I am unable to see any email in /var/mail/brian 
[root@dispatcher10 mail]# ss -lnpt | grep master
LISTEN 0      100               0.0.0.0:587       0.0.0.0:*    users:(("master",pid=25564,fd=20))                                                                    
LISTEN 0      100               0.0.0.0:465       0.0.0.0:*    users:(("master",pid=25564,fd=23))                                                                    
LISTEN 0      100               0.0.0.0:25        0.0.0.0:*    users:(("smtpd",pid=25764,fd=6),("smtpd",pid=25761,fd=6),("master",pid=25564,fd=16))                  
[root@dispatcher10 mail]# ss -lnpt | grep postfix
[root@dispatcher10 mail]#

This is some output.
Tip: Setting up the following are very different.

1) Incoming: Postfix + Opportunistic TLS + IPrev/SPF/DKIM/DMARC policies.

2) Reading: Dovecot + Backing Store - Maildir/sbox/dbox/mdbox + TLS + IMAP.

3) Outgoing: Postfix + Rspamd DKIM signing.

Best to answer each of these items in a separate question to avoid this question becoming jumbled with many answers to different questions.

Suggestion: Treat this question as related to #1 - Postfix incoming email. Once you have Postfix receiving email, open 2x additional questions, 1x for Dovecot setup, 1x for outgoing Postfix.
Thanks David, I'll work on the weekend!
Brian
I'm still working on that email postfix and dovecot server. I'll be at that again soon postfix is still not working very well. I have tried several attempts and no success. I'll email late week and try some more then.
PS I am using https://www.linuxbabe.com/redhat/run-your-own-email-server-centos-postfix-smtp-server as a guide.
But mail will not send email or receive email? Can you offer any info on a solution? Or where I can check error logs?
Brian

[root@mail postfix]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/postfix.service.d
           └─restart.conf
   Active: active (running) since Sun 2021-07-11 16:16:23 ADT; 11s ago
  Process: 6382 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
  Process: 6404 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 6402 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 6396 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
 Main PID: 6472 (master)
    Tasks: 10 (limit: 99996)
   Memory: 14.0M
   CGroup: /system.slice/postfix.service
           ├─6472 /usr/libexec/postfix/master -w
           ├─6473 pickup -l -t unix -u
           ├─6474 qmgr -l -t unix -u
           ├─6475 trivial-rewrite -n rewrite -t unix -u
           ├─6476 local -t unix
           ├─6477 local -t unix
           ├─6478 lmtp -t unix -u
           ├─6479 lmtp -t unix -u
           ├─6480 bounce -z -n defer -t unix -u
           └─6481 bounce -z -n defer -t unix -u

lines 1-24


David this setup worked with my first attempt of sendmail. Emails came off the server. I don't think that the issue is there??
Brian
[root@mail postfix.service.d]# systemctl restart postfix
[root@mail postfix.service.d]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/postfix.service.d
           └─restart.conf
   Active: active (running) since Sun 2021-07-11 16:52:54 ADT; 7s ago
  Process: 7420 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
  Process: 7440 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 7438 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 7434 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
 Main PID: 7508 (master)
    Tasks: 3 (limit: 99996)
   Memory: 4.3M
   CGroup: /system.slice/postfix.service
           ├─7508 /usr/libexec/postfix/master -w
           ├─7509 pickup -l -t unix -u
           └─7510 qmgr -l -t unix -u

Jul 11 16:52:54 mail.thesheppards.name systemd[1]: Starting Postfix Mail Transport Agent...
Jul 11 16:52:54 mail.thesheppards.name postfix/master[7508]: daemon started -- version 3.5.8, configuration /etc/postfix
Jul 11 16:52:54 mail.thesheppards.name systemd[1]: Started Postfix Mail Transport Agent.
[root@mail postfix.service.d]#


https://www.linuxbabe.com/redhat/run-your-own-email-server-centos-postfix-smtp-server provides a good setup guide.

You said, "I'll be at that again soon postfix is still not working very well. I have tried several attempts and no success. I'll email late week and try some more then."

The way you'll debug this is on a per message basis using your Postfix delivery logs.

You'll pick 1x Message-ID or however you track messages, then trace this 1x message through its entire life cycle.

If you're routing your sent mail through a Mail Relay service (looks like this is what https://mailhop.org provides) then you'll also consider MailHop logs (if they provide them) for the same Message-ID.

Said differently, Postfix looks to be running, so next step is debugging a message + your infrastructure (like SPF/DKIM signing if local or Mail Relay if one's in use).
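
The per-message trace described above, done in code. This is an added example, not part of the original answer: it finds the queue ID that Postfix's cleanup daemon logged for one Message-ID, then collects every log line carrying that queue ID. The log lines, queue IDs and Message-IDs are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# CONSTRUCTED sample in Postfix's syslog format; hosts, queue IDs and
# Message-IDs are invented (example.org / example.net are reserved names).
SAMPLE_LOG = """\
Jul 11 17:01:02 mail postfix/smtpd[7601]: 3C9A240E5B01: client=localhost[127.0.0.1]
Jul 11 17:01:02 mail postfix/cleanup[7604]: 3C9A240E5B01: message-id=<test-1@example.org>
Jul 11 17:01:02 mail postfix/qmgr[7510]: 3C9A240E5B01: from=<brian@example.org>, size=512, nrcpt=1 (queue active)
Jul 11 17:01:03 mail postfix/smtp[7606]: 3C9A240E5B01: to=<friend@example.net>, relay=none, delay=1, delays=0.1/0/0.9/0, dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.7]:25: Connection timed out)
Jul 11 17:02:10 mail postfix/smtpd[7601]: warning: hostname lookup failed for 203.0.113.5
Jul 11 17:02:11 mail postfix/cleanup[7604]: 5D1F040E5B02: message-id=<test-2@example.net>
Jul 11 17:02:11 mail postfix/qmgr[7510]: 5D1F040E5B02: from=<friend@example.net>, size=845, nrcpt=1 (queue active)
Jul 11 17:02:11 mail postfix/lmtp[7610]: 5D1F040E5B02: to=<brian@example.org>, relay=mail.example.org[private/dovecot-lmtp], delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 <brian@example.org> Saved)
Jul 11 17:02:11 mail postfix/qmgr[7510]: 5D1F040E5B02: removed
"""

# Queue IDs are upper-case hex (short form) or vowel-free alphanumerics
# (long form), so words such as "warning" are never mistaken for one.
ENTRY = re.compile(
    r"postfix/(?P<daemon>[\w/-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}|[0-9B-DF-HJ-NP-TV-Zb-df-hj-np-tv-z]{10,}): "
    r"(?P<rest>.*)")
DELIVERY = re.compile(
    r"to=<(?P<to>[^>]*)>.*?relay=(?P<relay>[^,]+),.*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def trace(message_id, log_text):
    """Return one record per queue ID that carried `message_id`."""
    by_qid = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m:  # lines without a queue ID (warnings, connects) are skipped
            by_qid[m.group("qid")].append((m.group("daemon"), m.group("rest")))
    records = []
    for qid, events in by_qid.items():
        wanted = f"message-id={message_id}"
        if not any(d == "cleanup" and r == wanted for d, r in events):
            continue
        rec = {"queue_id": qid, "sender": None, "deliveries": [], "removed": False}
        for daemon, rest in events:
            delivery = DELIVERY.search(rest)
            if daemon == "qmgr" and rest.startswith("from=<"):
                rec["sender"] = rest[6:rest.index(">")]
            elif daemon == "qmgr" and rest == "removed":
                rec["removed"] = True  # queue file deleted: message is finished
            elif delivery:
                rec["deliveries"].append({"via": daemon, **delivery.groupdict()})
        records.append(rec)
    return records


def needs_attention(records):
    """Queue IDs still queued, or with a delivery that was not 'sent'."""
    return [r["queue_id"] for r in records
            if not r["removed"]
            or any(d["status"] != "sent" for d in r["deliveries"])]


if __name__ == "__main__":
    for record in trace("<test-1@example.org>", SAMPLE_LOG):
        print(record)
```

A record with `via` set to `lmtp` and `status` set to `sent` means Postfix handed the message to Dovecot, so a missing mailbox entry after that point is a Dovecot-side question rather than a Postfix one.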
David,
Thanks that gives me a starting point!
Brian
PS I'll email you next weekend.
