How to install a complete mailserver on Debian 8/9, featuring Postfix, Dovecot, MySQL, Spamassassin, ClamAV, Roundcube and Fail2ban.

~ the howto that actually works ~

Part 1: Introduction
Part 2: Preparations: Apache, Let’s Encrypt, MySQL and phpMyAdmin
Part 3: MTA: Postfix
Part 4: IMAP server: Dovecot
Part 5: Web interface: Roundcube
Part 6: Spam filtering: SpamAssassin
Part 7: Antivirus: ClamAV and ClamSMTP
Part 8: Quota and other Roundcube settings
Part 9: Using mail with a remote IMAP client (i.e. Thunderbird)
Part 10: Counter brute-force attacks with Fail2ban
Part 11: Sources, config files, colouring and comments

On this page

Enable SSL
Incoming mail
Outgoing mail

Comments are on the last page.

To use IMAP you need to forward ports 993 (IMAP over TLS) and 465 (SMTP over TLS) from your router to your mailserver. In theory you can use any port you like, but let’s stick to the RFCs for now. I will use Thunderbird as an example client.

You’ve done it again, Gadget!

Enable SSL

In case you forgot, read this bit about your website’s domain vs. your mail domain.

Turn on SSL first. (And by SSL I mean TLS you nitpicks.) We can use the Let’s Encrypt certificates we got for the webserver. In /etc/dovecot/conf.d/10-ssl.conf:

ssl = required
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

Incoming mail

In /etc/dovecot/conf.d/10-master.conf we tell Dovecot about the protocol:

service imap-login {
  inet_listener imap {
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

Be VERY careful in this document. Like we discussed before, if you mess up one # or { in this file you will be troubleshooting the rest of the day. See the part about setting up LMTP and SASL.

Do

# dovecot reload

and watch /var/log/mail.log for errors or warnings.

In Thunderbird use the following values:
Servername: example.com
Username: tinus@example.com
Port: 993
Connection type: SSL/TLS
Authentication method: Normal password

Thunderbird can be a bit stubborn. If you are sure your settings are correct and no obvious errors get logged but Thunderbird just won’t accept your settings, just close it and try again. Also, sometimes it says the settings are incorrect but will allow you to continue anyway, and it just works.

Outgoing mail

In /etc/postfix/main.cf:

smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes

In /etc/postfix/master.cf:

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Note that the three option lines must start with at least one whitespace.
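
To catch a lost indent before reloading Postfix, here is an added example (not part of the original howto or of Postfix) that lints master.cf text for the smtps entry shown above. The function names parse_master_cf and check_smtps are hypothetical, the samples are constructed, and only the plain "-o name=value" form is parsed.

```python
import re

# Overrides this page sets on the smtps (port 465) service.
REQUIRED = {"smtpd_tls_wrappermode": "yes", "smtpd_sasl_auth_enable": "yes"}
OPTION = re.compile(r"-o\s+([^\s=]+)=(\S+)")  # plain "-o name=value" form only

def parse_master_cf(text):
    """Return ({"name/type": {option: value}}, [problems]) for master.cf text."""
    services, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if line[0].isspace():  # leading whitespace continues the previous entry
            if current is None:
                problems.append(f"line {lineno}: continuation has no valid entry above it")
            else:
                services[current].update(OPTION.findall(line))
        elif line.startswith("-o"):
            # A "-o" in column 0 starts a new logical line; it is not an override.
            problems.append(f"line {lineno}: '-o' line is not indented")
            current = None
        else:
            fields = line.split()
            if len(fields) < 8:
                problems.append(f"line {lineno}: expected 8 fields, got {len(fields)}")
                current = None
                continue
            current = f"{fields[0]}/{fields[1]}"
            services[current] = dict(OPTION.findall(" ".join(fields[8:])))
    return services, problems

def check_smtps(text):
    """List problems with the smtps/inet entry; an empty list means it matches."""
    services, problems = parse_master_cf(text)
    opts = services.get("smtps/inet")
    if opts is None:
        problems.append("no smtps/inet service defined")
    else:
        for key, want in REQUIRED.items():
            if opts.get(key) != want:
                problems.append(f"smtps: {key} is {opts.get(key)!r}, expected {want!r}")
    return problems

# Constructed samples: the entry from this page, and one with a lost indent.
GOOD = ("smtps     inet  n       -       -       -       -       smtpd\n"
        "  -o syslog_name=postfix/smtps\n"
        "  -o smtpd_tls_wrappermode=yes\n"
        "  -o smtpd_sasl_auth_enable=yes\n")
BAD = GOOD.replace("  -o smtpd_sasl_auth_enable", "-o smtpd_sasl_auth_enable")
print("GOOD:", check_smtps(GOOD), "BAD:", check_smtps(BAD))
```

To lint the real file, pass the contents of /etc/postfix/master.cf to check_smtps instead of the samples.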

I suggest you open the TLS ports on your firewall but keep 143 (IMAP) closed. This prevents unencrypted IMAP sessions being set up in case of a configuration error.

# postfix reload

In Thunderbird:
Servername: example.com
Port: 465
Connection encryption: SSL/TLS
Authentication method: Normal password
Username: tinus@example.com

Mail settings in Thunderbird