Setting up a Postfix mail server with SSL encryption, using multiple domains under the same IP. (Dimitris Tzemos)

1. Run these commands before installing postfix

    groupadd -g 200 postfix
    useradd -u 200 -d /dev/null -s /bin/false -g postfix postfix
    groupadd -g 201 postdrop

2. Install postfix-2.9.4. It is in the Salix current repos.
Since you already have postfix installed, don't do this step.

3. Install dovecot-2.1.10 and dovecot-pigeonhole-0.3.3 (remove dovecot-sieve; it has been replaced by pigeonhole).
(They are in the Salix package submissions and will soon be in the Salix repos.)
Dovecot has changed its default setup, and the setup files are now in conf.d folders.
You can always convert an old dovecot-1.2 dovecot-1.conf file to the new syntax with the command
"dovecot -n -c dovecot-1.conf > dovecot-2.conf"

4. As root

    cd /usr/doc/dovecot-2.1.10/
    sh config-helper.sh

to create the user and group dovecot (MUID=202 MGID=202)

    sh config-helper-dovenull.sh

to create the user and group dovenull (MUID=248 MGID=248)

5) Create TLS/SSL certificates

    cd /root
    openssl req -new -x509 -days 365 -nodes -out "example.cert" -keyout "example.key"

For web services, the Common Name field usually must exactly match the hostname of the system the certificate will be used on; otherwise, clients should complain about a certificate to hostname mismatch.
The -days argument specifies how long the certificate will be valid for.
Example:

    Country Name (2 letter code) [AU]:DE
    State or Province Name (full name) [Some-State]:Bavaria
    Locality Name (eg, city) []:Seattle
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Salix OS
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:example.com
    Email Address []:postmaster@example.com

As the .key file is private, change its permissions:

    chmod 600 example.key

5.1) As root, create the folders if they don't exist

    mkdir -p /etc/postfix/ssl/certs
    mkdir -p /etc/postfix/ssl/private/
    mkdir -p /etc/dovecot/ssl/certs
    mkdir -p /etc/dovecot/ssl/private/

Copy the keys to the folders

    cp -a /root/example.cert /etc/postfix/ssl/postfix.cert
    cp -a /root/example.key /etc/postfix/ssl/postfix.key
    cp -a /root/example.cert /etc/postfix/ssl/certs/dovecot.pem
    cp -a /root/example.key /etc/postfix/ssl/private/dovecot.pem
    cp -a /root/example.cert /etc/dovecot/ssl/certs/dovecot.pem
    cp -a /root/example.key /etc/dovecot/ssl/private/dovecot.pem

6) Edit the following files

6.1 /etc/postfix/main.cf
Set these as shown below

    # Note: on the line mydestination = $myhostname, localhost.$mydomain, localhost,
    # you can add your domain, e.g. simplynux.org salixos.org, or ariadni.dynalias.net if you have a dyndns domain.
    # These are examples; don't use these names because they are used by real postfix setups.
    # This is an example; set it to your own domain.
    myhostname = simplynux.fr
    mydomain = $myhostname
    mydestination = $myhostname, localhost.$mydomain, localhost, simplynux.org salixos.org
    # You can comment this out and postfix will decide what is best.
    mynetworks_style = host
    alias_maps = hash:/etc/postfix/aliases
    alias_database = hash:/etc/postfix/aliases
    home_mailbox = Maildir/
    mailbox_command = /usr/libexec/dovecot/deliver
    debug_peer_level = 2
    debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        ddd $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = postdrop

    #### Add these to the end of main.cf, for SSL authentication ####
    smtpd_tls_cert_file = /etc/postfix/ssl/postfix.cert
    smtpd_tls_key_file = /etc/postfix/ssl/postfix.key
    smtpd_tls_security_level = may
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = /var/spool/postfix/private/auth
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
    smtpd_recipient_restrictions = permit_mynetworks
        reject_sender_login_mismatch
        permit_sasl_authenticated
        reject_unauth_destination

6.2) Edit the file /etc/postfix/aliases and change the line at the top (akuna is an example; write an existing user other than root to receive mail)

    # Person who should get root's mail. Don't receive mail as root!
    root: akuna

6.3) Edit the file /etc/postfix/virtual and add what you want at the end of the file, for example

    webmaster@slackel.dynalias.net webmaster
    webmaster@ariadni.dynalias.net webmaster
    djemos@ariadni.dynalias.net djemos

6.4) Create the file /etc/postfix/controlled_envelope_senders and add your entries to it. This is an example

    # sender                        owners (SASL login names)
    djemos@ariadni.dynalias.net     djemos
    webmaster@ariadni.dynalias.net  webmaster,djemos

6.5) Run these commands to create or update the above files

    newaliases
    postmap /etc/postfix/virtual
    postmap /etc/postfix/controlled_envelope_senders

6.6) Edit the file /etc/postfix/master.cf
It may be a good idea to require encryption with STARTTLS for users on the submission port.
The beginning of the file should look like this:

    smtp inet n - n - - smtpd
    submission inet n - n - - smtpd
      -o smtpd_tls_security_level=encrypt

7) Edit /etc/dovecot/dovecot.conf
(If it does not exist, then cp /usr/doc/dovecot-2.1.10/example-config/dovecot.conf /etc/dovecot/dovecot.conf)
Change the lines as below

    protocols = imap pop3 lmtp
    listen = *

8) Copy the directory conf.d to /etc/dovecot
( cp -R /usr/doc/dovecot-2.1.10/example-config/conf.d/ /etc/dovecot/)

8.1 Edit /etc/dovecot/conf.d/10-auth.conf and change the lines as below

    auth_mechanisms = plain login

8.2 Edit /etc/dovecot/conf.d/10-mail.conf and change the lines as below

    mail_location = maildir:~/Maildir
    namespace inbox {
      inbox = yes
    }

8.3 Edit /etc/dovecot/conf.d/10-ssl.conf and change the lines as below

    ssl = yes
    ssl_cert =
    ] # [cache_key=] []
    #args = dovecot
    #}
    #passdb {
    #driver = passwd
    # [blocking=no]
    #args =
    #}
    passdb {
      driver = shadow
      # [blocking=no]
      #args =
    }
    userdb {
      driver = passwd
      # [blocking=no]
      #args =
      # Override fields from passwd
      #override_fields = home=/home/virtual/%u
    }

Now run postfix

    /etc/rc.d/rc.postfix start
    /etc/rc.d/rc.dovecot start

NOTE!!!! If you open port 993 for IMAP on the router, then postfix will use SSL/TLS encryption; if you open port 143 as well on the router, then postfix will use STARTTLS encryption on port 143.
I think you have set it this way. Both work.

Before you do all this, copy the files you change, like /etc/postfix/aliases, main.cf etc., to a safe place.
Always keep the old files so you can safely go back.

Have fun
Dimitris Tzemos
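
A post-setup check for the configuration above, added here as an example and not part of the original guide: it reads main.cf and master.cf and reports when SASL AUTH is accepted without TLS (smtpd_sasl_auth_enable = yes without smtpd_tls_auth_only = yes), when the submission service lacks smtpd_tls_security_level=encrypt, and when the key file is accessible to group or others. The function names and the temporary sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original guide). File names below are constructed.

# Print the effective value of parameter $2 in main.cf file $1.
# The last assignment wins; lines starting with whitespace continue a value.
mc_get() {
    awk -v p="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (hit) val = val " " $0; next }
        { hit = 0; i = index($0, "="); if (!i) next
          name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
          if (name == p) { hit = 1; val = substr($0, i + 1) } }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
              print val }' "$1"
}

# Succeed if the submission service in master.cf file $1 carries "-o $2".
submission_has() {
    awk -v want="-o $2" '
        /^[ \t]*#/ { next }
        /^[^ \t]/ { insvc = ($1 == "submission") }
        insvc && index($0, want) { found = 1 }
        END { exit !found }' "$1"
}

# Print one finding per line for main.cf $1 and master.cf $2.
audit_mail_tls() {
    if [ "$(mc_get "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(mc_get "$1" smtpd_tls_auth_only)" != yes ]; then
        echo "SASL AUTH accepted without TLS: set smtpd_tls_auth_only = yes"
    fi
    if ! submission_has "$2" smtpd_tls_security_level=encrypt; then
        echo "submission does not require STARTTLS"
    fi
    key=$(mc_get "$1" smtpd_tls_key_file)
    if [ -e "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "$key is accessible to group or others: chmod 600"
    fi
}

# Constructed sample: the TLS/SASL lines from this guide in a temp directory.
demo=$(mktemp -d)
printf '%s\n' "smtpd_tls_key_file = $demo/postfix.key" \
    'smtpd_tls_security_level = may' 'smtpd_sasl_auth_enable = yes' > "$demo/main.cf"
printf '%s\n' 'smtp inet n - n - - smtpd' 'submission inet n - n - - smtpd' \
    '  -o smtpd_tls_security_level=encrypt' > "$demo/master.cf"
: > "$demo/postfix.key"; chmod 644 "$demo/postfix.key"
audit_mail_tls "$demo/main.cf" "$demo/master.cf"
```

On a real system, pass /etc/postfix/main.cf and /etc/postfix/master.cf to audit_mail_tls; the check reads main.cf only and does not see values changed with -o in master.cf, apart from the submission override it looks for.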