Build an email server in CentOS7 (dovecot + postfix + SSL)

It took basically two days to configure the mail server under CentOS7. There are too many hardships, so we must summarize them.
The purpose of this article is to build a dovecot + postfix + SSL server under CentOS 7 through a series of configurations, and to send and receive emails through the mail client (Airmail in this article.

& Para; Prerequisites

You have to have a host or VPS.
You have a primary domain such as fancycoding.com and a secondary domain such as mail.fancycoding.com.
The SSL certificate of the second-level domain name.

& Para; configure your DNS records

Confirm that the primary domain name has A record pointing to the server IP address
Add a mail second-level domain name such as mail.fancycoding.com pointing to the server ip address
Add an MX record under the primary domain name to point to the Mail second-level domain name such as mail.fancycoding.com. If you do not have multiple domain names as the mail server, you can write the MX priority randomly (only one domain name), with a maximum of 1 and a minimum of 50. If resolution with a higher priority is ineffective, the resolution will be low.
Add a txt record as SPF (Sender Policy Framework ). The format of SPF can be viewed in the http://www.openspf.org/SPF_Record_Syntax. For example, I set

V = spf1 a mx ~ All

That is, except for my A record and MX record, if other domains send emails, they are all forged.

After completing these steps, you can run the following command to check whether the steps take effect:

Dig MX yourdomain + short @ ns
Host your. subdomain ns
For example, if my domain name is placed in dnspod, the configuration in the figure above should be as follows:

Robin-MacdeMac-mini ~ $ Dig MX fancycoding.com + short @ f1g1ns1.dnspod.net
50 mail.fancycoding.com.
Robin-MacdeMac-mini ~ $ Host mail.fancycoding.com f1g1ns1.dnspod.net
Using domain server:
Name: f1g1ns1.dnspod.net
Address: 119.167.195.3 #53
Aliases:

Mail.fancycoding.com has address 107.170.242.133

& Para; install Postfix

Perform the following operations with the root permission. Otherwise, sudo is troublesome every time, right.
1
Yum-y install postfix
Yum remove sendmail
Sendmail is installed by centos by default. It is extremely difficult to use and can be deleted with ease.

Vim/etc/postfix/main. cf

By default, there should be a lot of data, so you don't have to worry about it. Write the following content at the bottom of the file
Assume that you:

The private key of the domain name certificate is in/etc/ssl/private/mail. fancycoding. key
The public key is stored in/etc/ssl/certs/mail. fancycoding. crt.
CA certificate in/etc/ssl/certs/cacert. pem

Myhostname = mail.fancycoding.com
Mydomain = fancycoding.com
Myorigin = mail.fancycoding.com
Mynetworks = 127.0.0.0/8 [: ffff: 127.0.0.0]/104 [: 1]/128,192.168 .1.0/24
Inet_interfaces = all
Mydestination = $ myhostname, localhost. $ mydomain, localhost, $ mydomain
Smtpd_sasl_auth_enable = yes
Smtpd_sasl_type = cyrus
Smtpd_sasl_security_options = noanonymous
Broken_sasl_auth_clients = yes
Smtpd_sasl_authenticated_header = yes
Smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
Smtpd_tls_auth_only = no
Smtp_use_tls = yes
Smtpd_use_tls = yes
Smtp_tls_note_starttls_offer = yes
Smtpd_tls_key_file =/etc/ssl/private/mail. fancycoding. key
Smtpd_tls_cert_file =/etc/ssl/certs/mail. fancycoding. crt
Smtpd_tls_CAfile =/etc/ssl/certs/cacert. pem
Smtpd_tls_received_header = yes
Smtpd_tls_session_cache_timeout = 3600 s

Then open/etc/postfix/master. cf:

Vim/etc/postfix/master. cf

Find

# Smtp inet n--smtpd

Cancel the comment "#" before it, locate the line "submission", cancel the comment, and add the following:

Submission inet n--smtpd
-O syslog_name = postfix/submission
-O smtpd_tls_wrappermode = no
-O smtpd_tls_security_level = encrypt
-O smtpd_sasl_auth_enable = yes
-O smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
-O milter_macro_daemon_name = ORIGINATING
-O smtpd_sasl_type = dovecot
-O smtpd_sasl_path = private/auth
Note that smtpd_recipient_restrictions should not be written incorrectly. Each comma is a word with no space.
Configure your aliases. This is the alias of the email user name. For example, an email that sends a webmaster@yourdomain.com automatically redirects to the root@youdomain.com.

Vim/etc/aliases

You can see that many aliases have been set. If you want to forward all these people to a real user, such as mike, add a line at the bottom:

Root: mike

& Para; install Dovecot

-Y install postfix

Enter/etc/dovecot. conf

Vim/etc/dovecot. conf

Add the following content at the bottom:

Protocols = imap pop3
Mail_location = mbox :~ /Mail: INBOX =/var/mail/% u
Pop3_uidl_format = % 08Xu % 08Xv

Service auth {
Unix_listener/var/spool/postfix/private/auth {
Group = postfix
Mode = 0660
User = postfix
}
}

Ssl = required
Ssl_cert = </etc/ssl/certs/mail. fancycoding. crt
Ssl_key = </etc/ssl/private/mail. fancycoding. key

& Para; enable all services

Newaliases
Service postfix restart
Service dovecot restart

Check the log

Cat/var/log/maillog
If the following line does not contain any warning or error, the result is:
Sep 10 22:54:51 fancycoding dovecot: master: Dovecot v2.2.10 starting up for imap, pop3 (core dumps disabled)
& Para; test mail sending and receiving

Mail-s TestTitle sombody@someone.com

Then, the system enters the interaction mode. Enter something and press Ctrl + D to start sending.
If you haven't received the email for a long time, you may have to check whether there is an error in log.
If you do not receive the mail command

Yum-y install mailx

You can also send an email to your user, for example, I use QQ mail to send to the webmaster@fancycoding.com, then you will see such a record in the log

Sep 10 23:17:14 fancycoding postfix/smtpd [27682]: connect from smtpbgsg2.qq.com [54.254.200.128]
Sep 10 23:17:16 fancycoding postfix/smtpd [27682]: B334A61941: client = smtpbgsg2.qq.com [54.254.200.128]
Sep 10 23:17:17 fancycoding postfix/cleanup [27686]: B334A61941: message-id = <tencent_1BB3D41C7EDAF8ED30A8BF1D@qq.com>
Sep 10 23:17:17 fancycoding postfix/qmgr [26975]: B334A61941: from = <84084888@qq.com>, size = 2050, nrcpt = 1 (queue active)
Sep 10 23:17:17 fancycoding postfix/local [27687]: B334A61941: to = <root@mail.fancycoding.com>, orig_to = <webmaster@fancycoding.com>, relay = local, delay = 0.81, delays = 0.81/0/0/0, dsn = 2.0.0, status = sent (delivered to mailbox)
Sep 10 23:17:17 fancycoding postfix/qmgr [26975]: B334A61941: removed
We can see that the smtp server smtpbgsg2.qq.com of qq is connected to our server, the original goal is webmaster@fancycoding.com, after alias conversion sent to the root@mail.fancycoding.com.
Use the mail command to view the new email:

[Root @ fancycoding ~] # Mail
Heirloom Mail version 12.5 7/5/10. Type? For help.
"/Var/spool/mail/root": 1 message 1 new
> N 1, Darkness Wed Sep 10 62/2153 "HI_WEBMASTER_TITLE"
&

& Para; connect with the Mail client

I don't want to use command lines when sending emails, right? I don't want to use ssh to log on to emails and run Command Query. So we have done so much before, isn't it just to connect to our mail server with the Mail client?
For example, I want to create a new user named "robin", but this user is not allowed to log on to everyone:

Useradd-s/sbin/nologin username

Passwd username
Open the email client and create an account. Here, Airmail is used as an example:

If your business is smooth, you can use the client to send and receive emails.
If a friend asks you to activate the mailbox, you only need to use useradd to add a user ~ Is it convenient!
& Para; FAQ:
I have a problem, but I don't know what the problem is. What should I do?
Tail/var/log/maillog
Error: chown (/home/user/mail/. imap/INBOX, group = 12 (mail) failed: Operation not permitted (egid = 1000 (user)
Two solutions:
Sudo chmod 0600/var/mail /*
Add mail_access_groups = mail to/etc/dovecot. conf.
Recipient address rejected: Access denied (in reply to rcpt to command)
Netstat-tap: check whether all ports are normal.
/Etc/postfix/main. cf
Check whether myorigin is your second-level domain name, rather than/etc/mailname in some tutorials
Make sure home_mailbox is not defined
If someone else cannot send an email to the created mailbox, the message 554 5.7.1: Recipient address rejected: Access denied is displayed.
There are a lot of problems. It may be that MX resolution is not correct, MX is accepted by other domain names, spf is not correct, and so on.
Make sure that the dig domain name ends in this form, instead of displaying xxx handle by xxx.domain.com.
Mail.fancycoding.com has address 107.170.242.133
# Post
This seemingly simple tutorial actually breaks google. The configuration takes two days.
It is not until you have figured out all the content of 80% of the configuration. In retrospect, it would be better to look at the wiki of dovecot and postfix and then do these things again. Many online tutorials are outdated or not applicable to CentOS.
Finally, I hope that this article will allow you to step by step and avoid detours!