On Linux mail servers, Exim or Postfix (the MTA) is usually used in combination with Dovecot (the MDA). Exim and Postfix take care of sending mail from one mail server to another. Dovecot ensures that mail delivered to your VPS actually reaches the correct mailbox.
In this tutorial, we show you how to install Exim and Dovecot on an AlmaLinux or Rocky Linux VPS. As part of the installation, you'll be using virtual domains to handle e-mail accounts, rather than system accounts. Additionally, we show how you use SSL (TLS) from Let's Encrypt to secure the connection.
For the steps in this manual you need:
- An AlmaLinux or Rocky Linux VPS to which the EPEL repository has been added.
- Correctly set reverse DNS.
- A domain whose DNS refers to your VPS, for example via mail.example.com. In this guide (under 'mail'), we give an example of how you point the DNS of your domain to your VPS for email.
- Execute the commands in this article using sudo, or as a root user.
- This is fairly complex material. It is recommended to create a snapshot of your VPS in advance so you have a restore point in case of any configuration errors.
Installing and configuring Exim
Step 1
Connect to your VPS via SSH or the VPS console in the TransIP control panel.
Step 2
Update your VPS so you have the most recent software at your disposal:
dnf -y update
We recommend rebooting your VPS after an update. Many updates are only implemented after a reboot. In addition, any problems in the configuration of your server will then quickly come to light and you can possibly restore a backup.
Step 3
Install Exim with the command:
dnf -y install exim
Step 4
You then adjust the configuration of Exim. To do this, open /etc/exim/exim.conf, for example, with
nano /etc/exim/exim.conf
Step 5
Adjust the following options in the opened file. They are not listed consecutively, so you have to scroll or search through the file (ctrl + w in nano or /<wordyouarelookingfor> in vim).
no_local_from_check
Exim does not trust the system users on your server and will rewrite the 'From' field in the headers to contain the hostname if you want to mail on behalf of a system user. This is not really a problem since you use virtual domains in this manual to create mail addresses.
Do you still want system users to be able to mail without rewriting the headers (and you mail with mail@<yourhostname>, for example)? Then add the following two lines to the top of the file (for example, under the 'Runtime configuration file for Exim' block) to trust user accounts:
no_local_from_check
untrusted_set_sender = *
General
domainlist local_domains = lsearch;/etc/listofdomains
tls_certificate = /etc/letsencrypt/live/mail.jedomein.nl/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/
virtual_router
Scroll to the end of the 'router configuration' part and place the code below directly above the 'localuser' part.
virtual_router:
  driver = accept
  require_files = +/home/vmail/$local_part@$domain/
  transport = virtual_transport
local_delivery
Scroll to the 'transports configuration' section and then to 'local_delivery'. The options under local_delivery determine how Exim delivers mail to local users. Search the file for local_delivery and adjust the options so they look like the example below.
local_delivery:
  driver = appendfile
  directory = $home/Maildir
  maildir_format
  delivery_date_add
  envelope_to_add
  return_path_add
virtual_transport
By adding the virtual_transport, you determine what happens to the mail that is designated for delivery to your server by the virtual_router.
Place the code below directly above the local_delivery component:
virtual_transport:
  driver = appendfile
  directory = /home/vmail/$local_part@$domain/
  maildir_format
  delivery_date_add
  envelope_to_add
  return_path_add
  user = vmail
  group = vmail
  mode = 0660
  mode_fail_narrower = false
Dovecot authenticator
Scroll to the end of the file (shortcut in nano: ctrl + _ followed by ctrl + v; in vi(m): shift + G) and add the following. The server_advertise_condition line makes Exim offer AUTH only on connections that are already protected by TLS, so passwords never cross the network in the clear:
# Dovecot Authenticator
dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = ${if def:tls_in_cipher}

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = ${if def:tls_in_cipher}
There are some additional options in the Exim configuration that you may want to adjust even further depending on your use case. For a complete overview, we recommend that you consult Exim's own documentation. You will find most options in the following places:
- General transport options: contains options to, for example, add extra header information to emails.
- Appendfile transport options: contains options for transports such as the local_delivery (see above).
Finally, save the changes and close the configuration before proceeding (ctrl + x > y > enter).
Step 6
Create the /etc/listofdomains file with the command:
nano /etc/listofdomains
Step 7
In the file, you add a list of all domains (+ your hostname) that are allowed to receive mail on your VPS. If a domain is not in this file, Exim cannot process mail for it. Place each domain on a separate line, for example:
server.example.com
example.com
voorbeeld.nl
Then, save the changes and close the file (ctrl + x > y > enter).
This completes the installation and configuration of Exim. However, do not start Exim until you are also done with Dovecot and the SSL configuration.
IPv6
If you make use of IPv6, Exim first tries your IPv6 address. Exim has a tendency to use a different IPv6 address than your primary one. If you notice this happening, you can check your IPv6 addresses with the command:
ip a
Or send an email to yourself and check which IPv6 address was used to send it. Make sure you also include this IPv6 address in your SPF record and reverse DNS settings.
Do you prefer disabling IPv6 for Exim? Then add the line below under the 'Runtime configuration file for Exim' part of /etc/exim/exim.conf:
disable_ipv6 = true
Installing and configuring Dovecot
Step 1
Install Dovecot with the command:
yum -y install dovecot
Step 2
The Dovecot configuration is spread over several specific files. First, you adjust the SSL configuration in the file 10-ssl.conf:
nano /etc/dovecot/conf.d/10-ssl.conf
Step 3
Add the following content to the file:
ssl_cert = </etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/
Then, save your changes and close the file (ctrl + x > y > enter).
Step 4
Next, you open the mail configuration. Here you indicate where the mailbox is located on your server.
nano /etc/dovecot/conf.d/10-mail.conf
Step 5
In the file, uncomment the #mail_location = line and change it to:
mail_location = maildir:/home/vmail/%u
Then, save your changes and close the file (ctrl + x > y > enter).
Step 6
You have set up a Dovecot authenticator in step 5 of the Exim configuration. You give Exim permission to use Dovecot's authentication system in 10-master.conf:
nano /etc/dovecot/conf.d/10-master.conf
Step 7
Add the content below at the bottom of the opened file.
service auth {
  unix_listener auth-client {
    mode = 0660
    user = exim
  }
}
Then, save your changes and close the file (ctrl + x > y > enter).
Step 8
Open the file which provides the authentication:
nano /etc/dovecot/conf.d/10-auth.conf
Step 9
Change the existing configuration so auth_mechanisms looks like this:
auth_mechanisms = plain login
Then, save your changes and close the file (ctrl + x > y > enter).
Step 10
Finally, open the /etc/dovecot/conf.d/auth-system.conf.ext file. Here, you adjust the authentication method for Dovecot, so you can actually work with virtual domains.
nano /etc/dovecot/conf.d/auth-system.conf.ext
Step 11
Comment out the existing passdb and userdb blocks and add a new one for each, as in the example below:
#passdb {
#  driver = pam
#  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
#  # [cache_key=<key>] [<service name>]
#  #args = dovecot
#}
passdb {
  driver = passwd-file
  args = /etc/dovecot/imap.passwd
}
#userdb {
#  # <doc/wiki/AuthDatabase.Passwd.txt>
#  driver = passwd
#  # [blocking=no]
#  #args =
#
#  # Override fields from passwd
#  #override_fields = home=/home/virtual/%u
#}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/home/vmail/%u
}
Then, save the changes and close the file (ctrl + x > y > enter).
Firewall and related settings
For the correct operation of your mail and the generation of Let's Encrypt certificates, it is necessary to open a few ports. You do this with the commands:
firewall-cmd --zone=public --permanent --add-port=80/tcp
firewall-cmd --zone=public --permanent --add-port=443/tcp
firewall-cmd --zone=public --permanent --add-port=25/tcp
firewall-cmd --zone=public --permanent --add-port=465/tcp
firewall-cmd --zone=public --permanent --add-port=587/tcp
firewall-cmd --zone=public --permanent --add-port=993/tcp
firewall-cmd --zone=public --permanent --add-port=995/tcp
firewall-cmd --reload
- Ports 80 and 443 are required for the Let's Encrypt validation (the acme-challenge).
- Ports 993 and 995 are respectively the IMAP and POP3 ports that Dovecot uses for TLS connections.
- Ports 25, 465 and 587 are the ports that Exim uses to send and receive email.
Optional tip: do you want to be able to close port 25 completely? Then an adjustment to /etc/services is needed, as well as to the variable daemon_smtp_ports in /etc/exim/exim.conf.
SELinux
Do you use SELinux (check with 'sestatus')? The ports opened above are already labelled in the default targeted policy: 80 and 443 as http_port_t, 25, 465 and 587 as smtp_port_t, and 993 and 995 as pop_port_t, which are the port types Exim and Dovecot are allowed to bind to. Do not add them to ssh_port_t; that type belongs to sshd, and semanage refuses to relabel an already defined port anyway. Verify the labels with:
semanage port -l | grep -E '^(http|smtp|pop)_port_t'
Only if a port is missing from this output do you add it with its proper type, for example for the submission port:
semanage port --add -t smtp_port_t -p tcp 587
Opening outgoing mail ports
For new VPSs, the mail ports are closed in the TransIP control panel for security reasons. In this article, we show you how to open them.
VPS firewall
Do you use the VPS firewall in the TransIP control panel? Then, open the ports 80, 443, 993, 995 and 587 therein.
Fail2ban
Do you use Fail2Ban? The logpath for the Exim-jail is /var/log/exim/main.log
Adding an SSL certificate
The basic configuration of Exim and Dovecot has been completed, but in the earlier steps, we have adjusted the configuration to require SSL (TLS). In this section, you create an SSL certificate and automate the renewal thereof.
Step 1
As SSL (TLS) certificate, we use a Let's Encrypt certificate. If you have not yet installed Let's Encrypt, first install it with the command:
yum -y install certbot
Step 2
In this step, you generate a standalone certificate with the command below. Replace mail.example.com with the subdomain that you will use to send and receive mail to/from (the same subdomain you used in step 5 of the Exim configuration).
You will be asked for an email address and permission for the terms and conditions, and for sharing your email address with the Electronic Frontier Foundation (optional).
certbot certonly --standalone -d mail.example.com
Step 3
Your Let's Encrypt certificate and keyfile are stored in /etc/letsencrypt/live/<hostname>/ (the exact location is in the output of the command in step 2).
The advantage of Let's Encrypt is that you can automate certificate renewal. You do this with a cron job which you create with:
crontab -e
Step 4
If you've never opened Crontab before, it'll ask you which editor you'd like to use. Depending on your experience either select nano or vi(m). Assuming you selected vi(m), crontab opens in command mode and you switch to insert mode with the 'i' key. Then, add the content below.
SHELL=/bin/bash
HOME=/
@monthly certbot -q renew >> /var/log/le.log
- The cron job is performed every month at 0:00.
- -q ensures that no output is generated, except for errors.
- renew renews all Let's Encrypt certificates that expire within 30 days. Let's Encrypt certificates are valid for 90 days, so a new certificate is generated every two months.
- >> /var/log/le.log sends the output to the le.log file. You create this with the command: touch /var/log/le.log
By successively typing esc > :wq! the crontab closes and your changes are saved. If all goes well, you see the following confirmation:
crontab: installing new crontab
Step 5
Certbot makes the directories in which the certificates are stored unsearchable for other users and gives the private key mode 600. Exim loads the certificate and key while running as the exim user, so it cannot read them (Dovecot reads its certificate and key before dropping root privileges, as the comment in 10-ssl.conf notes, and needs no change). Open the directories and make the key readable for the exim group, but not for everyone: a world-readable private key (mode 644) would let any local account on the VPS impersonate your mail server.
chmod 755 /etc/letsencrypt/archive
chmod 755 /etc/letsencrypt/archive/mail.example.com
chmod 755 /etc/letsencrypt/live
chmod 755 /etc/letsencrypt/live/mail.example.com
chgrp exim /etc/letsencrypt/archive/mail.example.com/privkey1.pem
chmod 640 /etc/letsencrypt/archive/mail.example.com/privkey1.pem
Recent certbot versions copy the group and mode of the previous key onto the new privkeyN.pem at renewal; check the permissions after the first renewal (privkey2.pem) to be sure.
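Before starting the services, you can check the result. Exim loads the key while running as the exim user, so the key must be reachable and readable for that account, but a private key must never be readable by every local account on the server. The script below is an added check and not part of the original tutorial; it assumes GNU stat(1), the tutorial's /etc/letsencrypt layout and the exim group, and its function names (check_key_access and the helpers) are its own:

```shell
#!/bin/sh
# Added check; not part of the original tutorial. Verifies that the Let's Encrypt
# private key has the permissions Exim needs and no more: every directory from
# the top of the certificate tree down must be searchable by others, and the key
# itself must be readable by the mail server's group but not by everyone.
# Requires GNU stat(1). The paths and the exim group are the tutorial's; the
# function names are this example's own.

# mode_bits FILE: print the octal permission bits, e.g. 640.
mode_bits() {
    stat -c '%a' "$1"
}

# parent_dirs_traversable FILE TOPDIR
# Walks from FILE's directory up to and including TOPDIR and fails on the first
# directory whose "other" execute bit is missing (an unprivileged account such
# as exim could not reach the key through it).
parent_dirs_traversable() {
    d=$(dirname "$1")
    while :; do
        m=$(mode_bits "$d") || return 1
        if [ $(( (m % 10) & 1 )) -eq 0 ]; then
            echo "$d: mode $m is not searchable by others" >&2
            return 1
        fi
        if [ "$d" = "$2" ] || [ "$d" = "/" ]; then
            return 0
        fi
        d=$(dirname "$d")
    done
}

# key_perms_ok FILE GROUP
# True when FILE belongs to GROUP, is group-readable, and has no permission
# bits for "other". 640 passes; 644 (world-readable) and 600 (unreadable for
# the service account) both fail.
key_perms_ok() {
    m=$(mode_bits "$1") || return 1
    g=$(stat -c '%G' "$1") || return 1
    other=$(( m % 10 ))
    group=$(( (m / 10) % 10 ))
    if [ "$g" != "$2" ]; then
        echo "$1: group is $g, expected $2" >&2
        return 1
    fi
    if [ "$other" -ne 0 ] || [ $(( group & 4 )) -eq 0 ]; then
        echo "$1: mode $m, expected 640" >&2
        return 1
    fi
    return 0
}

# check_key_access KEYFILE [TOPDIR] [GROUP]
# Runs both checks for the tutorial's layout; defaults are /etc/letsencrypt and exim.
check_key_access() {
    key=$1
    top=${2:-/etc/letsencrypt}
    grp=${3:-exim}
    status=0
    parent_dirs_traversable "$key" "$top" || status=1
    key_perms_ok "$key" "$grp" || status=1
    return "$status"
}

if [ "$#" -gt 0 ]; then
    check_key_access "$@" && echo "OK: $1 is readable by group ${3:-exim} only"
fi
```

Run it as sh check_key.sh /etc/letsencrypt/archive/mail.example.com/privkey1.pem; it reports each problem on stderr and exits non-zero if there is any. Run it again after the first certbot renewal, because the key then lives in a new privkeyN.pem.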
Creating email addresses
The final preparation
Before you can create email addresses, some preparation is still required: creating the vmail user and group. All mail is stored in this user's home directory, for example, /home/vmail/mail@example.com/.
In addition, you create the file in which the authentication data of users end up and you set a location to which all mail sent to the root user on your VPS can go.
Step 1
Earlier in this manual, we have set that all mail is stored in the /home/vmail/<mailaddress> directories. To be able to use this, first create the vmail user and group:
useradd vmail
usermod -a -G vmail vmail
The home directory for vmail is created automatically.
Step 2
Then, create the file in which the names of the email addresses and the associated log-in data are stored. Because it will hold the password hashes, it should not be world-readable: owner root, group dovecot and mode 640 are sufficient, since the Dovecot auth process is what reads it.
touch /etc/dovecot/imap.passwd
Step 3
Open the /etc/aliases file. This sets where mail to specific system users is sent to.
nano /etc/aliases
Step 4
Scroll to the end of this file. There you find a commented-out line; the comment above it says that it determines who receives the mail for the root user.
Delete the # and change the name to the email address at which you want to receive that mail. The result looks like this, for example:
# Person who should get root's mail
root: mail@voorbeeld.nl
Then, save the changes and close the file (ctrl + x > y > enter).
Step 5
Finally, enable Exim and Dovecot and set both to start automatically with a reboot of your VPS:
systemctl enable exim
systemctl enable dovecot
systemctl start exim
systemctl start dovecot
Step 6 - optional
When writing this manual, after installation, Exim had no rights to write to one of its own log files (main.log) because Exim itself was not the owner of the file. As a consequence, Exim does not start and does not show an error message explaining why.
You correct the rights with the commands:
chown exim:exim /var/log/exim/main.log
systemctl restart exim
Creating email addresses
To make things easy for yourself, it is useful to create a shell script that you can use to create new addresses. This saves you the trouble of having to type all associated code every time you create an email address. You create such a script as follows:
Step 1
Open / create the file /etc/dovecot/create_mail.sh:
nano /etc/dovecot/create_mail.sh
Replace the location / name of the file as you wish, but the .sh extension must be retained.
Step 2
Give the file the content below.
#!/bin/bash
# Creates the Maildir for a new virtual mailbox and stores the hashed password
# in the Dovecot passwd-file that Exim and Dovecot authenticate against.
read -p " Enter user's mailaddress: " mailaddress
read -sp " Enter password: " passwd
echo
sudo mkdir -p "/home/vmail/$mailaddress"
sudo chown vmail:vmail "/home/vmail/$mailaddress"
sudo chmod go-rwx "/home/vmail/$mailaddress"
# The >> redirection would be performed by your own shell, not by sudo, so the
# entry is appended through tee. Hashing is done by doveadm pw; its -p option
# briefly shows the password in the process list, so omit -p on a shared
# system and let doveadm prompt for it instead.
echo "$mailaddress:$(doveadm pw -s SHA256-CRYPT -p "$passwd")" | sudo tee -a /etc/dovecot/imap.passwd > /dev/null
Then, save the changes and close the file (ctrl + x > y > enter).
- There are more options than in the example above. For example, you could include an additional prompt to confirm the password: read -sp "Confirm password:" passwd1. You can then create an if then else construction where $passwd and $passwd1 are compared. If they do not match, you let the user specify it again for example.
- You could also create a second script to change passwords (e.g. with a sed command). Please note that you also use doveadm pw for this.
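A password-change script of the kind described in the second point, written here as an added example rather than taken from the tutorial. It uses awk instead of sed so the address is matched as a whole field and cannot match inside another entry, lets doveadm pw prompt for the new password (twice, which also gives you the confirmation from the first point) so the password never appears on the command line, and refuses to change anything for an address that has no entry. The file path and hash scheme are the tutorial's; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the tutorial's own script): change the password of an
# existing virtual mailbox by replacing its line in the Dovecot passwd-file.
# Assumes the tutorial's layout, one "address:{SCHEME}hash" entry per line in
# /etc/dovecot/imap.passwd, and doveadm pw(1) for hashing.

# replace_passwd_entry FILE ADDRESS NEWHASH
# Rewrites FILE through a temporary copy so that the line for ADDRESS carries
# NEWHASH. Returns 1 without touching FILE when ADDRESS has no entry, so a typo
# in the address can never silently create an account.
replace_passwd_entry() {
    file=$1 address=$2 newhash=$3
    # Match the address as the whole first field, not as a substring.
    awk -F: -v a="$address" '$1 == a { found = 1 } END { exit !found }' "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # cp -p keeps the mode (and, as root, the owner) of the original file.
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }
    awk -F: -v a="$address" -v h="$newhash" '
        $1 == a { $0 = a ":" h }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# change_mail_password ADDRESS
# Interactive front end: doveadm pw asks for the new password twice and the
# hash never passes over the command line. Dovecot re-reads the passwd-file
# when its modification time changes, so no restart is needed afterwards.
change_mail_password() {
    newhash=$(doveadm pw -s SHA256-CRYPT) || return 1
    replace_passwd_entry /etc/dovecot/imap.passwd "$1" "$newhash" \
        || { echo "no entry for $1 in /etc/dovecot/imap.passwd" >&2; return 1; }
}

if [ "$#" -gt 0 ]; then
    change_mail_password "$1"
fi
```

Save it as, for example, /etc/dovecot/change_mail.sh, restrict it with chmod 700 like the create script, and run it as root with the email address as the only argument.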
Step 3
Give yourself permission to execute the script with:
chmod 700 /etc/dovecot/create_mail.sh
Using this command, only the owner has permission to execute the script. If you'd like to give more users permission to run the script, you could for example add a separate group and use chmod to give the group execute rights (chmod 750) and use chown to change ownership of the file. Using usermod you can add users to the group.
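Once a few addresses exist, the following added audit script (not the tutorial's own code) cross-checks the parts configured in this guide against each other: for each entry in /etc/dovecot/imap.passwd it confirms that the password is stored as a SHA256-CRYPT (or SHA512-CRYPT) hash rather than in the clear, that the Maildir /home/vmail/<address> exists and is owned by vmail, and that the address's domain is listed in /etc/listofdomains, since Exim rejects mail for domains that are not. The paths and the vmail account are the tutorial's; the function name, the argument order and the use of GNU stat(1) are assumptions of this example.

```shell
#!/bin/sh
# Added audit script; not part of the original tutorial. It cross-checks the
# pieces set up in this guide: each entry in the Dovecot passwd-file must carry
# a hashed password, must have its Maildir under the vmail home with the right
# owner, and its domain must be listed in /etc/listofdomains or Exim refuses
# mail for it. Default paths and the vmail account are the tutorial's; the
# function name and argument order are this example's own.

# audit_mailboxes [PASSWDFILE] [LISTOFDOMAINS] [VMAILHOME] [OWNER]
# Prints one line per problem found; returns 0 when there is none, 1 otherwise.
audit_mailboxes() {
    passwdfile=${1:-/etc/dovecot/imap.passwd}
    domainfile=${2:-/etc/listofdomains}
    vmailhome=${3:-/home/vmail}
    owner=${4:-vmail}
    problems=0
    while IFS=: read -r address pwhash rest; do
        # Skip empty lines and comments.
        case $address in ''|'#'*) continue ;; esac
        domain=${address##*@}
        # 1. The create script stores {SHA256-CRYPT} hashes; anything else
        #    (notably {PLAIN} or a bare password) is a misconfiguration.
        case $pwhash in
            '{SHA256-CRYPT}'*|'{SHA512-CRYPT}'*) ;;
            *) echo "$address: password is not stored as a SHA256/SHA512-CRYPT hash"
               problems=$((problems + 1)) ;;
        esac
        # 2. mail_location = maildir:/home/vmail/%u, so the directory must exist
        #    and belong to the vmail account that Exim's virtual_transport writes as.
        if [ ! -d "$vmailhome/$address" ]; then
            echo "$address: Maildir $vmailhome/$address does not exist"
            problems=$((problems + 1))
        elif [ "$(stat -c '%U' "$vmailhome/$address")" != "$owner" ]; then
            echo "$address: $vmailhome/$address is not owned by $owner"
            problems=$((problems + 1))
        fi
        # 3. domainlist local_domains = lsearch;/etc/listofdomains: the domain
        #    must appear there as a complete line.
        if ! grep -qxF "$domain" "$domainfile"; then
            echo "$address: domain $domain is not in $domainfile"
            problems=$((problems + 1))
        fi
    done < "$passwdfile"
    [ "$problems" -eq 0 ]
}

# Run with the tutorial's defaults when given at least the passwd-file path,
# e.g.: sh audit_mailboxes.sh /etc/dovecot/imap.passwd
if [ "$#" -gt 0 ]; then
    audit_mailboxes "$@" && echo "OK: all entries in $1 are consistent"
fi
```

The script exits with status 1 and lists every inconsistency, so it can also be run from cron after adding addresses to catch a forgotten Maildir or a domain that was never added to /etc/listofdomains.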
Setting up email in mail software and apps
For this tutorial, we used a domain where the MX record has the value 10 mail and the subdomain mail refers to the VPS. We assume that you maintain the same structure, if not, adjust the following to your own scenario.
Use the following information to set up your email address in your email software:
- Email address: the desired email address with which you want to email. It must exist in /etc/dovecot/imap.passwd
- Username: the same email address as above
- Password: the corresponding (non-encrypted) password
- Account name: the same email address again
- Send message using the name: the name that you want to show for your emails.
- Incoming server: mail.example.com (the subdomain that refers to your VPS)
- Account type: imap or pop3. The differences are explained here.
- Incoming port: 993 (IMAP) or 995 (POP3)
- Require SSL: yes, or SSL / TLS
- Outgoing (SMTP) server: mail.example.com (the subdomain that refers to your VPS)
- Outgoing port: 465 or 587
- Require SSL: yes, or SSL / TLS
- Outgoing server requires authentication: yes
- Use the same username and password for sending mail: yes
This brings us to the end of this article. We have discussed the basics of setting up a mail server with Exim and Dovecot with TLS security via Let's Encrypt. For the security of your mail server we also recommend consulting the following tutorials:
- Exim anti virus security with ClamAV in AlmaLinux or Rocky Linux
- Exim antispam with spamassassin in AlmaLinux or Rocky Linux
- Blacklist control for Exim in AlmaLinux or Rocky Linux
- Using DKIM with Exim in AlmaLinux or Rocky Linux
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.