Configuring Postfix, Dovecot IMAP, SASL, TLS, SpamAssassin, and ClamAV on Ubuntu "Hardy Heron" 8.04 LTS
October 31st, 2008
This is Part 3 of four parts:
- Part 1: incoming mail with spam and virus blockers
- Part 2: secure relaying for outgoing mail - authentication over SASL
- Part 3: secure IMAP and SMTP relaying with TLS for Dovecot and Postfix
- Part 4: the future - Apache JAMES?
We need TLS - Transport Layer Security
As you can see in our previous two parts of this series, we have two cases where authentication is needed:
- Before relaying, Postfix requires users to use SMTP AUTH with a username and password, to prevent open relaying
- Dovecot requires a username and password to allow IMAP access
Our mail server is (like most mail servers) in a managed hosting facility. Our users may be in the office, or at home, or a hotel room, or in an Internet cafe in Agra. All of these connections are vulnerable to interception. This isn't a far-fetched or paranoid concern, either. WiFi sniffers are unfortunately all too common in Internet cafes and other locations. A lost user password would give access to all of that user's old mail in the IMAP account. This could be a major disaster.
Encryption with TLS solves the problem. Fortunately, it's pretty easy to set up. The hardest part is getting keys and getting them into the right key file format. See our earlier blog entry about Postfix with TLS and about securing Dovecot for information about extracting keys from a Java keystore to use with Postfix and Dovecot. We'll simply list the configuration and do some testing here.
TLS IMAP for Dovecot
This one is easy:
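Before filling in Dovecot 1.0's ssl_cert_file and ssl_key_file (and, for Postfix, smtpd_tls_cert_file and smtpd_tls_key_file) with PEM files pulled out of a Java keystore, the check a practitioner wants is that the certificate and the private key really belong together and that the key is not readable by other users. The script below is an added example, not the post's own configuration or code; the file names, function names and the throw-away self-signed test pair are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.  Before pointing Dovecot 1.0's
# ssl_cert_file/ssl_key_file (or Postfix's smtpd_tls_cert_file/smtpd_tls_key_file)
# at PEM files extracted from a Java keystore, confirm that the certificate and
# the private key belong together and that the key is not readable by other
# users.  File names and function names here are this example's own.

# Return 0 when the RSA modulus inside CERT equals the one inside KEY, 1 when
# they differ, 2 when either file is not parseable PEM.  A mismatch is the
# usual symptom of exporting the wrong alias from the keystore.
pem_pair_matches() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Return 0 when KEY's mode is 600 or 400 (GNU stat first, BSD stat as fallback).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Constructed test material (not real server keys): a throw-away self-signed
# certificate with its key, plus a second, unrelated key for the negative case.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=newmail.example.invalid' \
        -keyout "$1/good.key" -out "$1/cert.pem" >/dev/null 2>&1
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
    chmod 600 "$1/good.key" "$1/other.key"
}

# Usage: sh check_tls_pair.sh demo        (runs against a temporary pair)
#        sh check_tls_pair.sh CERT KEY    (runs against your own files)
case "$#:${1:-}" in
    1:demo)
        tmp=$(mktemp -d)
        make_test_pair "$tmp"
        pem_pair_matches "$tmp/cert.pem" "$tmp/good.key"  && echo "cert.pem + good.key: match"
        pem_pair_matches "$tmp/cert.pem" "$tmp/other.key" || echo "cert.pem + other.key: mismatch (expected)"
        rm -rf "$tmp" ;;
    2:*)
        pem_pair_matches "$1" "$2" && echo "certificate and key match" || echo "MISMATCH or unreadable"
        key_is_private "$2" && echo "key mode ok" || echo "WARNING: key readable by others" ;;
esac
```

Once the files pass and Dovecot and Postfix have been restarted, `openssl s_client -connect HOST:993` and `openssl s_client -starttls smtp -connect HOST:25` show the certificate the server presents and leave you at a prompt where an IMAP `a LOGIN user pass` or an SMTP `AUTH PLAIN` can be typed by hand over the encrypted connection; that is the test that the password no longer crosses the cafe's WiFi in the clear.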
For the migration itself
At this point we have incoming mail, outgoing mail, and IMAP all working. It's time to migrate. These are the steps to migrate from one mail server to another:
- Inventory all the domains being handled by the current Postfix
- Inventory all the active user accounts on the current machine, and create the necessary user accounts on the new machine
- Inventory and copy over all necessary aliases
- Go to the DNS controls for those domains, and check what the mail exchanger (MX record) is
- Create a new domain name for the new server, such as newmail.chiralsoftware.com
- Check the SPF records for the domain names being served, and make sure the new server's address is listed as a permitted sender before it sends any mail; recipients that check SPF may reject or flag mail from an address the record does not cover
- Before making the DNS changes, turn off Postfix on the old server, so that incoming mail will be delayed (queued and retried) by the servers attempting to send it, and also turn off Dovecot, so that local users cannot change their mailboxes while they are being copied
- Use tar to tar up both the mail spool directory and the users' Maildirs, and move them to the new machine. When run as root, tar preserves file ownership based on usernames, so this is an effective way to do it, provided the same usernames already exist on the new machine (which is why the accounts were created first)
- Make the DNS changes to the relevant domains
- Once the DNS changes have taken effect, activate Postfix on the new server to start receiving mail and test it, then activate Dovecot to start handling IMAP and test it
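The copy-and-verify part of that procedure, written out as an added example rather than the post's own commands: pack the mail spool and the Maildirs on the old host with tar so that owner names travel with the files, unpack on the new host, and compare the two trees before the DNS change is made. The host name, paths, sample mailboxes and function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the original post's command line: move the system mail
# spool and the users' Maildirs with tar, preserving ownership by user name,
# and confirm that nothing was lost before DNS is switched.  Host name, paths,
# sample mailboxes and function names are this example's own assumptions.

# Step 1, on the OLD host as root: stop delivery and IMAP so nothing changes
# underneath the copy.  Sending MTAs queue the mail and retry later.
stop_mail_services() {
    /etc/init.d/postfix stop && /etc/init.d/dovecot stop
}

# Stream DIR to a tar archive on stdout.  -p keeps modes.  GNU tar stores the
# owner *name* next to the numeric uid, and on extraction as root it chowns
# each file to whatever uid that name has on the new machine; that is why the
# accounts are created there first, and why --numeric-owner must NOT be used.
pack_mail_tree() {
    tar -C "$1" -cpf - .
}

# Unpack an archive from stdin into DIR (must run as root to restore owners).
unpack_mail_tree() {
    mkdir -p "$1" && tar -C "$1" -xpf -
}

# Local copy used for the self-test.  Across machines the same pipeline is
#   pack_mail_tree /var/mail | ssh root@newmail.example.invalid \
#       'mkdir -p /var/mail && tar -C /var/mail -xpf -'
copy_mail_tree() {
    pack_mail_tree "$1" | unpack_mail_tree "$2"
}

# Return 0 when the two trees have the same directories (a Maildir needs its
# empty cur/new/tmp) and the same regular files with identical contents.
trees_match() {
    a=$(cd "$1" && find . -type d | sort && find . -type f -exec cksum {} + | sort)
    b=$(cd "$2" && find . -type d | sort && find . -type f -exec cksum {} + | sort)
    [ "$a" = "$b" ]
}

# Constructed sample data (not a real spool): two users with Maildirs and one
# mbox in the system spool.
make_sample_spool() {
    for u in alice bob; do
        for d in cur new tmp; do mkdir -p "$1/home/$u/Maildir/$d"; done
        printf 'From: postmaster\nSubject: test\n\nhello %s\n' "$u" \
            > "$1/home/$u/Maildir/new/1225425600.M1P1.oldmail"
    done
    mkdir -p "$1/var/mail"
    printf 'From alice Fri Oct 31 00:00:00 2008\n\nspooled\n' > "$1/var/mail/alice"
}

# Usage: sh migrate_mail.sh demo   (copies and verifies a temporary sample tree)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_spool "$tmp/old"
    copy_mail_tree "$tmp/old" "$tmp/new"
    trees_match "$tmp/old" "$tmp/new" && echo "copy verified" || echo "copy INCOMPLETE"
    rm -rf "$tmp"
fi
```

On the real hosts, run stop_mail_services on the old machine first, pipe pack_mail_tree through ssh to the new one as root, and only after trees_match (or the equivalent comparison over ssh) passes for both /var/mail and the home directories should the MX records be changed. The cksum pass is slow on a large spool but catches the silent case of a tar stream cut off by a dropped connection.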