Install dovecot email server on Amazon Linux2022

In Amazon AWS

Install a Basic TLS/SMTP IMAP e-mail Server on Amazon Linux 2022

Software: SASL, PAM, POSTFIX, DOVECOT in conjunction with Amazon SES

An END-TO-END Solution

This is a detailed discussion for an end-to-end installation of a basic/introductory e-mail server on Amazon Linux 2022. (I have private notes on Linux2.) Installing Roundcubemail is a separate article or an add-on I can do here later on.

NEVER DO THIS TECHNICAL EXERCISE ON A LIVE SYSTEM !!

I looked at this exercise on and off for 2 years, finally having a working installation. I gave up many times. There is no end-to-end article on the Internet for this installation, but some very important sections of information from various authors. Others spend millions of dollars to do fully qualified services for us, so we should be using services like Amazon Workmail or MS Exchange, and so on.

Having said that, I assert this service will make use of a pre-configured and tested SES service utilising an S3 bucket, Lambda function(s), IAM attached on the Instance, Amazon’s anti-spam and DKIM/SPF, DMARC security. This means the headers of our final e-mails will be professional. We will also assume from my other installation notes you know how to install Linux 2022, and S3FS to do an “nfs-style” mount of the inbound e-mail bucket. These must be working.

First Notes

Disclaimers

This article is not using production-strength or advanced configurations. It shows the basic installation as up and running only as a technical exercise for one e-mail user and no aliases or vhosts etc. It will use domain_name.com and “fred” as the example names. There is no discussion of ongoing problems that may arise in the real world.

The end-to-end solution contains many configurations I personally do not understand or have expertise in. They are simply given as a working model, therefore some configs may not be needed or could be different. This is a starting point that works. For instance, I have not added e-mail sizes or how to add additional disk space, or virtual mailboxes and a database, or options like mbox or dbox.

Prerequisites

The service will need the SES framework up and running. We will have incoming e-mails going into an S3 bucket, as there is no other choice. These are transferred to the INBOX via crontab each minute. SES also permits the outgoing e-mails.

We will configure Route53 DNS appropriately.

For the purposes of this exercise, we will not create a hostname called imap.domain_name.com, as that would require an SSL certificate covering domain_name.com, www.domain_name.com and imap.domain_name.com.

We are using a Comodo Store Positive SSL certificate, the lowest cost available, rather than letsencrypt. You may test with letsencrypt, but the Comodo (or Sectigo) certificate should ensure the certificate is valid and not produce incompatibility errors when testing.

We will finally configure Apple’s Mail.app on an iMac to send and receive e-mails. I would suggest once the server is tested with outgoing and incoming e-mails, one can do a snapshot backup.

Notes

We use dovecot with some parts of cyrus. We do not need the cyrus-imap package that was included on Linux2. Linux 2022 no longer has dovecot by default, hence the compilations we give below. Keep in mind that authorisations need saslauthd, its password/user setups, and PAM, which I show below.

We will not look at POP3 email, but the ports are opened on my test instance.

The Configurations

Basic Configurations

Linux 2022 Dovecot

[
All of my comments below are enclosed in these square brackets [] and terminal shell commands are as-shown
SSH Logged in as “sudo su”
I use the vi editor in the configs below. Use your own preference.
]

echo "vm.swappiness=10" >> /etc/sysctl.conf
echo "vm.vfs_cache_pressure=200" >> /etc/sysctl.conf
sysctl -w vm.swappiness=10
sysctl -w vm.vfs_cache_pressure=200
dd if=/dev/zero of=/swapfile bs=1024 count=1048576
mkswap /swapfile
chmod 600 /swapfile
swapon /swapfile
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
free -m

dnf install -y httpd httpd-tools mod_ssl 
dnf install -y php php-common php-pear wget php-mysqli php-devel php-mbstring
dnf install -y php-cli php-pdo php-fpm php-json php-mysqlnd php-opcache
dnf install -y gd libzip-devel httpd-devel kernel-devel php-gd postfix
dnf -y install pcre-devel gcc zlib zlib-devel
pecl install zip
pecl channel-update pecl.php.net

[You should add “extension=zip.so” to php.ini – insert after the Dynamic Extensions section in /etc/php.ini]

dnf install -y cronie cronie-anacron

[Set your own timezone]

a="Australia/Brisbane";export a;echo $a
ln -sf /usr/share/zoneinfo/$a /etc/localtime
date

[
Do standard setups as per my Linux install notes for:
– php.ini, php.d/10-opcache.ini, php-fpm.d/www.conf
– /etc/httpd/conf/httpd.conf, /etc/httpd/conf.modules.d and /etc/httpd/conf.d files.
– add/configure /usr/share/phpMyAdmin
– /etc/bashrc PS1 value
– apache user/group
– change the ownership of /var/www/html (drwxrwsr-x. 2 ec2-user apache 6 Jun 30 2022 html) with chown apache html, so the owner shown is apache rather than ec2-user
– mariadb v10 (instead of older v5)
– if using certbot, then the python3 configs and install certbot certificate (tricky).
– basic postfix up and running, sending emails
– s3fs configs (this allows emails to be mounted from an S3 bucket to your instance – see my article on installing this – I would not do much on this until you know dovecot is working)
]

dnf -y install mariadb105
dnf -y install mariadb105-server

[configure mariadb]
[some of these may not be required, but I’ll put them in anyway…]

dnf -y install automake fuse fuse-devel gcc-c++ git libcurl-devel libxml2-devel make openssl-devel
dnf -y install bison flex
dnf -y install gettext-devel 
dnf -y install pam-devel

[Update to this release – not later as it impacts updates to mariadb:]

dnf update
dnf upgrade
dnf update --releasever=2022.0.20221019

sync;sync;reboot

[Test that https:// is working ok before continuing…]
[
DNS entries are standard as we are using the primary domain name, so there are SES records for mail.domain_name.com (or whatever) and an MX record for domain_name.com to Amazon’s relay server, which in my case from Oregon is 10 inbound-smtp.us-west-2.amazonaws.com. See my SES installation notes for more information.
We need to ensure the EC2 instance has these ports open in its inbound rules for the security group. You can play with these later if you want to remove things like POP.
587
25
993
80
110
143
443
995
465
]
[CONFIGURE POSTFIX for standard Amazon / SES use, and test it. We will modify it for Dovecot after we know it is correctly up and running.]
[
INSTALLING DOVECOT

Download from here:
www.dovecot.org/download/
Then upload to your /home/ec2-user directory, tar xvf the gzip file.

cd to the extracted dovecot directory and compile dovecot – takes a while.
For example, cd dovecot-2.3.20
]

./configure --with-ssl=openssl --enable-maintainer-mode --with-pam

[
I got the following lines at the end of this configure command. It is important that you see SSL: yes (OpenSSL)

Install prefix . : /usr/local
File offsets ... : 64bit
I/O polling .... : epoll
I/O notifys .... : inotify
SSL ............ : yes (OpenSSL)
GSSAPI ......... : no
passdbs ........ : static passwd passwd-file shadow pam checkpassword
                 : -bsdauth -ldap -sql
userdbs ........ : static prefetch passwd passwd-file checkpassword
                 : -ldap -sql
CFLAGS ......... : -std=gnu99 -g -O2 -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
SYSTEMD ........ : simple - /usr/lib/systemd/system/dovecot.service
SQL drivers .... :
                 : -pgsql -mysql -sqlite -cassandra
Full text search : squat
                 : -lucene -solr
]

make
make install

[This method means we have to add a soft link from dovecot to /etc/dovecot, and copy example files…]
[Now that we have copied the files, we configure postfix, dovecot, /etc/hosts, sasl and pam, including adding an email user and null dovecot users]
[
CONFIGURING POSTFIX/DOVECOT/PAM/SASL
]

adduser dovenull
adduser dovecot

systemctl enable mariadb
systemctl enable httpd
systemctl enable php-fpm
systemctl enable postfix
systemctl enable saslauthd

[Restart all the above services to make sure it is all running]

doveconf -n

[This is the error you will see:
# 2.3.20 (80a5ac675d): /usr/local/etc/dovecot/dovecot.conf
doveconf: Fatal: open(/usr/local/etc/dovecot/dovecot.conf) failed: No such file or directory (copy example configs from /usr/local/share/doc/dovecot/example-config/)

We need to create a softlink to /etc/dovecot to make things easier for us, so we can do commands like cd /etc/postfix, cd /etc/dovecot and so on, and copy the dovecot configuration files to that /etc/dovecot directory....]

cd /usr/local/etc/dovecot
ls

[We should see a README file]

ln -s /usr/local/etc/dovecot /etc/dovecot
cd /etc/dovecot
ls

[We should see the same file]

cd /usr/local/share/doc/dovecot/example-config
ls

[We should see dovecot.conf and the directory conf.d]

cp -pR * /etc/dovecot
cd /etc/dovecot
ls

[This should be enough for our basic configurations. You will notice there are other files in /usr/local/share/doc/dovecot that we will not worry about]

cd /etc/systemd/system
ln -s /usr/lib/systemd/system/dovecot.service dovecot.service
cd /usr/lib/systemd/system
ls

vi dovecot.service

[Change ProtectSystem=full to:]

ProtectSystem=false

[Save and exit the editor]

[Create a utility that we will use later to keep testing each step of our configs to make sure the system does not fail on one of our steps… It will not work just yet though. Replace “fred” and password with your own on the testsaslauthd line:]

cd /home/ec2-user
vi st.sh
#!/bin/sh
# st.sh: stop, reload and restart the three mail daemons, show their status,
# then run one SASL authentication check. Replace fred/password with your own
# test user; the password is visible in the process list while the check runs.
echo "Stop Postfix Dovecot"
systemctl stop postfix
systemctl stop dovecot
systemctl stop saslauthd
systemctl daemon-reload
echo "Start saslauthd Postfix Dovecot"
systemctl start dovecot
systemctl start postfix
systemctl start saslauthd
echo "Status Postfix"
systemctl status postfix -l
echo "Status saslauthd"
systemctl status saslauthd -l
echo "Status Dovecot"
systemctl status dovecot -l
echo "TESTSASLAUTHD"
testsaslauthd -u fred -p password
exit

[Save and exit the editor]

chmod 775 st.sh

[Add an email user. We will use fred on a test domain name called domain_name.com. Use your own names.]

adduser fred
passwd fred

[Give fred a password]

cd /home
ls -l
cd fred
mkdir Maildir
chown fred Maildir
chgrp fred Maildir
chmod 2775 Maildir
cd /etc/postfix
vi main.cf

[
Add these entries, replacing domain_name.com with your own domain name and the .crt and .key paths with your own certificate files, and ensure there are no duplicate entries.
If there are, systemctl status postfix -l should show where you have doubled up, giving an error.
]

myhostname = domain_name.com
mydomain = domain_name.com
myorigin = $mydomain
inet_interfaces = all
# inet_interfaces = localhost
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
relayhost = [email-smtp.us-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/domain_name.key
smtpd_tls_cert_file = /etc/pki/tls/certs/domain_name.crt
smtpd_tls_security_level = encrypt
smtpd_tls_loglevel = 2
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_auth_only = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_sasl_mechanism_filter = plain, login
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtp_sasl_type = cyrus
smtpd_use_tls = yes
smtp_sasl_path = private/auth
smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_maps

[Save and exit the editor]

[
Notice that there is an existing entry that says:
smtp_tls_CApath = /etc/pki/tls/certs
This is good if you are using a Comodo or Sectigo style SSL certificate in that directory, but letsencrypt would, I gather, need /etc/letsencrypt/live/domain_name.com (with whatever your domain name is)
]
[In this next configuration, use your own email name and domain name...]

vi smtpd_sender_login_maps
fred@domain_name.com fred

[save and exit the editor]

postmap hash:/etc/postfix/smtpd_sender_login_maps
chmod 0600 /etc/postfix/smtpd_sender_login_maps /etc/postfix/smtpd_sender_login_maps.db

[You will see smtpd_sender_login_maps.db as a new file after this. If editing again, put back to chmod 777, then redo the same steps.]

cd /etc/postfix
vi master.cf

[Have the following entries. You will have to add a section for smtps;
for example, insert it above the commented line #submissions     inet  n       -       n       -       -       smtpd]

smtp      inet  n       -       n       -       -       smtpd

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

# Port 465 is implicit TLS (the session is encrypted before any SMTP command),
# so this listener needs wrapper mode; without it clients expecting SMTPS fail.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

[Save and exit the editor]
cd /etc
vi emailuser
fred
fred@domain_name.com

[Save and exit the editor]

cd pam.d
vi dovecot
#%PAM-1.0
# The /etc/emailuser allow-list must be checked BEFORE the password-auth
# include: that stack ends in "sufficient" modules, which return success to
# Dovecot as soon as the password is right, so a pam_listfile line placed
# after the include would never run.
auth       required     pam_nologin.so
auth       required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
auth       include      password-auth
account    required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
account    include      password-auth
session    include      password-auth

[save and exit]
vi imap
#%PAM-1.0
# same ordering as the dovecot file above
auth       required     pam_nologin.so
auth       required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
auth       include      password-auth
account    required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
account    include      password-auth
session    include      password-auth

[save and exit]
vi smtp
#%PAM-1.0
# used by saslauthd for Postfix SMTP AUTH; allow-list first, for the same reason
auth       required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
auth       include      password-auth
account    required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
account    include      password-auth

[save and exit]
vi smtpd
#%PAM-1.0
auth       required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
auth       include      password-auth
account    required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
account    include      password-auth

[save and exit]
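One way to verify that the allow-list in these four files is actually enforced, as an added example (not from the original article). It assumes only sh and awk, builds two constructed sample files, and applies the rule that a pam_listfile line only counts when it precedes the include of its own stack type:

```shell
#!/bin/sh
# pam_allowlist_check FILE: does the pam_listfile allow-list in a PAM service
# file (such as /etc/pam.d/dovecot above) actually restrict logins?
# Linux-PAM stops walking a stack as soon as a "sufficient" module succeeds
# with no earlier "required" failure, and the auth and account stacks of
# password-auth both contain such modules. So a pam_listfile line only takes
# effect when it sits BEFORE the "include password-auth" line of its type.
# Prints "<type>: effective|bypassable|missing" for auth and account, and
# returns 0 only when both stacks are effective.
pam_allowlist_check() {
    file=$1
    rc=0
    for stack in auth account; do
        verdict=$(awk -v t="$stack" '
            /^[ \t]*(#|$)/ { next }             # comments and blank lines
            $1 != t        { next }             # only this stack type
            ($2 == "include" || $2 == "substack") && !inc { inc = NR }
            $0 ~ /pam_listfile\.so/ && !lf     { lf = NR }
            END {
                if (!lf)            print "missing"
                else if (!inc)      print "effective"
                else if (lf < inc)  print "effective"
                else                print "bypassable"
            }' "$file")
        echo "$stack: $verdict"
        [ "$verdict" = "effective" ] || rc=1
    done
    return $rc
}

# Constructed sample files (not taken from a live host): the listfile lines
# after the include, and the corrected order with them before it.
tmp=$(mktemp -d)
cat >"$tmp/dovecot.after" <<'EOF'
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      password-auth
account    include      password-auth
session    include      password-auth
auth    required  pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
account required  pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
EOF
cat >"$tmp/dovecot.before" <<'EOF'
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
auth       include      password-auth
account    required     pam_listfile.so  item=user sense=allow file=/etc/emailuser onerr=fail
account    include      password-auth
session    include      password-auth
EOF

pam_allowlist_check "$tmp/dovecot.after" || echo "allow-list not enforced"   # auth: bypassable, account: bypassable
pam_allowlist_check "$tmp/dovecot.before"                                    # auth: effective, account: effective
```

Run it against /etc/pam.d/dovecot, imap, smtp and smtpd once they are saved; any "bypassable" line means a valid password alone is enough to log in, whatever /etc/emailuser says.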
cd /etc/dovecot
vi dovecot.conf
protocols = imap pop3 lmtp
listen = *, ::

[save and exit]
cd /etc/dovecot/conf.d
vi 10-auth.conf
# "no" lets clients send PLAIN/LOGIN over an unencrypted 143/110 session as well
disable_plaintext_auth = no
auth_mechanisms = plain login

[save and exit]
vi 10-ssl.conf
# "yes" offers TLS; "required" would refuse any login outside TLS
ssl = yes
ssl_cert = </etc/pki/tls/certs/domain_name.crt
ssl_key = </etc/pki/tls/private/domain_name.key

[save and exit]

[Again, in the above, use your own domain name crt and key files. The file contents are what matters, so various providers could give you different names.
For letsencrypt you would have /etc/letsencrypt/live/domain_name.com/fullchain.pem and /etc/letsencrypt/live/domain_name.com/privkey.pem]
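An added check, not part of the original article, for the two settings just edited: it reads a Dovecot configuration tree and reports whether disable_plaintext_auth = no combined with ssl = yes (rather than ssl = required) leaves cleartext logins possible on 143/110. The sample trees it builds are constructed, and its parsing is a deliberately simplified version of what doveconf does (assumption: plain "key = value" lines, no includes or nested sections):

```shell
#!/bin/sh
# dovecot_plaintext_audit DIR: read the settings edited above (10-auth.conf and
# 10-ssl.conf under DIR/conf.d) and say whether a remote client may send its
# password in the clear. Dovecot takes PLAIN/LOGIN on an unencrypted session
# only when disable_plaintext_auth = no, and "ssl = yes" (unlike
# "ssl = required") still serves cleartext IMAP on 143 and POP3 on 110, so the
# two settings have to be judged together. Parsing rule: "key = value" lines
# from dovecot.conf and conf.d/*.conf, comments stripped, last assignment wins
# (the same order doveconf uses). Returns 0 when safe, 1 when cleartext logins
# are possible.
dovecot_plaintext_audit() {
    dir=$1
    # get KEY DEFAULT -> effective value of KEY, or DEFAULT when never set
    get() {
        v=$(cat "$dir/dovecot.conf" "$dir"/conf.d/*.conf 2>/dev/null \
            | sed 's/#.*//' \
            | awk -F'=' -v k="$1" '
                $1 ~ ("^[ \t]*" k "[ \t]*$") {
                    sub(/^[ \t]*/, "", $2); sub(/[ \t]*$/, "", $2); val = $2
                }
                END { print val }')
        echo "${v:-$2}"
    }
    plain=$(get disable_plaintext_auth yes)   # Dovecot default: yes
    ssl=$(get ssl yes)                         # Dovecot default: yes
    mech=$(get auth_mechanisms plain)
    if [ "$ssl" = "required" ]; then
        echo "ok: ssl = required, every login happens inside TLS"
        return 0
    elif [ "$plain" = "yes" ]; then
        echo "ok: disable_plaintext_auth = yes, cleartext 143/110 refuse passwords"
        return 0
    fi
    echo "warn: disable_plaintext_auth = no with ssl = $ssl: [$mech] accepted on cleartext 143/110"
    return 1
}

# Constructed sample trees (not copied from a host): the page's settings, and
# the same tree with ssl = required.
tmp=$(mktemp -d)
for variant in page hardened; do
    mkdir -p "$tmp/$variant/conf.d"
    printf 'protocols = imap pop3 lmtp\nlisten = *, ::\n' >"$tmp/$variant/dovecot.conf"
    printf 'disable_plaintext_auth = no\nauth_mechanisms = plain login\n' \
        >"$tmp/$variant/conf.d/10-auth.conf"
done
printf 'ssl = yes\nssl_cert = </etc/pki/tls/certs/domain_name.crt\n' >"$tmp/page/conf.d/10-ssl.conf"
printf 'ssl = required\nssl_cert = </etc/pki/tls/certs/domain_name.crt\n' >"$tmp/hardened/conf.d/10-ssl.conf"

dovecot_plaintext_audit "$tmp/page" || true   # warn: ... [plain login] accepted on cleartext 143/110
dovecot_plaintext_audit "$tmp/hardened"       # ok: ssl = required, every login happens inside TLS
```

Point it at /etc/dovecot to audit the live tree; the warning is exactly the state the fragments above produce, and ssl = required is the single-line change that removes it.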

vi 10-master.conf
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service auth {
  # Postfix smtp-auth: the socket Postfix reaches via smtpd_sasl_path = private/auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

[save and exit]

vi /etc/dovecot/conf.d/auth-system.conf.ext
passdb {
  driver = pam
  args = session=yes dovecot
  # args = %s
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=]
  # [cache_key=] []
  #args = dovecot
}
userdb {
  driver = passwd
}

[save and exit - userdb should already be there, but just check it is]

[Set the password for the user “fred” to the same password you already used:]

saslpasswd2 -c -u domain_name.com fred
sasldblistusers2
cd /etc/dovecot/conf.d
vi 10-mail.conf
[uncomment the line as shown:]

mail_location = maildir:~/Maildir

[save and exit]

[Note: often configs do not work until you restart services, including saslauthd]
[Again, I’m not 100% sure on every config I have shown, but we want to get things up and running. Add your own public IP address for the instance to /etc/hosts.
Append to the bottom of the file:]
[I found I did not need the next /etc/hosts step…]

vi /etc/hosts
xxx.xxx.xxx.xxx domain_name.com

[save and exit with your own IP address and hostname]

[I like to have a backup user who can log in to the EC2 instance from an EC2 AWS terminal if root cannot do so for some reason. For example, if you accidentally overwrite /home/ec2-user/.ssh you are done! You can append to /etc/sudoers something like:
fred ALL=(ALL) NOPASSWD:ALL
]

—————————————————————————————————————————————————

[If you run your st.sh script, you should see output like this:]

Stop Postfix Dovecot
Start Postfix Dovecot
Status Postfix
● postfix.service – Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2023-01-18 10:14:28 AEST; 18ms ago
Process: 7367 ExecStartPre=/usr/sbin/restorecon -R /var/spool/postfix/pid/master.pid (code=exited, status=255/EXCEPTION)
Process: 7368 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
Process: 7370 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
Process: 7371 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
Main PID: 7442 (master)
Tasks: 3 (limit: 419)
Memory: 4.4M
CPU: 421ms
CGroup: /system.slice/postfix.service
├─ 7442 /usr/libexec/postfix/master -w
├─ 7443 pickup -l -t unix -u
└─ 7444 qmgr -l -t unix -u

Jan 18 10:14:27 ip-172-31-42-247.ap-southeast-2.compute.internal systemd[1]: Starting postfix.service – Postfix Mail Transport Agent…
Jan 18 10:14:27 ip-172-31-42-247.ap-southeast-2.compute.internal restorecon[7367]: /usr/sbin/restorecon: lstat(/var/spool/postfix/pid/master.pid) failed: No such file or directory
Jan 18 10:14:28 ip-172-31-42-247.ap-southeast-2.compute.internal postfix/postfix-script[7440]: starting the Postfix mail system
Jan 18 10:14:28 ip-172-31-42-247.ap-southeast-2.compute.internal postfix/master[7442]: daemon started — version 3.7.2, configuration /etc/postfix
Jan 18 10:14:28 ip-172-31-42-247.ap-southeast-2.compute.internal systemd[1]: Started postfix.service – Postfix Mail Transport Agent.
Status Dovecot
● dovecot.service – Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; linked; vendor preset: disabled)
Active: active (running) since Wed 2023-01-18 10:14:27 AEST; 482ms ago
Docs: man:dovecot(1)
https://doc.dovecot.org/
Main PID: 7364 (dovecot)
Tasks: 4 (limit: 419)
Memory: 6.0M
CPU: 38ms
CGroup: /system.slice/dovecot.service
├─ 7364 /usr/local/sbin/dovecot -F
├─ 7372 dovecot/anvil
├─ 7373 dovecot/log
└─ 7374 dovecot/config

Jan 18 10:14:27 ip-172-31-42-247.ap-southeast-2.compute.internal systemd[1]: Started dovecot.service – Dovecot IMAP/POP3 email server.
Jan 18 10:14:28 ip-172-31-42-247.ap-southeast-2.compute.internal dovecot[7364]: master: Dovecot v2.3.20 (80a5ac675d) starting up for imap, pop3, lmtp

[But there is still a problem. The TESTSASLAUTHD step at the end of the output fails:]
connect() : No such file or directory

—————————————————————————————————————————————————

[You have to restart saslauthd. In the example below, use your own user instead of fred, and fred’s password, then you should see the OK Success message.]

systemctl restart saslauthd
testsaslauthd -u fred -p password

0: OK "Success."

systemctl enable dovecot

[Remember, it is good to reboot the instance if you’ve done a lot of new work.]
[TESTING.... these commands (with your own domain name) should work.]

openssl s_client -crlf -starttls smtp -connect email-smtp.us-west-2.amazonaws.com:587
quit

openssl s_client -crlf -connect email-smtp.us-west-2.amazonaws.com:465
quit

[again, use your own domain name:]

openssl s_client -connect domain_name.com:993
A1 LOGIN fred password

[
!!!!! if you get something like:
warning: hostname mail.waytoslowmanagement.de does not resolve to addres
then there is something odd going on, like a grey-listed IP address. Get a new Amazon IP address and edit /etc/hosts after an instance stop/start.
You can however try these tests without an appended entry in /etc/hosts and see how you go. If you add something like imap.domain_name.com you may need to add an entry in /etc/hosts (?), but you would need to add another A record in DNS with the same IP address as domain_name.com for imap.domain_name.com, and an MX record to Amazon’s relay, or possibly to your domain_name.com name – not sure until this is tested.
If you get the error again, try systemctl status postfix -l and systemctl status dovecot -l. If you see a dovecot error, there is something in conf.d that likely needs correction.

Do the above again, and try the following (or, if it is working, continue the test to LIST the INBOX):
]

openssl s_client -connect domain_name.com:993
A1 LOGIN fred password
A2 LIST "" "*"
A3 EXAMINE INBOX
A4 LOGOUT
netstat -a|grep imap

[output like this:]
tcp 0 0 0.0.0.0:imaps 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:imap 0.0.0.0:* LISTEN
tcp6 0 0 [::]:imaps [::]:* LISTEN
tcp6 0 0 [::]:imap [::]:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 39684 /usr/local/var/run/dovecot/login/imap
unix 2 [ ACC ] STREAM LISTENING 39687 /usr/local/var/run/dovecot/imap-master
unix 2 [ ACC ] STREAM LISTENING 39690 /usr/local/var/run/dovecot/imap-urlauth-worker
unix 2 [ ACC ] STREAM LISTENING 39691 /usr/local/var/run/dovecot/token-login/imap-urlauth
unix 2 [ ACC ] STREAM LISTENING 39694 /usr/local/var/run/dovecot/imap-urlauth
unix 2 [ ACC ] STREAM LISTENING 39701 /usr/local/var/run/dovecot/imap-hibernate

netstat -antup | grep dovecot 

[Use your own domain name in these tests:]

openssl s_client -starttls smtp -connect domain_name.com:25
quit

openssl s_client -starttls smtp -connect domain_name.com:587
quit

openssl s_client -starttls imap -connect domain_name.com:143
A1 LOGOUT

[or, try the same A1, A2, A3, A4 options shown above on port 993]

[
When e-mail is up and running:
– treat Roundcubemail as a separate installation exercise
– install SES with e-mail rules, and the S3FS bucket mount/scripts/crontab as separate exercises. There is quite a lot involved around this.
– Make sure you previously have the domain able to receive emails and the SES email rules include the user, e.g. fred@…..
– See my other articles on s3fs mount errors and fixes, and SES installations with IAM attached to the instance, email rules etc.
]

*** NOW ADD an Apple iMac email account ***
Use your own values:

email address: fred@…..
Username: fred
Account type: imap
Incoming: domain_name.com
Outgoing: domain_name.com

Takes half a minute if all is ok. Otherwise it may take a long time and default to non-SSL.
Untick the Notes option.

At this stage there is only an INBOX, so initially try sending from your new email domain to some other email you already have.
As you work with emails, or add folders in iMac/Mail.app these will show up ok.

This should work, as I have tested it with all the above configurations and openssl tests.

You should previously have set up an S3 bucket to receive emails.
Try sending to fred@…. and check the bucket and CloudWatch logs if need be.

If that works you can then setup S3FS to mount the bucket, and run a crontab script every minute:

cd /home/ec2-user
vi email.sh
#!/bin/sh
# email.sh: move SES messages from the s3fs-mounted bucket into fred's Maildir (run by cron).
cd /var/s3email || exit 1
for f in *; do
  [ -f "$f" ] || continue          # no messages: "*" stays literal, skip it
  chown fred:fred "$f"
  chmod 600 "$f"                   # the mailbox owner is the only reader Dovecot needs
  mv "$f" /home/fred/Maildir/new/
done
exit 0

[save and exit]

[You need to cd to /var to avoid processes hanging]

cd /var
ls -l
[Verify you have s3email as a directory, or some other name you set up, and that you have your IAM policy attached to the instance - see my other setup articles]
s3fs -o iam_role="YOUR_IAM_ROLE" -o use_path_request_style -o url="https://s3-us-west-2.amazonaws.com" -o endpoint=us-west-2 -o dbglevel=info -o curldbg -o allow_other -o use_cache="" YOURBUCKETNAME_Already_Working /var/s3email
df
crontab -e
* * * * * /home/ec2-user/email.sh >/dev/null 2>&1

[save and exit]

[
Questions:
– How do we upgrade Dovecot? I have not addressed this just yet.
]

If one can install all the above, one will have the skills to install roundcubemail.

There are some dnf packages to consider, which I managed to work out.
The final configs are quite simple. See Roundcube’s installation webpage.
Make sure /var/www/ has apache ownership and group in html,
and all roundcube files – see my chdir.sh script for setting permissions.
And make sure /var/www/html/roundcubemail/config has chmod 777 on the temp directory, and that you have created a user called roundcube in Mariadb with UTF83 general char set. I don’t know whether we need imagick and php-imagick, but I did work out those configs.

However, config.inc.php had these values:
$config['imap_host'] = 'tls://domain_name.com:143';
$config['smtp_host'] = 'tls://domain_name.com';

defaults.inc.php should not be used for modifications, rather config.inc.php, but here were my settings:

$config['imap_host'] = 'localhost:143';

Cheers 🙂

How to change from domain_name.com to imap.domain_name.com – with letsencrypt

Say you’d like the incoming and outgoing entry to be some other name, like imap.domain_name.com. I think this raises other problems, but one can try it.

To Route53, add another A record with the name using the same IP address.

In Route53, as per my installation notes, add the CAA records for letsencrypt, rather than Comodo.

Add another MX record with imap, using the same as the standard Amazon MX record values.

Using certbot, set up domain_name.com, www.domain_name.com, and imap.domain_name.com (three values) and place all three as aliases in the ssl.conf file.

/etc/hosts does not need another entry.

In /etc/dovecot/conf.d/10-ssl.conf, change the entries to letsencrypt.

For instance, </etc/letsencrypt/live/domain_name/fullchain.pem and so on.

Do the same fix for the two certificate entries in /etc/postfix/main.cf.

Ensure https:// is running fine, and restart saslauthd, postfix, and dovecot with the systemctl stop/start commands, and if need be do dovecot twice if you get strange messages from the systemctl status … -l command.

You should now be able to add the account to your Mail.app (or other email client you like using.)

If all is well, as it should be, reboot your instance, verify that httpd, saslauthd, postfix, and dovecot are running, then retest sending and receiving emails with the server account you previously set up above.

Reverse Lookup

If you use the URL:
mxtoolbox.com/SuperTool.aspx#

you can test your postfix/dovecot service using the test email server option. It will give a reverse pointer error:
SMTP Banner Check Reverse DNS does not match SMTP Banner

To fix this, do a PTR lookup of your server IP address, and obtain the Amazon EC2 instance associated with the IP.
e.g.
ec2-xx-xx-xxx-xxx.ap-southeast-2.compute.amazonaws.com -> whatever values.
Then in /etc/postfix/main.cf add a line with the EC2 instance value, followed by any two strings:
smtpd_banner = ec2-xx-xx-xxx-xxx.ap-southeast-2.compute.amazonaws.com ESMTP domain_name.com postfix
In this example we put the domain name being used, and that it was postfix. At least now the reverse lookup in MX Tools will be ok.
