Ubuntu is a Debian-based Linux operating system, with Unity as its default desktop environment. It is based on free software and named after the Southern African philosophy of ubuntu (literally, "human-ness"), which often is translated as "humanity towards others" or "the belief in a universal bond of sharing that connects all humanity". According to some metrics, Ubuntu is the most popular Linux distribution.
Every mail server administrator dreads his or her server becoming compromised by spammers. A lot of effort, time and even money is spent on securing mail servers and making sure that the servers do not become open relay.
To combat against spambots in an SMTP server, Postfix in general uses the mynetworks parameter to specify the trusted sender network i.e., LAN. In a typical scenario, the users stationed in the internal LAN are legitimate users, and Postfix will happily accept SMTP requests from them, and forward the emails towards destination. Although this used to be the standard practice in the past, today's users want mobility. Everyone wants to be able to send/receive emails in their phones/tablets/laptops at work, home, on the go, or even from their favorite coffee shop around the corner. For people who are in the fields for critical services, a simple email alert could save a lot of time, effort and money.
To cope up with the mobility need, Postfix started to support another method of validating users. Simple Authentication and Security Layer (SASL) is a framework that can be used by many connection-oriented Internet protocols for securing data, servers and users. With SASL enabled, Postfix will not accept any incoming SMTP connections without proper authentication. As smart spammer can imitate a legitimate email account, no SMTP from even internal users are accepted without authentication.
This tutorial will focus on setting up a Postfix SMTP server to use Dovecot SASL for user authentication. As Dovecot provides mechanisms for user authentication, Postfix will simply ask Dovecot to do the work for it. That way, there is no need to re-invent the wheel.
SSL (Secure Sockets Layer) and its descendant TLS (Transport Layer Security) are the most widely used protocols for encrypting data that is exchanged between a server and a client. These protocols often use X.509 certificates and asymmetric cryptography.
STARTTTLS is another method of securing plain-text communication. This protocol also encrypts data with SSL or TLS, but with the same port as the plain-text protocols, instead of using separate ports for SSL/TLS-encrypted communications. For example, IMAP over STARTTLS uses the same port as IMAP (143), while IMAPS (IMAP over SSL) uses a separate port 993.
The previous tutorial describes how to set up a mail server running on Postfix and Dovecot, but the security aspect was not covered. In this tutorial, we demonstrate how to add security to a mail server through TLS/SSL-based encryption.
Certificates needed for TLS/SSL can be self-signed, signed by a free certification authority (e.g., CAcert) or signed by a commercial authority (e.g., VeriSign), and can be generated with utilities like OpenSSL. We are going to use a self-signed certificate in this tutorial.