Lampros - Weird Bricks

Step by step instructions for setting up a FreeBSD e-mail server with Postfix and Dovecot

27 February, 2011 | FreeBSD

Note: Fixed the missing SSL certificate lines for Dovecot and added the screenshot (ver 2) 

Note: This post took forever to write, comments/corrections/suggestions/questions/problems and any kind of feedback will be much appreciated! Enjoy!

Let's start looking at something slightly more advanced. E-mail.

FreeBSD can make for a great e-mail server, and I have previously succesfully run a POP3/IMAP server on a system with as little as 128MB of RAM. Impressed? Read on.

This is a step-by-step guide on building a basic SMTP/IMAP server with SSL for encrypted communication.

Let's cut to the chase, start by installing Postfix from ports. Postfix sends out e-mail. Dovecot let's clients (Outlook,Thunderbird,Eudora etc.) access the e-mail. We need both and we need to get them to play along with each other.


Start here:
time pkg_add -r perl libtool tcl85 expat gettext

It finished, took about 3 minutes to download the packages and install them

Now if you don't have it already, get the port tree skeleton:
For more details on ports look here.
portsnap fetch;portsnap extract (took about 30 minutes on my system)

Next, let's go to the port directory of Postfix.
Cd /usr/ports/mail/postfix
and do a 'make config-recursive' so we can start setting options:
make config-recursive

You'll get the options screen of postfix 2.8.1,1. Select PCRE,SASL2,DOVECOT,TLS,BDB

Use the TAB key to go to 'OK' and hit Enter to continue

Then you'll get the options for perl 5.10.1_3. Select just the defaults, they should be: PERL_64BITINT, USE_PERL (it doesn't matter what you choose anyway, the compilation of Perl will be skipped since it's already installed by package)

Again, use the TAB key to go to 'OK' and hit Enter to continue

After this, you'll be returned to the prompt – however, now that we have selected additional options to compile for Postfix, we need to redo the 'make config-recursive' !

Do a 'make config-recursive' again:

As you can see, now we got the options for a different port: this time it's cyrus-sasl 2.1.23_3. Cyrus is used for authentication, select the following: BDB, AUTHDAEMOND, LOGIN, PLAIN, CRAM, DIGEST, OTP, NTLM

then go to OK to continue.
Now you're getting the options for dovecot 1.2.16. Select KQUEUE, SSL, MANAGESIEVE and BDB.

then go to OK to continue.

Options for libiconv 1.13.1_1 – just take the defaults: EXTRA_ENCODINGS – again libiconv won't be really compiled from ports, it's already installed as a package

then go to OK to continue.
Do another 'make config-recursive' just to be sure we didn't miss anything:

As you can see, no options window came up! We're good to go.

To start compiling do a 'time make install clean' – this took about 20 minutes on my system.

When Postfix is almost finished, it will ask you the following:

Make sure to hit 'y' and press Enter.

Then you'll get another question:

VERY Important: Make sure to hit 'y' and press Enter. Do not go with the default 'n' because then Postfix won't be set as the default e-mail system. This can lead to really big problems later.

If all is done succesfully you should see this:

Configuration – Postfix:
To configure Postfix do:
ee /usr/local/etc/postfix/

Go to line 99:
Change the line from
#myorigin = $mydomain

Should look like this when done:

Go to line 160:
#mydestination = $myhostname, localhost.$mydomain, localhost
mydestination = $myhostname, localhost.$mydomain, localhost

Should look like this when done:

Now, go to the end of the file and add those lines:

#Dovecot authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

#TLS settings

When you're done it should look like this:

Save and exit.

If you don't already have it, now it's a good time to install OpenSSL:
do a:
cd /usr/ports/security/openssl
time make install clean to install it (will take about 10 minutes)

In the options screen for openssl 1.0.0_5 select:
I386, SSE2, ASM, ZLIB and MD2

Select 'OK' to continue

When openssl is done you should see something like this:

We need to create a certificate for Postfix. Create it using this command:
openssl req -new -x509 -nodes -out /usr/local/etc/postfix/smtpd.pem -keyout /usr/local/etc/postfix/smtpd.pem -days 3650

OpenSSL will ask you for some information to fill in the certificate, it doesn't really matter what you enter here:

Configuration – Dovecot:

Time to configure Dovecot:
We'll need another certificate for Dovecot. Type:
openssl req -new -x509 -nodes -out /root/server.crt -keyout /root/server.key -days 3650

Again the options don't matter:

ee /usr/local/etc/dovecot.conf

Go to line 24:
protocols = imap pop3 imaps pop3s managesieve
change to:
protocols = imaps

Should look like this:

Go to line 93:
#ssl = yes
change to:
ssl = required

Go to lines 99-100:
#ssl_cert_file =
#ssl_key_file =

change to:
ssl_cert_file = /root/server.crt
ssl_key_file = /root/server.key

Go to line 877:
auth default {

This part needs some heavy modification. To make it easier to read, delete all comments in the ee editor by doing Ctrl+K for every line with a comment(Ctrl+K deletes the whole line). If you do it carefully enough you should be left with the following:

Save and exit.
Let's edit /etc/rc.conf so Dovecot is set to start on boot up. Postfix has already been added automatically so no need to worry about that.

ee /etc/rc.conf

Go to the end of the file and add the following:

and save and exit.

At this point restart the system, by typing 'reboot now'

reboot now

It's a good idea to add a user to the system other than root for testing. To add a user, just type
'adduser'. I added an example user called 'test' – password 'test'.

Make sure to choose 'no' to 'lock out the account after creation?'


After the computer restarts, let's run some tests to see if everything is in place:
type 'top'.'top' shows the running processes.

You should see the following:

Press Ctrl+C to get out of top.

Now that we have made sure that that works, let's take a look at our router settings to see if forwarding is set up correctly – Remember: The IP address in VirtualBox is set to This address is internal to the LAN. In other words, it cannot be seen by the outside world, so you need to set up port forwarding in your router. Since we have SMTP and IMAPS the corresponding ports need to be 25 for SMTP and 993 for IMAPS.

In my router:

This is what my configuration looks like. As you can see ports 25 and 993 are set up and they are targeting IP Address which corresponds to the FreeBSD VirtualBox.

Now go to
This website will look up your public IP address and can check if ports are open on your IP and seen by the outside world.

Try port 25 first and click 'Check' , this is what you should see:

Now try port 993 and click 'Check'

Both are a success. So only thing left to do is see if we can send/receive e-mail!

Testing with Mozilla Thunderbird:

Fire up Mozilla Thunderbird (get a portable version here)

Click 'File'->'New'->'Mail Account...'

You'll get the 'Mail Account Setup' screen.

Fill it in as in the next screenshot:

and click 'Continue'.

Thunderbird will try to autodetect the settings. This is what it found:

It looks correct. Click 'Create Account' to use the account.
Thunderbird then proceeds to get all the folders through IMAP. In this screenshot you can see what it looks like:

Let's try sending an e-mail out to ourselves for testing. Click 'Write'. In the 'To' field use , enter any subject you like and something in the body part and click 'Send'.

Voila!!!! It works!

Let's try to send an e-mail to an external account, i.e. To hotmail.

As you can see we instantly got back a 'Undelivered Mail Returned to Sender'. Click on that to see the details.

As you can see, you cannot really set up an e-mail server on a dynamically assigned IP address. You need to have a static address. In most cases this means that you need to contact your Internet Service Provider (in my case Comcast) and request a STATIC IP address .Comcast for example, won't give a static ip at all to residential customers, you need to get a business line (in other words contract) AND then you need to add the static IP as 'an add-on' = more money.