1. Obtaining a certificate for the mail server
Obtain a certificate for the mail server so that Postfix and Dovecot can serve TLS.
Use the certbot that was already used when the web server was switched to HTTPS.
certbot's standalone authenticator binds port 80 itself, so stop the web server first and run the following command (the same applies at every renewal):
# service apache24 stop
# certbot certonly --standalone -d mail.<domain name>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mail.<domain name>
Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/mail.<domain name>/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/mail.<domain name>/privkey.pem
This certificate expires on 2026-09-15.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
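Two things certbot's NEXT STEPS leave to you: renewal with --standalone fails while apache24 holds port 80, and Postfix and Dovecot keep serving the old certificate until they are reloaded. The following is an added example, not part of the original page: a certbot deploy hook that reloads both daemons only when the mail certificate was the one renewed, plus the renew invocation that frees port 80. The hook path and the host name mail.example.com are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original page. Deploy hook for certbot,
# intended to live at (assumed path)
#   /usr/local/etc/letsencrypt/renewal-hooks/deploy/reload-mail.sh
# certbot runs every executable in that directory after a successful renewal
# and exports RENEWED_DOMAINS (space-separated names on the new certificate)
# and RENEWED_LINEAGE (the live/<name> directory). Postfix and Dovecot keep
# serving the old certificate until they are reloaded, so reload them, but
# only when the mail certificate is the one that was renewed.

MAIL_HOST="${MAIL_HOST:-mail.example.com}"   # assumed host name; set yours

# renewed_includes "<RENEWED_DOMAINS>" <host>: exit 0 if host is in the list.
renewed_includes() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# reload_mail_daemons "<RENEWED_DOMAINS>" <host>: reload Postfix and Dovecot
# when the mail certificate was renewed; a no-op otherwise.
reload_mail_daemons() {
    renewed_includes "$1" "$2" || return 0
    postfix reload && doveadm reload
}

# Renewal itself must free port 80 for the standalone authenticator that
# issued the certificate in section 1, and start the web server again:
#   # certbot renew --pre-hook "service apache24 stop" \
#                   --post-hook "service apache24 start"
# Deploy hooks placed in renewal-hooks/deploy/ run without any extra flag.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    reload_mail_daemons "$RENEWED_DOMAINS" "$MAIL_HOST"
fi
```

Test the whole chain once with certbot renew --dry-run, then confirm what the daemons actually serve, for example with openssl s_client -connect mail.<domain>:993 followed by openssl x509 -noout -dates.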
2. Advance preparations
2.1 Install procmail
procmail performs the final delivery into each user's Maildir and applies the sorting rules from section 6.
# pkg install procmail
Set the options that should always be passed to make.
Edit pkgtools.conf. This file is read by portupgrade/portinstall, so these MAKE_ARGS apply only to ports built from source and have no effect on pkg install.
# vi /usr/local/etc/pkgtools.conf
Add at line 404
MAKE_ARGS = {
'security/cyrus-sasl2' => 'WITHOUT_OTP=yes',
'security/cyrus-sasl2-saslauthd' => 'WITH_BDB=yes',
'mail/postfix' => 'WITH_SASL2=yes WITH_TLS=yes',
}
2.2 Install cyrus-sasl2 and cyrus-sasl2-saslauthd
SASL is used for SMTP authentication. Install the Cyrus SASL2 library and the Cyrus SASL2 authentication daemon (the ports are security/cyrus-sasl2 and security/cyrus-sasl2-saslauthd; the package names have no "2"):
# pkg install cyrus-sasl cyrus-sasl-saslauthd
Note that the main.cf below uses smtpd_sasl_type = dovecot, i.e. Postfix authenticates through Dovecot. The Cyrus packages are only exercised if you later switch to smtpd_sasl_type = cyrus (see ③ in section 3.2).
3. Postfix
3.1 Install
# cd /usr/ports/mail/postfix
# make WITH_SASL2=yes WITH_TLS=yes WITH_BDB=yes install clean
Current ports trees select these features through the OPTIONS framework; if the WITH_* knobs are not honoured, run make config and enable SASL (and BDB). Whichever way it was built, check which SASL server backends were compiled in, because the configuration below relies on the dovecot one:
# postconf -a
The output must list dovecot (and cyrus, if you intend to use Cyrus SASL).
3.2 Postfix Settings
①Edit main.cf
# vi /usr/local/etc/postfix/main.cf
Postfix has no inline comments: anything after a value, including "# ...", becomes part of the value. Keep every comment on its own line.
Add at line 100
myhostname = mail.<domain>
Add at line 107
mydomain = <domain>
Uncomment line 122
myorigin = $mydomain
Uncomment line 136
inet_interfaces = all
Uncomment line 184
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
Uncomment line 286 and change it to your own network. Hosts listed here may relay through this server without authenticating, so keep it to your LAN.
mynetworks = 127.0.0.0/8, 192.168.11.0/24
Uncomment line 320 (this is the Postfix default: accept mail for our own domains only)
relay_domains = $mydestination
Uncomment around line 410
alias_maps = hash:/etc/aliases
Uncomment around line 420
alias_database = hash:/etc/aliases
Uncomment around line 442 (Maildir format; the trailing slash is what selects it)
home_mailbox = Maildir/
Add around line 472 (the procmail path). When mailbox_command is set, procmail performs the delivery and its DEFAULT decides the mailbox; home_mailbox is only consulted if this line is absent.
mailbox_command = /usr/local/bin/procmail
Add to the end
# SASL configuration: SMTP AUTH is handed to Dovecot's auth socket
# (set up in Dovecot's 10-master.conf below), not to Cyrus saslauthd
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# TLS configuration
smtpd_tls_security_level = may
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/mail.<domain>/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/mail.<domain>/privkey.pem
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_security_level = may is what makes Postfix offer STARTTLS on port 25 (the telnet check later on this page shows 250-STARTTLS there); without it port 25 stays plaintext-only. The session cache is kept under $data_directory (/var/db/postfix), which is the location Postfix documents and the one its unprivileged tlsmgr process can write to; /usr/local/etc/postfix is root-owned. As configured, AUTH is also announced on the unencrypted connection; add smtpd_tls_auth_only = yes if you want AUTH offered only after STARTTLS. The submission ports configured in master.cf require TLS regardless of this setting.
➁Edit master.cf
# vi /usr/local/etc/postfix/master.cf
Starting at line 19, in the "submission" (port 587) section, uncomment the lines shown below without a leading #; the lines that still start with # stay commented. smtpd_tls_security_level=encrypt makes TLS mandatory on this port: Postfix refuses AUTH and MAIL FROM with "530 Must issue a STARTTLS command first" until STARTTLS has completed.
submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_forbid_unauth_pipelining=no
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o local_header_rewrite_clients=static:all
# -o smtpd_hide_client_session=yes
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_relay_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
Starting at line 40, do the same in the "submissions" (port 465) section. smtpd_tls_wrappermode=yes means TLS starts immediately on connect, with no STARTTLS step; this is the port the Thunderbird settings at the end of this page use.
submissions inet n - n - - smtpd
-o syslog_name=postfix/submissions
# -o smtpd_forbid_unauth_pipelining=no
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o local_header_rewrite_clients=static:all
# -o smtpd_hide_client_session=yes
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_relay_restrictions=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
➂saslauthd automatic startup configuration
Note: with smtpd_sasl_type = dovecot in main.cf above, Postfix hands SMTP AUTH to Dovecot's auth socket and never consults Cyrus SASL, so saslauthd, smtpd.conf and the sasldb2 entries in ③ to ⑥ are not used for authentication. The password a client must present is the one Dovecot checks, i.e. the user's system login password. To authenticate against sasldb2 instead, set smtpd_sasl_type = cyrus and smtpd_sasl_path = smtpd in main.cf. Also note that saslauthd -a sasldb and pwcheck_method: auxprop are two different lookup paths: auxprop reads sasldb2 directly and does not need saslauthd running at all.
# vi /etc/rc.conf
Add the following
saslauthd_enable="YES"
saslauthd_flags="-a sasldb"
Start it
# /usr/local/etc/rc.d/saslauthd start
Starting saslauthd.
④SMTP AUTH setting (Cyrus SASL)
Create the following file
# vi /usr/local/lib/sasl2/smtpd.conf
with this content
pwcheck_method: auxprop
⑤Add an SMTP user (Cyrus SASL)
Add the system user huong as an SMTP user. With -u the entry is stored as huong@[domain], which is the user name a client would have to send.
# saslpasswd2 -c -u [domain] huong
Password:
Again (for verification):
Verify the user
# sasldblistusers2
huong@[domain]: cmusaslsecretOTP
huong@[domain]: userPassword
⑥Change the ownership of /usr/local/etc/sasldb2.db
# chown cyrus:mail /usr/local/etc/sasldb2.db
# chmod 640 /usr/local/etc/sasldb2.db
If you do switch Postfix to smtpd_sasl_type = cyrus, remember that smtpd(8) runs as the postfix user and must be able to read this file (for example chown cyrus:postfix with mode 640); the Postfix SASL_README says the same.
⑦Stop Sendmail
If Sendmail is running, stop it.
# /etc/rc.d/sendmail stop
Stopping sendmail.
Waiting for PIDS: 915.
sendmail_submit not running? (check /var/run/sendmail.pid).
Stopping sendmail_msp_queue.
Waiting for PIDS: 933.
Disable Sendmail auto-start
# vi /etc/rc.conf
Add the following
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
⑧Other
Stop the periodic(8) daily scripts from calling sendmail's mailq and host-status cleanup. Create the following file (append if it already exists)
# vi /etc/periodic.conf
with this content
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
Point the sendmail, mailq and newaliases wrappers (mailwrapper(8)) at Postfix's sendmail-compatible binary, keeping the original file for reference
# mv /etc/mail/mailer.conf /etc/mail/mailer.conf.org
# vi /etc/mail/mailer.conf
with this content
sendmail /usr/local/sbin/sendmail
send-mail /usr/local/sbin/sendmail
mailq /usr/local/sbin/sendmail
newaliases /usr/local/sbin/sendmail
Keep future base-system builds from reinstalling sendmail and the mailwrapper
# vi /etc/make.conf
with this content
NO_MAILWRAPPER=YES
NO_SENDMAIL=YES
⑨Postfix start
# vi /etc/rc.conf
Add the following
postfix_enable="YES"
# /usr/local/etc/rc.d/postfix start
postfix/postfix-script: starting the Postfix mail system
4. Dovecot
4.1 Install
# cd /usr/ports/mail/dovecot
# make BATCH=yes install clean
4.2 Dovecot configuration
①Edit dovecot.conf
After installation the sample configuration is in /usr/local/etc/dovecot/example-config/. Copy all of it under /usr/local/etc/dovecot/ and set dovecot.conf to mode 640.
# cp -r /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot/
# chmod 640 /usr/local/etc/dovecot/dovecot.conf
# vi /usr/local/etc/dovecot/dovecot.conf
Line 25 : Add (IMAP and POP3 only; Postfix delivers locally through procmail, so lmtp is not needed)
protocols = imap pop3
Line 30 : Uncomment (listen on all IPv4 and IPv6 addresses)
listen = *, ::
➁Edit 10-ssl.conf
# vi /usr/local/etc/dovecot/conf.d/10-ssl.conf
Line 6 : Uncomment
ssl = yes
Line 12,13 : Replace with the certificate obtained in section 1. The leading < tells Dovecot to read the file; Dovecot reads both files as root before dropping privileges, so the 0600 permissions certbot sets on privkey.pem can stay as they are.
ssl_cert = </usr/local/etc/letsencrypt/live/mail.<domain>/fullchain.pem
ssl_key = </usr/local/etc/letsencrypt/live/mail.<domain>/privkey.pem
➂Edit 10-master.conf
# vi /usr/local/etc/dovecot/conf.d/10-master.conf
Line 19 : change (port = 0 disables the plaintext IMAP listener on 143)
service imap-login {
  inet_listener imap {
    #port = 143 → port = 0
  }
Line 22,23 : Uncomment
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
Line 40 : change (port = 0 disables the plaintext POP3 listener on 110)
service pop3-login {
  inet_listener pop3 {
    #port = 110 → port = 0
  }
Line 43,44 : Uncomment
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
Line 110-112 : Uncomment and add, inside the existing service auth { ... } block. This is the socket that smtpd_sasl_path = private/auth in main.cf refers to (the path is relative to Postfix's queue directory, /var/spool/postfix). Only Postfix needs to reach it, so mode = 0660 is enough once user and group are set to postfix; 0666 is what the Dovecot sample shows.
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
④Edit 10-auth.conf
# vi /usr/local/etc/dovecot/conf.d/10-auth.conf
Line 10 : Uncomment and change
disable_plaintext_auth = no
This setting only matters for connections that are not TLS-protected. Since the plaintext listeners on 143 and 110 are disabled above and the Postfix auth socket is local, the default (yes) would work just as well, and would keep protecting passwords if a plaintext listener is ever re-enabled.
Line 100 : Add (LOGIN in addition to PLAIN, for clients such as Outlook; both transmit the password as-is, which is why they must only be used inside TLS)
auth_mechanisms = plain login
The password database is left at the default include (auth-system.conf.ext), so Dovecot, and through it Postfix, checks the account's system login password.
⑤Edit 10-mail.conf
# vi /usr/local/etc/dovecot/conf.d/10-mail.conf
Line 31 : Add
mail_location = maildir:~/Maildir
⑥Dovecot automatic startup configuration and startup
# vi /etc/rc.conf
Add the following
dovecot_enable="YES"
# /usr/local/etc/rc.d/dovecot start
Starting dovecot.
⑦Rebuild the mail alias database
Set the address that mail addressed to root is forwarded to
# vi /etc/aliases
Add at line 18
# root: me@my.domain
root: [Your email address]
Rebuild the database so Postfix picks up the change
# postalias /etc/aliases
5. Create user mail directories
①Create the mail directory for an existing user (the existing user is assumed to be huong)
FreeBSD's /bin/sh has no brace expansion, so the {cur,new,tmp} shorthand below needs bash; install it and switch shells for this step.
# pkg install bash
# bash
# mkdir -p /home/huong/Maildir/{cur,new,tmp}
# chmod -R 700 /home/huong/Maildir
# chown -R huong:huong /home/huong/Maildir
(chmod -R on Maildir already covers cur, new and tmp; a mailbox must be readable by its owner only.)
➁Create the mail directory template for new users (adduser copies /usr/share/skel into each new home directory)
# mkdir -p /usr/share/skel/Maildir/{cur,new,tmp}
# chmod -R 700 /usr/share/skel/Maildir/
Return to the original sh by leaving bash
# exit
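The same result in plain /bin/sh, without installing bash: an added example (not from the original page) that creates a Maildir idempotently with the 700 permissions used above and can be applied to every existing home directory and to the adduser skeleton in one go. The function names and the optional owner argument are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: create a Maildir for a user
# in plain /bin/sh, which has no brace expansion, so bash is not needed.
#
# ensure_maildir <home_dir> [owner]
#   Creates <home_dir>/Maildir with cur/ new/ tmp/ at mode 700 (mail is
#   private to its owner), is safe to re-run, fails if <home_dir> does not
#   exist, and only chowns when an owner is given (chown needs root).
ensure_maildir() {
    home=$1
    owner=${2:-}
    [ -d "$home" ] || return 1
    for sub in cur new tmp; do
        mkdir -p "$home/Maildir/$sub" || return 1
    done
    chmod 700 "$home/Maildir" "$home/Maildir/cur" \
              "$home/Maildir/new" "$home/Maildir/tmp" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$home/Maildir" || return 1
    fi
}

# maildir_mode <home_dir>: the permission string of the Maildir, for checks.
maildir_mode() {
    ls -ld "$1/Maildir" | cut -c1-10
}

# As root, apply to every account under /home (e.g. huong) and to the
# skeleton that adduser copies into new home directories:
#   for h in /home/*; do ensure_maildir "$h" "$(basename "$h")"; done
#   ensure_maildir /usr/share/skel

# Self-check in a scratch directory (no root needed): shows the created layout.
demo=$(mktemp -d) && mkdir "$demo/huong" && ensure_maildir "$demo/huong" \
    && ls -la "$demo/huong/Maildir" && rm -rf "$demo"
```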
6. Procmail settings
This file is the system-wide recipe set; procmail, started by Postfix's mailbox_command as the recipient user, reads it before the user's own ~/.procmailrc. As an example, discard e-mails with the word "finance" in the subject line.
# vi /usr/local/etc/procmailrc
SHELL=/bin/sh
PATH=/bin:/usr/bin:/usr/local/bin
DROPPRIVS=yes
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
#LOGFILE=$MAILDIR/procmail.log
# Discard mail whose Subject contains "finance".
# procmail matches case-insensitively by default, so this also catches
# "Finance" and "FINANCE". Delivering to /dev/null drops the message
# silently, with no bounce to the sender; enable LOGFILE while testing so
# the drops are at least recorded, or file into a folder instead.
:0
* ^Subject: .*finance.*
/dev/null
7. Firewall settings
Allow the following ports in ipfirewall (ipfw):
• 995 (POP3S)
• 993 (IMAPS)
• 465 (SMTPS, client submission)
Inbound port 25 must also be reachable from the Internet, or no other mail server can deliver to this host; this page adds no rule for it, so make sure your existing ruleset already allows it. Open 587 only if you also want STARTTLS submission.
# vi /usr/local/etc/ipfw.rules
…Addendum: replace XXX with rule numbers that fit your ruleset. If your ruleset is stateful (setup keep-state), the "out" rules are unnecessary, since replies are matched by state.
$IPF XXX allow tcp from any to any 465 in
$IPF XXX allow tcp from any to any 465 out
$IPF XXX allow tcp from any to any 993 in
$IPF XXX allow tcp from any to any 993 out
$IPF XXX allow tcp from any to any 995 in
$IPF XXX allow tcp from any to any 995 out
Reload ipfw
# /etc/rc.d/ipfw restart
Firewall rules loaded.
Port forwarding may also be required on the router.
SMTP connection check with telnet
telnet shows only the plaintext side of the conversation. On 587 Postfix refuses AUTH until STARTTLS has completed (smtpd_tls_security_level=encrypt), and on 465 TLS starts before any text is exchanged, so telnet cannot be used there at all; use openssl s_client -starttls smtp -connect mail.<domain>:587 and openssl s_client -connect mail.<domain>:465 to exercise those paths. On port 25 the reply below announces AUTH PLAIN LOGIN before STARTTLS; with smtpd_tls_auth_only = yes in main.cf it would appear only after STARTTLS.
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.<domain> ESMTP Postfix
EHLO localhost
250-mail.<domain>
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
quit
221 2.0.0 Bye
Connection closed by foreign host.
# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.<domain> ESMTP Postfix
EHLO localhost
250-mail.<domain>
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
quit
221 2.0.0 Bye
Connection closed by foreign host.
Set up the account in your email client (Thunderbird)
※ For information on creating an email account in Thunderbird, refer to the page below.
Incoming server
・IMAP mail server, port 993
・Connection security: SSL/TLS
・Authentication method: Normal password
Outgoing server
・SMTP server, port 465
・Connection security: SSL/TLS
・Authentication method: Normal password
Configure the account with these settings. The user name and password are the account's system login credentials, since Dovecot performs the authentication for both IMAP and SMTP in this setup; "Normal password" is acceptable only because both connections are SSL/TLS from the first byte.
