Postfix – Ostrich blog (https://ostrich.kyiv.ua)

Configuring PostfixAdmin to manage mailboxes
https://ostrich.kyiv.ua/en/2025/05/19/configuring-postfixadmin-to-manage-mailboxes/
Mon, 19 May 2025 19:45:56 +0000

Introduction

Since my Raspberry Pi already has Postfix + Dovecot installed and configured to read accounts from a database, I need a way to administer mailboxes. For convenience this is done through a web interface, the PostfixAdmin service. This post describes step by step how to install and configure it.

Requirements for PostfixAdmin

To install PostfixAdmin I do not need anything extra, because most of the required packages were installed at an earlier stage, when Postfix and Zabbix were set up. It does no harm, however, to check the existing packages and dependencies. For the rest of this article I assume that all of the following are installed and configured:

  • PHP – php php-mbstring php-intl php-imap php-curl php-mysql php-xml php-sqlite3
  • Apache – apache2
  • MariaDB – mariadb-client mariadb-server
  • Related packages – unzip git composer

Before starting, as always, you need to update the packages:

sudo apt update && sudo apt upgrade

After the dependencies have been checked and installed, proceed to the installation of PostfixAdmin.

Installing PostfixAdmin

PostfixAdmin is downloaded from its git repository. Note that /var/www/html is also the DocumentRoot of Apache's default site, so while that site stays enabled the whole checkout, .git/ directory included, is reachable as http://<host>/postfixadmin/; disable the default site or clone somewhere outside it if that matters to you.

cd /var/www/html
sudo git clone https://github.com/postfixadmin/postfixadmin.git
sudo chown -R www-data:www-data postfixadmin
cd postfixadmin

To streamline the installation you can run the install.sh script, which installs composer and the PHP libraries and creates the templates_c directory (which must remain writable by www-data). This avoids mistakes later. The checkout now belongs to www-data, so run it with sudo:

sudo chmod +x install.sh
sudo ./install.sh

After installation, you can go to the database.

Creating a database for PostfixAdmin

Connect to the database server as the administrative user:

sudo mysql -u root -p

Do not put the password on the command line directly after -p: it lands in the shell history and is visible in the process list while the client runs; -p alone prompts for it. On Debian-based systems the MariaDB root account usually authenticates through the unix socket, so plain sudo mysql works as well.

Creating a database and a user, and providing access for this user to interact with the database:

CREATE DATABASE postfixadmin CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'postfixuser'@'localhost' IDENTIFIED BY '<password>';
GRANT ALL PRIVILEGES ON postfixadmin.* TO 'postfixuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;

After the database and the user are defined, proceed to the PostfixAdmin configuration settings

Editing the configuration

The main files are already in /var/www/html/postfixadmin. Instead of editing config.inc.php, create config.local.php in the same directory and put the settings that differ from the defaults there; it is loaded on top of config.inc.php and is not overwritten by future updates. Because it contains the database password, make it readable only by root and the www-data group (owner root, group www-data, mode 640).

sudo nano config.local.php

In it, set or add the following lines (the file is PHP, so it must start with the opening tag):

<?php
$CONF['configured'] = true;
$CONF['default_language'] = 'en';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixuser';
$CONF['database_password'] = '<Password>';
$CONF['database_name'] = 'postfixadmin';
// Hash mailbox passwords with `doveadm pw -s SHA512-CRYPT`, matching
// default_pass_scheme = SHA512-CRYPT in dovecot-sql.conf.ext further down.
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';

Creating an Apache virtual host

Since Apache can serve many virtual hosts, create another one for PostfixAdmin. The example listens on plain HTTP, so the admin password travels in clear text; either keep the site reachable from the local network only (see below) or put it behind TLS.

sudo nano /etc/apache2/sites-available/postfixadmin.conf

With the following parameters (the <Directory> path must be the same as DocumentRoot, and directory listings are switched off):

<VirtualHost *:80>
    ServerAdmin admin@localhost
    DocumentRoot /var/www/html/postfixadmin/public
    ServerName postfixadmin.local

    # Only public/ is served; config files and the git checkout stay outside the web root.
    <Directory /var/www/html/postfixadmin/public>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/postfixadmin_error.log
    CustomLog ${APACHE_LOG_DIR}/postfixadmin_access.log combined
</VirtualHost>

If you want PostfixAdmin to be reachable only from your local network, replace Require all granted in the <Directory> block with Require ip lines for your subnets (Apache 2.4 treats several Require directives in one block as RequireAny, so either range is allowed):

<Directory /var/www/html/postfixadmin/public>
    Require ip 127.0.0.1
    Require ip 192.168.0.0/24
</Directory>

In order for the changes to take effect, you need to activate the site:

sudo a2ensite postfixadmin.conf
sudo a2enmod rewrite
sudo systemctl reload apache2

Since nothing on the network knows the postfixadmin.local name, rather than adding it to the hosts file of every client I created a record on my UXG Lite router: Settings -> Routing -> DNS -> Create Entry, entry type A. Such entries take effect locally almost instantly.

After reloading Apache, open the web interface at http://postfixadmin.local/setup.php

PostfixAdmin web service configuration

The first visit to http://postfixadmin.local/setup.php asks you to choose a setup password and then shows its bcrypt hash. Put that hash into config.local.php (the hash below is the one generated for this installation; every installation gets its own):

$CONF['setup_password'] = '$2y$10$.tW14352cmjVC3N07u9MQOphugNCl5tIOAdwhYLs21XT7/TwR7Lo.';

Setup can also stop with errors that block further configuration. If the hash was generated without complaint, all checks should be green. I did, however, run into errors that are widely discussed on the Internet:

  • Password Hashing – attempted to use configured encrypt backend (dovecot:SHA512-CRYPT) triggered an error: /usr/bin/doveadm pw failed, see error log for details
  • You will have problems logging into PostfixAdmin.
  • Check out our Dovecot documentation at https://github.com/postfixadmin/postfixadmin/blob/master/DOCUMENTS/DOVECOT.txt, specifically around ‘3. Permissions’.

This means that PostfixAdmin could not run /usr/bin/doveadm pw as the web server user, so it cannot produce Dovecot-compatible password hashes. doveadm pw parses the complete Dovecot configuration, including the TLS private key referenced by ssl_key, and the www-data user is not allowed to read that file. Running doveadm pw as www-data on the command line (with sudo -u www-data) reproduces the same error outside the web interface.

There are many ways to solve the access problem; I will cover only two. (PostfixAdmin also offers a php_crypt encrypt backend that computes crypt-style hashes in PHP without calling doveadm at all; it is not used in this post.)

The first method is dangerous because it adds the www-data user to the dovecot group:

Create a separate configuration file for the TLS certificate and key, move only the ssl_cert/ssl_key parameters into it, include that file at the end of the main Dovecot configuration, set its owner and permissions, and restart Dovecot to apply the change.

This method is probably one of the simplest, but the danger is that if, for example, WordPress and the mail server run on the same host, an attacker who gains control of the www-data user also gains access to everything owned by the dovecot group: sockets, configuration files, caches, logs containing usernames. I tried this option for educational purposes, but I do not recommend it; still, I will share the settings:

sudo nano /etc/dovecot/conf.d/ssl-keys.conf
# new file: only the certificate and key paths
ssl_cert = ...
ssl_key = ...

sudo nano /etc/dovecot/conf.d/10-ssl.conf
# remove or comment out the same two lines here
ssl_cert = ...
ssl_key = ...

sudo nano /etc/dovecot/dovecot.conf
# add an include for the new file at the end of the file
!include_try /etc/dovecot/conf.d/ssl-keys.conf

# set owner and permissions of the new file, then add www-data to the dovecot group
sudo chown root:root /etc/dovecot/conf.d/ssl-keys.conf
sudo chmod 644 /etc/dovecot/conf.d/ssl-keys.conf
sudo usermod -aG dovecot www-data

# restart both services so the configuration and the new group membership take effect
sudo systemctl restart dovecot apache2

The second method carries less risk:

It keeps the web server and the mail server apart by granting the www-data user read access to the certificates through ACLs rather than group membership (plus read/write access to Dovecot's stats sockets), but this method did not work for me! Note that it still lets the web server user read the TLS private key under /etc/letsencrypt/archive/, so it is only a partial improvement.

sudo setfacl -R -m u:www-data:rx /etc/letsencrypt/live/ /etc/letsencrypt/archive/
sudo setfacl -R -m u:www-data:rwx /var/run/dovecot/stats-reader /var/run/dovecot/stats-writer

After making the changes, reload setup.php and enter the setup password again. The solution worked for me, and the errors disappeared.

Let's move on to creating the super administrator. Fill in the form with four fields:

  • Setup password – enter the current password
  • Admin – email for super administrator login
  • Password – complex password
  • Password (again) – repeat a complex password

After that, click on the Add Admin button.

The successful creation will be indicated by the line:

Super admins – The following ‘super-admin‘ accounts have already been added to the database.

After the super admin is created you can log in and continue with the settings. Go to the login page http://postfixadmin.local/login.php and enter the super administrator credentials created in the previous step.

This is what the dashboard looks like

Add a domain

On the dashboard click Overview; a page opens where the domain has to be created. Click Add Domain.

The Add a new domain form has several fields:

  • Domain – my mail domain, the same as this site – ostrich.kyiv.ua
  • Description – an ordinary description; optional, but I filled it in – Ostrich mail domain
  • Forwards – the maximum number of aliases (forwarding addresses) in this domain; I entered 15, which is enough for me
  • Mailboxes – the maximum number of mailboxes that can be created in this domain; I entered 15, which is enough for me
  • Mail server is backup MX – leave unchecked, because this is the primary server, not a secondary one
  • Active – must be checked for the domain to be active
  • Add default mail aliases – if checked, four aliases are created: abuse, hostmaster, postmaster, webmaster

Add a mailbox

On the dashboard click Add Mailbox; the Create a new mailbox for your domain form opens, where the new user's data must be filled in.

  • Username – username (mailbox) for the ostrich.kyiv.ua domain
  • Password – complex password
  • Password (again) – repeat a complex password
  • Name – the full name of the user
  • Quota – for the test user, I set a quota of 10 megabytes, but if the field is empty, then the quota is not applied
  • Active – ticked to activate this email
  • Send Welcome mail – check the box to receive a welcome mail from the server when testing the mail client
  • Other e-mail – mailbox for password recovery

After filling in the form click Add Mailbox and the mailbox is created immediately.

Postfix and Dovecot configuration

I previously created three configuration files for the database lookups; only the username, password and database name in them need to change, the SQL queries stay the same. Because each file contains the database password, keep them readable only by root and the postfix group (owner root, group postfix, mode 640). The files live under /etc/postfix/:

  • mysql-virtual-mailbox-domains.cf
user = postfixuser
password = <password>
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' AND active = 1
  • mysql-virtual-mailbox-maps.cf
user = postfixuser
password = <password>
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
  • mysql-virtual-alias-maps.cf
user = postfixuser
password = <password>
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = 1

The same connection data goes into the Dovecot file dovecot-sql.conf.ext (which likewise must not be world-readable):

driver = mysql
connect = host=127.0.0.1 dbname=postfixadmin user=postfixuser password=<password>
default_pass_scheme = SHA512-CRYPT
password_query = SELECT username as user, password FROM mailbox WHERE username = '%u' AND active = 1
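The three Postfix map files and dovecot-sql.conf.ext all carry the same credentials, and one stray character in a hosts line breaks lookups without any obvious error. The following script is an added example, not part of the original post or of PostfixAdmin: it parses the key = value format shared by Postfix mysql: tables and Dovecot's SQL configuration, flags host values that look like mistyped IP addresses, placeholder passwords, queries that do not filter on active = 1, and credentials that differ between files. The file contents embedded below are constructed to mirror the files described above, with a deliberate 127.0.0.1m typo and a <password> placeholder left in; the paths are the ones used in this post.

```python
"""Consistency check for Postfix mysql: map files and dovecot-sql.conf.ext.

Added example, not from the original post or from PostfixAdmin. SAMPLE_FILES
is constructed to mirror the files described in the post; the 127.0.0.1m typo
and the <password> placeholder are left in on purpose.
"""
import ipaddress
import re

SAMPLE_FILES = {
    "/etc/postfix/mysql-virtual-mailbox-domains.cf": """\
user = postfixuser
password = <password>
hosts = 127.0.0.1m
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' AND active = 1
""",
    "/etc/postfix/mysql-virtual-mailbox-maps.cf": """\
user = postfixuser
password = s3cret-example
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
""",
    "/etc/dovecot/dovecot-sql.conf.ext": """\
driver = mysql
connect = host=127.0.0.1 dbname=postfixadmin user=postfixuser password=s3cret-example
default_pass_scheme = SHA512-CRYPT
password_query = SELECT username as user, password FROM mailbox WHERE username = '%u' AND active = 1
""",
}

# Values that were clearly never replaced with a real secret.
PLACEHOLDER = re.compile(r"^<[^>]*>$|^(password|changeme|secret)$", re.IGNORECASE)


def parse_kv(text):
    """Parse `key = value` lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def db_settings(conf):
    """Bring Postfix (hosts/user/dbname) and Dovecot (connect=...) into one shape."""
    if "connect" in conf:  # Dovecot: one line of space-separated key=value pairs
        pairs = dict(p.split("=", 1) for p in conf["connect"].split() if "=" in p)
        return {k: pairs.get(k) for k in ("host", "user", "dbname", "password")}
    return {"host": conf.get("hosts"), "user": conf.get("user"),
            "dbname": conf.get("dbname"), "password": conf.get("password")}


def host_problem(host):
    """Describe why `host` is unusable, or return None if it looks fine."""
    if not host:
        return "no database host configured"
    for item in host.split():  # Postfix accepts a space-separated list
        if item.startswith("unix:"):
            continue
        name = item.split(":")[0] if item.count(":") == 1 else item  # drop :port
        try:
            ipaddress.ip_address(name)
            continue
        except ValueError:
            pass
        digits_only = re.sub(r"[^0-9.]", "", name)
        try:
            ipaddress.ip_address(digits_only)
            return f"hosts '{item}' looks like a mistyped IP address (did you mean {digits_only}?)"
        except ValueError:
            pass
        if not re.fullmatch(r"[A-Za-z0-9.-]+", name):
            return f"hosts '{item}' is not a valid hostname"
    return None


def check_files(files):
    """Return a list of findings for a {path: contents} mapping; empty means consistent."""
    findings = []
    settings = {}
    for path, text in files.items():
        conf = parse_kv(text)
        s = settings[path] = db_settings(conf)
        problem = host_problem(s["host"])
        if problem:
            findings.append(f"{path}: {problem}")
        if s["password"] is None:
            findings.append(f"{path}: no password configured")
        elif PLACEHOLDER.match(s["password"]):
            findings.append(f"{path}: password is a placeholder ('{s['password']}')")
        query = conf.get("query") or conf.get("password_query") or ""
        if "active" not in query:
            findings.append(f"{path}: query does not filter on active = 1, so disabled accounts stay usable")
    for field in ("user", "dbname", "password"):
        values = sorted({str(s[field]) for s in settings.values()})
        if len(values) > 1:
            findings.append(f"{field} differs across files: {values}")
    return findings


def check_paths(paths):
    """Same check against real files on disk (run as root: the files are mode 640)."""
    return check_files({p: open(p, encoding="utf-8").read() for p in paths})


if __name__ == "__main__":
    for finding in check_files(SAMPLE_FILES) or ["no problems found"]:
        print(finding)
```

Run without arguments it reports the two planted faults and the resulting password mismatch; check_paths() does the same against the real files once the placeholders have been replaced.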

No further configuration changes are needed. Before restarting, each Postfix map can be checked with postmap -q (for example postmap -q ostrich.kyiv.ua mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf should print the domain name) and the Dovecot side with doveadm auth test followed by a mailbox address. Then restart the services and check the mail:

sudo systemctl restart postfix
sudo systemctl restart dovecot

Checking mail

If Thunderbird was configured earlier it keeps working as before, provided the mailbox password has not changed. That is what happened for me: when I opened the mail client, a welcome message from the server was waiting, which shows that the settings are correct.

Conclusions

Tools like this make administration considerably easier. If you run a Postfix mail server in a larger organisation, PostfixAdmin is a simple and convenient way to manage mail user accounts.

Monitoring Postfix activity by Zabbix
https://ostrich.kyiv.ua/en/2025/03/30/monitoring-postfix-activity-by-zabbix/
Sun, 30 Mar 2025 17:51:14 +0000

Introduction

After installing and configuring the Postfix mail server, it became necessary to track various metrics of this server using Zabbix and display a diagram for visual monitoring.


Defining the monitoring type

First, it is essential to determine what exactly needs to be monitored, what state is considered normal, and what indicates a deviation. I am interested in two metrics: mail queue statistics and monitoring the number of processes, which we will discuss in detail.

Mail queue statistics

When the mail server works correctly, messages are usually processed at once and no queue forms, or only momentarily. If a destination (or this server itself) becomes unavailable, mail accumulates in the queue, which points to a problem. Under normal operation the value is zero; anything greater deserves attention.

Monitoring the number of processes

Under normal idle operation the server typically runs 5 processes:

  • master – the main Postfix process (supervises all other processes).
  • qmgr – the queue manager, responsible for scheduling delivery of queued messages.
  • tlsmgr – manages the TLS session caches and pseudo-random number pool (only when TLS is enabled).
  • pickup – moves locally submitted messages from the maildrop directory into the queue.
  • showq – reports the queue status (what postqueue -p and mailq display).

During authentication, sending or receiving of mail the number of processes rises to 9 or 10 (smtpd, cleanup, smtp and similar processes are spawned). Authentication attempts, even failed ones, therefore show up on the graph, which lets the administrator notice and act on attacks against the server.

Connecting Postfix to Zabbix

Since Zabbix Agent is already installed on the server, the configuration is straightforward via the configuration file. To do this, the Zabbix Agent configuration file must be updated with user parameters for our metrics.

Open the configuration file, usually located at:

sudo nano /etc/zabbix/zabbix_agentd.conf

Add the following lines at the end of the file:

# Settings for Postfix:
# The last line of `postqueue -p` is "-- N Kbytes in M Requests." (field 5 = M)
# or "Mail queue is empty" (no field 5, so $5+0 evaluates to 0).
UserParameter=postfix.queue_size,postqueue -p | tail -n 1 | awk '{print ($5+0)}'
# Count processes whose ps line mentions postfix; the [p] keeps grep itself out of the count.
UserParameter=postfix.active_processes,ps aux | grep "[p]ostfix" | wc -l

Restart the Zabbix agent:

sudo systemctl restart zabbix-agent
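The awk one-liner above reports only the total number of queued messages. The following added example (not from the original post or from Zabbix) parses the full text output of postqueue -p in Python, so that active, held and deferred messages, the queued bytes and the deferral reasons can each become a Zabbix item; given an item name as argument and postqueue -p on stdin it prints the single number a UserParameter expects. The sample queue listing is constructed in the showq(8) layout (a trailing * marks an active message, ! a held one); queue IDs, addresses and hosts are invented.

```python
"""Parse `postqueue -p` output into per-status counts for Zabbix.

Added example, not from the original post. SAMPLE_QUEUE is a constructed
listing in the showq(8) layout; queue IDs, addresses and hosts are invented.
"""
import re
import sys

SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1234 Mon Mar 30 13:31:51  sender@example.org
                                          rcpt@example.net

F6A7B8C9D0!     5678 Mon Mar 30 13:20:00  other@example.org
                                          rcpt2@example.net

0123456789      4321 Mon Mar 30 12:59:01  third@example.org
(connect to mx.example.net[203.0.113.5]:25: Connection timed out)
                                          rcpt3@example.net

-- 11 Kbytes in 3 Requests.
"""
EMPTY_QUEUE = "Mail queue is empty\n"

# Queue ID, optional status flag, size, arrival time, sender. showq marks
# messages in the active queue with '*' and held messages with '!'; the rest
# are deferred (or still incoming).
ENTRY = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(\S+)$")
STATUS = {"*": "active", "!": "hold", "": "deferred"}


def parse_postqueue(text):
    """Return one dict per queued message: id, status, size, arrival, sender, recipients, reason."""
    messages = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            qid, flag, size, arrival, sender = m.groups()
            messages.append({"id": qid, "status": STATUS[flag], "size": int(size),
                             "arrival": arrival, "sender": sender,
                             "recipients": [], "reason": None})
        elif messages and line.startswith("("):
            messages[-1]["reason"] = line.strip().strip("()")  # deferral reason line
        elif messages and line.startswith(" ") and line.strip():
            messages[-1]["recipients"].append(line.strip())  # indented recipient line
    return messages


def queue_summary(text):
    """Numbers suitable for Zabbix items, plus the distinct deferral reasons."""
    msgs = parse_postqueue(text)
    counts = {"active": 0, "hold": 0, "deferred": 0}
    for msg in msgs:
        counts[msg["status"]] += 1
    return {"total": len(msgs), "bytes": sum(m["size"] for m in msgs), **counts,
            "reasons": sorted({m["reason"] for m in msgs if m["reason"]})}


if __name__ == "__main__":
    # Usage as a UserParameter:  postqueue -p | postqueue_stats.py deferred
    item = sys.argv[1] if len(sys.argv) > 1 else "total"
    text = SAMPLE_QUEUE if sys.stdin.isatty() else sys.stdin.read()
    print(queue_summary(text).get(item, 0))
```

With a flexible parameter such as UserParameter=postfix.queue[*],postqueue -p | /usr/local/bin/postqueue_stats.py $1 (the script path is an assumption), the keys postfix.queue[deferred] and postfix.queue[hold] become separate items, and a growing hold count can be alerted on independently of the total.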

Creating Items in Zabbix

In the Data Collection menu, select the Hosts submenu and, in the host list, click on Items. Then, in the Items list window, click the Create item button.

To monitor active Postfix processes (postfix.active_processes), fill in the form with the following data:

  • Name: Postfix Active Processes
  • Type: Zabbix Agent
  • Key: postfix.active_processes
  • Type of Information: Numeric (unsigned)
  • Host interface: 127.0.0.1:10050
  • Update interval: 1m
  • Description: Postfix Active Processes
  • Enabled: checkbox

In the Tags tab:

  • Name: Mail
  • Value: Postfix

To ensure the item works correctly, test its functionality and obtain the expected value by clicking TEST and GET VALUE.

Similarly, create a second item to monitor the mail queue (postfix.queue_size), with the only difference being the Key: postfix.queue_size. Again, test the created item to obtain the expected result – 0.

Verifying data collection

After about a minute Zabbix begins collecting data. To view it, open the Monitoring menu and select Latest data. In the name filter enter Postfix Active Processes. On the Latest data page the Last value column should show the expected value, which in my case is 5.

Creating a dashboard graph

To display the graph on the dashboard, click the Add button, which will automatically open the new widget creation window. Fill in the following fields:

  • Type: Graph
  • Name: Mail
  • Refresh interval: Default 1m
  • Data set: select the host and items

Other characteristics in the Data set tab, such as color and transparency, can be customized as desired.

Detecting and mitigating a server attack

I monitor the mail server's activity regularly and noticed a sharp rise in activity on the dashboard graph. By widening the date range to two days I identified the exact date and time when the attack began.

Reviewing the Postfix logs for the past two days, I found that a malicious actor was trying to brute-force authentication on my mail server. Although the attempts failed, they still consumed server resources:

sudo tail -f /var/log/mail.log
Mar 30 13:31:51 mail postfix/smtpd[1230298]: connect from unknown[196.251.92.50]
Mar 30 13:31:55 mail postfix/smtpd[1230298]: warning: unknown[196.251.92.50]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=admin2
Mar 30 13:31:55 mail postfix/smtpd[1230298]: disconnect from unknown[196.251.92.50] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar 30 13:35:13 mail postfix/smtpd[1230766]: connect from unknown[196.251.92.50]
Mar 30 13:35:17 mail postfix/smtpd[1230766]: warning: unknown[196.251.92.50]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=back-up
Mar 30 13:35:17 mail postfix/smtpd[1230766]: disconnect from unknown[196.251.92.50] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4 

To mitigate this incident, I blocked the specified address in the router’s firewall settings and applied the rule. After that, the server activity returned to normal.
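The log lines above show one failed SASL attempt per connection, each with a different username. The following added example (not part of the original post) runs that detection over sample log lines in Python: it extracts failed SASL authentications per client IP, flags an address when at least three failures fall within a ten-minute window, and renders nftables commands for the flagged addresses. The log excerpt is constructed in the format shown above using documentation address ranges; the year is an assumption (syslog lines carry none), and the nftables set inet filter smtp_bruteforce is a hypothetical one that would have to exist on the host.

```python
"""Flag SASL brute-force sources in Postfix smtpd logs.

Added example, not from the original post. SAMPLE_LOG is constructed in the
format shown above, using documentation address ranges; LOG_YEAR is an
assumption because syslog timestamps carry no year.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 30 13:31:51 mail postfix/smtpd[1230298]: connect from unknown[203.0.113.7]
Mar 30 13:31:55 mail postfix/smtpd[1230298]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=admin2
Mar 30 13:31:55 mail postfix/smtpd[1230298]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar 30 13:33:02 mail postfix/smtpd[1230400]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=back-up
Mar 30 13:35:17 mail postfix/smtpd[1230766]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=test
Mar 30 13:36:40 mail postfix/smtpd[1230900]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: (reason unavailable), sasl_username=info
Mar 30 13:40:00 mail postfix/smtpd[1231000]: warning: laptop.lan[192.168.0.20]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ostrich@ostrich.kyiv.ua
Mar 30 13:40:30 mail postfix/smtpd[1231000]: disconnect from laptop.lan[192.168.0.20] ehlo=1 auth=1/2 quit=1 commands=3/4
"""
LOG_YEAR = 2025  # assumed: syslog timestamps have no year

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\w+) authentication failed: "
    r".*?sasl_username=(?P<user>\S+)$"
)


def parse_failures(lines):
    """One record per failed SASL authentication: time, client IP, mechanism, username tried."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"time": when, "ip": m["ip"], "mech": m["mech"], "user": m["user"]})
    return events


def offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any span of length `window`."""
    by_ip = defaultdict(list)
    for event in parse_failures(lines):
        by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        # Sliding window: any `threshold` consecutive failures closer together than `window`.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1]["time"] - events[i]["time"] <= window:
                flagged[ip] = {
                    "failures": len(events),
                    "usernames": sorted({e["user"] for e in events}),
                    "first": events[0]["time"],
                    "last": events[-1]["time"],
                }
                break
    return flagged


def block_rules(flagged, nft_set="inet filter smtp_bruteforce"):
    """nftables commands for the flagged IPs; the set name is a hypothetical one."""
    return [f"nft add element {nft_set} {{ {ip} }}" for ip in sorted(flagged)]


if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    flagged = offenders(lines)
    for ip, info in flagged.items():
        print(f"{ip}: {info['failures']} failures, {len(info['usernames'])} usernames, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
    for rule in block_rules(flagged):
        print(rule)
```

The single failure from the LAN client (a mistyped password) stays below the threshold and is not flagged, while the scanner trying a different username on every connection is. Fed with grep smtpd /var/log/mail.log on stdin, the script gives the same picture the graph did, with the usernames attempted as a bonus.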

Conclusions

Monitoring Postfix activity with Zabbix enables timely detection of mail server issues, such as mail queue accumulation or suspicious activity. By configuring metrics to track the queue size and the number of active processes, administrators can quickly respond to potential threats and system failures.

During server operation, monitoring also helps identify unauthorized access attempts, such as brute-force login attacks. By analyzing graphs and system logs, administrators can take immediate security measures, such as blocking malicious IP addresses. This significantly enhances the security of the mail infrastructure and ensures stable service operation.

Configuring Email Forwarding in Postfix
https://ostrich.kyiv.ua/en/2025/03/26/configuring-email-forwarding-in-postfix/
Wed, 26 Mar 2025 09:32:54 +0000

Introduction

Postfix is a popular Mail Transfer Agent (MTA) that allows email forwarding through various mechanisms. This guide covers user-level forwarding.

My Postfix is configured to store mail in each user's home directory, so every system user has a mailbox of their own. This is set in /etc/postfix/main.cf:

home_mailbox = Maildir/

Since users are created as local system accounts, email forwarding needs to be handled using the ~/.forward file for each specific user.

The configuration and test consist of the following steps:

  • Creating the Forwarding File
  • Identifying Forwarded Emails
  • Verifying Forwarding

Creating the Forwarding File

To create the forwarding file, use a terminal with sudo rights. In this example I use the ostrich account.

sudo nano /home/ostrich/.forward

Put only the address to which mail should be forwarded into it:

[email protected]

With this setup the forwarded mail is not kept on the server. To keep a copy, put the local username, prefixed with a backslash, in front of the forwarding address. The backslash tells the local delivery agent to deliver straight to that user's mailbox without expanding .forward again, which would otherwise loop:

\ostrich, [email protected]

After saving, make the file owned by the user and readable only by them (nano run through sudo created it as root):

sudo chown ostrich:ostrich /home/ostrich/.forward
sudo chmod 600 /home/ostrich/.forward

Identifying Forwarded Emails

Postfix can add an identifying header to forwarded mail. I do this with header_checks, which rewrites message headers as the message passes through the cleanup server, before it is queued.

In the main.cf configuration file add the following line:

header_checks = regexp:/etc/postfix/header_checks

Since this file does not exist yet, create it and add the header-modification rule (a regexp: table is read as a plain text file, so no postmap step is needed):

sudo nano /etc/postfix/header_checks

Add the following line:

/^Received:/ PREPEND X-Forwarded-By: Ostrich Mail

This rule prepends a new header, X-Forwarded-By: Ostrich Mail, in front of every Received: header of every message that passes through Postfix. It is therefore not limited to forwarded mail: any inbound message already carries a Received header and is marked too, and each matching Received header triggers the rule. The header marks mail that transited this server; the ~/.forward file is what actually forwards it.

After that, restart the Postfix service:

sudo systemctl restart postfix

Now, let’s move on to test

Verifying Forwarding

I sent an email from my Gmail account to my Ostrich account, which was then forwarded to my Hotmail server.

After logging in to Hotmail, I opened the email and reviewed the headers.

X-Forwarded-By: Ostrich Mail

The X-Forwarded-By header was present, confirming that the settings were correctly applied, and the service was working as expected
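Checking the header in the Hotmail web interface works once; to verify the forwarding path repeatedly, or from a saved "view source" copy, the following added example (not from the original post) parses a raw message with Python's email module, reports whether the X-Forwarded-By marker is present, walks the Received chain oldest-first and confirms that the mail transited mail.ostrich.kyiv.ua in chronological order. The raw message is constructed; the hostnames other than ostrich.kyiv.ua and all IP addresses are illustrative.

```python
"""Verify a forwarded message: marker header and Received chain.

Added example, not from the original post. SAMPLE_MESSAGE is a constructed raw
message; hostnames other than ostrich.kyiv.ua and all IP addresses are illustrative.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_MESSAGE = """\
Received: from mail.ostrich.kyiv.ua (mail.ostrich.kyiv.ua [203.0.113.10])
\tby mx.example.net with ESMTPS id abc123
\tfor <ostrich@example.net>; Wed, 26 Mar 2025 09:30:12 +0000
X-Forwarded-By: Ostrich Mail
Received: from mail-sor.example.com (mail-sor.example.com [198.51.100.5])
\tby mail.ostrich.kyiv.ua (Postfix) with ESMTPS id 4XyZ
\tfor <ostrich@ostrich.kyiv.ua>; Wed, 26 Mar 2025 09:30:10 +0000
From: sender@example.com
To: ostrich@ostrich.kyiv.ua
Subject: forwarding test
Message-ID: <test-1@example.com>

Body.
"""

# "from <host> ... by <host>" inside one (possibly folded) Received header.
HOP = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.DOTALL)


def received_chain(raw):
    """Received headers parsed into hops, oldest first (each relay adds its header at the top)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue
        date = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({"from": m["from"], "by": m["by"],
                     "when": parsedate_to_datetime(date) if date else None})
    return hops


def check_forwarded(raw, marker="Ostrich Mail", relay="mail.ostrich.kyiv.ua"):
    """Marker present? Did the mail pass through `relay`? Are the hop timestamps in order?"""
    msg = message_from_string(raw)
    markers = [v.strip() for v in msg.get_all("X-Forwarded-By", [])]
    hops = received_chain(raw)
    times = [h["when"] for h in hops if h["when"]]
    return {
        "marked": marker in markers,
        "marker_count": len(markers),
        "relayed_via": any(h["by"] == relay for h in hops),
        "chronological": all(a <= b for a, b in zip(times, times[1:])),
        "hops": hops,
    }


if __name__ == "__main__":
    import sys
    raw = SAMPLE_MESSAGE if sys.stdin.isatty() else sys.stdin.read()
    result = check_forwarded(raw)
    for hop in result["hops"]:
        print(f"{hop['when']}  {hop['from']} -> {hop['by']}")
    print("marker present:", result["marked"], "| relayed via ostrich:", result["relayed_via"])
```

Save the message from the receiving mailbox as a .eml file and pipe it into the script; a missing marker with the relay still present in the chain points at header_checks, a missing relay at the .forward file.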

Conclusion

The email forwarding process in Postfix can be efficiently configured by setting up the ~/.forward file and utilizing the header_checks to add identifiers like X-Forwarded-By. This ensures both the proper forwarding of messages and clear identification of forwarded emails.
