The community-maintained documentation platform of IPFire

User Tools

Site Tools



This instruction have no claim for completeness. There is only one possible way described how to install and use a mailserver consisting of a combination of Postfix, Cyrus-imap, Fetchmail, Amavis, and Clamav, Spamassassin on IPFire.

A special thanks to all who have assisted me therefor! alpensegler, Arne.F, eXciter, Maniacikarus, ummeegge, Vossi

Of course I have not reinvented the wheel but a lot of research on the Internet. Important sources from which I have used excerpts:

My thanks also go to the operators and authors of this websites!

Requirement for this instruction is the successful installation of the required basic packages: mysql, postfix, cyrus-imapd, fetchmail, amavisd, clamav, spamassasin, openmailadmin.


Function description for this mailserver

This internal mailserver setup will collect the external mail accounts over Fetchmail and POP3 or IMAP. Also it will investigate the mails for spam and viruses using Amavis, Spamassassin and ClamAV in order to determine the mails subsequently to the internal IMAP mail accounts. As the outgoing mailserver we use the SMTP mailserver from the provider of our trust. In this case it is Arcor, but it could be also any other SMTP server. Requirement is, of course you have an account on this.


As an introduction to the subject matter, I recommend the wiki which describes the creation of Openmailadmin. This was my entry and it is a good basis for this guide.

Please note that the above assumed wiki uses the mailserver also as a SMTP server. In here this will be done differently.

So let's start...

If you have created a mail account via Openmailadmin and the first internal mail was successfully sent and retrieved, let's start with the next step. As described in the above mentioned wiki we will set up fetchmail to collect the first Internet mail account. Here again the advice that you have to enter the SMTP-server of your provider in your mail client, not the IPFire!

Since I do not hold much of unencrypted e-mail traffic on the Internet, the first step is to activate the encryption.

Therefor we use the Console of IPFire and execute step by step the following commands.

  • Create the Keyfile
openssl req -new -nodes -out req.pem -keyout key.pem  
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 999 
  • Copy them into the right place and make a certificate out of it
cp new.key.pem /var/ipfire/cyrusimap/server.pem
rm new.key.pem
cat ca-cert >> /var/ipfire/cyrusimap/server.pem
  • Set up the owner of the certificate and restrict the access
chown cyrus:mail /var/ipfire/cyrusimap/server.pem
chmod 600 /var/ipfire/cyrusimap/server.pem # Your key should be protected
  • Extend the Cyrus-IMAP configuration for the usage of the certificate
echo tls_ca_file: /var/ipfire/cyrusimap/server.pem >> /var/ipfire/cyrusimap/imapd.conf
echo tls_cert_file: /var/ipfire/cyrusimap/server.pem >> /var/ipfire/cyrusimap/imapd.conf
echo tls_key_file: /var/ipfire/cyrusimap/server.pem >> /var/ipfire/cyrusimap/imapd.conf

This allows the encrypted email traffic between email client and our mailserver.

TLS support for Postfix

Now, the additional mail traffic between our mailserver and the mailservers we collect from will be encrypted. Therefor we need to edit the postfix configuration file /etc/postfix/ and add the following lines.

file: /etc/postfix/
#TLS Support
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/certs/smtpd.key
smtpd_tls_cert_file = /etc/postfix/certs/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Then we go back to the Console and issue the following commands:

  • Create the directory
mkdir /etc/postfix/certs
  • Change into the directory
cd /etc/postfix/certs
  • Create the private Key
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
  • Restrict the access permission for the Key
chmod 600 smtpd.key
  • Create the certificate
openssl req -new -key smtpd.key -out smtpd.csr

It is important to set the corresponding host-domain for the “common name” As passphrase you should use the same than before

openssl x509 -req -days 999 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
  • Rename the key
mv -f smtpd.key.unencrypted smtpd.key
  • Autograph session
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 999
  • Postfix must now be restarted to activate the new settings
/etc/init.d/postfix restart

Autostart Postfix

To start Postfix automatically on boot time you can set the following symlinks:

ln -s /etc/init.d/postfix /etc/rc.d/rc0.d/K31postfix
ln -s /etc/init.d/postfix /etc/rc.d/rc3.d/S31postfix
ln -s /etc/init.d/postfix /etc/rc.d/rc6.d/K31postfix

Customize Fetchmail

The most important thing is to add the ssl line into the file /root/.fetchmailrc to enable the SSL functionality at all. This line must be retrieved to any registered account.


File: /root/.fetchmailrc
  poll with 
    proto pop3 
    user testuser
    is usertest
    no rewrite 

We are not done yet, on the Console, we execute the following command.

fetchmail -v 

The answer will look similarly or like this.

fetchmail: 5.9.11 querying (protocol POP3) at Wed, 02 Oct 2002 18:42:00 	+0200 (CEST): poll started
	fetchmail: Issuer Organization: Thawte Consulting cc
	fetchmail: Issuer CommonName: Thawte Server CA
	fetchmail: Server CommonName:
	fetchmail: key fingerprint: 	1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47
	fetchmail: fingerprints match.
	fetchmail: POP3< +OK WEB.DE POP3-Server
	fetchmail: POP3> USER christoph.rummel
	fetchmail: POP3< +OK Bitte Kennwort eingeben/enter password
	fetchmail: POP3> PASS *
	fetchmail: POP3< +OK Postfach bereit/mailbox locked and ready
	fetchmail: POP3> STAT
	fetchmail: POP3< +OK 0 0
	fetchmail: No mail for christoph.rummel at
	fetchmail: POP3> QUIT
	fetchmail: POP3< +OK
	fetchmail: 5.9.11 querying (protocol POP3) at Wed, 02 Oct 2002 18:42:05 	+0200 (CEST): poll completed
	fetchmail: normal termination, status 1

The fingerprint is important for us. We will add this information to the file /root/.fetchmailrc.

file: /root/.fetchmailrc
  poll with 
    proto pop3 
    user testuser
    is usertest
    no rewrite 
    sslfingerprint "1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47"

If you want to safely collect e-mails from a mail server, without deleting it from the server, you can write into the /root/.fetchmailrc behind the user name a “keep” and so the mails will be kept on the server.


File: /root/.fetchmailrc
  poll with 
    proto pop3 
    user testuser keep
    is usertest
    no rewrite 
    sslfingerprint "1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47"

The password will be fetched from /root/.netrc. A valid entry looks like this.

File: /root/.netrc
	login testuser 
	password xxxxx

Attention! If you do this you should create a symbolic link to /root/.netrc:

ln -s /root/.netrc /.netrc

otherwise fetchmail can not find the file if it starts by cron or at boot time.

Don't forget to set the correct permissions

chmod 600 /root/.netrc

Autostart Fetchmail

To start fetchmail automatically on boot time you can set the following symlinks:

ln -s /etc/init.d/fetchmail /etc/rc.d/rc0.d/K35fetchmail
ln -s /etc/init.d/fetchmail /etc/rc.d/rc3.d/S35fetchmail
ln -s /etc/init.d/fetchmail /etc/rc.d/rc6.d/K35fetchmail

Amavis, Spamassasin, ClamAV

At this point we collect our Internet mail accounts encrypted and sort them in our internal mail account.

But now we still want to let the mail investigate for spam and viruses. Therefor we use Amavis, Spamassassin und ClamAV.

For the first step we edit the file /etc/postfix/ again and add the following lines into it.

File: /etc/postfix/
	soft_bounce = yes 

Afterwards we adapt the file /etc/amavisd.conf . We check the following lines and adjust them according to our naming.

It is also important that the path to the ClamAV is set correctly.

File: /etc/amavisd.conf
  $myhostname = 'ipfire.localdomain';  # must be a fully-qualified domain name! 
          #       ### 
	  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], 
	        qr/\bOK$/, qr/\bFOUND$/, 
	         qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Back again in the Console we incorporate the user clamav to the group amavis, because ClamAV and Amavis will need each other permissions.

usermod -aG amavis clamav

Subsequently we will edit the file /var/ipfire/clamav/clamd.conf and add the following lines.

File: /var/ipfire/clamav/clamd.conf
	AllowSupplementaryGroups yes

So that everything works even after a restart we create under /etc/rc.d/rc3.d/ appropriate symbolic links. Therefor we type the following commands into the Console.

ln -s ../init.d/amavisd /etc/rc.d/rc3.d/S38amavisd
ln -s ../init.d/spamassassin /etc/rc.d/rc3.d/S38spamassassin

Because we want to work clean, we will also finish the applications while a shutdown or restart of the system.

ln -s ../init.d/amavisd /etc/rc.d/rc0.d/K25amavisd
ln -s ../init.d/amavisd /etc/rc.d/rc6.d/K25amavisd	
ln -s ../init.d/spamassassin /etc/rc.d/rc0.d/K25spamassassin
ln -s ../init.d/spamassassin /etc/rc.d/rc6.d/K25spamassassin


For brief explanation, I mount an NFS from myNAS to /backup. Then I will check with an “IF-loop” if it works, because I do not want that he saves the backup directly to the IPFire. If the mount fails, he sends me an e-mail and cancels the backup.

You can also omit this, but in this case the mail backup would then be placed directly on the IPFire.

First, I created a directory where the backup should be written.

mkdir /backup

Now we create a file named and copy it to /bin

touch /bin/

The content looks like this:

File: /bin/
	DATE=$(date +%a)
	SOURCE="/var/imap /var/log/imap /srv/web/openmailadmin /root/.fetch*"
	mount -t nfs /backup
	if [ "$?" == "0" ]
		/etc/init.d/fetchmail stop;
		/etc/init.d/amavisd stop
		/etc/init.d/spamassassin stop
		/etc/init.d/postfix stop;
		/etc/init.d/cyrus-imapd stop;
		sleep 10;
		killall master;
		sleep 5;
		su - cyrus -c '/usr/lib/cyrus/ctl_mboxlist -d \ > /backup/mailboxes.txt';
		mv /backup/mailboxes.txt $BACKUP_DIR/$DATE-mailboxes.txt;
		tar -czpf $BACKUP_DIR/$DATE-mails.tar.gz $SOURCE #kompression gzip;
		/etc/init.d/cyrus-imapd start;
		/etc/init.d/postfix start sleep 5;
		/etc/init.d/amavisd start
		/etc/init.d/spamassassin start
		/etc/init.d/fetchmail start;
		umount /backup;
	else sendmail -t < /bin/mail-backup-error.txt

Set the correct access permission

chmod 600 /bin/

The sending of the e-mail happens with Sendmail. So that this works, another file named mail-backup-error.txt needs to be created in the directory /bin. The following content should then be inserted.

File: /bin/mail-backup-error.txt
	to: receiver account	
     subject: Mailbackup failed! 
	from: Sender account
	The backup of the email accounts could not be accomplished. 
	Please fix this!

Now we have also a way to ensure our mail accounts. Who wants to automate the whole thing, needs to subscribe it to the fcrontab.

This is simply done by editing the fcrontab via console.

fcrontab -e

The editing of fronctab takes place with the editor vi. Please make yourselves familiar with the handling in advance! You can also use alternatively WINSCP

and add the following lines.

# mail-backup 
30 2 * * * /bin/ 

So thats all. We retrieve our mails, check them for spam and viruses, sort it into our accounts and backup our email accounts once a day.

Finally, a word of advice. In this configuration, spam and virus emails moves into the folder /var/virusmail/ and they won't be delivered. Who prefer another way needs to adjust amavis accordingly, but that is beyond this manual.


To prevent that too many temporary files and directories are accumulate by Amavis, the Documetation of Amavisd-new advises to look from time to time for superfluous and delete it.

For this purpose, there can be found in the mentioned documentation in the category “Tips and FAQ – general” the following commands.

  find /var/amavis -type d -name 'amavis-20??????T*' \
    -prune -mtime +1 -exec rm -rf {} \;

It also describes that by executing the commands amavisd should not be active.

So for this intention it is possible to write a script to manage this procedure, which finishes first amavisd, executes then the commands to starts subsequently amavisd again. For the second way you can do it like me and add the commands to the start script of amavisd. This implicates before each start, amavisd will deleted the redundant data.

The content of /etc/init.d/amavisd looks the as follows.

File: /etc/init.d/amavisd
# Begin $rc_base/init.d/amavisd
# Description : Amavisd Init Script
# Authors     : Michael Tremer (
# Version     : 01.00
# Notes       :
. /etc/sysconfig/rc
. ${rc_functions}
case "${1}" in
                boot_mesg "Starting AMaViS Daemon..."
                find /var/amavis/tmp -type d -name 'amavis-20??????T*' \
    -prune -mtime +1 -exec rm -rf {} \;
                loadproc /usr/bin/amavisd
                boot_mesg "Stopping AMaViS Daemon..."
                killproc /usr/bin/amavisd
                ${0} stop
                sleep 1
                ${0} start
                statusproc /usr/bin/amavisd
                echo "Usage: ${0} {start|stop|restart|status}"
                exit 1

Addendum 2

It is to consider that Fetchmail as well as Postfix produces also log files. Since they both are Addons, and not a part of the standard installation of IPFire they are not a part of the configured logfile-rotation and they would grow more and more. So they have to be involved afterwards to the logfile-rotation.

Therefor, the file /etc/logrotate.conf will be edited and the following lines will be added.

File: /etc/logrotate.conf
# Postfix
/var/log/mail {
    rotate 4
# Fetchmail
/var/log/fetchmail.log {
    rotate 4

For this WiKi the IPFire team wants to thanks WhyTea.

addons/mailserver/start.txt · Last modified: 2018/11/13 00:44 by Jon