I need an internal mail server (it will not be reachable from the outside world) to receive mail from the infrastructure: routers, switches, backup reports and the like. We will do this with Postfix and Dovecot on Ubuntu 24.04. The emails are intended for an existing AD user.
1. Join the server to the Active Directory domain with SSSD
Install the necessary packages
sudo apt update
sudo apt install realmd sssd sssd-tools adcli samba-common-bin libnss-sss libpam-sss
Discover and join the domain
# Check that the domain is accessible
realm discover mydomain.local
# Join the domain (an AD account with sufficient rights is required)
sudo realm join --user=Administrator mydomain.local
Check the join
realm list
You should see something like:
mydomain.local
type: kerberos
realm-name: MYDOMAIN.LOCAL
domain-name: mydomain.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
SSSD configuration
The /etc/sssd/sssd.conf file is automatically generated by realm join. Here is a typical example after joining:
[sssd]
domains = mydomain.local
config_file_version = 2
services = nss, pam
[domain/mydomain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYDOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = mydomain.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = permit
Simplify user names
By default, SSSD uses the format username@mydomain.local for names and home directories (/home/username@mydomain.local). To simplify to the bare user name, change two parameters in /etc/sssd/sssd.conf:
use_fully_qualified_names = False
fallback_homedir = /home/%u
Apply the changes:
sudo systemctl restart sssd
sudo sss_cache -E
# Verify
getent passwd username
# Expected result: username:*:XXXX:XXXX::/home/username:/bin/bash
> ⚠️ Warning: If a local Unix account has the same name as an AD account, the local one wins: /etc/nsswitch.conf lists files before sss, so Postfix (and Dovecot) will resolve and use the local account, not the AD one. Plain getent passwd username only shows the first hit; compare getent -s files passwd username with getent -s sss passwd username to spot a duplicate, and delete it if necessary with sudo userdel -r username.
> ⚠️ Warning: With use_fully_qualified_names = False, all AD users are accessible without a domain suffix. This option is suitable for single-domain environments. In multi-domain environments, keep True.
2. Install Postfix and Dovecot
sudo apt install postfix dovecot-imapd dovecot-pop3d mailutils
When installing Postfix, choose "Internet Site" or "No configuration" at the debconf prompt; it does not matter much, since the configuration will be done by hand below.
3. Configure Postfix
/etc/postfix/main.cf
Here are the essential settings for an internal mail server:
# Server identity
myhostname = mailsrv.mydomain.local
mydomain = mydomain.local
myorigin = $mydomain
# Network
inet_interfaces = all
inet_protocols = ipv4
# Accepted local domains
mydestination = $myhostname, localhost.$mydomain, localhost, mydomain.local
# Delivery in Maildir
home_mailbox = Maildir/
# Hosts allowed to relay without authentication. Every host in the /24 (the routers,
# switches and backup jobs that send reports) can submit mail here without SASL;
# narrow this to the actual senders if you can.
mynetworks = 127.0.0.0/8 192.168.1.0/24
# Relay restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
# SASL — SMTP authentication delegated to Dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
Restart Postfix:
sudo systemctl restart postfix
4. Configure Dovecot
/etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
namespace inbox {
inbox = yes
}
/etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
disable_plaintext_auth = no
passdb {
driver = pam
}
userdb {
driver = passwd
}
> Dovecot authenticates through PAM (service name dovecot, /etc/pam.d/dovecot as shipped by the dovecot-core package), which includes common-auth; pam_sss was enabled there when libpam-sss was installed, and that is how AD credentials are validated. No additional configuration is required on the PAM side in most cases.
/etc/dovecot/conf.d/10-master.conf
Add the SASL socket for Postfix in the service auth block. This socket allows Postfix to delegate SMTP authentication to Dovecot:
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
unix_listener auth-master {
mode = 0600
user = root
group = root
}
user = root
}
> ⚠️ Check that the same socket is not already declared in another Dovecot configuration file before adding this block:
> grep -rn "unix_listener" /etc/dovecot/
Restart Dovecot:
sudo systemctl restart dovecot
5. Prepare the user Maildir
Postfix delivers emails to ~/Maildir/, but the user's home directory must exist and belong to the AD user before the first delivery, and an AD user who has never logged in on this server has no home directory yet. Create the home directory and the Maildir tree for each user, and make sure the home directory itself (not only Maildir) is owned by the user:
sudo mkdir -p /home/username/Maildir/new
sudo mkdir -p /home/username/Maildir/cur
sudo mkdir -p /home/username/Maildir/tmp
sudo chown -R username /home/username
sudo chmod 750 /home/username
sudo chmod 700 /home/username/Maildir
> 💡 Tip: Brace expansion ({new,cur,tmp}) does not happen inside quotation marks, so a quoted path creates one folder literally named {new,cur,tmp}. Either create the three subfolders separately as above, or leave the path unquoted: sudo mkdir -p /home/username/Maildir/{new,cur,tmp}.
> 💡 Tip: For AD users, the primary group name may contain spaces. Use only chown -R username without specifying the group to avoid errors.
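The three things that break this setup most often are an AD name shadowed by a local account, a home directory or Maildir not owned by the user, and a missing SASL socket. The script below bundles those checks into one pre-flight run. It is an added example written for this article, not part of the original page or of Postfix/Dovecot; it assumes Linux (GNU stat and glibc getent), that it runs as root on the mail server, and the paths used above (/var/spool/postfix/private/auth, ~/Maildir). The user name, file names and messages are placeholders.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the SSSD + Postfix + Dovecot chain on one host.
# Added example for this article, not code from the original page.
# Assumes Linux (GNU stat, glibc getent) and that it runs as root on the mail server.
set -u

# Which NSS backend answers for a user name: files, sss, both (a local account
# shadows the AD account, because nsswitch.conf lists files before sss) or none.
account_source() {
  local user=$1 in_files=0 in_sss=0
  getent -s files passwd "$user" >/dev/null 2>&1 && in_files=1
  getent -s sss passwd "$user" >/dev/null 2>&1 && in_sss=1
  case "$in_files$in_sss" in
    10) echo files ;;
    01) echo sss ;;
    11) echo both ;;
    *)  echo none ;;
  esac
}

# The home directory and the Maildir tree must exist and belong to the user's uid,
# otherwise Postfix local(8) defers delivery with "Permission denied".
check_maildir_layout() {
  local home=$1 uid=$2 d
  [ -d "$home" ] || { echo "missing home directory $home"; return 1; }
  [ "$(stat -c %u "$home")" = "$uid" ] || { echo "$home is not owned by uid $uid"; return 1; }
  for d in new cur tmp; do
    [ -d "$home/Maildir/$d" ] || { echo "missing $home/Maildir/$d"; return 1; }
    [ "$(stat -c %u "$home/Maildir/$d")" = "$uid" ] || { echo "$home/Maildir/$d is not owned by uid $uid"; return 1; }
  done
  echo "maildir ok: $home/Maildir"
}

# The Dovecot SASL socket that Postfix uses must exist and be owned by the postfix user.
check_auth_socket() {
  local sock=$1 owner=$2
  [ -S "$sock" ] || { echo "missing socket $sock (is dovecot running?)"; return 1; }
  [ "$(stat -c %U "$sock")" = "$owner" ] || { echo "$sock is not owned by $owner"; return 1; }
  echo "sasl socket ok: $sock"
}

# Run every check for one recipient; exit status 0 means the chain can deliver to them.
preflight() {
  local user=$1 uid home
  case "$(account_source "$user")" in
    both)  echo "CONFLICT: local account '$user' shadows the AD account; remove it (userdel -r)"; return 1 ;;
    none)  echo "NOT FOUND: '$user' is neither local nor in AD (check sssd and use_fully_qualified_names)"; return 1 ;;
    files) echo "note: '$user' is a local account, not an AD user" ;;
    sss)   echo "account ok: '$user' comes from AD via SSSD" ;;
  esac
  uid=$(id -u "$user")
  home=$(getent passwd "$user" | cut -d: -f6)
  check_maildir_layout "$home" "$uid" || return 1
  check_auth_socket /var/spool/postfix/private/auth postfix
}

# Usage: sudo ./preflight.sh username
if [ $# -ge 1 ]; then
  preflight "$1"
fi
```

Run it once per recipient before the first test mail; a non-zero exit status with the printed reason tells you which of the three steps above to redo.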
6. Test the entire chain
Send a test email
echo "Test mail" | mail -s "Test Postfix" username@mydomain.local
Check delivery in the logs
sudo journalctl -t postfix/local -n 20
# or, if rsyslog is installed: sudo grep postfix/local /var/log/mail.log
You should see a line indicating successful delivery (queue id and timing fields omitted here):
postfix/local: to=<username@mydomain.local>, relay=local, status=sent (delivered to maildir)
Check that the email is in the Maildir
sudo ls /home/username/Maildir/new/
Test IMAP authentication with telnet
telnet localhost 143
Once connected, type:
a login username@mydomain.local "PasswordAD"
a select INBOX
Expected responses:
a OK Logged in (authentication successful)
* 1 EXISTS (one email present in the inbox, returned by the SELECT)
To exit: a logout or Ctrl+] then quit.
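The manual checks above are fine once, but the devices and backup jobs that will feed this server deserve a repeatable test: send a mail, wait for it to land in the Maildir, and confirm that the relay policy really rejects unauthenticated senders from outside mynetworks. The script below is an added example written for this article, not code from the original page or from Postfix; it assumes bash (for /dev/tcp), the Maildir layout used in this article, and placeholder host and address names.

```bash
#!/usr/bin/env bash
# End-to-end checks for the mail chain: delivery into the Maildir and relay policy.
# Added example for this article, not code from the original page.
# Assumes bash (read -t and /dev/tcp) and the ~/Maildir layout used in the article.
set -u

# Number of messages currently in a Maildir (new + cur).
maildir_count() {
  find "$1/new" "$1/cur" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Block until the Maildir holds more than $2 messages, or $3 seconds elapse.
# Use it right after "mail -s ..." instead of eyeballing ls on Maildir/new.
wait_for_delivery() {
  local maildir=$1 before=$2 timeout=$3 waited=0
  while [ "$waited" -lt "$timeout" ]; do
    [ "$(maildir_count "$maildir")" -gt "$before" ] && return 0
    sleep 1
    waited=$((waited + 1))
  done
  return 1
}

# Map the final reply to RCPT TO onto what it means for the relay policy:
# 250 = accepted; 554 "Relay access denied" (or a 454 temporary form) = rejected,
# which is the expected answer for a client outside $mynetworks that did not AUTH.
smtp_relay_verdict() {
  case "$1" in
    250*)      echo accepted ;;
    454*|554*) echo rejected ;;
    *)         echo "unexpected: $1" ;;
  esac
}

# Open a plain SMTP session, try RCPT TO without AUTH, and classify the answer.
# Run it from a host outside mynetworks to confirm the server is not an open relay.
smtp_relay_probe() {
  local host=$1 port=$2 from=$3 to=$4 line last=""
  exec 3<>"/dev/tcp/$host/$port" || return 2
  read -r -t 10 line <&3                       # 220 banner
  printf 'EHLO probe.example\r\n' >&3
  while read -r -t 10 line <&3; do             # "250-" lines continue, "250 " ends the EHLO reply
    case "$line" in 250\ *) break ;; esac
  done
  printf 'MAIL FROM:<%s>\r\n' "$from" >&3
  read -r -t 10 line <&3
  printf 'RCPT TO:<%s>\r\n' "$to" >&3
  read -r -t 10 last <&3
  printf 'QUIT\r\n' >&3
  exec 3>&-
  smtp_relay_verdict "${last%$'\r'}"
}

# Example session (host, user and addresses are the placeholders used in this article):
#   before=$(maildir_count /home/username/Maildir)
#   echo "Test mail" | mail -s "Test Postfix" username@mydomain.local
#   wait_for_delivery /home/username/Maildir "$before" 30 && echo delivered
#   smtp_relay_probe mailsrv.mydomain.local 25 probe@external.example someone@external.example
```

A probe from a host inside 192.168.1.0/24 should print accepted (that is the point of mynetworks); the same probe from any other address should print rejected. If it prints accepted from outside, the server is an open relay and smtpd_relay_restrictions or mynetworks is wrong.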
7. Configure an IMAP client (Outlook / Thunderbird)
| Parameter | Value |
|---|---|
| Incoming server (IMAP) | mailsrv.mydomain.local |
| IMAP port | 143 |
| Encryption | None (or STARTTLS if SSL is configured) |
| Outgoing server (SMTP) | mailsrv.mydomain.local |
| SMTP port | 25 |
| SMTP authentication | Yes (AD login/password) |
| Login | username@mydomain.local |
Points to note
Account conflicts: If a local Unix account has the same name as an AD user, NSS resolves the local one first (files before sss in /etc/nsswitch.conf), so Postfix delivers to the local account and Dovecot checks the local password. Always check with getent passwd username (and getent -s sss passwd username) before going live and delete any duplicates.
Maildir permissions: The home directory must belong to the AD user. If you get a Permission denied error, check with ls -la /home/username/.
Disk space: With IMAP, emails remain on the server in the Maildir. Monitor the space with df -h /home and consider Dovecot quotas in the long term to avoid saturation.
Startup order: Postfix connects to the Dovecot SASL socket at each authentication attempt, so the socket must exist whenever a client sends AUTH; if Dovecot is down, smtpd logs a failure to connect to private/auth and the login is refused. If you encounter SMTP authentication issues, check that both services are active with systemctl status postfix dovecot.
SSL/TLS: This configuration runs without encryption, so the passwords sent with the PLAIN and LOGIN mechanisms cross the wire in clear; that is tolerable only on an isolated internal network. For anything beyond the LAN, add a certificate and enable STARTTLS on both Postfix and Dovecot. Use a certificate from the internal PKI: a public CA such as Let's Encrypt will not issue one for a .local name.
There you have it: a lightweight, robust internal messaging solution that integrates seamlessly with Active Directory.