
Email - Install a full secure mail server

Prerequisites

1) A Linux server, preferably Debian or Ubuntu if you want to follow this tutorial step by step; on other distributions the software packages and file paths can differ.

2) A public IP address, preferably directly on the server. If you do not own the IP yourself in the RIPE database, the provider of this IP address must be able and willing to set a reverse DNS entry on it later in this tutorial, so if you are still looking for a provider, check this with them before ordering a service.

3) A publicly registered domain name, hosted either with a DNS hosting company or on a small DNS server that you run yourself. If you use a DNS provider, make sure they allow you to enter TXT records for your domain.

My example users and domain used in this tutorial

In this tutorial, I will be using “example.com” as the domain. Please replace every occurrence of example.com with your own domain when following along. At the time of writing, example.com was pointing to the public IP 123.123.123.123.

Also the demouser account email is demouser@example.com.

What we will have at the end of this tutorial

  • An email system with addresses in the form of @example.com.
  • IMAP secured with SSL for access to your emails (test is to access emails from your smartphone).
  • All standard protection mechanisms on the emails so that other email systems do not classify our emails as SPAM. This includes SPF, DKIM, rDNS and SpamAssassin headers.

Step 1: Configure local hostname and domain on linux server

This is how we will name our systems: “example.com” is the domain and “exampleserver” is the hostname.

The DNS server will be 8.8.8.8 (NOTE: This is a gmail DNS system).

echo exampleserver> /etc/hostname
hostname -F /etc/hostname
echo "8.8.8.8   exampleserver.example.com exampleserver" >> /etc/hosts

Verification is easy: run these commands and you should get the answers shown.

hostname --short
exampleserver
 
hostname --domain
example.com
 
hostname --fqdn
exampleserver.example.com
 
hostname --ip-address
8.8.8.8 

Step 2: Install email system exim4 and supporting packages

To get all the software on Debian for our little tutorial, we need three main pieces of software:

  1. Exim4 – the SMTP daemon.
  2. Courier – communication extension for Exim4 to have IMAP and POP access to emails.
  3. Swaks – Swiss army knife for SMTP troubleshooting.
  4. SSL-cert packages – for easy work with generating certificates in later parts of the tutorial.

If you are using Debian or Ubuntu, then you can simply follow these commands:

apt-get update 
apt-get install exim4-daemon-heavy courier-authdaemon courier-imap courier-imap-ssl courier-pop courier-pop-ssl swaks libnet-ssleay-perl ssl-cert

Note/Warning: By default, Courier will use a self-signed certificate. This is OK if you are going to be the only user of the mail system, but if you plan to invite many people, as for a public system (and you do not plan to distribute your own certification authority to them), then you need a signed certificate. For our small IMAP use case we will not replace it, but it is definitely not OK for a public or larger system! This is the warning the installation gives you about this:

SSL Certificate Required

POP and IMAP over SSL requires a valid, signed, X.509 certificate.
During the installation of courier-pop-ssl or courier-imap-ssl, a
self-signed certificate will be generated if necessary.

For production use, the X.509 certificate must be signed by a recognized 
certificate authority, in order for mail clients to accept the
certificate.  The default location for this certificate is
/etc/courier/pop3d.pem or /etc/courier/imapd.pem.

You can verify the installation afterwards by checking the listening ports with netstat: the pop3, imap, smtp, pop3s and imaps ports should all be present, as in the example below:

netstat -utal
-- omitted --
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN     
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN     
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN     
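
The same check as a script, added here as an example and not part of the original tutorial: it reads netstat output and reports each of the five mail services as missing, bound to loopback only, or reachable from the network. The names check_mail_ports and sample_netstat are hypothetical, and the sample lines are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): classify the Step 2 mail
# services from netstat -utal output read on stdin.
# check_mail_ports and sample_netstat are hypothetical helper names.
check_mail_ports() {
    awk '
    BEGIN {
        n = split("smtp pop3 imap2 pop3s imaps", want, " ")
        # Aliases: numeric ports (netstat -n) and the "imap" service name.
        alias["25"] = "smtp"; alias["110"] = "pop3"; alias["143"] = "imap2"
        alias["995"] = "pop3s"; alias["993"] = "imaps"; alias["imap"] = "imap2"
    }
    $NF == "LISTEN" {
        svc = $4;  sub(/.*:/, "", svc)         # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
        if (svc in alias) svc = alias[svc]
        seen[svc] = 1
        # Anything not bound to loopback is reachable from the network.
        if (host !~ /^(localhost|ip6-localhost|127\.0\.0\.1|\[::1\]|::1)$/) pub[svc] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            s = want[i]
            if (!(s in seen))     print "MISSING " s
            else if (!(s in pub)) print "LOCAL-ONLY " s
            else                  print "OK " s
        }
    }'
}

# Sample input: the listening sockets from the netstat output shown above.
sample_netstat() {
    cat <<'EOF'
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN
EOF
}
```

On a live system, run `netstat -utal | check_mail_ports`. For the sample, smtp is reported as LOCAL-ONLY: at this stage exim4 accepts connections from the machine itself only, which is what the empty listen field in Step 5 changes.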

Step 3: Preparing local users for mail system (Maildir)

In this example, I prefer each user to have their email inside their home directory under ~/Maildir. For new users, add this directory to the skeleton so that it is created automatically, like this:

maildirmake /etc/skel/Maildir

For existing users, you have to do this manually (or write a script for it). For example, for my test user “testuser” like this:

maildirmake ~demouser/Maildir
chown -R demouser:demouser ~demouser/Maildir

Step 4: Create new user to test the mail system

adduser demouser

Give this user a password when prompted. Always choose a good password here, because this UNIX password will also be used for IMAP/POP3 access to your emails!

Step 5: Configure exim4

The first step here is to use the Debian built-in configuration package to configure the “main” exim4 points with:

dpkg-reconfigure exim4-config

It will give you several options in a wizard. This is how I configured my answers for a small and independent server:

  • General type of mail configuration: internet site; mail is sent and received directly using SMTP.
  • System mail name: example.com
  • IP-addresses to listen on for incoming SMTP connections: leave this field empty!!!
  • Other destinations for which mail is accepted: leave this field empty!!!
  • Domains to relay mail for: leave this field empty!!!
  • Machines to relay mail for: leave this field empty!!!
  • Keep number of DNS-queries minimal (Dial-on-Demand)?: NO
  • Delivery method for local mail: Maildir format in home directory
  • Split configuration into small files?: NO
  • Root and postmaster mail recipient: demouser (or your real administrator name, but non-root account)
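
On Debian, the wizard stores most of these answers in /etc/exim4/update-exim4.conf.conf. The script below is an added example, not part of the original tutorial, that checks such a file against the answers listed above; the two relay keys matter most, since an entry there lets other domains or machines relay mail through the server. The helper names audit_exim4_conf, _want and sample_exim4_conf are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): compare Debian's
# update-exim4.conf.conf with the Step 5 wizard answers.
# audit_exim4_conf, _want and sample_exim4_conf are hypothetical helper names.

# _want KEY VALUE: report when KEY is absent or holds another value.
_want() {
    if ! grep -q "^$1=" "$conf"; then
        echo "MISSING $1"; rc=1; return
    fi
    got=$(sed -n "s/^$1='\(.*\)'\$/\1/p" "$conf" | tail -n 1)
    if [ "$got" != "$2" ]; then
        echo "MISMATCH $1='$got' (expected '$2')"; rc=1
    fi
}

# Usage: audit_exim4_conf /etc/exim4/update-exim4.conf.conf
audit_exim4_conf() {
    conf=$1; rc=0
    _want dc_eximconfig_configtype internet   # internet site
    _want dc_local_interfaces ''              # empty: listen on all interfaces
    _want dc_other_hostnames ''               # no other local destinations
    _want dc_relay_domains ''                 # relay for no domains
    _want dc_relay_nets ''                    # relay for no machines
    _want dc_minimaldns false                 # Dial-on-Demand: NO
    _want dc_localdelivery maildir_home       # Maildir in home directory
    _want dc_use_split_config false           # single configuration file
    return $rc
}

# Constructed sample: loopback-only listener and a relay network left in place.
sample_exim4_conf() {
    cat <<'EOF'
dc_eximconfig_configtype='internet'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1 ; ::1'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/16'
dc_use_split_config='false'
dc_localdelivery='maildir_home'
EOF
}
```

The function prints one line per deviation and returns non-zero if any is found. The system mail name is not covered, because Debian keeps it in /etc/mailname.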

Step 6: X.509 certificate for exim4 TLS support

First, run this small command to generate a certificate, based on the example from Exim.

email/install_a_full_secure_mail_server.1595694373.txt.gz · Last modified: 2020/07/25 16:26 by 92.220.10.100
