Personal Mail Server with Mail-in-a-Box on a Cloud Server


Introduction

Operating a personal mail server can be beneficial for several reasons:

  • You can create an unlimited number of mailboxes or redirects without incurring any additional costs. Of course, the number of possible mailboxes on the server also depends on the hardware capabilities provided, such as the size of the RAM, processor power, and server storage space. If you use hosting.fr cloud servers, you have the option to dynamically adjust hardware performance by switching to a larger plan.

  • You can decide for yourself which software you want to use on your mail server and how it should be configured. For example, you can allow email attachments of any size or set the spam filter according to your wishes.

  • You have more control over your data. For example, you can create backups of all mailboxes with any software to freely chosen destinations.

  • Integrating the mail server into your existing company infrastructure is easier. For example, authenticating users against an LDAP directory is possible in principle on a server you manage yourself (Mail-in-a-Box itself does not offer this; it keeps its own user database).

  • The mail server can be integrated into your company’s VPN.

  • You can encrypt the data at rest on your mail server using Linux disk encryption. Note that this only protects the data while the volume is locked, for example on a decommissioned or stolen disk; on a running server the volume is unlocked and the data is accessible to anyone who controls the system.

However, operating a personal mail server can also lead to problems and disadvantages:

  • Operating a personal mail server requires taking responsibility for the mail system and exercising caution. A mail server failure, incorrectly processed or lost emails can disrupt business processes in the company. Stored emails may contain critical business information that third parties must not access under any circumstances.

  • A poorly configured mail server can cause other mail servers to classify your emails as spam, refuse them, or list your mail server on central blacklists as unreliable.

  • Configuring a mail server requires certain technical knowledge that the administrator must either possess or acquire.

  • A personal mail server must be maintained. A minimum of maintenance involves regularly installing security updates.

A mail server consists of several components. Manually installing and configuring these components is laborious. However, several options now exist to install, configure, and maintain these components automatically. In this article, we will use the “Mail-in-a-Box” script. It automatically installs and configures a mail server with all important components. The project is overseen by Joshua Tauberer.

Requirements

  • This guide is intended for administrators with basic Linux knowledge and familiar with administering a Linux system via the command line.

  • You will need a server with a fixed IP address on the Internet, which has a reliable and permanent Internet connection to operate the mail server. We recommend our cloud servers for this purpose. A minimum of 512 MB of RAM is required.

  • For Mail-in-a-Box, you will need a server or cloud server at hosting.fr with a fresh installation of Ubuntu Linux in the current LTS version. At the time of writing this guide, this is Ubuntu 18.04 LTS “Bionic Beaver”. The operating system installation on a cloud server at hosting.fr can be done fully automatically via the web interface.

  • To send and receive emails, you will need a domain name whose DNS records you can modify. The mail server also needs a valid hostname. We assume you have reserved a domain at hosting.fr.

Overview

A mail server generally consists of the following components:

  • The SMTP server is responsible for receiving and sending emails. It stores received emails on the server and sends emails received from clients to other SMTP servers.

  • The IMAP or POP3 server allows the retrieval of emails stored on the mail server by the client.

  • The spam filter is responsible for filtering incoming emails.

  • The web interface serves for user-friendly management of the mail server.

  • For resolving domain names to IP addresses via the Domain Name System (DNS), a DNS server is required. The Domain Name System Security Extensions (DNSSEC) add cryptographic signatures to DNS records so that a resolver can verify that an answer is authentic and has not been modified; DNSSEC does not encrypt DNS traffic.

All components are automatically installed and configured by “Mail-in-a-Box”.

For those interested, the main components of Mail-in-a-Box and their roles are:

  • Postfix: as the SMTP server
  • Dovecot: as the IMAP(S) and POP3 server, as well as for email filtering with Sieve
  • Spamassassin: as the spam filter
  • nginx: as the web server
  • Nextcloud: for calendar and contact synchronization
  • Roundcube: as the webmail interface

Step 1: Creating a Cloud Server

If you have not yet completed this step, please create a new cloud server at hosting.fr with the currently required operating system for Mail-in-a-Box. At the time of writing this article, this is Ubuntu 18.04 LTS. Mail-in-a-Box requires a freshly installed server.

Step 2: Adjusting DNS Settings

Mail-in-a-Box also includes an integrated DNS server. For functional separation between the DNS server and the mail server, however, we will not use it in this tutorial, but the default DNS servers already used at hosting.fr, which are operated redundantly and whose entries can be modified via the hosting.fr management interface. Because the box's own DNS is not used, every record that Mail-in-a-Box generates later (for example a new DKIM key or a newly added domain) must be copied into the hosting.fr DNS by hand; the admin panel lists them under “System” > “External DNS”.

Please adjust the DNS settings of your domain accordingly. This is done at hosting.fr in the web interface.

  • The mail server requires a valid “A” record for its hostname, containing the IPv4 address of your server, and, if the server has an IPv6 address, an “AAAA” record containing that IPv6 address. Do not publish an AAAA record for an address the server does not actually listen on: receiving servers prefer IPv6 when it is advertised and would then fail to connect. In our case, we use the hostname “mailinabox.mustermann-domain.fr” under the domain “mustermann-domain.fr” for the mail server.

  • The Reverse-DNS (RDNS) entry of the mail server, also called the “PTR record”, must be configured correctly. It associates the server’s IP address with a hostname. RDNS entries can be set at hosting.fr in the cloud server’s network configuration. Please set the RDNS entry of the IPv4 and IPv6 address to the mail server’s hostname here.

  • The “Mail Exchange Resource Records” (MX), commonly called “MX records”, define which mail server should process the emails received for the respective domain. Multiple MX records with different priorities for multiple servers can be defined. Since we are only operating one mail server in this article, a single MX record with priority 10 is sufficient. The MX record points to the mail server’s hostname (never to an IP address). If the mail server is to process emails for multiple domains, please also modify the MX records of the other domains.

Step 3: Unblocking Port 25

If you are using a hosting.fr cloud server, port 25 for SMTP will be blocked by default to prevent spam sending. Please contact hosting.fr support to unlock this port.

Step 4: Running the Mail-in-a-Box Script via SSH

Please connect with root rights via SSH to your server. For security reasons, we recommend using OpenSSH public key authentication and disabling password authentication on the server.

First, update the system with:

apt update
apt upgrade

Then install curl and lsb-release, which the setup script needs:

apt install curl lsb-release

Please run the following command to start the installation of Mail-in-a-Box. It downloads the setup script from the project site and executes it with root rights; if you prefer to inspect the script before running it, save it to a file first and read it, then run that file with sudo -E bash.

curl -s https://mailinabox.email/setup.sh | sudo -E bash

The script will then install the packages still missing on the system and will display the following dialog:

Installation Mail-in-a-Box

Please confirm with “OK”. Then you will be prompted to provide an email address you want to use to manage Mail-in-a-Box:

Installation Mail-in-a-Box

The local part, that is, the part before the “@” symbol of the email address, can be chosen freely. The domain part, that is, the part after the “@” symbol, must be one of the domains you control; this address becomes the administrator account of the box.

Mail-in-a-Box will then ask for confirmation regarding the mail server’s hostname:

Installation Mail-in-a-Box

This must match the RDNS entry. In our example, it is mailinabox.mustermann-domain.fr.

In the next step, you need to configure the geographic region in which the server will be operated:

Installation Mail-in-a-Box

For France, please choose “Europe” then “Paris”. In the next step, keys and certificates will be generated and the installation of the components will begin. This may take some time.

The installer will then ask for a password for the administrator account (the email address entered earlier) that will be used to manage the mail server:

Installation Mail-in-a-Box

Please generate a strong, unique password and set it; this account has full control over the web panel and all mailboxes. Once the installation is complete, the following message will appear:

Installation Mail-in-a-Box

Please now access the Mail-in-a-Box web interface. To do this, please visit the page https://<Your-Hostname>/admin. Mail-in-a-Box uses a self-signed certificate at this stage, so your browser will warn you and you will need to add an exception. Before accepting it, compare the fingerprint shown in the browser’s certificate details with the fingerprint that Mail-in-a-Box printed on the command line at the end of the installation; if they differ, do not proceed.

Installation Mail-in-a-Box

After logging in, the result of a status check will be displayed:

Installation Mail-in-a-Box

Everything that appears in green in the screenshot above should also be visible in your status check.

Step 5: Configuring the SSL Certificate with Let’s Encrypt

To configure a TLS certificate, please click in the Mail-in-a-Box admin panel on “System” > “TLS (SSL) Certificates”. Click on “Provision” there. Provisioning only succeeds if the A/AAAA records created in Step 2 already resolve to the box and the box is reachable on port 80 from the Internet, since Let’s Encrypt validates the hostname over HTTP.

Installation Mail-in-a-Box

The certificate for the mail server will be configured automatically. Once the configuration is complete, the following message will be displayed:

Installation Mail-in-a-Box

At the bottom of the page, error messages may appear regarding certificates related to domains not managed by the mail server.

Step 6: More Security with SPF, DKIM, DMARC, and DNSSEC

The following procedures offer additional protection when exchanging emails. In particular, they make it harder for unauthorized servers to send emails with your sender address, which is known as “spoofing” of your sender address.

The Sender Policy Framework (SPF), specified in RFC 7208, lets a receiving mail server verify, using a DNS TXT record published for the domain of the envelope sender address (the SMTP MAIL FROM), whether the connecting server is authorized to send mail for that domain. For example, the record can state that only the hosts named in the domain’s MX records are authorized to send mail for it and that mail from all other sources should be rejected.

With DomainKeys Identified Mail (DKIM), specified in RFC 6376, the mail server cryptographically signs outgoing emails (selected headers and the body). The receiving server fetches the public key from a DNS record under the selector and signing domain named in the signature and verifies that the message was signed with that domain’s private key and has not been altered in transit.

SPF and DKIM tell the receiving server whether the sending server was authorized and whether the message is authentic, but neither by itself ties that result to the From: address the user actually sees. Domain-based Message Authentication, Reporting and Conformance (DMARC), specified in RFC 7489, closes this gap: the domain owner publishes a DNS record that requires the SPF- or DKIM-authenticated domain to align with the domain in the From: header, states what the recipient should do with messages that fail this check (none, quarantine or reject), and optionally names an address for aggregate reports.

If all three procedures are to be used, the corresponding DNS entries must be created on the DNS server. The appropriate DNS records are automatically proposed by Mail-in-a-Box. To display them, click on “System” > “External DNS”.

The following TXT type DNS records must be transferred to the hosting.fr DNS server:

For the SPF procedure, the following entries are necessary:

mustermann-domain.fr	TXT	v=spf1 mx -all

The necessary entries for the DKIM procedure:

mail._domainkey.mustermann-domain.fr	TXT	v=DKIM1; h=sha256; k=rsa; s=email; p=[individual key]

mail._domainkey.mailinabox.mustermann-domain.fr	TXT	v=DKIM1; h=sha256; k=rsa; s=email; p=[individual key]

The value “[individual key]” corresponds to a key that is individually generated by Mail-in-a-Box. Please copy the TXT records with your specific keys generated from the Mail-in-a-Box web interface and add them to the hosting.fr DNS server.

The DMARC records, which define the rules regarding how emails detected as forged should be handled:

_dmarc.mustermann-domain.fr	TXT	v=DMARC1; p=quarantine

_dmarc.mailinabox.mustermann-domain.fr	TXT	v=DMARC1; p=quarantine

The above DNS records for the DMARC procedure instruct receiving mail servers to move emails that fail the DMARC check into quarantine (typically the spam folder). If you also want to receive aggregate reports about who is sending mail in your domain’s name, add a reporting address to the record, for example rua=mailto:dmarc-reports@mustermann-domain.fr (any mailbox or alias on your server will do). Once you are confident that all legitimate mail passes, the policy can be tightened to p=reject.
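To make the interplay of the SPF and DMARC records above concrete, here is a small added example that is not part of the original article and not Mail-in-a-Box code. It evaluates SPF for a connecting IP address against a domain’s record and then applies the DMARC policy, using a constructed in-memory DNS table instead of real lookups. The example domains, the documentation addresses 203.0.113.25, 2001:db8::25 and 198.51.100.7, and the third-party domain attacker.example are assumptions for illustration only; DKIM verification is deliberately left out because it needs a signed message.

```python
import ipaddress

# Constructed DNS data for this example (not live records): the page's example domain, its
# box, and a hypothetical third party "attacker.example" whose SPF record legitimately
# covers its own sending range 198.51.100.0/24.
DNS = {
    ("mustermann-domain.fr", "TXT"): ["v=spf1 mx -all"],
    ("mustermann-domain.fr", "MX"): [(10, "mailinabox.mustermann-domain.fr")],
    ("_dmarc.mustermann-domain.fr", "TXT"): ["v=DMARC1; p=quarantine"],
    ("mailinabox.mustermann-domain.fr", "A"): ["203.0.113.25"],
    ("mailinabox.mustermann-domain.fr", "AAAA"): ["2001:db8::25"],
    ("mailinabox.mustermann-domain.fr", "TXT"): ["v=spf1 a -all"],
    ("attacker.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in resolver over the table above; swap in real DNS queries for live use."""
    return DNS.get((name.lower(), rtype), [])


def _host_ips(name, lookup):
    return {ipaddress.ip_address(a) for t in ("A", "AAAA") for a in lookup(name, t)}


def check_spf(client_ip, sender_domain, lookup=lookup, depth=0):
    """Evaluate the connecting IP against sender_domain's SPF record (RFC 7208 subset).
    Handles all, ip4, ip6, a, mx and include; ptr, exists, macros and redirect= are
    reported as permerror here, a complete evaluator would process them."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(sender_domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                # more than one SPF record is a permanent error
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in _host_ips(arg or sender_domain, lookup)
        elif mech == "mx":
            matched = any(ip in _host_ips(host, lookup)
                          for _prio, host in lookup(arg or sender_domain, "MX"))
        elif mech == "include":
            matched = check_spf(client_ip, arg, lookup, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term: RFC default


def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(client_ip, mail_from_domain, header_from_domain, lookup=lookup):
    """SPF-only DMARC evaluation (DKIM omitted): the message passes when SPF passes for the
    MAIL FROM domain *and* that domain aligns with the visible From: domain; otherwise the
    From: domain's published policy (p=) applies. Relaxed alignment is approximated here by
    a parent-domain suffix match instead of the public-suffix lookup real receivers do."""
    mail_from, header_from = mail_from_domain.lower(), header_from_domain.lower()
    aligned = mail_from == header_from or mail_from.endswith("." + header_from)
    if aligned and check_spf(client_ip, mail_from, lookup) == "pass":
        return "pass"
    records = [r for r in lookup("_dmarc." + header_from, "TXT") if r.startswith("v=DMARC1")]
    if not records:
        return "none"                   # no policy published: the receiver decides alone
    return parse_tags(records[0]).get("p", "none")


if __name__ == "__main__":
    print(check_spf("203.0.113.25", "mustermann-domain.fr"))    # pass: address of the MX host
    print(check_spf("198.51.100.7", "mustermann-domain.fr"))    # fail: not an MX address
    # SPF alone passes for attacker.example, but the From: domain is not aligned, so
    # mustermann-domain.fr's DMARC policy applies: quarantine
    print(dmarc_disposition("198.51.100.7", "attacker.example", "mustermann-domain.fr"))
```

The last call is the case DMARC was designed for: a sender whose own SPF record is perfectly valid puts your domain in the From: header. SPF passes, yet the message is quarantined because the authenticated domain does not align with the From: domain. Without a DMARC record, the function returns "none" and the receiver is left to its own heuristics.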

Since all of the procedures mentioned above rely on DNS, it is advisable to also activate DNSSEC, so that the records themselves are signed and a receiving server can detect forged DNS answers. You can activate DNSSEC in the “Advanced Settings” of the domain in the hosting.fr user interface. Please activate both options “DNSSEC” and “Keys to keep with the domain”.

Step 7: Creating Mailboxes and Aliases

Mailboxes can be created and managed in the Mail-in-a-Box admin panel under:

https://mailinabox.mustermann-domain.fr/admin

Mailboxes store emails on the server, whereas aliases simply forward emails to mailboxes on the mail server itself or to addresses on other mail servers.

To manage mailboxes, go to the menu via “Mail” > “Users”:

Installation Mail-in-a-Box

Via “Mail” > “Aliases” you can manage aliases:

Installation Mail-in-a-Box

Step 8: Testing the Server

Before the mail server is put into operation, some checks must be performed to ensure the correct functioning of the mail server and also to prevent the server and its IP address from appearing on a blacklist for mail servers or the server’s reputation from being degraded in spam filters.

There are some tools on the Internet to check mail server configurations, for example:

  • DNS settings: forward and reverse lookup for IPv4 and IPv6
  • SSL certificates
  • “Open Mail Relay” check

The site “MXToolbox” is a good option to check the mail server configuration. Please visit this site. In the “Super Tool” input field please enter “smtp:mailinabox.mustermann-domain.fr”, where “mailinabox.mustermann-domain.fr” is the mail server’s hostname. The output should be similar to the following output:

Installation Mail-in-a-Box

Please note that depending on the TTL of your DNS records, it may even take several days before the DNS records you created in the hosting.fr admin interface are propagated on the Internet, as DNS servers on the Internet cache DNS information for some time.

Additionally, you should check the MX records of the domains for which the mail server should receive emails. This is done with “mx:mustermann-domain.fr” in the “MXToolbox”. The output should be approximately:

Installation Mail-in-a-Box
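The DNS part of the MXToolbox checks above can also be reproduced locally. The following added example is not from the original article or from Mail-in-a-Box; it performs the forward/reverse DNS and MX consistency checks against a constructed DNS table, so it runs offline. The hostname, the documentation addresses and the deliberately broken domain broken.example are assumptions for illustration. For a live check, replace lookup() with a function backed by a real resolver, for example dnspython’s dns.resolver.resolve().

```python
import ipaddress

HOST = "mailinabox.mustermann-domain.fr"

# Constructed DNS data for this example (not real records). The PTR names are derived
# with ipaddress.reverse_pointer, which yields the in-addr.arpa / ip6.arpa form.
DNS = {
    (HOST, "A"): ["203.0.113.25"],
    (HOST, "AAAA"): ["2001:db8::25"],
    (ipaddress.ip_address("203.0.113.25").reverse_pointer, "PTR"): [HOST],
    (ipaddress.ip_address("2001:db8::25").reverse_pointer, "PTR"): [HOST],
    ("mustermann-domain.fr", "MX"): [(10, HOST)],
    # A misconfigured setup: the host's PTR still carries the hoster's generic name, and
    # broken.example's MX names a host that has no address at all.
    ("bad.broken.example", "A"): ["198.51.100.7"],
    (ipaddress.ip_address("198.51.100.7").reverse_pointer, "PTR"): ["vps-12345.hoster.example"],
    ("broken.example", "MX"): [(10, "mail.broken.example")],
}


def lookup(name, rtype):
    """Stand-in resolver over the table above; replace with real DNS queries for live checks."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def check_fcrdns(hostname, lookup=lookup):
    """Forward-confirmed reverse DNS: every address of the host must have a PTR record that
    points back to the same hostname. Returns a list of problems; empty means OK."""
    problems = []
    addresses = [a for rtype in ("A", "AAAA") for a in lookup(hostname, rtype)]
    if not addresses:
        problems.append(f"{hostname}: no A or AAAA record")
    for addr in addresses:
        ptrs = [p.lower().rstrip(".")
                for p in lookup(ipaddress.ip_address(addr).reverse_pointer, "PTR")]
        if not ptrs:
            problems.append(f"{addr}: no PTR record")
        elif hostname.lower() not in ptrs:
            problems.append(f"{addr}: PTR points to {', '.join(ptrs)} instead of {hostname}")
    return problems


def check_mx(domain, expected_host, lookup=lookup):
    """The domain's MX must name the box, and the named host must itself resolve."""
    problems = []
    mx_records = lookup(domain, "MX")
    if not mx_records:
        problems.append(f"{domain}: no MX record")
    for _priority, host in mx_records:
        host = host.lower().rstrip(".")
        if host != expected_host.lower():
            problems.append(f"{domain}: MX names {host}, expected {expected_host}")
        if not (lookup(host, "A") or lookup(host, "AAAA")):
            problems.append(f"{domain}: MX target {host} has no A or AAAA record")
    return problems


if __name__ == "__main__":
    for hostname in (HOST, "bad.broken.example"):
        print(hostname, check_fcrdns(hostname) or "OK")
    for domain in ("mustermann-domain.fr", "broken.example"):
        print(domain, check_mx(domain, HOST) or "OK")
```

The PTR mismatch is the most common reason a freshly installed box is rejected by large providers: the forward record is set at the registrar, but the reverse record still carries the hoster’s default name until it is changed in the cloud server’s network configuration (Step 2).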

Step 9: Backups

It is recommended to regularly perform backups of the cloud server. This allows you to recover from errors on the server or to restore emails that a user has accidentally deleted.

By default, Mail-in-a-Box has a built-in backup function. Mail-in-a-Box automatically creates a backup every night and stores it on the server itself. In the Mail-in-a-Box admin panel under “System” > “Backups”, you can set how often backups should be performed:

Installation Mail-in-a-Box

Backups on the mail server are automatically encrypted by Duplicity with GnuPG, using the secret key (a passphrase) stored under

/home/user-data/backup/secret_key.txt

It is advisable to download this key once and store it in a password manager: without it the encrypted backups cannot be restored, so a copy of the backup files alone is worthless.

Backups are stored under

/home/user-data/backup/encrypted

and are automatically rotated. This means that old backups are automatically deleted under certain conditions.

From the location mentioned above, backups can be downloaded or transferred to other servers. For this, you can use a cron job with SFTP, for example.

You can occasionally copy the backups to your own computer, for example with scp over SSH using the following command (copy secret_key.txt in the same way, since the backups cannot be restored without it):

scp -pr root@mailinabox.mustermann-domain.fr:/home/user-data/backup/encrypted ~/myMailserverBackups/

Transferring backups to another server can also be done automatically by Mail-in-a-Box, using rsync over SSH. For example, you could reserve a second cloud server on which to store only backups. This function can be configured via the admin interface; backups will also be kept locally. A configuration might look like this:

Mail-in-a-Box Backup

Mail-in-a-Box automatically generates an SSH key pair for the connection; the public key it displays must be added to the authorized keys of the backup user on the target system. Mail-in-a-Box then transfers the backups to that server automatically.
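Whether an off-site copy is actually restorable depends on the backup chain being complete: the newest full backup plus every incremental that follows it, each with its manifest, its volume files and its signature file. The following added example is not part of the article or of Mail-in-a-Box; it relies only on Duplicity’s file naming scheme. Pointed at a directory such as /home/user-data/backup/encrypted (or at a copy of it), it lists the newest chain and reports missing pieces. The file listing embedded in it is constructed for illustration, with one signature file deliberately left out as if a copy had been interrupted.

```python
import os
import re
import sys
from collections import defaultdict

# Constructed listing (not a real backup) in Duplicity's naming scheme. The incremental
# from 2019-03-02 to 2019-03-03 deliberately lacks its signature file.
SAMPLE_LISTING = """
secret_key.txt
duplicity-full.20190201T020000Z.manifest.gpg
duplicity-full.20190201T020000Z.vol1.difftar.gpg
duplicity-full-signatures.20190201T020000Z.sigtar.gpg
duplicity-full.20190301T020000Z.manifest.gpg
duplicity-full.20190301T020000Z.vol1.difftar.gpg
duplicity-full.20190301T020000Z.vol2.difftar.gpg
duplicity-full-signatures.20190301T020000Z.sigtar.gpg
duplicity-inc.20190301T020000Z.to.20190302T020000Z.manifest.gpg
duplicity-inc.20190301T020000Z.to.20190302T020000Z.vol1.difftar.gpg
duplicity-new-signatures.20190301T020000Z.to.20190302T020000Z.sigtar.gpg
duplicity-inc.20190302T020000Z.to.20190303T020000Z.manifest.gpg
duplicity-inc.20190302T020000Z.to.20190303T020000Z.vol1.difftar.gpg
""".split()

NAME_RE = re.compile(
    r"^duplicity-(?P<kind>full-signatures|new-signatures|full|inc)"
    r"\.(?P<start>\d{8}T\d{6}Z)(?:\.to\.(?P<end>\d{8}T\d{6}Z))?"
    r"\.(?P<part>manifest|sigtar|vol(?P<vol>\d+)\.difftar)(?:\.gpg)?$"
)


def parse_listing(names):
    """Group file names into backup sets keyed by (start, end); end is None for a full."""
    sets = defaultdict(lambda: {"manifest": False, "sigtar": False, "vols": set()})
    for name in names:
        m = NAME_RE.match(name)
        if not m:
            continue                        # secret_key.txt and unrelated files are ignored
        entry = sets[(m["start"], m["end"])]
        if m["part"] == "manifest":
            entry["manifest"] = True
        elif m["part"] == "sigtar":
            entry["sigtar"] = True
        else:
            entry["vols"].add(int(m["vol"]))
    return sets


def _label(key):
    return key[0] if key[1] is None else f"{key[0]}.to.{key[1]}"


def latest_chain(sets):
    """Follow the newest full backup through its incrementals and report what is missing.
    Returns (chain, problems); an empty problems list means the newest chain is complete
    as far as file names can tell (a missing *last* volume needs the manifest to detect)."""
    fulls = sorted((k for k in sets if k[1] is None), key=lambda k: k[0])
    if not fulls:
        return [], ["no full backup found"]
    chain = [fulls[-1]]
    by_start = {k[0]: k for k in sets if k[1] is not None}
    current = fulls[-1][0]
    while current in by_start:              # each incremental starts where the previous ended
        chain.append(by_start[current])
        current = by_start[current][1]
    problems = []
    for key in chain:
        entry = sets[key]
        if not entry["manifest"]:
            problems.append(f"{_label(key)}: manifest missing")
        if not entry["sigtar"]:
            problems.append(f"{_label(key)}: signatures missing")
        if not entry["vols"]:
            problems.append(f"{_label(key)}: no volumes")
        else:
            gaps = set(range(1, max(entry["vols"]) + 1)) - entry["vols"]
            if gaps:
                problems.append(f"{_label(key)}: volumes missing: {sorted(gaps)}")
    # Incrementals newer than the chain's end that nothing links to mean a gap in the chain.
    for key in by_start.values():
        if key not in chain and key[0] > current:
            problems.append(f"{_label(key)}: incremental is not linked to the chain")
    return chain, problems


if __name__ == "__main__":
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    chain, problems = latest_chain(parse_listing(names))
    print("newest chain:", " -> ".join(_label(k) for k in chain))
    for problem in problems:
        print("PROBLEM:", problem)
```

Run it without arguments to see the constructed case, or pass the path of the backup directory (locally or on the rsync target) to check a real copy. A chain that reports no problems is still only restorable together with secret_key.txt, which this script intentionally does not look for.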

Step 10: Configuring Mail Clients such as Outlook, Thunderbird, Apple Mail, etc.

The appropriate settings for your Mail-in-a-Box installation for configuring mail clients are displayed in the Mail-in-a-Box admin panel under “Mail” > “Instructions”.

Mail-in-a-Box Settings

Instructions for configuring the new account are available for several clients:

Maintenance and Care

Keeping the Operating System Up to Date

The operating system of the mail server and the installed software provided by Ubuntu must be updated regularly to fix potential security vulnerabilities and errors. To do this, connect via SSH to the mail server and run the following commands:

apt update
apt upgrade

Keeping Mail-in-a-Box Up to Date

In addition to the operating system, Mail-in-a-Box must also be updated whenever a new version is released, especially in the case of security updates. Mail-in-a-Box announces new versions on its Twitter account and in the support forum. Before updating, be sure to check the release notes: each Mail-in-a-Box version supports one Ubuntu release, and when a new version requires a newer Ubuntu, the supported path is to set up a fresh server and migrate the data in /home/user-data rather than upgrading the operating system in place. To start the Mail-in-a-Box update, simply connect via SSH to the box and run the setup script again (the same caveat about reviewing a downloaded script before running it as root applies):

curl -s https://mailinabox.email/setup.sh | sudo -E bash
