We were in Winston Salem a couple weeks ago for a quick visit. Only caught a couple shots when I was walking around one morning.

An old farmhouse still standing on the Fair Hill Natural Resource Management Area in Elkton, Maryland.

This guide is targeted at creating the ultimate personal email server. This would work on most any server that you have root access to, but I recommend hosting from one of the better VPS providers. I have personally hosted servers at Ramnode, Linode, and most recently Digital Ocean.

So go grab yourself a VPS. A small one with 512MB of memory should be fine, if you want to add virus scanning with ClamAV expect to need at least 1GB. Setting up the VPS is outside of the scope of this tutorial and the remainder is based on using Debian as the OS, if you use something other than a Debian based distribution you’ll have to adjust the file locations and possibly some of the settings. Proceed at your own risk.

Packages

The first thing I recommend doing is getting your system up to date.

sudo apt-get update
sudo apt-get upgrade

Then let’s install some good stuff.

This next command will install Postfix to communicate with email servers across the web, Dovecot to manage our email boxes on the server, Spamassassin and some plugins to avoid filling our inbox with junk, OpenDKIM to prove to people that we’re not sending junk, Nginx / PHP5 and Roundcube so that we can have a web interface to our mail, and finally MySQL to satisfy our database needs. You can modify these selections, but they’re all required to complete the rest of the tutorial as written.

sudo apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-mysql \
    dovecot-lmtpd dovecot-sieve dovecot-managesieved dovecot-antispam \
    ntp spamassassin spamc razor pyzor opendkim opendkim-tools postgrey fail2ban nginx \
    php5 php5-fpm mysql-server roundcube roundcube-plugins roundcube-plugins-extra

There will be some packages that must be configured.

For postfix configure the server as an Internet Site, and ensure that the hostname is correct. I chose not to create self-signed certificates because I prefer to use certificates that are externally authenticated and not get that little pop-up when I access the server.

For mysql-server choose a strong root password. You will not have to enter it often once the server is setup, so it’s not necessary to choose something memorable if you use a good password manager.

For roundcube you’ll need to configure a database, this is easy as you’ll be able to do it with db-config as part of the package setup. Use

Database Setup

Log into the database as the root user:

mysql -u root -p

Create a database and user we can use:

CREATE DATABASE `mailserver`;
GRANT SELECT ON `mailserver`.* to 'mailuser'@'localhost' IDENTIFIED BY 'mystr0ngp4ssw0rd';
FLUSH PRIVILEGES;

Still as the root user, switch into the mailserver database:

USE `mailserver`;

First (and it needs to be first) create a table of domains that we will host on this mail server

CREATE TABLE `domains` (
`id` INT NOT NULL AUTO_INCREMENT,
`domain` varchar(50) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `domain` (`domain`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Now we need to create a table where we will store the users for the mail server

CREATE TABLE `users` (
`id` INT NOT NULL AUTO_INCREMENT,
`domain_id` INT NOT NULL,
`email` VARCHAR(120) NOT NULL,
`password` VARCHAR(106) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `email` (`email`),
FOREIGN KEY (`domain_id`) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

It often happens that we need a virtual alias address to point to a real address. We can support that with an alias table.

CREATE TABLE `aliases` (
`id` INT NOT NULL AUTO_INCREMENT,
`domain_id` INT NOT NULL,
`source` varchar(120) NOT NULL,
`destination` varchar(120) NOT NULL,
PRIMARY KEY (`id`),
FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Ok now that we have the three tables set up we can add our first datasets.

Let’s add a domain.

INSERT INTO `mailserver`.`domains` (`domain`)
VALUES ('example.com');

If you wanted to insert additional, you can repeat that with a different domain.

INSERT INTO `mailserver`.`domains` (`domain`)
VALUES ('example2.org');

Now let’s create a user. Note: you must make sure the domain_id matches the domain in the email address of the user and the associated domain in the domains table.

INSERT INTO `mailserver`.`users` (`domain_id`, `email`, `password`)
VALUES ('1', 'user@example.com', ENCRYPT('examplepassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))));

Finally let’s add an alias. In this case the domain_id must match the domain_id of the alias’s domain in the domains table, not the destination domain.

INSERT INTO `mailserver`.`aliases` (`domain_id`, `source`, `destination`)
VALUES (, '1', 'alias@example.com', 'email1@example.com');

SSL Certificates

There is no way that the ultimate personal email server is going to let you sling your passwords and private information around without some sort of encryption so we’re going to need some SSL certificates.

Getting those is outside the scope of this tutorial. My recommendation is to go to your local neighborhood domain registrar and see what they have on offer. You can often find cheap SSL certificates that will make this a lot easier.

We’re going to place ours in /etc/ssl/private and call the certificate example.com.crt and call the key example.com.key. You’ll also likely need to create a certificate with the full authority chain (if you forget the order should be example.com.crt, then each certificate going up the chain), call that file example.com.chain.crt.

Postfix Configuration

Let’s make backups of the original postfix configuration files, just in case…

sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
sudo cp /etc/postfix/master.cf /etc/postfix/master.cf.orig

We need to set up some configuration files that will allow postfix to reference the MySQL database for it’s user lookups.

sudo vim /etc/postfix/mysql-virtual-domains.conf

user = mailuser
password = mystr0ngp4ssw0rd
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM domains WHERE domain='%s'

sudo vim /etc/postfix/mysql-virtual-users.conf

user = mailuser
password = mystr0ngp4ssw0rd
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM users WHERE email='%s'

sudo vim /etc/postfix/mysql-virtual-aliases.conf

user = mailuser
password = mystr0ngp4ssw0rd
hosts = 127.0.0.1
dbname = mailserver
query = SELECT destination FROM aliases WHERE source='%s'

Edit main.cf to have these changes

In the TLS section:

#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_cert_file=/etc/ssl/private/example.com.chain.crt
smtpd_tls_key_file=/etc/ssl/private/example.com.key
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023

The last line in that configuration is what sets up Postgrey as a filter for your email messages.

Change mydestination to localhost:

#mydestination = example.com, hostname.example.com, localhost.example.com, localhost
mydestination = localhost

Let’s reject unwanted mail rather than re-trying later:

#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

IPV6 causes trouble with sending messages to Gmail at times. If you don’t need to use it, let’s disable it

#inet_protocols = all
inet_protocols = ipv4

Let’s enable email tagging so you can use addresses like email1+amazon@example.com, make sure this line is in the configuration:

recipient_delimiter = +

We need to set up a milter for OpenDKIM to sign our emails. This is a good measure to authenticate our messages to avoid getting them marked as SPAM. We’ll put this in now and set up OpenDKIM later.

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Add these line to the end of the file:

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.conf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-users.conf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-aliases.conf

Now test what we’ve done

To check the domain lookup enter the following command, it should return 1.

postmap -q example.com mysql:/etc/postfix/mysql-virtual-domains.conf

To check the email lookup enter the following command, it should again return 1.

postmap -q user@example.com mysql:/etc/postfix/mysql-virtual-users.conf

Finally, to check alias lookup enter the following command, this time it should return the destination address.

postmap -q alias@example.com mysql:/etc/postfix/mysql-virtual-aliases.conf

If any of those do not function as expected, go back and check through your work before continuing.

Now let’s edit master.cf to make it more compatible with outside servers and to set up postfix to work with spamassassin.

First, let’s allow access on a couple secure ports (587 and 465). Locate and uncomment these two lines:

submission inet n       -       -       -       -       smtpd

smtps     inet  n       -       -       -       -       smtpd

Now let’s add support for spamassassin, find the smtp line and add a content filter to all incoming mail on the SMTP port:

smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin

At the bottom of the file, add a content filter that matches that line:

spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Now restart postfix:

sudo service postfix restart

Setup Spamassassin

First we’ll create a user that’s going to run the spam filter

sudo adduser spamd --home /var/spamd --disabled-login

Now let’s edit the file that starts up spamassassin to have some more ideal settings, vim /etc/default/spamassassin

Make sure it is enabled:

ENABLED=1

And update the folder it uses, add a location for the PID file, and enable CRON updates:

SPAMD_HOME="/var/spamd/"
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir ${SPAMD_HOME} -s ${SPAMD_HOME}spamd.log"

#PIDFILE="/var/run/spamd.pid"
PIDFILE="${SPAMD_HOME}spamd.pid"

#CRON=0
CRON=1

Now we can edit the configuration file, sudo vim /etc/spamassassin/local.cf

rewrite_header Subject *** SPAM _SCORE_ ***
report_safe         0
required_score      4.0
use_bayes           1
bayes_auto_learn    1
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
skip_rbl_checks     0
use_razor2          1
use_pyzor           1

Now restart the spamassassin service:

sudo service spamassassin restart

Setup OpenDKIM

OpenDKIM is a tool that will allow postfix to sign your emails with a calculated header. When combined with a DNS record that matches the calculated header, the recipient can be confident they are receiving email from a sender authorized for that domain and that the email has not been forged.

First we need to generate some signing keys to use.

sudo mkdir -p /etc/opendkim/keys
cd /etc/opendkim/keys
sudo opendkim-genkey -s example.com -d example.com

You’ll want to read out the contents of the key files so that you can add them as a DNS record.

sudo cat /etc/opendkim/keys/example.com.txt

example.com._domainkey  IN  TXT ( "`v=DKIM1; k=rsa; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB..." )  ; ----- DKIM key example.com for example.com

From that you’ll need to add a TXT DNS record for your domain. The name should be example.com._domainkey and the value should be v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB....

Now we’ll create a table that allows OpenDKIM to know which keys to use for which domain. It is recommended that you use a different key for each domain that you host. For some reason it takes two files to do this.

sudo vim /etc/opendkim/KeyTable

example.com._domainkey.example.com example.com:example.com:/etc/opendkim/keys/example.com.private

sudo vim /etc/opendkim/SigningTable

example.com example.com._domainkey.example.com

Now let’s tell OpenDKIM about the files we created, and tell it to open a port for us to use. This port must match the port we put into the postfix milter configuration earlier.

sudo vim /etc/opendkim.conf

Socket inet:8891@localhost
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable

Fix some permissions and a quick restart for both opendkim and postfix.

sudo chown -R opendkim:opendkim /etc/opendkim
sudo service opendkim restart
sudo service postfix restart

Setup SPF Record

While you’re updating your DNS records for the DKIM signing, you should also make sure to add an SPF record. It will tell recipients which servers are authorized to send email on your behalf. This is super important to get right if you want Gmail to ever receive your emails.

As this is a personal email server, and we’re setting it up both to receive and to send email, the easiest SPF record is just to allow any server set up as an MX record to send. To do that, just add a TXT record with these contents:

v=spf1 mx -all

Setup DMARC Record

DMARC is a way for you to inform receiving servers what to do with email they receive that looks like it comes from you but does not match the SPF and DKIM records you have set up.

Initially, I would just set this up so that they alert you and you can see how you’re doing.

To do that, we will again add a TXT DNS record with these contents:

v=DMARC1; p=none; rua=mailto:postmaster@example.com

Once you have that settled and your email seems to be working nicely, you can start telling email servers to be more and more strict about it. I won’t go into detail as Google took the time to clearly explain it.

Setup PTR

The final thing we’ll want to do is ensure that our PTR / rDNS records are set up correctly.

This is done differently with every VPS provider so check with yours to make sure it exactly matches the domain that postfix is configured with.

Setup Dovecot

OK, back to the server setup. We need to configure Dovecot to properly act as our IMAP host. First things first, let’s backup the configuration files we’re going to change.

sudo cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.org
sudo cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
sudo cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
sudo cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.orig
sudo cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig
sudo cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig

Let’s add a quick line to the main dovecot configuration file.

sudo vim /etc/dovecot/dovecot.conf

protocols = imap lmtp

Now we’ll edit the 10-mail.conf file, find the line starting with mail_location and change it to create proper maildir for each of the users.

sudo vim /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:/var/mail/vhosts/%d/%n/maildir

Let’s make dovecot a bit more secure. Find these lines and make sure they match.

sudo vim /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes
...
auth_mechanisms = plain login
...
#!include auth-system.conf.ext
...
!include auth-sql.conf.ext

Now that dovecot is looking to sql to locate user information we need to tell it how to do that. Edit just one line in the userdb { section of the file.

sudo vim /etc/dovecot/conf.d/auth-sql.conf.ext

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  ...
...

Now edit the MySQL parameters in the dovecot-sql.conf.ext file.

sudo vim /etc/dovecot/dovecot-sql.conf.ext

...
driver = mysql
...
connect = host=127.0.0.1 dbname=mailserver user=mailuser password=mystr0ngp4ssw0rd
...
default_pass_scheme = SHA512-CRYPT
...
password_query = SELECT email as user, password FROM users WHERE email='%u';
...

Setup how dovecot controls access in 10-master.conf

sudo vim /etc/dovecot/conf.d/10-master.conf

...
service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
       mode = 0600
       user = postfix
       group = postfix
   }
   ...
...
service auth {

  unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
  }

  unix_listener auth-userdb {
  mode = 0600
  user = vmail
  #group =
  }

  ...
  user = dovecot
}
...
service auth-worker {
  ...
  user = vmail
}
...

Next, tell Dovecot which SSL certificates to use and prevent use of old SSL protocols.

sudo vim /etc/dovecot/conf.d/10-ssl.conf

...
ssl = required
...
ssl_cert = </etc/ssl/private/example.com.crt
ssl_key = </etc/ssl/private/example.com.key
...
ssl_protocols = !SSLv2 !SSLv3
...

Now we need to create the correct users and set some file permissions.

sudo addgroup vmail --gid 5000
sudo adduser vmail --uid 5000 --gid 5000 --disabled-login --home /var/mail
sudo chown -R vmail:vmail /etc/dovecot /var/mail
sudo chmod -R o-rwx /etc/dovecot /var/mail

And finally, give dovecot a restart

sudo service dovecot restart

Setup Dovecot Plugins

dovecot-sieve

First we have to enable the dovecot-sieve plugin

sudo vim /etc/dovecot/conf.d/20-lmtp.conf

...
protocol lmtp {
  ...
  mail_plugins = $mail_plugins sieve
}
...

Let’s setup a global mail filter folder and sieve file so that users SPAM emails are properly quarantined.

sudo mkdir -p /var/lib/dovecot/sieve/

sudo vim /var/lib/dovecot/sieve/default.sieve

require ["fileinto","imap4flags"];
if header :contains "X-Spam-Flag" "YES" {
  setflag "\\seen";
  fileinto "Spam";
} else {
  keep;
}

Now let’s compile those rules.

sudo sievec /var/lib/dovecot/sieve/default.sieve

And finally we’ll make sure that Dovecot can see that folder

sudo chown -R vmail:vmail /var/lib/dovecot

Now we’ll tell Dovecot to use those rules before user rules.

sudo vim /etc/dovecot/conf.d/90-plugin.conf

...
plugin {
  ...
  sieve_before = /var/lib/dovecot/sieve/default.sieve
  ...
}
...

dovecot-antispam

Now that we have our mail properly filing away into a Spam folder, we’ll want to be able to better train our Spamassassin bayesian filtering by moving email into or out of that folder. For that we’ll lean on the dovecot-antispam plugin and a quick script.

Let’s make that script real quick:

sudo vim /usr/local/bin/sa-learn-pipe.sh

#!/bin/bash

echo /usr/bin/sa-learn $* /tmp/sendmail-msg-$$.txt echo "$$-start ($*)" >> /tmp/sa-learn-pipe.log

/usr/bin/sa-learn $* /tmp/sendmail-msg-$$.txt

rm -f /tmp/sendmail-msg-$$.txt

echo "$$-end" >> /tmp/sa-learn-pipe.log

exit 0

Make it executable

sudo chmod +x /usr/local/bin/sa-learn-pipe.sh

Now we integrate it into Dovecot

sudo vim /etc/dovecot/conf.d/90-plugin.conf

...
plugin {
  ...
  antispam_trash_ignorecase = trash;deleted*
  antispam_spam_ignorecase = spam;junk*
  antispam_mail_sendmail = /usr/bin/sa-learn-pipe.sh
  antispam_mail_spam  = --spam
  antispam_mail_notspam  = --ham
  ...
}
...

dovecot-lucene

Note: You must be running Debian Jessie for this to work. I know… Debian testing on a server! Scary! At the time of writing, this is a non-trivial installation and I won’t go into detail of what I had to do to install it (hint: install everything on Wheezy, then upgrade). If you want to run stable and still want full-text search you can install dovecot-solr following this guide.

We’re going to use the dovecot-lucene for our full-text search. This should be just as good and way lighter weight than dovecot-solr. No java necessary!

First we’ll install it:

sudo apt-get install dovecot-lucene

Let’s just make sure it is configured properly:

sudo vim /etc/dovecot/conf.d/90-plugin.conf

...
plugin {
  ...
  fts = lucene
  fts_lucene = whitespace_chars=@.
  ...
}
...

and that’s it! Much easier than previous FTS solutions.

Finally, now that all of our plugins are configured, we’ll restart dovecot

sudo service dovecot restart

Setup Nginx

We’re going to set up Nginx to host a webmail application for when we’re not near an IMAP client.

Let’s generate an key to use for elliptic curves. This takes forever…

sudo openssl dhparam -outform pem -out /etc/ssl/private/dhparam2048.pem 2048

Let’s blow out the entire default file and replace it with this:

sudo vim /etc/nginx/sites-enabled/default

server {
    listen 80;
    server_name hostname.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl spdy;
    server_name hostname.example.com;

    root /usr/share/roundcube;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }

    location ~ ^/(bin|SQL) {
        deny all;
    }

    location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
    }

    ssl_certificate /etc/ssl/private/example.com.chain.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    add_header Strict-Transport-Security 'max-age=31536000';

    ssl_prefer_server_ciphers on;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout   70;
    ssl_buffer_size 1400;

    spdy_headers_comp 0;

    ssl_dhparam /etc/ssl/private/dhparam2048.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout 10;
    ssl_trusted_certificate /etc/ssl/private/example.com.chain.crt;
}

Now we need to quickly restart Nginx:

sudo service nginx restart

Setup Roundcube

sudo vim /etc/roundcube/main.inc.php

...
$rcmail_config['default_host'] = 'tls://localhost';
...
$rcmail_config['smtp_server'] = 'tls://localhost';
...
$rcmail_config['smtp_user'] = '%u';
...
$rcmail_config['smtp_pass'] = '%p';
...
$rcmail_config['plugins'] = array('managesieve');
...

Optional: Setup Logwatch

Finally we’ll have logwatch email our logs to us so we can see how the server is performing.

First install logwatch:

sudo apt-get install logwatch

Then edit the cron.daily file so that it emails the logs to the account you created.

sudo vim /etc/cron.daily/00logwatch

...
logwatch --mail --mailto email1@example.com
...

Incomparable quality Hand blown… Hand cut

Black Moshannon is a man made lake in Central Pennsylvania that is surrounded by peat bogs that leach tannins into the water turning it conspicuously black. We stayed there for a couple nights in some nice, old cabins built by the CCC in the 30s and 40s.