Running your own mail server

Discussion in 'Tutorials and Guides' started by wlanboy, Aug 9, 2013.

  1. graeme

    graeme Active Member

    Nov 20, 2013
    Is this because mail servers attract "attention" that may affect other services?
  2. wlanboy

    wlanboy Content Contributer

    May 16, 2013
    My personal reasons are:

    • If one goes down - everything is not available.
      What to restore first? 
      What if the backup is old? Database, email accounts and websites are changed in different timespans.
      Mail server got hacked / spam-a-lot - one problem and all services have to be shut down (by firewall).
      IP address got banned - same problem.
    • Migration is a big bang - upgrades too.
      Package dependencies are quite a hell.
      You cannot upgrade php because your webmailer depends on an older version.
      If something fails you have to rollback everything.
      Have to move some services to a new host? Good luck if your configs/services do depend on each other (sendmail localhost).
    • Cloudflare can hide web traffic but cannot hide smtp/imap traffic.
      So all reverse proxies are useless if the mail server has the same ip and leaks it (MX records, smtp protocol).
    • Performance
      Email servers run quite a lot of threads. Per imap connection, for spam check, virus check, smtp processes.
      Easily a lot of XX MB RAM per connection. Thinking about bandwidth problems too. Someone downloading a 300MB attachment and your website loading times go up.
    • Local forwards
      I have a mail server that is responsible for about 8 domains. All those notifiers, mailing lists, forwarders are done through localhost - saves a lot of bandwidth.
      Only ssh, postfix, dovecot, sa and fail2ban. No other services. Keep things simple.
  3. souen

    souen Active Member

    Jun 23, 2014
    Thanks for the excellent tutorial. I followed it on a CentOS 7 vps sometime back, most of it still applies except for a few commands and config locations.

    5. Setup your mail server

    sudo yum install postfix dovecot

    Postfix and Dovecot configuration files are in the same location. I skipped 9-12 so no input there, sorry. :(

    14. DKIM

    opendkim is available in the EPEL repository.

    sudo yum install epel-release
    sudo yum install opendkim

    Configuration is done in /etc/opendkim.conf, including the socket setting (no "/etc/default/opendkim").

    After "cp mail.private /etc/mail/dkim.key" (or wherever the key is stored), I checked the ownership of the key file and assigned ownership to the opendkim user given in /etc/opendkim.conf if the user is different:

    ls -la /etc/mail/dkim.key
    chown opendkim:opendkim dkim.key

    16. I started the services instead of restarting the vps -- is that a problem? Everything seems to work fine.

    # Start Postfix and Dovecot, add to startup services
    systemctl start postfix
    systemctl start dovecot
    systemctl enable postfix
    systemctl enable dovecot

    # After installing DKIM, restart Postfix
    systemctl start opendkim
    systemctl enable opendkim
    systemctl restart postfix

    # For CentOS 6
    service postfix start
    service dovecot start
    chkconfig postfix on
    chkconfig dovecot on
    service opendkim start
    chkconfig opendkim on
    service postfix restart

    Hope that helps ... sort of?
    Last edited by a moderator: Jan 12, 2016
    wlanboy likes this.
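
The ownership check from the DKIM step above, as an added example that is not part of the original post or of the opendkim project. It assumes GNU `stat` and the `UserID` and `KeyFile` directives in opendkim.conf; the helper names are made up for illustration.

```shell
#!/bin/sh
# Added example: verify that the DKIM private key named in opendkim.conf is
# owned by the configured UserID and carries no group/other permission bits.

# Print the value of a directive (first match); commented lines never match.
conf_value() {  # conf_value <conf> <Directive>
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Returns 0 if the key is fine, 1 on any finding; findings go to stdout.
check_dkim_key() {  # check_dkim_key <opendkim.conf> [keyfile]
    conf=$1
    key=${2:-$(conf_value "$conf" KeyFile)}
    user=$(conf_value "$conf" UserID)
    user=${user%%:*}                 # "opendkim:opendkim" -> "opendkim"
    rc=0

    [ -n "$user" ] || { echo "no UserID in $conf"; return 1; }
    [ -n "$key" ] && [ -f "$key" ] || { echo "KeyFile missing: $key"; return 1; }

    owner=$(stat -c %U "$key")
    mode=$(stat -c %a "$key")
    if [ "$owner" != "$user" ]; then
        echo "owner is $owner, expected $user: chown $user $key"
        rc=1
    fi
    # A private key readable or writable by group/other is a finding.
    case $mode in
        *00|0) ;;
        *) echo "mode $mode too open: chmod 600 $key"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh check_dkim.sh /etc/opendkim.conf [/etc/mail/dkim.key]
if [ "$#" -gt 0 ]; then check_dkim_key "$@"; fi
```
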
  4. graeme

    graeme Active Member

    Nov 20, 2013
    @wlanboy OK, lots of reasons. I am convinced. I have no experience of running a mail server, so had no idea about load - I had assumed they were fairly simple and low load....
    Last edited by a moderator: Apr 30, 2017
  5. souen

    souen Active Member

    Jun 23, 2014
    Tried some more ...

    9. Install postgrey

    postgrey is available in the EPEL repository.

    sudo yum install epel-release
    sudo yum install postgrey
    sudo nano /etc/sysconfig/postgrey
    add (default delay is 60):
    POSTGREY_OPTS="--inet= --delay=55"

    After Postfix configuration, start and enable the service:

    systemctl start postgrey
    systemctl enable postgrey

    10. Install spamassassin

    Having a little trouble locating the packages, not entirely sure if the list is correct. I couldn't find perl-Geo-IPfree and perl-Net-Ident, RPMforge doesn't have them for CentOS 7. Does anyone know a reputable repository that carries them for CentOS 7?

    # (CentOS 6) Install RPMforge repo to fetch some Perl modules
    # 32-bit
    rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.i686.rpm

    # 64-bit
    rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

    rm -rf rpmforge*.rpm

    sudo yum install perl-Net-DNS pyzor perl-Razor-Agent perl-Digest-SHA perl-Encode-Detect perl-DBI perl-Geo-IPfree perl-Net-Ident
    sudo yum install spamassassin

    There is no /etc/default/spamassassin, so I just started it up like other services:

    systemctl start spamassassin
    systemctl enable spamassassin

    Minor note when updating the rules: there wasn't a /etc/spamassassin directory, so I just downloaded the GPG key somewhere and imported it. Before "sa-update -D -v", download and import the GPG key from Apache servers (or it returns "error: GPG validation failed! The update downloaded successfully, but it was not signed with a trusted GPG ...")

    sa-update --import GPG.KEY
    sa-update -D -v

    Additional note -- if running into the error below during install and can't find the kernel-headers in the main repo:

    Error: Package: glibc-headers-2.17-106.el7_2.1.x86_64 (updates)
    Requires: kernel-headers
    Error: Package: glibc-headers-2.17-106.el7_2.1.x86_64 (updates)
    Requires: kernel-headers >= 2.2.1

    This is due to kernel packages being excluded in /etc/yum.conf on some systems. Run the following command to grab the headers:

    sudo yum --disableexcludes=main install kernel-headers

    11. Install fail2ban

    fail2ban is available in the EPEL repository.

    sudo yum install epel-release
    sudo yum install fail2ban

    /etc/fail2ban/jail.conf recommends having a separate config file (/etc/fail2ban/jail.local or placed in /etc/fail2ban/jail.d) instead of editing jail.conf directly. Followed the config from there. The only thing was I couldn't find [sasl], but [postfix-sasl] (and there's no corresponding filter named sasl.conf in /etc/fail2ban/filter.d):

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    nano /etc/fail2ban/jail.local


    [postfix-sasl]
    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = postfix-sasl
    # You might consider monitoring /var/log/mail.warn instead if you are
    # running postfix since it would provide the same log lines at the
    # "warn" level but overall at the smaller filesize.
    logpath = /var/log/mail.log

    Check that the log files exist or fail2ban won't start. Create them if needed:

    touch /var/log/mail.log /var/log/secure

    Start it up:

    systemctl start fail2ban
    systemctl enable fail2ban

    Additional note -- as when installing spamassassin, if the ipset package requires the kernel package not yet installed, do:

    sudo yum --disableexcludes=main install kernel

    12. Own SSL configuration

    Sorry, I don't have certificates on hand to test it. There's no /etc/dovecot/conf.d/01-mail-stack-delivery.conf file on CentOS 7. Dovecot certificate paths are /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem (self-signed certs are stored in /etc/pki/tls/certs), so I'm not sure where the 3rd step goes, if there's a 3rd step. The old (and possibly outdated) howto on the CentOS wiki adds it to /etc/dovecot/dovecot.conf:

    ssl_cert_file = /etc/pki/tls/certs/
    ssl_key_file = /etc/pki/tls/private/

    14. DKIM

    Forgot to mention in my previous post -- there is no /etc/mail directory by default, but I suppose it could be created, as long as the KeyFile path in the config file is correct (I generated the key in /etc/opendkim/keys and linked to it there).
    Last edited by a moderator: Jan 13, 2016
    wlanboy likes this.
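
The "check that the log files exist or fail2ban won't start" step from the post above, as an added example that is not part of the original post or of fail2ban. It handles single-line `logpath` values only and skips interpolated ones such as `%(sshd_log)s`; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: report enabled fail2ban jails whose logpath does not exist.

# Emit "jail<TAB>logpath" for every section that sets enabled = true.
enabled_jail_logs() {  # enabled_jail_logs <jail file>
    awk '
        function emit() { if (on && path != "") print name "\t" path }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                    # section header
            emit(); name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name); on = 0; path = ""; next
        }
        {
            split($0, kv, "=")
            key = kv[1]; val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") on = (val == "true")
            if (key == "logpath") path = val
        }
        END { emit() }
    ' "$1"
}

# Print one line per missing log; return 1 if any enabled jail lacks its log.
missing_jail_logs() {  # missing_jail_logs <jail file>
    rc=0
    tab=$(printf '\t')
    while IFS=$tab read -r jail path; do
        [ -n "$jail" ] || continue
        case $path in *'%('*) continue ;; esac     # interpolation not resolved here
        [ -e "$path" ] || { echo "$jail: missing $path"; rc=1; }
    done <<EOF
$(enabled_jail_logs "$1")
EOF
    return $rc
}

# Usage: sh check_jails.sh /etc/fail2ban/jail.local
if [ "$#" -gt 0 ]; then missing_jail_logs "$1"; fi
```
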
  6. norival1992

    norival1992 New Member Verified Provider

    Sep 30, 2015
    Thanks for your good tutorial....
  7. ZenithHosting

    ZenithHosting New Member

    Apr 1, 2016
    Thank you for the tutorial
  8. River

    River Member Verified Provider

    May 3, 2015
    This is a really good guide. I've always wondered though if there is a good control panel for just email servers. I know of the collab suites like Zimbra and OpenXChange but I haven't found anything for just the email without all the additional features - really just mailbox management and settings GUI.
  9. drmike

    drmike 100% Tier-1 Gogent

    May 13, 2013
    There is:

    (I haven't used it)
  10. Licensecart

    Licensecart Active Member

    May 22, 2013
    You are a legend @wlanboy been trying tutorials all over the net and found this one in our backyard, much easier to follow too.
    Last edited by a moderator: Apr 30, 2017
  11. Licensecart

    Licensecart Active Member

    May 22, 2013
    Theres but I couldn't get it working myself but I was following rubbish online ones, might be able to get it to work by following wlanboy's. There's PostfixAdmin too I looked into:
    Last edited by a moderator: Apr 3, 2016
    River likes this.
  12. bizzard

    bizzard Active Member

    May 16, 2013
    @River Virtualmin is my choice for managing mail servers. Not a user focused panel, but good enough for administrators. Handles the mess of multiple domains and quotas pretty well and some other neat features too. Disable all the unwanted services and modules and it still works fine. The default username format is a nuisance though.

    Have thought of writing a wrapper around Virtualmin for just mail management but haven't found the time for it. Need to complete the billing panel before I move to other stuffs.
    Last edited by a moderator: Apr 30, 2017
    River likes this.
  13. TheLinuxBug

    TheLinuxBug New Member

    May 15, 2013
    @bizzard You mean Usermin

    Last edited by a moderator: Apr 30, 2017
  14. Licensecart

    Licensecart Active Member

    May 22, 2013
    I tried using your tutorial on Centos 7 changing apt-get to yum and I couldn't get it working so maybe that's why :D

    I did have to use yum install dovecot postfix -y
    Last edited by a moderator: Apr 22, 2016
  15. WiredBlade

    WiredBlade New Member

    Jul 19, 2016
    Great tutorial. I have been hosting my own email server in Windows and found it to be very hard to manage. I have always wanted to move to a Linux mail server and this tutorial would help me enormously.