Running your own mail server

wlanboy

Content Contributor
Is this because mail servers attract "attention" that may affect other services?

My personal reasons are:

  • If one goes down - everything is not available.
    What to restore first? 
    What if the backup is old? Database, email accounts and websites are changed in different timespans.
    Mail server got hacked / spam-a-lot - one problem and all services have to be shut down (by firewall).
    IP address got banned - same problem.
     
  • Migration is a big bang - upgrades too.
    Package dependencies are quite a hell.
    You cannot upgrade php because your webmailer depends on an older version.
    If something fails you have to rollback everything.
    Have to move some services to a new host? Good luck if your configs/services do depend on each other (sendmail localhost).
     
  • Cloudflare can hide web traffic but cannot hide smtp/imap traffic.
    So all reverse proxies are useless if the mail server has the same ip and leaks it (MX records, smtp protocol).
     
  • Performance
    Email servers run quite a lot of threads. Per imap connection, for spam check, virus check, smtp processes.
    Easily a lot of XX MB RAM per connection. Thinking about bandwidth problems too. Someone downloading a 300MB attachment and your website loading times go up.
     
  • Local forwards
    I have a mail server that is responsible for about 8 domains. All those notifiers, mailing lists, forwarders are done through localhost - saves a lot of bandwidth.
    Only ssh, postfix, dovecot, sa and fail2ban. No other services. Keep things simple.
 

souen

Active Member
Would anyone want to help me porting this tutorial to CentOS?
I think some would like to use CentOS instead of Debian/Ubuntu.

Thanks for the excellent tutorial. I followed it on a CentOS 7 vps some time back; most of it still applies except for a few commands and config locations.



5. Setup your mail server


sudo yum install postfix dovecot




Postfix and Dovecot configuration files are in the same location. I skipped 9-12 so no input there, sorry. :(


14. DKIM


opendkim is available in the EPEL repository.


sudo yum install epel-release
sudo yum install opendkim


Configuration is done in /etc/opendkim.conf, including the socket setting (no "/etc/default/opendkim").


After "cp mail.private /etc/mail/dkim.key" (or wherever the key is stored), I checked the ownership of the key file and assigned ownership to the opendkim user given in /etc/opendkim.conf if the user is different:


ls -la /etc/mail/dkim.key
chown opendkim:opendkim /etc/mail/dkim.key




16. I started the services instead of restarting the vps -- is that a problem? Everything seems to work fine.


# Start Postfix and Dovecot, add to startup services
systemctl start postfix
systemctl start dovecot
systemctl enable postfix
systemctl enable dovecot

# After installing DKIM, start it and restart Postfix
systemctl start opendkim
systemctl enable opendkim
systemctl restart postfix

# For CentOS 6
service postfix start
service dovecot start
chkconfig postfix on
chkconfig dovecot on
service opendkim start
chkconfig opendkim on
service postfix restart




Hope that helps ... sort of?
 
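The DKIM step above boils down to a few checks: the KeyFile named in /etc/opendkim.conf must exist, it must be owned by the user opendkim runs as, and nobody else should be able to read it. The following POSIX shell script is an added example (not code from the thread or from the OpenDKIM project) that reads those directives from an opendkim.conf-style file, verifies the key file's owner and mode, and prints the DNS name of the selector record that has to carry the public key. The config file, key file, domain "example.com" and selector "mail" it uses are constructed samples written to a temporary directory; the current user stands in for the opendkim account.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the opendkim settings the
# post above touches (KeyFile, UserID, Selector, Domain) and check that the
# private key is owned by the opendkim user and readable by nobody else.
# The config and key used in demo() are constructed samples in a temp dir.

# Print the value of one directive from an opendkim.conf-style file
# ("Directive value" per line, '#' starts a comment). Prints nothing if absent.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 when $1 exists, is owned by $2 and has no group/other permission
# bits. Parses `ls -ld` so it works without GNU stat; the mode field may carry
# a trailing "." or "+" (SELinux context or ACL), hence the trailing "*".
key_perms_ok() {
    f="$1"; want_user="$2"
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")
    mode="$1"; owner="$3"
    [ "$owner" = "$want_user" ] || return 1
    case "$mode" in
        ?rw-------*|?r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a config; on success print the DNS name of the selector's TXT record
# (selector._domainkey.domain), on failure return 1.
audit_dkim() {
    conf="$1"
    keyfile=$(conf_get "$conf" KeyFile)
    user=$(conf_get "$conf" UserID); user=${user%%:*}   # allow "user:group"
    sel=$(conf_get "$conf" Selector)
    dom=$(conf_get "$conf" Domain)
    [ -n "$keyfile" ] && [ -n "$user" ] && [ -n "$sel" ] && [ -n "$dom" ] || return 1
    key_perms_ok "$keyfile" "$user" || return 1
    printf '%s._domainkey.%s\n' "$sel" "$dom"
}

# Build a constructed sample (placeholder domain, current user standing in for
# opendkim) and run the audit twice: once correct, once with a 0644 key.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/dkim-demo.XXXXXX")
    printf 'placeholder private key, not a real key\n' > "$d/dkim.key"
    cat > "$d/opendkim.conf" <<EOF
# constructed sample opendkim.conf
Domain   example.com
Selector mail
KeyFile  $d/dkim.key
UserID   $(id -un):$(id -gn)
Socket   inet:8891@localhost
EOF
    chmod 600 "$d/dkim.key"
    if rec=$(audit_dkim "$d/opendkim.conf"); then
        echo "ok: publish the public key in the TXT record $rec"
    else
        echo "FAIL: key ownership/permissions wrong"
    fi
    chmod 644 "$d/dkim.key"
    audit_dkim "$d/opendkim.conf" >/dev/null || echo "as expected, a 0644 key is rejected"
    rm -rf "$d"
}

demo
```

On a real CentOS box you would call `audit_dkim /etc/opendkim.conf` instead of `demo`; the mode check is deliberately strict (0600 or 0400 only), because a group- or world-readable signing key lets any local account forge DKIM-signed mail for the domain.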

graeme

Active Member
@wlanboy OK, lots of reasons. I am convinced. I have no experience of running a mail server, so had no idea about load - I had assumed they were fairly simple and low load....
 

souen

Active Member
Tried some more ...



9. Install postgrey


postgrey is available in the EPEL repository.


sudo yum install epel-release
sudo yum install postgrey
sudo nano /etc/sysconfig/postgrey
# add (default delay is 60):
POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=55"


After Postfix configuration, start and enable the service:


systemctl start postgrey
systemctl enable postgrey




10. Install spamassassin


Having a little trouble locating the packages, not entirely sure if the list is correct. I couldn't find perl-Geo-IPfree and perl-Net-Ident, RPMforge doesn't have them for CentOS 7. Does anyone know a reputable repository that carries them for CentOS 7?


# (CentOS 6) Install RPMforge repo to fetch some Perl modules
# 32-bit
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.i686.rpm

# 64-bit
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

rm -f rpmforge*.rpm

sudo yum install perl-Net-DNS pyzor perl-Razor-Agent perl-Digest-SHA perl-Encode-Detect perl-DBI perl-Geo-IPfree perl-Net-Ident
sudo yum install spamassassin


There is no /etc/default/spamassassin, so I just started it up like other services:


systemctl start spamassassin
systemctl enable spamassassin


Minor note when updating the rules: there wasn't a /etc/spamassassin directory, so I just downloaded the GPG key somewhere and imported it. Before "sa-update -D -v", download and import the GPG key from the Apache servers (or it returns "error: GPG validation failed! The update downloaded successfully, but it was not signed with a trusted GPG ...")


wget http://spamassassin.apache.org/updates/GPG.KEY
sa-update --import GPG.KEY
sa-update -D -v


Additional note -- if running into the error below during install and can't find the kernel-headers in the main repo:


Error: Package: glibc-headers-2.17-106.el7_2.1.x86_64 (updates)
Requires: kernel-headers
Error: Package: glibc-headers-2.17-106.el7_2.1.x86_64 (updates)
Requires: kernel-headers >= 2.2.1


This is due to kernel packages being excluded in /etc/yum.conf on some systems. Run the following command to grab the headers:


sudo yum --disableexcludes=main install kernel-headers




11. Install fail2ban


fail2ban is available in the EPEL repository.


sudo yum install epel-release
sudo yum install fail2ban


/etc/fail2ban/jail.conf recommends having a separate config file (/etc/fail2ban/jail.local, or one placed in /etc/fail2ban/jail.d) instead of editing jail.conf directly. Followed the config from there. The only thing was I couldn't find [sasl], only [postfix-sasl] (and there's no corresponding filter named sasl.conf in /etc/fail2ban/filter.d):


cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

[postfix-sasl]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log


Check that the log files exist or fail2ban won't start. Create them if needed:


touch /var/log/mail.log /var/log/secure


Start it up:


systemctl start fail2ban
systemctl enable fail2ban


Additional note -- as when installing spamassassin, if the ipset package requires the kernel package not yet installed, do:


sudo yum --disableexcludes=main install kernel




12. Own SSL configuration


Sorry, I don't have certificates on hand to test it. There's no /etc/dovecot/conf.d/01-mail-stack-delivery.conf file on CentOS 7. Dovecot certificate paths are /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem (self-signed certs are stored in /etc/pki/tls/certs), so I'm not sure where the 3rd step goes, if there's a 3rd step. The old (and possibly outdated) howto on the CentOS wiki adds it to /etc/dovecot/dovecot.conf:


ssl_cert_file = /etc/pki/tls/certs/mail.domain.com.cert
ssl_key_file = /etc/pki/tls/private/mail.domain.com.key


14. DKIM


Forgot to mention in my previous post -- there is no /etc/mail directory by default, but I suppose it could be created, as long as the KeyFile path in the config file is correct (I generated the key in /etc/opendkim/keys and linked to it there).
 
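Two things in the fail2ban step above are worth checking mechanically: every enabled jail in jail.local needs an existing logpath (fail2ban will not start otherwise, which is why the post touches the log files), and the [postfix-sasl] jail only helps if its pattern actually matches the "SASL ... authentication failed" warnings Postfix writes. The following POSIX shell script is an added example, not code from the thread or from the fail2ban project: it lists the enabled jails and their logpaths from an INI-style jail.local, verifies the paths exist, and runs a simplified version of the SASL-failure match over constructed mail.log lines to report which client IPs reach maxretry. The jail.local, the log lines and all IP addresses are constructed samples; the regex is my simplification, not fail2ban's own postfix-sasl filter.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for the fail2ban step above.
# (1) list jails with "enabled = true" in a jail.local and confirm each logpath
#     exists, since fail2ban refuses to start when one is missing;
# (2) run a simplified postfix-sasl match over constructed mail.log lines and
#     report client IPs with at least maxretry failures.

# Print "jail logpath" for every section with "enabled = true" ("-" when the
# section sets no logpath). Walks the INI file once, tracking the section.
enabled_jails() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); en[sec] = 0; next }
        /^[[:space:]]*enabled[[:space:]]*=/ {
            split($0, a, "="); gsub(/[[:space:]]/, "", a[2]); en[sec] = (a[2] == "true")
        }
        /^[[:space:]]*logpath[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); lp[sec] = $0 }
        END { for (s in en) if (en[s]) print s, (s in lp ? lp[s] : "-") }
    ' "$1" | sort
}

# Return 0 when every enabled jail's logpath exists; otherwise name the first
# missing one and return 1 (the while runs in a subshell, so exit 1 is safe).
jail_logs_exist() {
    enabled_jails "$1" | while read -r jail path; do
        [ "$path" = "-" ] && continue
        [ -e "$path" ] || { echo "missing logpath for $jail: $path"; exit 1; }
    done
}

# Count Postfix "SASL <mech> authentication failed" warnings per client IP in
# log file $1 and print "count ip" for every IP with at least $2 failures.
# Simplified match; fail2ban's real filter covers more line variants.
sasl_offenders() {
    grep -E 'postfix/smtpd\[[0-9]+\]: warning: [^[]*\[[0-9.]+\]: SASL [A-Z0-9-]+ authentication failed' "$1" \
      | sed -E 's/.*warning: [^[]*\[([0-9.]+)\]: SASL.*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk -v max="$2" '$1 >= max { print $1, $2 }'
}

# Constructed jail.local and mail.log in a temp dir; 192.0.2.10 fails three
# times, 198.51.100.7 once, 203.0.113.5 authenticates successfully.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/f2b-demo.XXXXXX")
    cat > "$d/mail.log" <<'EOF'
Jan  5 10:00:01 mail postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jan  5 10:00:03 mail postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Jan  5 10:00:05 mail postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Jan  5 10:00:07 mail postfix/smtpd[2102]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan  5 10:00:09 mail postfix/smtpd[2103]: connect from client.example.org[203.0.113.5]
Jan  5 10:00:10 mail postfix/smtpd[2103]: 1A2B3C: client=client.example.org[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
EOF
    cat > "$d/jail.local" <<EOF
[DEFAULT]
maxretry = 3

[postfix-sasl]
enabled = true
filter = postfix-sasl
logpath = $d/mail.log

[sshd]
enabled = false
logpath = $d/secure

[dovecot]
enabled = true
logpath = $d/does-not-exist.log
EOF
    echo "enabled jails:"; enabled_jails "$d/jail.local"
    jail_logs_exist "$d/jail.local" && echo "all logpaths present"
    echo "IPs at or above maxretry=3:"; sasl_offenders "$d/mail.log" 3
    rm -rf "$d"
}

demo
```

In the demo the dovecot jail points at a file that does not exist, so `jail_logs_exist` names it, which is the situation the "touch /var/log/mail.log /var/log/secure" line above works around; `sasl_offenders` reports only 192.0.2.10, the one client with three failures. Running `enabled_jails /etc/fail2ban/jail.local` on a real host is a quick way to see which jails you actually turned on before starting the service.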

River

Member
Verified Provider
This is a really good guide. I've always wondered though if there is a good control panel for just email servers. I know of the collab suites like Zimbra and OpenXChange but I haven't found anything for just the email without all the additional features - really just mailbox management and settings GUI.
 

Licensecart

Active Member
You are a legend @wlanboy. I've been trying tutorials all over the net and found this one in our backyard; much easier to follow too.
 

Licensecart

Active Member
This is a really good guide. I've always wondered though if there is a good control panel for just email servers. I know of the collab suites like Zimbra and OpenXChange but I haven't found anything for just the email without all the additional features - really just mailbox management and settings GUI.

There's roundcube.net, but I couldn't get it working myself; I was following rubbish online ones, so I might be able to get it to work by following wlanboy's. There's PostfixAdmin too, which I looked into: http://postfixadmin.sourceforge.net
 

bizzard

Active Member
@River Virtualmin is my choice for managing mail servers. Not a user focused panel, but good enough for administrators. Handles the mess of multiple domains and quotas pretty well and some other neat features too. Disable all the unwanted services and modules and it still works fine. The default username format is a nuisance though.


Have thought of writing a wrapper around Virtualmin for just mail management but haven't found the time for it. Need to complete the billing panel before I move on to other stuff.
 

Licensecart

Active Member
Would anyone want to help me porting this tutorial to CentOS?
I think some would like to use CentOS instead of Debian/Ubuntu.

I tried using your tutorial on CentOS 7, changing apt-get to yum, and I couldn't get it working, so maybe that's why :D

I did have to use yum install dovecot postfix -y
 

WiredBlade

New Member
Great tutorial. I have been hosting my own email server on Windows and found it to be very hard to manage. I have always wanted to move to a Linux mail server and this tutorial will help me enormously.
 