Deploying the Flockport mail server

Once again this is non-trivial. The Flockport mail server is the most complex container and is mainly intended for users with some mail administration experience. There is no way to simplify a deployment this involved for the lay user, so follow each step closely.

Let's quickly recap the components of the Flockport mail server.

  • Postfix - SMTP - /etc/postfix
  • Dovecot - IMAP/POP - /etc/dovecot
  • Roundcube - Webmail - /usr/local/roundcube
  • Vimbadmin - Domain GUI management - /usr/local/vimbadmin
  • Nginx - Webserver - /etc/nginx
  • Mysql - Virtual users store

The mail server supports multiple domains and virtual users, with webmail, IMAP and POP access and a GUI for adding domains, users and aliases. It's also extremely lightweight, sophisticated and powerful, and the basic deployment can run a large number of domains and users. For instance, with a single domain and around 15 users it uses barely 150 MB of RAM in your average KVM instance.

A lot of the complexity in installing and configuring the mail server and its components is already done. For this guide we are going to deploy the mail server container in a cloud KVM instance with a public IP, and thus will have to port forward all the ports used by the mail server from the KVM instance public IP to the container private IP.

You can of course configure your networking layer to give the mail server container a public IP. Please refer to the Flockport networking guides to learn more about LXC container networking.

Mail server URL
The mail server hostname (what this guide calls the mail server URL) is set by the 'myhostname' parameter in /etc/postfix/main.cf. It's common to use a 'mail' subdomain, so the mail server FQDN is for instance mail.flockport.org. You can also use the plain domain name, i.e. flockport.org. Make sure the same name is also in /etc/mailname and /etc/hostname; Postfix announces 'myhostname' in its SMTP greeting, and receiving servers compare it against DNS.

Mail server ports
A mail server uses the following ports depending on how it is configured. Ports labelled 'STARTTLS optional' start out in plaintext and are only encrypted if the client asks for it; the 'TLS from the first byte' ports are encrypted before any mail protocol traffic is exchanged.

SMTP - 25 (server-to-server delivery, STARTTLS optional), 465 (SMTPS, TLS from the first byte), 587 (client submission, STARTTLS)
IMAP - 143 (STARTTLS optional), 993 (IMAPS, TLS from the first byte)
POP - 110 (STARTTLS optional), 995 (POP3S, TLS from the first byte)

The Flockport mail server ships with both Postfix and Dovecot already configured for SSL/TLS, so the only things left to do are to install or generate certificates and point Postfix and Dovecot at them.

Mail server security and certificates
By default the install leaves both Postfix and Dovecot with self-signed placeholder certificates. To use a mail server in production you need certificates issued by a trusted certificate authority. We find Namecheap and Rapidssl to offer the best value for SSL certificates.

For this guide we are going to use self-signed certificates. The problem with self-signed certificates is that they are not trusted, so browsers and mail clients show errors and warnings; they are not recommended for production. If this is a personal mail server you can use self-signed certificates.

You can choose to run a mail server without encryption but this is not recommended. Ports 25, 143 and 110 start out unencrypted and are only protected when the client negotiates STARTTLS. Port 25 has to stay reachable regardless, because other mail servers deliver to it; the right answer there is to leave STARTTLS enabled, not to close the port. Here is a quick guide on TLSfying mail servers and certificates

For this guide we are going to use the following ports.

port 25   : inbound SMTP from other mail servers (STARTTLS offered)
port 587  : mail client SMTP submission (TLS required before login)
port 993  : mail client IMAP over TLS
port 443  : webmail and Vimbadmin GUI over HTTPS

Let's generate self-signed certificates for Postfix and Dovecot. When generating an SSL certificate you will need to answer a number of questions. The main thing to pay attention to is the 'common name': this must be the mail server FQDN that clients will be told to connect to, like mail.flockport.org, because every client compares the name in the certificate against the hostname it connected to. The -nodes flag leaves the private key unencrypted so the daemons can start unattended; keep /etc/ssl/private/mailserver.pem readable by root only (mode 0600).
openssl req -new -x509 -days 3650 -nodes -newkey rsa:4096 -out /etc/ssl/certs/mailserver.pem -keyout /etc/ssl/private/mailserver.pem

Configure Postfix and Dovecot to use the new certificates. Edit /etc/postfix/main.cf (smtpd_tls_cert_file and smtpd_tls_key_file) and /etc/dovecot/conf.d/10-ssl.conf (ssl_cert and ssl_key; note that Dovecot expects the path prefixed with '<', meaning 'read this file') and change the certificate paths accordingly.

nano /etc/postfix/main.cf
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/mailserver.pem
smtpd_tls_key_file=/etc/ssl/private/mailserver.pem

nano /etc/dovecot/conf.d/10-ssl.conf

Restart Postfix and Dovecot

service postfix restart
service dovecot restart
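Pointing both daemons at the certificate is only half of the job: unless Postfix and Dovecot are also told to refuse passwords on unencrypted sessions, a client that skips STARTTLS will still send credentials in the clear on ports 25, 143 and 110. The POSIX shell script below is an added example, not code from the Flockport project or the original guide. It renders the relevant Postfix and Dovecot settings so they can be reviewed, applies them, and checks the result the way a mail client would. It assumes the certificate paths from the openssl command above, a Debian layout where dovecot.conf includes conf.d/*.conf in name order (so the file name 99-local-ssl.conf, chosen here, overrides 10-ssl.conf), and that the container already has a 'submission' entry in /etc/postfix/master.cf to compare against.

```shell
#!/bin/sh
# Added example (not part of the Flockport image): render, apply and verify the
# Postfix/Dovecot settings that make the certificate above protect logins.
# Assumes the cert/key paths from the openssl command in the guide and that
# dovecot.conf includes conf.d/*.conf in name order (Debian default).
set -eu

CERT=${CERT:-/etc/ssl/certs/mailserver.pem}
KEY=${KEY:-/etc/ssl/private/mailserver.pem}

# Postfix: offer STARTTLS everywhere, never accept a password on an
# unencrypted session, and drop the broken SSLv2/SSLv3 protocols.
postfix_tls_settings() {
    cat <<EOF
smtpd_tls_cert_file = $CERT
smtpd_tls_key_file = $KEY
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
EOF
}

# What the submission (587) service in master.cf should look like: TLS is
# mandatory here and only authenticated clients may relay. Compare this with
# the existing "submission" entry rather than appending it blindly.
submission_master_entry() {
    cat <<'EOF'
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

# Dovecot: refuse IMAP/POP logins until TLS is up. The leading '<' tells
# Dovecot to read the file's contents instead of using the string as the key.
dovecot_ssl_settings() {
    cat <<EOF
ssl = required
ssl_cert = <$CERT
ssl_key = <$KEY
disable_plaintext_auth = yes
EOF
}

apply_settings() {
    chmod 600 "$KEY"
    # postconf -e edits main.cf in place, one "name = value" at a time
    postfix_tls_settings | while IFS= read -r setting; do
        postconf -e "$setting"
    done
    # file name is this example's choice; it sorts after 10-ssl.conf
    dovecot_ssl_settings > /etc/dovecot/conf.d/99-local-ssl.conf
    service postfix restart
    service dovecot restart
}

# Connect like a mail client would and print the certificate the server
# presents. usage: verify_tls mail.flockport.org 587  (or 993, 443)
verify_tls() {
    host=$1; port=$2
    if [ "$port" = 587 ] || [ "$port" = 25 ]; then
        starttls="-starttls smtp"       # 25/587 upgrade a plaintext session
    else
        starttls=""                     # 993/443 are TLS from the first byte
    fi
    printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -servername "$host" $starttls 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

case "${1:-}" in
    show)  postfix_tls_settings; echo; submission_master_entry; echo; dovecot_ssl_settings ;;
    apply) apply_settings ;;
    check) verify_tls "${2:?hostname}" "${3:-587}" ;;
esac
```

Run it as `sh tls-setup.sh show` to review the settings, `sh tls-setup.sh apply` to write them, and `sh tls-setup.sh check mail.flockport.org 993` to confirm the subject and validity dates of the certificate the daemon actually serves. If the check prints the Debian placeholder certificate instead of yours, the path edit did not take effect.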

Configuring secure SSL access for webmail and Vimbadmin
Roundcube and Vimbadmin are located under /usr/local. By default the Nginx configuration serves them at mail.flockport.org and vma.flockport.org. You of course need to change these names to the hostnames you have chosen for webmail and the Vimbadmin GUI.

The Nginx settings for the 2 sites are in '/etc/nginx/sites-available'. Since we are going to use SSL let's generate self-signed certs for the mail domain. Remember that for production it's best to use proper certs to avoid browser warnings.

Make an SSL directory in the /etc/nginx/ folder
mkdir /etc/nginx/ssl

Generate SSL certs for your chosen mail domain; we are using mail.flockport.org and vma.flockport.org. For this guide let's just generate a wildcard certificate for the entire domain. To do this, when prompted for 'Common name' during the certificate creation process, enter '*.your-chosen-mail-domain', for instance *.flockport.org. Note that a wildcard for *.flockport.org covers mail.flockport.org and vma.flockport.org but not the bare flockport.org; if you serve webmail on the plain domain name, put that name in the certificate instead.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/your-chosen-url.key -out /etc/nginx/ssl/your-chosen-url.crt

Let's configure Nginx SSL access. In the '/etc/nginx/sites-available' folder edit 'mail.flockport.org' and 'vma.flockport.org' . Change the name of these files to match your URL and link them to the '/etc/nginx/sites-enabled' folder.

The Nginx configuration should look like below for SSL webmail access.

server {
        listen 443 ssl;
        server_name mail.flockport.org;

        access_log   /var/log/nginx/mail.flockport.org.access.log;
        error_log    /var/log/nginx/mail.flockport.org.error.log;

        ssl_certificate /etc/nginx/ssl/flockport.crt;
        ssl_certificate_key /etc/nginx/ssl/flockport.key;
        # SSLv3 and older are broken; TLSv1.2 is supported by current browsers
        ssl_protocols TLSv1.2;

        root /usr/local/roundcube;
        index index.php;

        # Roundcube keeps its database credentials, temp files and logs under
        # the web root; never serve them (regex locations match in file order,
        # so this has to come before the .php location)
        location ~ ^/(config|temp|logs)/ {
                deny all;
        }

        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass 127.0.0.1:9000;
        }
}

Remember to change the 'server_name' in the configuration to match your mail server FQDN.

For Vimbadmin GUI the Nginx configuration is identical, only the server_name will be vma.your-chosen-url.org. Remember to change the SSL key file names in the SSL certificate Nginx configs to match your generated SSL certificate name.

Restart Nginx after making the changes

service nginx restart

At this point your basic configuration is done, and you can test webmail and IMAP/POP access by pointing the chosen hostnames at your public IP in your local /etc/hosts file. Inbound mail from other servers, however, needs real DNS, so for production you need to make the DNS changes below. Here are 2 decent references on configuring mail server DNS

Mailserver DNS settings
Without proper DNS settings a lot of mail sent from your mail server may be rejected or land in spam boxes of recipients so mail server DNS settings are extremely important. Different domain registrars have different interfaces for these settings so we will provide a general overview of the proper configuration. There are 3 important settings to pay attention to.

There are also other settings like DKIM that we will not cover in this guide as if the settings below are properly set things usually work.

  • Mail server MX records and corresponding A records for the 'mail' subdomain if used.
  • Reverse IP PTR records
  • SPF TXT records

You need to configure MX records at your domain registrar or DNS provider to point to your mail server FQDN. For instance, the MX record for flockport.org in this guide would be mail.flockport.org, and mail.flockport.org must itself be a proper A record: an MX target is not allowed to be a CNAME, and some receiving servers reject mail from domains that get this wrong.

It's also a good idea to configure an SPF TXT record. Learn more about text records here. We are using 'v=spf1 a ~all' for the flockport.org domain for this guide. Please note the SPF record goes on the domain, not on the mail subdomain. Be aware of what 'a' means, though: it authorizes the IP of the domain's own A record, so it only works when flockport.org itself resolves to the mail server. If the apex record points at a web host instead, use 'v=spf1 mx ~all' (authorize whatever the MX points at) or 'v=spf1 a:mail.flockport.org ~all'. SPF records matter on a multi-domain mail server because each hosted domain needs its own record authorizing this one server to send for it; a domain without one sends unauthenticated mail.

Reverse PTR records are usually set at your VPS/cloud/server provider's end. Configure the PTR for your public IP to resolve to your mail server FQDN, and make sure that FQDN's A record resolves back to the same IP (forward-confirmed reverse DNS). Many receivers reject or penalize mail from an IP whose PTR does not match the name the server announces.

Once configured DNS records typically take a few minutes to propagate. It's a good idea at this point to head to a website like mxtoolbox to test if your mail server is configured properly. Mxtoolbox will generate a pretty useful report and highlight problem areas on your mail server.
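The same checks mxtoolbox runs can be done locally with dig, which is handy right after a DNS change and for each extra domain you add later. The script below is an added example, not code from the Flockport project or the original guide. It walks the chain a receiving server follows (MX, then the A record of the MX host, then the PTR of that IP, then the SPF record on the domain) and flags the 'v=spf1 a ~all' pitfall described above when the domain's own A record is not the mail server. It assumes dig is installed (the dnsutils package on Debian); the hostnames and IPs in the usage note are the guide's placeholders.

```shell
#!/bin/sh
# Added example (not from the Flockport project): check that the MX, A, PTR
# and SPF records for a domain agree with each other, the way a receiving
# server will check them. Needs dig(1) (package dnsutils on Debian).
set -eu

# usage: check_mail_dns flockport.org   -> exit 0 if everything lines up
check_mail_dns() {
    domain=$1
    status=0

    # 1. MX must point at a hostname that has an A record (not a CNAME)
    mxhost=$(dig +short MX "$domain" | sort -n | awk 'NR==1 {print $2}' | sed 's/\.$//')
    if [ -z "$mxhost" ]; then
        echo "FAIL: $domain has no MX record"; return 1
    fi
    mailip=$(dig +short A "$mxhost" | head -n 1)
    if [ -z "$mailip" ]; then
        echo "FAIL: MX host $mxhost has no A record"; return 1
    fi
    echo "OK:   MX $domain -> $mxhost -> $mailip"

    # 2. PTR must be forward-confirmed: IP -> name -> same IP
    ptr=$(dig +short -x "$mailip" | head -n 1 | sed 's/\.$//')
    if [ "$ptr" = "$mxhost" ]; then
        echo "OK:   PTR $mailip -> $ptr"
    else
        echo "FAIL: PTR for $mailip is '${ptr:-none}', expected $mxhost (set this at your provider)"
        status=1
    fi

    # 3. SPF lives on the domain, not the mail subdomain, and must actually
    #    authorize the mail server's IP. A bare 'a' only covers the domain's
    #    own A record, which is often the web server rather than the mail host.
    spf=$(dig +short TXT "$domain" | tr -d '"' | grep '^v=spf1' || true)
    if [ -z "$spf" ]; then
        echo "FAIL: no SPF record on $domain"; return 1
    fi
    authorized=no
    for tok in $spf; do
        case "$tok" in
            mx|+mx|"a:$mxhost"|"ip4:$mailip") authorized=yes ;;
            a|+a) if dig +short A "$domain" | grep -qx "$mailip"; then authorized=yes; fi ;;
        esac
    done
    if [ "$authorized" = yes ]; then
        echo "OK:   SPF '$spf' authorizes $mailip"
    else
        echo "FAIL: SPF '$spf' does not authorize $mailip; use 'v=spf1 mx ~all' or add ip4:$mailip"
        status=1
    fi
    return $status
}

if [ $# -gt 0 ]; then
    check_mail_dns "$1"
fi
```

Run it as `sh check-mail-dns.sh flockport.org` after your records have propagated; a non-zero exit means at least one of the three records would make receivers distrust your mail. The SPF check only evaluates the mechanisms a small self-hosted setup uses (mx, a, a:host, ip4:addr) and ignores include: and redirect=.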

Port forwarding
Since our mail server has a private IP (unless you configured otherwise), it's time to forward the proper ports from your cloud instance public IP to the mail server container private IP. We will forward the following ports.

Port 25
Port 587
Port 993
Port 443

Use the iptables command below for each of the above ports. Use your public IP and container mail server IP in the command. For instance if the public IP is 1.2.3.4 and the container IP is 10.0.3.25 the iptables command would look like this.

iptables -t nat -I PREROUTING -i eth0 -p TCP -d 1.2.3.4/32 --dport 25 -j DNAT --to-destination 10.0.3.25:25

Some heavy-handed VPS/cloud providers block port 25 by default, inbound, outbound or both. A mail server needs port 25 open to receive from and deliver to other servers, so ask your provider to unblock it in case it is filtered.
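The one-liner above only covers the nat table. If the host's FORWARD chain policy is DROP, the DNATed packets are rewritten and then discarded, and the rules are gone after a reboot. The script below is an added example, not code from the Flockport project or the original guide. It generates the DNAT and FORWARD rules for all four ports from one list so nothing is mistyped, and saves them. It uses the guide's placeholder addresses (public 1.2.3.4, container 10.0.3.25, interface eth0) and assumes the default LXC bridge, which already masquerades the container's outbound traffic so replies find their way back, and the iptables-persistent package, which reloads /etc/iptables/rules.v4 at boot.

```shell
#!/bin/sh
# Added example (not from the Flockport project): build the DNAT rules for all
# mail ports from one list, add the FORWARD rules the guide's one-liner omits,
# and save them so they survive a reboot. IPs are the guide's placeholders.
set -eu

WAN_IF=${WAN_IF:-eth0}
MAIL_PORTS="25 587 993 443"

# Print the two iptables commands that expose one TCP port of the container:
#   $1 public IP   $2 container IP   $3 port
forward_rules() {
    pub=$1; cont=$2; port=$3
    # DNAT: rewrite packets arriving on the public IP to the container
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s/32 --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$pub" "$port" "$cont" "$port"
    # FORWARD: without this the rewritten packets are dropped when the
    # host's FORWARD policy is DROP (common on hardened hosts)
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$WAN_IF" "$cont" "$port"
}

# All rules for the mail server, preceded by the one stateful rule that lets
# return traffic for established connections through.
all_rules() {
    pub=$1; cont=$2
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for port in $MAIL_PORTS; do
        forward_rules "$pub" "$cont" "$port"
    done
}

apply_rules() {
    all_rules "$1" "$2" | sh -e
    # persist: iptables-persistent reloads this file at boot (assumption)
    iptables-save > /etc/iptables/rules.v4
}

case "${1:-}" in
    show)  all_rules "${2:?public ip}" "${3:?container ip}" ;;
    apply) apply_rules "${2:?public ip}" "${3:?container ip}" ;;
esac
```

Use `sh forward-mail-ports.sh show 1.2.3.4 10.0.3.25` to review the rules and `apply` with the same arguments to install them; `iptables -t nat -L PREROUTING -n -v` afterwards shows packet counters per rule, which is the quickest way to see whether a port is being hit at all. The rules are appended (-A) rather than inserted (-I), so if you already have rules that drop forwarded traffic they must come after these.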

Your mail server is now ready to go. At this point you should be able to access:

  • Vimbadmin at vma.your-chosen-nginx-url to add domains and email IDs
  • Webmail at your-chosen-nginx-url to access webmail
  • IMAP is available on port 993 and SMTP on port 587

Once you have added a domain and some users, you can configure mobile email clients and desktop clients like Thunderbird to access email on these ports. You also need to install rsyslog in the Flockport mail server container to enable logging: Postfix logs through syslog, so without it /var/log/mail.log is never written and there is nothing to read when troubleshooting. The Debian package is called rsyslog (it provides the rsyslogd daemon).
apt-get install rsyslog

Mail clients
Remember that if you are using self-signed certificates some mail clients will complain or fail. To get around this you may need to add an exception in the mail client for the self-signed cert; most mail clients have an option to do so.

Thunderbird can be particularly problematic with self-signed certs. Some versions may work, but in others you may need to import the public mailserver.pem cert generated earlier in this guide for Postfix and Dovecot into Thunderbird's server certificates before configuring the email account. There should be no issues with proper certificates.

Security and Spam
To complete the configuration and secure the mail server you can use a tool like fail2ban, which watches the log files for repeated login failures and temporarily bans the offending IPs, to keep bots and brute-force attempts off the SMTP, IMAP and POP ports. There are currently 3 DNSBL lists configured in /etc/postfix/main.cf to prevent spam. You can add more lists there.
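fail2ban does nothing until a jail is enabled for each daemon and pointed at the right log file. The script below is an added example, not code from the Flockport project or the original guide. It writes a jail.local for Postfix SMTP AUTH failures and Dovecot IMAP/POP login failures and shows how to read the ban list. It assumes fail2ban 0.9 or newer, where the Postfix SASL filter is named postfix-sasl (in 0.8 it was called sasl), rsyslog writing /var/log/mail.log as installed above, Dovecot logging to /var/log/dovecot.log as in the troubleshooting section below, and the default LXC bridge address 10.0.3.1 as the host you never want to ban; change any of these to match your container.

```shell
#!/bin/sh
# Added example (not from the Flockport project): a jail.local that bans hosts
# brute-forcing SMTP AUTH (Postfix) and IMAP/POP logins (Dovecot).
# Assumes fail2ban >= 0.9 (filter name "postfix-sasl"), rsyslog writing
# /var/log/mail.log and Dovecot writing /var/log/dovecot.log.
set -eu

jail_local() {
    cat <<'EOF'
[DEFAULT]
# never ban localhost or the container host (10.0.3.1 = default lxcbr0, assumption)
ignoreip = 127.0.0.1/8 10.0.3.1
# 5 failures within 10 minutes -> banned for 1 hour
bantime  = 3600
findtime = 600
maxretry = 5

[postfix-sasl]
enabled  = true
port     = smtp,submission
logpath  = /var/log/mail.log

[dovecot]
enabled  = true
port     = imap,imaps,pop3,pop3s
logpath  = /var/log/dovecot.log
EOF
}

install_jail() {
    jail_local > /etc/fail2ban/jail.local   # jail.local overrides jail.conf
    service fail2ban restart
}

# Show failure counts and currently banned IPs for one jail
jail_status() {
    fail2ban-client status "$1"
}

case "${1:-}" in
    show)    jail_local ;;
    install) install_jail ;;
    status)  jail_status "${2:-dovecot}" ;;
esac
```

Run `sh mail-jails.sh install` inside the container, then `sh mail-jails.sh status postfix-sasl` after a few minutes of exposure; if the 'Currently failed' counter never moves while /var/log/mail.log shows authentication failures, the filter name or log path is wrong for your fail2ban version. Because the DNAT rules above preserve the client's source address, the container sees real attacker IPs, but fail2ban needs to be able to run iptables inside the container for the bans to take effect.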

Troubleshooting
Dovecot LMTP/LDA delivery error. If you are not able to receive mail, review /var/log/dovecot.log. The error below means Dovecot's delivery agent has no sender address to use for bounce and rejection mails and refuses to start:

dovecot: lmtp(5304): Fatal: Error reading configuration: Invalid settings: postmaster_address setting not given

To fix the error above, edit the Dovecot LDA config file and set postmaster_address to an address of your choice at one of your domains (shown here for the guide's flockport.org).
nano /etc/dovecot/conf.d/15-lda.conf

# Address to use when sending rejection mails.
# Default is postmaster@.
postmaster_address = postmaster@flockport.org