Setup base system


These instructions assume a fresh, clean install of Ubuntu (the source tutorial targets 18.04): a base installation with nothing else on it yet.

==== Prerequisites ====

2 GB of RAM is required unless all of the optional components are turned off during the installation.

==== Update OS ====

The following upgrades every installed package and then REBOOTS the server (the 10 second sleep leaves time to abort with Ctrl-C):

sudo apt update && sudo apt upgrade -y && sleep 10 && sudo shutdown -r now

==== Set hostname ====

Put the short hostname (ex. mail) in the following file; do NOT put the FQDN (ex. mail.domain.com) here:

sudo nano /etc/hostname 

Map the FQDN to the host in /etc/hosts. The FQDN must come first after the address, followed by the short name, and the localhost line must stay. Example:

sudo nano /etc/hosts

127.0.0.1 localhost
127.0.1.1 mail.domain.com mail

Check the hostname with the following. It must print the FQDN (the iRedMail installer checks this); if it still shows the old name, apply the new one without a reboot with sudo hostnamectl set-hostname mail, or reboot, then check again.

hostname -f

==== Setup Swap, Swappiness and cache_pressure – Optional ====

sudo dd if=/dev/zero of=/swapfile count=2048 bs=1MiB
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
swapon -s
free -h
sudo vi /etc/fstab
/swapfile swap swap sw 0 0

Apply the swappiness and cache pressure settings without rebooting:

sudo sysctl vm.swappiness=10
sudo sysctl vm.vfs_cache_pressure=50

You will want to add the settings to the bottom of sysctl.conf to make the settings persist on reboot :

sudo vi /etc/sysctl.conf
vm.swappiness = 10
vm.vfs_cache_pressure = 50

Install iRedMail



Install the latest iRedMail release. 0.9.9 is the version this page was written against, so check the iRedMail download page for the current tarball name. The installer must run as root.

wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.9.tar.bz2
tar xvf iRedMail-0.9.9.tar.bz2
cd iRedMail-0.9.9/
chmod +x iRedMail.sh
sudo bash iRedMail.sh

Select the features you want and use strong, unique passwords for each component. The installer does NOT ask you to enter a password a second time, so there is no confirmation prompt to catch a typo: type each one carefully. After the run, the installer writes those passwords in plain text to iRedMail.tips in the install directory; keep that file readable by root only, and delete it once you have recorded what you need.

==== Set up the Certs ====

The source tutorial installs certbot from the certbot PPA. That PPA is no longer maintained, so on current Ubuntu releases install certbot from the main repository (sudo apt install certbot) or from snap instead of adding the PPA. Replace the e-mail address and hostname placeholders with your own. The webroot plugin needs port 80 reachable from the Internet so Let's Encrypt can fetch its challenge file from /var/www/html/.

sudo apt install software-properties-common 
sudo add-apt-repository ppa:certbot/certbot
sudo apt install certbot
sudo certbot certonly --webroot --agree-tos --email postmaster@your-domain.com -d mail.your-domain.com -w /var/www/html/

=== Installing the Certificate in Nginx ===

After obtaining the certificate, configure the Nginx web server to use it by editing the SSL template file.

sudo nano /etc/nginx/templates/ssl.tmpl

Find the following 2 lines:

ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

Replace them with:

ssl_certificate /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.your-domain.com/privkey.pem;

Save and close the file. Then test nginx configuration and reload.

sudo nginx -t
sudo systemctl reload nginx

Visit the iRedMail admin panel; your browser will no longer warn, because Nginx now serves a publicly trusted certificate.

https://mail.yourdomain.com/iredadmin

=== Installing TLS Certificate in Postfix and Dovecot ===

Postfix (SMTP) and Dovecot (IMAP) still present the self-signed iRedMail certificate, so desktop mail clients would warn on every connection. Point both at the Let's Encrypt files, starting with the main Postfix configuration file.

sudo nano /etc/postfix/main.cf 

Find the following 3 lines (around lines 95-97; the exact position varies by iRedMail version).

smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

Replace them with:

smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.your-domain.com/chain.pem

Save and close the file. Then reload Postfix.

sudo systemctl reload postfix

Next, edit the main configuration file of Dovecot.

sudo nano /etc/dovecot/dovecot.conf

Find the following 2 lines (around lines 47-48; the exact position varies by iRedMail version).

ssl_cert = </etc/ssl/certs/iRedMail.crt 
ssl_key = </etc/ssl/private/iRedMail.key

Replace them with:

ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem

Save and close the file. Then reload dovecot.

sudo systemctl reload dovecot

From this point on, desktop mail clients will not see certificate warnings. Let's Encrypt certificates expire after 90 days. certbot renews them automatically, but Nginx, Postfix and Dovecot only pick up the new files when they are reloaded, so reload all three after every renewal (a certbot deploy hook is the usual way); otherwise they keep serving the expired certificate.
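The script below is an added example, not code from the original tutorial or from the iRedMail project. It makes the Postfix and Dovecot edits above with sed, syntax-checks both configs, reloads the three daemons (the same function doubles as a certbot deploy hook so renewals are picked up), and prints the issuer each listener actually presents so you can confirm the change took. It assumes the hostname mail.your-domain.com and the default iRedMail file locations; pass "apply" to change the live configs, or "check" to only inspect the listeners.

```shell
#!/bin/sh
# Added example (not from the linuxbabe tutorial or iRedMail). Switches Postfix
# and Dovecot to the Let's Encrypt files, reloads the daemons, and shows what
# each listener really presents. Assumed hostname: mail.your-domain.com.
set -eu

HOST="${HOST:-mail.your-domain.com}"
LIVE="${LIVE:-/etc/letsencrypt/live/$HOST}"

# Rewrite the three smtpd_tls_* settings in a main.cf-style file, in place.
# cert.pem is the leaf and chain.pem the intermediates, matching the edit above.
postfix_use_letsencrypt() {
    main_cf="$1"; live="$2"
    sed -i \
        -e "s|^smtpd_tls_key_file *=.*|smtpd_tls_key_file = $live/privkey.pem|" \
        -e "s|^smtpd_tls_cert_file *=.*|smtpd_tls_cert_file = $live/cert.pem|" \
        -e "s|^smtpd_tls_CAfile *=.*|smtpd_tls_CAfile = $live/chain.pem|" \
        "$main_cf"
}

# Same for Dovecot: it wants the full chain in ssl_cert, and the leading '<'
# tells it the value is a file name rather than inline PEM.
dovecot_use_letsencrypt() {
    conf="$1"; live="$2"
    sed -i \
        -e "s|^ssl_cert *=.*|ssl_cert = <$live/fullchain.pem|" \
        -e "s|^ssl_key *=.*|ssl_key = <$live/privkey.pem|" \
        "$conf"
}

# Reload every daemon that holds the certificate in memory.
reload_mail_services() {
    for svc in nginx postfix dovecot; do
        systemctl reload "$svc"
    done
}

# Print the issuer of the certificate a listener presents. IMAP (143) and
# submission (587) need STARTTLS; 443 and 993 speak TLS from the first byte.
tls_issuer() {
    host="$1"; port="$2"; proto="${3:-}"
    {
        if [ -n "$proto" ]; then
            openssl s_client -connect "$host:$port" -servername "$host" -starttls "$proto" </dev/null 2>/dev/null
        else
            openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null
        fi
    } | openssl x509 -noout -issuer 2>/dev/null || echo 'no certificate presented'
}

# Modes: "apply" rewrites the live configs and reloads; "check" only prints the
# issuers. certbot exports RENEWED_LINEAGE when it runs a deploy hook, so this
# same file dropped into /etc/letsencrypt/renewal-hooks/deploy/ just reloads.
mode="${1:-}"
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_mail_services
elif [ "$mode" = "apply" ]; then
    postfix_use_letsencrypt /etc/postfix/main.cf "$LIVE"
    dovecot_use_letsencrypt /etc/dovecot/dovecot.conf "$LIVE"
    postfix check            # syntax-check main.cf before reloading
    doveconf -n >/dev/null   # same for Dovecot
    reload_mail_services
fi
if [ "$mode" = "apply" ] || [ "$mode" = "check" ]; then
    for spec in 443: 587:smtp 143:imap 993:; do
        printf '%-4s ' "${spec%%:*}"
        tls_issuer "$HOST" "${spec%%:*}" "${spec#*:}"
    done
fi
```

Every port should print an issuer whose O= field names Let's Encrypt; a port that still prints the iRedMail self-signed name, or "no certificate presented", means that daemon was not reloaded, still reads the old path, or is not listening. Copy the script to /etc/letsencrypt/renewal-hooks/deploy/ with execute permission (or pass it to certbot with --deploy-hook) and the reload happens on every renewal.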

Setup & Sending Test Emails


Log into the iRedAdmin panel (https://mail.your-domain.com/iredadmin) with the postmaster mail account. Use the Add tab to add additional domains or email addresses.

Once you have created a user, you can visit the Roundcube webmail address and login with the new mail user account.

https://mail.your-domain.com/mail/ or https://mail.your-domain.com/

At this point, you can test that the mail server’s email is sending and receiving. Keep in mind that you may need to wait for a few minutes to receive emails because greylisting is enabled by default.

Note: If your hosting provider or ISP blocks outbound port 25, ask them to open it. If they refuse, the server cannot deliver mail directly and you will need an SMTP relay instead. Messages like the following in /var/log/mail.log, with connection timeouts to every remote MX rather than to a single one, indicate port 25 is blocked.

Nov 3 10:43:43 mail postfix/smtp[9969]: connect to gmail-smtp-in.l.google.com[74.125.200.27]:25: Connection timed out
Nov 3 10:44:13 mail postfix/smtp[9969]: connect to gmail-smtp-in.l.google.com[2404:6800:4003:c03::1b]:25: Connection timed out

==== Using Mail Clients on Your Computer or Mobile Device ====

Open up your desktop email client such as Mozilla Thunderbird, Mac Mail, Outlook, etc and add a mail account.

In the incoming server section, select IMAP, enter mail.your-domain.com as the server name, and choose port 143 with STARTTLS (or port 993 with SSL/TLS).

Choose "normal password" as the authentication method; the password only travels inside the TLS session.

In the outgoing section, select SMTP, enter mail.your-domain.com as the server name, and choose port 587 with STARTTLS. Choose "normal password" as the authentication method.

==== Improving Your Email Server Reputation ====

Set PTR, SPF, DKIM and DMARC records to prevent your emails from being flagged as spam.

=== PTR record ===

A pointer record, or PTR record, maps an IP address to a FQDN (fully qualified domain name). It’s the counterpart to the A record and is used for reverse DNS lookup, which can help with blocking spammers. Many SMTP servers reject emails if no PTR record is found for the sending server.

To check the PTR record for an IP address, run this command:

dig -x IP-address +short

or

host IP-address

Because your IP address comes from your hosting provider or ISP, not from your domain registrar, the PTR record is set in the hosting provider's control panel, or by asking your ISP. Its value should be your mail server's hostname, mail.your-domain.com, and the A (or AAAA) record for that hostname should point back at the same address. If your server has an IPv6 address, add a PTR record for the IPv6 address as well.

=== SPF Record ===

An SPF (Sender Policy Framework) record specifies which hosts or IP addresses are allowed to send email on behalf of a domain. Allow only your own mail server (or your ISP's relay) to send for your domain. In your DNS management interface, create a new TXT record.

example: v=spf1 mx ~all

  • TXT indicates this is a TXT record.
  • In the name field, enter @ to represent the bare domain name.
  • v=spf1 indicates this is an SPF record, version 1.
  • mx authorizes every host listed in the domain's MX records to send mail for the domain.
  • ~all is a "softfail" for every other host: receivers accept the mail but mark it as suspect. Once you are sure every legitimate sender is covered, switch to -all (hard fail) so receivers reject forged mail outright. Never use +all, which authorizes the whole Internet.

To check if your SPF record is propagated to the public Internet, you can use the dig utility on your Linux machine like below:

dig your-domain.com txt

The txt option tells dig that we only want to query TXT records.

=== DKIM Record ===

DKIM (DomainKeys Identified Mail) uses a private key to digitally sign emails sent from your domain. Receiving SMTP servers verify the signature by using the public key, which is published in the DNS DKIM record.

The iRedMail script automatically configured DKIM for your server, so the only thing left should be to create a DKIM record in the DNS manager. Open the iRedMail.tips file under iRedMail-0.9.9 directory.

sudo nano iRedMail.tips

Scroll down to DNS record for DKIM support section. The DKIM public key is in the parentheses.

You can also show the public key with the following command.

sudo amavisd-new showkeys

Then in your DNS manager, create a TXT record, enter dkim._domainkey in the name field. Copy everything in the parentheses and paste into the value field. Delete all double quotes and spaces.

Once you have saved your changes, you will want to run the following command to test if your DKIM record is correct.

sudo amavisd-new testkeys

If the DKIM record is correct, the test will pass. Depending on the TTL, your DNS record may need some time to propagate across the Internet.

TESTING#1 your-domain.com: dkim._domainkey.your-domain.com => pass

=== DMARC Record ===

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It tells receiving servers what to do with mail that fails SPF and DKIM alignment for your domain and where to send aggregate reports, which is what stops your domain name from being used for email spoofing.

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:

v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@your-domain.com

p=none is a safe starting point: it only asks receivers to report and never causes your own mail to be rejected. Once the reports show that only your server sends for the domain, tighten it to p=quarantine and then p=reject; until then DMARC is monitoring, not protection. The mailbox named in rua= has to exist, so create dmarc-reports@your-domain.com in iRedAdmin or point rua= at an existing address.
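The script below is an added example, not code from the original tutorial or from the iRedMail project. It covers the PTR, SPF, DKIM and DMARC steps above: it flattens the multi-line DKIM key from amavisd-new showkeys into the single string the DNS panel wants (parentheses content, quotes and whitespace removed), compares what DNS now returns with the local key, and applies the policy checks from the SPF and DMARC sections to whatever is published. It assumes the placeholder names your-domain.com and mail.your-domain.com and a public IP passed on the command line; the dig lookups need network access.

```shell
#!/bin/sh
# Added example (not from the linuxbabe tutorial or iRedMail): normalise the
# DKIM key the way the DNS panel wants it, then compare the records you
# published with what the Internet actually resolves.
set -eu

# Turn the multi-line TXT record printed by `amavisd-new showkeys` (or found in
# iRedMail.tips) into one string: keep only what is inside the parentheses and
# drop quotes, spaces, tabs and line breaks, exactly as the DKIM step says.
dkim_record_value() {
    tr -d '\n\t "' | sed 's/^.*(//; s/).*$//'
}

# dig prints long TXT answers as several quoted chunks; normalise them the same
# way so both sides can be compared byte for byte.
dns_txt() {
    dig +short TXT "$1" | tr -d '" '
}

# SPF must be version 1 and end in ~all or -all. A record ending in +all, or
# with no all term, leaves the policy open (pure string check, no network).
spf_policy_ok() {
    case "$1" in
        "v=spf1"*"~all"|"v=spf1"*"-all") return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the p= tag from a DMARC record; p=none only monitors.
dmarc_policy() {
    printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1
}

mail_dns_report() {
    domain="$1"; host="$2"; ip="$3"

    ptr=$(dig +short -x "$ip")
    printf 'PTR   %s -> %s\n' "$ip" "${ptr:-MISSING}"
    [ "$ptr" = "$host." ] || echo '      PTR does not match the mail hostname'

    spf=$(dig +short TXT "$domain" | grep '^"v=spf1' | tr -d '"' || true)
    printf 'SPF   %s\n' "${spf:-MISSING}"
    spf_policy_ok "$spf" || echo '      SPF has no ~all/-all terminator'

    dkim=$(dns_txt "dkim._domainkey.$domain")
    printf 'DKIM  %s\n' "${dkim:-MISSING}"
    if command -v amavisd-new >/dev/null 2>&1; then
        local_key=$(amavisd-new showkeys 2>/dev/null | dkim_record_value)
        [ "$dkim" = "$local_key" ] || echo '      published DKIM key differs from the local key'
    fi

    dmarc=$(dns_txt "_dmarc.$domain")
    printf 'DMARC %s (p=%s)\n' "${dmarc:-MISSING}" "$(dmarc_policy "$dmarc")"
}

# Usage: sudo sh mail-dns-check.sh your-domain.com mail.your-domain.com 203.0.113.10
if [ $# -eq 3 ]; then
    mail_dns_report "$1" "$2" "$3"
fi
```

Run it as root so the DKIM comparison can call amavisd-new showkeys; without that it still reports the published values. A DKIM mismatch right after you save the record is usually just TTL propagation, so re-run after the TTL has elapsed before editing the record again.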

=== Testing Email Score and Placement ===

After you have created the PTR, SPF, DKIM and DMARC records, go to https://www.mail-tester.com. The site shows a unique email address; send a test email to it from your domain, then check the score and whether your PTR, SPF and DKIM records are valid.

Mail-tester.com only shows a sender score. GlockApps (https://glockapps.com/, free for 3 scans) also shows whether the message landed in the recipient's inbox or spam folder, or was rejected outright, across popular providers such as Gmail, Outlook, Hotmail, Yahoo Mail and iCloud Mail.

=== Adding Multiple Mail Domains ===

iRedMail hosts several mail domains on one server: add each extra domain from the Add tab in iRedAdmin, then publish SPF and DMARC records for that domain as well. DKIM signing for an additional domain needs its own key entry in the Amavis configuration; see the iRedMail documentation for that step.

=== How to Disable Greylisting ===

❗ By default, iRedMail has enabled greylisting, which tells other sending SMTP servers to try again later. This is mainly useful to block spam, but it also degrades user experience. If you prefer to disable greylisting, follow the instructions below.

Edit the configuration file.

sudo nano /opt/iredapd/settings.py

Find the following line.

plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy"]

Remove “greylisting” from the list.

Save and close the file. Then restart iredapd.

sudo systemctl restart iredapd

Sources: Quoted from https://www.linuxbabe.com/mail-server/ubuntu-18-04-iredmail-email-server & https://www.digitalocean.com/docs/