Install iRedmail, Open-Source Mail Server, on Ubuntu
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Why Run a Mail Server?
Running your own mail server has many benefits. It allows you to manage the size of your mailboxes and attachments, run hourly/daily email backups, view mail logs, and gives you the freedom to use any domain name available. The drawback is usually the in-depth and sometimes complicated process of installing all the necessary parts. This guide uses a streamlined process, the iRedMail install script, and should have you up and running your mail server in under 15 minutes.
Prerequisites
Before beginning this guide you should have:
- A domain name.
- An understanding of the Linux command line.
- A Linode running Ubuntu 14.04.
This guide assumes you’ve followed the Linode Getting Started documentation. If you haven’t done so, read through the guide, and return here following the completion of the “Setting the Hostname” section.
The steps required in this guide require root privileges. Be sure to run the steps below as root
or with the sudo prefix. For more information on privileges see our
Users and Groups guide.
MX Record
A DNS MX record tells the internet where to send email directed at you domain. Before your Linode can receive email for addresses at a domain, an MX record must be created for that domain, pointing to your Linode’s IP address. An example MX record can be found on the Linode Introduction to DNS records page.
Install iRedMail
Start by making sure your Linode is up-to-date by running the following commands:
apt-get update apt-get upgrade
Check your hostname to ensure a FQDN with a subdomain:
hostname hostname -f
iRedMail requires that you have a properly formatted Fully Qualified Domain Name (FQDN). The format is
hostname.domain.com
. If your hostname is only your domain name, iRedMail does not install properly. Common hostnames for mail servers includemail
andmx
.user@hostname:~$ hostname mail user@hostname:~$ hostname -f mail.domain.com
Download the latest release of iRedMail. The current release, as of 16 September 2014, is 0.8.7 and can be downloaded by entering the following:
cd /root/ wget https://github.com/iredmail/iRedMail/releases/download/1.3.1/iRedMail-1.3.1.tar.gz
Uncompress the package and run the script:
tar zxf iRedMail-1.3.1.tar.gz cd iRedMail-1.3.1 bash iRedMail.sh
The remainder of the installation refers to on-screen confirmation of default options and selections. With the exception of the backend and hostname selections, most users confirm the default options and continue the installation.
Note The next few steps were taken directly from the iRedMail Ubuntu installation steps.Press “enter” to say “yes” to installing iRedMail. NOTE: Ctrl-C exits the installation process when pressed at any time prior to step #12.
Press “enter” to accept /var/vmail as the default mail storage directory
Use the “up” and down arrow keys to highlight your preferred backend. Press “space” to select your preferred option, then press “enter”. If you’re unsure, choose
MySQL
.Choose a password for your MySQL root administrator and press “enter”. Be sure to commit the password to memory or paper.
Enter your domain name as the first virtual domain name and press “enter”.
By default, iRedMail configures postmaster@yourdomain.com as the default administrator. Enter a password for your iRedMail administrator and press “enter”.
The next screen lists optional components to be included in your MySQL backend. While none of these are required, We recommend the installation of all components, since the benefits of each add to the function and security of your mail server.
This step indicates that the configuration is complete, references the location of the SENSITIVE config file and asks (y or n) if you’d like to continue. Type “y”.
The installer then downloads and installs the appropriate files. After it completes, you receive a prompt asking whether you would like to use iRedMail’s firewall rules at
/etc/default/iptables
, and identifies your SSHD port. Type “y” to accept, or “n” if you want to configure your firewall manually.After typing “y”, the install screen asks if you’d like to restart the firewall. Type “y”.
The installation is now complete! While the bottom half of the screen is filled with useful URL information and the location of the iRedMail tips file, a couple emails are waiting in postmaster@yourdomain.com’s inbox.
Reboot the Linode and navigate to
https://mail.yourdomain.com/mail
and login as “postmaster@yourdomain.com” to retrieve the necessary info.As a security precaution, we remove the config file. This file is no longer needed after a successful iRedMail install, and contains sensitive information (usernames/passwords) about your mail server configuration.
rm /root/iRedMail-0.8.7/config
Add Users
iRedMail is packaged with a mail server account configuration called iRedAdmin. Below are the steps required to add a user/mailbox to your mail server.
To access iRedAdmin, navigate to
https://yourdomain.com/iredadmin
and log in with your postmaster@yourdomain.com user.Once the dashboard page loads, navigate to the
Add
dropdown and selectUser
.Fill in the address, password, display name, and mailbox quota blocks. Clicking Add completes the process.
Certificates, SPF, DKIM, and rDNS
By default, iRedMail generates a key and self-signed certificate for the mail server, and web server. To avoid other email servers marking email from our server as spam, we install a trusted certificate.
The process of obtaining a trusted certificate is outside the scope of this guide. You can follow the Obtaining a Commercial TLS Certificate guide to obtain a certificate.
The next section assumes you have the .key and .crt (or .pem) file in hand and are ready to go.
After first logging into the postmaster account, you should have two emails waiting for you. The first is titled “Helpful Links iRedMail” and the second is titled “Details of this iRedMail installation.” In the second email, there are various file paths we need, since we are replacing the SSL certificate and need to know the DKIM public key for our DNS TXT entry. First up, certificate replacement.
.pem
files instead of .crt
, be sure to replace the file extension in the instructions below.Certificates
After moving your certificate and key onto your Linode, make a note of its location. The recommendation is to install in the same directories as the iRedMail default certificate and key. The certificate is located in
/etc/ssl/certs/
and the key is in/etc/ssl/private/
.mv mail.yourdomain.com.crt /etc/ssl/certs/ mv mail.yourdomain.com.key /etc/ssl/private/
To replace the certificates used by Apache2, substitute the following paths in
default-ssl.conf
with the location of your certificate and key:- File: /etc/apache2/sites-available/default-ssl.conf
1 2
SSLCertificateFile /etc/ssl/certs/mail.yourdomain.com.crt SSLCertificateKeyFile /etc/ssl/private/mail.yourdomain.com.key
To replace the certificates used by Postfix, substitute the following paths in
main.cf
with the location of your certificate and key:- File: /etc/postfix/main.cf
1 2
smtpd_tls_cert_file = /etc/ssl/certs/mail.yourdomain.com.crt smtpd_tls_key_file = /etc/ssl/private/mail.yourdomain.com.key
To replace the certs used by Postfix, substitute the following paths in
dovecot.conf
with the location of your certificate and key:- File: /etc/dovecot/dovecot.conf
1 2
ssl_cert = </etc/ssl/certs/mail.yourdomain.com.crt ssl_key = </etc/ssl/private/mail.yourdomain.com.key
To apply the certificate changes to both your web and mail server, run the following commands:
service apache2 restart service dovecot restart service postfix restart
If you encounter error messages during these commands, go back and confirm the correct paths are in place for your certificates.
SPF, DKIM and rDNS
This section covers the insertion of SPF and DKIM records in your DNS entry. SPF records allow us to specify the authority to send mail from our domain to specific IP addresses. DKIM records are another way of proving the validity of an email by allowing the receiver to check a public key, or the mail server’s DNS TXT record, against the DKIM key included in every email message sent by your mail server.
SPF
Navigate to your DNS provider, either where you purchased your domain name or Linode if you’ve transferred your DNS, and enter the following bits of information in your subdomain area to activate SPF. If you are using Linode’s DNS manager, you can leave the name field blank, but other DNS providers may require you to specify @ for the hostname.
hostname | ip address/url | record type | ttl -------- | ----------------------------- | ----------- | --- @ | v=spf1 ip4:12.34.56.78 -all | txt | 1800
For more information, you can check out the SPF website link recommended by iRedMail.
DKIM
In the same area of your DNS host records, add the following entry to enable DKIM. The IP address/url entry following the “p=“ is your public DKIM key, which can be found in your “Details of this iRedMail installation” email about halfway down under the “DNS record for DKIM support” section. Copy everything BETWEEN the double quotes and place after the “p=“ portion of the dkim._domainkey DNS entry.
hostname | ip address/url | record type | ttl -------------- | ------------------- | ----------- | --- dkim._domainkey | v=DKIM1; p=MIGFdfs… | txt | 1800
A good way to test your mail server’s DKIM is to enter the following command:
amavisd-new testkeys
You should receive
=> pass
as output.For more information on DKIM records, you can check out the DKIM website link recommended by iRedMail.
rDNS
To set your rDNS, check out the Setting Reverse DNS section of the DNS Manager guide. This is optional but gives additional credibility to a mail server for certain spam filters.
Apache Authentication Fix for Cluebringer and AWStats Login
Cluebringer (a.k.a. PolicyD v2) is a policy server utility for our mail transfer agent, Postfix. It provides a web-based interface (example) where you can fine tune policies applied to Postfix. For more info, see the Policy D documentation.
AWStats quickly analyzes and displays log files/server activity via a few web-based (or command line) statistical graphs. Using the configuration outlined below, it displays the # of emails sent, the total size of the emails, sender and receiver, time (hourly/daily/monthly), and SMTP error codes. An example can be seen here. For more info, see the AWStats documentation.
Due to “mod-auth-mysql” not working with Apache 2.4, the default installation cannot use the module to log in to Cluebringer or AWStats. Below is the fix, which can also be found in this iRedMail forum post.
Install libaprutil1-dbd-mysql:
apt-get install libaprutil1-dbd-mysql
Enable the two dbd apache modules:
a2enmod dbd authn_dbd
Edit
apache2.conf
by adding the text block below to the end of the file. Make sure to comment out the existing Auth_MySQL lines at the end of the file.- File: /etc/apache2/conf/apache2.conf
1 2 3 4 5 6 7 8 9
#MySQL auth (mod_dbd, libaprutil1-dbd-mysql) <IfModule mod_dbd.c> DBDriver mysql DBDParams "host=127.0.0.1 dbname=vmail user=vmail pass=(SUBSTITUTE WITH YOUR PASSWORD: see in your iRedMail.tips file)" DBDMin 1 DBDKeep 8 DBDMax 20 DBDExptime 300 </IfModule>
Edit
awstats.conf
to mirror the example text below, by adding themod_authn_dbd
section and commenting out theAuth_MySQL
section.- File: /etc/apache2/conf-available/awstats.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
<Directory /usr/lib/cgi-bin/> DirectoryIndex awstats.pl Options ExecCGI AuthType Basic AuthName "Authorization Required" ############################## # mod_auth_mysql (deprecated)# ############################## # AuthBasicAuthoritative Off # AuthUserFile /dev/null # # # Database related. # AuthMySQL_Password_Table mailbox # Auth_MySQL_Username_Field username # Auth_MySQL_Password_Field password # # # Password related. # AuthMySQL_Empty_Passwords off # AuthMySQL_Encryption_Types Crypt_MD5 # Auth_MySQL_Authoritative On # #AuthMySQLUserCondition "isglobaladmin=1" ################# # mod_authn_dbd # ################# # Password related. AuthBasicProvider dbd AuthDBDUserPWQuery "SELECT password FROM mailbox WHERE mailbox.username=%s" Order allow,deny Allow from all Require valid-user </Directory>
Edit
cluebringer.conf
to mirror the example text below, by adding themod_authn_dbd
section and commenting outAuth_MySQL
section).- File: /etc/apache2/conf-available/cluebringer.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
<Directory /usr/share/postfix-cluebringer-webui/webui/> DirectoryIndex index.php AuthType basic AuthName "Authorization Required" ############################## # mod_auth_mysql (deprecated)# ############################## # AuthMYSQL on # AuthBasicAuthoritative Off # AuthUserFile /dev/null # # # Database related. # AuthMySQL_Password_Table mailbox # Auth_MySQL_Username_Field username # Auth_MySQL_Password_Field password # # # Password related. # AuthMySQL_Empty_Passwords off # AuthMySQL_Encryption_Types Crypt_MD5 # Auth_MySQL_Authoritative On ################# # mod_authn_dbd # ################# # Password related. AuthBasicProvider dbd AuthDBDUserPWQuery "SELECT password FROM mailbox WHERE mailbox.username=%s" Order allow,deny Allow from all Require valid-user </Directory>
Restart Apache for the changes to take effect, then test them by logging in to either Cluebringer or Awstats.
service apache2 restart
Greylist a Recommendation
By default, Cluebringer starts with the greylisting feature enabled. While the implementation of greylisting does protect a mail server from receiving spam, there are unintended consequences to its operation. This was tested by sending a few emails from a well-known “free” email account to my new mail server. Most of the “free” email SMTP services are provided by SEVERAL SMTP servers that upon receiving the 4XX reply code from your server. Since the hostname and IP of the SMTP server isn’t “known”, does retransmit the email. However, usually, the retransmitted email is from either another host or from the same host but from another IP address. The greylisting feature of Cluebringer either severely delayed, or completely denied, a few of the test emails.
For this reason, the author recommends turning this module off. Note, since being disabled, neither delays nor denials of email have been observed on the author’s mail server. Additionally, the mail server has yet to receive any spam.
Edit the Cluebringer config file (/etc/cluebringer/cluebringer.conf) to disable the Greylisting module.
Search for the term “Greylisting” (without the quotation marks).
Change the “1” to “0” to disable.
Restart Cluebringer to complete the changes.
service postfix-cluebringer restart
Final Test and Conclusion
As a final test, you can utilize a service such as Mail Tester to ensure that your records have been configured correctly. If you have followed this guide precisely, you should receive a score of 10/10 on Mail Tester’s site. If not, Mail Tester provides you with a report indicating what portion of your configuration needs improvement.
Conclusion
Familiarize yourself with the various files, configs, and settings listed in the iRedMail emails and website and start adding users to your mail server. Happy Mailing!
This page was originally published on