
How to set up a mail server on a GNU / Linux system - nsomaru
http://flurdy.com/docs/postfix/
======
darklajid
This looks like _a lot_ of work was put into the article.

Nevertheless, I think you shouldn't do this. This takes a lot of time and is
basically copy/pasting things around. For something as crucial as your own
mail server I'd go with a solution that is automated: If your server goes away
you fire up a different one in a couple of minutes, restore backups and change
DNS records, done.

Reasons for this might be, in no particular order:

- VPS provider goes away

- hardware failure

- user error (think "Oh, I probably shouldn't have issued that command as
root on my mailserver")

- maintenance: This guide is (initially) from 2009. How are you making sure
that your system is up to date, after you followed the instructions/installed
it? Either you'll leave the system to bitrot or you need to actively maintain
it and probably will run into issues upgrading the machine. Or .. you migrate
to a brand new machine every 6-12 months, which gives you a decent excuse to
verify that your backup/restore process is working as well.

~~~
fredsted
That's why I use Virtualmin for this stuff.

1) It backs up every day to one of my own machines

2) If it goes down, I'll re-upload the backup file and my whole system (mail,
web, DNS, MySQL, etc) is running again.

~~~
creeble
I actually wrote a script for Ubuntu server (works on 13.04) that encapsulates
most of this tutorial. It doesn't include ClamAV or Spamassassin, but does
everything else. You end up with a server that uses three mysql tables.

But then I discovered that Virtualmin does _all_ of what this tutorial does,
with an understandable u/i and all of the same capabilities from
Dovecot/Postfix/saslauth. Doh!

------
captn3m0
The ridiculous length of this guide is a testament to the fact that it is
still really hard to host your own mail.

~~~
VLM
Something as small as "your own mail" is one or two packages on one server;
this guy is implementing most of an entire IT infrastructure including
database server and virus scanning capable of operating a hosting company.

Sort of like the existence of Oracle's products and IBM's DB2 does not
preclude end users being able to use SQLite.

~~~
trurl42
Virus scanning is maybe not that important, but pretty much everything else
is.

Spam filtering for example. Would you really want to run a mail setup without
it?

What would be the "SQLite" in mail servers, including spam filtering, webmail,
imap and all the other conveniences?

~~~
calpaterson
I was able to run my personal mailserver for nearly two years without having
to learn what amavis-new was. After that, I started getting enough spam that
it became an annoyance and I added it.

Webmail is not that important to me now that I have a smartphone (I really
recommend K-9 Mail for Android, which is FOSS
[https://play.google.com/store/apps/details?id=com.fsck.k9&hl...](https://play.google.com/store/apps/details?id=com.fsck.k9&hl=en_GB)).
Failing that, I can always log into my machine using ssh and use mutt to read and
send mail.

I think the mailserver SQLite is Postfix (SMTP), Dovecot (IMAP) and some DNS
records.

~~~
trurl42
Postfix is the mail server used in this very guide.

So I don't consider Postfix to be easy to set up.

OpenSMTPD looks like a step in the right direction.

~~~
calpaterson
I haven't looked at OpenSMTPD. This guide does include a lot of configuration,
but it's worth mentioning that not only are the defaults pretty reasonable,
but that Ubuntu (and Debian) can configure the most important options using
dpkg-reconfigure.

------
jvehent
I wrote something similar, that uses Postfix, Dovecot, OpenLDAP, Roundcube,
DSPAM and OpenDKIM.
[http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:n...](http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:nectux)

I presented it at my local LUG a while back, here are the slides
[http://www.slideshare.net/jvehent/di-ymail](http://www.slideshare.net/jvehent/di-ymail)

------
exratione
I moved off Abrahamsen's recipe 18 months ago or so for no good reason other
than I like to make work for myself: it had been working just fine for me. You
set it up on a cloud server, take an image, and that's that - you have a
working base from which you can restore your mail server if anything bad
should happen.

Last year I put up the Dovecot / Postfix / Postfix Admin / Horde recipe I used
in place of Abrahamsen's, and judging by the feedback it's helped a great many
people:

[https://www.exratione.com/2012/05/a-mailserver-on-ubuntu-120...](https://www.exratione.com/2012/05/a-mailserver-on-ubuntu-1204-postfix-dovecot-mysql/)

(You can replace Horde with Roundcube or any other webmail package you care to
put in place if you don't like it).

The market here is for learning, not necessarily for setting up. If you don't
know how to set up a mail server, it is well worth walking through one of
these as it will teach the lay of the land. Then you can later move to a
packaged solution, as you'll be knowledgeable enough to troubleshoot it when
it breaks.

I was intending to put together a Chef cookbook for my recipe, but looking at
what's already out there it seems like it would duplicate some good ones that
already exist. e.g.:

[https://github.com/onddo/postfix-dovecot-cookbook](https://github.com/onddo/postfix-dovecot-cookbook)

I think that running your own mail server is certainly worth the initial
effort; once you have the thing set up it ticks along with very little upkeep
needed.

------
dirkdk
Can I ask the obvious question: Why? Email (IMAP/SMTP) is so standard, there
are lots of companies out there that do it better and cheaper than you
yourself can do. GMail (Google Apps for business) and Fastmail.fm are the 2
names I always recommend.

Another factor to consider is how you will keep your SMTP ip-addresses from
being blacklisted. Companies like Mailchimp and Sendgrid spend a lot of time
and effort on this. With your own very low volume, it takes only a couple of
persons to mark your email as spam and suddenly all mails sent from your
domain end up in spam folders, no matter what DKIM or SPF settings you have
configured.

Only reason I would see is when you want to keep your email away from the NSA
and therefore out of the USA (Fastmail is Australian based btw
[http://thenextweb.com/insider/2013/10/07/are-overseas-based-...](http://thenextweb.com/insider/2013/10/07/are-overseas-based-companies-free-from-nsa-requests-australias-fastmail-thinks-so/)).
Keeping your server out of the USA will not mean that your email will never
travel through the USA, where the NSA can still access it, as SMTP is very
cleartext between MTAs.

~~~
Goladus
As much as the NSA concerns me, and as a political issue it's far more
important, I am interested in reducing dependency on Google because as far as
I am concerned Google has broken its trust with me all by itself. It has
nothing to do with the NSA debacle.

I don't have time for a rant but the short is: I'm sick of their identity
management, their willingness to put blatantly obvious "search bubble" results
based on recent (or even non-recent) activity-- stuff that is prominently
visible to anyone who might be sharing a screen with me. Ditto for chrome's
"most visited pages" thumbnails when you open a new tab, which I disabled but
had to install a plugin to do. There's some other minor issues. But the final
straw came a few weeks ago when my search history showed up unexpectedly on my
girlfriend's phone-- I suppose because she logged into chrome on my laptop to
check her Gmail. Until she logged out, auto-complete on her phone was using MY
search history from chrome on my desktop. What the FUCK? Obviously I trust her
enough to let her log into my laptop so it didn't cause me problems here, but
I had no way to know that would happen. So what's it going to be next time?
What's google's next clever/reckless silicon valley echo chamber idea that's
going to cause me problems?

I'd rather not wait to find out. So I've begun the process of reducing google
dependence. Email is a big one, Gmail is my single biggest google dependency.

------
ams6110
I'd have a look at one of the newer kids on the block, OpenSMTPD. Being from
OpenBSD, the man pages are actually good.

[http://www.opensmtpd.org/manual.html](http://www.opensmtpd.org/manual.html)

~~~
sliverstorm
Ugh. I _want_ to use OpenBSD- alas, OpenVZ...

------
ivan_ah
Does anyone have experience running a mail server on a home connection with a
dynamic IP?

I'm imagining a system that will have a homebox (long term storage, privacy)
and a cloudbox (provides availability) and the mail flow will be like this:

    
    
       sender ---(1)---> cloudbox  ---(2)--->  homebox
    

Assuming cloud stays up (1) will happen, and if homebox is reachable, then (2)
will also happen. However, if (2) can't be done, then cloudbox will
temporarily hold the email until homebox comes online (POP mail style).

Has anyone ever set up something like this before? Any pointers will be
appreciated.

~~~
dsr_
Certainly. There are several ways to set it up. For example, you can set
cloudbox as your domain's MX with a lower priority than homebox. If mail can't
get to homebox, the originating mail server will try cloudbox automatically.
If cloudbox's MTA is running in secondary mode, it will try to deliver to
homebox, but hold it in the queue until it succeeds.

Or, you could have all mail sent to cloudbox, and use imapsync or getmail or
fetchmail to pull mail off of it whenever you want.

Or you can use UUCP-over-ssh.

~~~
mhurron
> you can set cloudbox as your domain's MX with a lower priority than homebox.

This is one way to do this, but if you do, remember that a spamming tactic in
the past has been to direct spam to the lower priority MX records as often
they were somewhat forgotten and not kept up with the latest spam guards.

Basically, always make sure your primary and secondary mail servers have the
same and latest of whatever you are using to stomp on spam.

You will also want to change the length of time things are held in the queue.
The default is something like 7 days. That might not be long enough if you're
using the secondary MX as a failsafe.
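
An added example, not written by anyone in this thread: one way to check the two points raised above for a Postfix backup MX (the same spam restrictions as the primary, and a long enough queue hold time) by comparing `postconf -n` output from both hosts. The sample configurations, the `rbl.example.org` zone and the 14-day minimum are constructed assumptions.

```python
import re

POLICY_PARAMS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                 "smtpd_sender_restrictions", "smtpd_recipient_restrictions")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Heuristic: tokens starting like this are restrictions, anything else is an argument.
RESTRICTION = re.compile(r"^(reject|permit|defer|check_|warn_if_reject|sleep)")
# Constructed sample configurations; the 14-day minimum used below is an assumption.
PRIMARY = """\
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_rbl_client rbl.example.org
"""
BACKUP = """\
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
maximal_queue_lifetime = 5d
"""

def parse_postconf(text):
    """Parse `postconf -n` output or main.cf text into {name: value}."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:       # main.cf continuation line
            params[last] += " " + line.strip()
            continue
        last, _, value = (part.strip() for part in line.partition("="))
        params[last] = value
    return params

def restrictions(value):
    """Split a restriction list, keeping arguments attached to their restriction."""
    out = []
    for tok in filter(None, re.split(r"[,\s]+", value)):
        if RESTRICTION.match(tok) or not out:
            out.append(tok)
        else:                                # e.g. the zone after reject_rbl_client
            out[-1] += " " + tok
    return out

def to_seconds(value, default_unit="d"):
    """Convert a Postfix time value such as '5d' or '36h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"not a Postfix time value: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or default_unit]

def audit_backup_mx(primary, backup, min_hold_days):
    """List the ways the backup MX is weaker than the primary."""
    findings = []
    for param in POLICY_PARAMS:
        have = set(restrictions(backup.get(param, "")))
        findings += [f"{param}: backup lacks '{r}'"
                     for r in restrictions(primary.get(param, "")) if r not in have]
    lifetime = backup.get("maximal_queue_lifetime")
    if lifetime is None:
        findings.append("maximal_queue_lifetime: not set on backup, default applies")
    elif to_seconds(lifetime) < min_hold_days * 86400:
        findings.append(f"maximal_queue_lifetime: {lifetime} is under {min_hold_days}d")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_backup_mx(parse_postconf(PRIMARY), parse_postconf(BACKUP), 14)))
```

On real hosts, feed it the saved output of `postconf -n` from each machine instead of the two sample strings.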

------
naterator
[https://github.com/al3x/sovereign](https://github.com/al3x/sovereign)

~~~
csense
I've been looking for a good introduction to Ansible -- this may be it!

------
bratsche
Out of curiosity: people who are running their own mail servers for multiple
users, where do you host?

------
shabbyrobe
I have tried this guide and others a couple of times. Unfortunately, no matter
what I do, Gmail and Hotmail always classify anything I send from it as spam.
DKIM? Check. SPF? Check. Reverse DNS? Check. Spamassassin score? 0.0. Result?
"google thinks this message is spam". While it was an interesting experience,
the end result is invariably a server that can't send mail to most of the
people it needs to, which is quite frustrating.

~~~
Kototama
Here are some links that may help you:

[http://www.brandonchecketts.com/emailtest.php](http://www.brandonchecketts.com/emailtest.php)

[http://mxtoolbox.com/](http://mxtoolbox.com/)

[http://www.codinghorror.com/blog/2010/04/so-youd-like-to-sen...](http://www.codinghorror.com/blog/2010/04/so-youd-like-to-send-some-email-through-code.html)

------
spindritf
I run my own e-mail server and it's a lot of work. I have exim with ACLs,
spamd and just mutt. Nothing "fancy" like other users, pop3/imap/smtp auth,
virus scanning, additional mxs...

Still took me a weekend to get ACLs right, tune the threshold for greylisting
(I greylist e-mails which score between two and seven points in SpamAssassin),
set up DKIM and SPF... it's not difficult but there's a long list of things to
do.

If you're doing it just for yourself, exim, spamd and mutt are enough. But I
wouldn't want to be responsible for a larger installation with regular, non-
technical users.

It's not just the configuration, your service will always be subpar. At least
until there's a good webmail (I have high hopes for Mailpile).

~~~
csmuk
I don't know what you're doing then, because I run postfix+procmail+mutt and
nothing else and it is zero maintenance and hardly any config. I don't use
DKIM or SPF or SpamAssassin. All I have is a RBL client restriction and
recipient/helo restrictions. I get possibly one spam a week and I can deal
with that manually and I post to a lot of lists.

I've also built a couple of very large mail clusters (full 42U rack sized, 20+
machines) for ISPs before running courier, sendmail and procmail and it's
really not that much management or effort to get it off the ground. The real
bugger is getting a management front end on it all (postfixadmin doesn't cut
it on that scale so it's LDAP time which isn't much fun).

I've rather horribly dealt with Exchange (2000, 2003) and that's just a whole
pile of pain. My noble Exchange battling colleagues inform me that it still
stinks.

~~~
gambler
If it's so easy, I am sure you have your own article detailing how you did it,
right?

Also, your spam statistic sounds way off for a setup that doesn't explicitly
deal with spam.

~~~
csmuk
Yeah here you go on Debian. I just pasted this from my notes and added some
formatting...

    
    
       == set up mutt ==
       $ sudo apt-get install mutt
       $ echo "export EMAIL=user@domain.com" >> ~/.profile
       $ source ~/.profile
       
       == postfix ==
       $ sudo apt-get install postfix
         .. answer system mail name as your host name
         .. add your domain to domains to accept email for
       .. Follow instructions here WRT SPAM:
          https://wiki.debian.org/Postfix#anti-spam:_smtp_restrictions
          .. basically add two lines to /etc/postfix/main.cf
       $ sudo service postfix restart
       $ sudo ufw allow 25 # allow smtp in firewall. I use ufw.
       .. add your hostname as the MX for your domain (I use 123-reg)
       .. Visit mxtoolbox.com and check the machine isn't an open relay and is functioning correctly
    
       == procmail ==
       $ sudo apt-get install procmail
       .. add following to /etc/postfix/main.cf
          mailbox_command = /usr/bin/procmail -f- -a "$USER" 
       $ sudo service postfix reload
    
       == root alias ==
       $ echo "root: youruseraccount" | sudo tee -a /etc/aliases
       $ sudo newaliases
    

Done.

I genuinely get virtually no SPAM. RBLs and postfix sender validation above
seem to work pretty well on their own.

I've done the same on OpenBSD with OpenSMTPd and spamd with even less effort.

------
jwatte
I remember actually understanding sendmail.cf syntax. Those were the days! The
problem is not the daemons; those are easy. The problem is spam on the inbound
and deliverability on the outbound. And I do /not/ want to fight that fight on
my own!

~~~
brdrak
I've personally not found this difficult. Unless perhaps you're dealing with very
large volumes of mail and overhead of SpamAssassin is an issue. Mail volume in
10s of thousands/day on a low end VPS has been no problem for me.

------
adders
I would definitely recommend using Virtualmin, it's a hosting control panel
that can control mail/websites/dns in one via a simple control panel.

All works like Plesk, but without breaking everything.

They've got a script that sets up dovecot, postfix, apache, bind, clamav,
spamassassin, Mysql, and loads of other hosting software and then you
configure everything via a web interface.

Linux install script is at
[http://software.virtualmin.com/gpl/scripts/install.sh](http://software.virtualmin.com/gpl/scripts/install.sh),
instructions at
[http://virtualmin.com/download](http://virtualmin.com/download)

------
robomartin
This is really cool. Amazing work.

I am looking at running my own mail server out of a Linode instance. It would
service a number of our domains and serve to migrate from having web and email
live on the same machine at other VPS's. I want to have email serviced from a
dedicated instance that does nothing but email for all of our sites.

This seems like a better overall strategy but it's been hard to get motivated
to get it done due to the amount of work this represents. I have not studied
this guide in detail yet but it seems to really take you down the path step by
step very nicely. Thanks!

------
raimue
Good tutorial with detailed set up instructions. On some configuration values
I would say the default would suffice as well, but mentioning what can be
configured might also be helpful.

However, from experience, setting up a database is overkill for a small mail
server instance hosting only a few mail boxes. It's way easier to use system
user accounts (just disable remote login for them). That avoids the hassles of
setting up the virtual mail delivery. Only for a large mail server would using a
database backend make sense to gain more performance.

------
zobzu
I have run my own email for about 20 years. My current setup is different from
the author and I like it better. I had his setup a few years ago I think.

- postfix

- Dovecot

- RoundCube

- SpamAssassin w/ sa-learn sa-update and razor

- Clamav + Clamav-milter

- MariaDB

Spam: Not an issue.

Features: DKIM, DMARC, SPF checks

Maintenance: what maintenance? I update the programs with my distro package
manager and that's basically it.. Whoever talked about this being hard....

Webmail: I like RC much better than gmail, nuff said.

~~~
mikevm
What about the reliability of your home Internet connection? Isn't that a
major issue? You can have a power outage, ISP problems, or your server might
simply die. What happens to the important emails you might miss?

~~~
nacs
Mail servers are made to attempt redelivery if a mail is undeliverable. Most
mail servers will attempt redelivery for multiple days before disposing of it
so it shouldn't be an issue.

~~~
dingaling
Furthermore, to address the 'server on fire' issue. If you build the mail
server and its ancillaries up in a VM ( or number of VMs ) then you can sync
VM to another host on a schedule, or even live.

Set up a heartbeat ping and the alternative host can bring up its copy of the
mail server VM in a few seconds.

------
kennu
That's nice. I have for a long time been running just Postfix + Dovecot IMAP
and relying on OSX Mail's spam detection, which is not that great (lots of
false positives, learned data not synched between computers, etc). This
inspires me to try using a SpamAssassin + ClamAV combo on the server.

------
dschiptsov
Few hours of work: sudo apt-get/yum install postfix dovecot openldap
roundcube.)

OpenLDAP schemes and ssl certs are the bulk of it.

Hint: never put postfix's spool and dovecot's storage on the same physical
device _and_ I/O controller. /var/log must live on the separate device too.

~~~
brdrak
> never put postfix's spool and dovecot's storage on the same physical device
> and I/O controller. /var/log must live on the separate device too.

This probably depends on the mail volume, no? I host all mail related services
for myself and some family on a $9/month VPS (1 VCPU, 512 MB RAM, and
pedestrian I/O capabilities) without any issues. My mail volume is typically
under 20K messages/day.

------
borplk
The problem with things like this is, since I'm not super confident with any
of the technologies involved, it leaves me with an uneasy feeling of having
messed something up somewhere.

It is extremely easy to set or forget one extra parameter or something and
everything falls apart.

------
N0RMAN
Is it recommended to use a relay for postfix (for private usage) like Mailgun?

------
blakesterz
I've been doing web/mail hosting since 2002 and it amazes me that it is STILL
this hard to do a mail server. I gave up and started using iredmail 2 years
ago, so far it's been great.

------
300
Respect for all the work done - this is a long but detailed guide!

------
egoitz
I would change that Courier or any Dovecot with a Cyrus IMAP implementation...
it really rocks in terms of stability (and works smoothly), is fast and
replication :)

~~~
houk
Really? My experience has been the complete opposite.

Almost every time I've ever been involved with or run any medium/large mail
infrastructures (200K active mailboxes) I've always found Dovecot to be a
better choice.

~~~
brdrak
Good to hear that Dovecot scales. I personally went with Cyrus because at the
time I was picking an IMAP server, Cyrus was already a well tested solution
known to scale. As I recall, Dovecot back then was still young and developed
by one person. I've heard a lot of good things about it since though. I'm
sticking with Cyrus since it works fine for me, but it's good to have options.

------
plg
What do HNers think of the Mac OSX server solution? Assuming you have an apple
machine, isn't it rather easy to set up a mail server?

~~~
protomyth
Yeah, last I looked it's dovecot and postfix for OS X. It is a pretty easy
setup. Just buy server from the App Store and follow the instructions.

------
voltagex_
How do you handle cut-over to your server when waiting for the DNS changes to
propagate?

------
locusm
Comprehensive, well written article.

------
z92
save.

------
s7an4o
This is a very nice article!

