How to install an open source mail server

In-House Email Server

Tired of the frustration and lack of control from using an external email service? Looking for an alternative to Microsoft Exchange or GMail? Why not install and manage your own email server with DBMail and Exim. This article offers a straightforward how to guide on installing your own open source mail server.

After setting out the various components that make up a mail server, this article takes you through how to install, configure and manage your own.

Why would you want to run your own email server?

Email is an essential service, so it's reasonable to ask why you would take on that responsibility yourself rather than outsource it. The following are some of the more compelling reasons you might choose to run your own server for your organisation.

  • You have full control of your own infrastructure;
  • Integration of disparate services such as email, mailing lists, robots and AI under your domain;
  • Integrating services such as mailing lists can be as simple as using your domain name, or extend to incorporating corporate security access with S/MIME public key encryption and authentication;
  • Immediate processing of incoming emails, essential for processing asynchronous robot messages;
  • Spam, phishing and malware are the bane of everyday life, but sometimes it’s useful to tweak settings to accommodate particular circumstances;
  • Customising bounce and warning messages;
  • Checks can be run before email is accepted, after receipt but before delivery, and then actual delivery.

What is a mail server?

A mail server, despite its seemingly single task, consists of at least two main aspects.

  • Mail transfer agent – receiving email and sending it on its way;
  • Mail delivery agent – storing users' email.

Although separate from email, a calendar and task list is often an essential service, and this article shows how Radicale can be integrated into your system.

In addition to those two main components, the following services are required (core) or recommended (optional).

Core services

  • Authentication and authorisation;
  • DNS – Lets the world know where to send email;
  • TLS certificates for secure communication.

Optional services

  • Server side email filtering (Sieve) to process emails into folders and respond to requests consistently across all devices;
  • DMARC (SPF/DKIM) for Message Authentication, Reporting and Conformance;
  • Spam / virus protection;
  • Address book.

The core services

Mail transfer agent (SMTP)

Email is transferred between servers using SMTP. When you click send, your message first goes to a local SMTP server, which might for example be your ISP's. It then travels, perhaps via intermediaries, to the destination server for local delivery.

There are a number of free and open source SMTP servers, including Sendmail, Postfix and Exim. This article uses Exim as its configuration is easy to work with and it integrates well with DBMail.

Mail delivery agent (IMAP/POP3)

When an SMTP server receives an email for a local user, it hands that email to a mail delivery agent (MDA). Although there are a number of MDA protocols, IMAP is the most popular and versatile, and it is well suited to simultaneous use across webmail, desktops and smartphones.

There are a number of free and open source MDA applications including Cyrus, Dovecot, and Microsoft Exchange. This article uses DBMail as it uses an independent relational database to store emails and thus offers the additional benefits of high availability and synchronous backup.

Authentication and authorisation (LDAP)

Knowing who you are (authentication) and what you are allowed to do (authorisation) is essential to ensure only you get to send and see your emails. This article uses the Lightweight Directory Access Protocol (LDAP), an open, vendor neutral implementation for authentication and authorisation.

DNS

The Domain Name System lets everyone know where to find things, such as where to send email (MX records). It is also an essential part of DMARC / SPF / DKIM: it lets others check that an email purporting to be from you comes from an authorised source, and it publishes the public keys used to verify the digital signatures that show an email hasn't been tampered with in transit.

TLS

Let's Encrypt is a non-profit certificate authority that issues TLS certificates at no charge through an automated process, in support of secure and privacy-respecting internet access.

Installing and configuring email services

Using your normal package manager, install and configure the following applications according to their instructions: Exim, DBMail, OpenLDAP, PostgreSQL, Apache, Roundcube and Radicale. This article uses the FreeBSD operating system, but most BSDs, macOS and Linux are supported.

The data store is PostgreSQL, but MySQL and Oracle are fully supported.

The following sections will guide you through configuring these applications to work together.

  • DNS
  • Authentication and authorisation
  • Exim
  • DBMail
  • Roundcube
  • Radicale
  • Testing

DNS

The Domain Name System is how the internet looks up information such as where to find a website and where to deliver email.

Using the domain example.com, it's usual to implement three names: the main domain example.com, which will be your organisation's website and email address; smtp.example.com for the SMTP transport; and imap.example.com for access to email.

Although CNAME records are popular and often used for host names, an MX record must point to a name that has an A and/or AAAA record, not a CNAME.

Purpose   Domain name        Record type   Example
Website   example.com        A             10.8.0.1
Website   example.com        AAAA          2001:db8:0:0:1::1
Email     example.com        MX            10 smtp.example.com
SMTP      smtp.example.com   A             10.8.0.1
SMTP      smtp.example.com   AAAA          2001:db8:0:0:1::1
IMAP      imap.example.com   A             10.8.0.1
IMAP      imap.example.com   AAAA          2001:db8:0:0:1::1

You may find it helpful to use a similar table with your own domain names.
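The MX rule above is easy to get wrong when records are managed by hand, so here is a small check, added for this article and not part of the original, that reads DNS answer records (the layout `dig +noall +answer` prints) and reports any MX target that is a CNAME or has no A/AAAA record. The sample records are constructed from the table above; the names mail.example.com and the CNAME in the bad sample are hypothetical.

```shell
# Added example: verify that every MX target is backed directly by A/AAAA
# records (RFC 2181 forbids an MX pointing at a CNAME). Feed it live data with:
#   { dig +noall +answer example.com MX; dig +noall +answer smtp.example.com A; \
#     dig +noall +answer smtp.example.com AAAA; } | check_mx
# Input layout per line: owner ttl class type rdata (as dig prints it).

# Constructed good sample, mirroring the article's table for example.com.
GOOD_RECORDS='example.com. 3600 IN MX 10 smtp.example.com.
smtp.example.com. 3600 IN A 10.8.0.1
smtp.example.com. 3600 IN AAAA 2001:db8:0:0:1::1'

# Constructed bad sample (hypothetical names): the MX target is only a CNAME.
BAD_RECORDS='example.com. 3600 IN MX 10 mail.example.com.
mail.example.com. 3600 IN CNAME smtp.example.com.
smtp.example.com. 3600 IN A 10.8.0.1'

# check_mx: reads records on stdin, prints one verdict per MX target and
# returns 0 only when every target has A/AAAA records and none is a CNAME.
check_mx() {
    awk '
        $4 == "MX"                { target[$6] = 1; nmx++ }
        $4 == "A" || $4 == "AAAA" { addr[$1] = 1 }
        $4 == "CNAME"             { cname[$1] = 1 }
        END {
            bad = 0
            if (nmx == 0) { print "BAD no MX record found"; bad = 1 }
            for (t in target) {
                if (t in cname)        { print "BAD " t " is a CNAME"; bad = 1 }
                else if (!(t in addr)) { print "BAD " t " has no A/AAAA record"; bad = 1 }
                else                   { print "OK  " t }
            }
            exit bad
        }'
}

# Try it on the constructed samples:
#   printf "%s\n" "$GOOD_RECORDS" | check_mx    -> OK  smtp.example.com.   (exit 0)
#   printf "%s\n" "$BAD_RECORDS"  | check_mx    -> BAD mail.example.com. is a CNAME (exit 1)
```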

LDAP

Authentication and authorisation are provided by OpenLDAP, an open, vendor-neutral implementation of the Lightweight Directory Access Protocol.

After configuring OpenLDAP for your domain and adding your first user, create a search user for Exim and DBMail to use: this article authenticates by search/bind, so both applications need an account that can look up a user's DN before binding as that user. The search user for this article is:

DN: uid=search,ou=misc,dc=example,dc=com

You can check that LDAP is working with a search such as the following:

ldapsearch -D uid=user,ou=users,dc=example,dc=com -w password '(uid=user)'

Exim

After installing Exim, take the example configuration at contrib/exim-dbmail-configure and modify it with your domain information and your database and LDAP servers. Un-comment the ldap_login authenticator so you can send email using your normal login, and comment out dbmail_login, as you will be authenticating against LDAP rather than SQL.

You can test that Exim is configured to deliver to DBMail with the following command:

exim -bt user@example.com

You should see something like the following:

exim -bt user@example.com
user@example.com
  router = localuser, transport = dbmail_delivery

DBMail

Following the instructions in the INSTALL document, create a user to access the database and create the initial tables.

Edit your dbmail.conf to include the database user in the dburi, set authdriver to ldap and edit the [LDAP] section for your domain.

dburi=postgresql://example.com:5432/dbmail?user=user&password=password

authdriver = ldap

[LDAP]
port       = 389
version    = 3
base_dn    = ou=Users,dc=example,dc=com
uri        = ldap://ldap.example.com
bind_dn    = uid=search,ou=misc,dc=example,dc=com
bind_pw    = password
scope      = SubTree

Test that DBMail is working by running the following commands to add a user and then list your users:

Add a user with an email address

dbmail-users -a user -x user@example.com

Test

dbmail-users -l user user

It should list your user “user” with information about that user, followed by the email address(es).

user:x:0:0:0.00:0.00:user@example.com

Roundcube (webmail)

Simply follow the installation instructions, using your domain name and the location of your SMTP and IMAP servers. There is a configuration option for LDAP address books, and Roundcube has good Sieve integration.

Radicale (Calendar / task list)

After following the instructions for installing Radicale with Apache, configure Apache to use the same LDAP authentication via mod_authnz_ldap:

<VirtualHost *:443>
  ServerName calendar.example.com
  ServerAdmin calendar@example.com
  DocumentRoot /path/to/calendar/public_html
  SSLCertificateFile /usr/local/etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/example.com/privkey.pem
  SSLEngine on
  Alias "/robots.txt" "/path/to/calendar/public_html/robots.txt"
  Alias "/favicon.ico" "/path/to/calendar/public_html/favicon.ico"
  WSGIDaemonProcess calendar.example.com processes=1 threads=1 \
    display-name=%{GROUP} user=radicale home=/path/to/calendar/public_html
  WSGIProcessGroup calendar.example.com
  WSGIScriptAlias / /path/to/radicale/radicale.wsgi
  <Location "/">
    Options None FollowSymLinks
    AuthType basic
    AuthName "Example company Ltd"
    AuthBasicProvider ldap
    AuthLDAPBindDN uid=search,ou=misc,dc=example,dc=com
    AuthLDAPBindPassword password
    AuthLDAPURL "ldap://example.com/ou=Users,dc=example,dc=com?uid"
    Require valid-user
    RewriteEngine On
    # Check and ensure REMOTE_USER is accessing their own calendar
    RewriteCond %{REMOTE_USER}%{PATH_INFO} !^([^/]+/)\1
    RewriteRule .* - [Forbidden]
  </Location>
</VirtualHost>
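The RewriteCond in the Location block above is the authorisation check that stops one user reading another's calendar, and it is worth seeing exactly which paths it permits before deploying it. The following harness is added for this article (it is not from the original or from Radicale): it emulates the rule by concatenating REMOTE_USER and PATH_INFO and testing the same regular expression; the users alice and bob are hypothetical.

```shell
# Added example: emulate the VirtualHost's access rule
#   RewriteCond %{REMOTE_USER}%{PATH_INFO} !^([^/]+/)\1
#   RewriteRule .* - [Forbidden]
# Apache joins REMOTE_USER and PATH_INFO and forbids the request unless the
# result matches ^([^/]+/)\1, i.e. PATH_INFO begins with "/<REMOTE_USER>/".
# Relies on grep -E backreference support (GNU and BSD grep have it).

# calendar_access USER PATH_INFO: returns 0 if allowed, 1 if forbidden.
calendar_access() {
    printf '%s%s\n' "$1" "$2" | grep -Eq '^([^/]+/)\1'
}

# Constructed cases (hypothetical users alice and bob). Note the caveats the
# rule implies: a path without the trailing slash, the collection root "/"
# and Radicale's web interface under /.web/ are all forbidden as well, so a
# separate RewriteCond is needed before the RewriteRule if you want those.
run_cases() {
    for c in 'alice:/alice/' 'alice:/alice/work.ics' 'alice:/bob/' \
             'alice:/alicex/' 'alice:/alice' 'alice:/' 'alice:/.web/'; do
        user=${c%%:*}
        path=${c#*:}
        if calendar_access "$user" "$path"; then v=allowed; else v=forbidden; fi
        printf '%-6s %-18s %s\n' "$user" "$path" "$v"
    done
}
```

Run `run_cases` to print the verdict table; only the two paths starting with /alice/ are allowed.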

Radicale uses text files for calendars and tasks, so ensure these are backed up / replicated.

Test

Finally, test the server by sending an internal email, sending an external one and receiving one.

Test the server is working

Send a test email from yourself to yourself. It should show in your sent folder as an email sent, and in your inbox as an email received.

Test you are able to send emails

Send an email from yourself to an external recipient.

The email should be copied into your sent folder, and be delivered to the recipient.

If it does not arrive, check the Exim error log, and check that Exim is configured either to send email directly to the destination or to use a smart host for all outgoing email.

Test you are able to receive emails

Send an email from an external sender to yourself.

If it does not arrive, check that the sending server knows where to deliver by checking your DNS MX record, and check the Exim logs.

Congratulations, you should now have a fully working email server.

Backup

Ensure your servers are fully backed up, of particular note:

  • Backup your configurations;
  • Replicate your database;
  • Synchronise the Radicale database.

Optional services

Although outside the scope of this article, it’s highly recommended to add the following services:

Email filtering (Sieve)

Automated email filtering with Sieve (RFC 3028) is included in DBMail. Sieve is a safe yet powerful language for dealing with incoming mail, and it's incorporated into many email desktop clients and servers such as KMail and Roundcube.

DMARC (SPF/DKIM)

Domain-based Message Authentication, Reporting and Conformance offers authentication that protects against domain spoofing and tampering with email in transit.

Spam / virus protection

There are numerous options for content scanning in Exim, including free and paid-for services.

Address book

Using LDAP for a company-wide address book is supported by many email clients.

Robots

Sending structured requests by email for automated processing has a long history; see, for example, Damian Conway's Parse::RecDescent.

Resources

Open Source

Open source software is provided at no charge. Maintaining high quality software takes time and effort, so please consider donating; your generosity counts.