
Setting up a secure mail server on Ubuntu 22.04 LTS (Jammy Jellyfish)

Reviewed on 15 October 2024 | Published on 04 June 2020
  • security
  • DKIM
  • Rspamd
  • MariaDB
  • Roundcube
  • dmarc

In this tutorial you will learn how to configure a mail server that uses Postfix, Dovecot, Rspamd, DKIM, and MariaDB to deliver mail securely. You will also learn how to install the Roundcube webmail interface so that you can read your emails directly from your browser.

Tip

We recommend you follow this tutorial using a Production-Optimized Instance.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An SSH key
  • An Instance running Ubuntu Bionic Beaver or later
  • A domain or subdomain configured to point to the IP address of your Instance
  • Enabled the SMTP ports to send emails from your Instance

Pre-work and system preparation

Important

Before you continue with this tutorial, some configuration is required to make sure your mail server will be working.

  • To ensure that other servers accept emails sent from your Instance, a valid reverse DNS record within your own domain name (for example mail.domain.com) must be configured.
  • The SMTP ports must be unlocked in the security group of the Instance.
  1. Update the system:

    apt update && apt upgrade -y
  2. Ensure no conflicting mail software is installed:

    service sendmail stop
    update-rc.d -f sendmail remove
    Note

    If the message Failed to stop sendmail.service appears, it can be safely ignored.

Install Nginx, PHP, and MariaDB

  1. Install the required packages:

    apt install nginx mariadb-server php8.1-fpm php8.1-cli php8.1-imap php8.1-json php8.1-mysql php8.1-opcache php8.1-mbstring php8.1-readline php8.1-intl -y
  2. Secure the MariaDB installation:

    mysql_secure_installation

    During the setup, provide answers to secure your MariaDB installation (set the root password, remove anonymous users, disallow remote root login, etc.). Refer to Installing and Securing MariaDB for further details regarding the configuration of MariaDB.

Install and configure PostfixAdmin

  1. Download and extract PostfixAdmin:

    wget https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.13.tar.gz
    # the downloaded file is named postfixadmin-3.3.13.tar.gz (lower case), so the glob must match that
    tar xzf postfixadmin-*.tar.gz
    mv postfixadmin-*/ /var/www/postfixadmin
  2. Set the correct file permissions:

    chown -R www-data: /var/www/postfixadmin
  3. Log into MariaDB using the root user:

    mysql -u root -p

    Run the following SQL commands to create a MariaDB database for PostfixAdmin:

    CREATE DATABASE postfixadmin;
    GRANT ALL ON postfixadmin.* TO 'postfixadmin'@'localhost' IDENTIFIED BY 'your_secret_password';
    FLUSH PRIVILEGES;
    EXIT;
  4. Create the PostfixAdmin configuration file:

    nano /var/www/postfixadmin/config.local.php

    Add the following content:

    <?php
    $CONF['configured'] = true;
    $CONF['database_type'] = 'mysqli';
    $CONF['database_host'] = 'localhost';
    $CONF['database_user'] = 'postfixadmin';
    $CONF['database_password'] = 'your_secret_password';
    $CONF['database_name'] = 'postfixadmin';
    ?>
  5. Initialize the PostfixAdmin database schema:

    sudo -u www-data php /var/www/postfixadmin/public/upgrade.php
  6. Create an admin user for PostfixAdmin:

    bash /var/www/postfixadmin/scripts/postfixadmin-cli admin add

    Follow the prompts to add your email address and create the admin user.

  7. Create an Nginx configuration file for PostfixAdmin:

    nano /etc/nginx/sites-available/mail.example.com.conf

    Add the following configuration:

    server {
        listen 80;
        server_name mail.example.com;
        root /var/www;
        location / {
            try_files $uri $uri/ /index.php;
        }
        location /postfixadmin {
            index index.php;
            try_files $uri $uri/ /postfixadmin/public/login.php;
        }
        location ~ \.php$ {
            fastcgi_pass unix:/run/php/php8.1-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
  8. Activate the Nginx configuration and reload:

    ln -s /etc/nginx/sites-available/mail.example.com.conf /etc/nginx/sites-enabled/
    systemctl reload nginx

Generate and apply a Let’s Encrypt TLS/SSL certificate

  1. Install Certbot for Nginx:

    apt install certbot python3-certbot-nginx -y
  2. Run the following command to generate a Let’s Encrypt TLS/SSL certificate for your mail domain:

    certbot --nginx -d mail.example.com

    Follow the prompts to enter your email, agree to terms, and choose HTTPS options. Certbot will automatically configure SSL for Nginx and restart the service.

  3. Visit https://mail.example.com to ensure your website is now accessible via HTTPS with the TLS/SSL certificate applied.

Install and configure Postfix and Dovecot

  1. Install Postfix, Dovecot, and necessary packages:

    apt install postfix postfix-mysql dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysql -y
  2. After installing Postfix, update its configuration to use the Let’s Encrypt certificate:

    postconf -e 'smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem'
    postconf -e 'smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem'
    postconf -e 'smtpd_use_tls=yes'
    postconf -e 'smtpd_tls_security_level=may'
    postconf -e 'smtp_tls_security_level=may'
  3. Configure Dovecot to use the SSL certificate: Edit the file /etc/dovecot/conf.d/10-ssl.conf:

    nano /etc/dovecot/conf.d/10-ssl.conf

    Update the SSL settings:

    ssl = yes
    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
    # Dovecot refuses to start when the DH parameter file is missing. This tutorial does not
    # create it, so generate it first with: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    ssl_dh = </etc/ssl/certs/dhparam.pem
    ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    ssl_prefer_server_ciphers = yes
  4. Restart Dovecot to apply the changes:

    systemctl restart dovecot

Configure DKIM with Rspamd

  1. Install Redis and Rspamd:

    apt install redis-server rspamd -y
  2. Generate DKIM keys and configure Rspamd for signing:

    mkdir /var/lib/rspamd/dkim/
    rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key > /var/lib/rspamd/dkim/mail.pub
  3. Add DKIM signing configuration by opening the file /etc/rspamd/local.d/dkim_signing.conf in a text editor:

    nano /etc/rspamd/local.d/dkim_signing.conf

    Then add the following content:

    selector = "mail";
    path = "/var/lib/rspamd/dkim/$selector.key";
    allow_username_mismatch = true;
  4. Restart Rspamd to apply the configuration:

    systemctl restart rspamd
  5. Retrieve the DKIM public key for your domain:

    cat /var/lib/rspamd/dkim/mail.pub

    Add the output as a TXT record to your domain’s DNS zone to publish your DKIM public key in DNS. Refer to How to manage DNS records for further information.
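The mail.pub file is written in BIND zone-file syntax, with the record split into several quoted strings, whereas most DNS control panels want the record name and a single flat value. The following shell helper is an added example, not part of the tutorial, that extracts both and sanity-checks the tags before you publish them; the sample file content is constructed and its p= value is truncated, not a real key.

```shell
#!/bin/sh
# Added helper: turn the BIND-style snippet written by `rspamadm dkim_keygen`
# into the record name and the single flat TXT value a DNS control panel expects.

# Constructed sample of a mail.pub file; the p= value is truncated, not a real key.
SAMPLE_PUB=$(mktemp)
cat > "$SAMPLE_PUB" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
        "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" ) ;
EOF

# Record name: first token of the first line (mail._domainkey, relative to the zone).
dkim_record_name() {
    awk 'NR == 1 { print $1; exit }' "$1"
}

# Record value: every double-quoted chunk joined without separators. rspamadm splits
# the long p= payload into several quoted strings, which must be concatenated as-is.
dkim_record_value() {
    tr -d '\n\t' < "$1" | grep -o '"[^"]*"' | tr -d '"\n'
}

# Sanity-check the flattened value before publishing it: it must start with the
# v=DKIM1 tag, carry a p= tag, and the p= payload must be plain base64 (RFC 6376).
dkim_record_check() {
    value=$(dkim_record_value "$1")
    case "$value" in
        "v=DKIM1;"*) ;;
        *) echo "missing leading v=DKIM1 tag" >&2; return 1 ;;
    esac
    case "$value" in
        *"p="*) ;;
        *) echo "missing p= tag" >&2; return 1 ;;
    esac
    p=${value##*p=}
    printf '%s' "$p" | grep -Eq '^[A-Za-z0-9+/]+=*$' || {
        echo "p= payload is not base64 (stray quotes or whitespace?)" >&2
        return 1
    }
    return 0
}

# Usage with the real file: replace "$SAMPLE_PUB" by /var/lib/rspamd/dkim/mail.pub
printf 'name:  %s\nvalue: %s\n' "$(dkim_record_name "$SAMPLE_PUB")" "$(dkim_record_value "$SAMPLE_PUB")"
dkim_record_check "$SAMPLE_PUB" && echo "record looks valid"
```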

Install Roundcube Webmail

  1. Install the PHP dependencies for Roundcube:

    apt install php-intl php-mail-mime php-net-smtp php-net-socket php-pear php-xml php-gd php-imagick -y
  2. Log into MariaDB using the root user:

    mysql -u root -p

    Execute the following SQL commands to create a MariaDB database for Roundcube:

    CREATE DATABASE roundcubemail;
    GRANT ALL ON roundcubemail.* TO 'roundcube'@'localhost' IDENTIFIED BY 'your_secret_password';
    FLUSH PRIVILEGES;
    EXIT;
  3. Download and install Roundcube:

    wget https://github.com/roundcube/roundcubemail/releases/download/1.6.1/roundcubemail-1.6.1-complete.tar.gz
    tar xzf roundcubemail-1.6.1-complete.tar.gz
    mv roundcubemail-1.6.1 /var/www/webmail
    chown -R www-data: /var/www/webmail
  4. Edit the Nginx configuration file:

    nano /etc/nginx/sites-enabled/mail.example.com.conf

    Add the following section for Roundcube inside the server block:

    location /webmail {
        index index.php;
        try_files $uri $uri/ /webmail/index.php;
    }
  5. Restart Nginx to apply the changes:

    systemctl restart nginx
  6. Complete the Roundcube setup by visiting https://mail.example.com/webmail/installer/ and following the web-based setup.

  7. Remove the installer directory for security:

    rm -rf /var/www/webmail/installer

Automate SSL renewal with Certbot

Let’s Encrypt certificates have a limited validity period. Check that they will renew automatically by running a renewal dry run:

certbot renew --dry-run
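Certbot’s Nginx plugin reloads Nginx after a renewal, but Postfix and Dovecot, which were pointed at the same certificate files above, are not reloaded and keep serving the old certificate until they are. The following deploy hook is an added example, not part of the tutorial; it assumes the certificate name mail.example.com used above and the hypothetical file name reload-mail.sh.

```shell
#!/bin/sh
# Certbot deploy hook (hypothetical name): save as
# /etc/letsencrypt/renewal-hooks/deploy/reload-mail.sh and make it executable.
# Certbot runs every script in that directory after a successful renewal and
# exports RENEWED_LINEAGE, the /etc/letsencrypt/live/<name> directory that was renewed.
MAIL_DOMAIN="mail.example.com"   # the certificate name used in this tutorial

# Print the daemons that must be reloaded for the given lineage directory.
# Certbot's Nginx plugin reloads Nginx itself; Postfix and Dovecot keep serving
# the old certificate until reloaded, so they are listed here.
services_for_lineage() {
    case "$1" in
        */live/"$MAIL_DOMAIN") echo "postfix dovecot" ;;
        *) echo "" ;;   # some other certificate: nothing to do
    esac
}

reload_mail_services() {
    svcs=$(services_for_lineage "$1")
    [ -n "$svcs" ] || return 0
    for s in $svcs; do
        systemctl reload "$s"
    done
}

# Act only when invoked by certbot (RENEWED_LINEAGE is set); harmless when sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_mail_services "$RENEWED_LINEAGE"
fi
```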