Start reading this document
about why you may not want to run an email server.
I decided to use (1) MTA=Postfix (2) MDA=Dovecot and (3) IMAP server.
I have not yet decided on Spam Filter, AntiVirus and Webmail.
Here is an overview about existing MTA programs.
Add required DNS entries for the email programs.
Here is a guide
on why and how to add the SPF record.
Here is a wiki page
on the MX record (it will always map to an A, AAA record).
Here is an article about email routing. Observe the last command:
dig vasilian.net mx
We head now further into installing the Let's Encrypt Certbot
and creating a SSL certificate for the domain and subdomains.
certbot --apache
This will detect only the www and domain name, but will not show the mail. subdomain
You have to re-run with expand option
to include also the mail.vasilian.net
certbot --expand -d www.vasilian.net,vasilian.net,mail.vasilian.net
Here is a page for crontab commands
to list all jobs for current user or for all users.
To easily create a crontab job use this generator.
crontab -l * * * * 1 certbot renew >/dev/null 2>&1
To check if SSL certificate is installed correctly use the SSL Server Test page.
Now it's time to install postfix and dovecot. The setup will use Maildir format (instead of mbox) and the SSL certificate that was previously generated.
I used this installation guide
for postfix and dovecot on CentOS7.
An additional installation guide
exists at DigitalOcean for Debian.
Also here a 3rd guide
I used for better overview on the parameters. This is for Ubuntu.
Here are my final changes for the setup.
/etc/postfix/main.cf
myhostname = mail.vasilian.net
mydomain = vasilian.net
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual
mynetworks = 127.0.0.0/8
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/letsencrypt/live/vasilian.net/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/vasilian.net/fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
/etc/postfix/master.cf
# ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - n - - smtpd submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
Edit /etc/postfix/virtual
here replace AT with @
mihaiATvasilian.net mihai rootATvasilian.net mihai
Here is a guide on postfix
parameters. Of interest here was virtual(5) and $inet_interfaces.
However, after /etc/postfix/virtual file is edited the database must be re-generated with:
postmap /etc/postfix/virtual
Edit /etc/dovecot/dovecot.conf
protocols = imap pop3 imaps pop3s
Edit /etc/dovecot/conf.d/10-auth.conf.orig
disable_plaintext_auth = yes auth_mechanisms = plain login
Edit /etc/dovecot/conf.d/10-mail.conf.orig
mail_location = maildir:~/Maildir
Edit /etc/dovecot/conf.d/10-master.conf.orig
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
Edit /etc/dovecot/conf.d/10-ssl.conf.orig
ssl_cert = </etc/letsencrypt/live/vasilian.net/fullchain.pem ssl_key = </etc/letsencrypt/live/vasilian.net/privkey.pem
Edit /etc/dovecot/conf.d/20-pop3.conf.orig
pop3_uidl_format = %08Xu%08Xv
Here is a guide
on how to set the reverse dns for DigitalOcean droplet.
Rename the droplet from CentOS7-512MB-FRA1-01 to vasilian.net
and DigitalOcean will automatically assign a PTR record for the domain.
Check if the IP has a reverse dns with:
host 138.68.68.112 112.68.68.138.in-addr.arpa domain name pointer vasilian.net.