How I set up our small office mail server using open source software. Why would you want to do this? If, like us, you are a small IT shop always looking for ways to cut down operating costs, then this tutorial is for you.
If you have not done so yet, log in to your domain registrar, or whoever manages the DNS records for your domain, to set up your DNS records. My domain was registered through Godaddy.com. The process was: log on to my Godaddy account, go to domains, pick the domain which will handle emails, then click launch. This opens domain details. Go to the DNS zone file tab, then click edit.
This will open the DNS zone editor. I am going to create an A record called mail which points to my IP 22.214.171.124, using the default TTL time. Then click save zone file.
Then I have to add an MX record. My record was mail.mydomain.com (replace mail.mydomain.com with your fully qualified domain name) which is set to priority zero which informs other mail servers this is the primary mail server for this domain.
After an hour or two you can check whether the MX record you created is working by using the free MX record check at mxtoolbox.com. Below are my results. Once you have the mail server set up you can also check it using the SMTP test link to see if it is ready and listening for connections.
Build your own office mail server
Our fancy Proxmox Hypervisor server using an old recycled box.
From the Proxmox web panel I created the virtual machine. Below is the hardware setup for this virtualized mail server. The specs below are good enough for our size of 20 users. The average mail processed per day is about 6000 external emails; if you include internal mail the number could be around 10000. If there is ever a need to increase resources it is easy enough to do, because everything is virtualized. You may have noticed I am using VirtIO drivers for the hard drive and network cards for performance.
Virtual Machine Creation
Creating a VM on the Proxmox web panel. I provided the name MAIL-SERVER. The Proxmox hypervisor provides the VM ID but this could be assigned as well.
Using the latest Kernel version.
Choosing the ISO to install by clicking the drop down. For this installation I am going with Ubuntu 12.04.3 LTS Server amd64 (64-bit).
Assigning the bus driver, disk size and disk format. According to the Proxmox documentation it is advisable to go with VirtIO drivers. Disk size of 150 GB is the perfect size for our operation. For the disk format raw is usually what the Proxmox developers would recommend.
Below are the specs of my KVM virtual mail server.
At this point we now could start our newly provisioned KVM virtual machine by highlighting the virtual machine.
With the virtual machine running we can connect to the virtual mail server through the console.
Click console. Allow any Java alerts. If you get a network error just click reload.
We now see the Ubuntu install. Choose your language.
Choose Install Server.
Choose country of origin.
Click enter. No for keyboard detect. Click enter, enter.
Create name for server.
Create user account.
Encrypt home directory. Make your choice.
Verify time zone.
I prefer to use LVM. It makes it easier later on if I need to add additional hard drive space.
It shows our VirtIO driver disk block which we will use for the installation.
Write changes to disk and configure LVM.
Click yes, enter.
Shows the HD size.
Write changes to disk.
Leave proxy setting blank.
Wait for the package retrieval to complete.
I prefer not to download updates automatically.
Install only OpenSSH server.
Finish the installation.
We’re now ready to login using the account we created earlier.
Login at the console with username h0n3yp0t.
After logging in move into the directory src.
Set Fully Qualified Domain Name (FQDN) of server
From Webmin menu > Networking > Network Configuration > Hostname and DNS Client put in your host's FQDN.
Next under Host Addresses click localhost IP 127.0.0.1, then add just the hostname of your mail server without the domain name.
From the shell prompt you can now verify your hostname and FQDN as follows.
Typing both hostname and hostname will return the fully qualified domain name of your host.
Let us start hosting a mail enabled domain
We begin by connecting to Virtualmin at https://126.96.36.199:10000. If you have changed this port to something else (which you should have, to increase security) use that port instead of the default port 10000. You’ll end up at the dashboard like below. As you can see there are no virtual servers created yet.
Let’s create one, which will be our mail-enabled domain, by clicking create virtual server and filling out the following details.
- Setup website for domain is checked for we will install roundcube later on for webmail.
- Setup for virus filtering for emails.
- Accept mail for domain enabled otherwise it defeats the purpose why we’re doing this setup.
- Create MySQL database for we will use this later on for roundcube.
- Setup spam filtering for emails.
- Setup status monitoring – when a service goes down like Postfix, monin will try to restart the service.
Then click create server.
Set quota limits
Before we create any mailbox accounts I will set the overall quota for this email-enabled domain by going to Webmin > Servers > Virtualmin Virtual Servers.
Click save virtual server.
At one time I failed to set the quota limits before creating user mail accounts. When I created a mail user account with 5 Gigabytes of storage I got the error below.
Creating user mail accounts
Click on edit users, then add a user to this server. I have the following setup.
- Quota at 5 Gigabytes (the value could also be entered as 2.5 etc). This is the sum total of how much email a user can have in the inbox, including any emails stored in mail folders. When a user goes over the quota they will get a notification, which we will set later on.
- Primary email address enabled refers to the mail address for the created mail user which in this example is firstname.lastname@example.org.
- Check for spam virus default is yes.
- Deliver to this user normally checked. Otherwise no email will be kept for the user account. You will only uncheck this if this email address was only set up to forward any emails it receives to another email address.
- Send auto reply off by default. I only use this if the email address was used for contact-us website links, where it sends an auto reply to acknowledge we have received the email.
- Login permissions leaving it for email use only. You could of course give more access as the need requires.
Then click create.
The newly created email account by default appears as joe.mymailtestdomain with the domain part appended to each user account. This will be the username which will be used when logging on through webmail or usermin to read emails. This is also the login account to use if you were using a mail client like Thunderbird or Outlook.
The first account at the top of the list is the administrator account, which is normally for FTP or SCP access if this virtual server is also hosting a website. You will use this account to upload the website data into the root folder of the website. If you click on this account you will see this account also gets all of the emails for.
If I were to manage a user mail account I would go about it by clicking on the name, which brings up the following. Take note of how emails are stored per user. By default Virtualmin sets it up using Maildir. The nice thing with Maildir is that it allows my users to organize their mail folders two or three deep. We will come back to this later when backing up emails for each user.
Creating mail aliases
This is when you need to create an alias for your actual email address, such as email@example.com. Any email sent to this address will now be delivered to your mailbox.
Testing sending and receiving email using Usermin
From the domain we created earlier, edit users choose the user account you created.
Click user account. Click login to usermin.
Click continue if you get a prompt from the Safari browser regarding the self-issued certificate.
You’re now logged in to Usermin, another Webmin module which is used to manage a user account on a Linux server. If you can get past its dated interface you will find Usermin is a very powerful tool. Let us start by sending a test email to ourselves. Before we do, we will enable formatting tools for composing emails.
Click preferences. These are my enabled settings.
Composing and reading emails
Let us create an email now to send.
Click compose. Compose your test email then click send mail.
If you click your inbox now you should have your test email.
Clicking on the test email we just received then click view all headers.
You’ll see the path the mail took. You will also see that the email was passed through SpamAssassin so it can be checked for spam. Even though it does not show here, this email was also passed through ClamAV in case it had a virus attachment.
Email virus scanning
But to be sure let us test if ClamAV is really setup to scan for viruses. Download the test virus from Eicar. When you have it downloaded send an email to yourself using Usermin with the Eicar attachment.
Click choose file > browse to location of eicar zipped file.
Click send mail.
Even though the transmission was recorded in mail.log as being delivered, you will find the virus email you sent to yourself will not show up in your inbox. This is the default setting. Any email with a virus attachment is automatically discarded.
You can change the default setting. Whether you would want to do this is up to you.
From the Virtualmin menu > Virtualmin configuration > from the configuration category > spam filtering options.
Usermin Default Preferences settings
We touched earlier on changing default settings for composing emails and enabling the HTML editor when composing emails. Instead of having each user do this on their own we can set a global preference to make their lives a little easier. This is what we will set out to do now.
I like to set the homepage whenever a user logs into Usermin to show their current disk space usage. This could be done by going to Webmin > usermin configuration > user interface.
These are the following options I have set as shown on the image.
Now when a user logs in Usermin this is what they will see below first.
What I have enabled.
Set global default allowing users to setup mail filtering
This will allow your users to set up their own filtering rules and auto reply. If for some reason you get the error “Warning – The system is configured to not process user-defined mail filters. Filters defined here will not be used.” the solution is to go to the Virtualmin menu > Email Messages menu > Spam and Virus Scanning and click yes for “Allow mailbox users to create mail filters.”
When that has been setup users will be able to filter emails based on subject or from addresses in Usermin. On the Usermin dashboard click on Filter and Forward Mail > create your filters. Click create.
Setup Out of Office Auto Replies
Log in to Usermin, then go to Automatic Reply. Create your message, then click save to enable.
Where to find an auto reply template click here.
To allow users to report spam which has not been caught by SpamAssassin, the email addresses spamtrap and hamtrap will have to be set up. Under Virtualmin menu > Server Configuration > Spam and Virus Delivery click yes for “Create spamtrap and hamtrap email aliases”. Click save.
After that has been setup a user is able to report a spam email from their mail client by forwarding the message to firstname.lastname@example.org.
Or they can also setup deny rules from their Usermin login. They can click on Report Spam which reports the spam email to Razor blacklists. Clicking on Deny Sender will tell SpamAssassin to tag this email as spam.
Spamassassin Filter Rules
There are times I have to add my own spam rules to catch words often used by spammers if the built-in SpamAssassin rulesets are unable to catch these words.
From the Webmin menu > Servers > SpamAssassin Mail Filter.
Click on Header and Body Tests
The rules I created below will catch any emails with the word oz in the message body or subject line. When a rule matches, it gives the email message a score of 5, which then causes SpamAssassin to tag it as spam. Any email message which scores 5 or more will be automatically tagged as spam. Don’t forget to click save after adding your rules. Then click apply changes for SpamAssassin to use the rules.
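As an added example (not the author's own rules; the rule names and sample subject lines are constructed), the script below emits SpamAssassin tests of the kind described above and shows why the pattern should be anchored on word boundaries: an unanchored oz also fires on words such as dozen or cozy. It assumes local rules live in /etc/spamassassin/local.cf, the usual place on Ubuntu.

```shell
#!/bin/sh
# Added example, not the author's rules. Rule names are hypothetical.

# oz_rules: print body and Subject tests for the whole word "oz".
# \b keeps the pattern from matching inside "dozen", "frozen" or "cozy".
# Each rule scores 5.0, so a single hit reaches the tagging threshold of 5.
# Append the output to /etc/spamassassin/local.cf (assumed path), then run
# "spamassassin --lint" to check the syntax before applying the change.
oz_rules() {
  cat <<'EOF'
body     LOCAL_OZ_BODY     /\boz\b/i
describe LOCAL_OZ_BODY     Message body contains the word "oz"
score    LOCAL_OZ_BODY     5.0
header   LOCAL_OZ_SUBJECT  Subject =~ /\boz\b/i
describe LOCAL_OZ_SUBJECT  Subject line contains the word "oz"
score    LOCAL_OZ_SUBJECT  5.0
EOF
}

# is_word_oz TEXT: succeeds when "oz" occurs as a whole word (what \b enforces).
is_word_oz() { printf '%s\n' "$1" | grep -qiw 'oz'; }

# is_bare_oz TEXT: succeeds when "oz" occurs anywhere, as a plain /oz/i would.
is_bare_oz() { printf '%s\n' "$1" | grep -qi 'oz'; }

# count_hits MATCHER: count the constructed sample subjects that MATCHER flags.
count_hits() {
  n=0
  while IFS= read -r line; do
    if "$1" "$line"; then n=$((n + 1)); fi
  done <<'EOF'
Lose 10 oz of belly fat overnight
Buy 1 OZ gold bars at half price
Re: a dozen frozen pizzas for Friday
Cozy cabin booking confirmation
EOF
  echo "$n"
}

oz_rules
echo "whole-word hits: $(count_hits is_word_oz)"
echo "unanchored hits: $(count_hits is_bare_oz)"
```

The two legitimate subjects are only flagged by the unanchored pattern, which at a score of 5 would send them straight to the spam folder.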
Emails Tagged as Spam
When an email is tagged as spam this is what it looks like on my mail system. The subject line shows [SAF-SPAM-FILTER]. These emails are automatically moved into a folder called spam. Details of how the email was scored are also shown. If you need to look at the actual email you can double click the mail attachment.
Another layer of defense against spam. From the Virtualmin menu > Email Messages > Email Greylisting. Follow the prompts to enable.
If you need to enforce an email retention policy you could do this globally or per user.
Global email retention setting. Go to Virtualmin menu > Email Messages > Mailbox Cleanup.
You can set it so that any emails older than 60 days will be deleted from all users’ mailboxes. This applies to all of the users’ mail folders. Set which email domains to apply it to, then click save.
Individual email retention may be a better choice unless you don’t mind dealing with angry users when their emails are automatically deleted. Log in to Usermin and from the Manage Folders menu pick the email folders you want to apply the email retention policy to. On mine I have it applied to my inbox and sent mail folders.
Click on Auto Clearing.
I have it set to delete any messages older than 30 days. Click save.
We will secure usermin by doing the following. These are all done within the Usermin configuration page.
Click on IP access control if you want to limit where your users can connect from, for example to allow access only from the 172.16.0.0 network.
Let us block users and hosts after a set number of failed login attempts. Click on Usermin’s authentication module. The image shows what I have set for mine.
Change the default Usermin port of 20000 to something else; just make sure you use a port not already assigned. This is done by clicking Ports and Addresses.
Set Mail Quotas
We will have to set the overall quota limit for the mail domain being hosted first. This is done by going to Webmin > Virtualmin Virtual Servers > Quota and Limits. Set your limits.
Click Save Virtual Server.
To apply a default mail quota for each user go to Webmin > Disk Quotas. This is what I have set for my users.
Let us set notification reminders whenever a user is about to hit their quota. Whenever they reach 95% of their soft limit which I have set to 4.5 GB the system will start to send them an email notification. Enable it by going to the email notifications tab. These are the settings I used.
Edit the mail notification wording by going to Webmin > Disk Quotas > Module Config and clicking the drop down to Quota email messages. You can add your message here; just make sure not to delete the variable placeholders starting with the dollar sign.
If you have a lot of users to monitor for quota you will want to increase the number being displayed by Webmin’s disk quota module. Still under Module Config just choose the drop down Configurable options.
Pulling emails from other mail boxes
If you have other mailbox accounts from other mail providers Fetchmail will be able to pull emails from these mail accounts. Setting up Fetchmail.
By default fetchmail DAEMON is off. To have it run as a DAEMON we will have to edit the file.
vi /etc/default/fetchmail
START_DAEMON=yes
For the user who needs to pull email from external mailboxes we will have to set up fetchmail retrieval. From Webmin menu > Fetchmail Mail Retrieval add each user needing this service.
Fill out needed information of mailbox. Click create.
To start the Fetchmail DAEMON, click on Server to poll for the account created. Click check this server. Click save. Once the email pull has completed close the window.
Now schedule how often Fetchmail will pull email down. Click Scheduled Checking. On mine I have it set to run every minute.
Common error with Fetchmail:
If you try to start Fetchmail manually you will get the error below. To have it run as a DAEMON the key is to click on “Check this Server”, which we did earlier, or reboot the server once you have the account set to pull external emails.
“Executing /etc/init.d/fetchmail start ..
* /etc/fetchmailrc not found.
* can not start fetchmail daemon… consider disabling the script”
To use Fetchmail securely when pulling down emails from another mail server click here.
Copying emails from one server to another
If you have to move a user mailbox to another server you can use a simple tool called imapcopy. This is available through the Debian or Ubuntu repository.
To install imapcopy.
apt-get install imapcopy
Once it has been installed you can use the sample configuration in /usr/share/doc/imapcopy/examples.
By default Virtualmin will do a lot in the backend to enable your domain to receive emails. But there are some changes in Postfix we will have to make. Don’t worry, this can be done using Webmin’s Postfix module. From Webmin menu > Servers > Postfix Mail Server > General Options, change this part to use the Fully Qualified Domain Name of your server. This makes sure that as you send email through your server, the receiving mail server will know your Postfix is set up to use the FQDN of the host. Click Save and Apply.
Webmin and Postfix
Webmin comes with a Postfix module which you can use to manage Postfix’s many configuration options. From Webmin menu > Servers > Postfix Mail server.
Virtualmin Pro also comes with a nifty system checking tool to make sure your configuration setup is correct. This has helped me prevent any Postfix “loops back to myself” errors. From the Virtualmin menu > System Settings > Re-Check Configuration. Click this to have it run checks. If everything looks good you will receive “your system is ready for use by Virtualmin.” If the check finds an error the system will tell you which configuration needs fixing.
If you have the Virtualmin Pro version it will allow you to install the Roundcube webmail software with one click, which is what we use for webmail.
The Roundcube web interface.
Securing Dovecot and SMTP connections
Virtualmin provides a way to manage SSL certificates. From the Virtualmin menu > Server Configuration > Manage SSL Certificates. After creating your SSL certs you can then have them applied to Dovecot and Postfix, which will then secure your IMAP and SMTP authentications. I provided a step by step way to create and submit an SSL cert with Godaddy in this article.
Connecting to your new mail server from mail clients
Stopping Brute Force logins against Dovecot or SMTP authentication
I use ConfigServer Security & Firewall (CSF) to stop brute force attacks directed against IMAP or SMTP authentication. You can use my tutorial here to set up the CSF firewall on your server.
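To see what such a tool reacts to, here is an added example (not part of CSF and not the author's code) that totals failed IMAP and SMTP AUTH logins per client IP from mail.log-style input. The log lines are constructed samples in the usual Dovecot and Postfix formats, and the threshold is a hypothetical value.

```shell
#!/bin/sh
# Added example: total failed Dovecot and Postfix SASL logins per client IP.
# The log lines are constructed and use documentation address ranges.

sample_mail_log() {
  cat <<'EOF'
Jan 12 03:14:01 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<joe.mymailtestdomain>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Jan 12 03:14:05 mail postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jan 12 03:14:09 mail postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jan 12 08:30:12 mail dovecot: imap-login: Login: user=<joe.mymailtestdomain>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.10, mpid=4410, TLS
Jan 12 09:02:44 mail postfix/smtpd[2950]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
EOF
}

# failed_logins THRESHOLD: read a mail log on stdin and print "count ip" for
# every client with at least THRESHOLD failed attempts, worst offender first.
failed_logins() {
  awk -v min="$1" '
    # Dovecot reports several attempts on one line; add the stated number.
    /dovecot: .*auth failed, [0-9]+ attempts/ {
      match($0, /auth failed, [0-9]+ attempts/)
      tries = substr($0, RSTART + 13, RLENGTH - 13) + 0
      if (match($0, /rip=[0-9A-Fa-f.:]+/))
        fails[substr($0, RSTART + 4, RLENGTH - 4)] += tries
    }
    # Postfix logs one line per failed SMTP AUTH attempt.
    /postfix\/smtpd.*SASL [A-Z0-9-]+ authentication failed/ {
      if (match($0, /\[[0-9A-Fa-f.:]+\]: SASL/))
        fails[substr($0, RSTART + 1, RLENGTH - 8)]++
    }
    END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
  ' | sort -rn
}

# Constructed sample run; on a live server: failed_logins 5 < /var/log/mail.log
sample_mail_log | failed_logins 3
```

The successful login from 192.0.2.50 is ignored, and the single mistyped password from 198.51.100.23 stays under the threshold, which is the behaviour you want before blocking an address.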
For our Group Shared Calendar since we’re all Mac users at work I have setup Group calendar sharing through our Mac Server. There are some Open Source group calendars available on the install scripts but I have not tried any of them.
This is my personal guide which I continually update to match changes in technology. I have used this setup for the last 15 years to run and support a reliable mail server.