OpenSMTPD, Dovecot and SpamAssassin

January 31, 2015

How to run your own email server with your own domain? This is the TLDR (Too long; didn't read) version of the most popular post on my blog! In that post, I explained how to configure OpenSMTPD, Dovecot and SpamAssassin to take your email back.

last edit: may 02 2015

Requirements

OpenSMTPD

The most important part of your server is the Mail Transfer Agent (MTA). This is the core application that actually transmits email between mail servers. There are many MTAs, such as OpenSMTPD, Exim, Sendmail, Postfix, Qmail, etc. I chose OpenSMTPD because it is secure, fast and simple to configure, and it is now the default MTA in OpenBSD.

A home for your mails

OpenSMTPD needs a place to deliver the emails you receive, so we are going to create a user ({$ user $}).

Add a user to our system:

useradd -m -u 5000 {$ user $} -d /home/{$ user $}/

Add a password for this user:

passwd {$ user $}

Certificates

You need a TLS certificate to encrypt communications between your mail client and your server. You need the private key of the certificate, whose file name often ends with .key (eg mail.{$ domain $}.key), and the public certificate, whose file name ends with .crt or .pem (eg mail.{$ domain $}.crt).

If you don't have any certificate, you can generate a self-signed one:

openssl genrsa -out /etc/ssl/private/mail.{$ domain $}.key 4096
openssl req -new -x509 -key /etc/ssl/private/mail.{$ domain $}.key -out /etc/ssl/certs/mail.{$ domain $}.crt -days 730

Be sure to set the permissions of your certificate files:

chmod 700 /etc/ssl/private/mail.{$ domain $}.key
chmod 700 /etc/ssl/certs/mail.{$ domain $}.crt

Install OpenSMTPD

To install OpenSMTPD run the command:

apt-get install opensmtpd

During installation it will ask you for the FQDN (Fully Qualified Domain Name), which corresponds to the part to the right of the @ sign ({$ domain $}), and for the user name that will receive the root and postmaster emails. You can put {$ user $}.

We can now edit our OpenSMTPD configuration file /etc/smtpd.conf:

pki mail.{$ domain $} key "/etc/ssl/private/mail.{$ domain $}.key"
pki mail.{$ domain $} certificate "/etc/ssl/certs/mail.{$ domain $}.crt"

listen on eth0 port 25 hostname mail.{$ domain $} tls pki mail.{$ domain $}
listen on eth0 port 587 hostname mail.{$ domain $} tls-require pki mail.{$ domain $} auth mask-source

table aliases file:/etc/aliases

accept from any for domain "{$ domain $}" alias <aliases> deliver to maildir "~/mails"

accept from local for any relay

The first two lines are easy to understand: they define the PKI (public key infrastructure) entry mail.{$ domain $}, one line for the private key and one for the public certificate.

Then we ask OpenSMTPD to listen on the eth0 network interface on ports 25 and 587 for the hostname mail.{$ domain $}, using the pki defined just before. On port 25 TLS is offered (tls); on port 587 TLS is mandatory (tls-require), authentication is enabled and the source is masked. Port 587 is the port your email client will use to send email through OpenSMTPD.

The line "accept from local for any relay" specifies that local (or authenticated) users can relay emails to any destination.

The table line gives the path of the aliases table.

/etc/aliases file looks like :

postmaster: root
abuse: root
root: {$ user $}
contact: {$ user $}

Emails sent to root, postmaster, abuse or contact@{$ domain $} are all aliases for {$ user $}@{$ domain $}. Run newaliases to regenerate the aliases.

The "accept from any for domain" line lets OpenSMTPD deliver all emails destined for {$ domain $} (oslab.fr in my case) into the mail folder of the user resolved through the /etc/aliases table. Every time an email is sent to one of these accounts, it arrives in the /home/{$ user $}/mails/ folder.

That's it for the email server part: 7 lines of configuration! If you want to change this configuration and add features, I invite you to read the documentation.
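A quick lint of the rules above, as an added example that is not part of the post or of OpenSMTPD itself: it flags the two misconfigurations this section guards against, an open relay ("accept from any for any relay") and a listener that accepts credentials without requiring TLS. The domain example.org stands in for {$ domain $}, and the same checks apply to the SpamAssassin variant of the file later in the post.

```python
import shlex

# Constructed copy of the post's /etc/smtpd.conf, with {$ domain $} filled in with
# example.org (an assumption; nothing here is the project's own code).
SMTPD_CONF = """\
pki mail.example.org key "/etc/ssl/private/mail.example.org.key"
pki mail.example.org certificate "/etc/ssl/certs/mail.example.org.crt"
listen on eth0 port 25 hostname mail.example.org tls pki mail.example.org
listen on eth0 port 587 hostname mail.example.org tls-require pki mail.example.org auth mask-source
table aliases file:/etc/aliases
accept from any for domain "example.org" alias <aliases> deliver to maildir "~/mails"
accept from local for any relay
"""


def lint_smtpd_conf(text):
    """Return findings for the OpenSMTPD 5.x syntax used in the post (empty list = clean)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in smtpd.conf
        if not line:
            continue
        words = shlex.split(line)  # honours the quoted paths and domain
        if words[0] == "listen" and len(words) > 2:
            iface = words[2]
            port = words[words.index("port") + 1] if "port" in words else "25"
            if iface != "lo" and "tls" not in words and "tls-require" not in words:
                findings.append(f"{iface}:{port}: no tls or tls-require on a non-loopback listener")
            if "auth" in words and "tls-require" not in words:
                findings.append(f"{iface}:{port}: auth without tls-require still accepts plaintext sessions")
            if port == "587" and "auth" not in words:
                findings.append(f"{iface}:{port}: submission port without auth")
        elif words[0] == "accept" and "relay" in words:
            # The post's rules spell out both from and for; omitted ones are not flagged here.
            src = words[words.index("from") + 1] if "from" in words else "local"
            dst = words[words.index("for") + 1] if "for" in words else "local"
            if src == "any" and dst == "any":
                findings.append("open relay: 'accept from any for any relay' forwards mail for everyone")
    return findings


if __name__ == "__main__":
    for finding in lint_smtpd_conf(SMTPD_CONF) or ["no findings"]:
        print(finding)
```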

Configure the DNS

Other mail servers need to know where the mail server for {$ domain $} is. Here is the configuration for my domain:

{$ domain $}.                 300  MX     10 mail.{$ domain $}.
mail                      300  A      {$ ip4 $}
; Ignore this line if your host has no IPv6 connectivity:
mail                      300  AAAA   {$ ip6 $}
{$ domain $}.                 IN   TXT    "v=spf1 mx mx:{$ domain $} -all"

The MX record indicates where our mail server is. According to the DNS RFCs, an MX record must point to a hostname, and that hostname must then resolve to an IP address (the A and AAAA records above).

The last line sets the SPF (Sender Policy Framework) record, which tells receiving servers which hosts may send email for your domain and so helps prevent other people from sending emails with your domain name.

Once everything works, it is recommended to increase the TTL to avoid problems such as those encountered by @N
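The rules in this section (an MX pointing at a hostname that has an address record, an SPF record at the apex, and the TTL that should be raised once the setup is stable, as discussed at the end of the post), checked against a copy of the zone above. This is an added example, not part of the post; example.org and the documentation addresses 192.0.2.10 / 2001:db8::10 stand in for {$ domain $}, {$ ip4 $} and {$ ip6 $}.

```python
import ipaddress

ORIGIN = "example.org."  # assumption: stands in for {$ domain $}
# Constructed copy of the post's zone records with the placeholders filled in.
ZONE = """\
example.org.   300  MX     10 mail.example.org.
mail           300  A      192.0.2.10
; Ignore this line if your host has no IPv6 connectivity:
mail           300  AAAA   2001:db8::10
example.org.   IN   TXT    "v=spf1 mx mx:example.org -all"
"""


def parse_zone(text, origin=ORIGIN):
    """Turn a zone-file snippet into (fqdn, ttl, type, rdata) tuples; ttl is None when absent."""
    records = []
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()  # ';' starts a zone-file comment
        if not tokens:
            continue
        name = tokens.pop(0)
        fqdn = name if name.endswith(".") else f"{name}.{origin}"
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else None
        if tokens[0].upper() == "IN":  # the class is optional, as in the post's zone
            tokens.pop(0)
        records.append((fqdn, ttl, tokens.pop(0).upper(), " ".join(tokens)))
    return records


def check_mail_records(records, origin=ORIGIN, min_ttl=86400):
    """Apply the post's rules: MX -> hostname with an address, SPF present, TTL raised."""
    findings = []
    hosts = {fqdn for fqdn, _, rtype, _ in records if rtype in ("A", "AAAA")}
    mx = [rdata.split()[1] for fqdn, _, rtype, rdata in records if fqdn == origin and rtype == "MX"]
    if not mx:
        findings.append("no MX record at the zone apex")
    for target in mx:
        try:
            ipaddress.ip_address(target.rstrip("."))
            findings.append(f"MX target {target} is an IP address; it must be a hostname")
        except ValueError:  # not an IP literal, so it is a hostname: it needs an address record
            if target not in hosts:
                findings.append(f"MX target {target} has no A or AAAA record")
    spf = [rdata.strip('"') for fqdn, _, rtype, rdata in records
           if fqdn == origin and rtype == "TXT" and rdata.strip('"').startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record at the zone apex")
    elif not spf[0].endswith(("-all", "~all")):
        findings.append("SPF record does not end with -all or ~all")
    for fqdn, ttl, rtype, _ in records:
        if ttl is not None and ttl < min_ttl:
            findings.append(f"{fqdn} {rtype}: TTL {ttl}s is below the {min_ttl}s to use once the setup is stable")
    return findings
```

On the zone as written the only findings are the three 300 s TTLs, which is what the post expects while you are still testing.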

IMAP, get your emails

Install Dovecot

To retrieve emails with our mail client, we will use the IMAP protocol (Internet Message Access Protocol). To provide IMAP, we will use Dovecot.

To install Dovecot run the command:

apt-get install dovecot-imapd

During installation, reject the creation of a certificate because our certificates already exist.

Configure Dovecot

Comment out all the lines and add the following content to the /etc/dovecot/dovecot.conf file:

protocols = imap
ssl = required
ssl_key = </etc/ssl/private/mail.{$ domain $}.key
ssl_cert = </etc/ssl/certs/mail.{$ domain $}.crt
mail_location = maildir:~/mails
listen = *

userdb {
  driver = passwd
  args = blocking=no
}

passdb {
  driver = pam
  args = 
}

For the Dovecot configuration, there is not much to add. We require SSL/TLS with our certificate, point mail_location at the same ~/mails maildir OpenSMTPD delivers to, and use Pluggable Authentication Modules (PAM) for the IMAP authentication.

Mail Client

To test that everything works, here is the information to add to our mail client.

To check our emails with IMAP:

To send emails via SMTP:

SpamAssassin

If you want to install SpamAssassin with your OpenSMTPD, you will need spampd (Spam Proxy Daemon).

To install spampd run the command:

apt-get install spampd

We need to tell OpenSMTPD to relay every incoming mail to port 10025 on the loopback interface, and to tag every mail coming back on port 10026 and deliver it to the maildir. spampd listens on port 10025 on the same host as the mail server, runs the mail through SpamAssassin and sends the filtered mail back to port 10026.

We can edit our OpenSMTPD configuration file /etc/smtpd.conf accordingly:

pki mail.{$ domain $} key "/etc/ssl/private/mail.{$ domain $}.key"
pki mail.{$ domain $} certificate "/etc/ssl/certs/mail.{$ domain $}.crt"

listen on lo port 10026 tag Filtered
listen on eth0 port 25 hostname mail.{$ domain $} tls pki mail.{$ domain $}
listen on eth0 port 587 hostname mail.{$ domain $} tls-require pki mail.{$ domain $} auth mask-source

table aliases file:/etc/aliases

accept tagged Filtered for any alias <aliases> deliver to maildir "~/mails"

accept from any for domain "{$ domain $}" relay via "smtp://127.0.0.1:10025"

accept from local for any relay

We need to enable spamassassin:

Change ENABLED to 1 in /etc/default/spamassassin

When everything works well

Now that everything works well, we will increase our TTL.

To increase the TTL, simply change the value 300 previously defined in our DNS records to 86400 seconds (1 day), the minimum value recommended by RFC 1033.

The end

Did you like this post? Thank me by improving it or sharing it on Twitter!

By Guillaume Vincent