iRedMail

Setting up a mail server is tedious.

Main page to follow: https://docs.iredmail.org/install.iredmail.on.debian.ubuntu.html

Recommended to use a standalone server to host these services:

• Many different services will be setup, and with users created for the services on specific uids. These may interfere with existing nginx / MySQL / Python / PHP.
• Better to separate the mail server from the web server, since these are two big attack surfaces.
• The mail domain should resolve to the server, which would require the use of CNAMEs if they share the same address.

Minimum requirements of 4GB RAM for AV and spam detection services.

Created a Debian LXC to minimize resource usage. Also reminder to add SSH keys to .ssh/authorized_keys for logins.

root:~# apt update && apt upgrade
root:~# apt install -y gzip dialog curl
root:~# curl -L -O "https://github.com/iredmail/iRedMail/archive/refs/tags/1.7.1.tar.gz"
root:~# tar xzvf 1.7.1.tar.gz

A mail domain should exist and redirect to the server. One could peruse the DNS section to understand how the hostname should be resolved; an example of /etc/hosts could be:

/etc/hosts

127.0.0.1 localhost
192.168.1.3 mail.pyuxiang.com mail myhostname

user:~$ hostname -f
mail.pyuxiang.com

Execute the installer, noting to enable the nginx webserver (there is much configuration done to nginx, so might as well tag along):

root:~# cd iRedMail-1.7.1
root:~# bash iRedMail.sh

Restart the mail server host. This will also restart the nginx webserver to expose port 443. Add

Defaults are provided in iRedMail.tips (make sure to delete this after storing the credentials). Things to do:

• Update TLS certificate: /etc/ssl/certs/iRedMail.crt and /etc/ssl/private/iRedMail.key
• Update DNS records, i.e. dkim._domainkey for DKIM.
• Add users using iRedAdmin panel: /iredadmin
• Restrict all services to local network (minimally), via IP whitelist and restart nginx.
  • Recommended to modify iredadmin.tmpl, roundcube.tmpl, and netdata.tmpl under nginx templates.
  • Remove SOGo entry if not installed.
• Expose ports to outside, usually 25/tcp and 587/tcp.

Here's a simple DKIM parser:

#!/usr/bin/env python3
# Get DKIM record
#
# Example:
#     amavisd showkeys | ./parse_dkim.py
 
import sys
 
data = sys.stdin.read()
data = [r.strip("\"'() ") for r in data.split("\n")[2:]]
record = "".join(data)
print(record)

Use mail-tester to check spammy-ness of emails. Other useful resources:

• Policy lookup tests: uriports, mxtoolbox
• Explanation of authentication flow: learndmarc

The required DNS records for mail:

When sending mail, make sure to add a display name so that the "From" field doesn't just contain the email address.

Test authentication flow:

openssl s_client -connect mail.pyuxiang.com:587 -starttls smtp