Main Page

How to setup a Linux Mail Server with iRedMail

  1. You'll need a registered domain name to use with your mail server. Namecheap is a good place to get one, but there are many others.

  2. You'll have to get a VPS (virtual private server), VDS (virtual dedicated server), or dedicated server to run your mail server on. I use Contabo for my VPS, and they have
    been very dependable and reliable for over a year. They have the cheapest prices, and they have a lot of different VPSes, VDSes and dedicated servers to choose from,
    with a good choice of server OSes including Linux, BSD, and Windows. Go to iRedMail.org to see which OSes are supported. I use Rocky Linux 9.4 for the OS in this example,
    but you can use any OS that iRedMail supports, and any provider that supports Linux/BSD.

  3. Now you have your domain name, and you have a VPS, VDS, or dedicated server running at a server provider. It's time to set the server up as an iRedMail server. I
    will be using Rocky Linux 9.4 as the server in this how-to, but the same can be done with any of the Linux or BSD OSes that iRedMail supports, though the commands may
    vary between OSes. Go to iRedMail.org to see which OSes are supported.

    After you get the IP address of your new server from the provider you'll need to SSH to it. I use PuTTY as my SSH client. After you first log in to your new server,
    update the OS to bring it up to date. On Rocky Linux 9.4 I do a "dnf update", then if there are any updates I do a "dnf upgrade". The update commands may differ
    depending on your OS.

    Now set a fully qualified domain name (FQDN) for your server. Edit the /etc/hostname file and enter your FQDN. Mine is server1.wjack.org, so all I have in my /etc/hostname
    file is server1.wjack.org. Next edit the /etc/hosts file; I put the line "127.0.0.1 server1.wjack.org server1" at the bottom of the file. Next you need to disable SELinux, since iRedMail
    doesn't work properly with it enabled. Edit /etc/selinux/config and make sure SELinux is disabled. Now reboot.

    You want to install iRedMail on a fresh server, so it's best not to install anything before you install iRedMail. I do install a couple of things first, but nothing that has anything
    to do with mail, databases, or web servers. I install the development tools with "dnf group install 'Development Tools'", then I install the network tools with "dnf install net-tools".
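    A pre-flight check for the step above, added here as an example and not part of the how-to: it confirms that /etc/hostname, /etc/hosts and the SELinux config are in the state described before iRedMail.sh is run. The file paths are parameters so it can be dry-run against copies; the defaults are the real files on a Rocky Linux host.

```shell
#!/bin/sh
# Added example (not from the how-to): pre-flight check for step 3, run before
# iRedMail.sh. File paths are parameters so it can be dry-run against copies of
# the files; the defaults are the real files on the Rocky Linux host.

preflight_check() {
    fqdn=$1
    hostname_file=${2:-/etc/hostname}
    hosts_file=${3:-/etc/hosts}
    selinux_cfg=${4:-/etc/selinux/config}
    short=${fqdn%%.*}          # "server1" for "server1.wjack.org"
    rc=0

    # 1. The name must contain a domain part, and /etc/hostname must hold exactly it.
    case $fqdn in
        *.*) ;;
        *)   echo "'$fqdn' is not a fully qualified name"; rc=1 ;;
    esac
    [ "$(cat "$hostname_file" 2>/dev/null)" = "$fqdn" ] \
        || { echo "$hostname_file does not contain exactly '$fqdn'"; rc=1; }

    # 2. /etc/hosts must map 127.0.0.1 to the FQDN and the short name, as in the how-to.
    awk -v f="$fqdn" -v s="$short" \
        '$1 == "127.0.0.1" && $2 == f && $3 == s { found = 1 } END { exit !found }' \
        "$hosts_file" 2>/dev/null \
        || { echo "$hosts_file lacks the line '127.0.0.1 $fqdn $short'"; rc=1; }

    # 3. SELinux must be disabled in the config that takes effect after the reboot.
    grep -q '^SELINUX=disabled$' "$selinux_cfg" 2>/dev/null \
        || { echo "$selinux_cfg does not set SELINUX=disabled"; rc=1; }

    [ "$rc" -eq 0 ] && echo "pre-flight OK for $fqdn"
    return "$rc"
}

# Stand-alone use on the server itself:  preflight_check "$(hostname -f)"
```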

  4. Now we install iRedMail. Go to iRedMail.org and copy the download link for the latest stable version of iRedMail. At present that link is 1.6.8.tar.gz for iRedMail-1.6.8.
    From your PuTTY terminal run "wget https://github.com/iredmail/iRedMail/archive/refs/tags/1.6.8.tar.gz" to download iRedMail, then rename that file to iRedMail-1.6.8.tar.gz
    with "mv 1.6.8.tar.gz iRedMail-1.6.8.tar.gz", then run "tar zxf iRedMail-1.6.8.tar.gz" to extract it, then "cd iRedMail-1.6.8", and to do the install run "bash iRedMail.sh".
    You will be asked several questions. I usually go along with the defaults, but I make sure the Nginx web server and MariaDB are selected. You will be asked to
    create some passwords, then it will install.

    You should now be able to reach the webmail client on your server at https://your.ip.address/mail and sign in to the postmaster account with
    postmaster@yourdomainname.com and the password you chose during installation.

  5. (Optional) - Install Webmin as a server control panel. Webmin makes it a lot easier to manage your server, and it's free. Go to webmin.com to download the version of Webmin for your OS.
    Since I'm using Rocky Linux, a Red Hat based OS, I download the rpm version with the command "wget http://prdownloads.sourceforge.net/webadmin/webmin-2.000-1.noarch.rpm", then
    I install the optional dependencies with "dnf install perl-Net-SSLeay perl-IO-Tty perl-Encode-Detect", then I install Webmin with "rpm -U webmin-2.000-1.noarch.rpm". On Rocky Linux I then
    had to open the Webmin port 10000 using the firewalld command "firewall-cmd --permanent --zone=iredmail --add-port=10000/tcp".

    If you don't want a browser based control panel, and want to do everything from the command line in PuTTY, then Midnight Commander is a great ncurses based file manager. On Rocky
    Linux I do a "dnf install mc" to install it.

  6. Next we have to properly set up the DNS zone for our server:

    First you need to set up the DNS zone for your server at the place your domain is hosted so your domain name points to the IP address of the server. I have mine
    at contabo.com, and it's pretty easy to set up there initially. I just go to my dashboard at Contabo, go to DNS Management, and create a new DNS zone with my
    domain name and IP address, and that will get you started. You should be able to reach your server by its domain name now.

    Next I create a DMARC record in my DNS zone with Name: _dmarc, Type: TXT, Data: v=DMARC1; p=none; pct=100; fo=1; rua=mailto:postmaster@wjack.org

    Then I create a CNAME record for the FQDN of my server, server1.wjack.org, pointing to wjack.org.

    Then I go to Contabo's reverse DNS Management page and set the reverse DNS of my IP address to my FQDN.

    Then I create a TXT record for my DKIM key (dkim_domainkey). With iRedMail you'll find the DKIM key in the email with details of the installation that is sent
    to you after you install iRedMail. The data you enter for the DKIM record is of the form v=DKIM1;p= followed by all the letters and numbers of the key, minus
    any quotation marks or spaces, after the p=

    Next I create an SPF TXT record in my DNS zone. Mine is a simple "v=spf1 mx -all".

    The mail server should now be able to send and receive email to and from anywhere without problems.
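    The DKIM step above is the one most often got wrong by hand, so here is an added example (not from the how-to or iRedMail) that does the joining for you: it takes the multi-line key as the installation mail prints it, strips the quotes, spaces and line breaks, checks the result is clean base64, and also reads back the policy from a DMARC value like the one above. The sample input is constructed and its key material is a placeholder.

```shell
#!/bin/sh
# Added example (not from the how-to): turn the multi-line DKIM key that the
# iRedMail post-install mail prints (amavisd "showkeys" layout) into the single
# TXT value a DNS control panel expects, and sanity-check the DMARC value from
# step 6. The sample below is constructed; the key material is a placeholder.

SAMPLE_DKIM='; key#1 2048 bits, i=dkim, d=wjack.org, /var/lib/dkim/wjack.org.pem
dkim._domainkey.wjack.org.   3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder"
  "KeyMaterialGoesHereAAAB")'

# dkim_txt_value: print "v=DKIM1;p=<key>" with the comment line, quotes,
# parentheses, spaces and line breaks removed, exactly as step 6 describes.
dkim_txt_value() {
    key=$(printf '%s\n' "$1" | grep -v '^;' | tr -d '"() \t\n' \
          | sed -n 's/.*v=DKIM1;p=//p')
    [ -n "$key" ] || { echo "no DKIM key found in input" >&2; return 1; }
    printf 'v=DKIM1;p=%s\n' "$key"
}

# dkim_key_is_valid: the part after p= must be pure base64, so a stray quote,
# space or line break left in the record is caught before it reaches DNS.
dkim_key_is_valid() {
    printf '%s' "${1#v=DKIM1;p=}" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# dmarc_policy: print the p= policy of a DMARC TXT value (none, quarantine or
# reject), or fail if the value is not a DMARC record at all.
dmarc_policy() {
    printf '%s\n' "$1" | grep -q '^v=DMARC1;' || return 1
    pol=$(printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' \
          | grep -E '^p=(none|quarantine|reject)$' | sed 's/^p=//')
    [ -n "$pol" ] || return 1
    printf '%s\n' "$pol"
}

# Stand-alone use: print the record value to paste into the DNS zone.
dkim_txt_value "$SAMPLE_DKIM"
```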

  7. Next we need to set up Let's Encrypt as our free SSL certificate provider:

    There are SSL certificates that come with iRedMail, but they are not recognized as trusted, so we need to set up Let's Encrypt to issue our SSL certs. Then we won't
    have to deal with the "connection not secure" warning and adding an exception to enter the site.

    The first thing is to install certbot. On Rocky Linux I do a "dnf install certbot". Certbot is the Let's Encrypt client for requesting and renewing SSL certs.

    Then I do a test with the --dry-run argument to see if it will be successful: "certbot certonly --webroot --dry-run -w /var/www/html -d server1.wjack.com -d www.wjack.com -d wjack.com"
    My web root is /var/www/html, so set yours to wherever your web root is. I requested certs for multiple domains with the -d argument so the certs will work if my server is accessed by any of those 3
    domain names.

    If the --dry-run above was successful then I run it for real: "certbot certonly --webroot -w /var/www/html -d server1.wjack.com -d www.wjack.com -d wjack.com".

    You'll then need to change permissions on two of the Let's Encrypt directories so Postfix/Dovecot/OpenLDAP/MariaDB/PostgreSQL will be able to access them. Run the command
    "chmod 0755 /etc/letsencrypt/{live,archive}".

    I then rename the iRedMail certs and link the new Let's Encrypt certs into their place with "mv /etc/pki/tls/certs/iRedMail.crt{,.bak}" and "mv /etc/pki/tls/private/iRedMail.key{,.bak}".
    Then "ln -s /etc/letsencrypt/live/server1.wjack.com/fullchain.pem /etc/pki/tls/certs/iRedMail.crt" and "ln -s /etc/letsencrypt/live/server1.wjack.com/privkey.pem /etc/pki/tls/private/iRedMail.key".
    *Notice - The certs for the three domains I requested from Let's Encrypt were put into one directory named after the first domain I requested, server1.wjack.com.

    Reboot your server, and your Let's Encrypt certs should now be in effect; you won't have to bother with adding an exception to reach your mail server anymore.

    Let's Encrypt certs are good for 3 months and have to be renewed, but certbot is configured for auto-renewal, so you shouldn't have to worry much about that. Still,
    I would check occasionally with the command "certbot certificates" to see the expiration date of the certs.
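    A check for the wiring done in this step, added here as an example and not part of the how-to or of certbot: it verifies the 0755 on live/ and archive/, that iRedMail.crt and iRedMail.key are the symlinks created above, and that the private key file itself stayed unreadable to others. The directory roots are parameters so it can be dry-run against a scratch tree; the defaults and the name server1.wjack.com are the paths used above, and GNU stat is assumed (Rocky Linux has it).

```shell
#!/bin/sh
# Added example (not from the how-to): verify the Let's Encrypt wiring from step 7
# on the running server. The roots are parameters so the check can be dry-run
# against a scratch tree; the defaults and the name "server1.wjack.com" are the
# paths the how-to uses. Assumes GNU stat (Rocky Linux has it).

check_le_wiring() {
    le_root=${1:-/etc/letsencrypt}    # certbot's tree
    pki_root=${2:-/etc/pki/tls}       # where iRedMail's daemons look for cert/key
    name=${3:-server1.wjack.com}      # first -d name given to certbot
    rc=0

    # 1. live/ and archive/ must be 0755 (step 7's chmod) so the daemons can traverse them.
    for d in live archive; do
        mode=$(stat -c '%a' "$le_root/$d" 2>/dev/null || true)
        [ "$mode" = 755 ] || { echo "$le_root/$d: mode '$mode', expected 755"; rc=1; }
    done

    # 2. iRedMail.crt / iRedMail.key must be the symlinks step 7 creates.
    for pair in "certs/iRedMail.crt:fullchain.pem" "private/iRedMail.key:privkey.pem"; do
        link=${pair%%:*}; target=${pair#*:}
        actual=$(readlink "$pki_root/$link" 2>/dev/null || true)
        [ "$actual" = "$le_root/live/$name/$target" ] \
            || { echo "$pki_root/$link -> '$actual', expected $le_root/live/$name/$target"; rc=1; }
    done

    # 3. The 0755 on the directories must not have leaked onto the key itself:
    #    the real file under archive/ has to stay unreadable to "others".
    keymode=$(stat -L -c '%a' "$pki_root/private/iRedMail.key" 2>/dev/null || true)
    case $keymode in
        ??0) ;;
        *)   echo "private key mode '$keymode' is readable by others"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "Let's Encrypt wiring OK for $name"
    return "$rc"
}

# Stand-alone use on the server:  check_le_wiring
# Postfix and Dovecot read the cert when they start, so after certbot renews it
# they need a reload (for example from a certbot --deploy-hook) to serve the new one.
```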

    If you installed Webmin you can use your Let's Encrypt certs with it instead of the default certs, so you won't have to add an exception to get to Webmin. Just edit the
    /etc/webmin/miniserv.conf file and add these two lines referencing your Let's Encrypt key and cert:
    keyfile=/etc/letsencrypt/live/server1.wjack.com/privkey.pem
    certfile=/etc/letsencrypt/live/server1.wjack.com/fullchain.pem
    
    The Email Server should be ready for real world use now. Have Fun!

  8. Additional email server setup and testing.

    Hopefully you have your email server up and running properly at this point. One way to test your email server is at mail-tester.com. It will test your mail server for spamminess and give you a rating
    from 1-10. It's important to know whether your mail server is being viewed as a possible spam sender, which can happen very easily if the server isn't configured properly. The server I just set up in
    the above how-to gets a perfect score of 10 from mail-tester.com. Setting up the DNS zone properly for your server is the most important thing to keep the internet from viewing you as a possible
    spammer.

    iRedMail comes with a nice set of protection features built in, like SpamAssassin, Fail2ban, Amavisd, clamd, and more. It comes out of the box ready to help fight off spam, hack attempts, and viruses,
    but there are adjustments you can make to protect your server further. Below are a few more things that can make your mail server more secure.


Powered by: Rocky Linux v9.4, Nginx v1.20.1, iRedMail v1.7.1

Please send any feedback to:
wjack@wjack.com