We recommend you follow this tutorial using a Production-Optimized Instance.
Setting up a secure mail server on Ubuntu 22.04 LTS (Jammy Jellyfish)
- security
- DKIM
- Rspamd
- MariaDB
- Roundcube
- dmarc
In this tutorial you will learn how to configure a mail server that uses Postfix, Dovecot, Rspamd, DKIM, and MariaDB to deliver mail securely. You will also learn how to install the Roundcube webmail interface so that you can read your emails directly from your browser.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An SSH key
- An Instance running Ubuntu Bionic Beaver or later
- A domain or subdomain configured to point to the IP address of your Instance
- Enabled the SMTP ports to send emails from your Instance
Pre-work and system preparation
Before you continue with this tutorial, some configuration is required to make sure your mail server will be working.
- To ensure that other servers will accept emails sent from your Instance, a valid reverse DNS within your own domain name (for example `mail.domain.com`) must be configured.
- The SMTP ports must have been unlocked in the security group of the server.
1. Update the system:
```bash
apt update && apt upgrade -y
```
2. Ensure no conflicting mail software is installed:
```bash
service sendmail stop
update-rc.d -f sendmail remove
```
Note: If the message `Failed to stop sendmail.service` appears, it can be safely ignored.
Install Nginx, PHP, and MariaDB
1. Install the required packages:
```bash
apt install nginx mariadb-server php8.1-fpm php8.1-cli php8.1-imap php8.1-json php8.1-mysql php8.1-opcache php8.1-mbstring php8.1-readline php8.1-intl -y
```
2. Secure the MariaDB installation:
```bash
mysql_secure_installation
```
During the setup, provide answers to secure your MariaDB installation (set the root password, remove anonymous users, disallow remote root login, etc.). Refer to Installing and Securing MariaDB for further details regarding the configuration of MariaDB.
Install and configure PostfixAdmin
1. Download and extract PostfixAdmin (the archive downloaded from GitHub is named `postfixadmin-3.3.13.tar.gz`, in lowercase):
```bash
wget https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.13.tar.gz
tar xzf postfixadmin-3.3.13.tar.gz
mv postfixadmin-*/ /var/www/postfixadmin
```
2. Set the correct file permissions:
```bash
chown -R www-data: /var/www/postfixadmin
```
3. Log into MariaDB using the `root` user:
```bash
mysql -u root -p
```
Run the following SQL commands to create a MariaDB database for PostfixAdmin (replace `your_secret_password` with a strong password of your own):
```sql
CREATE DATABASE postfixadmin;
GRANT ALL ON postfixadmin.* TO 'postfixadmin'@'localhost' IDENTIFIED BY 'your_secret_password';
FLUSH PRIVILEGES;
EXIT;
```
4. Create the PostfixAdmin configuration file:
```bash
nano /var/www/postfixadmin/config.local.php
```
Add the following content, using the database password you chose above:
```php
<?php
$CONF['configured'] = true;
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'your_secret_password';
$CONF['database_name'] = 'postfixadmin';
?>
```
5. Initialize the PostfixAdmin database schema:
```bash
sudo -u www-data php /var/www/postfixadmin/public/upgrade.php
```
6. Create an `admin` user for PostfixAdmin:
```bash
bash /var/www/postfixadmin/scripts/postfixadmin-cli admin add
```
Follow the prompts to add your email address and create the admin user.
7. Create an Nginx configuration file for PostfixAdmin:
```bash
nano /etc/nginx/sites-available/mail.example.com.conf
```
Add the following configuration (replace `mail.example.com` with your mail domain):
```nginx
server {
    listen 80;
    server_name mail.example.com;
    root /var/www;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location /postfixadmin {
        index index.php;
        try_files $uri $uri/ /postfixadmin/public/login.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```
8. Activate the Nginx configuration and reload:
```bash
ln -s /etc/nginx/sites-available/mail.example.com.conf /etc/nginx/sites-enabled/
systemctl reload nginx
```
Generate and apply a Let’s Encrypt TLS/SSL certificate
1. Install Certbot for Nginx:
```bash
apt install certbot python3-certbot-nginx -y
```
2. Run the following command to generate a Let’s Encrypt TLS/SSL certificate for your mail domain:
```bash
certbot --nginx -d mail.example.com
```
Follow the prompts to enter your email, agree to the terms, and choose the HTTPS options. Certbot automatically configures TLS for Nginx and restarts the service.
3. Visit `https://mail.example.com` to ensure your website is now accessible via HTTPS with the TLS/SSL certificate applied.
Install and configure Postfix and Dovecot
1. Install Postfix, Dovecot, and the necessary packages:
```bash
apt install postfix postfix-mysql dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysql -y
```
2. After installing Postfix, update its configuration to use the Let’s Encrypt certificate:
```bash
postconf -e 'smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem'
postconf -e 'smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem'
postconf -e 'smtpd_use_tls=yes'
postconf -e 'smtpd_tls_security_level=may'
postconf -e 'smtp_tls_security_level=may'
```
3. Configure Dovecot to use the TLS certificate. Edit the file `/etc/dovecot/conf.d/10-ssl.conf`:
```bash
nano /etc/dovecot/conf.d/10-ssl.conf
```
Update the SSL settings:
```
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
ssl_dh = </etc/ssl/certs/dhparam.pem
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_prefer_server_ciphers = yes
```
The `ssl_dh` setting must point to an existing Diffie-Hellman parameters file, otherwise Dovecot refuses to start. If `/etc/ssl/certs/dhparam.pem` does not exist on your Instance, generate it first with `openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048`.
4. Restart Dovecot to apply the changes:
```bash
systemctl restart dovecot
```
Configure DKIM with Rspamd
1. Install Redis and Rspamd:
```bash
apt install redis-server rspamd -y
```
2. Generate the DKIM key pair and configure Rspamd for signing:
```bash
mkdir /var/lib/rspamd/dkim/
rspamadm dkim_keygen -b 2048 -s mail -k /var/lib/rspamd/dkim/mail.key > /var/lib/rspamd/dkim/mail.pub
```
Rspamd runs as the `_rspamd` user, which must be able to read the private key; make sure the ownership of the `/var/lib/rspamd/dkim/` directory allows this (for example with `chown -R _rspamd:_rspamd /var/lib/rspamd/dkim/`). The private key must not be readable by other users.
3. Add the DKIM signing configuration by opening the file `/etc/rspamd/local.d/dkim_signing.conf` in a text editor:
```bash
nano /etc/rspamd/local.d/dkim_signing.conf
```
Then add the following content:
```
selector = "mail";
path = "/var/lib/rspamd/dkim/$selector.key";
allow_username_mismatch = true;
```
4. Restart Rspamd to apply the configuration:
```bash
systemctl restart rspamd
```
5. Retrieve the DKIM public key for your domain:
```bash
cat /var/lib/rspamd/dkim/mail.pub
```
Add the output as a `TXT` record to your domain’s DNS zone (the record name is `mail._domainkey`, matching the selector) to publish your DKIM public key in DNS. Refer to How to manage DNS records for further information.
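Before publishing the record, and again after the DNS change has propagated, it is worth checking that the TXT value is well-formed and that the key served by DNS is the one in `mail.pub`. The following script is an added example, not code from the tutorial; the sample `mail.pub` contents and the `p=` value in it are constructed placeholders rather than a real key, and the DNS side is whatever `dig +short TXT mail._domainkey.example.com` prints on your machine.

```python
# Added example, not code from the Scaleway tutorial: sanity-check the DKIM TXT
# record produced by `rspamadm dkim_keygen` and compare it with what DNS serves.
import base64
import re

# Constructed stand-in for /var/lib/rspamd/dkim/mail.pub. rspamadm prints a
# BIND-style TXT record split into quoted strings; the p= value here is a
# placeholder DER prefix, NOT a real 2048-bit RSA key.
FAKE_P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(16)).decode()
SAMPLE_PUB = ('mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "\n'
              '\t"p=' + FAKE_P[:10] + '"\n\t"' + FAKE_P[10:] + '"\n) ;\n')

def join_txt_strings(text):
    """Concatenate the quoted strings of a TXT record, as a resolver does."""
    return "".join(re.findall(r'"([^"]*)"', text))

def parse_dkim_tags(record):
    """Split 'tag=value; ...' into a dict; RFC 6376 ignores whitespace inside p=."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_dkim_record(record):
    """Return a list of problems; an empty list means the record is publishable."""
    tags, problems = parse_dkim_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for a key generated with rspamadm -b 2048")
    p = tags.get("p", "")
    if not p:  # an empty p= tells receivers the key is revoked
        return problems + ["p= is empty"]
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        return problems + ["p= is not valid base64"]
    if der[:1] != b"\x30":  # a SubjectPublicKeyInfo is a DER SEQUENCE
        problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
    return problems

def published_matches_local(local_pub_text, dns_txt_text):
    """True when the p= served by DNS (dig +short TXT output) equals the p= in mail.pub."""
    local = parse_dkim_tags(join_txt_strings(local_pub_text)).get("p")
    published = parse_dkim_tags(join_txt_strings(dns_txt_text)).get("p")
    return bool(local) and local == published
```

Feed `check_dkim_record` the joined value of your real `mail.pub`, and `published_matches_local` the file contents plus the `dig` output; a mismatch usually means a stale or truncated TXT record.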
Install Roundcube Webmail
1. Install the PHP dependencies for Roundcube:
```bash
apt install php-intl php-mail-mime php-net-smtp php-net-socket php-pear php-xml php-gd php-imagick -y
```
2. Log into MariaDB using the `root` user:
```bash
mysql -u root -p
```
Execute the following SQL commands to create a MariaDB database for Roundcube (replace `your_secret_password` with a strong password of your own):
```sql
CREATE DATABASE roundcubemail;
GRANT ALL ON roundcubemail.* TO 'roundcube'@'localhost' IDENTIFIED BY 'your_secret_password';
FLUSH PRIVILEGES;
EXIT;
```
3. Download and install Roundcube:
```bash
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.1/roundcubemail-1.6.1-complete.tar.gz
tar xzf roundcubemail-1.6.1-complete.tar.gz
mv roundcubemail-1.6.1 /var/www/webmail
chown -R www-data: /var/www/webmail
```
4. Edit the Nginx configuration file (`/etc/nginx/sites-enabled/mail.example.com.conf`):
```bash
nano /etc/nginx/sites-enabled/mail.example.com.conf
```
And add the following section for Roundcube inside the `server` block:
```nginx
location /webmail {
    index index.php;
    try_files $uri $uri/ /webmail/index.php;
}
```
5. Restart Nginx to apply the changes:
```bash
systemctl restart nginx
```
6. Complete the Roundcube setup by visiting `https://mail.example.com/webmail/installer/` and following the web-based setup.
7. Remove the installer directory for security, as it allows anyone who can reach it to reconfigure the webmail:
```bash
rm -rf /var/www/webmail/installer
```
Automate SSL renewal with Certbot
Let’s Encrypt certificates have a limited validity. The `certbot` package installs a systemd timer that runs `certbot renew` periodically; verify that the renewal would succeed with a dry run:
```bash
certbot renew --dry-run
```
Certbot reloads Nginx itself after a renewal, but Dovecot (and, to be safe, Postfix) only pick up the new certificate when reloaded. A Certbot deploy hook, that is an executable script placed in `/etc/letsencrypt/renewal-hooks/deploy/` that runs `systemctl reload postfix dovecot`, takes care of this after every successful renewal.