Summary from [WayBack] Dear #lazyweb, can anyone point me to a modern email server setup (just email) with letsencrypt, some spam filter, multi domain preferably on RHEL/Cent… – Jan Wildeboer – Google+
- many SMTP servers on the interwebs do not have proper TLS setups, so do not require remote SMTP servers to deliver email with a proper certificate
- delivering mail via SMTP using STARTTLS with a proper certificate yourself is a good step forward
- postfix
- dovecot
- greylisting (although in practice it does not make much of a difference any more)
- fail2ban
- dnsbl (often called rbl)
- spamassassin
- rspamd (supports SPF, DKIM and many others)
- letsencrypt automation can be tough, so here is a small wrapper: [WayBack] GitHub – DrGlitchMX/update-letsencrypt: Tiny script for updating “Let’s Encrypt!” certificates from cron
- it helps to have letsencrypt and the mail server on one machine:
- multidomain let’s encrypt cert that has my webserver name and the mailserver in the Subject Alternative Names field. As both are on the same machine certbot can automatically update it and I just point Postfix and Dovecot to the LE files.
- Hans-Martin Mosner: SMTP as-is is just not suitable for the kind of decentralized mail that you would prefer. You need some mechanism to determine which mail senders to trust and which not. Cryptography is suitable at the MUA level and should be used much more, but at the MTA level, TLS for privacy and SPF (bleh) or DKIM (meh) for sender domain authentication are basically your only weapons - much too weak. The PGP web of trust must be considered a failed experiment – who of your mail contacts uses PGP properly or at all? Ironically the only secure messaging solutions for the masses are centralized.
- A bit large, but might be an option: Zimbra. Multidomain and spam out of the box. Certs are well documented. Just disable logging, which consumes way too many resources.
- Guides
- [WayBack] Mailserver mit Dovecot, Postfix, MySQL und Rspamd unter Debian 9 Stretch
- [WayBack] ISPmail tutorials – workaround.org (Postfix, Dovecot IMAP/POP3 and MySQL backend on a Debian server just)
- [WayBack] ISPmail guide for Debian Stretch – workaround.org
- [WayBack] What’s new in the Stretch guide? – workaround.org
- [WayBack] Migrating from a Jessie to a Stretch mail server – workaround.org
- [WayBack] The big picture – workaround.org
- [WayBack] Types of email domains – workaround.org
- [WayBack] Install Debian Stretch on your server – workaround.org
- [WayBack] Install the software packages – workaround.org
- [WayBack] Creating a TLS encryption key and certificate – workaround.org
- [WayBack] Preparing the database – workaround.org
- [WayBack] Making Postfix get its information from the MySQL database – workaround.org
- [WayBack] Setting up Dovecot – workaround.org
- [WayBack] Making Postfix send emails to Dovecot – workaround.org
- [WayBack] Testing IMAP and setting up Roundcube webmail – workaround.org
- [WayBack] Testing email delivery – workaround.org
- [WayBack] Relaying with SMTP authentication – workaround.org
- [WayBack] Filtering out spam with rspamd – workaround.org
- The SMTP equivalent to the EICAR virus test is the GTUBE test which you can download at [WayBack] GTUBE
- [WayBack] Filtering out viruses and malware – workaround.org
- [WayBack] DNS MX records – workaround.org
- [WayBack] Prevent spoofing with DKIM – workaround.org
- [WayBack] Managing users, aliases and domains – workaround.org
- [WayBack] Fighting brute force attacks – workaround.org
- [WayBack] ISPmail guide for Debian Jessie – workaround.org
- The above covers (though I wish it did without MariaDB / MySQL):
- Receive emails on your domain(s).
- Filter out spam and malware.
- Send emails out to any other servers/domains on the internet. Connections will be encrypted when possible.
- Add cryptographic signatures (DKIM) to outgoing emails.
- Store as many emails for as many email addresses as you have disk space. Set limits (“quotas”) per user.
- Let your users fetch email using IMAP or POP3 and send email through your servers using SMTP.
- Allow users to manage server-based filter rules. Distribute incoming emails to different folders. Forward copies. Or send out-of-office notifications.
- Provide a webmail interface so users can access their emails securely from any location.
- Mitigate brute force attacks.
- [WayBack] ISPmail guide for Debian Stretch – workaround.org
Things to do:
- find a proper multi-MX fallback setup guide for postfix
–jeroen