paapereira.xyz

✉️ Setting up a personal email server

I’ve been using my own personal email server for the last week.

These are my notes, inspired by Luke Smith’s emailwiz script.

Requirements

To set up your own email server you need to:

Server setup

I’ll be using Vultr to set up my email server.

You can get $100 of credit by using Luke Smith’s referral link. You can find it in his video description.

I chose a Debian 10 Cloud Compute machine in New York with a 10 GB SSD, 1 CPU, 512 MB of memory and 500 GB of bandwidth, for $3.50/month. Don’t forget to enable IPv6.

Make sure ports 25, 587 and 993 are reachable (SMTP, submission and IMAPS; the client settings at the end of this post use 993 and 587). In the case of Vultr you must open a ticket and ask for it, because port 25 is blocked by default.

In Vultr you can also set up a firewall. Open ports 25, 587 and 993, plus port 22 for ssh, ideally restricted to your own address.

Domain name

My domain name provider is Namecheap.

I’m using a ‘mail’ sub-domain. This way my setup uses ‘mail’ as the Host in the DNS records instead of ‘@’.

The difference is that I’ll be reaching my email server as ‘mail.mydomain.com’ instead of just ‘mydomain.com’, because ‘mydomain.com’ already points at another server.

Set up two A records with your server’s IPv4 address and two AAAA records with its IPv6 address. Don’t skip the AAAA records: SPF’s ‘a’ and ‘mx’ mechanisms match both record types, and a server that delivers over IPv6 without an AAAA record fails SPF.

Type          Host       Value
A Record      mail       10.11.12.13
A Record      www.mail   10.11.12.13
AAAA Record   mail       1234:aaaa:0:12ab:1111a:bcd:ffff:4444
AAAA Record   www.mail   1234:aaaa:0:12ab:1111a:bcd:ffff:4444

Also add an MX record for your domain. Even if ‘mydomain.com’ itself points to the server, use ‘mail.mydomain.com’ as the MX value: an MX must name a host that has A/AAAA records, not an IP address and not a CNAME.

Type        Host   Value                Priority
MX Record   @      mail.mydomain.com.   10

Accessing your server

You can access your server with ssh.

ssh root@mail.mydomain.com

Copy your ssh key to the server so you don’t need to type your password every time.

ssh-copy-id root@mail.mydomain.com

Now disable password authentication for ssh, so the server accepts only your private key.

vim /etc/ssh/sshd_config

Make sure ‘PasswordAuthentication’ is set to ’no’; that is the setting that actually blocks password logins. ‘UsePAM no’ additionally switches off PAM account and session handling, which is fine for key-only root access but means any PAM-based restrictions stop applying. Also check that neither keyword is already set earlier in the file: sshd honours the first occurrence of a keyword and ignores later ones.

UsePAM no
PasswordAuthentication no

Reload ‘sshd’. Keep this session open and confirm from a second terminal that a fresh key-based login still works before you log out, because a mistake here locks you out:

systemctl reload sshd
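The rule that most often defeats this step is that sshd takes the first occurrence of a keyword and ignores later ones, so ‘PasswordAuthentication no’ appended below an earlier ‘PasswordAuthentication yes’ changes nothing. The checker below is an added example (not part of this post) that models that rule for the unconditional part of sshd_config; the two config texts are constructed, and the PermitRootLogin expectation is an assumption of the example.

```python
"""Audit an sshd_config for the hardening this section applies.

Added example, not part of the original post. OpenSSH uses the *first*
occurrence of a keyword as the effective value and ignores later ones,
so 'PasswordAuthentication no' appended below an earlier
'PasswordAuthentication yes' changes nothing. This models that rule for
the main section of the file and reports what is actually in effect.
"""

# Constructed sample: an explicit 'yes' near the top, with the tutorial's
# edits appended at the bottom where sshd will ignore them.
SAMPLE_BAD = """\
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes

# tutorial edits appended here
PasswordAuthentication no
UsePAM no
"""

# Constructed sample: same keywords, each set once, near the top.
SAMPLE_GOOD = """\
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding no
"""

# Keyword -> value this section wants (lower-case: sshd keywords are
# case-insensitive). The PermitRootLogin entry is an assumption of this example.
EXPECTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "prohibit-password",
}


def effective_settings(config_text):
    """Return {keyword: value} the way sshd resolves the main section.

    Blank lines and '#' comments are ignored, 'Keyword value' and
    'Keyword=value' are both accepted, the first occurrence wins, and a
    'Match' line ends the unconditional section (Match blocks are
    conditional and need a separate check).
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means the file is as expected."""
    effective = effective_settings(config_text)
    findings = []
    for key, wanted in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly (sshd default applies)")
        elif got != wanted:
            findings.append(f"{key} is '{got}', expected '{wanted}'")
    return findings


if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit(text) or "OK")
```

On the server itself, `sshd -T` prints the fully resolved configuration, which is the authoritative check; the script above is for reasoning about a file before you reload.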

Server setup and install needed software

Upgrade Debian:

apt update && apt upgrade

Some ‘.bashrc’ configuration:

vim .bashrc

# ~/.bashrc: executed by bash(1) for non-login shells.

# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
# export LS_OPTIONS='--color=auto'
# eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

set -o vi

TERM=xterm

Install ‘nginx’ and ‘python-certbot-nginx’:

apt install nginx python-certbot-nginx

nginx setup

Configure your ‘mail.mydomain.com’ sub-domain:

cp /etc/nginx/sites-available/default /etc/nginx/sites-available/mail

vim /etc/nginx/sites-available/mail

server {
	listen 80 ;
	listen [::]:80 ;

	root /var/www/mail;

	index index.html index.htm index.nginx-debian.html;

	server_name mail.mydomain.com www.mail.mydomain.com;

	location / {
		try_files $uri $uri/ =404;
	}
}

Enabling:

ln -s /etc/nginx/sites-available/mail /etc/nginx/sites-enabled/

systemctl reload nginx

Create a certificate with certbot

Easy as:

certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): me@mydomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mail.mydomain.com
2: www.mail.mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mail

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/mail

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mail.mydomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mail.mydomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Setup the mail server

Here’s where Luke Smith’s script enters. It expects the certbot certificate for ‘mail.mydomain.com’ from the previous step, and it reconfigures Postfix, Dovecot and OpenDKIM system-wide, so read it before running it as root. Without a scheme, curl fetches over plain http and only then follows redirects, so spell out https:

curl -LO https://lukesmith.xyz/emailwiz.sh

sh emailwiz.sh

At the end the script prints three TXT records. Add them to your domain’s DNS: ‘Host’ is the record name under mydomain.com, and the ‘mail’ in ‘mail._domainkey’ is the DKIM selector, not the ‘mail’ sub-domain from above.

Type         Host              Value
TXT Record   @                 v=spf1 mx a:mail.mydomain.com -all
TXT Record   _dmarc            v=DMARC1; p=reject; rua=mailto:dmarc@mydomain.com; fo=1
TXT Record   mail._domainkey   v=DKIM1; k=rsa; p=XXXXXXX……

2021-06 Update: for the SPF record, I had to change it to the following to work.

Type         Host   Value
TXT Record   @      v=spf1 a mx ~all

Two things to be aware of with the new record. A bare ‘a’ on the ‘@’ host resolves ‘mydomain.com’ itself, so whatever that A/AAAA record points at (here, the other server) is also authorised to send mail for the domain. And ‘~all’ is a softfail: receivers treat unlisted senders as suspicious rather than rejecting them outright, unlike the ‘-all’ in the script’s version. Both ‘a’ and ‘mx’ match A and AAAA records, so the server’s IPv6 address must be in DNS if it ever delivers over IPv6.
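To make the difference between the two SPF records concrete, here is an added example (not part of this post or of emailwiz) that evaluates both against a hand-built DNS table mirroring the layout described here: the apex A record points at the other web server, the MX at the mail host. The hostnames and IPs are assumptions, the table is IPv4-only, and only the mechanisms these records use (a, mx, ip4, all) plus the RFC 7208 ten-lookup cap are implemented.

```python
"""Evaluate which sending IPs an SPF record authorises.

Added example, not from the original post or from emailwiz. A hand-built
DNS table stands in for the real zone and is IPv4-only; real evaluators
also match AAAA records for the 'a' and 'mx' mechanisms. Implemented:
the mechanisms used on this page (a, mx, ip4, all), the +/-/~/?
qualifiers, and RFC 7208's limit of ten DNS-querying mechanisms.
"""
import ipaddress

# Constructed zone mirroring this post: the apex points at an unrelated
# web server, the MX points at the mail host. Documentation-range IPs.
DNS = {
    ("mydomain.com", "A"): ["203.0.113.5"],        # the "other server"
    ("mydomain.com", "MX"): ["mail.mydomain.com"],
    ("mail.mydomain.com", "A"): ["10.11.12.13"],   # the mail server
}

ORIGINAL_SPF = "v=spf1 mx a:mail.mydomain.com -all"   # printed by emailwiz
UPDATED_SPF = "v=spf1 a mx ~all"                      # the 2021-06 change

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def addresses_of(name):
    return {ipaddress.ip_address(a) for a in lookup(name, "A")}


def evaluate(record, domain, sender_ip):
    """Return the SPF result (pass/fail/softfail/neutral/permerror)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    dns_mechanisms = 0
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain          # bare 'a'/'mx' mean the current domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            dns_mechanisms += 1
            matched = ip in addresses_of(target)
        elif mech == "mx":
            dns_mechanisms += 1
            matched = any(ip in addresses_of(mx) for mx in lookup(target, "MX"))
        else:
            return "permerror"          # include/exists/ptr etc. not modelled
        if dns_mechanisms > 10:
            return "permerror"          # RFC 7208 section 4.6.4
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no 'all' term


def compare(records, domain, sources):
    """{record: {ip: result}} for every record/source pair."""
    return {r: {ip: evaluate(r, domain, ip) for ip in sources} for r in records}


if __name__ == "__main__":
    sources = ["10.11.12.13", "203.0.113.5", "198.51.100.9"]
    for record, results in compare([ORIGINAL_SPF, UPDATED_SPF], "mydomain.com", sources).items():
        print(record)
        for ip, result in results.items():
            print(f"  {ip:16} {result}")
```

Running it shows the mail server passing under both records, the web server at the apex failing under the original record but passing under the updated one (the bare ‘a’), and an unknown third host getting ‘fail’ versus ‘softfail’.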

Create user mailboxes

Just create a user in the system:

useradd -G mail -m me
passwd me

This creates the mailbox for me@mydomain.com. The account password is also the IMAP and SMTP password, so pick a strong one.

You can also create aliases:

vim /etc/aliases

dmarc: me
mail: me

newaliases

This delivers mail sent to dmarc@mydomain.com and mail@mydomain.com to your me@mydomain.com mailbox; the dmarc alias is where the ‘rua’ reports from the DMARC record above end up.

Mail Clients

I’m using Thunderbird and K-9 Mail on Android.

Setup for a me@mydomain.com email:

                 Incoming             Outgoing
Protocol         IMAP                 SMTP
Server           mail.mydomain.com    mail.mydomain.com
Port             993                  587
SSL              SSL/TLS              STARTTLS
Authentication   Normal password      Normal password
Username         me                   me

Testing your new server

Check these sites to test if anything is wrong:

Also send an email to a Gmail account to see whether your mail lands directly in Spam. It can happen; it’s just something you (and the people you will be sending emails to) will have to live with.
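Whether the message landed in Spam is a coarse signal. Gmail’s ‘Show original’ view exposes an Authentication-Results header (RFC 8601) with the receiver’s own SPF, DKIM and DMARC verdicts, which tells you which record is wrong. The parser below is an added example (not from this post); the two messages are constructed to resemble Gmail’s header, one passing every check and one failing, and the selector ‘mail’ is the one from the mail._domainkey record.

```python
"""Read the receiver's SPF/DKIM/DMARC verdicts from a delivered message.

Added example, not from the original post. Gmail (and most providers)
add an Authentication-Results header (RFC 8601) to every inbound
message; in Gmail it is visible under "Show original". The two messages
below are constructed to resemble that header, one for a message that
passed every check and one for a message that did not.
"""
import re
from email import message_from_string

# Constructed: a message from this setup that passed. The selector 'mail'
# is the one from the mail._domainkey record; the header.b value is made up.
RAW_PASS = """\
Delivered-To: someone@gmail.com
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mydomain.com header.s=mail header.b=AbCdEf12;
       spf=pass (google.com: domain of me@mydomain.com designates 10.11.12.13 as permitted sender) smtp.mailfrom=me@mydomain.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mydomain.com
From: me@mydomain.com
To: someone@gmail.com
Subject: test

hello
"""

# Constructed: sent from an IP the SPF record does not list and with a
# DKIM signature that did not verify, so DMARC fails under p=reject.
RAW_FAIL = """\
Delivered-To: someone@gmail.com
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@mydomain.com header.s=mail header.b=AbCdEf12;
       spf=softfail (google.com: domain of transitioning me@mydomain.com does not designate 198.51.100.9 as permitted sender) smtp.mailfrom=me@mydomain.com;
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=mydomain.com
From: me@mydomain.com
To: someone@gmail.com
Subject: test

hello
"""

COMMENT = re.compile(r"\([^()]*\)")


def strip_comments(text):
    """Remove RFC 5322 comments, innermost first, so a ';' inside one
    cannot be mistaken for a clause separator."""
    while True:
        stripped = COMMENT.sub("", text)
        if stripped == text:
            return text
        text = stripped


def parse_authentication_results(raw_message):
    """Return {method: {'result': ..., 'authserv': ..., <ptype.prop>: value}}."""
    msg = message_from_string(raw_message)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(header.split())          # join continuation lines
        clauses = [c.strip() for c in strip_comments(unfolded).split(";")]
        authserv_id = clauses[0]
        for clause in clauses[1:]:
            if not clause:
                continue
            tokens = clause.split()
            method, _, result = tokens[0].partition("=")
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results[method.lower()] = {"result": result.lower(), "authserv": authserv_id, **props}
    return results


def problems(raw_message):
    """List the checks that did not pass; an empty list means all three passed."""
    verdicts = parse_authentication_results(raw_message)
    out = []
    for method in ("spf", "dkim", "dmarc"):
        if method not in verdicts:
            out.append(f"{method}: no result reported")
        elif verdicts[method]["result"] != "pass":
            out.append(f"{method}={verdicts[method]['result']}")
    return out


if __name__ == "__main__":
    print("passing message:", problems(RAW_PASS) or "all checks passed")
    print("failing message:", problems(RAW_FAIL))
```

Paste the raw message from ‘Show original’ into a file and feed it to problems(); ‘spf=softfail’ points at the SPF record or a missing AAAA record, ‘dkim’ anything but pass points at the mail._domainkey record or the selector, and ‘dmarc=fail’ with p=REJECT means the receiver is entitled to drop the message.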

Setting up backups

Check my BorgBackup posts for more info, but basically:

apt install borgbackup
ssh-keygen -o -a 100 -t ed25519
cat /root/.ssh/id_ed25519.pub

Add your key in BorgBase (Account > SSH Keys), create a new Repository and associate your SSH Key.

borg init --encryption=repokey-blake2 xxxx@xxxx.repo.borgbase.com:repo
echo "New backup"
borg create --list --progress --info --log-json --json --filter=AM -C lz4 --exclude '/root/.ssh/' xxxx@xxxx.repo.borgbase.com:repo::RepoName-{now:%Y-%m-%dT%H:%M:%S} /etc /var /root /opt /usr /boot /home/
echo "Prune"
borg prune -v --list --stats --keep-within=10d --keep-weekly=4 --keep-monthly=6 --keep-yearly=2 xxxx@xxxx.repo.borgbase.com:repo

With ‘repokey’ encryption the key lives inside the repository and is protected only by the passphrase, so keep an exported copy of the key and the passphrase somewhere other than this server; if the server is lost together with them, the backups are unrecoverable.

#Linux #Tags/Debian #Tags/Vultr #Tags/Namecheap