GNet Solutions » FreeBSD Administration

• Table of contents
• Prepare the Environment
• Install iRedMail
  • Configure iRedMail
• Securing iRedMail with SSL/TLS
• DNS
  • A Record
  • PTR Record
  • MX Record
  • SPF Record
  • DKIM Record
• Resources

Prepare the Environment¶

• Make sure system is up to date:
  

  pkg update && pkg upgrade
  

• Update the ports tree
  

  portsnap fetch extract
  

• Install dependencies
  

  pkg install portmaster screen
  

• Edit the /etc/rc.conf file:
  

  vi /etc/rc.conf
  

  • And make sure the hostname is set:
    

    hostname="mx.example.com" 
    

• Add or modify the /etc/hosts file:
  

  vi /etc/hosts
  

  • And make sure the hostname is set:
    

    127.0.0.1   mx.example.com mx localhost
    

• Check the current hostname:
  

  hostname -f
  

  • The output should look similar to the following:
    

    mx.example.com
    

---

Install iRedMail¶

• Install bash and openssl
  

  pkg install bash openssl
  

• Fetch and extract the iRedMail stable installer:
  

  cd
  fetch https://github.com/iredmail/iRedMail/archive/1.3.2.tar.gz
  tar xzf 1.3.2.tar.gz
  cd iRedMail-1.3.2
  

• Run the iRedMail Installer:
  

  chmod +x iRedMail.sh
  bash iRedMail.sh
  

Configure iRedMail¶

The install process will pull in all the required packages during installation. Since each mail server is a little different, my setup uses the following parameters:

• Default mail storage path: /var/vmail
• Default web server: nginx
• Preferred backend used to store mail accounts: MariaDB
• First virtual domain name: example.com
• Optional components:
  • DKIM signing/verification
  • iRedAdmin
  • Roundcubemail
  • phpMyAdmin
  • Awstats

When the installation finishes, all the login information and URLs will be placed in the iRedMail.tips file.

---

Securing iRedMail with SSL/TLS¶

NOTE: I've switched to LetsEncrypt for providing SSL certificates. To setup SSL with LetsEncrypt refer to Issue #843

The default location for the self-signed certificate is in /etc/ssl/certs/iRedMail.crt and the key is in /etc/ssl/private/iRedMail.key; I am going to change these to /usr/local/etc/ssl/mx.example.com.crt and /usr/local/etc/ssl/mx.example.com.key, respectively.

• Start by create a dhparam file:
  

  openssl dhparam -out /usr/local/etc/ssl/dhparams.pem 4096
  

• Next, generate a nice strong SSL key and CSR:
  

  openssl req -sha512 -out mx.example.com.csr -new -newkey rsa:4096 -nodes -keyout mx.example.com.key
  

• When the SSL certificate is signed, copy it securely to /usr/local/etc/ssl/mx.example.com.crt

• Edit the default nginx server block config:
  

  vi /usr/local/etc/nginx/conf.d/default.conf
  

  • And change the ssl_certificate_key, ssl_certificate, and ssl_dhparam paths:
    

    ssl_certificate_key /usr/local/etc/ssl/mx.example.com.key
    ssl_certificate /usr/local/etc/ssl/mx.example.com.crt
    ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
    

• Edit the main postfix config:
  

  vi /usr/local/etc/postfix/main.cf
  

  • And change the smtpd_tls_key_file, smtpd_tls_cert_file, smtpd_tls_CAfile, and smtpd_tls_dh1024_param_file paths:
    

    smtpd_tls_key_file = /usr/local/etc/ssl/mx.example.com.key
    smtpd_tls_cert_file = /usr/local/etc/ssl/mx.example.com.crt
    smtpd_tls_CAfile = /usr/local/etc/ssl/mx.example.com.crt
    smtpd_tls_dh1024_param_file = /usr/local/etc/ssl/dhparams.pem
    

• Edit the dovecot config:
  

  vi /usr/local/etc/dovecot/dovecot.conf
  

  • And change the paths:
    

    ssl_cert = </usr/local/etc/ssl/mx.example.com.crt
    ssl_key = </usr/local/etc/ssl/mx.example.com.key
    

NOTE: To use an intermediate CA certificate nginx requires all SSL certificate be attached all in a single file. This can be done by running:

cat mx.example.com.crt ca.cert.bundle.pem > mx.example.com.bundle.crt

DNS¶

A Record¶

• From your DNS record manager, create an A record using the following template:
  

  NAME                TTL     TYPE    DATA
  www.example.com.    1800    A       10.0.0.3
  

PTR Record¶

• From your DNS record manager, create a PTR record using the following template:
  

  NAME                    TTL     TYPE    DATA
  3.0.0.10.in-addr.arpa.    1800    PTR    mail.example.com.
  

MX Record¶

• From your DNS record manager, create a MX record using the following template:
  

  NAME            PRIORITY    TYPE    DATA
  example.com.    10          mx      mail.example.com
  

SPF Record¶

• From your DNS record manager, create a TXT record using the following template:
  

  NAME            PRIORITY    TYPE    DATA
  example.com.    3600        TXT     v=spf1 mx mx:example.com -all
  

DKIM Record¶

• Run command in terminal to show your DKIM keys:
  

  amavisd showkeys
  

  • Example output:
    

    dkim._domainkey.example.com.   3600 TXT (
      "v=DKIM1; p=" 
      "YUVfMB0GCSqFGTb3DQEBAWAAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaK" 
      "txFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBok" 
      "FcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5" 
      "EV711qww34omquskkwIDFMRI")
    

• From your DNS record manager, create a TXT record using the following template:
  

  NAME                          PRIORITY    TYPE    DATA
  dkim._domainkey.example.com  3600        TXT     v=DKIM1; p=YUVfMB0GCSqFGTb3DQEBAWAAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaKtxFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBokFcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5EV711qww34omquskkwIDFMRI
  

Resources¶

• http://www.iredmail.org/docs/install.iredmail.on.freebsd.html
• http://www.iredmail.org/download.html
• https://github.com/iredmail/iRedMail
• http://www.iredmail.org/docs/setup.dns.html