Support #958

Install iRedMail 1.3.2 on FreeBSD 12

Added by Daniel Curtis about 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Category: Mail Server
Start date: 02/12/2021
% Done: 100%

Description

Prepare the Environment

  • Make sure the system is up to date:
    pkg update && pkg upgrade
    
  • Update the ports tree:
    portsnap fetch extract
    
  • Install dependencies:
    pkg install portmaster screen
    
  • Edit the /etc/rc.conf file:
    vi /etc/rc.conf
    
    • And make sure the hostname is set:
      hostname="mx.example.com" 
      
  • Add or modify the /etc/hosts file:
    vi /etc/hosts
    
    • And make sure the hostname is set:
      127.0.0.1   mx.example.com mx localhost
      
  • Check the current hostname:
    hostname -f
    
    • The output should look similar to the following:
      mx.example.com
      

Install iRedMail

  • Install bash and openssl:
    pkg install bash openssl
    
  • Fetch and extract the iRedMail stable installer:
    cd
    fetch https://github.com/iredmail/iRedMail/archive/1.3.2.tar.gz
    tar xzf 1.3.2.tar.gz
    cd iRedMail-1.3.2
    
  • Run the iRedMail Installer:
    chmod +x iRedMail.sh
    bash iRedMail.sh
    

Configure iRedMail

The install process will pull in all the required packages during installation. Since each mail server is a little different, my setup uses the following parameters:
  • Default mail storage path: /var/vmail
  • Default web server: nginx
  • Preferred backend used to store mail accounts: MariaDB
  • First virtual domain name: example.com
  • Optional components:
    • DKIM signing/verification
    • iRedAdmin
    • Roundcubemail
    • phpMyAdmin
    • Awstats

When the installation finishes, all the login information and URLs will be placed in the iRedMail.tips file.


Securing iRedMail with SSL/TLS

NOTE: I've switched to LetsEncrypt for providing SSL certificates. To set up SSL with LetsEncrypt, refer to Issue #843.

The default location for the self-signed certificate is in /etc/ssl/certs/iRedMail.crt and the key is in /etc/ssl/private/iRedMail.key; I am going to change these to /usr/local/etc/ssl/mx.example.com.crt and /usr/local/etc/ssl/mx.example.com.key, respectively.

  • Start by creating a dhparam file:
    openssl dhparam -out /usr/local/etc/ssl/dhparams.pem 4096
    
  • Next, generate a strong private key and a CSR:
    openssl req -sha512 -out mx.example.com.csr -new -newkey rsa:4096 -nodes -keyout mx.example.com.key
    
  • When the SSL certificate is signed, copy it securely to /usr/local/etc/ssl/mx.example.com.crt
  • Edit the default nginx server block config:
    vi /usr/local/etc/nginx/conf.d/default.conf
    
    • And change the ssl_certificate_key, ssl_certificate, and ssl_dhparam paths (each nginx directive must end with a semicolon):
      ssl_certificate_key /usr/local/etc/ssl/mx.example.com.key;
      ssl_certificate /usr/local/etc/ssl/mx.example.com.crt;
      ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
      
  • Edit the main postfix config:
    vi /usr/local/etc/postfix/main.cf
    
    • And change the smtpd_tls_key_file, smtpd_tls_cert_file, smtpd_tls_CAfile, and smtpd_tls_dh1024_param_file paths:
      smtpd_tls_key_file = /usr/local/etc/ssl/mx.example.com.key
      smtpd_tls_cert_file = /usr/local/etc/ssl/mx.example.com.crt
      smtpd_tls_CAfile = /usr/local/etc/ssl/mx.example.com.crt
      smtpd_tls_dh1024_param_file = /usr/local/etc/ssl/dhparams.pem
      
  • Edit the dovecot config:
    vi /usr/local/etc/dovecot/dovecot.conf
    
    • And change the paths:
      ssl_cert = </usr/local/etc/ssl/mx.example.com.crt
      ssl_key = </usr/local/etc/ssl/mx.example.com.key
      

NOTE: To use an intermediate CA certificate, nginx requires the server certificate and the CA chain to be concatenated into a single file, server certificate first. This can be done by running:

cat mx.example.com.crt ca.cert.bundle.pem > mx.example.com.bundle.crt

DNS

A Record

  • From your DNS record manager, create an A record using the following template:
    NAME                TTL     TYPE    DATA
    www.example.com.    1800    A       10.0.0.3
    

PTR Record

  • From your DNS record manager, create a PTR record using the following template:
    NAME                    TTL     TYPE    DATA
    3.0.0.10.in-addr.arpa.    1800    PTR    mail.example.com.
    

MX Record

  • From your DNS record manager, create an MX record using the following template:
    NAME            PRIORITY    TYPE    DATA
    example.com.    10          mx      mail.example.com
    

SPF Record

  • From your DNS record manager, create a TXT record using the following template:
    NAME            TTL         TYPE    DATA
    example.com.    3600        TXT     v=spf1 mx mx:example.com -all
    

DKIM Record

  • Run the following command in a terminal to show your DKIM keys:
    amavisd showkeys
    
    • Example output:
      dkim._domainkey.example.com.   3600 TXT (
        "v=DKIM1; p=" 
        "YUVfMB0GCSqFGTb3DQEBAWAAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaK" 
        "txFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBok" 
        "FcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5" 
        "EV711qww34omquskkwIDFMRI")
      
  • From your DNS record manager, create a TXT record using the following template:
    NAME                          TTL         TYPE    DATA
    dkim._domainkey.example.com  3600        TXT     v=DKIM1; p=YUVfMB0GCSqFGTb3DQEBAWAAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaKtxFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBokFcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5EV711qww34omquskkwIDFMRI
    

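As an added example (not part of the original post or of iRedMail), the following Python script flattens the multi-string `amavisd showkeys` output above into the single-line TXT value used in the template, sanity-checks the v= and p= tags, and splits any value longer than 255 bytes into the separate strings a DNS TXT record requires. The embedded input is this page's own example output; the key in it is the page's illustrative value, not a live key.

```python
import base64
import re

# Sample `amavisd showkeys` output copied from this page (illustrative key, not a live one).
SHOWKEYS_OUTPUT = """\
dkim._domainkey.example.com.   3600 TXT (
  "v=DKIM1; p="
  "YUVfMB0GCSqFGTb3DQEBAWAAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaK"
  "txFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBok"
  "FcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5"
  "EV711qww34omquskkwIDFMRI")
"""
HEADER_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(?:IN\s+)?TXT\s+\(", re.M)
STRING_RE = re.compile(r'"([^"]*)"')

def parse_showkeys(text):
    """Flatten the parenthesised, multi-string record into one TXT value."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no TXT record header found")
    # The quoted pieces form one logical string: join them with no separator.
    value = "".join(STRING_RE.findall(text[m.end():]))
    return {"name": m.group(1), "ttl": int(m.group(2)), "value": value}

def dkim_tags(value):
    """Parse a 'k=v; k=v' DKIM tag list into a dict (whitespace tolerated)."""
    tags = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        k, _, v = part.partition("=")
        tags[k.strip()] = v.strip()
    return tags

def check_dkim_record(value):
    """Return a list of problems; an empty list means the record looks sane."""
    tags, problems = dkim_tags(value), []
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong v= tag")
    p = tags.get("p", "")
    if not p:
        problems.append("empty p= tag (key revoked, or the paste was cut)")
    else:
        try:  # binascii.Error is a ValueError subclass
            base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (dropped characters?)")
    return problems

def split_txt_strings(value, limit=255):
    """Split long values into <=255-byte strings, as DNS TXT RDATA requires."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]
```

Run `parse_showkeys(SHOWKEYS_OUTPUT)` and paste the returned value into the DNS record; if `check_dkim_record` reports a problem after publishing, the usual cause is a character dropped while copying the key.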