Support #776

Updated by Daniel Curtis over 8 years ago

{{>toc}} 

 One of the core services of the Internet is email, and as such I needed to set up a mail server for one of my projects. Rather than setting up postfix, dovecot, spamassassin, etc. by hand, I found the useful open source project iRedMail. Unfortunately, this project is not currently in the ports tree; however, the install script uses the ports tree to install each of the necessary packages. This guide uses a FreeBSD 10.3 environment. 

 h2. Update the system 

 * Login as root: 
 <pre> 
 su - 
 </pre> 

 * Update the ports tree 
 <pre> 
 portsnap fetch extract 
 </pre> 

 * Install portmaster 
 <pre> 
 pkg install portmaster 
 pkg2ng 
 </pre> 

 * Upgrade the base system 
 <pre> 
 pkg update && pkg upgrade 
 </pre> 

 * Add or modify the /etc/rc.conf file: 
 <pre> 
 vi /etc/rc.conf 
 </pre> 
 #* And make sure the hostname is set: 
 <pre> 
 hostname="mx.example.com" 
 </pre> 

 * Add or modify the /etc/hosts file: 
 <pre> 
 vi /etc/hosts 
 </pre> 
 #* And make sure the hostname is set: 
 <pre> 
 127.0.0.1     mx.example.com mx localhost 
 </pre> 

 * Check the current hostname: 
 <pre> 
 hostname -f 
 </pre> 
 #* The output should look similar to the following: 
 <pre> 
 mx.example.com 
 </pre> 

 *NOTE*: I had some issues trying to set the FQDN on a DigitalOcean droplet; I needed to set the hostname in the rc.local file: 
 <pre> 
 vi /etc/rc.local 
 </pre> 
 #* And add the following to the end of the file: 
 <pre> 
 hostname mx.example.com & 
 </pre> 

 --- 

 h2. Install iRedMail 

 * Install bash and openssl 
 <pre> 
 pkg install bash openssl 
 </pre> 

 * Fetch and extract the iRedMail stable installer: 
 <pre> 
 cd 
 fetch https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.5-1.tar.bz2 
 tar xjf iRedMail-0.9.5-1.tar.bz2 
 cd iRedMail-0.9.5-1 
 </pre> 

 * Run the iRedMail Installer: 
 <pre> 
 bash iRedMail.sh 
 </pre> 

 h3. Configure iRedMail 

 The install process will pull in all the required packages during installation. Since each mail server is a little different, my setup uses the following parameters: 
 * Default mail storage path: */var/vmail* 
 * Default web server: *nginx* 
 * Preferred backend used to store mail accounts: *MariaDB* 
 * First virtual domain name: *example.com* 
 * Optional components: 
 #* DKIM signing/verification 
 #* iRedAdmin 
 #* Roundcubemail 
 #* phpMyAdmin 
 #* Awstats 

 When the installation finishes, all the login information and URLs will be placed in the *iRedMail.tips* file. 

 --- 

 h2. Securing iRedMail with SSL/TLS 

 *NOTE*: I've switched to LetsEncrypt for providing SSL certificates. To set up SSL with LetsEncrypt, refer to Issue #843 

 The default location for the self-signed certificate is in @/etc/ssl/certs/iRedMail.crt@ and the key is in @/etc/ssl/private/iRedMail.key@; I am going to change these to @/usr/local/etc/ssl/mx.example.com.crt@ and @/usr/local/etc/ssl/mx.example.com.key@, respectively. 

 * Start by creating a dhparam file: 
 <pre> 
 openssl dhparam -out /usr/local/etc/ssl/dhparams.pem 4096 
 </pre> 

 * Next, generate a nice strong SSL key and CSR: 
 <pre> 
 openssl req -sha512 -out mx.example.com.csr -new -newkey rsa:4096 -nodes -keyout mx.example.com.key 
 </pre> 

 * When the SSL certificate is signed, copy it securely to */usr/local/etc/ssl/mx.example.com.crt* 

 * Edit the default nginx server block config: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/default.conf 
 </pre> 
 #* And change the *ssl_certificate_key*, *ssl_certificate*, and *ssl_dhparam* paths: 
 <pre> 
 ssl_certificate_key /usr/local/etc/ssl/mx.example.com.key; 
 ssl_certificate /usr/local/etc/ssl/mx.example.com.crt; 
 ssl_dhparam /usr/local/etc/ssl/dhparams.pem; 
 </pre> 

 * Edit the main postfix config: 
 <pre> 
 vi /usr/local/etc/postfix/main.cf 
 </pre> 
 #* And change the *smtpd_tls_key_file*, *smtpd_tls_cert_file*, *smtpd_tls_CAfile*, and *smtpd_tls_dh1024_param_file* paths: 
 <pre> 
 smtpd_tls_key_file = /usr/local/etc/ssl/mx.example.com.key 
 smtpd_tls_cert_file = /usr/local/etc/ssl/mx.example.com.crt 
 smtpd_tls_CAfile = /usr/local/etc/ssl/mx.example.com.crt 
 smtpd_tls_dh1024_param_file = /usr/local/etc/ssl/dhparams.pem 
 </pre> 

 * Edit the dovecot config: 
 <pre> 
 vi /usr/local/etc/dovecot/dovecot.conf 
 </pre> 
 #* And change the paths: 
 <pre> 
 ssl_cert = </usr/local/etc/ssl/mx.example.com.crt 
 ssl_key = </usr/local/etc/ssl/mx.example.com.key 
 </pre> 

 *NOTE*: To use an intermediate CA certificate, nginx requires the server certificate and the CA chain to be concatenated into a single file. This can be done by running: 
 <pre> 
 cat mx.example.com.crt ca.cert.bundle.pem > mx.example.com.bundle.crt 
 </pre> 
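After editing the three files above, nginx, postfix and dovecot should all point at the same certificate and key, and dovecot's values need the leading @<@ so the daemon reads the file instead of treating the value as inline PEM. This added Python check is not part of the original page or of iRedMail; it parses constructed fragments in the three config syntaxes and reports any inconsistency:

```python
import re

# Constructed config fragments that mirror the edits above; not copied from a
# live iRedMail install.
NGINX = """
ssl_certificate_key /usr/local/etc/ssl/mx.example.com.key;
ssl_certificate /usr/local/etc/ssl/mx.example.com.crt;
ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
"""
POSTFIX = """
smtpd_tls_key_file = /usr/local/etc/ssl/mx.example.com.key
smtpd_tls_cert_file = /usr/local/etc/ssl/mx.example.com.crt
smtpd_tls_CAfile = /usr/local/etc/ssl/mx.example.com.crt
"""
DOVECOT = """
ssl_cert = </usr/local/etc/ssl/mx.example.com.crt
ssl_key = </usr/local/etc/ssl/mx.example.com.key
"""

def tls_paths(nginx, postfix, dovecot):
    """Return {daemon: (cert, key)} parsed from the three config syntaxes.
    An nginx directive without its trailing ';' is deliberately not matched,
    since nginx -t would reject it anyway."""
    ng = dict(re.findall(r'^\s*(ssl_certificate(?:_key)?)\s+(\S+?);', nginx, re.M))
    pf = dict(re.findall(r'^\s*(smtpd_tls_(?:cert|key)_file)\s*=\s*(\S+)', postfix, re.M))
    dc = dict(re.findall(r'^\s*(ssl_(?:cert|key))\s*=\s*(\S+)', dovecot, re.M))
    return {
        "nginx": (ng.get("ssl_certificate"), ng.get("ssl_certificate_key")),
        "postfix": (pf.get("smtpd_tls_cert_file"), pf.get("smtpd_tls_key_file")),
        "dovecot": (dc.get("ssl_cert"), dc.get("ssl_key")),
    }

def check_tls_paths(nginx, postfix, dovecot):
    """List problems: dovecot values must start with '<' (read from file, not
    inline PEM), and with that prefix stripped all daemons must agree."""
    problems = []
    paths = tls_paths(nginx, postfix, dovecot)
    for label, value in zip(("ssl_cert", "ssl_key"), paths["dovecot"]):
        if not (value or "").startswith("<"):
            problems.append("dovecot %s must be '<path' so the file is read" % label)
    paths["dovecot"] = tuple(v[1:] if (v or "").startswith("<") else v
                             for v in paths["dovecot"])
    for i, kind in enumerate(("certificate", "key")):
        values = {d: p[i] for d, p in paths.items()}
        if len(set(values.values())) != 1:
            problems.append("%s path differs between daemons: %s" % (kind, values))
    return problems
```

On a real host, read the three files with open() and pass their contents in place of the constructed strings.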

 h2. DNS 

 h3. A Record 

 * From your DNS record manager, create an A record using the following template: 
 <pre> 
 NAME                  TTL       TYPE      DATA 
 www.example.com.      1800      A         10.0.0.3 
 </pre> 

 h3. PTR Record 

 * From your DNS record manager, create a PTR record using the following template: 
 <pre> 
 NAME                      TTL       TYPE      DATA 
 3.0.0.10.in-addr.arpa.    1800      PTR       mail.example.com. 
 </pre> 

 h3. MX Record 

 * From your DNS record manager, create a MX record using the following template: 
 <pre> 
 NAME              PRIORITY      TYPE      DATA 
 example.com.      10            MX        mail.example.com 
 </pre> 

 h3. SPF Record 

 * From your DNS record manager, create a TXT record using the following template: 
 <pre> 
 NAME              TTL           TYPE      DATA 
 example.com.      3600          TXT       v=spf1 mx mx:example.com -all 
 </pre> 

 h3. DKIM Record 

 * Run the following command to show your DKIM keys: 
 <pre> 
 amavisd showkeys 
 </pre> 
 #* _Example output_: 
 <pre> 
 dkim._domainkey.example.com.     3600 TXT ( 
   "v=DKIM1; p=" 
   "YUVfMB0GCSqFGTb3DQEBAWAAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaK" 
   "txFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBok" 
   "FcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5" 
   "EV711qww34omquskkwIDFMRI") 
 </pre> 

 * From your DNS record manager, create a TXT record using the following template: 
 <pre> 
 NAME                            TTL           TYPE      DATA 
 dkim._domainkey.mydomain.com    3600          TXT       v=DKIM1; p=YUVfMB0GCSqFGTb3DQEBAWAAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaKtxFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBokFcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5EV711qww34omquskkwIDFMRI 
 </pre> 
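The @amavisd showkeys@ output has to be flattened into one TXT value as in the template above, and a hand-typed SPF record is easy to get wrong (a duplicated version tag or a second @-all@). This added Python helper is not from the page or from iRedMail; the SPF check is a simplified syntax check, not a full RFC 7208 evaluator, and it runs on the page's own sample values:

```python
import re

# amavisd showkeys output as shown on this page (the key material is the
# page's example, not a live key).
SHOWKEYS_SAMPLE = '''dkim._domainkey.example.com.     3600 TXT (
  "v=DKIM1; p="
  "YUVfMB0GCSqFGTb3DQEBAWAAA4GNADCBiQKBgQDYArsr2BKbdhv9efugByf7LhaK"
  "txFUt0ec5+1dWmcDv0WH0qZLFK711sibNN5LutvnaiuH+w3Kr8Ylbw8gq2j0UBok"
  "FcMycUvOBd7nsYn/TUrOua3Nns+qKSJBy88IWSh2zHaGbjRYujyWSTjlPELJ0H+5"
  "EV711qww34omquskkwIDFMRI")
'''

def flatten_showkeys(text):
    """Turn amavisd showkeys output into (name, ttl, txt_value).
    The quoted fragments are joined: BIND splits long TXT data into
    255-byte strings, but most DNS panels want one unbroken value."""
    head = re.match(r'\s*(\S+)\s+(\d+)\s+TXT\s*\(', text)
    if not head:
        raise ValueError("not amavisd showkeys output")
    return head.group(1), int(head.group(2)), "".join(re.findall(r'"([^"]*)"', text))

SPF_MECHANISMS = {"all", "a", "mx", "ip4", "ip6", "include", "exists", "ptr"}

def check_spf(record):
    """Return problems with an SPF TXT value (empty list means it looks sane).
    Simplified syntax check, not a full RFC 7208 evaluator: catches a repeated
    version tag, stray quotes, a missing or duplicated 'all', 'all' not last,
    and unknown mechanisms."""
    problems = []
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        problems.append("record must start with v=spf1")
    if record.count("v=spf1") > 1:
        problems.append("version tag v=spf1 appears more than once")
    if '"' in record:
        problems.append("stray quote characters inside the record")
    alls = [i for i, t in enumerate(terms) if t.strip('"').lstrip("+-~?") == "all"]
    if len(alls) != 1:
        problems.append("expected exactly one 'all' term, found %d" % len(alls))
    elif alls[0] != len(terms) - 1:
        problems.append("'all' must be the last term")
    for t in terms[1:]:
        name = t.strip('"').lstrip("+-~?").split(":")[0].split("/")[0]
        if name not in SPF_MECHANISMS and not name.startswith(("redirect=", "exp=")):
            problems.append("unknown mechanism or modifier: %s" % t)
    return problems
```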

 h2. Resources 

 * http://www.iredmail.org/docs/install.iredmail.on.freebsd.html 
 * http://www.iredmail.org/download.html 
 * https://bitbucket.org/zhb/iredmail 
 * http://www.iredmail.org/docs/setup.dns.html
