Private mail server on Raspberry PI Zero W with Postfix, Dovecot and Squirrelmail

Today we are used to send and receive email from internet by the great number of providers offering free mailbox services (Gmail, Hotmail, etc). However it could interesting (and funny) setting up a mail server at your home able to provide privacy to your messages (your mail will reside in your server).
This week my challenge has been building a basic mail server with a web interface able to accomplish simple works expected from this service: sending and receiving email. Bonus, this will be set up on a 30$ hardware plus a smartphone charger 😀
Going directly to the article, this is intended for medium-low experienced people, able just to work with an ssh connection to a debian OS.
If you want to study in deep components features and details, you can check their official sites:

What we need

Before starting, we must take in consideration a few factors:

  • if you want to receive emails from internet, you must have a Domain registered (may also be one of those of No-IP free service: see here). You could also need to consider networking tasks (firewall management, port forwarding, etc), but in a standard environment you suold be able to send and receive mail inside your network and (at least) sending mail to external addresses
  • consider that raspberry Pi Zero W has very poor hardware. Even if this procedure has been tested by me and is working, you could experience a bit of latency on terminal after postfix installation. However, you can test also this procedure on Raspbery Pi 3 to improve performances
  • this is a testing context, so no security features (antispam, antivirus, etc) has been deployed

That said, we’ll start from a Raspberry Pi Zero W with Raspbian installed following our guide.
We’ll use for our mailserver the FQDN “server.example.com“, that must be changed with whatever you decide to use (“example.com” must be changed with your domain name). So, mail addresses will appear something like user@server.example.com.

Step-by-step guide

My guide is strongly based on the ubuntu official (here the webpage). I’ve only correctes some steps adapting to Raspbian.
Let’s connect via SSH to our Raspberry and, after login, update our system:

sudo apt-get update
sudo apt-get upgrade

Installing Postfix

As described on Ubuntu Official Wiki, “Postfix is the default Mail Transfer Agent (MTA) for Ubuntu. It is in Ubuntu’s main repository, which means that it receives security updates. This guide explains how to install and configure postfix and set it up as an SMTP server using a secure connection.”.

sudo apt-get install postfix

Accept the defaults when the installation process asks questions. Configurations will be perfected in greater detail in the next steps.
Now we’ll go to detail configurations. From terminal:

sudo dpkg-reconfigure postfix

Insert the following details when asked (replacing <admin_user_name> and server.example.com with your domain name if you have one):

  • General type of mail configuration: Internet Site

  • NONE doesn’t appear to be requested in current config

  • System mail name: server.example.com

  • Root and postmaster mail recipient: <admin_user_name>

  • Other destinations for mail: server.example.com, example.com, localhost.example.com, localhost

  • Force synchronous updates on mail queue?: No

  • Local networks: 127.0.0.0/8

  • Yes doesn’t appear to be requested in current config

  • Mailbox size limit (bytes): 0

  • Local address extension character: +

  • Internet protocols to use: all

Now is a good time to decide which mailbox format you want to use. By default Postifx will use mbox for the mailbox format. Rather than editing the configuration file directly, you can use the postconf command to configure all postfix parameters. The configuration parameters will be stored in /etc/postfix/main.cf file. Later if you wish to re-configure a particular parameter, you can either run the command or change it manually in the file.

To configure the mailbox format for Maildir:

sudo postconf -e 'home_mailbox = Maildir/'

You may need to issue this as well:

sudo postconf -e 'mailbox_command ='

Note: This will place new mail in /home/username/Maildir so you will need to configure your Mail Delivery Agent to use the same path.

Configure Postfix to do SMTP AUTH using SASL (saslauthd):

sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'

Next edit /etc/postfix/sasl/smtpd.conf

sudo nano /etc/postfix/sasl/smtpd.conf

and add the following lines:

pwcheck_method: saslauthd
mech_list: plain login

Generate certificates to be used for TLS encryption and/or certificate Authentication (launch each command line by line and insert user description when required at your choise):

touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

Configure Postfix to do TLS encryption for both incoming and outgoing mail (remember to modify last command with your hostname):

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = server.example.com' # remember to change this to yours

Restart the postfix daemon:

sudo /etc/init.d/postfix restart

The next steps are to configure Postfix to use SASL for SMTP AUTH.

First you will need to install the libsasl2-2, sasl2-bin and libsasl2-modules from the Main repository [i.e. sudo apt-get install them all].

sudo apt-get install libsasl2-2 sasl2-bin libsasl2-modules

We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to change a couple of paths to live in the false root. (ie. /var/run/saslauthd becomes /var/spool/postfix/var/run/saslauthd):
First, we edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes, add the PWDIR, PARAMS, and PIDFILE lines and edit the OPTIONS line at the end:

sudo nano /etc/default/saslauthd

so that not commented lines appears like the following:

START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Next, we update the dpkg “state” of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:

sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

Finally, start saslauthd:

sudo /etc/init.d/saslauthd start

Installing Mail Delivery Agent (Dovecot)

In order to allow you or others to download email from other locations, you need to setup an IMAP or POP3 server.

The installation is extremely simple, just install the following packages:

  • dovecot-imapd
  • dovecot-pop3d

From terminal:

sudo apt-get install dovecot-imapd dovecot-pop3d

Let’s select protocols to be enabled when dovecot is started

sudo nano /etc/dovecot/dovecot.conf

add at the end of file the following lines:

protocols = pop3 pop3s imap imaps
pop3_uidl_format = %08Xu%08Xv
mail_location = maildir:/home/%u/Maildir

It is necessary to set mail_location in /etc/dovecot/conf.d/10-mail.conf or comment the line out. 10-mail.conf will override the mail_location in dovecot.conf:

sudo nano /etc/dovecot/conf.d/10-mail.conf

and change the following line:

mail_location = mbox:~/mail:INBOX=/var/mail/%u

with the following:

mail_location = maildir:~/Maildir

It’s a good idea to pre-create the Maildir for future users:

sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates

Let’s create a sample user with our pi default user:

sudo cp -r /etc/skel/Maildir /home/pi/
sudo chown -R pi:pi /home/pi/Maildir
sudo chmod -R 700 /home/pi/Maildir

Start dovecot:

/etc/init.d/dovecot start

Install Webmail (Squirrelmail)

Finally, we’re going to install our webmail application.
We need to start from Apache2 installation:

sudo apt-get install apache2

Because of some php5 dependencies, we need to enable jessie repository before proceeding in squirrelmail installation:

sudo nano /etc/apt/sources.list

add the following line to the end:

deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi

update packages list:

sudo apt-get update

Now we can install squirrelmail packages:

sudo apt-get install squirrelmail

Squirrelmail comes with a sample apache configuration file in /etc/squirrelmail/apache.conf. You can copy this file to /etc/apache2/sites-available/squirrelmail with the command:

sudo cp /etc/squirrelmail/apache.conf /etc/apache2/sites-available/squirrelmail.conf

then link it to the sites-enabled directory with the command:

sudo ln -s /etc/apache2/sites-available/squirrelmail.conf /etc/apache2/sites-enabled/squirrelmail.conf

Reload Apache Configuration:

sudo /etc/init.d/apache2 force-reload

Now test logging with a browser to “http://<<yourserver>>/squirrelmail” and using you “pi” user and password.
Enjoy!
PS: as said, be aware of

  • this is a test environment, it is strongly recommended to improve security, antivirus and antispam for production environments
  • Raspberry PI Zero W hardware is really poor. It seems to work with low loads, but it has to be tested with increasing traffic and antispam enabled
  • mail sent can be classified as “spam” by some mail providers (Gmail, hotmail, etc), so if you test your configuration, check recipients Spam directory

Bye!

Please follow and like us:
error