Private email server on Raspberry PI with Postfix, Dovecot and Squirrelmail

Today we are used to send and receive email from internet by the great number of providers offering free mailbox services (Gmail, Hotmail, etc). However it could interesting (and funny) setting up a private email server at your home able to provide privacy to your messages (your mail will reside in your Raspberry PI server).

This week my challenge has been building a basic mail server with a web interface able to accomplish simple works expected from this service: sending and receiving email. Bonus, this will be set up on a 30$ hardware plus a smartphone charger 😀

Going directly to the article, this is intended for medium-low experienced people, able just to work with an ssh connection to a debian OS. If you want to study in deep components features and details, you can check their official sites:

• Postfix
• Dovecot
• Squirrelmail

What We Need

Before starting, we must take in consideration a few factors:

• if you want to receive emails from internet, you must have a Domain registered (may also be one of those of No-IP free service). You could also need to consider networking tasks (firewall management, port forwarding, etc), but in a standard environment you should be able to send and receive mail inside your network and (at least) sending mail to external addresses
• consider that Raspberry Pi Zero W has very poor hardware. Even if this procedure has been tested by me and is working, you could experience a bit of latency on terminal after postfix installation. However, you can test also this procedure on Raspberry PI 3 Model A+, Raspberry Pi 3 Model B or Raspberry Pi 4 Model B to improve performances
• this is a test context, so no security features (antispam, antivirus, etc) has been deployed. For production environments you should consider adding security components

That said, we’ll start from very cheap hardware. I suggest adding to your shopping chart all needed hardware, so that at the end you will be able to evaluate overall costs and decide if continuing with the project or removing them from shopping chart.

• Raspberry PI 3 Model A+ (including proper power supply or using a smartphone micro usb charger with at least 3A) or newer Raspberry PI Board
• high speed micro SD card (at least 16 GB, at least class 10)

We’ll use for our mailserver a generic FQDN “example.com“, that must be changed with whatever you decide to use (“example.com” must be changed with your domain name). So, mail addresses will appear something like user@example.com.

Check hardware prices with following links:

Step-by-step guide

Start from a fresh Raspberry PI OS Lite installation.

Connect via SSH to our Raspberry and, after login, update your system. From termina, use following command:

sudo apt update -y && sudo apt upgrade -y

Installing Postfix

Postfix is the default Mail Transfer Agent (MTA) for Ubuntu (the most known Debian distro). It is used to route email messages between different computers.

In this first installation process a few setup questions will be prompted to you. Use default settings, it will be completely configured in next step. To install it:

sudo apt install postfix

Now we’ll go to detail configurations. From terminal:

sudo dpkg-reconfigure postfix

After first setup notification, insert the following details when asked (replacing <admin_user_name> and server.example.com with your domain name if you have one):

• General type of mail configuration: Internet Site
• System mail name: example.com
• Root and postmaster mail recipient: <admin_user_name>
• Other destinations for mail: server.example.com, example.com, localhost.example.com, localhost, raspberrypi
• Force synchronous updates on mail queue?: No
• Local networks: 127.0.0.0/8
• Mailbox size limit (bytes): 0
• Local address extension character: +
• Internet protocols to use: all

Now is a good time to decide which mailbox format you want to use. By default Postifx will use mbox for the mailbox format. Rather than editing the configuration file directly, you can use the postconf command to configure all postfix parameters. The configuration parameters will be stored in /etc/postfix/main.cf file. Later if you wish to re-configure a particular parameter, you can either run the command or change it manually in the file.

To configure the mailbox format for Maildir:

sudo postconf -e 'home_mailbox = Maildir/'

You may need to issue this as well:

sudo postconf -e 'mailbox_command ='

Note: This will place new mail in /home/username/Maildir so you will need to configure your Mail Delivery Agent to use the same path.

Configure Postfix to do SMTP AUTH using SASL (saslauthd):

sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'

Next edit smtpd.conf:

sudo nano /etc/postfix/sasl/smtpd.conf

and add the following lines:

pwcheck_method: saslauthd
mech_list: plain login

Generate certificates to be used for TLS encryption and/or certificate Authentication (launch each command line by line and insert user description when required at your choise):

touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt

Last command will require you some preferences to create your Distinguished Name. Compile them according your preferences. Now following command:

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

This command will again ask you for a PEM passphrase (at your choice) and again your Distinguished Name configuration. Move keys to ssl folder:

sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

Configure Postfix to do TLS encryption for both incoming and outgoing mail (remember to modify last command with your hostname):

sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = example.com' # remember to change this to yours

Restart the postfix daemon:

sudo systemctl restart postfix.service

Next steps are to configure Postfix to use SASL for SMTP AUTH.

First you will need to install the libsasl2-2, sasl2-bin and libsasl2-modules from the Main repository [i.e. sudo apt-get install them all].

sudo apt install libsasl2-2 sasl2-bin libsasl2-modules

We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to change a couple of paths to live in the false root. (ie. /var/run/saslauthd becomes /var/spool/postfix/var/run/saslauthd):
First, we edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes, add the PWDIR, PARAMS, and PIDFILE lines and edit the OPTIONS line at the end:

sudo nano /etc/default/saslauthd

so that not commented lines appears like the following:

START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Next, we update the dpkg “state” of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:

sudo dpkg-statoverride --force-all --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

This could give a warning that “–update given” and the “/var/spool/postfix/var/run/saslauthd” directory does not exist. You can ignore this because when you start saslauthd next it will be created. Finally, start saslauthd:

sudo systemctl start saslauthd.service

Installing Mail Delivery Agent (Dovecot)

In order to allow you or others to download email from other locations, you need to setup an IMAP or POP3 server.

The installation is extremely simple, just install the following packages:

• dovecot-imapd
• dovecot-pop3d

From terminal:

sudo apt install dovecot-imapd dovecot-pop3d

Let’s select protocols to be enabled when dovecot is started

sudo nano /etc/dovecot/dovecot.conf

add at the end of file the following lines:

protocols = pop3 pop3s imap imaps
pop3_uidl_format = %08Xu%08Xv
mail_location = maildir:/home/%u/Maildir

It is necessary to set mail_location in /etc/dovecot/conf.d/10-mail.conf or comment the line out. 10-mail.conf will override the mail_location in dovecot.conf:

sudo nano /etc/dovecot/conf.d/10-mail.conf

and change the following line:

mail_location = mbox:~/mail:INBOX=/var/mail/%u

to the following:

mail_location = maildir:~/Maildir

It’s a good idea to pre-create the Maildir for future users:

sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates

Let’s create a sample user with our pi default user:

sudo cp -r /etc/skel/Maildir /home/pi/
sudo chown -R pi:pi /home/pi/Maildir
sudo chmod -R 700 /home/pi/Maildir

Start dovecot:

sudo systemctl start dovecot.service

Install Webmail (Squirrelmail)

Finally, we’re going to install our webmail application.
We need to start from Apache2 installation:

sudo apt install apache2

Because of some php5 dependencies, we need to enable jessie repository before proceeding in squirrelmail installation:

sudo nano /etc/apt/sources.list

add the following line to the end:

deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi

update packages list:

sudo apt-get update

Now we can install squirrelmail packages:

sudo apt-get install squirrelmail

Squirrelmail comes with a sample apache configuration file in /etc/squirrelmail/apache.conf. You can copy this file to /etc/apache2/sites-available/squirrelmail with the command:

sudo cp /etc/squirrelmail/apache.conf /etc/apache2/sites-available/squirrelmail.conf

then link it to the sites-enabled directory with the command:

sudo ln -s /etc/apache2/sites-available/squirrelmail.conf /etc/apache2/sites-enabled/squirrelmail.conf

Reload Apache Configuration:

sudo /etc/init.d/apache2 force-reload

Now test logging with a browser to “http://<<yourserver>>/squirrelmail” and using you “pi” user and password.
Enjoy!

PS: as said, be aware of

• to receive mails from internet, you must set a port forwarding rule on your router with port 25 (UDP and TCP) forwarded to your RPI server
• this is a test environment, it is strongly recommended to improve security, antivirus and antispam for production environments
• Raspberry PI Zero W hardware is really poor. It seems to work with low loads, but it has to be tested with increasing traffic and antispam enabled
• mail sent can be classified as “spam” by some mail providers (Gmail, hotmail, etc), so if you test your configuration, check recipients Spam directory

Enjoy!