Like many of us, I use email a lot.
Currently I am using fastmail. It works quite well, but I have a few issues:
- Spam filter is hard to tune to my exact needs
- IMAP is slow from my location
In this post, I'll share how I configured my own IMAP server.
This is part one of two, and it focuses on IMAP.
First, to make the transition gradual, I'm going to use a second domain and configure a redirection within fastmail. I'll use my kuon.org site, which has no email setup yet.
The plan is to use the kuon.org domain for testing. When everything works, I will set up fastmail to send a copy of every message to my me@kuon.org address; then, after a few weeks, I'll change the kuon.ch MX.
So the (temporary) configuration will be:
me@kuon.ch -> fastmail -> redirect to me@kuon.org -> mail server
While in this setup, there will be no spam filter running on the server, as we will rely on fastmail's spam filter.
MX and DNS
Set up your MX record (which must not be a CNAME). If you want to deliver outgoing mail directly, without a relay, you also need a reverse DNS (PTR) record for the server's address; most receiving servers expect it to resolve back to the name you announce in EHLO.
SSL
The first thing is to create a TLS (SSL) certificate for SMTP and IMAP.
I use Let's Encrypt with certbot and DNS validation, which gives me an easy way to get a certificate. But your mileage may vary.
On OpenBSD, the rfc2136 plugin is not in ports, but it can be installed with pip after installing certbot:
# pkg_add certbot
# pip install certbot-dns-rfc2136
This lets me easily generate a certificate for mx.kuon.org. I am going to use this one name for everything, but you might prefer separate names such as smtp.example.com, imap.example.com, ...
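Certificates from Let's Encrypt expire after 90 days, so the renewal has to put the new files where smtpd and dovecot read them and make both daemons pick them up. The deploy hook below is an added example, not part of the original post. It assumes you install it with certbot's --deploy-hook option (certbot runs it as root after each renewal with RENEWED_LINEAGE set to the lineage's live directory) and that smtpd.conf's pki lines and dovecot's ssl_cert/ssl_key point at /etc/ssl/mail, which is an assumed location rather than the live directory used in the configs below.

```shell
#!/bin/sh
# Added example, not from the original post: certbot deploy hook for the mail
# certificate. Copies the renewed chain and key to /etc/ssl/mail (assumed
# location), keeps the key unreadable by anyone but its owner, then restarts
# smtpd and reloads dovecot so they use the new certificate.
set -eu

# install_mail_cert <lineage dir> <dest dir>
install_mail_cert() {
    lineage=$1
    dest=$2
    [ -d "$dest" ] || mkdir -p -m 0755 "$dest"
    # The chain is public. The key is copied under a private umask and renamed
    # into place, so it is never readable by other users, not even briefly.
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.new"
    chmod 0644 "$dest/fullchain.pem.new"
    ( umask 077; cp "$lineage/privkey.pem" "$dest/privkey.pem.new" )
    chmod 0600 "$dest/privkey.pem.new"
    mv "$dest/fullchain.pem.new" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.new" "$dest/privkey.pem"
}

# key_is_private <file>: succeeds only when the mode is exactly rw-------.
key_is_private() {
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# OpenSMTPD has no configuration reload, so it is restarted; dovecot reloads
# in place. Both tools exist only on the mail host and are skipped elsewhere.
reload_mail_daemons() {
    command -v rcctl >/dev/null 2>&1 && rcctl restart smtpd
    command -v doveadm >/dev/null 2>&1 && doveadm reload
    return 0
}

# certbot entry point; nothing happens when run by hand without the variable.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_mail_cert "$RENEWED_LINEAGE" /etc/ssl/mail
    key_is_private /etc/ssl/mail/privkey.pem
    reload_mail_daemons
fi
```

If you keep the configs pointing directly at /etc/letsencrypt/live as in this post, drop the copy and keep only the restart/reload part; the point of the hook is that a renewal is not complete until the daemons have actually loaded the new key and certificate.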
SMTP
For SMTP, we will use OpenSMTPD from OpenBSD. It is a small, easy-to-configure and stable SMTP server.
There will be three types of connection to the SMTP server:
1. Any SMTP server on the internet sending email to @kuon.ch
2. Authenticated users using SMTP as a relay (for example me with my phone when I am outside)
3. Internal clients sending emails (notifications, for example)
Types 2 and 3 can send email to any address, while type 1 can only send to local domains.
Here is the commented SMTP config:
# Let's encrypt keypair, be sure to set permission for the _smtpd user/group
pki keypair cert "/etc/letsencrypt/live/mx.kuon.org/fullchain.pem"
pki keypair key "/etc/letsencrypt/live/mx.kuon.org/privkey.pem"
table relaycreds file:/etc/mail/relaycreds
table creds file:/etc/mail/creds
table vdoms file:/etc/mail/vdoms
table vusers file:/etc/mail/vusers
# Internal listener on port 25. This is an open relay for my internal servers:
# anything that can reach vlan4 can send mail anywhere through it, which is
# acceptable on a private network, so I do not need encryption or auth here
listen on vlan4
# Outside listener on port 25
listen on vlan10 tls pki keypair
# Both following listener requires authentication
# SMTPS sending port
listen on vlan10 port 465 smtps pki keypair auth <creds>
# SMTP + STARTTLS sending port
listen on vlan10 port 587 tls-require pki keypair auth <creds>
# Action to deliver email to IMAP
action deliver lmtp "/var/dovecot/lmtp" virtual <vusers>
# For now, we will use fastmail SMTP, as SMTP without relay requires a reverse
# DNS record that I do not have yet
action send relay host "smtps://kuon@smtp.fastmail.com/" auth <relaycreds>
# Rules are evaluated in order and the first match wins. A connection from the
# internet for an address outside <vdoms> matches none of them and is rejected.
# Deliver local emails, this will deliver everything to user kuon because of
# catch all in vusers
match from local for local action deliver
# Accept email for domains in vdoms
match from any for domain <vdoms> action deliver
# Allow authenticated users to send emails
match from auth for any action send
# Allow local net (on vlan 4) to send email
match from src xxxx:xxxx:xxxx::/48 for any action send
match from src 10.0.0.0/8 for any action send
relaycreds
Be sure to set permissions correctly on this file, as mypassword is stored in clear text:
kuon myusername:mypassword
creds
IMAP and SMTP credentials. Generate the password hash with smtpctl encrypt:
kuon:$2b$09$12345678123456781234567812345678123567812345678123456
vdoms
Accept email for the following domains:
kuon.org
vusers
This redirects everything to my user account:
@ kuon
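The match rules above are what keeps the public listener from being an open relay, and the way to be sure they do is to test it from the outside rather than read the config. The probe below is an added example, not part of the original post: it runs one SMTP transaction with OpenBSD nc(1) (stopping before DATA, so nothing is ever delivered) and reports how the server answered RCPT TO. The host names and addresses in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check that a listener is not an
# open relay by sending EHLO, MAIL FROM, RCPT TO and QUIT with OpenBSD nc(1)
# and reading the reply to RCPT TO. Names and addresses are assumptions.
set -eu

# smtp_transcript <host> <port> <mail from> <rcpt to>
# Prints every reply the server sends. The sleep lets the greeting arrive
# before our commands; OpenBSD nc keeps reading until the server closes
# the connection after QUIT.
smtp_transcript() {
    { sleep 1
      printf 'EHLO probe.example.net\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nQUIT\r\n' "$3" "$4"
    } | nc -w 5 "$1" "$2"
}

# rcpt_code: reads a transcript on stdin and prints the three-digit code of
# the reply to RCPT TO. A reply ends on a line whose fourth character is a
# space (EHLO's extension lines use a dash), so RCPT TO is the fourth such
# line: greeting, EHLO, MAIL FROM, RCPT TO.
rcpt_code() {
    tr -d '\r' | awk '/^[0-9][0-9][0-9] / { if (++n == 4) { print substr($0, 1, 3); exit } }'
}

# relay_verdict <code>: maps the RCPT TO reply code to one word.
relay_verdict() {
    case "$1" in
        250) echo accepted ;;
        4[0-9][0-9]|5[0-9][0-9]) echo rejected ;;
        *) echo inconclusive ;;
    esac
}

# probe_relay <host> <port> <rcpt>: full check against a live server.
probe_relay() {
    code=$(smtp_transcript "$1" "$2" probe@example.net "$3" | rcpt_code)
    relay_verdict "${code:-}"
}

# Run from a host outside the private network. The public listener must answer
# "rejected" for a foreign recipient and "accepted" for one in <vdoms>:
#   PROBE_HOST=mx.kuon.org PROBE_RCPT=someone@example.com sh probe.sh
#   PROBE_HOST=mx.kuon.org PROBE_RCPT=me@kuon.org sh probe.sh
if [ -n "${PROBE_HOST:-}" ]; then
    probe_relay "$PROBE_HOST" "${PROBE_PORT:-25}" "${PROBE_RCPT:-someone@example.com}"
fi
```

Run it once from the internet against port 25 and once from a host on vlan4: the first must come back rejected for a foreign recipient, the second accepted, which is exactly the split the three connection types above describe. Ports 465 and 587 need an authenticated session, so an unauthenticated probe there should be rejected at RCPT TO (or at MAIL FROM, which this parser reports as inconclusive).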
IMAP
For IMAP, install dovecot:
pkg_add dovecot
pkg_add dovecot-pigeonhole
This installs dovecot and sieve filtering.
Be sure to update /etc/login.conf to allow more file descriptors for dovecot. Add:
dovecot:\
:openfiles=5000:\
:tc=daemon:
Then put the dovecot user in this class:
usermod -L dovecot _dovecot
The package installs a lot of configuration files in /etc/dovecot; you don't need all that, just create/replace /etc/dovecot/dovecot.conf. Note that the config below references a vmail user and group (for the lmtp service and as the owner of the mailboxes) and the /srv/mail directory, so make sure they exist.
# Select where you store emails
mail_home=/srv/mail/%Lu
mail_location=sdbox:~/Mail
protocols = imap lmtp sieve
protocol lmtp {
mail_plugins = $mail_plugins sieve
}
service lmtp {
user = vmail
# smtpd's deliveries connect to this socket. Mode 0666 lets every local user
# write to it, and so inject mail straight into mailboxes; on a box with other
# users, narrow it with user/group and a tighter mode.
unix_listener lmtp {
mode = 0666
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
vsz_limit = 128M
}
service managesieve {
process_limit = 1024
}
passdb {
driver = passwd-file
args = username_format=%n /etc/mail/creds
}
userdb {
driver = static
args = uid=vmail gid=vmail
}
ssl=yes
ssl_cert=</etc/letsencrypt/live/mx.kuon.org/fullchain.pem
ssl_key=</etc/letsencrypt/live/mx.kuon.org/privkey.pem
namespace {
inbox = yes
separator = /
}
plugin {
sieve = /srv/mail/%Lu/rules.sieve
}
This is quite self-explanatory. What is important is that it enables the ManageSieve server on port 4190, which lets users upload sieve filters with their IMAP credentials; the active script for each user is the rules.sieve file under their mail home.
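A concrete rules.sieve for this layout, as an added example that is not part of the original post: it writes a starter script into the mail home the config above expects (/srv/mail/<user>/rules.sieve) and compiles it with sievec(1) from pigeonhole when that is installed. The folder names, the mailing list and the notification sender address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: write a starter rules.sieve for
# the mail_home layout above and syntax-check it with sievec when available.
# Folder names, list address and notification sender are assumptions.
set -eu

# write_sieve_rules <mail home>: writes rules.sieve into the directory and
# prints its path. "mailbox" provides :create so folders are made on first
# delivery; "imap4flags" lets a rule mark a message as read.
write_sieve_rules() {
    home=$1
    mkdir -p "$home"
    cat > "$home/rules.sieve" <<'EOF'
require ["fileinto", "mailbox", "imap4flags"];

# Mailing list traffic is sorted by List-Id so it never lands in INBOX.
if header :contains "List-Id" "misc.openbsd.org" {
    fileinto :create "Lists/openbsd-misc";
    stop;
}

# Notifications from internal hosts (delivered through the vlan4 listener)
# go to their own folder already marked as read; the sender is an assumption.
if address :is "from" "notifications@kuon.org" {
    addflag "\\Seen";
    fileinto :create "Notifications";
    stop;
}

# Everything else stays in INBOX (implicit keep).
EOF
    printf '%s\n' "$home/rules.sieve"
}

# compile_sieve <script>: syntax check; skipped when pigeonhole is absent.
compile_sieve() {
    if command -v sievec >/dev/null 2>&1; then
        sievec "$1"
    fi
}

# Entry point: SIEVE_HOME=/srv/mail/kuon sh write-sieve.sh
if [ -n "${SIEVE_HOME:-}" ]; then
    compile_sieve "$(write_sieve_rules "$SIEVE_HOME")"
fi
```

Writing the file by hand like this works for a first setup; once you start managing filters over ManageSieve (port 4190), let the client upload the script instead, since dovecot then owns the active-script link at that path.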
References
I based a lot of the config on the following excellent article, which I recommend you read as well.