Setting up your own email server on Linux from scratch is a pain in the butt, if you are not an advanced user. This tutorial will be showing you how to use iRedMail to quickly set up a full-featured mail server on Ubuntu 18.04, saving you lots of time and headaches.
What is iRedMail?
iRedMail is a shell script that automatically installs and configures all necessary mail server components on your Linux/BSD server, thus eliminating manual installation and configuration. With iRedMail, you can easily create unlimited mailboxes and unlimited mail domains in a web-based admin panel. Mailbox accounts can be stored in a MariaDB/MySQL or PostgreSQL database, or in OpenLDAP. The following is a list of the open-source software that will be automatically installed and configured by iRedMail.
- Postfix SMTP server
- Dovecot IMAP server
- Nginx web server to serve the admin panel and webmail
- OpenLDAP, MySQL/MariaDB, or PostgreSQL for storing user information
- Amavisd-new for DKIM signing and verification
- SpamAssassin for anti-spam
- ClamAV for anti-virus
- Roundcube webmail
- SOGo groupware, providing webmail, calendar (CalDAV), contacts (CardDAV), tasks and ActiveSync services.
- Fail2ban for protecting SSH
- mlmmj mailing list manager
- Netdata server monitoring
- iRedAPD Postfix policy server for greylisting
Step 1: Choose the Right Hosting Provider and Buy a Domain Name
To set up a complete email server with iRedMail, you need a server with at least 2GB RAM, because after the installation, your server will use more than 1GB of RAM.
Go to the SiveHost website to create an account and choose the 2GB unmanaged Linux VPS plan.
Once you have created an account, SiveHost will send you an email with the server's SSH login details. To log into your server, you use an SSH client. If you are using Linux or macOS on your computer, simply open a terminal window and run the following command to log into your server. Replace 12.34.56.78 with your server's IP address.
ssh root@12.34.56.78
You will be asked to enter the password. If you are using Windows, please read the following article on how to use an SSH client.
You also need a domain name.
The MX record specifies which host or hosts handle email for a particular domain name. For example, the host that handles email for linuxbabe.com is mail.linuxbabe.com. If someone with a Gmail account sends an email to somebody@linuxbabe.com, the Gmail server will query the MX record of linuxbabe.com. When it finds out that mail.linuxbabe.com is responsible for accepting email, it then queries the A record of mail.linuxbabe.com to get the IP address, so the email can be delivered.
In your DNS manager, create an MX record for your domain name. Enter @ in the Name field to represent the main domain name, then enter mail.your-domain.com in the Value field.
Note: The hostname in the MX record cannot be an alias (CNAME) to another name. Also, it's highly recommended that you use hostnames rather than bare IP addresses in the MX record.
Your DNS manager may require you to enter a preference value (aka priority value). It can be any number between 0 and 65,356. A small number has higher priority than a big number. It's recommended that you set the value to 0, so this mail server will have the highest priority for receiving emails. After creating the MX record, you also need to create an A record for mail.your-domain.com, so that it can be resolved to an IP address. If your server uses an IPv6 address, be sure to add an AAAA record as well.
Hint: If you use the Cloudflare DNS service, you should not enable the CDN feature when creating the A record for mail.your-domain.com. Cloudflare does not support SMTP proxying.
Step 3: Configuring Hostname
Log into your server via SSH, then run the following command to update existing software packages.
sudo apt update
sudo apt upgrade
And set a fully qualified domain name (FQDN) for your server with the following command.
sudo hostnamectl set-hostname mail.your-domain.com
We also need to update the /etc/hosts file with a command line text editor like Nano.
sudo nano /etc/hosts
Edit it like below. (Use arrow keys to move the cursor in the file.)
127.0.0.1 mail.your-domain.com localhost
Save and close the file. (To save a file in the Nano text editor, press Ctrl+O, then press Enter to confirm. To close the file, press Ctrl+X.)
To see the changes, re-login and then run the following command to see your hostname.
hostname -f
Step 4: Setting up Mail Server on Ubuntu 18.04 with iRedMail
Run the following commands to download the latest version of the iRedMail script installer from its GitHub repository.
sudo apt install git
git clone https://github.com/iredmail/iRedMail.git
Then cd into the newly created directory.
cd iRedMail/
Add executable permission to the iRedMail.sh script.
chmod +x iRedMail.sh
Next, run the Bash script with sudo privilege.
sudo bash iRedMail.sh
The mail server setup wizard will appear. Use the Tab key to select Yes and press Enter.
The next screen will ask you to select the mail storage path. You can use the default one, /var/vmail, so simply press Enter.
Then choose whether you want to run a web server. It’s highly recommended that you choose to run a web server because you need the web-based admin panel to add email accounts. Also, it allows you to access the Roundcube webmail. By default, Nginx web server is selected, so you can simply press Enter. (An asterisk indicates the item is selected.)
Then select the storage backend for email accounts. Choose one that you are familiar with. This tutorial chose MariaDB. Press the up and down arrow keys to move and the space bar to select.
If you selected MariaDB or MySQL, then you will need to set the MySQL root password.
Note that if you selected MariaDB, you don't need a password to log into the MariaDB shell. Instead of running the normal command mysql -u root -p, you can run the following command to log in with sudo and without providing the MariaDB root password.
sudo mysql -u root
This is because the MariaDB package on Ubuntu 18.04 uses the unix_socket authentication plugin, which allows users to connect to MariaDB with their OS credentials, but you still need to set a root password in the iRedMail setup wizard.
Next, enter your first mail domain. You can add additional mail domains later in the web-based admin panel. This tutorial assumes that you want an email account like john.doe@your-domain.com. In that case, you need to enter your-domain.com here, without sub-domain. Do not press the space bar after your domain name. I think iRedMail will copy the space character along with your domain name, which can result in installation failure.
Next, set a password for the mail domain administrator.
Choose optional components. By default, 4 items are selected. If you would like to have SOGo groupware, select it and press Enter.
Now you can review your configuration. Type Y to begin the installation of all mail server components.
At the end of the installation, choose y to use the firewall rules provided by iRedMail and restart the firewall.
Now the iRedMail installation is complete. You will be shown the URLs of the webmail, SOGo groupware and web admin panel, and the login credentials. The iRedMail.tips file contains important information about your iRedMail server.
Reboot your Ubuntu 18.04 server.
sudo shutdown -r now
Once your server is back online, you can visit the web admin panel.
https://mail.your-domain.com/iredadmin/
Note that in the above URL, the sub-directory for accessing the admin panel is /iredadmin/, not /iredmail/. And because it's using a self-signed TLS certificate, you need to add a security exception in your web browser.
Step 5: Installing Let’s Encrypt TLS Certificate
Since the mail server is using a self-signed TLS certificate, both desktop mail client users and webmail client users will see a warning. To fix this, we can obtain and install a free Let’s Encrypt TLS certificate.
Obtaining the Certificate
First, log into your server again via SSH and run the following commands to install Let’s Encrypt (certbot) client on Ubuntu 18.04.
sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt install certbot
iRedMail has already configured TLS settings in the default Nginx virtual host, so here I recommend using the webroot plugin, instead of the nginx plugin, to obtain the certificate. Run the following command. Replace you@example.com and mail.your-domain.com with your actual data.
sudo certbot certonly --webroot --agree-tos --email you@example.com -d mail.your-domain.com -w /var/www/html/
When it asks you if you want to receive communications from EFF, you can choose No.
If everything went well, you will see text indicating that you have successfully obtained a TLS certificate. Your certificate and chain have been saved in the /etc/letsencrypt/live/mail.your-domain.com/ directory.
Failure to Obtain TLS Certificate
If certbot failed to obtain a TLS certificate, it may be because your DNS records have not propagated across the Internet yet. Depending on the domain registrar you use, your DNS records might propagate instantly, or it might take up to 24 hours. You can go to https://dnsmap.io and enter your mail server's hostname (mail.your-domain.com) to check DNS propagation.
If certbot failed to obtain a certificate and you saw the following message,
Failed authorization procedure. mail.linuxbabe.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://mail.linuxbabe.com/.well-known/acme-challenge/IZ7hMmRE4ZlGW7cXYoq2Lc_VrFzVFyfW6E0pzNlhiOA: Timeout during connect (likely firewall problem)
It might be that you have set an AAAA record for mail.your-domain.com, but the Nginx web server doesn't listen on the IPv6 address. To fix this error, edit the /etc/nginx/sites-enabled/00-default.conf file.
sudo nano /etc/nginx/sites-enabled/00-default.conf
Find the following line.
#listen [::]:80;
Remove the # character to enable IPv6 for this Nginx virtual host.
listen [::]:80;
Save and close the file. Then edit the SSL virtual host /etc/nginx/sites-enabled/00-default-ssl.conf.
sudo nano /etc/nginx/sites-enabled/00-default-ssl.conf
Add the following line.
listen [::]:443 ssl http2;
Save and close the file. Then test Nginx configuration.
sudo nginx -t
If the test is successful, reload Nginx for the change to take effect.
sudo systemctl reload nginx
Run the following command again to obtain the TLS certificate. Replace you@example.com and mail.your-domain.com with your actual data.
sudo certbot certonly --webroot --agree-tos --email you@example.com -d mail.your-domain.com -w /var/www/html/
Now you should be able to successfully obtain TLS certificate.
Installing the Certificate in Nginx
After obtaining a TLS certificate, let’s configure Nginx web server to use it. Edit the SSL template file.
sudo nano /etc/nginx/templates/ssl.tmpl
Find the following 2 lines.
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;
Replace them with:
ssl_certificate /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.your-domain.com/privkey.pem;
Save and close the file. Then test the Nginx configuration and reload.
sudo nginx -t
sudo systemctl reload nginx
Visit the iRedMail admin panel again; your web browser won't warn you anymore because Nginx is now using a valid TLS certificate.
Installing TLS Certificate in Postfix and Dovecot
We also need to configure the Postfix SMTP server and the Dovecot IMAP server to use the Let's Encrypt issued certificate so that desktop mail clients won't display security warnings. Edit the main configuration file of Postfix.
sudo nano /etc/postfix/main.cf
Find the following 3 lines (lines 95, 96, 97).
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
Replace them with:
smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.your-domain.com/chain.pem
Save and close the file. Then reload Postfix.
sudo systemctl reload postfix
Next, edit the main configuration file of Dovecot.
sudo nano /etc/dovecot/dovecot.conf
Find the following 2 lines (lines 47, 48).
ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key
Replace them with:
ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem
Save and close the file. Then reload Dovecot.
sudo systemctl reload dovecot
From now on, desktop mail users won’t see security warnings.
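The script below is an added example, not part of the tutorial or of iRedMail, that performs the certificate switch for Nginx, Postfix and Dovecot from this step and the previous one in a single pass. It assumes the file names used above: the Let's Encrypt files under /etc/letsencrypt/live/<hostname>/, the iRedMail template /etc/nginx/templates/ssl.tmpl, /etc/postfix/main.cf and /etc/dovecot/dovecot.conf. Before touching any file it checks that certbot's four files exist, it keeps a .bak of each original, and it refuses to continue if an expected line is missing, so a half-edited configuration is never reloaded. The optional second argument is a root prefix, which lets you rehearse the edit on copies of the files.

```shell
#!/usr/bin/env bash
# Added example: point Nginx, Postfix and Dovecot at the Let's Encrypt files.
# Usage: sudo bash install-le-cert.sh mail.your-domain.com
#        bash install-le-cert.sh mail.your-domain.com /tmp/sandbox   (dry run on copies)

# Replace every occurrence of $2 with $3 in file $1.  The first swap on a
# file keeps a .bak copy of the original.  Returns 1 if the file is missing
# or the old string is not present, so a wrong path is caught, not skipped.
swap_path() {
    file="$1" old="$2" new="$3"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    grep -Fq "$old" "$file" || { echo "not found in $file: $old"; return 1; }
    [ -f "$file.bak" ] || cp -p "$file" "$file.bak"
    # '|' as the sed delimiter keeps the slashes in the paths out of the expression
    sed -i "s|$old|$new|g" "$file"
}

install_le_cert() {
    host="$1"
    root="${2:-}"                 # prefix for a dry run; empty on the live system
    live="/etc/letsencrypt/live/$host"

    # Preflight: the files certbot wrote must exist before we point at them.
    for f in fullchain.pem privkey.pem cert.pem chain.pem; do
        [ -f "$root$live/$f" ] || { echo "missing $root$live/$f; run certbot first"; return 1; }
    done

    # Nginx template: full chain + key
    swap_path "$root/etc/nginx/templates/ssl.tmpl" \
        "/etc/ssl/certs/iRedMail.crt" "$live/fullchain.pem" || return 1
    swap_path "$root/etc/nginx/templates/ssl.tmpl" \
        "/etc/ssl/private/iRedMail.key" "$live/privkey.pem" || return 1

    # Postfix: key, leaf certificate, chain (the three smtpd_tls_* lines)
    swap_path "$root/etc/postfix/main.cf" \
        "smtpd_tls_key_file = /etc/ssl/private/iRedMail.key" \
        "smtpd_tls_key_file = $live/privkey.pem" || return 1
    swap_path "$root/etc/postfix/main.cf" \
        "smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt" \
        "smtpd_tls_cert_file = $live/cert.pem" || return 1
    swap_path "$root/etc/postfix/main.cf" \
        "smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt" \
        "smtpd_tls_CAfile = $live/chain.pem" || return 1

    # Dovecot: full chain + key (the leading '<' means "read from this file")
    swap_path "$root/etc/dovecot/dovecot.conf" \
        "ssl_cert = </etc/ssl/certs/iRedMail.crt" "ssl_cert = <$live/fullchain.pem" || return 1
    swap_path "$root/etc/dovecot/dovecot.conf" \
        "ssl_key = </etc/ssl/private/iRedMail.key" "ssl_key = <$live/privkey.pem" || return 1

    # On the live system, validate each configuration and reload; skipped in a dry run.
    if [ -z "$root" ]; then
        nginx -t && systemctl reload nginx
        postfix check && systemctl reload postfix
        doveconf -n >/dev/null && systemctl reload dovecot
    fi
}

if [ "$#" -gt 0 ]; then
    install_le_cert "$@"
fi
```

Because certbot renews into the same /etc/letsencrypt/live/ paths, the configuration only needs this edit once; after a renewal, only the three reloads are needed again.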
Step 6: Sending Test Email
Log into the iredadmin panel with the postmaster mail account (postmaster@your-domain.com). In the Add tab, you can add additional domains or email addresses.
After you create a user, you can visit the Roundcube webmail address and login with the new mail user account.
https://mail.your-domain.com/mail/
Now you can test email sending and receiving. Please note that you may need to wait a few minutes to receive emails because iRedMail enables greylisting by default, which is a way to tell other sending SMTP servers to try again in a few minutes. The following line in the mail log file /var/log/mail.log indicates greylisting is enabled.
Recipient address rejected: Intentional policy rejection, please try again later;
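The following is an added example, not part of the tutorial, for telling "still waiting for the retry" apart from "the sender never came back" when reading /var/log/mail.log. The sample lines are constructed in the format Postfix uses for a policy rejection (postfix/smtpd NOQUEUE: reject) and for a message entering the queue (postfix/qmgr from=<...>); the addresses and the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation values, not real hosts. A greylisted sender that is a real mail server retries and then shows up in a qmgr line; a sender that never retries is typically a spam bot, which is exactly what greylisting is meant to filter.

```shell
#!/usr/bin/env bash
# Added example: summarise greylisting rejections from Postfix log lines.
# Usage on a live server: sudo bash greylist-report.sh < /var/log/mail.log

# Constructed sample log (documentation addresses, not a real server).
SAMPLE_LOG="$(cat <<'EOF'
Jun  1 10:00:01 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.10]: 451 4.7.1 <john@your-domain.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<alice@gmail.com> to=<john@your-domain.com> proto=ESMTP helo=<mx.example.net>
Jun  1 10:00:02 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 451 4.7.1 <john@your-domain.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<promo@spam.example> to=<john@your-domain.com> proto=ESMTP helo=<spam.example>
Jun  1 10:05:10 mail postfix/smtpd[1305]: connect from mx.example.net[192.0.2.10]
Jun  1 10:05:11 mail postfix/qmgr[801]: 3A1B2C3D4E: from=<alice@gmail.com>, size=2048, nrcpt=1 (queue active)
Jun  1 10:05:12 mail postfix/lmtp[1310]: 3A1B2C3D4E: to=<john@your-domain.com>, relay=mail.your-domain.com[/var/run/dovecot/lmtp], delay=1.2, status=sent (250 2.0.0 <john@your-domain.com> saved)
EOF
)"

# Read log lines on stdin; print "sender recipient client_ip" for every
# greylisted delivery attempt, in log order (retries stay visible).
greylisted_attempts() {
    grep -F 'Intentional policy rejection' |
    sed -n 's/.*RCPT from [^[]*\[\([^]]*\)\].*from=<\([^>]*\)> to=<\([^>]*\)>.*/\2 \3 \1/p'
}

# Read log lines on stdin; print "sender -> recipient" for each greylisted
# pair whose sender never got a message accepted into the queue afterwards
# (no postfix/qmgr line with from=<sender>), i.e. the sender never retried.
pending_greylist() {
    log="$(cat)"
    printf '%s\n' "$log" | greylisted_attempts | awk '{ print $1, $2 }' | sort -u |
    while read -r sender rcpt; do
        if ! printf '%s\n' "$log" | grep -F 'postfix/qmgr' | grep -Fq "from=<$sender>"; then
            echo "$sender -> $rcpt"
        fi
    done
}

if [ "$#" -eq 0 ] && [ -t 0 ]; then
    # No input piped in: demonstrate on the constructed sample.
    echo "greylisted attempts:"
    printf '%s\n' "$SAMPLE_LOG" | greylisted_attempts
    echo "senders that never retried:"
    printf '%s\n' "$SAMPLE_LOG" | pending_greylist
else
    pending_greylist
fi
```

On the sample, alice@gmail.com is listed as an attempt but not as pending, because the qmgr line shows her retry being accepted, while promo@spam.example remains pending.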
Step 7: Checking If Port 25 (outbound) is blocked
Your ISP or hosting provider won't block incoming connections to port 25 of your server, which means you can receive emails from other mail servers. However, many ISPs and hosting providers block outgoing connections to port 25 of other mail servers, which means you can't send emails.
If your email didn’t arrive at your other email address such as Gmail, then run the following command on your mail server to check if port 25 (outbound) is blocked.
telnet gmail-smtp-in.l.google.com 25
If it's not blocked, you will see messages like the ones below, which indicate that a connection was successfully established. (Hint: Type quit and press Enter to close the connection.)
Trying 74.125.68.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP y22si1641751pll.208 - gsmtp
If port 25 (outbound) is blocked, you will see something like:
Trying 2607:f8b0:400e:c06::1a...
Trying 74.125.195.27...
telnet: Unable to connect to remote host: Connection timed out
In this case, your Postfix can’t send emails to other SMTP servers. Ask your ISP/hosting provider to open it for you. If they refuse your request, you need to set up SMTP relay to bypass port 25 blocking.
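Below is an added example, not part of the tutorial, that turns the interactive telnet test into a script with a meaningful exit code, so it can be run from cron or a provisioning script. It uses bash's /dev/tcp pseudo-device (no telnet or nc required) and the timeout command from GNU coreutils; the default target is the Gmail MX hostname used in the telnet test above. A timeout, rather than a refusal, is the signature of a provider blocking outbound port 25.

```shell
#!/usr/bin/env bash
# Added example: non-interactive outbound port 25 check.
#   exit 0 = connected (outbound port open)
#   exit 1 = refused / unreachable
#   exit 2 = timed out (the symptom of a blocked outbound port)
# Usage: bash check-port25.sh [host] [port]

# Open a TCP connection to host:port, print the server greeting (if any
# arrives within 5 s), send QUIT, and exit 0.  `timeout` turns a hung
# connect into exit status 124.
smtp_banner() {
    host="$1" port="${2:-25}" secs="${3:-5}"
    timeout "$secs" bash -c '
        exec 3<>"/dev/tcp/$0/$1" || exit 1
        banner=""
        IFS= read -r -t 5 banner <&3
        printf "QUIT\r\n" >&3 2>/dev/null
        printf "%s\n" "$banner" | tr -d "\r"
        exit 0
    ' "$host" "$port" 2>/dev/null
}

check_outbound_smtp() {
    host="${1:-gmail-smtp-in.l.google.com}" port="${2:-25}"
    if banner="$(smtp_banner "$host" "$port" 5)"; then
        echo "OK: connected to $host:$port, greeting: $banner"
        return 0
    else
        rc=$?
        if [ "$rc" -eq 124 ]; then
            echo "BLOCKED: connection to $host:$port timed out; ask your provider to open outbound port 25 or use an SMTP relay"
            return 2
        fi
        echo "FAILED: could not connect to $host:$port (exit $rc)"
        return 1
    fi
}

if [ "$#" -gt 0 ] || [ -t 0 ]; then
    check_outbound_smtp "$@"
fi
```

A valid greeting starts with 220, like the "220 mx.google.com ESMTP" line the telnet session shows; the script only proves the TCP path is open, not that the remote server will accept mail from your IP.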
Step 8: Using Mail Clients on Your Computer or Mobile Device
Fire up your desktop email client such as Mozilla Thunderbird and add a mail account.
- In the incoming server section, select the IMAP protocol, enter mail.your-domain.com as the server name, choose port 993 and SSL/TLS. Choose normal password as the authentication method.
- In the outgoing server section, select the SMTP protocol, enter mail.your-domain.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.
Fail2ban Blocking Your Own IP Address
If you made a mistake and failed to log in to the mail server multiple times, the Fail2ban service on the mail server might block your IP address. You can add your IP address to the whitelist by editing the jail.local file.
sudo nano /etc/fail2ban/jail.local
Add your own IP address to the ignore list like below. Replace 12.34.56.78 with your real IP address.
ignoreip = 12.34.56.78 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
Save and close the file. Then restart Fail2ban.
sudo systemctl restart fail2ban
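The script below is an added example, not part of the tutorial or of iRedMail, that makes the ignoreip edit above scriptable and idempotent: it validates that the argument is syntactically an IP address or CIDR range before touching anything, appends it to the existing ignoreip line only if it is not already there, and creates the line under [DEFAULT] if jail.local has none. The optional second argument is the path of the jail file, so the edit can be rehearsed on a copy; on the live system, restart Fail2ban afterwards as shown above.

```shell
#!/usr/bin/env bash
# Added example: add an address to Fail2ban's ignoreip list idempotently.
# Usage: sudo bash whitelist-ip.sh 12.34.56.78 [/etc/fail2ban/jail.local]

# Syntactic check only: IPv4 or IPv4/CIDR, or IPv6 (optionally /CIDR).
# Anything else (a hostname, a shell snippet) is rejected before editing.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*(/[0-9]{1,3})?)$'
}

# Rewrite $jail in place through a temp file, keeping the original's
# owner and permissions (cat > file reuses the inode).
rewrite_jail() {
    cat > "$jail.tmp" && cat "$jail.tmp" > "$jail" && rm -f "$jail.tmp"
}

whitelist_ip() {
    ip="$1"
    jail="${2:-/etc/fail2ban/jail.local}"
    valid_ip "$ip" || { echo "refusing to add '$ip': not an IP address or CIDR range"; return 1; }
    [ -f "$jail" ] || { echo "missing: $jail"; return 1; }

    if grep -Eq '^[[:space:]]*ignoreip[[:space:]]*=' "$jail"; then
        # Already listed?  Split the existing line on spaces, commas and '='
        # and look for an exact token match ('.' and '/' defeat grep -w).
        if grep -E '^[[:space:]]*ignoreip[[:space:]]*=' "$jail" | tr ' ,=' '\n\n\n' | grep -Fxq "$ip"; then
            echo "$ip is already in ignoreip"
            return 0
        fi
        # Append to the first ignoreip line only.
        awk -v ip="$ip" 'done == 0 && /^[[:space:]]*ignoreip[[:space:]]*=/ { $0 = $0 " " ip; done = 1 } { print }' "$jail" | rewrite_jail
    else
        # No ignoreip line: add one directly under the [DEFAULT] header, where
        # iRedMail keeps it, rather than creating a second [DEFAULT] section.
        grep -q '^\[DEFAULT\]' "$jail" || { echo "no ignoreip line and no [DEFAULT] section in $jail"; return 1; }
        awk -v ip="$ip" '{ print } /^\[DEFAULT\]/ && done == 0 { print "ignoreip = " ip; done = 1 }' "$jail" | rewrite_jail
    fi
    echo "added $ip to ignoreip in $jail"
}

if [ "$#" -gt 0 ]; then
    whitelist_ip "$@" && echo "restart Fail2ban to apply: sudo systemctl restart fail2ban"
fi
```

The validation matters because the argument ends up in a file that Fail2ban parses as configuration: a typo such as a stray hostname would silently disable the whole ignoreip line in older Fail2ban versions rather than whitelist anything.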
Step 9: Improving Email Deliverability
To prevent your emails from being flagged as spam, you should set PTR, SPF, DKIM and DMARC records.
PTR record
A pointer record, or PTR record, maps an IP address to a FQDN (fully qualified domain name). It’s the counterpart to the A record and is used for reverse DNS lookup, which can help with blocking spammers. Many SMTP servers reject emails if no PTR record is found for the sending server.
To check the PTR record for an IP address, run this command:
dig -x IP-address +short
or
host IP-address
Because you get your IP address from your hosting provider or ISP, not from your domain registrar, you must set the PTR record for your IP in the control panel of your hosting provider, or ask your ISP to do it. Its value should be your mail server's hostname: mail.your-domain.com. If your server uses an IPv6 address, be sure to add a PTR record for your IPv6 address as well.
To edit the reverse DNS record for your SiveHost VPS, log into the Hostwinds client area and select Domains -> Manage rDNS; there you can edit the reverse DNS record for both the IPv4 and IPv6 address.
SPF Record
SPF (Send