fossunited / infra

Infrastructure of FOSS United including the cloud servers and hosted free software

Host a mail server for fossunited.org #2

Open anandology opened 3 years ago

anandology commented 3 years ago

Hosting a mail server is not as hard as it sounds.

One of the tricky parts is to make sure DKIM keys etc. are set up properly; otherwise Gmail will start treating it as spam. Fortunately, there are a lot of good resources out there.


anandology commented 3 years ago

@abhishekbalam suggested https://github.com/tomav/docker-mailserver

knadh commented 3 years ago

We use https://postal.atech.media

Works out of the box and has a nice admin + logs UI. Worth evaluating.

anandology commented 3 years ago

> We use https://postal.atech.media
>
> Works out of the box and has a nice admin + logs UI. Worth evaluating.

Looks like that is built for sending email, not receiving.

abhas commented 3 years ago

Postal can do incoming mails as well. But it's quite an atypical mail server. It's built mainly to be used as an email relay. I use it in that manner as well for providing mail relays to various applications.

For a full email experience that will replace an existing mail system, it's better to set up mail services natively on a GNU/Linux computer. You could use Postfix (or Haraka or maddy) (SMTP) with Dovecot (LMTP + IMAP) and Roundcube or SOGo (webmail).

The next question would be that of where to store user information and passwords. OpenLDAP is a great way to do that so that the same authentication and user info can be easily reused for other applications (e.g. Nextcloud and Matrix/Synapse). Otherwise using system users in a SQL database will also work.

A quick way to implement LDAP (if you don't want to edit config / LDIF files and want a web interface as well) is to use FreeIPA. The only downside is that FreeIPA is complex (it runs on a CentOS/Fedora container and needs dbus + systemd inside the container to function).

knadh commented 3 years ago

https://www.webmin.com -- might be a bit of an overkill, but Webmin offers management abstractions on top of some of these things. It's a FOSS cPanel alternative. If we're using Postfix/Dovecot, it can help with mailbox and user management.

anandology commented 3 years ago

@abhishekbalam has volunteered to set up the mail server. I'm going to create a $10 droplet and hand it over to @abhishekbalam to set up a mail server for beta.fossunited.org. Once that is ready, we can test it and recreate a new instance for fossunited.org.

I'm keeping LDAP on hold for now. We'll look into it once the simple setup is ready.

abhishekbalam commented 3 years ago

@anandology I think there has been some misunderstanding. I am willing to pair on this with you for setup and testing, but I don't have the bandwidth to do it myself.

Also, a $10 droplet and a beta subdomain sound good. 👍

anandology commented 3 years ago

After spending some time evaluating these options, I decided to go with Mail-in-a-Box. One big reason is that it has a good maintenance guide with good backup support.

I've set up a self-hosted mail server for beta.fossunited.org, just by following the instructions. It worked smoothly and I'm able to send and receive emails.

PROS:

CONS:

* It is not possible for the user to change his/her own password
* Email is stored in plain text on the server and anyone with access to the server can access all the mails
* Software like Nextcloud (written in PHP) is running on the same machine; any vulnerability in it will compromise the entire system
* The default setup starts a name server on the node and it is recommended to move the nameserver of the domain to the same node. It is possible to work with external DNS, but it seems more work

anandology commented 3 years ago

@abhas any suggestions to deal with the CONS mentioned above?

abhas commented 3 years ago

> CONS:
>
> * It is not possible for the user to change his/her own password

I think mailinabox does install a password change plugin with the webmail (Roundcube). So it must be possible for a user to change their password using webmail. Do check it out:

https://github.com/mail-in-a-box/mailinabox/blob/master/setup/webmail.sh#L165

> * Email is stored in plain text on the server and anyone with access to the server can access all the mails

That is always true for all mail server implementations, unless you do two things:

  1. Submit the mails to Dovecot to deliver via LMTP
  2. Configure Dovecot to encrypt a user's mailbox.

Since Dovecot would be delivering the mail (and not the MTA, Postfix in this case), it will encrypt the mail while delivering it to the mailbox. Similarly, when the mail is accessed via IMAP (or POP3), Dovecot would decrypt it. Instructions on how to configure Dovecot to do this are available here:

https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/

I would be glad to help you evaluate this configuration.

> * Software like Nextcloud (written in PHP) is running on the same machine; any vulnerability in it will compromise the entire system

If you keep upgrading Nextcloud as and when they release a security update, you should be able to manage this aspect well. I run several Nextcloud installations on the same machine as mail servers and the trick is usually to keep upgrading PHP and Nextcloud regularly.

You can test how secure your Nextcloud installation is via this link:

https://scan.nextcloud.com/

> * The default setup starts a name server on the node and it is recommended to move the nameserver of the domain to the same node. It is possible to work with external DNS, but it seems more work

I guess they do that so that it is possible to manage the DNS records related to DKIM, DMARC and SPF (among other things) easily and behind the scenes. Many people have problems adding the correct records and that causes these systems to malfunction.

If you can add the DNS records to an external nameserver correctly, I think that should be sufficient for mailinabox to work.

anandology commented 3 years ago

> > CONS:
> >
> > * It is not possible for the user to change his/her own password
>
> I think mailinabox does install a password change plugin with the webmail (Roundcube). So it must be possible for a user to change their password using webmail. Do check it out:
>
> https://github.com/mail-in-a-box/mailinabox/blob/master/setup/webmail.sh#L165

Oh cool, I didn't realize this. I've tried it now and it works!

> > * Email is stored in plain text on the server and anyone with access to the server can access all the mails
>
> That is always true for all mail server implementations, unless you do two things:
>
> 1. Submit the mails to Dovecot to deliver via LMTP
> 2. Configure Dovecot to encrypt a user's mailbox.
>
> Since Dovecot would be delivering the mail (and not the MTA, Postfix in this case), it will encrypt the mail while delivering it to the mailbox. Similarly, when the mail is accessed via IMAP (or POP3), Dovecot would decrypt it. Instructions on how to configure Dovecot to do this are available here:
>
> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
>
> I would be glad to help you evaluate this configuration.

Nice, I didn't realize this. I surely want to get here, but I would like to roll out a version without encryption and come to this after that.

> > * Software like Nextcloud (written in PHP) is running on the same machine; any vulnerability in it will compromise the entire system
>
> If you keep upgrading Nextcloud as and when they release a security update, you should be able to manage this aspect well. I run several Nextcloud installations on the same machine as mail servers and the trick is usually to keep upgrading PHP and Nextcloud regularly.
>
> You can test how secure your Nextcloud installation is via this link:
>
> https://scan.nextcloud.com/

I'm not very comfortable running PHP directly on this server. I would prefer to run it inside Docker to have clear separation. However, given how closely Nextcloud and email credentials are linked, I think that is not going to be straightforward.

> > * The default setup starts a name server on the node and it is recommended to move the nameserver of the domain to the same node. It is possible to work with external DNS, but it seems more work
>
> I guess they do that so that it is possible to manage the DNS records related to DKIM, DMARC and SPF (among other things) easily and behind the scenes. Many people have problems adding the correct records and that causes these systems to malfunction.
>
> If you can add the DNS records to an external nameserver correctly, I think that should be sufficient for mailinabox to work.

Yes, it is just a little more work. It already provides a page in the admin interface with all the DNS entries that need to be created.
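The two steps abhas describes above (final delivery through Dovecot's LMTP, then Dovecot-side mailbox encryption), written out as an added configuration example that is not from this thread, from Mail-in-a-Box or from the Dovecot documentation. It assumes Dovecot 2.3 configuration syntax, Postfix as the MTA, and the file paths and the passdb field shown are placeholders for the actual deployment.

```conf
# --- /etc/postfix/main.cf (Postfix side) ---
# Hand final delivery to Dovecot over LMTP instead of writing mailboxes
# directly, so Dovecot's plugins (here mail_crypt) see every delivery.
virtual_transport = lmtp:unix:private/dovecot-lmtp

# --- /etc/dovecot/conf.d/10-master.conf ---
# LMTP socket placed inside the Postfix chroot and owned by postfix.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

# --- /etc/dovecot/conf.d/90-mail-crypt.conf (Dovecot 2.3 syntax) ---
# Load the plugin for IMAP/POP3 and explicitly for the LMTP delivery path.
mail_plugins = $mail_plugins mail_crypt
protocol lmtp {
  mail_plugins = $mail_plugins mail_crypt
}

# Per-user (folder) keys are stored as mailbox attributes, so an
# attribute dict is required. %h = the user's home directory.
mail_attribute_dict = file:%h/dovecot-attributes

plugin {
  # Generate an EC key pair per user on first use (per-user mode, not
  # the single server-wide global key).
  mail_crypt_curve = secp521r1
  # Current on-disk encryption format.
  mail_crypt_save_version = 2
  # Refuse to keep the user's private key unwrapped on disk; it is
  # protected with the password supplied by the passdb at login.
  mail_crypt_require_encrypted_user_key = yes
}

# --- passdb extra field (assumption: whichever passdb the box uses) ---
# The login password is passed through as the key-unwrapping secret:
#   userdb_mail_crypt_private_password=%w
# Delivery over LMTP only needs the user's public key, so incoming mail
# is encrypted without any login; decryption happens at IMAP/POP3 login.
```

A simpler variant using `mail_crypt_global_private_key` / `mail_crypt_global_public_key` encrypts everything with one server-held key pair, but since that private key lives on the same host as the mail it does not keep a server administrator out. Only the per-user variant above, where the private key is wrapped with the user's own password, addresses the concern raised in the CONS list.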