Building an Ubuntu mail server with Postfix, Amavis, SpamAssassin, ClamAV, Dovecot, and OpenDMARC

Рет қаралды 18,746

Күн бұрын

A step-by-step guide on setting up a Linux mailserver for a small crocheted octopus. Follows the process in my blog post series starting here: www.sidequestninja.com/blog/h...
00:00 Intro
03:31 Part 1: DNS and Postfix
05:09 Part 1.1: Postfix
18:46 Part 1.2: TLS
22:56 Part 2: Viruses and Spam
35:37 Part 3: User Accounts
54:24 Part 4: IMAP
59:27 Part 4.1: Masking your personal IP
1:02:06 Part 4.2: SASL
1:04:22 Part 5: Mail authenticity
1:05:48 Part 5.1: Reverse DNS
1:07:15 Part 5.2: SPF
1:10:12 Part 5.3: DKIM
1:18:09 Part 5.4: DMARC
CORRECTION: At 45:54 you need to install "dovecot-imapd", not "dovecot-imap" (which doesn't exist).
Links mentioned in the video:
Blog post series: www.sidequestninja.com/blog/h...
Let's Encrypt: letsencrypt.org/
Background on weak Diffie-Hellman keys: weakdh.org/
TLS setup checker: www.checktls.com/
Latest recommended Dovecot cipher suite: wiki.dovecot.org/SSL/DovecotC...
Reverse DNS lookup tool: mxtoolbox.com/
Google advice on rolling out DMARC: support.google.com/a/answer/2...

Пікірлер: 92

@btc_noob 17 күн бұрын

I don't think I've commented on this video (because I've had it bookmarked and saw a good portion a bit ago)... lifesaver. THANK YOU!

@MatthewPenning 3 жыл бұрын

Great job! This is not an easy subject to cover with all the complicated parts that make up a mail server. Thanks for taking the time to put this together and sharing your knowledge.

@markvincent6275 3 ай бұрын

Great tutorial! Thanks for taking the time to make this, you saved me from hours of reading

@ORicketts 3 ай бұрын

Insanely informative and helpful video.

@rogernevez5187 3 жыл бұрын

One of the best tutorial available on KZfaq. Deserves more views.

@houseofjax21 2 жыл бұрын

Great video, thanks a bunch, no one goes in as deeper as you have done on this subject and this is a big and complicated subject.

@SidequestNinja 2 жыл бұрын

You're welcome, I'm glad it was helpful :)

@janoelo 4 жыл бұрын

Looks like a very complete video. Thanks!

@sanusimuhammad7466 2 жыл бұрын

the finest video i have come across on the internet that deals with mail server configuration, i have seen lots of videos but this is the most detailed one. thank you more on u and more growth. am from Nigeria

2 жыл бұрын

This was awesome. Thank you so much. Great work!

@mohammedel2035 10 ай бұрын

Too much value! This is so helpful, thank you so much.

@scriptmime1971 2 жыл бұрын

This is incredible. So useful to me as I'm building a web application for user emails and have to dynamically create emails for users. Thanks to you, I can build this on my own and not pay $350/month for this feature of my application. Not only that, but I'm also learning from one of the people responsible for the most influential game of my childhood, Runescape. I just love everything about this video. Hats off to you sir!

@SidequestNinja 2 жыл бұрын

You're very kind, and I'm glad to hear that it'll save you a lot of money over time :) PS Selling rare black lobster

@tobyhdr Жыл бұрын

Excellent work. Thank you!

@cyberintrust6054 4 жыл бұрын

You deserve more views and subscribers. Keep the good work up. I am planning to host my email server in my home office. Hope you will make video for Web server hosting as well in the future. We need more people like you to counter big Corporations like Microsoft, Amazon, Facebook, Google.

@sud0gh0st 3 жыл бұрын

WOW, i normally set my playback speed to filter the babble most tutorials have, im 37mins in and still at x1. This is how a tutorial should be done 100% informative content i wish i found this tutorial at the start of my setup process it would of literally saved me hours Subscription added

@SidequestNinja 3 жыл бұрын

Thanks, my friend, I'm glad you've found it helpful!

@sud0gh0st 3 жыл бұрын

@@SidequestNinja Only edit i would make would be sudo apt install -y python3-certbot-nginx certbot certonly --nginx -d example.com hope you dont mind xD

@MrFurriephillips 3 жыл бұрын

I LOVE SPF - the checks happen before your spammer has a chance to push any DATA at you, so saving your bandwidth. Kudos for "-all", so many providers tell you "~all", which is worse than useless, as it leads users to a false sense of security.

@SidequestNinja 3 жыл бұрын

~all does rather suggest you're not entirely sure who might be sending email from your domain, which hopefully isn't true!

@ANDRES7SANDOVAL 3 жыл бұрын

Amigo eres increíble.

@SidequestNinja 3 жыл бұрын

¡Gracias!

@giurgindemilan 3 жыл бұрын

Great work, I seriously cannot understand how come such a valuable fast and comprehensive video doesn't have hardly any view as opposed to low quality fake gurus videos containing only a portion of this content. To make it even more comprehensive out still add letsencrypt and dkim tutorials

@SidequestNinja 3 жыл бұрын

Thanks, I'm glad you found it helpful :D I do cover DKIM at 1:10:12, was there anything in there in particular that you'd have liked more detail on? I thought about covering Let's Encrypt as well, but since there are lots of different setup possibilities for certbot (depending on your proxy setup, for example) and the Let's Encrypt documentation covers them all pretty thoroughly, I thought it was best to stick to just the mailserver setup here.

@stickmenwithrayguns Жыл бұрын

One of the most informative videos on youtube IMHO. "How to" create secondary MX's and/or an eternity-store for backup/migration purposes must be just around the corner? ;-)

@SidequestNinja Жыл бұрын

Thanks! When I have the time (i.e. once my game is released) I want to do an updated version of this for the latest Ubuntu version. I could sneak in one or two extra things at that point maybe...

@abhinav054 3 жыл бұрын

nice talk bro

@mohamdkhalled8640 2 жыл бұрын

Thx for the great tutorial I've been searching for 3 days, U'll have a nice future, ur smart ❤️ I would ask about performance is it enough for a company like 200 mail per hour and also about the server requirments

@SidequestNinja 2 жыл бұрын

The main requirement is memory for all the antivirus definitions. Anything less than 2.5GB and you're likely to see clamav-daemon getting terminated when it tries to update definitions due to lack of memory. In terms of mail capacity, you should be fine. If you need to increase throughput, you can increase $max_servers on Amavis and max_proc on Postfix so that they'll handle more emails concurrently - that will also take more memory for each Amavis process, and obviously you'll need enough cores for the extra processes to have any impact.

@Hermanverschooten 7 ай бұрын

Bit late to the party, but in 2023 all info is still relevant. thx! I just had a small issue with cleanup, amavis added a header that displays the port 10026 it uses and i wanted to remove this, so I added it to the header_checks file, but that did nothing. I had to add a smtp_header_checks to my main.cf pointing to the same file to make it work.

@SidequestNinja 7 ай бұрын

That's not a bad idea! I hope at some point to make an updated version of this video, this would be a nice little tweak to include :)

@murata.9762 3 ай бұрын

This is helpful, thanks 👍 - the link to the blog post seems to be down though.

@SidequestNinja 3 ай бұрын

Ooh, well spotted. It's up again now! Thanks :)

@SidequestNinja 3 ай бұрын

...aaaaaand I rebooted the server and it hasn't come back. Time to submit a ticket to the hosting provider...

@sharrc 2 жыл бұрын

Incredible video! One question though: What if I want to receive webhooks for events like bounces, etc...? Can you please guide me in the right direction where to look for this? Really appreciate the work man, and the fact that you're still active in the comments.

@SidequestNinja 2 жыл бұрын

Thanks! Hooking into things like bounces isn't something I've ever looked into. My instinct would be to use rsyslog - you can set it up to watch for bounces in /var/log/mail.log, and get it to send whatever message you need when it spots one. The omhttp module lets you send HTTP(S) requests.

@sharrc 2 жыл бұрын

@@SidequestNinja Thanks, I'll give it a shot. Also, is there a way we can externally add domains by hitting an API? And maybe get the generated public DKIM record back in response... Maybe I'm reaching way too far here, but any hack will do too. Thanks again!

@SidequestNinja 2 жыл бұрын

@@sharrc As far as I'm aware, no, there's no such API, it's all handled by the config files. If you wanted to add domains you'd also have to add MX records for whatever domains you wanted the postfix instance to handle, so you'd have to do more than just hit an endpoint on the mailserver anyway. And if you're after the public DKIM data you can just hit the DNS records for the domain.

@dankierson Жыл бұрын

Nothing on Dovecot Mail Client configs, virtual users or setting up a webmail server. We'd have a long wait for mail. I think it might be better to do a lucid web page tutorial on this very important topic instead. But a reasonable start. Hope your game turned out well.

@SidequestNinja Жыл бұрын

Hey there, virtual users (via a Postgres DB) are covered in Part 3. I haven't got a webmail server in my setup, so I haven't dealt with that here. What extra info on Dovecot and mail clients would you want to see? (The game is expected to release in August, there's a Steam demo if you'd like to give it a spin: s.team/a/1248420)

@sanusimuhammad7466 2 жыл бұрын

i have this question i want to ask, every thing is working fine as i went through the video and implement all that i see u do, at this point i want to connect my DB to my PHP codes on my server, so that i can create users in the users table, without going on the black screen to that. in the course of that i read about the PBKDF2 hashing, and found out how i can implement it in PHP. the hashed values produce by PHP does not come with ''$" signs as the devcot do. my question is can devcot still read and understand the hash passwords, if PHP should hash them and get them drop in the DB despite there diff in output value?

@SidequestNinja 2 жыл бұрын

The Dovecot documentation shows the format that it expects for PBKDF2, here: doc.dovecot.org/configuration_manual/authentication/password_schemes/ It notes that, unfortunately, there's no standard format for this (which is probably why PHP is doing something different), but that what Dovecot wants is “$1$salt$rounds$hash”. Your best option is probably to modify your PHP code to output the format Dovecot expects. Make sure it starts with "{PBKDF2}" as well.

@sanusimuhammad7466 2 жыл бұрын

@@SidequestNinja thank u so much Sir! i read extensively about the hashing and i got to find out that PHP do return the hex value of the hashed characters. after that i decide to fall back to ARGON2I. i am trying connect PHP and postgreSQL, i am use to mariaDB, chose to learn postgresql to add to my skills and to try exploit the advantage it has over MariaDB. thank you so much once again

@sanusimuhammad7466 2 жыл бұрын

@@SidequestNinja thank u so much for ur support, i have taken care of lots of things and the PHP is weel connected to postgresql. ARGORN2I us actually working fine in PHP. i can now ad a user to the DB now is for me to create a user from frontend and let the user connect to postfix via turndabird. thank u so much i so appreciate all ur effort

@torgestehr 3 жыл бұрын

What do I need to change in order use email-addresses which haven’t the domain I used to setup the mailserver.

@SidequestNinja 3 жыл бұрын

Hi Torge, I've never tried to do this, but Postfix does support it - this documentation should get you most of the way: www.postfix.org/VIRTUAL_README.html You'll also need to set up MX records on all the additional domains pointing at your mailserver, so that senders trying to reach an address on those domains know where to send the mail.

@torgestehr 3 жыл бұрын

@@SidequestNinja Thank you

@alfonsoveder1 3 жыл бұрын

any can help me for set limit mailboxes size in devecot?

@SidequestNinja 3 жыл бұрын

Hi Alfonso, this isn't something I've ever tried to do, but it looks like the documentation on this is here: wiki2.dovecot.org/Quota/Configuration

@quokka_yt Жыл бұрын

"454 4.7.0 TLS not available due to local problem" I configured the TLS correctly with Let'sEncrypt. Any solutions?

@SidequestNinja Жыл бұрын

It's hard to know without looking over your setup in detail. Is it possible that Postfix isn't looking for the certificate in the right place? Or that Postfix doesn't have permission to read those files?

@quokka_yt Жыл бұрын

@@SidequestNinja Accidentally wrote "fullchain.pen" instead of "fullchain.pem" 🥲

@SidequestNinja Жыл бұрын

@@quokka_yt Ah, yeah, that'll do it! Glad you managed to track it down :)

@quokka_yt Жыл бұрын

@@SidequestNinja CheckTLS gives error " Cert Hostname DOES NOT VERIFY (_dc-mx.9c909617cf2a._MY DOMAIN_ != MY DOMAIN | DNS:*.MY DOMAIN | DNS:MY DOMAIN) So email is encrypted but the host is not verified " (Changed my domain to "MY DOMAIN" cus KZfaq deletes comments with URLs)

@SidequestNinja Жыл бұрын

@@quokka_yt I don't think I can diagnose this from here without being able to see your setup, I'm afraid.

@jhhassler 10 ай бұрын

I'm failing an spf check according to my logs when I try to send an email from thunderbird! any idea why?

@SidequestNinja 10 ай бұрын

Not without knowing what the error is! KZfaq comments probably aren't the easiest place to sort out a problem like this, I'd suggest visiting some tech forums. Give them as many details as you can so they're able to help.

@jhhassler 10 ай бұрын

I figured it out! I overlooked adding this override to the submission port: -o smtpd_recipient_restrictions=

@jhhassler 10 ай бұрын

@@SidequestNinja Thank you very much for taking the time to answer! Yeah there is a whole lot to it! I went back through your blog step by step (great job, btw) and realized I had quickly read through to uncomment the line on the submission port! Anyway, I figured it out and I have a much better understanding of how postfix actually works because of that one problem! A blessing in disguise I guess! Btw, I too am also a Christian, on an inexorable path to heaven only because of my Savior Jesus Christ! 👍👍God Bless Brother!

@SidequestNinja 10 ай бұрын

@@jhhassler Well, that's good news all round :D Always good to bump into a brother in Christ online!

@LryuzakiLN 2 ай бұрын

@@jhhassler Are you able to send mails to Gmail and others?

@v3n0x 3 жыл бұрын

Very good. Theres a mix and match between init.d and systemd, fuck it why not use both I guess.

@SidequestNinja 3 жыл бұрын

I should probably finally make the break with init.d and embrace the future.

@tetrendafilov348 6 ай бұрын

Is this guide still working?

@SidequestNinja 6 ай бұрын

I haven't run through it myself for some time. I'd expect it to still be broadly accurate, though some details may have changed.

@AmarjeetAnandsingh 2 жыл бұрын

Thanks for the video. BUT the background is very distracting bcz it's completely unrelatable from the fact being explained in the video.

@SidequestNinja 2 жыл бұрын

Hah, yes, looking back it wasn't the best thing to choose, a plain background would have been better.

@mariuszanonimowy7166 3 жыл бұрын

Na tygodniu będę konfigurować ale najpierw muszę zrobić kopię serwera. Ostatnio testowałem iredmail i nigdy więcej tego gówna nawet kijem nie tknę. Rozwalił cała konfigurację serwera, musiałem od nowa wszystko instalować

@SidequestNinja 3 жыл бұрын

Yikes! I've never tried iRedMail, but I hope Postfix works out better. Let me know how you get on!

@ho77iday 3 жыл бұрын

I went through the same thing. I couldn't believe the damage I caused.

@jurnyjarzabek Жыл бұрын

Zrobiłeś może ten serwer pocztowy? Działa dobrze?

@mariuszanonimowy7166 Жыл бұрын

@@jurnyjarzabek zostałem na mailcow

@stevieflyineasy 2 жыл бұрын

ty sir, saw another video saying "dont host your own email server its too hard you gotta set upa "reverse dns" " xddd

@SidequestNinja 2 жыл бұрын

That's one of the easy parts, you just need to ask your hosting provider and they do all the hard work!

@ORicketts 3 ай бұрын

@@SidequestNinja Who do you mean by hosting provider? My domain is with Google Domains and my ISP is BT. Google Domains allows me to set PTR records so who is it I'd contact......

@SidequestNinja 3 ай бұрын

@@ORicketts The hosting provider would be whoever's system you use to set up DNS records, which sounds like Google in your case. If Google Domains lets you do your own PTR record, then you should be able to do it yourself.

@ORicketts 3 ай бұрын

@@SidequestNinja Thanks! What do i put in the fields hostname and data?

@SidequestNinja 3 ай бұрын

@@ORickettsI'm not actually sure, never had to do it myself!