Unfederated Email, Part III
===========================

This is a quick post to update the setup for my unfederated email server. Here are links to the previous phlog entries on this subject:

gopher://zaibatsu.circumlunar.space/0/~visiblink/phlog/20210806
gopher://zaibatsu.circumlunar.space/0/~visiblink/phlog/20240713

This update is necessary because the settings for dovecot have changed with version 2.4 (the old ssl_cert/ssl_key settings are now ssl_server_cert_file/ssl_server_key_file, and disable_plaintext_auth has become auth_allow_cleartext). Here's the updated version of the setup guide:

The basic idea of an unfederated email server is that users on the server can email one another, but not users on other servers. The system is set up so that they can use regular email clients to log into their email accounts. To make configuration as simple as possible, each user on the server automatically gets an email account, using their regular username and password: Dovecot (through PAM) and OpenSMTPD both authenticate against the system accounts, so the mail password is the login password. The system also requires TLS on all connections.

If you want to add new email users, just create a system user account for them. If you don't want them actually logging into the server as system users (as opposed to logging into their email accounts), permit SSH logins by public key only (PasswordAuthentication no in /etc/ssh/sshd_config) and don't install a key for them. They still need a password set, because that is what their mail client authenticates with.

The following setup guide is for Debian 13 (Trixie). The server makes use of Dovecot for IMAP connections (for retrieving email), OpenSMTPD for SMTP (for sending email), and mailutils (for some of the local setup on the machine). Since the server is unfederated and you don't have to scan for spam, the demands on the system are very light.

All of the setup below must be done as root.

1. Pre-installation
-------------------

Update your server:

apt-get update
apt-get upgrade

2. Installation
---------------

Install dovecot, OpenSMTPD, and mailutils:

apt-get install mailutils dovecot-imapd
apt-get install opensmtpd

(mailutils depends on a mail transport agent, so the first command may pull in Debian's default MTA; installing opensmtpd afterwards replaces it, which is why the two commands are run separately.) When OpenSMTPD asks for the server name, give it the fully-qualified domain name of the machine (a hostname such as mail.example.org, not a URL).

3. Dovecot Configuration
------------------------

A.
Edit /etc/dovecot/conf.d/10-ssl.conf

Change the line "ssl = yes" to:

ssl = required

With "required", Dovecot refuses any IMAP session that is not protected by TLS, rather than merely offering STARTTLS.

If you want to use the self-signed certificate automatically created by Dovecot, make sure the following lines are uncommented (remove the octothorpe at the beginning of the line, if any):

ssl_server_cert_file = /etc/dovecot/private/dovecot.pem
ssl_server_key_file = /etc/dovecot/private/dovecot.key

Alternatively, if you have Let's Encrypt certificates on the server, you can point to them instead. In my case, I had them for the Apache2 webserver already, so the two lines above look like this instead:

ssl_server_cert_file = /etc/apache2/ssl/fullchain.pem
ssl_server_key_file = /etc/apache2/ssl/private/key.pem

(Dovecot reads the certificate and key as root before dropping privileges, so the key file can stay readable by root only.)

B. Edit /etc/dovecot/conf.d/10-auth.conf

Uncomment the line:

auth_allow_cleartext = no

C. Edit /etc/dovecot/conf.d/10-master.conf

Find these lines:

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

Edit them to look like this:

service imap-login {
  #inet_listener imap {
    #port = 143
  #}
  inet_listener imaps {
    port = 993
    ssl = yes
  }

Commenting out the imap listener means Dovecot never opens port 143 at all, so there is no cleartext IMAP port for a misconfigured client to fall back to; only 993 is served.

4. OpenSMTPD Configuration
--------------------------

Edit /etc/smtpd.conf

Save the existing file as smtpd.conf.bak or something like that. Then delete the existing contents of /etc/smtpd.conf and paste everything from "table" to the final "local" below into the file. You can use the self-signed certificate/key pair created by Dovecot, or your Let's Encrypt pair if you have one. Just comment out the certificate/key pair that you don't want to use. If your Let's Encrypt certificates are kept in a different directory, change the paths as necessary (here and in Dovecot's /etc/dovecot/conf.d/10-ssl.conf file). Wherever it says "your.domain.name" substitute your fully-qualified domain name.
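The edits in step 3 and the smtpd.conf listing that follows are the kind of changes that get made once by hand and then drift on the next upgrade. Here they are as one idempotent script. This is an added example, not the phlog author's setup: the variable names MAIL_HOST, CERT_FILE, KEY_FILE, SMTPS_PORT, IMAPS_PORT and DOVECOT_CONFD, the --apply switch, and the ufw step from step 6 are assumptions of the example. The smtpd.conf it renders is the listing below with the domain and certificate paths substituted; the Dovecot edits are done with sed/awk so that re-running the script on an already-edited file changes nothing.

```shell
#!/bin/sh
# Steps 3, 4 and 6 of the guide as one idempotent script. Added example, not
# the phlog author's code. Assumed (not in the original post): MAIL_HOST is
# your FQDN; CERT_FILE/KEY_FILE default to Dovecot's self-signed pair;
# SMTPS_PORT/IMAPS_PORT let you pick other ports if 465/993 are blocked.
set -eu

MAIL_HOST="${MAIL_HOST:-your.domain.name}"
CERT_FILE="${CERT_FILE:-/etc/dovecot/private/dovecot.pem}"
KEY_FILE="${KEY_FILE:-/etc/dovecot/private/dovecot.key}"
SMTPS_PORT="${SMTPS_PORT:-465}"
IMAPS_PORT="${IMAPS_PORT:-993}"
DOVECOT_CONFD="${DOVECOT_CONFD:-/etc/dovecot/conf.d}"

# Step 3A: require TLS for every IMAP session and point Dovecot 2.4 at the
# certificate/key pair (ssl_server_*_file are the 2.4 setting names).
harden_dovecot_ssl() {   # $1 = path to 10-ssl.conf
    sed -i \
        -e 's|^#\{0,1\}[[:space:]]*ssl[[:space:]]*=.*|ssl = required|' \
        -e "s|^#\{0,1\}[[:space:]]*ssl_server_cert_file[[:space:]]*=.*|ssl_server_cert_file = $CERT_FILE|" \
        -e "s|^#\{0,1\}[[:space:]]*ssl_server_key_file[[:space:]]*=.*|ssl_server_key_file = $KEY_FILE|" \
        "$1"
}

# Step 3B: never accept a password over a connection that is not TLS-protected.
harden_dovecot_auth() {  # $1 = path to 10-auth.conf
    sed -i 's|^#\{0,1\}[[:space:]]*auth_allow_cleartext[[:space:]]*=.*|auth_allow_cleartext = no|' "$1"
}

# Step 3C: comment out the whole `inet_listener imap { ... }` block (no port
# 143 at all) and enable `inet_listener imaps` on IMAPS_PORT with ssl = yes.
# Lines already in the target state are left alone, so re-running is safe.
harden_dovecot_master() {  # $1 = path to 10-master.conf
    tmp=$(mktemp)
    awk -v imaps_port="$IMAPS_PORT" '
        /^[[:space:]]*inet_listener imap[[:space:]]*[{]/  { in_imap = 1 }
        /^[[:space:]]*inet_listener imaps[[:space:]]*[{]/ { in_imaps = 1 }
        in_imap {
            if ($0 !~ /^[[:space:]]*#/) sub(/^[[:space:]]*/, "&#")
            if ($0 ~ /[}]/) in_imap = 0
            print; next
        }
        in_imaps {
            if ($0 ~ /^[[:space:]]*#[[:space:]]*port[[:space:]]*=/) sub(/#.*/, "port = " imaps_port)
            else if ($0 ~ /^[[:space:]]*#[[:space:]]*ssl[[:space:]]*=/) sub(/#.*/, "ssl = yes")
            if ($0 ~ /[}]/) in_imaps = 0
            print; next
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Step 4: render smtpd.conf. One implicit-TLS listener on SMTPS_PORT with
# mandatory authentication, local delivery only, and no relay rule.
render_smtpd_conf() {
    cat <<EOF
table aliases file:/etc/aliases

pki $MAIL_HOST cert "$CERT_FILE"
pki $MAIL_HOST key "$KEY_FILE"

listen on $MAIL_HOST port $SMTPS_PORT smtps pki $MAIL_HOST auth

action "local" mbox alias <aliases>

match for local action "local"
match from any for domain "localhost" action "local"
match from any for domain "localhost.localdomain" action "local"
match from any for domain "$MAIL_HOST" action "local"
EOF
}

# Steps 3-6 applied to the live system (root only). `smtpd -n` parses the new
# smtpd.conf before anything is restarted, so a typo does not take mail down.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    harden_dovecot_ssl    "$DOVECOT_CONFD/10-ssl.conf"
    harden_dovecot_auth   "$DOVECOT_CONFD/10-auth.conf"
    harden_dovecot_master "$DOVECOT_CONFD/10-master.conf"
    if [ -f /etc/smtpd.conf ] && [ ! -f /etc/smtpd.conf.bak ]; then
        cp /etc/smtpd.conf /etc/smtpd.conf.bak
    fi
    render_smtpd_conf > /etc/smtpd.conf
    smtpd -n
    systemctl restart dovecot opensmtpd
    if command -v ufw >/dev/null 2>&1; then
        ufw allow "$SMTPS_PORT/tcp" && ufw allow "$IMAPS_PORT/tcp"
    fi
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it as root with --apply (MAIL_HOST=mail.example.org sh setup-mail.sh --apply); without the switch it only defines the functions, which is what makes the individual steps testable on copies of the config files. If your provider blocks 465 or 993, set SMTPS_PORT/IMAPS_PORT once here rather than editing three files by hand.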
table aliases file:/etc/aliases

#pki your.domain.name cert "/etc/dovecot/private/dovecot.pem"
#pki your.domain.name key "/etc/dovecot/private/dovecot.key"
pki your.domain.name cert "/etc/apache2/ssl/fullchain.pem"
pki your.domain.name key "/etc/apache2/ssl/private/key.pem"

listen on your.domain.name port 465 smtps pki your.domain.name auth

action "local" mbox alias <aliases>

match for local action "local"
match from any for domain "localhost" action "local"
match from any for domain "localhost.localdomain" action "local"
match from any for domain "your.domain.name" action "local"

What makes the server unfederated is in the listen and match lines: the only listener is implicit-TLS SMTP on 465 and it says "auth" (not "auth-optional"), so every session must authenticate as a system user, and every match rule delivers to local mailboxes for the local domains. There is no "match ... for any" relay rule, so mail addressed to any other domain is rejected rather than sent out.

5. Restart the services to reload the configuration files
---------------------------------------------------------

systemctl restart dovecot
systemctl restart opensmtpd

If either service fails to come back, "systemctl status" or "journalctl -u dovecot" / "journalctl -u opensmtpd" shows the parse error; "smtpd -n" checks smtpd.conf for syntax errors without restarting anything.

6. Open Ports
-------------

Open ports 465 and 993 in your firewall (and nothing else for mail: 25, 143 and 587 are not used by this setup). If you don't have a firewall, look up ufw (uncomplicated firewall). It is very simple to use. If the server is at home, you'll have to set up port forwarding on your router to gain external access.

If your internet provider blocks ports 465 and 993, you can use different numbers. Just don't use ports regularly used by other services. You can find lists of commonly used ports by searching online. If you do change them, change "port 465" in /etc/smtpd.conf and "port = 993" in 10-master.conf to match, and use the same numbers in the client setup in step 7.

7. Set up your email client
---------------------------

I use Claws-Mail and set it up as follows. Note that yourusername is the username of your account on the server.

Basic Tab
---------

Email Address: yourusername@your.domain.name
Protocol: IMAP
Server for Receiving: your.domain.name
SMTP server (send): your.domain.name
User ID: yourusername   <-- don't include the @your.domain.name!
Password: password for the user account on the server

Send Tab
--------

Check the box for SMTP Authentication. You don't have to fill in the User ID or Password.

TLS Tab
-------

Select the checkbox for "Use TLS" for both IMAP and SMTP.

Advanced Tab
------------

Select the checkbox for SMTP port and enter 465.
Select the checkbox for IMAP port and enter 993.

If you are using Dovecot's self-signed certificate, Claws Mail will warn about an unknown certificate on the first connection. Compare the fingerprint it shows with the fingerprint of the certificate on the server before accepting it; otherwise a different certificate on the path would pass just as easily.

8. Final Notes
--------------

A.
I suspect that in some situations using regular user accounts for email could pose a security risk by increasing the possibility of revealing usernames and passwords, but I only permit RSA key logins on my servers (and no root logins).

B. If you use a Let's Encrypt certificate, you'll probably want to add Dovecot and OpenSMTPD to the services that restart after each renewal. How you do that will depend on the client you use to update Let's Encrypt. Both certbot and acme.sh have that capability: certbot runs any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal (or takes --deploy-hook on the command line), and acme.sh takes a --reloadcmd when the certificate is installed. OpenSMTPD loads its pki at startup and Dovecot only re-reads the files on reload or restart, so the hook should run "systemctl restart dovecot opensmtpd". Until it does, both services keep serving the old certificate, and once that expires mail clients will refuse to connect.
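Two checks are worth running once the services are up: that no cleartext mail port is reachable from outside (the whole point of steps 3C and 4), and that the certificate actually being served on 465 and 993 is the one you installed, so that the fingerprint you accept in Claws Mail can be verified against the file on the server. The script below does both; it is an added example, not part of the original post. MAIL_HOST, SMTPS_PORT, IMAPS_PORT, CERT_FILE and the --run switch are assumptions of the example, as are the two embedded samples of ss(8) output, which are constructed to show a clean and an exposed server.

```shell
#!/bin/sh
# Post-install checks for the server built above. Added example, not the phlog
# author's code. Assumed (not in the original post): MAIL_HOST is the FQDN,
# the ports are 465/993 unless overridden, and openssl(1) and ss(8) exist.
set -u

MAIL_HOST="${MAIL_HOST:-your.domain.name}"
SMTPS_PORT="${SMTPS_PORT:-465}"
IMAPS_PORT="${IMAPS_PORT:-993}"
CERT_FILE="${CERT_FILE:-/etc/dovecot/private/dovecot.pem}"

# Check 1: nothing listens on a cleartext mail port. Reads `ss -ltnH` output
# on stdin (State Recv-Q Send-Q Local:Port Peer:Port ...). Loopback-only
# listeners are tolerated because they are not reachable from outside; any of
# 25/110/143/587 bound to another address is reported and the function returns 1.
audit_listeners() {
    awk '
        {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port ~ /^(25|110|143|587)$/ && addr != "127.0.0.1" && addr != "[::1]") {
                printf "cleartext mail port exposed: %s\n", $4
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Check 2: a TLS handshake succeeds on a port and the served certificate is
# the one we installed. Prints subject, expiry and SHA-256 fingerprint of the
# leaf certificate; compare the fingerprint with the one Claws Mail shows.
served_cert() {   # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Fingerprint of the certificate file on disk, for comparison with served_cert.
local_fingerprint() {   # $1 = PEM file
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Constructed sample of `ss -ltnH` output from a correctly configured server:
# only 465/993 are public; sshd on 22 and a loopback-only 25 are tolerated.
SAMPLE_SS_CLEAN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:465 0.0.0.0:*
LISTEN 0 100 [::]:993 [::]:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*'

# Constructed sample from a server where step 3C was skipped and the plain
# imap listener (143) is still open to the world.
SAMPLE_SS_EXPOSED='LISTEN 0 100 0.0.0.0:465 0.0.0.0:*
LISTEN 0 100 [::]:143 [::]:*'

run_live_checks() {
    ss -ltnH | audit_listeners || echo "FAIL: close the cleartext port(s) listed above"
    echo "--- served on $MAIL_HOST:$SMTPS_PORT"; served_cert "$MAIL_HOST" "$SMTPS_PORT"
    echo "--- served on $MAIL_HOST:$IMAPS_PORT"; served_cert "$MAIL_HOST" "$IMAPS_PORT"
    echo "--- on disk: $CERT_FILE"; local_fingerprint "$CERT_FILE"
}

if [ "${1:-}" = "--run" ]; then run_live_checks; fi
```

Run it on the server with --run; the three fingerprints printed at the end should be identical, and the expiry dates are a quick way to confirm that a Let's Encrypt renewal hook (note B) actually restarted both daemons. Running the audit from another host with "ss" replaced by an nmap scan of the public address tells you the same thing from the outside, which is what matters for a server behind a home router.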