Raspberry Pi Email Server

Powered by Drupal

raspberry-pi-email-server.png

The RasPi’s small size and low power consumption make it an ideal choice for use as a home email server. After trying a couple of different pieces of software, I finally found an excellent combination: Postfix with Dovecot and Squirrelmail, plus Spamasssassin and Sieve for spam filtering. There are many, many tutorials out there for the first trilogy of programs, but since the configuration is slightly different for each distribution I kept coming unstuck when setting mine up on the Pi. Having finally got mine configured properly, I’ve put together a set of 5 tutorials, which will take you from a vanilla Raspbian image to a fully functioning email server in no time. When writing the tutorial I made an effort to explain what each setting does instead of just dumping commands. With a bit of luck at the end of the process you’ll not only have a working server, you’ll understand how it works… without having to wade through reams of documentation like I did! If you follow the tutorials from start to finish, here’s what you’ll end up with:

  1. An email server that you can run 24/7/365 for under £5 of electricity per year
  2. Personalised email address like you@yourdomain.com (requires you to have registered a domain name with a registrar like namecheap.com - see my DNS basics tutorial)
  3. The ability to connect from anywhere, and read & send email, using a secure IMAP connection on your phone, tablet or computer
  4. Log in to webmail using any web browser on a secure HTTPS connection, read & send email
  5. Complete control over your personal communication. Your emails are stored on YOUR server, and nobody is scanning them to sell you adverts.
  6. Smart spam filtering with Spamassassin
  7. Customisable mail sorting with Sieve rules

Postfix, the Mail Transfer Agent

Postfix Logo

Postfix is the program that lets you send and receive email using Simple Mail Transfer Protocol (SMTP). Whilst you, the user, may connect to your email server using IMAP (on port 143 or 993), or POP (on port 110 or 995), email servers talk to each other using SMTP on port 25. So, this is the basic core of the server. Without it, you wouldn’t be able to send or receive any emails! I’ve covered the setup here: Raspberry Pi Email Server Part 1: Postfix

Dovecot, the POP/IMAP Server

dovecotLogo-300x130_0.png

Dovecot is used for two things:

  1. It provides you with IMAP functionality
  2. It checks that you are who you say you are using Simple Authentication and Security Layer (SASL) before you send or fetch mail

If you’re not interested in connecting with IMAP on your devices, you still need Dovecot. Not only is it doing SASL for you, but Squirrelmail connects using IMAP in order to provide you with webmail. I’ve covered Dovecot installation and configuration here: Raspberry Pi Email Server Part 2: Dovecot

Squirrelmail, for Webmail

Squirrelmail Logo

Squirrelmail is handy because it allows you to check your email in any browser, from anywhere. Of the first three, it’s probably the easiest to configure. I’ve covered it here: Raspberry Pi Email Server Part 3: Squirrelmail

Spamassassin, for Marking Spam

Spamassassin Logo

Spamassassin is the program that we will use to audit incoming mail and decide whether or not it’s spam. Spamassassin doesn’t actually sort the mail into the spam folder, it only changes information in the headers based on the results of the scan. I’ve covered it here: Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin.

LMTP & Sieve for Spam Sorting & Mailbox Organisation

After Spamassassin has checked incoming mail to see if it’s spam or not, we need another program to sort it into the right mail folder. This final step will be done with Dovecot’s Local Mail Transfer Protocol (LMTP) daemon and a Sieve plugin. Sieve is a simple programming language that allows users to define what to do with incoming email based on a predefined set of rules – think “if the header contains this flag, put it in the spam folder” kind of thing and you’ll get the gist. Aside from spam filtering, Sieve can be used to automatically sort & de-clutter your inbox. These steps are covered in the final tutorial: Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve Enjoy! I’d love to hear how you get on, so leave a comment below :)

Comments

So I started with you suggestion re: Mutt, and after toying with it a bit was able to determine you were right - it was IMAP related. So I checked my Dovecot settings and sure enough although I'd reconfigured mail_location I'd neglected to delete the default value. As a result, Dovecot appeared to be looking in that directory. All is running smoothly now.

Thank you again for your help. I'd convinced myself that Spamassassin was the culprit and would've never found this without your insight!

Jake

No problem :) breaking the problem down into small chunks and verifying each bit is working is always a good approach when troubleshooting. Sam

I have followed the 5 tutorials, and set up my new mailserver without any problems. Your documentation is not only accurate, but also educational. Most howto's are just a bunch of sudoing commands and config edits.
Your tutorials are excellent and it works!
I must say your postfix config with helo rules is brilliant, and has reduced the amount of spam that reaches spamassasin to a tiny fraction.
The future looks bright as My PI is now cloned, and the image kept safe together with regular /Maildir backups. So if it ever comes to a halt, I'll be up and tunning again in no time :)

Thanks again, Life is good
greetings from Norway

Brilliant - sheer joy at the end. I made a bunch of rookie errors that had me tearing out my hair.
I used dynu.com as a relay and put a space before my password in the relay login field after the colon (username:password) so the first thing to fail was the relay.

The relay and postfix have been configured to use port 2525 because port 25 outgoing is blocked. But I made the mistake of not mapping port 25 incoming to port 2525 on my server in my router. This meant that nothing arrived from outside of my lan and of course this meant there was absolutely nothing to see in the logs. I am a bit confused by this because I believed that everything from outside would be using port 993. I wasted hours trying to troubleshoot this but it was not wasted time of course, it was learning time. No pain, no brain.

I even tried setting up citadel suite in a virtual machine instead at one point and learned a whole other bunch of stuff about things not working.

I struggled with registering to get a certificate, following your tutorial, because it asked if I owned the mail address that I wanted to use. So I guess this means that to register I need to give the mail address at my server. I could not do this because I could not receive mail at that point. Hopefully this will be fine now. I think the single hardest thing to get a clear handle on is the SSL certificate and request for signing (csr) shenanigans. I have a bunch of questions about how many certs I need - can I use the same one for my Apache https and my mail server? Can postfix and dovecot refer to the same certificate? I sort of get it that a wildcard certificate can be used for all virtual web hosts in the same domain and that these are more expensive from commercial providers. I am not sure if I understand why they should be more expensive though.

Am all set for squirrel mail and anti-spam now.

Thanks for your work in putting this all together. I am by nature lazy and I guess I will have to put some effort into learning the SSL methodology properly.

Phill

Love that phrase, I think I'll steal it :) well done and congratulations at working it all out. Yeah you have to be able to receive email at that address for email verification with CAcert, but you don't need to already have a TLS cert for obvious reasons. As for how many certs you need, it depends on which subdomain names you are using with your various services. If you have a website at yourdomain.com and your mail server's DNS A record is also yourdomain.com, then a single cert for yourdomain.com will do. You can use the same cert for multiple services without any issues, as long as the fully qualified domain name of the service (subdomain and domain name) are the same. If you have a website at www.yourdomain.com and a mail server at mail.yourdomain.com then you need two (one for each subdomain) or a wildcard. If you get a commercial cert like the commodo cert I use then it might be valid for both yourdomain.com and www.yourdomain.com, which can be handy. I think the wildcard certs are more expensive for purely commercial reasons. For some of the more expensive certificates where the CA verifies more than just domain control I guess more work could be involved when issuing a wildcard. For examples of additional info included in a cert, compare my certificate to Amazon's - on Amazon's, the CA has verified the name of the organisation on the cert too; on mine it has been stripped out. On ubuntu.com, the location (London, GB) is included on the cert as well as the organisation, so the CA must have verified them. Sam

Hello,

for me, the Mail server is working, i can send and receive emails.
But i just can log in via K9-Mail and not via Thunderbird.
Also i needed to accept, that the certificate i sunsafe, when i logged in via K9. (once for imap and once for smtp)
I created my certificate like in ur tutorial and added the correct paths into the postfix and dovecot configuration files.

What could be wrong here?

Best regards
Hannes Beck

It's worth trying another client, yes. Not sure which one to recommend if you're on windows, sorry. Yes you will need to install the cacert root certificate on android too. If you have lots of people using the same server and you don't want to install certificates on every client machine then you can get a commercial cert quite cheaply (see this article). Sam

Ok, i installed the Ca-Cert Root Certificates on my Android Phone now. Then i tried logging in via K9 again.
I succeeded logging in, but again i got the Error, that the Certificate is not trusted.
What options do i need to check over in the configs of Postfix and Dovecot?
Maybe i did something wrong while creating the cert? The .key and the .crt File are in the correct location.

I've got another question, is it valuable to use this setup as my main Email Adress?
Sorry for my bad english ;)

Greetings
HB

Im creating a new cert now, i think i did paste the wrong thing at the CA-Cert Website.
I'll write back here if its working, it seems to last very long for the Cert to be accepted at the moment...
Thank you to this point :)

HB

Hello, i did configure everything again with the new cert:

sise-it.crt is in /etc/ssl/certs
sise-it.key is in /etc/ssl/private
The CA-Cert Root Certificate ist installed to the Server and to my PC as Client. I did this again to verify.
The paths in the config files of Postfix and Dovecot are correct.
After that i did restart dovecot and postfix.
What could be the Problem now? I can give you more information if it helps to solve my Problem.
My Domain Name is sise-it.com

I would be very happy about any idea.
Have a nice day. :)

Greetings
HB

I tried to connect with openssl and got a connection refused error most times, but did manage to connect on a couple of occasions and received a certificate signed by cacert. Are you currently working on the server? Sam

No, it shouldn't affect it. Check to see what the load on the system is, and make sure you're not being attacked by loads of bots (I think the behaviour would be similar if you were receiving a ton of connection requests and it couldn't handle them all). Sam

Hello,

i checked the system load with "top" and my server is in idle most of the time....
Maybe its caused by my bad internet connection at home, i just have 16mbit download and about 1,5-2mbit upload.
I already planned to upgrade to 50mbit(10 upload) here.
Additionally im running a Website, a Nextcloud, a Emby Media Server and the Mail Server, maybe this is to heavy for my connection.
But anyway, how else could i check if im spammed with tons of requests, and how can i avoid that? Is cloudflare a good option?

But the thing with the certificate must be another problem, right?

Greets
HB

I'd check the mail log to see how much activity there is. It could be dodgy connection, especially if your server is connected via WiFi? I wasn't able to work out if there actually is a cert problem because I got half way through testing and was getting inconsistent results (couldn't always connect). Sam

Rob Heron

Tue, 11/14/2017 - 10:55

Hi Sam,

Hope you are well.
I was wondering whether you would be able to shed some light on a strange issues i'm having. Recently my pi crashed and required rebooting, (i'm not sure what caused it and couldnt find anything obvious in the logs). I logged into my webmail and was able to check email - all OK, however on going to send an email within Squirrelmail I receive "554 5.7.1 : Relay access denied". I first thought perhaps spam filters, so went down that rabbit hole, only to find its not related. It turns out my outlook client on my mobile works fine for sending emails from this account. So the line in my postfix main.cf i'm questioning is mynetworks = 127.0.0.0/8 which is specified under smtpd_relay_restrictions = permit_mynetworks. This had worked before, so i'm unsure what has changed.

Nov 14 10:35:37 raspberrypi001 postfix/smtpd[21015]: connect from localhost[127.0.0.1]
Nov 14 10:35:37 raspberrypi001 postfix/smtpd[21015]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Nov 14 10:35:37 raspberrypi001 postfix/smtpd[21015]: lost connection after RCPT from localhost[127.0.0.1]
Nov 14 10:35:37 raspberrypi001 postfix/smtpd[21015]: disconnect from localhost[127.0.0.1]

Could I again be chasing the wrong thing and simply need to restart a service?

Also, do you have any articles on setting up an additional mail server within the same network in case one is down a load balancer could take care of it?

Thanks,

Rob

Hi Rob, Bit of a difficult one to troubleshoot because I don't use squirrelmail any more, but the reason squirrelmail used to work when sending is because it's a local service and therefore gets a free pass with permit_mynetworks in the restriction lists like you said. I don't think I ever configured it to use SMTP authentication when sending email, but can you check your current settings to see what it's doing? It would be worth comparing the settings to the sender, recipient, helo and relay restriction lists to see where it might be being rejected. As for your other question, you can use an MX backup for additional redundancy when one server is down. This helps ensure you receive incoming mail, but doesn't solve your outgoing mail issue. I've never investigated using load balancing servers. Sam

Michael Chare

Mon, 12/04/2017 - 17:30

My Raspberry Pi email server has worked fine for the past year.

The Pi itself is running jessie. Should I upgrade this to stretch?
(I have had one attempt, but it was unsuccessful, and I had to restore the image backup.)

Sam Hobbs

Mon, 12/04/2017 - 21:32

In reply to by Michael Chare

I would make a backup image, and then upgrade. Be careful during the upgrade if it asks you if you want to replace your current config files with updated maintainer versions... keep the current config. Sam

I have tried upgrading to Stretch but I then find that if I use xrdp to connect to the Pi all I get is a blank screen rather than the desktop.
Google does not know the answer to that problem!

Xrdp works fine on a fresh install of Stretch.

Any notes on how to copy the email configuration from one Pi to another would be appreciated.

Hi Sam,

Have come across your website a few days ago. I have also spent some time looking for other mail server solution on Raspberry Pi. I have been working on Citadel for the last few days, but it's not working properly and it won't login.

I want to consider your solution here, but I must first ask if this is still a good option to go with considering that this article been written a few years ago.

My main objective is to have my own mail server.

Please advise.

Kind regards,
Saeed

Saeed, Yes the tutorial should still work (with the exception of squirrelmail, which seems to have a packaging bug - it depends on php5 but only php7 is in the repos). As far as I know, that's the only problem people have been having. You can just skip the squirrelmail tutorial and everything else will work fine (but with no webmail). I started out by trying citadel many years ago, and had a very negative experience. The postfix/dovecot combination should be much more secure IMO. Sam

Add new comment

The content of this field is kept private and will not be shown publicly.

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.