The RasPi’s small size and low power consumption make it an ideal choice for use as a home email server. After trying a couple of different pieces of software, I finally found an excellent combination: Postfix with Dovecot and Squirrelmail, plus Spamassassin and Sieve for spam filtering.
There are many, many tutorials out there for the first trilogy of programs, but since the configuration is slightly different for each distribution I kept coming unstuck when setting mine up on the Pi. Having finally got mine configured properly, I’ve put together a set of 5 tutorials, which will take you from a vanilla Raspbian image to a fully functioning email server in no time. When writing the tutorial I made an effort to explain what each setting does instead of just dumping commands. With a bit of luck at the end of the process you’ll not only have a working server, you’ll understand how it works… without having to wade through reams of documentation like I did!
If you follow the tutorials from start to finish, here’s what you’ll end up with:
- An email server that you can run 24/7/365 for under £5 of electricity per year
- Personalised email address like firstname.lastname@example.org (requires you to have registered a domain name with a registrar like namecheap.com - see my DNS basics tutorial)
- The ability to connect from anywhere, and read & send email, using a secure IMAP connection on your phone, tablet or computer
- Log in to webmail using any web browser on a secure HTTPS connection, read & send email
- Complete control over your personal communication. Your emails are stored on YOUR server, and nobody is scanning them to sell you adverts.
- Smart spam filtering with Spamassassin
- Customisable mail sorting with Sieve rules
Postfix, the Mail Transfer Agent
Postfix is the program that lets you send and receive email using Simple Mail Transfer Protocol (SMTP). Whilst you, the user, may connect to your email server using IMAP (on port 143 or 993), or POP (on port 110 or 995), email servers talk to each other using SMTP on port 25. So, this is the basic core of the server. Without it, you wouldn’t be able to send or receive any emails! I’ve covered the setup here: Raspberry Pi Email Server Part 1: Postfix
Dovecot, the POP/IMAP Server
Dovecot is used for two things:
- It provides you with IMAP functionality
- It checks that you are who you say you are using Simple Authentication and Security Layer (SASL) before you send or fetch mail
If you’re not interested in connecting with IMAP on your devices, you still need Dovecot. Not only is it doing SASL for you, but Squirrelmail connects using IMAP in order to provide you with webmail. I’ve covered Dovecot installation and configuration here: Raspberry Pi Email Server Part 2: Dovecot
Squirrelmail, for Webmail
Squirrelmail is handy because it allows you to check your email in any browser, from anywhere. Of the first three, it’s probably the easiest to configure. I’ve covered it here: Raspberry Pi Email Server Part 3: Squirrelmail
Spamassassin, for Marking Spam
Spamassassin is the program that we will use to audit incoming mail and decide whether or not it’s spam. Spamassassin doesn’t actually sort the mail into the spam folder, it only changes information in the headers based on the results of the scan. I’ve covered it here: Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin.
LMTP & Sieve for Spam Sorting & Mailbox Organisation
After Spamassassin has checked incoming mail to see if it’s spam or not, we need another program to sort it into the right mail folder. This final step will be done with Dovecot’s Local Mail Transfer Protocol (LMTP) daemon and a Sieve plugin. Sieve is a simple programming language that allows users to define what to do with incoming email based on a predefined set of rules – think “if the header contains this flag, put it in the spam folder” kind of thing and you’ll get the gist. Aside from spam filtering, Sieve can be used to automatically sort & de-clutter your inbox. These steps are covered in the final tutorial: Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve
Enjoy! I’d love to hear how you get on, so leave a comment below :)
clamd is part of ClamAV (antivirus scanner) so the default "mailserver" configuration may be passing messages to ClamAV to scan for viruses (rather like postfix passes mail to spamassassin in this tutorial). That's not a bad thing, but unnecessary if all of your devices run Linux.
saslauthd might be the Cyrus SASL implementation (used for authentication - this tutorial uses Dovecot's implementation of SASL instead). Maybe your outgoing email goes directly through the ISP and your sent messages are just picked up again with IMAP by Fetchmail? Do you run anything on port 80? It's not a good idea to leave it open if not. Also, take a look at /var/log/auth.log, guaranteed some bots are hammering your SSH. I'd recommend running fail2ban and/or using publickey authentication (i.e. disable password authentication) if you're not already doing so! Let me know if you need help! Sam
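The kind of summary that reading /var/log/auth.log gives, as an added example that is not part of the original comment: it groups failed SSH logins by source address and flags addresses that fail repeatedly within a short window, the way fail2ban does. The log lines are constructed, and `max_retry` and `find_time` are illustrative names and thresholds, not values read from any fail2ban configuration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov  7 23:30:01 raspberrypi sshd[2101]: Invalid user admin from 203.0.113.5
Nov  7 23:30:01 raspberrypi sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Nov  7 23:30:02 raspberrypi sshd[2103]: Failed password for root from 203.0.113.5 port 40124 ssh2
Nov  7 23:30:02 raspberrypi sshd[2105]: Invalid user oracle from 203.0.113.5
Nov  7 23:30:03 raspberrypi sshd[2107]: Invalid user test from 203.0.113.5
Nov  7 23:31:10 raspberrypi sshd[2110]: Accepted publickey for pi from 192.0.2.10 port 51000 ssh2
Nov  7 23:32:00 raspberrypi sshd[2111]: Failed password for pi from 198.51.100.7 port 33000 ssh2
Nov  7 23:50:00 raspberrypi sshd[2120]: Invalid user guest from 198.51.100.7
"""

# Matches the two failure messages used in the sample; other sshd messages
# (accepted logins, disconnects) are ignored.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def failed_connections(log_text, year=2014):
    """Return {ip: {"times": [...], "users": {...}}}, one time per failed connection.

    sshd forks one process per connection, so the PID groups the lines that
    belong to the same attempt and stops one attempt being counted twice.
    Syslog timestamps carry no year, so the caller supplies one.
    """
    seen = set()
    by_ip = defaultdict(lambda: {"times": [], "users": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        entry = by_ip[m["ip"]]
        entry["users"].add(m["user"])
        key = (m["ip"], m["pid"])
        if key in seen:  # second line about the same connection
            continue
        seen.add(key)
        entry["times"].append(
            datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        )
    return by_ip


def offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: usernames tried} for addresses with at least max_retry
    failed connections inside any window of length find_time."""
    flagged = {}
    for ip, entry in failed_connections(log_text).items():
        times = sorted(entry["times"])
        for i in range(len(times) - max_retry + 1):
            if times[i + max_retry - 1] - times[i] <= find_time:
                flagged[ip] = sorted(entry["users"])
                break
    return flagged


if __name__ == "__main__":
    for ip, users in offenders(SAMPLE_LOG).items():
        print(ip, "tried", ", ".join(users))
```

To run it against a real log, pass the contents of /var/log/auth.log (readable by root) to `offenders()` in place of `SAMPLE_LOG`.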
1. I set sylpheed up to send straight to my ISP with SSL. The copy of the email that I want to preserve is stored away by sylpheed in the IMAP structure. I tried to get it to go through Synology but it gets rejected (SASL authorisation failure, 5126.96.36.199) by my ISP, which I now know is not surprising as I don't see anything in main.cf on the Synology. (BTW: you have main.conf at at least one place in the tutorial.)
2. Synology displays the number of "naughty" attempts at logging in etc. (Hello 188.8.131.52 just now.) It doesn't do it by an auth.log but it's easy to see them. I'm not inundated.
3. I have a pathetic home webpage on 80.
No: none of the rest of the family will touch Linux. Mixture of Windows and Apple and Android and Windows phones.
I think I may have wasted enough of your time talking about the vagaries of the Synology variant of Linux. I have learned a vast amount from a) your tutorial and b) the experiments you have led me to perform on the Synology. I shall now try to replicate the "spirit" of the Synology setup on the Pi using your tutorial with more understanding of what's going on.
I now owe you 2 bottles of good wine but have no idea how I can get them to you. Suggestions?
auth.log I discovered a bot was going mad trying to bruteforce SSH (no danger because I was using publickey authentication only, password authentication was turned off), but it didn't stop them trying every username under the sun, three per second for months, which is a waste of resources. The virus scanner is probably a good idea then - there are lots of nasty windows viruses out there that get transmitted by email (like the one that encrypts your home folder and ransoms you the key!). I'm not one to refuse a bottle of wine ;) that really is too kind of you. Whereabouts in the country are you (actually, are you even from the UK?). Here's a neat trick for you to try on your Pi:
sudo apt-get update
sudo apt-get install whois
whois samhobbs.co.uk
Sam
I'll send you a private email if that is OK so you can see who I am. Is it OK?
If you can see my "hidden" (hidden from whom?) email address then you can see where I live. I suspect I should pay the fee to hide it though.
Whenever I send an email to an external email account, such as gmail, I get an email sent straight back saying 'undelivered mail returned to sender'. In the email it says that it's likely that the email was 'unsolicited mail'. Does anyone know how to fix this?
Thanks in advance,
Thanks for the quick response!
How exactly do I use my ISP's SMTP server to relay outgoing mail?
I am sure many people find your instructions useful. However, I got stuck at step 3, modify the main.cf file. Using the editor in the accessories only led to my being told I don't have permissions. As always in my experience with Linux based systems it means going off to do yet another tutorial or go to some bulletin board asking for more help. Although I studied computer science as my undergraduate degree a number of decades ago, seems that nothing has changed with the way people write operating systems. Sorry if I appear jaded with the whole process, but this started with my loading the Raspbian operating system a couple of days ago. All I wanted to do then was to stop the screen blanking after 10 minutes. 3 hours later after trolling through websites and forums in amongst others who also had the same problem I seem to have fixed that problem. 3 steps later another show-stopper. Anyway, perhaps you can tell me what I am doing wrong at this juncture??
Just used nano out of the console rather than 'my favorite text editor' and that seems to have gotten around the permissions problem. Moving forward until I hit the next road-block.
sudo to run a command you are telling the computer to run the command that follows as the superuser (administrator/root), i.e. sudo="SuperUser DO". By the way, this isn't just a Linux thing - if you wanted to do something similar in windows you'd have to right click notepad and "run as administrator" or something like that. If you want to run a graphical application as root you have to use a different command to sudo, for example gksudo, but this depends on which graphical desktop you're using. Bit of a pain, right? This is why almost every tutorial expects you to be using a terminal to make edits. I'm going to change the tutorial so that it says "command line text editor", hopefully that'll make it clearer. Using a graphical editor really didn't occur to me because I actually never use the graphical desktop on a Pi, I prefer to connect with secure shell (SSH) from my normal computer, which gives me a remote terminal session. This is handy if you don't want to have a monitor attached to the pi all the time. You can get a secure shell from Linux (or Mac) to Linux by opening the terminal and typing:
ssh email@example.com
Or use the hostname of the server instead of the IP address, like:
ssh pi@raspberrypi
If you want to connect from windows to Linux, there's a free software program called PuTTY you can download. Hope that helps, don't get put off by things like this - every thing you learn makes the next thing easier. I've only been using Linux for a year and a half now and I've learned so much! Sam
I've been using nano for the time being, I'll chase up a visual editor later.
I've gotten as far as installing dovecot and am about to test SASL. I commented out a "}" by accident, and fixed it and now don't get any more error messages when I restart postfix and dovecot. Getting late, so I'll leave it for today and try to complete the installation process tomorrow.
Thanks for your help.
I have two Raspberry Pi machines connected to a single router. That router is addressable as rpibee.com via dyndns and I have the respective email port pointed to one of the aforementioned Raspberry Pi.
I am using Postfix with Dovecot and Squirrelmail, as your tutorial suggested, on the one RPi and it sends and receives email fine.
The question is can I get the other RPi to route email thru the 1st one without getting another dyndns name? One complication is that both boxes are headless and therefore the email from the second box is either from a script or a compiled program.
BTW Both RPi are running raspbian.
Awesome couple of tutorials! Thanks.
Would be great to be able to turn this into a multi-domain setup <-- hint hint
mydestination = yourdomain.com, yourdomain, localhost.localdomain, localhost, yourdomain2.com
...then mail sent to firstname.lastname@example.org and email@example.com will land in system user foo's Maildir. Outgoing email is more difficult, because if you only have one IP address you can only have one PTR record (for reverse DNS lookups). So if you send mail from yourdomain2.com to some other server, and that server does a rDNS lookup and sees that the IP address is supposed to be for yourdomain1.com, it might reject it as spam. Not every server is configured like this, but I found out that some do the hard way when some of my email was getting rejected until I asked my ISP to change my PTR record to samhobbs.co.uk from the generic one. Also, what do you do about all the SSL/TLS parts - you can't have an SSL cert that is valid for yourdomain.com and yourdomain2.com at the same time, and postfix needs to know which cert to use at the start of the connection, before it knows which domain the client is trying to connect to. I have a feeling that people who have one server for multiple domains either don't use SSL/TLS, or they have multiple IP addresses (but I could be wrong!). So basically, it's not as easy as it seems. You might find the postfix documentation for virtual hosting an interesting read. Thanks for your comment :) Sam
You have some valid concerns about hosting multiple domains on a single server!
The DNS and PTR should not be a challenge: http://help.dnsmadeeasy.com/spry_menu/ptr-record/
Easy to setup and a lot of servers serve multiple email domains so it can't be that hard (famous last words).
I absolutely agree with your easy solution of adding the extra domains to the 'mydestination' field and be done with it (I use this right now).
The more elegant way would be the way of the "Virtual Domain Hosting": http://www.postfix.org/VIRTUAL_README.html. But this will take some re-configuration of the server so maybe your tutorial could follow these rules from the start but implement only one domain, this way the setup is future proof or "built to change".
The Postfix book is a good help; http://www.amazon.com/exec/obidos/ASIN/1593270011/postfixbook-20/ref=no…
Also available at your local (Arrr) e-book supplier.
ps. your homepage field above this reply needs "http://", stringent! :D
feathers-mcgraw@Hobbs-T440s:~$ dig samhobbs.co.uk
; <<>> DiG 9.9.5-4.3-Ubuntu <<>> samhobbs.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14778
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;samhobbs.co.uk. IN A
;; ANSWER SECTION:
samhobbs.co.uk. 32569 IN A 184.108.40.206
;; Query time: 3 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Fri Nov 07 23:32:13 GMT 2014
;; MSG SIZE rcvd: 48
feathers-mcgraw@Hobbs-T440s:~$ dig -x 220.127.116.11
; <<>> DiG 9.9.5-4.3-Ubuntu <<>> -x 18.104.22.168
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;22.214.171.124.in-addr.arpa. IN PTR
;; ANSWER SECTION:
126.96.36.199.in-addr.arpa. 43200 IN PTR samhobbs.co.uk.
;; Query time: 29 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Fri Nov 07 23:33:21 GMT 2014
;; MSG SIZE rcvd: 85
The problem that I was referring to in my original post is that you can only have one PTR record per IP address. Show me a person with multiple IP addresses pointing to a Raspberry Pi and I will eat my hat! You will notice that the virtual domain hosting link you posted is the same one I sent you in the comment you are replying to! I understand that it can be done, I just don't think it's appropriate for a RasPi tutorial because it means adding a lot of complexity. I gave you the link because I didn't want to hold you back, if you want to do it then go for it! I've tried to keep it simple - if you're using a Pi for a really busy email server with multiple domains you're doing something wrong. The reason I wrote this guide is that I couldn't find any tutorials aimed at Raspbian (or Ubuntu/Debian) that taught me the basics - how to set up a small home email server for personal use, plus a handful of people (think close family). I think that if I changed the tutorial to add lots of virtual bits it would make it less useful for people like me, and I always try to write the tutorial I was looking for but couldn't find. Of course, that doesn't mean that I won't write a new tutorial someday covering a more advanced setup - I'm certainly interested in learning about virtual hosting, I just don't need it myself right now and I'm working on other things so I don't have the time.
I'd like to leave this tutorial as it is because I think it's more useful for beginners this way. As for my homepage field... if anything it would be "https://" ;) - the protocol was left off deliberately. Sam
Thanks for the pages, they seem to be quite comprehensive. Reading the comments, it works for many.
However, I am lost at the requirements:
"2. Personalised email address like firstname.lastname@example.org (requires you to own a cool domain name) "
What do you mean by "own a domain name". For the last decade or more one can't own a domain name. It must be registered by an official registrar.
But say one did register 'reallycool.com'. There is no connection between this name and the ISP/IP I am connected to/via.
How will the email my friend sends me find my 'reallycool.com' email server?
Could you extend on this please?
dig command like so:
~$ dig samhobbs.co.uk MX
; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> samhobbs.co.uk MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37870
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samhobbs.co.uk. IN MX
;; ANSWER SECTION:
samhobbs.co.uk. 60000 IN MX 10 samhobbs.co.uk.
;; Query time: 26 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Dec 16 18:38:27 GMT 2014
;; MSG SIZE rcvd: 59
Then the MTA will look up the DNS A record for the domain in the result. In this case it's samhobbs.co.uk but it is often mail.yourdomain.com for domains that have a separate server at a different IP address for email. Again, with the
~$ dig samhobbs.co.uk
; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> samhobbs.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36866
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samhobbs.co.uk. IN A
;; ANSWER SECTION:
samhobbs.co.uk. 59209 IN A 188.8.131.52
;; Query time: 3 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Dec 16 18:43:17 GMT 2014
;; MSG SIZE rcvd: 59
... which gives the IP address for the domain name - in my case it's
Thank you very much for this comprehensive tutorial. I was trying to install postfixadmin to manage postfix but didn't succeed. Would you be able to help me with this topic?
Thank you for the great tutorials! I am a relative newbie, so please bear with me.
One thing that puzzles me is the requirement to "have a registered domain name".
I followed your tutorial and installed owncloud in one of my raspberry pi's and am considering setting up a pi for an e-mail server. I got my owncloud pi working by opening port 80 to the pi and using http. It's shut down now because I would like to use SSL.
For external ssh access to my pi's (I have 10 of them), I set a unique port number and a unique ip address on my LAN for each pi.
Can't I just use my static external IP address (as my "domain name") and open appropriate ports (like 443) in my router that forward traffic to an owncloud pi or email server pi?
I followed your instructions to get a CAcert SSL certificate and got to the point "After you have created your account and logged in, navigate to server certificates --> new". I put in my CSR and tried to submit, but CAcert can't send to webmaster@MYIPADDRESS. I don't have a domain name (and would like to do this without one) and I don't have an email server set up because I don't have a domain name.
So, my questions are:
Can I use owncloud with SSL with my static external IP address instead of a domain name?
Can I make a pi email server with my static external IP address instead of a domain name?
Thanks for your help!
email@example.com, which gives a hostname (commonly domain.com)... they then do a DNS A lookup on the hostname to get the IP address to connect to. You can't get a CA to sign a certificate for an IP address for good reasons. One of these reasons is that sometimes they change (if you had a dynamic IP address, you could ask them to verify a cert for your current IP, then power cycle your router, get a new IP, verify the new one... at which point the CA would be telling everyone you control an IP address that isn't assigned to you... there's no way for an automated service like CAcert to know if an IP address is static or dynamic, and even if you have a static IP you can often ask for a new one, so that wouldn't be a guarantee). What is a reliable guarantee is domain name registration, since registration is generally for a long period of time, and this is more flexible because once you've registered a domain name you can choose which IP address to point it at, and change it without changing the certificate. Not having a signed cert won't stop you from running services on 443 (https) with just an IP address, but if you do you'll get a browser error because the certificate has not been verified. One handy workaround could be signing up with a free service like noip.com which will give you a valid domain name to use (it'll be a subdomain though, foobar.noip.com or something similar - OK for something like a web page only you will use, but not ideal for email... still better than an IP address though!). Not sure what would happen if you tried to verify a certificate for a noip subdomain, but there's no harm in trying, I think it would work. You can get a "proper" domain name really cheap, mine was 5 years for ~£15 with namecheap.com which I think is great value (avoid GoDaddy!). So... yes, you can use SSL for owncloud without a domain name (but you'll get certificate errors).
And yes, technically I think you could set up an email server for sending and receiving mail with only your IP address, but you'd probably be marked as a spammer and people would have to type in firstname.lastname@example.org with the square brackets, which is a bit unnatural. You wouldn't have a valid cert for your mail server either. You'll save yourself some pain if you get a domain name. Sam
Thank you. That all makes perfect sense.
Ok, I'll get a domain name and a certificate from CAcert.
But when I submit my CSR to CAcert, how do they respond/authenticate to a webmaster@MYDOMAINNAME if it doesn't exist yet since I don't have my @MYDOMAINNAME or my mail server set up yet?
I took your advice and got a domain name from namecheap. $10.87/year for mydomain.com with free whoisguard protection.
I got the cacert certificate (had to disable whoisguard, temporarily to do this).
I opened up ports 80 and 443 on my router for the ownCloud pi - LAN static IP. Any problem here?
I use Linux Mint Mate 17.1 (love it) and successfully connected to my ownCloud at https://mydomain.com using Konqueror, Firefox, and Chromium.
I get my ownCloud site with a green check in the shield. No problem.
For Firefox and Chromium I followed the instructions in http://wiki.cacert.org/FAQ/BrowserClients#Linux and connect with lock in Firefox and green lock and https in Chromium.
Thanks again for your great tutorials! Now I'll move on to the pi e-mail server.
I followed your 'howto' to the letter but I cannot receive e-mails. I get the following error message:
Delivery to the following recipient has been delayed:
Message will be retried for 2 more day(s)
Technical details of temporary failure:
DNS Error: Address resolution of mail. failed: Domain name not found
MelbourneIT have my DNS records set as:
A, CNAME, AAAA Records:
www.mydomain.com.au. myIP 86400 A
mail.mydomain.com.au. myIP 86400 A
mydomain.com.au. mail. 86400 10
I have tried changing the Postfix hostname to mail.mydomain.com.au from mydomain.com.au without success.
I'm out of ideas. Any help would be appreciated.
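The lookups discussed in this thread (the MX record for the domain, then the A record for the MX host, and the PTR record a receiving server may check for outgoing mail), as an added example that is not part of the original page or of any comment. The zone data is constructed from reserved documentation names and addresses, and `lookup`, `mail_hosts` and `check_domain` are hypothetical helper names; a real check would replace `lookup` with queries like the dig commands shown above.

```python
import ipaddress

# Constructed zone data as (name, type, value). "broken.example." has an MX
# whose target is the bare label "mail." instead of a full host name, the
# situation behind a "resolution of mail. failed" bounce.
ZONE = [
    ("example.org.", "MX", "10 mail.example.org."),
    ("mail.example.org.", "A", "192.0.2.25"),
    ("25.2.0.192.in-addr.arpa.", "PTR", "mail.example.org."),
    ("broken.example.", "MX", "10 mail."),
    ("mail.broken.example.", "A", "192.0.2.26"),
    ("nomx.example.", "A", "192.0.2.27"),
    ("27.2.0.192.in-addr.arpa.", "PTR", "host27.isp.example."),
]


def lookup(zone, name, rtype):
    """Stand-in for a DNS query: all values of the given type for a name."""
    return [v for n, t, v in zone if n.lower() == name.lower() and t == rtype]


def mail_hosts(zone, domain):
    """Hosts a sending MTA would try, lowest MX preference first."""
    mx = sorted(
        (int(pref), host)
        for pref, host in (v.split() for v in lookup(zone, domain, "MX"))
    )
    if mx:
        return [host for _, host in mx]
    # RFC 5321: with no MX record, the domain itself is used as the mail host.
    return [domain] if lookup(zone, domain, "A") else []


def check_domain(zone, domain):
    """Follow MX -> A -> PTR and return a list of problems (empty if none)."""
    problems = []
    hosts = mail_hosts(zone, domain)
    if not hosts:
        problems.append(f"{domain} has no MX or A record")
    for host in hosts:
        addrs = lookup(zone, host, "A")
        if not addrs:
            problems.append(f"MX target {host} has no A record")
        for ip in addrs:
            # 192.0.2.25 -> 25.2.0.192.in-addr.arpa.
            ptr_name = ipaddress.ip_address(ip).reverse_pointer + "."
            names = lookup(zone, ptr_name, "PTR")
            if not names:
                problems.append(f"{ip} has no PTR record")
            elif host.lower() not in (n.lower() for n in names):
                # Some receiving servers treat this mismatch as a spam signal.
                problems.append(f"PTR for {ip} is {names[0]}, not {host}")
    return problems


if __name__ == "__main__":
    for d in ("example.org.", "broken.example.", "nomx.example."):
        print(d, check_domain(ZONE, d) or "ok")
```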