Raspberry Pi Email Server

The RasPi’s small size and low power consumption make it an ideal choice for use as a home email server. After trying a couple of different pieces of software, I finally found an excellent combination: Postfix with Dovecot and Squirrelmail, plus Spamassassin and Sieve for spam filtering.

There are many, many tutorials out there for the first trilogy of programs, but since the configuration is slightly different for each distribution I kept coming unstuck when setting mine up on the Pi. Having finally got mine configured properly, I’ve put together a set of 5 tutorials, which will take you from a vanilla Raspbian image to a fully functioning email server in no time.

When writing the tutorial I made an effort to explain what each setting does instead of just dumping commands. With a bit of luck at the end of the process you’ll not only have a working server, you’ll understand how it works… without having to wade through reams of documentation like I did!

If you follow the tutorials from start to finish, here’s what you’ll end up with:

  1. An email server that you can run 24/7/365 for under £5 of electricity per year
  2. A personalised email address like you@yourdomain.com (requires you to have registered a domain name with a registrar like namecheap.com - see my DNS basics tutorial)
  3. The ability to connect from anywhere, and read & send email, using a secure IMAP connection on your phone, tablet or computer
  4. Webmail access from any web browser over a secure HTTPS connection, to read & send email
  5. Complete control over your personal communication. Your emails are stored on YOUR server, and nobody is scanning them to sell you adverts.
  6. Smart spam filtering with Spamassassin
  7. Customisable mail sorting with Sieve rules

Postfix, the Mail Transfer Agent

Postfix is the program that lets you send and receive email using Simple Mail Transfer Protocol (SMTP). Whilst you, the user, may connect to your email server using IMAP (on port 143 or 993), or POP (on port 110 or 995), email servers talk to each other using SMTP on port 25.

So, this is the basic core of the server. Without it, you wouldn’t be able to send or receive any emails!

I’ve covered the setup here:
Raspberry Pi Email Server Part 1: Postfix

Dovecot, the POP/IMAP Server

Dovecot is used for two things:

  1. It provides you with IMAP functionality
  2. It checks that you are who you say you are using Simple Authentication and Security Layer (SASL) before you send or fetch mail

If you’re not interested in connecting with IMAP on your devices, you still need Dovecot. Not only is it doing SASL for you, but Squirrelmail connects using IMAP in order to provide you with webmail.

I’ve covered Dovecot installation and configuration here:
Raspberry Pi Email Server Part 2: Dovecot

Squirrelmail, for Webmail

Squirrelmail is handy because it allows you to check your email in any browser, from anywhere.

Of the first three, it’s probably the easiest to configure. I’ve covered it here:
Raspberry Pi Email Server Part 3: Squirrelmail

Spamassassin, for Marking Spam

Spamassassin is the program that we will use to audit incoming mail and decide whether or not it’s spam. Spamassassin doesn’t actually sort the mail into the spam folder, it only changes information in the headers based on the results of the scan. I’ve covered it here: Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin.

LMTP & Sieve for Spam Sorting & Mailbox Organisation

After Spamassassin has checked incoming mail to see if it’s spam or not, we need another program to sort it into the right mail folder. This final step will be done with Dovecot’s Local Mail Transfer Protocol (LMTP) daemon and a Sieve plugin.

Sieve is a simple programming language that allows users to define what to do with incoming email based on a predefined set of rules – think “if the header contains this flag, put it in the spam folder” kind of thing and you’ll get the gist. Aside from spam filtering, Sieve can be used to automatically sort & de-clutter your inbox. These steps are covered in the final tutorial: Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve

Enjoy! I’d love to hear how you get on, so leave a comment below :)

Comments

a2dismod is only for apache modules, you want sudo systemctl stop apache2 and sudo systemctl disable apache2 to stop and disable apache.

Sam

Hi Sam, just following on from my previous issue. As I mentioned earlier I replaced my modem-router and I stopped receiving emails from external domains--I could send and receive emails to myself, and send emails out, but not receive emails from outside. After updating the MX records I waited a few days and no change (not really surprising). So I tried opening port 25 and it all works now. So I am confused now, because I thought I had previously only had port 465 open for SMTP. Why does the server now also need port 25?

All server to server communication happens on port 25, which is why so many people have problems if their ISPs block port 25.

Port 465 is used for mail submission (mail client to server).

The end of part 2 has a section about which ports to forward!

Sam

Dear Sam and all,
First, thank you very much for this tutorial. I already have a Raspberry Pi Model B+ (512MB). I am wondering if it can smoothly run the mail server described above. I will also run a LAMP server (personal use). All in command line. Do you have any experience?
Greetings,
Vincent

Hello Sam

You're just great with all your tutorials - so enlightening.

On the email one I am just stuck with my dynamic dns & domain configuration.

Let me tell you how I am organised, to see if you can help me here:

I have a Raspberry at home, with postfix dovecot etc, and I have a dynamic IP.
I set up a dynamic dns hostname on one of the many providers --> uga.ns0.it points to my router
I also have a full domain registered under my name, called lmyc.it
By filling its CNAME field www.lmyc.it points to uga.ns0.it.
This works OK for apache-served content to be reached from www.lmyc.it
So far so good.

Now what I want is have "alberto@lmyc.it" hosted on the same Raspberry.

My problem is that I can't figure out how (or if....) I can fill the MX records on uga.ns0.it and/or lmyc.it.
What I did is to put "mail.uga.ns0.it" on dyndns's MX record
and added another CNAME record to lmyc.it: mail.lmyc.it -> mail.uga.ns0.it
but it just doesn't work.

Thanks in advance for any help :)

Ciao
Alberto

Sounds like port blocking to me, do you get a connection timed out error if you:

telnet samhobbs.co.uk 25

?

If so, your ISP is blocking outbound connections on port 25.

Sam

I can receive email from any other email servers, but when I reply to them (in Roundcube) it says message successfully sent, and I tried in Outlook too. It sends but is never received by them (I checked junk files, spam, ...).

I tried telnet example.com 25
and when I put
mail from: test@example.com
ok
rcpt to: ssss@gmail.com
454 4.7.1 : Relay access denied

Did you really test a connection to example.com or samhobbs.co.uk? I'm trying to test outgoing connections on port 25 from your LAN to see if you can make a connection, because it will tell us if the port is blocked (don't try and send an email).

Sam

this is my email log!

Dec 3 21:03:58 webserver postfix/qmgr[6297]: 7136421C2: from=, size=232, nrcpt=1 (queue active)
Dec 3 21:04:28 webserver postfix/smtp[15687]: connect to gmail-smtp-in.l.google.com[173.194.79.26]:25: Connection timed out
Dec 3 21:04:58 webserver postfix/smtp[15687]: connect to alt1.gmail-smtp-in.l.google.com[74.125.200.27]:25: Connection timed out
Dec 3 21:05:28 webserver postfix/smtp[15687]: connect to alt2.gmail-smtp-in.l.google.com[64.233.188.26]:25: Connection timed out
Dec 3 21:05:58 webserver postfix/smtp[15687]: connect to alt3.gmail-smtp-in.l.google.com[64.233.188.27]:25: Connection timed out
Dec 3 21:06:28 webserver postfix/smtp[15687]: connect to alt4.gmail-smtp-in.l.google.com[74.125.30.26]:25: Connection timed out
Dec 3 21:06:28 webserver postfix/smtp[15687]: 7136421C2: to=, relay=none, delay=4478, delays=4328/0.05/150/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[74.125.30.26]:25: Connection timed out)

I did run the grc scan and this was the result:

GRC Port Authority Report created on UTC: 2016-12-05 at 12:38:12

Results from scan of ports: 0-1055

6 Ports Open
0 Ports Closed
1050 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be CLOSED.

Ports found to be OPEN were: 21, 25, 80, 143, 465, 993

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

This indicates your ISP is blocking outgoing connections on port 25. Have a look and see if you can remove the block, sometimes if you get a static IP those restrictions are lifted.

Sam
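
The diagnosis in this exchange, as an added example that is not part of the original post or comments: a Python script that groups the Postfix smtp client's connect failures by delivery attempt and flags a message when every attempt, across several MX hosts on port 25, timed out, which is the pattern in the log quoted above. The log lines, queue IDs, hostnames and verdict labels are constructed for illustration; a flagged message is a prompt to run the telnet test on port 25, not proof of ISP filtering.

```python
import re
from collections import defaultdict

# smtp client lines: "connect to host[ip]:port: reason" and the per-recipient status line.
CONNECT = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: connect to "
                     r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<why>.+)$")
STATUS = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<[^>]*>, "
                    r"relay=(?P<relay>[^,]+),.*\bstatus=(?P<status>\w+)")

# Constructed sample log (documentation hostnames and addresses, made-up queue IDs).
SAMPLE_LOG = """\
Dec  3 21:04:28 pi postfix/smtp[1501]: connect to mx1.example.net[192.0.2.10]:25: Connection timed out
Dec  3 21:04:58 pi postfix/smtp[1501]: connect to mx2.example.net[192.0.2.11]:25: Connection timed out
Dec  3 21:05:28 pi postfix/smtp[1501]: connect to mx3.example.net[192.0.2.12]:25: Connection timed out
Dec  3 21:05:28 pi postfix/smtp[1501]: 4F2A1C0B77: to=<bob@example.net>, relay=none, delay=90, delays=0.1/0.05/90/0, dsn=4.4.1, status=deferred (connect to mx3.example.net[192.0.2.12]:25: Connection timed out)
Dec  3 21:07:02 pi postfix/smtp[1502]: connect to mx.example.org[198.51.100.7]:25: Connection refused
Dec  3 21:07:02 pi postfix/smtp[1502]: 8A2F0310D1: to=<amy@example.org>, relay=none, delay=1, delays=0.1/0.05/0.9/0, dsn=4.4.1, status=deferred (connect to mx.example.org[198.51.100.7]:25: Connection refused)
Dec  3 21:09:40 pi postfix/smtp[1503]: 9C41B22E70: to=<me@example.com>, relay=mail.example.com[203.0.113.5]:25, delay=0.8, delays=0.1/0.05/0.3/0.35, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5D3E1)
"""

def diagnose(log_text):
    """Return {queue_id: verdict} from the smtp client's connect failures."""
    pending = defaultdict(list)  # pid -> [(host, port, reason)] since its last status line
    verdicts = {}
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:  # a failed connection attempt; the queue ID only appears on the status line
            pending[m["pid"]].append((m["host"], int(m["port"]), m["why"].strip()))
            continue
        m = STATUS.search(line)
        if not m:
            continue
        tries = pending.pop(m["pid"], [])
        if m["status"] == "sent":
            verdicts[m["qid"]] = "delivered"
        elif m["relay"] == "none" and tries and all(
                port == 25 and why == "Connection timed out" for _, port, why in tries):
            # Several unrelated hosts all silent on port 25 points at the local path.
            hosts = {host for host, _, _ in tries}
            verdicts[m["qid"]] = ("outbound-25-blocked-likely" if len(hosts) > 1
                                  else "single-host-timeout")
        else:
            verdicts[m["qid"]] = "other-" + m["status"]
    return verdicts

if __name__ == "__main__":
    for qid, verdict in diagnose(SAMPLE_LOG).items():
        print(qid, verdict)
```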

I contacted my ISP provider, they told me they aren't blocking port 25. What could be another reason? In the config files maybe, where should I look? In the hosts, aliases, nameserver, ...
It is really annoying I receive emails but can't send!

I don't think they told you right, unless you're on a university campus or something like that, or your router firewall is configured to block outgoing connections on port 25 (which would be very unusual, and you'd probably know about it since you would have done it yourself!).

Try contacting them again and see if you get a different answer from a different employee?

Your postfix configuration won't affect the telnet connection test, which is why I asked you to try that. The time out suggests to me that there is port blocking.

Sam

root@webserver:# telnet samhobbs.co.uk 143
Trying 163.172.156.248...
Connected to samhobbs.co.uk.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Port scanning yourself from inside or outside your LAN won't help because the port might be blocked outbound but not inbound, and also because if you're scanning from inside your LAN and the block is between you and the internet, then you won't hit it.

Also, server to server communication happens on port 25, which is the one you can't connect to me on (all the other tests are irrelevant). This is why I think your ISP is blocking port 25, and why it would be a good idea to ask them about it again!

Sam

I asked them again, again they told me they didn't block. But I asked the community of my ISP and some people commented that it is blocked. It is open just for Ziggo (my provider's SMTP email). Now, my question is, how can I use their outgoing SMTP server to connect to my own server? Is this possible?

It's possible, but the configuration is completely dependent on your ISP, so you're better off asking on your ISP's community forums.

Good luck :)

Sam

The grc scan test says port is open, can't be trusted?
in /etc/postfix/main.cf

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_helo_required = yes
smtpd_helo_ristrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
    check_helo_access hash:/etc/postfix/helo_access
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

Maybe I have done something wrong, about ssl key, or permit to mynetworks, ...?

root@webserver: openssl s_client -connect samhobbs.co.uk:993 -quiet
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = samhobbs.co.uk
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

root@webserver:/# openssl s_client -connect samhobbs.co.uk:465 -quiet
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = samhobbs.co.uk
verify return:1
220 samhobbs.co.uk ESMTP Postfix (Ubuntu)
ehlo samhobbs.co.uk
250-samhobbs.co.uk
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: sam
250 2.1.0 Ok
rcpt to: xxxx@gmail.com
554 5.7.1 : Helo command rejected: Get lost - you're lying about who you are

Hi Sam,

This tutorial looks fantastic and is exactly what I was hoping to find when typing "raspberry pi email server". Before I get started setting mine up, I have a few questions:
I'm thinking of using a Raspberry Pi Zero with Minibian. Is it (likely to be) up to the job?

How secure should your setup be against your server getting abused by spammers? I don't really know much about setting up email servers (I guess this is who guides like this are for!), but I've read that this is a big potential pitfall.

What sort of maintenance is required once up and running? Regular backups and having spare hardware ready to swap out if necessary are already on my list, but what else would you recommend?

Thanks again for the fantastic tutorial.
Mick

Mick,

It should be fine for personal use if the pi isn't doing anything else, the most processor intensive part is spam checking with spamassassin.

In terms of spam and maintenance, fail2ban is your friend. I would recommend checking the logs every now and then or using a log analyser (there are many) to get a summary of the email server usage emailed to you periodically, which will help you to identify any problems.

Sam

Hey Sam,
great guide!

I was just wondering if you think a Raspberry Pi is able to handle the small-ish load of a small business.

We are about 5 people. I don't think it should have a lot of trouble with that amount of traffic, but I want to be somewhat certain before it fails.

Thanks again for the great guide!

(and sorry for my bad English ;D)
