Archiveopteryx mail server from scratch with Debian

8:26pm 10th September 2008

So I have finally set up my own managed mail server. Why? Well, there are many benefits to running your own mail server. POP3 is the standard mail service offered by ISPs today, but IMAP offers many benefits over it, mainly the ability to access your email from many PCs and have it automatically synced. The other main benefit is that there is no longer any need to back up your email, because it is stored on the server. Thus, you get all the power of a full email program without losing the safety and portability of web mail. The following table compares web mail (such as Hotmail), POP3 (the usual mail type offered by your ISP) and IMAP.

Benefit                             Webmail   POP3   IMAP
Available on multiple PCs           Yes       No     Yes
Available offline                   No        Yes    Yes
Easy to manage large mail volumes   No        Yes    Yes
Can use standard email client       Maybe     Yes    Yes
Can apply filters to sort mail      Maybe     Yes    Yes
Free of annoying ads                No        Yes    Yes
Safe against PC crashes etc.        Yes       No     Yes

Running a mail server is not easy: there are many potentially complex programs involved, each of which needs configuration. You also need to own or control the domain name you want to run it on. This article will show you, step by step, how to set up a fast, scalable and reliable mail server using Postfix and the most excellent Archiveopteryx package on a Debian server. Archiveopteryx is a mail server that uses a PostgreSQL database back end to store and retrieve mail. This makes it incredibly fast and scalable out of the box. It also supports all relevant mail standards such as POP3, IMAP, SMTP/LMTP, TLS and Sieve. I have been using it now for only a few days and I must say that my experience thus far has been excellent.

By the end of this guide you will have a mail server that can handle multiple domains, provides IMAP and optionally POP3, authenticated SMTP services as well as TLS security on all communications. Let's get started.

Preliminary server configuration

First things first: set up a firewall. My personal favorite script is Arno's iptables script, which can be installed with the following line:

aptitude install arno-iptables-firewall

This script is great, as it allows you to configure your firewall with a "wizard" type set of questions using the familiar Debian configuration tool. You will need to leave the following ports open:

  • 22 (ssh)
  • 25 (smtp)
  • 143 (imap)
  • 587 (smtp-submission)

If you need to reconfigure your firewall at a later date, you can do so by typing:

dpkg-reconfigure arno-iptables-firewall

Now that your new server is secure, you'll need to install a few packages that will be used later on.

aptitude install build-essential libreadline5-dev \
zlib1g-dev vim

Configure your MTA

I changed the MTA (program that relays mail to and from the server) to Postfix from Debian's default exim4, because my reading on the web gave me the impression that people consider Postfix to be a higher performing MTA than exim. This is done by issuing the following commands:

aptitude install postfix
dpkg-reconfigure postfix

Debian will ask you a few questions; just say "yes" to all of them. Note that Postfix needs to be given the mail server type "Internet site", and also needs to be told what domains it will be receiving mail for. You can put in multiple entries, if your mail server will be handling mail for more than one domain. In addition, make sure that you leave the value for "Local networks" as 127.0.0.0/8, as we do not want your mail server acting as an open relay to be abused by spammers. Leave all other values at their defaults.

Domain Configuration

MX Record

You need to be aware that in order for the rest of the world to know where your mail server is, at the very least you need to put its host name into your domain's MX record. You can usually do this by logging into the web site for your DNS registrar, or whoever manages your DNS. Personally, I use No-IP, as they offer a very reliable and competitively priced service. They also have an excellent and easy to use control panel. Just go into your domain name's properties page, and put the host name for your mail server (e.g., mail.mydomain.com) into the MX record field. You can have multiple mail servers for redundancy, but that's a story for a more advanced article.

Add SPF to your domains

It is also advisable to enable SPF on your domain to reduce the incidence of email backscatter. I won't provide detailed instructions on how to do this, except to say that you should add the following string to your domain names' DNS TXT records:

"v=spf1 a mx ptr -all"
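Before pasting that string into DNS it is worth checking that it is well formed and that its catch-all really is a reject. The shell function below is an added example (not from the article) that validates an SPF string offline: it rejects anything that does not start with v=spf1 or that contains unknown terms, refuses an open "+all" (which would let any host send as the domain), and warns on the ptr mechanism, which RFC 7208 discourages because receivers find it slow and unreliable. The records used in the checks are constructed.

```shell
#!/bin/sh
# Added example (not from the article): offline syntax and policy check for
# an SPF TXT string, run before it is published in DNS.

# Prints findings, one per line. Returns 1 if the record must not be
# published as written, 0 if it is acceptable (warnings only).
spf_check() {
    record=$1
    rc=0
    set -- $record            # split the record into whitespace-separated terms
    if [ "$1" != "v=spf1" ]; then
        echo "error: record must start with v=spf1"
        return 1
    fi
    shift
    last=""
    for term in "$@"; do
        last=$term
        qual=""
        case "$term" in
            [+?~-]*) qual=$(printf '%.1s' "$term"); term=${term#?} ;;
        esac
        name=${term%%[:/=]*}   # mechanism or modifier name before any argument
        case "$name" in
            all|a|mx|ip4|ip6|include|exists) ;;
            ptr) echo "warning: ptr mechanism is discouraged by RFC 7208" ;;
            redirect|exp)
                [ -z "$qual" ] || { echo "error: modifier $name takes no qualifier"; rc=1; } ;;
            *)   echo "error: unknown term '$qual$term'"; rc=1 ;;
        esac
        if [ "$name" = "all" ]; then
            case "$qual" in
                ""|+) echo "error: '${qual}all' lets any host send as this domain"; rc=1 ;;
                '?')  echo "warning: '?all' gives receivers no verdict" ;;
            esac
        fi
    done
    case "$last" in
        *all|redirect=*) ;;
        *) echo "warning: record does not end with an all mechanism or redirect=" ;;
    esac
    return $rc
}

# Usage:  spf_check "v=spf1 a mx ptr -all"   (prints the ptr warning, exits 0)
```

The function checks only the string; it does not resolve the a, mx or include targets, so a record can pass here and still name hosts that do not exist.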

PTR records on your mail server's IP

You can further increase the "reputation" of your SMTP server by ensuring that your server's PTR record resolves to the host name that Postfix claims to own, so that other MTAs don't think that your MTA is faking its address for nefarious reasons. You can do this by ensuring that the domain name that your mail server thinks it has matches the reverse lookup on the IP that you are using. In other words, you should have a valid PTR record on your IP that matches your machine's fully qualified domain name (FQDN). To find out your machine's FQDN as perceived by Postfix, you can issue this command:

postconf | grep myhostname

and look for the value on the myhostname = line. If your IP can be reverse resolved to this host name, your outgoing mail will be far less likely to be classified as spam.

So that's Postfix and your domain configuration taken care of. Next, we need to install PostgreSQL. I don't use the Debian packages for PostgreSQL, I prefer building it from source (this is why the -dev packages were installed earlier, just in case you were wondering).

Install PostgreSQL

Go to the PostgreSQL web site and download the latest stable source package, and install it according to the PostgreSQL documentation's installation instructions. This is very easy to do, and shouldn't take more than 5 minutes. This blog entry is not about installing PostgreSQL, and if you need help with that, please go to the PostgreSQL mailing lists or #postgresql on Freenode IRC. You'll find the community is exceptionally active, helpful and friendly.

There is no reason that you can't use Debian package management to install PostgreSQL, and if you want a recent version then you can get it from Debian's backports repository. Personally, I've always preferred building PostgreSQL from source, but the choice is yours.

Download, install and configure Archiveopteryx

Once you have PostgreSQL up and running, you can download and install Archiveopteryx. Go to the website and download the latest package. Unpack it, and then type make && make install. Note that you do not type ./configure. This will install Archiveopteryx to /usr/local/archiveopteryx. Once it has been installed, you need to create Archiveopteryx's initial configuration files using the command:

/usr/local/archiveopteryx/lib/installer

Once you have done that and supplied the details that it asks for, you will need to make a small modification to your Postfix configuration, so that it knows to deliver the mail to Archiveopteryx, and not store it in the file system. Add the following to the bottom of your /etc/postfix/main.cf file:

mailbox_transport = lmtp:inet:127.0.0.1:2026
local_destination_recipient_limit = 10
local_recipient_maps =

Secure access

If you like, you can disable plain-text logins. Archiveopteryx supports TLS by default, so disabling plain text is enough to enforce secure access. I highly recommend this, as there is no real downside. Do this by setting the following directives in your archiveopteryx.conf file:

allow-plaintext-access = never
allow-plaintext-passwords = never

If you do this, users need to tell their email client to use TLS when logging in. It's a simple check box, and is supported by all common email programs such as Thunderbird, Outlook and Outlook Express.

Start Archiveopteryx

Archiveopteryx is now installed, and you can start it with the following command:

/usr/local/archiveopteryx/bin/aox start

If all has gone well, the server should now be running. The following are some useful commands you can use to get started using and administering your new mail server:

  • Start the server: ./aox start
  • Stop the server: ./aox stop
  • Restart the server: ./aox restart
  • Show the server's configuration: ./aox show cf
  • Add a user: ./aox add user [username] [password] [email address]
    (e.g., ./aox add user me@mydomain.com mypass me@mydomain.com)
  • List the users on the server: ./aox list users
  • Delete a user: ./aox delete user [username]

Note that when adding a user I recommend using the full email address as the user name, and not just the part before the @. This ensures that the user name will be unique if you run a mail server that serves multiple domains. If you add a user using the command above, you'll be able to log into your server using any IMAP email client such as Outlook, Outlook Express or Thunderbird, using the email address as the username.

Set up outgoing SMTP (optional)

At this stage you're nearly done. You can stop here if you don't want to worry about TLS and you're happy to use your ISP's SMTP server for sending email. Personally, I travel a lot, and so I wanted to be able to send mail from anywhere and not worry about hunting for the local SMTP server when at Internet cafes in some foreign city, so I continued setting up Aox so that it would handle mail sending as well. I also wanted to use TLS to secure it, so my passwords weren't sent over hostile networks in plain text.

First, enable SMTP submit by adding the following to the bottom of your archiveopteryx.conf file:

# Configuring SMTP Submission
use-smtp-submit = enabled
smtp-submit-address = mail.mrnaz.com
smtp-submit-port = 587
use-smtps = enabled
auth-login = enabled
check-sender-addresses = on
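The Postfix lines added to main.cf earlier and the two archiveopteryx.conf fragments (the allow-plaintext-* settings and the SMTP submission block above) are short, but a wrong value in mynetworks or mailbox_transport is easy to overlook. The script below is an added example, not part of the article or of either project: it parses the "key = value" syntax both files use and checks the values the article recommends. The sample files it writes are constructed; on a real server you would point it at /etc/postfix/main.cf and your archiveopteryx.conf.

```shell
#!/bin/sh
# Added example, not from the article or from Postfix/Archiveopteryx. Audits
# the settings the article adds to Postfix main.cf and archiveopteryx.conf.
# Both files use "key = value" lines with '#' comments, so one reader serves.

# Prints the value of key $2 in file $1 (last definition wins).
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Returns 0 if key $2 is defined (even with an empty value) in file $1.
cf_has() {
    grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Postfix checks: relay only for loopback, hand mail to aox over LMTP on the
# loopback address, and leave local_recipient_maps empty so Postfix does not
# reject recipients that are not Unix accounts. Returns the failure count.
audit_postfix() {
    f=$1; bad=0
    for net in $(cf_get "$f" mynetworks | tr ',' ' '); do
        case "$net" in
            127.*|'[::1]'*|'[::ffff:127.'*) ;;
            *) echo "FAIL: mynetworks trusts $net; only loopback should relay"
               bad=$((bad + 1)) ;;
        esac
    done
    mt=$(cf_get "$f" mailbox_transport)
    case "$mt" in
        lmtp:inet:127.*) ;;
        *) echo "FAIL: mailbox_transport is '${mt:-unset}', expected e.g. lmtp:inet:127.0.0.1:2026"
           bad=$((bad + 1)) ;;
    esac
    if ! cf_has "$f" local_recipient_maps || [ -n "$(cf_get "$f" local_recipient_maps)" ]; then
        echo "FAIL: local_recipient_maps must be present and empty"
        bad=$((bad + 1))
    fi
    return $bad
}

# Archiveopteryx checks: plaintext disabled; if submission is on, it should
# listen on 587 and enforce sender addresses. Returns the failure count.
audit_aox() {
    f=$1; bad=0
    for key in allow-plaintext-access allow-plaintext-passwords; do
        v=$(cf_get "$f" "$key")
        [ "$v" = "never" ] || { echo "FAIL: $key is '${v:-unset}', expected never"; bad=$((bad + 1)); }
    done
    if [ "$(cf_get "$f" use-smtp-submit)" = "enabled" ]; then
        [ "$(cf_get "$f" smtp-submit-port)" = "587" ] \
            || { echo "FAIL: smtp-submit-port should be 587"; bad=$((bad + 1)); }
        [ "$(cf_get "$f" check-sender-addresses)" = "on" ] \
            || echo "WARN: check-sender-addresses is off; users may send with any From address"
    fi
    return $bad
}

# Writes constructed sample files (not real server output) into directory $1.
write_samples() {
    cat >"$1/main.cf" <<'EOF'
# constructed Postfix sample following the article
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_transport = lmtp:inet:127.0.0.1:2026
local_destination_recipient_limit = 10
local_recipient_maps =
EOF
    cat >"$1/main-bad.cf" <<'EOF'
# constructed sample with two mistakes: a public network may relay, and
# local_recipient_maps was forgotten
mynetworks = 127.0.0.0/8, 203.0.113.0/24
mailbox_transport = lmtp:inet:127.0.0.1:2026
EOF
    cat >"$1/archiveopteryx.conf" <<'EOF'
allow-plaintext-access = never
allow-plaintext-passwords = never
use-smtp-submit = enabled
smtp-submit-port = 587
auth-login = enabled
check-sender-addresses = on
EOF
}

# Usage on the real server:  audit_postfix /etc/postfix/main.cf
```

Both audit functions return the number of failed checks, so they can be run from cron and treated as a health check after every configuration change.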

Because you set Postfix to relay mail from 127.0.0.0/8, Archiveopteryx will be allowed to relay mail through it to the open Internet, but no remote machines will be allowed to do so. Your email clients will now be able to use your mail server's address as an SMTP server. They will need to use port 587, and the same username and password as for their IMAP login, i.e., their email address as the username and the password that was set when you created the account with ./aox add user.

The auth-login line works around an Outlook bug. If you know for a fact that none of your users use Outlook, you can remove it; however, there is no harm in leaving it on, so I do, just in case.

The last line is optional, but it will prevent users from sending mail unless they use a From or Sender address that is their Archiveopteryx email address or an alias. This ensures that the only mail that goes through your server is authenticated email from your users and that they do not inadvertently expose email addresses that they want to keep private. I recommend this setting; disable it only if you know what you are doing and why.

Done!

You now have a fully functional mail server that allows your users to send and receive mail using the same username and password as well as TLS security for all communication with the server. You will also need to set up anti-spam, which is quite easy to do, but that's another article. There are plenty of guides on the Internet that explain how to set up SpamAssassin with Postfix under Debian.

One final note: Please keep in mind that your new, highly scalable, high performance mail server was made possible because of Archiveopteryx, Postfix and PostgreSQL. If you have used this tutorial to set up a mail server, please stop by their project sites and thank them for their exceptional contributions to the open source software ecosystem.