Archiveopteryx mail server from scratch with Debian

8:26pm 10th September 2008

So I have finally set up my own managed mail server. Why? Well, there are many benefits to running your own mail server. POP3 is the standard service offered by ISPs today, but IMAP offers many benefits over it, mainly the ability to have your email accessible from many PCs and kept in sync automatically. The other main benefit is that your PC no longer holds the only copy of your mail, because it is stored on the server (the server itself still needs backing up, but that is one machine you control rather than every PC you read mail on). Thus, you get all the power of a full email program without losing the safety and portability of web mail. The following table compares web mail (such as Hotmail), POP3 (the usual mail type offered by your ISP) and IMAP.

Benefit                            Webmail  POP3  IMAP
Available on multiple PCs          Yes      No    Yes
Available offline                  No       Yes   Yes
Easy to manage large mail volumes  No       Yes   Yes
Can use standard email client      Maybe    Yes   Yes
Can apply filters to sort mail     Maybe    Yes   Yes
Free of annoying ads               No       Yes   Yes
Safe against PC crashes etc.       Yes      No    Yes

Running a mail server is not easy: there are many potentially complex programs involved, each of which needs configuration. You also need to own or control the domain name you want to run it on. This article will show you, step by step, how to set up a fast, scalable and reliable mail server using Postfix and the most excellent Archiveopteryx package on a Debian server. Archiveopteryx is a mail server that uses a PostgreSQL database back end to store and retrieve mail, which makes it incredibly fast and scalable out of the box. It also supports all the relevant mail standards: POP3, IMAP, SMTP/LMTP, TLS and Sieve. I have been using it for only a few days, and I must say that my experience thus far has been excellent.

By the end of this guide you will have a mail server that can handle multiple domains, provides IMAP and optionally POP3 and authenticated SMTP submission, and uses TLS on all connections from your mail clients. Let's get started.

Preliminary server configuration

First things first; set up a firewall. My personal favorite script is Arno's iptables script, which can be installed with the following line:

aptitude install arno-iptables-firewall

This script is great, as it allows you to configure your firewall with a "wizard" type set of questions using the familiar Debian configuration tool. You will need to leave the following ports open. (The SMTP submission section further down also switches on SMTPS, which listens on port 465 by default; open that port too if you keep that line, and open 993 if you want IMAPS in addition to STARTTLS on 143.)

  • 22 (ssh)
  • 25 (smtp)
  • 143 (imap)
  • 587 (smtp-submission)

If you need to reconfigure your firewall at a later date, you can do so by typing:

dpkg-reconfigure arno-iptables-firewall

With the firewall in place, you'll need to install a few packages that will be used later on.

aptitude install build-essential libreadline5-dev \
zlib1g-dev vim

Configure your MTA

I changed the MTA (the program that relays mail to and from the server) from Debian's default exim4 to Postfix, because my reading on the web gave me the impression that people consider Postfix to be a higher performing MTA than exim. This is done by issuing the following commands:

aptitude install postfix
dpkg-reconfigure postfix

Debian will ask you a few questions. Give Postfix the mail server type "Internet site", and tell it which domains it will be receiving mail for; you can enter multiple domains, separated by commas, if your mail server will be handling mail for more than one. Leave "Local networks" at the loopback default (127.0.0.0/8, plus the IPv6 loopback entries Debian adds), so that only this machine can relay mail through Postfix: anything wider and your mail server becomes an open relay for spammers. Leave all other values at their defaults.

Domain Configuration

MX Record

You need to be aware that in order for the rest of the world to know where your mail server is, at the very least you need to put its host name into your domain's MX record. You can usually do this by logging into the web site for your DNS registrar, or whoever manages your DNS. Personally, I use No-IP, as they offer a very reliable and competitively priced service. They also have an excellent and easy to use control panel. Just go into your domain name's properties page, and put the host name for your mail server (e.g., mail.mydomain.com) into the MX record field. An MX record holds a host name, not an IP address, so mail.mydomain.com also needs an A record pointing at your server. You can have multiple mail servers for redundancy, but that's a story for a more advanced article.

Add SPF to your domains

It is also advisable to publish an SPF record for your domain. SPF lets receiving servers check whether the host handing them a message is allowed to send for your domain, so mail forged with your addresses can be refused at the border instead of being accepted and bounced back at you, which is what causes email backscatter. I won't provide detailed instructions on how to do this, except to say that you should add the following string to your domain names' DNS TXT records:

"v=spf1 a mx ptr -all"

Here a and mx authorise the hosts named by your domain's A and MX records, and -all tells receivers to fail everything else. The ptr mechanism is slow and unreliable, and the SPF specification discourages it (RFC 7208 says it SHOULD NOT be used); if your server is the domain's MX or the target of its A record, "v=spf1 a mx -all" covers it without ptr.

PTR records on your mail server's IP

You can further increase the "reputation" of your SMTP server by ensuring that your server's PTR record resolves to the host name that Postfix announces, so that other MTAs don't conclude that your MTA is faking its identity for nefarious reasons. In other words, the reverse lookup of the IP you send from should return your machine's fully qualified domain name (FQDN), and that FQDN should in turn resolve back to the same IP. To find out the FQDN as Postfix sees it, you can issue this command:

postconf myhostname

and look at the value after the equals sign. The PTR record lives in the reverse zone for your IP address, so it is usually your hosting provider or ISP, rather than your DNS registrar, who has to set it. If your IP reverse-resolves to this host name, your outgoing mail will be far less likely to be classified as spam.
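The three DNS points above (an MX host that resolves, a PTR that matches Postfix's myhostname, and a sane SPF record) are easy to get subtly wrong, so here is a small shell script that checks them. It is an added example for this article, not code from the Archiveopteryx or Postfix projects. Run it with --live and it queries real DNS using dig and postconf; run it without arguments and it checks the constructed sample values embedded in the script. It assumes myhostname has the form host.domain, and the names it uses (mail.mydomain.com, the sample records) are placeholders. The SPF checks flag the ptr mechanism, a missing terminal all, and the wide-open +all.

```shell
#!/bin/sh
# Added example (not from the article, Postfix or Archiveopteryx): sanity
# checks for the DNS side of the setup: the MX host's A record, the PTR for
# that address vs. Postfix's myhostname, and the SPF TXT record.
#   sh dns-check.sh          checks the constructed sample values below
#   sh dns-check.sh --live   queries real DNS with dig(1) and postconf(1)
# Assumes myhostname has the form host.domain; all sample names are placeholders.
set -f   # no pathname expansion: SPF terms such as '?all' look like globs

# spf_lint RECORD: report anything in a TXT record that weakens or breaks SPF
# for receivers. Returns 1 if a problem was found, 0 otherwise.
spf_lint() {
    record=$1
    bad=0
    case "$record" in
        "v=spf1 "*|"v=spf1") ;;
        *) echo "spf: record must start with 'v=spf1'"; bad=1 ;;
    esac
    # The terminal 'all' decides the fate of every host you did not list.
    case "$record" in
        *" -all"|*" ~all") ;;
        *" +all"|*" all")  echo "spf: '+all' lets any host send as your domain"; bad=1 ;;
        *" ?all")          echo "spf: '?all' is neutral; receivers get nothing to enforce"; bad=1 ;;
        *)                 echo "spf: no terminal 'all'; unlisted hosts are not failed"; bad=1 ;;
    esac
    # 'ptr' is slow and unreliable; RFC 7208 section 5.5 says it SHOULD NOT be
    # used. 'a mx' already covers a server that is the MX and the A record target.
    for term in $record; do
        case "$term" in
            ptr|ptr:*|+ptr|+ptr:*)
                echo "spf: 'ptr' is discouraged by RFC 7208; 'a mx' usually suffices"; bad=1 ;;
        esac
    done
    return $bad
}

# fqdn_matches NAME PTR: 0 when the PTR answer names the same host as NAME
# (case-insensitive, dig's trailing dot ignored), 1 otherwise.
fqdn_matches() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; else return 1; fi
}

# live_check: the same tests against real DNS for the host Postfix announces.
live_check() {
    host=$(postconf -h myhostname)
    ip=$(dig +short A "$host" | head -n 1)
    if [ -z "$ip" ]; then
        echo "mx: $host has no A record; an MX must name a host that resolves"; return 1
    fi
    ptr=$(dig +short -x "$ip" | head -n 1)
    if fqdn_matches "$host" "$ptr"; then
        echo "ptr: $ip -> $ptr matches myhostname"
    else
        echo "ptr: $ip -> '${ptr:-none}' does not match myhostname $host"
    fi
    domain=${host#*.}
    spf=$(dig +short TXT "$domain" | grep -i '^"v=spf1' | tr -d '"')
    if [ -z "$spf" ]; then
        echo "spf: no v=spf1 TXT record on $domain"; return 1
    fi
    echo "spf: $domain publishes: $spf"
    spf_lint "$spf"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Constructed samples, not real DNS answers: the record this article
    # recommends, a variant without ptr, and a PTR/myhostname comparison.
    spf_lint 'v=spf1 a mx ptr -all' || echo "spf: the record above is worth tightening"
    spf_lint 'v=spf1 a mx -all' && echo "spf: 'v=spf1 a mx -all' looks fine"
    fqdn_matches mail.mydomain.com MAIL.mydomain.com. && echo "ptr: sample names match"
fi
```

The live mode only reads what is already published, so it is safe to run from the mail server itself once the MX, A and PTR records have had time to propagate.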

So that's Postfix and your domain configuration taken care of. Next, we need to install PostgreSQL. I don't use the Debian packages for PostgreSQL; I prefer building it from source (this is why the -dev packages were installed earlier, just in case you were wondering).

Install PostgreSQL

Go to the PostgreSQL web site and download the latest stable source package, and install it according to the PostgreSQL documentation's installation instructions. This is very easy to do, and shouldn't take more than 5 minutes. This blog entry is not about installing PostgreSQL, and if you need help with that, please go to the PostgreSQL mailing lists or #postgresql on Freenode IRC. You'll find the community is exceptionally active, helpful and friendly.

There is no reason that you can't use Debian package management to install PostgreSQL, and if you want a recent version then you can get it from Debian's backports repository. Personally, I've always preferred PostgreSQL from source, but the choice is yours.

Download, install and configure Archiveopteryx

Once you have PostgreSQL up and running, you can download and install Archiveopteryx. Go to the website and download the latest package. Unpack it, and then type make && make install. Note that you do not type ./configure. This will install Archiveopteryx to /usr/local/archiveopteryx. Once it has been installed, you need to create Archiveopteryx's initial configuration files using the command:

/usr/local/archiveopteryx/lib/installer

Once you have done that and supplied the details that it asks for, you will need to make a small modification to your Postfix configuration, so that it hands mail to Archiveopteryx over LMTP instead of storing it in the file system. Add the following to the bottom of your /etc/postfix/main.cf file:

mailbox_transport = lmtp:inet:127.0.0.1:2026
local_destination_recipient_limit = 10
local_recipient_maps =

The first line sends everything destined for a local mailbox to Archiveopteryx's LMTP listener on the loopback interface (port 2026), the second lets a single LMTP session carry a message to up to ten recipients at once, and the empty local_recipient_maps stops Postfix rejecting recipients it cannot find in the system password file, since your users now live in PostgreSQL. One consequence worth knowing about: with that list empty, Postfix accepts mail for any address in your domains and only learns at delivery time that the user does not exist, so mail to non-existent users is accepted and then bounced rather than refused during the SMTP conversation. If that becomes a problem, Postfix's address verification (reject_unverified_recipient) can probe the LMTP server before accepting a recipient.

Secure access

If you like, you can disable plain text log in. Archiveopteryx supports TLS by default, so disabling plain text is enough to enforce secure access. I highly recommend this, as there is no real down side. Do this by setting the following directive in your archiveopteryx.conf file:

allow-plaintext-access = never
allow-plaintext-passwords = never

If you do this, users need to tell their email client to use TLS when logging in. It's a simple check box, and is supported by all common email programs such as Thunderbird, Outlook and Outlook Express. Because the firewall above only opens 143 (and 587 for submission), pick the STARTTLS option for those ports; if you would rather use the dedicated IMAPS and SMTPS ports, they need to be enabled in archiveopteryx.conf and opened in the firewall (993 and 465) as well.

Start Archiveopteryx

Archiveopteryx is now installed, and you can start it with the following command:

/usr/local/archiveopteryx/bin/aox start

If all has gone well, the server should now be running. The following are some useful commands for using and administering your new mail server (run them from /usr/local/archiveopteryx/bin, or use the full path):

Start the server:
./aox start
Stop the server:
./aox stop
Restart the server:
./aox restart
Show the server's configuration:
./aox show cf
Add a user:
./aox add user [username] [password] [email address]
E.g., ./aox add user me@mydomain.com mypass me@mydomain.com
List the users on the server:
./aox list users
Delete a user:
./aox delete user [username]

Note that when adding a user I recommend using the full email address as the user name, and not just the part before the @. This ensures that user names stay unique if you run a mail server that serves multiple domains. Bear in mind that a password typed on the command line ends up in your shell history and is visible to other local users in the process list while the command runs, so don't do this from a shared account, and clear the history afterwards. Once a user has been added as above, they can log into your server with any IMAP client such as Outlook, Outlook Express or Thunderbird, using the email address as the username.

Set up outgoing SMTP (optional)

At this stage you're nearly done. You can stop here if you don't want to worry about authenticated SMTP and you're happy to use your ISP's SMTP server for sending email. Personally, I travel a lot, and so I wanted to be able to send mail from anywhere and not worry about hunting for the local SMTP server when at Internet cafes in some foreign city, so I continued setting up Aox so that it would handle mail sending as well. I also wanted to use TLS to secure it, so my passwords weren't sent over hostile networks in plain text.

First, enable SMTP submit by adding the following to the bottom of your archiveopteryx.conf file:

# Configuring SMTP Submission
use-smtp-submit = enabled
smtp-submit-address = mail.mrnaz.com
smtp-submit-port = 587
use-smtps = enabled
auth-login = enabled
check-sender-addresses = on

Because you set Postfix to relay mail from 127.0.0.0/8, Archiveopteryx (which hands outgoing mail to Postfix over the loopback interface, using it as its smarthost) is allowed to relay mail through it to the open Internet, but no remote machine is. Replace mail.mrnaz.com above with your own server's host name, or the IP address you want the submission service to listen on. Your email clients will now be able to use your mail server's address as an SMTP server. They will need to use port 587 with TLS, and the same username and password as for their IMAP log in, i.e. their email address as the username and the password that was set when you created the account with ./aox add user. The use-smtps line additionally enables the implicit-TLS SMTPS listener, which defaults to port 465; the firewall set up above does not open that port, so either open it or leave that line out.

The line auth-login is to work around an Outlook bug. If you know for a fact that none of your users are using Outlook, you should remove it, however there is no harm in leaving it on, so I do, just in case.

The last line is optional, however it will prevent users from sending mail unless they use a From or Sender address that is their Archiveopteryx email address or an alias. This will ensure that the only mail that goes through your servers is authenticated email from your users and that they do not inadvertently expose email addresses that they want to keep private. I recommend this setting, disable it only if you know what you are doing and why.
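Between the Postfix relay settings, the LMTP hand-off, the two allow-plaintext directives and the submission block above, there are several places where one wrong value quietly undoes the security of the setup. Here is a shell script that audits the finished configuration for exactly those points. It is an added example for this article, not code from the Archiveopteryx or Postfix projects, and it makes two assumptions: that archiveopteryx.conf lives at /usr/local/archiveopteryx/archiveopteryx.conf (the default install location), and that both files consist of plain "key = value" lines (Postfix's indented continuation lines are not handled). Run with no arguments it audits two constructed sample configurations, one set as this guide recommends and one with a LAN range in mynetworks, plaintext logins allowed and submission on the wrong port.

```shell
#!/bin/sh
# Added example (not from the article, Postfix or Archiveopteryx): audits the
# settings this guide ends up with. It reads plain "key = value" lines, so it
# works on /etc/postfix/main.cf and archiveopteryx.conf (assumed to be at
# /usr/local/archiveopteryx/archiveopteryx.conf) as well as on the constructed
# samples below. Postfix's indented continuation lines are not handled.
#   sh aox-audit.sh /etc/postfix/main.cf /usr/local/archiveopteryx/archiveopteryx.conf
#   sh aox-audit.sh        audits the two constructed sample pairs instead
set -f   # mynetworks entries such as [::1]/128 must not be expanded as globs

# conf_value FILE KEY: value of the last "KEY = value" line; comments skipped,
# empty output when the key is absent or set to nothing.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# only_loopback NETWORKS: 0 if every mynetworks entry is a loopback range, so
# only this machine (Archiveopteryx's smarthost connection) may relay via Postfix.
only_loopback() {
    rc=0
    for net in $(printf '%s' "$1" | tr ',' ' '); do
        case "$net" in
            127.0.0.0/8|127.0.0.1|127.0.0.1/32|'[::1]'|'[::1]/128'|'[::ffff:127.0.0.0]/104') ;;
            *) echo "postfix: mynetworks entry '$net' lets remote hosts relay through you"; rc=1 ;;
        esac
    done
    return $rc
}

# audit MAIN_CF AOX_CONF: print each finding; return the number of failures.
audit() {
    main_cf=$1 aox_conf=$2 fails=0
    nets=$(conf_value "$main_cf" mynetworks)
    if [ -z "$nets" ]; then
        echo "postfix: mynetworks is not set; relaying follows mynetworks_style, set it explicitly"
        fails=$((fails + 1))
    else
        only_loopback "$nets" || fails=$((fails + 1))
    fi
    case "$(conf_value "$main_cf" mailbox_transport)" in
        lmtp:inet:127.0.0.1:*) ;;
        *) echo "postfix: mailbox_transport does not hand local mail to Archiveopteryx over loopback LMTP"
           fails=$((fails + 1)) ;;
    esac
    # Informational only: with local_recipient_maps empty, Postfix accepts mail
    # for any address in its domains and bounces the unknown ones afterwards.
    [ -n "$(conf_value "$main_cf" local_recipient_maps)" ] ||
        echo "postfix: note: local_recipient_maps is empty; unknown recipients are accepted, then bounced"
    for key in allow-plaintext-access allow-plaintext-passwords; do
        [ "$(conf_value "$aox_conf" "$key")" = never ] ||
            { echo "aox: $key should be 'never' so logins only happen inside TLS"; fails=$((fails + 1)); }
    done
    if [ "$(conf_value "$aox_conf" use-smtp-submit)" = enabled ]; then
        port=$(conf_value "$aox_conf" smtp-submit-port)
        [ "${port:-587}" = 587 ] ||
            { echo "aox: SMTP submission listens on $port, but the firewall only opens 587"; fails=$((fails + 1)); }
    fi
    return $fails
}

# write_samples: constructed configs (not the author's real files). Prints the
# directory holding main.cf.good/aox.conf.good (as this guide recommends) and
# main.cf.bad/aox.conf.bad (LAN range in mynetworks, plaintext allowed, wrong port).
write_samples() {
    dir=${TMPDIR:-/tmp}/aox-audit.$$
    mkdir -p "$dir"
    cat >"$dir/main.cf.good" <<'EOF'
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_transport = lmtp:inet:127.0.0.1:2026
local_destination_recipient_limit = 10
local_recipient_maps =
EOF
    cat >"$dir/aox.conf.good" <<'EOF'
# comment lines are ignored
allow-plaintext-access = never
allow-plaintext-passwords = never
use-smtp-submit = enabled
smtp-submit-port = 587
EOF
    cat >"$dir/main.cf.bad" <<'EOF'
mynetworks = 127.0.0.0/8, 192.0.2.0/24
mailbox_transport = lmtp:inet:127.0.0.1:2026
local_recipient_maps =
EOF
    cat >"$dir/aox.conf.bad" <<'EOF'
allow-plaintext-access = always
allow-plaintext-passwords = always
use-smtp-submit = enabled
smtp-submit-port = 25
EOF
    echo "$dir"
}

if [ $# -eq 2 ]; then
    audit "$1" "$2"
else
    d=$(write_samples)
    echo "== hardened sample =="; audit "$d/main.cf.good" "$d/aox.conf.good" && echo "no failures"
    echo "== weak sample ==";     audit "$d/main.cf.bad" "$d/aox.conf.bad" || echo "$? failure(s)"
    rm -r "$d"
fi
```

The exit status of audit is the number of failures, so it drops straight into a cron job or a post-deployment check; the local_recipient_maps message is deliberately a note rather than a failure, because the empty value is what this guide's setup requires.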

Done!

You now have a fully functional mail server that allows your users to send and receive mail using the same username and password, with TLS protecting every connection from their mail clients. (Mail exchanged with other servers over port 25 is a separate matter, governed by Postfix's own TLS settings.) You will also need to set up anti-spam, which is quite easy to do, but that's another article. There are plenty of guides on the Internet that explain how to set up SpamAssassin with Postfix under Debian.

One final note: Please keep in mind that your new, highly scalable, high performance mail server was made possible because of Archiveopteryx, Postfix and PostgreSQL. If you have used this tutorial to set up a mail server, please stop by their project sites and thank them for their exceptional contributions to the open source software ecosystem.

Lakes Entrance road trip and Optus Wireless Broadband

10:30am 26th January 2008

Well, it's the time of year when road trips are the in thing, so some friends and I, as well as my brother and his girlfriend, jumped into a van and a car and headed over to Lakes Entrance. It's a 4 hour drive, but thanks to a bunch of unnecessary stops, including one at an SES-managed stop-off for drowsy drivers where they serve free tea, coffee and Milo, we eventually arrived at 2am, and the owner of the flats where we are staying was waiting up for us.

I have access to the Internet via Optus Wireless Broadband. I've tried the service a few times already, but it proved to be too much of a hassle to be worth it. The new USB modems, however, make it a snap. The software and drivers are all on the USB device itself, which presents itself as a standard USB mass storage device. It's literally plug in, wait a bit, connected.

Anyway, I'm hoping to be back in Melbourne on Tuesday. Hopefully tomorrow we'll catch some fish when we visit the local jetty, it'd be nice to have some lemon baked flathead that we caught ourselves. Here's to hoping!

Phuket, Maya Bay, Tigers and the River Kwai

11:36am 10th June 2007

I've been in Thailand about 10 days now and it's been by far my most hectic stay here yet. Two days after meeting with Rap, we flew to Phuket, where we stayed for 2 nights. We took a day trip to the now famous Maya Bay, the setting for many of the scenes in the movie "The Beach". We went to one of the agents to ask about ticket prices etc, and after having worked out all the details, the agent asked us if we had any questions. I did not. Rap did. I would have thought one would want to know how many other people would be on the tour, or how long we'd spend at the beach or perhaps what was served in the included lunch. Nope, not Rap. Rap asked if there was mobile phone reception at Maya Bay. There were some spectacular views there, and I will be posting some photos to a new album as soon as I get a decent connection to plug my laptop into.

Aside from the Phi Phi island and Maya Bay trip though, Phuket was a disappointment. The locals there are obviously more touristified, and have lost much of their local character, having adopted a watered down culture which feels like it's more for the benefit of the tourists than a desire to retain their heritage. It does not feel authentic at all, especially given that I have spent much effort getting to know the feel and flavour of traditional Thai culture. After about 6pm you can't walk anywhere without being accosted by bar girls asking you to buy them a drink. My airport driver tells me that they get 50/50 splits with the bar on the drinks they manage to squeeze out of tourists. The shopping there is pretty poor, the products are all sweatshop trash, and there's STT (Stupid Tourist Tax) on everything. If I go back to Phuket, it will be only as a stop over for a dive trip to Phi Phi island.

A few days after our Phuket excursion, we hired a minivan and hit the road bound for Kanchanaburi, a province in western Thailand on the Myanmar border. We visited the Erawan Dam and falls, which was an incredibly scenic and tranquil place to visit. We also visited the Tiger Temple, which was a huge let down, as we were both expecting to see wild tigers being trained for repatriation to the wild. Instead, we got to stand in line with a bunch of babbling European and American tourists and have our photo taken next to a couple of thoroughly non-wild tigers so bloated with high calorie food they looked like they'd have trouble hauling their fat bellies off the ground. I've seen fiercer poodles. It was a far cry from the images of a majestic apex predator that the word "Tiger" invokes.

Finally, we had a lovely lunch of freshwater fish at a floating restaurant on the River Kwai, very near to the famous Burma Railway and the site where the movie Bridge on the River Kwai is set. All up, the Kanchanaburi expedition was a fascinating exploration into part of South East Asia that I've read much about.

Anyways, this has been a longer than usual entry, I'll post an update to my travels soon. I'm heading out to Europe soon to meet the guys for the CouchSurfing Collective in Rotterdam. More on that as events unfold. Watch this space!