Skraaj
Posts: 27
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Email server Rpi4 - tutorial needed

Wed Dec 04, 2019 2:57 am

Hi all!

For about two weeks I've been trying to set up an email server on my Pi without any success. Any chance someone might point me to a newbie-friendly step-by-step guide?

I've tried postfix/dovecot tutorials but it never seems to go right. Most that I've found are for a different distribution or assume the user basically knows everything (why bother with a guide then? :P).

When I tried Citadel it just gives me an error "This program was unable to connect or stay connected to the Citadel server. Please report this problem to your system administrator." (read more points me to a non-existent site on citadel.org) when I try to connect. Service is active (running) but a few lines down I see an error "citserver[1252]: db: cursor still in progress on cdb 00: attempt to write during r/o cursor"

I've been trying on clean fresh raspbian, and with a LAMP setup on the Pi - no luck so far. Got IPv4, everything else is 'stock-software', even no SSL to get me started and secure it later after I even get it up and running. I'm sort of a newbie to all linux-based stuff (but still managed to successfully set up a LAMP :D) so the more newbie friendly the better. I found that a lot of users link to ducky-pond, but it seems infested with ads right now.
codedoneright.eu – newbie friendly raspberry tutorials

topguy
Posts: 6491
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: Email server Rpi4 - tutorial needed

Wed Dec 04, 2019 10:50 am

- What is the purpose of the mail-server? Do you have an internet domain you want to receive mail to?
- Where/When do the guides you have tested fail? Installation / configuration / execution?

- It's best to choose guides for Debian if you can't find directly Raspbian guides: https://wiki.debian.org/Postfix#Install ... _on_Debian

bls
Posts: 639
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA
Contact: Twitter

Re: Email server Rpi4 - tutorial needed

Wed Dec 04, 2019 2:38 pm

Skraaj wrote:
Wed Dec 04, 2019 2:57 am
Hi all!

For about two weeks I've been trying to set up an email server on my Pi without any success. Any chance someone might point me to a newbie-friendly step-by-step guide?
I sorted out dovecot installation using https://raspberrytips.com/mail-server-raspberry-pi/ and made a script for it: https://github.com/gitbls/pistrong/blob ... ll-dovecot.

Setting up postfix is a bit more complex, but you should be able to get local email sending working easily by:

Code: Select all

sudo apt-get install bsd-mailx postfix libsasl2-modules
You don't really need bsd-mailx but it may be useful to have a local bash shell mail command for testing. Relaying to the internet gets more complex due to the variety of ISP mail servers.

HTH
Pi tools:
RPi SD Card Image Manager: https://github.com/gitbls/sdm
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo
Easy VPN installer/manager: https://github.com/gitbls/pistrong
DNS/DHCP manager:https://github.com/gitbls/ndm

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Fri Dec 06, 2019 8:39 pm

Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

Skraaj
Posts: 27
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Re: Email server Rpi4 - tutorial needed

Mon Dec 09, 2019 1:53 am

Thank you all for the responses, been snowed under at work hence the late response. I'm trying to set up a home email, website, FTP and in future a cloud for personal use. Just so all my files and emails are mine only and not scanned by 3rd party services. Besides, the look on people's faces when I tell them that the page they're looking at runs from my room is priceless. Figured that I need a winter-friendly hobby so this is it :D
bls wrote:I sorted out dovecot installation using https://raspberrytips.com/mail-server-raspberry-pi/
Thanks, tried that but wasn't newbie friendly, got stuck on multiple steps. It's more in line of "do as I say" and not "here's how you do it".
Thank you! Looks like this is the droid I've been looking for.

So far so good, I've been able to send emails and I'm in the middle of the process of configuring my inbox. Whoever Sam is he made a great guide. Much obliged for pointing me there - it is newbie friendly and explains a lot using examples. Got some cert/SSL problems but I think I just need to read through it two times and will be fine.
codedoneright.eu – newbie friendly raspberry tutorials

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Tue Dec 10, 2019 8:01 pm

Great to hear you've had some success. It took me a few attempts to follow the tutorial, but I can now set up a new machine in about two hours. It's often just the 'insert your details here' bits that trip you up. Oh, and the certificate stuff can be tricky, too.

I have now opted for LetsEncrypt certificates, with a single certificate for my mail and web servers, and I have opted for RainLoop rather than SquirrelMail as my webmail client.

I also strongly suggest working your way through this 7-part tutorial: https://www.linuxbabe.com/mail-server/s ... ver-ubuntu
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

Skraaj
Posts: 27
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Re: Email server Rpi4 - tutorial needed

Tue Jan 28, 2020 11:03 pm

castletonroad wrote:
Tue Dec 10, 2019 8:01 pm
Great to hear you've had some success.
Thanks, and sorry for the late reply. Been busy with the webstack, which is now live and serving multiple websites and email. Turns out documenting stuff while you work on it lets you understand it better and after a while you have a TL;DR instruction to set up a server in under an hour. Maybe I will even start making backups :D I also discovered love for Debian, which I now have on my laptop - if not for MS Office and Steam I'd switch to Debian completely!

--

Anyways, back to the topic: I want to be able to access email through browser and I would prefer the simplest solution possible and RainLoop looks like it, but is there any documentation for the package in repository somewhere? I seem to have a problem with this one... I can't even figure out what does the package do (website doesn't even specify the need for it) :| rainloop.net states that it should work out of the box if you just do minor configuration.

Problem: FQDN/rainloop and FQDN/rainloop/?admin return 404 error
Problem(?): rainloop package from repository supposedly does nothing

Server configuration:
Apache /etc/apache2/sites-enabled/:

Code: Select all

<VirtualHost *:80>
        ServerName FQDN
        ServerAlias www.FQDN
        ServerAdmin webmaster@FQDN
        DocumentRoot /var/www/FQDN
        Redirect permanent / https://FQDN
        ErrorLog ${APACHE_LOG_DIR}/FQDN_error.log
        CustomLog ${APACHE_LOG_DIR}/FQDN_access.log combined
        RewriteEngine on
        ServerSignature Off
</VirtualHost>

<VirtualHost *:80>
        ServerName FQDN/rainloop
        ServerAdmin webmaster@FQDN
        DocumentRoot /var/www/rainloop
        Redirect permanent / https://FQDN/rainloop/
        ServerSignature Off
</VirtualHost>

Code: Select all

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName FQDN
        ServerAdmin webmaster@FQDN
        DocumentRoot /var/www/FQDN
        ErrorLog ${APACHE_LOG_DIR}/FQDN443_error.log
        CustomLog ${APACHE_LOG_DIR}/FQDN443_access.log combined
        SSLCertificateFile /etc/letsencrypt/live/FQDN/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/FQDN/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        ServerSignature Off
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName FQDN/rainloop
        ServerAdmin webmaster@FQDN
        DocumentRoot /var/www/rainloop
        ErrorLog ${APACHE_LOG_DIR}/rainloop_error.log
        CustomLog ${APACHE_LOG_DIR}/rainloop_access.log combined
        SSLCertificateFile /etc/letsencrypt/live/FQDN/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/FQDN/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        ServerSignature Off
</VirtualHost>
</IfModule>
  • /var/www/rainloop/ has the files with index.php at its root (tried basic & community)
  • Permissions are -R 755 as per rainloop.net (777 doesn't help as well)
  • Owner is -R www-data:www-data
  • php7.3
  • Since I have a working wordpress on the server php is parsed properly
  • FQDN/rainloop, FQDN/rainloop/?admin, FQDN/rainloop/index.php result in 404
  • FQDN/?admin redirects to FQDN (which after a brief moment seems right... it's not configured in apache...)

Website claims that I should just unzip everything, chmod 755, chown www-data:www-data, configure apache2 and it should work but for some reason it does not. I feel like I'm missing something that is right in front of me
codedoneright.eu – newbie friendly raspberry tutorials

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Tue Jan 28, 2020 11:09 pm

I’ll post my config later when I get home from work. DM me if I forget!
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

pi-anazazi
Posts: 716
Joined: Fri Feb 13, 2015 9:22 pm
Location: EU

Re: Email server Rpi4 - tutorial needed

Wed Jan 29, 2020 8:39 am

Skraaj wrote:
Mon Dec 09, 2019 1:53 am
...I'm trying to set up a home email, website, FTP and in future a cloud for personal use. Just so all my files and emails are mine only and not scanned by 3rd party services. ....
Hmmm, your email is not yours if it ever touches an email server on the web before hitting your email server at home. There is some basic knowledge missing here.

Avoiding the "cloud" is perfectly fine, host your stuff on your own servers, but mind the security of your perimeter firewall and your servers or you will just lose anything within minutes (literally). Don't open standard ports to the web if you don't know how to secure them.
Kind regards

anazazi

Skraaj
Posts: 27
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Re: Email server Rpi4 - tutorial needed

Wed Jan 29, 2020 9:11 am

pi-anazazi wrote: (...) There is some basic knowledge missing here.
Perhaps, I never said I am an expert.
pi-anazazi wrote: Don't open standard ports to the web if you don't know how to secure them.
I use ufw with deny all and opened just the ports needed for basic services, ftp has a custom port range and brute force attacks are taken care of by very restrictive sshguard rules. But if you have any other ideas for securing the server I'd be happy to learn.
castletonroad wrote: I’ll post my config later when I get home from work. DM me if I forget!

Any luck finding the config? :P
codedoneright.eu – newbie friendly raspberry tutorials

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Wed Jan 29, 2020 9:46 am

Yep.

Rainloop path:

Code: Select all

/var/www/html/rainloop
Virtualhost file:

Code: Select all

<IfModule mod_ssl.c>
ServerName localhost

#================================ WEBSITE ===================================

        <VirtualHost *:443>

                ServerAdmin webmaster@FQDN
                ServerName FQDN:443

                DocumentRoot /var/www/html/

                <IfModule mod_headers.c>
                        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
#                       Header always append X-Frame-Options SAMEORIGIN
                        Header always set X-Frame-Options "sameorigin"
                        Header set X-XSS-Protection "1; mode=block"
                        Header always set X-Content-Type-Options nosniff
#                       Header set Content-Security-Policy "default-src 'self';"
                        Header always set X-Permitted-Cross-Domain-Policies "none"
                </IfModule>

                <Directory /var/www/html>
#                       Options Indexes FollowSymLinks MultiViews
                        Options FollowSymLinks
                        AllowOverride all
                        Order allow,deny
                        Allow from all
                </Directory>

###FQDN###
                <Directory /var/www/html/FQDN>
                        Options Indexes FollowSymLinks MultiViews
                        AllowOverride all
                        Order allow,deny
                        Allow from all
                </Directory>
###FQDN###

###NEXTCLOUD###
                <Directory /var/www/html/nextcloud>
                        DirectoryIndex index.php
                        Options -Indexes +FollowSymLinks +ExecCGI
                        AllowOverride All
                        Order deny,allow
                        Allow from all
                        Require all granted
                </Directory>
###NEXTCLOUD###

###PI-HOLE###
                <Directory /var/www/html/admin>
                        Options -Indexes
                        Deny from all
 #                       Options Indexes FollowSymLinks MultiViews
 #                       AllowOverride all
 #                       Order allow,deny
 #                       Allow from all
                </Directory>
###PI-HOLE###

###RAINLOOP###
                <Directory /var/www/html/rainloop>
                        DirectoryIndex index.php
                        Options -Indexes +FollowSymLinks +ExecCGI
                        AllowOverride All
                        Order deny,allow
                        Allow from all
                        Require all granted
                </Directory>

                <Directory /var/www/html/rainloop/data>
                        Options -Indexes
                        Deny from all
                </Directory>

###RAINLOOP###


                ErrorLog ${APACHE_LOG_DIR}/error.log
                LogLevel ssl:info
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile      /etc/letsencrypt/live/FQDN/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/FQDN/privkey.pem


                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                </FilesMatch>

                <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
                </Directory>

                Redirect 301 /.well-known/carddav https://FQDN/nextcloud/remote.php/dav
                Redirect 301 /.well-known/caldav https://FQDN/nextcloud/remote.php/dav


                SSLProtocol -all +TLSv1.2 +TLSv1.3
                SSLHonorCipherOrder on
                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
                SSLCompression off

        </VirtualHost>

</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Wed Jan 29, 2020 10:01 am

I think your problem is not setting the directory options, i.e. the lines between the <Directory> tags:

Code: Select all

###RAINLOOP###
                <Directory /var/www/html/rainloop>
                        DirectoryIndex index.php
                        Options -Indexes +FollowSymLinks +ExecCGI
                        AllowOverride All
                        Order deny,allow
                        Allow from all
                        Require all granted
                </Directory>

                <Directory /var/www/html/rainloop/data>
                        Options -Indexes
                        Deny from all
                </Directory>

###RAINLOOP###
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Wed Jan 29, 2020 10:06 am

Once you have rainloop up-and-running - and I love the interface, so much - you may encounter some final difficulties with the settings from inside the interface, - and you may not! Shout if you need more help.

To access your mail as a user: https://FQDN/rainloop/

To access as admin: https://FQDN/rainloop/?admin (Default login is "admin", password is "12345")
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

Skraaj
Posts: 27
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Re: Email server Rpi4 - tutorial needed

Wed Jan 29, 2020 7:59 pm

For some reason it wouldn't work with FQDN/rainloop in config. I made a subdomain and it sees rainloop now. And this part nicely blocks access to data subfolder.
castletonroad wrote:
<Directory /var/www/rainloop/data>
Options -Indexes
Deny from all
</Directory>
But now I've hit a different wall. Looks like I don't have all packages that rainloop requires. The website shows "[302] The following PHP extensions are not available in your PHP configuration! cURL dom".

Fair enough - I'd be glad to install them, but it looks like I already have curl installed "curl/stable,now 7.64.0-4 armhf [installed]" unless it's a different package, Installing php7.3-curl didn't help either.

As for "apt search dom" it returns many packages but nothing just named "dom". Any chance you know which packages are to be installed?

p.s. tried "apt get search curl/dom | grep "php" " and I just don't see anything else that might be it
codedoneright.eu – newbie friendly raspberry tutorials

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Wed Jan 29, 2020 8:12 pm

I think I remember having to install some php add-ons, but can't rightly remember.

Sounds like you can't be too far away from success. I'm sure a little googling will help.

I have these php modules:

Code: Select all

:~ $ php -m
[PHP Modules]
apc
apcu
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
igbinary
imagick
imap
intl
json
libxml
mbstring
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
readline
redis
Reflection
session
shmop
SimpleXML
sockets
sodium
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

Skraaj
Posts: 27
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Re: Email server Rpi4 - tutorial needed

Wed Jan 29, 2020 8:59 pm

castletonroad wrote:
Wed Jan 29, 2020 8:12 pm
I think I remember having to install some php add-ons, but can't rightly remember.

Sounds like you can't be too far away from success. I'm sure a little googling will help.
Ah! I was not fast enough and made you unnecessarily check installed packages. Sorry!

I issued a new certificate as the new subdomain was NOT secured (cert was issued only for the FQDN and not mail.FQDN)! After running certbot it is working! Ok, I rebooted the Pi, and installed php7.3-xml and I'm afraid to touch it since it might stop working :D But my guess is since the email config requires secured connection rainloop won't run properly without a valid certificate? Still, I'm glad it finally happened. I have to admit it's quite a rewarding work.

Thank you. I really and truly appreciate the help!
codedoneright.eu – newbie friendly raspberry tutorials

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Wed Jan 29, 2020 9:19 pm

Great news!

What do you think of the Rainloop interface?

I often use it instead of my Outlook desktop client!
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

Skraaj
Posts: 27
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Re: Email server Rpi4 - tutorial needed

Thu Jan 30, 2020 12:35 am

I have to say that I enjoy it. Minimalistic and utilitarian, does only one job and it's good at it – just as I like it. No flash and no unnecessary settings that no one will ever use. The plugin for snow on login screen is just priceless! When I kept hitting a brick wall I was *this* close to just leaving it be and living without webmail and just using Thunderbird but this is great. I don't have the strength today to play with it around but so far I am quite happy with it. And as a newbie on the admin scene I cannot say thanks enough castletonroad for the help and pointing me to rainloop :) Great thing about RPi is that since it is Debian based everything I learn here can be transposed to a full fledged server, although backups might be a bit more problematic than just cloning an SD

One thing I would like to see in Rainloop though is a thumbnail of the file I am attaching, but I guess that it can be taken care of by a plugin. Will have to investigate that.
codedoneright.eu – newbie friendly raspberry tutorials

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Thu Jan 30, 2020 12:39 am

@Skraaj

I’m really glad you persevered with this.

Like you, I’m a new ‘admin’, running my Pi for 9 months now as a Nextcloud and mail server. I am almost ready now to bin my google email accounts, having given up using Dropbox, OneDrive and Drive.

Cheers.
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Thu Jan 30, 2020 8:13 am

Since you were successful in setting up postfix, I wanted to share my learnings on configuring /etc/postfix/main.cf for filtering unwanted emails.

I learned that the following order of ‘restrictions’ lists successively / hierarchically filters unwanted email.

/etc/postfix/main.cf:

Code: Select all

.
.
.
# Allow connections from trusted networks only (reject all client commands)
smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_client_hostname,
        permit

# Don't talk to mail systems that don't know their own hostname (reject HELO/EHLO information)
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        ### this next one often blocks important emails such as 'verify your account email' emails - I now hash-out this rule
        reject_unknown_helo_hostname,
        check_helo_access hash:/etc/postfix/helo_access,
        permit

# Don't accept mail from domains that don't exist (reject MAIL FROM information)
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        permit

# Spam control: exclude local clients and authenticated clients from DNSBL lookups (Reject RCPT TO information)
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        check_client_access hash:/etc/postfix/rbl_override,
        ####the following line is postgrey
        check_policy_service inet:127.0.0.1:10023,
        check_policy_service unix:private/policyd-spf,
        reject_rhsbl_helo dbl.spamhaus.org,
        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org,
        reject_rbl_client zen.spamhaus.org,
        permit

# Relay control (Postfix 2.10 and later): local clients and authenticated clients may specify any destination domain (reject RCPT TO information)
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination

# Block clients that speak too early (reject DATA command)
smtpd_data_restrictions =
        reject_unauth_pipelining
.
.
.
I have since found that this ordering of rules is super effective in preventing unwanted mail getting through. In fact, postgrey was capturing pretty much ONLY legitimate email, so I have since hashed-out the postgrey rule. No issues so far.

Hope this helps make your postfix configuration even slicker and more effective!

Cheers
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

Skraaj
Posts: 27
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Re: Email server Rpi4 - tutorial needed

Thu Jan 30, 2020 6:21 pm

castletonroad wrote:Since you were successful in setting up postfix, I wanted to share my learnings on configuring /etc/postfix/main.cf for filtering unwanted emails.

Hope this helps make your postfix configuration even slicker and more effective!
Sam Hobbs mentioned spam control in his tutorial. I am using the following:

Code: Select all

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname
        check_helo_access hash:/etc/postfix/helo_access
Apparently helo restrictions take care of most stuff. As for the rest I am too green to include expressions I don't yet understand. I don't want to break what is working. If I get spam problems I'll dig more into the subject. For now I'll be going through your config and manual to check what does what

According to postfix's manual the expression "smtpd_delay_reject =" is "yes" by default so I don't see the point of including it.

Mind explaining what "permit" at the end actually does? The explanation in postfix man is not that great. Lately in general I'm puzzled with man pages as they tend to be murky if you are not savvy and want to know more than "yup, rm removes files".

Btw. is there a way to make a user account that will have access to the mailbox but won't be actually able to login to the server via ssh? I want to give a few accounts out to friends so they can test it and I'm not keen on them being able to log in :P not that they would even know how, but just in case. I know I can make a user without ~/ but they won't be able to have the Maildir and I can chroot them to ~/ somehow but still.

And I think I know why FQDN/rainloop was not working. I should have used "Alias /rainloop" instead of "ServerName FQDN/rainloop". So far it's only a theory - I'll check out that later with a dummy site. But that would mean that I could just get a cert for FQDN and it would be encrypted for all "/services" and I wouldn't have to issue a new cert for each and every subdomain which is a pain :/ certbot should just ask for a *.FQDN wildcard when detecting multiple subdomains instead of "Specify domains you want to encrypt and enable".
codedoneright.eu – newbie friendly raspberry tutorials
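
The "Alias /rainloop" theory in the post above can be checked with a small model of how Apache picks a name-based virtual host and maps a URL to a file. This is an added example, not code from the thread or from Apache; `example.test` stands in for FQDN and the model covers only ServerName, ServerAlias, DocumentRoot and Alias.

```python
from urllib.parse import urlsplit

# Constructed configs: the two *:443 vhosts from the thread (FQDN -> example.test),
# and a single vhost that uses Alias instead of a path inside ServerName.
BROKEN = """
<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /var/www/example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test/rainloop
    DocumentRoot /var/www/rainloop
</VirtualHost>
"""

FIXED = """
<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /var/www/example.test
    Alias /rainloop /var/www/rainloop
</VirtualHost>
"""


def parse_vhosts(text):
    """Collect the directives this model understands from each <VirtualHost> block."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("<virtualhost"):
            current = {"names": [], "docroot": None, "aliases": []}
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(current)
            current = None
        elif current is not None and line and not line.startswith("#"):
            directive, *args = line.split()
            directive = directive.lower()
            if directive in ("servername", "serveralias"):
                current["names"] += [a.lower() for a in args]
            elif directive == "documentroot":
                current["docroot"] = args[0]
            elif directive == "alias" and len(args) == 2:
                current["aliases"].append((args[0], args[1]))
    return vhosts


def select_vhost(vhosts, host):
    """The Host header carries only a hostname, so a name with a path never matches."""
    for vhost in vhosts:
        if host.lower() in vhost["names"]:
            return vhost
    return vhosts[0]  # no match: the first vhost on the address/port is the default


def map_to_file(vhosts, url):
    """Return the filesystem path a request for `url` would be served from."""
    parts = urlsplit(url)
    path = parts.path or "/"
    vhost = select_vhost(vhosts, parts.hostname)
    for prefix, target in vhost["aliases"]:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return target + path[len(prefix):]
    return vhost["docroot"] + path


def lint(vhosts):
    """Server names that can never match a Host header because they contain a path."""
    return [name for vhost in vhosts for name in vhost["names"] if "/" in name]


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        vhosts = parse_vhosts(conf)
        print(label, map_to_file(vhosts, "https://example.test/rainloop/?admin"), lint(vhosts))
```

With the original pair of vhosts the request lands in the main site's DocumentRoot, where no `rainloop` directory exists, which matches the 404. An aliased directory still needs its own `<Directory>` access rules, including the deny on `data` shown earlier in the thread.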

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Thu Jan 30, 2020 7:18 pm

I followed the Sam Hobbs tutorial - which I then built on with wider reading, hence the more comprehensive list of restrictions I pasted above. I've read through a few articles on this, and am really happy with this configuration. I am satisfied that I am not excluding/rejecting any legitimate email. (You'll see I commented out a couple of options that I found to be causing me bother - emails I was expecting didn't show up, and I was able to identify why).

The key to this list being the specifically progressive nature of the filtering, which best ensures that only legitimate emails make it, successively, through all checks (and are not caught at the start of the checks by something too restrictive).

'PERMIT' is actually unnecessary - I put it in to remind me that the end of each list is equivalent to a PERMIT result.

I'd encourage you try these options for a few days and see if you don't receive anything you're expecting. Alternatively, if you start receiving emails you'd rather not, implement these commands. As I mentioned above, postgrey I thought was great, but actually, the preceding rules capture all the bad stuff, and postgrey was just slowing down legitimate email (and annoying my users!).

(I would often sit there with a ssh window running:

Code: Select all

sudo tail -f /var/log/mail.log
to see what was going on when I was sending/receiving emails.)
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B
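
The point above about 'permit' and the progressive ordering of the lists can be seen in a small model of how Postfix walks the smtpd restriction lists for one RCPT TO. This is an added example, not Postfix code and not from the thread: the checks are simplified, DNS is replaced by a constructed set of resolvable names, and the DNSBL, policy-service and access-table rules are left out.

```python
import ipaddress

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"

# Constructed stand-ins for mynetworks, mydestination and DNS (assumptions, not real hosts).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
LOCAL_DOMAINS = {"example.test"}
RESOLVABLE = {"example.test", "friend.example", "mx.friend.example"}


def domain(address):
    return address.rpartition("@")[2].lower()


def is_fqdn(name):
    return "." in name.strip(".")


def in_mynetworks(ip):
    return any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)


# Simplified checks: each returns PERMIT, REJECT, DEFER or DUNNO (no opinion, ask the next one).
RESTRICTIONS = {
    "permit": lambda s: PERMIT,
    "permit_mynetworks": lambda s: PERMIT if in_mynetworks(s["client_ip"]) else DUNNO,
    "permit_sasl_authenticated": lambda s: PERMIT if s["sasl_user"] else DUNNO,
    "reject_non_fqdn_helo_hostname": lambda s: DUNNO if is_fqdn(s["helo"]) else REJECT,
    "reject_unknown_helo_hostname": lambda s: DUNNO if s["helo"].lower() in RESOLVABLE else REJECT,
    "reject_non_fqdn_sender": lambda s: DUNNO if is_fqdn(domain(s["sender"])) else REJECT,
    "reject_unknown_sender_domain": lambda s: DUNNO if domain(s["sender"]) in RESOLVABLE else REJECT,
    "reject_unauth_destination": lambda s: DUNNO if domain(s["rcpt"]) in LOCAL_DOMAINS else REJECT,
    "defer_unauth_destination": lambda s: DUNNO if domain(s["rcpt"]) in LOCAL_DOMAINS else DEFER,
}

# Order in which the lists are consulted at RCPT TO when smtpd_delay_reject = yes.
LIST_ORDER = ["smtpd_client_restrictions", "smtpd_helo_restrictions", "smtpd_sender_restrictions",
              "smtpd_relay_restrictions", "smtpd_recipient_restrictions"]

GATES = ["permit_mynetworks", "permit_sasl_authenticated"]
FULL = {  # the lists from the thread, minus the rules that need external services
    "smtpd_client_restrictions": GATES + ["permit"],
    "smtpd_helo_restrictions": GATES + ["reject_non_fqdn_helo_hostname",
                                        "reject_unknown_helo_hostname", "permit"],
    "smtpd_sender_restrictions": GATES + ["reject_non_fqdn_sender",
                                          "reject_unknown_sender_domain", "permit"],
    "smtpd_relay_restrictions": GATES + ["defer_unauth_destination"],
    "smtpd_recipient_restrictions": GATES + ["reject_unauth_destination", "permit"],
}


def evaluate_list(names, session):
    """The first rule with an opinion decides this list; running off the end means permit."""
    for name in names:
        result = RESTRICTIONS[name](session)
        if result != DUNNO:
            return result, name
    return PERMIT, "(end of list)"


def rcpt_decision(config, session):
    """A PERMIT only ends its own list; a REJECT or DEFER in any list ends the transaction."""
    for list_name in LIST_ORDER:
        result, rule = evaluate_list(config.get(list_name, []), session)
        if result in (REJECT, DEFER):
            return result, list_name, rule
    return PERMIT, None, None


def without_permit(config):
    return {name: [r for r in rules if r != "permit"] for name, rules in config.items()}


def session(client_ip, helo, sender, rcpt, sasl_user=None):
    return {"client_ip": client_ip, "helo": helo, "sender": sender,
            "rcpt": rcpt, "sasl_user": sasl_user}


SESSIONS = {  # constructed sample sessions
    "bad_helo": session("203.0.113.9", "localhost", "x@friend.example", "me@example.test"),
    "legit": session("203.0.113.9", "mx.friend.example", "bob@friend.example", "me@example.test"),
    "relay": session("203.0.113.9", "mx.friend.example", "bob@friend.example", "a@elsewhere.example"),
    "roaming": session("198.51.100.7", "laptop", "me@example.test", "bob@friend.example", "me"),
}

if __name__ == "__main__":
    for label, sess in SESSIONS.items():
        print(label, rcpt_decision(FULL, sess), rcpt_decision(without_permit(FULL), sess))
```

The `bad_helo` session is permitted by the client list and still rejected by the HELO list, while the authenticated `roaming` session with a bare HELO name passes because `permit_sasl_authenticated` ends each list before the reject rules are reached.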

Skraaj
Posts: 27
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Re: Email server Rpi4 - tutorial needed

Thu Jan 30, 2020 10:24 pm

I'm not using my self-hosted email fully just yet, I still need to gain confidence that it actually works as it is supposed to. I'm also worried about redundancy like if my server stops working for some reason while I'm away and unable to SSH to it, or I just lose internet connection or power. Not like it's not happening often but still can.

Probably I will phase out gmail gradually as I go, but for now the transition period will give me time to dig into those commands. I'm thinking of getting Postfix: The Definitive Guide
codedoneright.eu – newbie friendly raspberry tutorials

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Email server Rpi4 - tutorial needed

Fri Jan 31, 2020 1:51 am

The main hurdle I have is my ISP won’t provide me with reverse DNS lookup.

Ultimately this means my email often lands in my friends' SPAM folders until they reply back to me, whereafter my email is considered NOT spam.
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B
