How to Easily Set Up a Full-Featured Mail Server on Ubuntu 22.04 with iRedMail

Setting up your own email server on Linux from scratch is a pain in the butt, if you are not an advanced user. This tutorial will be showing you how to use iRedMail to quickly set up a full-featured mail server on Ubuntu 22.04, saving you lots of time and headaches.

What is iRedMail?

iRedMail is a shell script that automatically installs and configures all necessary mail server components on your Linux/BSD server, thus eliminating manual installation and configuration. With iRedMail, you can easily create unlimited mailboxes and unlimited mail domains in a web-based admin panel. Mailboxes can be stored in MariaDB/MySQL, PostgreSQL database, or OpenLDAP. The following is a list of open-source software that will be automatically installed and configured by iRedMail.

  • Postfix SMTP server
  • Dovecot IMAP server
  • Nginx web server to serve the admin panel and webmail
  • OpenLDAP, MySQL/MariaDB, or PostgreSQL for storing user information
  • Amavisd-new for DKIM signing and verification
  • SpamAssassin for anti-spam
  • ClamAV for anti-virus
  • Roundcube webmail
  • SOGo groupware, providing webmail, calendar (CalDAV), contacts (CardDAV), tasks and ActiveSync services.
  • Fail2ban for protecting SSH
  • mlmmj mailing list manager
  • Netdata server monitoring
  • iRedAPD Postfix policy server for greylisting

Step 1: Choose the Right Hosting Provider and Buy a Domain Name

To set up a full-featured email server with iRedMail, you need a server with at least 3GB RAM, because after the installation, your server will use more than 2GB of RAM.

It is highly recommended that you install iRedMail on a clean fresh Ubuntu 22.04 server. If you use an existing production server, iRedMail might wipe away your existing database.

This tutorial is done on a $9/month Kamatera VPS (virtual private server) with 1 CPU and 3GB RAM. They offer a 30-day free trial.

Kamatera is a very good option to run a mail server because

  • They don’t block port 25, so you can send unlimited emails (transactional email and newsletters) without spending money on SMTP relay service. Kamatera doesn’t have any SMTP limits. You can send a million emails per day.
  • The IP address isn’t on any email blacklist. (At least this is true in my case. I chose the Dallas data center.) You definitely don’t want to be listed on the dreaded Microsoft Outlook IP blacklist or the spamrats blacklist. Some blacklists block an entire IP range and you have no way to delist your IP address from this kind of blacklist.
  • You can edit PTR record to improve email deliverability.
  • They allow you to send newsletters to your email subscribers with no hourly limits or daily limits, whatsoever.
  • You can order multiple IP addresses for a single server. This is very useful for folks who need to send a large volume of emails. You can spread email traffic on multiple IP addresses to achieve better email deliverability.

Other VPS providers like DigitalOcean block port 25. DigitalOcean would not unblock port 25, so you will need to set up SMTP relay to bypass blocking, which can cost you additional money. If you use Vultr VPS, then port 25 is blocked by default. They can unblock it if you open a support ticket, but they may block it again at any time if they decide your email sending activity is not allowed. Vultr actually may re-block it if you use their servers to send newsletters.

Go to Kamatera website to create an account, then create your server in your account dashboard.

I recommend following the tutorial linked below to properly set up your Linux VPS server on Kamatera.

Once you have created a server, Kamatera will send you an email with the server SSH login details. To log into your server, you use an SSH client. If you are using Linux or macOS on your computer, then simply open up a terminal window and run the following command to log into your server. Replace 12.34.56.78 with your server’s IP address.

ssh root@12.34.56.78

You will be asked to enter the password.

You also need a domain name. I registered my domain name from NameCheap because the price is low and they give whois privacy protection free for life.

Step 2: Creating DNS MX Record

The MX record specifies which host or hosts handle emails for a particular domain name. For example, the host that handles emails for linuxbabe.com is mail.linuxbabe.com. If someone with a Gmail account sends an email to [email protected], then the Gmail server will query the MX record of linuxbabe.com. When it finds out that mail.linuxbabe.com is responsible for accepting email, it then queries the A record of mail.linuxbabe.com to get the IP address, so the email can be delivered.

In your DNS manager, create a MX record for your domain name. Enter @ in the Name field to represent the main domain name, then enter mail.your-domain.com in the Value field.

Note: The hostname for MX record cannot be an alias to another name. Also, it’s highly recommended that you use hostnames, rather than bare IP addresses, for MX record.

Your DNS manager may require you to enter a preference value (aka priority value). It can be any number between 0 and 65,356. A small number has higher priority than a big number. It’s recommended that you set the value to 0, so this mail server will have the highest priority for receiving emails. After creating the MX record, you also need to create an A record for mail.your-domain.com, so that it can be resolved to an IP address. If your server uses an IPv6 address, be sure to add an AAAA record.

Hint: If you use Cloudflare DNS service, you should not enable the CDN feature when creating A record for mail.your-domain.com. Cloudflare does not support SMTP proxy.

Step 3: Configuring Hostname

Log into your server via SSH, then run the following command to update existing software packages.

sudo apt update

sudo apt upgrade

I strongly recommend creating a sudo user for managing your server rather than using the default root user. Run the following command to create a user. Replace username with your preferred username.

adduser username

Then add the user to the sudo group.

adduser username sudo

Then switch to the new user.

su - username

Next, set a fully qualified domain name (FQDN) for your server with the following command.

sudo hostnamectl set-hostname mail.your-domain.com

We also need to update /etc/hosts file with a command line text editor like Nano.

sudo nano /etc/hosts

Edit it like below. (Use arrow keys to move the cursor in the file.)

127.0.0.1       mail.your-domain.com localhost

Save and close the file. (To save a file in Nano text editor, press Ctrl+O, then press Enter to confirm. To close the file, press Ctrl+X.)

To see the changes, re-login and then run the following command to see your hostname.

hostname -f

Step 4: Setting up Mail Server on Ubuntu 22.04 with iRedMail

Run the following command to download the latest version of iRedMail script installer from its GitHub repository.

wget https://github.com/iredmail/iRedMail/archive/1.6.0.tar.gz

Extract the archived file.

tar xvf 1.6.0.tar.gz

Then cd into the newly-created directory.

cd iRedMail-1.6.0/

Add executable permission to the iRedMail.sh script.

chmod +x iRedMail.sh

Next, run the Bash script with sudo privilege.

sudo bash iRedMail.sh

The mail server setup wizard will appear. Use the Tab key to select Yes and press Enter.

The next screen will ask you to select the mail storage path. You can use the default one /var/vmail, so simply press Enter.

Then choose whether you want to run a web server. It’s highly recommended that you choose to run a web server because you need the web-based admin panel to add email accounts. Also, it allows you to access the Roundcube webmail. By default, Nginx web server is selected, so you can simply press Enter. (An asterisk indicates the item is selected.)

Then select the storage backend for email accounts. Choose one that you are familiar with. This tutorial chose MariaDB. Press up and down arrow key and press the space bar to select.

If you selected MariaDB or MySQL, then you will need to set the MySQL root password.

Note that if you selected MariaDB, then you don’t need a password to log into the MariaDB shell. Instead of running the normal command mysql -u root -p, you can run the following command to log in, with sudo and without providing the MariaDB root password.

sudo mysql -u root

This is because the MariaDB package on Ubuntu 22.04 uses unix_socket authentication plugin, which allows users to use OS credentials to connect to MariaDB, but you still need to set root password in iRedMail setup wizard.

Next, enter your first mail domain. You can add additional mail domains later in the web-based admin panel. This tutorial assumes that you want an email account like [email protected]. In that case, you need to enter your-domain.com here, without sub-domain. Do not press the space bar after your domain name. I think iRedMail will copy the space character along with your domain name, which can result in installation failure.

Next, set a password for the mail domain administrator.

Choose optional components. By default, 4 items are selected. Please note that SOGo groupware doesn’t support Ubuntu 22.04 right now, so don’t select it.

Now you can review your configurations. Type Y to begin the installation of all mail server components.

At the end of installation, choose y to use firewall rules provided by iRedMail and restart firewall.

Now iRedMail installation is complete. You will be shown the URLs of the webmail, SOGo groupware and web admin panel, along with the login credentials. The iRedMail.tips file contains important information about your iRedMail server.

Reboot your Ubuntu 22.04 server.

sudo shutdown -r now

Once your server is back online, you can visit the web admin panel.

https://mail.your-domain.com/iredadmin/

Note that in the above URL, the sub-directory for accessing the admin panel is /iredadmin/, not /iredmail/. And because it’s using a self-signed TLS certificate, you need to add a security exception in your web browser.

Step 5: Installing Let’s Encrypt TLS Certificate

Since the mail server is using a self-signed TLS certificate, both desktop mail client users and webmail client users will see a warning. To fix this, we can obtain and install a free Let’s Encrypt TLS certificate.

Obtaining the Certificate

First, log into your server again via SSH and run the following commands to install Let’s Encrypt (certbot) client on Ubuntu 22.04.

sudo apt install certbot python3-certbot-nginx -y

iRedMail has already configured TLS settings in the default Nginx virtual host, so here I recommend using the webroot plugin, instead of the nginx plugin, to obtain the certificate. Run the following command. Replace the email address and hostname with your actual data.

sudo certbot certonly --webroot --agree-tos --email you@example.com -d mail.your-domain.com -w /var/www/html/

When it asks you if you want to receive communications from EFF, you can choose No.

If everything went well, you will see the following text indicating that you have successfully obtained a TLS certificate. Your certificate and chain have been saved at /etc/letsencrypt/live/mail.your-domain.com/ directory.

Failure to Obtain TLS Certificate

If certbot failed to obtain TLS certificate, maybe it’s because your DNS records are not propagated to the Internet. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://dnsmap.io, enter your mail server’s hostname (mail.your-domain.com) to check DNS propagation.

If certbot failed to obtain a certificate and you saw the following message,

Failed authorization procedure. mail.linuxbabe.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://mail.linuxbabe.com/.well-known/acme-challenge/IZ7hMmRE4ZlGW7cXYoq2Lc_VrFzVFyfW6E0pzNlhiOA: Timeout during connect (likely firewall problem)

It might be that you have set AAAA record for mail.your-domain.com, but Nginx web server doesn’t listen on IPv6 address. To fix this error, edit the /etc/nginx/sites-enabled/00-default.conf file

sudo nano /etc/nginx/sites-enabled/00-default.conf

Find the following line.

#listen [::]:80;

Remove the # character to enable IPv6 for this Nginx virtual host.

listen [::]:80;

Save and close the file. Then edit the SSL virtual host /etc/nginx/sites-enabled/00-default-ssl.conf.

sudo nano /etc/nginx/sites-enabled/00-default-ssl.conf

Add the following line.

listen [::]:443 ssl http2;

Save and close the file. Then test Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx for the change to take effect.

sudo systemctl reload nginx

Run the following command again to obtain the TLS certificate. Replace the email address and hostname with your actual data.

sudo certbot certonly --webroot --agree-tos --email you@example.com -d mail.your-domain.com -w /var/www/html/

Now you should be able to successfully obtain TLS certificate.

Installing the Certificate in Nginx

After obtaining a TLS certificate, let’s configure Nginx web server to use it. Edit the SSL template file.

sudo nano /etc/nginx/templates/ssl.tmpl

Find the following 2 lines.

ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

Replace them with:

ssl_certificate /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.your-domain.com/privkey.pem;

Save and close the file. Then test nginx configuration and reload.

sudo nginx -t

sudo systemctl reload nginx

Visit the iRedMail admin panel again. Your web browser won’t warn you any more because Nginx is now using a valid TLS certificate.

Installing TLS Certificate in Postfix and Dovecot

We also need to configure Postfix SMTP server and Dovecot IMAP server to use the Let’s Encrypt issued certificate so that desktop mail client won’t display security warning. Edit the main configuration file of Postfix.

sudo nano /etc/postfix/main.cf

Find the following 3 lines. (line 95, 96, 97).

smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

Replace them with:

smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.your-domain.com/chain.pem

Save and close the file. Then reload Postfix.

sudo systemctl reload postfix

Next, edit the main configuration file of Dovecot.

sudo nano /etc/dovecot/dovecot.conf

Find the following 2 lines. (line 47, 48)

ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key

Replace them with:

ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem

Save and close the file. Then reload dovecot.

sudo systemctl reload dovecot

From now on, desktop mail users won’t see security warnings.
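
To confirm that no service was left pointing at the self-signed certificate, the following script lists every certificate and key path set in the three kinds of file edited above and flags any that still reference iRedMail.crt or iRedMail.key. It is an added example, not part of the original tutorial or of iRedMail; the function names are illustrative and it runs against constructed sample files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original tutorial): find TLS settings that
# still point at the self-signed certificate created by the installer.

# Print "file: directive -> path" for every certificate/key setting in the
# given files. Understands the three syntaxes edited in this tutorial:
#   Nginx:   ssl_certificate /path;
#   Postfix: smtpd_tls_cert_file = /path
#   Dovecot: ssl_cert = </path
list_tls_paths() {
    awk '
        /^[ \t]*#/ { next }                     # ignore commented-out lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = ""; val = ""
            if (line ~ /^ssl_certificate(_key)?[ \t]/) {
                split(line, part, /[ \t]+/)
                key = part[1]; val = part[2]
                sub(/;.*$/, "", val)
            } else if (line ~ /^(smtpd_tls_(key_file|cert_file|CAfile)|ssl_(cert|key))[ \t]*=/) {
                eq = index(line, "=")
                key = substr(line, 1, eq - 1)
                val = substr(line, eq + 1)
                gsub(/[ \t]/, "", key)
                gsub(/^[ \t<]+/, "", val)       # Dovecot prefixes paths with "<"
                gsub(/[ \t]+$/, "", val)
            }
            if (key != "") print FILENAME ": " key " -> " val
        }
    ' "$@"
}

# Print only the settings that still reference the self-signed files.
# Exit status 0 means none were found, 1 means at least one was.
stale_tls_paths() {
    stale=$(list_tls_paths "$@" | grep -E '/iRedMail\.(crt|key)$' || true)
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1
    fi
    return 0
}

# Constructed sample files standing in for /etc/nginx/templates/ssl.tmpl,
# /etc/postfix/main.cf and /etc/dovecot/dovecot.conf.
make_samples() {
    mkdir -p "$1"
    cat > "$1/ssl.tmpl" <<'EOF'
ssl_certificate /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.your-domain.com/privkey.pem;
EOF
    cat > "$1/main.cf" <<'EOF'
smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/cert.pem
# This line was missed during the edit:
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
EOF
    cat > "$1/dovecot.conf" <<'EOF'
ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
echo "All TLS settings:"
list_tls_paths "$SAMPLE_DIR/ssl.tmpl" "$SAMPLE_DIR/main.cf" "$SAMPLE_DIR/dovecot.conf"
echo "Still self-signed:"
stale_tls_paths "$SAMPLE_DIR/ssl.tmpl" "$SAMPLE_DIR/main.cf" "$SAMPLE_DIR/dovecot.conf" || true
```

On a real server, pass the three real file paths to stale_tls_paths with sudo; an empty result with exit status 0 means every setting has been switched.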

Step 6: Sending Test Email

Log into iredadmin panel with the postmaster mail account ([email protected]). In the Add tab, you can add additional domains or email addresses.

If you see “no domain under control” error, please refer to this article.

After you create a user, you can visit the Roundcube webmail address and login with the new mail user account.

https://mail.your-domain.com/mail/

Now you can test email sending and receiving. Please note that you may need to wait a few minutes to receive emails because iRedMail by default enables greylisting, which is a way to tell other sending SMTP servers to try again in a few minutes. The following line in mail log file /var/log/mail.log indicates greylisting is enabled.

Recipient address rejected: Intentional policy rejection, please try again later;

Adding Swap Space

ClamAV is used to scan viruses in email messages. ClamAV can use a fair amount of RAM. If there’s not enough RAM on your server, ClamAV won’t work properly, which will prevent your mail server from sending emails. You can add a swap file to your server to increase the total memory available on your server. (Note that using swap space on the server will degrade server performance. If you want better performance, you should upgrade the physical RAM instead of using swap space.)

To add swap space on the server, first, use the fallocate command to create a file. For example, create a file named swapfile with 1G capacity in root file system:

sudo fallocate -l 1G /swapfile

Then make sure only root can read and write to it.

sudo chmod 600 /swapfile

Format it to swap:

sudo mkswap /swapfile

Output:

Setting up swapspace version 1, size = 1024 MiB (1073737728 bytes)
no label, UUID=0aab5886-4dfb-40d4-920d-fb1115c67433

Enable the swap file

sudo swapon /swapfile

To mount the swap space at system boot time, edit the /etc/fstab file.

sudo nano /etc/fstab

Add the following line at the bottom of this file.

/swapfile    swap    swap     defaults    0   0

Save and close the file. Then reload systemd and restart ClamAV.

sudo systemctl daemon-reload

sudo systemctl restart clamav-daemon

Step 7: Checking If Port 25 (outbound) is blocked

Your ISP or hosting provider won’t block incoming connection to port 25 of your server, which means you can receive emails from other mail servers. However, many ISP/hosting providers block outgoing connection to port 25 of other mail servers, which means you can’t send emails.

If your email didn’t arrive at your other email address such as Gmail, then run the following command on your mail server to check if port 25 (outbound) is blocked.

telnet gmail-smtp-in.l.google.com 25

If it’s not blocked, you would see messages like below, which indicates a connection is successfully established. (Hint: Type in quit and press Enter to close the connection.)

Trying 74.125.68.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP y22si1641751pll.208 - gsmtp

If port 25 (outbound) is blocked, you would see something like:

Trying 2607:f8b0:400e:c06::1a...
Trying 74.125.195.27...
telnet: Unable to connect to remote host: Connection timed out

In this case, your Postfix can’t send emails to other SMTP servers. Ask your ISP/hosting provider to open it for you. If they refuse your request, you need to set up SMTP relay to bypass port 25 blocking.

Still Can’t Send Email?

If port 25 (outbound) is not blocked, but you still can’t send emails from your own mail server to your other email address like Gmail, then you should check the mail log (/var/log/mail.log).

sudo nano /var/log/mail.log

For example, some folks might see the following lines in the file.

host gmail-smtp-in.l.google.com[2404:6800:4003:c03::1b] said: 550-5.7.1 [2a0d:7c40:3000:b8b::2] Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information

This means your mail server is using IPv6 to send the email, but you didn’t set up IPv6 records. You should go to your DNS manager, set AAAA record for mail.your-domain.com, then you should set PTR record for your IPv6 address, which is discussed in step 9.
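
The log signatures mentioned in this tutorial (the greylisting rejection from Step 6 and the Gmail IPv6 PTR rejection above), together with the connection timeout that Postfix logs when outbound port 25 is blocked, can be pulled out of the mail log with a short script. This is an added example, not from the original tutorial; the log lines are constructed samples and the function names are illustrative.

```shell
#!/bin/sh
# Added example: pick out the delivery problems described in this tutorial
# from Postfix log lines. Reads the named files, or stdin if none are given.

triage_mail_log() {
    awk '
        # First substring of the current line matching re, or "-" if none.
        function first(re) {
            return match($0, re) ? substr($0, RSTART, RLENGTH) : "-"
        }
        # Inbound mail deferred by iRedAPD greylisting (Step 6).
        /Recipient address rejected: Intentional policy rejection/ {
            print "GREYLISTED " first("from=<[^>]*>") " " first("to=<[^>]*>")
            next
        }
        # Gmail refusing mail sent over IPv6 without a matching PTR record.
        /does not meet IPv6 sending guidelines regarding PTR/ {
            src = "-"
            if (match($0, /said: 550-5\.7\.1 \[[0-9a-fA-F:.]+\]/)) {
                src = substr($0, RSTART, RLENGTH)
                sub(/^.*\[/, "", src)
                sub(/\]$/, "", src)
            }
            print "IPV6_PTR_REJECTED " first("to=<[^>]*>") " source=" src
            next
        }
        # Outbound connection to a remote MX never completed (Step 7).
        /connect to [^ ]+:25: Connection timed out/ {
            match($0, /connect to [^ ]+:25:/)
            print "PORT25_TIMEOUT relay=" substr($0, RSTART + 11, RLENGTH - 12)
            next
        }
    ' "$@"
}

# Count findings per category, sorted by category name.
triage_counts() {
    triage_mail_log "$@" |
        awk '{ n[$1]++ } END { for (k in n) print k "=" n[k] }' | sort
}

# Constructed sample log lines (addresses use documentation ranges).
sample_mail_log() {
    cat <<'EOF'
Mar  3 10:01:12 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mail-sample.example.net[192.0.2.10]: 451 4.7.1 <alice@your-domain.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<bob@example.net> to=<alice@your-domain.com> proto=ESMTP helo=<mail-sample.example.net>
Mar  3 10:05:40 mail postfix/smtp[2188]: 4F1A2C0D3E: to=<recipient@gmail.com>, relay=gmail-smtp-in.l.google.com[2404:6800:4003:c03::1b]:25, delay=1.4, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2404:6800:4003:c03::1b] said: 550-5.7.1 [2001:db8::25] Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication. (in reply to end of DATA command))
Mar  3 10:09:02 mail postfix/smtp[2190]: connect to gmail-smtp-in.l.google.com[192.0.2.27]:25: Connection timed out
Mar  3 10:12:30 mail postfix/smtp[2195]: 5A2B3D1E4F: to=<dave@example.org>, relay=mx.example.org[192.0.2.50]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
EOF
}

sample_mail_log | triage_mail_log
sample_mail_log | triage_counts
```

On the mail server itself, run it as sudo sh -c over /var/log/mail.log or pipe the log in; GREYLISTED entries resolve on the sender's retry, IPV6_PTR_REJECTED points to the AAAA and PTR records, and PORT25_TIMEOUT points to Step 7.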

Step 8: Using Mail Clients on Your Computer or Mobile Device

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account.

  • In the incoming server section, select IMAP protocol, enter mail.your-domain.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter mail.your-domain.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Fail2ban Blocking Your Own IP Address

If you made a mistake and failed to log in to mail server multiple times, then the Fail2ban service on the mail server might block your IP address. You can add your IP address to whitelist by editing the jail.local file.

sudo nano /etc/fail2ban/jail.local

Add your own IP address to the ignore list like below. Replace 12.34.56.78 with your real IP address.

ignoreip = 12.34.56.78 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

Save and close the file. Then restart Fail2ban.

sudo systemctl restart fail2ban

Step 9: Improving Email Deliverability

To prevent your emails from being flagged as spam, you should set PTR, SPF, DKIM and DMARC records.

PTR record

A pointer record, or PTR record, maps an IP address to a FQDN (fully qualified domain name). It’s the counterpart to the A record and is used for reverse DNS lookup, which can help with blocking spammers. Many SMTP servers reject emails if no PTR record is found for the sending server.

To check the PTR record for an IP address, run this command:

dig -x IP-address +short

or

host IP-address

PTR record isn’t managed by your domain registrar. It’s managed by the organization that gives you an IP address. Because you get your IP address from your hosting provider or ISP, not from your domain registrar, you must set the PTR record for your IP in the control panel of your hosting provider, or ask your ISP. Its value should be your mail server’s hostname: mail.your-domain.com. If your server uses an IPv6 address, be sure to add a PTR record for your IPv6 address as well.

To edit the reverse DNS record for your Kamatera VPS, log into the Kamatera client area, then open a support ticket and tell them to add a PTR record for your server IP address to point the IP address to mail.your-domain.com. It’s not convenient, you might think, but this is to keep spammers away from the platform, so legitimate email senders like us will have a great IP reputation.

SPF Record

SPF (Sender Policy Framework) record specifies which hosts or IP address are allowed to send emails on behalf of a domain. You should allow only your own email server or your ISP’s server to send emails for your domain. In your DNS management interface, create a new TXT record like below.

Explanation:

  • TXT indicates this is a TXT record.
  • Enter @ in the name field to represent the main domain name.
  • v=spf1 indicates this is a SPF record and the version is SPF1.
  • mx means all hosts listed in the MX records are allowed to send emails for your domain and all other hosts are disallowed.
  • ~all indicates that emails from your domain should only come from hosts specified in the SPF record. Emails that are from other hosts will be flagged as forged.

To check if your SPF record is propagated to the public Internet, you can use the dig utility on your Linux machine like below:

dig your-domain.com txt

The txt option tells dig that we only want to query TXT records.

DKIM Record

DKIM (DomainKeys Identified Mail) uses a private key to digitally sign emails sent from your domain. Receiving SMTP servers verify the signature by using the public key, which is published in the DNS DKIM record.

The iRedMail script automatically configured DKIM for your server. The only thing left to do is creating DKIM record in DNS manager. Run the following command to show the DKIM public key.

sudo amavisd-new showkeys

The DKIM public key is in the parentheses.

Then in your DNS manager, create a TXT record, enter dkim._domainkey in the name field. Copy everything in the parentheses and paste into the value field. Delete all double quotes and line breaks.

After saving your changes, run the following command to test if your DKIM record is correct.

sudo amavisd-new testkeys

If the DKIM record is correct, the test will pass.

TESTING#1 linuxbabe.com: dkim._domainkey.linuxbabe.com => pass

Note that your DKIM record may need some time to propagate to the Internet. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://www.dmarcanalyzer.com/dkim/dkim-check/, enter dkim as the selector and enter your domain name to check DKIM record propagation.

DMARC Record

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC can help receiving email servers to identify legitimate emails and prevent your domain name from being used by email spoofing.

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following. (You should create the [email protected] email address.)

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

The above DMARC record is a safe starting point. If you want to read the full explanation of DMARC, please check the following article. Note that this is optional.
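
The SPF and DMARC values described above can be checked mechanically once they are published. The following added example (not from the original tutorial) reads TXT answers in the format printed by dig +short and reports the SPF "all" qualifier and the DMARC policy; the function names are illustrative, and the sample answers and the report address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check SPF and DMARC
# TXT values as printed by `dig +short`.

# dig prints each TXT record on one line as one or more quoted chunks;
# the chunks of a long record are concatenated without a separator.
unquote_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# stdin: output of `dig +short your-domain.com txt`
check_spf() {
    spf=$(unquote_txt | tr 'A-Z' 'a-z' | grep -E '^v=spf1( |$)' || true)
    count=$(printf '%s\n' "$spf" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no SPF record"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "FAIL: $count SPF records; a domain must publish exactly one"
        return 1
    fi
    case " $spf " in
        *" mx "*) ;;
        *) echo "WARN: no 'mx' mechanism; check this server is authorised another way" ;;
    esac
    # The last term decides what happens to mail from hosts not listed.
    case "${spf##* }" in
        '-all') echo "OK: hard fail (-all)" ;;
        '~all') echo "OK: soft fail (~all)" ;;
        '?all') echo "WARN: neutral (?all) gives receivers no guidance"; return 1 ;;
        '+all'|'all') echo "FAIL: +all authorises every host on the Internet"; return 1 ;;
        *) echo "WARN: record does not end with an 'all' mechanism"; return 1 ;;
    esac
}

# stdin: output of `dig +short _dmarc.your-domain.com txt`
check_dmarc() {
    rec=$(unquote_txt | grep -E '^v=DMARC1 *(;|$)' | head -n 1)
    if [ -z "$rec" ]; then
        echo "FAIL: no DMARC record"
        return 1
    fi
    # Split the record into tags and pull out the value of p=.
    policy=$(printf '%s\n' "$rec" | tr ';' '\n' |
        sed -n 's/^ *p *= *\([A-Za-z]*\) *$/\1/p' | head -n 1)
    case "$rec" in
        *rua=mailto:*) rua="reports enabled" ;;
        *) rua="no rua address, so no aggregate reports" ;;
    esac
    case "$policy" in
        none) echo "MONITOR: p=none, failing mail is still delivered; $rua" ;;
        quarantine|reject) echo "ENFORCING: p=$policy; $rua" ;;
        *) echo "FAIL: missing or invalid p= tag"; return 1 ;;
    esac
}

# Constructed sample answers; the report address is a placeholder.
SAMPLE_SPF='"v=spf1 mx ~all"'
SAMPLE_DMARC='"v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@your-domain.com"'

printf '%s\n' "$SAMPLE_SPF" | check_spf
printf '%s\n' "$SAMPLE_DMARC" | check_dmarc
# Against live DNS:
#   dig +short your-domain.com txt        | check_spf
#   dig +short _dmarc.your-domain.com txt | check_dmarc
```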

Step 10: Testing Email Score and Placement

After creating PTR, SPF, DKIM record, go to https://www.mail-tester.com. You will see a unique email address. Send an email from your domain to this address and then check your score. As you can see, I got a perfect score. In the test result, you should check if your PTR record, SPF and DKIM record is valid.

Mail-tester.com can only show you a sender score. There’s another service called GlockApps that allows you to check if your email landed in the recipient’s inbox or spam folder, or was rejected outright. It supports many popular email providers like Gmail, Outlook, Hotmail, YahooMail, iCloud mail, etc.

Email is Rejected by Microsoft Mailbox?

Microsoft uses an internal blacklist that blocks many legitimate IP addresses. If your emails are rejected by Outlook or Hotmail, you need to follow the tutorial linked below to bypass Microsoft Outlook blacklist.

What if Your Emails Are Still Being Marked as Spam?

I have more tips for you in this article: How to stop your emails being marked as spam. Although it will take some time and effort, your emails will eventually be placed in inbox after applying these tips.

Adding Multiple Mail Domains

I wrote this article to show you how to add multiple mail domains in iRedMail.

How to Disable Greylisting

By default, iRedMail has enabled greylisting, which tells other sending SMTP servers to try again in a few minutes. This is mainly useful to block spam, but it also degrades user experience. If you prefer to disable greylisting, follow the instructions below.

Add write permission to the /opt/iredapd/settings.py file.

sudo chmod 600 /opt/iredapd/settings.py

Then edit the configuration file.

sudo nano /opt/iredapd/settings.py

Find the following line.

plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy"]

Remove "greylisting" from the list. Save and close the file. Then restart iredapd.

sudo systemctl restart iredapd

Change the configuration file back to read only mode.

sudo chmod 400 /opt/iredapd/settings.py

Enabling SMTPS Port 465

If you are going to use Microsoft Outlook client, then you need to enable SMTPS port 465 in Postfix SMTP server.

Troubleshooting Tips

First, please use a VPS with at least 4GB RAM. Running iRedMail on a 1GB RAM VPS will cause the database, SpamAssassin, or ClamAV to be killed because of out-of-memory problem. If you really want to use a 1GB RAM VPS, you are going to lose incoming emails and have other undesirable outcomes.

If the iRedMail web interface isn’t accessible, like a 502 gateway error, you should check the Nginx logs in /var/log/nginx/ directory to find clues.

If you can’t send or receive emails, check the mail log /var/log/mail.log.

Also, check if the various services are running.

systemctl status postfix

systemctl status dovecot

systemctl status nginx

systemctl status mariadb

systemctl status clamav-daemon

systemctl status amavis

If you enabled the firewall, you should open the following ports in the firewall.

HTTP port:  80
HTTPS port: 443
SMTP port:  25
Submission port: 587 (and 465 if you are going to use Microsoft Outlook mail client)
IMAP port:  143 and 993

If you would like to use the UFW firewall, check my guide here: Getting started with UFW firewall on Debian and Ubuntu.

How to Renew TLS Certificate

Let’s Encrypt issued TLS certificate is valid for 90 days only and it’s important that you set up a Cron job to automatically renew the certificate. You can run the following command to renew certificate.

sudo certbot renew -w /var/www/html

You can use the --dry-run option to test the renewal process, instead of doing a real renewal.

sudo certbot renew -w /var/www/html --dry-run

If you see the following error when renewing TLS certificate.

The client lacks sufficient authorization :: Invalid response

Then you need to create the hidden directory.

sudo mkdir -p /var/www/html/.well-known/acme-challenge

And set www-data as the owner of the webroot.

sudo chown www-data:www-data /var/www/html/ -R

Also, edit the SSL virtual host /etc/nginx/sites-enabled/00-default-ssl.conf. Add the following lines.

location ~ /.well-known/acme-challenge {
     root /var/www/html/;
     allow all;
}

Save and close the file. Test Nginx configuration and reload.

sudo nginx -t
sudo systemctl reload nginx

Create Cron Job

If now the dry run is successful, you can create Cron job to automatically renew certificate. Simply open root user’s crontab file.

sudo crontab -e

Then add the following line at the bottom of the file.

@daily certbot renew -w /var/www/html --quiet && systemctl reload postfix dovecot nginx

Reloading Postfix, Dovecot and Nginx is necessary to make these programs pick up the new certificate and private key.

Setting Up Backup Mail Server

Your primary mail server could be down sometimes. If you host your mail server in a data center, then the downtime is very minimal, so you shouldn’t be worried about losing inbound emails. If you host your mail server at home, the downtime can’t be predicted so it’s a good practice for you to run a backup mail server in a data center to prevent losing inbound emails. The backup mail server needs just 512MB RAM to run. Please check the full detail in the following article.

For Advanced Users

iRedMail doesn’t include a DMARC verification service. You can check out the following tutorial to set up OpenDMARC to block email spoofing.

You may want to customize the SpamAssassin content filter to better detect spam.

If your website and mail server are running on two different VPS (virtual private server), you can set up SMTP relay between your website and mail server, so that your website can send emails through your mail server. See the following article.

Wrapping Up

That’s it! I hope this tutorial helped you set up a mail server on Ubuntu 22.04 with iRedMail. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

289 Responses to “How to Easily Set Up a Full-Featured Mail Server on Ubuntu 22.04 with iRedMail”

  • Xiao Guoan (Admin)
    6 years ago

    I mentioned this in the article, but I want to say it again: The best practice to run iRedMail is using a clean fresh OS.

    Generally speaking, if there’s a script that will install lots of software, it’s a good practice to install it on a clean fresh OS. Otherwise, the install script might mess up the existing configurations of your software, making it unusable. Or maybe a component of the software stack needs to bind to a port, but it’s already been taken by an existing process on the server, resulting in installation failure.

    Unless you are very knowledgeable about every piece of software on the server and can spend lots of time debugging, it’s not recommended to install iRedMail on a server that has other applications running.

    I have seen many folks who didn’t follow this advice bork the applications on their servers.

  • I can send mail but no mail is being received atm, I don’t know why?

  • After disabling the “greylisting” it works. Thank you very much for this tutorial. Appreciate it.

  • Farax Abdi
    5 years ago

    Could we use another port (NOT 25) for sending email WITHOUT SMTP relay?

    • Xiao Guo An (Admin)
      5 years ago

      No. Receiving email servers expect you to hit them on port 25. They are listening on port 25 to accept incoming email.

      You can’t ask them to change the port. It’s SMTP standard. Similarly, you can’t ask websites to change port 80 or 443 to another port.

  • ihasaface
    5 years ago

    The first time i go to mail.mywebsite.com/iredadmin, I don’t get anything whatsoever… my website is up and running just fine though. Maybe because I have my webserver on a different VM than mail? please help.

    • Xiao Guo An (Admin)
      5 years ago

      To use iredadmin, you need to install a web server along with other components of iRedMail, preferably on the same VM. If you didn’t choose to run web server in the setup wizard, you can’t use iredadmin.

      • ihasaface
        5 years ago

        Is that going to mess with my website though? Changing hostname and hosts files and whatnot.

    • Xiao Guo An (Admin)
      5 years ago

      Changing hostname and hosts file won’t affect your website. The Nginx web server installed by iRedMail could interrupt the operation of your website.

      And it’s a good idea to separate your website and email server on different boxes, because your email server can leak the origin IP address of your website if they are on the same box. To protect your website from DDoS attack, you probably want to use a CDN service, which will hide the IP address of your website.

      • Ihasaface
        5 years ago

        I’m confused…. I had my webserver on a different virtual box than my mail server…. But installing this on a separate box didn’t work. What am I missing?

    • Xiao Guo An (Admin)
      5 years ago

      Maybe you can just start it over.

  • How to create PTR, SPF, DKIM and DMARC records on Ubuntu Desktop?

    • Xiao Guo An (Admin)
      5 years ago

      They are not created using command line. You need to ask your ISP or hosting provider to set the PTR record. For SPF, DKIM and DMARC records, create them in the DNS manager (on your domain registrar’s website).

  • Hi, I have two VPS servers with different IP addresses. On one of these servers I have my websites. Can I install iRedmail on second VPS and use it as mail server for domains from first server (with websites)?

  • zydecci
    5 years ago

    Hey all,

    Was just trying this out on my AWS t2.micro EC2 instance. I got all the way up to the reboot just after the initial installation. I rebooted the machine and it is showing as running in the AWS EC2 console but I can’t SSH to it. I destroyed the instance, built a new one, and tried saying no to changing the firewall rules and I get the same result. Any ideas?

    • Xiao Guo An (Admin)
      5 years ago

      iRedMail uses the Linux iptables firewall, but you also need to make sure port 22 is opened at the AWS firewall.

      • zydecci
        5 years ago

        Thanks for the reply. I configured the AWS firewall as you said. It ended up being the fact that the t2.micro instance in EC2 only has 1GB of RAM. That’s not enough to run the whole suite and you kind of end up DOSing yourself if you use it. The t2.medium has 2GB of RAM which is enough. My server is up and running well.

        For those that come after me and are doing this on AWS here’s a couple things to look out for:

        As Xiao Guo An said, make sure your iptables allow all the necessary ports. There’s a good table of ports that iRedMail needs open at this link https://docs.iredmail.org/network.ports.html

        Like I said, use a t2.medium or larger EC2 instance. t2.micro doesn’t provide enough resources.

        If you’re using Route53 for DNS, the syntax is a little bit different on there than it shows in the pictures. Pay attention to the syntax that Route53 likes.

        If you’ve attempted to use AWS SES in the past, be sure to remove any mention of it from your DNS records. They don’t play well together, especially when it comes to DKIM.

        • zydecci
          5 years ago

          When I said “make sure your iptables allow all the necessary ports” I really meant “make sure your security groups allow all the necessary groups.”

  • Steve Johnson
    5 years ago

    I understand why you need to setup mail.mydomain in /etc/hosts, but what is the purpose of changing the hostname itself? Because if there are multiple domains setup in the mailserver, you can only have one hostname.

    • Xiao Guo An (Admin)
      5 years ago

      If you don’t explicitly set a hostname in /etc/postfix/main.cf file, Postfix will use the OS hostname by default, so changing the OS hostname can prevent Postfix from using other hostnames that may be unresolvable.

    • Xiao Guo An (Admin)
      5 years ago

      When you add additional domains in iRedMail, you don’t need to change the hostname. This hostname should have an A record, pointing to the IP address of the server and the IP address should have a PTR record, pointing back to the same hostname. This is a good practice to pass spam filters.

  • Thanks for that.
    One question, is there a way to autorenew letsencrypt certificates or is that always a manual task?
    Thanks

    • Xiao Guo An (Admin)
      5 years ago

      The certbot deb package comes with a cron job (/etc/cron.d/certbot) and it will automatically renew certificate every 60 days.

  • Maybe you will expand this tutorial to add email aliases via MariaDB? E.g. webmaster, admin.

  • In my /etc/hosts file I have:

    127.0.0.1       localhost
    IP-address   vpsName.mydomain.com vpsName
    
    ::1     localhost ip6-localhost ip6-loopback
    xx02::1 ip6-allnodes
    xx02::2 ip6-allrouters
    IP-address vpsName.providerserver.net vpsName

    Should the second line be after changes? Like this:

    127.0.0.1      mail.mydomain.com localhost
    IP-address   vpsName.mydomain.com vpsName

    And what with IPv6 lines?
    I ask because when I run

    dig -x IP-address +short

    I get:

    vpsName.mydomain.com.
    vpsName.
    vpsName.providerserver.net.

    And I think that something is wrong…

    • Xiao Guo An (Admin)
      5 years ago

      In /etc/hosts file only one entry is needed for mail.your-domain.com. The dig command will first check /etc/hosts file when looking up PTR record. When you run

       dig -x IP-address +short

      on another machine, there would be only one answer.

      • OK. Thx. My /etc/hosts file looks like this:

        127.0.0.1      mail.mydomain.com localhost

    • Xiao Guo An (Admin)
      5 years ago

      That’s good.

  • How do I create virtual hosts for each sub domain?

    • Xiao Guo An (Admin)
      5 years ago

      This is only one sub-domain in this article: mail.your-domain.com

  • Stephen
    5 years ago

    Hi, everything seems to be working but I get the following messages sent to the postmaster:

    netdata notification
    mail.mydomain.com is critical
    mem.available

    ram available = 4.5%
    estimated amount of RAM available for userspace processes, without causing swapping
    ALARM
    system
    FAMILY
    CRITICAL
    SEVERITY

    Is this because my server is only 2gb ram?
    Could this stop emails being sent?

    I am having trouble working out how to monitor things to see if emails are being rejected or sent etc. Any guidance appreciated, thanks

    • Xiao Guo An (Admin)
      5 years ago

      On a fresh installed Ubuntu server, the RAM usage is little more than 1GB after installing iRedMail. You might have other software installed that causes such high RAM usage. Use htop to find RAM-hungry programs on your server and stop those services that you don’t need. You can also enable swap space to prevent OOM (Out of Memory) problems.

      If your emails cannot be sent at all, there will be logs generated in /var/log/mail.log and if your emails are rejected, you will receive an automated email from the Postfix daemon.

      • Stephen
        5 years ago

        It seems something is being rejected but I can’t understand why. When I try to register on a list using a form using email: [email protected] I get the following mail.log error:

        Jan 23 11:01:54 mail postfix/submission/smtpd[11910]: warning: hostname premium47.web-hosting.com does not resolve to address 68.65.123.240
        Jan 23 11:01:54 mail postfix/submission/smtpd[11910]: connect from unknown[68.65.123.240]
        Jan 23 11:01:55 mail postfix/submission/smtpd[11910]: Anonymous TLS connection established from unknown[68.65.123.240]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
        Jan 23 11:01:56 mail postfix/submission/smtpd[11910]: NOQUEUE: reject: RCPT from unknown[68.65.123.240]: 554 5.7.1 : Recipient address rejected: Sender is not same as SMTP authenticate username; from= to= proto=ESMTP helo=
        Jan 23 11:01:56 mail postfix/submission/smtpd[11910]: disconnect from unknown[68.65.123.240] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7

        • Stephen
          5 years ago

          So is this the main reason emails aren’t being sent?

          Recipient address rejected: Sender is not same as SMTP authenticate username

        • Stephen
          5 years ago

          I believe it’s sorted now? I added this to setting.py
          ALLOWED_LOGIN_MISMATCH_SENDERS = ['[email protected]']

          Is this safe? Thanks for letting me (pardon the pun) BOUNCE off of you. Much appreciated for the great post.

    • Xiao Guo An (Admin)
      5 years ago

      It seems you are trying to send email from another server using the SMTP submission port but the login name isn’t the same as the sender email address.

      If I were you, I would just create a separate email account for that sender, but you can add exceptions in /opt/iredapd/settings.py. It is safe in my opinion.

      • Stephen
        5 years ago

        Thank you, it is working fine now after much frustration. I just need to find the cause of the high RAM usage. But at least it’s working now. I’ll dig deeper based on your comment above. Thanks again, I couldn’t have done this without you.

    • Xiao Guo An (Admin)
      5 years ago

      Glad to know it’s working now 🙂

      • Stephen
        5 years ago

        Using htop it seems most of the 1.49GB memory being used is used by the following two processes:

        clamav – 31.4% /usr/sbin/clamd --forground=true
        mysql – 18.6% /usr/sbin/mysql --daemonize --pid-file=/run/mysqld/mysqld.pid

        Not sure what that means though.

    • Xiao Guo An (Admin)
      5 years ago

      That means ClamAV (Clam Antivirus) is using 31.4% of RAM and MySQL/MariaDB database server is using 18.6% of RAM. This is normal.

      I can see that you are running netdata on your mail server. If you selected all components in the iRedMail setup wizard, your server will use more RAM.

      My iRedMail server is using about 1.1GB RAM. I didn’t install netdata.

  • Stephen
    5 years ago

    Thanks Xiao, I will leave it installed for now and see if I can learn from it over the long term. When I get up and running I can easily update the vps at a reasonable cost. So thanks for the help. I do appreciate it.

  • Andrei Valentin Niculae
    5 years ago

    Hi,

    I used your tutorial and everything went smooth until I tried sending an email with a newly created account. In Roundcube I am seeing the following error: “SMTP Error (454): Authentication failed.”

    Looking into the postmaster account I can see an email containing the following:

    Transcript of session follows.
    
     Out: 220 mail.nemesyslabs.ro ESMTP Postfix
     In:  EHLO _
     Out: 250-mail.nemesyslabs.ro
     Out: 250-PIPELINING
     Out: 250-SIZE 15728640
     Out: 250-ETRN
     Out: 250-STARTTLS
     Out: 250-ENHANCEDSTATUSCODES
     Out: 250-8BITMIME
     Out: 250-DSN
     Out: 250 SMTPUTF8
     In:  STARTTLS
     Out: 454 4.7.0 TLS not available due to local problem
     In:  RSET
     Out: 530 5.7.0 Must issue a STARTTLS command first
     In:  QUIT
     Out: 221 2.0.0 Bye
    
    
    For other details, see the local mail logfile

    Can you please give me an idea where I should look and what I need to do to fix this?

    Thank you!

    • Xiao Guo An (Admin)
      5 years ago

      This line

      454 4.7.0 TLS not available due to local problem

      indicates that there might be a problem with your TLS configuration in either Postfix or Dovecot.

      • Andrei Valentin Niculae
        5 years ago

        Now I found the error in the Postfix configuration, but another problem appeared. I can send emails but the ones that I should receive don’t arrive in my inbox. I don’t have any error now in the postmaster account. What should I look for?

    • Xiao Guo An (Admin)
      5 years ago

      Check /var/log/mail.log file.

      • Andrei Valentin Niculae
        5 years ago

        The file seems to be empty. Is there a known reason why it shouldn’t have any data?

        • Andrei Valentin Niculae
          5 years ago

          Do you have any feedback in regards to what I need to look forward from here? It seems that my emails are sent but the ones that I receive are not arriving in my inbox.

    • Xiao Guo An (Admin)
      5 years ago

      Your domain name nemesyslabs.ro doesn’t have a MX record.

  • ckhatton
    5 years ago

    DigitalOcean now allows port 25 by default. They must have had too many complaints and gave up.

    • Xiao Guo An (Admin)
      5 years ago

      No. My DigitalOcean VPS still can’t send emails directly on port 25.

  • Thanks for a great howto! It is one of the best out there! So thank you for making it and sharing it!

  • Recently I tried to send bulk mails, but Gmail and Outlook marked the mail as spam. Any idea?

  • And also this one:)

    • managed-keys-zone: Unable to fetch DNSKEY set ‘.’: timed out

    • Xiao Guo An (Admin)
      5 years ago

      It appears that you are running BIND and it’s not working.

  • Monsieur Apple
    5 years ago

    Thanks for the guide! I got Let’s Encrypt working on my mail server, which is great, though the problem is that I am no longer able to send emails from the same domain as my mail server. For example, like [email protected] to [email protected]. I get SMTP error 454: authentication failed when sending through Roundcube. How can I fix this? It seems to have something to do with not finding a certificate. I checked but I think I spelled them all properly. What should I do?

    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: cannot load Certification Authority data, CAfile="/etc/letsencrypt/live/mail/mail.mydomain.net/chain.pem", CApath="/etc/ssl/certs": disabling TLS support
    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/letsencrypt/live/mail/mail.mydomain.net/chain.pem','r'):
    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: warning: TLS library problem: error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: warning: TLS library problem: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:../crypto/x509/by_file.c:199:
    Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: connect from mail.mydomain.net[127.0.0.1]
    Feb 14 20:26:51 mail roundcube: ERROR: Invalid response code received from server (454)
    Feb 14 20:26:51 mail roundcube: ERROR: Invalid response code received from server (530)
    
    • Xiao Guo An (Admin)
      5 years ago

      Your CAfile is wrong. It should be “/etc/letsencrypt/live/mail.mydomain.net/chain.pem”.

      • Patrick
        5 years ago

        Thanks a lot! 🙂 This article was great. I can’t believe I missed that lol.

  • Hi Xiao,

    Thanks for your incredible guide. I wonder how to change a little thing in my config, but I cannot find the way to do it. I would like that when people type my IP address in the URL bar 162.x.x.x.x they will be redirected directly to https://mail.my-domain.com

    How can i do that ?

    Thanks a lot 🙂

    • Xiao Guo An (Admin)
      5 years ago

      Create a new virtual host in /etc/nginx/sites-enabled/ directory.

      sudo nano /etc/nginx/sites-enabled/ip.conf

      Copy and paste the following text into the file.

      server {
              server_name your-server-ip-address;
              listen 80;
              return 301 https://mail.your-domain.com$request_uri;
      }

      Replace with your own IP address and domain name. Save and close the file. Then reload Nginx.

      sudo systemctl reload nginx

  • Hi Xiao,

    I followed your instructions, but i still have this page 🙁

    screenshot

    I searched but i did not find why it was not working …

    Thanks in advance for your help.

    🙂

    • Xiao Guo An (Admin)
      5 years ago

      Clear your browser cache and restart Nginx web server.

      sudo systemctl restart nginx

  • Branden
    5 years ago

    Hello,

    Thank you for this guide, it is very well laid out and easy to follow. I was wondering if you could add how to set up the mailcrypt plugin for Dovecot? It would be really cool to have the email encrypted at rest on the VPS.

    Thanks.

  • I have done everything as per your tutorial but on the final step I got this error. I have copied the error text from the console below. Will you please review what to do to solve this problem????

    php-xml is already the newest version (2:7.3+69+ubuntu18.10.1+deb.sury.org+2+php7.3).
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:
    
    The following packages have unmet dependencies:
     mariadb-server : Depends: mariadb-server-10.1 (>= 1:10.1.29-6ubuntu2) but it is not going to be installed
    E: Unable to correct problems, you have held broken packages.
    <> Installation failed, please check the terminal output.
    <> If you're not sure what the problem is, try to get help in iRedMail
    <> forum: https://forum.iredmail.org/

    • Xiao Guo An (Admin)
      5 years ago

      Please run this command.

       sudo apt install mariadb-server-10.1 mariadb-server

      • Please give me a solution. After successfully installing all I am getting an error when I go to my Roundcube webmail.
        It says database error. And also when I tried to connect to the webadmin panel it says Internal Server Error.

        DATABASE ERROR: CONNECTION FAILED!
        Unable to connect to the database!
        Please contact your server-administrator.

    • Xiao Guo An (Admin)
      5 years ago

      Run the following command to check if you can log into MariaDB server.

      mysql -u root -p

      You need to enter the MariaDB root password.

  • Thank you for making this guide. It helped me quickly setup an email server for one of my clients. Much appreciated for the work you put in! It worked flawlessly without needing any additional configuration.

  • Let’s Encrypt failed. Tried to disable HTTPS. Now Let’s Encrypt won’t issue a cert for another week after 5 tries.

    • ckhatton
      5 years ago

      It sounds like you have the same problem as me! It reports that the firewall is preventing it from renewing.

      • Yes, that was it. Reinstalled making sure Nguni full was allowed. Ty

        • ckhatton
          5 years ago

          Oh really? Maybe I’ll try that then.

  • You… are absolutely amazing. Thanks, once again, for teaching me something new.

  • ckhatton
    5 years ago

    I am still having letsencrypt problems. I commented out the HTTPS redirect in the “00-default.conf”, and now I get…

    Invalid response from http://mail.ckhatton.com/.well-known/acme-challenge/AJFepDxAdkvW7q0_AO2qrQopXXuTIiVniI_jVSKg1i4 [46.101.15.21]: “\r\n404 Not Found.”

    • ckhatton
      5 years ago

      The certificate has expired now, so I am stuck what to do! 🙁

    • Xiao Guo An (Admin)
      5 years ago

      You can try the DNS validation method in Certbot, instead of using the normal HTTP-01 challenge.

      • ckhatton
        5 years ago

        Awesome! That did it! Thank you so much!!

        • ckhatton
          4 years ago

          This is now no longer an issue. The normal method of HTTP-01 challenge is now working having given it another go again. It seems to have fixed itself maybe via an update.

        • Hi, I am having the same issue. Any help would be much appreciated! I get the same invalid response error. I noticed however that the URL requested is http instead of https. I checked and my redirect rules are correct.

          How do i change the validation method in certbot to use DNS validation instead of normal http-01?

        • ckhatton
          4 years ago

          @Alex I can’t reply to your comment directly, but I hope you will see this.

          `sudo certbot -d mail.domain1.com,mail.domain2.com --cert-name mail.domain1.com --manual --preferred-challenges dns certonly`

          Be careful, as once you go this route you can’t go back. Although going back to the regular method worked for me the other day…

          Good luck!

  • maximumwarp
    5 years ago

    Hello, I followed this guide and the other to use Sendinblue as SMTP relay server and my mail everything works like a charm.
    I installed on a VirtualBox virtual machine with Debian 9.9 as OS.
    I need to use the same virtual machine as web server for my personal website (built with WordPress) and a couple of webapps. I can’t configure a different virtual machine because the real machine isn’t powerful enough to run 2 VMs at the same time.
    How must I configure Nginx to host multiple websites?

    • Xiao Guo An (Admin)
      5 years ago

      iRedMail comes with a LEMP stack and there’s no need to change PHP configurations. To host multiple websites, you just need to create new virtual host file in /etc/nginx/conf.d/ directory.

  • Webmail from Roundcube works perfectly but I tried to configure a couple of email clients (Android and Windows) and they can’t reach the mail server, do I need to open/port-forward 993 and 587 ports on my modem-router?

    • Xiao Guo An (Admin)
      5 years ago

      Yes, if you set up a mail server at your home, you need to port forward 993 and 587 for mail client to login. You also need to port forward 25 to receive email from other mail servers.

  • Alexandru Gagea
    5 years ago

    Hello,

    I’m having issues with my DKIM record. I did exactly as instructed however, the command : sudo amavisd-new testkeys results in invalid. The test does not pass.

    Iredmail was installed on an ec2 instance.

    Please help.

    • Xiao Guo An (Admin)
      5 years ago

      It’s likely because you didn’t enter your DKIM record correctly in your DNS manager.

      • Alexandru Gagea
        5 years ago

        Solved it. I had to make the string on a single line. The current issue is with the SPF record. I’ve added in my DNS Manager the following: v=spf1 mx ~all and it says that I’m not fully authenticated. What am I missing? I created the rule in Route 53.

  • Hello

    what is the exact difference with the article https://www.linuxbabe.com/mail-server/ubuntu-16-04-iredmail-server-installation

    Sorry I am newbie with iredmail servers, I need your help.

    Thanks

    • Xiao Guo An (Admin)
      5 years ago

      There are no major differences between the two articles. One is for Ubuntu 16.04 and this article is for Ubuntu 18.04.

      • Thanks Xiao

        I have read through this article , it is great. I have some doubts about hostname and mx record value.

        1. the hostname must be the same with mx record value ?
        2. the hostname value must be a real FQDN domain name ? can I use something like “demo.demo.demo” ?

    • Xiao Guo An (Admin)
      5 years ago

      The hostname can be different than the MX record value.
      The hostname must be a real FQDN domain name, because many mail servers check the A record of the hostname. Hostname without a valid A record increases your chance of landing in spam folder or being rejected outright.

      • I have installed it successfully, thanks Xiao.

        I can see the tips in system dump like this

        * – Roundcube webmail: https://mail.example.com/mail/
        * – netdata (monitor): https://mail.example.com/netdata/
        * – Web admin panel (iRedAdmin): https://mail.example.com/iredadmin/

        I can see everything from iredmail resides in sub domain mail.example.com, is it possible to make it in root domain ?

        * – Roundcube webmail: https://example.com/mail/
        * – netdata (monitor): https://example.com/netdata/
        * – Web admin panel (iRedAdmin): https://example.com/iredadmin/

    • Xiao Guo An (Admin)
      5 years ago

      Yes, you can.

      Just replace mail.example.com with example.com in /etc/nginx/sites-enabled/mail.example.com.conf file and obtain a TLS certificate for example.com with Certbot, then reload Nginx.

  • Hello

    If I do a fresh installation, how can I achieve this? I can see this tutorial is for a subdomain.

    • Xiao Guo An (Admin)
      5 years ago

      iRedMail by default uses a subdomain for the hostname and webmail URL, but you will have an email address like [email protected].

      • My iRedMail can’t receive emails

        I check the logs it said

        Recipient address rejected: Intentional policy rejection, please try again later;

    • Xiao Guo An (Admin)
      5 years ago

      This indicates greylisting is enabled. You can go to the end of this article and follow the instructions to disable greylisting if you don’t want it.
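Several replies above diagnose a problem from one characteristic message in /var/log/mail.log: the sender/login mismatch rejection, the greylisting rejection and the unreadable CAfile. The function below is an added example, not part of the original thread or of iRedMail, that counts those three signatures per client or per file. The sample lines are constructed, modelled on the excerpts quoted in the comments, and the cause labels are this example's own.

```shell
#!/bin/sh
# Added example: group Postfix log lines by the failure causes quoted in the
# comments above. Reads mail.log lines on stdin and prints
# "<count> <cause> <client IP or file>", sorted by cause.

# Constructed sample lines (documentation addresses, example domains).
sample_log() {
cat <<'EOF'
Jan 23 11:01:56 mail postfix/submission/smtpd[11910]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <list@example.org>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<form@example.com> to=<list@example.org> proto=ESMTP helo=<web.example.com>
Jan 23 11:05:12 mail postfix/submission/smtpd[11934]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <news@example.org>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<form@example.com> to=<news@example.org> proto=ESMTP helo=<web.example.com>
Jan 23 11:07:40 mail postfix/smtpd[12001]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.7]: 451 4.7.1 <user@example.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<a@example.net> to=<user@example.com> proto=ESMTP helo=<mx.example.net>
Feb 14 20:26:51 mail postfix/submission/smtpd[3677]: cannot load Certification Authority data, CAfile="/etc/letsencrypt/live/mail/mail.example.com/chain.pem", CApath="/etc/ssl/certs": disabling TLS support
Feb 14 20:26:52 mail postfix/submission/smtpd[3677]: connect from localhost[127.0.0.1]
EOF
}

triage_maillog() {
    awk '
    # IP address of the connecting client, taken from "from host[ip]".
    # The "from " prefix keeps the match away from the smtpd[pid] field.
    function client(   m, i) {
        if (!match($0, /from [^ ]*\[[0-9A-Fa-f.:]+\]/)) return "-"
        m = substr($0, RSTART, RLENGTH)
        i = index(m, "[")
        return substr(m, i + 1, length(m) - i - 1)
    }
    # Path Postfix tried to open, taken from CAfile="...".
    function cafile(   m) {
        if (!match($0, /CAfile="[^"]*"/)) return "-"
        m = substr($0, RSTART, RLENGTH)
        return substr(m, 9, length(m) - 9)
    }
    # Authenticated login differs from the envelope sender (iRedAPD policy).
    /Sender is not same as SMTP authenticate username/ { hit["sender-login-mismatch " client()]++; next }
    # Greylisting: a temporary rejection, the remote server is expected to retry.
    /Intentional policy rejection/                      { hit["greylisted " client()]++; next }
    # Wrong certificate path in the Postfix TLS settings: TLS gets disabled.
    /cannot load Certification Authority data/          { hit["tls-cafile-unreadable " cafile()]++; next }
    END { for (k in hit) print hit[k], k }
    ' | sort -k2
}

# Run with --demo to triage the constructed sample.
# On a server, source this file and run: triage_maillog < /var/log/mail.log
if [ "${1:-}" = "--demo" ]; then
    sample_log | triage_maillog
fi
```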

  • Maxim Ellenberg
    5 years ago

    Very good article!

  • Hi Mr. Xiao,

    Very good article, how to make mail list or alias?

    Thank You very Much

    • Xiao Guo An (Admin)
      5 years ago

      iRedMail integrates mlmmj as the mailing list manager. However, it requires you to purchase a Pro account to use it in the web-based admin panel. If you don’t like spending money, I recommend using the Mailtrain self-hosted mailing list app.

      Creating alias in the web-based admin panel also requires purchasing a Pro account. However, you can create alias in the SQL database console. After creating alias, you can create the corresponding identity in RoundCube webmail, so you can use the alias address in the From header when replying emails.

    • Hi Mr.Xiao,

      thank you for your information, please provide information for creating email groups? can you use mailtrain?

      Thx,

  • Jeremy Willson
    5 years ago

    Hello linuxbabe
    Thank you for your tutorial for a ubuntu mail server. I am attempting to install using a clean Kubuntu 9.04.
    However, I get a message telling me of a failure to install (see the last few lines of install info below telling about missing packages).

    [ INFO ] Installing package(s): postfix postfix-pcre libsasl2-modules mariadb-client mariadb-server postfix-mysql libdbd-mysql-perl php-cli php-fpm php-json php-gd php-curl mcrypt php-intl php-xml php-mbstring php-mysql nginx-full dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-managesieved dovecot-sieve dovecot-mysql amavisd-new libcrypt-openssl-rsa-perl libmail-dkim-perl clamav-freshclam clamav-daemon spamassassin altermime arj nomarch cpio lzop cabextract p7zip-full rpm ripole libmail-spf-perl unrar-free pax lrzip mlmmj sogo sogo-activesync sope4.9-gdl1-mysql python-sqlalchemy python-dnspython python-mysqldb python-pymysql python-jinja2 python-netifaces python-webpy python-beautifulsoup python-lxml python-pycurl python-requests uwsgi uwsgi-plugin-python python-bcrypt fail2ban zlib1g libuuid1 libmnl0 curl lm-sensors netcat bzip2 acl patch cron tofrodos logwatch unzip bsdutils liblz4-tool
    Reading package lists...
    Building dependency tree...
    Reading state information...
    Package ripole is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    
    Package python-webpy is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    
    E: Package 'ripole' has no installation candidate
    E: Unable to locate package sogo-activesync
    E: Unable to locate package sope4.9-gdl1-mysql
    E: Couldn't find any package by glob 'sope4.9-gdl1-mysql'
    E: Couldn't find any package by regex 'sope4.9-gdl1-mysql'
    E: Package 'python-webpy' has no installation candidate
    <> Installation failed, please check the terminal output.
    <> If you're not sure what the problem is, try to get help in iRedMail
    <> forum: https://forum.iredmail.org/
    jeremy@mail:~/iRedMail-0.9.9$ 
    

    I did try using apt-get to install python-webpy, but it too failed as below.

    jeremy@mail:~/iRedMail-0.9.9$ sudo apt-get install python-webpy
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Package python-webpy is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    

    E: Package ‘python-webpy’ has no installation candidate
    jeremy@mail:~/iRedMail-0.9.9$

    Also, the script failed because iRedMail-0.9.8 wasn’t the latest, so I had to change the commands to iRedMail-0.9.9

    • Xiao Guo An (Admin)
      5 years ago

      iRedMail only supports LTS release of Ubuntu (Currently Ubuntu 16.04 & Ubuntu 18.04). I won’t try to install iRedMail on non-LTS Ubuntu to create unnecessary problems.

  • michaelIXOT
    5 years ago

    These were excellent instructions. With that said, now that it’s time to renew certbot certs I’m getting the following error:
    ‘Attempting to renew cert (mail..com) from /etc/letsencrypt/renewal/mail.ironbridgeenterprise.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
    Select the webroot for mail.ironbridgeenterprise.com:
    Choices: [‘Enter a new webroot’, ‘/var/www/html’]

    I want to try setting the webroot value, what should we use for iredmail?

  • Gerald Blondel
    4 years ago

    Amazing page! Thanks a lot.
    fyi, there is absolutely no problem on digitalocean; but Google Cloud is the one blocking port 25! I gave up using them.

    • Xiao Guo An (Admin)
      4 years ago

      I did an iRedMail install on DigitalOcean at several data centers (San Francisco, New York, Bangalore). Port 25 (outbound) is blocked and DigitalOcean refused to unblock it.

  • Hi, Xiao…
    I am a newbie in Linux OS, and I found your website so knowledgeable and useful for me. I just set up iRedMail on Ubuntu 18.04 with a Kamatera server, as recommended by you, and followed your instructions. However, I faced a problem installing the certbot Let’s Encrypt certificate. Here is what I get:

    The following errors were reported by the server:

    Domain: mail.ohsemmarketing.com
    Type: connection
    Detail: Fetching
    https://mail.ohsemmarketing.com/.well-known/acme-challenge/qD7xuY2O1B_NOyEsqm7pPdFaF00Hy51Nmmo_yDSpTfU:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    – Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

    The A & AAAA records for my IPv4 & IPv6 have been recorded in DNS. So I think the only error is in the firewall. How can I fix this? Thank you

    • Xiao Guo An (Admin)
      4 years ago

      It’s likely because the Nginx virtual host didn’t enable IPv6. To enable IPv6 in the Nginx virtual host, open the /etc/nginx/sites-enabled/000-default.conf file

      sudo nano /etc/nginx/sites-enabled/000-default.conf

      and find the following line.

      #listen [::]:80;

      Remove the # symbol to enable IPv6.

      listen [::]:80;

      Save and close the file. Then edit the SSL virtual host /etc/nginx/sites-enabled/00-default-ssl.conf. Add the following line.

      listen [::]:443 ssl http2;

      Save and close the file. Then test Nginx configuration.

      sudo nginx -t

      If the test is successful, reload Nginx for the change to take effect.

      sudo systemctl reload nginx

      Next, run the certbot command to obtain TLS certificate.

      sudo certbot certonly --webroot --agree-tos --email your-email-address -d mail.your-domain.com -w /var/www/html/

  • Ok, thank you so much Xiao. Although I followed your instructions to enable port 80 for IPv6, it still could not install the certificate. However, I tried removing the AAAA record for my server’s IPv6 address and ran certbot using the IPv4 A record, and it works again. I just don’t know why IPv6 from this server had been blocked by Let’s Encrypt? Or did Let’s Encrypt block port 80?

    • Xiao Guo An (Admin)
      4 years ago

      If your mail server hostname has an IPv6 record, Let’s Encrypt validation server will try to reach your mail server via IPv6 protocol. If there’s no IPv6 record, it will do so via IPv4 protocol. Let’s Encrypt does not block anything. If you see errors when trying to obtain TLS certificate, it’s almost always due to something on your own server.

      It’s fine to only use IPv4 address on your mail server.
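
The interaction described in the replies above (an AAAA record makes the validation server connect over IPv6, so Nginx needs active IPv6 listeners), as an added example that is not part of the original comments or of iRedMail. The virtual host contents are constructed, the function names are hypothetical, and ports 80 and 443 are both checked on the assumption that port 80 redirects to HTTPS, as the https:// challenge URL in the error above suggests.

```python
import re
import socket


def listen_sockets(conf_text):
    """Return {(family, port)} for the active `listen` directives in an Nginx config."""
    # Naive comment stripping: fine for listen lines, wrong for '#' inside quoted strings.
    active = re.sub(r"#[^\n]*", "", conf_text)
    found = set()
    for m in re.finditer(r"(?m)^\s*listen\s+([^;]+);", active):
        addr, *flags = m.group(1).split()
        if addr.startswith("unix:"):
            continue
        if addr.startswith("["):                  # [::]:80, [2001:db8::1]:443, [::]
            families, port = ["ipv6"], addr.partition("]")[2].lstrip(":")
            if "ipv6only=off" in flags:           # dual-stack socket also accepts IPv4
                families.append("ipv4")
        elif addr.isdigit():                      # "listen 80;" binds IPv4 only
            families, port = ["ipv4"], addr
        else:                                     # 192.0.2.10:80, *:80, or a bare address
            families, port = ["ipv4"], (addr.rpartition(":")[2] if ":" in addr else "")
        found.update((fam, int(port or 80)) for fam in families)
    return found


def acme_gaps(conf_texts, has_a, has_aaaa, ports=(80, 443)):
    """List (family, port) pairs that DNS advertises but Nginx does not listen on."""
    have = set().union(*(listen_sockets(t) for t in conf_texts))
    wanted = [fam for fam, published in (("ipv6", has_aaaa), ("ipv4", has_a)) if published]
    return [(fam, port) for fam in wanted for port in ports if (fam, port) not in have]


def published_families(hostname):
    """(has_a, has_aaaa) as seen by the local resolver. Needs network access, and
    /etc/hosts entries can skew the answer, so compare with a public DNS lookup."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    fams = {info[0] for info in infos}
    return socket.AF_INET in fams, socket.AF_INET6 in fams


# Constructed virtual hosts modelled on the two files named in the reply above.
HTTP_BEFORE = """
server {
    listen 80;
    #listen [::]:80;
    server_name _;
    root /var/www/html;
}
"""
SSL_BEFORE = """
server {
    listen 443 ssl http2;
    server_name _;
    root /var/www/html;
}
"""
# After the edits from the reply: uncomment the IPv6 line, add the IPv6 TLS listener.
HTTP_AFTER = HTTP_BEFORE.replace("#listen [::]:80;", "listen [::]:80;")
SSL_AFTER = SSL_BEFORE.replace(
    "listen 443 ssl http2;", "listen 443 ssl http2;\n    listen [::]:443 ssl http2;"
)

if __name__ == "__main__":
    for label, confs in (("before", [HTTP_BEFORE, SSL_BEFORE]),
                         ("after", [HTTP_AFTER, SSL_AFTER])):
        gaps = acme_gaps(confs, has_a=True, has_aaaa=True)
        print(label, "->", gaps or "every published address family has a listener")
```

An empty result with `has_aaaa=False` corresponds to the workaround reported above of removing the AAAA record.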

  • Alexandru Gagea
    4 years ago

    Hello,

    I’m trying to renew my certificate and I get the below error when using “sudo certbot renew”.

    Attempting to renew cert (my.domain) from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Missing command line flag or config entry for this setting: Select the webroot for my.domain:
    Choices: [‘Enter a new webroot’, ‘var/www/html’]

    Any ideas would be much appreciated.

    Thank you

  • Alexandru Gagea
    4 years ago

    I’ve solved the above issue myself. I’

    If anyone else encounters this issue, it’s because of multiple domains. So to fix it you have to go to /etc/letsencrypt/renewal/example.conf and under section [[webroot_map]] add the second domain.

    [[webroot_map]]
    mail.domain1.com = /var/www/html
    mail.domain2.com = /var/www/html

    After you save the file, run sudo certbot renew --dry-run again to see if the issue is fixed.
    The post that helped me fix this issue also says that it’s a good idea to restart nginx after you renew the certificate.

    service nginx reload

    • Robert Aitken
      4 years ago

      Alexandru, Thanks for the pointers. I’ve been searching for days to find out how to solve this. Only suggestion would be to change “/etc/letsencrypt/renewal/example.conf ” to “/etc/letsencrypt/renewal/.conf” just in case someone thinks they should have an example.conf.

      Xiao Guoan, Thanks for the easy to follow instructions. I had my mail server up and running on a virtual machine in a couple of days. Second day was finding out why my external IP was getting blacklisted. Once sorted it ran wonderfully.

      Thanks Both of you.

  • Hi! I want to make a website where users can create an email address @mywebsite.com I want them to be able to create this on their own upon entering the site. Anyone knows if I can use this tool to do this. How? Thanks!

    • Xiao Guoan (Admin)
      4 years ago

      By default only admin can create email address. To allow visitors to create email address, you need an additional web application.

      • Makes sense. Can you elaborate more on what else would be needed?

    • Xiao Guoan (Admin)
      4 years ago

      You should ask a web developer.

  • Massimiliano Iavazzo
    4 years ago

    Hello, just after installation by iRedmail Easy and making all records in DNS, I can send email but not receive it with following error:

    554 5.7.1 : Relay access denied

    • Xiao Guoan (Admin)
      4 years ago

      I can’t help you if you don’t use my method.

  • Hi Xiao.
    I am in the process of trying your guide. Thanks for sharing.
    I encountered errors related to nginx while installing iRedMail and it did not finish as seen in your guide. In “/var/log/nginx/error.log” I found “(socket() [::]:80 failed (97: Address family not supported by protocol)”. It seems nginx would like to have IPv6 enabled during installation – just a guess. I disabled IPv6 before installing iRedMail.
    I changed /etc/nginx/sites-available/default – and restarted
    #listen [::]:80;
    Running the installation again did now succeed and I will proceed.

  • Hi Xiao,
    your instructions were perfect! Exactly what I was looking for, in order to set up my own mail server – thank you!

  • I followed all the steps properly. I am not able to login with the admin account. I am directly copying the password from iRedmail.tips so I am sure I am not making any mistakes. I tried the setup 3-4 times now. Every time I am getting the same issue.

  • Phillip Katete
    4 years ago

    Thank you for this article. I installed this on a VPS with Ubuntu 18.04, 1GB ram, 1GB drive and it is working fabulously, but that was not the case initially. Memory consumption (including swap usage) and CPU utilisation were extremely high to an extent that both the ssh and web interfaces were barely useable. I noticed from the logs (and htop) that antivirus and netdata activity was high so this is what I did.

    1. I run sa-update (to update spam assassin) then restarted it.
    2. I edited the netdata conf to change the frequency of polling from 3 seconds to 300 (five minutes), then restarted it
    3. I also removed the greylisting as this was not only creating queues but was also blocking legitimate email

    I did some other changes to postfix configuration but I do not think those affected the performance of the VPS. More importantly, it is now working absolutely fine with memory usage down to around 30% on average with swap fluctuating between 20% and 45%.

    Just one question. Why does fail2ban keep jailing my IP when I try to access email on my iPhone? I completed setting up configuration for outlook but I am waiting to try it out until I can get to the bottom of why fail2ban keeps jailing my IP.

    • Xiao Guoan (Admin)
      4 years ago

      Edit the /etc/fail2ban/jail.local file and add your own IP address to the ignoreip list, then restart fail2ban.

      • Phillip Katete
        4 years ago

        This is not a good work-around as this may change depending on where I am. At the moment it is blocking my home IP because my iphone is on wifi but this will not be the case if I am not home.
        I really need to find out why rather than how to fix it – is there a ‘greylisting’ type setting or a less aggressive mode for fail2ban?

    • Xiao Guoan (Admin)
      4 years ago

      You can check the fail2ban log (/var/log/fail2ban.log) to find out which Fail2ban jail banned your IP address.

      You can also set up a VPN server on your mail server and always use VPN on your computer and mobile phone, so you will have the same IP address no matter where you are.

      • Phillip Katete
        4 years ago

        I was jailed in the iptables chain ‘f2b-dovecot’ so I suppose that is dovecot – any clues on what to look for in the log (I recall there was a log about icmq or something)?

    • Xiao Guoan (Admin)
      4 years ago

      The fail2ban log is very easy to read. For example, the following line indicates the [postfix] jail banned the IP address 61.186.65.48

      2019-11-02 11:59:50,528 fail2ban.actions        [667]: NOTICE  [postfix] Ban 61.186.65.48
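
Added example (not part of the original comments, and not fail2ban's or iRedMail's own code): a triage script for the situation discussed in this thread, which reads fail2ban.log in the format quoted above to find the jail that banned an address and reads mail.log to list the usernames Dovecot rejected from it. The Dovecot lines, the `Found` lines, the 203.0.113.7 address and all function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# fail2ban.log entry, e.g. "... fail2ban.actions [667]: NOTICE  [postfix] Ban 61.186.65.48"
F2B_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"fail2ban\.(?P<module>\w+)\s+\[\d+\]:\s+(?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|Unban)\s+(?P<ip>[0-9a-fA-F.:]+)"
)

# Dovecot login failure in mail.log; "rip" is the remote (client) address.
DOVECOT_RE = re.compile(
    r"dovecot: (?P<svc>imap|pop3)-login: .*\(auth failed, (?P<n>\d+) attempts[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<ip>[0-9a-fA-F.:]+)"
)


def parse_fail2ban(lines):
    """Return {ip: {jail: Counter({'Found': n, 'Ban': n, 'Unban': n})}}."""
    state = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        m = F2B_RE.match(line)
        if m:
            state[m["ip"]][m["jail"]][m["event"]] += 1
    return state


def dovecot_failures(lines):
    """Return {ip: Counter({username: failed attempts})}."""
    failures = defaultdict(Counter)
    for line in lines:
        m = DOVECOT_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += int(m["n"])
    return failures


def explain_ban(ip, f2b_lines, mail_lines):
    """Summarise why `ip` was banned, using only what the two logs contain."""
    jails = parse_fail2ban(f2b_lines).get(ip, {})
    return {
        # More Ban than Unban entries in the log window means the ban is still active.
        "still_banned_in": sorted(j for j, c in jails.items() if c["Ban"] > c["Unban"]),
        "matches_before_ban": {j: c["Found"] for j, c in jails.items()},
        "failed_logins": dict(dovecot_failures(mail_lines).get(ip, {})),
    }


# First line is the one quoted in the comment above; the rest are constructed.
SAMPLE_F2B = """\
2019-11-02 11:59:50,528 fail2ban.actions        [667]: NOTICE  [postfix] Ban 61.186.65.48
2019-11-02 12:01:10,101 fail2ban.filter         [667]: INFO    [dovecot] Found 203.0.113.7 - 2019-11-02 12:01:10
2019-11-02 12:01:30,950 fail2ban.filter         [667]: INFO    [dovecot] Found 203.0.113.7 - 2019-11-02 12:01:30
2019-11-02 12:01:31,007 fail2ban.actions        [667]: NOTICE  [dovecot] Ban 203.0.113.7
2019-11-02 13:01:31,420 fail2ban.actions        [667]: NOTICE  [dovecot] Unban 203.0.113.7
2019-11-02 13:02:02,000 fail2ban.filter         [667]: INFO    [dovecot] Found 203.0.113.7 - 2019-11-02 13:02:02
2019-11-02 13:02:20,880 fail2ban.filter         [667]: INFO    [dovecot] Found 203.0.113.7 - 2019-11-02 13:02:20
2019-11-02 13:02:20,900 fail2ban.actions        [667]: NOTICE  [dovecot] Ban 203.0.113.7
""".splitlines()

# Constructed mail.log excerpt: the client sends a bare local part as the username.
SAMPLE_MAIL = """\
Nov  2 12:01:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<constructed1>
Nov  2 12:01:29 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<constructed2>
Nov  2 12:05:00 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS, session=<constructed3>
""".splitlines()

if __name__ == "__main__":
    for address in ("203.0.113.7", "61.186.65.48"):
        print(address, explain_ban(address, SAMPLE_F2B, SAMPLE_MAIL))
```

Point the two `splitlines()` inputs at `/var/log/fail2ban.log` and `/var/log/mail.log` to run it on a real server; the usernames listed under `failed_logins` show exactly what the mail client is sending.
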
      • Phillip Katete
        4 years ago

        I must have switched off the fail2ban logs as I have nothing in there since 31st Oct. In any case, I believe this is an authentication failure – so the question is: What credentials do we apply in the Outgoing Mail Server? I have entered the same credentials for a user account I created in iRedAdmin (not the postmaster account) for both the Incoming and Outgoing servers but I suspect the latter is the one causing issues and getting my IP jailed. Thoughts?

    • Xiao Guoan (Admin)
      4 years ago

      You should use the same email address and password for incoming and outgoing email server.

      If your IP address is jailed in the iptables f2b-dovecot chain, I think you can not authenticate with Dovecot IMAP server, which is the incoming email server.

      You can check the mail log (/var/log/mail.log) to find other clues.

      • Phillip Katete
        4 years ago

        This is a chicken and egg sort of thing since I only get jailed when I ‘provide incorrect credentials’ and fail to authenticate. I think the iPhone mail client keeps retrying forever (even when it gets my IP jailed!).
        PS: like I mentioned, something turned the logging off by mistake … logs are empty since they were recycled. I tried to set permissions to all read and write to no avail … maybe I need to reboot.

    • Xiao Guoan (Admin)
      4 years ago

      You can flush the f2b-dovecot chain with the following command.

      sudo iptables -F f2b-dovecot

      So your IP address will be released from jail.

      • Phillip Katete
        4 years ago

        Yes – I have been doing that, but that does not solve the underlying issue (which is why I posted) of why I am failing authentication with dovecot when I have the correct credentials entered.

  • Hi Xiao … Greetings from Panama
    I have to develop a mail server project.
    I skip steps 1 and 2 since I have to run it locally.
    I installed only that when writing
      https: //mail.miip/iredadmin/ doesn’t show me anything.
    Thanks in advance.
    Skipping steps 1 and 2 affects me ????

    does not show me if ip the ip address

    • Xiao Guoan (Admin)
      4 years ago

      You have to use a domain name, or you won’t have an email address.

  • Christopher Gilchrist
    4 years ago

    Ok Guys this is what I did after two weeks of fighting with this Mail Server running internally at home – now stable and monitoring for a few days

    Hardware Specifications – Old Slow Computer but stable reliable and quick enough
    HP Mini Notebook 21-4000 32 Bit 2 CPUs 4GB Memory 480GB SSD
    Operating System Ubuntu Mate 18.04.3 Clean Install

    Creation of MX and SPF Records

    *.christophergilchrist.co.uk A 81.174.138.41 120 Disable IPv4 Wildcard Alias
    *.christophergilchrist.co.uk AAAA 120 Disable IPv6 Wildcard Alias
    mx.christophergilchrist.co.uk A 81.174.138.41 120
    christophergilchrist.co.uk MX mx.christophergilchrist.co.uk [Priority: 10] 90
    christophergilchrist.co.uk SPF v=spf1 mx mx:christophergilchrist.co.uk -all 120

    Internet Firewall Router Setup and Port Forwarding to internal mx machine

    IMAP port forward to mx

    Type Router Port mx Port
    TCP 143 143

    Pop3 SSL TLS
    Type Router Port mx Port
    TCP 110 110
    TCP 995 995

    SMTP SSL TLS
    Type Router Port mx Port
    TCP 25 25
    TCP 587 587

    Installation on HP Mini Notebook – clean install of Ubuntu Mate 32 BIt 18.04.03

    Pre requisites after clean install

    Edit your etc hosts file for loopback and internal network card interfaces – DO BOTH in the order shown OTHERWISE iRedmail falls over after a day and a half and messes everything up.

    sudo vi /etc/hosts

    127.0.1.1 mx.christophergilchrist.co.uk mx localhost localhost.localdomain
    192.168.1.69 mx.christophergilchrist.co.uk mx localhost localhost.localdomain

    Make sure you have all Ubuntu Default Repositories Active!
    If not it will not install clamav properly

    Install the following packages

    sudo apt update
    sudo apt upgrade
    sudo apt-get install ssh
    sudo apt-get install dkms

    Open up your internal firewall ports

    sudo ufw allow 22/tcp
    sudo ufw allow 25/tcp
    sudo ufw allow 80/tcp
    sudo ufw allow 110/tcp
    sudo ufw allow 443/tcp
    sudo ufw allow 587/tcp
    sudo ufw allow 995/tcp

    Download https://www.iredmail.org/download.html Stable Version 0.9.9

    Follow the install guide from
    https://docs.iredmail.org/install.iredmail.on.debian.ubuntu.html at this stage – Download the latest release of iRedMail

    Do it as user with sudo privileges it should install all packages cleanly and properly and complete in around 45 minutes – 1 hour

    Check the mail.log for any errors

    cd /var/log
    less mail.log

    After the iRedmail install is complete reboot the machine you should be able to goto

    https://mx.christophergilchrist.co.uk/mail
    https://mx.christophergilchrist.co.uk/iredadmin

    I also had problems with International Policy rejecting @outlook.com @gmail.com
    There are admin scripts to reset the banned top level domains and do other admin tasks.

    Have fun.

    Chris


  • Mag. Martin Heiduk
    4 years ago

    Hi, Vultr lures you into believing, that you can use their service, since they block port 25 after you have used it for a few times. Their policy states, that it CAN NOT BE USED FOR DOUBLE-OPT-IN-MAILS !!! And they refuse to unblock it!!!

    • Xiao Guoan (Admin)
      4 years ago

      Their anti-spam policy states you can not send unsolicited emails or use mailing lists to promote Vultr products.

    • Xiao Guoan (Admin)
      4 years ago

      If this happened to you, I would suggest you use Kamatera VPS instead. I just confirmed via live chat that they do not block port 25 by default, and you can send newsletters.

    • Xiao Guoan (Admin)
      4 years ago

      If you don’t like the hassle of migrating to a different VPS provider, you can set up SMTP relay to bypass port 25 blocking. SMTP relay services are designed for sending newsletters/marketing emails.

  • Jason Sackett
    4 years ago

    Xiao Guoan,
    I followed this guide and got every step working, and would LOVE to see a guide to add encryption-at-rest to the mail folders (dovecot mail-crypt-plugin easy guide?). Even a quick and dirty one covering the main path would be great.
    Thank you,
    Jason

  • Ramon Silva
    4 years ago

    Hi Xiao,

    Before (Step 9: Improving Email Deliverability), Thunderbird was able to connect, send and receive emails from other computers, but after I completed all the steps, Thunderbird was not able to connect anymore. I just see the following errors in mail.log:

    Nov 14 16:56:37 mail postfix/submission/smtpd[5210]: connect from unknown[158.116.186.2]
    Nov 14 16:56:37 mail postfix/submission/smtpd[5210]: Anonymous TLS connection established from unknown[158.116.186.2]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
    Nov 14 16:56:40 mail postfix/submission/smtpd[5210]: warning: unknown[158.116.186.2]: SASL PLAIN authentication failed:
    Nov 14 16:56:46 mail postfix/submission/smtpd[5210]: warning: unknown[158.116.186.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

    Do you think the ‘Improving Email Deliverability’ configuration is blocking Thunderbird from sending emails?

    regards,

    • Xiao Guoan (Admin)
      4 years ago

      It would not block login from mail client.

  • Tajinder
    4 years ago

    Please make a step-by-step guide to creating multiple users using a txt file on iRedMail. I will be very happy

  • Hello Xiao,

    I am actually following your tutorial on how to install mautic. So I’ve followed your link and bought the $10/month hosting with Vultr. But I am having serious challenge with this iRedmail setup on ubuntu18.04 as you directed here.

    I had first installed the iRedmail following your tutorial but when I visited mail.my-domain.com/iredmail Got “404 Not Found nginx” but when I visted my-domain/mail roundcube mail login interface showed up very well.

    After trying severally to get a solution I decided to destroy my instance and re-deployed.

    But now as I try to edit the etc/hosts file as you directed, the shell reports that no such file or directory exists. I have destroyed my instance severally and re-deployed but the same issue persists.

    Please what do you advise me to do?

    Thanks in advance for your help.

    • Please never mind, I was entering the wrong directory. That is etc instead of /etc…

      However I still want to know the reason behind the 404 Not Found nginx error.

      If you can help.

    • Xiao Guoan (Admin)
      4 years ago

      It’s mail.your-domain.com/iredadmin, not mail.your-domain.com/iredmail.

      • Thanks a million. It now works with iredadmin. But now I am stuck trying to login…

        I am attempting to login with [email protected]

        with the password I created on installation and it is not allowing me to login.

        How do I go about that?

        Please what could be wrong

    • Xiao Guoan (Admin)
      4 years ago

      If you are sure your password is correct, but can’t login, you might as well re-install the OS and iRedMail.

      • Thanks a lot. I figured out the actual issue. There was a space in my postmaster email. I put the space there at the point of installation unknowingly. So it read postmaster@ my-domain.com instead of [email protected].

        I have done the correction by re-deploying and re-installing and I am now able to login.

        Thanks for your help.

  • Hello,

    Everything is all set now for the iredmail. Including roundcube mail. I have got port 25 unlocked by vultr support team. But as I tested as you said in your tutorial step number 6, I get this error as I try to send an email to my gmail accounts.

    ‘SMTP Error (454): Authentication failed.’

    I have also tried sending emails to the newly created email accounts including [email protected] but the emails are not coming through.

    Instead I keep receiving several error emails (up to 35 now) in my postmaster account with the following message:

    Transcript of session follows.

    Out: 220 mail.dockymail.com ESMTP Postfix
    In: EHLO _
    Out: 250-mail.dockymail.com
    Out: 250-PIPELINING
    Out: 250-SIZE 15728640
    Out: 250-ETRN
    Out: 250-STARTTLS
    Out: 250-ENHANCEDSTATUSCODES
    Out: 250-8BITMIME
    Out: 250-DSN
    Out: 250 SMTPUTF8
    In: STARTTLS
    Out: 454 4.7.0 TLS not available due to local problem
    In: RSET
    Out: 530 5.7.0 Must issue a STARTTLS command first
    In: QUIT
    Out: 221 2.0.0 Bye

    For other details, see the local mail logfile

    Any advice?

  • Hello,

    I didn’t get any answer from you. So I am thinking of changing to another mail server postal mail. Can it still work well with Mautic?

    • Xiao Guoan (Admin)
      4 years ago

      I have never seen the error in your comment before. Maybe it’s because you made some careless mistake. Mautic works with any mail server. You can try Modoboa, which is less error-prone.

      • I tried installing modoboa as you recommended but the installation was throwing error.

        Because from my research on the iredmail error I submitted above, going through the mail error log file, I found out the issue was with the letsencrypt certificate.

        Now I can confirm that the iredmail error is actually from the letsencrypt certificate. Because I just made a brand new install of iredmail and I just tested with the self signed certificate and the error is not there.

        So can I go ahead with my mautic installation without the certificate since iredmail is delivering without the certificate or what do you advise?

    • Xiao Guoan (Admin)
      4 years ago

      You can use the self-signed certificate if you don’t mind the security warning.

      • Thanks.

        Chrome won’t let me do anything. So I followed vultr article on how to install the letsencrypt generally. And after the installation from their guide, My site is now secured and I can now send email receive email to and from my gmail account. I’ll now proceed with your tutorial.
        Once more thanks.

  • Hi, thanks for this great tutorial. I have a question about Letsencrypt TLS certificate.

    I thought that in Ubuntu 18.04 (certbot 0.31) there is already the cron job ready for use (/etc/cron.d/certbot). So we don’t have to create our own. Just install certbot, obtain certificate, test renewal, done.

    You mentioned it in the discussion (Xiao Guo An (Admin):…That’s why I didn’t write about certificate auto renewal…).

    And yet in this article you wrote about creating cronjob like this:

    @daily letsencrypt renew --quiet && systemctl reload postfix dovecot nginx

    Is that just for restarting daemons? Are there 2 cron jobs for the same thing? (Plus there is “letsencrypt” not “certbot”.)

    Can you please clarify: in Ubuntu 18.04 do we need to create the renewal cron job or not? If so, why?

    Thanx again.

    • Xiao Guoan (Admin)
      4 years ago

      I said “That’s why I didn’t write about certificate auto-renewal”, because there is already the cron job ready for use (/etc/cron.d/certbot).

      However, several visitors said they have problem in renewing the certificate. So later I added detailed instructions on how to renew certificate when the mail hostname has IPv6 address.

      In my opinion, it’s better to use the following cronjob than the default certbot cronjob.

      @daily letsencrypt renew --quiet && systemctl reload postfix dovecot nginx

      The letsencrypt command is simply a symlink to /usr/bin/certbot. So you can use either one.

  • Nordweb
    4 years ago

    tnx. good how to

  • Eric Chang
    4 years ago

    why backup mail server does not use iredmail ?

    • Xiao Guoan (Admin)
      4 years ago

      The backup mail server is simply an SMTP server that queues incoming email when the primary mail server is down, and forwards emails to the primary mail server when it’s back online.

      If you prefer to create an identical email server, then you will need to set up iRedMail on the second server and also sync the database and mail files between the two servers.

  • Hi,
    I’ve installed the iRedMail 1.0 and all is running ok. I can login to iredadmin panel and roundcube webmail.

    But, the next step is to make available the roundcube login using credentials stored in an Microsoft Active Directory server.

    Do you know how can I proceed to accomplish that?

  • Tamal Biswas
    4 years ago

    How can I do this setup with Apache instead of nginx?

  • Hi Xiao!

    I have running my email server full function with your tutorial! Wow! Is the first time that I finish a tutorial and all work as in the tutorial teach us!! Fantastic job!

    I have a little question. Can I host a website also? I want to put a wordpress on the same server and I don’t want break the server and start again…

    Thank You!

    • Xiao Guoan (Admin)
      4 years ago

      Yes, you can. But iRedMail comes with a LEMP stack and uses TCP sockets instead of Unix sockets for PHP-FPM. You need to make some modifications to the Nginx configuration file if you follow WordPress tutorials on the Internet.

  • I configured everything and it all went well, but when configuring mail through Laravel 6.0 it produces the following error: “tls_process_server_certificate:certificate verify failed”. Apparently the error is due to the certificate, but it is configured correctly; I generated it with Certbot

    • Frank Aguirre
      4 years ago

      Sorry, the error was mine and I have already fixed it. Thank you very much for the post

    • What modifications are needed to the Nginx configuration file in order to install wordpress?

  • Johnny Benton
    4 years ago

    I’m getting an error when I test my dkim key:

    TESTING#1 mysite.com: dkim._domainkey.mysite.com => invalid (public key: not available)

    I formatted the key without the double quotes and entered the text as a single line. Suggestions please.

    • Xiao Guoan (Admin)
      4 years ago

      Maybe your DNS record needs some time to propagate to the Internet.

    • Johnny Benton
      4 years ago

      Thanks, Xiao, testing okay now, there should not have been a space after the p=

  • Thanks for a great tutorial! Well done and easy to follow! I am 90% there with my new email server but running into an issue that seems to be preventing me from consistently sending/receiving email. I tested my email using mail tester .com and my score is 9.5 out of 10. I lost a 1/2 point due to DNS issues.

    mail test flagged my Reverse DNS

    Your reverse DNS does not match with your sending domain.
    Reverse DNS lookup or reverse DNS resolution (rDNS) is the determination of a domain name that is associated with a given IP address.
    Some companies such as AOL will reject any message sent from a server without rDNS, so you must ensure that you have one.
    You cannot associate more than one domain name with a single IP address.
    Your IP address nnn.nnn.nnn.nnn is associated with the domain xxxx-nnnnnn.scala-hosting.com.
    Nevertheless your message appears to be sent from mail..com.
    
    You may want to change your pointer (PTR type) DNS record and the host name of your server to the same value.
    
    Here are the tested values for this check:
    IP: nnn.nnn.nnn.nnn
    HELO: mail..com
    rDNS: xxxx-nnnnnn.scala-hosting.com
    

    I’m not sure how to resolve this.

    3. mail test also said I do not have a DMARC record

    You do not have a DMARC record
    A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.
    You do not have a DMARC record, please add a TXT record to your domain _dmarc..com with the following value:
    
    v=DMARC1; p=none
    Verification details:
    
    mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=.com [email protected] header.b=HbHlYYet; dkim-atps=neutral
    mail-tester.com; dmarc=none header.from=.com
    mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=.com [email protected] header.b=HbHlYYet; dkim-atps=neutral
    mail..com (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=.com
    From Domain: .com
    DKIM Domain: .com
    

    I followed the “Part 5: Creating DMARC Record to Protect Your Domain Name From Email Spoofing” tutorial but I am still getting the warning from mail test .com

    If needed I can re-post this issue in the other tutorial but thought it best to provide all the issues here as well.

    • I just noticed that a couple of the edits I did to the mail test .com messages removed my domain name rather than replacing it with a generic.

      HELO: mail..com in the reverse DNS message for example does show my domain name as do the other places where you see .com in the DMARC error message.

    • Xiao Guoan (Admin)
      4 years ago

      You need to edit the rDNS record in your Kamatera account, as described in step 9. Point the IP address to your mail server hostname.

      Maybe your DNS records didn’t propagate to the whole Internet yet, so mail-tester.com produced a false positive.

      You simply need to create the DMARC record as described in step 9. You don’t need to follow the part 5 tutorial to get DMARC working. It is for those who want to learn more about DMARC.

  • Thanks for the help! I am making good forward progress.

    1. Per your feedback I went back to step 9 and walked through it again. I made two changes
    A. I found a typo in my DKIM record and corrected it.
    B. I edited the rDNS entries at Kamatera.
    2. I reran both mailtester and mxtoolbox tests and got good results

    I am now able to send and receive email. I did, however, run into one error when walking back through the steps.

    root@mail:/etc/letsencrypt/keys# host IP-address
    Host IP-address not found: 2(SERVFAIL)
    

    Things do seem to be working so I’m not sure if this is an issue and if so how to correct it.

    Thanks
    Tom G

  • Johnny Benton
    4 years ago

    Hi Xiao,

    How do I add an SSL certificate to my website; the mail server (sub-domains) is secure?

  • Newb question but should be easy for you to answer:

    Where do I go for Step 2 (Creating DNS MX Record)?

    To the domain registrar (NameCheap)? I can’t find any option for adding an MX record under their advanced Domain menu item.

    Is it somewhere on Kamatera?

  • Thank you for such a wonderful tutorial. I followed all your Instructions and the Installation went smoothly.

    However, all emails are going to spam folder in GMAIL.

    When I check “Show Original” in gmail, it shows
    SPF: PASS
    DKIM: PASS
    DMARC: PASS.

    Also in mail-tester website I got a good score. Why are all the emails going to spam? How to fix it?

  • Thank You so much. I integrated Sendinblue and now the mails are being delivered to my Inbox.

    However, when I add a new domain, I am unable to verify it using the TXT record provided by Sendinblue. Even though I have populated the TXT records in the DNS Server for the new domain, it fails to recognize it.
    (I have included the MX record(mail.your-domain.com) in the DNS settings for the new domain)

    What could I be doing wrong?

    • I could fix it. I was configuring the TXT records in the DNS panel of the Domain Registrar which was why it was not being detected. I added the TXT record in my VPS where I have hosted the domain website and it works fine.

      Thank You so much for such an exhaustive and useful tutorial. Found it very useful

  • Ratanak
    4 years ago

    Hi!

    Thanks for a very detailed tutorial.

    I managed to install iRedMail and get it to work properly. However, I am only able to send messages, but can’t receive any messages.

    I am currently using SMTP relay suggested by your other tutorial. What am I doing wrong?

    • Xiao Guoan (Admin)
      4 years ago

      Can you tell me what’s your domain name? If you don’t like to show your domain name in public, you can reply to my email.

      • Ratanak
        4 years ago

        Thanks for your prompt reply. My domain is: mail.henghengmattress.com

        I can receive email ok if sent from the same domain.

      • Ratanak
        4 years ago

        Does it matter if my naked domain is pointed to a different public IP, and my mail.mydomain.com is pointed to another IP? Or do the two have to be pointed at the same public IP?

    • Xiao Guoan (Admin)
      4 years ago

      Your naked domain name doesn’t have an MX record. You should create MX record for henghengmattress.com, not for mail.henghengmattress.com.

      IP addresses can be different.

      • Ratanak
        4 years ago

        Thanks for your help. I changed the MX record for my naked domain, and still cannot receive any email.

    • Xiao Guoan (Admin)
      4 years ago

      You should open port 25 in your firewall. For example, with UFW, you need to run:

      sudo ufw allow 25/tcp
  • NovaWuff
    4 years ago

    Hi There!

    I am getting the same issue as Ratanak, I am unable to receive email but I can send them out just fine. Any help is greatly appreciated and I can post screenshots if they are needed via private email

    • NovaWuff
      4 years ago

      I changed a setting in the GoDaddy control panel and now it won’t connect at all…

      I will give this a break until I can get some pro advice 🙂

    • NovaWuff
      4 years ago

      Actually scrap that, I can’t access it via IP either… seems the service isn’t running or something? (total linux noob here)

      • NovaWuff
        4 years ago

        *UPDATE*
        I have reinstalled the whole thing, followed the guide step by step but I am still unable to receive email, only send.. it’s weird as everything is open and setup unless something in GoDaddy is incorrectly configured

        • NovaWuff
          4 years ago

          Using this tool resulted in an email being received: https://www.wormly.com/test-smtp-server

          however, trying to send an email from my outlook email simply won’t work

    • Xiao Guoan (Admin)
      4 years ago

      If you use Microsoft outlook email, then you should enable SMTPS service as described here: https://www.linuxbabe.com/mail-server/enable-smtps-port-465-postfix

      And if you encounter any errors, post your question under that article. You can check your mail log (/var/log/mail.log) to debug errors.

      • NovaWuff
        4 years ago

        Good afternoon,

        The issue is now sorted… turns out the MX record was wrong 🙂

        Thank you for your help anyway, keep up the good work!

        • Hi, many thanks for your manual. I installed iRedMail following your instructions, and it has worked like a charm for over a year. I opened port 465 on the iRedMail server using (https://www.linuxbabe.com/mail-server/enable-smtps-port-465-postfix) and use it to send emails from my other server, running on Windows, to my gmail account.

          I use the following settings for the vbs script running on my Windows server:

          Const ToAddress = “[email protected]
          Const SendUserName = “[email protected]
          Const SMTPPassword = “mypass”
          Const SMTPServer = “mail.myiredmailserver.com”
          Const SMTPServerPort = 465
          Const SMTPFrom = “me ”
          Const SMTPUseSSL = True

          Now I want to send updates from my other server, running on Ubuntu, to my gmail account, using the same email account on the same iRedMail server. I am struggling with this for nearly a week already. I tried ssmtp as the easiest utility to setup.

          Here is my configuration file for ssmtp (nano /etc/ssmtp/ssmtp.conf) running on my Ubuntu server:

          FromLineOverride=YES
          root=postmaster
          mailhub=mail.myiredmailserver.com:465
          hostname=myiredmailserver
          [email protected]
          AuthPass=mypass
          FromLineOverride=YES
          UseTLS=YES

          I tried playing with different settings (UseSTARTTLS=Yes, removing UseTLS=Yes, setting port to 25 and 586, etc.), but when I launch ssmtp -v [email protected] on my Ubuntu server, it typically hangs, and I see the following in /var/log/mail.log on my Ubuntu server:

          Oct 6 16:27:17 intromonitor sSMTP[4805]: Unable to connect to “mail.myiredmailserver.com” port 465

          It is obvious that it is a certificate issue, but I am quite new to certificates, and it is obvious that the vbs script on my Windows machine manages to connect to the iRedMail server without any certificate. It would be cool if you could add instructions for setting up SSMTP or another command line MTA to this page or to https://www.linuxbabe.com/mail-server/enable-smtps-port-465-postfix.

  • Gintaras
    4 years ago

    Hi! Many thanks for the tutorial, glass of beer was sent to PP :-).

    Is it possible to enable the zxcvbn (or some similar) plugin in Roundcube, to force users to use stronger email passwords? I tried to enable the zxcvbn driver, but without success. It seems that some specific settings like “$config['password_zxcvbn_min_score']” were ignored.

    • Xiao Guoan (Admin)
      4 years ago

      To enable the zxcvbn password strength driver, edit the Roundcube config.inc.php file.

      sudo chmod 600 /opt/www/roundcubemail/plugins/password/config.inc.php
      sudo nano /opt/www/roundcubemail/plugins/password/config.inc.php

      Change

      $config['password_strength_driver'] = null;

      To:

      $config['password_strength_driver'] = "zxcvbn";

      To set the minimum password strength score, change the value of $config['password_minimum_score']. The $config['password_zxcvbn_min_score'] parameter works in the vanilla Roundcube package, but it won’t work with iRedMail.

  • To check DNS propagation, there is a good alternative to dnsmap.io. That tool is
    https://dnschecker.org/
    The tool provides more than 100 public DNS servers in the regular and country/region lists, which can be used to check real-time DNS propagation results. Enter the domain, and then select DNS records as needed. Compared with any other online similar tool, this tool provides you with detailed real-time DNS propagation results on a global scale.

  • Thank you. Awesome guide. I am your new Subscriber!

  • Hello,

    After the installation, I reboot the Ubuntu server. But, my server doesn’t go online. Do you have any idea?

    Sincerely,

    Fauqi

  • Hello,

    It’s me again.

    I want to ask. How to create DKIM text for the another domain?

    Sincerely,

    Fauqi

  • Hey @Xiao
    Many thanks – excellent and very complete tutorial.
    ired set up and running in an hour or so.
    Brilliant!

  • LookMomNoHands
    3 years ago

    Thanks, this was so much easier than the previous setup I used.
    Since I’m not about to pony up for the “pro” version I got to learn MySQL while I’m at it 🙂

    I used this
    https://github.com/drlogout/iredmail-cli
    to learn how to actually manipulate the correct values, if you read the .go source code on for example forwarding.go you can learn how to add forwarding, create mail box, add domains all via MySQL in the terminal.

    I used this method to make some automatic throw away mails that I can now use on any site that requires confirming the mail address.
    Using “openssl rand -hex 3 > temp.mail” I get a random string every 15 minutes (cron job), then I edit the MySQL entry for the temp mail to that new value using “employee id” to select the mail (since the address always changes).

    That way I can sign up for random stuff, and it will automatically forward any mail I get for 15 minutes, then “delete” the mail so I don’t get spam 😀

    • Xiao Guoan (Admin)
      3 years ago

      That’s a clever trick. I simply add a new alias when subscribing to newsletters. If I found a stranger sending emails to the alias email address, I delete the alias.

  • Tito Yulianto
    3 years ago

    After searching and trying various instructions on the internet, finally found this very helpful article. This really worked! Thank you brother

  • peter G
    3 years ago

    Can I change the mail.domain.com to mail.domainnew.com without re-install? How do I add multiple domains? Do I need multiple installs or can I append the 2nd domain to hosts file?

  • Peter G
    3 years ago

    thanks! need to move from centos 6 to 7 on GoDaddy and wanted to take the opportunity to try a new email server. A great suggestion to use Kamatera VPS (virtual private server). Looked at it yesterday and even if I added another 200GB of storage it was still very reasonable. But for now, I need to stick with my existing more expensive option (just renewed 3 months ago).
    Off-topic question, ever installed on GoDaddy cloudlinux?

    • Xiao Guoan (Admin)
      3 years ago

      Cloudlinux is for hosting companies to provide shared hosting service for their customers. It’s not meant to be used on a virtual private server (VPS) by a customer.

  • Awesome tutorial! I finished the installation and everything went smoothly.

  • How do I disable mailing lists with IPv6?

    • Xiao Guoan (Admin)
      3 years ago

      Simply run the following command to disable IPv6 in Postfix.

      sudo postconf -e "inet_protocols = ipv4"

      Then restart Postfix.

      sudo systemctl restart postfix
  • You’ll need to download the clamav files to var/lib/clamav. For some reason it doesn’t do this and if you try freshclam it’ll timeout as it’s set to 30 seconds.

    wget http://database.clamav.net/main.cvd
    wget http://database.clamav.net/daily.cvd
    wget http://database.clamav.net/bytecode.cvd

    • Xiao Guoan,

      just a quick question, I am using the amavis-new test to test my DKIM, but it failed with the following error?

      TESTING#1 tester.com: dkim._domainkey.tester.com => invalid (public key: OpenSSL error: bad base64 decode)

      I am using both 1024 and 2048 keys; both failed. When I googled the same error, it said this:

      DKIM-Patch – public key: OpenSSL error: bad base64 decode

      The used dns-server must a TXT-record with a length > 255 chars if you use a key-strength > 1024 bit. Otherwise amavis reports during the key-checks
      public key: OpenSSL error: bad base64 decode.

      If you run your own dns (bind) with ISPConfig just adjust the database dbispconfig on your dns-server, too:
      ALTER TABLE `dns_rr` CHANGE `data` `data` TEXT NOT NULL DEFAULT '';

      Does that mean I need to change DB tables?

      Thanks a lot.
      Cheers
      Jonny

    • Xiao Guoan (Admin)
      3 years ago

      If your DNS zone is hosted on an ISPconfig server, then you need to change the db tables.

      • Hi Xiao Guoan,

        Thanks for your response. I have already solved the problem. I am using Namecheap for DNS records. Apparently their text record doesn’t support 2048 bit length DKIM, so I downgraded to 1024 bit length DKIM, which is working fine. In your script, if you don’t specify 1024 at the end, the default is 2048. So please let people know this as well, in case they face the same issue. Thanks
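The 255-character limit in this thread applies to a single TXT character-string, not to the whole record: a 2048-bit key fits when the DNS host lets you publish it as several quoted strings, which verifiers concatenate. The following Python sketch is an added example, not part of the comments above; the key is a constructed placeholder of realistic size, and all function names are illustrative.

```python
from __future__ import annotations

import base64
import re

MAX_TXT_STRING = 255  # one DNS TXT character-string holds at most 255 bytes (RFC 1035)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER element with a short or long form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def constructed_record(bits: int) -> str:
    """Build a DKIM record around a placeholder key of realistic size (not a real key)."""
    modulus = b"\x81" + bytes((i * 37 + 11) % 256 for i in range(bits // 8 - 1))
    rsa_key = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")


def split_txt(value: str) -> list[str]:
    """Cut a long TXT value into character-strings of at most 255 bytes."""
    return [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]


def to_zone_rdata(value: str) -> str:
    """Render the value as BIND-style RDATA: ( "chunk1" "chunk2" )."""
    return "( " + " ".join(f'"{chunk}"' for chunk in split_txt(value)) + " )"


def join_txt(rdata: str) -> str:
    """What a verifier does: concatenate the quoted strings with nothing in between."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def der_is_complete(der: bytes) -> bool:
    """True when the outer DER SEQUENCE length matches the bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length


def check_dkim_key(record: str) -> tuple[bool, str]:
    """Return (ok, reason) for the p= tag of a DKIM key record."""
    tags = {}
    for part in record.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # whitespace inside p= is allowed
    p = tags.get("p", "")
    if not p:
        return False, "no p= tag or empty key"
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        return False, f"bad base64 decode: {exc}"
    if not der_is_complete(der):
        return False, "key decodes but is truncated"
    return True, f"{len(der)}-byte public key structure"


if __name__ == "__main__":
    for bits in (1024, 2048):
        record = constructed_record(bits)
        print(bits, "bit record:", len(record), "chars,", len(split_txt(record)), "string(s)")
    full = constructed_record(2048)
    print("split and rejoined:", check_dkim_key(join_txt(to_zone_rdata(full))))
    print("cut at 255 chars:  ", check_dkim_key(full[:255]))
```

A record cut off at 255 characters reproduces the same class of failure amavisd reported, while the split form passes the check once rejoined.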

  • Hello,
    Would anyone be so kind to help me… I’ve a little problem in my mail log file. I can’t see the source IPs of the clients, the logs seems like that:

    postfix/smtps/smtpd[336526]: disconnect from _gateway[10.36.28.1] ehlo=1 auth=0/1 commands=1/2
    postfix/smtps/smtpd[337004]: lost connection after AUTH from _gateway[10.36.28.1]

    But why!? I didn’t set this hostname anywhere… where is the problem, any idea?

    Thanks a lot!

    Sincerely,
    ZoLee

    • Xiao Guoan (Admin)
      3 years ago

      10.36.28.1 is a private IP address. It seems you put your mail server behind a mail gateway. And Postfix can only see the IP address of the gateway.

  • Hello my brother, how are you? Thank you very much for the work you do to help us install and configure our mail servers. Brother, I took your iRedMail server installation course and installed it fine, but I have a problem after the install. When I test sending to my Yahoo address I receive it in the inbox, but when I want to send more than 5 mails I no longer receive the messages…
    However, I have a 2G VPS. Do you have an explanation that might help me? Thank you in advance.

    • Xiao Guoan (Admin)
      3 years ago

      Don’t send spam. Yahoo Mail has a mechanism that detects if the recipient marks your emails as spam. If marked as spam, the rest of the bulk email will be temporarily deferred.

      If you have a low spam rate ( less than 1%) with Yahoo users, Yahoo will accept the rest of the bulk email.
      If you have a high spam rate, Yahoo will defer the rest of the bulk email.

      If you have a Yahoo mail account, and the email sent from your own domain is put into spam folder, you can click the Not Spam link to report it as not spam. Future emails are more likely to land in the inbox. This works for me.

  • Hello, can you give us a full tutorial on PowerMTA? Also, I tried sending to Gmail and it’s talking about IPv6, which I did set up, but I still get the same error.

  • Kingsley
    3 years ago

    Hi Xiao, thanks for the detailed article, is there any api, I can call to send mail from my app through the mail server. Also, how can I configure iredmail to use postgres db in another server thanks

    • Xiao Guoan (Admin)
      3 years ago

      To send emails from your app, you just need to create an email account in iRedMail, then use SMTP authentication on port 587.

      Normally, you need to enter the following information in your app.

      hostname of the mail server
      port number: 587
      Encryption: TLS
      Authentication: yes
      username 
      password
      
  • Shalabh
    3 years ago

    Hi Xiao,

    Thank you for this excellent tutorial.

    I have Ubuntu 18.04 LTS running Odoo ERP. NGINX is not installed. I am concerned if I install iRedmail now, will my odoo installation be affected. I mean will it continue working from https://mydomain.com?

    • Xiao Guoan (Admin)
      3 years ago

      iRedMail is designed to be installed on a clean fresh OS.

      Generally, if there’s a script that will install and configure lots of software, the best practice is to use a clean OS, to avoid borking your existing software applications. Unless you are very knowledgeable about every piece of software and can spend lots of time debugging, I don’t recommend installing iRedMail on your existing Odoo ERP server.

  • Hello, i have one question, can i use Iredmail with apache? There is a solution? Thanks

    • Xiao Guoan (Admin)
      3 years ago

      iRedMail originally supports Apache, but dropped support for Apache in version 0.9.8. So the developer doesn’t want to support Apache, and as a system administrator, I don’t want to do something the developer refuses to do.

    • Shalabh
      3 years ago

      Thank you for the advice Xiao. Appreciate it.

  • Hi Xiao,

    Thanks for your excellent tutorial!

    Do you have any idea of how to run the ‘doveadm’ command on the freshly installed iRedMail setup? I kept getting the following error:

    ben@u18iredmail:/var/vmail$ sudo doveadm search ALL
    doveadm(root): Error: User initialization failed: Namespace '': mkdir(/home/ben/Maildir) failed: Permission denied (euid=2000(vmail) egid=2000(vmail) missing +w perm: /home/ben, dir owned by 1000:1000 mode=0755)
    doveadm(root): Error: User init failed
    

    I’d like to try out doveadm so as to be able to manually manipulate the mail as root/admin.

    • Xiao Guoan (Admin)
      3 years ago

      iRedMail creates virtual users in the database. If you use the ALL keyword, then the command will be performed for all users, including users with a lower UID than the one configured with the first_valid_uid setting, which means the system users.

      Instead, use this command to search for all users in your domain.

      sudo doveadm search -u *@yourdomain.com search_query
  • Thank you Xiao! I’ve figured it out.

    If doveadm is executed without the ‘-u’ or the ‘-A’ argument, it will perform the query for the current logged in user on the terminal, which is not a valid user in the db.

  • babeimalreadyonlinux
    3 years ago

    I’d recommend disabling mlmmj for now if you do not need mailing list.
    ##for Linux system that use systemctl:
    systemctl stop mlmmj
    systemctl disable mlmmj
    ############run as root ###########

    source:
    https://github.com/iredmail/mlmmjadmin/issues/14
    I had to shut down my server for a day, on November 10 2020 at 16:54, my mail server turned to a spam server.
    Turns out the mlmmj user or “mailing list” user can just spam as many mail as they want.

  • lookmomnohand
    3 years ago

    Hey again, really big thanks for your tutorial(s) they are flawless to follow through, and has saved me a couple of times when I forgot some things…
    Pro tip instead of:
    sudo certbot certonly --webroot --agree-tos --email [email protected] -d mail.domain.com -w /var/www/html/

    You should use:
    sudo certbot certonly --webroot --agree-tos --email [email protected] -d domain.com -d www.domain.com -w /var/www/html/

    In your tutorial you use mail.domain.com so normally that wouldn’t be resolved to www.mail.domain.com, but if you don’t want to use mail.domain.com and instead just use a single top domain you’ll end up with a SSL_ERROR_BAD_CERT_DOMAIN where “this certificate is not valid for www.domain.com it is only valid for domain.com” and you’ll look like a complete idiot when you’re trying to show it off 🙂
    That’s one thing I forgot about last time I set up the server (4 months ago)
    If you don’t include the subdomain, top domain and www. the certificate might show up as bad on some browsers/OS

    This happened two days ago, for some reason all my devices resolved my domain as just domain.com even if I linked https://domain.com, but for some reason on some devices this resolves to www.domain.com and I got the error.
    it was reported by somebody else and I just said “probably outdated browser, try on opera” and it worked… now I feel stupid for not seeing the obvious message that was in the image they sent me 🙂

    Good tutorial, I just thought I’d share my “issue” here in case somebody searches for the problem and lands back here

    ps: before you burn me at the stake for using the root user…. I REGRET NOTHING!
    also using sudo is redundant when logged in as root, but it’s faster to copy paste than to write it down especially as root 😎🤙

    • Xiao Guoan (Admin)
      3 years ago

      I’m pretty sure I said it’s highly recommended you install iRedMail on a clean fresh server.

      The mail.example.com certificate is just for the mail.example.com virtual host. If you have example.com and www.example.com virtual host, you can always obtain a separate certificate for www.example.com and example.com.

      I’m not sure what you mean by the following sentence. Why would someone want to redirect mail.domain.com to www.mail.domain.com?

      In your tutorial you use mail.domain.com so normally that wouldn’t be resolved to www.mail.domain.com
  • Hi Xiao, I’ve followed some of your tuts and they are awesome, thank you for that.

    Got a question for you. I’ve already my server configured (LEMP Stack) but I would like to configure this iRedMail email server in it.

    Do you have any tips what to do differently from this tutorial?

    Thank you!

    • Xiao Guoan (Admin)
      3 years ago

      I would recommend purging your LEMP stack and then install iRedMail.

  • Murtuza Husain
    3 years ago

    these are so many concepts on 1 single blog!

    Really appreciate your efforts in putting this together!

  • Sachin Sagar Rai
    3 years ago

    Thanks for the great article and the setup process which I did on Ubuntu 18.04
    All went fine except the allocating of the swap space.
    The command `fallocate` above doesn’t work for the SSD drives. It would be better and don’t mind to ease it even more with what i did to achieve.

    ```
    sudo dd if=/dev/zero of=/swapfile count=4096 bs=1M
    sudo chmod 600 /swapfile
    sudo mkswap /swapfile
    sudo swapon /swapfile
    ```
    Thanks a lot.

  • Dan Ran
    3 years ago

    Thanks for the great tutorial. Is it possible to build a LEMP webserver on the same box as my iRedMail email server? Or must I have two boxes? If it isn’t possible, then is it possible if I follow one of your other tutorials for manually installing a postfix/dovecot email server on a box that also serves websites?

  • Hi,

    I really like your tutorial and it works as intended, only I have 1 problem. When I access the webpage I would like to do that on subdomain.domain and this works. The problem is that I can also access it on the root domain. I have looked in sites-enabled and the server address is right. So what happens is I type example.com and it redirects me to example.com/mail. (This is the page where you can access your mail) So what could cause this problem?

  • Neville Aga
    3 years ago

    Great tutorial!

  • Segun Oloye
    3 years ago

    I am really stressed out with setting up a mail server. After setting them up they won’t send mail. Very frustrating.

    However, I thank God I saw this.

    Please I will also like to install a control panel on the Ubuntu server. How can I do that please?

  • Thanks for the great tutorial! I have a working email server on VPS 🙂

  • Anderson Koh
    3 years ago

    Hi Xiao Guoan,

    Great article, however. I do not know what settings I have done since a few days ago I cannot receive any mail from outside but instead, I can send it to everyone.

    My problem seems like IMRON HS however my mail.log shows different:

    Jul  5 21:48:20 webmin dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=21759, secured, session=
    Jul  5 21:48:20 webmin dovecot: imap(anderson.koh-asign.com.my): Logged out in=90 out=898
    Jul  5 21:48:36 webmin postfix/smtpd[21800]: warning: /etc/postfix/main.cf, line 75: overriding earlier entry: milter_protocol=2
    Jul  5 21:48:36 webmin postfix/proxymap[21801]: warning: /etc/postfix/main.cf, line 75: overriding earlier entry: milter_protocol=2
    Jul  5 21:48:36 webmin postfix/tlsmgr[21802]: warning: /etc/postfix/main.cf, line 75: overriding earlier entry: milter_protocol=2
    Jul  5 21:48:36 webmin postfix/smtpd[21800]: connect from mail-wr1-f49.google.com[209.85.221.49]
    Jul  5 21:48:36 webmin postfix/anvil[21803]: warning: /etc/postfix/main.cf, line 75: overriding earlier entry: milter_protocol=2
    Jul  5 21:48:36 webmin postfix/smtpd[21800]: warning: connect to Milter service inet:localhost:8892: Network is unreachable
    Jul  5 21:48:38 webmin postfix/trivial-rewrite[21804]: warning: /etc/postfix/main.cf, line 75: overriding earlier entry: milter_protocol=2
    Jul  5 21:48:38 webmin postfix/smtpd[21800]: warning: connect to 127.0.0.1:10023: Connection refused
    Jul  5 21:48:38 webmin postfix/smtpd[21800]: warning: problem talking to server 127.0.0.1:10023: Connection refused
    Jul  5 21:48:39 webmin postfix/smtpd[21800]: warning: connect to 127.0.0.1:10023: Connection refused
    Jul  5 21:48:39 webmin postfix/smtpd[21800]: warning: problem talking to server 127.0.0.1:10023: Connection refused
    Jul  5 21:48:39 webmin postfix/smtpd[21800]: NOQUEUE: reject: RCPT from mail-wr1-f49.google.com[209.85.221.49]: 451 4.3.5 : Recipient address rejected: Server configuration problem; from= to= proto=ESMTP helo=
    Jul  5 21:48:39 webmin postfix/smtpd[21800]: disconnect from mail-wr1-f49.google.com[209.85.221.49] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
    
    • Xiao Guoan (Admin)
      3 years ago

      Looks like you added extra configurations to your /etc/postfix/main.cf file.

      You may have duplicate milter configs in the file.

      milter_default_action = accept
      milter_protocol = 6
      smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8892
      non_smtpd_milters = $smtpd_milters
      

      And check if you have the following line in this file.

      check_policy_service inet:127.0.0.1:10023

      Remove it.

      Then restart Postfix

      sudo systemctl restart postfix

      Please don’t add extra configs from the Internet if you don’t really understand what you are doing.
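The diagnosis above comes from reading the smtpd warnings that precede the `451 4.3.5 ... Server configuration problem` rejection. The following Python sketch is an added example, not code from the article or the commenters: it pairs each rejected RCPT with the warnings logged by the same smtpd process. The log lines are constructed to resemble the ones posted, using documentation hostnames and addresses.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample modelled on the log above (documentation names and addresses).
SAMPLE_LOG = """\
Jul  5 21:48:36 mx postfix/smtpd[21800]: warning: /etc/postfix/main.cf, line 75: overriding earlier entry: milter_protocol=2
Jul  5 21:48:36 mx postfix/smtpd[21800]: connect from mail.sender.example[192.0.2.25]
Jul  5 21:48:36 mx postfix/smtpd[21800]: warning: connect to Milter service inet:localhost:8892: Network is unreachable
Jul  5 21:48:38 mx postfix/smtpd[21800]: warning: connect to 127.0.0.1:10023: Connection refused
Jul  5 21:48:38 mx postfix/smtpd[21800]: warning: problem talking to server 127.0.0.1:10023: Connection refused
Jul  5 21:48:39 mx postfix/smtpd[21800]: NOQUEUE: reject: RCPT from mail.sender.example[192.0.2.25]: 451 4.3.5 <bob@example.com>: Recipient address rejected: Server configuration problem; from=<alice@sender.example> to=<bob@example.com> proto=ESMTP helo=<mail.sender.example>
Jul  5 21:48:39 mx postfix/smtpd[21800]: disconnect from mail.sender.example[192.0.2.25] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
Jul  5 21:50:02 mx postfix/smtpd[21911]: connect from unknown[198.51.100.7]
Jul  5 21:50:03 mx postfix/smtpd[21911]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <x@other.example>: Relay access denied; from=<y@other.example> to=<x@other.example> proto=ESMTP helo=<probe>
"""

# Syslog prefix for smtpd, including postfix/smtps/smtpd and postfix/submission/smtpd.
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix/(?:\w+/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REJECT = re.compile(
    r"^NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r".*?: (?P<reason>[^;]+);"
)
# Warning patterns seen in the thread, each mapped to a human-readable cause.
CAUSES = [
    (re.compile(r"connect to Milter service (\S+): (.+)"), "milter {0} unreachable ({1})"),
    (re.compile(r"connect to (\d+\.\d+\.\d+\.\d+:\d+): (.+)"), "policy service {0} unavailable ({1})"),
    (re.compile(r"line (\d+): overriding earlier entry: (\S+)"), "duplicate main.cf entry {1} (line {0})"),
]


def triage(lines) -> list[dict]:
    """Return one finding per rejected RCPT, with warnings from the same smtpd process."""
    pending = defaultdict(list)  # smtpd pid -> causes logged since the last disconnect
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("warning: "):
            for pattern, template in CAUSES:
                hit = pattern.search(msg)
                if hit:
                    cause = template.format(*hit.groups())
                    if cause not in pending[pid]:
                        pending[pid].append(cause)
                    break
        elif msg.startswith("disconnect from "):
            pending.pop(pid, None)  # the process is reused for the next client
        else:
            r = REJECT.match(msg)
            if r:
                findings.append({
                    "client": r["client"],
                    "code": r["code"],
                    "temporary": r["code"].startswith("4"),  # 4xx: the sender retries later
                    "reason": r["reason"].strip(),
                    "causes": list(pending[pid]),
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        kind = "deferred" if f["temporary"] else "refused"
        print(f"{f['client']} {kind} with {f['code']}: {f['reason']}")
        for cause in f["causes"]:
            print("    caused by:", cause)
```

A 4xx rejection with local causes attached points at the server's own configuration; a 5xx with no causes, like the relay attempt in the sample, is Postfix doing its job.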

      • Anderson Koh
        3 years ago

        Hi Xiao Guoan,

        Thanks, it does solve the problem!

        Also, can I get some tips for changing mailname?

        I won’t be able to receive my mail after I change my mailname in /etc/mailname same as FQDN.

        However, I check my /var/log/mail.log results to send to my old mailname address before sending it to its origin.

        Can I get some tips for this?

        • Anderson Koh
          3 years ago

          P.S:

          I’m wondering where to change the incoming address before it hits the origin.

  • Hi Xiao,
    I followed your tutorial and love it. I have a problem though. My email server won’t receive emails. It has worked but not now and I’m not sure why. I have set up the DKIM from your tutorial and set UFW properly as well allowing all necessary ports. I have also stopped greylisting. I can send emails just fine but not receive them. Any ideas on what I should look at?

    • Xiao Guoan (Admin)
      3 years ago

      Read the “troubleshooting tips” section.

      • Hi and thanks for your reply. Already been through the troubleshooting tips, as well as previous questions posted here and have no luck. Anything else you may suggest?

    • Xiao Guoan (Admin)
      3 years ago

      Paid support is available.

    • Xiao Guoan (Admin)
      3 years ago

      What’s your domain name?

      • mail is mail.nerdcomputers.com.au. MX record is set up to point to mail.nerdcomputers.com.au. Mail tester reports there is no MX which there clearly is, and it has been propagated. below is a screenshot of my DNS. I will send a donation tomorrow when I get paid.

    • Xiao Guoan (Admin)
      3 years ago

      Your MX record isn’t propagated. Check on dnsmap.io.

    • Xiao Guoan (Admin)
      3 years ago

      You should create MX record for your main domain name (nerdcomputers.com.au), not for the sub-domain.

      The main domain nerdcomputers.com.au should have a MX record which tells the Internet that you are using mail.nerdcomputers.com.au as the mail server.

      • I need it to go to 103.195.6.106 as that’s where the mail server is. a website at nerdcomputers.com.au will follow from a different server with a different IP. I just removed the MX mail.nerdcomputers.com.au to mail.nerdcomputers.com.au and only have it now pointing at the A record for mail.nerdcomp…

        • Thank you so much!!! Always the simplest of mistakes! Everything is working perfectly now. Your tutorials are the best!

    • Xiao Guoan (Admin)
      3 years ago

      You have MX record in the wrong order. Swap the hostname and value field.
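Several threads above end with the same fix: the MX record belongs on the domain after the @, not on the mail host. The following Python model is an added example, not part of the comments: it shows how a sending server picks its target, including the fallback to the domain's own A record when no MX exists (RFC 5321 section 5.1). The zone data is constructed with documentation names and addresses, and the function names are illustrative.

```python
from __future__ import annotations

# Constructed zone data. Keys are (owner name, record type);
# MX values are (preference, target host).
BROKEN_ZONE = {
    ("example.com", "A"): ["203.0.113.10"],                  # web server
    ("mail.example.com", "A"): ["203.0.113.25"],             # mail server
    ("mail.example.com", "MX"): [(10, "mail.example.com")],  # MX on the wrong owner
}
FIXED_ZONE = {
    ("example.com", "A"): ["203.0.113.10"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("example.com", "MX"): [(10, "mail.example.com")],       # MX on the domain after the @
}


def delivery_targets(zone: dict, address: str) -> tuple[list[tuple[str, str]], bool]:
    """Return ([(host, ip), ...], used_implicit_mx) the way a sending MTA resolves it."""
    domain = address.rsplit("@", 1)[1].lower()
    mx = sorted(zone.get((domain, "MX"), []))  # lowest preference is tried first
    if mx:
        hosts, implicit = [target for _pref, target in mx], False
    else:
        # No MX at all: the domain itself is treated as the mail host.
        hosts, implicit = [domain], True
    return [(h, ip) for h in hosts for ip in zone.get((h, "A"), [])], implicit


def diagnose(zone: dict, address: str) -> list[str]:
    """Explain why inbound mail for `address` may never reach the mail server."""
    domain = address.rsplit("@", 1)[1].lower()
    targets, implicit = delivery_targets(zone, address)
    notes = []
    if implicit:
        notes.append(f"{domain} has no MX record; senders fall back to its A record")
        for owner, rtype in zone:
            if rtype == "MX" and owner.endswith("." + domain):
                notes.append(f"MX record found on {owner}; it only applies to user@{owner}")
    if not targets:
        notes.append("no address to deliver to; senders will defer or bounce")
    return notes


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        targets, _ = delivery_targets(zone, "user@example.com")
        print(label, "->", targets)
        for note in diagnose(zone, "user@example.com"):
            print("   ", note)
```

With the broken zone, outside senders connect to the web server's address on port 25, which is why mail from the same domain still arrives while mail from outside does not.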

  • Roberto Torres
    3 years ago

    LEMP stack – on VPS server before iredMail. I have two sites installed on server (LEMP stack). Both sites were running ok. Now Installing iredMail came up to following output on terminal and stopped for a while :

    Created syslink /etc/systemd/system/multi-user.target.wants/mariadb.service -> /lib/systemd/system/mariadb.service

    Then occurred time out for Mariadb service, then stopped for several minutes at

     [INFO] Configure mariaDB database server. 

    Both web sites are down since several minutes. Please help

    • Xiao Guoan (Admin)
      3 years ago

      A big yellow box warning message at the beginning of this article:

      "It is highly recommended that you follow the instructions below on a clean install of Ubuntu system."

      Restore your VPS using the snapshot of your hosting provider. Then install iRedMail on a clean fresh server.

  • Stephen Hawkins
    2 years ago

    This install has served me well as I make preparations. But I have a small issue with netdata upgrade

    Is it possible to uninstall and reinstall just netdata? If so what are the commands. Much appreciated. Thanks.

  • Stephen Hawkins
    2 years ago

    I actually just fixed this, but thanks!

  • Jim Byrne
    1 year ago

    Hello Xiao,

    The only trouble I am having is creating the swap space using the fallocate command. When I enter the command as written, I get the message: “fallocate: fallocate failed: Text file busy”

    Do you have any instructions for fixing this? Thanks.

  • Yael Clark
    1 year ago

    Hey Xiao, I am trying to connect the SMTP in mailwizz EMS, using mail.income4youonline.com as hostname, the username, and the password of one of the users we created in iredmail panel, port 587 and tried all the protocols (tls,ssl,starttls). The mailwizz is unable to connect with the smtp server. Please can you advise me, on how to escalate it?

  • Daniel
    1 year ago

    I am having an issue with installing iRedMail next to nextcloud+collabora
    I followed your tutorial for installing nextcloud+collabora exactly and did so for the iRedMail as well, but after restarting I am getting 502 error on nextcloud website

  • Zakirul Karim
    12 months ago

    I can receive mail from Google but cannot send mail. Please help me, how do I solve this?

  • Hi, will this all work using Ubuntu 23.04?

    Thanks

  • I have an issue: my RAM resources always increase every day and never decrease. Why?
    Usually RAM activity goes up and down.

  • https://www.postfix.org/smtp-smuggling.html it should be mentioned and how to quickfix it for now.
