How to Easily Set Up a Full-Featured Mail Server on Ubuntu 18.04 with iRedMail

Setting up your own email server on Linux from scratch is a pain in the butt, if you are not an advanced user. This tutorial will be showing you how to use iRedMail to quickly set up a full-featured mail server on Ubuntu 18.04, saving you lots of time and headaches.

What is iRedMail?

iRedMail is a shell script that automatically install and configure all necessary mail server components on your Linux/BSD server, thus eliminating manual installation and configuration. With iRedMail, you can easily create as many mailboxes as you want in a web-based admin panel. Mailboxes can be stored in MariaDB/MySQL, PostreSQL database or OpenLDAP. Open-source software used in iRedMail are as follows:

  • Postfix SMTP server
  • Dovecot IMAP server
  • Nginx web server
  • OpenLDAP, ldapd
  • MySQL/MariaDB, PostgreSQL
  • Amavised-new
  • SpamAssassin
  • ClamAV
  • Roundcube webmail
  • SOGo Groupware
  • Fail2ban
  • mlmmj mailing list manager
  • Netdata server monitoring
  • iRedAPD Postfix policy server for greylisting

Prerequisites

To set up a complete email server with iRedMail, you need a server with at least 2GB RAM, because after the installation, your server will use more than 1GB of RAM. This tutorial is done on a $10/month Linode VPS (virtual private server). Once you have a VPS, install Ubuntu on it and follow the instructions below. You also need a domain name. I registered my domain name from NameCheap because the price is low and they give whois privacy protection free for life.

It is recommended that you follow the instructions below on a clean install of Ubuntu 18.04 system.

Also, make sure your server IP address isn’t listed in any email blacklist. You can go to mxtoolbox.com and dnsbl.info to check your server IP address. If it’s in a blacklist, you can delete your VPS instance in Linode and create a new one. As Linode uses an hourly billing model, you won’t be charged by month, but by how many hours you used, which makes it convenient to delete a VPS instance at any time.

Step 1: Creating DNS MX Record

The MX record specifies which host or hosts handle emails for a particular domain name. For example, the host that handles emails for linuxbabe.com is mail.linuxbabe.com. If someone with a Gmail account sends an email to [email protected], then Gmail server will query the MX record of linuxbabe.com. When it finds out that mail.linuxbabe.com is responsible for accepting email, it then query the A record of mail.linuxbabe.com to get the IP address, thus the email can be delivered.

In your DNS manager, create a MX record for your domain name. Enter @ in the Name field to represent the main domain name, then enter mail.your-domain.com in the Value field.

modoboa web interface

Note: The hostname for MX record can not be an alias to another name. Also, It’s highly recommended that you use hostnames, rather than bare IP addresses for MX record.

Your DNS manager may require you to enter a preference value (aka priority value). It can be any number between 0 and 65,356. A small number has higher priority than a big number. You can enter 0 for your email server, or accept the default value. After creating MX record, you also need to create an A record for mail.your-domain.com , so that it can be resolved to an IP address. If your server uses IPv6 address, be sure to add AAAA record.

Step 2: Configuring Hostname

SSH into your server, then update software packages.

sudo apt update

sudo apt upgrade

Then set a fully qualified domain name (FQDN) for your server with the following command.

sudo hostnamectl set-hostname mail.your-domain.com

We also need to update /etc/hosts file.

sudo nano /etc/hosts

Edit it like below:

127.0.0.1       mail.your-domain.com localhost

Save and close the file. To see the changes, re-login and then run the following command to see your hostname.

hostname -f

Step 3: Setting up Mail Server on Ubuntu 18.04 with iRedMail

Run the following command download the iRedMail Bash installer with wget. At the time of this writing, the latest version of iRedMail is 0.9.8, released on April 3, 2018. Please go to iRedMail download page (http://www.iredmail.org/download.html)  to check out the latest version.

wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.8.tar.bz2

Extract the tarball.

tar xvf iRedMail-0.9.8.tar.bz2

Then cd into the newly created directory.

cd iRedMail-0.9.8/

Add executable permission to the iRedMail.sh script.

chmod +x iRedMail.sh

Next, run the Bash script with sudo privilege.

sudo bash iRedMail.sh

The ncurse-based setup wizard will appear. Select Yes and press Enter.

ubuntu 18.04 iredmail

The next screen will ask you to select the mail storage path. You can use the default one /var/vmail, so simply press Enter.

iredmail default storage path

Then choose whether you want to run a web server. It’s highly recommended that you choose to run a web server because you need the web-based admin penal to add email accounts. Also it allows you to access the Roundcube webmail. By default, Nginx web server is selected, so you can simply press Enter.  (An asterisk indicates the item is selected.)

iredmail nginx web server

Then select the storage backend. Choose one that you are familiar with. This tutorial chose MariaDB. Press up and down arrow key and press the space bar to select.

ubuntu 18.04 email server

If you selected MariaDB or MySQL, then you will need to set the MySQL root password.

ubuntu 18.04 mail server

Note that if you selected MariaDB, then you don’t need password to log into MariaDB shell. Instead of running the normal command mysql -u root -p, you can run the following command to login, with sudo and without providing MariaDB root password.

sudo mysql -u root

This is because the MariaDB package on Ubuntu 18.04 uses unix_socket authentication plugin, which allows users to use OS credentials to connect to MariaDB, but you still need to set root password in iRedMail setup wizard.

Next, enter your first mail domain. You can add additional mail domains later in the web-based admin panel. This tutorial assumes that you want an email account like [email protected], in that case, you need to enter your-domain.com here, without sub-domain. Do not press the space bar after your domain name. I think iRedMail will copy the space character along with your domain name, which can result in installation failure.

set up mail server on ubuntu 18.04

Next, set a password for the mail domain administrator.

ubuntu 18.04 email server step by step

Choose optional components. By default, 4 items are selected. If you like to have SOGo groupware, then select it and press Enter.

iredmail component

Now you can review your configurations. Type Y to begin the installation of all mail server components.

iredmail review

At the end of installation, choose y to use firewall rules provided by iRedMail and restart firewall.

iredmail firewall rules fail2ban

Now iRedMail installation is complete. You will be notified the URL of webmail, SOGo groupware and web admin panel and the login credentials. The iRedMail.tips file contains important information about your iRedMail server.

iredmail full featured mail server

Reboot your Ubuntu 18.04 server.

sudo shutdown -r now

Once your server is back online, you can visit the web admin panel.

https://mail.your-domain.com/iredadmin/

Because it’s using a self-signed TLS certificate, you need to add security exception.

Step 4: Installing Let’s Encrypt TLS Certificate

Since the mail server is using a self-signed TLS certificate, both desktop mail client users and webmail client users will see a warning. To fix this, we can obtain and install a free Let’s Encrypt TLS certificate.

Obtaining the Certificate

First, install Let’s Encrypt (certbot) client on Ubuntu 18.04

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt install certbot

iRedMail has already configured TLS settings in the default Nginx virtual host, so here I recommend using the webroot plugin, instead of nginx plugin, to obtain certificate. Run the following command. Replace red text with your actual data.

sudo certbot certonly --webroot --agree-tos --email your-email-address -d mail.your-domain.com -w /var/www/html/

When it asks you if you want to receive communications from EFF, you can choose No.

iredmail letsencrypt

If everything went well, you will see the following text indicating that you have successfully obtained a TLS certificate. Your certificate and chain have been saved at /etc/letsencrypt/live/mail.your-domain.com/ directory.

iredmail certbot

Installing the Certificate in Nginx

After obtaining a TLS certificate, let’s configure Nginx web server to use it. Edit the SSL template file.

sudo nano /etc/nginx/templates/ssl.tmpl

Find the following 2 lines.

ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

Replace them with:

ssl_certificate /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.your-domain.com/privkey.pem;

Save and close the file. Then test nginx configuration and reload.

sudo nginx -t

sudo systemctl reload nginx

Visit iRedMail admin panel again, your web browser won’t warn you any more because Nginx is now using a valid TLS certificate.

iredadmin

Installing TLS Certificate in Postfix and Dovecot

We also need to configure Postfix SMTP server and Dovecot IMAP server to use the Let’s Encrypt issued certificate so that desktop mail client won’t display security warning. Edit the main configuration file of Postfix.

sudo nano /etc/postfix/main.cf

Find the following 3 lines. (line 95, 96, 97).

smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

Replace them with:

smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.your-domain.com/chain.pem

Save and close the file. Then reload Postfix.

sudo systemctl reload postfix

Next, edit the main configuration file of Dovecot.

sudo nano /etc/dovecot/dovecot.conf

Fine the following 2 lines. (line 47, 48)

ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key

Replace them with:

ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem

Save and close the file. Then reload dovecot.

sudo systemctl reload dovecot

From now on, desktop mail users won’t see security warnings.

Step 5: Sending Test Email

Log into iredadmin panel with the postmaster mail account. In the Add tab, you can add additional domains or email addresses.

add email addresses in iredadmin

If you see “no domain under control” error, please refer to this article.

After you create a user, you can visit the Roundcube webmail address and login with the new mail user account.

https://mail.your-domain.com/mail/

roundcube webmail

Now you can test email sending and receiving. Please note that you may need to wait for a few minutes to receive emails because greylisting is enabled by default.

Note: If your hosting provider or ISP blocks port 25, ask them to open it for you. If they refuse to open it, then you can’t send emails directly. You need to set up SMTP relay to solve this problem. The following message in /var/log/mail.log indicates port 25 is blocked.

Nov 3 10:43:43 mail postfix/smtp[9969]: connect to gmail-smtp-in.l.google.com[74.125.200.27]:25: Connection timed out
Nov 3 10:44:13 mail postfix/smtp[9969]: connect to gmail-smtp-in.l.google.com[2404:6800:4003:c03::1b]:25: Connection timed out

Step 6: Using Mail Clients on Your Computer or Mobile Device

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account.

  • In the incoming server section, select IMAP protocol, enter mail.your-domain.com as the server name, choose port 993 and SSL/TLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter mail.your-domain.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

iredmail-desktop-mail-client-configuration

Step 7: Improving Your Email Server Reputation

To prevent your emails from being flagged as spam, you should set PTR, SPF and DKIM records.

PTR record

A pointer record, or PTR record, maps an IP address to a FQDN (fully qualified domain name). It’s the counterpart to the A record and is used for reverse DNS lookup, which can help with blocking spammers. Many SMTP servers reject emails if no PTR record is found for the sending server.

To check the PTR record for an IP address, run this command:

dig -x IP-address +short

or

host IP-address

Because you get IP address from your hosting provider or ISP, not from your domain registrar, so you must set PTR record for your IP in the control panel of your hosting provider or ask your ISP.  Its value should be your mail server’s hostname: mail.your-domain.com. If your server uses IPv6 address, be sure to add a PTR record for your IPv6 address as well.

SPF Record

SPF (Sender Policy Framework) record specifies which hosts or IP address are allowed to send emails on behalf of a domain. You should allow only your own email server or your ISP’s server to send emails for your domain. In your DNS management interface, create a new TXT record like below.

modoboa spf record

Explanation:

  • TXT indicates this is a TXT record.
  • Enter @ in the name field to represent the main domain name.
  • v=spf1 indicates this is a SPF record and the version is SPF1.
  • mx means all hosts listed in the MX records are allowed to send emails for your domain and all other hosts are disallowed.
  • ~all indicates that emails from your domain should only come from hosts specified in the SPF record. Emails that are from other hosts will be flagged as forged.

To check if your SPF record is propagated to the public Internet, you can use the dig utility on your Linux machine like below:

dig your-domain.com txt

The txt option tells dig that we only want to query TXT records.

DKIM Record

DKIM (DomainKeys Identified Mail) uses a private key to digitally sign emails sent from your domain. Receiving SMTP servers verify the signature by using the public key, which is published in the DNS DKIM record.

The iRedMail script automatically configured DKIM for your server. The only thing left to do is creating DKIM record in DNS manager. Open the iRedMail.tips file under iRedMail-0.9.8 directory.

sudo nano iRedMail.tips

Scroll down to DNS record for DKIM support section.

iredmail amavis dkim

Then in your DNS manager, create a TXT record, enter dkim._domainkey in the name field. Copy everything in the parentheses and paste into the value field. Delete all double quotes.

amavisd-new ubuntu

After creating PTR, SPF, DKIM record, go to https://www.mail-tester.com. You will see a unique email address. Send an email from your domain to this address and then check your score. As you can see, I got a perfect score. In the test result, you should check if your PTR record, SPF and DKIM record is valid.

imporve email server reputationMail-tester.com can only show you a sender score. There’s a another service called GlockApps that allow you to check if your email is landed in the recipient’s inbox or spam folder, or rejected outright. It supports many popular email providers like Gmail, Outlook, Hotmail, YahooMail, iCloud mail, etc

glockapps email placement test

Adding Multiple Mail Domains

I wrote this article to show you how to add multiple mail domains in iRedMail.

How to Disable Greylisting

By default, iRedMail has enabled greylisting, which tells other sending SMTP servers to try again in a few minutes. This is mainly useful to block spam, but it also degraded user experience. If you prefer to disable greylisting, follow the instructions below.

Add write permission to the /opt/iredapd/settings.py file.

sudo chmod 600 /opt/iredapd/settings.py

Then edit the configuration file.

sudo nano /opt/iredapd/settings.py

Find the following line.

plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy"]

Remove "greylisting" from the list. Save and close the file. Then restart iredapd.

sudo systemctl restart iredapd

Change the configuration file back to read only mode.

sudo chmod 400 /opt/iredapd/settings.py

That’s it! I hope this tutorial helped you set up a mail server on Ubuntu 18.04 with iRedMail. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

Rate this tutorial
[Total: 4 Average: 5]

2 Responses to “How to Easily Set Up a Full-Featured Mail Server on Ubuntu 18.04 with iRedMail

  • Will this work with Ubuntu Desktop?

    • To make it work on Ubuntu desktop in your home, you need to

      1). Have a static IP address, or set up dynamic DNS if your have a dynamic IP address.

      2). Configure port forwarding in your router. (IMAP port 993)

      3). If your ISP blocks port 25, then set up SMTP relay.

      It’s totally doable, if you are willing to get your hands dirty.

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • If my answer helped you, please consider supporting this site. Thanks :)