Who is this for Self-hosting email for small to medium companies, business owners, non-profit organizations and individuals. There is no real limit to who may self-host, but will benefit directly and see immediate results. Small to medium companies will get a fully functioning system that adheres to all current encryption and security protocols, especially the PCI specification. privacy conscious groups Why self-hosting There are tons of reasons why self-hosting is beneficial, here are some of them: Privacy Enhanced security Customization Lower costs Privacy Hosting at the major known providers is free, at first glance. A second look at their business practices will give you an indication that nothing is free, since . Your information is being analysed, categorized, fed into AI, given to advertisers and other 3rd parties. YOU are the product Enhanced security The major players have to be very compatible, to make sure everyone has access. In a self-hosting environment that does not apply. You can set your own rules, enforce strict limits that wouldn’t be applicable to general hosting. Customization Self-hosting allows you to do a lot more, like use custom configuration options, run experimental code, test new features and provide a more bespoke environment for your hosting needs. Lower costs can be achieved with open source tools, a huge saving over commercial control panels and enterprise solutions. Self-hosting Prerequisites A new server, dedicated or virtual, with internet access A RHEL-based Linux distribution: Alma, Rocky, Oracle or Fedora Server Root access Server hostname Please make sure your server has a fully qualified domain name (FQDN) and the file has the IP of the server point to the FQDN and not the short name. This is a requirement for some tools like OpenDKIM, which will fail to work without an FQDN. /etc/hosts To test if your FQDN is properly setup, run: # hostname -f
server.example.tld If you only see the server name and not the FQDN then use the systemd command to set your FQDN: hostnamectl # hostnamectl set-hostname server.example.tld Step 1 - Required packages The first step is to install some basic packages, use your package manager: dnf for newer versions of EL8/EL9: # dnf install php php-cli php-pdo php-mbstring epel-release unzip wget yum for EL7: # yum install php php-cli php-pdo php-mbstring epel-release unzip wget for Fedora the packages are slightly different: # dnf install php php-cli php-pdo php-mbstring unzip wget Step 2 - Install Aetolos In the second step we’ll install the Aetolos virtual hosting control panel, which only generates configuration files and does not make any other modifications to the system: # wget -O /root/master.zip 'https://gitlab.com/noumenia/aetolos/-/archive/master/aetolos-master.zip'
# unzip /root/master.zip -d /root/
# mv /root/aetolos-master /root/aetolos
# rm -rf /root/master.zip The latest development code can be downloaded from the git repository: git clone 'https://gitlab.com/noumenia/aetolos.git' Step 3 - Enable services Now it is time to choose what services the server will provide. Run Aetolos with the status parameter to get an idea of all the available services: # ~/aetolos/aetolos --status
+---------+--------------+---------+------------+--------------+
| Enabled | Module       | SystemD | Repository | Dependencies |
+---------+--------------+---------+------------+--------------+
| [ ]     | apache       |         |            |              |
| [ ]     | clamav       |         | epel       | postfix      |
| [ ]     | dehydrated   |         |            |              |
| [ ]     | dovecot      |         |            |              |
| [ ]     | haproxy      |         |            |              |
| [ ]     | mariadb      |         |            |              |
| [ ]     | mtasts       |         |            | apache       |
| [ ]     | nsd          |         | epel       |              |
| [ ]     | opendkim     |         | epel       | postfix      |
| [ ]     | opendmarc    |         | epel       | postfix      |
| [✓]     | php          |         |            |              |
| [ ]     | postfix      |         |            |              |
| [ ]     | postgrey     |         | epel       | postfix      |
| [ ]     | spamassassin |         |            | postfix      |
| [✓]     | virtualhost  |         |            |              |
+---------+--------------+---------+------------+--------------+ As this is going to be a self-hosted email server, we are going to enable the services that give us a complete set of features for email hosting: Apache, a web server for responding on ACME requests Dehydrated, a bash script for Let’s Encrypt certificates Dovecot, a POP3/IMAP mail server OpenDKIM, a DKIM validator and signer OpenDMARC, a DMARC validator Postfix, an SMTP server Spamassassin, spam protection We will not enable ClamAV because it requires at least 4GB of memory, the reader may opt to enable it based on the resources available on the server. Let’s enable these services with Aetolos: # ~/aetolos/aetolos --enable=apache
# ~/aetolos/aetolos --enable=dehydrated
# ~/aetolos/aetolos --enable=dovecot
# ~/aetolos/aetolos --enable=opendkim
# ~/aetolos/aetolos --enable=opendmarc
# ~/aetolos/aetolos --enable=postfix
# ~/aetolos/aetolos --enable=spamassassin Now we may re-run Aetolos with the status parameter to see the following table: # ~/aetolos/aetolos --status
+---------+--------------+---------+------------+--------------+
| Enabled | Module       | SystemD | Repository | Dependencies |
+---------+--------------+---------+------------+--------------+
| [✓]     | apache       | dead    |            |              |
| [ ]     | clamav       |         | epel       | postfix      |
| [✓]     | dehydrated   |         |            |              |
| [✓]     | dovecot      | dead    |            |              |
| [ ]     | haproxy      |         |            |              |
| [ ]     | mariadb      |         |            |              |
| [ ]     | mtasts       |         |            | apache       |
| [ ]     | nsd          |         | epel       |              |
| [✓]     | opendkim     | dead    | epel       | postfix      |
| [✓]     | opendmarc    | dead    | epel       | postfix      |
| [✓]     | php          | dead    |            |              |
| [✓]     | postfix      | dead    |            |              |
| [ ]     | postgrey     |         | epel       | postfix      |
| [✓]     | spamassassin | dead    |            | postfix      |
| [✓]     | virtualhost  |         |            |              |
+---------+--------------+---------+------------+--------------+ Note the SystemD column which shows most services as . This is not an issue, because we have not configured/started those services, yet. dead Step 4 - Setup Finally, we may run Aetolos setup to install the required RPM packages and generate all the configuration files. We prefer to see the verbose output with the extra parameter. --verbose You will notice two warnings, the first warning is about the dehydrated script, which tells us to specify the registration email address for Let’s Encrypt and the second warning is about generating the DH parameters prime number, this procedure takes quite some time (10 minutes on average), so please take the time to read the rest of this article and prepare for what is to come. # ~/aetolos/aetolos --verbose --setup
[DEBUG] Check running system
[DEBUG] Detected: AlmaLinux 8.7 (Stone Smilodon)
[DEBUG] Check system memory
[DEBUG] Detected: 460MiB
[DEBUG] Check CPU cores
[DEBUG] Detected: 2
[DEBUG] Check proxy
[DEBUG] Loading Aetolos configuration
[DEBUG] Starting operating system setup
[DEBUG] Checking repository dependencies
[DEBUG] Checking package dependencies
[DEBUG] Checking SELinux requirements
[DEBUG] SELinux: enable dovecot_home_etc_aetolos.pp
[DEBUG] SELinux: enable postfix_socket_clamav_aetolos.pp
[DEBUG] SELinux: enable spamd_resolv_aetolos.pp
[DEBUG] Checking certificate requirements
[DEBUG] Checking ACME client
[DEBUG] Downloading ACME client: dehydrated 0.7.1
[DEBUG] Installing ACME client under: /root/dehydrated/
[WARNING] ACME registration email set to: postmaster
[WARNING] Please change the ACME registration email by executing: '/root/aetolos/aetolos --verbose --module=dehydrated --registration-email=new-email'
[DEBUG] Checking module dependencies
[DEBUG] Save configuration: dehydrated
[DEBUG] Writing to file: /root/dehydrated/config
[DEBUG] Writing to file: /root/dehydrated/hook.sh
[DEBUG] Writing to file: /etc/pki/letsencrypt/domains.txt
[DEBUG] Writing to file: /etc/cron.daily/dehydrated.cron
[DEBUG] Save configuration: dovecot
[WARNING] Generating DH parameters. This is going to take a long time...
[DEBUG] Writing to file: /etc/dovecot/dovecot.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/10-auth.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/10-mail.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/10-master.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/10-ssl.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/15-lda.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/15-mailboxes.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/20-imap.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/20-pop3.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/90-acl.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/90-quota.conf
[DEBUG] Writing to file: /etc/dovecot/conf.d/auth-passwdfile.conf.ext
[DEBUG] Save configuration: opendkim
[DEBUG] Writing to file: /etc/sysconfig/opendkim
[DEBUG] Writing to file: /etc/opendkim.conf
[DEBUG] Save configuration: opendmarc
[DEBUG] Writing to file: /etc/cron.weekly/publicsuffix.cron
[DEBUG] Writing to file: /etc/opendmarc.conf
[DEBUG] Save configuration: php
[DEBUG] Writing to file: /etc/systemd/system/php-fpm.service.d/override.conf
[DEBUG] Writing to file: /etc/php.ini
[DEBUG] Writing to file: /etc/php.d/10-opcache.ini
[DEBUG] Save configuration: postfix
[DEBUG] Writing to file: /etc/postfix/virtual_mailbox_domains
[DEBUG] Writing to file: /etc/postfix/transport
[DEBUG] Writing to file: /etc/postfix/smtp_header_checks
[DEBUG] Writing to file: /etc/postfix/mime_header_checks
[DEBUG] Override template file: /root/aetolos/modules/el8/postfix/templates.d/maincf.tpl
[DEBUG] Writing to file: /etc/postfix/main.cf
[DEBUG] Writing to file: /etc/postfix/master.cf
[DEBUG] Save configuration: spamassassin
[DEBUG] Writing to file: /etc/mail/spamassassin/init.pre
[DEBUG] Writing to file: /etc/sysconfig/spamass-milter
[DEBUG] Writing to file: /etc/mail/spamassassin/local.cf
[DEBUG] Save configuration: virtualhost
[DEBUG] Writing to file: /etc/tmpfiles.d/hometmp.conf As per the warning, we add an email address for Let’s Encrypt: # ~/aetolos/aetolos --verbose --module=dehydrated --registration-email=postmaster@example.tld Add virtual hosts Now we are ready to add as many virtual hosts as we like (or as many as the server can handle). Before running any commands, we may take a second to think which virtual hosts will have a prefix subdomain, sometimes we may have a domain like example.tld with a www subdomain (www.example.tld), other times we may not want to use a prefix because we want our email addresses only at the top domain (user@example.tld and not user@www.example.tld). As an example, we will add three virtual hosts, two of them without a subdomain: # ~/aetolos/aetolos --verbose --module=virtualhost --add-virtualhost=example1.tld --no-prefix
[DEBUG] Verify domain: example1.tld
[DEBUG] Add virtual host: example1.tld
# ~/aetolos/aetolos --verbose --module=virtualhost --add-virtualhost=example2.tld --no-prefix
[DEBUG] Verify domain: example2.tld
[DEBUG] Add virtual host: example2.tld
# ~/aetolos/aetolos --verbose --module=virtualhost --add-virtualhost=example3.tld
[DEBUG] Verify domain: example3.tld
[DEBUG] Add virtual host: example3.tld We can now list all virtual hosts: # ~/aetolos/aetolos --module=virtualhost --list-virtualhosts
+----+---------------------+--------------+-------------+----------------+--------+--------------+
| ID | Timestamp           | Virtual host | System user | MariaDB prefix | Parked | Prefix alias |
+----+---------------------+--------------+-------------+----------------+--------+--------------+
| 1  | 2023-01-10 08:51:36 | example1.tld | example1tld | example1       | [ ]    |              |
| 2  | 2023-01-10 08:51:40 | example2.tld | example2tld | example2       | [ ]    |              |
| 3  | 2023-01-10 08:51:45 | example3.tld | example3tld | example3       | [ ]    | www          |
+----+---------------------+--------------+-------------+----------------+--------+--------------+ Each virtual host will “live” isolated within its own home directory, with its own user/group ownership, so lets take a look at our /home: # ls -la /home
total 0
drwxr-xr-x.  5 root        root         63 Jan 20 10:51 .
dr-xr-xr-x. 17 root        root        224 Dec 21  2021 ..
drwx--x--x.  8 example1tld example1tld 159 Jan 10 08:51 example1tld
drwx--x--x.  8 example2tld example2tld 159 Jan 10 08:51 example2tld
drwx--x--x.  8 example3tld example3tld 159 Jan 10 08:51 example3tld Setup After we made modifications with the Aetolos command, we need to generate new configuration files for all the relevant services (Apache, Dovecot, Postfix, etc). Thus, we execute Aetolos setup one last time. # ~/aetolos/aetolos --setup TLS certificates At this point all services will use the same self-signed certificate, thus it is now a good time to run dehydrated manually to gather all virtual host certificates. Since Aetolos uses the ACME protocol with domain validation via HTTP port 80, we first start our Apache server to service those requests. # systemctl start httpd
# ~/dehydrated/dehydrated --cron --config /root/dehydrated/config --keep-going
# systemctl stop httpd
# ~/aetolos/aetolos --setup Services We may now enable and start all services. # systemctl --now enable httpd httpd@example1.tld httpd@example2.tld httpd@example3.tld dovecot opendkim opendmarc postfix spamassassin
Created symlink /etc/systemd/system/multi-user.target.wants/httpd@example1.tld.service → /usr/lib/systemd/system/httpd@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/httpd@example2.tld.service → /usr/lib/systemd/system/httpd@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/httpd@example3.tld.service → /usr/lib/systemd/system/httpd@.service. You will notice that each virtual host has its own Apache service, this is a feature provided by systemd and allows us to define the virtual hosts into separate systemd services. The parameter will start all services. --now DNS setup For optimal deliverability we need to setup at least SPF and DKIM records, optionally we may also setup DMARC. While the setup of these TXT records falls outside the scope of this guide, we should point out that the DKIM key is stored under . Aetolos has wiki pages with additional help: /etc/opendkim/keys/default.txt SPF DKIM DMARC Manage email addresses Add new email First create a text file with the password, it is better security to not pass the password as a command-line parameter. Then add the new email address, optionally set a quota in bytes: # ~/aetolos/aetolos --module=dovecot --virtualhost=example1.tld --add-email=sales --password-file='password.txt' --quota=5000000000 Change password To change the password of an existing email address, is pretty straight forward: ~/aetolos/aetolos --module=dovecot --virtualhost=example1.tld --modify-email=sales --password-file='password.txt' Change quota To change the quota use any value above zero in bytes, while a zero value will remove the quota limit: ~/aetolos/aetolos --module=dovecot --virtualhost=example1.tld --modify-email=sales --quota=0 Remove email It is equally easy to remove an email address, just keep in mind that all stored emails and related files will be deleted: ~/aetolos/aetolos --module=dovecot --virtualhost=example1.tld --remove-email=info List email addresses It is possible to list all email addresses associated with a virtual host: # ~/aetolos/aetolos --module=dovecot --virtualhost=example1.tld --list-emails
+-------+-------+-------+----------------------+
| Email | Quota | Usage | Last password change |
+-------+-------+-------+----------------------+
| sales | 0     |       | 10/10/23             |
+-------+-------+-------+----------------------+ The architecture There should be special mention about the architecture used for storing the emails within dovecot. For security reasons, each virtual host is isolated within unix accounts stored under their own directory. Email accounts and their passwords are under the subdirectory and mail is stored under the subdirectory . /home etc mail /home/example1tld                               -> virtual host home
/home/example1tld/etc                           -> virtual host + parked domains
/home/example1tld/etc/example1.tld/forwarders   -> forwarder addresses
/home/example1tld/etc/example1.tld/passwd       -> email addresses
/home/example1tld/etc/example1.tld/shadow       -> passwords
/home/example1tld/mail/example1.tld             -> email storage Aetolos At this point Aetolos has configured the server without any custom modifications, all changes are done on the default configuration files. We may delete Aetolos from the server and continue modifications manually or we may keep Aetolos in case we want to add more virtual hosts and/or email addresses in the future. Credits Article photo by Manuel Geissinger from pexels

The writer is smart, but don't just like, take their word for it. #DoYourOwnResearch

The code in this story is for educational purposes. The readers are solely responsible for whatever they build with it.

Stick It To The Man and Self-Host Your Own Email Server

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Stick It to The Man and Self-Host Your Own Web Server

IMAP Email Server on AWS

Linux Postfix-How to Add OpenDKIM to DNS

10 Use Cases for Using Laravel to Build Web App Development Projects

2.6 Million Domains and ~45,000 Exposed Phpinfo() Later… the Story of Unprotected Phpinfo()

2016 In Review: The Year of Exploits

Stick It to The Man and Self-Host Your Own Web Server

IMAP Email Server on AWS

Linux Postfix-How to Add OpenDKIM to DNS

10 Use Cases for Using Laravel to Build Web App Development Projects

2.6 Million Domains and ~45,000 Exposed Phpinfo() Later… the Story of Unprotected Phpinfo()

2016 In Review: The Year of Exploits

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps