
Set up mailserver

dutt
Posts: 3
Joined: 20 Dec 2012, 04:14

Set up mailserver

Post by dutt »

Hi,

Yesterday I got my bubba3 and I have plans to move most of my digital life from facebook, gmail, g+, picasa etc etc to it.

One of the steps is e-mail. I bought a domain and am now wondering how to set up the included e-mail server to handle incoming and outgoing e-mails for that domain. I've been looking around on the forums and the wiki but haven't found any guides from the ground up. Is dovecot the mailserver or is postfix the mailserver? I talked to my ISP and they block port 25 (SMTP, sending e-mail), but if I only go with encrypted e-mails it goes over another port and that should work fine. Does the included e-mail server support that?

Regards,
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Set up mailserver

Post by RandomUsername »

The web interface gets you set up with the basics quite simply. Just put all your information in the fields provided and you should be good (make sure you turn on the appropriate services and open the firewall ports).

Dovecot = mail server
Postfix = MTA (mail transfer agent)

Does your ISP provide their own SMTP server you can use?
Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Re: Set up mailserver

Post by Cheeseboy »

Hi!

If you are happy to use your ISP's email service, please stop reading now....

If you plan to use your own registered domain for your email server, you should be aware that DNS(es) does not work the same for emails as for simple host lookups. The DNS databases have several types of entries. 'A' for normal lookups for a web or ftp server for example. They only return one (or several) IP address, so it is up to the application/protocol to decide what port number to use. The entry type for email is called 'MX'. It often contains one or several host names in a prioritized list.

When you send an email, the SMTP protocol is used. It looks up the MX entry in the DNS, and it is only possible to use port 25. You cannot specify a port number in an email address.

Here is an example of Google's DNS 'A' record of dn.se (a popular Swedish newspaper):


$ dig @8.8.8.8 dn.se A

; <<>> DiG 9.7.3 <<>> @8.8.8.8 dn.se A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49083
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dn.se.				IN	A

;; ANSWER SECTION:
dn.se.			17503	IN	A	212.28.194.152

;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 20 19:22:47 2012
;; MSG SIZE  rcvd: 39
It can contain several IP addresses, but it is pretty simple with just the one.

Here is the same for the MX record:


$ dig @8.8.8.8 dn.se MX

; <<>> DiG 9.7.3 <<>> @8.8.8.8 dn.se MX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55449
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dn.se.				IN	MX

;; ANSWER SECTION:
dn.se.			600	IN	MX	10 dn-mf03.dn.se.
dn.se.			600	IN	MX	10 dn-mf02.dn.se.

;; Query time: 61 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 20 19:22:34 2012
;; MSG SIZE  rcvd: 71
This is for email sent to ...@dn.se. As you see they list actual host names rather than IP addresses.
They can list several options, and even give them priority.

Here is your first problem:
You must make sure that your domain registrar allows you to control ALL your entries in the DNS database.
I had to change mine as they didn't even know what an MX record was... They are not happy to give up control over "their" domains, even though it belongs to you.

As all SMTP uses port 25, and almost ALL ISPs block that port to avoid spam, you have to do some trickery to set up your own proper postfix and dovecot solution.
When you send email, postfix will try to send it on port 25, as all other email servers use that port. This won't work as the ISP blocks it. You can use relay email services that accept incoming SMTP messages on other ports.
The problem is that even if you set up postfix to use a relayhost with another port, the relayhost will most likely not accept messages in clear text. Postfix can be configured to use another port, but it will still use plain text SMTP.

The solution is stunnel4 (available in the repositories, and easy to configure). It opens a listener port on your B3 where postfix can connect to and send its stuff. Stunnel4 is configured to encrypt the traffic with SSL, making it acceptable to the relayhost. This is called SMTPS and it is somewhat of an afterthought (or hack). The port used is traditionally 465.

Now for reading your email through dovecot, it must first be delivered to postfix.
There are several ways of doing this. I opted for a company that receives my email and then sends it to my server on port 52525. I have to pay for this service. I also have to point my DNS MX records to the service provider's email servers. I'm sure there are better solutions than this, but I've been using it forever, and I can't be arsed to shop around for better solutions. Perhaps SASL could be worth looking into.

Once your email is on your server, the communications between dovecot and your preferred email client already has the means to encrypt your data.

Hope this might be of some help,
(and please feel free to correct me if I'm talking out of my arse again :-))

Cheeseboy

PS:
Google for postfix stunnel4 SASL
Last edited by Cheeseboy on 21 Dec 2012, 19:27, edited 1 time in total.
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Set up mailserver

Post by RandomUsername »

Just to totally contradict everything above, I have never had any of the problems Cheeseboy mentions. Possibly, this is a difference between ISPs/registrars in the UK (me) and Europe (him). Depends where you are I suppose.
Binkem
Posts: 388
Joined: 10 Jul 2008, 02:26

Re: Set up mailserver

Post by Binkem »

I'm in the Netherlands. And I had no problem getting my A record and MX record to point to my (fixed) IP address. The only problem I've got is to use my B3 to send mail. If I send from webmail there's no problem (I do this using my ISP's SMTP server). My ISP stopped relaying mail after having some problem with open relay servers on the network, which ended the possibility of mailing via my B3 from outside home. I cannot mail, though, from outside home by mailing via my B3. Then I get the message that I may not relay mail. Before my first Bubba I used a Windows machine as mail host/server and I had no problem sending mail directly using SMTP. I've never been able to get my B3 (or my B2 before that) to do this though. Perhaps Cheeseboy's solution would solve that problem for me.
nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: Set up mailserver

Post by nobody »

Me neither, and I am in mainland Europe. The story of registrars not allowing you to set MX records sounds really really strange, and is a signal you should run away ASAP. As for blocking of port 25, this does occur if you have a cheap and clueless ISP. Generally ISPs that give you a fixed IP address are only a little more expensive and they take their service seriously, including full control of incoming traffic. For example xs4all in .nl gives you a full IPv4 and IPv6 range and has an opt-in rule for port blocking. If they detect spamruns coming from your IP, they block the port and send you a polite email explaining their action. If you then prove you fixed the issue they open the port again and charge you nothing.

So in short, if you are serious about deploying servers, take a serious ISP. In the end it is cheaper than having to pay for proxy services.

Apologies if you live in places where there is no choice of ISP and you're stuck with a clueless hoster.
nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: Set up mailserver

Post by nobody »

Binkem: just turn on the smtp-submission service in master.cf. This uses port 587 which is rarely blocked. Then set relayhost to your ISP's MX server and you are good to go.
Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Re: Set up mailserver

Post by Cheeseboy »

nobody wrote:The story of registrars not allowing you to set MX records sounds really really strange, and is a signal you should run away ASAP. As for blocking of port 25, this does occur if you have a cheap and clueless ISP.
Agreed on the DNS horror story. Mind you this was in 2007. It seemed a big complicated thing to move my registrar from a Swedish company to a U.S. company considering it was concerning a domain with the Swedish TLD (.se)
nobody wrote:So in short, if you are serious about deploying servers, take a serious ISP. In the end it is cheaper than having to pay for proxy services.
Well, I'm not serious... I'm a hobbyist :-)
I don't think ISPs which offer fixed IPs and the kind of service you describe even offer products like that to private customers where I live - and if they did, I doubt I could afford it :-)

Cheers!
nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: Set up mailserver

Post by nobody »

You can still be serious as well as a hobbyist! An SMTP server is a complex and potentially dangerous thing, and if not taken seriously, can give you trouble. But the same can be said for a car, and many people use one every day.

I have of course no knowledge of your situation or availability of ISPs. Here in .nl there is one big ISP that offers static IPs and serious support for about 10E /month over the cheapest offer available. Then there are a few small and lesser-known ISPs that have similar but slightly cheaper offers.

My choice in deciding which one to take was to ask the sales dude if they let me set reverse-DNS for my account. The good ones say "sure thing!". The clueless ones say "What's a DNS?".

0.02
Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Re: Set up mailserver

Post by Cheeseboy »

Ah. My question was "do you block TCP port 25 for incoming and outgoing traffic?"
I chose the ISP who answered "yes", rather than the one who answered "I've no idea what you are talking about..." :-)

I feel I have somewhat kidnapped the OP's thread here... :oops:
Dutt might have it very easy to achieve what he/she wants, like RandomUsername said.
Perhaps there is time for a new thread, perhaps with more details of the circumstances and the desired result?

Cheers!
SF
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Set up mailserver

Post by Gordon »

That's a load of information from RandomUsername and Cheeseboy, but let's not overcomplicate stuff.

Yes, the prerequisite is that you know something about setting up DNS correctly. You can however also let someone else do it. Every nameservice provider should allow you access to some kind of domain editor and most of them will specify what type of records you can alter through that editor. If you can't add/change MX records then you need another nameservice provider (this doesn't have to be your ISP).

In terms of "mailserver" you actually always need two: one for reading ("incoming") and one for sending ("outgoing"). Whenever you set up email in your desktop reader, e.g. Outlook (yagh), Thunderbird, Pegasus, it will always ask for these two parameters. On the B3 the "incoming" server is called Dovecot and this provides the mail reading protocols POP3 and IMAP along with their secure (SSL) counterparts. There's no MAPI (Windows mail protocol) on the B3. To read email you always need to authenticate to the server.

The interesting stuff is on the "outgoing" server, which is called Postfix on the B3. Postfix is very versatile in that you can make it listen and send out email on every TCP port you like, however to be able to receive emails from servers that use the DNS MX records to reach your server you must have TCP port 25 configured and vice versa to send using this method always target port 25. Apart from being a regular internet email send and receive service (officially named MTA, aka "smarthost") it can also mimic email client behaviour for sending (aka relaying!) emails; i.e. to a different "smarthost".

Why is all of this important?
The problem is that many ISPs are blocking TCP port 25 as a countermeasure towards spam. This is especially true if you're in the Netherlands, because as you know we like to implement EU ruling even before it has been offered to parliament :evil: In most cases you'll find that your ISP requires you to use their email server for sending email, so that they can monitor your email sending behaviour (and of course block you if you start sending out thousands of emails). This is not an issue for Postfix (in fact it is the default behaviour on the B3), but as a rule of thumb if you need to log on to that ISP email server it will replace your original sending address with yourlogonname@yourISP.domain. In that case you will not be able to send emails originating from your own domain!

My own ISP has another trick up their sleeve: they also block public access to port 25 for incoming traffic and thus prevent me from receiving emails for my domain. Obviously that would mean that they could never sell their services to businesses, but they are actually the largest provider in The Netherlands (KPN). What they do is they set the MX records for your domain to their servers and then pass the messages on to your server using what they call BSMTP, where the "B" may either stand for Batched or Buffered. In reality the "B" stands for Bullocks because it's just regular SMTP; they just configured their email servers to look up MX records in a non-public DNS server that lists your IP address as the MTA for your domain and relay the messages. Naturally they want you to subscribe to that service and receive money for it, but you can actually configure it yourself if you know the IP address of their relay server.

Of course none of the call-desk ladies will be able to provide you with this info and will also refuse to connect you to someone who does know. And yes I know how frustrating that is, so here's how to cheat KPN in delivering your email:


mail.yourdomain.nl.   IN   A        10.10.10.10

yourdomain.nl.        IN   MX       100   mailrelay.direct-adsl.nl.
yourdomain.nl.        IN   MX       1     mail.yourdomain.nl.
As to all the dos and don'ts, just stick to the B3 webadmin interface for configuring the mailserver. The B3 is configured to block any mail that is either not meant for your domain or does not originate from your local network. Just don't touch the configuration files yourself and you'll be safe enough.
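Added example, not part of the posts above: a Python sketch of how a sending mail server orders the MX records in Gordon's zone snippet, trying the lowest preference value first and falling back to the next host when the connection on port 25 fails. The reachability map passed to `delivery_target` is a constructed assumption about which hosts accept connections.

```python
import re

# Zone lines copied from the post above (10.10.10.10 is the post's placeholder IP).
ZONE = """\
mail.yourdomain.nl.   IN   A        10.10.10.10

yourdomain.nl.        IN   MX       100   mailrelay.direct-adsl.nl.
yourdomain.nl.        IN   MX       1     mail.yourdomain.nl.
"""

# Matches zone-file lines and dig answer lines (which carry a TTL column).
MX_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+MX\s+(\d+)\s+(\S+)$")


def parse_mx(text, domain):
    """Return [(preference, host)] for domain, lowest preference first."""
    records = []
    for line in text.splitlines():
        m = MX_RE.match(line.strip())
        if m and m.group(1).rstrip(".").lower() == domain.lower():
            records.append((int(m.group(2)), m.group(3).rstrip(".").lower()))
    # A real sender picks randomly among equal preferences; sorting keeps
    # the example deterministic.
    return sorted(records)


def delivery_target(records, reachable):
    """Walk the MX hosts in preference order and return the first one
    that accepts a connection on port 25, or None if none does."""
    for _preference, host in records:
        if reachable.get(host, False):
            return host
    return None  # the sender queues the message and retries later


if __name__ == "__main__":
    mx = parse_mx(ZONE, "yourdomain.nl")
    print("order:", mx)
    # Constructed scenario: inbound port 25 to the home server is blocked.
    blocked = {"mail.yourdomain.nl": False, "mailrelay.direct-adsl.nl": True}
    print("port 25 blocked ->", delivery_target(mx, blocked))
    open_ = {"mail.yourdomain.nl": True, "mailrelay.direct-adsl.nl": True}
    print("port 25 open    ->", delivery_target(mx, open_))
```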
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Set up mailserver

Post by Gordon »

Oh and if you DO want to live dangerously and send emails from your domain wherever you are, you can simply add these two firewall rules:


iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.10.10.10/32 --dport nnn -j DNAT --to-destination 127.0.0.1:25
iptables -A FORWARD -d 127.0.0.1/32 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
Replace 10.10.10.10 with your public IP and nnn with your secretly chosen TCP port.
nobody
Posts: 226
Joined: 10 Mar 2012, 14:46

Re: Set up mailserver

Post by nobody »

Gordon, can you please explain to me what the benefit of that firewall trick is compared to having postfix just listen on port nnn instead?
Gordon wrote: This is especially true if you're in the Netherlands, because as you know we like to implement EU ruling even before it has been offered to parliament
Please stop spreading this bullshit. I know you don't like the Dutch government but the blocking of port 25 has nothing to do with national or EU regulation and you know it. Making up FUD just because you have an axe to grind is not very constructive. NL has a lot of ISPs that allow you to open port 25. You chose KPN which is one of the dumbest in the country and does not allow you to do this. This is not because of national legislation but because of their own business decision (and because they do not understand their own product).
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Set up mailserver

Post by Gordon »

nobody wrote:Gordon, can you please explain to me what the benefit of that firewall trick is compared to having postfix just listen on port nnn instead?
Because you can't receive emails if the server does not listen to port 25. And second because to be able to relay you must be on either localhost or on eth1/br0. And no you do not want this to be on port 25 because that means you will be an open relay that anyone can find (by doing this you are an open relay!).

[offtopic content]
nobody wrote:
Gordon wrote: This is especially true if you're in the Netherlands, because as you know we like to implement EU ruling even before it has been offered to parliament
Please stop spreading this bullshit. I know you don't like the Dutch government but the blocking of port 25 has nothing to do with national or EU regulation and you know it.
I was actually not talking about the government in this case but about Dutch mentality. As far as choices go, mine was limited to having 256Kb SDSL (no, that's not a typo) with some 10+ providers or 50Mb fiber with KPN. While theoretically that implies having a choice, in practice I'm bound to a monopolist that used to be part of the government. Through this same company I own a Topfield brand DVB-T harddisk recorder that was especially altered for the Dutch market by having the USB port removed to prevent users from storing recordings on a secondary harddisk or burn them to DVD - I've owned this device for at least five years and to this day no law exists that says I'm not allowed to store recordings indefinitely and in the process move them to different media. They're morons trying to do politics and yes the majority of the politicians are idiots as well (probably all, but some do sound somewhat smart sometimes).

[/offtopic content]
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Set up mailserver

Post by Gordon »

Gordon wrote:
nobody wrote:Gordon, can you please explain to me what the benefit of that firewall trick is compared to having postfix just listen on port nnn instead?
Because you can't receive emails if the server does not listen to port 25. And second because to be able to relay you must be on either localhost or on eth1/br0. And no you do not want this to be on port 25 because that means you will be an open relay that anyone can find (by doing this you are an open relay!).
Come to think about it, you may need to SNAT (table POSTROUTING) the packets as well to make this work. I haven't tried this myself, nor am I about to.
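Added example, not part of the thread: a simplified Python model of the relay check discussed above (trusted networks, SASL authentication, local destination). It shows that a server which rewrites the source address of forwarded connections to a trusted one treats every Internet client as local, while authenticated submission grants relaying per user. The addresses, `MYNETWORKS` and `LOCAL_DOMAINS` are constructed; the rule order mirrors Postfix's `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination` and is not the B3's actual configuration.

```python
import ipaddress

# Constructed sample values, not taken from a real B3.
MYNETWORKS = ["127.0.0.0/8", "192.168.10.0/24"]
LOCAL_DOMAINS = {"yourdomain.nl"}


def source_seen_by_postfix(client_ip, snat_to=None):
    """DNAT rewrites only the destination; SNAT replaces the source address."""
    return snat_to if snat_to else client_ip


def relay_decision(client_ip, rcpt_domain, sasl_authenticated=False):
    """Evaluate the three rules in order and return the first match."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(net) for net in MYNETWORKS):
        return "permit: mynetworks"
    if sasl_authenticated:
        return "permit: sasl"
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return "permit: local destination"
    return "reject: relay access denied"


def scenarios():
    outside = "203.0.113.7"  # documentation address standing in for any Internet host
    snat = source_seen_by_postfix(outside, snat_to="127.0.0.1")
    return {
        "inbound mail for own domain": relay_decision(outside, "yourdomain.nl"),
        "outside client, no auth": relay_decision(outside, "example.org"),
        "DNAT only": relay_decision(source_seen_by_postfix(outside), "example.org"),
        "DNAT + SNAT to 127.0.0.1": relay_decision(snat, "example.org"),
        "submission with SASL": relay_decision(outside, "example.org",
                                               sasl_authenticated=True),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28} -> {verdict}")
```

The "outside client, no auth" row corresponds to the "may not relay" message Binkem reports; the SNAT row is the open-relay case, since the trust decision is made on the address Postfix sees.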