💾 Archived View for zaibatsu.circumlunar.space › ~visiblink › phlog › 20240713 captured on 2024-08-25 at 03:27:15.
⬅️ Previous capture (2024-08-18)
-=-=-=-=-=-=-
Unfederated Email, Part II ========================== A few years ago, I wrote a phlog entry about self-hosting an unfederated email server (which only sends emails among the users on the local machine). I set up the server on my home network and used it to send notes and files to my old devices. Since it was on my LAN, the server sent and received mails in clear text, without certificates and without encryption. I mentioned in that post that my ultimate aim was to add encryption, so that I could access the server with my email client over the open internet. Several months later, a reader let me know that they'd like the setup details when I did it. Well, I finally set it up, and the details are below. It's the simplest possible system. Each system user automatically has an email account on the server, using their regular username and password. It also requires the use of TLS on all connections. If you want to add new email users, just create a system user account for them. If you don't want them actually using the system, permit server logins with an RSA certificate only. Why? ==== If you're wondering why a person might want an unfederated email server, I get it. But it does have uses. Mine is to send myself emails. I often send myself emails containing reminders, notes, and files. If I look at my inbox, almost all of the incoming traffic consists of commercial notifications. I hardly ever respond to those emails. In fact, when I look at my sent items, almost all of the outgoing traffic is notes to myself or emails to family. So why not keep some of that traffic away from my email provider? I'm sure there are other reasons to do this as well. You might want to set up a private Delta Chat server. Or you might want to send emails among a small group of people or set up something like a groupchat or mailing list. How? ==== The following setup guide is for an unfederated server running Debian 12 (Bookworm). The server makes use of Dovecot for IMAP connections (for retrieving email), OpenSMTPD for SMTP (for sending), and mailutils (for some of the local setup on the machine). Since the server is unfederated and you don't have to scan for spam, the demands on the system are very light. All of the setup below must be done as root. 1. Pre-installation ------------------- A. Add backports to your repositories. The version of OpenSMTPD in Debian Bookworm has a TLS bug that prevents it from establishing secure connections. This caused me serious amounts of frustration before I found out about the bug! To add backports, edit your /etc/apt/sources.list Add the following line: deb http://deb.debian.org/debian bookworm-backports main B. Update your server apt-get update apt-get upgrade 2. Installation --------------- Install dovecot, OpenSMTPD, and mailutils: apt-get install mailutils dovecot-imapd apt-get install opensmtpd/bookworm-backports When openSMTPD asks for the server name, give it the fully-qualified domain name (the whole URL for your server). 3. Dovecot Configuration ------------------------ A. Edit /etc/dovecot/conf.d/10-ssl.conf Change the line "ssl = yes" to: ssl = required If you want to use the self-signed certificate automatically created by Dovecot, make sure the following lines are uncommented (remove the octothorpe at the beginning of the line, if any): ssl_cert = </etc/dovecot/private/dovecot.pem ssl_key = </etc/dovecot/private/dovecot.key Alternatively, if you have Let's Encrypt certificates on the server, you can link to them instead. In my case, I had them for the Apache2 webserver already, so the two lines above look like this instead: ssl_cert = </etc/apache2/ssl/fullchain.pem ssl_key = </etc/apache2/ssl/private/key.pem Note: you have to put the < before the file link. It's mandatory! B. Edit /etc/dovecot/conf.d/10-auth.conf Uncomment the line: disable_plaintext_auth = yes C. Edit /etc/dovecot/conf.d/10-master.conf Find these lines: service imap-login { inet_listener imap { #port = 143 } inet_listener imaps { #port = 993 #ssl = yes } Edit them to look like this: service imap-login { #inet_listener imap { #port = 143 #} inet_listener imaps { port = 993 ssl = yes } 4. OpenSMTPD Configuration -------------------------- Edit /etc/smtpd.conf Save the existing file as smtpd.conf.bak or something like that. Then delete the existing contents of /etc/smtpd.conf and cut and paste everything from "table" to the final "local" below into the file. You can use the self-signed certificate/key pair created by Dovecot, or your Let's Encrypt set if you have one. Just comment out the certificate/key pair that you don't want to use. If your Let's Encrypt certificates are kept in a different directory, change the links as necessary (here and in Dovecot's /etc/dovecot/conf.d/10-ssl.conf file). Wherever it says "your.domain.name" substitute your fully-qualified domain name. table aliases file:/etc/aliases #pki your.domain.name cert "/etc/dovecot/private/dovecot.pem" #pki your.domain.name key "/etc/dovecot/private/dovecot.key" pki your.domain.name cert "/etc/apache2/ssl/fullchain.pem" pki your.domain.name key "/etc/apache2/ssl/private/key.pem" listen on your.domain.name port 465 smtps pki your.domain.name auth action "local" mbox alias <aliases> match for local action "local" match from any for domain "localhost" action "local" match from any for domain "localhost.localdomain" action "local" match from any for domain "your.domain.name" action "local" 5. Restart the services to reload the configuration files: ---------------------------------------------------------- systemctl restart dovecot systemctl restart opensmtpd 6. Open Ports ------------- Open ports 465 and 993 in your firewall. If you don't have a firewall, look up ufw (uncomplicated firewall). It is very simple to use. If the server is at home, you'll have to set up port forwarding on your router to gain external access. If your internet provider blocks ports 465 and 993, you can use different numbers. Just don't use ports regularly used by other services. You can find lists of commonly used ports by searching online. 7. Set up your email client --------------------------- I use Claws-Mail and set it up as follows. Note that myusername is the username from my account on the server. Basic Tab --------- Email Address: yourusername@your.domain.name Protocol: IMAP Server for Receiving: your.domain.name SMTP server (send): your.domain.name User ID: yourusername <-- don't include the @your.domain.name! Password: password for the user account on the server Send Tab -------- Check the box for SMTP Authentication. You don't have to fill in the User ID or Password. TLS Tab ------- Select the checkbox for "Use TLS" for both IMAP and SMTP. Advanced Tab ------------ Select the checkbox for SMTP port and enter 465. Select the checkbox for IMAP port and enter 993. 8. Final Notes -------------- A. I suspect that in some situations using regular user accounts for email could pose a security risk by increasing the possibility of revealing usernames and passwords, but I only permit RSA key logins on my servers (and no root logins). B. If you use a Let's Encrypt certificate, you'll probably want to add Dovecot and OpenSMTPD to the services that restart after each renewal. How you do that will depend on the client you use to update Let's Encrypt. Both certbot and acme.sh have that capability.