Mailserver Reloaded – Step 1

Standard

To reproduce the latest setup of my email server and being able to work on this series of posts as promised months ago, I created a new LXC container with Debian Wheezy first. As LXC is not part of this series, no further details about it are provided here.

Like always, the first thing to do on a brand new machine is checking for the latest updates:

apt-get update && apt-get dist-upgrade

First we need to install a mail transfer agent (MTA), which in our case will be Exim. As some enhanced capabilities, such as SASL authentication are required, the Debian package exim4-daemon-heavy must be installed:

apt-get install exim4-daemon-heavy

Given that we are going to manually create an Exim configuration from scratch later, answers to configuration related questions during the installation process are irrelevant to this setup.

Now that our machine has an MTA installed, MySQL server can be installed:

apt-get install mysql-server

Hint: If you try to installed MySQL server before an MTA is installed, Debian might choose an other MTA than Exim to fulfill MySQL’s requirements. This may lead to additional, unnecessary steps or even a configuration conflict that you would have to resolve when installing Exim.

After that, Dovecot can be installed with the following command:

apt-get install dovecot-core dovecot-mysql dovecot-lmtpd dovecot-imapd dovecot-sieve dovecot-managesieved

Additionally to the more or less obvious packages dovecot-mysql, dovecot-lmtpd and dovecot-imapd, the packages dovecot-sieve and dovecot-managesieved are also installed, so that server-side filtering based on Sieve is possible. Roundcube has some great plugins to create and manage Sieve filter rules.

Talking about Roundcube: This is the last of piece we have to install, before we can glue everything together. Though I generally prefer distribution packages, I mostly end up with installing software manually when in comes to web applications. As Roundcube is written in PHP, we need web server that is capable of executing PHP scripts. For simplicity we choose Apache plus the appropriate PHP 5 module in this howto:

apt-get install libapache2-mod-php5

That’s it for the first step. All required software is installed, so we can proceed with the configuration of each in the next step.

Mailserver Reloaded – The Idea

Standard

It has been a while since the last big update of my email server configuration. For years it has been running solid as a rock based on Exim/Dovecot with a LDAP-backed configuration.

You may ask: Why change a running system?

One of the things that bugged me for months, was the fact that I am using self-signed certificates on that server. That means that all email clients have been set to accept ANY SSL certificate without further checks (at least manual pinning or something would be great). So any evil hacker in a public WiFi network could use SSL interception to get my username and password. To eliminate this risk, replacing the self-signed certificate with ones signed by a well-know CA (I’d never call them trustworthy!) would probably be enough, but who really wants such a simple solution?

So additionally to replacing the self-signed certificates, I decided to add some extra security by implementing application-specific passwords. Google user’s may already now how they work, for all others here comes a little introduction: Application-specific passwords allow users to create unique passwords for each application that is interacting with your email server. That means that regular user passwords, that are often used for other services as well, must neither be stored in email clients nor will they ever get transferred via SMTP, IMAP or POP3. The whole setup could even be hardened more, by creating a whole new username-password combination for each application, but that seems to be a little over the top to me.

As I also wanted to easily support multiple email domains in the future, I completely moved away from the LDAP backend, that was a partly replication of my LDAP database I use at home for authentication the accounts of my family, to a MySQL-backed setup. To reduce complexity and be more flexible in the future, I also made Dovecot my MDA (LMTP) and authentication service (SASL).

One thing that I also had to solve was the problem that no tools exist to allow users the management of their application-specific passwords. As I am using Roundcube Webbmail for years now and still more than happy with it, I decided to use Roundcube as the one and only tool that I provide users for managing their email settings, including the application-specific passwords. A corresponding plugin was therefore developed by me and has been published on GitHub in the meanwhile. Access to Roundcube is possible only with the normal user passwords BUT requires the use of one-time-passwords created with Google Authenticator (or compatible).

Now you know what I did and why I did it. I know that you now want to know how I actually implemented that setup, but unfortunately you must be patient. I’ll reproduce the setup in a brand new LXC container in order to provide a series of blog posts with precise information how to set this up on your own within the next two weeks. So stay tuned!