Preface
I had some free time and thought that my home data center should have its own email address with my own domain name suffix, so I planned to build a mail server myself. I did a lot of research on the choice of software. I first looked at EwoMail; the official recommendation was CentOS 7/8, so I installed CentOS 8. Then I found that CentOS 8 reached its end of life on 2021-12-31 and the Linux community no longer maintains it, so the yum command could not be used. Even after changing the package source, the installation script reported a lot of errors. I got annoyed and switched software.
I also looked at some open source mail server software, such as Postal and mailcow, but they either had a single function (only outbound, no mailbox management, etc.) or were too comprehensive and too resource-intensive. I refined my requirements: support webmail, support sending and receiving mail, support Docker deployment, and not be too resource-intensive. After searching around, I found that poste could meet all of them.
Introduction to poste
Poste is an open source mail service software that can easily build: SMTP + IMAP + POP3 + anti-spam + anti-virus + Web management + Web email, supporting the following features:
- Native implementation of SPF, DKIM, DMARC, SRS with simple wizards
- Antivirus engine for detecting Trojans, viruses, and malware (ClamAV)
- Built-in spam filter (RSPAMD)
- Webmail client over HTTPS (Roundcube)
- Email redirection, autoresponders and other filtering via Sieve scripts (managed by email owners, every action can be scripted)
- Quotas to limit mailbox space or number of emails
- Web management with different permissions for system administrators, domain administrators, and email owners.
- Built-in auto-discovery for Microsoft products, Thunderbird
- Diagnostics to help properly set up your domain and mail server
- By default, all passwords are stored as salted SHA512 hashes (5000 rounds). This makes it very difficult for an attacker to crack your password.
It looks very powerful, and the key point is that it natively supports Docker deployment, which is what my own mail server build relies on.
Network environment requirements
First, confirm the network environment requirements for building a mail server with poste.io. Take a look at the official instructions of poste:
These ports will be mapped using the -p parameter when creating the Docker container, but which of them are actually required?
First, let's take a look at the inspection results of the poste mail server I built. The red boxes indicate abnormal inspection results:
Abnormal cause analysis:
LE(Let's Encrypt)
This is probably because my home broadband does not have port 443, so it cannot be used. This has little impact, except that I cannot rely on Let's Encrypt to automatically apply for and renew certificates. Each Tencent Cloud account has a quota of 20 free one-year certificates, so I simply used one of those.
outbound port 25
A problem is reported for outbound port 25, but it is actually fine: this check mainly tests connectivity to Gmail's port 25, so it is normal for it to fail here.
inbound 80,443,4190
Ports 80 and 443 are definitely not available on home broadband, so it is normal for them to fail. You can change to other ports when building the Docker container. Port 4190 is optional; there is no impact if it is abnormal, so just ignore it.
The above results show that my home broadband can send and receive emails normally without ports 80, 443 and 4190, so these ports are not necessary. The remaining ports 110, 143, 587, 993 and 995 are used by mail clients to connect to the mail server over the various protocols (POP3, IMAP) and their TLS variants. Even if some of them are unavailable, it only means that a mail client cannot connect to the mail server in that particular way; webmail still works, so they are not strictly necessary either.
That leaves port 25. Is it necessary? For building a mail server, port 25 is necessary. To be more specific, SMTP port 25 is divided into two directions, "inbound" and "outbound" (as shown in the test items in the figure above). For sending mail, outbound is necessary; for receiving mail, inbound is necessary.
This starts with the working process of SMTP.
Let's first look at the entire process of the email sent by the sender through the SMTP protocol reaching the receiving end:
Let's simplify it a bit more:
As can be seen in the figure above, the first step, from the mail client to the sender's mail server, does not necessarily require port 25; other ports can also be used (if port 25 is used, this is the inbound direction for the sender's mail server). The second step only specifies that the receiving server must accept mail on port 25: the destination port of the requests the sending server makes to the receiving server is 25, which is the outbound direction for the sending server, and there is no requirement on the source port the sending server uses.
To summarize in one sentence: SMTP port 25 outbound means that the mail server uses the SMTP protocol to reach other people's port 25; SMTP port 25 inbound means that others use the SMTP protocol to reach port 25 of the mail server.
The specific process of sending mail from the sending server to the receiving server can be seen in the figure below. This is a packet capture of my own mail server sending mail to a 139 mailbox. You can see that my mail server (the sending server) first completes the TCP three-way handshake with port 25 of the 139 mail server (the receiving server), and then the 139 mail server speaks first over the established connection (its SMTP greeting), with port 25 as its source port:
Generally speaking, cloud server providers block port 25 on cloud hosts. This blocking actually refers to the outbound direction, and its purpose is to stop you from setting up a mail server and sending spam. After all, the SMTP protocol appeared relatively early and lacks any authentication mechanism for the sender. That lack of authentication makes SMTP very permissive, and that permissiveness of course extends to spam.
In fact, even if the cloud provider blocks port 25 (outbound), it only prevents your mail server from sending emails directly over SMTP. Inbound SMTP port 25 is not blocked, so you can still receive emails sent by other mail servers over SMTP.
If you want to apply to the cloud provider to unblock port 25, first of all, you need to buy a relatively expensive annual prepaid cloud host. Secondly, whether the application for unblocking can be approved depends on luck. Because the Tencent cloud host I bought is the cheapest lightweight server, I am not eligible to apply for unblocking, and finally I can only use home broadband.
Configure domain name resolution records
To set up a mail server, you must first set up the relevant DNS records on your domain name provider. Taking the domain name example.com as an example, the DNS records that need to be added to the example.com domain on the domain name provider are as shown below:
The host record @ for the MX and TXT types above indicates that the email suffix is example.com. If the email suffix is another second-level domain, such as "@mail.example.com", then the @ here should be changed to "mail.example.com". The purpose of the three CNAMEs is to give email clients server addresses for access via different protocols. This is just for easy memorization and is not necessary; using mail.example.com directly works the same.
The first three records must be configured. The A record and MX record together allow your mailbox to receive emails normally. The A record and the TXT record together (this TXT should really be an SPF record; because some domain providers do not support the SPF record type, TXT is used instead, and the content is the same) allow emails sent from your mailbox to pass the recipient's basic SPF check.
If your mailbox is able to use outbound SMTP port 25, it can send out emails normally to the email servers of various email providers. However, whether the emails can eventually reach the recipient's inbox or even the spam folder is another issue. We will discuss this separately in the next section "Email Scoring".
In addition, because the export address of my home broadband is a dynamic public IPv4, I need to use a tool to synchronize the export public address to Tencent Cloud's dnspod domain name management in real time. I use the dynamic domain name tool that comes with the iKuai router to complete this. This is very important because it involves SPF records. The details will be discussed in the next section.
Email Rating
In the previous section, we mentioned that as long as outbound SMTP port 25 is available, all emails sent from your mailbox to other addresses can reach the destination mail server (thanks to the permissiveness of the SMTP protocol). However, because of this permissiveness, spam can also reach the destination mail server. Therefore, each email service provider has its own rating system to decide whether an email is spam. Although the rating systems differ, some basic judgment steps are common to all of them:
rDNS
Reverse DNS is based on reverse resolution from IP to domain name (called reverse because the forward direction resolves a domain name to an IP). The receiving server looks up the PTR record of the source IP address of the received email and compares the result with the sender's email domain name. There are two possible outcomes:
1. A PTR record is found but does not match: the sender is treated as forged.
2. No PTR record is found: the sender's IP has no PTR record configured in DNS. The sender may not be a bad actor, but it is certainly not a regular army. Different providers handle this differently: they may directly reject or discard the email, or just lower its reputation score.
I have home broadband and cannot set PTR records, so I fall into the second case. From my test results, Gmail and QQ mailboxes cannot receive my mail at all (it is not even qualified to go to the spam folder...), but 163 and 139 mailboxes can.
SPF Record
The purpose of the Sender Policy Framework is to prevent a sender from forging the sender address at will. The principle is very simple: the recipient's mail server looks up the IP addresses authorized for the sender's email domain and compares them with the source IP of the received email to see whether they match. This requires setting an SPF record or TXT record in the DNS zone of the sender's domain (see the previous section). There are several syntax forms for SPF record values to specify different IPs; you can look up the detailed syntax yourself.
Note that different domain name providers may differ slightly in how the syntax symbols are written. For example, "mx" followed by the "all" qualifier means to deny all IP addresses except those resolved from the MX record; "all" as written here is the form used on Tencent Cloud DNSPod, whereas Alibaba Cloud mail writes it as "-all". So when adding SPF records, please read the relevant instructions of your domain name provider.
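The two receiver-side checks described above (rDNS and SPF), as an added example that is not part of the original article: a simplified evaluator with a constructed in-memory stand-in for DNS (example.com, mail.example.com and 203.0.113.10 are assumed sample values) so that it runs offline; a real check would query DNS instead.

```python
import ipaddress

# Constructed, offline stand-in for DNS (not real records): maps
# (name, record type) -> answers. A real check would query DNS instead.
FAKE_DNS = {
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    # The PTR record is exactly what home broadband usually lacks.
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com"],
}


def lookup(name, rrtype, dns=FAKE_DNS):
    return dns.get((name.rstrip(".").lower(), rrtype), [])


def fcrdns(ip, dns=FAKE_DNS):
    """Forward-confirmed reverse DNS, as a receiving server does it:
    the PTR name for ip must itself resolve (A) back to ip.
    Returns the confirmed hostname, or None when there is no PTR record
    or the PTR name does not point back (treated as a likely forgery)."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    for host in lookup(rev, "PTR", dns):
        if ip in lookup(host, "A", dns):
            return host.rstrip(".")
    return None


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, sender_domain, dns=FAKE_DNS):
    """Simplified SPF evaluation (RFC 7208 subset): the ip4, a and mx
    mechanisms plus all, each with an optional qualifier (+ - ~ ?).
    Returns pass/fail/softfail/neutral, 'none' when the domain publishes
    no SPF record, or 'permerror' on malformed or unsupported input."""
    records = [t for t in lookup(sender_domain, "TXT", dns)
               if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is invalid
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(arg or sender_domain, "A", dns)
        elif mech == "mx":
            hosts = lookup(arg or sender_domain, "MX", dns)
            matched = any(ip in lookup(h, "A", dns) for h in hosts)
        else:
            return "permerror"  # include:, exists:, redirect= not modelled
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term was present


def with_spf(record, dns=FAKE_DNS, domain="example.com"):
    """Copy of the fake zone with a different SPF record, for experiments."""
    d = dict(dns)
    d[(domain, "TXT")] = [record]
    return d


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, "rDNS:", fcrdns(ip), "SPF:", spf_check(ip, "example.com"))
```

The second address has no PTR record and is not the MX host, so it is the home-broadband case the article describes: no rDNS and an SPF hard fail.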
DKIM
DomainKeys Identified Mail adds the sender's digital signature to the email header. After receiving the email, the recipient verifies the signature in the header: if verification succeeds, the email really was sent by the claimed sender; otherwise it is forged.
DKIM works on the traditional public-key principle. A key pair is generated: the public key is published in DNS, while the private key stays on the sending mail server. The sending server signs each outgoing email with the private key and attaches the signature in the email header. The receiving server fetches the public key from DNS, verifies the signature in the header with it, and so checks whether the email genuinely comes from the sender's domain. If verification fails, the email is judged as spam.
The DKIM key for poste is generated in the web console (we will come to that later) and then added to DNS as a TXT record (this is the public key mentioned above).
DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a standard built on SPF and DKIM. It is essentially a set of agreements: the sender of the email publicly declares through DNS which sending servers it uses (SPF) and signs outgoing emails with a private key (DKIM); the recipient checks whether the received email comes from a server authorized by the sender (by querying the SPF record of the email domain) and whether the signature is authentic (using the public key published in the DKIM record), and the DMARC record tells the recipient how to handle emails that fail the check (reject or put them in the spam folder) and whether to send reports to the sender's mailbox.
How to configure
The four points above correspond to four DNS records: a PTR record for rDNS, an SPF record (or TXT record) for SPF, a TXT record for DKIM, and a TXT record for DMARC; the last three are set on the sending mailbox's domain.
Some VPS providers can set PTR records directly, but it is difficult in China. In any case, PTR records on Tencent Cloud have requirements on the cloud host type, and 5 PTRs cost 1,500 per year.
I have already talked about how to add SPF records in the previous section. You can add the SPF record type directly or use the TXT record method. The content is the same.
DKIM is added in the form of TXT records. We will talk about the specific addition content later.
DMARC is added as a TXT record. Take Tencent Cloud DNSPod as an example:
Record type: TXT
Host record: _dmarc
Record value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]
Parameter explanation:
v=DMARC1
DMARC version number
p=none
Tells the recipient what to do when a forged sender is detected in an email. There are 3 options:
p=none: the recipient takes no action
p=quarantine: the recipient marks the email as spam
p=reject: the recipient rejects the email
rua=mailto:[email protected]
Optional; tells the recipient which email address to send aggregate reports to. This is only a "suggested retail price": whether the recipient follows the suggestion is hard to say.
ruf=mailto:[email protected]
Optional; tells the recipient which email address to send a failure report to when an email fails the SPF or DKIM check. Like rua, it is only a recommendation.
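The four records and the DMARC tags just described, as an added example that is not from the article or from poste: it builds the record set for a domain and sanity-checks DMARC and DKIM TXT values before they are pasted into the DNS provider (the -all qualifier, the selector name s1 and the fake public key are assumptions).

```python
import base64
import binascii

DMARC_POLICIES = ("none", "quarantine", "reject")

# Constructed stand-in for a DKIM public key: base64 that decodes to a DER
# SEQUENCE header, enough for the structural check below. A real value
# comes from the poste console (the <selector>._domainkey record).
FAKE_PUBKEY = base64.b64encode(bytes([0x30, 0x0D]) + b"\x00" * 13).decode()


def build_mail_dns_records(domain, mail_host, public_ip, dkim_selector,
                           dkim_pubkey_b64, dmarc_policy="none", report_addr=None):
    """Records to add at the DNS provider as (type, host, value) tuples.
    The PTR record is deliberately absent: it lives in the reverse zone of
    whoever owns the IP address, which the domain owner cannot create here."""
    if dmarc_policy not in DMARC_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    suffix = "." + domain
    label = mail_host[:-len(suffix)] if mail_host.endswith(suffix) else mail_host
    dmarc = f"v=DMARC1; p={dmarc_policy}"
    if report_addr:
        dmarc += f"; rua=mailto:{report_addr}; ruf=mailto:{report_addr}"
    return [
        ("A", label, public_ip),
        ("MX", "@", f"10 {mail_host}."),
        # mx -all: only the MX host may send; any other source hard-fails SPF
        ("TXT", "@", "v=spf1 mx -all"),
        ("TXT", f"{dkim_selector}._domainkey", f"v=DKIM1; k=rsa; p={dkim_pubkey_b64}"),
        ("TXT", "_dmarc", dmarc),
    ]


def parse_tags(value):
    """Split a 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_problems(value):
    """Checks for a DMARC TXT value; an empty list means it looks well-formed."""
    problems = []
    if not value.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    tags = parse_tags(value)
    if tags.get("p") not in DMARC_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        if tag in tags and not tags[tag].lower().startswith("mailto:"):
            problems.append(f"{tag}= must be a mailto: URI")
    return problems


def dkim_problems(host, value):
    """Checks for a DKIM TXT record; an empty list means it looks well-formed."""
    problems = []
    if not host.endswith("._domainkey"):
        problems.append("host record must be <selector>._domainkey")
    tags = parse_tags(value)
    if tags.get("k", "rsa").lower() != "rsa":
        problems.append("only k=rsa is expected here")
    if not tags.get("p"):
        problems.append("p= public key is missing or empty (revoked key)")
        return problems
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64 (check for stray spaces)"]
    if not der or der[0] != 0x30:
        problems.append("p= does not decode to a DER SEQUENCE (SubjectPublicKeyInfo)")
    return problems
```

The stray-space check matters when the key is copied out of the console by hand: a single line-wrap space inside p= silently breaks DKIM verification.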
In fact, in addition to the previous aspects, the sender's IP address itself is also very important: whether it is on the blacklist, whether it is a fixed IP, etc. are important criteria for the recipient's scoring.
You can use some tool websites to check online whether the IP address or domain name is in the blacklist, as follows:
https://mxtoolbox.com/blacklists.aspx
docker install poste
The docker command for poste is as follows:
docker run --name mailserver -d --restart=always --network=public-net \
  --hostname "mail.example.com" \
  -p 25:25 \
  -p 110:110 \
  -p 143:143 \
  -p 465:465 \
  -p 587:587 \
  -p 993:993 \
  -p 995:995 \
  -p 4190:4190 \
  -p 8080:80 \
  -p 8443:443 \
  -e "TZ=Asia/Shanghai" \
  -e "DISABLE_CLAMAV=TRUE" \
  -e "DISABLE_RSPAMD=FALSE" \
  -e "DISABLE_ROUNDCUBE=FALSE" \
  -e "HTTPS=OFF" \
  -v /docker/poste.io/data:/data \
  -v /etc/localtime:/etc/localtime:ro \
  -t analogic/poste.io
Port Description:
If the server hosting the mail system is a cloud host with a public IP, then apart from the webmail ports 8080 and 8443, which can be adjusted to your environment, the host-side mapping of the other ports should not be changed and should stay as in the command above. If it is deployed on an intranet, as with my home broadband, the host-side mapping does not matter; what matters is that the ports in the command above are forwarded on the egress router to the ports configured on the host machine.
Parameter Description:
--hostname "mail.example.com"
Specifies the domain name corresponding to the public IP of the server where the mailbox is built, which is the record value of the MX record in the domain name configuration in the previous section.
-e "DISABLE_CLAMAV=TRUE"
Disables the anti-virus function to reduce system resource consumption.
-e "DISABLE_RSPAMD=FALSE"
Set to TRUE to disable the anti-spam function and reduce system resource consumption; FALSE, as here, keeps it enabled.
-e "DISABLE_ROUNDCUBE=FALSE"
Set to TRUE to disable the webmail function. If you only use a mail client to send and receive email, it can be disabled, but generally it is better to keep it.
-e "HTTPS=OFF"
If you use poste behind a reverse proxy, this option turns off the redirect from the HTTP port to the HTTPS port. Generally, if you use this, you don't need -p 8443:443.
-v /docker/poste.io/data:/data
Mounts the host directory /docker/poste.io/data to the container's /data directory.
-v /etc/localtime:/etc/localtime:ro
Synchronize host clock
-t analogic/poste.io
Specify the image name, which is mainly used to distinguish between the free version and the professional version
After Docker runs successfully, use http://<host IP>:8080/admin/ to access the poste console. Because I use it with a reverse proxy, I passed the -e "HTTPS=OFF" parameter, so it can be accessed directly over http.
Configuring poste
initialization
Use http://<host IP>:8080/admin/ to log in:
The first time you log in, you need to configure the public domain name of the mail server (specified by the A record in the domain name section), in this case mail.example.com, then specify the administrator's email address and password and click Submit.
Create DKIM
Under Virtual domains, select example.com on the right side:
Click "create a new key" in the red box in the middle right:
Here is the generated DKIM:
In the picture above, s20231026459._domainkey is the host record of the DKIM TXT record, and the value in the red box, k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+dbUYLiyTlvAhyUINYw7FdHFNO8DSCMkQHbOAwQe0kWyGyDaXRRjp5LYPYawHIg+JyX+drnGepkg2w2rsN9UgNxkgKTnEmWLPGDdAwf2phjIKUT4Xw8y1TzL2nGaQK80lQWr1fNMxR8urcmiUZBCbQdPGRlqAVX1moymHd66Mk3MssvMW2WV9EjMJ5dqTplbP2NABuA+ygTtoP7zt1zo6QLTUvjsoD2hg26xtQy4DcXEtVzdlCjW22GUOwip7FyqiIgKfY2EGEzlsl7J5V+nisQzYqS6m7UUFSxqHr0EwKB8xMTvKCFofrwuWogTqsp9Gim01HDqLuTfLsHrynOhwIDAQAB, is the record value of the TXT record.
Setting up TLS certificates
If you want to use an email client to send and receive email over encrypted connections such as SMTPS, IMAPS and POP3S, you need to set up a TLS certificate for the mailbox:
Poste supports two methods: Let's Encrypt automatic certificate application and manual certificate upload, see the red box on the right:
The Let's Encrypt method is relatively simple, as follows:
After the configuration is complete, click Save Changes below to apply for a certificate automatically. However, this method apparently requires port 443, which my home broadband does not have, so the application failed. So I applied for a free certificate on Tencent Cloud and uploaded it manually:
The first line is the private key file of the mail.example.com certificate; in the second and third lines, select the certificate (public key) file of the domain. Finally, click Save changes below to save.
Note: after saving there is no success message; the page flashes and then returns to its original state:
This is normal. You can see that the certificate already exists in the ssl folder of the mounted data directory:
At this point, poste can send and receive emails normally. Receiving is not a problem; whether sent emails can be delivered to other people's inboxes depends on the configuration described in the email scoring section above. You can check the score on the following website:
Email Scoring Tool: https://www.mail-tester.com/
This website can test one mailbox three times a day. For example, the test results of my mailbox are as follows:
You can see the deduction items. Orange and red indicate the severity of the problem. For example, I got 3.1 points deducted for item 2. Click on it to see the details:
You can see that the biggest deductions are PYZOR_CHECK and RDNS. RDNS is my death knell, and there is nothing I can do about it: this one item alone causes the emails sent by my mailbox to be rejected by the large email providers. So what is PYZOR_CHECK? From the explanation, it requires the content of the email to look genuine; I sent a two-word test message, so it was probably looked down on.
This test score is only for reference. For example, the score was as high as 8.9 when I took the test last time:
It doesn't matter: if they can't receive it, they still can't receive it.
Finally, to log into webmail, use http://<host IP>:8080/webmail/ to log in to your mailbox:
Configuring public network access
If you want to publish to the public Internet, you need to choose the most suitable publishing method according to the actual environment and the reverse proxy you use. You can refer to my previous articles:
1. Docker series: use Docker to build your own reverse proxy based on NPM
2. Linux panel series: configure a reverse proxy and publish on a non-443 port
3. Home data center series: use domestic cloud hosting to get free Cloudflare acceleration for fast access to domestic sites from abroad
4. Home data center series: use Cloudflare to build a website quickly with no public IP on your home broadband (general purpose)
The first and second methods are suitable for environments with a public IP but no usable port 443 (home broadband, unregistered cloud host). You need to add a non-standard port after the URL (if you use Cloudflare to publish the site, you don't need to add a port, but you need to customize the origin port; see: Home data center series: use Cloudflare's Origin Rules to solve the problem of having a public IP but no usable ports 80 and 443 when building a website). The third method is suitable for registered cloud hosts, and the fourth method is suitable for all environments (including those without a public IP); it is also the method I recommend regardless of whether your environment has a public IP, because it does not require running HTTPS traffic directly on the public network.
In addition: the replace function of the nginx reverse proxy can hide the word "pro" on the web page, which looks a little cleaner, but it serves no real purpose.
Afterword
Finally finished. Writing this article was very tiring; I had to look up a lot of information, and the effort I spent is equivalent to writing many ordinary articles. I will see later if there is anything to add. Using home broadband email to receive emails is fine, but sending depends on luck (I guess the big regular email providers are not receptive). My tests now show that 163 and 139 mailboxes can receive my emails, but Gmail and QQ mail cannot. If you really want to set up a serious email server, try to use a foreign VPS that supports rDNS.
In addition: if you only need to receive emails, you can use Cloudflare's email routing function. In just a few steps, you can achieve the same receiving function as your own mail server. For the specific configuration steps, please refer to the article: Home Data Center Series: use Cloudflare to create a small mailbox with your own domain suffix.