Unfederated Email, Part II
==========================

A few years ago, I wrote a phlog entry about self-hosting an unfederated email server (which only sends emails among the users on the local machine). I set up the server on my home network and used it to send notes and files to my old devices. Since it was on my LAN, the server sent and received mails in clear text, without certificates and without encryption.

I mentioned in that post that my ultimate aim was to add encryption, so that I could access the server with my email client over the open internet. Several months later, a reader let me know that they'd like the setup details when I did it. Well, I finally set it up, and the details are below.

It's the simplest possible system. Each system user automatically has an email account on the server, using their regular username and password. It also requires the use of TLS on all connections. If you want to add new email users, just create a system user account for them. If you don't want them actually using the system, permit server logins with an RSA certificate only.

Why?
====

If you're wondering why a person might want an unfederated email server, I get it. But it does have uses. Mine is to send myself emails. I often send myself emails containing reminders, notes, and files. If I look at my inbox, almost all of the incoming traffic consists of commercial notifications. I hardly ever respond to those emails. In fact, when I look at my sent items, almost all of the outgoing traffic is notes to myself or emails to family. So why not keep some of that traffic away from my email provider?

I'm sure there are other reasons to do this as well. You might want to set up a private Delta Chat server. Or you might want to send emails among a small group of people or set up something like a groupchat or mailing list.

How?
====

The following setup guide is for an unfederated server running Debian 12 (Bookworm).
The server makes use of Dovecot for IMAP connections (for retrieving email), OpenSMTPD for SMTP (for sending), and mailutils (for some of the local setup on the machine). Since the server is unfederated and you don't have to scan for spam, the demands on the system are very light.

All of the setup below must be done as root.

1. Pre-installation
-------------------

A. Add backports to your repositories. The version of OpenSMTPD in Debian Bookworm has a TLS bug that prevents it from establishing secure connections. This caused me serious amounts of frustration before I found out about the bug!

To add backports, edit your /etc/apt/sources.list

Add the following line:

    deb http://deb.debian.org/debian bookworm-backports main

B. Update your server

    apt-get update
    apt-get upgrade

2. Installation
---------------

Install dovecot, OpenSMTPD, and mailutils:

    apt-get install mailutils dovecot-imapd
    apt-get install opensmtpd/bookworm-backports

When OpenSMTPD asks for the server name, give it the fully-qualified domain name (the full hostname of your server).

3. Dovecot Configuration
------------------------

A. Edit /etc/dovecot/conf.d/10-ssl.conf

Change the line "ssl = yes" to:

    ssl = required

If you want to use the self-signed certificate automatically created by Dovecot, make sure the following lines are uncommented (remove the octothorpe at the beginning of the line, if any):

    ssl_cert = </etc/dovecot/private/dovecot.pem
    ssl_key = </etc/dovecot/private/dovecot.key

Alternatively, if you have Let's Encrypt certificates on the server, you can link to them instead. In my case, I had them for the Apache2 webserver already, so the two lines above look like this instead:

    ssl_cert = </etc/apache2/ssl/fullchain.pem
    ssl_key = </etc/apache2/ssl/private/key.pem

Note: you have to put the < before the file link. It's mandatory!

B. Edit /etc/dovecot/conf.d/10-auth.conf

Uncomment the line:

    disable_plaintext_auth = yes

C. Edit /etc/dovecot/conf.d/10-master.conf

Find these lines:

    service imap-login {
      inet_listener imap {
        #port = 143
      }
      inet_listener imaps {
        #port = 993
        #ssl = yes
      }

Edit them to look like this:

    service imap-login {
      #inet_listener imap {
        #port = 143
      #}
      inet_listener imaps {
        port = 993
        ssl = yes
      }

4. OpenSMTPD Configuration
--------------------------

Edit /etc/smtpd.conf

Save the existing file as smtpd.conf.bak or something like that. Then delete the existing contents of /etc/smtpd.conf and cut and paste everything from "table" to the final "local" below into the file.

You can use the self-signed certificate/key pair created by Dovecot, or your Let's Encrypt set if you have one. Just comment out the certificate/key pair that you don't want to use. If your Let's Encrypt certificates are kept in a different directory, change the links as necessary (here and in Dovecot's /etc/dovecot/conf.d/10-ssl.conf file).

Wherever it says "your.domain.name" substitute your fully-qualified domain name.

    table aliases file:/etc/aliases

    #pki your.domain.name cert "/etc/dovecot/private/dovecot.pem"
    #pki your.domain.name key "/etc/dovecot/private/dovecot.key"
    pki your.domain.name cert "/etc/apache2/ssl/fullchain.pem"
    pki your.domain.name key "/etc/apache2/ssl/private/key.pem"

    listen on your.domain.name port 465 smtps pki your.domain.name auth

    action "local" mbox alias <aliases>

    match for local action "local"
    match from any for domain "localhost" action "local"
    match from any for domain "localhost.localdomain" action "local"
    match from any for domain "your.domain.name" action "local"

5. Restart the services to reload the configuration files:
----------------------------------------------------------

    systemctl restart dovecot
    systemctl restart opensmtpd

6. Open Ports
-------------

Open ports 465 and 993 in your firewall. If you don't have a firewall, look up ufw (uncomplicated firewall). It is very simple to use.
If the server is at home, you'll have to set up port forwarding on your router to gain external access. If your internet provider blocks ports 465 and 993, you can use different numbers. Just don't use ports regularly used by other services. You can find lists of commonly used ports by searching online.

7. Set up your email client
---------------------------

I use Claws-Mail and set it up as follows. Note that yourusername is the username from your account on the server.

Basic Tab
---------

    Email Address: yourusername@your.domain.name
    Protocol: IMAP
    Server for Receiving: your.domain.name
    SMTP server (send): your.domain.name
    User ID: yourusername   <-- don't include the @your.domain.name!
    Password: password for the user account on the server

Send Tab
--------

Check the box for SMTP Authentication. You don't have to fill in the User ID or Password.

TLS Tab
-------

Select the checkbox for "Use TLS" for both IMAP and SMTP.

Advanced Tab
------------

Select the checkbox for SMTP port and enter 465.
Select the checkbox for IMAP port and enter 993.

8. Final Notes
--------------

A. I suspect that in some situations using regular user accounts for email could pose a security risk by increasing the possibility of revealing usernames and passwords, but I only permit RSA key logins on my servers (and no root logins).

B. If you use a Let's Encrypt certificate, you'll probably want to add Dovecot and OpenSMTPD to the services that restart after each renewal. How you do that will depend on the client you use to update Let's Encrypt. Both certbot and acme.sh have that capability.
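
A small audit script for the TLS-only settings from steps 3 and 4, added here as an example (it is not part of the original post). The function names and the sample tree are made up for illustration; the file paths and settings are the ones from the guide.

```sh
#!/bin/sh
# Added example: audit the TLS-only settings from steps 3 and 4 of this guide.
# On the server, run as root:  audit_mail_tls /

# Print the value of the last uncommented "key = value" line in a file.
active_value() {  # $1 = file, $2 = key
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); out = v }
        END { print out }' "$1"
}

# Print each active OpenSMTPD "listen on" line that does not both force TLS
# (smtps or tls-require) and require authentication (auth, not auth-optional).
weak_listeners() {  # $1 = smtpd.conf
    grep -E '^[[:space:]]*listen[[:space:]]+on' "$1" | awk '
        !(/[[:space:]](smtps|tls-require)([[:space:]]|$)/ &&
          /[[:space:]]auth([[:space:]]|$)/)'
}

# Return 0 only if every check passes; print one FAIL line per problem.
audit_mail_tls() {  # $1 = filesystem root ("/" on the real server)
    root="${1%/}"; conf="$root/etc/dovecot/conf.d"; rc=0
    for f in "$conf/10-ssl.conf" "$conf/10-auth.conf" "$root/etc/smtpd.conf"; do
        [ -r "$f" ] || { echo "FAIL cannot read $f"; return 1; }
    done
    [ "$(active_value "$conf/10-ssl.conf" ssl)" = required ] ||
        { echo "FAIL 10-ssl.conf: ssl is not 'required'"; rc=1; }
    [ "$(active_value "$conf/10-auth.conf" disable_plaintext_auth)" = yes ] ||
        { echo "FAIL 10-auth.conf: disable_plaintext_auth is not 'yes'"; rc=1; }
    weak=$(weak_listeners "$root/etc/smtpd.conf")
    [ -z "$weak" ] || { echo "FAIL smtpd.conf: $weak"; rc=1; }
    return "$rc"
}

# Constructed sample tree (not real server files) so the script runs anywhere.
make_sample() {  # $1 = value for Dovecot's ssl setting; prints the temp root
    r=$(mktemp -d) && mkdir -p "$r/etc/dovecot/conf.d"
    printf '#ssl = yes\nssl = %s\n' "$1" > "$r/etc/dovecot/conf.d/10-ssl.conf"
    printf 'disable_plaintext_auth = yes\n' > "$r/etc/dovecot/conf.d/10-auth.conf"
    printf 'listen on your.domain.name port 465 smtps pki your.domain.name auth\n' \
        > "$r/etc/smtpd.conf"
    echo "$r"
}

audit_mail_tls "$(make_sample required)" && echo "sample tree: all checks pass"
```

The script reads only the files this guide edits. On the live server, `doveconf -n` prints Dovecot's effective settings and `ss -ltn` shows whether anything still listens on port 143.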