🎯 Why You Need Your Own Mail Server

A self-hosted mail server provides full control over your data, independence from third-party providers, and the flexibility to customize the setup for business needs. This solution is ideal for companies that value confidentiality, want to customize their email infrastructure, or aim to reduce operational costs.

• Full control over security settings and data retention policies
• Ability to integrate with internal systems and corporate applications
• Transparency in logging and auditing email traffic
• Cost savings on licenses when scaling

---

🔧 Server Preparation and Basic Configuration

Environment Requirements

• Server running Ubuntu 20.04 LTS or newer
• Domain name with configured A and MX records
• Open ports: 25 (SMTP), 143/993 (IMAP), 587 (Submission), 465 (SMTPS)
• Root access or sudo privileges

Creating a Dedicated User

For security, it is recommended not to work as root. Create a separate user with administrator privileges:

sudo adduser info
sudo usermod -aG sudo info

Configuring Secure SSH Access

• Change the default SSH port
• Disable root login
• Allow access only to trusted users
• Set up key-based authentication

Example configuration for /etc/ssh/sshd_config:

Port 7080
PermitRootLogin no
AllowUsers info myname

After making changes, restart the service:

sudo systemctl restart sshd

---

📬 Installing and Basic Postfix Configuration

Installing Packages

sudo apt update
sudo apt -y install postfix sasl2-bin mailutils

During Postfix setup, select "No Configuration" — we will configure it manually.

Key Parameters in /etc/postfix/main.cf

myhostname = test.ru
mydomain = test.ru
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/
message_size_limit = 10485760
mailbox_size_limit = 1073741824

Configuring SMTP Authentication via Dovecot

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, permit_sasl_authenticated, reject

Apply the changes:

sudo newaliases
sudo systemctl restart postfix

---

🗂️ Configuring Dovecot for Mail Access

Installing Components

sudo apt -y install dovecot-core dovecot-pop3d dovecot-imapd

Key Settings

/etc/dovecot/dovecot.conf

listen = *, ::

/etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = no
auth_mechanisms = plain login

/etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:/home/info/Maildir

/etc/dovecot/conf.d/10-master.conf — Integration with Postfix:

unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}

Restart the service:

sudo systemctl restart dovecot

---

🔐 Configuring TLS/SSL Encryption

Obtaining a Let's Encrypt Certificate

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d test.ru

Configuring Postfix for TLS

In main.cf, add:

smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/test.ru/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/test.ru/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

Configuring Dovecot for TLS

In /etc/dovecot/conf.d/10-ssl.conf:

ssl = yes
ssl_cert = /etc/letsencrypt/live/test.ru/fullchain.pem
ssl_key = /etc/letsencrypt/live/test.ru/privkey.pem

Apply the changes:

sudo systemctl restart postfix dovecot

---

🌐 Configuring Virtual Domains and Mailboxes

Postfix Configuration for Virtual Mailboxes

In main.cf:

virtual_mailbox_domains = test.ru
virtual_mailbox_base = /home/info
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox
virtual_uid_maps = static:20000
virtual_gid_maps = static:20000

Mapping File /etc/postfix/virtual-mailbox

info@test.ru    test.ru/info/Maildir/

Apply the mapping:

sudo postmap /etc/postfix/virtual-mailbox
sudo systemctl restart postfix

Configuring Authentication in Dovecot

Create the file /etc/dovecot/users with a hashed password:

sudo doveadm pw -s CRAM-MD5

Add a line in the following format:

info@test.ru:{CRAM-MD5}password_hash

In auth-passwdfile.conf.ext, specify the path to the users file and the authentication method.

---

🛡️ Configuring DNS Records to Improve Deliverability

SPF Record

Allows email sending only from your server:

test.ru. IN TXT "v=spf1 ip4:100.90.88.77 a mx ~all"

DMARC Policy

Specifies how to handle emails that fail authentication checks:

_dmarc.test.ru. IN TXT "v=DMARC1; p=none; aspf=r; sp=none"

It is recommended to start with the p=none policy for monitoring, then transition to p=quarantine or p=reject.

DKIM (Optional, but Recommended)

Signing outgoing emails with a cryptographic key.

Setup requires installing opendkim and publishing the public key in DNS.

---

📱 Connecting a Mail Client

Configuration Parameters

• IMAP Protocol: imap.test.ru, port 143 (or 993 with SSL)
• SMTP Protocol: smtp.test.ru, port 587 (STARTTLS) or 465 (SSL)
• Authentication: login — full email address, password — as set during creation
• Security: STARTTLS or SSL/TLS depending on the port

Recommended Clients

• Mozilla Thunderbird
• OnlyOffice Mail
• Nextcloud Mail
• K-9 Mail (Android)

---

🔍 Testing and Diagnostics

Testing Sending and Receiving

echo "Test message" | mail -s "Test" info@test.ru

Viewing Logs

sudo tail -f /var/log/mail.log

Analyzing Statistics

Install pflogsumm to generate reports:

sudo apt install pflogsumm
sudo pflogsumm -d today /var/log/mail.log

Online Checks

• Spam and reputation check: mail-tester.com
• DNS record validation: mxtoolbox.com
• TLS configuration test: ssl-labs.com

Port Testing

telnet test.ru 25
 telnet test.ru 587
 telnet test.ru 143

---

⚙️ Automation and Monitoring

Configuring Log Rotation and Notifications

Add a daily report to crontab:

00 01 * * * sudo pflogsumm -e -d yesterday /var/log/mail.log | mail -s 'Postfix Daily Report' admin@test.ru

Backup

Regularly archive:

• /etc/postfix/, /etc/dovecot/ — configuration files
• /home/info/ — mailboxes
• /etc/letsencrypt/ — certificates