Install iRedmail, Open-Source Mail Server, on Ubuntu
Updated by James Stewart Contributed by Nick Reichley
This is a Linode Community guide. If you’re an expert on something for which we need a guide, you too can get paid to write for us.
Why Run a Mail Server?
Running your own mail server has many benefits. It allows you to manage the size of your mailboxes and attachments, run hourly/daily email backups, view mail logs, and gives you the freedom to use any domain name available. The drawback is usually the in-depth and sometimes complicated process of installing all the necessary parts. This guide uses a streamlined process, the iRedMail install script, and should have you up and running your mail server in under 15 minutes.
Before beginning this guide you should have:
- A domain name.
- An understanding of the Linux command line.
- A Linode running Ubuntu 14.04.
This guide assumes you’ve followed the Linode Getting Started documentation If you haven’t done so, read through the guide, and return here following the completion of the “Setting the Hostname” section.
The steps required in this guide require root privileges. Be sure to run the steps below as
root or with the sudo prefix. For more information on privileges see our Users and Groups guide.
A DNS MX record tells the internet where to send email directed at you domain. Before your Linode can receive email for addresses at a domain, an MX record must be created for that domain, pointing to your Linode’s IP address. An example MX record can be found on the Linode Introduction to DNS records page.
Start by making sure your Linode is up-to-date by running the following commands:
apt-get update apt-get upgrade
Check your hostname to ensure a FQDN with a subdomain:
hostname hostname -f
iRedMail requires that you have a properly formatted Fully Qualified Domain Name (FQDN). The format is
hostname.domain.com. If your hostname is only your domain name, iRedMail will not install properly. Common hostnames for mail servers include
1 2 3 4
user@hostname:~$ hostname mail user@hostname:~$ hostname -f mail.domain.com
Download the latest release of iRedMail. The current release, as of 16 September 2014, is 0.8.7 and can be downloaded by entering the following:
cd /root/ wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.8.7.tar.bz2
Uncompress the package and run the script:
1 2 3
tar xjf iRedMail-0.8.7.tar.bz2 cd iRedMail-0.8.7 bash iRedMail.sh
The remainder of the installation refers to on-screen confirmation of default options and selections. With the exception of the backend and hostname selections, most users will simply confirm the default options and continue the installation.
The next few steps were taken directly from the iRedMail Ubuntu installation steps.
Press “enter” to say “yes” to installing iRedMail. NOTE: Ctrl-C will exit the installation process when pressed at any time prior to step #12.
Press “enter” to accept /var/vmail as the default mail storage directory
Use the “up” and down arrow keys to highlight your preferred backend. Press “space” to select your preferred option, then press “enter”. If you’re unsure, choose
Choose a password for your MySQL root administrator and press “enter”. Be sure to commit the password to memory or paper.
Enter your domain name as the first virtual domain name and press “enter”.
By default, iRedMail configures email@example.com as the default administrator. Enter a password for your iRedMail administrator and press “enter”.
The next screen lists optional components to be included in your MySQL backend. While none of these are required, We recommend the installation of all components, since the benefits of each add to the function and security of your mail server.
This step indicates that the configuration is complete, references the location of the SENSITIVE config file and asks (y or n) if you’d like to continue. Type “y”.
The installer then downloads and installs the appropriate files. After it completes, you will receive a prompt asking whether you would like to use iRedMail’s firewall rules at
/etc/default/iptables, and identifies your SSHD port. Type “y” to accept, or “n” if you want to configure your firewall manually.
After typing “y”, the install screen will ask if you’d like to restart the firewall. Type “y”.
The installation is now complete! While the bottom half of the screen is filled with useful URL information and the location of the iRedMail tips file, a couple emails will be waiting in firstname.lastname@example.org’s inbox.
Reboot the Linode and navigate to
https://mail.yourdomain.com/mailand login as “email@example.com” to retrieve the necessary info.
As a security precaution, we will remove the config file. This file is no longer needed after a successful iRedMail install, and contains sensitive information (usernames/passwords) about your mail server configuration.
iRedMail is packaged with a mail server account configuration called iRedAdmin. Below are the steps required to add a user/mailbox to your mail server.
To access iRedAdmin, navigate to
https://yourdomain.com/iredadminand log in with your firstname.lastname@example.org user.
Once the dashboard page loads, navigate to the
Adddropdown and select
Fill in the address, password, display name, and mailbox quota blocks then click Add will complete the process.
Certificates, SPF, DKIM, and rDNS
By default, iRedMail generates a key and self-signed certificate for the mail server, and web server. To avoid other email servers marking email from our server as spam, we’re going to install a trusted certificate.
The process of obtaining a trusted certificate is outside the scope of this guide. You can follow the Obtaining a Commercial SSL Certificate guide to obtain a certificate.
The next section assumes you have the .key and .crt (or .pem) file in hand and are ready to go.
Be sure to apply for a certificate covering either your subdomain (mail.yourdomain.com) or a wildcard of your domain so all subdomains are covered).
After first logging in to the postmaster account, you should have two emails waiting for you. The first is titled “Helpful Links iRedMail” and the second is titled “Details of this iRedMail installation.” In the 2nd email, there are various file paths we’ll need, since we’ll be replacing the SSL certificate and need to know the DKIM public key for our DNS TXT entry. First up, certificate replacement.
For if your certificate issuer uses
.pemfiles instead of
.crt, be sure to replace the file extension in the instructions below.
After moving your certificate and key onto your Linode, make a note of its location. The recommendation is to install in the same directories as the iRedMail default certificate and key. The certificate is located in
/etc/ssl/certs/and the key is in
mv mail.yourdomain.com.crt /etc/ssl/certs/ mv mail.yourdomain.com.key /etc/ssl/private/
To replace the certificates used by Apache2, substitute the following paths in
default-ssl.confwith the location of your certificate and key:
SSLCertificateFile /etc/ssl/certs/mail.yourdomain.com.crt SSLCertificateKeyFile /etc/ssl/private/mail.yourdomain.com.key
To replace the certificates used by Postfix, substitute the following paths in
main.cfwith the location of your certificate and key:
smtpd_tls_cert_file = /etc/ssl/certs/mail.yourdomain.com.crt smtpd_tls_key_file = /etc/ssl/private/mail.yourdomain.com.key
To replace the certs used by Postfix, substitute the following paths in
dovecot.confwith the location of your certificate and key:
ssl_cert = </etc/ssl/certs/mail.yourdomain.com.crt ssl_key = </etc/ssl/private/mail.yourdomain.com.key
To apply the certificate changes to both your web and mail server, run the following commands:
1 2 3
service apache2 restart service dovecot restart service postfix restart
If you encounter error messages during these commands, go back and confirm the correct paths are in place for your certificates.
SPF, DKIM and rDNS
This section covers the insertion of SPF and DKIM records in your DNS entry. SPF records allow us to specify the authority to send mail from our domain to specific IP addresses. DKIM records are another way of proving the validity of an email by allowing the receiver to check a public key, or the mail server’s DNS TXT record, against the DKIM key included in every email message sent by your mail server.
Navigate to your DNS provider, either where you purchased your domain name or Linode if you’ve transferred your DNS, and enter the following bits of information in your subdomain area to activate SPF. If you are using Linode’s DNS manager, you can leave the name field blank, but other DNS providers may require you to specify @ for the hostname.
1 2 3
hostname | ip address/url | record type | ttl -------- | ----------------------------- | ----------- | --- @ | v=spf1 ip4:22.214.171.124 -all | txt | 1800
For more information, you can check out the SPF website link recommended by iRedMail.
In the same area of your DNS host records, add the following entry to enable DKIM. The IP address/url entry following the “p=“ is your public DKIM key, which can be found in your “Details of this iRedMail installation” email about halfway down under the “DNS record for DKIM support” section. Copy everything BETWEEN the double quotes and place after the “p=“ portion of the dkim._domainkey DNS entry.
1 2 3
hostname | ip address/url | record type | ttl -------------- | ------------------- | ----------- | --- dkim._domainkey | v=DKIM1; p=MIGFdfs… | txt | 1800
A good way to test your mail server’s DKIM is to enter the following command:
You should receive
=> passas output.
For more information on DKIM records, you can check out the DKIM website link recommended by iRedMail.
To set your rDNS, check out the Setting Reverse DNS section of the DNS Manager guide. This is optional but gives additional credibility to a mail server for certain spam filters.
Apache Authentication Fix for Cluebringer and AWStats Login
Cluebringer (a.k.a. PolicyD v2) is a policy server utility for our mail transfer agent, Postfix. It provides a web-based interface (example) where you can fine tune policies applied to Postfix. For more info, see the Policy D documentation.
AWStats quickly analyzes and displays log files/server activity via a few web-based (or command line) statistical graphs. Using the configuration outlined below, it will display the # of emails sent, the total size of the emails, sender and receiver, time (hourly/daily/monthly), and SMTP error codes. An example can be seen here. For more info, see the AWStats documentation.
Due to “mod-auth-mysql” not working with Apache 2.4, the default installation cannot use the module to log in to Cluebringer or AWStats. Below is the fix, which can also be found in this iRedMail forum post.
apt-get install libaprutil1-dbd-mysql
Enable the two dbd apache modules:
a2enmod dbd authn_dbd
apache2.confby adding the text block below to the end of the file. Make sure to comment out the existing Auth_MySQL lines at the end of the file.
1 2 3 4 5 6 7 8 9
#MySQL auth (mod_dbd, libaprutil1-dbd-mysql) <IfModule mod_dbd.c> DBDriver mysql DBDParams "host=127.0.0.1 dbname=vmail user=vmail pass=(SUBSTITUTE WITH YOUR PASSWORD: see in your iRedMail.tips file)" DBDMin 1 DBDKeep 8 DBDMax 20 DBDExptime 300 </IfModule>
awstats.confto mirror the example text below, by adding the
mod_authn_dbdsection and commenting out the
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
<Directory /usr/lib/cgi-bin/> DirectoryIndex awstats.pl Options ExecCGI AuthType Basic AuthName "Authorization Required" ############################## # mod_auth_mysql (deprecated)# ############################## # AuthBasicAuthoritative Off # AuthUserFile /dev/null # # # Database related. # AuthMySQL_Password_Table mailbox # Auth_MySQL_Username_Field username # Auth_MySQL_Password_Field password # # # Password related. # AuthMySQL_Empty_Passwords off # AuthMySQL_Encryption_Types Crypt_MD5 # Auth_MySQL_Authoritative On # #AuthMySQLUserCondition "isglobaladmin=1" ################# # mod_authn_dbd # ################# # Password related. AuthBasicProvider dbd AuthDBDUserPWQuery "SELECT password FROM mailbox WHERE mailbox.username=%s" Order allow,deny Allow from all Require valid-user </Directory>
cluebringer.confto mirror the example text below, by adding the
mod_authn_dbdsection and commenting out
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
<Directory /usr/share/postfix-cluebringer-webui/webui/> DirectoryIndex index.php AuthType basic AuthName "Authorization Required" ############################## # mod_auth_mysql (deprecated)# ############################## # AuthMYSQL on # AuthBasicAuthoritative Off # AuthUserFile /dev/null # # # Database related. # AuthMySQL_Password_Table mailbox # Auth_MySQL_Username_Field username # Auth_MySQL_Password_Field password # # # Password related. # AuthMySQL_Empty_Passwords off # AuthMySQL_Encryption_Types Crypt_MD5 # Auth_MySQL_Authoritative On ################# # mod_authn_dbd # ################# # Password related. AuthBasicProvider dbd AuthDBDUserPWQuery "SELECT password FROM mailbox WHERE mailbox.username=%s" Order allow,deny Allow from all Require valid-user </Directory>
Restart Apache for the changes to take effect, then test them by logging in to either Cluebringer or Awstats.
service apache2 restart
Greylist a Recommendation
By default, Cluebringer starts with the greylisting feature enabled. While the implementation of greylisting does protect a mail server from receiving spam, there are unintended consequences to its operation. This was tested by sending a few emails from a well-known “free” email account to my new mail server. Most of the “free” email SMTP services are provided by SEVERAL SMTP servers that upon receiving the 4XX reply code from your server, since the hostname and IP of the SMTP server isn’t “known”, does retransmit the email. However, usually, the retransmitted email is from either another host or from the same host but from another IP address. The greylisting feature of Cluebringer either severely delayed, or completely denied, a few of the test emails.
For this reason, the author recommends turning this module off. Note, since being disabled, neither delays nor denials of email have been observed on the author’s mail server. Additionally, the mail server has yet to receive any spam.
Edit the Cluebringer config file (/etc/cluebringer/cluebringer.conf) to disable the Greylisting module.
Search for the term “Greylisting” (without the quotation marks).
Change the “1” to “0” to disable.
Restart Cluebringer to complete the changes.
service postfix-cluebringer restart
Final Test and Conclusion
As a final test, you can utilize a service such as Mail Tester to ensure that your records have been configured correctly. If you have followed this guide precisely, you should receive a score of 10/10 on Mail Tester’s site. If not, Mail Tester will provide you with a report indicating what portion of your configuration needs improvement.
While some DNS records update almost instantaneously, updates can take up to 24 hours to propagate. You may receive a lower score on these tests if your records have not yet updated.
Familiarize yourself with the various files, configs, and settings listed in the iRedMail emails and website and start adding users to your mail server. Happy Mailing!
This guide is published under a CC BY-ND 4.0 license.