Mail Server

---------------------------> START DNS Records

A Record to Server IP for mail.domain.tld
CNAME autodiscover for mail.domain.tld
CNAME autoconfig for mail.domain.tld
MX Record for domain.tld with Content mail.domain.tld
SRV Record _autodiscover._tcp with Content 0 5 Port 443 Target mail.domain.tld
TXT Record for domain.tld with Content "v=spf1 ip4:YOUR_IPV4 ip6:YOUR_IPV6 -all"
TXT Record for _dmarc.domain.tld with Content "v=DMARC1; p=quarantine; adkim=s; aspf=s"

---------------------------> END DNS Records
---------------------------> START Docker Installation

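# Base system: bring packages current and pick the timezone (interactive prompt).
sudo apt update && sudo apt upgrade -y
sudo dpkg-reconfigure tzdata

# Needed to fetch and verify Docker's apt repository.
sudo apt-get install ca-certificates curl

# Docker's signing key lives in its own keyring; the signed-by= clause in the
# repository line below restricts that key to this one repository instead of
# trusting it for every apt source.
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# NOTE(review): the key is protected only by the TLS download above. Compare the
# fingerprint printed by `gpg --show-keys /etc/apt/keyrings/docker.asc` with the
# one published in Docker's install documentation before trusting the repository.

# Repository line built with printf instead of a multi-line echo: a stray space
# after a line-continuation backslash turns "\<newline>" into an escaped space and
# silently splits the command into two, leaving docker.list half-written.
arch=$(dpkg --print-architecture)
codename=$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")
printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu %s stable\n' \
  "$arch" "$codename" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Start the daemon now and on every boot (equivalent to separate start + enable).
sudo systemctl enable --now docker

# Smoke test: runs a throwaway container and prints a greeting if the daemon works.
sudo docker run --rm hello-world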

---------------------------> END Docker Installation
---------------------------> START Mailcow Installation

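# Checkout location for mailcow. -p makes this re-runnable (a plain mkdir fails
# as soon as /docker already exists) and the && keeps the clone out of the
# wrong directory if the cd fails.
mkdir -p /docker/mailcow && cd /docker/mailcow

git clone https://github.com/mailcow/mailcow-dockerized

cd mailcow-dockerized

# Interactive: asks for the mail host FQDN (mail.domain.tld), the timezone and
# a few other settings, then writes mailcow.conf into this directory.
./generate_config.sh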

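# Edit mailcow.conf before the first start. The nginx vhost at the end of these
# notes terminates TLS and proxies to http://localhost:8080, so mailcow's own web
# listener has to be moved to that port and bound to loopback (HTTP_PORT /
# HTTP_BIND and the HTTPS_* counterparts), and its built-in ACME client should
# be disabled (SKIP_LETS_ENCRYPT=y) since certbot + nginx own the certificate —
# confirm against mailcow's reverse-proxy documentation.
vim mailcow.conf

# Firewall: only the ports mailcow serves. Every rule below is world-reachable;
# narrow with ufw's from/to syntax where a service is only needed internally.

# SMTP (server-to-server delivery)
sudo ufw allow 25/tcp

# Submission (STARTTLS)
sudo ufw allow 587/tcp

# SMTPS (implicit TLS; deprecated but sometimes used)
sudo ufw allow 465/tcp

# IMAP (STARTTLS) — omit if clients only use 993
sudo ufw allow 143/tcp

# IMAPS (implicit TLS)
sudo ufw allow 993/tcp

# POP3 (STARTTLS) — omit if clients only use 995
sudo ufw allow 110/tcp

# POP3S (implicit TLS)
sudo ufw allow 995/tcp

# ManageSieve (mail filtering scripts like vacation replies)
sudo ufw allow 4190/tcp

# Web UI, autodiscover and autoconfig are served by the nginx vhost at the end of
# these notes on 80/443; without these two rules an active ufw would block them.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

sudo ufw status

# NOTE(review): docker-compose.yml is tracked by git and gets overwritten on
# update; local changes presumably belong in docker-compose.override.yml — confirm.
vim docker-compose.yml

docker compose up -d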

---------------------------> END Mailcow Installation
---------------------------> START NGINX Installation
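# Cloudflare API token for certbot's DNS-01 challenge. The parent /root/.secrets
# does not exist by default, so mkdir needs -p. The file is created empty with
# 0600 before the editor touches it, so the token is never world-readable in the
# window between the editor's write and the chmod (the default umask would create
# it 0644). Scope the token to DNS edit on this one zone only.
mkdir -p -m 700 /root/.secrets/certbot
install -m 600 /dev/null /root/.secrets/certbot/cloudflare.ini
vim /root/.secrets/certbot/cloudflare.ini
# cloudflare.ini contents, one line:
#   dns_cloudflare_api_token = TOKEN
chmod 600 /root/.secrets/certbot/cloudflare.ini

apt install certbot python3-certbot-dns-cloudflare

# Wildcard + apex certificate. Wildcards are only issuable via DNS-01, hence the
# Cloudflare plugin. Files land in /etc/letsencrypt/live/domain.tld/.
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini \
  -d '*.domain.tld' -d domain.tld \
  --preferred-challenges dns-01 \
  --agree-tos --no-eff-email --email [email protected]
# NOTE(review): nothing here reloads nginx after a renewal, and these notes do not
# hand the certificate to mailcow's own SMTP/IMAP services. Add a --deploy-hook
# once nginx is installed and check mailcow's docs for using the Let's Encrypt files.

apt install nginx

# Vhost file: contents are the two server{} blocks at the end of these notes.
# Absolute paths so these steps do not depend on the current directory.
vim /etc/nginx/sites-available/mail_domain_tld
ln -s /etc/nginx/sites-available/mail_domain_tld /etc/nginx/sites-enabled/mail_domain_tld

# Only reload when the config passes the syntax check.
nginx -t && systemctl reload nginx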

---------------------------> END NGINX Installation
---------------------------> START Mailcow Login

admin
moohoo (mailcow's default admin credentials — change the password right after the first login)

---------------------------> END Mailcow Login
---------------------------> START DNS Records Part 2

TLSA Record for _25._tcp.mail.domain.tld with Content 3 1 1 [Value from Mailcow]

TXT Record for dkim._domainkey.domain.tld with Content [Value from Mailcow]

---------------------------> END DNS Records Part 2
# TLS-terminating reverse proxy in front of mailcow's web UI. The upstream is
# expected on localhost:8080 — presumably mailcow's HTTP_PORT/HTTP_BIND in
# mailcow.conf; confirm they match.
server {
    server_name domain.tld mail.domain.tld autodiscover.domain.tld autoconfig.domain.tld;
    # Attachment uploads pass through this proxy; nginx's default cap is 1m.
    client_max_body_size 1G;

    location / {
        proxy_pass http://localhost:8080;
        # Pass the original host, client address and scheme on so the backend
        # sees the real client rather than this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # NOTE(review): nginx >= 1.25.1 deprecates the http2 listen parameter in
    # favour of a separate "http2 on;" directive — adjust on newer builds.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Wildcard + apex certificate issued by the certbot step above.
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Tickets off: no ticket-key rotation is configured here, and a static
    # ticket key would weaken forward secrecy for resumed sessions.
    ssl_session_tickets off;

    # TLS 1.2+ only; the listed suites are all ECDHE + AEAD, and the server's
    # preference order wins for TLS 1.2 clients.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';

    # Hardening headers; "always" emits them on error responses too. Any
    # add_header inside a location block replaces this whole set for that
    # location, so keep locations header-free or repeat the set there.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Permissions-Policy "geolocation=(), microphone=()" always;
    # NOTE(review): X-XSS-Protection is deprecated and ignored by current
    # browsers; the usual recommendation is to drop it or set it to "0".
    add_header X-XSS-Protection "1; mode=block" always;
}

# HTTP redirect block
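# Plain-HTTP listener: only redirects to HTTPS (certbot uses DNS-01 above, so no
# ACME challenge path has to be served on port 80). Listens on IPv6 as well,
# matching the HTTPS block and the ip6: entry in the SPF record.
server {
    listen 80;
    listen [::]:80;
    server_name domain.tld mail.domain.tld autodiscover.domain.tld autoconfig.domain.tld;
    # $host comes from the request; server_name limits which names reach this
    # block, so the redirect target cannot be steered to an arbitrary host
    # unless this block is also the default_server.
    return 301 https://$host$request_uri;
}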
