Adventures in emailing

I so wanted to use Docker for my email server, but it was not meant to be.

I had spent about a day and a half, maybe even closer to two days, working on containerizing my existing email setup (which was heavily based on a superb series on Ars Technica). I was making progress, but there are so many inter-related services that creating a multi-container setup was rapidly becoming a headache. After searching around on the Interwebs, I stumbled across Mail-in-a-Box.

Mail-in-a-Box's approach is pretty straight-forward: take a freshly installed VPS running Ubuntu 14.04, run the install script, and blam!, you have a modern email server using best practices for security (DKIM, DMARC, DNSSEC). It includes:

Included with all of that is a web-based administrative interface that handles user creation, virtual domains, etc. Basically, it had everything I was currently running, plus a couple of extra goodies. And it's actively supported. Sounded like it was right up my alley.

Interestingly, there was an effort to containerize Mail-in-a-Box about 4 months ago, but it looks like it was abandoned. There's a bit of an impedance mismatch between Mail-in-a-Box's "install on a clean machine" approach and a container approach, wherein everything is already installed in the image file. I'll be keeping an eye on this effort, but since it will be a lot of work, I doubt I'll see any movement on this anytime soon.

Installation

I pretty much just followed the instructions, naturally with a couple of minor modifications:

  • I did a trial installation to see what the memory requirements really were. Turns out you can easily run it (for a small number of users) with only 512MB RAM, plus 1GB swap. This required editing setup/preflight.sh to change the memory check.
  • I wanted mail.timofejew.com, rather than the default box.timofejew.com for the hostname (simple to change in the install screen).

And that was about it... Everything else was as supplied. The installation went really smoothly. But because I decided to use my VPS provider's DNS, there were a few things I had to sort out. And the instructions provided for setting up a satellite mail system (I'm using a different machine for my webserver) didn't quite work out for me, but I was able to find a solution.

Using Digital Ocean's DNS

Although it's really neat that Mail-in-a-Box creates and manages a fully-functional authoritative DNS server (with DNSSEC), I felt that the sheer hassle of sorting out DNS glue records, setting up a secondary DNS server, etc., wasn't worth it. Thankfully, Mail-in-a-Box has a mechanism for allowing an external DNS system to work with it. Simply go to the 'External DNS' menu entry under 'System', and cut-n-paste all the values into the Digital Ocean DNS panel. But there are a couple of things to note:

  • When creating records for hosts within example.com, do not copy the FQDN from the Mail-in-a-Box page. Enter only the part to the left of example.com (e.g., _dmarc instead of _dmarc.example.com, or _dmarc.mail instead of _dmarc.mail.example.com).
  • Only one MX record is allowed for a domain, whereas Mail-in-a-Box expects to be able to set an MX record for each host. The upshot is that the SPF record for each host has to use the a:hostname mechanism instead of mx (an mx mechanism on a host with no MX record of its own matches nothing, so its mail fails SPF). For example, the TXT record for www.example.com must be set to v=spf1 a:mail.example.com -all instead of v=spf1 mx -all.

Once those tweaks are done, the Digital Ocean DNS will function as a substitute for the built-in DNS (with one major exception: there is no DNSSEC support - but I'm not concerned about that at this point in time - maybe in a couple of years).

Here is a screenshot of my current setup for timofejew.com:

Digital Ocean domain records for timofejew.com

And for those that like a more technical view, here's the zone file:

$ORIGIN timofejew.com.
$TTL 1800
timofejew.com. IN SOA ns1.digitalocean.com. hostmaster.timofejew.com. 1443584735 10800 3600 604800 1800  
timofejew.com. 1800 IN NS ns1.digitalocean.com.  
timofejew.com. 1800 IN NS ns2.digitalocean.com.  
timofejew.com. 1800 IN NS ns3.digitalocean.com.  
timofejew.com. 1800 IN MX 10 mail.timofejew.com.  
mail.timofejew.com. 1800 IN A 159.203.4.75  
mail.timofejew.com. 1800 IN AAAA 2604:a880:cad:d0::12:3001  
www.timofejew.com. 1800 IN A 159.203.14.195  
www.timofejew.com. 1800 IN AAAA 2604:a880:cad:d0::c:e001  
timofejew.com. 1800 IN A 159.203.14.195  
timofejew.com. 1800 IN AAAA 2604:a880:cad:d0::c:e001  
timofejew.com. 1800 IN TXT v=spf1 mx -all  
_dmarc.timofejew.com. 1800 IN TXT v=DMARC1; p=quarantine  
mail._domainkey.timofejew.com. 1800 IN TXT v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyoKgGNZ1tynrN7DuOtoT+5xypKmcwx9/9794U4pzitlcTmqVQtNUrbGpsceVnrIOR3mjVTWBByRUsRYNZRWvT/EtZxvyYHeeiza+soaOYVxlEEdaA+pwv2ZyLIXeitNAxldRH88sFh4eW0nV+g8gt6rvOkySvoq6s03EFm/n4yX7MqG2Q7NA4zHiao7GQ4igW0VEClBmlUTj6/OyocVRUnbW8vjFrAP6lrpak6RvnrbeUZEl+buGdBfY5UJ0ym/IjlkqfyjypMhXAowl4OTK0DUxBuVj2J90bRZisi0sqP3lyuRii11dMU8L85XLu8cqsmjVPANQwRuyd8Rk4SZXMwIDAQAB  
mail.timofejew.com. 1800 IN TXT v=spf1 a:mail.timofejew.com -all  
_dmarc.mail.timofejew.com. 1800 IN TXT v=DMARC1; p=quarantine  
mail._domainkey.mail.timofejew.com. 1800 IN TXT v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyoKgGNZ1tynrN7DuOtoT+5xypKmcwx9/9794U4pzitlcTmqVQtNUrbGpsceVnrIOR3mjVTWBByRUsRYNZRWvT/EtZxvyYHeeiza+soaOYVxlEEdaA+pwv2ZyLIXeitNAxldRH88sFh4eW0nV+g8gt6rvOkySvoq6s03EFm/n4yX7MqG2Q7NA4zHiao7GQ4igW0VEClBmlUTj6/OyocVRUnbW8vjFrAP6lrpak6RvnrbeUZEl+buGdBfY5UJ0ym/IjlkqfyjypMhXAowl4OTK0DUxBuVj2J90bRZisi0sqP3lyuRii11dMU8L85XLu8cqsmjVPANQwRuyd8Rk4SZXMwIDAQAB  
www.timofejew.com. 1800 IN TXT v=spf1 a:mail.timofejew.com -all  
_dmarc.www.timofejew.com. 1800 IN TXT v=DMARC1; p=quarantine  
mail._domainkey.www.timofejew.com. 1800 IN TXT v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyoKgGNZ1tynrN7DuOtoT+5xypKmcwx9/9794U4pzitlcTmqVQtNUrbGpsceVnrIOR3mjVTWBByRUsRYNZRWvT/EtZxvyYHeeiza+soaOYVxlEEdaA+pwv2ZyLIXeitNAxldRH88sFh4eW0nV+g8gt6rvOkySvoq6s03EFm/n4yX7MqG2Q7NA4zHiao7GQ4igW0VEClBmlUTj6/OyocVRUnbW8vjFrAP6lrpak6RvnrbeUZEl+buGdBfY5UJ0ym/IjlkqfyjypMhXAowl4OTK0DUxBuVj2J90bRZisi0sqP3lyuRii11dMU8L85XLu8cqsmjVPANQwRuyd8Rk4SZXMwIDAQAB  
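To make the two notes above mechanical, here is a small checker I added (it is not part of the post or of Mail-in-a-Box). It reads records in the same one-record-per-line layout as the zone file above, derives the relative names the Digital Ocean panel wants, and flags any host whose SPF relies on mx without having an MX record of its own. The zone it runs on is a constructed sample under example.com, not the real zone.

```python
import re

ZONE_ORIGIN = "example.com."

# Constructed sample in the zone file's layout, as Mail-in-a-Box would publish it
# before the tweaks in the notes: every host still says 'v=spf1 mx -all', which
# only works for names that actually carry an MX record.
SAMPLE_ZONE = """\
$ORIGIN example.com.
example.com. 1800 IN MX 10 mail.example.com.
mail.example.com. 1800 IN A 192.0.2.10
www.example.com. 1800 IN A 192.0.2.20
example.com. 1800 IN TXT v=spf1 mx -all
mail.example.com. 1800 IN TXT v=spf1 mx -all
www.example.com. 1800 IN TXT v=spf1 mx -all
_dmarc.mail.example.com. 1800 IN TXT v=DMARC1; p=quarantine
"""


def parse_zone(text):
    """Return (name, rtype, rdata) for 'name ttl IN type rdata' lines; $ORIGIN/$TTL/SOA are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            records.append((parts[0], parts[3], parts[4].strip()))
    return records


def relative_name(fqdn, origin=ZONE_ORIGIN):
    """Name as the Digital Ocean panel wants it: '_dmarc.mail', not '_dmarc.mail.example.com.'."""
    if fqdn == origin:
        return "@"
    suffix = "." + origin
    return fqdn[:-len(suffix)] if fqdn.endswith(suffix) else fqdn


MX_MECHANISM = re.compile(r"(^|\s)\+?mx(?=\s|$)")


def spf_issues(records, mail_host):
    """Map each host whose SPF uses 'mx' but has no MX record to the corrected TXT value."""
    mx_names = {name for name, rtype, _ in records if rtype == "MX"}
    host = mail_host.rstrip(".")
    issues = {}
    for name, rtype, rdata in records:
        if rtype != "TXT" or not rdata.startswith("v=spf1"):
            continue
        if MX_MECHANISM.search(rdata) and name not in mx_names:
            issues[relative_name(name)] = MX_MECHANISM.sub(lambda m: m.group(1) + "a:" + host, rdata)
    return issues


def digital_ocean_rows(records):
    """Rows to type into the panel: (relative name, type, rdata)."""
    return [(relative_name(name), rtype, rdata) for name, rtype, rdata in records]
```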

Satellite mail systems

I wanted to be able to send email from www.example.com, which is on another host. Mail-in-a-Box has some instructions for setting that up, but they didn't quite work.

The trouble was that www was sending to port 25 on the mail host, so the mail host treated the messages as unauthenticated inbound mail and DMARC failed them. Mail submitted on port 587 is authenticated, so the DMARC test is not run against it. The fix was pretty simple: I had to tweak www's /etc/postfix/main.cf and /etc/postfix/relay_password. Here are the new contents:

/etc/postfix/main.cf

# comment out the earlier mention of 'mydestination' and 'relayhost'

# satellite: nothing is delivered locally, everything goes to the relay
mydestination =
# submission port, not 25, so the relay treats this as an authenticated submission
relayhost = [mail.example.com]:587
# verify the relay's certificate before any credentials are sent
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# authenticate with the credentials in relay_password
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password
# empty: allow the PLAIN/LOGIN mechanisms, which are safe inside the TLS session
smtp_sasl_tls_security_options =
# Digital Ocean's IPv6 isn't working between my www and mail hosts
inet_protocols = ipv4

/etc/postfix/relay_password

[mail.example.com]:587 www-host@example.com:secret-password

And, of course, creating www-host@example.com as an email user in the Mail-in-a-Box admin interface.
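Since the failure mode here is a relay that quietly falls back to port 25, here is a lint I added for a satellite's main.cf (my example, not from the post or Mail-in-a-Box). It parses the file and reports anything that would make the relay an unauthenticated or unverified connection; the two config fragments it checks are constructed samples, one broken and one matching the working setup above.

```python
import re

# Constructed samples: a satellite relaying plainly to port 25, and the working setup.
BROKEN_MAIN_CF = """\
mydestination =
relayhost = mail.example.com
"""
WORKING_MAIN_CF = """\
mydestination =
relayhost = [mail.example.com]:587
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password
smtp_sasl_tls_security_options =
inet_protocols = ipv4
"""


def parse_main_cf(text):
    """Postfix main.cf: 'key = value' lines; '#' comments skipped; indented lines continue."""
    settings, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last:
            settings[last] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        last = key.strip()
        settings[last] = value.strip()
    return settings


def relay_problems(settings, mail_host):
    """List what keeps the relay from being an authenticated, verified submission; [] is good."""
    problems = []
    relayhost = settings.get("relayhost", "")
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", relayhost)
    if not m or m.group(1) != mail_host:
        problems.append("relayhost should be [%s]:587, got %r" % (mail_host, relayhost))
    elif m.group(2) != "587":
        problems.append("relayhost uses port %s; port 25 is handled as unauthenticated inbound mail" % (m.group(2) or "25"))
    if settings.get("smtp_tls_security_level") not in ("verify", "secure"):
        problems.append("smtp_tls_security_level should be 'verify' so credentials never go to an impostor")
    if not (settings.get("smtp_tls_CAfile") or settings.get("smtp_tls_CApath")):
        problems.append("no smtp_tls_CAfile/CApath, so 'verify' has nothing to validate against")
    if settings.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        problems.append("smtp_sasl_auth_enable must be yes")
    if not settings.get("smtp_sasl_password_maps"):
        problems.append("smtp_sasl_password_maps is unset")
    return problems
```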

Apple OS X Mail setup

If you're using Mac OS X Mail as a client, you'll want to make sure your sent email is filed in a folder called Sent. By default, it will be set to Sent Messages if Sent doesn't already exist as a folder for that user. Although not normally a problem, it will manifest itself as one when also using the iOS mail client, as Z-push defaults to Sent as its sent folder, and won't file any email mailed from your iOS device (and there's no way to configure this on a per-user basis).

I authored a patch that was merged into the Mail-in-a-Box master branch. It will probably be part of the next (post-v0.13b) distribution - if you are installing v0.13b or earlier, you'll need to manually create the Sent folder for each OS X user (either from the command line with doveadm or from the Mail app itself), and then configure Mail to use Sent for sent messages (in Mail, select the new Sent folder, then under the menu item Mailbox select Use This Mailbox As and then select Sent).

If we're in a post-v0.13b world, just ignore the last two paragraphs... It's solved...

Further thoughts

Overall, I'm really liking the Mail-in-a-Box approach. They have migration scripts from prior setups, and assuming one doesn't mess around with what those scripts manage, further upgrades should be (relatively) painless. The admin interface is well documented, and if you have a decent knowledge of how mail systems are supposed to function, you shouldn't have any problem maintaining this system.

I'd like to run this all in Docker containers, but that's more a desire than a necessity, since this VPS is dedicated to running email. I'll probably re-install this as containers when support is added, but I'm not in a rush (and I don't want to spend a week or more doing that work myself - it's not that big of a deal since it's a dedicated machine).

There's a bit more detail that I could write about my specific setup (how I've configured Mac OS X mail, my iPhone, etc.), but there's plenty of resources on the Internet to help out with that. If I get bored one day, I may write another article with those details...