I so wanted to use Docker for my email server, but it was not meant to be.
I had spent about a day and a half, maybe even closer to two days, working on containerizing my existing email setup (which was heavily based on a superb series on Ars Technica). I was making progress, but there are so many inter-related services that creating a multi-container setup was rapidly becoming a headache. After searching around on the Interwebs, I stumbled across Mail-in-a-Box.
Mail-in-a-Box's approach is pretty straightforward: take a freshly installed VPS running Ubuntu 14.04, run the install script, and blam!, you have a modern email server, using best practices for security (DKIM, DMARC, DNSSEC). It includes:
- Postfix for the mail transport
- Dovecot for user authentication, filters, IMAP, and POP3
- SpamAssassin for spam detection
- Z-push for ActiveSync push email
- Roundcube for web email
Included with all of that is a web-based administrative interface that handles user creation, virtual domains, etc. Basically, it had everything I was currently running, plus a couple of extra goodies. And it's actively supported. Sounded like it was right up my alley.
Interestingly, there was an effort to containerize Mail-in-a-Box about 4 months ago, but it looks like it was abandoned. There's a bit of an impedance mis-match between the approach Mail-in-a-Box is taking with its "install on a clean machine" vs. a container approach, wherein everything is already installed in the image file. I'll be keeping an eye on this effort, but since it will be a lot of work, I doubt I'll see any movement on this anytime soon.
I pretty much just followed the instructions, naturally with a couple of minor modifications:
- I did a trial installation to see what the memory requirements really were. Turns out you can easily run it (for a small number of users) with only 512MB RAM, plus 1GB swap. This required me to edit `setup/preflight.sh` to change the memory check.
- I wanted `mail.timofejew.com`, rather than the default `box.timofejew.com`, for the hostname (simple to change in the install screen).
And that was about it... Everything else was as supplied. The installation went really smoothly. But because I decided to use my VPS provider's DNS, there were a few things I had to sort out. And the instructions provided for setting up a satellite mail system (I'm using a different machine for my webserver) didn't quite work out for me, but I was able to find a solution.
Using Digital Ocean's DNS
Although it's really neat that Mail-in-a-Box creates and manages a fully-functional authoritative DNS server (which will also perform DNSSEC authentication), I felt that the sheer hassle of sorting out DNS glue records, setting up a secondary DNS server, etc. wasn't worth it. Thankfully, Mail-in-a-Box has a mechanism for allowing an external DNS system to work with it. Simply go to the 'External DNS' menu entry under 'System', and cut-n-paste all the values to the Digital Ocean DNS panel. But there are a couple of things to note:
- When creating records for hosts within `example.com`, do not copy over the FQDN from the Mail-in-a-Box page. Just use everything to the left of
- Only one `MX` record is allowed for a domain, whereas Mail-in-a-Box expects to be able to set an MX record for each host. The upshot of this is that the SPF records for each host need to be modified to use an `a:hostname` nomenclature. For example, the SPF record for `www.example.com` must be set to `v=spf1 a:mail.example.com -all` instead of `v=spf1 mx -all`.
Once those tweaks are done, the DO DNS will function as a substitute for the built-in DNS (with one major exception: there is no DNSSEC support - but I'm not concerned about that at this point in time - maybe in a couple of years).
Here is a screenshot of my current setup for
And for those that like a more technical view, here's the zone file:
```
$ORIGIN timofejew.com.
$TTL 1800
timofejew.com. IN SOA ns1.digitalocean.com. hostmaster.timofejew.com. 1443584735 10800 3600 604800 1800
timofejew.com. 1800 IN NS ns1.digitalocean.com.
timofejew.com. 1800 IN NS ns2.digitalocean.com.
timofejew.com. 1800 IN NS ns3.digitalocean.com.
timofejew.com. 1800 IN MX 10 mail.timofejew.com.
mail.timofejew.com. 1800 IN A 22.214.171.124
mail.timofejew.com. 1800 IN AAAA 2604:a880:cad:d0::12:3001
www.timofejew.com. 1800 IN A 126.96.36.199
www.timofejew.com. 1800 IN AAAA 2604:a880:cad:d0::c:e001
timofejew.com. 1800 IN A 188.8.131.52
timofejew.com. 1800 IN AAAA 2604:a880:cad:d0::c:e001
timofejew.com. 1800 IN TXT v=spf1 mx -all
_dmarc.timofejew.com. 1800 IN TXT v=DMARC1; p=quarantine
mail._domainkey.timofejew.com. 1800 IN TXT v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyoKgGNZ1tynrN7DuOtoT+5xypKmcwx9/9794U4pzitlcTmqVQtNUrbGpsceVnrIOR3mjVTWBByRUsRYNZRWvT/EtZxvyYHeeiza+soaOYVxlEEdaA+pwv2ZyLIXeitNAxldRH88sFh4eW0nV+g8gt6rvOkySvoq6s03EFm/n4yX7MqG2Q7NA4zHiao7GQ4igW0VEClBmlUTj6/OyocVRUnbW8vjFrAP6lrpak6RvnrbeUZEl+buGdBfY5UJ0ym/IjlkqfyjypMhXAowl4OTK0DUxBuVj2J90bRZisi0sqP3lyuRii11dMU8L85XLu8cqsmjVPANQwRuyd8Rk4SZXMwIDAQAB
mail.timofejew.com. 1800 IN TXT v=spf1 a:mail.timofejew.com -all
_dmarc.mail.timofejew.com. 1800 IN TXT v=DMARC1; p=quarantine
mail._domainkey.mail.timofejew.com. 1800 IN TXT v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyoKgGNZ1tynrN7DuOtoT+5xypKmcwx9/9794U4pzitlcTmqVQtNUrbGpsceVnrIOR3mjVTWBByRUsRYNZRWvT/EtZxvyYHeeiza+soaOYVxlEEdaA+pwv2ZyLIXeitNAxldRH88sFh4eW0nV+g8gt6rvOkySvoq6s03EFm/n4yX7MqG2Q7NA4zHiao7GQ4igW0VEClBmlUTj6/OyocVRUnbW8vjFrAP6lrpak6RvnrbeUZEl+buGdBfY5UJ0ym/IjlkqfyjypMhXAowl4OTK0DUxBuVj2J90bRZisi0sqP3lyuRii11dMU8L85XLu8cqsmjVPANQwRuyd8Rk4SZXMwIDAQAB
www.timofejew.com. 1800 IN TXT v=spf1 a:mail.timofejew.com -all
_dmarc.www.timofejew.com. 1800 IN TXT v=DMARC1; p=quarantine
mail._domainkey.www.timofejew.com. 1800 IN TXT v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyoKgGNZ1tynrN7DuOtoT+5xypKmcwx9/9794U4pzitlcTmqVQtNUrbGpsceVnrIOR3mjVTWBByRUsRYNZRWvT/EtZxvyYHeeiza+soaOYVxlEEdaA+pwv2ZyLIXeitNAxldRH88sFh4eW0nV+g8gt6rvOkySvoq6s03EFm/n4yX7MqG2Q7NA4zHiao7GQ4igW0VEClBmlUTj6/OyocVRUnbW8vjFrAP6lrpak6RvnrbeUZEl+buGdBfY5UJ0ym/IjlkqfyjypMhXAowl4OTK0DUxBuVj2J90bRZisi0sqP3lyuRii11dMU8L85XLu8cqsmjVPANQwRuyd8Rk4SZXMwIDAQAB
```
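To see why the `mx` mechanism breaks once only the apex can carry an MX record, here is a small SPF evaluator (an added example, not part of the original post or of Mail-in-a-Box) run over a constructed in-memory zone laid out like the one above; the `example.com` names and `203.0.113.x` addresses are made up, and only the `a`, `mx`, `ip4` and `all` mechanisms are implemented, with no real DNS lookups.

```python
import ipaddress

# Constructed zone (not the real one above): a single MX at the apex, an A
# record per host, and no MX for www, exactly the situation the DO panel forces.
ZONE = {
    ("example.com.", "MX"): ["10 mail.example.com."],
    ("example.com.", "A"): ["203.0.113.10"],
    ("mail.example.com.", "A"): ["203.0.113.25"],
    ("www.example.com.", "A"): ["203.0.113.80"],
}

def lookup(name, rtype):
    """Resolve a name/type pair against the constructed zone (trailing dot optional)."""
    return ZONE.get((name.rstrip(".") + ".", rtype), [])

def check_spf(record, sender_domain, client_ip):
    """Evaluate an SPF record for mail sent as sender_domain from client_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror',
    following the mechanism order and first-match rule of RFC 7208.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":                      # a / a:host -> A record of that host
            matched = str(ip) in lookup(arg or sender_domain, "A")
        elif mech == "mx":                     # mx -> A records of the domain's MX hosts
            hosts = [mx.split()[1] for mx in lookup(arg or sender_domain, "MX")]
            matched = any(str(ip) in lookup(h, "A") for h in hosts)
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"                 # unknown mechanism
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"                           # no mechanism matched, no 'all'

if __name__ == "__main__":
    mail_ip = "203.0.113.25"
    # www.example.com has no MX record of its own, so 'mx' never matches and
    # '-all' rejects the relay; naming the relay explicitly with 'a:' passes.
    print("mx   :", check_spf("v=spf1 mx -all", "www.example.com", mail_ip))
    print("a:   :", check_spf("v=spf1 a:mail.example.com -all", "www.example.com", mail_ip))
```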
Satellite mail systems
I wanted to be able to send email from `www.example.com`, which is on another host. Mail-in-a-Box has some instructions for setting that up, but they didn't quite work.
The trouble is `www` was sending to port 25 on the mail host, and that was causing DMARC to treat it like unauthenticated email. Sending email to port 587 will not run the DMARC test. The fix was pretty simple. I had to tweak the config for `/etc/postfix/relay_password`. Here's the new contents:
```
# comment out the earlier mention of 'mydestination' and 'relayhost'
mydestination =
relayhost = [mail.example.com]:587
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password
smtp_sasl_tls_security_options =
# Digital Ocean's IPv6 isn't working between my www and mail hosts
inet_protocols = ipv4
```
And, of course, creating `email@example.com` as an email user in the Mail-in-a-Box admin interface.
Apple OS X Mail setup
If you're using Mac OS X Mail as a client, you'll want to make sure your sent email is filed in a folder called `Sent`. By default, it will be set to `Sent Messages` if `Sent` doesn't already exist as a folder for that user. Although not normally a problem, it will manifest itself as one when also using the iOS mail client, as Z-push defaults to `Sent` as its sent folder, and won't file any email mailed from your iOS device (and there's no way to configure this on a per-user basis).
I authored a patch that was merged into the Mail-in-a-Box master branch. It will probably be part of the next (post-v0.13b) distribution - if you are installing v0.13b or earlier, you'll need to manually create the `Sent` folder for each OS X user (either from the command line with `doveadm` or from the Mail app itself), and then configure Mail to use `Sent` for sent messages (in Mail, select the new `Sent` folder, then under the menu item `Use This Mailbox As` and then select
If we're in a post-v0.13b world, just ignore the last two paragraphs... It's solved...
Overall, I'm really liking the Mail-in-a-Box approach. They have migration scripts from prior setups, and assuming one doesn't mess around with what those scripts manage, further upgrades should be (relatively) painless. The admin interface is well documented, and if you have a decent knowledge of how mail systems are supposed to function, you shouldn't have any problem maintaining this system.
I'd like to run this all in Docker containers, but that's more a desire than a necessity, since this VPS is dedicated to running email. I'll probably re-install this as containers when support is added, but I'm not in a rush (and I don't want to spend a week or more doing that work myself - it's not that big of a deal since it's a dedicated machine).
There's a bit more detail that I could write about my specific setup (how I've configured Mac OS X mail, my iPhone, etc.), but there's plenty of resources on the Internet to help out with that. If I get bored one day, I may write another article with those details...