1 (edited by stilez 2018-07-02 17:08:32)

Topic: First time email server - some questions

==================== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): Current release (not yet installed)
- Linux/BSD distribution name and version: FreeBSD 11.x
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Unsure
- Web server (Apache or Nginx): Unsure
- Manage mail accounts with iRedAdmin-Pro? Probably
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

I'm a newcomer to managing my own email server. I currently manage email for several of my family, I have constant annoyances with the existing email providers, and no love of personal data on other people's computers. I also already have some FreeBSD experience, been running my own NAS/cloud for years, and running my own email server has been an idea for a long time. I discovered iRedMail a couple of years ago, and now I want to finally "do it".

As a noob, I have some questions....... please understand if some are a bit "basic"!


My expected email use would be small ("family" not "business") scale, maybe up to 10-20 accounts on 2 domains. Email traffic will be very light, maybe daily totals of only 20 - 100 incoming emails and 5 - 50 outgoing emails per day, mostly small < 1MB but occasionally up to 10-20MB (attached PDFs/photos). I'll probably dedicate a new small server to email, but I will be using AV/spam scanning, webmail interface, as well as usual POP/IMAP, which will add some load. The emails aren't very urgent, so fast CPU/processing isn't critical. I don't have any domain or certificates yet, because I have never needed them so far, but I will now need them. I'm not using LDAP or any directory locally. The internet link here is fast and stable.


These are my questions... please be understanding!

  1. CPU spec:  I've already assumed 4GB 1600+ RAM, decent baseboard and SSD, and Intel NIC, but what sort of CPU (cores, generation, capabilities) is appropriate for my rather small use?

  2. Server security: As I'm security conscious but not so security experienced, I prefer to trust the work of others with more experience, so I will probably use a new (dedicated) FreeBSD server and the iRedMail ezjail install. I'm comfortable about securing the router/LAN/open ports, so it's just the email server itself that this is about. My concern is that the iRedMail jail may be well configured, but I haven't set up a FreeBSD server personally, so I don't have experience securing one. (All my FreeBSD servers are preconfigured "appliance style" as regards security: FreeNAS, pfSense, etc). I'm quite comfortable with CLI and happy to learn what I need, though. How severe a problem do I have in setting up a reasonably secured server to run iRedMail, and what is my best way to do it? Or does the iRedMail installer also set good general config on the server?

  3. Certificates: I've read the SSL knowledgebase article. What changes do I need to make to the instructions, if I want to host emails for 2 email domains?

  4. IP address issues?: I will be using email/SSL/WebUI from inside as well as outside the LAN. But inside the LAN the email server will be accessed using private instead of public IPs. What must I do, so that iRedMail and my certificates work properly from both LAN and WAN?

  5. Install options: MySQL or PostGreSQL? Apache or Nginx? Which options are least likely to give me trouble?


2 (edited by duckprojects 2018-07-03 05:02:17)

Re: First time email server - some questions

Hello stilez,

I'll try to answer some of your questions the best I can:

1) CPU spec:
My primary MX has been set up on an Ubuntu 16.04 machine with an AMD Athlon 64 X2 Dual Core Processor 4200+ (2.2GHz), 8 GB of DDR2 and IDE HDDs. I have also set up Monitorix on this machine and according to this tool, here are the mean stats for a beginning mail service with 2 domains and about 10 users:
Average system load: 0.15 0.14 0.12 (max never exceeds 0.6)
About 4GB of RAM

So in your case, I think you will be able to set it up on a machine with at least 6GB RAM DDR2 with an x64 CPU (2GHz at least) with little or no overload.

2) Secure at least your SSH access. The iRedMail install script provides and configures every tool needed to secure access to the services it sets up (fail2ban, iptables, auto-updates of the amavisd DB, ...). It is also possible (and very simple) to add your own configuration after the iRedMail install.

Look on this forum; there are a lot of resources on how to make changes so that they are kept even after an iRedMail components update.

iRedMail is very simple to install and the basic configuration is secured enough for a home use.

3) The iRedMail install script provides a self-signed certificate for your primary domain. I advise you to follow this simple tutorial in order to generate LetsEncrypt signed certificates for all domains you host on the server: https://forum.iredmail.org/topic12500-i … nginx.html

4) Generate LetsEncrypt certificates for example.org (See 3) and access your server from inside and outside your LAN by the same domain name (example.org/iredadmin/).

For outside LAN access config:
In the DNS server that manages your domain (generally your domain provider through a Web Interface), add an A record with your public IP for example.org.

For inside LAN access config, two solutions:

- If possible, configure the reverse proxy of your router with "example.org" (in this case, the DNS servers of all your machines on the LAN must be your router IP). It is the easiest solution if all machines (except servers) on your LAN are getting their IP configuration through your router DHCP.

- If the first solution is not possible, set up a DNS server on your LAN (on a RasPi or some low power board) and add an entry with your server's local IP and your domain name "192.168.0.xxx example.org" (in this case, the DNS servers of all your machines on the LAN must be your fresh DNS server's IP).

5) MySQL, but it is totally subjective. I began with it so... And I find that there is a lot of resources on the net about it.

Nginx: I used to work with Apache before but I recently dropped it for Nginx, which I find simpler than Apache to configure, and I read it is also faster. Anyway, iRedMail doesn't support Apache anymore, so if you want to use Apache, you have to choose not to install Nginx in the iRedMail install script and set up Apache manually. If you are new to this, I advise you to let the iRedMail script configure Nginx.

Please correct if I'm wrong,
Duck

(Sorry for mistakes, English is not my native language)

3

Re: First time email server - some questions

Read @duckprojects's reply, it's very useful. Thanks for sharing, @duckprojects.

Some additional info:

- Hardware spec: at least 2GB RAM is required, other specs don't matter that much (SSD, CPU, ...).
- Server security: if you don't mind trying OpenBSD, then give it a try. iRedMail supports the latest OpenBSD 6.3. FYI: https://docs.iredmail.org/install.iredm … enbsd.html

4 (edited by stilez 2018-07-04 03:56:34)

Re: First time email server - some questions

@duckprojects, ZhangHuangbin - these are such helpful replies, thank you!

My quick comments and follow-up:

  • Hardware - This solved my questions on hardware. I'm happy, thanks.

  • OS security - I like OpenBSD a lot, but have never yet used it (I'm more used to FreeBSD!). But it's the obvious thing - as OpenBSD's basic install is secure by design, and all I run is iRedMail, then the only security issues exposed could be issues that iRedMail exposes - not issues that my own basic OS setup exposes. For my email server to have a security issue, it would have to be a fault in iRedMail, not something I do myself, which degrades the default install, and execute actual insecure actions... and if it did that, I think people on this forum might just comment a lot and I would see it! So this seems a sensible way to ensure I get a reassuring safe installation. Correct?
    (Also, if there are small scale changes, like pf firewall, some sysctls, etc, I feel comfortable I can do these without compromising the OS, because I've used pfctl via pfSense CLI for many years)

  • File store/data safety - I originally planned to use FreeBSD with a ZFS dataset for the ezjail, and run a cron ZFS send/receive sync job to replicate it on my file server, but this isn't possible as OpenBSD doesn't have ZFS. So my one sadness is, I will have to give up ZFS, but I can experiment with putting the email store on a remote share on my file server (10G LAN/fast file server), or using rsync or something else. Will these both work? What do other people do?

  • Software - MySQL and Nginx seem as good as any, I'll be guided by comments above.

  • Domains/DNS records - I have a very competent and helpful ISP (UK only), the kind where the CEO takes technical calls if needed. I've been with them for 10 years. Their reply was that once I choose the domains, they'd be happy to help by setting up the full set of correct/optimal DNS records for email (including reverse PTR etc), at their end, or check I've done it right myself, whichever I prefer. Helpful! I'll configure private IPs and host resolution on my local resolver for LAN use.

  • Certificates - my main area of doubt in my own understanding. If I need more help to be sure I get this right, I'll ask. The rest seems straightforward now, thank you both!

  • Multi-domain email - I realise that I don't really understand what is needed, so that a single email server can handle email for >1 domains. Clearly I set external DNS for both domains, to point to the same (or different??) public IPs, but I'm a bit unclear what happens after that. Do they point to the same public IP or different? What do I need to do, either in the local DNS/resolver, or in iRedMail, so it is handled correctly?

Any other comments/advice/hints welcome of course!

5

Re: First time email server - some questions

Hello stilez,

I'll still try to answer your remaining questions :-P I will just answer those I can/know:

The solution I have to back up my data:
I have a NAS in my LAN (OpenMediaVault FYI) and so is my main MX. All my network is Gigabit Ethernet wired. I wrote a simple script in BASH and launch it via cron every 5 hours on all servers I have to back up. The script's algorithm:
- If it is the first backup of the week, make a full TAR backup of the server
- If it is not the first backup of the week, make an incremental TAR backup
- Push it through FTP (explicit TLS) to the NAS

TAR is easily configurable in one command line to make incremental backups and exclude some unneeded folders.
With this solution, it is very fast and simple to restore the data and configuration of your server after a crash, but you can lose up to 5 hours of data. In my case, I decided it was acceptable.
(I can post it on GitHub or elsewhere if someone is interested.)

Your backup solution's complexity really depends on how much data is acceptable to lose. The solution will be more complex if you want to lose the minimum of conf/data.

For an easy and fast 100% mail recovery, I'm thinking about a solution which implies a second MX in front of the first, which will store and forward mails to the first. So in case of failure, all e-mails have already transited through the front MX, so all mails can be recovered and accessed. I haven't tested the solution yet, but it should work.

For the multi-domains:
Yes, one server with iRedMail installed can manage all your domains. You just have to add them through the iRedAdmin interface after install (mx.example.com/iredadmin).

Example of DNS configuration:
Assuming that: the primary domain set up on iRedMail install is "example.com"; the second owned domain is "mysecdomain.com"; the MX is "mx.example.com"; the public IP of your MX is 1.2.3.4.

Edit the DNS for domain "example.com" as follows:
- An "MX" record "example.com mx"
- An "A" record "mx.example.org 1.2.3.4"

Edit the DNS for domain "mysecdomain.com" (and all other domains you manage with this MX) as follows:
- An "MX" record "mysecdomain.com mx.example.org"

Duck

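The records Duck lists above, written out as an added example in BIND zone-file syntax (not from the original post), using the names the post assumes (mx.example.com, 1.2.3.4). Every hosted domain needs only an MX record pointing at the one mail host; the A record exists once, in the zone of the domain the MX name belongs to; and the PTR lives in the reverse zone of whoever owns the IP block, which is why the ISP offered to set it up. The MX target must be a name with an A record, never a CNAME.

```zone
; example.com zone (the domain given to the iRedMail installer)
mx.example.com.         IN  A    1.2.3.4
example.com.            IN  MX   10  mx.example.com.

; mysecdomain.com zone: only an MX record, pointing at the same host
mysecdomain.com.        IN  MX   10  mx.example.com.

; reverse zone for 1.2.3.4, managed by the owner of the address block (the ISP)
4.3.2.1.in-addr.arpa.   IN  PTR  mx.example.com.
```

Once the records are published, `dig +short MX mysecdomain.com`, `dig +short A mx.example.com` and `dig +short -x 1.2.3.4` should return mx.example.com, 1.2.3.4 and mx.example.com respectively; a mismatch between the forward and reverse names is one of the commonest reasons outbound mail from a new server is rejected or scored as spam.
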
6 (edited by stilez 2018-07-04 14:21:38)

Re: First time email server - some questions

That sounds easy. My config won't change often, and there isn't much difference between a backup script run every 20 mins or every 5 hours - I think it's only if you have a large email store, or want to lose almost no emails, that it's going to be a problem. I can live with your solution, and script an equivalent. Which directories do you see as needed v. unneeded?

The multi-domain hint is very helpful, thanks! Now I'm just waiting for hardware to arrive.....