Building a secure mail server


Naturally, with owning a domain, I can set up e-mail. Now I could use any number of free services to do this, but I’m choosing to host my own solution here. With the theme of containerization, I looked to see if there was a good solution using Docker, and that’s how I found Mailu.io. This project is a secure-by-design set of Docker images which makes setting up a secure e-mail server surprisingly easy.

This is a fully fleshed out e-mail solution. Beyond providing simple POP, IMAP, and SMTP services, Mailu.io provides web access to a mail client out of the box. Security can be enabled simply with Let’s Encrypt (Bonus!). It has anti-spam and anti-virus modules. This project even has a setup utility that builds you a docker-compose.yml.

Before I could even set this up, though, I had to consider where I would run this server. As a mail server, it’s desirable to have 100% uptime, if possible. This is why I decided on running this mail server in the Digital Ocean cloud. If I can minimize the memory footprint, I may be able to use this server for multiple purposes. I picked the smallest size for this server: 1 GB of RAM and 25 GB of SSD. More than enough for now. Digital Ocean automatically set up my SSH keys and installed a copy of CentOS 7. I then ran the same few commands from the WordPress docker host setup.

# curl -fsSL https://get.docker.com/ | sh
# systemctl enable docker
# systemctl start docker
# curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# chmod 755 /usr/local/bin/docker-compose

I also need to add a few records to DNS so that other mail servers can find mine:

The top record is an SPF record, which reduces e-mail forgery by telling receiving servers which hosts are allowed to send mail using this domain in the sender address. The A record simply reports the mail.ericpark.dev IP, and the MX record names the host that handles incoming mail for this domain.
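
How a receiving server uses those three records to judge a sender, as an added example that is not part of the original post. The SPF string "v=spf1 mx -all" and the address 192.0.2.10 are constructed stand-ins for the real records, and the evaluator handles only the all, ip4, a and mx mechanisms (no include, redirect or CIDR suffix on a/mx).

```python
import ipaddress

# Constructed sample data: 192.0.2.10 is a documentation address standing in
# for the real IP of mail.ericpark.dev, and the SPF string is an assumed record.
DNS = {
    ("ericpark.dev", "MX"): ["mail.ericpark.dev"],
    ("mail.ericpark.dev", "A"): ["192.0.2.10"],
    ("ericpark.dev", "TXT"): ["v=spf1 mx -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def hosts_for(mechanism, domain):
    """Return the IPs or networks that an ip4/a/mx mechanism authorizes."""
    name, _, arg = mechanism.partition(":")
    if name == "ip4":
        return [arg]
    target = arg or domain
    if name == "a":
        return DNS.get((target, "A"), [])
    if name == "mx":
        return [ip for mx in DNS.get((target, "MX"), [])
                for ip in DNS.get((mx, "A"), [])]
    return []  # unsupported mechanism: never matches in this sketch


def check_spf(sender_ip, domain):
    """Evaluate the domain's SPF record left to right for a connecting IP."""
    records = [t for t in DNS.get((domain, "TXT"), [])
               if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        for net in hosts_for(mechanism, domain):
            if ip in ipaddress.ip_network(net, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, check_spf(ip, "ericpark.dev"))
```

The mail host listed in the MX record passes, while any other address claiming to send for the domain hits "-all" and fails.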

After using the setup utility from Mailu.io, I copied the resulting docker-compose.yml and, after inspecting it, started it on my new cloud host. After it started I was able to access the admin console and away I went. It was much less painful than I have experienced previously. Admittedly, neither implementation ever met any real load; they are more like proofs of concept. However, it does enable me to receive e-mails at eric@ericpark.dev!

The server has a rather mild footprint, so I’ll be able to host other services on this host as well!

Under 500 MB. Still have half the memory left on this host for other services.

Upon further inspection of the docker-compose.yml, I thought it was interesting to see that it is implemented at its core with Dovecot and Postfix, which, ironically, were what I manually set up the last time I built a mail server.

After the server was up and running I was able to send and receive a few e-mails from my Gmail account. I went on to test the server for compliance using the following tool: MXToolbox

Looks good!

We like to see a good report! Particularly important is the Open Relay check. If this fails, your server could be used as a spam relay. No one wants more spam.

