Building Your Own Mail Server on FreeBSD

05.05.2021 1,178 0

Having your own email server looks like a very challenging job for many, but don’t worry. We are here to show you how to build your own mail server on FreeBSD

What do you need for your mail server? 

A server with open port 25. You can get a Cloud server or a Dedicated server. You can get: 

OpenSMTPd – the MTA (message transfer agent), which we will use for the tutorial. It will execute the communication process (via the SMTP protocol) with the other mail servers and deliver the incoming emails to the inboxes of the users in our FreeBSD

Dovecot – This will be the MDA (mail delivery agent) for this guide. This one will be using IMAP or POP3 for delivering the emails to the users. 

Spamd – A spam filter. You can use different criteria to filter the emails and organize them in lists. 

The idea is: 

Outside world ➡️Firewall ➡️ spamd ➡️ OpenSMTPD ➡️ Mail boxes of users

Outside world ➡️ Firewall (spamd-allow list) ➡️ OpenSMTPD ➡️ Mail boxes of users

Outside world ➡️Firewall (IMAP/POP3)➡️Dovecot

Outside world ➡️ Firewall (SMTPD submission)

Installing the software for the mail server

The first step will be installing all the necessary software. For that purpose, you need to be an admin (have sudo permissions). You will need to use the following command: 

sudo pkg install opensmtpd dovecot spamd

We will need to edit the configuration by adding a few lines to the /etc/rc.conf:

pf_enable=”YES”

pf_rules=”/usr/local/etc/pf.conf”

pflog_enable=”YES”

pflog_logfile=”/var/log/pflog”

obspamd_enable=”YES”

obspamd_flags=”-v”

obspamlogd_enable=”YES”

dovecot_enable=”YES”

FreeBSD firewall configuration

We will be using the PF firewall, so our next step will be to create our configuration in  /usr/local/etc/pf.conf. Use the following default configuration:

## Set public interface ##

ext_if=”vtnet0″

## set and drop IP ranges on the public interface ##

martians = “{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \

          10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \

          0.0.0.0/8, 240.0.0.0/4 }”

table <spamd> persist

table <spamd-allow> persist

# Allowed webmail services

table <webmail> persist file “/usr/local/etc/pf.webmail.ip.conf”

## Skip loop back interface – Skip all PF processing on interface ##

set skip on lo

## Set the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##

set loginterface $ext_if

# Deal with attacks based on incorrect handling of packet fragments 

scrub in all

# Pass spamd allow list

pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \

    -> 127.0.0.1 port 25

# Pass webmail servers

rdr pass quick log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \

    -> 127.0.0.1 port 25

# pass submission messages.

pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state

# Pass unknown mail to spamd

rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \

    -> 127.0.0.1 port 8025 

## Blocking spoofed packets

antispoof quick for $ext_if

## Set default policy ##

block return in log all

block out all

# Drop all Non-Routable Addresses 

block drop in quick on $ext_if from $martians to any

block drop out quick on $ext_if from any to $martians

pass in inet proto tcp to $ext_if port ssh

# Allow Ping-Pong stuff. Be a good sysadmin 

pass inet proto icmp icmp-type echoreq

# Open up imap/pop3 support

pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state

# Allow outgoing traffic

pass out on $ext_if proto tcp from any to any modulate state

pass out on $ext_if proto udp from any to any keep state

Here we define a $ext_if variable for the vtnet0 device to use later on. We also define invalid IP addresses that should not be allowed on the external interface.

There are two tables spamd and spamd-allow that appear as default from the spamd. We also have another table webmailHere we will add big webmail providers.

To view a table, you can use the command:

pfctl -t tablename -T show 

The idea behind it is to skip processing on the local interface, enable statistics on the external interface and scrub incoming packets.

The next step is to manage the outgoing traffic to spamd or OpenSMTPd.

The syntax of the redirect rules is the old PF syntax. You can find some things strange. All the traffic that we receive on SMTP from hosts in the spamd table or not in the spamd-allow table will be redirected through the spamd deamon which will manage it. There are a few pass-through rules for receiving emails. We allow messages from the IP addresses listed in the spam-allow and the webmail tables to the OpenSMTPd. And we will accept messages on port 587 (submission port).

The next steps are a few housekeeping rules, for establishing default policy, and accepting SSH and ICMP messages.

Then pass IMAP and POP3 on our external interface to access Dovecot.

The following step is to allow all outgoing traffic. 

Start firewall PF:

sudo service pf start

Done with the firewall. 

OpenSMTPd

Configuring the OpenSMTPd is easy. It is just 14 lines of configuration: 

#This is the smtpd server system-wide configuration file.

# See smtpd.conf(5) for more information.

ext_if=vtnet0

# If you edit the file, you have to run “smtpctl update table aliases”

table aliases file:/etc/mail/aliases

table domains file:/etc/mail/domains

# Keys

pki mail.example.com key “/usr/local/etc/letsencrypt/live/mail.example.com/privkey.pem”

pki mail.example.com certificate “/usr/local/etc/letsencrypt/live/mail.example.com/fullchain.pem”

# If you want to listen on multiple subdomains (e.g. mail.davidlenfesty) you have to add more lines

# of keys, and more lines of listeners

# Listen for local SMTP connections

listen on localhost hostname mail.example.com

# listen for filtered spamd connections

listen on lo0 port 10026

# Listen for submissions

listen on $ext_if port 587 tls-require auth pki mail.example.com tag SUBMITTED

# Accept mail from external sources.

accept from any for domain <domains> alias <aliases> deliver to maildir “~/mail”

accept for local alias <aliases> deliver to maildir “~/mail”

accept from local for any relay tls

accept tagged SUBMITTED for any relay tls

First, we define the external interface, tables, aliases, and domains. After that, we go to the SSL certificate for the domain. 

We listen to the localhost for the domain in the example – mail.example.com. We then listen to the filtered spamd messages and these from the external interface. 

Last, we listen to these on port 587 and check their authentication. 

We then go to the accept setting where we are able to accept any messages from the domains in the domain table to be delivered to the maildir (home directory). We accept all local connections for the local mailboxes and relay the messages in order to send emails.

Aliases

FreeBSD ships with a default alias file /etc/mail/aliases in the following format:

vuser1: user1

vuser2: user1

vuser3: user1

vuser4: user2

These will be the different mailboxes. You can create local users who will have mailboxes on the server. 

Domains

Creating a domain file on FreeBSD is not hard:

# Domains

example.com

mail.example.com

smtp.example.com

It is a simple plain text file that you want to listen to on a new line. The “#” symbol is for you to make a comment. 

SSL Certificates

You can use self-signed or signed certificates. You can use Let’s Encrypt to get a free one. 

Let’s install the certbot program.

sudo pkg install py-certbot

After that, go to your certificate, but make sure that you have port 80 opened. In your filtering rules add the following lines in /usr/local/etc/pf.conf:

pass quick on $ext_if from any to any port http

Then run pfctl -f /usr/local/etc/pf.conf to reload the set of rules.

Now run the command for any domain that you wish to get a certificate for:

certbot certonly --standalone -d mail.example.com

You can make crontab run certbot renew every 6 months so you always have a certificate. 

Then for every relevant domain, you can modify the lines to point to the correct key file:

pki mail.example.com key “/usr/local/etc/letsencrypt/live/mail.example.com/privkey.pem”

pki mail.example.com certificate “/usr/local/etc/letsencrypt/live/mail.example.com/fullchain.pem”

Edit the securities:

sudo chmod 700 /usr/local/etc/letsencrypt/archive/mail.example.com/*

You will have to do this for each original key file or else OpenSMTPd won’t open them.

After that, we can start the service:

sudo service smtpd start

Configuring spamd

We’ll use spamd to block spam from known sources. We will greylist certain connections. Spammers won’t try to resend the mail after an error while normal people will. 

Run the following to mount fdescfs:

mount -t fdescfs null /dev/fd

Add this line to /etc/fstab:

fdescfs /dev/fd fdescfs rw 0 0

The default configuration file (/usr/local/etc/spamd/spamd.conf.sample) will work fine. You can edit it to add new sources:

sudo cp /usr/local/etc/spamd/spamd.conf.sample /usr/local/etc/spamd/spamd.conf

Now start the service with the following:

sudo service obspamd start

Spamd is now ready to work.

Enabling Webmail Services

One problem with greylisting is that big mail services (like Google) will send mails from different servers for different messages. We will need to allow the IP address ranges for these big webmail services. This is the part of the webmail able in the PF configuration. 

To add an IP address range in the webmail table you can run the following command:

pfctl -t webmail -T add 192.0.2.0/24

Dovecot

If you want users to have a more comfortable experience you will need an MDA with IPAM/POP3 support. We have chosen Dovecot in this case because it is easy to use and configure.  Copy the default configuration:

cd /usr/local/etc/dovecot
cp -R example-config/* ./

The configuration is made up of quite a few different files. To see the differences between your configuration and the dovecot defaults, run the command below:

sudo doveconf -n

Here’s an example of a working configuration:

# 2.3.2.1 (0719df592): /usr/local/etc/dovecot/dovecot.conf

# OS: FreeBSD 11.2-RELEASE amd64  

# Hostname: mail.example.com

hostname = mail.example.com

mail_location = maildir:~/mail

namespace inbox {

  inbox = yes

  location = 

  mailbox Archive {

    auto = create

    special_use = \Archive

  }

  mailbox Archives {

    auto = create

    special_use = \Archive

  }

  mailbox Drafts {

    auto = subscribe

    special_use = \Drafts

  }

  mailbox Junk {

    auto = create

    autoexpunge = 60 days

    special_use = \Junk

  }

  mailbox Sent {

    auto = subscribe

    special_use = \Sent

  }

  mailbox “Sent Mail” {

    auto = no

    special_use = \Sent

  }

  mailbox “Sent Messages” {

    auto = no

    special_use = \Sent

  }

  mailbox Spam {

    auto = no

    special_use = \Junk

  }

  mailbox Trash {

    auto = no

    autoexpunge = 90 days

    special_use = \Trash

  }

  prefix = 

  separator = /

}

passdb {

  args = imap

  driver = pam

}

ssl = required

ssl_cert = </usr/local/etc/letsencrypt/live/mail.example.com/fullchain.pem

ssl_dh = </usr/local/etc/dovecot/dh.pem

ssl_key = </usr/local/etc/letsencrypt/live/mail.example.com/privkey.pem

userdb {

  driver = passwd

}

Most config files will be in conf.d.

The important ones are 10-auth.conf, 10-mail.conf, and 10-ssl.conf.

You can configure the different mailboxes for different users in 15-mailboxes.conf. This configuration works fine for most people, but you can modify it for your particular needs. 

Authentication

Most default settings will be correct. If you want the system users to authenticate, you will have to edit 10-auth.conf.

Remove the comment on the following line:

!include auth-system.conf.ext

Encryption

We have to generate Diffie-Hellman parameters:

sudo nohup openssl dhparam -out /usr/local/etc/dovecot/dh.pem

NoteThis will take a long time to run. Much longer than you might expect.

Now that it is done, start Dovecot:

sudo service dovecot start

Conclusion

Now we have a fully functional, safe, and spam-protected email server on a FreeBSD OS. You can further reduce the spam with additional software, but this configuration will be enough for most organizations like this. 

If you need another type of mail server, see the following article:

Leave a Reply

Your email address will not be published.