Firat

Posted on • Originally published at dumpbox.net

How to Setup Secure Email Server

Learn how to set up your own email server using Mail-in-a-Box on a fresh Ubuntu server.

You are already aware of all the challenges and responsibilities of running a secure email server, and you still want to have your own. That's great! This guide will help you set up a secure email server.

In this tutorial, we'll use open-source email server software called Mail-in-a-Box. It's a batteries-included solution for setting up a mail server on a fresh Ubuntu server. It provides all the basic features like webmail, calendar, contacts, spam filtering, etc. out of the box. You can start using email with your own domain right after the setup.

Prerequisites

  • A fresh Ubuntu 22.04 server (a VPS from any provider will do).
  • A domain name (you can buy one from any domain registrar).
  • Basic knowledge of using the terminal and SSH.

Step 1: Prepare Your Server

I'll use DigitalOcean droplets for this tutorial, but you can use any VPS provider with port 25 unblocked. Most of them block port 25 to prevent spam, so make sure to check that first. DigitalOcean is a good choice as they don't block port 25 by default. Port 25 is essential for sending emails, so it's important that your VPS provider allows it.

To connect to your VPS, you'll need to add your SSH public key to the server. SSH keys are a secure way to connect to your server from the terminal, and you'll use that connection to run some installation commands later on. You can follow this guide to create SSH keys if you don't have one already.

When you have your SSH key ready, create a new droplet with the following steps:

  1. Create a new droplet with Ubuntu 22.04. It's important to use this version, as Mail-in-a-Box doesn't support newer versions yet.
  2. Choose a plan (the cheapest one is usually sufficient for personal use).
  3. Choose a data center region close to you.
  4. Add your SSH key for secure access.
  5. Create the droplet and note down its IP address.

Here is a detailed tutorial on how to create a droplet on DigitalOcean: How to Create a Droplet on DigitalOcean

Once your droplet is created, you also need to set a reverse DNS (PTR) record for your server's IP address. This is important for email deliverability, as many email providers check for a valid PTR record to prevent spam. When you change your droplet's name in DigitalOcean, the PTR record is automatically updated to match the new name. So, you can set your droplet's name to your domain name to have a matching PTR record. We'll use box.yourdomain.com as the hostname for the rest of this tutorial.

Step 2: Point Your Domain to Your Server

Before setting up the email server, you need to do some DNS configuration for your domain. Mail-in-a-Box requires you to create glue records for your domain. Your domain registrar should have a glue record management section in their dashboard. I'd recommend using porkbun.com as your domain registrar; their pricing is reasonable and they provide good DNS management options.

Assuming you have purchased a domain from Porkbun, follow these steps to create glue records:

  1. Log in to your Porkbun account and go to the "Domain Management" section.
  2. Click the details button on the right side of your domain name.
  3. Scroll down to the "Glue Records" section and click "Manage".
  4. Create two glue records:
       • ns1.yourdomain.com pointing to your server's IP address.
       • ns2.yourdomain.com pointing to your server's IP address.
  5. Save the changes.

Next, you need to set your domain's nameservers to the glue records you just created. In the same domain settings page, find the "Nameservers" section and set the nameservers to:
ns1.yourdomain.com
ns2.yourdomain.com

Save the changes. It may take some time for the DNS changes to propagate, usually within a few hours but sometimes up to 48 hours. Here is a more detailed guide on how to set up glue records on Porkbun: How to Set Up Glue Records on Porkbun

If you want to learn more about glue records and why they are important, you can read this article: What are Glue Records?
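
The PTR record from Step 1 and the nameserver delegation from Step 2 can be checked from any machine before you run the installer. The script below is an added example, not part of the original post or of Mail-in-a-Box; it assumes dig is installed, and the function names, yourdomain.com and 203.0.113.10 are placeholders.

```bash
#!/usr/bin/env bash
# Pre-flight DNS check for the mail host (added example; all names are placeholders).

# Lowercase a DNS name and drop the trailing root dot that dig prints.
normalize_name() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# fcrdns_ok HOST IP PTR_ANSWER A_ANSWERS
# Succeeds only if the PTR answer for IP is HOST and HOST's A records include IP.
fcrdns_ok() {
  local host ptr
  host=$(normalize_name "$1")
  ptr=$(normalize_name "$3")
  [ -n "$ptr" ] && [ "$ptr" = "$host" ] || return 1
  printf '%s\n' "$4" | grep -qxF -- "$2"
}

# ns_delegated DOMAIN NS_ANSWERS
# Succeeds only if both ns1.DOMAIN and ns2.DOMAIN appear in the NS answers.
ns_delegated() {
  local domain want answers
  domain=$(normalize_name "$1")
  answers=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
  for want in "ns1.$domain" "ns2.$domain"; do
    printf '%s\n' "$answers" | grep -qxF -- "$want" || return 1
  done
}

# Live wrapper: queries DNS with dig and reports each check.
preflight() {
  local domain host ip rc
  domain=$1; host=$2; ip=$3; rc=0
  if fcrdns_ok "$host" "$ip" "$(dig +short -x "$ip" | head -n1)" "$(dig +short A "$host")"; then
    echo "OK   PTR and A records agree on $host <-> $ip"
  else
    echo "FAIL PTR for $ip and A for $host do not match"; rc=1
  fi
  if ns_delegated "$domain" "$(dig +short NS "$domain")"; then
    echo "OK   $domain is delegated to ns1/ns2.$domain"
  else
    echo "FAIL $domain is not delegated to ns1/ns2.$domain yet"; rc=1
  fi
  return $rc
}

# Usage: ./preflight.sh yourdomain.com box.yourdomain.com 203.0.113.10
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Until the glue records and nameserver change have propagated, the A lookup for box.yourdomain.com returns nothing and the first check fails; the PTR half can be confirmed on its own with dig +short -x.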

Step 3: Connect to Your Server

Once your droplet is created, you can connect to it using SSH. Open your terminal and run the following command (replace your_droplet_ip with the actual IP address of your droplet):

ssh root@your_droplet_ip

You should now be logged into your server as the root user. Before proceeding, it's good practice to create a new user with sudo privileges for better security. Using the root user grants full access to the system, which can lead to accidental system damage and makes the server a prime target for malicious attacks if the account is compromised. Creating a new user with limited privileges helps mitigate these risks.

Creating a new user can be done with the following command (replace your_username with your desired username):

adduser your_username

Then, add the new user to the sudo group to grant administrative privileges:

usermod -aG sudo your_username

You logged in to your root account using SSH keys. You will need to add a copy of your local public key to the new user’s ~/.ssh/authorized_keys file to log in successfully as the new user.

rsync --archive --chown=your_username:your_username ~/.ssh /home/your_username

It's done! Now you can log out from the root account by typing exit and log in again using the new user:

ssh your_username@your_droplet_ip

Step 4: Install Mail-in-a-Box

Now, let's do some initial setup on the server. First, update the package list and upgrade all packages to their latest versions:

sudo apt update && sudo apt upgrade -y

Next, install Mail-in-a-Box. The installation process is straightforward. Run the following command:

curl -s https://mailinabox.email/setup.sh | sudo -E bash

The script will guide you through the installation process. When it asks for a domain name, enter your hostname (box.yourdomain.com), the same as the PTR record you set earlier. The installation process may take some time as it installs and configures all necessary components.

Once the installation is complete, you need to log in at https://your_droplet_ip/admin the first time, because your SSL certificate is not yet signed. Log in using the email account you created during the installation process. After logging in, navigate to the "System" tab and click on the "TLS (SSL) Certificates" section. If you already have a domain name pointed to your server, the instructions to obtain a free SSL certificate from Let's Encrypt will show up automatically. Follow the instructions to get your SSL certificate.

You can now access the Mail-in-a-Box admin interface by navigating to https://box.yourdomain.com/admin in your web browser. From there, go to the "Mail & Users" tab to create new email accounts with your domain name, like username@yourdomain.com.

You can visit the official Mail-in-a-Box website for more detailed instructions on how to create email accounts and manage your server.

Conclusion

That's it! You have successfully set up your own secure email server using Mail-in-a-Box. You can now create email accounts, manage your server, and start sending and receiving emails with your own domain.
