Guide to a FreeBSD mail server

herrbischoff

Active Member

Reaction score: 73
Messages: 173

I'm looking for a guide to build a FreeBSD mail server. Googling results in literally hundreds of Linux-based tutorials and articles, with just a handful of FreeBSD entries in the field, with most of them being very old, basing the approach on 6.x or 8.x. And every single "mail-in-a-box" type setup is exclusively Linux-only. There's iRedMail of course but that requires you to buy the commercial version to be really useful.

What I'm looking for is a modern guide that takes effective anti-spam measures, SPF, DMARC and DKIM into consideration along with a SpamAssassin alternative, (if possible) doesn't require to run a SQL setup and does not rely on some crappy PHP or Python web config panel. Most use cases I'm looking to use this setup for involve just a couple dozen users and me as the sole administrator.

I thought that should be easy to do when looking through various guides and tutorials. What I didn't count on was that every single guide does things differently and often without explaining why. This makes a complex setup like a mail server very hard to understand. I haven't been able to find reliable, moderately easy to follow information about how to pull this off — ideally, a guide that is more focused on the tools than the OS. Packages I can install myself and figure out what may be missing. What I cannot figure out is how to configure and wire up the different components needed for a mail server reliably.

I have years of system administration experience with UNIX systems but email has always been a point of major frustration for me. When you try to dive into the inner workings and configuration of open source components like Postfix, Dovecot and its plumbing, getting a reliable and modern setup out of it is a bit akin to dabbling with dark arts. The difficulty, I believe, is in the dozens of possible combinations of MTAs, MDAs and other tools.

My preferred setup is a rather basic one: Postfix, Dovecot, a DMARC tool, some Anti-Spam tools, everything in plain text config files (including users), ability to forward and copy mails, aliases, server-side mail filters. Virtual users and multiple domains would be nice to have but not completely necessary.

Thank you for any and all pointers.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,183
Messages: 29,471

Googling results in literally hundreds of Linux-based tutorials and articles, with just a handful of FreeBSD entries in the field
Why do you think setting up Postfix, Dovecot, etc, would be any different on FreeBSD? Applications like this are set up exactly the same way, using exactly the same configurations, regardless of the OS. The only difference will be the exact location of those configuration files. And that's typically really easy to figure out.
 
herrbischoff

The difference is that I’m looking for a modern guide to set one up, ideally one without SQL and possibly even FreeBSD-based. Because this is a FreeBSD forum. The guides I was talking about are highly complex, require either a SQL backend, a LDAP server, weird control panels and/or more. I’d like to keep it basic and extensible which is exactly the opposite of what’s generally to be found.

Do you have any concrete ideas, links or materials to share? Your comments thus far are not helpful.
 

SirDice

The guides I was talking about are highly complex,
That's not surprising. What you want to do is fairly complex, especially if you've never done anything comparable. I would start with a basic Postfix/Dovecot configuration. Getting mail to properly send and receive is already quite a challenge. Once that's set up and working you can add the other features, one by one.
 
herrbischoff

Here is the guide. It will get you started but you need some additional resources to get a close to standard mailserver for the Internet.
Thanks. However, I'm looking for something simpler to start with to be able to understand what I'm doing.

I would start with a basic Postfix/Dovecot configuration. Getting mail to properly send and receive is already quite a challenge. Once that's set up and working you can add the other features, one by one.
That sounds like a reasonable approach and mirrors my experiences with setting it up just by reading the manuals and manpages. There are instructions for almost anything under the sun but I couldn't find simple "standard" instructions that lead to an extensible setup. Most guides require a setup to be exactly the way they describe without explanation as to why.

If there are no descriptive tutorials, is there any useful literature walking you through it while explaining it?
 

Lamia

Active Member

Reaction score: 31
Messages: 182

Thanks. However, I'm looking for something simpler to start with to be able to understand what I'm doing.



That sounds like a reasonable approach and mirrors my experiences with setting it up just by reading the manuals and manpages. There are instructions for almost anything under the sun but I couldn't find simple "standard" instructions that lead to an extensible setup. Most guides require a setup to be exactly the way they describe without explanation as to why.

If there are no descriptive tutorials, is there any useful literature walking you through it while explaining it?
The guide must have been the simplest and useful [and you can ignore some parts like mailgun etc] for FreeBSD users to keep pointing at it. Many other guides are not presented in such a format. The guide won't get postfix running immediately for you though. It has not been updated for some time. And you getting content filters (e.g. amavis, mailscanner, etc) working with postfix also depends on where you want to run your mailserver - host vs jail... Here [ [1], [2] ] are some threads that might be of help.

I quite agree that you need to start with the basics - particularly main.cf vs master.cf for postfix. This is another informative and well-referenced guide on postfix. And if you are considering other MTAs, such as OpenSMTPD, SSMTP, etc, there are resources out there too. Here is another guide from the same author on OpenSMTPD. Postfix/dovecot is superior though. A piece of advice for you is to try not to burn your IP address - i.e. get on SBL, Spamhaus, etc - as you start the voyage.
 

SirDice

I've set up my mail server a long time ago. I don't think I used just one tutorial but a whole bunch of them. And combined all that information with experiences I had with Postfix through DirectAdmin (I 'borrowed' their configuration) and how I wanted my setup to work.
 
herrbischoff

vermaden: That's a nice writeup, it misses a critical part though, namely the LDAP server setup. One could argue that sysadmins should be able to figure it out for themselves, however, it defeats the purpose of the guide to some extent.

In the end I went with the Purplehat one, compensating for several changes and errors, adapting it to be able to run in a jail (permissions issues) and learned quite a bit while doing so. The missing explanations turned out to be not too forbidding since browsing the manuals of the components revealed most of what I was looking for.

Since there appears to be no current (and complete, for that matter) guide to a working mail server setup for FreeBSD, I might just take the Purplehat instructions as a basis for a GitHub repository to create one that is easy to keep current when changes occur. Blog posts age quickly and are often never updated to reflect changes.
 

Lamia

In the end I went with the Purplehat one, compensating for several changes and errors, adapting it to be able to run in a jail (permissions issues) and learned quite a bit while doing so. The missing explanations turned out to be not too forbidding since browsing the manuals of the components revealed most of what I was looking for.
Awesome. I found the PurpleHat guide as a good start; hence my recommendation of it. I can point you at other useful guides - opendkim/spf, mailscanner, [cyrus-]saslauthd, content-filter, etc. Did you get amavis (previously maia) or maia itself working in the mailserver jail?

Lest I forget, you definitely would need an outbound smtp unless you want to rely on free services like Gmail to relay your emails to difficult servers - Microsoft, etc.
 
herrbischoff

I can point you at other useful guides - opendkim/spf, mailscanner, [cyrus-]saslauthd, content-filter, etc.
Please do. Especially DKIM.

Did you get amavis (previously maia) or maia itself working in the mailserver jail?
I have maia running in the jail. I just had to add the jail IP as a mynetworks parameter in master.cf to allow it connecting back to port 10025 from within the jail.

Lest I forget, you definitely would need an outbound smtp unless you want to rely on free services like Gmail to relay your emails to difficult servers - Microsoft, etc.
Outbound SMTP is running as expected as the server is running on a static IP, I have added SPF records and set it up as IPv4-only for the time being. IPv6 with pf plus jails is still a little confusing to me.
 
herrbischoff

The only issue that remains is a recurring status email with the following warning:

Code:
warn: FuzzyOcr: Cannot find executable for gifinter
I found out that gifinter used to be part of graphics/giflib long ago and it's apparently now recommended to use ImageMagick via

Code:
focr_bin_gifinter /usr/local/bin/convert -interlace
in FuzzyOcr.cf but couldn't get it to work.

I now wonder if there's a measurable upside to using FuzzyOcr at all.
 

Lamia

I have maia running in the jail. I just had to add the jail IP as a mynetworks parameter in master.cf to allow it connecting back to port 10025 from within the jail.
As much as I would have loved to get maia running, it s**ks. Having to go administer it - allow/reject mail & sender/recipient - every now and then is irritating. I got ports 10024 and 10025 to work back then, when I first used maia, but at some point the 10025 won't just work for content filtering again.

Anyway, I had to jump on the mailscanner bandwagon. Mailscanner does a decent job though I now receive one or two unsolicited emails once in a while - like poker/hot babes/etc. I know we have given out some of our email addresses in webform/webpages/paperforms/etc and GODKNOWSWHO sold the info or how it got into other hands. I am now training Bayes with spam filtering via a Roundcube plugin. The Mailscanner UI has got a complex setup, but one does not really need it to get a standard email server running.

Please do. Especially DKIM.
You might find these two guides [1, 2] very helpful. They are good for creating your DKIM keys, particularly the stevejenkins' guide. The Archlinux guide is also very informative.

I spent some time getting it to work too. Where the problem often lies is getting opendkim to work. You will have to drift between running it as a unix socket or daemon/milter.
Here are some additional guides on milteropendkim [which I am using]:
Add-dkim-signing-to-freebsd-servers
A thread on Opendkim and SPF

You should pay close attention to the ownership and permission on /var/run/milteropendkim and the opendkim dir (i.e. files - signingtable/keytables/trustedhosts with subdir 'keys'), respectively.


Outbound SMTP is running as expected as the server is running on a static IP, I have added SPF records and set it up as IPv4-only for the time being. IPv6 with pf plus jails is still a little confusing to me.
***OLD STATIC IP ADDRESS***
Good to know that you got SPF records. You are advised to also add DMARC and the likes if you are yet to do so.

in FuzzyOcr.cf but couldn't get it to work.

I now wonder if there's a measurable upside to using FuzzyOcr at all.
I often get the FuzzyOcr error report in our daily server report. And I have tried to fix it - using imagemagick and so on - but no luck.
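
The ownership and permission checks that the post above says to watch, as an added example that is not part of the thread or of the guides it links. It assumes private keys end in `.private` (the `opendkim-genkey` naming); the configuration directory, the socket directory and the account the milter runs as are arguments, because the thread does not state them.

```shell
#!/bin/sh
# Added example: audit ownership and modes of an OpenDKIM setup.
# Assumptions (not stated in the thread): private keys end in ".private",
# and the caller supplies the config directory, the socket directory and
# the account the milter runs as.

# audit_dkim_dir DIR USER
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if DIR is missing.
audit_dkim_dir() {
    dir=$1 user=$2
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    findings=$(
        # Private keys must be exactly 0600 or 0400 ...
        find "$dir" -type f -name '*.private' ! -perm 600 ! -perm 400 |
            sed 's/^/KEY_MODE /'
        # ... and owned by the milter account.
        find "$dir" -type f -name '*.private' ! -user "$user" |
            sed 's/^/KEY_OWNER /'
        # Nothing in the tree (signing table, key table, trusted hosts,
        # key directories) may be writable by group or others.
        find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) |
            sed 's/^/WRITABLE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# audit_socket_dir DIR USER
# The socket directory must belong to the milter account and must not be
# world-writable. Group access is not flagged, since the MTA commonly
# reaches the socket through group membership (assumption).
audit_socket_dir() {
    dir=$1 user=$2
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    findings=$(
        find "$dir" -prune ! -user "$user" | sed 's/^/DIR_OWNER /'
        find "$dir" -prune -perm -002 | sed 's/^/DIR_WORLD_WRITABLE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit.sh <opendkim-dir> <socket-dir> <milter-user>
if [ $# -eq 3 ]; then
    rc=0
    audit_dkim_dir "$1" "$3" || rc=1
    audit_socket_dir "$2" "$3" || rc=1
    exit $rc
fi
```
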
 

Lamia

I found before that even trying to do something simple is not for the faint of heart. If you do get your setup fully working, please post back here.
herrbischoff wanted a standard email server with his/her domain name(s). What you have done there is different. You are relying on the freenom free domain & infrastructure. That is not bad. You are fine as long as you are not receiving emails like SirDice mentioned.
 
herrbischoff

I found before that even trying to do something simple is not for the faint of heart.
Well, setting up ssmtp is rather trivial and there's no need for complex setups if the mails are only meant to be forwarded. Here is a simple config showing you how to send via a Gmail account. That's my standard go-to solution for stand-alone servers. Not Gmail though but my own mail server. It just shows that it's possible without any advanced fiddling.

Code:
# /usr/local/etc/ssmtp/ssmtp.conf

# The user that gets all the mails (UID < 1000, usually the admin)
root=username@gmail.com

# The mail server (where the mail is sent to), both port 465 or 587 should be acceptable
# See also https://support.google.com/mail/answer/78799
mailhub=smtp.gmail.com:587

# The address where the mail appears to come from for user authentication.
rewriteDomain=gmail.com

# The full hostname.  Must be correctly formed, fully qualified domain name or GMail will reject connection.
hostname=yourlocalhost.yourlocaldomain.tld

# Use SSL/TLS before starting negotiation
UseTLS=Yes
UseSTARTTLS=Yes

# Username/Password
AuthUser=username
AuthPass=password
AuthMethod=LOGIN

# Email 'From' headers can override the default domain?
FromLineOverride=yes

Code:
# /etc/ssmtp/revaliases

root:username@gmail.com:smtp.gmail.com:587
mainuser:username@gmail.com:smtp.gmail.com:587
You see? Rather self-explaining. Works every time.

If you do get your setup fully working, please post back here.
I did get it to work almost immediately and it's running already in testing mode with one of my domains. So far, it's been working smoothly. It has mainly been figuring out some smallish issues and differences with regard to jails. I'm going to experiment a bit and when deemed stable, will move it into production. I'm quite impressed by the performance of this setup.
 

Lamia

Well, setting up ssmtp is rather trivial and there's no need for complex setups if the mails are only meant to be forwarded.
Thanks herrbischoff for that note. Ssmtp works great and it is simple. Simple as OpenSMTPD. I was using OpenSMTPD for that task until it started failing me. I then switched to Ssmtp and things have been fine.
 

Lamia

herrbischoff Are the additional resources helpful too?
You may hit the thanks/thumb up link for me if they do. I am shy to sometimes ask for that.
 
herrbischoff

I couldn't find the time to look at it yet. Thank you for this, I will review it as soon as I can.

Regarding the missing gifinter, the config setting apparently gets ignored but creating a simple shell script with the same name calling /usr/local/bin/convert -interlace, it works.
 

ekingston

Active Member

Reaction score: 57
Messages: 213

Thank you all for this thread. As the free mail services increasingly disappoint me, I have decided to once again think about running my own mail server(2). This thread is proving invaluable.

One thing I don't see in the instructions I've looked at is any sort of estimate of minimum system requirements.

Cloud VPSes appear to come as cheaply as US$2.50 per month. Would 512MB of RAM on a single-core VPS be sufficient for a low volume mail server?
 

SirDice

My VPS is a 2 core, 4GB VM. It's running my mail server (including web mail), a low volume website (Webtrees) and recently added a complete Phabricator install. Everything runs smoothly but it's all very low volume traffic. I get more traffic from malware bots than actual people visiting.
 
herrbischoff

Regarding the minimum requirements for smooth operation, I'd suggest to just add up the requirements of the used components. Given the Purplehat guide as a reference, I'd suggest at least 2 GB of RAM and two cores for it to be responsive and useful. If you plan to use just the bare essentials and no spam filter, I guess you could get away with that mini-VPS. However, space quickly becomes an issue as those cheapo VPS offerings are often severely restricted in this regard. YMMV, it all depends on your expectations. There are people who successfully run a home mail server off a Raspberry Pi 2 (1 GB RAM, 4-core 32-bit ARM, slow SD flash memory). Although I'd obviously install FreeBSD on that thing first. :) Which is actually something to consider. I for one am not aware of mini-VPS offerings apart from Digital Ocean that offer FreeBSD.
 

ekingston

My VPS is a 2 core, 4GB VM. It's running my mail server (including web mail), a low volume website (Webtrees) and recently added a complete Phabricator install. Everything runs smoothly but it's all very low volume traffic. I get more traffic from malware bots than actual people visiting.
Thanks, that fits my usage expectations (just me) and usage.

Regarding the minimum requirements for smooth operation, I'd suggest to just add up the requirements of the used components. Given the Purplehat guide as a reference, I'd suggest at least 2 GB of RAM and two cores for it to be responsive and useful. ...
Thanks.

... I for one am not aware of mini-VPS offerings apart from Digital Ocean that offer FreeBSD.
There are many in that category: Atlantic.net, Linode.com, and Vultr.com (to name very few) are very similar in terms of price, service, and reliability. Personally I currently use Vultr.com and previously used liteserver.nl (no complaints, changes in the value of the euro made Vultr more cost-effective).
 

trev

Aspiring Daemon

Reaction score: 133
Messages: 706

I use a Vultr.com 512MB/20G SSD/1vCore ($US 2.50/month) plus 10G SSD block storage ($US 1/month) for a low volume mail server (replete with milters), web server, web proxy server and backup server (the 10G block storage addon is used for hourly backups of my main home server). 512M swap file of which currently 14M used.
 