How to set up a complete SMTP + POP/IMAP mail server.

I would like to set up a complete email system on my 11.2-RELEASE server. This will be the first time I've dealt with this facet (configuration and administration) of the email technology. I have a static IP address and I've registered a domain name. My impression is that mail/postfix and mail/dovecot are a reasonable way to go. This server is also running databases/postgresql10-server and if that can be used for email account management, it seems like that would be convenient. Chapter 28. Electronic Mail of the Handbook seems a little vague on a few points. Just to get started, the relevant part of /etc/rc.conf looks like this:
Code:
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"
dovecot_enable="YES"
And /etc/mail/mailer.conf looks like this:
Code:
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
#sendmail       /usr/libexec/sendmail/sendmail
#mailq          /usr/libexec/sendmail/sendmail
#newaliases     /usr/libexec/sendmail/sendmail
#hoststat       /usr/libexec/sendmail/sendmail
#purgestat      /usr/libexec/sendmail/sendmail
#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail        /usr/local/sbin/sendmail
send-mail       /usr/local/sbin/sendmail
mailq           /usr/local/sbin/sendmail
newaliases      /usr/local/sbin/sendmail
Am I on the right track, and what are the next steps? Guidance or pointers to specific documentation will be much appreciated!
 
There really isn't one best way here. I agree that mail/postfix in combination with mail/dovecot can make a good mail server. But so can Sendmail and mail/cyrus-imapd30 ;)

The most important aspects are: disable Sendmail if you're going to use another MTA (such as Postfix), but you've already done that. If you're not sure about some things, simply take a look at /etc/defaults/rc.conf; that will list all the services which are enabled by default.

But you also want to disable some Sendmail-related cleanup activities which are run through the periodic system (see /etc/defaults/periodic.conf). It roughly boils down to:

Code:
# Postfix setup (disable sendmail)
daily_clean_hoststat_enable="NO"
daily_status_include_submit_mailq="NO"
daily_status_mail_rejects_enable="NO"
daily_queuerun_enable="NO"
daily_submit_queuerun="NO"
If you add this to /etc/periodic.conf you should be more than set.

The main thing to take care of when running a mail server is that you make triple sure not to set up a so-called open relay. In other words: misconfigure your system so that everyone can (ab)use it to send mail through, because things can go bad really quickly.

Also: if your ISP provides mail services then it might be a good idea to use their SMTP server for your outgoing e-mail (as a smart host or relay host) while your setup takes care of any incoming messages. That's because many mail servers won't "just" accept mail from random hosts. For example: many mail servers only accept mail when the IP address of the originating host actually has a PTR record assigned (in other words: if reverse lookups work). Not every customer connection has that, which could result in your mail server getting a lot of denials.
 
many mail servers only accept mail when the IP address of the originating host actually has a PTR record assigned
That is a very interesting point. Thank you! I registered the domain name through GoDaddy. They don't have a PTR record type but there is mention here that something similar can be accomplished through a TXT type record. It says: "Copy the HASH code from your hosting provider". I have no idea what that means. Any ideas?
 
I registered the domain name through GoDaddy. They don't have a PTR record type but there is mention here that something similar can be accomplished through a TXT type record.
It won't be the same. Basically only the owner of the IP range can assign a PTR record, that's simply the way this thing works. TXT records are something completely different, and also something no other ISP would even bother to try and use. The only exception being SPF; the Sender Policy Framework. That's also what that link you shared is referring to.

However, it won't necessarily help you for outgoing mail.

SPF is basically a way to warn other mail servers that any mail sent using a certain domain should only originate from a pre-determined host or set of hosts. So the moment they process incoming mail and check the sending domain they can then check if the sending server is actually mentioned within the SPF record.

But there also lies the problem. The reverse lookup check I mentioned happens before all this, at the moment the mail servers first make contact. Postfix accounts for this through the smtpd_helo_restrictions setting (restrictions which apply during the 'HELO' phase, aka first contact) and smtpd_sender_restrictions, which apply at the moment the sender domain gets checked. And of course we have smtpd_recipient_restrictions. Every step has its own set of restrictions and checks.

Can't comment on the hash value and all, makes little sense to me either.
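The open-relay warning two posts up and the smtpd_*_restrictions named in this reply map onto a handful of lines in Postfix's main.cf. The fragment below is an added example for this thread, not configuration from either poster or from the Postfix project; the hostname, domain and network values are placeholders, and the SPF policy-service line assumes the mail/py-postfix-policyd-spf-python port with a matching master.cf entry.

```ini
# Added example: Postfix main.cf fragment (on FreeBSD: /usr/local/etc/postfix/main.cf).
# Values below are placeholders to be replaced with your own.

# --- Weak setting (open relay): do NOT use ---
# Permitting everything in the relay class lets any host on the internet
# send mail through this server to any destination:
# smtpd_relay_restrictions = permit

# --- Hardened setting ---
myhostname = mail.example.org
mydomain = example.org
mynetworks = 127.0.0.0/8, [::1]/128

# Relay only for local networks and SASL-authenticated (e.g. Dovecot) clients;
# everyone else may only deliver to domains this host is responsible for.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# HELO phase ("first contact"): require a HELO and reject bogus hostnames.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

# MAIL FROM phase: sender domain must be fully qualified and must resolve.
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# RCPT TO phase: keep the relay guard here too, and (strict choice) reject
# clients whose IP has no working reverse lookup, the PTR check discussed above.
# This does reject some legitimate senders; drop the last line if that is unacceptable.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname

# Optional SPF evaluation of the sender domain, via a policy daemon
# (assumes mail/py-postfix-policyd-spf-python and a "policyd-spf" master.cf entry).
# Append to smtpd_recipient_restrictions after reject_unauth_destination:
#    check_policy_service unix:private/policyd-spf
```

After editing, run `postfix check` and `postconf -n` to confirm the settings took effect, and make sure reject_unauth_destination is present in smtpd_relay_restrictions (or, on old Postfix releases without that parameter, in smtpd_recipient_restrictions): that single rule is what separates a normal server from an open relay.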
 
Wow, this is wonderfully educational. Thanks, again. I think Comcast (my ISP) might be the place to set up the PTR record. I just made the request and will report back with their response.
 
The requirement that your mail server's IP address has a reverse mapping is utterly bogus; there are plenty of well-respected domains where the MX records and addresses of sending hosts have no reverse mapping and they work just fine. The reverse mapping proves nothing; instead, what actually counts are things like the mentioned SPF records and other verification methods that don't rely on co-operation between you and your ISP.
 
The requirement that your mail server's IP address has a reverse mapping is utterly bogus; there are plenty of well-respected domains where the MX records and addresses of sending hosts have no reverse mapping and they work just fine. The reverse mapping proves nothing; instead, what actually counts are things like the mentioned SPF records and other verification methods that don't rely on co-operation between you and your ISP.

FYI: Yahoo requires reverse DNS; all email will be rejected without it.
 
This server is also running databases/postgresql10-server and if that can be used for email account management, it seems like that would be convenient.
I would not do that. Using anything other than the plain-text files that Postfix or Sendmail use by default (e.g. LDAP or SQL) is overkill for a simple mail server. I would only consider such backends when you have a lot of domains to manage email for, each with a lot of email accounts.
 