When it comes to a complete personal internet services setup, the single most important service is probably e‑mail. It is crucial for many different tasks:
- Of course, sending and receiving information to and from other people.
- Having a base for the other services to verify or re-verify authentication – ever tried to reset a password to a service without an e‑mail account?
- Getting information about the health of the own systems or confirmation messages of automatic tasks.
E‑mail is important. The question is: Host yourself or use a service? To be clear: Hosting an e‑mail server yourself these days is not a simple task. There is a plethora of – more or less clever – schemes against spamming and fraud and if your server does not follow them, it is quite likely that outgoing messages will simply be blocked or even thrown away by other systems. If you mess up your setup, the same could accidentially happen to incoming messages. And unfortunately, you will not find a tool which you install out of the box so that you just „have” a mail server. You have to configure multiple programs so that they play nicely together.
The advantages, however, are obvious: It’s your own e‑mail on your own server. You are not bound to any storage capacities you have to pay for. You can configure the services as you like. If you misconfigure them, it’s your fault and only your fault.
Having said all this, there is one thing that is absolutely impossible today: Running an e‑mail server for a domain without an IPv4 address. While this is technically no problem, there are so many e‑mail servers out there which are frankly IPv4-only that you are more or less cut off any meaningful e‑mail service. And due to the aforementioned anti-spam measures, it is also not possible to use port-forwarding from the physical host into the virtual machine for the IPv4 connectivity. At least, I could not figure out how to do this reliably.
So, unfortunately the very first „real” service we describe in this „IPv6-only” article series will be dual-stacked with its own IPv4 address.
Basic server and network setup
So, here we are. Start with bringing up a fresh virtual server as described in the previous article of this series. All the advises I mentioned there apply. I gave my e‑mail server a virtual harddisk of 250 GB – of which 60 GB are currently used. It has 6 GB of main memory. This is rather a lot, but with 64 GB of physical memory in the host, it is no problem either…
Perform all steps so that you have your e‑mail server-to-be accessible from outside via IPv6 ssh connections with an DNS entry of your domain.
Add IPv4 connectivity
As I explained, our virtual server with the e‑mail services needs its own IPv4 address. We add this only for the needs of the e‑mail system. Apart from that, the server is still IPv6-only. If we ever come to a point where e‑mail servers can operate IPv6-only, it can simply be switched off and everything continues to work. Add IPv4 connectivity to the virtual mail host as follows:
- Obtain an additional IPv4 address for your server from your hoster. If you already have a network of them assigned to your server, you can use one of those, of course.
- The actual setup, of course, depends on the network scheme of your provider. Hetzner implements a direct peer-to-peer routing of IPv4 addresses. With Ubuntu 18.04, do this:
- On a system with systemd-network setup, add an entry to the bridge device configuration. In the initial article of this series, this is the file
/etc/systemd/network/21-br0-conf.network. Add the following lines:123[Address]Address=<IPv4 address of the host>Peer=<IPv4 address of the guest for e-mail server>/32
There are two [Address] entries now in this file which both have the same Address but different Peer entries. That’s intentional.
- If the host is configured with Netplan, add the route to the virtual guest explicitly:
- On the virtual mail server, add the IPv4 address to the Netplan configuration, usually in
/etc/netplan/01-netcfg.yaml. It reads completely like this:12345678network:version: 2renderer: networkdethernets:ens3:dhcp6: yesaddresses: [ IPv4 address for the guest/24 ]gateway4: IPv4 address OF THE HOST
- Now, add DNS and reverse DNS entries for both the IPv4 and IPv6 address for the mail server.
root@merlin ~ # cat /etc/netplan/01-netcfg.yaml
- to: 241.61.86.104/32 # <– IPv4 address of the virtual machine
via: 241.61.86.241 # <– IPv4 address of the host
After these steps, your virtual e‑mail server should be accessible via ssh by both IPv4 and IPv6 connections.
Setup of the mail system
After having the server prepaired on network and system level, it is time to actually setup the mail system. And here I must admit, that I have not developed my own scheme. Instead, I followed
Thomas describes the setup of a modern e‑mail server setup. The server allows for incoming and outgoing traffic. It is setup according to all anti-spam requirements with DKIP, DMARC and SPF entries in DNS. It offers SMTP and IMAP access for clients. It is a multi-user multi-domain setup. I run this for nearly a year now without any problems.
Having said this, there are some points to add:
First and foremost, it helped me tremendously to understand that you should use a totally unrelated domain for the mail server – especially, if you plan to serve multiple domains on it. Let’s assume you want to serve
example.com e‑mail on your server. My advise to setup this:
beispiel.deas an independent domain only for e‑mail. For my own setup, I obtained a
.dedomain, but it’s really nifty…
- Use this domain as primary domain in the setup documentation.
- Let the main e‑mail name server, usually
AAAADNS entries. After all, this setup works for both IP address spaces.
- Point the
MXentry for any domain you want to serve on your server to that
mx0.beispiel.de. Remember – the MX for a domain can be in any domain!
- After having setup the DNS for the first „real” domain, say
example.net, you can simply copy SPF, DMARC, and DKIP entries from that domain to
example.comand whichever other domain you want to serve.
- Add the IPv4 addresses and the IPv6 network of the whole server to the
/etc/postfix/main.cf. That makes your mailserver a smart host for all other servers. So, every of your virtual servers – and even the physical machine – can send e‑mail without any further setup steps. You just have to add the mail server as smart host (or forwarding host) for all outgoing e‑mail.
- Regarding the DNS setup of the mail server itself: This is the only of your virtual servers which should not use the DNS64/NAT64 setup of the physical host! This server is fully connected to IPv4, so it can reach all IPv4 servers directly. It also must do so, otherwise outgoing IPv4 connections would come from the „wrong” IPv4 address and the whole anti-spam mayhem would start again. The mail server setup instructions suggest to install a small DNS server on the mail server. Just follow that instructions and you’re done.
Setting things up like this makes the further DNS setup rather simple: All your mail clients connect to the dedicated mail server domain, in the example
mx0.beispiel.de, also those for
example.com or whatever. This way, you only need SSL certificates for the mail domain.
Consistency of DNS entries
Two things are absolutely crucial regarding the name service setup of the mail server:
- The DNS and reverse DNS entries for the mail exchange server must be consistent! The
mx0.beispiel.demust both point to the virtual server in your setup and the
PTRreverse entries of the IP addresses must point back to
mx0.beispiel.de. This is the main reason why we need that additional IPv4 address and why I strongly recommend to use a dedicated domain for this. If you fail in this setup step, you will have massive problems with outgoing e‑mail being spamblocked (and noone willing to help you…).
- It is also important that the
/etc/postfix/main.cfmust contain the full qualified domain name of that mail server, i.e.
mx0.beispiel.dein this example. The whole mail server is mainly known in DNS by its mail domain name.
Setup of mail clients
As I already explained, the mail domains which are hosted on the system can have totally different names! There are also no
PTR records needed. For each mail domain, the following steps must be done:
- An MX entry in DNS must exist and point to
- The domain and the users must be entered in the data storage for postfix and dovecot (no reboot required after changes). Just follow the setup description of Thomas Leister above.
- Users set the login name in their mail programs to e.g.
- They should, as already explained, set IMAP and SMTP server name to the name of the mail server, e.g.
mx0.beispiel.de, not to anything in their actual domain! Even if there are DNS entries pointing to the mail server, there would be massive certificate warnings as the SSL certificates do not contain the mail domains, but only the domain of the mail server.
As I wrote, I use this setup now for almost a year without any problems. I’ve also added a number of domains to my server. This takes only minutes, works without problems and covers all kinds of setups like local delivery, delivery to multiple addresses, forwarding, catch-all addresses. It is a really fine thing.
You might miss a webmail interface. I have decided not to add that to the mail server, but to one of the virtual web servers. Setup of those is covered in the next article of this series. Stay tuned.
2020-03-19: Enhance description of Netplan-based configuration of the host