This is part two of a tutorial series for Running Your Own Open Source Email Server. In this tutorial, I'll guide you through configuring and customizing iRedMail's administrative back-end console, iRedAdmin. You can use iRedAdmin to add domains, manage users and more. I'll also cover how to configure your DNS records to help your server coexist well with other mail servers and their spam filters.
Administering iRedMail With iRedAdmin
As we touched on briefly in part one, iRedAdmin is the free back-end administrative console for iRedMail. It's designed to help you only with the basics of managing your mail server. A more feature-rich premium version, iRedAdmin-Pro, is available from the iRedMail team.
You don't need to upgrade and I'm not encouraging you to, but here are some of the basics about the Pro edition:
The Premium Alternative: iRedAdmin Pro
Here's a portion of the feature comparison between the free and pro versions:
Reviewing Our Configuration
You can review your iRedMail installation settings and credentials by browsing the iRedMail.tips file—wherever you moved it to for safe keeping:
It provides your initial administrator account information as well as the URL for logging in to the administrative console. Here's a portion of an example file:
iRedAdmin - official web-based admin panel:
    * Version: 0.4
    * Configuration files:
        - /usr/share/apache2/iRedAdmin-0.4/
        - /usr/share/apache2/iRedAdmin-0.4/settings.py*
    * URL:
        - https://red.lookahead.me/iredadmin/
    * Login account:
        - Username: firstname.lastname@example.org, password: xxxxxxxxxx
    * SQL database account:
        - Database name: iredadmin
        - Username: iredadmin
        - Password: XxXXXXXXXXXXXXXXXxXXXXXX
    * Settings:
        - /usr/share/apache2/iRedAdmin-0.4/settings.py
    * See also:
        - /etc/apache2/conf-available/iredadmin.conf
Let's log in again and explore our administration panel for iRedMail. Visit http://yourdomain.com/iredadmin to see the back-end login panel:
When you log in, you'll see the iRedAdmin Dashboard:
Adding a Domain
If we want our mail server to receive email for multiple domains, we can visit the Domains and Accounts page:
Click Add Domain and add your new domain name:
You'll be taken to the domain view page:
And, your new domain will appear back on the Domains list:
Of course, you'll need to add MX records with your domain name registrar for your new domain to route email to your iRedMail server. Here's an example:
lookahead.io. 1800 IN MX 10 red.lookahead.me.
From the Domains and Accounts page, click Add Users and provide the mailbox information for your next user:
When you add them, you'll be taken to the User View page:
You can make a new user an Administrator by clicking Global Admin.
If you return to the Domains and Accounts page and click on the Domain view icon, you can then click on the Users thumbnail menu to see the users associated with the domain:
And you can manage administrators with the Admin tab:
Configuring Catch-All User
I recommend you set up a catch-all mailbox with your iRedMail server. Whenever I sign up at websites, I use email@example.com as the email registration address. This helps somewhat with minimizing the data mining between advertising services by email address. It can also help you identify the source of spam generated from third parties. I describe a few more ways to enhance personal privacy here.
You must configure this manually via the database in the free version of iRedAdmin.
Follow these steps to configure a catch-all mailbox for your domain. Log in to your iRedMail server instance. Then, log in to mysql with your administrator password (also in the iRedMail.tips file listed above):
mysql -u root -p
From MySQL, for each domain, provide the forwarding mailbox address to deliver to:
use vmail;
INSERT INTO alias (address, goto) VALUES ('@yourdomain.com','firstname.lastname@example.org');
Configuring Mail Server Domain Records (DNS)
If you read "So You'd Like to Send Some Email (Through Code)", which I linked to in the last tutorial, you likely saw that mail servers now require a number of DNS settings to help them filter out likely spammers. To ensure the reliable delivery of mail from our own server, there are a few DNS settings we will want to customize.
Set Up a Reverse PTR Record
The iRedMail documentation does a good job of describing how Reverse PTR records work and why you need them:
The most common use for looking up a PTR record is done by spam filters. Concept behind this idea is that fly by night spammers who send e-mails out using fake domains generally will not have the appropriate reverse PTR setup at the ISP DNS zone. This criterion is used by spam filters to detect spam. If your domain does not have an appropriate reverse PTR record setup then chances are email spam filtering softwares MIGHT block e-mails from your mail server.
Reverse PTR records are configured by the owner of the IP address you're using, so this is likely your hosting provider. For example, in my case it's Digital Ocean, which configures your Reverse PTR automatically based on your server's hostname. Consult your hosting provider to determine the best way to configure your own Reverse PTR.
If you're receiving mail for multiple domains, setting up the Reverse PTR record with a hosting provider may be more complicated.
Set Up DomainKeys Identified Mail (DKIM)
Coding Horror describes how your server uses DKIM to help other mail servers trust you:
With DKIM, you "sign" every email you send with your private key, a key only you could possibly know. And this can be verified by attempting to decrypt the email using the public key stored in your public DNS records.
iRedMail makes this fairly easy. From Terminal, type the amavisd showkeys command (for some servers it's amavisd-new):
This will display the keys which iRedMail has configured for your server. These are the DNS settings that you need to add to configure DKIM successfully. Add these records with your DNS provider:
; key#1, domain mailserver.lookahead.me, /var/lib/dkim/mailserver.lookahead.me.pem
dkim._domainkey.mailserver.lookahead.me. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMvBfXBpfZCnyvQAcsaTVkt+t8"
  "G0HG1NgfgqKpuC+mRQTlKLNJwNzwVLXUrPc2jQSTJGuiV8OYRGTo6FkkO37/EDsh"
  "HsVtPJkOE45TOf1R3jcu3+IzaTWXI6RpqZ+QvSdYGWHQYg18xfTgK+oFkGV876iu"
  "IwxXGuhc+cJRl1NYuQIDAQAB")
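As an added example (not part of the original tutorial or of iRedMail), this Python script parses the amavisd showkeys output above, joins the quoted TXT chunks into the single value you publish, and reads the RSA key size from the p= tag so you can confirm what you are about to put in DNS. The function names are hypothetical, and the input is the record shown above embedded as a sample.

```python
import base64
import re

# Sample input: the showkeys output from the text above, embedded for an offline run.
SHOWKEYS = '''; key#1, domain mailserver.lookahead.me, /var/lib/dkim/mailserver.lookahead.me.pem
dkim._domainkey.mailserver.lookahead.me. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMvBfXBpfZCnyvQAcsaTVkt+t8"
  "G0HG1NgfgqKpuC+mRQTlKLNJwNzwVLXUrPc2jQSTJGuiV8OYRGTo6FkkO37/EDsh"
  "HsVtPJkOE45TOf1R3jcu3+IzaTWXI6RpqZ+QvSdYGWHQYg18xfTgK+oFkGV876iu"
  "IwxXGuhc+cJRl1NYuQIDAQAB")
'''

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def parse_showkeys(text):
    """Return (record_name, txt_value) with the quoted chunks joined."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith(";")]
    return lines[0].split()[0], "".join(re.findall(r'"([^"]*)"', "\n".join(lines)))

def dkim_key_info(txt_value):
    """Decode the p= tag and return (modulus_bits, public_exponent)."""
    tags = dict(t.strip().split("=", 1) for t in txt_value.split(";") if "=" in t)
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        raise ValueError("not a DKIM1 record with a public key")
    der = base64.b64decode(tags["p"], validate=True)
    _, s, _ = read_tlv(der, 0)               # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = read_tlv(der, s)         # skip the AlgorithmIdentifier
    tag, s, _ = read_tlv(der, alg_end)       # BIT STRING wrapping the RSA key
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, s, _ = read_tlv(der, s + 1)           # skip unused-bits byte, enter RSAPublicKey
    _, n_start, n_end = read_tlv(der, s)     # INTEGER modulus
    _, e_start, e_end = read_tlv(der, n_end) # INTEGER public exponent
    return int.from_bytes(der[n_start:n_end], "big").bit_length(), int.from_bytes(der[e_start:e_end], "big")

name, txt = parse_showkeys(SHOWKEYS)
print(name, dkim_key_info(txt))
```

The record above decodes as a 1024-bit RSA key; RFC 8301 requires DKIM signers to use at least 1024 bits and recommends at least 2048.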
Set Up an SPF / Sender ID Record
SPF is an anti-spam and anti-phishing method that uses DNS SPF records to define which hosts are permitted to send email for a domain. This setting is reportedly less important.
You can use the Microsoft wizard to generate an SPF DNS record for your domain. It will likely look something like this:
mydomain.com. 3600 IN TXT "v=spf1 mx mx:mydomain.com -all"
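An added example, not from the original tutorial: a small Python linter for an SPF TXT value such as the one above. It goes slightly beyond the text by checking the all qualifier, terms placed after all, repeated mechanisms, and the RFC 7208 limit of 10 DNS-lookup terms; lint_spf and its messages are hypothetical names.

```python
import re

# Terms that trigger a DNS lookup; RFC 7208 caps these at 10 per SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(owner, txt):
    """Return findings for the SPF TXT value `txt` published at domain `owner`."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    owner = owner.rstrip(".").lower()
    findings, seen, lookups, all_qualifier = [], set(), 0, None
    for raw in terms[1:]:
        qualifier = raw[0] if raw[0] in "+-~?" else "+"   # default qualifier is "+"
        m = re.match(r"([a-z0-9]+)[:=]?([^/]*)", raw.lstrip("+-~?").lower())
        if not m:
            findings.append(f"unparseable term '{raw}'")
            continue
        # A mechanism without a domain (plain "mx", "a") applies to the owner domain.
        name, target = m.group(1), m.group(2).rstrip(".") or owner
        if all_qualifier is not None:
            findings.append(f"'{raw}' follows 'all' and is never evaluated")
            continue
        if name == "all":
            all_qualifier = qualifier
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if (name, target) in seen:
            findings.append(f"'{raw}' repeats an earlier {name} for {target}")
        seen.add((name, target))
    if all_qualifier is None and not any(n == "redirect" for n, _ in seen):
        findings.append("no 'all' or redirect: unmatched senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the Internet")
    elif all_qualifier in ("~", "?"):
        findings.append(f"'{all_qualifier}all' does not hard-fail unauthorized senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings

# The record from the text above, published at mydomain.com.
print(lint_spf("mydomain.com.", "v=spf1 mx mx:mydomain.com -all"))
```

For the record above, the only finding is that mx:mydomain.com repeats the plain mx term, since mx with no domain already refers to the domain that publishes the record.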
Securing Your Server
I recommend reviewing my Securing Your Server tutorial at Tuts+. I highly recommend restricting SSH login to key-based authentication and disabling password-based login.
Next, let's double check that your SMTP server is not open to the public, i.e. exposed to spammers. Visit a tool like SpamHelp's Open Relay Test:
Enter your mail hostname or IP address and click Test. We want to see the "Error - could not connect to server" result. This ensures that our SMTP server is NOT open to spammers.
A Note on Backups
Your e-mail is vitally important to you. Make sure you back up your server. There are a number of approaches to this which I won't delve into here. For example, my provider Digital Ocean offers automated backups for a small surcharge on each droplet or instance. If you're using Amazon AWS, Skeddly provides automated backups as a service. AWS's RDS database instances provide automated backups on their own. You can also explore backing up email through mail protocols; see Gmail and IMAP backup services.
Keep in mind that each backup you create is another copy of your email, so it introduces potential security vulnerabilities and attack vectors that hackers can use to reach your mail.
In the next tutorial, I'll guide you through customizations and configurations you can make with the Roundcube web-based email client.