Secure silent mail server

An Openismus client demanded that all email communication with them should be over TLS tunnelling, with the mail server being on-site, so my regular hosted mail accounts won’t do, and even a hosted server wouldn’t be enough. Frankly, I’d rather not have the trouble and expense of maintaining my own servers, but it’s a nice client so to please them I set up a mail server like so:

  • Buy a quiet (no fan) low-power PC. I chose an ichbinleise PC LL10. It’s not very pretty or powerful or small, but it’s enough for a mail server. Ichbinleise (MR Computertechnik), seem to use cases and parts from Silverstone.
    • The new AMD Geode-based PCs are cheaper and require much less power, but pre-built systems don’t seem to be properly on the market yet.
    • This list of mini PCs is interesting.
    • It’s not low-power and fanless, I think, but the A-Open Mini PC is pleasantly Mac Mini-like, though I suppose the new Intel Mac Minis will support Linux distros some time soon.
  • Get a new DSL broadband login from Via, so I can have a static IP address. The contrast between their web site (simple, what you need) and service (simple, quick) and that of T-Online/Deutsche-Telekom (insanely complex, obscure, bureaucratic, inflexible, expensive) is vast.
  • Get an extra domain name just for this email account. I’m not going to risk putting my regular email through this experimental system.
  • The domain registrar doesn’t let me enter IP addresses for the DNS name server, so I can’t set up my own DNS server that specifies which of the PCs on my network is the mail server, and of course I can’t create a ns.something.com without having a DNS server. This is probably normal – I wonder how this chicken-and-egg problem is normally solved. So, I used EasyDNS to get a DNS server, and told the domain registrar to use that name server. Then my DNS entries at EasyDNS specify my static IP address.
  • I set up port-forwarding rules on my router (a cheap wireless/DSL thing that I got from Deutsche Telekom), telling it to direct traffic on the POP and IMAP ports to the mail server PC.
  • Instead of using port forwarding, I suspect I could have a local DNS server (which would know about the IP addresses on my local subnet) in addition to the EasyDNS server (which can’t use my local IP addresses because they aren’t really assigned, being behind a NAT), but I’m not sure how that would work.
  • Now to install the mail server software:
    • I tried Ubuntu Breezy (I have one thousand CDs, so it’s easy to find one, and was too lazy to download Dapper), but installation failed half-way saying there was a problem with the CD drive.
    • Ubuntu Dapper installed perfectly.
    • Thanks to a reply to my previous blog about mail servers, I found a great page about installing an email server on Ubuntu. It explained what the point of the different parts is, and told me exactly what to do to install postfix and dovecot with support for IMAP and SMTP using TLS. There’s a scary series of commands that it tells me to type in, but if I have to do that then I’d rather not have to figure it out by myself.
    • I found it odd that the email account is defined by the Linux shell account, with the same password, so I’d have to add a new shell account just to add a new email account. Those wiki documents mention something about virtual mail hosts, but they seem to be about serving mail for multiple domains. Maybe that’s also how you separate email accounts from shell accounts.
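The TLS requirement the post opens with has to be enforced on both ends of this stack, not just installed. As an added example (not from the original post or the linked Ubuntu guide), these are the settings that make the Postfix and Dovecot installation above refuse plaintext logins and force certificate-verified TLS for mail to the client's domain; Postfix 2.3+ and Dovecot 2.x parameter names are assumed (the releases shipped with Dapper used older names), and mail.example.org, client.example and the certificate paths are placeholders.

```ini
# --- /etc/postfix/main.cf (TLS-related settings only) ---
# Inbound (smtpd): offer STARTTLS to every peer, refuse plaintext logins,
# and record the negotiated TLS parameters in the Received: header for auditing.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
# Placeholder paths: substitute the server's own certificate and private key.
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key

# Outbound (smtp): opportunistic TLS to the world, mandatory TLS per destination.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing) ---
# "secure": TLS is mandatory AND the peer certificate must chain to a trusted CA
# and carry the given name; if that fails the mail is deferred, never sent in clear.
# "encrypt" would be the weaker minimum: mandatory TLS without certificate checks.
# client.example and mail.client.example are placeholders for the client's real names.
client.example        secure match=mail.client.example

# --- /etc/dovecot/dovecot.conf (Dovecot 2.x syntax) ---
# IMAP side of the same requirement: TLS on every connection, no plaintext passwords.
ssl = required
disable_plaintext_auth = yes
ssl_cert = </etc/ssl/certs/mail.example.org.pem
ssl_key = </etc/ssl/private/mail.example.org.key
```

After `postmap /etc/postfix/tls_policy` and a reload, `openssl s_client -starttls smtp -connect mail.example.org:25` run from outside the NAT should show STARTTLS being negotiated, and the Received: headers on mail arriving from the client's server will record the protocol and cipher used.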

9 thoughts on “Secure silent mail server”

  1. “of course I can’t create a ns.something.com without having a DNS server. This is probably normal – I wonder how this chicken and egg problem is normally solved.”

    This is usually done by creating NS entries in the WHOIS database.

  2. The out-of-the-box behavior of Dovecot is just to handle email for shell accounts on the server, but the virtual mail hosting should pretty much be able to handle separating accounts. There’s more info about setting it up in the dovecot wiki at http://wiki.dovecot.org/VirtualUsers.

    One of the other mail servers that the Ubuntu help page covers is Cyrus, which only supports operating on virtual user accounts. I’ve always found it to be significantly more effort to make it work comfortably, but I’m not really their target use case.

  3. Did you know that with your easyDNS account you could use our outbound SMTP with TLS?

    Not sure if that helps you in this situation.

  4. Mark, thanks for the information. I already had TLS SMTP with my regular host (dreamhost), but this client needs it to be real end-to-end security, so it can’t be off-site. Yes, that is unusual to me.

  5. Another advantage of the aforementioned Cyrus IMAP is that you don’t need UNIX accounts to have mailboxes, as everything is stored inside of the Cyrus mail db (db4) and uses Cyrus SASL as a password auth, which can use GSSAPI and Kerberos for auth if required.

    Regarding your DNS registrar and your nameserver problem, I’d suggest trying 123reg.co.uk; they have excellent servers which update almost immediately, and they have their own DNS servers which you are free to use for pointing to whatever IP address you wish. They don’t however support dynamic DNS, so you’ve got to ensure that your IP won’t change (static or always on).

  6. I run Ubuntu 6.06 LTS on my G4-based Mac mini and use it as an (almost-)silent media box. Works great! The only missing components are Flash and a couple of win32-only codecs that can be loaded via pitfdll or mplayer on x86. I imagine the x86 Mac mini would be even better. If I ever need another set top box, it’ll definitely be a Mac mini or one of system76.com’s Koala models.

  7. I recently purchased an x86 Mac Mini because it was the cheapest tiny dual-core-based offering around. I’ve been pleasantly surprised how awesome the cute little box actually is. It’s powerful, quiet and easy to handle. Being mostly legacy-free is a big bonus for those who want to develop tomorrow’s Linux distributions and software. And yeah, I’ve got Flash and codecs too :-)
