Setup Your Own Email Server

E-mail is one of the oldest components of the Internet that is still recognizable today, and it is complex. At the same time, email is one of the most critical resources for your business.

From a normal person’s point of view, email seems easy: sign up and your provider gives you an e-mail address. There are lots of providers like Google, Hotmail, Yahoo, etc. who will hook you up with an e-mail account, plenty of online storage and lots of value-added features.

Then why the heck would you want to setup your own e-mail solution?

Reason: because if it is in the cloud, it is not yours. If you choose a free email provider, you rely on them for your security and privacy. You have no control over who can read your messages; your data is mined and a marketing profile is extracted from it, and you have no way of knowing whether your inbox has been handed over in response to a government request. You see adverts every time you log into your mailbox. Another reason is cost: if you own a domain and use domain-based email for your small or medium-sized business, you pay your email provider an annual fee for every account, and that fee grows with the number of accounts in your organization. In either situation you may want to host your own email server.

Pitfalls and Caveats

E-mail server setup is hard but not impossible. It has many parts, and the data those parts depend on (DNS records, blacklists, spam signatures) changes continuously. Running your own email solution gives you full control over your data and privacy, but there are pitfalls and caveats, the biggest of which is that if you run your own e-mail server, you are the sysadmin. The upside is that no bored or tired customer service rep is needed to reset your e-mail passwords. The downside is that you are responsible for the care and maintenance of the system. This is not impossible, but it is never-ending: applying critical updates to the server is your job, and so is keeping track of when those updates come out.

Most important of all: if you screw up and your server is compromised or used as a spam relay, your domain and IP address will almost certainly be listed on blacklists. Your ability to send and receive e-mail will be diminished or perhaps even eliminated, and getting yourself removed from email blacklists is a very difficult task. So, you have been warned once again.

Assumptions & Prerequisites

So you want your own e-mail server. Excellent! The first decision is where you are going to put it. You need a static IP address on your internet connection; ISPs generally assign a dynamic IP to your modem, and you have to pay extra for a static one. On a residential connection you will face further challenges: the standard TCP ports for email (25 in particular) are often blocked, and your IP address may already be listed on one or more blacklists simply because it sits in a dynamic or residential range. You can use MXToolBox to see whether your address is on a blacklist.

[Screenshot: MXToolBox blacklist check]

If you just want to do this at home with a non-functional test domain for learning, a virtual machine will do just fine; but if you want to set up a real email server for your business, you will either need a business-class internet connection with unblocked ports and a non-blacklisted IP address, or a hosting service. You don’t need a high-end dedicated server, but you do need at least a VPS with enough control to install software from the command line.

You also need a registered domain name if you are setting up a real email server, which means you need a registrar and an external DNS provider. There are lots of registrars to choose from: GoDaddy, Namecheap, HostGator, etc.

MUA, MTA, and MDA

MUA – Mail User Agent – The program that runs on your computer, like Microsoft Outlook or Thunderbird.
MTA – Mail Transfer Agent – The program that runs on the server and actually transmits email messages between servers, speaking SMTP. For example Postfix, Sendmail, qmail, etc.
MDA – Mail Delivery Agent – The program that takes messages from the MTA and places them into the users’ mailboxes. The same software usually also serves those mailboxes to clients over POP or IMAP. For example Dovecot.

In this tutorial, I am going to demonstrate how to install and configure Zimbra Collaboration Suite (ZCS) in CentOS 7. Zimbra Collaboration Suite (ZCS) is a collaborative software suite, which includes an email server and web client.

The following guide shows the basic steps to install and configure Zimbra Collaboration Suite 8.6 Open Source Edition as a single-server installation on CentOS 7, where all three components (Zimbra MTA, Zimbra LDAP server and Zimbra mailbox server) run on one server.

Basic Requirements

  • Server or Virtual Machine running with CentOS 7 64-bit
  • Memory: 4 GB is required (8 GB recommended)
  • CPU: 2.0 GHz or more
  • There should be no other services like web server, database or MTA services running on server
  • DNS A record with fully qualified domain name must be configured to resolve host name
  • The firewall should either be disabled or allow the ports Zimbra needs: 25 and 587 (SMTP delivery and client submission), 995 and 993 (POP3S and IMAPS), 80 and 443 (webmail), and 7071 (admin console, which should be reachable only from your LAN).

Initial Setup

  • Install CentOS 7 on the Server or Virtual Machine
  • Login as a root user on CentOS server
  • Set the hostname to mail.techtutsonline.com with following command:
# hostnamectl set-hostname mail.techtutsonline.com
  • Disable SELinux and the firewall with the following commands. The Zimbra 8.6 installation guide requires SELinux to be disabled; note that setenforce 0 only lasts until the next reboot, so also set SELINUX=disabled in /etc/selinux/config. Stopping firewalld is the quick route; the better route is to leave it running and allow only the ports listed under Basic Requirements:
# setenforce 0
# systemctl stop firewalld
# systemctl disable firewalld
  • Make sure that other services like HTTP, database and MTA services are not running on the server, since Zimbra ships its own copies (nginx, MariaDB, Postfix) that need the same ports. Stop and disable them so that they won’t start at boot with the following commands (errors about units that are not loaded just mean the package is not installed):
# systemctl stop httpd
# systemctl disable httpd
# systemctl stop mysqld
# systemctl disable mysqld
# systemctl stop postfix
# systemctl disable postfix
# systemctl stop sendmail
# systemctl disable sendmail
  • Update your CentOS to make sure it has installed all the latest security updates with the following command:
# yum update -y
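If you would rather not switch the firewall off, the following script keeps firewalld running and allows only the ports Zimbra needs, with the admin console (7071) and the DNS server configured later in this tutorial restricted to the LAN. It is an added example, not part of the original tutorial; it assumes the 192.168.0.0/24 LAN and the firewall-cmd front end that CentOS 7 ships with firewalld. Without arguments it only prints the commands; run it with --apply as root to execute them.

```shell
#!/bin/sh
# Added example (not from the original tutorial): allow only Zimbra's ports in
# firewalld instead of disabling the firewall outright.
# Assumptions: LAN is 192.168.0.0/24 (override with LAN_NET), firewall-cmd is
# present (CentOS 7 firewalld). Default is a dry run that prints the commands.

LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Reachable from anywhere: SMTP delivery (25), SMTPS/submission (465/587),
# IMAPS/POP3S (993/995) and webmail (80/443).
# Add 110/tcp 143/tcp only if clients still need POP3/IMAP with STARTTLS.
PUBLIC_PORTS="25/tcp 465/tcp 587/tcp 993/tcp 995/tcp 80/tcp 443/tcp"
# LAN only: the admin console and the BIND server set up later in the tutorial.
LAN_ONLY_PORTS="7071/tcp 53/tcp 53/udp"

# Print the firewall-cmd invocations, one per line, ending with a reload.
zimbra_firewall_cmds() {
    for p in $PUBLIC_PORTS; do
        echo "firewall-cmd --permanent --zone=public --add-port=$p"
    done
    for p in $LAN_ONLY_PORTS; do
        port="${p%/*}"; proto="${p#*/}"
        # A rich rule accepts the port only from LAN_NET; no plain --add-port for it.
        echo "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"$LAN_NET\" port port=\"$port\" protocol=\"$proto\" accept'"
    done
    echo "firewall-cmd --reload"
}

case "${1:-}" in
    --apply)
        # Execute each generated command in turn (run as root).
        zimbra_firewall_cmds | while IFS= read -r cmd; do eval "$cmd"; done ;;
    *)
        # Dry run: show what would be applied.
        zimbra_firewall_cmds ;;
esac
```

Review the printed commands first; once applied, `firewall-cmd --list-all` should show the public ports plus the two rich rules, and nothing on 7071 from outside the LAN.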

Install and configure DNS Server in CentOS 7

CentOS uses the BIND (Berkeley Internet Name Domain) package for DNS. To install BIND, run the following command:

# yum install bind bind-utils -y

The main configuration file of BIND is /etc/named.conf. Edit it with your favorite text editor; I am going to use vim:

# vim /etc/named.conf

If vim is not installed, you can install it using yum install vim -y command.

Make sure the options block contains the following settings (leave the other options from the default file in place). The IP address (192.168.0.250) and network (192.168.0.0/24) must match your own organization; keeping allow-query restricted to localhost and your LAN also stops the server from being abused as an open resolver from the internet:

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.250; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.0.0/24; };   /* answer only your own LAN */
        forwarders      { 8.8.8.8; };                     /* upstream resolver for everything else */
};

At the end of file, enter the following information:

zone "techtutsonline.com" IN {
type master;
file "fwd.techtutsonline.com";
allow-update {none;};
};

zone "0.168.192.in-addr.arpa" IN {
type master;
file "0.168.192.in-addr.arpa";
allow-update {none;};
};

Keep the last two lines of the file as shown below:

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Now, save and close the file.

Now create the zone files, with exactly the same names as referenced in /etc/named.conf, in the /var/named directory.

To create forward lookup file, enter the following command:

# vim /var/named/fwd.techtutsonline.com

Copy the following information to file and save the file.

$TTL 86400
@   IN  SOA     ns1.techtutsonline.com. support.techtutsonline.com. (        
2010031500  ;Serial        
3600        ;Refresh        
1800        ;Retry        
604800      ;Expire        
86400       ;Minimum TTL
) 

@   IN  A           192.168.0.250
@   IN  NS          ns1
@   IN  MX          10 mail.techtutsonline.com. 

ns1     IN  A   192.168.0.250
mail    IN  A   192.168.0.250

Note: Adjust the IP and names as per your organizational setup. I assume that IP for my mail server is 192.168.0.250 and hostname is mail.techtutsonline.com.

Similarly create the file for reverse lookup. To create the reverse lookup file, enter the following command:

# vim /var/named/0.168.192.in-addr.arpa

Note that the name of the reverse lookup file (and zone) is the network part of your mail server’s subnet in reverse octet order, followed by in-addr.arpa. For more information on network IDs and subnetting, see IP Subnetting. In my case the network ID is 192.168.0, so the reverse zone is 0.168.192.in-addr.arpa.

Copy the following information to file and save it.

$TTL 86400
@   IN  SOA     ns1.techtutsonline.com. admin.techtutsonline.com. (
2010031500  ;Serial
3600        ;Refresh
1800        ;Retry
604800      ;Expire
86400       ;Minimum TTL
)

0.168.192.in-addr.arpa.      IN     NS     ns1.techtutsonline.com.

; One PTR per address: the name the mail server announces in its EHLO greeting
250 IN PTR mail.techtutsonline.com.

Note: Adjust the number 250 in the last line according to the last octet of your CentOS server’s IP address, and the names as per your organizational setup. In my case the server IP is 192.168.0.250. A single PTR per address is deliberate: receiving mail servers check that the reverse name of the connecting IP resolves back to that IP, and two PTRs make that check unreliable. Also remember that this reverse zone covers only your private LAN; the PTR for your public IP is controlled by your ISP or hosting provider, and you need to ask them to set it to your mail server’s name.

Next step is to verify if your DNS configuration files are correct. To verify the configuration files, enter the following command:

# named-checkconf -z

If the command produces no output, your configuration files are correctly formatted. The -z option also loads every zone listed in /etc/named.conf, so syntax errors in the zone files are reported here too.
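Every time you edit a zone file you must also raise its SOA serial, otherwise caches and any secondary server keep the old data (the zones above still carry the serial 2010031500). The script below, an added example that is not part of the original tutorial, bumps the serial using the common YYYYMMDDnn convention and then validates the zone with named-checkzone when that tool is installed. It assumes the serial is the first field of the line carrying the ";Serial" comment, as in the zone files above; the zone name and file path are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original tutorial): bump a zone file's SOA
# serial (YYYYMMDDnn) and validate the zone.
# Assumptions: the serial is the first field on the line commented ";Serial"
# (as in the tutorial's zone files); named-checkzone is optional.

# Print the current serial of a zone file.
zone_serial() {
    awk '/;[ \t]*Serial/ { print $1; exit }' "$1"
}

# Compute the next serial: today's date + 01, or the next two-digit
# revision if the current serial is already from today.
next_serial() {
    cur="$1"; today="$(date +%Y%m%d)"
    if [ "${cur%??}" = "$today" ]; then
        rev="${cur#"$today"}"
        printf '%s%02d\n' "$today" "$((${rev#0} + 1))"
    else
        printf '%s01\n' "$today"
    fi
}

# Rewrite the serial in place, validate, and print the new serial.
# Usage: bump_zone techtutsonline.com /var/named/fwd.techtutsonline.com
bump_zone() {
    zone="$1"; file="$2"
    old="$(zone_serial "$file")"
    new="$(next_serial "$old")"
    # Only the serial line changes; everything else is copied verbatim.
    awk -v old="$old" -v new="$new" '
        /;[ \t]*Serial/ && !done { sub(old, new); done = 1 }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    if command -v named-checkzone >/dev/null 2>&1; then
        # Report goes to stderr so stdout carries only the new serial.
        named-checkzone "$zone" "$file" >&2
    fi
    echo "$new"
}

if [ $# -eq 2 ]; then
    bump_zone "$1" "$2"
fi
```

After bumping both zones, run rndc reload (or systemctl restart named) so BIND serves the new serial; a zone edited more than 99 times in one day would overflow the two-digit revision, which is rare enough to handle by hand.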

Now, start the DNS service with following commands:

# systemctl enable named.service 
# systemctl start named.service

Make sure that the DNS service starts fine. You can check the status of service with following command:

# systemctl status named.service

named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2016-03-19 20:16:37 IST; 1 day 18h ago
 Main PID: 2166 (named)
   CGroup: /system.slice/named.service
           └─2166 /usr/sbin/named -u named

Preparing To Install Zimbra

Edit the /etc/hosts file with following command:

# vim /etc/hosts

The file should contain only the information as shown below:

127.0.0.1   localhost.localdomain localhost
192.168.0.250  mail.techtutsonline.com mail

Of course adjust the server IP and server FQDN as per your need.

Next step is to edit the /etc/resolv.conf file. Use the following command to edit the file:

# vim /etc/resolv.conf

The file should contain only the information as shown below:

search techtutsonline.com
nameserver 192.168.0.250

Remove any other lines from this file and adjust the server IP and domain name as per your need. Note that NetworkManager rewrites /etc/resolv.conf whenever the network is restarted; set PEERDNS=no and DNS1=192.168.0.250 in the interface’s /etc/sysconfig/network-scripts/ifcfg-* file so your change survives.

Now, Restart network service with following command:

# systemctl restart network

Zimbra depends heavily on DNS. If your DNS server is not configured correctly or is not working, you are going to have trouble with Zimbra, so before starting the Zimbra installation I recommend testing your DNS server.

Below are some commands that will help you test DNS functionality, each followed by its expected output.

# nslookup techtutsonline.com

The output should be something as shown below:

Server:         192.168.0.250
Address:        192.168.0.250#53
Name:   techtutsonline.com
Address: 192.168.0.250

If the above test is successful, run the dig command as shown below:

# dig techtutsonline.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> techtutsonline.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47064
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;techtutsonline.com.                    IN      A

;; ANSWER SECTION:
techtutsonline.com.             86400   IN      A       192.168.0.250

;; AUTHORITY SECTION:
techtutsonline.com.             86400   IN      NS      ns1.techtutsonline.com.

;; ADDITIONAL SECTION:
ns1.techtutsonline.com.         86400   IN      A       192.168.0.250

;; Query time: 0 msec
;; SERVER: 192.168.0.250#53(192.168.0.250)
;; WHEN: Mon Mar 21 15:16:43 IST 2016
;; MSG SIZE  rcvd: 89

The MX record is the record other mail servers look up to find where to deliver mail for your domain, so it is one of the most important components. To check the MX record of your domain, run the dig command as shown below:

# dig techtutsonline.com mx
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> techtutsonline.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36270
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:
;techtutsonline.com.                    IN      MX

;; ANSWER SECTION:
techtutsonline.com.             86400   IN      MX      10 mail.techtutsonline.com.

;; AUTHORITY SECTION:
techtutsonline.com.             86400   IN      NS      ns1.techtutsonline.com.

;; ADDITIONAL SECTION:
mail.techtutsonline.com.        86400   IN      A       192.168.0.250
ns1.techtutsonline.com.         86400   IN      A       192.168.0.250 

;; Query time: 0 msec
;; SERVER: 192.168.0.250#53(192.168.0.250)
;; WHEN: Mon Mar 21 15:17:32 IST 2016
;; MSG SIZE  rcvd: 110

You can also try dig command as shown below.

# dig techtutsonline.com any

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> techtutsonline.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29582
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:
;techtutsonline.com.                    IN      ANY

;; ANSWER SECTION:
techtutsonline.com.             86400   IN      SOA     ns1.techtutsonline.com. support.techtutsonline.com. 2010031500 3600 1800 604800 86400
techtutsonline.com.             86400   IN      A       192.168.0.250
techtutsonline.com.             86400   IN      NS      ns1.techtutsonline.com.
techtutsonline.com.             86400   IN      MX      10 mail.techtutsonline.com.

;; ADDITIONAL SECTION:
ns1.techtutsonline.com.         86400   IN      A       192.168.0.250
mail.techtutsonline.com.        86400   IN      A       192.168.0.250 

;; Query time: 0 msec
;; SERVER: 192.168.0.250#53(192.168.0.250)
;; WHEN: Mon Mar 21 15:19:25 IST 2016
;; MSG SIZE  rcvd: 170

Final verification of DNS Server

Run the command host $(hostname) and check the output. The output of command should be exactly as shown below:

# host $(hostname)

mail.techtutsonline.com has address 192.168.0.250
# host -t mx techtutsonline.com

techtutsonline.com mail is handled by 10 mail.techtutsonline.com.

If output of commands does not match the above output, check your /etc/resolv.conf and /etc/hosts files and ensure the information is correct.

Install ZCS Open Source Edition

Before starting the installation of Zimbra, make sure that its dependencies are installed; without them the installer stops. The Zimbra 8.6 guide lists specific package builds (sudo-1.8.6p7-13, libidn-1.28-3, gmp-6.0.0-11, libaio-0.3.109-12, libstdc++-4.8.3-9, unzip-6.0-13, perl-5.16.3), but pinning those exact builds fails once the CentOS repositories have moved on, so install the packages by name and let yum pick the current build. NPTL is part of glibc and is not a separate package. Install everything with a single command:

# yum install nmap-ncat sudo libidn gmp libaio libstdc++ unzip perl-core perl sysstat sqlite -y

Once all the dependency packages get installed, follow the procedure below:

  • Create a new directory, enter it and download the Zimbra Collaboration Open Source Edition package with the following commands:
# mkdir /zimbra
# cd /zimbra
# wget https://files.zimbra.com/downloads/8.6.0_GA/zcs-8.6.0_GA_1153.RHEL7_64.20141215151110.tgz
  • Extract the “zcs-8.6.0_GA_1153.RHEL7_64.20141215151110.tgz” package in the same directory:
# tar zxvf zcs-8.6.0_GA_1153.RHEL7_64.20141215151110.tgz
  • Change into the newly created directory, which contains all the Zimbra packages you just extracted:
# cd zcs-8.6.0_GA_1153.RHEL7_64.20141215151110/
  • Run the installation script (the --platform-override flag tells the RHEL7 installer to accept CentOS):
[root@mail zcs-8.6.0_GA_1153.RHEL7_64.20141215151110]# ./install.sh --platform-override

The installation script checks the installation software to verify that Zimbra packages are present.

Press “Y” to accept the License Agreement.

Press “Y” to install all the required packages and “N” for the rest that you don’t want to install.

[Screenshot: Zimbra package selection]

Now press “Y” to continue; the system will be modified with the packages selected above.

  • After these selections you come to the main configuration menu, where you can adjust each package’s settings.

i). Select option 1 (Common Configuration) and check its settings (hostname, LDAP host, time zone).
ii). Press r to return to the main menu. The item that still needs attention is flagged with ***: in the 8.6 installer the admin password lives in the zimbra-store submenu (menu numbers vary, so go by the flag), where item 4 is Admin Password.
iii). Set a strong admin password; this account has full control over every mailbox and is what the admin console port exposes.
iv). Press r to return to the main menu.
v). When you see *** CONFIGURATION COMPLETE – press ‘a’ to apply
vi). Type ‘a’ and press enter.
vii). Type ‘y’ twice to confirm and the configuration will be saved to a file.
viii). Applying it takes a while depending on the speed of your server. When setup completes you will see Configuration complete – press return to exit.

Start Zimbra Services

The Zimbra installation script creates a system user named zimbra on your server. All Zimbra management commands run as that user, so switch to it:

# su - zimbra
Last login: Tue May  3 03:39:09 IST 2016
[zimbra@mail ~]$

Because you are root, su does not ask for a password, and the prompt changes to $. Leave it that way: the zimbra account is a service account and should not be given a password or SSH access of its own.

To start Zimbra services, enter the following command:

[zimbra@mail ~]$ zmcontrol start

To check the status of Zimbra services any time, enter the command:

[zimbra@mail ~]$ zmcontrol status
Host mail.techtutsonline.com
        amavis                  Running
        antispam                Running
        antivirus               Running
        cbpolicyd               Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        memcached               Running
        mta                     Running
        opendkim                Running
        proxy                   Running
        service webapp          Running
        snmp                    Running
        spell                   Running
        stats                   Running
        zimbra webapp           Running
        zimbraAdmin webapp      Running
        zimlet webapp           Running
        zmconfigd               Running

Similarly you can use zmcontrol stop command to stop all the services and zmcontrol restart to restart all the Zimbra services.

Access Zimbra Web Admin Panel

All further activities like creating email accounts for users, resetting passwords, assigning quotas, etc. are done in the Zimbra web administration console. To access it, launch your favorite web browser and go to:

https://mail.techtutsonline.com:7071 OR https://192.168.0.250:7071

Port 7071 should be reachable only from your LAN or a VPN; never forward it through your router.

[Screenshot: Zimbra web admin console login]

Login with user: admin and password you set during installation.

The Zimbra administration console will look like image shown below:

[Screenshot: Zimbra web admin console]

Here you can create and manage email accounts, distribution lists and reset passwords and much more.

Similarly, your users can access the webmail client by pointing their browser at https://mail.techtutsonline.com. They can also use email clients such as Microsoft Outlook or Mozilla Thunderbird, configured with IMAPS or POP3S for reading and the submission port 587 (STARTTLS) for sending.

What’s Next?

Zimbra is designed to work out of the box. As soon as the installation completes and the services are up, you can send email to internal and external domains and receive mail from users in your own domain (techtutsonline.com in my case). To receive mail from other domains on the internet, however, you need a public domain name from a registrar, and you must log in to the registrar’s control panel and set the MX record for your domain. By default most registrars point the MX record at their own mail servers; to use the Zimbra server configured above you need to point it at your own server instead. That server must be reachable on a public IP: private address space is not routable on the internet, so you need a static public IP that every other mail server can see and connect to.

To obtain a public IP, ask your ISP; they will provide a static IP for a fee. Most people today use DSL connections, so let’s assume a simple DSL broadband connection. Normally the ISP does not assign a static IP to your modem: the modem receives a random public IP every time it restarts. To get your Zimbra server working you need a static IP that does not change when the modem is restarted. Once you have it, configure it on the modem (or ask your ISP to do it for you).

Port Forwarding To Zimbra Server

Now we need to set up port forwarding. Port forwarding is an application of Network Address Translation (NAT) that redirects a request for one address and port combination to another as the packets traverse a gateway such as a router or firewall. When anyone on the internet sends traffic to your static public IP on the mail ports (25 for delivery from other mail servers, 587 for your clients sending mail, 995 and 993 for clients reading mail, 443 for webmail), the gateway (modem/router/firewall) forwards it to the Zimbra server inside your LAN at its private address (192.168.0.250). Forward only what you need: the plaintext POP3 and IMAP ports (110, 143) are unnecessary when clients use 995/993, and the admin console port 7071 must never be forwarded.

Log in to your modem/router and look for the port forwarding or virtual servers option. For example, I am using a Binatone ADSL2 modem, which calls this option Virtual Servers; it is under Advanced Setup and then NAT. If you are using another brand, search for Port Forwarding or Virtual Servers.

Once you are in the correct place, start adding your port forwarding rules. You have to specify or select the application name, protocol, start/end port and local IP address. See the following example for help.

To verify your port forwarding, open a command prompt and run telnet public_IP 587 (and the same for port 25). If the server answers with an SMTP banner beginning with 220, port forwarding is working; if you get an error, re-check your configuration. Run this test from outside your network: many consumer routers do not loop traffic from the LAN back to their own public IP.

Modify Domain A Record and MX Record

Log in to your domain registrar’s control panel, click Manage DNS and edit the zone file.

Modify the Host (A) record of your domain to point to the static IP address of your DSL modem (assigned by the ISP). See the example below:

[Screenshot: A record (DNS)]

Click Add Record and create a new Host (A) record with the hostname mail and your modem’s static IP. This is the host the MX record will reference.

Then modify the MX record so that it points to mail.techtutsonline.com. An MX record must name a host, never an IP address; the host’s A record carries the IP.

[Screenshot: MX record (DNS)]

Once you have modified the records, the change spreads as resolvers’ caches expire; depending on the TTL of the old records it can take up to 48 hours before every resolver in the world sees the new values.

To confirm that the new records are visible and your PC resolves your domain to your static IP, use the nslookup command as shown below:

[Screenshot: nslookup]

Note the IP address returned by nslookup. If it is your modem’s static IP, the change has propagated and your Zimbra server can start receiving email for your domain from the outside world (internet).
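The nslookup test above only proves that the A record resolves. A receiving mail server also checks that your MX names a host, that the host resolves to the IP it is talking to, and that the reverse (PTR) record of that IP maps back to the same host. The script below performs that chain of lookups from a public resolver, so it sees what the rest of the internet sees rather than your internal BIND. It is an added example and not part of the original tutorial; it assumes dig (from bind-utils) is installed and that 8.8.8.8 is an acceptable resolver to query.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify MX -> A -> PTR
# consistency (forward-confirmed reverse DNS) for a mail domain as seen
# from a public resolver.
# Assumptions: dig is installed; RESOLVER defaults to 8.8.8.8.
# Usage: sh check_mail_dns.sh techtutsonline.com

RESOLVER="${RESOLVER:-8.8.8.8}"

# Read "pref host." lines (dig +short output for MX) on stdin and print the
# lowest-preference host without its trailing dot.
mx_target() {
    sort -n | awk 'NR == 1 { sub(/\.$/, "", $2); print $2 }'
}

# True when the MX target looks like a hostname rather than an IP literal.
# RFC 5321 forbids an IP address as an MX target.
mx_is_hostname() {
    case "$1" in
        *[!0-9.]*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Compare forward and reverse names; prints "ok" or the reason for failure.
# Arguments: mx host, its A record, the PTR name of that address.
fcrdns_verdict() {
    mxhost="$1"; a="$2"; ptr="${3%.}"
    if [ -z "$a" ]; then
        echo "no A record for $mxhost"
    elif [ -z "$ptr" ]; then
        echo "no PTR for $a (ask your ISP to set it to $mxhost)"
    elif [ "$ptr" = "$mxhost" ]; then
        echo "ok"
    else
        echo "PTR $ptr does not match $mxhost"
    fi
}

# Run the full chain for one domain using the public resolver.
check_domain() {
    domain="$1"
    mx="$(dig +short @"$RESOLVER" "$domain" MX | mx_target)"
    if [ -z "$mx" ]; then echo "no MX record for $domain"; return 1; fi
    if ! mx_is_hostname "$mx"; then echo "MX must name a host, not an IP: $mx"; return 1; fi
    a="$(dig +short @"$RESOLVER" "$mx" A | head -n 1)"
    ptr=""
    if [ -n "$a" ]; then ptr="$(dig +short @"$RESOLVER" -x "$a" | head -n 1)"; fi
    echo "MX=$mx A=$a PTR=$ptr -> $(fcrdns_verdict "$mx" "$a" "$ptr")"
}

if [ -n "${1:-}" ]; then
    check_domain "$1"
fi
```

A "no PTR" or mismatch result is fixed by your ISP or hosting provider, not in your own BIND: the reverse zone you created earlier covers the private LAN only.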

Also make sure that you can connect to your public IP and to your domain name on the SMTP and POP3 ports; that proves port forwarding and DNS are both working. Keep the roles of the ports straight: port 25 must stay open because that is where other mail servers deliver mail to you, while your own users should never use plain SMTP on 25 or plain POP3 on 110. They should use the submission port 587 with STARTTLS and POP3S on 995 (or IMAPS on 993).

[Screenshot: telnet test]
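Seeing a banner on telnet only proves that the port is open. What you actually want to know before announcing your MX to the world is whether port 587 offers STARTTLS and whether either port will relay mail for a foreign domain without authentication, because an open relay is exactly what gets a domain blacklisted. The script below talks SMTP to both ports, asks to relay from one made-up external address to another, and classifies the answers. It is an added example and not part of the original tutorial; it assumes nc is nmap-ncat (installed with the dependencies above), that MAIL_HOST is your server’s public name or IP, and the probe addresses probe@example.net and relaytest@example.org are throwaway values that only need to be outside your own domain.

```shell
#!/bin/sh
# Added example (not from the original tutorial): probe the server the way a
# spammer would. Checks STARTTLS on each port and tries an unauthenticated
# relay to a foreign domain; the RCPT TO reply decides the verdict.
# Assumptions: nc is nmap-ncat; MAIL_HOST is the public name or IP; the
# example.net/example.org addresses are constructed test values.
# Usage: MAIL_HOST=mail.techtutsonline.com sh smtp_probe.sh --run

MAIL_HOST="${MAIL_HOST:-mail.techtutsonline.com}"

# Plain TCP conversation; the sleeps give the server time to answer each
# command so we never pipeline before the EHLO reply.
smtp_transcript() {
    host="$1"; port="$2"
    {
        sleep 2
        printf 'EHLO probe.example.net\r\n';          sleep 2
        printf 'MAIL FROM:<probe@example.net>\r\n';   sleep 2
        printf 'RCPT TO:<relaytest@example.org>\r\n'; sleep 2
        printf 'QUIT\r\n'
    } | nc -w 10 "$host" "$port" 2>/dev/null
}

# Does the EHLO response advertise STARTTLS? Prints yes or no.
starttls_offered() {
    if printf '%s\n' "$1" | grep -qi '^250[ -]STARTTLS'; then echo yes; else echo no; fi
}

# Final reply lines are "NNN " (a space, not a dash, after the code). In
# order they are: greeting, EHLO, MAIL FROM, RCPT TO, QUIT.
relay_verdict() {
    mail="$(printf '%s\n' "$1" | grep -E '^[0-9]{3} ' | sed -n '3p')"
    rcpt="$(printf '%s\n' "$1" | grep -E '^[0-9]{3} ' | sed -n '4p')"
    case "$mail" in
        250*) ;;
        *) echo "inconclusive (MAIL FROM refused, TLS or auth may be required first): $mail"; return 0 ;;
    esac
    case "$rcpt" in
        250*) echo "OPEN-RELAY: $rcpt" ;;
        5*)   echo "rejected: $rcpt" ;;
        *)    echo "inconclusive: $rcpt" ;;
    esac
}

probe_all() {
    for port in 25 587; do
        t="$(smtp_transcript "$MAIL_HOST" "$port")"
        echo "port $port: STARTTLS=$(starttls_offered "$t") relay=$(relay_verdict "$t")"
    done
}

if [ "${1:-}" = "--run" ]; then
    probe_all
fi
```

Run it from outside your LAN. The healthy result is STARTTLS=yes on both ports and relay=rejected (a 5xx such as "Relay access denied") on both; an OPEN-RELAY verdict means stop and fix the MTA before anything else, and an "inconclusive" on 587 with a 530 reply simply means the server insists on TLS before MAIL FROM, which is the stricter and better behaviour.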

You can use the Zimbra web administration console to add more domains to your infrastructure, and you can also set up multiple Zimbra mail servers to minimize the risk of downtime.

In the next article we will look into how to make your Zimbra mail server more secure from spammers and attackers on internet. So, stay tuned for more.


Microsoft Certified Professional | Cisco Certified Network Associate
