Building an Email Server on CloudRaya Using iRedMail
In the previous tutorial, we learned how an SMTP relay can increase email delivery. Today, we will show you how to create an email server in CloudRaya using iRedMail, a configuration that gives you full access to your email infrastructure.
- About iRedMail
- iRedMail Installation
- Exploring and Using iRedMail
iRedMail is an open-source platform based on a Linux/BSD server. The great advantage of iRedMail is its shell script, which automatically installs and configures all the components needed for an email server. iRedMail also provides mission-critical features needed to operate an email server, such as antispam, antivirus, and user management tools. Last but not least, it allows us to create an unlimited number of mailboxes and mail domains, which can be stored in database systems such as MariaDB/MySQL, PostgreSQL, or OpenLDAP.
▶️ System Requirement
There are several requirements we need to fulfill before installing iRedMail on Debian or Ubuntu Linux:
- It is highly recommended to use a vanilla server (vanilla as in no component such as MySQL, Postfix, Dovecot, etc. installed in the server), as iRedMail will automatically install all the necessary components in the installation process.
- CloudRaya recommends a VM with at least 4 GB of RAM. A VM of this size can already accommodate a low-traffic email server with antispam/antivirus protection enabled.
- Make sure the following UIDs/GIDs are not used by other users/groups: 2000, 2001, and 2002. Both commands below match on the numeric ID field (the third field) and should print nothing.
grep -E "^[^:]*:[^:]*:(2000|2001|2002):" /etc/passwd
grep -E "^[^:]*:[^:]*:(2000|2001|2002):" /etc/group
- Make sure you have the following ports open. You can open the ports in the Access Control List configuration at CloudRaya VPC. You can read more about how to open a port in CloudRaya VPC here.
▶️ Set FQDN as CloudRaya VM hostname
We will use an Ubuntu server in this tutorial.
First, we need to change the hostname of our VM. The hostname will be used by iRedMail as a link to access our web panel. Use the standard FQDN (Fully Qualified Domain Name) with the following as an example:
# hostnamectl hostname mail3.cloudforindonesia.com
Next, update the static hostname lookup table, /etc/hosts:
# nano /etc/hosts
Add our hostname in the following line:
Reboot the VM to apply the changes.
To check whether the changes have been applied, use the following:
# hostname -f
Install the following packages needed by the iRedMail installer:
# sudo apt-get install gzip dialog
▶️ Download the Latest iRedMail Version
Download the latest iRedMail version with wget and extract the archive:
# cd /root/
# wget https://github.com/iredmail/iRedMail/archive/refs/tags/1.6.2.tar.gz
# tar zxf 1.6.2.tar.gz
Open the extracted folder with the following command:
# cd iRedMail-1.6.2/
▶️ Run iRedMail Installer
Run iRedMail.sh within the folder with bash:
# bash iRedMail.sh
You can configure your email server through several pop-up dialogues that appear throughout the installation process.
Choose your storage location. The default location is
Next, choose what web server will be used for iRedMail. This tutorial will choose NGINX as the web server.
Decide which database system to store the email account. We recommend you choose the system you are familiar with. This tutorial will choose MariaDB as the database system.
Create a password for the MySQL root user.
In the next pop-up, you will be asked to input the desired domain name. You can add more email domains later in the iRedMail admin panel.
Make sure not to use the same domain as the VM hostname domain.
Next, create a password for the administrator domain email.
You will be given several optional components in the next pop-up. We recommend you install all of them.
Your final configuration will be shown to you. To install all of the mail server components as configured, type Y.
The installation process will take time. Once it completes, the iRedMail wizard will show you the list of installed components.
The last step of the process is to decide whether or not you want to activate the firewall rules provided by iRedMail. To activate it, type Y.
iRedMail installation is complete. Several important pieces of information will be shown to you, such as the URL for webmail, the URL to monitor the server through netdata, and the URL for the iRedAdmin panel with the login credential. You can find detailed information about the installation in the iRedMail.tips file.
Reboot the VM to apply the installation with the command above.
▶️ Add MX Record
Now, we need to add an MX record in our DNS management panel so that the domain we use is recognized as a mail exchange.
The function of the MX record is to choose which server is responsible for sending and receiving emails for our domain. Pointing the MX record at our server ensures our email delivery.
Create A and MX records as new records in the DNS management panel and wait for the propagation to finish (it can take up to 48 hours).
▶️ Let’s Encrypt TLS Certificate Installation
A ‘not secure’ message will appear if you attempt to access the web panel. This happens because iRedMail uses a self-signed TLS certificate. To avoid the message, you can install a TLS certificate from Let’s Encrypt for free.
⏭️ Obtain the Certificate
Access the VM through SSH, then run the following command to install certbot and its plug-in for NGINX from the Ubuntu repository.
# apt install certbot python3-certbot-nginx -y
Let’s use the webroot plugin to obtain the certificate since iRedMail has configured the TLS in the NGINX virtual host as default.
# sudo certbot certonly --webroot --agree-tos --email email@example.com -d mail3.cloudforindonesia.com -w /var/www/html/
The above message will appear if every step is performed correctly. In this tutorial, all certificates and their components are stored at
⏭️ Installing the Certificate in NGINX
Now, we have to configure the NGINX web server to be able to use the new TLS certificate. First, let’s edit the SSL template file.
# sudo nano /etc/nginx/templates/ssl.tmpl
In the last 2 lines, you will find the following information:
In this tutorial, we will change it to:
Save and close. Test the NGINX configuration and don’t forget to reload it with the following command.
# sudo nginx -t
# sudo systemctl reload nginx
At this point, when you open the admin page, you should not receive the ‘not secure’ message screen since the web server already uses the new TLS certificate.
⏭️ How to Install the Certificate in Postfix and Dovecot
Securing only the web server with a TLS certificate is not enough. You also need to configure the Postfix SMTP and Dovecot IMAP servers. It is important to configure these servers to avoid warnings from desktop mail clients, such as Outlook and Thunderbird, that the email server is not equipped with a valid TLS certificate.
First, let’s edit the Postfix configuration:
# sudo nano /etc/postfix/main.cf
Find these 3 lines:
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
In this tutorial, we will change them to:
smtpd_tls_key_file = /etc/letsencrypt/live/mail3.cloudforindonesia.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail3.cloudforindonesia.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail3.cloudforindonesia.com/chain.pem
Save and close, then reload the configuration:
# sudo systemctl reload postfix
Next, we edit the configuration file for Dovecot:
# sudo nano /etc/dovecot/dovecot.conf
Find these 2 lines:
ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key
And change them to:
ssl_cert = </etc/letsencrypt/live/mail3.cloudforindonesia.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail3.cloudforindonesia.com/privkey.pem
Save and close, then reload the configuration:
# sudo systemctl reload dovecot
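To confirm that none of the settings edited above still points at the self-signed certificate, the following check can be used. It is an added example, not part of the original tutorial; the function names and the constructed sample excerpts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Lists the TLS file settings
# edited above and flags any that do not point at the Let's Encrypt live
# directory for the mail host (e.g. a leftover self-signed iRedMail.crt).

# Print "file:setting=path" for each Postfix/Dovecot TLS file setting.
tls_settings() {
    awk -F'[ \t]*=[ \t]*' '
        /^[ \t]*(smtpd_tls_(key_file|cert_file|CAfile)|ssl_(cert|key))[ \t]*=/ {
            gsub(/^[ \t]+/, "", $1)   # drop indentation before the name
            sub(/^</, "", $2)         # Dovecot prefixes file paths with "<"
            print FILENAME ":" $1 "=" $2
        }' "$@"
}

# $1 = mail host FQDN, remaining args = config files.
# Prints stale settings and returns 1 if any exist, else returns 0.
stale_tls_settings() {
    host=$1; shift
    stale=$(tls_settings "$@" | grep -vF "=/etc/letsencrypt/live/$host/") || true
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1
    fi
    return 0
}

# Constructed config excerpts (a half-finished edit) written into directory $1.
make_samples() {
    cat > "$1/main.cf" <<'EOF'
smtpd_tls_key_file = /etc/letsencrypt/live/mail3.cloudforindonesia.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail3.cloudforindonesia.com/cert.pem
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
EOF
    cat > "$1/dovecot.conf" <<'EOF'
ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/letsencrypt/live/mail3.cloudforindonesia.com/privkey.pem
EOF
}

# On the server:
#   stale_tls_settings mail3.cloudforindonesia.com \
#       /etc/postfix/main.cf /etc/dovecot/dovecot.conf
```

On the constructed samples the check reports the Postfix `smtpd_tls_CAfile` line and the Dovecot `ssl_cert` line, the two settings that were left on the self-signed certificate.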
▶️ Increasing Email Delivery Rate
SPF, DKIM, and DMARC work together to ensure that any emails you receive come from legitimate sources and are not being tampered with in transit, reducing the risk of phishing and spoofing.
⏭️ SPF record
SPF (Sender Policy Framework) is a DNS record that contains the list of hosts or IP addresses allowed to send email on behalf of our domain, effectively validating the email and preventing it from being falsified. The record also carries an additional setting that regulates what happens when an email is sent from a source that does not follow this configuration.
Create a new TXT record in the DNS management panel. In this tutorial, we will create the record as follows:
The point of the above configuration is to allow any IP addresses tied to the domain to send emails, and to allow sending from the servers registered in the MX record, with the ~all mark as a soft fail.
⏭️ DKIM record
DKIM (DomainKeys Identified Mail) is the technology used to verify that a received email really comes from the sender's domain. It works by signing each outgoing email with a private key, while the matching public key is saved in our domain's DNS records.
When the email is received, the receiver server will perform DKIM verification using the public key stored in the DNS record. Successful verification means the email is legitimate and there is no tampering or change during transit.
The iRedMail installation has automatically configured the DKIM private key on our email server. All you need to do is add the DKIM public key to the DNS management panel.
Run the following command to display the DKIM public key:
# sudo amavisd-new showkeys
Create a new TXT record in the DNS management panel based on the public key displayed. Make sure to delete all quotation marks and spacing as displayed below.
Check the DKIM record using the following command.
# sudo amavisd-new testkeys
The process may take some time depending on the propagation process. If the propagation is finished and the DKIM record you input is correct, you will see the pass as follows.
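The step above that strips quotation marks and spacing from the displayed key can be scripted. The following is an added example, not part of the original tutorial; the function names are assumptions, and the sample output is constructed (placeholder domain and fake key material) in the shape that `amavisd-new showkeys` prints.

```shell
#!/bin/sh
# Added example, not from the original tutorial: flatten the multi-line,
# quoted TXT value printed by `amavisd-new showkeys` into one DNS TXT string.

# Constructed sample in the shape of the showkeys output; the domain and
# the key material are placeholders, not a real key.
sample_showkeys() {
cat <<'EOF'
; key#1 2048 bits, s=dkim, d=example.com, /var/lib/dkim/example.com.pem
dkim._domainkey.example.com.  3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed"
  "SAMPLEonlyNOTaREALkey0123456789+/abcdefghijklmnopQIDAQAB")
EOF
}

# Read showkeys output on stdin; print the TXT value with the quotation
# marks and all whitespace removed, ready to paste into the DNS panel.
dkim_txt_value() {
    grep -o '"[^"]*"' | tr -d '" \t\n'
}

# Sanity-check a flattened value: it must start with v=DKIM1;p= and the
# key part may contain only base64 characters. Returns 0 when well-formed.
dkim_txt_ok() {
    case "$1" in
        'v=DKIM1;p='?*) key=${1#"v=DKIM1;p="} ;;
        *) return 1 ;;
    esac
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # stray quote, space or line break
    esac
    return 0
}

# On the server: sudo amavisd-new showkeys | dkim_txt_value
sample_showkeys | dkim_txt_value; echo
```

A value that fails `dkim_txt_ok` usually still contains a quotation mark or a line break copied from the terminal.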
⏭️ DMARC record
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email verification protocol that regulates how to handle received emails that fail to be verified by either SPF or DKIM.
DMARC allows email receivers to create a regulation on what to do if the email received fails to be verified, such as rejecting the email or quarantining the email in the spam folder. DMARC also allows the sender to receive a report about the status of the sent email, thus increasing the security of the email.
To add DMARC, create a new TXT record filled with a common DMARC configuration as follows.
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org
The above example will activate the “none” policy for our domain. This policy will make the receiver server send reports to email@example.com if there are any emails that fail SPF or DKIM verification, without giving special instructions on how to handle the emails that failed verification.
By choosing the “none” policy, we can collect the report and analyze emails sent from our domain. Thus, we can quickly find a rising problem and make sure emails from our domains can be verified by others. After a while, we can decide to tighten the policy into “quarantine” or “reject” if necessary.
Exploring and Using iRedMail
Now, we can start to explore the iRedMail admin panel and send our first email.
▶️ Web Panel Access
There are several things you can do within the panel, such as managing domains, accounts, etc.
Now, let’s add the email account we want to use to send our first email.
Access the webmail of the account you previously created, for example at the following page: https://mail3.cloudforindonesia.com/mail/
Create and send your first email.
Check if the email you sent from iRedMail is received by the designated receiver.
That is all from this tutorial on building an iRedMail mail server in CloudRaya’s virtual infrastructure.