Friday, January 9, 2015

Setup Email Server - Part 4

In previous posts we listed the assets we are using to set up the server, uploaded the certificates and installed the email server components.
In this post we will enable TLS for HTTPS and then test the email client (Outlook).
To enable HTTPS in Apache we first make it listen on port 443. Apache does not accept a comment after a directive on the same line (a trailing "#..." is parsed as extra arguments), so keep notes on their own lines:

$ sudo vi /etc/httpd/conf/httpd.conf
# line 42
Listen 80
# add Listen 443 only if no other file declares it: the mod_ssl package
# installed below ships /etc/httpd/conf.d/ssl.conf with its own "Listen 443 https",
# and two Listen directives for the same port stop httpd from starting
Listen 443

We also set ServerName so Apache knows its own domain name:

$ sudo vi /etc/httpd/conf/httpd.conf
# uncomment and setup:
ServerName inspiracode.net

Once port 443 is open, the SSL configuration file that mod_ssl installs comes into play, so we point it at our certificate and private key:

$ sudo vi /etc/httpd/conf.d/ssl.conf
# Line 71
SSLEngine on
# Line 101
SSLCertificateFile /certs/public.pem
# Line 108
SSLCertificateKeyFile /certs/private.pem

If public.pem holds only the server certificate, browsers that do not already know GoDaddy's intermediate CA will report a broken chain: either append gd_bundle-g2-g1.crt (downloaded in the previous post) after the certificate inside public.pem, or point SSLCertificateChainFile at it.

Remember that in a previous post we generated those files and copied them to the /certs/ directory.
For Apache to load the TLS module we need these packages (install them before the restart below):

$ sudo yum install mod_ssl openssl

Next, we redirect all plain-HTTP traffic to HTTPS. This uses mod_rewrite, which Fedora's httpd loads by default; add a port-80 virtual host to httpd.conf (for example right after the Listen directives):

$ sudo vi /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

The R flag alone sends a temporary 302 redirect; R=301 makes it permanent, so browsers remember to go straight to HTTPS.

Finally we restart Apache (apachectl configtest first reports any syntax error without taking the server down); HTTPS traffic is then enabled and enforced:

$ sudo systemctl restart httpd

Browsing to https://inspiracode.net now works, and a request to http://inspiracode.net is redirected there:
[Screenshot: HTTPS navigation]
Now that traffic to the server is encrypted, it is time to create an email account and configure the client.
Mailboxes are plain system accounts: Postfix delivers into the user's ~/Maildir and Dovecot checks the password through PAM, so we create the account with the usual Linux tools. A mail-only account does not need a shell; giving it /sbin/nologin means the mailbox password cannot also be used to log in over SSH:

$ sudo useradd -s /sbin/nologin support
$ sudo passwd support
# set the new password for the support user

Now we configure Outlook to use this account:

  1. Open Outlook and go to File >> Add Account
    [Screenshot: add account]
  2. Select "Manual setup or additional server types"
    [Screenshot: manual setup]
  3. Select POP or IMAP
    [Screenshot: POP/IMAP]
  4. Enter the account settings for the newly created account: the server (inspiracode.net for both incoming IMAP and outgoing SMTP, since we are not using mail. or smtp. subdomains), user name and password:
    [Screenshot: account settings]
  5. Open "More Settings" and set the outgoing server to require authentication (this is what permit_sasl_authenticated in Postfix relies on):
    [Screenshot: outgoing server authentication]
  6. In the Advanced tab of "More Settings", select SSL/TLS encryption and the secure ports. With the configuration from the previous post those are IMAP on 993 (SSL) and SMTP on 25 with STARTTLS; 465 (smtps) and 587 (submission) only work if you also enable those services in /etc/postfix/master.cf:
    [Screenshot: SSL settings]

When you click Next, Outlook runs its connection test and shows the results:
[Screenshot: Outlook connection test]
Now you can read your email in Outlook.
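As an added check, not part of the original post: Outlook's green tick only proves that Outlook was satisfied. The script below probes each TLS endpoint the way a mail client or browser does (HTTPS on 443, SMTP with STARTTLS on 25, IMAP on 993) and fails if the chain does not verify or the certificate is not issued for the name we connect to. This is example code, not the post's; it assumes openssl 1.1 or later, and the CAFILE and TLS_CONNECT environment variables are my additions for running the same checks against a local test server.

```shell
#!/bin/sh
# Added example (not from the original post): probe a TLS endpoint the way a
# mail client or browser does, i.e. verify the chain and the hostname rather
# than just checking that a handshake happens. Assumes openssl 1.1 or later.
# CAFILE (optional) overrides the system trust store and TLS_CONNECT (optional)
# overrides the address to connect to; both exist only to run the checks
# against a local test server.

# tls_probe <hostname> <port> [smtp|imap|pop3]
# The third argument selects STARTTLS for ports that start in cleartext
# (SMTP on 25, IMAP on 143); leave it out for implicit TLS (443, 993, 995).
# Returns non-zero if the handshake fails or the certificate does not verify.
tls_probe() {
    host=$1 port=$2 proto=$3
    set -- -connect "${TLS_CONNECT:-$host}:$port" -servername "$host" \
           -verify_hostname "$host" -verify_return_error
    [ -n "$proto" ] && set -- "$@" -starttls "$proto"
    [ -n "$CAFILE" ] && set -- "$@" -CAfile "$CAFILE"

    # -verify_return_error makes a chain or hostname problem abort the
    # handshake, so s_client's exit status is the verdict.
    if ! out=$(openssl s_client "$@" </dev/null 2>&1); then
        reason=$(printf '%s\n' "$out" | grep -m1 -E 'verify error|Verify return code|connect:')
        printf 'FAIL %s:%s %s\n' "$host" "$port" "${reason:-handshake failed}"
        return 1
    fi
    printf 'ok   %s:%s %s\n' "$host" "$port" "$(printf '%s\n' "$out" | grep -m1 'Verify return code')"
    # Show what the client actually received: subject and expiry of the leaf.
    printf '%s\n' "$out" | openssl x509 -noout -subject -enddate 2>/dev/null | sed 's/^/     /'
}

# Against the server built in this series (every line must start with "ok"):
#   tls_probe inspiracode.net 443
#   tls_probe inspiracode.net 25 smtp
#   tls_probe inspiracode.net 993
```

A FAIL line naming "self signed certificate in certificate chain" or "unable to get local issuer certificate" is the symptom of a missing intermediate bundle; "Hostname mismatch" means the certificate was issued for a different name than the one you connect to.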
Stay tuned: in the next post we will configure a webmail client using RainLoop.
--D

Wednesday, January 7, 2015

Setup Email Server - Part 3

In the previous posts of this series we listed the required assets and uploaded the SSL certificate to the server.
In this post we will install and configure Postfix, which receives and sends the mail, and Dovecot, which serves the mailboxes to clients over IMAP (and POP3) and verifies passwords for Postfix.

First we remove sendmail, the MTA our distribution installed by default, so that it does not compete with Postfix for port 25:

$ sudo yum remove sendmail

Then we install Postfix:

$ sudo yum install postfix

Once installed, we configure it to identify itself with our domain and to accept connections on all interfaces. Postfix treats "#" as a comment only at the start of a line; anything after a value on the same line becomes part of the value, so keep notes on their own lines:

$ sudo vi /etc/postfix/main.cf

Set the following values in main.cf:

# line 75 (your domain name)
myhostname = inspiracode.net
# line 83 (your domain name)
mydomain = inspiracode.net
# line 99
myorigin = $mydomain

# line 113
inet_interfaces = all

# line 118
inet_protocols = ipv4

# line 165
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# line 264: only local processes may relay without authenticating
mynetworks = 127.0.0.0/8

# line 419
home_mailbox = Maildir/

# line 574: $mail_version tells every client the exact Postfix version; drop it if you would rather not advertise it
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

Note: using the vi editor, to show line number type:

:set nu

To go to a given line number type:

:[line number]

For example when going to line 100:

:100

At the end of the file add the following lines:

# limit an email size to 10M
message_size_limit = 10485760
# limit a mailbox to 1G
mailbox_size_limit = 1073741824

# SMTP-Auth settings: Postfix hands the password check to Dovecot over its auth socket
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_client_restrictions = permit_mynetworks,reject_unknown_client,permit
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject

# SSL/TLS
smtpd_use_tls = yes
smtpd_tls_cert_file = /certs/public.pem
smtpd_tls_key_file = /certs/private.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

# use smtp2go as relay
# tried gmail first, but it changes the FROM header to the gmail address.
relayhost = [smtpcorp.com]:2525
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:user@smtpcorp.com:secret
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 4096000

relay_destination_concurrency_limit = 20

Note: using the vi editor, type [G] to go to the last line.
Also note the relayhost configuration: GoDaddy blocks outbound SMTP from the VPS, so our server cannot deliver mail to the rest of the world by itself. One option would be to keep working on the reverse DNS record and ask for the port to be opened; instead, we chose a relay provider (smtp2go).
You could also relay through a Gmail, Hotmail or other mailbox account: that account sends the mail on your behalf, and Postfix passes the message through with its headers unchanged, so the From field should still show your address at this server (myaccount@inspiracode.net for me).
The problem we faced with Gmail is that its SMTP service rewrites the From header to the authenticated Gmail account, so on arrival the mail showed myaccount@gmail.com instead of myaccount@mydomain.com.
The problem was fixed by opening an smtp2go account: for an affordable price you get a decent amount of email traffic, and you actually get 20 free emails per day!
The trick is to configure the smtp_sasl options so Postfix logs in to that account; in my case I'm using the static: map, which puts the username and password directly in main.cf. Two caveats before going live: main.cf is world-readable by default, so with static: every local user can read the relay password (a hash: map in a root-owned file with mode 0600, compiled with postmap, keeps it private), and smtp_tls_security_level = may falls back to cleartext if the relay ever fails to offer STARTTLS, so set it to encrypt to make sure the credentials are never sent unencrypted. The same idea applies to our own clients: with smtpd_use_tls = yes Postfix still advertises AUTH on unencrypted connections unless smtpd_tls_auth_only = yes is set. Finally, reject_unknown_client refuses mail from any host whose IP has no reverse DNS record, which stops many spam sources but also some misconfigured legitimate senders.
If Postfix does not accept the sasl options, install the Cyrus SASL libraries it uses for the PLAIN login to the relay:

$ sudo yum install cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
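As an added example, not part of the original post: the main.cf edits above are easy to get subtly wrong, so here is a small lint that reads a main.cf the way Postfix does (continuation lines, comments only at the start of a line) and reports the problems discussed in this section: comments glued to a value, a mynetworks or smtpd_recipient_restrictions that turns the server into an open relay, AUTH offered before STARTTLS, a relay password in a static: map, and a relay connection that may fall back to cleartext. The script and its function names are mine; the parameter names are Postfix's.

```shell
#!/bin/sh
# Added example (not from the original post): a small lint for
# /etc/postfix/main.cf that catches the mistakes most likely in a hand-edited
# file. Assumes POSIX sh, grep and awk; the path to main.cf is the argument.
# The parameter names and recommended values are Postfix's; the checks are mine.

# pf_get <main.cf> <parameter>: print the value the way Postfix reads it
# (the "name = value" line plus any continuation lines that start with
# whitespace). Prints nothing if the parameter is not set.
pf_get() {
    awk -v key="$2" '
        /^[ \t]/ { if (found) { sub(/^[ \t]+/, " "); val = val $0 } ; next }
        found    { exit }
        /^[^#= \t][^=]*=/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            if (name == key) { found = 1; val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
        }
        END { if (found) print val }' "$1"
}

# pf_lint <main.cf>: print one finding per line; return 1 if any were found.
pf_lint() {
    f=$1 n=0
    finding() { n=$((n + 1)); printf '%s\n' "$1"; }

    # Postfix only recognises '#' at the start of a line; in a value such as
    # "inspiracode.net # (your domain name)" the comment becomes part of the value.
    lines=$(grep -n '^[^#].*[[:space:]]#' "$f" | cut -d: -f1 | tr '\n' ' ')
    [ -n "$lines" ] && finding "inline comments become part of the value on line(s): $lines"

    # Hosts listed in mynetworks may relay without authenticating.
    case "$(pf_get "$f" mynetworks)" in
        *0.0.0.0/0*|*::/0*) finding "mynetworks trusts every address: open relay" ;;
    esac

    # Something in the recipient restrictions must reject unauthorized relaying
    # (a final "reject" after the permit_* entries, or reject_unauth_destination).
    rr=$(pf_get "$f" smtpd_recipient_restrictions | tr ', ' '\n\n')
    if [ -n "$rr" ] && ! printf '%s\n' "$rr" | grep -qx -e reject -e reject_unauth_destination -e defer_unauth_destination; then
        finding "smtpd_recipient_restrictions never rejects unauthorized relaying: open relay"
    fi

    # Our own clients: do not advertise AUTH until the session is encrypted.
    if [ "$(pf_get "$f" smtpd_sasl_auth_enable)" = yes ] && [ "$(pf_get "$f" smtpd_tls_auth_only)" != yes ]; then
        finding "smtpd_tls_auth_only is not yes: clients may send passwords before STARTTLS"
    fi

    # The relay account: keep the password out of main.cf and off the wire.
    case "$(pf_get "$f" smtp_sasl_password_maps)" in
        static:*) finding "smtp_sasl_password_maps uses static: the relay password sits in world-readable main.cf" ;;
    esac
    if [ "$(pf_get "$f" smtp_sasl_auth_enable)" = yes ]; then
        case "$(pf_get "$f" smtp_tls_security_level)" in
            none|may|'') finding "smtp_tls_security_level is not encrypt: the relay login may go over cleartext" ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# Usage on the server:
#   pf_lint /etc/postfix/main.cf && echo "main.cf looks sane"
```

For the configuration in this post the lint reports the static: map and the may setting, which are the two settings worth changing before the server goes live.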

Now we install Dovecot:

$ sudo yum install dovecot

Dovecot configuration

Listening protocols and IP addresses. To configure Dovecot, edit its main file:

$ sudo vi /etc/dovecot/dovecot.conf
# line 24
protocols = imap pop3 lmtp
# line 30: IPv4 only, as the GoDaddy VPS does not give you an IPv6 address
listen = *

Authentication methods:

$ sudo vi /etc/dovecot/conf.d/10-auth.conf
# line 100
auth_mechanisms = plain login

Mail location (the same Maildir that Postfix's home_mailbox delivers to):

$ sudo vi /etc/dovecot/conf.d/10-mail.conf
# line 30
mail_location = maildir:~/Maildir

Postfix SMTP authentication: this is the socket that Postfix's smtpd_sasl_path = private/auth refers to (relative to its queue directory, /var/spool/postfix). Only the Postfix daemons need it and they run as user postfix, so mode 0660 is enough; 0666 would let every local user talk to the authentication socket:

$ sudo vi /etc/dovecot/conf.d/10-master.conf
# line 96-100
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}

Email traffic encryption:

$ sudo vi /etc/dovecot/conf.d/10-ssl.conf
# line 8
ssl = yes
# lines 14, 15 (the leading "<" tells Dovecot to read the file's contents)
ssl_cert = </certs/public.pem
ssl_key = </certs/private.pem

Note the location of the certificates: it is the one we chose in the previous post. With ssl = yes Dovecot still refuses plaintext logins on unencrypted connections, because disable_plaintext_auth defaults to yes; ssl = required goes further and rejects any client that does not negotiate TLS at all.
Finally we install a syslog daemon, which is what writes /var/log/maillog for both services:

$ sudo yum install rsyslog

With those tools installed we now enable our email server to start on reboot:

$ sudo systemctl enable rsyslog
$ sudo systemctl enable postfix
$ sudo systemctl enable dovecot

Finally we start the server components:

$ sudo systemctl start rsyslog
$ sudo systemctl start postfix
$ sudo systemctl start dovecot

Your server should start without trouble; if it does not, feel free to post your issue. postfix check validates the Postfix configuration and doveconf -n prints Dovecot's effective (non-default) settings, which is the quickest way to spot a typo.
You can see what your email server is doing by looking at its log:

$ sudo tail -f /var/log/maillog
or
$ sudo less /var/log/maillog
[F] - To follow the file as it grows
[G] - To go to the last line

In the next post we will setup HTTPS and email client.
Regards.
--D

Tuesday, January 6, 2015

Setup Email Server - Part 2

Hello, in this post we will continue the email server installation and setup.

In the previous post we described the assets we purchased from GoDaddy and the DNS configuration that resolves our domain to our server.

In this post we will obtain and install the SSL certificate on the server so we can use it to encrypt our HTTPS and email traffic.
To accomplish this you will need:

  • OpenSSL, to generate the private key and the certificate signing request (CSR)
  • An SSL certificate available to be set up in GoDaddy
  • An SCP client to transfer files over SSH (such as pscp)

Generating the private key and CSR using OpenSSL

Execute from the command line (the -nodes option leaves the private key unencrypted, which the daemons need in order to start unattended; protect the file with permissions instead):

openssl req -out request.csr -new -newkey rsa:2048 -nodes -keyout private.key

You will be prompted for the information that goes into the certificate's subject, identifying you and your organization (the CA that signs it becomes the issuer):

  • Country Name (2 letter code) [AU]: MX
  • State or Province Name (full name) [Some-State]: Chihuahua
  • Locality Name (eg, city) []: Ciudad Juarez
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]: Inspiracode
  • Organizational Unit Name (eg, section) []: software development
  • Common Name (e.g. server FQDN or YOUR name) []: inspiracode.net
  • Email Address []: diego.torres@inspiracode.net

This process generates 2 main files:

  • private.key: this file is the secret that proves the server's identity. Keep it in a safe place, never share it, and make it readable only by you (mode 0600). You will transfer it to the server later so the server can complete TLS handshakes.
  • request.csr: this file is your formal request for signing the certificate; you share the contents of the Certificate Signing Request (CSR) with your Certification Authority (in my case GoDaddy). It contains only the public key and the subject details, so it is safe to paste into a web form.

In GoDaddy, we will request for signing the SSL certificate using the CSR file:

  1. Open "My Account" in GoDaddy and scroll down to the SSL Certificates section
  2. Expand the SSL Certificates section and you should see an available certificate for "Set Up", click the "Set Up" button
  3. You will see now a new certificate available in the SSL Certificates section, click the "Launch" button
  4. The Certificates section will open, click on "Set Up" for your SSL certificate
  5. Open the request.csr file with a notepad, copy the contents and paste them in the text area for CSR
  6. Read and agree the terms and conditions of the "Subscriber Agreement"
  7. Click the "Request Certificate" button

You will be redirected to the certificate evaluation results, and if the domain verification succeeds you will be able to download the certificate. One of the questions the verification process asks is whether the domain belongs to you or to someone else; if it belongs to another person, that person is asked for permission before the certificate is issued.
When you download your certificate, you will receive a zip file containing 2 files:

  • The GoDaddy intermediate CA bundle (gd_bundle-g2-g1.crt), which clients need in order to build the chain from your certificate up to a root they trust
  • Your certificate, named after its serial number ([certserialnumber].crt)

Unzip the contents on your machine and transfer the certificate files to your server:

  1. Use the scp command to upload the certificate (the one named with the serial number) to your server. Basically, the scp command works like this:
    $ scp [origin] [destination]

    [origin] and [destination] can be either a local file, in which case you use a path to the file you are transferring, like "/path/to/file", or a remote location of the form user@server:/path/to/resource. In my case I'm transferring my certificate 2b6db4c267ac13.crt to the inspiracode server:

    $ scp 2b6db4c267ac13.crt user@inspiracode.net:/home/user/
    The first time you connect you are asked to accept the server's SSH host key, and then for your password.
  2. Upload the private.key file the same way (scp runs over SSH, so the key is encrypted in transit), and the bundle file (gd_bundle-g2-g1.crt) as well, since the services should present the chain along with the certificate.

Now we move the certificate files to a shared location that Apache, Postfix and Dovecot can all read.

  1. Use an SSH tool to log in to your server and create a directory to store your certificates; I'm creating the directory "/certs/":
    $ sudo mkdir /certs/
  2. Copy the certificates to the directory you just created:
    $ sudo cp ~/private.key /certs/private.pem
    $ sudo cp ~/2b6db4c267ac13.crt /certs/public.pem

Note that when copying the certificate files I rename them to private.pem and public.pem, just for a clearer reference in the following configurations. Two things the copy above leaves undone: private.pem should be readable only by root (mode 0600; all three daemons read it as root when they start), and gd_bundle-g2-g1.crt is not installed at all. Without the intermediate certificates, clients that do not already know GoDaddy's intermediate CA cannot validate the chain, so append the bundle after your own certificate in public.pem (certificate first, then the bundle); Postfix, Dovecot and Apache 2.4.8 or later all read the chain from that same file.
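As an added example, not part of the original post: before copying the files into /certs it is worth confirming that the private key, the signed certificate and the bundle actually belong together, and then installing them with the permissions and chain layout the daemons expect. The script assumes the openssl command-line tool is available; the function names are mine, while the file names, the /certs directory and the domain are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): check that the private key, the
# signed certificate and the CA bundle belong together, then install them the
# way Apache, Postfix and Dovecot expect: one public.pem holding the server
# certificate followed by the intermediate chain, and a private.pem readable
# only by root. Assumes the openssl command-line tool; the function names are
# mine, the file names, the /certs directory and the domain are the post's.

# check_tls_material <domain> <private-key> <certificate> [ca-bundle]
# Prints one line per check and returns non-zero if any check fails.
check_tls_material() {
    domain=$1 key=$2 cert=$3 bundle=$4 rc=0

    # 1. The key must be the one the CSR was generated from: the public key
    #    derived from it has to equal the public key inside the certificate.
    pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    pub_from_cert=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    if [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]; then
        echo "ok   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; rc=1
    fi

    # 2. The certificate must be issued for the name clients will connect to
    #    (subjectAltName, or the CN when there is no SAN).
    if openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null | grep -q "does match"; then
        echo "ok   certificate is valid for $domain"
    else
        echo "FAIL certificate is not valid for $domain"; rc=1
    fi

    # 3. Not expired and not expiring within the next 30 days (2592000 s).
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "ok   certificate valid for more than 30 days"
    else
        echo "FAIL certificate expired or expires within 30 days"; rc=1
    fi

    # 4. The chain from our certificate up to the bundle must verify; this is
    #    what every browser and mail client does on each connection.
    if [ -n "$bundle" ]; then
        if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
            echo "ok   certificate chains to the CA bundle"
        else
            echo "FAIL certificate does not chain to the CA bundle"; rc=1
        fi
    fi
    return $rc
}

# install_tls_material <dest-dir> <private-key> <certificate> [ca-bundle]
# Writes <dest>/private.pem (mode 0600) and <dest>/public.pem containing the
# server certificate followed by the bundle, so all three daemons present the
# full chain from the single file the post's configuration points at.
install_tls_material() {
    dest=$1 key=$2 cert=$3 bundle=$4
    mkdir -p "$dest" || return 1
    # the daemons open the key as root before dropping privileges
    install -m 0600 "$key" "$dest/private.pem" || return 1
    cat "$cert" ${bundle:+"$bundle"} > "$dest/public.pem" || return 1
    chmod 0644 "$dest/public.pem"
}

# On the server, as root, with the files copied from GoDaddy:
#   check_tls_material inspiracode.net private.key 2b6db4c267ac13.crt gd_bundle-g2-g1.crt &&
#   install_tls_material /certs private.key 2b6db4c267ac13.crt gd_bundle-g2-g1.crt
```

The key/certificate comparison is the check that catches the most common mistake, generating a fresh key after the CSR was submitted; the chain check catches the missing bundle, which only shows up later as "unknown issuer" errors in clients.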
In the next post we will install and configure postfix and dovecot, and we will also configure the SSL secure traffic for email and http content.

Sunday, January 4, 2015

Setup Email server - Part 1

Hi, in this post I will show you the steps to follow in order to install and setup an email server.

We are using the following components:

  • GoDaddy domain and SSL certificates.
  • GoDaddy virtual private server (VPS) hosting
  • Postfix MTA
  • Dovecot email server
  • smtp2go outbound SMTP account for outgoing email

GoDaddy assets

We first purchased our domain name and SSL certificate in GoDaddy, and we also purchased VPS hosting. This gives you the following assets:

  • An IP address for your VPS. The VPS is a server that you can access by an SSH terminal and install whatever you like. In our case we will host web pages and email. Later, we will add web services and products information. Will keep you posted about it.
  • DNS configuration access: So the internet can resolve your VPS' IP address as your domain name.
  • An SSL certificate that you request with a Certificate Signing Request (CSR) and use to encrypt your server's traffic

Configure the DNS in goDaddy

For now we have the following assets from what we have purchased:

  • We can browse to our VPS server using a web browser and the IP address:
    [Screenshot: navigate to your VPS IP]
  • We can log in to our VPS using SSH (PuTTY is the tool we are using here):
    [Screenshot: SSH login]
  • The domain is listed in our GoDaddy domains account:
    [Screenshot: domain listed]
  • We have an available certificate in the GoDaddy SSL CERTIFICATES section:
    [Screenshot: GoDaddy available SSL certificate]

To configure the domain name (inspiracode.net) to be resolved to the given IP address for the VPS server (192.169.235.218) we can use the following steps in GoDaddy.

  1. In the domains section select the Launch action from the domain that you want to configure (in our case it is inspiracode.net).
  2. Select the DNS Zone File tab.
  3. Add an A(Host) record to resolve to your server IP address. (in our case 192.169.235.218)

More advanced information about other configuration options can be found here.

As our certificate was purchased to cover inspiracode.net only, we have these options:

  1. We use the same domain name and IP address to serve every item that we would like to encrypt and secure.
  2. We purchase a different certificate for each subdomain that we would like to secure (mail.inspiracode.net, smtp.inspiracode.net, ftp.inspiracode.net, etc.).
  3. We purchase a multi-domain (SAN) or wildcard certificate that covers all our subdomains (*.inspiracode.net).

We have decided that for now, until the business grows, we will use option 1 and the same domain name for the different services that our server will offer.

This decision affects the way we create our DNS MX records.

Normally you would point the MX record of a domain at a dedicated mail host such as mail.inspiracode.net or smtp.inspiracode.net. In our case the MX record for inspiracode.net will point at inspiracode.net itself. To configure the MX record we can use the following steps in GoDaddy:

  1. In the domains section select the Launch action for the domain that you want to configure (in our case inspiracode.net).
  2. Select the DNS Zone File tab.
  3. Add an MX record whose target is the hostname inspiracode.net. An MX record always points to a hostname, never directly to an IP address; it is the A record created above that resolves that hostname to 192.169.235.218.

The result is that DNS resolves your domain name (in our case inspiracode.net) to your VPS (in our case 192.169.235.218), and mail addressed to that domain is directed to the same host.

Now, when navigating to http://inspiracode.net you will receive our Apache home page:

In the next post we will continue with:

Stay tuned.

--D