The ArchWiki site is good, but on that or the Gentoo Wiki are there examples of "Recipes" -- e.g. here is the best setup for doing this kind of thing. Here is the best setup for that thing.
What prompted this is I've done a competent exchange replacement with Postfix, Roundcube, Z-Push, mysql backend, shared calendar, contacts, etc. Based initially on Kolab packages. I'm doing a how-to, in order to set that up. It turned out way better than I expected. But to setup a competent mail server even things like yunohost just don't give you the most awesomest thing that Open Source can give you. All these how-tos out there seem to just setup a few packages which don't cover a lot of the cool stuff. If I didn't have 100,000 kilometers of experience with Postfix already a lot of stuff would be left in a default config which is a bit yucky.
Check out these kinds of how-tos from howtoforge:
http://www.howtoforge.com/the-perfect-desktop-linux-mint-17.1-qiana (perhaps a bit pedestrian)
http://www.howtoforge.com/perfect-server-centos-7-x86_64-nginx-dovecot-ispconfig-3 (somewhat more esoteric)
Howtoforge doesn't have the social momentum it once did, imho, for these longer tutorials. I do like the AskUbuntu format, but I'm not aware of anything that is this in depth. However, I could see a section of the site that is "what's the best way for me to get a tray instant messenger in gnome 3?" being a question then askubuntu/stackoverflow style answers covering the vast, vast array of instant messaging programs and the pros/cons of that kind of thing. The thing that Howtoforge fails specifically on (for these longer tutorials) is improvements from the community, better packages, updates with time, etc. So the wiki format could be useful there if the changelog can be a little more accessible to normal users (like commit diffs on github).
Anyway, here's my longass draft of a howto that I'm going to publish soon along with a video. The format for these how-tos is "Here is a video showing you this setup which is ferrari-like that used eleventy billion packages, but look how awesome it is. it is amazing. check out all these features and all this stuff it does blah blah blah" and then if you want a step by step guide for that, you get that from the article and not the video. Who can sit through 3 hours watching someone stumble their way through apt-get, man and vi? But a format that shows you the "after" first to get you hooked, then show you the step by step.. that might be something that would generate a lot of traffic.
Eventually, we could take how-tos from the community on our site (I could imagine us paying for said how-tos in exchange for the right to publish them exclusively for 5 years) and then do the how-tos and put a little video in front of it showing the features, why you'd want to do that and the mindset. That's the other problem with howtoforge. No one knows where to look to see the greener grass in order to desire it. That's the momentum problem Linux has that we can solve. maybe.
Anyway, Longass article:
Exchange for Fun and Profit
Prerequisites
So, you want an awesome mail server that can do mail, calendars, contacts and file storage. Great! However, for you to have that awesome domain [email protected] you will have to have bought yourdomain.com, and you will have to have configured your DNS entries with your domain registrar to point at your new mail server.
You can run your mail server anywhere – there typically are not a lot of restrictions. You can even do it with a dynamic IP address as long as you use a dynamic DNS service and keep your IP address up to date in DNS. However, you should know that a lot of internet service providers block inbound port 25 on residential home connections. So if you want to run your mail server on a home connection, check that it is allowed with your ISP. Otherwise use Linode, yunohost, or another inexpensive linux VM provider.
Install Debian Wheezy. Name your system something appropriate.
Since this is a tutorial on setting up your own mail server, you should have your own domain name. Specify that on the next screen:
Next up you'll set up a user account and password, and another password for the root user. The next question is about partitioning. Since you are most likely planning to setup this mailbox for personal use and not a lot of mailboxes, guided -- use entire disk is probably all you need.
Depending on the particulars of how you plan to run your mail server, you may be able to use encrypted LVM to encrypt your entire mail server. It means, though, that when your mail server reboots you would have to log into your VM's host, service provider or hypervisor and supply the LVM password to continue booting the machine. SSH is usually not an option for logging in to specify the LVM password. It is possible to create a root and boot file system using only a portion of the disk, and set up an encrypted partition later. That would allow you to SSH into the box and mount the encrypted mail store with a password.
Finally, it is also possible to use something like a loopback file system to handle the encryption that way as well. For simplicity's sake, we'll just use the entire disk for this tutorial. Feel free to ask about more esoteric setups in our forum at teksyndicate.com, however.
You can next through most of the next questions until you get to the “Software Selection” prompt. We're going to select Web Server, Mail Server, SSH server and Standard system utilities. To keep things light, we want to be sure we disable the desktop environment.
Next up, the install should complete and reboot the machine. A login prompt should come up. Login with your root account, and let's secure the box.
Securing Your Box
You just logged in with root! That's terrible! The first thing we want to do is update the box, but it'll ask us for the install CD. We want it to download whatever it needs and not pull from the CD. You want to edit /etc/apt/sources.list and place a # in front of the CD line to comment it out.
If this box is on the internet, I hope you picked a suitably complex root password because there is probably someone, somewhere, trying to brute force their way into your machine. SSH to your machine and make sure it is working for you. Once you've got your SSH session open, do
apt-get update
followed by
apt-get dist-upgrade
to bring you to the current version of Debian Wheezy. Once that's done, we need to install a firewall. My two favorites for debian are the package ufw and arno-iptables-firewall . UFW is worth your time to learn – it'll allow you a little more flexibility than arno-iptables-firewall but for our purposes here we'll install arno-iptables-firewall. Stay tuned for a guide on UFW from teksyndicate, and as always, if you have any questions ask them in our forum.
apt-get install arno-iptables-firewall
Answer “Yes” to managing the firewall with debconf (for now). We'll want to specify the primary ethernet interface, which is usually eth0. If in doubt, ssh in on a second connection and type ifconfig and look at the interface that has been assigned the IP address you are using, and use that as the external interface.
We'll specify the following ports to be open:
22 – for ssh
443 – for SSL HTTP
80 – for unencrypted HTTP
25 – for inbound email
143 – for unencrypted imap
993 – for encrypted imap
For now, we will not have any inbound udp ports. To reconfigure later, you can use the command:
dpkg-reconfigure arno-iptables-firewall
If you install ufw later, don't forget to apt-get remove arno-iptables-firewall first.
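The port list above is what the firewall lets in; what the box actually listens on is a separate question, and the two should agree. The following is an added example, not part of the original article: two small POSIX sh functions that compare the list of opened TCP ports against netstat -tln output and report, on one side, services listening on a public address that the firewall was never told about (often a package that started a daemon you did not ask for) and, on the other, opened ports with nothing behind them (stale rules). The function names and the sample netstat output are constructed for this example; on a real box you pass "$(netstat -tln)" instead.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the "Local Address"
# column of `netstat -tln` / `ss -ltn` is field 4 and listeners end in LISTEN.

# Constructed sample of `netstat -tln` output for demonstration only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::993                  :::*                    LISTEN'

# The TCP ports the article opens in arno-iptables-firewall.
OPEN_TCP="22 443 80 25 143 993"

# listening_ports NETSTAT_OUTPUT
# Prints one TCP port per line for every listener bound to a non-loopback
# address (0.0.0.0, :: or a specific interface address), sorted numerically.
listening_ports() {
  printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $4 }' |
  while read -r local; do
    port="${local##*:}"   # text after the last colon
    addr="${local%:*}"    # text before the last colon
    case "$addr" in 127.*|::1|"[::1]") continue ;; esac   # loopback: not reachable
    echo "$port"
  done | sort -un
}

# unexpected_listeners "ALLOWED PORTS" NETSTAT_OUTPUT
# Prints ports that are listening publicly but are not in the allow list.
# These are blocked by the firewall for now, but they are daemons you did not
# plan for and should be investigated or disabled.
unexpected_listeners() {
  allowed=" $1 "
  for p in $(listening_ports "$2"); do
    case "$allowed" in *" $p "*) ;; *) echo "$p" ;; esac
  done
}

# stale_rules "ALLOWED PORTS" NETSTAT_OUTPUT
# Prints ports the firewall opens that nothing listens on. Harmless today, but
# an open rule with no service behind it is one you will forget about.
stale_rules() {
  listening=" $(listening_ports "$2" | tr '\n' ' ') "
  for p in $1; do
    case "$listening" in *" $p "*) ;; *) echo "$p" ;; esac
  done
}

# Usage on a live box (as root):
#   unexpected_listeners "$OPEN_TCP" "$(netstat -tln)"
#   stale_rules          "$OPEN_TCP" "$(netstat -tln)"
```

Run both after every package install in this guide; Postfix, Dovecot and the Kolab components each add listeners, and the diff between what you intended to open and what appeared is the quickest way to spot something you did not mean to expose.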
Next up, we want to secure the SSH server a bit better. Edit
/etc/ssh/sshd_config
and go down to PermitRootLogin and change yes to no (or make sure it says no). It would be a good idea if you did away with passwords altogether and only used SSH keys, but since this is a personal server, we'll let that slide for right now. You would set the options
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
– but you should only do this if you've added your public key(s) to ~/.ssh/authorized_keys and have tested key-based logins on your server.
Run
service ssh restart
to make the changes to the ssh configuration active.
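The caveat above (only disable passwords once a key is installed and tested) is the part people get wrong and lock themselves out with. Here is an added example, not from the original article, of a POSIX sh script that applies the four settings idempotently and makes the PasswordAuthentication decision from whether an authorized_keys file actually contains a public key. The function names, and the use of a temporary config file in the test, are this example's own; on a live system you point it at /etc/ssh/sshd_config and follow it with sshd -t before the restart.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes OpenSSH on Debian.
# harden_sshd CONFIG AUTHORIZED_KEYS is safe to run repeatedly.

# set_sshd_option FILE KEY VALUE
# Rewrite any existing "KEY ..." line (commented or not) to "KEY VALUE", or
# append it if the option is absent. Idempotent: a second run changes nothing.
set_sshd_option() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# has_public_key FILE
# True when FILE exists, is non-empty and holds at least one key line
# (optionally prefixed with options such as from="..." or command="...").
has_public_key() {
  [ -s "$1" ] && grep -Eq '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-)' "$1"
}

# harden_sshd CONFIG AUTHORIZED_KEYS
# Applies the article's settings. Prints "key-only" when password logins were
# disabled, "password-kept" when no key was found so passwords stay enabled.
harden_sshd() {
  cfg="${1:-/etc/ssh/sshd_config}"
  keys="${2:-$HOME/.ssh/authorized_keys}"

  set_sshd_option "$cfg" PermitRootLogin no
  set_sshd_option "$cfg" PubkeyAuthentication yes
  # RSAAuthentication is an SSH protocol 1 option; Wheezy's OpenSSH accepts it,
  # newer releases no longer recognise it.
  set_sshd_option "$cfg" RSAAuthentication yes

  if has_public_key "$keys"; then
    set_sshd_option "$cfg" PasswordAuthentication no
    echo "key-only"
  else
    set_sshd_option "$cfg" PasswordAuthentication yes
    echo "password-kept"
  fi
}

# get_sshd_option CONFIG KEY
# Prints the effective value of KEY (sshd uses the first match, but after
# harden_sshd there is exactly one uncommented line per key).
get_sshd_option() {
  awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Usage on a live box, as root, from a session you keep open until verified:
#   harden_sshd /etc/ssh/sshd_config /root/.ssh/authorized_keys
#   sshd -t && service ssh restart
#   # then open a SECOND ssh session and confirm key login works before closing this one
```

The second-session habit matters more than the script: sshd -t only proves the file parses, not that your key is the one in authorized_keys, and an existing session survives a restart of the daemon while a new one is the real test.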
You can also run the command
iptables -L
and verify your output looks similar to the below. The default rules with Arno's setup are pretty good in terms of trapping synfloods, resets, window shrinks and other random bad things. It also has some stuff for logging stealth scans, which works pretty well as advance warning of people poking about your system.
Next up, we'll install fail2ban which will automatically block hosts that fail to login properly repeatedly.
apt-get install fail2ban
The options are in /etc/fail2ban, but the defaults are okay most of the time.
If you're going to treat this box like an appliance, I would recommend that you configure automatic updates.
apt-get install unattended-upgrades
It won't ask you any questions, and the defaults are basically okay. However, you are welcome to look at
/etc/apt/apt.conf.d
and the unattended upgrade options there. Generally you at least want the security updates. As this is Debian Stable, it is probably also okay to uncomment the line that says
o=Debian,a=stable
If you don't mind being bothered via email, there are a few sections of this how-to that will allow you to get status reports from your machine via email. This is generally a handy thing and in this particular instance, we can get a report about available updates. (I'd recommend mailing a gmail or other mail address not hosted on this box for best results.)
apt-get install apticron
You will need to edit
/etc/apticron/apticron.conf
to specify the address you want to receive those update emails.
Finally, you might want to also install logwatch – it will email you copies of the system's logs.
apt-get install logwatch
then edit the file located at
/etc/cron.daily/00logwatch
to change --output mail to --mailto [email protected] instead as the comment in the file indicates. You can optionally tack on --detail high to the end of that to get more verbose emails.
I feel like I need to put a note in here for very experienced Linux Folks: In a “do it the modern way” mindset, if you are doing this kind of thing for a lot of hosts or virtual machines, almost all of this should be automated by your configuration/container management platform. Even a script doing this type of securing is too much work – you want to have all this stuff managed by your management platform. Puppet or Chef are good starting points for this kind of thing, but there are many more choices. If this is just for your personal mail server, just ignore that and we'll march on.
There is a lot more you can do to secure your system; these are just the basics. You should check out a package called 'snoopy' that will allow you to see all commands entered into the system. If you're extra paranoid I'd suggest you look into encrypting the file system and services that ship the system logs, in real time, to other machines. Another favorite of mine is the integrit package. It emails you a report of any files that change on the filesystem, including the md5 sums of those files. There is generally a lot more that I normally do to secure the system, but this is an okay start.
Next Up – Let's install Postfix! And related packages.
Gone are the days that one expects a mail server to simply listen for connections on port 25 and then dump messages to flat files on the file system. Today, the modern mail client expects its mail server to have encryption (TLS, in our case, probably), to have IMAP connectivity and it may also expect other advanced features such as the availability of ActiveSync or MAPI protocols. With the advent of smartphones, it has become commonplace to expect calendar and contact sync as well.
On the Microsoft side of things, Exchange provides all of this functionality and more. At the core of Exchange, a modified version of Microsoft SQL server was used as the message store engine. This isn't an unreasonable choice; it provides proven resiliency in the face of failures, crash-log replayability, ACID compliance, etc. Exchange isn't even the only program necessary for a functional environment – it also relies on the IIS web server to handle the webmail front-end and the ActiveSync protocol interface.
Similarly on Linux, we're going to have a lot of different packages working in concert together to create a cohesive, feature-rich mail experience. In addition to Postfix for the mail, we'll also need Apache to handle the web side of things, but we'll get into that in the next section. The Kolab packages also take care of a huge number of moving parts on the web site – CalDAV, ActiveSync (via Syncroton), webmail client via roundcube with extensions for contacts, files, notes etc.
For Postfix, we'll also enable antispam, greylisting and some other cool features.
Finally, once we've got Postfix working, we're going to install Kolab, which is a great groupware package that provides webmail and an ActiveSync interface with full Outlook 2013 compatibility.
To Be Continued. (I have pictures too for many steps so.. it's even longer!) Apologies for lack of formatting.