delthas

Setting up a personal email server with simple, modern software

Rationale

Setting up a personal email server in 202X is simple, easy, secure, and non-intrusive to your system thanks to the latest generation of email software.

Email is becoming more and more centralized, so by using your own email server you can also help delay the inevitable!1

Email software: maddy

maddy is a simple, all-in-one open source email server (SMTP for client submission and outbound delivery, SMTP as MX for inbound mail, IMAP for reading it) with easy configuration and deployment (no external database needed, and it doesn't use system accounts by default). It's written in Go.

Follow the installation steps on its documentation page.

In particular, follow the DNS record creation steps (MX, SPF, DKIM, DMARC), then set up MTA-STS. DANE is optional.

You should also create a reverse DNS (PTR) record for your server's IP address (not mentioned in the maddy docs at the time of writing). A PTR record maps an IP such as 1.2.3.4 back to a hostname; receiving servers look it up and treat a missing or mismatched one as a spam signal. It is usually configurable from your hosting provider's dashboard. Set it to the hostname your server announces in its SMTP greeting (maddy's hostname setting, which may be your bare email domain or something like mx.domain.tld), and make sure that hostname's A/AAAA record points back to the same IP, so that the reverse lookup is forward-confirmed.

Note: If your server has an IPv6 address but your provider gives you no way to set PTR records for your IPv6 block, configure maddy to send outgoing email over IPv4 only, so that receiving servers see the address that actually carries your PTR record. In maddy this needs a very recent version (try cloning master) and the following line in the target.remote outbound_delivery block of your configuration: force_ipv4 yes.

At this point you should be able to connect to your email server with any email client, and send emails.

Checking your configuration

Run the following checks:

Passing the sender-authentication checks (SPF, DKIM, DMARC) is not only a matter of stopping others from spoofing your domain, just as TLS with MTA-STS (or DANE) is not only a theoretical defense against passive and active MITM of your mail in transit: a correctly authenticated setup also makes your outbound emails much less likely to be tagged as spam by other email servers.
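As an added example (not part of the original post, and not maddy's own tooling), here is an offline checker for the records the steps above ask you to publish: the SPF record, the DMARC record, the MTA-STS TXT record and policy file, and forward-confirmed reverse DNS for the server's IP. The domain example.org, the IP 192.0.2.25, the hostname mx.example.org and the sample records are constructed data; to check a real domain, feed the strings your resolver returns (dig, dnspython) to the same functions.

```python
"""Offline sanity checks for the DNS records a mail server needs.
Added example with constructed data for the hypothetical domain example.org
(IP 192.0.2.25, EHLO hostname mx.example.org)."""
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(?:(?:include|exists):|redirect=|(?:a|mx|ptr)(?:[:/]|$))", re.I)


def parse_tags(record):
    """Parse 'k=v; k=v' records (DMARC, MTA-STS TXT) into a lower-keyed dict."""
    return {k.strip().lower(): v.strip()
            for k, v in (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}

def check_spf(txt_records):
    """Problems with the domain's SPF record(s); [] means it looks sane."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no v=spf1 record published"]
    problems = []
    if len(spf) > 1:
        problems.append("more than one v=spf1 record: receivers return permerror")
    terms = spf[0].split()[1:]
    if not terms or terms[-1].lower() not in ("-all", "~all"):
        problems.append("record should end with -all (or ~all)")
    if any(t.lower() in ("+all", "all") for t in terms):
        problems.append("'+all' lets every host on the internet send as you")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} lookup terms, RFC 7208 allows 10")
    return problems

def check_dmarc(txt_records):
    """Problems with the _dmarc.<domain> TXT record."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["expected exactly one v=DMARC1 record at _dmarc.<domain>"]
    tags, problems = parse_tags(dmarc[0]), []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    elif policy == "none":
        problems.append("p=none only monitors; use quarantine/reject once SPF and DKIM pass")
    if "rua" not in tags:
        problems.append("no rua= address, so you get no aggregate reports")
    return problems

def check_mta_sts(txt_records, policy_text):
    """Problems with the _mta-sts.<domain> TXT record and the policy file
    served at https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461)."""
    problems = []
    sts = [r for r in txt_records if r.lower().startswith("v=stsv1")]
    if len(sts) != 1 or "id" not in parse_tags(sts[0]):
        problems.append("expected one v=STSv1 record with an id= tag")
    policy = {}
    for line in policy_text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            policy.setdefault(k.strip().lower(), []).append(v.strip())
    if policy.get("mode") != ["enforce"]:
        problems.append("mode is not 'enforce': a downgrade to plaintext is still possible")
    if not policy.get("mx"):
        problems.append("policy lists no mx: hosts")
    return problems

def check_fcrdns(ip, ptr_name, ehlo_hostname, forward_lookup):
    """The PTR must name the host announced in EHLO, and that name must resolve
    back to the same IP (forward-confirmed reverse DNS)."""
    if not ptr_name:
        return [f"no PTR record for {ip}"]
    problems, name = [], ptr_name.rstrip(".").lower()
    if name != ehlo_hostname.rstrip(".").lower():
        problems.append(f"PTR {name} differs from EHLO hostname {ehlo_hostname}")
    if ip not in forward_lookup.get(name, []):
        problems.append(f"{name} does not resolve back to {ip}")
    return problems

# Constructed sample data: a sane setup and a misconfigured one.
GOOD = {
    "txt": ["v=spf1 mx -all"],
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
    "sts": ["v=STSv1; id=20240101"],
    "policy": "version: STSv1\nmode: enforce\nmx: mx.example.org\nmax_age: 604800\n",
    "ip": "192.0.2.25", "ptr": "mx.example.org.", "ehlo": "mx.example.org",
    "forward": {"mx.example.org": ["192.0.2.25"]},
}
BAD = dict(GOOD, txt=["v=spf1 mx +all"], dmarc=["v=DMARC1; p=none"],
           policy=GOOD["policy"].replace("enforce", "testing"),
           ptr="vps-123.hosting.example.")

def run_all(d):
    """Run every check; an empty dict means everything looks consistent."""
    results = {"spf": check_spf(d["txt"]), "dmarc": check_dmarc(d["dmarc"]),
               "mta-sts": check_mta_sts(d["sts"], d["policy"]),
               "fcrdns": check_fcrdns(d["ip"], d["ptr"], d["ehlo"], d["forward"])}
    return {k: v for k, v in results.items() if v}
```

run_all(GOOD) returns an empty dict, while run_all(BAD) reports the open SPF, the monitoring-only DMARC policy, the MTA-STS policy still in testing mode and the PTR that neither matches the EHLO hostname nor resolves back to the IP. The checks are heuristics, not a full RFC implementation: a record that passes them can still be wrong in ways only a real delivery test reveals.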

Checking acceptance by Google

Thanks to webapps.stackexchange.

Google, like most other providers, will mark your emails as spam at first. Ensuring your server is well configured increases the chance that your emails are eventually treated as legitimate.

Send an email to a Gmail inbox you own. Click “Show original” on the email. Make sure “SPF”, “DKIM”, “DMARC” are all marked as “PASS”. Otherwise, your server has a configuration issue.
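As an added example, not from the original post, the following parses the Authentication-Results header that Gmail displays under "Show original" (the RFC 8601 format) and reports whether SPF, DKIM and DMARC passed and whether the SPF and DKIM domains line up with the From domain. The two messages are constructed for the hypothetical domain example.org; the alignment check (same domain or a subdomain of it) is an approximation of DMARC's relaxed, organizational-domain rule.

```python
"""Parse Gmail's Authentication-Results header (RFC 8601) from a raw message.
Added example; both messages below are constructed for example.org."""
import re
from email import message_from_string

# Constructed "Show original" text of a message that passed every check.
RAW_MESSAGE = """\
Delivered-To: someone@gmail.com
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.org header.s=default header.b=abc12345;
       spf=pass (google.com: domain of you@example.org designates 192.0.2.25 as permitted sender) smtp.mailfrom=you@example.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.org
From: you@example.org
To: someone@gmail.com
Subject: test

hello
"""

# Constructed message from a host SPF does not authorise and without DKIM.
FAILING_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=softfail (google.com: domain of transitioning you@example.org does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=you@example.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.org
From: you@example.org
Subject: test

hello
"""

RESULT = re.compile(r"(spf|dkim|dmarc)=(pass|fail|none|neutral|softfail|temperror|permerror)\b", re.I)
PROPERTY = re.compile(r"\b(smtp\.mailfrom|header\.i|header\.d|header\.from)=([^\s;]+)", re.I)


def parse_authentication_results(raw_message):
    """Return {"authserv": ..., "spf": {"result": ..., "smtp.mailfrom": ...}, ...}."""
    header = message_from_string(raw_message).get("Authentication-Results")
    if header is None:
        return {}
    header = re.sub(r"\([^)]*\)", " ", header)  # drop the parenthesised comments
    clauses = [c.strip() for c in header.split(";")]
    out = {"authserv": clauses[0].split()[0]}
    for clause in clauses[1:]:
        m = RESULT.match(clause)
        if not m:
            continue
        entry = {"result": m.group(2).lower()}
        entry.update((k.lower(), v.lower()) for k, v in PROPERTY.findall(clause))
        out[m.group(1).lower()] = entry
    return out

def domain_of(value):
    """'you@example.org' -> 'example.org'; '@example.org' -> 'example.org'."""
    return value.rsplit("@", 1)[-1].strip().lower()

def aligned(d1, d2):
    """Approximation of DMARC relaxed alignment: equal, or one below the other."""
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)

def check_authentication(raw_message):
    """List what is wrong; [] means SPF, DKIM and DMARC all passed and align."""
    results = parse_authentication_results(raw_message)
    if not results:
        return ["no Authentication-Results header found"]
    problems = []
    for method in ("spf", "dkim", "dmarc"):
        res = results.get(method, {}).get("result")
        if res != "pass":
            problems.append(f"{method}={res or 'missing'}")
    from_domain = results.get("dmarc", {}).get("header.from")
    mailfrom = results.get("spf", {}).get("smtp.mailfrom")
    dkim = results.get("dkim", {})
    dkim_domain = dkim.get("header.i") or dkim.get("header.d")
    if from_domain and mailfrom and not aligned(from_domain, domain_of(mailfrom)):
        problems.append(f"SPF domain {domain_of(mailfrom)} not aligned with From domain {from_domain}")
    if from_domain and dkim_domain and not aligned(from_domain, domain_of(dkim_domain)):
        problems.append(f"DKIM domain {domain_of(dkim_domain)} not aligned with From domain {from_domain}")
    return problems
```

check_authentication(RAW_MESSAGE) returns an empty list; for FAILING_MESSAGE it returns the three failing verdicts. Only the header added by the receiving server (authserv-id mx.google.com here) is trustworthy: a sender can add a forged Authentication-Results header of its own, which is why Gmail's verdict, not anything your server writes, is what you check.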

You can see additional info about what Google thinks of your domain at: https://postmaster.google.com

Make sure Google considers any website hosted on your domain as “safe” at: https://transparencyreport.google.com/safe-browsing/search

Getting whitelisted by Microsoft

Thanks to Mailinabox for this info.

Microsoft (Outlook.com, Hotmail, Live) has a very strict inbound email policy that is essentially a whitelist by IP address.

Fill in the sender support form to get whitelisted.

The error message you should say you have received is:

Unfortunately, messages from [XX.XX.XX.XX] weren’t sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.

They will probably reply that your IP address is not eligible for mitigation. Reply with an email like this:

Hi,

The server at XX.XX.XX.XX is my own, dedicated business and personal email server, to which only I have access.

This is a relatively newly acquired IP address, as I got it ago.

I have set up my email server today and haven't sent any emails to Microsoft-owned domains before.

This server is used solely for the purpose of me sending and receiving emails, and hosting additional personal files for my personal website. SSH access is only granted to me.

The email server is properly configured with SPF, DMARC, MTA-STS, TLS & STARTTLS.

Could you unblock my IP?

Regards.

They may ask follow-up questions, such as for proof that you own the IP; answer them with the applicable information and your IP should then be whitelisted.

You can additionally see your IP's status, and request a copy of emails from your domain that users marked as spam, from the Smart Network Data Services (SNDS) panel.

Configuration tweaks

Some receiving servers do not offer STARTTLS at all, so with maddy's default of requiring encryption, delivery to them fails. You can tell maddy to fall back to plaintext for them by changing, in target.remote outbound_delivery, the line min_tls_level encrypted to min_tls_level none. Be aware that this is a deliberate downgrade: mail to such servers then crosses the internet in cleartext, so keep the default unless you actually run into bounces from a correspondent you need.

I like to redirect all incoming email for my domain to my inbox (a catch-all), since I am the only user. To redirect *@domain.tld to you@domain.tld, you can set your msgpipeline local_routing configuration block as below. Note that a catch-all makes every address at your domain deliverable, so spam sent to guessed addresses lands in your inbox too; addresses you want to retire go in the disabled-aliases file so they are rejected instead.

msgpipeline local_routing {
    modify {
        # Apply local rewrites (/etc/maddy/aliases, plus-addressing, etc).
        replace_rcpt &local_rewrites
    }

    # If there exists an explicitly created mailbox with that name - send it there.
    destination_in &local_mailboxes {
        deliver_to &local_mailboxes
    }
    # If that's a disabled address - reject the message.
    destination_in file /etc/maddy/disabled-aliases {
        reject
    }
    # Otherwise, send it to me
    destination postmaster $(local_domains) {
        modify {
            replace_rcpt regexp ".*" "YOU@$(primary_domain)" # Set your username here!
        }
        deliver_to &local_mailboxes
    }
    default_destination {
        reject 550 5.1.1 "User doesn't exist"
    }
}

Next steps

The official maddy documentation deals with many use cases you could have.

Come chat at irc://irc.libera.chat/##maddy to thank its developers or ask questions :)


  1. Primary e-mail providers according to consumers in the United States