SELF-HOSTED | Set up and run your own Mailserver with Mailcow | DNS, Security, Installation, Test

Captions
They always tell you it is too hard and too complicated to run your own mail server. Well, that's a lie. [Music] Hi, this is Karsten with OPENTAQ, and while you are here, don't forget to like, to subscribe and to hit the notification bell, since it helps. In this video we are going to talk about how to set up your own mail server, how to secure it, and how to ultimately get rid of Microsoft's or Google's offerings. Let's get into it.

So the first question obviously is: why the hell would you run your own mail server? There are several answers to that question, but it basically boils down to just a few. First of all, maximum control: your mail server is your mail server. It is not a mail server owned by Google, Microsoft or other big vendors in the market, so you control it, you know what is installed there, and they won't be able to insert any advertisement or do any scanning on your email. Second, email is actually a decentralized medium, so whenever you use things like Microsoft 365 or Google for Business or whatever those offerings might be called, you basically bet on them being able to keep their infrastructure up and running. And you know, they probably are able to do that, but in the end those providers are targets; they are very, very interesting targets for those interested in getting a bit more information and/or just disrupting the internet. So betting on your mail servers being more secure and more resilient with Microsoft or Google or any other big vendor in the market could be the wrong assumption. Third, no additional costs: your server just costs you roughly 5 to 10 bucks a month, and that is that. You have no limitations on the number of users, you don't pay extra for any users, and you can add add-ons as you like.

But there are obviously challenges associated with that. First and foremost, you are responsible for everything: you are responsible for setting up your mail server properly, you are responsible for configuring it properly, you are responsible for backup, and ultimately you are responsible for security. So it is up to you to decide whether an additional layer of freedom, an additional layer of control and lower costs make up for being responsible for proper setup and configuration, backup and security. In my mind there is not even a question, and that is why we now start setting up our mail server.

Wait, wait, wait, wait, stop. There are requirements you have to fulfill before being able to run your own mail server. First of all, you need to have a domain, and you should be able to manage that domain. I personally added my domains to Cloudflare, and then I do all the management from the Cloudflare DNS dashboard. Second, you need to run your own mail server on a virtual machine or a VPS in the internet; it would not make sense to have it in your home lab. The reason for that is that mail servers are expected to have static IP addresses. And then number three: you should be able, and you need to be able, to manage the reverse DNS of that machine. Check with your hoster whether you are able to set and customize the reverse DNS entry. If you can do that, well, you are good to go. Number four: you need to decide on a mail server. There are literally dozens, if not hundreds, of free and open source mail servers out there. I go and install Mailcow, which is a simple-to-set-up mail server. Actually it is way more than a mail server, because it gives you webmail, it gives you calendar and address book functionalities, and you can manage everything from a great web admin panel. So let's get into it.

Okay, the first thing you want to do is to provision your VM or VPS. I recommend the following settings: eight gigabytes of RAM for a production-ready mail server, four vCPUs for a production-grade system, and at least 10 gigabytes of storage per user plus roughly 10 gigabytes for the system and the mail server itself. So you end up with a minimum of 20 gigabytes of storage; I'd rather go with 50, 60 or even 100 gigabytes. That depends on your needs and on the number of users you want to run your mail server with. Having said that, you can actually go with pretty much every modern Linux distribution. I personally lean towards Debian, because it is a very, very functional distribution, it's updated regularly, and it's very, very stable. So my recommendation: eight gigabytes of RAM, four vCPUs, a minimum of, say, 40 gigabytes of SSD storage, and Debian as the operating system. You can set that up with your provider; I provisioned that on my own Proxmox environment.

So what I do first is to set up the machine. I use a Debian image, as already pointed out. I go with a storage of 100 gigabytes, since I expect to have a lot of mails on that machine. I go with four cores, meaning 4 vCPUs, and I go with 8 gigabytes of RAM, but I enable ballooning, meaning the machine can scale down to 4 gigabytes if required. On the network side of things I leave everything on its defaults, and then I just finish the setup and start the machine. The installation is absolutely straightforward; I just touch on a few important points here. Make sure that you have the proper selection of country, location, keyboard and locales, so you feel comfortable with the system, and you need to give the system a proper hostname. I go with mail.opentag.net. Then you need to give a secure root password, and you need to create a user. My user is called opentech; I also give that user a secure password, and then the actual installation process can start. We will use the whole disk, and we will basically just make sure that we have as much space as possible at our disposal. Then, with a Debian distribution, you will want to add your proper package source; I go with a package mirror nearby in Germany. And then basically I just make sure that I don't install some sort of desktop environment; instead I install an SSH server, and that is that. Now the actual installation goes through, and once finished, our machine is set up and ready to be used.

Before you can do anything else, just make sure that you secure your newly set up system. SSH into the machine by using the IP address that you have either selected or have been given, and then switch over to the superuser account. Now we do an apt update and apt upgrade to make sure the system is on the latest patch levels. Now we will install the sudo tool. After we have done that, we add our user to the sudo group, and now we can log off the system. The next thing to do is to copy your SSH public key over to the machine. You have an SSH public key, don't you? If not, create one and then copy that one over. The command is ssh-copy-id, and then you can log into your machine without having to provide a password going forward. [Music] Now we want to make sure that we completely disable password-based authentication, so we open /etc/ssh/sshd_config and look for the PasswordAuthentication entry, which we will set to no. Save the file and then restart the SSH service. Perfect. The next thing we want to do is to install fail2ban, to make sure that brute-force attacks on our system are at least way more challenging for the attacker. Now we will install ufw, a simple firewall, and with that firewall being installed, we first of all deny any incoming traffic, then we allow outgoing traffic, and now we allow specific ports; you will find them in the description below. After we have done that, we enable the firewall, and now our system is set up and secured.

The first thing you now want to do is to make sure that the reverse DNS entry is set up properly. You do that not within your DNS provider's console, but instead with your actual hoster. So open the hoster's dashboard and look for a reverse DNS entry, and then add the DNS name of that machine, which is not yet set (you will do that later on), as the reverse DNS entry. In my case it is mail.opentag.net; in your case it will be your machine's DNS name. Save that, and then you are good to go.

Now you are required to do some DNS setup. You need to have the IP address of your machine at hand, and then you can basically open the DNS dashboard of your provider. As I already pointed out, I go with Cloudflare. The first thing you want to do is to add an A record. This A record basically needs to point to your IP address; add it, make sure that the Cloudflare proxy is not enabled, and hit save. Now we need to add an MX record. The MX record (mail exchange) is required for mail servers; if you don't have an MX record, you won't be able to receive any email. So we add a record of type MX. The name we use is just @, since it is valid for the whole domain, and we then point that one to the machine we just installed and where the A record points to, so we go with mail.opentag.net (you obviously go with your mail server's name). We give that record a priority; the lower the priority, the more likely foreign servers are to talk to that machine, but you can add multiple MX entries with different priorities to have some sort of a fallback in case your machine is going down. We give it a priority of 10, and then we hit save. Now the basic DNS management is done.

Now we can do the actual installation of the mail server, and that is quite simple. SSH into your machine, and the first thing you might want to do is to switch over to the superuser account again and install the curl tool. [Music] Now we will switch to the root directory and install Docker; the command is listed in the description below. After having installed Docker, we will enable the Docker daemon, and now we install docker-compose. Now we install the git tool, and after that one has finished, we switch into the /opt directory, and here we clone the mailcow-dockerized git repository. We now switch over to the mailcow-dockerized subfolder, and here we run generate_config.sh. Here we enter the hostname of your mail server (that is mail.opentag.net in my case) and a timezone, and now some basic certificates are generated. Next the magic starts: we type in docker-compose pull, and now all the required Docker images are downloaded to your machine. We just have to wait a few seconds, and now we can run docker-compose up -d to actually start our mail server. That might take a few minutes, so enjoy your cup of tea, and in the end you have a running mail server.

If everything went well, you would just enter https:// and then the domain name of your mail server (in my case it is mail.opentag.net), and you would now log in with your admin credentials. The initial credentials for Mailcow are username admin and password moohoo. Enter them, and obviously you want to change that admin password as soon as possible, so head over to your admin account, hit edit, and then enter a new password and save it. Perfect, you have done and mastered that very important step.

Now comes the fun part: we need to add a domain, and we need to finish the DNS setup. There are many steps that we will have to master now, but bear with me, we go through them one by one. The first thing we want to do is head over to Configuration, Mail Setup, and add our mail domain, which is opentag.net in my case. So I enter that one, and I can now give a description, I can add tags, whatever to my liking, and I can now change the number of aliases, mailboxes, the default mailbox quota (meaning the maximum size of mailboxes), and so on and so forth. Once I'm done, I just hit "Add domain and restart SOGo"; SOGo is the web front end for the users. Once we have done that, we can hit the DNS button, and now a number of DNS records are displayed.

Allow me to tell you what the required DNS records are. First of all, we will need to add the autodiscover and autoconfig DNS entries. Those are for the clients; those clients will then be able to automatically retrieve the required information for accessing the mail server (apart from username and password, that is, I guess, quite obvious), so you don't have to enter them by hand. And then there are those three authentication and security entries: we need to add DKIM, SPF and DMARC. DKIM stands for DomainKeys Identified Mail, and that is an authentication technique that is basically working on top of a digital signature which is added to each mail our server sends out. The DKIM domain key entry is used by the recipient to make sure that the signature is valid and the email is in fact coming from where it says it comes from and has not been altered. The SPF entry is basically used to tell the receiving server which origins it is allowed to accept and how suspicious emails are to be handled: they can be completely dropped, they can be put into some sort of soft-failing mode where the server could add them to a junk folder or whatever, or they could just be accepted. And then there is the DMARC entry. The DMARC entry is used to add some sort of reporting functionality, so you would basically give information about your domain and how to handle, then again, suspicious emails, plus you would add some sort of a reporting email address which can be used by the receiving email server to report back if it receives some sort of suspicious emails.

Here in our DNS records view we can see all the required DNS records; we discussed them already. So the first thing we want to add is the autodiscover entry, which is basically just pointing towards the mail server. So we head over to our DNS server, add a new record, select the type CNAME and give it the name autodiscover. The target is our mail server, so it will read mail.opentag.net in my case. I don't use a proxy here, and then I hit save. The next thing I want to do is to add the autoconfig DNS entry, which is again just a CNAME entry, so just some sort of an alias. I hit add record, select the type CNAME, the name is autoconfig, and the target is mail.opentag.net. I disable the proxy again and hit save. Now let's come to the more complex ones. Let's first of all add the DKIM domain key: we copy the name of that entry and add the record, the record type is TXT, we now add the name, and we then copy the value that is already visible in the DNS records page of the mail server. Copy it, hit save, and we are good to go here. The next entry we want to add is the DMARC entry. We use the DMARC assistant here; that is a small, handy website. We add our domain name and the aggregate data reporting address, and we say don't discard any emails that might be suspicious. We just copy the resulting entry and then add it as a new TXT entry for our mail server: the name is _dmarc, and then we just add the value which we have just copied. And the last thing we want to do is to add the SPF record. So we use that SPF record syntax website, and we go for the entry reading v=spf1 a mx all. So we copy that one and add another TXT entry; the name is @ and the value is what we just copied. We hit save, and now the domain settings are complete, and we can now use our mail server. Awesome.

The last step in the configuration is now to just add a mailbox and an alias. To add a mailbox, we head over to the Mailboxes section and hit Add mailbox. We give it a username (it is info in my case), the domain is opentag.net, I can now add a full name and tags to my liking, I can create or add a password, and then I hit Add. After that mailbox has been created, I head over to the Aliases section, and here I hit Add alias. The alias is dmarc@opentag.net (I talked about that in the DNS section), and the goto address is info@opentag.net. I hit Add, and now we have our email setup completed. We can now log out and then actually start using our mail server.

So what we want to do now is log in to our web front end, and I do that with the info email address. [Music] Once I have done that, I can now just utilize all of the capabilities of my mail server. Before we now go and send dozens or hundreds of emails, let's first of all make sure that our configuration is truly working. So we open a website called mail-tester.com, and that website is awesome if you want to check your email configuration. We copy the email address that is visible there and then use that email address to write a new email. So over in our mail server we just add the copied email address as recipient, we give the email a subject and a body, and then we hit the send button. Now we can head over to the mail-tester website, and here we can wait for the outcome of the test. It should be a minimum of eight, better nine or ten, and we have received a 10 out of 10 score, which is great. You can now go a bit more into detail with the outcome here: SpamAssassin likes our email, everything is set up properly, and every entry is explained properly; our authentication is properly set up; obviously the message could be improved, so we would probably add some more information there; we can basically ignore the List-Unsubscribe header; and we are currently not blacklisted. Awesome. [Music]

And now let's just use our mail server. So what I do now is write an email which is sent to a Gmail address. I registered a Gmail account there, and I send that email to opentag@gmail.com, give it a subject and obviously give it a body, and then just send it. On the right side you can now see that the email is being received pretty much instantly, and everything looks great here. We now reply, hit send, and now we have to wait roughly 30 to 60 seconds; that is because Gmail delays the sending. Once the email is there, we can see everything worked as intended. Congratulations, you have now completed the setup of your own mail server.

Okay, great, you have set up your mail server, you have done all the DNS configuration stuff, you have secured your machine, and everything now is nice and smooth and up and running. To keep it that way, just make sure that you regularly update your operating system and that you update the mail server; you get information about how to do that in the Mailcow documentation, which I have linked below. And you want to set up some sort of backup mechanism. If you have a VPS with a public provider, they probably back up the whole machine; if you have your own custom VM, as I do, think of some sort of mechanism, since your emails are very valuable assets. Apart from that, just enjoy it: add email accounts and aliases to your liking, add additional software to your liking, and just enjoy the independence from the big mail providers. Just to make sure that you do not get blacklisted, check the DMARC reports and probably add an abuse email address as well, so you would basically get information about things going wrong with your email configuration. But my personal experience is that if you just do the basics, like doing backups and securing and updating your system, you should be good to go for quite a long time. [Music]

So what do you think, is running a mail server a good idea? Let me know in the comments below, and while you're there, don't forget to like, to subscribe and to hit the notification bell, since it helps. Thanks for watching, see you next time, and don't forget: let's make the world a better place, now more than ever. Thanks for dropping by, see you later, bye. [Music]
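The video walks through the records a mail domain needs (A, MX, reverse DNS, SPF, DKIM, DMARC, autodiscover/autoconfig) but checks them only by hand via mail-tester. As an added example, not code from the video or from the Mailcow project, the following Python script runs the same checks offline against a constructed zone. The domain example.net, the IP address 203.0.113.10, the DKIM selector `dkim` and the truncated key are placeholders; because the captions do not capture the qualifier on the SPF `all` term, the sample record assumes `-all`. The check flags the mistakes that typically cost points on mail-tester: a PTR that does not match the hostname, an SPF record ending in `+all` or a bare `all`, a DKIM record without a public key, a DMARC record without a policy, and a DMARC `rua` address outside the domain (which needs an authorization record on the receiving side).

```python
import ipaddress

# Constructed sample zone (placeholders, not values from the video): name and
# record type map to a list of record data strings, as a resolver would return.
SAMPLE_ZONE = {
    ("mail.example.net", "A"): ["203.0.113.10"],
    ("example.net", "MX"): ["10 mail.example.net"],
    ("example.net", "TXT"): ["v=spf1 a mx -all"],  # assumed qualifier: -all
    ("dkim._domainkey.example.net", "TXT"): [
        "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    ("_dmarc.example.net", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    ("autodiscover.example.net", "CNAME"): ["mail.example.net"],
    ("autoconfig.example.net", "CNAME"): ["mail.example.net"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
}


def lookup(zone, name, rtype):
    """Return record data for name/rtype, normalising case and trailing dot."""
    return zone.get((name.rstrip(".").lower(), rtype), [])


def parse_tags(txt):
    """Parse a 'tag=value; tag=value' list as used by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_mail_dns(zone, domain, mailhost, dkim_selector="dkim"):
    """Return (errors, warnings) for the DNS records a mail domain needs."""
    errors, warnings = [], []
    host = mailhost.rstrip(".").lower()

    # 1. The mail host needs an A record.
    addrs = lookup(zone, host, "A")
    if not addrs:
        errors.append(f"no A record for {host}")

    # 2. MX: lowest preference value wins; its target must resolve.
    mx = []
    for rr in lookup(zone, domain, "MX"):
        pref, target = rr.split()
        mx.append((int(pref), target.rstrip(".").lower()))
    if not mx:
        errors.append(f"no MX record for {domain}")
    else:
        best = min(mx)[1]
        if best != host:
            warnings.append(f"preferred MX {best} is not {host}")
        if not lookup(zone, best, "A"):
            errors.append(f"preferred MX {best} has no A record")

    # 3. Reverse DNS (PTR) must map each address back to the hostname.
    for ip in addrs:
        ptr_name = ipaddress.ip_address(ip).reverse_pointer
        ptrs = [p.rstrip(".").lower() for p in lookup(zone, ptr_name, "PTR")]
        if host not in ptrs:
            errors.append(f"PTR for {ip} is {ptrs or 'missing'}, expected {host}")

    # 4. SPF: exactly one v=spf1 TXT record, ending in -all or ~all.
    spf = [t for t in lookup(zone, domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        errors.append(f"expected exactly one SPF record, found {len(spf)}")
    else:
        terms = spf[0].split()[1:]
        if not terms or terms[-1].lstrip("+-~?").lower() != "all":
            errors.append("SPF record does not end with an 'all' mechanism")
        elif terms[-1][0] not in "-~":
            errors.append(f"SPF ends with '{terms[-1]}', which lets any sender pass; use -all or ~all")

    # 5. DKIM: the selector record must carry a public key in p=.
    dkim = lookup(zone, f"{dkim_selector}._domainkey.{domain}", "TXT")
    if not dkim:
        errors.append(f"no DKIM record at {dkim_selector}._domainkey.{domain}")
    elif not parse_tags(dkim[0]).get("p"):
        errors.append("DKIM record has no public key (p=)")

    # 6. DMARC: v=DMARC1 with a valid p= policy; rua= decides whether you get reports.
    dmarc = [t for t in lookup(zone, f"_dmarc.{domain}", "TXT") if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        errors.append(f"no DMARC record at _dmarc.{domain}")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            errors.append("DMARC record lacks a valid p= policy")
        elif policy == "none":
            warnings.append("DMARC p=none only reports; move to quarantine/reject once reports look clean")
        rua = tags.get("rua", "")
        if not rua:
            warnings.append("DMARC has no rua= address, so no aggregate reports will arrive")
        elif "@" in rua and rua.split("@", 1)[1].lower() != domain.lower():
            warnings.append("DMARC rua= points outside the domain; the receiving domain needs "
                            f"a {domain}._report._dmarc.<rua-domain> TXT record")

    # 7. Client auto-configuration CNAMEs should point at the mail host.
    for sub in ("autodiscover", "autoconfig"):
        targets = [c.rstrip(".").lower() for c in lookup(zone, f"{sub}.{domain}", "CNAME")]
        if host not in targets:
            warnings.append(f"{sub}.{domain} does not point at {host}; clients will not auto-configure")

    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_mail_dns(SAMPLE_ZONE, "example.net", "mail.example.net")
    print("errors:", errs)
    print("warnings:", warns)
```

To use it against a live domain, replace SAMPLE_ZONE with the answers from a real resolver; the checks themselves do not change. The split into errors and warnings mirrors the video's choice of a non-discarding DMARC policy: `p=none` is deliberately only a warning, so the script passes a freshly set up domain and still reminds you to tighten the policy later.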
Info
Channel: OPENTAQ
Views: 82,652
Keywords: Mailcow, Mailcow Dockerized, Docker, Docker-Compose, Self-Hosted, Self-Hosting, Homelab, DNS, DMARC, DKIM, SPF, Cloudflare, Mail, Email, E-Mail, Mailserver, E-Mail-Server, Debian, Linux, Debian Linux, VPS, VM, Domain, Karsten Samaschke, Open-Source, OpenSource, Open Source, UFW, Fail2Ban
Id: _z6do5BSJmg
Length: 31min 6sec (1866 seconds)
Published: Thu Jun 02 2022