How do you manage your e-mail?

E-mail is one of the most critical aspects of our communication, especially when you own a domain name on which e-mail accounts also depend.

In particular, you have to pay attention to security and privacy, since the risks of attacks on e-mail systems are well known.

There are several solutions, even free ones, that allow you to create an e-mail box and manage the e-mail of a domain.

Among the solutions we consider more secure we can mention ProtonMail: once an account is created, a custom domain name can be set up (an option available only on paid plans).

Several other solutions, mostly paid ones, allow you to manage e-mail linked to a domain name.

Our experience (we have tested several solutions) has led us to opt for a so-called self-hosted solution, i.e. installing a mail server on our own server to manage e-mail independently.

In this way, we are sure that the e-mail messages, the whole server configuration, and the mail server itself are under our control. This allows us to adopt the appropriate security measures in compliance with the current legislation on the protection of personal data.

We want to point out that, for those who do not have much experience or familiarity with operating system commands (essentially Linux) and package management, it might not be easy, since a whole mail server requires the installation and configuration of several services.

Our search led us to Mailcow, a free self-hosted solution for managing our own mail server.

Mailcow: a valid solution for a self-hosted mail server

Mailcow is a dockerized software solution for managing a mail server that makes use of several open-source applications.

Mailcow is developed and provided by the German company Servercow, which describes it as “The easy groupware[1] solution based on modern and open software.”.

Mailcow comes in two different versions:

  1. the “managed” version;
  2. the “self-hosted” version.

The managed solution is the one that Servercow entirely operates, while with the self-hosted version the user has to take care of installation, configuration, and maintenance.

For the self-hosted version, you can pay a quarterly fee that gives you assistance via ticket, but interventions on the server remain the responsibility of whoever installed it.

For commercial solutions, you have to contact Servercow.

In any case, the Servercow website gives the necessary details for each option.

Why Mailcow?

Our choice of Mailcow is related, on the one hand, to the experience gained with other solutions for the management of self-hosted mail servers and, on the other hand, to the evaluation of the product itself.

Mailcow is a dockerized solution, i.e. managed through Docker: each of its services runs in its own container, and the containers are started together with docker-compose.

Docker is a platform for packaging, distributing, and running software in containers.

Containers make installation and updates easier for the user: instead of installing and configuring every single package, the developer ships each service in a container image that is already built and configured, ready to be pulled and started.

From our point of view, the dockerized approach is an advantage.

Another aspect we have considered concerns the individual applications bundled in the dockerized version of Mailcow, as listed on the official page: Mailcow runs as several containers (one per service) connected “in one bridged network”.

The content of e-mails is encrypted on the server, as stated in the official guide: “Mails are stored compressed (lz4) and encrypted. The key pair can be found in crypt-vol-1.”. Note that this is encryption at rest: the key pair lives in a Docker volume on the same host, so it protects mailbox data on a stolen disk or in a backup taken without that volume, but not against an attacker who already has root access to the running server.

Another non-negligible aspect is the regular release of updates, which are applied with the update.sh script shipped in the mailcow-dockerized repository.

There is also a very active community on both Forum and Telegram.

Last but not least, Mailcow also allows the configuration of XMPP accounts for exchanging messages.

Therefore, Mailcow seems to us, at the moment, the best solution.

Self-hosted solution: how to install Mailcow on Ubuntu server 20.04

We think it is helpful to give a short installation guide for Mailcow, retracing the steps we performed on a server running Ubuntu 20.04.

Prerequisites

The prerequisites are, precisely:

  1. a server or VM accessible via SSH;
  2. an FQDN (Fully Qualified Domain Name) dedicated to the mail server, i.e. a hostname such as mail.domain.com under a domain you control.

Concerning the domain name (FQDN), you will need to configure the DNS as outlined below.

Preliminary activities

Before installation, you need to configure the DNS records for the chosen domain name.
Assuming that the domain used for e-mail is domain.com, we create an FQDN for the server such as mail.domain.com or webmail.domain.com (the FQDN will be requested during installation).
Then, at the DNS provider of the domain, you will have to create the following records (we use mail.domain.com as the example):

  1. an A record for mail.domain.com pointing to the IP address of the mail server;
  2. a CNAME record for autodiscover.domain.com pointing to the hostname mail.domain.com;
  3. a CNAME record for autoconfig.domain.com pointing to the hostname mail.domain.com;
  4. an MX record for domain.com pointing to the hostname mail.domain.com with priority 10;
  5. a TXT record on domain.com with the value v=spf1 ip4:serveripaddress mx ~all (e.g., “v=spf1 ip4:95.XXX.XXX.XXX mx ~all”, with the correct IP address). This SPF (Sender Policy Framework) record tells receiving servers that mail with a sender address in domain.com is authorised only from the listed IP address and from the hosts named in the MX record. The ~all qualifier marks mail from any other source as a SoftFail: receivers generally still accept such messages but treat them as suspicious (for example by raising their spam score), whereas -all (HardFail) asks receivers to reject them outright. Start with ~all and switch to -all once you are sure every legitimate sender is listed. SPF alone says nothing about the From header shown to the recipient; for that, Mailcow can generate a DKIM key pair for the domain in its admin interface, and the resulting public key, together with a DMARC policy, should be published as further TXT records;
  6. a PTR record (Pointer Record or Reverse DNS) for the server’s IP address, resolving back to mail.domain.com, set from the provider’s control panel or, for AWS, by opening a ticket.
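To make the record plan above concrete, here is an added example (our own illustration, not code from the original post or from Mailcow) that checks the six records against a DNS zone and evaluates an SPF record for a given sending IP, so the difference between ~all and -all can be seen directly. It runs offline: the zone data is a constructed in-memory dictionary standing in for live DNS (the hostnames are the post's placeholders, the IP addresses are from the reserved documentation ranges), and only the SPF mechanisms the post uses (ip4, a, mx, all) are implemented; include and redirect are not.

```python
"""Check a Mailcow DNS plan and evaluate SPF against constructed zone data.

Added example, not part of the original post or of Mailcow. `lookup`
reads from the constructed ZONE dict below; replace it with a real
resolver (e.g. dnspython) to check a live zone.
"""
import ipaddress

# Constructed zone standing in for the records the post asks for.
# Keys are (owner name, record type); values are lists of record data.
ZONE = {
    ("mail.domain.com", "A"): ["192.0.2.10"],
    ("autodiscover.domain.com", "CNAME"): ["mail.domain.com"],
    ("autoconfig.domain.com", "CNAME"): ["mail.domain.com"],
    ("domain.com", "MX"): ["10 mail.domain.com"],
    ("domain.com", "TXT"): ["v=spf1 ip4:192.0.2.10 mx ~all"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.domain.com"],
}


def lookup(name, rtype, zone=ZONE):
    """Record data for name/rtype, or an empty list if absent."""
    return zone.get((name.lower(), rtype.upper()), [])


def reverse_name(ip):
    """PTR owner name for an address, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_dns_plan(domain, fqdn, ip, zone=ZONE):
    """Return a list of problems with the A/CNAME/MX/SPF/PTR records."""
    problems = []
    if ip not in lookup(fqdn, "A", zone):
        problems.append(f"A record for {fqdn} does not point to {ip}")
    for sub in ("autodiscover", "autoconfig"):
        if fqdn not in lookup(f"{sub}.{domain}", "CNAME", zone):
            problems.append(f"CNAME {sub}.{domain} -> {fqdn} missing")
    mx_hosts = [rec.split()[1] for rec in lookup(domain, "MX", zone)]
    if fqdn not in mx_hosts:
        problems.append(f"MX for {domain} does not name {fqdn}")
    spf = [t for t in lookup(domain, "TXT", zone) if t.startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"expected exactly one SPF record on {domain}, found {len(spf)}")
    if fqdn not in lookup(reverse_name(ip), "PTR", zone):
        problems.append(f"PTR for {ip} does not resolve to {fqdn}")
    return problems


def spf_result(sender_ip, domain, zone=ZONE):
    """Evaluate the SPF record of `domain` for `sender_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Mechanisms are
    tested left to right; the first match decides, with the qualifier in
    front of it (+ - ~ ?) giving the result. Only ip4, a, mx and all are
    supported here.
    """
    records = [t for t in lookup(domain, "TXT", zone) if t.startswith("v=spf1")]
    if len(records) != 1:
        return "none"  # zero or several SPF records: no usable policy
    addr = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # a bare address or a CIDR block; mixed IP versions never match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = sender_ip in lookup(arg or domain, "A", zone)
        elif mech == "mx":
            hosts = [r.split()[1] for r in lookup(arg or domain, "MX", zone)]
            matched = any(sender_ip in lookup(h, "A", zone) for h in hosts)
        else:
            continue  # unsupported mechanism (include, redirect, ...): skip
        if matched:
            return qualifiers[qual]
    return "neutral"  # nothing matched and no 'all' term present


if __name__ == "__main__":
    print(check_dns_plan("domain.com", "mail.domain.com", "192.0.2.10"))
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, spf_result(ip, "domain.com"))
```

With the constructed zone, the server's own address passes and an unrelated address gets softfail; changing the record to end in -all turns that softfail into a fail, which is the switch the text recommends once all legitimate senders are listed.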

Installing the necessary packages

  1. log in via SSH to the server or the VM on AWS and, once logged in, acquire root privileges with:
sudo su
  2. update the system with:
apt update && apt upgrade -y

or run the two commands separately:

apt update

and then

apt upgrade -y
  3. install the necessary packages with the following command (if some of the packages are already installed, apt will simply say so):
apt install curl nano git apt-transport-https ca-certificates gnupg2 software-properties-common -y

Installing the Docker

Once you have installed the system packages above, you must install Docker.

Docker Engine installation

So, assuming that no previous version of Docker is installed on the VM, we report below the necessary commands as given on the official page (https://docs.docker.com/engine/install/ubuntu/):

  1. allow apt to use the repository over HTTPS:
apt-get install ca-certificates curl gnupg lsb-release
  2. add the official Docker GPG key:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Before going on, check that the key you just imported really is Docker’s: its fingerprint, as published in the official documentation, is 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88, and you can display the fingerprint of the imported key with
gpg --show-keys --with-fingerprint /usr/share/keyrings/docker-archive-keyring.gpg
  3. add the “stable” repository with the following command:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  4. then refresh the package index with:
apt update
  5. proceed with installing the latest version of Docker Engine with the following command:
apt install docker-ce docker-ce-cli containerd.io

Installation of Docker Compose

At this point, we must install Docker Compose; we report the commands from the Linux section of the official page https://docs.docker.com/compose/install/:

  1. download the Docker Compose release (the URL pins version 1.29.2, the last release of the 1.x line at the time):
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  2. make it executable:
chmod +x /usr/local/bin/docker-compose
  3. verify the installation by asking for the version:
docker-compose --version

The system should respond with a message like
docker-compose version 1.29.2, build 5becea4c

Two caveats. First, the curl command above puts a binary fetched from GitHub straight into /usr/local/bin with no integrity check; each release on that page ships a .sha256 file next to the binary, and you should compare it with sha256sum before running chmod. Second, the 1.x line of Docker Compose has since reached end of life: Compose v2 is installed from the same Docker apt repository as the docker-compose-plugin package and is invoked as docker compose (without the hyphen), and newer Mailcow releases require it.
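The integrity check that the download step above skips, written out as an added example (our own code, not from the original post, Docker or Mailcow): it parses a sha256sum-style checksum file, assumed to be in the usual “<hex digest>  <filename>” format that the .sha256 files on the release page use, and installs the downloaded binary only when its digest matches, applying the executable bit afterwards. The stand-in binary, checksum file and asset name in demo() are constructed so that it runs offline; in real use you would pass the downloaded docker-compose binary and the text of the matching .sha256 file.

```python
"""Refuse to install a downloaded binary whose SHA-256 does not match.

Added example, not from the original post, Docker or Mailcow. Assumes the
checksum file follows the sha256sum format "<digest>  <name>" (or
"<digest> *<name>" for binary mode), which is how the .sha256 files on the
Docker Compose release page are written.
"""
import hashlib
import hmac
import os
import shutil
import stat
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so large binaries are not read into RAM


def sha256_of_file(path):
    """Hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum-style lines into {filename: digest}.

    Blank lines and '#' comments are ignored; a line whose digest is not
    64 hex characters or that has no filename is rejected outright.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_and_install(src, checksums_text, asset_name, dest):
    """Copy src to dest and make it executable only if its SHA-256 matches.

    Raises ValueError (leaving dest untouched) if the asset is not listed
    in the checksum file or its digest differs. Returns True on success.
    """
    expected = parse_sha256sums(checksums_text)
    if asset_name not in expected:
        raise ValueError(f"{asset_name} not listed in checksum file")
    actual = sha256_of_file(src)
    if not hmac.compare_digest(actual, expected[asset_name]):
        raise ValueError(
            f"checksum mismatch for {asset_name}: got {actual}, "
            f"expected {expected[asset_name]}"
        )
    shutil.copyfile(src, dest)
    # the equivalent of chmod +x, applied only after the digest checked out
    mode = os.stat(dest).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    os.chmod(dest, mode)
    return True


def demo(tmpdir=None):
    """Constructed end-to-end run in a temp dir: a good binary installs, a
    tampered one is refused. Returns (installed, tamper_refused, dest_is_exec)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    asset = "docker-compose-Linux-x86_64"  # asset name as on the 1.x release page
    good = os.path.join(tmpdir, asset)
    with open(good, "wb") as f:
        f.write(b"#!/bin/sh\necho fake-compose\n")  # constructed stand-in binary
    checksums = f"{sha256_of_file(good)}  {asset}\n"  # constructed .sha256 file
    dest = os.path.join(tmpdir, "docker-compose")
    installed = verify_and_install(good, checksums, asset, dest)
    with open(good, "ab") as f:
        f.write(b"# tampered\n")  # simulate a modified download
    try:
        verify_and_install(good, checksums, asset, dest)
        refused = False
    except ValueError:
        refused = True
    return installed, refused, os.access(dest, os.X_OK)


if __name__ == "__main__":
    print(demo())
```

The digest is computed before anything is copied and the executable bit is set last, so a tampered download never ends up on the PATH; a mismatch raises rather than printing a warning, because a shell script calling this should abort at that point.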

Installing Mailcow

  1. move to the /opt folder:
cd /opt
  2. download Mailcow:
git clone https://github.com/mailcow/mailcow-dockerized
  3. move to the Mailcow folder:
cd /opt/mailcow-dockerized
  4. generate the Mailcow configuration file:
./generate_config.sh
  5. you will be asked to enter the FQDN to use, e.g. mail.domain.com (replace it with the real hostname you chose for your mail server), then press Enter;
  6. the file containing the Mailcow configuration has now been created as mailcow.conf; to inspect or modify it, run
nano mailcow.conf

Our suggestion is not to change the settings unless you have a real need and know which values to change. The file also holds the database passwords generated by the script, so keep it readable by root only.
To save changes made in nano, press CTRL+X and then Y.

  7. now download the Mailcow images:
docker-compose pull
  8. then start the Mailcow containers:
docker-compose up -d

Mailcow will then request a TLS certificate from Let’s Encrypt for the given FQDN (mail.domain.com in our example); for this to succeed, port 80 of that hostname must be reachable from the internet, because the ACME HTTP-01 challenge is served there.

TLS and the HTTP-to-HTTPS redirect in Mailcow’s Nginx

The redirect from HTTP to HTTPS is disabled by default, so the Nginx that ships with Mailcow has to be told to redirect plain HTTP requests, as follows:

  1. create an Nginx configuration file with the following command:
nano /opt/mailcow-dockerized/data/conf/nginx/redirect.conf
  2. add the following content
server {
  root /web;
  listen 80 default_server;
  listen [::]:80 default_server;
  include /etc/nginx/conf.d/server_name.active;
  if ( $request_uri ~* "%0A|%0D" ) { return 403; }
  location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
  }
  location / {
    return 301 https://$host$uri$is_args$args;
  }
}

Close the nano editor saving the file’s content with the command CTRL+X and then write Y and confirm by pressing Enter.

At this point, you have to restart Nginx with the command

docker-compose restart nginx-mailcow

Mailcow configuration via the web interface

If the installation has been successful, it is necessary to complete the configuration via the web interface, pointing from the browser to

https://mail.domain.com

The page will ask you to log in as the administrator; the default credentials are:

login: admin
password: moohoo

These defaults are public (they also open the demo instance mentioned below), so change the password the first time you log in, by clicking the edit button at the top right of the line showing the username (admin). It is also advisable to change the username to one of your own choosing and to enable two-factor authentication for the administrator account.

You can configure the mail server from the administration page by choosing the settings you want.

To get an idea of what you will see, you can access an online demo by going to this page https://demo.mailcow.email and using the same login credentials as above.

Configuration if the mail server is on AWS

If you install Mailcow on an AWS VM, keep in mind that EC2 instances cannot send on port 25 by default: you will have to ask AWS support, via a ticket, to lift that restriction for the instance.

Then you will have to configure the security group by opening the ports needed for e-mail, precisely:

  • 25 (SMTP between mail servers; ask for it to be unblocked via ticket)
  • 587 (submission, STARTTLS)
  • 465 (submission over TLS)
  • 143 (IMAP, STARTTLS)
  • 993 (IMAP over TLS)
  • 110 (POP3, STARTTLS)
  • 995 (POP3 over TLS)
  • 4190 (ManageSieve, only if users manage server-side filters from a client)

Open only the ports your clients actually use: if nobody uses POP3, leave 110 and 995 closed.

If you decide to activate XMPP accounts, you’ll need to open these ports as well:

  • 5222
  • 5269
  • 5443

For the webmail and the admin interface you will open:

  • 80 (needed for the HTTP redirect and for the Let’s Encrypt challenge)
  • 443

Finally, you will have to open a ticket with AWS to set the PTR record (Pointer Record or Reverse DNS) of the instance’s public IP address to mail.domain.com; without it, many receiving servers will treat your outgoing mail as suspicious.

Mailcow Help

Mailcow provides an online guide at https://mailcow.github.io/mailcow-dockerized-docs/ where you can find all the directions, for example those for configuring e-mail clients.

Conclusions and privacy

As usual, we conclude with the feedback from our experience “in the field”: we can say, without a shadow of doubt and hoping not to be contradicted, that Mailcow is a good solution for managing a mail server with particular attention to security and privacy.

Concerning security, what counts in our opinion is the infrastructure where the server or VM is hosted. Every security measure, from the firewall to opening only the necessary ports, is the responsibility of the sysadmin, who will have to evaluate everything.

It is also important to set strong passwords for each e-mail account created, to enable two-factor authentication (Mailcow supports TOTP and hardware keys) for access to the configuration page, and to adopt any other security measure that applies.

As mentioned, e-mails are encrypted at rest on the server, which is an additional guarantee, provided the key pair in the crypt-vol-1 volume is included in backups and kept out of reach of anyone who should not be able to read the mail.

Regarding privacy, Mailcow seems to us a good solution that, with the necessary security measures in place, allows full compliance with the rules on personal data protection.

Stay tuned!


[1] The term “groupware” refers to collaborative software.