Fast email server deployments with iRedMail
Email the Easy Way
Friends and workmates often tell me that email is obsolete as a means of communication. Everybody is using some mobile messaging app or another these days. Solutions such as Signal Messenger or WhatsApp let users send and receive documents and messages, and they are comparatively free from the spam and scam campaigns that plague the email ecosystem. Thus, I am told, email is irrelevant.
People couldn't be more wrong.
Email is vital for many businesses because it allows them to deliver messages to customers, employees, and associates alike by standard, open protocols that are not controlled by a single organization. Servers can be configured to email error reports to a system administrator with every incident, and email is still the most popular password recovery mechanism when somebody forgets the password to their favorite web forum.
This battle-tested communication mechanism is not free of shortcomings, however. Email accounts are bound to receive illegitimate messages containing malware or unsolicited advertisement (spam). Therefore, a modern email service must be equipped with smart filters capable of identifying legitimate mail (colloquially known as ham) and stopping the rest. Another complaint against email services is that they are built by joining many unrelated components that are not trivial to configure. A typical email service needs a web server for hosting both a management interface for the system administrator and webmail for regular users. A Simple Mail Transfer Protocol (SMTP) daemon is needed to deliver messages to users of different email services, whereas Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) daemons let users check email with clients such as Thunderbird or Mutt.
In the face of such complexities, many small organizations prefer to have a third party host their email service, and they end up purchasing plans with email providers such as Google or Microsoft. Family businesses in particular have a tendency to use free email plans from big providers such as these.
Setting up your own email service, however, has been a solved problem for quite a long time, so you have no excuse for letting Google handle your email (or worse, having your employees use a Gmail account to communicate with your customers). Canned solutions that build a functional email server in a matter of minutes already exist. Previously, I discussed Citadel [1], and now I want to introduce iRedMail.
Enter iRedMail
iRedMail is a for-profit operation built on the freemium model as a free "open source, fully fledged, full-featured mail server" [2]. The website lists three iRedMail-related products.
The downloadable installer is the product I focus on in this article. The free-tier product, licensed as free open source software under the GPL3, is a set of scripts that turns a machine into an email server when run on top of any of the supported operating systems or Linux distributions. To do this, the scripts download and install all the components required by the email server from the distribution's repositories and then configure them for you.
iRedMail Easy (Figure 1) is a web-based deployment platform. To use it, you have to create an account [3] and give iRedMail the credentials to log on to your servers over SSH (Figure 2). In this way, you can command their web deployer to turn your machines into email servers, much as the downloadable installer does.
The website does a poor job trying to convince you of the advantages of iRedMail Easy over the downloadable installer, but in practical terms, it looks like its only real benefit is getting commercial support and making it easier to submit support tickets. It is worth noting that support tickets that require SSH access are paid at a premium.
iRedAdmin-Pro is the high-end version, and its source code is available to paying customers. It is clearly marketed at email administrators who intend to host the email services of multiple different organizations or customers. It includes features not available in the free version, such as the ability to assign different resource quotas to each hosted domain, to have different administration accounts per hosting domain, and to manage quarantined email with a flexible system.
Getting Started
To build your iRedMail server, you need a fresh install of a supported platform. The list in Table 1 was valid at the time of writing this article. Keep in mind that support is not equal for all platforms: For example, my production iRedMail servers all run on OpenBSD and, although all the core functionality works, certain integrations need some fiddling. iRedMail does not necessarily support the most recent OpenBSD release, either.
Table 1
Supported Platforms
Platform | Versions |
---|---|
CentOS Stream | 8, 9 |
Rocky Linux | 8, 9 |
Alma Linux | 8, 9 |
Debian | 11, 12 |
Ubuntu | 20.04, 22.04 |
FreeBSD | 13.x |
OpenBSD | 7.3 |
I recommend the downloadable installer, but I will skip the detailed instructions for installation because they are documented on the project's website [4]. The procedure will be a breeze for system administrators and power users, but some basic IT knowledge is required. For example, you are asked which back end to use to store user accounts (Figure 3) and which optional applications you want to install (Figure 4). A successful install gives you a server featuring all the components you need for a small system (Figure 5; Table 2).
Table 2
iRedMail Components
Tool | Functionality |
---|---|
Postfix | SMTP server |
Dovecot | IMAP server |
Nginx | Web server (optional) |
iRedAdmin | Web-based management interface (optional) |
Roundcube | Webmail (optional) |
SOGo | Webmail and groupware (optional) |
Fail2Ban | Brute force protection (optional) |
Netdata | System monitor (optional) |
Amavis | Content filtering |
SpamAssassin | Spam filtering |
ClamAV | Malware detection |
Postmaster's Office
Unless you go out of your way to disable it, an iRedMail install will feature a management interface, reachable with a web browser at https://<yourserver>/iredadmin, where <yourserver> is your server's fully qualified domain name (FQDN) or IP address. From this control panel, you can perform most of the basic administrative tasks, such as creating new email accounts for users, adding domains to the list of domains for which you host email, managing quotas, and viewing the logs (Figures 6 and 7).
The free version of iRedAdmin [5], which is set up by the iRedMail downloadable installer, falls a bit short for all but the simplest scenarios. Theoretically, an unlimited number of domains may be hosted, but in practice you need to configure DomainKeys Identified Mail (DKIM) email authentication signing for each (see the "Email Connectivity" box). DKIM keys cannot be managed from iRedAdmin, so you must configure them manually.
Email Connectivity
An email server requires a reputable, static, publicly reachable IP address. You might manage to make it work with dynamic IP addresses, but I don't recommend it unless you are testing only.
Each domain for which you host mail needs to have a mail exchange (MX) entry on its DNS records pointing to your server, such as:
linuxrocks.es. 3600 IN MX 10 linuxmag.operationalsecurity.es.
This record lets email servers trying to send mail to your users learn to which host they need to connect. In other words, if a Gmail user wants to send email to ruben@linuxrocks.es, Gmail will look up the MX record for linuxrocks.es and discover that the associated mail server is at linuxmag.operationalsecurity.es.
Adding a sender policy framework (SPF) record lets other mail servers know that the owner of linuxrocks.es has authorized your server to send email in their name.
linuxrocks.es. 3600 IN TXT "v=spf1 a:linuxmag.operationalsecurity.es -all"
Proper DKIM records set up a mechanism that uses public key cryptography to certify that your email has actually been sent from your server. The server's public keys reside within a publicly available DNS record. Once DKIM is set up, your server will sign all outgoing mail. Servers that receive email from your server will then download the public key from the DNS records and verify the signatures of the email messages against it to determine whether they are legitimate or forged.
iRedMail sets up a DKIM engine on install, and outgoing mail is signed by default. Still, you need to upload your public key to the DNS registry manually. It is worth noting that iRedMail will use the same DKIM key to sign every message, so if you are hosting email for both linuxrocks.es and linuxrules.es, both domains will be covered by the same key. I have found this does not work well (despite what the documentation says). Therefore, my advice is to use a separate DKIM key for each domain. More information about DKIM and other DNS records can be found in the documentation [6] [7].
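The checks this box describes can be automated before you go live. The following Python audit is an added example, not part of the original article or of iRedMail's tooling: it reads zone-file lines and verifies each hosted domain's MX, SPF, and DKIM records, flagging domains that share one DKIM key. The `dkim` selector, the linuxrules.es records, and the key values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed zone data: the linuxrocks.es MX and SPF lines are the article's;
# the linuxrules.es records, the "dkim" selector and the p= values are made up.
ZONE = '''
linuxrocks.es. 3600 IN MX 10 linuxmag.operationalsecurity.es.
linuxrocks.es. 3600 IN TXT "v=spf1 a:linuxmag.operationalsecurity.es -all"
dkim._domainkey.linuxrocks.es. 3600 IN TXT "v=DKIM1; p=CONSTRUCTEDKEYAAAA"
linuxrules.es. 3600 IN MX 10 linuxmag.operationalsecurity.es.
linuxrules.es. 3600 IN TXT "v=spf1 a:linuxmag.operationalsecurity.es ~all"
dkim._domainkey.linuxrules.es. 3600 IN TXT "v=DKIM1; p=CONSTRUCTEDKEYAAAA"
'''
RECORD = re.compile(r'^(\S+)\s+\d+\s+IN\s+(MX|TXT)\s+(.+)$')
DKIM_KEY = re.compile(r'\bp=([^;\s]+)')  # an empty p= (revoked key) does not match

def parse(zone):
    """Return {(owner, rtype): [rdata, ...]}, owners lower-cased, no trailing dot."""
    records = defaultdict(list)
    for line in zone.strip().splitlines():
        m = RECORD.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            records[(owner.lower().rstrip('.'), rtype)].append(rdata.strip('"'))
    return records

def audit(zone, domains, mail_host, selector="dkim"):
    """Check MX, SPF and DKIM for each hosted domain; return a list of findings."""
    rec, findings, key_owners = parse(zone), [], defaultdict(list)
    for d in domains:
        mx_targets = [r.split()[1].rstrip('.') for r in rec[(d, "MX")]]
        if mail_host not in mx_targets:
            findings.append(f"{d}: no MX pointing to {mail_host}")
        spf = [t for t in rec[(d, "TXT")] if t.startswith("v=spf1")]
        if len(spf) != 1:
            findings.append(f"{d}: expected one SPF record, found {len(spf)}")
        elif f"a:{mail_host}" not in spf[0].split():
            findings.append(f"{d}: SPF does not authorize {mail_host}")
        elif not spf[0].endswith("-all"):
            findings.append(f"{d}: SPF does not end in -all")
        keys = DKIM_KEY.findall(" ".join(rec[(f"{selector}._domainkey.{d}", "TXT")]))
        if not keys:
            findings.append(f"{d}: no DKIM key at selector '{selector}'")
        for k in keys:
            key_owners[k].append(d)
    for owners in key_owners.values():
        if len(owners) > 1:
            findings.append(f"shared DKIM key: {', '.join(owners)}")
    return findings
```

Calling `audit(ZONE, ["linuxrocks.es", "linuxrules.es"], "linuxmag.operationalsecurity.es")` on the sample data reports the softfail SPF policy on linuxrules.es and the DKIM key shared by both domains.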
The free iRedAdmin lacks quarantine management. By default, incoming email may be prevented from reaching the Inbox and stored in quarantine until the postmaster decides its fate. One reason an email might be quarantined is if it looks like it might carry malware or spam. The problem is, because iRedAdmin does not have an interface for dealing with quarantined messages, email that is quarantined will never be checked and can't be released. Quarantine management is a paid feature included in iRedAdmin-Pro.