How to Host a Personal Email Server on Google Cloud (for Free!): Part III
Configuring Dovecot & Encryption

Articles in this series
- Introduction & GCP Setup
- Configuring Postfix, Mailgun, & DNS Records
- Configuring Dovecot & Encryption
- Managing Virtual Mailboxes with MariaDB & Postfixadmin
- Hosting Webmail with Roundcube
- Filtering Spam with Rspamd & Sieve
If you have not read the previous articles in this series, please follow the links above to catch up. We now have our server running on GCP configured to send and receive email via the SMTP protocol and have configured our DNS records to ensure email is delivered to & from us. Now we need to ensure that we can connect to our server from a mail client to check our email and submit new mail to be sent out.
Securing Our Email Traffic
The first thing we should do is secure our email traffic by obtaining a TLS certificate. We will use Let’s Encrypt to do this at no cost. We will start by installing the Let’s Encrypt client.
sudo apt install certbot -y
Now we will use certbot to spin up a temporary server to confirm that we are in fact the owners of the domain and issue a certificate.
sudo certbot certonly -d mail.example.com
Use your mail subdomain and select option 1, "Spin up a temporary web server (standalone)". You will have to enter an email address and answer a couple of questions to proceed. If you receive a DNS error, make sure that the mail A record is pointing to the correct address. If you recently created or updated the record, wait a few minutes and try again. Once the command is successful, our TLS certificate can be found at /etc/letsencrypt/live/mail.example.com.
Let’s go ahead and configure Postfix to use our new certificate to enforce traffic encryption by editing /etc/postfix/main.cf.
First, replace the default cert & key files.
#TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
We also want to enforce TLS version ≥ 1.2, so add the following lines:
#Enforce TLSv1.2 or TLSv1.3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
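To confirm that all four settings took effect, the output of postconf -n can be checked for parameters that still allow a legacy protocol. The script below is an added example, not part of the original article; the helper name weak_tls_params and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): list the Postfix TLS protocol
# parameters that still permit SSLv2, SSLv3, TLSv1 or TLSv1.1.
# Input: "name = value" lines on stdin, the format `postconf -n` prints.
# weak_tls_params is a hypothetical helper name.
weak_tls_params() {
    awk '
    BEGIN {
        n = split("smtpd_tls_mandatory_protocols smtpd_tls_protocols smtp_tls_mandatory_protocols smtp_tls_protocols", want, " ")
        split("SSLv2 SSLv3 TLSv1 TLSv1.1", legacy, " ")
    }
    {
        # Split on the first "=" only, so values such as ">=TLSv1.2" survive.
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1)
        gsub(/[ \t]/, "", name)
        val[name] = substr($0, eq + 1)
    }
    END {
        for (i = 1; i <= n; i++) {
            split("", seen)                       # clear the token set
            m = split(val[want[i]], tok, /[ ,\t]+/)
            for (j = 1; j <= m; j++) seen[tok[j]] = 1
            # Postfix 3.6+ also accepts a version floor instead of exclusions.
            ok = ((">=TLSv1.2" in seen) || (">=TLSv1.3" in seen))
            if (!ok) {
                ok = 1
                for (k = 1; k <= 4; k++) {
                    key = "!" legacy[k]
                    if (!(key in seen)) ok = 0
                }
            }
            # An unset parameter is reported too: the article sets all four.
            if (!ok) print want[i]
        }
    }'
}

# Constructed sample: one parameter was left at an older, weaker value.
SAMPLE='smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3'
printf '%s\n' "$SAMPLE" | weak_tls_params    # prints: smtp_tls_protocols
```

On the server, run it as postconf -n | weak_tls_params; no output means every parameter excludes the legacy protocols.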
Now that our encryption is set up, let’s enable email submission via Postfix.
For this, we will edit /etc/postfix/master.cf. Find the submission section in the service list and uncomment these lines:
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# add this value to the following line
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
Also add the following 2 lines:
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
The previous settings apply to submissions from email clients on port 587. Below the submission section is the smtps section. It applies to submissions from mail clients on port 465. It is necessary to enable this as well if you plan to use an email client that requires this port, such as Microsoft Outlook. If so, uncomment or add the following lines:
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
Now restart Postfix to apply the settings.
sudo service postfix restart
Setting up Dovecot
We will use Dovecot to interact with our mailbox via IMAP. The following will install Dovecot’s core library, IMAP daemon, and LMTP daemon. The latter will be used to connect Postfix to Dovecot for mail storage (Inbox, Sent, Trash, Junk, etc).
sudo apt install dovecot-core dovecot-imapd dovecot-lmtpd -y
Next, we want to configure Dovecot to use the Maildir format to store our mail. Open /etc/dovecot/conf.d/10-mail.conf and change the mail_location.
mail_location = maildir:~/Maildir
Then we need to add the dovecot user to the mail group so that Dovecot can read our Inbox.
sudo adduser dovecot mail
Use Dovecot to Deliver Email to Mail Storage
Now we will connect Postfix to Dovecot to allow the latter to sort & deliver email to our mail storage. Open /etc/dovecot/conf.d/10-master.conf and update the lmtp service definition.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
Go back to /etc/postfix/main.cf and tell Postfix to use Dovecot LMTP for mailbox transport.
mailbox_transport = lmtp:unix:private/dovecot-lmtp
# SMTPUTF8 not supported by Dovecot-LMTP
smtputf8_enable = no
Configure Authentication
Next, we need to disable plaintext authentication unless the connection is protected by SSL/TLS. Open /etc/dovecot/conf.d/10-auth.conf and uncomment this line (near the top of the file):
disable_plaintext_auth = yes
Configure TLS Encryption
Now we will configure Dovecot to use our TLS certificate from Let’s Encrypt. Open /etc/dovecot/conf.d/10-ssl.conf. Find the ssl_cert & ssl_key variables and update the values to the paths of your certificate & key.
NOTE: Don’t leave out the < character. It is required.
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
Like we did with Postfix, we want to ensure Dovecot uses TLS version ≥ 1.2, so find the ssl_min_protocol variable, uncomment the line, and update the value to TLSv1.2.
ssl_min_protocol = TLSv1.2
Then find the ssl_prefer_server_ciphers variable, uncomment the line, and change the value to yes.
ssl_prefer_server_ciphers = yes
Configure SASL Authentication
Next, we need to configure the Dovecot authentication server so that Postfix can use it. Open /etc/dovecot/conf.d/10-master.conf and update the service auth section, uncommenting the following lines:
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
}
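Mode 0666 lets any local account that can reach the socket path talk to the authentication service, so when reviewing this file it is worth listing every listener whose mode grants access to other users. The script below is an added example, not part of the original article; the helper name open_listeners and both sample configurations are constructed, and the tightened variant (mode 0660, owned by postfix) mirrors the owner settings the article uses for the lmtp listener.

```shell
#!/bin/sh
# Added example (not from the article): list Dovecot unix_listener sockets
# whose mode grants access to "other" users. Input: Dovecot configuration
# text on stdin in the layout `doveconf -n` prints ("mode = 0666").
# A listener with no mode line is not reported.
# open_listeners is a hypothetical helper name.
open_listeners() {
    awk '
    $1 == "unix_listener" { path = $2; mode = ""; inside = 1; next }
    inside && $1 == "mode" && $2 == "=" { mode = $3 }
    inside && $1 == "}" {
        # The last octal digit holds the permissions for "other".
        if (mode ~ /[1-7]$/) print path, mode
        inside = 0
    }'
}

# Constructed sample: the two listeners as configured in this article.
ARTICLE_CONF='service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}'

# Constructed sample: the auth listener restricted to the postfix account,
# mirroring the owner settings the article uses for the lmtp listener.
TIGHT_CONF='service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}'

printf '%s\n' "$ARTICLE_CONF" | open_listeners  # /var/spool/postfix/private/auth 0666
printf '%s\n' "$TIGHT_CONF" | open_listeners    # prints nothing
```

On the server, run it as doveconf -n | open_listeners.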
Automate Default Folder Creation
We can configure Dovecot to automatically create folders in our mailbox (Sent, Trash, Junk, etc). To do so, edit /etc/dovecot/conf.d/15-mailboxes.conf. We can see a list of common folders in the namespace inbox section. To auto-create a folder, we just need to add auto = create in the mailbox section. For example:
mailbox Junk {
  auto = create
  special_use = \Junk
}
You probably want to do this for the Drafts, Junk, Trash, and Sent folders. Finally, restart Dovecot & Postfix for all of our changes to take effect.
sudo service dovecot restart && sudo service postfix restart
Now check the status of each service.
sudo service dovecot status
sudo service postfix status
If both services are running without errors, your configuration is most likely good up to this point. If you have any errors, please double check that you did not miss any steps and do not have any typos. If you cannot find a reason for the error, feel free to reach out to me.
Conclusion
Whew! We covered a lot in this article, but we’re still not quite done. If we were setting this up on our own PC, we could now connect from a mail client using our username & password. Unfortunately, we cannot access our server from an email client just yet because our user doesn’t have a password. You may recall we are authenticating through GCP with SSH tokens. We will address this issue in our next article by creating virtual mailboxes. Let’s review what we accomplished in this article, though.
- We used Let’s Encrypt to acquire a TLS Certificate via the certbot client.
- We configured Postfix for mail submission from email clients.
- We installed and configured Dovecot as our IMAP server software.
- We configured Postfix and Dovecot to use our TLS certificate.
- We connected Postfix to Dovecot for authentication & mail sorting.
- We automated default mailbox folder creation with Dovecot.
Take a breather and pat yourself on the back for making it this far. We accomplished a lot today, but we have a little more to do. In the next article, we will set up MariaDB as our database, set up our virtual mailboxes, and install Postfixadmin to make mailbox/domain administration super easy.