iRedMail setup and GoDaddy DNS records

I had it in mind to Dockerize email services on an Ubuntu server. I quickly realized email is a gongshow and opted for the fastest, easiest solution. This turned out to be iRedMail, which still proved a bit tricky when it came time to set up my GoDaddy DNS records.

Here’s what I did…

The system

  • Ubuntu 14.04 server
  • 1 vCPU
  • 2 GB (as recommended here)
  • 20 GB of storage

I buy my VMs from cloudatcost.com. They’re reasonably reliable and reasonably priced.

A (Host) records

Once your machine (wherever it be) is online, set the DNS A (Host) records right away. My DNS stuff is all managed at GoDaddy.

First, an A record for the domain itself (GoDaddy lists the root as host @) pointing at the server's public IP. Then create another A record for host mail, pointing the mail subdomain at the same IP. This is the name the MX record will reference later, so it should match the hostname you give the server below.

Prepare the environment

CloudAtCost creates a root user and sets the password. I ssh in and change it right away:

ssh root@rockyvalley.ca
passwd

There may be a compelling reason to create a non-root user, but since iRedMail will be installed entirely as root, I’m going to skip that step until advised to do otherwise.

Set the domain name

First,

vim /etc/hostname

Change whatever’s inside to:

mail

and save. Then,

vim /etc/hosts

Change it to look like this:

127.0.0.1   mail.rockyvalley.ca mail localhost localhost.localdomain

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Change your domain name wherever appropriate (my example domain is rockyvalley.ca). The fully qualified name must come first on the 127.0.0.1 line, because that first name is what hostname -f reports.

Reboot the machine.

Log back in:

ssh root@rockyvalley.ca

Execute

hostname -f

If you see something similar to

mail.rockyvalley.ca

then your server has been named appropriately.

Install iRedMail

Download the latest package (0.9.2 at the time of writing). Before extracting, compare the archive's checksum with the one published on the iRedMail download page; the installer runs as root and reconfigures every mail service on the box.

cd /root
wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.2.tar.bz2
tar xjf iRedMail-0.9.2.tar.bz2
cd iRedMail-0.9.2

Execute the install script:

bash iRedMail.sh

This will install a bunch of stuff and then guide you through configuration. Press Enter to proceed past the intro screen.

The configuration screens, in order:

  • Default mail storage path
  • Preferred web server
  • Choose preferred backend used to store mail accounts (use the space bar to select the database; here, PostgreSQL)
  • Password for PostgreSQL administrator: postgres
  • Your first virtual domain
  • Password for the administrator of your domain
  • Optional components
  • Proceed with installation

I answered yes when asked:

< Question > Would you like to use firewall rules provided by iRedMail?
< Question > File: /etc/default/iptables, with SSHD port: 22. [Y|n]y

I answered _no_ when asked:

< Question > Restart firewall now (with SSHD port 22)? [y|N]n

I figured it unwise to restart because I’m logged in to my server via ssh.
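The rules the installer wrote to /etc/default/iptables take effect the next time the firewall is started, which the reboot it asks for will do. Before that reboot it is worth confirming the file still accepts your SSH port, particularly if sshd listens on something other than 22. The script below is an added example, not part of the original post and not iRedMail's code; it reads a rule file in iptables-save syntax, and the sample rule lines quoted in its comments are constructed rather than copied from iRedMail's file.

```shell
#!/bin/sh
# Added example (not from the original post or from iRedMail): check an
# iptables-save style rule file before the reboot that activates it, so a
# missing SSH rule cannot lock you out. Sample lines in comments are
# constructed, e.g.
#   -A INPUT -p tcp --dport 22 -j ACCEPT
#   -A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT

# ruleset_allows_tcp_port FILE PORT: true if an INPUT rule ACCEPTs TCP to PORT,
# either as "--dport PORT" or inside a multiport "--dports a,b,PORT" list.
ruleset_allows_tcp_port() {
    grep -E -e '^-A INPUT( .*)? -p tcp .* -j ACCEPT[[:space:]]*$' "$1" |
        grep -E -q -e "(--dport $2|--dports ([0-9]+,)*$2(,[0-9]+)*)( |$)"
}

# ruleset_input_drops FILE: true if the filter table's INPUT policy is DROP,
# i.e. anything not explicitly accepted is blocked.
ruleset_input_drops() {
    grep -q -e '^:INPUT DROP' "$1"
}

# precheck_ruleset FILE SSHPORT: print a verdict per check; exit status is
# zero only if rebooting with this file is safe for SSH.
precheck_ruleset() {
    ok=0
    if ruleset_input_drops "$1"; then
        echo "ok:   INPUT default policy is DROP"
    else
        echo "warn: INPUT default policy is not DROP (unlisted ports stay open)"
        ok=1
    fi
    if ruleset_allows_tcp_port "$1" "$2"; then
        echo "ok:   TCP port $2 (SSH) is accepted"
    else
        echo "FAIL: no ACCEPT rule for TCP port $2; rebooting would lock you out"
        ok=1
    fi
    return $ok
}

# Usage on the server:  sh fw-precheck.sh /etc/default/iptables 22
if [ "$#" -eq 2 ]; then
    precheck_ruleset "$1" "$2"
fi
```

Run it with the rule file and the port sshd actually listens on; if it reports FAIL, add the missing rule to the file before rebooting rather than after.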

Upon successful completion, the installer will spit out some valuable information:

********************************************************************
* URLs of installed web applications:
*
* - Webmail:
* o Roundcube webmail: httpS://mail.rockyvalley.ca/mail/
*
* - Web admin panel (iRedAdmin): httpS://mail.rockyvalley.ca/iredadmin/
*
* You can login to above links with same credential:
*
* o Username: postmaster@rockyvalley.ca
* o Password: somesecretpassword
*
*
********************************************************************
* Congratulations, mail server setup completed successfully. Please
* read below file for more information:
*
* - /root/iRedMail-0.9.2/iRedMail.tips
*
* And it's sent to your mail account postmaster@rockyvalley.ca.
*
********************* WARNING **************************************
*
* Rebooting your system is required to enable mail services.
*
********************************************************************

Reboot now.

Set up DNS records

MX

The A records have already been set up. Create an MX record for the domain that points at mail.rockyvalley.ca, the host the second A record resolves; receiving servers look this record up to find where to deliver mail for rockyvalley.ca (I’m using GoDaddy, so I deleted the existing records before proceeding):

SPF

SPF tells receiving servers which hosts may send mail for your domain. It is set as a TXT record on the domain itself at GoDaddy; a typical value for a setup like this is v=spf1 mx -all, which authorises the MX host and asks receivers to reject everything else (~all would only mark unlisted senders as suspicious):

DKIM

Log back into your server:

ssh root@rockyvalley.ca

Execute the following to print the DKIM public key iRedMail generated for your domain:

amavisd-new showkeys

This will return something like this:

; key#1, domain rockyvalley.ca, /var/lib/dkim/rockyvalley.ca.pem
dkim._domainkey.rockyvalley.ca. 3600 TXT (
"v=DKIM1; p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApTNgVVL2+vIIcq9xioc5"
"B/ydJxaQRZ1eBKkO7mhz2ir5k3DdWl+y65GYR8TbP3z3essbwOnPocqnwX81RoW1"
"VAhPYlHU57OLSXnk3qYcRDHpT/UU/dOGdFclpuAXazUg0l8QhTgadtxsIRDlckKg"
"Vr6II7knZUrhfm84uJ3w858OIrzy8KOSXXfc8npTn48iy4okJGbHvVxE05m6f9/g"
"ie63Z5XkIZeJu7Nj6O/IOVitZh3uiKoOlBHULKqpNtHtPrnZHHX51OLkiezUBvG+"
"slHGPK710iW5ITDy5qm/VaANigXBnPrdF3S3sZMFprwa9GhGSkrnnJ40eCJVFgCm"
"FQIDAQAB")

Everything inside the parentheses, with the quotes and line breaks removed, goes onto a single line, like this:

v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApTNgVVL2+vIIcq9xioc5B/ydJxaQRZ1eBKkO7mhz2ir5k3DdWl+y65GYR8TbP3z3essbwOnPocqnwX81RoW1VAhPYlHU57OLSXnk3qYcRDHpT/UU/dOGdFclpuAXazUg0l8QhTgadtxsIRDlckKgVr6II7knZUrhfm84uJ3w858OIrzy8KOSXXfc8npTn48iy4okJGbHvVxE05m6f9/gie63Z5XkIZeJu7Nj6O/IOVitZh3uiKoOlBHULKqpNtHtPrnZHHX51OLkiezUBvG+slHGPK710iW5ITDy5qm/VaANigXBnPrdF3S3sZMFprwa9GhGSkrnnJ40eCJVFgCmFQIDAQAB

All this gets set as another TXT record:

This may take some time to propagate (a couple hours even). These commands will help confirm that everything is set up okay:

dig -t txt dkim._domainkey.rockyvalley.ca
nslookup -type=txt dkim._domainkey.rockyvalley.ca

You’ll see the DKIM TXT record you just set once everything has propagated.

Then have amavisd fetch the public key from DNS itself, which proves the published record matches the private key it signs with:

amavisd-new testkeys

You should see this, if successful:

TESTING#1: dkim._domainkey.rockyvalley.ca    => pass
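Two steps in the MX/SPF and DKIM sections are done by hand and are easy to get wrong: joining the showkeys fragments into one TXT value, and reading back what GoDaddy actually publishes (dig returns a long TXT record as several quoted strings that have to be joined before you compare). The script below is an added example, not part of the original post and not iRedMail's code. It flattens the showkeys output, sanity-checks the result, grades an SPF record by its all mechanism, and, only when asked, compares the live DNS answers with what you expect. The domain, selector and the short sample values in its comments are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original post or from iRedMail). Domain and
# selector are whatever you pass in; sample values in comments are constructed.

# flatten_showkeys: read `amavisd-new showkeys` output on stdin and print the
# record value on one line. Only quoted fragments are kept, quotes stripped.
flatten_showkeys() {
    sed -n 's/^[[:space:]]*"\(.*\)".*$/\1/p' | tr -d '\n'
    echo
}

# join_dig_txt: `dig +short TXT` prints a long record as several quoted
# 255-byte strings, e.g.  "v=DKIM1; p=MIIB..." "...AB"  on one line. Join
# them into one value (assumes a single TXT record at the queried name).
join_dig_txt() {
    sed 's/" "//g; s/^"//; s/"[[:space:]]*$//' | tr -d '\n'
    echo
}

# txt_values_match A B: equal once whitespace is dropped (DKIM ignores it).
txt_values_match() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$(printf '%s' "$2" | tr -d '[:space:]')" ]
}

# dkim_txt_is_sane VALUE: v=DKIM1 comes first and p= holds only base64.
dkim_txt_is_sane() {
    printf '%s' "$1" | grep -Eq '^v=DKIM1;' &&
    printf '%s' "$1" | sed -n 's/.*p=\([^;]*\).*/\1/p' | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# spf_policy VALUE: say what the record does with senders that match no
# mechanism. Succeeds only for a hard fail (-all); anything weaker lets
# spoofed mail through with at most a spam-score penalty.
spf_policy() {
    case "$1" in
        v=spf1*) ;;
        *) echo "not an SPF record"; return 1 ;;
    esac
    case " $1 " in
        *" -all "*) echo "hard fail: unlisted senders are rejected"; return 0 ;;
        *" ~all "*) echo "soft fail: unlisted senders are accepted but marked"; return 1 ;;
        *" ?all "*|*" +all "*|*" all "*) echo "neutral/pass: record authorises everyone"; return 1 ;;
        *) echo "no all mechanism: receivers treat unlisted senders as neutral"; return 1 ;;
    esac
}

# check_live DOMAIN SELECTOR EXPECTED_DKIM: needs network and dig.
check_live() {
    domain=$1; selector=$2; expected=$3
    echo "MX:  $(dig +short MX "$domain" | tr '\n' ' ')"
    spf=$(dig +short TXT "$domain" | grep '"v=spf1' | join_dig_txt)
    echo "SPF: $spf"
    spf_policy "$spf" || true
    got=$(dig +short TXT "$selector._domainkey.$domain" | join_dig_txt)
    if txt_values_match "$got" "$expected"; then
        echo "DKIM: DNS serves the expected key"
    else
        echo "DKIM: MISMATCH, or not yet propagated"
        echo "  expected: $expected"
        echo "  got:      $got"
        return 1
    fi
}

# Live usage (needs network):
#   amavisd-new showkeys | LIVE=1 sh dns-check.sh rockyvalley.ca dkim
if [ "${LIVE:-0}" = "1" ]; then
    expected=$(flatten_showkeys)
    dkim_txt_is_sane "$expected" || { echo "showkeys output did not parse"; exit 1; }
    echo "TXT value to paste at GoDaddy for $2._domainkey.$1:"
    echo "$expected"
    check_live "$1" "$2" "$expected"
fi
```

The whitespace-insensitive comparison matters because GoDaddy may store the value with or without the space after the semicolon; the join step matters because a 2048-bit key is well over the 255-byte limit of a single TXT string.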

SSL/TLS

At this point, assuming time allowed for propagation, you should be able to send and receive email from the postmaster account. However, the certificates iRedMail sets up for you are self-signed, which means you get an ugly warning whenever you open your webmail, and mail clients complain in the same way when they connect over IMAP or SMTP. To fix this, you’ll need to get certs from a trusted certificate authority. I like to use startssl.com because they’re free.

Once obtained, transfer the certificates to the mail server:

scp rockyvalley.ca.tar.gz root@rockyvalley.ca:~

Login,

ssh root@rockyvalley.ca

extract, strip the passphrase from the key, and lock it down (openssl rsa rewrites the key without its passphrase, which the daemons need because they start unattended; that is why the file is then made readable by root only):

tar -zxvf rockyvalley.ca.tar.gz
cd rockyvalley.ca
openssl rsa -in ssl.key -out iRedMail.key
chmod 400 iRedMail.key

Since I chose Nginx as my web server and StartSSL as my CA, I need to chain my ssl.crt with StartSSL’s intermediate certificate. The order matters: the server certificate comes first, then the intermediate, because that is the order the server presents them to clients in the TLS handshake:

cat ssl.crt sub.class1.server.ca.pem > iRedMail.crt

The certificates are now ready to be put in place. The self-signed certificates are stored in:

  • /etc/ssl/certs/iRedMail.crt
  • /etc/ssl/private/iRedMail.key

The new files already carry the right names from the decryption and chaining steps, so overwriting the self-signed pair is simply a matter of moving them into place:

mv iRedMail.crt /etc/ssl/certs/
mv iRedMail.key /etc/ssl/private/

Reboot the machine.

I rebooted in lieu of restarting individual services. Once back online, test sending and receiving. Everything should be good to go.
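Before overwriting the self-signed pair it pays to check that the certificate really belongs to the key, that it verifies through the intermediate, and that the chain file has the leaf first; a mismatch only shows up as every service failing to start after the reboot. The script below is an added example, not part of the original post and not iRedMail's code. It assumes the inputs are named ssl.key (possibly passphrase-protected), ssl.crt (the leaf) and an intermediate file such as the post's sub.class1.server.ca.pem; those names, and the target paths under /etc/ssl, are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post or from iRedMail): validate a
# CA-issued certificate, key and chain, then install them where iRedMail's
# services read them. Input file names are placeholders.

# count_pem_certs FILE: how many CERTIFICATE blocks a PEM file holds.
count_pem_certs() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1"
}

# cert_matches_key CERT KEY: true if CERT's public key is the one derived
# from KEY (compares SHA-256 of both DER-encoded public keys).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_verifies INTERMEDIATE LEAF [CAFILE]: verify LEAF through INTERMEDIATE
# up to a root in CAFILE (default: the system trust store mail clients use).
chain_verifies() {
    openssl verify -CAfile "${3:-/etc/ssl/certs/ca-certificates.crt}" -untrusted "$1" "$2" >/dev/null 2>&1
}

# build_chain LEAF INTERMEDIATE OUT: servers send the leaf first, then the
# intermediate(s); write them in that order.
build_chain() {
    cat "$1" "$2" > "$3"
}

# leaf_is_first CHAIN LEAF: true if the first certificate in CHAIN is LEAF
# (openssl x509 reads only the first PEM block, so compare subjects).
leaf_is_first() {
    [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ]
}

# install_certs CHAIN KEY: copy into the paths iRedMail's services read; the
# key is readable by root only, since the daemons load it before dropping
# privileges.
install_certs() {
    install -o root -g root -m 0644 "$1" /etc/ssl/certs/iRedMail.crt
    install -o root -g root -m 0400 "$2" /etc/ssl/private/iRedMail.key
}

# Usage on the server (prompts once for the key passphrase, then strips it):
#   sh tls-install.sh ssl.crt ssl.key sub.class1.server.ca.pem
if [ "$#" -eq 3 ]; then
    leaf=$1; enc_key=$2; inter=$3
    openssl pkey -in "$enc_key" -out iRedMail.key && chmod 400 iRedMail.key
    cert_matches_key "$leaf" iRedMail.key || { echo "certificate does not match key"; exit 1; }
    chain_verifies "$inter" "$leaf"       || { echo "leaf does not verify through the intermediate"; exit 1; }
    build_chain "$leaf" "$inter" iRedMail.crt
    leaf_is_first iRedMail.crt "$leaf"    || { echo "chain order is wrong"; exit 1; }
    install_certs iRedMail.crt iRedMail.key
    echo "installed; after the services restart, inspect what is actually served with:"
    echo "  openssl s_client -connect mail.example.com:443 -servername mail.example.com </dev/null | openssl x509 -noout -subject -issuer -dates"
fi
```

The s_client check at the end is the one that matters after the reboot: it shows the certificate and issuer the server presents on the wire, which is what a browser or mail client judges, independent of what the files on disk look like.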