
Thread: Advice for 1 user / mailaccount Ubuntu mailserver

  1. #1
    Join Date
    Nov 2021
    Beans
    12

    Advice for 1 user / mailaccount Ubuntu mailserver

    Hi,

    The goal is owning my own email infrastructure (without mailserver hosting).
    While it's only for me, 1 user (mailaccount) is sufficient.

    On all my devices (phone, laptop, pc) there should be access to calendar and email for me.
    This by iOS on my phone and Linux laptop and PC (through Evolution or Thunderbird).

    At this moment my DNS records for my domain are ok.
    For the email serving purpose I have another PC with Ubuntu Server 22.04 installed.
    This with Postfix and Dovecot.
    The mail server PC is only meant for serving, so it would be nice if I can take over this machine from my laptop or my main PC.

    Last big things to set up for this server PC are the SSL certificate and calendar software.
    My ISP blocks port 25 so I need a certificate for port 587.

    Excuses for the long introduction.

    Through all the instructions on the internet it's hard (for me as novice) to pick one or two for my needs.
    Searches mostly lead to web server installation instructions.

    For the calendar serving purpose I think I must turn my mail server into a web server.
    DAViCal can perhaps take care of the calendar need.

    For the SSL certificate I can make use of the letsencrypt shell certbot option.
    Or free SSL / TLS certificate from cloudflare.

    Can you please give some advice for the certificate and the calendar software?
    Do I really need to turn my mail server into a web server?
    What would be the best way (for me) to obtain a letsencrypt certificate?
    Is DAViCal a smart way to get a calendar running (on Linux machines and iOS phone)?

  2. #2
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Advice for 1 user / mailaccount Ubuntu mailserver

    for 3)

    Install acme.sh from https://github.com/acmesh-official/get.acme.sh

    Then look here: https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

    Passing "-s letsencrypt" to the script makes it use the LetsEncrypt servers.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  3. #3
    Join Date
    Nov 2021
    Beans
    12

    Re: Advice for 1 user / mailaccount Ubuntu mailserver

    Hi Sensei,
    Thanks a lot. You made my view a bit clearer.
    It made me move my dns records to another registrar. But I am still struggling with the certificates and keys.
    The good thing is that I can take the short cut. Setting up a web server does not make this key and certificate fiddling go away.
    It seems I need a lot of time to get this right.
    There are a lot of ways to generate keys and certificates, but they don't fit very well with Thunderbird (Yes it's my opinion).
    I have very good experience with the syncing of Evolution (ews). Much better than with the Thunderbird plugins. But I think it's even more a b*tch. Time to go to bed.
    Hopefully next time better news.
    Regards

  4. #4
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Advice for 1 user / mailaccount Ubuntu mailserver

    Last big things to set up for this server PC are the SSL certificate and calendar software.
    My ISP blocks port 25 so I need a certificate for port 587.
    587/tcp is typically for authenticated clients to connect to an email server. That's for Thunderbird to authenticate the connection and to send emails. 465/tcp is often used for the same purpose, authenticated client SMTP connections.

    25/tcp is typically for SMTP to SMTP communications. I suppose it can be any port, I've only seen email forwarding services using 2525/tcp. They run about $25/month. I don't know how to tell other SMTP servers which port to use. It would need to be in DNS somewhere. Making postfix listen on 2525/tcp isn't hard - that's not the issue. Announcing that your MX happens on port 2525 to the world is what I don't know off the top of my head. https://serverfault.com/questions/45...ternative-port has some alternatives.

    As usual, there are 1000 solutions. Having an ISP that doesn't block port 25 would be the best answer. Many will allow this when you sign up for a business account, not a residential account. All will allow 25/tcp if you have business and complain.

    Another solution is to get a cheap VPS to be your email gateway. It wouldn't hold any email, just provide an interface for all inbound and outbound email. This is what I do. I use a VPN to connect to that VPS with services on my home "public services" LAN. The VPS may block port 25 too. Just open a ticket and jump through their hoops to get it opened. Took me 3 emails to get my VPS to do that. Honestly, I appreciated they weren't pushovers - spammers wouldn't go to the effort they needed. They just asked a few questions about the planned email use, volumes, stuff like that.

    There are mail-in-a-box services too. https://mailinabox.email/ I've never used it. I'm old and have been running email servers since around 1994. I'd rather pay for a monthly VPS than have to trust someone too much with emails.

    Regardless, you should put each of these public services into either a separate VM or container to make upgrades easier. Mixing services just makes the software stack for each harder to maintain and upgrade. Don't. Just don't. The hard part is that running a good VPN inside a container usually breaks the security of the container by requiring root to run it. That's a 100% no-go for me, so my VPN servers on both sides are inside full VMs.

    Calendaring is a different issue completely.

  5. #5
    Join Date
    Nov 2021
    Beans
    12

    Re: Advice for 1 user / mailaccount Ubuntu mailserver

    In the heat of the moment I was a bit too negative about Thunderbird and Evolution.
    Just after writing my last text (above) I realized I should have mentioned that telnet also does not receive and send external.
    That is something I should use more as a starting point (for problem solving).

    Quote Originally Posted by TheFu View Post
    587/tcp is typically for authenticated clients to connect to an email server. & Having an ISP that doesn't block port 25 would be the best answer.
    Excuses, no paraphrasing intended.
    Well, the info for the silly people like me is different. With ISPs blocking port 25 and reading texts like (https://www.cloudflare.com/learning/...port-25-587/):
    What SMTP port should be used?

    Originally, the Simple Mail Transfer Protocol (SMTP) used port 25. Today, SMTP should instead use port 587 — this is the port for encrypted email transmissions using SMTP Secure (SMTPS).


    There you go after seeing people on YouTube setting up a mailserver in 5 minutes. Let's go for port 587. Not knowing the mess you step in.
    Perhaps the smart people keep the stupid people silly, to prevent more poor people to set up a mailserver for bombing the world with crappy emails.

    The fact is that it would be more handy to have some good information about what is actually needed to get mail over port 587.
    Which certificates and keys are there that are needed for port 587? How with self signed? How with not self signed? etc...

    I found out that I can move to another ISP for port 25. They actually have a good product for a nice price. But for me it's going to be a good setup or no setup.
    I don't have the intention to frequently struggle with black lists. If that's the alternative, then my new server is going to get a new home in the near future.

    For the calendar I think it's better to use some cloud help. I always saw it as something that's part of the email configuration. But there is little reason to push that idea through setting up a mailserver (I think now).

    As before, hopefully next time better news.

    Thank you!

  6. #6
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Advice for 1 user / mailaccount Ubuntu mailserver

    What SMTP port should be used?
    There are 2 SMTP ports. They serve different purposes.

    For server-to-server SMTP, port 25/tcp should be used. This is unauthenticated email. No userid/password. TLS certs can be of any sort, including self-signed. It makes little difference, since DNS hacking of clients (servers) would be completely outside the control of the target SMTP server. All TLS does is to ensure that messages aren't molested between the client and the server involved. Little need for a paid/official cert.

    For client-to-server SMTP, port 465/tcp or 587/tcp should be used to SEND emails. There's no mode for receiving emails between servers on port 587/tcp. These are authenticated senders using specific userids and passwords. They also use TLS (or STARTTLS) to encrypt the connection, but that's outside the userid/password authentication.

    I don't know how to make it any clearer.

    SMTP follows standards. These are outlined in the RFCs and they aren't exactly long, but since SMTP has been modified slightly over the decades, there are probably 5+ RFCs (that's "standards") for how SMTP works. https://www.rfc-editor.org/rfc/rfc5321.html might be the most recent SMTP standard. IDK.

    Calendar programs follow different standards. CalDAV is one. ICS files are another. These aren't part of SMTP standards, so if they are provided or used, it is separate. Don't get me wrong, from an end-user standpoint, calendaring and email are tightly coupled. When a calendar invitation is sent, it is usually an ICS file and the fat email client program handles it, if it does anything with calendars.

    MS-Exchange is why calendaring and email became coupled in the world. In the Unix world, there are a number of "communications servers" that merge email and calendaring.

    Client programs use SMTP to send email 587/tcp and IMAPS (993) or POP3S (995) to receive email. These ports are in the /etc/services file on every UNIX system.

    I don't have the intention to frequently struggle with black lists.
    Good luck with that.

    If you care about privacy enough to run your own SMTP server, where does the "use the cloud" for calendaring make sense? Calendaring is 100x easier than SMTP. Nextcloud-Calendar makes it pretty easy, I understand. I use Zimbra for my "communications server", mainly because of the amazing search, enterprise calendaring, LDAP, and SMTP integration. It is pretty huge and ugly, with trade-offs. Today I'd choose a different solution with nextcloud+roundcube on my short list. https://roundcube.net/news/2023/11/3...-for-roundcube . There are others, but they feel "off".

    Zimbra is slick like gmail, but 100% local. Zimbra follows standards for LDAP, SMTP, IMAP, CalDAV, CardDAV, and lots of other standards. OTOH, Zimbra is a monster and difficult to upgrade because the 20 F/LOSS projects are all tightly coupled. I don't let Zimbra directly on the internet. An email gateway for all inbound/outbound SMTP is part of my security architecture. That email gateway runs bog standard postfix on a new 22.04 system. This gateway is easy to maintain, patched weekly. It is where I do massive anti-spam stuff, though Zimbra has junk-mail filters too.

    Like I posted above, there are 1000 solutions. Only you can figure out what will work for you and your skills.
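
Added example (not from the thread or any poster): a Python check of what a submission port on 587 should advertise, following the port split explained in post #6. The host names and EHLO replies are constructed, and treating AUTH offered before STARTTLS as a finding is this example's policy, an assumption not stated in the thread.

```python
import re
import smtplib
import ssl

# Constructed EHLO replies (not captured from a real server), in the form
# smtplib stores them: greeting line first, then one capability per line.
GOOD_PRE_TLS = "mail.example.test\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
GOOD_POST_TLS = "mail.example.test\nPIPELINING\nSIZE 10240000\nAUTH PLAIN LOGIN\n8BITMIME"
BAD_PRE_TLS = "250-mail.example.test\n250-AUTH=PLAIN LOGIN\n250 8BITMIME"


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from an EHLO reply, raw or code-stripped."""
    caps = {}
    for line in reply.splitlines()[1:]:          # line 0 is the greeting
        words = re.sub(r"^\d{3}[- ]", "", line).replace("=", " ").split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def audit_submission(pre_tls, post_tls):
    """List the problems found in a submission port's two EHLO replies."""
    before, after = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered: session cannot be encrypted")
    if "AUTH" in before:
        findings.append("AUTH offered before TLS: password could cross in clear")
    if "AUTH" not in after:
        findings.append("AUTH not offered after TLS: clients cannot log in")
    return findings


def probe(host, port=587):
    """Fetch both EHLO replies from a live server (needs network access).

    The default SSL context verifies the certificate chain and host name,
    so a self-signed certificate makes starttls() raise here.
    """
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        pre = conn.ehlo_resp.decode()
        conn.starttls(context=ssl.create_default_context())
        conn.ehlo()                               # capabilities change after TLS
        return pre, conn.ehlo_resp.decode()


if __name__ == "__main__":
    print(audit_submission(GOOD_PRE_TLS, GOOD_POST_TLS))
    print(audit_submission(BAD_PRE_TLS, GOOD_POST_TLS))
```

Against your own server, pass the two strings returned by `probe("your.mail.host")` to `audit_submission`; an empty list means the port advertises STARTTLS first and AUTH only afterwards.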

  7. #7
    Join Date
    Nov 2021
    Beans
    12

    Re: Advice for 1 user / mailaccount Ubuntu mailserver

    The 25 and 875 ports I understand. But how and when to use this information is another thing.
    And server to server and client to server.

    Here comes the stupid question:
    Do you mean with this that I have to swap ports with iptables?

    The online calendar was a bit fed by the thought of not making spaghetti installs.
    I hope I ever come that far that I can install calendar software on my machine. At this moment I am not really positive about the first goal, the mail server.

    And for the privacy. My activities are a bit more cryptic than my mails, but you have a point.

    Tomorrow I will go further with trying out the 1000 solutions (I can find on the internet).
    The instructions on the Ubuntu pages for the Postfix and Dovecot combi did not work for me. But of course you can say I made it not work.
    Probably I will remove all the installs and search for another instruction for Postfix.
    For Dovecot I hope to use the Dovecot instruction as a basis:
    https://doc.dovecot.org/configuratio...configuration/

    Thanks!

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Advice for 1 user / mailaccount Ubuntu mailserver

    Quote Originally Posted by player02 View Post
    The 25 and 875 ports I understand. But how and when to use this information is another thing.
    You've lost me. https://mailinabox.email/static/architecture.svg is a simple email server architecture.
    Last edited by TheFu; February 13th, 2024 at 09:31 PM.

  9. #9
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Advice for 1 user / mailaccount Ubuntu mailserver

    I use Google Calendar. Available everywhere on every device. If someone wants badly to learn that I saw my ophthalmologist last week, I really don't care.

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Advice for 1 user / mailaccount Ubuntu mailserver

    Quote Originally Posted by SeijiSensei View Post
    I use Google Calendar. Available everywhere on every device. If someone wants badly to learn that I saw my ophthalmologist last week, I really don't care.
    For many people, their appointments ARE a life and death choice and sometimes we don't know the connection that makes it so. https://en.wikipedia.org/wiki/Nothing_to_hide_argument
