Mailinabox Home Server

"Can I run my Mail-in-a-Box at home? No." More like "Should I run my Mail-in-a-Box at home? No."

The best set-up for Mail-in-a-Box is a dedicated VPS (virtual private server) with a public IPv4 address. However, outlined below is how I used Mail-in-a-Box on my home server.

TL;DR: It is possible, but because of rDNS, email will most likely be marked as spam by others the 1st time it is received.

The server is Ubuntu 18.04 running LXC (Linux Containers), a virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel. My home router has a single IP address, with, alas, rDNS (reverse DNS resolution) not controlled by myself. My ISP does not block ports.

My home server runs lots of things

I want to add a mail server, using Mail-in-a-Box, to this set-up.

Step 1 - Register Domain Name

I chose lxc-mailinabox.co.uk, which I registered with names.co.uk. This was an error (as they do not do glue records), but it did cost £0 for the 1st year.

Step 2 - Make new container and install mailinabox

From the server hosting lxc instances, make a new instance and drop into bash.


$ lxc launch ubuntu:18.04 mailinabox
$ lxc exec mailinabox  -- /bin/bash

Inside the container:-

root@mailinabox:~# curl -s https://mailinabox.email/setup.sh | sudo -E bash

Let the magic happen; it takes a while. When prompted, enter email/user.

Step 3 - Configure Using Web Browser

Ignore the "Please log in to the control panel for further instructions at: https://92.232.47.67/admin" message. Instead, find the local IP address:


root@mailinabox:~# hostname -I
192.168.1.134

Then fire up a web browser and visit https://192.168.1.134/admin, replacing 192.168.1.134 with the correct local IP address. Logging in, I get the following error:

Step 4 - Port Forwarding, DNS and Proxy Pass

So it is time to add port forwarding at my router to the local IP Address of the instance.

The same for ports 587 & 993 & 4190

DNS

As the registrar I bought the (free) domain from does not have glue records, I need to go to System -> External DNS and copy these to my registrar's DNS zone records.

Note that external DNS will take some time to update, and this can be a source of errors. Just double check the DNS entries and be patient. Once this is done, head to (replacing 192.168.1.134 with the correct local IP address):

https://192.168.1.134/mail/

This is a good time to check DKIM and SPF via https://dkimvalidator.com
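The reverse DNS problem from the TL;DR can be checked at the same point as DKIM and SPF. The script below is an added example, not part of the original post or of Mail-in-a-Box: it compares the PTR record of the public IP with the box hostname. The function names are hypothetical, the live check assumes dig is installed, and the addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example: does the public IP's PTR record name the mail box?
# Constructed sample values: box.example.com, 203.0.113.10.

# Lower-case a DNS name and strip the trailing dot that dig prints.
normalise() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# rdns_verdict HOSTNAME PUBLIC_IP PTR_NAME FORWARD_IPS
#   PTR_NAME    = PTR answer for PUBLIC_IP (empty if there is none)
#   FORWARD_IPS = whitespace-separated A records of HOSTNAME
# Prints one of: ok | forward-mismatch | no-ptr | ptr-mismatch
rdns_verdict() {
    host=$(normalise "$1"); ip=$2; ptr=$(normalise "$3"); fwd=$4
    found=no
    for a in $fwd; do
        if [ "$a" = "$ip" ]; then found=yes; fi
    done
    # Forward DNS must point at the public IP before rDNS matters.
    if [ "$found" = no ]; then echo forward-mismatch; return; fi
    # No PTR at all.
    if [ -z "$ptr" ]; then echo no-ptr; return; fi
    # PTR exists but names another host (typically an ISP-assigned name).
    if [ "$ptr" != "$host" ]; then echo ptr-mismatch; return; fi
    echo ok
}

# Live check: needs dig and network access.
rdns_check_live() {
    ptr=$(dig +short -x "$2" | head -n 1)
    fwd=$(dig +short A "$1")
    rdns_verdict "$1" "$2" "$ptr" "$fwd"
}

# Run live only when called as: sh rdns_check.sh HOSTNAME PUBLIC_IP
if [ "$#" -eq 2 ]; then
    rdns_check_live "$1" "$2"
fi
```

On a connection where the ISP controls the PTR record, as described above, the expected verdict is ptr-mismatch.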

Proxy_pass

Exit the mailinabox container and set up nginx:


root@mailinabox:~# exit
$ lxc exec nginx  -- /bin/bash

NB: Replace box.lxc-mailinabox.co.uk with your box and domain name, e.g. box.example.com


$ sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/box.lxc-mailinabox.co.uk
$ sudo nano /etc/nginx/sites-available/box.lxc-mailinabox.co.uk

Use the following contents, replacing the server names with your domain name and box.domainname, and replacing 192.168.1.134 with the correct local IP address. Using IP addresses is ugly, but otherwise you get a redirect loop:

server {
        listen 80;
        listen [::]:80;

        server_name lxc-mailinabox.co.uk box.lxc-mailinabox.co.uk;

        root /var/www/html;
        index index.html;

        location / {
                proxy_pass https://192.168.1.134/;
                proxy_ssl_server_name on;
        }
}

$ sudo ln -s /etc/nginx/sites-available/box.lxc-mailinabox.co.uk /etc/nginx/sites-enabled/
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
$ sudo systemctl restart nginx

Assuming certbot is already installed:


$ sudo certbot --nginx -d lxc-mailinabox.co.uk -d box.lxc-mailinabox.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for box.lxc-mailinabox.co.uk
http-01 challenge for lxc-mailinabox.co.uk
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/box.lxc-mailinabox.co.uk
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/box.lxc-mailinabox.co.uk

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/box.lxc-mailinabox.co.uk
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/box.lxc-mailinabox.co.uk

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://lxc-mailinabox.co.uk and
https://box.lxc-mailinabox.co.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=lxc-mailinabox.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=box.lxc-mailinabox.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/lxc-mailinabox.co.uk/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/lxc-mailinabox.co.uk/privkey.pem
   Your cert will expire on 2020-05-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Set the hostname in the home router to point to the nginx IP address.

All nicely set-up

Step 5 - Stop Mail-in-a-Box asking for Certificates

Certificate management is handled by the nginx proxy, so exit out of nginx and enter mailinabox:


$ exit
exit
$ lxc exec mailinabox  -- /bin/bash 
root@box:~# nano /root/mailinabox/management/daily_tasks.sh

Comment out the line "management/ssl_certificates.py -q"

Step 6 - Optional but Advised

As Virgin (my ISP) gives me a static IP address, ask nicely for the IP block to be removed via https://www.spamhaus.org/pbl/removal/. I used one of my fresh new email addresses. Note that spamhaus_pbl_verify@spamhaus.org will be greylisted, so it will take ~10 minutes (well, 5m 46s in my case) for the verification code email to arrive.

Enjoy

Thanks to the Mail-in-a-Box team.