An AWS-Hosted Email Server

Building a Mail Server

Why?

I like the idea of taking back control of my email, as cheaply as possible. After all, if you’re not paying, you are the product. Plus the data security rules in the USA (where most public email services end up) are rather lax, so I wanted something hosted in Europe.

Which Mail Server?

I opted for iRedMail as it seemed to be touted as one of the best for functionality out of the box. Specifically I cared about:

  • SpamAssassin
  • ClamAV
  • ActiveSync (Push notifications)
  • Some kind of admin console
  • Control over resources.

The last point is what made me pick iRedMail over mailcow. You can’t easily control what mailcow does inside its Docker, but you can on a good ol’ Linux box.

Where?

Initially I wanted it all on an AWS EC2. However, it turns out AWS blocks port 25 (SMTP) outbound by default, so I ended up bolting SES onto it.

I also mounted EFS to store my mailbox more securely (cross-AZ resilience) compared to EBS.

Additional things…

  • Encrypt drives
  • Static Elastic IP
  • Security group to allow SMTP/IMAP/HTTPS/HTTP and the EFS endpoint. HTTP is required to allow LetsEncrypt to issue/renew.
  • Generate an AMI once I had everything working.

What was involved?

EC2

A t3a.micro EC2 with an encrypted Root drive. I went with 30GB.

Assign it a static Elastic IP.

IAM

Save time and assign a role to your EC2 with the permissions below. The first two give SSM the ability to manage the EC2s; the third is for access to EFS.

  • Managed policy: AmazonSSMManagedInstanceCore

  • Managed policy: AmazonElasticFileSystemsUtils

  • Inline policy for elasticfilesystem:ClientMount, ClientWrite, ClientRootAccess.
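The inline policy above is easy to over-grant by putting "*" in the Resource field. The script below is an added example, not from the original post: it builds the policy for the three listed actions scoped to a single EFS file system, refuses to attach anything unscoped, and only calls the AWS CLI when APPLY=1. The file-system ARN, role name and policy name are placeholders.

```shell
#!/bin/sh
# Added example: least-privilege inline policy for the EC2 instance role so the
# box can mount exactly one EFS file system. FS ARN, role and policy names are
# placeholders, not values from the original post.

# Emit the policy document scoped to one file-system ARN. The three actions are
# the ones the post lists: ClientMount, ClientWrite, ClientRootAccess.
efs_policy_json() {
    fs_arn="$1"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MountOnlyTheMailEfs",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientRootAccess"
      ],
      "Resource": "$fs_arn"
    }
  ]
}
EOF
}

# Returns 0 only when the document names a real file-system ARN and is not a
# wildcard grant over every EFS file system in the account.
policy_is_scoped() {
    doc="$1"
    if printf '%s' "$doc" | grep -q '"Resource": "\*"'; then
        return 1
    fi
    printf '%s' "$doc" | grep -q '"Resource": "arn:aws:elasticfilesystem:[a-z0-9-]*:[0-9]*:file-system/fs-'
}

# Number of elasticfilesystem actions granted, so a reviewer can confirm that
# nothing beyond the three expected ones slipped in.
policy_action_count() {
    printf '%s' "$1" | grep -c '"elasticfilesystem:'
}

# Attach the policy to the instance role. Dry run unless APPLY=1; the aws CLI
# and credentials are assumed to be present when it does apply.
attach_efs_policy() {
    role="$1"; policy_name="$2"; fs_arn="$3"
    doc="$(efs_policy_json "$fs_arn")"
    policy_is_scoped "$doc" || { echo "refusing to attach an unscoped policy" >&2; return 1; }
    if [ "${APPLY:-0}" = "1" ]; then
        aws iam put-role-policy --role-name "$role" \
            --policy-name "$policy_name" --policy-document "$doc"
    else
        echo "dry run: would attach $policy_name to role $role"
        printf '%s\n' "$doc"
    fi
}
```

Run it once without APPLY to read the generated document, then with APPLY=1 from a shell that has IAM rights on the role; the scoping check runs in both modes.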

Systems Manager

With a little time, you can configure SSH access to be via SSM, so you don’t have to expose Port 22 to the world. You can also configure managed patching to use Amazon’s baseline security patches on a schedule.

SSM Guide

Pagefile

First the EC2 needs a chunky page file to get away with using the smaller instances, which is fine for a lightweight mail server. Set the count to 64 in the guide below to get a swap of 8GB.

Guide to add a swap
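As an added example (not the linked guide's own steps), the script below creates the swap file the way the post describes and keeps it root-only, since paged-out memory can contain mailbox contents and private keys. It assumes dd is run with a 128M block size so that a count of 64 gives 8GB; the file path is a placeholder, and the actual creation only happens with APPLY=1 as root.

```shell
#!/bin/sh
# Added example: swap file creation with the size check and the 0600 permission
# that mkswap expects. Block size 128 MiB and path /swapfile are assumptions.

# Swap size in MiB from dd's block size and count.
swap_size_mib() {
    bs_mib="$1"; count="$2"
    echo $((bs_mib * count))
}

# The /etc/fstab line that makes the swap persistent across reboots.
swap_fstab_line() {
    echo "$1 none swap sw 0 0"
}

# Returns 0 when the file mode is exactly 0600; anything looser lets other
# local users read paged-out memory. stat -c is GNU coreutils.
swap_perms_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Create and enable the swap file. Needs root; dry run unless APPLY=1.
create_swap() {
    swapfile="${1:-/swapfile}"; bs_mib="${2:-128}"; count="${3:-64}"
    echo "swap: ${swapfile}, $(swap_size_mib "$bs_mib" "$count") MiB"
    [ "${APPLY:-0}" = "1" ] || { echo "dry run, set APPLY=1 to create"; return 0; }
    dd if=/dev/zero of="$swapfile" bs="${bs_mib}M" count="$count" status=progress
    chmod 600 "$swapfile"
    swap_perms_ok "$swapfile" || return 1
    mkswap "$swapfile"
    swapon "$swapfile"
    # add the fstab entry once
    grep -q "^$swapfile " /etc/fstab || swap_fstab_line "$swapfile" >> /etc/fstab
}
```

After enabling, free -m should show the 8GB of swap; the permission check is what turns a leaky but working swap file into a failed run instead of a silent warning.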

EFS

With EFS you get unlimited, replicated storage that can be shared across multiple EC2s. It is relatively cheap too, as low as €0.02/GB/month depending on the configuration you choose. I use Standard-IA at €0.04/GB/month. Not bad for my 3GB mailbox!

Break

Take a snapshot here. It saves a lot of time if something goes wrong later.

iRedMail

iRedMail have their own very detailed step-by-step guide.

I installed everything except Roundcube. Remember to store the mail in the EFS mount (/efs).

LetsEncrypt with 4096bit Cert

--rsa-key-size 4096

As security was a driver, as was the desire to use official AMIs, Ubuntu was the choice: it has out-of-the-box support for TLSv1.3. CentOS 7 lacks the necessary version of OpenSSL, and compiling it manually comes with risks, specifically no official support and thus no security patches.

DNS

Great, a mail server! However, it still needs DNS entries:

  • MX : 10 mail.stx.ie
  • A : mail.stx.ie : ELASTIC IP
  • DKIM : Configured by SES
  • SPF (to comply with DMARC): v=spf1 include:amazonses.com ~all to allow emails to be sent from SES with softfail
  • DMARC : v=DMARC1; p=quarantine; rua=mailto:[email protected] : quarantine if DMARC fails and send alerts to the address.
  • Configure SES MAILFROM
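An SPF or DMARC record that is published but subtly wrong (a "+all", a p=none, a missing rua) silently undoes the protection. The checker below is an added example, not part of the post: it validates the SPF and DMARC values listed above and can pull them from the live zone with dig. The domain, the report address and the dig lookups are assumptions; dig comes from dnsutils on Ubuntu.

```shell
#!/bin/sh
# Added example: validate the SPF and DMARC records the post publishes. Record
# strings passed in are the post's values; example.com and the report mailbox
# are constructed placeholders.

# SPF must be a v=spf1 record, name the SES include, and end in a softfail (~all)
# or fail (-all) qualifier. "+all" or no "all" term lets anyone spoof the domain.
check_spf() {
    spf="$1"
    case "$spf" in
        "v=spf1 "*) ;;
        *) echo "not an SPF record: $spf" >&2; return 1 ;;
    esac
    printf '%s' "$spf" | grep -q 'include:amazonses\.com' \
        || { echo "SES include missing" >&2; return 1; }
    case "$spf" in
        *" ~all"|*" -all") return 0 ;;
        *) echo "SPF must end in ~all or -all" >&2; return 1 ;;
    esac
}

# DMARC must request quarantine or reject and carry an aggregate report address,
# otherwise failures are neither acted on nor visible to you.
check_dmarc() {
    d="$1"
    case "$d" in
        "v=DMARC1;"*) ;;
        *) echo "not a DMARC record: $d" >&2; return 1 ;;
    esac
    printf '%s' "$d" | grep -Eq 'p=(quarantine|reject)' \
        || { echo "policy is p=none or missing" >&2; return 1; }
    printf '%s' "$d" | grep -q 'rua=mailto:' \
        || { echo "no rua address, you will get no reports" >&2; return 1; }
}

# Fetch the TXT record at $1 that starts with $2, stripping dig's quotes.
txt_record() {
    dig +short TXT "$1" | tr -d '"' | grep "^$2" | head -n 1
}

# Run both checks against the live zone for a domain.
audit_domain() {
    domain="$1"
    check_spf "$(txt_record "$domain" 'v=spf1')" \
        && check_dmarc "$(txt_record "_dmarc.$domain" 'v=DMARC1')"
}
```

Calling audit_domain stx.ie after the records propagate gives a pass/fail exit code that can be dropped into a cron job, so a later DNS edit that weakens either record is noticed.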

SES

  • Configure Postfix to use SES using this guide
  • "smtp_use_tls = yes" needs to be set to "may", to allow Postfix to integrate correctly with SpamAssassin locally.
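The Postfix settings for the SES relay, as an added example rather than the AWS guide's or iRedMail's own script: the parameters are emitted as postconf commands so they can be reviewed before being applied, and the SASL credential file is created root-only before the secret is written into it. The SES endpoint, region, credentials and CA bundle path (Ubuntu's) are placeholders. The TLS level follows the post's note and uses "may"; the AWS guide itself sets "encrypt", which is the stricter choice when every outbound delivery goes to SES.

```shell
#!/bin/sh
# Added example: Postfix-to-SES relay settings. SES_HOST, SASL_MAP, the CA path
# and the credentials are placeholders, not values from the original post.

SES_HOST="email-smtp.eu-west-1.amazonaws.com"   # placeholder SES SMTP endpoint
SASL_MAP="/etc/postfix/sasl_passwd"

# The main.cf parameters, one "name = value" per line.
ses_relay_settings() {
    cat <<EOF
relayhost = [$SES_HOST]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:$SASL_MAP
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
}

# Turn the settings into postconf -e invocations for review or execution.
ses_postconf_commands() {
    ses_relay_settings | while IFS= read -r line; do
        printf "postconf -e '%s'\n" "$line"
    done
}

# Write the SASL credential map. SES SMTP credentials are long-lived secrets,
# so the file is created with a restrictive umask and verified to be 0600.
write_sasl_map() {
    map="$1"; user="$2"; pass="$3"
    ( umask 077; printf '[%s]:587 %s:%s\n' "$SES_HOST" "$user" "$pass" > "$map" )
    chmod 600 "$map"
    [ "$(stat -c '%a' "$map")" = "600" ]
}

# Apply the settings; dry run (print only) unless APPLY=1 and running as root.
apply_ses_relay() {
    if [ "${APPLY:-0}" != "1" ]; then
        ses_postconf_commands
        echo "postmap $SASL_MAP && systemctl reload postfix"
        return 0
    fi
    ses_postconf_commands | sh
    postmap "$SASL_MAP" && systemctl reload postfix
}
```

After applying, a test message sent through the box should appear in the SES sending statistics and the Postfix log line for it should show the SES relay host rather than a direct delivery attempt on port 25.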

Spam and AntiVirus

These are still on the To Do list, and I suspect they could overload the limited t3a.micro resources.

  • ClamAV definitions: stumbled across this and this.

  • Spam: SpamAssassin has to be trained. Luckily I have an old Gmail account that gets bombarded. So I’ll configure fetchmail using steps similar to here to retrieve my junk every hour and use it to train SpamAssassin.

  • Email spam test : this site

  • Also these steps

Conclusion

Building a reliable and resilient mail server on the cheap isn’t for the faint-hearted. However, it can be done with a t3a.micro (~5€/month) and some creative thinking, to give you a service comparable to some of the paid options, with a lot more flexibility - unlimited addresses, near total control of data, unlimited storage, and proper ActiveSync for mobile devices.