ISPMail on RHEL (Part One)

Overture

It’s been about ten years since I started following the fantastic guide by Christoph Haas, available at https://workaround.org/, to set up my email server. Christoph based his guide on Debian, Postfix, Dovecot, MySQL, Apache, and RoundCube. Everything worked fine for me, and I consider Christoph’s work impressive. I would like to thank him for sharing his knowledge.

Over time my mind changed, basically for these personal reasons:

  1. Several VPS micro instances are available at a very affordable price; you can find them at Gandi or even Infomaniak. I successfully tested these two providers and they worked fine for me; people who are more agnostic about location may prefer Gandi, while a more Swiss-focused person like me can consider Infomaniak; it’s just a matter of choice, and although I recommend neither of the two, I consider both good providers. However, resources may be limited, and a resource-hungry product like MySQL can be challenging in terms of memory usage; in addition, for a personal/family-and-friends low-traffic email server, SQLite can best fit the needs: file based and less resource demanding. So I moved away from Christoph’s setup, replacing MySQL with SQLite;
  2. I used and still use Debian on many VPS I handle; however, I feel RHEL distros are more “security & enterprise focused”, maybe because of SELinux provided out of the box, maybe because of a more appealing package management system (yum/dnf instead of aptitude). Considering that in some organizations a RHEL distro can be the only available choice, I migrated from Debian to RHEL. Again: nothing to say against Debian; just a personal choice! Linux means freedom, so here we are.

These two points convinced me to work on a parallel guide, broadly inspired by Christoph’s work but adapted to SQLite & RHEL; my guide diverges on several points and is shorter, with less theory. For any extra understanding you need, please point your browser to ISPMail at workaround.org or consult the official documentation of the product.

Some disclaimers

First and most importantly: I don’t personally know Christoph, and my guide is merely inspired by his work; I wish to thank him for sharing his knowledge, but he cannot be held responsible for any issue in my guide, and vice versa.

Second – You know the rules of the game: with great power comes great responsibility. Data loss? Security breach? Sorry, I did my best with my knowledge to keep everything safe, but I cannot be responsible for any data loss or security issue; it’s your choice to follow my guide. Don’t take everything literally: first read, then think, and finally type.

Third – Improvements? For sure, a lot! Please write to me and I’ll do my best to follow constructive suggestions.

Now, sit comfortably, fasten your seat belts, grab some beverages and food, and enjoy the trip.

Versions

This guide was written at the beginning of 2025 and is based on the following products / versions:

The setup is now hosted on a VPS Lite instance at Infomaniak, with 2 vCPU, 4 GB RAM and a 60 GB hard disk, and of course a single static IPv4 and a single static IPv6 address. On this instance I have other services running, so I cannot estimate the requirements of a clean setup.

Installing AlmaLinux

People who take on the adventure of setting up an email server on a Linux box should not need to be taught how to set up a Linux box, where to find the installation CD/DVD or how to choose the right installation media. If you’re not comfortable with these basic steps, this guide is not for you; get an address at Gmail or whatever.

That said, all the mentioned providers provide a ready instance with a basic AlmaLinux installed and running, with the command prompt and blinking cursor ready to receive commands.

The OS installation has to be performed only if you’re going to set up a VM on your own host server; again: if you own a server with some virtualized machines, you should know how to set up AlmaLinux. In my case I did a basic installation of AlmaLinux with no graphical interface and no extra packages.

Early steps I performed

  1. SELinux – RHEL distros have SELinux installed and running in enforcing mode; to keep things simple I put SELinux in permissive mode, so every denial is only logged, not enforced; later in this guide you’ll find all the SELinux modules I set up and you can switch SELinux back to enforcing. How to do that? First check the current state with sestatus:
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

Check the Current mode and Mode from config file lines; their meaning is obvious.

To switch SELinux to permissive mode, you have two ways:

  • Temporary disable: Type setenforce 0 – This is a temporary modification and a subsequent reboot reverts SELinux to enforcing mode. If you type the sestatus command you’ll get the following (please check the lines mentioned above):
# setenforce 0
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
  • Permanent disable: Edit your SELinux configuration file at /etc/selinux/config and change SELINUX=enforcing to SELINUX=permissive; remember to switch back to enforcing when you’re done. For the SELinux configuration to be applied you have to reboot your box.
  2. firewalld – RHEL distros also have firewalld; however, on Infomaniak I found no firewalld installed BUT they provide their own firewall feature, which you have to customize with their management console! If you choose another provider, be careful about other firewalls between the net and your box. Read bullet 3 below for other warnings about firewalld. If you need to check whether firewalld is running, type firewall-cmd --state on your server to get a clear status (it answers running in my case); throughout my guide I suggest some firewalld commands to be issued to open the related ports; I say suggest because the firewall is managed by zones; if your NIC is configured in a zone, you have to act on that zone! Again: think before you type;

NOTE: To prevent abuse, some providers like Infomaniak close port 25 and you have to contact them to have the port opened in both directions; be sure your provider doesn’t do the same.

  3. fail2ban – I find fail2ban very useful to keep crooks away from my box; consider, however, that fail2ban installs firewalld; in such a case you may have two firewalls running together: the one from your provider and the second on your box…
  4. Enable EPEL repository – I enable this repo on all my RHEL boxes by default; if you need extra useful packages like htop you’ll find them there; how to do that? Have a look at https://wiki.almalinux.org/repos/Extras.html or simply:
# dnf install epel-release

NOTE: As mentioned on the webpage above: “Most EPEL packages require packages from PowerTools/CRB repository as dependencies.” If an installation fails, keep that point in mind and save yourself from headaches. Go to that page and get all the info you need.
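For the SELinux step above, an added example (not part of the original guide) of what to do with the denials that permissive mode only logs: a POSIX shell script that checks the two sestatus lines the guide points at and summarises AVC records by source type, class, target type and permission. The sestatus excerpt, audit records, contexts and PIDs are all constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the original guide). While SELinux runs in
# permissive mode, every denial is only logged as an AVC record in
# /var/log/audit/audit.log; these helpers check the mode and summarise the
# denials so you know which policy modules to write before re-enabling
# enforcing mode. All sample data below is constructed, not real logs.

# Constructed sestatus excerpt: running permissive, configured enforcing.
SAMPLE_STATUS='SELinux status: enabled
Current mode: permissive
Mode from config file: enforcing'

# Constructed audit.log excerpt: three dovecot denials on one SQLite file,
# one smtpd denial connecting to a TCP port (constructed), and a SYSCALL
# line that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1735700000.101:201): avc:  denied  { read } for  pid=1201 comm="dovecot" name="users.sqlite" dev="vda1" ino=4711 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1735700000.102:202): avc:  denied  { read } for  pid=1202 comm="dovecot" name="users.sqlite" dev="vda1" ino=4711 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1735700000.103:203): avc:  denied  { write } for  pid=1201 comm="dovecot" name="users.sqlite" dev="vda1" ino=4711 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1735700000.205:204): avc:  denied  { name_connect } for  pid=1340 comm="smtpd" dest=8891 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1735700000.205:204): arch=c000003e syscall=42 success=yes exit=0'

# selinux_mode_check: reads sestatus output on stdin and compares the running
# mode with the mode from /etc/selinux/config (the two lines the guide points at).
selinux_mode_check() {
  status=$(cat)
  cur=$(printf '%s\n' "$status" | sed -n 's/^Current mode:[[:space:]]*//p')
  cfg=$(printf '%s\n' "$status" | sed -n 's/^Mode from config file:[[:space:]]*//p')
  if [ "$cur" = "$cfg" ]; then
    echo "consistent: $cur"
  else
    echo "mismatch: running $cur, config $cfg (a reboot switches to $cfg)"
  fi
}

# summarize_avc: reads raw audit records on stdin, keeps only AVC denials that
# happened while permissive, and prints one line per distinct
# "source-type class target-type permission" tuple, most frequent first.
summarize_avc() {
  grep '^type=AVC' | grep 'permissive=1' \
    | sed -n 's/.*avc:  denied  { \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \4 \3 \1/p' \
    | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

printf '%s\n' "$SAMPLE_STATUS" | selinux_mode_check
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a real box, pipe the output of ausearch -m AVC -ts boot into summarize_avc; the same raw records are what audit2allow -M takes to build the modules you load before switching back to enforcing.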

Packages I installed

  • SQLite: A lightweight and honestly fast database, useful for small-sized installations; Christoph suggests MySQL, but it is resource-hungry: for small VPS instances SQLite can be the only option; use SQLite also if you have a big VPS and don’t have any other service running with MySQL (like WordPress): why waste resources for something you don’t use?
# dnf install -y sqlite
# dnf info sqlite
Installed Packages
Name : sqlite
Version : 3.34.1
Release : 7.el9_3
Architecture : x86_64
Size : 1.5 M
Source : sqlite-3.34.1-7.el9_3.src.rpm
Repository : @System
From repo : appstream
Summary : Library that implements an embeddable SQL database engine
URL : http://www.sqlite.org/
License : Public Domain
Description : SQLite is a C library that implements an SQL database engine. A large
: subset of SQL92 is supported. A complete database is stored in a
: single disk file. The API is designed for convenience and ease of use.
: Applications that link against SQLite can enjoy the power and
: flexibility of an SQL database without the administrative hassles of
: supporting a separate database server. Version 2 and version 3 binaries
: are named to permit each to be installed on a single host
  • Postfix: This is the SMTP mail server; it relays outgoing emails and receives email from the net. It processes emails before sending and also keeps track of quotas; yes, you really, really need it, so to install it (the first package is the server itself, the second is the SQLite driver):
# dnf install -y postfix postfix-sqlite
# dnf info postfix postfix-sqlite
Installed Packages
Name : postfix
Epoch : 2
Version : 3.5.25
Release : 1.el9
Architecture : x86_64
Size : 4.4 M
Source : postfix-3.5.25-1.el9.src.rpm
Repository : @System
From repo : appstream
Summary : Postfix Mail Transport Agent
URL : http://www.postfix.org
License : (IBM and GPLv2+) or (EPL-2.0 and GPLv2+)
Description : Postfix is a Mail Transport Agent (MTA).

Name : postfix-sqlite
Epoch : 2
Version : 3.5.25
Release : 1.el9
Architecture : x86_64
Size : 21 k
Source : postfix-3.5.25-1.el9.src.rpm
Repository : @System
From repo : appstream
Summary : Postfix SQLite map support
URL : http://www.postfix.org
License : (IBM and GPLv2+) or (EPL-2.0 and GPLv2+)
Description : This provides support for SQLite maps in Postfix. If you plan to use SQLite
: maps with Postfix, you need this.
  • Dovecot: This is the IMAP and POP3 email server; it answers when your email client wants to retrieve emails! It also applies the sieve rules; the packaging is quite different from the Debian distro, so with the dovecot package you also get the database drivers, and for the sieve features the package is called dovecot-pigeonhole!
# dnf install -y dovecot dovecot-pigeonhole
# dnf info dovecot dovecot-pigeonhole
Installed Packages
Name : dovecot
Epoch : 1
Version : 2.3.16
Release : 14.el9
Architecture : x86_64
Size : 18 M
Source : dovecot-2.3.16-14.el9.src.rpm
Repository : @System
From repo : appstream
Summary : Secure imap and pop3 server
URL : https://www.dovecot.org/
License : MIT and LGPLv2
Description : Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
: primarily in mind. It also contains a small POP3 server. It supports mail
: in either of maildir or mbox formats.
:
: The SQL drivers and authentication plug-ins are in their subpackages.

Name : dovecot-pigeonhole
Epoch : 1
Version : 2.3.16
Release : 14.el9
Architecture : x86_64
Size : 374 k
Source : dovecot-2.3.16-14.el9.src.rpm
Repository : appstream
Summary : Sieve and managesieve plug-in for dovecot
URL : https://www.dovecot.org/
License : MIT and LGPLv2
Description : This package provides sieve and managesieve plug-in for dovecot LDA.

  • certbot: The Let’s Encrypt client used to obtain our certificates:
# dnf install -y certbot
# dnf info certbot
Installed Packages
Name : certbot
Version : 2.11.0
Release : 1.el9
Architecture : noarch
Size : 136 k
Source : certbot-2.11.0-1.el9.src.rpm
Repository : @System
From repo : epel
Summary : A free, automated certificate authority client
URL : https://github.com/certbot/certbot
License : Apache-2.0
Description : certbot is a free, automated certificate authority that aims
: to lower the barriers to entry for encrypting all HTTP traffic on the internet.

NOTES:

  • This package came from the epel repository;
  • I know there are other clients to get Let’s Encrypt certificates that can modify DNS records in case you need a wildcard certificate (we will use wildcard certificates!); I haven’t tested them yet and don’t know more about them; if you want to enter the wild: https://github.com/acmesh-official/acme.sh/
  • OpenDKIM: Used to sign and verify email flowing through your mail server; if you want to earn reputation it’s strongly suggested to install and set up the OpenDKIM milter (“milter” => Mail fILTER!).
# dnf install -y opendkim
# dnf info opendkim
Installed Packages
Name : opendkim
Version : 2.11.0
Release : 0.36.el9
Architecture : x86_64
Size : 552 k
Source : opendkim-2.11.0-0.36.el9.src.rpm
Repository : @System
From repo : epel
Summary : A DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail
URL : http://opendkim.org/
License : BSD-3-Clause AND Sendmail
Description : OpenDKIM allows signing and/or verification of email through an open source
: library that implements the DKIM service, plus a milter-based filter
: application that can plug in to any milter-aware MTA, including sendmail,
: Postfix, or any other MTA that supports the milter protocol.

NOTE: This package came from the epel repository.

  • Apache httpd: The web server! You need it if you plan to install roundcube but also to set up MTA-STS, which is strongly suggested if you want a good reputation, so:
# dnf install -y httpd
# dnf info httpd
Installed Packages
Name : httpd
Version : 2.4.62
Release : 1.el9_5.2
Architecture : x86_64
Size : 59 k
Source : httpd-2.4.62-1.el9_5.2.src.rpm
Repository : @System
From repo : appstream
Summary : Apache HTTP Server
URL : https://httpd.apache.org/
License : ASL 2.0
Description : The Apache HTTP Server is a powerful, efficient, and extensible
: web server.

NOTE: Other web servers can be used to set up MTA-STS; however I haven’t tested them and cannot provide information about them.

  • Webmail suite: What I call the webmail suite consists of the packages needed to provide a full webmail service, such as PHP and roundcube; these can be installed with:
# dnf install -y php roundcubemail
# dnf info php roundcubemail
Installed Packages
Name : php
Version : 8.0.30
Release : 1.el9_2
Architecture : x86_64
Size : 0.0
Source : php-8.0.30-1.el9_2.src.rpm
Repository : @System
From repo : appstream
Summary : PHP scripting language for creating dynamic web sites
URL : http://www.php.net/
License : PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
Description : PHP is an HTML-embedded scripting language. PHP attempts to make it
: easy for developers to write dynamically generated web pages. PHP also
: offers built-in database integration for several commercial and
: non-commercial database management systems, so writing a
: database-enabled webpage with PHP is fairly simple. The most common
: use of PHP coding is probably as a replacement for CGI scripts.

Name : roundcubemail
Version : 1.5.9
Release : 1.el9
Architecture : noarch
Size : 30 M
Source : roundcubemail-1.5.9-1.el9.src.rpm
Repository : @System
From repo : epel
Summary : Round Cube Webmail is a browser-based multilingual IMAP client
URL : http://www.roundcube.net
License : GPLv3+ with exceptions and GPLv3+ and GPLv2 and LGPLv2+ and CC-BY-SA and MIT and BSD and PHP
Description : RoundCube Webmail is a browser-based multilingual IMAP client
: with an application-like user interface. It provides full
: functionality you expect from an e-mail client, including MIME
: support, address book, folder manipulation, message searching
: and spell checking. RoundCube Webmail is written in PHP and
: requires a database: MySQL, PostgreSQL and SQLite are known to
: work. The user interface is fully skinnable using XHTML and
: CSS 2.

NOTES:

  • roundcube came from the epel repository;
  • Last time I installed roundcube on Debian, the openpgp.js file needed to run the enigma extension (the extension in roundcube that allows you to manage PGP keys and to encrypt/decrypt mails) had to be downloaded separately, I think due to a licensing issue; in RHEL distros you don’t have this issue: the roundcube package is complete.

Wrapup

This is the first part of my adventure installing an email server on a RHEL box; stay tuned for the following parts.
