Running Your Own Email Server: A Stubborn Person's Guide
Want to truly own your @yourdomain.com email? This is how I built mine. A ground-up guide to setting up a complete, hardened mail server on Debian. It covers the stack, the critical DNS config, and the tweaks needed to make sure your emails land in the inbox.
Setting Up a Mail Server
You want to run your own email server and don't want to rely on some faceless corporation for your @yourownemail.com emails.
Then welcome to the "no-bullshit" guide, I guess. I'll walk you through the steps as fast as possible. It's not hard, but it's boring, at least for me now. That is why I use a script to set my email server up, but you probably came here to escape the automated options and want to do it by yourself. So we will do it as manually as possible, so then you can get bored as well and eventually do your own script too.
Time we will spend on this: The technical part will take about an hour or so. The real wait is for your VPS provider to open the email ports (port 25, mainly), which can take a day (for my VPS at least). So let's get started.
Before We Start
You'll need:
- A VPS (I use Debian 12)
- A domain name pointed to your VPS IP
- Port 25 unblocked (request this from your VPS provider)
- About an hour of focused time
We're using Postfix, Dovecot, and OpenDKIM. This is the standard stack that actually works.
1. Install the Packages
sudo apt update
sudo apt install postfix dovecot-imapd dovecot-lmtpd opendkim opendkim-tools
When Postfix asks for configuration:
- Select "Internet Site"
- Enter your domain name (like yourdomain.com)
This gives us a basic starting point. We'll configure everything properly in the next steps.
2. DNS Setup
A Records:
mail.yourdomain.com A 192.0.2.5
yourdomain.com A 192.0.2.5
MX Record:
yourdomain.com MX 10 mail.yourdomain.com.
Reverse DNS:
Go to your VPS provider's control panel and set reverse DNS for your IP to mail.yourdomain.com.
This is non-negotiable. Without proper reverse DNS, major email providers will reject your messages.
3. Postfix Configuration
Edit /etc/postfix/main.cf:
# Basic settings
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
# Network settings
inet_interfaces = all
inet_protocols = ipv4
# Mail delivery
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
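# An empty value turns off unknown-recipient checks; drop this line to keep
# Postfix's default lookup of local accounts and aliases
local_recipient_maps =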
relay_domains = $mydestination
home_mailbox = Maildir/
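# Security
# The snakeoil files are Debian's self-signed placeholder certificate; point
# these two settings at a CA-issued certificate for mail.yourdomain.com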
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
Edit /etc/postfix/master.cf and uncomment the submission service (the -o lines must stay indented so Postfix reads them as continuations):
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Restart Postfix:
sudo systemctl restart postfix
4. Dovecot Configuration
Edit /etc/dovecot/dovecot.conf:
protocols = imap lmtp
mail_location = maildir:~/Maildir
Edit /etc/dovecot/conf.d/10-auth.conf:
disable_plaintext_auth = yes
auth_mechanisms = plain login
Edit /etc/dovecot/conf.d/10-master.conf and configure the auth service:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Restart Dovecot:
sudo systemctl restart dovecot
5. OpenDKIM Configuration
Generate a domain key:
# opendkim-genkey does not create the output directory, so make it first
sudo mkdir -p /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -b 2048 -d yourdomain.com -D /etc/opendkim/keys/yourdomain.com -s default -v
Set proper permissions:
sudo chown opendkim:opendkim /etc/opendkim/keys/yourdomain.com/default.private
Edit /etc/opendkim.conf:
Domain yourdomain.com
KeyFile /etc/opendkim/keys/yourdomain.com/default.private
Selector default
Socket inet:12301@localhost
Edit /etc/default/opendkim:
SOCKET="inet:12301@localhost"
Add to the Postfix configuration in /etc/postfix/main.cf:
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
Restart both services:
sudo systemctl restart opendkim
sudo systemctl restart postfix
6. DNS Authentication Records
Get your DKIM key:
sudo cat /etc/opendkim/keys/yourdomain.com/default.txt
Add to your DNS:
SPF:
yourdomain.com TXT "v=spf1 mx -all"
DKIM:
default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE"
DMARC:
_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
7. Testing
Create a user account:
sudo adduser username
Test with your mail client:
- IMAP server: mail.yourdomain.com (port 993, SSL)
- SMTP server: mail.yourdomain.com (port 587, STARTTLS)
- Username: username (not full email)
- Password: the user's password
Send a test email to mail-tester.com to verify your configuration.
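Before sending the test message, confirm that the DKIM record from step 6 reached DNS intact: default.txt splits the key across several quoted strings, and a paste that keeps only the first one publishes a key that never verifies. The shell functions below are an added example, not part of the original guide; the function names and the CONSTRUCTEDKEYPART sample records are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. All sample records are
# constructed; CONSTRUCTEDKEYPART1/2 stand in for the base64 public key.

# Join the double-quoted chunks of a TXT record (zone-file or dig layout) read
# from stdin. A single TXT string is capped at 255 bytes, so long keys arrive
# in pieces. Backslashes are dropped because some dig versions print "\;".
txt_join() {
    grep -o '"[^"]*"' | tr -d '"\n\\'
}

# Print the value of tag $1 from a joined "tag=value; tag=value" record.
txt_tag() {
    tr ';' '\n' | sed -n "s/^[[:space:]]*$1[[:space:]]*=//p" | tr -d ' \t\n'
}

# Exit 0 only if generated record $1 and DNS answer $2 carry the same key.
dkim_key_matches() {
    generated_key=$(printf '%s\n' "$1" | txt_join | txt_tag p)
    published_key=$(printf '%s\n' "$2" | txt_join | txt_tag p)
    [ -n "$generated_key" ] && [ "$generated_key" = "$published_key" ]
}

# Constructed sample laid out like the default.txt written by opendkim-genkey.
sample_default_txt() {
    cat <<'EOF'
default._domainkey  IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; "
      "p=CONSTRUCTEDKEYPART1"
      "CONSTRUCTEDKEYPART2" )  ; ----- DKIM key default for yourdomain.com
EOF
}

# Constructed DNS answers: a complete paste, and one that kept only chunk one.
good='"v=DKIM1; h=sha256; k=rsa; p=CONSTRUCTEDKEYPART1" "CONSTRUCTEDKEYPART2"'
truncated='"v=DKIM1; h=sha256; k=rsa; p=CONSTRUCTEDKEYPART1"'

for answer in "$good" "$truncated"; do
    if dkim_key_matches "$(sample_default_txt)" "$answer"; then
        echo "match:    published key equals default.txt"
    else
        echo "MISMATCH: published key differs from default.txt"
    fi
done
```

On the server, pass the real values: `dkim_key_matches "$(sudo cat /etc/opendkim/keys/yourdomain.com/default.txt)" "$(dig +short TXT default._domainkey.yourdomain.com)"`. `opendkim-testkey -d yourdomain.com -s default -vvv` runs a comparable check against the running OpenDKIM configuration.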
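The main.cf from step 3 also deserves a check before the server goes live. This added example (not the author's script) reads `postconf -n` output and flags four settings from this guide that are worth revisiting; the function names and the tightened sample values, including the certificate paths, are assumptions.

```shell
#!/bin/sh
# Added example: audit `postconf -n` output (stdin) for settings from step 3.

audit_main_cf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        i = index($0, "="); if (!i) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        seen[key] = 1; v[key] = val
    }
    END {
        if (v["smtpd_tls_cert_file"] ~ /snakeoil/)
            print "WARN smtpd_tls_cert_file: self-signed placeholder certificate"
        if (seen["local_recipient_maps"] && v["local_recipient_maps"] == "")
            print "WARN local_recipient_maps: empty, unknown users are accepted, then bounced"
        if (!seen["smtpd_tls_security_level"])
            print "WARN smtpd_tls_security_level: unset (smtpd_use_tls is the older form)"
        if (v["smtpd_tls_auth_only"] != "yes")
            print "WARN smtpd_tls_auth_only: AUTH is offered before STARTTLS on port 25"
    }'
}

# Constructed input: the relevant values this guide puts in main.cf.
guide_settings() {
    cat <<'EOF'
local_recipient_maps =
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
EOF
}

# Constructed input after tightening; the certificate paths are hypothetical.
tightened_settings() {
    cat <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/example/mail.yourdomain.com.fullchain.pem
smtpd_tls_key_file = /etc/ssl/example/mail.yourdomain.com.key
smtpd_tls_security_level = may
EOF
}

echo "guide settings:";     guide_settings | audit_main_cf
echo "tightened settings:"; tightened_settings | audit_main_cf
```

Run it on the server with `postconf -n | audit_main_cf`.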
8. Security
Set up a firewall:
sudo apt install ufw
sudo ufw allow ssh
# Port 25 carries inbound mail from other servers; without this rule the firewall drops it
sudo ufw allow 25
sudo ufw allow 993
sudo ufw allow 587
sudo ufw enable
Install fail2ban for brute force protection:
sudo apt install fail2ban
This gives you a solid, production-ready mail server. It's not the easiest path, but it's the one that actually teaches you how email works. When something breaks, you'll know how to fix it.
Now you own your email. Completely.