Unfederated Email, Part II
==========================

A few years ago, I wrote a phlog entry about self-hosting an unfederated 
email server (which only sends emails among the users on the local 
machine). I set up the server on my home network and used it to send 
notes and files to my old devices. Since it was on my LAN, the server 
sent and received mails in clear text, without certificates and without 
encryption.

I mentioned in that post that my ultimate aim was to add encryption, so 
that I could access the server with my email client over the open 
internet. Several months later, a reader let me know that they'd like 
the setup details when I did it. Well, I finally set it up, and the 
details are below.

It's the simplest possible system. Each system user automatically has an 
email account on the server, using their regular username and password. 
It also requires the use of TLS on all connections. If you want to add 
new email users, just create a system user account for them. If you 
don't want them actually using the system, permit server logins with an 
RSA certificate only.


Why? 
====

If you're wondering why a person might want an unfederated email server, 
I get it. But it does have uses. Mine is to send myself emails. 

I often send myself emails containing reminders, notes, and files. If I 
look at my inbox, almost all of the incoming traffic consists of 
commercial notifications. I hardly ever respond to those emails. In 
fact, when I look at my sent items, almost all of the outgoing traffic 
is notes to myself or emails to family. So why not keep some of that 
traffic away from my email provider?

I'm sure there are other reasons to do this as well. You might want to 
set up a private Delta Chat server. Or you might want to send emails 
among a small group of people or set up something like a groupchat or 
mailing list.


How?
====

The following setup guide is for an unfederated server running Debian 12 
(Bookworm).

The server makes use of Dovecot for IMAP connections (for retrieving 
email), OpenSMTPD for SMTP (for sending), and mailutils (for some of the 
local setup on the machine).

Since the server is unfederated and you don't have to scan for spam, the 
demands on the system are very light.

All of the setup below must be done as root.


1. Pre-installation
-------------------

A. Add backports to your repositories. The version of OpenSMTPD in 
Debian Bookworm has a TLS bug that prevents it from establishing secure 
connections. This caused me serious amounts of frustration before I 
found out about the bug!

To add backports, edit your /etc/apt/sources.list

Add the following line:

deb http://deb.debian.org/debian bookworm-backports main

B. Update your server

apt-get update
apt-get upgrade


2. Installation
---------------

Install dovecot, OpenSMTPD, and mailutils:

apt-get install mailutils dovecot-imapd
apt-get install opensmtpd/bookworm-backports

When openSMTPD asks for the server name, give it the fully-qualified 
domain name (the whole URL for your server). 


3. Dovecot Configuration
------------------------

A. Edit /etc/dovecot/conf.d/10-ssl.conf

Change the line "ssl = yes" to:

ssl = required

If you want to use the self-signed certificate automatically created by 
Dovecot, make sure the following lines are uncommented (remove the 
octothorpe at the beginning of the line, if any):

ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key

Alternatively, if you have Let's Encrypt certificates on the server, you 
can link to them instead. In my case, I had them for the Apache2 
webserver already, so the two lines above look like this instead:

ssl_cert = </etc/apache2/ssl/fullchain.pem
ssl_key = </etc/apache2/ssl/private/key.pem

Note: you have to put the < before the file link. It's mandatory!

B. Edit /etc/dovecot/conf.d/10-auth.conf

Uncomment the line: disable_plaintext_auth = yes

C. Edit /etc/dovecot/conf.d/10-master.conf

Find these lines: 

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

Edit them to look like this:

service imap-login {
  #inet_listener imap {
    #port = 143
  #}
  inet_listener imaps {
    port = 993
    ssl = yes
  }


4. OpenSMTPD Configuration
--------------------------

Edit /etc/smtpd.conf

Save the existing file as smtpd.conf.bak or something like that. 

Then delete the existing contents of /etc/smtpd.conf and cut and paste 
everything from "table" to the final "local" below into the file. You 
can use the self-signed certificate/key pair created by Dovecot, or your 
Let's Encrypt set if you have one. Just comment out the certificate/key 
pair that you don't want to use. If your Let's Encrypt certificates are 
kept in a different directory, change the links as necessary (here and 
in Dovecot's /etc/dovecot/conf.d/10-ssl.conf file). Wherever it says 
"your.domain.name" substitute your fully-qualified domain name.

table aliases file:/etc/aliases

#pki your.domain.name cert         "/etc/dovecot/private/dovecot.pem"
#pki your.domain.name key          "/etc/dovecot/private/dovecot.key"
pki your.domain.name cert         "/etc/apache2/ssl/fullchain.pem"
pki your.domain.name key          "/etc/apache2/ssl/private/key.pem"

listen on your.domain.name port 465 smtps pki your.domain.name auth

action "local" mbox alias <aliases>

match for local action "local"
match from any for domain "localhost" action "local"
match from any for domain "localhost.localdomain" action "local"
match from any for domain "your.domain.name" action "local"


5. Restart the services to reload the configuration files:
----------------------------------------------------------

systemctl restart dovecot
systemctl restart opensmtpd


6. Open Ports
-------------

Open ports 465 and 993 in your firewall. If you don't have a 
firewall, look up ufw (uncomplicated firewall). It is very simple to 
use. 

If the server is at home, you'll have to set up port forwarding on your 
router to gain external access. If your internet provider blocks ports 
465 and 993, you can use different numbers. Just don't use ports 
regularly used by other services. You can find lists of commonly used 
ports by searching online.


7. Set up your email client 
---------------------------

I use Claws-Mail and set it up as follows. Note that myusername is the 
username from my account on the server.

Basic Tab
---------

Email Address: yourusername@your.domain.name
Protocol: IMAP
Server for Receiving: your.domain.name
SMTP server (send): your.domain.name
User ID: yourusername <-- don't include the @your.domain.name!
Password: password for the user account on the server

Send Tab
--------

Check the box for SMTP Authentication. You don't have to fill in the 
User ID or Password.

TLS Tab
-------

Select the checkbox for "Use TLS" for both IMAP and SMTP.

Advanced Tab
------------

Select the checkbox for SMTP port and enter 465.
Select the checkbox for IMAP port and enter 993.


8. Final Notes
--------------

A. I suspect that in some situations using regular user accounts for 
email could pose a security risk by increasing the possibility of 
revealing usernames and passwords, but I only permit RSA key logins on 
my servers (and no root logins).


B. If you use a Let's Encrypt certificate, you'll probably want to add 
Dovecot and OpenSMTPD to the services that restart after each renewal. 
How you do that will depend on the client you use to update Let's 
Encrypt. Both certbot and acme.sh have that capability.