Email hosting server: your own mail server

Reliable email hosting on your own mail server requires a specialized VPS with sufficient resources, a configured MTA (e.g., Postfix) and MDA (Dovecot) stack, as well as correct DNS records (SPF, DKIM, DMARC) to ensure email deliverability and combat spam.

In the era of digitalization, where email remains a cornerstone of business and personal communication, the question of choosing the right solution for email server hosting becomes critically important. Many companies and individuals still rely on third-party email services such as Google Workspace or Microsoft 365. However, this approach comes with certain compromises in terms of privacy, control, and flexibility. This is why more and more users are considering deploying their own mail server on a VPS.

Your own mail server offers an unprecedented level of control over the entire infrastructure: from data storage to spam filter configuration and security policies. This is especially relevant for organizations working with confidential information or for those striving for complete independence from large corporations. Setting up such a server typically involves installing and configuring Mail Transfer Agents (MTA) like Postfix, Mail Delivery Agents (MDA) like Dovecot, as well as meticulous work with DNS records (SPF, DKIM, DMARC), which are key to successful email deliverability and protection against spoofing.

In this article, we will delve into all aspects of creating and managing your own mail server on a VPS, from choosing optimal hardware resources to the intricacies of software configuration and spam fighting mechanisms. We will also show how Valebyte's plans can become the ideal foundation for your mail server VPS.

Why Consider Your Own Mail Server: Advantages of Self-Hosted Email

Deciding to deploy a self-hosted email server instead of using third-party providers is a step towards complete autonomy and control. While cloud email services are convenient, they don't always meet all the requirements of businesses or individual users. Let's look at the key advantages of your own mail server.

Control, Security, and Privacy

The main advantage of your own mail server is complete control. You decide where data is stored, who has access to it, and what security policies are applied. This is critically important for companies working with sensitive information or subject to strict regulatory norms (GDPR, HIPAA, etc.). You are not dependent on changes in third-party providers' privacy policies and can be sure that your data is not analyzed for advertising purposes.

• Full data ownership: All your emails, contacts, and metadata are on your server, under your control.
• Custom security settings: You can implement your own firewall rules, intrusion detection systems, and use specific encryption and authentication algorithms that may not be available from standard providers.
• Independence from third parties: No reliance on outages or policy changes of third-party services.

Flexibility and Scalability

When you use your own mail server, customization possibilities are virtually limitless. You can integrate it with other internal systems, configure specific routing rules, use your own spam filters or antivirus solutions that perfectly suit your needs. This is especially useful for growing companies that require unique features or high scalability.

• Customization: Installation of any necessary extensions, plugins, web interfaces (Roundcube, SOGo), and integration with CRM, ERP, or other business applications.
• Scalability: As your company grows, you can easily increase VPS resources (RAM, CPU, disk space) or even migrate to a more powerful dedicated server without needing to change email providers or transfer data between different platforms.
• Resource management: Precise control over how many resources your mail server consumes and the ability to optimize its performance.

Long-term Savings

While the initial costs of setting up and maintaining your own mail server may seem higher than subscribing to SaaS solutions, in the long run, it often proves more cost-effective, especially for medium and large organizations. As the number of users increases, the subscription cost for third-party services grows linearly, whereas the cost of maintaining your own VPS increases significantly slower.

• Predictable costs: You pay for the VPS, not per user. This allows for better budget planning.
• License savings: Most components of your own mail server (Postfix, Dovecot, SpamAssassin) are open source and do not require licensing fees.
• Optimization: Fine-tuning capabilities allow for more efficient use of hardware resources, reducing overall operating costs.

What VPS is Needed for Email Hosting: Choosing a Mail Server VPS

Choosing the right VPS is a key factor for the stable and efficient operation of your email server hosting. Server characteristics determine email processing speed, the volume of stored emails, and overall system performance. It's important to consider not only hardware resources but also IP address reputation and the type of virtualization.

Minimum and Recommended Requirements for a Mail Server VPS

VPS requirements for a mail server vary depending on the anticipated load: the number of users, the volume of emails sent, and the frequency of their receipt/dispatch.

Minimum Requirements (for 1-10 users, small email volume):

• CPU: 1-2 vCPU (e.g., Intel Xeon E3/E5 or AMD EPYC).
• RAM: 2 GB. This is sufficient for Postfix, Dovecot, and basic anti-spam filters.
• Disk: 40-60 GB NVMe SSD. NVMe provides high read/write speeds, which is critical for databases and mail queues.
• Bandwidth: 100 Mbps.

Recommended Requirements (for 10-50 users, medium email volume, extended features):

• CPU: 2-4 vCPU (the higher the frequency, the better for single-threaded tasks).
• RAM: 4-8 GB. This will allow comfortable operation with more aggressive anti-spam filters, web interfaces, and a larger number of simultaneous connections.
• Disk: 80-160 GB NVMe SSD. Consider mailbox volume and logging.
• Bandwidth: 1 Gbps.

High-Load Scenarios (50+ users, very large email volume):

• CPU: 4+ vCPU, preferably with a high clock speed.
• RAM: 8-16+ GB.
• Disk: 200+ GB NVMe SSD, possibly with a RAID array for fault tolerance and performance.
• Bandwidth: 1 Gbps or higher.

Important note: Always choose SSD, and even better, NVMe drives. Disk subsystem performance is critical for a mail server, as it constantly involves reading and writing a large number of small files (emails) and database operations.

The Importance of IP Reputation and Reverse DNS Record (PTR)

One of the most important factors affecting the deliverability of your emails is the reputation of the IP address from which mail is sent. Spam filters of email providers (Gmail, Outlook, Mail.ru) are very sensitive to this parameter. If the IP address was previously used for sending spam, your emails will likely end up in the "Spam" folder or be rejected entirely.

• Clean IP address: When choosing a VPS for email server hosting, ensure that the provider offers "clean" IP addresses not listed in blacklists (RBLs). At Valebyte, we monitor the reputation of our IP addresses.
• Reverse DNS record (PTR): For any mail server, a reverse DNS record (PTR record) must be configured, which maps an IP address to a domain name. This allows receiving mail servers to verify that the IP address indeed belongs to your domain. The PTR record should match your mail server's hostname (e.g., mail.yourdomain.com). Typically, your hosting provider configures this record upon your request.

KVM VPS vs. OpenVZ for Email

When choosing the type of virtualization for your mail server VPS, KVM is the preferred option compared to OpenVZ.

• KVM (Kernel-based Virtual Machine): Provides full hardware virtualization. This means your VPS operates as a complete physical server with its own Linux kernel. This offers maximum isolation, stability, and the ability to use any kernel modules or specialized software. For a mail server, KVM is ideal as it ensures predictable performance and full control over system resources.
• OpenVZ: Uses container-based virtualization, where all VPS instances share the same host system kernel. This can lead to resource "overselling" and unstable performance under high load on neighboring VPS instances. Additionally, some specific kernel or file system settings required for certain mail components or anti-spam solutions may be limited in OpenVZ.

Thus, for a critically important service like a mail server, KVM VPS is the optimal choice, providing the necessary reliability, isolation, and performance.

Basic Mail Server Components: Postfix and Dovecot

Creating your own mail server requires an understanding of its core components. The heart of most modern Unix-like mail systems are Postfix and Dovecot. They work in tandem, ensuring the sending, receiving, and storage of email.

Postfix: Your Mail Transfer Agent (MTA)

Postfix is a Mail Transfer Agent (MTA) responsible for routing and delivering email. Its primary task is to receive emails from other mail servers or local clients, and then deliver them to recipients, either by forwarding them to other MTAs or by storing them for local delivery. Postfix is known for its security, performance, and ease of configuration compared to older MTAs like Sendmail.

Key Postfix functions:

• Receiving mail: Postfix listens on port 25 (SMTP) for incoming connections from other mail servers.
• Sending mail: Postfix sends outgoing emails to other mail servers, using MX DNS records to determine the recipient.
• Local delivery: Transfers incoming emails to local Mail Delivery Agents (MDA), such as Dovecot, for storage in user mailboxes.
• Security: Supports TLS/SSL for connection encryption, as well as various authentication mechanisms (SASL).
• Filtering: Allows integration of anti-spam and antivirus solutions.

Example basic Postfix configuration (/etc/postfix/main.cf file):

# Server hostname
myhostname = mail.yourdomain.com

# Domains for which this server accepts mail
mydomain = yourdomain.com
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost

# Networks allowed to relay mail through your server
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Use TLS for encryption
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.yourdomain.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail.yourdomain.com.key

# SASL authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Local delivery (transfer to Dovecot)
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -a "$EXTENSION@"

Dovecot: IMAP/POP3 Server

Dovecot is a Mail Delivery Agent (MDA) and IMAP/POP3 server that allows users to access their mail. After Postfix accepts an email, it passes it to Dovecot, which stores it in the appropriate mailbox. Users then connect to Dovecot via mail clients (Outlook, Thunderbird, mobile apps) using IMAP or POP3 protocols to read and manage their emails.

Key Dovecot functions:

• Mail storage: Manages mail storage in various formats (Maildir, mbox). Maildir is preferred as it stores each email in a separate file, which is more reliable and performant.
• IMAP/POP3 access: Provides access to mailboxes via IMAP (Internet Message Access Protocol) and POP3 (Post Office Protocol 3). IMAP allows mail synchronization across multiple devices, while POP3 typically downloads emails to one device and deletes them from the server.
• Authentication: Supports various user authentication methods, including PAM, databases (SQL), LDAP. Often used for authenticating Postfix users via SASL.
• Security: Ensures secure connections via SSL/TLS for IMAPS (port 993) and POP3S (port 995), as well as STARTTLS for IMAP (port 143) and POP3 (port 110).

Example basic Dovecot configuration (/etc/dovecot/dovecot.conf and /etc/dovecot/conf.d/10-mail.conf files):

# dovecot.conf
protocols = imap pop3 lmtp

# 10-mail.conf
mail_location = maildir:~/Maildir

# SSL/TLS
ssl = required
ssl_cert = </etc/ssl/certs/mail.yourdomain.com.crt
ssl_key = </etc/ssl/private/mail.yourdomain.com.key

# Authentication
auth_mechanisms = plain login
!include auth-sql.conf.ext # If using a database for users

The combined operation of Postfix and Dovecot allows you to create a full-fledged and reliable email server hosting on your VPS. Postfix handles external communication and transfer, while Dovecot manages user storage and access.

Database for Users and Domains (PostgreSQL/MariaDB)

For more flexible management of users, domains, and their passwords, especially when working with multiple domain names or a large number of accounts, it is recommended to use a database. The most popular options are PostgreSQL or MariaDB (MySQL).

Advantages of using a database:

• Centralized management: All user data (logins, passwords, quotas) and domains are stored in one place.
• Ease of administration: With web interfaces like PostfixAdmin, you can easily add/remove users, change passwords, and manage aliases and mail domain names.
• Scalability: Easily add new domains and thousands of users without modifying Postfix and Dovecot configuration files.

Interaction scheme: Postfix and Dovecot query the database to authenticate users and retrieve mailbox information. PostfixAdmin (or a similar tool) is used to manage this data via a web interface.

DNS Configuration: SPF, DKIM, DMARC – The Foundation of Deliverability

Correct DNS record configuration is critically important for the successful deliverability of emails from your email server hosting. SPF, DKIM, and DMARC are email authentication standards that help prevent sender spoofing, reduce the risk of emails landing in spam, and increase trust in your mail.

All these records are added to your domain's DNS zone. You can manage them through your domain registrar's or hosting provider's DNS control panel.

SPF (Sender Policy Framework)

SPF is a DNS TXT record that specifies which IP addresses (or hosts) are authorized to send mail on behalf of your domain. The receiving mail server checks the sender's SPF record: if an email originates from an IP address not listed in the SPF record, it may be marked as spam or rejected.

Example SPF record:

yourdomain.com. IN TXT "v=spf1 ip4:192.0.2.1 include:_spf.google.com ~all"

• v=spf1: Indicates the SPF version.
• ip4:192.0.2.1: Authorizes mail sending from IP address 192.0.2.1 (replace with your VPS IP).
• include:_spf.google.com: If you also use Google Workspace for some mail, this directive includes their SPF records.
• ~all: Softfail. Emails from other IPs will be accepted but may be marked as suspicious.
  • -all: Hardfail. Emails from other IPs will be rejected. Recommended after thorough testing.
  • ?all: Neutral. Provides no recommendation. Not recommended for production.

Important: Ensure that your SPF record includes all IP addresses from which your domain may send mail (your VPS, third-party mailing services, etc.).

DKIM (DomainKeys Identified Mail)

DKIM is an authentication method that allows the receiving server to verify that an email was sent by the domain owner and has not been altered during transit. This is achieved by adding a digital signature to the email header. The signature is generated using a private key on your mail server, and the public key is published in your domain's DNS TXT record.

Example DKIM record:

default._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDz+..."

• default._domainkey: This is the DKIM selector. You can use any selector (e.g., mail, 2023).
• v=DKIM1: DKIM version.
• k=rsa: Encryption algorithm.
• p=...: Your public DKIM key. This key is generated on your mail server (e.g., using the opendkim-genkey utility or PostfixAdmin).

How DKIM works:

1. Your mail server signs outgoing emails with a private key.
2. The receiving server looks for the public key in your domain's DNS record.
3. Using the public key, the receiving server verifies the email's signature. If the signature matches, the email is considered authentic.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is a policy that unifies SPF and DKIM, providing instructions to receiving mail servers on what to do with emails that fail SPF or DKIM checks. DMARC also allows you to receive reports on attempts to spoof your domain.

Example DMARC record:

_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"

• v=DMARC1: DMARC version.
• p=quarantine: Policy for emails that fail checks.
  • none: Monitoring only (receiving reports, but no actions applied). Recommended in the initial phase.
  • quarantine: Place the email in spam.
  • reject: Reject the email. Recommended after confidence in correct SPF/DKIM.
• rua=mailto:[email protected]: Address for receiving aggregate reports (daily).
• ruf=mailto:[email protected]: Address for receiving forensic reports (on each failure).
• fo=1: Send reports if at least one of the checks (SPF or DKIM) failed.

Recommendation: Start with p=none, collect reports, analyze them, ensure all legitimate emails pass SPF/DKIM, and only then move to p=quarantine, and then to p=reject.

MX and A/AAAA Records

In addition to SPF, DKIM, and DMARC, basic DNS records are required for a mail server to function:

• MX (Mail Exchanger) record: Points to the mail server responsible for receiving mail for your domain.

  
  yourdomain.com. IN MX 10 mail.yourdomain.com.
          

  10 is the priority. The smaller the number, the higher the priority.
• A/AAAA record: Maps a domain name (or subdomain) to your VPS's IP address.

  
  mail.yourdomain.com. IN A 192.0.2.1
          

  If you have an IPv6 address, add an AAAA record:

  
  mail.yourdomain.com. IN AAAA 2001:db8::1
          

Correct configuration of these DNS records ensures that your own mail server will reliably deliver emails and will not be perceived as a source of spam.

Spam Fighting and Security for Your Mail Server

One of the biggest challenges when operating email server hosting is fighting spam and ensuring its security. Without adequate measures, your server will quickly become a hotbed of unwanted mail or fall victim to attacks. Effective protection requires a multi-layered approach.

Spam Filtering Tools (SpamAssassin, RBLs)

Spam filtering is a continuous process that requires constant configuration and updates. Here are the main tools:

• SpamAssassin: This is a powerful, flexible, and extensible framework for spam filtering. It uses a wide range of rules and techniques to identify spam, including:
  • Heuristic analysis: Checks email headers and body for spam characteristics.
  • Scoring: Assigns "spam scores" to each email, and if the total score exceeds a threshold, the email is marked as spam.
  • Network tests: Checks the sender's IP address against various blacklists (RBLs).
  • Bayesian filter: Learns based on your personal mail to better distinguish spam from legitimate emails.
  SpamAssassin integrates easily with Postfix and Dovecot.

  
  # Install SpamAssassin (example for Debian/Ubuntu)
  sudo apt update
  sudo apt install spamassassin spamc
  
  # Start the service
  sudo systemctl enable spamassassin
  sudo systemctl start spamassassin
          

• RBLs (Real-time Blackhole Lists): These are publicly available databases of IP addresses that have been observed sending spam. Your mail server can query these lists when receiving incoming emails. If the sender's IP address is in an RBL, the email may be rejected or marked as spam. Popular RBLs include Spamhaus SBL/XBL, SORBS, CBL.

  
  # Example RBL configuration in Postfix (in main.cf)
  smtpd_recipient_restrictions =
      ...
      reject_rbl_client zen.spamhaus.org,
      reject_rbl_client bl.spamcop.net,
      ...
          

• Greylisting: A technique where the mail server temporarily rejects emails from unknown senders, requesting a retry. Legitimate mail servers usually retry sending after a few minutes, while most spam bots do not expend resources on this. This is an effective way to filter out a significant portion of spam.
• DCC (Distributed Checksum Clearinghouse): A distributed system that helps identify mass spam mailings by comparing email checksums.
• Razor / Pyzor: Systems that report spam and exchange information about it in real-time.

Brute-Force and DDoS Protection (Fail2Ban, Firewall)

Your mail server VPS is constantly subjected to brute-force password attempts and DDoS attacks. Protection against them is critically important:

• Fail2Ban: This is a powerful tool for brute-force protection. It scans server logs (Postfix, Dovecot, SSH) for repeated failed login attempts and automatically blocks attacker IP addresses for a specified period using a firewall (iptables/nftables).

  
  # Install Fail2Ban
  sudo apt install fail2ban
  
  # Example jail for Postfix/Dovecot (in /etc/fail2ban/jail.local)
  [postfix]
  enabled = true
  port = smtp,ssmtp,submission
  logpath = /var/log/mail.log
  maxretry = 3
  bantime = 3600
  
  [dovecot]
  enabled = true
  port = pop3,pop3s,imap,imaps
  logpath = /var/log/mail.log
  maxretry = 3
  bantime = 3600
          

• Firewall (UFW/iptables/nftables): Configure a firewall to restrict access to your server. Allow only necessary ports:
  • 25 (SMTP): For incoming and outgoing mail (TLS STARTTLS).
  • 587 (Submission): For sending mail by authenticated clients (TLS STARTTLS).
  • 465 (SMTPS): Alternative port for sending mail (TLS/SSL).
  • 143 (IMAP): For receiving mail (TLS STARTTLS).
  • 993 (IMAPS): For receiving mail (TLS/SSL).
  • 110 (POP3): For receiving mail (TLS STARTTLS).
  • 995 (POP3S): For receiving mail (TLS/SSL).
  • 22 (SSH): Only for administrative access, preferably restricted by IP or using keys.

  
  # Example UFW configuration
  sudo ufw allow 22/tcp # SSH
  sudo ufw allow 25/tcp # SMTP
  sudo ufw allow 587/tcp # Submission
  sudo ufw allow 465/tcp # SMTPS
  sudo ufw allow 143/tcp # IMAP
  sudo ufw allow 993/tcp # IMAPS
  sudo ufw enable
          

• Rate Limiting: Limiting the number of connections or emails per unit of time from a single IP address. This helps mitigate DDoS attacks and prevent mass mailings through compromised accounts.

SSL/TLS for Traffic Encryption

Encryption is a fundamental aspect of mail server security. All connections between mail clients and the server, as well as between mail servers, must be encrypted using SSL/TLS.

• Let's Encrypt Certificates: Obtain free SSL/TLS certificates using Certbot. They are easy to install and automatically renew, providing encryption for Postfix and Dovecot.

  
  # Install Certbot (example for Apache/Nginx, but standalone can be used)
  sudo apt install certbot
  
  # Obtain a certificate for the domain mail.yourdomain.com
  sudo certbot certonly --standalone -d mail.yourdomain.com
          

• Postfix and Dovecot Configuration: Specify the paths to the obtained certificates and keys in the Postfix configuration files (smtpd_tls_cert_file, smtpd_tls_key_file) and Dovecot (ssl_cert, ssl_key). Ensure that mandatory encryption is enabled for all services (SMTP, SMTPS, Submission, IMAP, IMAPS, POP3, POP3S) (smtpd_tls_security_level = may or encrypt for Postfix, ssl = required for Dovecot).

A comprehensive approach to fighting spam and ensuring security will allow your own mail server to operate reliably and efficiently, protecting your users from unwanted mail and malicious attacks.

Step-by-Step Installation and Configuration of Postfix and Dovecot on Ubuntu

Deploying your own mail server on a VPS requires sequential configuration of several components. We will cover the installation and basic configuration of Postfix, Dovecot, and MySQL/MariaDB on Ubuntu 22.04 LTS. This process will allow you to get a functional Postfix server.

System Preparation and Installation of Required Packages

Before starting, ensure your VPS is updated and you have SSH access with root privileges or a user with sudo.

1. System update:

   
   sudo apt update
   sudo apt upgrade -y
           

2. Install dependencies:

   
   sudo apt install -y postfix dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd mariadb-server postfix-mysql dovecot-mysql opendkim opendkim-tools mailutils certbot
           

   During Postfix installation, you will be prompted to choose a configuration type:
   • Select "Internet Site".
   • "System mail name": Enter your domain (e.g., yourdomain.com).
3. Configure hostname and PTR record: Set the Fully Qualified Domain Name (FQDN) for your server. It should match the PTR record you requested from your provider (e.g., mail.yourdomain.com).

   
   sudo hostnamectl set-hostname mail.yourdomain.com
           

   Check /etc/hosts:

   
   127.0.0.1       localhost
   127.0.1.1       mail.yourdomain.com mail
   your_vps_ip     mail.yourdomain.com mail
           

4. Create database for PostfixAdmin (users and domains):

   
   sudo mysql_secure_installation
           

   (Follow the instructions: set root password, remove anonymous users, disallow remote root login, remove test DB).

   
   sudo mysql -u root -p
           

   Inside MySQL:

   
   CREATE DATABASE postfixadmin;
   CREATE USER 'postfixadmin'@'localhost' IDENTIFIED BY 'your_db_password';
   GRANT ALL PRIVILEGES ON postfixadmin.* TO 'postfixadmin'@'localhost';
   FLUSH PRIVILEGES;
   EXIT;
           

   Remember your_db_password.
5. Obtain SSL/TLS certificate: We use Certbot for Let's Encrypt.

   
   sudo certbot certonly --standalone -d mail.yourdomain.com --pre-hook "sudo systemctl stop postfix" --post-hook "sudo systemctl start postfix"
           

   Follow the instructions. Certificates will be in /etc/letsencrypt/live/mail.yourdomain.com/.

Postfix Configuration

Edit the main Postfix configuration file: /etc/postfix/main.cf.

# General settings
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all

# Domains for which this server accepts mail
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_alias_domains = $mydomain
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains-maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

# Networks allowed to relay mail
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# TLS settings
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
smtp_tls_security_level = may

# SASL authentication via Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes # For old clients
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# DKIM settings (see below)
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891

Create configuration files for MySQL (/etc/postfix/mysql-virtual-*.cf), using your DB data:

# /etc/postfix/mysql-virtual-alias-maps.cf
user = postfixadmin
password = your_db_password
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

# /etc/postfix/mysql-virtual-domains-maps.cf
user = postfixadmin
password = your_db_password
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'

# /etc/postfix/mysql-virtual-mailbox-maps.cf
user = postfixadmin
password = your_db_password
hosts = 127.0.0.1
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

Ensure these files are only accessible by Postfix:

sudo chmod 640 /etc/postfix/mysql-virtual-*.cf
sudo chown root:postfix /etc/postfix/mysql-virtual-*.cf

Dovecot Configuration

Edit /etc/dovecot/dovecot.conf:

protocols = imap pop3 lmtp
listen = *, ::

Edit /etc/dovecot/conf.d/10-mail.conf:

mail_location = maildir:~/Maildir
mail_privileged_group = mail

Edit /etc/dovecot/conf.d/10-auth.conf:

disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf.ext

Edit /etc/dovecot/conf.d/10-master.conf:

# In the service lmtp section
unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
}

# In the service auth section
unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
}

Edit /etc/dovecot/conf.d/10-ssl.conf:

ssl = required
ssl_cert = </etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.yourdomain.com/privkey.pem

Create the file /etc/dovecot/conf.d/auth-sql.conf.ext:

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

Create the file /etc/dovecot/dovecot-sql.conf.ext:

driver = mysql
connect = host=127.0.0.1 dbname=postfixadmin user=postfixadmin password=your_db_password
default_pass_scheme = CRAM-MD5 # Or SHA512-CRYPT, if PostfixAdmin is configured for it
password_query = SELECT username as user, password FROM mailbox WHERE username = '%u' AND active = '1'
user_query = SELECT maildir, 2000 AS uid, 2000 AS gid FROM mailbox WHERE username = '%u' AND active = '1'

Ensure that dovecot-sql.conf.ext is only accessible by Dovecot:

sudo chmod 640 /etc/dovecot/dovecot-sql.conf.ext
sudo chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext

OpenDKIM Configuration

Edit /etc/opendkim.conf:

AutoRestart             Yes
AutoRestartRate         10/1M
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              No
ADSPDiscard             No
Selector                default # Can be changed if you use multiple
Socket                  inet:8891@localhost
KeyFile                 /etc/opendkim/keys/yourdomain.com/default.private # Will be created
PidFile                 /var/run/opendkim/opendkim.pid
TrustAnchorFile         /usr/share/certs/ca-certificates.crt
UserID                  opendkim:opendkim
UMask                   002
OversignHeaders         From

# Create this file
KeyTable                /etc/opendkim/KeyTable
SigningTable            /etc/opendkim/SigningTable
ExternalIgnoreList      /etc/opendkim/TrustedHosts
InternalHosts           /etc/opendkim/TrustedHosts

Edit /etc/default/opendkim:

SOCKET="inet:8891@localhost"

Create DKIM keys:

sudo mkdir -p /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -D /etc/opendkim/keys/yourdomain.com/ -d yourdomain.com -s default
sudo chown -R opendkim:opendkim /etc/opendkim/keys
sudo chmod -R 700 /etc/opendkim/keys

The content of the public key from /etc/opendkim/keys/yourdomain.com/default.txt will need to be added to your domain's DNS TXT record.

Create /etc/opendkim/KeyTable:

default._domainkey.yourdomain.com yourdomain.com:default:/etc/opendkim/keys/yourdomain.com/default.private

Create /etc/opendkim/SigningTable:

*@yourdomain.com default._domainkey.yourdomain.com

Create /etc/opendkim/TrustedHosts:

127.0.0.1
localhost
192.168.0.1/24 # Your local network, if any
mail.yourdomain.com
yourdomain.com

Restarting Services and Testing

After all changes, restart the services:

sudo systemctl restart postfix dovecot opendkim
sudo systemctl enable postfix dovecot opendkim

Check logs for errors:

sudo tail -f /var/log/mail.log

Now your email server hosting is ready to send and receive mail. All that remains is to install PostfixAdmin for convenient user and domain management via a web interface.

Valebyte Plans for Email Server Hosting: Choosing the Optimal VPS

Choosing the right VPS is an investment in the reliability and performance of your email server hosting. Valebyte offers a wide range of plans that can be adapted to any needs, from a small personal mail server to an enterprise solution with hundreds of users. All our VPS are based on KVM virtualization with NVMe SSDs, which guarantees high performance and stability.

Recommendations for Choosing a VPS for Different Workloads

To help you choose the optimal mail server VPS, we have categorized recommendations by workload:

1. For personal use or small business (1-10 users):

   If you plan to use a mail server for yourself or a small team, not expecting huge traffic volumes, basic plans will suit you. The main requirements are a stable IP and sufficient disk space for storing emails.

   • CPU: 1-2 vCPU
   • RAM: 2 GB
   • Disk: 40-60 GB NVMe SSD
   • Bandwidth: 100 Mbps
2. For medium business (10-50 users):

   Medium-sized companies with active email exchange will require more resources to process incoming/outgoing emails, run anti-spam filters, and handle simultaneous client connections.

   • CPU: 2-4 vCPU
   • RAM: 4-8 GB
   • Disk: 80-160 GB NVMe SSD
   • Bandwidth: 1 Gbps
3. For large companies and providers (50+ users):

   For high-load mail systems, where every millisecond matters and thousands of emails per hour need to be processed, serious resources and scalability are required.

   • CPU: 4+ vCPU (with high clock speed)
   • RAM: 8-16+ GB
   • Disk: 200+ GB NVMe SSD (possibly with expansion capability or external storage)
   • Bandwidth: 1 Gbps or higher

Comparison of Valebyte Plans for Email Server Hosting

We offer several configurations ideally suited for deploying your own mail server. Below is a table with examples of Valebyte plans and their applicability for various scenarios:

Valebyte Plan	vCPU	RAM	NVMe SSD	Bandwidth	Price (approx.)	Recommended for
Entry Mail (VPS-1)	1	2 GB	40 GB	100 Mbps	from $8/month	Personal mail server, small business (up to 10 users)
Standard Mail (VPS-2)	2	4 GB	80 GB	1 Gbps	from $16/month	Medium business (10-30 users), active email exchange
Pro Mail (VPS-3)	4	8 GB	160 GB	1 Gbps	from $32/month	Growing business (30-50 users), intensive use of anti-spam filters
Enterprise Mail (VPS-4)	6	16 GB	320 GB	1 Gbps	from $64/month	Large companies (50+ users), high performance and storage requirements

Important notes when choosing a VPS from Valebyte:

• KVM Virtualization: All our VPS use KVM, which ensures full resource isolation and guaranteed performance for your mail server VPS.
• NVMe SSD: The use of NVMe drives significantly speeds up read/write operations, which is critically important for the performance of mail systems, especially when dealing with large volumes of emails and databases.
• Clean IP address: We provide IP addresses with a good reputation, which is a key factor for the successful deliverability of your emails.
• PTR record support: You can easily configure a PTR record for your IP address through our control panel or by contacting support.
• Geographical location: Choose a server location that is closer to your primary audience to minimize latency.

We recommend starting with a plan that matches your current needs and, if necessary, easily scaling resources by upgrading to more powerful Valebyte plans.

Frequently Asked Questions About Your Own Mail Server

Deploying your own mail server can raise a number of questions. Here we will answer the most common ones to clarify some aspects.

Is a Dedicated IP Address Necessary for Email Hosting?

Yes, for email server hosting, it is critically important to have a dedicated IP address. Using a shared IP address, which is shared by multiple users, carries a high risk: if one of the IP neighbors sends spam, the reputation of the entire IP address will suffer, and your emails may also end up in spam or be blocked. A dedicated IP address gives you full control over its reputation.

How Long Does It Take to Set Up Your Own Mail Server?

Setup time varies greatly. A basic installation of Postfix and Dovecot on a VPS with Ubuntu can take 2 to 4 hours for an experienced sysadmin. However, a full configuration, including SPF, DKIM, DMARC, anti-spam filters (SpamAssassin), Fail2Ban, SSL certificates, and a web interface for management (PostfixAdmin), can take from one to several days. This requires attention to detail and an understanding of each component.

Can I Use My Own Mail Server for Mass Mailings?

Technically, yes, but it is strongly discouraged. Most email providers are very strict about mass mailings from regular mail servers. Your IP address will quickly end up on blacklists, which will negatively affect the deliverability of all your mail, including regular business emails. For mass mailings, it is better to use specialized services such as Mailgun, SendGrid, or Amazon SES, which have established infrastructure and reputation for such tasks.

What Disk Space is Needed for a Mail Server?

Disk space depends on the number of users and the average size of their mailboxes. For 10 users, each storing 5-10 GB of mail, 50-100 GB will be required. Add to this the space for the operating system, logs, and temporary files (10-20 GB). Always allow for extra. If you plan to store large attachments or archives, choose a larger volume or consider using external storage.

Are Special Skills Required to Manage Your Own Mail Server?

Yes, managing your own mail server requires deep technical knowledge in Linux administration, DNS management, network protocols (SMTP, IMAP, POP3), as well as an understanding of security principles and spam fighting. This is not a task for a beginner. If you lack such knowledge, consider a Managed VPS option or consult specialists.

What is PostfixAdmin and Why is it Needed?

PostfixAdmin is a web interface for managing virtual mail domains, accounts, aliases, and mailing lists stored in a database (MySQL/MariaDB). It significantly simplifies mail server administration by allowing you to avoid manually editing configuration files when adding a new user or domain. This is a very convenient tool for managing your email server hosting.

Conclusion

Your own mail server on a VPS is a powerful solution for those seeking maximum control, security, and flexibility in email management. While setup requires technical knowledge and time, the benefits of data privacy, full customization, and long-term savings justify these efforts. Choosing an optimal mail server VPS from Valebyte with KVM virtualization and NVMe drives, combined with careful configuration of Postfix, Dovecot, and DNS records, will allow you to create a reliable and efficient email infrastructure.