4] E-Mail Hosting
E-Mail Concepts
While e-mail, like DNS, is one of the most ancient internet protocols, it has been extended with many pieces and bits over the decades to reach a usable state today.
E-Mail has tons of issues, like spam, abuse and plain brute-force attacks, on top of no default encryption and limited overall security. To address most of these issues, new protocols and standards have emerged over the years, like DKIM, SPF, DMARC and so on. Basic SMTP has been extended with TLS/SSL to provide wire encryption, and the ancient POP3 is nowadays replaced by IMAP. JMAP is growing, but as of today it still lacks support on both the server and the client side.
Preamble
Hosting an email server is not a simple task. Historically it was a matter of setting up tools like Postfix, Dovecot, OpenDKIM, OpenDMARC and SpamAssassin, interfacing them properly and fine-tuning a bunch of settings using decades-old syntax; overall pretty hard. Add to that that you also had to understand and set up various DNS entries and deal with stuff like blacklists…
One important detail: you need to host an email server on a real public and static IP address. No dynamic IP or port forwarding will really work properly. I will show you how to host your email server on your external server. A separate question is how to forward emails generated by your home server to your external server, and that is described here.
The available solutions
While today there are a few all-in-one solutions that could greatly help you with the process, I couldn't find one that actually worked as well for me as composing the stack manually.
I tried the Stalwart Mail Server, because it's an all-in-one modern solution, probably the most promising new approach in town for email hosting, but after fiddling with it for two weeks I had to give up because my external server is not powerful enough, or it is not (yet) optimized enough, to handle my mail volume.
I also tried mailcow, which is a ready-made containerized solution encompassing all the above tools. While it's indeed a great tool, after trying it out I hit some issues and overall it didn't feel quite the best approach for me. It is heavily dependent on Docker, and while I use Podman, I couldn't figure out whether some basic errors I faced were due to the use of Podman or to other unrelated issues. In any case, I gave up shortly after wasting a few hours on it.
If I have to use Postfix and Dovecot today, then I can go back to how I hosted my mail for the last 20+ years and do it manually once again.
So, my solution is to implement the mail stack with the good old tools, and I will show it in the following pages.
Where to host an email server
Simply put: do not self-host an email server on your home server. An email server must have a public IP address, and tunnels like WireGuard or any kind of port forwarding will not work.
Let me stress that again: you must host your email on a server with a public IP. Do not put it behind a port forward or a tunnel.
There are many reasons, and all of them are critical:
- 90% of email security comes from IP banning, and this cannot happen behind a port forward or a tunnel, because the mail server will always see the tunnel endpoint or the NAT address instead of the real IP of the connecting client, making a ban impossible
- E-Mail uses a lot of ports (25, 465, 993, 443, 587, 143, 4190, 110…) and while you can get rid of some, it's still a pain to forward them all and ensure the return path is properly NAT'd
- E-Mail sending today is heavily dependent on DKIM and DMARC. You must ensure your email server's outgoing connections always go through the same IP address, because this must be defined in a DNS record. So you would need to forcefully route your outbound email traffic through your tunnel, which usually is not your home default gateway
- Tunnels and port forwards (VPN…) make GeoIP lookups of email clients useless, or just mess with them. This again is not desirable for email security reasons.
- E-Mail needs to be a reliable service. Home hosting would require setting up a secondary mail server somewhere else to cover for situations in which your ISP is acting up
- I am not even counting on any of the standard email ports being open toward your home. Residential addresses are usually blocked to prevent spam, so a VPN or tunnel would be needed even if you have a static IP address
- No, DynDNS and similar solutions would not work for email, since email delivery is a serious affair and changing IPs would get you blacklisted in no time
- Residential IPs would get you banned, again, blacklisted quickly by most major email providers (Gmail, Hotmail, etc.)
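To make the point about the outbound address concrete, here is a small added example (mine, not part of this guide or of any of the tools above): a Python evaluator for the DNS-free part of an SPF record, run against a constructed record and a few sender IPs. It assumes documentation addresses (203.0.113.x, 2001:db8::/64) and skips the `a`, `mx` and `include` mechanisms, which need DNS lookups; mail leaving through any address other than the one published fails the check.

```python
import ipaddress

# Constructed sample record for a domain whose only legitimate senders are
# one static public IPv4 address and one IPv6 range (203.0.113.0/24 and
# 2001:db8::/32 are documentation prefixes, not real servers).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/64 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_verdict(record: str, client_ip: str) -> str:
    """Evaluate the DNS-free SPF mechanisms (ip4, ip6, all) for client_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (not an SPF
    record) or 'permerror' (malformed address or mechanism). Mechanisms
    that need DNS lookups (a, mx, include, redirect) are skipped here; a
    real evaluator resolves them. A home server whose mail leaves via an
    address that is not listed simply never matches and hits "-all".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        qual = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    # No mechanism matched and no "all" present: RFC 7208 default result.
    return "neutral"


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.7", "2001:db8::1"):
        print(sender, "->", spf_verdict(SAMPLE_SPF, sender))
```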
Is it worth it?
Probably not, since there are lots of email providers out there that for a little money will let you host email for your domain. But is it fun? Yes, so let's go and do it.
Sources
Most content in the following pages is taken (and adjusted to my liking) from the Gentoo Virtual Mail Server guide, which is a deep and very detailed read on the topic. I will stray a little bit from that guide.
The main changes from the wiki pages are using SQLite3 instead of MySQL / PostgreSQL, which is perfectly fine for a few users like in my use case, and a different folders & permissions layout.
In addition, since the wiki page is a bit outdated, I am also following the great resources from PostfixAdmin here; I strongly suggest you read and document yourself too.
Architecture
I will show you how to install and interconnect:
- Postfix, the MTA (Mail Transfer Agent)
- Dovecot, the IMAP server
- NGINX + PHP-FPM for web access (admin console + webmail)
- PostfixAdmin, the email configuration web GUI
- Spam filtering (SpamAssassin or Rspamd, WIP)
Architecture diagram (the ASCII art was flattened during extraction; this is what its boxes and arrows roughly show):
- Roundcube (webmail) talks to Dovecot (IMAP) and to Postfix (SMTP)
- Postfix (SMTP) passes mail through Engine-SPF, OpenDKIM, OpenDMARC and the AntiSpam filter
- Postfix and Dovecot both reach the Mail storage
- PostfixAdmin, Postfix and Dovecot share the Database