
How to Build the Perfect Mail Server with Debian 13

Category: Tutorials
Author: Mihai

Building a reliable mail server from scratch may seem daunting, but with Debian 13 and the right configuration, you can create a secure and efficient email system. This comprehensive guide will walk you through every step of the process.

1. Prerequisites

Before we begin, ensure you have:

  • A fresh Debian 13 server with at least 2GB RAM
  • A static IP address
  • A domain name with full DNS control
  • Root or sudo access
  • At least 25GB storage space

2. DNS Configuration

Proper DNS setup is crucial for mail delivery. Configure these records:

A/AAAA Records

mail.yourdomain.com.    IN    A    192.168.1.100
mail.yourdomain.com.    IN    AAAA    2001:db8::100

MX Record

yourdomain.com.        IN    MX    10    mail.yourdomain.com.

SPF Record

yourdomain.com.        IN    TXT    "v=spf1 mx -all"

DKIM and DMARC (we'll configure these later)

3. System Preparation

Update System

apt update && apt upgrade -y
apt install -y curl wget gnupg2

Set Hostname

hostnamectl set-hostname mail.yourdomain.com
echo "mail.yourdomain.com" > /etc/hostname
echo -e "127.0.0.1\tmail.yourdomain.com mail" >> /etc/hosts

4. Install Postfix (MTA)

Install Postfix

apt install -y postfix postfix-pcre

Configure Postfix

Edit /etc/postfix/main.cf:

# Basic settings
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Mailbox format
home_mailbox = Maildir/

# Security settings
smtpd_tls_cert_file=/etc/ssl/certs/mail.yourdomain.com.crt
smtpd_tls_key_file=/etc/ssl/private/mail.yourdomain.com.key
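# "may" = opportunistic STARTTLS. A public MX on port 25 has to keep accepting
# mail from servers without TLS (RFC 3207); "encrypt" would reject it.
# smtpd_tls_auth_only still confines AUTH to encrypted sessions.
# (smtpd_use_tls is obsolete; smtpd_tls_security_level replaces it.)
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes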

# Anti-spam
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org

5. Install Dovecot (IMAP/POP3 Server)

Install Dovecot

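# dovecot-managesieved provides the "sieve" protocol enabled in dovecot.conf below
apt install -y dovecot-core dovecot-imapd dovecot-pop3d dovecot-sieve dovecot-lmtpd dovecot-managesieved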

Configure Dovecot

Edit /etc/dovecot/dovecot.conf:

!include conf.d/*.conf
!include_try local.conf

protocols = imap pop3 lmtp sieve
listen = *
base_dir = /var/run/dovecot/
instance_name = dovecot

Edit /etc/dovecot/conf.d/10-mail.conf:

mail_location = maildir:~/Maildir
mail_privileged_group = mail

Edit /etc/dovecot/conf.d/10-auth.conf:

auth_mechanisms = plain login
!include auth-passwdfile.conf.ext
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

6. SSL/TLS Configuration

Generate SSL Certificate

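# --standalone serves the challenge on port 80, which must be reachable
# from the internet for issuance and for every renewal
apt install -y certbot
certbot certonly --standalone -d mail.yourdomain.com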

Configure Postfix SSL

postconf -e 'smtpd_tls_cert_file=/etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem'
postconf -e 'smtpd_tls_key_file=/etc/letsencrypt/live/mail.yourdomain.com/privkey.pem'

7. User Management

Create Virtual Mail User

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail/vhosts -s /bin/false
mkdir -p /var/mail/vhosts/yourdomain.com
chown -R vmail:vmail /var/mail/vhosts

Create Email Users

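# Generate password hash (omit -p so doveadm prompts; a password given on
# the command line is saved in shell history and visible in the process list)
doveadm pw -s SHA512-CRYPT

# Add user to /etc/dovecot/users (single quotes keep the shell from
# expanding the $ characters in the hash)
echo '[email protected]:{SHA512-CRYPT}yourhash::::::' >> /etc/dovecot/users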

8. Install and Configure OpenDKIM

Install OpenDKIM

apt install -y opendkim opendkim-tools

Configure OpenDKIM

Edit /etc/opendkim.conf:

Syslog                  yes
UMask                   002
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
AutoRestart             yes
AutoRestartRate         10/1M
Background              yes
DNSTimeout              5
TrustAnchorFile         /usr/share/dns/root.key

Generate DKIM Keys

mkdir -p /etc/opendkim/keys/yourdomain.com
cd /etc/opendkim/keys/yourdomain.com
# -b 2048 requests a 2048-bit RSA key explicitly
opendkim-genkey -b 2048 -s mail -d yourdomain.com
chown opendkim:opendkim mail.private

Configure KeyTable and SigningTable

Edit /etc/opendkim/KeyTable:

mail._domainkey.yourdomain.com yourdomain.com:mail:/etc/opendkim/keys/yourdomain.com/mail.private

Edit /etc/opendkim/SigningTable:

*@yourdomain.com mail._domainkey.yourdomain.com
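
opendkim-genkey also writes mail.txt next to mail.private; it holds the TXT record to publish at mail._domainkey.yourdomain.com, split into several quoted strings because a single TXT string is limited to 255 bytes. The following is an added example, not part of the original guide: it joins those strings and checks that the published record carries the same p= key as mail.txt. The function names and all key material are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Key material is constructed filler.

# Join the quoted chunks of a TXT record (zone-file or `dig +short` layout)
# into the single string a DKIM verifier evaluates.
dkim_flatten() {
    tr -d '\n' | sed -e 's/^[^"]*"//' -e 's/"[^"]*$//' -e 's/"[^"]*"//g'
}

# Print the value of one tag (p, k, v, ...) from a flattened record on stdin.
dkim_tag() {
    tr -d ' \t' | tr ';' '\n' | sed -n "s/^$1=//p"
}

# dkim_matches KEYFILE_TEXT DNS_TEXT: succeed only if DNS publishes the same
# public key (p=) that opendkim-genkey wrote next to the private key.
dkim_matches() {
    want=$(printf '%s\n' "$1" | dkim_flatten | dkim_tag p)
    have=$(printf '%s\n' "$2" | dkim_flatten | dkim_tag p)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Constructed stand-in for /etc/opendkim/keys/yourdomain.com/mail.txt
KEYFILE_TXT='mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=CONSTRUCTEDsampleAAAA1111+/bbbb"
      "CCCC2222notARealKeyIDAQAB" )  ; ----- DKIM key mail for yourdomain.com'

# Constructed answers in the layout printed by
#   dig +short TXT mail._domainkey.yourdomain.com
DNS_OK='"v=DKIM1; h=sha256; k=rsa; " "p=CONSTRUCTEDsampleAAAA1111+/bbbb" "CCCC2222notARealKeyIDAQAB"'
# Failure mode: only the first key chunk was pasted into the DNS panel.
DNS_TRUNCATED='"v=DKIM1; h=sha256; k=rsa; p=CONSTRUCTEDsampleAAAA1111+/bbbb"'

for answer in "$DNS_OK" "$DNS_TRUNCATED"; do
    if dkim_matches "$KEYFILE_TXT" "$answer"; then
        echo "OK: published key matches mail.txt"
    else
        echo "MISMATCH: published p= differs from mail.txt"
    fi
done
```

On the server, pass the contents of mail.txt and the output of the dig command shown in the comment instead of the constructed strings.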

9. Configure DMARC

Add this DNS record for DMARC:

_dmarc.yourdomain.com.    IN    TXT    "v=DMARC1; p=quarantine; rua=mailto:[email protected]"

10. Install SpamAssassin

Install and Configure

apt install -y spamassassin spamc
adduser --system --home /var/lib/spamassassin --no-create-home --group spamd

Edit /etc/default/spamassassin:

ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
SAHOME="/var/lib/spamassassin/"
PIDFILE="/var/run/spamd.pid"

11. Install ClamAV for Virus Scanning

apt install -y clamav clamav-daemon
freshclam

12. Configure Postfix with Filters

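Edit /etc/postfix/master.cf: add the -o content_filter option under the existing smtp service line (do not add a second smtp line), then append the spamassassin service: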

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin

spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

13. Firewall Configuration

ufw allow 22/tcp
ufw allow 25/tcp
ufw allow 587/tcp
ufw allow 993/tcp
ufw allow 995/tcp
ufw enable

14. Testing Your Mail Server

Test SMTP Connection

telnet mail.yourdomain.com 25
EHLO mail.yourdomain.com

Test IMAP Connection

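# Port 993 is IMAP over implicit TLS, so a plain telnet session cannot talk to it
openssl s_client -connect mail.yourdomain.com:993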

Send Test Email

echo "Test email body" | mail -s "Test Subject" [email protected]

15. Monitoring and Maintenance

Log Files

# Mail logs
tail -f /var/log/mail.log

# Postfix queue
postqueue -p

# Dovecot logs
tail -f /var/log/dovecot.log

Regular Maintenance

# Update spam definitions
sa-update

# Update virus definitions
freshclam

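# Delete every message in the queue (irreversible; this also discards
# legitimate mail that is only waiting for a retry)
postsuper -d ALL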

16. Security Best Practices

  • Fail2Ban Setup: Install fail2ban to protect against brute force attacks
  • Regular Updates: Keep all packages updated
  • Backup Strategy: Regularly backup /etc/postfix, /etc/dovecot, and /var/mail
  • Monitor Logs: Set up log monitoring for unusual activity
  • Rate Limiting: Configure rate limits to prevent abuse
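
The Fail2Ban and log-monitoring items above both come down to spotting repeated authentication failures from one client. As an added example (not part of the original guide), this script counts failed SASL logins per client address in Postfix log lines; the function name, the sample log lines and the threshold of 3 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. The log lines are constructed.

# sasl_failures MIN: read Postfix log lines on stdin and print "count address",
# highest count first, for every client with at least MIN failed SASL logins.
sasl_failures() {
    awk -v min="$1" '
        /SASL [A-Z0-9-]+ authentication failed/ {
            # Postfix logs the client as name[address] just before ": SASL".
            if (match($0, /\[[0-9a-fA-F:.]+\]: SASL /)) {
                addr = substr($0, RSTART + 1, RLENGTH - 9)
                fails[addr]++
            }
        }
        END { for (a in fails) if (fails[a] >= min) print fails[a], a }
    ' | sort -rn
}

SAMPLE_LOG='Jan 12 03:14:01 mail postfix/smtpd[2101]: connect from unknown[203.0.113.5]
Jan 12 03:14:03 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:14:05 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:14:09 mail postfix/smtpd[2107]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed:
Jan 12 03:14:12 mail postfix/smtpd[2107]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:15:30 mail postfix/smtpd[2120]: warning: hostname host.example.net does not resolve to address 198.51.100.23
Jan 12 03:15:31 mail postfix/smtpd[2120]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed:
Jan 12 03:20:40 mail postfix/smtpd[2150]: warning: unknown[2001:db8::7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:20:44 mail postfix/smtpd[2150]: warning: unknown[2001:db8::7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:25:02 mail postfix/smtpd[2161]: 4F1A22C0: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=user'

# Report clients with three or more failures in the sample.
printf '%s\n' "$SAMPLE_LOG" | sasl_failures 3
```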

17. Troubleshooting Common Issues

Email Not Sending

  • Check DNS records (MX, A, PTR)
  • Verify firewall settings
  • Check mail logs for errors
  • Test with telnet connections

Authentication Issues

  • Verify user credentials in Dovecot
  • Check SSL certificate validity
  • Review authentication logs

Spam Filtering Problems

  • Adjust SpamAssassin thresholds
  • Check DKIM/SPF records
  • Review spam logs

18. Performance Optimization

Postfix Tuning

# Add to main.cf
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 100
queue_run_delay = 300s
minimal_backoff_time = 300s
maximal_backoff_time = 1800s

Dovecot Tuning

# Add to conf.d/10-master.conf
service imap-login {
  process_min_avail = 2
  process_limit = 256
}

service pop3-login {
  process_min_avail = 1
  process_limit = 64
}

19. Conclusion

Congratulations! You now have a fully functional, secure mail server running on Debian 13. Your server includes:

Remember to regularly maintain your server, monitor logs, and keep all software updated. With proper maintenance, your mail server will provide reliable service for years to come.
