Projects

Raspberry Pi Mail Server: Final Touches

Updates: It turns out the relayhost setting below didn’t work for me. Here’s what I did instead.

If you’ve read any of my prvious posts about this (previous posts listed here), you’ll know they pretty much all included a “Next Steps” section. I have finally finished everything on the lists, so unless I discover I’ve done something wrong, or I think of something else this needs, I should be done with this project. Here’s what was left, which I’ll cover in this post:

Setting Up a Relay Mail Server

This was pretty straightforward, at least at the start. I bought a Linode and then used the same guide from the original “How” post to get Postfix up and running on it. From there, I just followed this guide to set up the new Postfix server as a relay back to my Raspberry Pi.

The big issue I ran into here was that I initially had both Postfix servers configured with the same hostname (just rlesthom.as) in main.cf. This caused a problem when trying to communicate between the two servers. To fix this, I just changed the my_hostname field to the same name they have on my DNS server. After that, I was able to relay mail from my backup Linode server to my Raspberry Pi. The only problem was that it was relaying the mail over port 25; the communication was unencrypted.

Using Stunnel to Make the Relay Server Send Mail to the Main Server Using an Encrypted Connection

It turns out that Postfix is incapable of relaying mail with encryption. After some DuckDuckGo-ing (If Googling can be a word, so can DuckDuckGo-ing), I found the answer to this problem was stunnel. Stunnel is in apt, so it was easy to install. The configuration was relatively simple, too, although I did hit a stumbling block: stunnel is encrypted at the start, but STARTTLS works by opening a plain-text connection, and then telling the server to Start the TLS encryption (hence the name). Stunnel can do this, too – you just have to add protocol = smtp to the stunnel config. However, in all the guides I found, this was not mentioned. Stunnel config is really short and sweet, so I’ll just dump my config here. This is /etc/stunnel/stunnel.conf:

client = yes
output = /var/log/stunnel4/stunnel.log
sslVersion = SSLv3
[smtps]
accept = 127.0.0.1:466
connect = primary.mail.server.com:465
protocol = smtp

It should be fairly obvious what’s going on here: stunnel is running in client mode, logging to /var/log/stunnel4/stunnel.log, using SSL version3, listening to plain-text connections on localhost (127.0.0.1), and sending the encrypted traffic to primary.mail.server.com, port 465. Again, the protocol field is important; the connection won’t open to the remote server without it.

There’s one important thing left to do in order to get this working: reconfigure Postfix to relay mail through stunnel, instead of sending it to the main Postfix server directly. This is done by changing the relay_hosts field in /etc/postfix/main.cf to this:

relay_hosts = 127.0.0.1:466

Regularly Making an Encrypted Backup

This was probably the easiest step of the entire process, mostly because I am already familiar with tar and gpg. I created a cron job on the Raspberry Pi to create an encrypted tarball in my home directory once per day. (gpg compresses by default, so there’s no need to gzip it, too.) Now when I’m on my laptop at home, I’ll just scp it down. And, as I’ve mentioned in previous posts, I have a Time Machine drive at work for offsite backup.

Here’s the cron job:

2 3 * * * tar -cO /home/email_user/Maildir | gpg -r email_address --encrypt > /home/system_user/mail.tar.gpg

Encrypting the Maildir File System

This was pretty easy to set up, too. I used this blog post’s EncFS section as a guide. One important note on that, though: If you look at the comments section, you’ll see people having trouble with the encfs command. I found the solution, and posted a comment, but at the time of this writing, the comment hasn’t been approved by the blog’s author. At any rate, here is the version of the command that worked for me:

encfs –public /encrypted_mail /decrypted_mail

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s