RomainFallet/home-mailserver


(Re)Take control of your emails at home with Mailinabox and a Raspberry Pi 4

Installation guide

  1. Requirements
  2. OS installation
  3. Hardware installation
  4. Initial Ubuntu setup
  5. Upgrade your system & enable automatic updates
  6. Local network access
  7. Remote network access
  8. Restrict SSH access
  9. Set up Mailinabox
  10. Configure your DNS zone
  11. Request TLS certificates from Let's Encrypt
  12. Configure backups

Maintenance guide

1. Requirements

ISP requirements

Back to top ↑

In order to host your emails, your Internet Service Provider (ISP) needs to match some requirements:

  • Your ISP must give you a static IP address
  • Your ISP must allow you to configure your reverse DNS
  • Your ISP must not block ports 25 and 465 (SMTP)

In France, the ISP called "Free" matches these requirements.

Registrar requirements

Back to top ↑

In order to host your emails, you'll need a domain name that you can buy from a domain name registrar. Your registrar needs to meet some requirements:

  • Your registrar must offer you to host your DNS zone
  • Your registrar must allow you to set up NS, A, AAAA, SPF, TXT, DKIM, TLSA, SSHFP, SRV, and DMARC records in your DNS zone

The registrar called "OVH" matches these requirements.

Note: prefer a domain name dedicated to this usage (do not use it for other things like web hosting). This makes it easier to control your sender reputation, which is what keeps your emails from being flagged as SPAM.

Hardware requirements

Back to top ↑

2. OS installation

Back to top ↑

  1. Download the Ubuntu 18.04 64-bit (arm64) image for the Raspberry Pi 4.
  2. Put your microSD card in your SD card reader and connect it to your computer.
  3. Follow the instructions to flash the downloaded image onto the microSD card.
  4. Disconnect everything when the process is finished.

3. Hardware installation

Back to top ↑

  1. Put your microSD card containing the installed OS in your Raspberry Pi.
  2. Put your Raspberry Pi into its case.
  3. Connect your Raspberry Pi to your router with the Ethernet cable.
  4. Connect your keyboard and screen to your Raspberry Pi.
  5. Connect the power adapters of your Raspberry Pi and screen.

Your Ubuntu machine will boot up!

4. Initial Ubuntu setup

Back to top ↑

You can log in with "ubuntu" as default login and password. You may get login errors if you try to log in as soon as the prompt is displayed, because some background installation processes are not completed yet. Wait until the SSH host keys are displayed on the screen, then press "Enter". You will be prompted to change your password immediately after login.

Note: Ubuntu 18.04 for Raspberry Pi 4 uses a "qwerty" keyboard layout by default, which might not be yours. To avoid losing access to your account, I suggest you set something universal like "hellohello" for now, set the appropriate keyboard layout, and change the password later.

Step 1: set up appropriate keyboard layout

Back to top ↑

sudo dpkg-reconfigure keyboard-configuration

Step 2: restart your machine to enable changes

Back to top ↑

sudo reboot

Step 3: allow root login

Back to top ↑

Because you might want something more personal than "ubuntu" as a username, you can change it. A user cannot be renamed while it is logged in, so we will use the root account for that and temporarily allow root login by giving it a password:

sudo passwd root
logout

Step 4: change username and password

Back to top ↑

Login as root and use these commands to rename your username and change your password to something more meaningful to you:

# Change username
usermod -l <newUserName> ubuntu

# Rename home directory
usermod -d /home/<newUserName> -m <newUserName>

# Change password
passwd <newUserName>

Step 5: disallow root login

Back to top ↑

When it's done, lock the root account again: this removes root's password so that nobody can log in as root directly (on the console or over SSH), while sudo from your own account keeps working. For security reasons, you should never leave your root account accessible.

# Lock the root account's password
passwd -l root

# Logout from root user
logout

5. Upgrade your system & enable automatic updates

Back to top ↑

Upgrading the system ensures that all your software carries the latest security fixes.

sudo apt update && sudo apt dist-upgrade -y

Then, we'll enable automatic updates to be sure that all future security fixes are installed as soon as they are released. The email notifications configured below need a working local mail server, which Mailinabox will provide once section 9 is done:

# Make a backup of the config files
sudo cp /etc/apt/apt.conf.d/10periodic /etc/apt/apt.conf.d/.10periodic.backup
sudo cp /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/.50unattended-upgrades.backup

# Download and install upgradable packages automatically
echo "APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Download-Upgradeable-Packages \"1\";
APT::Periodic::Unattended-Upgrade \"1\";
APT::Periodic::AutocleanInterval \"7\";" | sudo tee /etc/apt/apt.conf.d/10periodic > /dev/null

# Ask for email
if [[ -z "${email}" ]]; then
    read -r -p "Enter your email (needed to set up email monitoring): " email
fi

# Install updates automatically
echo "Unattended-Upgrade::Allowed-Origins {
  \"\${distro_id}:\${distro_codename}\";
  \"\${distro_id}:\${distro_codename}-security\";
  \"\${distro_id}ESMApps:\${distro_codename}-apps-security\";
  \"\${distro_id}ESM:\${distro_codename}-infra-security\";
  \"\${distro_id}:\${distro_codename}-updates\";
};
Unattended-Upgrade::DevRelease \"false\";
Unattended-Upgrade::Mail \"${email}\";
Unattended-Upgrade::MailOnlyOnError \"true\";
Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";
Unattended-Upgrade::Remove-Unused-Dependencies \"true\";
Unattended-Upgrade::Automatic-Reboot \"true\";
Unattended-Upgrade::Automatic-Reboot-Time \"05:00\";" | sudo tee /etc/apt/apt.conf.d/50unattended-upgrades > /dev/null

6. Local network access

Back to top ↑

If you want to access your machine from another computer on your local network instead of directly with a keyboard and a screen, you'll need to reserve a static IP address for it. Otherwise the address assigned inside your network can change each time your router or the Pi restarts, which is quite annoying.

Step 1: display the MAC address of the Pi's network interface

Back to top ↑

# "ip" is always installed on Ubuntu; "ifconfig" needs the net-tools package
ip link show | grep -i ether

Step 2: login to your router admin panel

Back to top ↑

Login to your router according to your ISP and/or router documentation.

Note: for the "Free" ISP, the URL of the admin panel is: https://subscribe.free.fr/login/.

Step 3: register a static address

Back to top ↑

Register the static IP address according to your ISP and/or router documentation.

The IP address you choose must not be in the DHCP server range. You can start with something like "192.168.0.101".

Note: for the "Free" ISP, once logged in, go under "Ma Freebox" > "Paramétrer mon routeur Freebox" > "Redirections / Baux DHCP" and fill in the form as below.

register-static-ip

Step 4: SSH access

Back to top ↑

With this, you should now be able to access your Raspberry Pi from your computer (which must be connected to the same network as your Pi) through SSH with this command:

ssh <yourUserName>@<yourIpAddress>

7. Remote network access

Step 1: set up port forwarding

Back to top ↑

For now, your router is the target of all requests made to your public IP address, and it does nothing with them.

We need to instruct it to forward that traffic to the Pi so that we can reach it from outside the local network, from the Internet.

According to your ISP/router documentation, forward TCP ports 80, 443, 22, 25, 587, 993, 4190 and 3022, and port 53 on both TCP and UDP, to the static local IP address of your Pi. Port 22 is only needed until SSH is moved to port 3022 in section 8; remove that rule afterwards. Every forwarded port is a service exposed to the whole Internet, so do not add ports beyond this list.

Note: for the "Free" ISP, once logged in, go under "Ma Freebox" > "Paramétrer mon routeur Freebox" > "Redirections / Baux DHCP" and fill in the form as below.

port-forwarding

Step 2: disable SMTP blocking

Back to top ↑

Your ISP may also block outgoing SMTP (port 25) by default, to prevent hijacked computers from sending SPAM.

If that is your case, this will prevent your box from delivering emails to other servers.

According to your ISP/router documentation, disable SMTP blocking.

Note: for the "Free" ISP, once logged in, go under "Ma Freebox" > "Blocage du port SMTP sortant".

smtp-block

Step 3: configure your reverse DNS

Back to top ↑

reverse-dns

The reverse DNS (PTR) record is the way a domain name is retrieved from an IP address, the opposite direction of the usual A record lookup. You can find a fuller explanation in this blog post.

Receiving mail servers use it as an anti-spam check: they look up the PTR record of the IP address that connects to them, then check that the name it returns resolves back to the same address (forward-confirmed reverse DNS). An IP without a matching PTR record is frequently rejected outright or lands in the SPAM folder, whatever the sender address says.

The Mailinabox software that we'll install later puts everything under a dedicated subdomain, box.<yourDomainName>, and that hostname is what your reverse DNS must return.

For example, if you want to send mail from "john@example.com", your reverse DNS will be box.example.com.

According to your ISP/router documentation, configure your reverse DNS.

Note: for the "Free" ISP, once logged in, go under "Ma Freebox" > "Personnaliser mon reverse DNS".

reverse-dns

8. Restrict SSH access

Back to top ↑

The root account is locked, but anybody who finds (or guesses) your password can still log in to your machine over SSH as your user account.

Your user account is not root but has sudo privileges, so if it is compromised, an attacker can do pretty much anything with your machine, including reading your data.

To restrict the account to you, we will disable SSH password authentication and only let computers holding an authorized key log in with your user account (this does not affect password login with a keyboard and screen connected directly to the Pi).

On each computer you want to access your Raspberry Pi from, follow these steps:

Step 1: create an SSH key

Back to top ↑

If you don't have an SSH key yet (look for the "~/.ssh/id_rsa" and "~/.ssh/id_rsa.pub" files), use this command to generate one:

# -N '' creates a key without a passphrase; drop that option to be prompted for one,
# so that a copy of the key file alone is not enough to log in to your Pi
ssh-keygen -t rsa -b 4096 -N '' -f ~/.ssh/id_rsa

Step 2: add your public key to your machine's authorized keys

Back to top ↑

From your computer, run:

# Creates ~/.ssh on the Pi if needed and appends your public key with the permissions
# sshd requires (it ignores an authorized_keys file that is group or world writable).
# The OpenSSH helper "ssh-copy-id -i ~/.ssh/id_rsa.pub <yourUserName>@<yourIpAddress>" does the same.
ssh <yourUserName>@<yourIpAddress> "mkdir -p ~/.ssh && chmod 700 ~/.ssh && echo '$(cat ~/.ssh/id_rsa.pub)' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

If you reconnect to your machine through SSH, you should now be logged in without being asked for a password. SSH logs you in automatically when your local private key matches one of the public keys listed in the remote "~/.ssh/authorized_keys" file.

Step 3: disallow SSH password authentication

Back to top ↑

Now that you have key-based SSH access to your Raspberry Pi, we will disallow password authentication. Nobody can then get in over SSH without one of the private keys matching "~/.ssh/authorized_keys", however weak or leaked your password is.

I recommend you back up your "~/.ssh/id_rsa" and "~/.ssh/id_rsa.pub" files in a safe place, for example in a password manager app protected by a master password.

This will prevent you from losing access to your Pi if your only authorized computer dies (in that case, copy these files to your next computer to allow connections from it).

To disable SSH password authentication, connect to your Pi and run:

# Update the config and save the original in a "/etc/ssh/sshd_config.backup" file.
# The stock Ubuntu file ships the setting commented out ("#PasswordAuthentication yes"),
# so the pattern must also match that form: editing only the comment would leave sshd
# on its built-in default, which is "yes".
sudo sed -i'.backup' -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config

# Check the effective value before restarting (sshd -T prints the config as sshd parses it)
sudo sshd -T | grep -i '^passwordauthentication'

# Restart SSH. Keep this session open and confirm that a new key-based login works
# from a second terminal before closing it.
sudo service ssh restart

Step 4: keep alive SSH connections

Back to top ↑

This prevents idle SSH sessions from being dropped (typically by the router's NAT table): the server sends a keep-alive probe every 120 seconds and closes the connection only after 3 unanswered probes.

# Keep alive client connections
echo "
ClientAliveInterval 120
ClientAliveCountMax 3" | sudo tee -a /etc/ssh/sshd_config > /dev/null

# Restart SSH
sudo service ssh restart

Step 5: Change default SSH port

Back to top ↑

Moving SSH off port 22 is not a security control on its own, but it keeps most automated scanners and brute-force bots (which only try the default port) out of your logs. Mail-in-a-Box's setup script reads the port sshd listens on when it creates its firewall rules, which is one reason this step comes before section 9.

# The stock file has the line commented out; this uncomments it with the new port
# (note that -i'.backup' overwrites the backup made in step 3)
sudo sed -i'.backup' -e 's/^#\?Port 22/Port 3022/' /etc/ssh/sshd_config

# Restart SSH
sudo service ssh restart

From now on, connect with "ssh -p 3022 <yourUserName>@<yourIpAddress>". Once that works, remove the router rule for port 22 added in section 7, so that the default port is not reachable from the Internet at all.
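The three sshd settings this section changes can be verified independently of the sed patterns. The script below is an added example written for this page, not code from the guide or from OpenSSH: it re-implements sshd's parsing rules for the keywords involved (comment lines, first uncommented occurrence wins, built-in defaults) and runs them over two constructed sshd_config samples, so it also shows why a sed that only rewrites the commented "#PasswordAuthentication yes" line changes nothing. The sample contents and the "PermitRootLogin no" recommendation are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: read an sshd_config the way sshd
# does and confirm that the hardening of steps 3 to 5 took effect. sshd treats a
# line starting with "#" as a comment, uses the FIRST uncommented occurrence of a
# keyword, compares keywords case-insensitively, and falls back to a built-in
# default when a keyword is absent. Match blocks are not handled here.
# On the real Pi, "sudo sshd -T" prints the authoritative effective configuration.

# effective_setting CONFIG_TEXT KEYWORD DEFAULT -> prints the value sshd would use
effective_setting() {
    local config="$1" key="$2" default="$3" value
    value=$(printf '%s\n' "$config" \
        | sed 's/^[[:space:]]*//' \
        | grep -v '^#' \
        | awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }')
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$default"
    fi
}

# check_hardening CONFIG_TEXT -> 0 when password logins are off, root cannot log in
# over SSH at all, and sshd listens on a non-default port; prints each finding.
# Defaults are those of OpenSSH 7.6 as shipped with Ubuntu 18.04.
check_hardening() {
    local config="$1" status=0 pw root port
    pw=$(effective_setting "$config" PasswordAuthentication yes)
    root=$(effective_setting "$config" PermitRootLogin prohibit-password)
    port=$(effective_setting "$config" Port 22)
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication is '$pw', expected 'no'"; status=1
    fi
    # The guide locks root's password (passwd -l), which does not stop key-based
    # root logins; "PermitRootLogin no" closes that path too (added recommendation)
    if [ "$root" != no ]; then
        echo "PermitRootLogin is '$root', expected 'no'"; status=1
    fi
    if [ "$port" = 22 ]; then
        echo "Port is 22, expected the non-default port chosen in step 5"; status=1
    fi
    return "$status"
}

# Constructed sample 1: the stock Ubuntu file after a sed that only rewrote the
# commented "#PasswordAuthentication yes" line (sshd ignores all of these lines)
SAMPLE_COMMENTED='#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

# Constructed sample 2: the same file after the anchored sed and steps 4 and 5
SAMPLE_HARDENED='Port 3022
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
ClientAliveInterval 120
ClientAliveCountMax 3'

echo "sample 1 (only the comment was edited):"
check_hardening "$SAMPLE_COMMENTED" || echo "=> NOT hardened: sshd still runs on its defaults"
echo "sample 2 (anchored sed, port moved):"
check_hardening "$SAMPLE_HARDENED" && echo "=> hardened"
```

To run it against the real file, replace the samples with `"$(sudo cat /etc/ssh/sshd_config)"`; the result must agree with `sudo sshd -T`, which is the final word because it also resolves Match blocks and include files that this parser skips.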

9. Set up Mailinabox

Step 1: install Mailinabox

Back to top ↑

# Install some dependencies
sudo apt install -y libffi-dev python-paramiko

# Install Mailinabox v0.45 (a release built for Ubuntu 18.04), cloned into your home directory
git clone https://github.com/mail-in-a-box/mailinabox ~/mailinabox
cd ~/mailinabox
git checkout v0.45
sudo ./setup/start.sh

During the install process, you will be asked for your domain name and the main email address that will be set up as the admin account of the system.

Step 2: login to your admin panel

Back to top ↑

When the install process ends, it prints the URL of your Mailinabox admin panel on your public IP address:

https://<yourIP>/admin

The certificate is self-signed at this point (real ones come in section 11), so your browser shows a security warning; accept it and log in with the admin credentials you chose during setup.

Step 3: disable default backups

Back to top ↑

By default, Mailinabox makes backups on the machine itself, which takes a lot of space on your disk. Let's disable this feature (we will configure external backups later).

Go under "System > Backup status" and set the "Backup to" option to "Nowhere".

turn-off-backups

10. Configure your DNS zone

Back to top ↑

If you go now to the "Status Checks" tab, you will see red issues everywhere.

We instructed the router to redirect the traffic arriving on our public IP address to the local IP address of the Pi. But nothing yet tells the rest of the Internet that our domain name belongs to that public IP address.

Let's do that.

Step 1: access your external DNS configuration

Back to top ↑

By default, Mailinabox configures everything to serve your DNS zone directly from your machine.

This can be an issue in case of a breakdown, because there is no redundancy. If your Pi dies prematurely, all the records telling the world where your domain's traffic should go die with it, and rebuilding everything is not as easy as it sounds.

From experience, I found it safer to host the DNS zone on the registrar side (which has redundancy). If your machine dies or if you want to host your data elsewhere, the records keep resolving in the meantime and you only have to edit them.

To do that, go to your Mailinabox admin panel, under "System > External DNS", to display the records you need to replicate.

external-dns

Step 2: replicate this configuration in your DNS zone

Back to top ↑

Now you need to configure your DNS zone exactly like this. Go into your registrar admin panel and add all these records according to its documentation.

This is what it looks like with OVH: dns-zone

Even though the modifications are applied instantly in the interface, the DNS changes can take several hours (up to 24 hours) to propagate around the world, so wait a few hours before continuing.

11. Request TLS certificates from Let's Encrypt

Back to top ↑

Once your DNS configuration is propagated and correct, you can request TLS certificates in order to reach your machine with your own domain name over HTTPS.

Go under "System > TLS (SSL) Certificates" and hit the "Provision" button to automatically get TLS certificates for your domains.

ssl-certs

After that, you may see an error: the admin panel now presents a certificate issued for box.<yourDomainName>, which does not match the bare IP address. Access your admin panel with your domain name instead:

https://box.<yourDomainName>/admin

Now, if you go to "Status Checks", you should have green lines everywhere:

status-checks

Note: I have one red line on the reverse DNS check because Mailinabox checks that the reverse DNS is set for both IPv4 and IPv6, but my ISP only lets me set a reverse DNS for IPv4 so far. This is not a blocking issue as long as the box does not send mail over IPv6 (no public AAAA record for box.<yourDomainName>): receiving servers then only ever see the IPv4 address.
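The DNS-side checks that the "Status Checks" tab and remote mail servers perform on what sections 7, 10 and 11 set up (reverse DNS, SPF, DMARC) can be run from any machine that has dig. The script below is an added example, not part of the guide or of Mail-in-a-Box; the IP addresses, example.com names and records in its fixture are constructed for the offline run and are not real data.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide or of Mail-in-a-Box: the lookups a
# receiving mail server makes against your box, run with dig so you can check the
# zone yourself before trusting the admin panel's "Status Checks".
#   fcrdns_ok  forward-confirmed reverse DNS: PTR(ip) names the box and A(box) = ip
#   spf_ok     exactly one SPF TXT record on the mail domain, ending in -all or ~all
#   dmarc_ok   a v=DMARC1 record on _dmarc.<domain> with a p= policy
# dns_query is the only function that touches the network. With DNSCHECK_OFFLINE=1
# it answers from the constructed fixture below (not real DNS data), which lets the
# script run without a network or a configured zone.

# fixture_query TYPE NAME -> constructed answers for a hypothetical example.com box
fixture_query() {
    case "$1 $2" in
        "-x 203.0.113.10")          echo "box.example.com." ;;
        "A box.example.com")        echo "203.0.113.10" ;;
        "TXT example.com")          echo '"v=spf1 mx -all"' ;;
        "TXT _dmarc.example.com")   echo '"v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"' ;;
        "-x 198.51.100.7")          echo "other.example.net." ;;   # PTR pointing elsewhere
        "TXT weak.example")         echo '"v=spf1 +all"' ;;         # SPF that allows everyone
        *)                          : ;;                            # no answer
    esac
}

# dns_query TYPE NAME -> short-form answers, one per line ("-x IP" for a PTR lookup)
dns_query() {
    if [ "${DNSCHECK_OFFLINE:-0}" = 1 ]; then
        fixture_query "$1" "$2"
    else
        dig +short "$1" "$2"
    fi
}

# txt_record NAME -> TXT strings of NAME with the surrounding quotes removed
txt_record() {
    dns_query TXT "$1" | tr -d '"'
}

# fcrdns_ok IP HOST -> 0 when the PTR of IP is HOST and HOST resolves back to IP
fcrdns_ok() {
    local ip="$1" host="$2" ptr
    ptr=$(dns_query -x "$ip" | sed 's/\.$//')
    if [ "$ptr" != "$host" ]; then
        echo "PTR for $ip is '${ptr:-<none>}', expected '$host'"
        return 1
    fi
    if ! dns_query A "$host" | grep -qx "$ip"; then
        echo "A record for $host does not point back to $ip"
        return 1
    fi
}

# spf_ok DOMAIN -> 0 when DOMAIN has exactly one SPF record that ends with -all or ~all
spf_ok() {
    local domain="$1" spf count
    spf=$(txt_record "$domain" | grep '^v=spf1' || true)
    count=$(printf '%s\n' "$spf" | grep -c '^v=spf1' || true)
    if [ "$count" -ne 1 ]; then
        echo "$domain has $count SPF records, need exactly one"
        return 1
    fi
    case "$spf" in
        *" -all"|*" ~all") ;;
        *) echo "SPF for $domain does not end with -all or ~all: '$spf'"; return 1 ;;
    esac
}

# dmarc_ok DOMAIN -> 0 when _dmarc.DOMAIN carries v=DMARC1 with a p= policy
dmarc_ok() {
    local domain="$1" rec
    rec=$(txt_record "_dmarc.$domain" | grep '^v=DMARC1' || true)
    case "$rec" in
        *"p=none"*|*"p=quarantine"*|*"p=reject"*) ;;
        *) echo "_dmarc.$domain is missing or has no p= policy: '${rec:-<none>}'"; return 1 ;;
    esac
}

# Usage on the Pi (needs dig and a propagated zone):
#   ./dnscheck.sh <publicIP> box.<yourDomainName> <yourDomainName>
# Offline dry run against the fixture:
#   DNSCHECK_OFFLINE=1 ./dnscheck.sh 203.0.113.10 box.example.com example.com
if [ "$#" -eq 3 ]; then
    fcrdns_ok "$1" "$2" && spf_ok "$3" && dmarc_ok "$3" && echo "all checks passed for $2 / $3"
fi
```

Run it from outside your network, not from the Pi: the PTR lookup must go through the public resolvers your correspondents use, and a box whose A record resolves only on your LAN would pass locally and fail everywhere else. Multiple PTR records for one IP are reported as a mismatch on purpose; receivers treat that case as unconfirmed too.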

12. Configure backups

Step 1: find a place for your backup machine

Back to top ↑

You need redundancy for your data, because in a single place it is not protected from a burglary, a fire, a water leak or a power surge.

Whatever the case, you need a location different from the one where you installed your machine to set up a backup machine (a different office, a family or friend house...).

This is the only way to make your data survive the loss of the whole site.

Step 2: set up the backup machine

Back to top ↑

You can set up a backup machine with a second Raspberry Pi. Find instructions here: https://github.com/RomainFallet/home-backupserver.

Step 3: set up access to the backup machine

Back to top ↑

A specific user must be created on the backup machine to isolate the backups of this machine and to enable passwordless connection.

Follow these instructions to create a new backup access.

Step 4: limit the CPU usage of the backups

Back to top ↑

# Install cpulimit
sudo apt install -y cpulimit

# Create the service file to launch cpulimit on startup
echo "[Unit]
Description=CPU limit for rsync backups
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/cpulimit -e rsync -l 50
Restart=on-failure

[Install]
WantedBy=multi-user.target" | sudo tee /etc/systemd/system/cpulimitrsync.service > /dev/null

# Enable the service file
sudo systemctl daemon-reload
sudo systemctl enable cpulimitrsync

# Start the service
sudo service cpulimitrsync start

Step 5: enable hourly backups

Back to top ↑

# Get credentials
read -r -p "Enter your backup machine SSH username: " backupusername
read -r -p "Enter your backup machine SSH hostname: " backuphostname
read -r -p "Enter your backup machine SSH port: " backupport

# Backup command. It runs as root from /etc/crontab, so root (not your user) needs a
# key pair whose public key is registered on the backup machine; connect once manually
# as root (see the maintenance guide) so the host key lands in /root/.ssh/known_hosts.
backupcroncommand="0 *    * * *    root    pgrep rsync > /dev/null || rsync -e 'ssh -p ${backupport}' --delete -av /home/user-data ${backupusername}@${backuphostname}:~/ > /dev/null"

# Enable hourly backups. The duplicate check must be a fixed-string, whole-line match:
# the "* * *" cron fields are regex metacharacters and a plain grep pattern never
# matches the line it just wrote, so every re-run would append another copy.
if ! sudo grep -qxF -- "${backupcroncommand}" /etc/crontab
then
  echo "${backupcroncommand}" | sudo tee -a /etc/crontab > /dev/null
fi
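The cron entry above can be built and installed idempotently, and the "is a backup already running" guard can be made exact. The script below is an added example, not the guide's own code: it works on a scratch copy of a crontab header rather than on /etc/crontab, and the backup user, host and port it uses are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: build the hourly backup entry and
# add it to a crontab file idempotently, on a scratch file rather than /etc/crontab.
# Two deliberate differences from the guide's line:
#  - the duplicate check is a fixed-string, whole-line match (grep -qxF); with a
#    plain "grep ^line" the "* * *" cron fields are regex metacharacters and the
#    check never matches the entry it wrote, so each re-run appends a duplicate;
#  - overlapping runs are prevented with flock on a lock file instead of
#    "pgrep rsync", which also fires on any unrelated rsync process and would then
#    silently skip the backup.
# The backup user, host and port below are placeholders, not real machines.

# backup_cron_line USER HOST PORT -> the /etc/crontab line (6 fields: the 6th is the user)
backup_cron_line() {
    local user="$1" host="$2" port="$3"
    printf '0 *    * * *    root    flock -n /run/lock/miab-backup.lock rsync -e "ssh -p %s" --delete -a /home/user-data %s@%s:~/ > /dev/null\n' \
        "$port" "$user" "$host"
}

# add_cron_line FILE LINE -> appends LINE to FILE unless an identical line is present;
# prints "added" or "present"
add_cron_line() {
    local file="$1" line="$2"
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# count_cron_line FILE LINE -> how many lines of FILE are identical to LINE
count_cron_line() {
    grep -cxF -- "$2" "$1" || true
}

# Demo on a scratch copy of a stock /etc/crontab header (constructed content)
demo() {
    local tmp line
    tmp=$(mktemp)
    printf 'SHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n' > "$tmp"
    line=$(backup_cron_line backup backup.example.net 3022)
    add_cron_line "$tmp" "$line"    # added
    add_cron_line "$tmp" "$line"    # present
    count_cron_line "$tmp" "$line"  # 1
    rm -f "$tmp"
}
demo
```

On the Pi, point add_cron_line at /etc/crontab (run it with sudo) and keep stdout redirected to /dev/null as in the guide: cron then mails only stderr, so the MAILTO address of step 6 hears about failed transfers and nothing else. Because flock -n exits non-zero when the previous hour's run is still going, that condition is reported the same way.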

Step 6: set up cron monitoring by email

# Ask for email
if [[ -z "${email}" ]]; then
  read -r -p "Enter your email (needed to set up email monitoring): " email
fi

# Set up email monitoring: cron mails the output of the jobs in /etc/crontab to this
# address, and the backup command above only emits output when something goes wrong
mailmonitoringconfig="MAILTO=${email}"
if ! sudo grep -qxF -- "${mailmonitoringconfig}" /etc/crontab
then
  # Insert the MAILTO line right after the PATH line (and keep a copy of the original file)
  sudo sed -i'.backup' -E "s/^(PATH=.*)$/\1\n${mailmonitoringconfig}/" /etc/crontab
fi

Maintenance: backup your data manually

Step 1: disable access to the machine

Back to top ↑

To ensure you have a final, consistent backup, first block access to your machine for all services besides SSH, so that no mail is delivered or changed while the copy is made.

# Reset all firewall rules (--force skips the interactive confirmation)
sudo ufw --force reset

# Only allow SSH on the port chosen in section 8 (if not, we lose access to the machine)
sudo ufw allow 3022/tcp

# Reactivate the firewall
sudo ufw --force enable

Step 2: trigger a manual backup

Back to top ↑

You can trigger a manual backup with this. Done once as root before enabling the hourly cron job, it also records the backup machine's host key in /root/.ssh/known_hosts, which the non-interactive cron run needs:

# Login as root (the cron job runs as root too, so root's own SSH key must be authorized on the backup machine)
sudo su

# Get credentials
read -r -p "Enter your backup machine SSH username: " backupusername
read -r -p "Enter your backup machine SSH hostname: " backuphostname
read -r -p "Enter your backup machine SSH port: " backupport

# Perform backup
rsync -e "ssh -p ${backupport}" --delete -av /home/user-data ${backupusername}@${backuphostname}:~/

# Logout from root
exit

Step 3: re-enable access to the machine

Back to top ↑

# Re-running the Mailinabox setup recreates its firewall rules and restarts its services
sudo mailinabox
