
Configuring an AlmaLinux VPS server to send and receive emails when port 25 outbound is blocked for outgoing traffic and securing the server with Let’s Encrypt certificates can be achieved through the following steps:
Step 1: Set Up an Alternative Port for SMTP (Outgoing)
Since port 25 is blocked for outgoing traffic, you’ll need to use an alternative port for SMTP. Common alternatives are port 587 (submission port) and port 465 (SMTPS). For this guide, we’ll use port 587.
- Install Postfix: If you haven’t already, install Postfix on your AlmaLinux server:
sudo yum install postfix
- Edit the Postfix Configuration File: Open the main configuration file for Postfix:
sudo nano /etc/postfix/main.cf
- Update the Configuration: Add or update the following lines to configure Postfix to use port 587:
smtpd_tls_security_level = encrypt
smtpd_sasl_auth_enable = yes
smtpd_client_restrictions = permit_sasl_authenticated,reject
submission inet n - y - - smtpd
- Restart Postfix: Apply the changes by restarting Postfix:
sudo systemctl restart postfix
Step 2: Configure Firewall to Allow Port 587 (Outgoing)
- Open Port 587: Use
firewalldto open port 587:
sudo firewall-cmd --zone=public --add-port=587/tcp --permanent
sudo firewall-cmd --reload
Step 3: Set Up SendPulse for Email Relay (Outgoing)
To send emails via a relay SMTP server using SendPulse, follow these steps:
- Sign Up for SendPulse: Create an account on SendPulse and navigate to the SMTP settings.
- Copy SMTP Credentials: Obtain your SMTP server address, port, login, and password from SendPulse.
- Configure Your Email Client: Use the SMTP credentials to configure your email client or application to send emails through SendPulse.
Step 4: Configure Postfix to Receive Emails (Incoming)
Since port 25 is open for incoming traffic, you can use it to receive emails.
- Edit the Postfix Configuration File: Open the main configuration file for Postfix:
sudo nano /etc/postfix/main.cf
- Update the Configuration: Add or update the following lines to configure Postfix to receive emails on port 25:
myhostname = yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
- Restart Postfix: Apply the changes by restarting Postfix:
sudo systemctl restart postfix
Step 5: Configure Firewall to Allow Port 25 (Incoming)
- Open Port 25: Use
firewalldto open port 25 for incoming traffic:
sudo firewall-cmd --zone=public --add-port=25/tcp --permanent
sudo firewall-cmd --reload
Step 6: Enable TLS for Encrypted Connections with Let’s Encrypt
To encrypt your email communications, we will use Let’s Encrypt certificates.
- Install Certbot: Certbot is a tool that automates the process of obtaining and installing Let’s Encrypt certificates:
sudo yum install epel-release
sudo yum install certbot
- Obtain a Certificate: Run Certbot to obtain a certificate for your domain:
sudo certbot certonly --standalone -d yourdomain.com
- Configure Postfix to Use Let’s Encrypt Certificates: Open the main configuration file for Postfix:
sudo nano /etc/postfix/main.cf
- Update Postfix Configuration: Add the following lines to enable TLS using Let’s Encrypt certificates:
smtpd_tls_cert_file = /etc/letsencrypt/live/yourdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/yourdomain.com/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/yourdomain.com/chain.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
- Restart Postfix: Apply the changes by restarting Postfix:
sudo systemctl restart postfix
Step 7: Enable SASL Authentication
To prevent unauthorized users from sending emails through your server, enable SASL authentication:
- Install Cyrus SASL: If not already installed, install Cyrus SASL:
sudo yum install cyrus-sasl-plain
- Edit the Postfix Configuration File: Open the main configuration file for Postfix:
sudo nano /etc/postfix/main.cf
- Update the Configuration: Add the following lines to enable SASL authentication:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
- Restart Postfix: Apply the changes by restarting Postfix:
sudo systemctl restart postfix
Step 8: Configure Firewall Rules
Ensure your firewall rules are configured to allow only necessary ports:
- Open Required Ports: Use
firewalldto allow necessary ports (25 for incoming, 587 for outgoing, 465 if using SMTPS):
sudo firewall-cmd --zone=public --add-port=25/tcp --permanent
sudo firewall-cmd --zone=public --add-port=587/tcp --permanent
sudo firewall-cmd --zone=public --add-port=465/tcp --permanent
sudo firewall-cmd --reload
Step 9: Configure Spam and Malware Protection
To protect your email server from spam and malware, use tools like SpamAssassin and ClamAV:
- Install SpamAssassin and ClamAV:
sudo yum install spamassassin clamav
- Enable and Start SpamAssassin:
sudo systemctl enable spamassassin
sudo systemctl start spamassassin
- Enable and Start ClamAV:
sudo systemctl enable clamd@scan
sudo systemctl start clamd@scan
Step 10: Regularly Update Your System
Keep your system and software up to date to protect against vulnerabilities:
- Update System Packages:
sudo yum update -y
Step 11: Monitor Server Logs
Regularly monitor your server logs to detect and respond to suspicious activity:
- Check Mail Logs:
sudo tail -f /var/log/mail.log
Step 12: Set Up a Cron Job for Certificate Renewal
Let’s Encrypt certificates are valid for 90 days, so you need to set up a cron job to renew them automatically:
- Edit the Crontab: Open the crontab file:
crontab -e
- Add a Renewal Command: Add the following line to renew the certificate automatically:
0 3 * * * /usr/bin/certbot renew --quiet
- Save and Exit: Save the crontab file and exit the editor.
By following these steps, you can configure, secure, and use Let’s Encrypt certificates for your AlmaLinux VPS email server, ensuring that your email communications are encrypted and protected.
Want to install a web console to manage Postfix ? Read this article
