Commit

Author: mariasaragih

README.md

@@ -1,75 +1,234 @@
-# Private and Secure Email Server Architecture
+# Secure Mail Server Documentation 📧🔒
 
-## The Journey of Self-Hosting Email
+Welcome to the **Secure Mail Server Docs** repository! This project provides comprehensive documentation for setting up a private and secure mail server. Our guides cover everything you need to know about configuring your mail server using Haraka, Mailcow, DNS settings, firewall rules, Wireguard VPN, and Caddy for enhanced security and reliability.
 
-When I first embarked on the journey of self-hosting my email server, I encountered a common narrative in the tech community: "Don't do it." Friends and YouTube experts alike warned me about two major challenges:
+[![Download Releases](https://img.shields.io/badge/Download%20Releases-blue.svg)](https://github.com/mariasaragih/secure-mail-server-docs/releases)
 
-1. **Complexity**: Setting up a private email server is notoriously complex, they said. And they weren't entirely wrong. The process is indeed complex, but perhaps not for the reasons we think. The complexity isn't inherent to the technology itself, but rather stems from a lack of modern, user-friendly tools and documentation. It's almost as if the tech industry has collectively decided that self-hosting email is a lost cause, leading to a self-fulfilling prophecy where the tools and guides remain outdated and complicated.
+## Table of Contents
 
-2. **Deliverability**: "Your emails will never reach inboxes," they cautioned. "Major providers like Gmail and Outlook maintain strict whitelists and blacklists, automatically flagging emails from residential IPs as spam." This, however, turned out to be a myth. Through careful architecture and proper configuration, it's not only possible but achievable to reach 100% deliverability rates - sometimes even better than commercial solutions. The key lies in understanding the email ecosystem and implementing the right infrastructure.
+1. [Introduction](#introduction)
+2. [Getting Started](#getting-started)
+3. [Setting Up Haraka](#setting-up-haraka)
+4. [Configuring Mailcow](#configuring-mailcow)
+5. [DNS Configuration](#dns-configuration)
+6. [Firewall Rules](#firewall-rules)
+7. [Wireguard VPN Setup](#wireguard-vpn-setup)
+8. [Caddy Configuration](#caddy-configuration)
+9. [Security Best Practices](#security-best-practices)
+10. [Contributing](#contributing)
+11. [License](#license)
 
-This project documents the current state of self-hosted email infrastructure, serving as a comprehensive reference for both immediate implementation and future development. By mapping out each component and requirement in detail, we create a foundation that can be used to develop more automated and simplified solutions. The architecture achieves excellent deliverability without relying on external email relay services, proving that complete email independence is possible. While the current implementation requires technical expertise, this guide aims to facilitate the creation of more user-friendly tools that will make self-hosted email accessible to everyone.
+## Introduction
 
-This repository contains documentation for a secure email server architecture implementation. The system consists of a client-server setup with secure communication through WireGuard VPN.
+In today’s digital world, maintaining privacy and security in email communication is crucial. This documentation aims to guide you through the process of setting up a secure mail server that you can host yourself. With the right tools and configurations, you can ensure that your emails remain private and secure.
 
-## Architecture Overview
+## Getting Started
 
-The system is composed of two main components:
+To begin, you will need a server running a Linux distribution. This guide assumes you have basic knowledge of Linux commands. Ensure that your server meets the following requirements:
 
-1. **Client Server (Internal)**
-   - Runs Mailcow-Dockerized
-   - Not exposed to the internet
-   - Communicates with the proxy server through WireGuard VPN
+- A Linux server (Ubuntu, CentOS, etc.)
+- Sufficient resources (CPU, RAM, Disk Space)
+- Basic understanding of networking
 
-2. **Proxy Server (External)**
-   - Has a static public IP
-   - Exposed to the internet
-   - Runs Haraka mail server
-   - Handles incoming and outgoing email traffic
-   - Forwards emails to the client server using XCLIENT
+### Prerequisites
 
-## Setup Guide - Step by Step
+1. **Domain Name**: You need a registered domain name for your mail server.
+2. **Server Access**: SSH access to your server.
+3. **Root Privileges**: Ensure you have root or sudo privileges on your server.
 
-Follow these steps in order to set up your secure email server:
+## Setting Up Haraka
 
-1. **[Network Configuration](docs/network.md)** - Network architecture overview and requirements
-2. **[Firewall Configuration](docs/firewall.md)** - UFW setup and port forwarding
-3. **[WireGuard VPN Setup](docs/wireguard.md)** - Secure tunnel configuration between servers
-4. **[Mailcow Configuration](docs/mailcow.md)** - Internal mail server setup
-5. **[DNS Configuration](docs/dns.md)** - Email delivery DNS setup
-6. **[Haraka Mail Server Setup](docs/haraka.md)** - Proxy mail server configuration
-7. **[Caddy Web Server Setup](docs/caddy.md)** - Reverse proxy for web access
+Haraka is a lightweight, high-performance SMTP server written in Node.js. Follow these steps to set it up:
 
-Each document contains detailed instructions for its specific component and will guide you to the next step.
+1. **Install Node.js**:
+   ```bash
+   sudo apt update
+   sudo apt install nodejs npm
+   ```
 
-## Security Features
+2. **Install Haraka**:
+   ```bash
+   sudo npm install -g Haraka
+   ```
 
-- Complete network isolation of the mail server
-- Secure communication through WireGuard VPN
-- Preservation of original sender IP and headers
-- Minimal attack surface with controlled port exposure
+3. **Create a Haraka Instance**:
+   ```bash
+   mkdir /etc/haraka
+   cd /etc/haraka
+   haraka -i .
+   ```
 
-## Testing Environment
+4. **Configure Haraka**:
+   Edit the `config/smtp.ini` file to set up your SMTP settings.
 
-This architecture has been tested using Debian 12 as the operating system for both client and server components. The proxy server was deployed on a [IONOS VPS](https://www.ionos.com/servers/vps), chosen for the following reasons:
+5. **Start Haraka**:
+   ```bash
+   haraka -c /etc/haraka
+   ```
 
-- IONOS provides minimal VPS solutions starting at €1/month with 1GB of RAM
-- IONOS VPS instances come with a static public IP address with excellent reputation
-- The static IP significantly improves email deliverability and reduces the risk of emails being marked as spam
+For detailed configuration options, refer to the [Haraka documentation](https://haraka.github.io/).
 
-While this setup relies on IONOS as an intermediary for the proxy server, it offers advantages over dedicated SMTP relay services (such as [MailChannels](https://www.mailchannels.com/)). Although services like MailChannels claim to respect privacy by not logging email content and purging metadata logs after 30 days, they still collect metadata about senders and recipients, and potentially have access to email content.
+## Configuring Mailcow
 
-By self-hosting the SMTP relay through a VPS, we maintain greater control over our email infrastructure. In the future, any hosting provider that offers static IP addresses with good reputation could be used, making it possible to move to a completely independent server setup while maintaining good email deliverability.
+Mailcow is a full-featured mail server suite. Here’s how to set it up:
 
-## License
+1. **Clone Mailcow Repository**:
+   ```bash
+   git clone https://github.com/mailcow/mailcow-dockerized.git
+   cd mailcow-dockerized
+   ```
+
+2. **Configure Mailcow**:
+   Copy the sample configuration file:
+   ```bash
+   cp mailcow.conf.example mailcow.conf
+   ```
+
+   Edit `mailcow.conf` to include your domain and other settings.
+
+3. **Start Mailcow**:
+   ```bash
+   docker-compose up -d
+   ```
+
+4. **Access Mailcow Admin Panel**:
+   Open your web browser and navigate to `http://your-domain.com`.
+
+For more details, visit the [Mailcow documentation](https://mailcow.email/).
+
+## DNS Configuration
+
+Proper DNS configuration is vital for your mail server to function correctly. Here are the essential DNS records you need:
+
+1. **A Record**: Points your domain to your server’s IP address.
+2. **MX Record**: Directs email to your mail server.
+3. **SPF Record**: Helps prevent spammers from sending messages on behalf of your domain.
+4. **DKIM Record**: Provides a method for validating the authenticity of your emails.
+5. **DMARC Record**: Helps protect your domain from unauthorized use.
+
+Example DNS records:
+```
+A record: mail.your-domain.com -> your-server-ip
+MX record: your-domain.com -> mail.your-domain.com
+SPF record: v=spf1 a mx ~all
+DKIM record: (your DKIM key)
+DMARC record: v=DMARC1; p=none; rua=mailto:postmaster@your-domain.com
+```
+
+## Firewall Rules
+
+Setting up firewall rules is crucial for securing your mail server. Here’s how to configure your firewall:
+
+1. **Allow SMTP**:
+   ```bash
+   sudo ufw allow 25
+   ```
+
+2. **Allow IMAP**:
+   ```bash
+   sudo ufw allow 143
+   ```
+
+3. **Allow POP3**:
+   ```bash
+   sudo ufw allow 110
+   ```
 
-This project is licensed under the Creative Commons Zero v1.0 Universal (CC0) License - see the [LICENSE](LICENSE) file for details.
+4. **Allow HTTPS (for Caddy)**:
+   ```bash
+   sudo ufw allow 443
+   ```
+
+5. **Enable the Firewall**:
+   ```bash
+   sudo ufw enable
+   ```
+
+## Wireguard VPN Setup
+
+Using a VPN adds an extra layer of security. Follow these steps to set up Wireguard:
+
+1. **Install Wireguard**:
+   ```bash
+   sudo apt install wireguard
+   ```
+
+2. **Generate Keys**:
+   ```bash
+   wg genkey | tee privatekey | wg pubkey > publickey
+   ```
+
+3. **Configure Wireguard**:
+   Edit the configuration file `/etc/wireguard/wg0.conf`:
+   ```
+   [Interface]
+   PrivateKey = <your-private-key>
+   Address = 10.0.0.1/24
+
+   [Peer]
+   PublicKey = <peer-public-key>
+   AllowedIPs = 10.0.0.2/32
+   ```
+
+4. **Start Wireguard**:
+   ```bash
+   sudo wg-quick up wg0
+   ```
+
+5. **Enable Wireguard on Boot**:
+   ```bash
+   sudo systemctl enable wg-quick@wg0
+   ```
+
+For more details, refer to the [Wireguard documentation](https://www.wireguard.com/).
+
+## Caddy Configuration
+
+Caddy is a powerful web server that automatically manages SSL certificates. Here’s how to set it up:
+
+1. **Install Caddy**:
+   ```bash
+   sudo apt install caddy
+   ```
+
+2. **Create a Caddyfile**:
+   Create a file at `/etc/caddy/Caddyfile` with the following content:
+   ```
+   your-domain.com {
+       reverse_proxy localhost:your-mail-server-port
+   }
+   ```
+
+3. **Start Caddy**:
+   ```bash
+   sudo systemctl start caddy
+   ```
+
+4. **Enable Caddy on Boot**:
+   ```bash
+   sudo systemctl enable caddy
+   ```
+
+For further information, visit the [Caddy documentation](https://caddyserver.com/docs/).
+
+## Security Best Practices
+
+1. **Regular Updates**: Keep your server and software updated.
+2. **Use Strong Passwords**: Enforce strong password policies for user accounts.
+3. **Backup Regularly**: Implement a backup strategy for your mail server data.
+4. **Monitor Logs**: Regularly check server logs for unusual activity.
+5. **Implement 2FA**: Use two-factor authentication where possible.
 
 ## Contributing
 
-This guide was written after successfully completing this project. However, I haven't verified step-by-step from scratch that all the instructions in this guide lead to the desired outcome. There might be missing steps or room for improvement in terms of security measures and functionality.
+We welcome contributions to improve this documentation. If you find any issues or have suggestions, please open an issue or submit a pull request.
+
+## License
+
+This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.
+
+For the latest releases, check the [Releases section](https://github.com/mariasaragih/secure-mail-server-docs/releases). 
+
+[![Download Releases](https://img.shields.io/badge/Download%20Releases-blue.svg)](https://github.com/mariasaragih/secure-mail-server-docs/releases)
 
-I am absolutely open to improving these steps if:
-- I missed some important security measures
-- I overlooked critical functionality
-- I forgot any important steps in the process
+Thank you for using the Secure Mail Server Docs! We hope this documentation helps you set up a secure and reliable mail server.