We'll see here how to set up a lightweight mail server ( hMailServer ) with public access, covering the networking and DNS setup with a special focus on IPv6. I'm installing hMailServer on Windows Server 2008 R2, but hMailServer runs on any Windows OS ( client or server ).
Here is the network map :
hMailServer can't provide both IPv4 and IPv6 service at the same time, so here we'll only see an IPv6 setup.
hMailServer doesn't support STARTTLS, but it does support SSL/TLS ( implicit TLS on dedicated ports ). As plain-text login is totally insecure ( no encryption of the password exchange, no encryption of the mail exchanges ), we'll use SSL/TLS.
The previous post is about creating a self-signed SSL certificate; it takes just 15 minutes to install the software and generate the certificate / private key pair : How to create a self-signed SSL certificate
We'll be using a self-signed certificate, so we'll have to add temporary or permanent exceptions when Thunderbird or the antivirus warns about it. ( A client that stores the exception is pinning that one certificate : it will warn again if the certificate is replaced, which is exactly what we want. )
hMailServer installation and setup
hMailServer is very easy to install, leaving the default options. A password is created during installation to access the management interface; choose a strong one, since it gives full control of every domain and account on the server.
Once installed, we log into the management interface and first add a domain :
we add the domain example.com
( the Names tab is optional : it creates an alias for a dual internal / external domain and login, like an example.net / example.com network design. We can add the name example.net here : )
We then add e.mail accounts :
( accounts : add )
We have to set up the server IP / port servicing :
SMTP 2001:db8:4b17:1::200 port : 465
POP3 2001:db8:4b17:1::200 port : 995
We set hMailServer's own IP ( ::1 ) :
We next have to change the allowed client IP address range to allow IPv6 :
( This is an allow-all, so the mail server is accessible by anybody on the Internet. To limit the mail server use to our /48 subnet hosts only, we can narrow it down to 2001:db8:4b17:2:0:0:0:0 - 2001:db8:4b17:ffff:ffff:ffff:ffff:ffff. Keep in mind that mail servers of other domains, anywhere on the Internet, must still be able to connect to our SMTP port to deliver mail to us; a narrowed range only makes sense for a server used by our own hosts : )
We enable logging ( useful at the beginning, for troubleshooting; the logs record sender and recipient addresses, so turn it down once everything works ) :
We finally copy our SSL Private Key / Public Certificate in the folder :
C:\Program Files (x86)\hMailServer\Externals\CA\
and add the certificate / private key pair in the hMailServer management interface :
We're done with the hMailServer setup for now. We'll see the SPAM prevention further down this post.
Windows OS and Network Routers Firewall settings
We have to create two incoming rules in our Windows OS firewall ( TCP 465 and TCP 995 ), using Windows Firewall with Advanced Security :
We also have to create the same two incoming rules in our Internet gateway IPv6 firewall :
The :: is an 'allow-all' ( any source address ).
Mail Clients setup
Using Thunderbird, the client configuration is very easy and straightforward.
We just add a new account using these settings :
The username has to be the full e.mail address of the account ( including the @example.com part ), for the login to work. Here are the POP3 and SMTP settings for reference :
And we're done with the e.mail client setup.
For our hMailServer to be accessible from the outside, we need to have it registered in the Internet DNS.
We have to create two AAAA records :
We also have to create an MX record ( Mail Exchange record ) pointing to our SMTP server :
Why do we need an MX record ? Because someone mailing to email@example.com doesn't know the FQDN or IP address of its mail server. So their server first queries the example.com domain for an MX record, which returns smtp.example.com.
It can then make a DNS query for smtp.example.com to get its IP address.
So we have to create these three DNS records at our registrar's level :
( for why we do it at the registrar's level, see these posts on this blog : post1 post2 post3 )
We have to wait for the DNS changes to propagate, checking :
until we get the right answer ( i.e. 2001:db8:4b17:1::200 here ).
Reverse DNS for inter-domain mail exchanges
If we want our hMailServer to exchange mail with mail servers from other domains ( ISP webmails, etc. ), we need a working reverse DNS for smtp.example.com : this is a security feature, many receiving servers reject or grey-list mail coming from an address whose PTR record is missing or doesn't match the forward name.
For this, we have to have a PTR record ( i.e. a reverse DNS record ) created at the ISP / tunnel broker level, since the ip6.arpa zone of our prefix belongs to them. Not all ISPs allow this, or allow the reverse DNS to be delegated. The network / DNS map then looks like this :
To test that the reverse DNS works, type :
you should get smtp.example.com as the answer.
Please make sure to read the last part of this post, about SPAM prevention settings, for a working inter-domain mail exchange, with example.com e.mails being accepted by other domains' mail servers.
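The reverse DNS test above only shows the PTR answer; what remote mail servers actually want is the full loop, MX -> AAAA -> PTR -> AAAA, closing on the same address ( forward-confirmed reverse DNS ). The script below, added here as an example and not part of the original post or of hMailServer, walks that chain and also prints the ip6.arpa name to hand to the ISP / tunnel broker when asking for the PTR. Records are served from a constructed in-memory table so it runs offline; the noptr.example and stale.example domains are hypothetical failure cases.

```python
"""Forward-confirmed reverse DNS (FCrDNS) walk for a mail domain.

Added example, not hMailServer code. It follows the chain a remote mail
server follows before trusting us: domain -> MX -> AAAA, then
address -> PTR -> AAAA, and only reports success when the PTR name
resolves back to the address we started from. Lookups go through a
constructed in-memory table (an assumption) so the example runs offline;
swap `resolve` for real queries (e.g. dnspython) to test a live zone.
"""
import ipaddress

# Constructed records mirroring the post's setup (assumption, not a real zone).
# The PTR record lives in the ISP / tunnel broker's ip6.arpa zone, which is
# why the ISP has to create it for us.
ZONE = {
    ("example.com", "MX"): ["smtp.example.com"],
    ("smtp.example.com", "AAAA"): ["2001:db8:4b17:1::200"],
    ("pop3.example.com", "AAAA"): ["2001:db8:4b17:1::200"],
    ("0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.7.1.b.4.8.b.d.0.1.0.0.2.ip6.arpa", "PTR"):
        ["smtp.example.com"],
    # Hypothetical domain whose ISP never created the PTR record.
    ("noptr.example", "MX"): ["mail.noptr.example"],
    ("mail.noptr.example", "AAAA"): ["2001:db8:4b17:9::25"],
    # Hypothetical domain whose PTR points at a name that no longer resolves.
    ("stale.example", "MX"): ["mail.stale.example"],
    ("mail.stale.example", "AAAA"): ["2001:db8:4b17:9::26"],
    ("6.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.0.0.7.1.b.4.8.b.d.0.1.0.0.2.ip6.arpa", "PTR"):
        ["old.stale.example"],
}


def resolve(name, rtype):
    """Record set from the constructed table; [] stands for NXDOMAIN / NODATA."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def addresses(name):
    """All AAAA and A records of a name, as ipaddress objects."""
    return {ipaddress.ip_address(a) for a in resolve(name, "AAAA") + resolve(name, "A")}


def reverse_name(address):
    """PTR owner name of an address: nibble-reversed under ip6.arpa (or in-addr.arpa).

    This is the exact name to request from the ISP / tunnel broker.
    """
    return ipaddress.ip_address(address).reverse_pointer


def fcrdns(domain):
    """Return (ok, reason) for the domain's first MX host.

    ok is True only when every address of the MX host has a PTR record whose
    target resolves back to that same address (forward-confirmed).
    """
    mx_hosts = resolve(domain, "MX")
    if not mx_hosts:
        return False, f"{domain}: no MX record"
    mx = mx_hosts[0]
    addrs = addresses(mx)
    if not addrs:
        return False, f"{mx}: MX target has no AAAA/A record"
    for addr in addrs:
        ptr_names = resolve(addr.reverse_pointer, "PTR")
        if not ptr_names:
            return False, f"{addr}: no PTR record (ask the ISP / tunnel broker for one)"
        if not any(addr in addresses(ptr) for ptr in ptr_names):
            return False, f"{addr}: PTR {ptr_names} does not resolve back to {addr}"
    return True, f"{mx}: forward-confirmed reverse DNS for {', '.join(map(str, addrs))}"


if __name__ == "__main__":
    print("PTR name to request:", reverse_name("2001:db8:4b17:1::200"))
    for d in ("example.com", "noptr.example", "stale.example", "unknown.example"):
        print(d, fcrdns(d))
```

The check deliberately refuses a PTR that names a host whose forward records do not contain the address : a PTR alone proves nothing, since whoever controls the reverse zone can put any name in it.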
SPAM prevention settings
We want our hMailServer to be protected from outside SPAM, and we want other domains' mail servers to accept our e.mails as legitimate. Here is how we do this :
To prevent our hMailServer from receiving SPAM, we can tick 'Use SPF' and 'Check that sender has DNS-MX records' :
This provides a basic SPAM prevention. Note that SPF is checked against the envelope sender's domain, not against the From header shown to the user, so it stops senders spoofing other people's domains, not spammers using a domain whose SPF record they control.
To have other domains' mail servers accept our e.mails as legitimate, we need :
. a DNS MX record
. a working reverse DNS of our server IPv6 address, pointing to smtp.example.com
. a DNS SPF record.
The first two have been explained higher in this post, so we just have the DNS SPF record left to see.
SPF ( Sender Policy Framework ) is a DNS record aimed at preventing the use of spoofed domain names by SPAM.
It is registered in the domain name's DNS ( example.com in this case ) and states which mail servers are to be considered as validly sending in the name of this domain ( example.com here ).
Let's say email@example.com writes an e.mail to firstname.lastname@example.org :
the example.com mail server contacts the example.org mail server
the example.org mail server checks for an example.com SPF record in the Internet DNS
if an SPF record is found, the example.org mail server checks whether there is a valid entry for the example.com mail server's IP address in the SPF record
if so, the example.com mail server is considered valid, and the e.mail is accepted by the example.org mail server; if not, the record's final 'all' term decides : '-all' asks for a rejection, '~all' for a soft failure ( usually scored as SPAM ).
Here are some basic SPF records :
record : example.com in spf "v=spf1 -all"
effect : no mail claiming to come from example.com should be accepted by other domains' mail servers
record : example.com in spf "v=spf1 ip6:2001:db8:4b17:1::200/128 -all"
effect : only mail originating from IP address 2001:db8:4b17:1::200 should be accepted by other domains' mail servers
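To make the check described above concrete, here is a minimal SPF evaluator, added as an example and not part of the original post or of hMailServer. It fetches the domain's v=spf1 record, walks the mechanisms left to right and returns the result of the first match, as RFC 7208 describes, and it is fed the post's two example records plus hypothetical lax.example / nospf.example domains through a constructed in-memory DNS table so that it runs offline. Only the ip4, ip6, a, mx and all mechanisms are modelled; include, exists, ptr and the redirect= modifier are left out.

```python
"""Minimal SPF (Sender Policy Framework) evaluator, RFC 7208 style.

Added example, not hMailServer code. It models the check the receiving
mail server (example.org in the post) performs on a connection from the
IP address claiming to send for example.com: fetch the domain's v=spf1
TXT record, walk its mechanisms left to right, and return the result of
the first one that matches. Mechanisms handled: ip4, ip6, a, mx and all,
with the + - ~ ? qualifiers. DNS goes through a constructed in-memory
table (an assumption) so the example runs offline.
"""
import ipaddress

# Constructed records (assumption). The example.com and strict.example
# entries carry the post's two SPF records; the other domains are hypothetical.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip6:2001:db8:4b17:1::200/128 -all"],
    ("strict.example", "TXT"): ["v=spf1 -all"],          # the post's first record
    ("lax.example", "TXT"): ["v=spf1 mx ~all"],          # looser policy via MX hosts
    ("lax.example", "MX"): ["mail.lax.example"],
    ("mail.lax.example", "AAAA"): ["2001:db8:ffff::25"],
    ("mail.lax.example", "A"): ["192.0.2.25"],
    ("nospf.example", "TXT"): ["some unrelated text"],   # no SPF published at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None when there is none."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def host_addresses(name):
    return {ipaddress.ip_address(a) for a in lookup(name, "AAAA") + lookup(name, "A")}


def in_network(ip, spec, default_prefix):
    """ip4:/ip6: argument, with or without a /prefix, against the sender IP."""
    if "/" not in spec:
        spec = f"{spec}/{default_prefix}"
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net


def mechanism_matches(ip, mech, domain):
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name == "ip4":
        return in_network(ip, arg, 32)
    if name == "ip6":
        return in_network(ip, arg, 128)
    if name == "a":                      # A/AAAA records of the domain (or of arg)
        return ip in host_addresses(arg or domain)
    if name == "mx":                     # addresses of the domain's MX hosts
        return any(ip in host_addresses(mx) for mx in lookup(arg or domain, "MX"))
    raise ValueError(f"mechanism {mech!r} not modelled here (include/exists/ptr)")


def check_spf(sender_ip, domain):
    """Result for sender_ip sending on behalf of domain: pass, fail, softfail, neutral or none."""
    ip = ipaddress.ip_address(sender_ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:                  # redirect= / exp= modifiers, not modelled
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if mechanism_matches(ip, term.lstrip("+-~?"), domain):
            return QUALIFIERS[qualifier]
    return "neutral"                     # record exhausted without an 'all' term


if __name__ == "__main__":
    for ip, domain in [("2001:db8:4b17:1::200", "example.com"),
                       ("2001:db8:4b17:1::201", "example.com"),
                       ("2001:db8:4b17:1::200", "strict.example"),
                       ("2001:db8:ffff::26", "lax.example")]:
        print(ip, domain, check_spf(ip, domain))
```

Run against the post's second record, the server address gives "pass" while any other address, IPv4 or IPv6, falls through to '-all' and gives "fail"; with "v=spf1 -all" every sender fails, which is why that record is only useful for a domain that never sends mail.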
here is the the network / DNS map using the second example :
A few more notes about the SPF records :
1. historically, SPF records were published as TXT records; a dedicated SPF record type was then specified ( RFC 4408 ) and has since been deprecated again ( RFC 7208 ), because too few resolvers and mail servers ever used it. The TXT record is therefore the one that must exist; registering the SPF type as well is harmless where the registrar supports it. ex :
example.com in txt "v=spf1 ip6:2001:db8:4b17:1::200/128 -all"
example.com in spf "v=spf1 ip6:2001:db8:4b17:1::200/128 -all"
2. the SPF record syntax is quite subtle. Please see www.openspf.org/SPF_Record_Syntax ( the syntax is now specified in RFC 7208 ) for complete details.
As an example : the SPF record can refer to the domain's A or MX records ( the 'a' and 'mx' mechanisms ) instead of plain IP addresses for more flexibility; they get resolved to IP addresses at check time.
Or you can state a looser policy explicitly, e.g. '~all' ( softfail ) instead of '-all'.
3. registering the TXT 'SPF' and SPF records lets other domains' mail servers detect mail spoofing our domain name, which keeps our domain from being considered dubious and blacklisted by them.
4. There are some scripted SPF record generation tools on the Internet. Microsoft's one is interesting. Just google 'Sender ID Framework SPF Record Wizard'.
e.mail folder location :
C:\Program Files (x86)\hMailServer\Data
client mail message deletion :
if the Thunderbird settings are right, messages deleted in the client are removed from the server at the next POP3 request
to clear all messages of an account on the server :
hMailServer Manager > account > advanced > empty account
to inspect a particular port's traffic with Wireshark, type in the filter box :
tcp.port eq 995 filters TCP port 995 ( POP3 over SSL/TLS )
tcp.port eq 465 filters TCP port 465 ( SMTP over SSL/TLS )