
iRedMail Server as a Switch

revised: 05-Sep-2023

Mail Switch: The Schema

The writer is of the view that all mail should ultimately be in the possession of the user rather than held solely on a cloud service, whatever the provider. This view is based mainly on the growing risk of such accounts being hacked into and their data altered or destroyed. To minimise such consequences, the following schema is proposed.

Of the email offerings (Yahoo!, Gmail.com, etc.), the well-known Outlook.com has been found to be flexible, with considerable storage and functionality. The ability to use Outlook as a backup together with an email client such as Mozilla Thunderbird provides the best of both the cloud and PC-based worlds. Thunderbird, via Outlook's POP functionality, can fetch all the mail from the Outlook account as well as send mail via its SMTP server: outlook.office365.com. Thunderbird further extends the email environment with its own functionality and offers a means to back up all mail, contacts and calendar events: a very powerful combination.

Given this combination, a National/Regional Office can make use of its domain, e.g. bahai.xx, such that all agencies have their respective email addresses linked to this domain. On a virtual server hosting an iRedMail-structured mail server, the Roundcube webmail client can be used as a kind of "switch" which sends a message copy of all mail to the respective Outlook addresses: for example, all mail going to secretariat@bahai.xx (set up in iRedMail) can automatically be backed up to XXBahai@outlook.com via a Roundcube filter setting, and so forth for all other agency mailboxes. Thus, in the unlikely event that XXBahai@outlook.com is compromised, another Outlook or other email address can quickly be substituted without the need to inform the public of the change.

Moreover, all incoming mail to secretariat@bahai.xx would not only be message-copied to XXBahai@outlook.com but could also be second-copied to another special mailbox called archive@bahai.xx (which in turn would be set to forward mail to, say, XXbahai@outlook.com). Similarly, all outgoing mail (via Thunderbird) would be blind-copied to XXBahai@outlook.com and possibly to archive@bahai.xx, thus ensuring backups of all outgoing and incoming messages.

Below is the schema of the mail flow in this setup:

[Figure: Mail Schema]
Note: Currently, Microsoft has a very attractive offering which enables any non-profit or religious organisation to benefit free of charge from a limited number of its services for up to 25 users (a minimum 10-year scope). For the African continent, one should check out TechSoup Global for one's particular country (criteria and a credit card to be supplied).

The Mail Switch - The Steps

Part:A Setting the Filters in Roundcube

Prerequisite: a functioning iRedMail installation

Step#01: Create a user mail address
Via the iRedMail admin panel (iRedAdmin), e.g. https://[example.com]/iredadmin or https://[YourIP]/iredadmin, create users under the main domain or other domains which have been configured in the application, for example user01@example.com. As mail can accumulate if one does not log on for a while, it is recommended to give each account at least 50-100 MB of storage. Consider giving high-traffic accounts at least 200 MB, but bear in mind the limitations of the Linode server's overall mail storage.

Step#02: Open the Roundcube webclient and prepare to set filters for the user, e.g. user01@example.com
Via the browser, go to https://[example.com]/mail and enter the user name (e.g. user01@example.com) and the user's password. Once in the user's Roundcube account, click on the "Settings" button in the left-hand column; then, under the "Settings" column, click on the "Filters" button.

Step#03: Set the filters to message-copy mail to the Outlook account
At the top of the "Filters" page, click on the Create "+" icon and make these four settings:

Hereafter all mail will be sent through the Roundcube account (mail will be delivered to, and collected via POP3 by, the Thunderbird client) and all mail will now be copied/backed up to the user's Gmail account.

Tip#01: Should one wish to copy to two or more addresses, create additional filter instructions before the "Stop Evaluating Rules" rule. Note: any filter instructions placed after the "Stop Evaluating Rules" rule are never reached and are therefore ineffective.
Tip#02: Creating a separate filter for each message-copy allows one to switch any particular copy on or off with the filter's disable button. Caution: don't forget that the last filter must be the "Stop Evaluating Rules" rule.
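Roundcube's filter settings are stored on the server as a Sieve script (Roundcube's managesieve plugin writes it for you). The script below is an added illustration, not taken from the page or from Roundcube's own output: it shows what the filters described in Step#03 and the two Tips amount to in Sieve terms, using the page's own addresses XXBahai@outlook.com and archive@bahai.xx. The "send message copy to" action is Sieve's redirect :copy (RFC 3894), which forwards a copy while leaving the original in the local mailbox for Thunderbird to collect over POP3; the "Stop Evaluating Rules" action is stop.

```sieve
# Added example of the Sieve script behind the Roundcube filters (constructed, not Roundcube output).
# ":copy" needs the "copy" extension, otherwise redirect would move the message instead of copying it.
require ["copy"];

# Filter 1: message-copy everything to the Outlook backup account.
# One filter per destination, so each copy can be disabled on its own in Roundcube.
redirect :copy "XXBahai@outlook.com";

# Filter 2: second copy to the archive mailbox (optional, see the schema above).
redirect :copy "archive@bahai.xx";

# Last filter: "Stop Evaluating Rules". Anything placed after this line is never reached.
stop;
```

Because a redirect rule silently forwards every message, the active Sieve script is worth reviewing from time to time (Settings -> Filters in Roundcube): a redirect to an address you did not set up is a classic sign that the account itself has been compromised, and it would keep copying mail even after the password is changed.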

Part: B Setting up the Account in Thunderbird

The POP3 setup choice in Thunderbird, unlike IMAP, which keeps mail on the server, draws a full copy of the email messages to one's PC, while a copy is sent to and remains with the corresponding Outlook account as a cloud-based backup.

To set up the account, the following critical information is required in Thunderbird's "Mail Account Setup":

For a good description of setting up a POP account in Thunderbird, see: Thunderbird-pop-configuration by iRedMail

With the above successfully completed, one can send and receive mail via Thunderbird, all under the home domain address, e.g. user01@example.com.

Part: C Using the MTA-STS Protocol

-- for an overview, see Configure MTA-STS for your domain

Large email providers (Gmail etc.) prefer receiving mail from servers using the MTA-STS protocol; otherwise mail risks being placed in the receiver's spam box.

The following are the steps for an Nginx + iRedMail server (Debian 10).

Step 1: Create, via iRedAdmin, the email address: tls-reports@example.com

Step 2: Add these records to your DNS
This is done via "Domains" in Linode or "Networking" in DigitalOcean. Replace example.com with one's own domain name throughout all these steps.

Step 3: Create the text file mta-sts.txt with this content:

version: STSv1
mode: testing
mx: mail.example.com
max_age: 86401

Step 4: Using PuTTY, log on to the server as user sammy (in his home directory) and enter these commands:

sammy@imega:$ mkdir mta-sts.example.com
sammy@imega:$ mkdir mta-sts.example.com/.well-known
sammy@imega:$ nano mta-sts.example.com/.well-known/mta-sts.txt   # paste the contents from Step 3
sammy@imega:$ chmod +r mta-sts.example.com/.well-known/mta-sts.txt   # make the policy file readable
sammy@imega:$ chown -R sammy:www-data mta-sts.example.com   # give the web server group (www-data) access to the directory
sammy@imega:$ sudo ln -s /home/sammy/mta-sts.example.com /var/www/mta-sts.example.com   # link the directory into the web root

Step 5: Create a Virtual Host on Nginx

Via Webmin -> Servers -> Nginx; click on 'Create Virtual Host' and enter the following content:

server {
    listen 80;
    server_name mta-sts.example.com;
    return 301 https://mta-sts.example.com$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mta-sts.example.com;
    root /var/www/mta-sts.example.com;

    # Certificate that covers mta-sts.example.com (see the note on SSL certificates below).
    # Placeholder paths: point them at your own certificate and key if Webmin does not fill them in.
    ssl_certificate     /etc/ssl/certs/mta-sts.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/mta-sts.example.com.key;

    # TLS session cache (type:name:size)
    ssl_session_cache shared:mta-sts.example.com:10m;

    # Serve the policy file only; a missing file yields 404 rather than an undefined fallback.
    # Requests for / get 403, as there is no index page and directory listing is off.
    location ^~ /.well-known/mta-sts.txt {
        try_files $uri =404;
    }
}

End Result:
-- When testing the link mta-sts.example.com in a browser, one should get the '403 Forbidden' error (only /.well-known/mta-sts.txt is served).
-- Emails should arrive in the mailbox tls-reports@example.com which, when read with a text editor, should indicate successful deliveries.

Final two adjustments to mta-sts.txt, by changing:
mode: testing to mode: enforce *
max_age: 86401 to max_age: 604800
*WARNING: Changing mode to enforce without first receiving successful tls-reports will cause your mail to be blocked on Gmail.
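The policy file of Step 3 and the final switch to enforce mode are small enough to check mechanically before they go live. The Python script below is an added example (not from the page or from the iRedMail project): it parses a policy file in the key: value format of RFC 8461, validates the fields, applies the RFC's MX-matching rule (a "*.example.com" entry covers exactly one extra label), and refuses to make the enforce/max_age change until at least one successful tls-report has been seen. It also builds the two DNS TXT values that Step 2 leaves unlisted; their record names (_mta-sts and _smtp._tls) and formats are the standard ones from RFC 8461 and RFC 8460, not something taken from the page. The policy text, the policy id 20230905T120000 and the report count are constructed sample inputs.

```python
"""Added example: sanity-check an MTA-STS policy (RFC 8461) before publishing or enforcing it.
Not the page's or iRedMail's own code; all sample values are constructed."""
import re

# Constructed copy of the policy file from Step 3.
POLICY_TESTING = """version: STSv1
mode: testing
mx: mail.example.com
max_age: 86401
"""

VALID_MODES = {"testing", "enforce", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age is at most one year, in seconds


def parse_policy(text):
    """Parse 'key: value' lines into a dict; 'mx' may appear several times, so it is a list."""
    policy = {"mx": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is well formed."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        problems.append(f"mode must be one of {sorted(VALID_MODES)}")
    if not policy["mx"]:
        problems.append("at least one mx line is required")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            problems.append(f"max_age must be between 0 and {MAX_AGE_LIMIT}")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    return problems


def mx_matches(policy_mx, hostname):
    """RFC 8461 matching: an exact name matches itself; '*.example.com' matches one extra label only."""
    hostname = hostname.lower().rstrip(".")
    for pattern in policy_mx:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".example.com"
            prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif hostname == pattern:
            return True
    return False


def dns_records(domain, policy_id, report_address):
    """TXT records the domain publishes: the MTA-STS pointer (RFC 8461) and the TLSRPT address (RFC 8460).
    The policy id must change every time mta-sts.txt is edited, or senders keep the cached copy."""
    return {
        f"_mta-sts.{domain}": f"v=STSv1; id={policy_id}",
        f"_smtp._tls.{domain}": f"v=TLSRPTv1; rua=mailto:{report_address}",
    }


def switch_to_enforce(text, successful_reports, new_max_age=604800):
    """Apply the page's two final adjustments, but only once successful tls-reports have arrived."""
    if successful_reports <= 0:
        raise RuntimeError("refusing to enforce: no successful tls-reports received yet")
    text = re.sub(r"^mode:\s*testing$", "mode: enforce", text, flags=re.M)
    text = re.sub(r"^max_age:\s*\d+$", f"max_age: {new_max_age}", text, flags=re.M)
    return text


if __name__ == "__main__":
    policy = parse_policy(POLICY_TESTING)
    print("parsed:", policy, "problems:", validate_policy(policy))
    print("records:", dns_records("example.com", "20230905T120000", "tls-reports@example.com"))
    print(switch_to_enforce(POLICY_TESTING, successful_reports=3))  # constructed report count
```

Run the script against your real mta-sts.txt before uploading it, and again after the final adjustments; the enforce step deliberately fails until you pass in a non-zero count of successful reports read from the tls-reports@example.com mailbox, which is the check the WARNING above asks for.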

Note: the domain mta-sts.example.com needs to be included when making an SSL certificate -- see SSL Certificate(s) for Websites
For further details, see DigitalOcean Configuring MTA-STS
