How to create your own email server using Mail-in-a-Box
Introduction
Hosting your own email server is the first step to securing your privacy
It saves you money if you own multiple domains
What You'll Need
[ ] Brand new VPS or any Linux Server (My recommended VPS provider is Linode)
[ ] Ubuntu 22.04 LTS is the latest supported version
[ ] SSH access with sudo privilege
Step 1: Create non-root user
To create a new user, please type the following:
adduser johndoe
Replace johndoe with your own username, then follow the prompts to set the password and other details.
The new user needs to be able to run commands with sudo when required, so add it to the sudo group:
usermod -aG sudo johndoe
Then connect to the server using the new user.
ssh johndoe@YOUR-SERVER-IP
So far we have logged in with the new user's password, which is not secure. To prepare future logins to use SSH keys instead of passwords, set up the key directory and file:
mkdir -p ~/.ssh # to create .ssh folder
chmod 700 ~/.ssh # set correct permissions
touch ~/.ssh/authorized_keys # create file where we put our keys
chmod 600 ~/.ssh/authorized_keys # change file permissions
If you don't have SSH keys on your computer yet, open another terminal on your local machine and create a new key pair by running:
ssh-keygen -t rsa -b 4096 -C youremail@example.com
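The article creates `~/.ssh/authorized_keys` on the server and a key pair on your laptop but never joins the two, and the next step disables password login. The following is an added example (not the article's own commands): a hypothetical `add_authorized_key` helper that installs the public key without duplicates and with the permissions sshd requires, followed by the check that proves key login works before passwords are turned off.

```sh
#!/bin/sh
# Added example, not from the article: put the public key produced by
# ssh-keygen into the authorized_keys file created in Step 1, without
# duplicates and with the permissions sshd insists on, then prove that key
# login works BEFORE Step 2 turns password authentication off.
# On the server: add_authorized_key ~/.ssh/authorized_keys "$(cat id_rsa.pub)"
# (the second argument is the contents of ~/.ssh/id_rsa.pub from your laptop)
add_authorized_key() {
  authfile=$1 pubkey=$2
  # accept only a single OpenSSH public key line: <type> <base64> [comment]
  printf '%s\n' "$pubkey" | grep -Eq \
    '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+) [A-Za-z0-9+/]+=*( |$)' \
    || { echo "refusing: not an OpenSSH public key line" >&2; return 1; }
  set -f; set -- $pubkey; set +f
  material="$1 $2"                  # key type + key data; the comment is not identity
  dir=$(dirname "$authfile")
  mkdir -p "$dir"
  (umask 077; touch "$authfile")    # created 0600 if it did not exist yet
  if grep -Fq -- "$material" "$authfile"; then
    echo "key already present in $authfile" >&2
  else
    printf '%s\n' "$pubkey" >> "$authfile"
  fi
  # StrictModes makes sshd reject group/world-writable key files or directories
  [ "$dir" = . ] || chmod 700 "$dir"
  chmod 600 "$authfile"
}
# From your laptop, while password login still works, confirm the key path:
#   ssh -o PasswordAuthentication=no -o BatchMode=yes johndoe@YOUR-SERVER-IP true && echo "key login OK"
```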
Step 2: Setup and Secure Your Server
Before installing Mail-in-a-Box, it's crucial to properly secure your VPS. Let's lock down SSH access and configure the firewall to only allow necessary ports.
Disable Password Authentication for SSH
⚠️ Important: Ensure you've already set up SSH key authentication before disabling password login, or you'll lock yourself out of your server!
Password-based SSH authentication is exposed to brute-force attacks. Let's configure SSH to accept only key-based authentication:
# Edit the SSH configuration file
sudo nano /etc/ssh/sshd_config
Find and modify these settings (or add them if not present):
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Save the file and restart the SSH service:
sudo systemctl restart ssh
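Editing the file is not the whole story: sshd uses the first value it sees for a directive, and Ubuntu 22.04's sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there can silently override the "no" you just added. The following added example (not the article's own code) is a hypothetical `effective_sshd_value` resolver that follows those semantics, plus an `ssh_hardened` check for the two settings that decide whether a password can be tried at all; the comment at the end shows the authoritative check with sshd itself.

```sh
#!/bin/sh
# Added example, not from the article. sshd_config semantics: the FIRST
# match for a directive wins, and an "Include" line pulls other files in at
# that position. Ubuntu 22.04 ships "Include /etc/ssh/sshd_config.d/*.conf"
# at the top of sshd_config, so a drop-in there (cloud images often carry
# 50-cloud-init.conf with "PasswordAuthentication yes") silently beats the
# "no" you add further down. Assumes the "Key value" form the article uses;
# directives after a "Match" line are conditional and are not considered.
effective_sshd_value() {            # usage: effective_sshd_value FILE DIRECTIVE
  file=$1
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -r "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    set -f; set -- $line; set +f    # split into words, no glob expansion
    [ $# -gt 0 ] || continue
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$key" in
      \#*) continue ;;
      match) return 1 ;;            # end of the global section
      include)
        shift
        for pat in "$@"; do
          case "$pat" in /*) ;; *) pat=/etc/ssh/$pat ;; esac
          for inc in $pat; do       # glob expansion, alphabetical like glob(3)
            [ -f "$inc" ] || continue
            if val=$(effective_sshd_value "$inc" "$want"); then
              printf '%s\n' "$val"; return 0
            fi
          done
        done ;;
      "$want") shift; printf '%s\n' "$*"; return 0 ;;
    esac
  done < "$file"
  return 1
}

# Both settings default to "yes" when absent. On OpenSSH 8.7+ (Ubuntu 22.04
# ships 8.9) ChallengeResponseAuthentication is an alias of
# KbdInteractiveAuthentication, so either spelling counts.
ssh_hardened() {                    # usage: ssh_hardened FILE
  pw=$(effective_sshd_value "$1" PasswordAuthentication) || pw=yes
  kbd=$(effective_sshd_value "$1" ChallengeResponseAuthentication) \
    || kbd=$(effective_sshd_value "$1" KbdInteractiveAuthentication) || kbd=yes
  [ "$pw" = no ] && [ "$kbd" = no ] && return 0
  echo "PasswordAuthentication=$pw KbdInteractiveAuthentication=$kbd (want no/no)" >&2
  return 1
}
# Authoritative check on the server itself after editing, before restarting:
#   sudo sshd -t && sudo sshd -T | grep -Ei '^(passwordauthentication|kbdinteractiveauthentication|usepam) '
```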
Configure Firewall to Allow Only Required Ports
Mail-in-a-Box needs specific ports open to function properly. Let's use UFW (Uncomplicated Firewall) to restrict access:
# install UFW if not already installed
sudo apt update && sudo apt install ufw -y
# set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# allow SSH (always do this first to avoid lockout)
sudo ufw allow 22/tcp
# allow essential Mail-in-a-Box ports
sudo ufw allow 25/tcp # SMTP (mail delivery)
sudo ufw allow 587/tcp # SMTP submission (outgoing mail)
sudo ufw allow 465/tcp # SMTP over SSL (legacy secure mail)
sudo ufw allow 143/tcp # IMAP
sudo ufw allow 993/tcp # IMAP over SSL
sudo ufw allow 110/tcp # POP3
sudo ufw allow 995/tcp # POP3 over SSL
sudo ufw allow 80/tcp # HTTP (for Let's Encrypt)
sudo ufw allow 443/tcp # HTTPS (webmail and admin panel)
# Enable the firewall
sudo ufw enable
Verify your firewall configuration:
sudo ufw status verbose
You should see all the required ports listed as "ALLOW" in the output.
Step 3: Install Mail-in-a-Box
To install Mail-in-a-Box please run the following command:
curl -s https://mailinabox.email/setup.sh | sudo bash
Then follow the instructions shown on screen. You'll be asked to set your email address. At first it will show me@current-hostname; replace it with me@yourdomain.com, making sure to replace yourdomain.com with a domain name you control.
If you later need to change any of the answers you provided, you can run:
sudo mailinabox
Step 4: Setup DNS & Domains
Go to your domain's DNS dashboard. If you don't know how, search for "GoDaddy DNS settings", replacing GoDaddy with the name of the provider you use.
To find out which records to put in your DNS, go to box.yourdomain.com/admin; you'll see the rest of the instructions by going through each menu and looking for the places that show red error messages.
The most important places to check are the System and Mail & Users dropdowns in the top nav-bar of the page.
Figure 1
Some of the important records you need to add in your domain name provider's DNS are the following:
| Type | Hostname/Subdomain | Field: Value |
| --- | --- | --- |
| NS Record | ns1.box.example.com | box.example.com |
| NS Record | ns2.box.example.com | box.example.com |
| MX Record | box.example.com | Preference: 10; Subdomain: leave it empty |
| A/AAAA Record | box.example.com | IP Address: SERVER-IP |
| A/AAAA Record | autoconfig.example.com | IP Address: SERVER-IP |
| A/AAAA Record | autoconfig.box.example.com | IP Address: SERVER-IP |
| A/AAAA Record | ns1.box.example.com | IP Address: SERVER-IP |
| TXT Record | example.com | v=spf1 include:example.com include:box.example.com -all |
| TXT Record | _dmarc | v=DMARC1; p=quarantine; rua=mailto:info@example.com; pct=100; adkim=s; aspf=s |
| TXT Record | default._bimi | v=BIMI1;l=https://example.com/path/to/your/logo.svg;a= |
| TXT Record | s1._domainkey | Use an online generator like easydmarc.com to create what to put here. |
The above TXT records are important to make your email messages look legitimate; otherwise they'll be rejected by spam filters and end up in the Junk/Spam folder instead of the Inbox.
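A typo in an SPF or DMARC value is only noticed when mail starts bouncing, so it pays to check the strings before publishing them. The following added example (not part of the article) provides two hypothetical helpers, `spf_check` and `dmarc_check`, that validate the TXT values from the table offline: the SPF check counts terms against the 10-DNS-lookup limit of RFC 7208 and flags a record that refers back to its own domain, and the DMARC check enforces tag order, a valid policy and a reachable report address.

```sh
#!/bin/sh
# Added example, not part of the article: offline sanity checks for the SPF
# and DMARC values from the table, to run before publishing them.

# Count the SPF terms that each cost one of the 10 DNS lookups RFC 7208
# allows (include, a, mx, ptr, exists, redirect). Prints the count; returns 1
# if the record is not SPF, exceeds the limit, or refers back to its own
# domain (a self-include loops until the limit is hit and yields permerror).
spf_check() {                           # usage: spf_check RECORD DOMAIN
  record=$1 domain=$2 lookups=0 status=0
  case "$record" in
    'v=spf1'|'v=spf1 '*) ;;
    *) echo "not an SPF record" >&2; return 1 ;;
  esac
  set -f; set -- $record; set +f        # split into terms, no globbing
  shift                                 # drop the v=spf1 version tag
  for term in "$@"; do
    mech=${term#[-+~?]}                 # strip the qualifier, if any
    case "$mech" in
      include:*|a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*|redirect=*)
        lookups=$((lookups + 1)) ;;
    esac
    case "$mech" in
      include:"$domain"|redirect="$domain")
        echo "SPF loop: $domain refers to itself via $term" >&2; status=1 ;;
    esac
  done
  [ "$lookups" -le 10 ] || { echo "too many DNS lookups: $lookups" >&2; status=1; }
  echo "$lookups"
  return $status
}

# DMARC: v=DMARC1 must be the first tag, p= must be none/quarantine/reject,
# and rua= should hold a mailto: address so the rejection reports mentioned
# under "Testing Your Implementation" actually reach you.
dmarc_check() {                         # usage: dmarc_check RECORD
  p='' rua='' first='' oldifs=$IFS
  set -f; IFS=';'
  for tag in $1; do
    tag=$(printf '%s' "$tag" | sed 's/^ *//; s/ *$//')   # trim blanks
    [ -n "$first" ] || first=$tag
    case "$tag" in p=*) p=${tag#p=} ;; rua=*) rua=${tag#rua=} ;; esac
  done
  IFS=$oldifs; set +f
  [ "$first" = 'v=DMARC1' ] || { echo "v=DMARC1 must come first" >&2; return 1; }
  case "$p" in none|quarantine|reject) ;; *) echo "bad or missing p=" >&2; return 1 ;; esac
  case "$rua" in mailto:*@*) ;; *) echo "rua= should be a mailto: address" >&2; return 1 ;; esac
}
```

Once the records are live, compare what the world sees with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.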
Under the System dropdown click TLS (SSL) Certificates, then click the Provision button to generate the certificates. After this succeeds you'll see most of the red warnings change to green.
Step 5: Add Email Users
To add a new domain you need to add its first email user; this automatically saves the DNS records for the new domain name. Click the Mail & Users dropdown on the top nav-bar, then click Users and fill in the form.
A normal user can only log in through the email portal at box.example.com/mail, but an administrator can log in both as an email user there and as an admin user at box.example.com/admin.
Testing Your Implementation
To find out whether your email has an issue or is rejected by Gmail or Microsoft, you'll receive rejection notifications at the email address you put in your DNS _dmarc record entry. If everything is working you'll be able to send emails to all providers.
To use your new email accounts in email apps, open the Instructions menu under the Mail & Users dropdown. That page lists all the ways you can use your email on mobile and desktop apps.
Conclusion
We have created our self-hosted email service
We also secured our server
We added extra TXT DNS entries to make our emails legitimate and keep them out of the spam folder.
Further Resources
Mail-in-a-Box Official Website
Mail-in-a-Box Github Repository
Written by
Mahad Ahmed
Mahad loves building mobile and web applications and is here to take you on a journey, filled with bad decisions and learning from mistakes, through this blog.