# How can I build a webmail on FreeBSD?



## rtsiresy (Mar 6, 2019)

Hello guys,
so my question is: how can I build a mail server on FreeBSD which serves a webmail interface (that I made with PHP & HTML) and is public; and by public I mean that the webmail interface can be accessed from anywhere in the world and the mail server is able to send and receive mail to/from other mail services like Gmail or Yahoo...
To be clear, I just need to know the steps I have to go through, with examples of programs that can be used in each step...

I'd be thankful for any help...


----------



## tommiie (Mar 6, 2019)

A tutorial which really explains all the different steps and pieces involved is: https://workaround.org/ispmail. Although it uses Debian you can adapt it for FreeBSD. If not, at least you'll know what a daunting task you're up against.


----------



## rtsiresy (Mar 6, 2019)

Okay thanks... I'll be looking at it...


----------



## obsigna (Mar 6, 2019)

Just another guide on setting up a mail server including webmail on FreeBSD: Home Mail Server with TLS and non-Plaintext Authentication (obsigna.com)


----------



## SirDice (Mar 6, 2019)

rtsiresy said:


> which serves webmail interface (that I made upon php & html) and is public;


Why do I have the feeling this is an accident waiting to happen? Note that your website can and will get attacked the very minute you put it out on the internet. Judging by your other questions I very much doubt your website is coded securely enough and is likely to get ransacked within a couple of days. 

I'm not trying to put you down, you just need to be acutely aware that this isn't something you can whip up in a couple of nights. I would strongly suggest using an existing webmail frontend. Frontends like Roundcube and SquirrelMail have been around for years and even those have regular security issues.


----------



## olli@ (Mar 6, 2019)

There's one important thing to keep in mind: Many ISPs block port 25. You'd better make sure that your ISP doesn't, otherwise you'll have a hard time setting up a mail server.


----------



## drhowarddrfine (Mar 7, 2019)

Chapter 28: Electronic Mail
As always, you can find a lot of information in the Handbook. It's not specific to everything you want to do, but it gives you some information to start.


----------



## rtsiresy (Mar 7, 2019)

Okay guys... just so you know, this is for learning purposes... I'm not going to create my own domain... I'm just testing a little env for study... so don't worry about me guys, I'm fine...


----------



## rtsiresy (Mar 7, 2019)

And thanks a lot guys... that was a really tough talk...
Special thanks to *obsigna*, the article was just perfect.


----------



## rootbert (Mar 7, 2019)

I suggest you try mailpile.is, Roundcube or RainLoop as webmail, with Roundcube probably the most common and with the most extensions.


----------



## ucomp (Mar 7, 2019)

olli@ said:


> ..... Many ISPs block port 25. You'd better make sure that your ISP doesn't...



This is called the outgoing relay, which you set up in your MTA.
To say it more simply:
you cannot send mail, e.g. to Google, from your non-authorised host
if your MTA is not set up to send via an authorised ISP which acts as your outgoing relay.
Just try it out: boot up your "naked" MTA, send mail to Google and receive your message that you're rejected.
---edit: --
Don't do that too often, you won't like it when your IP is publicly blacklisted as a spam attacker ;-)
--


----------



## SirDice (Mar 7, 2019)

That's Google using an RBL or some other form of verification. That has nothing to do with ISPs blocking incoming or outgoing traffic on port 25. When an ISP blocks port 25 you just get time-outs. This is to prevent malware from spreading as a lot of malware uses its own SMTP connections to connect to the receiving mail domain directly. _Incoming_ connections to port 25 are often blocked too as it's easy to set up a mail server as an open relay (which then gets abused to send truckloads of spam).


----------



## ucomp (Mar 7, 2019)

SirDice said:


> That's Google using an RBL ...


Absolutely true:


rtsiresy said:


> ......and the mailserver is able to send and receive mails to/from other mail service like gmail or yahoo ...




---edit:--
... or in other words:
If your MTA/authorised outgoing relay is set up correctly, Gmail won't block or blacklist your IP.


----------



## SirDice (Mar 7, 2019)

Different kind of setup. If your own mailserver _delivers_ mail to gmail (because the recipient is a gmail address) then Google isn't going to block it. If you have your own mail domain and want to use Google as a smarthost then yes, you need to be authorized.


----------



## ucomp (Mar 7, 2019)

SirDice said:


> ....If your own mailserver _delivers_ mail to gmail (because the recipient is a gmail address) then Google isn't going to block it. .....


Sorry, but this time it's not absolutely exactly true.
It depends on the setup of your MTA and on your IP whether Gmail will block or not.
At least that's my experience.
--
The reject message from Gmail looks like this, as far as I remember:
"Your IP is not authorised to deliver mail to Gmail....", I don't remember the exact text.


----------



## SirDice (Mar 7, 2019)

My mail server isn't anything special and Gmail happily accepts my mail as long as it's destined for Gmail addresses. I don't use Gmail to relay though.

I've had many discussions with brain-dead mail admins that insist _outgoing_ mail servers require an MX record and block you if this isn't the case. Which is stupid, lots of large installations have incoming and outgoing mail split up. The MX records are for _incoming_ mailservers only, so my _outgoing_ mailservers don't require one.


----------



## ucomp (Mar 7, 2019)

SirDice said:


> I don't use Gmail to relay though.


Nearly absolutely correct this time again.
You don't use Gmail to relay through, but I assume you relay through an authorised IP...
So that's what I said:
without a correctly set up outgoing relay (not necessarily Gmail) they will block.
---- edit :----
One more thing to pay attention to: the PTR (reverse record);
it depends on the ISPs whether they check it or not...
---


----------



## SirDice (Mar 7, 2019)

ucomp said:


> but I assume you relay through an authorised ip...


There is NO relay involved. My mail server _delivers_ mail to Gmail. Nothing more, nothing less. This doesn't require _any_ authorization whatsoever. If this would require authorization nobody would be able to send email to Gmail addresses.

My own mail server does require authentication for sending mail or else anyone would be able to abuse my server. However _incoming_ deliveries (mail destined for my domain) don't require any authorization either (or else nobody would be able to send mail to my domain).


----------



## ucomp (Mar 7, 2019)

SirDice said:


> There is NO relay involved. My mail server delivers mail to Gmail.



This proves that your following statement is clearly wrong :-) (.. just kidding):


SirDice said:


> My mail server isn't anything special.....


It's very special: your IP is not blocked by Google and you don't host an open relay, very good setup!

Well, why did I discuss the relay thing?
The TO's server is sitting in his office and I smell that its IP could be blocked by Gmail.
I could swear that SirDice's MTA is in the cloud or co-located elsewhere ;-)

... as always an interesting discussion with you


----------



## olli@ (Mar 7, 2019)

SirDice is correct. I'm also running my own mail server (MTA) for my own domain (I'm also running my own DNS). I can send mail to gmail users without problems. I'm not using my ISP's mail server or anything. My ISP _only_ provides bandwidth, nothing else. All other things I implement myself.

Google (and many others) only blocks IPs that are on common RBLs, or that are otherwise “known bad” (such as dynamic IP ranges from DSL and cable providers). My own mail server also uses several RBLs, of course.


----------



## ucomp (Mar 7, 2019)

olli@ said:


> “known bad” (such as dynamic IP ranges from DSL and cable providers). ....


Exactly, that's what I wanted to say to the TO because:


rtsiresy said:


> ....the server is at my workplace ... .


(from his other thread)

--- edit: ---
Even static IPs from cable providers (which could in fact be from "dynamic ranges") could be blocked.
---edit:---
In other words, if olli and SirDice get their perfectly managed servers from the data center and put them in an office whose IP is known to be bad or unknown (no matter whether static or dynamic), they might need to re-administer, e.g. with an outgoing relay.....


----------



## ucomp (Mar 7, 2019)

Here is the case:
......:
--
```
[203.0.113.2] The IP you're using to send mail is not authorized to
550-5.7.1 send email directly to our servers. Please use the SMTP relay at your
550-5.7.1 service provider instead. Learn more at
550 5.7.1  https://support.google.com/mail/?p=NotAuthorizedError h1si7104782plt.44 - gsmtp (in reply to end of DATA command)
```
---

'The IP you're using to send email is not authorized...' - Gmail Help (support.google.com)

.. exactly that ;-)


----------



## roper (Mar 7, 2019)

> [203.0.113.2]


They're not going to accept mail from bogon space. Administering a flaky mail server running under Windows was what brought me to FreeBSD back in the early 2000s. It worked for me, but the learning curve is steep and the way is fraught with peril.


----------



## obsigna (Mar 8, 2019)

For successfully operating a home mail server on a dynamic IP, with a webmail interface, the following 3 essential requisites must be met:

1. Your ISP must not block TCP in on ports 25, 443, 993, 995, and TCP in/out on port 587.
2. You need at least one outgoing SMTP relay service on a static IP address, which accepts your outgoing mail after SMTP authentication on port 587 for relaying it to the destination. (I got 2. One is provided by the domain hosting service which I use, and another one I set up myself on an AWS EC2 instance running Postfix on FreeBSD 12.)
3. You should have set up dynamic DNS services which point to your dynamic home IP address, and which must allow you to specify the MX (your home server) and ideally also a TXT record. The latter is for SPF, which Google Mail honors quite a lot when it comes to deciding whether to accept mail for their end users or not, and whether to mark it as spam or not.

It is worth emphasizing that we want TCP *in* 25, and that in case the ISP does not block TCP out 25, we may want to block it ourselves at the firewall. All our mail would only go out on TCP 587 directly to our external mail relay, which then does the rest of the job.
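A configuration that implements the three requisites above, added here as an example and not taken from the thread or from obsigna's guide: a pf ruleset that admits the listed inbound ports and lets outgoing mail leave only as authenticated submission to the relay, plus the Postfix settings that authenticate to that relay and keep the home server from being an open relay. The interface name, relay host, domain and certificate paths are placeholders.

```conf
# ---- /etc/pf.conf (fragment) ----------------------------------------------
# Assumptions: em0 faces the ISP; relay.example.net is a placeholder for the
# static-IP relay of requisite 2. pf resolves the name when the ruleset loads.
ext_if = "em0"
relay  = "relay.example.net"

set skip on lo0
block in all
block return out all

# Requisite 1, inbound: SMTP (MX delivery), HTTPS (webmail), IMAPS, POP3S, submission
pass in on $ext_if proto tcp to ($ext_if) port { 25, 443, 993, 995, 587 } \
    flags S/SA keep state

# Outgoing mail leaves only as authenticated submission to the relay. Direct
# port-25 delivery is blocked locally even if the ISP allows it, so a hijacked
# account or webmail cannot spray mail from the "known bad" home IP.
block return out quick on $ext_if proto tcp to any port 25
pass out on $ext_if proto tcp from ($ext_if) to $relay port 587 flags S/SA keep state

# DNS, NTP, dynamic-DNS updates and package fetches
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port { 53, 123, 80, 443 }

# ---- /usr/local/etc/postfix/main.cf (fragment) ----------------------------
# main.cf only treats "#" at the start of a line as a comment, hence no trailing
# comments. Hostnames and certificate paths are placeholders.
myhostname = mail.home.example.net
mydomain = home.example.net
mydestination = $myhostname, $mydomain
# Requisite 2: hand every outgoing message to the relay on 587, SASL over mandatory TLS
relayhost = [relay.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
# Inbound: TLS offered on 25, authentication only over TLS, and no open relay:
# unauthenticated clients may deliver to our own domain only
smtpd_tls_security_level = may
smtpd_tls_cert_file = /usr/local/etc/ssl/mail.crt
smtpd_tls_key_file = /usr/local/etc/ssl/mail.key
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
```

The sasl_passwd map holds one line, `[relay.example.net]:587 user:password`, and is compiled with `postmap`; port 587 on the home server itself is opened by the submission entry in master.cf.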


----------



## ucomp (Mar 8, 2019)

roper said:


> .... Administering a flaky mail server running under Windows was what brought me to FreeBSD back in the early 2000's. .....


lol, those were the times; my MS IIS experiment in the early 2000s on a home IP was shut down within 5 minutes by a root attack from friends




obsigna said:


> For successfully operating a home mail server on a dynamic IP,......


Your good explanation is even valid for successfully operating a home mail server on a
*static* IP (depends on the provider of course)....


----------



## SirDice (Mar 8, 2019)

ucomp said:


> ```
> [203.0.113.2] The IP you're using to send mail is not authorized to
> 550-5.7.1 send email directly to our servers. Please use the SMTP relay at your
> 550-5.7.1 service provider instead. Learn more at
> ...
> ```





> In order to prevent spam, Gmail refuses mail from IP addresses that are not authorized to send mail. *The determination of whether or not an IP address is authorized to send mail is made by the ISP that provides you with the IP address.* This list typically contains consumer IP ranges offered for dialup, DSL, or other broadband access.


So it's your ISP that told Gmail to refuse email from your IP. My ISP has clearly not done this:

```
dice@maelcum:~ % nc alt1.gmail-smtp-in.l.google.com 25
220 mx.google.com ESMTP t18si6888565pgh.89 - gsmtp
EHLO sirdice.nl
250-mx.google.com at your service, [2001:XXXX:XXXX:XXXX::1]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
MAIL FROM: <admin@sirdice.nl>
250 2.1.0 OK t18si6888565pgh.89 - gsmtp
RCPT TO: <sirdice@gmail.com>
250 2.1.5 OK t18si6888565pgh.89 - gsmtp
DATA
354  Go ahead t18si6888565pgh.89 - gsmtp
subject: some test
hello world
```
(This is a test from my home connection)


----------



## ucomp (Mar 8, 2019)

SirDice said:


> So it's your ISP that told Gmail to refuse email from your IP.


That's not my personal IP (my MTAs are all in working state, on bare metal next to me, in the cloud or elsewhere)... it's an example for all who want to set up their own MTAs.
So you're absolutely right again:
we got the main message now:
the configuration of an MTA depends on the server's environment and on the ISP's environment.
And: Yes we can! (set up our own MTAs, mostly even in suboptimal environments),
e.g. nicely described by user obsigna..
--- edit:---
The other side of the coin is:
The administration of an "own" mail server (whatever "own" means) in a production environment is only for professionals (whatever this means). You cannot say: "Hey friends, come all to my new OWN mail server, which I've set up with the help of the FreeBSD forum."
The risk is too high that you'll lose all your friends in the next days..."


----------

