Introduction

After years of relying on cloud-based mail forwarding services like NOIP, I decided to take full control of my corporate email infrastructure by migrating to a self-hosted email server. This move offers enhanced privacy, customizability, and cost savings in the long run. In this guide, I’ll walk through the complete migration process, from setting up Postfix as the MTA to integrating Dovecot for IMAP/POP3, securing the server with Let’s Encrypt SSL certificates, and hardening it with Fail2ban and SpamAssassin.

Why Self-Host Email?

Cloud mail forwarding services are convenient but often come with limitations: restricted storage, lack of control over spam filtering, and potential privacy concerns. Self-hosting gives you full ownership of your email data, the ability to configure custom rules, and the freedom to scale as needed. For a corporate environment, this can be a game-changer.

Prerequisites

Before diving in, ensure you have:

  • A Linux server (Ubuntu 20.04+ recommended) with root access.
  • A registered domain name (e.g., example.com).
  • DNS control to set MX, A, and TXT records.
  • Basic familiarity with the command line.

Step 1: Install and Configure Postfix

Postfix will handle outgoing mail (SMTP). Install it with:

sudo apt update
sudo apt install postfix

During installation, select ‘Internet Site’ and enter your domain. Then edit /etc/postfix/main.cf:

myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/

Restart Postfix: sudo systemctl restart postfix

Step 2: Install Dovecot for IMAP/POP3

Dovecot provides email retrieval. Install it:

sudo apt install dovecot-imapd dovecot-pop3d

Configure /etc/dovecot/dovecot.conf:

protocols = imap pop3
mail_location = maildir:~/Maildir

Enable SSL in /etc/dovecot/conf.d/10-ssl.conf:

ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

Restart Dovecot: sudo systemctl restart dovecot

Step 3: Secure with Let’s Encrypt SSL

Install Certbot:

sudo apt install certbot python3-certbot-apache

Obtain a certificate for mail.example.com:

sudo certbot certonly --standalone -d mail.example.com

Certbot will place certificates in /etc/letsencrypt/live/mail.example.com/. Auto-renewal is handled by a systemd timer.

Step 4: Harden with Fail2ban

Fail2ban protects against brute-force attacks. Install it:

sudo apt install fail2ban

Create a local jail file /etc/fail2ban/jail.local:

[postfix]
enabled = true
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
bantime = 3600

[dovecot]
enabled = true
port = pop3,imap
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3
bantime = 3600

Restart Fail2ban: sudo systemctl restart fail2ban

Step 5: Add SpamAssassin

SpamAssassin filters spam. Install it:

sudo apt install spamassassin spamc

Enable the service and start it:

sudo systemctl enable spamassassin
sudo systemctl start spamassassin

Integrate with Postfix by editing /etc/postfix/master.cf:

smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
...
spamassassin unix -       n       n       -       -       pipe
  flags=R user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Restart Postfix: sudo systemctl restart postfix

Step 6: DNS Configuration

Set up DNS records for your domain:

  • MX record: example.commail.example.com (priority 10)
  • A record: mail.example.com → your server IP
  • SPF record: v=spf1 mx ~all (TXT record)
  • DKIM (optional): Generate keys and add a TXT record.

Wait for DNS propagation (up to 48 hours).

Step 7: Migrate Existing Emails

If you have emails from the forwarding service, use imapsync to transfer them. Install it:

sudo apt install imapsync

Run:

imapsync --host1 oldserver --user1 user@example.com --password1 oldpass \
         --host2 localhost --user2 user@example.com --password2 newpass \
         --ssl1 --ssl2

Testing and Verification

Send a test email from an external account to your new server. Check logs:

tail -f /var/log/mail.log

Verify IMAP access with an email client (e.g., Thunderbird) using mail.example.com, port 993 (IMAP SSL) or 587 (SMTP submission).

Conclusion

Migrating from a mail forwarding service to a self-hosted server is a rewarding process that gives you complete control over your email infrastructure. With Postfix, Dovecot, Let’s Encrypt, Fail2ban, and SpamAssassin, you have a robust, secure, and scalable solution. While the initial setup requires careful attention, the long-term benefits far outweigh the effort.