- About the Email Server
- Configuring the Email Server
- Using the Email Server
- Advanced Features
- Providing user feedback
- Technical info and discussion
- External links
available since: STILL UNDER CONSTRUCTION! (APP DISABLED BY DEFAULT)
About the Email Server
Once enabled, the FreedomBox Email Server can currently be used via IMAP clients and provides spam filtering features. Spam learning is not yet implemented, though, and antivirus is currently on hold. This is just the beginning. More e-mail related features and utilities are planned.
Ease of Use
The interfaces for admin and non-admin users are very simple for an email server. Unlike other apps in FreedomBox, this custom application integrates many Debian packages with quite a lot of glue code to make them all work together for a user-friendly, complete, secure, maintainable solution.
If the RoundCube web client is installed in FreedomBox, it will be automatically re-configured to work through the FreedomBox Email Server. This is convenient but intrusive and requires a bit of tweaking to avoid overriding existing RoundCube setups.
- If a Let's Encrypt certificate is available, it will be used to encrypt IMAP and SMTP connections.
After proper configuration, you'll be able to interoperate with popular email providers, but be aware that your privacy depends on the business practices of those providers.
Privacy is a practice, not a statistic. Its meaning varies with one's situation, habits, and emergency preparedness. Only if users understand what assets, adversaries, and attack vectors are in their threat model can they make effective use of privacy-enhancing technologies. Generally a threat model answers the following questions:
- What do you want to protect?
- Who are your adversaries?
- In what ways can your personal information get shared, sold, or stolen?
- What is your contingency plan? How are you preventing yourself from messing up?
- What happens if your threat model fails? What are some ways to mitigate the impact?
In this section we provide some examples of a threat model. We then introduce the practices and software features applicable for each threat model.
I don't want spam in my primary inbox
Asset: the name part of my primary email address
Adversaries: websites that display my email address publicly, companies that collect my email address for any purpose
Attack vectors: (to name a few)
- Public mailing lists display my email address, which spammers can scrape.
- My email appears in Git commits.
- My email is shared when I sign in with OAuth.
- In exchange for a discount offer (e.g. loyalty cards) I provided my email, and the merchant sold it to data brokers.
- To communicate with a company I provided my email which may be shared with their business partners.
Use a dedicated email alias for one-time communications.
- Use an email alias that is not similar to my primary email address.
- Refuse offers that require the collection of identifying information. No loyalty cards, and don't email me the receipt.
- Memorize a few email aliases by heart. Think about how to use them in different situations.
I don't like the fact that big companies are scanning my emails to my friends
Asset: the human-readable content and the computer-readable metadata of my emails
Adversaries: a third-party email host I want to avoid, a spam filtering service which may have access to email metadata
- Any single email host in the To/Cc lines will see the entire conversation.
- Some emails look self-hosted but are just forwarding addresses to a large provider.
- Should I trust the email clients my friends use?
- If using IMAP or POP3, some providers (like Gmail) log the client's IP address in the Received header. Is this something I want to prevent?
- Rspamd's ASN module uploads the delivering server's IP address. Is this something I want to prevent?
- Inspect email headers to get an idea of the sender's mail provider and software.
Offer your friends an e-mail account in your FreedomBox so they can communicate with each other in a secure environment maintained by you.
Make sure my users can access the RoundCube webmail interface.
- Test that I do not block VPNs or Tor exits, if my users prefer using a VPN or Tor.
- Maybe disable the ASN module.
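The header inspection suggested above, as an added example (not FreedomBox code): it walks the Received chain of a message to show which provider handled it, which mail software the sender used, and whether the sender's client IP was recorded at submission. The sample message, host names and function names are constructed for illustration, and the pattern assumes Postfix-style Received lines.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic); IPs are documentation ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby freedombox.example.org (Postfix) with ESMTPS id ABC123
\tfor <alice@freedombox.example.org>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.net (Postfix) with ESMTPSA id DEF456;
\tMon, 01 Jan 2024 10:00:01 +0000
From: Bob <bob@example.net>
To: alice@freedombox.example.org
Subject: hello
User-Agent: ExampleMail/1.0

hi
"""

# Postfix-style trace line: from HELO (rdns [ip]) by HOST ... with PROTOCOL
HOP_RE = re.compile(
    r"from (\S+) \((\S+) \[([^\]]+)\]\) by (\S+) .*?with (\S+)")

def received_hops(raw):
    """Return Received hops, oldest first (headers are stored newest first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            helo, rdns, ip, by, proto = m.groups()
            hops.append({"helo": helo, "rdns": rdns, "ip": ip,
                         "by": by, "with": proto})
    return hops[::-1]

def inspect(raw):
    """Summarise what the headers disclose about the sender."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    first = hops[0] if hops else None
    # ESMTPA/ESMTPSA (RFC 3848) mark an authenticated submission, so the
    # "from" address of that hop is the sender's own client, not a mail server.
    authed = first is not None and first["with"] in ("ESMTPA", "ESMTPSA")
    return {
        "provider": first["by"] if first else None,
        "client_ip": first["ip"] if authed else None,
        "software": msg.get("User-Agent") or msg.get("X-Mailer"),
    }

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

Run it against the raw source of a message you received; a non-empty `client_ip` means the sender's provider records client addresses in the trace headers.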
More advanced threat models require an even higher level of communication secrecy: Alice and Bob may not trust the email providers nor the network connecting both providers. End-to-end encryption can be achieved with GnuPG (see Free Software Foundation, Email Self-Defense Guide) or S/MIME. These methods alone however do not provide forward secrecy nor future secrecy. If forward and future secrecy is needed by your threat model, consider using XMPP OMEMO in place of emails.
First of all you need to go to the Apps menu.
If the Email Server is already installed, it will be shown above the Disabled line. This is likely not your case, but if it is, this chapter isn't for you and you ought to jump to the next one.
If the Email Server is shown among the icons below the Disabled line, it is either not yet installed or it is currently disabled. This is the usual starting status.
Select the Email Server app. You are presented with the Email Server app page. If not installed yet you'll be shown the Install button. Click on it!
Due to a known bug you might get this error:
- Error installing application: Error during installation E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.
Despite the message suggesting held packages, another usual cause is that another email server is already installed on the system, usually exim4 on Debian systems. It is usually there by default, but you don't need it, so you can just uninstall it. This can be done by accessing your FreedomBox via SSH and running:
sudo apt remove exim4-config exim4-daemon-light
Then you can try again.
This will trigger the installation process.
After installing all needed software packages, configuring them, etc., FreedomBox will tell you that the installation was successful, and the app page will show additional content such as the port information and several feature configuration forms organized in tabs.
Next time you go to the Apps Menu it will show the Email Server enabled (above the disabled line).
Configuring the Email Server
Log into FreedomBox web interface as an admin. Server configuration forms are hidden to regular users.
Go to Email Server app. Problems with the service are listed in the Service Alert section.
- Resolve all service problems.
Now as admin you can:
Add new users to your FreedomBox. Make sure they belong to the users group. Email users need a home folder. Due to a known bug FreedomBox doesn't create a home directory automatically for new users, so it needs to be created manually.
Override user-defined email aliases by specifying them in /etc/aliases (don't forget to run sudo newaliases after editing the file)
Additional configurations in your FreedomBox and in your domain name registry are needed to meet current security standards.
For the moment USE THIS SERVER ONLY FOR INTERNAL EMAILS (among FreedomBox users within the same machine) or in controlled testing environments. Attempts to send e-mail to regular services may get your IP address blacklisted due to unmet security measures.
Using the Email Server
This app is still under construction. USE THIS SERVER ONLY FOR INTERNAL EMAILS (among FreedomBox users within the same machine) or in controlled testing environments. Attempts to send e-mail to regular services may get your FreedomBox blacklisted due to unmet security measures.
As a user you can:
- Create a home folder from the web interface to start receiving emails.
- Once you have created a home folder, start sending and getting email within your local network using IMAP-enabled email clients.
Create and/or manage your email aliases in the Aliases tab of the Email Server app page in FreedomBox web interface.
Once an admin has configured RoundCube to work with the FreedomBox Email Server, you can log into RoundCube and start sending emails to your fellow FreedomBox users without the need for other email clients.
With FreedomBox Webmail Client (RoundCube)
RoundCube email client is provided by FreedomBox as an optional app. If RoundCube has been installed before the email server, setup will tell RoundCube to use the FreedomBox email service. Once both apps are installed, you have a complete webmail setup for you and your friends.
Open Thunderbird. Go to hamburger menu → New → Existing Mail Account. Enter a display name, your FreedomBox email address, and your FreedomBox password. Click continue.
FreedomBox implements the Automatic Account Configuration endpoint which Thunderbird will make use of.
Tell your email client to use these parameters:
Username: your FreedomBox login name (without the @domain part)
Incoming mail: IMAPS, port 993, forced SSL, normal password authentication
Outgoing mail: SMTPS, port 465, forced SSL, normal password authentication
STARTTLS on the SMTP submission port is also supported.
Email aliases are very useful for privacy. As a FreedomBox email user (you don't even need to be an admin) you can now have temporary throw-away and specific email addresses under your control. You can create, modify, and delete email aliases from the My Aliases tab of the Email Server page in the FreedomBox web interface.
Mails to non-existent users, non-existent aliases, or system users will be rejected at the SMTP connection level. Disabled aliases work like a "no reply" address: mails to those aliases will be dropped; the sender will not receive a failure code or bounce notification.
Having multiple email domains
Configuration at the Domains tab is needed.
- Log into the Plinth web interface as an admin.
Go to Email Server → Domains page. You will see a form like the snapshot below.
Edit $mydestination (make sure all of your email domains are listed in the variable)
Recommended domain settings:
The automatically appended domain part for locally submitted mails. Setting it to localhost should be okay.
- A fully-qualified domain name for your email addresses. It is the domain after the @ sign.
Typically hostname.$mydomain or just $mydomain - the internet hostname of this mail system. NOTE: Provide a reachable domain name to avoid email bouncing. If you don't have a domain name, use localhost.
The list of accepted domains for inbound mails. It must contain the values of $mydomain and $mydestination (dollar sign notation may be used). If you mess up this variable, Postfix may try to relay internal mails to the public internet, which is dangerous.
How to debug an action script failure? How to access the system log?
Open a secure shell connection to your FreedomBox and run:
sudo journalctl -b -o short-monotonic --no-pager
-b: show journal entries since boot
-o short-monotonic: use short timestamp format
--no-pager: make it easier to copy and paste
Why does the server say "relay access denied"?
This is because Postfix was not aware of the email domain. To fix that:
Ensure FreedomBox is aware of your internet domain name. If you don't have a domain name, skip to step 2.
- Log into the Plinth web interface as an admin.
Go to System → Name Services
- Add a domain name if you haven't done so.
- Repair the email server's configurations.
- Log into the Plinth web interface as an admin.
Go to Email Server app → Home.
Find the Service Alert section.
Click Repair next to the failed Postfix domain diagnosis.
If the problem persists or you could not find the Service Alert section:
- Log into the Plinth web interface as an admin
Go to Email Server → Domains
Edit $mydestination (make sure your email domain is listed in the variable; dollar sign notation is supported)
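The $mydestination check from the domain settings and from the "relay access denied" entry above, as an added example (not FreedomBox code): it expands dollar sign notation in `postconf -n` style output and reports which email domains Postfix would not treat as local. The sample configuration and function names are constructed, and the check assumes local delivery is governed by mydestination alone.

```python
import re

# Constructed sample in "postconf -n" format (name = value); not a real host.
SAMPLE_CONF = """\
mydomain = example.org
myhostname = freedombox.example.org
myorigin = localhost
mydestination = $myhostname, localhost.$mydomain, localhost
"""

def parse_postconf(text):
    """Parse 'name = value' lines into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def expand(value, params, depth=0):
    """Expand $name and ${name} references, as Postfix does."""
    if depth > 10:
        raise ValueError("parameter references are nested too deeply")
    def repl(match):
        name = match.group(1) or match.group(2)
        return expand(params.get(name, ""), params, depth + 1)
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", repl, value)

def local_domains(params):
    """Domains accepted for local delivery after expansion (lower-cased)."""
    expanded = expand(params.get("mydestination", ""), params)
    return {d.lower() for d in re.split(r"[,\s]+", expanded) if d}

def unlisted_domains(conf_text, email_domains):
    """Email domains missing from mydestination; mail to them is not local."""
    accepted = local_domains(parse_postconf(conf_text))
    return [d for d in email_domains if d.lower() not in accepted]

if __name__ == "__main__":
    wanted = ["example.org", "freedombox.example.org"]
    print("not in mydestination:", unlisted_domains(SAMPLE_CONF, wanted))
```

On the FreedomBox itself, feed it the output of `sudo postconf -n` instead of the sample text.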
Cannot send anything from Roundcube. It says "SMTP Error (250): Authentication failed".
Root cause: Roundcube tried to submit your email over an unencrypted connection, but ports 465 and 587 require SSL and STARTTLS encryption, respectively.
For RoundCube, edit the /etc/roundcube/config.inc.php file to make it use port 25 (unencrypted). Fix these settings:
$config['smtp_server'] = 'smtp://localhost';
$config['smtp_port'] = 25;
Access your FreedomBox via SSH.
You can edit the file with the nano text editor. The file is restricted, so you need to access it as superuser: sudo nano /etc/roundcube/config.inc.php
If using another email client like Thunderbird, enforce SSL or STARTTLS usage by the email client.
Providing user feedback
Please provide your feedback on usage on this forum thread.
Technical info and discussion
This salsa issue is driving the implementation. Feel free to join discussions and provide technical ideas.
Next call: Sunday, September 26 at 17:00 UTC
This page is copyright its contributors and is licensed under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.