Installing Modoboa, Let’s Encrypt & Ubuntu 16.04

Over the past month or so I’ve been trying out running my own email server. This came about due to warnings from Mailchimp about our newsletter emails potentially being marked as spam because we used a Gmail account and they could not verify the domain or identity of our email address. Thus the desire to try one of these self-hosted solutions that I could potentially use for friends and family needing email. Obviously I could have gone with a hosted solution and just set up my DNS per Mailchimp’s requirements, but what is the fun of that?

My first choice was mailinabox.email, which runs well and is fairly easy to set up. It consists of Postfix, Dovecot, Z-Push, Roundcube, ownCloud, SpamAssassin, Postgrey, Nginx and runs on Ubuntu 14.04. I opted to run this on Digital Ocean. The server handles all DNS for the domain you specify as the root domain to handle your email. It also allows you to set up many domains on the server with unlimited users, issuing of Let’s Encrypt certificates, etc. For me a couple of things were lacking in regards to user management. The Mailinabox website recommended two other platforms that had a slightly more advanced feature set, so I checked them both out. I chose Modoboa; I honestly liked the admin and user interface and management a little bit better, as well as the statistics for traffic and spam.

Modoboa runs a similar setup to Mailinabox.email but uses Amavis (with SpamAssassin and ClamAV) and uWSGI. I initially installed Modoboa on Ubuntu 14.04 and it operated well, but one feature that Modoboa is currently lacking is the ability to use Let’s Encrypt, which recently has been released for public use. When trying to implement Let’s Encrypt independently it was failing at issuing a cert, and my best guess was that because I was trying to do it with a Python application, Python was too old to work with Let’s Encrypt. I chose to re-image my server with Ubuntu 16.04, which had a newer version of Python and allowed me to install a distro-based Let’s Encrypt package.

The Install:

After your server is set up with the OS and you are logged in via the console or SSH, it’s pretty easy to install Modoboa. This tutorial is assuming you are using the default Nginx install. Simply issue these three commands:

However, I made sure I had a few things installed first. Using the installation instructions I installed first:

RRDTool binding packages for Python (according to the instructions all major distros have these available). Here is Debian/Ubuntu’s.

This application uses virtualenv to run Modoboa. Run the following command to install the dependencies it needs.

From here, I ran the above three commands to get the installer from git, change directory, and then run the installer. The process then takes between 5 and 15 minutes or so to install the required components. If you then have DNS set up you can log into your mail server to configure domains and users.

Installing Let’s Encrypt

Modoboa uses a self-signed certificate at the time of install to encrypt connections to the login page. This is not ideal, and I would recommend getting a signed certificate from NameCheap or GoDaddy. You can also use Let’s Encrypt to issue a free certificate that is renewed every 90 days or so. At this point, I used a tutorial provided by Digital Ocean that made it quite simple to set up.

To get started, run the following command after logging into the console or SSH on the server where you just set up Modoboa.

This will install the necessary packages needed to get certificates.

Next, edit your site config file in nginx:

In the SSL Server block add these lines:

Take notice of your document root in the file. My setup of Modoboa is located at: /srv/modoboa/instance. You will then need to make the folder for .well-known in the document root folder. Do the following:

Then check the configuration and restart nginx, as long as there are no errors:

You should be able to obtain certificates now for your server. Run:

The server will process the request and you will be presented with two windows:

Enter an email to get notices.


Then accept the ToS.


Your certificate should be created. Now we need to insert it into our nginx site-available file that we edited earlier.

For more security, you can also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:

Just below the lines for the .well-known path, add the following. Note that we update the cert and key paths to the Let’s Encrypt certificate and define the Diffie-Hellman parameters file at the very bottom:

As you will notice, I commented out the lines that were placed in there by default. I am using the suggested security settings for nginx from Cipherli.st. Test your nginx config and restart nginx:

At this point, your certificates should be working and you can test them at ssllabs.com to verify. Next we will want to enable auto-renewal of our certificates. Edit your crontab to do so.

And add the following lines at the bottom of the file.

This will check every Monday at 2:30 to see if the certificate needs to be renewed, and then restart the web service.
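The end state of the steps above can be checked mechanically. The following is an added example, not the author's commands or configuration: a shell function that audits an nginx server block for the four settings this walkthrough introduces, ignoring the commented-out defaults. The two sample configs, the hostname mail.example.test and the /etc/ssl/placeholder paths are constructed; only the document root /srv/modoboa/instance comes from the post.

```shell
#!/usr/bin/env bash
# Added example: audit an nginx server block for the TLS settings this walkthrough adds.
# Sample hostnames and certificate paths below are constructed placeholders.

audit_tls_conf() {   # prints one line per missing setting; returns 1 if any are missing
    local conf=$1 active missing=0
    active=$(sed 's/#.*$//' "$conf")    # ignore commented-out directives
    need() {                            # need "<description>" "<extended regex>"
        printf '%s\n' "$active" | grep -Eq "$2" && return 0
        echo "MISSING: $1"; missing=1
    }
    need "location block for /.well-known (webroot challenge)" 'location[^{]*\.well-known'
    need "ssl_certificate under /etc/letsencrypt/live" \
         'ssl_certificate[[:space:]]+/etc/letsencrypt/live/[^;]+/fullchain\.pem;'
    need "ssl_certificate_key under /etc/letsencrypt/live" \
         'ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/[^;]+/privkey\.pem;'
    need "ssl_dhparam pointing at a generated DH group" 'ssl_dhparam[[:space:]]+[^;]+;'
    return "$missing"
}

sample_dir=$(mktemp -d)
cat > "$sample_dir/before.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name mail.example.test;
    root /srv/modoboa/instance;
    ssl_certificate     /etc/ssl/placeholder/selfsigned.cert;
    ssl_certificate_key /etc/ssl/placeholder/selfsigned.key;
}
EOF
cat > "$sample_dir/after.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name mail.example.test;
    root /srv/modoboa/instance;
    location ~ /.well-known { allow all; }
    #ssl_certificate     /etc/ssl/placeholder/selfsigned.cert;
    #ssl_certificate_key /etc/ssl/placeholder/selfsigned.key;
    ssl_certificate     /etc/letsencrypt/live/mail.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.test/privkey.pem;
    ssl_dhparam         /etc/ssl/placeholder/dhparam.pem;
}
EOF

for f in before after; do
    echo "== $f.conf"
    audit_tls_conf "$sample_dir/$f.conf" && echo "OK: all settings present"
done
```

The function's exit status is non-zero when any setting is missing, so it can gate a script that restarts nginx after editing the site file.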

Further information you should consult:


2 Comments on "Installing Modoboa, Let’s Encrypt & Ubuntu 16.04"

sparrowhawk

Hi, is your Modoboa install still running on Ubuntu 16.04? I’m about to follow your instructions, so would appreciate any comments.
