This is the first post in a series about setting up an in-house outbound SMTP server with DKIM signing and smart host forwarding. Here you will find the steps to install the Haraka SMTP server, configure it to accept outbound mail, and run it as a system service.
Requirement: Node.js
You will need the npm command to install Haraka, and I found it was not available by default. To read the official instructions for this step, reference this page:
This is how I did it:
curl -fsSL https://deb.nodesource.com/setup_current.x | sudo -E bash -
apt install nodejs
The Haraka Application
With the prerequisites met, it’s as simple as this:
npm install -g Haraka
I will mention that several warnings and security issues were displayed about various dependencies. These are specific to Haraka and it’s safe to ignore most of them. If you are prompted about updating Node.js itself, go ahead and get the latest version.
Next, you need to choose a path for the server data. In this example, it’s /etc/haraka.
Issue this command to create the default configuration:
haraka -i /etc/haraka
For an outbound SMTP server, the recommended port number is 587, so we need to edit /etc/haraka/config/smtp.ini and change line 3 to the correct address for the server.
; address to listen on
listen=192.168.0.128:587
Also, we need to un-comment the nodes setting on line 25 to avoid nuisance status messages. Just set that to 1 for now.
nodes=1
The application isn’t fully configured yet, but you can run it to see if it’s working.
haraka -c /etc/haraka
User Credentials
To send outbound mail, it is recommended that you have a server certificate and a private key saved to PEM files that we will use in the configuration.
Let’s customize the file named /etc/haraka/config/plugins:
- The first un-commented default plugin is the dnsbl block list, and you can safely disable it if the server will be listening on the local network only.
- The tls plugin needs to be un-commented to enable user logins.
- The auth/flat_file plugin needs to be enabled to use a password list.
- The queue/smtp_forward plugin is not needed on outbound mail servers.
Now create the file /etc/haraka/config/tls.ini and point it to your certificate like so:
key=/etc/ssl/private/mykey.pem
cert=/etc/ssl/certs/mycert.pem
Finally, create the file /etc/haraka/config/auth_flat_file.ini with the new user credentials.
[core]
methods=PLAIN,LOGIN,CRAM-MD5
[users]
username1=passwordgoeshere
When everything goes well, you should be able to start the application and connect to it with your mail client. At this point, you might need to double check that the certificate authority is listed in your email client’s root trust list to avoid connection warnings.
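Before pointing a mail client at the server, it is worth confirming that every file touched above actually left its default state. The following pre-flight check is an added example, not part of the original post and not Haraka's own tooling: it reads the plugins, smtp.ini, tls.ini and auth_flat_file.ini files under the directory given to haraka -i and reports anything still at its default (a plugin not toggled, listen still on port 25, nodes still commented out, a missing key or certificate file, or no user defined). The directory layout comes from the post; the function names ini_get, plugin_enabled, has_flat_file_user and haraka_preflight are my own, and the sample configuration files in the test are constructed.

```shell
#!/bin/sh
# Pre-flight check for the outbound Haraka configuration built in this post.
# Usage: haraka_preflight /etc/haraka   (the directory given to "haraka -i")
# Assumes the post's layout: $1/config/{plugins,smtp.ini,tls.ini,auth_flat_file.ini}.

# Read the first "key=value" for $2 from a Haraka-style ini file $1.
# Lines starting with ';' are comments and never match, so a commented-out
# setting reads back as empty.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeed only if plugin $2 appears on its own, un-commented line of plugins file $1.
plugin_enabled() {
    grep -q "^[[:space:]]*$2[[:space:]]*$" "$1"
}

# Succeed only if the [users] section of auth_flat_file.ini $1 defines a user.
has_flat_file_user() {
    awk '/^\[users\]/ { s = 1; next }
         /^\[/        { s = 0 }
         s && /^[^;#[:space:]][^=]*=./ { n++ }
         END { exit n ? 0 : 1 }' "$1"
}

# Run every check; print each problem and return 1 if any check fails.
haraka_preflight() {
    confdir="$1/config"
    rc=0

    # 1. plugins: tls and auth/flat_file on, queue/smtp_forward off
    for p in tls auth/flat_file; do
        plugin_enabled "$confdir/plugins" "$p" \
            || { echo "plugins: $p is not enabled"; rc=1; }
    done
    if plugin_enabled "$confdir/plugins" queue/smtp_forward; then
        echo "plugins: queue/smtp_forward is enabled but not needed for outbound"
        rc=1
    fi

    # 2. smtp.ini: submission port 587, and nodes= un-commented
    listen=$(ini_get "$confdir/smtp.ini" listen)
    case "$listen" in
        *:587) ;;
        "")    echo "smtp.ini: no listen= setting"; rc=1 ;;
        *)     echo "smtp.ini: listen=$listen is not on port 587"; rc=1 ;;
    esac
    [ -n "$(ini_get "$confdir/smtp.ini" nodes)" ] \
        || { echo "smtp.ini: nodes= is still commented out"; rc=1; }

    # 3. tls.ini: the key and certificate it names must exist and be readable
    for k in key cert; do
        f=$(ini_get "$confdir/tls.ini" "$k")
        [ -n "$f" ] && [ -r "$f" ] \
            || { echo "tls.ini: $k=$f is missing or unreadable"; rc=1; }
    done

    # 4. auth_flat_file.ini: at least one login must be defined
    has_flat_file_user "$confdir/auth_flat_file.ini" \
        || { echo "auth_flat_file.ini: no users defined"; rc=1; }

    return $rc
}

# Run against the directory given on the command line, if any.
if [ -n "${1:-}" ]; then
    haraka_preflight "$1"
fi
```

Save it as a script and run it as the user the service will run as, so the readability test on the key file reflects the account that actually needs it; a clean run prints nothing and exits 0.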
The System Service
Eventually, you will want to automate everything. It’s not quite ready to do that out of the box, but you can grab this customizable service file to get ready:
At line 18 of that file, where it says /usr/bin/haraka, you would substitute the correct path, which is likely /usr/local/bin/haraka; you can check that with the whereis command. Where it says /path/to/your/config, you would substitute /etc/haraka or the appropriate value.
Copy the file to /etc/systemd/system/haraka.service
as described in the comments. The file also shows the commands needed to enable and start the service when you’re ready to run it in the background.
File Permissions
With the Haraka server up and running, please note the default file permissions will allow all Ubuntu users to read the config directory, including the email user credentials. Here is my suggestion for setting the permissions.
chmod -R 770 /etc/haraka
This eliminates the default global read permission, but might need to be adjusted for your environment.
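To see the problem before the chmod and to confirm it is gone afterwards, here is an added example that is not part of the original post: a POSIX shell audit that lists every entry under the Haraka config directory that the "other" class can read (the password file is the one that matters), and a helper that applies the post's chmod -R 770 and re-runs the audit. The function names are my own; the temporary directory and files used in the test are constructed.

```shell
#!/bin/sh
# Audit and tighten the permissions on a Haraka config directory.
# Usage: audit_config_perms /etc/haraka ; harden_config_perms /etc/haraka

# Print every entry under $1 that the "other" class can read.
# "-perm -004" is POSIX find syntax: match when the o+r bit is set.
world_readable() {
    find "$1" -perm -004
}

# Return 0 when nothing under $1 is world-readable; otherwise list the
# offenders with their symbolic mode strings and return 1.
audit_config_perms() {
    offenders=$(world_readable "$1")
    [ -z "$offenders" ] && return 0
    echo "world-readable entries under $1:"
    echo "$offenders" | while IFS= read -r f; do
        # ls -ld is portable; its first field is the symbolic mode (e.g. -rw-r--r--)
        echo "  $(ls -ld "$f" | cut -d' ' -f1)  $f"
    done
    return 1
}

# Apply the post's suggestion: owner and group keep full access, everyone
# else loses it. Run as root (or the owner), then re-audit to confirm.
harden_config_perms() {
    chmod -R 770 "$1" && audit_config_perms "$1"
}
```

The audit deliberately only looks at the "other" bits, which is what the post's chmod removes; whether the group that keeps access is the right one (the account the service runs as, and nothing broader) is a separate question that depends on how the service user was set up.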