Set up a Mail server postfix/dovecot/roundcubemail Linux/Debian

Create a new user:

adduser user
usermod -aG sudo user

Install postfix/dovecot

apt install postfix dovecot-core dovecot-imapd

Install Certbot and Let's Encrypt

apt install certbot
certbot certonly --standalone -d
postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/<your.domain>/fullchain.pem'
postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/<your.domain>/privkey.pem'

nano /etc/postfix/

uncomment the following lines:
submission inet n       -       n       -       -       smtpd

nano /etc/postfix/

add the following 
mydomain =
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname

nano /etc/dovecot/dovecot.conf

listen = *, ::

nano /etc/dovecot/conf.d/10-auth.conf
update the following lines as below:
disable_plaintext_auth = no
auth_mechanisms = plain login

nano /etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}

systemctl restart postfix
systemctl restart dovecot.service

Install PHP

apt install php php-cli php-gd php-intl php-fpm php-curl php-imagick php-mysql php-zip php-xml php-mbstring php-bcmath -y

Create database

mysql -u root -p 
create database roundcube_db;
grant all on roundcube_db.* to roundcube_user@localhost identified by  'roundcube_db_password';

Install Roundcubemail

cd /var/www/
tar -xvf roundcubemail-1.4.10-complete.tar.gz
rm roundcubemail-1.4.10-complete.tar.gz
mv roundcubemail-1.4.10/ roundcubemail
chown www-data:www-data -R /var/www/roundcubemail

Install Nginx

apt install nginx

Add the following server blocks to the Nginx site configuration:

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    # same directory the Roundcube tarball was extracted to above
    root /var/www/roundcubemail;
    index index.php index.htm index.html;
    ssl_certificate  /etc/letsencrypt/live/;
    ssl_certificate_key  /etc/letsencrypt/live/;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php(?:$|/) {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        fastcgi_intercept_errors on;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
    }
}

Install Roundcube

Open the Roundcube installer in a web browser, then remove the installer folder:

rm -fr /var/www/roundcubemail/installer/

Harden Your Mail Configuration

SPF (Sender Policy Framework)

You create an SPF record that identifies your mail servers via their IP addresses and then publish the SPF record to your domain’s overall DNS.

TXT record - domain
v=spf1 a mx ~all

DKIM (DomainKeys Identified Mail)

DKIM involves adding a cryptographic key to your domain’s DNS.

TXT record - default._domainkey
KEY

Test key:
opendkim-testkey -d -s default -vvv

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is used along with SPF and/or DKIM. DMARC, like SPF and DKIM, involves adding a record to your DNS, indicating that you are using SPF and/or DKIM for authentication.

TXT record - _dmarc
v=DMARC1; p=reject; rua=mailto:dmarc@domain; ruf=mailto:dmarc@domain; pct=100; adkim=s; aspf=s;
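
The SPF and DMARC TXT values above can be linted offline before they are published. This is an added example, not part of the original guide: a small Python check whose function names (check_spf, check_dmarc) are hypothetical, run against the record text shown on this page.

```python
# Added example, not the page's own code: offline lint of SPF/DMARC TXT values.
PAGE_SPF = "v=spf1 a mx ~all"  # record text as shown on this page
PAGE_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc@domain; "
              "ruf=mailto:dmarc@domain; pct=100; adkim=s; aspf=s;")

def check_spf(record):
    """Return findings for an SPF record (the first 'all' sets the default)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return ["no 'all' mechanism: unmatched senders get a neutral result"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    if qualifier in "+?":
        return ["'%sall' does not restrict who may send" % qualifier]
    if qualifier == "~":
        return ["~all is softfail; -all is the fail qualifier"]
    return []

def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means none."""
    if record.split(";")[0].replace(" ", "") != "v=DMARC1":
        return ["record does not start with v=DMARC1"]
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if v.strip()}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy != "reject":
        findings.append("p=%s does not ask receivers to reject" % policy)
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        findings.append("pct must be an integer from 0 to 100")
    elif int(pct) < 100:
        findings.append("policy covers only %s%% of failing mail" % pct)
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append("%s must be r (relaxed) or s (strict)" % tag)
    for tag in ("rua", "ruf"):
        for uri in filter(None, map(str.strip, tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                findings.append("%s is not a mailto: address: %s" % (tag, uri))
    return findings

if __name__ == "__main__":
    print(check_spf(PAGE_SPF), check_dmarc(PAGE_DMARC))
```

The DMARC record from this page passes cleanly; the SPF record is reported only for its ~all softfail qualifier.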

Hardening Postfix Web link