Installing Haraka in Ubuntu 20.04

This is the first post in a series about setting up an in-house outbound SMTP server with DKIM signing and smart host forwarding. Here you will find the steps to install the Haraka SMTP server, configure it to accept outbound mail, and run it as a system service.

Requirement: Node.js

You will need the npm command to install Haraka, and I found it was not available by default. To read the official instructions for this step, reference this page:

Node.js Binary Distributions

This is how I did it:

curl -fsSL https://deb.nodesource.com/setup_current.x | sudo -E bash -

apt install nodejs

The Haraka Application

With the prerequisites met, it’s as simple as this:

npm install -g Haraka

I will mention that several warnings and security issues were displayed about various dependencies. These are specific to Haraka and it’s safe to ignore most of them. If you are prompted about updating Node.js itself, go ahead and get the latest version.

Next, you need to choose a path for the server data. In this example, it’s /etc/haraka

Issue this command to create the default configuration:

haraka -i /etc/haraka

For an outbound SMTP server, the recommended port number is 587, so we need to edit the /etc/haraka/config/smtp.ini and change line 3 to the correct address for the server.

; address to listen on
listen=192.168.0.128:587

Also, we need to un-comment the nodes setting on line 25 to avoid nuisance status messages. Just set that to 1 for now.

nodes=1

The application isn’t fully configured yet, but you can run it to see if it’s working.

haraka -c /etc/haraka

User Credentials

To send outbound mail, it is recommended that you have a server certificate and a private key saved to PEM files that we will use in the configuration.

Let’s customize the file named /etc/haraka/config/plugins

  • The first un-commented default plugin is the dnsbl block list and you can safely disable it if server will be listening to the local network only.
  • The tls plugin needs to be un-commented to enable user logins.
  • The auth/flat_file plugin needs to be enabled to use a password list.
  • The queue/smtp_forward plugin is not needed on outbound mail servers.

Now create the file /etc/haraka/config/tls.ini and point it to your certificate like so:

key=/etc/ssl/private/mykey.pem
cert=/etc/ssl/certs/mycert.pem

Finally, create the file /etc/haraka/config/auth_flat_file.ini with the new user credentials.

[core]
methods=PLAIN,LOGIN,CRAM-MD5

[users]
username1=passwordgoeshere

When everything goes well, you should be able to start the application and connect to it with your mail client. At this point, you might need to double check that the certificate authority is listed in your email client’s root trust list to avoid connection warnings.

The System Service

Eventually, you will want to automate everything. It’s not quite ready to do that out of the box, but you can grab this customizable service file to get ready:

Haraka systemd Unit File

At line 18 of that file, where it says /path/to/your/config you would substitute /etc/haraka or appropriate value. Copy the file to /etc/systemd/system/haraka.service as descried in the comments. The file also shows the commands needed to enable and start the service when you’re ready to run it in the background.

Leave a Reply

Your email address will not be published.