Client Area

Deploy a Secure Email Server on a Hong Kong VPS — Step‑by‑Step Tutorial

Running your own email infrastructure on a virtual private server offers full control, higher privacy, and the flexibility to meet corporate policies. This guide walks through deploying a robust, secure email server on a Hong Kong VPS with practical, technical steps, configuration snippets, and operational recommendations targeted at webmasters, enterprises, and developers. It also contrasts the Hong Kong Server choice with US VPS/US Server deployments and gives concrete buying suggestions.

Why host your own mail server?

Hosting an email server on a VPS gives you full data sovereignty, fine-grained security controls, and the ability to integrate custom spam filtering, archival, and compliance tooling. Compared with relying purely on third-party SaaS email providers, a self-hosted solution can reduce long-term costs and allow for tailored workflows. For organizations serving Hong Kong, APAC, or nearby regions, choosing a Hong Kong Server can also reduce latency for local users and simplify compliance with regional regulations.

High-level architecture and components

An email stack typically consists of several cooperating components. A standard, secure setup includes:

  • MTA (Mail Transfer Agent): Postfix or Exim to receive and send SMTP traffic.
  • MDA (Mail Delivery Agent) / IMAP server: Dovecot to provide mail access (IMAP/POP3) and local delivery (Maildir).
  • Anti-spam and antivirus: SpamAssassin, rspamd, ClamAV or other filters.
  • DKIM signing: OpenDKIM to sign outgoing messages.
  • TLS: Let’s Encrypt certificates automated via Certbot for SMTP/TLS and webmail HTTPS.
  • Authentication / user backend: system users, LDAP, or SQL (MariaDB/Postgres).
  • Webmail / Management: Roundcube, RainLoop, or SOGo for web access; admin UI such as iRedAdmin or a custom panel.

Recommended ports and services

  • 25 — SMTP (incoming/outbound). Use strict firewall rules and rate-limiting.
  • 465 — SMTPS (submission over TLS) or 587 — SMTP submission (STARTTLS).
  • 110 / 995 — POP3 / POP3S (legacy).
  • 143 / 993 — IMAP / IMAPS (use 993 for secure IMAP).
  • 80 / 443 — HTTP / HTTPS for webmail and ACME challenges.

Step-by-step deployment (Ubuntu 22.04 example)

The following commands are examples; replace domain.com with your domain and adjust usernames accordingly. Assume root or a user with sudo.

1. Provision VPS and secure baseline

  • Choose a Hong Kong VPS with IPv4 (and IPv6 if needed). Allocate at least 2 CPU cores, 4 GB RAM, and 40 GB SSD for a small team; increase for larger mail volume.
  • Initial system hardening:
    • Update packages: sudo apt update && sudo apt upgrade -y
    • Create a non-root admin user and disable password root login in /etc/ssh/sshd_config.
    • Install basic tools: sudo apt install ufw fail2ban postfix dovecot-core dovecot-imapd certbot -y
  • UFW firewall example:
    • sudo ufw allow OpenSSH
    • sudo ufw allow 25/tcp
    • sudo ufw allow 587/tcp
    • sudo ufw allow 993/tcp
    • sudo ufw enable

2. Install and configure Postfix (MTA)

During Postfix installation choose “Internet Site” and set the system mail name to domain.com. Key configuration snippets in /etc/postfix/main.cf:

  • myhostname = mail.domain.com
  • myorigin = /etc/mailname
  • mydestination = localhost, localhost.localdomain, domain.com, mail.domain.com
  • inet_interfaces = all
  • smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.com/fullchain.pem
  • smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.com/privkey.pem
  • smtpd_tls_security_level = may
  • smtpd_tls_auth_only = yes
  • smtp_tls_security_level = may
  • smtpd_sasl_type = dovecot
  • smtpd_sasl_path = private/auth
  • smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023

3. Dovecot for IMAP/POP3 and SASL

Configure Dovecot to provide authentication for Postfix and serve Maildir. Example additions:

  • /etc/dovecot/conf.d/10-mail.conf:
    • mail_location = maildir:~/Maildir
  • /etc/dovecot/conf.d/10-auth.conf:
    • disable_plaintext_auth = yes
    • auth_mechanisms = plain login
    • !include auth-system.conf.ext
  • /etc/dovecot/conf.d/10-master.conf: configure private/auth socket for Postfix SASL:

    • unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
      }

4. TLS with Let’s Encrypt

Obtain certs and set up auto-renewal:

  • sudo certbot certonly --standalone -d mail.domain.com -m admin@domain.com --agree-tos
  • Reload Postfix and Dovecot after cert issuance: sudo systemctl reload postfix dovecot

5. DKIM, SPF, and DMARC

These are critical to pass receiving servers’ spam checks.

  • Install OpenDKIM: sudo apt install opendkim opendkim-tools -y
  • Generate keys and configure OpenDKIM to sign outgoing messages, then add selector._domainkey.domain.com TXT record with the public key.
  • SPF example DNS TXT record:
    • v=spf1 mx ip4: -all
  • DMARC example:
    • _dmarc.domain.com TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:postmaster@domain.com"

6. Anti-spam and rate limiting

  • Install rspamd or SpamAssassin and integrate with Postfix via a policy service. Rspamd is faster and recommended for high-throughput environments.
  • Configure fail2ban for SMTP and Dovecot to ban brute-force attempts:
  • Use Postfix restrictions and postscreen to limit connection rates and greylist suspicious senders if needed.

7. Monitoring, backups, and logging

  • Centralize logs (rsyslog or syslog-ng) and configure log rotation for /var/log/mail.log.
  • Implement regular full and incremental backups of Maildir and configuration files. Use offsite storage or snapshots.
  • Monitor queue size (postqueue -p), bounce rates, and blacklists (e.g., via mxtoolbox). Use Prometheus + Grafana for metrics if required.

Application scenarios and best practices

Typical use cases include company internal email, transactional mail for applications, or private group communications. Best practices include:

  • Use separate hosts or containers for high-volume transactional mail to avoid reputation impact on corporate mail.
  • Implement dedicated subdomains (mail.domain.com, smtp.domain.com) and multiple MX records for redundancy.
  • Isolate administrative interfaces behind VPN or IP allowlists.
  • Use encryption at rest for mail storage if necessary for compliance.

Advantages of deploying on a Hong Kong VPS vs US VPS / US Server

Choosing a Hong Kong Server location has several tangible benefits for businesses operating in the Asia-Pacific:

  • Lower latency to regional users: Faster delivery and IMAP responsiveness for users in HK, Macau, and nearby regions compared to a US VPS.
  • Data locality and compliance: Easier adherence to local data handling expectations and corporate policies for APAC clients.
  • Network peering and reliability: Some Hong Kong providers offer better direct peering to regional carriers, improving deliverability to local ISPs and mobile networks.
  • However, US Server deployments still make sense if your user base is predominantly in North America, or if you need specific integrations with US-based services or compliance frameworks.

Deliverability considerations

Regardless of location, outbound deliverability depends heavily on IP reputation. Newly provisioned VPS IPs can be in pooled ranges; always check whether the supplier provides dedicated clean IPv4 addresses, rDNS support, and whether the IP has a history of spam. A Hong Kong VPS from a reputable host often provides quicker remediation for regional blacklists and better customer support for rDNS and abuse handling.

Capacity planning and purchase suggestions

When selecting a VPS, consider the following:

  • For SMBs or small teams: 2 CPU, 4–8 GB RAM, 40–80 GB SSD is adequate for tens to a few hundred mailboxes.
  • For larger organizations or high-volume transactional email: scale CPU cores and RAM (8+ cores, 16+ GB), use NVMe SSDs, and consider horizontal scaling with multiple MX hosts and load balancing.
  • Ensure the provider allows sending mail (some cloud providers block port 25 by default). Confirm ability to set rDNS and to obtain a dedicated IP.
  • Consider backup and snapshot options, and whether the Hong Kong Server network offers DDoS protection if you expect targeted attacks.

Operational tips and security checklist

  • Always run Postfix and Dovecot with the latest security patches.
  • Enforce STARTTLS and require TLS for authenticated submission.
  • Harden SSH (key-based auth, non-standard port, fail2ban). Do not expose admin ports publicly.
  • Regularly rotate DKIM keys and monitor DMARC reports (aggregate reports via rua) to detect abuse.
  • Test deliverability using external services and check that SPF, DKIM, and DMARC are correctly published and passing.

Deploying a secure, production-ready mail server requires attention to configuration details, reputation management, and ongoing operations. A Hong Kong VPS can be an excellent platform for APAC-focused services, while US VPS / US Server options remain relevant for North American audiences. Regardless of region, prioritize TLS, DKIM/SPF/DMARC, monitoring, and backups to maintain uptime and deliverability.

For hosting options and to compare instance sizes suitable for mail workloads, see the Hong Kong VPS offerings at https://server.hk/vps/. If you need colocated or regional choices, consider both Hong Kong Server and US Server alternatives to match your user footprint and compliance needs.

Tags: