Host my own email and vpn servers for my sole personal use

First of all, a quick introduction: I am new to Qubes, but have been using Linux since its inception in 1991. My use has mainly been for C++ development and Postgres, with the odd foray into shell scripts and awk, but not much in the way of networking or detailed configuration.

So I have successfully installed qubes on a laptop, I was hoping to use it for email and vpn as the title of this post says. Note I am not interested in 3rd party providers, I would like full control over my own server. I would like to be able to access the server remotely with say ssh from my main laptop, and also from my iPhone 13.

Now I have done a bit of investigation with ChatGPT, but I am a little reluctant to blindly follow what it says, because getting the full story relies entirely on the exact questions being asked, and it is only an LLM after all. It does seem to have some good ideas though:

ChatGPT says:
Qubes actually makes running an email server cleaner because you can isolate each function:

  • Mail Gateway Qube (SMTP in/out) → e.g. mail-gateway
  • IMAP Server Qube (local mailboxes) → e.g. mail-storage
  • Client Qubes connect via LAN (or localhost) to the IMAP service.
  • Optional: a separate DNS qube if you want to handle MX records locally.

Some details: I have a 4 port router modem provided by the ISP, along with a decent fibre optic network connection. The router forms part of a LAN with the Qubes laptop server which is based on fedora, and a smart TV and game console, and possibly wifi connections whenever I have guests. I may need to add an 8 port switch in the future to increase the size of the LAN. Obviously all this needs to be separate from the email and vpn servers. My main laptop also uses fedora, I will upgrade that to fedora 43 once I get the fibre optic connection next week. I will be getting a domain name if I decide to go ahead with this, and a UPS.

ChatGPT mentioned using this software, I wonder what people think of this idea?

If your goal is to avoid heavy, bloated groupware, you can:

  • Use Postfix for SMTP → very lightweight and built into Fedora/Debian templates.
  • Use Dovecot for IMAP → standard, simple to configure for local delivery.
  • Store mail in Maildir format in your home directory.
  • Use your iPhone or Thunderbird in another machine to connect over LAN.

Thanks in advance for any help, and I am happy to provide more details. Cheers

I should also point out that I have spent quite a bit of time reading the Qubes documentation, before posting :+D

Hi AlsoKnownAsAKA, welcome to Qubes.

There’s a fair amount to dig in to in your post, and I’m not sure that
ChatGPT is particularly helpful here.

Use of, and setting up a VPN is relatively well covered - what VPN will
you use, and what protocols?

As you are not used to service configuration, and are new to Qubes, I
would start with a much simpler set up, experiment, and then add in more
complexity. I often find that new users start with a complicated roadmap,
find it difficult to implement, and then get downhearted at how
difficult Qubes is to use.

You don't say what mail client you like to use, and that’s an important
factor.
You haven’t said if you want to have separate identities on the mail
system, with distinct addresses and domains.

Postfix is a good choice for SMTP server. It’s relatively easy to set
up and administer. You can deliver mail to local mailboxes, and use
filters like spamassassin.
A simple set up would be to ssh in to the postfix qube to read and
process mail on the mail qube, using an email client like mutt.

For these services you will need to open an external port on sys-net
and tunnel traffic to the server qube. This is well documented.

Once you are happy with that set up, you can start to add in complexity.
You could separate out SMTP receipt and send. You can, but need not,
have a separate IMAP server. You can separate out the mail access qube
from the mail storage qube, and mail sending qube. (eg collect new
mail in a disposable, have an offline qube for mail storage, and
a disposable for sending mail.) This isn’t particularly hard to do, but
it can be hard to do for a beginner to Qubes. Get used to the basics,
and add in complexity afterwards.

I hope this is somewhat useful. If you want help on specific details,
ask.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

Hi unman, thanks for your reply :+D

Use of, and setting up a VPN is relatively well covered - what VPN will
you use, and what protocols?

I was hoping not to use an external VPN provider, my understanding is that it is possible for Linux to host its own VPN server. Is OpenVPN an example of that, or is that another external VPN service? I have a vague memory of seeing instructions somewhere, maybe I should dig around to find them again.

You don't say what mail client you like to use, and that’s an important
factor.

I would use Thunderbird on my main laptop, and also connect with my iPhone13.

As you are not used to service configuration, and are new to Qubes, I
would start with a much simpler set up, experiment, and then add in more
complexity.

Ok. I guess the main problem is understanding the output from various shell commands, especially when things are not quite right, which happens with ChatGPT often. I guess it gets tedious having to ask all the time. However I am not a complete newbie to the shell. For example I prefer to use dnf from the shell rather than the GUI program. I have often edited configuration files over the years using vim, or even vi sometimes. I guess the other aspect is testing things, and knowing what bad looks like, and what to do about it.

You haven’t said if you want to have separate identities on the mail
system, with distinct addresses and domains.

The mail system will be for my sole and private personal use. I haven’t yet converted my main laptop to Qubes, but if I do, I will need access to work emails; and continued access to my current personal email for a decent period of time until I am confident everything is working well. I do have a work laptop to access work emails, so that should still work regardless. Although it would be convenient to use Thunderbird on my work laptop to access my personal email server, but not the end of the world if I can’t; sometimes I have cramped quarters at work, it can be a pain to have to set up another laptop.

Postfix is a good choice for SMTP server. It’s relatively easy to set
up and administer. You can deliver mail to local mailboxes, and use
filters like spamassassin.
A simple set up would be to ssh in to the postfix qube to read and
process mail on the mail qube, using an email client like mutt.

Ok that sounds great. I would like some help with that.

Get used to the basics,
and add in complexity afterwards.

That is excellent advice. Thank you, now I have found out that it is all possible, and doesn’t fly in the face of what qubes is all about, I feel more confident in continuing. There are expenses involved with this, a UPS, domain name.

So I am guessing the things I need to do now:

  1. Obtain a domain name - maybe this can be left until live testing stage? ;
  2. Create a qube to put the server in;
  3. Install postfix software;
  4. Read up about the external port on sys-net, tunnel to server qube.

Thanks again, I hope the force is with you!

Could be of interest to you. I host my email server and private vpn server (among many other things)

Thanks neowutran for your reply.

This looks like a fabulous resource for one experienced with Qubes OS, and it could be of great use to me and many others in the future. However, I have only been using Qubes for a few days now, so I am following advice from unman and keeping things simple to start with.

Thanks again for the awesome resource :+D cheers !

Ok an update on my progress so far, which isn’t much …

I have created a mail-server qube, and given it network access via sys-firewall. Even with this there is a question: ChatGPT mentioned setting up the Qube as standalone, to avoid losing configuration changes. Is this a good idea? Just that if I am to start again, it would be good to know now … :+)

I have installed postfix, using dnf. I haven’t edited any of the configuration files yet, I thought it prudent to review the official documentation. There is a fairly simple looking guide on ChatGPT, but I am reluctant to trust it.

I also thought it prudent to get things working on the LAN first, before exposing the whole thing to the internet. I also realise it may be some time before fully using this mail server in a realistic sense, so I am happy to take my time to configure things, so that I have confidence when it comes to live deployment. So I have 2 machines on the LAN, I was thinking to get the ping command working in both directions. Then ssh, then basic mail using mail, and try mutt as suggested by unman. So ping works outbound from qubes, but not inbound; I guess this is by design from qubes, I am not sure how to fix that, or whether I need to. ssh works both ways, I just need to set it up properly with the keys, I am fairly sure I know how to do that.

I have acquired a domain name, and the installation of the fibre internet connection is happening on Wednesday 2025-10-15. Should I be asking the ISP for a static ip address, or is that unnecessary?

Other thoughts for the future: I was going to buy a UPS, but I have a concern about the ability of the UPS to restart the server given that it requires the LUKS password, and the user password. I am often away for extended periods of time. I asked ChatGPT: it seems to think it is possible:

1. Remote LUKS Unlock (Secure, Requires Network Reachability in Initramfs)

You can configure dropbear (SSH) in the initramfs so that you can remotely SSH into the machine during the early boot stage (before Qubes itself starts) and enter the LUKS passphrase over SSH.

Related to this is the idea of using an app called notify (ntfy). One can find it on the web: ntfy.sh. It can be used from the shell, so I find this really useful for lots of things: I can get it to send a message to my phone when system updates start and finish, stating whether they were successful or not; use it in conjunction with pam to notify whenever someone attempts to ssh into the server; send update information on a regular basis. It is rather useful as part of a cron job. So I could get a ntfy message to say that the UPS has shutdown the server, and another when it restarts; that is when I could remotely specify the LUKS password. What do you all think of this? ChatGPT also said that Qubes was designed to have a human present, and not to be run as a headless server, but ChatGPT is not always correct, right?
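
The ntfy-plus-PAM idea from the post above, sketched as a `pam_exec` session hook. This is an added example, not code from the thread; the script path, `/etc/ssh-ntfy.conf` and the `NTFY_URL` variable are assumptions. It reports successful SSH logins and logouts, and strips anything outside a small safe character set from the PAM-supplied values before they reach the notification.

```shell
#!/bin/sh
# Added example: pam_exec hook that pushes SSH session events to ntfy.
# Assumed install: /usr/local/bin/ssh-ntfy.sh, referenced from /etc/pam.d/sshd as
#   session optional pam_exec.so /usr/local/bin/ssh-ntfy.sh
# Assumed config: /etc/ssh-ntfy.conf (root-only, mode 600) setting NTFY_URL to
# the full topic URL. On a public ntfy server anyone who knows the topic name
# can read it, so treat the URL as a secret.

# Keep only a conservative character set; PAM_RHOST and friends come from the
# connecting side and must not carry control characters into the message.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._:@-' | cut -c1-64
}

# build_message TYPE USER RHOST SERVICE HOST -> one-line text, or status 1
# for PAM phases this hook does not report.
build_message() {
    case "$1" in
        open_session)  verb=login ;;
        close_session) verb=logout ;;
        *) return 1 ;;
    esac
    printf '%s %s: user=%s from=%s on=%s' "$(sanitize "$4")" "$verb" \
        "$(sanitize "$2")" "$(sanitize "${3:-local}")" "$(sanitize "$5")"
}

# Best effort: a slow or unreachable ntfy server must never delay a login.
notify() {
    [ -n "${NTFY_URL:-}" ] || return 0
    curl -fsS --max-time 5 -H "Title: SSH session" -H "Tags: key" \
        -d "$1" "$NTFY_URL" >/dev/null 2>&1 || true
}

if [ -n "${PAM_TYPE:-}" ]; then
    # Running under pam_exec, which exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE.
    if [ -r /etc/ssh-ntfy.conf ]; then . /etc/ssh-ntfy.conf; fi
    if msg=$(build_message "$PAM_TYPE" "${PAM_USER:-}" "${PAM_RHOST:-}" \
            "${PAM_SERVICE:-}" "$(uname -n)"); then
        notify "$msg"
    fi
    exit 0
else
    # Run by hand: show the message for constructed sample values.
    build_message open_session alice 192.0.2.10 sshd mail-server; echo
fi
```

The `optional` control flag and the unconditional `exit 0` keep a failed notification from ever blocking a login.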

Ok, so I have learnt that tools such as OpenVPN or wireguard are what one uses to host their own VPN server. Apparently wireguard is better, it’s newer for a start, and that’s what neowutran uses, so hooray !!

Some more progress, kind of:

I have managed to use ssh via a tunnel to connect from my personal laptop (PL) (the other computer on the LAN) to a qube and vice versa. I have also used mail in both directions with this tunnel. So this took most of the day using ChatGPT with lots of problems. I have now discovered a thing called port forwarding and there is an article about it entitled "Port forwarding to a qube from the outside world", in the Firewall section, is that what I should have been doing? I guess so. I was told not to use ChatGPT though, so it’s my fault really. Never mind; tomorrow is another day.

I’d suggest using a KVM (for example, piKVM) to remotely manage your Qubes OS to be able to recover from some cases where access to the GRUB or BIOS is required.