Setting Up a Local Mail Server to Receive Wazuh Alerts

Published on January 24, 2025


This tutorial walks you through creating a dedicated mail server on a Linux VM to handle incoming Wazuh alert emails. We’ll install and configure Postfix (SMTP) and Dovecot (IMAP), create accounts, set up a local DNS server for name resolution, secure everything with a firewall (using both UFW and iptables), and finally connect Wazuh to send test alerts. These steps are meant to be approachable but thorough—feel free to adapt them as needed.

1. Choose the Operating System

First, pick an OS for your mail server. Ubuntu LTS (e.g., 22.04) or Debian Stable are great choices, thanks to their strong communities and frequent security updates. If you use a future Ubuntu LTS (like 24.x), the commands should be very similar.

2. Setting Up the Virtual Machine

  1. Create the VM: Use VMware, VirtualBox, Proxmox, or any other hypervisor. Assign 1-2 vCPUs, 1-2 GB RAM, and around 10-20 GB of disk space. During installation, give it a static IP (for example, 192.168.1.10) and set a hostname (like mail.localdomain.lan).
  2. Install & Update: After installing the OS, run:
    sudo apt update
    sudo apt upgrade -y
    This ensures your system has the latest security patches.
  3. Optional Utilities: These can help with troubleshooting:
    sudo apt install vim net-tools telnet dnsutils curl -y

3. Installing and Configuring the Mail Server

We’ll use Postfix for SMTP (sending/receiving mail) and Dovecot for IMAP (retrieving mail). Both are reliable and work well together.

3.1 Installing Postfix and Dovecot

sudo apt install postfix dovecot-core dovecot-imapd -y

When Postfix asks for a configuration type, choose Internet Site, and set your mail name to something like mail.localdomain.lan or localdomain.lan.

3.2 Postfix Configuration

Postfix’s main settings are in /etc/postfix/main.cf. Below is an example:

myhostname = mail.localdomain.lan
mydomain = localdomain.lan
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
relay_domains = $mydestination
home_mailbox = Maildir/

The mynetworks line lists the client IP ranges that Postfix trusts to send (relay) mail without authentication. Restart Postfix after any change to main.cf:

sudo systemctl restart postfix
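To make concrete what mynetworks and mydestination decide, here is a small Python check added to this tutorial (not part of the original, of Postfix or of Wazuh): it parses the main.cf values above, reports which clients Postfix will relay for without authentication, and produces the narrowed mynetworks that section 6.4 suggests; the Wazuh manager address 192.168.1.30 is an assumption.

```python
import ipaddress
# Constructed copy of the main.cf values from section 3.2; the Wazuh manager address 192.168.1.30 below is an assumption.
MAIN_CF = """\
myhostname = mail.localdomain.lan
mydomain = localdomain.lan
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
relay_domains = $mydestination
home_mailbox = Maildir/
"""

def parse_main_cf(text):
    """Parse 'key = value' lines, expanding $name references to keys defined earlier."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        for name, val in conf.items():
            value = value.replace("$" + name, val)
        conf[key] = value
    return conf

def split_list(value):  # Postfix list values are separated by commas and/or whitespace
    return value.replace(",", " ").split()

def accepts_mail_for(conf, domain):
    """Mail for a domain listed in mydestination is accepted from any client."""
    return domain.lower() in {d.lower() for d in split_list(conf.get("mydestination", ""))}

def client_may_relay(conf, client_ip):
    """Only clients in mynetworks may relay to other domains without SASL auth
    (permit_mynetworks in Postfix's default smtpd_relay_restrictions)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in split_list(conf.get("mynetworks", "")))

def narrow_mynetworks(conf, hosts):
    """Copy of conf that trusts only loopback plus the given hosts (section 6.4's advice)."""
    narrowed = dict(conf)
    narrowed["mynetworks"] = ", ".join(["127.0.0.0/8"] + [f"{h}/32" for h in hosts])
    return narrowed

if __name__ == "__main__":
    conf = parse_main_cf(MAIN_CF)
    print(client_may_relay(conf, "192.168.1.77"), client_may_relay(narrow_mynetworks(conf, ["192.168.1.30"]), "192.168.1.77"))  # True False
```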

3.3 Dovecot Configuration

Check your Dovecot config files, typically in /etc/dovecot/conf.d.

  • Enable IMAP: In /etc/dovecot/conf.d/10-protocols.conf:
    protocols = imap
  • Mail Location: In /etc/dovecot/conf.d/10-mail.conf:
    mail_location = maildir:~/Maildir
  • Authentication: In /etc/dovecot/conf.d/10-auth.conf:
    disable_plaintext_auth = yes
    auth_mechanisms = plain login
    With disable_plaintext_auth = yes, Dovecot only accepts these mechanisms over a TLS-protected connection (STARTTLS on 143 or IMAPS on 993; connections from localhost are exempt), so complete the certificate setup in section 6.3 before connecting clients.

Afterward, restart Dovecot:

sudo systemctl restart dovecot

Postfix should listen on port 25 (SMTP), and Dovecot on port 143 (IMAP). If you enable SSL/TLS, you’ll also have port 993 (IMAPS).

4. Creating Mail Accounts

You can simply use Linux system users as mail accounts. With home_mailbox = Maildir/ set above, Postfix delivers each user's incoming mail to ~/Maildir.

sudo adduser alice

Postfix creates /home/alice/Maildir the first time mail is delivered to alice. Repeat for other users if needed.

5. Setting Up a Local DNS Server

Local DNS lets you refer to your server as mail.localdomain.lan instead of an IP address. You have two main options:

5.1 Quick Approach: Host Entries

On each machine (including your Wazuh host), edit /etc/hosts and add:

192.168.1.10  mail.localdomain.lan mail

This works fine in a small lab but becomes a hassle if you have many devices.

5.2 Running Bind9 for Local DNS

A more robust approach is installing a DNS server (like Bind9) on a separate VM or even on the same mail server if resources are limited. Below is an example of setting up Bind9:

  1. Install Bind9:
    sudo apt install bind9
  2. Configure the zone: In /etc/bind/named.conf.local, add:
    zone "localdomain.lan" {
        type master;
        file "/etc/bind/db.localdomain.lan";
    };
  3. Zone file: Create /etc/bind/db.localdomain.lan:
    $TTL  604800
    @     IN  SOA   dns.localdomain.lan. admin.localdomain.lan. (
          3       ; Serial
          604800  ; Refresh
          86400   ; Retry
          2419200 ; Expire
          604800) ; Negative Cache TTL
    
    @     IN  NS   dns.localdomain.lan.
    dns   IN  A    192.168.1.20
    mail  IN  A    192.168.1.10
    Here, dns.localdomain.lan points to 192.168.1.20 (the DNS server), while mail.localdomain.lan points to 192.168.1.10 (our mail server).
  4. Restart Bind9:
    sudo systemctl restart bind9
  5. Use the DNS: On other machines (e.g. the Wazuh server), point DNS at 192.168.1.20 by editing /etc/resolv.conf (or, where systemd-resolved or netplan manages that file and regenerates it, the network configuration) or your DHCP settings. Now, when you type mail.localdomain.lan, it should resolve to 192.168.1.10.

6. Securing the Mail Server

It’s important to limit access to only what’s necessary, especially if you’re hosting sensitive logs or alerts.

6.1 Using UFW (Uncomplicated Firewall)

sudo ufw allow 25/tcp
sudo ufw allow 143/tcp
sudo ufw allow 993/tcp   # if using IMAPS
sudo ufw enable

These commands allow incoming SMTP (25) and IMAP (143/993). Once UFW is enabled, all other inbound traffic is denied by default, including SSH, so allow SSH (port 22) first if you administer the VM remotely; the same caveat applies to the iptables rules below.

6.2 Using iptables

If you prefer iptables or want to understand what’s happening under the hood, here’s how you might do it:

# (Optional) Reset existing rules
sudo iptables -F

# Allow traffic on the loopback interface (essential)
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established and related connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming traffic for the mail server
sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT    # SMTP
sudo iptables -A INPUT -p tcp --dport 143 -j ACCEPT    # IMAP
sudo iptables -A INPUT -p tcp --dport 993 -j ACCEPT    # IMAPS

# Default policy: drop everything else
sudo iptables -P INPUT DROP

Keep in mind that you might need to allow SSH (port 22) or other needed services before setting the default policy to DROP. Save your rules so they persist after reboot (for example, with iptables-persistent on Debian/Ubuntu).

sudo apt-get install iptables-persistent
sudo netfilter-persistent save

6.3 TLS / SSL (Recommended)

Self-signed certificates or an internal Certificate Authority protect usernames, passwords, and mail content even on a local network. In Dovecot, point ssl_cert and ssl_key in 10-ssl.conf at your certificate and key so IMAP is available over TLS on port 993 (and via STARTTLS on 143).

6.4 Other Points

Make sure your user passwords are strong, watch /var/log/mail.log for suspicious activity, and consider limiting mynetworks in Postfix if only local hosts should relay mail.

7. Connecting a Desktop (Thunderbird) Client

  1. Add an account: In Thunderbird, choose to add a mail account. For “Email address,” use something like alice@localdomain.lan if alice is your Linux user.
  2. IMAP settings: Server: mail.localdomain.lan, port 143 or 993 (if SSL).
  3. SMTP settings: Server: mail.localdomain.lan, port 25 or 587 if you set it up for submission.
  4. Authentication: Enter the same password you configured for alice. If you’re using self-signed certs, Thunderbird might ask you to accept them.
  5. Send a test email: Check if it arrives in /home/alice/Maildir or in Thunderbird’s inbox.

8. Connecting Wazuh to the Mail Server

Let’s make Wazuh send alerts to your new mail server. On the Wazuh Manager, open /var/ossec/etc/ossec.conf (or use the Wazuh UI). The email settings live in the <global> section:

<global>
  <email_notification>yes</email_notification>
  <email_to>alice@localdomain.lan</email_to>
  <smtp_server>192.168.1.10</smtp_server>
  <email_from>wazuh-alerts@localdomain.lan</email_from>
  <email_maxperhour>999</email_maxperhour>
</global>

Wazuh’s mail daemon speaks plain, unauthenticated SMTP to the server on port 25 (there is no option for another port or for credentials), so the mail server must accept unauthenticated mail for alice@localdomain.lan on port 25, as the Postfix setup above does.

Restart the Wazuh Manager to apply changes:

sudo systemctl restart wazuh-manager

Make sure your Wazuh VM can resolve mail.localdomain.lan. If DNS isn’t set, you can use the mail server’s IP directly.

9. Testing Email Alerts

  1. Send a test email (run this on the mail server itself; the mail command comes from the mailutils or bsd-mailx package):
    echo "This is a test from Wazuh" | mail -s "Wazuh Test" alice@localdomain.lan
  2. Watch mail logs:
    tail -f /var/log/mail.log
    You should see an entry about receiving mail for alice@localdomain.lan.
  3. Check your inbox: Look in Thunderbird or run:
    ls /home/alice/Maildir/new
    If you see a file there, your test email has arrived!
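Following on from step 2 and the advice in section 6.4 to watch /var/log/mail.log, this added Python script (not from the original tutorial) triages constructed Postfix and Dovecot log lines in their syslog format: it confirms deliveries to alice and flags rejected relay attempts, repeated IMAP password failures, and logins from outside the 192.168.1.0/24 LAN; the outside addresses 203.0.113.x and the queue/session ids are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed lines in the format Postfix and Dovecot write to /var/log/mail.log on
# Debian/Ubuntu; the queue/session ids and the outside addresses 203.0.113.x are made up.
SAMPLE_LOG = """\
Jan 24 10:15:01 mail postfix/smtpd[1234]: connect from wazuh.localdomain.lan[192.168.1.30]
Jan 24 10:15:01 mail postfix/local[1240]: 4ABCDEF12: to=<alice@localdomain.lan>, relay=local, delay=0.1, delays=0.05/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)
Jan 24 10:16:12 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 454 4.7.1 <bob@example.com>: Relay access denied; from=<x@example.net> to=<bob@example.com> proto=ESMTP helo=<test>
Jan 24 10:17:00 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 10 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.168.1.10, session=<s1>
Jan 24 10:17:20 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 12 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.168.1.10, session=<s2>
Jan 24 10:18:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.10, mpid=2345, session=<s3>
Jan 24 10:19:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.168.1.10, mpid=2350, session=<s4>
"""

# The LAN trusted by section 3.2's mynetworks; IMAP logins from anywhere else are unexpected.
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")

DELIVERED = re.compile(r"postfix/local\[\d+\]: (\w+): to=<([^>]+)>.*status=sent")
RELAY_DENIED = re.compile(r"reject: RCPT from \S+\[([\d.]+)\].*Relay access denied")
AUTH_FAILED = re.compile(r"imap-login: .*auth failed, (\d+) attempts.*rip=([\d.]+)")
LOGIN_OK = re.compile(r"imap-login: Login: user=<([^>]+)>.*rip=([\d.]+)")

def triage_mail_log(text, fail_threshold=5):
    """Summarise deliveries plus the events worth alerting on: relay attempts Postfix
    rejected, repeated IMAP password failures per source, and logins from outside the LAN."""
    delivered, relay_denied, auth_failures, foreign_logins = [], Counter(), Counter(), []
    for line in text.splitlines():
        if m := DELIVERED.search(line):
            delivered.append((m.group(1), m.group(2)))          # (queue id, recipient)
        elif m := RELAY_DENIED.search(line):
            relay_denied[m.group(1)] += 1                        # client IP -> rejects
        elif m := AUTH_FAILED.search(line):
            auth_failures[m.group(2)] += int(m.group(1))        # client IP -> failed tries
        elif m := LOGIN_OK.search(line):
            user, ip = m.group(1), m.group(2)
            if ipaddress.ip_address(ip) not in TRUSTED_NET:
                foreign_logins.append((user, ip))
    return {
        "delivered": delivered,
        "relay_denied": dict(relay_denied),
        "brute_force_ips": sorted(ip for ip, n in auth_failures.items() if n >= fail_threshold),
        "foreign_logins": foreign_logins,
    }

if __name__ == "__main__":
    for key, value in triage_mail_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```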

Additional Tips

  • Virtual Users: If you don’t want to create Linux system users for each mailbox, Postfix+Dovecot supports virtual mailboxes in a database. This is more complex but scales better for large deployments.
  • Submission Port (587): Consider enabling a dedicated submission port for authenticated sending, instead of raw SMTP on 25.
  • Advanced Email Security: If this server faces the internet, consider SPF, DKIM, and DMARC for domain reputation and email deliverability.
  • Regular Backups: Mail is often critical. Regularly back up /etc, /var/mail, or the user home directories if mail is stored there (as it is with the Maildir setup above).

Conclusion

You now have a dedicated mail server that can receive and store alerts from Wazuh. We covered spinning up the VM, installing Postfix and Dovecot, creating accounts, setting up either a local DNS or host file entries, handling firewall rules (with UFW or iptables), and connecting both Thunderbird and Wazuh to your new server. If anything goes wrong, the logs in /var/log/mail.log and careful checks of DNS resolution and firewall rules are your best friends. Good luck, and enjoy having real-time Wazuh alerts in your inbox!