Goal

Bringing iRedMail/SOGo up to production quality is a very reasonable next step, and once that is done it can safely take over archiving and DAV while you de‑emphasize Proton for day‑to‑day mail. Given your skills, the main work is hardening, DNS/auth records, and clean DAV exposure.

1. Security hardening basics

  • Make sure the OS and all iRedMail components (Postfix, Dovecot, iRedAdmin, Roundcube, SOGo) are fully updated, paying attention to recent iRedAdmin vulnerabilities like CVE‑2024‑47227.

  • Apply common iRedMail hardening steps: lock down admin URLs, restrict access to iRedAdmin/MySQL/phpMyAdmin to admin IPs/VPN, clean up default aliases/paths, enforce strong TLS configs and disable weak ciphers.

2. Mail hygiene and deliverability

  • Configure and verify SPF, DKIM, and DMARC for your domains; start with p=none for DMARC and move to p=reject once aligned, following current best practices (aligned DKIM domain, 2048‑bit keys, proper rua reporting).

  • Monitor deliverability and abuse: log review, fail2ban rules, rate limiting, and regular checks for blacklisting are essential if you want to rely on this box for external mail, even if you initially use it mostly for monitoring and archiving.

3. SOGo as DAV/groupware front end

  • SOGo integrates cleanly with iRedMail and exposes CalDAV/CardDAV endpoints suitable for macOS/iOS/Thunderbird, giving you mail + calendar + address book on standard protocols without a proprietary suite.

  • Follow the iRedMail/SOGo docs for DAV URLs (/SOGo/dav/your-full-email) and SSL‑only access, then test with macOS Contacts/Calendar and Thunderbird as your primary DAV clients.

4. Production readiness checklist

  • Network/SSL: Only 443/993/587 (and 25 as needed) exposed; A/AAAA, PTR, MX, and TLS are clean; ACME renewal is automatic.

  • Access separation:

    • Public: mail (IMAP/SMTP/submission), SOGo webmail/DAV.

    • Admin: iRedAdmin, DB admin, metrics only via VPN or management VLAN/IP allowlist.

  • Backup/restore: Regular tested backups of maildirs, SQL/LDAP backends, and SOGo config; documented restore path so you can recover the service quickly.