Linux Mail Server Monitoring with Lightmeter (Debian, Ubuntu)

This article will be showing you how to set up Lightmeter, which is an open-source self-hosted mail server monitoring tool, so you can know what’s going on with your Linux mail server.

Lightmeter Features

• Easy-to-use web-based interface
• Mail server downtime monitoring
• RBL (Real-time Block Lists) monitoring
• Real-time detection of blocked emails by other SMTP servers like Gmail and Microsoft
• Instant warning notifications over Email and Slack
• Automatic protection against Botnet and brute-force attacks
• Supports local & remote logfiles

It’s basically an advanced version of pflogsumm with a web interface.

Requirements

It’s assumed that you have a mail server up and running. If not, please use the following tutorials to set up your mail server.

• How to Quickly Set up a Mail Server on Ubuntu 22.04 with Modoboa
• How to Quickly Set Up a Mail Server on Debian 10 Buster With Modoboa

Note that only the Postfix SMTP server is supported. Other SMTP server software like EXIM is not supported.

Step 1: Install Lightmeter Binary

Log into your Linux server via SSH. Then use wget to download the latest stable version of Lightmeter (1.9.1 at the time of writing). You can check its GitLab repository release page to find out the latest version.

wget https://gitlab.com/api/v4/projects/17017123/packages/generic/lightmeter/1.9.1/lightmeter-linux_amd64-1.9.1

Move it to /usr/local/bin/ directory.

sudo mv lightmeter-linux_amd64-1.9.1 /usr/local/bin/lightmeter

Add executable permission.

sudo chmod +x /usr/local/bin/lightmeter

Add a lightmeter user.

sudo useradd lightmeter --create-home --home-dir /var/lib/lightmeter_workspace --system

Run Lightmeter.

sudo -u lightmeter /usr/local/bin/lightmeter -watch_dir /var/log

Now you can visit the Lightmeter web interface.

http://your-server-ip:8080

You will be asked to create an admin account. Before doing that, let’s create a systemd service for Lightmeter and enable HTTPS.

Step 2: Create Systemd Service

Press Ctrl+C to stop the current Lightmeter process. Then create a systemd service unit for Lightmeter.

sudo nano /etc/systemd/system/lightmeter.service

Put the following text into the file.

[Unit]
Description=Mail Server Monitoring
After=network.target

[Service]
Type=simple
ExecStartPre=/bin/bash -c '/usr/bin/setfacl -R -m u:lightmeter:rx /var/log/mail*'
ExecStart=sudo -u lightmeter usr/local/bin/lightmeter -watch_dir /var/log/
ExecStop=sudo -u lightmeter /usr/bin/pkill /usr/local/bin/lightmeter
Restart=always
SyslogIdentifier=Lightmeter

[Install]
WantedBy=multi-user.target

Press Ctrl+O, then press Enter to save the file. Press Ctrl+X to exit. Then reload systemd.

sudo systemctl daemon-reload

Start Lightmeter.

sudo systemctl start lightmeter.service

Enable autostart.

sudo systemctl enable lightmeter.service

Check its status:

sudo systemctl status lightmeter.service

Sample output:

As you can see, it’s active (running).

Step 3: Set Up Reverse Proxy

To access the Lightmeter web interface via a domain name over the secure HTTPS protocol, we need to set up reverse proxy with Apache or Nginx.

Nginx

Nginx is a very popular web server and reverse proxy. If you prefer to use Nginx, run the following command to install it.

sudo apt install nginx

Then create a server block file for Lightmeter.

sudo nano /etc/nginx/conf.d/lightmeter.conf

Add the following content to this file. Replace lightmeter.example.com with your own preferred DNS name. You should also create DNS A record for this sub-domain. If you don’t have a real domain name, I recommend going to NameCheap to buy one. The price is low and they give whois privacy protection free for life.

server {
      listen 80;
      listen [::]:80;
      server_name lightmeter.example.com;

      access_log /var/log/nginx/lightmeter.access;
      error_log /var/log/nginx/lightmeter.error;

      location / {
          proxy_pass http://127.0.0.1:8080;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;

          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Protocol $scheme;
          proxy_set_header X-Forwarded-Host $http_host;
      }
}

Save and close this file. Then test Nginx configuration.

sudo nginx -t

If the test is successful, reload Nginx for the change to take effect.

sudo systemctl reload nginx

Now you can access Lightmeter media server via lightmeter.example.com.

Apache

If you prefer Apache over Nginx, then install Apache web server by using the following command.

sudo apt install apache2

To use Apache as a reverse proxy, we need to enable the proxy modules and the header module.

sudo a2enmod proxy proxy_http headers proxy_wstunnel

Then create a virtual host file for Lightmeter.

sudo nano /etc/apache2/sites-available/lightmeter.conf

Put the following configurations into the file. Replace lightmeter.example.com with your own preferred DNS name. Don’t forget to create DNS A record for this sub-domain. If you don’t have a real domain name, I recommend going to NameCheap to buy one. The price is low and they give whois privacy protection free for life.

<VirtualHost *:80>
   ServerName lightmeter.example.com
   ErrorDocument 404 /404.html

   #HTTP proxy
   ProxyPass / http://localhost:8080/
   ProxyPassReverse / http://localhost:8080/

</VirtualHost>

Save and close the file. Then enable this virtual host.

sudo a2ensite lightmeter.conf

Restart Apache

sudo systemctl restart apache2

Now you can access Lightmeter media server using the domain name lightmeter.example.com.

Step 4: How to Enable HTTPS

To encrypt the HTTP traffic, we can enable HTTPS by installing a free TLS certificate issued from Let’s Encrypt. Run the following command to install Let’s Encrypt client (certbot) on Ubuntu 22.04/20.04.

sudo apt install certbot

If you use Nginx, then you also need to install the Certbot Nginx plugin.

sudo apt install python3-certbot-nginx

Next, run the following command to obtain and install TLS certificate.

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d lightmeter.example.com

If you use Apache, then you need to install the Certbot Apache plugin.

sudo apt install python3-certbot-apache

Next, run the following command to obtain and install TLS certificate.

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d lightmeter.example.com

Where:

• --nginx: Use the nginx plugin.
• --apache: Use the Apache plugin.
• --agree-tos: Agree to terms of service.
• --redirect: Force HTTPS by 301 redirect.
• --hsts: Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use TLS for the domain. Defends against SSL/TLS Stripping.
• --staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.

The certificate should now be obtained and automatically installed.

And you can access Lightmeter web interface via HTTPS: https://lightmeter.example.com.

Step 5: Configure LightMeter

Now you can go to the Lightmeter web interface to create an admin account. Lightmeter automatically analyzes the mail logs and gives you an overview of busiest domains, bounced domains, and deferred domains.

Then go to the Settings page and enable email notification, so Lightmeter can notify you when there are bounced emails, deferred emails, or your mail server IP address gets blacklisted.

Message Detective

Lightmeter allows you to check the delivery status of each email message. Click the magnifier icon in the upper-right corner. Then enter the sender and recipient email addresses.

As you can see, the messages were sent successfully. You can go to the Settings page and enable public access to the message detective page, so your mailbox users can also check email delivery status.

Wrapping Up

I hope this article helped you set up Lightmeter. As always, if you found this post useful, subscribe to our free newsletter to get more tips and tricks. Take care 🙂