
blog

My website can't be that messy, right?
git clone https://hacktivis.me/git/blog.git
commit: 7a1d47b4ca172ba427341682810ce84ceb0d3179
parent 73ca4d974f8ec2683485d8865723d3f9d268a828
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Sun, 10 Mar 2019 05:53:55 +0100

articles/My email setup: New article

Diffstat:

 A articles/My email setup.shtml | 15 +++++++++++++++
 A articles/My email setup.xhtml | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 M feed.atom                     | 13 ++++++++++++-
 M home.shtml                    |  1 +
 4 files changed, 122 insertions(+), 1 deletion(-)

diff --git a/articles/My email setup.shtml b/articles/My email setup.shtml @@ -0,0 +1,15 @@ +<!DOCTYPE html> +<html lang="en"> + <head> +<!--#include file="/templates/head.shtml" --> + <meta property="og:type" content="article"/> + <meta property="og:title" content="My email setup"/> + <title>My email setup — Cyber-home of lanodan</title> + </head> + <body> +<!--#include file="/templates/en/nav.shtml" --> +<!--#include file="/articles/My email setup.xhtml"--> + <a href="/articles/My%20email%20setup.xhtml">article only(plain XHTML)</a> +<!--#include file="/templates/en/footer.html" --> + </body> +</html> diff --git a/articles/My email setup.xhtml b/articles/My email setup.xhtml 
@@ -0,0 +1,94 @@ +<article xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry"> +<a href="/articles/My%20email%20setup"><h1>My email setup</h1></a> +<ul> + <li>NightmareMoon: Desktop machine, plagged with broken rDNS</li> + <li>minion: BananaPi Server (offline at the time of writing)</li> + <li>cloudsdale: VPS at Hetzner</li> +</ul> +<h2>NightmareMoon</h2> +<ul> + <li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li> + <li>libasr: 1.0.2 (with res_randomid patch)</li> + <li>libc: GNU libc</li> +</ul> +<h3>OpenSMTPd config</h3> +<code><pre> +pki minion.the-delta.net.eu.org cert "/srv/certs/minion.the-delta.net.eu.org_rsa.crt" +pki minion.the-delta.net.eu.org key "/srv/certs/minion.the-delta.net.eu.org_rsa.key" + +queue encryption [REDACTED] + +smtp max-message-size 4M + +listen on enp3s0 port 25 tls pki minion.the-delta.net.eu.org hostname minion.the-delta.net.eu.org +listen on lo + +table aliases file:/etc/mail/aliases +table domains file:/etc/mail/domains +# Lines with &lt;cloudsdale&gt; are legacy because of libasr-1.0.2 under musl, now fixed +#table cloudsdale { 2a01:4f8:1c17:4b6d::1, 138.201.117.120 } + +action "local" mbox alias &lt;aliases&gt; +action "relay" relay helo minion.the-delta.net.eu.org host smtp+tls://cloudsdale.the-delta.net.eu.org +#action "relay" relay helo minion.the-delta.net.eu.org tls no-verify +action "backup_relay" relay helo minion.the-delta.net.eu.org backup mx minion.the-delta.net.eu.org + +match from local for local action "local" +match from local for any action "relay" +#match from src &lt;cloudsdale&gt; for any action "relay" +match from any for domain &lt;domains&gt; action "backup_relay" +</pre></code> +<p>For now minion/NightmareMoon doesn’t store my emails but this is what is expected at some point, thus inverting backup and main too. 
It is configured to be a backup MX and to send internet emails to cloudsdale (because of the broken rDNS).</p> +<h2>Cloudsdale</h2> +<ul> + <li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li> + <li>libasr: git (<a href="https://github.com/OpenSMTPD/libasr/tree/d7e6e51a17cca19bc3b4bc8826625ff545b84d6c"><code>d7e6e51a17cca19bc3b4bc8826625ff545b84d6c</code></a>)</li> + <li>libc: musl libc</li> +</ul> +<h3>OpenSMTPd config</h3> +<code><pre> +pki cloudsdale.the-delta.net.eu.org cert "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.crt" +pki cloudsdale.the-delta.net.eu.org key "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.key" + +queue encryption [REDACTED] + +smtp max-message-size 4M + +# internet +listen on eth0 port 25 tls pki cloudsdale.the-delta.net.eu.org hostname cloudsdale.the-delta.net.eu.org tag IN no-dsn +listen on lo tag IN + +# If you edit the file, you have to run "smtpctl update table aliases" +table aliases file:/etc/mail/aliases +table domains file:/etc/mail/domains + +action "deliver" maildir alias &lt;aliases&gt; +action "relay" relay tls no-verify +# Legacy: libasr-1.0.2 tarball is broken with musl, use git +#action "relay" relay host smtp+tls://hacktivis.me + +match from any for domain &lt;domains&gt; action "deliver" +match from local for local action "deliver" +match from local for any action "relay" +</pre></code> +<h2>DNS Records</h2> +<p>This is what I have in all my zones (I use a <code>$INCLUDE</code>, which supported by nsd):</p> +<code><pre> +@ 86400 MX 1 cloudsdale.the-delta.net.eu.org. +@ 86400 MX 10 minion.the-delta.net.eu.org. 
+@ 86400 TXT "v=spf1 a mx ?all" +_dmarc 86400 TXT "v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s" +_smtp._tls 86400 TXT "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me" +</pre></code> +<h2>Choices</h2> +<ul> + <li>I picked OpenSMTPd because I know the configuration of it is very simple and people I know are using it and seems glad with it</li> + <li>I’m not validating/signing emails with DKIM, thus simplifying the configuration and getting cleaner headers, see <a href="/articles/I%E2%80%99m%20removing%20defaults%20to%20eternal%20cryptographic%20signatures">I’m removing defaults to eternal cryptographic signatures</a> as to why I’m not putting it.</li> + <li>There is no filtering yet, I don’t have much spam but adding rspamd is planned (hopefully OpenSMTPd will have <a href="https://poolp.org/posts/2018-12-19/more-on-opensmtpd-filters/">filters</a> then)</li> + <li>I don’t require tls when receiving emails, I got about half with and without TLS, I also use the default config for the ciphers as it’s a good enough one (not PFS but no broken ciphers)</li> + <li>I require TLS when sending emails but not a valid certificate (yet), this is quite something where self-hosting is required, I didn’t need to put exceptions yet</li> + <li>There is no DANE/TLSA because I do not have DNSSEC and I’m not adding MTA-STS because it is a mess</li> + <li>I do not use IMAP/POP, using Maildir with a remote mutt is perfect and I can still use ssh (sshfs and <code>set sendmail=ssh machine sendmail …</code>) if I need to have mutt locally (like for attachments), thus removing a large piece of software to maintain</li> +</ul> +<!--<p><a href="">Fediverse post for comments</a></p>--> +</article> diff --git a/feed.atom b/feed.atom 
@@ -10,11 +10,22 @@ </author> <entry> + <title>My email setup</title> + <link rel="alternate" type="text/html" href="/articles/My%20email%20setup"/> + <id>https://hacktivis.me/articles/My%20email%20setup</id> + <published>2019-03-10T04:51:04Z</published> + <updated>2019-03-10T04:51:04Z</updated> + <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> +<!--#include file="/articles/My email setup.xhtml"--> + </div></content> + </entry> + + <entry> <title>Pretty Bad Privacy</title> <link rel="alternate" type="text/html" href="/articles/Pretty%20Bad%20Privacy"/> <id>https://hacktivis.me/articles/Pretty%20Bad%20Privacy</id> <published>2019-03-07T01:00:04Z</published> - <updated>2019-03-07T05:23:43Z</updated> + <updated>2019-03-07T07:32:00Z</updated> <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <!--#include file="/articles/Pretty Bad Privacy.xhtml"--> </div></content> diff --git a/home.shtml b/home.shtml @@ -6,6 +6,7 @@ </head> <body> <!--#set var="transPageUrl" value='accueil' --><!--#set var="feedURL" value='/feed.atom'--><!--#include file="templates/en/nav.shtml" --> +<!--#include file="/articles/My email setup.xhtml"--> <!--#include file="/articles/Pretty Bad Privacy.xhtml"--> <!--#include file="/articles/AtASSian.xhtml"--> <!--#include file="/articles/I’m removing defaults to eternal cryptographic signatures.xhtml"-->
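Review bot: in `articles/My email setup.shtml`, the link text `article only(plain XHTML)` is missing a space before the parenthesis; the other templates in this file are `.shtml` while the footer include is `footer.html`, so double-check that the footer path is the intended one and not a stale name.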
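Review bot: in `articles/My email setup.xhtml` the two config listings are wrapped as `<code><pre>` … `</pre></code>`, which nests a block element inside a phrasing element; since this fragment is also spliced into `feed.atom` as `type="xhtml"` content, the nesting should be `<pre><code>` … `</code></pre>` so strict XHTML consumers do not reject the entry. Prose in the same hunk needs small fixes: "plagged with broken rDNS" should be "plagued with broken rDNS", "(I use a `$INCLUDE`, which supported by nsd)" is missing "is", and "people I know are using it and seems glad with it" should read "seem glad with it". In the DNS block, `v=spf1 a mx ?all` ends in a neutral qualifier, so receivers get no SPF pass/fail signal for senders outside `a`/`mx`; with `adkim=r` and no DKIM signing at all (per the Choices list), `aspf=s` is the only alignment that can ever succeed, which is fine for `p=none` monitoring but worth a comment in the zone file so a later `p=reject` is not set without first moving to `~all` or `-all`. The `_smtp._tls` TLSRPT record is published without any MTA-STS or DANE policy (the Choices list says both are deliberately absent), so reports will carry little beyond `no-policy-found`; either note that in the article or drop the record until a policy exists.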
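Review bot: in `feed.atom`, the `<updated>` timestamp of the "Pretty Bad Privacy" entry is bumped from `2019-03-07T05:23:43Z` to `2019-03-07T07:32:00Z` although this commit touches nothing in `articles/Pretty Bad Privacy.xhtml`; if that edit landed in an earlier commit, the feed bump belongs there (or in its own commit) so the history explains the timestamp change. The new entry itself mirrors the existing ones (SSI include inside `type="xhtml"`), which is consistent, but `<published>` and `<updated>` being identical is only correct while the article is untouched after publication.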