Sorry, I do not value($$$) your privacy. :^)

My email setup

NightmareMoon

OpenSMTPd config

pki minion.the-delta.net.eu.org cert "/srv/certs/minion.the-delta.net.eu.org_rsa.crt"
pki minion.the-delta.net.eu.org key  "/srv/certs/minion.the-delta.net.eu.org_rsa.key"

queue encryption [REDACTED]

smtp max-message-size 4M

listen on enp3s0 port 25  tls         pki minion.the-delta.net.eu.org hostname minion.the-delta.net.eu.org
listen on lo

table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
# Lines with <cloudsdale> are legacy because of libasr-1.0.2 under musl, now fixed
#table cloudsdale { 2a01:4f8:1c17:4b6d::1, 138.201.117.120 }

action "local" mbox alias <aliases>
action "relay"        relay helo minion.the-delta.net.eu.org host smtp+tls://cloudsdale.the-delta.net.eu.org
#action "relay"        relay helo minion.the-delta.net.eu.org tls no-verify
action "backup_relay" relay helo minion.the-delta.net.eu.org backup mx minion.the-delta.net.eu.org

match from local for local action "local"
match from local for any   action "relay"
#match from src <cloudsdale> for any action "relay"
match from any for domain <domains> action "backup_relay"

For now minion/NightmareMoon doesn’t store my emails but this is what is expected at some point, thus inverting backup and main too. It is configured to be a backup MX and to send internet emails to cloudsdale (because of the broken rDNS).

Cloudsdale

OpenSMTPd config

pki cloudsdale.the-delta.net.eu.org cert "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.crt"
pki cloudsdale.the-delta.net.eu.org key  "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.key"

queue encryption [REDACTED]

smtp max-message-size 4M

# internet
listen on eth0 port 25  tls         pki cloudsdale.the-delta.net.eu.org hostname cloudsdale.the-delta.net.eu.org tag IN no-dsn
listen on lo tag IN

# If you edit the file, you have to run "smtpctl update table aliases"
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains

action "deliver" maildir alias <aliases>
action "relay"   relay tls no-verify
# Legacy: libasr-1.0.2 tarball is broken with musl, use git
#action "relay"   relay host smtp+tls://hacktivis.me

match from any   for domain <domains> action "deliver"
match from local for local            action "deliver"
match from local for any              action "relay"

DNS Records

This is what I have in all my zones (I use a $INCLUDE, which supported by nsd):

@       86400   MX      1 cloudsdale.the-delta.net.eu.org.
@       86400   MX      10 minion.the-delta.net.eu.org.
@       86400   TXT     "v=spf1 a mx ?all"
_dmarc  86400   TXT     "v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s"
_smtp._tls 86400        TXT     "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me"

Choices

Fediverse post for comments

article only(plain XHTML)