My email setup
- NightmareMoon: Desktop machine, plagued with broken rDNS
- minion: BananaPi Server (offline at the time of writing)
- cloudsdale: VPS at Hetzner
NightmareMoon
- OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs
- libasr: 1.0.2 (with res_randomid patch)
- libc: GNU libc
OpenSMTPd config
pki minion.the-delta.net.eu.org cert "/srv/certs/minion.the-delta.net.eu.org_rsa.crt"
pki minion.the-delta.net.eu.org key "/srv/certs/minion.the-delta.net.eu.org_rsa.key"
queue encryption [REDACTED]
smtp max-message-size 4M
listen on enp3s0 port 25 tls pki minion.the-delta.net.eu.org hostname minion.the-delta.net.eu.org
listen on lo
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
# Lines with <cloudsdale> are legacy because of libasr-1.0.2 under musl, now fixed
#table cloudsdale { 2a01:4f8:1c17:4b6d::1, 138.201.117.120 }
action "local" mbox alias <aliases>
action "relay" relay helo minion.the-delta.net.eu.org host smtp+tls://cloudsdale.the-delta.net.eu.org
#action "relay" relay helo minion.the-delta.net.eu.org tls no-verify
action "backup_relay" relay helo minion.the-delta.net.eu.org backup mx minion.the-delta.net.eu.org
match from local for local action "local"
match from local for any action "relay"
#match from src <cloudsdale> for any action "relay"
match from any for domain <domains> action "backup_relay"
For now minion/NightmareMoon doesn’t store my emails, but that is expected at some point, which would also invert the backup and main roles. It is configured as a backup MX and sends internet emails through cloudsdale (because of the broken rDNS).
Cloudsdale
- OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs
- libasr: git (d7e6e51a17cca19bc3b4bc8826625ff545b84d6c)
- libc: musl libc
OpenSMTPd config
pki cloudsdale.the-delta.net.eu.org cert "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.crt"
pki cloudsdale.the-delta.net.eu.org key "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.key"
queue encryption [REDACTED]
smtp max-message-size 4M
# internet
listen on eth0 port 25 tls pki cloudsdale.the-delta.net.eu.org hostname cloudsdale.the-delta.net.eu.org tag IN no-dsn
listen on lo tag IN
# If you edit the file, you have to run "smtpctl update table aliases"
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
action "deliver" maildir alias <aliases>
action "relay" relay tls no-verify
# Legacy: libasr-1.0.2 tarball is broken with musl, use git
#action "relay" relay host smtp+tls://hacktivis.me
match from any for domain <domains> action "deliver"
match from local for local action "deliver"
match from local for any action "relay"
DNS Records
This is what I have in all my zones (I use a $INCLUDE, which is supported by nsd):
@ 86400 MX 1 cloudsdale.the-delta.net.eu.org.
@ 86400 MX 10 minion.the-delta.net.eu.org.
@ 86400 TXT "v=spf1 a mx ?all"
_dmarc 86400 TXT "v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s"
_smtp._tls 86400 TXT "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me"
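To make the SPF record above concrete, here is an added toy SPF evaluator (my own example, not code from the post or from OpenSMTPd) that walks "v=spf1 a mx ?all" against a constructed in-memory DNS. The zone name "example.net" and the addresses other than cloudsdale's (taken from the config above) are made up; it shows that a sender matching an MX host passes, while an unknown sender only gets "neutral" because of the "?all" qualifier.

```python
import ipaddress

# Constructed in-memory DNS for a hypothetical zone "example.net" whose MX hosts
# are the two from the post; 138.201.117.120 and 2a01:4f8:1c17:4b6d::1 are
# cloudsdale's addresses from the post's config, the other addresses are made up.
DNS = {
    "TXT": {"example.net": "v=spf1 a mx ?all"},
    "MX": {"example.net": ["cloudsdale.the-delta.net.eu.org",
                           "minion.the-delta.net.eu.org"]},
    "ADDR": {  # A and AAAA records together
        "example.net": ["198.51.100.10"],
        "cloudsdale.the-delta.net.eu.org": ["138.201.117.120",
                                            "2a01:4f8:1c17:4b6d::1"],
        "minion.the-delta.net.eu.org": ["203.0.113.7"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def host_matches(name, ip, dns):
    """True if `ip` is one of the A/AAAA addresses published for `name`."""
    return any(ip == ipaddress.ip_address(a) for a in dns["ADDR"].get(name, []))


def spf_result(record, domain, sender_ip, dns=DNS):
    """Evaluate an SPF record (a, mx, ip4/ip6, all mechanisms) for a sending IP."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = host_matches(arg or domain, ip, dns)
        elif mech == "mx":
            matched = any(host_matches(mx, ip, dns)
                          for mx in dns["MX"].get(arg or domain, []))
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # include/redirect/exists are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched: RFC 7208 default result


def evaluate_spf(domain, sender_ip, dns=DNS):
    """Look up the zone's TXT record and evaluate it for the sending IP."""
    return spf_result(dns["TXT"].get(domain, ""), domain, sender_ip, dns)
```

Swapping the record for "v=spf1 a mx -all" is what would turn the unknown sender's "neutral" into "fail".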
Choices
- I picked OpenSMTPd because I know its configuration is very simple, and people I know are using it and seem happy with it
- I’m not validating/signing emails with DKIM, which simplifies the configuration and gives cleaner headers; see my post “I’m removing defaults to eternal cryptographic signatures” for why I’m not adding it.
- There is no filtering yet, I don’t have much spam but adding rspamd is planned (hopefully OpenSMTPd will have filters then)
- I don’t require TLS when receiving emails; about half of what I get arrives with TLS and half without. I also use the default config for the ciphers as it’s a good enough one (not PFS but no broken ciphers)
- I require TLS when sending emails but not a valid certificate (yet); this is quite common where self-hosting is involved, and I didn’t need to add exceptions yet
- There is no DANE/TLSA because I do not have DNSSEC and I’m not adding MTA-STS because it is a mess
- I do not use IMAP/POP; using Maildir with a remote mutt is perfect, and I can still use ssh (sshfs and "set sendmail=ssh machine sendmail …") if I need to have mutt locally (like for attachments), thus removing a large piece of software to maintain