My email setup

NightmareMoon: Desktop machine, plagged with broken rDNS
minion: BananaPi Server (offline at the time of writing)
cloudsdale: VPS at Hetzner

NightmareMoon

OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs
libasr: 1.0.2 (with res_randomid patch)
libc: GNU libc

OpenSMTPd config

pki minion.the-delta.net.eu.org cert "/srv/certs/minion.the-delta.net.eu.org_rsa.crt"
pki minion.the-delta.net.eu.org key  "/srv/certs/minion.the-delta.net.eu.org_rsa.key"

queue encryption [REDACTED]

smtp max-message-size 4M

listen on enp3s0 port 25  tls         pki minion.the-delta.net.eu.org hostname minion.the-delta.net.eu.org
listen on lo

table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
# Lines with <cloudsdale> are legacy because of libasr-1.0.2 under musl, now fixed
#table cloudsdale { 2a01:4f8:1c17:4b6d::1, 138.201.117.120 }

action "local" mbox alias <aliases>
action "relay"        relay helo minion.the-delta.net.eu.org host smtp+tls://cloudsdale.the-delta.net.eu.org
#action "relay"        relay helo minion.the-delta.net.eu.org tls no-verify
action "backup_relay" relay helo minion.the-delta.net.eu.org backup mx minion.the-delta.net.eu.org

match from local for local action "local"
match from local for any   action "relay"
#match from src <cloudsdale> for any action "relay"
match from any for domain <domains> action "backup_relay"

For now minion/NightmareMoon doesn’t store my emails but this is what is expected at some point, thus inverting backup and main too. It is configured to be a backup MX and to send internet emails to cloudsdale (because of the broken rDNS).

Cloudsdale

OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs
libasr: git (d7e6e51a17cca19bc3b4bc8826625ff545b84d6c)
libc: musl libc

OpenSMTPd config

pki cloudsdale.the-delta.net.eu.org cert "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.crt"
pki cloudsdale.the-delta.net.eu.org key  "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.key"

queue encryption [REDACTED]

smtp max-message-size 4M

# internet
listen on eth0 port 25  tls         pki cloudsdale.the-delta.net.eu.org hostname cloudsdale.the-delta.net.eu.org tag IN no-dsn
listen on lo tag IN

# If you edit the file, you have to run "smtpctl update table aliases"
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains

action "deliver" maildir alias <aliases>
action "relay"   relay tls no-verify
# Legacy: libasr-1.0.2 tarball is broken with musl, use git
#action "relay"   relay host smtp+tls://hacktivis.me

match from any   for domain <domains> action "deliver"
match from local for local            action "deliver"
match from local for any              action "relay"

DNS Records

This is what I have in all my zones (I use a $INCLUDE, which supported by nsd):

@       86400   MX      1 cloudsdale.the-delta.net.eu.org.
@       86400   MX      10 minion.the-delta.net.eu.org.
@       86400   TXT     "v=spf1 a mx ?all"
_dmarc  86400   TXT     "v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s"
_smtp._tls 86400        TXT     "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me"

Choices

I picked OpenSMTPd because I know the configuration of it is very simple and people I know are using it and seems glad with it
I’m not validating/signing emails with DKIM, thus simplifying the configuration and getting cleaner headers, see I’m removing defaults to eternal cryptographic signatures as to why I’m not putting it.
There is no filtering yet, I don’t have much spam but adding rspamd is planned (hopefully OpenSMTPd will have filters then)
I don’t require tls when receiving emails, I got about half with and without TLS, I also use the default config for the ciphers as it’s a good enough one (not PFS but no broken ciphers)
I require TLS when sending emails but not a valid certificate (yet), this is quite something where self-hosting is required, I didn’t need to put exceptions yet
There is no DANE/TLSA because I do not have DNSSEC and I’m not adding MTA-STS because it is a mess
I do not use IMAP/POP, using Maildir with a remote mutt is perfect and I can still use ssh (sshfs and set sendmail=ssh machine sendmail …) if I need to have mutt locally (like for attachments), thus removing a large piece of software to maintain

Fediverse post for comments