logo

blog

My website can't be that messy, right? git clone https://anongit.hacktivis.me/git/blog.git/

My email setup.xhtml (5368B)

    

  1. <!--
  2. Copyright © 2014 Haelwenn (lanodan) Monnier
  3. SPDX-License-Identifier: LAL-1.3
  4. -->
  5. <article xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
  6. <a href="/articles/My%20email%20setup"><h1>My email setup</h1></a>
  7. <ul>
  8. 	<li>NightmareMoon: Desktop machine, plagged with broken rDNS</li>
  9. 	<li>minion: BananaPi Server (offline at the time of writing)</li>
  10. 	<li>cloudsdale: VPS at Hetzner</li>
  11. </ul>
  12. <h2>NightmareMoon</h2>
  13. <ul>
  14. 	<li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li>
  15. 	<li>libasr: 1.0.2 (with res_randomid patch)</li>
  16. 	<li>libc: GNU libc</li>
  17. </ul>
  18. <h3>OpenSMTPd config</h3>
  19. <code><pre>
  20. pki minion.the-delta.net.eu.org cert "/srv/certs/minion.the-delta.net.eu.org_rsa.crt"
  21. pki minion.the-delta.net.eu.org key  "/srv/certs/minion.the-delta.net.eu.org_rsa.key"
  23. queue encryption [REDACTED]
  25. smtp max-message-size 4M
  27. listen on enp3s0 port 25  tls         pki minion.the-delta.net.eu.org hostname minion.the-delta.net.eu.org
  28. listen on lo
  30. table aliases file:/etc/mail/aliases
  31. table domains file:/etc/mail/domains
  32. # Lines with &lt;cloudsdale&gt; are legacy because of libasr-1.0.2 under musl, now fixed
  33. #table cloudsdale { 2a01:4f8:1c17:4b6d::1, 138.201.117.120 }
  35. action "local" mbox alias &lt;aliases&gt;
  36. action "relay"        relay helo minion.the-delta.net.eu.org host smtp+tls://cloudsdale.the-delta.net.eu.org
  37. #action "relay"        relay helo minion.the-delta.net.eu.org tls no-verify
  38. action "backup_relay" relay helo minion.the-delta.net.eu.org backup mx minion.the-delta.net.eu.org
  40. match from local for local action "local"
  41. match from local for any   action "relay"
  42. #match from src &lt;cloudsdale&gt; for any action "relay"
  43. match from any for domain &lt;domains&gt; action "backup_relay"
  44. </pre></code>
  45. <p>For now minion/NightmareMoon doesn’t store my emails but this is what is expected at some point, thus inverting backup and main too. It is configured to be a backup MX and to send internet emails to cloudsdale (because of the broken rDNS).</p>
  46. <h2>Cloudsdale</h2>
  47. <ul>
  48. 	<li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li>
  49. 	<li>libasr: git (<a href="https://github.com/OpenSMTPD/libasr/tree/d7e6e51a17cca19bc3b4bc8826625ff545b84d6c"><code>d7e6e51a17cca19bc3b4bc8826625ff545b84d6c</code></a>)</li>
  50. 	<li>libc: musl libc</li>
  51. </ul>
  52. <h3>OpenSMTPd config</h3>
  53. <code><pre>
  54. pki cloudsdale.the-delta.net.eu.org cert "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.crt"
  55. pki cloudsdale.the-delta.net.eu.org key  "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.key"
  57. queue encryption [REDACTED]
  59. smtp max-message-size 4M
  61. # internet
  62. listen on eth0 port 25  tls         pki cloudsdale.the-delta.net.eu.org hostname cloudsdale.the-delta.net.eu.org tag IN no-dsn
  63. listen on lo tag IN
  65. # If you edit the file, you have to run "smtpctl update table aliases"
  66. table aliases file:/etc/mail/aliases
  67. table domains file:/etc/mail/domains
  69. action "deliver" maildir alias &lt;aliases&gt;
  70. action "relay"   relay tls no-verify
  71. # Legacy: libasr-1.0.2 tarball is broken with musl, use git
  72. #action "relay"   relay host smtp+tls://hacktivis.me
  74. match from any   for domain &lt;domains&gt; action "deliver"
  75. match from local for local            action "deliver"
  76. match from local for any              action "relay"
  77. </pre></code>
  78. <h2>DNS Records</h2>
  79. <p>This is what I have in all my zones (I use a <code>$INCLUDE</code>, which supported by nsd):</p>
  80. <code><pre>
  81. @       86400   MX      1 cloudsdale.the-delta.net.eu.org.
  82. @       86400   MX      10 minion.the-delta.net.eu.org.
  83. @       86400   TXT     "v=spf1 a mx ?all"
  84. _dmarc  86400   TXT     "v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s"
  85. _smtp._tls 86400        TXT     "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me"
  86. </pre></code>
  87. <h2>Choices</h2>
  88. <ul>
  89. 	<li>I picked OpenSMTPd because I know the configuration of it is very simple and people I know are using it and seems glad with it</li>
  90. 	<li>I’m not validating/signing emails with DKIM, thus simplifying the configuration and getting cleaner headers, see <a href="/articles/I%E2%80%99m%20removing%20defaults%20to%20eternal%20cryptographic%20signatures">I’m removing defaults to eternal cryptographic signatures</a> as to why I’m not putting it.</li>
  91. 	<li>There is no filtering yet, I don’t have much spam but adding rspamd is planned (hopefully OpenSMTPd will have <a href="https://poolp.org/posts/2018-12-19/more-on-opensmtpd-filters/">filters</a> then)</li>
  92. 	<li>I don’t require tls when receiving emails, I got about half with and without TLS, I also use the default config for the ciphers as it’s a good enough one (not PFS but no broken ciphers)</li>
  93. 	<li>I require TLS when sending emails but not a valid certificate (yet), this is quite something where self-hosting is required, I didn’t need to put exceptions yet</li>
  94. 	<li>There is no DANE/TLSA because I do not have DNSSEC and I’m not adding MTA-STS because it is a mess</li>
  95. 	<li>I do not use IMAP/POP, using Maildir with a remote mutt is perfect and I can still use ssh (sshfs and <code>set sendmail=ssh machine sendmail …</code>) if I need to have mutt locally (like for attachments), thus removing a large piece of software to maintain</li>
  96. </ul>
  97. <p><a href="https://queer.hacktivis.me/notice/9gcLDX7sw859lqKdvM">Fediverse post for comments</a></p>
  98. </article>