logo

blog

My website can't be that messy, right? git clone https://anongit.hacktivis.me/git/blog.git/

My email setup.xhtml (5281B)


  1. <article xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
  2. <a href="/articles/My%20email%20setup"><h1>My email setup</h1></a>
  3. <ul>
  4. <li>NightmareMoon: Desktop machine, plagged with broken rDNS</li>
  5. <li>minion: BananaPi Server (offline at the time of writing)</li>
  6. <li>cloudsdale: VPS at Hetzner</li>
  7. </ul>
  8. <h2>NightmareMoon</h2>
  9. <ul>
  10. <li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li>
  11. <li>libasr: 1.0.2 (with res_randomid patch)</li>
  12. <li>libc: GNU libc</li>
  13. </ul>
  14. <h3>OpenSMTPd config</h3>
  15. <code><pre>
  16. pki minion.the-delta.net.eu.org cert "/srv/certs/minion.the-delta.net.eu.org_rsa.crt"
  17. pki minion.the-delta.net.eu.org key "/srv/certs/minion.the-delta.net.eu.org_rsa.key"
  18. queue encryption [REDACTED]
  19. smtp max-message-size 4M
  20. listen on enp3s0 port 25 tls pki minion.the-delta.net.eu.org hostname minion.the-delta.net.eu.org
  21. listen on lo
  22. table aliases file:/etc/mail/aliases
  23. table domains file:/etc/mail/domains
  24. # Lines with &lt;cloudsdale&gt; are legacy because of libasr-1.0.2 under musl, now fixed
  25. #table cloudsdale { 2a01:4f8:1c17:4b6d::1, 138.201.117.120 }
  26. action "local" mbox alias &lt;aliases&gt;
  27. action "relay" relay helo minion.the-delta.net.eu.org host smtp+tls://cloudsdale.the-delta.net.eu.org
  28. #action "relay" relay helo minion.the-delta.net.eu.org tls no-verify
  29. action "backup_relay" relay helo minion.the-delta.net.eu.org backup mx minion.the-delta.net.eu.org
  30. match from local for local action "local"
  31. match from local for any action "relay"
  32. #match from src &lt;cloudsdale&gt; for any action "relay"
  33. match from any for domain &lt;domains&gt; action "backup_relay"
  34. </pre></code>
  35. <p>For now minion/NightmareMoon doesn’t store my emails but this is what is expected at some point, thus inverting backup and main too. It is configured to be a backup MX and to send internet emails to cloudsdale (because of the broken rDNS).</p>
  36. <h2>Cloudsdale</h2>
  37. <ul>
  38. <li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li>
  39. <li>libasr: git (<a href="https://github.com/OpenSMTPD/libasr/tree/d7e6e51a17cca19bc3b4bc8826625ff545b84d6c"><code>d7e6e51a17cca19bc3b4bc8826625ff545b84d6c</code></a>)</li>
  40. <li>libc: musl libc</li>
  41. </ul>
  42. <h3>OpenSMTPd config</h3>
  43. <code><pre>
  44. pki cloudsdale.the-delta.net.eu.org cert "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.crt"
  45. pki cloudsdale.the-delta.net.eu.org key "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.key"
  46. queue encryption [REDACTED]
  47. smtp max-message-size 4M
  48. # internet
  49. listen on eth0 port 25 tls pki cloudsdale.the-delta.net.eu.org hostname cloudsdale.the-delta.net.eu.org tag IN no-dsn
  50. listen on lo tag IN
  51. # If you edit the file, you have to run "smtpctl update table aliases"
  52. table aliases file:/etc/mail/aliases
  53. table domains file:/etc/mail/domains
  54. action "deliver" maildir alias &lt;aliases&gt;
  55. action "relay" relay tls no-verify
  56. # Legacy: libasr-1.0.2 tarball is broken with musl, use git
  57. #action "relay" relay host smtp+tls://hacktivis.me
  58. match from any for domain &lt;domains&gt; action "deliver"
  59. match from local for local action "deliver"
  60. match from local for any action "relay"
  61. </pre></code>
  62. <h2>DNS Records</h2>
  63. <p>This is what I have in all my zones (I use a <code>$INCLUDE</code>, which supported by nsd):</p>
  64. <code><pre>
  65. @ 86400 MX 1 cloudsdale.the-delta.net.eu.org.
  66. @ 86400 MX 10 minion.the-delta.net.eu.org.
  67. @ 86400 TXT "v=spf1 a mx ?all"
  68. _dmarc 86400 TXT "v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s"
  69. _smtp._tls 86400 TXT "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me"
  70. </pre></code>
  71. <h2>Choices</h2>
  72. <ul>
  73. <li>I picked OpenSMTPd because I know the configuration of it is very simple and people I know are using it and seems glad with it</li>
  74. <li>I’m not validating/signing emails with DKIM, thus simplifying the configuration and getting cleaner headers, see <a href="/articles/I%E2%80%99m%20removing%20defaults%20to%20eternal%20cryptographic%20signatures">I’m removing defaults to eternal cryptographic signatures</a> as to why I’m not putting it.</li>
  75. <li>There is no filtering yet, I don’t have much spam but adding rspamd is planned (hopefully OpenSMTPd will have <a href="https://poolp.org/posts/2018-12-19/more-on-opensmtpd-filters/">filters</a> then)</li>
  76. <li>I don’t require tls when receiving emails, I got about half with and without TLS, I also use the default config for the ciphers as it’s a good enough one (not PFS but no broken ciphers)</li>
  77. <li>I require TLS when sending emails but not a valid certificate (yet), this is quite something where self-hosting is required, I didn’t need to put exceptions yet</li>
  78. <li>There is no DANE/TLSA because I do not have DNSSEC and I’m not adding MTA-STS because it is a mess</li>
  79. <li>I do not use IMAP/POP, using Maildir with a remote mutt is perfect and I can still use ssh (sshfs and <code>set sendmail=ssh machine sendmail …</code>) if I need to have mutt locally (like for attachments), thus removing a large piece of software to maintain</li>
  80. </ul>
  81. <p><a href="https://queer.hacktivis.me/notice/9gcLDX7sw859lqKdvM">Fediverse post for comments</a></p>
  82. </article>