logo

blog

My website can't be that messy, right? git clone https://hacktivis.me/git/blog.git

My email setup.xhtml (5281B)

    

  1. <article xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
  2. <a href="/articles/My%20email%20setup"><h1>My email setup</h1></a>
  3. <ul>
  4. 	<li>NightmareMoon: Desktop machine, plagged with broken rDNS</li>
  5. 	<li>minion: BananaPi Server (offline at the time of writing)</li>
  6. 	<li>cloudsdale: VPS at Hetzner</li>
  7. </ul>
  8. <h2>NightmareMoon</h2>
  9. <ul>
  10. 	<li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li>
  11. 	<li>libasr: 1.0.2 (with res_randomid patch)</li>
  12. 	<li>libc: GNU libc</li>
  13. </ul>
  14. <h3>OpenSMTPd config</h3>
  15. <code><pre>
  16. pki minion.the-delta.net.eu.org cert "/srv/certs/minion.the-delta.net.eu.org_rsa.crt"
  17. pki minion.the-delta.net.eu.org key  "/srv/certs/minion.the-delta.net.eu.org_rsa.key"
  19. queue encryption [REDACTED]
  21. smtp max-message-size 4M
  23. listen on enp3s0 port 25  tls         pki minion.the-delta.net.eu.org hostname minion.the-delta.net.eu.org
  24. listen on lo
  26. table aliases file:/etc/mail/aliases
  27. table domains file:/etc/mail/domains
  28. # Lines with &lt;cloudsdale&gt; are legacy because of libasr-1.0.2 under musl, now fixed
  29. #table cloudsdale { 2a01:4f8:1c17:4b6d::1, 138.201.117.120 }
  31. action "local" mbox alias &lt;aliases&gt;
  32. action "relay"        relay helo minion.the-delta.net.eu.org host smtp+tls://cloudsdale.the-delta.net.eu.org
  33. #action "relay"        relay helo minion.the-delta.net.eu.org tls no-verify
  34. action "backup_relay" relay helo minion.the-delta.net.eu.org backup mx minion.the-delta.net.eu.org
  36. match from local for local action "local"
  37. match from local for any   action "relay"
  38. #match from src &lt;cloudsdale&gt; for any action "relay"
  39. match from any for domain &lt;domains&gt; action "backup_relay"
  40. </pre></code>
  41. <p>For now minion/NightmareMoon doesn’t store my emails but this is what is expected at some point, thus inverting backup and main too. It is configured to be a backup MX and to send internet emails to cloudsdale (because of the broken rDNS).</p>
  42. <h2>Cloudsdale</h2>
  43. <ul>
  44. 	<li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li>
  45. 	<li>libasr: git (<a href="https://github.com/OpenSMTPD/libasr/tree/d7e6e51a17cca19bc3b4bc8826625ff545b84d6c"><code>d7e6e51a17cca19bc3b4bc8826625ff545b84d6c</code></a>)</li>
  46. 	<li>libc: musl libc</li>
  47. </ul>
  48. <h3>OpenSMTPd config</h3>
  49. <code><pre>
  50. pki cloudsdale.the-delta.net.eu.org cert "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.crt"
  51. pki cloudsdale.the-delta.net.eu.org key  "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.key"
  53. queue encryption [REDACTED]
  55. smtp max-message-size 4M
  57. # internet
  58. listen on eth0 port 25  tls         pki cloudsdale.the-delta.net.eu.org hostname cloudsdale.the-delta.net.eu.org tag IN no-dsn
  59. listen on lo tag IN
  61. # If you edit the file, you have to run "smtpctl update table aliases"
  62. table aliases file:/etc/mail/aliases
  63. table domains file:/etc/mail/domains
  65. action "deliver" maildir alias &lt;aliases&gt;
  66. action "relay"   relay tls no-verify
  67. # Legacy: libasr-1.0.2 tarball is broken with musl, use git
  68. #action "relay"   relay host smtp+tls://hacktivis.me
  70. match from any   for domain &lt;domains&gt; action "deliver"
  71. match from local for local            action "deliver"
  72. match from local for any              action "relay"
  73. </pre></code>
  74. <h2>DNS Records</h2>
  75. <p>This is what I have in all my zones (I use a <code>$INCLUDE</code>, which supported by nsd):</p>
  76. <code><pre>
  77. @       86400   MX      1 cloudsdale.the-delta.net.eu.org.
  78. @       86400   MX      10 minion.the-delta.net.eu.org.
  79. @       86400   TXT     "v=spf1 a mx ?all"
  80. _dmarc  86400   TXT     "v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s"
  81. _smtp._tls 86400        TXT     "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me"
  82. </pre></code>
  83. <h2>Choices</h2>
  84. <ul>
  85. 	<li>I picked OpenSMTPd because I know the configuration of it is very simple and people I know are using it and seems glad with it</li>
  86. 	<li>I’m not validating/signing emails with DKIM, thus simplifying the configuration and getting cleaner headers, see <a href="/articles/I%E2%80%99m%20removing%20defaults%20to%20eternal%20cryptographic%20signatures">I’m removing defaults to eternal cryptographic signatures</a> as to why I’m not putting it.</li>
  87. 	<li>There is no filtering yet, I don’t have much spam but adding rspamd is planned (hopefully OpenSMTPd will have <a href="https://poolp.org/posts/2018-12-19/more-on-opensmtpd-filters/">filters</a> then)</li>
  88. 	<li>I don’t require tls when receiving emails, I got about half with and without TLS, I also use the default config for the ciphers as it’s a good enough one (not PFS but no broken ciphers)</li>
  89. 	<li>I require TLS when sending emails but not a valid certificate (yet), this is quite something where self-hosting is required, I didn’t need to put exceptions yet</li>
  90. 	<li>There is no DANE/TLSA because I do not have DNSSEC and I’m not adding MTA-STS because it is a mess</li>
  91. 	<li>I do not use IMAP/POP, using Maildir with a remote mutt is perfect and I can still use ssh (sshfs and <code>set sendmail=ssh machine sendmail …</code>) if I need to have mutt locally (like for attachments), thus removing a large piece of software to maintain</li>
  92. </ul>
  93. <p><a href="https://queer.hacktivis.me/notice/9gcLDX7sw859lqKdvM">Fediverse post for comments</a></p>
  94. </article>