My little blog can’t be this cute!

My email setup.xhtml (5281B)

      1 <article xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
      2 <a href="/articles/My%20email%20setup"><h1>My email setup</h1></a>
      3 <ul>
      4 	<li>NightmareMoon: Desktop machine, plagged with broken rDNS</li>
      5 	<li>minion: BananaPi Server (offline at the time of writing)</li>
      6 	<li>cloudsdale: VPS at Hetzner</li>
      7 </ul>
      8 <h2>NightmareMoon</h2>
      9 <ul>
     10 	<li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li>
     11 	<li>libasr: 1.0.2 (with res_randomid patch)</li>
     12 	<li>libc: GNU libc</li>
     13 </ul>
     14 <h3>OpenSMTPd config</h3>
     15 <code><pre>
     16 pki minion.the-delta.net.eu.org cert "/srv/certs/minion.the-delta.net.eu.org_rsa.crt"
     17 pki minion.the-delta.net.eu.org key  "/srv/certs/minion.the-delta.net.eu.org_rsa.key"
     19 queue encryption [REDACTED]
     21 smtp max-message-size 4M
     23 listen on enp3s0 port 25  tls         pki minion.the-delta.net.eu.org hostname minion.the-delta.net.eu.org
     24 listen on lo
     26 table aliases file:/etc/mail/aliases
     27 table domains file:/etc/mail/domains
     28 # Lines with &lt;cloudsdale&gt; are legacy because of libasr-1.0.2 under musl, now fixed
     29 #table cloudsdale { 2a01:4f8:1c17:4b6d::1, }
     31 action "local" mbox alias &lt;aliases&gt;
     32 action "relay"        relay helo minion.the-delta.net.eu.org host smtp+tls://cloudsdale.the-delta.net.eu.org
     33 #action "relay"        relay helo minion.the-delta.net.eu.org tls no-verify
     34 action "backup_relay" relay helo minion.the-delta.net.eu.org backup mx minion.the-delta.net.eu.org
     36 match from local for local action "local"
     37 match from local for any   action "relay"
     38 #match from src &lt;cloudsdale&gt; for any action "relay"
     39 match from any for domain &lt;domains&gt; action "backup_relay"
     40 </pre></code>
     41 <p>For now minion/NightmareMoon doesn’t store my emails but this is what is expected at some point, thus inverting backup and main too. It is configured to be a backup MX and to send internet emails to cloudsdale (because of the broken rDNS).</p>
     42 <h2>Cloudsdale</h2>
     43 <ul>
     44 	<li>OpenSMTPd: 6.4.1_p2, patched to accept non-root owned certs</li>
     45 	<li>libasr: git (<a href="https://github.com/OpenSMTPD/libasr/tree/d7e6e51a17cca19bc3b4bc8826625ff545b84d6c"><code>d7e6e51a17cca19bc3b4bc8826625ff545b84d6c</code></a>)</li>
     46 	<li>libc: musl libc</li>
     47 </ul>
     48 <h3>OpenSMTPd config</h3>
     49 <code><pre>
     50 pki cloudsdale.the-delta.net.eu.org cert "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.crt"
     51 pki cloudsdale.the-delta.net.eu.org key  "/srv/certs/cloudsdale.the-delta.net.eu.org_rsa.key"
     53 queue encryption [REDACTED]
     55 smtp max-message-size 4M
     57 # internet
     58 listen on eth0 port 25  tls         pki cloudsdale.the-delta.net.eu.org hostname cloudsdale.the-delta.net.eu.org tag IN no-dsn
     59 listen on lo tag IN
     61 # If you edit the file, you have to run "smtpctl update table aliases"
     62 table aliases file:/etc/mail/aliases
     63 table domains file:/etc/mail/domains
     65 action "deliver" maildir alias &lt;aliases&gt;
     66 action "relay"   relay tls no-verify
     67 # Legacy: libasr-1.0.2 tarball is broken with musl, use git
     68 #action "relay"   relay host smtp+tls://hacktivis.me
     70 match from any   for domain &lt;domains&gt; action "deliver"
     71 match from local for local            action "deliver"
     72 match from local for any              action "relay"
     73 </pre></code>
     74 <h2>DNS Records</h2>
     75 <p>This is what I have in all my zones (I use a <code>$INCLUDE</code>, which supported by nsd):</p>
     76 <code><pre>
     77 @       86400   MX      1 cloudsdale.the-delta.net.eu.org.
     78 @       86400   MX      10 minion.the-delta.net.eu.org.
     79 @       86400   TXT     "v=spf1 a mx ?all"
     80 _dmarc  86400   TXT     "v=DMARC1; p=none; rua=mailto:root+dmarc@hacktivis.me; ruf=mailto:root+dmarc@hacktivis.me; fo=s; adkim=r; aspf=s"
     81 _smtp._tls 86400        TXT     "v=TLSRPTv1; rua=mailto:root+tlsrpt@hacktivis.me"
     82 </pre></code>
     83 <h2>Choices</h2>
     84 <ul>
     85 	<li>I picked OpenSMTPd because I know the configuration of it is very simple and people I know are using it and seems glad with it</li>
     86 	<li>I’m not validating/signing emails with DKIM, thus simplifying the configuration and getting cleaner headers, see <a href="/articles/I%E2%80%99m%20removing%20defaults%20to%20eternal%20cryptographic%20signatures">I’m removing defaults to eternal cryptographic signatures</a> as to why I’m not putting it.</li>
     87 	<li>There is no filtering yet, I don’t have much spam but adding rspamd is planned (hopefully OpenSMTPd will have <a href="https://poolp.org/posts/2018-12-19/more-on-opensmtpd-filters/">filters</a> then)</li>
     88 	<li>I don’t require tls when receiving emails, I got about half with and without TLS, I also use the default config for the ciphers as it’s a good enough one (not PFS but no broken ciphers)</li>
     89 	<li>I require TLS when sending emails but not a valid certificate (yet), this is quite something where self-hosting is required, I didn’t need to put exceptions yet</li>
     90 	<li>There is no DANE/TLSA because I do not have DNSSEC and I’m not adding MTA-STS because it is a mess</li>
     91 	<li>I do not use IMAP/POP, using Maildir with a remote mutt is perfect and I can still use ssh (sshfs and <code>set sendmail=ssh machine sendmail …</code>) if I need to have mutt locally (like for attachments), thus removing a large piece of software to maintain</li>
     92 </ul>
     93 <p><a href="https://queer.hacktivis.me/notice/9gcLDX7sw859lqKdvM">Fediverse post for comments</a></p>
     94 </article>