Mail

From k-space wiki

The following started off as a gathering of private/personal e-mail enthusiasts at k-space.ee


Getting started

First obtain a computer with a static public IP address:

  • Virtual machine at Digital Ocean
  • Physical box at k-space.ee
  • Run a computer at home: ask your ISP to open the ports (free) and order a static address (6€/month), then check that ports 25, 465, 993, etc. are reachable and forward them to the mail server box

Obtain a domain name (example.com, 7-20€ per year) and at the DNS registrar configure:

  • A record pointing to the IP address of the mail exchange machine (dig -t A smtp.example.com)
  • MX record for the domain that points to hostname of the mail exchange box (dig -t MX example.com)

Install a mail transfer agent; this howto continues with Postfix, but there are many alternatives such as Exim, Sendmail, Microsoft Exchange, Lotus Domino, etc.


Postfix configuration

The following is the Postfix configuration for smtp.k-space.ee, which faces the Internet on one side and delivers mail to mail.k-space.lan, a machine on the internal network

 # The usual stuff
 smtpd_banner = $myhostname ESMTP $mail_name ding-dong
 biff = no
 append_dot_mydomain = no
 readme_directory = no
 myhostname = smtp.k-space.ee
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = ipv4
 
 # This disables storing any mail on this machine and forwards
 # mail destined for whoever@k-space.ee to mail.k-space.lan
 local_recipient_maps =
 local_transport = error:local mail delivery disabled
 mailbox_size_limit = 512000000
 mydestination =
 relayhost =
 virtual_mailbox_domains = k-space.ee
 transport_maps = inline:{k-space.ee=smtp:mail.k-space.lan}
 
 # Allow relaying mail from the server subnet (172.20.1.0/24) and
 # a couple of other services at the 185.158.x.x addresses listed below
 mynetworks = 127.0.0.0/8 172.20.1.0/24 185.158.177.136 185.158.177.144 185.158.177.145 185.158.177.141
 
 # Restrictions are evaluated in order and the first match wins:
 # if the client IP is in mynetworks the mail is relayed;
 # if the HELO hostname is malformed or not fully qualified, the recipient is
 # not fully qualified or the sender domain doesn't resolve, the mail is rejected;
 # mail for any domain other than ours is deferred, i.e. refused with a
 # temporary error so the client retries later instead of being rejected outright
 smtpd_relay_restrictions =
   permit_mynetworks
   reject_invalid_hostname
   reject_non_fqdn_hostname
   reject_non_fqdn_recipient
   reject_unknown_sender_domain
   defer_unauth_destination

The following is used on the internal mail.k-space.lan, which can be accessed either via VPN+IMAP or Nextcloud:

 smtpd_banner = $myhostname ESMTP $mail_name king-kong
 biff = no
 append_dot_mydomain = no
 readme_directory = no
 myhostname = mail.k-space.lan
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = $myhostname, localhost, k-space.lan, k-space.ee
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = ipv4
 
 # Handle the Kerberos PAC, which may be transmitted along with Kerberos-authenticated IMAP
 line_length_limit = 8192
 
 # All mail submitted for delivery on this box is handed to smtp.k-space.lan for relaying
 relayhost = smtp.k-space.lan
 
 # Use Dovecot machinery to authenticate SMTP connections
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
 home_mailbox = Maildir/
 
 # Allow only localhost or authenticated users to submit mail for delivery
 smtpd_relay_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   defer_unauth_destination
 
 # Before accepting a recipient for a mailbox on this machine, check that the
 # address is well-formed and exists and that the client is not a known spam source
 smtpd_recipient_restrictions =
   reject_non_fqdn_recipient
   reject_unlisted_recipient
   reject_unknown_recipient_domain
   reject_rbl_client sbl-xbl.spamhaus.org
   permit

Basic spam and phishing countermeasures

  • SPF check
  • Graylisting
  • Amavis


Configuring TLS certificates

Obtain certificates from Let's Encrypt and append the following to /etc/postfix/main.cf, adjusting the filenames:

 # Parameters that concern receiving e-mail start with smtpd_
 smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.k-space.ee/fullchain.pem
 smtpd_tls_key_file = /etc/letsencrypt/live/smtp.k-space.ee/privkey.pem
 # Offer STARTTLS to connecting clients; this is the current form of the obsolete smtpd_use_tls = yes
 smtpd_tls_security_level = may
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 
 # Parameters that concern sending e-mail start with smtp_
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_security_level = may

At this point the Gmail UI should no longer show warnings on e-mails sent by your server. Enforcing TLS for every connection is not realistic, because that would cut you off from domains which cannot deliver mail over TLS.
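The relay restrictions, mynetworks and TLS settings above are the places where a typo turns a mail server into an open relay or a cleartext one, so here is an added example (not part of the original page and not k-space.ee's own tooling) that reads a main.cf fragment the way Postfix does (continuation lines start with whitespace, the first `=` splits name from value) and flags those mistakes. The first sample is constructed from the smtp.k-space.ee fragments on this page with the TLS lines appended; the second is a constructed counter-example. The check names, messages and the "wider than /16" warning threshold are this example's own assumptions, not Postfix rules.

```python
"""Static checks for a Postfix main.cf. Added example for this page, not
k-space.ee's own tooling: it reads main.cf the way Postfix does (name = value,
continuation lines start with whitespace, '#' lines are comments) and flags
the two things to catch before exposing port 25: an open relay and no TLS."""

import ipaddress
import re

# One of these must end the relay policy; otherwise any client that reaches a
# permit_* rule may relay to arbitrary domains.
UNAUTH_DESTINATION_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Return {parameter: value}; the first '=' splits name from value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation of the previous parameter
            if current is None:
                raise ValueError(f"continuation line without parameter: {raw!r}")
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def parse_network(entry):
    """mynetworks entry -> ip_network, or None for a lookup-table reference."""
    bracketed = re.fullmatch(r"\[([^\]]+)\](?:/(\d+))?", entry)  # IPv6: [addr]/len
    if bracketed:
        addr, length = bracketed.groups()
        return ipaddress.ip_network(f"{addr}/{length or 128}", strict=False)
    if ":" in entry:  # e.g. hash:/etc/postfix/networks or cidr:/etc/postfix/...
        return None
    return ipaddress.ip_network(entry, strict=False)


def audit(params):
    """Return a list of findings; an empty list means nothing was spotted."""
    findings = []
    if "smtpd_relay_restrictions" in params:
        rules = split_list(params["smtpd_relay_restrictions"])
        guard_at = next((i for i, r in enumerate(rules) if r in UNAUTH_DESTINATION_GUARDS), None)
        if guard_at is None:
            findings.append("OPEN RELAY: smtpd_relay_restrictions lacks a *_unauth_destination rule")
        elif "permit" in rules[:guard_at]:  # first match wins, so a bare permit bypasses the guard
            findings.append("OPEN RELAY: bare 'permit' precedes the *_unauth_destination rule")
    for entry in split_list(params.get("mynetworks", "")):
        net = parse_network(entry)
        if net is None:
            findings.append(f"INFO: mynetworks entry {entry} is a lookup table, not checked")
        elif net.prefixlen == 0:
            findings.append(f"OPEN RELAY: mynetworks {entry} makes permit_mynetworks match every client")
        elif net.version == 4 and net.prefixlen < 16 and not net.is_loopback:
            findings.append(f"WARN: mynetworks entry {entry} is very broad")  # /16 threshold is this example's choice
    inbound = params.get("smtpd_tls_security_level") or (
        "may" if params.get("smtpd_use_tls", "").lower() == "yes" else "none")
    if inbound == "none":
        findings.append("WARN: inbound STARTTLS not offered; set smtpd_tls_security_level = may")
    elif not (params.get("smtpd_tls_cert_file") and params.get("smtpd_tls_key_file")):
        findings.append("WARN: inbound TLS enabled without smtpd_tls_cert_file/smtpd_tls_key_file")
    if params.get("smtp_tls_security_level", "none") == "none":
        findings.append("WARN: outbound mail sent in clear; set smtp_tls_security_level = may")
    return findings


# Constructed from the smtp.k-space.ee fragments on this page, TLS lines included.
SAMPLE_GOOD = """
myhostname = smtp.k-space.ee
mydestination =
virtual_mailbox_domains = k-space.ee
transport_maps = inline:{k-space.ee=smtp:mail.k-space.lan}
mynetworks = 127.0.0.0/8 172.20.1.0/24 185.158.177.136 185.158.177.144
smtpd_relay_restrictions =
  permit_mynetworks
  reject_invalid_hostname
  reject_non_fqdn_recipient
  defer_unauth_destination
smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.k-space.ee/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/smtp.k-space.ee/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may
"""

# Constructed counter-example: trusts the whole Internet and has no destination guard.
SAMPLE_OPEN_RELAY = """
myhostname = smtp.example.com
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit
"""
```

To run it against a live box, call `audit(parse_main_cf(open("/etc/postfix/main.cf").read()))`; on the page's configuration it returns an empty list, while the counter-example yields two OPEN RELAY findings plus two TLS warnings. The parser deliberately ignores `$variable` expansion and `postconf -n` defaults, so a parameter that is only set by Postfix's compiled-in default (such as `smtpd_relay_restrictions` on Postfix 2.10 and later) is simply not checked.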

TODO: how to enforce TLS for particular domain names or previously over TLS seen domains.


Going the extra mile

  • DKIM to sign outgoing e-mail
  • DMARC
  • DANE