From k-space wiki

The following started off as a gathering of private/personal e-mail enthusiasts at

Getting started

First obtain a computer with a static public IP address:

  • Virtual machine at Digital Ocean
  • Physical box at
  • Run a computer at home, ask the ISP to open the ports (free), order a static address (6€/month), check that the ports are reachable and forward 25, 465, 993, etc. to the mail server box

Obtain a domain name (, 7-20€ per year) and at the DNS registrar configure:

  • A record pointing to the IP address of the mail exchange machine (dig -t A
  • MX record for the domain that points to the hostname of the mail exchange box (dig -t MX

Install a mail transfer agent. This howto continues with Postfix, but there are many alternatives such as Exim, Sendmail, Microsoft Exchange, Lotus Domino, etc.

Postfix configuration

The following is the Postfix configuration for that on one side faces the Internet and delivers mail to a machine on the internal network, mail.k-space.lan:

 # The usual stuff
 smtpd_banner = $myhostname ESMTP $mail_name ding-dong
 biff = no
 append_dot_mydomain = no
 readme_directory = no
 myhostname =
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = ipv4
 # This will disable storing any mail on this machine and forward
 # mail destined to to mail.k-space.lan
 local_recipient_maps =
 local_transport = error: local mail delivery disabled
 mailbox_size_limit = 512000000
 mydestination = 
 relayhost =
 virtual_mailbox_domains =
 transport_maps =  inline:{}
 # This will allow relaying mail from the servers' subnet ( and
 # a couple of other services described by 185.158.x.x IP addresses
 mynetworks =
 # If the source IP is found in mynetworks the mail is relayed;
 # if the sender hostname doesn't resolve or the e-mail address is invalid the mail is rejected;
 # others are deferred, meaning not delivered but not rejected either (see mailq for deferred mail)
 smtpd_relay_restrictions =

The following is used on the internal mail.k-space.lan, which can be accessed either via VPN+IMAP or Nextcloud:

 smtpd_banner = $myhostname ESMTP $mail_name king-kong
 biff = no
 append_dot_mydomain = no
 readme_directory = no
 myhostname = mail.k-space.lan
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = $myhostname, localhost, k-space.lan,
 mynetworks = [::ffff:]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = ipv4
 # Handle the Kerberos PAC, which may be transmitted along with Kerberos-authenticated IMAP
 line_length_limit = 8192
 # All mail submitted for delivery on this box is submitted for relay via smtp.k-space.lan
 relayhost = smtp.k-space.lan
 # Use Dovecot machinery to authenticate SMTP connections
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
 home_mailbox = Maildir/
 # Allow only localhost or authenticated users to submit mail for delivery
 smtpd_relay_restrictions =
 # When mail is about to be saved on this machine, check whether it is spam
 smtpd_recipient_restrictions =
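As an added example (not part of the wiki page or the k-space configs), a small Python script that parses a main.cf in the format shown above and evaluates smtpd_relay_restrictions the way Postfix walks a restriction list for one connecting client, so the relay policy the comments describe (mynetworks relayed, authenticated users relayed, strangers deferred) can be verified before a stray permit turns the edge box into an open relay. The sample configs and the 127.0.0.0/8 subnet are constructed placeholders.

```python
"""Open-relay check for a Postfix main.cf (added example, not the wiki's code):
walks smtpd_relay_restrictions the way Postfix does for one connecting client."""

# Built-in default of smtpd_relay_restrictions when main.cf does not set it (Postfix >= 2.10)
DEFAULT_RELAY = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"

def parse_main_cf(text):
    """Postfix main.cf: 'key = value', '#' comment lines, indented continuation lines."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key is not None:
            params[key] += " " + line.strip()   # continuation of the previous value
            continue
        k, _, v = line.partition("=")
        key = k.strip()
        params[key] = v.strip()
    return params

def relay_outcome(params, in_mynetworks=False, authenticated=False):
    """Decision for a client sending to a domain this host is NOT final destination
    for: 'permit' (an open relay if the client is a stranger), 'reject' or 'defer'."""
    terms = params.get("smtpd_relay_restrictions", DEFAULT_RELAY).replace(",", " ").split()
    if not terms:  # set but empty: only smtpd_recipient_restrictions guards relaying
        terms = params.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    for t in terms:
        if t == "permit_mynetworks" and in_mynetworks:
            return "permit"
        if t == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if t in ("permit", "reject", "defer") or t.endswith("_unauth_destination"):
            return t.split("_")[0]  # reject_unauth_destination -> reject, etc.
        # reject_unknown_sender_domain, check_policy_service etc. need message data
        # not modelled here: treated as "no match", keep walking the list
    return "permit"  # ran off the end: Postfix's implicit default action is permit

# Constructed sample configs; the subnet is a placeholder, not k-space's.
WEAK_CF = """\
mynetworks = 127.0.0.0/8
smtpd_relay_restrictions = permit_mynetworks,
    permit,
    reject_unauth_destination
"""
GOOD_CF = """\
mynetworks = 127.0.0.0/8
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_sender_domain,
    defer_unauth_destination
"""
```

Run relay_outcome(parse_main_cf(open("/etc/postfix/main.cf").read())) on the edge box: anything other than "defer" or "reject" for the stranger case means unauthenticated clients can relay through it.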

Basic spam and phishing countermeasures

  • SPF check
  • Graylisting
  • Amavis

Configuring TLS certificates

Obtain certificates from Let's Encrypt and append the following to /etc/postfix/ whilst adjusting the filenames:

 # Parameters that concern receiving e-mail start with smtpd_
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 # Parameters that concern sending e-mail start with smtp_
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_security_level = may

At this point the Gmail UI shouldn't show any warnings regarding the e-mails sent by your e-mail server. Enforcing TLS for every connection is not realistic, because that would lock you out of domains which are unable to deliver mail over TLS.

TODO: how to enforce TLS for particular domain names or for domains previously seen over TLS.

Going the extra mile

  • DKIM to sign outgoing e-mail
  • DANE