Maddy: Difference between revisions

(56 intermediate revisions by 4 users not shown)

Line 3:

== Installation ==

~~{{Note|Following~~ example ~~describes~~ the ~~usage of an experimental module which is still being reviewed as an open PR~~ and ~~might not be ready~~ for ~~production~~.}}

The following example enables the Maddy mail server on localhost, listening on mail delivery SMTP/Submission ports (<code>25, 587</code>) and IMAP port (<code>143</code>) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet.

The following example ~~enables~~ the ~~Maddy~~ mail server ~~listening on mail delivery SMTP/Submission ports (~~<code>~~25, 587~~</code>) and IMAP~~/IMAPS ports (~~<code>~~143/~~993</code>~~) for mail clients to connect to. The server is configured to send~~ and ~~receive mails for the primary domain~~ <code>~~example.org~~</code>.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

services.maddy = {

enable = true;

primaryDomain = "localhost";

ensureAccounts = [

"user1@example.org"

"postmaster@example.org"

];

ensureCredentials = {

# Do not use this in production. This will make passwords world-readable

# in the Nix store

"user1@example.org".passwordFile = "${pkgs.writeText "postmaster" "test"}";

"postmaster@example.org".passwordFile = "${pkgs.writeText "postmaster" "test"}";

};

</nowiki>}}

This local test setup doesn't provide secure TLS connections and should be used only for testing purpose.

== Configuration ==

=== TLS ===

The following example changes the hostname for the mail server to the public domain <code>example.org</code>. TLS certificates are obtained using using the ACME dns-01 challenge. This requires API access to your domain provider. See [https://maddy.email/reference/tls-acme/ upstream documentation] for a list on supported providers and how to configure them.

Further the TLS connection is enabled on IMAP port <code>993</code> and Submission port <code>465</code>.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

Line 13:

Line 38:

primaryDomain = "example.org";

tls = {

~~certPath~~ = ~~/var/lib/~~acme~~/example.org/example.org.crt~~;

loader = "acme";

~~keyPath~~ = ~~/var/lib/acme/~~example.org~~/example~~.~~org~~.~~key;~~

extraConfig = ''

};

email put-your-email-here@example.org

~~imap =~~ {

agreed # indicate your agreement with Let's Encrypt ToS

~~port = 143;~~

host ${config.services.maddy.primaryDomain}

~~tlsEnable = true;~~

challenge dns-01

~~tlsPort = 993~~;

dns gandi {

api_token "{env:GANDI_API_KEY}"

}

'';

};

# Enable TLS listeners. Configuring this via the module is not yet

# implemented, see https://github.com/NixOS/nixpkgs/pull/153372

config = builtins.replaceStrings [

"imap tcp://0.0.0.0:143"

"submission tcp://0.0.0.0:587"

] [

"imap tls://0.0.0.0:993 tcp://0.0.0.0:143"

"submission tls://0.0.0.0:465 tcp://0.0.0.0:587"

] options.services.maddy.config.default;

# Reading secrets from a file. Do not use this example in production

# since it stores the keys world-readable in the Nix store.

secrets = [ "${pkgs.writeText "secrets" ''

GANDI_API_KEY=1234

''}" ];

};

# Opening ports for additional TLS listeners. This is not yet

# implemented in the module.

networking.firewall.allowedTCPPorts = [ 993 465 ];

</nowiki>}}

~~TLS~~ certificates can be ~~obtained by~~ using ~~services like~~ [[~~certbot~~]] or ~~the~~ [[~~acme~~]] ~~service~~. ~~Please reference their documentation on how to configure them to acquire the certificates.~~

Alternativley certificates can be manually loaded with setting <code>tls.loader = "file";</code> and manually specifiying key and certificates file paths using the <code>tls.certificates = [];</code> option. In this case, more ACME protocols and providers are available when using the native NixOS [[ACME]] module or manual client tools like [[Certbot]].

~~== Configuration ==~~

=== DNS records ===

Line 39:

Line 83:

"::"

];

zones."example.org.".data = ''

zones."example.org.".data = let

domainkey = ''

v=DKIM1; k=rsa; p=${

lib.fileContents( /var/lib/maddy/dkim_keys/example.org_default.dns )}'';

segments = ((lib.stringLength domainkey) / 255);

domainkeySplitted = map (x: lib.substring (x*255) 255 domainkey) (lib.range 0 segments);

in ''

@ SOA ns.example.org noc.example.org 666 7200 3600 1209600 3600

@ A 1.2.3.4

Line 51:

Line 101:

_mta-sts TXT "v=STSv1; id=1"

_smtp._tls TXT "v=TLSRPTv1;rua=mailto:postmaster@example.org"

default._domainkey TXT "~~v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg=~~"

default._domainkey TXT "${lib.concatStringsSep "\" \"" domainkeySplitted}"

'';

};

</nowiki>}}

Update the IPv4 and IPv6 addresses after <code>A</code> and <code>AAAA</code> to the one which points to the publc IP addresses of your mail server. The last entry is used by the <code>DKIM</code> authentication mechanism which enables recipients to verify the authenticity of mails send by your server. ~~Create~~ the ~~following DNS record~~ by ~~using the value of the file~~ Maddy ~~generated~~ on first startup <code>/var/lib/maddy/dkim_keys/example.org_default.dns</code>.

Update the IPv4 and IPv6 addresses after <code>A</code> and <code>AAAA</code> to the one which points to the publc IP addresses of your mail server. The last entry is used by the <code>DKIM</code> authentication mechanism which enables recipients to verify the authenticity of mails send by your server. They key is read from the file generated by Maddy on the first startup at <code>/var/lib/maddy/dkim_keys/example.org_default.dns</code> and spitted in segments of 255 chars length to fulfill the DNS record requirements.

Now that your server also runs a DNS daemon besides the mail server, you have to configure it as the external nameserver of your domain <code>example.org</code>. Please consult your domain provider on how to do that.

=== rDNS ===

It is important that the public facing IP of your mail server resolves to the MX domain name. This is something you would normally configure on your server provider site. You can check if it's resolving correctly by running this command

# nix shell nixpkgs#bind --command dig -x 1.2.3.4

[...]

;; ANSWER SECTION:

1.2.3.4.in-addr.arpa. 6244 IN PTR mx1.example.org.

</syntaxhighlight>

Replace the IP <code>1.2.3.4</code> with the IP of your mail server.

=== MTA-STS ===

MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can ~~[[Category:Web_Servers use others~~ too]].

MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can other Web Servers too.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

Line 72:

Line 134:

root * ${

pkgs.runCommand "testdir" {} ''

mkdir "$out/.well-known"

mkdir -p "$out/.well-known"

echo "

version: STSv1

Line 87:

Line 149:

Replace the domain <code>mta-sts.example.org</code> and the domain <code>mx1.example.org</code> with the ones you're using.

=== ~~Managing users~~ and inboxes ===

=== TLSA (DANE) ===

Using a TLSA (DANE) record is recommended to bind TLS-certificates to a server. Your nameserver needs DNSSEC support for it. You can generate the key using following command

# nix shell nixpkgs#hash-slinger --command tlsa --create --selector 1 --protocol tcp -p 25 --create mx1.example.org

</syntaxhighlight>

Or you can generate it directly from the TLS-certificate that you are using with maddy:<syntaxhighlight lang="console">

# openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin -outform der | sha256sum

</syntaxhighlight>Add the key to a new TLSA record in your nameserver

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

services.nsd.zones."example.org.".data = ''

[...]

_25._tcp.mx1.example.org. TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96e3498238

'';

</nowiki>}}

To verify if the record is set correctly

# nix shell nixpkgs#dnsutils --command dig _25._tcp.mx1.example.org TLSA +short

3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96 e3498238

</syntaxhighlight>

Check if DNSSEC is working correctly for your new TLSA record

# nix shell nixpkgs#dnsutils --command delv _25._tcp.mx1.example.org TLSA @1.1.1.1

; fully validated

_25._tcp.mx1.example.org. 10800 IN TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96 e3498238

_25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==

</syntaxhighlight>

To verify that the TLSA record matches the TLS certificate of the mail server, issue following openssl command

# openssl s_client -connect mx1.example.org:25 -starttls smtp -dane_tlsa_domain mx1.example.org -dane_tlsa_rrdata "3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96"

[...]

Verify return code: 0 (ok)

[...]

</syntaxhighlight>

Replace the hostnames and the TLSA hash according to your configuration.

=== Users and inboxes ===

Creating credentials and inboxes for a specific account. The first command creates the user <code>postmaster@example.org</code> and will prompt for a password.

Line 94:

Line 202:

# maddyctl creds create postmaster@example.org

# maddyctl imap-acct create postmaster@example.org

</syntaxhighlight>

Change password of an existing account

# maddyctl creds password postmaster@example.org

</syntaxhighlight>

=== Spam filtering ===

You can enable and use [[rspamd]] spam filtering daemon

You can enable and use [[rspamd]] spam filtering daemon like this

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

{ options, lib, ... }: {

services.maddy.config = builtins.replaceStrings ["msgpipeline local_routing {"] [''msgpipeline local_routing {

check {

rspamd {

api_path http://localhost:11334

}

}''] options.services.maddy.config.default;

services.rspamd = {

enable = true;

locals."dkim_signing.conf".text = ''

selector = "default";

domain = "project-insanity.org";

path = "/var/lib/maddy/dkim_keys/$domain_$selector.key";

'';

};

systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];

[...]

</nowiki>}}

The second part in this example replaces a part in the default config of the Maddy module and inserts the rspamd check to the message pipeline as described in the [https://maddy.email/reference/checks/rspamd upstream documentation].

The [[rspamd]] article also has some notes on how to achieve training for spam/ham mails using an additional helper script.

=== Mail attachement size ===

The default max mail attachement size is set to 32MB, for a higher value (in this case 64MB) change the default configuration via this workaround

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

{ options, lib, ... }: {

services.maddy.config = builtins.replaceStrings [

"dmarc yes"

] [

''dmarc yes

max_message_size 64M''] options.services.maddy.config.default;

[...]

</nowiki>}}

=== Alias addresses ===

The following example will add an alias <code>mailA@example.org</code> for the local mail address <code>mailB@example.org</code> meaning that every mail send to <code>mailA</code> will get delivered to <code>mailB</code>.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

services.~~rspamd~~.~~enable~~ = ~~true~~;

{ options, lib, ... }: {

services.maddy.config = builtins.replaceStrings [

"optional_step file /etc/maddy/aliases"

] [

"optional_step static {

entry mailA@example.org mailB@example.org

}"] options.services.maddy.config.default;

[...]

</nowiki>}}

~~Add following <code>check</code> part to your Maddy configuration at the beginning of the section <code>msgpipeline local_routing</code> as referenced by the default config.~~

== Tips & tricks ==

~~<syntaxhighlight lang~~=~~"json">~~

=== Test mail server ===

~~msgpipeline local_routing {~~

~~check {~~

You can use several online tools to test your mail server configuration:

~~rspamd~~

}

[...]

* [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security.

</~~syntaxhighlight~~>

* [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server.

* Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds.

=== Autoconfig ===

Line 123:

Line 292:

services.go-autoconfig = {

enable = true;

domain = "autoconfig.example.org";

settings = {

imap = {

service_addr = ":1323";

server = "example.org";

domain = "autoconfig.example.org";

port = 993;

imap = {

};

server = "example.org";

smtp = {

port = 993;

server = "example.org";

};

port = 587;

smtp = {

server = "example.org";

port = 587;

};

Line 148:

Line 320:

</nowiki>}}

~~You~~ need DNS ~~SRV-~~record ~~called~~ <code>~~_autodiscover._tcp.example.org</code> on <code>example.org~~</code> to get Outlook and Thunderbird working:

Further we need to add an additional DNS record to the <code>nsd</code> service to get Outlook and Thunderbird working:

<~~syntaxhighlight lang="console"~~>

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

~~# dig SRV _autodiscover~~.~~_tcp~~.example.org

services.nsd.zones."example.org.".data = ''

~~;; ANSWER SECTION:~~

[...]

_autodiscover._tcp~~.example.org 3600 IN~~ SRV 0 0 443 autoconfig~~.example.org~~

_autodiscover._tcp SRV 0 0 443 autoconfig

</~~syntaxhighlight~~>

'';

</nowiki>}}

Of course autoconfig.example.org domain should point to your server running the SSL enabled web service.

== Troubleshooting ==

=== TLS it not available or unauthenticated but required ===

This error occurs if the receiving mail server has a invalid or none TLS configuration. The default configuration of Maddy enforces a valid TLS connection to the remote server for delivery. If you want to disable this default policy, apply following configuration hack

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

{ options, lib, ... }: {

services.maddy.config = builtins.replaceStrings [

"min_tls_level encrypted"

] [

"min_tls_level none"] options.services.maddy.config.default;

[...]

</nowiki>}}

== See also ==

* [https://maddy.email Maddy homepage and documentation]

* [[Stalwart]], an open-source, all-in-one mail server solution that supports JMAP, IMAP4, and SMTP protocols

* [https://nixos-mailserver.readthedocs.io/en/latest Simple NixOS Mailserver]

* [[Imapsync]], useful tool to migrate mailboxes to a new server

[[Category:Mail Server]]

[[Category:Server]]

@@ Line 3: / Line 3: @@
 == Installation ==
-{{Note|Following example describes the usage of an experimental module which is still being reviewed as an open PR and might not be ready for production.}}
+The following example enables the Maddy mail server on localhost, listening on mail delivery SMTP/Submission ports (<code>25,  587</code>) and IMAP port (<code>143</code>) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet.
-The following example enables the Maddy mail server listening on mail delivery SMTP/Submission ports (<code>25,  587</code>) and IMAP/IMAPS ports (<code>143/993</code>) for mail clients to connect to. The server is configured to send and receive mails for the primary domain <code>example.org</code>.
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+services.maddy = {
+  enable = true;
+  primaryDomain = "localhost";
+  ensureAccounts = [
+    "user1@example.org"
+    "postmaster@example.org"
+  ];
+  ensureCredentials = {
+    # Do not use this in production. This will make passwords world-readable
+    # in the Nix store
+    "user1@example.org".passwordFile = "${pkgs.writeText "postmaster" "test"}";
+    "postmaster@example.org".passwordFile = "${pkgs.writeText "postmaster" "test"}";
+  };
+};
+</nowiki>}}
+This local test setup doesn't provide secure TLS connections and should be used only for testing purpose.
+== Configuration ==
+=== TLS ===
+The following example changes the hostname for the mail server to the public domain <code>example.org</code>. TLS certificates are obtained using using the ACME dns-01 challenge. This requires API access to your domain provider. See [https://maddy.email/reference/tls-acme/ upstream documentation] for a list on supported providers and how to configure them.
+Further the TLS connection is enabled on IMAP port <code>993</code> and Submission port <code>465</code>.
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
@@ Line 13: / Line 38: @@
    primaryDomain = "example.org";
    tls = {
-     certPath = /var/lib/acme/example.org/example.org.crt;
+     loader = "acme";
-     keyPath = /var/lib/acme/example.org/example.org.key;
+     extraConfig = ''
-  };
+      email put-your-email-here@example.org
-  imap = {
+      agreed # indicate your agreement with Let's Encrypt ToS
-    port = 143;
+      host ${config.services.maddy.primaryDomain}
-    tlsEnable = true;
+      challenge dns-01
-     tlsPort = 993;
+      dns gandi {
+        api_token "{env:GANDI_API_KEY}"
+      }
+     '';
    };
+  # Enable TLS listeners. Configuring this via the module is not yet
+  # implemented, see https://github.com/NixOS/nixpkgs/pull/153372
+  config = builtins.replaceStrings [
+    "imap tcp://0.0.0.0:143"
+    "submission tcp://0.0.0.0:587"
+  ] [
+    "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
+    "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+  ] options.services.maddy.config.default;
+  # Reading secrets from a file. Do not use this example in production
+  # since it stores the keys world-readable in the Nix store.
+  secrets = [ "${pkgs.writeText "secrets" ''
+    GANDI_API_KEY=1234
+  ''}" ];
 };
+# Opening ports for additional TLS listeners. This is not yet
+# implemented in the module.
+networking.firewall.allowedTCPPorts = [ 993 465 ];
 </nowiki>}}
-TLS certificates can be obtained by using services like [[certbot]] or the [[acme]] service. Please reference their documentation on how to configure them to acquire the certificates.
+Alternativley certificates can be manually loaded with setting <code>tls.loader = "file";</code> and manually specifiying key and certificates file paths using the <code>tls.certificates = [];</code> option. In this case, more ACME protocols and providers are available when using the native NixOS [[ACME]] module or manual client tools like [[Certbot]].
-== Configuration ==
 === DNS records ===
@@ Line 39: / Line 83: @@
      "::"
    ];
-   zones."example.org.".data = ''
+   zones."example.org.".data = let
+    domainkey = ''
+      v=DKIM1; k=rsa; p=${
+        lib.fileContents( /var/lib/maddy/dkim_keys/example.org_default.dns )}'';
+    segments = ((lib.stringLength domainkey) / 255);
+    domainkeySplitted = map (x: lib.substring (x*255) 255 domainkey) (lib.range 0 segments);
+  in ''
      @ SOA ns.example.org noc.example.org 666 7200 3600 1209600 3600
      @ A 1.2.3.4
@@ Line 51: / Line 101: @@
      _mta-sts TXT "v=STSv1; id=1"
      _smtp._tls TXT "v=TLSRPTv1;rua=mailto:postmaster@example.org"
-     default._domainkey TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="
+     default._domainkey TXT "${lib.concatStringsSep "\" \"" domainkeySplitted}"
    '';
 };
 </nowiki>}}
-Update the IPv4 and IPv6 addresses after <code>A</code> and <code>AAAA</code> to the one which points to the publc IP addresses of your mail server. The last entry is used by the <code>DKIM</code> authentication mechanism which enables recipients to verify the authenticity of mails send by your server. Create the following DNS record by using the value of the file Maddy generated on first startup <code>/var/lib/maddy/dkim_keys/example.org_default.dns</code>.
+Update the IPv4 and IPv6 addresses after <code>A</code> and <code>AAAA</code> to the one which points to the publc IP addresses of your mail server. The last entry is used by the <code>DKIM</code> authentication mechanism which enables recipients to verify the authenticity of mails send by your server. They key is read from the file generated by Maddy on the first startup at <code>/var/lib/maddy/dkim_keys/example.org_default.dns</code> and spitted in segments of 255 chars length to fulfill the DNS record requirements.
 Now that your server also runs a DNS daemon besides the mail server, you have to configure it as the external nameserver of your domain <code>example.org</code>. Please consult your domain provider on how to do that.
+=== rDNS ===
+It is important that the public facing IP of your mail server resolves to the MX domain name. This is something you would normally configure on your server provider site. You can check if it's resolving correctly by running this command
+<syntaxhighlight lang="console">
+# nix shell nixpkgs#bind --command dig -x 1.2.3.4
+[...]
+;; ANSWER SECTION:
+.2.3.4.in-addr.arpa. 6244	IN	PTR	mx1.example.org.
+</syntaxhighlight>
+Replace the IP <code>1.2.3.4</code> with the IP of your mail server.
 === MTA-STS ===
-MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can [[Category:Web_Servers use others too]].
+MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can other Web Servers too.
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
@@ Line 72: / Line 134: @@
      root * ${
        pkgs.runCommand "testdir" {} ''
-         mkdir "$out/.well-known"
+         mkdir -p "$out/.well-known"
          echo "
            version: STSv1
@@ Line 87: / Line 149: @@
 Replace the domain <code>mta-sts.example.org</code> and  the domain <code>mx1.example.org</code> with the ones you're using.
-=== Managing users and inboxes ===
+=== TLSA (DANE) ===
+Using a TLSA (DANE) record is recommended to bind TLS-certificates to a server. Your nameserver needs DNSSEC support for it. You can generate the key using following command
+<syntaxhighlight lang="console">
+# nix shell nixpkgs#hash-slinger --command tlsa  --create --selector 1 --protocol tcp -p 25 --create mx1.example.org
+</syntaxhighlight>
+Or you can generate it directly from the TLS-certificate that you are using with maddy:<syntaxhighlight lang="console">
+# openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin -outform der | sha256sum
+</syntaxhighlight>Add the key to a new TLSA record in your nameserver
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+services.nsd.zones."example.org.".data = ''
+  [...]
+  _25._tcp.mx1.example.org. TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96e3498238
+'';
+</nowiki>}}
+To verify if the record is set correctly
+<syntaxhighlight lang="console">
+# nix shell nixpkgs#dnsutils --command dig _25._tcp.mx1.example.org TLSA +short
+1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96 e3498238
+</syntaxhighlight>
+Check if DNSSEC is working correctly for your new TLSA record
+<syntaxhighlight lang="console">
+# nix shell nixpkgs#dnsutils --command delv _25._tcp.mx1.example.org TLSA @1.1.1.1
+; fully validated
+_25._tcp.mx1.example.org. 10800 IN TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96 e3498238
+_25._tcp.mx1.example.org. 10800 IN RRSIG	TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==
+</syntaxhighlight>
+To verify that the TLSA record matches the TLS certificate of the mail server, issue following openssl command
+<syntaxhighlight lang="console">
+# openssl s_client -connect mx1.example.org:25 -starttls smtp -dane_tlsa_domain mx1.example.org -dane_tlsa_rrdata "3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96"
+[...]
+Verify return code: 0 (ok)
+[...]
+</syntaxhighlight>
+Replace the hostnames and the TLSA hash according to your configuration.
+=== Users and inboxes ===
 Creating credentials and inboxes for a specific account. The first command creates the user <code>postmaster@example.org</code> and will prompt for a password.
@@ Line 94: / Line 202: @@
 # maddyctl creds create postmaster@example.org
 # maddyctl imap-acct create postmaster@example.org
+</syntaxhighlight>
+Change password of an existing account
+<syntaxhighlight lang="console">
+# maddyctl creds password postmaster@example.org
 </syntaxhighlight>
 === Spam filtering ===
-You can enable and use [[rspamd]] spam filtering daemon
+You can enable and use [[rspamd]] spam filtering daemon like this
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+{ options, lib, ... }: {
+services.maddy.config = builtins.replaceStrings ["msgpipeline local_routing {"] [''msgpipeline local_routing {
+  check {
+    rspamd {
+      api_path http://localhost:11334
+    }
+  }''] options.services.maddy.config.default;
+services.rspamd = {
+  enable = true;
+  locals."dkim_signing.conf".text = ''
+    selector = "default";
+    domain = "project-insanity.org";
+    path = "/var/lib/maddy/dkim_keys/$domain_$selector.key";
+  '';
+};
+systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
+[...]
+</nowiki>}}
+The second part in this example replaces a part in the default config of the Maddy module and inserts the rspamd check to the message pipeline as described in the [https://maddy.email/reference/checks/rspamd upstream documentation].
+The [[rspamd]] article also has some notes on how to achieve training for spam/ham mails using an additional helper script.
+=== Mail attachement size ===
+The default max mail attachement size is set to 32MB, for a higher value (in this case 64MB) change the default configuration via this workaround
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+{ options, lib, ... }: {
+services.maddy.config = builtins.replaceStrings [
+  "dmarc yes"
+] [
+  ''dmarc yes
+   max_message_size 64M''] options.services.maddy.config.default;
+[...]
+</nowiki>}}
+=== Alias addresses ===
+The following example will add an alias <code>mailA@example.org</code> for the local mail address <code>mailB@example.org</code> meaning that every mail send to <code>mailA</code> will get delivered to <code>mailB</code>.
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
-services.rspamd.enable = true;
+{ options, lib, ... }: {
+services.maddy.config = builtins.replaceStrings [
+  "optional_step file /etc/maddy/aliases"
+] [
+  "optional_step static {
+     entry mailA@example.org mailB@example.org
+   }"] options.services.maddy.config.default;
+[...]
 </nowiki>}}
-Add following <code>check</code> part to your Maddy configuration at the beginning of the section <code>msgpipeline local_routing</code> as referenced by the default config.
+== Tips & tricks ==
-<syntaxhighlight lang="json">
+=== Test mail server ===
-msgpipeline local_routing {
-  check {
+You can use several online tools to test your mail server configuration:
-    rspamd
-  }
-  [...]
+* [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security.
-</syntaxhighlight>
+* [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server.
+* Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds.
 === Autoconfig ===
@@ Line 123: / Line 292: @@
 services.go-autoconfig = {
    enable = true;
-   domain = "autoconfig.example.org";
+   settings = {
-  imap = {
+    service_addr = ":1323";
-    server = "example.org";
+    domain = "autoconfig.example.org";
-    port = 993;
+    imap = {
-  };
+      server = "example.org";
-  smtp = {
+      port = 993;
-    server = "example.org";
+    };
-    port = 587;
+    smtp = {
+      server = "example.org";
+      port = 587;
+    };
    };
 };
@@ Line 148: / Line 320: @@
 </nowiki>}}
-You need DNS SRV-record called <code>_autodiscover._tcp.example.org</code> on <code>example.org</code> to get Outlook and Thunderbird working:
+Further we need to add an additional DNS record to the <code>nsd</code> service to get Outlook and Thunderbird working:
-<syntaxhighlight lang="console">
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
-# dig SRV _autodiscover._tcp.example.org
+services.nsd.zones."example.org.".data = ''
-;; ANSWER SECTION:
+  [...]
-_autodiscover._tcp.example.org 3600 IN SRV 0 0 443 autoconfig.example.org
+  _autodiscover._tcp SRV 0 0 443 autoconfig
-</syntaxhighlight>
+'';
+</nowiki>}}
 Of course autoconfig.example.org domain should point to your server running the SSL enabled web service.
+== Troubleshooting ==
+=== TLS it not available or unauthenticated but required ===
+This error occurs if the receiving mail server has a invalid or none TLS configuration. The default configuration of Maddy enforces a valid TLS connection to the remote server for delivery. If you want to disable this default policy, apply following configuration hack
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+{ options, lib, ... }: {
+services.maddy.config = builtins.replaceStrings [
+  "min_tls_level encrypted"
+] [
+  "min_tls_level none"] options.services.maddy.config.default;
+[...]
+</nowiki>}}
+== See also ==
+* [https://maddy.email Maddy homepage and documentation]
+* [[Stalwart]], an open-source, all-in-one mail server solution that supports JMAP, IMAP4, and SMTP protocols
+* [https://nixos-mailserver.readthedocs.io/en/latest Simple NixOS Mailserver]
+* [[Imapsync]], useful tool to migrate mailboxes to a new server
 [[Category:Mail Server]]
+[[Category:Server]]