Maddy: Difference between revisions
imported>Onny Add info about MTA-STS record |
imported>Onny Add notes about DKIM record |
||
Line 67: | Line 67: | ||
Using the <code>DMARC</code> record, we enforce a permissive policy and request reports about broken messages. The last to entries mark the domain <code>MTA-STS</code> compatible. | Using the <code>DMARC</code> record, we enforce a permissive policy and request reports about broken messages. The last to entries mark the domain <code>MTA-STS</code> compatible. | ||
The last entry is used by the <code>DKIM</code> authentication mechanism which enables recipients to verify the authenticity of mails send by your server. Create the following DNS record by using the value of the file Maddy generated on first startup <code>/var/lib/maddy/dkim_keys/example.org_default.dns</code>. | |||
<syntaxhighlight lang="console"> | |||
# dig TXT default._domainkey.example.org | |||
;; ANSWER SECTION: | |||
default._domainkey.example.org. TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg=" | |||
</syntaxhighlight> | |||
=== Managing users and inboxes === | === Managing users and inboxes === |
Revision as of 13:10, 4 August 2022
Maddy is a composable, modern mail server written in Go. It includes everything required to manage users, inboxes, send and receive mails while supporting all important secure protocols and standards.
Installation
The following example enables the Maddy mail server listening on mail delivery SMTP/Submission ports (25, 587
) and IMAP/IMAPS ports (143/993
) for mail clients to connect to. The server is configured to send and receive mails for the primary domain example.org
.
/etc/nixos/configuration.nix
services.maddy = {
enable = true;
openFirewall = true;
primaryDomain = "example.org";
tls = {
certPath = /var/lib/acme/example.org/example.org.crt;
keyPath = /var/lib/acme/example.org/example.org.key;
};
imap = {
port = 143;
tlsEnable = true;
tlsPort = 993;
};
};
TLS certificates can be obtained by using services like certbot or the acme service. Please reference their documentation on how to configure it to acquire the certificates.
Configuration
DNS records
Ensure that the domain you're going to use has MX
DNS records probably configured. They should point to the correct public IP addresses of your server running Maddy.
# dig MX example.org
;; ANSWER SECTION:
example.org. 3364 IN MX 0 mx1.example.org.
# dig A mx1.example.org
;; ANSWER SECTION:
mx1.example.org. 3392 IN A 8.8.8.8
# dig AAAA mx1.example.org
;; ANSWER SECTION:
mx1.example.org. 3364 IN AAAA 2001:db8:85a3:8d3:1319:8a2e:370:7348
Consult your domain provider on how to configure these records.
An other record called SPF
should also be present, telling that only servers in the MX
are allowed to send mails for this domain
# dig TXT example.org
;; ANSWER SECTION:
example.org. 3600 IN TXT "v=spf1 mx ~all"
# dig TXT mx1.example.org
;; ANSWER SECTION:
mx1.example.org. 3600 IN TXT "v=spf1 mx ~all"
# dig TXT _dmarc.example.org
;; ANSWER SECTION:
_dmarc.example.org. 3600 IN TXT "v=DMARC1; p=quarantine; ruf=mailto:postmaster@example.org"
# dig TXT _mta-sts.example.org
;; ANSWER SECTION:
_mta-sts.example.org. TXT "v=STSv1; id=1"
# dig TXT _smtp._tls.example.org
;; ANSWER SECTION:
_smtp._tls.example.org. TXT "v=TLSRPTv1;rua=mailto:postmaster@example.org"
Using the DMARC
record, we enforce a permissive policy and request reports about broken messages. The last to entries mark the domain MTA-STS
compatible.
The last entry is used by the DKIM
authentication mechanism which enables recipients to verify the authenticity of mails send by your server. Create the following DNS record by using the value of the file Maddy generated on first startup /var/lib/maddy/dkim_keys/example.org_default.dns
.
# dig TXT default._domainkey.example.org
;; ANSWER SECTION:
default._domainkey.example.org. TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="
Managing users and inboxes
Creating credentials and inboxes for a specific account. The first command creates the user postmaster@example.org
and will prompt for a password.
# maddyctl creds create postmaster@example.org
# maddyctl imap-acct create postmaster@example.org
Spam filtering
You can enable and use rspamd spam filtering daemon
/etc/nixos/configuration.nix
services.rspamd.enable = true;
Add following check
part to your Maddy configuration at the beginning of the section msgpipeline local_routing
as referenced by the default config.
msgpipeline local_routing {
check {
rspamd
}
[...]
Autoconfig
You can run an additional web service which provides autoconfig files for various mail clients like Thunderbird, iOS Mail or Outlook, so you don't have to manually configure your server settings into these apps. In this example, we're going to tell the clients, that our mail server is running on the domain example.org
and which IMAP/SMTP ports to use
/etc/nixos/configuration.nix
services.go-autoconfig = {
enable = true;
domain = "autoconfig.example.org";
imap = {
server = "example.org";
port = 993;
};
smtp = {
server = "example.org";
port = 587;
};
};
After that the autoconfig service based on program go-autoconfig will listen on http://localhost:1323 , serving the configuration informations used by the clients.
You can use your preferred web server, for example Caddy to proxy this service to an outside facing domain like https://autoconfig.example.org
/etc/nixos/configuration.nix
caddy = {
enable = true;
virtualHosts."autoconfig.example.org".extraConfig = ''
reverse_proxy http://localhost:1323
'';
};
You need DNS SRV-record on example.org
to get Outlook and Thunderbird working:
_autodiscover._tcp IN SRV 0 0 443 autoconfig.example.org.
Of course autoconfig.example.org domain should point to your server running the service.