Maddy: Difference between revisions

From NixOS Wiki
Older revision: imported>Onny (Add notes about DKIM record)
Newer revision: imported>Onny (Better description of autodiscover DNS record)
Line 137:

Older revision:

</nowiki>}}

You need DNS SRV-record on <code>example.org</code> to get Outlook and Thunderbird working:

<code>
_autodiscover._tcp IN SRV 0 0 443 autoconfig.example.org.
</code>

Of course autoconfig.example.org domain should point to your server running the service.

[[Category:Mail Server]]

Newer revision:

</nowiki>}}

You need DNS SRV-record called <code>_autodiscover._tcp.example.org</code> on <code>example.org</code> to get Outlook and Thunderbird working:

<syntaxhighlight lang="console">
# dig SRV _autodiscover._tcp.example.org
;; ANSWER SECTION:
_autodiscover._tcp.example.org 3600 IN SRV 0 0 443 autoconfig.example.org
</syntaxhighlight>

Of course autoconfig.example.org domain should point to your server running the SSL enabled web service.

[[Category:Mail Server]]
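Review bot: the dig answer in the newer revision is missing the trailing dots that dig prints on fully qualified names ("_autodiscover._tcp.example.org." and "autoconfig.example.org."), so it does not read as genuine output, and the zone-file form from the older revision, "_autodiscover._tcp IN SRV 0 0 443 autoconfig.example.org.", which is what actually gets entered at the DNS provider, is dropped instead of being kept next to the query; suggest keeping both, the record to create and the dig query that verifies it. The closing sentence should also say that the SRV target has to be a hostname with its own A/AAAA record (an SRV target may not be an alias), which "should point to your server" leaves open.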

Revision as of 13:18, 4 August 2022

Maddy is a composable, modern mail server written in Go. It includes everything required to manage users and inboxes and to send and receive mail, while supporting all important secure protocols and standards.

Installation

Note: The following example describes the usage of an experimental module which is still being reviewed as an open PR and might not be ready for production.

The following example enables the Maddy mail server, listening on the SMTP and Submission ports (25, 587) for mail delivery and on the IMAP/IMAPS ports (143, 993) for mail clients to connect to. The server is configured to send and receive mail for the primary domain example.org.

/etc/nixos/configuration.nix
services.maddy = {
  enable = true;
  openFirewall = true;
  primaryDomain = "example.org";
  tls = {
    certPath = /var/lib/acme/example.org/example.org.crt;
    keyPath = /var/lib/acme/example.org/example.org.key;
  };
  imap = {
    port = 143;
    tlsEnable = true;
    tlsPort = 993;
  };
};

TLS certificates can be obtained by using services like certbot or the acme service. Please refer to their documentation on how to configure them to acquire the certificates.

Configuration

DNS records

Ensure that the domain you're going to use has properly configured MX DNS records. They should point to the correct public IP addresses of your server running Maddy.

# dig MX example.org
;; ANSWER SECTION:
example.org. 3364 IN	MX	0 mx1.example.org.
# dig A mx1.example.org
;; ANSWER SECTION:
mx1.example.org.	3392 IN	A	8.8.8.8
# dig AAAA mx1.example.org
;; ANSWER SECTION:
mx1.example.org.	3364 IN	AAAA	2001:db8:85a3:8d3:1319:8a2e:370:7348

Consult your domain provider on how to configure these records.

Another record, the SPF TXT record, should also be present; it states that only the servers listed in the MX record are allowed to send mail for this domain.

# dig TXT example.org
;; ANSWER SECTION:
example.org. 3600 IN	TXT	"v=spf1 mx ~all"
# dig TXT mx1.example.org
;; ANSWER SECTION:
mx1.example.org. 3600 IN	TXT	"v=spf1 mx ~all"
# dig TXT _dmarc.example.org
;; ANSWER SECTION:
_dmarc.example.org. 3600	IN TXT	"v=DMARC1; p=quarantine; ruf=mailto:postmaster@example.org"
# dig TXT _mta-sts.example.org
;; ANSWER SECTION:
_mta-sts.example.org.   TXT    "v=STSv1; id=1"
# dig TXT _smtp._tls.example.org
;; ANSWER SECTION:
_smtp._tls.example.org. TXT    "v=TLSRPTv1;rua=mailto:postmaster@example.org"

With the DMARC record we set a permissive policy (quarantine rather than reject) and request failure reports (ruf) for messages that fail the DMARC check. The last two entries mark the domain as MTA-STS capable and enable TLS reporting (TLSRPT); note that the MTA-STS TXT record only advertises the policy, the policy file itself must additionally be served over HTTPS on the mta-sts subdomain.

The following entry is used by the DKIM authentication mechanism, which enables recipients to verify the authenticity of mail sent by your server. Create the DNS record from the value in the file Maddy generated on first startup, /var/lib/maddy/dkim_keys/example.org_default.dns.

# dig TXT default._domainkey.example.org
;; ANSWER SECTION:
default._domainkey.example.org. TXT   "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="

Managing users and inboxes

Create credentials and an inbox for a specific account. The first command creates the user postmaster@example.org and prompts for a password; the second creates the IMAP mailbox for that user.

# maddyctl creds create postmaster@example.org
# maddyctl imap-acct create postmaster@example.org

Spam filtering

You can enable and use the rspamd spam filtering daemon:

/etc/nixos/configuration.nix
services.rspamd.enable = true;

Add the following check block to your Maddy configuration at the beginning of the msgpipeline local_routing section, as referenced in the default config.

msgpipeline local_routing {

  check {
    rspamd
  }

  [...]
}

Autoconfig

You can run an additional web service which provides autoconfig files for various mail clients like Thunderbird, iOS Mail or Outlook, so you don't have to enter your server settings into these apps manually. In this example, we tell the clients that our mail server is running on the domain example.org and which IMAP/SMTP ports to use.

/etc/nixos/configuration.nix
services.go-autoconfig = {
  enable = true;
  domain = "autoconfig.example.org";
  imap = {
    server = "example.org";
    port = 993;
  };
  smtp = {
    server = "example.org";
    port = 587;
  };
};

After that, the autoconfig service (based on the program go-autoconfig) listens on http://localhost:1323 and serves the configuration information used by the clients.

You can use your preferred web server, for example Caddy, to proxy this service to an outward-facing domain like https://autoconfig.example.org.

/etc/nixos/configuration.nix
services.caddy = {
  enable = true;
  virtualHosts."autoconfig.example.org".extraConfig = ''
    reverse_proxy http://localhost:1323
  '';
};

You need a DNS SRV record called _autodiscover._tcp.example.org on example.org to get Outlook and Thunderbird working:

# dig SRV _autodiscover._tcp.example.org
;; ANSWER SECTION:
_autodiscover._tcp.example.org 3600 IN SRV 0 0 443 autoconfig.example.org

Of course, the autoconfig.example.org domain should point to your server running the TLS-enabled web service.
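As an added example (not part of the wiki page or of Maddy), the following Python checker verifies that every DNS record this page asks for is present and well-formed: the MX record and an A/AAAA record for each MX host, SPF, a DMARC record with a p= policy, MTA-STS, TLSRPT, an ed25519 DKIM key under the default selector (DNS records section), and the autodiscover SRV record on port 443 (Autoconfig section). It parses answer lines in the shape dig prints in its ANSWER SECTION; the page's own sample answers are embedded as constructed input, and the owner names are assumed to follow the layout shown above.

```python
import base64
import re
# Constructed sample input: the answer lines of the dig queries shown on this page, one record per line.
SAMPLE_ANSWERS = """
example.org. 3364 IN MX 0 mx1.example.org.
mx1.example.org. 3392 IN A 8.8.8.8
mx1.example.org. 3364 IN AAAA 2001:db8:85a3:8d3:1319:8a2e:370:7348
example.org. 3600 IN TXT "v=spf1 mx ~all"
_dmarc.example.org. 3600 IN TXT "v=DMARC1; p=quarantine; ruf=mailto:postmaster@example.org"
_mta-sts.example.org. TXT "v=STSv1; id=1"
_smtp._tls.example.org. TXT "v=TLSRPTv1;rua=mailto:postmaster@example.org"
default._domainkey.example.org. TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="
_autodiscover._tcp.example.org 3600 IN SRV 0 0 443 autoconfig.example.org
"""
# owner, optional TTL, optional class, rrtype, rdata: the shape of a dig ANSWER SECTION line
LINE_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$")
REQUIRED_TXT = (  # (owner prefix, pattern the TXT record must match, label reported when missing)
    ("", r"^v=spf1\b", "SPF"), ("_mta-sts.", r"^v=STSv1\b", "MTA-STS"),
    ("_smtp._tls.", r"^v=TLSRPTv1\b", "TLSRPT"),
    ("_dmarc.", r"^v=DMARC1;.*\bp=(none|quarantine|reject)\b", "DMARC policy"),
)

def parse_answers(text):
    """Map (owner, rrtype) -> [rdata, ...]; owners are lower-cased with the trailing dot dropped."""
    records = {}
    for m in filter(None, (LINE_RE.match(line.strip()) for line in text.strip().splitlines())):
        key = (m.group(1).rstrip(".").lower(), m.group(2))
        records.setdefault(key, []).append(m.group(3).strip().strip('"'))
    return records

def ed25519_key_ok(txt):
    """True if a DKIM TXT record carries an ed25519 key (the type Maddy generates) of exactly 32 bytes."""
    m = re.search(r"^v=DKIM1;.*\bk=ed25519\b.*\bp=([A-Za-z0-9+/=]+)", txt)
    try:
        return bool(m) and len(base64.b64decode(m.group(1), validate=True)) == 32
    except ValueError:  # malformed base64 in the p= tag
        return False

def check_mail_dns(records, domain, selector="default"):
    """Return labels of the records from this page that are missing or malformed for `domain`."""
    mx_hosts = [rd.split()[1].rstrip(".") for rd in records.get((domain, "MX"), [])]
    problems = [] if mx_hosts else ["MX"]
    problems += [f"A/AAAA for {h}" for h in mx_hosts if not (records.get((h, "A")) or records.get((h, "AAAA")))]
    problems += [label for prefix, pattern, label in REQUIRED_TXT
                 if not any(re.search(pattern, t) for t in records.get((prefix + domain, "TXT"), []))]
    if not any(ed25519_key_ok(t) for t in records.get((f"{selector}._domainkey.{domain}", "TXT"), [])):
        problems.append(f"DKIM key for selector {selector}")
    if not any(rd.split()[2] == "443" for rd in records.get(("_autodiscover._tcp." + domain, "SRV"), [])):  # rdata: prio weight port target
        problems.append("autodiscover SRV on port 443")
    return problems
```

Paste the ANSWER SECTION lines of your own dig queries into parse_answers() and run check_mail_dns() on the result; an empty list means nothing this page asks for is missing.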