Maddy: Difference between revisions
imported>Onny Update autoconfig DNS record example |
imported>Onny Add instructions how to setup DANE |
||
Line 66: | Line 66: | ||
Now that your server also runs a DNS daemon besides the mail server, you have to configure it as the external nameserver of your domain <code>example.org</code>. Please consult your domain provider on how to do that. | Now that your server also runs a DNS daemon besides the mail server, you have to configure it as the external nameserver of your domain <code>example.org</code>. Please consult your domain provider on how to do that. | ||
=== MTA-STS === | === MTA-STS & DANE === | ||
MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can [[Category:Web_Servers use others too]]. | MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server [[Caddy]] to do this but of course you can [[Category:Web_Servers use others too]]. | ||
Line 92: | Line 92: | ||
Replace the domain <code>mta-sts.example.org</code> and the domain <code>mx1.example.org</code> with the ones you're using. | Replace the domain <code>mta-sts.example.org</code> and the domain <code>mx1.example.org</code> with the ones you're using. | ||
Using a TLSA (DANE) record is recommended to bind TLS-certificates to a server. You can generate the key using following command | |||
<syntaxhighlight lang="console"> | |||
nix shell nixpkgs#hash-slinger --command tlsa --create faecherstadt-consulting.de | |||
</syntaxhighlight> | |||
Your nameserver needs DNSSEC support for it. Add the key to a new TLSA record in your nameserver | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
services.nsd.zones."example.org.".data = '' | |||
[...] | |||
_25._tcp.mx1.example.org. TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96e3498238 | |||
''; | |||
</nowiki>}} | |||
=== Managing users and inboxes === | === Managing users and inboxes === |
Revision as of 17:52, 16 August 2022
Maddy is a composable, modern mail server written in Go. It includes everything required to manage users, inboxes, send and receive mails while supporting all important secure protocols and standards.
Installation
The following example enables the Maddy mail server listening on mail delivery SMTP/Submission ports (25, 587
) and IMAP/IMAPS ports (143/993
) for mail clients to connect to. The server is configured to send and receive mails for the primary domain example.org
.
/etc/nixos/configuration.nix
services.maddy = {
enable = true;
openFirewall = true;
primaryDomain = "example.org";
tls = {
certPath = /var/lib/acme/example.org/example.org.crt;
keyPath = /var/lib/acme/example.org/example.org.key;
};
imap = {
port = 143;
tlsEnable = true;
tlsPort = 993;
};
};
TLS certificates can be obtained by using services like certbot or the acme service. Please reference their documentation on how to configure them to acquire the certificates.
Configuration
DNS records
It is possibly easier to configure our own authoritative-only DNS server, which provides important setup information to other mail servers and clients. For details about the meaning of the specific DNS records or manual setup instructions see the Maddy setup tutorial.
/etc/nixos/configuration.nix
services.nsd = {
enable = true;
interfaces = [
"0.0.0.0"
"::"
];
zones."example.org.".data = let
domainkey = ''
v=DKIM1; k=rsa; p=${
lib.fileContents( /var/lib/maddy/dkim_keys/example.org_default.dns )}'';
segments = ((lib.stringLength domainkey) / 255);
domainkeySplitted = map (x: lib.substring (x*255) 255 domainkey) (lib.range 0 segments);
in ''
@ SOA ns.example.org noc.example.org 666 7200 3600 1209600 3600
@ A 1.2.3.4
@ AAAA abcd::eeff
@ MX 10 mx1
mx1 A 1.2.3.4
mx1 AAAA abcd::eeff
@ TXT "v=spf1 mx ~all"
mx1 TXT "v=spf1 mx ~all"
_dmarc TXT "v=DMARC1; p=quarantine; ruf=mailto:postmaster@example.org
_mta-sts TXT "v=STSv1; id=1"
_smtp._tls TXT "v=TLSRPTv1;rua=mailto:postmaster@example.org"
default._domainkey TXT "${lib.concatStringsSep "\" \"" domainkeySplitted}"
'';
};
Update the IPv4 and IPv6 addresses after A
and AAAA
to the one which points to the publc IP addresses of your mail server. The last entry is used by the DKIM
authentication mechanism which enables recipients to verify the authenticity of mails send by your server. They key is read from the file generated by Maddy on the first startup at /var/lib/maddy/dkim_keys/example.org_default.dns
and spitted in segments of 255 chars length to fulfill the DNS record requirements.
Now that your server also runs a DNS daemon besides the mail server, you have to configure it as the external nameserver of your domain example.org
. Please consult your domain provider on how to do that.
MTA-STS & DANE
MTA-STS enforces secure TLS configuration for servers which support this standard. We already advertised this feature in the DNS records above, but we also have to serve a static configuration file using a web server. We use the web server Caddy to do this but of course you can .
/etc/nixos/configuration.nix
caddy = {
enable = true;
virtualHosts."mta-sts.example.org".extraConfig = ''
encode gzip
file_server
root * ${
pkgs.runCommand "testdir" {} ''
mkdir -p "$out/.well-known"
echo "
version: STSv1
mode: enforce
max_age: 604800
mx: mx1.example.org
" > "$out/.well-known/mta-sts.txt"
''
}
'';
};
Replace the domain mta-sts.example.org
and the domain mx1.example.org
with the ones you're using.
Using a TLSA (DANE) record is recommended to bind TLS-certificates to a server. You can generate the key using following command
nix shell nixpkgs#hash-slinger --command tlsa --create faecherstadt-consulting.de
Your nameserver needs DNSSEC support for it. Add the key to a new TLSA record in your nameserver
/etc/nixos/configuration.nix
services.nsd.zones."example.org.".data = ''
[...]
_25._tcp.mx1.example.org. TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96e3498238
'';
Managing users and inboxes
Creating credentials and inboxes for a specific account. The first command creates the user postmaster@example.org
and will prompt for a password.
# maddyctl creds create postmaster@example.org
# maddyctl imap-acct create postmaster@example.org
Spam filtering
You can enable and use rspamd spam filtering daemon
/etc/nixos/configuration.nix
services.rspamd.enable = true;
Add following check
part to your Maddy configuration at the beginning of the section msgpipeline local_routing
as referenced by the default config.
msgpipeline local_routing {
check {
rspamd
}
[...]
Autoconfig
Since Maddy does not support this feature yet, you can run an additional web service which provides autoconfig or autodiscover files for various mail clients like Thunderbird, iOS Mail or Outlook, so you don't have to manually configure your server settings into these apps. In this example, we're going to tell the clients, that our mail server is running on the domain example.org
and which IMAP/SMTP ports to use
/etc/nixos/configuration.nix
services.go-autoconfig = {
enable = true;
domain = "autoconfig.example.org";
imap = {
server = "example.org";
port = 993;
};
smtp = {
server = "example.org";
port = 587;
};
};
After that the autoconfig service based on program go-autoconfig will listen on http://localhost:1323 , serving the configuration informations used by the clients.
You can use your preferred web server, for example Caddy to proxy this service to an outside facing domain like https://autoconfig.example.org
/etc/nixos/configuration.nix
caddy = {
enable = true;
virtualHosts."autoconfig.example.org".extraConfig = ''
reverse_proxy http://localhost:1323
'';
};
Further we need to add an additional DNS record to the nsd
service to get Outlook and Thunderbird working:
/etc/nixos/configuration.nix
services.nsd.zones."example.org.".data = ''
[...]
_autodiscover._tcp SRV 0 0 443 autoconfig
'';
Of course autoconfig.example.org domain should point to your server running the SSL enabled web service.