Ports: 993, 587, 143, 465, 25 (tcp)
Sends and receives email.
If you are not used to the jumble of services involved in mail, the ISPMail guide is a good explanation, although we use a slightly different setup, outlined below.
- Postfix receives an incoming SMTP connection
- Postfix queries LDAP to find the user/alias for the address.
- Postfix checks it with rspamd
- If rspamd decides we should deliver it, we pass it to dovecot through LMTP
- Dovecot queries LDAP again and places it in the user's mailbox
- The user then uses their MUA to access their mailbox through dovecot (over IMAP)
- Postfix receives an SMTP connection on port 587 (submission)
- The user authenticates; Postfix asks Dovecot to verify the credentials
- Dovecot uses bind authentication against our LDAP
- Postfix cleans up the headers and passes the message to OpenDKIM for signing
- Postfix sends the signed message to wherever it needs to go
Mailboxes live under /var/lib/mail, which is the ceph share maildirs mounted over NFS.
Managed declaratively using Nix.
Adding a custom domain
- Set the MX of the domain to
- Add the new domain to the virtual_mailbox_domains list here and redeploy
- Send a test email to one of the new emails. You should see a directory created in
- This folder needs its permissions fixed, so run chown 5000:65534 /var/lib/mail/<domain> and chmod 00771 /var/lib/mail/<domain>
- This is needed because Dovecot creates the initial directory as owned by whichever user first received mail, which breaks as soon as any other user tries to use it, including Dovecot's internal users
- Login to IMAP or Webmail using your new email address (with domain), and your regular Tardis password.
- Do everything for receiving above
- Add an SPF record: A TXT Record at root with value v=spf1 a:mail.tardisproject.uk -all
- Add a DKIM record: A TXT Record at
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdBQ6Y4RwXECU1dQy/LUHDmPPPDjbSPDWdxP+CQDLnQQGLQMNehkBqdHhuBzknJHlvj5CJ7NWFGxO0mcGZo7ojPgDZ718m0W7sBgPyDRq8PU0WCVXD1PBJFfe7+IssTm1s84ba9iHzlUFXVmixMIQPhJaj63gia367xDrr98IFYwIDAQAB
- Add a DMARC record: A TXT Record at
v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org; aspf=s;
- Add your domain to the opendkim domains list here and redeploy.
- Test it. This is meant for newsletters so it will mention some irrelevant stuff, but both SPF and DKIM should pass.
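The SPF, DKIM and DMARC values above can be sanity-checked before (or after) they go into DNS. The script below is an added example, not part of this page or the Tardis deployment: it takes the three record strings exactly as given above (the DMARC rua address is the page's placeholder), parses the tag=value records, reads the RSA modulus size out of the DKIM p= key with a minimal DER reader (RSA keys only), and reports the findings a practitioner would want flagged. Run over the page's own values it reports that the DKIM key is 1024 bits (RFC 8301 sets 1024 as the minimum and recommends 2048) and that p=none is monitor-only.

```python
import base64

# Record values copied from this page's DNS instructions; the checks are added here.
SPF_RECORD = "v=spf1 a:mail.tardisproject.uk -all"
DKIM_RECORD = (
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdBQ6Y4RwXECU1dQy/LUHD"
    "mPPPDjbSPDWdxP+CQDLnQQGLQMNehkBqdHhuBzknJHlvj5CJ7NWFGxO0mcGZ"
    "o7ojPgDZ718m0W7sBgPyDRq8PU0WCVXD1PBJFfe7+IssTm1s84ba9iHzlUFX"
    "VmixMIQPhJaj63gia367xDrr98IFYwIDAQAB"
)
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org; aspf=s;"


def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the real length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in a DKIM p= tag."""
    der = base64.b64decode("".join(p_value.split()))  # DNS may split the base64 into strings
    tag, spki, _ = _der_read(der, 0)                      # SubjectPublicKeyInfo SEQUENCE
    _, _algorithm, pos = _der_read(spki, 0)               # AlgorithmIdentifier (rsaEncryption)
    tag, bit_string, _ = _der_read(spki, pos)             # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected SubjectPublicKeyInfo encoding")
    _, rsa_public_key, _ = _der_read(bit_string, 1)       # RSAPublicKey SEQUENCE
    tag, modulus, _ = _der_read(rsa_public_key, 0)        # INTEGER n comes first
    if tag != 0x02:
        raise ValueError("unexpected RSAPublicKey encoding")
    return int.from_bytes(modulus, "big").bit_length()


def audit_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    last = terms[-1].lower()
    if last == "-all":
        return []  # hard fail for unlisted senders, as the page configures
    if last == "~all":
        return ["SPF: ~all is a soft fail; receivers may still accept spoofed mail"]
    if last in ("+all", "?all", "all"):
        return [f"SPF: {last} lets anyone send as this domain"]
    return ["SPF: no terminating 'all' mechanism; unlisted senders evaluate to neutral"]


def audit_dkim(record):
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: unexpected version tag")
    if tags.get("k", "rsa") != "rsa":
        return findings + ["DKIM: only RSA keys are checked here"]
    if not tags.get("p"):
        return findings + ["DKIM: empty p= means the key is revoked; signatures will fail"]
    bits = rsa_modulus_bits(tags["p"])
    if bits < 1024:
        findings.append(f"DKIM: {bits}-bit key is below the RFC 8301 minimum of 1024 bits")
    elif bits < 2048:
        findings.append(f"DKIM: {bits}-bit key; RFC 8301 recommends at least 2048 bits")
    return findings


def audit_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: invalid or missing policy p={policy}")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; mail failing the checks is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings


def audit_records(spf, dkim, dmarc):
    """Audit all three records; an empty list means nothing needs attention."""
    return {"spf": audit_spf(spf), "dkim": audit_dkim(dkim), "dmarc": audit_dmarc(dmarc)}


if __name__ == "__main__":
    for name, found in audit_records(SPF_RECORD, DKIM_RECORD, DMARC_RECORD).items():
        print(name, found or "ok")
```

The DER reader deliberately handles only the layout DKIM RSA keys actually use (SEQUENCE, AlgorithmIdentifier, BIT STRING, RSAPublicKey), so it needs no third-party library; for Ed25519 keys (k=ed25519) the k= check returns early rather than misreading the bytes.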
If you'd like settings autodiscovery to work in clients like Outlook and Thunderbird, you can customise this XML and serve it from
<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="YOUR_DOMAIN">
    <domain>YOUR DOMAIN</domain>
    <displayName>Tardis Project</displayName>
    <displayShortName>Tardis</displayShortName>
    <incomingServer type="imap">
      <hostname>mail.tardisproject.uk</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.tardisproject.uk</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
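Because the autoconfig document tells every client which port and socket type to use, and the authentication method is password-cleartext, it is worth checking a customised copy before serving it. The script below is an added example, not part of this page or the Tardis setup: it parses a copy of the XML above (with the domain placeholders filled in with example.org, a constructed value) and flags any server entry that points at a port the mail host does not expose (the Ports line at the top of this page) or that would send the cleartext password without STARTTLS or SSL.

```python
import xml.etree.ElementTree as ET

# Copy of the autoconfig document from this page; example.org fills the
# YOUR_DOMAIN / YOUR DOMAIN placeholders so the document parses as a client would see it.
AUTOCONFIG_XML = """<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="example.org">
    <domain>example.org</domain>
    <displayName>Tardis Project</displayName>
    <displayShortName>Tardis</displayShortName>
    <incomingServer type="imap">
      <hostname>mail.tardisproject.uk</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.tardisproject.uk</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""

# Ports the mail host exposes, from the Ports line at the top of this page.
EXPOSED_PORTS = {25, 143, 465, 587, 993}
# Socket types under which password-cleartext authentication still travels encrypted.
ENCRYPTED_SOCKETS = {"STARTTLS", "SSL"}


def audit_autoconfig(xml_text):
    """Return a list of problems found in a Thunderbird-style autoconfig document."""
    root = ET.fromstring(xml_text)
    problems = []
    for provider in root.findall("emailProvider"):
        servers = provider.findall("incomingServer") + provider.findall("outgoingServer")
        for server in servers:
            label = f"{server.tag} ({server.get('type')})"
            port = int(server.findtext("port", "0"))
            socket_type = server.findtext("socketType", "plain")
            auth = server.findtext("authentication", "")
            if port not in EXPOSED_PORTS:
                problems.append(f"{label}: port {port} is not one the mail host exposes")
            if socket_type not in ENCRYPTED_SOCKETS:
                problems.append(f"{label}: socketType {socket_type} leaves the session unencrypted")
                if auth == "password-cleartext":
                    problems.append(f"{label}: password-cleartext over {socket_type} exposes the password")
    return problems


if __name__ == "__main__":
    print(audit_autoconfig(AUTOCONFIG_XML) or "autoconfig ok")
```

The check runs on the document as served, so it also catches a customised copy that was edited to a non-exposed port (a client would then silently fail to connect) rather than only the cleartext case.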
hosts/virtual_machines/web/mail.txt · Last modified: 2023/02/23 01:44 by netbox