User Tools

Site Tools



Name Mail
Ports 993, 587, 143, 465, 25 (tcp)
View in NetBox.

Sends and receives email.

If not used to the jumble of services used for mail, ISPMail is a good explanation, although we use a slightly different setup outlined below.

When receiving:

  1. Postfix receives an incoming SMTP connection
  2. Postfix queries LDAP to find the user/alias for the address.
  3. Postfix checks it with rspamd
  4. If rspamd decides we should deliver it, we pass it to dovecot through LMTP
  5. Dovecot queries LDAP again and places it in the user's mailbox
  6. The user then uses their MUA to access their mailbox through dovecot (over IMAP)

When sending:

  1. Postfix receives an SMTP connection on port 587
  2. The user authenticates, which postfix asks dovecot for help with
    1. Dovecot uses bind authentication against our LDAP
  3. Postfix cleans up the headers and passes it to OpenDKIM to do signing
  4. Postfix sends the signed message to wherever it needs to go

Data directories

  • /var/lib/mail, which is ceph share maildirs mounted over NFS.

Configuration locations

Managed declaratively using Nix.

Adding a custom domain


  1. Set the MX of the domain to
  2. Add the new domain to the virtual_mailbox_domains list here and redeploy
  3. Add mail attributes to the user that wants to use them. Please have at least postmaster, abuse, and admin @ your domain.
  4. Send a test email to one of the new emails. You should see a directory created in /var/lib/mail/<domain>
  5. This folder needs its permissions fixed, so run chown 5000:65534 /var/lib/mail/<domain> and chmod 00771 /var/lib/mail/<domain>
    • This happens because dovecot creates the initial directory as belonging to whatever user first received mail, which will break as soon as any other user tries to use it, including dovecot's internal users
  6. Login to IMAP or Webmail using your new email address (with domain), and your regular Tardis password.


  1. Do everything for receiving above
  2. Add an SPF record: A TXT Record at root with valuev=spf1 -all
  3. Add a DKIM record: A TXT Record at dkim2._domainkey with value v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdBQ6Y4RwXECU1dQy/LUHDmPPPDjbSPDWdxP+CQDLnQQGLQMNehkBqdHhuBzknJHlvj5CJ7NWFGxO0mcGZo7ojPgDZ718m0W7sBgPyDRq8PU0WCVXD1PBJFfe7+IssTm1s84ba9iHzlUFXVmixMIQPhJaj63gia367xDrr98IFYwIDAQAB
  4. Add a DMARC record: A TXT Record at _dmarc with value v=DMARC1; p=none;; aspf=s;
  5. Add your domain to the opendkim domains list here and redeploy.
  6. Test it. This is meant for newsletters so it will mention some irrelevant stuff, but both SPF and DKIM should pass.

Extra Stuff

If you'd like to have setting autodiscovery work in clients like Outlook and Thunderbird, you can customise this XML and serve it from DOMAIN/.well-known/autoconfig/mail/config-v1.1.xml:

<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="YOUR_DOMAIN">
    <domain>YOUR DOMAIN</domain>
    <displayName>Tardis Project</displayName>
    <incomingServer type="imap">
    <outgoingServer type="smtp">
hosts/virtual_machines/web/mail.txt · Last modified: 2023/08/30 17:55 by tcmal