hosts:virtual_machines:web:mail [2023/02/21 01:32] – removed - external edit (Unknown date) 127.0.0.1
hosts:virtual_machines:web:mail [2023/08/30 17:55] (current) – [Configuration locations] tcmal
[[meta:autogen:start|​]]
===== Mail =====
^ Name | Mail |
^ Ports | 993, 587, 143, 465, 25 (tcp) |
^  | [[https://netbox.tardisproject.uk/ipam/services/10/|View in NetBox.]] |
[[meta:autogen:end|​]]
  
Sends and receives email.

If you're not used to the jumble of services involved in running mail, [[https://workaround.org/ispmail|ISPMail]] is a good explanation, although we use a slightly different setup, outlined below.

When receiving:

  - Postfix receives an incoming SMTP connection.
  - Postfix queries [[hosts:virtual_machines:enclave:ldap|LDAP]] to find the user or alias for the recipient address.
  - Postfix checks the message with rspamd.
  - If rspamd decides we should deliver it, Postfix passes it to Dovecot over LMTP.
  - Dovecot queries [[hosts:virtual_machines:enclave:ldap|LDAP]] again and places the message in the user's mailbox.
  - The user then accesses their mailbox through Dovecot with their MUA (over IMAP).

When sending:

  - Postfix receives an SMTP connection on port 587.
  - The user authenticates; Postfix delegates the authentication to Dovecot.
    - Dovecot uses bind authentication against our [[hosts:virtual_machines:enclave:ldap|LDAP]].
  - Postfix cleans up the headers and passes the message to OpenDKIM for signing.
  - Postfix sends the signed message on to wherever it needs to go.

===== Data directories =====

  * ''/var/lib/mail'', which is the ceph share ''maildirs'' mounted over NFS.

===== Configuration locations =====

Managed declaratively using [[https://git.tardisproject.uk/tardis/nix/-/tree/main/profiles/email|Nix]].

===== Adding a custom domain =====

==== Receiving ====

  - Set the MX record of the domain to ''mail.tardisproject.uk''.
  - Add the new domain to the ''virtual_mailbox_domains'' list [[https://git.tardisproject.uk/tardis/nix/-/blob/main/profiles/services/email/postfix.nix#L45|here]] and redeploy.
  - Add ''mail'' attributes to the users that want to use the domain. Please have at least postmaster, abuse, and admin @ your domain.
  - Send a test email to one of the new addresses. You should see a directory created at ''/var/lib/mail/<domain>''.
  - This directory needs its permissions fixed, so run ''chown 5000:65534 /var/lib/mail/<domain>'' and ''chmod 00771 /var/lib/mail/<domain>''.
    * This is necessary because Dovecot creates the initial directory as owned by whichever user first received mail there, which breaks as soon as any other user tries to use it, including Dovecot's internal users.
  - Log in to IMAP or webmail using your new email address (with the domain) and your regular Tardis password.

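The ownership fix in the last steps above is easy to forget for a second or third domain, so here is an added example (not part of this wiki page or the Tardis Nix configuration) that audits every per-domain directory under the maildir root against the uid, gid and mode the page says Dovecot needs, and can apply the same chown/chmod. The mail root path and the meaning of uid 5000 / gid 65534 are taken straight from the page's commands; the helper names are my own.

```python
import os
import stat

# Ownership and mode from the page's fix: chown 5000:65534 and chmod 00771
# on /var/lib/mail/<domain>. No other meaning is assumed for these ids.
MAIL_UID = 5000
MAIL_GID = 65534
MAIL_MODE = 0o771


def audit_maildir_perms(st_uid, st_gid, st_mode):
    """Compare one directory's owner, group and mode with what the page requires.

    Pure function over stat fields so it can be checked without touching a real
    maildir; returns a list of human-readable problems (empty means correct).
    """
    problems = []
    if st_uid != MAIL_UID:
        problems.append(f"uid {st_uid}, expected {MAIL_UID}")
    if st_gid != MAIL_GID:
        problems.append(f"gid {st_gid}, expected {MAIL_GID}")
    mode = stat.S_IMODE(st_mode)          # strip the file-type bits, keep rwx/setuid/sticky
    if mode != MAIL_MODE:
        problems.append(f"mode {mode:04o}, expected {MAIL_MODE:04o}")
    return problems


def audit_path(path):
    """Stat a real directory and audit it."""
    st = os.stat(path)
    return audit_maildir_perms(st.st_uid, st.st_gid, st.st_mode)


def audit_domain_dirs(mail_root):
    """Audit each per-domain directory directly under mail_root (e.g. /var/lib/mail).

    Returns {directory: problems} for the directories that need fixing.
    """
    report = {}
    for name in sorted(os.listdir(mail_root)):
        path = os.path.join(mail_root, name)
        if os.path.isdir(path):
            problems = audit_path(path)
            if problems:
                report[path] = problems
    return report


def fix_path(path):
    """Apply the page's chown/chmod to one directory (needs root, as the manual fix does)."""
    os.chown(path, MAIL_UID, MAIL_GID)
    os.chmod(path, MAIL_MODE)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/mail"
    for path, problems in audit_domain_dirs(root).items():
        print(f"{path}: {'; '.join(problems)}")
```

Run it as root on the mail host with no arguments to list directories that still carry the first recipient's ownership; `fix_path` is deliberately separate so the audit itself is read-only.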
==== Sending ====

  - Do everything for receiving above.
  - Add an SPF record: a TXT record at the root with value ''v=spf1 a:mail.tardisproject.uk -all''.
  - Add a DKIM record: a TXT record at ''dkim2._domainkey'' with value ''v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdBQ6Y4RwXECU1dQy/LUHDmPPPDjbSPDWdxP+CQDLnQQGLQMNehkBqdHhuBzknJHlvj5CJ7NWFGxO0mcGZo7ojPgDZ718m0W7sBgPyDRq8PU0WCVXD1PBJFfe7+IssTm1s84ba9iHzlUFXVmixMIQPhJaj63gia367xDrr98IFYwIDAQAB''.
  - Add a DMARC record: a TXT record at ''_dmarc'' with value ''v=DMARC1; p=none; rua=mailto:dmarc@tardisproject.uk; aspf=s;''.
  - Add your domain to the OpenDKIM domains list [[https://git.tardisproject.uk/tardis/nix/-/blob/main/profiles/services/email/opendkim.nix#L13|here]] and redeploy.
  - [[https://www.mail-tester.com/|Test it]]. That tool is meant for newsletters, so it will mention some irrelevant things, but both SPF and DKIM should pass.

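Before turning to mail-tester, it is worth checking the three TXT values offline, because a typo in any of them silently weakens the policy (a missing ''-all'', a truncated key, a DMARC tag in the wrong order). The script below is an added example, not part of this page or the Tardis configuration: it parses the exact record values given above (pasted in as constructed strings, so no DNS lookup is made) and checks the shape each step requires. For the DKIM record it base64-decodes the ''p='' value and walks the DER SubjectPublicKeyInfo by hand to confirm it is an RSA key and report the modulus size; the 1024-bit minimum it enforces is RFC 8301's requirement. Function names and the problem messages are mine.

```python
import base64

# Constructed inputs: the TXT record values this page tells you to publish, as strings.
SPF_RECORD = "v=spf1 a:mail.tardisproject.uk -all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdBQ6Y4RwXECU1dQy/LUHDmPPPDjbSPDWdxP+CQDLnQQGLQMNehkBqdHhuBzknJHlvj5CJ7NWFGxO0mcGZo7ojPgDZ718m0W7sBgPyDRq8PU0WCVXD1PBJFfe7+IssTm1s84ba9iHzlUFXVmixMIQPhJaj63gia367xDrr98IFYwIDAQAB"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@tardisproject.uk; aspf=s;"
MAIL_HOST = "mail.tardisproject.uk"
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, rsaEncryption


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM and DMARC syntax) into a dict, keeping order."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def der_read(buf, offset):
    """Read one DER TLV at offset; returns (tag, value bytes, offset after the element)."""
    tag, length = buf[offset], buf[offset + 1]
    offset += 2
    if length & 0x80:                         # long form: low 7 bits give the length-of-length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, buf[offset:offset + length], offset + length


def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo blob, which is what a DKIM p= tag carries."""
    tag, spki, _ = der_read(spki_der, 0)              # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, after_alg = der_read(spki, 0)             # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_read(alg, 0)                      # its OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("p= is not an rsaEncryption key")
    tag, bitstring, _ = der_read(spki, after_alg)     # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING after the algorithm")
    _, rsa_pub, _ = der_read(bitstring[1:], 0)        # skip the unused-bits byte
    _, modulus, _ = der_read(rsa_pub, 0)              # INTEGER n (first element)
    return int.from_bytes(modulus, "big").bit_length()


def check_spf(record, mail_host):
    """Problems with an SPF record for a domain whose only outbound host is mail_host."""
    terms = record.split()
    problems = []
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("SPF must start with v=spf1")
    if f"a:{mail_host}" not in terms:
        problems.append(f"SPF does not authorise a:{mail_host}")
    if terms[-1:] != ["-all"]:
        problems.append("SPF should end with -all so unlisted senders hard-fail")
    return problems


def check_dkim(record):
    """Problems with a DKIM TXT record, plus the RSA key size in bits (0 if unparseable)."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":             # v= is optional but must be DKIM1 if present
        problems.append("DKIM v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("DKIM k= must be rsa for this key")
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags.get("p", ""), validate=True))
    except (ValueError, IndexError) as exc:           # binascii.Error is a ValueError
        problems.append(f"DKIM p= is not a valid RSA public key: {exc}")
        return problems, 0
    if bits < 1024:
        problems.append(f"DKIM key is {bits} bits; RFC 8301 requires at least 1024")
    return problems, bits


def check_dmarc(record):
    """Problems with a DMARC TXT record (v= must come first, p= is mandatory)."""
    tags = parse_tags(record)
    problems = []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("DMARC must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC p= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("DMARC rua= should be a mailto: URI so aggregate reports arrive")
    if tags.get("aspf", "r") not in ("r", "s"):
        problems.append("DMARC aspf= must be r (relaxed) or s (strict)")
    return problems


if __name__ == "__main__":
    print("SPF:", check_spf(SPF_RECORD, MAIL_HOST) or "ok")
    dkim_problems, key_bits = check_dkim(DKIM_RECORD)
    print(f"DKIM ({key_bits}-bit RSA key):", dkim_problems or "ok")
    print("DMARC:", check_dmarc(DMARC_RECORD) or "ok")
```

To check what is actually published rather than what you meant to publish, paste the output of ''dig +short TXT dkim2._domainkey.<domain>'' (joined, quotes removed) into the same functions; the page's ''aspf=s'' means the SPF-authenticated domain must match the From: domain exactly, which is why the MX and SPF steps both point at the same host.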

==== Extra Stuff ====

If you'd like settings autodiscovery to work in clients like Outlook and Thunderbird, you can customise this XML and serve it from ''DOMAIN/.well-known/autoconfig/mail/config-v1.1.xml'':

<code xml>
<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="YOUR_DOMAIN">
    <domain>YOUR_DOMAIN</domain>
    <displayName>Tardis Project</displayName>
    <displayShortName>Tardis</displayShortName>
    <incomingServer type="imap">
      <hostname>mail.tardisproject.uk</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.tardisproject.uk</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
</code>
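The autoconfig file is worth validating before you publish it, because a client will happily follow whatever it says: ''password-cleartext'' is only acceptable here because both servers are declared with STARTTLS, and a copy-paste slip that leaves the id and ''<domain>'' out of step makes clients ignore the file. The following Python is an added example (not part of this page or the Tardis configuration) that fills the placeholders in the template above for a domain, parses the result with the standard library, and checks the port/socket pairings against the ports listed at the top of this page. The domain ''example.org'' is a constructed value; function names are mine.

```python
import xml.etree.ElementTree as ET

# The page's template, with one placeholder for both the id attribute and <domain>.
AUTOCONFIG_TEMPLATE = """<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="YOUR_DOMAIN">
    <domain>YOUR_DOMAIN</domain>
    <displayName>Tardis Project</displayName>
    <displayShortName>Tardis</displayShortName>
    <incomingServer type="imap">
      <hostname>mail.tardisproject.uk</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.tardisproject.uk</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""
MAIL_HOST = "mail.tardisproject.uk"
# Which socketType each listed port must use; 143/587 are STARTTLS, 993/465 are implicit TLS.
EXPECTED_SOCKET = {("imap", 143): "STARTTLS", ("imap", 993): "SSL",
                   ("smtp", 587): "STARTTLS", ("smtp", 465): "SSL"}


def render_autoconfig(domain):
    """Fill the template for one custom domain (the 'customise this XML' step)."""
    return AUTOCONFIG_TEMPLATE.replace("YOUR_DOMAIN", domain)


def parse_autoconfig(xml_text):
    """Extract the provider id, domains and server entries from an autoconfig document."""
    root = ET.fromstring(xml_text)
    provider = root.find("emailProvider")
    if provider is None:
        raise ValueError("no <emailProvider> element")
    servers = []
    for role in ("incomingServer", "outgoingServer"):
        for srv in provider.findall(role):
            servers.append({
                "role": role,
                "type": srv.get("type"),
                "hostname": srv.findtext("hostname"),
                "port": int(srv.findtext("port")),
                "socket": srv.findtext("socketType"),
                "auth": srv.findtext("authentication"),
            })
    return {"id": provider.get("id"),
            "domains": [d.text for d in provider.findall("domain")],
            "servers": servers}


def check_autoconfig(xml_text, expected_domain, mail_host=MAIL_HOST):
    """Return a list of problems; empty means the file is consistent and uses TLS everywhere."""
    cfg = parse_autoconfig(xml_text)
    problems = []
    if cfg["id"] != expected_domain:
        problems.append(f"emailProvider id is {cfg['id']!r}, expected {expected_domain!r}")
    if expected_domain not in cfg["domains"]:
        problems.append(f"<domain> entries {cfg['domains']} do not include {expected_domain!r}")
    if not cfg["servers"]:
        problems.append("no incoming or outgoing server declared")
    for s in cfg["servers"]:
        where = f"{s['role']} ({s['type']}:{s['port']})"
        if s["hostname"] != mail_host:
            problems.append(f"{where} points at {s['hostname']!r}, expected {mail_host!r}")
        # A cleartext password mechanism is only safe inside a TLS session.
        if s["auth"] == "password-cleartext" and s["socket"] not in ("SSL", "STARTTLS"):
            problems.append(f"{where} sends a cleartext password over socketType {s['socket']!r}")
        want = EXPECTED_SOCKET.get((s["type"], s["port"]))
        if want and s["socket"] != want:
            problems.append(f"{where} should use socketType {want}, not {s['socket']!r}")
    return problems


if __name__ == "__main__":
    doc = render_autoconfig("example.org")
    print(check_autoconfig(doc, "example.org") or "autoconfig ok")
```

Serve the rendered document at the ''.well-known'' path given above and run ''check_autoconfig'' over what the web server actually returns, since that is the copy clients will trust.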