From 4c8a9eb15ad1e0a1a5d27ec7793584a8bf3a73d0 Mon Sep 17 00:00:00 2001 From: Robin Raymond Date: Mon, 13 Nov 2017 14:59:25 +0100 Subject: [PATCH] add mail server guide --- README.md | 247 +++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 199 insertions(+), 48 deletions(-) diff --git a/README.md b/README.md index be26b02..7a0911f 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ None so far. * rename domain to fqdn, seperate fqdn from domains * multi domain support -### How to Deploy +### Quick Start ```nix { config, pkgs, ... }: @@ -88,7 +88,204 @@ None so far. For a complete list of options, see `default.nix`. -### How to Test + +## How to Set Up a 10/10 Mail Server Guide +Mail servers can be a tricky thing to set up. This guide is supposed to run you +through the most important steps to achieve a 10/10 score on `mail-tester.com`. + +What you need: + + * A server with a public IP (referred to as `server-IP`) + * A Fully Qualified Domain Name (`FQDN`) where your server is reachable. Note + so that other servers can find yours. Common FQDN include `mx.example.com` + (where `example.com` is a domain you own) or `mail.example.com`. The domain + is referred to as `server-domain` (`example.com` in the above example) and + the `FQDN` is referred to by `server-FQDN` (`mx.example.com` above). + * A list of domains you want to your email server to serve. (Note that this + does not have to include `server-domain`, but may of course). These will be + referred to as `domains`. As an example, `domains = [ example1.com, + example2.com ]`. + +### A) Setup server + +The following describes a server setup that is fairly complete. Even though +there are more possible options (see `default.nix`), these should be the most +common ones. + +```nix +{ config, pkgs, ... }: +{ + imports = [ + (builtins.fetchTarball "https://github.com/r-raymond/nixos-mailserver/releases/tag/v2.0-rc1") + ]; + + mailserver = { + enable = true; + fqdn = ; + domains = [ ]; + + # A list of all login accounts. To create the password hashes, use + # mkpasswd -m sha-512 "super secret password" + loginAccounts = { + "user1@example.com" = { + hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/"; + }; + + "user2@example.com" = { ... }; + }; + + # Virtual aliases. These are email addresses that are forwarded to + # loginAccounts addresses. + virtualAliases = { + # address = forward address; + "info@example.com" = "user1@example.com"; + "postmaster@example.com" = "user1@example.com"; + "abuse@example.com" = "user1@example.com"; + "user1@example2.com" = "user1@example.com"; + }; + }; + + # User Let's Encrypt certificates + certificateScheme = 3; + + # Enable IMAP and POP3 + enableImap = true; + enablePop3 = true; + enableImapSsl = true; + enablePop3Ssl = true; + + # whether to scan inbound emails for viruses (note that this requires at least + # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) + virusScanning = false; +} +``` + +After a `nixos-rebuild switch --upgrade` your sever should be good to go. If +you want to use `nixops` to deploy the server, look in the subfolder `nixops` +for some inspiration. + + +### B) Setup everything else + +#### Step 1: Set DNS entry for server + +Add a DNS record to the domain `server-domain` with the following entries + +| Name (Subdomain) | TTL | Type | Priority | Value | +| ---------------- | ----- | ---- | -------- | ----------------- | +| `server-FQDN` | 10800 | A | | `server-IP` | + +This resolved DNS equries for `server-FQDN` to `server-IP`. You can test if your +setting is correct by + +``` +ping +64 bytes from (): icmp_seq=1 ttl=46 time=21.3 ms +... +``` + +Note that it can take a while until a DNS entry is propagated. + +#### Step 2: Set rDNS (reverse DNS) entry for server +Wherever you have rented your server, you should be able to set reverse DNS +entries for the IP's you own. Add an entry resolving `server-IP` to +`server-FQDN` + +You can test if your setting is correct by + +``` +host +.in-addr.arpa domain name pointer . +``` + +Note that it can take a while until a DNS entry is propagated. + +#### Step 3: Set `MX` Records + +For all `domain` in `domains` do: + * Add a `MX` record to the domain `domain` + + | Name (Subdomain) | TTL | Type | Priority | Value | + | ---------------- | ----- | ---- | -------- | ----------------- | + | `domain` | | MX | 10 | `server-FQDN` | + +You can test this via +``` +dig -t TXT + +... +;; ANSWER SECTION: + 10800 IN MX 10 +... +``` + +Note that it can take a while until a DNS entry is propagated. + +#### Step 4: Set `SPF` Records + +For all `domain` in `domains` do: + * Add a `SPF` record to the domain `domain` + + | Name (Subdomain) | TTL | Type | Priority | Value | + | ---------------- | ----- | ---- | -------- | ----------------- | + | `domain` | 10800 | TXT | | `v=spf1 ip4: -all` | + +You can check this with `dig -t TXT ` similar to the last section. + +Note that it can take a while until a DNS entry is propagated. If you want to +use multiple servers for your email handling, don't forget to add all server +IP's to this list. + +#### Step 5: Set `DKIM` signature + +For all `domain` in `domains` do: + * Go to your server and navigate to the dkim key directory (by default + `/var/dkim`. There you will find a public key for any domain in the + `domain.txt` file. It will look like + ``` + mail._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=" ; ----- DKIM default for domain.tld + ``` + * Add a `DKIM` record to the domain `domain` + + | Name (Subdomain) | TTL | Type | Priority | Value | + | ---------------- | ----- | ---- | -------- | ----------------- | + | mail._domainkey.`domain` | 10800 | TXT | | `v=DKIM1; p=` | + + +You can check this with `dig -t TXT ` similar to the last section. + +Note that it can take a while until a DNS entry is propagated. + + +### C) Test your Setup + +Write an email to your aunt (who has been waiting for your reply far too long), +and sign up for some of the finest newsletters the Internet has. + +Besides that, you can send an email to `mail-tester.com` and see how you score, +and let `http://mxtoolbox.com/` take a look at your setup, but if you followed +the steps closely then everything should be awesome! + + +## How to Backup + +This is really easy. First off you should have a backup of your +`configuration.nix` file where you have the server config (but that is already +in a git repository right?) + +Next you need to backup `/var/vmail` or whatever you have specified for the +option `mailDirectory`. This is where all the mails reside. Good options are a +cron job with `rsync` or `scp`. But really anything works, as it is simply a +folder with plenty of files in it. If your backup solution does not preserve the +owner of the files don't forget to `chown` them to `virtualMail:virtualMail` if you copy +them back (or whatever you specified as `vmailUserName`, and `vmailGoupName`). + +Finally you can (optionally) make a backup of `/var/dkim` (or whatever you +specified as `dkimKeyDirectory`). If you should lose those don't worry, new ones +will be created on the fly. But you will need to repeat step `B)5` and correct +all the `dkim` keys. + +## How to Test for Development You can test the setup via `nixops`. After installation, do @@ -111,52 +308,6 @@ openssl s_client -host mail.example.com -port 143 -starttls imap ``` -## How to Set Up a 10/10 Mail Server -Mail servers can be a tricky thing to set up. This guide is supposed to run you -through the most important steps to achieve a 10/10 score on `mail-tester.com`. - -### Fully Qualified Domain Name -No matter how many domains you want to serve on your mail server, you need to -settle on a _Fully Qualified Domain Name_ (FQDN) where your server is reachable, -so that other servers can find yours. Common FQDN include `mx.example.com` -(where `example.com` is a domain you own) or `mail.example.com`. - -After you settled on a FQDN (we will assume `mx.example.com` henceforth) you -need to - * Set a DNS entry on your domain to point to the IP of the server. For this - add a DNS record such as - - | Name (Subdomain) | TTL | Type | Priority | Value | - | ---------------- | ----- | ---- | -------- | ----------------- | - | mx.example.com | 10800 | A | | `xxx.xxx.xxx.xxx` | - - to your domain, where `xxx.xxx.xxx.xxx` is the IP of your server. - - * Set a `rDNS` (reverse DNS) entry for your FQDN. You need to do so wherever - you have rented your server. Make sure that `xxx.xxx.xxx.xxx` resolves to - `mx.example.com`. - - -### MX Record - -| Name (Subdomain) | TTL | Type | Priority | Value | -| ---------------- | ----- | ---- | -------- | ----------------- | -| domain1.com | | MX | 10 | mx.exmaple.com | - -### Spf record - -| Name (Subdomain) | TTL | Type | Priority | Value | -| ---------------- | ----- | ---- | -------- | ----------------- | -| domain1.com | 10800 | TXT | | `v=spf1 ip4:xxx.xxx.xxx.xxx -all` | - -### DKIM signature - -| Name (Subdomain) | TTL | Type | Priority | Value | -| ---------------- | ----- | ---- | -------- | ----------------- | -| dkim._domainkey.domain1.com | 10800 | TXT | | `v=DKIM1; p=yyyyyyyyyyyy` | - -where `yyyyyyyyyyyy` is the `DKIM` signature - ## A Complete Mail Server Without Moving Parts ### Used Technologies