Tomlab FAQ

Mail server


vmail users

doas groupadd vmail
doas useradd -f vmail vmail
doas mkdir /home/vmail
doas chown vmail:vmail /home/vmail

DNS: MX record

Setup DNS A/MX record

mail.tomlab.jp A 160.251.6.214
tomlab.jp. MX 0 mail.tomlab.jp.
;;tomlab.jp. MX 10 mail-backup.tomlab.jp.

verify the settings by host(1) and dig(1)

host mail.tomlab.jp
dig -t MX tomlab.jp +short

rDNS
- Making myself look all fine

A large nuber of the hosts spamming the world do not have rDNS, do not have FCrDNS, or have an rDNS that matches a dynamically allocated IP pattern.

setup rDNS from provider's control panel.

Verify the records.

host 160.251.6.214
host mail.tomlab.jp

If they match both ways then everything's fine.

DNS:SPF record
- Advertise which machines are allocated to send mail on behalf of my domain


SPF は業界標準のメール認証方式である。
ドメインをなりすましから保護し、送信メールが迷惑メールに分類されないようにする。 SPFの仕様は、 RFC7208で規定されている。

SPF を使用して、ドメインに代わってメールを送信できるメールサーバーを指定する。
ドメインに設定できる SPF レコードは 1 つだけであるが、レコード中にはドメインに代わってメールを送信できるサーバーを複数指定できる。

受信側のメールサーバーは SPF を使用して、受信メールの送信元とされるドメインが偽装されたものではなく、承認済みのサーバーから送信されたことを確認する。

SPFレコード設定例

tomlab.jp. IN TXT "v=spf1 mx -all"

References:

DNS:DKIM record
- criptographically sign mails emitted by your mail server

Lack of DKIM has a very negative impact on the reputation of a domain.

2048 bits RSA public keys do not fit in a DNS TXT record and must be truncated into two records.

doas mkdir /etc/mail/dkim
doas openssl genrsa -out /etc/mail/dkim/tomlab.jp.key 1024
doas openssl rsa -in /etc/mail/dkim/tomlab.jp.key  \
            -pubout                           \
            -out /etc/mail/dkim/tomlab.jp.pub
cat /etc/mail/dkim/tomlab.jp.pub

DNS TXT record

;; <selector>._domainkey.<domain>.
;; selector: whatever you choose, normally date
20221124._domainkey.tomlab.jp. IN TXT "v=DKIM1;k=rsa;
p=PASTED PUBKEYSTRINGS.........."
References:

DNS:DMARC record
- Instructing hosts what to do with SPF and DKIM failures with DMARC

RFC7489

_dmarc.tomlab.jp. IN TXT "v=DMARC1;pct=100;rua=mailto:postmaster@tomlab.jp;"
References:

Get TLS certificate

acme-client(1) acme-client.conf(5) ssl(8)
doas openssl genrsa -out /etc/ssl/private/tomlab.jp.key 4096
doas openssl req -new -x509 -key /etc/ssl/private/tomlab.jp.key \
  -out /etc/ssl/tomlab.jp.crt -days 365
doas chmod 0600 /etc/ssl/private/tomlab.jp.key
doas chmod 0600 /etc/ssl/tomlab.jp.fullchain.pem
doas cp /etc/examples/httpd.conf /etc/httpd.conf
doas cp /etc/examples/acme-client.conf /etc/acme-client.conf

/etc/httpd.conf

server "mail.tomlab.jp" {
  listen on * port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location * {
    block return 302 "https://$HTTP_HOST$REQUEST_URI"
	}
}
  doas rcctl -f start httpd

/etc/acme-client.conf

domain mail.tomlab.jp {
  domain key "/etc/ssl/private/mail.tomlab.jp"
  domain full chain certificate "/etc/ssl/mail.tomlab.jp.fullchain.pem"
  sign with letsencrypt
}
  doas acme-client -v mail.tomlab.jp
References:

Configuring Rspamd

Rspamd provides spam filtering methods, antivirus integration, and dkim signing.

Redis is used to store Rspamd statistics and greylisting state.

filter-rspamd allows OpenSMTPD to work with Rspamd.

  doas pkg_add rspamd redis opensmtpd-filter-rspamd

Rspamd to handle my DKIM signing

doas mkdir /etc/rspamd/local.d
doas cat << EOF > /etc/rspamd/local.d/dkim_signing.conf

allow_username_mismatch = true;

domain {
  tomlab.jp {
    path = "/etc/mail/dkim/tomlab.key";
    selector = "20221124";
  }
}
EOF

doas rcctl enable redis rspamd
doas rcctl start redis rspamd

Configuring OpenSMTPD

/etc/mail/virtuals

@ vmail

/etc/mail/credentials (root:_smtpd 0640)

smtpctl encrypt PASSWD
tom OUTPUT_OF_ABOVE_CMD
table virtuals file:/etc/mail/virtuals
table credentials file:/etc/mail/credentials

pki tomgena.com cert "/etc/ssl/tomgena.com.fullchain.pem"
pki tomgena.com key  "/etc/ssl/private/tomgena.com.key"

filter "rdns" phase connect \
  match !rdns \
  disconnect "550 DNS error"

filter "fcrdns" phase connect \
  match !fcrdns \
  disconnect "550 DNS error"
filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"

listen on all         \
  port 25             \
  tls pki tomgena.com \
  filter { "rdns", "fcrdns", "rspamd" }

listen on all                 \
  port 587                    \
  tls-require pki tomgena.com \
  auth <credentials>          \
  filter "rspamd"

action "RECV" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
action "SEND" relay helo tomgena.com

match from any for domain "tomgena.com" action "RECV"
match from any auth for any             action "SEND"

Configuring Dovecot

/etc/login.conf

dovecot:\
  :openfiles-cur=1024:\
  :openfiles-max=2048:\
  :tc=daemon:

Remove all files

doas rm -rf /etc/dovecot/*

First, make an user file.

smtpctl encrypt PASSWD

format is user:password:uid:gid::homedir
In this guide, vmail user is used for all acounts, so leave the uid, gid and homedir fields blank as below.

/etc/dovecot/users (root:_dovecot 0640)

tom:OUTPUT_OF_ABOVE_CMD::::

/etc/dovecot/dovecot.conf

ssl = required
ssl_cert = </etc/ssl/tomgena.com.fullchain.pem
ssl_key = </etc/ssl/private/tomgena.com.key

ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes

disable_plaintext_auth = yes

protocols = lmtp imap

service lmtp {
  unix_listener lmtp {
    user = vmail
    group = vmail
  }
}

service imap-login {
  inet_listener imaps {
    port = 993
  }
}

passdb {
  driver = passwd-file
  args = scheme=BLF-CRYPT username_format=%n /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/users
  override_fields = uid=vmail gid=vmail home=/home/vmail/%n
}

mail_location = maildir:~/Maildir
dovecot -n
rcctl enable dovecot
rcctl start dovecot

Tests

References