2023-07-22 22:53:56 +00:00
# Mail Server: Deployment
1. Create the A, MX and TXT records. For example, here are the records for `example.com` defined in dnscontrol:
```Javascript
D('example.com', REG_NAMECHEAP, DnsProvider(DSP_NAMECHEAP),
A('mail', '10.87.129.99'),
MX('@', 10, 'mail.example.com.'),
TXT('_dmarc', 'v=DMARC1; p=none'),
TXT('@', 'v=spf1 mx ~all')
);
```
The `A` and `MX` records are required for mail to arrive at all. The `TXT` records (SPF and a monitoring-only DMARC policy) are optional for delivery but strongly recommended: many receivers score mail from a domain without SPF and DMARC as spam.
2. Configure your playbook's variables and run this playbook.
3. Configure credentials for the "hello" virtual inbox on the server. Generate a passphrase with your password manager, then run this on the server (`doveadm pw` prompts for the passphrase and prints a bcrypt hash):
```shell
# Pipe into `sudo tee -a`: with `sudo echo ... >> file` the redirect is done by the
# unprivileged shell, not by sudo, and fails on the root-owned passwd file.
echo "hello@example.com:$(doveadm pw -s BLF-CRYPT):$(id -u maildir):$(id -g maildir)" | sudo tee -a /etc/dovecot/imap.passwd >/dev/null
```
Also, if you use `doas` rather than `sudo`, you need to permit your ansible_user to become opendkim in your `/etc/doas.conf` (here the ansible_user is `blee`):
```
# allow the Ansible user to run commands as opendkim without a password prompt
permit nopass blee as opendkim
```
4. Configure your virtual aliases in `/etc/postfix/virtual` and run `postmap /etc/postfix/virtual` to rebuild the lookup table (see `man 5 virtual` for the table format).
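Step 3 is the one that tends to go wrong (a `sudo echo` redirect that fails, a hash pasted from the wrong tool, the same mailbox added twice). The following is an added example, not part of the playbook: a small POSIX shell helper that takes the hash produced by `doveadm pw -s BLF-CRYPT` as an argument, refuses anything that is not a Dovecot bcrypt hash, refuses a duplicate user, and writes the same `user:password:uid:gid` layout as the one-liner above. Run it as root (`sudo sh add-inbox.sh`) so the append to the passwd file works. The `/etc/dovecot/imap.passwd` path and the `maildir` account are the page's own; the function names, the `0600` mode and the sample hash are assumptions made for this example.

```shell
#!/bin/sh
# Added example: append one virtual inbox to a Dovecot passwd-file.

# add_virtual_inbox USER HASH UID GID [PASSWD_FILE]
# Returns 0 on success, 1 if HASH is not a doveadm BLF-CRYPT hash, USER looks
# malformed, or USER is already present in the file.
add_virtual_inbox() {
  user=$1 hash=$2 uid=$3 gid=$4
  passwd_file=${5:-/etc/dovecot/imap.passwd}   # page's default file (assumed here as a parameter)

  # doveadm pw -s BLF-CRYPT prints '{BLF-CRYPT}$2y$05$...'; anything else is a
  # sign the hash came from somewhere else (or is the plaintext passphrase).
  case $hash in
    '{BLF-CRYPT}$2'*) ;;
    *) echo "add_virtual_inbox: refusing non-bcrypt hash for $user" >&2; return 1 ;;
  esac
  case $user in
    ''|*[!A-Za-z0-9._+@-]*) echo "add_virtual_inbox: bad user '$user'" >&2; return 1 ;;
  esac

  # Exact match on the first colon-separated field, so hello@example.com does
  # not collide with hello@example.com.au.
  if [ -e "$passwd_file" ] && awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"; then
    echo "add_virtual_inbox: $user already in $passwd_file" >&2
    return 1
  fi

  # Same four fields as the page's one-liner: user:password:uid:gid.
  printf '%s:%s:%s:%s\n' "$user" "$hash" "$uid" "$gid" >> "$passwd_file" || return 1
  chmod 0600 "$passwd_file"   # assumption: hashes are secrets, only root needs to read them
}

# count_inboxes FILE: number of entries, for a quick post-run sanity check.
count_inboxes() {
  if [ -e "$1" ]; then grep -c ':' "$1"; else echo 0; fi
}

# On the mail host (interactive, as root):
#   add_virtual_inbox hello@example.com "$(doveadm pw -s BLF-CRYPT)" \
#     "$(id -u maildir)" "$(id -g maildir)"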
Validate your DNS records with [mxtoolbox.com](https://mxtoolbox.com/).
## Optional: sending authenticated mail
* Create another TXT record for DKIM using the contents of `/etc/dkimkeys/mail.txt` (the selector is `mail`, which is why the record name is `mail._domainkey`).
Here's an example line in dnscontrol:
```Javascript
TXT('mail._domainkey', 'v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANB...QIDAQAB')
```
* See [print-rdata.py](examples/print-rdata.py) for a (kind of bad) example of how to automatically parse mail.txt
* You can codify your records in a git repo using a tool like [dnscontrol](https://dnscontrol.org/) or [octodns](https://github.com/octodns/octodns-easydns).
* If you're really feeling adventurous, you could even set up a proper DMARC policy with a reporting address to replace the original placeholder TXT record. Only move from `p=none` to `p=quarantine` or `p=reject` after reviewing the aggregate reports (`rua`) confirms that every legitimate sender passes SPF or DKIM alignment; `fo=1` requests a failure report whenever either check fails. If the `rua` address is on a different domain than the one being protected, that domain must publish an authorization record (`<your-domain>._report._dmarc.<report-domain>`) or receivers will drop the reports.
```Javascript
TXT('_dmarc', 'v=DMARC1; p=reject; rua=mailto:dmarc@satstack.cloud; fo=1')
```
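`opendkim-genkey` writes `mail.txt` as a BIND-style record with the key split across several double-quoted strings, so it cannot be pasted into a `TXT()` call as-is; the usual mistake is copying only the first line. The block below is an added example (not the page's `print-rdata.py` and not part of the playbook): a POSIX shell parser that joins the quoted chunks into one string, checks that the result starts with `v=DKIM1` and carries a `p=` tag that is whole base64, and prints the dnscontrol statement. The sample `mail.txt` it writes is constructed for this example with placeholder key bytes, not a real key; the function names are assumptions.

```shell
#!/bin/sh
# Added example: turn opendkim-genkey's mail.txt into a dnscontrol TXT() line
# and sanity-check the record before publishing it.

# dkim_rdata FILE: join the double-quoted chunks of a BIND-style TXT record
# into one string (opendkim splits the key over several quoted strings).
dkim_rdata() {
  awk '{
    while (match($0, /"[^"]*"/)) {
      printf "%s", substr($0, RSTART + 1, RLENGTH - 2)
      $0 = substr($0, RSTART + RLENGTH)
    }
  } END { printf "\n" }' "$1"
}

# dkim_name FILE: the owner name from the first field, e.g. mail._domainkey.
dkim_name() {
  awk 'NR == 1 { print $1; exit }' "$1"
}

# dkim_check RDATA: 0 if the record starts with v=DKIM1 and has a p= tag whose
# value is base64 of a whole number of 4-char groups (a truncated paste is the
# usual failure), 1 otherwise.
dkim_check() {
  case $1 in
    "v=DKIM1;"*) ;;
    *) echo "dkim_check: record must start with v=DKIM1" >&2; return 1 ;;
  esac
  p=$(printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p')
  case $p in
    ''|*[!A-Za-z0-9+/=]*) echo "dkim_check: missing or malformed p= tag" >&2; return 1 ;;
  esac
  [ $(( ${#p} % 4 )) -eq 0 ] || { echo "dkim_check: p= is not whole base64 (truncated?)" >&2; return 1; }
}

# dkim_dnscontrol FILE: print the dnscontrol statement, or fail the check.
dkim_dnscontrol() {
  rdata=$(dkim_rdata "$1")
  dkim_check "$rdata" || return 1
  printf "TXT('%s', '%s')\n" "$(dkim_name "$1")" "$rdata"
}

# dkim_sample_file: write a constructed mail.txt in the shape opendkim-genkey
# produces (placeholder key bytes, not a real key) and print its path.
dkim_sample_file() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
   "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
   "AQIDAQAB" )  ; ----- DKIM key mail for example.com
EOF
  echo "$f"
}

# On the mail host: dkim_dnscontrol /etc/dkimkeys/mail.txt
dkim_dnscontrol "$(dkim_sample_file)"
```

A real 2048-bit key makes the joined string longer than the 255-byte limit of a single TXT string; dnscontrol splits long TXT values into multiple strings itself, so the one-line form above is what goes into `dnsconfig.js`.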
After records propagate, verify outbound mail using [mail-tester](https://www.mail-tester.com/) or [learndmarc](https://www.learndmarc.com/). I can score 10/10 by sending an email with an HTML MIME type (just copypasta something from ChatGPT).