Mail server setup
I have decided to set up my mail server based on postfix and dovecot. However, for future setups, exim was recommended to me; apparently it would've saved me a bunch of pain.
Online tutorials
My pride initially dictated that I try and figure everything out on my
own, and that actually went okay for a while. However, at some point
even I had to admit that it's actually more reasonable to just find a
good online tutorial. Here's the one I ended up using for my
dovecot setup, it's pretty good: Build Your Own Email Server on Ubuntu
Relevant DNS entries
There are some DNS entries that aren't strictly necessary for
sending/receiving emails, but they're still highly relevant; unless you
enjoy having your emails go straight to the junk folder instead of the
inbox. Most of them are pretty straightforward to set yourself; just
create a bunch of TXT type DNS entries via your domain
registrar's website. The syntax is a bit obscure, but the logic for
creating the most relevant DNS entries is pretty simple:
- SPF:
  @ IN TXT "v=spf1 mx a ~all"
- DMARC:
  _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@max-moser.dev; ruf=mailto:postmaster@max-moser.dev; pct=50"
- DKIM:
  default._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bZxmVehtb/Ye8MhcHO0EjXAlEuOsPJPT07sYsoyfMqNuVZYdr72QTFpj8/xkuc/C8bnL5EURrg9MiERW7Km+A9MVuBVtfzoiv2CbFezSNrbdkvvFrcx/NdvTHvTLyMwpzEHu2Uu4AmtKoFs+C8rpFJelSSmLKpcld8Z3E2uMlqmu06Yk5hIc5DRXqRKfkTGs5aghRsDXu4aT5KDaDbc3jRW2FfeBeEzawpL3QrPB4+XM+cI43XxEFoXmJARwwiYax/gi/3B3zwYi1g8mUjJiqAgBUsWO4qElzuKmnGKKjxR+F9Is3I2kQWvsgmjkZN6/IIQCT1w9LpyOLckjtqCJwIDAQAB"
Hint: Find the actual entries for SPF, DMARC, and DKIM on the very useful MxToolbox!
Note: The DKIM record is only one part of the
DKIM setup; you also need to tell postfix to verify and
sign DKIM, e.g. by setting OpenDKIM as a
milter.
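An added example, not code from the post: a small Python checker that parses the three record values above (the post's own values, embedded here as constructed sample input) and reports what you'd want to know before going live: whether the SPF `all` qualifier is only a softfail, what DMARC `pct=` actually limits, and whether the DKIM `p=` key decodes to a DER public key. The function names and finding texts are my own.

```python
import base64

# Constructed sample input: the three TXT values from the post, as a resolver would return them.
SPF = "v=spf1 mx a ~all"
DMARC = ("v=DMARC1; p=reject; rua=mailto:postmaster@max-moser.dev; "
         "ruf=mailto:postmaster@max-moser.dev; pct=50")
DKIM = "v=DKIM1; h=sha256; k=rsa; p=" + (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bZxmVehtb/Ye8MhcHO0"
    "EjXAlEuOsPJPT07sYsoyfMqNuVZYdr72QTFpj8/xkuc/C8bnL5EURrg9MiERW7Km"
    "+A9MVuBVtfzoiv2CbFezSNrbdkvvFrcx/NdvTHvTLyMwpzEHu2Uu4AmtKoFs+C8r"
    "pFJelSSmLKpcld8Z3E2uMlqmu06Yk5hIc5DRXqRKfkTGs5aghRsDXu4aT5KDaDbc"
    "3jRW2FfeBeEzawpL3QrPB4+XM+cI43XxEFoXmJARwwiYax/gi/3B3zwYi1g8mUjJ"
    "iqAgBUsWO4qElzuKmnGKKjxR+F9Is3I2kQWvsgmjkZN6/IIQCT1w9LpyOLckjtqC"
    "JwIDAQAB")

def parse_tags(record):
    # 'tag=value; tag=value' syntax shared by DMARC and DKIM records
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return {k.strip(): v.strip() for k, v in pairs}

def check_spf(record):
    """Return a list of findings; an empty list means nothing notable."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["no 'all' term: unlisted senders get a neutral result"]
    if alls[-1].startswith("~"):
        return ["~all is a softfail; -all is needed to reject unlisted senders"]
    return []

def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    pct = int(tags.get("pct", "100"))  # share of failing mail the p= policy is applied to
    if pct < 100:
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    return findings

def check_dkim(record):
    """Decode the p= public key; return (key type, DER length in bytes)."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        raise ValueError("not a DKIM record")
    der = base64.b64decode(tags["p"] + "=" * (-len(tags["p"]) % 4))  # restore padding
    if der[:2] != b"\x30\x82":  # DER SEQUENCE header of a SubjectPublicKeyInfo
        raise ValueError("p= is not a DER-encoded public key")
    return tags.get("k", "rsa"), len(der)
```

The 294-byte DER length returned for the post's key is what a 2048-bit RSA SubjectPublicKeyInfo encodes to.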
Reverse lookup entry
The only entry that you likely cannot create yourself is the
PTR entry for reverse DNS lookups. To have that one set,
you'll need to contact your ISP (not registrar) to associate your static
public IP address with your domain name.
DNSSEC
Let's not talk about DNSSEC. I've looked very briefly at it, and decided to not do it. I don't give myself enough treats to actually go through that pain.
What makes it so hard?
As stated above, getting a basic local mail setup running that's not
an open relay is actually pretty straightforward. As soon as
you want to allow non-local mail clients to connect to the server (via
POP3, IMAP, SMTP) however, you need to use something like
dovecot with LMTP, and the difficulty gets
cranked up significantly. You'll need to deal with...
All the moving parts
First off, the full-fledged mail server setup consists of so.
many. moving parts. There are mail(1),
sendmail(1), procmail(1),
local(8), postconf(5), and a few more. While
their man pages go into great detail about each tool individually, they
don't really give you an overview of the bigger picture. It's
surprisingly hard to figure out the tools' interactions, and the
implications of swapping out the individual parts.
The configuration...
The similars
There are a trillion different configuration options, and half of
them differ in name by only one letter, making them very easy
to get mixed up; e.g. smtp_tls_protocols vs.
smtpd_tls_protocols. Even the configuration files are named
very similarly: main.cf and
master.cf! It took me much longer than I'd like to
admit to realize I was just editing the wrong file... I just kept
wondering why none of my changes seemed to have any effect,
and also why the online examples looked so different from my
config file, even though the config options were basically the same...
Also, wtf is that master.cf syntax?!
Obscure precedences
Half of the options also override each other via a sort of precedence
system, and it's absolutely non-trivial to find out which settings do
that and how... You'd better be very patient and methodical about
reading the docs. An example is
mail_spool_directory, which does nothing if you've changed
home_mailbox or mailbox_command. As
part of setting up dovecot, I just set
mailbox_transport = lmtp:unix:private/dovecot-lmtp and
don't want to invest any more energy into checking out any of the other
options.
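An added example (not the post's code) that parses a constructed main.cf and flags the two traps described above: an `smtp_*`/`smtpd_*` option set without its look-alike twin, and mailbox-delivery settings shadowed by one of higher precedence, using the order postconf(5) gives for local(8) delivery features (mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory). The sample values and finding texts are my own.

```python
# Constructed sample main.cf; the mail_spool_directory line is silently shadowed.
MAIN_CF = """\
# main.cf (constructed sample)
smtpd_tls_protocols = !SSLv2,
    !SSLv3
mail_spool_directory = /var/mail
home_mailbox = Maildir/
mailbox_transport = lmtp:unix:private/dovecot-lmtp
"""

# Mailbox-delivery parameters in the precedence order postconf(5) lists them
# (high to low); the *_maps ones apply per recipient where a lookup matches.
MAILBOX_PRECEDENCE = [
    "mailbox_transport_maps", "mailbox_transport",
    "mailbox_command_maps", "mailbox_command",
    "home_mailbox", "mail_spool_directory",
]

def parse_main_cf(text):
    """Parse 'name = value' lines; '#' starts a comment and a line that
    starts with whitespace continues the previous value."""
    settings, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            settings[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        settings[last] = value.strip()
    return settings

def lint(settings):
    findings = []
    # smtp_* configures Postfix as the SMTP client (sending), smtpd_* as the
    # SMTP server (receiving); report a missing twin so wrong-side edits stand out.
    for name in settings:
        if name.startswith("smtpd_"):
            twin = "smtp_" + name[len("smtpd_"):]
        elif name.startswith("smtp_"):
            twin = "smtpd_" + name[len("smtp_"):]
        else:
            continue
        if twin not in settings:
            findings.append("%s is set but %s is not" % (name, twin))
    present = [n for n in MAILBOX_PRECEDENCE if n in settings]
    for shadowed in present[1:]:
        findings.append("%s has no effect: %s takes precedence" % (shadowed, present[0]))
    return findings
```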
Sane defaults? Not here!
Also, if you're a fan of sensible defaults, then you'd better go elsewhere. There are (almost) no sensible presets for grouped configs.
So many protocols and ports
For receiving emails, we have two protocols; the older
POP3 and the more modern IMAP alternative.
Sending emails looks a bit simpler on the surface, since here we only
have SMTP. Unfortunately however, we have three different
choices of how to use this protocol: simply as plain-text (bad idea),
encrypted via TLS (SMTPS; good idea), or a bit
of both via StartTLS. It certainly does not help that both
basic options have different standard ports (SMTP including
StartTLS on 587, SMTPS on
465). But there's also a distinction to be made between
SMTP for clients to send emails (ports 465 and
587), as opposed to SMTP from servers to route
emails around (port 25). Further, IANA decided to revoke its
assignment of port 465 for SMTPS and give this
port away to another protocol... But just about every mail client in
existence still assumes that as the standard port for SMTPS
and gets mildly confused if you claim something different.
Ports overview
If that port jungle made your head spin, here's a condensed overview (see also Wikipedia):
- 25: SMTP (only for incoming email from other servers)
- 110: POP3
- 143: IMAP
- 465: SMTPS (for clients)
- 587: SMTP (for clients)
- 993: IMAPS
- 995: POP3S