
>The YOUREMAIL.YOUREMAILDOMAIN. part must be replaced by your own email. For example, my email address: ian.miell@gmail.com becomes ianmiell.gmail.com.. Note also that the dot between first and last name is dropped. email ignores those anyway!

Isn't that only the case for gmail (and maybe some others)?

As an aside I'm surprised someone setting up their own dns-server would still be using gmail. I've found running my own email-server to be very useful and satisfying. (0-configuration throwaway addresses, automatic sorting with sieve, personal and professional mail on the same account, etc. etc.)



> 0-configuration throwaway addresses

> personal and professional mail on the same account

This is a self plug, however this is exactly what I made https://ForwardMX.io for, doing all this within Gmail for the lazy :)


Looks useful. I'm not sure how the catch-all address works for your service, maybe it's the same maybe it's different from what I have.

My problem with a catch-all was that there is a lot of spam that gets sent to various common email addresses such as "admin". Do you maintain a blacklist for your users?

I have a regular expression set as a username in my database of email addresses. (spoilers: it's just somesalt.*."2 or 3 characters" so for example secretsalt.ycombinator.com@mydomain.tld). So I can sign up to any random website by just entering salt.thatwebsite.tld@me as my email. That's the zero-configuration part. Honestly, this is worth paying $9/year for imho :P

The personal and professional mail together is simply internally forwarding my professional mail to the same imap instance but a different folder :P. It's mostly future-proofing on my part. If I were to get/manage a different domain-name (say a gaming guild or business venture) I could merge those too and not have to set-up 27 different accounts in my email client.


I currently overwork the catch-all/matching part to support way more options. (Gmail style, timestamp invalidation, subdomains, blacklists ...)

Right now my approach is to have a [catch-all]@domain.tld enabled, and then build rules for individual domains I want to blacklist.

However sounds like you figured out a nice setup that works for you. So you are not the target audience anyway :)


Sounds like a great product, tbh. If I ever break my server I'll consider it.


How do you handle SPF records? That was the main reason I switched to Fastmail for my domains even though they all still filter into Gmail - they have a rewrite source address function


We do SPF. Gmail does fine without SPF if you teach the Spam filter, every other major provider seems to really have issues without.

Can't say anything against Fastmail tho, except surely we are cheaper as we don't have to provide these kind of interfaces and space.


> Isn't that only the case for gmail?

Yes. Email providers are free to create that kind of rule, and this one looks very specific to gmail.

> As an aside I'm surprised someone setting up their own dns-server would still be using gmail.

Well, be wary of getting contacts about your DNS in an email that depends on your DNS. This is the one place to use a gmail address, not one you control.


I haven't ever got comfortable with running mail. Interested in any good guides I haven't already read.


I've spent years tweaking my mail server setup (Postfix, Dovecot, RSPAMD, LDAP...) and did a full writeup a few months ago. I've used other guides online but found most of the rest lacking on details.

https://www.c0ffee.net/blog/mail-server-guide


Thanks a lot for that! I've been running a similar stack (ldap took me a while to grasp) but without rspamd which I wanted to add. Your writeup is the perfect excuse to finally start with it.


Thanks from me too, this looks great. I also knew immediately why the SVG looks wrong on Firefox because I had the same problem before - The text is 'live' text and not stroked to paths. It's a pain to do if you have a lot of text content, but if you can click on text in an SVG and discover it is still editable, it won't render correctly for many viewers. Once you are sure there are no typos, stroke all text to paths and it will look perfect on any browser.


I've submitted this for discussion and asked the mods to give you the credit you deserve for putting in so much effort!

https://news.ycombinator.com/item?id=16238937


Thanks. I was just complaining last week to my friends that all howtos about postfix and spam protection seem to be a decade old. Now you fixed it and I will add rspamd (which I did not know about). My previous plan was to add some kind of Right Hand Spam Filter, do you have any opinion on that?


Hope you find it helpful! Not sure what you mean by Right Hand Spam Filter, but Rspamd has been great. It integrates with postfix as a milter so there's very little configuration to get it working with your existing setup.

The daunting part is just how many options/features the project has - which is what I tried to clear up in my guide.


Are there any good open-source webmail clients?


That looks great, thanks.


Curious why you settled for Postfix?

I know it's basically the standard but it's a pain to configure and modify. I recently started to work with Haraka and it's so much more of a pleasure (even though I am no JS fan, I prefer JS to cryptic/ancient config files)

Just curious if you went through an evaluation process


I don't feel like I "settled" for Postfix. The configuration is quite simple, the documentation is great, and it's been battle-tested for decades.

I have basically no experience with Javascript or web stuff, and the last thing I want to do is figure out some leftpad-style NPM package dependency while my mail server is down. Maybe I'm just an old-school Unix guy at heart though - running a JavaScript interpreter on a privileged port just doesn't sit right with me.


If you want "pain to configure and modify", take a look at sendmail, which was the standard for decades.

Postfix is a breeze to work with in comparison.


I don't agree. Sendmail definitely has the weirder config file syntax, but (having set both up multiple times) both have the exact same setup technique—reading through the manual looking at the config options and copying/pasting the lines into the config.


That same technique can be applied to basically anything.

I've set up both multiple times, and have worked with Sendmail since 1994. Postfix config files are much simpler.

To configure sendmail, you have to do extra layers of weirdness, like deal with "m4". That's mental overhead you just don't have with Postfix.


There's not really any extra layers of weirdness unless you're digging down into the nasty .cf files (which you probably never ever need to do). The m4 is just a detail (so you end up commenting with "dnl").

The relative complexity of the files is about the same—my postfix server config is roughly the same number of lines as my sendmail server config. And each line is just a single conf thing. Sendmail isn't really more complicated at all. It's just ugly.


Did not know Haraka, looks interesting.

Do you use it together with an imap server (like dovecot)?


Not yet no. But curious about such a setup as well.


If you want something a little hands off, I use Mail-in-a-box (https://mailinabox.email/) which does all the setup on the server for you automatically. I switched over to running my own email server several months ago and it's been working without any issues.


Hmm, I can't seem to find the tutorial I followed. I thought it was on DigitalOcean or Linode but I can't seem to find it. It was one of the big vps providers though...

This one[1] is similar however, although it's a bit less detailed. Basically: I use postfix with mysql for a user database as my MTA (the postman so to speak) and dovecot for the IMAP client (a smart mailbox equivalent).

edit: it's slightly different from what perlgod wrote (rspamd+ldap vs spamassassin+mysql) but the idea is the same.

Now the tutorial will give you a basic set-up, with spamassassin as a spamfilter. Which already "just-worked(tm)" for me. In addition to what's listed I added the following steps over time:

- First check your ip address on mxtoolbox.com for any blacklists. If you're on any, you could get removed if you ask them or you could ask your hosting provider to give you a different ip.

- get a certificate from let's-encrypt and encrypt all outgoing mail. Rejecting unencrypted mail is not a good idea even if it would be in an ideal world.

- add a blacklist MySQL table and a regex address to the users table. Postfix has an option for parsing regex IIRC, so you can just set the email-address to be a regex in the table as you would any other email. Then set the MySQL query in postfix to something like "user in table users AND NOT in table blacklist". This way you can use a unique email for each website you sign up to (say: somesalt.domain.tld@yourdomain.tld) and if you ever get any spam, you will know what website got hacked/sold your info ;P. I have only one website on my blacklist so far, and that was because their unsubscribe link didn't work.

- Install Sieve, this lets you add a sorting-script to your imap, letting you automatically sort incoming mail into different folders using all kinds of regexp. I have for example "personal, work, work/personal (directly to me and not a list), anonymous (throwaway addresses for each website I sign up to), admin (postmaster, cron, etc.), purchases (regex match to anything containing order, shipment, etc. which gets put into a folder which is backed up for longer), Uni, git notifications, and Twitch (because they send a ton of short-lived notifications. Messages in this folder get purged after 2h)".

- Set up a r-dns pointer (you said you wanted to try more obscure dns features :D). This is an ip->domain mapping. For me this meant sending a message to my vps provider asking them to do so. p.s. vpsdime has insanely good/fast support. Took them literally less than a minute.

and finally:

- Set up DMARC (DKIM+SPF). Spf is pretty simple. It's simply a dns record which says which ip-addresses are allowed to send mail on your behalf. DKIM is a bit more complicated: It uses public-private key encryption (with the public-key in the dns records) to digitally sign various fields (to,from, content, cc, etc. can all be signed separately) of your email to make sure they haven't been tampered with. The daemon set-up is quite easy, but it's easy to mess up the settings. If you're sending sensitive business emails I would set it up (my bank has it for example) but for personal email, I would only set it to sign the bare minimum such as the 'from' field, or nothing at all. Even if you don't sign any fields, having it set up will almost surely prevent you from being put into spam folders by the big providers.

I haven't had any issues so far, except for an overly strict DKIM set-up. Once marking email sent to my work's mailing lists as spam when forwarded to gmail. (i.e. me->work list -> someone@work.tld -> someone@gmail.com) which in an ideal world wouldn't cause issues, but my work's mail server was misconfigured causing them to modify the email's envelope without respecting the DKIM signatures.

The other time was when my university email forwarded messages from @intel.com, which has strict security settings too. This was actually an issue when I forwarded from my uni to my gmail before too, but I never noticed because gmail was (as per Intel's configuration) silently discarding any emails I got. I only noticed the problem when I looked at my mail server logs for any rejections. I now have Intel.com whitelisted. (my uni said they'd fix it... 1.5 years ago...).

Having written all this out I noticed two things:

1. Okay, maybe setting up an email server is a bit of work after all... Mine grew organically over a few weekends so I never noticed.

2. When I finally start that blog I've been meaning to do, I should do a clean email-server install and write it up.

[1] https://www.digitalocean.com/community/tutorials/how-to-conf...
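
The per-site alias scheme with a blacklist described in the comment above, sketched in Python as an added example; it is not the commenter's Postfix/MySQL configuration. The salt, domains and blacklist entry are constructed, the pattern is stricter than the `somesalt.*` regex quoted in the thread, and the sender-mismatch check is a heuristic assumption for spotting which site's address leaked.

```python
import re

# Constructed values for illustration; none of these come from the thread.
SALT = "secretsalt"
MY_DOMAIN = "mydomain.tld"
BLACKLIST = {"leakyshop.com"}

# Local part must be "<salt>.<site>", where <site> is a hostname ending in a
# 2- or 3-letter TLD. Anchored and limited to hostname characters.
ALIAS_RE = re.compile(
    re.escape(SALT) + r"\.(?P<site>(?:[a-z0-9-]+\.)+[a-z]{2,3})"
)


def classify_recipient(rcpt, blacklist=BLACKLIST):
    """Return (verdict, site) for an envelope recipient address.

    Mirrors "user in table users AND NOT in table blacklist": the alias must
    match the salted pattern and the embedded site must not be blacklisted.
    """
    local, sep, domain = rcpt.strip().lower().rpartition("@")
    if not sep or domain != MY_DOMAIN:
        return ("reject-unknown", None)
    m = ALIAS_RE.fullmatch(local)
    if m is None:
        # Covers guessed addresses such as admin@ that a plain catch-all takes.
        return ("reject-unknown", None)
    site = m.group("site")
    if site in blacklist:
        return ("reject-blacklisted", site)
    return ("accept", site)


def leaked_sites(deliveries):
    """Given (envelope_sender, recipient) pairs, list sites whose alias got
    mail from a sender outside that site's domain (heuristic leak signal)."""
    leaked = set()
    for sender, rcpt in deliveries:
        verdict, site = classify_recipient(rcpt)
        if verdict != "accept":
            continue
        sender_domain = sender.lower().rpartition("@")[2]
        if sender_domain != site and not sender_domain.endswith("." + site):
            leaked.add(site)
    return sorted(leaked)
```

A site that mails through a third-party sender will also show up in `leaked_sites`, so treat its output as a list to review before adding anything to the blacklist.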


What email server do you use? Any particular anti-spam tool? This is what messes me up compared to gmail.


spamassassin, that's all really. I'm not a huge fan because I still have trouble figuring out how to configure it, but the default seems to work haha. I haven't had much spam yet that didn't get put into the spam folder or auto-deleted. The little bits that I did get also showed up in my gmail before (think parents/grandparents + virus spam).

I do have some publicly harvestable emails (on github and such), but I've never been spammed on those yet. Only on my personal address which I only give out IRL or occasionally reply with.

The catch-all emails are probably the best anti-spam you can have. The moment I get spam addressed to ycombinator.com@mydomain.tld (which matches a regex), I just blacklist it and move on with my life.


>personal and professional on the same account

To me that is a bug not a feature


You can set imap to only sync specific folders, so you can have just your personal email on one machine and work on another if you want.

My work email is (was, internship) reasonably quiet so it didn't bother me. If it would become annoying I'd just set it to manual sync on my phone.



