  2. 5

    Thank you very much for the writeup, I might actually make the jump now, I was very hesitant to use all the docker all-in-one solutions.

    Unlike SPF and DKIM, DMARC doesn’t really do anything

    This is technically not true, as far as I know, as it changes the behaviour of DKIM and SPF if you have it enabled. For example, pure SPF will only check the sending envelope for a valid sender but ignore the <FROM:> header, which is actually what the user gets to see. With DMARC enabled, this behaviour is extended.

    https://media.ccc.de/v/36c3-10730-email_authentication_for_penetration_testers

    1. 2

      DMARC in fact does so much that mailing lists have to change their behavior.

      I still don’t fscking understand whether setting p=reject would be okay with (e.g. freebsd.org, freedesktop.org) mailing lists or whether that would send all mail forwarded from me by the mailing lists (in case of freebsd.org at least, with the list’s added “signature” and me in From) to trash/spam everywhere.
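The two points above, that SPF alone only looks at the envelope sender while DMARC ties the result to the visible From: header, and that a mailing list which rewrites the envelope and appends a footer can fail a p=reject policy, modelled as an added example (not code from the original post or the linked talk). All domains are constructed, and the organizational-domain lookup is a simplifying assumption that ignores the public-suffix list.

```python
# Added example, not code from the original post or the linked talk.
# A minimal model of the DMARC check (RFC 7489): SPF and DKIM results
# only count if their domain *aligns* with the domain in the visible
# From: header. All domains below are constructed sample values.
from typing import List, Tuple

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption: no public-suffix list is consulted (real receivers use one)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    a match of organizational domains (sub.example.com ~ example.com)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_results: List[Tuple[str, bool]], policy: str,
                   aspf: str = "r", adkim: str = "r") -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    spf_domain is the envelope MAIL FROM domain that SPF was evaluated
    against; dkim_results is a list of (d= domain, signature verified).
    The disposition is what a receiver applies under the sender's p= tag."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(ok and aligned(d, from_domain, adkim) for d, ok in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy if policy in ("quarantine", "reject") else "none"

if __name__ == "__main__":
    # 1. SPF alone: envelope domain third-party.example passes SPF, but the
    #    user sees From: example.com. SPF is satisfied; DMARC is not.
    print(dmarc_evaluate("example.com", "pass", "third-party.example", [], "reject"))
    # 2. Mailing-list relay: the list rewrites the envelope to its own domain
    #    and appends a footer, breaking the author's DKIM signature. Under
    #    p=reject the author's own post is rejected at subscribers' servers.
    print(dmarc_evaluate("example.com", "pass", "lists.example.org",
                         [("example.com", False), ("lists.example.org", True)], "reject"))
    # 3. Direct delivery from the author's own server: aligned SPF passes.
    print(dmarc_evaluate("example.com", "pass", "example.com",
                         [("example.com", True)], "reject"))
```

Case 2 is the situation the question above asks about: neither the list's SPF pass nor its own DKIM signature aligns with the From: domain, so the result depends on whether the list preserves the original signature (or rewrites From:).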

      1. 1

        Glad to hear that!

        And I’ll update the DMARC section, thanks.

      2. 4

        OpenSMTPD had two separate remote code execution security issues in 2020. Maybe that should get a mention in the section named Security.

        1. 1

          Thanks, I’ve added a paragraph to the end of the OpenSMTPD section mentioning that it must be kept up-to-date to fix potential vulnerabilities.

          I don’t believe that the alternatives are fundamentally better though, and I still definitely prefer OpenSMTPD’s manageable configuration syntax. And, to their credit, those vulnerabilities were fixed quickly; I trust the OpenBSD project to take security seriously.

          1. 1

            When I set up my mail server a couple of months ago, I picked Postfix. It is a very mature project, a lot more popular than OpenSMTPD (which I hope can mean more eyeballs), and it also advertises itself as having a focus on security. As far as I have been able to find, it has never had a remote code execution hole: https://www.cvedetails.com/vulnerability-list/vendor_id-8450/product_id-14794/Postfix-Postfix.html

            Its configuration is not as nice as OpenSMTPD’s, and there is more documentation to be read, but I managed to set it up with no previous experience. I guess I should have written a blog post describing the process too!

        2. 2

          Great writeup!

          I recently made the jump from Postfix to OpenSMTPD and have been very happy. It was on my wishlist for years but I really needed filters to work. I loosely followed the blog post by Gilles himself: https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/ although it is quite lengthy and aimed at absolute beginners.

          nitpick:

          disable_plaintext_auth = yes

          That’s the default so you could shorten the text with one explanation less ;-)

          1. 2

            Thanks! That blog post also helped me a lot, and I gave him a shoutout in the OpenSMTPD section.

            I think I’ll leave that Dovecot setting as-is, because I prefer to be explicit about such an important setting… even though the text could definitely use some shortening. ;-D

          2. 1

            I moved my own setup from Cyrus to Dovecot a while ago, and never looked back. So much easier to set up and operate. Not to mention that the migration was prompted by a long-standing bug in Cyrus that caused message database corruption and went unfixed for over a year!

            1. 3

              I had a similar experience with Postfix and Exim versus OpenSMTPD… the first two are clearly much more flexible, but a nightmare to set up for a poor hobbyist like me. Then I found OpenSMTPD, whose documentation fits into a couple of manpages instead of an endless series of HTML pages, and I never looked back.

              1. 2

                Maybe I should look into it. I’m a sendmail survivor, so I don’t find Postfix all that hard to use (by comparison), but if it can be made simpler, I’m all for it.

                1. 3

                  For me, it’s quite important that I can write a config file from scratch using the available documentation; IMO just changing a few things in a template makes it hard to have a clear idea of what’s going on. I realize that’s a lot to ask from a program, but I think OpenSMTPD has nailed it whereas Postfix hasn’t… not to mention Exim.

                  1. 3

                    That’s exactly why I switched. When tools have endless configuration options I always get the feeling that I’ve missed something, or I haven’t done something right. I just can’t feel confident that my setup is secure and I haven’t made some rookie mistake.

            2. 1

              Great write-up! Especially liked how you explained every nitty-gritty detail. I’m currently using docker-mailserver; it works for the most part, but Docker is so bloated. I might consider switching to your setup—I’ll just have to rework it for multiple users, across multiple domains.

              1. 2

                Thanks! Once I finished writing this post, I was shocked at how long it had turned out… Yes, I included a lot of details, but still: email is a horrible system that needs a lot of explaining.

                Adding more users and domains shouldn’t be too difficult, as long as there aren’t too many. Just™ update the user databases of OpenSMTPD and Dovecot, and add some domains in the former’s config file, and you should be good to go.