OT: "domain-level" email hosting services?
raf
mutt at raf.org
Sun Oct 24 00:31:33 UTC 2021
On Sat, Oct 23, 2021 at 06:15:35PM +0200, Jens John <lists at 2ion.de> wrote:
> On Sat, 23 Oct 2021, at 16:21, Bastian wrote:
> > The stack I use is exim, spamassassin, dovecot on debian
> > stable since ~2006.
>
> If somebody would set something up new today, I would recommend the following 3-piece software stack:
>
> 1. postfix as the SMTP server and Let's Encrypt for a proper validated host SSL certificate
>
> 2. dovecot as the IMAP mailbox server
>
> 3. rspamd as the "policy engine". It can validate incoming SPF,
> DKIM, DMARC and ARCs which are all current best practice among the
> commercial email hosts, and it also can apply DKIM signatures and
> ARC seals to outgoing mail in a standards compliant way. The usual
> spam learning techniques are all implemented in rspamd, and it can
> interface with spamassassin, clamav etc as well. rspamd is very useful
> to prevent the piling up of different milters in postfix which work
> all differently.
Thanks. I didn't realise that rspamd did all that.
For anyone using Let's Encrypt / certbot for their mail
server certificate, I'd like to throw in a shameless
plug for a little program I wrote that makes it easy to
properly implement DANE (DNS-Based Authentication of
Named Entities), which is supported by both Postfix and
Exim.
It's at https://github.com/raforg/danectl
DANE makes it possible for a mail server administrator
to let other mail servers know in advance, not only
that encryption is supported, but also precisely which
key will be used, thus making it possible to eliminate
man-in-the-middle attacks between mail servers (as
long as the other mail servers are DANE-aware). It's
like MTA-STS except that it's good.
You do need DNSSEC for your domain as a prerequisite,
but that has become incredibly easy these days (e.g.,
one extra line of Bind9 config in Debian stable, or
a checkbox in Google's Cloud DNS service).
Even if you don't have DNSSEC or want this for your own
mail server, I'd recommend running a local
DNSSEC-validating DNS resolver on your mail server
(e.g., Bind9, Unbound), and enabling the client-side of
DANE-awareness in your mail server.
You'd need /etc/resolv.conf to look like this:
nameserver 127.0.0.1
options trust-ad
For Postfix, you'd need this in main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
For Exim, you'd need:
dns_dnssec_ok = 1
remote_smtp:
  hosts_try_dane = *
cheers,
raf
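As an added illustration of the DANE mechanism described above (example code written for this page; it is not part of raf's message and not danectl's code): the operator publishes a TLSA record under _25._tcp.<mx host> that carries a hash of the server certificate's SubjectPublicKeyInfo, and a DANE-aware sending MTA compares that hash against the key the receiving server actually presents during STARTTLS. The example uses the "3 1 1" form (DANE-EE, SPKI selector, SHA-256) that RFC 7672 recommends for SMTP, shows the client-side match including how unusable records are skipped, and builds the two records published before a key change. The key bytes are constructed placeholders standing in for real DER-encoded SPKI data, and the host name mx.example.com is assumed.

```python
import hashlib

# TLSA field values from RFC 6698; "3 1 1" is the form RFC 7672 recommends for SMTP.
USAGE_DANE_EE = 3    # usage 3: the record names the server's end-entity certificate itself, no CA chain
SELECTOR_SPKI = 1    # selector 1: cover only the SubjectPublicKeyInfo, not the whole certificate
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed placeholders: a real SPKI is the DER-encoded SubjectPublicKeyInfo from the
# server certificate (what "openssl x509 -pubkey -noout" prints, base64-decoded).
OLD_SPKI = b"constructed placeholder: SPKI of the key currently in use"
NEW_SPKI = b"constructed placeholder: SPKI of the key to switch to"


def tlsa_owner(host: str, port: int = 25) -> str:
    """Owner name a DANE-aware SMTP client queries for an MX host, e.g. _25._tcp.mx.example.com."""
    return f"_{port}._tcp.{host.rstrip('.')}."


def association(spki_der: bytes, matching: int) -> bytes:
    """Certificate association data for the given matching type (RFC 6698 section 2.1.3)."""
    if matching == MATCH_FULL:
        return spki_der
    if matching == MATCH_SHA256:
        return hashlib.sha256(spki_der).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(spki_der).digest()
    raise ValueError(f"unsupported matching type {matching}")


def tlsa_rdata(spki_der: bytes, usage: int = USAGE_DANE_EE,
               selector: int = SELECTOR_SPKI, matching: int = MATCH_SHA256) -> str:
    """Presentation-format RDATA: 'usage selector matching hex-association'."""
    return f"{usage} {selector} {matching} {association(spki_der, matching).hex()}"


def parse_tlsa(rdata: str):
    """Split presentation-format RDATA into (usage, selector, matching, association bytes).
    Zone files may break the hex across whitespace, so join the pieces before decoding."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex("".join(hexdata.split()))


def spki_matches(records, presented_spki: bytes) -> bool:
    """Client-side check: does the SPKI from the server's certificate match a usable record?
    Only DANE-EE + SPKI records are handled here; other usages/selectors and unknown
    matching types are skipped as 'unusable', as RFC 7672 directs (if every record is
    unusable the client falls back to opportunistic TLS rather than failing)."""
    for rdata in records:
        usage, selector, matching, assoc = parse_tlsa(rdata)
        if usage != USAGE_DANE_EE or selector != SELECTOR_SPKI:
            continue
        if matching not in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512):
            continue
        if association(presented_spki, matching) == assoc:
            return True
    return False


def rollover_zone_lines(host: str, current_spki: bytes, next_spki: bytes):
    """Records to publish before a key change: the current key's record keeps clients that
    cached the old RRset working, and the next key's record is already in place when the
    server starts presenting the new key. Remove the old record only after the switch, once
    the TTL of the old RRset has passed. A plain certbot renewal that reuses the key pair
    changes neither record, because selector 1 hashes the key, not the certificate."""
    owner = tlsa_owner(host)
    return [f"{owner} IN TLSA {tlsa_rdata(current_spki)}",
            f"{owner} IN TLSA {tlsa_rdata(next_spki)}"]


if __name__ == "__main__":
    for line in rollover_zone_lines("mx.example.com", OLD_SPKI, NEW_SPKI):
        print(line)
    published = [tlsa_rdata(OLD_SPKI), tlsa_rdata(NEW_SPKI)]
    print("old key accepted:", spki_matches(published, OLD_SPKI))
    print("new key accepted:", spki_matches(published, NEW_SPKI))
    print("unknown key accepted:", spki_matches(published, b"some other key"))
```

The point the helper makes concrete is why the DNSSEC prerequisite matters: the sending MTA trusts the TLSA RRset only because the resolver validated it, so the same Postfix or Exim settings quoted above are what turn this comparison on, and the `options trust-ad` line is what lets the MTA believe the resolver's AD bit.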