diff options
Diffstat (limited to 'source/blog/2022')
-rw-r--r-- | source/blog/2022/email-server-revisited/index.md | 302 | ||||
-rw-r--r-- | source/blog/2022/email-server-revisited/microsoft-bounce.png | bin | 0 -> 24184 bytes | |||
-rw-r--r-- | source/blog/2022/things-i-use/index.md | 156 |
3 files changed, 458 insertions, 0 deletions
diff --git a/source/blog/2022/email-server-revisited/index.md b/source/blog/2022/email-server-revisited/index.md new file mode 100644 index 0000000..4519bae --- /dev/null +++ b/source/blog/2022/email-server-revisited/index.md @@ -0,0 +1,302 @@ +--- +title: "Revisiting my email server in 2022" +date: 2022-09-12 +layout: "blog" +toc: true +--- + +More than two years have passed since my first post about +[setting up an email server in 2020 with OpenSMTPD and Dovecot](/blog/2020/email-server/) +and [its sequel](/blog/2020/email-server-extras/). +Since then, my server been going strong, with a few minor hiccups along the way. +In this post, I'll explain some of the changes I made. + +This assumes you've followed the preceding guides: +the configuration snippets given here +should be interpreted as modifications to those guides, +*not* as complete setups! + +Last updated on 2022-09-12. + + + +## More about DMARC + +When I wrote my original guide, +I didn't properly understand how DMARC works: +I misinterpreted it as an optional wrapper around SPF and DKIM. +But oh God, I was wrong. +Simon Andrews' article "[I figured out how DMARC works, and it almost broke me](https://simonandrews.ca/articles/how-to-set-up-spf-dkim-dmarc)" +showed me the ugly truth, +and I highly recommend reading it. +Briefly, DMARC does two arguably unrelated things. + +Firstly, DMARC provides a way to diagnose issues with your SPF and DKIM configurations, +in the form of reports that get sent to the `ruf=` and/or `rua=` email address(es) +you put in the DNS record. +Without this, there's no way of knowing why +your emails are getting marked as spam. + +Secondly, it improves the trustworthiness of SPF and DKIM by enforcing *alignment*. +This means something slightly different for SPF and DKIM, +and boils down to fixing a glaring issue: + +* For some reason, in vanilla SMTP, it turns out that the email's `From:` header + doesn't need to agree with the address in the SMTP `MAIL FROM` command; + in other words, the server can claim a different sender than what's written in the message's header. + SPF only verifies the former (i.e. it takes the domain in `MAIL FROM`), + so one SMTP server can impersonate another. +* An email's DKIM signature header states the domain of the signing server with the `d=` tag, + but, once again, that doesn't need to agree with the `From:` header's domain. + DKIM doesn't look at the latter, so an SMTP server can validly sign impersonated messages. + +DMARC's alignment refers to checking whether the domains match up for SPF and DKIM, +thus ensuring that an SMTP server can't pretend to be someone else. +It sounds obvious, but nope, apparently it wasn't before DMARC was made. + + + +## DKIMproxy + +To add DKIM signatures to my messages, +I switched from Rspamd to [DKIMproxy](http://dkimproxy.sourceforge.net/). + + + +### Motivation + +To sign outgoing emails for DKIM, my original guide used Rspamd --- +an unusual choice, since it's a spam filter designed to act on *incoming* messages. +Later, in the [sequel](/blog/2020/email-server-extras/) to that guide, +I needed some ugly workarounds to compensate for Rspamd's "smartness" +when I tried to play around with authentication schemes in OpenSMTPD. +Clearly, this wasn't ideal. + +However, the reason I cut my losses and switched to another DKIM signer +was actually a bug in +MXToolBox' [deliverability tool](https://mxtoolbox.com/deliverability). +It appears that no matter what you do, +this tool claims that your email's signature fails validation. +I'm not the first to notice this issue: +see e.g. [this question](https://serverfault.com/questions/1005818/dkim-validating-but-mxtoolbox-reports-as-dkim-signature-not-verified) on Server Fault. +Other tools like the [DKIM validator](https://dkimvalidator.com/) +say that my DKIM signatures are correct. + +There aren't many open-source alternatives out there for DKIM signing: +the only ones I know of are [OpenDKIM](http://www.opendkim.org/) +and DKIMproxy. +The former is a so-called "milter", +meaning it can only interact with MTAs via the milter API, +which is only supported by [Sendmail](https://www.proofpoint.com/us/products/email-protection/open-source-email-solution) +and [Postfix](https://www.postfix.org/). +Since we're using OpenSMTPD, +our only option is DKIMproxy, +which consists of two daemons: +`dkimproxy.out` to sign outgoing mail, +and `dkimproxy.in` to verify incoming mail. +We just need the former; +Rspamd is still convenient for handling the latter's functionality. + + + +### DKIM settings + +Let's start by disabling Rspamd's DKIM signer +in `/etc/rspamd/local.d/dkim_signing.conf`: +```sh +enabled = false; +``` +Then configure `dkimproxy.out` as follows +in `/etc/dkimproxy/dkimproxy_out.conf`. +If you placed your DKIM public key +in a TXT DNS record for `<selector>._domainkey.example.com.`, +and stored your private key in `/path/to/dkim/private.key`, +then: +```sh +# Receive emails on 10027, sign them, and forward them to 10028 +listen 127.0.0.1:10027 +relay 127.0.0.1:10028 + +# Settings for email signing +domain example.com +signature dkim(c=relaxed/relaxed,a=rsa-sha256) +keyfile /path/to/dkim/private.key +selector <selector> +``` +Here, `rsa-sha256` is the signature algorithm +(this is the best available, because DKIM is ancient), +and `relaxed/relaxed` is the so-called *canonicalization* method, +which is applied before signing and verification, +to prevents failures if e.g. the email's whitespace gets changed in transit. + + + +### OpenSMTPD settings + +OpenSMTPD needs to send all outbound mail through `dkimproxy.out`. +In `/etc/smtpd/smtpd.conf`, we tell it that all emails coming from the MUA +must be relayed through `localhost:10027`, and then, after DKIM signing, +picked up again on `localhost:10028`: +```sh +# Outbound +listen on eth0 port 465 smtps pki "example.com" auth <passwds> tag "TRUSTED" +listen on eth0 port 587 tls-require pki "example.com" auth <passwds> tag "TRUSTED" +action "SIGN" relay host "localhost:10027" +match from any tag "TRUSTED" for any action "SIGN" + +listen on lo port 10028 tag "SIGNED" +action "SEND" relay srs +match from any tag "SIGNED" for any action "SEND" +``` +The tag name `TRUSTED` reflects that only messages from trusted +(i.e. authenticated) MUAs should be signed. +After signing, emails get the tag `SIGNED`, +and are sent to their destination as usual. + + + +## SMTP relay + +Instead of sending my emails directly to their destinations, +I now send them to an SMTP relay server, +which then passes them on to their actual destinations. + + + +### Motivation + +Large email providers such as Google, Microsoft and Yahoo +manage many user accounts, so for them it makes sense +to keep track of IP-based sender reputations. +For example, if a number of low-quality emails are sent from a single IP +to many of the accounts they manage, +it's cheaper to simply blacklist that IP entirely at the MTA level, +rather than passing each message through a computationally-intensive spam filter. + +But, as usual, Microsoft has to ruin everything with their draconic policies. +In a stroke of genius, +someone there decided to blindly ban IPs, +seemingly in blocks belonging to VPS providers. +One day, I tried to send an email to an Outlook-based account, +and OpenSMTPD reported it had been unable to make the delivery, +because Microsoft had thrown an error: + +<a href="microsoft-bounce.png"> +<img src="microsoft-bounce.png" class="darkinv" style="width:100%"> +</a> + +To their credit, they seem to be offering a way out. +This approach is reasonable: preventively ban high-risk IP ranges, +and allow "trustworthy" servers at the owner's request. +I got error 5.7.511, asking me to send an email to a support address. +If you're lucky, you may have a different error, +and get the opportunity to use the slick [delist portal](https://sender.office.com/) instead. +The URL in the bounce message links to [this list](https://go.microsoft.com/fwlink/?LinkId=526653) of error codes. + +I confess, I never actually bothered to forward the message to the provided address: +my initial email was time-sensitive, +so I couldn't afford to wait for Microsoft's response. +Also, their customer support's stellar reputation precedes them, +so I chose to use my time more wisely. +Even if they would've resolved it nicely, +there's nothing preventing Microsoft (or any other provider) +from breaking my deliverability again in the future. +Instead, I opted for a compromise. + +As a result of providers' IP reputation systems, +a whole new business has appeared: SMTP relays. +They offer to take the issue out of your hands: +you send your emails through their servers, +and they do their best to deliver them to large providers. +SMTP relays are mostly used for sending marketing emails in bulk, +but are also useful to avoid small-scale problems as described above. +There are many SMTP relay services to choose from, at various prices. + +Using an SMTP relay results in more reliable delivery of your messages to large providers, +but an obvious concern is privacy: +the relay server can read all your outgoing emails (but not incoming), +so you'll have to trust the service you choose. +But it's no worse than using a major provider, +and if you're sending sensitive material, why use email in the first place? +Personally, I use [SMTP2GO](https://www.smtp2go.com/), +but I can't say how good they are; do your own research. + + + +### OpenSMTPD settings + +Once you've chosen an SMTP relay service, let's say `relay.com`, +and set up your account, +they'll let you create credentials to use their SMTP servers. +Suppose these credentials are `<username>` and `<password>`, +create a file `/etc/smtpd/relaypw` with contents: + +```sh +<label> <username>:<password> +``` + +Where `<label>` is a string of your choice. +Note that `<password>` must be plaintext, +because it needs to be provided to the relay server. +To tell OpenSMTPD to use the relay, +edit `/etc/smtpd/smtpd.conf` as follows, +i.e. register the `relaypw` table and modify the `SEND` action: + +```sh +table relaypw "/etc/smtpd/relaypw" + +#action "SEND" relay srs ### Replace this line with the following: +action "SEND" relay host "smtps://<label>@relay.com:465" auth <relaypw> pki "example.com" srs +``` + +With `<label>` replaced by the label you chose earlier, +and `relay.com:465` replaced by the host/port combination +given in the relay service's documentation. +Depending on what they support, you may also need to change the protocol `smtps://` (SMTP over TLS) +to `smtp://` (SMTP with optional STARTTLS) or `smtp+tls://` (SMTP with mandatory STARTTLS). +I recommend SMTPS. + + + +### DNS records + +If you've been paying attention so far, you have a burning question: +what about SPF and stuff? +Wasn't the point to prevent SMTP servers from sending emails on others' behalf? +Well, yes, so you'll need to add some DNS records for the relay to work. +The details depend on which service you choose, +so they'll tell you what to do when you're setting up your account. +As an example, based on my experience with SMTP2GO, +you may need to add two CNAME records like: + +```sh +emXXXXXX.example.com. CNAME return.relay.com. +sXXXXXX._domainkey.example.com. CNAME dkim.relay.com. +``` + +Which, roughly speaking, respectively enable SPF and DKIM. +Here, `XXXXXX` is an ID that the service will provide to you, +since the DNS addresses must be unique. + +Technically, those two DNS records should be enough for SPF and DKIM, +but in practice, it seems that different email providers/tools have slightly +different interpretations of these standards, +and can get confused when an email passes through multiple unaffiliated SMTP servers. +Therefore, I recommend explicitly adding the relay to your SPF policy: + +```sh +example.com TXT "v=spf1 mx include:spf.relay.com -all" +``` + +Your relay service might not publicly document their version of `spf.relay.com`, +but you can find it by looking up your CNAME `emXXXXXX.example.com` (or equivalent) +in MXToolBox' [ SPF tool](https://mxtoolbox.com/spf.aspx). + +I also recommend relaxing your DMARC domain policy for SPF and DKIM, +such that your CNAME subdomains still pass the alignment checks: +```sh +_dmarc.example.com. TXT "v=DMARC1; aspf=r; adkim=r; ..." +``` + +Be sure to check that it's set up correctly +using the website "[Learn and test DMARC](https://www.learndmarc.com/)". diff --git a/source/blog/2022/email-server-revisited/microsoft-bounce.png b/source/blog/2022/email-server-revisited/microsoft-bounce.png Binary files differnew file mode 100644 index 0000000..2d8a2e6 --- /dev/null +++ b/source/blog/2022/email-server-revisited/microsoft-bounce.png diff --git a/source/blog/2022/things-i-use/index.md b/source/blog/2022/things-i-use/index.md new file mode 100644 index 0000000..2f4a2bc --- /dev/null +++ b/source/blog/2022/things-i-use/index.md @@ -0,0 +1,156 @@ +--- +title: "Things I use and recommend" +date: 2022-09-28 +layout: "blog" +toc: true +--- + +I use a lot of software, most of it free and open-source. +I've tried to use much more, but it didn't always go so well, +so I've made a list of the programs I like enough to recommend. +Such a list has been on my website for a long time already; +this is its official publication. + +Last updated on 2022-09-28. + + +## General +* [Neovim](https://neovim.io/): + A modernized fork of the venerable [Vim](https://www.vim.org/) text editor. +* [restic](https://restic.net/): + Good command-line backup program. + You'll need to provide your own storage. +* [Syncthing](https://syncthing.net/): + Synchronizes folders across devices. Decentralized and easy to set up. + + +## Desktop +* [Arch Linux](https://www.archlinux.org/): + The distribution that, for me, delivers the best cost-benefit ratio. + I'm not a big fan of [systemd](https://freedesktop.org/wiki/Software/systemd/) + or [glibc](https://www.gnu.org/software/libc/), + but the fantastic package manager and the huge repositories + make Arch Linux unbeatable for working techies' day-to-day computing. +* [i3](https://i3wm.org/) and [Sway](https://swaywm.org/): + Lightweight window managers. + Once you go tiling, you can never go back. +* [Firefox](https://www.mozilla.org/en-US/firefox/): + Web browsers suck. + This ones sucks the least, and is developed by Mozilla, + who still seem to care about privacy and security, and + who created the [Rust](https://www.rust-lang.org/) language. + Firefox has all the necessary modern features, + and provides an excellent curated set of add-ons. + + [uBlock Origin](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/): + The best adblocker out there. It's free *and* open-source! + + [HTTPS Everywhere](https://www.eff.org/https-everywhere): + In today's world, this should be included in all browsers. + The fact that it's rule-based is unfortunate, but hey, it works. +* [Thunderbird](https://www.thunderbird.net/): + Email clients suck, just like email itself. + This one just sucks less, since it's also made by Mozilla. +* [Alacritty](https://github.com/alacritty/alacritty): + Simple, lightning-fast terminal emulator with + extra goodies like 24-bit colours + and live configuration reloading. +* [pass](https://www.passwordstore.org/): + Password manager for techies. + It's simple, secure, and extensible. + However, I don't think I'll ever understand how to properly manage [GnuPG](https://gnupg.org/) keys, + so I gave up and switched to KeePassXC instead. +* [KeePassXC](https://keepassxc.org/): + User-friendly open-source password manager. + It stores everything in a local encrypted database file, + which is your responsibility to back up and sync. +* [EasyEffects](https://github.com/wwmm/easyeffects): + Real-time audio effects on Linux. + I use it to tweak my headphones' response according to the awesome + [AutoEQ](https://github.com/jaakkopasanen/AutoEq) project's data. +* [Anki](https://ankiweb.net/about): + Flashcard studying software, + with a big [library](https://ankiweb.net/shared/decks/) of community-made decks. + Frankly it's not very user-friendly, but it does the job. +* [Veusz](https://veusz.github.io/): + Fantastic plotting software, + and one of the most underrated open-source tools that I know of. + It gives beautiful plots, can handle *huge* data files, and, + because its files are just plain Python, + you can automatically generate plots with a bit of scripting. +* [KLayout](https://klayout.de/): + Open-source chip layout editor, with advanced scripting functionality. + I would've liked some more keyboard shortcuts by default, + but at least I can make my own. + + +## Server +* [Alpine Linux](https://alpinelinux.org/): + Minimalist distribution powered by + [BusyBox](https://www.busybox.net/) and [musl](https://musl.libc.org/). + It has a large-enough selection of both cutting-edge + and stable packages to be practical. +* [nginx](https://nginx.org/): + Fast, secure and popular HTTP server, + and a breeze to set up. +* [OpenSMTPD](https://opensmtpd.org/): + Email SMTP server by the venerable [OpenBSD](https://www.openbsd.org/) project, + and the only one of its kind that nails the setup experience. +* [Dovecot](https://dovecot.org/): + One of the, if not *the* most popular email IMAP server. + And for good reason: it's fast, secure, and a pleasure to set up. +* [Rspamd](https://www.rspamd.com/): + Spam filter for email. + To be honest, I haven't looked into this one much. + It has lots of advanced features that I barely understand, + but still seems to be the most modern and usable spam filter out there. +* [Zola](https://www.getzola.org/): + Straightforward static site generator written in Rust. + The only thing it's missing is some kind of LaTeX formula support, + which is why I migrated to Hugo. +* [Hugo](https://gohugo.io/): + Another good static site generator, although not quite as nice as Zola in my opinion, + since Hugo's template language is a bit messed up. It still works well though. +* [cgit](https://git.zx2c4.com/cgit/about/): + JavaScript-free online Git frontend, + perfect for private setups. + If you need something more advanced like user accounts, + [Gitea](https://gitea.io) is a good choice too. +* [acme.sh](https://github.com/acmesh-official/acme.sh): + Straightforward tool to manage TLS certificates + issued by [Let's Encrypt](https://letsencrypt.org/). + + +## Android +* [LineageOS](https://lineageos.org/): + Had enough of vendor-specific crap in Android? + This open-source distribution has good hardware support + and enough momentum to be the *de facto* standard version + of Android for tinkerers. +* [microG](https://microg.org/): + Takes the Google out of Android + by reimplementing proprietary libraries. + It works very well; the only problem I've experienced is + that push notifications take longer to arrive than usual. + Installation is tricky, but they offer + a [custom LineageOS](https://lineage.microg.org/) to make it easy. +* [AdAway](https://adaway.org/): + Effective system-wide adblocker + that should work for all your apps. +* [Aegis](https://getaegis.app/): + Secure open-source 2FA authenticator app. +* [Insular](https://f-droid.org/en/packages/com.oasisfeng.island.fdroid/): + Isolates untrusted apps in an Android Work Profile. +* [AnkiDroid](https://f-droid.org/en/packages/com.ichi2.anki/): + Good mobile frontend for [Anki](https://ankiweb.net/about). + + +## Services +* [Gandi](https://www.gandi.net/): + European domain registrar with the motto + "No bullshit since 1999". They provide an honest, + high-quality service at a competitive price. + This statement is not sponsored. +* [Let's Encrypt](https://letsencrypt.org/): + Provides free TLS encryption certificates + to anybody who asks politely, thereby making + online security more accessible for small sites like this one. + |