1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
|
+++
title = "Setting up an email server in 2020 with Dovecot and OpenSMTPD: extras"
+++
#
This sequel to my earlier [guide](/blog/2020/email-server/) discusses
extra tips and tricks to extend your email setup.
This page will be updated continuously as I come up with ideas.
Last updated 2020-04-29.
## General
### Multiple domains
You can generalize your setup to handle multiple domains
with very little effort. In the following,
I'll assume that your two domains are called `foo.com` and `bar.com`.
#### DNS records
There should be MX, SPF, DKIM and DMARC records for both domains,
as explained in the previous guide. Fortunately, these records
can have identical contents for both domains!
However, it remains essential that the mail server's mailname
and reverse DNS domain name match up exactly,
so you should create MX records with that in mind.
Therefore, if the email server for both domains has `mx1.foo.com`
as reverse DNS name, the MX records should look like this:
```sh
foo.com. MX 42 mx1.foo.com.
bar.com. MX 42 mx1.foo.com.
```
This is perfectly valid: the only thing that matters is that
what your SMTP server calls itself agrees with what reverse DNS
says that the server is actually called.
#### Dovecot
To make Dovecot aware of multiple domains,
you only need to update the `/etc/dovecot/users` file
to add accounts for both domains.
However, in the original guide, I said to only write `user`
in the file, without the `@foo.com`, for an address `user@foo.com`.
Unsurprisingly, that isn't an option for multiple domains,
so you must put the full address in `/etc/dovecot/users`.
Then update `/etc/dovecot/dovecot.conf` to reflect that,
by changing `%n` to `%u` in `username_format`:
```sh
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users
override_fields = uid=vmail gid=vmail home=/home/vmail/%d/%n
}
```
Also note the change in the `home` setting:
the inbox of a user `user@foo.com` will now be stored
in `/home/vmail/foo.com/user`.
That's all you need to change.
#### OpenSMTPD
To inform OpenSMTPD of all the domains,
create a new file `/etc/smtpd/domains`,
and in there put all desired names on their own line:
```sh
foo.com
bar.com
```
And as I mentioned when discussing the DNS records,
you should check that `/etc/smtpd/mailname` agrees
with your server's reverse DNS.
Then, in the main configuration file, tell OpenSMTPD to
use the new domains file when deciding whether to accept an message,
by declaring a new table and changing the `match` line for inbound mail:
```sh
table domains "/etc/smtpd/domains"
# ...
match from any for domain <domains> action "RECV"
```
#### Rspamd
The last thing to do is to inform Rspamd of the multiple domains.
It's really easy: simply add multiple domain blocks:
```c
domain {
foo.com {
path = "/path/to/dkim/private.key";
selector = "hello";
}
}
domain {
bar.com {
path = "/path/to/dkim/private.key";
selector = "world";
}
}
```
## Dovecot
### Catchall inbox
In Dovecot, you can create a catch-all inbox that will accept all
emails sent to your domain that don't match anyone in `/etc/dovecot/users`.
Just add another `userdb` block *after* the first:
```sh
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/vmail/catchall allow_all_users=yes
}
```
The `static` driver means there is no table file:
all configuration is directly within this `userdb` block.
If we don't specify `allow_all_users=yes`, then Dovecot
will check whether users exist using the `passdb` table,
and will conclude that the recipient is invalid.
## OpenSMTPD
### Client certificates (in addition to passwords)
You can configure OpenSMTPD to request a client certificate
for sending emails, as a second factor for authentication.
#### Creating certificates
We need to start with some cryptography to create and verify certificates.
I recommend that you do all of this on your trusted *client* device,
and only copy the necessary files to the server later.
DISCLAIMER:
All the keys and certificates that we'll generate in this section are
for **private use** only, to handle a small number of trusted clients.
I'm not a cryptography expert, so you should **not** listen to me
for large-scale systems that may involve untrusted devices.
The first step is to set up a private Certificate Authority (CA),
which issues the client certificates and can be used to verify them.
Start by generating an RSA private key,
which you should store in a safe place and not share with anyone:
```sh
$ openssl genrsa -out mailca.key 2048
```
Extract a public certificate from this key as follows.
Because we're lazy, we give it a lifetime of 36500 days:
```sh
$ openssl req -new -x509 -days 36500 -key mailca.key -out mailca.crt
```
When running this command, OpenSSL will ask you some questions
about who this certificate is intended for.
Since this is for personal use, your answers don't matter,
so just use the defaults.
Some fields (I think only *Country Name* and *Organization Name*)
cannot be empty, but the others can.
Moving on to the client, once again generate an RSA private key:
```sh
$ openssl genrsa -out mailclient.key 2048
```
From this private key, create a Certificate Signing Request (CSR)
as follows, where you'll be asked the same questions as before:
```sh
$ openssl req -new -key mailclient.key -out mailclient.csr
```
By feeding this CSR to the CA, we can create a signed client certificate
that can be verified using the CA's public certificate.
```sh
$ openssl x509 -req -in mailclient.csr -out mailclient.crt \
-days 36499 -CA mailca.crt -CAkey mailca.key
```
If you want to multiple client certificates,
just repeat the last few steps for each one.
#### Server configuration
OpenSMTPD needs to verify the validity of client certificates
using the CA's public certificate, so you should copy that
to somewhere on the server, e.g. `/etc/smtpd/mailca.crt`,
and declare it to OpenSMTPD by adding this near
the top of `/etc/smtpd/smtpd.conf`:
```sh
ca "mailca" cert "/etc/smtpd/mailca.crt"
```
Then replace the entire configuration for outbound mail as follows.
Note that this removes SMTPS support, leaving only STARTTLS:
```sh
# Outbound
listen on eth0 port 587 tls-require verify pki "example.com" ca "mailca" auth <passwds> filter "rspamd"
action "SEND" relay srs
match from any auth for any action "SEND"
```
The magic word here is "`verify`", which tells OpenSMTPD
to ask for a client certificate and to verify it using the given CA.
#### Client configuration
Now you won't be able to send emails if your client doesn't
present its certificate to the server!
Unfortunately, not all mail clients support this; personally
I use [Thunderbird](https://www.thunderbird.net/) with success.
I won't include any client-specific configuration here,
but I will say this:
For some clients (like Thunderbird), you'll have an easier time
importing your client certificate if you encode it in the
[PKCS #12](https://en.wikipedia.org/wiki/PKCS_12) storage format:
```sh
$ openssl pkcs12 -export -in mailclient.crt -inkey mailclient.key \
-certfile mailca.crt -out mailclient.pfx
```
OpenSSL will ask you to set a password, which you'll need to
enter again when importing the certificate into the client.
### Client certificates (instead of passwords)
If you really want to, you can use the client certificates
as a substitute for passwords. This is especially useful
if you set up a catchall inbox in Dovecot,
because this will allow you to send emails
from arbitrary addresses from your domain.
To do this, follow the same procedure as in the previous section,
but with a slightly different OpenSMTPD configuration:
```sh
listen on eth0 port 587 tls-require verify pki "example.com" ca "mailca" filter "rspamd" tag "VALID"
action "SEND" relay srs
match from any tag "VALID" for any action "SEND"
```
All incoming connections that present a good certificate
will be tagged as being `VALID`, and their mail will be relayed.
Unfortunately, we're not quite done yet here,
because Rspamd is now very confused...
#### Rspamd
When OpenSMTPD passes a message through Rspamd, it also includes
some metadata, most notably whether the sender has authenticated
successfully with OpenSMTPD... which is now no longer the case
for submissions, because we've removed the `auth` directive!
Rspamd therefore starts regarding these outgoing emails
as *incoming* emails, because they don't seem
to come from a trusted user. So instead of signing them with DKIM
and handing them back to OpenSMTPD, it will do a full spam scan.
If they get a high spam score (which is likely for short test emails),
*your* spam filter, running on *your* server,
will be flagging *your* messages as spam!
The solution is to whitelist your domain(s) in Rspamd,
so it won't scan them. To do this, create a new file
`/etc/rspamd/local.d/settings.conf` with these contents,
where `foo.com` and `bar.com` are the domains to whitelist:
```c
outbound {
priority = high;
from = "@foo.com";
from = "@bar.com";
apply {
actions {
add_header = 1000;
}
}
}
```
Setting `priority` to `high` ensures that Rspamd checks
this rule before doing anything else.
You can add any number of `from` directives;
this rule will be applied if any of them match.
It only sets the threshold for the action `add_header` to `1000`.
That is, if the email doesn't get a spam score of at least 1000
(the default is 6) Rspamd will not add any spam tags.
Because Rspamd is still regarding your emails as inbound,
you also need to change the global settings of
the DKIM signer in `/etc/rspamd/local.d/dkim_signing.conf`,
such that they include the following:
```c
sign_inbound = true;
allow_hdrfrom_mismatch = true;
allow_username_mismatch = true;
```
This tells Rspamd to add DKIM signatures to incoming emails,
which in this case includes yours.
Allowing these mismatches ensures that the messages still get signed,
even if you're sending from an arbitrary address.
|