
Email

The most important service on kasad.com is the mail server. It is actually made up of multiple services that handle different aspects of the email process.

These parts are listed in the following table. Each service name links to its respective page.

Service | Protocol | Description
Postfix | SMTP | Handles sending mail from kasad.com and receiving mail addressed to kasad.com from other servers
Dovecot | IMAP | Handles storage of emails on the kasad.com server and provides email clients with access to those emails
dkimpy-milter | DKIM | Signs outgoing emails so the recipient's email server can verify their legitimacy. Can also verify the signatures on incoming mail.

In addition to these services, some DNS records are required to ensure functionality of the email server.

Domain names

The mail server for the kasad.com domain is mail.kasad.com. Both of these names point to the same server. The hostname of the server, as far as Postfix is concerned, is mail.kasad.com, since that is the name clients will expect to connect to. However, we still want to send and receive mail as <user>@kasad.com.

We'll refer to kasad.com as our domain and mail.kasad.com as our mail server's hostname.

DNS Records

Mail servers use multiple DNS records to provide information about their functionality:

Name | DNS record type | Purpose
MX | MX | Defines the address of the mail server for its domain. Used by other MTAs to find the mail server for mail addressed to kasad.com.
A | A | Specifies the IPv4 address for the given hostname.
AAAA | AAAA | Same as A, but for IPv6.
SPF | TXT | Defines a list of rules about which IP addresses are allowed to send mail for the record's domain. Used to prevent forged sender addresses.
DKIM | TXT | Lists the public key used for DKIM signing of outgoing mail.
DMARC | TXT | Sets rules for recipient MTAs to follow regarding DKIM/SPF policy failures. Also lists instructions for recipient MTAs to follow to report DKIM/SPF failures.

A/AAAA records

These are the simplest type of record. They simply define the IP address that a given hostname corresponds to.

We define an A and an AAAA record for kasad.com that points to our server. Instead of defining a second A/AAAA record for mail.kasad.com, we use a CNAME record that points to kasad.com.

MX records

The MX record specifies the mail server for a given domain. Other MTAs use this when trying to send mail to our domain. Mail addressed to anything ending in @kasad.com will be sent to the mail server listed in the MX record for kasad.com.

We define an MX record for kasad.com with the value mail.kasad.com. This makes mail.kasad.com the mail server for the kasad.com domain.

SPF records

Sender Policy Framework (SPF) is a simple mechanism to help prevent sender address forgery. It accomplishes this by specifying a list of IP addresses that are allowed to send mail for the given domain. SPF, on its own, only checks the envelope sender (MAIL FROM) address. This means the From: header can still be spoofed. Enable DMARC to protect against this.

SPF records are just TXT records with specific content. The SPF rules can be customized to your liking. The rules listed below are the ones I've decided to use.

We define a TXT record for kasad.com with the following content:

v=spf1 +mx +a:kasad.com +a:mail.kasad.com -all
  • v=spf1: Specifies the SPF version
  • +mx: Allow IP addresses pointed to by the MX record for our domain to send mail for the kasad.com domain
  • +a:kasad.com: Allow IP addresses pointed to by the A record for kasad.com to send mail for the kasad.com domain
  • +a:mail.kasad.com: Allow IP addresses pointed to by the A record for mail.kasad.com to send mail for the kasad.com domain
  • -all: Reject mail sent from all other IP addresses. This must be the last parameter.

Both +a: rules are likely redundant, as the MX record already points to our mail server and is allowed in a previous rule. That being said, better safe than sorry.
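As an added example (not part of the original page), here is how a recipient MTA evaluates the SPF record above. It uses a constructed in-memory zone with hypothetical addresses (203.0.113.10 and 2001:db8::10 stand in for the server's real addresses, which the page does not give), follows the mail.kasad.com CNAME the way a resolver would, and implements only the mechanisms this record uses; lookup, host_addrs and check_spf are names chosen here.

```python
import ipaddress

# Constructed zone data modelling the records described on the page; the
# addresses are hypothetical placeholders, the page does not give the real ones.
ZONE = {
    "kasad.com": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"],
                  "MX": ["mail.kasad.com"],
                  "TXT": ["v=spf1 +mx +a:kasad.com +a:mail.kasad.com -all"]},
    "mail.kasad.com": {"CNAME": "kasad.com"},  # as described under A/AAAA records
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Records of type rtype for name, following a CNAME the way a resolver does."""
    node = ZONE.get(name, {})
    if "CNAME" in node:
        return lookup(node["CNAME"], rtype)
    return node.get(rtype, [])

def host_addrs(name):
    """All IPv4 and IPv6 addresses a hostname resolves to."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]

def check_spf(domain, sender_ip):
    """Evaluate domain's SPF policy for sender_ip: 'pass', 'fail', 'softfail',
    'neutral', or 'none' when no single usable record exists. Only the mechanisms
    the page's record uses (a, mx, all) are implemented; others raise."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if len(records) != 1:  # zero or several SPF records: no usable policy
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"  # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain  # "a"/"mx" with no argument mean the domain itself
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in host_addrs(target)
        elif mech == "mx":
            matched = any(ip in host_addrs(mx) for mx in lookup(target, "MX"))
        else:
            raise ValueError(f"unsupported SPF mechanism: {mech}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched (unreachable with a trailing -all)
```

Because the +mx mechanism resolves to the same addresses as both +a: mechanisms, the first match is always +mx, which is why the page calls the +a: rules redundant.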

DKIM records

The DKIM record holds the public key that corresponds to our DKIM signing key. MTAs that receive mail from us will retrieve our public key from the DKIM DNS record and use it to verify the mail's DKIM signature. It is important that this record is kept up to date with our DKIM configuration, otherwise recipient MTAs may mark our messages as being forged or as spam.

We generated the value for this record when setting up our DKIM service. See here for details. The DNS record content will be saved in the <keyname>.dns file.

DKIM records are just TXT records. However, the record name must be <selector>._domainkey.<domain>, where <selector> is the selector we chose in our DKIM configuration and <domain> is our domain.

We define a TXT record for mail._domainkey.kasad.com with the following content:

v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxOlorHTT/rsI5WWobgA0/+XRWAav1F5As1YoUVEUknIPbIJDuMIbEbV468XdHsp63PvwF2uz9A3iEefaGIMOpcJrgIcb3X5el0/x89kxK/zDDruiAzpcLwdy6urEmQhdRfoi1stdOhDlo8dNQj5vRORceJ2v5fUJ3VUV9eWd7cGOjhladUWedYgdIdiYqsbR6CeYIhpKK1v414UmtB1sKcxHgxbROm+yjM6iJaSQbF9iLUlBEHOBfRc1vVuw0N+LQpRDNaaHSom0SusrMnXnjb33ANNCFMITwL9fZm9mR+sR+m+2QGvhLyODJMsxRCBKSSZhrjP2Csa80ZnOtNX91QIDAQAB

There must not be any whitespace in the value of the p= key. Do not insert spaces or line breaks.

DMARC records

DMARC records are used to tell other MTAs how to handle SPF and DKIM failures, as well as how to report these failures (and non-failures, if wanted). DMARC records can be a little complex. The DMARC record we use is explained below, but the alternative options are not. To learn more, see learndmarc.com for an interactive DMARC demonstration. To make it easier to create your own DMARC record, see Scott Kitterman's DMARC Record Assistant.

Like SPF and DKIM, DMARC records are also implemented using DNS TXT records. The DMARC TXT record must be made for _dmarc.<domain>, where <domain> is our domain.

We define a TXT record for _dmarc.kasad.com with the following content:

v=DMARC1; p=none; rua=mailto:dmarc+aggregate@kasad.com; ruf=mailto:dmarc+failures@kasad.com; fo=1; rf=afrf; sp=none
  • v=DMARC1: Specify DMARC version 1 is in use.
  • p=none: Don't do anything for mail that fails SPF and DKIM.
  • sp=none: Same as p= parameter, but for subdomains only.
  • rua=mailto:dmarc+aggregate@kasad.com: Send aggregate data reports to dmarc+aggregate@kasad.com. These reports are typically sent daily by recipient MTAs.
  • ruf=mailto:dmarc+failures@kasad.com: Report DKIM/SPF policy failures to dmarc+failures@kasad.com.
  • fo=1: Send a failure report if either SPF or DKIM fails. Normally a report is sent only when both fail.
  • rf=afrf: Specify AFRF report format. This is the only supported format currently.
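As an added example covering both the DKIM and DMARC records above (not code from the page), here is a small linter for the two TXT records: it checks the record names (<selector>._domainkey.<domain> and _dmarc.<domain>), enforces the no-whitespace rule on the DKIM p= value, and validates the DMARC tags used above. parse_tags, lint_dkim and lint_dmarc are names chosen here; any key material passed in for testing is a constructed placeholder, not a real key.

```python
import base64
import re

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip(), value.strip()))
    return pairs

def lint_dkim(name, record, selector, domain):
    """Problems with a DKIM key record; an empty list means it looks right."""
    problems = []
    if name != f"{selector}._domainkey.{domain}":
        problems.append(f"name must be {selector}._domainkey.{domain}")
    tags = dict(parse_tags(record))
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 missing")
    p = tags.get("p", "")
    if not p:
        problems.append("p= (public key) missing")
    elif re.search(r"\s", p):
        problems.append("p= contains whitespace")  # the page's hard rule for p=
    try:  # base64.b64decode raises ValueError (binascii.Error) on bad input
        base64.b64decode(re.sub(r"\s", "", p), validate=True)
    except ValueError:
        problems.append("p= is not valid base64")
    return problems

def lint_dmarc(name, record, domain):
    """Problems with a DMARC policy record; an empty list means it looks right."""
    problems = []
    if name != f"_dmarc.{domain}":
        problems.append(f"name must be _dmarc.{domain}")
    tags = parse_tags(record)
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    d = dict(tags)
    if d.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= is required and must be none, quarantine or reject")
    for tag in ("rua", "ruf"):  # report destinations
        uris = [u.strip() for u in d.get(tag, "").split(",") if u.strip()]
        if any(not u.startswith("mailto:") for u in uris):
            problems.append(f"{tag}= must list mailto: URIs")
    if not set(d.get("fo", "0").split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo= must be 0, 1, d or s")
    return problems
```

Running lint_dkim against a p= value that has been wrapped or padded with spaces by a DNS web UI reports the whitespace before the record goes live.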