Setup Guide¶
Mail servers can be a tricky thing to set up. This guide is supposed to
run you through the most important steps to achieve a 10/10 score on
mail-tester.com
.
What you need:
- A server with a public IP (referred to as
server-IP
) - A Fully Qualified Domain Name (
FQDN
) where your server is reachable, so that other servers can find yours. Common FQDN includemx.example.com
(whereexample.com
is a domain you own) ormail.example.com
. The domain is referred to asserver-domain
(example.com
in the above example) and theFQDN
is referred to byserver-FQDN
(mx.example.com
above). - A list of domains you want to your email server to serve. (Note that
this does not have to include
server-domain
, but may of course). These will be referred to asdomains
. As an example,domains = [ example1.com, example2.com ]
.
Setup server¶
The following describes a server setup that is fairly complete. Even
though there are more possible options (see default.nix
), these
should be the most common ones.
{ config, pkgs, ... }:
{
imports = [
(builtins.fetchTarball {
# Pick a commit from the branch you are interested in
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/A-COMMIT-ID/nixos-mailserver-A-COMMIT-ID.tar.gz";
# And set its hash
sha256 = "0000000000000000000000000000000000000000000000000000";
})
];
mailserver = {
enable = true;
fqdn = <server-FQDN>;
domains = [ <domains> ];
# A list of all login accounts. To create the password hashes, use
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
loginAccounts = {
"user1@example.com" = {
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
aliases = [
"postmaster@example.com"
"postmaster@example2.com"
];
# Make this user the catchAll address for domains example.com and
# example2.com
catchAll = [
"example.com"
"example2.com"
];
};
"user2@example.com" = { ... };
};
# Extra virtual aliases. These are email addresses that are forwarded to
# loginAccounts addresses.
extraVirtualAliases = {
# address = forward address;
"abuse@example.com" = "user1@example.com";
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = 3;
# Enable IMAP and POP3
enableImap = true;
enablePop3 = true;
enableImapSsl = true;
enablePop3Ssl = true;
# Enable the ManageSieve protocol
enableManageSieve = true;
# whether to scan inbound emails for viruses (note that this requires at least
# 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
virusScanning = false;
};
}
After a nixos-rebuild switch --upgrade
your server should be good to
go. If you want to use nixops
to deploy the server, look in the
subfolder nixops
for some inspiration.
If you’re using flakes, you can use
the following minimal flake.nix
as an example:
{
description = "NixOS configuration";
inputs.simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
outputs = { self, nixpkgs, simple-nixos-mailserver }: {
nixosConfigurations = {
hostname = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
simple-nixos-mailserver.nixosModule
{
mailserver = {
enable = true;
# ...
};
}
];
};
};
};
}
Setup everything else¶
Step 1: Set DNS entry for server¶
Add a DNS record to the domain server-domain
with the following
entries
Name (Subdomain) | TTL | Type | Priority | Value |
---|---|---|---|---|
server-FQDN |
10800 | A | server-IP |
This resolves DNS queries for server-FQDN
to server-IP
. You can
test if your setting is correct by
ping <server-FQDN>
Expected output:
64 bytes from <server-FQDN> (<server-IP>): icmp_seq=1 ttl=46 time=21.3 ms
...
Note that it can take a while until a DNS entry is propagated.
Step 2: Set rDNS (reverse DNS) entry for server¶
Wherever you have rented your server, you should be able to set reverse
DNS entries for the IP’s you own. Add an entry resolving server-IP
to server-FQDN
You can test if your setting is correct by
host <server-IP>
Expected output:
<server-IP-octets-reversed>.in-addr.arpa domain name pointer <server-FQDN>.
Note that it can take a while until a DNS entry is propagated.
Step 3: Set MX
Records¶
For every domain
in domains
do: * Add a MX
record to the
domain domain
| Name (Subdomain) | TTL | Type | Priority | Value |
| ---------------- | ----- | ---- | -------- | ----------------- |
| `domain` | | MX | 10 | `server-FQDN` |
You can test this via
dig -t MX <domain>
Expected output:
...
;; ANSWER SECTION:
<domain> 10800 IN MX 10 <server-FQDN>
...
Note that it can take a while until a DNS entry is propagated.
Step 4: Set SPF
Records¶
For every domain
in domains
do: * Add a SPF
record to the
domain domain
| Name (Subdomain) | TTL | Type | Priority | Value |
| ---------------- | ----- | ---- | -------- | ----------------- |
| `domain` | 10800 | TXT | | `v=spf1 ip4:<server-IP> -all` |
You can check this with dig -t TXT <domain>
similar to the last
section. Note that SPF
records are set as TXT
records since
RFC1035.
Note that it can take a while until a DNS entry is propagated. If you want to use multiple servers for your email handling, don’t forget to add all server IP’s to this list.
Step 5: Set DKIM
signature¶
In this section we assume that your dkimSelector
is set to mail
.
If you have a different selector, replace all mail
’s below
accordingly.
For every domain
in domains
do: * Go to your server and
navigate to the dkim key directory (by default /var/dkim
). There you
will find a public key for any domain in the domain.txt
file. It
will look like
mail._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=<really-long-key>" ; ----- DKIM mail for domain.tld
* Add a DKIM
record to the domain domain
| Name (Subdomain) | TTL | Type | Priority | Value |
| ---------------- | ----- | ---- | -------- | ----------------- |
| mail._domainkey.`domain` | 10800 | TXT | | `v=DKIM1; p=<really-long-key>` |
You can check this with dig -t TXT mail._domainkey.<domain>
similar
to the last section.
Note that it can take a while until a DNS entry is propagated.
Step 6: Set DMARC
record¶
For every domain
in domains
do:
Add a
DMARC
record to the domaindomain
Name (Subdomain) TTL Type Priority Value _dmarc. domain
10800 TXT v=DMARC1; p=none
You can check this with dig -t TXT _dmarc.<domain>
similar to the
last section.
Note that it can take a while until a DNS entry is propagated.
Test your Setup¶
Write an email to your aunt (who has been waiting for your reply far too long), and sign up for some of the finest newsletters the Internet has. Maybe you want to sign up for the SNM Announcement List?
Besides that, you can send an email to mail-tester.com and see how you score, and let mxtoolbox.com take a look at your setup, but if you followed the steps closely then everything should be awesome!