Skip to content

CyBeRoni/mi-poop-mail

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

mi-poop-mail

This is a machine image for an e-mail server based on Exim, Dovecot, Clamav and Spamassassin. It is suitable mostly for low to medium-volume use, such as for personal use or a small business.

Please refer to https://github.com/joyent/mibe for use of this repo.

Use with base-64 image from Joyent; tested with 15.4.0.

Metadata

The following customer_metadata is used:

  • dovecot:qualify_domain - Domain to use as the authentication realm if the client presents none (default: none)
  • dovecot:primary_hostname - Hostname to use for TLS (default: system hostname)
  • exim:qualify_domain: - Domain to append to addresses when only a local_part is given
  • system:ssh_disabled - Whether or not to disable the ssh daemon (default: false)
  • system:timezone - What timezone to use
  • backup:increments: How many daily backup increments before a new full backup is made (default: 28)
  • backup:retain: How long backups are retained, in weeks (default: '8)
  • backup:openssl_key: aes-128-cbc key to encrypt backup tarballs with before uploading (128-bit hex)
  • backup:openssl_iv: see above, but iv
  • backup🪣 what bucket to use (example: gs://my-mail-backup)
  • boto:gs_oauth2_refresh_token: the "gs_oauth2_refresh_token" setting from boto.cfg to access google cloud storage
  • boto:default_project_id: the "default_project_id" setting from boto.cfg to specify what GCS project to use

Services

When running, the following services are exposed to the network on both IPv4 and IPv6:

  • 25, 587: SMTP (tls required for authentication)
  • 143, 993: IMAP (tls required)
  • 4190: ManageSieve (tls required)
  • 22: SSH (if not disabled)
  • 80: web (briefly, when requesting Let's Encrypt certificates only.)

Data

This image requires a delegated dataset. It will be mounted at /srv/mail and will store user mailboxes. Also on this dataset is the user information:

  • /srv/mail/passwd/<domain>: users per domain, formatted as user:passwd where passwd can be had using 'doveadm pw'
  • /srv/mail/aliases/<domain>: aliases per domain, formatted as user:destination

TLS certificates from Let's Encrypt are used. They are stored on the delegated dataset in /srv/mail/ssl/acme. Acmetool is used to request them. By default the dovecot primary_hostname and system hostname are requested in a single cert. To request more certificates, use acmetool want.

Exim keeps its spool in /srv/mail/exim/spool so it is preserved upon reprovision. Also there are some configuration lists in /srv/mail/exim/conf:

  • global_aliases: aliases that exist in all handled domains. Suggested use is for a 'postmaster' alias.
  • rewrite_domains: domains to rewrite to another domain, as domain: newdomain
  • relay_from_hosts: hosts to relay for without authentication
  • relay_to_domains: domains to be a secondary mx for, or otherwise relay to without authentication
  • senderverify_exceptions: e-mail addresses to accept (on 'MAIL FROM:') without doing a verification callout
  • dkim_required: domains (wildcard-matched) for which a valid DKIM signature is required to accept e-mail

Dovecot allows local configuration in /srv/mail/dovecot/conf/local.conf. This can be used for example to add an imapc config to migrate mail from another server.

A script is run nightly to create incremental tar-based backups and upload them to Google Cloud Storage. This should be adaptable to S3-based storage with minimal effort if necessary. It encrypts the tar files using openssl aes-128-cbc before uploading them, and saves the most recent tar in /srv/mail/backups for immediate use. If any of the required metadata keys (key, iv, bucket) are not set, the script will not run.

Example JSON

{
  "brand": "joyent",
  "image_uuid": "",
  "alias": "poopmail",
  "hostname": "poopmail",
  "dns_domain": "poop.nl",
  "max_physical_memory": 1536,
  "cpu_shares": 100,
  "quota": 100,
  "delegate_dataset": "true",
  "nics": [
    {
      "nic_tag": "admin",
      "ips": ["1.2.3.4/24", "2001::1/64"],
      "gateways": ["1.2.3.1"],
      "primary": "true"
    }
  ],
  "resolvers": [
    "8.8.8.8",
    "8.8.4.4"
  ],
  "customer_metadata": {
    "system:ssh_disabled": "true",
    "system:timezone": "Europe/Amsterdam",
    "dovecot:qualify_domain": "cyberhq.nl",
    "dovecot:primary_hostname": "mail.poop.nl"
  }
}

About

SmartOS machine image builder for a mail server

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages