# choose MTA



## d3c0 (Apr 13, 2020)

good day,
I am new to FreeBSD and want to use it in all my web projects.
Now I am in doubt about which MTA I should use, whether Sendmail or Postfix.

Please, I need to know which is the most reliable to use.

Thank you.


----------



## tingo (Apr 13, 2020)

Both sendmail and postfix are very reliable. If you are unfamiliar with MTA configuring, postfix is easier to configure, IMHO.


----------



## ralphbsz (Apr 13, 2020)

In this day and age, few people actually use MTAs. That's because setting one up has become hard, due to spam. Most mail forwarders and input hosts will not accept mail from arbitrary hosts, unless authentication has been arranged carefully. Most people just forward their mail to an external mail hosting provider. While sendmail (and presumably postfix) can be taught to do that, there are much simpler packages that can accomplish the same thing.


----------



## Lamia (Apr 14, 2020)

This is a million dollar question.
Given that you're just getting started, Sendmail might be a good start. Postfix is quite advanced. You can also take a look at OpenSMTPD.


----------



## hruodr (Apr 14, 2020)

It is a myth that sendmail is (today) harder to configure than others. I have sendmail configured and gave up configuring others. Mail is a simple and old technique, but among the usual servers an MTA is the most difficult to configure. Better to concentrate your efforts on sendmail instead of searching for alternatives.


----------



## hruodr (Apr 14, 2020)

ralphbsz said:


> Most mail forwarders and input hosts will not accept mail from arbitrary hosts, unless authentication has been arranged carefully.



Authentication is for receiving mail, that is very simple with sendmail. What he needs for relaying to others depends more on the DNS than on the MTA:

- Sender Policy Framework - Wikipedia (en.wikipedia.org)
- DomainKeys Identified Mail - Wikipedia (en.wikipedia.org)
- DMARC - Wikipedia (en.wikipedia.org)

(I never configured the last).


----------



## zirias@ (Apr 14, 2020)

For an MTA nowadays, I'd say just use the one you already know and feel comfortable with configuring. Many years ago, when Debian switched their default MTA from sendmail to exim, I followed that some time later, and found it a lot easier to understand exim's configuration. Since then, I never used any other MTA, mainly because I don't want to start learning all over 

But yes, what others wrote is important to consider: Setting up your own mail domain is a lot of work and hard to get correct nowadays. Back when I started, setting an MX to your home server (even on a dialup connection) worked pretty well and you could also send from there without issues -- these times are long gone. I now have a setup with an external mail gateway on a rented virtual machine that communicates with my home server through a VPN tunnel (of course, you could also have a public host only). Without at least configuring SPF and DKIM correctly, many receivers will still reject your mail, or at least sort it out as spam. You should also publish a DMARC policy in your DNS and register with dnswl.org. And of course, the first and most important thing to do is configuring your mail system so it's really secure. There must be no chance it's ever used as a relay (otherwise you'll be on all the RBLs in no time). And you have to always keep the host system secure and up to date -- spammers are also looking for security holes in mail systems to exploit, so they can abuse them for sending spam that correctly authenticates with SPF/DKIM. This happened to me once, fortunately only on a server about to be decommissioned, so I could take it down immediately and the "burned" IP address wasn't used for sending mail any more.

So, why run your own MTA at all? The advantage for me is, as often, being in control myself. I can keep my inboxes clean by running rspamd myself (which rejects currently ~80% of all incoming mail, and this doesn't count all the crap exim rejects before even asking the spam filter, because of failed sender verification). I also like having my mailboxes stored on my own hardware. But you should really think about whether this is worth all the work (setup and maintenance) that is necessary.
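
The SPF and DMARC records hruodr and Zirias mention above are plain TXT records, and a large share of the rejections Zirias describes come from a handful of mistakes in them: two SPF records at the same name, a `+all`, more than ten lookup mechanisms, no DMARC policy at all. The following is an added example, not code from the thread or from any MTA: an offline checker for those records, following RFC 7208 (SPF) and RFC 7489 (DMARC). The record strings are constructed test data and the `example.org` / `example.net` names are placeholders; for a real domain, feed it the output of `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain`.

```python
"""Offline sanity checks for the SPF and DMARC TXT records of a mail domain.

Added example; not code from the thread or from any MTA. The records at the
bottom are constructed test data, not real zones. Rules follow RFC 7208 (SPF)
and RFC 7489 (DMARC).
"""

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-lookup terms is a permerror
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(txt_records):
    """Return a list of problems found in a domain's SPF record(s).

    txt_records is every TXT string published at the domain apex.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send for you"]
    problems = []
    if len(spf) > 1:
        problems.append("more than one SPF record: receivers treat this as permerror")
    lookups = 0
    terminal = None
    for term in spf[0].split()[1:]:
        qualifier = "+"  # RFC 7208: a mechanism without qualifier means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism name is the part before ':' (mechanisms) or '=' (modifiers)
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("ptr mechanism: slow, unreliable and discouraged by RFC 7208")
        if name == "all":
            terminal = qualifier
        elif name == "redirect":
            terminal = "redirect"
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    if terminal is None:
        problems.append("no 'all' or redirect= at the end: unlisted senders get 'neutral'")
    elif terminal == "+":
        problems.append("'+all' authorises every host on the internet to send as your domain")
    return problems


def check_dmarc(txt_records):
    """Return a list of problems found in the TXT record(s) at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record: receivers apply no policy and send no reports"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag (required by RFC 7489)")
    elif policy == "none":
        problems.append("p=none only monitors; move to quarantine/reject once SPF and DKIM align")
    if "rua" not in tags:
        problems.append("no rua= address: you will receive no aggregate reports")
    return problems


# Constructed test records (documentation names, not real zones).
GOOD_SPF = ["v=spf1 mx ip4:192.0.2.10 -all"]
OPEN_SPF = ["v=spf1 +all"]
DUPLICATE_SPF = ["v=spf1 -all", "v=spf1 mx ~all"]
LOOKUP_HEAVY_SPF = ["v=spf1 " + " ".join(f"include:_spf{i}.example.net" for i in range(11)) + " -all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"]
MONITOR_ONLY_DMARC = ["v=DMARC1; p=none"]

if __name__ == "__main__":
    for label, rec in [("good", GOOD_SPF), ("open", OPEN_SPF),
                       ("duplicate", DUPLICATE_SPF), ("lookup-heavy", LOOKUP_HEAVY_SPF)]:
        print(f"SPF {label}: {check_spf(rec) or ['ok']}")
    for label, rec in [("good", GOOD_DMARC), ("monitor-only", MONITOR_ONLY_DMARC)]:
        print(f"DMARC {label}: {check_dmarc(rec) or ['ok']}")
```

The checker is deliberately syntactic: it does not follow `include:` chains or verify that the listed hosts are the ones actually sending, which is what a receiver does at SMTP time. Its value is catching the publishing mistakes that make a correctly sending host fail anyway.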


----------



## 20-100-2fe (Apr 14, 2020)

I have used Postfix + Dovecot for some time to self-host my mail and was quite happy with this combination.
It is very flexible, and I could easily share the same authentication base between email, web and XMPP servers.


----------



## zirias@ (Apr 14, 2020)

20-100-2fe said:


> I have used Postfix + Dovecot for some time to self-host my mail and was quite happy with this combination.
> It is very flexible, and I could easily share the same authentication base between email, web and XMPP servers.


Just for completeness, the same works with exim as well, I use the dovecot authentication service via a local socket from exim. Not sure about sendmail, never used that in a very long time.

That's why I think the choice of MTA should be based on whichever you feel most comfortable with. Postfix sure is a popular choice.

I guess for mail storage and IMAP access, Dovecot can be recommended. It also supports Sieve and ManageSieve.


----------



## rootbert (Apr 14, 2020)

I highly recommend postfix, cannot emphasize it enough!


----------



## Argentum (Apr 14, 2020)

20-100-2fe said:


> have used Postfix + Dovecot for some time to self-host my mail and was quite happy with this combination.



Same here. Also using cbl.abuseat.org for blocking most unwanted traffic in Postfix.
For Dovecot using https://letsencrypt.org/ certificates.


----------



## hruodr (Apr 14, 2020)

Zirias said:


> Not sure about sendmail, never used that in a very long time.



Of course it is no problem with sendmail. It uses cyrus sasl that can for example consult an ldap db. I have it running with cyrus imap.


----------



## Lamia (Apr 14, 2020)

Run a search on this forum. There are tonnes of guides in various threads that will help you. Purplehat is great - http://www.purplehat.org/?page_id=4.


----------



## hruodr (Apr 14, 2020)

Argentum said:


> Also using cbl.abuseat.org for bocking most unwanted traffic in Postfix.



The problem of these lists is that with high probability your dynamic IP at home is listed, at least that is my experience, then you cannot send with smtp from your home to your server. Of course, you can install a web-mailer on your server and use it instead of smtp.
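
hruodr's point about home addresses comes down to how a DNSBL is consulted: the MTA reverses the client address, appends the list's zone, and treats an A answer inside 127.0.0.0/8 as a listing. The following is an added example, not code from the thread or from Postfix; the list zones, the stub resolver and the "listed" addresses are constructed test data, and cbl.abuseat.org is not queried. It also handles the failure mode of an abandoned list whose zone starts answering with a wildcard.

```python
"""How an MTA queries a DNS blocklist, and how to read the answer.

Added example, not from the thread or from Postfix. The resolver is a
constructed stub so this runs offline; the "listed" addresses and the zone
names are test data, not real listings. For a live check, replace
stub_resolve with a function returning the A records from socket.getaddrinfo().
"""
import ipaddress

DNSBL_CODES = ipaddress.ip_network("127.0.0.0/8")  # only valid range for list answers


def dnsbl_query_name(client_ip, zone):
    """Reverse the address and append the list zone.

    IPv4: 203.0.113.7 -> 7.113.0.203.<zone>
    IPv6: every hex nibble reversed, as in ip6.arpa.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def dnsbl_lookup(client_ip, zone, resolve):
    """Return (listed, return_code) for one client against one list.

    resolve(name) returns the A records for name, or [] for NXDOMAIN.
    Anything outside 127.0.0.0/8 (typically a wildcard from an abandoned or
    hijacked zone) is ignored; otherwise a dead list would reject everyone.
    """
    answers = resolve(dnsbl_query_name(client_ip, zone))
    codes = [a for a in answers if ipaddress.ip_address(a) in DNSBL_CODES]
    return (bool(codes), codes[0] if codes else None)


# Constructed stub zone data: a live list, plus a dead one that wildcards.
LIVE_ZONE = "bl.example.test"
DEAD_ZONE = "dead.example.test"
STUB_ANSWERS = {
    f"7.113.0.203.{LIVE_ZONE}": ["127.0.0.2"],  # a listed host (test data)
    f"2.0.0.127.{LIVE_ZONE}": ["127.0.0.2"],    # 127.0.0.2 is the conventional test entry
}


def stub_resolve(name):
    """Stand-in resolver: the dead zone answers every name with a public address."""
    if name.endswith("." + DEAD_ZONE):
        return ["198.51.100.1"]
    return STUB_ANSWERS.get(name, [])


def reject_client(client_ip):
    """Decision an smtpd would take before accepting MAIL FROM (test policy)."""
    listed, code = dnsbl_lookup(client_ip, LIVE_ZONE, stub_resolve)
    if listed:
        return f"554 5.7.1 client {client_ip} blocked, listed with code {code}"
    return None


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10", "127.0.0.2"):
        print(ip, "->", reject_client(ip) or "accepted")
    # the dead zone must never yield a listing:
    print(DEAD_ZONE, "->", dnsbl_lookup("192.0.2.10", DEAD_ZONE, stub_resolve))
```

In Postfix the list check (`reject_rbl_client`) is an ordinary entry in a restriction list, so placing `permit_sasl_authenticated` ahead of it lets an authenticated user on a listed home address still submit mail, which is the usual answer to the problem hruodr describes; on the submission port there is normally no list check at all.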


----------



## drhowarddrfine (Apr 14, 2020)

When I got the itch to see what postfix and other MTAs were about, I started reading the documentation and it all seemed the same as setting up sendmail. So I stuck with sendmail and I have no issues, including spam and getting flagged as spam. However, I'll note two caveats. One, I didn't try too hard to figure out postfix or the others and, two, it took me a while to figure out sendmail/spf/dkim/etc. for the same reason--I had and have too much going on to be able to concentrate on it.

Recently I read somewhere that sendmail is no longer actively worked on. Is that true?


----------



## Lamia (Apr 14, 2020)

drhowarddrfine said:


> When I got the itch to see what postfix and other MTAs were about, I started reading the documentation and it all seemed the same as setting up sendmail. So I stuck with sendmail and I have no issues, including spam and getting flagged as spam. However, I'll note two caveats. One, I didn't try too hard to figure out postfix or the others and, two, it took me a while to figure out sendmail/spf/dkim/etc. for the same reason--I had and have too much going on to be able to concentrate on it.
> 
> Recently I read somewhere that sendmail is no longer actively worked on. Is that true?


There is smtpd if memory serves me right. It does what Sendmail does and might have been doing it better - delivering emails. I think it also has milters for dkim, spf, etc.


----------



## usdmatt (Apr 14, 2020)

I find Postfix *far* more user friendly and modern than Sendmail. I'm glad I no longer have to mess with that m4/cf stuff from the 1970's when just using a computer basically required programming skills.

For example, the below just makes sense without even really looking anything up. I wouldn't even know how to do some of this in Sendmail after using it for years - such as the ordered list of client restrictions. If I want to be able to block certain IP addresses from relaying, even after authenticating, I could just move my check_client_access rule before the permit_sasl_authenticated one.


```
mynetworks = 127.0.0.0/8, 192.168.100.0/24
smtpd_banner = mymailserver.email.com ESMTP hello!
disable_vrfy_command = yes
message_size_limit = 51200000
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:$config_directory/access, reject
```

Personally I've been championing removing Sendmail and replacing it with something simple like dma that just provides simple local delivery and submission services (with smtp-auth) to external smtp for years.
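
usdmatt's point rests on the evaluation order of a Postfix restriction list: restrictions are tried left to right, the first one that yields a permit or reject decides, and the rest are never consulted. The following is an added example, not Postfix code and not from the thread: a small simulator of that rule, with `mynetworks`, an access(5) table and the client addresses as constructed test data. It reproduces the posted list, the reordered list usdmatt describes, and the classic mistake of a relay list without a final `reject`.

```python
"""Model of how smtpd(8) walks an smtpd_relay_restrictions list.

Added example; this is a simulator, not Postfix code and not from the
thread. It follows the documented semantics of postconf(5)/access(5):
restrictions are tried left to right, the first that yields OK or REJECT
decides, DUNNO falls through, and reaching the end of the list permits.
mynetworks, the access table and the client addresses are constructed
test data (documentation ranges).
"""
import ipaddress

# Stand-ins for the main.cf values and the access(5) table from the post.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.100.0/24")]
ACCESS_TABLE = {
    "203.0.113.7": "REJECT",  # one host
    "198.51.100": "REJECT",   # a whole /24: access(5) also tries parent networks
}


def client_access(client_ip):
    """access(5) lookup for an IPv4 client: full address, then parent networks."""
    octets = client_ip.split(".")
    for n in range(4, 0, -1):
        key = ".".join(octets[:n])
        if key in ACCESS_TABLE:
            return ACCESS_TABLE[key]
    return "DUNNO"


def evaluate(restrictions, client_ip, sasl_authenticated):
    """Return OK or REJECT for a relay attempt from client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for restriction in restrictions:
        if restriction == "permit_mynetworks":
            result = "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"
        elif restriction == "permit_sasl_authenticated":
            result = "OK" if sasl_authenticated else "DUNNO"
        elif restriction == "check_client_access":
            result = client_access(client_ip)
        elif restriction == "reject":
            result = "REJECT"
        else:
            raise ValueError(f"restriction not modelled: {restriction}")
        if result != "DUNNO":
            return result
    return "OK"  # end of list with no decision: Postfix permits


AS_POSTED = ["permit_mynetworks", "permit_sasl_authenticated", "check_client_access", "reject"]
BLOCK_BEFORE_AUTH = ["permit_mynetworks", "check_client_access", "permit_sasl_authenticated", "reject"]
NO_FINAL_REJECT = ["permit_mynetworks", "permit_sasl_authenticated"]  # the open-relay mistake


def is_open_relay(restrictions):
    """True if an unauthenticated stranger outside mynetworks may relay."""
    return evaluate(restrictions, "203.0.113.200", sasl_authenticated=False) == "OK"


if __name__ == "__main__":
    print("blocked host, authenticated, as posted:  ", evaluate(AS_POSTED, "203.0.113.7", True))
    print("blocked host, authenticated, block first:", evaluate(BLOCK_BEFORE_AUTH, "203.0.113.7", True))
    print("LAN host, no auth:                       ", evaluate(AS_POSTED, "192.168.100.5", False))
    print("host in blocked /24, no auth:            ", evaluate(AS_POSTED, "198.51.100.22", False))
    for name, lst in [("as posted", AS_POSTED), ("no final reject", NO_FINAL_REJECT)]:
        print(f"open relay ({name})?", is_open_relay(lst))
```

The last case is the one Zirias warns about: a relay list that ends without `reject` (or `reject_unauth_destination`) permits whatever reaches the end, and the simulator shows the stranger being allowed through.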


----------



## hruodr (Apr 14, 2020)

usdmatt said:


> Personally I've been championing removing Sendmail and replacing it with something simple like dma that just provides simple local delivery and submission services (with smtp-auth) to external smtp for years.



If you do not like it, do not use it. Why "championing" to impose your taste on others?


----------



## usdmatt (Apr 14, 2020)

hruodr said:


> If you do not like it, do not use it. Why "championing" to impose you taste to others?



1) It makes replacement more of a pain as you have all the existing sendmail cruft all over the place
2) It makes FreeBSD bigger than it needs to be, and increases risk of remotely exploitable flaws
3) Upgrading Sendmail requires either replacing it with a ports version or waiting for an OS upgrade
4) FreeBSD seems to include the .cf files by default rather than generate them on install, so I have had to manually merge changes to these files many times during upgrade.

Note that I didn't say replace it with Postfix, rather with something that purely handles the minimum local features required by default, which is exactly why DragonflyBSD wrote dma. Anyone that wants a real mail server, and likes Sendmail, can install it, just like anyone that wants a web server can install their choice of nginx or apache, or can install bind if they want authoritative dns. You get the benefit of your own choice, and can keep up to date much more simply with just a `pkg upgrade`.

There has been an extensive effort in recent years to remove large external codebases, such as BIND, for many of the same reasons above. I'm not quite sure how Sendmail managed to avoid this. It's an archaic lumbering beast that has not had serious development for half a decade and should not be part of a base install.


----------



## Lamia (Apr 14, 2020)

usdmatt said:


> 1) It makes replacement more of a pain as you have all the existing sendmail cruft all over the place
> 2) It makes FreeBSD bigger than it needs to be, and increases risk of remotely exploitable flaws
> 3) Upgrading Sendmail requires either replacing it with a ports version or waiting for an OS upgrade
> 4) FreeBSD seems to include the .cf files by default rather than generate them on install, so I have had to manual merge changes to these files many times during upgrade.
> ...


And now that you mention DNS, could anyone kindly make recommendations for a good replacement for Domain Name (Re-)sellers' Premium DNS Managers (e.g. GoDaddy, Namecheap, etc.)? I am aware of some free DNS managers - Hurricane etc - and we already have Authoritative (NSD) & Recursive/Caching (Unbound/PowerDNS/DNSDIST) DNS servers installed.
My question again is could you please suggest a reliable TUI pkg/port that we can simply import our zone files (containing A,CNAME,PTR,MX,etc records) into it and stop paying for premium DNS managers?


----------



## SirDice (Apr 14, 2020)

Lamia said:


> My question again is could you please suggest a reliable TUI pkg/port that we can simply import our zone files (containing A,CNAME,PTR,MX,etc records) into it and stop paying for premium DNS managers?


Not aware of anything, most will probably just create something themselves. If you have a PowerDNS "supermaster" you can easily use an SQL database with it. Then it's relatively easy to create a simple PHP (or some other language) web interface for it.


----------



## rootbert (Apr 14, 2020)

DNS: good experience with https://www.ovh.com


----------



## Lamia (Apr 15, 2020)

Thanks SirDice,
I shall soon explore the supermaster mode.


----------



## Jose (Apr 17, 2020)

Another vote for Postfix / Dovecot. Switched over from Sendmail / UW-IMAP more than a decade ago, and never looked back.

It used to be you had to understand and debug m4 macro language scripts to generate sendmail.cf. That's right, the syntax was so complicated and unreadable that you had to use a (slightly more readable) programming language to generate it. This may have improved since I ditched Sendmail. I wouldn't know.

Look at this and make up your own mind:

- Postfix : Products and vulnerabilities (www.cvedetails.com): list of all products, security vulnerabilities of products, CVSS score reports, detailed graphical reports, vulnerabilities by years and Metasploit modules related to products of this vendor.
- Sendmail Sendmail : CVE security vulnerabilities, versions and detailed reports (www.cvedetails.com): Sendmail security vulnerabilities, exploits, Metasploit modules, vulnerability statistics and list of versions.


The point about a dynamic IP is a good one. I wouldn't try to run an MTA on a home connection. I run mine on a hosted virtual server.


----------



## ralphbsz (Apr 17, 2020)

Actually, the two statistics look remarkably similar. In the last 10 years, on average less than 1 vulnerability per year. I don't think I care what happened in the early 2000s, because I don't run a version from the early 2000s.

And actually, editing the sendmail.cf file is perfectly doable. I personally think that the M4 files are less readable, and you're better off using the m4 framework as a starting point, and then reading, understanding, and editing the .cf files instead. But clearly, sendmail is very hard to configure, because it relies heavily on the .cf language as an actual execution mechanism, not just a configuration mechanism. And that is what makes the .cf files so overwhelming, and complex looking: you're de-facto looking at the source code of sendmail here, and you can fine-tune it to ridiculous levels, which in today's world are just not practical. I mean, who would want to use the configuration for encapsulating uucp addresses over bitnet? While the .cf files are capable of doing that (BTDT), it is just not needed today.

Which leads me to my personal conclusion: I use neither postfix nor sendmail. I use a very simple MTA on my home server, namely ssmtp, which is minimally configured to send all mail to a real commercial mail host outside, done.


----------



## hruodr (Apr 17, 2020)

ralphbsz said:


> and you can fine-tune it to ridiculous levels, which in today's world are just not practical.



Yes, it has features from the past. Have you seen how big the sources are? Much more impractical is to install bloat that does much less.


----------



## PMc (Apr 17, 2020)

rootbert said:


> DNS: good experience with https://www.ovh.com



What's that? The only information I get on that page is that they want my money, and lots of it. They don't even bother to make up a reason why.


----------



## rootbert (Apr 17, 2020)

PMc said:


> Whats that? The only information I get on that page is that they want my money, and lots of it. They don't even bother to make up a reason why.


well ... the website of OVH. It's the largest hosting provider in Europe and owns the world's largest datacenter surface area. I primarily did some testing with their infrastructure because they appeal to me and my idealism - they hosted wikileaks and are sponsoring letsencrypt. I was very satisfied with their performance, support and price ... and they have had a nice API before having an API was more or less standard.

concerning DNS: you can have a free account and use their DNS for free; upgrade to DNS anycast for 1€ per domain per year.


----------



## Lamia (Apr 17, 2020)

ralphbsz said:


> Actually, the two statistics look remarkably similar. In the last 10 years, on average less than 1 vulnerability per year. I don't think I care what happened in the early 2000s, because I don't run a version from the early 2000s.
> 
> And actually, editing the sendmail.cf file is perfectly doable. I personally think that the M4 files are less readable, and you're better of using the m4 framework as a starting point, and then reading, understanding, and editing the .cf files instead. But clearly, sendmail is very hard to configure, because if relies heavily on the .cf language as an actual execution mechanism, not just a configuration mechanism. And that is what makes the .cf files so overwhelming, and complex looking: you're de-facto looking at the source code of sendmail here, and you can fine-tune it to ridiculous levels, which in today's world are just not practical. I mean, who would want to use the configuration for encapsulating uucp addresses over bitnet? While the .cf files are capable of doing that (BTDT), it is just not needed today.
> 
> Which leads me to my personal conclusion: I use neither postfix nor sendmail. I use a very simple MTA on my home server, namely ssmtp, which is minimally configured to send all mail to a real commercial mail host outside, done.


Yes, ssmtp was what I meant when I wrote smtpd. It is a perfect drop-in replacement for Sendmail, not on par with Postfix though.


----------



## PMc (Apr 17, 2020)

Thanks for the explanation. 
I am actually quite bored about all those webpages that only tell you what kind of payment they want.



rootbert said:


> well ... the website of OVH.
> Its the largest hosting provider in Europe



Never heard of. But that's maybe because I have no use for hosting, neither would I have money to pay for such.



> you can have a free account and use their DNS for free



I happen to have my own DNS, and wouldn't like to have someone else run it, free or not free.
The only thing I would be interested to obtain is reverse-resolving static IPs. And that's a more difficult thing, and seems only available in package with hosting.


----------



## Lamia (Apr 18, 2020)

PMc said:


> Thanks for the explanation.
> I am actually quite bored about all those webpages that only tell you what kind of payment they want.
> 
> 
> ...


Your ISP can do that for you.

How do you manage your DNS entries?


----------



## PMc (Apr 18, 2020)

Lamia said:


> Your ISP can do that for you.



Yes, they can, and that might actually work. But then at least they require a business account to do so, and probably a registered domain, so that should cost about 250€ extra per year. 
Getting a very small hosting entity that does not much else than run a vpn server to move that IP to a place where I can use it, might be in a similar cost range.
So that is a bit of money, and what I do not have is spare money. Also the issue is not imminent, as currently I happen to have a static IP, but v4 only, and it appears not to be a very good one, i.e. routing my default traffic via that and then doing web shopping can lead to my credit card being blocked.



> How do manage you DNS entries?



Currently not at all. Currently that DNS serves my intranet configurations and goes to the responsible servers for anything else. It is configured to do split-horizon, but currently there is no need to do so, and I use that only for some ad-blocking.


----------



## Lamia (Apr 18, 2020)

PMc said:


> Yes, they can, and that might actually work. But then at least they require a business account to do so, and probably a registered domain, so that should cost about 250€ extra per year.
> Getting a very small hosting entity that does not much else than run a vpn server to move that IP to a place where I can use it, might be in a similar cost range.
> So that is a bit of money, and what I do not have is spare money. Also the issue is not imminent, as currently I happen to have a static IP, but v4 only, and it appears not to be a very good one, i.e. routing my default traffic via that and then doing web shopping can lead to my credit card being blocked.
> 
> ...


Ok. Thanks. The closest I have got is setting up a primary nameserver with NSD for a domain name outside GoDaddy's jurisdiction and a domain name seller wanting me to buy the Premium DNS manager like GoDaddy.

It worked well. I always had to go edit the text files and that itself can be tricky. Hence, I was hoping there is a TUI that auto-validates entries.


----------



## gpw928 (Apr 18, 2020)

PMc said:


> Yes, they can, and that might actually work. But then at least they require a business account to do so, and probably a registered domain, so that should cost about 250€ extra per year.


That cost seems excessive.

My ISP connects my Internet router to a private enclave (10.x.x.x) and from there NATs my traffic to the Internet.  I don't really have a choice, as my Internet connection options are somewhat limited (GPRS or Satellite).

I get a new IP address in the private enclave every time I have to re-dial the connection, and have no permanent presence on the Internet, but I can still get:

- a domain name and DNS services from namesilo for ~US$10/annum; and
- a cheap VPS with static IPv4 for ~US$30/annum (located in Sydney, which is the same city as the routers used by my ISP to connect to the Internet).

All I need for a permanent IPV4 presence on the Internet is to nail up a reverse ssh tunnel from my firewall to the VPS for each port I care to open (and open a port on the separate firewall provided with the VPS).

I have used Namesilo for domain and DNS services some years, and have zero complaints.

The VPS has only to carry network traffic, and can be sized accordingly.

I get all that for US$40 per annum.


----------



## Lamia (Apr 18, 2020)

gpw928 said:


> That cost seems excessive.
> 
> My ISP connects my Internet router to a private enclave (10.x.x.x) and from there NATs my traffic to the Internet.  I don't really have a choice, as my Internet connection options are somewhat limited (GPRS or Satellite).
> 
> ...


I think this implementation is limited to a few services (in-house web hosting, VPN, maybe email and enter&tame&me(-nt) services all bound to one static IP address).

If you need more than one IP, you will be paying $5 or so per each. An ISP would give you a block of 5 usable IPs for $10. And it doesn't ALWAYS  have to be a business account to be qualified for it.


----------



## Lamia (Apr 18, 2020)

Lamia said:


> This is a million dollar question.
> Given that you're just getting started, Sendmail might be a good start. Postfix is quite advanced. You can also take a look at OpenSMTPD.


I just found this: https://prefet.ch/blog/2020/email-server/


----------



## PMc (Apr 18, 2020)

gpw928 said:


> That cost seems excessive.



Not really. It's a business account, so you get whatever features the telco thinks a (small) business might need, probably also priority customer service and similar, and optionally the static IP - and it's a real static IP in place of the dynamic one, so full bandwidth and MTU and no VPN, and it will resolve forward and reverse. (At least that's what I would expect.)
And then, while the ordinary consumer tariff is at 35€ (for smallest bandwidth - 10Mbit), that one doesn't exist in smallest and then costs some 55€ (not sure if domain reservation is included).

That was easier maybe 15 years ago - then people who would know what a static IP is good for, might just have asked and got a bunch of them - as for the normal consumers a static IP was considered only more dangerous.



> a domain name and DNS services from namesilo for ~US$10/annum; and
> a cheap VPS with static IPv4 for ~US$30/annum (located in Sydney, which is the same city as the routers used by my ISP to connect to the Internet).


I understand. But the cardinal question is: to what does that IP resolve in reverse, i.e. `host nn.nn.nn.nn`?

As far as I understand: The 'namesilo' shop can make sure that your reserved domain will resolve to your IP, because they own the zonefile for the domain.
But to do it in reverse, from the IP to the domain, one would need to edit the zonefile for the IP-range.
And I have no real idea how the ownership of these reverse zonefiles is managed, and I doubt that it is easy to find somebody willing to edit them.
If anybody knows how that might work, I am really eager to hear.

In fact, for most things one may not need a correct reverse-resolution. And maybe it is possible to get one, and I just don't know.


----------



## gpw928 (Apr 18, 2020)

Lamia said:


> I think this implementation is limited to a few services (in-house web hosting, VPN, maybe email and enter&tame&me(-nt) services all bound to one static IP address).


Sure the VPS has one static IPV4 address, and as many services as you wish to attach to that address.


Lamia said:


> If you need more than one IP, you will be paying $5 or so per each. An ISP would give you a block of 5 usable IPs for $10. And it doesn't ALWAYS  have to be a business account to be qualified for it.


Additional IPV4 addresses are US$1.2/month each.  You pay the money, you get the address.  "Business" is not relevant.  [There is a limit of 8 IPV4s per VPS.]

I agree it would not be sensible to run a major Internet presence through reverse ssh tunnels.

My major point was that the DNS infrastructure can exist independently of everything else.


----------



## gpw928 (Apr 18, 2020)

PMc said:


> I understand. But the cardinal question is: to what does that IP resolve in reverse, i.e. `host nn.nn.nn.nn`?


I expect that the reverse lookup zone file would need to be with the VPS provider (which has free DNS services).
So I am obliged to modify my claim and observe that "most of the DNS infrastructure can exist independently of everything else".


----------



## PMc (Apr 18, 2020)

gpw928 said:


> I expect that he reverse lookup zone file would need to be with the VPS provider (which has free DNS services).
> So I am obliged to modify my claim and observe that "most of the DNS infrastructure can exist independently of everything else".



That actually doesn't answer my question, and I am agreeing that DNS should be considered an independent service, on which TCP/IP is in no way dependent (while other services may be dependent on both).
But my question simply was: can you configure that reverse lookup to reflect Your actual domain?


----------



## Lamia (Apr 18, 2020)

PMc said:


> That actually doesn't answer my question, and I am agreeing that DNS should be considered an independent service, where TCP/IP is in no way dependent on (while other services may be dependent on both).
> But my question simply was: can you configure that reverse lookup to reflect Your actual domain?


He would need a dynamic DNS service like noip2.


----------



## gpw928 (Apr 18, 2020)

PMc said:


> That actually doesn't answer my question, and I am agreeing that DNS should be considered an independent service, where TCP/IP is in no way dependent on (while other services may be dependent on both).
> But my question simply was: can you configure that reverse lookup to reflect Your actual domain?


The registered owner of the IP address block has control (delegation) of the reverse lookups for that "block", in the same way as the registered owner of a domain has control (delegation) of forward lookups for that domain.

How the reverse lookups are managed depends on the owner of the IP address "block".

If you have not got a reverse delegation (which puts you in complete control), then the most sensible approach is to get the ISP who owns the "block" to create the PTR record in the appropriate in-addr.arpa zone file.

I expect you may get some level of control over that (web edit interface), depending on your ISP, or it may be a helpdesk call.

I don't believe you can get a PTR record published unless you have a static address.  i.e. no-ip.com can't assist with this problem, and nor can third party DNS providers like namesilo (unless you got your IP address from them).


----------



## PMc (Apr 18, 2020)

Lamia said:


> He would a dynamic dns service like noip2.


Maybe - but that's quite certainly not what I want.

This is an example for what I do NOT want:

```
$ host forums.freebsd.org
forums.freebsd.org has address 204.109.59.195
$ host 204.109.59.195
Host 195.59.109.204.in-addr.arpa not found: 3(NXDOMAIN)
```

This is good for web servers (and most web hosts will show such or similar, because of the way they are hosted), but it is NOT good for mail. For mail it should look like this:


```
$ host mx1.freebsd.org
mx1.freebsd.org has address 96.47.72.80
$ host 96.47.72.80
80.72.47.96.in-addr.arpa domain name pointer mx1.freebsd.org.
```


----------



## zirias@ (Apr 18, 2020)

For setting up an email domain correctly, you need at least

- a static IPv4 address
- configurable reverse lookup for that address
- a way to configure records (A, MX and TXT for SPF/DKIM) in your domain's zone

You get all this from your typical VPS hoster. In my case, I pay a little less than 100€ per year for it, but the server is capable enough to run some services as well, so I think that's fair.

I don't want to just forward TCP ports to my home server -- the connection could be interrupted for example. What I do is

- my home server establishes a VPN tunnel to the VPS.
- there's a complete mail system on my home server (with exim/dovecot).
- the VPS acts as a mail gateway for SMTP and IMAP, again with exim (where "local" delivery is configured to use remote SMTP with a manual route to my home server plus recipient verification to know which users actually exist, and the home exim has a manual route to the VPS for everything outbound) and dovecot in proxy-mode.

To route everything correctly with SMTP, I use some overrides in /etc/hosts.
The VPS does spam scanning (with rspamd) and DKIM signing.
So, in case my internet connection at home will be broken, the gateway will just either temporarily reject mails (if the recipient isn't known) or enqueue the mails for valid recipients it has cached, until my home server is available again.

For services other than mail, it's much simpler -- I just do some DNS updates per script when the VPN tunnel comes up, basically creating my own simple "dynamic DNS" service.


----------



## drhowarddrfine (Apr 18, 2020)

ralphbsz said:


> Which leads me to my personal conclusion: I use neither postfix nor sendmail. I use a very simple MTA on my home server, namely ssmtp, which is minimally configured to send all mail to a real commercial mail host outside, done.


Well, then you're just not one of the cool kids.


----------



## obsigna (Apr 18, 2020)

I chose Postfix over Sendmail because it can be configured with plain text configuration files consisting of not too hard to understand keyword/value pairs. For me, M4 is already the show stopper of Sendmail. If it weren't, Postfix comes with lots of before-queue filter mechanisms which Sendmail does't seem to have, I see only some throttles, and so I would be forced to do spam fighting after queue - I would happily like to learn otherwise, though.

Before queue means, the mail message was not yet dropped into my camp of responsibility, and I may block it and are done. After queue means, the message has landed, and it is my responsibility to do the right thing about it, i.e. either of forwarding it to the destined receivers or return it to its origin. Therefore, after-queue mail filtering would quickly become a PITA, since I want to do it correctly. Blocking a mail after queue without anything further is only acceptable if the server's admin is the only valid receiver of the system. Already in SOHO installations after-queue filtering would be subject of privacy regulations, while before-queue filtering would usually not come near to this one of the most ugliest of Pandora's Boxes.

Finally, you want to read the opinions about the requirements of a static IP address, the corresponding A and PTR records, and an open outgoing port 25 with only mail sending in mind.

While it is true that the SMTP sender's static IP should have valid A, PTR and in addition TXT-DKIM entries, it is not at all necessary that this all belongs to the DNS zone for which you provide your mail service. Huge parts of today's mail traffic goes via mail relays, and not directly from end to end. And this won't work under the requirement that the A and the PTR should belong to the DNS zone of the originating sender.

For receiving mails, all this is not needed. You need valid MX and TXT-SPF records in your DNS zone and the MX might even point to the dynamic IPv4 or IPv6 address of the SMTPd in your home. This is what I do, and for mail sending I use a plain mail package of the domain hoster as a mail relay. My Postfix installation passes outgoing mails on the submission port 587 to said relay, which then takes care of the final delivery. This works perfectly well.

Since many people are confused about the scope of the MX and TXT-SPF records, it is worth emphasizing again: MX is for INCOMING mails, and TXT-SPF can be the only entry in your zone which tells something about OUTGOING mails.


----------



## Jose (Apr 18, 2020)

My hosting provider allows me to manage my own PTR record: Frequently Asked Questions (FAQ) - PrgmrWiki (wiki.prgmr.com)


----------



## PMc (Apr 18, 2020)

obsigna said:


> While it is true that the SMTP sender's static IP should have valid A, PTR and in addition TXT-DKIM entries, it is not at all necessary that this all belongs to the DNS zone for which you provide your mail service. Huge parts of today's mail traffic goes via mail relays, and not directly from end to end. And this won't work under the requirement that the A and the PTR should belong to the DNS zone of the originating sender.



You're right. If you send a mail to the internet, that sending interface does have an IP address. And then there should be a PTR record resolving that IP address to a hostname. And when then again looking up that hostname, one should get the same IP address.
This is usually even true for dynamic IPs, so one can in principle send mail from dynamic IPs, only one cannot easily receive.

For receiving, the host part of the address needs to be translated to an IP address. And while an ordinary A record should theoretically be enough to achieve that, it does not work in practice, because some mailers do look only for MX records (which is imho wrong, but definitely the case).

So, to receive mail one needs a static IP (I don't think a dyndns-MX does count along "best practice"), and to send mail one needs a PTR record (reverse resolution) on that IP. And ideally the latter would point back to something sensible.

Now I would like to thank all the participants here, because I learned a couple of new things. The last time I was involved in mailers, there was no SPF and DKIM and whatever, and when I heard of that, it appeared to be of concern mainly to contractual spam distributors (aka bulk mail senders).

Now looking a little bit closer into that, it appears to me there is no functional benefit in these, there may only be reputational benefit.
SPF seems to prohibit your employees from sending unauthorized mails from their machines, or other people from impersonating your shop. I'm not sure where the benefit would be for an individual - e.g. if somebody tries to impersonate me, it would probably be rather to their own detriment. 
And DKIM seems to establish message integrity on the server-to-server link. Now, traditionally, mail is sent in cleartext, and it can be read and tampered with while in transit. So if you don't like that, use an end-to-end encryption.

The problem here is with the reputational aspect, which means, if you have these features implemented, your sent mails might less likely end in the receiver's spam folder.

As it seems, I do currently have neither an idea about how the state of these things is with my sent emails, nor a means to easily configure it, so this might be one reason why my mails are often not reacted upon. (Another is that people nowadays quite openly state that they neither read nor answer their mails, as they have facebook.)

So, maybe, as I have now finished reinstalling my backup software (28 bugs identified in the port), I should setup a new mail system...

Thanks again, this was helpful.
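The two lookups PMc walks through above, as an added example that is not part of this thread and not any MTA's own code: picking the delivery targets for a recipient domain (MX hosts by preference, falling back to the domain's A record when no MX exists, and the RFC 7505 null MX meaning "this domain takes no mail"), and forward-confirmed reverse DNS for a sending address (PTR of the IP names a host whose A record contains that IP again). The DNS table is constructed for the example and stands in for live lookups; the names and RFC 5737 documentation addresses in it are hypothetical.

```python
# Constructed zone data standing in for the resolver (hypothetical names and
# RFC 5737 documentation addresses); a real check would query DNS instead.
DNS = {
    ("example.org", "MX"): [(20, "mx2.example.org"), (10, "mx1.example.org")],
    ("mx1.example.org", "A"): ["192.0.2.10"],
    ("mx2.example.org", "A"): ["192.0.2.20"],
    ("a-only.example", "A"): ["198.51.100.5"],       # no MX: implicit MX
    ("nomail.example", "MX"): [(0, ".")],           # RFC 7505 null MX
    # PTR records, keyed by the reversed-octet in-addr.arpa name.
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mx1.example.org"],
    ("7.2.0.192.in-addr.arpa", "PTR"): ["dyn-7.isp.example"],
    ("dyn-7.isp.example", "A"): ["192.0.2.99"],     # forward disagrees
}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def delivery_targets(domain):
    """Where a sender delivers mail for @domain, in RFC 5321 order:
    MX hosts by ascending preference; with no MX record at all the
    domain's own A record (the 'implicit MX'); a null MX means the
    domain accepts no mail. Returns a list of (host, ip)."""
    mx = sorted(lookup(domain, "MX"))
    if mx == [(0, ".")]:
        return []
    if not mx:
        return [(domain, ip) for ip in lookup(domain, "A")]
    targets = []
    for _pref, host in mx:
        targets.extend((host, ip) for ip in lookup(host, "A"))
    return targets

def reverse_name(ip):
    """192.0.2.10 -> 10.2.0.192.in-addr.arpa (IPv4 only in this example)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def fcrdns(ip):
    """Forward-confirmed reverse DNS: PTR(ip) names a host whose A record
    contains ip again. Returns (confirmed, hostname or None); a PTR whose
    forward lookup disagrees is reported but not confirmed."""
    ptrs = lookup(reverse_name(ip), "PTR")
    for host in ptrs:
        if ip in lookup(host, "A"):
            return True, host
    return False, (ptrs[0] if ptrs else None)

if __name__ == "__main__":
    print(delivery_targets("example.org"))
    print(fcrdns("192.0.2.10"), fcrdns("192.0.2.7"))
```

The second `fcrdns` case is the typical dynamic-IP situation: the ISP publishes a generic PTR, but the forward lookup of that name does not point back at the address, so a receiver applying the check treats the sender as unconfirmed.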


----------



## zirias@ (Apr 19, 2020)

obsigna said:


> Before queue means, the mail message was not yet dropped into my camp of responsibility, and I may block it and are done. After queue means, the message has landed, and it is my responsibility to do the right thing about it, i.e. either of forwarding it to the destined receivers or return it to its origin. Therefore, after-queue mail filtering would quickly become a PITA, since I want to do it correctly. Blocking a mail after queue without anything further is only acceptable if the server's admin is the only valid receiver of the system. Already in SOHO installations after-queue filtering would be subject of privacy regulations, while before-queue filtering would usually not come near to this one of the most ugliest of Pandora's Boxes.


Completely agreed (except that I have no idea whether it can be done with sendmail in a sane way, having abandoned sendmail a *long* time ago).

I would still add a bit of explanation here, we're getting near the point where this thread becomes a complete mail-exchange FAQ 

Normally, an MTA will enqueue a mail as soon as it sends out the final "success" response to the sender after receiving the actual mail with DATA. So, correctly rejecting a mail after that would require sending out a bounce message. That's where the problem with spam mail starts, as the MAIL FROM address is typically forged, so your bounce would be sent to some unrelated party -- you would cause "backscatter". Therefore, the other option would be to violate RFCs and just silently drop the mail you already accepted. But then, in the case of some "false positive", the sender will never know his mail didn't arrive. As soon as you provide your mail service to users other than yourself, this is a problem as you could be held liable for just dropping your users' mails.

Therefore, the only sane way to reject spam mails is to do it before actually accepting them. If sendmail really can't do this, it would be unusable today.


obsigna said:


> While it is true that the SMTP sender's static IP should have valid A, PTR and in addition TXT-DKIM entries, it is not at all necessary that this all belongs to the DNS zone for which you provide your mail service. Huge parts of today's mail traffic goes via mail relays, and not directly from end to end. And this won't work under the requirement that the A and the PTR should belong to the DNS zone of the originating sender.



Let's break this down a bit, so we're only talking about sending mail:

- Valid A and PTR records are needed for the actual machine sending the mail to the receiver's MX. So, if you use a relay, it isn't your responsibility.
- If you want to use SPF, you still need to create the TXT record for your sending domain (the one that is used in "MAIL FROM:"). You have to allow your sending relay there.
- For DKIM, as far as I understand it (correct me if I'm wrong), you *could* leave that entirely to your relay. The relay will then sign the message using its own domain and key, which should be fine. But if you want to use DMARC as well, the DKIM signature domain must match your sending domain, so you would be required to do your own DKIM signing, which again includes publishing a TXT record on your domain.



obsigna said:


> For receiving mails, all this is not needed. You need valid MX and TXT-SPF records in your DNS zone and the MX might even point to the dynamic IPv4 or IPv6 address of the SMTPd in your home.


I don't see a need for an SPF record to *receive* mail. An MX pointing to a dynamic IP address will probably work quite well, but there are (minor) risks:

- If your MX isn't reachable (either the line is down or the DNS update hasn't reached the sender yet), a sender can't connect to it. This should be treated as a temporary error and the sender should try again later, but I wouldn't count on every sender behaving correctly here. If it's treated as a permanent error instead, some mails might not arrive.
- Worse (and, of course, much less probable) would be a scenario where an SMTP service is actually reachable on the IP address you owned earlier, and this service accepts unencrypted connections, and the sender accepts that as well. In that case, a mail addressed for your domain could end up on an unrelated system.
- Therefore I'd argue the best solution is using a server with static addresses for receiving as well -- this server *could* just act as a gateway, like in my setup.
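An added example, not from this thread and not any MTA's code, implementing the two rules obsigna and Zirias are discussing: how a receiver evaluates the sending domain's SPF record against the connecting IP (which is why the relay you hand mail to must be listed in your TXT record, and why that record describes outgoing mail), and the DMARC alignment rule of RFC 7489, under which a message passes when either the SPF-validated MAIL FROM domain or the d= domain of a verified DKIM signature aligns with the From: header domain. The SPF records, addresses and DKIM results are constructed and hypothetical; the evaluator handles ip4, ip6, mx, include and all only (no a, ptr, exists, macros or redirect), and the organizational-domain helper takes the last two labels instead of consulting the Public Suffix List.

```python
import ipaddress

# Constructed records (hypothetical domains, RFC 5737 / RFC 3849 addresses).
SPF_RECORDS = {
    "example.org": "v=spf1 mx ip4:192.0.2.0/28 include:relay-hoster.example -all",
    "relay-hoster.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}
MX_ADDRS = {"example.org": ["192.0.2.10"]}   # addresses of the domain's MX hosts

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, depth=0):
    """Evaluate domain's SPF record for connecting address ip.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:
        return "permerror"            # RFC 7208 limit on nested includes
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            matched = ip in MX_ADDRS.get(arg or domain, [])
        elif mech == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"
        else:
            return "permerror"        # a, ptr, exists, redirect= not modelled
        if matched:
            return QUALIFIER[qual]
    return "neutral"                  # nothing matched and no 'all' term

def org_domain(domain):
    """Simplification: last two labels; real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(d1, d2, mode):
    """Identifier alignment: strict needs equality, relaxed the same org domain."""
    return d1.lower() == d2.lower() if mode == "s" else org_domain(d1) == org_domain(d2)

def dmarc(from_domain, spf_result, mail_from_domain, dkim_results, aspf="r", adkim="r"):
    """RFC 7489 evaluation: pass if SPF passed for an aligned MAIL FROM domain,
    or any verified DKIM signature has an aligned d= domain; otherwise fail.
    dkim_results is a list of (d= domain, signature verified) pairs."""
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = any(ok and aligned(d, from_domain, adkim) for d, ok in dkim_results)
    return "pass" if spf_ok or dkim_ok else "fail"

def relay_scenario(relay_ip, relay_signs_with, own_signature=False):
    """Mail with MAIL FROM and From: in example.org, sent out through a relay
    that signs with its own domain; optionally also signed by example.org."""
    spf = check_spf("example.org", relay_ip)
    dkim = [(relay_signs_with, True)]
    if own_signature:
        dkim.append(("example.org", True))
    return spf, dmarc("example.org", spf, "example.org", dkim)

if __name__ == "__main__":
    print(relay_scenario("203.0.113.25", "relay-hoster.example"))        # listed relay
    print(relay_scenario("198.51.100.9", "relay-hoster.example"))        # unlisted relay
    print(relay_scenario("198.51.100.9", "relay-hoster.example", True))  # own DKIM
```

The three scenarios in the main block show the practical consequence: with the relay allowed in your SPF record, a relay-signed DKIM signature that is not aligned does no harm, because the aligned SPF pass already satisfies DMARC; once SPF does not pass (relay not listed, or a forwarder in between), only a DKIM signature under your own domain keeps DMARC passing.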


----------



## hruodr (Apr 19, 2020)

*obsigna*, *Zirias*,

see: Milter - Wikipedia (en.wikipedia.org)






> An MTA that is milter-capable instead notifies filters to which it is connected about each phase of the delivery of a message, from initial client connection through completion of transmission.  At each phase of the SMTP session, the filter is given data about the arriving message and then has an opportunity to terminate acceptance of the message early when appropriate. For very large messages, this can have an enormous impact when a decision to reject can be made as early as possible.



Or here: http://www.postfix.org/MILTER_README.html



> Postfix implements support *for the Sendmail version 8 Milter (mail filter) protocol*. This protocol is used by applications that run outside the MTA to inspect SMTP events (CONNECT, DISCONNECT), SMTP commands (HELO, MAIL FROM, etc.) as well as mail content (headers and body).  All this happens before mail is queued.



Milters were introduced by sendmail, not by postfix or something else. And also something like "FEATURE(dnsbl, `zen.spamhaus.org')dnl" in the mc file causes rejection connection level.


----------



## zirias@ (Apr 19, 2020)

Well, if sendmail can do that, that's great I guess -- it means it's still viable for a complete mail-domain setup. Whether you _want_ to use it is a different question and mostly a matter of personal taste regarding how you configure it.

I never used milters, as exim doesn't support them (unless that changed recently, but I don't think so?). You might count this as a shortcoming of exim, as milters seem to be a very flexible mechanism allowing all sorts of complex setups.


----------



## hruodr (Apr 19, 2020)

Zirias said:


> it means it's still viable for a complete mail-domain setup



I do not understand from where come the doubts. From all those trying to make it bad?


----------



## zirias@ (Apr 19, 2020)

hruodr said:


> I do not understand from where come the doubts. From all those trying to make it bad?


For all those who moved away from it after realizing other MTAs can avoid the huge PITA sendmail configuration is, there's nothing to "make" bad. Yes, this is a matter of taste, and there's nothing wrong with actually liking the way sendmail is configured, just be aware many people don't like it  Then of course, if you stopped following sendmail's development, how should you know there are solutions for more recent issues like e.g. rejecting spam during SMTP dialog? As I said, it's of course a good thing this is possible with sendmail.


----------



## obsigna (Apr 19, 2020)

Zirias said:


> ...
> I don't see a need for an SPF record to *receive* mail.



Me neither. Perhaps it was not clear enough what I said, so I try again. The TXT-SPF record may be the only entry related to mail sending in the DNS zone of our mail service. We could even omit this, however, I found out that big mail providers like gmail use the TXT-SPF entry of your zone for sender validation. For example, I have a backup gmail account, and test e-mails to this one without SPF (Subject = Test, and body = Test) land directly in the spam box. Test e-mails without SPF and containing some expressive phrases have a bigger chance to go into the inbox, yet not 100 %. Mails with an SPF entry in my DNS zone come through 100 %.

Now, chances are that one of your peers got a gmail account, and it is usually much quicker to set up the SPF for your zone compared to explain to all of your peers that gmail is evil and wait until they switched to another service (hopefully not hotmail). Your customers, the future girl friend, etc. won't respond in that way, but instead would respond to somebody else who is able to send mails to their gmail account.



Zirias said:


> An MX pointing to a dynamic IP address will probably work quite well, but there are (minor) risks:


Actually it works very well, and the benefits outweigh the risks.


Zirias said:


> If your MX isn't reachable (either the line is down or the DNS update hasn't reached the sender yet), a sender can't connect to it. This should be treated as a temporary error and the sender should try again later, but I wouldn't count on every sender behaving correctly here. If it's treated as a permanent error instead, some mails might not arrive



No higher risk than is imposed anyway to my mail service because of grey listing. My policy is, not to accept mails from misbehaving senders.



Zirias said:


> Worse (and, of course, much less probable) would be a scenario where an SMTP service is actually reachable on the IP address you owned earlier, and this service accepts unencrypted connections, and the sender accepts that as well. In that case, a mail addressed for your domain could end up on an unrelated system.
> Therefore I'd argue the best solution is using a server with static addresses for receiving as well -- this server *could* just act as a gateway, like in my setup



I thought about it, however my risk assessment told me that this one is negligible. My dynamic IP changes only on power outages for more than 15 min, which rarely happens. Nobody can count on this. If somebody else got by accident a mail service running  on a dynamic IP in my region, which is not secured against relaying arbitrary mails to local receivers, then he anyway won't find the message to me in the thousands of spam mails in his box. Or even worse, if that service is not secured against relaying to a wider audience in the internet, then the message would finally reach me 

The benefits are:

- this is the most cost-effective way of hosting your own mail service that I can think of:
  - the SMTP receiver (incoming mails) is listening on my home server and without extra costs on a connection which is paid anyway.
  - the SMTP relay (outgoing mails) is part of the domain hosting package at quite a low cost.
- it is quite easy to obtain a Let's Encrypt certificate for an IP of a server which is under your control and where you can run the certbot, e.g. no DNS fiddling before and after is necessary.
- all local transactional mails (intra domain) are truly end-to-end encrypted even though only transport encryption is involved.
- all mails are stored on your server in-house, and we may securely use IMAP instead of POP3 + removing mails from the server.
- most incoming business e-mails are secured from eavesdropping as well, because bigger companies use their own outgoing mail services and these do contact directly my incoming mail service (I can see this in the server log).


In my case, the only point left of possible interception is the mail relay at the domain hosting service. I know this and I act accordingly.
In 2018, I wrote a BLog post about my setup with all the details, including webmail:

Home Mail Server with TLS and non-Plaintext Authentication


----------



## obsigna (Apr 19, 2020)

hruodr said:


> *obsigna*, *Zirias*,
> 
> see:
> 
> ...


OK, I appreciate that Sendmail is capable of filtering mails before-queue by way of milters. With respect to Postfix, milters belong to the Sendmail compatibility layer, and Postfix users without Sendmail history don't need it. I acknowledge that milters are executables which we may choose from the now dead list (www.milter.org - mostly perl) or need to program ourselves using the milter API. Since p5 is, right after m4, the second least likely language which I would choose for programming, I know nothing more about milters than that they exist.


----------



## zirias@ (Apr 19, 2020)

obsigna, maybe there's still a bit of misunderstanding, as from the benefits you list only the one about cost counts when compared to my solution.

The MTA on my VPS acts as a spam-scanning (inbound) and DKIM-signing (outbound) gateway only. I have a second MTA in house that handles all local mail without ever reaching out to the gateway, and mailboxes are stored locally as well. My local DNS will resolve the name of the mail machine to my local installation, but if you're outside, you can still access IMAP through the gateway (which also has a dovecot in proxy-mode), using the same DNS name.

Yes, you're right, the risks I talked about are very small  So, in a nutshell, receiving mail on a "dynamic" IP-address still works (as opposed to sending from, which didn't work any more for many years). Just saying it might not be the perfect approach


----------



## Jose (Apr 19, 2020)

PMc said:


> Now looking a little bit closer into that, it appears to me there is no functional benefit in these, there may only be reputational benefit.
> SPF seems to prohibit your employees from sending unauthorized mails from their machines, or other people from impersonating your shop. I'm not sure where the benefit would be for an individual - e.g. if somebody tries to impersonate me, it would probably be rather to their own detriment.


SPF records also help prevent the fun afternoon you'll have if a spammer with a list full of hundreds of thousands of stale email addresses decides to use one of your domains in a forged From: header.



PMc said:


> And DKIM seems to establish message integrity on the server-to-server link. Now, traditionally, mail is sent in cleartext, and it can be read and tampered with while in transit. So if you don't like that, use an end-to-end encryption.


FWIW, I ran with only an SPF record for years. I took it upon myself to implement DKIM on the fun afternoon when a spammer cracked one of my five users' password and used my little server to send 60K SPAM emails. Google started hating on me pretty hard after that. You're dead on when you say:



PMc said:


> The problem here is with the reputational aspect, which means, if you have these features implemented, your sent mails might less likely end in the receiver's spam folder.


Unfortunately, DKIM was not sufficient to restore my reputation. I had to be a good netizen for some weeks. Yahoo! didn't hate on me, for some reason. I've since implemented outgoing mail metering with Policyd2. I don't love it and wonder if it's actively maintained. Do tell if you've found a better alternative.

Edit: Typo


----------



## obsigna (Apr 19, 2020)

Zirias said:


> obsigna Maybe there's still a bit of misunderstanding as from the benefits you list, only the one about cost counts when compared to my solution
> ...


Of course, and without any doubts most benefits apply also to your setup. Perhaps we can agree on the following statement, which I wrote in my BLog post:

_ "A fixed IP address is not needed, but doesn't harm either."_


----------



## obsigna (Apr 19, 2020)

Jose said:


> ...
> FWIW, I ran with only an SPF record for years. I took it upon myself to implement DKIM on the fun afternoon when a spammer cracked one of my five users' password and used my little server to send 60K SPAM emails. Google started hating on me pretty hard after that.
> ...
> I've since implemented outgoing mail metering with Policyd2. I don't love it and wonder if it's actively maintained. Do tell if you've found a better alternative.



Perhaps not exactly an alternative, but this reduces the attack surface quite a lot. I set up my Postfix MTA to not allow SMTP authentication on port 25, but only on the submission ports 465 and 587, on which I require TLS encryption, while best practice on port 25 is still to only offer TLS. Since my users live in one country only, I also have geo-blocking in place for ports 465, 587, 993, 995 and others by way of ipfw(8) employing my sysutils/ipdbtools, see ipdbtools(1).

I frequently check Postfix's server log, and I see tons of authentication attempts on port 25, which are disconnected right away, but I didn't recognize yet any attack attempt on said submission ports.

PS:
I don't allow my users to choose their passwords. Strong passwords are generated by me and communicated to the users.
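A Postfix configuration fragment for the split obsigna describes, added here as an example and not obsigna's own files: no AUTH on port 25, which only talks to other MTAs with opportunistic TLS and accepts mail solely for our own domains; AUTH on 465 and 587 only, and only inside TLS; and outgoing mail handed to the hoster's relay on 587, as in the setup described earlier in the thread. Paths follow the FreeBSD port; the relay host name, the credentials and the Dovecot SASL socket are assumptions, and the ipfw/ipdbtools geo-blocking is not shown.

```text
# /usr/local/etc/postfix/main.cf  (FreeBSD port paths; host names assumed)

# Port 25 talks to other MTAs only: offer TLS, never AUTH, and accept
# mail solely for our own domains (no open relay, no unknown recipients).
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = reject_unlisted_recipient

# SASL backend used by the submission services below (assumes Dovecot
# offers its auth socket at $queue_directory/private/auth).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Outgoing mail goes to the hoster's relay on 587, authenticated, TLS required.
relayhost = [smtp.hoster.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

# /usr/local/etc/postfix/master.cf: AUTH is switched on per service,
# only on 587 (STARTTLS required first) and 465 (implicit TLS).
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# /usr/local/etc/postfix/sasl_passwd (mode 0600; run
# "postmap hash:/usr/local/etc/postfix/sasl_passwd" after editing)
[smtp.hoster.example]:587 relayuser:relaypassword
```

After a `postfix reload`, `postconf -n` shows the effective main.cf settings and `postconf -M` the per-service overrides, so the absence of `smtpd_sasl_auth_enable=yes` on the `smtp` service can be checked directly; the failed AUTH attempts obsigna sees on port 25 are what a client gets when it tries AUTH against a service that never announced it.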


----------



## Jose (Apr 19, 2020)

obsigna said:


> PS:
> I don't allow my users to choose their passwords. Strong passwords are generated by me and informed to the users.


Yeah, I was lax about that and paid the price. I'm still working on a way to let them change their own passwords, and implementing password complexity checks.


----------



## hruodr (Apr 19, 2020)

obsigna said:


> I acknowledge that milters are executables which we may choose from the now dead list (www.milter.org - mostly perl) or need to program ourselves using the milter API. Since p5 is, right after m4, the second least likely language which I would choose for programming, I know nothing more about milters than that they exist.



If you google, you find a lot of milters. In the source of sendmail you find a description of the C api for writing your own milters. Perl is a well known and wide used language. Or should sendmail offer the API for the language(s) you like?


----------



## obsigna (Apr 19, 2020)

hruodr said:


> If you google, you find a lot of milters. In the source of sendmail you find a description of the C api for writing your own milters. Perl is a well known and wide used language. Or should sendmail offer the API for the language(s) you like?


I don't expect anything from Sendmail. I won't use it anyway.


----------



## dinoex@ (Apr 20, 2020)

Whatever you should use depends on your requirements.
We have plenty of choices in the Ports.

I have used Sendmail for decades without any major issues.
Maybe I will write an up-to-date tutorial for a full MTA setup with FreeBSD.

I was using Postfix only for a year, until I encountered loss of mail in 2006 when the spool disk ran full.
Modern Postfix should be better. But I did no stress tests on that.

Most milters are written in C, some in Perl, some in Ruby, some in Python.

There are a good number of milters available as ports.


```
mail/libmilter
mail/antivirus-milter
mail/archivesmtp
mail/batv-milter
mail/dcc-dccd
mail/dk-milter
mail/enma
mail/mimedefang
mail/milter-bogom
mail/milter-callback
mail/milter-greylist
mail/milter-manager
mail/milter-regex
mail/milter-skem
mail/mimedefang
mail/noattach
mail/opendkim
mail/opendmarc
mail/py-milter
mail/raysfilter
mail/rbl-milter
mail/rmilter
mail/scam-backscatter
mail/sentinel
mail/sid-milter
mail/smfsav
mail/smfsav-devel
mail/spamass-milter
mail/spamilter
mail/spfmilter
mail/vbsfilter
security/amavisd-milter
```


----------



## hruodr (Apr 20, 2020)

dinoex@ said:


> Most milters are written in C, some in Perl, some in Ruby, some in Python.



Support for a scripting language depends on whether someone wrote an API for that language, perhaps only a wrapper. I like tcl, googled and found: milter (core.tcl-lang.org)


----------



## Jose (Apr 21, 2020)

Lamia said:


> I just found this -https://prefet.ch/blog/2020/email-server/.


Make sure you use a very recent version of Opensmtpd!


> *021: SECURITY FIX: February 24, 2020* _All architectures_
> An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

OpenBSD 6.6 Errata - the OpenBSD errata page (www.openbsd.org)


----------



## Hakaba (Apr 23, 2020)

I tried to use my own mail server a few years ago.
But the concept is too over-engineered for me.
I really do not understand how this can be that hard.
A lot of concepts in MTA/MUA exist in our favorite OS.
I do not see why no mail server uses OS users for authentication, ssh for network auth and encryption, db for database; linking an output to a filter script is basically a |.
It seems like an old race to features that ends with complexity...
I mean, if you only want to use a mail server for 10 users in a «family» domain name, why are the proposed tools multiplatform, multi-configurable, multi... complex?
I understand the need for complex things. But I do not find a light mail server that uses OS features when the paradigm exists in the OS.


----------



## hruodr (Apr 23, 2020)

Hakaba said:


> I tried to use my own mail server a few years ago.
> But the concept is too over-engineered for me.
> I really do not understand how this can be that hard.



Email is very old, older than the internet and uucp, and it is something simple. I think the (not completely satisfactory) adaptation to modern use makes it complicated. It is too late to invent a secure and viable alternative.

The UW imap server, that was in the source of the pine mail client and still is in the source of the alpine client, ran out of the box and the authentication was the one of the system. Ideal for small installations. You had client and server for reading remote mail. Unfortunately the server has not been maintained for years. It would be nice to revive it.

The authentication in the MTA is for relaying mail, and who relays is normally not necessarily a system user. sendmail uses cyrus sasl, which offers many authorization mechanisms and may use plugins for getting the password, for example from pam or getpwent and hence the system. But yes, configuration of MTAs is not trivial, not out of the box. Understanding sasl needs a little study.


----------



## drhowarddrfine (Apr 23, 2020)

Setting up a mail server is fairly easy. Learning how to set one up can be hard. Even then, the most difficult parts are two things: handling spam and getting your mail accepted by other mail servers.

You can liken setting up a mail server to setting up any other server. You can get it to just work or you can get it to work properly. Some study and thinking and time will be involved but it shouldn't be to the point where one needs to never try or just throw in the towel.


----------



## Jose (Apr 23, 2020)

Dovecot uses system users quite happily. The following works nicely on Freebsd:

```
userdb {
  driver = passwd
}
passdb {
  driver = pam
}
```

Don't be confused by the "BSDAuth" password database. It's only needed for OpenBSD. There are no scary suid binaries now that you can use LMTP for mail delivery.

I used UW-IMAP years ago, and it started having trouble once my mailbox grew to tens of thousands of messages. I suspect it was because of the mbox format it uses (used?) for mailbox storage. All your messages are stored in a single file. Every folder gets its own file, though.

I agree that running your own Mail Transfer Agent (MTA) is probably too complex for most people. You could take the approach Ralphbsz recommends upthread


ralphbsz said:


> I use a very simple MTA on my home server, namely ssmtp, which is minimally configured to send all mail to a real commercial mail host outside, done.



Here's the entire Jinja2 template I use to configure Dovecot on Freebsd, in case you're interested:

```
ssl = yes
ssl_cert = </usr/local/etc/ssl/mail.{{ domain_name }}.cert
ssl_key = </usr/local/etc/ssl/private/mail.{{ domain_name }}.key
mail_location = mdbox:~/mdbox
userdb {
  driver = passwd
}
passdb {
  driver = pam
}
auth_mechanisms = plain login
service auth {
  unix_listener /var/spool/postfix/private/auth {
    user = postfix
    group = postfix
    mode = 0660
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    user = postfix
    group = postfix
    mode = 0600
  }
}
protocol imap {
  mail_max_userip_connections = 100
}
protocol lmtp {
  postmaster_address = postmaster@{{ domain_name }}   # required
  auth_username_format = %Ln
}
```

You'll have to replace {{ domain_name }} with your domain, and make whatever changes are necessary for ssmtp(8).


----------



## Hakaba (Apr 24, 2020)

When I installed Dovecot, I did not want a MySQL or PostgreSQL db installation, so I found a way to use a sqlite db instead.
But I missed this simple way to use the OS users (if a user has the same id in two jails, it is the same user, as far as I know. I will test that).
I have to experiment with that and retry to have my own mail server ... (as I pay for the domain with my family name... )


----------



## hruodr (Apr 24, 2020)

Jose said:


> I used UW-IMAP years ago, and it started having trouble once my mailbox grew to tens of thousands of messages. I suspect it was because of the mbox format it uses (used?) for mailbox storage. All your messages are stored in a single file. Every folder gets its own file, though.



Out of the box it supported the mbox that you have in the system. But UW imap had support for many kinds of formats for storing email, including its own; it is perhaps the imap server that supported the most formats.


----------



## Jose (Apr 24, 2020)

You shouldn't have had to install any SQL database at all. The Freebsd package has no dependencies beyond base, AFAICT.


----------



## kr0m (Feb 22, 2022)

I know it's an old thread but I have to say that I have installed Sendmail/Dovecot for my home mail server and I am happy with the result; the Sendmail configuration can be tricky at first, but it works.
I have used Postfix at work for years and the documentation is simply awful: different configuration parameters that seem to provide the same functionality, you can be reading some parameter's documentation for 30 minutes and you don't know what it is talking about, finally you have to search for an example on Google to figure out how it works. It's so confusing and frustrating.

I have some articles about Postfix/Sendmail and milters on my webpage, but they are in Spanish, sorry.
https://alfaexploit.com/es/tags/smtp/


----------

