On Sat, Oct 23, 2021 at 06:15:35PM +0200, Jens John <li...@2ion.de> wrote:
> On Sat, 23 Oct 2021, at 16:21, Bastian wrote:
> > The stack I use is exim, spamassassin, dovecot on debian
> > stable since ~2006.
>
> If somebody would set something up new today, I would recommend the following
> 3-piece software stack:
>
> 1. postfix as the SMTP server and Let's Encrypt for a proper validated host
>    SSL certificate
>
> 2. dovecot as the IMAP mailbox server
>
> 3. rspamd as the "policy engine". It can validate incoming SPF,
>    DKIM, DMARC and ARCs which are all current best practice among the
>    commercial email hosts, and it also can apply DKIM signatures and
>    ARC seals to outgoing mail in a standards compliant way. The usual
>    spam learning techniques are all implemented in rspamd, and it can
>    interface with spamassassin, clamav etc as well. rspamd is very useful
>    to prevent the piling up of different milters in postfix which work
>    all differently.

Thanks. I didn't realise that rspamd did all that.

For anyone using Let's Encrypt / certbot for their mail server certificate,
I'd like to throw in a shameless plug for a little program I wrote that makes
it easy to properly implement DANE (DNS-Based Authentication of Named
Entities), which is supported by both Postfix and Exim. It's at
https://github.com/raforg/danectl

DANE makes it possible for a mail server administrator to let other mail
servers know in advance, not only that encryption is supported, but also
precisely which key will be used, thus making it possible to eliminate
man-in-the-middle attacks between mail servers (as long as the other mail
servers are DANE-aware). It's like MTA-STS except that it's good. You do need
DNSSEC for your domain as a prerequisite, but that has become incredibly easy
these days (e.g., one extra line of Bind9 config in Debian stable, or a
checkbox in Google's Cloud DNS service).
Even if you don't have DNSSEC or want this for your own mail server, I'd
recommend running a local DNSSEC-validating DNS resolver on your mail server
(e.g., Bind9, Unbound), and enabling the client-side of DANE-awareness in your
mail server. You'd need /etc/resolv.conf to look like this:

  nameserver 127.0.0.1
  options trust-ad

For Postfix, you'd need this in main.cf:

  smtp_dns_support_level = dnssec
  smtp_tls_security_level = dane

For Exim, you'd need:

  dns_dnssec_ok = 1

  remote_smtp:
    hosts_try_dane = *

cheers,
raf
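An added example, written for this thread and not part of raf's message or of danectl: a small offline checker for the client-side settings the message lists (resolv.conf, Postfix main.cf, Exim), plus construction of the "3 1 1" TLSA record (DANE-EE, SubjectPublicKeyInfo, SHA-256) that the server side of DANE publishes for an MTA. The config texts and the Ed25519 SubjectPublicKeyInfo are constructed sample inputs; the owner name mail.example.com is a placeholder.

```python
"""Offline DANE readiness checks and TLSA record construction.

Added example, not from the mailing-list post and not danectl's code.
All inputs below are constructed sample data embedded in this file.
"""
import hashlib
import re

# Constructed sample files mirroring the settings the message recommends.
RESOLV_CONF_OK = "nameserver 127.0.0.1\noptions trust-ad\n"
RESOLV_CONF_BAD = "nameserver 9.9.9.9\n"  # remote resolver, AD bit not trusted
POSTFIX_MAIN_CF_OK = (
    "smtp_dns_support_level = dnssec\n"
    "smtp_tls_security_level = dane\n"
)
POSTFIX_MAIN_CF_WEAK = "smtp_tls_security_level = may\n"  # opportunistic TLS only
EXIM_CONF_OK = "dns_dnssec_ok = 1\n\nremote_smtp:\n  driver = smtp\n  hosts_try_dane = *\n"

# Constructed sample key: Ed25519 SubjectPublicKeyInfo = RFC 8410 DER prefix
# followed by 32 raw key bytes (here 0x00..0x1f, a placeholder value).
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))


def parse_kv(text):
    """Parse 'key = value' lines (Postfix main.cf / Exim style), ignoring '#' comments.
    Lines that are not assignments (e.g. Exim's 'remote_smtp:') are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def resolver_problems(resolv_conf):
    """Reasons the stub resolver cannot be relied on for DNSSEC-validated (AD-bit) answers."""
    problems = []
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    if nameservers not in (["127.0.0.1"], ["::1"]):
        problems.append("nameserver must be the local validating resolver (127.0.0.1)")
    opts = re.findall(r"^\s*options\s+(.*)$", resolv_conf, re.M)
    if not any("trust-ad" in o.split() for o in opts):
        problems.append("options trust-ad missing: AD bit from the resolver is not trusted")
    return problems


def postfix_problems(main_cf):
    """Check the two main.cf settings the message gives for client-side DANE."""
    s = parse_kv(main_cf)
    problems = []
    if s.get("smtp_dns_support_level") != "dnssec":
        problems.append("smtp_dns_support_level should be dnssec")
    if s.get("smtp_tls_security_level") != "dane":
        problems.append("smtp_tls_security_level should be dane")
    return problems


def exim_problems(conf):
    """Check the Exim settings the message gives for client-side DANE."""
    s = parse_kv(conf)
    problems = []
    if s.get("dns_dnssec_ok") != "1":
        problems.append("dns_dnssec_ok should be 1")
    if s.get("hosts_try_dane") != "*":
        problems.append("remote_smtp transport should set hosts_try_dane = *")
    return problems


def tlsa_record(owner, spki_der):
    """Build a DANE-EE(3) / SPKI(1) / SHA-256(1) TLSA record in presentation format.
    Hashing the SubjectPublicKeyInfo rather than the whole certificate means the
    record stays valid across Let's Encrypt renewals as long as the key is reused."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{owner} IN TLSA 3 1 1 {digest}"


if __name__ == "__main__":
    for name, probs in (
        ("resolv.conf (ok)", resolver_problems(RESOLV_CONF_OK)),
        ("resolv.conf (bad)", resolver_problems(RESOLV_CONF_BAD)),
        ("postfix (ok)", postfix_problems(POSTFIX_MAIN_CF_OK)),
        ("postfix (weak)", postfix_problems(POSTFIX_MAIN_CF_WEAK)),
        ("exim (ok)", exim_problems(EXIM_CONF_OK)),
    ):
        print(name, "->", probs or "OK")
    print(tlsa_record("_25._tcp.mail.example.com.", SAMPLE_SPKI))
```

The record owner name follows the usual "_25._tcp.<MX hostname>." form; to use this for a real host, the SubjectPublicKeyInfo has to be taken from the key actually served on port 25, and the zone publishing it must be DNSSEC-signed, as the message says.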