Blame


1 3281ec97 2023-03-06 jrmu version=pmwiki-2.3.20 ordered=1 urlencoded=1
2 7968a68a 2023-10-09 jrmu agent=Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
3 7968a68a 2023-10-09 jrmu author=sylv1a
4 5127fd58 2021-12-17 jrmu charset=UTF-8
5 2ad9667a 2023-10-20 jrmu csum=Change so _dkimsign is used for /etc/mail/dkim. _dovecot never needs to access that folder.
6 5127fd58 2021-12-17 jrmu ctime=1621335466
7 2ad9667a 2023-10-20 jrmu host=2a0b:f4c2:2::56
8 5127fd58 2021-12-17 jrmu name=DNS.Mail
9 2ad9667a 2023-10-20 jrmu rev=20
10 5127fd58 2021-12-17 jrmu targets=Nsd.Configure,Dns.Overview,Dns.FQDN,DNS.SOA,DNS.SPF,DNS.DMARC,DNS.DKIM,DNS.Dnswl
11 2ad9667a 2023-10-20 jrmu text=(:title DNS for Mail:)%0a%0aRunning a mail server requires proper DNS records. %0a%0a!! Before you begin%0a%0aThis guide assumes that you have already set up a properly functioning name server using%0a[[nsd/configure|nsd]]. If you have not already, you will want to read up on [[dns/overview|basic DNS concepts]] and [[nsd/configure|set up your name server]].%0a%0a!! Adding to the zone file%0a%0aFor mail, you will need to add DNS records. Let's take a look at a sample zone file%0acontaining only what is needed to handle mail:%0a%0a$ORIGIN and Start of Authority (SOA) record:%0a%0a[@%0a$ORIGIN example.com.%0aexample.com. 3600 SOA ns1.example.com. admin.example.com. (%0a 2021050302 ; serial YYYYMMDDnn%0a 1800 ; refresh%0a 3600 ; retry%0a 86400 ; expire%0a 3600 ) ; minimum TTL%0a@]%0a%0aHere we define the $ORIGIN to be example.com. The $ORIGIN will be appended to every record to produce a [[Dns/FQDN|fully qualified domain name]]. Make sure to read up on [[Dns/FQDN|FQDN]] if you do not understand what that means.%0a%0aThe [[DNS/SOA|Start of Authority record]] says that the serial number was last updated on May 3rd, 2021; that the refresh interval is 1800 seconds, the retry interval is 3600 seconds, the record expires after 1 day, and the minimum time to live is 3600 seconds.%0a%0a[@%0a 3600 IN MX 10 mail%0a 3600 IN A 38.81.163.143%0a 3600 IN AAAA 2602:fccf:1:143::%0a 3600 IN NS ns1%0a 3600 IN NS ns2%0amail 3600 IN A 38.81.163.143%0a 3600 IN AAAA 2602:fccf:1:143::%0apop 3600 IN A 38.81.163.143%0a 3600 IN AAAA 2602:fccf:1:143::%0aimap 3600 IN A 38.81.163.143%0a 3600 IN AAAA 2602:fccf:1:143::%0asmtp 3600 IN A 38.81.163.143%0a 3600 IN AAAA 2602:fccf:1:143::%0a@]%0a%0aWhen there is no name for the record, it just takes on the value of $ORIGIN: example.com.%0a%0aLine 1 defines the mail exchange (MX) record for example.com. When another mail server sends your server mail, it will perform two DNS queries. 
First, it asks what your MX record is for example.com:%0a%0a[@%0a$ dig +short -t mx example.com%0a10 mail.example.com.%0a@]%0a%0aHere, the MX record for example.com is mail.example.com with a value of 10. This means%0athat mail.example.com is the actual mail server that will handle mail.%0a%0aOnce an MX record is returned, the mail server will find the A/AAAA record for that mail server:%0a%0a[@%0a$ dig +short -t a mail.example.com%0a38.81.163.143%0a@]%0a%0aNormally, a domain will have multiple MX records so that if one mail server goes offline, another can continue serving mail. Most mail servers will choose the MX record with the lowest value to deliver to first.%0a%0a!! [[DNS/SPF|SPF record]]%0a%0aYou'll want to add a TXT record in your domain's [[DNS/SPF|DNS zone for SPF]]:%0a%0a[@%0a 3600 IN TXT "v=spf1 mx -all"%0a@]%0a%0aThis simple SPF record allows any mail exchange (MX) server for the domain to send mail, but no others.%0a%0a!! [[DNS/DMARC|DMARC records]]%0a%0a[@%0a_dmarc 3600 IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"%0a@]%0a%0aThis record will provide you with reports for DKIM/SPF but will not filter any mail. It's useful for diagnosing problems with your configuration.%0a%0a!! 
DKIM records%0a%0aYou will need to follow the instructions for creating a proper [[DNS/DKIM|DKIM record]]:%0a%0aFirst, you will need to create a public and private DKIM key:%0a%0a[@%0a$ openssl genrsa -out private.key 1024%0a$ openssl rsa -in private.key -pubout -out public.key%0a$ chmod og-rwx private.key%0a$ chmod og-wx public.key%0a$ chmod u-w public.key private.key%0a$ doas mkdir -m 770 /etc/mail/dkim%0a$ doas mv private.key public.key /etc/mail/dkim/%0a$ doas chown -R _dkimsign:_dkimsign /etc/mail/dkim/%0a@]%0a%0aWe then create a DKIM record by taking the public key, removing the first and last%0aline, then joining all the lines together:%0a%0a[@%0a$ doas cat /etc/mail/dkim/public.key | awk '/-----/{if (NR!=1)print "";next}{printf $0}' -%0a@]%0a%0aRunning this command on public.key should produce text like the following:%0a%0a[@%0aMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmseF9Dm8Dx1LtmLMD56d628JBNaQus8aEcdYYzvBVQ4rhetZzv/ZMafjTEf2RLoOQ+pb7pqL4G86lCZSF+Eeu2ODWQQGYqGVV0xUK5QJSnsGF5UKKscrxmTHSPPtoAQJt25fxNd3PtvH2ZonAGkZkntk+u6Wn5xxlI9hMOVxLUwIDAQAB%0a@]%0a%0aThis key should go into the DKIM DNS records to replace %3cpublic key>:%0a%0a[@%0a_adsp._domainkey 86400 IN TXT "dkim=discardable;"%0amail._domainkey 86400 IN TXT "k=rsa; t=s; p=%3cpublic key>"%0a@]%0a%0aThe final result should look like this:%0a%0a[@%0a_adsp._domainkey 86400 IN TXT "dkim=discardable;"%0amail._domainkey 86400 IN TXT "k=rsa; t=s; p=8AMIIBCgKCAQEAyBhtr90v64hQTfw1sUtFPg5bYXF/SxUTNMziGJMql81av47DG+cDEPmQW0XN8+Tb8yIwenh01hZ5Xh1gjWg1v8OIrnErf3482B8XRZykHJQUdjcALnZ9gGZ9CnzAhIC3TsAnTDSHdgk3c0oqJeilriW0EIAkV2+x1jWlPunGJgJT/bSc2rzZsZv2gZmrrR+2f4aK7xTamAyFUl+cSP/kcoHbEmvXEOtqTQZTTDhxM6BKELUO0xBBhlrsq8C3q92OqZtwflK+IbJDyQPndORMR7R4itIj6O+LMFlYziPitM4egw3KADLZSlycJuTLkhCG5b/3VHFy+uUn3kQc+/s17QIDAQAB"%0a@]%0a%0aNote: the @@_adsp@@ records come from [[RFC5617 -> https://www.rfc-editor.org/rfc/rfc5617]] which was [[marked as historic in 2013 -> 
https://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/]]. More testing is necessary to determine if these records are really needed.%0a%0a!! Whitelists%0a%0a[[DNS/dnswl|dnswl]] is a DNS whitelist that is free of charge, so you should sign up for it.%0a
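A check for the step in the wiki text above where the public key is pasted into the `p=` tag, as an added example that is not part of the original wiki page or the project's own tooling: it does the job of the awk one-liner, confirms the value decodes to a complete RSA public key, and formats the TXT data. Function names are hypothetical; the sample key is the 1024-bit output printed on this page, and the split into strings of at most 255 bytes (needed for longer keys) goes beyond what the page covers.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 (rsaEncryption)

# The sample key text printed on this page, re-wrapped as a PEM file for the demo.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmseF9Dm8Dx1LtmLMD56d628JB
NaQus8aEcdYYzvBVQ4rhetZzv/ZMafjTEf2RLoOQ+pb7pqL4G86lCZSF+Eeu2ODW
QQGYqGVV0xUK5QJSnsGF5UKKscrxmTHSPPtoAQJt25fxNd3PtvH2ZonAGkZkntk+
u6Wn5xxlI9hMOVxLUwIDAQAB
-----END PUBLIC KEY-----
"""


def pem_to_p(pem):
    """Same job as the awk one-liner: drop the ----- lines, join the rest."""
    lines = (line.strip() for line in pem.splitlines())
    return "".join(s for s in lines if s and not s.startswith("-----"))


def _tlv(buf, pos, want_tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected DER tag 0x{want_tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data (truncated key?)")
    return buf[pos:pos + length], pos + length


def rsa_bits(p_value):
    """Parse p= as a SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    der = base64.b64decode(p_value, validate=True)   # binascii.Error is a ValueError
    spki, end = _tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg, pos = _tlv(spki, 0, 0x30)
    oid, _ = _tlv(alg, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bits, _ = _tlv(spki, pos, 0x03)
    rsa_key, _ = _tlv(bits, 1, 0x30)        # skip the BIT STRING unused-bits byte
    modulus, _ = _tlv(rsa_key, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()


def txt_rdata(p_value, tags="k=rsa; t=s"):
    """TXT RDATA for the zone file; each quoted string holds at most 255 bytes."""
    text = f"{tags}; p={p_value}"
    return " ".join(f'"{text[i:i + 255]}"' for i in range(0, len(text), 255))


def check(p_value):
    """Return (ok, detail) for a p= value before it goes into the zone file."""
    try:
        return True, f"RSA {rsa_bits(p_value)} bits"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    p = pem_to_p(SAMPLE_PEM)
    print(check(p))          # complete key
    print(check(p[30:]))     # key that lost its first 30 characters
    print(txt_rdata(p))
```

Verifiers concatenate the quoted strings of a TXT record with nothing in between, so splitting a long `p=` value this way does not change the key.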
12 2ad9667a 2023-10-20 jrmu time=1697742597
13 5127fd58 2021-12-17 jrmu title=DNS for Mail
14 2ad9667a 2023-10-20 jrmu author:1697742597=sylv1a
15 2ad9667a 2023-10-20 jrmu csum:1697742597=Change so _dkimsign is used for /etc/mail/dkim. _dovecot never needs to access that folder.
16 2ad9667a 2023-10-20 jrmu diff:1697742597:1696894866:=98c98%0a%3c $ doas mkdir -m 770 /etc/mail/dkim%0a---%0a> $ doas mkdir /etc/mail/dkim%0a100c100%0a%3c $ doas chown -R _dkimsign:_dkimsign /etc/mail/dkim/%0a---%0a> $ doas chown -R _smtpd:_dovecot /etc/mail/dkim/%0a
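Review bot: at 98c98, `-m 770` makes /etc/mail/dkim group-writable, and with 100c100 setting both owner and group to _dkimsign nothing shown here needs group write on the directory that holds private.key; `doas mkdir -m 750 /etc/mail/dkim` (or 700) would be tighter. The mode also only applies when the directory is created, so a host that already ran the earlier `doas mkdir /etc/mail/dkim` keeps its old mode unless the instructions add a chmod step.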
17 2ad9667a 2023-10-20 jrmu host:1697742597=2a0b:f4c2:2::56
18 174abb22 2023-10-10 jrmu author:1696894866=sylv1a
19 174abb22 2023-10-10 jrmu csum:1696894866=Remove unneeded `groupadd _dkimsign`, discussed with jrmu
20 174abb22 2023-10-10 jrmu diff:1696894866:1696797098:=92a93%0a> $ doas groupadd -v _dkimsign%0a
21 174abb22 2023-10-10 jrmu host:1696894866=2a0b:f4c2::20
22 7968a68a 2023-10-09 jrmu author:1696797098=sylv1a
23 7968a68a 2023-10-09 jrmu csum:1696797098=Update DKIM section to include note about RFC5617, discussed with jrmu
24 7968a68a 2023-10-09 jrmu diff:1696797098:1678133545:=130,131d129%0a%3c %0a%3c Note: the @@_adsp@@ records come from [[RFC5617 -> https://www.rfc-editor.org/rfc/rfc5617]] which was [[marked as historic in 2013 -> https://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/]]. More testing is necessary to determine if these records are really needed.%0a
25 7968a68a 2023-10-09 jrmu host:1696797098=2605:6400:40:fb4f:47b9:9112:a5e4:59e5
26 fc91d0f1 2023-03-07 jrmu author:1678133545=jrmu
27 fc91d0f1 2023-03-07 jrmu diff:1678133545:1678079585:=93d92%0a%3c $ doas groupadd -v _dkimsign%0a99,101c98,100%0a%3c $ doas mkdir /etc/mail/dkim%0a%3c $ doas mv private.key public.key /etc/mail/dkim/%0a%3c $ doas chown -R _smtpd:_dovecot /etc/mail/dkim/%0a---%0a> $ doas mkdir /etc/dkim%0a> $ doas mv private.key public.key /etc/dkim/%0a> $ doas chown -R _smtpd:_dovecot /etc/dkim/%0a108c107%0a%3c $ doas cat /etc/mail/dkim/public.key | awk '/-----/{if (NR!=1)print "";next}{printf $0}' -%0a---%0a> $ doas cat /etc/dkim/public.key | awk '/-----/{if (NR!=1)print "";next}{printf $0}' -%0a
28 fc91d0f1 2023-03-07 jrmu host:1678133545=38.87.162.154
29 fc91d0f1 2023-03-07 jrmu author:1678079585=jrmu
30 fc91d0f1 2023-03-07 jrmu csum:1678079585=remove unnecessary dkimsign user/group
31 fc91d0f1 2023-03-07 jrmu diff:1678079585:1678078240:=92a93,94%0a> $ doas groupadd -v _dkimsign%0a> $ doas useradd -s /sbin/nologin -d /var/empty -g _dkimsign -G _smtpd _dkimsign%0a
32 fc91d0f1 2023-03-07 jrmu host:1678079585=38.87.162.154
33 3281ec97 2023-03-06 jrmu author:1678078240=jrmu
34 3281ec97 2023-03-06 jrmu csum:1678078240=Moved to /etc/dkim/ to fix permissions bugs
35 3281ec97 2023-03-06 jrmu diff:1678078240:1623943290:=100,102c100,102%0a%3c $ doas mkdir /etc/dkim%0a%3c $ doas mv private.key public.key /etc/dkim/%0a%3c $ doas chown -R _smtpd:_dovecot /etc/dkim/%0a---%0a> $ doas mkdir /etc/mail/dkim%0a> $ doas mv private.key public.key /etc/mail/dkim/%0a> $ doas chown -R _smtpd:_dovecot /etc/mail/dkim/%0a109c109%0a%3c $ doas cat /etc/dkim/public.key | awk '/-----/{if (NR!=1)print "";next}{printf $0}' -%0a---%0a> $ doas cat /etc/mail/dkim/public.key | awk '/-----/{if (NR!=1)print "";next}{printf $0}' -%0a
36 3281ec97 2023-03-06 jrmu host:1678078240=38.87.162.154
37 5127fd58 2021-12-17 jrmu author:1623943290=jrmu
38 5127fd58 2021-12-17 jrmu diff:1623943290:1622989290:=94c94%0a%3c $ doas useradd -s /sbin/nologin -d /var/empty -g _dkimsign -G _smtpd _dkimsign%0a---%0a> $ doas useradd -s /sbin/nologin -d /var/empty -g _dkimsign -G _mail _dkimsign%0a102c102%0a%3c $ doas chown -R _smtpd:_dovecot /etc/mail/dkim/%0a---%0a> $ doas chown -R _dkimsign:_dkimsign /etc/mail/dkim/%0a
39 5127fd58 2021-12-17 jrmu host:1623943290=38.81.163.143
40 5127fd58 2021-12-17 jrmu author:1622989290=jrmu
41 5127fd58 2021-12-17 jrmu diff:1622989290:1622989183:=88,125c88,89%0a%3c You will need to follow the instructions for creating a proper [[DNS/DKIM|DKIM record]]:%0a%3c %0a%3c First, you will need to create a public and private DKIM key:%0a%3c %0a%3c [@%0a%3c $ doas groupadd -v _dkimsign%0a%3c $ doas useradd -s /sbin/nologin -d /var/empty -g _dkimsign -G _mail _dkimsign%0a%3c $ openssl genrsa -out private.key 1024%0a%3c $ openssl rsa -in private.key -pubout -out public.key%0a%3c $ chmod og-rwx private.key%0a%3c $ chmod og-wx public.key%0a%3c $ chmod u-w public.key private.key%0a%3c $ doas mkdir /etc/mail/dkim%0a%3c $ doas mv private.key public.key /etc/mail/dkim/%0a%3c $ doas chown -R _dkimsign:_dkimsign /etc/mail/dkim/%0a%3c @]%0a%3c %0a%3c We then create a DKIM record by taking the public key, removing the first and last%0a%3c line, then joining all the lines together:%0a%3c %0a%3c [@%0a%3c $ doas cat /etc/mail/dkim/public.key | awk '/-----/{if (NR!=1)print "";next}{printf $0}' -%0a%3c @]%0a%3c %0a%3c Running this command on public.key should produce text like the following:%0a%3c %0a%3c [@%0a%3c MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmseF9Dm8Dx1LtmLMD56d628JBNaQus8aEcdYYzvBVQ4rhetZzv/ZMafjTEf2RLoOQ+pb7pqL4G86lCZSF+Eeu2ODWQQGYqGVV0xUK5QJSnsGF5UKKscrxmTHSPPtoAQJt25fxNd3PtvH2ZonAGkZkntk+u6Wn5xxlI9hMOVxLUwIDAQAB%0a%3c @]%0a%3c %0a%3c This key should go into the DKIM DNS records to replace %3cpublic key>:%0a%3c %0a%3c [@%0a%3c _adsp._domainkey 86400 IN TXT "dkim=discardable;"%0a%3c mail._domainkey 86400 IN TXT "k=rsa; t=s; p=%3cpublic key>"%0a%3c @]%0a%3c %0a%3c The final result should look like this:%0a---%0a> You will need to follow the instructions for creating a proper [[DNS/DKIM|DKIM record]].%0a> %0a
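Review bot: `openssl genrsa -out private.key 1024` in the added key-generation block creates a 1024-bit signing key; RFC 8301 says signers should use at least 2048 bits, so suggest `openssl genrsa -out private.key 2048`. A 2048-bit key makes the `p=` value longer than 255 characters, so the `mail._domainkey` TXT line would then need the value split across several quoted strings.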
42 5127fd58 2021-12-17 jrmu host:1622989290=38.81.163.143
43 5127fd58 2021-12-17 jrmu author:1622989183=jrmu
44 5127fd58 2021-12-17 jrmu diff:1622989183:1622984571:=88,89c88,89%0a%3c You will need to follow the instructions for creating a proper [[DNS/DKIM|DKIM record]].%0a%3c %0a---%0a> [[DNS/DKIM|DKIM]]%0a> %0a91,92c91,94%0a%3c _adsp._domainkey 86400 IN TXT "dkim=discardable;"%0a%3c mail._domainkey 86400 IN TXT "k=rsa; t=s; p=8AMIIBCgKCAQEAyBhtr90v64hQTfw1sUtFPg5bYXF/SxUTNMziGJMql81av47DG+cDEPmQW0XN8+Tb8yIwenh01hZ5Xh1gjWg1v8OIrnErf3482B8XRZykHJQUdjcALnZ9gGZ9CnzAhIC3TsAnTDSHdgk3c0oqJeilriW0EIAkV2+x1jWlPunGJgJT/bSc2rzZsZv2gZmrrR+2f4aK7xTamAyFUl+cSP/kcoHbEmvXEOtqTQZTTDhxM6BKELUO0xBBhlrsq8C3q92OqZtwflK+IbJDyQPndORMR7R4itIj6O+LMFlYziPitM4egw3KADLZSlycJuTLkhCG5b/3VHFy+uUn3kQc+/s17QIDAQAB"%0a---%0a> $ORIGIN _domainkey.jrmu.coconut.ircnow.org.%0a> _adsp 86400 IN TXT "dkim=discardable;"%0a> ;mail 86400 IN TXT "k=rsa; t=s; p=v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ%0a> 8AMIIBCgKCAQEAyBhtr90v64hQTfw1sUtFPg5bYXF/SxUTNMziGJMql81av47DG+cDEPmQW0XN8+Tb8yIwenh01hZ5Xh1gjWg1v8OIrnErf3482B8XRZykHJQUdjcALnZ9gGZ9CnzAhIC3TsAnTDSHdgk3c0oqJeilriW0EIAkV2+x1jWlPunGJgJT/bSc2rzZsZv2gZmrrR+2f4aK7xTamAyFUl+cSP/kcoHbEmvXEOtqTQZTTDhxM6BKELUO0xBBhlrsq8C3q92OqZtwflK+IbJDyQPndORMR7R4itIj6O+LMFlYziPitM4egw3KADLZSlycJuTLkhCG5b/3VHFy+uUn3kQc+/s17QIDAQAB"%0a
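Review bot: in the 91,92 hunk the new `mail._domainkey` value starts at `p=8AMIIBCgKCAQEA...`, which is only the second line of the old wrapped record; the `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ` that preceded it was dropped together with the stray `v=DKIM1;p=`, so the published key is missing its first 30 characters and will not decode as a public key. Keep that base64 from the old first line in front of `8AMIIB...` when joining the two lines.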
45 5127fd58 2021-12-17 jrmu host:1622989183=38.81.163.143
46 5127fd58 2021-12-17 jrmu author:1622984571=jrmu
47 5127fd58 2021-12-17 jrmu diff:1622984571:1622805023:=81c81%0a%3c _dmarc 3600 IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"%0a---%0a> _dmarc 86400 IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"%0a83,84d82%0a%3c %0a%3c This record will provide you with reports for DKIM/SPF but will not filter any mail. It's useful for diagnosing problems with your configuration.%0a
48 5127fd58 2021-12-17 jrmu host:1622984571=38.81.163.143
49 5127fd58 2021-12-17 jrmu author:1622805023=jrmu
50 5127fd58 2021-12-17 jrmu diff:1622805023:1622793515:=94,97d93%0a%3c %0a%3c !! Whitelists%0a%3c %0a%3c [[DNS/dnswl|dnswl]] is a DNS whitelist that is free of charge, so you should sign up for it.%0a
51 5127fd58 2021-12-17 jrmu host:1622805023=38.81.163.143
52 5127fd58 2021-12-17 jrmu author:1622793515=jrmu
53 5127fd58 2021-12-17 jrmu diff:1622793515:1622721008:=68,71c68,71%0a%3c !! [[DNS/SPF|SPF record]]%0a%3c %0a%3c You'll want to add a TXT record in your domain's [[DNS/SPF|DNS zone for SPF]]:%0a%3c %0a---%0a> !! SPF record%0a> %0a> [[DNS/SPF|Sender Policy Framework]]%0a> %0a73c73%0a%3c 3600 IN TXT "v=spf1 mx -all"%0a---%0a> 3600 IN TXT "v=spf1 ip4:38.81.163.143 ip6:2602:fccf:1:143::/64 mx -all"%0a76,79c76,79%0a%3c This simple SPF record allows any mail exchange (MX) server for the domain to send mail, but no others.%0a%3c %0a%3c !! [[DNS/DMARC|DMARC records]]%0a%3c %0a---%0a> !! DMARC records%0a> %0a> [[DNS/DMARC|DMARC]]%0a> %0a81c81%0a%3c _dmarc 86400 IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"%0a---%0a> _dmarc 86400 IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@jrmu.coconut.ircnow.org;ruf=mailto:postmaster@jrmu.coconut.ircnow.org"%0a
54 5127fd58 2021-12-17 jrmu host:1622793515=38.81.163.143
55 5127fd58 2021-12-17 jrmu author:1622721008=jrmu
56 5127fd58 2021-12-17 jrmu diff:1622721008:1621339554:=53c53%0a%3c 10 mail.example.com.%0a---%0a> 38.81.163.143%0a63c63%0a%3c 38.81.163.143%0a---%0a> 10 mail.example.com.%0a
57 5127fd58 2021-12-17 jrmu host:1622721008=38.81.163.143
58 5127fd58 2021-12-17 jrmu author:1621339554=jrmu
59 5127fd58 2021-12-17 jrmu diff:1621339554:1621339245:=70,71c70,71%0a%3c [[DNS/SPF|Sender Policy Framework]]%0a%3c %0a---%0a> [[dns/spf|Sender Policy Framework]]%0a> %0a78,79c78,79%0a%3c [[DNS/DMARC|DMARC]]%0a%3c %0a---%0a> [[dns/dmarc|DMARC]]%0a> %0a86c86%0a%3c [[DNS/DKIM|DKIM]]%0a---%0a> [[dns/dkim|DKIM]]%0a
60 5127fd58 2021-12-17 jrmu host:1621339554=38.81.163.143
61 5127fd58 2021-12-17 jrmu author:1621339245=jrmu
62 5127fd58 2021-12-17 jrmu diff:1621339245:1621338881:=70,71d69%0a%3c [[dns/spf|Sender Policy Framework]]%0a%3c %0a78,79d75%0a%3c [[dns/dmarc|DMARC]]%0a%3c %0a85,86d80%0a%3c %0a%3c [[dns/dkim|DKIM]]%0a
63 5127fd58 2021-12-17 jrmu host:1621339245=38.81.163.143
64 5127fd58 2021-12-17 jrmu author:1621338881=jrmu
65 5127fd58 2021-12-17 jrmu diff:1621338881:1621338217:=27c27%0a%3c Here we define the $ORIGIN to be example.com. The $ORIGIN will be appended to every record to produce a [[Dns/FQDN|fully qualified domain name]]. Make sure to read up on [[Dns/FQDN|FQDN]] if you do not understand what that means.%0a---%0a> Here we define the $ORIGIN to be example.com. The $ORIGIN will be appended to every record to produce a [[DNS/fqdn|fully qualified domain name]]. Make sure to read up on [[DNS/fqdn|FQDN]] if you do not understand what that means.%0a
66 5127fd58 2021-12-17 jrmu host:1621338881=38.81.163.143
67 5127fd58 2021-12-17 jrmu author:1621338217=jrmu
68 5127fd58 2021-12-17 jrmu diff:1621338217:1621336000:=29,30c29,30%0a%3c The [[DNS/SOA|Start of Authority record]] says that the serial number was last updated on May 3rd, 2021; that the refresh interval is 1800 seconds, the retry interval is 3600 seconds, the record expires after 1 day, and the minimum time to live is 3600 seconds.%0a%3c %0a---%0a> %0a> %0a36a37,42%0a> 3600 IN TXT "v=spf1 ip4:38.81.163.143 ip6:2602:fccf:1:143::/64 mx -all"%0a> _dmarc 86400 IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@jrmu.coconut.ircnow.org;ruf=mailto:postmaster@jrmu.coconut.ircnow.org"%0a> $ORIGIN _domainkey.jrmu.coconut.ircnow.org.%0a> _adsp 86400 IN TXT "dkim=discardable;"%0a> ;mail 86400 IN TXT "k=rsa; t=s; p=v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ%0a> 8AMIIBCgKCAQEAyBhtr90v64hQTfw1sUtFPg5bYXF/SxUTNMziGJMql81av47DG+cDEPmQW0XN8+Tb8yIwenh01hZ5Xh1gjWg1v8OIrnErf3482B8XRZykHJQUdjcALnZ9gGZ9CnzAhIC3TsAnTDSHdgk3c0oqJeilriW0EIAkV2+x1jWlPunGJgJT/bSc2rzZsZv2gZmrrR+2f4aK7xTamAyFUl+cSP/kcoHbEmvXEOtqTQZTTDhxM6BKELUO0xBBhlrsq8C3q92OqZtwflK+IbJDyQPndORMR7R4itIj6O+LMFlYziPitM4egw3KADLZSlycJuTLkhCG5b/3VHFy+uUn3kQc+/s17QIDAQAB"%0a46,50d51%0a%3c %0a%3c When there is no name for the record, it just takes on the value of $ORIGIN: example.com.%0a%3c %0a%3c Line 1 defines the mail exchange (MX) record for example.com. When another mail server sends your server mail, it will perform two DNS queries. First, it asks what your MX record is for example.com:%0a%3c %0a52,70c53,64%0a%3c $ dig +short -t mx example.com%0a%3c 38.81.163.143%0a%3c @]%0a%3c %0a%3c Here, the MX record for example.com is mail.example.com with a value of 10. 
This means%0a%3c that mail.example.com is the actual mail server that will handle mail.%0a%3c %0a%3c Once an MX record is returned, the mail server will find the A/AAAA record for that mail server:%0a%3c %0a%3c [@%0a%3c $ dig +short -t a mail.example.com%0a%3c 10 mail.example.com.%0a%3c @]%0a%3c %0a%3c Normally, a domain will have multiple MX records so that if one mail server goes offline, another can continue serving mail. Most mail servers will choose the MX record with the lowest value to deliver to first.%0a%3c %0a%3c !! SPF record%0a%3c %0a%3c [@%0a---%0a> $ORIGIN jrmu.coconut.ircnow.org.%0a> jrmu.coconut.ircnow.org. 3600 SOA ns1.jrmu.coconut.ircnow.org. admin.jrmu.coconut.ircnow.org. (%0a> 2021050302 ; serial YYYYMMDDnn%0a> 1800 ; refresh%0a> 3600 ; retry%0a> 86400 ; expire%0a> 3600 ) ; minimum TTL%0a> 3600 IN MX 10 mail%0a> 3600 IN A 38.81.163.143%0a> 3600 IN AAAA 2602:fccf:1:143::%0a> 3600 IN NS ns1%0a> 3600 IN NS ns2%0a72,76d65%0a%3c @]%0a%3c %0a%3c !! DMARC records%0a%3c %0a%3c [@%0a78,82d66%0a%3c @]%0a%3c %0a%3c !! DKIM records%0a%3c %0a%3c [@%0a86a71,78%0a> mail 3600 IN A 38.81.163.143%0a> 3600 IN AAAA 2602:fccf:1:143::%0a> pop 3600 IN A 38.81.163.143%0a> 3600 IN AAAA 2602:fccf:1:143::%0a> imap 3600 IN A 38.81.163.143%0a> 3600 IN AAAA 2602:fccf:1:143::%0a> smtp 3600 IN A 38.81.163.143%0a> 3600 IN AAAA 2602:fccf:1:143::%0a
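Review bot: the two sample outputs in the 52,70 hunk are swapped: `dig +short -t mx example.com` is shown returning `38.81.163.143` and `dig +short -t a mail.example.com` returning `10 mail.example.com.`, which contradicts the sentence between them. The MX query should show `10 mail.example.com.` and the A query `38.81.163.143`.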
69 5127fd58 2021-12-17 jrmu host:1621338217=38.81.163.143
70 5127fd58 2021-12-17 jrmu author:1621336000=jrmu
71 5127fd58 2021-12-17 jrmu diff:1621336000:1621335616:=1,19c1,11%0a%3c (:title DNS for Mail:)%0a%3c %0a%3c Running a mail server requires a proper DNS records. %0a%3c %0a%3c !! Before you begin%0a%3c %0a%3c This guide assumes that you have already set up a properly functioning name server using%0a%3c [[nsd/configure|nsd]]. If you have not already, you will want to read up on [[dns/overview|basic DNS concepts]] and [[nsd/configure|set up your name server]].%0a%3c %0a%3c !! Adding to the zone file%0a%3c %0a%3c For mail, you will need to add DNS records. Let's take a look at a sample zone file%0a%3c containing only what is needed to handle mail:%0a%3c %0a%3c $ORIGIN and Start of Authority (SOA) record:%0a%3c %0a%3c [@%0a%3c $ORIGIN example.com.%0a%3c example.com. 3600 SOA ns1.example.com. admin.example.com. (%0a---%0a> !! DNS%0a> %0a> Running a mail server requires a proper DNS records. If you have not already, you will%0a> want to read up on [[dns/overview|DNS]] and [[nsd/configure|set up your name server]].%0a> %0a> You will need to [[DNS/Mail|add proper DNS records]] to your domain and make sure they work.%0a> %0a> For mail, you will need to add DNS records.%0a> %0a> $ORIGIN jrmu.coconut.ircnow.org.%0a> jrmu.coconut.ircnow.org. 3600 SOA ns1.jrmu.coconut.ircnow.org. admin.jrmu.coconut.ircnow.org. (%0a25,31d16%0a%3c @]%0a%3c %0a%3c Here we define the $ORIGIN to be example.com. The $ORIGIN will be appended to every record to produce a [[DNS/fqdn|fully qualified domain name]]. Make sure to read up on [[DNS/fqdn|FQDN]] if you do not understand what that means.%0a%3c %0a%3c %0a%3c %0a%3c [@%0a51,79d35%0a%3c @]%0a%3c [@%0a%3c $ORIGIN jrmu.coconut.ircnow.org.%0a%3c jrmu.coconut.ircnow.org. 3600 SOA ns1.jrmu.coconut.ircnow.org. admin.jrmu.coconut.ircnow.org. 
(%0a%3c 2021050302 ; serial YYYYMMDDnn%0a%3c 1800 ; refresh%0a%3c 3600 ; retry%0a%3c 86400 ; expire%0a%3c 3600 ) ; minimum TTL%0a%3c 3600 IN MX 10 mail%0a%3c 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a%3c 3600 IN NS ns1%0a%3c 3600 IN NS ns2%0a%3c 3600 IN TXT "v=spf1 ip4:38.81.163.143 ip6:2602:fccf:1:143::/64 mx -all"%0a%3c _dmarc 86400 IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@jrmu.coconut.ircnow.org;ruf=mailto:postmaster@jrmu.coconut.ircnow.org"%0a%3c $ORIGIN _domainkey.jrmu.coconut.ircnow.org.%0a%3c _adsp 86400 IN TXT "dkim=discardable;"%0a%3c ;mail 86400 IN TXT "k=rsa; t=s; p=v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ%0a%3c 8AMIIBCgKCAQEAyBhtr90v64hQTfw1sUtFPg5bYXF/SxUTNMziGJMql81av47DG+cDEPmQW0XN8+Tb8yIwenh01hZ5Xh1gjWg1v8OIrnErf3482B8XRZykHJQUdjcALnZ9gGZ9CnzAhIC3TsAnTDSHdgk3c0oqJeilriW0EIAkV2+x1jWlPunGJgJT/bSc2rzZsZv2gZmrrR+2f4aK7xTamAyFUl+cSP/kcoHbEmvXEOtqTQZTTDhxM6BKELUO0xBBhlrsq8C3q92OqZtwflK+IbJDyQPndORMR7R4itIj6O+LMFlYziPitM4egw3KADLZSlycJuTLkhCG5b/3VHFy+uUn3kQc+/s17QIDAQAB"%0a%3c mail 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a%3c pop 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a%3c imap 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a%3c smtp 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a%3c @]%0a
72 5127fd58 2021-12-17 jrmu host:1621336000=38.81.163.143
73 5127fd58 2021-12-17 jrmu author:1621335616=jrmu
74 5127fd58 2021-12-17 jrmu diff:1621335616:1621335466:=1,7d0%0a%3c !! DNS%0a%3c %0a%3c Running a mail server requires a proper DNS records. If you have not already, you will%0a%3c want to read up on [[dns/overview|DNS]] and [[nsd/configure|set up your name server]].%0a%3c %0a%3c You will need to [[DNS/Mail|add proper DNS records]] to your domain and make sure they work.%0a%3c %0a
75 5127fd58 2021-12-17 jrmu host:1621335616=38.81.163.143
76 5127fd58 2021-12-17 jrmu author:1621335466=jrmu
77 5127fd58 2021-12-17 jrmu diff:1621335466:1621335466:=1,28d0%0a%3c For mail, you will need to add DNS records.%0a%3c %0a%3c $ORIGIN jrmu.coconut.ircnow.org.%0a%3c jrmu.coconut.ircnow.org. 3600 SOA ns1.jrmu.coconut.ircnow.org. admin.jrmu.coconut.ircnow.org. (%0a%3c 2021050302 ; serial YYYYMMDDnn%0a%3c 1800 ; refresh%0a%3c 3600 ; retry%0a%3c 86400 ; expire%0a%3c 3600 ) ; minimum TTL%0a%3c 3600 IN MX 10 mail%0a%3c 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a%3c 3600 IN NS ns1%0a%3c 3600 IN NS ns2%0a%3c 3600 IN TXT "v=spf1 ip4:38.81.163.143 ip6:2602:fccf:1:143::/64 mx -all"%0a%3c _dmarc 86400 IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@jrmu.coconut.ircnow.org;ruf=mailto:postmaster@jrmu.coconut.ircnow.org"%0a%3c $ORIGIN _domainkey.jrmu.coconut.ircnow.org.%0a%3c _adsp 86400 IN TXT "dkim=discardable;"%0a%3c ;mail 86400 IN TXT "k=rsa; t=s; p=v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ%0a%3c 8AMIIBCgKCAQEAyBhtr90v64hQTfw1sUtFPg5bYXF/SxUTNMziGJMql81av47DG+cDEPmQW0XN8+Tb8yIwenh01hZ5Xh1gjWg1v8OIrnErf3482B8XRZykHJQUdjcALnZ9gGZ9CnzAhIC3TsAnTDSHdgk3c0oqJeilriW0EIAkV2+x1jWlPunGJgJT/bSc2rzZsZv2gZmrrR+2f4aK7xTamAyFUl+cSP/kcoHbEmvXEOtqTQZTTDhxM6BKELUO0xBBhlrsq8C3q92OqZtwflK+IbJDyQPndORMR7R4itIj6O+LMFlYziPitM4egw3KADLZSlycJuTLkhCG5b/3VHFy+uUn3kQc+/s17QIDAQAB"%0a%3c mail 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a%3c pop 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a%3c imap 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a%3c smtp 3600 IN A 38.81.163.143%0a%3c 3600 IN AAAA 2602:fccf:1:143::%0a
78 5127fd58 2021-12-17 jrmu host:1621335466=38.81.163.143