Setting up a mail server with OpenSMTPD and Dovecot without Rspamd

August 2, 2022

Back in March 2022 I moved my mail server from a FreeBSD VPS hosted on Contabo to my own OrangePI Nano 3, running Armbian. Technically, Contabo is great, but at the beginning of 2022 they started collecting 20% VAT in favor of putin and you might guess what those funds are for.

This blog post summarizes my experience installing OpenSMTPD and Dovecot in an LXC container on a tiny OrangePI Nano 3 SBC running Armbian. Actually, this is my second installation of a mail server since March, when I had no time to write down any notes. I also no longer use Rspamd because it seems to be broken on Linux, so I had to find a replacement for DKIM signing.

Installing LXC

The LXC container was created with the following command:

lxc-create -n mailserver -t debian -- -r bullseye

I used a privileged container initially but then moved to an unprivileged one. In the container, install the necessary packages:

apt install less nano psutils rsync apt-utils iputils-tracepath inetutils-ping \
            dnsutils nftables curl gnupg2 ca-certificates lsb-release debian-archive-keyring
apt install --no-install-recommends rsyslog logrotate cron
apt install opensmtpd dovecot-core dovecot-imapd dovecot-lmtpd python3-pip

The first two commands install a minimal usable system; you can revise that list to your taste.

OpenSMTPD

During installation, opensmtpd asks for the local domain, offering `localdomain` as the default name. In the previous installation I left it as is, and this did not cause any problems until I tried to post to some mailing list.

However, this time the OpenSMTPD installation did not complete for some reason. The domain I entered was not written to /etc/mailname, and it did not even create the basic /etc/mail directory. I had to do that myself. Things get worse over time, and the OpenSMTPD installation script looks even more broken than it did in March. Yes, this world is rolling to hell.

As I already had all the existing configuration files in /etc/mail, I simply copied them from the previous installation.

Rspamd

As I already said, the problems with Rspamd started back on the FreeBSD installation. Rspamd failed to sign messages for subdomains and I was unable to fix that in a reasonable time.

Later on I ran into trouble sending PDF attachments.

Finally, on Linux, it failed completely (or was it me who failed at using it?). It crashed even on DKIM signing. Again, I felt I was wasting my time trying to turn off everything but DKIM in its configuration files. No luck, and I went to find a replacement.

Basically, I don't filter out spam. Nowadays, email spammers seem to be old farts and their customers are the same old farts. I don't get any spam in my new mailboxes, and the only spam (approx. 500 messages over the last year) was sent to my very old mailbox in a 25-year-old domain I resurrected a couple of years ago. Given that I have much, much more storage space than holy gmail offers, I simply store all messages without reading them. Soon I'll write a script to detect if someone is really knocking.

The only thing I needed from Rspamd was DKIM signing, and there aren't too many alternatives out there, and all of them look like old shit. For example, opendkim was last released in 2015. Debian has a package but it does not work with OpenSMTPD. Another one, dkimproxy, is even older; its last release is dated 2011.

Finally I have found the solution: https://palant.info/2020/11/09/adding-dkim-support-to-opensmtpd-with-custom-filters/, https://gist.github.com/palant/c6ad869a1dd2cd79506898e4e8401438. Here's what we do:

pip install dkimpy

The above command installs dkimsign and dkimverify, but they seem to be outdated and do not accept the -c option. That's why we need Palant's scripts. Put them in /usr/local/bin and make them executable.

Make the following changes to /etc/smtpd.conf:

filter dkimverify proc-exec "/usr/local/bin/dkimverify.py example.com"
filter dkimsign proc-exec "/usr/local/bin/dkimsign.py -c /etc/mail/dkim/dkimsign.conf"

listen on eth0 port 25 tls pki mail.declassed.art filter dkimverify
listen on eth0 mask-src port 587 tls-require pki mail.declassed.art auth <passwd> filter dkimsign

Entries in /etc/mail/dkim/dkimsign.conf look like this:

declassed.art:20210603:/etc/mail/dkim/declassed.art.20210603
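
A pre-flight check for this file, as an added example that is not part of the original post or of Palant's scripts: it parses each `domain:selector:keypath` entry, reports missing key files or ones accessible to "other" users, and returns the DNS name where the matching public key has to be published. The function names, the three-field assumption and the sample entries are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_entry(line):
    """Split one 'domain:selector:keypath' entry (layout assumed from the line above)."""
    parts = line.strip().split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed entry: {line!r}")
    return tuple(parts)

def audit(conf_text):
    """Return (dns_names, problems) for every non-blank line of the config text."""
    dns_names, problems = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            domain, selector, keypath = parse_entry(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        # DKIM public keys live in a TXT record at <selector>._domainkey.<domain>
        dns_names.append(f"{selector}._domainkey.{domain}")
        try:
            mode = os.stat(keypath).st_mode
        except OSError:
            problems.append(f"line {lineno}: key file missing: {keypath}")
            continue
        if not stat.S_ISREG(mode):
            problems.append(f"line {lineno}: not a regular file: {keypath}")
        elif mode & 0o007:
            problems.append(f"line {lineno}: {keypath} is accessible to other "
                            f"users (mode {stat.S_IMODE(mode):o})")
    return dns_names, problems

def demo():
    """Run the audit on constructed entries backed by placeholder key files."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example.org.20240101")
        bad = os.path.join(d, "example.net.20240101")
        for path, mode in ((good, 0o600), (bad, 0o644)):
            with open(path, "w") as f:
                f.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        conf = (f"example.org:20240101:{good}\n"
                f"example.net:20240101:{bad}\nbroken-line\n")
        return audit(conf)

if __name__ == "__main__":
    names, problems = demo()
    print("\n".join(names + problems))
```

Against the real file, call `audit(open("/etc/mail/dkim/dkimsign.conf").read())` as a user that can stat the key files.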

Dovecot

This time I only created the vmail user and copied all the configuration and mailboxes from the previous installation. Nothing new.