§2024-11-01
- mail.yushei.net
- alexlai@mail:~/build/WildDuck$ cat yushei.net-nameserver.txt
DEPLOY SETUP
1. Add your ssh key to /home/deploy/.ssh/authorized_keys
2. Clone application code
$ git clone deploy@mail.yushei.net:/var/opt/wildduck.git
$ git clone deploy@mail.yushei.net:/var/opt/zone-mta.git
$ git clone deploy@mail.yushei.net:/var/opt/wildduck-webmail.git
$ git clone deploy@mail.yushei.net:/var/opt/haraka-plugin-wildduck.git
$ git clone deploy@mail.yushei.net:/var/opt/zonemta-wildduck.git
3. After making a change in the local copy, deploy it to the server
$ git push origin master
(you might need to use -f the first time you push)
NAMESERVER SETUP
================
MX
--
Add this MX record to the yushei.net DNS zone:
yushei.net. IN MX 5 mail.yushei.net.
SPF
---
Add this TXT record to the yushei.net DNS zone:
yushei.net. IN TXT "v=spf1 a:mail.yushei.net a:yushei.net ip4:210.242.152.235 ~all"
Or:
yushei.net. IN TXT "v=spf1 a:mail.yushei.net ip4:210.242.152.235 ~all"
yushei.net. IN TXT "v=spf1 ip4:210.242.152.235 ~all"
Some explanation:
SPF is basically a DNS entry (TXT) in which you define which hosts
(a:[HOSTNAME]) or IP addresses (ip4:[IP_ADDRESS]) are allowed to send
email for the domain.
The receiving server (e.g. Gmail's) looks this entry up and decides
whether you (the sending server) are allowed to send mail from
addresses at this domain.
If you are unsure, list more a: and ip4: entries rather than fewer,
but only hosts you control: every host you list can send mail as
your domain.
Example:
company website: awesome.com
company's email server: mail.awesome.com
company's mail server's DNS A record (with a matching PTR): mail.awesome.com -> 11.22.33.44
SPF record in this case would be:
awesome.com. IN TXT "v=spf1 a:mail.awesome.com a:awesome.com ip4:11.22.33.44 ~all"
The following servers can send emails for *@awesome.com email addresses:
awesome.com (company's website handling server)
mail.awesome.com (company's mail server)
11.22.33.44 (company's mail server's ip address)
Note that a:mail.awesome.com resolves to 11.22.33.44, so it overlaps
with ip4:11.22.33.44 and one of the two is redundant. Listing both does
no harm (better safe than sorry).
a:awesome.com is included because in this example the web server also
sends mail (confirmation emails, contact forms, etc.). Such a server is
usually outbound-only: it sends mail but never receives it.
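A small SPF evaluator, added here as a worked example (it is not part of WildDuck, ZoneMTA or this setup file), showing what the receiving server does with the records above. DNS answers come from a constructed in-memory table: the awesome.com and yushei.net records are the ones on this page, while the web server address 192.0.2.10, the domains shop.example and bulk.example, and the lookup-heavy toomany.example record are made up for the demonstration. It handles the ip4/ip6, a, mx, include and all mechanisms plus redirect=, enforces the 10-lookup limit, and returns the RFC 7208 result names.

```python
import ipaddress

# Constructed in-memory DNS data standing in for real lookups (example data only).
# The awesome.com and yushei.net records come from this page; 192.0.2.10 (the web
# server), shop.example, bulk.example and toomany.example are made up for the demo.
DNS = {
    "A": {
        "awesome.com": ["192.0.2.10"],
        "mail.awesome.com": ["11.22.33.44"],
        "mail.yushei.net": ["210.242.152.235"],
    },
    "MX": {"awesome.com": ["mail.awesome.com"], "yushei.net": ["mail.yushei.net"]},
    "TXT": {
        "awesome.com": ["v=spf1 a:mail.awesome.com a:awesome.com ip4:11.22.33.44 ~all"],
        "yushei.net": ["v=spf1 ip4:210.242.152.235 ~all"],
        "shop.example": ["v=spf1 mx:yushei.net -all"],        # sends via yushei.net's MX hosts
        "bulk.example": ["v=spf1 include:yushei.net -all"],   # delegates to yushei.net's policy
        # eleven lookup-triggering mechanisms: one over the RFC 7208 limit
        "toomany.example": ["v=spf1 " + " ".join(f"a:h{i}.example" for i in range(11)) + " -all"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: a, mx, include, ptr, exists and redirect count


def spf_record(domain, dns):
    """The domain's v=spf1 TXT record, None if it has none, "multiple" if it has several."""
    found = [t for t in dns["TXT"].get(domain, []) if t.split(" ", 1)[0].lower() == "v=spf1"]
    if not found:
        return None
    return found[0] if len(found) == 1 else "multiple"


def ip_matches(sender_ip, networks):
    """True if sender_ip lies in any of the networks (bare addresses count as /32 or /128)."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in networks)


def check_spf(domain, sender_ip, dns, lookups=None):
    """Evaluate domain's SPF policy for a connection from sender_ip.

    Returns one of the RFC 7208 results: pass, fail, softfail, neutral, none, permerror.
    Handles all, ip4, ip6, a, mx, include and redirect=; ptr, exists and exp are left out.
    """
    lookups = lookups if lookups is not None else [0]     # counter shared with includes
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    if record == "multiple":
        return "permerror"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                                    # modifier, e.g. redirect=_spf.example
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"                                    # no prefix means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if "/" in mech:                                    # "a/24" form: CIDR without a domain
            mech, _, cidr = mech.partition("/")
            arg = "/" + cidr
        mech = mech.lower()
        if mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_matches(sender_ip, [arg])
        elif mech in ("a", "mx"):
            host, _, cidr = arg.partition("/")
            host = host or domain
            hosts = [host] if mech == "a" else dns["MX"].get(host, [])
            addrs = [a for h in hosts for a in dns["A"].get(h, [])]
            matched = ip_matches(sender_ip, [a + ("/" + cidr if cidr else "") for a in addrs])
        elif mech == "include":
            sub = check_spf(arg, sender_ip, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"                        # include matches only on pass
        else:
            return "permerror"                             # unknown or unsupported mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                                           # applies only when nothing matched
        lookups[0] += 1
        result = check_spf(redirect, sender_ip, dns, lookups)
        return "permerror" if result == "none" else result
    return "neutral"                                       # nothing matched and no all term


if __name__ == "__main__":
    for domain, ip in [("awesome.com", "11.22.33.44"), ("awesome.com", "198.51.100.7"),
                       ("bulk.example", "210.242.152.235"), ("bulk.example", "203.0.113.5"),
                       ("toomany.example", "203.0.113.5")]:
        print(f"{domain:16} from {ip:16} -> {check_spf(domain, ip, DNS)}")
```

The include mechanism only matches when the included policy passes; a softfail or neutral inside an include is not a match, which is why bulk.example falls through to its own -all for hosts that yushei.net does not list. The shared lookup counter is what turns an over-long chain of a:, mx: and include: terms into a permerror, a common cause of silently broken SPF.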
DKIM
----
Add this TXT record to the yushei.net DNS zone (the key below is 1024-bit RSA, the smallest size verifiers still accept; 2048-bit is recommended):
sep2024._domainkey.yushei.net. IN TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV5l36RwIQYzNsiQvXsMnhZpnaltWluDkZcDSsViBQlaEROY5HiNB4AVY2I+F3c2vQ8CYtyPLecf7tQ3gcKcq1QdQk1nliUQogc660DNce5VuQQ4S2UoIr6C9VFbvsAURDNgc659Fzk166/DDxcf+NkexaCefcyMM46L0NefnoGQIDAQAB"
The DKIM key as it was registered with the WildDuck REST API (JSON body):
curl -i -XPOST http://localhost:8080/dkim \
-H 'Content-type: application/json' \
-d '{"domain":"yushei.net","selector":"sep2024","description":"Default DKIM key for yushei.net","privateKey":"-----BEGIN PRIVATE KEY-----\nMIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANXmXfpHAhBjM2yJ\nC9ewyeFmmdqW1aW4ORlwNKxWIFCVoRE5jkeI0HgBVjYj4Xdza9DwJi3I8t5x/u1D\neBwpyrVB1CTWeWJRCiBzrrQM1x7lW5BDhLZSgivoL1UVu+wBREM2Bzrn0XOTXrr8\nMPFx/42R7FoJ59zIwzjovQ15+egZAgMBAAECgYEAqtqDnnIxl91lKgCd0P+Jgd1u\nb0ekB+cK1OLnb/CrhzK9oQCUQVdrDTAkKMKoSb2MFSx9kny8Yio0Mlh+DCDlpESI\nME5xUZ1OlQb6FZXPiwDSl0yvEwa8UQEVlV/zqxrth3acEnP3UUEU7TUrZJ+GXeEo\n30zibelSRdseqw/v2AECQQDys7H3pROQZ3NGJFdDxdunEmfDBcWIahewskkQwXrx\ndDhXgsVCw4Sb07LFhIlHWdY/mPb2JXkCVkrZG0g/ogJZAkEA4Z6sn1M4wKxyHUoP\ntsqkXSVXN9VOObHuPcFI3hDJDkildlXv9kPCrZIfJhoeNdJjMLmw3UC5H2jOdmyr\njPTbwQJBAM1zXHYc4cDeMfDwloaimVyG8htfaWYfGUrUwZFTl/WJwqAh7UalKD6Z\nKL6XgXZLEFjp7jVUZ2mZDudWdwSW6pECQEziYpbkqDlYSobanyI+SeaH/AHFyaN1\nk+ctf6RU+f7JGMGLpXs5OhUl70Fvsw3KRQzsqm2rSap/b6QBgjBFnMECQDNyjca/\nH/gI18Mgz1oyD9vjh7tfYt14W7EP3Bfms8xfTXNF5DYSBSyWrysCyVpV+1oJpHjS\noZ44Gw8+1ftx1GY=\n-----END PRIVATE KEY-----\n"}'
Refer to the WildDuck API manual for the current way to add, update or
delete DKIM keys via the REST API (curl against localhost).
List DKIM keys:
curl -i http://localhost:8080/dkim
Delete a DKIM key (use the id returned by the list call):
curl -i -XDELETE http://localhost:8080/dkim/59ef21aef255ed1d9d790e81
Move DKIM keys to another machine:
Save the curl command and the DNS entry above.
Also copy the following two files:
/opt/zone-mta/keys/[MAILDOMAIN]-dkim.cert
/opt/zone-mta/keys/[MAILDOMAIN]-dkim.pem
pem: private key (guard it well: anyone who holds it can sign mail as
the domain; if it is ever exposed, generate a new key pair under a new
selector, publish the new DNS record and delete the old key)
cert: public key
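A checker for the DKIM record, added here as a worked example (it is not WildDuck's or zone-mta's code). It takes the sep2024 record and the private key from the curl command above as sample input, decodes the p= value with a minimal DER reader (no third-party crypto library), reports the RSA key size against the RFC 8301 minimum of 1024 and recommended 2048 bits, checks that the published public key belongs to the private key that was installed, and shows how a longer record has to be split into quoted strings of at most 255 bytes for a zone file. The function names and the report layout are this example's own.

```python
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# Sample input taken from this page: the sep2024 DNS record and the private key from
# the curl command above, i.e. the same key pair the installer generated.
DKIM_TXT = (
    "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV5l36RwIQYzNsiQvXsMnhZpnaltWluDkZ"
    "cDSsViBQlaEROY5HiNB4AVY2I+F3c2vQ8CYtyPLecf7tQ3gcKcq1QdQk1nliUQogc660DNce"
    "5VuQQ4S2UoIr6C9VFbvsAURDNgc659Fzk166/DDxcf+NkexaCefcyMM46L0NefnoGQIDAQAB"
)
PRIVATE_KEY_PEM = """-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANXmXfpHAhBjM2yJ
C9ewyeFmmdqW1aW4ORlwNKxWIFCVoRE5jkeI0HgBVjYj4Xdza9DwJi3I8t5x/u1D
eBwpyrVB1CTWeWJRCiBzrrQM1x7lW5BDhLZSgivoL1UVu+wBREM2Bzrn0XOTXrr8
MPFx/42R7FoJ59zIwzjovQ15+egZAgMBAAECgYEAqtqDnnIxl91lKgCd0P+Jgd1u
b0ekB+cK1OLnb/CrhzK9oQCUQVdrDTAkKMKoSb2MFSx9kny8Yio0Mlh+DCDlpESI
ME5xUZ1OlQb6FZXPiwDSl0yvEwa8UQEVlV/zqxrth3acEnP3UUEU7TUrZJ+GXeEo
30zibelSRdseqw/v2AECQQDys7H3pROQZ3NGJFdDxdunEmfDBcWIahewskkQwXrx
dDhXgsVCw4Sb07LFhIlHWdY/mPb2JXkCVkrZG0g/ogJZAkEA4Z6sn1M4wKxyHUoP
tsqkXSVXN9VOObHuPcFI3hDJDkildlXv9kPCrZIfJhoeNdJjMLmw3UC5H2jOdmyr
jPTbwQJBAM1zXHYc4cDeMfDwloaimVyG8htfaWYfGUrUwZFTl/WJwqAh7UalKD6Z
KL6XgXZLEFjp7jVUZ2mZDudWdwSW6pECQEziYpbkqDlYSobanyI+SeaH/AHFyaN1
k+ctf6RU+f7JGMGLpXs5OhUl70Fvsw3KRQzsqm2rSap/b6QBgjBFnMECQDNyjca/
H/gI18Mgz1oyD9vjh7tfYt14W7EP3Bfms8xfTXNF5DYSBSyWrysCyVpV+1oJpHjS
oZ44Gw8+1ftx1GY=
-----END PRIVATE KEY-----"""


def der_read(buf, pos=0):
    """Read one DER TLV at pos: return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """All TLVs directly inside a constructed value, as (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = der_read(contents, pos)
        out.append((tag, value))
    return out


def require_rsa(alg_id):
    if der_children(alg_id)[0] != (0x06, RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")


def rsa_public_from_spki(der):
    """(n, e) from a SubjectPublicKeyInfo, which is what DKIM's p= tag carries."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    (_, alg_id), (bits_tag, bits) = der_children(body)
    require_rsa(alg_id)
    if bits_tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = der_read(bits, 1)        # skip the unused-bits byte
    (_, n), (_, e) = der_children(rsa_pub)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def rsa_public_from_pkcs8(pem):
    """(n, e) from an unencrypted PKCS#8 'BEGIN PRIVATE KEY' PEM, as zone-mta stores it."""
    b64 = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    _, body, _ = der_read(base64.b64decode(b64))
    (_, _version), (_, alg_id), (_, key_octets) = der_children(body)[:3]
    require_rsa(alg_id)
    _, rsa_priv, _ = der_read(key_octets)
    fields = der_children(rsa_priv)          # version, n, e, d, p, q, dp, dq, qinv
    return int.from_bytes(fields[1][1], "big"), int.from_bytes(fields[2][1], "big")


def parse_dkim_txt(txt):
    """tag=value pairs of a DKIM record; whitespace inside values is dropped (RFC 6376 3.6.1)."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags


def dkim_key_report(txt, private_pem=None):
    tags = parse_dkim_txt(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("only v=DKIM1 with k=rsa is handled here")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    if tags["p"] == "":
        return {"revoked": True}             # empty p= means the selector was revoked
    n, e = rsa_public_from_spki(base64.b64decode(tags["p"]))
    report = {"revoked": False, "bits": n.bit_length(), "exponent": e,
              "meets_rfc8301_minimum": n.bit_length() >= 1024,   # verifiers reject smaller keys
              "recommended_size": n.bit_length() >= 2048}
    if private_pem is not None:
        report["matches_private_key"] = rsa_public_from_pkcs8(private_pem) == (n, e)
    return report


def zone_txt_strings(record, limit=255):
    """Split a record into <=255-byte quoted strings; resolvers join them back together."""
    return " ".join('"%s"' % record[i:i + limit] for i in range(0, len(record), limit))


if __name__ == "__main__":
    print(dkim_key_report(DKIM_TXT, PRIVATE_KEY_PEM))
    print("sep2024._domainkey.yushei.net. IN TXT", zone_txt_strings(DKIM_TXT))
```

The p= value of a 2048-bit key is about 392 characters, so its record no longer fits in one 255-byte TXT string; zone_txt_strings produces the multi-string form that zone files and most DNS provider UIs require. A mismatch between the private key and the published record is the usual reason DKIM signatures verify locally but fail at the receiver, which is why the report compares the two.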
DMARC
-----
Add this TXT record to the yushei.net DNS zone (p=reject asks receivers to reject mail from yushei.net that passes neither SPF nor DKIM with alignment, so have the SPF and DKIM records above in place first):
_dmarc.yushei.net. IN TXT "v=DMARC1; p=reject;"
PTR
---
Make sure that your public IP has a PTR record set to mail.yushei.net.
If your hosting provider does not allow you to set PTR records but has
assigned their own hostname, then edit /etc/zone-mta/pools.toml and replace
the hostname mail.yushei.net with the actual hostname of this server.
TL;DR
-----
Add the following DNS records to the yushei.net DNS zone:
yushei.net. IN MX 5 mail.yushei.net.
yushei.net. IN TXT "v=spf1 ip4:210.242.152.235 ~all"
sep2024._domainkey.yushei.net. IN TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV5l36RwIQYzNsiQvXsMnhZpnaltWluDkZcDSsViBQlaEROY5HiNB4AVY2I+F3c2vQ8CYtyPLecf7tQ3gcKcq1QdQk1nliUQogc660DNce5VuQQ4S2UoIr6C9VFbvsAURDNgc659Fzk166/DDxcf+NkexaCefcyMM46L0NefnoGQIDAQAB"
_dmarc.yushei.net. IN TXT "v=DMARC1; p=reject;"
(this text is also stored in /home/alexlai/build/WildDuck/yushei.net-nameserver.txt)