
Setting Up mail.wasson.io


My wife is a huge fan of Hey for her email platform; the screen-out-by-default approach, the organization tools, and the separation from work tooling are things she points out, but wait for her blog post on it for the actual reasons why.[1]

However, we have an Enterprise Office365 domain set up for our household; giving access to my PA, having all the Office applications, and Microsoft being the most likely of the good email providers to still exist 20 years from now[2] means that it gives us a lot of flexibility and staying power… at least most of the time. It turns out O365 has now deprecated plain SMTP AUTH, and it's difficult to get Hey to use it as a sender. So what better time to set up our own SMTP server for outgoing mail.

I went straight for a DigitalOcean droplet deployed using my Terraform repository; all of my infrastructure is managed by Terraform so that it's reproducible, and I hate web consoles. I gave the droplet a floating IP address so that I can move it in the future and immediately went to Spamhaus's blocklist removal page to check the status of the IP address. Getting removed can take a while, so it's better to start that as soon as possible. Sure enough, the DO IP address was on the blocklist, so I opened a ticket with:

Hello! I was just assigned this IP address by my cloud provider and am planning on using it for a new mail server. I was assigned the IP address at <time that terraform run finished>

Note that I included the time I was assigned the IP address! It's one of the questions they ask, but it isn't mentioned in the introductory documentation; because I included that time, this ticket was resolved in one message.

Then it was off to configure the new Debian 12 machine. I installed postfix for the SMTP server and dovecot-imap via apt. I wasn't planning on using IMAP, but I needed Dovecot for the SASL authentication that lets my users log in.

From there it was:

# Install postfix and dovecot
apt install postfix dovecot-imap
# Install certbot for TLS certificates
apt install certbot
# Provision certificate
certbot certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d mail.wasson.io

Then on to the Postfix configuration; the additions I made to /etc/postfix/main.cf were:

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.wasson.io/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.wasson.io/privkey.pem
smtpd_tls_auth_only = yes

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
maillog_file = /var/log/postfix.log

I also needed to enable the smtpd listener in /etc/postfix/master.cf by uncommenting the smtpd and submission lines.

I had to tweak /etc/dovecot/conf.d/10-master.conf so that the service auth block reads:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

Then simply add the new users via adduser and give them big, long passwords. Postfix was ready to go.
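The smtpd_tls_auth_only = yes line above is the setting that keeps those big, long passwords off the wire in plaintext: Postfix must not advertise AUTH until STARTTLS has completed. The script below is an added example (not from the original post) that checks exactly that ordering. parse_ehlo and evaluate work on the constructed EHLO responses embedded in the file, so the check runs offline; check_live is the same evaluation against a real host on port 587 and assumes mail.wasson.io is the server being verified.

```python
"""Check that an SMTP submission server only offers AUTH after STARTTLS.

Added example, not code from the original post. The EHLO_* samples are
constructed, not captured from a real server; check_live() needs network
access to the host it is given (assumed to be mail.wasson.io:587).
"""
import smtplib
import ssl


def parse_ehlo(response_text):
    """Parse a raw multi-line EHLO response into {keyword: params}.

    The first line (the server's own name) is skipped, matching how
    smtplib fills SMTP.esmtp_features; keywords are lower-cased.
    """
    features = {}
    for line in response_text.splitlines()[1:]:
        body = line[4:]  # strip the '250-' / '250 ' prefix
        keyword, _, params = body.partition(" ")
        features[keyword.lower()] = params
    return features


def auth_offered(ehlo_extensions):
    """True if the AUTH extension is present in an EHLO extension map."""
    return "auth" in ehlo_extensions


def evaluate(before_tls, after_tls):
    """Return (ok, findings).

    ok is True only when AUTH is absent on the plaintext channel, STARTTLS
    is offered there, and AUTH appears after the TLS handshake, i.e. the
    behaviour smtpd_tls_auth_only = yes is meant to produce.
    """
    findings = []
    if auth_offered(before_tls):
        findings.append("AUTH advertised on the plaintext channel")
    if "starttls" not in before_tls:
        findings.append("STARTTLS not advertised")
    if not auth_offered(after_tls):
        findings.append("AUTH not advertised after STARTTLS")
    return (not findings, findings)


def check_live(host, port=587):
    """Run the same evaluation against a real server (needs network)."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo(host)
        before = dict(smtp.esmtp_features)  # smtplib lower-cases keywords too
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo(host)  # features are re-read after the TLS handshake
        after = dict(smtp.esmtp_features)
    return evaluate(before, after)


# Constructed sample responses (not captured from a real server).
EHLO_BEFORE_OK = """250-mail.wasson.io
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

EHLO_AFTER_OK = """250-mail.wasson.io
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

# What a server without smtpd_tls_auth_only looks like: AUTH before TLS.
EHLO_BEFORE_WEAK = """250-mail.wasson.io
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    print(evaluate(parse_ehlo(EHLO_BEFORE_OK), parse_ehlo(EHLO_AFTER_OK)))
    print(evaluate(parse_ehlo(EHLO_BEFORE_WEAK), parse_ehlo(EHLO_AFTER_OK)))
```

With broken_sasl_auth_clients = yes, Postfix also emits a second "AUTH=PLAIN LOGIN" line for old Outlook Express style clients; parse_ehlo stores that under its own key, and the check still keys on the standard AUTH keyword.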

I updated the SPF records of our two[3] domain names to include a:mail.wasson.io via Terraform, and used swaks to send a test email:

swaks --to chip@wasson.io --server mail.wasson.io:587 --auth LOGIN --tls --from chip@mail.wasson.io
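Adding a:mail.wasson.io to the SPF record means "any address the A record of mail.wasson.io resolves to may send for this domain". The evaluator below is an added example (not from the original post) that walks an SPF record the way a receiver does, over a constructed stand-in for DNS, so you can confirm the new mechanism authorises the droplet's IP before sending real mail. The IP addresses, and the contents of the spf.protection.outlook.com include, are assumptions made for the example, not the real wasson.io records. It handles the general mechanism set (ip4/ip6, a, mx, include, all with qualifiers), which goes beyond the single a: mechanism the post adds.

```python
"""Evaluate an SPF record for a sender IP over a constructed DNS table.

Added example, not from the original post. DNS below is a stand-in:
TEST-NET addresses are used as placeholders and the outlook.com record
is an assumption, not the real published record.
"""
import ipaddress

# Constructed stand-in for DNS: (name, rrtype) -> list of record values.
DNS = {
    ("wasson.io", "TXT"): [
        "v=spf1 include:spf.protection.outlook.com a:mail.wasson.io -all",
    ],
    ("mail.wasson.io", "A"): ["203.0.113.25"],  # placeholder droplet IP
    ("spf.protection.outlook.com", "TXT"): [
        "v=spf1 ip4:198.51.100.0/24 -all",  # assumed, not the real record
    ],
    ("example.org", "TXT"): ["v=spf1 mx ~all"],
    ("example.org", "MX"): ["mx.example.org"],
    ("mx.example.org", "A"): ["192.0.2.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    return DNS.get((name, rrtype), [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it has none."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_spf(domain, ip, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'
    for `ip` sending with a MAIL FROM in `domain`.

    Mechanisms are tried left to right; the first match decides, with its
    qualifier giving the result. `depth` guards against include loops.
    """
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # `in` is False when address and network families differ
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host = arg or domain
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(host, "A"))
        elif mech == "mx":
            host = arg or domain
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(host, "MX") for a in lookup(mx, "A"))
        elif mech == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"
        else:
            continue  # modifiers such as redirect= / exp= are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for sender in ("203.0.113.25", "198.51.100.7", "192.0.2.1"):
        print(sender, check_spf("wasson.io", sender))
```

Note that the a: mechanism only authorises whatever the A record points at, so if the droplet's floating IP is ever moved the SPF result follows the DNS change automatically; an ip4: mechanism would have to be edited by hand.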

Sure enough, looking in /var/log/postfix.log I saw O365 rejecting the email because the IP was on the Spamhaus blocklist. But at least that meant the systems were working OK.
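Reading that rejection out of /var/log/postfix.log by eye works for one test message, but the same file is where you will later spot deliverability problems, so it pays to parse the smtp(8) delivery records properly. The following is an added example (not from the original post) that extracts queue ID, relay, DSN and status from each delivery line, counts outcomes, and flags bounces whose server reply mentions a blocklist. The log lines are constructed to match Postfix's record format; the queue IDs, addresses and relay names are placeholders, not values from the post.

```python
"""Triage Postfix delivery log lines for rejections such as a blocklist hit.

Added example, not from the original post. SAMPLE_LOG is constructed in
the shape of Postfix smtp(8) delivery records; IPs are TEST-NET
placeholders and the queue IDs are made up.
"""
import re
from collections import Counter

# One regex for the "to=<...>, relay=..., ..., dsn=..., status=... (...)" record.
DELIVERY_RE = re.compile(
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<(?P<to>[^>]*)>, (?:orig_to=<[^>]*>, )?relay=(?P<relay>[^,]+), "
    r"(?:conn_use=\d+, )?delay=[\d.]+, delays=[\d./]+, dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$"
)

# Phrases receivers commonly put in a reply when the client IP is listed.
BLOCKLIST_MARKERS = ("spamhaus", "blocked using", "listed at", "blacklist")


def parse_delivery(line):
    """Return a dict for a delivery-status line, or None for any other line
    (connects, SASL logins, cleanup messages and so on are skipped)."""
    m = DELIVERY_RE.search(line)
    return m.groupdict() if m else None


def triage(lines):
    """Summarise deliveries: counts per status plus blocklist-looking failures."""
    counts = Counter()
    blocklisted = []
    for line in lines:
        rec = parse_delivery(line)
        if rec is None:
            continue
        counts[rec["status"]] += 1
        detail = rec["detail"].lower()
        if rec["status"] != "sent" and any(m in detail for m in BLOCKLIST_MARKERS):
            blocklisted.append((rec["qid"], rec["relay"], rec["dsn"]))
    return {"counts": dict(counts), "blocklisted": blocklisted}


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    "Jun 10 21:14:01 mail postfix/smtpd[2190]: connect from unknown[203.0.113.50]",
    "Jun 10 21:14:02 mail postfix/smtp[2201]: 7A1B2C3D4E: to=<chip@wasson.io>, "
    "relay=wasson-io.mail.protection.outlook.com[203.0.113.9]:25, delay=1.4, "
    "delays=0.2/0.1/0.6/0.5, dsn=5.7.1, status=bounced (host "
    "wasson-io.mail.protection.outlook.com[203.0.113.9] said: 550 5.7.1 Service "
    "unavailable, Client host [198.51.100.25] blocked using Spamhaus. "
    "(in reply to MAIL FROM command))",
    "Jun 10 21:30:44 mail postfix/smtp[2233]: 1A2B3C4D5E: to=<someone@example.com>, "
    "relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred "
    "(connect to mx.example.com[192.0.2.10]:25: Connection timed out)",
    "Jun 11 08:02:17 mail postfix/smtp[2410]: 9F8E7D6C5B: to=<chip@wasson.io>, "
    "relay=wasson-io.mail.protection.outlook.com[203.0.113.9]:25, delay=0.9, "
    "delays=0.1/0.1/0.3/0.4, dsn=2.0.0, status=sent (250 2.6.0 "
    "<test@mail.wasson.io> Queued mail for delivery)",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Feed the real file with triage(open("/var/log/postfix.log")); a non-empty blocklisted list is the cue to go back to the removal page before doing anything else, since no amount of SPF tuning helps while the IP itself is listed.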

I left things alone overnight, and Spamhaus removed the block in that time.

After sending another swaks test and seeing it accepted in the postfix log, we hopped into Lizzie's Hey configuration and added the SMTP sender. Everything worked fine after that!

Overall the process has been pretty painless so far, and we'll see how much of a pain deliverability is in the future. The HN crowd always seems to be debating whether or not it's possible to maintain deliverability in 2023. Soon I'll have my own IPv4 address space though, and that should make things easier. I should also be able to deprecate the email forwarding service I pay for and just have this postfix instance do it in the future.

Footnotes

  1. Technically, it’s my fault she got onto Hey in the first place. I was trialing it for my email platform but it didn’t stick.

  2. It's very unlikely that future generations will care about the emails we got this week, but it's still nice to have an archive of everything just in case. Our incoming mail still goes through O365 and is archived there, but hers ends up in Hey, until they choose to delete it.

  3. We use <first>@<last>.io for our email addresses so we have two different domains.


Thanks for reading! Facts and circumstances may have changed since the publication of this post so it's worth checking for new posts to see if anything's changed before jumping to conclusions.

Have a question or idea? Shoot me an email at _@chip.bz or ping me on mastodon at talking.dev/@chip.