Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
= Self Managed Email with Mailcow & Postmark =

Up to this point, we have only set up mailcow for contacts & calendar syncing. '''This is as far as you should go.''' Self managed email is not for the faint of heart. If you are a beginner, do not pass go, do not collect $200, and skip on to the next section.

'''Choosing to do self managed email is like most of my relationship decisions:'''

# Just because you can doesn’t mean you should
# It’s messy, complicated, high maintenance.
# You’ll regret it later.

That being said, if you wish to continue…

<span id="why-do-i-need-smtp-relay"></span>
== Why do I need SMTP relay? ==

You need an SMTP relay server if you want people to actually see your email. No man is an island, and none of your mail is going to go anywhere without an SMTP relay. Gmail, etc., everyone will ''“lol”'' at you if they see you sending email from your home email server.

As a society, we have chosen being spam-free over email sovereignty. You’re welcome to ''try'' running an email server on your residential internet account, but your mail is not going to get anywhere.

I’m not suggesting your email will end up in spam. It will be rejected by the server before its spam filter even sees it. 99% of the time that a major email server receives mail from a server on a residential internet connection, it’s from someone who got hacked & is now unknowingly spamming half of the internet.

We traded freedom to be rid of spam. Whether or not you think this is fair is irrelevant; it’s how the world is. If you want your email to make it to most of your intended recipients, you need an SMTP relay.

SMTP relay sends your mail through Postmark’s trusted server. Using Postmark, iCloud/Gmail will let your mail through, rather than assume some schmuck running Windows XP Service Pack 1 with his banking password post-it-noted to his monitor is part of a spam botnet.

Think of it like doing business in NYC. You are paying a troll toll for the ability to send email.
But Postmark are nice people, so you’ll enjoy it. I hope they don’t cancel my services on account of me comparing them to [https://www.youtube.com/watch?v=qFVwQCFhKSE&list=PLkVbIsAWN2lvzWirQsz6haGEjJ2b2e6Ho&index=2 New York City government]. I’m sorry, Postmark; that was uncalled for. :’(

<span id="step-1-setting-up-postmark-as-an-smtp-relay"></span>
== Step 1: Setting Up Postmark as an SMTP Relay ==

<span id="create-a-postmark-account"></span>
==== 1.1 Create a Postmark Account ====

* Go to: [https://postmarkapp.com postmarkapp.com]
* Sign up: Click on the '''Start free trial''' button at the top right-hand corner of the page.
** This is a paid service and you are going to pay, one way or another. If you don’t want to deal with forgetting you signed up for a trial, you can use [https://privacy.com privacy.com] to create a temporary credit card that is authorized for $50, then delete it the second you put it into Postmark. But if you choose to go the self-hosted email route, you will be paying; keep that in mind.
* Complete the registration: Enter the required details (email, password, etc.) and confirm your account through email verification.

'''Talk to Postmark; they need to know you are not a spammer.'''

* Postmark isn’t going to let you send email using their servers without taking them to dinner first. You need to get to know them & they need to get to know you. They don’t let just ANYONE use their servers.
* This will take a day, or a few days, for them to verify that you are not a known spammer/scammer. This might require gently nudging customer service if they do not get back to you quickly, but they usually do because Postmark is staffed by awesome people.
* They may ask for info about you. '''This is normal; no reputable SMTP relay wants to be responsible for helping deliver spam!''' This may seem inconvenient, but it’s for the greater good of a spam free internet. If you don’t like that this is a thing, make sure to berate ''(verbally, of course)'' the next spammer you encounter. These people never refer to themselves by their proper name; they’re not ''“spammers,”'' they’re ''“email marketers.”''

'''If you check two of these three boxes, you are very likely a spammer, and have contributed to the amount of annoyance, aggravation, & irritation that good people experience:'''

Are you responsible for sending me email that:

# utilizes templates
# includes in-line images
# has an “UNSUBSCRIBE” button

If you are, '''gargle my balls.'''

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_2dbf5b37.png
File:lu55028jxdmy_tmp_1b2ce54b.png
</gallery>

<span id="create-a-new-server"></span>
==== 1.2 Create a New Server ====

# Navigate to the '''Servers''' page:
#* After logging in, go to https://account.postmarkapp.com/servers or find the “Servers” tab in the top navigation bar.
# Create a new server:
#* Click on the '''Create Server''' button on the “Servers” page.
#* '''Name your server''': Enter a name for your pretty new SMTP relay server.
#* Click '''Save''' to create the server.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_b5a39c43.png
</gallery>

<span id="configure-message-streams"></span>
==== 1.3 Configure Message Streams ====

# Navigate to the server you just set up by clicking on its name.
# Choose '''Default Transactional Stream''' from the three message streams it shows you.

<blockquote>'''Note:''' <code>Transactional</code> is for messages that are low volume but meant to be sent fast to an individual user; <code>broadcast</code> is for messages sent out to lots of users (aka spam) that are not time sensitive.
</blockquote>

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_50cffcf2.png
</gallery>

<span id="get-smtp-relay-credentials"></span>
==== 1.4. Get SMTP Relay Credentials ====

# Navigate to the '''Setup Instructions''' page after clicking onto your message stream.
# If you forgot how to do this, you click '''Servers → Default Transactional stream → Setup Instructions'''.
# After configuring the outbound stream, go to the '''Setup Instructions''' page for the '''Transactional Outbound Stream'''.
# You will be overwhelmed with options under '''Pick the library or integration''' – no need to fear, we are picking '''SMTP'''.

'''SMTP details:'''

<ul>
<li><p>'''Server''': <code>smtp.postmarkapp.com</code></p></li>
<li><p>'''Ports''': 25, 2525, or 587. ''We will be using 587 with STARTTLS. You do not need to pick anything or configure anything here; this is just a page showing you your credentials you will put into Mailcow later. Save them securely. Pretend this is your bank password & treat it accordingly.''</p></li>
<li><p>'''Authentication''': Postmark supports Plain Text, CRAM-MD5, or TLS.</p></li>
<li><p>'''Username''': This is your Postmark server token. It will look like a long string of characters (e.g., <code>1788dd83-9917-46e1-b90a-3b9a89c10bd7</code>).</p></li>
<li><p>'''Password''': The same value as the username (Postmark uses the server token as both the username and password).</p></li>
<li><blockquote><p>'''Note:''' As I go throughout this video, I will be using MY credentials as an example. THESE WILL NOT BE THE SAME AS YOURS. USE YOUR OWN CREDENTIALS.</p></blockquote></li>
</ul>

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_5a1ef5db.png
File:lu55028jxdmy_tmp_e265caf6.png
File:lu55028jxdmy_tmp_22cccc55.png
</gallery>

<span id="step-2-configuring-mailcow-to-use-postmark-as-smtp-relay"></span>
== Step 2: Configuring Mailcow to use Postmark as SMTP relay ==

<span id="access-mailcow-admin-interface"></span>
==== 2.1. Access Mailcow Admin Interface ====

# '''Log in to Mailcow''':
# Navigate to your Mailcow instance by going to the admin interface URL (e.g., https://192.168.5.3/admin) or https://mailserver.home.arpa/admin.
# Use your administrator credentials to log in.

<span id="find-smtp-relay-section"></span>
==== 2.2. Find SMTP relay section ====

# From the main Mailcow admin dashboard, click '''System''' at the top and then click '''Configuration'''.
# Click onto the '''routing''' tab.
# Note the '''“add sender-dependent transport”''' section. This is where we will be placing our Postmark credentials.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_e2f517bd.png
File:lu55028jxdmy_tmp_d0f1df1f.png
File:lu55028jxdmy_tmp_7f812343.png
File:lu55028jxdmy_tmp_259c85b9.png
File:lu55028jxdmy_tmp_85086323.png
</gallery>

<span id="enter-postmark-smtp-details"></span>
==== 2.3 Enter Postmark SMTP Details ====

# Use the credentials provided by Postmark in the prior step, which have a screenshot included.
#* '''SMTP Server''': Set the SMTP server to Postmark’s SMTP, which at the time of writing for me was <code>smtp.postmarkapp.com:587</code>.
#* '''Ports''': If Postmark still offers port 587 for TLS when you read this, use port 587.
#* '''Username & Password''': Enter your Postmark server token (the token provided by Postmark when you created your server). This token serves as both the username and password. This is what you see on the '''servers —> default transactional stream —> setup instructions —> SMTP''' page under ''“Authenticate with a server token and specify stream with a header”''
#* '''Example''':
#** '''Username''': <code>1788dd83-9917-46e1-b90a-3b9a89c10bd7</code> (replace with your actual token).
#** '''Password''': Same as the username (server token).
# Click '''Add'''.
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_c2bfd8f9.png
File:lu55028jxdmy_tmp_146d196d.png
File:lu55028jxdmy_tmp_93c26e5c.png
</gallery>

<span id="step-3-adding-a-domain-name-mailbox-to-mailcow"></span>
== Step 3: Adding a Domain Name & Mailbox to Mailcow ==

<span id="add-a-domain-1"></span>
==== 3.1. Add a Domain ====

# Go to '''Email → Configuration''' on the top menu.
# Go to the '''Domains''' tab.
# In the '''Domains''' tab, click '''Add domain'''.
# Enter your domain name (in my case, stevesavers.com).
# Set any desired options (quota, aliases, etc.).
# Make sure DKIM key length is at least 2048.
# Click '''Add domain and restart SOGo'''.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_74c2130f.png
File:lu55028jxdmy_tmp_d74edddb.png
File:lu55028jxdmy_tmp_1aa99468.png
File:lu55028jxdmy_tmp_30fff2e9.png
File:lu55028jxdmy_tmp_6eaf338a.png
</gallery>

<span id="set-postmark-as-the-relay"></span>
==== 3.2 Set Postmark as the Relay ====

'''IF YOU DO NOT DO THIS, NONE OF YOUR EMAIL WILL SEND!'''

* Click '''Edit''' on the domain name you just created.
* Now you will see a NEW option: '''sender-dependent transports'''.
* In the domain settings, find the option labeled '''sender-dependent transports''' and select the newly created Postmark relay (e.g., <code>smtp:postmarkapp.com</code>). Set this to the Postmark SMTP relay server you set up in the prior step. Sometimes this is already checked for you, but it is safe to '''''inspect what you expect''''' so you don’t get screwed!

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_e994614f.png
File:lu55028jxdmy_tmp_6e65b29c.png
File:lu55028jxdmy_tmp_10bee612.png
File:lu55028jxdmy_tmp_42594faf.png
File:lu55028jxdmy_tmp_aa150a6e.png
</gallery>

<span id="add-an-email-account-1"></span>
==== 3.3. Add an Email Account ====

* Go to '''Email → Configuration → Mailboxes'''.
* In the '''Mailboxes''' tab, click '''Add mailbox'''.
* Enter the username (the part before @ in the email address).
* Choose the domain name (e.g., <code>louis@yourdomain.com</code>).
* Set a password for the mailbox.
* Configure any additional options as you want.
* Click '''Add mailbox'''.

<span id="save-changes-and-apply"></span>
==== 3.4 Save Changes and Apply ====

* After choosing the <code>smtp.postmarkapp.com:587</code> SMTP relay, click '''Save Changes''' to apply the settings.

<span id="accessing-sogo-webmailcalendarcontacts"></span>
==== 3.5 Accessing SOGo Webmail/calendar/contacts ====

# Go to https://mailserver.home.arpa, or in this case, https://192.168.5.3/SoGo.
# Log in with your credentials.
# Click on '''Apps''' in the top right corner.

<blockquote>'''Note''': When logging in, make sure to use your full email address. This is necessary because Mailcow supports multiple domains, so the full email address is required to identify the correct account.
</blockquote>

You can also set up your email client or mobile device using the configuration details provided in the Mailcow interface.

<span id="step-4-setting-up-dns-records-in-your-domain-registrar"></span>
== Step 4: Setting up DNS Records in your domain registrar ==

<span id="introduction-to-domain-registrars"></span>
=== Introduction to domain registrars ===

<span id="what-is-a-domain-registrar"></span>
==== What is a domain registrar? ====

This is who you buy your website name from. If you don’t know what this is… for the love of god skip the self-hosted email section.

<span id="namecheap.com-as-an-example"></span>
==== Namecheap.com as an example ====

Namecheap is a cheap & easy way to register a domain name. I will use them as an example. Their interface for DNS configuration is similar to 99% of the available providers out there.
If you have any trouble setting up these records, contact the support staff of your domain name provider who will happily provide you tech support commensurate with the fifteen dollars per year you pay them. No really, you’re on your own here… do you ''really'' want to do this??

I would love to show you how to do this on every provider, but at this time this manual is 605 pages, the video is 12+ hours, and I would like to return to my life. You will be able to find similar settings, menus, and fields in your DNS registrar if your provider isn’t horrible.

<span id="configuring-dns-records-in-namecheap"></span>
=== Configuring DNS records in Namecheap ===

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_2c3c94e.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_703091b1.png
</gallery>
</div>

<span id="find-the-dkim-thing-for-your-domain"></span>
==== 4.1. Find the DKIM thing for your domain ====

# Go to '''Email → Configuration''' on the top menu.
# Go to the '''Domains''' tab.
# In the '''Domains''' tab, click '''edit''' on the domain you created (in my case, stevesavers.com).
# Scroll down to the DKIM section. Keep this tab open for now; we will come back to it later.
# We’re not changing anything here, so there’s no need to save changes or make any changes. We just want that DKIM thing.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_ffbba2cb.png
</gallery>

<span id="configure-dns-records-in-namecheap"></span>
==== 4.2 Configure DNS records in Namecheap ====

# Log into your Namecheap.com account.
# Go to Domain List and click '''Manage''' next to your domain.
# Navigate to the '''Advanced DNS''' tab.
# Here are the DNS records I added: you will fill them according to your specific setup.
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_39fbaebb.png
</gallery>

<span id="cname-record"></span>
===== CNAME Record =====

* '''Host''': <code>pm-bounces</code> (Keep this exactly the same)
* '''Value''': <code>pm.mtasv.net.</code> (Keep this exactly the same)
* '''TTL''': Automatic (Keep this the same unless your DNS provider requires a different TTL setting)

This CNAME record is used by Postmark for handling email bounces. When an email bounces, it will be sent to <code>pm-bounces.[yourdomain]</code>, which forwards the bounce to Postmark’s servers. No changes are needed unless you are using a different bounce-handling service.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_22a6cdb4.png
</gallery>

<span id="dmarc-record-txt"></span>
===== DMARC Record (TXT) =====

* '''Host''': <code>_dmarc</code> (Keep this exactly the same)
* '''Value''': <code>v=DMARC1; p=none; rua=mailto:dmarc@stevesavers.com</code> ''(Change only the email address after <code>rua=mailto:</code> to your own)''

Here’s what stays the same and what changes:

* <code>v=DMARC1</code>: (Keep this exactly the same)
* <code>p=none</code>: (Keep this exactly the same for monitoring; change to <code>p=quarantine</code> or <code>p=reject</code> once you’re ready to enforce DMARC)
* <code>rua=mailto:</code> [mailto:dmarc@stevesavers.com '''dmarc@stevesavers.com''']: Change <code>stevesavers.com</code> to your own domain and use an email where you want to receive DMARC reports.

This DMARC record helps protect your domain from email spoofing. For now, it’s in monitoring mode, so keep <code>p=none</code> if you want to monitor. If you’re ready to enforce policy, change <code>p=none</code> to <code>p=quarantine</code> or <code>p=reject</code>.
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_aa66e26f.png
File:lu55028jxdmy_tmp_257280e5.png
File:lu55028jxdmy_tmp_edea6316.png
File:lu55028jxdmy_tmp_65dc145a.png
File:lu55028jxdmy_tmp_7c22f73c.png
File:lu55028jxdmy_tmp_93ecca45.png
File:lu55028jxdmy_tmp_62fd886c.png
File:lu55028jxdmy_tmp_2a58b7ee.png
</gallery>

<span id="postmark-dkim-record-txt"></span>
===== Postmark DKIM Record (TXT) =====

You get this record as follows:

# Go to postmark.com and log in.
# Go to your domain interface, go to '''Sender Signatures''', click '''Add Domain or Signature''', then '''Add Sender Signature'''.
# Once you’re done it’ll present you with a DKIM record and a return path. I’ll show you what we’re doing with these below & in the attached pictures:

<blockquote>'''Note:''' When adding your domain, choose to send from any email address on the domain, not just a single one.
</blockquote>

* '''Host''': <code>20241012215824pm._domainkey</code> (Postmark generates this value, so keep it exactly as provided by Postmark)
* '''Value''': <code>k=rsa; p=MIGfMA0GCSq...</code> (You will replace the long key string after <code>p=</code> with the public key provided by Postmark)

<blockquote>'''IMPORTANT:''' The Host (<code>20241012215824pm._domainkey</code>) and <code>k=rsa</code> are specific to Postmark and should stay the same. You need to copy and paste this key exactly as Postmark provides it '''FROM POSTMARK, NOT FROM THIS GUIDE!'''
</blockquote>

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_ab1378ba.png
File:lu55028jxdmy_tmp_ba775df9.png
File:lu55028jxdmy_tmp_3ba69113.png
File:lu55028jxdmy_tmp_d073948d.png
File:lu55028jxdmy_tmp_72c9d18.png
File:lu55028jxdmy_tmp_ccb1f143.png
File:lu55028jxdmy_tmp_d4f449eb.png
</gallery>

<span id="dkim-record-for-your-domain-txt"></span>
===== DKIM Record for Your Domain (TXT) =====

# Log into mailcow’s administration interface.
# Go to '''Email → Configuration''' on the top menu.
# Go to the '''Domains''' tab.
# In the '''Domains''' tab, click '''edit''' on the domain you created (in my case, stevesavers.com).
# Scroll down to the DKIM section.
# Insert the record as follows:
#* '''Host''': <code>dkim._domainkey</code> (Keep this exactly the same unless mailcow or your email provider tells you to use a different prefix)
#* '''Value''': <code>v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANB...</code> (Replace this with the value from the DKIM section)

<blockquote>The Host should be <code>dkim._domainkey</code> unless your email provider asks for a different format. For the Value, keep <code>v=DKIM1; k=rsa; t=s; s=email</code> exactly the same. The part you need to change is the long public key string after <code>p=</code>, which will be provided by your email provider or mail server (like Mailcow). Copy and paste it carefully.
</blockquote>

<span id="spf-record-txt"></span>
===== SPF Record (TXT) =====

* '''Host''': <code>@</code> (Keep this exactly the same)
* '''Value''': <code>v=spf1 mx a include:spf.mtasv.net ~all</code> (Enter this as it is: change the include value if using a different SMTP service than Postmark or if [https://postmarkapp.com/glossary/sender-policy-framework Postmark changes this in the future])

Here’s what stays the same and what you need to change:

* '''Host''': Always use <code>@</code> for your main domain.
* '''Value''':
** <code>v=spf1 mx a</code>: Keep this exactly the same; it tells servers to check your MX and A records.
** <code>include:spf.mtasv.net</code>: You will need to change this if you’re using a different mail service than Postmark. Replace <code>spf.mtasv.net</code> with the SPF record provided by your SMTP service (e.g., if using a different relay like SendGrid or Amazon SES, they will give you a different include value).
** <code>~all</code>: Keep this the same unless you want stricter enforcement. You can replace <code>~all</code> with <code>-all</code> for stricter failure rules.
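
A way to check the DMARC, DKIM and SPF values above before pasting them into your registrar, as an added Python example that is not part of the original guide. It works offline on the record text; the function names are hypothetical, the DKIM key is a constructed sample with a made-up modulus, and the 2048-bit floor is the one from step 3.1.

```python
import base64

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC style) into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def lint_spf(txt, relay_include="include:spf.mtasv.net"):
    terms, findings = txt.split(), []
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    if relay_include not in terms:
        findings.append(f"SPF: {relay_include} missing, relayed mail will fail SPF")
    if terms[-1] not in ("~all", "-all"):
        findings.append("SPF: last term should be ~all or -all")
    # RFC 7208: at most 10 terms that cause DNS lookups.
    names = [t.lstrip("+-~?").split(":")[0].split("/")[0] for t in terms[1:]]
    lookups = sum(n in ("include", "a", "mx", "ptr", "exists") or n.startswith("redirect=")
                  for n in names)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms, the limit is 10")
    return findings

def lint_dmarc(txt):
    if not txt.strip().startswith("v=DMARC1"):
        return ["DMARC: v=DMARC1 must be the first tag"]
    tags, findings = parse_tags(txt), []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p must be none, quarantine or reject")
    elif policy == "none":
        findings.append("DMARC: p=none is monitoring only, nothing is enforced yet")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("DMARC: no rua=mailto: address, aggregate reports go nowhere")
    return findings

def _read_tlv(buf, pos, expect):
    """Read one DER element at pos; return (content, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != expect:
        raise ValueError("unexpected DER structure")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_bits_from_spki(b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in a DKIM p= tag."""
    der = base64.b64decode(b64, validate=True)
    spki, _ = _read_tlv(der, 0, 0x30)
    _, pos = _read_tlv(spki, 0, 0x30)       # AlgorithmIdentifier, skipped
    bitstr, _ = _read_tlv(spki, pos, 0x03)
    rsakey, _ = _read_tlv(bitstr, 1, 0x30)  # byte 0 is the unused-bits count
    modulus, _ = _read_tlv(rsakey, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def lint_dkim(txt, min_bits=2048):
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ["DKIM: expected v=DKIM1 and k=rsa"]
    key = "".join(tags.get("p", "").split())   # TXT values are often split into chunks
    if not key:
        return ["DKIM: p= is empty (revoked key or nothing pasted)"]
    try:
        bits = rsa_bits_from_spki(key)
    except ValueError:                         # includes binascii.Error
        return ["DKIM: p= is not a complete base64 RSA key (truncated paste?)"]
    return [f"DKIM: {bits}-bit key, below {min_bits}"] if bits < min_bits else []

def _tlv(tag, body):
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def constructed_key(bits):
    """Sample p= value with a made-up modulus: right shape and size, NOT a usable key."""
    # With exponent 65537, a 1024-bit key encodes as 'MIGfMA0G...', a 2048-bit key as 'MIIBIjAN...'.
    def integer(v):
        return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    rsa = _tlv(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    return base64.b64encode(_tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa))).decode()

if __name__ == "__main__":
    for name, findings in [
        ("SPF", lint_spf("v=spf1 mx a include:spf.mtasv.net ~all")),
        ("DMARC", lint_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@stevesavers.com")),
        ("DKIM", lint_dkim("v=DKIM1; k=rsa; t=s; s=email; p=" + constructed_key(2048))),
        ("DKIM 1024", lint_dkim("k=rsa; p=" + constructed_key(1024))),
    ]:
        print(name, findings or "ok")
```

Paste the exact strings you are about to enter in the '''Value''' fields; an elided key such as <code>p=MIIBIjANB...</code> copied from this guide is reported as an incomplete key.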
<span id="mail-cname-record"></span>
===== Mail CNAME Record =====

* '''Host''': mail (Keep this exactly the same)
* '''Value''': <code>louishomeserver.chickenkiller.com.</code> (Change this to the domain or subdomain that hosts your mail server, '''this is what you set when you created a dynamic DNS domain at freedns!''')

<blockquote>The Host mail stays the same. What you will change is the value after <code>Value:</code>, which should point to the domain or subdomain that hosts your mail server. Replace <code>louishomeserver.chickenkiller.com</code> with your actual mail server’s domain or subdomain.
</blockquote>

<span id="email-client-configuration-cname-records"></span>
===== Email Client Configuration CNAME Records =====

* '''Host''': autoconfig (Keep this exactly the same)
* '''Value''': <code>mail.stevesavers.com.</code> (Change this to the domain of your mail server)
* '''Host''': autodiscover (Keep this exactly the same)
* '''Value''': <code>mail.stevesavers.com.</code> (Change this to the domain of your mail server)

<blockquote>Both Host fields (autoconfig and autodiscover) stay the same, as they are used for automatic email client configuration. You will change the Value to point to your mail server’s domain or subdomain (in this case, <code>mail.stevesavers.com</code>). Replace this with your own mail server domain.
</blockquote>

<span id="mx-record"></span>
===== MX Record =====

* '''Host''': @ (Keep this exactly the same)
* '''Value''': <code>mail.stevesavers.com.</code> (Change this to the domain of your mail server)
* '''TTL''': Automatic (Keep this the same unless your DNS provider requires a specific TTL)

The Host @ stays the same to apply to your root domain. What you need to change is the value after <code>Value:</code>, which should point to the domain that handles incoming mail for your domain. Replace <code>mail.stevesavers.com</code> with your own mail server domain.

These DNS records set up email services for your domain.
For the third time, here’s what stays the same and what needs changing:

* '''SPF, DKIM, and DMARC''': Most parts of these records remain the same, but you’ll need to customize the DKIM public keys and the domain-specific parts (like email addresses for DMARC reports or SPF includes).
* '''MX and CNAME records''': The basic structure stays the same, but you’ll need to update the domain values to point to your own mail server.

By carefully adjusting the fields noted for customization, you can ensure the DNS setup matches your unique mail and web infrastructure.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_3e7d5187.png
File:lu55028jxdmy_tmp_841a3e85.png
File:lu55028jxdmy_tmp_6d09e55d.png
File:lu55028jxdmy_tmp_3abfd2ad.png
</gallery>

<span id="go-back-to-postmark-verify-your-dns-records."></span>
==== 4.3 Go back to Postmark & verify your DNS records. ====

# Go to postmark.com and log in.
# Go to your domain interface, go to '''Sender Signatures'''.
# Click onto the ones you just created.
# Click '''VERIFY''' next to both '''DKIM''' and '''Return Path.'''
# If it doesn’t work yet, no big deal, DNS changes can take time to propagate.

<span id="step-5-pfsense-firewall-introduction"></span>
== Step 5: pfSense firewall introduction ==

So you have a basic idea on how to use '''pfSense''' as a basic router, but we haven’t dealt with '''''port forwarding''''' or messing with the firewall yet. Let’s get into that.

Before we move on to making the necessary firewall rules to allow us to receive email, let’s discuss aliases. What makes firewall rules easy to manage are '''aliases.'''

<span id="lesson-1-aliases-in-pfsense"></span>
=== Lesson 1: Aliases in pfSense ===

<span id="what-are-aliases-in-pfsense"></span>
===== What are Aliases in pfSense? =====

Aliases in '''pfSense''' are placeholders that can represent:

* IP addresses
* Networks
* Ports
* URLs

For example, instead of having to make a separate NAT & firewall rule to open port 993 for 8.8.8.8, 9.9.9.9, 10.10.10.10, etc., I can make ONE firewall rule and enter the “alias” I created into the field where I would usually put an IP. I’d create an alias for those three IPs.

The cool part about this is if I ever want to add or remove one of those IPs, I don’t have to change firewall rules or delete/add firewall rules. I just change my alias.

<span id="practical-example"></span>
===== Practical example: =====

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_942c4249.png
</gallery>

* If you’re using a service like Freshdesk (CRM system):
** Freshdesk needs to connect to your mail server
** You don’t want to give Freshdesk VPN access
** Freshdesk doesn’t have VPN access anyway
* Here’s how you can handle this situation:
** Add their IPs to your alias
** Only those IPs will see your mail server
** Everyone else gets blocked before even seeing the service
* Using aliases this way means:
** Your mail server is invisible to random internet traffic
** Only trusted IPs can even attempt connection
** Much more secure than opening ports to everyone

<blockquote>'''IMPORTANT:''' While port 25 needs to be open to the world for receiving email, other mail-related ports (587, 993, etc.) should only be open to trusted IPs or VPN users. Let’s say I am making firewall rules to allow Freshdesk customer service software to access my email system. Can you imagine making a firewall rule for EACH of these individually?
</blockquote>

Can you imagine having to add all of those IPs as its own separate rule, or having to update them all each time Freshdesk’s IPs changed? That would be a nightmare!
Aliases allow us to add all of these IP addresses to a single thing called ''“freshdesk IP addresses”'' – then, all we have to do is make a firewall rule with ''“freshdesk IP addresses”'' as the source or destination, rather than a bunch of rules for each individual IP.

<span id="benefits-of-using-aliases"></span>
===== Benefits of Using Aliases =====

# '''Simplification''': Instead of entering “192.168.5.3” into a firewall rule, if I make an alias, I can just enter “mailserver”, once I have set up a “mailserver” alias that directs to the mailserver.
# '''I can add to it!''' Let’s say I have 1 smart television in my house. I want to block it from going onto the internet to ''anything'' besides a single Netflix IP address, so I add a firewall rule to block it from going online to anything besides the Netflix IP address. Let’s say my family buys 3 more smart TVs… I don’t want to set up a new set of firewall rules each time. Aliases allow me to add '''''multiple IP addresses to a single alias!''''' Instead of having to make 5 new sets of rules, I can keep my existing firewall rules as they are, and simply add the new IP addresses to the alias.
# '''Maintainability''': When you need to update multiple firewall rules, you can just update the alias instead of each individual rule.
# '''Readability''': Aliases make firewall rules more understandable by using descriptive names instead of raw IP addresses or port numbers.

<span id="wtf-openvpn-was-set-up-so-we-dont-open-ports-why-are-we-talking-about-opening-ports"></span>
===== WTF? OpenVPN was set up so we DON’T open ports; why are we talking about opening ports? =====

If you are accessing your mailserver using OpenVPN (AS YOU SHOULD), this doesn’t matter.
You will be opening port 25 to the world so you can receive email, but for the rest of the ports, these are ONLY NECESSARY IF YOU WANT CLIENTS WHO ARE NOT CONNECTING TO YOUR VPN TO BE ABLE TO LOG INTO AN EMAIL ACCOUNT AND READ THEIR MAIL AND SEND MAIL ON YOUR MAILSERVER!!!

Plus, the self-hosted phone system is going to require we allow some external IPs belonging to our SIP trunking provider (the thing that lets you receive & send calls to other phones outside your house) to access our server anyway, so you might as well learn about aliases now.

<span id="how-to-set-up-aliases-in-pfsense"></span>
==== How to Set Up Aliases in pfSense ====

<span id="accessing-the-aliases-page"></span>
===== 5.1.1 Accessing the Aliases Page =====

# Log into the '''pfSense''' web interface.
# Navigate to '''Firewall > Aliases'''.
# Click '''Add'''.

<span id="creating-an-alias"></span>
===== 5.1.2 Creating an Alias =====

# In the Name field, enter a descriptive name for your alias (e.g., “WebServers” or “BlockedIPs”).
# Select the Type of alias you want to create:
#* Host: For single IP addresses
#* Network: For subnets
#* Port: For port numbers
#* URL: For lists of IPs or networks from a URL
# In the Description field, enter a brief explanation of the alias’s purpose. Here, I would enter <code>mailserver</code>.
# In the Content box, enter the values for your alias:
#* For IP aliases: Enter IP addresses, one per line, such as our mailserver at <code>192.168.5.2</code>.

<span id="using-aliases-in-firewall-rules"></span>
===== 5.1.3 Using Aliases in Firewall Rules =====

# Go to '''Firewall > NAT'''.
# Add a new rule or edit an existing one.
# In the source or destination fields, you can now select your alias from the drop-down menu.
# For port fields, you can select port aliases.
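
The alias behaviour from this lesson, as an added Python model that is not pfSense code and not part of the original guide. It assumes a simplified WAN rule list (first match wins, anything unmatched is dropped), constructed documentation-range IPs, and a hypothetical port alias named <code>mail_client_ports</code>; the audit encodes this page's rule that only port 25 may be open to every source.

```python
import ipaddress

# Constructed aliases; the trusted-client IPs are documentation-range samples.
ALIASES = {
    "mailserver": ["192.168.5.3"],
    "mailserver_trusted_clients": ["203.0.113.10", "198.51.100.0/28"],
    "mail_client_ports": [587, 993],          # hypothetical port alias
}

# Simplified WAN pass rules. Destinations are the internal (post-NAT) address,
# because the port forward is applied before the filter rule is checked.
RULES = [
    {"descr": "Receive Emails", "src": "any", "dst": "mailserver", "ports": [25]},
    {"descr": "Trusted mail clients", "src": "mailserver_trusted_clients",
     "dst": "mailserver", "ports": "mail_client_ports"},
]

def expand(value, aliases):
    """Resolve an alias name to its members; literal lists pass through."""
    return aliases[value] if isinstance(value, str) and value in aliases else value

def src_matches(src, ip, aliases):
    """True when ip falls inside any host or network listed for the source."""
    if src == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in expand(src, aliases))

def allowed(src_ip, dst_ip, port, rules=RULES, aliases=ALIASES):
    """Description of the first pass rule that matches, or None when dropped."""
    for rule in rules:
        if (src_matches(rule["src"], src_ip, aliases)
                and dst_ip in expand(rule["dst"], aliases)
                and port in expand(rule["ports"], aliases)):
            return rule["descr"]
    return None

def audit(rules=RULES, aliases=ALIASES, world_ok=(25,)):
    """List (rule, port) pairs that expose anything but port 25 to every source."""
    return [(rule["descr"], port) for rule in rules if rule["src"] == "any"
            for port in expand(rule["ports"], aliases) if port not in world_ok]

if __name__ == "__main__":
    print(allowed("8.8.8.8", "192.168.5.3", 25))        # any sender may deliver mail
    print(allowed("8.8.8.8", "192.168.5.3", 993))       # untrusted IMAPS client is dropped
    print(allowed("203.0.113.10", "192.168.5.3", 993))  # trusted client gets through
    print(audit())                                      # no over-exposed ports
```

Adding an address to <code>mailserver_trusted_clients</code> changes what <code>allowed()</code> returns without touching <code>RULES</code>, which is the maintenance benefit described above.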
Example rule using aliases:

* '''Action''': Pass
* '''Interface''': WAN
* '''Source''': Any
* '''Destination''': WebServers (alias)
* '''Destination Port''': WebPorts (alias)

This rule allows incoming traffic to the IP addresses defined in the <code>WebServers</code> alias on the ports defined in the <code>WebPorts</code> alias.

<span id="using-aliases-for-secure-access"></span>
=== Using Aliases for Secure Access ===

If you want external access to your mail server ''without'' requiring VPN, you’ll need to set up aliases for trusted IPs; or open your server to the entire world, which is a poor idea.

<span id="lesson-2-setting-up-pfsense-firewall-rules-for-a-mail-server"></span>
=== Lesson 2: Setting Up pfSense Firewall Rules for a Mail Server ===

<span id="understanding-nat-vs.-firewall-rules"></span>
===== Understanding NAT vs. Firewall Rules =====

Let’s understand the two types of rules you need to set up in '''pfSense''':

<span id="nat-network-address-translation"></span>
===== NAT (Network Address Translation) =====

NAT determines ''where'' traffic goes. Here’s why it matters:

* Your network has one public IP that the world sees
* But you might have 200+ computers internally
* When someone sends you an email, NAT tells the router ''“traffic on port 25 goes to the mail server, port 80 goes to the web server”'' etc.

Think of NAT like a restaurant host - they decide which table gets which customers.

<span id="firewall-rules"></span>
===== Firewall Rules =====

Firewall rules determine if traffic is ''allowed'' to pass. After NAT directs traffic to a computer, firewall rules decide if it gets through. Think of firewall rules like the bouncer - they decide if you get in at all.

<span id="practical-application"></span>
===== Practical Application =====

'''NAT port forward''' is when the router sees an email coming in on port 25 to my spectrum internet address, and sends that email to our mail server on port 25.
Once NAT has sent that email to my mailserver on port 25, the '''firewall rule''' is what '''allows''' that traffic to access port 25 on our mailserver.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_1f1b2c6a.png
File:lu55028jxdmy_tmp_31037c49.png
File:lu55028jxdmy_tmp_8d77cc05.png
File:lu55028jxdmy_tmp_54c8a9f1.png
File:lu55028jxdmy_tmp_17e7dded.png
File:lu55028jxdmy_tmp_cc025f84.png
</gallery>

<span id="setting-up-mail-server-port-forwarding-so-you-receive-emails"></span>
==== Setting Up Mail Server Port Forwarding so you Receive emails: ====

A “mail client” is a program you use to read & send your email from the mail server (the mailcow machine we are setting up). Examples are k9 mail, Microsoft Outlook, Mozilla Thunderbird, etc., or just using the web interface.

If you are going to use the mail server while connected to the VPN, '''''THIS IS THE ONLY RULE YOU NEED TO ADD!''''' This is for '''receiving email.''' This port '''''must''''' be opened to the public.

<span id="create-nat-rule"></span>
===== Create NAT Rule =====

# Access '''pfSense''' at <code>https://192.168.5.1</code>
# Go to '''Firewall → NAT'''
# Under the '''Port Forward''' tab, click '''Add'''
# Configure the following:
#* '''Interface''': WAN (incoming traffic)
#* '''Protocol''': TCP
#* '''Source''': Any ''(you can’t predict which mail servers will email you)''
#* '''Destination''': WAN address
#* '''Destination Port Range''': 25
#* '''Redirect Target IP''': Your mail server IP (here in our example it’s <code>192.168.5.3</code>)
#* '''Redirect Target Port''': 25
#* '''Description''': “Receive Emails”
# '''Important''': Check “Add associated filter rule”
# Click '''Save'''
# Click '''Apply Changes'''

'''Critical Note''': Port 25 MUST be open or you’ll never receive email. This is non-negotiable for a mail server.

<blockquote>'''NOTE:''' When setting up port forwarding for a mail server, make sure that your ISP isn’t blocking it to stop spam. Yours might.
It’s not unheard of with residential internet providers. You are paying for a residential connection, not a business one, and they’ll [https://www.youtube.com/watch?v=izXnCkrfjO0 remind you of it any way they can] (actually, they’ll do that even when you pay $409.99/mo for the business one).
</blockquote>

<span id="step-6-add-pfsense-firewall-rules-for-real"></span>
== Step 6: Add pfSense Firewall Rules (for real) ==

You don’t need to add ALL these rules below. If you are okay with being connected to your VPN, or on your local network, to receive & send email, the only rule you need to add is rule #1 so you can receive mail, which you just did.

If you want to allow IP addresses that are NOT connecting to your server via VPN into your mail server, you would create an alias with those IPs using the steps in Lesson 1 above, and then use that alias (called <code>mailserver_trusted_clients</code> in this case) for everything.

One instance would be if you use a service like '''Freshdesk''' for customer service & opt to use your own mail server. In this case, you would have to [https://support.freshdesk.com/support/solutions/articles/50000005619-allowlist-nat-ips '''allow their IP addresses to access your server'''] so that Freshdesk can read your customer service inbox, and send emails as your customer service email.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_1f1b2c6a.png
File:lu55028jxdmy_tmp_31037c49.png
File:lu55028jxdmy_tmp_8d77cc05.png
File:lu55028jxdmy_tmp_54c8a9f1.png
File:lu55028jxdmy_tmp_17e7dded.png
File:lu55028jxdmy_tmp_cc025f84.png
</gallery>

<span id="rule-1-forwarding-smtp-port-25-the-only-rule-you-need-if-you-are-using-openvpn-to-connect-to-your-mailserver"></span>
=== Rule 1: Forwarding SMTP (Port 25) – the ONLY rule you need if you are using OpenVPN to connect to your mailserver! ===

* '''Protocol''': IPv4 TCP
* '''Source''': Any
* '''Destination''': 192.168.5.3
* '''Port''': 25 (SMTP)
* '''Description''': NAT Forward Postfix SMTP to Mailcow

'''What this rule does:'''

* This rule forwards unsecured SMTP traffic on port 25 to the Mailcow server at 192.168.5.3.
* SMTP on port 25 is traditionally used for sending emails between email servers. However, it’s not encrypted by default, meaning the data can be sent in plain text.
* '''Why this is ALWAYS needed''': Although not as secure as SMTPS, port 25 is required for email delivery between servers on the internet. When your Mailcow server sends or receives emails from other email servers, it typically uses SMTP on port 25. This rule makes sure that your Mailcow server can communicate with other email servers to handle incoming and outgoing email traffic.

Keeping port 25 closed means saying goodbye to receiving email. If you’re like me, this might be step 1 to solving a lot of life’s problems…

<span id="rule-2-forwarding-smtps-port-465"></span>
=== Rule 2: Forwarding SMTPS (Port 465) ===

* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 465 (SMTP/S)
* '''Description''': NAT Forward Postfix SMTPS to Mailcow

<blockquote>'''What this rule does''':
- This rule allows secure SMTP (SMTPS) traffic on port 465 from the clients defined in the <code>mailserver_trusted_clients</code> alias to be forwarded to the Mailcow server running on 192.168.5.3. For instance, if you are integrating self-hosted-email with a service like [https://support.freshdesk.com/support/solutions/articles/195170-using-custom-email-servers-to-set-up-support-emails freshdesk], you would want to open this port so their app can send emails using your server. However, you would not want to open it to the entire world, just for the clients you want.
In the case of freshdesk, you might make a <code>mailserver_trusted_clients</code> alias with all of [https://support.freshdesk.com/support/solutions/articles/50000005619-allowlist-nat-ips freshdesk’s IP addresses] so they make it through on port 465, but nobody else does.
- SMTP (Simple Mail Transfer Protocol) is the protocol used for sending emails. The S at the end of SMTPS indicates that this is a secure version of SMTP, meaning the communication is encrypted using SSL/TLS.
- '''When this is needed''': This rule allows email clients that are NOT connected to your server via VPN to send emails using encryption. If this port is closed, they will not be able to connect to your mail server to send mail.
- '''When this is NOT needed''': This rule is unnecessary if you are sending mail by connecting to your mailserver via VPN, or locally on your home network. It is unnecessary if you do not have external services such as freshdesk that you integrate with your mailserver.
</blockquote>

<span id="rule-3-forwarding-submission-port-587"></span>
=== Rule 3: Forwarding Submission (Port 587) ===

* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 587 (SUBMISSION)
* '''Description''': NAT Forward Postfix Submission to Mailcow

<blockquote>'''What this rule does''':
- This rule forwards traffic on port 587 to your Mailcow server at 192.168.5.3.
</blockquote>

* Port 587 is used for email submission by clients (i.e., when you’re sending an email through an email client like Outlook or Thunderbird). This port requires authentication and typically uses STARTTLS to secure the connection.
* '''Why this is needed''': Unlike port 25 (which is often used for server-to-server email transmission), port 587 is specifically used for sending emails from a client to the server. When you configure an email client to send messages, you often use port 587 with authentication. This rule makes sure that clients (in this case, the trusted clients defined in <code>mailserver_trusted_clients</code>) can securely submit their emails for sending through Mailcow.
* '''When this is NOT needed''': This rule is unnecessary if you are sending mail by connecting to your mailserver via VPN, or locally on your home network. It is unnecessary if you do not have external services such as freshdesk that you integrate with your mailserver.

<span id="rule-4-forwarding-imap-port-143"></span>
=== Rule 4: Forwarding IMAP (Port 143) ===

* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 143 (IMAP)
* '''Description''': NAT Forward Dovecot IMAP to Mailcow

<span id="what-this-rule-does"></span>
==== What this rule does: ====

* This rule forwards IMAP traffic on port 143 to the Mailcow server at 192.168.5.3.
* IMAP (Internet Message Access Protocol) is used by email clients to retrieve emails from the mail server. IMAP allows users to keep their emails on the server and access them from multiple devices.
* '''Why this is needed''': This rule allows clients to access their emails using the non-encrypted version of IMAP on port 143. It allows clients to view and manage their emails stored on the server without downloading them to their devices.
* '''When this is NOT needed''': This rule is unnecessary if you are receiving mail by connecting to your mailserver via VPN, or locally on your home network. It is unnecessary if you do not have external services such as freshdesk that you integrate with your mailserver.

<span id="rule-5-forwarding-imaps-port-993"></span>
=== Rule 5: Forwarding IMAPS (Port 993) ===

* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 993 (IMAP/S)
* '''Description''': NAT Forward Dovecot IMAPS to Mailcow

<span id="what-this-rule-does-1"></span>
==== What this rule does: ====

* This rule forwards secure IMAP traffic (IMAPS) on port 993 to the Mailcow server.
* IMAPS is the encrypted version of IMAP. It uses SSL/TLS to secure communication between the email client and the server.
* '''Why this is needed''': This rule allows users to securely access their emails stored on the server using IMAP. This is the preferred method for most modern email clients, as it encrypts the communication, making sure that sensitive information like email contents and credentials are protected while being retrieved by the client.
* '''When this is NOT needed''': This rule is unnecessary if you are receiving mail by connecting to your mailserver via VPN, or locally on your home network. It is unnecessary if you do not have external services such as freshdesk that you integrate with your mailserver.

<span id="rule-6-forwarding-pop3-port-110"></span>
=== Rule 6: Forwarding POP3 (Port 110) ===

* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 110 (POP3)
* '''Description''': NAT Forward Dovecot POP3 to Mailcow

<span id="what-this-rule-does-2"></span>
==== What this rule does: ====

* This rule forwards POP3 traffic on port 110 to the Mailcow server.
* POP3 (Post Office Protocol version 3) is another protocol used to retrieve emails from the server. Unlike IMAP, POP3 typically downloads emails to the local device and removes them from the server.
* '''Why this is needed''': This rule allows clients to retrieve emails using POP3. Some users or legacy email clients may prefer to use POP3 if they want to download and store emails locally rather than keeping them on the server.
* '''When this is NOT needed''': This rule is unnecessary if you are receiving mail by connecting to your mailserver via VPN, or locally on your home network. Also, why are you even thinking of using POP3? Don’t do this.

<span id="rule-7-forwarding-pop3s-port-995"></span>
=== Rule 7: Forwarding POP3S (Port 995) ===

* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 995 (POP3/S)
* '''Description''': NAT Forward Dovecot POP3S to Mailcow

<span id="what-this-rule-does-3"></span>
==== What this rule does: ====

* This rule forwards secure POP3 (POP3S) traffic on port 995 to the Mailcow server.
* POP3S is the encrypted version of POP3, using SSL/TLS for secure communication.
* '''Why this is needed''': This rule enables users to securely retrieve their emails using POP3S. This is preferred over regular POP3 because it makes sure that the email contents and credentials are transmitted securely.
* '''When this is NOT needed''': This rule is unnecessary if you are receiving mail by connecting to your mailserver via VPN, or locally on your home network. Also, why are you even thinking of using POP3? Don’t do this. Use IMAP, POP3 in 2024 is pure insanity.

<span id="rule-8-forwarding-managesieve-port-4190"></span>
=== Rule 8: Forwarding ManageSieve (Port 4190) ===

* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 4190
* '''Description''': NAT Forward Dovecot ManageSieve to Mailcow

<span id="what-this-rule-does-4"></span>
==== What this rule does: ====

* This rule forwards ManageSieve traffic on port 4190 to the Mailcow server.
* ManageSieve is a protocol used to manage server-side email filtering rules (such as automated sorting of emails into folders, marking emails as spam, etc.). This is done on the server side rather than through a client-side rule.
* '''Why this is needed''': This rule allows trusted clients to create and manage email filtering rules on the server. For example, users can create rules to automatically move incoming emails from a certain sender into a specific folder. It’s useful for managing email organization and automating tasks at the server level. I don’t bother with this, but you can if you want to.

<span id="tldr-of-self-hosted-email-firewall-rules"></span>
== TL;DR of self-hosted email firewall rules: ==

<span id="using-openvpn-to-connect-to-your-mailserver"></span>
=== Using OpenVPN to connect to your mailserver? ===

Port 25 is all you have to open to the public so you receive mail from other servers.

<span id="need-clients-outside-lan-that-dont-have-vpn-access-to-connect-to-your-mailserver"></span>
=== Need clients outside LAN that don’t have VPN access to connect to your mailserver? ===

Then you gotta make an alias with their IPs & make all of the rules I provided above. Let’s say you want ANY IP from ANYWHERE IN THE WORLD to connect to your mailserver; which is a horrible idea; instead of an alias, you’d specify “any” in the “source” section. This is a bad idea, IMO, on par with the bad idea of being a newbie & doing self-hosted mail.

<blockquote>'''What you should do:''' Just stick to using a VPN to access your inbox, install OpenVPN & K9 Mail on your Android phone and be done with it. Connecting to your VPN on a laptop as well is very easy, it’s one click or one command in the terminal & you should be doing that so you can access all of your other services anyway.
</blockquote>

<span id="port-25-smtp"></span>
=== Port 25 (SMTP) ===

* '''Why it is open to everyone''': Port 25 is used for server-to-server email transmission, which means email servers from around the world need to be able to reach your Mailcow server to deliver incoming mail. Since this is a very important function for your mail server, it makes sense to allow traffic on port 25 from any source.
* '''Security concerns''': Since port 25 is open to the world, it can be targeted by spammers or malicious actors trying to exploit the service. However, this is mitigated by using tools such as <code>fail2ban</code>, <code>rspamd</code>, and strong SMTP authentication policies to detect and block abuse.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_d4378b80.png
File:lu55028jxdmy_tmp_7ea57844.png
File:lu55028jxdmy_tmp_9d6a661d.png
File:lu55028jxdmy_tmp_279c986f.png
File:lu55028jxdmy_tmp_84524b73.png
File:lu55028jxdmy_tmp_6660b4ba.png
File:lu55028jxdmy_tmp_9116781d.png
File:lu55028jxdmy_tmp_a783a2bb.png
File:lu55028jxdmy_tmp_e9001ea9.png
File:lu55028jxdmy_tmp_690c5265.png
File:lu55028jxdmy_tmp_a8761f8d.png
</gallery>

<span id="step-7-verify-smtp-relay-setup"></span>
== Step 7: Verify SMTP Relay Setup ==

# '''Test Email Delivery''':
# Once the configuration is saved, send a test email to ensure Mailcow is using Postmark to relay emails successfully. I would suggest sending your test email to four addresses:
#* Email to yourself (same email in Mailcow you are sending from).
#* Email to another mailbox on Mailcow.
#* Email to a “friendly” server, i.e., something not hosted by the main mega providers (another person who hosts their own email).
#* A Gmail/iCloud/Microsoft email address.

Each one tests a portion of the chain.
* If 1 doesn’t work, you’re hopelessly screwed.
* If 2 works but not 3, perhaps a network problem.
* If 1, 2, & 3 work but not 4, you’ve likely screwed up something in the SMTP relay or DNS records process, but the networking configuration and Mailcow setup in general is mostly working. It’s also possible that you did everything right, but Google/Apple/Microsoft still hate you. It’s ok. You can’t hate them back though. As my first studio employer told me, ''“Louis, you hate nothing, you intensely dislike it!”''

If all 4 work, great!

If you get something like this in your email when sending, you made a stupid typo when setting up SMTP relay. Can you find mine?

<pre>
> This is the mail system at host mail.louishomeserver.chickenkiller.com.
> I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message.
> The mail system
> <rossmanngroup@gmail.com>: Host or domain name not found. Name service error for name=smtp.postmark.com type=A: Host not found
> <louis@rossmanngroup.com>: Host or domain name not found. Name service error for name=smtp.postmark.com type=A: Host not found</pre>

This concludes the guide on setting up Postmark as an SMTP relay for your Mailcow server, configuring DNS records, and setting up firewall rules. Remember to double-check all your configurations and test thoroughly to ensure everything is working as expected. Or, don’t & give up. The latter is recommended.
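To double-check the Step 6 port forwards, here is an added example (not part of the original guide, and not pfSense or Mailcow code) that audits a configuration export against the policy above: port 25 open to any source, every client port limited to an alias. The XML layout is an assumption modelled on a pfSense <code>config.xml</code> backup, the sample is constructed, and <code>audit</code>, <code>source_problem</code> and <code>prefixlen</code> are hypothetical helper names.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. The element layout is an assumption modelled on the
# <aliases> and <nat> sections of a pfSense config.xml backup; the client
# addresses are documentation-range placeholders.
SAMPLE_CONFIG = """
<pfsense>
  <aliases><alias>
    <name>mailserver_trusted_clients</name>
    <address>203.0.113.10 198.51.100.0/28 0.0.0.0/0</address>
  </alias></aliases>
  <nat>
    <rule><source><any/></source>
      <destination><network>wanip</network><port>25</port></destination>
      <target>192.168.5.3</target></rule>
    <rule><source><address>mailserver_trusted_clients</address></source>
      <destination><network>wanip</network><port>465</port></destination>
      <target>192.168.5.3</target></rule>
    <rule><source><any/></source>
      <destination><network>wanip</network><port>993</port></destination>
      <target>192.168.5.3</target></rule>
  </nat>
</pfsense>
"""

PUBLIC_PORTS = {"25"}  # Rule 1: server-to-server SMTP must accept any source
CLIENT_PORTS = {"465", "587", "143", "993", "110", "995", "4190"}  # Rules 2-8


def prefixlen(entry):
    """Prefix length of an IP/CIDR entry, or None for hostnames and alias names."""
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen
    except ValueError:
        return None


def source_problem(src, aliases):
    """Explain why a client-port source is too open, or return None."""
    if src is None or src.find("any") is not None:
        return "source is any: client port open to the world"
    name = src.findtext("address") or ""
    entries = aliases.get(name, [name] if prefixlen(name) is not None else None)
    if entries is None:
        return f"source '{name}' is not a defined alias or IP"
    if any(prefixlen(e) == 0 for e in entries):
        return f"source '{name}' includes a /0 network, which is the same as any"
    return None


def audit(config_xml, mail_server="192.168.5.3"):
    """Return (port, problem) findings for NAT forwards to the mail server."""
    root = ET.fromstring(config_xml)
    aliases = {a.findtext("name"): (a.findtext("address") or "").split()
               for a in root.iterfind("./aliases/alias")}
    findings, forwarded = [], set()
    for rule in root.iterfind("./nat/rule"):
        if rule.findtext("target") != mail_server:
            continue
        port, src = rule.findtext("destination/port"), rule.find("source")
        forwarded.add(port)
        if port in PUBLIC_PORTS and src is not None and src.find("any") is None:
            findings.append((port, "restricted source: other mail servers cannot deliver"))
        elif port in CLIENT_PORTS and (problem := source_problem(src, aliases)):
            findings.append((port, problem))
    if not PUBLIC_PORTS & forwarded:
        findings.append(("25", "no forward: inbound mail will never arrive"))
    return findings


if __name__ == "__main__":
    for port, problem in audit(SAMPLE_CONFIG):
        print(f"port {port}: {problem}")
```

On the constructed sample this flags port 465 (the alias was widened with a /0 entry) and port 993 (source left as any), while the port 25 forward passes.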
<span id="step-8-spam-controls"></span>
== Step 8 – Spam controls ==

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_e4a0e1aa.png
File:lu55028jxdmy_tmp_4909c297.png
File:lu55028jxdmy_tmp_83cfe68f.png
File:lu55028jxdmy_tmp_a210ae1a.png
</gallery>

<span id="accessing-the-rspamd-interface"></span>
==== Accessing the Rspamd Interface ====

To access the Rspamd web interface, you need to be logged in as an administrator on Mailcow. Here’s how you do it:

# Go to <code>http://your-mailcow-address/admin</code>
# Enter your admin password
# Navigate to '''System > Configuration > Actions > Rspamd'''
# Set your password for Rspamd

Once you’re in, you can train the system manually and upload things for it to learn from.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_3a6b6ed2.png
File:lu55028jxdmy_tmp_bd3e5f50.png
File:lu55028jxdmy_tmp_5792c482.png
</gallery>

<span id="accessing-your-inboxs-spam-controls"></span>
==== Accessing YOUR inbox’s spam controls ====

# Log into the Mailcow interface with your EMAIL USERNAME & PASSWORD, NOT AS ADMIN
# Go to '''Email → Spam Filter'''
# Slide the slidy thingy & have fun :)

To set the spam controls for your specific account, log in as your USER to the web interface, not an admin.

<span id="pfblockerng-for-spam-prevention"></span>
==== pfBlockerNG for spam prevention ====

Remember when we set up '''pfBlockerNG''' in our '''pfSense''' router? '''pfBlockerNG''' has IPv4 blocklists like Lashback that are great for reducing spam from known bad actors, such as people who explicitly send email to addresses that they know are on ''“unsubscribe”'' lists.

If you use '''pfBlockerNG''' with these lists, when servers with IPs on these blocklists try to send you mail on port 25, they will be blocked ''at the router level'' before these known bad actors even make their way to your <code>mailcow</code> server or spam filter. Take a look at these lists. They are incredibly useful!
<span id="dont-do-this"></span>
== Don’t do this ==

'''Warning:''' Self-hosting email is a high-maintenance, complicated task. Just because you can do it doesn’t mean you should. It’s a decision you might regret later.

<span id="home-assistant-to-control-your-air-conditioners-full-smarthome-control"></span>