1
Here's what I have working:
Question asked by Patrick Jeski - 5/1/2024 at 4:59 PM
Unanswered
The basic mail server and webmail
Automatic certificates
DKIM, DMARC
TLS/SSL on all mail protocols
MTA-STS (for incoming mail)
BIMI
HSTS (needs SmarterTools attention, they're on it)
Configured two IOS devices for secure IMAP/SMTP(Submission TLS)

All in all not bad for the first day of the beta and most of the above within the first three hours of setup.



5 Replies

Reply to Thread
0
Harland Adelaars Replied
Could you provide detailed insights into how you configured everything, particularly focusing on TLS/SSL protocols and MTA-STS?

2
Patrick Jeski Replied
Harland,

First a disclaimer: I am not an IT professional.

I assume you have automatic certificates working.
Setting up the secure protocols for the ports is pretty straight-forward. You simply choose the encryption (SSL/TLS) and it will change the port if needed. Either way, it uses the encryption method the server supports, hopefully TLS, SSL/TLS is really more of a distinction of the connection method. There's another thread on that. If you want, say, SMTP (TLS) and SMTP (SSL), you will need to add one of them.

DKIM and DMARC are straight-forward. Smartemail gives you the selector (name) and data for the DNS entry

MTA-STS is a little more complicated. There is only one place to put your policy file, you can't specify it. it has to be in wwwroot/.well-known, which you have to create. SmarterTools has not to my knowledge confirmed that .well-known is OK for us to use as we see fit, that they won't stomp on it at some point, but auto certs still worked when I was done. All of my domains have mx records to a single mx, not related to the domain name. So my policy file is simple. You can have multiple mx in the policy file, but I haven't tried multiple domains. Since my policy file is a different domain from any domain that uses it, I'm guessing it will be OK. 

It might be better to wait until SmarterTools officially adds the feature, and I would assume in a way that they synthesize a simple policy file for each domain. If you or anyone else wants me to go deeper into it, I can, but there is a lot of info out there. DM me if you want to discuss it further.

BIMI is easy, but really not all that meaningful without an expensive verified mark certificate. I just set it up so my smartermail accounts can see each other's BIMI images. The hardest part is creating the .svg image, but after that you just drop it in wwwroot, or any website that can host it and create a DNS record that points to it.
1
Patrick Jeski Replied
Just to update this thread:
I have two VMs running SmarterMail. One with SmarterMail’s web server, the other with nginx. These are very low volume, I have no good way to generate a lot of diverse traffic, so I’m focusing on setup and operation issues. 

The nginx machine has a small HMI issue that I think is resolved. That machine also runs rspamd despite my being admonished never to do that. While I don’t know how effective it is, it functions with no issues I’m aware of. 

I have SNI working on the nginx machine. I’m using Certify the Web on a “local” (in my DMZ) windows machine to update my certs. 

I’m optimistic for a good rollout of SmerterMail for Linux. But I know once it hits production, like always, bugs will surface. 
1
Zach Sylvester Replied
Employee Post
Hey Patrick, instead of using Certify the Web, you could just use Certbot to automate the renewals. This will also update your nginx config automatically.
Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
1
Patrick Jeski Replied
Thanks, Zach, I’m aware of that. I have a couple cloud servers I run certbot on. But I have certs with CTW already setup for the domains and it’s not hard to deploy them to the Linux boxes, and it was fun to figure out how to do it. I’ll probably run certbot when I’m fully converted, as I won’t have the windows machine to run CTW on. 

Reply to Thread