Repository files navigation

Fullstack, security focused mailserver based on OpenSMTPD for OpenBSD using ansible

Go through theinstallation overview on the website:https://excision.bsd.ac/install/

• All connections areTLS enforced, includingpop3s,imaps,smtps.
  • smtp andsieve areSTARTTLS with enforcedTLS escalation.
  • Insecure versions ofpop3 andimap are disabled for additional security.
• OpenPGP andGnuPGWeb Key Service andWeb Key Directory support for automatic publishing of public keys in a multi-domain server setting.
  • Server only contains public keys of user, so encrypted emails can only be decrypted by the user.
• mta-sts for fully encrypted email transfer channels.
• Email subsystem separate from base operating system and managed by non-privileged account.
  • Useful in case of a compromised user account.
• Spam classification and automatic learning usingRspamd.
• Multi-domain support for handling emails sent to more than one domain.
• Server side filtering support and filter management usingmanagesieve.
• Mozilla auto-configuration for thunderbird and other opensource clients.

• Daily report for system stats and email stats for server status checks.
• Email stored inmaildir format for easy server side management.
• Support for aliases using pseudo accounts in both sending and receiving emails.
• User management scripts for adding users and aliases.
• Automatic management and tag support foruser+tag@... in both sending and receiving emails.
  • Option to change separating tag to non-default options, such as.,- or_ for additional privacy.
• Automatic management of TLS certificates fromLets Encrypt.
  • HSTS enabled on httpd for enforcing secure connections.

• Optional hiddenAuthoritative DNS server usingknot for astealth master configuration using secondary DNS providers.
  • Handles complex DNS setup for publicizing all encryption options to senders.
  • Automatic configuration ofDNSSEC,DKIM,SPF,DMARC,SSHFP,CAA and other records.
• Optionalspamd(8) set up for highly effecient spam deferral and false email rejection.
• Optional antivirus usingClamav for additional security of users on Windows systems.

Excision Mail aims to use as much of the base OpenBSD system and as few dependancies from ports as possible for maximum security.

• OpenSMTPD
  The default OpenBSD mail transfer agent. Highly secure, fast and efficient.
• acme-client(1)
  Automatic certificate management for the system domains.

• Rspamd
  Efficient and configurable spam classifier.
• knot
  Make an autoritative nameserver for your domain.
• Dovecot
  Secureimaps,pop3s andsieve server to allow access from clients outside the server.
• ClamAV
  Open source antivirus tools to check email attachments.
• GnuPG
  Make aWeb Key Service andWeb Key Directory usinggpg-wks-server.
• nginx
  Hosting websites formta-sts and publishing public keys.

• Be replicable and stable to build and upgrade.
  There should be no differences between upgrading a previous install and starting an install from scratch, if using the same configurations for both pathways.

• Be well documented.Every part of the setup should be clear and explained.

Excision Mail tries to follow OpenBSD philosophy of being well documented and explaining all the choices that have been made.
If it does not have good documentation, then it is still buggy

OpenBSD 6.6 (may run on -current, but it will not be prioritized)
System requirements (good for about 50 users)

• 1 core
• 1GB RAM
• 2GB Swap

The primary mode of contact for reporting bugs and getting support is through GitHub.
Excision Mail has a matrix channel#excision-mail.