In category: ← Communication / Email / Complete Solutions

About Excision Mail

Fullstack, security focused mailserver based on OpenSMTPD for OpenBSD using ansible.

Github stats:

Commits: N/A
N/A
N/A
Latest commit: N/A

Deploy this app to Linode with a free $100 credit!

Languages/Platforms/Technologies:

Lincenses:

More about Excision Mail

Excision Mail

Fullstack, security focused mailserver based on OpenSMTPD for OpenBSD using ansible

Installation

Go through the installation overview on the website: https://excision.bsd.ac/install/

Functionality highlights

Full featured email server with modern encryption standards enforced

All connections are TLS enforced, including pop3s, imaps, smtps.
smtp and sieve are STARTTLS with enforced TLS escalation.
Insecure versions of pop3 and imap are disabled for additional security.
OpenPGP and GnuPG Web Key Service and Web Key Directory support for automatic publishing of public keys in a multi-domain server setting.
Server only contains public keys of user, so encrypted emails can only be decrypted by the user.
mta-sts for fully encrypted email transfer channels.
Email subsystem separate from base operating system and managed by non-privileged account.
Useful in case of a compromised user account.
Spam classification and automatic learning using Rspamd.
Multi-domain support for handling emails sent to more than one domain.
Server side filtering support and filter management using managesieve.
Mozilla auto-configuration for thunderbird and other opensource clients.

Flexible server and user management system

Daily report for system stats and email stats for server status checks.
Email stored in maildir format for easy server side management.
Support for aliases using pseudo accounts in both sending and receiving emails.
User management scripts for adding users and aliases.
Automatic management and tag support for user+tag@... in both sending and receiving emails.
Option to change separating tag to non-default options, such as ., - or _ for additional privacy.
Automatic management of TLS certificates from Lets Encrypt.
HSTS enabled on httpd for enforcing secure connections.

Optional email features

Optional hidden Authoritative DNS server using knot for a stealth master configuration using secondary DNS providers.
Handles complex DNS setup for publicizing all encryption options to senders.
Automatic configuration of DNSSEC,DKIM, SPF, DMARC, SSHFP, CAA and other records.
Optional spamd(8) set up for highly effecient spam deferral and false email rejection.
Optional antivirus using Clamav for additional security of users on Windows systems.

Architecture Goals

Excision Mail aims to use as much of the base OpenBSD system and as few dependancies from ports as possible for maximum security.

Base system

OpenSMTPD
The default OpenBSD mail transfer agent. Highly secure, fast and efficient.
acme-client(1)
Automatic certificate management for the system domains.

Ports

Rspamd
Efficient and configurable spam classifier.
knot
Make an autoritative nameserver for your domain.
Dovecot
Secure imaps, pop3s and sieve server to allow access from clients outside the server.
ClamAV
Open source antivirus tools to check email attachments.
GnuPG
Make a Web Key Service and Web Key Directory using gpg-wks-server.
nginx
Hosting websites for mta-sts and publishing public keys.

Design goals

Be replicable and stable to build and upgrade.
There should be no differences between upgrading a previous install and starting an install from scratch, if using the same configurations for both pathways.
Be well documented. Every part of the setup should be clear and explained.

Excision Mail tries to follow OpenBSD philosophy of being well documented and explaining all the choices that have been made.
If it does not have good documentation, then it is still buggy