How do I route outgoing email over WireGuard Tunnel?

Bob.Dig

@Popolou This video from Christian is a great explainer about WireGuard and pfSense in general. Hint: Don't use NAT.

Seeking Sense

@Popolou I am not sure that I am seeing that issue as I am NOT NATing traffic going out over the tunnel.

However it took me a minute to sort out SPF TXT records so that Google and others did not find my mail to be spammy.

Gertjan

@Seeking-Sense said in How do I route outgoing email over WireGuard Tunnel?:

sort out SPF TXT records

SPF ? Tht's just a DNS TXT records besides the A, AAA, NS, and MX.

The fun starts with DKIM.
DKIM & DMARC are not optional if you want your mails to be accepted by the biggest 5 free-mail services.
Get your mail server domain name certificate, the one you already use if you also have a web server. Go for web server. Go for the wild card version, or add you MX host name. Assign the certificate to postfix, and make postfix do TLS where ever possible.

Sep  8 07:41:36 ns311465 postfix/cleanup[4024]: 3372563E1BC8: message-id=<fe03b95169c2dac3d0047cf5057c8e85.squirrel@www.my-domain.tld>
Sep  8 07:41:36 ns311465 opendkim[6675]: 3372563E1BC8: DKIM-Signature field added (s=default, d=my-domain.tld)
Sep  8 07:41:36 ns311465 postfix/qmgr[18342]: 3372563E1BC8: from=<gertjan@my-domain.tld>, size=762, nrcpt=1 (queue active)
Sep  8 07:41:36 ns311465 return-from-amavis/smtpd[4031]: 8553F63E4DC6: client=localhost.localdomain[127.0.0.1]
Sep  8 07:41:36 ns311465 postfix/cleanup[4024]: 8553F63E4DC6: message-id=<fe03b95169c2dac3d0047cf5057c8e85.squirrel@www.my-domain.tld>
Sep  8 07:41:36 ns311465 postfix/qmgr[18342]: 8553F63E4DC6: from=<gertjan@my-domain.tld>, size=1619, nrcpt=1 (queue active)
Sep  8 07:41:36 ns311465 postfix/smtp[4025]: 3372563E1BC8: to=<gertjan@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.49, delays=0.2/0.03/0/0.26, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8553F63E4DC6)
Sep  8 07:41:36 ns311465 postfix/qmgr[18342]: 3372563E1BC8: removed
Sep  8 07:41:36 ns311465 postfix/smtp[4032]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c07::1b]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Sep  8 07:41:37 ns311465 postfix/smtp[4032]: 8553F63E4DC6: to=<gertjan@gmail.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c07::1b]:25, delay=0.84, delays=0.04/0.03/0.33/0.44, dsn=2.0.0, status=sent (250 2.0.0 OK  1694151697 a18-20020a5d5712000000b00317c20ff0fbsi458053wrv.5 - gsmtp)
Sep  8 07:41:37 ns311465 postfix/qmgr[18342]: 8553F63E4DC6: removed

Mail gets injected by my web mail (squirrel mail) running on the same server.
DKIM gets added
I'll pass it through my own anti 'whatever' filter amvis (maybe I'm sending viruses ?)
It gets back in the queue from amavis
gmail is contacted : with a "Trusted TLS connection established" over IPv6 ( your reverse PTR IPv6 has to point to your MX host name) - IPv6 makes DKIM mandatory when playing with gmail )
The mail is relayed - TLSv1.3 1.0 is now forbidden, TLv1.1 and 1.2 are fading out fast.

The 'scan mail before sending' is of optional. Who sends bad stuff to others, after all ?

Note : DMARC comes into play when receiving mail.

On the gmail side :

All checks are passed :

Authentication-Results: mx.google.com;
       dkim=pass header.i=@my-domain.tld header.s=default header.b=YDoN8SvP;
       spf=pass (google.com: domain of gertjan@my-domain.tld.me designates 2001:41d0:2:beef::2 as permitted sender) smtp.mailfrom=gertjan@my-domain.tld;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=my-domain.tld

Bob.Dig

@Gertjan Don't forget DANE.

Gertjan

@Bob-Dig said in How do I route outgoing email over WireGuard Tunnel?:

@Gertjan Don't forget DANE.

Adding/mentioning DANE would be counter productive in the motivation process

DANE was invented for those who thought they were DONE.
It is reserved for those who want to be who they say they are in "mail-land" (and https land, and more).
It uses DNSSEC of course - well, I had that up and running already as I went down to low in the DNS rabbit hole.

DANE, at the end, will render any CA useless. That's an entire ($$$) business model going down to the drain. Not sure if it simplifies things.

Of course I use have DANE available and set up :

Bob.Dig

@Gertjan I am partly failing this test-site because I have my TLSA-record only on the domain which "carries" the actual mail-server and not on every domain with a mx-record...

Seeking Sense

@Gertjan the bad actors have created a lot of work for the rest of us. I guess for some this is job security.

@Gertjan said in How do I route outgoing email over WireGuard Tunnel?:

Get your mail server domain name certificate

Just to clarify is this for the mail server host that postfix is running and not the individual mail domains?

Can this be self signed and if not is Let's Encrypt adequate?

Gertjan

@Seeking-Sense said in How do I route outgoing email over WireGuard Tunnel?:

I guess for some this is job security.

You kidding ? I'm an financial accountant in a mid size hotel some where in France. I do change light bulbs, do reservations, and fool around with pfSense.
And yes, there are moment I have that feeling that I need to do something. Like understanding what this is, see subjects above, all about. I try to do things by doing them my selves. I've the Internet as documentation. Nothing you do isn't already done by some ine else.
So, go, and trial and error and learn and then you "do".

@Seeking-Sense said in How do I route outgoing email over WireGuard Tunnel?:

Just to clarify is this for the mail server host that postfix is running and not the individual mail domains?

Example : I've a dedicated server, some where in a big data centre.
Added a dozen or so IPv4 (back then they were close to free, now these cost a fortune), and a zillion IPv6.
10 or so domain names. Some are used professionally, others are just for me to play with.
Every domain names has it's own wild card certificate from LE.
Every domain name uses its own IPv4 and own Ipv6 /64. (so if one mail box / domain gets bad, it will not hurt other domains / boxes )

I use the certs for the web server of course (http is pretty dead these days)
But also for postfix, as postfix traffic is TLS these days (mail in the clear ois like http : that's not done anymore).
And why used self signed - self generated certs if you have the real ones for free, already on your server ? I have them, so I use them.

And yes : my main.cf and master.cf is pretty big, and still I use a MySQL database full with tables for all the domain names, mail boxes etc.

All this works pretty well for the last ... 20 years or so.

Bob.Dig

@Bob-Dig said in How do I route outgoing email over WireGuard Tunnel?:

@Gertjan I am partly failing this test-site

Looked at it again, it is just buggy. First mx succeed, second fails. Makes no sense.

@Gertjan said in How do I route outgoing email over WireGuard Tunnel?:

big data centre.

Impressive.
What is a data centre?

Bob.Dig

@Gertjan said in How do I route outgoing email over WireGuard Tunnel?:

Of course I use have DANE available and set up :

We both have the same TLSA Record (other than the domain name).
DANE and LE the easy way.

Bob.Dig

@Gertjan said in How do I route outgoing email over WireGuard Tunnel?:

Of course I use have DANE available and set up :

I just noticed I had to recreate the TLSA records, something with Let's Encrypt must have changed. I hope I am good now for some time...