docs: update Netgrimoire/Services/MailCow/mxroute_mailcow

Administrator 2026-02-25 17:18:16 +00:00 committed by John Smith
parent d5dc6e436d
commit 7810845c33

@ -2,398 +2,273 @@
title: Recieving Mail thru MXRoute title: Recieving Mail thru MXRoute
description: Trusted receiver description: Trusted receiver
published: true published: true
date: 2026-02-15T02:33:37.376Z date: 2026-02-25T17:18:07.245Z
tags: tags:
editor: markdown editor: markdown
dateCreated: 2026-02-15T01:44:15.683Z dateCreated: 2026-02-15T01:44:15.683Z
--- ---
# MXroute Incoming Mail to Mailcow # Mail Setup — nucking-futz.com
## Overview ## Overview
Configuration guide for using MXroute to receive incoming mail for your domains and forward to your Mailcow server.
This guide covers complete mail setup for `nucking-futz.com` using MXRoute as the inbound gateway and Mailcow as the mailbox host. MXRoute receives all inbound mail from the internet (solving residential IP filtering issues with banks and financial institutions) and forwards to Mailcow for storage and retrieval. Mailcow handles outbound mail via the MXRoute SMTP relay.
**Architecture:**
```
Inbound: Internet → MXRoute (commercial IP) → Mailcow (192.168.5.16)
Outbound: Mailcow → MXRoute SMTP relay → Internet
```
--- ---
## Architecture ## Prerequisites
``` - MXRoute account active with DirectAdmin access
Incoming: Internet → MXroute → Mailcow subdomain → Alias → Mailbox - Mailcow running at 192.168.5.16
Outgoing: Mailbox → Mailcow → MXroute relay → Internet - DNS management access for nucking-futz.com
``` - MXRoute inbound server hostname (e.g. `arrow.mxroute.com`) — confirm in your MXRoute welcome email
This setup allows MXroute to handle incoming mail filtering, spam protection, and then forward clean mail to your Mailcow server. Users send and receive using clean `@yourdomain.com` addresses.
### Address Structure Explained
**What users see (clean addresses):**
- `john@yourdomain.com`
- `jane@yourdomain.com`
**What happens behind the scenes:**
- Mailboxes actually exist as `john@mail.yourdomain.com`
- Aliases in Mailcow map `john@yourdomain.com``john@mail.yourdomain.com`
- MXroute forwards to `john@mail.yourdomain.com`
- Users send FROM `john@yourdomain.com` (configured as default sender)
- **Users login with `john@yourdomain.com`** (Dovecot auth configured to accept aliases)
**Benefits:**
- **100% transparent to users** - they only ever see/use `@yourdomain.com`
- Clean, professional email addresses
- Easier for users to remember and communicate
- No confusion about which address to use
--- ---
## MXroute Configuration ## Step 1 — DNS Records
### 1. Add Domain to MXroute Create the following records at your DNS registrar before configuring either service. MXRoute and Mailcow will both need DNS to validate correctly.
1. Log into MXroute DirectAdmin panel ### Required DNS Records
2. Navigate to **Email Accounts** → **Email Domains**
3. Add your domain (e.g., `yourdomain.com`)
### 2. Create Catch-All Forwarder | Type | Host | Value | TTL | Notes |
|------|------|-------|-----|-------|
| A | `mail` | `YOUR_ATT_MAIL_IP` | 300 | Points to your Mailcow static IP |
| MX | `@` | `arrow.mxroute.com` | 300 | Primary inbound — confirm hostname with MXRoute |
| MX | `@` | `arrow2.mxroute.com` | 300 | Secondary inbound — confirm hostname with MXRoute |
| CNAME | `imap` | `mail.nucking-futz.com` | 300 | Client autoconfiguration |
| CNAME | `smtp` | `mail.nucking-futz.com` | 300 | Client autoconfiguration |
| CNAME | `webmail` | `mail.nucking-futz.com` | 300 | Roundcube access |
| CNAME | `autodiscover` | `mail.nucking-futz.com` | 300 | Outlook autodiscover |
| CNAME | `autoconfig` | `mail.nucking-futz.com` | 300 | Thunderbird autoconfig |
| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | 300 | SPF — authorize both Mailcow direct and MXRoute relay |
| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` | 300 | DMARC enforcement |
1. Navigate to **Email Accounts** → **Forwarders** > **Note:** Leave TTL at 300 during initial setup. Raise to 3600 once everything is confirmed working.
2. Create catch-all forwarder:
- **Email Address:** `*@yourdomain.com`
- **Forward To:** `@mail.yourdomain.com`
3. This forwards all mail to your Mailcow server, preserving the username
**How it works:** > **Note:** The DKIM TXT records (two selectors) are added in Steps 2 and 3 after generating keys — you need Mailcow and MXRoute configured first.
- Mail to `john@yourdomain.com` → forwarded to `john@mail.yourdomain.com`
- Mail to `jane@yourdomain.com` → forwarded to `jane@mail.yourdomain.com`
--- ---
## DNS Configuration ## Step 2 — Mailcow Configuration
### Update MX Records ### 2.1 Add Domain
Point your domain's MX records to MXroute servers: 1. Log into Mailcow admin UI → **Mail Setup → Domains**
2. Click **Add domain**
3. Set **Domain:** `nucking-futz.com`
4. Set **Max mailboxes:** as needed (or leave unlimited)
5. Set **Max aliases:** as needed
6. Leave relay settings as default (outbound relay is configured at the transport level)
7. Click **Add domain**
### 2.2 Generate DKIM Key
1. Go to **Configuration → Configuration & Diagnostics → Configuration**
2. Click **ARC/DKIM Keys** tab
3. Select domain `nucking-futz.com`
4. Set **Selector:** `mailcow`
5. Set **Key length:** 2048
6. Click **Generate**
7. Copy the full TXT record value displayed — you will need this for DNS
### 2.3 Add DKIM DNS Record
Back in your DNS registrar, add:
| Type | Host | Value |
|------|------|-------|
| TXT | `mailcow._domainkey` | *(paste the full key string from Mailcow — begins with `v=DKIM1;`)* |
### 2.4 Add MXRoute to Trusted Networks
This prevents Mailcow from applying spam penalties to forwarded mail arriving from MXRoute's IPs.
1. Go to **Configuration → Configuration & Diagnostics → Configuration**
2. Click **Extra Postfix configuration** tab
3. Add to `extra.cf`:
``` ```
yourdomain.com → MX 10 arrow.mxroute.com # Trust MXRoute forwarding IPs
yourdomain.com → MX 20 eagle.mxroute.com mynetworks = 127.0.0.1/8 [::1]/128 192.168.5.0/24 69.167.160.0/19 198.54.120.0/22
``` ```
**Note:** Check your MXroute account for the correct server hostnames (arrow, eagle, hermes, etc.) > **Note:** Verify current MXRoute IP ranges in your MXRoute account or welcome documentation — ranges may change.
### SPF Record 4. Click **Save**
5. Click **Restart affected containers**
Update SPF to allow MXroute to send on your behalf: ### 2.5 Create Mailbox
``` 1. Go to **Mail Setup → Mailboxes**
v=spf1 include:mxroute.com -all 2. Click **Add mailbox**
``` 3. Set **Username:** `graymutt`
4. Set **Domain:** `nucking-futz.com`
5. Set a strong password
6. Set quota as needed
7. Click **Add**
If you also send from Mailcow directly: The mailbox `graymutt@nucking-futz.com` is now created and active.
```
v=spf1 ip4:192.168.5.16 include:mxroute.com -all
```
### DKIM Records
1. Generate DKIM key in MXroute DirectAdmin:
- Navigate to **Email Authentication** → **DKIM Keys**
- Generate key for your domain
- Copy the DNS record
2. Add DKIM TXT record to your DNS:
```
default._domainkey.yourdomain.com → [MXroute DKIM public key]
```
### DMARC Record
```
_dmarc.yourdomain.com → v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com
```
**Note:** Start with `p=quarantine` for testing, then move to `p=reject` once confirmed working.
--- ---
## Mailcow Configuration ## Step 3 — MXRoute Configuration
### 1. Add Domain ### 3.1 Add Domain in DirectAdmin
Add `mail.yourdomain.com` as a domain in Mailcow: 1. Log into MXRoute DirectAdmin
2. Go to **Account Manager → Domain Setup** (or **User Level → Create/Delete Domains**)
3. Add domain: `nucking-futz.com`
4. Complete the domain wizard
1. Navigate to Mailcow admin → **Configuration****Mail setup** → **Domains** ### 3.2 Configure Email Routing (Remote MX)
2. Add domain: `mail.yourdomain.com`
3. Configure as needed
### 2. Create Mailboxes This tells MXRoute to forward all inbound mail to your Mailcow server rather than delivering locally.
Create mailboxes using the subdomain: 1. In DirectAdmin go to **Email Manager → MX Records** for `nucking-futz.com`
2. Set routing to **Remote Mail Exchanger** (exact label varies by DirectAdmin version)
3. Enter remote host: `mail.nucking-futz.com`
4. Save
1. Navigate to **Mailboxes** > **Note:** If DirectAdmin does not have a domain-level Remote MX option, you must create individual forwarders per address (see Known Gotchas below).
2. Create mailbox: `john@mail.yourdomain.com`
3. Set password and quota
4. Repeat for each user
### 3. Create Aliases for Clean Addresses ### 3.3 Get MXRoute DKIM Key
For each mailbox, create an alias so users can use clean `@yourdomain.com` addresses: 1. In DirectAdmin go to **Email Manager → DKIM Keys** for `nucking-futz.com`
2. Generate a DKIM key with selector `mxroute` (or whatever selector MXRoute assigns)
3. Copy the full TXT record value
1. Navigate to **Configuration****Mail setup** → **Aliases** ### 3.4 Add MXRoute DKIM DNS Record
2. Create alias:
- **Alias:** `john@yourdomain.com`
- **Destination:** `john@mail.yourdomain.com`
3. Repeat for each user
**Alternative: Alias Domain (Easier for Multiple Users)** Back in your DNS registrar, add:
1. Navigate to **Configuration****Mail setup** → **Alias Domains** | Type | Host | Value |
2. Add alias domain: `yourdomain.com` → aliases to → `mail.yourdomain.com` |------|------|-------|
3. This automatically creates aliases for ALL mailboxes: | TXT | `mxroute._domainkey` *(or the selector MXRoute assigned)* | *(paste the full key string)* |
- `john@yourdomain.com``john@mail.yourdomain.com`
- `jane@yourdomain.com``jane@mail.yourdomain.com`
### 4. Configure Default Sender Address ### 3.5 Configure Outbound Relay in Mailcow
Set users to send FROM their clean address by default: Mailcow needs to send outbound mail through MXRoute for best deliverability.
**Method 1: Per-Mailbox Settings** 1. In Mailcow go to **Configuration → Routing → Sender-Dependent Transports**
1. Edit each mailbox in Mailcow 2. Click **Add transport**
2. Under **Sender addresses**, add `john@yourdomain.com` 3. Set **Domain:** `nucking-futz.com`
3. Set as default sender address 4. Set **Relay host:** `[smtp.mxroute.com]:587`
5. Set **Username:** your MXRoute relay username (e.g. `relay@nucking-futz.com`)
**Method 2: SOGo Webmail** 6. Set **Password:** your MXRoute relay password
Users can configure in SOGo: 7. Click **Add**
1. Log into webmail
2. Settings → Mail → Accounts
3. Set "From" address to `john@yourdomain.com`
**Method 3: Email Client**
Configure email client (Thunderbird, Outlook, etc.):
- Identity name: `john@yourdomain.com`
- Reply-to: `john@yourdomain.com`
- SMTP still authenticates as `john@mail.yourdomain.com`
### 5. Enable Login with Alias Addresses (Make Transparent to Users)
Allow users to login with `john@yourdomain.com` instead of `john@mail.yourdomain.com`:
1. SSH into your Mailcow server
2. Edit the Dovecot configuration:
```bash
cd /opt/mailcow-dockerized
nano data/conf/dovecot/extra.cf
```
3. Add the following line:
```
auth_username_format = %Ln@%Ld
```
4. Restart Dovecot:
```bash
docker-compose restart dovecot-mailcow
```
**Alternative method - Edit via Mailcow UI:**
1. Navigate to **System****Configuration** → **Configuration & Details**
2. Under **Dovecot**, add custom config
3. Add: `auth_username_format = %Ln@%Ld`
**Result:** Users can now login with EITHER address:
- `john@yourdomain.com`
- `john@mail.yourdomain.com`
Both will work for IMAP, SMTP, and webmail authentication.
### 6. Allow MXroute IP Addresses
Add MXroute server IPs to Mailcow's trusted networks to skip spam filtering:
1. Navigate to **Configuration****Configuration & Details** → **Options**
2. Under **mynetworks**, add MXroute IPs
3. Or edit via command line in `data/conf/postfix/extra.cf`:
```
mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/16 [MXroute IPs]
```
### 7. Disable Greylisting for MXroute (Optional)
If you experience delays:
1. Navigate to **Configuration** → **Configuration & Details**
2. Find your domain
3. Under **Greylisting**, add MXroute IPs to whitelist
--- ---
## Testing ## Step 4 — Verify DNS Propagation
### 1. Test Mail Flow Once DNS has propagated (usually a few minutes at TTL 300), verify all records:
Send test email from external provider (Gmail, Outlook):
```
From: test@gmail.com
To: john@yourdomain.com
```
**Expected Flow:**
1. Mail arrives at MXroute for `john@yourdomain.com`
2. MXroute forwards to `john@mail.yourdomain.com`
3. Mailcow receives at `john@mail.yourdomain.com`
4. Mailcow alias delivers to `john@mail.yourdomain.com` mailbox
5. Mail appears in John's inbox
### 2. Test Reply
Have John reply to a message:
**Expected behavior:**
- Reply FROM: `john@yourdomain.com` (clean address)
- Reply goes through Mailcow → MXroute relay → Internet
### 3. Check Headers
Review email headers in Mailcow to verify:
- `Received:` headers show MXroute server
- `To:` shows `john@yourdomain.com`
- `Delivered-To:` shows `john@mail.yourdomain.com`
- SPF, DKIM, DMARC all pass
- No spam flags
### 3. Monitor Logs
**MXroute Logs:**
- Check DirectAdmin → Email Logs
- Verify forwarding is occurring
**Mailcow Logs:**
```bash ```bash
docker-compose logs -f postfix-mailcow # MX records
dig MX nucking-futz.com +short
# SPF
dig TXT nucking-futz.com +short
# DMARC
dig TXT _dmarc.nucking-futz.com +short
# Mailcow DKIM
dig TXT mailcow._domainkey.nucking-futz.com +short
# MXRoute DKIM
dig TXT mxroute._domainkey.nucking-futz.com +short
# A record for mail subdomain
dig A mail.nucking-futz.com +short
``` ```
Look for incoming connections from MXroute IPs. Run a full check at [https://mxtoolbox.com](https://mxtoolbox.com) → Email Health for `nucking-futz.com`.
--- ---
## Example Configuration: gnarlypandaproductions.com ## Step 5 — Test Mail Flow
### Mailcow Setup ### Inbound Test
**Domain:** `mail.gnarlypandaproductions.com`
**Mailboxes:** Send a test email to `graymutt@nucking-futz.com` from an external Gmail or Outlook account. Verify:
- `admin@mail.gnarlypandaproductions.com`
- `contact@mail.gnarlypandaproductions.com`
- `info@mail.gnarlypandaproductions.com`
**Alias Domain:** - Mail arrives in the Mailcow mailbox
`gnarlypandaproductions.com` → aliases to → `mail.gnarlypandaproductions.com` - Headers show the MXRoute → Mailcow forwarding path
- No spam flagging
This automatically creates: Check headers in Mailcow Roundcube: open the test message → **More → View Source**. You should see two `Received:` hops — one from MXRoute receiving from the internet, one from MXRoute delivering to your Mailcow.
- `admin@gnarlypandaproductions.com``admin@mail.gnarlypandaproductions.com`
- `contact@gnarlypandaproductions.com``contact@mail.gnarlypandaproductions.com`
- `info@gnarlypandaproductions.com``info@mail.gnarlypandaproductions.com`
### MXroute Setup ### Outbound Test
**Catch-all Forwarder:**
```
*@gnarlypandaproductions.com → @mail.gnarlypandaproductions.com
```
### DNS Records Send a test email from `graymutt@nucking-futz.com` to an external Gmail address. Verify:
| Record Type | Name | Value |
|-------------|------|-------|
| MX | @ | 10 arrow.mxroute.com |
| MX | @ | 20 eagle.mxroute.com |
| A | mail | 192.168.5.16 |
| TXT | @ | v=spf1 ip4:192.168.5.16 include:mxroute.com -all |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@gnarlypandaproductions.com |
| TXT | default._domainkey | [MXroute DKIM key] |
### User Experience - Mail arrives in the recipient's inbox (not spam)
**Users use clean addresses for EVERYTHING (completely transparent):** - Check headers show the MXRoute relay in the sending path
- Send FROM: `admin@gnarlypandaproductions.com` - Run the test email through [https://mail-tester.com](https://mail-tester.com) for a full score
- Receive AT: `admin@gnarlypandaproductions.com`
- Login with: `admin@gnarlypandaproductions.com` (and password)
- SMTP/IMAP Server: `mail.gnarlypandaproductions.com`
**Users never need to know about the `mail.` subdomain!** ### DKIM/SPF/DMARC Test
Send a test to `check-auth@verifier.port25.com` — you will receive an automated reply showing pass/fail for SPF, DKIM, and DMARC.
--- ---
## Troubleshooting ## Email Client Settings
### Mail Not Being Forwarded Configure email clients for `graymutt@nucking-futz.com` as follows:
1. **Check MXroute forwarder configuration** | Setting | Value |
- Verify forwarder exists in DirectAdmin |---------|-------|
- Check destination address is correct | Email address | `graymutt@nucking-futz.com` |
- Review MXroute email logs | IMAP server | `mail.nucking-futz.com` |
| IMAP port | `993` (SSL/TLS) |
2. **Verify DNS propagation** | SMTP server | `mail.nucking-futz.com` |
```bash | SMTP port | `465` (SSL/TLS) |
dig MX yourdomain.com | Username | `graymutt@nucking-futz.com` |
dig TXT yourdomain.com | Password | *(mailbox password set in Step 2.5)* |
```
3. **Check Mailcow firewall**
- Ensure port 25 is open
- Verify MXroute IPs aren't blocked
### SPF/DKIM Failures
1. **SPF not passing**
- Verify `include:mxroute.com` in SPF record
- Check for typos in SPF syntax
- Use SPF checker: https://mxtoolbox.com/spf.aspx
2. **DKIM not passing**
- Confirm DKIM record published in DNS
- Verify selector matches (usually `default`)
- Check DKIM record format (no spaces in key)
### Mail Delayed or Bouncing
1. **Greylisting delays**
- Disable greylisting in Mailcow for MXroute IPs
- Or wait 5-15 minutes for retry
2. **Mailbox full**
- Check quota in Mailcow
- Increase quota or clean mailbox
3. **Spam filtering**
- Check Mailcow spam folder
- Whitelist MXroute IPs in Rspamd
--- ---
## MXroute Server Information ## Credentials Reference
### Common MXroute Mail Servers | Service | Account | Password |
- arrow.mxroute.com |---------|---------|----------|
- eagle.mxroute.com | Mailcow mailbox | `graymutt@nucking-futz.com` | *(set during mailbox creation)* |
- hermes.mxroute.com | MXRoute relay | `relay@nucking-futz.com` | *(from MXRoute account)* |
- zen.mxroute.com | MXRoute DirectAdmin | *(MXRoute login)* | *(from MXRoute account)* |
**Your assigned server:** Check MXroute DirectAdmin welcome email or DNS settings
### MXroute IP Ranges
Consult MXroute documentation for current IP ranges to whitelist in Mailcow.
--- ---
## Advantages of This Setup ## Known Gotchas
- **Spam filtering:** MXroute handles initial spam filtering **MXRoute DirectAdmin may not have a domain-level Remote MX option.** If you cannot find a Remote Mail Exchanger or Email Routing setting, you must create individual forwarders for each address. For `graymutt@nucking-futz.com`:
- **DDoS protection:** MXroute absorbs mail-based attacks
- **Reliability:** If Mailcow is down, mail queues at MXroute 1. Go to **Email Manager → Forwarders**
- **Deliverability:** MXroute IPs have good reputation 2. Create forwarder: `graymutt@nucking-futz.com``graymutt@nucking-futz.com`
- **Offload processing:** Reduces load on your Mailcow server 3. In the destination field, set the **mail server** to `mail.nucking-futz.com`
This means every new mailbox requires a matching forwarder in MXRoute. This is the fallback if domain-level routing is unavailable.
**Two DKIM selectors are required.** Both `mailcow._domainkey` and `mxroute._domainkey` (or whatever MXRoute's selector is) must be in DNS. Mail sent directly by Mailcow uses the `mailcow` selector. Mail relayed through MXRoute outbound uses the `mxroute` selector. Both must be present for DMARC to pass on all paths.
**SPF includes both IPs.** The SPF record authorizes `ip4:YOUR_ATT_MAIL_IP` for direct Mailcow sends and `include:mxroute.com` for the relay path. If either is missing, DMARC alignment fails intermittently depending on send path.
**Forwarded mail and SPF.** When MXRoute forwards inbound mail to Mailcow, the envelope sender is rewritten by MXRoute (SRS — Sender Rewriting Scheme). This is normal and prevents Mailcow from rejecting it. The MXRoute trusted network entry in `extra.cf` (Step 2.4) is essential for this to work without spam scoring penalties.
**Test with a bank or financial institution.** Once everything is running, send a test from a bank email address to `graymutt@nucking-futz.com`. This is the primary reason MXRoute is used for inbound — residential AT&T IPs are blocked by financial institution filters regardless of PTR/SPF/DKIM correctness.
--- ---
## References ## Related Documentation
- [MXroute Documentation](https://mxroutedocs.com/) - [MailCow Configuration](./mailcow)
- [Mailcow Documentation](https://docs.mailcow.email/) - [MXRoute Outbound Relay Setup](./mxroute-outbound-relay)
- [Email Forwarding Best Practices](https://www.rfc-editor.org/rfc/rfc5321) - [OPNsense Firewall](./opnsense-firewall) — static IP allocation for ATT_Mail
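Review bot: Step 2.4 puts the MXRoute ranges into Postfix `mynetworks` (`69.167.160.0/19 198.54.120.0/22`), which does more than the stated goal of avoiding spam penalties: `mynetworks` marks clients as trusted and allowed to relay, so any host in those shared provider ranges could send mail through this server. Keep `mynetworks` to loopback and the local subnet and exempt MXRoute at the filter level instead (for example Mailcow's forwarding hosts setting or an Rspamd allowlist). The same line writes `127.0.0.1/8` where the previous version had `127.0.0.0/8`; the network address should be restored. Separately, the DNS table in Step 1 publishes `p=reject` from the start, while the removed text advised starting at `p=quarantine` and tightening once mail flow is confirmed; that staged rollout is worth keeping, since Step 5 is where SPF, DKIM and DMARC are first verified. Known Gotchas also states that mail "sent directly by Mailcow" uses the `mailcow` selector, but Step 3.5 routes the whole domain through the MXRoute relay, so the doc should say when a direct send path actually exists.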