traveler/Netgrimoire
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: update Netgrimoire/Services/MailCow/mxroute_mailcow

Browse source
This commit is contained in:
Administrator 2026-02-25 17:18:16 +00:00 committed by John Smith
parent d5dc6e436d
commit 7810845c33
1 changed files with 185 additions and 310 deletions
Download patch file Download diff file Expand all files Collapse all files

491
Netgrimoire/Services/MailCow/mxroute_mailcow.md
View file

@ -2,398 +2,273 @@
title: Recieving Mail thru MXRoute
description: Trusted receiver
published: true
date: 2026-02-15T02:33:37.376Z
date: 2026-02-25T17:18:07.245Z
tags:
editor: markdown
dateCreated: 2026-02-15T01:44:15.683Z
---
# MXroute Incoming Mail to Mailcow
# Mail Setup — nucking-futz.com
## Overview
Configuration guide for using MXroute to receive incoming mail for your domains and forward to your Mailcow server.
This guide covers complete mail setup for `nucking-futz.com` using MXRoute as the inbound gateway and Mailcow as the mailbox host. MXRoute receives all inbound mail from the internet (solving residential IP filtering issues with banks and financial institutions) and forwards to Mailcow for storage and retrieval. Mailcow handles outbound mail via the MXRoute SMTP relay.
**Architecture:**
```
Inbound: Internet → MXRoute (commercial IP) → Mailcow (192.168.5.16)
Outbound: Mailcow → MXRoute SMTP relay → Internet
```
---
## Architecture
## Prerequisites
```
Incoming: Internet → MXroute → Mailcow subdomain → Alias → Mailbox
Outgoing: Mailbox → Mailcow → MXroute relay → Internet
```
This setup allows MXroute to handle incoming mail filtering, spam protection, and then forward clean mail to your Mailcow server. Users send and receive using clean `@yourdomain.com` addresses.
### Address Structure Explained
**What users see (clean addresses):**
- `john@yourdomain.com`
- `jane@yourdomain.com`
**What happens behind the scenes:**
- Mailboxes actually exist as `john@mail.yourdomain.com`
- Aliases in Mailcow map `john@yourdomain.com``john@mail.yourdomain.com`
- MXroute forwards to `john@mail.yourdomain.com`
- Users send FROM `john@yourdomain.com` (configured as default sender)
- **Users login with `john@yourdomain.com`** (Dovecot auth configured to accept aliases)
**Benefits:**
- **100% transparent to users** - they only ever see/use `@yourdomain.com`
- Clean, professional email addresses
- Easier for users to remember and communicate
- No confusion about which address to use
- MXRoute account active with DirectAdmin access
- Mailcow running at 192.168.5.16
- DNS management access for nucking-futz.com
- MXRoute inbound server hostname (e.g. `arrow.mxroute.com`) — confirm in your MXRoute welcome email
---
## MXroute Configuration
## Step 1 — DNS Records
### 1. Add Domain to MXroute
Create the following records at your DNS registrar before configuring either service. MXRoute and Mailcow will both need DNS to validate correctly.
1. Log into MXroute DirectAdmin panel
2. Navigate to **Email Accounts** → **Email Domains**
3. Add your domain (e.g., `yourdomain.com`)
### Required DNS Records
### 2. Create Catch-All Forwarder
| Type | Host | Value | TTL | Notes |
|------|------|-------|-----|-------|
| A | `mail` | `YOUR_ATT_MAIL_IP` | 300 | Points to your Mailcow static IP |
| MX | `@` | `arrow.mxroute.com` | 300 | Primary inbound — confirm hostname with MXRoute |
| MX | `@` | `arrow2.mxroute.com` | 300 | Secondary inbound — confirm hostname with MXRoute |
| CNAME | `imap` | `mail.nucking-futz.com` | 300 | Client autoconfiguration |
| CNAME | `smtp` | `mail.nucking-futz.com` | 300 | Client autoconfiguration |
| CNAME | `webmail` | `mail.nucking-futz.com` | 300 | Roundcube access |
| CNAME | `autodiscover` | `mail.nucking-futz.com` | 300 | Outlook autodiscover |
| CNAME | `autoconfig` | `mail.nucking-futz.com` | 300 | Thunderbird autoconfig |
| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | 300 | SPF — authorize both Mailcow direct and MXRoute relay |
| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` | 300 | DMARC enforcement |
1. Navigate to **Email Accounts** → **Forwarders**
2. Create catch-all forwarder:
- **Email Address:** `*@yourdomain.com`
- **Forward To:** `@mail.yourdomain.com`
3. This forwards all mail to your Mailcow server, preserving the username
> **Note:** Leave TTL at 300 during initial setup. Raise to 3600 once everything is confirmed working.
**How it works:**
- Mail to `john@yourdomain.com` → forwarded to `john@mail.yourdomain.com`
- Mail to `jane@yourdomain.com` → forwarded to `jane@mail.yourdomain.com`
> **Note:** The DKIM TXT records (two selectors) are added in Steps 2 and 3 after generating keys — you need Mailcow and MXRoute configured first.
---
## DNS Configuration
## Step 2 — Mailcow Configuration
### Update MX Records
### 2.1 Add Domain
Point your domain's MX records to MXroute servers:
1. Log into Mailcow admin UI → **Mail Setup → Domains**
2. Click **Add domain**
3. Set **Domain:** `nucking-futz.com`
4. Set **Max mailboxes:** as needed (or leave unlimited)
5. Set **Max aliases:** as needed
6. Leave relay settings as default (outbound relay is configured at the transport level)
7. Click **Add domain**
### 2.2 Generate DKIM Key
1. Go to **Configuration → Configuration & Diagnostics → Configuration**
2. Click **ARC/DKIM Keys** tab
3. Select domain `nucking-futz.com`
4. Set **Selector:** `mailcow`
5. Set **Key length:** 2048
6. Click **Generate**
7. Copy the full TXT record value displayed — you will need this for DNS
### 2.3 Add DKIM DNS Record
Back in your DNS registrar, add:
| Type | Host | Value |
|------|------|-------|
| TXT | `mailcow._domainkey` | *(paste the full key string from Mailcow — begins with `v=DKIM1;`)* |
### 2.4 Add MXRoute to Trusted Networks
This prevents Mailcow from applying spam penalties to forwarded mail arriving from MXRoute's IPs.
1. Go to **Configuration → Configuration & Diagnostics → Configuration**
2. Click **Extra Postfix configuration** tab
3. Add to `extra.cf`:
```
yourdomain.com → MX 10 arrow.mxroute.com
yourdomain.com → MX 20 eagle.mxroute.com
# Trust MXRoute forwarding IPs
mynetworks = 127.0.0.1/8 [::1]/128 192.168.5.0/24 69.167.160.0/19 198.54.120.0/22
```
**Note:** Check your MXroute account for the correct server hostnames (arrow, eagle, hermes, etc.)
> **Note:** Verify current MXRoute IP ranges in your MXRoute account or welcome documentation — ranges may change.
### SPF Record
4. Click **Save**
5. Click **Restart affected containers**
Update SPF to allow MXroute to send on your behalf:
### 2.5 Create Mailbox
```
v=spf1 include:mxroute.com -all
```
1. Go to **Mail Setup → Mailboxes**
2. Click **Add mailbox**
3. Set **Username:** `graymutt`
4. Set **Domain:** `nucking-futz.com`
5. Set a strong password
6. Set quota as needed
7. Click **Add**
If you also send from Mailcow directly:
```
v=spf1 ip4:192.168.5.16 include:mxroute.com -all
```
### DKIM Records
1. Generate DKIM key in MXroute DirectAdmin:
- Navigate to **Email Authentication** → **DKIM Keys**
- Generate key for your domain
- Copy the DNS record
2. Add DKIM TXT record to your DNS:
```
default._domainkey.yourdomain.com → [MXroute DKIM public key]
```
### DMARC Record
```
_dmarc.yourdomain.com → v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com
```
**Note:** Start with `p=quarantine` for testing, then move to `p=reject` once confirmed working.
The mailbox `graymutt@nucking-futz.com` is now created and active.
---
## Mailcow Configuration
## Step 3 — MXRoute Configuration
### 1. Add Domain
### 3.1 Add Domain in DirectAdmin
Add `mail.yourdomain.com` as a domain in Mailcow:
1. Log into MXRoute DirectAdmin
2. Go to **Account Manager → Domain Setup** (or **User Level → Create/Delete Domains**)
3. Add domain: `nucking-futz.com`
4. Complete the domain wizard
1. Navigate to Mailcow admin → **Configuration****Mail setup** → **Domains**
2. Add domain: `mail.yourdomain.com`
3. Configure as needed
### 3.2 Configure Email Routing (Remote MX)
### 2. Create Mailboxes
This tells MXRoute to forward all inbound mail to your Mailcow server rather than delivering locally.
Create mailboxes using the subdomain:
1. In DirectAdmin go to **Email Manager → MX Records** for `nucking-futz.com`
2. Set routing to **Remote Mail Exchanger** (exact label varies by DirectAdmin version)
3. Enter remote host: `mail.nucking-futz.com`
4. Save
1. Navigate to **Mailboxes**
2. Create mailbox: `john@mail.yourdomain.com`
3. Set password and quota
4. Repeat for each user
> **Note:** If DirectAdmin does not have a domain-level Remote MX option, you must create individual forwarders per address (see Known Gotchas below).
### 3. Create Aliases for Clean Addresses
### 3.3 Get MXRoute DKIM Key
For each mailbox, create an alias so users can use clean `@yourdomain.com` addresses:
1. In DirectAdmin go to **Email Manager → DKIM Keys** for `nucking-futz.com`
2. Generate a DKIM key with selector `mxroute` (or whatever selector MXRoute assigns)
3. Copy the full TXT record value
1. Navigate to **Configuration****Mail setup** → **Aliases**
2. Create alias:
- **Alias:** `john@yourdomain.com`
- **Destination:** `john@mail.yourdomain.com`
3. Repeat for each user
### 3.4 Add MXRoute DKIM DNS Record
**Alternative: Alias Domain (Easier for Multiple Users)**
Back in your DNS registrar, add:
1. Navigate to **Configuration****Mail setup** → **Alias Domains**
2. Add alias domain: `yourdomain.com` → aliases to → `mail.yourdomain.com`
3. This automatically creates aliases for ALL mailboxes:
- `john@yourdomain.com``john@mail.yourdomain.com`
- `jane@yourdomain.com``jane@mail.yourdomain.com`
| Type | Host | Value |
|------|------|-------|
| TXT | `mxroute._domainkey` *(or the selector MXRoute assigned)* | *(paste the full key string)* |
### 4. Configure Default Sender Address
### 3.5 Configure Outbound Relay in Mailcow
Set users to send FROM their clean address by default:
Mailcow needs to send outbound mail through MXRoute for best deliverability.
**Method 1: Per-Mailbox Settings**
1. Edit each mailbox in Mailcow
2. Under **Sender addresses**, add `john@yourdomain.com`
3. Set as default sender address
1. In Mailcow go to **Configuration → Routing → Sender-Dependent Transports**
2. Click **Add transport**
3. Set **Domain:** `nucking-futz.com`
4. Set **Relay host:** `[smtp.mxroute.com]:587`
5. Set **Username:** your MXRoute relay username (e.g. `relay@nucking-futz.com`)
6. Set **Password:** your MXRoute relay password
7. Click **Add**
**Method 2: SOGo Webmail**
Users can configure in SOGo:
1. Log into webmail
2. Settings → Mail → Accounts
3. Set "From" address to `john@yourdomain.com`
---
**Method 3: Email Client**
Configure email client (Thunderbird, Outlook, etc.):
- Identity name: `john@yourdomain.com`
- Reply-to: `john@yourdomain.com`
- SMTP still authenticates as `john@mail.yourdomain.com`
## Step 4 — Verify DNS Propagation
### 5. Enable Login with Alias Addresses (Make Transparent to Users)
Once DNS has propagated (usually a few minutes at TTL 300), verify all records:
Allow users to login with `john@yourdomain.com` instead of `john@mail.yourdomain.com`:
1. SSH into your Mailcow server
2. Edit the Dovecot configuration:
```bash
cd /opt/mailcow-dockerized
nano data/conf/dovecot/extra.cf
# MX records
dig MX nucking-futz.com +short
# SPF
dig TXT nucking-futz.com +short
# DMARC
dig TXT _dmarc.nucking-futz.com +short
# Mailcow DKIM
dig TXT mailcow._domainkey.nucking-futz.com +short
# MXRoute DKIM
dig TXT mxroute._domainkey.nucking-futz.com +short
# A record for mail subdomain
dig A mail.nucking-futz.com +short
```
3. Add the following line:
```
auth_username_format = %Ln@%Ld
```
4. Restart Dovecot:
```bash
docker-compose restart dovecot-mailcow
```
**Alternative method - Edit via Mailcow UI:**
1. Navigate to **System****Configuration** → **Configuration & Details**
2. Under **Dovecot**, add custom config
3. Add: `auth_username_format = %Ln@%Ld`
**Result:** Users can now login with EITHER address:
- `john@yourdomain.com`
- `john@mail.yourdomain.com`
Both will work for IMAP, SMTP, and webmail authentication.
### 6. Allow MXroute IP Addresses
Add MXroute server IPs to Mailcow's trusted networks to skip spam filtering:
1. Navigate to **Configuration****Configuration & Details** → **Options**
2. Under **mynetworks**, add MXroute IPs
3. Or edit via command line in `data/conf/postfix/extra.cf`:
```
mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/16 [MXroute IPs]
```
### 7. Disable Greylisting for MXroute (Optional)
If you experience delays:
1. Navigate to **Configuration** → **Configuration & Details**
2. Find your domain
3. Under **Greylisting**, add MXroute IPs to whitelist
Run a full check at [https://mxtoolbox.com](https://mxtoolbox.com) → Email Health for `nucking-futz.com`.
---
## Testing
## Step 5 — Test Mail Flow
### 1. Test Mail Flow
### Inbound Test
Send test email from external provider (Gmail, Outlook):
```
From: test@gmail.com
To: john@yourdomain.com
```
Send a test email to `graymutt@nucking-futz.com` from an external Gmail or Outlook account. Verify:
**Expected Flow:**
1. Mail arrives at MXroute for `john@yourdomain.com`
2. MXroute forwards to `john@mail.yourdomain.com`
3. Mailcow receives at `john@mail.yourdomain.com`
4. Mailcow alias delivers to `john@mail.yourdomain.com` mailbox
5. Mail appears in John's inbox
- Mail arrives in the Mailcow mailbox
- Headers show the MXRoute → Mailcow forwarding path
- No spam flagging
### 2. Test Reply
Check headers in Mailcow Roundcube: open the test message → **More → View Source**. You should see two `Received:` hops — one from MXRoute receiving from the internet, one from MXRoute delivering to your Mailcow.
Have John reply to a message:
### Outbound Test
**Expected behavior:**
- Reply FROM: `john@yourdomain.com` (clean address)
- Reply goes through Mailcow → MXroute relay → Internet
Send a test email from `graymutt@nucking-futz.com` to an external Gmail address. Verify:
### 3. Check Headers
- Mail arrives in the recipient's inbox (not spam)
- Check headers show the MXRoute relay in the sending path
- Run the test email through [https://mail-tester.com](https://mail-tester.com) for a full score
Review email headers in Mailcow to verify:
- `Received:` headers show MXroute server
- `To:` shows `john@yourdomain.com`
- `Delivered-To:` shows `john@mail.yourdomain.com`
- SPF, DKIM, DMARC all pass
- No spam flags
### DKIM/SPF/DMARC Test
### 3. Monitor Logs
**MXroute Logs:**
- Check DirectAdmin → Email Logs
- Verify forwarding is occurring
**Mailcow Logs:**
```bash
docker-compose logs -f postfix-mailcow
```
Look for incoming connections from MXroute IPs.
Send a test to `check-auth@verifier.port25.com` — you will receive an automated reply showing pass/fail for SPF, DKIM, and DMARC.
---
## Example Configuration: gnarlypandaproductions.com
## Email Client Settings
### Mailcow Setup
**Domain:** `mail.gnarlypandaproductions.com`
Configure email clients for `graymutt@nucking-futz.com` as follows:
**Mailboxes:**
- `admin@mail.gnarlypandaproductions.com`
- `contact@mail.gnarlypandaproductions.com`
- `info@mail.gnarlypandaproductions.com`
**Alias Domain:**
`gnarlypandaproductions.com` → aliases to → `mail.gnarlypandaproductions.com`
This automatically creates:
- `admin@gnarlypandaproductions.com``admin@mail.gnarlypandaproductions.com`
- `contact@gnarlypandaproductions.com``contact@mail.gnarlypandaproductions.com`
- `info@gnarlypandaproductions.com``info@mail.gnarlypandaproductions.com`
### MXroute Setup
**Catch-all Forwarder:**
```
*@gnarlypandaproductions.com → @mail.gnarlypandaproductions.com
```
### DNS Records
| Record Type | Name | Value |
|-------------|------|-------|
| MX | @ | 10 arrow.mxroute.com |
| MX | @ | 20 eagle.mxroute.com |
| A | mail | 192.168.5.16 |
| TXT | @ | v=spf1 ip4:192.168.5.16 include:mxroute.com -all |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@gnarlypandaproductions.com |
| TXT | default._domainkey | [MXroute DKIM key] |
### User Experience
**Users use clean addresses for EVERYTHING (completely transparent):**
- Send FROM: `admin@gnarlypandaproductions.com`
- Receive AT: `admin@gnarlypandaproductions.com`
- Login with: `admin@gnarlypandaproductions.com` (and password)
- SMTP/IMAP Server: `mail.gnarlypandaproductions.com`
**Users never need to know about the `mail.` subdomain!**
| Setting | Value |
|---------|-------|
| Email address | `graymutt@nucking-futz.com` |
| IMAP server | `mail.nucking-futz.com` |
| IMAP port | `993` (SSL/TLS) |
| SMTP server | `mail.nucking-futz.com` |
| SMTP port | `465` (SSL/TLS) |
| Username | `graymutt@nucking-futz.com` |
| Password | *(mailbox password set in Step 2.5)* |
---
## Troubleshooting
## Credentials Reference
### Mail Not Being Forwarded
1. **Check MXroute forwarder configuration**
- Verify forwarder exists in DirectAdmin
- Check destination address is correct
- Review MXroute email logs
2. **Verify DNS propagation**
```bash
dig MX yourdomain.com
dig TXT yourdomain.com
```
3. **Check Mailcow firewall**
- Ensure port 25 is open
- Verify MXroute IPs aren't blocked
### SPF/DKIM Failures
1. **SPF not passing**
- Verify `include:mxroute.com` in SPF record
- Check for typos in SPF syntax
- Use SPF checker: https://mxtoolbox.com/spf.aspx
2. **DKIM not passing**
- Confirm DKIM record published in DNS
- Verify selector matches (usually `default`)
- Check DKIM record format (no spaces in key)
### Mail Delayed or Bouncing
1. **Greylisting delays**
- Disable greylisting in Mailcow for MXroute IPs
- Or wait 5-15 minutes for retry
2. **Mailbox full**
- Check quota in Mailcow
- Increase quota or clean mailbox
3. **Spam filtering**
- Check Mailcow spam folder
- Whitelist MXroute IPs in Rspamd
| Service | Account | Password |
|---------|---------|----------|
| Mailcow mailbox | `graymutt@nucking-futz.com` | *(set during mailbox creation)* |
| MXRoute relay | `relay@nucking-futz.com` | *(from MXRoute account)* |
| MXRoute DirectAdmin | *(MXRoute login)* | *(from MXRoute account)* |
---
## MXroute Server Information
## Known Gotchas
### Common MXroute Mail Servers
- arrow.mxroute.com
- eagle.mxroute.com
- hermes.mxroute.com
- zen.mxroute.com
**MXRoute DirectAdmin may not have a domain-level Remote MX option.** If you cannot find a Remote Mail Exchanger or Email Routing setting, you must create individual forwarders for each address. For `graymutt@nucking-futz.com`:
**Your assigned server:** Check MXroute DirectAdmin welcome email or DNS settings
1. Go to **Email Manager → Forwarders**
2. Create forwarder: `graymutt@nucking-futz.com``graymutt@nucking-futz.com`
3. In the destination field, set the **mail server** to `mail.nucking-futz.com`
### MXroute IP Ranges
Consult MXroute documentation for current IP ranges to whitelist in Mailcow.
This means every new mailbox requires a matching forwarder in MXRoute. This is the fallback if domain-level routing is unavailable.
**Two DKIM selectors are required.** Both `mailcow._domainkey` and `mxroute._domainkey` (or whatever MXRoute's selector is) must be in DNS. Mail sent directly by Mailcow uses the `mailcow` selector. Mail relayed through MXRoute outbound uses the `mxroute` selector. Both must be present for DMARC to pass on all paths.
**SPF includes both IPs.** The SPF record authorizes `ip4:YOUR_ATT_MAIL_IP` for direct Mailcow sends and `include:mxroute.com` for the relay path. If either is missing, DMARC alignment fails intermittently depending on send path.
**Forwarded mail and SPF.** When MXRoute forwards inbound mail to Mailcow, the envelope sender is rewritten by MXRoute (SRS — Sender Rewriting Scheme). This is normal and prevents Mailcow from rejecting it. The MXRoute trusted network entry in `extra.cf` (Step 2.4) is essential for this to work without spam scoring penalties.
**Test with a bank or financial institution.** Once everything is running, send a test from a bank email address to `graymutt@nucking-futz.com`. This is the primary reason MXRoute is used for inbound — residential AT&T IPs are blocked by financial institution filters regardless of PTR/SPF/DKIM correctness.
---
## Advantages of This Setup
## Related Documentation
- **Spam filtering:** MXroute handles initial spam filtering
- **DDoS protection:** MXroute absorbs mail-based attacks
- **Reliability:** If Mailcow is down, mail queues at MXroute
- **Deliverability:** MXroute IPs have good reputation
- **Offload processing:** Reduces load on your Mailcow server
---
## References
- [MXroute Documentation](https://mxroutedocs.com/)
- [Mailcow Documentation](https://docs.mailcow.email/)
- [Email Forwarding Best Practices](https://www.rfc-editor.org/rfc/rfc5321)
- [MailCow Configuration](./mailcow)
- [MXRoute Outbound Relay Setup](./mxroute-outbound-relay)
- [OPNsense Firewall](./opnsense-firewall) — static IP allocation for ATT_Mail