From 7f785d9b13605183cf627c396e8a899eb0eb8e85 Mon Sep 17 00:00:00 2001 From: Administrator Date: Wed, 25 Feb 2026 19:22:45 +0000 Subject: [PATCH] docs: create Netgrimoire/Services/MailCow/MXRoute_Integration --- .../Services/MailCow/MXRoute_Integration.md | 430 ++++++++++++++++++ 1 file changed, 430 insertions(+) create mode 100644 Netgrimoire/Services/MailCow/MXRoute_Integration.md diff --git a/Netgrimoire/Services/MailCow/MXRoute_Integration.md b/Netgrimoire/Services/MailCow/MXRoute_Integration.md new file mode 100644 index 0000000..7dc24df --- /dev/null +++ b/Netgrimoire/Services/MailCow/MXRoute_Integration.md 
@@ -0,0 +1,430 @@ +--- +title: INtegrating MXRoute with MailCow +description: +published: true +date: 2026-02-25T19:22:31.514Z +tags: +editor: markdown +dateCreated: 2026-02-25T19:22:31.514Z +--- + +# MXRoute — Master Configuration Reference + +## Overview + +MXRoute serves two roles in Netgrimoire mail infrastructure: + +- **Inbound gateway** — MX records for all domains point to MXRoute's commercial IPs, solving residential AT&T IP filtering by banks and financial institutions. MXRoute receives mail and forwards to Mailcow via per-address forwarders. +- **Outbound relay** — Mailcow sends all outbound mail through MXRoute via sender-dependent transports for improved deliverability. + +**Mail flow:** + +``` +Inbound: Internet → MXRoute (commercial IP) → Mailcow (192.168.5.16) +Outbound: Mailcow (192.168.5.16) → MXRoute SMTP relay → Internet +``` + +**Mailcow host:** 192.168.5.16 +**MXRoute control panel:** confirm server hostname from MXRoute welcome email (e.g. `arrow.mxrouting.net`) +**MXRoute SMTP relay:** confirm from welcome email (e.g. `smtp.mxroute.com:587`) + +--- + +## Architecture — Why Two Domains Per Hosted Domain + +MXRoute forwarders require a valid destination email address. Forwarding `user@domain.com` back to `user@domain.com` creates a mail loop because MXRoute would look up the MX for `domain.com` and find itself. The solution is a `mail.domain.com` subdomain with its own MX record pointing directly to Mailcow. MXRoute forwards to `user@mail.domain.com`, Mailcow accepts and delivers, and an alias domain maps `@domain.com` back so users only ever see `@domain.com`. + +``` +domain.com MX → MXRoute (public-facing, receives from internet) +mail.domain.com MX → 192.168.5.16 (internal, MXRoute forwards here) +``` + +--- + +## MXRoute Control Panel + +**Login:** confirm URL from MXRoute welcome email +**Interface:** MXRoute 4.0 (new UI — not old DirectAdmin) + +### Creating a Forwarder + +1. Go to **Forwarders** +2. Click **Create New Forwarder** +3. 
Set **Forwarder Name:** `username` (domain shown automatically) +4. Set **Destination Type:** `Forward to Email(s)` +5. Set **Recipients:** `username@mail.domain.com` +6. Click **Create Forwarder** + +> Recipients field accepts multiple addresses comma or newline separated. + +--- + +## Mailcow Configuration + +### Adding a New Domain (One-Time Per Domain) + +1. **Mail Setup → Domains → Add domain** + - Domain: `mail.domain.com` (the subdomain Mailcow owns) + - Leave relay settings as default + +2. **Mail Setup → Alias Domains → Add alias domain** + - Alias Domain: `domain.com` + - Target Domain: `mail.domain.com` + - This makes Mailcow accept and deliver mail for `@domain.com` to `@mail.domain.com` mailboxes + +3. **Configuration → ARC/DKIM Keys** + - Select domain `mail.domain.com` + - Selector: `mailcow` + - Key length: 2048 + - Generate and copy TXT record for DNS + +4. **Configuration → Extra Postfix configuration → extra.cf** + +``` +# Trust MXRoute forwarding IPs — prevents SPF scoring on forwarded mail +mynetworks = 127.0.0.1/8 [::1]/128 192.168.5.0/24 69.167.160.0/19 198.54.120.0/22 +``` + +Restart affected containers after saving. + +### Adding a New Mailbox + +1. **Mail Setup → Mailboxes → Add mailbox** + - Username: `user` + - Domain: `mail.domain.com` + +2. **MXRoute control panel → Forwarders → Create New Forwarder** + - Forwarder: `user@domain.com` + - Destination: `user@mail.domain.com` + +### Outbound Relay — Sender-Dependent Transports + +One transport entry per domain. 
**Configuration → Routing → Sender-Dependent Transports** + +| Domain | Relay Host | Username | Password | +|--------|-----------|----------|----------| +| pncharris.com | `[smtp.mxroute.com]:587` | relay@pncharris.com | H@rv3yD)G123 | +| wasted-bandwidth.net | `[smtp.mxroute.com]:587` | relay@wasted-bandwidth.net | dZ4yLYznVvgSJtqWZJFA | +| netgrimoire.com | `[smtp.mxroute.com]:587` | relay@netgrimoire.com | TVGCnJp9SxRbWU8EhkMw | +| florosafd.org | `[smtp.mxroute.com]:587` | relay@florosafd.org | 2Fe8XMyaeh6Z5dvdHYdq | +| gnarlypandaproductions.com | `[smtp.mxroute.com]:587` | relay@gnarlypandaproductions.com | vG5ZsUQhRWD2UyzLPsqA | + +> Confirm SMTP relay hostname from MXRoute welcome email — substitute actual hostname for `smtp.mxroute.com` if different. + +### Email Client Settings (All Domains) + +| Setting | Value | +|---------|-------| +| IMAP server | `mail.domain.com` | +| IMAP port | `993` (SSL/TLS) | +| SMTP server | `mail.domain.com` | +| SMTP port | `465` (SSL/TLS) | +| Username | `user@domain.com` | + +> Users log in with `@domain.com`. Mailcow resolves to the internal `@mail.domain.com` mailbox via alias domain — transparent to the user. + +--- + +## DNS Reference — All Domains + +### DNS Pattern (Apply to Every Domain) + +Two sets of MX records are required — one for the public domain (pointing to MXRoute) and one for the mail subdomain (pointing directly to Mailcow). 
+ +| Type | Host | Value | Notes | +|------|------|-------|-------| +| A | `mail` | `YOUR_ATT_MAIL_IP` | Mailcow server — MXRoute forwards here | +| MX | `@` | MXRoute primary (priority 10) | From MXRoute welcome email | +| MX | `@` | MXRoute secondary (priority 20) | From MXRoute welcome email | +| MX | `mail` | `mail.domain.com` (priority 10) | Mailcow handles subdomain directly | +| CNAME | `imap` | `mail.domain.com` | Client autoconfiguration | +| CNAME | `smtp` | `mail.domain.com` | Client autoconfiguration | +| CNAME | `webmail` | `mail.domain.com` | Roundcube access | +| CNAME | `autodiscover` | `mail.domain.com` | Outlook autodiscover | +| CNAME | `autoconfig` | `mail.domain.com` | Thunderbird autoconfig | +| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | SPF — both Mailcow direct and MXRoute relay | +| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` | SPF for subdomain — Mailcow direct only | +| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` | DMARC enforcement | +| TXT | `mailcow._domainkey.mail` | *(generated in Mailcow ARC/DKIM Keys)* | Mailcow DKIM selector | +| TXT | `x._domainkey` | *(from MXRoute control panel)* | MXRoute DKIM selector — confirm actual selector name | + +--- + +### pncharris.com + +| Type | Host | Value | +|------|------|-------| +| A | `mail` | YOUR_ATT_MAIL_IP | +| MX | `@` | MXRoute primary (priority 10) | +| MX | `@` | MXRoute secondary (priority 20) | +| MX | `mail` | `mail.pncharris.com` (priority 10) | +| CNAME | `imap` | `mail.pncharris.com` | +| CNAME | `smtp` | `mail.pncharris.com` | +| CNAME | `webmail` | `mail.pncharris.com` | +| CNAME | `autodiscover` | `mail.pncharris.com` | +| CNAME | `autoconfig` | `mail.pncharris.com` | +| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | +| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` | +| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` | +| TXT | `mailcow._domainkey.mail` | *(from 
Mailcow ARC/DKIM Keys for mail.pncharris.com)* | +| TXT | `x._domainkey` | *(from MXRoute control panel)* | + +**Mailcow domains:** `mail.pncharris.com` (primary), `pncharris.com` (alias domain → mail.pncharris.com) + +**Relay credentials:** + +| Account | Password | Notes | +|---------|----------|-------| +| relay@pncharris.com | H@rv3yD)G123 | Current relay account | +| forwarder@pncharris.com | *(see password history below)* | Legacy account | +| passer@pncharris.com | bBJtPhrGkHvvhxhukkae | Current | +| kylr pncharris | -,68,incTeR | | +| G4@rlyf1ng3r | *(Feb 14)* | | + +**passer@pncharris.com password history** (most recent last): +- !5!,_\*zDyLEhhR4 +- sh7dXWnTPqbkDGsTcwtn +- MY3V8p69b2HYksygxhXX +- RS6U2GU6rcYe3THKKgYx +- yzqNysrd73yzWptVEZ5H (current) + +--- + +### wasted-bandwidth.net + +| Type | Host | Value | +|------|------|-------| +| A | `mail` | YOUR_ATT_MAIL_IP | +| MX | `@` | MXRoute primary (priority 10) | +| MX | `@` | MXRoute secondary (priority 20) | +| MX | `mail` | `mail.wasted-bandwidth.net` (priority 10) | +| CNAME | `imap` | `mail.wasted-bandwidth.net` | +| CNAME | `smtp` | `mail.wasted-bandwidth.net` | +| CNAME | `webmail` | `mail.wasted-bandwidth.net` | +| CNAME | `autodiscover` | `mail.wasted-bandwidth.net` | +| CNAME | `autoconfig` | `mail.wasted-bandwidth.net` | +| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | +| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` | +| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` | +| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.wasted-bandwidth.net)* | +| TXT | `x._domainkey` | *(from MXRoute control panel)* | + +**Mailcow domains:** `mail.wasted-bandwidth.net` (primary), `wasted-bandwidth.net` (alias domain) + +**Relay credentials:** + +| Account | Password | +|---------|----------| +| relay@wasted-bandwidth.net | dZ4yLYznVvgSJtqWZJFA | + +--- + +### netgrimoire.com + +| Type | Host | Value | +|------|------|-------| +| A | 
`mail` | YOUR_ATT_MAIL_IP | +| MX | `@` | MXRoute primary (priority 10) | +| MX | `@` | MXRoute secondary (priority 20) | +| MX | `mail` | `mail.netgrimoire.com` (priority 10) | +| CNAME | `imap` | `mail.netgrimoire.com` | +| CNAME | `smtp` | `mail.netgrimoire.com` | +| CNAME | `webmail` | `mail.netgrimoire.com` | +| CNAME | `autodiscover` | `mail.netgrimoire.com` | +| CNAME | `autoconfig` | `mail.netgrimoire.com` | +| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | +| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` | +| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` | +| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.netgrimoire.com)* | +| TXT | `x._domainkey` | *(from MXRoute control panel)* | + +**Mailcow domains:** `mail.netgrimoire.com` (primary), `netgrimoire.com` (alias domain) + +**Relay credentials:** + +| Account | Password | +|---------|----------| +| relay@netgrimoire.com | TVGCnJp9SxRbWU8EhkMw | + +--- + +### florosafd.org + +| Type | Host | Value | +|------|------|-------| +| A | `mail` | YOUR_ATT_MAIL_IP | +| MX | `@` | MXRoute primary (priority 10) | +| MX | `@` | MXRoute secondary (priority 20) | +| MX | `mail` | `mail.florosafd.org` (priority 10) | +| CNAME | `imap` | `mail.florosafd.org` | +| CNAME | `smtp` | `mail.florosafd.org` | +| CNAME | `webmail` | `mail.florosafd.org` | +| CNAME | `autodiscover` | `mail.florosafd.org` | +| CNAME | `autoconfig` | `mail.florosafd.org` | +| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | +| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` | +| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` | +| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.florosafd.org)* | +| TXT | `x._domainkey` | *(from MXRoute control panel)* | + +**Mailcow domains:** `mail.florosafd.org` (primary), `florosafd.org` (alias domain) + +**Relay credentials:** + +| Account | Password | 
+|---------|----------| +| relay@florosafd.org | 2Fe8XMyaeh6Z5dvdHYdq | + +--- + +### gnarlypandaproductions.com + +| Type | Host | Value | +|------|------|-------| +| A | `mail` | YOUR_ATT_MAIL_IP | +| MX | `@` | MXRoute primary (priority 10) | +| MX | `@` | MXRoute secondary (priority 20) | +| MX | `mail` | `mail.gnarlypandaproductions.com` (priority 10) | +| CNAME | `imap` | `mail.gnarlypandaproductions.com` | +| CNAME | `smtp` | `mail.gnarlypandaproductions.com` | +| CNAME | `webmail` | `mail.gnarlypandaproductions.com` | +| CNAME | `roundcube` | `roundcube.netgrimoire.com` | +| CNAME | `autodiscover` | `mail.gnarlypandaproductions.com` | +| CNAME | `autoconfig` | `mail.gnarlypandaproductions.com` | +| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | +| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` | +| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@gnarlypandaproductions.com` | +| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.gnarlypandaproductions.com)* | +| TXT | `default._domainkey` | `v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3D3vyPoBHB4eMSMq8HygVWHzYbketRX4yjk9wV4bdaar0/c89dK230FMOW6zVXEsY1sXKFk1kBxerHVw0wY8qnQyooHgINEQcEXrtB/x93Sl/cqBQXk+PHOIOymQwgni8WCUhCSnvunxXK8qX5f9J56qzd0/wpY2WSEHho+XrnQjc+c7HMvkcC3+nKJe59ZNgvQW/Y9B/L6zFDjAp+QOUYp9wwX4L+j1T4fQSygYxAJZ0aIoR8FsbOuXc38pht99HyUnYwH08HoK7xv3DL2BrVo3KVZ7xMe2S4YMxd1HkJz2evbV/ziNsJcKW/le3fFS7mza09yJXDLDcLOKLXbYUQIDAQAB` | +| TXT | `x._domainkey` | *(from MXRoute control panel — confirm actual selector)* | + +**Mailcow domains:** `mail.gnarlypandaproductions.com` (primary), `gnarlypandaproductions.com` (alias domain) + +**Relay credentials:** + +| Account | Password | +|---------|----------| +| relay@gnarlypandaproductions.com | vG5ZsUQhRWD2UyzLPsqA | + +--- + +### nucking-futz.com + +New domain — see [Mail Setup — nucking-futz.com](./mail-setup-nucking-futz) for full setup guide. 
+ +| Type | Host | Value | +|------|------|-------| +| A | `mail` | YOUR_ATT_MAIL_IP | +| MX | `@` | MXRoute primary (priority 10) | +| MX | `@` | MXRoute secondary (priority 20) | +| MX | `mail` | `mail.nucking-futz.com` (priority 10) | +| CNAME | `imap` | `mail.nucking-futz.com` | +| CNAME | `smtp` | `mail.nucking-futz.com` | +| CNAME | `webmail` | `mail.nucking-futz.com` | +| CNAME | `autodiscover` | `mail.nucking-futz.com` | +| CNAME | `autoconfig` | `mail.nucking-futz.com` | +| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | +| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` | +| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` | +| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.nucking-futz.com)* | +| TXT | `x._domainkey` | *(from MXRoute control panel)* | + +**Mailcow domains:** `mail.nucking-futz.com` (primary), `nucking-futz.com` (alias domain) + +**Relay credentials:** + +| Account | Password | +|---------|----------| +| relay@nucking-futz.com | *(set during MXRoute domain creation)* | + +--- + +## Adding a New Domain — Checklist + +Use this checklist every time a new domain is added to the stack. 
+ +**DNS (at registrar):** +- [ ] A record: `mail.newdomain.com` → YOUR_ATT_MAIL_IP +- [ ] MX records: `@` → MXRoute servers +- [ ] MX record: `mail` → `mail.newdomain.com` +- [ ] CNAME records: imap, smtp, webmail, autodiscover, autoconfig +- [ ] SPF TXT: `@` — includes both ATT IP and `include:mxroute.com` +- [ ] SPF TXT: `mail` — ATT IP only +- [ ] DMARC TXT: `_dmarc` +- [ ] DKIM TXT: `mailcow._domainkey.mail` — after generating in Mailcow +- [ ] DKIM TXT: `x._domainkey` — after retrieving from MXRoute + +**Mailcow:** +- [ ] Add domain: `mail.newdomain.com` +- [ ] Add alias domain: `newdomain.com` → `mail.newdomain.com` +- [ ] Generate DKIM key (selector: `mailcow`) for `mail.newdomain.com` +- [ ] Add sender-dependent transport for `newdomain.com` +- [ ] Add sender-dependent transport for `mail.newdomain.com` +- [ ] Create mailboxes as `user@mail.newdomain.com` + +**MXRoute:** +- [ ] Add domain in control panel +- [ ] Create forwarder for each mailbox: `user@newdomain.com` → `user@mail.newdomain.com` +- [ ] Retrieve DKIM key for DNS + +--- + +## Troubleshooting + +### Mail not delivering inbound (not reaching Mailcow) + +- Check MX records for `@` point to MXRoute servers: `dig MX domain.com +short` +- Check MX record for `mail` subdomain points to Mailcow: `dig MX mail.domain.com +short` +- Verify MXRoute forwarder exists for the address in the control panel +- Check Mailcow logs: **Logs → Postfix** — look for the delivery attempt and any rejection reason +- Verify MXRoute IP ranges are in Mailcow `extra.cf` trusted networks + +### Mail not delivering inbound (banks / financial institutions) + +- This is the residential AT&T IP problem — confirm MX records point to MXRoute, not directly to your IP +- Run `dig MX domain.com +short` — should show MXRoute servers, not your IP +- If MX still points to your ATT IP, update DNS and wait for propagation + +### Outbound mail rejected or going to spam + +- Verify sender-dependent transport is configured for the domain in 
Mailcow +- Check relay credentials are current in the transport entry +- Run an SPF check: `dig TXT domain.com +short` — confirm `include:mxroute.com` is present +- Send test to check-auth@verifier.port25.com for full SPF/DKIM/DMARC report +- Run through https://mail-tester.com for a deliverability score + +### DKIM verification failing + +- Confirm both selectors are published in DNS: + - `dig TXT mailcow._domainkey.mail.domain.com +short` + - `dig TXT x._domainkey.domain.com +short` (substitute actual MXRoute selector) +- Allow up to 48 hours for DNS propagation after adding records +- Verify selector names match exactly what Mailcow and MXRoute are using to sign + +### DMARC failures + +- SPF and DKIM must both pass and align with the From: domain +- Check DMARC reports sent to `admin@netgrimoire.com` — use [Postmark DMARC](https://dmarc.postmarkapp.com/) or [dmarcian.com](https://dmarcian.com) to parse raw XML reports +- Common cause: outbound mail going through MXRoute but `include:mxroute.com` missing from SPF + +### Forwarded mail getting spam-scored + +- Confirm MXRoute IP ranges are in Mailcow `extra.cf` mynetworks +- Check that Mailcow trusted networks were saved and containers restarted +- Verify SRS is working: in Roundcube open a forwarded message → More → View Source → `Return-Path` should begin with `SRS0=` + +### New mailbox not receiving mail + +- Two steps are required — confirm both were done: + 1. Mailbox created in Mailcow as `user@mail.domain.com` + 2. Forwarder created in MXRoute as `user@domain.com` → `user@mail.domain.com` +- If the MXRoute forwarder is missing, inbound mail silently goes nowhere + +--- + +## Related Documentation + +- [MailCow Configuration](./mailcow) +- [MailCow Security Hardening](./mailcow-security-hardening) +- [Mail Setup — nucking-futz.com](./mail-setup-nucking-futz) +- [OPNsense Firewall](./opnsense-firewall) — ATT_Mail static IP allocation
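Review bot: this file commits live credentials in cleartext and should not be merged as is. The Sender-Dependent Transports table, every per-domain "Relay credentials" table and the "passer@pncharris.com password history" list carry the actual relay passwords (for example `| relay@netgrimoire.com | TVGCnJp9SxRbWU8EhkMw |`), and the pncharris.com block also lists what look like unrelated personal credentials (`kylr pncharris`, `G4@rlyf1ng3r`). Once pushed these sit in git history permanently, so editing the file is not enough: rotate every listed password in the MXRoute panel and in the Mailcow transport entries, then replace the values with a pointer to the secret store, as the nucking-futz.com entry already does with `*(set during MXRoute domain creation)*`. Second, the `extra.cf` snippet sets `mynetworks = ... 69.167.160.0/19 198.54.120.0/22`; in Postfix `mynetworks` is the relay-permission list (`permit_mynetworks` in `smtpd_relay_restrictions`), not only an SPF bypass, so every host in those blocks, including other tenants on MXRoute's shared infrastructure if the ranges are theirs, can relay through Mailcow without authenticating. Confirm the ranges with MXRoute, narrow them to the forwarding IPs documented for your server, and extend the comment "prevents SPF scoring on forwarded mail" to say that it also disables recipient restrictions for those sources. Third, every `_dmarc` record other than netgrimoire.com and gnarlypandaproductions.com reports to `rua=mailto:admin@netgrimoire.com`; cross-domain DMARC reporting requires the receiving domain to publish `<sender-domain>._report._dmarc.netgrimoire.com TXT "v=DMARC1"` for each of those domains (RFC 7489 section 7.1), otherwise receivers silently send nothing and the troubleshooting step "Check DMARC reports sent to admin@netgrimoire.com" finds nothing. Add that record to the DNS pattern and the checklist. Finally, two internal inconsistencies: the checklist says to add sender-dependent transports for both `newdomain.com` and `mail.newdomain.com`, but the transports table lists only the base domains (outbound mail from a `@mail.domain.com` sender would otherwise leave directly from the AT&T IP, which the SPF record for `mail` does permit but the whole design is meant to avoid), and the architecture diagram shows `mail.domain.com MX → 192.168.5.16` while the DNS tables point the `mail` A record at `YOUR_ATT_MAIL_IP`; MXRoute cannot reach a private address, so the diagram should show the public IP with NAT to 192.168.5.16. The frontmatter title `INtegrating` also needs its case fixed.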