Netgrimoire/Keystone-Grimoire/Mail/Domain-Setup.md
2026-04-12 09:53:51 -05:00

---
title: Sample Domain Setup
description: Graymutt@nucking-futz.com
published: true
date: 2026-03-16T00:34:08.387Z
tags:
editor: markdown
dateCreated: 2026-02-25T22:02:27.719Z
---

Mail Setup — nucking-futz.com

Part 0 — OPNsense: Configure ATT_Mail Secondary IP

Before configuring DNS or Mailcow, the secondary AT&T static IP must be configured in OPNsense as a virtual IP on the WAN interface, with NAT rules so that only mail protocol traffic (SMTP on ports 25, 465 and 587; IMAP on ports 143 and 993) uses this address. Webmail, the Mailcow admin UI, and all other traffic continue to use the primary WAN IP (107.133.34.145).

| Address | Purpose |
| --- | --- |
| 107.133.34.145 | Primary WAN — web, admin, everything else |
| 107.133.34.146 | ATT_Mail — SMTP/IMAP inbound and outbound only |

Step 0.1 — Add Virtual IP

  1. Go to Interfaces → Virtual IPs → Settings
  2. Click + Add
  3. Set the following:

| Field | Value |
| --- | --- |
| Mode | IP Alias |
| Interface | WAN (igc1) |
| Network / Address | 107.133.34.146 / 28 |
| Description | ATT_Mail |

  4. Click Save, then Apply changes

The /28 subnet mask matches the AT&T block (107.133.34.144/28). All 5 static IPs in the block share this mask.

Step 0.2 — Outbound NAT for SMTP Traffic

This ensures Mailcow's outbound SMTP connections leave through the ATT_Mail IP rather than the primary WAN IP. OPNsense must be in Hybrid or Manual outbound NAT mode.

  1. Go to Firewall → NAT → Outbound
  2. Confirm mode is set to Hybrid Outbound NAT (or Manual — either works)
  3. Click Add to create a new rule

Rule for outbound SMTP (port 587 relay to MXRoute):

| Field | Value |
| --- | --- |
| Interface | WAN |
| TCP/IP Version | IPv4 |
| Protocol | TCP |
| Source | 192.168.5.16 / 32 (Mailcow host) |
| Source Port | any |
| Destination | any |
| Destination Port | 587 |
| Translation / Target | 107.133.34.146 (ATT_Mail) |
| Description | Mailcow outbound relay via ATT_Mail |

  4. Repeat for port 25 (direct outbound SMTP, if used) and port 465 (SMTPS)
  5. Click Save and Apply changes

Step 0.3 — Inbound NAT (Port Forwards) for Mail Ports

Route inbound connections on mail ports to Mailcow using the ATT_Mail IP as the external address.

  1. Go to Firewall → NAT → Port Forward
  2. Create rules for each mail port:

| External IP | Port(s) | Forward to | Description |
| --- | --- | --- | --- |
| 107.133.34.146 | 25 | 192.168.5.16:25 | SMTP inbound |
| 107.133.34.146 | 465 | 192.168.5.16:465 | SMTPS inbound |
| 107.133.34.146 | 587 | 192.168.5.16:587 | Submission inbound |
| 107.133.34.146 | 993 | 192.168.5.16:993 | IMAPS |
| 107.133.34.146 | 143 | 192.168.5.16:143 | IMAP (if needed) |

Do not add port forwards for 80, 443, or 3443 (Mailcow admin/webmail ports) on this IP. Those remain on the primary WAN IP via Caddy.

  3. Click Save and Apply changes

Step 0.4 — Firewall Rules

Ensure the WAN firewall rules permit inbound traffic on the mail ports to the ATT_Mail IP. If you have a default deny-all WAN rule (recommended), add explicit pass rules:

  1. Go to Firewall → Rules → WAN
  2. Add pass rules for each port in the table above with destination 107.133.34.146

Step 0.5 — Verify

```bash
# From outside your network, confirm the mail IP is live
telnet 107.133.34.146 25
# Should see: 220 hermes.netgrimoire.com ESMTP

# Confirm primary WAN IP does NOT respond on port 25
telnet 107.133.34.145 25
# Should time out or be refused

# Check that Mailcow outbound connections leave from the ATT_Mail IP
# Send a test to check-auth@verifier.port25.com and inspect the Return-Path
# or check the Received: header — the sending IP should be 107.133.34.146
```

⚠ If the verify step shows port 25 still responding on 107.133.34.145, check that no leftover port forward rules exist on the primary WAN IP for mail ports.


Overview

This guide covers complete mail setup for nucking-futz.com using MXRoute as the inbound gateway and Mailcow as the mailbox host. MXRoute receives all inbound mail from the internet (solving residential IP filtering issues with banks and financial institutions) and forwards to Mailcow for storage and retrieval. Mailcow handles outbound mail via the MXRoute SMTP relay.

Architecture:

Inbound:  Internet → MXRoute (commercial IP) → Mailcow (192.168.5.16)
Outbound: Mailcow → MXRoute SMTP relay → Internet

Why two domains in Mailcow: MXRoute forwarders require a valid destination email address. You cannot forward graymutt@nucking-futz.com back to graymutt@nucking-futz.com — that loops. The solution is to have Mailcow own a subdomain (mail.nucking-futz.com) with its own MX record pointing directly to your server. MXRoute forwards to graymutt@mail.nucking-futz.com, Mailcow delivers locally, and an alias domain maps nucking-futz.com back so users only ever see and use graymutt@nucking-futz.com.


Prerequisites

  • MXRoute account active with DirectAdmin access
  • Mailcow running at 192.168.5.16
  • DNS management access for nucking-futz.com
  • Your MXRoute server hostname from your MXRoute welcome email (e.g. arrow.mxrouting.net)

Step 1 — DNS Records

Create all DNS records before configuring either service. Keep TTL at 300 during setup — raise to 3600 once confirmed working.

Required DNS Records

| Type | Host | Value | Notes |
| --- | --- | --- | --- |
| A | mail | YOUR_ATT_MAIL_IP | Points to Mailcow — MXRoute forwards to this server |
| MX | @ | heracles.mxrouting.net (priority 10) | Check MXRoute welcome email for exact hostname |
| MX | @ | heracles-relay.mxrouting.net (priority 20) | Secondary MXRoute server from welcome email |
| MX | mail | mail.nucking-futz.com (priority 10) | Mailcow handles this subdomain directly |
| CNAME | imap | mail.nucking-futz.com | Client autoconfiguration |
| CNAME | smtp | mail.nucking-futz.com | Client autoconfiguration |
| CNAME | webmail | mail.nucking-futz.com | Roundcube access |
| CNAME | autodiscover | mail.nucking-futz.com | Outlook autodiscover |
| CNAME | autoconfig | mail.nucking-futz.com | Thunderbird autoconfig |
| TXT | @ | v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all | SPF — authorizes both Mailcow direct and MXRoute relay |
| TXT | mail | v=spf1 ip4:YOUR_ATT_MAIL_IP -all | SPF for subdomain — Mailcow sends directly from here |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com | DMARC enforcement |

DKIM TXT records (two selectors) are added in Steps 2 and 3 after generating keys in Mailcow and MXRoute.


Step 2 — Mailcow Configuration

2.1 Add the Subdomain as Primary Domain

Mailcow owns mail.nucking-futz.com as its active mail domain. Mailboxes live internally on this subdomain.

  1. Log into Mailcow admin UI → Mail Setup → Domains
  2. Click Add domain
  3. Set Domain: mail.nucking-futz.com
  4. Leave all other settings as default
  5. Click Add domain

2.2 Add the Alias Domain

This makes Mailcow accept mail addressed to @nucking-futz.com and deliver it to the matching @mail.nucking-futz.com mailbox. Users send and receive as @nucking-futz.com — the subdomain is invisible to them.

  1. Go to Mail Setup → Alias Domains
  2. Click Add alias domain
  3. Set Alias Domain: nucking-futz.com
  4. Set Target Domain: mail.nucking-futz.com
  5. Click Add

2.3 Create Mailbox

  1. Go to Mail Setup → Mailboxes
  2. Click Add mailbox
  3. Set Username: graymutt
  4. Set Domain: mail.nucking-futz.com
  5. Set a strong password
  6. Set quota as needed
  7. Click Add

The mailbox is internally graymutt@mail.nucking-futz.com. The alias domain from Step 2.2 means Mailcow also accepts and delivers mail for graymutt@nucking-futz.com to this same mailbox.

2.4 Generate DKIM Key

  1. Go to Configuration → Configuration & Diagnostics → Configuration
  2. Click ARC/DKIM Keys tab
  3. Select domain mail.nucking-futz.com
  4. Set Selector: mailcow
  5. Set Key length: 2048
  6. Click Generate
  7. Copy the full TXT record value — needed for DNS

2.5 Add Mailcow DKIM DNS Record

| Type | Host | Value |
| --- | --- | --- |
| TXT | mailcow._domainkey.mail | (full key string from Mailcow — begins with v=DKIM1;) |

2.6 Add MXRoute to Trusted Networks

Prevents Mailcow from applying spam scoring to forwarded mail arriving from MXRoute's IPs.

  1. Go to Configuration → Configuration & Diagnostics → Configuration
  2. Click Extra Postfix configuration tab
  3. Add to extra.cf:

```text
# Trust MXRoute forwarding IPs
mynetworks = 127.0.0.1/8 [::1]/128 192.168.5.0/24 69.167.160.0/19 198.54.120.0/22
```

Verify current MXRoute IP ranges in your MXRoute account documentation — these may change.

  4. Click Save
  5. Click Restart affected containers

2.7 Configure Outbound Relay

Routes outbound mail through MXRoute for best deliverability.

  1. Go to Configuration → Routing → Sender-Dependent Transports
  2. Click Add transport
  3. Set Domain: nucking-futz.com
  4. Set Relay host: [smtp.mxroute.com]:587 (confirm SMTP hostname from MXRoute welcome email)
  5. Set Username: your MXRoute relay username
  6. Set Password: your MXRoute relay password
  7. Click Add
  8. Repeat for domain mail.nucking-futz.com using the same relay credentials

Step 3 — MXRoute Configuration

3.1 Add Domain in DirectAdmin

  1. Log into MXRoute DirectAdmin
  2. Go to Account Manager → Domain Setup
  3. Add domain: nucking-futz.com
  4. Complete the domain wizard

3.2 Create Forwarder

MXRoute does not support domain-level remote MX routing — forwarders must be created per address. The destination must be on a domain whose MX resolves to Mailcow, not back to MXRoute.

  1. Go to Forwarders in the MXRoute control panel
  2. Click Create New Forwarder
  3. Set Forwarder Name: graymutt (the @nucking-futz.com part is shown automatically)
  4. Set Destination Type: Forward to Email(s)
  5. Set Recipients: graymutt@mail.nucking-futz.com
  6. Click Create Forwarder

Every new mailbox requires a matching forwarder entry. The pattern is always user@nucking-futz.com → user@mail.nucking-futz.com. See the Adding a New Mailbox section below.

3.3 Get MXRoute DKIM Key

  1. Go to Email Manager → DKIM Keys for nucking-futz.com
  2. Generate or view the DKIM key — note the selector name assigned (often x)
  3. Copy the full TXT record value

3.4 Add MXRoute DKIM DNS Record

| Type | Host | Value |
| --- | --- | --- |
| TXT | x._domainkey (replace x with MXRoute's actual selector) | (full key string from MXRoute DirectAdmin) |

Step 4 — Verify DNS

Once DNS has propagated, verify all records:

```bash
# MX for main domain — should show MXRoute servers
dig MX nucking-futz.com +short

# MX for subdomain — should show mail.nucking-futz.com
dig MX mail.nucking-futz.com +short

# A record — should show your ATT IP
dig A mail.nucking-futz.com +short

# SPF
dig TXT nucking-futz.com +short
dig TXT mail.nucking-futz.com +short

# DMARC
dig TXT _dmarc.nucking-futz.com +short

# DKIM — Mailcow
dig TXT mailcow._domainkey.mail.nucking-futz.com +short

# DKIM — MXRoute (replace x with your selector)
dig TXT x._domainkey.nucking-futz.com +short
```

Run a full check at https://mxtoolbox.com → Email Health for nucking-futz.com.


Step 5 — Test Mail Flow

Inbound Test

Send a test email to graymutt@nucking-futz.com from an external Gmail or Outlook account. Verify:

  • Mail arrives in the Mailcow mailbox
  • Headers show the MXRoute → Mailcow forwarding path (two Received: hops)
  • No spam flagging

In Roundcube open the test message → More → View Source and check the Received: chain.
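As an added example (not part of the original page), the Received: chain check above done in Python: it walks the hops oldest-first and confirms the last hop into Mailcow came from an address inside the MXRoute ranges listed in the extra.cf mynetworks line of Step 2.6, using the Mailcow banner hostname from Step 0.5. The sample headers are constructed; the hostnames are from this page, the IPs and queue ids are invented.

```python
import email
import ipaddress
import re

# Trusted forwarding ranges from the mynetworks line in extra.cf (Step 2.6).
MXROUTE_NETS = [ipaddress.ip_network(n) for n in ("69.167.160.0/19", "198.54.120.0/22")]
MAILCOW_HOST = "hermes.netgrimoire.com"   # banner hostname seen in Step 0.5
HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)", re.S)

# Constructed headers (hostnames from this page; IPs and queue ids invented):
# a message that took the expected MXRoute -> Mailcow path ...
FORWARDED = """\
Received: from heracles.mxrouting.net (heracles.mxrouting.net [198.54.121.10])
    by hermes.netgrimoire.com (Postfix) with ESMTPS id 4ZX0EXAMPLE
    for <graymutt@mail.nucking-futz.com>; Mon, 16 Mar 2026 00:30:02 -0500
Received: from mail.example.org (mail.example.org [203.0.113.7])
    by heracles.mxrouting.net with esmtps
    for graymutt@nucking-futz.com; Mon, 16 Mar 2026 00:30:00 -0500
"""
# ... and one that connected straight to the ATT_Mail IP, bypassing the MX.
DIRECT = """\
Received: from mail.example.org (mail.example.org [203.0.113.7])
    by hermes.netgrimoire.com (Postfix) with ESMTP id 4ZX1EXAMPLE
    for <graymutt@nucking-futz.com>; Mon, 16 Mar 2026 00:31:00 -0500
"""

def parse_hops(raw_message):
    """Return Received: hops oldest-first as (from_host, from_ip, by_host)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):   # headers are newest-first
        m = HOP_RE.search(hdr)
        if m:
            hops.append(m.groups())
    return hops

def check_forwarding_path(raw_message):
    """Confirm the path Step 5 expects: two hops, the last into Mailcow from
    an MXRoute address that mynetworks trusts. Returns (ok, explanation)."""
    hops = parse_hops(raw_message)
    if len(hops) != 2:
        return False, f"expected 2 Received hops, found {len(hops)} (MX bypassed?)"
    from_host, from_ip, by_host = hops[-1]
    if by_host != MAILCOW_HOST:
        return False, f"last hop received by {by_host}, not {MAILCOW_HOST}"
    if not any(ipaddress.ip_address(from_ip) in n for n in MXROUTE_NETS):
        return False, f"last hop came from {from_ip}, outside the MXRoute ranges"
    if hops[0][2] != from_host:
        return False, "first hop was not received by the MXRoute host that forwarded"
    return True, f"ok: {hops[0][0]} -> {from_host} -> {by_host}"
```

A single hop straight into hermes.netgrimoire.com means the sender reached the ATT_Mail IP directly rather than through the MX, which is also what a leftover port forward on the primary WAN IP would look like.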

Outbound Test

Send from graymutt@nucking-futz.com to an external Gmail address. Run through https://mail-tester.com for a full delivery score.

DKIM/SPF/DMARC Test

Send a test to check-auth@verifier.port25.com — you will receive an automated reply confirming pass/fail for SPF, DKIM, and DMARC.

Bank/Financial Test

Send from a bank address to graymutt@nucking-futz.com and confirm delivery. This is the primary goal — banks see MXRoute's commercial IPs in the MX record, not your residential AT&T IP.


Email Client Settings

| Setting | Value |
| --- | --- |
| Email address | graymutt@nucking-futz.com |
| IMAP server | mail.nucking-futz.com |
| IMAP port | 993 (SSL/TLS) |
| SMTP server | mail.nucking-futz.com |
| SMTP port | 465 (SSL/TLS) |
| Username | graymutt@nucking-futz.com |
| Password | (mailbox password set in Step 2.3) |

Users log in and send as graymutt@nucking-futz.com. Mailcow resolves this to the internal mail.nucking-futz.com mailbox transparently via the alias domain.


Adding a New Mailbox

Every new address on nucking-futz.com requires entries in both Mailcow and MXRoute.

In Mailcow:

  1. Mail Setup → Mailboxes → Add mailbox
  2. Username: newuser, Domain: mail.nucking-futz.com

In MXRoute control panel:

  1. Forwarders → Create New Forwarder
  2. Forwarder Name: newuser, Destination Type: Forward to Email(s), Recipients: newuser@mail.nucking-futz.com

Credentials Reference

| Service | Account | Password |
| --- | --- | --- |
| Mailcow mailbox | graymutt@mail.nucking-futz.com | (set during mailbox creation) |
| MXRoute relay | (from MXRoute welcome email) | (from MXRoute welcome email) |
| MXRoute DirectAdmin | (from MXRoute welcome email) | (from MXRoute welcome email) |

Known Gotchas

Forwarder destination must not loop. Never set the MXRoute forwarder destination to an address on the same domain that has MXRoute as its MX. graymutt@nucking-futz.com → graymutt@nucking-futz.com will loop. Always forward to @mail.nucking-futz.com, which has its own MX resolving directly to Mailcow.

Two DKIM selectors required. mailcow._domainkey.mail.nucking-futz.com covers mail Mailcow sends directly from the subdomain. x._domainkey.nucking-futz.com (MXRoute selector) covers outbound mail relayed through MXRoute. Both must exist for DMARC to pass on all paths.

New mailboxes need matching MXRoute forwarders. MXRoute has no catch-all forwarding to remote servers. Every address that needs to receive mail must have an explicit forwarder in DirectAdmin. Add the MXRoute forwarder step to your mailbox creation checklist.

Alias domain vs. alias mailbox. The alias domain in Step 2.2 maps the entire nucking-futz.com domain to mail.nucking-futz.com. Do not also create individual alias mailboxes for the same addresses — this creates duplicate delivery and may cause unexpected behavior.

SPF differs between the two domains. The main domain SPF includes include:mxroute.com because MXRoute relay sends outbound from there. The subdomain SPF (mail.nucking-futz.com) only needs your ATT IP — Mailcow sends directly from that domain without going through MXRoute. Two different records for two different send paths.
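As an added example (not part of the original page), a small SPF evaluator run against the two records from the Step 1 table and the two send paths described in this gotcha. The TXT fixture is constructed for offline use: the two nucking-futz.com records are the page's own, with the ATT_Mail IP filled in, while the mxroute.com record is an assumed, simplified stand-in so that include: can be followed; the real one differs.

```python
import ipaddress

# Constructed TXT fixture, not live DNS: the two SPF records this page publishes
# plus an assumed, simplified SPF for mxroute.com so include: can be followed
# offline. The real mxroute.com record differs; dig TXT mxroute.com to see it.
SPF_TXT = {
    "nucking-futz.com": "v=spf1 ip4:107.133.34.146 include:mxroute.com -all",
    "mail.nucking-futz.com": "v=spf1 ip4:107.133.34.146 -all",
    "mxroute.com": "v=spf1 ip4:69.167.160.0/19 ip4:198.54.120.0/22 -all",  # assumed
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, lookups=None):
    """Evaluate SPF for `domain` against the connecting IP, left to right (RFC 7208),
    ip4/ip6/include/all only, counting include: against the 10-lookup limit."""
    lookups = [0] if lookups is None else lookups
    record = SPF_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none", f"{domain}: no SPF record"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # A bare address such as ip4:107.133.34.146 is a /32 network.
            if addr in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier], f"{domain}: matched {name}:{arg}"
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror", f"{domain}: more than 10 DNS lookups"
            if check_spf(arg, sender_ip, lookups)[0] == "pass":
                return RESULT[qualifier], f"{domain}: include:{arg} matched"
        elif name == "all":
            return RESULT[qualifier], f"{domain}: reached {qualifier}all"
    return "neutral", f"{domain}: no mechanism matched"

def send_paths():
    """Results for the page's send paths: Mailcow direct from the ATT_Mail IP and
    relay through an (assumed) MXRoute IP, plus a forged sender for contrast."""
    return {
        "apex_direct": check_spf("nucking-futz.com", "107.133.34.146")[0],
        "apex_via_relay": check_spf("nucking-futz.com", "198.54.121.10")[0],
        "subdomain_direct": check_spf("mail.nucking-futz.com", "107.133.34.146")[0],
        "subdomain_via_relay": check_spf("mail.nucking-futz.com", "198.54.121.10")[0],
        "forged": check_spf("nucking-futz.com", "203.0.113.5")[0],
    }
```

The subdomain_via_relay result is the caveat worth checking: Step 2.7 also adds a transport for mail.nucking-futz.com through the MXRoute relay, and mail sent that way would fail the subdomain's SPF record as published here, so either send that domain directly or give its record the same include:mxroute.com.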