My simple configuration for roundcube

I have roundcube 1.6.7 installed, with the default skin “elastic”.

I have changed several options in “config.inc.php”, the configuration file for roundcube. They are listed as follows.

# how roundcube talks to the mail server; for IMAP/SMTP we use SSL only
$config['imap_host'] = 'ssl://mail.sample.com:993';
$config['smtp_host'] = 'ssl://mail.sample.com:465';

# managesieve plugin is enabled for filters
$config['plugins'] = ['managesieve'];

# don't let roundcube auto-detect user language, use en_US by default
$config['language'] = 'en_US';

# webmail session timeout (one day)
$config['session_lifetime'] = 1440;

# logo and favicon
$config['skin_logo'] = 'https://sample.com/logo.png';

# don't allow users to edit their identities
$config['identities_level'] = 3;

With these customized options I have an acceptable webmail system, which works fine on both PC and mobile.

The privacy email I recommend

I have a lot of email accounts with different providers. Each account has its own role: some are for office work, some for storage, some for privacy, and so on. If you care about privacy and security, I suggest the following email providers.

  • Riseup – free to use, collects no personal information, has SMTP/IMAP, and comes with a free VPN. Riseup also offers a free SMTP server for your own domain's email. But you need an invitation code to register with them.
  • Disroot – the same as Riseup, but with no free VPN.
  • Autistici – similar to Riseup, but provides friendlier support.
  • Vivaldi – besides its email, it has an active community, such as this blog.
  • TLS Mail – fast access, records no personal information, free SMTP/IMAP.

As far as I know, none of the above accounts expire, and some still work even after I haven’t logged in for several years.

Though I am a long-time Proton user, I don’t like their email service. It lacks SMTP/IMAP, and the webmail is heavy and slow.

Steps to make email system more secure

I took the following steps to make my email system more secure and robust.

  • close ports 587 and 143; use ports 993 and 465 with SSL instead (reference).
  • disable SASL auth on port 25 (reference).
  • use policyd-rate-limit to limit the sending rate (reference).
  • use postscreen for anti-bot and RBL scoring (reference).
  • use policyd-spf to check the sender IP against SPF and reject failures (reference).
  • use OpenDMARC to check the sender domain’s DMARC and reject failures (reference).
  • deploy OpenDKIM for both incoming messages (verify signatures) and outgoing messages (add signatures) (reference).
  • set the reject_unknown_client_hostname and reject_unknown_sender_domain options in smtpd_sender_restrictions (reference).
  • stop SASL users from using any email address as the envelope sender (reference).
  • use rspamd for email content security (reference).

These steps reduce spam and the chance of the mail system being abused.

If you are interested in my mail system, please check this site.

Two issues I got on Azure recently

The other day I launched a VM in Azure with Ubuntu 20.04 installed.

The official sources couldn’t be used at all; any command run through ‘apt’ failed.

So I had to use Ubuntu’s sources list rather than Microsoft’s. The following are my entries in “/etc/apt/sources.list”.

deb http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse

deb http://archive.canonical.com/ubuntu focal partner
deb-src http://archive.canonical.com/ubuntu focal partner

After that I ran ‘apt update && apt upgrade’ to update the system. Now everything works fine.

This VM has a public IPv4 address assigned. I found that I could not set a reverse DNS (PTR) record for this IP in the Azure dashboard. It used to be possible to set the PTR in the dashboard, but now you have to do it in the Azure Cloud Shell with the following command.

az network public-ip update --resource-group tls-mail_group --name tls-mail-ip --reverse-fqdn tls-mail.westus2.cloudapp.azure.com.  --dns-name tls-mail

This is the initial PTR setup, which requires 4 arguments.

  • --resource-group: resource group you created for the application
  • --name: name of the IPv4 resource, not the address itself
  • --reverse-fqdn: the reverse DNS (PTR record)
  • --dns-name: the regular DNS (A record)

After that the IP has a domain name, “tls-mail.westus2.cloudapp.azure.com”, and its reverse DNS hostname is also “tls-mail.westus2.cloudapp.azure.com”. This is good: if you run a mail server on the VM, it is generally required that the A RR and the PTR RR match.

How to update the reverse DNS? Just run the following command.

az network public-ip update --resource-group tls-mail_group --name tls-mail-ip --reverse-fqdn tls-mail.westus2.cloudapp.azure.com.

To check the reverse DNS for an IP, just run:

az network public-ip show --name tls-mail-ip --resource-group tls-mail_group
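The A/PTR match mentioned above is what receiving mail servers check as forward-confirmed reverse DNS. The following is an added example, not part of the original post: it verifies that the PTR name of an IP resolves back to that IP. The resolver functions are injected so the check runs offline against constructed zone data (TEST-NET-3 addresses); the system_* functions use the OS resolver for a real check. The hostname is the one from the post, the IP addresses are made up.

```python
# Added example (not from the original post): forward-confirmed reverse DNS
# check, i.e. PTR(ip) -> name and A(name) must contain ip.
import socket


def normalize(name):
    """Lower-case and strip the trailing dot ('host.example.com.' -> 'host.example.com')."""
    return name.lower().rstrip(".")


def fcrdns_check(ip, ptr_lookup, a_lookup):
    """Return (ok, detail).

    ptr_lookup(ip)  -> list of hostnames from the PTR record(s)
    a_lookup(name)  -> list of IPv4 addresses from the A record(s)
    """
    names = [normalize(n) for n in ptr_lookup(ip)]
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in a_lookup(name):
            return True, name
    return False, f"PTR {names} does not resolve back to {ip}"


def system_ptr_lookup(ip):
    """PTR lookup through the OS resolver (used for a real check, not in the offline demo)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except (socket.herror, socket.gaierror):
        return []


def system_a_lookup(name):
    """A lookup through the OS resolver (used for a real check, not in the offline demo)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed zone data (addresses from TEST-NET-3); the hostname is the one in the post.
FAKE_PTR = {
    "203.0.113.10": ["tls-mail.westus2.cloudapp.azure.com."],  # PTR set, A record matches
    "203.0.113.11": ["tls-mail.westus2.cloudapp.azure.com."],  # PTR set, but A points elsewhere
    "203.0.113.12": [],                                         # no PTR at all
}
FAKE_A = {"tls-mail.westus2.cloudapp.azure.com": ["203.0.113.10"]}


def check_constructed(ip):
    """Run the check against the constructed zone data."""
    return fcrdns_check(ip, lambda i: FAKE_PTR.get(i, []), lambda n: FAKE_A.get(n, []))


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, check_constructed(ip))
    # For a live check of the VM's own address, use the system resolvers:
    # print(fcrdns_check("203.0.113.10", system_ptr_lookup, system_a_lookup))
```

Only the first address passes; the second shows the case where a PTR exists but the forward record points at a different IP, which is what you get if the --dns-name and --reverse-fqdn in the az command above disagree.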

DMARC issue of privacy email providers

Some privacy email providers, including Autistici, Disroot, Dismail, and Vivaldi, have their DMARC policy set to “reject”, as shown below.

_dmarc.autistici.org.	2998	IN	TXT	"v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:[email protected]"

_dmarc.disroot.org.	3143	IN	TXT	"v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:[email protected]; ruf=mailto:[email protected];"

_dmarc.dismail.de.	14400	IN	TXT	"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:[email protected]"

_dmarc.vivaldi.net.	300	IN	TXT	"v=DMARC1; p=reject; rua=mailto:[email protected]"

They all have “p=reject” in their DMARC records.

I was thinking this setting is not good for a mailing-list user. For instance, when you use one of these addresses to subscribe to mailing lists, you will have delivery issues.

This is because a mailing-list service generally rewrites the envelope sender address (SRS) to the list’s address, so the SPF result is for the list’s domain and does not help DMARC authentication of your domain. And most list servers append a footer to the message body, so the DKIM signature added by your server fails for the modified message.

Since neither SPF nor DKIM yields an aligned pass for your sender domain, DMARC validation fails, and the message will be rejected by other MTAs honoring the “p=reject” policy above.

So I was thinking it’s better not to set “p=reject” in DMARC for those providers. They are privacy-oriented providers that mostly use open source software, and many tech people use the services above. By comparison, Riseup has a better setting, as follows.

_dmarc.riseup.net.	600	IN	TXT	"v=DMARC1;p=none;adkim=r;aspf=r;rua=mailto:[email protected]"

As you see above, their policy is “p=none”, which is good for mailing-list delivery.
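To make the mailing-list argument concrete for both the “p=reject” and the “p=none” records above, here is an added example that is not part of the original post. It parses a DMARC TXT record and evaluates identifier alignment the way a receiving MTA does (SPF against the envelope sender domain, DKIM against the signature’s d= domain, each under the record’s aspf/adkim mode), then compares a direct delivery with the same message relayed through a list that rewrites the envelope sender and appends a footer. The records are modelled on the quoted policies with placeholder reporting addresses; the list domain lists.example.org and the SPF/DKIM results are constructed, and the organizational-domain logic is simplified to the last two labels.

```python
# Added example (not from the original post): DMARC record parsing and
# alignment evaluation, showing why a list relay fails under p=reject.
# Domain names, results and records below are constructed for the example.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value.

    Missing adkim/aspf default to relaxed ("r"), as in RFC 7489.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:  # tolerate a trailing ';' as in the disroot record
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.

    Real validators consult the Public Suffix List; this is enough for the
    two-label domains used in this example.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (passed, disposition).

    from_domain : domain of the RFC5322.From header (what DMARC protects)
    spf_domain  : domain SPF was checked against (the envelope MAIL FROM)
    dkim_domain : d= of the verified DKIM signature, or None if none verified
    disposition : "none" when DMARC passes, otherwise the record's p= value
    """
    rec = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, rec["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, rec["p"]


# Constructed records modelled on the policies quoted in the post
# (reporting addresses are placeholders).
STRICT_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.org;"
RELAXED_NONE = "v=DMARC1;p=none;adkim=r;aspf=r;rua=mailto:dmarc-reports@example.net"


def mailing_list_scenario(record_txt, from_domain):
    """Compare a direct delivery with the same message relayed through a list.

    The list rewrites the envelope sender to its own bounce address, so SPF
    passes for lists.example.org rather than the author's domain, and the
    appended footer invalidates the author's DKIM signature.
    """
    direct = evaluate_dmarc(record_txt, from_domain,
                            "pass", from_domain, "pass", from_domain)
    via_list = evaluate_dmarc(record_txt, from_domain,
                              "pass", "lists.example.org", "fail", from_domain)
    return {"direct": direct, "via_list": via_list}


if __name__ == "__main__":
    print("p=reject provider:", mailing_list_scenario(STRICT_REJECT, "disroot.org"))
    print("p=none provider:  ", mailing_list_scenario(RELAXED_NONE, "riseup.net"))
```

The direct delivery passes under both records; the relayed copy fails DMARC under both, but the disposition is "reject" for the strict record and "none" for Riseup’s, which is exactly the delivery difference described above. Lists that re-sign the message with their own DKIM key or rewrite the From header (as many now do for p=reject domains) sidestep this, at the cost of the message no longer appearing to come from the author’s domain.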