How to setup SMTP-DANE and MTA-STS

The answer was provided by Alexander on the postfix mailing list.

SMTP-DANE

Outgoing:
# validate DANE
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane   # or dane-only (https://www.postfix.org/TLS_README.html)

Incoming:
 – setup DNSSEC for your domain (out of scope here on the postfix list)
 – publish TLSA records
e.g. https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-postfix (not everything there is endorsed by several people on this list, especially not the TLS settings in part IV (interoperability vs. “do you really know what you are doing”); what you have to do depends on what you need to protect against (or which checkboxes you have to tick in a report). I provide this link as it gives a good overview of what is involved, not of the particular settings (e.g. you may want to skip large parts of part IV); you may want to use letsencrypt or similar instead of a self-signed cert, you may want to use the PKI cert in the TLSA record (or not), …).
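As an added example (not part of the mailing-list answer), the following Python builds the "3 1 1" TLSA records that the DANE settings above verify against, shows the two-record form needed during a key rollover, and performs the DANE-EE match a validating sender does. The SPKI blobs and the host mail.sample.com are constructed placeholders, not real keys.

```python
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; a real
# deployment extracts them from the server certificate (e.g. with openssl).
OLD_SPKI = b"constructed-spki-of-current-key"
NEW_SPKI = b"constructed-spki-of-next-key"

def tlsa_rdata(spki_der: bytes, usage: int = 3, mtype: int = 1) -> str:
    """Presentation-format RDATA with selector 1 (SPKI): usage 3 = DANE-EE,
    matching type 1 = SHA-256, 2 = SHA-512, 0 = full DER in hex."""
    digest = {0: spki_der,
              1: hashlib.sha256(spki_der).digest(),
              2: hashlib.sha512(spki_der).digest()}[mtype]
    return f"{usage} 1 {mtype} {digest.hex()}"

def tlsa_owner(mx_host: str, port: int = 25) -> str:
    """Owner name of the TLSA record for an MX host, e.g. _25._tcp.mail.sample.com."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."

def rollover_records(mx_host: str, current_spki: bytes, next_spki: bytes) -> list:
    """Zone lines to publish before a key change: both keys must be in DNS
    (and past the old TTL) before the new key goes live, or DANE senders defer."""
    owner = tlsa_owner(mx_host)
    return [f"{owner} IN TLSA {tlsa_rdata(k)}" for k in (current_spki, next_spki)]

def spki_matches(spki_der: bytes, rdata_list) -> bool:
    """The DANE-EE check a validating sender performs against the presented
    leaf key. Usage 2 (DANE-TA) needs the whole chain and is skipped here."""
    for rr in rdata_list:
        usage, selector, mtype, data = rr.split(None, 3)
        if usage != "3" or selector != "1" or mtype not in ("0", "1", "2"):
            continue
        expected = tlsa_rdata(spki_der, 3, int(mtype)).split(None, 3)[3]
        if data.replace(" ", "").lower() == expected:
            return True
    return False

if __name__ == "__main__":
    for line in rollover_records("mail.sample.com", OLD_SPKI, NEW_SPKI):
        print(line)
```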

MTA-STS

Incoming (out of scope for the postfix list):
 – setup of webserver which serves the MTA-STS file
 – DNS records
e.g. https://www.digitalocean.com/community/tutorials/how-to-configure-mta-sts-and-tls-reporting-for-your-domain-using-apache-on-ubuntu-18-04 (info: there exist online services and local tools to investigate TLSA reports)

Outgoing:
Postfix doesn’t come with support for this out of the box. There is https://github.com/Snawoot/postfix-mta-sts-resolver, but it has drawbacks (pointed out in its documentation).
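As an added example (not from the mailing-list answer and not the code of postfix-mta-sts-resolver), this Python shows the checks a sending MTA has to perform for MTA-STS (RFC 8461) once it has the policy: parsing the _mta-sts TXT record and the policy file, matching the MX host against the policy’s mx patterns, and deciding between delivering and deferring. The TXT record, policy text and sample.com hosts are constructed placeholders.

```python
# Constructed inputs standing in for the DNS TXT lookup and the HTTPS fetch of
# https://mta-sts.sample.com/.well-known/mta-sts.txt (sample.com is a placeholder).
STS_TXT = "v=STSv1; id=20240601T120000"
STS_POLICY = """version: STSv1
mode: enforce
mx: mail.sample.com
mx: *.backup.sample.com
max_age: 604800
"""

def parse_sts_txt(txt: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record; a changed 'id' tells a sender
    to refetch the policy before its cached max_age expires."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not an MTA-STS TXT record")
    return fields

def parse_sts_policy(text: str) -> dict:
    """Parse the policy file: 'key: value' lines, where 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line
        key, value = key.strip(), value.strip()
        policy["mx"].append(value.lower()) if key == "mx" else policy.update({key: value})
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    policy["max_age"] = int(policy.get("max_age", 0))
    return policy

def mx_allowed(mx_host: str, patterns) -> bool:
    """RFC 8461 matching: '*.sample.com' matches exactly one leftmost label."""
    host = mx_host.rstrip(".").lower()
    for pat in (p.lower() for p in patterns):
        if pat.startswith("*."):
            prefix = host[: -len(pat[1:])] if host.endswith(pat[1:]) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pat:
            return True
    return False

def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_ok: bool) -> str:
    """Non-compliant MX: defer under 'enforce', deliver (and report) under 'testing'."""
    if policy["mode"] == "none" or (mx_allowed(mx_host, policy["mx"]) and tls_ok and cert_ok):
        return "deliver"
    return "defer" if policy["mode"] == "enforce" else "deliver-and-report"
```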

My simple configuration for roundcube

I have roundcube 1.6.7 installed, with the default skin “elastic”.

I have changed several options in “config.inc.php”, the configuration file for roundcube. They are listed as follows.

# how roundcube talks to mailserver, here for smtp/imap we use SSL only
$config['imap_host'] = 'ssl://mail.sample.com:993';
$config['smtp_host'] = 'ssl://mail.sample.com:465';

# managesieve plugin is enabled for filters
$config['plugins'] = ['managesieve'];

# don't let roundcube auto-detect user language, use en_US by default
$config['language'] = 'en_US';

# webmail session timeout (one day)
$config['session_lifetime'] = 1440;

# logo and favicon
$config['skin_logo'] = 'https://sample.com/logo.png';

# don't allow users to edit their identities
$config['identities_level'] = 3;

With these customized options I have got an acceptable webmail system, which works fine on either PC or mobile.

The privacy email I recommend

I have a lot of email accounts with different providers. Each has its own characteristics: some focus on office work, some on storage, some on privacy, and so on. If you care about privacy and security, I suggest the following email accounts.

  • Riseup – free to use, collects no personal info, has smtp/imap, and comes with a free VPN. Riseup also offers a free smtp server for your domain email. But you need an invitation code to register with them.
  • Disroot – the same as Riseup, but no free VPN.
  • Autistici – similar to Riseup, but provides more friendly support.
  • Vivaldi – besides its email, it has an active community, such as this blog.
  • TLS Mail – fast access, records no personal info, free smtp/imap.

As far as I know, none of the above email accounts has an expiration date, and some can still be used even though I haven’t logged in for several years.

Though I am an old user of Proton, I don’t like their email service. They lack smtp/imap, and the webmail is heavy and slow.

Steps to make email system more secure

I took the following steps to make my email system more secure and robust.

  • close ports 587 and 143; use ports 993 and 465 with SSL instead (reference).
  • disable SASL auth on port 25 (reference).
  • use policyd-rate-limit to limit the sending rate (reference).
  • use postscreen for anti-bot and RBL scoring (reference).
  • use policyd-spf to check the sender IP against SPF and reject those that fail (reference).
  • use OpenDMARC to check the sender domain’s DMARC policy and reject those that fail (reference).
  • OpenDKIM is also deployed, both for incoming messages (verify signatures) and for outgoing messages (add signatures) (reference).
  • use the reject_unknown_client_hostname and reject_unknown_sender_domain options in smtpd_sender_restrictions (reference).
  • stop SASL users from using any email address as the envelope sender address (reference).
  • rspamd for email content security (reference).

These steps reduce spam and reduce the chance of abuse of the mail system.

If you are interested in my mail system, please check this site.

Two issues I got on Azure recently

The other day I launched a VM in Azure with Ubuntu 20.04 installed.

The official sources can’t be used at all; any command executed by ‘apt’ will fail.

So I had to use Ubuntu’s sources list rather than MS’s. The following are my entries in “/etc/apt/sources.list”.

deb http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse

deb http://archive.canonical.com/ubuntu focal partner
deb-src http://archive.canonical.com/ubuntu focal partner

After that I ran ‘apt update && apt upgrade’ to update the system. Now everything works fine.

This VM has an IPv4 address assigned. I found that a reverse DNS (PTR) record cannot be set for this IP in the Azure dashboard. It used to be possible to set the PTR in the dashboard, but now you have to do it in the Azure Cloud Shell with the following command.

az network public-ip update --resource-group tls-mail_group --name tls-mail-ip --reverse-fqdn tls-mail.westus2.cloudapp.azure.com.  --dns-name tls-mail

This is the first setup for the PTR, which requires 4 arguments.

  • --resource-group: the resource group you created for the application
  • --name: the name of the IPv4 resource, not the address itself
  • --reverse-fqdn: the reverse DNS (PTR record)
  • --dns-name: the regular DNS (A record)

After that you get a domain name for this IP, which is “tls-mail.westus2.cloudapp.azure.com”, and the reverse DNS hostname for the IP is also “tls-mail.westus2.cloudapp.azure.com”. This is good. If you run a mail server on the VM, it is generally required that the A RR and the PTR RR match.

How do you update the reverse DNS? Just run the following command.

az network public-ip update --resource-group tls-mail_group --name tls-mail-ip --reverse-fqdn tls-mail.westus2.cloudapp.azure.com.

To check the reverse DNS for an IP, just run:

az network public-ip show --name tls-mail-ip --resource-group tls-mail_group