This system was designed to be as simple as possible:
It was designed in a way that enables it to receive mail but it does not to need to send any mail:
  • There is no need of reverse DNS for the IP address.
  • We don't need to use DKIM.
  • It's easier to get the setup right and secure. We don't even need any authentication to receive the mail.
  • We don't need to make sure that the system cannot be abused to send arbitrary mail to arbitrary address by anyone as it's not supposed to send any mail in the first place.
If we want to send mail we would need to implement all that:
  • We would need to see with the FSF if they could handle us the control of the reverse DNS for the IP address we use.
  • For DKIM, we would need to look if Trisquel 8 has DKIM implementations (like dkimproxy) that are easy to integrate with OpenSMTPD.
  • We would need to make sure that the server configuration cannot be abused to send mails to arbitrary address by anyone else it would ended up being blacklisted by companies and project trying to fight SPAM.

We could also whitelist the servers used by the people receiving this mail through this system, through SPF, if we want people to send mail to the same address they received it from (which is probably not very important).

The DNS zones are configured to set the MX to the Replicant vm at the FSF.
For more details on how the DNS is hosted, see DNS.

For now this uses OpenSMTPD just because the person implementing that system initially (GNUtoo) already used OpenSMTPD at home, so it was faster as the configurations could be partially reused and the setup compared.

For consulting the mail we will use dovecot as the person willing to implement it (GNUtoo) already uses that at home too.

This will still need some authentication but as it's a separate part it also limit the risk of missconfiguration as for the ability to abuse the system to send mails.

Adding new people


First start by making sure that you have all the required information:
  • Make sure that the person knows that she will be publicly listed as a person that receives that contact email address
  • Ask the person for which lowercase username they wish to use
  • Ask the person to run the following command: doveadm pw -u <username> -s SHA512-CRYPT
To enable the person to receive mail you will need to:
  • Add the person to the list of people receiving the address at the Infrastructure wiki page in the main Replicant wiki.
  • Create an account inside the vm for the new person. This can be done with the following command:
    useradd -m <lowercase_username>
  • Add the lower_case_username to /etc/smtpd/aliases
  • run smtpctl update table aliases

Then to enable the person to retrieve the mail that are being received, you need to edit the /etc/dovecot/conf.d/secrets/server.passwd file and add a line that uses this format:


Then it's up to the person to configure her mail client with the following information
Username: The lower case username
Password: The secret password that was used to generate the password hash.
Port: 143
Protocol: TLSv1.3, imaps


Let's take a potentially fictional person named Yoko Tsuno that started contributing a lot to Replicant and that for some reasons needs to receive mails from the Replicant contact address (for instance for applying to some NLnet grants).

First we make sure that the person agrees to be listed on the Infrastructure wiki page as explained before.

Then the person comes up with a lowercase useranme (yokotsuno) and give us the following information
  • Username: yokotsuno
  • password hash:

We start by enabling Yoko Tsuno to receive mail:

# useradd -m yokotsuno
# vim /etc/smtpd/aliases

If we had something like that in /etc/smtpd/aliases

contact: gnutoo, putti

Then we make it become something like that:

contact: gnutoo, putti, yototsuno

Then we update the table alias

# smtpctl update table aliases

Then we enable Yoko Tsuno to actually retrieve the mail:

# gpasswd -a yokotsuno mail
# id yokotsuno
uid=1010(yokotsuno) gid=1010(yokotsuno) groups=8(mail),1010(yokotsuno)
# vim /etc/dovecot/conf.d/secrets/server.passwd

And add the following line:


Then Yoko Tsuno needs to setup a mail client to retrieve the mail with the following details:

Username: yokotsuno
Password: The secret password that was used to generate the password hash.
Port: 143
Protocol: TLSv1.3, imaps

Mail clients configurations


Example for the fdm mail fetch program:


account "" imaps server "" port 143
set lock-file "%h/.local/" 
action "user-maildir" maildir "%h/.local/Maildir" 
match all action "user-maildir" 
set proxy "socks5://" # Use Tor
set verify-certificates


machine login yokotsuno password theultrasecretpassphrase

Thunderbird and derivatives

Thunderbird currently doens't support this setup.

See the bug #2032 for more details.


  • The Maildir directory is created automatically when receiving the first mail
  • There is no need to setup a password for the account
  • I didn't look how much we can lock down the accounts and still make openstmtpd work.

Switching to more recent OpenSMTPD

The configuration format changed in newer OpenSMTPD.

We will probably have to migrate the configuration when switching to to Trisquel 9.

TODO: Document the format change.

Updated by Denis 'GNUtoo' Carikli almost 4 years ago · 23 revisions

Also available in: PDF HTML TXT