Recent Fun with SMTP and DKIM

Oh man, what a mess it was. Over the Christmas break, I finally found time to migrate my server to a new host. Since I needed to set up a new machine, I took the opportunity to upgrade to the latest OpenBSD release and to improve some of the server configuration. Everything worked fine – or almost – until earlier this week, when I realized outbound emails were no longer being sent. It took me a while to figure out what was going wrong. In the maillog, I noticed suspicious smtp-out messages referencing hosts in the domain inbound.protection.outlook.com. It turned out my provider had (somehow) enabled a firewall policy dropping all outbound traffic to SMTP-related ports. Fortunately, I could disable this easily in the admin console of my virtual machine.

While debugging, I discovered two more misconfigurations of my mail server that – luckily – hadn’t turned into a disaster yet. (Perhaps only because I haven’t yet decided on a DMARC policy and am still using none.)

  1. The DKIM key files for signing outbound mail for my domains weren’t accessible to user _rspamd.
  2. One of the DNS TXT records containing a public key had a typo.

My bad – just simple human error (or laziness)!

The good news: everything is fixed and working properly now – as it should have been from the start. I really should check the DMARC reports from other domains more regularly – something I used to do before the move. I also found a DKIM verification add-on for Mozilla Thunderbird quite helpful in that regard.

So, my advice if you’re running a private (mail) server: regularly validate your server configuration! ;)
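A small offline check for exactly these two mistakes, written for this post as an added example (not the author's code): it compares a DKIM TXT record against the local PEM public key, catching a single-character typo, and tests whether a given uid:gid (such as _rspamd) could read the private key file. The TXT record, the key and the temporary file are constructed samples; in practice you would feed it the record as returned by DNS and the public key derived from your signing key.

```python
import os
import re
import stat
import tempfile

# Constructed sample: a DKIM TXT record as DNS hands it back, split into two quoted
# strings, plus the matching PEM public key. The base64 body is an invented placeholder.
SAMPLE_TXT = '"v=DKIM1; k=rsa; " "p=MIIBIjANBgkqPLACEHOLDERkeyBODYabc123/+=="'
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqPLACEHOLDERkeyBODY\n"
              "abc123/+==\n-----END PUBLIC KEY-----\n")

def parse_dkim_txt(record):
    """Join the quoted chunks of a TXT record and split it into DKIM tag=value pairs."""
    chunks = re.findall(r'"([^"]*)"', record)
    tags = {}
    for part in ("".join(chunks) if chunks else record).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # whitespace inside p= is legal
    return tags

def pem_body(pem):
    """Base64 payload of a PEM public key: exactly what the p= tag must contain."""
    return "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))

def record_matches_key(record, pem):
    """False on any typo: the published key must equal the local key character for character."""
    tags = parse_dkim_txt(record)
    return tags.get("v") == "DKIM1" and tags.get("p") == pem_body(pem)

def readable_by(path, uid, gid):
    """Can a process running as uid:gid (e.g. _rspamd) read this private key file?"""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def demo_permission_check():
    """Simulate a 0600 key file: its owner can read it, an unrelated uid:gid cannot."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o600)
    try:
        return (readable_by(path, os.getuid(), os.getgid()),
                readable_by(path, os.getuid() + 1, os.getgid() + 1))
    finally:
        os.unlink(path)
```

Run `readable_by()` against your real key path with the uid and gid of the signing daemon, and `record_matches_key()` against the TXT record for each selector you publish.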

PS: Interested in running your own mail server? Let me recommend two excellent articles on poolp.org: one explains why Decentralized SMTP is for the greater good, and the other guides you through Setting up a mail server with OpenSMTPD, Dovecot and Rspamd.