Leaving Google: Difference between revisions

From Wildsong

Revision as of 01:02, 6 February 2023

2023-02-05

Postfix and Dovecot run on the VPS

Roundcube runs at home on Bellman. I need a better web mail client.

Thunderbird is installed on Murre. I will probably put it on Plover too.

I need a contact database.

2023-01-31 Unsubscribed. Wildsong.biz mail now gets forwarded through w6gkd.radio.

Google has evolved from being an email service for Wildsong.biz to being a "suite" of tools that I don't need or want. A few months ago they announced it would be a for-pay only service. All that's fair, but I am not motivated to pay for the service. I am sure accounts like mine are just a money sink for them anyway even when I pay.

I set up map46.com and w6gkd.radio domains for starters to test everything. At this point I am almost ready to flip wildsong.biz mail over. I still need to pull all my files and photos out. For now I am migrating to plain gmail accounts.

The steps, overall:

  1. Set up new gmail accounts for each of my users. (done)
  2. (On Google) forward from the existing wildsong accounts to the new gmail accounts. (2/3 done. Doing mine today, 1/1/23.)
  3. Set up an email forwarder for wildsong.biz on my Tektonic VPS. (done)
  4. Move devices (phones and tablets) to the new addresses. (2/3 done; in the meantime I abandoned my smartphone for a Sunbeam F1, so done.)
  5. Google Voice: I have tried to initiate a transfer of the number over to Twilio. I have not heard back from Twilio yet. There is a $3 port-out fee.

I have a VPS at Tektonic.net as the mail server. It's on the Internet all the time even when I trip and kick the wires out of the wall here at home.

As my SMTP server I will be using Postfix, along with its friends Postgrey, SpamAssassin and ClamAV.

Google accounts

Move mail from one gmail account to another

Google uses POP3 to transfer mail between accounts.

In the old account you have to allow "less secure" apps. You also have to disable two factor auth. Stupid, huh?

Then you have to set up POP3 under Accounts to tell the new account to do the import. It really did take 1-2 days to happen. Use your [email protected] to log in to the old server: use the same login, [email protected], with the POP server pop.gmail.com, port 995, TLS security ON.

The process is not documented by Google itself; it is described by a user in a community posting.

Forward mail from old account to new one

Next you set the old account to forward all mail to the new one. If you do this before setting POP3 it will switch off mysteriously by itself. Do it after.

Copy files

The short term strategy is to preserve content by moving it to a new gmail account. The longer term strategy

Short term: Move Google Drive

Short term: Move Google Photos

Make the new account and the old one "partners" and "share everything."

Long term: Download

I am supposed to be able to copy all content in one go, but apparently I do not have the right silver key to do that. Or maybe it's a vorpal sword? So, I am installing "grive" on Bellman, in a Docker container.

cd docker/grive

VPS set up

Hostname: "hostname -f" should show the FQDN, which is w6gkd.w6gkd.radio. Set the FQDN in /etc/hosts.

Firewall? No. I am currently running fail2ban but have no firewall as such right now, which is fine for this server. I'd need to make sure port 25 is open.

System time. It is on UTC. Change it. Install NTP.

timedatectl set-timezone America/Los_Angeles
apt install ntp
systemctl status ntp

Syslog: I think it is already set up. See /var/log/mail*

DNS is at Cloudflare. "dig w6gkd.radio MX" tells me it's pointed at the right place. The names "mail", "smtp", and "imap" should be CNAMEs for w6gkd.w6gkd.radio.

The reverse needs a PTR record in place at the ISP. I did this via a ticket with Tektonic. It now returns w6gkd.w6gkd.radio.

SMTP authentication - so I can forward mail from Google (and my own servers). https://www.bluehost.com/help/article/email-client-enable-smtp-authentication

My standard TXT record for email: V=SPF1 +A +MX -ALL

Server: mail.DOMAINNAME
Port: 465 with SSL

TLS Certificate

Install and configure Postfix

Out goes Exim4, in comes Postfix. I tried putting it in Docker; sigh, maybe later for that.

apt remove exim4-base exim4-config exim4-daemon-light 
apt install postfix postgrey clamav spamassassin

The Book of Postfix

Configure in /etc/postfix especially main.cf


You need to make sure that the SPF, DKIM, DMARC and MX records are set up correctly in DNS (Cloudflare). Read this Google doc to learn more.

MX: Set DNS records

The MX record(s) tell a sending mail server where to direct mail. For example, I want wildsong.biz mail to be handled by my VPS, so I set the MX record to tell mail senders that mail for wildsong.biz should be sent to w6gkd.w6gkd.radio. Note there is also a reverse (PTR) entry that has to be set up by the service provider for the VPS (Tektonic.net in my case) so that other mail servers can check that the IP address maps back to the same DNS name.

Currently there are about 6 MX records for wildsong.biz and they all point at various Google servers. When I am done there will be just one and it will point at w6gkd.w6gkd.radio.

SPF

Should be a TXT record for the domain (e.g. wildsong.biz) set to v=spf1 ip4:108.161.129.155 ip6:fe80::216:3eff:fea2:8358 -all

Google also made me add another TXT similar to "google-site-verification=-Y...."

DMARC

Should be a TXT record for "_dmarc" similar to this

v=DMARC1; p=quarantine; rua=mailto:[email protected]
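An added example (my own, not from this page or its author): a small Python lint for the SPF and DMARC TXT records described above. The SPF record is the one quoted on this page; the DMARC reporting address is a constructed placeholder.

```python
import ipaddress

# Constructed sample input: the SPF record is the one quoted on this page; the
# DMARC report address is a placeholder, not a real mailbox.
SPF_SAMPLE = "v=spf1 ip4:108.161.129.155 ip6:fe80::216:3eff:fea2:8358 -all"
DMARC_SAMPLE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid"

def lint_spf(record: str) -> list[str]:
    """Return the problems found in an SPF TXT record (empty list if clean)."""
    problems = []
    terms = record.split()
    # RFC 7208: the record must start with the version tag v=spf1 (case-insensitive).
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    for term in terms[1:]:
        mech = term.lstrip("+-~?").lower()
        if mech.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            except ValueError:
                problems.append(f"{term}: unparseable address")
                continue
            # Link-local or private space never reaches another MTA, so such a
            # term authorizes nothing (the fe80:: address above is an example).
            if net.is_link_local or net.is_private:
                problems.append(f"{term} is not globally routable")
    last = terms[-1].lower()
    if last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append("record should end with -all or ~all")
    return problems

def lint_dmarc(record: str) -> list[str]:
    """Return the problems found in a _dmarc TXT record (empty list if clean)."""
    parts = [p.strip() for p in record.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in parts)}
    problems = []
    # RFC 7489: v=DMARC1 must be the first tag and must match exactly.
    if not parts or parts[0] != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none only monitors; failing mail is still delivered")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto: address, so you get no aggregate reports")
    return problems
```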

DKIM

How does DKIM work? https://mailtrap.io/blog/dkim/

OpenDKIM runs as a service on my VPS. It listens on port 12301. There is a config file, /etc/opendkim.conf.

You can check /var/log/mail.log for messages to see that it's working. I sent a message, and Google called back to make sure I am legit.

Jan 29 03:31:51 w6gkd opendkim[729097]: A8F6485D: mail-qk1-f201.google.com [209.85.222.201] not internal
Jan 29 03:31:51 w6gkd opendkim[729097]: A8F6485D: not authenticated
Jan 29 03:31:52 w6gkd opendkim[729097]: A8F6485D: DKIM verification successful
Jan 29 03:31:52 w6gkd opendkim[729097]: A8F6485D: s=20210112 d=google.com a=rsa-sha256 SSL
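An added example, not from the original page: a Python parser for the OpenDKIM lines in mail.log that groups them by Postfix queue id and records the outcome of each message. The first four sample lines are the ones above; the last two are constructed (an outbound signing line in OpenDKIM's usual format and a failed verification).

```python
import re
from collections import defaultdict

# Sample mail.log lines: the first four are those shown on this page; the last
# two are constructed stand-ins for an outbound signing and a failed verification.
SAMPLE_LOG = """\
Jan 29 03:31:51 w6gkd opendkim[729097]: A8F6485D: mail-qk1-f201.google.com [209.85.222.201] not internal
Jan 29 03:31:51 w6gkd opendkim[729097]: A8F6485D: not authenticated
Jan 29 03:31:52 w6gkd opendkim[729097]: A8F6485D: DKIM verification successful
Jan 29 03:31:52 w6gkd opendkim[729097]: A8F6485D: s=20210112 d=google.com a=rsa-sha256 SSL
Jan 29 03:40:10 w6gkd opendkim[729097]: B1C2D3E4: DKIM-Signature field added (s=mail, d=wildsong.biz)
Jan 29 03:45:00 w6gkd opendkim[729097]: C5D6E7F8: bad signature data
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) opendkim\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<msg>.*)$"
)
# Selector and domain appear as "s=X d=Y" (verifier) or "(s=X, d=Y)" (signer).
SD_RE = re.compile(r"s=(?P<s>[^\s,)]+)[,\s]+d=(?P<d>[^\s,)]+)")

def summarize_opendkim(log_text: str) -> dict[str, dict]:
    """Group OpenDKIM log lines by Postfix queue id and record each outcome."""
    msgs = defaultdict(lambda: {"result": "unknown", "selector": None,
                                "domain": None, "mode": "verify"})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry, msg = msgs[m["qid"]], m["msg"]
        # "not internal" / "not authenticated" mean OpenDKIM decided the message
        # came from outside, so it verifies the signature instead of adding one.
        if "DKIM verification successful" in msg:
            entry["result"] = "pass"
        elif "bad signature" in msg:
            entry["result"] = "fail"
        elif "no signature data" in msg:
            entry["result"] = "unsigned"
        elif msg.startswith("DKIM-Signature field added"):
            entry["result"], entry["mode"] = "signed", "sign"
        sd = SD_RE.search(msg)
        if sd:
            entry["selector"], entry["domain"] = sd["s"], sd["d"]
    return dict(msgs)

def unverified(summary: dict[str, dict]) -> list[str]:
    """Queue ids of inbound messages whose DKIM check did not pass."""
    return [qid for qid, e in summary.items()
            if e["mode"] == "verify" and e["result"] != "pass"]
```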

Install and configure OpenDKIM
apt install opendkim opendkim-tools

Help with Postfix: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

I have to make keys for each domain supported. Currently that's hupi.org, map46.com, wildsong.biz, and w6gkd.radio

Keys go in /etc/opendkim/keys/ and there needs to be an entry for each domain in /etc/opendkim/KeyTable and SigningTable

Generate keys for each domain:

cd /etc/opendkim/keys/
mkdir wildsong.biz
cd wildsong.biz
opendkim-genkey -s mail -d wildsong.biz
chown opendkim:opendkim mail.private

The file "mail.txt" contains the text to put in the DNS DKIM record for mail._domainkey

Remember to restart opendkim and postfix.
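An added example, not from the page or from OpenDKIM itself: a Python helper that joins the quoted chunks of a genkey mail.txt into the single string a DNS GUI wants, and writes the KeyTable and SigningTable lines for the domains listed above. The mail.txt content is a constructed stand-in with a fake key.

```python
import re
from pathlib import PurePosixPath

# From the page: the four domains to sign for, the selector used with genkey,
# and the directory the keys live in.
DOMAINS = ["hupi.org", "map46.com", "wildsong.biz", "w6gkd.radio"]
SELECTOR = "mail"
KEY_ROOT = PurePosixPath("/etc/opendkim/keys")

# Constructed stand-in for mail.txt with a fake key. opendkim-genkey splits the
# public key over several quoted strings; a DNS GUI usually wants one string.
SAMPLE_MAIL_TXT = """\
mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "
\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakeKEYpart1"
\t  "fakeKEYpart2" )  ; ----- DKIM key mail for wildsong.biz
"""

def dkim_txt_value(mail_txt: str) -> str:
    """Join the quoted chunks of a genkey mail.txt into one TXT record value."""
    return "".join(re.findall(r'"([^"]*)"', mail_txt))

def dkim_tags(value: str) -> dict[str, str]:
    """Split a DKIM record value into its tag=value pairs."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): v.strip() for k, v in pairs}

def opendkim_tables(domains, selector=SELECTOR):
    """Return the KeyTable and SigningTable lines for every signing domain.

    KeyTable:     <keyname> <domain>:<selector>:<private key path>
    SigningTable: *@<domain> <keyname>   (refile: form, matched by sender)
    """
    key_table, signing_table = [], []
    for d in domains:
        key_name = f"{selector}._domainkey.{d}"
        key_path = KEY_ROOT / d / f"{selector}.private"
        key_table.append(f"{key_name} {d}:{selector}:{key_path}")
        signing_table.append(f"*@{d} {key_name}")
    return key_table, signing_table
```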

Test it by sending mail to [email protected] and also by sending mail to a gmail.com address and checking the "original message".

Testing

To send mail from the host, I want the address to carry the domain, not the hostname, so

date | mail bwilson

should go to [email protected], not [email protected].

This is controlled by "mail" NOT postfix. So put this in /etc/mailutils.conf

address {
   email-domain w6gkd.radio;
}

  1. Can I send from w6gkd.radio?
  2. Can I send to [email protected]?
  3. Are the letsencrypt keys working?

/etc/cron.weekly runs /usr/local/sbin/renew_certs.sh

See /etc/letsencrypt/live to see what is set up

Filters

IMAP - Dovecot

I am inclined to install dovecot, mysql, and elastic search in Docker containers. Docker based installations are so clean and flexible.