Leaving Google
2023-01-31 Unsubscribed. Wildsong.biz mail now gets forwarded through w6gkd.radio.
Google has evolved from being an email service for Wildsong.biz to being a "suite" of tools that I don't need or want. A few months ago they announced it would be a for-pay only service. All that's fair, but I am not motivated to pay for the service. I am sure accounts like mine are just a money sink for them anyway even when I pay.
I set up map46.com and w6gkd.radio domains for starters to test everything. At this point I am almost ready to flip wildsong.biz mail over. I still need to pull all my files and photos out. For now I am migrating to plain gmail accounts.
The steps, overall,
- Set up new gmail accounts for each of my users. (done)
- (On Google), forward from the existing wildsong accounts to new gmail accounts (2/3's done. Doing mine today. 1/1/23)
- Set up email forwarder for wildsong.biz on my Tektonic VPS. (done)
- Move devices (phones and tablets) to new addresses. (2/3 done, in the meantime I abandoned my smartphone for a Sunbeam F1 so done.)
- Google Voice: I have try to initiate a transfer of the number over to Twilio. I have not heard back from Twilio yet. There is a $3 port out fee.
I have a VPS at Tektonic.net as the mail server. It's on the Internet all the time even when I trip and kick the wires out of the wall here at home.
As my SMTP server I will be using Postfix, along with its friends Postgrey, SpamAssassin and ClamAV.
Google accounts
Move mail from one gmail account to another
Google uses POP3 to transfer mail between accounts.
In the old account you have to allow "less secure" apps. You also have to disable two factor auth. Stupid, huh?
Then you have to set up POP3 in Accounts to tell the new account to do the import. It really did take 1-2 days for it to happen. Use your [/cdn-cgi/l/email-protection [email protected]] to log in to the old server, use the same login [/cdn-cgi/l/email-protection [email protected]] and the POP server of pop.gmail.com, port 995, TLS security ON.
The process is not documented by Google, it's described in a community posting.
Google's process to describe transferring mail is described by a user, not by Google.
Forward mail from old account to new one
Next you set the old account to forward all mail to the new one. If you do this before setting POP3 it will switch off mysteriously by itself. Do it after.
Copy files
The short term strategy to preserve content by moving to a new gmail account. The longer term strategy
Short term: Move Google Drive
Short term: Move Google Photos
Make the new account and the old one "partners" and "share everything."
Long term: Download
I am supposed to be able to copy all content in one go, but apparently I do not have the right sliver key to do that. Or maybe it's a vorpal sword? So, I am installing "grive" on Bellman. In a Docker.
cd docker/grive
VPS set up
Hostname "hostname -f" should show the FQDN, which is w6gkd.w6gkd.radio Set FQDN in /etc/hosts
Firewall? No. I am currently running fail2ban but have no firewall as such right now, which is fine for this server. I'd need to make sure port 25 is open.
System time. It is on UTC. Change it. Install NTP.
timedatectl set-timezone America/Los_Angeles apt install ntp systemctl status ntp
Syslog I think it is already set up. See /var/log/mail*
DNS is at Cloudflare. "dig w6gkd.radio MX" tells me it's pointed at the right place. The names "mail", "smtp", and "imap" should be CNAMEs fpr w6gkd.w6gkd.radio
The reverse needs a PTR record in place at the ISP. I did this via a ticket with Tektonic. It now returns w6gkd.w6gkd.radio
SMTP authentication - so I can forward mail from Google (and my own servers). https://www.bluehost.com/help/article/email-client-enable-smtp-authentication
My standard TXT record for email, V=SPF1 +A +MX -ALL
Server: mail.DOMAINNAME Port: 465 with SSL
TLS Certificate
Install and configure Postfix
Out goes Exim4, in with Postfix. I tried putting it in Docker, sigh, maybe later for that.
apt remove exim4-base exim4-config exim4-daemon-light apt install postfix postgrey clamav spamassassin
Configure in /etc/postfix especially main.cf
You need to make sure that the SPF, DKIM, DMARC and MX records are set up correctly in DNS (Cloudflare). Read this Google doc to learn more.
MX: Set DNS records
The MX record(s) tell a mail server where to direct mail, for example, I want wildsong.biz mail to be handled by my VPS so I set it to tell mail senders that mail for wildsong.biz should be sent to w6gkd.w6gkd.radio. Note there is also a reverse entry that has to be set up by the service provider for the VPS (Tektonic.net in my case) so that the sender can check to make sure the IP address points to the same place as the DNS name.
Currently there are about 6 MX records for wildsong.biz and they all point at various Google servers. When I am done there will be just one and it will point at w6gkd.w6gkd.radio.
SPF
Should be a TXT record for the domain (e.g. wildsong.biz) set to v=spf1 ip4:108.161.129.155 ip6:fe80::216:3eff:fea2:8358 -all
Google also made me add another TXT similar to "google-site-verification=-Y...."
DMARC
Should be a TXT record for "_dmarc" similar to this
v=DMARC1; p=quarantine; rua=mailto:[email protected]
DKIM
How does DKIM work? https://mailtrap.io/blog/dkim/
OpenDKIM runs as a service on my VPS. It listens on port 12301.There is a config file, /etc/opendkim.conf.
You can check /var/log/mail.log for messages to see it's working. I sent a message, and Google called back to make sure I am legit.
Jan 29 03:31:51 w6gkd opendkim[729097]: A8F6485D: mail-qk1-f201.google.com [209.85.222.201] not internal Jan 29 03:31:51 w6gkd opendkim[729097]: A8F6485D: not authenticated Jan 29 03:31:52 w6gkd opendkim[729097]: A8F6485D: DKIM verification successful Jan 29 03:31:52 w6gkd opendkim[729097]: A8F6485D: s=20210112 d=google.com a=rsa-sha256 SSL
Install and configure OpenDKIM
apt install opendkim opendkim-tools
Help with Postfix: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
I have to make keys for each domain supported. Currently that's hupi.org, map46.com, wildsong.biz, and w6gkd.radio
Keys go in /etc/opendkim/keys/ and there needs to be an entry for each domain in /etc/opendkim/KeyTable and SigningTable
Generate keys for each domain,
cd /etc/opendkim/keys/ mkdir wildsong.biz cd wildsong.biz opendkim-genkey -s mail -d wildsong.biz chown opendkim:opendkim mail.private
The file "mail.txt" contains the text to put in the DNS DKIM record for mail._domainkey
Remember to restart opendkim and postfix.
Test it by sending mail to [/cdn-cgi/l/email-protection [email protected]] and also by sending mail to a gmail.com address and checking the "original message".
Testing
To send mail on the host, I want the address to have the domain not the hostname,
date | mail bwilson
should go to [/cdn-cgi/l/email-protection [email protected]] not [/cdn-cgi/l/email-protection [email protected]]
This is controlled by "mail" NOT postfix. So put this in /etc/mailutils.conf
address { email-domain w6gkd.radio; }
- Can I send from w6gkd.radio?
- Can I send to [/cdn-cgi/l/email-protection [email protected]]?
- Are the letsencrypt keys working?
/etc/cron.weekly runs /usr/local/sbin/renew_certs.sh
See /etc/letsencrypt/live to see what is set up
Filters
- Postgrey -- https://postgrey.schweikert.ch/
- Spamassassin -- https://spamassassin.apache.org/
- ClamAV -- Antivirus / malware -- https://www.clamav.net/
IMAP - Dovecot
I am inclined to install dovecot, mysql, and elastic search in Docker containers Docker based installations are so clean and flexible.