diff --git a/docs/architecture/mailserver-visual.html b/docs/architecture/mailserver-visual.html deleted file mode 100644 index 8d45627e..00000000 --- a/docs/architecture/mailserver-visual.html +++ /dev/null @@ -1,665 +0,0 @@ - - - - - - -Mail Server Architecture โ€” viktorbarzin.me - - - - - - - - -
- - -
-
Operational
-

Mail Server Architecture

-

Self-hosted email infrastructure for viktorbarzin.me on Kubernetes with CrowdSec protection

-
- docker-mailserver 15.0.0 - | - Updated 2026-04-12 -
-
- - -
-
-
9
-
DNS Records
-
-
-
10m
-
Probe Interval
-
-
-
30m
-
Alert Threshold
-
-
-
5
-
Security Layers
-
-
-
Local
-
Traffic Policy
-
-
- - -
-
Inbound Mail Flow
-
-
-
-
๐Ÿ“ง
-
Sender MTA
-
MX lookup
-
-
:25
-
-
๐ŸŒ
-
mail.viktorbarzin.me
-
176.12.22.76
-
-
NAT
-
-
๐Ÿ›ก
-
pfSense
-
port 25 fwd
-
-
10.0.20.202
-
-
โš–
-
MetalLB
-
ETP: Local
-
-
-
-
๐Ÿ“ฌ
-
Postfix
-
+ CrowdSec
-
-
-
-
๐Ÿ”
-
Rspamd
-
spam/DKIM/DMARC
-
-
-
-
๐Ÿ“ฅ
-
Dovecot
-
IMAP :993
-
-
-
-
- - -
-
Outbound Mail Flow
-
-
-
-
๐Ÿ“ฌ
-
Postfix
-
relayhost
-
-
SASL+TLS :587
-
-
๐Ÿš€
-
Mailgun EU
-
smtp.eu.mailgun.org
-
-
-
-
๐Ÿ“ง
-
Recipient
-
IP reputation handled
-
-
-
-
- - -
-
DNS Records
- - - - - - - - - - - - - - - -
TypeNameValueStatus
MXviktorbarzin.memail.viktorbarzin.me (pri 1)OK
Amail.viktorbarzin.me176.12.22.76 (DNS-only)OK
AAAAmail.viktorbarzin.me2001:470:6e:43d::2OK
SPFviktorbarzin.mev=spf1 include:mailgun.org -allHard Fail
DKIMs1._domainkeyRSA 1024-bit (Mailgun outbound)OK
DKIMmail._domainkeyRSA 2048-bit (Rspamd signing)OK
DMARC_dmarcp=quarantine; pct=100OK
MTA-STS_mta-stsv=STSv1; id=20260412OK
TLSRPT_smtp._tlsrua=mailto:postmaster@viktorbarzin.meOK
- -
-
โš 
-
PTR Mismatch: Reverse DNS returns 176-12-22-76.pon.spectrumnet.bg (ISP-assigned) instead of mail.viktorbarzin.me. ISP-controlled, cannot fix. Minimal impact โ€” Gmail/Outlook rely on SPF/DKIM/DMARC.
-
-
- - -
-
Security Layers
-
-
-

๐Ÿ›ก CrowdSec

-
    -
  • crowdsecurity/postfix + dovecot collections
  • -
  • Real client IPs via ETP: Local on 10.0.20.202
  • -
  • Automatic brute-force detection & ban
  • -
-
-
-

๐Ÿ” Rspamd

-
    -
  • Spam filtering + phishing detection
  • -
  • DKIM signing (selector: mail, 2048-bit)
  • -
  • DMARC verification on inbound
  • -
  • Auto-learns from Junk folder
  • -
-
-
-

๐Ÿšฆ Postfix Rate Limiting

-
    -
  • 10 connections/min per client
  • -
  • 30 messages/min per client
  • -
  • Now effective with real IPs (ETP: Local)
  • -
-
-
-

๐Ÿ”’ TLS Enforcement

-
    -
  • Let's Encrypt wildcard cert
  • -
  • MTA-STS enforces TLS for inbound
  • -
  • TLSRPT for failure reporting
  • -
  • STARTTLS on SMTP, SSL on IMAP
  • -
-
-
-
- - -
-
Monitoring & Alerts
-
-
-
๐Ÿ“Š
-
-
MailServerDown
-
No replicas for 5m
-
-
-
-
๐Ÿ“ง
-
-
EmailRoundtripFailing
-
Probe failing for 30m
-
-
-
-
โฑ
-
-
EmailRoundtripStale
-
No success in >40m
-
-
-
-
โ“
-
-
EmailRoundtripNeverRun
-
Metric absent for 40m
-
-
-
-
- - - - - - - -
MonitorTypeTargetInterval
E2E Roundtrip ProbeCronJobMailgun API โ†’ MX โ†’ IMAP*/10 * * * *
SMTP ExternalUptime Kuma176.12.22.76:2560s
Dovecot ExporterPrometheus:9166/metricsscrape
-
-
- - -
-
Terraform Stacks
- - - - - - - - -
StackPathResources
Mailserverstacks/mailserver/Namespace, Deployment, Service, CronJob, PVCs
DNSstacks/cloudflared/MX, SPF, DKIM x2, DMARC, MTA-STS, TLSRPT
Monitoringstacks/monitoring/Prometheus alert rules
CrowdSecstacks/crowdsec/postfix + dovecot collections, log acquisition
-
- - - -
- - - - - diff --git a/docs/architecture/mailserver.md b/docs/architecture/mailserver.md index 1c70c087..5cd46f08 100644 --- a/docs/architecture/mailserver.md +++ b/docs/architecture/mailserver.md @@ -41,7 +41,7 @@ graph TB end subgraph "Monitoring" - PROBE[E2E Roundtrip Probe
CronJob every 10m] -->|Mailgun API| SENDER + PROBE[E2E Roundtrip Probe
CronJob every 20m] -->|Mailgun API| SENDER PROBE -->|IMAP check| DOVECOT PROBE --> PUSH[Pushgateway + Uptime Kuma] DEXP[Dovecot Exporter
:9166] --> PROM[Prometheus]
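Review bot: The DNS Records table and the PTR Mismatch note in the deleted docs/architecture/mailserver-visual.html hold details that the visible part of the mailserver.md diff does not show being carried over. These include the SPF value `v=spf1 include:mailgun.org -all`, the `s1._domainkey` RSA 1024-bit Mailgun key next to the 2048-bit Rspamd key, and the ISP-controlled reverse DNS. Please confirm docs/architecture/mailserver.md states the same facts before this file is removed, and drop any remaining links to mailserver-visual.html. The 1024-bit outbound DKIM key is worth keeping documented, since it is the weaker of the two signing keys.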
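Review bot: The PROBE node label in the Monitoring subgraph of docs/architecture/mailserver.md changes from "every 10m" to "every 20m", but nothing visible in this patch adjusts the alert windows that the removed page listed: EmailRoundtripFailing at 30m, EmailRoundtripStale at >40m and EmailRoundtripNeverRun at 40m. At a 20-minute cadence, 40m is exactly two intervals, so one failed run plus probe latency could push the last success past the stale threshold, and 30m spans only one or two runs. Please check that the CronJob schedule (shown as `*/10 * * * *` in the removed page) and the Prometheus rules under stacks/monitoring/ change together with this diagram, and state the resulting thresholds in mailserver.md.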