From 42e94ae6f5ba5f7af0ea273c6528c76aad9b6150 Mon Sep 17 00:00:00 2001
From: Jeffrey Serio
Date: Sun, 29 Sep 2024 02:31:39 -0500
Subject: [PATCH] Add lemmy.org
---
lemmy.org | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 lemmy.org
diff --git a/lemmy.org b/lemmy.org
new file mode 100644
index 0000000..d55e31c
--- /dev/null
+++ b/lemmy.org
@@ -0,0 +1,53 @@
+#+TITLE: Lemmy
+
+** Configure SPF and DKIM for SMTP postfix-relay
+
+Source: [[https://github.com/wader/postfix-relay#spf]]
+
+- Add remote forwarding for rsyslog.
+- Make the DKIM keys persist indefinitely in a volume at ~./volumes/postfix-dkim:/etc/opendkim/keys~.
+- ~./volumes~ is relative to the parent directory of the ~docker-compose.yml~ file for the Lemmy instance. E.g. ~/docker/lemmy/volumes~.
+
+Edit ~docker-compose.yml~:
+
+#+BEGIN_SRC yaml
+postfix:
+ image: mwader/postfix-relay
+ environment:
+ - POSTFIX_myhostname=lemmy.hyperreal.coffee
+ - OPENDKIM_DOMAINS=lemmy.hyperreal.coffee
+ - RSYSLOG_TO_FILE=yes
+ - RSYSLOG_TIMESTAMP=yes
+ - RSYSLOG_REMOTE_HOST=
+ - RSYSLOG_REMOTE_PORT=514
+ - RSYSLOG_REMOTE_TEMPLATE=RSYSLOG_ForwardFormat
+ volumes:
+ - ./volumes/postfix-dkim:/etc/opendkim/keys
+ - ./volumes/logs:/var/log
+ restart: "always"
+ logging: *default-logging
+#+END_SRC
+
+#+BEGIN_SRC shell
+docker-compose up -d
+#+END_SRC
+
+On domain registrar, add the following TXT records:
+
+| Type | Name | Content |
+|------+-----------------------+----------------------------------------------|
+| TXT | lemmy | "v=spf1 a max ipv4: -all" |
+| TXT | mail._domainkey.lemmy | "v=DKIM1; h=sha256; k=rsa; p=" |
+
+The content of ~mail._domainkey.lemmy~ is obtained from the log output of the wader/postfix-relay Docker container.
+
+#+BEGIN_SRC shell
+docker logs lemmy-postfix-1
+#+END_SRC
+
+To test this, allow a few hours for the DNS changes to propagate, then log out of the Lemmy instance and send a password reset request. If the reset confirmation email doesn't go to the spam folder, it works. The email service provider will be able to determine the email is from an authentic email address.
+
+*** Resources
+- [[https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail][DomainKeys Identified Mail - Wikipedia]]
+- [[https://en.wikipedia.org/wiki/Sender_Policy_Framework][Sender Policy Framework - Wikipedia]]
+- [[https://en.wikipedia.org/wiki/DMARC][DMARC]]
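Review bot: The SPF value in the TXT table, `"v=spf1 a max ipv4: -all"`, is not valid SPF as written: `max` is not a mechanism (presumably `mx` was meant) and the IPv4 mechanism is spelled `ip4:`, not `ipv4:`, with the address after it apparently left blank. Receivers treat an unrecognised mechanism as a permanent error, so the `-all` policy would not be evaluated as intended; the row should read something like `"v=spf1 a mx ip4:<RELAY_IPV4_PLACEHOLDER> -all"`. The test paragraph also only checks that the mail avoids the spam folder, which does not show that SPF and DKIM actually passed; I would add a line such as `Check the Authentication-Results header of the received mail for spf=pass and dkim=pass.` DMARC is linked under Resources but no `_dmarc` TXT record is described, so the note could say whether one is published.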