Home Mail Lab
Project Summary
| Field | Value |
|---|---|
| PRJ ID | PRJ-2026-04-domus-mail-lab |
| Owner | Evan Rosado |
| Priority | P2 |
| Category | Infrastructure / Learning Lab |
| Status | Draft — not started |
| Type | Deployment: Mail server lab (postfix + dovecot + authentication + SIEM + behavioral detection) |
| Strategic Context | Hands-on mail infrastructure knowledge to support CHLA Abnormal Security migration (Cisco ESA → Abnormal API) |
Deployment Status
| Phase | Description | Status | Notes |
|---|---|---|---|
| 0: Planning | Architecture design, IP allocation, DNS plan, port matrix, firewall rules | ❌ Not started | — |
| 1: VM Provision | KVM VM on kvm-01.inside.domusdigitalis.dev, Rocky Linux 9, base config, BIND registration | ❌ Not started | — |
| 2: Postfix MTA | SMTP server — receive, relay, TLS via Vault PKI, submission port | ❌ Not started | — |
| 3: Dovecot IMAP | IMAP server — Maildir storage, TLS, authentication backend | ❌ Not started | — |
| 4: DNS Records | MX, SPF, DKIM, DMARC records in BIND via nsupdate | ❌ Not started | — |
| 5: DKIM/DMARC/SPF | OpenDKIM + OpenDMARC milters, SPF verification, header authentication | ❌ Not started | — |
| 6: Wazuh Logging | Postfix syslog → Wazuh, custom decoders/rules, mail security dashboard | ❌ Not started | Maps to: ESA syslog → QRadar |
| 7: Behavioral Detection | Python API-based detection — reads IMAP, scores headers, auto-remediates, forwards to Wazuh | ❌ Not started | Maps to: Abnormal API-based post-delivery detection |
| 8: Validation | End-to-end test matrix — clean mail, SPF fail, spoofed sender, DKIM tampered, milter removal | ❌ Not started | Maps to: Abnormal pilot validation (Phase 4) |
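The following is an added example (not code from this project) of how Phase 7's header scorer and Phase 8's test matrix could fit together: it parses the Authentication-Results header the Phase 5 milters stamp, scores a message on SPF/DKIM/DMARC results plus sender-consistency checks, applies the verdict over IMAP, and writes a JSON line for a Wazuh agent to pick up. The authserv-id, the weights and thresholds, the `Quarantine` mailbox name and the log path are all assumptions, and every message in `SAMPLES` is constructed to cover one row of the validation matrix (plus a forged upstream Authentication-Results header, which the parser must ignore).

```python
"""Post-delivery header scoring for the mail lab (added example, not the
project's own code). Assumes the Postfix milters stamp Authentication-Results
with the authserv-id below, Dovecot supports UID MOVE, and a Wazuh agent tails
the JSON-lines log. All messages in SAMPLES are constructed test inputs."""
import email
import imaplib
import json
import re
from email.utils import parseaddr

AUTHSERV_ID = "mail-01.inside.domusdigitalis.dev"  # assumed authserv-id of local milters
INTERNAL_DOMAIN = "inside.domusdigitalis.dev"
QUARANTINE_AT, FLAG_AT = 50, 20  # assumed score thresholds

# Assumed weights per finding; tune them against the Phase 8 matrix.
WEIGHTS = {
    "no_trusted_authres": 40,  # milter missing, or results stamped by someone else
    "spf_fail": 30,
    "dkim_fail": 30,
    "dmarc_fail": 40,
    "from_rp_mismatch": 25,    # header From domain differs from envelope sender domain
    "display_name_spoof": 25,  # internal address shown in the display name of an external sender
}


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc results only from Authentication-Results headers
    carrying our own authserv-id; any other stamp may have been forged upstream."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(hdr.split()).partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0] != AUTHSERV_ID:
            continue
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", rest, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def score_message(raw: bytes) -> dict:
    """Score one message (full message or headers only) and return the verdict."""
    msg = email.message_from_bytes(raw)
    auth = parse_auth_results(msg)
    findings = []
    if not auth:
        findings.append("no_trusted_authres")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) == "fail":
            findings.append(f"{method}_fail")
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = return_path.rpartition("@")[2].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append("from_rp_mismatch")
    if "@" + INTERNAL_DOMAIN in display.lower() and from_dom != INTERNAL_DOMAIN:
        findings.append("display_name_spoof")
    score = sum(WEIGHTS[f] for f in findings)
    verdict = "quarantine" if score >= QUARANTINE_AT else "flag" if score >= FLAG_AT else "deliver"
    return {"verdict": verdict, "score": score, "findings": findings, "auth": auth,
            "from": from_addr, "return_path": return_path, "subject": msg.get("Subject", "")}


def remediate(imap: imaplib.IMAP4, uid: bytes, verdict: str, quarantine: str = "Quarantine"):
    """Quarantined mail leaves INBOX; flagged mail is marked so the MUA highlights it."""
    if verdict == "quarantine":
        imap.uid("MOVE", uid, quarantine)
    elif verdict == "flag":
        imap.uid("STORE", uid, "+FLAGS", r"(\Flagged)")


def scan_inbox(imap: imaplib.IMAP4, log_path: str = "/var/log/mail-lab/detections.jsonl"):
    """Score every unseen INBOX message, remediate, and log one JSON event each (assumed path)."""
    imap.select("INBOX")
    _, data = imap.uid("SEARCH", None, "UNSEEN")
    with open(log_path, "a") as log:
        for uid in data[0].split():
            _, fetched = imap.uid("FETCH", uid, "(BODY.PEEK[HEADER])")
            result = score_message(fetched[0][1])
            result["uid"] = uid.decode()
            remediate(imap, uid, result["verdict"])
            log.write(json.dumps(result) + "\n")


AR = b"Authentication-Results: " + AUTHSERV_ID.encode() + b"; "
SAMPLES = {  # constructed inputs, one per validation case
    "clean": b"Return-Path: <alice@inside.domusdigitalis.dev>\r\n" + AR +
             b"spf=pass smtp.mailfrom=inside.domusdigitalis.dev; dkim=pass header.d=inside.domusdigitalis.dev; dmarc=pass\r\n"
             b"From: Alice <alice@inside.domusdigitalis.dev>\r\nSubject: ok\r\n\r\nhi\r\n",
    "spf_fail": b"Return-Path: <bounce@bulk.example>\r\n" + AR +
                b"spf=fail smtp.mailfrom=bulk.example; dkim=none; dmarc=fail\r\n"
                b"From: News <news@bulk.example>\r\nSubject: deal\r\n\r\nbuy\r\n",
    "spoofed_sender": b"Return-Path: <x@attacker.example>\r\n" + AR +
                      b"spf=pass smtp.mailfrom=attacker.example; dkim=none; dmarc=fail\r\n"
                      b"From: Evan Rosado <evan@inside.domusdigitalis.dev>\r\nSubject: urgent\r\n\r\nwire\r\n",
    "dkim_tampered": b"Return-Path: <alice@inside.domusdigitalis.dev>\r\n" + AR +
                     b"spf=pass smtp.mailfrom=inside.domusdigitalis.dev; dkim=fail (body hash did not verify); dmarc=pass\r\n"
                     b"From: Alice <alice@inside.domusdigitalis.dev>\r\nSubject: edited\r\n\r\nchanged\r\n",
    "milter_removed": b"Return-Path: <alice@inside.domusdigitalis.dev>\r\n"
                      b"From: Alice <alice@inside.domusdigitalis.dev>\r\nSubject: no stamp\r\n\r\nhi\r\n",
    "forged_authres": b"Return-Path: <help@attacker.example>\r\n"
                      b"Authentication-Results: relay.attacker.example; spf=pass; dkim=pass; dmarc=pass\r\n"
                      b'From: "it-helpdesk@inside.domusdigitalis.dev" <help@attacker.example>\r\nSubject: reset\r\n\r\nclick\r\n',
}


def run_matrix() -> dict:
    """Return {case: (verdict, score)} for the constructed validation matrix."""
    return {name: (r["verdict"], r["score"]) for name, r in
            ((n, score_message(raw)) for n, raw in SAMPLES.items())}


if __name__ == "__main__":
    for name, (verdict, score) in run_matrix().items():
        print(f"{name:16s} {verdict:10s} {score}")
```

Two design points matter here: results are trusted only when the authserv-id matches the local host, because a sender can prepend its own Authentication-Results header, and a missing stamp is itself scored, so removing the milter (the last row of the validation matrix) shows up as a finding rather than a silent pass.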
Prerequisites Assessment
Already In Place
| Dependency | Details | Status |
|---|---|---|
| DNS (BIND HA) | 10.50.1.90 primary, authoritative for inside.domusdigitalis.dev. nsupdate with TSIG keys operational. | ✅ Ready |
| Active Directory | home-dc01.inside.domusdigitalis.dev (10.50.1.50). User directory for mail authentication. | ✅ Ready |
| Vault PKI | vault-01.inside.domusdigitalis.dev (10.50.1.60). Issuing CA at | ✅ Ready |
| Wazuh SIEM | v4.14.3 on k3s (10.50.1.120). Agent-based monitoring with OpenSearch backend. | ✅ Ready |
| VyOS Firewall | HA pair (10.50.1.2/10.50.1.3), VIP 10.50.1.1. Zone-based rules. | ✅ Ready |
| KVM Hypervisor | kvm-01.inside.domusdigitalis.dev (10.50.1.100). Rocky Linux. 8+ VMs running. | ✅ Ready |
| Synology NAS | nas-01.inside.domusdigitalis.dev (10.50.1.70). NFS exports for backup/archive. | ✅ Ready |
| Mail Client (aerc) | Terminal MUA installed on workstation. IMAP/SMTP capable. | ✅ Ready |
Needs Provisioning
| Component | Action |
|---|---|
| mail-01 VM | |
| Postfix | MTA — SMTP receive/relay on ports 25/587 |
| Dovecot | MDA + IMAP server on port 993 |
| OpenDKIM | DKIM signing/verification milter |
| OpenDMARC | DMARC policy enforcement milter |
| DNS Records | MX, A, SPF TXT, DKIM TXT, DMARC TXT for inside.domusdigitalis.dev |
| VyOS Rules | Allow 25, 587, 993 to 10.50.1.91 |
| Vault Certificate | TLS cert: CN=mail-01.inside.domusdigitalis.dev, SANs for SMTP STARTTLS + IMAPS |
Risk
| Risk | Mitigation | Severity |
|---|---|---|
| Open relay | Restrict | High |
| DNS pollution | Lab-only MX — inside.domusdigitalis.dev is internal, no internet mail routing | Low |
| Certificate expiry | Vault auto-renewal via cron or cert-manager pattern | Medium |
Metadata
| Field | Value |
|---|---|
| PRJ ID | PRJ-2026-04-domus-mail-lab |
| Author | Evan Rosado |
| Created | 2026-04-09 |
| Last Updated | 2026-04-09 |
| Status | Draft — Phase 0 not started |
| Category | Infrastructure / Learning Lab |
| Priority | P2 |
| Platform | KVM virtual machine on kvm-01.inside.domusdigitalis.dev |
| Target OS | Rocky Linux 9 (matches existing KVM hosts) |
| Purpose | Production-grade mail server lab — postfix, dovecot, DKIM/DMARC/SPF, Wazuh integration, behavioral detection. Directly supports Abnormal Security migration knowledge. |
| Related | |