Phase 0: Planning

Establish the architecture before touching a single package. Every decision here prevents a class of mistakes in Phases 1-8.

Architecture Overview

Single VM deployment on kvm-01.inside.domusdigitalis.dev:

Component    Value
Hostname     mail-01.inside.domusdigitalis.dev
IP           10.50.1.91
OS           Rocky Linux 9
vCPU         2
RAM          2 GB
Disk         20 GB (thin provisioned)
VLAN         Management (10.50.1.0/24)
Hypervisor   kvm-01.inside.domusdigitalis.dev (10.50.1.100)

Service Port Matrix

Port   Protocol     Purpose
25     SMTP         Inbound mail reception (MTA-to-MTA)
587    Submission   Authenticated client submission (STARTTLS required before AUTH)
993    IMAPS        IMAP over TLS (client retrieval: aerc directly; notmuch indexes a local Maildir fed by a sync tool, it does not speak IMAP itself)
22     SSH          Administration (Vault SSH cert)

All four are TCP. Nothing else should listen on the VM: no plaintext 143/110, no POP3, no web UI.
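The matrix is only useful if it is checked against the running host. The following is an added example, not from the original page: a small audit that reads the listening TCP sockets from `ss` (iproute2, shipped with Rocky Linux 9) and reports anything outside the four planned ports. The sample input in the comments is constructed.

```shell
# Added example, not from the original page: audit the TCP listeners on mail-01
# against the Phase 0 service port matrix (22, 25, 587, 993). Anything else
# listening (plaintext 143/110, a stray relay on an extra port) is a deviation
# from the plan and should be closed or written into the matrix. Assumes the
# `ss` from iproute2, which Rocky Linux 9 ships.

PLANNED_PORTS="22 25 587 993"

# port_is_planned PORT: exit 0 if PORT appears in the matrix
port_is_planned() {
    local p
    for p in $PLANNED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# audit_listeners: reads `ss -H -ltn` output on stdin and prints one line per
# listening socket whose port is not in the matrix. Returns 1 if any was found.
# `ss -ltn` columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
audit_listeners() {
    local rc=0 _state _rq _sq local_addr _rest port
    while read -r _state _rq _sq local_addr _rest; do
        [ -z "$local_addr" ] && continue
        port="${local_addr##*:}"   # works for 0.0.0.0:25, *:25 and [::]:993
        if ! port_is_planned "$port"; then
            printf 'UNPLANNED listener: %s (port %s)\n' "$local_addr" "$port"
            rc=1
        fi
    done
    return "$rc"
}

# On the host:
#   ss -H -ltn | audit_listeners
# Constructed sample of what a bad run looks like:
#   LISTEN 0 100 0.0.0.0:25  0.0.0.0:*
#   LISTEN 0 100 0.0.0.0:143 0.0.0.0:*   -> "UNPLANNED listener: 0.0.0.0:143 (port 143)"
```

Run it after every phase that installs a daemon; Dovecot in particular will happily open 143 alongside 993 unless the plaintext listener is disabled.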

DNS Records Plan

Records to create in BIND (10.50.1.90) via nsupdate:

Type         Name                                           Value
A            mail-01.inside.domusdigitalis.dev              10.50.1.91
PTR          91.1.50.10.in-addr.arpa                        mail-01.inside.domusdigitalis.dev
MX           inside.domusdigitalis.dev                      10 mail-01.inside.domusdigitalis.dev
TXT (SPF)    inside.domusdigitalis.dev                      v=spf1 ip4:10.50.1.91 ~all
TXT (DKIM)   default._domainkey.inside.domusdigitalis.dev   public key, generated in Phase 5
TXT (DMARC)  _dmarc.inside.domusdigitalis.dev               v=DMARC1; p=quarantine; rua=mailto:postmaster@inside.domusdigitalis.dev
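The record plan as an nsupdate run, added here as an example (not from the original page). It assumes a TSIG key file at /etc/named/mail-01-update.key and that the reverse zone on 10.50.1.90 is 1.50.10.in-addr.arpa; neither is stated above. The point it makes that the table does not: the A/MX/TXT records and the PTR live in different zones, and nsupdate commits one zone per `send`, so the PTR has to go in its own transaction or the whole batch is refused. The DKIM TXT is left out because its value does not exist until Phase 5.

```shell
# Added example, not from the original page: build and apply the Phase 0 DNS
# records with nsupdate, then verify them with dig against the BIND server.
# Assumed (not on the page): TSIG key path and reverse zone name below.

DNS_SERVER=10.50.1.90
ZONE=inside.domusdigitalis.dev
REVERSE_ZONE=1.50.10.in-addr.arpa              # assumed
HOST=mail-01
IP=10.50.1.91
TTL=3600
TSIG_KEYFILE=/etc/named/mail-01-update.key     # assumed

# reverse_name IPV4: the in-addr.arpa owner name for the PTR record
reverse_name() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        printf '%s.%s.%s.%s.in-addr.arpa\n' "$d" "$c" "$b" "$a"
    }
}

# forward_batch: nsupdate commands for the forward zone (one transaction).
forward_batch() {
    cat <<EOF
server $DNS_SERVER
zone $ZONE
update add $HOST.$ZONE. $TTL A $IP
update add $ZONE. $TTL MX 10 $HOST.$ZONE.
update add $ZONE. $TTL TXT "v=spf1 ip4:$IP ~all"
update add _dmarc.$ZONE. $TTL TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@$ZONE"
send
EOF
}

# reverse_batch: the PTR lives in another zone, so it is a second transaction.
reverse_batch() {
    cat <<EOF
server $DNS_SERVER
zone $REVERSE_ZONE
update add $(reverse_name "$IP"). $TTL PTR $HOST.$ZONE.
send
EOF
}

# apply_updates: run on a host that holds the TSIG key (-v forces TCP).
apply_updates() {
    forward_batch | nsupdate -k "$TSIG_KEYFILE" -v &&
    reverse_batch | nsupdate -k "$TSIG_KEYFILE" -v
}

# verify_records: ask the authoritative server directly; fail on the first gap.
verify_records() {
    dig +short @"$DNS_SERVER" "$HOST.$ZONE" A    | grep -qxF "$IP"            || return 1
    dig +short @"$DNS_SERVER" -x "$IP"           | grep -qxF "$HOST.$ZONE."   || return 1
    dig +short @"$DNS_SERVER" "$ZONE" MX         | grep -qF "10 $HOST.$ZONE." || return 1
    dig +short @"$DNS_SERVER" "$ZONE" TXT        | grep -qF 'v=spf1'          || return 1
    dig +short @"$DNS_SERVER" "_dmarc.$ZONE" TXT | grep -qF 'v=DMARC1'        || return 1
}

# Usage: review the batches first, then apply and verify.
#   forward_batch; reverse_batch
#   apply_updates && verify_records && echo "DNS plan applied"
```

Print the batches before applying them; a typo in the PTR owner name is far easier to spot in the nsupdate text than in a later "reverse DNS mismatch" from a receiving MTA.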

VyOS Firewall Rules

Rules to add on vyos-01.inside.domusdigitalis.dev (VyOS 1.3 syntax; 1.4 moved this tree under firewall ipv4 name):

# Allow mail traffic (SMTP, submission, IMAPS) to mail-01
set firewall name INSIDE-to-INSIDE rule 60 action accept
set firewall name INSIDE-to-INSIDE rule 60 destination address 10.50.1.91
set firewall name INSIDE-to-INSIDE rule 60 destination port 25,587,993
set firewall name INSIDE-to-INSIDE rule 60 protocol tcp
set firewall name INSIDE-to-INSIDE rule 60 description 'Allow mail traffic to mail-01'

Port 22 from the port matrix is not in this rule. Confirm an existing management rule already permits SSH to 10.50.1.91, or add it as its own rule rather than widening rule 60, so mail and administration access can be tightened independently later.

Vault Certificate Plan

Request from pki_int:

Field                Value
Common Name          mail-01.inside.domusdigitalis.dev
SANs                 mail-01.inside.domusdigitalis.dev, mail-01
TTL                  8760h (1 year; acceptable for a lab, not for production)
Extended Key Usage   TLS Web Server Authentication (serverAuth)
Used By              Postfix (STARTTLS on 25/587), Dovecot (IMAPS on 993)

One certificate serves both daemons: the key file stays root-owned and mode 0600, since Postfix and Dovecot both read it as root before dropping privileges.
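The issuance step as an added example (not from the original page, and not the page's own tooling). It assumes a pki_int role named inside-domusdigitalis-dev, that VAULT_ADDR and VAULT_TOKEN are already exported, and that jq is installed; none of that is stated above. It writes the leaf, the key and a leaf-plus-intermediate chain under /etc/pki/tls and then checks the issued certificate against the table rather than trusting the request.

```shell
# Added example, not from the original page: issue the Phase 0 certificate
# from the pki_int mount, install it for Postfix/Dovecot and verify it.
# Assumed (not on the page): role name, VAULT_ADDR/VAULT_TOKEN in the
# environment, jq available.

PKI_MOUNT=pki_int
PKI_ROLE=inside-domusdigitalis-dev           # assumed role name
CN=mail-01.inside.domusdigitalis.dev
SAN_LIST="mail-01.inside.domusdigitalis.dev,mail-01"
TTL=8760h
CERT_FILE=/etc/pki/tls/certs/mail-01.crt
CHAIN_FILE=/etc/pki/tls/certs/mail-01-chain.crt
KEY_FILE=/etc/pki/tls/private/mail-01.key

# issue_args: the key=value arguments for 'vault write', one per line, so the
# request can be reviewed (and diffed against the plan) before it is sent.
issue_args() {
    printf 'common_name=%s\nalt_names=%s\nttl=%s\n' "$CN" "$SAN_LIST" "$TTL"
}

# issue_cert: request the certificate, split the JSON answer into files and
# lock the key down. Re-run to rotate.
issue_cert() {
    local tmp old_umask
    tmp=$(mktemp) || return 1
    # word-splitting on issue_args output is intended: three key=value words
    # shellcheck disable=SC2046
    vault write -format=json "$PKI_MOUNT/issue/$PKI_ROLE" $(issue_args) > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    old_umask=$(umask)
    umask 077
    jq -r '.data.private_key' "$tmp" > "$KEY_FILE"
    umask "$old_umask"
    jq -r '.data.certificate' "$tmp" > "$CERT_FILE"
    # leaf first, then the issuing intermediate: the order Postfix and Dovecot expect
    { jq -r '.data.certificate' "$tmp"; jq -r '.data.issuing_ca' "$tmp"; } > "$CHAIN_FILE"
    rm -f "$tmp"
    chown root:root "$KEY_FILE" "$CERT_FILE" "$CHAIN_FILE"
    chmod 0600 "$KEY_FILE"
    chmod 0644 "$CERT_FILE" "$CHAIN_FILE"
}

# verify_cert: what was issued must match the plan (CN, both SANs, serverAuth
# EKU) and the installed key must belong to the installed certificate.
verify_cert() {
    openssl x509 -in "$CERT_FILE" -noout -subject \
        | grep -q "CN *= *$CN" || return 1
    openssl x509 -in "$CERT_FILE" -noout -ext subjectAltName \
        | grep -qF "DNS:$CN" || return 1
    openssl x509 -in "$CERT_FILE" -noout -ext subjectAltName \
        | grep -qE 'DNS:mail-01(,|$)' || return 1
    openssl x509 -in "$CERT_FILE" -noout -ext extendedKeyUsage \
        | grep -qF 'TLS Web Server Authentication' || return 1
    [ "$(openssl x509 -in "$CERT_FILE" -noout -pubkey)" = \
      "$(openssl pkey -in "$KEY_FILE" -pubout)" ]
}

# Usage (as root on mail-01):
#   issue_args            # review the request
#   issue_cert && verify_cert && echo "certificate installed"
```

The verification step is the one worth keeping: a role whose allowed_domains or allow_bare_domains settings do not match the plan will silently issue a certificate without the bare mail-01 SAN, and the failure only shows up later as a client-side name mismatch.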

Decisions

Rocky Linux 9
  Rationale: matches the kvm-01/kvm-02 pattern, RHEL-compatible (RHCSA prep), SELinux enforcing by default.
  Alternative considered: Arch Linux (familiar, but no SELinux).

Maildir format
  Rationale: aerc/notmuch compatible, one file per message, safe for concurrent delivery and reading.
  Alternative considered: mbox (simpler, but locking issues).

Local users first
  Rationale: faster to lab; AD integration via sssd is a Phase 3 stretch goal.
  Alternative considered: AD-only (adds complexity before mail works).

Single VM
  Rationale: sufficient for learning; HA is out of scope for a lab.
  Alternative considered: separate MTA/MDA VMs (the production pattern, overkill here).