# Limristem eMail Architecture

Limristem eMail targets Debian 13+ and combines standard mail components with a small REST control plane.

## Components

- **Postfix**: SMTP ingress/egress, virtual mailbox lookups through MariaDB, LMTP delivery to Dovecot, Rspamd milter integration, optional SRS canonical maps through `postsrsd`.
- **Dovecot**: IMAP/POP3/LMTP, SQL auth, Maildir storage, quota enforcement from `quota_mb`.
- **Rspamd + Redis**: spam scoring, DKIM signing, ARC, greylisting, Bayes, and runtime caching.
- **MariaDB**: domains, accounts, aliases, redirects, reputation and related metadata.
- **PostSRSd**: Sender Rewriting Scheme (SRS) for the envelope sender, so forwarded mail still passes SPF at the next hop because the envelope domain is the forwarder's rather than the original sender's.
- **FastAPI control plane**: CRUD over domains/accounts/aliases/redirects/reputation plus DKIM rotation, per-domain DNS provider integration, and health endpoints.
- **Nginx**: HTTPS reverse proxy for the API.
- **MTA-STS policy serving**: optional static policy for the configured primary domain.

## Main flow

1. External SMTP arrives at Postfix.
2. Postfix passes the message to the Rspamd milter for SPF/DKIM/DMARC/ARC checks and spam scoring.
3. Accepted mail is delivered via LMTP to Dovecot.
4. Dovecot stores mail in Maildir and enforces mailbox quota.
5. For external forwards, Postfix can use `postsrsd` to rewrite the envelope sender (SRS), so the receiving host's SPF check evaluates the forwarder's domain instead of the original sender's, and bounces come back to the forwarder for reverse rewriting.
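As an added illustration of step 5 (example code written for this page, not `postsrsd`'s implementation), the following shows an SRS0 rewrite and its reverse. Two properties matter for security: the forwarder's domain becomes the envelope sender so SPF passes downstream, and an HMAC over the timestamp, original domain and local part keeps outsiders from bouncing arbitrary mail through the forwarder by fabricating SRS addresses. The secret, the 4-character hash length and the 21-day validity window are assumptions for this example and need not match `postsrsd` byte for byte.

```python
import base64
import hashlib
import hmac

# Base32 alphabet used for the 2-character SRS timestamp (1024-day cycle).
SRS_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
HASH_LEN = 4          # base64 characters of the HMAC kept in the address (assumed)
MAX_AGE_DAYS = 21     # bounces to an older SRS address are refused (assumed window)


def _timestamp(days: int) -> str:
    """Encode a day count as the 2-char base32 timestamp field."""
    d = days % 1024
    return SRS_B32[(d >> 5) & 31] + SRS_B32[d & 31]


def _decode_timestamp(ts: str) -> int:
    return (SRS_B32.index(ts[0]) << 5) | SRS_B32.index(ts[1])


def _hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    """HMAC over timestamp, original domain and local part. The secret is what stops
    the forwarder from acting as a bounce relay for addresses it never rewrote."""
    msg = (ts + domain + local).lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_LEN]


def srs_forward(secret: bytes, sender: str, forwarder_domain: str, days: int) -> str:
    """Rewrite sender (local@domain) to SRS0=hash=ts=domain=local@forwarder_domain."""
    local, sep, domain = sender.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("sender must be local@domain")
    if local.startswith(("SRS0=", "SRS1=")):
        # Mail already rewritten upstream needs the SRS1 form; not covered here.
        raise ValueError("nested SRS rewriting is not handled in this example")
    ts = _timestamp(days)
    return f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(secret: bytes, address: str, days: int) -> str:
    """Validate an SRS0 bounce address and recover the original sender."""
    local, _, _ = address.rpartition("@")
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    parts = local.split("=", 4)   # the original local part may contain '=', keep it whole
    if len(parts) != 5:
        raise ValueError("malformed SRS0 address")
    _, h, ts, orig_domain, orig_local = parts
    if len(h) != HASH_LEN or not h.isascii():
        raise ValueError("bad SRS hash field")
    if len(ts) != 2 or any(c not in SRS_B32 for c in ts):
        raise ValueError("bad SRS timestamp")
    # Constant-time compare so an attacker cannot guess the hash byte by byte.
    if not hmac.compare_digest(h, _hash(secret, ts, orig_domain, orig_local)):
        raise ValueError("SRS hash mismatch")
    if (days - _decode_timestamp(ts)) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{orig_domain}"
```

In the deployed stack this rewriting is done by `postsrsd` behind Postfix's canonical maps; the block is only meant to make visible why a keyed hash and a timestamp are part of the scheme.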

## Data model

MariaDB tables:
- `domains`
- `accounts`
- `aliases`
- `redirects`
- `reputations`
- `greylist`
- `spam_traps`
- `trusted_replies`
- `blocklists_cache`

The API ORM mirrors this schema. Domain and mailbox inputs are validated before any insert or update.
The `domains` table also carries optional DNS provider metadata. Only the Cloudflare provider is implemented at present; provider API tokens are write-only from the external API's perspective: they can be set or replaced, but are never serialized into domain responses.
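As an added example of the two guarantees above (written for this page; not the project's own validators or ORM models), the block below validates domain and mailbox inputs with deliberately conservative rules and models a domain record whose DNS token is accepted on write but kept out of both `repr()` and API responses. The character sets, length limits and the `Domain` dataclass shape are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

# Assumed rules for this example: hostname labels are 1-63 chars of [a-z0-9-] with no
# leading or trailing hyphen, at least one dot, whole name at most 253 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Local parts restricted to a dot-atom subset that passes through SQL lookups and
# Postfix/Dovecot maps without any quoting.
LOCAL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9._+-]*[a-z0-9])?$")


def validate_domain(name: str) -> str:
    """Normalize to lowercase without trailing dot; reject anything not shaped like a hostname."""
    d = name.strip().lower().rstrip(".")
    if len(d) > 253 or not DOMAIN_RE.match(d):
        raise ValueError(f"invalid domain: {name!r}")
    return d


def validate_mailbox(address: str, known_domains: Iterable[str]) -> Tuple[str, str]:
    """Split an account address into (local, domain); the domain must already be managed."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or len(local) > 64 or ".." in local or not LOCAL_RE.match(local):
        raise ValueError(f"invalid mailbox: {address!r}")
    domain = validate_domain(domain)
    if domain not in set(known_domains):
        raise ValueError(f"unknown domain: {domain}")
    return local, domain


@dataclass
class Domain:
    name: str
    dns_provider: Optional[str] = None
    # Write-only: accepted on create/update, excluded from repr() and from every response.
    dns_api_token: Optional[str] = field(default=None, repr=False)

    def to_response(self) -> dict:
        """Serialize for API clients: report whether a token is configured, never its value."""
        return {
            "name": self.name,
            "dns_provider": self.dns_provider,
            "dns_token_configured": self.dns_api_token is not None,
        }
```

Keeping the token out of `repr()` matters as much as keeping it out of responses: exception traces and structured logs routinely format model objects, which is how write-only secrets leak in practice.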

## Security posture

- The API service runs as a dedicated `limristem-mail` system user.
- The API is intended to be reached over HTTPS through the Nginx reverse proxy.
- The admin API password is stored as a salted hash, not in plaintext, in `<BASE_DIR>/config/limristem-mail.env`.
- DKIM private keys live under `LIMRISTEM_MAIL_DKIM_KEYS_DIR`; a shared `mailkeys` group gives both `limristem-mail` (for rotation) and Rspamd (for signing) access.
- Cloudflare DNS updates require a per-domain API token scoped to DNS edit access for that zone only, so a leaked token cannot modify other zones.
- Postfix's `milter_default_action` is `tempfail`, so if the Rspamd milter is unreachable, mail is deferred with a temporary failure instead of being accepted unscanned.
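As an added example for the stored admin password (written for this page; the project's actual hash format and verification routine are not shown on it), the block below derives a salted scrypt hash and verifies a candidate in constant time, returning `False` rather than raising on malformed input. The `scrypt$N$r$p$salt$hash` string layout and the cost parameters are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Assumed storage format for this example: scrypt$N$r$p$salt_b64$hash_b64.
# n=2**14, r=8 costs about 16 MiB of memory per verification; raise n where there is headroom.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a salted scrypt hash suitable for storing in the env file."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash string.
    Unknown or malformed formats yield False instead of an exception, so a corrupted
    env file fails closed rather than crashing the auth path with a traceback."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        # Parameters come from the stored string so old hashes keep verifying after a cost bump.
        dk = hashlib.scrypt(password.encode(), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(dk, expected)
```

`hmac.compare_digest` is what makes the comparison independent of how many leading bytes match; a plain `==` on the derived key would leak timing information to anyone who can measure API latency.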

## Operational tooling

- `scripts/backup.sh` + `limristem-mail-backup.timer`
- `scripts/restore.sh`
- `scripts/performance-report.sh`
- `scripts/sync-postsrsd-domains.sh` + timer

## Remaining external dependencies

The repository can provision the stack, but these still depend on the deployed environment:
- public DNS and reverse DNS
- public certificate trust
- IP reputation
- end-to-end SMTP/IMAP acceptance tests from the target host
