# Limristem eMail Live Deployment

Use this flow after the stack has been installed on the real Debian host.

## 1. Prepare the environment

Set at least:

```bash
export LIMRISTEM_MAIL_HOSTNAME=mail.example.com
export LIMRISTEM_MAIL_PRIMARY_DOMAIN=example.com
export LIMRISTEM_MAIL_PUBLIC_IP=203.0.113.10
export LIMRISTEM_MAIL_PUBLIC_IPV6=
export LIMRISTEM_MAIL_DKIM_SELECTOR=default
export LIMRISTEM_MAIL_SSL_MODE=letsencrypt
export LIMRISTEM_MAIL_ENABLE_MTA_STS=yes
export LIMRISTEM_MAIL_ENABLE_TLS_RPT=yes
```

Run the installer, then export the live bundle:

```bash
sudo ./install.sh
sudo /opt/limristem-mail/bin/export-live-bundle.sh
```

The default output directory is `/var/lib/limristem-mail/live-deployment`.

## 2. Publish the public records

Use the generated files:

- `dns-zone-<domain>.txt`
- `rdns-request.txt`
- `firewall-ports.txt`

Minimum public records:

- `A` / `AAAA` for the mail host
- `MX` for the primary domain
- `SPF`
- `DKIM`
- `DMARC`
- optional `MTA-STS` / `TLS-RPT`
- `PTR/rDNS` via the network provider

## 3. Verify certificates and policy endpoints

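For production deliverability, use a publicly trusted certificate. Confirm that it has been issued and that the health and MTA-STS policy endpoints answer over HTTPS: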

```bash
sudo certbot certificates
curl -I https://mail.example.com/health
curl -I https://mta-sts.example.com/.well-known/mta-sts.txt
```
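
`curl -I` only shows that the policy endpoint responds. Senders that honour MTA-STS in `enforce` mode will not deliver to an MX host the policy body does not list, so the body is worth checking too. The script below is an added example, not part of the Limristem tooling; the function names `mx_matches` and `check_mta_sts_policy` and the sample policy are constructed for illustration, and the field rules follow RFC 8461.

```bash
# Added example: validate an MTA-STS policy body (RFC 8461) read from stdin.
# Live use, with this page's placeholder hostnames:
#   curl -fsS https://mta-sts.example.com/.well-known/mta-sts.txt | check_mta_sts_policy mail.example.com

# mx_matches PATTERN HOST: exact match, or "*.domain" covering exactly one left-most label.
mx_matches() (
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*) suffix=${pattern#\*}          # e.g. ".example.com"
              label=${host%"$suffix"}       # the part the wildcard must cover
              [ "$label" != "$host" ] && [ -n "$label" ] &&
                  case "$label" in *.*) false ;; *) true ;; esac ;;
        *)    [ "$pattern" = "$host" ] ;;
    esac
)

# check_mta_sts_policy HOST: succeeds only if the policy is well-formed and
# HOST is covered by an mx: line. Problems are reported on stderr.
check_mta_sts_policy() (
    host=$1 version= mode= max_age= covered=no rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%:*}
        # Strip surrounding whitespace, including the CR of CRLF line endings.
        val=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in
            version) version=$val ;;
            mode)    mode=$val ;;
            max_age) max_age=$val ;;
            mx)      if mx_matches "$val" "$host"; then covered=yes; fi ;;
        esac
    done
    [ "$version" = "STSv1" ] || { echo "version must be STSv1" >&2; rc=1; }
    case "$mode" in
        enforce|testing|none) ;;
        *) echo "mode must be enforce, testing or none" >&2; rc=1 ;;
    esac
    case "$max_age" in
        ''|*[!0-9]*) echo "max_age missing or not numeric" >&2; rc=1 ;;
        *) [ "$max_age" -le 31557600 ] || { echo "max_age above 31557600" >&2; rc=1; } ;;
    esac
    # mx: lines are optional only when mode is "none".
    if [ "$mode" != "none" ] && [ "$covered" != yes ]; then
        echo "$host is not covered by any mx: entry" >&2; rc=1
    fi
    [ "$rc" -eq 0 ]
)

# Constructed sample policy with CRLF line endings.
SAMPLE_POLICY=$(printf 'version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\nmax_age: 86400\r\n')
```

A non-zero exit status means the published policy and the `MX` record disagree or a required field is malformed.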

## 4. Run public checks

```bash
sudo /opt/limristem-mail/bin/deliverability-check.sh example.com mail.example.com 203.0.113.10 default
sudo /opt/limristem-mail/bin/deliverability-report.sh example.com mail.example.com 203.0.113.10 default
```

If enabled, `limristem-mail-deliverability-report.timer` keeps producing timestamped reports under `/var/lib/limristem-mail/live-deployment/reports`.

## 5. Warm up the sender reputation

- start with low traffic
- monitor the mail queue with `postqueue -p` and the service logs with `journalctl -u postfix -u rspamd -u dovecot`
- watch for SPF/DKIM/DMARC alignment failures
- send test messages to major providers before ramping up volume
