Memory: Mail Server (Dovecot on gravlax)

Architecture Decision

Dovecot only — no Postfix. No external mail routing from this server.
• Inbound from internet: still via popit3 fetching from Live.com POP3 (unchanged)
• Outbound to internet: still via Brevo SMTP relay (envoy replies) or Swisscom (John's own mail)
• This server is a private mailbox store for IMAP clients (phone, laptop) and envoy
• No PTR record needed; no port 25 involved

Mailboxes

Three virtual users (passwd-file auth, SHA512-CRYPT):
• john — John's personal mailbox
• envoy — Envoy agent mailbox
• hermes — Claude Code assistant mailbox
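Added example (not from the original note): a small offline check for the passwd-file that backs these three users, covering both the SHA512-CRYPT requirement here and the pre-hashed passwords the playbook prerequisites call for. It parses Dovecot's passwd-file layout (user:{SCHEME}hash:...), flags any entry whose scheme is not SHA512-CRYPT or whose hash is not a well-formed crypt(3) $6$ string, and reports missing or unexpected users. The sample file and its hash characters are constructed filler of the right length and alphabet, not real hashes; the user list is the one from this note.

```python
import re
from dataclasses import dataclass

# crypt(3) SHA512 form: $6$[rounds=N$]salt$digest, digest is 86 chars of ./0-9A-Za-z
SHA512_CRYPT_RE = re.compile(
    r"^\$6\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]{86})$"
)


@dataclass
class PasswdEntry:
    user: str
    scheme: str   # e.g. "SHA512-CRYPT"; empty when the line has no {SCHEME} prefix
    secret: str   # the hash (or the cleartext, if someone used {PLAIN})


def parse_passwd_file(text: str) -> list:
    """Parse Dovecot passwd-file lines; only user and password fields are used."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        secret_field = rest.split(":", 1)[0]          # drop uid:gid:gecos:home... fields
        m = re.match(r"^\{([^}]+)\}(.*)$", secret_field)
        scheme, secret = (m.group(1).upper(), m.group(2)) if m else ("", secret_field)
        entries.append(PasswdEntry(user, scheme, secret))
    return entries


def audit_entries(entries, expected_users) -> list:
    """Return (user, problem) findings; an empty list means the file is acceptable."""
    findings, seen = [], set()
    for e in entries:
        if e.user in seen:
            findings.append((e.user, "duplicate user"))
        seen.add(e.user)
        if e.scheme != "SHA512-CRYPT":
            label = e.scheme or "no scheme prefix"
            findings.append((e.user, f"scheme {label} is not SHA512-CRYPT"))
        elif not SHA512_CRYPT_RE.match(e.secret):
            findings.append((e.user, "malformed SHA512-CRYPT hash"))
    for user in sorted(set(expected_users) - seen):
        findings.append((user, "expected user missing"))
    for user in sorted(seen - set(expected_users)):
        findings.append((user, "unexpected user"))
    return findings


# Constructed sample: 86 filler characters from the crypt alphabet, NOT a real hash.
FAKE_DIGEST = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
               "0123456789./abcdefghijklmnopqrstuv")
SAMPLE_PASSWD = f"""# constructed sample passwd-file for mail.critchley.biz
john:{{SHA512-CRYPT}}$6$saltsalt${FAKE_DIGEST}
envoy:{{PLAIN}}correct-horse
hermes:{{SHA512-CRYPT}}$6$tooshort
"""
EXPECTED_USERS = ("john", "envoy", "hermes")


def run_sample():
    return audit_entries(parse_passwd_file(SAMPLE_PASSWD), EXPECTED_USERS)


if __name__ == "__main__":
    for user, problem in run_sample():
        print(f"{user}: {problem}")
```

Running it on the sample reports envoy (cleartext scheme) and hermes (truncated hash) and accepts john; pointing parse_passwd_file at the real file generated from secrets.yml gives the same check before the playbook's users tag is run.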

Hostname

Permanent name: mail.critchley.biz (CNAME → gravlax.critchley.biz).
Use this name everywhere (certs, client config, netrc) so the server can move to a different host without reconfiguring clients.

ZoneEdit CNAME to add (no API — must be done manually in ZoneEdit control panel):

Ansible Playbook

File: ~/ansible/setup_mail.yml

Prerequisites before running:
• CNAME mail.critchley.biz added in ZoneEdit and propagated
• secrets.yml contains three pre-hashed passwords (generate with doveadm pw -s SHA512-CRYPT):

Playbook tags: install, vmail, config, users, certs, ports

Key Config Details

• IMAPS on port 993 (TLS required)
• LMTP unix socket: /var/run/dovecot/lmtp (mode 0660, owner vmail:vmail)
• Maildir storage: /var/mail/vhosts/{user}/
• TLS: Let's Encrypt for mail.critchley.biz via Apache webroot on gravlax
• Cert renewal hook auto-reloads Dovecot

Client Config Changes Needed After Setup

stunnel on pomelo currently tunnels port 143 → cv.critchley.biz:993. Update to mail.critchley.biz:993 (or leave as-is, since cv.critchley.biz is a DNS alias for gravlax anyway).

netrc entry machine imap already has login envoy — the password will need updating to the new Dovecot password.

Outstanding: popit3 Delivery

popit3 currently writes directly to local Maildir on pomelo. Once the mail server is on gravlax, popit3 needs to deliver remotely. Options:
• Submit via LMTP over TCP to gravlax (requires a small change to process_emails.py)
• Move popit3 to run on gravlax
This is not yet done — the popit3 delivery path is the main remaining work item.
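Added example (not the note's own code, and not the current process_emails.py): what the first option looks like from the popit3 side, using smtplib.LMTP from the standard library. The note only defines a unix-socket LMTP listener, so the TCP host and port here (mail.critchley.biz:24) and the virtual-user domain (critchley.biz) are assumptions that would need a matching inet_listener in the Dovecot config. So that it runs offline, the block includes a constructed single-session fake LMTP server standing in for Dovecot; it records the commands it sees and the message body, including a line that starts with a dot, to show the dot-stuffing round trip.

```python
import email.policy
import smtplib
import socket
import threading
from email.message import EmailMessage

# Assumed values, not from the note: a TCP inet_listener for LMTP on gravlax.
LMTP_HOST = "mail.critchley.biz"
LMTP_PORT = 24
VIRTUAL_DOMAIN = "critchley.biz"   # assumed domain for the virtual users


def deliver_lmtp(msg: EmailMessage, sender: str, mailbox: str,
                 host: str = LMTP_HOST, port: int = LMTP_PORT) -> dict:
    """Hand one fetched message to Dovecot over LMTP/TCP.
    Returns smtplib's dict of refused recipients; {} means the mailbox accepted it."""
    rcpt = f"{mailbox}@{VIRTUAL_DOMAIN}"
    wire = msg.as_bytes(policy=email.policy.SMTP)          # CRLF line endings
    with smtplib.LMTP(host, port, local_hostname=socket.gethostname()) as client:
        return client.sendmail(sender, [rcpt], wire)


class FakeLMTPServer(threading.Thread):
    """Constructed stand-in for Dovecot's LMTP listener, only so the example runs
    offline. Serves one session on 127.0.0.1 and records what the client sent."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.commands, self.message = [], b""

    def run(self):
        conn, _ = self.sock.accept()
        reader = conn.makefile("rb")
        conn.sendall(b"220 fake.lmtp ready\r\n")
        in_data, body = False, []
        for raw in reader:
            if in_data:
                if raw == b".\r\n":
                    self.message, in_data = b"".join(body), False
                    conn.sendall(b"250 2.0.0 delivered\r\n")   # one status per recipient
                else:
                    body.append(raw[1:] if raw.startswith(b"..") else raw)  # un-stuff
                continue
            line = raw.decode(errors="replace").rstrip("\r\n")
            self.commands.append(line)
            verb = line.split(" ", 1)[0].upper()
            if verb == "LHLO":
                conn.sendall(b"250 fake.lmtp\r\n")
            elif verb in ("MAIL", "RCPT"):
                conn.sendall(b"250 2.1.0 ok\r\n")
            elif verb == "DATA":
                in_data = True
                conn.sendall(b"354 go ahead\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"500 unknown\r\n")
        conn.close()
        self.sock.close()


def demo_delivery():
    """Deliver a constructed message to the fake server; returns what it observed."""
    server = FakeLMTPServer()
    server.start()
    msg = EmailMessage()                       # constructed sample, as popit3 would fetch
    msg["From"] = "someone@example.com"
    msg["To"] = f"envoy@{VIRTUAL_DOMAIN}"
    msg["Subject"] = "fetched from Live.com"
    msg.set_content("body line\n.leading dot line must survive dot-stuffing\n")
    refused = deliver_lmtp(msg, "someone@example.com", "envoy",
                           host="127.0.0.1", port=server.port)
    server.join(timeout=5)
    return refused, server.commands, server.message


if __name__ == "__main__":
    refused, commands, message = demo_delivery()
    print("refused:", refused)
    print("\n".join(commands))
```

In process_emails.py the change would be replacing the local Maildir write with a deliver_lmtp call per fetched message and treating a non-empty refused dict or an smtplib exception as "not delivered" so the message is not deleted from the POP3 side.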

Status (2026-06-08)

Playbook written, not yet run. CNAME not yet added in ZoneEdit. gravlax is clean (Debian 12, no Dovecot installed).

version 1  ·  created 2026-06-08  ·  updated 2026-06-08