SMTP Relays

SMTP Relays are third-party services that can deliver email on your behalf. They can be useful when, for example, port 25 is blocked, the cloud provider/ISP doesn't provide Reverse DNS, or the IP address has a low reputation, among other situations where deliverablity isn't great.

These services are governed by their own terms and as such limits can be imposed in the usage of those services.

Here, you can configure an authenticated SMTP relay and authorize it's associated servers to send mail for you.

SMTP Relay Configuration

If you've already set up a relay before on this box, you can leave this field blank if you don't want to change it's password.

Authorized Servers

The relay service should specify the servers where the email will be sent from, please add them below. These will probably be published in the form of a SPF record. Failure to do so will potentially have your email sent to spam or even rejected altogether by recipients.

You can use the button below to attempt to localize the SPF record associated with the service you're using.


Add your SPF configuration/authorized servers here

You can separate multiple servers with commas or spaces. You can also add IP addresses or subnets using 10.20.30.40 or 10.0.0.0/8. You can "import" SPF records using spf:example.com. If your provider gave you an SPF record to add to your DNS, you can also paste it here.

DKIM Configuration

DKIM allows receivers to verify that the email was sent by the relay you configured (this is, somebody you trust). If your relay provider does not provide you with this information, it's probably safe to skip this step.

Paste the DKIM key here:

After configuration

By that time you should be good to go. If your relay provider provides their own custom DNS verification methods (including custom DMARC configurations), feel free to publish them on DNS.

mail.cfpandp.com

Welcome to your Power Mail-in-a-Box control panel.

System Status Checks

Backup Status

The box makes an incremental backup each night. By default the backup is stored on the machine itself, but you can also store it on S3-compatible services like Amazon Web Services (AWS).

Configuration

Backups are stored on this machine’s own hard disk. You are responsible for periodically using SFTP (FTP over SSH) to copy the backup files from to a safe location. These files are encrypted, so they are safe to store anywhere.

Separately copy the encryption password from to a safe and secure location. You will need this file to decrypt backup files.

Backups synced to a remote machine using rsync over SSH, with local copies in . These files are encrypted, so they are safe to store anywhere.

Separately copy the encryption password from to a safe and secure location. You will need this file to decrypt backup files.

Copy the Public SSH Key above, and paste it within the ~/.ssh/authorized_keys of target user on the backup server specified above. That way you'll enable secure and passwordless authentication from your mail-in-a-box server and your backup server.

Backups are stored in an S3-compatible bucket. You must have an AWS or other S3 service account already.

You MUST manually copy the encryption password from to a safe and secure location. You will need this file to decrypt backup files. It is NOT stored in your S3 bucket.

Backups are stored in a Backblaze B2 bucket. You must have a Backblaze account already.

You MUST manually copy the encryption password from to a safe and secure location. You will need this file to decrypt backup files. It is NOT stored in your Backblaze B2 bucket.


This is the minimum time backup data is kept for. The box makes an incremental backup most nights, which requires that previous backups back to the most recent full backup be preserved, so backup data is often kept much longer than this setting. Full backups are made periodically when the incremental backup data size exceeds a limit.

Available backups

The backup location currently contains the backups listed below. The total size of the backups is currently .

When Type Size Deleted in...

External DNS

This is an advanced configuration page.

Although your box is configured to serve its own DNS, it is possible to host your DNS elsewhere — such as in the DNS control panel provided by your domain name registrar or virtual cloud provider — by copying the DNS zone information shown in the table below into your external DNS server’s control panel.

If you do so, you are responsible for keeping your DNS entries up to date! If you previously enabled DNSSEC on your domain name by setting a DS record at your registrar, you will likely have to turn it off before changing nameservers.

Download zonefile

You can download your zonefiles here or use the table of records below.

Records

QName Type Value

Custom DNS

This is an advanced configuration page.

It is possible to set custom DNS records on domains hosted here.

Set custom DNS records

You can set additional DNS records, such as if you have a website running on another server, to add DKIM records for external mail providers, or for various confirmation-of-ownership tests.

Leave the left field blank to set a record on the chosen domain name, or enter a subdomain.
Sort by: Domain name | Created

Using a secondary nameserver

If your TLD requires you to have two separate nameservers, you can either set up external DNS and ignore the DNS server on this box entirely, or use the DNS server on this box but add a secondary (aka “slave”) nameserver.

If you choose to use a secondary nameserver, you must find a secondary nameserver service provider. Your domain name registrar or virtual cloud provider may provide this service for you. Once you set up the secondary nameserver service, enter the hostname (not the IP address) of their secondary nameserver in the box below.

Multiple secondary servers can be separated with commas or spaces (i.e., ns2.hostingcompany.com ns3.hostingcompany.com). To enable zone transfers to additional servers without listing them as secondary nameservers, add an IP address or subnet using xfr:10.20.30.40 or xfr:10.0.0.0/8.

Custom DNS API

Use your box’s DNS API to set custom DNS records on domains hosted here. For instance, you can create your own dynamic DNS service.

Usage:

curl -X VERB [-d "value"] --user {email}:{password} https://mail.cfpandp.com/admin/dns/custom[/qname[/rtype]]

(Brackets denote an optional argument.)

Verbs

Verb Usage
GET Returns matching custom DNS records as a JSON array of objects. Each object has the keys qname, rtype, and value. The optional qname and rtype parameters in the request URL filter the records returned in the response. The request body (-d "...") must be omitted.
PUT Sets a custom DNS record replacing any existing records with the same qname and rtype. Use PUT (instead of POST) when you only have one value for a qname and rtype, such as typical A records (without round-robin).
POST Adds a new custom DNS record. Use POST when you have multiple TXT records or round-robin A records. (PUT would delete previously added records.)
DELETE Deletes custom DNS records. If the request body (-d "...") is empty or omitted, deletes all records matching the qname and rtype. If the request body is present, deletes only the record matching the qname, rtype and value.

Parameters

Parameter Value
email The email address of any administrative user here.
password That user’s password.
qname The fully qualified domain name for the record you are trying to set. It must be one of the domain names or a subdomain of one of the domain names hosted on this box. (Add mail users or aliases to add new domains.)
rtype The resource type. Defaults to A if omitted. Possible values: A (an IPv4 address), AAAA (an IPv6 address), TXT (a text string), CNAME (an alias, which is a fully qualified domain name — don’t forget the final period), MX, SRV, SSHFP, CAA or NS.
value For PUT, POST, and DELETE, the record’s value. If the rtype is A or AAAA and value is empty or omitted, the IPv4 or IPv6 address of the remote host is used (be sure to use the -4 or -6 options to curl). This is handy for dynamic DNS!

Strict SPF and DMARC records will be added to all custom domains unless you override them.

Examples:

Try these examples. For simplicity the examples omit the --user me@mydomain.com:yourpassword command line argument which you must fill in with your email address and password.

# sets laptop.mydomain.com to point to the IP address of the machine you are executing curl on
curl -X PUT https://mail.cfpandp.com/admin/dns/custom/laptop.mydomain.com

# deletes that record and all A records for that domain name
curl -X DELETE https://mail.cfpandp.com/admin/dns/custom/laptop.mydomain.com

# sets a CNAME alias
curl -X PUT -d "bar.mydomain.com." https://mail.cfpandp.com/admin/dns/custom/foo.mydomain.com/cname

# deletes that CNAME and all CNAME records for that domain name
curl -X DELETE https://mail.cfpandp.com/admin/dns/custom/foo.mydomain.com/cname

# adds a TXT record using POST to preserve any previous TXT records
curl -X POST -d "some text here" https://mail.cfpandp.com/admin/dns/custom/foo.mydomain.com/txt

# deletes that one TXT record while preserving other TXT records
curl -X DELETE -d "some text here" https://mail.cfpandp.com/admin/dns/custom/foo.mydomain.com/txt

PGP Keyring Management

Daemon's Private Key

Imported Public Keys

Import Key

You can upload your public key/keychain here. Keys must be submitted in ASCII-armored format.
If you're using gpg, you can export your public key by following this example:

# Get all the keys in the ring
$ gpg --list-keys
/home/you/.gnupg/pubring.kbx
----------------------------
pub   rsa4096 1970-01-01 [SC]
    247C3553B4B36107BA0490C3CAFCCF3B4965761A
uid           [  full  ] Someone That I Used to Know <someone@example.com>
sub   rsa2048 2020-01-01 [E] [expires: 2069-12-31]

pub   rsa4096 1970-01-01 [SC] [expires: 2069-12-31]
    52661092E5CD9EEFD7796B19E85F540C9318B69F
uid           [ultimate] Me, Myself and I <me@example.net>
sub   rsa2048 2020-05-24 [E] [expires: 2069-12-31]

# Let's export the key "Me, Myself and I"
$ gpg --export --armor 52661092E5CD9EEFD7796B19E85F540C9318B69F
-----BEGIN PGP PUBLIC KEY BLOCK-----

copy and paste this block in the area below
-----END PGP PUBLIC KEY BLOCK-----
        

WKD Management

WKD (Web Key Directory) is an experimental feature that allows users to authoratively publish their public PGP keys on the web, via HTTPS.

Unlike other solutions (like public keyservers), WKD has the advantage that the owner of the domain has some degree of control over what keys are published and as such there is more certainity that the key actually belongs to it's owner.

As of this version, there is no support for WKS - This may or may not change in the future.

Hosting somewhere else

If you have a separate server to host WKD, you can still use it instead of this box on a per-domain basis.
This box uses the Advanced Method to serve the keys. For example, to host your @some.example.com keys, you can add a A, AAAA or CNAME record for openpgpkey.some.example.com. It will override the box's records.

There's not a way to "disable" WKD at the moment - but if you don't want to publish keys, or if you want to use the Direct method somewhere else, you can always set the records to an unreachable destination (for example, an A record to 0.0.0.0)

Emails hosted by this box

This box can serve keys to any email address hosted by this box, be it an user or an alias, granted that the key has one or more user id's with matching emails.
You can add keys on the PGP Keyring Management menu.
Email Address

Manage Password

Here you can change your account password. The new password is then valid for both this panel and your email.

If you have client emails configured, you'll then need to update the configuration with the new password. See the Mail Guide for more information about this.

After changing your password, you'll be logged out from the account and will need to log in again.

Two-Factor Authentication

When two-factor authentication is enabled, you will be prompted to enter a six digit code from an authenticator app (usually on your phone) when you log into this control panel.

Enabling two-factor authentication does not protect access to your email
Enabling two-factor authentication on this page only limits access to this control panel. Remember that most websites allow you to reset your password by checking your email, so anyone with access to your email can typically take over your other accounts. Additionally, if your email address or any alias that forwards to your email address is a typical domain control validation address (e.g admin@, administrator@, postmaster@, hostmaster@, webmaster@, abuse@), extra care should be taken to protect the account. Always use a strong password, and ensure every administrator account for this control panel does the same.
Loading...

Setup Instructions

1. Install FreeOTP or any other two-factor authentication app that supports TOTP.

2. Scan the QR code in the app or directly enter the secret into the app:

When you click Enable Two-Factor Authentication, you will be logged out of the control panel and will have to log in again, now using your two-factor authentication app.

Two-factor authentication is active for your account on device .

You will have to log into the admin panel again after disabling two-factor authentication.

mail.cfpandp.com

Log in here for your Mail-in-a-Box control panel.

Checking and Sending Mail

Webmail

Webmail lets you check your email from any web browser. Your webmail site is:

https://mail.cfpandp.com/mail

Your username is your whole email address.

Mobile/desktop apps

Automatic configuration

iOS and OS X only: Open this configuration link on your iOS device or on your Mac desktop to easily set up mail (IMAP/SMTP), Contacts, and Calendar. Your username is your whole email address.

Manual configuration

Use the following settings when you set up your email on your phone, desktop, or other device:

Option Value
Protocol/Method IMAP
Mail server mail.cfpandp.com
IMAP Port 993
IMAP Security SSL or TLS
SMTP Port 465
SMTP Security SSL or TLS
Username: Your whole email address.
Password: Your mail password.

In addition to setting up your email, you’ll also need to set up contacts and calendar synchronization separately.

As an alternative to IMAP you can also use the POP protocol: choose POP as the protocol, port 995, and SSL or TLS security in your mail client. The SMTP settings and usernames and passwords remain the same. However, we recommend you use IMAP instead.

Exchange/ActiveSync settings

On iOS devices, devices on this compatibility list, or using Outlook 2007 or later on Windows 7 and later, you may set up your mail as an Exchange or ActiveSync server. However, we’ve found this to be more buggy than using IMAP as described above. If you encounter any problems, please use the manual settings above.

Server mail.cfpandp.com
Options Secure Connection

Your device should also provide a contacts list and calendar that syncs to this box when you use this method.

Other information about mail on your box

Greylisting

Your box uses a technique called greylisting to cut down on spam. Greylisting works by initially rejecting mail from people you haven’t received mail from before. Legitimate mail servers will attempt redelivery shortly afterwards, but the vast majority of spam gets tricked by this. If you are waiting for an email from someone new, such as if you are registering on a new website and are waiting for an email confirmation, please be aware there will be a minimum of 3 minutes delay, depending how soon the remote server attempts redelivery.

+tag addresses

Every incoming email address also receives mail for +tag addresses. If your email address is you@yourdomain.com, you’ll also automatically get mail sent to you+anythinghere@yourdomain.com. Use this as a fast way to segment incoming mail for your own filtering rules without having to create aliases in this control panel.

Use only this box to send as you

Your box sets strict email sending policies for your domain names to make it harder for spam and other fraudulent mail to claim to be you. Only this machine is authorized to send email on behalf of your domain names. If you use any other service to send email as you, it will likely get spam filtered by recipients.

Users

Add a mail user

Add an email address to this system. This will create a new login username/password.

  • Passwords must be at least eight characters. If you're out of ideas, you can generate a random password.
  • Use aliases to create email addresses that forward to existing accounts.
  • Administrators get access to this control panel.
  • User accounts cannot contain any international (non-ASCII) characters, but aliases can.
  • Quotas may not contain any spaces, commas or decimal points. Suffixes of G (gigabytes) and M (megabytes) are allowed. For unlimited storage enter 0 (zero)

Existing mail users

Email Address Messages Size Used Quota Actions
set quota | set password | archive account
To restore account, create a new account with this email address. Or to permanently delete the mailbox, delete the directory on the machine.

Mail user API (advanced)

Use your box’s mail user API to add/change/remove users from the command-line or custom services you build.

Usage:

curl -X VERB [-d "parameters"] --user {email}:{password} https://mail.cfpandp.com/admin/mail/users[action]

Brackets denote an optional argument. Please note that the POST body parameters must be URL-encoded.

The email and password given to the --user option must be an administrative user on this system.

Verbs

Verb Action
GET (none) Returns a list of existing mail users. Adding ?format=json to the URL will give JSON-encoded results.
POST /add Adds a new mail user. Required POST-body parameters are email and password. Optional parameters: privilege=admin and quota
POST /remove Removes a mail user. Required POST-by parameter is email.
POST /privileges/add Used to make a mail user an admin. Required POST-body parameters are email and privilege=admin.
POST /privileges/remove Used to remove the admin privilege from a mail user. Required POST-body parameter is email.
GET /quota Get the quota for a mail user. Required POST-body parameters are email and will return JSON result
POST /quota Set the quota for a mail user. Required POST-body parameters are email and quota.

Examples:

Try these examples. For simplicity the examples omit the --user me@mydomain.com:yourpassword command line argument which you must fill in with your administrative email address and password.

# Gives a JSON-encoded list of all mail users
curl -X GET https://mail.cfpandp.com/admin/mail/users?format=json

# Adds a new email user
curl -X POST -d "email=new_user@mydomail.com" -d "password=s3curE_pa5Sw0rD" https://mail.cfpandp.com/admin/mail/users/add

# Removes a email user
curl -X POST -d "email=new_user@mydomail.com" https://mail.cfpandp.com/admin/mail/users/remove

# Adds admin privilege to an email user
curl -X POST -d "email=new_user@mydomail.com" -d "privilege=admin" https://mail.cfpandp.com/admin/mail/users/privileges/add

# Removes admin privilege from an email user
curl -X POST -d "email=new_user@mydomail.com" https://mail.cfpandp.com/admin/mail/users/privileges/remove

Aliases

Add a mail alias

Aliases are email forwarders. An alias can forward email to a mail user or to any email address.

To use an alias or any address besides your own login username in outbound mail, the sending user must be included as a permitted sender for the alias.

Enter just the part of an email address starting with the @-sign. You may use international (non-ASCII) characters for the domain part of the email address only.
Enter just the part of an email address starting with the @-sign. Only forward mail to addresses handled by this Mail-in-a-Box, since mail forwarded by aliases to other domains may be rejected or filtered by the receiver. To forward mail to other domains, create a mail user and then log into webmail for the user and create a filter rule to forward mail.

Permitted Senders

Existing mail aliases

Alias
Forwards To Permitted Senders

hostmaster@, postmaster@, admin@ and abuse@ email addresses are required on some domains.

Mail aliases API (advanced)

Use your box’s mail aliases API to add and remove mail aliases from the command-line or custom services you build.

Usage:

curl -X VERB [-d "parameters"] --user {email}:{password} https://mail.cfpandp.com/admin/mail/aliases[action]

Brackets denote an optional argument. Please note that the POST body parameters must be URL-encoded.

The email and password given to the --user option must be an administrative user on this system.

Verbs

Verb Action
GET (none) Returns a list of existing mail aliases. Adding ?format=json to the URL will give JSON-encoded results.
POST /add Adds a new mail alias. Required POST-body parameters are address and forwards_to.
POST /remove Removes a mail alias. Required POST-body parameter is address.

Examples:

Try these examples. For simplicity the examples omit the --user me@mydomain.com:yourpassword command line argument which you must fill in with your email address and password.

# Gives a JSON-encoded list of all mail aliases
curl -X GET https://mail.cfpandp.com/admin/mail/aliases?format=json

# Adds a new alias
curl -X POST -d "address=new_alias@mydomail.com" -d "forwards_to=my_email@mydomain.com" https://mail.cfpandp.com/admin/mail/aliases/add

# Removes an alias
curl -X POST -d "address=new_alias@mydomail.com" https://mail.cfpandp.com/admin/mail/aliases/remove

Contacts & Calendar Synchronization

This box can hold your contacts and calendar, just like it holds your email.


In your browser

You can edit your contacts and calendar from your web browser.

For... Visit this URL
Contacts https://mail.cfpandp.com/cloud/contacts
Calendar https://mail.cfpandp.com/cloud/calendar

Log in settings are the same as with mail: your complete email address and your mail password.

On your mobile device

If you set up your mail using Exchange/ActiveSync, your contacts and calendar may already appear on your device.

Otherwise, here are some apps that can synchronize your contacts and calendar to your Android phone.

For... Use...
Contacts and Calendar DAVx⁵ ($5.99; free here)
Only Contacts CardDAV-Sync free (free)
Only Calendar CalDAV-Sync ($2.99)

Use the following settings:

Account Type CardDAV or CalDAV
Server Name mail.cfpandp.com
Use SSL Yes
Username Your complete email address.
Password Your mail password.

Static Web Hosting

This machine is serving a simple, static website at https://mail.cfpandp.com and at all domain names that you set up an email user or alias for.

Uploading web files

You can replace the default website with your own HTML pages and other static files. This control panel won’t help you design a website, but once you have .html files you can upload them following these instructions:

  1. Ensure that any domains you are publishing a website for have no problems on the Status Checks page.
  2. On your personal computer, install an SSH file transfer program such as FileZilla or scp.
  3. Log in to this machine with the file transfer program. The server is mail.cfpandp.com, the protocol is SSH or SFTP, and use the SSH login credentials that you used when you originally created this machine at your cloud host provider. This is not what you use to log in either for email or this control panel. Your SSH credentials probably involves a private key file.
  4. Upload your .html or other files to the directory /home/user-data/www/default on this machine. They will appear directly and immediately on the web.
  5. The websites set up on this machine are listed in the table below with where to put the files for each website.
  6. Site Directory for Files

    To add a domain to this table, create a dummy mail user or alias on the domain first and see the setup guide for adding nameserver records to the new domain at your registrar (but not glue records).

TLS (SSL) Certificates

A TLS (formerly called SSL) certificate is a cryptographic file that proves to anyone connecting to a web address that the connection is secure between you and the owner of that address.

You need a TLS certificate for this box’s hostname (mail.cfpandp.com) and every other domain name and subdomain that this box is hosting a website for (see the list below).

Provision certificates

Certificate status

Certificates expire after a period of time. All certificates will be automatically renewed through Let’s Encrypt 14 days prior to expiration.

Install certificate

If you don't want to use our automatic Let's Encrypt integration, you can give any other certificate provider a try. You can generate the needed CSR below.

A multi-domain or wildcard certificate will be automatically applied to any domains it is valid for besides the one you choose above.

This is required by some TLS certificate providers. You may just pick any if you know your TLS certificate provider doesn't require it.

Munin Monitoring

Opening munin in a new tab... You may need to allow pop-ups for this site.