# Master Manuscript — APPENDICES (Final Section)

## Glossary

A reference guide for readers, including technical and conceptual terms used throughout the book. (Headwords were lost in extraction and have been restored from the definitions and from the terms used elsewhere in the book.)

- **A record**: DNS records pointing a domain to an IPv4 address.
- **Authentication (email)**: The process by which a receiving mail server verifies the authenticity of the sending system (SPF, DKIM, DMARC).
- **Backup (incremental)**: A backup that stores only the changes since the last backup, reducing storage and bandwidth usage.
- **Bare-metal recovery**: Rebuilding a system entirely from backups after complete hardware loss.
- **Certificate Authority (CA)**: An organisation that issues TLS certificates. Your system uses DNSSEC + DANE to remove excessive reliance on CAs.
- **Chunk (PBS)**: PBS stores data in deduplicated "chunks." Only new or changed chunks are saved, improving efficiency.
- **Cryptographic identity**: Identity proven using cryptographic methods rather than trust in intermediaries; includes DNSSEC, DANE, DKIM, and TLSA.
- **DANE**: A system binding TLS certificates to DNSSEC-protected DNS records.
- **DKIM**: A cryptographic signature used to prove that an email genuinely comes from the domain it claims.
- **DMARC**: A policy that instructs receiving mail servers how to handle failures of SPF and DKIM, and checks alignment.
- **DNS**: The internet's addressing system, converting names to IP addresses.
- **DNSSEC**: A protocol that digitally signs DNS records to prevent tampering.
- **Dovecot**: A popular, secure IMAP/POP mail storage server.
- **Exim**: A mail transfer agent used by WHM/cPanel. Limited compared to Postfix in advanced identity and SNI bridging.
- **Firewall**: A system that controls traffic flows based on rules. In your system: nftables and PVE firewall layers.
- **IMAP**: Protocol enabling lightweight, remote access to mail stored on a server.
- **Key rotation**: Regular changing of cryptographic keys to mitigate long-term compromise risk.
- **Lego**: A certificate client used to automate TLS certificate issuance via DNS challenges.
- **Maildir**: A robust email storage format used by Dovecot.
- **MX record**: DNS records that specify which mail server accepts mail for a domain.
- **nftables**: Modern Linux firewall system, replacing iptables.
- **PBS (Proxmox Backup Server)**: A backup and deduplication system used for VM-level backups.
- **PMG (Proxmox Mail Gateway)**: Your mail-filtering gateway performing antispam, antivirus, and policy checks.
- **Postfix**: A widely used mail transfer agent responsible for SMTP transport.
- **PTR record**: Reverse DNS records, mapping IP addresses to hostnames.
- **Webmail client**: A webmail client connected to Dovecot.
- **SASL**: Authentication layer used by Postfix for validating SMTP submission.
- **SNI**: TLS extension allowing servers to present different certificates based on hostname. Used extensively in your system.
- **SPF**: DNS record specifying which servers may send mail for a domain.
- **TLS**: Protocol securing communication over the internet.
- **TLSA**: DNS record binding your server's TLS certificate to a DNSSEC-protected fingerprint.
- **VPN**: Virtual Private Network, optional for PBS-to-PBS traffic if required.
## Architecture Diagrams

(Presented in ASCII/text form for portability and clarity.)

### Mail flow

```text
        +-----------------------+
        |     The Internet      |
        +----------+------------+
                   |
                   v
           +---------------+
           |      PMG      |
           | (Mail Gateway)|
           +-------+-------+
                   |
  ---------------------------------
                   |
                   v
           +---------------+
           |    Postfix    |
           |(Transport MTA)|
           +-------+-------+
                   |
                   v
           +---------------+
           |    Dovecot    |
           | (Mail Storage)|
           +-------+-------+
                   |
          IMAP/POP/SMTP Submission
```

### Network topology

```text
              WAN
               |
      [ Public Firewall ]
               |
       +-------+-------+
       |      PMG      |
       +-------+-------+
               |
              NAT
               |
       +-------+-------+
       |    Mailbox    |
       | (Internal LAN)|
       +-------+-------+
               |
   +-----------+-----------+
   |                       |
[Web1 VM]            [PBS-local]
```

### Identity chain

```text
DNSSEC -> DANE -> TLSA -> Certificate -> Dovecot/Postfix SNI -> User Clients
```

### Backup flow

```text
+------------------+
|    PBS-local     |
| (Fast Increment) |
+--------+---------+
         |
    Replication
         |
+--------+---------+
|    PBS-remote    |
| (Disaster Vault) |
+------------------+
```

## Configuration Patterns

(Not literal system configs — patterns and principles, portable across environments.)
### Postfix: outbound DANE, inbound opportunistic TLS

```
smtp_tls_security_level = dane
smtpd_tls_security_level = may
smtp_dns_support_level = dnssec
```

The `dane` level only works when Postfix resolves through a DNSSEC-validating resolver (which is why `smtp_dns_support_level = dnssec` accompanies it). For a destination with no validated TLSA records, Postfix falls back to opportunistic TLS rather than refusing delivery.

### Dovecot: per-hostname certificate via SNI

```
local_name mail.example.com {
  ssl_cert = </etc/ssl/example.com/cert.pem
  ssl_key = </etc/ssl/example.com/key.pem
}
```

The leading `<` tells Dovecot to read the value from the named file. One `local_name` block is used per hosted mail hostname.

### PVE: adding the remote PBS as storage

Datacentre → Storage → Add → Proxmox Backup Server:

- ID: PBS_Remote
- Server: 192.0.2.10
- Fingerprint: (paste exact SHA-256)
- Datastore: backups
- Namespace: (leave empty)

### DKIM key rotation

1. `opendkim-genkey -s 2025 -d example.com`
2. Publish `2025._domainkey.example.com` in DNS.
3. Reload Postfix/PMG.

The selector passed with `-s` becomes the DNS label, so each rotation introduces a new selector; the previous selector can stay published until mail signed with the old key has stopped circulating.

### TLSA fingerprint (SPKI, SHA-256)

```
openssl x509 -in cert.pem -noout -pubkey | \
  openssl pkey -pubin -outform DER | \
  openssl dgst -sha256 | \
  sed 's/^.* //'
```

The output is the hash field of a TLSA record using selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256), for example a `3 1 1` record for DANE-EE. Because it covers the public key rather than the whole certificate, a renewal that keeps the key pair leaves the record unchanged, while any key change requires regenerating and publishing the record before the old key is retired.

## Standards and RFCs

A non-exhaustive list of the most relevant RFCs and standards underpinning your system.
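The following script is an added worked example, not the book's own code: it wraps the TLSA fingerprint pipeline above in functions, emits the zone-file line for a DANE-EE (`3 1 1`) record, and checks a presented certificate against a published digest, which is the comparison a DANE-aware client performs. It assumes only the `openssl` CLI; the function names (`spki_sha256`, `tlsa_record`, `tlsa_matches`, `make_selfsigned`) are this example's own, the two certificates are throwaway self-signed ones generated on the fly (constructed test material, not real keys for `mail.example.com`), and port 25 is assumed for the record name.

```shell
#!/bin/sh
# Added example (not from the book): derive a TLSA record from a certificate
# and verify a presented certificate against a published digest.
# Assumes the openssl CLI is installed. All certificates below are constructed
# throwaway material generated at run time.
set -eu

# spki_sha256 CERT_PEM
# Prints the lowercase hex SHA-256 of the DER-encoded SubjectPublicKeyInfo,
# i.e. the digest for selector 1 / matching type 1 (the book's pipeline).
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 |
    sed 's/^.* //'
}

# tlsa_record HOST PORT CERT_PEM
# Prints the zone-file line for usage 3 (DANE-EE), selector 1, matching type 1.
tlsa_record() {
  printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(spki_sha256 "$3")"
}

# tlsa_matches CERT_PEM PUBLISHED_HEX
# Succeeds only if the certificate's SPKI digest equals the published digest.
# The comparison is case-insensitive because resolvers may return upper-case hex.
tlsa_matches() {
  have=$(spki_sha256 "$1")
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$have" = "$want" ]
}

# make_selfsigned OUT_PEM KEY_PEM
# Constructed test certificate for mail.example.com (self-signed, 1 day).
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=mail.example.com' -keyout "$2" -out "$1" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_selfsigned "$WORK/cert.pem" "$WORK/key.pem"          # the genuine server key
make_selfsigned "$WORK/impostor.pem" "$WORK/impostor.key" # a different key, same name

# The digest the DNSSEC-signed zone would carry for the genuine key.
PUBLISHED=$(spki_sha256 "$WORK/cert.pem")

# The record to publish (usage 3, selector 1, matching type 1).
tlsa_record mail.example.com 25 "$WORK/cert.pem"

# A client holding the published digest accepts the genuine certificate ...
if tlsa_matches "$WORK/cert.pem" "$PUBLISHED"; then
  echo "genuine certificate: SPKI digest matches published TLSA"
fi
# ... and rejects a certificate for the same name under a different key,
# which is exactly what a CA-issued but unexpected certificate looks like.
if ! tlsa_matches "$WORK/impostor.pem" "$PUBLISHED"; then
  echo "impostor certificate: SPKI digest does not match, rejected"
fi
```

Because the digest covers the SubjectPublicKeyInfo only, re-running `tlsa_record` after a renewal that preserves the key pair yields the same line; a renewal with a fresh key yields a new one, which is the case the book's "TLSA regeneration" mitigation exists for.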
## Risk and Mitigation Matrix

The following table shows typical risks and how your system mitigates them.

| Risk | Mitigation |
|------|------------|
| Catastrophic loss of hardware | PBS-remote in a different country ensures full system recoverability. |
| Encrypted mail storage | PBS-local + PBS-remote hold immutable snapshots. |
| Identity theft by attackers | Per-domain certs + DNSSEC + TLSA prevent impersonation. |
| Redirected mail to attacker servers | DNSSEC signed zones prevent forged responses. |
| Overload of MTA | PMG filtering absorbs all malicious inbound SMTP. |
| Email down externally | DNS and mail standards ensure retries for days; PBS-remote unaffected. |
| Accidental deletion or misconfiguration | VM-level rollback via PBS-local. |
| Loss of identity alignment | Automated Lego renewals + TLSA regeneration + scripts. |
| Loss of hypervisor | PVE + PBS restore process handles bare-metal rebuild. |
The entire book is now assembled in complete, anglicised Markdown.