Domains & Routing¶
Under Domains, all email domains that nmg should accept or relay mail for are managed.
Adding a Domain¶
Click + Add Domain to open the domain form. Each domain has the following fields:
Basic Settings¶
| Field | Description |
|---|---|
| Domain | Email domain (e.g. example.com) |
| Active | Enable/disable the domain without deleting it |
| Direction | inbound or outbound (see below) |
Direction: Inbound (Default)¶
Postfix accepts mail for this domain (as MX). Mail is filtered by rspamd and then forwarded to the transport host.
| Field | Description |
|---|---|
| Transport Host | Internal mail server to forward to (e.g. exchange.internal:25) |
| Transport Port | Destination port (default: 25) |
| IMAP Auth | SASL authentication via the domain's IMAP server (for outbound submission) |
| Backup MX | nmg acts as secondary MX (lower priority) and spools mail when the primary MX is unavailable |
| Sandbox Enabled | Enable YARA sandbox for inbound mail of this domain |
| Force Action | Override filter decision: allow (pass everything) or reject (reject everything) — for testing |
Direction: Outbound¶
nmg accepts mail from internal clients (port 587, SMTP auth required) and relays it to the internet.
| Field | Description |
|---|---|
| DKIM Sign | Sign outbound mail with this domain's DKIM key |
| SMTP Auth Relay | Allow SMTP authentication for senders of this domain |
DKIM Keys¶
In the domain form under the DKIM tab, keys can be generated, rotated, and the DNS TXT record displayed. Recommended: 2048-bit RSA or Ed25519.
Bayes Override¶
Allows overriding the global Bayes thresholds for individual domains (e.g. less strict for a test domain).
SaaS Billing (Metered)¶
For SaaS deployments, a domain can be marked as metered. Metered domains require a maintained mailbox list that forms the basis for monthly billing.
| Field | Description |
|---|---|
| Metered | Enable the domain for SaaS billing |
| Mailbox list | List of active mailboxes for this domain (CRUD directly in the domain form) |
Behaviour when metered=true:
- Postfix recipient and sender whitelists are automatically generated from the mailbox list — mails to/from addresses not on the list are rejected.
- Daily snapshot counts are reported to the billing API.
- Self-hosted installations ignore the metered flag entirely.
Mailbox CRUD in the domain form
Mailboxes are managed directly in the domain form under the Mailboxes tab (add, edit, delete). There is no separate mailbox management page.
DNS Recommendations¶
For each inbound domain, the following DNS records should be set:
example.com. IN MX 10 mail.example.com.
mail.example.com. IN A <IP of nmg server>
; SPF
example.com. IN TXT "v=spf1 mx ~all"
; DMARC
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
; DKIM (after key generation in the UI)
nmg._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=<publickey>"
24-Hour Traffic Chip¶
In the domain list, each row shows a small traffic chip with values from the last 24 hours (delivered / spam / rejected). The chip aggregates data from all cluster nodes.