• "A lot" of email travels over TLS post-2013
• email servers are supposed to attempt deliveries for up to 4-5 days unless they get a bounce.
• Postfix its an MTA: accepts e-mail and forwards it or places it in a mailbox.
• EncFS was used to encrypt e-mail "at rest." (2020: but don't; because security folk don't like encfs anymore.)
• `doveadm pw` hashes passwords for use in configuration files.
• MySQL was used to hold virtual domain/virtual user info (but you can also just use plain files for this.)
• Dovecot accepts TLS certificates for IMAP and stuff (2020: let's encrypt works fine.)
• Postfix also accepts TLS certificates (2020: let's encrypt works fine.)
• Set dovecot to reject plain-text logins (it will only let you log in via TLS)
• Set up unix sockets in dovecot, put the sockets in postfix' spool directory.
• Tell postfix to put incoming mail in the unix socket; LMTP and such.
• Set up dspam to process mail (2020: dspam is kill.)
• Set up sieve to put spam in a spam mailbox.
• z-push if you want exchange activesync support
• You can set up solr for inbox searching (2020: probably better options; dovecot has text search, mu4e, notmuch, ...)

• Coding Horror on setting up e-mail servers

DKIM (with OpenDKIM)

• Generate keys with opendkim-genkey
• Configure opendkim to trust localhost and sign stuff when localhost asks
• Embed public key in DNS record
• Embed private key somewhere postfix+opendkim can read it
• Set postfix to sign messages with the daemon

To generate the keys:

opendkim-genkey -r -h sha256 -d awesomebox.sealedabstract.com -s mail