Difference between revisions of "Mail Server"

From Briki
Jump to: navigation, search
 
 
(18 intermediate revisions by 8 users not shown)
Line 1: Line 1:
 +
== General ==
 +
See https://help.ubuntu.com/community/MailServer for an introduction to MTA/Spamassassin
 +
 +
; MTA : Mail Transport Agent (generally SMTP)
 +
; MDA : Mail Delivery Agent
 +
; MUA : Mail User Agent (generally POP3 or IMAP)
 +
 +
Briefly, the workflow for mail delivery is:
 +
 +
'''[Internet] -> postfix (MTA) ->  SpamAssassin -> postfix (MTA) -> procmail (MDA) -> $HOME/Maildir'''
 +
 +
and for mail viewing:
 +
 +
'''$HOME/Maildir -> Courier (IMAP MUA) -> Thunderbird/Outlook'''
 +
 +
or
 +
 +
'''$HOME/Maildir -> Mutt/Pine'''
 +
 +
== Switching from /var/mail/<user> to $HOME/Maildir ==
 +
* Add to /etc/procmailrc:
 +
<pre>
 +
# Ensure mail files are owned by recipient
 +
DROPPRIVS=yes
 +
 +
MAILDIR=$HOME/Maildir
 +
DEFAULT="$MAILDIR/"
 +
</pre>
 +
* Change '''session    optional  pam_mail.so standard''' to  '''session    optional  pam_mail.so standard dir=~/Maildir''' in ''/etc/pam.d/login'' (to set $MAIL and get new mail prompts in bash)
 +
* Change '''session    optional  pam_mail.so standard noenv # [1]''' to  '''session    optional  pam_mail.so standard dir=~/Maildir # [1]''' in ''/etc/pam.d/ssh'' (to set $MAIL and get new mail prompts in bash)
 +
* Change '''session    optional  pam_mail.so nopen''' to  '''session    optional  pam_mail.so nopen dir=~/Maildir''' in ''/etc/pam.d/su'' (to set $MAIL but suppress new mail prompts in bash for superuser)
 +
 +
* Change '''MAIL_DIR      /var/mail''' to '''MAIL_DIR      Maildir/''' in ''/etc/login.defs'' (this is only used for creating/deleting the mail folder when users are added or deleted; also, some reports suggest '''QMAIL_DIR      Maildir/''' is the correct setting, but this isn't mentioned in the login.defs man page)
 +
 +
* Create ''~/.muttrc'' with the contents:
 +
<pre>
 +
set mbox_type=Maildir
 +
 +
# Set locations of the common folders
 +
set folder="~/Maildir"
 +
set mask="!^\\.[^.]"
 +
set mbox="~/Maildir"
 +
set record="+.Sent"
 +
set postponed="+.Drafts"
 +
set spoolfile="~/Maildir"
 +
 +
# Set up mailboxes by scanning for all subfolders in ~/Maildir
 +
mailboxes `echo -n "+ "; find ~/Maildir -type d -name ".*" -printf "+'%f' "`
 +
 +
# Add macros to make the folder browser usable by always using the mailboxes setup above
 +
macro index c "<change-folder>?<toggle-mailboxes>" "open a different folder"
 +
macro pager c "<change-folder>?<toggle-mailboxes>" "open a different folder"
 +
 +
# Go straight to the folder browser when copying, moving and attaching mail
 +
macro index C "<copy-message>?<toggle-mailboxes>" "copy a message to a mailbox"
 +
macro index M "<save-message>?<toggle-mailboxes>" "move a message to a mailbox"
 +
macro compose A "<attach-message>?<toggle-mailboxes>" "attach message(s) to this message"
 +
</pre>
 +
 +
NB: ''/usr/bin/mail'' will no longer work for viewing mails (it gives the error "/home/<user>/Maildir" is a directory). It's a pretty obtuse command for mail viewing anyway, however (and it will still work for sending mails from the cmd-line)
 +
 
== Postfix ==
 
== Postfix ==
 +
=== Configuring SpamAssassin as a content filter ===
 +
Adapted from: http://www.debuntu.org/postfix-and-pamassassin-how-to-filter-spam
 +
 +
==== Install and configure SpamAssassin ====
 +
 +
* <pre>wajig install spamassassin spamc</pre>
 +
 +
* Create a ''spamd'' user:
 +
<pre>
 +
sudo adduser --system --group --home /var/lib/spamassassin userid
 +
</pre>
 +
 +
* Create ''/var/run/spamassassin'' and ''/var/lib/spamassassin'', owned by '''spamd:spamd'''
 +
 +
* Add/change the following lines in /etc/default/spamassassin:
 +
<pre>
 +
ENABLED=1
 +
OPTIONS="--create-prefs --max-children 5 --port 1783 -s /var/log/spamassassin/spamd.log"
 +
PIDFILE="/var/run/spamassassin/spamd.pid"
 +
</pre>
 +
 +
* Edit '''/etc/init.d/spamassassin''':
 +
** Add ''USER=spamd'' to the default variables block
 +
** Add ''--chuid $USER'' to the start and restart cmds
 +
 +
==== Configure postfix ====
 +
 +
* Add to /etc/postfix/master.cf:
 +
<pre>
 +
spamassassin unix -    n      n      -      -      pipe
 +
  user=spamd argv=/usr/bin/spamc -e
 +
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
 +
</pre>
 +
Again in /etc/postfix/master.cf, change the smtp content filters to:
 +
<pre>
 +
smtp      inet  n      -      -      -      -      smtpd
 +
        -o content_filter=spamassassin
 +
</pre>
 +
 +
* Ensure postfix is set to deliver via procmail (see below)
 +
 +
==== Configure procmail ====
 +
* Create '''/etc/procmailrc''':
 +
<pre>
 +
SHELL=/bin/sh
 +
LOGFILE=/var/log/procmail/$LOGNAME.log
 +
LOGABSTRACT=all
 +
VERBOSE=off
 +
# Ensure mail files are owned by recipient
 +
DROPPRIVS=yes
 +
 +
MAILDIR=$HOME/Maildir
 +
DEFAULT="$MAILDIR/"
 +
SPAM="$MAILDIR/.Spam/"
 +
 +
:0
 +
* ^X-Spam-Status: Yes
 +
$SPAM
 +
</pre>
 +
Note: DROPPRIVS line is only needed for systems where /usr/bin/procmail is suid root
 +
 +
=== Configuring postfix delivery method ===
 +
The following config should be placed within /etc/postfix/main.cf
 +
==== To use postfix's builtin MDA with mbox format (/var/spool/mail/$USER) ====
 +
<pre>
 +
# Use mbox mailboxes (the default)
 +
home_mailbox = mbox
 +
</pre>
 +
Ensure no '''mailbox_command''' is specified
 +
 +
==== To use postfix's builtin MDA with Maildir formar ($HOME/Maildir/*) ====
 +
<pre>
 +
# Use Maildir style mailboxes
 +
home_mailbox = Maildir/
 +
</pre>
 +
Ensure no '''mailbox_command''' is specified
 +
 +
==== To use procmail as external MDA ====
 +
<pre>
 +
# Use procmail
 +
mailbox_command = /usr/bin/procmail
 +
</pre>
 +
Ensure no '''home_mailbox''' is specified
 +
 +
=== Configuring mail for an unknown destination to route to a specific user ===
 +
<pre>
 +
# Redirect unknown users to andrew
 +
luser_relay = andrew
 +
local_recipient_maps =
 +
</pre>
 +
 +
=== Hardening postfix ===
 +
Add the following to /etc/postfix/main.cf:
 +
<pre>
 +
## Restrictions
 +
# Require a valid handshake, with the sender announcing its name
 +
smtpd_helo_required = yes
 +
# Require the sending server to have an A or MX record in DNS
 +
#smtpd_sender_restrictions = hash:/etc/postfix/sender_access,reject_unknown_sender_domain
 +
smtpd_sender_restrictions = reject_unknown_sender_domain
 +
# Require the recipient to be a configured destination, unless from mynetworks (NB. This is default, anyway)
 +
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
 +
</pre>
 +
 
=== Emptying deferred queue ===
 
=== Emptying deferred queue ===
 
To attempt redelivery:  
 
To attempt redelivery:  
Line 9: Line 174:
 
sudo postsuper -d ALL
 
sudo postsuper -d ALL
 
</pre>
 
</pre>
 +
 +
=== Testing postfix header_checks ===
 +
<pre>
 +
postmap -q - regexp:/etc/postfix/header_checks < /tmp/testmessage
 +
</pre>
 +
 +
=== Fixing 'mail for <host> loops back to myself' ===
 +
* Ensure <host> is listed in '''mydestination''' in ''/etc/postfix/main.cf'' (you may need to add both the FDQN and the simple hostname)
  
 
== SpamAssassin ==
 
== SpamAssassin ==
Line 25: Line 198:
 
:Number of whitelist (definite non-spam) matches for tested message
 
:Number of whitelist (definite non-spam) matches for tested message
 
Pyzor will return '''0''' (identifying the message as spam) only if number of spam matches > 0 and number of whitelist matches = 0.
 
Pyzor will return '''0''' (identifying the message as spam) only if number of spam matches > 0 and number of whitelist matches = 0.
 +
 +
== Roundcube ==
 +
=== Fixing blank screen on IMAPS login with "Call to undefined function mcrypt_module_open" error in ''/var/log/roundcube/errors'' ===
 +
* Install ''php-mcrypt''
 +
 +
== Dovecot ==
 +
=== Fixing expired Let's Encrypt root certificate ===
 +
https://apple.stackexchange.com/questions/428169/ios-marked-a-certificate-as-expired-even-though-the-certificate-is-still-activ

Latest revision as of 13:44, 14 December 2021

General

See https://help.ubuntu.com/community/MailServer for an introduction to MTA/Spamassassin

MTA 
Mail Transport Agent (generally SMTP)
MDA 
Mail Delivery Agent
MUA 
Mail User Agent (generally POP3 or IMAP)

Briefly, the workflow for mail delivery is:

[Internet] -> postfix (MTA) -> SpamAssassin -> postfix (MTA) -> procmail (MDA) -> $HOME/Maildir

and for mail viewing:

$HOME/Maildir -> Courier (IMAP MUA) -> Thunderbird/Outlook

or

$HOME/Maildir -> Mutt/Pine

Switching from /var/mail/<user> to $HOME/Maildir

  • Add to /etc/procmailrc:
# Ensure mail files are owned by recipient
DROPPRIVS=yes

MAILDIR=$HOME/Maildir
DEFAULT="$MAILDIR/"
  • Change session optional pam_mail.so standard to session optional pam_mail.so standard dir=~/Maildir in /etc/pam.d/login (to set $MAIL and get new mail prompts in bash)
  • Change session optional pam_mail.so standard noenv # [1] to session optional pam_mail.so standard dir=~/Maildir # [1] in /etc/pam.d/ssh (to set $MAIL and get new mail prompts in bash)
  • Change session optional pam_mail.so nopen to session optional pam_mail.so nopen dir=~/Maildir in /etc/pam.d/su (to set $MAIL but suppress new mail prompts in bash for superuser)
  • Change MAIL_DIR /var/mail to MAIL_DIR Maildir/ in /etc/login.defs (this is only used for creating/deleting the mail folder when users are added or deleted; also, some reports suggest QMAIL_DIR Maildir/ is the correct setting, but this isn't mentioned in the login.defs man page)
  • Create ~/.muttrc with the contents:
set mbox_type=Maildir

# Set locations of the common folders
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"

# Set up mailboxes by scanning for all subfolders in ~/Maildir
mailboxes `echo -n "+ "; find ~/Maildir -type d -name ".*" -printf "+'%f' "`

# Add macros to make the folder browser usable by always using the mailboxes setup above
macro index c "<change-folder>?<toggle-mailboxes>" "open a different folder"
macro pager c "<change-folder>?<toggle-mailboxes>" "open a different folder"

# Go straight to the folder browser when copying, moving and attaching mail
macro index C "<copy-message>?<toggle-mailboxes>" "copy a message to a mailbox"
macro index M "<save-message>?<toggle-mailboxes>" "move a message to a mailbox"
macro compose A "<attach-message>?<toggle-mailboxes>" "attach message(s) to this message"

NB: /usr/bin/mail will no longer work for viewing mails (it gives the error "/home/<user>/Maildir" is a directory). It's a pretty obtuse command for mail viewing anyway, however (and it will still work for sending mails from the cmd-line)

Postfix

Configuring SpamAssassin as a content filter

Adapted from: http://www.debuntu.org/postfix-and-pamassassin-how-to-filter-spam

Install and configure SpamAssassin

  • wajig install spamassassin spamc
  • Create a spamd user:
sudo adduser --system --group --home /var/lib/spamassassin userid
  • Create /var/run/spamassassin and /var/lib/spamassassin, owned by spamd:spamd
  • Add/change the following lines in /etc/default/spamassassin:
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --port 1783 -s /var/log/spamassassin/spamd.log"
PIDFILE="/var/run/spamassassin/spamd.pid"
  • Edit /etc/init.d/spamassassin:
    • Add USER=spamd to the default variables block
    • Add --chuid $USER to the start and restart cmds

Configure postfix

  • Add to /etc/postfix/master.cf:
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Again in /etc/postfix/master.cf, change the smtp content filters to: 

smtp      inet  n       -       -       -       -       smtpd
        -o content_filter=spamassassin
  • Ensure postfix is set to deliver via procmail (see below)

Configure procmail

  • Create /etc/procmailrc:
SHELL=/bin/sh
LOGFILE=/var/log/procmail/$LOGNAME.log
LOGABSTRACT=all
VERBOSE=off
# Ensure mail files are owned by recipient
DROPPRIVS=yes

MAILDIR=$HOME/Maildir
DEFAULT="$MAILDIR/"
SPAM="$MAILDIR/.Spam/"

:0
* ^X-Spam-Status: Yes
$SPAM

Note: DROPPRIVS line is only needed for systems where /usr/bin/procmail is suid root

Configuring postfix delivery method

The following config should be placed within /etc/postfix/main.cf

To use postfix's builtin MDA with mbox format (/var/spool/mail/$USER)

# Use mbox mailboxes (the default)
home_mailbox = mbox

Ensure no mailbox_command is specified

To use postfix's builtin MDA with Maildir formar ($HOME/Maildir/*)

# Use Maildir style mailboxes
home_mailbox = Maildir/

Ensure no mailbox_command is specified

To use procmail as external MDA

# Use procmail
mailbox_command = /usr/bin/procmail

Ensure no home_mailbox is specified

Configuring mail for an unknown destination to route to a specific user

# Redirect unknown users to andrew
luser_relay = andrew
local_recipient_maps =

Hardening postfix

Add the following to /etc/postfix/main.cf: 

## Restrictions
# Require a valid handshake, with the sender announcing its name
smtpd_helo_required = yes
# Require the sending server to have an A or MX record in DNS
#smtpd_sender_restrictions = hash:/etc/postfix/sender_access,reject_unknown_sender_domain
smtpd_sender_restrictions = reject_unknown_sender_domain
# Require the recipient to be a configured destination, unless from mynetworks (NB. This is default, anyway)
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Emptying deferred queue

To attempt redelivery: 

sudo postfix flush

To simply delete all deferred mails: 

sudo postsuper -d ALL

Testing postfix header_checks

postmap -q - regexp:/etc/postfix/header_checks < /tmp/testmessage

Fixing 'mail for <host> loops back to myself'

  • Ensure <host> is listed in mydestination in /etc/postfix/main.cf (you may need to add both the FDQN and the simple hostname)

SpamAssassin

Pyzor

Meaning of output like: 

82.94.255.100:24441     (200, 'OK')     1206    0
82.94.255.100
24441
Pyzor server
(200, 'OK')
HTTP response from server
1206
Number of spam matches for tested message
0
Number of whitelist (definite non-spam) matches for tested message

Pyzor will return 0 (identifying the message as spam) only if number of spam matches > 0 and number of whitelist matches = 0.

Roundcube

Fixing blank screen on IMAPS login with "Call to undefined function mcrypt_module_open" error in /var/log/roundcube/errors

  • Install php-mcrypt

Dovecot

Fixing expired Let's Encrypt root certificate

https://apple.stackexchange.com/questions/428169/ios-marked-a-certificate-as-expired-even-though-the-certificate-is-still-activ

Retrieved from "https://wiki.bretts.org/index.php?title=Mail_Server&oldid=8494"