Mail Server

From Briki

General

See https://help.ubuntu.com/community/MailServer for an introduction to MTA/Spamassassin

MTA 
Mail Transport Agent (moves mail between hosts, generally over SMTP; postfix here)
MDA 
Mail Delivery Agent (writes mail into the local mailbox; procmail or postfix's own local agent here)
MUA 
Mail User Agent (the client the user reads mail with, e.g. Thunderbird or mutt; a remote MUA fetches mail over POP3 or IMAP from a server such as Courier or Dovecot)

Briefly, the workflow for mail delivery is:

[Internet] -> postfix (MTA) -> SpamAssassin -> postfix (MTA) -> procmail (MDA) -> $HOME/Maildir

and for mail viewing:

$HOME/Maildir -> Courier (IMAP server) -> Thunderbird/Outlook (MUA)

or

$HOME/Maildir -> Mutt/Pine

Switching from /var/mail/<user> to $HOME/Maildir

  • Add to /etc/procmailrc:
# Ensure mail files are owned by recipient
DROPPRIVS=yes

MAILDIR=$HOME/Maildir
DEFAULT="$MAILDIR/"
  • Change session optional pam_mail.so standard to session optional pam_mail.so standard dir=~/Maildir in /etc/pam.d/login (to set $MAIL and get new mail prompts in bash)
  • Change session optional pam_mail.so standard noenv # [1] to session optional pam_mail.so standard dir=~/Maildir # [1] in /etc/pam.d/ssh (to set $MAIL and get new mail prompts in bash)
  • Change session optional pam_mail.so nopen to session optional pam_mail.so nopen dir=~/Maildir in /etc/pam.d/su (to set $MAIL but suppress new mail prompts in bash for superuser)
  • Change MAIL_DIR /var/mail to MAIL_DIR Maildir/ in /etc/login.defs (this is only used for creating/deleting the mail folder when users are added or deleted; also, some reports suggest QMAIL_DIR Maildir/ is the correct setting, but this isn't mentioned in the login.defs man page)
  • Create ~/.muttrc with the contents:
set mbox_type=Maildir

# Set locations of the common folders
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"

# Set up mailboxes by scanning for all subfolders in ~/Maildir
mailboxes `echo -n "+ "; find ~/Maildir -type d -name ".*" -printf "+'%f' "`

# Add macros to make the folder browser usable by always using the mailboxes setup above
macro index c "<change-folder>?<toggle-mailboxes>" "open a different folder"
macro pager c "<change-folder>?<toggle-mailboxes>" "open a different folder"

# Go straight to the folder browser when copying, moving and attaching mail
macro index C "<copy-message>?<toggle-mailboxes>" "copy a message to a mailbox"
macro index M "<save-message>?<toggle-mailboxes>" "move a message to a mailbox"
macro compose A "<attach-message>?<toggle-mailboxes>" "attach message(s) to this message"

NB: /usr/bin/mail will no longer work for viewing mail (it fails with "/home/<user>/Maildir" is a directory, because it only understands mbox spools). It is a pretty obtuse command for viewing mail anyway, and it still works for sending mail from the command line.
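The list above changes where new mail lands but says nothing about mail already sitting in /var/mail/<user>. The script below is an added example (not from this page, nor from the Debian/Ubuntu packages) that converts such a spool with Python's standard-library mailbox module, keeping read/replied/flagged state and pre-creating the .Spam, .Sent and .Drafts folders the procmailrc and .muttrc above refer to. The sample mbox and the scratch paths in demo() are constructed for the demonstration; the folder names are taken from the configs above.

```python
import mailbox
import os
import stat
import tempfile

# Constructed sample spool for the demo (not real mail): one message already read
# (Status: RO, as a MUA writes it back into the mbox) and one still unread.
SAMPLE_MBOX = (
    "From alice@example.org Mon Jan  1 09:00:00 2024\n"
    "From: alice@example.org\n"
    "To: andrew@example.org\n"
    "Subject: read one\n"
    "Status: RO\n"
    "\n"
    "Already seen.\n"
    "\n"
    "From bob@example.org Mon Jan  1 09:05:00 2024\n"
    "From: bob@example.org\n"
    "To: andrew@example.org\n"
    "Subject: unread one\n"
    "\n"
    "Not yet seen.\n"
)


def mbox_to_maildir(mbox_path, maildir_path, folders=("Spam", "Sent", "Drafts")):
    """Copy every message from an mbox spool into a Maildir and return the count.

    mailbox.MaildirMessage(mbox_msg) translates the mbox Status/X-Status flags:
    R -> S (seen), A -> R (replied), F -> F (flagged), D -> T (trashed), and a
    message marked O (old) is filed in cur/ instead of new/, so IMAP clients do
    not re-announce years of already-read mail as new.
    """
    src = mailbox.mbox(mbox_path)
    dst = mailbox.Maildir(maildir_path, create=True)      # creates cur/ new/ tmp/
    os.chmod(maildir_path, stat.S_IRWXU)                   # private to the owner (0700)
    for name in folders:                                   # .Spam/ .Sent/ .Drafts/, the dotted
        if name not in dst.list_folders():                 # layout Courier and the .muttrc use
            dst.add_folder(name)
    src.lock()                 # fcntl + dot lock: needs write access to the spool (its owner has it)
    try:
        count = 0
        for msg in src:
            dst.add(mailbox.MaildirMessage(msg))           # flag translation happens here
            count += 1
    finally:
        src.unlock()
        src.close()
    dst.close()
    return count


def maildir_state(maildir_path):
    """Map Subject -> (subdir, flags) for the top-level folder, to verify a migration."""
    md = mailbox.Maildir(maildir_path, create=False)
    return {m["Subject"]: (m.get_subdir(), m.get_flags()) for m in md}


def demo():
    """Run the migration on the constructed sample in a scratch directory."""
    work = tempfile.mkdtemp(prefix="maildir-demo-")
    spool = os.path.join(work, "andrew")                   # stands in for /var/mail/andrew
    with open(spool, "w") as fh:
        fh.write(SAMPLE_MBOX)
    maildir = os.path.join(work, "Maildir")                # stands in for ~/Maildir
    count = mbox_to_maildir(spool, maildir)
    return {
        "count": count,
        "messages": maildir_state(maildir),
        "folders": sorted(mailbox.Maildir(maildir).list_folders()),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real spool, run it as the owning user (the lock needs write access to /var/mail/<user>) and only after delivery has been switched to the Maildir, otherwise mail arriving during the copy is stranded in the old mbox; the read message ends up as cur/<name>:2,S and the unread one under new/.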

Postfix

Configuring SpamAssassin as a content filter

Adapted from: http://www.debuntu.org/postfix-and-pamassassin-how-to-filter-spam

Install and configure SpamAssassin

  • wajig install spamassassin spamc
  • Create a dedicated spamd user (the daemon must not run as root):
sudo adduser --system --group --home /var/lib/spamassassin spamd
  • Create /var/run/spamassassin, /var/lib/spamassassin (if adduser did not already) and /var/log/spamassassin (the OPTIONS below log there), all owned by spamd:spamd
  • Add/change the following lines in /etc/default/spamassassin:
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --port 1783 -s /var/log/spamassassin/spamd.log"
PIDFILE="/var/run/spamassassin/spamd.pid"
  • Edit /etc/init.d/spamassassin so the daemon starts as that user:
    • Add USER=spamd to the default variables block
    • Add --chuid $USER to the start and restart cmds
    • On systemd-based releases the init script is not used: add -u spamd to OPTIONS in /etc/default/spamassassin instead, so spamd drops to that user itself after start-up

Configure postfix

  • Add to /etc/postfix/master.cf. spamc must be told the non-default port chosen for spamd above: without -p 1783 it tries 783, and because spamc's default "safe fallback" passes the message through untagged when it cannot reach spamd, filtering would silently stop rather than fail loudly:
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -p 1783 -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
  • Check the filter end to end: feed a message containing the GTUBE test string (XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X) to spamc -p 1783 -c as the spamd user; an exit status of 1 means spamd was reached and classified it as spam

Again in /etc/postfix/master.cf, add a content_filter override to the smtp service entry so inbound SMTP mail is handed to that transport:

smtp      inet  n       -       -       -       -       smtpd
        -o content_filter=spamassassin
  • Ensure postfix is set to deliver via procmail (see below)

Configure procmail

  • Create /etc/procmailrc:
SHELL=/bin/sh
LOGFILE=/var/log/procmail/$LOGNAME.log
LOGABSTRACT=all
VERBOSE=off
# Ensure mail files are owned by recipient
DROPPRIVS=yes

MAILDIR=$HOME/Maildir
DEFAULT="$MAILDIR/"
SPAM="$MAILDIR/.Spam/"

:0
* ^X-Spam-Status: Yes
$SPAM

Note: the DROPPRIVS line is only needed where /usr/bin/procmail is setuid root; when postfix invokes it through mailbox_command (below), procmail already runs as the recipient. Either way the log file /var/log/procmail/$LOGNAME.log is opened as that user, so /var/log/procmail must allow each user to create or write their own file (e.g. pre-create <user>.log owned by the user, mode 0600), or logging fails. The SPAM rule matches the header spamc adds, so it only fires on messages that actually passed through spamc.

Configuring postfix delivery method

The following config should be placed within /etc/postfix/main.cf

To use postfix's builtin MDA with mbox format (/var/mail/$USER, i.e. mail_spool_directory; this is the default)

# Deliver to the system spool in mbox format (the default): leave home_mailbox empty
home_mailbox =

Ensure no mailbox_command is specified. Do not set home_mailbox = mbox for this: home_mailbox is a path relative to the home directory, so that would deliver to a file called $HOME/mbox instead of the spool.

To use postfix's builtin MDA with Maildir format ($HOME/Maildir/*)

# Use Maildir style mailboxes
home_mailbox = Maildir/

Ensure no mailbox_command is specified

To use procmail as external MDA

# Use procmail (the form from the Postfix docs; -a passes the address extension through)
mailbox_command = /usr/bin/procmail -a "$EXTENSION"

Ensure no home_mailbox is specified (mailbox_command takes precedence over it anyway, but leaving it unset avoids confusion)

Configuring mail for an unknown destination to route to a specific user

# Redirect unknown users to andrew
luser_relay = andrew
local_recipient_maps =

Note: an empty local_recipient_maps makes smtpd accept any local part at RCPT time, so this turns the domain into a catch-all: andrew receives every dictionary-attack and typo address as well. Keep the restrictions below in place and expect the .Spam folder to fill.

Hardening postfix

Add the following to /etc/postfix/main.cf:

## Restrictions
# Require a HELO/EHLO before MAIL FROM (a valid handshake, with the client announcing its name)
smtpd_helo_required = yes
# Reject envelope senders whose domain has no A or MX record in DNS
# (it is the MAIL FROM domain that is checked, not the connecting host)
#smtpd_sender_restrictions = hash:/etc/postfix/sender_access, reject_unknown_sender_domain
smtpd_sender_restrictions = reject_unknown_sender_domain
# Only accept recipients in our own domains (mydestination, relay_domains, ...), unless the client is in mynetworks.
# This is the default anyway; from Postfix 2.10 the same relay check also lives in smtpd_relay_restrictions,
# which is evaluated in addition to this list.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
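The two restrictions worth proving from the outside are helo_required and reject_unauth_destination, since getting the second wrong makes the host an open relay. The probe below is an added example (not from this page or from Postfix): it speaks the same SMTP dialogue an abuser's first connection would, and records the reply codes. ScriptedSmtpd is a constructed stand-in that answers the way a Postfix smtpd with the restrictions above does, so the exchange can be run offline; the host names, addresses and reply texts are assumptions made for the demonstration.

```python
import socket
import sys


def read_reply(f):
    """Read one SMTP reply; multi-line replies use 'NNN-' continuation lines."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("peer closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            return int(lines[-1][:3]), "\n".join(lines)


def command(f, text):
    f.write(text + "\r\n")
    f.flush()
    return read_reply(f)


def probe(f, sender="probe@example.net", foreign_rcpt="someone@example.com"):
    """Run the two checks against a text stream f wrapping the connection
    (sock.makefile("rw", newline="") for a real host). Returns reply codes and verdicts."""
    result = {"greeting": read_reply(f)[0]}
    # 1. MAIL FROM before any HELO/EHLO: smtpd_helo_required = yes answers 503.
    code, _ = command(f, "MAIL FROM:<%s>" % sender)
    result["mail_without_helo"] = code
    if code != 250:
        command(f, "HELO probe.example.net")
        command(f, "MAIL FROM:<%s>" % sender)
    # 2. RCPT TO a domain that is neither in mydestination nor relayed for:
    #    reject_unauth_destination answers 554 Relay access denied; 250 means open relay.
    code, _ = command(f, "RCPT TO:<%s>" % foreign_rcpt)
    result["foreign_rcpt"] = code
    command(f, "QUIT")
    result["helo_required"] = result["mail_without_helo"] == 503
    result["open_relay"] = result["foreign_rcpt"] == 250
    return result


class ScriptedSmtpd:
    """Constructed stand-in for a Postfix smtpd (not Postfix code): replies the way the
    restrictions above make Postfix reply, over an in-memory queue instead of a socket."""

    def __init__(self, mydestination=("mail.example.org",), helo_required=True,
                 reject_unauth_destination=True):
        self.mydestination = mydestination
        self.helo_required = helo_required
        self.reject_unauth_destination = reject_unauth_destination
        self.seen_helo = False
        self.pending = ["220 mail.example.org ESMTP Postfix\r\n"]
        self.transcript = []                       # both sides, for inspection

    def readline(self):
        line = self.pending.pop(0) if self.pending else ""
        self.transcript.append("S: " + line.rstrip("\r\n"))
        return line

    def write(self, data):
        cmd = data.strip()
        self.transcript.append("C: " + cmd)
        verb = cmd.split(None, 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            self.seen_helo = True
            reply = "250 mail.example.org"
        elif verb == "MAIL":
            if self.helo_required and not self.seen_helo:
                reply = "503 5.5.1 Error: send HELO/EHLO first"
            else:
                reply = "250 2.1.0 Ok"
        elif verb == "RCPT":
            domain = cmd.rpartition("@")[2].rstrip(">").lower()
            if domain in self.mydestination or not self.reject_unauth_destination:
                reply = "250 2.1.5 Ok"
            else:
                reply = "554 5.7.1 %s: Relay access denied" % cmd.split(":", 1)[1].strip()
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Error: command not recognized"
        self.pending.append(reply + "\r\n")

    def flush(self):
        pass


def demo(**smtpd_settings):
    """Probe the scripted peer; pass helo_required=False or
    reject_unauth_destination=False to see what a misconfigured server looks like."""
    return probe(ScriptedSmtpd(**smtpd_settings))


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # real target: python3 probe.py mail.example.org
        with socket.create_connection((sys.argv[1], 25), timeout=10) as s:
            print(probe(s.makefile("rw", newline="")))
    else:
        print(demo())
```

Run it against the real server from a host outside mynetworks: from inside, permit_mynetworks legitimately accepts the foreign recipient and the relay check tells you nothing.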

Emptying deferred queue

To attempt redelivery:

sudo postfix flush

To simply delete all deferred mails:

sudo postsuper -d ALL

Testing postfix header_checks

postmap -q - regexp:/etc/postfix/header_checks < /tmp/testmessage

Fixing 'mail for <host> loops back to myself'

  • Ensure <host> is listed in mydestination in /etc/postfix/main.cf (you may need to add both the FQDN and the bare hostname). Postfix raises this error when a recipient domain resolves to one of its own addresses (inet_interfaces or proxy_interfaces) but is not a configured destination.

SpamAssassin

Pyzor

Meaning of output like:

82.94.255.100:24441     (200, 'OK')     1206    0

82.94.255.100:24441
Pyzor server (address and port)
(200, 'OK')
Pyzor protocol response code and text (HTTP-style numbering; 200 means the query succeeded, anything else means the counts that follow are not meaningful)
1206
Number of spam reports on record for the tested message's digest
0
Number of whitelist (definite non-spam) reports for the tested message's digest

pyzor check exits 0 (identifying the message as spam) only if the number of spam reports > 0 and the number of whitelist reports = 0; otherwise it exits 1.
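Scripting around pyzor (for example to log per-server results, or to drive it from something other than SpamAssassin) means parsing these lines and applying the rule above. The following is an added example, not pyzor's own code: the output lines are constructed (the first reproduces the line explained above), and the way it combines several servers' answers is an assumption rather than something taken from pyzor's source.

```python
import re

# Constructed `pyzor check` output for the demo; the first line reproduces the one
# explained above, the others are shapes a caller has to cope with.
SAMPLE_OUTPUT = {
    "spam": "82.94.255.100:24441\t(200, 'OK')\t1206\t0\n",
    "ham": "82.94.255.100:24441\t(200, 'OK')\t0\t0\n",
    "whitelisted": "82.94.255.100:24441\t(200, 'OK')\t3\t1\n",
    "error": "82.94.255.100:24441\t(503, 'Service Unavailable')\t0\t0\n",
    "garbage": "Traceback (most recent call last):\n",
}

_LINE = re.compile(
    r"^(?P<host>\S+):(?P<port>\d+)\s+"           # server address and port
    r"\((?P<code>\d+), '(?P<msg>[^']*)'\)\s+"    # protocol response, e.g. (200, 'OK')
    r"(?P<count>\d+)\s+(?P<wl_count>\d+)\s*$"    # spam reports, whitelist reports
)


def parse_pyzor_line(line):
    """Split one output line into its fields; raises ValueError for anything else."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised pyzor output: %r" % line)
    return {
        "server": "%s:%s" % (m["host"], m["port"]),
        "code": int(m["code"]),
        "message": m["msg"],
        "count": int(m["count"]),
        "wl_count": int(m["wl_count"]),
    }


def pyzor_verdict(output):
    """Classify a whole `pyzor check` output as 'spam', 'ham' or 'unknown'.

    Per server the rule is the one stated above: spam iff count > 0 and
    wl_count == 0, counting only 200 responses. Across several servers this
    treats any hit as a hit and any whitelist report as a veto (an assumption
    made here, not taken from pyzor's source). 'unknown' means no server
    answered usefully; a caller must not silently treat that as ham or as spam.
    """
    answered = hit = whitelisted = False
    for line in output.splitlines():
        if not line.strip():
            continue
        try:
            rec = parse_pyzor_line(line)
        except ValueError:
            continue                      # client-side error text, not a result
        if rec["code"] != 200:
            continue                      # server error: counts are not meaningful
        answered = True
        hit = hit or rec["count"] > 0
        whitelisted = whitelisted or rec["wl_count"] > 0
    if not answered:
        return "unknown"
    return "spam" if hit and not whitelisted else "ham"


def demo():
    return {name: pyzor_verdict(text) for name, text in SAMPLE_OUTPUT.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-12s %s" % (name, verdict))
```

The 'unknown' outcome is the one to get right in a pipeline: a server outage must not look like a clean bill of health.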

Roundcube

Fixing blank screen on IMAPS login with "Call to undefined function mcrypt_module_open" error in /var/log/roundcube/errors

  • Install php-mcrypt (and make sure it is enabled for the PHP the web server uses, then reload the web server)
  • Caveat: the mcrypt extension was removed from PHP 7.2, so on current releases there is no php-mcrypt package to install; newer Roundcube releases use OpenSSL instead, and the fix there is to upgrade Roundcube rather than to chase the extension

Dovecot

Fixing expired Let's Encrypt root certificate

https://apple.stackexchange.com/questions/428169/ios-marked-a-certificate-as-expired-even-though-the-certificate-is-still-activ

The symptom is clients (notably older iOS) rejecting an IMAPS certificate that is itself still valid. Check what chain Dovecot actually sends with openssl s_client -connect <host>:993 -showcerts; if it ends in the cross-signed DST Root CA X3 (expired 30 September 2021), reissue with the ISRG Root X1 chain (certbot: --preferred-chain "ISRG Root X1"), make sure ssl_cert in the Dovecot config points at the resulting fullchain.pem, and restart dovecot.