Difference between revisions of "Email"
Revision as of 06:46, 6 March 2009
Troubleshooting
Q. I am having trouble getting sme to send and receive email.
A. Sending and receiving email are separate functions. You need to investigate each individually.
Sending
If SME server does not send mail, you need to examine the qmail logs to see what happens when it tries. Most commonly, problems can be solved by sending via your ISP's mail server, possibly using encryption and/or authentication. Read the manual.
Receiving
If SME server does not receive mail, then you need to ensure that SMTP connections reach your SME server (DNS settings, router configuration, ISP port blocks) and then you need to examine the qpsmtpd logs to determine what SME server does with the incoming connections. Most problems are DNS, router or ISP issues, and have nothing to do with SME server operation or configuration.
Spam
Spamassassin
Spamassassin can be set to automatically delete junk mail. You can change the number of days after which spamassassin deletes junk mail; for example, to delete it after two months:
db configuration setprop spamassassin MessageRetentionTime 60
signal-event email-update
The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom.
- Open server-manager.
- Click e-mail in the navigation pane (left-hand side).
- Click Change e-mail filtering settings.
- Change "Spam sensitivity" to custom and adjust the settings to your liking.
This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first.
X-Spam-Level Header in Email Messages
SME does not create an X-Spam-Level header in processed email messages by default.
To enable this capability:
/usr/bin/yum install --enablerepo=smecontribs smeserver-qpsmtpd-spamassassinlevelstars
signal-event email-update
(Based on Bugzilla:3505)
Custom Rule Scores
You can customize the score assigned by a specific Spamassassin rule (SARE_ADULT2 in this case) as follows:
mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
echo "score SARE_ADULT2 20.000" >> 20localscores
signal-event email-update
You can now add additional tests and custom scores by editing the newly-created template fragment 20localscores and adding new custom scores using:
pico -w /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update
Each custom score goes on its own line. If you enter a score surrounded by parentheses, the "custom" score will be added to the default score for the specified test (use score TEST_NAME (-1) to reduce the score for 'TEST_NAME' by 1).
You can remove these customizations using:
rm -f /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update
References:
- http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#scoring_options
- http://spamassassin.apache.org/tests_3_2_x.html
- http://www.rulesemporium.com/
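A malformed line in 20localscores is expanded straight into /etc/mail/spamassassin/local.cf by signal-event email-update, so it is worth checking the fragment first. The following POSIX shell lint is an added example, not part of the wiki or of SME server; it accepts only the two forms the text describes (an absolute score, or a parenthesised adjustment to the default score) and treats blank and "#" comment lines as harmless. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not SME server code): lint a spamassassin local.cf template
# fragment such as 20localscores before running "signal-event email-update".

# Accept one line of the form
#   score TEST_NAME 20.000      absolute score
#   score TEST_NAME (-1)        adjustment added to the test's default score
# Returns 0 if the line is acceptable, 1 otherwise.
check_score_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*score[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]+(-?[0-9]+(\.[0-9]+)?|\(-?[0-9]+(\.[0-9]+)?\))[[:space:]]*$'
}

# Lint a whole fragment file: blank lines and comments are skipped, every
# other line must pass check_score_line. Bad lines are reported on stderr.
# Returns 0 when the file is clean, 1 when at least one line is bad.
lint_localscores() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;
        esac
        if ! check_score_line "$line"; then
            printf 'bad line: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Usage: lint_localscores.sh /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
if [ $# -gt 0 ]; then
    lint_localscores "$1" && echo "$1: OK"
fi
```

Once the template has been expanded, `spamassassin --lint` is the authoritative check of the resulting local.cf; this script only catches the formatting slips that would otherwise surface as a broken spamd.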
Real-time Blackhole List (RBL)
Enabling RBL's
RBL's are disabled by default to allow maximum accommodation (your ISP may be on a RBL & you may not know it). You can enable RBL's by:
config setprop qpsmtpd DNSBL enabled RHSBL enabled
signal-event email-update
You can see your RBL's by:
config show qpsmtpd
You can add to your RBL's by:
config setprop qpsmtpd RBLList <rbl-list-name>
signal-event email-update
Many will argue what's best but most would agree that you can set best-practice recommended settings by:
config setprop qpsmtpd RBLList zen.spamhaus.org:whois.rfc-ignorant.org:dnsbl.njabl.org
signal-event email-update
Note: More information on this topic can be found here: [1] [2]
Server Only
Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. For example, the rule that blocks attempts where spammers try "HELO a.b.c.d" where a.b.c.d is your external IP address.
Unfortunately, many admins believe that port-forwarding SMTP provides additional security. It doesn't; it limits the SMESERVER's ability to apply some rules.
I want to enable GreyListing
GreyListing support is under the covers and can easily be enabled for those who know what they are doing. However, many experienced users found that they spent more time looking after the greylisting configuration than they received in benefit.
Setup Blacklists & Bayesian Autolearning
(Much of what follows has been shamelessly copied from the Sonoracomm howto)
The default SME settings (as you can see here) do not include DNSBL filtering, spam rejection, or (which is not obvious from the above) bayesian filtering in spamassassin to allow spamassassin to learn from received email and improve over time.
The following command will enable the default blacklists, enable the bayesian learning filter and set thresholds for the bayesian filter.
config setprop spamassassin UseBayes 1
config setprop spamassassin BayesAutoLearnThresholdSpam 4.00
config setprop spamassassin BayesAutoLearnThresholdNonspam 0.10
expand-template /etc/mail/spamassassin/local.cf
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
chmod 640 /var/spool/spamd/.spamassassin/bayes_*
config setprop qpsmtpd DNSBL enabled
config setprop qpsmtpd RHSBL enabled
config setprop spamassassin status enabled
config setprop spamassassin RejectLevel 12
config setprop spamassassin TagLevel 4
config setprop spamassassin Sensitivity custom
signal-event email-update
These commands will:
- enable spamassassin
- configure spamassassin to reject any email with a score above 12
- tag spam scored between 4 and 12 in the email header
- enable bayesian filter
- 'autolearn' as SPAM any email with a score above 4.00
- 'autolearn' as HAM any email with a score below 0.10
- enable RHSBL using the default SBLList. Note that rhsbl checking has been known to place a heavy burden on SME servers.
- enable DNSBL using the default RBLList
The Sonora Communications "Spam Filter Configuration for SME 7" howto
http://www.sonoracomm.com/support/19-inet-support/49-spam-filter-configuration-for-sme-7
GeoIP: spam blocking based on geographical information
The GeoIP plugin for Spamassassin lets us know where our mail server is receiving mail from. If we're receiving too much spam from a particular location, this will help track it down. We can then use that information to reject connections from that place, taking the load off our server.
You can find information how to install and use it on the GeoIP page.
Anti Virus
The SME Server uses Clam AntiVirus (www.clamav.net) as the default, built-in anti-virus engine. By default this system will automatically get virus signature updates from the clamav database. Other people and organizations have developed additional signatures which can be used with ClamAV.
- Sane Security (http://www.sanesecurity.com/clamav/) - who maintains two signatures databases (Phishing and Scam)
- MSRBL (http://www.msrbl.com/) - Realtime Black Lists who maintains two databases (Images and Spam)
- Malware Block List (http://www.malware.com.br/) - who maintains a database for Malware
In order to use these additional databases with your ClamAV installation you need to download them. I have modified a script from Sane Security to work with SME 7.x which can be used to obtain the databases from Sane Security, MSRBL and the Malware Block List. The addition of these 5 new databases provides ~75,000 new signatures for clam to work with.
Installation
cd /etc/cron.daily
wget http://sme.swerts-knudsen.com/downloads/update_sanesecurity
chmod +x update_sanesecurity
You can now run it for the first time with debug enabled to see that all is OK.
./update_sanesecurity -d
Your output should look something like this (even though yours will hopefully be updated).
update_sanesecurity: [debug] Debug mode is ON
update_sanesecurity: [debug] Starting.
update_sanesecurity: [debug] Created temporary directory: '/tmp/update_sanesecurity.uwlP7014'
update_sanesecurity: [debug] Checking for ClamAV database directory...
update_sanesecurity: [debug] Found ClamAV database directory: /var/clamav
update_sanesecurity: [debug] PHISH_SIGS : http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
update_sanesecurity: [debug] SCAM_SIGS : http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
update_sanesecurity: [debug] SPAM_SIGS : rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb
update_sanesecurity: [debug] IMAGE_SIGS : rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb
update_sanesecurity: [debug] VX_SIGS : http://clamav.securiteinfo.com/vx.hdb.gz
update_sanesecurity: [debug] SECURITEINFO_SIGS : http://clamav.securiteinfo.com/securiteinfo.hdb.gz
update_sanesecurity: [debug] HONEYNET_SIGS : http://clamav.securiteinfo.com/honeynet.hdb.gz
update_sanesecurity: [debug] ANTISPAM_SIGS : http://clamav.securiteinfo.com/antispam.ndb.gz
update_sanesecurity: [debug] MALWARE_SIGS : http://www.malware.com.br/cgi/submit?action=list_clamav
update_sanesecurity: [debug] ClamScan : /usr/bin/clamscan
update_sanesecurity: [debug] CURL : /usr/bin/curl
update_sanesecurity: [debug] GunZip : /bin/gunzip
update_sanesecurity: [debug] RSync : /usr/bin/rsync
update_sanesecurity: [debug] ClamAV db dir : /var/clamav
update_sanesecurity: [debug] temp dir : /tmp/update_sanesecurity.uwlP7014
update_sanesecurity: [debug] Created temporary directory: '/tmp/update_sanesecurity.XTJi7125'
update_sanesecurity: [debug] Checking for ClamAV database directory...
update_sanesecurity: [debug] Found ClamAV database directory: /var/clamav
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/scam.ndb.gz'
update_sanesecurity: [info] '/var/clamav/scam.ndb.gz' was updated
update_sanesecurity: [info] '/var/clamav/scam.ndb' was updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/phish.ndb.gz'
update_sanesecurity: [info] '/var/clamav/phish.ndb.gz' was NOT updated
update_sanesecurity: [info] '/var/clamav/phish.ndb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/MSRBL-SPAM.ndb'
update_sanesecurity: [info] '/var/clamav/MSRBL-SPAM.ndb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/MSRBL-Images.hdb'
update_sanesecurity: [info] '/var/clamav/MSRBL-Images.hdb' was updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/vx.hdb.gz'
update_sanesecurity: [info] '/var/clamav/vx.hdb.gz' was NOT updated
update_sanesecurity: [info] '/var/clamav/vx.hdb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/securiteinfo.hdb.gz'
update_sanesecurity: [info] '/var/clamav/securiteinfo.hdb.gz' was NOT updated
update_sanesecurity: [info] '/var/clamav/securiteinfo.hdb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/honeynet.hdb.gz'
update_sanesecurity: [info] '/var/clamav/honeynet.hdb.gz' was NOT updated
update_sanesecurity: [info] '/var/clamav/honeynet.hdb' was NOT updated
update_sanesecurity: [debug] Checking for newer version of '/var/clamav/antispam.ndb.gz'
update_sanesecurity: [info] '/var/clamav/antispam.ndb.gz' was NOT updated
update_sanesecurity: [info] '/var/clamav/antispam.ndb' was NOT updated
update_sanesecurity: [debug] '/var/clamav/mbl.db.gz' does not exist, so doing initial download
update_sanesecurity: [info] '/var/clamav/mbl.db.gz' was updated
update_sanesecurity: [info] '/var/clamav/mbl.db' was updated
update_sanesecurity: [debug] Exiting.
ClamAV will by default reload its databases every 1800 secs (30mins) but you can force a reload with:
signal-event email-update
Email Clients
"concurrency limit reached" when using IMAP
Sometimes this shows up as Thunderbird giving the error message "This Mail-server is not a imap4 mail-server".
To work around Thunderbird's limitations, change this Thunderbird setting to false:
- Preferences, Advanced, Config editor (aka about:config): filter on tls.
- set security.enable_tls to false
You can also increase the ConcurrencyLimitPerIP and/or ConcurrencyLimit value for imap and/or imaps (secure):
config setprop imap ConcurrencyLimitPerIP 20
config setprop imaps ConcurrencyLimitPerIP 20
signal-event post-upgrade; signal-event reboot
To check:
config show imap
tail -f /var/log/imap/current | tai64nlocal
More detail can be found here.
Mail server is not an IMAP4 mail server
This is a bug in Thunderbird, the previous tips may help
The Bat
The Bat gives this error message, but it is wrong:
"This server uses TLS v3.0 which is considered to be obsolete and insecure.
The server must use TLS v3.1 or above."
Outlook/Outlook Express give error 10060/0x800CCC90
Most likely OUTLOOK (EXPRESS) isn't configured correctly.
- open OUTLOOK
- click TOOLS > ACCOUNTS
- click CHANGE (on the right-hand side)
- find INCOMING MAIL SERVER & OUTGOING MAIL SERVER (on right-hand side)
- type: mail.yourdomain.tld (in both places)
- click MORE SETTINGS (on bottom-right)
- click OUTGOING SERVER tab (at the top)
- checkmark "MY OUTGOING SERVER REQUIRES AUTHENTICATION"
- bullet "USE SAME SETTINGS AS INCOMING MAIL SERVER"
- click ADVANCED tab (at the top)
- find OUTGOING SERVER
- checkmark "THIS SERVER REQUIRES A SECURE CONNECTION" (under outgoing server)
- change 25 to 465
- [possibly required, secure IMAP is 993]
- click OK > NEXT > FINISHED
- you're finished, your email should work now
Outlook test message doesn't come through
You clicked the TEST ACCOUNT SETTINGS in OUTLOOK didn't you? This is a bug in OUTLOOK. The test message sends a test email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected. To test, send an actual message from OUTLOOK.
If you want, you can try THUNDERBIRD. It's like OUTLOOK but made by a different company. It's completely free and works very well at home and at the office.
I can't receive/send email from my application (ACT!, vTiger, MS Outlook, etc)
Most likely, this is a bug in the application you're using and not a problem with the SMESERVER. The application sends an email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected.
As a workaround you can disable the check for the 'Date header'. To disable this check on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update
To disable this check for the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update
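Before disabling check_basicheaders for a whole interface, it is cheaper to confirm that the application's message really is missing the header. The POSIX shell script below is an added example and not SME's qpsmtpd plugin: it reproduces the check the text describes (a message must carry both a From: and a Date: header) on a message saved to a file, joining folded header lines first. The sample messages it writes are constructed for the example, and the function names are its own.

```shell
#!/bin/sh
# Added example (not SME's qpsmtpd code): test whether a saved message would
# pass the "basic headers" check, i.e. whether it carries From: and Date:.

# Print the header block of an RFC 822 message file (everything before the
# first empty line), with folded continuation lines joined to their header.
header_block() {
    awk '
        /^$/ { exit }                                   # blank line ends headers
        /^[ \t]/ { buf = buf " " substr($0, 2); next }  # folded continuation
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# Return 0 if the message has both required headers, 1 if the server would
# reject it; each missing header is named on stderr.
check_basicheaders() {
    hdrs=$(header_block "$1")
    rc=0
    for h in From Date; do
        if ! printf '%s\n' "$hdrs" | grep -Eiq "^$h:"; then
            printf 'missing %s: header -> message would be rejected\n' "$h" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample messages (not captured from a real server).
# $1 = output file; $2 = "ok" for a complete header block, anything else for
# a message without a Date: header, like the Outlook test message above.
write_sample() {
    if [ "$2" = ok ]; then
        printf 'From: user@example.com\nTo: admin@example.com\nDate: Mon, 2 Mar 2009 10:00:00 +0000\nSubject: test\n\nbody\n' > "$1"
    else
        printf 'From: user@example.com\nTo: admin@example.com\nSubject:\n test\n\nbody\n' > "$1"
    fi
}

# Usage: check_basicheaders.sh saved_message.eml
if [ $# -gt 0 ]; then
    check_basicheaders "$1" && echo "$1: headers OK"
fi
```

Most clients can save a message as a .eml file; feeding one from the application in question through this check tells you whether the fix belongs in the application's settings or in the custom template.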
After I upgrade my SME Server, my email folders have disappeared when using IMAP
After upgrade, if there are missing IMAP folders, the client may need to re-subscribe to folders. This may affect either webmail users or users who use an IMAP email client.
Entourage: Using SME's Self-Signed Certificate for SSL Connections from Entourage on OS X 10.4
The main problem here is that Entourage will only support trusted, PEM Base-64 Encoded certificates. To use IMAPS or SMTPS from Entourage with your SME server, you will need to:
1. Login to your Mac as a user with administrative privileges
2. Open Safari and browse to https://smeserver/server-manager. When you receive the warning about your certificate:
- click on "Show Certificate"
- click and drag the gold-rimmed image of a certificate to your desktop. You will now have myserver.mydomain.tld.cer on your desktop.
3. Locate and open the Microsoft Cert Manager
- "Import" the certificate you downloaded in step 2.
4. Highlight the imported certificate and "Export" it.
- Select the "PEM..." format
- add "pem." to the beginning of the filename
- export it to your Desktop
5. Double-click on the new pem.myserver.mydomain.tld.cer
- Apple's Keychain Access application will open.
- Select the X509Anchors Keychain and click "OK"
6. While still in Apple's Keychain Access, select the "Certificates" category
- Drag pem.myserver.mydomain.tld.cer into the certificates window.
You should now be able to connect to your SME from your Entourage using IMAPS.
If you are accessing your SME server using a different name than the one encoded in the certificate you will still receive a security warning from Entourage, but "OK" will now grant access to your folders.
Notes:
- Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html
- I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.
- Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.
How do I get my e-mail to show the correct From Address
The From address on an e-mail is not supplied by the server. It is supplied by the e-mail client.
- Configure your Account in your e-mail client with the correct FROM address.
- You can change the FROM address in webmail with the following:
- Login to webmail as the user, go to options-personal information and change the identity to have the correct FROM address. You can have multiple identities with a single user.
Some system-generated email is created by the server, and some contribs may send mail externally. In these cases you need a valid domain name for the server: buy one or use a free provider like dyndns.org.
Server Settings
Double bounce messages
To stop admin receiving double bounce messages
config setprop qmail DoubleBounceTo someoneuser
signal-event email-update
Or just delete them. You risk losing legitimate double bounces (which are rare, but you want to look at them when they do occur)
config setprop qmail DoubleBounceTo devnull
signal-event email-update
See a longer explanation here.
Keep a copy of all emails
You may need to keep a copy of all emails sent to or from your email server. This may be for legal, or other reasons.
The following instructions will create a new user account (maillog) and forward every email that goes through your SME server to it.
First, log onto the server-manager and create the user maillog
Go to the SME Command Line (logon as root) and issue the following commands:
config setprop qpsmtpd Bcc enabled
signal-event email-update
Optionally make the forwarding of the emails invisible to the end user. Without it, there will be an X-Copied-To: header in each email. Run this command before the signal-event
config setprop qpsmtpd BccMode bcc
If you want to view the emails, point your email client at the SME and log on as maillog.
Set max email size
There are several components involved in sending email on a SME server. Each component has a size limit that may affect an email message that passes through the server.
Subsystem | Function | Default Limit | Command to change size | Notes |
---|---|---|---|---|
qmail | Delivers email to local mailboxes and to remote servers | 15000000 | config setprop qmail MaxMessageSize xx000000 | Value is in BYTES. 15000000 equals approximately 15MB |
clamav | Used to scan emails and attachments | 15M | config setprop clamav MaxFileSize 15M | Value includes human-readable abbreviations. "15M" equals 15 MegaBytes. |
qpsmtpd | The clamav plugin to qpsmtpd is called with a specified size limit. | 25000000 | config setprop qpsmtpd MaxScannerSize xx000000 | Value is in BYTES. Question: does this value override the setting of 'MaxFileSize', or will the smaller value prevail? |
php | The php maximum file upload size will determine the largest file you can attach to an email message using horde (or any other php email client) | 10M | config setprop php UploadMaxFilesize 10M | |
A note about clamav:
ClamAV includes settings to prevent the scanning of archives that could cause problems if fully expanded; if an attachment cannot be scanned, it will be rejected.
These attributes could result in the rejection of a compressed attachment on a SME server:
- ArchiveMaxCompressionRatio (default 300)
- MaxFiles (default 1500)
- MaxRecursion (default 8)
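Because each subsystem enforces its own limit, the limit a message actually meets is the smallest of those that apply to its path. The POSIX shell script below is an added example, not part of the wiki or of SME server: it converts the table's values (plain bytes for qmail and qpsmtpd, K/M/G shorthand for clamav and php) to bytes, reports the effective limit for webmail and for a desktop client, and estimates the largest attachment that fits once base64 encoding has grown it by a third. It assumes the smaller value prevails wherever two limits overlap, which is the conservative reading of the open MaxScannerSize/MaxFileSize question in the table, and it assumes binary multiples for the M suffix (PHP's ini shorthand works that way; the example applies the same reading to clamav). The function names are the example's own; on a real server the values would come from config getprop.

```shell
#!/bin/sh
# Added example (not SME server code): work out which size limit governs a
# message on its way through qmail, clamav, qpsmtpd and (for webmail) php.

# Convert a size setting to bytes. Plain digits are bytes (qmail
# MaxMessageSize, qpsmtpd MaxScannerSize); a K/M/G suffix (clamav
# MaxFileSize, php UploadMaxFilesize) is read as a binary multiple.
to_bytes() {
    n=${1%[KkMmGg]}          # strip a trailing unit letter, if any
    case "$1" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# Smallest of the limits that apply (assumption: the smaller value prevails
# where two overlap). Arguments, in order: qmail MaxMessageSize,
# clamav MaxFileSize, qpsmtpd MaxScannerSize, php UploadMaxFilesize.
# Pass "-" for php when the mail does not come through webmail.
effective_limit() {
    min=""
    for v in "$1" "$2" "$3" "$4"; do
        if [ "$v" = "-" ]; then continue; fi
        b=$(to_bytes "$v")
        if [ -z "$min" ] || [ "$b" -lt "$min" ]; then min=$b; fi
    done
    echo "$min"
}

# Rough upper bound on the attachment that fits into a message limit: base64
# expands data by 4/3, and headers and line breaks take a little more.
max_attachment_bytes() {
    echo $(( $1 * 3 / 4 ))
}

# Report for the table's default values (constructed usage, no arguments).
if [ $# -eq 0 ]; then
    lim=$(effective_limit 15000000 15M 25000000 10M)
    echo "webmail (horde): effective limit $lim bytes, attachment up to about $(max_attachment_bytes "$lim") bytes"
    lim=$(effective_limit 15000000 15M 25000000 -)
    echo "desktop client:  effective limit $lim bytes, attachment up to about $(max_attachment_bytes "$lim") bytes"
fi
```

With the defaults, webmail users hit php's 10M first, while a desktop client hits qmail's 15000000 bytes; raising only one setting moves the bottleneck rather than removing it, so the values are best changed together.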
Add the admin user as an administrator for Horde
config setprop horde Administration enabled
signal-event email-update
Large attachments not displaying in webmail
Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also bugzilla:3990). The following entries are related to the error and can be found in the log files:
/var/log/messages
Mar 13 00:00:12 box1 httpd: PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 154 bytes) in /home/httpd/html/horde/imp/lib/MIME/Contents.php on line 173
/var/log/httpd/error_log
Allowed memory size of 33554432 bytes exhausted (tried to allocate 0 bytes)
The default MemoryLimit setting in PHP is 32M. The value can be changed using the commands below, replacing XX with the value you desire.
db configuration setprop php MemoryLimit XXM
expand-template /etc/php.ini
sv t httpd-e-smith
Disable mail to a user from an external network
The account can be either a user, a pseudonym or a group:
db accounts setprop groupname/username Visible internal
signal-event email-update
I can't receive mail at: user@mail.domain.tld
Add mail.domain.tld as a virtualdomain.
- login to SERVER-MANAGER
- click DOMAINS (on the left)
- click ADD
- type: mail.domain.tld
How do I find out who is logged into webmail and what IP number.
This is logged in /var/log/messages.
How do I enable smtp authentication for users on the internal network
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update
(note the "." at the end of the 3rd line)
Authentication for the local network will now follow the setting of config::qpsmtpd::Authentication, i.e. run:
config setprop qpsmtpd Authentication enabled
signal-event email-update
How do I disable SMTP relay for unauthenticated LAN clients
http://forums.contribs.org/index.php?topic=38797.msg176490#msg176490
- Enable smtp authentication as shown above
- Disable un-authenticated smtp relay for the local network(s) using:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update
- Configure your email clients to use smtps with authentication:
- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server
Internet provider's port 25 is blocked: How to set an alternative port for the SMTP server
If your provider is blocking smtp port 25 on your internet connection but your hosting provider is offering an alternative port (or when using some relay service) you can simply set this alternative port by adding it to the 'Address of Internet provider's mail server' value in the 'E-mail delivery settings' screen of the server-manager like this:
<internet providers mail server name or ip-address>:<alternative port>
For example: mail.mydomain.com:587
How do I enable and configure a disclaimer in email messages
A disclaimer message can be added to the footer of all outgoing email messages.
The message can be the same for all domains or it can be different for all domains.
This functionality is part of sme7.2 release so make sure you have upgraded before doing this.
To create a general disclaimer for all domains on your sme server
config setprop smtpd disclaimer enabled
pico -w /service/qpsmtpd/config/disclaimer
Enter the required disclaimer text
To save & exit
Ctrl o Ctrl x
To make the changes take effect
signal-event email-update
To create domain-specific disclaimers, create separate domain-based disclaimer text files.
Delete the general (all domains) disclaimer file if you have already created it:
rm /service/qpsmtpd/config/disclaimer
config setprop smtpd disclaimer enabled
pico -w /service/qpsmtpd/config/disclaimer_domain1.com.au
pico -w /service/qpsmtpd/config/disclaimer_domain2.com
pico -w /service/qpsmtpd/config/disclaimer_domain3.org
Enter the required text in each disclaimer file
To save & exit
Ctrl o Ctrl x
After making any changes remember to do
signal-event email-update
Note: if you only wish to have a disclaimer for some domains, then only create a disclaimer text file for those domains.
Note also the criteria for when a disclaimer is attached (see http://bugs.contribs.org/show_bug.cgi?id=2648), e.g. a disclaimer is added to internal-to-external messages but not to internal-to-internal messages.
There are also various switches that can be applied
(see http://bugs.contribs.org/show_bug.cgi?id=2648).
To disable the disclaimer function for all domains on your sme server
config setprop smtpd disclaimer disabled
signal-event email-update
Email WBL server manager panel
There is a server-manager contrib to allow GUI control of email white and black lists, detailed in the wiki article: Email_Whitelist-Blacklist_Control.
The panel allows easy configuration of functionality that is built into qmail, qpsmtpd and spamassassin. For more information google for qmail & qpsmtpd, read the spamassassin section in this wiki article and see Email#Default_Plugin_Configuration (the default qpsmtpd plugin configuration).
There are two main sections, Blacklist and Whitelist, where you can control settings.
Blacklist - Black lists are used for rejecting e-mail traffic
- DNSBL status - DNSBL is an abbreviation for "DNS blacklist". It is a list of IP addresses known to be spammers.
- RHSBL status - RHSBL is an abbreviation for "Right Hand Side Blacklist". It is a list of domain names known to be spammers.
- qpsmtpd badhelo - Check a HELO message delivered from a connecting host. Reject any that appear in badhelo during the 'helo' stage.
- qmail badmailfrom - Check envelope sender addresses. Reject any that appear (@host or user@host) in badmailfrom during the 'mail' stage.
Whitelists - White lists are used for accepting e-mail traffic
- Whitelists status - White Lists: ACCEPT
- qpsmtpd whitelisthosts - Any IP address listed in whitelisthosts will be exempted from any further validation during the 'connect' stage.
- qpsmtpd whitelisthelo - Any host that issues a HELO matching an entry in whitelisthelo will be exempted from further validation during the 'helo' stage.
- qpsmtpd whitelistsenders - Any envelope sender of a mail (@host or user@host) matching an entry in whitelistsenders will be exempted from further validation during the 'mail' stage.
- spamassassin whitelist_from - Any envelope sender of a mail (*@host or user@host) matching an entry in whitelist_from will be exempted from spamassassin rejection.
External Access
Allow external IMAP mail access
There was a deliberate decision to remove non-SSL protected username/password services from the external interface.
To allow unsecured IMAP access:
config setprop imap access public
signal-event email-update
But before you do this, try to use secure IMAP.
fixme: explain how
POP3 & webmail HTTP
I want to set my SMESERVER to allow POP3 (or webmail HTTP) but it's not an option, I only see POP3S (or webmail HTTPS).
The SMESERVER is secure by design. POP3 (or webmail HTTP) is viewed as inadequate security and removed as an option from a standard installation to encourage unknowing administrators to select the 'best practice' option -a secure connection with POP3S, IMAPS, or HTTPS.
You can still set your SMESERVER to allow POP3 settings by:
config setprop pop3 access public
signal-event email-update
Allow external pop3 access
Email settings > POP3 server access in SME 7.1 server-manager allows only pop3s protocol for clients outside the LAN. Some email clients (eg The Bat! v3.98.4) won't allow pop3s connections to SME 7.1 because of ssl version conflict. Until this is sorted out, a workaround is to hack SME to allow regular pop3 on the external interface using the following commands.
config setprop pop3 access public
signal-event email-update
svc -t /service/pop3s
More information: bugzilla:2620
Imap
Folders with a dot in name
Email folder names that have a period ('.') in the folder name will be split into sub-folders. E.g. the folder name 'www.contribs.org' is created as three nested folders:
www > contribs > org
qpsmtpd
SME uses the qpsmtpd smtp daemon.
Official Description
qpsmtpd is a flexible smtpd daemon written in Perl. Apart from the core SMTP features, all functionality is implemented in small "extension plugins" using the easy to use object oriented plugin API.
qpsmtpd was originally written as a drop-in qmail-smtpd replacement, but now it also includes smtp forward, postfix, exim and maildir "backends".
qpsmtpd wiki: http://wiki.qpsmtpd.org
Default Plugin Configuration
SME uses the following qpsmtpd plugins to evaluate each incoming email.
SME maintains 2 distinct configurations: one for the 'local' networks (as defined in server-manager::Security::Local networks) and another for 'remote' networks (everyone else).
The default configuration of each plugin is indicated in the 'Default Status' column.
Plugin | Purpose | Default Status |
---|---|---|
hosts_allow | Prohibit more than "InstancesPerIP" connections from any single host (change with 'config setprop smtp InstancesPerIP'). Allow or deny connections according to the contents of /var/service/qpsmtpd/config/hosts_allow. See hosts_allow SVN code for more details. | enabled |
peers | Allow different plugin configuration based on the sending computer's IP address. By default SME maintains different configurations for the local networks (in /var/service/qpsmtpd/config/peers/local) and for everyone else (in /var/service/qpsmtpd/config/peers/0) | enabled |
logging/logterse | Allow greater logging detail using smaller log files. Optionally supports qplogsumm.pl to compile qpsmtpd statistics. | enabled |
auth/auth_cvm_unix_local | Allow authenticated smtp relay | enabled (remote) disabled (local) |
check_earlytalker | reject email from servers that talk out of turn | enabled (remote) disabled (local) |
count_unrecognized_commands | reject email from servers that issue X invalid commands | enabled (remote) disabled (local) |
bcc | bcc all email to a specific address for archiving | disabled |
check_relay | Check to see if relaying is allowed (in case the recipient is not listed in one of SME's local domains) | enabled |
check_norelay | Check to see if the sending server is specifically forbidden to relay through us. | enabled |
require_resolvable_fromhost | Check that the domain listed in the sender's email address is resolvable | enabled (remote) disabled (local) |
check_basicheaders | reject email that lacks either a From: or Date: header | enabled |
rhsbl | Reject email if the sender's email domain has a reputation for disregarding smtp RFCs. | disabled (always disabled for local connections) |
dnsbl | Reject email from hosts listed in your configured dnsbl servers | disabled |
check_badmailfrom | Reject email where the sender address is listed in /var/service/qpsmtpd/config/badmailfrom | enabled |
check_badrcptto_patterns | Reject email addressed to any address matching an expression listed in /var/service/qpsmtpd/config/badrcptto_patterns | enabled |
check_badrcptto | Reject email addressed to any address listed in /var/service/qpsmtpd/config/badrcptto | enabled |
check_spamhelo | Reject email from hosts that say 'helo ...' using a value in /var/service/qpsmtpd/config/badhelo | enabled |
check_smtp_forward | If config show DelegateMailServer or db domains show <domainname> MailServer is set (telling SME to deliver email for all domains or just <domainname> to another server), check_smtp_forward will connect to the specified server and will reject the message outright if the internal mail server would also reject it. | disabled unless an internal mail server is configured. |
check_goodrcptto | Accept email only if the recipient address matches an entry in /var/service/qpsmtpd/config/goodrcptto. For domains that are configured to use an internal mail server, the entire domain name will be added to .../goodrcptto. | enabled |
rcpt_ok | Return 'OK' if none of the other host checks has returned 'DENY' (??) | enabled |
pattern_filter | Reject email according to content patterns (??) | disabled |
tnef2mime | Convert MS TNEF (winmail.dat) and uuencoded attachments to MIME | enabled |
disclaimer | Add a configurable disclaimer to email messages | disabled |
spamassassin | Check email using spamassassin, and optionally reject it completely if the score exceeds a configurable value. | disabled (always disabled for local connections) |
virus/clamav | Scan incoming email with ClamAV | enabled |
queue/qmail-queue | Deliver the incoming message to qmail for delivery. | enabled |
Other QPSMTPD Plugins
The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default.
Plugin | Purpose | Default Status |
---|---|---|
connection_time | Track the total time for each qpsmtpd connection from 'Accepted connection' through 'click, disconnecting', and output the results to the qpsmtpd log file. | not installed |
GeoIP | Track the geographic origin of incoming email and optionally reject email from specified countries | not installed |
Internal Mail Servers
SME can be configured as a spam and antivirus filter for one or more "Internal" mail servers on a domain-by-domain basis. The mail server specified does not have to be on the same local network as your SME server.
Deliver ALL email to a single internal mail server
You can deliver all email for all domains on your SME server to a single internal mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server.
Deliver email for one domain to an internal mail server
You can also configure only a single domain to use an internal mail server, or you can configure different domains to use different internal mail servers.
First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain.
Then, assuming your domain is called test.com and the actual mail server is at a.b.c.d, issue the following commands:
db domains setprop test.com MailServer a.b.c.d
signal-event email-update
Secondary/Backup Mail Server Considerations
Many people misunderstand the issues of using a secondary or backup mail server (backup MX) to hold your mail before it gets delivered to your SME Server. If you consider putting a backup mail server in place because you are concerned about lost mail because your internet connection may occasionally drop out, think again and consider the issues discussed below.
What is Backup MX
A backup MX is a system whereby through your DNS records you tell other servers on the internet that in order to deliver mail to your domain they first need to try the primary MX record and if they fail to connect they can try to connect to one or more of your listed backup or secondary mail servers. See also http://en.wikipedia.org/wiki/MX_record
The process of delivering email to your SME Server
So let's look at how mail gets delivered, without and with a backup MX, when your Internet link, ISP or server is down.
Without a backup MX
- The sending mail server cannot connect to your server.
- The sending mail server MUST queue the mail and try again later.
- The mail stays on the sender's server.
- The sender's server resends the mail at a later date.
The requirement to re-queue is a fundamental part of the SMTP protocol - it is not optional. So, if your server is offline due to a link or ISP outage, the mail just stays at the sender's server until you are once again reachable.
With a backup MX
- The sending mail server cannot contact your server.
- The sending mail server sends the mail to your secondary MX.
- The secondary MX queues the mail until your link/server is up.
- The mail is queued on an untrusted third-party mail server (think about confidential mail between your company and some business partner).
- The sending mail server's administrator thinks it has been delivered, according to their logs.
- You have no, or little, visibility over the queued mail.
- When your link comes up, the secondary MX sends the mail on to your server.
- You have added more hops, more systems and more delay to the process.
If you think that a backup MX will protect you against broken mail servers which don't re-queue, it won't. Those servers will drop mail on the floor at random times, for example when their Internet link is down.
Those servers are also highly likely to never try your backup MX.
Thankfully those servers are mostly gone from the Internet, but adding a secondary MX doesn't really improve the chances that they won't drop mail destined for your server on the floor.
Backup MX and SPAM Filtering
On top of the issue indicated above, there is another issue to consider, and that is what happens with SPAM due to the use of a backup MX.
Your SME Server takes care of filtering a lot of SPAM by checking on the full username & domain at the time it is received.
For example if your server hosts example.com and someone sends mail to joeuser@example.com, the server will only accept the mail if joeuser is a local user/alias/group/pseudonym on the server. Otherwise, the mail is rejected during the SMTP transaction.
A backup mail server however, generally does not have a full list of users against which it can check if it should accept the mail for the given domain. Hence it will accept mail for invalid users.
So:
- If you trust the secondary MX, you will accept a lot of SPAM when the link comes up.
- If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.
- Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.
The SPAM backscatter can only be stopped if the secondary MX has a full list of users for your domain to allow filtering to occur.
But:
- You need to be able to configure this secondary MX with such user/domain lists
- You need to maintain these secondary configurations when users are added/deleted from your primary server configuration
- You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.
Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find out they are misconfigured is when you go to use them, and then you find that the backup MX has changed configuration and bounced all of your mail.
Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you.
- If you bounce mail at your server, you have logs to show what's wrong.
- If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.
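The following is an added, constructed model of the argument above; it is not SME Server or qpsmtpd code. It contrasts a primary server that validates the full recipient address during RCPT TO with a backup MX that only knows which domains it relays for, and counts how many messages turn into backscatter when the secondary forwards them later. The hosted domain, the recipient list and the sample envelopes are all assumed.

```python
# Constructed model (not SME Server code) of why SMTP-time recipient checks
# matter: the primary server rejects unknown users during RCPT TO, while a
# typical backup MX knows only the domain and bounces later, producing
# backscatter to (often forged) envelope senders.

LOCAL_DOMAINS = {"example.com"}                       # assumed hosted domain
LOCAL_RECIPIENTS = {"joeuser@example.com",            # assumed users/aliases
                    "sales@example.com"}


def split_address(address):
    """Return (localpart, domain) lower-cased, or ("", "") if malformed."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return "", ""
    return local, domain


def primary_rcpt_to(recipient):
    """RCPT TO decision of the primary server: refuse relaying for foreign
    domains and refuse unknown local users before any message data is read."""
    local, domain = split_address(recipient)
    if domain not in LOCAL_DOMAINS:
        return 550, "relaying denied"
    if f"{local}@{domain}" not in LOCAL_RECIPIENTS:
        return 550, "no such user"
    return 250, "ok"


def backup_rcpt_to(recipient, known_users=None):
    """RCPT TO decision of a backup MX. With known_users=None it behaves like a
    typical secondary that only knows which domains it relays for; pass the
    primary's recipient list to model a properly synchronised secondary."""
    local, domain = split_address(recipient)
    if domain not in LOCAL_DOMAINS:
        return 550, "relaying denied"
    if known_users is not None and f"{local}@{domain}" not in known_users:
        return 550, "no such user"
    return 250, "queued for primary"


def simulate(messages, via_backup, known_users=None):
    """Count outcomes for (envelope_sender, recipient) pairs delivered either
    directly to the primary or via a backup MX that forwards later."""
    counts = {"accepted": 0, "rejected_at_smtp": 0, "backscatter": 0}
    for _sender, recipient in messages:
        if not via_backup:
            code, _ = primary_rcpt_to(recipient)
            counts["accepted" if code == 250 else "rejected_at_smtp"] += 1
            continue
        code, _ = backup_rcpt_to(recipient, known_users)
        if code != 250:
            # Refused inside the SMTP dialogue: the sending server still
            # owns the message and its logs show the refusal.
            counts["rejected_at_smtp"] += 1
            continue
        # The secondary already answered 250, so the sender's logs say
        # "delivered". When it forwards to the primary and gets 550, the only
        # option left is a bounce to the envelope sender: backscatter.
        code, _ = primary_rcpt_to(recipient)
        counts["accepted" if code == 250 else "backscatter"] += 1
    return counts


# Constructed sample envelopes: two legitimate, two to non-existent users with
# forged senders, and one attempt to relay to a foreign domain.
SAMPLE_MESSAGES = [
    ("partner@example.net", "joeuser@example.com"),
    ("spammer@example.org", "nosuchuser@example.com"),
    ("forged@victim.example", "zzzz@example.com"),
    ("someone@example.net", "Sales@example.com"),
    ("anyone@example.net", "user@other.example"),
]

if __name__ == "__main__":
    print("direct:       ", simulate(SAMPLE_MESSAGES, via_backup=False))
    print("naive backup: ", simulate(SAMPLE_MESSAGES, via_backup=True))
    print("synced backup:", simulate(SAMPLE_MESSAGES, via_backup=True,
                                      known_users=LOCAL_RECIPIENTS))
```

Run as-is, the direct and synchronised-secondary cases reject the same three envelopes during SMTP and generate no bounces, while the naive secondary turns the two forged-sender messages into backscatter. The `known_users` parameter is the "full list of users for your domain" the text says a secondary needs, and the maintenance burden of keeping it current is exactly the point of the bullets above.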
Summary
In summary, if your server/Internet connection is available most (let's say >90%) of the time, you are generally better off without a secondary MX.
If your server/link is down more than this (e.g. dialup), you should not be delivering mail directly to your server.
If you still want to consider setting up a secondary MX, ensure that:
- you have full control of the configuration of each of the email gateways for your domain
- each gateway can make decisions on whether to accept/reject mail for the users at the domain
User accounts
Multiple users with the same name on different domains
SME only supports one name set, so you cannot have multiple user accounts for the same user (e.g. joe) at different domains; you can only have one user account for joe, which applies to all domains.
The workaround is to create user accounts with names different from those you want to use as email addresses.
e.g.
- create user account joe1
- create user account joe2
- create user account joe3
DO NOT create a user account for joe
- create pseudonym for joe@domain1 which forwards to user account joe1
- create pseudonym for joe@domain2 which forwards to user account joe2
- create pseudonym for joe@domain3 which forwards to user account joe3
joe1 logs in using joe1 but advertises their email address as joe@domain1
Your main or primary domain is created during initial setup in the admin console, Configure this server. Your additional domains are created using the Domains panel, and are called Virtual domains, but they function virtually identically to the main domain. In the Domains panel, you select an ibay for the content that will apply to virtual domain web sites.
The mail server accepts mail for all valid domains (either the main or virtual), and delivers the mail to end user accounts or pseudonym addresses.
Note that you do not need to use pseudonyms; you can instead do the following.
- create user account joe1 with effective email address of joe1@domain1
- create user account joe2 with effective email address of joe2@domain2
- create user account joe3 with effective email address of joe3@domain3
This arrangement will work fine, but note that if email is inadvertently sent to joe2@domain1 then joe2@domain2 will still receive that email (rather than joe1@domain1). External users would not really be sending to joe2@domain1 as that address has never been advised to anyone as being active.
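As an added illustration of the two arrangements above (constructed model, not SME Server code), the function below resolves an incoming address to a local account the way the text describes: account names apply to every hosted domain, while a pseudonym is tied to one exact address. It assumes that a pseudonym for the exact address takes precedence over the account lookup and that mail for an unknown domain or name is refused; the domain and account names are the ones used in the example above.

```python
# Constructed model (not SME Server code) of SME's single, domain-independent
# user name set combined with domain-specific pseudonyms. Assumptions: account
# names match any hosted domain, a pseudonym for the exact address wins over
# the account lookup, and unknown domains or names are refused at RCPT TO.

HOSTED_DOMAINS = {"domain1", "domain2", "domain3"}     # main + virtual domains

# Arrangement 1 from the text: numbered accounts plus per-domain pseudonyms
# for "joe" (and no account called plain "joe").
ACCOUNTS = {"joe1", "joe2", "joe3"}
PSEUDONYMS = {
    "joe@domain1": "joe1",
    "joe@domain2": "joe2",
    "joe@domain3": "joe3",
}

# Arrangement 2 from the text: no pseudonyms; users advertise joeN@domainN.
NO_PSEUDONYMS = {}


def resolve_recipient(address, accounts=ACCOUNTS, pseudonyms=PSEUDONYMS,
                      domains=HOSTED_DOMAINS):
    """Return the local account an address is delivered to, or None if the
    server would reject it during the SMTP transaction."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or domain not in domains:
        return None                      # not one of our domains: relaying denied
    full = f"{local}@{domain}"
    if full in pseudonyms:
        return pseudonyms[full]          # domain-specific pseudonym
    if local in accounts:
        return local                     # account names apply to every domain
    return None                          # unknown user: rejected at RCPT TO


def delivery_map(addresses, **kwargs):
    """Resolve a batch of addresses; useful for checking an arrangement
    before advertising the addresses to anyone."""
    return {addr: resolve_recipient(addr, **kwargs) for addr in addresses}


# Constructed addresses to probe: the advertised ones, the cross-domain
# accident described in the text, an unhosted domain and an unknown name.
CHECKS = [
    "joe@domain1", "joe@domain2", "joe2@domain1",
    "joe1@domain2", "joe@domain9", "bob@domain1",
]

if __name__ == "__main__":
    for addr, acct in delivery_map(CHECKS).items():
        print(f"with pseudonyms:    {addr:14} -> {acct}")
    for addr, acct in delivery_map(CHECKS, pseudonyms=NO_PSEUDONYMS).items():
        print(f"without pseudonyms: {addr:14} -> {acct}")
```

In both arrangements joe2@domain1 is delivered to joe2, which is the cross-domain behaviour the text warns about; with the pseudonyms in place joe@domain1 and joe@domain2 land in different mailboxes, and without them plain joe@domain1 is refused because no account or pseudonym named joe exists.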