Line 1: |
Line 1: |
− | ===Email=== | + | {{usefulnote}} |
− | ====Spam==== | + | {{Languages}} |
− | =====Spamassassin===== | + | Information on the email subsystem used in SME Server, covering sending/receiving, spam filtering, virus checking, webmail, domains and users. |
| + | |
| + | ==Troubleshooting== |
| + | I am having trouble getting SME to send and receive email. |
| + | |
| + | Sending and receiving email are separate functions. You need to investigate each individually. |
| + | |
| + | ===Sending=== |
| + | If SME Server does not send mail, examine /var/log/qmail/current to see what happens when it tries. Most commonly the problem is solved by relaying outbound mail through your ISP's mail server, possibly with encryption and/or authentication. Read the manual. |
| + | |
| + | ===Receiving=== |
| + | If SME Server does not receive mail, first ensure that SMTP connections actually reach the server (DNS MX/A records, router port forwarding, ISP blocking of port 25), then examine /var/log/qpsmtpd/current to see what SME Server does with the connections it receives. Most problems are DNS, router or ISP issues and have nothing to do with the operation or configuration of SME Server. |
| + | |
| + | ====qpsmtpd "Connection Timed Out" errors==== |
| + | See [[Bugzilla:6888]] and [[Bugzilla:2360]] |
| + | |
| + | A qpsmtpd timeout error is not caused by SME Server itself; it is usually a symptom of Path MTU discovery failing somewhere on the network path, so whether it bites depends on hardware and configuration outside the server. |
| + | |
| + | The problem is discussed under various names: |
| + | |
| + | *Path MTU Discovery Blackhole http://www.phildev.net/mss/mss-talk.pdf |
| + | *Path MTU Discovery Failures http://www.wand.net.nz/~mluckie/pubs/debugging-pmtud.imc2005.pdf |
| + | *TCP Problems with Path MTU Discovery http://www.ietf.org/rfc/rfc2923.txt |
| + | |
| + | As discussed in [[Bugzilla:6888]], a workaround was found that may help to mitigate the issue. |
| + | |
| + | The [http://linux.die.net/man/8/tracepath tracepath] utility (included with SME 8.0 and SME 7.6) can be used to locate hops with a non-standard MTU between your SME server and any remote host. |
| + | |
| + | You can discover the smallest MTU between you and google.com (for example) by running this command, then locating the smallest value of "pmtu" in the results: |
| + | tracepath google.com |
| + | |
| + | If tracepath reports any pmtu value below 1500 on the path to a mail server you need to receive mail from, you may need to lower the MTU on the SME server to match the smallest value reported. |
| + | |
| + | For example, if tracepath reports 1492 (typical for internet connections using PPPoE), set the MTU on your SME server to the same value (1492) with the following: |
| + | |
| + | config setprop InternalInterface MTU 1492 |
| + | signal-event post-upgrade; signal-event reboot |
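| + | As an added example (not from the SME Server documentation or code), the following shell script automates the check above: it extracts every pmtu value from tracepath output, takes the smallest, and prints the two commands from this page only when that value is below the 1500-byte Ethernet default. The tracepath output embedded in it is constructed (a PPPoE hop at 1492); on a real server pipe the output of tracepath into min_pmtu instead. The InternalInterface key is the one used on this page and is an assumption about which interface carries your SMTP traffic. |

```shell
#!/bin/sh
# Added example: find the smallest path MTU in tracepath output and print the
# SME commands from this page when it is below the interface default.
# SAMPLE_TRACEPATH is CONSTRUCTED for the example (a PPPoE link at hop 2);
# on a real server run:  tracepath mail.example.com | min_pmtu

SAMPLE_TRACEPATH=' 1?: [LOCALHOST]                                         pmtu 1500
 1:  192.168.1.1                                           0.446ms
 2:  10.0.0.1                                              1.120ms pmtu 1492
 3:  198.51.100.1                                          8.552ms
 4:  no reply
 5:  203.0.113.25                                         19.771ms reached
     Resume: pmtu 1492 hops 5 back 5'

# min_pmtu: read tracepath output on stdin, print the smallest "pmtu N" seen.
# The "Resume:" line repeats the final value, so including it is harmless.
min_pmtu() {
    awk '
        { for (i = 1; i < NF; i++)
              if ($i == "pmtu" && $(i+1) ~ /^[0-9]+$/) {
                  v = $(i+1) + 0
                  if (min == "" || v < min) min = v
              } }
        END { if (min != "") print min }
    '
}

# needs_mtu_change <pmtu> [default_mtu]: true when the path MTU is below the
# interface default (1500 unless told otherwise).
needs_mtu_change() {
    [ -n "$1" ] && [ "$1" -lt "${2:-1500}" ]
}

# mtu_advice <pmtu> [default_mtu]: print the commands from this page when a
# change is needed, nothing otherwise. InternalInterface is an assumption
# taken from this page; use the interface that carries your SMTP traffic.
mtu_advice() {
    if [ -z "$1" ]; then
        echo "no pmtu values found in tracepath output" >&2
        return 2
    fi
    if needs_mtu_change "$1" "$2"; then
        echo "config setprop InternalInterface MTU $1"
        echo "signal-event post-upgrade; signal-event reboot"
    fi
    return 0
}

# Run it on the constructed sample:
pmtu=$(printf '%s\n' "$SAMPLE_TRACEPATH" | min_pmtu)
echo "smallest pmtu on path: $pmtu"
mtu_advice "$pmtu"
```

| + | Only lower the MTU when the small value sits on the path to a mail server you must receive from; a single low hop on an unrelated route is no reason to change the server. |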
| + | |
| + | ===Webmail broken after upgrade=== |
| + | After the usual post-upgrade and reboot, webmail is broken, with messages like the following in /var/log/messages: |
| + | |
| + | Apr 20 17:29:53 mail [4614]: PHP Fatal error: Call to a member function on a non-object in /home/httpd/html/horde/imp/lib/Block/tree_folders.php on line 65 |
| + | Apr 20 17:29:53 mail [4614]: PHP Warning: Unknown(): Unable to call () - function does not exist in Unknown on line 0 |
| + | |
| + | As a workaround, log out of Horde, close the browser, reopen it and log in to Horde again; webmail should then be fully functional. (Based on the suggested fix in [[Bugzilla:5177]]) |
| + | |
| + | ==Spam== |
| + | ===Spamassassin=== |
| + | ====Spam filter with Server-Manager==== |
| + | Using the Server-Manager Configuration > E-Mail panel, adjust the settings to these reasonable defaults: |
| + | |
| + | *Virus scanning Enabled |
| + | *Spam filtering Enabled |
| + | *Spam sensitivity Custom |
| + | *Custom spam tagging level 4 |
| + | *Custom spam rejection level 12 |
| + | *Sort spam into junkmail folder Enabled |
| + | *Modify subject of spam messages Enabled |
| + | |
| + | I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two). |
| + | |
| + | Click Save. |
| + | ====How It Works==== |
| + | |
| + | When a message comes in, the server first checks the sending host against the RBL and DNSBL lists, if enabled. If the sender is listed, the message is rejected outright at SMTP time and SpamAssassin never sees it. |
| + | |
| + | With this configuration, the spammiest messages, those scoring 12 or above, are rejected at the SMTP level. Messages scoring between 4 and 12 are routed to the user's (IMAP) junkmail folder, so that users can check for false positives: valid messages that SpamAssassin classified as spam. |
| + | |
| + | Users may check their junkmail folder for false positives via webmail or, if they use an IMAP mail client, by simply opening the junkmail folder exposed by their client: |
| + | |
| + | https://servername/webmail |
| + | |
| + | ====Enable/Disable Filtering Per-User==== |
| + | |
| + | This procedure does not really disable spam filtering; it only stops spam from being sorted into the 'junkmail' folder. |
| + | |
| + | Per-user sorting is enabled by default. Disable it for a user with the following commands, as root: |
| + | |
| + | db accounts setprop USERNAME SortSpam disabled |
| + | db accounts show USERNAME # only displays settings |
| + | signal-event user-modify USERNAME |
| + | |
| + | |
| + | ====Use the Junkmail folder==== |
| + | By default SpamAssassin leaves tagged spam in the inbox, which is convenient for users in case of false positives, but it is impractical for learning and does not make the user's life easier (the setting is also available in the server-manager). To sort spam straight into the junkmail folder, issue the commands below: |
| + | |
| + | config setprop spamassassin SortSpam enabled |
| + | signal-event email-update |
| + | |
| + | ====Message Retention Time==== |
| Set SpamAssassin to delete junkmail automatically. | | Set SpamAssassin to delete junkmail automatically. |
| You can change the number of days after which SpamAssassin deletes junkmail, for example to delete after two months: | | You can change the number of days after which SpamAssassin deletes junkmail, for example to delete after two months: |
Line 8: |
Line 97: |
| signal-event email-update | | signal-event email-update |
| | | |
− | | + | ====Spam score Level and Spam score rejection==== |
| The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom. | | The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom. |
− | 1. Open server-manager.
| + | <ol><li>Open server-manager. |
− | 2. Click e-mail in the navigation pane (left-hand side).
| + | </li><li>Click e-mail in the navigation pane (left-hand side). |
− | 3. Click Change e-mail filtering settings.
| + | </li><li>Click Change e-mail filtering settings. |
− | 4. Change "Spam sensitivity" to custom and adjust the settings to your liking.
| + | </li><li>Change "Spam sensitivity" to custom and adjust the settings to your liking. |
| + | </li></ol> |
| | | |
| This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first. | | This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first. |
− | ======Custom Rule Scores====== | + | |
| + | For reference, each Sensitivity setting results in the following tagging and rejection levels: |
| + | |
| + | {| class="wikitable" |
| + | |- |
| + | !Sensitivity!!Spam tagging level!!Spam rejection level |
| + | |- |
| + | |Custom||TagLevel value <br>(Custom spam tagging level)||RejectLevel value <br>(Custom spam rejection level) |
| + | |- |
| + | |veryhigh||2||No rejection |
| + | |- |
| + | |high||3||No rejection |
| + | |- |
| + | |medium||5||No rejection |
| + | |- |
| + | |low||7||No rejection |
| + | |- |
| + | |verylow||9||No rejection |
| + | |} |
| + | |
| + | ====X-Spam-Level Header in Email Messages==== |
| + | SME does not create an X-Spam-Level header in processed email messages by default. |
| + | |
| + | To enable this capability: |
| + | /usr/bin/yum install --enablerepo=smecontribs smeserver-qpsmtpd-spamassassinlevelstars |
| + | signal-event email-update |
| + | |
| + | (Based on [[Bugzilla:3505]]) |
| + | {{note box| as of SME8 this functionality seems to be included --[[User:Unnilennium|Unnilennium]] ([[User talk:Unnilennium|talk]]) 09:05, 3 February 2014 (MST)}} |
| + | |
| + | ====spamassassin qpsmtpd's plugins email size limit==== |
| + | This configuration db setting sets the maximum message size; messages larger than this are not passed through the SpamAssassin rules at all, so they reach the user unscored. |
| + | |
| + | The default is 500 kB. To increase the limit, run the following from a root terminal: |
| + | |
| + | db configuration setprop spamassassin MaxMessageSize 2000000 |
| + | increases the limit to 2 MB; apply the change with |
| + | signal-event email-update |
| + | |
| + | (Based on [[Bugzilla:7606]]) |
| + | |
| + | ====Custom Rule Scores==== |
| You can customize the score assigned by a specific Spamassassin rule (SARE_ADULT2 in this case) as follows: | | You can customize the score assigned by a specific Spamassassin rule (SARE_ADULT2 in this case) as follows: |
| mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf | | mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf |
Line 24: |
Line 155: |
| | | |
| You can now add additional tests and custom scores by editing the newly-created template fragment ''20localscores'' and adding new custom scores using: | | You can now add additional tests and custom scores by editing the newly-created template fragment ''20localscores'' and adding new custom scores using: |
− | pico -w /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores | + | nano -w /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores |
| signal-event email-update | | signal-event email-update |
| Each custom score goes on its own line. A score written in parentheses is added to the default score of the test instead of replacing it (use ''score TEST_NAME (-1)'' to lower the score of 'TEST_NAME' by 1). | | Each custom score goes on its own line. A score written in parentheses is added to the default score of the test instead of replacing it (use ''score TEST_NAME (-1)'' to lower the score of 'TEST_NAME' by 1). |
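| + | As an added example that is not part of the original page, the script below shows what the parenthesised form does: it applies a 20localscores fragment to a set of default scores and prints the score SpamAssassin will actually use for each test. The default scores and the fragment are constructed for the example (they are not taken from any SpamAssassin release), and only the single-value form of the score directive, as used on this page, is handled. |

```shell
#!/bin/sh
# Added example: compute the effective SpamAssassin score of each test after
# a 20localscores fragment is applied. "score TEST n" replaces the default,
# "score TEST (n)" adds n to the default. Both inputs are CONSTRUCTED.

DEFAULT_SCORES='SARE_ADULT2 2.5
SPF_FAIL 0.001
SPF_SOFTFAIL 0.665
HTML_MESSAGE 0.001'

LOCAL_SCORES='# 20localscores (constructed fragment)
score SARE_ADULT2 (-1)
score SPF_SOFTFAIL 6.000
score SPF_FAIL 14.000
score MY_LOCAL_RULE 3.5'

# effective_scores <defaults_file>: reads the fragment on stdin and prints
# "TEST effective_score" for every test named in either input, sorted.
effective_scores() {
    awk -v defaults_file="$1" '
        BEGIN {
            while ((getline line < defaults_file) > 0) {
                split(line, f, " "); score[f[1]] = f[2] + 0; seen[f[1]] = 1
            }
        }
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        $1 == "score" && NF == 3 {
            test = $2; val = $3
            if (val ~ /^\(.*\)$/) {                   # "(n)": add n to the default
                gsub(/[()]/, "", val)
                score[test] = (test in score ? score[test] : 0) + val
            } else {                                  # plain n: replace the default
                score[test] = val + 0
            }
            seen[test] = 1
        }
        END { for (t in seen) printf "%s %.3f\n", t, score[t] }
    ' | sort
}

# score_of <TEST> <defaults_file>: effective score of one test (fragment on stdin).
score_of() {
    effective_scores "$2" | awk -v t="$1" '$1 == t { print $2 }'
}

# Write the constructed defaults to a temporary file and run the example.
DEFAULTS_FILE=$(mktemp)
trap 'rm -f "$DEFAULTS_FILE"' EXIT
printf '%s\n' "$DEFAULT_SCORES" > "$DEFAULTS_FILE"
printf '%s\n' "$LOCAL_SCORES" | effective_scores "$DEFAULTS_FILE"
```

| + | A test with no default entry (MY_LOCAL_RULE above) simply takes the custom value; check such names with spamassassin --lint, because a misspelt test name is silently ignored by SpamAssassin. |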
Line 33: |
Line 164: |
| | | |
| References: | | References: |
− | * http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#scoring_options
| |
− | * http://spamassassin.apache.org/tests_3_2_x.html
| |
− | * http://www.rulesemporium.com/
| |
| | | |
− | =====Real-time Blackhole List (RBL)===== | + | *http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#scoring_options |
| + | *http://spamassassin.apache.org/tests_3_2_x.html |
| + | *http://www.rulesemporium.com/ |
| + | |
| + | ====SPF mail rejection/flagging policy==== |
| + | {{Warning box|Please note that these instructions do not apply to SME 9.2, where the version of qpsmtpd (0.96) does all this out of the box. If |
| + | the custom template below is applied to (or left in place on) an SME 9.2 system, you may find that emails are denied when they ought to be accepted!}} |
| + | |
| + | SME Server can reject or flag mail based on SPF records using SpamAssassin and qpsmtpd's 'sender_permitted_from' plugin. The following lines enable the plugin: |
| + | mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/ |
| + | cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/ |
| + | echo sender_permitted_from spf_deny 1 > 30spf |
| + | /sbin/e-smith/expand-template /var/service/qpsmtpd/config/peers/0 |
| + | |
| + | Then set your custom rule scores as described in the [[#Custom_Rule_Scores|Custom Rule Scores]] section of this page; the 20localscores fragment lives in /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf. Base these scores on your tagging and rejection levels in server-manager > Configuration > Email > Change e-mail filtering settings (or the equivalent db configuration values, for those with that skillset): |
| + | echo "score SPF_SOFTFAIL 6.000" >> /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores |
| + | echo "score SPF_FAIL 14.000" >> /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores |
| + | signal-event email-update |
| + | |
| + | In our testing, an email that does not match the SPF record of a domain whose owner has defined a soft fail is attributed 6 points and sorted into the junkmail folder. If the domain owner has defined a hard fail, the email is attributed 14 points and is subsequently rejected. |
| + | <br> |
| + | References (the instructions were adapted to the current qmail/qpsmtpd layout): |
| + | |
| + | *http://forums.contribs.org/index.php?topic=21631.0 |
| + | |
| + | ====Pyzor Timeout==== |
| + | |
| + | See [[Bugzilla: 5973]] |
| + | {{Warning box|SME Server 7.x users should be aware of an issue that can appear in the /var/log/spamd/current log: |
| + | " pyzor: [5281] error: TERMINATED, signal 15 (000f)".}} |
| + | |
| + | This can be mitigated by adding a template fragment. |
| + | |
| + | The template fragment below sets pyzor_timeout from a value in the configuration db. |
| + | If no value is set, it produces no output, so pyzor uses its internal default. The fragment is a single file inside the local.cf template directory; create it under templates-custom (not templates) so that package updates do not overwrite it: |
| + | |
| + | mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf |
| + | nano /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/50pyzor_timeout |
| + | |
| + | Contents of 50pyzor_timeout |
| + | |
| + | { |
| + | my $pyzor_timeout = ($spamassassin{PyzorTimeout} || 0); |
| + | if ($pyzor_timeout ne '0') |
| + | { |
| + | return "pyzor_timeout " . ($pyzor_timeout); |
| + | } |
| + | } |
| + | |
| + | Then a value can be set using: |
| + | |
| + | config setprop spamassassin PyzorTimeout 15 |
| + | signal-event email-update |
| + | |
| + | ====Whitelist and Blacklist==== |
| + | If a message is misclassified as spam by SpamAssassin, you can add the sender to the SpamAssassin whitelist so that future messages from that sender are not filtered. |
| + | Conversely, you can add a spammer to the SpamAssassin blacklist so you never see their spam again. |
| + | Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root). Quote the patterns so the shell does not try to expand the *, and note that a pattern such as *domain2.com also matches addresses at any domain whose name merely ends in domain2.com; *@domain2.com is the safer form. |
| + | |
| + | db spamassassin setprop wbl.global '*@vonage.com' White |
| + | db spamassassin setprop wbl.global '*domain2.com' White |
| + | db spamassassin setprop wbl.global user@domain3.com White |
| + | db spamassassin setprop wbl.global spammer@spamdomain.com Black |
| + | |
| + | You can also block an entire TLD, but be aware that you may be denying a legitimate email in the future: |
| + | db spamassassin setprop wbl.global '*@*.xyz' Black |
| + | db spamassassin setprop wbl.global '*@*.link' Black |
| + | |
| + | Expand the templates and restart the mail services so the change takes effect: |
| + | signal-event email-update |
| + | |
| + | You can view the lists with this command: |
| + | db spamassassin show |
| + | |
| + | These lists can be also controlled by the server-manager with the wbl contrib http://wiki.contribs.org/Email_Whitelist-Blacklist_Control |
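| + | The following shell script is an added example, not SME Server or SpamAssassin code, that ties the "How It Works" section together with the white/black lists: a message is checked against the DNSBL first, then against the global wbl entries, then against the tagging and rejection levels, and the script prints where it ends up. The list entries, levels and messages are constructed; it assumes that wbl.global patterns match the sender address with * and ? wildcards (as SpamAssassin's whitelist_from and blacklist_from do), that a white match scores -100 and a black match +100 (the USER_IN_WHITELIST and USER_IN_BLACKLIST rules), and that the first matching entry wins. |

```shell
#!/bin/sh
# Added example (not SME Server code): walk one inbound message through the
# order of checks described on this page: DNSBL/RHSBL at SMTP time first,
# then SpamAssassin scoring with the wbl.global white/black list, then the
# TagLevel/RejectLevel thresholds. Entries, levels and messages are CONSTRUCTED.
# Assumption: wbl patterns are shell-style globs against the sender address,
# a White match adds -100 (USER_IN_WHITELIST), a Black match adds +100
# (USER_IN_BLACKLIST), and the first matching entry wins.

WBL_GLOBAL='*@vonage.com White
user@domain3.com White
spammer@spamdomain.com Black
*@*.xyz Black'

TAG_LEVEL=4       # "Custom spam tagging level" from the server-manager panel
REJECT_LEVEL=12   # "Custom spam rejection level"

# wbl_lookup <sender>: print White, Black or None for the first matching entry.
wbl_lookup() {
    sender=$1
    found=$(printf '%s\n' "$WBL_GLOBAL" | while read -r pattern colour; do
        case $sender in
            $pattern) echo "$colour"; break ;;   # unquoted on purpose: glob match
        esac
    done)
    echo "${found:-None}"
}

# disposition <sender> <score> <listed-on-dnsbl yes|no>: print reject, junkmail or inbox.
disposition() {
    sender=$1; score=$2; listed=$3
    if [ "$listed" = yes ]; then
        echo reject              # blocked at SMTP time; SpamAssassin never runs
        return 0
    fi
    case $(wbl_lookup "$sender") in
        White) score=$(awk -v s="$score" 'BEGIN { print s - 100 }') ;;
        Black) score=$(awk -v s="$score" 'BEGIN { print s + 100 }') ;;
    esac
    awk -v s="$score" -v tag="$TAG_LEVEL" -v rej="$REJECT_LEVEL" 'BEGIN {
        if (s + 0 >= rej + 0)      print "reject"    # SMTP-level rejection
        else if (s + 0 >= tag + 0) print "junkmail"  # tagged and sorted (SortSpam enabled)
        else                       print "inbox"
    }'
}

# Run the constructed messages through the checks:
for m in "carol@example.org 13.2 no" "carol@example.org 5.0 no" "carol@example.org 1.0 no" \
         "alice@vonage.com 8.0 no" "bob@promo.xyz 0.5 no" "carol@example.org 0.0 yes"; do
    set -- $m
    printf '%-20s score %-5s dnsbl=%-3s -> %s\n' "$1" "$2" "$3" "$(disposition "$1" "$2" "$3")"
done
```

| + | The whitelist entry does not bypass the filter, it only swamps the score, so a whitelisted sender that also trips a blacklist-style rule scoring well over 100 points can still be rejected; conversely, a blacklisted sender is rejected regardless of how clean the message looks. |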
| + | |
| + | ====Testing==== |
| + | |
| + | You can check the auto-learning statistics with this command and watch whether spam tokens accumulate (or not). Note that the Bayesian classifier does not start scoring until it has learned at least 200 spam and 200 ham messages (SpamAssassin's bayes_min_spam_num and bayes_min_ham_num defaults), so don't expect instantaneous results. |
| + | |
| + | sa-learn --dump magic |
| + | |
| + | You can check the spam filter log with this command: |
| + | |
| + | tail -50 /var/log/spamd/current | tai64nlocal |
| + | |
| + | Check spamassassin configuration like this: |
| + | |
| + | spamassassin -D --lint |
| + | |
| + | If you ever see an error such as: |
| + | |
| + | warn: bayes: cannot open bayes databases /etc/mail/spamassassin/bayes_* R/W: tie failed: Permission denied |
| + | |
| + | Try adjusting some permissions with these commands: |
| + | |
| + | chown :spamd /var/spool/spamd/.spamassassin/* |
| + | chmod g+rw /var/spool/spamd/.spamassassin/* |
| + | |
| + | ===Real-time Blackhole List (RBL)=== |
| Enabling RBL's <br> | | Enabling RBL's <br> |
| RBLs are disabled by default to accommodate as many senders as possible (your ISP's mail server may be on an RBL without you knowing it). You can enable RBLs by: | | RBLs are disabled by default to accommodate as many senders as possible (your ISP's mail server may be on an RBL without you knowing it). You can enable RBLs by: |
Line 50: |
Line 278: |
| signal-event email-update | | signal-event email-update |
| | | |
− | Many will argue what's best but most would agree that you can set best-practice recommended settings by: | + | Many will argue about what is best; some say the SME defaults are too aggressive and affect some popular free webmail accounts, but most would agree that the following is a stable, conservative and non-aggressive setting: |
− | config setprop qpsmtpd RBLList zen.spamhaus.org:whois.rfc-ignorant.org:dnsbl.njabl.org | + | config setprop qpsmtpd RBLList zen.spamhaus.org |
| + | signal-event email-update |
| + | |
| + | A conservative setting for the associated DNSBL SBLList is: |
| + | config setprop qpsmtpd SBLList dbl.spamhaus.org |
| signal-event email-update | | signal-event email-update |
| + | |
| | | |
| Note: More information on this topic can be found here: | | Note: More information on this topic can be found here: |
Line 58: |
Line 291: |
| [http://wiki.contribs.org/Updating_to_SME_7.2#DNSBL_Servers] | | [http://wiki.contribs.org/Updating_to_SME_7.2#DNSBL_Servers] |
| | | |
− | =====Server Only===== | + | ====Possible issues with RBL==== |
| + | When an external DNS provider is set in the console menu, it may interfere with some of the blacklists activated here (RHSBL and DNSBL). black.uribl.com is known to reject all mail in this case, with a rejection message delivered to the sender: the list refuses queries from heavily used public resolvers and answers them in a way that makes every lookup appear listed. You can then either: |
| + | |
| + | *Remove black.uribl.com from your SBLList: |
| + | |
| + | config setprop qpsmtpd SBLList multi.surbl.org:rhsbl.sorbs.net:dbl.spamhaus.org |
| + | signal-event email-update |
| + | |
| + | *Let SME Server be the only DNS resolver by removing the DNS provider/forwarder in the console menu. |
| + | |
| + | See http://uribl.com/about.shtml#abuse for more information about this issue with black.uribl.com |
| + | |
| + | ====Obsolete lists==== |
| + | These lists can not be used with smeserver. A migrate fragment will remove them from your settings each time you reconfigure your server. |
| + | |
| + | *RBLList |
| + | |
| + | combined.njabl.org |
| + | list.dsbl.org |
| + | multihop.dsbl.org |
| + | dnsbl.ahbl.org |
| + | |
| + | *SBLLIST |
| + | |
| + | blackhole.securitysage.com |
| + | bulk.rhs.mailpolice.com |
| + | fraud.rhs.mailpolice.com |
| + | porn.rhs.mailpolice.com |
| + | adult.rhs.mailpolice.com |
| + | bogusmx.rfc-ignorant.org |
| + | ex.dnsbl.org |
| + | |
| + | ===Server Only=== |
| Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. For example, the rule that blocks attempts where spammers try "HELO a.b.c.d" where a.b.c.d is your external IP address. | | Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. For example, the rule that blocks attempts where spammers try "HELO a.b.c.d" where a.b.c.d is your external IP address. |
| | | |
Line 64: |
Line 329: |
| | | |
| | | |
− | =====I want to enable GreyListing=====
| + | ===I want to enable GreyListing=== |
| GreyListing support is under the covers and can easily be enabled for those who know what they are doing. However, many experienced users found that they spent more time looking after the greylisting configuration than they received in benefit. | | GreyListing support is under the covers and can easily be enabled for those who know what they are doing. However, many experienced users found that they spent more time looking after the greylisting configuration than they received in benefit. |
| + | see [[Greylisting]] |
| + | |
| + | ===Bayesian Filtering=== |
| + | From [[wikipedia:Naive_Bayes_spam_filtering|Wikipedia]]: |
| + | <blockquote>Naive Bayes classifiers work by correlating the use of tokens (typically words, or sometimes other things), with spam and non-spam e-mails and then using Bayes' theorem to calculate a probability that an email is or is not spam.</blockquote> |
| + | |
| + | SME server supports bayesian filtering, but does not have it enabled by default. |
| + | |
| + | Enabling bayesian filtering, autolearning, and spam/ham training allows spamassassin to learn from received email and improve spam filter performance. [[Bugzilla: 6822]] |
| | | |
− | ====Email Clients==== | + | ====Bayesian Autolearning==== |
− | ====="concurrency limit reached" when using IMAP===== | + | The following commands enable the Bayesian learning filter and set its thresholds: |
| + | config setprop spamassassin UseBayes 1 |
| + | config setprop spamassassin BayesAutoLearnThresholdSpam 6.00 |
| + | config setprop spamassassin BayesAutoLearnThresholdNonspam 0.10 |
| + | config setprop spamassassin UseBayesAutoLearn 1 |
| + | expand-template /etc/mail/spamassassin/local.cf |
| + | sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd |
| + | chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_* |
| + | chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex |
| + | chmod 640 /var/spool/spamd/.spamassassin/bayes_* |
| + | config setprop spamassassin status enabled |
| + | config setprop spamassassin RejectLevel 12 |
| + | config setprop spamassassin TagLevel 4 |
| + | config setprop spamassassin Sensitivity custom |
| + | config setprop spamd SpamLearning enabled |
| + | signal-event email-update |
| + | |
| + | These commands will: |
| + | |
| + | *enable spamassassin |
| + | *configure spamassassin to reject any email with a score above 12 |
| + | *tag spam scored between 4 and 12 in the email header |
| + | *enable bayesian filter |
| + | *'autolearn' as SPAM any email with a score above 6.00 |
| + | |
| + | Note: SpamAssassin requires at least 3 points from header rules and 3 points from body rules |
| + | before it will auto-learn a message as spam. |
| + | The minimum working value for this option is therefore 6, to be changed in increments of 3, |
| + | with 12 considered a good working value. |
| + | |
| + | *'autolearn' as HAM any email with a score below 0.10 |
| + | |
| + | Check the bayes stats with the command: |
| + | sa-learn --dump magic |
| + | |
| + | The database is located in /var/spool/spamd/.spamassassin/bayes |
| + | |
| + | ====LearnAsSpam / LearnAsHam (spam/ham training)==== |
| + | |
| + | LearnAsSpam & LearnAsHam are scripts that can be installed on your server to allow users to manually "train" the bayes database. Training is done by users moving Spam from their Inbox to the "LearnAsSpam" folder, and by COPYING real email that was delivered to junkmail into the "LearnAsHam" folder. All messages in both LearnAsSpam and LearnAsHam are deleted once they have been processed and their tokens have been added to the bayes database. |
| + | |
| + | To install: |
| + | |
| + | * Enable the bayes database as described in [[Email#Bayesian_Autolearning | Bayesian Autolearning]] (not the best approach; manual training by users is preferred), or |
| + | * Install smeserver-learn as per the wiki page [[Learn]] (and keep auto-learning off), then |
| + | * Instruct your users to move any spam they find in their Inbox to their LearnAsSpam folder, and to COPY any non-spam (ham) they find in their junkmail folder into their LearnAsHam folder. |
| + | |
| + | This is a really efficient way to reduce the impact of spam on your particular installation. Do not be afraid to feed messages that are already tagged as spam: they are either ignored if all their tokens are already known, or Bayes picks up one more pattern that may stop the next incoming spam from being accepted. |
| + | |
| + | If you want, the script below counts how many e-mails are sitting in the LearnAsSpam and LearnAsHam folders of all users; it is useful for knowing whether your users actually use those folders (the Learn contrib also sends you a report after each pass). If you are interested in the number of emails left unattended in the junkmail folder, you can install [[mailstats | smeserver-mailstats]] and activate the option to account for them. |
| + | <pre> |
| + | #!/bin/bash |
| + | # ContaLearn.sh - count messages waiting in LearnAsSpam, LearnAsHam and junkmail for every user |
| + | |
| + | # Folder names can be overridden in the configuration db (newer smeserver-learn); |
| + | # fall back to the default folder names when no value is set. |
| + | LearnAsSpam=$(/sbin/e-smith/db configuration getprop LearnAsSpam dir) |
| + | LearnAsSpam=${LearnAsSpam:-LearnAsSpam} |
| + | LearnAsHam=$(/sbin/e-smith/db configuration getprop LearnAsHam dir) |
| + | LearnAsHam=${LearnAsHam:-LearnAsHam} |
| + | JunkMail='junkmail' |
| + | |
| + | # count_files DIR: number of entries in DIR, 0 when the folder does not exist |
| + | count_files() { |
| + |     if [ -d "$1" ]; then ls -1 "$1" | wc -l; else echo 0; fi |
| + | } |
| + | |
| + | echo |
| + | date |
| + | declare -i tspam=0 tham=0 tleft=0 tnseen=0 |
| + | |
| + | printf "%-25s %-11s %-11s %-11s %-11s \n" "User" "LearnAsSpam" "LearnAsHam" "JunkMail" "NotSeen" |
| + | for d in /home/e-smith/files/users/*/; do |
| + |     u=$(basename "$d") |
| + |     # admin's Maildir lives under /home/e-smith, not under files/users |
| + |     [ "$u" = "admin" ] && mailpath="/home/e-smith" || mailpath="/home/e-smith/files/users/$u" |
| + |     spam=$(count_files "$mailpath/Maildir/.$LearnAsSpam/cur") |
| + |     ham=$(count_files "$mailpath/Maildir/.$LearnAsHam/cur") |
| + |     left=$(count_files "$mailpath/Maildir/.$JunkMail/cur")    # junkmail already looked at |
| + |     nseen=$(count_files "$mailpath/Maildir/.$JunkMail/new")   # junkmail never opened |
| + |     if [ "$spam" -gt 0 ] || [ "$ham" -gt 0 ] || [ "$left" -gt 0 ] || [ "$nseen" -gt 0 ]; then |
| + |         printf "%-25s %-11d %-11d %-11d %-11d \n" "$u" "$spam" "$ham" "$left" "$nseen" |
| + |     fi |
| + |     tspam+=$spam; tham+=$ham; tleft+=$left; tnseen+=$nseen |
| + | done |
| + | echo "----------------------------------------------------------------------" |
| + | printf "%-25s %-11d %-11d %-11d %-11d \n" "Total:" $tspam $tham $tleft $tnseen |
| + | echo |
| + | |
| + | </pre> |
| + | |
| + | ====Learn Contrib==== |
| + | The [[Learn]] contrib is intended to install and configure the bayes training tools LearnAsSpam & LearnAsHam. |
| + | |
| + | ====Reset the Bayes Database==== |
| + | Based on this forum post http://forums.contribs.org/index.php/topic,50712.msg258844.html#msg258844 it may be advantageous to remove the bayes database every few years & recreate it, in order to improve spam filtering performance. |
| + | |
| + | Follow these instructions to turn bayes OFF, delete the database, create an empty database, and turn bayes back on: |
| + | |
| + | config setprop spamassassin UseBayes 0 |
| + | signal-event email-update |
| + | 'rm' /var/spool/spamd/.spamassassin/bayes* |
| + | |
| + | config setprop spamassassin UseBayes 1 |
| + | expand-template /etc/mail/spamassassin/local.cf |
| + | sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd |
| + | chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_* |
| + | chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex |
| + | chmod 640 /var/spool/spamd/.spamassassin/bayes_* |
| + | signal-event email-update |
| + | |
| + | Updates to smeserver-spamassassin now require two additional config db settings before Bayesian autolearning is enabled. See forum post https://forums.contribs.org/index.php/topic,54320.msg284208.html#msg284208 |
| + | |
| + | ===The Sonora Communications "Spam Filter Configuration for SME 7" howto=== |
| + | |
| + | http://www.sonoracomm.com/support/19-inet-support/49-spam-filter-configuration-for-sme-7 |
| + | |
| + | ===GeoIP: spam blocking based on geographical information=== |
| + | |
| + | The GeoIP plugin lets us know where our mail server is receiving mail from. If we are receiving too much spam from a particular location, this helps to track it down. We can then use that information to reject connections from that place, taking the load off our server. |
| + | |
| + | {{Note box | This can be a crude way of blocking spam and potentially also block legitimate users!}} |
| + | |
| + | You can find information how to install and use it on the [[GeoIP]] page. |
| + | |
| + | ==Anti Virus== |
| + | SME Server uses Clam AntiVirus (http://www.clamav.net) as the default and built-in anti virus engine. |
| + | |
| + | ===Signatures=== |
| + | By default SME Server will automatically get virus signature database updates from ClamAV. |
| + | |
| + | Other people and organizations have developed additional signatures which can also be used with ClamAV to provide extra protection. Databases of these signatures can be downloaded, installed on SME Server and used by ClamAV. |
| + | |
| + | In order to automate the download and installation of the additional databases, as well as control which databases you use, follow the instruction in the [[Virus:Additional_Signatures|Virus:Additional Signatures]] Howto |
| + | |
| + | ===Heuristic Scan=== |
| + | HeuristicScanPrecedence is a new option in clamav 0.94. |
| + | |
| + | When enabled, if a heuristic scan (such as the phishing scanner) detects a possible virus or phish, scanning stops immediately. Recommended; it saves CPU scan time. |
| + | |
| + | To enable this feature: |
| + | config setprop clamav HeuristicScanPrecedence yes |
| + | expand-template /etc/clamd.conf |
| + | sv t clamd |
| + | |
| + | Default is disabled. |
| + | |
| + | ===Attachment Filtering=== |
| + | The functionality to block possible executable and virus files attached to emails has been incorporated into SME Server v7.x. See the [[SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Filtering|Email]] panel in server manager. |
| + | |
| + | Additional file signature patterns can be added to the SME defaults. See the [[Virus:Email_Attachment_Blocking|Virus:Email Attachment Blocking]] Howto for further information |
| + | |
| + | ==Email Clients== |
| + | ==="concurrency limit reached" when using IMAP=== |
| This sometimes shows up as Thunderbird giving the error message | | This sometimes shows up as Thunderbird giving the error message |
| ''This Mail-server is not a imap4 mail-server'' | | ''This Mail-server is not a imap4 mail-server'' |
| | | |
| One workaround for Thunderbird's behaviour is to set the following Thunderbird preference to false. Be aware that this switches off TLS in the mail client altogether, so the connection to the server is no longer encrypted; raising the concurrency limits as described below is the better fix. | | One workaround for Thunderbird's behaviour is to set the following Thunderbird preference to false. Be aware that this switches off TLS in the mail client altogether, so the connection to the server is no longer encrypted; raising the concurrency limits as described below is the better fix. |
| + | |
| + | *Preferences, Advanced, Config editor (aka about:config): filter on tls. |
| + | *set security.enable_tls to false |
| + | |
| + | If the total concurrency limit is reached, it looks like this in /var/log/dovecot/current: |
| + | |
| + |  @400000005a1c2c1f19c9381c master: Warning: service(imap): process_limit (2) reached, client connections are being dropped |
| + |  @400000005a1c2c291a4712dc imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?) |
| + |  @400000005a1c2c291a471aac imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?) |
| + | |
| + | For the per-IP concurrency limit, it looks like this: |
| + | |
| + |  @400000005a1c2c6214542b94 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<abcdefgh> |
| + |  @400000005a1c2c6233f1bcb4 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<ijklmnop> |
| + | |
The following commands print the current values (the default is echoed if the property has not been set):
| + | db configuration getprop imap ConcurrencyLimit || echo 400 |
| + | db configuration getprop imap ConcurrencyLimitPerIP || echo 12 |
| | | |
You can also raise the ConcurrencyLimitPerIP and/or ConcurrencyLimit values for imap and/or imaps (secure):
| config setprop imaps ConcurrencyLimitPerIP 20 | | config setprop imaps ConcurrencyLimitPerIP 20 |
| signal-event post-upgrade; signal-event reboot | | signal-event post-upgrade; signal-event reboot |
{{Note box|On SME 9 only the key imap has the properties ConcurrencyLimitPerIP, checkConcurrencyLimit and ProcessMemoryLimit. If you set these properties on the key imaps, a migrate fragment will remove them automatically.}}
To see the configuration and follow the log (tai64nlocal converts the @-prefixed timestamps to local time):
 config show imap

 tail -f /var/log/dovecot/current | tai64nlocal
| + | |
| + | More detail can be found [http://forums.contribs.org/index.php?topic=33124.0 here] or [https://forums.contribs.org/index.php/topic,51872.0 here]. |

{{Tip box|On releases where imaps was served by tcpsvd, you can see whether you are running out of connections in /var/log/imaps/current. In the extract below ConcurrencyLimitPerIP was set to 20; a 21st connection from the same address was attempted and was denied.

 tcpsvd: info: pid 30693 from 10.1.0.104
 tcpsvd: info: concurrency 30693 10.1.0.104 21/20
 tcpsvd: info: deny 30693 0:10.1.0.21 ::10.1.0.104:49332 ./peers/10.1.0
}}
| + | {{Tip box|Mobile devices have a tendency to frequently disconnect and connect from the network. When this disconnect happens, the sessions on the server are not always immediately cleaned up (they get cleaned up after a time out of some minutes). When the email client reconnects, they create new network connections and you get into the situation that these new connections get denied because of the concurrency limit. On the mobile device this may be noted as a "Unable to connect to server" message.}} |
| + | {{Tip box|Some email clients use a separate connection per imap folder, so the concurrency limits may occur for users that have many imap folders.}} |
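The two log formats above are easy to eyeball but tedious to count over a day of traffic. The following shell function is an added example (not from the original page or the SME Server project): it reads log lines on stdin, counts how often the global dovecot process_limit, the dovecot per user+IP limit and the tcpsvd per-peer limit were hit, and lists the client IPs behind the per-IP events. The sample lines are constructed for the example, with made-up timestamps, users, IPs and session IDs; the function names are my own.

```sh
#!/bin/sh
# Added example: summarise IMAP concurrency-limit events from dovecot
# (SME 9, /var/log/dovecot/current) and tcpsvd (older releases,
# /var/log/imaps/current) log lines read on stdin.

concurrency_report() {
    awk '
        # dovecot master: the global process_limit was reached
        /process_limit \([0-9]+\) reached/ { global++ }

        # dovecot imap-login: per user+IP limit; pull the client IP out of rip=...
        /Maximum number of connections from user.IP exceeded/ {
            perip++
            if (match($0, /rip=[^,]+/)) {
                ip = substr($0, RSTART + 4, RLENGTH - 4)
                byip[ip]++
            }
        }

        # tcpsvd (older releases): a connection was denied by the per-peer limit
        /tcpsvd: info: deny / { tcpsvd++ }

        END {
            printf "process_limit=%d userip_limit=%d tcpsvd_deny=%d\n", global, perip, tcpsvd
            for (ip in byip) printf "userip %s %d\n", ip, byip[ip]
        }
    ' | sort
}

# Constructed sample in the formats shown above (timestamps, users, IPs
# and session IDs are made up).
SAMPLE_LOG='@400000005a1c2c1f19c9381c master: Warning: service(imap): process_limit (2) reached, client connections are being dropped
@400000005a1c2c291a4712dc imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)
@400000005a1c2c6214542b94 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<alice>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.1, TLS, session=<aaaaaaaa>
@400000005a1c2c6233f1bcb4 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<alice>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.1, TLS, session=<bbbbbbbb>
@400000005a1c2c6233f1bcb5 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<bob>, method=PLAIN, rip=192.168.1.51, lip=192.168.1.1, TLS, session=<cccccccc>
tcpsvd: info: pid 30693 from 10.1.0.104
tcpsvd: info: concurrency 30693 10.1.0.104 21/20
tcpsvd: info: deny 30693 0:10.1.0.21 ::10.1.0.104:49332 ./peers/10.1.0'

# Run it on the sample. On a server: concurrency_report < /var/log/dovecot/current
printf '%s\n' "$SAMPLE_LOG" | concurrency_report
```

An IP that dominates the per-IP list is usually a phone or a client that opens one connection per folder (see the tips above), so a small increase of ConcurrencyLimitPerIP is enough; a rising process_limit count says the global limit is the one to raise.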
| | | |
− | =====Mail server is not an IMAP4 mail server=====
| + | ===Mail server is not an IMAP4 mail server=== |
− | This is a bug in Thunderbird, the previous tips may help | + | This is a bug in Thunderbird, the previous tips may help. |
| | | |
− | =====The Bat=====
| + | ===The Bat=== |
| The gives this error message, but they are wrong.<br> | | The gives this error message, but they are wrong.<br> |
| "This server uses TLS v3.0 which is considered to be obsolete and insecure. | | "This server uses TLS v3.0 which is considered to be obsolete and insecure. |
| | | |
| | | |
− | =====Outlook/Outlook Express give error 10060/0x800CCC90=====
| + | ===Outlook/Outlook Express give error 10060/0x800CCC90=== |
| Most likely OUTLOOK (EXPRESS) isn't configured correctly. | | Most likely OUTLOOK (EXPRESS) isn't configured correctly. |
| | | |
| -you're finished, your email should work now | | -you're finished, your email should work now |
| | | |
− | =====Outlook test message doesn't come through===== | + | ===Outlook 2013 on Windows 10 gives "An unknown error occurred, error code 0x8004011c" when attempting an IMAP connection for a DOMAIN user=== |
| + | This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: [http://bugs.contribs.org/show_bug.cgi?id=9618 Bug 9618]). |
| + | |
Setting the ProtectionPolicy registry value to 1 works around it: DPAPI then keeps a local backup of the user's MasterKey instead of requiring a writable domain controller (RWDC). Add it under the following subkey (the ProtectionPolicy entry may need to be created):

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
 "ProtectionPolicy"=dword:00000001

This changes how DPAPI master keys are backed up for every domain user on that machine, not only for Outlook, so treat it as a client policy decision rather than a mail setting.
| + | |
| + | ===Outlook 2013 on Windows 8.1 gives error 0x800CCC1A when sending over SMTP port 465=== |
| + | This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: [http://bugs.contribs.org/show_bug.cgi?id=8854 Bug 8854]). |
| + | |
The following client-side workaround has been suggested on the [http://www.dovecot.org/list/dovecot/2014-May/096029.html dovecot mailing list]:

Disable TLS 1.2 on the Windows 8.1 client, using a registry entry:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
 "DisabledByDefault"=dword:00000001
 "Enabled"=dword:00000000

If the registry key above does not exist on your system, you will have to create it manually.

Be aware that this disables TLS 1.2 for every Schannel client on that machine, not just Outlook, leaving only TLS 1.0/1.1; apply it only while no other fix is available and remove it afterwards.

Whether the cause lies in OpenSSL or in Microsoft's implementation has not been determined.
| + | |
| + | ===Outlook test message doesn't come through=== |
You clicked TEST ACCOUNT SETTINGS in Outlook, didn't you? This is a bug in Outlook: the test message is sent without a Date header, that is, a message without any date. Since the server rejects mail with no Date header (the header is required), the test message is rejected. To test, send an actual message from Outlook.

If you want, you can try Thunderbird. It is like Outlook but made by a different company; it is completely free and works well at home and at the office.
| | | |
− | =====I can't receive/send email from my application (ACT!, vTiger, MS Outlook, etc)=====
| + | ===I can't receive/send email from my application (ACT!, vTiger, MS Outlook, etc)=== |
| Most likely, this is a bug the application you're using and not a problem with the SMESERVER. The application sends an email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected. | | Most likely, this is a bug the application you're using and not a problem with the SMESERVER. The application sends an email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected. |
| | | |
| signal-event email-update | | signal-event email-update |
| | | |
− | =====After I upgrade my SMESERVER, my email folders have disappeared when using IMAP=====
| + | ===After I upgrade my SME Server, my email folders have disappeared when using IMAP=== |
| After upgrade, if there are missing IMAP folders, the client may need to re-subscribe to folders. This may affect either webmail users or users who use an IMAP email client. | | After upgrade, if there are missing IMAP folders, the client may need to re-subscribe to folders. This may affect either webmail users or users who use an IMAP email client. |
| | | |
− | =====Entourage: Using SME's Self-Signed Certificate for SSL Connections from Entourage on OS X 10.4=====
| + | ===Entourage: Using SME's Self-Signed Certificate for SSL Connections from Entourage on OS X 10.4=== |
− | The main problem here is that Microsoft has decided that Entourage will only support trusted, PEM Base-64 Encoded certificates. To use IMAPS or SMTPS from Entourage with your SME server, you will need to: | + | The main problem here is that Entourage will only support trusted, PEM Base-64 Encoded certificates. To use IMAPS or SMTPS from Entourage with your SME server, you will need to: |
| 1. Login to your Mac as a user with administrative privileges | | 1. Login to your Mac as a user with administrative privileges |
| | | |
| | | |
| Notes: | | Notes: |
− | * Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html
| |
− | * I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.
| |
− | * Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.
| |
| | | |
− | ====Server Settings==== | + | *Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html |
− | =====Delete double bounce===== | + | *I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue. |
− | To stop getting double bounce messages | + | *Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again. |
| + | |
| + | ===How do I get my e-mail to show the correct From Address=== |
| + | |
| + | The From address on an e-mail is not supplied by the server. It is supplied by the e-mail client. |
| + | |
| + | *Configure your Account in your e-mail client with the correct FROM address. |
| + | *You can change the FROM address in webmail with the following: |
| + | **Login to webmail as the user, go to ''options-personal information'' and change the ''identity'' to have the correct FROM address. You can have multiple identities with a single user. |
| + | |
Some mail is generated by the server itself, and some contribs send mail externally. In those cases the server needs a valid, resolvable domain name: buy one or use a free provider such as dyndns.org.
| + | |
| + | ===Outlook 365 / Outlook 2019 IMAP Configuration=== |
| + | |
Microsoft has removed the ability to enter the IMAP/SMTP username in the account setup wizard of Outlook 365 / 2019 for Windows; the wizard insists that the username is the full email address.

To work around this, set up the account through "Mail (Microsoft Outlook 2016)" in the Windows Control Panel:
| + | [[File:Screen Shot 2019-12-04 at 6.44.18 AM.png|450px]] |
| + | |
| + | ==Server Settings== |
| + | ===qmail ConcurrencyLocal=== |
The default value of /var/qmail/control/concurrencylocal is 20. It controls the maximum number of simultaneous local deliveries.

There is an optional property called ConcurrencyLocal on the qmail key in the configuration database (it is not shown unless it has been changed from the default). It sets the value written to /var/qmail/control/concurrencylocal.

For example, to lower the local concurrency limit:
| + | config setprop qmail ConcurrencyLocal 6 |
| + | signal-event email-update |
| + | |
| + | ===qmail ConcurrencyRemote=== |
The default value of /var/qmail/control/concurrencyremote is 20. It controls the maximum number of simultaneous remote deliveries.

There is an optional property called ConcurrencyRemote on the qmail key in the configuration database (it is not shown unless it has been changed from the default). It sets the value written to /var/qmail/control/concurrencyremote.

For example, to lower the remote concurrency limit:
| + | config setprop qmail ConcurrencyRemote 10 |
| + | signal-event email-update |
| + | |
See also this forum comment by CB:
| + | |
| + | http://forums.contribs.org/index.php/topic,50091.msg251320.html#msg251320 |
| + | |
===How long to retry before returning e-mail as undeliverable===
To configure how long SME Server keeps retrying a message before it returns a permanent error:
| + | |
| + | mkdir -p /etc/e-smith/templates-custom/var/qmail/control |
| + | echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime |
| + | expand-template /var/qmail/control/queuelifetime |
| + | sv t qmail |
| + | |
The default value is 604800 seconds, or one week.<br>
The example above sets 172800 seconds, or two days (a weekend for an infrastructure upgrade).
| + | |
| + | source: http://forums.contribs.org/index.php/topic,47471.0.html |
| + | |
| + | |
===Double bounce messages===
A double bounce is a bounce message that could not itself be delivered; qmail sends these to admin by default. To have them go to another user instead:

 config setprop qmail DoubleBounceTo someuser
 signal-event email-update

Or discard them. You then risk losing legitimate double bounces (which are rare, but worth reading when they do occur):
| | | |
| config setprop qmail DoubleBounceTo devnull | | config setprop qmail DoubleBounceTo devnull |
see a longer explanation [[Email_delete_double-bounce_messages | here]]
| | | |
− | =====Keep a copy of all emails=====
| + | ===Keep a copy of all emails=== |
| You may need to keep a copy of all emails sent to or from your email server. | | You may need to keep a copy of all emails sent to or from your email server. |
| This may be for legal, or other reasons. | | This may be for legal, or other reasons. |
| | | |
− | The following instructions will create a new user account (maillog) and forward every email that goes through your SME server to it. | + | The following instructions will create a new user account (default is maillog) and forward every email that goes through your SME server to it. |
| | | |
| First, log onto the server-manager and create the user '''maillog''' | | First, log onto the server-manager and create the user '''maillog''' |
| If you want to view the emails, point your email client at the SME and log on as maillog. | | If you want to view the emails, point your email client at the SME and log on as maillog. |
| | | |
− | =====Set max email size===== | + | You can modify the default user: |
− | Restrict the size of email messages that can pass through your mail server
| + | |
− | config setprop qmail MaxMessageSize x | + | config setprop qpsmtpd BccUser someuser |
| + | |
| + | ====Keep a copy of outgoing emails only==== |
| + | In addition to the commands in the [[#Keep_a_copy_of_all_emails | previous section]] we will also have to create a custom template as follows: |
| + | |
| + | Log in as root or a user with root privileges |
| + | mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/ |
| + | cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/13bcc /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/ |
| + | cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/ |
| + | nano -w 13bcc |
| + | |
| + | change the code to: |
| + | { |
| + | return "# bcc disabled" unless ($qpsmtpd{Bcc} eq "enabled"); |
| + | return "bcc mode " . $qpsmtpd{BccMode} . " outgoing " . $qpsmtpd{BccUser}; |
| + | } |
| + | |
Save with Ctrl+X and confirm with y.
| + | |
| + | Then enable the changes with |
| + | signal-event email-update |
| + | More info: |
| + | perldoc /usr/share/qpsmtpd/plugins/bcc |
| + | |
| + | ===Set Helo hostname=== |
By default the HELO name is hostname.domain, but you may want it to be something else, typically the name your public IP address resolves to in reverse DNS, since some receiving servers check this. To change only the HELO name:
| + | |
| + | config setprop smtpd HeloHost mydomainname |
| + | signal-event email-update |
| + | |
Or, to change the name the server presents everywhere (httpd, qpsmtpd, ...). This may trigger the generation of a new SSL certificate, so use it only if you are sure this is what you want:
| + | |
| + | config set DomainName mydomainname |
| + | signal-event domain-modify |
| + | signal-event email-update |
| + | |
| + | ===Set max email size=== |
| + | |
| + | *IMPORTANT: [[bugzilla: 7876]] points out that if your system has ''/var/service/qpsmtpd/config/databytes'' it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see [[bugzilla: 8329]]). |
| + | |
There are several components involved in sending email on an SME server. Each component has a size limit that may affect an email message that passes through the server.

Be aware that ''email size'' is not the same thing as ''attachment size''. Binary attachments are base64-encoded, which makes them about a third larger than the original file (4 output bytes for every 3 input bytes, plus line breaks), before headers and any text part are added. Most major email clients (Thunderbird, Apple Mail, Outlook) allow you to enable a "message size" column in the message list that will show you the size of your email messages ([http://forums.contribs.org/index.php/topic,48366.msg241720.html#msg241720 More]).
| + | |
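As an added example (not part of the original page), the shell functions below make the attachment-versus-message-size difference concrete: they compute the base64 size of an attachment including the 76-column line breaks, cross-check it against the system base64 tool, and say whether the result fits under a qmail MaxMessageSize. The HEADER_ALLOWANCE value is an assumed budget for headers and MIME boundaries; the function names are mine.

```sh
#!/bin/sh
# Added example: estimate what an attachment costs in message bytes once
# it is base64-encoded with 76-column lines, and compare that against the
# qmail MaxMessageSize limit. A formula for auditing, not qmail/clamav code.

# Encoded size of N raw bytes: 4 output chars per 3 input bytes (rounded up
# to whole groups, padding included), plus one newline per 76-char line.
b64_size() {
    n=$1
    chars=$(( (n + 2) / 3 * 4 ))
    lines=$(( (chars + 75) / 76 ))
    echo $(( chars + lines ))
}

# Cross-check by actually encoding a file (GNU/busybox base64 wrap with -w,
# BSD/macOS base64 with -b).
measured_b64_size() {
    if base64 --help 2>&1 | grep -q -- '-w'; then
        base64 -w 76 "$1" | wc -c | tr -d ' '
    else
        base64 -b 76 "$1" | wc -c | tr -d ' '
    fi
}

# Does an attachment of $1 raw bytes fit under a MaxMessageSize of $2 bytes?
# HEADER_ALLOWANCE is an assumed budget for headers, MIME boundaries and a
# short text part; real messages vary.
HEADER_ALLOWANCE=4096
attachment_fits() {
    if [ $(( $(b64_size "$1") + HEADER_ALLOWANCE )) -le "$2" ]; then
        echo yes
    else
        echo no
    fi
}

# A 12 MB file against the 15000000-byte qmail default: it does not fit,
# while an 11 MB file does.
echo "12 MB file encodes to $(b64_size 12000000) bytes; fits under 15000000: $(attachment_fits 12000000 15000000)"
echo "11 MB file encodes to $(b64_size 11000000) bytes; fits under 15000000: $(attachment_fits 11000000 15000000)"
```

The point to take from the run is that a 12 MB attachment already exceeds a 15 MB qmail limit, so "the limit is 15 MB" should be communicated to users as roughly "attachments up to 11 MB".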
| + | {| width="100%" cellspacing="0" cellpadding="5" border="1" |
| + | !Subsystem |
| + | !Function |
| + | !Default Limit |
| + | !Command to change size |
| + | !Notes |
| + | |- |
| + | |qmail |
| + | |Delivers email to local mailboxes and to remote servers |
| + | |15000000 |
| + | |config setprop qmail MaxMessageSize xx000000 |
| + | |Value is in BYTES. 15000000 equals approximately 15MB.<br>No value means no limit. |
| + | |- |
| + | |clamav |
| + | |Used to scan emails and attachments |
| + | |15M |
| + | |config setprop clamav MaxFileSize 15M |
| + | |Value includes human-readable abbreviations. "15M" equals 15 MegaBytes. |
| + | |- |
| + | |clamd |
| + | |Involved in attachment virus scanning |
| + | |1400000000 |
| + | |config setprop clamd MemLimit 1400000000 |
| + | |May require increase per [https://forums.contribs.org/index.php?topic=54070.0;topicseen this forum topic] |
| + | |- |
| + | |qpsmtpd |
| + | |The clamav plugin to qpsmtpd is called with a specified size limit. |
| + | |25000000 |
| + | |config setprop qpsmtpd MaxScannerSize xx000000 |
| + | |Value is in BYTES.<br>Question: does this value override the setting of 'MaxFileSize', or will the smaller value prevail? |
| + | |- |
| + | |php |
| + | |The php maximum file upload size will determine the largest file you can attach to an email message using horde (or any other php email client) |
| + | |10M |
| + | |config setprop php UploadMaxFilesize 10M |
| + | | |
| + | |- |
| + | |} |
====clamav====
ClamAV has settings that stop it fully expanding archives which could cause problems when unpacked; if an attachment cannot be scanned, it is rejected. These settings can therefore cause a compressed attachment to be rejected on an SME server:

*ArchiveMaxCompressionRatio (default 300)
*MaxFiles (default 1500)
*MaxRecursion (default 8)

For changes to take effect, run:
 signal-event email-update
| + | |
| + | ====spamassassin==== |
By default the qpsmtpd 'spamassassin' plugin does not pass messages larger than 500,000 bytes to SpamAssassin for scanning.

To raise that limit to 2,000,000 bytes:
 db configuration setprop spamassassin MaxMessageSize 2000000
Apply the change with
| + | signal-event email-update |
| + | |
| + | ===Change Horde Webmail Login Page 'Welcome To' Title=== |
The login page for Webmail defaults to "Welcome to Horde Webmail". To change this to something like "Welcome to MyDomain Mail":
| + | config setprop horde Name "MyDomain Mail" |
| signal-event email-update | | signal-event email-update |
| | | |
− | where x is in bytes, eg 6000000 = 6 MB
| + | See also: |
| | | |
− | =====add the admin user as an administrator for Horde===== | + | Other configurable Horde settings [[DB_Variables Configuration#Horde_(webmail)]] |
| + | |
| + | Forum post [http://forums.contribs.org/index.php/topic,31093.0.html 31093] |
| + | |
| + | ===Add the admin user as an administrator for Horde=== |
| | | |
| config setprop horde Administration enabled | | config setprop horde Administration enabled |
| signal-event email-update | | signal-event email-update |
| | | |
− | =====Disable mail to a user from an external network===== | + | ===Large attachments not displaying in webmail=== |
| + | Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also [[bugzilla:3990]]). The following entries are related to the error and can be found in the log files: |
| + | |
| + | '''/var/log/messages''' |
| + | Mar 13 00:00:12 box1 httpd: PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 154 bytes) in /home/httpd/html/horde/imp/lib/MIME/Contents.php on line 173 |
| + | |
| + | '''/var/log/httpd/error_log''' |
| + | Allowed memory size of 33554432 bytes exhausted (tried to allocate 0 bytes) |
| + | |
The default PHP MemoryLimit is 32M. It can be changed with the commands below, replacing ''XX'' with the value you want.
| + | {{Note box|You can set the MemoryLimit any value you like but be sure to add the capital M as a suffix for Megabytes.}} |
| + | db configuration setprop php MemoryLimit XXM |
| + | expand-template /etc/php.ini |
| + | sv t httpd-e-smith |
| + | |
===Disable mail to a user from an external network===
Note that this only affects /var/qmail/control/badrcptto: it denies delivery from external senders to the account but still allows the account to send outbound email (see http://forums.contribs.org/index.php?topic=40449.5).

The account can be a user, a pseudonym or a group:
 db accounts setprop accountname Visible internal
| signal-event email-update | | signal-event email-update |
| | | |
− | =====I can't receive mail at: user@mail.domain.tld===== | + | If you want to remove |
| + | db accounts delprop groupname/username/pseudonym Visible |
| + | signal-event email-update |
| + | |
*To restrict all user accounts at once from the command line (the pattern matches only record lines of the form name=user, not property lines such as Members=user1 inside group records):

 db accounts show | awk -F= '/^[^ =]+=user$/ {print $1}' | while read USER; do db accounts setprop $USER Visible internal; done
 signal-event email-update

To remove it again:
 db accounts show | awk -F= '/^[^ =]+=user$/ {print $1}' | while read USER; do db accounts delprop $USER Visible; done
| + | signal-event email-update |
{{Note box|admin and other system accounts cannot be hidden from the external network this way.

Pseudonyms can also be set to internal only in the server-manager.}}
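The one-liners above depend on selecting the right lines from ''db accounts show'': a pattern that finds "=user" anywhere on a line also matches property lines inside other records. The following shell functions are an added example (not from the page or the project): they select only record lines whose type is exactly user and print the setprop/delprop commands for review before they are run. The sample ''db accounts show'' output is constructed, with made-up names, and the function names are my own.

```sh
#!/bin/sh
# Added example: pick the user accounts (and only them) out of
# "db accounts show" output and emit the matching setprop/delprop commands.
# Record lines look like "key=type"; property lines are indented, e.g.
# "    Members=alice,bob" inside a group record, and must not match.

# Print the key of every record whose type is exactly "user".
list_user_accounts() {
    awk -F= '/^[^ =]+=user$/ { print $1 }'
}

# Emit (do not run) the commands that hide or unhide every user.
# $1 is "hide" or "show".
visible_commands() {
    mode=$1
    list_user_accounts | while read -r u; do
        if [ "$mode" = hide ]; then
            echo "db accounts setprop $u Visible internal"
        else
            echo "db accounts delprop $u Visible"
        fi
    done
}

# Constructed sample of "db accounts show" output (names made up). The
# group record carries "Members=user1,alice", which a naive "=user" grep
# would pick up as an account called "    Members".
SAMPLE_DB='alice=user
    City=
    FirstName=Alice
bob=user
    FirstName=Bob
staff=group
    Description=Staff
    Members=user1,alice
sales=pseudonym
    Account=alice
user1=user
    FirstName=Test'

# Review what would be run. On a server:
#   db accounts show | visible_commands hide      # review
#   db accounts show | visible_commands hide | sh # apply, then signal-event email-update
printf '%s\n' "$SAMPLE_DB" | visible_commands hide
```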
| + | |
| + | ===I can't receive mail at: user@mail.domain.tld=== |
| Add mail.domain.tld as a virtualdomain. | | Add mail.domain.tld as a virtualdomain. |
| -login to SERVER-MANAGER | | -login to SERVER-MANAGER |
| -type: mail.domain.tld | | -type: mail.domain.tld |
| | | |
− | =====How do I find out who is logged into webmail and what IP number.=====
| + | ===How do I find out who is logged into webmail and what IP number.=== |
| This is logged is in /var/log/messages. | | This is logged is in /var/log/messages. |
| | | |
− | =====How do I enable smtp authentication for users on the internal network.===== | + | ===Allow SMTP relay of mail without encryption/authentication=== |
| + | |
By default the server requires encryption and authentication before it relays mail. The options below relax that, in increasing order of exposure.

* In most cases you only want to allow a few specific clients on your LAN or trusted networks. Set a comma-separated list of their IP addresses (replace IP1, IP2, IP3 with real addresses):
 config setprop qpsmtpd UnauthenticatedRelayClients IP1,IP2,IP3
 signal-event email-update

* In some cases a whole dedicated network of appliances needs to send mail without authentication. Replace {$network} with the network key as listed by ''db networks show'':
 db networks setprop {$network} RelayRequiresAuth disabled
 signal-event email-update

* If those do not fit, for instance a list of remote addresses or a sub-network of a larger trusted network, you can create a custom template. The accepted entry formats, for reference:
 mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
 # a sub-network, given as a prefix of the full IP
 echo "10.10.0." >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
 # an external IP
 echo "99.10.1.23" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
 # an external network you control
 echo "164.163.12.1/30" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
 signal-event email-update

* Disable SMTP authentication on all local interfaces, as shown in [[Bugzilla: 6522]]. Every host on your local networks can then relay through the server without credentials, including a compromised one, so only do this on networks you fully control:
 config setprop qpsmtpd RelayRequiresAuth disabled
 signal-event email-update
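Before opening the relay to a list of addresses it is worth checking exactly which clients the entries admit. The shell functions below are an added example, not qpsmtpd's own matching code: they approximate the three entry formats shown above (exact address, dotted prefix, CIDR) and report whether a given client would be treated as a relay client. The sample list uses the addresses from the page; the function names and the sample clients are my own. Note what the check reveals about the last entry: 164.163.12.1/30 admits 164.163.12.0 through .3, because the mask applies to the network, not to the host as written.

```sh
#!/bin/sh
# Added example: audit a relayclients list. Approximates the three entry
# formats shown above; it is not qpsmtpd's matching code.

# Dotted IPv4 address -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# relay_match CLIENT_IP < relayclients-file  -> prints "yes" or "no"
relay_match() {
    client=$1
    client_int=$(ip2int "$client")
    answer=no
    while read -r entry; do
        case $entry in
            ''|'#'*) continue ;;                      # blank line or comment
            */*)                                      # CIDR: network/bits
                net=${entry%/*}; bits=${entry#*/}
                mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
                if [ $(( client_int & mask )) -eq $(( $(ip2int "$net") & mask )) ]; then
                    answer=yes; break
                fi ;;
            *.)                                       # dotted prefix, e.g. 10.10.0.
                case $client in
                    "$entry"*) answer=yes; break ;;
                esac ;;
            *)                                        # exact address
                if [ "$client" = "$entry" ]; then
                    answer=yes; break
                fi ;;
        esac
    done
    echo "$answer"
}

# Sample list in the three formats from the page (the comment line is mine).
RELAYCLIENTS='# one entry per line: prefix, exact IP, CIDR
10.10.0.
99.10.1.23
164.163.12.1/30'

# Which of these constructed clients would relay without authentication?
# On a server: relay_match 10.10.0.5 < /var/service/qpsmtpd/config/relayclients
for c in 10.10.0.5 10.10.1.5 10.100.0.5 99.10.1.23 164.163.12.0 164.163.12.3 164.163.12.4; do
    echo "$c: $(printf '%s\n' "$RELAYCLIENTS" | relay_match "$c")"
done
```

The prefix form is matched as text, so "10.10.0." does not admit 10.100.0.x, but a prefix without the trailing dot would; keep the dot.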
| + | |
===SMTP Authentication: TLS before AUTH, disable and enable===
Since SME 7.5 the default for SMTP authentication is to require TLS before AUTH, so that passwords are never sent in clear text. On an SME 7.4 or earlier server that had SMTP and SSMTP authentication enabled and is then upgraded, users are suddenly unable to send mail: they need to set the authentication encryption in their email clients to TLS or Auto. Some older email clients and devices do not support TLS.

A fix released in SME 7.5.1 allows this requirement to be switched off (reverting to SME 7.4 behaviour). Upgrade to SME 7.5.1 before using these commands.

To allow AUTH without TLS (SME 7.4 behaviour), accepting that passwords then cross the network unencrypted on port 25:
 config setprop qpsmtpd TlsBeforeAuth 0
 signal-event email-update

To change back to the SME 7.5 and later default (AUTH only after TLS):
 config setprop qpsmtpd TlsBeforeAuth 1
 signal-event email-update
| + | See http://forums.contribs.org/index.php/topic,46218.0.html |
| + | |
| + | http://bugs.contribs.org/show_bug.cgi?id=5997 |
| + | |
| + | ===Internet provider's outgoing port 25 is blocked: How to set an alternative outgoing port for the SMTP server=== |
If your Internet provider blocks outgoing SMTP port 25 but offers an alternative port (or you use a relay service), set that port by appending it to the 'Address of Internet provider's mail server' value in the 'E-mail delivery settings' screen of the server-manager, like this:
| + | <internet providers mail server name or ip-address>:<alternative port> |
| + | For example: mail.mydomain.com:587 |
| + | |
This does not alter the incoming SMTP port on the SME server, which remains 25. See http://wiki.contribs.org/PortRedirect for a workaround.
| + | |
| + | ===How do I enable and configure a disclaimer in email messages=== |
A disclaimer can be added to the footer of all outgoing email messages, either the same text for all domains or a different one per domain.

This functionality is part of the SME 7.2 release, so make sure you have upgraded before doing this.
| + | |
To create a general disclaimer for all domains on your SME server:
 config setprop smtpd disclaimer enabled
 nano -w /service/qpsmtpd/config/disclaimer
Enter the required disclaimer text.

To save and exit:
| + | Ctrl o |
| + | Ctrl x |
| + | To make the changes take effect |
| + | signal-event email-update |
| + | |
| + | |
To create domain-specific disclaimers, create a separate disclaimer text file per domain.

Delete the general (all domains) disclaimer file if you have already created it:
| + | rm /service/qpsmtpd/config/disclaimer |
| + | config setprop smtpd disclaimer enabled |
| + | nano -w /service/qpsmtpd/config/disclaimer_domain1.com.au |
| + | nano -w /service/qpsmtpd/config/disclaimer_domain2.com |
| + | nano -w /service/qpsmtpd/config/disclaimer_domain3.org |
| + | |
Enter the required text in each disclaimer file.

To save and exit:
 Ctrl o
 Ctrl x
After making any changes remember to run
| + | signal-event email-update |
| + | |
| + | |
Note that if you only want a disclaimer for some domains, create disclaimer text files for those domains only.

The criteria for when a disclaimer is attached are discussed in http://bugs.contribs.org/show_bug.cgi?id=2648: for example, a disclaimer is added to internal-to-external messages but not to internal-to-internal messages.

To disable the disclaimer function for all domains on your SME server:
| + | config setprop smtpd disclaimer disabled |
| + | signal-event email-update |
| + | |
| + | ===Email WBL server manager panel=== |
| + | |
| + | There is a server-manager contrib to allow GUI control of email white and black lists, detailed in the wiki article: [[:Email_Whitelist-Blacklist_Control]]. |
| + | |
The panel allows easy configuration of functionality that is built into qmail, qpsmtpd and spamassassin. For more information search for qmail and qpsmtpd documentation, read the spamassassin section in this wiki article and see the [[Email#Default_Plugin_Configuration|default qpsmtpd plugin configuration]].
| + | |
| + | There are two main sections, Blacklist and Whitelist, where you can control settings. |
| + | |
Note that there are subtle differences in syntax between whitelist and blacklist entries.

Blacklist - black lists are used for rejecting e-mail traffic:

*'''DNSBL status''' - DNSBL is an abbreviation for "DNS blacklist", a list of IP addresses known to send spam.
*'''RHSBL status''' - RHSBL is an abbreviation for "Right Hand Side Blacklist", a list of domain names known to send spam.
*'''qpsmtpd badhelo''' - Check the HELO name given by a connecting host. Any that appear in badhelo are rejected during the 'helo' stage.
*'''qmail badmailfrom''' - Check envelope sender addresses. Any that appear (@host or user@host) in badmailfrom are rejected during the 'mail' stage.
*'''spamassassin blacklist_from''' - Any envelope sender (*@host or user@host) matching an entry in blacklist_from is rejected by spamassassin.

Whitelist - white lists are used for accepting e-mail traffic:

*'''Whitelists status''' - White Lists: ACCEPT
*'''qpsmtpd whitelisthosts''' - Any IP address listed in whitelisthosts is exempted from further validation during the 'connect' stage.
*'''qpsmtpd whitelisthelo''' - Any host that issues a HELO matching an entry in whitelisthelo is exempted from further validation during the 'helo' stage.
*'''qpsmtpd whitelistsenders''' - Any envelope sender (host or user@host) matching an entry in whitelistsenders is exempted from further validation during the 'mail' stage.
*'''spamassassin whitelist_from''' - Any envelope sender (*@host or user@host) matching an entry in whitelist_from is exempted from spamassassin rejection.

Keep in mind that envelope sender and HELO values are chosen by the connecting client and are trivially forged, so a sender or HELO whitelist entry exempts anyone who spoofs it from those checks; an IP address entry in whitelisthosts is the only one of these tied to something the sender cannot easily fake.
| + | |
| + | ===How to block email from one address to another address with check_badmailfromto plugin=== |
| + | |
| + | Enable the check_badmailfromto plugin. Adapted from [http://forums.contribs.org/index.php/topic,35667.0.html this Forum post] |
| + | |
| + | This is based heavily on the similar check_badmailfrom, but this plugin references both the |
| + | FROM: and TO: lines, and if they both are present in the badmailfromto |
| + | config file (a tab delimited list of FROM/TO pairs), then the message is |
| + | blocked as if the recipient (TO) didn't exist. This is specifically designed |
| + | to not give the impression that the sender is blocked (good for cases of |
| + | harassment). |
| + | |
| + | ====Prior SME9.2 : qpsmtpd check_badmailfromto plugin==== |
| + | To control mail from external locations to internal locations do |
| + | mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0 |
| + | mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins |
| + | echo "check_badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto |
| + | ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto |
| + | signal-event email-update |
| + | |
| + | To control mail sent from internal locations to internal locations, in addition to the above also do |
| mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local | | mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local |
− | cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local | + | ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto |
− | cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local . | + | signal-event email-update |
| + | |
| + | |
| + | ====Since SME9.2 : qpsmtpd badmailfromto plugin==== |
| + | remove previous templates, if you are updating |
| + | rm /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto \ |
| + | /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto \ |
| + | /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto |
| + | |
| + | To control mail from external locations to internal locations do |
| + | mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0 |
| + | mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins |
| + | echo "badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto |
| + | ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31badmailfromto |
| + | signal-event email-update |
| + | |
| + | To control mail sent from internal locations to internal locations, in addition to the above also do |
| + | mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local |
| + | ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31badmailfromto |
| + | signal-event email-update |
| + | |
| + | ====For Qmail==== |
| + | |
| + | Create and configure the badmailfromto custom template fragment |
| + | mkdir -p /etc/e-smith/templates-custom/var/qmail/control/badmailfromto |
| + | nano -w /etc/e-smith/templates-custom/var/qmail/control/badmailfromto/template-begin |
| + | |
| + | Type in the From and To pairs that you want to stop email delivery for, with a tab between them and a carriage return at the end of the line, with additional pairs on a new line ie |
| + | user@bad-domain.com tab user@yourdomain.com enter |
| + | user@bad-domain2 tab user2@yourdomain enter |
| + | |
| + | Note also that wildcards or blank spaces are not supported |
| + | |
| + | eg |
| + | john@aol.com mary@yourdomain |
| + | bill@yahoo.com paul@yourdomain.com |
| + | |
| + | then save using |
| + | Ctrl o |
| + | Ctrl x |
| + | |
| + | Expand the template to update the /var/qmail/control/badmailfromto config file |
| + | expand-template /var/qmail/control/badmailfromto |
| + | |
| + | Restart mail services |
| + | signal-event email-update |
| + | |
| + | ===Redirect mail.domain.net to Webmail=== |
| + | Setup external dns records |
| + | |
| + | Add mail.domain.net in Domains panel in server-manager |
| + | db domains setprop mail.dom.ain TemplatePath ProxyPassVirtualHosts ProxyPassTarget http://sme.dom.ain/webmail |
| + | signal-event remoteaccess-update |
| + | |
| + | where http://sme.dom.ain/webmail is servername.domainname/webmail |
| + | |
| + | ===E-mail Retrieval=== |
| + | http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Retrieval |
| + | |
| + | If your ISP does not provide a custom sort field and you experience the following errors occuring when Multidrop is enabled and the "Select Sort Method (for multi-drop)" is set to Default: |
| + | |
| + | fetchmail: warning: multidrop for pop3.mypopserver.com requires envelope option! |
| + | fetchmail: warning: Do not ask for support if all mail goes to postmaster! |
| + | |
| + | and/or |
| + | |
| + | fetchmail: warning: multidrop for my.isp.domain requires envelope option! |
| + | fetchmail: warning: Do not ask for support if all mail goes to postmaster! |
| + | |
| + | |
| + | Set "Select Sort Method (for multi-drop) to 'Received' or 'for' |
| + | As described at [[bugzilla:5602]] [[bugzilla:6483]] |
| + | |
| + | ===Domain Authentication=== |
| + | {{WIP box|trex1512}} |
| + | Major mail hosting companies (Google, Yahoo, Microsoft) have made domain-authentication mandatory so as to not mark incoming mail as spam. |
| + | |
| + | To facilitate this support for DomainKeys and DKIM signing needs to be enabled in SME's mail subsystem. These techniques require the adding of records in the DNS zone for the user's domain. The DKIM/DK/SPF/SenderID configuration has to be added to your your DNS server / registrar. |
| + | |
| + | ===How do I remove an email address from the everyone group=== |
| + | By default, all users are automatically added to the user group "everyone". If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username. |
| + | |
| + | db accounts setprop username EveryoneEmail no |
| + | signal-event user-modify username |
| + | |
| + | |
| + | ===How do I remove an email address from any regular group=== |
| + | By default, all users member of a group "group1" are automatically added as recipients of mail sent to group1@domain. If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username. |
| + | |
| + | db accounts setprop group1 EmailExcludeUsers tom,jack |
| + | signal-event group-modify group1 |
| + | |
| + | If you want to prevent all the user members from another group "group2" from receiving emails addressed to group1@domain while they are also member of group1, you could connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username. |
| + | |
| + | db accounts setprop group1 EmailExcludeGroups group2 |
| + | signal-event group-modify group1 |
| + | |
| + | All members of the group will still be member for all other purpose (samba access to ibays as an example) |
| + | |
| + | This behaviour is only available as per e-smith-qmail-2.4.0-7.sme see bug #9540 |
| + | |
| + | ===Change the number of logs retained for qpsmtpd and/or sqpsmtpd=== |
| + | The normal retention is 5 logs for both qpsmptd and sqpsmtpd. This may or may not fit all installations. This information is pulled from bugzilla. |
| + | |
| + | Check your config to see if any change has been made to the default log retention rules. Note there are different rules for qpsmtpd and sqpsmtpd. You have to make changes to both as you require. |
| + | config show qpsmtpd |
| + | If the KeepLogFiles property isn't listed, the default rules apply. Determine how many logs you would like to keep and apply that to the following example. In the command below, 15 is used to keep 15 qpsmtpd logs. |
| + | db configuration setprop qpsmtpd KeepLogFiles 15 |
| + | Restart multilog with the following. |
| + | sv t /service/qpsmtpd/log |
| + | Check that your setting saved. |
| + | ps aux | grep qpsmtpd | grep multi |
| + | Look for the line that ends with /var/log/qpsmtpd and verify the number after n equals your KeepLogFiles property from above. |
| + | |
| + | ==DKIM Setup - qpsmtpd version<0.96== |
| + | |
| + | A plugin has been written and is available in SME |
| + | |
| + | To activate it manually follow the steps below, or download a shell script that will do the server based stuff for you & guide you on the DNS stuff [ftp://ftp.gfitc.com.au:2121/e-smith/setup_dkim.sh setup_dkim.sh]:- |
| + | |
| + | Note: I'd recommend reviewing the script first to make sure you're happy to run it on your system |
| + | |
| + | Create a folder: |
| + | mkdir /var/service/qpsmtpd/config/dkimkeys/ |
| + | Then: |
| + | cd /var/service/qpsmtpd/config/dkimkeys/ |
| + | openssl genrsa -out dkim.private 1024 |
| + | openssl rsa -in dkim.private -pubout -out dkim.public |
| + | chown qpsmtpd:qpsmtpd -R /var/service/qpsmtpd/config/dkimkeys/ |
| + | chmod 0700 dkim.private |
| + | For each domain you want to sign: |
| + | cp -a dkim.private <fully qualified domain name>.private (less the <> brackets) |
| + | Then create a template fragment: |
| + | mkdir --parent /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local |
| + | echo "dkim_sign keys dkim">/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign |
| + | signal-event email-update |
| + | |
| + | Finally propagate your public key "dkim.public" content (<key text>) to your DNS. |
| + | |
| + | Check with your DNS server / registrar. Something similar to the following should work but it varies depending on provider - replace <fully qualified domain name> with your doman details e.g "mydomain.org" (less the <> brackets): |
| + | |
| + | When extracting the key text from the dkim.public file it's on multiple lines. For the key to work for us in the DNS TXT record we need to exclude the header & footer lines & have just the key text as a single line string (the setup_dkim.sh script provides this info in the format required). |
| + | |
| + | default._domainkey.<fully qualified domain name> IN TXT "k=rsa; p=<key text>; t=y" |
| + | |
| + | |
| + | With Zonedit the following works within your Zone : |
| + | |
| + | Subdomain : default._domainkey |
| + | |
| + | Type : TXT |
| + | |
| + | Text : "v=DKIM1;k=rsa; p=<key text>; t=y" |
| + | |
| + | |
| + | If you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only. |
| + | |
| + | #keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY) |
| + | #dk_method : for domainkey method , default "nofws" |
| + | #selector : the selector you want, default "default" |
| + | #algorithm : algorithm for DKIM signing, default "rsa-sha1" |
| + | #dkim_method : for DKIM, default "relaxed" |
| + | |
| + | NB: key files can not be defined in parameters, they need to be in /var/service/qpsmtpd/config/dkimkeys/{SENDER_DOMAIN}.private |
| + | |
| + | {{Tip box|msg=You can verify that your settings are correct by sending an email to [mailto:check-auth@verifier.port25.com check-auth@verifier.port25.com], a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See [[bugzilla:4558#c6]] }} |
| + | |
| + | See also : [[bugzilla:8251]] [[bugzilla:8252]] |
| + | |
| + | ==DKIM Setup - qpsmtpd version >= 0.96== |
| + | |
| + | Version 0.96 and above supports DKIM natively without the need for extra plugins. |
| + | |
| + | All you have to do is to enable the DKIM signing and promulgate the DNS TXT entries to support it. |
| + | |
| + | Enable the signing: |
| + | db configuration setprop qpsmtpd DKIMSigning enabled |
| + | signal-event email-update |
| + | |
| + | and then run: |
| + | qpsmtpd-print-dns <domain name> |
| + | |
| + | to show the DNS entry(s) required. |
| + | |
| + | Then you have to update your DNS. |
| + | |
| + | {{Tip box|msg=You can verify that your settings are correct by sending an email to [mailto:check-auth@verifier.port25.com check-auth@verifier.port25.com], a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See [[bugzilla:4558#c6]] }} |
| + | |
| + | also see [[bugzilla:9694]] and https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation |
| + | |
| + | More details are available [https://wiki.contribs.org/Email#Inbound_DKIM_.2F_SPF_.2F_DMARC here] |
| + | |
| + | Incoming DKIM checking is also enabled out of the box. |
| + | |
| + | |
| + | In case you got a problem using the DKIM field provided with your DNS provider /registrar, please first contact them to ensure the problem is not how you try to enter the information. In the likelihood, you got "invalid field" or "too long field" errors and your provider is not able to help you or update its interface, you can generate a shorter DKIM key (with 1024 instead of the default 2048) this way: |
| + | |
| + | cd /home/e-smith/dkim_keys/default |
| + | mv private private.long |
| + | mv public public.long |
| + | openssl genrsa -out private 1024 |
| + | openssl rsa -in private -pubout -out public |
| + | chown qpsmtpd:qpsmtpd private |
| + | chown root:qpsmtpd public |
| + | chmod 0400 private |
| + | signal-event email-update |
| + | qpsmtpd-print-dns |
| + | |
| + | ===Outbound DKIM signing / SPF / DMARC policy FOR MULTIPLE DOMAINS=== |
| + | The default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domains that you manage: |
| + | db configuration setprop qpsmtpd DKIMSigning enabled |
| + | signal-event email-update |
| + | If you want to disable dkim signing for a domain, you can use: |
| + | db domains setprop domain.com DKIMSigning disabled |
| + | signal-event email-update |
| + | The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain: |
| + | cd /home/e-smith/dkim_keys |
| + | mkdir domain.net |
| + | cd domain.net |
| + | echo default > selector |
| + | openssl genrsa -out private 2048 |
| + | openssl rsa -in private -out public -pubout |
| + | chown qpsmtpd:qpsmtpd private |
| + | chmod 400 private |
| signal-event email-update | | signal-event email-update |
− | (note the "." at the end of the 3rd line)<br>
| + | Now, the emails using a domain.net sender address will be signed by this new key instead of the default one. |
− | Authentication for the local network will now follow the setting of config::qpsmtpd::Authentication
| + | |
| + | ==Domain Keys== |
| + | |
| + | There is a plugin to check incoming mail has been signed |
| + | |
| + | Please read here for more details : http://bugs.contribs.org/show_bug.cgi?id=4569 |
| + | |
| + | {{Warning box|msg=There is a plugin for signing with DomainKeys but it is not installed by default. It has not been tested on Koozali SME Server: |
| + | |
| + | http://wiki.qpsmtpd.org/doku.php?id=plugins:spam:domainkeys_sign}} |
| + | |
| + | ==Other information== |
| + | |
| + | DomainKeys seem to be deprecated in favour of DKIM. |
| + | |
| + | The DomainKeys plugin only CHECKS incoming email. Spamassassin checks for DKIM. |
| + | |
| + | ===Temporary_error_on_maildir_delivery=== |
| | | |
− | ====External Access====
| + | In certains cases you have some mailboxes which can't delivery messages and the qmail log say: |
− | =====Allow external IMAP mail access=====
| + | |
| + | deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/ |
| + | |
| + | It is probably that your users want to go beyond the upper limit of their quota, [[SME_Server:Documentation:Administration_Manual:Chapter9#Quotas|so you have to increase it]]. This could solve their problems. |
| + | |
| + | ==External Access== |
| + | ===Allow external IMAP mail access=== |
| There was a deliberate decision to remove non-SSL protected username/password | | There was a deliberate decision to remove non-SSL protected username/password |
| services from the external interface. | | services from the external interface. |
| | | |
− | to allow unsecure IMAP access | + | {{Warning box|Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet}} |
| + | |
| + | to allow '''unsecure IMAP access''' |
| | | |
| config setprop imap access public | | config setprop imap access public |
| signal-event email-update | | signal-event email-update |
| | | |
− | But before you do this try to use secure IMAP<br> | + | But before you do this try to use secure IMAP (IMAPS or imap over ssl) with port 993<br> |
− | fixme: explain how
| |
| | | |
− | =====POP3 & webmail HTTP=====
| + | ===POP3 & webmail HTTP=== |
| I want to set my SMESERVER to allow POP3 (or webmail HTTP) but it's not an option, I only see POP3S (or webmail HTTPS). | | I want to set my SMESERVER to allow POP3 (or webmail HTTP) but it's not an option, I only see POP3S (or webmail HTTPS). |
| | | |
| The SMESERVER is secure by design. POP3 (or webmail HTTP) is viewed as inadequate security and removed as an option from a standard installation to encourage unknowing administrators to select the 'best practice' option -a secure connection with POP3S, IMAPS, or HTTPS. | | The SMESERVER is secure by design. POP3 (or webmail HTTP) is viewed as inadequate security and removed as an option from a standard installation to encourage unknowing administrators to select the 'best practice' option -a secure connection with POP3S, IMAPS, or HTTPS. |
− | | + | {{Warning box|Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet}} |
| You can still set your SMESERVER to allow POP3 settings by: | | You can still set your SMESERVER to allow POP3 settings by: |
| config setprop pop3 access public | | config setprop pop3 access public |
| signal-event email-update | | signal-event email-update |
| | | |
− | =====Allow external pop3 access=====
| + | ===Allow external pop3 access=== |
| | | |
| Email settings > POP3 server access in SME 7.1 server-manager allows only pop3s protocol for clients outside the LAN. Some email clients (eg The Bat! v3.98.4) won't allow pop3s connections to SME 7.1 because of ssl version conflict. Until this is sorted out, a workaround is to hack SME to allow regular pop3 on the external interface using the following commands. | | Email settings > POP3 server access in SME 7.1 server-manager allows only pop3s protocol for clients outside the LAN. Some email clients (eg The Bat! v3.98.4) won't allow pop3s connections to SME 7.1 because of ssl version conflict. Until this is sorted out, a workaround is to hack SME to allow regular pop3 on the external interface using the following commands. |
− |
| + | {{Warning box|Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet}} |
| config setprop pop3 access public | | config setprop pop3 access public |
| signal-event email-update | | signal-event email-update |
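Review bot: in the "DKIM Setup - qpsmtpd version<0.96" steps, the private key is created with `openssl genrsa -out dkim.private 1024` and then given `chmod 0700`; a key file needs no execute bit, so `0600` or `0400` is enough (the later multi-domain section already uses `chmod 400 private`), and since that later section generates the key with `openssl genrsa -out private 2048`, the 1024-bit choice here should be labelled as the weaker legacy option rather than left unexplained. The two DNS examples in the same section also disagree: the `default._domainkey.<fully qualified domain name> IN TXT "k=rsa; p=<key text>; t=y"` line omits the `v=DKIM1` tag that the Zoneedit example includes, and both keep `t=y`, which flags the selector as being in testing mode; the text should say that `t=y` is meant for the initial check against check-auth@verifier.port25.com and should be dropped once signing is confirmed working. Smaller points: "confguration" in the whitelist/blacklist paragraph and "doman details" in the DNS paragraph are typos, and the badmailfromto "For Qmail" step says "tab between them and a carriage return at the end of the line", while the earlier plugin description calls the file "a tab delimited list of FROM/TO pairs"; the example that spells out "user@bad-domain.com tab user@yourdomain.com enter" is clear enough, but the note "wildcards or blank spaces are not supported" should sit next to it rather than after it.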
Line 271: |
Line 1,363: |
| more information [[bugzilla:2620]] | | more information [[bugzilla:2620]] |
| | | |
− | ====Imap====
| + | ==Imap== |
− | =====Folders with a dot in name=====
| + | ===Folders with a dot in name=== |
| Email folder names that have a period ('.') in the folder name, will be split into sub-folders. | | Email folder names that have a period ('.') in the folder name, will be split into sub-folders. |
| e.g. folder name 'www.contribs.org' is created as | | e.g. folder name 'www.contribs.org' is created as |
Line 278: |
Line 1,370: |
| contribs | | contribs |
| org | | org |
| + | ===Dovecot Idle_Notify=== |
| + | Poor battery consumption issues has been reported with K9-mail on recent Android systems. It is apparent one way of helping this is to modify the imap_idle_notify setting. The default is in Dovecot, and therefore on SME is 2 minutes. |
| + | |
| + | K9 has an idle refresh of 24 mins but it seems with Dovecot defaults at 2 mins it causes lots of wake ups and battery drain. |
| + | |
| + | This is configurable via a config db property. |
| + | |
| + | Default on install |
| + | # config show dovecot |
| + | dovecot=service |
| + | Quotas=enabled |
| + | status=enabled |
| + | |
| + | Set dovecot Idle_Notify to 20 minutes |
| + | |
| + | # config setprop dovecot Idle_Notify 20 |
| + | # config show dovecot |
| + | dovecot=service |
| + | Idle_Notify=20 |
| + | Quotas=enabled |
| + | status=enabled |
| + | |
| + | Expand template to update *.conf (can also issue a full reconfigure/reboot) |
| + | |
| + | # expand-template /etc/dovecot/dovecot.conf |
| + | # dovecot -a |grep imap_idle_notify_interval |
| + | imap_idle_notify_interval = 20 mins |
| | | |
− | ====qpsmtpd====
| + | ==qpsmtpd== |
| SME uses the [http://smtpd.develooper.com qpsmtpd] smtp daemon. | | SME uses the [http://smtpd.develooper.com qpsmtpd] smtp daemon. |
| | | |
− | =====Official Description=====
| + | ===Official Description=== |
| qpsmtpd is a flexible smtpd daemon written in Perl. Apart from the core SMTP features, all functionality is implemented in small "extension plugins" using the easy to use object oriented plugin API. | | qpsmtpd is a flexible smtpd daemon written in Perl. Apart from the core SMTP features, all functionality is implemented in small "extension plugins" using the easy to use object oriented plugin API. |
| | | |
| qpsmtpd was originally written as a drop-in qmail-smtpd replacement, but now it also includes smtp forward, postfix, exim and maildir "backends". | | qpsmtpd was originally written as a drop-in qmail-smtpd replacement, but now it also includes smtp forward, postfix, exim and maildir "backends". |
| | | |
− | qpsmtpd wiki: http://wiki.qpsmtpd.org | + | qpsmtpd wiki: http://wiki.qpsmtpd.org |
| + | |
| + | ===Log watching tool=== |
| + | qplogtail is a script to to monitor /var/log/qpsmtpd/current, see [[bugzilla:3418]] |
| + | |
| + | ===Qpsmtpd for SME versions 9.1 and earlier=== |
| + | {{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsptpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.1 and earlier, except where the plugin has been retained, See the next section for the new details.}} |
| + | ====Default Plugin Configuration==== |
| + | SME uses the following [http://wiki.qpsmtpd.org/plugins qpsmtpd plugins] to evaluate each incoming email. |
| | | |
| + | SME maintains 2 distinct configurations: one for the 'local' networks (as defined in server-manager::Security::Local networks) and another for 'remote' networks (everyone else). |
| | | |
− | =====Default Plugin Configuration=====
| + | The default configuration of each plugin is indicated in the 'Default Status' column. |
− | When configured to deliver email to an internal mail server, SME will use the following [http://wiki.qpsmtpd.org/plugins qpsmtpd plugins] to evaluate each incoming email:
| + | {| width="100%" cellspacing="0" cellpadding="5" border="1" |
− | {| style="color:brown;background-color:#ffffcc;" border="1" cellpadding="5" cellspacing="0" | |
| !Plugin | | !Plugin |
| !Purpose | | !Purpose |
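Review bot: two typos in this hunk, "qplogtail is a script to to monitor" (doubled "to") and "qpsptpd version 0.96" in the warning box, which should read qpsmtpd as everywhere else on the page. In the "Dovecot Idle_Notify" section the example ends with `expand-template /etc/dovecot/dovecot.conf` followed by `dovecot -a |grep imap_idle_notify_interval`; that only shows the expanded configuration file, not that the running daemon picked it up, and the parenthetical "can also issue a full reconfigure/reboot" is the only hint that a restart is still needed. The rest of the page follows every mail-related `config setprop` with `signal-event email-update`, so the section should state explicitly which action (that event, or a dovecot restart) applies after the template is expanded.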
Line 298: |
Line 1,425: |
| |- | | |- |
| |hosts_allow | | |hosts_allow |
− | |Prohibit more than "InstancesPerIP" connections from any single host (change with 'config setprop smtp InstancesPerIP'). Allow or deny connections according to the contents of /var/service/qpsmtpd/config/hosts_allow. See [http://svn.perl.org/qpsmtpd/trunk/plugins/hosts_allow hosts_allow SVN code] for more details. | + | |Prohibit more than "InstancesPerIP" connections from any single host (change with 'config setprop smtpd InstancesPerIP'). Allow or deny connections according to the contents of /var/service/qpsmtpd/config/hosts_allow. See [http://svn.perl.org/qpsmtpd/trunk/plugins/hosts_allow hosts_allow SVN code] for more details. |
− | |[http://bugs.contribs.org/show_bug.cgi?id=3352 upcoming] | + | |[http://bugs.contribs.org/show_bug.cgi?id=3352 enabled] |
| |- | | |- |
| |peers | | |peers |
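Review bot: the hosts_allow row changes the command to `config setprop smtpd InstancesPerIP` (from `smtp`); every other setprop example on the page is paired with `signal-event email-update`, so the cell should say that the event is required for the new limit to take effect, otherwise an administrator may assume the value is live immediately. The status cell now reads "enabled" but still links to bug 3352, which was the reference for the former "upcoming" status; if the link is kept only as history, a word saying so would avoid the impression that enabling it is still pending.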
Line 306: |
Line 1,433: |
| |- | | |- |
| |logging/logterse | | |logging/logterse |
− | |Allow greater logging detail using smaller log files | + | |Allow greater logging detail using smaller log files. Optionally supports [[Email_Statistics#qplogsumm.pl|qplogsumm.pl]] to compile qpsmtpd statistics. |
| |enabled | | |enabled |
| |- | | |- |
Line 313: |
Line 1,440: |
| |enabled (remote)<br>'''disabled (local)''' | | |enabled (remote)<br>'''disabled (local)''' |
| |- | | |- |
− | |check_earlytalker | + | |[[qpsmtpd_check_earlytalker|check_earlytalker]] |
| |reject email from servers that talk out of turn | | |reject email from servers that talk out of turn |
| |enabled (remote)<br>'''disabled (local)''' | | |enabled (remote)<br>'''disabled (local)''' |
Line 393: |
Line 1,520: |
| |'''disabled'''<br>(always disabled for local connections) | | |'''disabled'''<br>(always disabled for local connections) |
| |- | | |- |
− | |virus/clamav | + | |virus/clamav |
| |Scan incoming email with ClamAV | | |Scan incoming email with ClamAV |
| |enabled | | |enabled |
Line 403: |
Line 1,530: |
| |} | | |} |
| | | |
− | ====Internal Mail Servers==== | + | ===Qpsmtpd for SME versions 9.2 and Later=== |
− | SME can be configured as a spam and antivirus filter for one or more "Internal" mail servers on a domain-by-domain basis. The mail server specified does not have to be on the same local network as your SME server.
| + | {{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsmtpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.2 and later version, see the previous section for the details.}} |
| + | |
| + | This section has been taken from the notes prepared by the dev who made the changes, the wiki is [https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation here]. |
| + | |
| + | Here is a list of the plugins in use, and a note of any changes that might have occurred: |
| + | |
| + | *logterse: no change |
| + | *tls: no change |
| + | *auth_cvm_unix_local: no change |
| + | *check_earlytalker: '''renamed earlytalker''' |
| + | *count_unrecognized_commands: no change |
| + | *bcc: no change |
| + | *check_relay: '''renamed relay''' |
| + | *check_norelay: '''merged into the relay plugin''' |
| + | *require_resolvable_fromhost: '''renamed resolvable_fromhost''' |
| + | *check_basicheaders: '''renamed headers''' |
| + | *rhsbl: no change |
| + | *dnsbl: no change |
| + | *check_badmailfrom: '''renamed badmailfrom''' |
| + | *check_badrcptto_patterns: '''doesn't exist anymore, merged with badrcptto''' |
| + | *check_badrcptto: '''renamed badrcptto''' |
| + | *check_spamhelo: '''renamed helo''' |
| + | *check_smtp_forward: no change |
| + | *check_goodrcptto: no change |
| + | *rcpt_ok: no change |
| + | *pattern_filter: no change |
| + | *tnef2mime: no change |
| + | *spamassassin: no change |
| + | *clamav: no change |
| + | *qmail-queue: no change |
| + | |
| + | Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above]. |
| + | |
| + | ====Karma==== |
| + | |
| + | The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin: |
| + | |
| + | *Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin<br /> |
| + | *KarmaNegative (integer): Default value is 2.<br /> It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day.<br /> Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones<br /> |
| + | *KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. <br />Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad.<br />On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral<br />and won't be used in the history count |
| + | |
| + | Example: |
| + | db configuration setprop qpsmtpd Karma enabled KarmaNegative 3 |
| + | signal-event email-update |
| + | |
| + | |
| + | ====URIBL==== |
| + | |
| + | The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available: |
| + | |
| + | *URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin |
| + | *UBLList: (Comma separated list addresses): Default value is '''multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net'''.<br />This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128) |
| + | |
| + | |
| + | |
| + | Example: |
| + | db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com |
| + | signal-event email-update |
| + | |
| + | |
| + | ====Helo==== |
| | | |
− | =====Deliver ALL email to a single internal mail server=====
| + | Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting: |
− | You can deliver all email for all domains on your SME server to a single internal mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server.
| |
| | | |
− | =====Deliver email for one domain to an internal mail server=====
| + | *HeloPolicy: (lenient|rfc|strict). The default value is '''lenient'''. |
− | You can also configure only a single domain to use an internal mail server, or you can configure different domains to use different internal mail servers.
| |
| | | |
− | First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain.
| + | See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level |
| + | |
| + | Example: |
| + | db configuration setprop qpsmtpd HeloPolicy rfc |
| + | signal-event email-update |
| + | |
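Review bot: the HeloPolicy bullet never says what happens to a connection that fails the chosen policy (rejected at the HELO stage, deferred, or only logged), and the difference between `lenient`, `rfc` and `strict` is delegated entirely to the upstream plugin source; since the plugin is always enabled, anyone switching to `strict` needs at least one line here stating that a failing HELO is rejected and which extra checks `rfc` and `strict` add over `lenient`, with the GitHub link kept for the details.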
| + | ====Inbound DKIM / SPF / DMARC==== |
| + | |
| + | DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings: |
| + | |
| + | *DMARCReject (enabled|disabled): Default value is disabled.<br />If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)<br /> |
| + | *DMARCReporting (enabled|disabled): Default value is enabled.<br />If set to enabled, enable reporting (which is the '''r''' in dma'''r'''c). Reporting is a very important part of the DMARC standard.<br />When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local<br />SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite).<br />Then, once a day, you send the aggregate reports to the domain owner so they have feedback.<br />You can set this to disabled if you want to disable this feature<br /> |
| + | *SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy.<br />Note: this is only used when no DMARC policy is published by the sender.<br />If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests. |
| + | |
| + | :*0: do not reject anything |
| + | :*1: reject when SPF says fail |
| + | :*2: reject when SPF says softfail |
| + | :*3: reject when SPF says neutral |
| + | :*4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published |
| + | |
| + | *Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported |
| | | |
− | Then, (assuming your domain is called ''test.com'' and the actual mail server is at ''a.b.c.d'' issue the following commands:
| + | Example: |
− | db domains setprop test.com MailServer a.b.c.d | + | db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2 |
| signal-event email-update | | signal-event email-update |
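Review bot: the SPFRejectPolicy values read as if each level rejects exactly one SPF result (1 = fail, 2 = softfail, 3 = neutral), which would mean level 2 rejects softfail but lets the more severe fail through; the text should state explicitly whether the levels are cumulative (2 = fail or softfail, 3 = fail, softfail or neutral, 4 = those plus error or no record), because a reader setting `SPFRejectPolicy 2` as in the example cannot tell from this page what is rejected. The bullet also says twice that the setting only applies when the sender publishes no DMARC policy; one sentence is enough. Minor: `every inbound emails` should be `every inbound email`.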
| + | ====Outbound DKIM signing / SPF / DMARC policy==== |
| | | |
− | =====Setup Blacklists & Bayesian Autolearning=====
| + | Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage: |
| + | db configuration setprop qpsmtpd DKIMSigning enabled |
| + | signal-event email-update |
| | | |
− | (Much of what follows has been shamelessly copied from the Sonoracomm howto which has been offline for a while)
| + | If you want to disable dkim signing for a domain, you can use: |
| + | db domains setprop domain.com DKIMSigning disabled |
| + | signal-event email-update |
| | | |
− | The default SME settings (as you can see above) do not include DNSBL filtering, spam rejection, or (which is not obvious from the above) bayesian filtering in spamassassin to allow spamassassin to learn from received email and improve over time. | + | The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain: |
| + | cd /home/e-smith/dkim_keys |
| + | mkdir domain.net |
| + | cd domain.net |
| + | echo default > selector |
| + | openssl genrsa -out private 2048 |
| + | openssl rsa -in private -out public -pubout |
| + | chown qpsmtpd:qpsmtpd private |
| + | chmod 400 private |
| + | signal-event email-update |
| | | |
− | The following command will enable the default blacklists, enable the bayesian learning filter and set
| + | Now, the emails using a domain.net sender address will be signed by this new key instead of the default one. |
− | thresholds for the bayesian filter.
| |
| | | |
− | <nowiki>rpm -Uvh \
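Review bot: the per-domain key procedure ends with `signal-event email-update` and states that mail from domain.net is now signed with the new key, but it does not say that the matching public key must also be published under domain.net before any verifier can validate those signatures; until that TXT record exists, messages signed with the new key fail DKIM verification, which is worse than leaving them signed with the default key whose record is already published. A sentence here pointing to the `qpsmtpd-print-dns domain.net` command described in the next section, to be run after the key is generated, closes that gap. Minor: `for all the domain you manage` should be `for all the domains you manage`.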
| + | ====Publishing your DNS entries==== |
− | http://mirror.contribs.org/smeserver/contribs/\
| |
− | michaelw/sme7/smeserver-spamassassin-features-0.0.2-0.noarch.rpm</nowiki>
| |
− | sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
| |
− | chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
| |
− | chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
| |
− | chmod 750 /var/spool/spamd/.spamassassin/bayes_*
| |
− | config setprop spamassassin status enabled
| |
− | config setprop spamassassin RejectLevel 12
| |
− | config setprop spamassassin TagLevel 4
| |
− | config setprop spamassassin Sensitivity custom
| |
− | signal-event post-upgrade
| |
− | signal-event reboot
| |
| | | |
− | These commands will:
| + | Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it: |
− | * enable spamassassin
| + | qpsmtpd-print-dns <domain name> |
− | * configure spamassassin to reject any email with a score above 12
| + | If omitted, the primary domain name is assumed. |
− | * tag spam scored between 4 and 12 in the email header
| |
− | * 'autolearn' as SPAM any email with a score above 12
| |
− | * 'autolearn' as HAM any email with a score below .10
| |
− | * enable RHSBL using the default SBLList. Note that rhsbl checking has been known to place a heavy burden on SME servers.
| |
− | * enable DNSBL using the default RBLList
| |
| | | |
− | =====The entire Sonoracomm howto from Google's text cache===== | + | Example output: |
| + | Here are sample DNS entries you should add in your public DNS |
| + | The DKIM entry can be copied as is, but others will probably need to be adjusted |
| + | to your need. For example, you should either change the reporting email adress |
| + | for DMARC (or create the needed pseudonym) |
| + | |
| + | |
| + | default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB" |
| + | @ IN SPF "v=spf1 mx a -all" |
| + | @ IN TXT "v=spf1 mx a -all" |
| + | _dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100" |
| + | All you have to do now is publish those records, but do note that there is a point to consider when publishing the default._domainkey DNS record, as produced by the ''qpsmtpd-print-dns'' command: if the DNS record includes '';t=y'' then as per the DKIM specification ([http://dkim.org/specs/rfc4871-dkimbase.html#keys RFC4781 section 3.6.1]) this means that your ''"...domain is testing DKIM. Verifiers MUST NOT treat messages from signers in testing mode differently from unsigned email, even should the signature fail to verify. Verifiers MAY wish to track testing mode results to assist the signer."'' |
| | | |
− | The Sonoracomm Howto has been a very well regarded set of instructions for quite a while now, but has recently been offline.
| + | On the other hand, if no '';t=y'' is included, then it means you are intending to use DKIM in production mode. It might be a good idea to publish the DKIM DNS record first in testing mode ('';t=y'' included), check how things go and if everything is alright, remove the '';t=y'' part. |
| | | |
− | These instructions are aimed mostly at configuring SME as the only mail server, not for using SME with an internal mail server.
| |
| | | |
− | Specifically, LearnAsSpam.pl is harder to configure when using an internal mail server - you would have to develop a method for getting the unmarked SPAM into an IMAP folder directly on the SME server itself. Not impossible, but difficult!
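Review bot: the RFC reference in the `;t=y` paragraph is mislabelled: the link target is rfc4871 (the DKIM Signatures RFC that the quoted sentence comes from) but the link text says `RFC4781`; it should read RFC 4871 section 3.6.1. In the sample output, `@ IN SPF "v=spf1 mx a -all"` uses the SPF resource-record type, which RFC 7208 discontinued in favour of the TXT record printed on the next line, and many DNS providers will not accept an SPF-type record at all; the text should say that only the TXT form needs publishing. It would also help to state beside the sample `_dmarc` record that `p=none` is a monitor-only policy (no receiver will reject on it) and that `rua=` is the address to which the aggregate reports described under DMARCReporting are sent, so it must be a mailbox someone reads.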
| + | ====Testing==== |
| + | You can install spfquery: |
| | | |
− | '''SONORA COMMUNICATIONS, INC.'''
| + | yum --enablerepo=epel install libspf2 libspf2-progs |
− | This is a quick configuration howto, not an in-depth look at SpamAssassin. Much more can be done
| |
− | beyond this document, but this will take a big dent out of your spam and free up CPU cycles on your server.
| |
| | | |
− | See 'More Information' at the end.
| + | Usage (try -help for help): |
| | | |
− | '''SpamAssassin'''
| + | spfquery -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld |
| | | |
− | The following command will enable the default blacklists, enable the bayesian learning filter and set thresholds for the bayesian filter.
| + | Check record via dig |
− | <nowiki>rpm -Uvh \
| |
− | http://mirror.contribs.org/smeserver/contribs/\
| |
− | michaelw/sme7/smeserver-spamassassin-features-0.0.2-0.noarch.rpm</nowiki>
| |
| | | |
− | This command will install the FuzzyOCR SA plugin designed to catch those nasty image-based spam messages.
| + | dig -t TXT +short somedomain.co.uk |
− | yum -y --enablerepo=smeupdates-testing install FuzzyOcr
| |
| | | |
− | '''Server-Manager'''
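Review bot: the spfquery example uses `11.22.33.44`, a routable public address, as the client IP; documentation examples should use an address from the RFC 5737 ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) so that copying the command never refers to a real host. The `dig -t TXT +short somedomain.co.uk` check under `Check record via dig` only returns the apex TXT record, i.e. the SPF policy; to verify the other two records produced by `qpsmtpd-print-dns` the reader needs `dig -t TXT +short default._domainkey.somedomain.co.uk` for the DKIM key and `dig -t TXT +short _dmarc.somedomain.co.uk` for the DMARC policy, and the paragraph should say which record each command checks.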
| + | ====Load==== |
| + | The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting: |
| | | |
− | Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.
| + | *MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred. |
| | | |
− | * Virus scanning Enabled
| + | ===Other QPSMTPD Plugins=== |
− | * Spam filtering Enabled
| + | The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default. |
− | * Spam sensitivity Custom
| + | {| width="100%" cellspacing="0" cellpadding="5" border="1" |
− | * Custom spam tagging level 4
| + | !Plugin |
− | * Custom spam rejection level 12
| + | !Purpose |
− | * Sort spam into junkmail folder Enabled
| + | !Default Status |
− | * Modify subject of spam messages Enabled
| + | |- |
| + | |[[Qpsmtpd_connection_time|connection_time]] |
| + | |Track the total time for each qpsmtpd connection from 'Accepted connection' through 'click, disconnecting', and output the results to the qpsmtpd log file. |
| + | |not installed - not clear if this works for SME9.2 (anyone?) |
| + | |- |
| + | |[[GeoIP]] |
| + | |Track the geographic origin of incoming email and optionally reject email from specified countries |
| + | |not installed - does work for SME 9.2 and later. |
| + | |} |
| | | |
− | I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two).
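Review bot: the `Default Status` cell for connection_time reads `not clear if this works for SME9.2 (anyone?)`, which is a question to other editors rather than documentation; either verify it and state the result or mark it `untested on SME 9.2` so readers know the status is unknown rather than half-answered.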
| + | ==Internal or External Mail Servers== |
| + | SME can be configured as a spam and antivirus filter for one or more "Internal or External" mail servers on a domain-by-domain basis. The mail server specified does not have to be on the same local network as your SME server, & can be hosted on an external site. |
| | | |
− | Click Save.
| + | ===Deliver ALL email to a single internal or external mail server=== |
| + | You can set the default delivery location for all domains on your SME server to a single ''internal or external'' mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server. |
| | | |
− | '''How It Works''' | + | Note: ''Address of internal mail server'' must be blank if you want any email delivered to the SME server itself. |
| | | |
− | When receiving an incoming message, the server first tests for RBL and DNSBL listings, if enabled. If the sender is blacklisted, the messages are blocked outright and Spamassassin never sees it.
| + | ===Deliver email for one domain to an internal or external mail server=== |
| + | You can override the default email delivery destination for individual domains on your SME server (forwarding all email for the specified domain to another server) as follows: |
| | | |
− | With this configuration, the spammiest messages, those marked as 12 or above, will be rejected at the SMTP level. Those spam messages marked between 4 and 12, will be routed to the users' (IMAP) junkmail folder. This is done so the users can check for false-positives...valid messages that were classified as spam by SpamAssassin.
| + | First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain. |
| | | |
− | Users may check their junkmail folders for false-positives via webmail, or, if they are using an IMAP mail client, by simply checking the junkmail folder exposed by their mail client.
| + | Then, (assuming your domain is called ''test.com'' and the actual mail server is at ''a.b.c.d'' issue the following commands: |
| + | db domains setprop test.com MailServer a.b.c.d |
| + | signal-event email-update |
| | | |
− | https://servername/webmail
| + | A FQDN can also be used for the MailServer property, eg ''aspmx.l.google.com'' instead of the IP address ''a.b.c.d'' |
| | | |
− | '''Tweaking'''
| + | db domains setprop test.com MailServer aspmx.l.google.com |
| + | signal-event email-update |
| | | |
− | The server will automatically delete old spam in the junkmail folders after 90 days. You can control the number of days old spam is kept with the following commands. Where 15 is the number of days you want to keep messages, do...
| |
| | | |
− | db configuration setprop spamassassin MessageRetentionTime 15 | + | Remove the internal or external mail server (and return email delivery for ''test.com'' to the default for your SME server) using: |
| + | db domains delprop test.com MailServer |
| signal-event email-update | | signal-event email-update |
− | svc -t /service/qpsmtpd
| |
| | | |
− | then
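Review bot: the sentence `Then, (assuming your domain is called test.com and the actual mail server is at a.b.c.d issue the following commands:` never closes its parenthesis; insert `)` after `a.b.c.d`. In the introduction to this section `& can be hosted` should be `and can be hosted`, and the FQDN example would benefit from a reminder that the external host named in `MailServer` must be willing to accept mail for `test.com` from the SME server's address, otherwise the override simply causes bounces.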
| + | ==Secondary/Backup Mail Server Considerations== |
| + | |
| + | Many people misunderstand the issues of using a secondary or backup |
| + | mail server (backup MX) to hold your mail before it gets delivered |
| + | to your SME Server. If you consider putting a backup mail server in |
| + | place because you are concerned about lost mail because your internet |
| + | connection may occasionally drop out, think again and consider the issues |
| + | discussed below. |
| + | |
| + | ===What is ''Backup MX''=== |
| + | |
| + | A backup MX is a system whereby through your DNS records you tell other |
| + | servers on the internet that in order to deliver mail to your domain they |
| + | first need to try the primary MX record and if they fail to connect they |
| + | can try to connect to one or more of your listed backup or secondary mail |
| + | servers. See also http://en.wikipedia.org/wiki/MX_record |
| + | |
| + | ===The process of delivering email to your SME Server=== |
| + | |
| + | So lets look at how mail gets delivered without and with a |
| + | ''backup mx'' when your Internet link, ISP or server is down. |
| + | |
| + | ===='''Without''' a backup MX==== |
| + | |
| + | *The sending mail server cannot connect to your server. |
| + | *The sending mail server MUST queue the mail and try again later. |
| + | *The mail stays on the sender's server. |
| + | *The sender's server resends the mail at a later date. |
| + | |
| + | ''The requirement to re-queue is a fundamental part of the SMTP protocol - '' |
| + | it is not optional. So, if your server is '''offline''' due to a link or ISP |
| + | outage, '''the mail just stays at the sender's server until you are once ''' |
| + | again reachable'''.''' |
| + | |
| + | ===='''With''' a backup MX==== |
| + | |
| + | *The sending mail server cannot contact your server. |
| + | *The sending mail server sends the mail to your secondary MX. |
| + | *The secondary MX queues the mail until your link/server is up. |
| + | *The mail is queued on an '''untrusted''' third-party mail server (''think about confidential mail between your company and some business partner''). |
| + | *The sending mail server's administrator ''thinks'' it has been delivered, according to their logs. |
| + | *You have no, or little, visibility over the queued mail. |
| + | *When your link comes up, the secondary MX sends the mail on to your server. |
| + | *You have added more hops, more systems and more delay to the process. |
| + | |
| + | If you think that a backup MX will protect against broken mail servers |
| + | which don't re-queue, you can't. Those servers will drop mail on the floor |
| + | at random times, for example when ''their'' Internet link is down. |
| | | |
− | config show spamassassin
| + | Those servers are also highly likely to never try your backup MX. |
| | | |
− | If you think you are losing misclassified mail, adjust the ''Custom spam rejection level'' higher.
| + | Thankfully those servers are mostly gone from the Internet, but adding a |
| + | secondary MX doesn't really improve the chances that they won't drop mail |
| + | destined for your server on the floor. |
| | | |
− | If too much spam is making through to your inbox, carefully adjust the 'Custom spam tagging level' down. Many people use the level 4. Anything below that may result in false-positives. YMMV.
| + | ===Backup MX and SPAM Filtering=== |
| | | |
− | If too much spam is building up in your (IMAP) junkmail folder, adjust the 'Custom spam rejection level' down or change the number of days spam is kept in the junkmail folder before being automatically deleted by the server.
| + | On top of the issue, indicated above, there is another issue to consider |
| + | and that is what happens with SPAM due to the use of a ''Backup MX''. |
| | | |
− | '''Bayesian (Learning) Filter'''
| + | Your SME Server takes care of filtering a lot of SPAM by checking on the full |
| + | username & domain at the time it is received. |
| | | |
− | Install the LearnAsSpam.pl, (optional) mailstats and sa-update scripts, then configure nightly cron jobs like this:
| + | For example if your server hosts '''example.com''' and someone sends |
− | <nowiki>cd /usr/bin
| + | mail to '''joeuser@example.com''', the server will '''only''' accept the mail |
− | wget http://mirror.contribs.org/smeserver/\
| + | if joeuser is a local user/alias/group/pseudonym on the server. |
− | contribs//bread/mailstats/LearnAsSpam.pl
| + | Otherwise, the mail is rejected during the SMTP transaction. |
− | wget http://mirror.contribs.org/smeserver/\
| |
− | contribs//bread/mailstats/spamfilter-stats-7.pl
| |
− | cd /etc/cron.d
| |
− | wget http://mirror.contribs.org/smeserver/\
| |
− | contribs//bread/mailstats/LearnAsSpam.cron
| |
− | wget http://mirror.contribs.org/smeserver/\
| |
− | contribs//bread/mailstats/mailstats.cron
| |
− | cd /etc/cron.daily
| |
− | wget http://mirror.contribs.org/smeserver/\
| |
− | contribs//bread/mailstats/sa-update
| |
− | chmod +x sa-update
| |
− | /etc/rc.d/init.d/crond restart</nowiki>
| |
| | | |
− | Using an IMAP mail client, create a new folder called 'LearnAsSpam' (case sensitive). It can be created at the top level (like 'Inbox') or as a sub-folder. Create the folder for each user that will help train the Bayesian filter. Webmail will work fine for creating this folder, as well as for checking the junkmail (filtered mail or quarantine) folder.
| + | A backup mail server however, generally does not have a full list of |
| + | users against which it can check if it should accept the mail for the given |
| + | domain. Hence it will accept mail for ''invalid'' users. |
| | | |
− | If any spam messages make it past the filter and into your inbox, just move them into the LearnAsSpam folder. A nightly cron job will process them and delete them for you. This is how you train the Bayesian filter.
| + | So: |
| | | |
− | '''Testing''' | + | *If you trust the secondary MX, you <u>will</u> accept a lot of SPAM when the link comes up. |
| + | *If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you. |
| + | *Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction. |
| | | |
− | You can check the auto-learning statistics with this command. You will be able to note the accumulation of the spam tokens (or not). Note that the Bayesian filtering must receive 200 spam messages before it starts to function, so don't expect instantaneous results.
| + | The SPAM backscatter can only be stopped if the secondary MX has a full list |
− | sa-learn --dump magic
| + | of users for your domain to allow filtering to occur. |
| | | |
− | You can check the spam filter log with this command:
| + | But: |
− | tail -50 /var/log/spamd/current | tai64nlocal
| |
| | | |
− | If you ever see an error such as:
| + | *You need to be able to configure this secondary MX with such user/domain lists |
− | ''warn: bayes: cannot open bayes databases /etc/mail/spamassassin/bayes_* R/W: tie failed: Permission denied''
| + | *You need to maintain these secondary configurations when users are added/deleted from your primary server configuration |
− | Try adjusting some permissions with these commands:
| + | *You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required. |
− | chown :spamd /var/spool/spamd/.spamassassin/*
| |
− | chmod g+rw /var/spool/spamd/.spamassassin/*
| |
| | | |
− | '''Whitelist and Blacklist'''
| + | Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find |
| + | out they are misconfigured is when you go to use them, and then you find that the backup MX has changed configuration and bounced all of your mail. |
| | | |
− | If mail comes in and it is misclassified as spam, you can add the sender to the whitelist so that future messages coming in from that sender are not filtered.
| + | Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you. |
| | | |
− | Conversely, you can add a spammer to the blacklist so you never see their spam again.
| + | *If you bounce mail at your server, you have logs to show what's wrong. |
| + | *If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced. |
| | | |
− | Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):
| + | ===Summary=== |
− | db spamassassin setprop wbl.global *@vonage.com White
| |
− | db spamassassin setprop wbl.global *domain2.com White
| |
− | db spamassassin setprop wbl.global This e-mail address is being protected from spam bots, you need JavaScript enabled to view it White
| |
− | db spamassassin setprop wbl.global This e-mail address is being protected from spam bots, you need JavaScript enabled to view it Black
| |
− | expand-template /etc/mail/spamassassin/local.cf
| |
− | svc -t /service/spamd
| |
| | | |
− | You can view the lists with this command:
| + | In summary, if your server/Internet connection is available most (let's say >90%) of |
− | db spamassassin show
| + | the time, you are generally better off <u>without a secondary MX</u>. |
| | | |
− | '''Clam Antivirus'''
| + | If your server/link is down more than this (e.g. dialup), you should not be delivering mail |
| + | directly to your server. |
| | | |
− | Update and check your Clam Antivirus with this command. This is normally done automatically every hour via cron.
| + | If you still want to consider setting up a seconday MX, ensure that: |
− | freshclam -v
| |
| | | |
− | or
| + | *you have fully control of the configuration of each of the email gateways for your domain |
− | freshclam --debug
| + | *each gateway can make decisions on whether to accept/reject mail for the users at the domain |
| | | |
− | Verify hourly update checking by viewing the freshclam/current log file via the Server-Manager View Log Files panel.
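Review bot: the emphasis markup in the `Without a backup MX` paragraph is unbalanced: `''The requirement to re-queue is a fundamental part of the SMTP protocol - ''` closes its italics before the sentence ends, and `'''the mail just stays at the sender's server until you are once '''` opens bold on one line and then `again reachable'''.'''` re-opens and closes it with a stray `'''.'''` on the next, which renders oddly; keep the bold phrase on one line and close it once after `reachable`. Typos in the Summary: `seconday MX` should be `secondary MX` and `you have fully control` should be `you have full control`; earlier, `So lets look` should be `So let's look`.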
| + | ==Mail server on dynamic IP== |
| + | ===Problems with running a mail server on SME server using a dynamic external IP from ISP=== |
| | | |
− | '''Realtime Blackhole Lists and DNS Blacklists'''
| + | This information comes from http://bugs.contribs.org/show_bug.cgi?id=2057#c10 |
| | | |
− | To view the settings for the RBL and DNSBL, use this command:
| + | This is the chronological sequence of events that leads to issues with mail servers on dynamic IPs: |
− | config show qpsmtpd
| |
| | | |
− | If you followed the instructions above, both checks are enabled.
| + | 1) Server gets dynamic IP |
| | | |
− | To see the log of these tests, use a command like:
| + | 2) Reboot/power fail (without updating dynamic DNS to "offline") |
− | tail /var/log/qpsmtpd/current | tai64nlocal
| |
| | | |
− | To specify multiple RBLs, use a command like this:
| + | 3) Another server/someone else is allocated your old IP while your server is down |
− | config setprop qpsmtpd RBLList \
| |
− | bl.spamcop.net,combined.njabl.org,dnsbl.ahbl.org,dnsbl-1.uceprotect.net,\
| |
− | list.dsbl.org,multihop.dsbl.org,psbl.surriel.com,zen.spamhaus.org
| |
| | | |
− | Note: we have had trouble with the uceprotect.net level 2 list and sometimes remove it from the list as shown here.
| + | 4) The other server/person is running a mail server |
| | | |
− | To enable or disable both available lists, use something like:
| + | 5) The other server either gets your mail (which is bad) or bounces your mail (also bad) |
− | config setprop qpsmtpd DNSBL enabled RHSBL enabled
| |
| | | |
− | To confirm any configuration changes and enact them:
| + | You have no control over this issue and you will lose mail when it happens. If you have a dynamic IP, the recommended approach is to get someone with a static IP to queue your inbound mail and send it to you on a non-standard port, preferably with an authentication mechanism which queues the mail if the auth fails, just in case someone else happens to have a mail server on the same port (while highly unlikely, this is possible). |
− | signal-event email-update
| |
− | svc -t /service/qpsmtpd
| |
| | | |
− | '''More Information''' | + | Whether this issue is really a problem to end users, depends on how much you "value" your mail. For a home user having their own mail server, it is probably not a great problem if some messages should happen to go astray, but for all other classes of users, you should really avoid running a mail server on a dynamic IP, without implementing a suitable queueing workaround as suggested. Some ISPs change the IP very infrequently eg yearly, so in those cases it is also not a significant problem. Many/most ISP's will issue a new IP every time a connection is lost & re-established, so these situations are more problematic. |
| | | |
− | Introduction to Antispam Practices - [http://www.howtoforge.com/introduction_antispam_practices| here]
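Review bot: the recommended workaround for a dynamic IP, having a host with a static IP queue your inbound mail and deliver it to you on a non-standard port with authentication, is exactly the arrangement the `Backup MX` section above warns about when the queuing host is an untrusted third party; a sentence saying the queuing host must be one you control, or trust with the content of your mail, would tie the two sections together. Minor: `Many/most ISP's` should be `Many/most ISPs` and `eg yearly` should be `e.g. yearly`.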
| + | ==How to re-apply procmail rules== |
| | | |
− | Here is another great [http://mirror.contribs.org/smeserver//contribs/rmitchell/smeserver/howto/Spam%20blocking%20HOWTO%20using%20qpsmtpd%20&%20RBL%20for%20sme%20server.htm| howto].
| + | If you have a folder of email that needs to have the procmail rules applied, then the trick is to be logged in as the email user, and then position your self in the home directory, and then this works: |
| + | su <username> -s /bin/bash |
| + | cd ~ |
| + | for m in <fullpath to maildirectory>/cur/*; do echo $m; procmail < $m && rm $m; done |
| | | |
− | Informative URLs:
| |
− | * http://forums.contribs.org/index.php?topic=35178.0
| |
− | * http://forums.contribs.org/index.php?topic=31278.0
| |
− | * http://forums.contribs.org/index.php?topic=31279.0
| |
− | * http://forums.contribs.org/index.php?topic=32158.0
| |
− | * http://mirror.contribs.org/smeserver/contribs/michaelw/sme7/
| |
− | * http://mirror.contribs.org/smeserver/contribs/bread/mailstats/
| |
− | * http://wiki.apache.org/spamassassin/BayesInSpamAssassin
| |
− | * Enter this command at a console:
| |
− | perldoc Mail::SpamAssassin::Conf
| |
− | Last Updated ( Thursday, 21 June 2007 )
| |
| | | |
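Review bot: in the procmail loop `for m in <fullpath to maildirectory>/cur/*; do echo $m; procmail < $m && rm $m; done` the variable is unquoted in all three places, so a Maildir filename containing whitespace or glob characters would be word-split and `rm` could act on the wrong path; quote it as `for m in <fullpath to maildirectory>/cur/*; do echo "$m"; procmail < "$m" && rm "$m"; done`. It is also worth stating that the `rm` only runs when procmail exits successfully (that is what `&&` gives you), so a message procmail could not deliver stays in `cur/` for inspection. Minor: `position your self` should be `position yourself`.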
− | <noinclude>[[Category:Howto]]</noinclude> | + | <noinclude> |
| + | [[Category:Mail]] |
| + | [[Category:Howto]] |
| + | </noinclude> |