859
edits
Changes
From SME Server
Jump to navigationJump to search→How do I enable and configure a disclaimer in email messages
{{usefulnote}}
{{usefulnote}}
{{Languages}}
Information on the email subsystem used in SME Server covering sending/recieving, spam filtering, virus checking, webmail, domains and users.
Information on the email subsystem used in SME Server covering sending/recieving, spam filtering, virus checking, webmail, domains and users.
signal-event email-update
signal-event email-update
====Spam score Level and Spam score rejection====
The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom.
The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom.
<ol></li><li>Open server-manager.
<ol><li>Open server-manager.
</li><li>Click e-mail in the navigation pane (left-hand side).
</li><li>Click e-mail in the navigation pane (left-hand side).
</li><li>Click Change e-mail filtering settings.
</li><li>Click Change e-mail filtering settings.
This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first.
This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first.
As a reference, the following setting will have the following behaviours :
{| class="wikitable"
|-
! Sensitivity !! Spam tagging level !! Spam rejection level
|-
| Custom || TagLevel value <br>(Custom spam tagging level) || RejectLevel value <br>(Custom spam rejection level)
|-
| veryhigh || 2 || No rejection
|-
| high || 3 || No rejection
|-
| medium || 5 || No rejection
|-
| low || 7 || No rejection
|-
| verylow || 9 || No rejection
|}
====X-Spam-Level Header in Email Messages====
====X-Spam-Level Header in Email Messages====
====SPF mail rejection/flagging policy====
====SPF mail rejection/flagging policy====
{{Warning box|Please note that these instructions do not apply to SME9.2 where the version of qpsmtpd (0.96) does all this out of the box. Indeed if
{{Warning box|Please note that these instructions do not apply to SME9.2 where the version of qpsmtpd (0.96) does all this out of the box. Indeed if
the custom template below is applied (or left in?) to an SEM9.2 system, then you may find that emails are denied when they ought to be accepted!}}
the custom template below is applied (or left in?) to an SME9.2 system, then you may find that emails are denied when they ought to be accepted!}}
SME server can protect based of SPF records using spamassassin and the 'sender_permitted_from' plugin. The following lines will enable the plugin.
SME server can protect based of SPF records using spamassassin and the 'sender_permitted_from' plugin. The following lines will enable the plugin.
====Possible issues with RBL====
====Possible issues with RBL====
When an external dns provider is set in the console menu, it may interfere with some blaclists activated here (RHSBL and DNSBL). the black.uribl.com is know to bounce all emails in this case with a rejection message delivered to the sender. You can in this case
When an external dns provider is set in the console menu, it may interfere with some blacklists activated here (RHSBL and DNSBL). The black.uribl.com is know to bounce all emails in this case with a rejection message delivered to the sender. You can in this case
* Remove the black.uribl.com of your SBLList
* Remove the black.uribl.com of your SBLList
config setprop qpsmtpd SBLList multi.surbl.org:rhsbl.sorbs.net:dbl.spamhaus.org
config setprop qpsmtpd SBLList multi.surbl.org:rhsbl.sorbs.net:dbl.spamhaus.org
====Learn Contrib====
====Learn Contrib====
The [[Learn]] contrib was intended to install and configure the bayes training tools LearnAsSpam & LarnAsHam but is no longer maintained(?)
The [[Learn]] contrib is intended to install and configure the bayes training tools LearnAsSpam & LarnAsHam.
====Reset the Bayes Database====
====Reset the Bayes Database====
* Preferences, Advanced, Config editor (aka about:config): filter on tls.
* Preferences, Advanced, Config editor (aka about:config): filter on tls.
* set security.enable_tls to false
* set security.enable_tls to false
If the total concurrency limit is reached, it'll look like this in /var/log/dovecot/current:
@400000005a1c2c1f19c9381c master: Warning: service(imap): process_limit (2) reached, client connections are being dropped
@400000005a1c2c291a4712dc imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)
@400000005a1c2c291a471aac imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)
For the per IP concurrency limit, it'll be like this:
@400000005a1c2c6214542b94 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<abcdefgh>
@400000005a1c2c6233f1bcb4 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<ijklmnop>
The following commands will give your the current value:
db configuration getprop imap ConcurrencyLimit || echo 400
db configuration getprop imap ConcurrencyLimitPerIP || echo 12
You can also increase the ConcurrencyLimitPerIP and/or ConcurrencyLimit value for imap and/or imaps (secure)
You can also increase the ConcurrencyLimitPerIP and/or ConcurrencyLimit value for imap and/or imaps (secure)
signal-event post-upgrade; signal-event reboot
signal-event post-upgrade; signal-event reboot
{{Note box| for sme9, only the key imap has properties ConcurrencyLimitPerIP,checkConcurrencyLimit,ProcessMemoryLimit. If you set these properties to the key imaps, a migrate fragment will remove them automatically}}
{{Note box| for sme9, only the key imap has properties ConcurrencyLimitPerIP,checkConcurrencyLimit,ProcessMemoryLimit. If you set these properties to the key imaps, a migrate fragment will remove them automatically}}
To see configuration:
config show imap
tail -f /var/log/dovecot/current | tai64nlocal #out of date
tail -f /var/log/imap/current | tai64nlocal
More detail can be found [http://forums.contribs.org/index.php?topic=33124.0 here].
More detail can be found [http://forums.contribs.org/index.php?topic=33124.0 here] or [https://forums.contribs.org/index.php/topic,51872.0 here].
{{Tip box|You can see if you are running out of the number of available connections in your log file /var/log/imaps/current and look for messages like the log extract below where the ConcurrencyLimitPerIP was set to 20. A 21st connection was attempted and was denied.
{{Tip box|You can see if you are running out of the number of available connections in your log file /var/log/imaps/current and look for messages like the log extract below where the ConcurrencyLimitPerIP was set to 20. A 21st connection was attempted and was denied.
-click OK > NEXT > FINISHED
-click OK > NEXT > FINISHED
-you're finished, your email should work now
-you're finished, your email should work now
===Outlook 2013 on Windows 10 gives "An unknown error occurred, error code 0x8004011c" when attempting an IMAP connection for a DOMAIN user===
This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: [http://bugs.contribs.org/show_bug.cgi?id=9618 Bug 9618]).
The following registry key resolves the issue:
To work around this problem, set the value of the ProtectionPolicy registry entry to 1 to enable local backup of the MasterKey instead of requiring a RWDC in the following registry subkey:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001
The PortectionPolicy entry may need to be created
===Outlook 2013 on Windows 8.1 gives error 0x800CCC1A when sending over SMTP port 465===
===Outlook 2013 on Windows 8.1 gives error 0x800CCC1A when sending over SMTP port 465===
This may be for legal, or other reasons.
This may be for legal, or other reasons.
The following instructions will create a new user account (maillog) and forward every email that goes through your SME server to it.
The following instructions will create a new user account (default is maillog) and forward every email that goes through your SME server to it.
First, log onto the server-manager and create the user '''maillog'''
First, log onto the server-manager and create the user '''maillog'''
If you want to view the emails, point your email client at the SME and log on as maillog.
If you want to view the emails, point your email client at the SME and log on as maillog.
You can modify the default user:
config setprop qpsmtpd BccUser someuser
====Keep a copy of outgoing emails only====
====Keep a copy of outgoing emails only====
More info:
More info:
perldoc /usr/share/qpsmtpd/plugins/bcc
perldoc /usr/share/qpsmtpd/plugins/bcc
===Set Helo hostname===
Default is set to the hostname.domain, but sometime you might want to have something else to answer with the same as your reverseDNS. You can do one of the followings to only adjust the helo name:
config setprop smtpd HeloHost mydomainname
signal-event email-update
or the following to adjust the way your server will present itself everywhere (httpd, qpsmtd...) This might trigger the generation of new ssl certificate, so use it only if you are sure this is what you want to do.
config set DomainName mydomainname
signal-event domain-modify
signal-event email-update
===Set max email size===
===Set max email size===
Be aware that ''email size'' is not the same thing as ''attachment size''. Binary attachments to email are encoded using techniques that result in email sizes that can be as much as 30% larger than the original attachment. Most major email clients (Thunderbird, Apple Mail, Outlook) allow you to enable a "message size" column in the message list that will show you the size of your email messages ([http://forums.contribs.org/index.php/topic,48366.msg241720.html#msg241720 More]).
Be aware that ''email size'' is not the same thing as ''attachment size''. Binary attachments to email are encoded using techniques that result in email sizes that can be as much as 30% larger than the original attachment. Most major email clients (Thunderbird, Apple Mail, Outlook) allow you to enable a "message size" column in the message list that will show you the size of your email messages ([http://forums.contribs.org/index.php/topic,48366.msg241720.html#msg241720 More]).
{| width="100%" border="1" cellpadding="5" cellspacing="0"
{| width="100%" cellspacing="0" cellpadding="5" border="1"
! Subsystem
! Subsystem
! Function
! Function
eg a disclaimer is added to internal to external messages but not internal to internal messages.
eg a disclaimer is added to internal to external messages but not internal to internal messages.
To disable the disclaimer function for all domains on your sme server
To disable the disclaimer function for all domains on your sme server
harassment).
harassment).
====Prior SME9.2 : qpsmtpd check_badmailfromto plugin====
To control mail from external locations to internal locations do
To control mail from external locations to internal locations do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
echo "check_badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto
signal-event email-update
To control mail sent from internal locations to internal locations, in addition to the above also do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto
signal-event email-update
====Since SME9.2 : qpsmtpd badmailfromto plugin====
remove previous templates, if you are updating
rm /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto \
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto \
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto
To control mail from external locations to internal locations do
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
echo "badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31badmailfromto
signal-event email-update
signal-event email-update
To control mail sent from internal locations to internal locations, in addition to the above also do
To control mail sent from internal locations to internal locations, in addition to the above also do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31badmailfromto
signal-event email-update
signal-event email-update
====For Qmail====
Create and configure the badmailfromto custom template fragment
Create and configure the badmailfromto custom template fragment
/etc/init.d/qmail restart
/etc/init.d/qmail restart
==DKIM Setup - qpsmtpd version<0.96==
===How do I remove an email address from any regular group===
By default, all users member of a group "group1" are automatically added as recipients of mail sent to group1@domain. If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.
db accounts setprop group1 EmailExcludeUsers tom,jack
signal-event group-modify group1
If you want to prevent all the user members from another group "group2" from receiving emails addressed to group1@domain while they are also member of group1, you could connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.
db accounts setprop group1 EmailExcludeGroups group2
signal-event group-modify group1
All members of the group will still be member for all other purpose (samba access to ibays as an example)
This behaviour is only available as per e-smith-qmail-2.4.0-7.sme see bug #9540
=== Change the number of logs retained for qpsmtpd and/or sqpsmtpd ===
The normal retention is 5 logs for both qpsmptd and sqpsmtpd. This may or may not fit all installations. This information is pulled from bugzilla.
Check your config to see if any change has been made to the default log retention rules. Note there are different rules for qpsmtpd and sqpsmtpd. You have to make changes to both as you require.
config show qpsmtpd
If the KeepLogFiles property isn't listed, the default rules apply. Determine how many logs you would like to keep and apply that to the following example. In the command below, 15 is used to keep 15 qpsmtpd logs.
db configuration setprop qpsmtpd KeepLogFiles 15
Restart multilog with the following.
sv t /service/qpsmtpd/log
Check that your setting saved.
ps aux | grep qpsmtpd | grep multi
Look for the line that ends with /var/log/qpsmtpd and verify the number after n equals your KeepLogFiles property from above.
==DKIM Setup - qpsmtpd version<0.96==
A plugin has been written and is available in SME
A plugin has been written and is available in SME
also see [[bugzilla:9694]] and https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation
also see [[bugzilla:9694]] and https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation
More details are available [https://wiki.contribs.org/Email#Inbound_DKIM_.2F_SPF_.2F_DMARC here]
Incoming DKIM checking is also enabled out of the box.
Incoming DKIM checking is also enabled out of the box.
In case you got a problem using the DKIM field provided with your DNS provider /registrar, please first contact them to ensure the problem is not how you try to enter the information. In the likelihood, you got "invalid field" or "too long field" errors and your provider is not able to help you or update its interface, you can generate a shorter DKIM key (with 1024 instead of the default 2048) this way:
cd /home/e-smith/dkim_keys/default
mv private private.long
mv public public.long
openssl genrsa -out private 1024
openssl rsa -in private -pubout -out public
chown qpsmtpd:qpsmtpd private
chown root:qpsmtpd public
chmod 0400 private
signal-event email-update
qpsmtpd-print-dns
=== Outbound DKIM signing / SPF / DMARC policy FOR MULTIPLE DOMAINS ===
The default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domains that you manage:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update
If you want to disable dkim signing for a domain, you can use:
db domains setprop domain.com DKIMSigning disabled
signal-event email-update
The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:
cd /home/e-smith/dkim_keys
mkdir domain.net
cd domain.net
echo default > selector
openssl genrsa -out private 2048
openssl rsa -in private -out public -pubout
chown qpsmtpd:qpsmtpd private
chmod 400 private
signal-event email-update
Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.
==Domain Keys==
==Domain Keys==
qplogtail is a script to to monitor /var/log/qpsmtpd/current, see [[bugzilla:3418]]
qplogtail is a script to to monitor /var/log/qpsmtpd/current, see [[bugzilla:3418]]
===Default Plugin Configuration===
===Qpsmtpd for SME versions 9.1 and earlier===
{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsptpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.1 and earlier, except where the plugin has been retained, See the next section for the new details.}}
====Default Plugin Configuration====
SME uses the following [http://wiki.qpsmtpd.org/plugins qpsmtpd plugins] to evaluate each incoming email.
SME uses the following [http://wiki.qpsmtpd.org/plugins qpsmtpd plugins] to evaluate each incoming email.
The default configuration of each plugin is indicated in the 'Default Status' column.
The default configuration of each plugin is indicated in the 'Default Status' column.
{| width="100%" border="1" cellpadding="5" cellspacing="0"
{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Plugin
!Plugin
!Purpose
!Purpose
|}
|}
===Other QPSMTPD Plugins===
===Qpsmtpd for SME versions 9.2 and Later===
The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default.
{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsmtpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.2 and later version, see the previous section for the details.}}
{| width="100%" border="1" cellpadding="5" cellspacing="0"
!Plugin
This section has been taken from the notes prepared by the dev who made the changes, the wiki is [https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation here].
!Purpose
!Default Status
Here is a list of the plugins in use, and a note of any changes that might have occurred:
|-
|[[Qpsmtpd_connection_time|connection_time]]
* logterse: no change
|Track the total time for each qpsmtpd connection from 'Accepted connection' through 'click, disconnecting', and output the results to the qpsmtpd log file.
* tls: no change
|not installed
* auth_cvm_unix_local: no change
|-
* check_earlytalker: '''renamed earlytalker'''
|[[GeoIP]]
* count_unrecognized_commands: no change
|Track the geographic origin of incoming email and optionally reject email from specified countries
* bcc: no change
|not installed
* check_relay: '''renamed relay'''
|}
* check_norelay: '''merged into the relay plugin'''
* require_resolvable_fromhost: '''renamed resolvable_fromhost'''
* check_basicheaders: '''renamed headers'''
==Internal or External Mail Servers==
* rhsbl: no change
SME can be configured as a spam and antivirus filter for one or more "Internal or External" mail servers on a domain-by-domain basis. The mail server specified does not have to be on the same local network as your SME server, & can be hosted on an external site.
* dnsbl: no change
* check_badmailfrom: '''renamed badmailfrom'''
===Deliver ALL email to a single internal or external mail server===
* check_badrcptto_patterns: '''doesn't exist anymore, merged with badrcptto'''
You can set the default delivery location for all domains on your SME server to a single ''internal or external'' mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server.
* check_badrcptto: '''renamed badrcptto'''
* check_spamhelo: '''renamed helo'''
Note: ''Address of internal mail server'' must be blank if you want any email delivered to the SME server itself.
* check_smtp_forward: no change
* check_goodrcptto: no change
===Deliver email for one domain to an internal or external mail server===
* rcpt_ok: no change
You can override the default email delivery destination for individual domains on your SME server (forwarding all email for the specified domain to another server) as follows:
* pattern_filter: no change
* tnef2mime: no change
First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain.
* spamassassin: no change
* clamav: no change
Then, (assuming your domain is called ''test.com'' and the actual mail server is at ''a.b.c.d'' issue the following commands:
* qmail-queue: no change
Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above].
==== Karma ====
The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:
* Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin<br />
* KarmaNegative (integer): Default value is 2.<br /> It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day.<br /> Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones<br />
* KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. <br />Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad.<br />On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral<br />and won't be used in the history count
Example:
db configuration setprop qpsmtpd Karma enabled KarmaNegative 3
signal-event email-update
==== URIBL ====
The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:
* URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
* UBLList: (Comma separated list addresses): Default value is '''multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net'''.<br />This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)
Example:
db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com
signal-event email-update
==== Helo ====
Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:
* HeloPolicy: (lenient|rfc|strict). The default value is '''lenient'''.
See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level
Example:
db configuration setprop qpsmtpd HeloPolicy rfc
signal-event email-update
==== Inbound DKIM / SPF / DMARC ====
DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:
* DMARCReject (enabled|disabled): Default value is disabled.<br />If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)<br />
* DMARCReporting (enabled|disabled): Default value is enabled.<br />If set to enabled, enable reporting (which is the '''r''' in dma'''r'''c). Reporting is a very important part of the DMARC standard.<br />When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local<br />SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite).<br />Then, once a day, you send the aggregate reports to the domain owner so they have feedback.<br />You can set this to disabled if you want to disable this feature<br />
* SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy.<br />Note: this is only used when no DMARC policy is published by the sender.<br />If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.
:* 0: do not reject anything
:* 1: reject when SPF says fail
:* 2: reject when SPF says softfail
:* 3: reject when SPF says neutral
:* 4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published
* Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported
Example:
db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
signal-event email-update
==== Outbound DKIM signing / SPF / DMARC policy ====
Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update
If you want to disable dkim signing for a domain, you can use:
db domains setprop domain.com DKIMSigning disabled
signal-event email-update
The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:
cd /home/e-smith/dkim_keys
mkdir domain.net
cd domain.net
echo default > selector
openssl genrsa -out private 2048
openssl rsa -in private -out public -pubout
chown qpsmtpd:qpsmtpd private
chmod 400 private
signal-event email-update
Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.
==== Publishing your DNS entries ====
Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:
qpsmtpd-print-dns <domain name>
If omitted, the primary domain name is assumed.
Example output:
Here are sample DNS entries you should add in your public DNS
The DKIM entry can be copied as is, but others will probably need to be adjusted
to your need. For example, you should either change the reporting email adress
for DMARC (or create the needed pseudonym)
default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"
All you have to do now is publish those records, but do note that there is a point to consider when publishing the default._domainkey DNS record, as produced by the ''qpsmtpd-print-dns'' command: if the DNS record includes '';t=y'' then as per the DKIM specification ([http://dkim.org/specs/rfc4871-dkimbase.html#keys RFC4781 section 3.6.1]) this means that your ''"...domain is testing DKIM. Verifiers MUST NOT treat messages from signers in testing mode differently from unsigned email, even should the signature fail to verify. Verifiers MAY wish to track testing mode results to assist the signer."''
On the other hand, if no '';t=y'' is included, then it means you are intending to use DKIM in production mode. It might be a good idea to publish the DKIM DNS record first in testing mode ('';t=y'' included), check how things go and if everything is alright, remove the '';t=y'' part.
==== Testing ====
You can install spfquery:
yum --enablerepo=epel install libspf2 libspf2-progs
Usage (try -help for help):
spfquery -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld
Check record via dig
dig -t TXT +short somedomain.co.uk
==== Load ====
The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:
* MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.
===Other QPSMTPD Plugins===
The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default.
{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Plugin
!Purpose
!Default Status
|-
|[[Qpsmtpd_connection_time|connection_time]]
|Track the total time for each qpsmtpd connection from 'Accepted connection' through 'click, disconnecting', and output the results to the qpsmtpd log file.
|not installed - not clear if this works for SME9.2 (anyone?)
|-
|[[GeoIP]]
|Track the geographic origin of incoming email and optionally reject email from specified countries
|not installed - does work for SME 9.2 and later.
|}
==Internal or External Mail Servers==
SME can be configured as a spam and antivirus filter for one or more "Internal or External" mail servers on a domain-by-domain basis. The mail server specified does not have to be on the same local network as your SME server, & can be hosted on an external site.
===Deliver ALL email to a single internal or external mail server===
You can set the default delivery location for all domains on your SME server to a single ''internal or external'' mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server.
Note: ''Address of internal mail server'' must be blank if you want any email delivered to the SME server itself.
===Deliver email for one domain to an internal or external mail server===
You can override the default email delivery destination for individual domains on your SME server (forwarding all email for the specified domain to another server) as follows:
First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain.
Then, (assuming your domain is called ''test.com'' and the actual mail server is at ''a.b.c.d'' issue the following commands:
db domains setprop test.com MailServer a.b.c.d
db domains setprop test.com MailServer a.b.c.d
signal-event email-update
signal-event email-update
* The sender's server resends the mail at a later date.
* The sender's server resends the mail at a later date.
''The requirement to re-queue is a fundamental part of the SMTP protocol -
''The requirement to re-queue is a fundamental part of the SMTP protocol - ''
it is not optional. So, if your server is '''offline''' due to a link or ISP
it is not optional. So, if your server is '''offline''' due to a link or ISP
outage, '''the mail just stays at the sender's server until you are once
outage, '''the mail just stays at the sender's server until you are once '''
again reachable'''.
again reachable'''.'''
===='''With''' a backup MX====
===='''With''' a backup MX====
Whether this issue is really a problem to end users, depends on how much you "value" your mail. For a home user having their own mail server, it is probably not a great problem if some messages should happen to go astray, but for all other classes of users, you should really avoid running a mail server on a dynamic IP, without implementing a suitable queueing workaround as suggested. Some ISPs change the IP very infrequently eg yearly, so in those cases it is also not a significant problem. Many/most ISP's will issue a new IP every time a connection is lost & re-established, so these situations are more problematic.
Whether this issue is really a problem to end users, depends on how much you "value" your mail. For a home user having their own mail server, it is probably not a great problem if some messages should happen to go astray, but for all other classes of users, you should really avoid running a mail server on a dynamic IP, without implementing a suitable queueing workaround as suggested. Some ISPs change the IP very infrequently eg yearly, so in those cases it is also not a significant problem. Many/most ISP's will issue a new IP every time a connection is lost & re-established, so these situations are more problematic.
<noinclude>
[[Category:Mail]]
<noinclude>[[Category:Mail]][[Category:Howto]]</noinclude>
[[Category:Howto]]
</noinclude>
