Changes

From SME Server

23,750 bytes added , 10:56, 10 June 2023

→‎LearnAsSpam / LearnAsHam (spam/ham training)

Line 1: Line 1:

Information on the email subsystem used in SME Server covering sending/recieving, spam filtering, virus checking, webmail, domains and users.

Line 19: Line 20:

It is discussed under various names

*Path MTU Discovery Blackhole http://www.phildev.net/mss/mss-talk.pdf

*Path MTU Discovery Failures http://www.wand.net.nz/~mluckie/pubs/debugging-pmtud.imc2005.pdf

Line 57: Line 59:

*Sort spam into junkmail folder Enabled

*Modify subject of spam messages Enabled

I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two).

Line 94: Line 97:

signal-event email-update

−

====Spam score Level and Spam score rejection====

The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom.

−

<ol~~></li~~><li>Open server-manager.

<ol><li>Open server-manager.

</li><li>Click e-mail in the navigation pane (left-hand side).

</li><li>Click Change e-mail filtering settings.

Line 103: Line 106:

This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first.

As a reference, the following setting will have the following behaviours :

{| class="wikitable"

!Sensitivity!!Spam tagging level!!Spam rejection level

|Custom||TagLevel value (Custom spam tagging level)||RejectLevel value (Custom spam rejection level)

|veryhigh||2||No rejection

|high||3||No rejection

|medium||5||No rejection

|low||7||No rejection

|verylow||9||No rejection

====X-Spam-Level Header in Email Messages====

Line 142: Line 164:

References:

−

* http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#scoring_options

−

* http://spamassassin.apache.org/tests_3_2_x.html

*http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#scoring_options

−

* http://www.rulesemporium.com/

*http://spamassassin.apache.org/tests_3_2_x.html

*http://www.rulesemporium.com/

====SPF mail rejection/flagging policy====

{{Warning box|Please note that these instructions do not apply to SME9.2 where the version of qpsmtpd (0.96) does all this out of the box. Indeed if

the custom template below is applied (or left in?) to an SME9.2 system, then you may find that emails are denied when they ought to be accepted!}}

SME server can protect based of SPF records using spamassassin and the 'sender_permitted_from' plugin. The following lines will enable the plugin.

Line 162: Line 187:

References (but instructions changed to meet new qmail structure):

−

* http://forums.contribs.org/index.php?topic=21631.0

*http://forums.contribs.org/index.php?topic=21631.0

====Pyzor Timeout====

Line 266: Line 292:

====Possible issues with RBL====

−

When an external dns provider is set in the console menu, it may interfere with some ~~blaclists~~ activated here (RHSBL and DNSBL). ~~the~~ black.uribl.com is know to bounce all emails in this case with a rejection message delivered to the sender. You can in this case

When an external dns provider is set in the console menu, it may interfere with some blacklists activated here (RHSBL and DNSBL). The black.uribl.com is know to bounce all emails in this case with a rejection message delivered to the sender. You can in this case

−

* Remove the black.uribl.com of your SBLList

*Remove the black.uribl.com of your SBLList

config setprop qpsmtpd SBLList multi.surbl.org:rhsbl.sorbs.net:dbl.spamhaus.org

signal-event email-update

−

* Let the SME Server being the only dns resolver by removing the dns provider/forwarder in the console menu.

*Let the SME Server being the only dns resolver by removing the dns provider/forwarder in the console menu.

See http://uribl.com/about.shtml#abuse for more information about this issue with black.uribl.com

Line 276: Line 305:

====Obsolete lists====

These lists can not be used with smeserver. A migrate fragment will remove them from your settings each time you reconfigure your server.

−

* RBLList

*RBLList

combined.njabl.org

list.dsbl.org

multihop.dsbl.org

dnsbl.ahbl.org

−

* SBLLIST

*SBLLIST

blackhole.securitysage.com

Line 314: Line 346:

config setprop spamassassin BayesAutoLearnThresholdSpam 6.00

config setprop spamassassin BayesAutoLearnThresholdNonspam 0.10

config setprop spamassassin UseBayesAutoLearn 1

expand-template /etc/mail/spamassassin/local.cf

sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd

Line 323: Line 356:

config setprop spamassassin TagLevel 4

config setprop spamassassin Sensitivity custom

config setprop spamd SpamLearning enabled

signal-event email-update

These commands will:

−

* enable spamassassin

−

* configure spamassassin to reject any email with a score above 12

*enable spamassassin

−

* tag spam scored between 4 and 12 in the email header

*configure spamassassin to reject any email with a score above 12

−

* enable bayesian filter

*tag spam scored between 4 and 12 in the email header

−

* 'autolearn' as SPAM any email with a score above 6.00

*enable bayesian filter

*'autolearn' as SPAM any email with a score above 6.00

Note: SpamAssassin requires at least 3 points from the header, and 3 points from the body

to auto-learn as spam.

Therefore, the minimum working value for this option is 6, to be changed in increments of 3,

12 considered to be a good working value..

−

* 'autolearn' as HAM any email with a score below 0.10

*'autolearn' as HAM any email with a score below 0.10

Check the bayes stats with the command:

Line 348: Line 385:

To install:

−

~~<ol>~~

* Enable bayes database as described in [[Email#Bayesian_Autolearning | Bayesian Autolearning]] (not the best approach, prefer manual learn by user), or

−

~~<li>~~Enable bayes database as described in [[Email#Bayesian_Autolearning | Bayesian Autolearning]]~~</li>~~

* Install smeserver-learn as per wiki page [[Learn]](and keep auto-learning off), then

−

~~<li>Download~~ the ~~latest versions of LearnAsSpam.pl~~, ~~LearnAsHam.pl~~, ~~LearnAsSpam.cron and LearnAsHam.cron from~~ [[~~Bugzilla: 1701~~]]~~<pre>~~

* Instruct your users to move any SPAM they find from their Inbox to their LearnAsSpam folder, and to COPY any non-spam (ham) they find in their junkmail folder into their LearnAsHam folder.

−

~~<nowiki>curl~~ -~~o /usr/bin/LearnAsSpam.pl http://bugs.contribs.org/attachment.cgi?id=1293~~

−

~~curl -o /usr/bin/LearnAsHam.pl http://bugs.contribs.org/attachment.cgi?id=1290~~

−

~~curl -o /etc/cron.d/~~LearnAsSpam~~.cron http://bugs.contribs.org/attachment.cgi?id=1231~~

−

~~curl~~ -~~o /etc/cron.d/~~LearnAsHam.~~cron http://bugs.contribs.org/attachment.cgi?id=1232</nowiki></pre></li>~~

−

~~<li>Create LearnAsSpam & LearnAsHam folders for all users<pre>~~

−

~~<nowiki># create skellaton for new users :~~

−

~~mkdir -p /etc/e-smith/skel/user/Maildir/{~~.~~LearnAsHam/{cur~~,~~new,tmp}~~,.~~LearnAsSpam/{cur,new,tmp},.LearnInWL/{cur,new,tmp}}~~

This is a really efficient way to reduce impact of SPAM to your particular installation. Do not fear to run again files that are tagged as SPAM, as they will either get ignored if all their patterns are known, or the Bayes might catch one more pattern that could help you to get ride of the next incoming SPAM to even get accepted.

−

~~# create~~ folders for ~~existing users :~~

If you want, the code below counts how many e-mail are in LearnAsSpam and LearnAsHam directories (of all users). It's useful to know if your users are using those folders. However Learn will send you a report after each pass. If you are interested on the number of emails lefts in the junkmail directory without any attention, you could install [[mailstats | smeserver-mailstats]] and activate the option to account for them

<pre>

#!/bin/bash

# ContaLearn.sh

−

pushd /home/e-smith/files/users/~~; \~~

#for compatibility with older versions without rpm, testing

−

for u in `ls | grep -v admin`~~; \~~

[ `/sbin/e-smith/db configuration getprop LearnAsSpam dir` ] &&

−

do \

LearnAsSpam=`/sbin/e-smith/db configuration getprop LearnAsSpam dir` || LearnAsSpam='LearnAsSpam';

−

~~mkdir -p~~ $u/~~Maildir~~/~~.LearnAsHam~~/~~{cur,new,tmp}~~; \

[ `/sbin/e-smith/db configuration getprop LearnAsHam dir` ] &&

−

~~chown~~ -~~R $u:~~$~~u $u~~/Maildir/.~~LearnAsHam~~/~~; \~~

LearnAsHam=`/sbin/e-smith/db configuration getprop LearnAsHam dir` || LearnAsHam='LearnAsSpam';

−

~~mkdir~~ -p $u/Maildir/.~~LearnAsSpam~~/{cur~~,new,tmp}; \~~

JunkMail='junkmail';

−

~~chown~~ -R $~~u:$u $u~~/Maildir/.~~LearnAsSpam~~/~~; \~~

−

~~mkdir~~ -p $u/Maildir/.~~LearnInWL~~/~~{cur,~~new~~,tmp}~~; \

echo

−

~~chown~~ -R $u:$u $~~u/Maildir/.LearnInWL/; \~~

date

−

done; \

declare -i tspam

−

popd~~</nowiki~~></~~pre><~~/~~li>~~

declare -i tham

−

~~<li>Instruct your users to move any SPAM they find from their Inbox to their LearnAsSpam folder, and to COPY any non-spam (ham) they find in their junkmail folder into their LearnAsHam folder.</li>~~

declare -i tleft

−

</ol>

declare -i tnseen

printf "%-25s %-11s %-11s %-11s %-11s \n" "User" "LearnAsSpam" "LearnAsHam" "JunkMail" "NotSeen"

pushd /home/e-smith/files/users/ >>/dev/nul

for u in `ls ` #| grep -v admin`

[ "$u" = "admin" ] && mailpath="/home/e-smith/" || mailpath="/home/e-smith/files/users/$u" ;

spam=`ls -1 $mailpath/Maildir/.$LearnAsSpam/cur |wc -l`

ham=`ls -1 $mailpath/Maildir/.$LearnAsHam/cur |wc -l`

left=`ls -1 $mailpath/Maildir/.$JunkMail/cur |wc -l`

nseen=`ls -1 $mailpath/Maildir/.$JunkMail/new |wc -l`

if [[ $spam > 0 ]] || [[ $ham > 0 ]] || [[ $left > 0 ]] || [[ $nseen > 0 ]]; then

printf "%-25s %-11d %-11d %-11d %-11d \n" $u $spam $ham $left $nseen

tspam=$tspam+$spam

tham=$tham+$ham

tleft=$tleft+$left

tnseen=$tnseen+$nseen

done

echo "----------------------------------------------------------------------"

printf "%-25s %-11d %-11d %-11d %-11d \n" "Total:" $tspam $tham $tleft $tnseen

echo

popd >>/dev/nul

</pre>

====Learn Contrib====

−

The [[Learn]] contrib ~~was~~ intended to install and configure the bayes training tools LearnAsSpam & ~~LarnAsHam but is no longer maintained(?)~~

The [[Learn]] contrib is intended to install and configure the bayes training tools LearnAsSpam & LearnAsHam.

====Reset the Bayes Database====

Line 395: Line 453:

chmod 640 /var/spool/spamd/.spamassassin/bayes_*

signal-event email-update

Updates to smeserver-spamassasin now require two new config db settings to have bayesian autolearning enabled. See forum post https://forums.contribs.org/index.php/topic,54320.msg284208.html#msg284208

===The Sonora Communications "Spam Filter Configuration for SME 7" howto===

Line 441: Line 501:

To workaround thunderbirds limitations change, this thunderbird setting to false

−

* Preferences, Advanced, Config editor (aka about:config): filter on tls.

−

* set security.enable_tls to false

*Preferences, Advanced, Config editor (aka about:config): filter on tls.

*set security.enable_tls to false

If the total concurrency limit is reached, it'll look like this in /var/log/dovecot/current:

@400000005a1c2c1f19c9381c master: Warning: service(imap): process_limit (2) reached, client connections are being dropped

@400000005a1c2c291a4712dc imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)

@400000005a1c2c291a471aac imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)

For the per IP concurrency limit, it'll be like this:

@400000005a1c2c6214542b94 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<abcdefgh>

@400000005a1c2c6233f1bcb4 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<ijklmnop>

The following commands will give your the current value:

db configuration getprop imap ConcurrencyLimit || echo 400

db configuration getprop imap ConcurrencyLimitPerIP || echo 12

You can also increase the ConcurrencyLimitPerIP and/or ConcurrencyLimit value for imap and/or imaps (secure)

Line 448: Line 528:

config setprop imaps ConcurrencyLimitPerIP 20

signal-event post-upgrade; signal-event reboot

−

{{Note box| for sme9, only the key imap has properties ConcurrencyLimitPerIP,checkConcurrencyLimit,ProcessMemoryLimit. If you set these properties to the key imaps, a migrate fragment will remove them automatically}}

To see configuration:

config show imap

−

~~config show imap~~

tail -f /var/log/dovecot/current | tai64nlocal #out of date

−

tail -f /var/log/~~imap~~/current | tai64nlocal

−

More detail can be found [http://forums.contribs.org/index.php?topic=33124.0 here].

More detail can be found [http://forums.contribs.org/index.php?topic=33124.0 here] or [https://forums.contribs.org/index.php/topic,51872.0 here].

{{Tip box|You can see if you are running out of the number of available connections in your log file /var/log/imaps/current and look for messages like the log extract below where the ConcurrencyLimitPerIP was set to 20. A 21st connection was attempted and was denied.

Line 461: Line 542:

tcpsvd: info: deny 30693 0:10.1.0.21 ::10.1.0.104:49332 ./peers/10.1.0

}}

−

{{Tip box|Mobile devices have a tendency to frequently disconnect and connect from the network. When this disconnect happens, the sessions on the server are not always immediately cleaned up (they get cleaned up after a time out of some minutes). When the email client reconnects, they create new network connections and you get into the situation that these new connections get denied because of the concurrency limit. On the mobile device this may be noted as a "Unable to connect to server" message.

−

}}

{{Tip box|Some email clients use a separate connection per imap folder, so the concurrency limits may occur for users that have many imap folders.}}

−

{{Tip box|Some email clients use a separate connection per imap folder, so the concurrency limits may occur for users that have many imap folders.

−

}}

===Mail server is not an IMAP4 mail server===

−

This is a bug in Thunderbird, the previous tips may help

This is a bug in Thunderbird, the previous tips may help.

===The Bat===

Line 494: Line 573:

-click OK > NEXT > FINISHED

-you're finished, your email should work now

===Outlook 2013 on Windows 10 gives "An unknown error occurred, error code 0x8004011c" when attempting an IMAP connection for a DOMAIN user===

This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: [http://bugs.contribs.org/show_bug.cgi?id=9618 Bug 9618]).

The following registry key resolves the issue:

To work around this problem, set the value of the ProtectionPolicy registry entry to 1 to enable local backup of the MasterKey instead of requiring a RWDC in the following registry subkey:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]

"ProtectionPolicy"=dword:00000001

The PortectionPolicy entry may need to be created

===Outlook 2013 on Windows 8.1 gives error 0x800CCC1A when sending over SMTP port 465===

Line 566: Line 656:

Notes:

−

* Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html

−

* I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.

*Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html

−

* Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.

*I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.

*Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.

===How do I get my e-mail to show the correct From Address===

Line 574: Line 665:

The From address on an e-mail is not supplied by the server. It is supplied by the e-mail client.

−

* Configure your Account in your e-mail client with the correct FROM address.

*Configure your Account in your e-mail client with the correct FROM address.

−

* You can change the FROM address in webmail with the following:

*You can change the FROM address in webmail with the following:

**Login to webmail as the user, go to ''options-personal information'' and change the ''identity'' to have the correct FROM address. You can have multiple identities with a single user.

Some system generated email is created by the server, some contribs may send mail externally, in these cases you need a valid domain name for the server, buy one or use a free provider like dyndns.org

===Outlook 365 / Outlook 2019 IMAP Configuration===

Microsoft has disabled the ability to enter the IMAP/SMTP username in the account setup wizard in Outlook 365 / 2019 for Windows. The wizard used within Outlook requires that the IMAP/SMTP username be the full email address.

To work around this issue, setup the account using "Mail (Microsoft Outlook 2016)" in the Windows control panel:

[[File:Screen Shot 2019-12-04 at 6.44.18 AM.png|450px]]

==Server Settings==

Line 635: Line 733:

This may be for legal, or other reasons.

−

The following instructions will create a new user account (maillog) and forward every email that goes through your SME server to it.

The following instructions will create a new user account (default is maillog) and forward every email that goes through your SME server to it.

First, log onto the server-manager and create the user '''maillog'''

Line 649: Line 747:

If you want to view the emails, point your email client at the SME and log on as maillog.

You can modify the default user:

config setprop qpsmtpd BccUser someuser

====Keep a copy of outgoing emails only====

Line 671: Line 773:

More info:

perldoc /usr/share/qpsmtpd/plugins/bcc

===Set Helo hostname===

Default is set to the hostname.domain, but sometime you might want to have something else to answer with the same as your reverseDNS. You can do one of the followings to only adjust the helo name:

config setprop smtpd HeloHost mydomainname

signal-event email-update

or the following to adjust the way your server will present itself everywhere (httpd, qpsmtd...) This might trigger the generation of new ssl certificate, so use it only if you are sure this is what you want to do.

config set DomainName mydomainname

signal-event domain-modify

signal-event email-update

===Set max email size===

−

* IMPORTANT: [[bugzilla: 7876]] points out that if your system has ''/var/service/qpsmtpd/config/databytes'' it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see [[bugzilla: 8329]]).

*IMPORTANT: [[bugzilla: 7876]] points out that if your system has ''/var/service/qpsmtpd/config/databytes'' it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see [[bugzilla: 8329]]).

There are several components involved in sending email on a SME server. Each component has a size limit that may affect an email message that passes through the server.

Line 680: Line 794:

Be aware that ''email size'' is not the same thing as ''attachment size''. Binary attachments to email are encoded using techniques that result in email sizes that can be as much as 30% larger than the original attachment. Most major email clients (Thunderbird, Apple Mail, Outlook) allow you to enable a "message size" column in the message list that will show you the size of your email messages ([http://forums.contribs.org/index.php/topic,48366.msg241720.html#msg241720 More]).

−

{| width="100%" ~~border~~="1" cellpadding="5" ~~cellspacing~~="0"

{| width="100%" cellspacing="0" cellpadding="5" border="1"

−

! Subsystem

!Subsystem

−

! Function

!Function

−

! Default Limit

!Default Limit

−

! Command to change size

!Command to change size

−

! Notes

!Notes

|qmail

Line 697: Line 811:

|15M

|config setprop clamav MaxFileSize 15M

−

|Value includes human-readable abbreviations. "15M" equals 15 MegaBytes.

|clamd

|Involved in attachment virus scanning

|1400000000

|config setprop clamd MemLimit 1400000000

|May require increase per [https://forums.contribs.org/index.php?topic=54070.0;topicseen this forum topic]

|qpsmtpd

Line 720: Line 840:

These attributes could result in the rejection of a compressed attachment on a SME server:

−

* ArchiveMaxCompressionRatio (default 300)

−

* MaxFiles (default 1500)

*ArchiveMaxCompressionRatio (default 300)

−

* MaxRecursion (default 8)

*MaxFiles (default 1500)

*MaxRecursion (default 8)

====spamassassin====

By default the qpsmtpd 'spamassassin' plugin does not pass any messages over 500,000 bytes to spamassassin for scanning.

Line 747: Line 869:

signal-event email-update

−

=== Large attachments not displaying in webmail ===

===Large attachments not displaying in webmail===

Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also [[bugzilla:3990]]). The following entries are related to the error and can be found in the log files:

Line 767: Line 889:

Can be either a user, pseudonym or group

−

db accounts setprop groupname/username Visible internal

db accounts setprop groupname/username/pseudonym Visible internal

signal-event email-update

If you want to remove

−

db accounts delprop groupname/username Visible

db accounts delprop groupname/username/pseudonym Visible

signal-event email-update

−

* If you need to restrict emails for all users you can perform this command line

*If you need to restrict emails for all users you can perform this command line

db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts setprop $USER Visible internal; done

Line 782: Line 904:

db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts delprop $USER Visible; done

signal-event email-update

{{Note box|Please note that admin and other system accounts can not be hidden from external network this way.

Also note that Pseudonyms can be set to internal only using the server-manager.}}

===I can't receive mail at: user@mail.domain.tld===

Line 793: Line 918:

This is logged is in /var/log/messages.

−

===~~How do I enable smtp~~ authentication ~~for users on the internal network~~===

===Allow SMTP relay of mail without encryption/authentication===

−

~~mkdir -p~~ /~~etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local~~

−

~~cd /etc/e-smith/templates-custom/var/service/qpsmtpd/~~config~~/peers/local~~

Change the configuration of the system from the default, so that it no longer requires encryption/authentication before allowing relaying of mail.

−

~~cp /etc/e-smith/templates/var/service/~~qpsmtpd~~/config/peers/0/05auth_cvm_unix_local .~~

* For most case, you really want to allow few specific clients on your LAN or trusted networks, this is done by setting a coma separated list of ip this way (replace IP1, IP2, IP3 by valid ips).

config set qpsmtpd UnauthenticatedRelayClients IP1,IP2,IP3

signal-event email-update

−

~~(note the "." at the end of the 3rd line) ~~

−

~~Authentication for the local network will now follow the setting of config::qpsmtpd::Authentication~~

−

~~ie do~~

* In some case you would have a whole dedicated network with appliances needing to send email without auth, this is done this way

−

~~config~~ setprop ~~qpsmtpd Authentication enabled~~

db networks setprop {$network} RelayRequiresAuth disabled

signal-event email-update

−

~~===How do I disable SMTP relay for unauthenticated LAN clients===~~

* In case you needs are not fulfilled because you need to accommodate a list of remote IP or a sub network of a larger trusted network, you can create a custom template. Here for reference the accepted formats:

−

~~http://forums.contribs.org/index~~.~~php?topic=38797.msg176490#msg176490~~

−

* Enable smtp authentication as shown above

−

* Disable un-authenticated smtp relay for the ~~local network(s)using~~:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients

−

echo "# ~~SMTP Relay from local network denied by custom template~~" >\

# a subnetwork by only using a prefix of full ip

−

/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/~~80relayFromLocalNetwork~~

echo "10.10.0.">> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom

# an external ip

echo "99.10.1.23" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom

# an external network you control

echo "164.163.12.1/30" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom

signal-event email-update

−

* ~~Configure your email clients to use smtps with authentication: ~~

* Disable smtp authentication on all local interfaces as shown in [[Bugzilla: 6522]]

−

~~- change outgoing smtp port to 465 and select SSL ~~

−

~~- enable Authentication against the outgoing mail server~~

−

~~===Allow SMTP relay of mail without encryption/authentication===~~

−

~~Change the configuration of the system from the default, so that it no longer requires encryption/authentication before allowing relaying of mail.~~

−

Disable smtp authentication as shown in [[Bugzilla: 6522]]

config setprop qpsmtpd RelayRequiresAuth disabled

Line 897: Line 1,015:

eg a disclaimer is added to internal to external messages but not internal to internal messages.

−

~~There are also various switches that can be applied~~

−

~~(see http://bugs.contribs.org/show_bug.cgi?id=2648).~~

−

To disable the disclaimer function for all domains on your sme server

Line 914: Line 1,027:

There are two main sections, Blacklist and Whitelist, where you can control settings.

Note that there are subtle differences in syntax between whitelist and blacklist entries

Blacklist - Black lists are used for rejecting e-mail traffic

Line 936: Line 1,051:

qpsmtpd whitelisthelo - Any host that issues a HELO matching an entry in whitelisthelo

will be exempted from further validation during the 'helo' stage.

−

qpsmtpd whitelistsenders - Any envelope sender of a mail (@host or user@host) matching an

qpsmtpd whitelistsenders - Any envelope sender of a mail (host or user@host) matching an

entry in whitelistsenders will be exempted from further validation

during the 'mail' stage.

Line 953: Line 1,068:

harassment).

====Prior SME9.2 : qpsmtpd check_badmailfromto plugin====

To control mail from external locations to internal locations do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins

−

~~nano~~ -w /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto

echo "check_badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto

signal-event email-update

−

~~Type~~ in the ~~following followed by Enter~~

To control mail sent from internal locations to internal locations, in addition to the above also do

−

~~check_badmailfromto~~

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local

−

~~Then save the file and exit~~

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto

−

~~Ctrl o~~

signal-event email-update

−

~~Ctrl x~~

====Since SME9.2 : qpsmtpd badmailfromto plugin====

remove previous templates, if you are updating

rm /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto \

/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto \

/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto

−

~~Then~~ do

To control mail from external locations to internal locations do

−

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/~~31check_badmailfromto~~ /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/~~31check_badmailfromto~~

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins

echo "badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31badmailfromto

signal-event email-update

To control mail sent from internal locations to internal locations, in addition to the above also do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local

−

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/~~31check_badmailfromto~~ /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/~~31check_badmailfromto~~

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31badmailfromto

signal-event email-update

====For Qmail====

Create and configure the badmailfromto custom template fragment

Line 1,033: Line 1,162:

db accounts setprop username EveryoneEmail no

−

signal-event user-modify

signal-event user-modify username

−

/~~etc~~/~~init~~.d/~~qmail restart~~

===How do I remove an email address from any regular group===

By default, all users member of a group "group1" are automatically added as recipients of mail sent to group1@domain. If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop group1 EmailExcludeUsers tom,jack

signal-event group-modify group1

If you want to prevent all the user members from another group "group2" from receiving emails addressed to group1@domain while they are also member of group1, you could connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop group1 EmailExcludeGroups group2

signal-event group-modify group1

All members of the group will still be member for all other purpose (samba access to ibays as an example)

This behaviour is only available as per e-smith-qmail-2.4.0-7.sme see bug #9540

===Change the number of logs retained for qpsmtpd and/or sqpsmtpd===

The normal retention is 5 logs for both qpsmptd and sqpsmtpd. This may or may not fit all installations. This information is pulled from bugzilla.

Check your config to see if any change has been made to the default log retention rules. Note there are different rules for qpsmtpd and sqpsmtpd. You have to make changes to both as you require.

config show qpsmtpd

If the KeepLogFiles property isn't listed, the default rules apply. Determine how many logs you would like to keep and apply that to the following example. In the command below, 15 is used to keep 15 qpsmtpd logs.

db configuration setprop qpsmtpd KeepLogFiles 15

Restart multilog with the following.

sv t /service/qpsmtpd/log

Check that your setting saved.

ps aux | grep qpsmtpd | grep multi

Look for the line that ends with /var/log/qpsmtpd and verify the number after n equals your KeepLogFiles property from above.

−

==DKIM Setup==

==DKIM Setup - qpsmtpd version<0.96==

A plugin has been written and is available in SME

−

To activate it manually follow the steps below, or download a shell script that will do the server based stuff for you & guide you on the DNS stuff [ftp://ftp.gfitc.com.au:2121/setup_dkim.sh setup_dkim.sh]:-

To activate it manually follow the steps below, or download a shell script that will do the server based stuff for you & guide you on the DNS stuff [ftp://ftp.gfitc.com.au:2121/e-smith/setup_dkim.sh setup_dkim.sh]:-

Note: I'd recommend reviewing the script first to make sure you're happy to run it on your system

Line 1,074: Line 1,231:

Type : TXT

−

Text : "k=rsa; p=<key text>; t=y"

Text : "v=DKIM1;k=rsa; p=<key text>; t=y"

If you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only.

−

# keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY)

#keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY)

−

# dk_method : for domainkey method , default "nofws"

#dk_method : for domainkey method , default "nofws"

−

# selector : the selector you want, default "default"

#selector : the selector you want, default "default"

−

# algorithm : algorithm for DKIM signing, default "rsa-sha1"

#algorithm : algorithm for DKIM signing, default "rsa-sha1"

−

# dkim_method : for DKIM, default "relaxed"

#dkim_method : for DKIM, default "relaxed"

NB: key files can not be defined in parameters, they need to be in /var/service/qpsmtpd/config/dkimkeys/{SENDER_DOMAIN}.private

Line 1,090: Line 1,247:

See also : [[bugzilla:8251]] [[bugzilla:8252]]

==DKIM Setup - qpsmtpd version >= 0.96==

Version 0.96 and above supports DKIM natively without the need for extra plugins.

All you have to do is to enable the DKIM signing and promulgate the DNS TXT entries to support it.

Enable the signing:

db configuration setprop qpsmtpd DKIMSigning enabled

signal-event email-update

and then run:

qpsmtpd-print-dns <domain name>

to show the DNS entry(s) required.

Then you have to update your DNS.

{{Tip box|msg=You can verify that your settings are correct by sending an email to [mailto:check-auth@verifier.port25.com check-auth@verifier.port25.com], a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See [[bugzilla:4558#c6]] }}

also see [[bugzilla:9694]] and https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation

More details are available [https://wiki.contribs.org/Email#Inbound_DKIM_.2F_SPF_.2F_DMARC here]

Incoming DKIM checking is also enabled out of the box.

In case you got a problem using the DKIM field provided with your DNS provider /registrar, please first contact them to ensure the problem is not how you try to enter the information. In the likelihood, you got "invalid field" or "too long field" errors and your provider is not able to help you or update its interface, you can generate a shorter DKIM key (with 1024 instead of the default 2048) this way:

cd /home/e-smith/dkim_keys/default

mv private private.long

mv public public.long

openssl genrsa -out private 1024

openssl rsa -in private -pubout -out public

chown qpsmtpd:qpsmtpd private

chown root:qpsmtpd public

chmod 0400 private

signal-event email-update

qpsmtpd-print-dns

===Outbound DKIM signing / SPF / DMARC policy FOR MULTIPLE DOMAINS===

The default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domains that you manage:

db configuration setprop qpsmtpd DKIMSigning enabled

signal-event email-update

If you want to disable dkim signing for a domain, you can use:

db domains setprop domain.com DKIMSigning disabled

signal-event email-update

The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:

cd /home/e-smith/dkim_keys

mkdir domain.net

cd domain.net

echo default > selector

openssl genrsa -out private 2048

openssl rsa -in private -out public -pubout

chown qpsmtpd:qpsmtpd private

chmod 400 private

signal-event email-update

Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.

==Domain Keys==

Line 1,155: Line 1,370:

contribs

org

===Dovecot Idle_Notify===

Poor battery consumption issues has been reported with K9-mail on recent Android systems. It is apparent one way of helping this is to modify the imap_idle_notify setting. The default is in Dovecot, and therefore on SME is 2 minutes.

K9 has an idle refresh of 24 mins but it seems with Dovecot defaults at 2 mins it causes lots of wake ups and battery drain.

This is configurable via a config db property.

Default on install

# config show dovecot

dovecot=service

Quotas=enabled

status=enabled

Set dovecot Idle_Notify to 20 minutes

# config setprop dovecot Idle_Notify 20

# config show dovecot

dovecot=service

Idle_Notify=20

Quotas=enabled

status=enabled

Expand template to update *.conf (can also issue a full reconfigure/reboot)

# expand-template /etc/dovecot/dovecot.conf

# dovecot -a |grep imap_idle_notify_interval

imap_idle_notify_interval = 20 mins

==qpsmtpd==

Line 1,169: Line 1,411:

qplogtail is a script to to monitor /var/log/qpsmtpd/current, see [[bugzilla:3418]]

−

===Default Plugin Configuration===

===Qpsmtpd for SME versions 9.1 and earlier===

{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsptpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.1 and earlier, except where the plugin has been retained, See the next section for the new details.}}

====Default Plugin Configuration====

SME uses the following [http://wiki.qpsmtpd.org/plugins qpsmtpd plugins] to evaluate each incoming email.

Line 1,175: Line 1,419:

The default configuration of each plugin is indicated in the 'Default Status' column.

−

{| width="100%" ~~border~~="1" cellpadding="5" ~~cellspacing~~="0"

{| width="100%" cellspacing="0" cellpadding="5" border="1"

!Plugin

!Purpose

Line 1,189: Line 1,433:

|logging/logterse

−

|Allow greater logging detail using smaller log files. Optionally supports [[Email_Statistics#qplogsumm.pl|qplogsumm.pl]] to compile qpsmtpd statistics.

|enabled

Line 1,276: Line 1,520:

|'''disabled''' (always disabled for local connections)

−

|virus/clamav

|Scan incoming email with ClamAV

|enabled

Line 1,285: Line 1,529:

===Qpsmtpd for SME versions 9.2 and Later===

{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsmtpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.2 and later version, see the previous section for the details.}}

This section has been taken from the notes prepared by the dev who made the changes, the wiki is [https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation here].

Here is a list of the plugins in use, and a note of any changes that might have occurred:

*logterse: no change

*tls: no change

*auth_cvm_unix_local: no change

*check_earlytalker: '''renamed earlytalker'''

*count_unrecognized_commands: no change

*bcc: no change

*check_relay: '''renamed relay'''

*check_norelay: '''merged into the relay plugin'''

*require_resolvable_fromhost: '''renamed resolvable_fromhost'''

*check_basicheaders: '''renamed headers'''

*rhsbl: no change

*dnsbl: no change

*check_badmailfrom: '''renamed badmailfrom'''

*check_badrcptto_patterns: '''doesn't exist anymore, merged with badrcptto'''

*check_badrcptto: '''renamed badrcptto'''

*check_spamhelo: '''renamed helo'''

*check_smtp_forward: no change

*check_goodrcptto: no change

*rcpt_ok: no change

*pattern_filter: no change

*tnef2mime: no change

*spamassassin: no change

*clamav: no change

*qmail-queue: no change

Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above].

====Karma====

The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:

*Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin

*KarmaNegative (integer): Default value is 2. It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day. Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones

*KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad. On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral and won't be used in the history count

Example:

db configuration setprop qpsmtpd Karma enabled KarmaNegative 3

signal-event email-update

====URIBL====

The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:

*URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin

*UBLList: (Comma separated list addresses): Default value is '''multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net'''. This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)

Example:

db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com

signal-event email-update

====Helo====

Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:

*HeloPolicy: (lenient|rfc|strict). The default value is '''lenient'''.

See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level

Example:

db configuration setprop qpsmtpd HeloPolicy rfc

signal-event email-update

====Inbound DKIM / SPF / DMARC====

DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:

*DMARCReject (enabled|disabled): Default value is disabled. If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)

*DMARCReporting (enabled|disabled): Default value is enabled. If set to enabled, enable reporting (which is the '''r''' in dma'''r'''c). Reporting is a very important part of the DMARC standard. When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite). Then, once a day, you send the aggregate reports to the domain owner so they have feedback. You can set this to disabled if you want to disable this feature

*SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy. Note: this is only used when no DMARC policy is published by the sender. If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.

:*0: do not reject anything

:*1: reject when SPF says fail

:*2: reject when SPF says softfail

:*3: reject when SPF says neutral

:*4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published

*Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported

Example:

db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2

signal-event email-update

====Outbound DKIM signing / SPF / DMARC policy====

Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:

db configuration setprop qpsmtpd DKIMSigning enabled

signal-event email-update

If you want to disable dkim signing for a domain, you can use:

db domains setprop domain.com DKIMSigning disabled

signal-event email-update

cd /home/e-smith/dkim_keys

mkdir domain.net

cd domain.net

echo default > selector

openssl genrsa -out private 2048

openssl rsa -in private -out public -pubout

chown qpsmtpd:qpsmtpd private

chmod 400 private

signal-event email-update

Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.

====Publishing your DNS entries====

Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:

qpsmtpd-print-dns <domain name>

If omitted, the primary domain name is assumed.

Example output:

Here are sample DNS entries you should add in your public DNS

The DKIM entry can be copied as is, but others will probably need to be adjusted

to your need. For example, you should either change the reporting email adress

for DMARC (or create the needed pseudonym)

default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"

@ IN SPF "v=spf1 mx a -all"

@ IN TXT "v=spf1 mx a -all"

_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"

All you have to do now is publish those records, but do note that there is a point to consider when publishing the default._domainkey DNS record, as produced by the ''qpsmtpd-print-dns'' command: if the DNS record includes '';t=y'' then as per the DKIM specification ([http://dkim.org/specs/rfc4871-dkimbase.html#keys RFC4781 section 3.6.1]) this means that your ''"...domain is testing DKIM. Verifiers MUST NOT treat messages from signers in testing mode differently from unsigned email, even should the signature fail to verify. Verifiers MAY wish to track testing mode results to assist the signer."''

On the other hand, if no '';t=y'' is included, then it means you are intending to use DKIM in production mode. It might be a good idea to publish the DKIM DNS record first in testing mode ('';t=y'' included), check how things go and if everything is alright, remove the '';t=y'' part.

====Testing====

You can install spfquery:

yum --enablerepo=epel install libspf2 libspf2-progs

Usage (try -help for help):

spfquery -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld

Check record via dig

dig -t TXT +short somedomain.co.uk

====Load====

The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:

*MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.

===Other QPSMTPD Plugins===

The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default.

−

{| width="100%" ~~border~~="1" cellpadding="5" ~~cellspacing~~="0"

{| width="100%" cellspacing="0" cellpadding="5" border="1"

!Plugin

!Purpose

Line 1,295: Line 1,694:

|[[Qpsmtpd_connection_time|connection_time]]

|Track the total time for each qpsmtpd connection from 'Accepted connection' through 'click, disconnecting', and output the results to the qpsmtpd log file.

−

|not installed

|not installed - not clear if this works for SME9.2 (anyone?)

|[[GeoIP]]

|Track the geographic origin of incoming email and optionally reject email from specified countries

−

|not installed

|not installed - does work for SME 9.2 and later.

−

==Internal or External Mail Servers==

Line 1,330: Line 1,728:

signal-event email-update

−

== Secondary/Backup Mail Server Considerations ==

==Secondary/Backup Mail Server Considerations==

Many people misunderstand the issues of using a secondary or backup

Line 1,354: Line 1,752:

===='''Without''' a backup MX====

−

* The sending mail server cannot connect to your server.

*The sending mail server cannot connect to your server.

−

* The sending mail server MUST queue the mail and try again later.

*The sending mail server MUST queue the mail and try again later.

−

* The mail stays on the sender's server.

*The mail stays on the sender's server.

−

* The sender's server resends the mail at a later date.

*The sender's server resends the mail at a later date.

−

''The requirement to re-queue is a fundamental part of the SMTP protocol -

''The requirement to re-queue is a fundamental part of the SMTP protocol - ''

it is not optional. So, if your server is '''offline''' due to a link or ISP

−

outage, '''the mail just stays at the sender's server until you are once

outage, '''the mail just stays at the sender's server until you are once '''

−

again reachable'''.

again reachable'''.'''

===='''With''' a backup MX====

−

* The sending mail server cannot contact your server.

*The sending mail server cannot contact your server.

−

* The sending mail server sends the mail to your secondary MX.

*The sending mail server sends the mail to your secondary MX.

−

* The secondary MX queues the mail until your link/server is up.

*The secondary MX queues the mail until your link/server is up.

−

* The mail is queued on an '''untrusted''' third-party mail server (''think about confidential mail between your company and some business partner'').

*The mail is queued on an '''untrusted''' third-party mail server (''think about confidential mail between your company and some business partner'').

−

* The sending mail server's administrator ''thinks'' it has been delivered, according to their logs.

*The sending mail server's administrator ''thinks'' it has been delivered, according to their logs.

−

* You have no, or little, visibility over the queued mail.

*You have no, or little, visibility over the queued mail.

−

* When your link comes up, the secondary MX sends the mail on to your server.

*When your link comes up, the secondary MX sends the mail on to your server.

−

* You have added more hops, more systems and more delay to the process.

*You have added more hops, more systems and more delay to the process.

If you think that a backup MX will protect against broken mail servers

Line 1,404: Line 1,802:

So:

−

* If you trust the secondary MX, you will accept a lot of SPAM when the link comes up.

*If you trust the secondary MX, you will accept a lot of SPAM when the link comes up.

−

* If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.

*If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.

−

* Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.

*Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.

The SPAM backscatter can only be stopped if the secondary MX has a full list

Line 1,413: Line 1,811:

But:

−

* You need to be able to configure this secondary MX with such user/domain lists

*You need to be able to configure this secondary MX with such user/domain lists

−

* You need to maintain these secondary configurations when users are added/deleted from your primary server configuration

*You need to maintain these secondary configurations when users are added/deleted from your primary server configuration

−

* You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.

*You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.

Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find

Line 1,422: Line 1,820:

Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you.

−

* If you bounce mail at your server, you have logs to show what's wrong.

*If you bounce mail at your server, you have logs to show what's wrong.

−

* If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.

*If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.

===Summary===

Line 1,435: Line 1,833:

If you still want to consider setting up a seconday MX, ensure that:

−

* you have fully control of the configuration of each of the email gateways for your domain

*you have fully control of the configuration of each of the email gateways for your domain

−

* each gateway can make decisions on whether to accept/reject mail for the users at the domain

*each gateway can make decisions on whether to accept/reject mail for the users at the domain

==Mail server on dynamic IP==

Line 1,459: Line 1,857:

Whether this issue is really a problem to end users, depends on how much you "value" your mail. For a home user having their own mail server, it is probably not a great problem if some messages should happen to go astray, but for all other classes of users, you should really avoid running a mail server on a dynamic IP, without implementing a suitable queueing workaround as suggested. Some ISPs change the IP very infrequently eg yearly, so in those cases it is also not a significant problem. Many/most ISP's will issue a new IP every time a connection is lost & re-established, so these situations are more problematic.

==How to re-apply procmail rules==

If you have a folder of email that needs to have the procmail rules applied, then the trick is to be logged in as the email user, and then position your self in the home directory, and then this works:

su <username> -s /bin/bash

cd ~

for m in <fullpath to maildirectory>/cur/*; do echo $m; procmail < $m && rm $m; done

−

<noinclude>[[Category:Mail]][[Category:Howto]]</noinclude>

[[Category:Mail]]

[[Category:Howto]]

</noinclude>

Gieres

3,054

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/30204...42108"

Changes

Email (view source)

Revision as of 10:56, 10 June 2023

Navigation menu

Page actions

Page actions

Personal tools

Koozali SME Server

Recent activities

Koozali resources

Koozali SME Server wiki

Tools

Search