Changes

9,098 bytes added , 11:06, 10 June 2023

→‎LearnAsSpam / LearnAsHam (apprentissage spam/ham)

Line 313: Line 313:

===Je veux activer GreyListing===

−

GreyListing ~~support is under the covers~~ et peut facilement être activé ~~pour~~ ceux qui savent ce qu'ils font. Cependant, de nombreux utilisateurs expérimentés ont constaté qu'ils ont passé plus de temps à la configuration de la liste grise qu'ils en ont reçu en services rendus.

Le support de GreyListing est confidentiel et peut facilement être activé par ceux qui savent ce qu'ils font. Cependant, de nombreux utilisateurs expérimentés ont constaté qu'ils ont passé plus de temps à la configuration de la liste grise qu'ils en ont reçu en services rendus.

Voir la [[Greylisting]].

Line 329: Line 329:

config setprop spamassassin BayesAutoLearnThresholdSpam 6.00

config setprop spamassassin BayesAutoLearnThresholdNonspam 0.10

config setprop spamassassin UseBayesAutoLearn 1

expand-template /etc/mail/spamassassin/local.cf

sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd

Line 338: Line 339:

config setprop spamassassin TagLevel 4

config setprop spamassassin Sensitivity custom

config setprop spamd SpamLearning enabled

signal-event email-update

Ces commandes :

* activeront spamassassin ;

* configuront spamassassin pour rejeter tout courriel de score supérieur à 12 ;

* marqueront comme pourriel dans l'objet ceux de score compris entre 4 et 12 ;

* activeront le filtre bayésien ;

−

* '~~autoapprendront~~' comme POURRIEL tout courriel de score supérieur à 6.00 ;

* 'auto-apprendront' comme POURRIEL tout courriel de score supérieur à 6.00 ;

Note : SpamAssassin a besoin d'au moins 3 points de l'objet (header) et de 3 points du corps pour auto-apprendre à détecter un pourriel.

−

Par conséquent, la valeur minimale de fonctionnement de cette option est 6, à modifier par incrément de 3, 12 étant considéré comme une

Par conséquent, la valeur minimale de fonctionnement de cette option est 6, à modifier par incrément de 3, 12 étant considéré comme une bonne valeur de fonctionnement.

−

bonne valeur de fonctionnement.

* 'auto-apprendront' comme HAM tout courriel de score inférieur à 0.10.

Line 355: Line 357:

sa-learn --dump magic

−

La base de données est située dans /var/spool/spamd/.spamassassin/bayes

La base de données est située dans /var/spool/spamd/.spamassassin/bayes.

====LearnAsSpam / LearnAsHam (apprentissage spam/ham)====

Line 363: Line 365:

Pour l'installation :

−

~~<ol>~~

* Activez la base de données bayes comme décrit dans [[Email/fr#Autoapprentissage_bay.C3.A9sien | Auto-apprentissage bayésien]] (ce n'est pas la meilleure approche, préférez l'apprentissage manuel par l'utilisateur), ou

−

~~<li>Activer~~ la base de données bayes comme décrit dans [[Email/fr#Autoapprentissage_bay.C3.A9sien | Auto-apprentissage bayésien]]~~</li>~~

* Installez smeserver-learn comme indiqué sur la page du wiki [[Learn/fr | Learn]] (et maintenez l'autoapprentissage désactivé), puis

−

~~<li>~~Installez smeserver-learn comme indiqué sur la page du wiki [[Learn/fr | Learn]]~~</li>~~

* Demandez à vos utilisateurs de déplacer tout le courrier indésirable trouvé dans leur boîte de réception vers leur dossier LearnAsSpam et de COPIER tout courriel non spam (ham) trouvé dans leur dossier junkmail dans leur dossier LearnAsHam.

−

~~<li>~~Demandez à vos utilisateurs de déplacer tout le courrier indésirable trouvé dans leur boîte de réception vers leur dossier LearnAsSpam et de COPIER tout courriel non spam (ham) trouvé dans leur dossier junkmail dans leur dossier LearnAsHam.

−

~~.</li>~~

−

~~</ol>~~

C'est un moyen très efficace de réduire l'impact du spam sur votre installation. Ne craignez pas de réexécuter des fichiers étiquetés en tant que SPAM, car ils seront soit ignorés si tous leurs modèles sont connus, soit les Bayes risquent d’attraper un modèle de plus qui pourrait vous aider à éviter le prochain SPAM entrant d'être accepté.

Line 435: Line 434:

chmod 640 /var/spool/spamd/.spamassassin/bayes_*

signal-event email-update

Les mises à jour de smeserver-spamassasin nécessitent désormais deux nouveaux paramètres de base de données de configuration pour activer l'auto-apprentissage bayésien. Voir le message du forum à https://forums.contribs.org/index.php/topic,54320.msg284208.html#msg284208

===The Sonora Communications "Spam Filter Configuration for SME 7" howto===

Line 473: Line 474:

Des modèles supplémentaires de signature de fichier peuvent être ajoutés aux valeurs par défaut SME. Voir le guide pratique [[Virus:Email_Attachment_Blocking | Virus: Email Attachment Blocking]] (en anglais) pour plus d'informations.

−

===~~Attachment Filtering~~===

===Filtrage des pièces jointes===

−

~~The functionality to block possible executable and~~ virus ~~files attached to emails has been incorporated into~~ SME Server v7.x. ~~See the~~ [[SME_Server:Documentation:Administration_Manual:Chapter13#~~E-mail_Filtering~~|Email]] ~~panel in server manager~~.

La fonctionnalité permettant de bloquer les éventuels fichiers exécutables et virus joints aux courriels a été intégrée à SME Server v7.x. Voir le panneau [[https://wiki.koozali.org/SME_Server:Documentation:Administration_Manual:Chapter13/fr#13.10.2._Param.C3.A8tres_de_filtrage_des_courriels|Email]] dans le gestionnaire de serveur.

−

~~Additional file~~ signature ~~patterns can be added to the~~ SME ~~defaults~~. ~~See the~~ [[Virus:Email_Attachment_Blocking|Virus:Email Attachment Blocking]] ~~Howto for further information~~

Des modèles de signature de fichier supplémentaires peuvent être ajoutés aux valeurs par défaut de SME. Voir le tutoriel [[Virus:Email_Attachment_Blocking|Virus:Email Attachment Blocking]] pour plus d'informations.

−

==~~Email~~ Clients==

==Clients de messagerie (courrielleurs)==

−

==="concurrency limit reached~~" when using~~ IMAP===

===Message « concurrency limit reached » en utilisation IMAP===

−

~~Sometime shows as~~ Thunderbird ~~giving this error message,~~

Ce message d'erreur apparaît parfois de Thunderbird :

''This Mail-server is not a imap4 mail-server''

−

~~To workaround thunderbirds~~ limitations ~~change~~, ~~this thunderbird setting to~~ false

Pour contourner ces limitations de Thunderbirds, changer ce paramètre de Thunderbird sur false

−

* ~~Preferences~~, ~~Advanced~~, ~~Config editor~~ (~~aka~~ about:config): ~~filter on~~ tls.

−

* ~~set~~ security.enable_tls to false

*Préférences, Avancé, Éditeur de configuration (alias about:config) : filtre sur tls.

* définir security.enable_tls sur « false ».

Si la limite totale de simultanéité est atteinte, cela ressemblera à ceci dans /var/log/dovecot/current :

@400000005a1c2c1f19c9381c master: Warning: service(imap): process_limit (2) reached, client connections are being dropped

@400000005a1c2c291a4712dc imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)

@400000005a1c2c291a471aac imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)

Pour la limite de simultanéité par adresse IP, cela ressemblera à ceci :

@400000005a1c2c6214542b94 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<abcdefgh>

@400000005a1c2c6233f1bcb4 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<ijklmnop>

Les commandes suivantes vous donneront la valeur actuelle :

db configuration getprop imap ConcurrencyLimit || echo 400

db configuration getprop imap ConcurrencyLimitPerIP || echo 12

−

~~You can also increase the~~ ConcurrencyLimitPerIP ~~and~~/or ConcurrencyLimit ~~value for~~ imap ~~and~~/or imaps (~~secure~~)

Vous pouvez aussi augmenter les valeurs des paramètres ConcurrencyLimitPerIP et/ou ConcurrencyLimit pour imap et/ou imaps (sécure)

config setprop imap ConcurrencyLimitPerIP 20

config setprop imaps ConcurrencyLimitPerIP 20

signal-event post-upgrade; signal-event reboot

−

{{Note box| ~~for sme9~~, ~~only the key~~ imap ~~has properties~~ ConcurrencyLimitPerIP,checkConcurrencyLimit,ProcessMemoryLimit. ~~If you set these properties to the key~~ imaps, ~~a migrate~~ fragment ~~will remove them automatically~~}}

{{Note box|type=Note : |pour SME9, seules les clés imap ont des propriétés ConcurrencyLimitPerIP, checkConcurrencyLimit, ProcessMemoryLimit. si vous réglez ces propriétés sur les clés imaps, un fragment de migration les supprimera automatiquement.}}

Pour voir la configuration :

config show imap

−

~~config show imap~~

tail -f /var/log/dovecot/current | tai64nlocal #anciennement

−

tail -f /var/log/~~imap~~/current | tai64nlocal

−

~~More detail can be found~~ [http://forums.contribs.org/index.php?topic=33124.0 ~~here~~].

Plus de détails peuvent être trouvés en anglais [http://forums.contribs.org/index.php?topic=33124.0 ici] ou [https://forums.contribs.org/index.php/topic,51872.0 ici].

−

{{Tip box|~~You can see if you are running out of the number of available connections in your log file~~ /var/log/imaps/current ~~and look for~~ messages ~~like the log extract below where the~~ ConcurrencyLimitPerIP ~~was set to~~ 20. ~~A 21st connection was attempted and was denied~~.

{{Tip box|type=Astuce : |vous pouvez voir si vous manquez de connexions disponibles dans votre fichier journal /var/log/imaps/current et rechercher des messages comme l'extrait de journal ci-dessous où le paramètre ConcurrencyLimitPerIP a été défini sur 20. Une 21e connexion a été tentée et a été refusée.

tcpsvd: info: pid 30693 from 10.1.0.104

Line 504: Line 526:

tcpsvd: info: deny 30693 0:10.1.0.21 ::10.1.0.104:49332 ./peers/10.1.0

}}

−

{{Tip box|~~Mobile devices have a tendency to frequently disconnect and connect from the network~~. ~~When this disconnect happens~~, ~~the~~ sessions ~~on the server are not always immediately cleaned up~~ (~~they get cleaned up after a time out of some~~ minutes). ~~When the email~~ client ~~reconnects~~, ~~they create new network connections and you get into the~~ situation ~~that these new connections get denied because of the concurrency limit~~. ~~On the mobile device this may be noted as a "Unable to connect to server"~~ message.

{{Tip box|type=Astuce :| les oordinateurs portables ont tendance à se déconnecter fréquemment du réseau et à se reconnecter. Quand cette déconnection se fait, les sessions créées sur le serveur ne sont pas immédiatement nettoyées (il faut un délai de quelques minutes avant qu'elles ne le soient. Quand le client courriel se reconnecte, il crée de nouvelles connexions réseau et vous vous trouvez dans la situation où ces nouvelles connexions sont refusées à cause de la limite de simultanéité. Sur l'ordinateur portable, cela peut générer un message comme « Impossible de se connecter au serveur ».}}

−

}}

{{Tip box|type=Astuce : |certains clients de messagerie utilisent une connexion distincte par dossier imap, de sorte que les limites de simultanéité peuvent se produire pour les utilisateurs qui ont de nombreux dossiers imap.}}

−

{{Tip box|~~Some email~~ clients ~~use a separate connection per~~ imap ~~folder~~, ~~so the concurrency limits may occur for users that have many~~ imap ~~folders~~.

−

}}

−

===Mail server is not an IMAP4 mail server===

===« Mail server is not an IMAP4 mail server »===

−

~~This is a bug in~~ Thunderbird, ~~the previous tips may help~~

C'est un bogue de Thunderbird, les précédentes astuces peuvent aider.

===The Bat===

Line 583: Line 603:

signal-event email-update

−

===~~After I upgrade my~~ SME ~~Server~~, ~~my email folders have disappeared when using~~ IMAP===

===Après avoir mis à niveau mon serveur SME, mes dossiers de messagerie ont disparu en utilisant l'IMAP===

−

~~After upgrade~~, ~~if there are missing~~ IMAP ~~folders~~, ~~the~~ client ~~may need to re-subscribe to folders~~. ~~This may affect either~~ webmail ~~users or users who use an~~ IMAP ~~email client~~.

Après une mise à niveau vers une nouvelle version, s'il y a des dossiers IMAP manquants, le client peut avoir besoin de se réabonner aux dossiers. Cela peut affecter soit les utilisateurs de webmail, soit ceux qui utilisent un client de messagerie IMAP.

===Entourage: Using SME's Self-Signed Certificate for SSL Connections from Entourage on OS X 10.4===

Line 615: Line 635:

If you are accessing your SME server using a different name than the one encoded in the certificate you will still receive a security warning from Entourage, but "OK" will now grant access to your folders.

−

Notes:

Notes :

* Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html

* I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.

* Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.

−

===~~How do I get my e~~-~~mail to show the correct From Address~~===

===Comment puis-je faire en sorte que mon courriel affiche l'adresse d'expéditeur correcte===

L'adresse « De : » d'un courriel n'est pas fournie par le serveur. Elle est fournie par le client de messagerie.

−

~~The From address on an e~~-~~mail is not supplied by the server~~. ~~It is supplied by the e-mail client~~.

* Configurez votre compte dans votre client de messagerie avec la bonne adresse « De : ».

* Vous pouvez changer l'adresse « De : » dans le webmail avec ce qui suit :

**Connectez-vous au webmail en tant qu'utilisateur, allez dans ''options-informations personnelles'' et changez ''identité'' pour avoir la bonne adresse « De : ». Vous pouvez avoir plusieurs identités avec un seul utilisateur.

−

* Configure your Account in your e-~~mail client with the correct FROM address.~~

Certains e-courriels générés par le système sont créés par le serveur, certaines contributions peuvent envoyer des courriels en externe, dans ces cas, vous avez besoin d'un nom de domaine valide pour le serveur, achetez-en un ou utilisez un fournisseur gratuit comme dyndns.org.

−

* You can change the FROM address in webmail with the following:

−

**Login to webmail as the user, ~~go to~~ '~~'options~~-~~personal information'' and change the ''identity'' to have the correct FROM address~~. ~~You can have multiple identities with a single user~~.

−

~~Some system generated email is created by the server, some contribs may send mail externally, in these cases you need a valid domain name for the server, buy one or use a free provider like dyndns.org~~

===Outlook 365 / Outlook 2019 IMAP Configuration===

Line 636: Line 658:

[[File:Screen Shot 2019-12-04 at 6.44.18 AM.png|450px]]

−

==~~Server Settings~~==

==Réglages du serveur==

===qmail ConcurrencyLocal===

−

~~The default value for~~ /var/qmail/control/concurrencylocal is 20. ~~This setting controls the~~ maximum ~~amount of simultaneous~~ local ~~deliveries~~.

La valeur par défaut pour /var/qmail/control/concurrencylocal est 20. Ce réglage controle le nombre maximum d'envois simultanés en local.

−

~~There is~~ a ~~optional database property~~ (~~does not show unless changed from the default setting~~) ~~called~~ ConcurrencyLocal ~~for~~ qmail ~~in the config database~~. ~~The~~ ConcurrencyLocal ~~property changes the value stored in~~ /var/qmail/control/concurrencylocal.

Il y a une propriété optionnelle de la base de données (qui n'apparaît pas jusqu'à qu'elle soit modifiée de sa valeur par défaut) dénommée ConcurrencyLocal pour qmail dans la base de données de configuration. La propriété ConcurrencyLocal change la valeur enregistrée dans /var/qmail/control/concurrencylocal.

−

~~It can be set~~, ~~for example to decrease the local concurrency limit~~

Elle peut être réglée, par exemple, pour diminuer la limite de concurrence :

config setprop qmail ConcurrencyLocal 6

signal-event email-update

===qmail ConcurrencyRemote===

−

~~The default value for~~ /var/qmail/control/concurrencyremote is 20. ~~This setting controls the~~ maximum ~~amount of simultaneous remote deliveries~~.

La valeur par défaut pour /var/qmail/control/concurrencyremote est 20. Ce réglage controle le nombre maximum d'envois simultanés à distance.

−

~~There is~~ a ~~optional database property~~ (~~does not show unless changed from the default setting~~) ~~called~~ ConcurrencyRemote ~~for~~ qmail ~~in the config database~~. ~~The~~ ConcurrencyRemote ~~property changes the value stored in~~ /var/qmail/control/concurrencyremote.

Il y a une propriété optionnelle de la base de données (qui n'apparaît pas jusqu'à qu'elle soit modifiée de sa valeur par défaut) dénommée ConcurrencyRemote pour qmail dans la base de données de configuration. La propriété ConcurrencyRemote change la valeur enregistrée dans /var/qmail/control/concurrencyremote.

−

~~It can be set~~, ~~for example to decrease the remote concurrency limit~~

Elle peut être réglée, par exemple, pour diminuer la limite de concurrence à distance :

config setprop qmail ConcurrencyRemote 10

signal-event email-update

−

~~Refer also this comment by~~ CB

Se référer également à ce commentaire de CB http://forums.contribs.org/index.php/topic,50091.msg251320.html#msg251320

−

http://forums.contribs.org/index.php/topic,50091.msg251320.html#msg251320

−

===~~How long retry before return e-mail as undeliverable~~===

===Pendant combien de temps renvoyer un courriel avant de le déclarer comme non livrable===

−

~~To configure how long~~ SME ~~server will try to delivery a~~ message ~~before return a permanent error~~

Pour configurer la durée pendant laquelle le serveur SME essaiera de livrer un message avant de renvoyer une erreur permanente :

mkdir -p /etc/e-smith/templates-custom/var/qmail/control

Line 667: Line 687:

sv t qmail

−

~~The default value is~~ 604800 ~~seconds~~, ~~or one week~~.

La valeur par défaut est 604800 secondes, soit une semaine.

−

~~The example above shows~~ 172800 ~~seconds~~, ~~or two days~~ (~~a weekend for~~ infra ~~upgrade~~!)

L'exemple ci-dessus montre 172800 secondes, soit deux jours (une fin de semaine pour la mise à niveau infra !)

source: http://forums.contribs.org/index.php/topic,47471.0.html

−

===~~Double bounce messages~~===

===Messages à double rebond===

−

~~To stop admin receiving~~ double ~~bounce messages~~

Pour empêcher l'administrateur de recevoir des messages à double rebond :

−

config setprop qmail DoubleBounceTo ~~someoneuser~~

config setprop qmail DoubleBounceTo nom_d_utilisateur

−

signal-event email-update

−

~~Or just delete them~~. ~~You risk losing legitimate double bounces~~ (~~which are~~

Ou simplement les supprimer. Vous risquez de perdre des doubles rebonds légitimes (qui sont rares, mais vous voulez les regarder quand ils se produisent) :

−

~~rare~~, ~~but you want to look at them when they do occur~~)

−

config setprop qmail DoubleBounceTo devnull

−

signal-event email-update

−

~~see a longer explaination~~ [[Email_delete_double-bounce_messages | ~~here~~]]

Voir une explication plus longue [[Email_delete_double-bounce_messages | ici]].

−

===~~Keep a copy of all emails~~===

===Conservez une copie de tous les courriels===

−

~~You may need to keep a copy of all emails sent to or from your email server~~.

Vous devrez peut-être conserver une copie de tous les e-mails envoyés vers ou depuis votre serveur de messagerie.

−

~~This may be for legal, or other reasons~~.

Cela peut être pour des raisons juridiques ou autres.

−

~~The following~~ instructions ~~will create a new user account~~ (maillog) ~~and forward every email that goes through your~~ SME ~~server to it~~.

Les instructions suivantes créeront un nouveau compte utilisateur (maillog par défaut) et lui transmettront tous les courriels qui transitent par votre serveur SME.

−

~~First~~, ~~log onto the server~~-~~manager and create the user~~ '''maillog'''

Tout d'abord, connectez-vous au gestionnaire de serveur et créez l'utilisateur '''maillog'''.

−

~~Go to the~~ SME ~~Command Line~~ (~~logon as~~ root) ~~and issue the following commands~~:

Accédez à la ligne de commande SME (connectez-vous en tant qu'utilisateur root) et émettez les commandes suivantes :

config setprop qpsmtpd Bcc enabled

signal-event email-update

−

~~Optionally make the forwarding of the emails~~ invisible ~~to the end user~~. ~~Without it~~, ~~there will be an~~ X-Copied-To: ~~header in each email~~. ~~Run this command before the~~ signal-event

En option, rendez le transfert des courriels invisible pour l'utilisateur final. Sans cela, il y aura un en-tête X-Copied-To: dans chaque courriel. Exécutez cette commande avant le « signal-event » :

config setprop qpsmtpd BccMode bcc

−

~~If you want to view the emails~~, ~~point your email~~ client ~~at the~~ SME ~~and log on as~~ maillog.

Si vous souhaitez afficher les courriels, pointez votre client de messagerie vers le SME et connectez-vous en tant que maillog.

Vous pouvez modifier l'utilisateur par défaut :

config setprop qpsmtpd BccUser someuser

====Keep a copy of outgoing emails only====

Line 727: Line 750:

More info:

perldoc /usr/share/qpsmtpd/plugins/bcc

−

===Set Helo hostname===

Line 741: Line 763:

signal-event email-update

−

===~~Régler la taille maximale des courriels~~===

===Set max email size===

−

* IMPORTANT : [[bugzilla: 7876]] ~~souligne que si votre système a~~ ''/var/service/qpsmtpd/config/databytes''~~, cela doit être supprimé~~. (~~Corrigé depuis cette version de~~ smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - ~~voir~~ [[bugzilla: 8329]]).

*IMPORTANT: [[bugzilla: 7876]] points out that if your system has ''/var/service/qpsmtpd/config/databytes'' it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see [[bugzilla: 8329]]).

−

~~Il y~~ a ~~plusieurs composants concernés dans l'envoi d'un courriel sur le serveur~~ SME ~~KOOZALI~~. ~~Chaque composant~~ a ~~une limite de taille qui peut affecter un courriel qui transite par le serveur~~.

There are several components involved in sending email on a SME server. Each component has a size limit that may affect an email message that passes through the server.

−

~~Sachez que la~~ ''~~taille des courriels~~'' n'~~est pas la même chose que la~~ '~~'taille des pièces jointes~~''. ~~Les pièces binaires jointes aux courriels sont codées à l'aide de~~ techniques ~~qui entraînent des tailles de courriels pouvant être jusqu'à~~ 30 % ~~plus importantes que la pièce jointe d'origine~~. ~~La plupart des principaux courrielleurs~~ (Thunderbird, Apple Mail, Outlook) ~~vous permettent d'activer une colonne~~ "~~taille du~~ message" ~~dans la liste des messages qui vous montrera la taille de vos~~ messages ~~électroniques~~ ([http://forums.contribs.org/index.php/topic,48366.msg241720.html#msg241720 ~~Plus~~]).

Be aware that ''email size'' is not the same thing as ''attachment size''. Binary attachments to email are encoded using techniques that result in email sizes that can be as much as 30% larger than the original attachment. Most major email clients (Thunderbird, Apple Mail, Outlook) allow you to enable a "message size" column in the message list that will show you the size of your email messages ([http://forums.contribs.org/index.php/topic,48366.msg241720.html#msg241720 More]).

−

{| cellspacing="0" cellpadding="5~~" width="100%~~" border="1"

{| width="100%" cellspacing="0" cellpadding="5" border="1"

−

! ~~Sous-système~~

!Subsystem

−

! ~~Fonction~~

!Function

−

! ~~Limite par défaut~~

!Default Limit

−

! ~~Commande pour changer la taille~~

!Command to change size

−

! Notes

!Notes

|qmail

Line 767: Line 788:

|15M

|config setprop clamav MaxFileSize 15M

−

|Value includes human-readable abbreviations. "15M" equals 15 MegaBytes.

|clamd

Line 796: Line 817:

These attributes could result in the rejection of a compressed attachment on a SME server:

−

* ArchiveMaxCompressionRatio (default 300)

−

* MaxFiles (default 1500)

*ArchiveMaxCompressionRatio (default 300)

−

* MaxRecursion (default 8)

*MaxFiles (default 1500)

*MaxRecursion (default 8)

====spamassassin====

By default the qpsmtpd 'spamassassin' plugin does not pass any messages over 500,000 bytes to spamassassin for scanning.

Line 823: Line 846:

signal-event email-update

−

=== Large attachments not displaying in webmail ===

===Large attachments not displaying in webmail===

Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also [[bugzilla:3990]]). The following entries are related to the error and can be found in the log files:

Line 843: Line 866:

Can be either a user, pseudonym or group

−

db accounts setprop groupname/username Visible internal

db accounts setprop groupname/username/pseudonym Visible internal

signal-event email-update

If you want to remove

−

db accounts delprop groupname/username Visible

db accounts delprop groupname/username/pseudonym Visible

signal-event email-update

−

* If you need to restrict emails for all users you can perform this command line

*If you need to restrict emails for all users you can perform this command line

db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts setprop $USER Visible internal; done

Line 858: Line 881:

db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts delprop $USER Visible; done

signal-event email-update

{{Note box|Please note that admin and other system accounts can not be hidden from external network this way.

Also note that Pseudonyms can be set to internal only using the server-manager.}}

===I can't receive mail at: user@mail.domain.tld===

Line 869: Line 895:

This is logged is in /var/log/messages.

−

===~~How do I enable smtp~~ authentication ~~for users on the internal network~~===

===Allow SMTP relay of mail without encryption/authentication===

−

~~mkdir -p~~ /~~etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local~~

−

~~cd /etc/e-smith/templates-custom/var/service/qpsmtpd/~~config~~/peers/local~~

Change the configuration of the system from the default, so that it no longer requires encryption/authentication before allowing relaying of mail.

−

~~cp /etc/e-smith/templates/var/service/~~qpsmtpd~~/config/peers/0/05auth_cvm_unix_local .~~

* For most case, you really want to allow few specific clients on your LAN or trusted networks, this is done by setting a coma separated list of ip this way (replace IP1, IP2, IP3 by valid ips).

config set qpsmtpd UnauthenticatedRelayClients IP1,IP2,IP3

signal-event email-update

−

~~(note the "." at the end of the 3rd line) ~~

−

~~Authentication for the local network will now follow the setting of config::qpsmtpd::Authentication~~

−

~~ie do~~

* In some case you would have a whole dedicated network with appliances needing to send email without auth, this is done this way

−

~~config~~ setprop ~~qpsmtpd Authentication enabled~~

db networks setprop {$network} RelayRequiresAuth disabled

signal-event email-update

−

~~===How do I disable SMTP relay for unauthenticated LAN clients===~~

* In case you needs are not fulfilled because you need to accommodate a list of remote IP or a sub network of a larger trusted network, you can create a custom template. Here for reference the accepted formats:

−

~~http://forums.contribs.org/index~~.~~php?topic=38797.msg176490#msg176490~~

−

* Enable smtp authentication as shown above

−

* Disable un-authenticated smtp relay for the ~~local network(s)using~~:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients

−

echo "# ~~SMTP Relay from local network denied by custom template~~" >\

# a subnetwork by only using a prefix of full ip

−

/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/~~80relayFromLocalNetwork~~

echo "10.10.0.">> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom

# an external ip

echo "99.10.1.23" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom

# an external network you control

echo "164.163.12.1/30" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom

signal-event email-update

−

* ~~Configure your email clients to use smtps with authentication: ~~

* Disable smtp authentication on all local interfaces as shown in [[Bugzilla: 6522]]

−

~~- change outgoing smtp port to 465 and select SSL ~~

−

~~- enable Authentication against the outgoing mail server~~

−

~~===Allow SMTP relay of mail without encryption/authentication===~~

−

~~Change the configuration of the system from the default, so that it no longer requires encryption/authentication before allowing relaying of mail.~~

−

Disable smtp authentication as shown in [[Bugzilla: 6522]]

config setprop qpsmtpd RelayRequiresAuth disabled

Line 1,026: Line 1,045:

harassment).

====Prior SME9.2 : qpsmtpd check_badmailfromto plugin====

To control mail from external locations to internal locations do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins

−

~~nano~~ -w /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto

echo "check_badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto

signal-event email-update

To control mail sent from internal locations to internal locations, in addition to the above also do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto

signal-event email-update

−

~~Type in the following followed by Enter~~

====Since SME9.2 : qpsmtpd badmailfromto plugin====

−

~~check_badmailfromto~~

remove previous templates, if you are updating

−

~~Then save the file and exit~~

rm /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto \

−

~~Ctrl o~~

/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto \

−

~~Ctrl x~~

/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto

−

~~Then~~ do

To control mail from external locations to internal locations do

−

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/~~31check_badmailfromto~~ /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/~~31check_badmailfromto~~

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins

echo "badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31badmailfromto

signal-event email-update

To control mail sent from internal locations to internal locations, in addition to the above also do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local

−

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/~~31check_badmailfromto~~ /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/~~31check_badmailfromto~~

ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31badmailfromto

signal-event email-update

====For Qmail====

Create and configure the badmailfromto custom template fragment

Line 1,106: Line 1,139:

db accounts setprop username EveryoneEmail no

−

signal-event user-modify

signal-event user-modify username

−

~~/etc/init.d/qmail restart~~

−

===How do I remove an email address from any regular group===

Line 1,124: Line 1,155:

This behaviour is only available as per e-smith-qmail-2.4.0-7.sme see bug #9540

−

=== Change the number of logs retained for qpsmtpd and/or sqpsmtpd ===

===Change the number of logs retained for qpsmtpd and/or sqpsmtpd===

The normal retention is 5 logs for both qpsmptd and sqpsmtpd. This may or may not fit all installations. This information is pulled from bugzilla.

Line 1,180: Line 1,212:

If you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only.

−

# keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY)

#keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY)

−

# dk_method : for domainkey method , default "nofws"

#dk_method : for domainkey method , default "nofws"

−

# selector : the selector you want, default "default"

#selector : the selector you want, default "default"

−

# algorithm : algorithm for DKIM signing, default "rsa-sha1"

#algorithm : algorithm for DKIM signing, default "rsa-sha1"

−

# dkim_method : for DKIM, default "relaxed"

#dkim_method : for DKIM, default "relaxed"

NB: key files can not be defined in parameters, they need to be in /var/service/qpsmtpd/config/dkimkeys/{SENDER_DOMAIN}.private

Line 1,194: Line 1,226:

==DKIM Setup - qpsmtpd version >= 0.96==

−

~~Version~~ 0.96 ~~and above supports~~ DKIM ~~natively without the need for extra~~ plugins.

La version 0.96 et supérieure prend en charge DKIM de manière native sans avoir besoin de plugins supplémentaires.

−

~~All you have to do is to enable the~~ DKIM ~~signing and promulgate the~~ DNS TXT ~~entries to support it~~.

Tout ce que vous avez à faire est d'activer la signature DKIM et de créer les entrées DNS TXT pour la prendre en charge.

−

~~Enable the signing~~:

Activez la signature :

db configuration setprop qpsmtpd DKIMSigning enabled

signal-event email-update

−

~~and then run~~:

et ensuite exécutez :

−

qpsmtpd-print-dns <~~domain name~~>

qpsmtpd-print-dns <nom_de_domaine>

pour voir la ou les entrée(s) DNS nécessaire(s).

Ensuite, vous devez mettre à jour votre DNS.

{{Tip box|type=Astuce : |msg=vous pouvez vérifier que vos paramètres sont corrects en envoyant un courriel à check-auth@verifier.port25.com, un service gratuit dont le but est de vérifier si votre domaine ne contredit pas les politiques de messagerie. Veuillez vérifier attentivement la réponse. Voir [[bugzilla:4558#c6]].}}

Voir aussi [[bugzilla:9694]] et https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation .

Plus de détails sur les entrées DNS à créer sont disponibles [https://wiki.contribs.org/Email/fr#Inbound_DKIM_.2F_SPF_.2F_DMARC ici.]

−

~~to show the DNS entry(s) required~~.

La vérification DKIM entrante est également activée par défaut.

−

~~Then you have to update your~~ DNS.

Si vous rencontrez un problème lors de l'utilisation du champ DKIM fourni ci-dessus avec votre fournisseur/registraire DNS, veuillez d'abord le contacter pour vous assurer que le problème n'est pas lié à la manière dont vous essayez de saisir les informations. S'il est probable que vous ayez des erreurs « champ invalide » ou « champ trop long » et que votre fournisseur ne soit pas en mesure de vous aider ou de mettre à jour son interface, vous pouvez générer une clé DKIM plus courte (de 1024 au lieu du 2048 bits par défaut) de cette façon :

cd /home/e-smith/dkim_keys/default

mv private private.long

mv public public.long

openssl genrsa -out private 1024

openssl rsa -in private -pubout -out public

chown qpsmtpd:qpsmtpd private

chown root:qpsmtpd public

chmod 0400 private

signal-event email-update

qpsmtpd-print-dns

−

~~{{Tip box|msg~~=~~You can verify that your settings are correct by sending an email to [mailto~~:~~check~~-~~auth@verifier.port25.com check~~-~~auth@verifier.port25.com], a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See [[bugzilla:4558#c6]] }}~~

===Signature DKIM sortante / Politique SPF / DMARC pour plusieurs domaines ===

La clé DKIM par défaut est créée dans /home/e-smith/dkim_keys/default. Pour activer la signature DKIM pour tous les domaines que vous gérez :

db configuration setprop qpsmtpd DKIMSigning enabled

signal-event email-update

−

~~also see [[bugzilla~~:~~9694]] and https://wikit~~.~~firewall~~-~~services.com/doku.php/smedev/qpsmtpd_096#documentation~~

Si vous voulez désactiver la signature DKIM pour un domaine, vous pouvez utilser :

db domains setprop domain.com DKIMSigning disabled

signal-event email-update

−

~~More details are available [https~~://~~wiki.contribs.org~~/~~Email#Inbound_DKIM_~~.~~2F_SPF_~~.~~2F_DMARC here]~~

Le comportement par défaut consiste à utiliser la même paire de clés pour tous vos domaines. Mais vous pouvez créer d'autres paires de clés pour un domaine spécifique si vous le souhaitez. Par exemple, si vous souhaitez utiliser une paire de clés spécifique pour le domaine domain.net :

cd /home/e-smith/dkim_keys

mkdir domain.net

cd domain.net

echo default > selector

openssl genrsa -out private 2048

openssl rsa -in private -out public -pubout

chown qpsmtpd:qpsmtpd private

chmod 400 private

signal-event email-update

−

~~Incoming DKIM checking is also enabled out of the box~~.

Maintenant, les courriels utilisant une adresse d'expédition de domain.net sender seront signés par cette nouvelle clé, à la place de celle par défaut.

==Domain Keys==

Line 1,281: Line 1,348:

contribs

org

===Dovecot Idle_Notify===

Poor battery consumption issues has been reported with K9-mail on recent Android systems. It is apparent one way of helping this is to modify the imap_idle_notify setting. The default is in Dovecot, and therefore on SME is 2 minutes.

K9 has an idle refresh of 24 mins but it seems with Dovecot defaults at 2 mins it causes lots of wake ups and battery drain.

This is configurable via a config db property.

Default on install

# config show dovecot

dovecot=service

Quotas=enabled

status=enabled

Set dovecot Idle_Notify to 20 minutes

# config setprop dovecot Idle_Notify 20

# config show dovecot

dovecot=service

Idle_Notify=20

Quotas=enabled

status=enabled

Expand template to update *.conf (can also issue a full reconfigure/reboot)

# expand-template /etc/dovecot/dovecot.conf

# dovecot -a |grep imap_idle_notify_interval

imap_idle_notify_interval = 20 mins

==qpsmtpd==

Line 1,303: Line 1,397:

The default configuration of each plugin is indicated in the 'Default Status' column.

−

{| cellspacing="0" cellpadding="5~~" width="100%~~" border="1"

{| width="100%" cellspacing="0" cellpadding="5" border="1"

!Plugin

!Purpose

Line 1,317: Line 1,411:

|logging/logterse

−

|Allow greater logging detail using smaller log files. Optionally supports [[Email_Statistics#qplogsumm.pl|qplogsumm.pl]] to compile qpsmtpd statistics.

|enabled

Line 1,404: Line 1,498:

|'''disabled''' (always disabled for local connections)

−

|virus/clamav

|Scan incoming email with ClamAV

|enabled

Line 1,415: Line 1,509:

===Qpsmtpd for SME versions 9.2 and Later===

−

{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to ~~qpsptpd~~ version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.2 and later version, see the previous section for the details.}}

{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsmtpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.2 and later version, see the previous section for the details.}}

This section has been taken from the notes prepared by the dev who made the changes, the wiki is [https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation here].

Line 1,421: Line 1,515:

Here is a list of the plugins in use, and a note of any changes that might have occurred:

−

* logterse: no change

*logterse: no change

−

* tls: no change

*tls: no change

−

* auth_cvm_unix_local: no change

*auth_cvm_unix_local: no change

−

* check_earlytalker: **renamed earlytalker**

*check_earlytalker: '''renamed earlytalker'''

−

* count_unrecognized_commands: no change

*count_unrecognized_commands: no change

−

* bcc: no change

*bcc: no change

−

* check_relay: **renamed relay**

*check_relay: '''renamed relay'''

−

* check_norelay: **merged into the relay plugin**

*check_norelay: '''merged into the relay plugin'''

−

* require_resolvable_fromhost: **renamed resolvable_fromhost**

*require_resolvable_fromhost: '''renamed resolvable_fromhost'''

−

* check_basicheaders: **renamed headers**

*check_basicheaders: '''renamed headers'''

−

* rhsbl: no change

*rhsbl: no change

−

* dnsbl: no change

*dnsbl: no change

−

* check_badmailfrom: **renamed badmailfrom**

*check_badmailfrom: '''renamed badmailfrom'''

−

* check_badrcptto_patterns: **doesn't exist anymore, merged with badrcptto**

*check_badrcptto_patterns: '''doesn't exist anymore, merged with badrcptto'''

−

* check_badrcptto: **renamed badrcptto**

*check_badrcptto: '''renamed badrcptto'''

−

* check_spamhelo: **renamed helo**

*check_spamhelo: '''renamed helo'''

−

* check_smtp_forward: no change

*check_smtp_forward: no change

−

* check_goodrcptto: no change

*check_goodrcptto: no change

−

* rcpt_ok: no change

*rcpt_ok: no change

−

* pattern_filter: no change

*pattern_filter: no change

−

* tnef2mime: no change

*tnef2mime: no change

−

* spamassassin: no change

*spamassassin: no change

−

* clamav: no change

*clamav: no change

−

* qmail-queue: no change

*qmail-queue: no change

Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above].

−

==== Karma ====

====Karma====

The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:

−

* Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin

*Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin

−

* KarmaNegative (integer): Default value is 2. It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day. Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones

*KarmaNegative (integer): Default value is 2. It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day. Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones

−

* KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad. On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral and won't be used in the history count

*KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad. On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral and won't be used in the history count

Example:

−

~~<code bash>~~

db configuration setprop qpsmtpd Karma enabled KarmaNegative 3

−

db configuration setprop qpsmtpd Karma enabled KarmaNegative 3

signal-event email-update

−

signal-event email-update

−

~~</code>~~

−

==== URIBL ====

====URIBL====

The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:

−

* URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin

*URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin

−

* UBLList: (Comma separated list addresses): Default value is **multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net**. This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)

*UBLList: (Comma separated list addresses): Default value is '''multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net'''. This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)

Example:

−

~~<code bash>~~

db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com

−

db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com

signal-event email-update

−

signal-event email-update

−

~~</code>~~

−

==== Helo ====

====Helo====

Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:

−

* HeloPolicy: (lenient|rfc|strict). The default value is **lenient**. See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level

*HeloPolicy: (lenient|rfc|strict). The default value is '''lenient'''.

See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level

Example:

db configuration setprop qpsmtpd HeloPolicy rfc

signal-event email-update

−

~~<code bash>~~

====Inbound DKIM / SPF / DMARC====

−

~~db configuration setprop qpsmtpd HeloPolicy rfc~~

−

~~signal-event~~ email~~-update~~

DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:

−

~~</code>~~

−

~~==== Inbound DKIM~~ / SPF / DMARC =~~===~~

*DMARCReject (enabled|disabled): Default value is disabled. If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)

*DMARCReporting (enabled|disabled): Default value is enabled. If set to enabled, enable reporting (which is the '''r''' in dma'''r'''c). Reporting is a very important part of the DMARC standard. When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite). Then, once a day, you send the aggregate reports to the domain owner so they have feedback. You can set this to disabled if you want to disable this feature

*SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy. Note: this is only used when no DMARC policy is published by the sender. If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.

−

~~DMARC is a policy on top of DKIM and~~ SPF~~. By default,~~ SPF ~~and DKIM are now checked on every inbound emails, but no~~ reject ~~is attempted. The dmarc plugin can decide to~~ reject ~~the email~~ (~~depending on the sender policy~~)~~. dkim and spf plugins are always enabled. dmarc has two settings:~~

:*0: do not reject anything

:*1: reject when SPF says fail

:*2: reject when SPF says softfail

:*3: reject when SPF says neutral

:*4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published

−

* DMARCReject (enabled|disabled): Default value is disabled. If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)

*Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported

−

* DMARCReporting (enabled|disabled): Default value is enabled. If set to enabled, enable reporting (which is the **r** in dma**r**c). Reporting is a very important part of the DMARC standard. When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite). Then, once a day, you send the aggregate reports to the domain owner so they have feedback. You can set this to disabled if you want to disable this feature

−

* SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy. Note: this is only used when no DMARC policy is published by the sender. If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.

−

* 0: do not reject anything

−

* 1: reject when SPF says fail

−

* 2: reject when SPF says softfail

−

* 3: reject when SPF says neutral

−

* 4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published

−

* Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported

Example:

−

~~<code bash>~~

db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2

−

db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2

signal-event email-update

−

signal-event email-update

====Outbound DKIM signing / SPF / DMARC policy====

−

~~</code>~~

−

==== Outbound DKIM signing / SPF / DMARC policy ====

Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:

−

db configuration setprop qpsmtpd DKIMSigning enabled

−

~~<code bash>~~

signal-event email-update

−

db configuration setprop qpsmtpd DKIMSigning enabled

−

signal-event email-update

−

~~</code>~~

If you want to disable dkim signing for a domain, you can use:

−

~~<code bash>~~

db domains setprop domain.com DKIMSigning disabled

−

db domains setprop domain.com DKIMSigning disabled

signal-event email-update

−

signal-event email-update

−

~~</code>~~

The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:

−

cd /home/e-smith/dkim_keys

−

~~<code bash>~~

mkdir domain.net

−

cd /home/e-smith/dkim_keys

cd domain.net

−

mkdir domain.net

echo default > selector

−

cd domain.net

openssl genrsa -out private 2048

−

echo default > selector

openssl rsa -in private -out public -pubout

−

openssl genrsa -out private 2048

chown qpsmtpd:qpsmtpd private

−

openssl rsa -in private -out public -pubout

chmod 400 private

−

chown qpsmtpd:qpsmtpd private

signal-event email-update

−

chmod 400 private

−

signal-event email-update

−

~~</code>~~

Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.

−

==== ~~Publishing your~~ DNS ~~entries~~ ====

====Publier vos entrées DNS====

−

~~Signing your outbound emails is just part of the process~~. ~~You now need to publish some~~ DNS ~~entries so everyone can check if the email they receive matches your policy~~. ~~This part is not to be done on your~~ SME ~~Server~~, ~~but on your~~ public DNS ~~provider~~. A script ~~helps you by creating some sample~~ DNS ~~entries already formatted for a~~ bind~~-like zone file~~. ~~To use it~~:

La signature de vos courriels sortants n'est qu'une partie du processus. Vous devez maintenant publier certaines entrées DNS afin que chacun puisse vérifier si le courriel qu'il reçoit correspond à votre politique. Cette partie n'est pas à faire sur votre serveur Koozali SME, mais sur votre fournisseur public de DNS. Un script vous aide en créant des exemples d'entrées DNS déjà formatées pour un fichier de zone de type bind. Pour l'utiliser :

qpsmtpd-print-dns <nom_de_domaine>

−

~~<code bash>~~

S'il est omis, le nom de domaine principal est inclus.

−

~~qpsmtpd-print-dns <domain name>~~

−

~~</code>~~

−

~~If omitted~~, ~~the primary domain name is assumed~~.

−

~~Example output:~~

Exemple de retour de la commande

−

~~<code>~~

Voici des exemples d'entrées DNS que vous devriez ajouter dans votre DNS public.

−

~~Here are sample~~ DNS ~~entries you should add in your~~ public ~~DNS~~

L'entrée DKIM peut être copiée telle quelle, mais d'autres devront probablement être ajustées à votre besoin. Par exemple, vous devez soit modifier l'adresse courriel de signalement pour DMARC (ou créez le pseudonyme nécessaire).

−

~~The~~ DKIM ~~entry can be copied as is~~, ~~but others will probably need to be adjusted~~

−

~~to your need~~. ~~For example~~, ~~you should either change the reporting email adress~~

default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"

−

~~for~~ DMARC (~~or create the needed pseudonym~~)

@ IN SPF "v=spf1 mx a -all"

@ IN TXT "v=spf1 mx a -all"

_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"

−

~~ ~~

Tout ce que vous avez à faire maintenant est de publier ces enregistrements, mais notez qu'il y a un point à prendre en compte lors de la publication de l'enregistrement DNS default._domainkey, tel que produit par la commande ''qpsmtpd-print-dns'' : si l'enregistrement DNS inclut '';t=y'' alors selon la spécification DKIM ([http://dkim.org/specs/rfc4871-dkimbase.html#keys RFC4781 section 3.6.1]) cela signifie que votre ''"... domaine teste DKIM. Les vérificateurs NE DOIVENT PAS traiter les messages des signataires en mode test différemment des courriels non signés, même si la signature n'est pas vérifiée. Les vérificateurs PEUVENT souhaiter suivre les résultats du mode test pour aider le signataire."''

−

default._domainkey ~~IN TXT "v=DKIM1~~;p=~~MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs~~/~~Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn~~/~~nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X~~/~~fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB~~/~~ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"~~

−

~~@ IN SPF "v=spf1 mx a~~ -~~all~~"

−

~~@ IN TXT "v=spf1 mx a -all"~~

−

~~_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain~~.~~net; pct=100~~"

−

~~</code>~~

−

~~All you have to do now is publish those records~~

D'un autre côté, si aucun '';t=y'' n'est inclus, cela signifie que vous avez l'intention d'utiliser DKIM en mode production. Il peut être judicieux de publier d'abord l'enregistrement DNS DKIM en mode test ('';t=y'' inclus), de vérifier comment ça se passe et si tout va bien, de supprimer la partie '';t=y''.

−

==== Testing ====

====Testing====

You can install spfquery:

Line 1,576: Line 1,656:

dig -t TXT +short somedomain.co.uk

−

==== Load ====

====Load====

The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:

−

* MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.

*MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.

===Other QPSMTPD Plugins===

The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default.

−

{| cellspacing="0" cellpadding="5~~" width="100%~~" border="1"

{| width="100%" cellspacing="0" cellpadding="5" border="1"

!Plugin

!Purpose

Line 1,624: Line 1,704:

signal-event email-update

−

== Secondary/Backup Mail Server Considerations ==

==Secondary/Backup Mail Server Considerations==

Many people misunderstand the issues of using a secondary or backup

Line 1,648: Line 1,728:

===='''Without''' a backup MX====

−

* The sending mail server cannot connect to your server.

*The sending mail server cannot connect to your server.

−

* The sending mail server MUST queue the mail and try again later.

*The sending mail server MUST queue the mail and try again later.

−

* The mail stays on the sender's server.

*The mail stays on the sender's server.

−

* The sender's server resends the mail at a later date.

*The sender's server resends the mail at a later date.

''The requirement to re-queue is a fundamental part of the SMTP protocol - ''

it is not optional. So, if your server is '''offline''' due to a link or ISP

−

outage, '''the mail just stays at the sender's server until you are once'''

outage, '''the mail just stays at the sender's server until you are once '''

again reachable'''.'''

===='''With''' a backup MX====

−

* The sending mail server cannot contact your server.

*The sending mail server cannot contact your server.

−

* The sending mail server sends the mail to your secondary MX.

*The sending mail server sends the mail to your secondary MX.

−

* The secondary MX queues the mail until your link/server is up.

*The secondary MX queues the mail until your link/server is up.

−

* The mail is queued on an '''untrusted''' third-party mail server (''think about confidential mail between your company and some business partner'').

*The mail is queued on an '''untrusted''' third-party mail server (''think about confidential mail between your company and some business partner'').

−

* The sending mail server's administrator ''thinks'' it has been delivered, according to their logs.

*The sending mail server's administrator ''thinks'' it has been delivered, according to their logs.

−

* You have no, or little, visibility over the queued mail.

*You have no, or little, visibility over the queued mail.

−

* When your link comes up, the secondary MX sends the mail on to your server.

*When your link comes up, the secondary MX sends the mail on to your server.

−

* You have added more hops, more systems and more delay to the process.

*You have added more hops, more systems and more delay to the process.

If you think that a backup MX will protect against broken mail servers

Line 1,698: Line 1,778:

So:

−

* If you trust the secondary MX, you will accept a lot of SPAM when the link comes up.

*If you trust the secondary MX, you will accept a lot of SPAM when the link comes up.

−

* If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.

*If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.

−

* Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.

*Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.

The SPAM backscatter can only be stopped if the secondary MX has a full list

Line 1,707: Line 1,787:

But:

−

* You need to be able to configure this secondary MX with such user/domain lists

*You need to be able to configure this secondary MX with such user/domain lists

−

* You need to maintain these secondary configurations when users are added/deleted from your primary server configuration

*You need to maintain these secondary configurations when users are added/deleted from your primary server configuration

−

* You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.

*You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.

Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find

Line 1,716: Line 1,796:

Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you.

−

* If you bounce mail at your server, you have logs to show what's wrong.

*If you bounce mail at your server, you have logs to show what's wrong.

−

* If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.

*If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.

===Summary===

Line 1,729: Line 1,809:

If you still want to consider setting up a seconday MX, ensure that:

−

* you have fully control of the configuration of each of the email gateways for your domain

*you have fully control of the configuration of each of the email gateways for your domain

−

* each gateway can make decisions on whether to accept/reject mail for the users at the domain

*each gateway can make decisions on whether to accept/reject mail for the users at the domain

==Mail server on dynamic IP==

Line 1,752: Line 1,832:

Whether this issue is really a problem to end users, depends on how much you "value" your mail. For a home user having their own mail server, it is probably not a great problem if some messages should happen to go astray, but for all other classes of users, you should really avoid running a mail server on a dynamic IP, without implementing a suitable queueing workaround as suggested. Some ISPs change the IP very infrequently eg yearly, so in those cases it is also not a significant problem. Many/most ISP's will issue a new IP every time a connection is lost & re-established, so these situations are more problematic.

==How to re-apply procmail rules==

If you have a folder of email that needs to have the procmail rules applied, then the trick is to be logged in as the email user, and then position your self in the home directory, and then this works:

su <username> -s /bin/bash

cd ~

for m in <fullpath to maildirectory>/cur/*; do echo $m; procmail < $m && rm $m; done

−

[[Category:Mail~~/fr~~]]

[[Category:Mail]]

−

[[Category:Howto~~/fr~~]]

[[Category:Howto]]

</noinclude>

Gieres

3,054

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/41117...42109"

Changes

Email/fr (view source)

Revision as of 11:06, 10 June 2023

Navigation menu

Search