681
edits
Changes
From SME Server
Jump to navigationJump to search→How to re-apply procmail rules
It is discussed under various names
It is discussed under various names
*Path MTU Discovery Blackhole http://www.phildev.net/mss/mss-talk.pdf
*Path MTU Discovery Blackhole http://www.phildev.net/mss/mss-talk.pdf
*Path MTU Discovery Failures http://www.wand.net.nz/~mluckie/pubs/debugging-pmtud.imc2005.pdf
*Path MTU Discovery Failures http://www.wand.net.nz/~mluckie/pubs/debugging-pmtud.imc2005.pdf
*Sort spam into junkmail folder Enabled
*Sort spam into junkmail folder Enabled
*Modify subject of spam messages Enabled
*Modify subject of spam messages Enabled
I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two).
I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two).
{| class="wikitable"
{| class="wikitable"
|-
|-
! Sensitivity !! Spam tagging level !! Spam rejection level
!Sensitivity!!Spam tagging level!!Spam rejection level
|-
|-
| Custom || TagLevel value <br>(Custom spam tagging level) || RejectLevel value <br>(Custom spam rejection level)
|Custom||TagLevel value <br>(Custom spam tagging level)||RejectLevel value <br>(Custom spam rejection level)
|-
|-
| veryhigh || 2 || No rejection
|veryhigh||2||No rejection
|-
|-
| high || 3 || No rejection
|high||3||No rejection
|-
|-
| medium || 5 || No rejection
|medium||5||No rejection
|-
|-
| low || 7 || No rejection
|low||7||No rejection
|-
|-
| verylow || 9 || No rejection
|verylow||9||No rejection
|}
|}
References:
References:
* http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#scoring_options
* http://spamassassin.apache.org/tests_3_2_x.html
*http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#scoring_options
* http://www.rulesemporium.com/
*http://spamassassin.apache.org/tests_3_2_x.html
*http://www.rulesemporium.com/
====SPF mail rejection/flagging policy====
====SPF mail rejection/flagging policy====
<br>
<br>
References (but instructions changed to meet new qmail structure):
References (but instructions changed to meet new qmail structure):
* http://forums.contribs.org/index.php?topic=21631.0
*http://forums.contribs.org/index.php?topic=21631.0
====Pyzor Timeout====
====Pyzor Timeout====
====Possible issues with RBL====
====Possible issues with RBL====
When an external dns provider is set in the console menu, it may interfere with some blacklists activated here (RHSBL and DNSBL). The black.uribl.com is know to bounce all emails in this case with a rejection message delivered to the sender. You can in this case
When an external dns provider is set in the console menu, it may interfere with some blacklists activated here (RHSBL and DNSBL). The black.uribl.com is know to bounce all emails in this case with a rejection message delivered to the sender. You can in this case
* Remove the black.uribl.com of your SBLList
*Remove the black.uribl.com of your SBLList
config setprop qpsmtpd SBLList multi.surbl.org:rhsbl.sorbs.net:dbl.spamhaus.org
config setprop qpsmtpd SBLList multi.surbl.org:rhsbl.sorbs.net:dbl.spamhaus.org
signal-event email-update
signal-event email-update
* Let the SME Server being the only dns resolver by removing the dns provider/forwarder in the console menu.
*Let the SME Server being the only dns resolver by removing the dns provider/forwarder in the console menu.
See http://uribl.com/about.shtml#abuse for more information about this issue with black.uribl.com
See http://uribl.com/about.shtml#abuse for more information about this issue with black.uribl.com
====Obsolete lists====
====Obsolete lists====
These lists can not be used with smeserver. A migrate fragment will remove them from your settings each time you reconfigure your server.
These lists can not be used with smeserver. A migrate fragment will remove them from your settings each time you reconfigure your server.
* RBLList
*RBLList
combined.njabl.org
combined.njabl.org
list.dsbl.org
list.dsbl.org
multihop.dsbl.org
multihop.dsbl.org
dnsbl.ahbl.org
dnsbl.ahbl.org
* SBLLIST
*SBLLIST
blackhole.securitysage.com
blackhole.securitysage.com
These commands will:
These commands will:
* enable spamassassin
* configure spamassassin to reject any email with a score above 12
*enable spamassassin
* tag spam scored between 4 and 12 in the email header
*configure spamassassin to reject any email with a score above 12
* enable bayesian filter
*tag spam scored between 4 and 12 in the email header
* 'autolearn' as SPAM any email with a score above 6.00
*enable bayesian filter
*'autolearn' as SPAM any email with a score above 6.00
Note: SpamAssassin requires at least 3 points from the header, and 3 points from the body
Note: SpamAssassin requires at least 3 points from the header, and 3 points from the body
to auto-learn as spam.
to auto-learn as spam.
Therefore, the minimum working value for this option is 6, to be changed in increments of 3,
Therefore, the minimum working value for this option is 6, to be changed in increments of 3,
12 considered to be a good working value..
12 considered to be a good working value..
* 'autolearn' as HAM any email with a score below 0.10
*'autolearn' as HAM any email with a score below 0.10
Check the bayes stats with the command:
Check the bayes stats with the command:
To workaround thunderbirds limitations change, this thunderbird setting to false
To workaround thunderbirds limitations change, this thunderbird setting to false
* Preferences, Advanced, Config editor (aka about:config): filter on tls.
* set security.enable_tls to false
*Preferences, Advanced, Config editor (aka about:config): filter on tls.
*set security.enable_tls to false
If the total concurrency limit is reached, it'll look like this in /var/log/dovecot/current:
If the total concurrency limit is reached, it'll look like this in /var/log/dovecot/current:
Notes:
Notes:
* Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html
* I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.
*Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html
* Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.
*I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.
*Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.
===How do I get my e-mail to show the correct From Address===
===How do I get my e-mail to show the correct From Address===
The From address on an e-mail is not supplied by the server. It is supplied by the e-mail client.
The From address on an e-mail is not supplied by the server. It is supplied by the e-mail client.
* Configure your Account in your e-mail client with the correct FROM address.
*Configure your Account in your e-mail client with the correct FROM address.
* You can change the FROM address in webmail with the following:
*You can change the FROM address in webmail with the following:
**Login to webmail as the user, go to ''options-personal information'' and change the ''identity'' to have the correct FROM address. You can have multiple identities with a single user.
**Login to webmail as the user, go to ''options-personal information'' and change the ''identity'' to have the correct FROM address. You can have multiple identities with a single user.
===Set max email size===
===Set max email size===
* IMPORTANT: [[bugzilla: 7876]] points out that if your system has ''/var/service/qpsmtpd/config/databytes'' it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see [[bugzilla: 8329]]).
*IMPORTANT: [[bugzilla: 7876]] points out that if your system has ''/var/service/qpsmtpd/config/databytes'' it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see [[bugzilla: 8329]]).
There are several components involved in sending email on a SME server. Each component has a size limit that may affect an email message that passes through the server.
There are several components involved in sending email on a SME server. Each component has a size limit that may affect an email message that passes through the server.
{| width="100%" cellspacing="0" cellpadding="5" border="1"
{| width="100%" cellspacing="0" cellpadding="5" border="1"
! Subsystem
!Subsystem
! Function
!Function
! Default Limit
!Default Limit
! Command to change size
!Command to change size
! Notes
!Notes
|-
|-
|qmail
|qmail
|15M
|15M
|config setprop clamav MaxFileSize 15M
|config setprop clamav MaxFileSize 15M
|Value includes human-readable abbreviations. "15M" equals 15 MegaBytes.
|Value includes human-readable abbreviations. "15M" equals 15 MegaBytes.
|-
|-
|clamd
|clamd
These attributes could result in the rejection of a compressed attachment on a SME server:
These attributes could result in the rejection of a compressed attachment on a SME server:
* ArchiveMaxCompressionRatio (default 300)
* MaxFiles (default 1500)
*ArchiveMaxCompressionRatio (default 300)
* MaxRecursion (default 8)
*MaxFiles (default 1500)
*MaxRecursion (default 8)
====spamassassin====
====spamassassin====
By default the qpsmtpd 'spamassassin' plugin does not pass any messages over 500,000 bytes to spamassassin for scanning.
By default the qpsmtpd 'spamassassin' plugin does not pass any messages over 500,000 bytes to spamassassin for scanning.
signal-event email-update
signal-event email-update
=== Large attachments not displaying in webmail ===
===Large attachments not displaying in webmail===
Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also [[bugzilla:3990]]). The following entries are related to the error and can be found in the log files:
Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also [[bugzilla:3990]]). The following entries are related to the error and can be found in the log files:
signal-event email-update
signal-event email-update
* If you need to restrict emails for all users you can perform this command line
*If you need to restrict emails for all users you can perform this command line
db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts setprop $USER Visible internal; done
db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts setprop $USER Visible internal; done
===How do I disable SMTP relay for unauthenticated LAN clients===
===How do I disable SMTP relay for unauthenticated LAN clients===
http://forums.contribs.org/index.php?topic=38797.msg176490#msg176490
http://forums.contribs.org/index.php?topic=38797.msg176490#msg176490
* Enable smtp authentication as shown above
* Disable un-authenticated smtp relay for the local network(s)using:
*Enable smtp authentication as shown above
*Disable un-authenticated smtp relay for the local network(s)using:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
echo "# SMTP Relay from local network denied by custom template" >\
signal-event email-update
signal-event email-update
* Configure your email clients to use smtps with authentication:<br>
*Configure your email clients to use smtps with authentication:<br>
- change outgoing smtp port to 465 and select SSL<br>
- change outgoing smtp port to 465 and select SSL<br>
- enable Authentication against the outgoing mail server
- enable Authentication against the outgoing mail server
This behaviour is only available as per e-smith-qmail-2.4.0-7.sme see bug #9540
This behaviour is only available as per e-smith-qmail-2.4.0-7.sme see bug #9540
=== Change the number of logs retained for qpsmtpd and/or sqpsmtpd ===
===Change the number of logs retained for qpsmtpd and/or sqpsmtpd===
The normal retention is 5 logs for both qpsmptd and sqpsmtpd. This may or may not fit all installations. This information is pulled from bugzilla.
The normal retention is 5 logs for both qpsmptd and sqpsmtpd. This may or may not fit all installations. This information is pulled from bugzilla.
If you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only.
If you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only.
# keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY)
#keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY)
# dk_method : for domainkey method , default "nofws"
#dk_method : for domainkey method , default "nofws"
# selector : the selector you want, default "default"
#selector : the selector you want, default "default"
# algorithm : algorithm for DKIM signing, default "rsa-sha1"
#algorithm : algorithm for DKIM signing, default "rsa-sha1"
# dkim_method : for DKIM, default "relaxed"
#dkim_method : for DKIM, default "relaxed"
NB: key files can not be defined in parameters, they need to be in /var/service/qpsmtpd/config/dkimkeys/{SENDER_DOMAIN}.private
NB: key files can not be defined in parameters, they need to be in /var/service/qpsmtpd/config/dkimkeys/{SENDER_DOMAIN}.private
qpsmtpd-print-dns
qpsmtpd-print-dns
=== Outbound DKIM signing / SPF / DMARC policy FOR MULTIPLE DOMAINS ===
===Outbound DKIM signing / SPF / DMARC policy FOR MULTIPLE DOMAINS===
The default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domains that you manage:
The default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domains that you manage:
db configuration setprop qpsmtpd DKIMSigning enabled
db configuration setprop qpsmtpd DKIMSigning enabled
|-
|-
|logging/logterse
|logging/logterse
|Allow greater logging detail using smaller log files. Optionally supports [[Email_Statistics#qplogsumm.pl|qplogsumm.pl]] to compile qpsmtpd statistics.
|Allow greater logging detail using smaller log files. Optionally supports [[Email_Statistics#qplogsumm.pl|qplogsumm.pl]] to compile qpsmtpd statistics.
|enabled
|enabled
|-
|-
|'''disabled'''<br>(always disabled for local connections)
|'''disabled'''<br>(always disabled for local connections)
|-
|-
|virus/clamav
|virus/clamav
|Scan incoming email with ClamAV
|Scan incoming email with ClamAV
|enabled
|enabled
Here is a list of the plugins in use, and a note of any changes that might have occurred:
Here is a list of the plugins in use, and a note of any changes that might have occurred:
* logterse: no change
*logterse: no change
* tls: no change
*tls: no change
* auth_cvm_unix_local: no change
*auth_cvm_unix_local: no change
* check_earlytalker: '''renamed earlytalker'''
*check_earlytalker: '''renamed earlytalker'''
* count_unrecognized_commands: no change
*count_unrecognized_commands: no change
* bcc: no change
*bcc: no change
* check_relay: '''renamed relay'''
*check_relay: '''renamed relay'''
* check_norelay: '''merged into the relay plugin'''
*check_norelay: '''merged into the relay plugin'''
* require_resolvable_fromhost: '''renamed resolvable_fromhost'''
*require_resolvable_fromhost: '''renamed resolvable_fromhost'''
* check_basicheaders: '''renamed headers'''
*check_basicheaders: '''renamed headers'''
* rhsbl: no change
*rhsbl: no change
* dnsbl: no change
*dnsbl: no change
* check_badmailfrom: '''renamed badmailfrom'''
*check_badmailfrom: '''renamed badmailfrom'''
* check_badrcptto_patterns: '''doesn't exist anymore, merged with badrcptto'''
*check_badrcptto_patterns: '''doesn't exist anymore, merged with badrcptto'''
* check_badrcptto: '''renamed badrcptto'''
*check_badrcptto: '''renamed badrcptto'''
* check_spamhelo: '''renamed helo'''
*check_spamhelo: '''renamed helo'''
* check_smtp_forward: no change
*check_smtp_forward: no change
* check_goodrcptto: no change
*check_goodrcptto: no change
* rcpt_ok: no change
*rcpt_ok: no change
* pattern_filter: no change
*pattern_filter: no change
* tnef2mime: no change
*tnef2mime: no change
* spamassassin: no change
*spamassassin: no change
* clamav: no change
*clamav: no change
* qmail-queue: no change
*qmail-queue: no change
Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above].
Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above].
==== Karma ====
====Karma====
The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:
The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:
* Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin<br />
*Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin<br />
* KarmaNegative (integer): Default value is 2.<br /> It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day.<br /> Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones<br />
*KarmaNegative (integer): Default value is 2.<br /> It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day.<br /> Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones<br />
* KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. <br />Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad.<br />On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral<br />and won't be used in the history count
*KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. <br />Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad.<br />On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral<br />and won't be used in the history count
Example:
Example:
==== URIBL ====
====URIBL====
The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:
The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:
* URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
*URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
* UBLList: (Comma separated list addresses): Default value is '''multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net'''.<br />This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)
*UBLList: (Comma separated list addresses): Default value is '''multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net'''.<br />This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)
==== Helo ====
====Helo====
Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:
Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:
* HeloPolicy: (lenient|rfc|strict). The default value is '''lenient'''.
*HeloPolicy: (lenient|rfc|strict). The default value is '''lenient'''.
See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level
See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level
signal-event email-update
signal-event email-update
==== Inbound DKIM / SPF / DMARC ====
====Inbound DKIM / SPF / DMARC====
DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:
DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:
* DMARCReject (enabled|disabled): Default value is disabled.<br />If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)<br />
*DMARCReject (enabled|disabled): Default value is disabled.<br />If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)<br />
* DMARCReporting (enabled|disabled): Default value is enabled.<br />If set to enabled, enable reporting (which is the '''r''' in dma'''r'''c). Reporting is a very important part of the DMARC standard.<br />When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local<br />SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite).<br />Then, once a day, you send the aggregate reports to the domain owner so they have feedback.<br />You can set this to disabled if you want to disable this feature<br />
*DMARCReporting (enabled|disabled): Default value is enabled.<br />If set to enabled, enable reporting (which is the '''r''' in dma'''r'''c). Reporting is a very important part of the DMARC standard.<br />When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local<br />SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite).<br />Then, once a day, you send the aggregate reports to the domain owner so they have feedback.<br />You can set this to disabled if you want to disable this feature<br />
* SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy.<br />Note: this is only used when no DMARC policy is published by the sender.<br />If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.
*SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy.<br />Note: this is only used when no DMARC policy is published by the sender.<br />If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.
:* 0: do not reject anything
:* 1: reject when SPF says fail
:*0: do not reject anything
:* 2: reject when SPF says softfail
:*1: reject when SPF says fail
:* 3: reject when SPF says neutral
:*2: reject when SPF says softfail
:* 4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published
:*3: reject when SPF says neutral
* Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported
:*4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published
*Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported
Example:
Example:
db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
signal-event email-update
signal-event email-update
==== Outbound DKIM signing / SPF / DMARC policy ====
====Outbound DKIM signing / SPF / DMARC policy====
Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:
Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:
Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.
Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.
==== Publishing your DNS entries ====
====Publishing your DNS entries====
Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:
Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:
==== Testing ====
====Testing====
You can install spfquery:
You can install spfquery:
dig -t TXT +short somedomain.co.uk
dig -t TXT +short somedomain.co.uk
==== Load ====
====Load====
The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:
The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:
* MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.
*MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.
===Other QPSMTPD Plugins===
===Other QPSMTPD Plugins===
signal-event email-update
signal-event email-update
== Secondary/Backup Mail Server Considerations ==
==Secondary/Backup Mail Server Considerations==
Many people misunderstand the issues of using a secondary or backup
Many people misunderstand the issues of using a secondary or backup
===='''Without''' a backup MX====
===='''Without''' a backup MX====
* The sending mail server cannot connect to your server.
*The sending mail server cannot connect to your server.
* The sending mail server MUST queue the mail and try again later.
*The sending mail server MUST queue the mail and try again later.
* The mail stays on the sender's server.
*The mail stays on the sender's server.
* The sender's server resends the mail at a later date.
*The sender's server resends the mail at a later date.
''The requirement to re-queue is a fundamental part of the SMTP protocol - ''
''The requirement to re-queue is a fundamental part of the SMTP protocol - ''
===='''With''' a backup MX====
===='''With''' a backup MX====
* The sending mail server cannot contact your server.
*The sending mail server cannot contact your server.
* The sending mail server sends the mail to your secondary MX.
*The sending mail server sends the mail to your secondary MX.
* The secondary MX queues the mail until your link/server is up.
*The secondary MX queues the mail until your link/server is up.
* The mail is queued on an '''untrusted''' third-party mail server (''think about confidential mail between your company and some business partner'').
*The mail is queued on an '''untrusted''' third-party mail server (''think about confidential mail between your company and some business partner'').
* The sending mail server's administrator ''thinks'' it has been delivered, according to their logs.
*The sending mail server's administrator ''thinks'' it has been delivered, according to their logs.
* You have no, or little, visibility over the queued mail.
*You have no, or little, visibility over the queued mail.
* When your link comes up, the secondary MX sends the mail on to your server.
*When your link comes up, the secondary MX sends the mail on to your server.
* You have added more hops, more systems and more delay to the process.
*You have added more hops, more systems and more delay to the process.
If you think that a backup MX will protect against broken mail servers
If you think that a backup MX will protect against broken mail servers
So:
So:
* If you trust the secondary MX, you <u>will</u> accept a lot of SPAM when the link comes up.
*If you trust the secondary MX, you <u>will</u> accept a lot of SPAM when the link comes up.
* If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.
*If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.
* Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.
*Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.
The SPAM backscatter can only be stopped if the secondary MX has a full list
The SPAM backscatter can only be stopped if the secondary MX has a full list
But:
But:
* You need to be able to configure this secondary MX with such user/domain lists
*You need to be able to configure this secondary MX with such user/domain lists
* You need to maintain these secondary configurations when users are added/deleted from your primary server configuration
*You need to maintain these secondary configurations when users are added/deleted from your primary server configuration
* You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.
*You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.
Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find
Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find
Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you.
Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you.
* If you bounce mail at your server, you have logs to show what's wrong.
*If you bounce mail at your server, you have logs to show what's wrong.
* If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.
*If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.
===Summary===
===Summary===
If you still want to consider setting up a seconday MX, ensure that:
If you still want to consider setting up a seconday MX, ensure that:
* you have fully control of the configuration of each of the email gateways for your domain
*you have fully control of the configuration of each of the email gateways for your domain
* each gateway can make decisions on whether to accept/reject mail for the users at the domain
*each gateway can make decisions on whether to accept/reject mail for the users at the domain
==Mail server on dynamic IP==
==Mail server on dynamic IP==
su <username> -s /bin/bash
su <username> -s /bin/bash
cd ~
cd ~
for m in <fullp ath to maildirectory>/cur/*; do echo $m; procmail < $m && rm $m; done
