Changes

From SME Server
205 bytes removed, 09:30, 18 May 2017 (minor edit, no edit summary)
Line 1,410: Line 1,410:  
Here is a list of the plugins in use, and a note of any changes that might have occurred:
 
Here is a list of the plugins in use, and a note of any changes that might have occurred:
   −
  * logterse: no change
+
* logterse: no change
  * tls: no change
+
* tls: no change
  * auth_cvm_unix_local: no change
+
* auth_cvm_unix_local: no change
  * check_earlytalker: **renamed earlytalker**
+
* check_earlytalker: '''renamed earlytalker'''
  * count_unrecognized_commands: no change
+
* count_unrecognized_commands: no change
  * bcc: no change
+
* bcc: no change
  * check_relay: **renamed relay**
+
* check_relay: '''renamed relay'''
  * check_norelay: **merged into the relay plugin**
+
* check_norelay: '''merged into the relay plugin'''
  * require_resolvable_fromhost: **renamed resolvable_fromhost**
+
* require_resolvable_fromhost: '''renamed resolvable_fromhost'''
  * check_basicheaders: **renamed headers**
+
* check_basicheaders: '''renamed headers'''
  * rhsbl: no change
+
* rhsbl: no change
  * dnsbl: no change
+
* dnsbl: no change
  * check_badmailfrom: **renamed badmailfrom**
+
* check_badmailfrom: '''renamed badmailfrom'''
  * check_badrcptto_patterns: **doesn't exist anymore, merged with badrcptto**
+
* check_badrcptto_patterns: '''doesn't exist anymore, merged with badrcptto'''
  * check_badrcptto: **renamed badrcptto**
+
* check_badrcptto: '''renamed badrcptto'''
  * check_spamhelo: **renamed helo**
+
* check_spamhelo: '''renamed helo'''
  * check_smtp_forward: no change
+
* check_smtp_forward: no change
  * check_goodrcptto: no change
+
* check_goodrcptto: no change
  * rcpt_ok: no change
+
* rcpt_ok: no change
  * pattern_filter: no change
+
* pattern_filter: no change
  * tnef2mime: no change
+
* tnef2mime: no change
  * spamassassin: no change
+
* spamassassin: no change
  * clamav: no change
+
* clamav: no change
  * qmail-queue: no change
+
* qmail-queue: no change
    
Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above].
 
Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above].
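Review bot: the link at the end of this hunk, `[https://wiki.contribs.org/Email#Default_Plugin_Configuration above]`, is an external-style link to the wiki's own Email page; an internal link such as `[[Email#Default_Plugin_Configuration|above]]` would survive a hostname change and stay in step with the section if it is renamed. The `**…**` to `'''…'''` conversion throughout the list is correct, since MediaWiki does not render Markdown bold.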
Line 1,441: Line 1,441:  
The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:
 
The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:
   −
  * Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin<br />
+
* Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin<br />
  * KarmaNegative (integer): Default value is 2.<br /> It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day.<br /> Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones<br />
+
* KarmaNegative (integer): Default value is 2.<br /> It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day.<br /> Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones<br />
  * KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. <br />Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad.<br />On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral<br />and won't be used in the history count
+
* KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. <br />Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad.<br />On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral<br />and won't be used in the history count
    
Example:
 
Example:
<code bash>
+
db configuration setprop qpsmtpd Karma enabled KarmaNegative 3
db configuration setprop qpsmtpd Karma enabled KarmaNegative 3
+
signal-event email-update
signal-event email-update
+
 
</code>
      
==== URIBL ====
 
==== URIBL ====
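Review bot: two wording errors in the karma description survive this formatting pass and could be fixed in the same edit: "If a host as more bad than good connections" should read "has", and "the delta between good and bad connection" should read "connections". The example also sets `KarmaNegative 3` while the description gives 2 as the default; since a larger delta means more bad connections are tolerated before a host is blocked for a day, a short remark that the example deliberately relaxes the default would help readers who copy it verbatim.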
Line 1,455: Line 1,454:  
The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:
 
The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:
   −
  * URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
+
* URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
  * UBLList: (Comma separated list addresses): Default value is **multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net**.<br />This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)
+
* UBLList: (Comma separated list addresses): Default value is '''multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net'''.<br />This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)
          
Example:
 
Example:
<code bash>
+
db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com
db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com
+
signal-event email-update
signal-event email-update
+
 
</code>
      
==== Helo ====
 
==== Helo ====
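Review bot: the example `UBLList multi.surbl.org,black.uribl.com` drops the `:8-16-64-128` bitmask that the documented default carries for `multi.surbl.org`, and the same bullet says the bitmask is how results from a combined list are selected; either keep `multi.surbl.org:8-16-64-128` in the example or state explicitly that querying the combined list without a bitmask is intended. Minor: "Comma separated list addresses" reads better as "comma-separated list of addresses", and "set bitmask" as "set the bitmask".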
Line 1,470: Line 1,468:  
Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:
 
Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:
   −
  * HeloPolicy: (lenient|rfc|strict). The default value is **lenient**.  
+
* HeloPolicy: (lenient|rfc|strict). The default value is '''lenient'''.
    
See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level
 
See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level
    
Example:
 
Example:
 
+
db configuration setprop qpsmtpd HeloPolicy rfc
<code bash>
+
signal-event email-update
db configuration setprop qpsmtpd HeloPolicy rfc
  −
signal-event email-update
  −
</code>
      
==== Inbound DKIM / SPF / DMARC ====
 
==== Inbound DKIM / SPF / DMARC ====
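Review bot: HeloPolicy is the plugin's only setting, yet what lenient, rfc and strict actually check is documented only by a link to the `master` branch of the upstream qpsmtpd helo plugin, whose tests can change after this page is written; a one-line summary of each level, or a link pinned to the qpsmtpd version shipped with SME Server, would keep the page accurate on its own. Putting both commands inside a single `<code bash>` block without blank lines is an improvement and matches the other examples.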
Line 1,485: Line 1,480:  
DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:
 
DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:
   −
  * DMARCReject (enabled|disabled): Default value is disabled.<br />If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)<br />
+
* DMARCReject (enabled|disabled): Default value is disabled.<br />If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)<br />
  * DMARCReporting (enabled|disabled): Default value is enabled.<br />If set to enabled, enable reporting (which is the **r** in dma**r**c). Reporting is a very important part of the DMARC standard.<br />When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local<br />SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite).<br />Then, once a day, you send the aggregate reports to the domain owner so they have feedback.<br />You can set this to disabled if you want to disable this feature<br />
+
* DMARCReporting (enabled|disabled): Default value is enabled.<br />If set to enabled, enable reporting (which is the '''r''' in dma'''r'''c). Reporting is a very important part of the DMARC standard.<br />When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local<br />SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite).<br />Then, once a day, you send the aggregate reports to the domain owner so they have feedback.<br />You can set this to disabled if you want to disable this feature<br />
  * SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy.<br />Note: this is only used when no DMARC policy is published by the sender.<br />If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.
+
* SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy.<br />Note: this is only used when no DMARC policy is published by the sender.<br />If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.
    * 0: do not reject anything
+
:* 0: do not reject anything
    * 1: reject when SPF says fail
+
:* 1: reject when SPF says fail
    * 2: reject when SPF says softfail
+
:* 2: reject when SPF says softfail
    * 3: reject when SPF says neutral
+
:* 3: reject when SPF says neutral
    * 4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published
+
:* 4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published
  * Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported
+
* Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported
    
Example:
 
Example:
<code bash>
+
db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
+
signal-event email-update
signal-event email-update
  −
</code>
   
==== Outbound DKIM signing / SPF / DMARC policy ====
 
==== Outbound DKIM signing / SPF / DMARC policy ====
    
Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:
 
Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:
 
+
db configuration setprop qpsmtpd DKIMSigning enabled
<code bash>
+
signal-event email-update
db configuration setprop qpsmtpd DKIMSigning enabled
  −
signal-event email-update
  −
</code>
      
If you want to disable dkim signing for a domain, you can use:
 
If you want to disable dkim signing for a domain, you can use:
<code bash>
+
db domains setprop domain.com DKIMSigning disabled
db domains setprop domain.com DKIMSigning disabled
+
signal-event email-update
signal-event email-update
  −
</code>
      
The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:
 
The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:
 
+
cd /home/e-smith/dkim_keys
<code bash>
+
mkdir domain.net
cd /home/e-smith/dkim_keys
+
cd domain.net
mkdir domain.net
+
echo default > selector
cd domain.net
+
openssl genrsa -out private 2048
echo default > selector
+
openssl rsa -in private -out public -pubout
openssl genrsa -out private 2048
+
chown qpsmtpd:qpsmtpd private
openssl rsa -in private -out public -pubout
+
chmod 400 private
chown qpsmtpd:qpsmtpd private
+
signal-event email-update
chmod 400 private
  −
signal-event email-update
  −
</code>
      
Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.
 
Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.
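Review bot: "dmarc has two settings" is contradicted by the list that follows, which documents three (DMARCReject, DMARCReporting and SPFRejectPolicy); change it to "three settings", or give SPFRejectPolicy its own bullet group, since the text itself says it is only consulted when the sender publishes no DMARC policy. Smaller fixes in the same lines: "every inbound emails" should be "every inbound email", and "for all the domain you manage" should be "for all the domains you manage". The per-domain key procedure is in the right order: `chown qpsmtpd:qpsmtpd private` and `chmod 400 private` restrict the private key before `signal-event email-update` puts it into use.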
Line 1,534: Line 1,519:     
Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:
 
Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:
 
+
qpsmtpd-print-dns <domain name>
<code bash>
  −
qpsmtpd-print-dns <domain name>
  −
</code>
   
If omitted, the primary domain name is assumed.
 
If omitted, the primary domain name is assumed.
    
Example output:
 
Example output:
<code>
+
Here are sample DNS entries you should add in your public DNS
Here are sample DNS entries you should add in your public DNS
+
The DKIM entry can be copied as is, but others will probably need to be adjusted
The DKIM entry can be copied as is, but others will probably need to be adjusted
+
to your need. For example, you should either change the reporting email adress
to your need. For example, you should either change the reporting email adress
+
for DMARC (or create the needed pseudonym)
for DMARC (or create the needed pseudonym)
+
 
+
 
+
default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"
default._domainkey IN TXT "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"
+
@ IN SPF "v=spf1 mx a -all"
@ IN SPF "v=spf1 mx a -all"
+
@ IN TXT "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
+
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"
+
All you have to do now is publish those records.
</code>
  −
 
  −
All you have to do now is publish those records
      
==== Load ====
 
==== Load ====
 
The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:
 
The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:
 
+
* MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.
  * MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.
      
===Other QPSMTPD Plugins===
 
===Other QPSMTPD Plugins===
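Review bot: the closing sentence "All you have to do now is publish those records." has moved inside the `<code>` block (it now sits just before `</code>`), so it will render as part of the script's output rather than as the page's own instruction; it belongs after `</code>`, where the previous revision had it. The sample output also still reads "adress"; because this block is quoted program output, the fix belongs in `qpsmtpd-print-dns` itself, with the wiki copy re-pasted afterwards, rather than an edit of the wiki text alone. The MaxLoad bullet change at the end of the hunk is whitespace only.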