MTA: Mail server: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
(14 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
= Overview = | |||
* Do not confuse the different parts of an entire mail system. The MTA (Mail Transfert Agent) is responsible for the delivery of messages across the network, whereas the MDA (Mail Delivery Agent) deliver finally the email to the user's mailbox. On some systems, the MTA and MDA are one and the same. But most software packages act as either MDA or MTA. | * Do not confuse the different parts of an entire mail system. The MTA (Mail Transfert Agent) is responsible for the delivery of messages across the network, whereas the MDA (Mail Delivery Agent) deliver finally the email to the user's mailbox. On some systems, the MTA and MDA are one and the same. But most software packages act as either MDA or MTA. | ||
Line 5: | Line 5: | ||
* Mail servers can be very tricky about the DNS / reverse DNS configuration. In particular your mail server should have a reverse DNS configured. For more information see the wiki page about [[Hostnames, Domains]]. | * Mail servers can be very tricky about the DNS / reverse DNS configuration. In particular your mail server should have a reverse DNS configured. For more information see the wiki page about [[Hostnames, Domains]]. | ||
* When using the command line '''mail''' client, it actually needs a running MTA on the system (it can be sendmail, or postfix). However note that there is a standard way of writing to the disk before the MTA picks up the letter and send it, since you can invoke mail and only later start postfix - the mail will still be sent out. | |||
* Installation on Gentoo is fairly straightforward. | == Troubleshooting == | ||
* The first thing to check if you have trouble sending mail is checking if your ISP does not block traffic on port 25. You can do that easily by installing telnet. | |||
* Port 25 is usually blocked by ISPs. For Free, it is blocked by default but you can deblock it on your administration console. If the port is blocked, obviously no mail will come through. | |||
* You can test if this port is blocked with nc (package netcat), a network tool: | |||
nc smtp.gmail.com 25 | |||
== Spam and Greylisting == | |||
* If you relay mail to Gmail addresses, chances are high that you'll end up receiving spam at your base address, which will then be considered as spam from Google originating from your server. It may then be rate limited. | |||
* Try to setup a SPF DNS record and use a reverse DNS that corresponds to your mail address (for the SMTP server). This can improve things. | |||
= Postfix = | |||
* Installation on Gentoo is fairly straightforward. If there is not a /etc/mail/aliases.db file, you can create it via the newaliases command. | |||
* To clear the Postfix queue (postqueue -p to see it): | |||
postsuper -d ALL | |||
== Virtual Domains == | |||
* The option I currently use ([http://www.postfix.org/VIRTUAL_README.html#forwarding documented here]) is to add the two following lines to /etc/postfix/main.cf: | |||
virtual_alias_domains = shoopz.com | |||
virtual_alias_maps = hash:/etc/postfix/virtual | |||
* The /etc/postfix/virtual should also be correctly configured. Note than when upgrading postfix, be sure to carefully run etc-update as there are changes to /etc/postfix/main.cf. | |||
== STMP == | |||
* To authenticate via SASL (which allows a remote user to login with credentials), postfix must be compiled with the "sasl" USE flag. In addition, you must choose an SASL authentication mechanism. The simplest one is probably to use Cyrus BerkeleyDB. You create an user with the command: | |||
saslpasswd2 -c -u gmail.com elvanor | |||
The -c switch means create, the -u switch means user domain. You should then use user@userdomain.com as login, not just plain user. Note also that you can delete an account with | |||
saslpasswd2 -d elvanor@gmail.com | |||
* The sasldblistusers2 command will list active users (without their associated passwords). | |||
* The SASL configuration file will then look like: | |||
<pre> | |||
pwcheck_method: auxprop | |||
auxprop_plugin: sasldb | |||
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM | |||
</pre> | |||
* You must add the following lines to your Postfix configuration file (this also includes the TLS configuration): | |||
<pre> | |||
smtp_use_tls = yes | |||
smtp_tls_note_starttls_offer = yes | |||
smtpd_use_tls = yes | |||
smtpd_tls_auth_only = yes | |||
smtpd_tls_key_file = /etc/postfix/newkey.pem | |||
smtpd_tls_cert_file = /etc/postfix/newcert.pem | |||
smtpd_tls_CAfile = /etc/postfix/cacert.pem | |||
smtpd_tls_loglevel = 3 | |||
smtpd_tls_received_header = yes | |||
smtpd_tls_session_cache_timeout = 3600s | |||
smtpd_sasl_auth_enable = yes | |||
smtpd_sasl_path = smtpd | |||
tls_random_source = dev:/dev/urandom | |||
</pre> | |||
=== TLS Encryption === | |||
* In order to have the SASL layer mechanism encrypted (else traffic is sent in clear), it is recommended to setup TLS. For this, you need [http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap5 to create a certificate]. Once it is done, just copy the certificates to /etc/postfix and use the above configuration file. | |||
=== Postfix Database files | === Cyrus SASL Library === | ||
* On Gentoo you *must* compile dev-libs/cyrus-sasl with the urandom flag. Else you will have severe slowdowns on the use of this library (this is very similar to the problem with Tomcat and its entropy source). | |||
== Postfix Database files == | |||
* You can specify Postfix configuration or data in plain text files, but then Postfix converts them to indexed files that end with the *.db extension. Thus if you make a change to one of your text files, you need to recompile a database file like this: | * You can specify Postfix configuration or data in plain text files, but then Postfix converts them to indexed files that end with the *.db extension. Thus if you make a change to one of your text files, you need to recompile a database file like this: | ||
Line 15: | Line 90: | ||
postmap /etc/postfix/virtual | postmap /etc/postfix/virtual | ||
== Installing Qmail on OS X 10.4 | * You can comma separate destination addresses in order to get a virtual address to forward to more than one address. | ||
== Logs == | |||
* On Gentoo the logs are at /var/log/messages, but it requires a logging daemon like syslog-ng to be started and running. | |||
= Installing Qmail on OS X 10.4 = | |||
* WARNING: Qmail is not fully open-source, and has been unmaintained for years. It is recommended to use Postfix instead. | * WARNING: Qmail is not fully open-source, and has been unmaintained for years. It is recommended to use Postfix instead. | ||
Line 217: | Line 298: | ||
* Setting up an alias is pretty simple. Create in /var/qmail/alias the file .qmail-alias_name, for example .qmail-contact. In that file, as in a normal .qmail file, specify the users you want to forward to (a single line with &elvanor will cause the message to be delivered to elvanor for example). | * Setting up an alias is pretty simple. Create in /var/qmail/alias the file .qmail-alias_name, for example .qmail-contact. In that file, as in a normal .qmail file, specify the users you want to forward to (a single line with &elvanor will cause the message to be delivered to elvanor for example). | ||
Latest revision as of 16:52, 21 December 2015
Overview
- Do not confuse the different parts of an entire mail system. The MTA (Mail Transfert Agent) is responsible for the delivery of messages across the network, whereas the MDA (Mail Delivery Agent) deliver finally the email to the user's mailbox. On some systems, the MTA and MDA are one and the same. But most software packages act as either MDA or MTA.
- Mail servers can be very tricky about the DNS / reverse DNS configuration. In particular your mail server should have a reverse DNS configured. For more information see the wiki page about Hostnames, Domains.
- When using the command line mail client, it actually needs a running MTA on the system (it can be sendmail, or postfix). However note that there is a standard way of writing to the disk before the MTA picks up the letter and send it, since you can invoke mail and only later start postfix - the mail will still be sent out.
Troubleshooting
- The first thing to check if you have trouble sending mail is checking if your ISP does not block traffic on port 25. You can do that easily by installing telnet.
- Port 25 is usually blocked by ISPs. For Free, it is blocked by default but you can deblock it on your administration console. If the port is blocked, obviously no mail will come through.
- You can test if this port is blocked with nc (package netcat), a network tool:
nc smtp.gmail.com 25
Spam and Greylisting
- If you relay mail to Gmail addresses, chances are high that you'll end up receiving spam at your base address, which will then be considered as spam from Google originating from your server. It may then be rate limited.
- Try to setup a SPF DNS record and use a reverse DNS that corresponds to your mail address (for the SMTP server). This can improve things.
Postfix
- Installation on Gentoo is fairly straightforward. If there is not a /etc/mail/aliases.db file, you can create it via the newaliases command.
- To clear the Postfix queue (postqueue -p to see it):
postsuper -d ALL
Virtual Domains
- The option I currently use (documented here) is to add the two following lines to /etc/postfix/main.cf:
virtual_alias_domains = shoopz.com virtual_alias_maps = hash:/etc/postfix/virtual
- The /etc/postfix/virtual should also be correctly configured. Note than when upgrading postfix, be sure to carefully run etc-update as there are changes to /etc/postfix/main.cf.
STMP
- To authenticate via SASL (which allows a remote user to login with credentials), postfix must be compiled with the "sasl" USE flag. In addition, you must choose an SASL authentication mechanism. The simplest one is probably to use Cyrus BerkeleyDB. You create an user with the command:
saslpasswd2 -c -u gmail.com elvanor
The -c switch means create, the -u switch means user domain. You should then use user@userdomain.com as login, not just plain user. Note also that you can delete an account with
saslpasswd2 -d elvanor@gmail.com
- The sasldblistusers2 command will list active users (without their associated passwords).
- The SASL configuration file will then look like:
pwcheck_method: auxprop auxprop_plugin: sasldb mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
- You must add the following lines to your Postfix configuration file (this also includes the TLS configuration):
smtp_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_use_tls = yes smtpd_tls_auth_only = yes smtpd_tls_key_file = /etc/postfix/newkey.pem smtpd_tls_cert_file = /etc/postfix/newcert.pem smtpd_tls_CAfile = /etc/postfix/cacert.pem smtpd_tls_loglevel = 3 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_sasl_auth_enable = yes smtpd_sasl_path = smtpd tls_random_source = dev:/dev/urandom
TLS Encryption
- In order to have the SASL layer mechanism encrypted (else traffic is sent in clear), it is recommended to setup TLS. For this, you need to create a certificate. Once it is done, just copy the certificates to /etc/postfix and use the above configuration file.
Cyrus SASL Library
- On Gentoo you *must* compile dev-libs/cyrus-sasl with the urandom flag. Else you will have severe slowdowns on the use of this library (this is very similar to the problem with Tomcat and its entropy source).
Postfix Database files
- You can specify Postfix configuration or data in plain text files, but then Postfix converts them to indexed files that end with the *.db extension. Thus if you make a change to one of your text files, you need to recompile a database file like this:
postmap /etc/postfix/virtual
- You can comma separate destination addresses in order to get a virtual address to forward to more than one address.
Logs
- On Gentoo the logs are at /var/log/messages, but it requires a logging daemon like syslog-ng to be started and running.
Installing Qmail on OS X 10.4
- WARNING: Qmail is not fully open-source, and has been unmaintained for years. It is recommended to use Postfix instead.
- Excellent Mac OS X resource for Qmail.
- Issue the following commands (the following tutorial is adapted from Life with Qmail, with some OS X specific notes):
- Download source packages, setup:
cd /usr/local/src curl http://www.qmail.org/netqmail-1.05.tar.gz -RO curl http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz -RO curl http://cr.yp.to/daemontools/daemontools-0.76.tar.gz -RO curl http://http.netdevice.com:9080/qmail/patch/panther.patch -RO mkdir /var/qmail
- Setup necessary system accounts:
nireport . /groups name gid niload group . <<EOF > qmail:*:2107: > nofiles:*:2108: > EOF nidump group . >/etc/group nireport . /users name uid niload passwd . <<EOF > alias:*:7790:2108::0:0::/var/qmail/alias:/bin/true > qmaild:*:7791:2108::0:0::/var/qmail:/bin/true > qmaill:*:7792:2108::0:0::/var/qmail:/bin/true > qmailp:*:7793:2108::0:0::/var/qmail:/bin/true > qmailq:*:7794:2107::0:0::/var/qmail:/bin/true > qmailr:*:7795:2107::0:0::/var/qmail:/bin/true > qmails:*:7796:2107::0:0::/var/qmail:/bin/true > EOF nidump passwd . >/etc/passwd
- Compile packages (applying patches):
gunzip -cd netqmail-1.05.tar.gz | tar -xf - cd netqmail-1.05 ./collate.sh cd netqmail-1.05 patch </usr/local/src/panther.patch make setup check ./config cd ../.. gunzip -cd ucspi-tcp-0.88.tar.gz |tar -xf - cd ucspi-tcp-0.88 make setup check cd .. mkdir -p /package mv daemontools-0.76.tar.gz /package chmod 1755 /package cd /package gunzip -cd daemontools-0.76.tar.gz |tar -xf - echo x >> /package/admin/daemontools-0.76/src/trypoll.c # This is a necessary patch for OS X 10.4 cd admin/daemontools-0.76 package/install
- Lots of configuration follows:
cat /etc/rc.local csh -cf '/command/svscanboot &' rm /etc/rc.local mkdir /Library/StartupItems/svscanboot cd /Library/StartupItems/svscanboot nano svscanboot
#!/bin/sh . /etc/rc.common StartService( ) { ConsoleMessage "Starting svscanboot" csh -cf '/command/svscanboot &' } RunService "\$1"
chmod 755 svscanboot nano StartupParameters.plist
{ Description = svscanboot; Provides = (svscanboot); Requires = (Network); OrderPreference = None; }
nano /var/qmail/rc
#!/bin/sh # Using stdout for logging # Using control/defaultdelivery from qmail-local to deliver messages by default exec env - PATH="/var/qmail/bin:$PATH" qmail-start "`cat /var/qmail/control/defaultdelivery`"
chmod 755 /var/qmail/rc echo ./Maildir/ >/var/qmail/control/defaultdelivery cd /var/qmail/bin curl http://lifewithqmail.org/qmailctl-script-dt70 -RO mv qmailctl-script-dt70 qmailctl chmod 755 qmailctl ln -s /var/qmail/bin/qmailctl /usr/bin cp -p /etc/periodic/daily/500.daily /etc/periodic/500.daily.0 sh -c "cat /etc/periodic/daily/500.daily |sed -e s/mailq/qmailctl\ queue/ >/etc/periodic/daily/500.daily" mkdir -p /var/qmail/supervise/qmail-send/log mkdir -p /var/qmail/supervise/qmail-smtpd/log nano /var/qmail/supervise/qmail-send/run
#!/bin/sh exec /var/qmail/rc
nano /var/qmail/supervise/qmail-send/log/run
#!/bin/sh exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail
nano /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh QMAILDUID=`id -u qmaild` NOFILESGID=`id -g qmaild` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` LOCAL=`head -1 /var/qmail/control/me` if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in echo /var/qmail/supervise/qmail-smtpd/run exit 1 fi if [ ! -f /var/qmail/control/rcpthosts ]; then echo "No /var/qmail/control/rcpthosts!" echo "Refusing to start SMTP listener because it'll create an open relay" exit 1 fi exec /usr/local/bin/softlimit -m 2000000 /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1
echo 20 >/var/qmail/control/concurrencyincoming chmod 644 /var/qmail/control/concurrencyincoming nano /var/qmail/supervise/qmail-smtpd/log/run
#!/bin/sh exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpd
chmod 755 /var/qmail/supervise/qmail-send/run chmod 755 /var/qmail/supervise/qmail-send/log/run chmod 755 /var/qmail/supervise/qmail-smtpd/run chmod 755 /var/qmail/supervise/qmail-smtpd/log/run mkdir -p /var/log/qmail/smtpd chown qmaill /var/log/qmail /var/log/qmail/smtpd ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service echo '127.:allow,RELAYCLIENT=""' >>/etc/tcp.smtp qmailctl cdb mv /usr/sbin/sendmail /usr/sbin/sendmail.old chmod 0 /usr/sbin/sendmail.old ln -s /var/qmail/bin/sendmail /usr/sbin
- Last configuration step, involving the main account on the server:
echo elvanor >/var/qmail/alias/.qmail-root echo elvanor >/var/qmail/alias/.qmail-postmaster ln -s .qmail-postmaster /var/qmail/alias/.qmail-mailer-daemon chmod 644 /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-postmaster sudo -u elvanor -s cd /var/qmail/bin/maildirmake Maildir echo ./Maildir/ >.qmail /Developer/Tools/SetFile -a V Maildir # This is optional, it will make Maildir invisible in the Finder exit
- Reboot and test:
reboot qmailctl stat
Configuring Qmail
- If you need to relay through your ISP SMTP server, modify the file /var/qmail/control/smtproutes:
:smtp.free.fr
- To add a mailbox to a new user, run:
/var/qmail/bin/maildirmake Maildir
in the root directory of the user, and as the user to add the Maildir to.
- Setting up forwarding is pretty simple for an user. Just edit the .qmail file in the user's home directory:
./Maildir/ &elvanor@gmail.com
The first line specifies that a copy should go to the Maildir directory; the second forwards a copy to elvanor@gmail.com.
- Setting up an alias is pretty simple. Create in /var/qmail/alias the file .qmail-alias_name, for example .qmail-contact. In that file, as in a normal .qmail file, specify the users you want to forward to (a single line with &elvanor will cause the message to be delivered to elvanor for example).