MTA: Mail server

From Elvanör's Technical Wiki
Latest revision as of 16:52, 21 December 2015

Overview

  • Do not confuse the different parts of an entire mail system. The MTA (Mail Transfer Agent) is responsible for the delivery of messages across the network, whereas the MDA (Mail Delivery Agent) finally delivers the email to the user's mailbox. On some systems, the MTA and MDA are one and the same. But most software packages act as either MDA or MTA.
  • Mail servers can be very tricky about the DNS / reverse DNS configuration. In particular your mail server should have a reverse DNS configured. For more information see the wiki page about Hostnames, Domains.
  • When using the command line mail client, it actually needs a running MTA on the system (it can be sendmail, or postfix). However note that there is a standard way of writing to the disk before the MTA picks up the letter and sends it, since you can invoke mail and only later start postfix - the mail will still be sent out.

Troubleshooting

  • The first thing to check if you have trouble sending mail is whether your ISP blocks traffic on port 25. You can do that easily by installing telnet.
  • Port 25 is usually blocked by ISPs. For Free, it is blocked by default but you can unblock it in your administration console. If the port is blocked, obviously no mail will come through.
  • You can test if this port is blocked with nc (package netcat), a network tool:
nc smtp.gmail.com 25

Spam and Greylisting

  • If you relay mail to Gmail addresses, chances are high that you'll end up receiving spam at your base address, which Google will then see as spam originating from your server. It may then be rate limited.
  • Try to set up an SPF DNS record and use a reverse DNS name that corresponds to your mail address (for the SMTP server). This can improve things.
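The SPF record suggested above is evaluated by the receiving side against the IP that connected to it. The following is an added example, not code from this wiki: a minimal evaluator for the flat record a single mail host publishes (ip4, ip6 and the final all term, first match wins), plus a helper that composes such a record. The addresses and records are constructed documentation values, not real DNS data.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed example records (not real DNS data) for a host that sends from
# one IPv4 address and one IPv6 prefix.
STRICT_RECORD = "v=spf1 ip4:203.0.113.10 ip6:2001:db8:1::/48 -all"
SOFT_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"


def parse_spf(record):
    """Turn 'v=spf1 ...' into [(result_if_matched, mechanism, argument)]."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            # modifiers (redirect=, exp=) need DNS lookups; not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), argument))
    return parsed


def spf_check(record, client_ip):
    """Evaluate the record for the connecting IP; the first matching term decides.

    Only ip4, ip6 and all are evaluated, which is enough for the flat record
    a single mail host publishes; a, mx, include and exists need DNS.
    """
    ip = ipaddress.ip_address(client_ip)
    for result, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return result
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if network.version == ip.version and ip in network:
                return result
        else:
            raise NotImplementedError("mechanism %r needs DNS resolution" % mechanism)
    return "neutral"  # nothing matched and no 'all' term (RFC 7208, section 4.7)


def build_record(ip4_senders, ip6_senders=(), policy="-all"):
    """Compose the TXT record value for the given sending addresses or prefixes."""
    terms = ["v=spf1"]
    terms += ["ip4:%s" % n for n in ip4_senders]
    terms += ["ip6:%s" % n for n in ip6_senders]
    terms.append(policy)
    return " ".join(terms)


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "2001:db8:1::25"):
        print(ip, spf_check(STRICT_RECORD, ip), spf_check(SOFT_RECORD, ip))
```

A record that ends in `-all` tells receivers to reject mail from any other source, which is what you want once every legitimate sending host is listed; `~all` is the softer choice while you are still discovering which hosts send on your behalf.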

Postfix

  • Installation on Gentoo is fairly straightforward. If there is not a /etc/mail/aliases.db file, you can create it via the newaliases command.
  • To clear the Postfix queue (postqueue -p to see it):
postsuper -d ALL

Virtual Domains

  • The option I currently use (documented at http://www.postfix.org/VIRTUAL_README.html#forwarding) is to add the two following lines to /etc/postfix/main.cf:
virtual_alias_domains = shoopz.com
virtual_alias_maps = hash:/etc/postfix/virtual
  • The /etc/postfix/virtual file should also be correctly configured. Note that when upgrading postfix, be sure to carefully run etc-update as there are changes to /etc/postfix/main.cf.

SMTP

  • To authenticate via SASL (which allows a remote user to log in with credentials), postfix must be compiled with the "sasl" USE flag. In addition, you must choose a SASL authentication mechanism. The simplest one is probably to use Cyrus BerkeleyDB. You create a user with the command:
saslpasswd2 -c -u gmail.com elvanor

The -c switch means create, the -u switch means user domain. You should then use user@userdomain.com as login, not just plain user. Note also that you can delete an account with

saslpasswd2 -d elvanor@gmail.com
  • The sasldblistusers2 command will list active users (without their associated passwords).
  • The SASL configuration file will then look like:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
  • You must add the following lines to your Postfix configuration file (this also includes the TLS configuration):
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
tls_random_source = dev:/dev/urandom

TLS Encryption

  • In order to have the SASL layer mechanism encrypted (otherwise traffic is sent in the clear), it is recommended to set up TLS. For this, you need to create a certificate (see http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap5). Once it is done, just copy the certificates to /etc/postfix and use the above configuration file.
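Two things on this page are worth checking from the outside: whether port 25 is reachable at all (the `nc smtp.gmail.com 25` test in Troubleshooting) and whether the SASL/TLS settings above actually took effect, that is, `STARTTLS` is offered and `AUTH` is only advertised once the session is encrypted (`smtpd_tls_auth_only = yes`). The following is an added example, not code from this wiki: `probe()` is a live stand-in for the nc test that also sends `EHLO` and reads the reply, while the parsing functions work on transcripts so they can be exercised offline. The transcripts, `mail.example.org` and `probe.example` are constructed, not captured from any real server.

```python
import socket

# Constructed sample transcripts (not captured from a real server) mirroring
# what the Postfix settings on this page should produce: no AUTH offered on
# the plaintext EHLO, AUTH offered only after STARTTLS.
BANNER = "220 mail.example.org ESMTP Postfix\r\n"
EHLO_PLAIN = (
    "250-mail.example.org\r\n"
    "250-STARTTLS\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)
EHLO_AFTER_TLS = (
    "250-mail.example.org\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250 8BITMIME\r\n"
)
# A server that advertises AUTH before TLS (smtpd_tls_auth_only = no):
EHLO_WEAK = (
    "250-mail.example.org\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)


def split_reply(raw):
    """Split an SMTP reply into (code, [text of each line]).

    A '-' in the fourth column means more lines follow; a space marks the
    last line of the reply (RFC 5321, section 4.2.1).
    """
    lines = [l for l in raw.splitlines() if l.strip()]
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        raise ValueError("not an SMTP reply: %r" % raw)
    return int(lines[0][:3]), [l[4:] for l in lines]


def ehlo_keywords(raw):
    """Return {KEYWORD: [parameters]} from a 250 EHLO reply (first line is the server name)."""
    code, lines = split_reply(raw)
    if code != 250:
        raise ValueError("EHLO rejected with code %d" % code)
    keywords = {}
    for line in lines[1:]:
        parts = line.split()
        if parts:
            keywords[parts[0].upper()] = parts[1:]
    return keywords


def assess_listener(banner, ehlo_plain, ehlo_tls=None):
    """Summarise what the banner and the EHLO replies say about the listener.

    auth_before_tls lists AUTH mechanisms offered on the unencrypted session;
    a server with smtpd_tls_auth_only = yes leaves it empty.
    """
    code, _ = split_reply(banner)
    findings = {"ready": code == 220, "starttls": False,
                "auth_before_tls": [], "auth_after_tls": []}
    if not findings["ready"]:
        return findings
    keywords = ehlo_keywords(ehlo_plain)
    findings["starttls"] = "STARTTLS" in keywords
    findings["auth_before_tls"] = keywords.get("AUTH", [])
    if ehlo_tls is not None:
        findings["auth_after_tls"] = ehlo_keywords(ehlo_tls).get("AUTH", [])
    return findings


def read_reply(sock):
    """Read one complete (possibly multi-line) reply from a connected socket."""
    reader = sock.makefile("rb")
    raw = b""
    while True:
        line = reader.readline()
        raw += line
        if not line or len(line) < 4 or line[3:4] == b" ":
            return raw.decode("ascii", "replace")


def probe(host, port=25, timeout=5.0):
    """Live counterpart of `nc host 25`: returns ((banner, ehlo_reply), None),
    or (None, reason) when the port is unreachable, which on a home connection
    usually means the ISP filters outbound port 25."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = read_reply(sock)
            sock.sendall(b"EHLO probe.example\r\n")  # constructed client name
            ehlo = read_reply(sock)
            sock.sendall(b"QUIT\r\n")
            return (banner, ehlo), None
    except OSError as exc:  # ConnectionRefusedError and timeouts are subclasses
        return None, "port %d on %s unreachable: %s" % (port, host, exc)


if __name__ == "__main__":
    print(assess_listener(BANNER, EHLO_PLAIN, EHLO_AFTER_TLS))
    print(assess_listener(BANNER, EHLO_WEAK))
```

Run `probe("your.mail.host")` from the outside after restarting Postfix; if `auth_before_tls` comes back non-empty, the `smtpd_tls_auth_only` line did not take effect and PLAIN or LOGIN credentials could be sent unencrypted.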

Cyrus SASL Library

  • On Gentoo you *must* compile dev-libs/cyrus-sasl with the urandom flag. Otherwise you will have severe slowdowns when using this library (this is very similar to the problem with Tomcat and its entropy source).

Postfix Database files

  • You can specify Postfix configuration or data in plain text files, but then Postfix converts them to indexed files that end with the *.db extension. Thus if you make a change to one of your text files, you need to recompile a database file like this:
postmap /etc/postfix/virtual
  • You can comma separate destination addresses in order to get a virtual address to forward to more than one address.
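Since /etc/postfix/virtual is only read through the compiled .db, a typo in the text file, a forgotten postmap run, or an entry for a domain that is not in virtual_alias_domains all fail silently. The following is an added example, not code from this wiki: a parser for the postmap text format (key, whitespace, comma-separated destinations, continuation lines, `#` comments), a lint pass over the parsed entries, and a staleness check for the .db. The sample file is constructed; shoopz.com is the domain the main.cf lines above name, the other addresses are invented.

```python
import os
import re

# Constructed sample of /etc/postfix/virtual (not the wiki author's file);
# shoopz.com is the domain main.cf on this page lists in virtual_alias_domains.
SAMPLE_VIRTUAL = """\
# mail for the virtual domain is forwarded to local and remote mailboxes
contact@shoopz.com      elvanor, backup@example.net
postmaster@shoopz.com   elvanor
@shoopz.com             elvanor
sales@other.example     elvanor
"""
ALIAS_DOMAINS = {"shoopz.com"}


def _split_values(chunk):
    return [v for v in re.split(r"[,\s]+", chunk.strip()) if v]


def parse_virtual(text):
    """Parse the postmap text format: 'key  value[, value ...]' per line.

    '#' starts a comment, blank lines are skipped, and a line beginning with
    whitespace continues the previous entry's value list.
    """
    entries = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key is not None:
            entries[last_key].extend(_split_values(raw))
            continue
        fields = re.split(r"\s+", raw.strip(), maxsplit=1)
        key = fields[0]
        entries[key] = _split_values(fields[1]) if len(fields) > 1 else []
        last_key = key
    return entries


def lint_virtual(entries, alias_domains):
    """Return warnings for entries that will not do what was probably intended."""
    warnings = []
    for key, destinations in entries.items():
        local, at, domain = key.rpartition("@")
        if not destinations:
            warnings.append("%s: no destination, nothing to deliver to" % key)
        if key in destinations:
            warnings.append("%s: forwards to itself (mail loop)" % key)
        if at and domain not in alias_domains:
            warnings.append("%s: %s is not in virtual_alias_domains; Postfix will not "
                            "accept mail for it unless it is a local or relay domain"
                            % (key, domain))
        if at and not local:
            warnings.append("%s: catch-all for %s, every address at the domain is "
                            "accepted (expect spam)" % (key, domain))
    return warnings


def needs_postmap(text_mtime, db_mtime):
    """True when the .db is missing or older than the text file it was built from."""
    return db_mtime is None or text_mtime > db_mtime


def check_map_files(path="/etc/postfix/virtual"):
    """Filesystem wrapper around needs_postmap for a real installation."""
    db = path + ".db"
    db_mtime = os.path.getmtime(db) if os.path.exists(db) else None
    return needs_postmap(os.path.getmtime(path), db_mtime)


if __name__ == "__main__":
    entries = parse_virtual(SAMPLE_VIRTUAL)
    for key, dests in entries.items():
        print(key, "->", ", ".join(dests))
    for warning in lint_virtual(entries, ALIAS_DOMAINS):
        print("warning:", warning)
```

The catch-all entry (`@shoopz.com`) is flagged on purpose: it is convenient, but it turns the domain into a target for dictionary spam, which is exactly the Gmail rate-limiting problem described in the Spam section.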

Logs

  • On Gentoo the logs are at /var/log/messages, but it requires a logging daemon like syslog-ng to be started and running.

Installing Qmail on OS X 10.4

  • WARNING: Qmail is not fully open-source, and has been unmaintained for years. It is recommended to use Postfix instead.
  • Excellent Mac OS X resource for Qmail.
  • Issue the following commands (the following tutorial is adapted from Life with Qmail, with some OS X specific notes):
  • Download source packages, setup:
cd /usr/local/src
curl http://www.qmail.org/netqmail-1.05.tar.gz -RO
curl http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz -RO
curl http://cr.yp.to/daemontools/daemontools-0.76.tar.gz -RO
curl http://http.netdevice.com:9080/qmail/patch/panther.patch -RO
mkdir /var/qmail
  • Setup necessary system accounts:
nireport . /groups name gid
niload group . <<EOF
> qmail:*:2107:
> nofiles:*:2108:
> EOF
nidump group . >/etc/group
nireport . /users name uid
niload passwd . <<EOF
> alias:*:7790:2108::0:0::/var/qmail/alias:/bin/true
> qmaild:*:7791:2108::0:0::/var/qmail:/bin/true
> qmaill:*:7792:2108::0:0::/var/qmail:/bin/true
> qmailp:*:7793:2108::0:0::/var/qmail:/bin/true
> qmailq:*:7794:2107::0:0::/var/qmail:/bin/true
> qmailr:*:7795:2107::0:0::/var/qmail:/bin/true
> qmails:*:7796:2107::0:0::/var/qmail:/bin/true
> EOF
nidump passwd . >/etc/passwd
  • Compile packages (applying patches):
gunzip -cd netqmail-1.05.tar.gz | tar -xf -
cd netqmail-1.05
./collate.sh
cd netqmail-1.05
patch </usr/local/src/panther.patch
make setup check
./config
cd ../..
gunzip -cd ucspi-tcp-0.88.tar.gz |tar -xf -
cd ucspi-tcp-0.88
make setup check
cd ..
mkdir -p /package
mv daemontools-0.76.tar.gz /package
chmod 1755 /package
cd /package
gunzip -cd daemontools-0.76.tar.gz |tar -xf -
echo x >> /package/admin/daemontools-0.76/src/trypoll.c # This is a necessary patch for OS X 10.4
cd admin/daemontools-0.76
package/install
  • Lots of configuration follows:
cat /etc/rc.local
csh -cf '/command/svscanboot &'
rm /etc/rc.local
mkdir /Library/StartupItems/svscanboot
cd /Library/StartupItems/svscanboot
nano svscanboot
#!/bin/sh
. /etc/rc.common
StartService( )
{
ConsoleMessage "Starting svscanboot"
csh -cf '/command/svscanboot &'
}
RunService "$1"
chmod 755 svscanboot
nano StartupParameters.plist
{
Description = svscanboot;
Provides = (svscanboot);
Requires = (Network);
OrderPreference = None;
}
nano /var/qmail/rc
#!/bin/sh
# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default
exec env - PATH="/var/qmail/bin:$PATH" qmail-start "`cat /var/qmail/control/defaultdelivery`"
chmod 755 /var/qmail/rc
echo ./Maildir/ >/var/qmail/control/defaultdelivery
cd /var/qmail/bin
curl http://lifewithqmail.org/qmailctl-script-dt70 -RO
mv qmailctl-script-dt70 qmailctl
chmod 755 qmailctl
ln -s /var/qmail/bin/qmailctl /usr/bin
cp -p /etc/periodic/daily/500.daily /etc/periodic/500.daily.0
sed -e 's/mailq/qmailctl queue/' /etc/periodic/500.daily.0 >/etc/periodic/daily/500.daily
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
nano /var/qmail/supervise/qmail-send/run
#!/bin/sh
exec /var/qmail/rc
nano /var/qmail/supervise/qmail-send/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail
nano /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
exec /usr/local/bin/softlimit -m 2000000 /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1
echo 20 >/var/qmail/control/concurrencyincoming
chmod 644 /var/qmail/control/concurrencyincoming
nano /var/qmail/supervise/qmail-smtpd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpd
chmod 755 /var/qmail/supervise/qmail-send/run
chmod 755 /var/qmail/supervise/qmail-send/log/run
chmod 755 /var/qmail/supervise/qmail-smtpd/run
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
mkdir -p /var/log/qmail/smtpd
chown qmaill /var/log/qmail /var/log/qmail/smtpd
ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service
echo '127.:allow,RELAYCLIENT=""' >>/etc/tcp.smtp
qmailctl cdb
mv /usr/sbin/sendmail /usr/sbin/sendmail.old
chmod 0 /usr/sbin/sendmail.old
ln -s /var/qmail/bin/sendmail /usr/sbin
  • Last configuration step, involving the main account on the server:
echo elvanor >/var/qmail/alias/.qmail-root
echo elvanor >/var/qmail/alias/.qmail-postmaster
ln -s .qmail-postmaster /var/qmail/alias/.qmail-mailer-daemon
chmod 644 /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-postmaster
sudo -u elvanor -s
cd
/var/qmail/bin/maildirmake Maildir
echo ./Maildir/ >.qmail
/Developer/Tools/SetFile -a V Maildir # This is optional, it will make Maildir invisible in the Finder
exit
  • Reboot and test:
reboot
qmailctl stat
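The qmail-smtpd run script above refuses to start without control/rcpthosts because, without it, qmail-smtpd would accept mail for any destination from anyone. The other half of the relay policy is the `/etc/tcp.smtp` line that sets `RELAYCLIENT` for localhost only: a client gets to relay exactly when the tcprules entry matched for its address sets that variable. The following is an added example, not code from this wiki or from ucspi-tcp: a parser for tcprules source lines and a lookup that mirrors tcpserver's matching order (exact address, then shorter dotted prefixes, then the empty default), so you can check which clients a given tcp.smtp lets relay before running `qmailctl cdb`. The sample file is constructed; the fallback when no rule matches is my reading of the ucspi-tcp documentation and is marked as an assumption.

```python
# Constructed /etc/tcp.smtp (not the wiki author's file); the first line is
# the rule the installation steps on this page append.
SAMPLE_TCP_SMTP = """\
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
10.:deny
:allow
"""


def parse_tcprules(text):
    """Parse tcprules source lines: address:instruction[,VAR="value"...]."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instruction = line.partition(":")
        fields = instruction.split(",")
        action = fields[0].strip()
        if action not in ("allow", "deny"):
            raise ValueError("bad instruction on line: %r" % raw)
        env = {}
        for assignment in fields[1:]:
            name, _, value = assignment.partition("=")
            env[name.strip()] = value.strip().strip('"')
        rules[address] = (action, env)
    return rules


def lookup(rules, client_ip):
    """Find the rule tcpserver applies: the exact address, then ever shorter
    dotted prefixes ('1.2.3.', '1.2.', '1.'), then the empty default key."""
    octets = client_ip.split(".")
    candidates = [client_ip]
    candidates += [".".join(octets[:n]) + "." for n in range(len(octets) - 1, 0, -1)]
    candidates.append("")
    for key in candidates:
        if key in rules:
            return rules[key]
    # Assumption (from the ucspi-tcp docs as I read them): tcpserver allows the
    # connection with no extra environment when nothing matches.
    return ("allow", {})


def may_relay(rules, client_ip):
    """Relaying through qmail-smtpd requires RELAYCLIENT in the environment;
    clients without it may only send to domains listed in control/rcpthosts."""
    action, env = lookup(rules, client_ip)
    return action == "allow" and "RELAYCLIENT" in env


def relaying_prefixes(rules):
    """List every address or prefix the file lets relay, for a quick audit."""
    return sorted(k for k, (action, env) in rules.items()
                  if action == "allow" and "RELAYCLIENT" in env)


if __name__ == "__main__":
    rules = parse_tcprules(SAMPLE_TCP_SMTP)
    print("relay allowed from:", relaying_prefixes(rules))
    for ip in ("127.0.0.1", "192.168.1.20", "192.168.2.20", "10.5.5.5", "203.0.113.9"):
        print(ip, lookup(rules, ip), "relay" if may_relay(rules, ip) else "no relay")
```

The audit helper is the one to run before `qmailctl cdb`: if `relaying_prefixes()` ever returns the empty key, the file has a `:allow,RELAYCLIENT=""` default line and the host is an open relay regardless of rcpthosts.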

Configuring Qmail

  • If you need to relay through your ISP SMTP server, modify the file /var/qmail/control/smtproutes:
:smtp.free.fr
  • To add a mailbox to a new user, run:
/var/qmail/bin/maildirmake Maildir

in the home directory of the user, running as the user the Maildir is being added to.

  • Setting up forwarding is pretty simple for a user. Just edit the .qmail file in the user's home directory:
./Maildir/
&elvanor@gmail.com

The first line specifies that a copy should go to the Maildir directory; the second forwards a copy to elvanor@gmail.com.

  • Setting up an alias is pretty simple. Create in /var/qmail/alias the file .qmail-alias_name, for example .qmail-contact. In that file, as in a normal .qmail file, specify the users you want to forward to (a single line with &elvanor will cause the message to be delivered to elvanor for example).
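The .qmail lines above (a maildir path, an `&address` forward) are two of the four line types qmail-local understands; the others are an mbox path and a `|program` line that runs a command as the user for every message. The following is an added example, not code from this wiki or from qmail: a small classifier for .qmail lines, a review pass that points out off-host forwards and program lines (the two entries worth a second look when auditing a user's delivery instructions), and the alias-file naming rule from the last bullet. The sample file is constructed.

```python
# Constructed sample of a user's ~/.qmail (not the wiki author's file).
SAMPLE_DOTQMAIL = """\
# keep a local copy, forward one, and pipe one through a filter
./Maildir/
&elvanor@gmail.com
|/usr/local/bin/procmail
/var/mail/archive
"""

QMAIL_ALIAS_DIR = "/var/qmail/alias"


def parse_dotqmail(text):
    """Classify each .qmail line as maildir, mbox, forward or program.

    Rules from dot-qmail: '#' is a comment, '|' runs a program, a line
    starting with '/' or '.' is a file (maildir if it ends with '/', else
    mbox), '&' forwards; a forward may omit the '&' when the address starts
    with a letter or digit. Blank lines are skipped here.
    """
    actions = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("|"):
            actions.append(("program", line[1:].strip()))
        elif line.startswith(("/", ".")):
            actions.append(("maildir" if line.endswith("/") else "mbox", line))
        elif line.startswith("&"):
            actions.append(("forward", line[1:]))
        elif line[0].isalnum():
            actions.append(("forward", line))
        else:
            raise ValueError("unrecognised .qmail line: %r" % raw)
    return actions


def review_dotqmail(actions, local_domains=()):
    """Notes for the entries an administrator should look at when auditing."""
    notes = []
    for kind, argument in actions:
        if kind == "program":
            notes.append("runs %r as the user for every message" % argument)
        elif kind == "forward" and "@" in argument:
            if argument.rpartition("@")[2] not in local_domains:
                notes.append("forwards a copy off-host to %s" % argument)
    return notes


def alias_file(alias_name):
    """Path of the .qmail file that defines an alias (e.g. 'contact')."""
    return "%s/.qmail-%s" % (QMAIL_ALIAS_DIR, alias_name)


if __name__ == "__main__":
    actions = parse_dotqmail(SAMPLE_DOTQMAIL)
    for action in actions:
        print(action)
    for note in review_dotqmail(actions, {"shoopz.com"}):
        print("note:", note)
    print(alias_file("contact"))
```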