nethserver-mail¶
Mail system implementation based on Postfix, Dovecot, Rspamd, OpenDKIM. The mail system configuration is splitted into many RPMs, described in the following sections.
- nethserver-mail-common
- nethserver-mail-smarthost
- nethserver-mail-disclaimer
- nethserver-mail-filter
- nethserver-mail-server
- nethserver-mail-ipaccess
- nethserver-mail-getmail
- nethserver-mail-p3scan
- mail-quarantine
- Database format
- Mail quota
- Disabled users
- Testing Dovecot with Mutt
- Set special ACL on mailboxes
- IP-based IMAP access restriction
- Enable dovecot IMAP rawlog
- Access the rspamd UI
- Bayesian rules upgrade to rspamd
- Sender address validation
- Postfix SMTP listening ports
- Dynamic group aliases
nethserver-mail-common¶
- Common infrastructure for
nethserver-mail-server and nethserver-mail-filter
, Postfix-based. - Relay
- Queue parameters: age + message size
- MX record configuration
nethserver-mail-smarthost¶
- Send mail through the given MTA (smarthost), with SMTP/AUTH
- StartTLS encryption
- Set sender address for mail sent from root user (see Notifications section under nethserver-base package README)
nethserver-mail-disclaimer¶
- Attach disclaimer/legal notice to outbound messages for certain domains
- Runs
altermime
with Postfixcontent_filter
option
nethserver-mail-filter¶
- Based on Rspamd
- Anti-spam with DNSBL (see: nethserver-unbound)
- Anti-virus
- Attachment block
- Real-time Blackhole List (RBL)
- Sender Policy Framework (SPF)
- Customized spam threshold
- Sender WBL, Recipient whitelist
nethserver-mail-server¶
- IMAP/POP3 mailbox access protocols
- STARTTLS enabled by default
- Mail quota
- Sieve filters
- Postfix/dovecot-lda integration
- Multi-domain
- Domain-specific configuration
- Pseudonyms
- SMTP authentication
- Active Directory integration
- SpamAssassin’s Bayesian classifier training (
spamtrainers
group) - Spam retention time
- Sender address restriction based on login name
- Dynamic group members address list expansion
nethserver-mail-ipaccess¶
IMAP access for a specific group of users. See IP-based IMAP access restriction.
nethserver-mail-getmail¶
The package configures getmail using cron.
For each enabled account the system:
- generates a
.cfg
file inside the/var/lib/getmail
directory from the template/etc/e-smith/templates/getmailrc
- adds a line inside the
/etc/cron.d/getmail
, all getmail instances use a non-blocking flock - delivers the messages using dovecot-lda
All operations are logged in /var/log/maillog
.
If a virus is found inside a received mail, the message is dropped.
The evidence of log in /var/log/maillog
:
Feb 14 18:19:10 vm5 clamd[1791]: instream(local): Eicar-Test-Signature FOUND
Feb 14 18:19:11 test getmail: msg 4/12 (702 bytes) msgid 000008bb5785fb1d from <root@test.neth.eu> dropped by filter Filter_classifier clamdscan (allow_root_commands="True", arguments="('-c', '/etc/clamd.d/amavisd.conf', '--stdout', '--no-summary', '--infected', '-')", command="clamdscan", exitcodes_drop="('1',)", exitcodes_keep="('0',)", group="None", ignore_stderr="False", path="/usr/bin/clamdscan", unixfrom="False", user="None")
nethserver-mail-p3scan¶
This package configures p3scan, full-transparent POP3 proxy-server for email clients.
- POP3 and POP3s proxy
- Anti-virus and anti-spam checks
mail-quarantine¶
This package makes a quarantine for spam. They are sent to a mailbox (you need to manually created it), waiting a review of the sysadmin. If enabled a mail notification is sent to the postmaster (root alias) for each quarantined email.
Database format¶
configuration¶
Postfix example:
postfix=service
...
AccessPolicies=
AlwaysBccStatus=disabled
AlwaysBccAddress=
MessageQueueLifetime=4
MessageSizeMax=20000000
ConnectionsLimit=
ConnectionsLimitPerIp=
SystemUserRecipientStatus=disabled
...
SenderValidation=disabled
DynamicGroupAlias=disabled
HeloHost=
SmartHostAuth=disabled
SmartHostAuthStatus=disabled
SmartHostName=192.168.5.252
SmartHostPassword=password
SmartHostPort=25
SmartHostStatus=disabled
SmartHostTlsStatus=enabled
SmartHostUsername=ns1
AccessPolicies
: A comma separated list of values. ObsoletesSubmissionPolicyType
prop. Currently defined values aresmtpauth
andtrustednetworks
.- smtpauth enable SMTP/AUTH on port 25, otherwise it is enabled only on 587 and 465 submission ports
- trustednetworks allow relay from any host in trusted networks (green network included).
AlwaysBccStatus {enabled,disabled}
: ifenabled
any message entering Postifx mail system is copied to the givenAlwaysBccAddress
.AlwaysBccAddress
: an email address that always receives a message copy (controlled byAlwaysBccStatus
).SystemUserRecipientStatus {enabled,disabled}
enabled
, accept from any network the recipient addresses formed by user account names and domain partlocalhost
,localhost.<domainname>
and FQDN hostname.SenderValidation {enabled,disabled}
, defaultdisabled
, checks the SMTP sender is consistent with /etc/login_maps and /etc/login_maps.pcre contents.DynamicGroupAlias {enabled,disabled}
, defaultdisabled
,- if
enabled
, create distribution lists based on system groups. See also the “Dynamic group aliases” section below.
HeloHost
. FQDN hostname used by Postfix when connecting to other MTAs
Dovecot example:
dovecot=service
...
AdminIsMaster=disabled
DeletedToTrash=disabled
FtsLuceneStatus=enabled
ImapStatus=enabled
LmtpInetListenerStatus=disabled
LogActions=disabled
MaxProcesses=400
MaxUserConnectionsPerIp=12
PopStatus=enabled
QuotaDefaultSize=20
QuotaStatus=disabled
SharedMailboxesStatus=enabled
SharedSeen=disabled
SpamFolder=Junk
SpamRetentionTime=15d
TlsSecurity=required
RestrictedAccessGroup=
Properties:
AdminIsMaster {enabled,disabled}
allow root user to impersonate other usersDeletedToTrash {enabled,disabled}
deletedtotrash pluginFtsLuceneStatus {enabled,disabled}
lucene indexed search pluginImapStatus {enabled,disabled}
IMAP protocol switchLmtpInetListenerStatus {enabled,disabled}
open a TCP socket for LMTP protocolLogActions {enabled,disabled}
IMAP actions logging pluginMaxProcesses N
maximum number of worker processes spawned by dovecot. A single user session usually requires multiple processes.MaxUserConnectionsPerIp N
maximum TCP connections for one user behind the same IP. This number will be multplied by 5 for connections coming from localhost.PopStatus {enabled,disabled}
POP3 protocol switchQuotaDefaultSize N
Default user quota size (1 unit is 10MB)QuotaStatus {enabled,disabled}
General user mail quota switchSharedMailboxesStatus {disabled,enabled}
Control the “Shared” IMAP namespace for per-user folder sharingSharedSeen {disabled,enabled}
Control the Seen IMAP flag (enabled means all users will see an email as read as soon as the first user reads it)SpamFolder FolderName
Deliver spam tagged messages to the given folder (applied to all users)SpamRetentionTime Nd
Expunge messages in SpamFolder if older than the given time span. “d” is for days.TlsSecurity {optional,required}
controls dovecotdisable_plaintext_auth
parameter: if set torequired
clear-text authentication methods are disabled, whileoptional
enables them.RestrictedAccessGroup
The value is a long group name, likedomain admins@mydomain.tld
. Members of the given group can login to dovecot services only from trusted networks. Install theVszLimit
set thedefault_vsz_limit
dovecot option, values are expressed inM
nethserver-mail-server-ipaccess
package to enable this feature.
p3scan example:
p3scan=service
SSLScan=enabled
SpamScan=enabled
TCPPort=8110
Template=/etc/p3scan/p3scan-en.mail
VirusScan=enabled
access=
status=enabled
rspamd example:
rspamd=service
BlockAttachmentClassList=Exec
BlockAttachmentCustomList=doc,odt
BlockAttachmentCustomStatus=disabled
BlockAttachmentStatus=enabled
OletoolsStatus=enabled
Password=uO9QjlnRCDsT0ZCD
RecipientWhiteList=
SenderBlackList=
SenderWhiteList=
SpamCheckStatus=enabled
SpamDsnLevel=20
SpamGreyLevel=4
SpamKillLevel=15
SpamSubjectPrefixStatus=disabled
SpamSubjectPrefixString=***SPAM***
SpamTag2Level=6
SpamTagLevel=2
VirusAction=reject
VirusCheckStatus=enabled
VirusScanOnlyAttachment=false
VirusScanSize=20000000
VirusScanTimeout=90
VirusScanSoftReject=enabled
status=enabled
Properties:
BlockAttachmentClassList {Exec,Arch}
Reject the attachements matching the extension listBlockAttachmentCustomList List
Reject the attachements matching the custom extension listBlockAttachmentCustomStatus {enabled,disabled}
Enable the custom list of rejected extensionsOletoolsStatus {enabled,disabled}
Enable Oletools to reject suspicious microsoft office document macroPassword
Password to authenticate the user rspamd for the Rspamd UIRecipientWhiteList
Do not perform checks for the recipient list, always acceptSenderBlackList
Do not perform checks for the sender list, always rejectSenderWhiteList
Do not perform checks for the sender list, always acceptSpamCheckStatus {enabled,disabled}
Enable the SPAM filterSpamSubjectPrefixStatus {enabled,disabled}
Enable to rewrite the subject when a possible spam is detectedSpamSubjectPrefixString string
Rewrite the subject with the string when a possible spam is detectedVirusAction
Possible action when a virus is detected (reject is default, ‘rewrite_subject’ to tag as spam)VirusCheckStatus {enabled,disabled}
Enable the virus check with ClamavVirusScanOnlyAttachment {true,false}
If true only messages with non-image attachments will be checkedVirusScanSize
The messages > n bytes in size are not scanned (valuable for Clamav and Oletools)VirusScanTimeout
Time in seconds that clamav is allowed to scan the email before to hit a timeout (default 90)VirusScanSoftReject {enabled,disabled}
when clamav hit a timeout to scan an email, if enabled the email is soft rejected (try again)
domains¶
Record of type domain:
internal.tld=domain
...
TransportType=none
mycompany.com=domain
...
TransportType=Relay
RelayHost=10.1.1.4
RelayPort=25
DisclaimerStatus=disabled
test.tld=domain
...
TransportType=SmtpSink
example.com=domain
...
TransportType=LocalDelivery
UnknownRecipientsActionType=deliver
UnknownRecipientsActionDeliverMailbox=jdoe
AlwaysBccStatus=enabled
AlwaysBccAddress=admin``there.org
other.net=domain
...
TransportType=Relay
RelayHost=mail.other.net
RelayPort=25
accounts¶
Groups:
employees@domain.com=group
...
MailStatus=enabled
MailAccess=private
administrators@domain.com=group
...
MailStatus=enabled
MailAccess=public
info@domain.com=group
...
MailStatus=enabled
MailAccess=public
User:
jdoe=user
FirstName=John
LastName=Doe
...
MailStatus=enabled
MailQuotaType=custom
MailQuotaCustom=15
MailForwardStatus=disabled
MailForwardAddress=
MailForwardKeepMessageCopy=no
and his pseudonyms: ::
john.doe``example.com=pseudonym
Account=jdoe
ControlledBy=system
Access=public
doe``=pseudonym
Account=jdoe
ControlledBy=operators
Access=private
getmail¶
All records of type getmail
are saved inside the getmail
database.
Properties:
- The key is the mail account to be downloaded
status
: can beenabled
ordisabled
, default isenabled
Account
: local user where messages will be delivered. Should be in the form user@domainServer
: server of the mail accountUsername
: user name of the mail accountPassword
: password of the mail accountDelete
: numbers of days after downloaded messages will be deleted,-1
means never,0
means immediatelyTime
: integer number rappresenting the minutes between each check, valid valued are between 1 and 60FilterCheck
: ifenabled
, check downloaded messages for viruses and spam usingrspamc
classifierRetriever
: can be any getmail retriever, see Getmail official doc- Retrievers available in the web interface:
SimplePOP3Retriever
SimplePOP3SSLRetriever
SimpleIMAPRetriever
SimpleIMAPSSLRetriever
Example:
db getmail set test@neth.eu getmail Account pippo@neth.eu status enabled Password Nethesis,1234 Server localhost Username test@neth.eu Retriever SimplePOP3Retriever Delete enabled Time 30 VirusCheck enabled SpamCheck enabled
quarantine¶
The properties are under the rspamd
key (configuration database):
rspamd=service
...
QuarantineAccount=vmail+quarantine
QuarantineSelector=is_reject
QuarantineStatus=enabled
SpamNotificationStatus=disabled
* ``QuarantineAccount``: The local email box where to send all spams (spam check is automatically disabled on this account). You must create it manually. You could send it to an external mailbox but then you must disable the spam check on this server
* ``QuarantineSelector``: It is possible to move to quarantine all spams (add_header, rewrite_subject, reject), allowed values are ``is_reject`` (default) or ``is_spam``
* ``QuarantineStatus``: Enable the quarantine, spam are no more rejected: enabled/disabled (default)
* ``SpamNotificationStatus``: Enable the email notification when email are quarantined: enabled/disabled (default)
For example, the following commands enable the quarantine:
config setprop rspamd QuarantineAccount spam@domain.org QuarantineStatus enabled SpamNotificationStatus enabled
signal-event nethserver-mail-quarantine-save
Mail quota¶
The default mail quota is configured in dovecot.conf
. Custom user mail quota
is set by the dovecot-postlogin
script, by reading
/etc/dovecot/user-quota
(which is a template). If a custom mail quota is set
the UI interface does not show the updated value until the user performs an IMAP
login.
Disabled users¶
By default all system users are also Dovecot users. To disable a user we
configure a blacklist in dovecot.conf
: /etc/dovecot/deny.passwd
.
As Dovecot is configured as authentication backend for Postfix, a disabled user loses also SMTP AUTH access.
Testing Dovecot with Mutt¶
Read admin’s mail with Mutt IMAP client. Quickstart:
yum install mutt
cat - <<EOF > ~/.muttrc
set spoolfile="imaps://root@localhost/"
set folder=""
EOF
mutt
See: http://dev.mutt.org/doc/manual.html
When mutt starts always asks for the root
password.
To avoid typing the password again and again write it in .muttrc
:
set spoolfile="imaps://root:PASSWORD@localhost/"
set folder=""
PASSWORD
must be URL-encoded. For instance the slash character /
is encoded as %2f
.
Set special ACL on mailboxes¶
The nethserver-mail-shrmbx-modify
action applies some predefined ACL
settings to shared mailboxes (type the mailbox name twice: the action performs also rename):
/etc/e-smith/events/actions/nethserver-mail-shrmbx-modify EVENT OLDNAME NEWNAME ID PERM [ID PERM ...]
For instance, let’s grant full “admin” permissions to group “administrators”:
/etc/e-smith/events/actions/nethserver-mail-shrmbx-modify ev 'Public folder1' 'Public Folder One' group=administrators@$(hostname -d) ADMIN
You can also use doveadm
to set special ACL on a shared mailbox:
doveadm acl set -u <user> <shared_mailbox> <subject> <flags>
Example: allow insert and expunge to user goofy on public mailbox testshare (domain of the machine is local.nethserver.org):
doveadm acl set -u goofy@local.nethserver.org Public/testshare "user=goofy@local.nethserver.org" insert expunge
IP-based IMAP access restriction¶
This feature allows to restrict IMAP access for a specific group. Members of the given group have IMAP access restricted to trusted networks.
Install
nethserver-mail-ipaccess
packageyum install nethserver-mail-ipaccess
Set the limited group, remember to use the full group name:
<group>@<domain>
config setprop dovecot RestrictedAccessGroup <group>@<domain>
Example for group
collaborators@nethserver.org
:config setprop dovecot RestrictedAccessGroup collaborators@nethserver.org
Apply the configuration
signal-event nethserver-mail-server-save
Syntax of /etc/dovecot/ipaccess.conf
¶
The dovecot-postlogin
script enforces an IP-based access policy to dovecot
services when the file :file:/etc/dovecot/ipaccess.conf
exists and is readable.
The file is composed by comments and records. Comments are line starting with #
,
whilst records have the following syntax:
<long group name> = <cidr list>
A long group name is the group name with domain suffix, like domain
admins@mydomain.tld
.
The cidr list is a comma-separated list of IP and network addresses in CIDR
format, like 127.0.0.1, 192.168.1.0/24, 10.1.1.2
. The binary conversion is
implemented by the NetAddr::IP
Perl module. See perldoc NetAddr::IP
for
details.
Enable dovecot IMAP rawlog¶
This section describes how to record the list of IMAP commands sent by the client and the server during an IMAP session. For more information see Dovecot rawlog.
Create the file
/etc/e-smith/templates-custom/etc/dovecot/dovecot.conf/90rawlog
with the
following contents:
#
# 90rawlog (custom)
#
import_environment = $import_environment DEBUG=1
service imap-postlogin \{
executable = script-login -d rawlog -t /usr/libexec/nethserver/dovecot-postlogin
\}
Apply the new configuration
signal-event nethserver-mail-server-save
To enable IMAP rawlog for a specific user, identify the user (vmail) home directory with the following command:
# doveadm user -u first.user@dpnet.nethesis.it
userdb: first.user@dpnet.nethesis.it
system_groups_user: first.user@dpnet.nethesis.it
uid : 987
gid : 990
home : /var/lib/nethserver/vmail/first.user@dpnet.nethesis.it
Warning
Always use the user long name form, which includes the @domain
suffix.
In our example first.user
would not work
Create the dovecot.rawlog
directory and change permissions:
mkdir "/var/lib/nethserver/vmail/first.user@dpnet.nethesis.it/dovecot.rawlog"
chown vmail:vmail "/var/lib/nethserver/vmail/first.user@dpnet.nethesis.it/dovecot.rawlog"
Detailed IMAP rawlogs are now created under the user’s (vmail) home directory.
Each session is split into two files: .in
file for client requests, .out
file for server responses. For instance,
/var/lib/nethserver/vmail/first.user@dpnet.nethesis.it/dovecot.rawlog/20180913-143301-6293.in
/var/lib/nethserver/vmail/first.user@dpnet.nethesis.it/dovecot.rawlog/20180913-143301-6293.out
The initial timestamp helps to mix them together and obtain the complete IMAP session trace:
sort -n /var/lib/nethserver/vmail/first.user@dpnet.nethesis.it/dovecot.rawlog/20180913-143301-6293.*
Access the rspamd UI¶
The rspamd UI is available from the same httpd instance of Server Manager:
https://<IP>:980/rspamd
Access is granted to any account defined in
/etc/httpd/admin-conf/rspamd.secret
. By default a rspamd
login is
created automatically. Its password is available with the following command:
config getprop rspamd Password
Additional accounts can be created with the following command:
/usr/bin/htpasswd -b -m /etc/httpd/admin-conf/rspamd.secret username S3cr3t
If an account provider is configured, the default access policy to rspamd UI is
granting access also to admin
user and members of the domain admins
group.
Type config show admins
for details.
Bayesian rules upgrade to rspamd¶
Each Junk
(or junkmail
) folder from users’ accounts, if present, can be
used to train the Rspamd Bayesian filter database, by running the attached
script:
bash /usr/share/doc/nethserver-mail-server-*/bayes_training.sh
Sender address validation¶
If the postfix/SenderValidation
prop is set to enabled
the SMTP server
restricts the Mail from
command usage. The sender address must be associated
with the SMTP login name. The login/sender match is specified in the following
Postfix tables, both implemented with an e-smith template:
/etc/postfix/login_maps
/etc/postfix/login_maps.pcre
To enable the SenderValidation
:
config setprop postfix SenderValidation enabled
signal-event nethserver-mail-server-update
Postfix SMTP listening ports¶
The Postfix SMTP server listens on the following TCP ports
25
, standard SMTP port; used by other MTAs587
, standard SMTP submission port; STARTTLS required by default to protect login passwords; used by MUAs465
, standard SMTPS submission port; TLS always required at socket level; used by MUAs which not support STARTTLS10587
, additional SMTP submission port for localhost only; no TLS required; used by local mail applications
Dynamic group aliases¶
If the postfix/DynamicGroupAlias
prop is enabled
an additional
virtual_alias_maps
TCP table is available. It expands a long group name to
the group members list with a getent group
call. The table is implemented in
:file:/usr/libexec/nethserver/postfix-get-group
. Note that group members
lists are returned by SSSD: as such they obey to its caching rules.
When the DynamicGroupAlias
general switch is enabled, individual groups can
be disabled and marked private. If MailStatus
prop is disabled
the
group long name is not considered a valid email address anymore. The
MailAccess
prop works like the Access
prop for user
records: if set
to private
only authenticated SMTP clients are allowed to use it as
recipient.
Accounts DB group
props example:
employees@domain.com=group
...
MailStatus=enabled
MailAccess=private