Mail#
The Mail application is split into four main parts:
Postfix, an SMTP server for sending and receiving mail messages.
Dovecot, an IMAP and POP3 server to read email, with Sieve language to organize it.
Rspamd, an antispam filter, antivirus and attachments blocker.
ClamAV, an antivirus engine.
Benefits are:
complete autonomy in electronic mail management
avoid problems due to the Internet Service Provider
ability to track the route of messages in order to detect errors
optimized antivirus and antispam scan
Warning
Even if Software Center allows to install multiple instances of Mail on the same node, you can configure and start only one mail server instance per node, otherwise a TCP port conflict error occurs.
A Mail instance can be integrated with other applications. For example:
WebTop groupware.
Roundcube web mail client.
Imapsync schedules periodical fetch jobs or migrates emails from external IMAP servers to local user mailboxes.
Piler archives any message sent or received by Mail with the SMTP protocol.
Configuration#
Mail requires at least one user domain already configured.
The first configuration wizard will require the following information:
Mail server hostname
: insert the mail server name, this should be the same name configured inside your MX DNS record.Primary mail domain
: insert the mail domain, likenethserver.org
; you will be able to add more domains later.
Then, select the user domain to be connected to the mail server. An email address will be created for every user in the selected domain.
Domains#
Mail can handle an unlimited number of mail domains, configurable
from the Domains
page.
Note
If a domain is deleted, email will not be deleted; any message already received is preserved.
You can add a new domain by clicking on the Create domain button and fill
the Name
field with the mail domain, like mymail.org
.
If the Add user addresses from user domain
option is disabled, you can enable the Accept unknown recipients
switch and select
a mailbox that will catch all messages sent to non-existing addresses.
Mail allows storing a hidden copy of all messages
directed to a particular domain: they will be delivered to the final
recipient and also to a custom email address. The hidden copy is
enabled by the Copy inbound messages
switch.
Warning
On some countries, enabling the Copy inbound messages switch can be against privacy laws.
If the final recipient cannot be reached (i.e. the recipient address does
not exist), the message is normally rejected. Sometimes (i.e. when a mail domain
is migrated) it could be useful to accept it and silently deliver the message to
a catch-all mailbox. This behavior can be achieved by enabling the
Accept unknown recipients
option.
This configuration is available only if Add user address from user domain
option is disabled.
DKIM signature#
DomainKeys Identified Mail (DKIM) validates the identity of the sending MTA by adding a cryptographic signature to the message’s MIME headers.
In the Domains
page, click the three-dots menu on the domain card and
select Configure DKIM
to enable or disable the DKIM signature for
messages. By default, DKIM signing is enabled for every domain, and the
key value is displayed in both raw and Bind-compatible “zone file”
formats.
DKIM signature headers are added only to messages sent through TCP ports 587 (submission) and 465 (smtps) when the “From” header matches one of the configured domains.
For DKIM to function correctly, ensure your public DNS is configured as follows, using the instructions provided by your DNS provider:
Add a TXT record with the key
default._domainKey
to your public DNS service.Copy the key text provided and paste it into the DNS record data (RDATA) field.
To further protect against mail domain spoofing, consider adding DNS records for DMARC (Domain-based Message Authentication, Reporting, and Conformance) and SPF (Sender Policy Framework).
Mailboxes#
Each user has a personal mailbox and any user name in the form <username>@<domain> is also a valid email address to deliver messages into it.
The list of mailboxes is shown on the Mailboxes
page. There
are two types of mailboxes: users and public mailboxes.
Users mailboxes#
You can disable each mailbox by selecting the Disable
item from the three-dots menu on the mailbox line.
By clicking the Edit
item from the three-dots menu it’s possible to setup the following options:
Public mailboxes#
Public mailboxes can be shared among groups of users. The Create public mailbox button allows creating a new public mailbox and defining one or more owning groups and users. Public mailboxes can also be created by any IMAP client supporting IMAP ACL protocol extension (RFC 4314).
When a new public mailbox is created, the mail server will automatically add a new address for all existing mail domains.
Addresses#
In addition to the users, groups and public mailboxes addresses, described in the
previous section, the system enables the creation of an unlimited number of email
addresses, from the Addresses
page. Each
mail address is associated with one or more destinations. A
destination can be of the following types:
user mailbox
public mailbox
external email address
A mail address can be specific to one mail domain, or generic to all configured mail domains. In the latter case, we call it a “wildcard address”. For example:
Two domains are configured, mydomain.net and example.com
A specific email address goofy for domain example.com corresponds to goofy@example.com.
A wildcard email address info is bound to all domains: it is equivalent to both info@mydomain.net and info@example.com.
Sometimes a company forbids communications from outside the organization
using personal email addresses. To change the visibility of an address,
click on the three-dots menu and select the Set as internal
action
shortcut, or select Edit
and enable the Internal
check box under
the Advanced
section.
When an address is internal it cannot receive messages from the outside. Still an internal address can be used to exchange messages with other accounts of the system.
Filter#
All transiting email messages are subjected to a list of checks that fall into two main categories, described in the following sections:
Antivirus
Antispam
Navigate to the Filter
page to adjust their settings.
Antivirus#
The ClamAV antivirus component finds email messages containing viruses. Infected messages are discarded. The virus signature database is checked for updates every hour.
The default ClamAV signatures database is normally disabled because it
consumes a large amount of memory. Select the Enable ClamAV official
signatures
checkbox if desired.
ClamAV unofficial signatures are always active instead. It is possible to choose the desired signature rating level among Low, Medium, High. Bear in mind that higher ratings may lead to unwanted false positive matches, therefore good messages can be blocked.
Antispam#
The antispam component Rspamd analyzes emails by detecting and classifying spam messages using heuristic criteria, predetermined rules and statistical evaluations of the content of messages.
The filter can also check if the sending server is listed in one or more DNS-based block lists (or DNSBL). A score is associated with each rule.
Total spam score collected at the end of the analysis allows the server to decide what to do with a message.
Statistical (or Bayesian) filters, are special rules that evolve and quickly adapt analyzing messages marked as spam or ham.
The spam score thresholds can be configured under the Antispam
section
of the Filter
page.
Spam flag threshold
determines the score value where a message is marked as spam. When a message has the spam flag set the consequent delivery action depends on the general settings of mailboxes.Deny message spam threshold
instead regulates the score that is considered too high to accept a message. If the score exceeds this value, the filter rejects the message completely.Under the
Advanced
section it is possible to enable theGreylist threshold
. When the message score exceeds this limit the filter asks the sender to try again the message delivery at later time. The Greylist spam-fighting method assumes that spammers dislike delivery retries. It is disabled by default because it introduces delivery delays also for legitimate senders.
To access additional settings and review recent Rspamd activity, navigate to the web interface of Rspamd by selecting the Open Rspamd button located in the top-right corner of the Filter page. You’ll need to provide your cluster-admin credentials for authentication.
In some cases an email client, recipient, or sender must bypass the filter
checks: the Bypass rules
section allows to define a set of rules based
on the follwing criteria:
Sender IP address or network (CIDR format).
Complete sender email address.
Sender email domain (exact match).
Complete recipient email address.
Recipient email domain (exact match).
Queue#
The Queue
page shows the status of the Postifx mail queue. Under
normal conditions the queue should be empty because messages are
immediately exchanged between mail servers.
If the mail queue contains some messages, try to click the Refresh button to quickly check if the condition is temporary.
As alternative, trigger an immediate new delivery attempt with the button Resend all, or remove all messages from the queue with Delete all.
The same actions can be selectively executed for each message in the
queue, from its three-dots menu. The message delay reason, queue ID,
arrival time, size, sender, and recipients can be inspected with the See
details
action.
Hint
The Message ID
value can be used to search the message in both
Rspamd web interface and
System logs.
If the delay reason is not resolved, and the message is not deleted, the message is returned to the sender after a configurable amount of time. Click the Settings button to modify it. See Queue settings for details.
Relay#
When a message is received from another mail server (MTA), or from a mail user agent (MUA), Postfix determines if and how to relay it towards its final destination. This decision is typically based on relay authorization and the domain suffix of the recipient address.
If the domain is handled by Postfix (i.e. it is listed in Domains) the message is delivered locally.
Otherwise, if the domain is external and relay authorization is valid, the destination server (also known as the “next-hop” server) is resolved using an MX DNS query.
The Relay
page allows to configure a set of rules that overrides the
external domain resolution based on DNS.
To configure IP-based relay authorization, see Relay settings.
Rules priority#
Relay rules can be of three types:
Recipient rule.
Sender rule.
Default rule. Only one default rule is allowed.
The rules evaluation order is Recipient, Sender, Default: the first matching rule is applied. A match occurs based on the message sender or recipient, or if a default rule (that one matching any sender and recipient) is defined.
Sender and Recipient matches can be an exact correspondence of the full email address, or match only the domain suffix. In the rules evaluation order, exact match is evaluated before the domain suffix match.
Managing rules#
Click on button Add relay rule to define a Sender or a Recipient rule. Specify the rule type and subject value (sender or recipient), then fill the remaining fields:
Hostname, the name or IP address of the server where the message is relayed if the rule match.
Port, the TCP port number used by the server.
Authentication. If the server requires SMTP authentication provide the necessary credentials here.
TLS. Enable this switch if the server expects TLS or STARTTLS encryption. It is recommended to enable it to encrypt both credentials and data during SMTP connections.
The Set default rule defines a rule that matches if none of the remaining rules do, or if no rule is defined at all. This type of rule is used to configure a smarthost, a mail server where mail messages for external domains is relayed.
When a Default or Recipient rule is created or modified, existing rules of the same type with the same Hostname and Port combination are updated automatically. The new TLS and Authentication settings are applied collectively to these rules. This ensures that messages sent through a given Hostname and Port use consistent credentials and TLS preferences, regardless of the destination address.
Once created, a rule can be edited, disabled or deleted from the three-dots menu. When a rule is edited, the rule type and subject cannot be changed: delete it instead.
See also Relay settings for other configurations about the
relay of messages towards other mail servers. In the Relay
page, the
Settings button leads to them.
Settings#
Application settings are split up and accessible under the cards described by the following sections.
General settings#
The following values are set at application first configuration time. They should not be changed in production:
Mail server hostname
configures how the MTA identifies itself with other MTAs. To successfully receive email messages, use this host name to configure the following DNS records:A record, resolving the Mail server hostname to the public and static IP address of the server.
PTR record, resolving back the IP address to the Mail server hostname.
MX records, one for each mail domain handled by the Mail application instance.
TXT records, as specified by DKIM, SPF and DMARC.
User domain
selects a LDAP database with user, groups and passwords. If the DB is changed existing mailboxes are not removed! A mailbox is still accessible if the same user name is present in both the old and the new database.
Mailboxes#
Under the Mailboxes
card you can configure the Default mail quota
.
If the general mailbox quota is enabled, the Mailboxes
page summarizes the quota usage for
each user. This summary is updated when a user logs in or a message is
delivered.
Under the Shared mailboxes
section, Shared seen
selects if the
IMAP seen flag is shared or not with other users. In general, the seen
flag is used to mark if a message has been read or not. In a shared
mailbox, each user can access the same message.
If users accessing the shared mailbox prefer to know if a mail has already been read by someone else, set
Shared seen
toenabled
(default).If users accessing the shared mailbox are not interested if a message has been already read by someone else, set
Shared seen
todisabled
.
Messages marked as spam (see Filter) can be automatically
moved into the Junk
folder by enabling the option Move spam to junk folder
.
Spam messages can be expunged automatically after a period of time.
You can configure it from the Default spam retention
option.
Master users#
Under the Master users
card, you can setup a user that can impersonate another user, gaining full rights
to any mailbox contents and folder permissions.
Credentials are accepted by the IMAP server:
user name of the master user, e.g.
master
master user password
For instance, to access as john
with root password secr3t
,
use the following credentials:
user name:
john*master
password:
secr3t
Queue settings#
The Maximal queue lifetime
parameter defines how many hours a message
can remain in the mail queue before it is returned to the sender.
The default value, 120 hours (5 days), is the retry time suggested by RFC5321. Lower values might be set to warn the sender early if some error occurs. For example, if the remote mail server refuses a message because our IP address is in a public block list, the message sender will be notified after 5 days: it might be considered too late.
Relay settings#
This section controls the Mail application configuration for special scenarios, described in the following sections.
IP-based relay#
Some old mail clients, like scanners, which provide limited software capabilities, might not support SMTP authentication or encryption: in this case it is possible to authorize the relay of messages to external domains by looking at their IP address instead of the usual credentials check.
List the IP address of such devices in the Allow relay from these IP
addresses
field. The address can be in IPv4 or IPv6 format. The IP based
policy can be spread to a whole network, specifying it in CIDR format.
For example, a value for the field can be
192.168.12.42
10.77.4.0/24
The IP address 192.168.12.42 (e.g. a document scanner) and the clients in the network subnet 10.77.4.0/24 can send mail messages without providing SMTP authentication.
Sender/login correspondence#
To avoid the unauthorized use of email addresses and the sender address
spoofing within the organization, enable the Enforce sender/login
match
switch.
If the switch is enabled the sender address of a message must correspond to the login name used by the mail client to connect with the mail server. Search the login name in the Addresses page to see what are the addresses it can use.
For example, with that switch enabled, if user john
has email address
john.doe@example.org
he cannot write an email message with a different
sender address, like sarah.smith@example.org
.
If the switch is disabled, as per default Mail configuration, an
authenticated mail client is allowed to send messages using any sender
address, so back to our example john
could write the message also as
sarah.smith@example.org
.
Warning
If you decide to enable the switch consider that public mailboxes and LDAP group addresses are not evaluated for the login/address correspondence.
Mail archive#
The Always BCC
switch controls a feature often required by mail
archiving solutions.
The acronym BCC stands for Blind Carbon Copy. When the switch is enabled,
enter a value in the Always BCC address
field: this address will
receive a hidden copy of any email message sent or received by the Mail
server.
Hint
Making a hidden copy of private email messages is a privacy-sensitive feature. Ensure its use complies with your country’s privacy laws, regulations, and company policies.
The Piler application can automatically configure
this field with the appropriate value, such as archive@piler1
or similar.
In this case, changing the address might prevent Piler from archiving new
messages.
Client configuration#
The server supports standard-compliant email clients using the following IANA ports:
imap/143
pop3/110
smtp/587
sieve/4190
Authentication requires the STARTTLS command and supports the following variants:
LOGIN
PLAIN
Also the following TLS-enabled ports are available for legacy software that still does not support STARTTLS:
imaps/993
pop3s/995
smtps/465
Warning
The standard SMTP port 25 is reserved for mail transfers between MTA servers. Mail user agents (MUA) must use the submission port.