Mail system implementation based on Postfix, Dovecot, Rspamd, OpenDKIM. The mail system configuration is split into many RPMs, described in the following sections.
- nethserver-mail-common
- nethserver-mail-smarthost
- nethserver-mail-disclaimer
- nethserver-mail-filter
- nethserver-mail-server
- nethserver-mail-ipaccess
- nethserver-mail-getmail
- nethserver-mail-p3scan
- mail-quarantine
- Database format
- Mail quota
- Disabled users
- Testing Dovecot with Mutt
- Set special ACL on mailboxes
- IP-based IMAP access restriction
- Enable dovecot IMAP rawlog
- Access the rspamd UI
- Bayesian rules upgrade to rspamd
- Sender address validation
- Postfix SMTP listening ports
- Dynamic group aliases
nethserver-mail-common: common infrastructure for nethserver-mail-server and nethserver-mail-filter, Postfix-based.
- Relay
- Queue parameters: age + message size
- MX record configuration
nethserver-mail-smarthost:
- Send mail through the given MTA (smarthost), with SMTP/AUTH
- StartTLS encryption
- Set sender address for mail sent from root user (see Notifications section under nethserver-base package README)
nethserver-mail-disclaimer:
- Attach disclaimer/legal notice to outbound messages for certain domains
- Runs altermime with the Postfix content_filter option
nethserver-mail-filter:
- Based on Rspamd
- Anti-spam with DNSBL (see: nethserver-unbound)
- Anti-virus
- Attachment block
- Real-time Blackhole List (RBL) (default disabled)
- Sender Policy Framework (SPF) (default disabled)
- Customized spam threshold
- Sender WBL, Recipient whitelist
nethserver-mail-server:
- IMAP/POP3 mailbox access protocols
- STARTTLS enabled by default
- Mail quota
- Sieve filters
- Postfix/dovecot-lda integration
- Multi-domain
- Domain-specific configuration
- Pseudonyms
- SMTP authentication
- Active Directory integration
- SpamAssassin's Bayesian classifier training (spamtrainers group)
- Spam retention time
- Sender address restriction based on login name
- Dynamic group members address list expansion
nethserver-mail-ipaccess: restricts IMAP access for a specific group of users. See IP-based IMAP access restriction.
nethserver-mail-getmail: the package configures getmail using cron.
For each enabled account the system:
- generates a .cfg file inside the /var/lib/getmail directory from the template /etc/e-smith/templates/getmailrc
- adds a line inside /etc/cron.d/getmail; all getmail instances use a non-blocking flock
- delivers the messages using dovecot-lda
All operations are logged in /var/log/maillog.
If a virus is found inside a received mail, the message is dropped.
Evidence of this is logged in /var/log/maillog:
Feb 14 18:19:10 vm5 clamd[1791]: instream(local): Eicar-Test-Signature FOUND
nethserver-mail-p3scan: this package configures p3scan, a fully transparent POP3 proxy server for email clients.
- POP3 and POP3s proxy
- Anti-virus and anti-spam checks
mail-quarantine: this package sets up a quarantine for spam. Spam messages are sent to a mailbox (you need to create it manually), waiting for review by the sysadmin. If enabled, a mail notification is sent to the postmaster (root alias) for each quarantined email.
Postfix example:
    postfix=service
        ...
        AccessPolicies=
        AlwaysBccStatus=disabled
        AlwaysBccAddress=
        MessageQueueLifetime=4
        MessageSizeMax=20000000
        ConnectionsLimit=
        ConnectionsLimitPerIp=
        SystemUserRecipientStatus=disabled
        ...
        SenderValidation=disabled
        DynamicGroupAlias=disabled
        HeloHost=
        SmartHostAuth=disabled
        SmartHostAuthStatus=disabled
        SmartHostName=192.168.5.252
        SmartHostPassword=password
        SmartHostPort=25
        SmartHostStatus=disabled
        SmartHostTlsStatus=enabled
        SmartHostUsername=ns1
Properties:
- AccessPolicies: a comma separated list of values. Obsoletes the SubmissionPolicyType prop. Currently defined values are smtpauth and trustednetworks.
  - smtpauth: enable SMTP/AUTH on port 25, otherwise it is enabled only on the 587 and 465 submission ports
  - trustednetworks: allow relay from any host in trusted networks (green network included)
- AlwaysBccStatus {enabled,disabled}: if enabled, any message entering the Postfix mail system is copied to the given AlwaysBccAddress.
- AlwaysBccAddress: an email address that always receives a message copy (controlled by AlwaysBccStatus).
- SystemUserRecipientStatus {enabled,disabled}: if enabled, accept from any network the recipient addresses formed by user account names and domain part localhost, localhost.<domainname> and FQDN hostname.
- SenderValidation {enabled,disabled}, default disabled: checks that the SMTP sender is consistent with /etc/login_maps and /etc/login_maps.pcre contents.
- DynamicGroupAlias {enabled,disabled}, default disabled: if enabled, create distribution lists based on system groups. See also the "Dynamic group aliases" section below.
- HeloHost: FQDN hostname used by Postfix when connecting to other MTAs.
Dovecot example:
    dovecot=service
        ...
        AdminIsMaster=disabled
        DeletedToTrash=disabled
        FtsLuceneStatus=enabled
        ImapStatus=enabled
        LmtpInetListenerStatus=disabled
        LogActions=disabled
        MaxProcesses=400
        MaxUserConnectionsPerIp=12
        PopStatus=enabled
        QuotaDefaultSize=20
        QuotaStatus=disabled
        SharedMailboxesStatus=enabled
        SpamFolder=Junk
        SpamRetentionTime=15d
        TlsSecurity=required
        RestrictedAccessGroup=
Properties:
- AdminIsMaster {enabled,disabled}: allow the root user to impersonate other users
- DeletedToTrash {enabled,disabled}: deletedtotrash plugin
- FtsLuceneStatus {enabled,disabled}: lucene indexed search plugin
- ImapStatus {enabled,disabled}: IMAP protocol switch
- LmtpInetListenerStatus {enabled,disabled}: open a TCP socket for the LMTP protocol
- LogActions {enabled,disabled}: IMAP actions logging plugin
- MaxProcesses N: maximum number of worker processes spawned by dovecot. A single user session usually requires multiple processes.
- MaxUserConnectionsPerIp N: maximum TCP connections for one user behind the same IP
- PopStatus {enabled,disabled}: POP3 protocol switch
- QuotaDefaultSize N: default user quota size (1 unit is 10MB)
- QuotaStatus {enabled,disabled}: general user mail quota switch
- SharedMailboxesStatus {disabled,enabled}: control the "Shared" IMAP namespace for per-user folder sharing
- SpamFolder FolderName: deliver spam tagged messages to the given folder (applied to all users)
- SpamRetentionTime Nd: expunge messages in SpamFolder if older than the given time span. "d" is for days.
- TlsSecurity {optional,required}: controls the dovecot disable_plaintext_auth parameter: if set to required, clear-text authentication methods are disabled, while optional enables them.
- RestrictedAccessGroup: the value is a long group name, like domain [email protected]. Members of the given group can login to dovecot services only from trusted networks. Install the nethserver-mail-server-ipaccess package to enable this feature.
p3scan example:
    p3scan=service
        SSLScan=enabled
        SpamScan=enabled
        TCPPort=8110
        Template=/etc/p3scan/p3scan-en.mail
        VirusScan=enabled
        access=
        status=enabled
rspamd example:
    rspamd=service
        BlockAttachmentClassList=Exec
        BlockAttachmentCustomList=doc,odt
        BlockAttachmentCustomStatus=disabled
        BlockAttachmentStatus=enabled
        OletoolsStatus=enabled
        Password=uO9QjlnRCDsT0ZCD
        RecipientWhiteList=
        SenderBlackList=
        SenderWhiteList=
        SpamCheckStatus=enabled
        SpamDsnLevel=20
        SpamGreyLevel=4
        SpamKillLevel=15
        SpamSubjectPrefixStatus=disabled
        SpamSubjectPrefixString=***SPAM***
        SpamTag2Level=6
        SpamTagLevel=2
        VirusAction=reject
        VirusCheckStatus=enabled
        VirusScanOnlyAttachment=false
        VirusScanSize=20000000
        status=enabled
Properties:
- BlockAttachmentClassList {Exec,Arch}: reject the attachments matching the extension list
- BlockAttachmentCustomList List: reject the attachments matching the custom extension list
- BlockAttachmentCustomStatus {enabled,disabled}: enable the custom list of rejected extensions
- OletoolsStatus {enabled,disabled}: enable Oletools to reject suspicious Microsoft Office document macros
- Password: password to authenticate the user rspamd for the Rspamd UI
- RecipientWhiteList: do not perform checks for the recipient list, always accept
- SenderBlackList: do not perform checks for the sender list, always reject
- SenderWhiteList: do not perform checks for the sender list, always accept
- SpamCheckStatus {enabled,disabled}: enable the SPAM filter
- SpamSubjectPrefixStatus {enabled,disabled}: enable rewriting the subject when a possible spam is detected
- SpamSubjectPrefixString string: rewrite the subject with the string when a possible spam is detected
- VirusAction: action when a virus is detected (reject is the default, 'rewrite_subject' to tag as spam)
- VirusCheckStatus {enabled,disabled}: enable the virus check with Clamav
- VirusScanOnlyAttachment {true,false}: if true only messages with non-image attachments will be checked
- VirusScanSize: messages larger than n bytes are not scanned (applies to Clamav and Oletools)
Record of type domain:
    internal.tld=domain
        ...
        TransportType=none

    mycompany.com=domain
        ...
        TransportType=Relay
        RelayHost=10.1.1.4
        RelayPort=25
        DisclaimerStatus=disabled

    test.tld=domain
        ...
        TransportType=SmtpSink

    example.com=domain
        ...
        TransportType=LocalDelivery
        UnknownRecipientsActionType=deliver
        UnknownRecipientsActionDeliverMailbox=jdoe
        AlwaysBccStatus=enabled
        AlwaysBccAddress=admin@there.org

    other.net=domain
        ...
        TransportType=Relay
        RelayHost=mail.other.net
        RelayPort=25
Groups:
    [email protected]=group
        ...
        MailStatus=enabled
        MailAccess=private

    [email protected]=group
        ...
        MailStatus=enabled
        MailAccess=public

    [email protected]=group
        ...
        MailStatus=enabled
        MailAccess=public
User:
    jdoe=user
        FirstName=John
        LastName=Doe
        ...
        MailStatus=enabled
        MailQuotaType=custom
        MailQuotaCustom=15
        MailForwardStatus=disabled
        MailForwardAddress=
        MailForwardKeepMessageCopy=no

and his pseudonyms::

    john.doe@example.com=pseudonym
        Account=jdoe
        ControlledBy=system
        Access=public

    doe@=pseudonym
        Account=jdoe
        ControlledBy=operators
        Access=private
All records of type getmail are saved inside the getmail database.
Properties:
- The key is the mail account to be downloaded
- status: can be enabled or disabled, default is enabled
- Account: local user where messages will be delivered. Should be in the form user@domain
- Server: server of the mail account
- Username: user name of the mail account
- Password: password of the mail account
- Delete: number of days after which downloaded messages will be deleted; -1 means never, 0 means immediately
- Time: integer number representing the minutes between each check, valid values are between 1 and 60
- FilterCheck: if enabled, check downloaded messages for viruses and spam using the rspamc classifier
- Retriever: can be any getmail retriever, see the Getmail official doc
- Retrievers available in the web interface:
  - SimplePOP3Retriever
  - SimplePOP3SSLRetriever
  - SimpleIMAPRetriever
  - SimpleIMAPSSLRetriever
Example:
db getmail set [email protected] getmail Account [email protected] status enabled Password Nethesis,1234 Server localhost Username [email protected] Retriever SimplePOP3Retriever Delete enabled Time 30 VirusCheck enabled SpamCheck enabled
The properties are under the rspamd key (configuration database)::

    rspamd=service
        ...
        QuarantineAccount=vmail+quarantine
        QuarantineSelector=is_reject
        QuarantineStatus=enabled
        SpamNotificationStatus=disabled

- ``QuarantineAccount``: the local email box where to send all spam (spam check is automatically disabled on this account). You must create it manually. You could send it to an external mailbox, but then you must disable the spam check on this server.
- ``QuarantineSelector``: it is possible to move to quarantine all spam (add_header, rewrite_subject, reject); allowed values are ``is_reject`` (default) or ``is_spam``.
- ``QuarantineStatus``: enable the quarantine, spam is no longer rejected: enabled/disabled (default).
- ``SpamNotificationStatus``: enable the email notification when emails are quarantined: enabled/disabled (default).

For example, the following commands enable the quarantine::

    config setprop rspamd QuarantineAccount [email protected] QuarantineStatus enabled SpamNotificationStatus enabled
    signal-event nethserver-mail-quarantine-save
The default mail quota is configured in dovecot.conf. A custom user mail quota is set by the dovecot-postlogin script, by reading /etc/dovecot/user-quota (which is a template). If a custom mail quota is set, the web interface does not show the updated value until the user performs an IMAP login.
By default all system users are also Dovecot users. To disable a user we configure a blacklist in dovecot.conf: /etc/dovecot/deny.passwd.
As Dovecot is configured as the authentication backend for Postfix, a disabled user also loses SMTP AUTH access.
Read admin's mail with Mutt IMAP client. Quickstart:
    yum install mutt
    cat - <<EOF > ~/.muttrc
    set spoolfile="imaps://root@localhost/"
    set folder=""
    EOF
    mutt
See: http://dev.mutt.org/doc/manual.html
When mutt starts it always asks for the root password.
To avoid typing the password again and again, write it in .muttrc::

    set spoolfile="imaps://root:PASSWORD@localhost/"
    set folder=""

PASSWORD must be URL-encoded. For instance the slash character / is encoded as %2f.
The nethserver-mail-shrmbx-modify action applies some predefined ACL settings to shared mailboxes (type the mailbox name twice: the action also performs a rename)::

    /etc/e-smith/events/actions/nethserver-mail-shrmbx-modify EVENT OLDNAME NEWNAME ID PERM [ID PERM ...]

For instance, let's grant full "admin" permissions to group "administrators"::

    /etc/e-smith/events/actions/nethserver-mail-shrmbx-modify ev 'Public folder1' 'Public Folder One' group=administrators@$(hostname -d) ADMIN

You can also use doveadm to set a special ACL on a shared mailbox::

    doveadm acl set -u <user> <shared_mailbox> <subject> <flags>

Example: allow insert and expunge to user goofy on public mailbox testshare (the domain of the machine is local.nethserver.org)::

    doveadm acl set -u [email protected] Public/testshare "[email protected]" insert expunge
This feature allows restricting IMAP access for a specific group. Members of the given group have IMAP access restricted to trusted networks.

Install the nethserver-mail-ipaccess package::

    yum install nethserver-mail-ipaccess

Set the limited group, remember to use the full group name <group>@<domain>::

    config setprop dovecot RestrictedAccessGroup <group>@<domain>

Example for group [email protected]::

    config setprop dovecot RestrictedAccessGroup [email protected]

Apply the configuration::

    signal-event nethserver-mail-server-save
The dovecot-postlogin script enforces an IP-based access policy on dovecot services when the file /etc/dovecot/ipaccess.conf exists and is readable.
The file is composed of comments and records. Comments are lines starting with #, whilst records have the following syntax::

    <long group name> = <cidr list>

A long group name is the group name with the domain suffix, like domain [email protected].
The cidr list is a comma-separated list of IP and network addresses in CIDR format, like 127.0.0.1, 192.168.1.0/24, 10.1.1.2. The binary conversion is implemented by the NetAddr::IP Perl module. See perldoc NetAddr::IP for details.
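The following is an added example, not the dovecot-postlogin script or any other code from the project: it parses the ipaccess.conf record syntax described above and decides whether a login from a given address is allowed, using the Python ipaddress module in place of NetAddr::IP. The sample file, the group membership table and the rule that users outside every restricted group are unaffected are assumptions of this example.

```python
"""Evaluate an /etc/dovecot/ipaccess.conf style policy (added example)."""
import ipaddress

# Constructed sample of the file format: comments start with '#',
# records map a long group name to a comma-separated CIDR list.
SAMPLE_IPACCESS_CONF = """\
# IP-based access policy (constructed sample)
restricted@example.com = 127.0.0.1, 192.168.1.0/24, 10.1.1.2
admins@example.com=10.0.0.0/8
"""

# Constructed stand-in for the group membership lookup (the real script
# resolves members through the system account provider).
SAMPLE_GROUPS = {
    "restricted@example.com": {"first.user@example.com", "second.user@example.com"},
    "admins@example.com": {"admin@example.com"},
}


def parse_ipaccess(text):
    """Return {long group name: [ip_network, ...]}, skipping comments and blanks.

    A malformed record raises ValueError so that a typo in the file does not
    silently open or close access.
    """
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected '<group> = <cidr list>'" % lineno)
        group, cidrs = (part.strip() for part in line.split("=", 1))
        networks = []
        for item in cidrs.split(","):
            item = item.strip()
            if item:
                # strict=False accepts a plain host address such as 10.1.1.2
                networks.append(ipaddress.ip_network(item, strict=False))
        policy[group] = networks
    return policy


def is_login_allowed(user, remote_ip, policy, groups):
    """Apply the policy: a member of a restricted group may log in only from
    that group's CIDR list; a user in no restricted group is not affected
    (assumption of this example)."""
    addr = ipaddress.ip_address(remote_ip)
    for group, networks in policy.items():
        if user in groups.get(group, ()):
            if not any(addr in net for net in networks):
                return False
    return True


if __name__ == "__main__":
    policy = parse_ipaccess(SAMPLE_IPACCESS_CONF)
    for user, ip in [("first.user@example.com", "192.168.1.20"),
                     ("first.user@example.com", "203.0.113.9"),
                     ("other@example.com", "203.0.113.9")]:
        verdict = "allowed" if is_login_allowed(user, ip, policy, SAMPLE_GROUPS) else "denied"
        print(user, ip, verdict)
```

Rejecting on a malformed record rather than skipping it is the safer failure mode: the file exists to narrow access, so an unreadable rule should be surfaced rather than ignored.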
This section describes how to record the list of IMAP commands sent by the client and the server during an IMAP session. For more information see Dovecot rawlog.

Create the file /etc/e-smith/templates-custom/etc/dovecot/dovecot.conf/90rawlog with the following contents::

    #
    # 90rawlog (custom)
    #
    import_environment = $import_environment DEBUG=1
    service imap-postlogin \{
      executable = script-login -d rawlog -t /usr/libexec/nethserver/dovecot-postlogin
    \}

Apply the new configuration::

    signal-event nethserver-mail-server-save

To enable IMAP rawlog for a specific user, identify the user (vmail) home directory with the following command::

    # doveadm user -u [email protected]
    userdb: [email protected]
      system_groups_user: [email protected]
      uid       : 987
      gid       : 990
      home      : /var/lib/nethserver/vmail/[email protected]

Warning: always use the user long name form, which includes the @domain suffix. In our example first.user would not work.

Create the dovecot.rawlog directory and change its permissions::

    mkdir "/var/lib/nethserver/vmail/[email protected]/dovecot.rawlog"
    chown vmail:vmail "/var/lib/nethserver/vmail/[email protected]/dovecot.rawlog"

Detailed IMAP rawlogs are now created under the user's (vmail) home directory.
Each session is split into two files: the .in file for client requests, the .out file for server responses. For instance::

    /var/lib/nethserver/vmail/[email protected]/dovecot.rawlog/20180913-143301-6293.in
    /var/lib/nethserver/vmail/[email protected]/dovecot.rawlog/20180913-143301-6293.out

The initial timestamp helps to merge them together and obtain the complete IMAP session trace::

    sort -n /var/lib/nethserver/vmail/[email protected]/dovecot.rawlog/20180913-143301-6293.*
The rspamd UI is available from the same httpd instance as the Server Manager::

    https://<IP>:980/rspamd

Access is granted to any account defined in /etc/httpd/admin-conf/rspamd.secret. By default a rspamd login is created automatically. Its password is available with the following command::

    config getprop rspamd Password

Additional accounts can be created with the following command::

    /usr/bin/htpasswd -b -m /etc/httpd/admin-conf/rspamd.secret username S3cr3t

If an account provider is configured, the default access policy for the rspamd UI also grants access to the admin user and to members of the domain admins group. Type config show admins for details.
Each Junk (or junkmail) folder from users' accounts, if present, can be used to train the Rspamd Bayesian filter database, by running the attached script::

    bash /usr/share/doc/nethserver-mail-server-*/bayes_training.sh
If the postfix/SenderValidation prop is set to enabled, the SMTP server restricts the Mail from command usage. The sender address must be associated with the SMTP login name. The login/sender match is specified in the following Postfix tables, both implemented with an e-smith template:
- /etc/postfix/login_maps
- /etc/postfix/login_maps.pcre

To enable the SenderValidation::

    config setprop postfix SenderValidation enabled
    signal-event nethserver-mail-server-update
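The following is an added example, not the project's templates or Postfix itself: it models the login/sender match the SenderValidation feature relies on. The two tables are represented as an exact-match map (standing in for login_maps) and a list of regular-expression rules with backreferences (standing in for login_maps.pcre); the table layout assumed here follows the Postfix smtpd_sender_login_maps convention of keying on the sender address and listing the login names that own it, and the decision logic mirrors the reject_sender_login_mismatch restriction. Both tables and all addresses are constructed for the example.

```python
"""Sender/login consistency check for MAIL FROM (added example)."""
import re

# Constructed stand-in for /etc/postfix/login_maps: sender -> allowed logins.
LOGIN_MAPS = {
    "jdoe@example.com": {"jdoe@example.com"},
    "info@example.com": {"jdoe@example.com", "asmith@example.com"},
}

# Constructed stand-in for /etc/postfix/login_maps.pcre: regex rules whose
# replacement may use backreferences. This one maps every <local>@example.com
# to the login <local>@example.com.
LOGIN_MAPS_PCRE = [
    (re.compile(r"^([^@]+)@example\.com$", re.IGNORECASE), r"\1@example.com"),
]


def lookup_owners(sender):
    """Return the set of logins allowed to use `sender`, or None when the
    address is listed in neither table (exact map is consulted first)."""
    sender = sender.lower()
    if sender in LOGIN_MAPS:
        return LOGIN_MAPS[sender]
    for pattern, replacement in LOGIN_MAPS_PCRE:
        match = pattern.match(sender)
        if match:
            return {match.expand(replacement)}
    return None


def check_mail_from(login, sender):
    """Decide on a MAIL FROM the way reject_sender_login_mismatch does.

    login is the SASL login name, or None for an unauthenticated client.
    Returns (accepted, reason):
    - unauthenticated client using an owned address       -> rejected
    - authenticated client using an address it does not own -> rejected
    - authenticated client using an unlisted address        -> rejected
    - unauthenticated client using an unlisted address      -> accepted
      (other restrictions, not modelled here, still apply to it)
    """
    owners = lookup_owners(sender)
    if login is None:
        if owners:
            return False, "sender %s is owned by a login, authentication required" % sender
        return True, "unlisted sender from unauthenticated client"
    if owners is None:
        return False, "sender %s is not mapped to login %s" % (sender, login)
    if login.lower() not in owners:
        return False, "sender %s is not owned by login %s" % (sender, login)
    return True, "sender matches login"


if __name__ == "__main__":
    for login, sender in [("jdoe@example.com", "jdoe@example.com"),
                          ("asmith@example.com", "jdoe@example.com"),
                          ("asmith@example.com", "info@example.com"),
                          ("jdoe@example.com", "ceo@other.org"),
                          (None, "jdoe@example.com")]:
        print(login, sender, check_mail_from(login, sender))
```

The order of the two lookups matters: an exact entry such as info@example.com with several owners must win over the catch-all regex, otherwise the shared address would be usable by only one login.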
The Postfix SMTP server listens on the following TCP ports:
- 25, standard SMTP port; used by other MTAs
- 587, standard SMTP submission port; STARTTLS required by default to protect login passwords; used by MUAs
- 465, standard SMTPS submission port; TLS always required at socket level; used by MUAs which do not support STARTTLS
- 10587, additional SMTP submission port for localhost only; no TLS required; used by local mail applications
If the postfix/DynamicGroupAlias prop is enabled, an additional virtual_alias_maps TCP table is available. It expands a long group name to the group members list with a getent group call. The table is implemented in /usr/libexec/nethserver/postfix-get-group. Note that group member lists are returned by SSSD: as such they obey its caching rules.

When the DynamicGroupAlias general switch is enabled, individual groups can be disabled and marked private. If the MailStatus prop is disabled, the group long name is no longer considered a valid email address. The MailAccess prop works like the Access prop for user records: if set to private, only authenticated SMTP clients are allowed to use it as a recipient.

Accounts DB group props example::

    [email protected]=group
        ...
        MailStatus=enabled
        MailAccess=private
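The following is an added example, not the postfix-get-group script itself: it implements the Postfix tcp_table(5) request/reply exchange ("get <key>" answered with "200 <value>", "500 <reason>" for a miss, or "400 <reason>" for a malformed request) for the group expansion described above, and honours the MailStatus prop so that a disabled group stops resolving. The getent output and the accounts DB records are constructed dictionaries standing in for the real lookups; the MailAccess=private restriction is enforced by Postfix recipient restrictions rather than by the table, so it is not modelled here.

```python
"""Postfix tcp_table handler that expands a long group name (added example)."""
from urllib.parse import quote, unquote

# Constructed stand-in for `getent group`: long group name -> member logins.
GETENT_GROUPS = {
    "sales@example.com": ["jdoe@example.com", "asmith@example.com"],
    "board@example.com": ["ceo@example.com"],
    "empty@example.com": [],
}

# Constructed stand-in for the accounts DB group records.
GROUP_RECORDS = {
    "sales@example.com": {"MailStatus": "enabled", "MailAccess": "private"},
    "board@example.com": {"MailStatus": "disabled", "MailAccess": "public"},
    "empty@example.com": {"MailStatus": "enabled", "MailAccess": "public"},
}


def expand_group(long_name, getent=GETENT_GROUPS, records=GROUP_RECORDS):
    """Return the member list for a mail-enabled group, or None when the long
    name is not a valid alias: unknown group, MailStatus disabled, or no
    members (an empty expansion would otherwise silently swallow mail)."""
    rec = records.get(long_name)
    if rec is None or rec.get("MailStatus") != "enabled":
        return None
    members = getent.get(long_name)
    if not members:
        return None
    return members


def handle_request(line, **lookups):
    """Answer one tcp_table request line; returns the reply without newline.

    Postfix %XX-encodes the key and expects the value encoded the same way;
    ',' '@' and '.' are left readable, which Postfix decodes identically.
    """
    line = line.rstrip("\r\n")
    if " " not in line:
        return "400 malformed request"
    verb, key = line.split(" ", 1)
    if verb != "get":
        return "500 unsupported request %s" % quote(verb)
    members = expand_group(unquote(key), **lookups)
    if members is None:
        return "500 no such alias"
    return "200 " + quote(",".join(members), safe=",@.")


if __name__ == "__main__":
    for req in ["get sales@example.com", "get board@example.com",
                "get empty@example.com", "get nobody@example.com", "put x y"]:
        print(req, "->", handle_request(req))
```

A "500" for a disabled or empty group is what makes Postfix fall through to its other alias maps and eventually reject the recipient, which is the behaviour the MailStatus switch is meant to produce.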