in case of fast sending, spam problems, ..: always check the mailq! - it is stored in /var/lib/courier/msgs and /var/lib/courier/msgq - you may delete and loose all pending outgoing mail by deleting these folders after stopping courier-mta.
mailq displays a list of all messages that have not been delivered yet:
mailq|less
delete message from mailq - cancelmsg sends an an error mail to the user!:
cancelmsg msgID
Delete ALL messages from mailq - soft version - cancelmsg sends an an error mail to the user!
for i in `mailq | egrep '^[0-9]' | awk ' {print $1}'`; do echo "Dropping message $i..."; cancelmsg $i; done
Brutal way:
/etc/init.d/courier-mta stop /etc/init.d/courier-mta-ssl stop cd /var/lib/courier mv msgs msgserror mv msgq msgqerror mkdir msgs mkdir msgq chown courier:courier msgs chown courier:courier msgq /etc/init.d/courier-mta start /etc/init.d/courier-mta-ssl start
better scripts: https://github.com/svarshavchik/courier-contrib
generate, check and activate aliases:
makealiases; makealiases -chk; courier flush
find relay errors:
grep "error,relay" /var/log/mail.log|less
…tricky!
All config files use these two variables, so I set them to the same cert files in all configs:
Private Key and Cert and intermediate-cert and root-cert(s) combined in one file. The order is unclear. I had the private key first for many years, but documentations speak about putting the cert first:
cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem
TLS_CERTFILE=/etc/courier/cert.pem
This contains the intermidiate-certs - i use the ca-bundle provided by the vert dealer This seems to be only used by eSMTP - IMAP and POP works without it
TLS_TRUSTCERTS=/etc/courier/inter.crt
Checks:
openssl s_client -starttls imap -connect myserver.example.com:143
https://www.sslchecker.com/sslchecker
SMTP-Error after cert install: “no cipher suites found”: ~might~ have been a problem with gnutls, which was fixed by updating (2018.01). he cert order is irrelavant and an old TLS_TRUSTCERTS works, too.
WORK IN PROGRESS
set the following in /etc/courier/imapd-ssl, pop3d-ssl, esmtpd,esmtpd-ssl, courierd:
TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1" TLS_CIPHER_LIST="!SSLv2:!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
and additionally this in /etc/courier/imapd-ssl, pop3d-ssl
TLS_STARTTLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
there are two ways, to configure forwarding of all mails:
1. use $HOME/.courier to setup $HOME/.forward for one account
|| dotforward | /usr/bin/maildrop
2. NOT TESTED: use /etc/courier/courierd to setup “dotforward” for all accounts
DEFAULTDELIVERY="||dotforward | /usr/bin/maildrop"
Put the addresses to forward to in $HOME/.forward.
original-receiver@example.com,test@example.com,test2@example.com
Disable TCPDOPTS -noidentlookup for imap, pop, esamtp. It performs an ident lookup and waits for timeout then.
If SMTP sending is slow, e.g. in webmail, add “-noidentlookup” to /etc/courier/esmtpd's TCPDOPTS
courieresmtpd: error,relay=::ffff:9x.2x6.7x.1x5,from=<mymail@m<domain.net>, to=<friend@otherdomain.net>: 513 Relaying denied.
outbound authentication must be checked within the email client!
(This is the second method if pop-before-smtp fails.)
Please make sure that “Server requires authentication” is enabled in your email client.
importantDNS / reverse DNS rules:
There have been too many errors sending to this local address, so courier disables it for 2 hours to avoid backscatter.
This should show (all) 556 blocked addresses, but does not work:
courier show all | <email>
This releases the lock, so the address becomes available (maybe restart courier):
courier clear all | <email>
DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org
remove it from /usr/share/spamassassin/20_dnsbl_tests.cf
if someone sends spam, the address can get a high POSITIVE ranking which leads to spam
remove an address from spam - must be run as root in root's folder:
check all auto-whitelists:
for i in /home/* ; do echo $i; sa-awl $i/.spamassassin/auto-whitelist| grep example; done;
Some useful Plugins and Settings:
https://www.syn-flut.de/spamassassin-erkennungsrate-deutlich-verbessern
We use these: