Courier

useful commands and hints..

in case of fast sending, spam problems, ..: always check the mailq! - it is stored in /var/lib/courier/msgs and /var/lib/courier/msgq - you may delete and loose all pending outgoing mail by deleting these folders after stopping courier-mta.

mailq displays a list of all messages that have not been delivered yet:

 mailq|less

delete message from mailq - cancelmsg sends an an error mail to the user!:

cancelmsg msgID

Delete ALL messages from mailq - soft version - cancelmsg sends an an error mail to the user!

for i in `mailq | egrep '^[0-9]' | awk ' {print $1}'`; do echo "Dropping message $i..."; cancelmsg $i; done

Brutal way:

/etc/init.d/courier-mta stop
/etc/init.d/courier-mta-ssl stop
cd /var/lib/courier
mv msgs msgserror
mv msgq msgqerror
mkdir msgs
mkdir msgq
chown courier:courier msgs
chown courier:courier msgq

/etc/init.d/courier-mta start 
/etc/init.d/courier-mta-ssl start 

better scripts: https://github.com/svarshavchik/courier-contrib

generate, check and activate aliases:

 makealiases; makealiases -chk; courier flush

find relay errors:

 grep "error,relay"  /var/log/mail.log|less

config tricks

SSL Certificates

…tricky!

All config files use these two variables, so I set them to the same cert files in all configs:

Private Key and Cert and intermediate-cert and root-cert(s) combined in one file. The order is unclear. I had the private key first for many years, but documentations speak about putting the cert first:

cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem 
              
TLS_CERTFILE=/etc/courier/cert.pem

This contains the intermidiate-certs - i use the ca-bundle provided by the vert dealer This seems to be only used by eSMTP - IMAP and POP works without it

TLS_TRUSTCERTS=/etc/courier/inter.crt

Checks:

openssl s_client -starttls imap -connect myserver.example.com:143

https://www.sslchecker.com/sslchecker

SMTP-Error after cert install: “no cipher suites found”: ~might~ have been a problem with gnutls, which was fixed by updating (2018.01). he cert order is irrelavant and an old TLS_TRUSTCERTS works, too.

disable sslv2 and insecure ciphers

WORK IN PROGRESS

set the following in /etc/courier/imapd-ssl, pop3d-ssl, esmtpd,esmtpd-ssl, courierd:

TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
TLS_CIPHER_LIST="!SSLv2:!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"

and additionally this in /etc/courier/imapd-ssl, pop3d-ssl

TLS_STARTTLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"

.forward

there are two ways, to configure forwarding of all mails:

1. use $HOME/.courier to setup $HOME/.forward for one account

|| dotforward
| /usr/bin/maildrop

2. NOT TESTED: use /etc/courier/courierd to setup “dotforward” for all accounts

DEFAULTDELIVERY="||dotforward
| /usr/bin/maildrop"

Put the addresses to forward to in $HOME/.forward.

original-receiver@example.com,test@example.com,test2@example.com

Slow Connections

Disable TCPDOPTS -noidentlookup for imap, pop, esamtp. It performs an ident lookup and waits for timeout then.

If SMTP sending is slow, e.g. in webmail, add “-noidentlookup” to /etc/courier/esmtpd's TCPDOPTS

Bugs & Fixes

outbound authentication

 courieresmtpd: error,relay=::ffff:9x.2x6.7x.1x5,from=<mymail@m<domain.net>,
 to=<friend@otherdomain.net>: 513 Relaying denied.

outbound authentication must be checked within the email client!

(This is the second method if pop-before-smtp fails.)

Please make sure that “Server requires authentication” is enabled in your email client.

554 error - blacklisted :(

importantDNS / reverse DNS rules:

  1. Mailserver-Software verwendet ausgehend einen vernünftigen DNS Namen z.B. servername.domain.tld
  2. A / AAAA Record setzen z.B. servername.domain.tld ⇒ IP
  3. PTR - ReverseDNS vom Provider setzen lassen z.B. IP ⇒ servername.domain.tld
  4. MX Record setzen z.B. MX1 PRIO 10 = servername.domain.tld
  5. DNS TXT / SPF Record setzen z.B. v=spf1 mx -all
  6. abuse@domain alias einrichten
  7. check blacklists!

556 Address unavailable error

There have been too many errors sending to this local address, so courier disables it for 2 hours to avoid backscatter.

This should show (all) 556 blocked addresses, but does not work:

courier show all | <email>

This releases the lock, so the address becomes available (maybe restart courier):

courier clear all | <email>

Spamassassin

DNSBL AHBL is dead

DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org

remove it from /usr/share/spamassassin/20_dnsbl_tests.cf

auto-whitelist

if someone sends spam, the address can get a high POSITIVE ranking which leads to spam

remove an address from spam - must be run as root in root's folder:

  • copy auto-whitelist to /root/.spamassassin/auto-whitelist
  • spamassassin –remove-addr-from-whitelist=user@example.com
  • check: sa-awl root/.spamassassin/auto-whitelist | grep user@example.com
  • copy /root/.spamassassin/auto-whitelist back to user dir

check all auto-whitelists:

for i in /home/* ; do echo $i; sa-awl $i/.spamassassin/auto-whitelist| grep example; done;

Plugins

Some useful Plugins and Settings:

https://www.syn-flut.de/spamassassin-erkennungsrate-deutlich-verbessern

We use these:

  • RelayCountry
  • local DNS Resolver to avoid getting blacklisted by blacklists for too many DNS queries
 
Back to top
linux/emailserver/courier.txt · Last modified: 2018/04/03 15:27 by tkilla