Differences

This shows you the differences between two versions of the page.

--- linux:emailserver:courier [2015/11/01 11:01]
tkilla
+++ linux:emailserver:courier [2018/02/01 02:09]
tkilla
@@ Line 18: / Line 18: @@
 Brutal way:
   /etc/init.d/courier-mta stop
-  cd /var/lib/courier ; rm -fR msgs/* msgq/*
+  /etc/init.d/courier-mta-ssl stop
-  /etc/init.d/couriermta start
+  cd /var/lib/courier
+  mv msgs msgserror
+  mv msgq msgqerror
+  mkdir msgs
+  mkdir msgq
+  chown daemon:daemon msgs
+  chown daemon:daemon msgq
+  /etc/init.d/courier-mta start
+  /etc/init.d/courier-mta-ssl start
+**better scripts:** https://github.com/svarshavchik/courier-contrib
 generate, check and activate aliases:
@@ Line 33: / Line 46: @@
 ===== config tricks =====
+===== SSL Certificates =====
+...tricky!
+All config files use these two variables, so I set them to the same cert files in all configs:
+Private Key and Cert and intermediate-cert and root-cert(s) combined in one file. The order is unclear. I had the private key first for many years, but documentations speak about putting the cert first:
+  cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem
+  TLS_CERTFILE=/etc/courier/cert.pem
+This contains the intermidiate-certs - i use the ca-bundle provided by the vert dealer
+This seems to be only used by eSMTP - IMAP and POP works without it
+  TLS_TRUSTCERTS=/etc/courier/inter.crt
+Checks:
+  openssl s_client -starttls imap -connect myserver.example.com:143
+https://www.sslchecker.com/sslchecker
+SMTP-Error after cert install: "no cipher suites found": ~might~ have been a problem with gnutls, which was fixed by updating (2018.01). he cert order is irrelavant and an old TLS_TRUSTCERTS works, too.
+==== disable sslv2 and insecure ciphers ====
+WORK IN PROGRESS
+set the following in /etc/courier/imapd-ssl, pop3d-ssl, esmtpd,esmtpd-ssl, courierd:
+  TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
+  TLS_CIPHER_LIST="!SSLv2:!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
+and additionally this in /etc/courier/imapd-ssl, pop3d-ssl
+  TLS_STARTTLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
 ==== .forward ====
@@ Line 52: / Line 107: @@
   original-receiver@example.com,test@example.com,test2@example.com
+==== Slow Connections ====
+Disable TCPDOPTS -noidentlookup for imap, pop, esamtp. It performs an ident lookup and waits for timeout then.
+If SMTP sending is slow, e.g. in webmail, add "-noidentlookup" to /etc/courier/esmtpd's TCPDOPTS
@@ Line 77: / Line 139: @@
   - DNS TXT / SPF Record setzen z.B. v=spf1 mx -all
   - abuse@domain alias einrichten
+  - **check blacklists!**
+==== 556 Address unavailable error ====
+There have been too many errors sending to this local address, so courier disables it for 2 hours to avoid backscatter.
+This should show (all) 556 blocked addresses, but does not work:
+  courier show all | <email>
+This releases the lock, so the address becomes available (maybe restart courier):
+  courier clear all | <email>
@@ Line 103: / Line 179: @@
+==== Plugins ====
+Some useful Plugins and Settings:
+https://www.syn-flut.de/spamassassin-erkennungsrate-deutlich-verbessern
+We use these:
+  * RelayCountry
+  * local DNS Resolver to avoid getting blacklisted by blacklists for too many DNS queries

fr33.info

User Tools

Site Tools

Differences

Page Tools