====== Courier ======

===== useful commands and hints =====

**In case of fast sending, spam problems etc.: always check the mailq!**
  * it is stored in /var/lib/courier/msgs and /var/lib/courier/msgq
  * you may delete (and lose) all pending outgoing mail by deleting these folders after stopping courier-mta.

mailq displays a list of all messages that have not been delivered yet:
<code bash>
mailq | less
</code>

Delete one message from the mailq - **cancelmsg sends an error mail to the user!**:
<code bash>
cancelmsg msgID
</code>

Delete ALL messages from the mailq, soft version - **cancelmsg sends an error mail to the user!**:
<code bash>
# message IDs are the first field of the mailq lines that start with a digit
for i in $(mailq | grep -E '^[0-9]' | awk '{print $1}'); do
    echo "Dropping message $i..."
    cancelmsg "$i"
done
</code>

Brutal way:
<code bash>
/etc/init.d/courier-mta stop
/etc/init.d/courier-mta-ssl stop
cd /var/lib/courier
mv msgs msgserror
mv msgq msgqerror
mkdir msgs
mkdir msgq
chown courier:courier msgs
chown courier:courier msgq
/etc/init.d/courier-mta start
/etc/init.d/courier-mta-ssl start
</code>

**Better scripts:** https://github.com/svarshavchik/courier-contrib

Generate, check and activate aliases:
<code bash>
makealiases; makealiases -chk; courier flush
</code>

Find relay errors:
<code bash>
grep "error,relay" /var/log/mail.log | less
</code>

===== config tricks =====

==== SSL Certificates ====

...tricky! All config files use these two variables, so I set them to the same cert files in all configs: private key, cert, intermediate cert and root cert(s) combined in one file. The order is unclear.
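As an added check for this section (my example, not from this page or the Courier project): it reads TLS_* lines in the style of /etc/courier/imapd-ssl, reports the layout of the combined PEM file, and audits the TLS_PROTOCOL / TLS_CIPHER_LIST values from the "disable sslv2 and insecure ciphers" subsection. It goes beyond the page in flagging TLS1 and TLS1_1, which RFC 8996 deprecates; the config fragment and the PEM blocks are constructed stand-ins, not real keys.

```python
import base64
import re

# Constructed stand-ins for a /etc/courier/imapd-ssl fragment (the values this page sets)
# and for the combined PEM file built with cat; the PEM bodies are dummy bytes, not keys.
SAMPLE_CONF = """\
TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
TLS_STARTTLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
TLS_CIPHER_LIST="!SSLv2:!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
TLS_CERTFILE=/etc/courier/cert.pem
"""
SAMPLE_PEM = "".join(
    f"-----BEGIN {l}-----\n{base64.b64encode(b'dummy ' + l.encode()).decode()}\n-----END {l}-----\n"
    for l in ("PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"))

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)
DEPRECATED = {"TLS1", "TLS1_1"}  # TLS 1.0 and 1.1, deprecated by RFC 8996
MUST_EXCLUDE = {"!SSLv2", "!SSLv3", "!NULL", "!aNULL", "!EXP", "!LOW"}

def parse_conf(text):
    """KEY=value lines as in /etc/courier/*; '#' comments skipped, quotes stripped."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip("\"'")
    return conf

def pem_layout(text):
    """Ordered block labels of a combined PEM; a body that is not valid base64 raises."""
    labels = []
    for label, body in PEM_RE.findall(text):
        base64.b64decode("".join(body.split()), validate=True)  # catches a truncated cat/paste
        labels.append(label)
    return labels

def audit_tls(conf, pem_text):
    """Findings (empty list == fine) for the bundle and the protocol/cipher settings."""
    findings = []
    labels = pem_layout(pem_text)
    if sum("PRIVATE KEY" in l for l in labels) != 1 or "CERTIFICATE" not in labels:
        findings.append("bundle needs exactly one private key and at least one certificate")
    for key in ("TLS_PROTOCOL", "TLS_STARTTLS_PROTOCOL"):
        weak = [p for p in conf.get(key, "").split(":") if p in DEPRECATED]
        if weak:
            findings.append(f"{key} still allows {':'.join(weak)}")
    missing = MUST_EXCLUDE - set(conf.get("TLS_CIPHER_LIST", "").split("@")[0].split(":"))
    if missing:
        findings.append("TLS_CIPHER_LIST does not exclude " + ", ".join(sorted(missing)))
    return findings
```

Whether a plain `TLS_PROTOCOL="TLS1_2"` is accepted depends on the GnuTLS or OpenSSL build of your Courier; check the comment block above the setting in your imapd-ssl.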
I had the private key first for many years, but the documentation speaks about putting the cert first:
<code bash>
cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem
</code>
<code>
TLS_CERTFILE=/etc/courier/cert.pem
</code>

This one contains the intermediate certs - I use the ca-bundle provided by the cert dealer. It seems to be only used by eSMTP - IMAP and POP work without it:
<code>
TLS_TRUSTCERTS=/etc/courier/inter.crt
</code>

Checks:
<code bash>
openssl s_client -starttls imap -connect myserver.example.com:143
</code>
https://www.sslchecker.com/sslchecker

SMTP error after cert install, "no cipher suites found": //might// have been a problem with gnutls, which was fixed by updating (2018.01). The cert order is irrelevant and an old TLS_TRUSTCERTS works, too.

=== disable sslv2 and insecure ciphers ===

WORK IN PROGRESS

Set the following in /etc/courier/imapd-ssl, pop3d-ssl, esmtpd, esmtpd-ssl and courierd:
<code>
TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
TLS_CIPHER_LIST="!SSLv2:!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
</code>
and additionally this in /etc/courier/imapd-ssl and pop3d-ssl:
<code>
TLS_STARTTLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
</code>

==== .forward ====

There are two ways to configure forwarding of all mails:

1. Use $HOME/.courier to set up $HOME/.forward for one account. Content of $HOME/.courier:
<code>
|| dotforward | /usr/bin/maildrop
</code>

2. NOT TESTED: use /etc/courier/courierd to set up "dotforward" for all accounts:
<code>
DEFAULTDELIVERY="||dotforward | /usr/bin/maildrop"
</code>

Put the addresses to forward to in $HOME/.forward:
<code>
original-receiver@example.com,test@example.com,test2@example.com
</code>

==== Slow Connections ====

Add -noidentlookup to TCPDOPTS for imap, pop and esmtp. Otherwise the daemon performs an ident lookup and waits for its timeout.

If SMTP sending is slow, e.g. in webmail, add "-noidentlookup" to the TCPDOPTS in /etc/courier/esmtpd.

===== Bugs & Fixes =====

==== outbound authentication ====

<code>
courieresmtpd: error,relay=::ffff:9x.2x6.7x.1x5,from=, to=: 513 Relaying denied.
</code>

Outbound authentication must be checked within the email client!
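To see how often this 513 fires and from where, an added example (mine, not from this page) that runs over constructed mail.log lines in the format quoted above; one client repeating the same sender is the misconfiguration this section describes, while many different senders from one IP is a relay probe worth a look:

```python
import re
from collections import Counter

# Constructed mail.log lines in the courieresmtpd "error,relay=" format quoted on this
# page; hosts, addresses and IPs are made up.
SAMPLE_LOG = """\
Jan 12 10:01:02 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<alice@example.com>,to=<bob@example.net>: 513 Relaying denied.
Jan 12 10:01:09 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<alice@example.com>,to=<carol@example.net>: 513 Relaying denied.
Jan 12 10:02:15 mx courieresmtpd: started,ip=[::ffff:198.51.100.7]
Jan 12 10:02:16 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<spam@example.org>,to=<victim@example.net>: 513 Relaying denied.
Jan 12 10:02:20 mx courieresmtpd: error,relay=::ffff:198.51.100.7,from=<other@example.org>,to=<victim2@example.net>: 513 Relaying denied.
Jan 12 10:03:00 mx courieresmtpd: error,relay=::ffff:192.0.2.10,from=<alice@example.com>,to=<dave@example.net>: 513 Relaying denied.
"""

# from=/to= may appear with or without angle brackets, and empty (as in the line quoted above)
RELAY_RE = re.compile(
    r"courieresmtpd: error,relay=(?P<relay>[^,]+),"
    r"from=<?(?P<sender>[^>,]*)>?,\s*to=<?(?P<rcpt>[^>:]*)>?: (?P<code>\d{3}) (?P<text>.*)$"
)

def plain_ip(addr):
    """Courier logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); return the bare IPv4."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def parse_relay_errors(log_text):
    """One dict per 'error,relay=' line (relay, sender, rcpt, code, text); other lines skipped."""
    events = []
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["relay"] = plain_ip(ev["relay"])
            events.append(ev)
    return events

def relaying_denied_by_source(events, threshold=2):
    """IPs with at least `threshold` 513 rejections, each with the set of envelope
    senders it tried: one repeating sender is usually a client without SMTP auth
    (the fix on this page), many different senders from one IP looks like a relay probe."""
    counts = Counter(ev["relay"] for ev in events if ev["code"] == "513")
    report = {}
    for ip, n in counts.items():
        if n >= threshold:
            senders = {ev["sender"] for ev in events if ev["relay"] == ip and ev["code"] == "513"}
            report[ip] = {"rejections": n, "senders": senders}
    return report
```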
(This is the second method if pop-before-smtp fails.) **Please make sure that "Server requires authentication" is enabled in your email client.**

==== 554 error - blacklisted :( ====

Important DNS / reverse DNS rules:
  * the mail server software uses a sensible DNS name for outgoing mail, e.g. servername.domain.tld
  * set an A / AAAA record, e.g. servername.domain.tld => IP
  * have the provider set the PTR / reverse DNS record, e.g. IP => servername.domain.tld
  * set an MX record, e.g. MX1 PRIO 10 = servername.domain.tld
  * set a DNS TXT / SPF record, e.g. v=spf1 mx -all
  * set up an abuse@domain alias
  * **check blacklists!**

==== 556 Address unavailable error ====

There have been too many errors sending to this local address, so Courier disables it for 2 hours to avoid backscatter.

This should show (all) 556-blocked addresses, but does not work:
<code bash>
courier show all
</code>
This releases the lock, so the address becomes available again (maybe restart Courier):
<code bash>
courier clear all
</code>

===== Spamassassin =====

==== DNSBL AHBL is dead ====

<code>
DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org
</code>
Remove it from /usr/share/spamassassin/20_dnsbl_tests.cf.

==== auto-whitelist ====

If someone sends spam, the address can get a high POSITIVE ranking, which leads to spam.

Remove an address from the auto-whitelist - must be run as root in root's folder:
  - copy the user's auto-whitelist to /root/.spamassassin/auto-whitelist
  - spamassassin --remove-addr-from-whitelist=user@example.com
  - check: sa-awl /root/.spamassassin/auto-whitelist | grep user@example.com
  - copy /root/.spamassassin/auto-whitelist back to the user's dir

Check all auto-whitelists:
<code bash>
for i in /home/*; do echo "$i"; sa-awl "$i/.spamassassin/auto-whitelist" | grep example; done
</code>

==== Plugins ====

Some useful plugins and settings: https://www.syn-flut.de/spamassassin-erkennungsrate-deutlich-verbessern

We use these:
  * RelayCountry
  * a local DNS resolver, to avoid getting blacklisted by the blacklists for too many DNS queries
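For the DNS / reverse DNS rules in the "554 error - blacklisted" section above, an added checker (my example, not from this page): it answers the lookups from a constructed zone table so it runs offline, and a live version would plug in a real resolver such as dnspython. The rule that there is exactly one v=spf1 record and the "~all" alternative come from RFC 7208, not from the page.

```python
import ipaddress

# Constructed zone data so the check runs offline; a live version would answer these
# lookups with dnspython (dns.resolver.resolve) instead of a dict.
FAKE_DNS = {
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("example.com", "MX"): [(10, "mail.example.com")],
    ("example.com", "TXT"): ["v=spf1 mx -all"],
}

def fake_lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

def spf_covers(record, ip, host_is_mx):
    """Minimal SPF read: does an mx or ip4/ip6 mechanism in the record cover this sender?"""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        mech = term.lstrip("+")
        if mech == "mx" and host_is_mx:
            return True
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return True
    return False

def check_sender_dns(hostname, ip, domain, lookup=fake_lookup):
    """Apply the DNS rules from the 554 section to one sending host; empty list == all good."""
    findings = []
    addr = ipaddress.ip_address(ip)
    if ip not in lookup(hostname, "AAAA" if addr.version == 6 else "A"):
        findings.append(f"A/AAAA: {hostname} does not resolve to {ip}")
    if hostname not in lookup(addr.reverse_pointer, "PTR"):
        findings.append(f"PTR: {ip} does not reverse to {hostname} (no FCrDNS)")
    mx_hosts = [host for _prio, host in lookup(domain, "MX")]
    if hostname not in mx_hosts:
        findings.append(f"MX: {domain} has no MX record for {hostname}")
    spf = [txt for txt in lookup(domain, "TXT") if txt.startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: {domain} needs exactly one v=spf1 TXT record, found {len(spf)}")
    else:
        if spf[0].split()[-1] not in ("-all", "~all"):
            findings.append("SPF: record should end in -all (or ~all)")
        if not spf_covers(spf[0], ip, hostname in mx_hosts):
            findings.append(f"SPF: {ip} is not authorised by '{spf[0]}'")
    return findings
```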