linux:emailserver:courier, revisions 2011/12/23 01:32 and 2018/04/03 15:27 (current), by tkilla

====== Courier ======
===== Useful commands and hints =====

**If the server suddenly sends a lot of mail, has spam problems, etc.: always check the mailq first!**

mailq displays a list of all messages that have not been delivered yet:

Delete a single message from the mailq. **cancelmsg sends an error mail (bounce) back to the sending user!**

  cancelmsg msgID

Delete ALL messages from the mailq, soft version. **cancelmsg sends an error mail (bounce) back to the sending user for every message!**

  for i in `mailq | egrep '

Brutal way: move the queue directories aside and recreate them empty. Nothing is bounced; the old messages stay in the renamed directories. Give the new directories the same owner, group and mode as the old ones:

  /
  /
  cd /
  mv msgs msgserror
  mv msgq msgqerror
  mkdir msgs
  mkdir msgq
  chown courier:
  chown courier:

  /
  /


**Better scripts:** https://

Generate, check and activate aliases:

  

Find relay errors:

  grep "


===== config tricks =====

===== SSL Certificates =====

...tricky!

All config files use these two variables, so I set them to the same cert files in all configs:

TLS_CERTFILE: private key, server cert, intermediate cert and root cert(s) combined in one file. The order is unclear. I had the private key first for many years, but the documentation speaks of putting the cert first. With an OpenSSL-built Courier, what matters is that the server cert is the first certificate block and the intermediates follow it; the private key block is found wherever it sits in the file:

  cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem

  TLS_CERTFILE=/

The combined file holds the private key, so it must be readable by the Courier user only, not world-readable.

TLS_TRUSTCERTS: contains the intermediate certs; I use the CA bundle provided by the cert vendor. This seems to be used only by ESMTP; IMAP and POP work without it:

  TLS_TRUSTCERTS=/


Checks:

  openssl s_client -starttls imap -connect myserver.example.com:

https://

SMTP error after cert install: "no cipher suites found":

==== disable sslv2 and insecure ciphers ====

WORK IN PROGRESS

Set the following in /

  TLS_PROTOCOL="
  TLS_CIPHER_LIST="

and additionally this in /

  TLS_STARTTLS_PROTOCOL="

SSLv3 and RC4 belong on the same list as SSLv2. After changing the settings, check from outside which protocol versions and ciphers the listeners still accept.

==== .forward ====

There are two ways to configure forwarding of all mails:

1. use $HOME/

  || dotforward
  | /

2. NOT TESTED: use /

  DEFAULTDELIVERY="
  | /


Put the addresses to forward to in $HOME/

  original-receiver@example.com,


==== Slow Connections ====

Add -noidentlookup to TCPDOPTS for imapd, pop3d and esmtpd. Without it, couriertcpd performs an ident lookup on every incoming connection and waits for the timeout before the session continues.

If SMTP sending is slow, e.g. in webmail, add "
===== Bugs & Fixes =====

==== outbound authentication ====

(This is the second method if pop-before-smtp fails.)

**Please make sure that "

==== 554 error - blacklisted :( ====

Important DNS / reverse DNS rules:

  - The mail server software must use a proper DNS name for outbound mail (the HELO/EHLO name), e.g. servername.domain.tld
  - Set an A / AAAA record, e.g. servername.domain.tld => IP
  - Have the provider set the PTR (reverse DNS) record, e.g. IP => servername.domain.tld; A/AAAA and PTR must point at each other
  - Set the MX record, e.g. MX prio 10 = servername.domain.tld
  - Set a DNS TXT / SPF record, e.g. v=spf1 mx -all
  - Set up an abuse@domain alias
  - **check blacklists!**

==== 556 Address unavailable error ====

There have been too many delivery errors for this local address, so Courier disables it for 2 hours to avoid backscatter.

This should show (all) 556-blocked addresses, but does not work:

  courier show all | <


This releases the lock, so the address becomes available again (maybe restart Courier):

  courier clear all | <
  

===== Spamassassin =====

==== DNSBL AHBL is dead ====

  DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org

Remove it from /

A dead DNSBL either times out on every query or answers "listed" for everything; both distort the scoring, so drop such lists as soon as they die.


==== auto-whitelist ====

If a sender's spam gets through a few times, the address can build up a favourable (ham-looking) average score in the auto-whitelist, which then pulls the score of later spam from that address down and lets it through.

Remove an address from the auto-whitelist. This must be run as root in root's home directory:
  * copy the auto-whitelist to /
  * spamassassin --remove-addr-from-whitelist=user@example.com
  * check: sa-awl root/
  * copy /

Check all auto-whitelists:

  for i in /home/* ; do echo $i; sa-awl $i/


==== Plugins ====

Some useful plugins and settings:

https://

We use these:
  * RelayCountry
  * a local caching DNS resolver, so that DNSBL queries do not go through a shared resolver that the blacklists block for sending too many queries