Differences

This shows you the differences between two versions of the page.

--- linux:emailserver:courier [2013/05/11 20:19]
tkilla
+++ linux:emailserver:courier [2018/04/03 15:27] (current)
tkilla
@@ Line 3: / Line 3: @@
 ===== useful commands and hints.. =====
-generate, check and activate aliases:
+**in case of fast sending, spam problems, ..: always check the mailq!** - it is stored in /var/lib/courier/msgs and /var/lib/courier/msgq - you may delete and loose all pending outgoing mail by deleting these folders after stopping courier-mta.
-   makealiases; makealiases -chk; courier flush
 mailq displays a list of all messages that have not been delivered yet:
    mailq|less
+delete message from mailq - **cancelmsg sends an an error mail to the user!**:
+  cancelmsg msgID
+Delete ALL messages from mailq - soft version - **cancelmsg sends an an error mail to the user!**
+  for i in `mailq | egrep '^[0-9]' | awk ' {print $1}'`; do echo "Dropping message $i..."; cancelmsg $i; done
+Brutal way:
+  /etc/init.d/courier-mta stop
+  /etc/init.d/courier-mta-ssl stop
+  cd /var/lib/courier
+  mv msgs msgserror
+  mv msgq msgqerror
+  mkdir msgs
+  mkdir msgq
+  chown courier:courier msgs
+  chown courier:courier msgq
+  /etc/init.d/courier-mta start
+  /etc/init.d/courier-mta-ssl start
+**better scripts:** https://github.com/svarshavchik/courier-contrib
+generate, check and activate aliases:
+   makealiases; makealiases -chk; courier flush
@@ Line 17: / Line 43: @@
    grep "error,relay"  /var/log/mail.log|less
+===== config tricks =====
+===== SSL Certificates =====
+...tricky!
+All config files use these two variables, so I set them to the same cert files in all configs:
+Private Key and Cert and intermediate-cert and root-cert(s) combined in one file. The order is unclear. I had the private key first for many years, but documentations speak about putting the cert first:
+  cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem
+  TLS_CERTFILE=/etc/courier/cert.pem
+This contains the intermidiate-certs - i use the ca-bundle provided by the vert dealer
+This seems to be only used by eSMTP - IMAP and POP works without it
+  TLS_TRUSTCERTS=/etc/courier/inter.crt
+Checks:
+  openssl s_client -starttls imap -connect myserver.example.com:143
+https://www.sslchecker.com/sslchecker
+SMTP-Error after cert install: "no cipher suites found": ~might~ have been a problem with gnutls, which was fixed by updating (2018.01). he cert order is irrelavant and an old TLS_TRUSTCERTS works, too.
+==== disable sslv2 and insecure ciphers ====
+WORK IN PROGRESS
+set the following in /etc/courier/imapd-ssl, pop3d-ssl, esmtpd,esmtpd-ssl, courierd:
+  TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
+  TLS_CIPHER_LIST="!SSLv2:!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
+and additionally this in /etc/courier/imapd-ssl, pop3d-ssl
+  TLS_STARTTLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"
+==== .forward ====
+there are two ways, to configure forwarding of all mails:
+. use $HOME/.courier to setup $HOME/.forward for one account
+  || dotforward
+  | /usr/bin/maildrop
+. NOT TESTED: use /etc/courier/courierd to setup "dotforward" for all accounts
+  DEFAULTDELIVERY="||dotforward
+  | /usr/bin/maildrop"
+Put the addresses to forward to in $HOME/.forward.
+  original-receiver@example.com,test@example.com,test2@example.com
+==== Slow Connections ====
+Disable TCPDOPTS -noidentlookup for imap, pop, esamtp. It performs an ident lookup and waits for timeout then.
+If SMTP sending is slow, e.g. in webmail, add "-noidentlookup" to /etc/courier/esmtpd's TCPDOPTS
@@ Line 36: / Line 133: @@
 importantDNS / reverse DNS rules:
-. Mailserver-Software verwendet ausgehend einen vernünftigen DNS Namen z.B. servername.domain.tld
+  - Mailserver-Software verwendet ausgehend einen vernünftigen DNS Namen z.B. servername.domain.tld
-. A / AAAA Record setzen z.B. servername.domain.tld => IP
+  - A / AAAA Record setzen z.B. servername.domain.tld => IP
-. PTR - ReverseDNS vom Provider setzen lassen z.B. IP => servername.domain.tld
+  - PTR - ReverseDNS vom Provider setzen lassen z.B. IP => servername.domain.tld
-. MX Record setzen z.B. MX1 PRIO 10 = servername.domain.tld
+  - MX Record setzen z.B. MX1 PRIO 10 = servername.domain.tld
-. DNS TXT / SPF Record setzen z.B. v=spf1 mx -all
+  - DNS TXT / SPF Record setzen z.B. v=spf1 mx -all
-. abuse@domain alias einrichten
+  - abuse@domain alias einrichten
+  - **check blacklists!**
+==== 556 Address unavailable error ====
+There have been too many errors sending to this local address, so courier disables it for 2 hours to avoid backscatter.
+This should show (all) 556 blocked addresses, but does not work:
+  courier show all | <email>
+This releases the lock, so the address becomes available (maybe restart courier):
+  courier clear all | <email>
+=====  Spamassassin =====
+==== DNSBL AHBL is dead ====
+  DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org
+remove it from /usr/share/spamassassin/20_dnsbl_tests.cf
+==== auto-whitelist ====
+if someone sends spam, the address can get a high POSITIVE ranking which leads to spam
+remove an address from spam - must be run as root in root's folder:
+  * copy auto-whitelist to /root/.spamassassin/auto-whitelist
+  * spamassassin --remove-addr-from-whitelist=user@example.com
+  * check: sa-awl root/.spamassassin/auto-whitelist | grep user@example.com
+  * copy /root/.spamassassin/auto-whitelist back to user dir
+check all auto-whitelists:
+  for i in /home/* ; do echo $i; sa-awl $i/.spamassassin/auto-whitelist| grep example; done;
+==== Plugins ====
+Some useful Plugins and Settings:
+https://www.syn-flut.de/spamassassin-erkennungsrate-deutlich-verbessern
+We use these:
+  * RelayCountry
+  * local DNS Resolver to avoid getting blacklisted by blacklists for too many DNS queries

fr33.info

User Tools

Site Tools

Differences

Page Tools