This shows you the differences between two versions of the page.
linux:emailserver:courier [2013/05/11 20:19] tkilla |
linux:emailserver:courier [2018/04/03 15:27] (current) tkilla |
Line 3: | Line 3: | ||
===== useful commands and hints.. ===== | ===== useful commands and hints.. ===== | ||
- | generate, check and activate aliases: | + | **in case of fast sending, spam problems, ..: always |
- | + | ||
- | | + | |
mailq displays a list of all messages that have not been delivered yet: | mailq displays a list of all messages that have not been delivered yet: | ||
| | ||
+ | |||
+ | |||
+ | delete message from mailq - **cancelmsg sends an an error mail to the user!**: | ||
+ | cancelmsg msgID | ||
+ | |||
+ | Delete ALL messages from mailq - soft version - **cancelmsg sends an an error mail to the user!** | ||
+ | for i in `mailq | egrep ' | ||
+ | |||
+ | Brutal way: | ||
+ | / | ||
+ | / | ||
+ | cd / | ||
+ | mv msgs msgserror | ||
+ | mv msgq msgqerror | ||
+ | mkdir msgs | ||
+ | mkdir msgq | ||
+ | chown courier: | ||
+ | chown courier: | ||
+ | | ||
+ | / | ||
+ | / | ||
+ | |||
+ | |||
+ | **better scripts:** https:// | ||
+ | |||
+ | |||
+ | generate, check and activate aliases: | ||
+ | |||
+ | | ||
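Review bot: the "Brutal way" block (cd / ... mv msgs msgserror ... mkdir msgq ... chown courier:) never says that courier must be stopped before the spool directories are moved and started again afterwards; the two "/" lines before and after the block are cut off in this view, so state the stop and start in words. Two more points on the same block: mkdir creates the new msgs and msgq with the umask default rather than the mode of the originals, so add a chmod matching the old directories beside the chown, and moving the queue aside discards every queued message, legitimate ones included, with no bounce at all (unlike cancelmsg), so recommend saving the mailq output before doing it. The soft version's for i in `mailq | egrep ' loop is also truncated here; please show the complete pipeline so the reader can see what is fed to cancelmsg.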
Line 17: | Line 43: | ||
grep " | grep " | ||
+ | |||
+ | |||
+ | ===== config tricks ===== | ||
+ | |||
+ | |||
+ | ===== SSL Certificates ===== | ||
+ | |||
+ | ...tricky! | ||
+ | |||
+ | All config files use these two variables, so I set them to the same cert files in all configs: | ||
+ | |||
+ | Private Key and Cert and intermediate-cert and root-cert(s) combined in one file. The order is unclear. I had the private key first for many years, but documentations speak about putting the cert first: | ||
+ | |||
+ | cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem | ||
+ | | ||
+ | |||
+ | TLS_CERTFILE=/ | ||
+ | |||
+ | This contains the intermidiate-certs - i use the ca-bundle provided by the vert dealer | ||
+ | This seems to be only used by eSMTP - IMAP and POP works without it | ||
+ | |||
+ | TLS_TRUSTCERTS=/ | ||
+ | |||
+ | |||
+ | Checks: | ||
+ | openssl s_client -starttls imap -connect myserver.example.com: | ||
+ | https:// | ||
+ | |||
+ | SMTP-Error after cert install: "no cipher suites found": | ||
+ | |||
+ | |||
+ | ==== disable sslv2 and insecure ciphers ==== | ||
+ | |||
+ | WORK IN PROGRESS | ||
+ | |||
+ | set the following in / | ||
+ | |||
+ | TLS_PROTOCOL=" | ||
+ | TLS_CIPHER_LIST=" | ||
+ | |||
+ | and additionally this in / | ||
+ | |||
+ | TLS_STARTTLS_PROTOCOL=" | ||
+ | |||
+ | |||
+ | |||
+ | ==== .forward ==== | ||
+ | |||
+ | there are two ways, to configure forwarding of all mails: | ||
+ | |||
+ | 1. use $HOME/ | ||
+ | |||
+ | || dotforward | ||
+ | | / | ||
+ | | ||
+ | 2. NOT TESTED: use / | ||
+ | |||
+ | DEFAULTDELIVERY=" | ||
+ | | / | ||
+ | | ||
+ | |||
+ | Put the addresses to forward to in $HOME/ | ||
+ | |||
+ | original-receiver@example.com, | ||
+ | |||
+ | |||
+ | ==== Slow Connections ==== | ||
+ | |||
+ | Disable TCPDOPTS -noidentlookup for imap, pop, esamtp. It performs an ident lookup and waits for timeout then. | ||
+ | |||
+ | If SMTP sending is slow, e.g. in webmail, add " | ||
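Review bot: the Slow Connections sentence "Disable TCPDOPTS -noidentlookup for imap, pop, esamtp" reads as if the option should be removed, but -noidentlookup is the TCPDOPTS switch that turns the ident lookup off; reword it to "add -noidentlookup to TCPDOPTS in the imapd, pop3d and esmtpd configs" and fix the "esamtp" typo. In the SSL Certificates section, the line cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem writes the private key into a new file under the default umask, so precede it with umask 077 (or follow it with chmod 600) and name the expected owner. The TLS_PROTOCOL, TLS_CIPHER_LIST and TLS_STARTTLS_PROTOCOL values, the TLS_CERTFILE and TLS_TRUSTCERTS paths and the port in the openssl s_client Checks line are all cut off in this view, and the cipher section is marked WORK IN PROGRESS; those values need to be filled in before the section is usable. Minor: "intermidiate-certs" and "vert dealer" in the TLS_TRUSTCERTS paragraph.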
Line 36: | Line 133: | ||
importantDNS / reverse DNS rules: | importantDNS / reverse DNS rules: | ||
- | 1. Mailserver-Software verwendet ausgehend einen vernünftigen DNS Namen z.B. servername.domain.tld | + | - Mailserver-Software verwendet ausgehend einen vernünftigen DNS Namen z.B. servername.domain.tld |
- | 2. A / AAAA Record setzen z.B. servername.domain.tld => IP | + | |
- | 3. PTR - ReverseDNS vom Provider setzen lassen z.B. IP => servername.domain.tld | + | |
- | 4. MX Record setzen z.B. MX1 PRIO 10 = servername.domain.tld | + | |
- | 5. DNS TXT / SPF Record setzen z.B. v=spf1 mx -all | + | |
- | 6. abuse@domain alias einrichten | + | |
+ | - **check blacklists!** | ||
+ | |||
+ | |||
+ | ==== 556 Address unavailable error ==== | ||
+ | |||
+ | There have been too many errors sending to this local address, so courier disables it for 2 hours to avoid backscatter. | ||
+ | |||
+ | This should show (all) 556 blocked addresses, but does not work: | ||
+ | courier show all | < | ||
+ | |||
+ | |||
+ | This releases the lock, so the address becomes available (maybe restart courier): | ||
+ | courier clear all | < | ||
+ | |||
+ | |||
+ | |||
+ | ===== Spamassassin ===== | ||
+ | |||
+ | ==== DNSBL AHBL is dead ==== | ||
+ | |||
+ | DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org | ||
+ | |||
+ | remove it from / | ||
+ | |||
+ | |||
+ | ==== auto-whitelist ==== | ||
+ | |||
+ | if someone sends spam, the address can get a high POSITIVE ranking which leads to spam | ||
+ | |||
+ | remove an address from spam - must be run as root in root's folder: | ||
+ | * copy auto-whitelist to / | ||
+ | * spamassassin --remove-addr-from-whitelist=user@example.com | ||
+ | * check: sa-awl root/ | ||
+ | * copy / | ||
+ | |||
+ | check all auto-whitelists: | ||
+ | |||
+ | for i in /home/* ; do echo $i; sa-awl $i/ | ||
+ | |||
+ | |||
+ | ==== Plugins ==== | ||
+ | |||
+ | Some useful Plugins and Settings: | ||
+ | |||
+ | https:// | ||
+ | |||
+ | We use these: | ||
+ | * RelayCountry | ||
+ | * local DNS Resolver to avoid getting blacklisted by blacklists for too many DNS queries | ||
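Review bot: in the DNS / reverse DNS list the right-hand column is empty for the old items 2 to 6 (A / AAAA record, PTR, MX, SPF TXT record, abuse@ alias) while only the first item and the new "**check blacklists!**" item appear on the new side; verify that converting the numbered list to bullets did not drop those five rules. In the auto-whitelist section the sentence "the address can get a high POSITIVE ranking which leads to spam" is hard to follow: the AWL keeps the average score of a sender's past mail and pulls later messages toward that average, so a sender with a history of low-scoring mail gets a later spam scored down and delivered; say that explicitly. The procedure also copies the auto-whitelist database into root's folder and back; name the user that owns the original so the copy back restores the right ownership. The "courier show all" line is cut off after "<" in this view.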