This shows you the differences between two versions of the page.
linux:emailserver:courier [2015/11/15 15:21] tkilla |
linux:emailserver:courier [2018/04/03 15:27] (current) tkilla |
Line 18: | Line 18: | ||
Brutal way: | Brutal way: | ||
/ | / | ||
- | cd / | + | |
- | / | + | |
+ | mv msgs msgserror | ||
+ | mv msgq msgqerror | ||
+ | mkdir msgs | ||
+ | mkdir msgq | ||
+ | chown courier: | ||
+ | chown courier: | ||
+ | |||
+ | | ||
+ | / | ||
+ | |||
+ | |||
+ | **better scripts:** https:// | ||
generate, check and activate aliases: | generate, check and activate aliases: | ||
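Review bot: the "Brutal way" block moves the live queue directories (`mv msgs msgserror`, `mv msgq msgqerror`) and recreates them while Courier may still be running; add a step to stop the daemon before the `mv` and start it again after the `chown`, otherwise a running process can keep writing into the renamed directories or fail on the missing ones. The two `chown courier:` lines are also cut off and should show the full owner:group and which directory each applies to, and the text should say what is to be done with msgserror/msgqerror, since they hold undelivered mail rather than junk.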
Line 33: | Line 46: | ||
===== config tricks ===== | ===== config tricks ===== | ||
+ | |||
+ | |||
+ | ===== SSL Certificates ===== | ||
+ | |||
+ | ...tricky! | ||
+ | |||
+ | All config files use these two variables, so I set them to the same cert files in all configs: | ||
+ | |||
+ | Private Key and Cert and intermediate-cert and root-cert(s) combined in one file. The order is unclear. I had the private key first for many years, but documentations speak about putting the cert first: | ||
+ | |||
+ | cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem | ||
+ | | ||
+ | |||
+ | TLS_CERTFILE=/ | ||
+ | |||
+ | This contains the intermidiate-certs - i use the ca-bundle provided by the vert dealer | ||
+ | This seems to be only used by eSMTP - IMAP and POP works without it | ||
+ | |||
+ | TLS_TRUSTCERTS=/ | ||
+ | |||
+ | |||
+ | Checks: | ||
+ | openssl s_client -starttls imap -connect myserver.example.com: | ||
+ | https:// | ||
+ | |||
+ | SMTP-Error after cert install: "no cipher suites found": | ||
+ | |||
+ | |||
+ | ==== disable sslv2 and insecure ciphers ==== | ||
+ | |||
+ | WORK IN PROGRESS | ||
+ | |||
+ | set the following in / | ||
+ | |||
+ | TLS_PROTOCOL=" | ||
+ | TLS_CIPHER_LIST=" | ||
+ | |||
+ | and additionally this in / | ||
+ | |||
+ | TLS_STARTTLS_PROTOCOL=" | ||
+ | |||
+ | |||
==== .forward ==== | ==== .forward ==== | ||
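Review bot: the combined file produced by `cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem` contains the private key, but the section never says to restrict its permissions; add the owner and a `chmod 600` (or 640 with Courier's group) right after the `cat` line, since TLS_CERTFILE in every config will point at this one file. The square brackets should be dropped or marked as notation, because the shell passes `[intermediate.crt]` literally as a file name. The line "SMTP-Error after cert install: 'no cipher suites found':" introduces an error but no cause or fix follows before the next heading; either complete it or remove the dangling sentence.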
Line 85: | Line 140: | ||
- abuse@domain alias einrichten | - abuse@domain alias einrichten | ||
- **check blacklists!** | - **check blacklists!** | ||
+ | |||
+ | |||
+ | ==== 556 Address unavailable error ==== | ||
+ | |||
+ | There have been too many errors sending to this local address, so courier disables it for 2 hours to avoid backscatter. | ||
+ | |||
+ | This should show (all) 556 blocked addresses, but does not work: | ||
+ | courier show all | < | ||
+ | |||
+ | |||
+ | This releases the lock, so the address becomes available (maybe restart courier): | ||
+ | courier clear all | < | ||
+ | | ||
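Review bot: the 556 section gives `courier show all` as the way to list blocked addresses and then states that it does not work, so a reader copying it gets nothing; either remove the command or replace it with whatever does reveal the blocked addresses (for example the relevant log entries). For `courier clear all`, say definitively whether a restart is required instead of "maybe restart courier", because releasing a backscatter block is exactly the step an operator needs to verify before retrying delivery to that address.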
Line 111: | Line 179: | ||
+ | ==== Plugins ==== | ||
+ | |||
+ | Some useful Plugins and Settings: | ||
+ | https:// | ||
+ | We use these: | ||
+ | * RelayCountry | ||
+ | * local DNS Resolver to avoid getting blacklisted by blacklists for too many DNS queries | ||
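Review bot: the "Plugins" heading does not say which software these plugins and settings belong to, and the link under it is cut off at `https://`; name the product and restore the full URL so the list can be traced. The second item should also state that the local resolver must do its own recursion rather than forward to an ISP or public resolver, otherwise the blacklist lookups still arrive from a shared address and the stated goal of not being blocked for too many DNS queries is not achieved.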