wormnet mail

marmot provides a multi-domain IMAP/SMTP mail service, powered by Exim and Cyrus IMAP.

It doesn't use SSL, partly because of the paying-for-a-server-certificate issue, and partly because of the multi-domain-but-one-IP-address issue.

All IPC with backend services (spamd, clamd, pgsql, lmtpd) is performed over unix domain sockets.

client configuration

At present, please use marmot.wormnet.eu for the IMAP (port 143) and SMTP (port 25 or 587) service; imap.wormnet.eu and smtp.wormnet.eu are still aliases for chipmunk while it still hosts most domains.

Please use DIGEST-MD5, CRAM-MD5 or NTLM authentication, and username@domain as the username.

unexpunge / mail folder recovery

The Cyrus unexpunge command can unexpunge (and optionally undelete) any messages recently expunged. Also, deleting folders is really a rename into a special DELETED/ namespace. A nightly “expire” job purges all expunged messages and deleted folders after 30 days.

This is really a side-effect of the features' original design, to minimise the latency of user delete operations.

webmail

http://webmail.wormnet.eu/ (http://mebwail.wormnet.eu/ might work if you're stuck behind a stoopid web filter). It uses HTTP Digest authentication, which is reasonably secure (although Basic auth could be spoofed by a MITM), but logging out can be a bit of a pain since browsers tend not to want to forget your credentials, so please consider this service beta at best.
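To make the "reasonably secure" claim concrete, here is an added example (not code from the wiki or from Roundcube) of what a Digest exchange actually transmits and what the server has to store: the client sends MD5(HA1:nonce:nc:cnonce:qop:HA2), and the server only needs HA1 = MD5(username:realm:password), which is the value the page has pgcrypto producing for the shadow table. The realm, credentials and qop=auth parameters below are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample realm; marmot's real shadow table contents are not on the page.
REALM = "my.domain"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).

    This is the only credential-derived value a Digest server has to keep.
    It is password-equivalent for this realm, so the table storing it still
    needs protecting; Digest just keeps the cleartext password off the wire.
    """
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' for qop=auth (assumed; webmail's exact parameters
    are not on the page). The response is bound to the server nonce, the
    client nonce and the request counter, which is what defeats simple replay."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, password, method, uri, nonce, nc, cnonce, realm=REALM):
    """What a browser computes from the password the user typed."""
    return digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)


class DigestVerifier:
    """Server side: check against stored HA1 values and refuse replayed responses."""

    def __init__(self, shadow):
        self.shadow = shadow   # {(username, realm): ha1_hex}
        self.seen = set()      # (nonce, nc) pairs already accepted

    def verify(self, username, method, uri, nonce, nc, cnonce, presented, realm=REALM):
        stored = self.shadow.get((username, realm))
        if stored is None:
            return False
        if (nonce, nc) in self.seen:
            return False       # a captured response being replayed
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        ok = hmac.compare_digest(expected, presented)
        if ok:
            self.seen.add((nonce, nc))
        return ok
```

A real server would also expire nonces and bound the `seen` set, and a MITM can still see and modify the request body; Digest only protects the credential, not the session, which is why the page's no-SSL note matters.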

server-side filtering

There are two approaches:

  • simply use the username+folder@domain syntax; mail will automatically be delivered into INBOX/folder if it exists and has appropriate permission (in webmail: “Personal Settings” → Folders → folder → Sharing → Advanced → “+” → All users (anyone) → Post)
    • some web forms falsely think “+” is invalid in an e-mail address; “--” (two hyphens) and “__” (two underscores) will be rewritten to “+”
  • use SIEVE (there's a UI in webmail: the “Filters” tab in “Personal Settings”)

Please try to avoid client-side filters.

Managing sieve rules with text files

You can also write rules by hand and upload them when you're ready. Currently you can only do this locally, like so:

$ sieveshell --authname='me@my.domain' --exec='put sieve-script' localhost
$ sieveshell --authname='me@my.domain' --exec='activate sieve-script' localhost

account creation

Enter the username, domain (“realm”) and password into the shadow table of the mail database on marmot.

If it's a new domain, please add it to the loginrealms line in /etc/imapd.conf on marmot.

Then use cyradm -u cyrus localhost on marmot (password in the aforementioned shadow table) and issue “cm user/username@domain”. Then set an appropriate quota, e.g. sq user/username@domain 100000.

aliases/forwarding

This is governed by the alias table of the mail database on marmot. If there's an entry for a domain (realm), then Exim will treat the entire domain as local.

There are two booleans available (both defaulting to false) per alias:

  • suffixes: allow local_part+suffix (for an arbitrary suffix, which is stripped)
  • bulk: add a Precedence: bulk header to help stop auto-responders etc
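The plus-addressing rules from the server-side filtering section and the two alias booleans above fit together into one routing decision. The following is an added example written for this page (not Exim's router configuration or anything from marmot): it rewrites `--`/`__` to `+`, treats a domain as local if it is in the alias table or loginrealms, consults aliases (exact match first, then base+suffix where `suffixes` is set, adding `Precedence: bulk` where `bulk` is set), and otherwise delivers into INBOX/folder when that folder exists and is postable. The tables, the "fall back to INBOX" behaviour and the address values are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alias:
    target: str
    suffixes: bool = False   # allow local_part+suffix; the suffix is stripped
    bulk: bool = False       # add a Precedence: bulk header to the delivered copy


@dataclass
class Delivery:
    action: str                    # "remote", "alias", "mailbox" or "bounce"
    target: Optional[str] = None   # next-hop address or mailbox
    folder: Optional[str] = None   # IMAP folder for "mailbox" deliveries
    headers: list = field(default_factory=list)


# Constructed sample tables; marmot's real alias and mailbox data are not on the page.
ALIASES = {
    ("postmaster", "wormnet.eu"): Alias("me@wormnet.eu"),
    ("list", "wormnet.eu"): Alias("me@wormnet.eu", suffixes=True, bulk=True),
}
LOGIN_REALMS = {"wormnet.eu"}
# mailbox -> folders that "anyone" may post into (the Sharing -> Post ACL on the page)
POSTABLE = {
    "me@wormnet.eu": {"INBOX", "INBOX/lists"},
}


def normalise_local_part(local: str) -> str:
    """Web-form-safe spellings of '+': '--' and '__' are rewritten to '+'."""
    return local.replace("--", "+").replace("__", "+")


def resolve(address: str) -> Delivery:
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    # A domain is local if it has alias entries or is a login realm.
    alias_domains = {d for _, d in ALIASES}
    if domain not in alias_domains and domain not in LOGIN_REALMS:
        return Delivery("remote", address)

    local = normalise_local_part(local)
    base, _, suffix = local.partition("+")

    # Aliases first: exact match, then base+suffix if the alias allows suffixes.
    alias = ALIASES.get((local, domain))
    if alias is None and suffix:
        candidate = ALIASES.get((base, domain))
        if candidate is not None and candidate.suffixes:
            alias = candidate
    if alias is not None:
        headers = ["Precedence: bulk"] if alias.bulk else []
        return Delivery("alias", alias.target, None, headers)

    # Then real mailboxes: +folder lands in INBOX/folder only if it exists and
    # is postable; otherwise INBOX (assumed fallback, not stated on the page).
    mailbox = f"{base}@{domain}"
    folders = POSTABLE.get(mailbox)
    if folders is None:
        return Delivery("bounce", address)
    folder = f"INBOX/{suffix}" if suffix else "INBOX"
    if folder not in folders:
        folder = "INBOX"
    return Delivery("mailbox", mailbox, folder)
```

The order matters for safety: an unknown `+suffix` on an alias without `suffixes` is rejected rather than silently delivered, and a `+folder` that is not postable by anyone cannot be used by an outsider to drop mail into a folder the owner did not open up.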

anti-spam

The strategy is to be tolerant of standards-compliant MTAs which honour timeouts, use deliverable return-paths, aren't blacklisted, and so on.

Greylisting is applied, but only in cases where dodginess is suspected, and then hints are sent to SpamAssassin. Most spam comes from zombies which never retry, so SpamAssassin shouldn't even need running.

Malware is rejected at SMTP time; a suitable SpamAssassin score (currently 6.0) will cause a rejection too. So will a dodgy attachment extension, or more general MIME-corruptness. However, even after a 550 after the DATA phase, Exim can store the message somewhere. This allows us to examine mail we've rejected :)
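The greylisting-plus-hint approach and the post-DATA rejection rules are easy to see in miniature. This is an added illustration written for this page, not Exim ACL or SpamAssassin configuration from marmot: a suspicious client gets a temporary failure on its first attempt, is accepted only when it retries after a sane interval (a zombie that never retries never gets through), and the retry is tagged with a hint header for SpamAssassin; after DATA, malware, a score at or above the page's 6.0 threshold, or a dodgy attachment extension is rejected. The timers, the "dodginess" heuristics and the extension list are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed tuning values; marmot's actual greylisting timers are not on the page.
RETRY_MIN = 300          # seconds: a legitimate MTA retries no sooner than this
RETRY_WINDOW = 4 * 3600  # seconds: forget a first attempt older than this
SA_REJECT_SCORE = 6.0    # the page's current SpamAssassin rejection threshold
# Constructed list of attachment extensions treated as "dodgy".
DODGY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def looks_dodgy(client_ip: str, helo: str, reverse_dns: Optional[str]) -> bool:
    """Constructed heuristics for 'dodginess': no reverse DNS, or a HELO that is
    an address literal or the bare IP. The page does not list its own rules."""
    if reverse_dns is None:
        return True
    if helo.startswith("[") or helo == client_ip:
        return True
    return False


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt

    def check(self, client_ip, sender, rcpt, now, suspicious) -> Tuple[str, Optional[str]]:
        """Return (action, spamassassin_hint). Only suspicious clients are greylisted."""
        if not suspicious:
            return "accept", None
        triplet = (client_ip, sender.lower(), rcpt.lower())
        first = self.first_seen.get(triplet)
        if first is None or now - first > RETRY_WINDOW:
            self.first_seen[triplet] = now
            return "tempfail", None   # 451: a real MTA queues and retries later
        if now - first < RETRY_MIN:
            return "tempfail", None   # retried too fast; still not trusted
        # Retried like a proper MTA: accept, but tell SpamAssassin it was suspect.
        return "accept", "X-Greylist: delayed, client was suspected dodgy"


def data_verdict(sa_score: float, malware_found: bool, attachment_names) -> str:
    """Decision after DATA: reject (550) for malware, a high SpamAssassin score
    or a dodgy attachment extension; otherwise deliver."""
    if malware_found:
        return "reject"
    if sa_score >= SA_REJECT_SCORE:
        return "reject"
    for name in attachment_names:
        if name.lower().endswith(DODGY_EXTENSIONS):
            return "reject"
    return "accept"
```

Rejecting at SMTP time (rather than accepting and bouncing later) is what keeps the server from generating backscatter to forged return-paths; keeping a copy of what was rejected, as the page describes, is what lets false positives be found.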

DKIM

Any sender domain can be signed using DKIM. Choose a “selector” and record it in the dkim table:

INSERT INTO dkim VALUES ('wormnet.eu', 'cat');

Then generate a keypair on marmot:

cd /etc/exim4/dkim
mkdir -m 750 wormnet.eu
cd wormnet.eu
openssl genrsa -out cat 1024
openssl rsa -in cat -out cat.pub -pubout -outform PEM
chmod o= cat*

And finally mangle the public key into a DNS TXT record. See here for some tweakables.

_adsp._domainkey IN TXT "dkim;"
cat._domainkey   IN TXT "v=DKIM1; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzl70kXqRENAgRfWRZ2WyvLtdQe22E1OvZMgIAwPV8GHraN2z0YCXgkeO7DW5t/0sOOa9z/hOmASTilds0oo2qgCmcJwV/YzGNAY0nw1CWAawIr5LlkLGzrLwvSv69iMsQJlsHMbqij0ljQpVuJ+DY5S0FYsgMlnyYWgE4EmEL5wIDAQAB; t=s"
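The "mangling" step is just stripping the PEM armour and joining the base64 lines into the p= tag, but there are two details worth getting right: the result should still decode to a DER SubjectPublicKeyInfo, and a TXT value longer than 255 octets (which any 2048-bit key produces) has to be published as several quoted strings. The following is an added example written for this page, not a tool from the wiki; it uses the p= value from the cat._domainkey record above as its sample input and also parses a published record back into tags. The wrapping of that value into PEM form is constructed for the example.

```python
import base64
import re

# The p= value from the cat._domainkey record on the page, used as sample input.
PAGE_P = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzl70kXqRENAgRfWRZ2WyvLtdQe22E1OvZMgIAwPV8"
    "GHraN2z0YCXgkeO7DW5t/0sOOa9z/hOmASTilds0oo2qgCmcJwV/YzGNAY0nw1CWAawIr5LlkLGzrLwv"
    "Sv69iMsQJlsHMbqij0ljQpVuJ+DY5S0FYsgMlnyYWgE4EmEL5wIDAQAB"
)
# Constructed: the same key re-wrapped the way `openssl rsa -pubout` would print it.
PAGE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(PAGE_P[i:i + 64] for i in range(0, len(PAGE_P), 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_to_p(pem: str) -> str:
    """Turn PEM public-key output into the DKIM p= value: drop the BEGIN/END
    lines, join the base64 lines, and check it still decodes to DER."""
    body = [l.strip() for l in pem.strip().splitlines() if not l.strip().startswith("-----")]
    p = "".join(body)
    der = base64.b64decode(p, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SubjectPublicKeyInfo (expected a leading SEQUENCE)")
    return p


def txt_strings(value: str, limit: int = 255) -> str:
    """Quote a TXT value, splitting it into <=255-octet strings as DNS requires;
    verifiers concatenate the strings again."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))


def dkim_txt_record(selector: str, p: str, hash_algs: str = "sha256", strict: bool = True) -> str:
    """Zone-file line for selector._domainkey; t=s is the strict flag the page uses."""
    tags = ["v=DKIM1", f"h={hash_algs}", f"p={p}"]
    if strict:
        tags.append("t=s")
    return f"{selector}._domainkey IN TXT {txt_strings('; '.join(tags))}"


def parse_dkim_record(txt: str) -> dict:
    """Parse a published record back into tags, rejoining split TXT strings,
    and check the tags a verifier cannot do without."""
    if '"' in txt:
        txt = "".join(re.findall(r'"([^"]*)"', txt))
    tags = {}
    for item in txt.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = "".join(value.split())   # whitespace inside values is ignored
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM version")
    if not tags.get("p"):
        raise ValueError("empty p= means the key is revoked")
    base64.b64decode(tags["p"], validate=True)
    return tags
```

Two caveats a practitioner would add today: 1024-bit RSA signing keys are below current recommendations (2048 bits), which is exactly when the string-splitting in `txt_strings` becomes necessary; and the `_adsp._domainkey` record on the page follows ADSP (RFC 5617), which has since been reclassified as historic, with DMARC being what receivers now consult for domain policy.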

Allowing mail relaying from particular hosts

It may be useful to allow home gateways, for example, to relay mail via marmot. The configuration for this is in the relay_host table.

packages

Mail on wormnet is provided by the following Debian packages (where a * denotes a backport from testing or unstable):

  • exim4-daemon-heavy* (MTA)
    • clamav-daemon (antivirus)
    • spamassassin (main anti-spam thing, plus lots of friggery)
  • cyrus-imapd-2.4* (IMAP server)
  • libsasl2-modules-sql (accounts, passwords)
    • postgresql-8.4
      • postgresql-contrib-8.4 (for the pgcrypto functions for generating HTTP Digest hashes)
  • roundcube-core* (webmail)
    • roundcube-plugins-extra* (for UI for sieve rules)
mail.1325351563.txt.gz · Last modified: 2011/12/31 17:12 by mb