This shows you the differences between two versions of the page.
mail [2012/05/30 21:31] mb
mail [2019/09/29 15:34] (current) mb [account creation]
Line 2: | Line 2: | ||
marmot provides a multi-domain IMAP/SMTP mail service, powered by [[http://www.exim.org/|Exim]] and [[http://www.cyrusimap.org/|Cyrus IMAP]]. | marmot provides a multi-domain IMAP/SMTP mail service, powered by [[http://www.exim.org/|Exim]] and [[http://www.cyrusimap.org/|Cyrus IMAP]]. | ||
- | |||
- | It doesn't use SSL, partly because of the paying-for-a-server-certificate issue, and partly because of the multi-domain-but-one-IP-address issue. | ||
All IPC with backend services (spamd, clamd, pgsql, lmtpd) is performed over unix domain sockets. | All IPC with backend services (spamd, clamd, pgsql, lmtpd) is performed over unix domain sockets. | ||
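Review bot: this hunk drops the sentence explaining that the service does not use SSL without saying what replaced it, so a reader can no longer tell whether IMAP and SMTP are now offered over TLS or are still plaintext. The package list at the bottom of this diff now builds exim4-daemon-heavy with ''OPENSSL:=1'', which suggests TLS is available; add a sentence here stating the current position (STARTTLS on IMAP and submission or not, and where the certificate comes from), since the two reasons the old sentence gave, certificate cost and many domains on one IP address, are exactly what free ACME certificates and SNI now take care of.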
Line 18: | Line 16: | ||
This is really a side-effect of the features' original design, to minimise the latency of user delete operations. | This is really a side-effect of the features' original design, to minimise the latency of user delete operations. | ||
+ | |||
+ | For example, to undelete everything you have expunged today, run the following as the ''cyrus'' user... | ||
+ | |||
+ | cyrus@marmot:/$ /usr/lib/cyrus/bin/unexpunge -t1d user/me@jamie.lentin.co.uk | ||
+ | restoring expunged messages in mailbox 'jamie.lentin.co.uk!user.me' | ||
+ | restored 297 expunged messages | ||
===== webmail ===== | ===== webmail ===== | ||
[[http://webmail.wormnet.eu/]] ([[http://mebwail.wormnet.eu/]] might work if you're stuck behind a stoopid web filter). It uses HTTP Digest authentication, which is reasonably secure (although Basic auth could be spoofed by a MITM), but logging out can be a bit of a pain since browsers tend not to want to forget your credentials--so please consider this service beta at best. | [[http://webmail.wormnet.eu/]] ([[http://mebwail.wormnet.eu/]] might work if you're stuck behind a stoopid web filter). It uses HTTP Digest authentication, which is reasonably secure (although Basic auth could be spoofed by a MITM), but logging out can be a bit of a pain since browsers tend not to want to forget your credentials--so please consider this service beta at best. | ||
+ | |||
+ | The HTTP Digest authentication is backed by PostgreSQL; if you restart the database (eg for a security update) you'll need to do an ''/etc/init.d/apache2 graceful'' at the bare minimum for webmail to continue to work. | ||
===== server-side filtering ===== | ===== server-side filtering ===== | ||
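Review bot: the unexpunge example restores everything expunged in the last day (297 messages here) in one go, running as the cyrus user; show the non-destructive listing form first (''unexpunge -l user/me@jamie.lentin.co.uk'') so an admin can see what will come back, and say that ''-t1d'' also resurrects messages the user deliberately deleted, not only the ones removed by mistake. Separately, the new webmail paragraph says a PostgreSQL restart requires an Apache graceful but not why; if the cause is Apache's pooled database connections for Digest auth going stale, say so and give the symptom (every webmail login failing until the graceful) so the next admin recognises it.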
Line 47: | Line 53: | ||
If it's a new domain, please add it to the ''loginrealms'' line in ''/etc/imapd.conf'' on marmot. | If it's a new domain, please add it to the ''loginrealms'' line in ''/etc/imapd.conf'' on marmot. | ||
- | Then use ''cyradm -u cyrus localhost'' on marmot (password in aformentioned ''shadow'' table) and issue "''cm user/username@domain''". Then set an appropriate quota, eg ''sq user/username@domain 100000''. | + | Then use ''cyradm -u cyrus localhost'' on marmot (password in aformentioned ''shadow'' table) and issue "''cm user/username@domain''". Then set an appropriate quota, eg ''sq user/username@domain STORAGE 100000''. |
+ | |||
+ | ==== shared mailboxes ==== | ||
+ | |||
+ | A mailbox which does //not// begin ''user/'' is not in an INBOX, but a shared mailbox. You can create them in ''cyradm'' with ''cm'', as above, then use ''sam'' and ''lam'' to set and view appropriate permissions, eg: | ||
+ | |||
+ | localhost> lam admin/postmaster@wormnet.eu | ||
+ | anyone p | ||
+ | lentinj@wormnet.eu lrswipkxtecd | ||
+ | mb@wormnet.eu lrswipkxtecd | ||
+ | |||
+ | If, as in this example, you set ''anyone p'', then Exim will deliver straight into that mailbox with e-mail address ''+admin/postmaster@wormnet.eu''. | ||
===== aliases/forwarding ===== | ===== aliases/forwarding ===== | ||
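Review bot: the shared-mailbox example grants ''anyone p'' and explains that this is what lets Exim deliver to ''+admin/postmaster@wormnet.eu'', but it should also say that ''anyone'' covers every authenticated IMAP user (and anonymous, if that is enabled), so ''p'' (post) is the most that identity should ever hold on a shared mailbox. The two named users get ''lrswipkxtecd'', which is the full right set including ''x'' (delete the mailbox itself); a one-line gloss of those letters would save the next admin a trip to the cyradm man page. The corrected ''sq user/username@domain STORAGE 100000'' is the right syntax for current cyradm, but the unit (kilobytes) is worth stating next to it. Also ''aformentioned'' is a typo for ''aforementioned''.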
Line 64: | Line 81: | ||
Malware is rejected at SMTP time; a suitable SpamAssassin score (currently 5.0) will cause a rejection too. So will a dodgy attachment extension, or more general MIME-corruptness. However, even after a 550 after the DATA phase, Exim can store the message somewhere. This allows us to examine mail we've rejected :) | Malware is rejected at SMTP time; a suitable SpamAssassin score (currently 5.0) will cause a rejection too. So will a dodgy attachment extension, or more general MIME-corruptness. However, even after a 550 after the DATA phase, Exim can store the message somewhere. This allows us to examine mail we've rejected :) | ||
+ | |||
+ | ==== SpamAssassin Bayesian classifier training folders ==== | ||
+ | |||
+ | Please note these as their filesystem locations below, suitable for cutting & pasting. Please ensure that ham folders //only// contain ham, and spam folders //only// spam. If you put something in the wrong folder, please delete it, expunge it and then ask postmaster to purge the expunged files. | ||
+ | |||
+ | === ham === | ||
+ | |||
+ | sa-learn --ham --progress /var/spool/cyrus/mail/domain/j/jamie.lentin.co.uk/m/user/me/{archive,projects/*}/*. | ||
+ | |||
+ | === spam === | ||
+ | |||
+ | sa-learn --spam --progress /var/spool/cyrus/mail/domain/d/digriz.org.uk/a/user/alex/\:spam/*. | ||
+ | sa-learn --spam --progress /var/spool/cyrus/mail/domain/w/wormnet.eu/r/admin/rejected/malware/*. | ||
+ | sa-learn --spam --progress /var/spool/cyrus/mail/domain/j/jamie.lentin.co.uk/m/user/me/spam/*. | ||
+ | sa-learn --spam --progress /var/spool/cyrus/mail/domain/w/wormnet.eu/r/admin/rejected/spamassassin/*. | ||
+ | sa-learn --spam --progress /var/spool/cyrus/mail/domain/w/wormnet.eu/m/user/mb/spam/*. | ||
===== DKIM ===== | ===== DKIM ===== | ||
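Review bot: the training paths reveal where rejected mail actually ends up (''admin/rejected/malware'' and ''admin/rejected/spamassassin'' under wormnet.eu), while the paragraph above still says Exim stores it "somewhere"; name the mailbox there, and note that ''rejected/malware'' therefore holds live malware samples that anyone with ''l''/''r'' rights on that shared mailbox can open in a mail client. The ''sa-learn'' lines also do not say which user to run them as: the Bayes database belongs to the user spamd runs as, so running these as root or cyrus either trains a database spamd never reads or leaves files it cannot write; state the user, or add ''--dbpath'' pointing at the shared Bayes store.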
Line 71: | Line 104: | ||
INSERT INTO dkim VALUES ('wormnet.eu', 'cat'); | INSERT INTO dkim VALUES ('wormnet.eu', 'cat'); | ||
| | ||
- | Then generate a keypair on marmot: | + | Then generate a keypair on marmot (1024-bit considered right in 2014; latterly 2048 suggested in RFC8301): |
+ | SELECTOR="cat" | ||
cd /etc/exim4/dkim | cd /etc/exim4/dkim | ||
mkdir -m 750 wormnet.eu | mkdir -m 750 wormnet.eu | ||
cd wormnet.eu | cd wormnet.eu | ||
- | openssl genrsa -out cat 1024 | + | openssl genrsa -out ${SELECTOR} 1024 |
- | openssl rsa -in cat -out cat.pub -pubout -outform PEM | + | openssl rsa -in ${SELECTOR} -out ${SELECTOR}.pub -pubout -outform PEM |
- | chmod o= cat* | + | chmod o= ${SELECTOR}* |
+ | echo "v=DKIM1; h=sha256; p=$(grep -vE '^\-\-\-' ${SELECTOR}.pub | tr -d '\n'); t=s;" | ||
And finally mangle the public key into a DNS TXT record. See [[http://www.zytrax.com/books/dns/ch9/dkim.html|here]] for some tweakables. | And finally mangle the public key into a DNS TXT record. See [[http://www.zytrax.com/books/dns/ch9/dkim.html|here]] for some tweakables. | ||
- | _adsp._domainkey IN TXT "dkim;" | + | _adsp._domainkey IN TXT "dkim=all;" |
- | cat._domainkey IN TXT "v=DKIM1; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzl70kXqRENAgRfWRZ2WyvLtdQe22E1OvZMgIAwPV8GHraN2z0YCXgkeO7DW5t/0sOOa9z/hOmASTilds0oo2qgCmcJwV/YzGNAY0nw1CWAawIr5LlkLGzrLwvSv69iMsQJlsHMbqij0ljQpVuJ+DY5S0FYsgMlnyYWgE4EmEL5wIDAQAB; t=s" | + | cat._domainkey IN TXT "v=DKIM1; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzl70kXqRENAgRfWRZ2WyvLtdQe22E1OvZMgIAwPV8GHraN2z0YCXgkeO7DW5t/0sOOa9z/hOmASTilds0oo2qgCmcJwV/YzGNAY0nw1CWAawIr5LlkLGzrLwvSv69iMsQJlsHMbqij0ljQpVuJ+DY5S0FYsgMlnyYWgE4EmEL5wIDAQAB; t=s;" |
+ | ==== key rotation ==== | ||
+ | |||
+ | Just make a new keypair (with a new name) / and associated TXT record. Then ''UPDATE'' your row in the ''dkim'' table. The old TXT record can be deleted after a week. | ||
+ | |||
+ | People seem to think rotating keys quarterly is a good idea. | ||
===== Allowing mail relaying from particular hosts ===== | ===== Allowing mail relaying from particular hosts ===== | ||
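Review bot: the comment added to the keypair step says 2048-bit is now suggested by RFC 8301, but ''openssl genrsa -out ${SELECTOR} 1024'' still generates 1024; either change it to 2048 or make the size a variable next to ''SELECTOR''. Two knock-on points if you do: the new ''echo'' line emits the whole ''p='' value as a single quoted string, and a 2048-bit key's base64 is well over the 255-character limit for one TXT string, so it has to be split into several quoted chunks (''"v=DKIM1; h=sha256; p=..." "..."'') for most zone files and DNS providers; and the ''_adsp._domainkey'' record, even with its corrected ''dkim=all;'' value, is ADSP (RFC 5617), which was moved to Historic in 2013 and which receivers generally ignore, so a ''_dmarc'' TXT record (RFC 7489) is the current way to publish a policy. The key-rotation text is sound, but it should say to keep the old TXT record until mail signed with the old key has stopped arriving, which is the reason behind the one-week figure.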
Line 92: | Line 132: | ||
Mail on wormnet is provided by the following Debian packages (where a * denotes a backport from testing or unstable or experimental): | Mail on wormnet is provided by the following Debian packages (where a * denotes a backport from testing or unstable or experimental): | ||
- | * exim4-daemon-heavy* (MTA) //(need to hack the ''debian/control'' file to change build dependency from ''libdb5.1-dev'' to ''libdb4.8-dev'')// | + | * exim4-daemon-heavy* (MTA) //(need to hack the ''debian/control'' file to change build dependency from ''libdb5.1-dev'' to ''libdb4.8-dev'', and the ''debian/rules'' file to uncomment ''OPENSSL:=1'')// |
* clamav-daemon (antivirus) | * clamav-daemon (antivirus) | ||
* spamassassin (main anti-spam thing, plus lots of friggery) | * spamassassin (main anti-spam thing, plus lots of friggery) |
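Review bot: the ''*'' backports, now including an exim4-daemon-heavy rebuilt with ''OPENSSL:=1'', are not covered by Debian security updates once they are self-built, so this list should record who tracks upstream security announcements for Exim, ClamAV and SpamAssassin and how the packages get rebuilt when a fix lands; Exim in particular has a steady history of serious advisories. Also note that switching the build from Debian's default GnuTLS to OpenSSL changes both which TLS library needs patching and the syntax accepted by Exim's ''tls_require_ciphers'' option, so the Exim TLS configuration should be reviewed after the rebuild.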