mail

Differences

This shows you the differences between two versions of the page.

mail [2012/05/30 21:31]
mb
mail [2019/09/29 15:34] (current)
mb [account creation]
Line 2: Line 2:
  
 marmot provides a multi-domain IMAP/SMTP mail service, powered by [[http://​www.exim.org/​|Exim]] and [[http://​www.cyrusimap.org/​|Cyrus IMAP]]. marmot provides a multi-domain IMAP/SMTP mail service, powered by [[http://​www.exim.org/​|Exim]] and [[http://​www.cyrusimap.org/​|Cyrus IMAP]].
- 
-It doesn'​t use SSL, partly because of the paying-for-a-server-certificate issue, and partly because of the multi-domain-but-one-IP-address issue. 
  
 All IPC with backend services (spamd, clamd, pgsql, lmtpd) is performed over unix domain sockets. All IPC with backend services (spamd, clamd, pgsql, lmtpd) is performed over unix domain sockets.
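Review bot: dropping the "It doesn't use SSL" sentence leaves the page silent on whether IMAP and SMTP logins are now protected in transit, and a reader who remembers the old text will assume nothing has changed. Replace it with a one-line statement of the current transport security (which ports offer STARTTLS or implicit TLS, and which certificate is presented for the several domains), since that is exactly the security property the removed sentence was describing.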
Line 18: Line 16:
  
 This is really a side-effect of the features'​ original design, to minimise the latency of user delete operations. This is really a side-effect of the features'​ original design, to minimise the latency of user delete operations.
 +
 +For example, to undelete everything you have expunged today, run the following as the ''​cyrus''​ user...
 +
 +    cyrus@marmot:/​$ /​usr/​lib/​cyrus/​bin/​unexpunge -t1d user/​me@jamie.lentin.co.uk ​
 +    restoring expunged messages in mailbox '​jamie.lentin.co.uk!user.me'​
 +    restored 297 expunged messages
  
 ===== webmail ===== ===== webmail =====
  
 [[http://​webmail.wormnet.eu/​]] ([[http://​mebwail.wormnet.eu/​]] might work if you're stuck behind a stoopid web filter). It uses HTTP Digest authentication,​ which is reasonably secure (although Basic auth could be spoofed by a MITM), but logging out can be a bit of a pain since browsers tend not to want to forget your credentials--so please consider this service beta at best. [[http://​webmail.wormnet.eu/​]] ([[http://​mebwail.wormnet.eu/​]] might work if you're stuck behind a stoopid web filter). It uses HTTP Digest authentication,​ which is reasonably secure (although Basic auth could be spoofed by a MITM), but logging out can be a bit of a pain since browsers tend not to want to forget your credentials--so please consider this service beta at best.
 +
 +The HTTP Digest authentication is backed by PostgreSQL; if you restart the database (eg for a security update) you'll need to do an ''/​etc/​init.d/​apache2 graceful''​ at the bare minimum for webmail to continue to work.
  
 ===== server-side filtering ===== ===== server-side filtering =====
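Review bot: the `unexpunge -t1d` example is introduced as undeleting "everything you have expunged today", but `-t1d` selects messages expunged within the last day as a rolling 24-hour window, not since midnight; reword, and suggest running `unexpunge -l` on the mailbox first to list what a restore would bring back. In the webmail paragraph, "at the bare minimum" implies a graceful restart may not always be enough but never says what the full fix is; state the symptom seen after a PostgreSQL restart and the complete recovery step so the next person does not have to guess.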
Line 47: Line 53:
 If it's a new domain, please add it to the ''​loginrealms''​ line in ''/​etc/​imapd.conf''​ on marmot. If it's a new domain, please add it to the ''​loginrealms''​ line in ''/​etc/​imapd.conf''​ on marmot.
  
-Then use ''​cyradm -u cyrus localhost''​ on marmot (password in aformentioned ''​shadow''​ table) and issue "''​cm user/​username@domain''"​. Then set an appropriate quota, eg ''​sq user/​username@domain 100000''​.+Then use ''​cyradm -u cyrus localhost''​ on marmot (password in aformentioned ''​shadow''​ table) and issue "''​cm user/​username@domain''"​. Then set an appropriate quota, eg ''​sq user/​username@domain ​STORAGE ​100000''​. 
 + 
 +==== shared mailboxes ==== 
 + 
 +A mailbox which does //not// begin ''​user/''​ is not in an INBOX, but a shared mailbox. You can create them in ''​cyradm''​ with ''​cm'',​ as above, then use ''​sam''​ and ''​lam''​ to set and view appropriate permissions,​ eg: 
 + 
 +  localhost>​ lam admin/​postmaster@wormnet.eu 
 +  anyone p 
 +  lentinj@wormnet.eu lrswipkxtecd 
 +  mb@wormnet.eu lrswipkxtecd 
 + 
 +If, as in this example, you set ''​anyone p'',​ then Exim will deliver straight into that mailbox with e-mail address ''​+admin/​postmaster@wormnet.eu''​.
  
 ===== aliases/​forwarding ===== ===== aliases/​forwarding =====
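Review bot: `anyone p` on `admin/postmaster@wormnet.eu` is what makes the `+admin/postmaster@wormnet.eu` address deliver straight in, so the text should spell out the consequence: any message Exim accepts for that address lands in the shared mailbox with no authentication involved. Document that `anyone` should be granted `p` only (no `l`, `r` or `i`, which would expose the contents) and that the SMTP-time spam and malware checks described further down apply to the `+` form as well. Also a typo in the changed `+` line: "aformentioned" should be "aforementioned".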
Line 64: Line 81:
  
 Malware is rejected at SMTP time; a suitable SpamAssassin score (currently 5.0) will cause a rejection too. So will a dodgy attachment extension, or more general MIME-corruptness. However, even after a 550 after the DATA phase, Exim can store the message somewhere. This allows us to examine mail we've rejected :) Malware is rejected at SMTP time; a suitable SpamAssassin score (currently 5.0) will cause a rejection too. So will a dodgy attachment extension, or more general MIME-corruptness. However, even after a 550 after the DATA phase, Exim can store the message somewhere. This allows us to examine mail we've rejected :)
 +
 +==== SpamAssassin Bayesian classifier training folders ====
 +
 +Please note these as their filesystem locations below, suitable for cutting & pasting. Please ensure that ham folders //only// contain ham, and spam folders //only// spam. If you put something in the wrong folder, please delete it, expunge it and then ask postmaster to purge the expunged files.
 +
 +=== ham ===
 +
 +  sa-learn --ham --progress /​var/​spool/​cyrus/​mail/​domain/​j/​jamie.lentin.co.uk/​m/​user/​me/​{archive,​projects/​*}/​*.
 +
 +=== spam ===
 +
 +  sa-learn --spam --progress /​var/​spool/​cyrus/​mail/​domain/​d/​digriz.org.uk/​a/​user/​alex/​\:​spam/​*.
 +  sa-learn --spam --progress /​var/​spool/​cyrus/​mail/​domain/​w/​wormnet.eu/​r/​admin/​rejected/​malware/​*.
 +  sa-learn --spam --progress /​var/​spool/​cyrus/​mail/​domain/​j/​jamie.lentin.co.uk/​m/​user/​me/​spam/​*.
 +  sa-learn --spam --progress /​var/​spool/​cyrus/​mail/​domain/​w/​wormnet.eu/​r/​admin/​rejected/​spamassassin/​*.
 +  sa-learn --spam --progress /​var/​spool/​cyrus/​mail/​domain/​w/​wormnet.eu/​m/​user/​mb/​spam/​*.
  
 ===== DKIM ===== ===== DKIM =====
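Review bot: the closing sentence of the intro, "delete it, expunge it and then ask postmaster to purge the expunged files", gives the step but not the reason, and the reason matters for correctness: with delayed expunge (the behaviour the unexpunge section above relies on), an expunged message's file stays in the mailbox directory and still matches the `*.` globs below, so a mis-filed spam keeps being learned as ham until the file is actually purged. Say so explicitly. The ham command also depends on bash brace expansion (`{archive,projects/*}`), which will not work when pasted into `sh` or run from a cron job using `/bin/sh`; spell the paths out or note the shell requirement.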
Line 71: Line 104:
   INSERT INTO dkim VALUES ('​wormnet.eu',​ '​cat'​);​   INSERT INTO dkim VALUES ('​wormnet.eu',​ '​cat'​);​
   ​   ​
-Then generate a keypair on marmot:+Then generate a keypair on marmot ​(1024-bit considered right in 2014; latterly 2048 suggested in RFC8301):
  
 +  SELECTOR="​cat"​
   cd /​etc/​exim4/​dkim   cd /​etc/​exim4/​dkim
   mkdir -m 750 wormnet.eu   mkdir -m 750 wormnet.eu
   cd wormnet.eu   cd wormnet.eu
-  openssl genrsa -out cat 1024 +  openssl genrsa -out ${SELECTOR} ​1024 
-  openssl rsa -in cat -out cat.pub -pubout -outform PEM +  openssl rsa -in ${SELECTOR} ​-out ${SELECTOR}.pub -pubout -outform PEM 
-  chmod o= cat*+  chmod o= ${SELECTOR}* 
 +  echo "​v=DKIM1;​ h=sha256; p=$(grep -vE '​^\-\-\-'​ ${SELECTOR}.pub | tr -d '​\n'​);​ t=s;"
  
 And finally mangle the public key into a DNS TXT record. See [[http://​www.zytrax.com/​books/​dns/​ch9/​dkim.html|here]] for some tweakables. And finally mangle the public key into a DNS TXT record. See [[http://​www.zytrax.com/​books/​dns/​ch9/​dkim.html|here]] for some tweakables.
  
-  _adsp._domainkey IN TXT "​dkim;"​ +  _adsp._domainkey IN TXT "dkim=all;" 
-  cat._domainkey ​  IN TXT "​v=DKIM1;​ h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzl70kXqRENAgRfWRZ2WyvLtdQe22E1OvZMgIAwPV8GHraN2z0YCXgkeO7DW5t/​0sOOa9z/​hOmASTilds0oo2qgCmcJwV/​YzGNAY0nw1CWAawIr5LlkLGzrLwvSv69iMsQJlsHMbqij0ljQpVuJ+DY5S0FYsgMlnyYWgE4EmEL5wIDAQAB;​ t=s"+  cat._domainkey ​  IN TXT "​v=DKIM1;​ h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzl70kXqRENAgRfWRZ2WyvLtdQe22E1OvZMgIAwPV8GHraN2z0YCXgkeO7DW5t/​0sOOa9z/​hOmASTilds0oo2qgCmcJwV/​YzGNAY0nw1CWAawIr5LlkLGzrLwvSv69iMsQJlsHMbqij0ljQpVuJ+DY5S0FYsgMlnyYWgE4EmEL5wIDAQAB;​ t=s;" 
 +==== key rotation ==== 
 + 
 +Just make a new keypair (with a new name) / and associated TXT record. Then ''​UPDATE''​ your row in the ''​dkim''​ table. The old TXT record can be deleted after a week. 
 + 
 +People seem to think rotating keys quarterly is a good idea.
  
 ===== Allowing mail relaying from particular hosts ===== ===== Allowing mail relaying from particular hosts =====
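Review bot: the comment added to the keypair step concedes that RFC 8301 suggests 2048 bits, yet the command still reads `openssl genrsa -out ${SELECTOR} 1024`; change it to 2048 so the copy-and-paste path produces the recommended key (RFC 8301 verifiers must accept keys up to 4096 bits). Two knock-on effects are worth documenting next to the `echo` line: a 2048-bit `p=` value pushes the TXT record past the 255-byte limit of a single character-string, so the zone file entry has to be split into several quoted strings within the same record; and `_adsp._domainkey IN TXT "dkim=all;"` is ADSP, which was reclassified as Historic in 2013 and is ignored by most receivers, so a `_dmarc` record is the current way to publish the policy. In the key rotation subsection, add that the superseded private key should be removed from `/etc/exim4/dkim/<domain>` once its TXT record is gone.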
Line 92: Line 132:
  
 Mail on wormnet is provided by the following Debian packages (where a * denotes a backport from testing or unstable or experimental):​ Mail on wormnet is provided by the following Debian packages (where a * denotes a backport from testing or unstable or experimental):​
-  * exim4-daemon-heavy* (MTA) //(need to hack the ''​debian/​control''​ file to change build dependency from ''​libdb5.1-dev''​ to ''​libdb4.8-dev''​)//​+  * exim4-daemon-heavy* (MTA) //(need to hack the ''​debian/​control''​ file to change build dependency from ''​libdb5.1-dev''​ to ''​libdb4.8-dev'',​ and the ''​debian/​rules''​ file to uncomment ''​OPENSSL:​=1''​)//​
     * clamav-daemon (antivirus)     * clamav-daemon (antivirus)
     * spamassassin (main anti-spam thing, plus lots of friggery)     * spamassassin (main anti-spam thing, plus lots of friggery)
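Review bot: the new build note says to uncomment `OPENSSL:=1` in `debian/rules` but not why; Debian's stock exim4-daemon-heavy is built against GnuTLS, so record the reason for switching to OpenSSL and which Exim TLS options depend on it, otherwise the next rebuild will silently drop the change. Since this enables TLS in the MTA, it also gives the content for the transport-security sentence that should replace the removed "doesn't use SSL" line at the top of the page.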
mail.1338413513.txt.gz · Last modified: 2012/05/30 21:31 by mb