Email Server

From Sector Alpha Wiki

Latest revision as of 10:23, 10 October 2017

User Settings for Sector Alpha's email servers

All the settings are below. We recommend IMAP for inbound mail: it leaves your email on the server, so it can be read from several clients at once, including the webmail. For desktop clients we recommend Thunderbird, but any client should work. Every option listed uses TLS (either StartTLS on the standard port or a dedicated SSL/TLS port) and works well. If you have problems, search for the error message first; if that doesn't help, the admins may be able to assist.

Inbound Server Settings

There are a few combinations of settings that work, so they are laid out as a table.

Protocol               IMAP                  POP3
Server Address         sector-alpha.net (or alessa.sector-alpha.net)
Port                   143        993        110        995
Encryption             StartTLS   SSL/TLS    StartTLS   SSL/TLS
Username               Your full email address, e.g. username@sector-alpha.net
Password               Your email password (see #Webmail to change)
Authentication Method  Normal password (PLAIN)

NOTE: The email certificate is currently self signed, so your client will warn about it on first connection. Check the certificate fingerprint with a server admin before accepting it permanently; do not just click through the warning, and do not disable certificate checking in the client.

An unencrypted connection can be made on ports 143 and 110, but the server does not offer authentication until the connection has been upgraded with StartTLS, so no mail can be read over a plaintext session.

A few clients show every folder nested inside INBOX when connecting over IMAP. This is a client-side issue and can be worked around by setting the client's IMAP namespace (sometimes labelled "IMAP server directory" or "prefix") to INBOX; see http://www.courier-mta.org/FAQ.html#namespace for details.

Outbound Email Settings

SMTP settings are:

Server Address         sector-alpha.net (or alessa.sector-alpha.net)
Port                   25                    6669                                  465
Encryption             StartTLS              StartTLS                              SSL/TLS (SMTPS)
Username               Your full email address, e.g. username@sector-alpha.net
Password               Your email password (see #Webmail to change)
Authentication Method  Normal password (PLAIN)
Notes                  Standard SMTP port    Extra port in case port 25 is blocked  For clients that can't do StartTLS

NOTE: The email certificate is currently self signed

I may be persuadable to enable submission (port 587). Please talk to a server admin.

Both ports 25 and 6669 start as unencrypted connections on which authentication is not offered.

  • The server accepts mail for local addresses without authentication or encryption (this is ordinary inbound delivery).
  • Once StartTLS has been negotiated the connection is encrypted, authentication becomes available, and an authenticated session may relay mail to any address.
    • Authenticated users can send with any From address to any recipient, but a header that most mail clients do not display is added recording which account authenticated, so a spoofed From address is still traceable to the sending account.

On port 465 the TLS session is established before SMTP begins, so authentication is available from the first command.
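The "no authentication until TLS is up" behaviour described for ports 25/6669 and 143/110, and the PLAIN mechanism the tables name, as an added example (my code, not this wiki's and not Postfix's or Courier's). The EHLO and CAPABILITY replies inside it are constructed to match what the page describes, not captured from alessa; the probe_smtp function, its cafile argument and the script name in the usage comment are my own assumptions.

```python
"""Client-side check of the "no authentication before TLS" rule.

Added example, not code from the Sector Alpha wiki or from Postfix/Courier.
The EHLO and CAPABILITY replies below are constructed to match the behaviour
the page describes (no AUTH on the plaintext leg, AUTH offered after
StartTLS); they are not captures from the real server.  The live probe at
the bottom talks to a real port but never sends a password.
"""
import base64
import smtplib
import ssl
from typing import Optional

# Constructed EHLO bodies in the shape smtplib hands back ("250-" prefixes
# already stripped): first line is the server name, then one extension per line.
EHLO_BEFORE_TLS = b"alessa.sector-alpha.net\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
EHLO_AFTER_TLS = b"alessa.sector-alpha.net\nPIPELINING\nSIZE 10240000\nAUTH PLAIN LOGIN\n8BITMIME"

# Constructed IMAP CAPABILITY lines: LOGINDISABLED is how a server says
# "no LOGIN on this plaintext connection" (RFC 2595 / RFC 3501).
IMAP_CAPS_BEFORE_TLS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE"
IMAP_CAPS_AFTER_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN IDLE"


def parse_ehlo(reply: bytes) -> dict:
    """Map each ESMTP extension keyword (lower-cased) to its parameter string."""
    features = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        keyword, _, params = line.strip().partition(" ")
        if keyword:
            features[keyword.lower()] = params.strip()
    return features


def auth_mechanisms(features: dict) -> list:
    """SASL mechanisms advertised on this connection (empty if AUTH is absent)."""
    return features.get("auth", "").split()


def imap_login_allowed(capability_line: str) -> bool:
    """True only if the server does not advertise LOGINDISABLED."""
    return "LOGINDISABLED" not in capability_line.upper().split()


def safe_to_send_credentials(features: dict, tls_established: bool) -> bool:
    """PLAIN only base64-encodes the password, so require TLS *and* an AUTH offer."""
    return tls_established and bool(auth_mechanisms(features))


def sasl_plain(username: str, password: str, authzid: str = "") -> str:
    """Encode the 'Normal password (PLAIN)' response: authzid NUL authcid NUL passwd."""
    raw = b"\x00".join(part.encode("utf-8") for part in (authzid, username, password))
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(token: str) -> tuple:
    """Inverse of sasl_plain; shows that PLAIN is readable to anyone on the wire."""
    parts = base64.b64decode(token).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    return tuple(part.decode("utf-8") for part in parts)


def probe_smtp(host: str, port: int = 25, cafile: Optional[str] = None) -> dict:
    """Record which AUTH mechanisms are offered before and after StartTLS.

    cafile: PEM file holding the server's self-signed certificate, obtained
    out of band from an admin, so the handshake is verified against it
    instead of verification being switched off.
    """
    context = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        before = auth_mechanisms(smtp.esmtp_features)
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        after = auth_mechanisms(smtp.esmtp_features)
    return {"auth_before_starttls": before, "auth_after_starttls": after}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 starttls_check.py alessa.sector-alpha.net 25 [alessa.pem]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        print(probe_smtp(host, port, cafile))
    else:  # offline demonstration on the constructed replies
        print("before StartTLS:", auth_mechanisms(parse_ehlo(EHLO_BEFORE_TLS)))
        print("after StartTLS: ", auth_mechanisms(parse_ehlo(EHLO_AFTER_TLS)))
        print("IMAP LOGIN on plaintext leg:", imap_login_allowed(IMAP_CAPS_BEFORE_TLS))
```

Run it with no arguments for the offline demonstration, or with a host, port and the server's certificate file to probe a real port; it reads the capability list twice and never sends a password. Passing the self-signed certificate as cafile is the right way to live with the "currently self signed" note: verification stays on, the handshake fails loudly if the certificate ever changes, and it still requires the certificate's name to match the host you connect to.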

Webmail

We run a webmail client at https://alessa.sector-alpha.net/webmail/. To log in, use your full email address and email password.

There is also the facility to change your password on the webmail client.

NOTE: The server certificate is currently self signed

Anti-Spam/Virus settings

We run anti-spam and anti-virus checks on inbound email using SpamAssassin and ClamAV; the ClamAV signatures are updated regularly. We also run a shared Bayes filter for SpamAssassin. To teach it, create folders called Learn/Spam and Learn/Ham (case sensitive) under your IMAP Inbox and move messages into them. Spam messages are deleted automatically once they have been learned; ham (not spam) messages are left for you to remove later. Learning runs daily at 03:23 Europe/London. If you have any problems please talk to a server admin.
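A planner for that nightly learning run, as an added example. The wiki's own /root/sa-learnfolders.sh is not shown on this page and this is not it. It assumes Maildirs under /var/vmail laid out as domain/user/Maildir, that the Learn/Spam and Learn/Ham IMAP folders are stored as the Maildir subdirectories .Learn.Spam and .Learn.Ham (Courier's folder separator), and that it runs as the amavis user so the shared Bayes database at /var/lib/amavis/.spamassassin keeps its owner; the sample mailbox tree is constructed.

```python
"""Plan (and optionally run) the shared-Bayes learning pass.

Added example, not the wiki's /root/sa-learnfolders.sh.  Assumptions:
Maildirs live below VMAIL_ROOT as <domain>/<user>/Maildir, the Learn/Spam
and Learn/Ham IMAP folders are the subdirectories .Learn.Spam/.Learn.Ham,
and the script runs as the amavis user (e.g. via sudo -u amavis) so the
shared Bayes DB at BAYES_DB stays owned by amavis.
"""
import os
import subprocess
import tempfile

VMAIL_ROOT = "/var/vmail"                   # assumed location of the Maildirs
BAYES_DB = "/var/lib/amavis/.spamassassin"  # shared Bayes DB named on the page
LEARN_FOLDERS = {".Learn.Spam": "--spam", ".Learn.Ham": "--ham"}


def find_learn_jobs(vmail_root):
    """Return sorted (sa_learn_flag, message_dir, delete_after) tuples.

    Only cur/ and new/ hold delivered messages (tmp/ is skipped), symlinks
    are never followed, and empty folders produce no job.  Spam is deleted
    after learning, ham is kept, as the page says.
    """
    jobs = []
    for dirpath, dirnames, _ in os.walk(vmail_root, followlinks=False):
        for name in dirnames:
            flag = LEARN_FOLDERS.get(name)
            if flag is None:
                continue
            for sub in ("cur", "new"):
                msgdir = os.path.join(dirpath, name, sub)
                if os.path.isdir(msgdir) and os.listdir(msgdir):
                    jobs.append((flag, msgdir, flag == "--spam"))
    return sorted(jobs)


def sa_learn_command(flag, msgdir):
    """argv for one folder; list form, so nothing is shell-parsed."""
    return ["sa-learn", flag, "--no-sync", "--dbpath", BAYES_DB, msgdir]


def run_jobs(jobs, dry_run=True):
    """Learn each folder, sync the journal once, then delete the learned spam."""
    commands = [sa_learn_command(flag, msgdir) for flag, msgdir, _ in jobs]
    if jobs:
        commands.append(["sa-learn", "--sync", "--dbpath", BAYES_DB])
    if dry_run:
        return commands
    for cmd in commands:
        subprocess.run(cmd, check=True)
    for _, msgdir, delete_after in jobs:
        if delete_after:
            for entry in os.scandir(msgdir):
                if entry.is_file(follow_symlinks=False):  # regular files only
                    os.unlink(entry.path)
    return commands


def make_demo_tree():
    """Constructed sample: alice has spam to learn, bob has ham, neither is real."""
    root = tempfile.mkdtemp(prefix="vmail-demo-")
    layout = {
        "sector-alpha.net/alice/Maildir/.Learn.Spam/cur": ["1.msg", "2.msg"],
        "sector-alpha.net/alice/Maildir/.Learn.Ham/cur": [],
        "sector-alpha.net/bob/Maildir/.Learn.Ham/new": ["3.msg"],
        "sector-alpha.net/bob/Maildir/.Sent/cur": ["4.msg"],
    }
    for rel, files in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path)
        for name in files:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("Subject: demo\n\nconstructed message\n")
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for cmd in run_jobs(find_learn_jobs(demo), dry_run=True):
        print(" ".join(cmd))
```

By default it only prints the sa-learn commands; the 03:23 cron entry would call run_jobs(find_learn_jobs(VMAIL_ROOT), dry_run=False). Learning with --no-sync and syncing once at the end avoids rewriting the database per folder, and deleting only regular files inside the spam folder's cur/ and new/, without following symlinks, keeps a crafted mailbox from reaching outside its own Maildir.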

Advanced Features

If you don't want a separate email account we can instead set the server up to forward your mail to another (external or internal) address. The server can also deliver "tagged" addresses into specific folders of your Inbox. For either of these options please talk to a server admin.

Server Setup for Admins

For terms see https://en.wikipedia.org/wiki/Message_transfer_agent

Our setup is based on Postfix as the MTA/MSA and Courier as the IMAP/POP3 server (the MUA is whichever client you connect with). Accounts are virtual: all mail is stored under a single dedicated system user (the vmail user), and the virtual accounts themselves live in a MySQL database.

As an extra complication, Postfix can no longer authenticate against MySQL via PAM and SASL, so we have switched to Courier's authdaemon for authentication. Postfix's smtpd runs chrooted under /var/spool/postfix, so it cannot reach the authdaemon socket at its usual place under /var/run/courier/authdaemon/; the workaround is to have authdaemon create its socket directory inside the chroot and symlink the original path to it. These symlinks may need to be recreated if either postfix or courier is upgraded. Details are at https://askubuntu.com/a/806358. The commands are:

sudo service courier-authdaemon stop
# remove the original socket directory and any stale copy inside the chroot
sudo rm -rf /var/run/courier/authdaemon/ /var/spool/postfix/var/run/courier/authdaemon/
# recreate it where the chrooted smtpd can reach it ...
sudo mkdir -p /var/spool/postfix/var/run/courier/authdaemon/
# ... and point the original path at it so authdaemon and Courier still find it
sudo ln -s /var/spool/postfix/var/run/courier/authdaemon/ /var/run/courier/authdaemon
sudo service courier-authdaemon start

Advanced Features

We have a feature called "sub accounts" that delivers addresses of the form username-tag@domain into a configured subfolder of the username@domain account's Inbox. This currently has to be configured directly in the DB, but will be included in any administration tool that gets developed.

The table's columns are:

  1. the email address of the account, e.g. username@domain
  2. the tag portion (without the -), e.g. tag
  3. the folder within the account's Inbox to deliver to, e.g. folder.subfolder (no leading . is needed, it is added automatically)
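The lookup those three columns drive, as an added example rather than the server's own delivery code. The page does not give the table or column names, so SUB_ACCOUNTS below is a constructed in-memory stand-in for the MySQL table, and the domain/user/Maildir layout in delivery_dir is an assumption; the folder naming (folder.subfolder in the table, leading "." added for the Maildir directory) follows the page.

```python
"""Resolve username-tag@domain to the sub-account folder it should land in.

Added example, not the wiki's own delivery code.  SUB_ACCOUNTS stands in for
the MySQL table the page describes (its real table and column names are
not given); the Maildir layout assumed by delivery_dir is also a guess.
"""
import os
import re

# Constructed sample rows: (account address, tag without the '-', folder)
SUB_ACCOUNTS = [
    ("alice@sector-alpha.net", "lists", "Lists"),
    ("alice@sector-alpha.net", "shop", "Receipts.Shopping"),
    ("bob-smith@sector-alpha.net", "work", "Work"),
]

# Folder names: dot-separated components, no slashes, no empty components,
# so a bad row in the table cannot turn into "../" path traversal.
FOLDER_RE = re.compile(r"^[A-Za-z0-9_ -]+(\.[A-Za-z0-9_ -]+)*$")


def _index(rows):
    """Case-insensitive (address, tag) -> folder map; rejects unsafe folder names."""
    table = {}
    for addr, tag, folder in rows:
        if FOLDER_RE.match(folder):
            table[(addr.lower(), tag.lower())] = folder
    return table


def resolve_sub_account(recipient, rows=SUB_ACCOUNTS):
    """Return (account_address, maildir_folder) for a tagged recipient, or None.

    Every '-' in the local part is tried as the username/tag boundary, longest
    username first, so an account whose username itself contains '-'
    (bob-smith) still resolves.  Matching is case-insensitive.
    """
    local, sep, domain = recipient.partition("@")
    if not sep or not domain or not local:
        return None
    table = _index(rows)
    for i in range(len(local) - 1, 0, -1):
        if local[i] != "-":
            continue
        account = f"{local[:i]}@{domain}".lower()
        folder = table.get((account, local[i + 1:].lower()))
        if folder is not None:
            return (account, "." + folder)  # Courier Maildir directory name
    return None


def delivery_dir(account, maildir_folder, vmail_root="/var/vmail"):
    """Assumed layout: <vmail_root>/<domain>/<user>/Maildir/<.folder.subfolder>."""
    user, _, domain = account.partition("@")
    return os.path.join(vmail_root, domain, user, "Maildir", maildir_folder)


if __name__ == "__main__":
    for rcpt in ("alice-lists@sector-alpha.net", "Alice-Shop@Sector-Alpha.net",
                 "bob-smith-work@sector-alpha.net", "alice-nope@sector-alpha.net"):
        hit = resolve_sub_account(rcpt)
        print(rcpt, "->", delivery_dir(*hit) if hit else "no sub-account rule")
```

An unknown tag returns None rather than guessing, so the caller can fall back to normal delivery for the base account or reject the message; which of those the real server does is not stated on the page.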

To Migrate the Server

  1. Install the required packages
    1. postfix
    2. postfix-mysql
    3. sasl2-bin
    4. libsasl2-modules-sql
    5. libpam-mysql
    6. courier-imap
    7. courier-pop
    8. courier-imap-ssl
    9. courier-pop-ssl
    10. amavisd-new
    11. spamassassin
    12. clamav
    13. clamav-daemon
    14. pyzor
    15. razor
    16. squirrelmail
  2. Do the actual migration
    1. Shutdown Postfix and Courier
    2. Shutdown AmavisNew, ClamAV and SpamAssassin
    3. Shutdown MySQL
    4. Copy MySQL data and settings to new server
    5. Reactivate MySQL
    6. Copy amavisd-new, ClamAV and SpamAssassin settings
      • Make sure to remember the bayes DB and learning script
      • Remember to activate checks in /etc/amavis/conf.d/15-content_filter_mode
      • Make sure to add the amavis user to the clamav group
    7. Copy Mail folders over
    8. Copy Postfix and Courier settings
      • Make sure to update them if the DB or vmail user details have changed
      • Make sure to copy the PAM and sasl settings for Postfix and Courier over
      • Make sure to add the postfix user to the sasl group
    9. Reactivate Postfix and check emails are being delivered
    10. Reactivate Courier and check mailboxes can be accessed
    11. Only now update DNS if required
    12. Add sa-learnfolders.sh to root's crontab (the 03:23 Europe/London learning run)

Full List of Config files

  • /etc/postfix/mysql-*.cf to same
  • /etc/postfix/sasl/* to same
  • /etc/postfix/master.cf and /etc/postfix/main.cf, copied with a suffix (e.g. /etc/postfix/master.cf.new) and merged into the new server's files by hand
  • /etc/courier/authdaemonrc /etc/courier/authmysqlrc /etc/courier/imapd /etc/courier/pop3d /etc/courier/imapd-ssl /etc/courier/pop3d-ssl, all with a suffix
  • /root/sa-learnfolders.sh /var/lib/amavis/.spamassassin to same folder
  • /etc/amavis/conf.d/50-user to same
  • /etc/pam.d/imap /etc/pam.d/pop3 /etc/pam.d/smtp with suffix
  • /etc/default/saslauthd, with a suffix
  • /etc/aliases and /etc/aliases.db
  • /etc/postfix/smtpd.* (the SSL key and certificate; keep the key root-only, mode 0600, and check the file paths in main.cf still match)

Self Signed Cert Generation

Courier uses PEM files that hold the certificate and private key together (/etc/courier/imapd.pem and /etc/courier/pop3d.pem, subject details taken from imapd.cnf and pop3d.cnf). To generate new ones run sudo /usr/lib/courier/mkimapdcert and sudo /usr/lib/courier/mkpop3dcert. The scripts refuse to overwrite an existing .pem, so move the old file aside first, and keep the new files readable only by root since they contain the private key. Remember the fingerprint changes, so users who pinned the old certificate will be prompted again.