Difference between revisions of "Email Server"
Older revision: (Adding SMTPS)
Newer revision: (added new postfix auth setup)
Line 82:
Our setup is based off of Postfix as the MTA/MSA and Courier as the MUA, with virtual user accounts and all emails stored in a special designated user account. The virtual user accounts are stored in a MySQL database. | Our setup is based off of Postfix as the MTA/MSA and Courier as the MUA, with virtual user accounts and all emails stored in a special designated user account. The virtual user accounts are stored in a MySQL database. | ||
+ | |||
+ | As an extra complication postfix is no longer able to authenticate using mysql via pam and sasl so we have switched to using courier's authdaemon for authentication. This requires a few symlinks to stop security features blocking the authentication. These symlinks may need to be remade if either postfix or courier are updated. Details are at https://askubuntu.com/a/806358. The code to produce the symlinks is: | ||
+ | sudo service courier-authdaemon stop | ||
+ | sudo rm -rf /var/run/courier/authdaemon/ /var/spool/postfix/var/run/courier/authdaemon/ | ||
+ | sudo mkdir -p /var/spool/postfix/var/run/courier/authdaemon/ | ||
+ | sudo ln -s /var/spool/postfix/var/run/courier/authdaemon/ /var/run/courier/authdaemon | ||
+ | sudo service courier-authdaemon start | ||
=== Advanced Features === | === Advanced Features === |
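Review bot: on the added `sudo rm -rf /var/run/courier/authdaemon/ ...` line the deletion runs even when the preceding `sudo service courier-authdaemon stop` has failed, so the socket directory can be removed from under a still-running authdaemon; chain the five commands with `&&` (or run them under `set -e`) so a failed stop aborts the sequence. The sentence "a few symlinks to stop security features blocking the authentication" should also name the feature being worked around: the target path /var/spool/postfix/var/run/courier/authdaemon/ is inside the Postfix chroot, which is why the authdaemon socket directory is moved into the chroot and /var/run/courier/authdaemon is linked back to it, and stating that makes it clear why the links must be recreated after a package update restores the original directory.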
Latest revision as of 10:23, 10 October 2017
User Settings for Sector Alpha's email servers
All the settings are below. We recommend using IMAP for inbound mail, as it leaves your emails on the server so they can be accessed by multiple clients, including the webmail. For desktop clients we recommend Thunderbird, but any client should work. All the options available are secure and work well. If you have problems, try googling first; if that doesn't work, the admins may be able to help.
Inbound Server Settings
We have a few options for the settings that can be used, so I have formatted them as a table.

| Setting | IMAP | IMAP | POP3 | POP3 |
|---|---|---|---|---|
| Server Address | sector-alpha.net (or alessa.sector-alpha.net) | (same) | (same) | (same) |
| Port | 143 | 993 | 110 | 995 |
| Encryption | StartTLS | SSL/TLS | StartTLS | SSL/TLS |
| Username | Your full email address, e.g. username@sector-alpha.net | (same) | (same) | (same) |
| Password | Your email password (see #Webmail to change it) | (same) | (same) | (same) |
| Authentication Method | Normal password (PLAIN) | (same) | (same) | (same) |
NOTE: The email certificate is currently self signed
An unencrypted connection can be made on ports 143 and 110, but authentication is not offered until a secure connection has been established, so emails cannot be accessed over an unencrypted connection.
A few clients may have problems with all folders appearing inside their INBOX when connecting using IMAP. This is a problem with your email client and can be worked around by setting the IMAP namespace to INBOX; see http://www.courier-mta.org/FAQ.html#namespace for more details.
Outbound Email Settings
SMTP settings are:

| Setting | SMTP | SMTP (alternative port) | SMTPS |
|---|---|---|---|
| Server Address | sector-alpha.net (or alessa.sector-alpha.net) | (same) | (same) |
| Port | 25 | 6669 | 465 |
| Encryption | StartTLS | StartTLS | SSL (SMTPS) |
| Username | Your full email address, e.g. username@sector-alpha.net | (same) | (same) |
| Password | Your email password (see #Webmail to change it) | (same) | (same) |
| Authentication Method | Normal password (PLAIN) | (same) | (same) |
| Notes | Standard SMTP port | Extra port to allow access if port 25 is blocked | Port for clients that can't do StartTLS |
NOTE: The email certificate is currently self signed
I may be persuadable to enable submission (port 587). Please talk to a server admin.
Connections to ports 25 and 6669 start out unencrypted, and authentication is not offered on the unencrypted session:
- The server will accept email for local recipients without authentication or encryption.
- Once StartTLS has been negotiated the connection is encrypted, authentication becomes available, and an authenticated client can use the server to relay emails.
- Authenticated users can send emails with any from address and to any address, but a header (not normally shown by mail clients) is added recording which user authenticated to the server.
For port 465 a secure connection is established before SMTP starts, so authentication is available from the start.
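The rule above (no AUTH on the plaintext session, AUTH only after StartTLS) is something an admin can verify from the outside. The following is an added example, not part of the server's configuration: `auth_mechanisms()` parses a captured EHLO reply, `policy_ok()` applies the rule, and `check_host()` does a live probe against the host names on this page (it assumes network access and, because the page says the certificate is self-signed, relaxes certificate verification for the probe only). The two EHLO replies embedded below are constructed, not captured from sector-alpha.net.

```python
"""Verify that an SMTP port only advertises AUTH after STARTTLS.

Added example for this page; not the server's own code.
"""
import smtplib
import ssl


def auth_mechanisms(ehlo_reply: bytes) -> set:
    """Return the AUTH mechanisms advertised in a multi-line EHLO reply.

    smtplib.SMTP.ehlo() keeps the raw reply in .ehlo_resp, which is the same
    text seen in a packet capture. Both the "AUTH PLAIN LOGIN" form and the
    older "AUTH=PLAIN LOGIN" form are recognised. Empty set means no AUTH
    extension was advertised at all.
    """
    mechs = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        # Extension lines look like "250-STARTTLS" or, on the last line,
        # "250 8BITMIME"; strip the reply code and continuation marker.
        body = line[4:] if line[:3] == "250" and line[3:4] in "- " else line
        words = body.replace("=", " ").split()
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs


def policy_ok(before_tls: set, after_tls: set) -> bool:
    """True when nothing is offered in the clear but something is after TLS."""
    return not before_tls and bool(after_tls)


def check_host(host="sector-alpha.net", port=25, timeout=10):
    """Live probe of a StartTLS port (25 or 6669 on this page).

    Returns (plaintext_mechanisms, encrypted_mechanisms) so the caller can
    apply policy_ok(). Certificate verification is disabled for this probe
    because the page notes the certificate is self-signed; real clients
    should trust or pin that certificate instead.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        plain = auth_mechanisms(smtp.ehlo_resp)
        smtp.starttls(context=ctx)
        smtp.ehlo()  # extensions must be re-read after STARTTLS
        secure = auth_mechanisms(smtp.ehlo_resp)
    return plain, secure


# Constructed replies resembling a Postfix server before and after STARTTLS.
PLAINTEXT_EHLO = (b"250-alessa.sector-alpha.net\r\n250-PIPELINING\r\n"
                  b"250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME")
ENCRYPTED_EHLO = (b"250-alessa.sector-alpha.net\r\n250-PIPELINING\r\n"
                  b"250-AUTH PLAIN LOGIN\r\n250-AUTH=PLAIN LOGIN\r\n250 8BITMIME")


if __name__ == "__main__":
    before = auth_mechanisms(PLAINTEXT_EHLO)
    after = auth_mechanisms(ENCRYPTED_EHLO)
    print("plaintext:", before or "none", "| after TLS:", after)
    print("policy ok:", policy_ok(before, after))
```

Run `check_host("sector-alpha.net", 6669)` to probe the alternative port; a result where the first set is non-empty means the server is offering password authentication before encryption, which is exactly what the settings above say it must not do.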
Webmail
We run a webmail client at https://alessa.sector-alpha.net/webmail/. To login use your full email address and email password.
There is also the facility to change your password on the webmail client.
NOTE: The server certificate is currently self signed
Anti-Spam/Virus settings
We have anti-spam and anti-virus checks on inbound emails using SpamAssassin and ClamAV. ClamAV is regularly updated. We also run a shared Bayes filter for SpamAssassin. To teach spam and ham (not spam) messages to the filter, create folders called Learn/Spam and Learn/Ham (case sensitive) in your IMAP Inbox and place emails in them. Spam emails will be automatically deleted after learning. Ham emails will be left for you to remove at a later point. The filter learns at 3:23 Europe/London. If you have any problems please talk to a server admin.
Advanced Features
If you don't want a separate email account we can instead set up the server to forward emails to another (external or internal) address. Our email server also has options to forward "tagged" emails to specific folders in your inbox. For either of these options please talk to a server admin.
Server Setup for Admins
For terms see https://en.wikipedia.org/wiki/Message_transfer_agent
Our setup is based off of Postfix as the MTA/MSA and Courier as the MUA, with virtual user accounts and all emails stored in a special designated user account. The virtual user accounts are stored in a MySQL database.
As an extra complication, Postfix is no longer able to authenticate against MySQL via PAM and SASL, so we have switched to using Courier's authdaemon for authentication. This requires a few symlinks so that the authdaemon socket is reachable from Postfix's chrooted daemons, which would otherwise block the authentication. These symlinks may need to be remade if either Postfix or Courier is updated. Details are at https://askubuntu.com/a/806358. The commands to produce the symlinks are:

    # stop authdaemon before moving its socket directory
    sudo service courier-authdaemon stop
    # remove the old socket directory and any stale copy inside the Postfix chroot
    sudo rm -rf /var/run/courier/authdaemon/ /var/spool/postfix/var/run/courier/authdaemon/
    # recreate the socket directory inside the chroot and link the normal path to it
    sudo mkdir -p /var/spool/postfix/var/run/courier/authdaemon/
    sudo ln -s /var/spool/postfix/var/run/courier/authdaemon/ /var/run/courier/authdaemon
    sudo service courier-authdaemon start
Advanced Features
We have a feature called "sub accounts" that allows addresses of the form username-tag@domain to be delivered to a configured subfolder in the username@domain account's Inbox. This currently has to be configured directly in the DB but will be included in any administration tool developed.
The table columns are:
- the email address of the account, e.g. username@domain
- the tag portion (without the -), e.g. tag
- the folder within the account's Inbox to place the email in, e.g. folder.subfolder (no initial . is required as it is added automatically)
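To make the mapping concrete, here is an added example (not the server's own delivery code) that resolves a username-tag@domain address against rows holding exactly the three columns listed above and returns the Maildir folder Courier will use. The in-memory table, the addresses in it and the function names are constructed for illustration. It matches against each configured (account, tag) pair rather than splitting the local part on the first "-", so it also handles the edge case of an account whose own username contains a hyphen, which the page does not discuss.

```python
"""Resolve a "sub account" address to its delivery folder.

Added example for this page; the rows and helper names are assumptions.
"""
from typing import Optional, Tuple

# Constructed rows mirroring the three DB columns the page lists:
# (account address, tag without the '-', folder without the leading '.').
SUB_ACCOUNTS = [
    ("alice@example.org", "lists", "Lists"),
    ("alice@example.org", "shop", "Shopping.Receipts"),
    ("bob-smith@example.org", "work", "Work"),
]


def maildir_folder(folder: str) -> str:
    """Courier keeps IMAP folders as Maildir++ subdirectories whose names start
    with a dot (folder.subfolder -> .folder.subfolder); add it unless the
    configured value already has one."""
    return folder if folder.startswith(".") else "." + folder


def resolve(address: str, rows=SUB_ACCOUNTS) -> Optional[Tuple[str, str]]:
    """Return (account address, Maildir folder) for username-tag@domain,
    or None when no configured sub account matches."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        return None  # not an email address at all
    for account, tag, folder in rows:
        acct_local, _, acct_domain = account.rpartition("@")
        # Compare the whole "username-tag" string so a hyphenated username
        # such as bob-smith cannot be mis-split as username "bob", tag "smith-...".
        if (domain.lower() == acct_domain.lower()
                and local.lower() == f"{acct_local}-{tag}".lower()):
            return account, maildir_folder(folder)
    return None


if __name__ == "__main__":
    for addr in ("alice-lists@example.org", "bob-smith-work@example.org",
                 "alice-unknown@example.org"):
        print(addr, "->", resolve(addr))
```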
To Migrate the Server
- Install the required packages:
  - postfix
  - postfix-mysql
  - sasl2-bin
  - libsasl2-modules-sq
  - libpam-mysql
  - courier-imap
  - courier-pop
  - courier-imap-ssl
  - courier-pop-ssl
  - amavisd-new
  - spamassassin
  - clamav
  - clamav-daemon
  - pyzor
  - razor
  - squirrelmail
- Do the actual migration:
  - Shut down Postfix and Courier
  - Shut down AmavisNew, ClamAV and SpamAssassin
  - Shut down MySQL
  - Copy MySQL data and settings to the new server
  - Reactivate MySQL
  - Copy AmavisNew, ClamAV and SpamAssassin settings
    - Make sure to remember the Bayes DB and learning script
    - Remember to activate checks in /etc/amavis/conf.d/15-content_filter_mode
    - Make sure to add the amavis user to the clamav group
  - Copy Mail folders over
  - Copy Postfix and Courier settings
    - Make sure to update them if DB or vmail user details have changed
    - Make sure to copy the PAM and SASL settings for Postfix and Courier over
    - Make sure to add the postfix user to the sasl group
  - Reactivate Postfix and check emails are being delivered
  - Reactivate Courier and check mailboxes can be accessed
  - Only now update DNS if required
  - Add sa-learnfolders.sh to root's crontab
Full List of Config files
- /etc/postfix/mysql-*.cf to the same path
- /etc/postfix/sasl/* to the same path
- /etc/postfix/master.cf and /etc/postfix/main.cf with a suffix (e.g. /etc/postfix/master.cf.new and the like), so the new server's own copies are not overwritten before they are merged
- /etc/courier/authdaemonrc, /etc/courier/authmysqlrc, /etc/courier/imapd, /etc/courier/pop3, /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl, all with a suffix
- /root/sa-learnfolders.sh and /var/lib/amavis/.spamassassin to the same folder
- /etc/amavis/conf.d/50-user to the same path
- /etc/pam.d/imap, /etc/pam.d/pop3 and /etc/pam.d/smtp with a suffix
- /etc/defaults/saslauthd with a suffix
- /etc/aliases and /etc/aliases.db
- /etc/postfix/smtpd.* (the SSL key and certificate)
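Before starting the migration it is worth confirming on the old server that everything in the list above actually exists, and that the two group memberships the steps call out (amavis in clamav, postfix in sasl) are in place on the new one. The script below is an added example, not part of this page's procedure: the file list is copied from the page (the "with a suffix" detail does not matter for an existence check), and the lookups are injectable so the check can be exercised with constructed fixtures. Note that `grp` only reports supplementary members, so a user whose primary group is the one required would be reported as missing.

```python
"""Pre-migration inventory check for the config files and groups listed above.

Added example for this page; not the page's own script.
"""
import glob
import grp
import os

# Files the page says must be carried over (globs are expanded at check time).
CONFIG_FILES = [
    "/etc/postfix/mysql-*.cf",
    "/etc/postfix/sasl/*",
    "/etc/postfix/master.cf",
    "/etc/postfix/main.cf",
    "/etc/courier/authdaemonrc",
    "/etc/courier/authmysqlrc",
    "/etc/courier/imapd",
    "/etc/courier/pop3",
    "/etc/courier/imapd-ssl",
    "/etc/courier/pop3d-ssl",
    "/root/sa-learnfolders.sh",
    "/var/lib/amavis/.spamassassin",
    "/etc/amavis/conf.d/50-user",
    "/etc/pam.d/imap",
    "/etc/pam.d/pop3",
    "/etc/pam.d/smtp",
    "/etc/defaults/saslauthd",
    "/etc/aliases",
    "/etc/aliases.db",
    "/etc/postfix/smtpd.*",
]

# (user, group) memberships the migration steps call out.
REQUIRED_MEMBERSHIPS = [("amavis", "clamav"), ("postfix", "sasl")]


def missing_files(patterns=CONFIG_FILES, expand=glob.glob, exists=os.path.exists):
    """Return the entries from the list that match nothing on this host.

    Entries containing glob characters are expanded; plain paths are checked
    directly. `expand` and `exists` default to the real filesystem and can be
    replaced with fixtures for testing.
    """
    missing = []
    for pattern in patterns:
        if any(c in pattern for c in "*?["):
            found = bool(expand(pattern))
        else:
            found = exists(pattern)
        if not found:
            missing.append(pattern)
    return missing


def members_of(group: str):
    """Supplementary members of a system group; KeyError if it does not exist."""
    return set(grp.getgrnam(group).gr_mem)


def missing_memberships(required=REQUIRED_MEMBERSHIPS, members=members_of):
    """Return the (user, group) pairs where the user is not a member, treating
    a non-existent group as a missing membership."""
    missing = []
    for user, group in required:
        try:
            present = user in members(group)
        except KeyError:
            present = False
        if not present:
            missing.append((user, group))
    return missing


if __name__ == "__main__":
    for path in missing_files():
        print("missing config:", path)
    for user, group in missing_memberships():
        print(f"user {user} is not in group {group}")
```

Run it once on the old server (expect no missing files) and once on the new server after the copy step (expect no missing files and no missing memberships) before reactivating Postfix and Courier.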
Self Signed Cert Generation
Courier uses PEM certificates. To generate new ones, run sudo /usr/lib/courier/mkpop3dcert and sudo /usr/lib/courier/mkimapdcert.