Troubleshooting Amavisd

Recently my mail server just stopped.  No indication of problems, just no mail delivered.  So what do you do in this situation?  Since I have set things up so that I receive an email summary of the day's mail, when that summary does not come it tells me I have trouble.

1. Check the Logs
This seems so obvious, but in reality it is easy to do a lot of other things before you check the logs.  Check the logs first.  So what I find in the logs is this:

May 12 19:28:44 ns amavis[10218]: (10218-01-3) (!!)TROUBLE in process_request: Can't create file /var/vscan/tmp/amavis-20090512T192844-10218/email.txt: File exists at ./amavisd line 5119, <GEN12> line 341.

This tells you that the problem is in amavisd, but it is misleading from there on out.  In fact, if you see this error and search Google you will find that the recommendation is to re-queue your messages with:

postsuper -r ALL

But you will also find that this does not solve the issue.  The issue is amavisd.  So on to step two of the analysis.

2. What Changed?
After 20 years of troubleshooting computers and servers, the most powerful troubleshooting tool I have found is this question.  One of the most unfortunate things people do is immediately start searching Google for an answer and begin applying possible solutions before asking it.  Really, this stuff is not magic; there has to be a cause and effect relationship.  If you ask yourself this question first, you will not apply those solutions which suggest that you start modifying master.cf or main.cf, because those files have not changed.  Do not modify things that did not change in order to find a solution.  Instead, think about the things related to amavisd that do change over the course of time.  The first answer you should get is that it works with ClamAV, actually clamd, to scan for viruses.  So you know that one thing that does change is that the virus signatures are updated, and when they are updated clamd must be notified of the changes.

As you investigate the logs in detail you will find a number of lines that indicate a problem with amavisd but give no clue as to what you need to fix.  Again, if you did not change it, look elsewhere.

May 12 18:05:18 ns amavis[5424]: (05424-07-2) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file)
error: run_command (open pipe): Can't fork at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/IO/File.pm line 188, <GEN55> line 113
. at ./amavisd line 2873, <GEN55> line 113.

3. Is amavisd Running?
Typically when amavisd has a problem it stops, and when it stops virus checking is also disabled, so mail cannot be delivered because it cannot be scanned.  So if you find that amavisd is not running, restart clamd, spamassassin and amavisd.  You will be amazed at how many times restarting these three will solve problems, and it certainly solved the one mentioned above.

4. Debug Mode
If this does not solve the issue, run amavisd in debug mode, as that will provide a wealth of information you can use.  Read the output carefully and it will usually point right to the problem.

amavisd debug

Summary:
When you are using amavisd, always remember that it is closely tied to clamd and spamassassin.  Any change to either of them (including virus signature updates) can create problems, so restart these three first.
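The four steps above can be scripted so that they are done in the same order every time.  The following is an added example (not from the original post): it counts the amavis "(!!)TROUBLE" lines in the mail log, reports which amavisd stage they came from, counts deliveries Postfix deferred to the content filter on port 10024, checks whether the three daemons are up, and restarts them in the order the post recommends.  The log path, init script directory and exact process names are assumptions for your system; the log lines embedded below are constructed from the ones shown above so the helper runs offline.

```sh
#!/bin/sh
# Added example, not part of the original post.  Assumed: MAILLOG, INIT_DIR,
# and that the daemons are named clamd, spamassassin and amavisd.

MAILLOG="${MAILLOG:-/var/log/maillog}"     # assumed log path
SERVICES="clamd spamassassin amavisd"       # restart order used in the post
INIT_DIR="${INIT_DIR:-/etc/init.d}"         # assumed init script location

# Constructed sample log (stands in for $MAILLOG when testing offline).
LOG_SAMPLE='May 12 19:28:44 ns amavis[10218]: (10218-01-3) (!!)TROUBLE in process_request: cannot create file /var/vscan/tmp/amavis-20090512T192844-10218/email.txt: File exists at ./amavisd line 5119
May 12 19:28:45 ns postfix/smtp[10300]: 1A2B3C4D5E: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, status=deferred (host said: 451 4.5.0 Error in processing)
May 12 18:05:18 ns amavis[5424]: (05424-07-2) (!!)TROUBLE in check_mail: parts_decode_ext FAILED: file(1) utility (/usr/bin/file)
May 12 18:05:20 ns amavis[5424]: (05424-07-2) Passed CLEAN, <a@example.org> -> <user@example.com>'

# Number of amavis TROUBLE lines in the log text on stdin.
count_trouble() {
    grep -c 'amavis\[[0-9][0-9]*\]: .*(!!)TROUBLE' || true
}

# Distinct amavisd stages that reported TROUBLE (process_request, check_mail, ...).
trouble_stages() {
    sed -n 's/.*(!!)TROUBLE in \([A-Za-z_]*\):.*/\1/p' | sort -u
}

# Postfix deliveries deferred by the amavisd content filter on 127.0.0.1:10024.
count_deferred_to_filter() {
    grep -c 'relay=127.0.0.1\[127.0.0.1\]:10024.*status=deferred' || true
}

# Is a daemon running?  pgrep -x matches the exact process name, which may
# differ on your distribution (assumption).
is_running() {
    pgrep -x "$1" >/dev/null 2>&1
}

# Restart clamd, spamassassin and amavisd in that order.  With DRY_RUN=1 the
# commands are only printed.
restart_chain() {
    for svc in $SERVICES; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$INIT_DIR/$svc restart"
        else
            "$INIT_DIR/$svc" restart
        fi
    done
}

# Short report for the real log: what broke, where, and what is still running.
report() {
    echo "TROUBLE lines:      $(count_trouble < "$MAILLOG")"
    echo "Stages:             $(trouble_stages < "$MAILLOG" | tr '\n' ' ')"
    echo "Deferred to filter: $(count_deferred_to_filter < "$MAILLOG")"
    for svc in $SERVICES; do
        if is_running "$svc"; then echo "$svc: running"; else echo "$svc: NOT running"; fi
    done
}

# Usage: TRIAGE_RUN=1 sh amavis-triage.sh     (then call restart_chain if needed)
if [ "${TRIAGE_RUN:-0}" = "1" ]; then report; fi
```

Run the report first; if amavisd is not running, restart_chain performs the restart in the order given in step 3, and the stage names tell you whether to look at clamd (check_mail failures) or at amavisd's own temporary directory (process_request failures) before going to debug mode.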

Postfix: Whitelists and Blacklists

Whitelists / Blacklists
You can set up whitelists and blacklists to modify the settings to make sure certain email addresses never get blocked or always get blocked.

Prevent any Spam Checking
In order to turn off spam checking entirely for certain addresses you can use the bypass option.  These options are added to amavisd.conf:

@bypass_spam_checks_acl = qw( mike@example.com joe@example.com);

The spam lovers option makes sure that if you do a check the email is not tagged as spam and is not quarantined.

@spam_lovers_acl = ('mike@example.com', 'joe@example.com');

Sender Whitelist and Blacklist
This is built on the sender address, the envelope FROM (MAIL FROM) in the SMTP connection.  In amavisd, if an address is on both the blacklist and the whitelist, both actions take place.

@blacklist_sender_acl = ('jane@example.org', 'john@example.com');

@whitelist_sender_acl = ('jane@example.org', 'john@example.com');
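Because both actions apply when a sender is on both lists, it is worth checking for that overlap before restarting amavisd.  The following is an added example (not from the post): it extracts the entries of @blacklist_sender_acl and @whitelist_sender_acl from an amavisd.conf and prints any address that appears in both.  The configuration text below is a constructed fragment; the CONF path is an assumption.

```sh
#!/bin/sh
# Added example, not part of the original post.  Reads simple one-level
# list assignments such as  @whitelist_sender_acl = ('a@x', 'b@y');
# (a commented-out copy of the assignment would also be picked up, so keep
# only one live definition of each list in the file).

CONF="${CONF:-/etc/amavisd.conf}"    # assumed path

# Constructed fragment with one address on both lists.
CONF_SAMPLE="@blacklist_sender_acl = ('jane@example.org', 'john@example.com');
@whitelist_sender_acl = (
    'jane@example.org',
    'boss@example.com'
);"

# Entries of the named list, one per line and sorted.   $1 = list name, $2 = conf text
acl_entries() {
    printf '%s\n' "$2" | tr '\n' ' ' |
        sed -n "s/.*@$1 *= *(\([^)]*\)).*/\1/p" |
        tr -d "'\"" | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -v '^$' | sort
}

# Addresses present on both the blacklist and the whitelist.   $1 = conf text
acl_overlap() {
    { acl_entries blacklist_sender_acl "$1"; acl_entries whitelist_sender_acl "$1"; } |
        sort | uniq -d
}

# Exit status 1 (with the offending addresses) when overlap exists, so the
# check can gate a restart.   $1 = conf text
check_conf() {
    dup=$(acl_overlap "$1")
    if [ -n "$dup" ]; then
        echo "on both blacklist and whitelist:"
        echo "$dup"
        return 1
    fi
    echo "no sender listed on both ACLs"
    return 0
}

# Usage: ACL_CHECK_RUN=1 sh acl-check.sh && /etc/init.d/amavisd restart
if [ "${ACL_CHECK_RUN:-0}" = "1" ]; then
    check_conf "$(cat "$CONF")"
fi
```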

You can set up a regular expression option that looks like this.

$blacklist_sender_re = new_RE(
qr'^(money|savings|loan)@'i,
qr'^(health|workouts|diet)@'i,
qr'^(job|at_home|new-job)\d*@'i,
);

Here are the default blacklist/whitelist options in amavisd.conf.  Notice that here amavisd does not block a blacklisted sender outright but adds to its spam score so it is more likely to be classified as spam (soft-blacklisting); this score-based approach helps reduce false positives if that is an issue.  A negative score (with a "-") lowers the spam score instead (soft-whitelisting).

@score_sender_maps = ({  # by-recipient hash lookup table (enclosing assignment in amavisd.conf)
## site-wide opinions about senders (the '.' matches any recipient)
'.' => [  # the _first_ matching sender determines the score boost

new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
[qr'^(your_friend|greatoffers)@'i                                => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
),

#  read_hash("/var/amavis/sender_scores_sitewide"),

{ # a hash-type lookup table (associative array)
'nobody@cert.org'                        => -3.0,
'cert-advisory@us-cert.gov'              => -3.0,
'owner-alert@iss.net'                    => -3.0,
'slashdot@slashdot.org'                  => -3.0,
'securityfocus.com'                      => -3.0,
'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
'security-alerts@linuxsecurity.com'      => -3.0,
'mailman-announce-admin@python.org'      => -3.0,
'amavis-user-admin@lists.sourceforge.net'=> -3.0,
'amavis-user-bounces@lists.sourceforge.net' => -3.0,
'spamassassin.apache.org'                => -3.0,
'notification-return@lists.sophos.com'   => -3.0,
'owner-postfix-users@postfix.org'        => -3.0,
'owner-postfix-announce@postfix.org'     => -3.0,
'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
'sendmail-announce-request@lists.sendmail.org' => -3.0,
'donotreply@sendmail.org'                => -3.0,
'ca+envelope@sendmail.org'               => -3.0,
'noreply@freshmeat.net'                  => -3.0,
'owner-technews@postel.acm.org'          => -3.0,
'ietf-123-owner@loki.ietf.org'           => -3.0,
'cvs-commits-list-admin@gnome.org'       => -3.0,
'rt-users-admin@lists.fsck.com'          => -3.0,
'clp-request@comp.nus.edu.sg'            => -3.0,
'surveys-errors@lists.nua.ie'            => -3.0,
'emailnews@genomeweb.com'                => -5.0,
'yahoo-dev-null@yahoo-inc.com'           => -3.0,
'returns.groups.yahoo.com'               => -3.0,
'clusternews@linuxnetworx.com'           => -3.0,
lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

# soft-blacklisting (positive score)
'sender@example.net'                     =>  3.0,
'.example.net'                           =>  1.0,

},
],  # end of site-wide tables
});

You certainly can modify the default lists that are in amavisd.conf.

Zimbra: Firewall Script

Zimbra is a great mail server replacement for Exchange.  When you install Zimbra it suggests that you do not install a firewall; well, that sounds like they want their program to work at your expense.  Anyway, here is a firewall that I am currently using that works fine.  Note that as an administrator you can limit access to the administrator port, which is a good idea, and I often limit access to the web interface as well.  The firewall has a number of variables that you can edit so you can drop it into your system.  Of course, use at your own risk.

Place the script in the file /etc/rc.d/rc.firewall and make it executable with chmod 755 rc.firewall.  Then add a line to your /etc/rc.d/rc.local so that it starts each time you boot; the line should look like this:

sh  /etc/rc.d/rc.firewall

#!/bin/bash
# This script comes with no warranty ...use at own risk
# Copyright (C) 2009  Mike Weber
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#
LAN_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
########################################
# Enter Your LAN IP Address            #
########################################
LAN_IP="mail_server_ip"
########################################
# Enter LAN Subnet                     #
########################################
LAN_ADDRESSES="cidr_subnet..ex. 192.168.5.0/24"
LAN_NET="subnet..ex. 192.168.5.0/255.255.255.0"
########################################
# Enter Broadcast Address              #
########################################
LAN_BROADCAST="network_broadcast"
########################################
# Enter Your Netmask                   #
########################################
LAN_NETMASK="netmask...ex. 255.255.255.0"
########################################
# Enter Your DNS Server                #
########################################
NAMESERVER="ip_dns_server"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

#############################################
# Enter the IP Address of the Administrator #
# The only IP to Access the Hardware Node   #
#############################################
ADMIN="admin_ip_address"

#############################################
# Special Temporary Access Site             #
#############################################
SPECIAL="2nd_admin_ip"

##################################################
# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Drop spoofed packets (reverse path filtering)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
##################################################
# remove existing rules
iptables --flush
iptables -t mangle --flush

# Unlimited traffic on the loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set default policy to Drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP

# Remove pre-existent chains
iptables --delete-chain
###################################################
# DNS to SERVER                                   #
###################################################
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -j ACCEPT
##################################################
# Stealth Scans and TCP State Flags              #
##################################################
# All bits cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#######################################################
# Connection State to By-Pass Rule Checking
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
######################################################
# SSH ACCESS TO SERVER                               #
######################################################
iptables -A INPUT -p tcp -s $ADMIN --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --destination $ADMIN -j ACCEPT
iptables -A INPUT -p tcp -s $SPECIAL --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --destination $SPECIAL -j ACCEPT
######################################################
# Zimbra Access
iptables -A INPUT -p tcp -s $ADMIN --dport 7071 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

######################################################
# Limit Access to DNS Server                         #
######################################################
# CONNECTION_TRACKING is not set above, so the "if" blocks below are skipped
# and the stateless rules that follow them are the ones that apply.
#if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -m state --state NEW -j ACCEPT
#fi
iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -j ACCEPT

iptables -A INPUT -i $LAN_INTERFACE -p udp -s $NAMESERVER --sport 53 -d $LAN_IP --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p udp --sport 1024:65535 --destination $LAN_IP --dport 53 -j ACCEPT
iptables -A INPUT -p udp --destination $LAN_IP --dport 53 -j ACCEPT

if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $LAN_INTERFACE -p tcp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $LAN_INTERFACE -p tcp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_INTERFACE -p tcp -s $NAMESERVER --sport 53 -d $LAN_IP --dport 1024:65535 -j ACCEPT

iptables -A OUTPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#######################################################
# Mail Server                                         #
#######################################################
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp ! --syn --sport 25 -d $LAN_IP --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_IP --sport 25 --dport 1024:65535 -j ACCEPT
#######################################################
# IMAP                                                #
#######################################################
iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 993 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_IP --sport 993 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d $LAN_IP --dport 143 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d $LAN_IP --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_IP --sport 143 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --destination $LAN_IP --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s $ADMIN --destination $LAN_IP --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination $LAN_IP -j DROP
#iptables -A INPUT -p udp --destination $LAN_IP -j DROP
#iptables -A INPUT -p icmp --destination $LAN_IP -j DROP
#iptables -A OUTPUT -p tcp --destination $LAN_IP -j DROP
#iptables -A OUTPUT -p udp --destination $LAN_IP -j DROP
#iptables -A OUTPUT -p icmp --destination $LAN_IP -j DROP
#####################################################
# ClamAV (signature update mirrors)
iptables -A OUTPUT -p tcp -d 208.67.80.27 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d 209.8.40.140 --dport 80 -j ACCEPT
iptables -A INPUT  -p tcp -s 208.67.80.27 -j ACCEPT
iptables -A OUTPUT -p tcp -d 65.120.238.2 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 209.8.40.140 -j ACCEPT
iptables -A INPUT -p tcp -s 128.121.60.235 -j ACCEPT
iptables -A OUTPUT -p tcp -d 128.121.60.235 --dport 80 -j ACCEPT

#########################################################
#iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
#iptables -A INPUT -m state --state INVALID -j DROP
#iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
#iptables -A OUTPUT -m state --state INVALID -j DROP
###########################################################
# Source Address Spoofing/Bad Addresses
# Refuse spoofed packets (our own address arriving from outside)
iptables -A INPUT -s $LAN_IP -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE ! -s $LAN_IP -j DROP
# Refuse malformed broadcast packets
iptables -A INPUT -i $LAN_INTERFACE -d $BROADCAST_SRC -j DROP
# Drop anything but UDP addressed to the multicast range
iptables -A INPUT ! -p udp -d $CLASS_D_MULTICAST -j DROP
#########################################################
# ICMP control and status messages
# Log and drop initial ICMP fragments
iptables -A INPUT --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT --fragment -p icmp -j DROP

iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT --fragment -p icmp -j DROP
iptables -A INPUT  -p icmp --icmp-type source-quench -d $LAN_IP -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT

iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -o $LAN_INTERFACE -p icmp --icmp-type destination-unreachable -d $LAN_ADDRESSES -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT

# Don't log outgoing ICMP error messages
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
# Intermediate traceroute responses
#iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
#--destination $LAN_ADDRESSES -j ACCEPT
#################################################
# LOGS                                          #
#################################################
iptables -A INPUT -i $LAN_INTERFACE -j LOG
iptables -A OUTPUT -j LOG
exit 0
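One thing to check before loading the script: it sets the INPUT and OUTPUT policies to DROP near the top and only then appends the ACCEPT rules, and it does not stop on errors.  If any of the address variables still holds its placeholder text (for instance LAN_IP="mail_server_ip"), every rule that references that variable fails to load while the DROP policy stays in place, so whatever those rules were meant to permit is silently blocked.  The following pre-flight check is an added example (not part of Mike Weber's script): it reads the script text, finds the address variables, and refuses to proceed unless each holds a valid IPv4 address or CIDR block.  The FIREWALL path and the two sample script fragments are assumptions/constructed input.

```sh
#!/bin/sh
# Added example, not part of the firewall script above.
# Usage: sh firewall-preflight.sh && sh /etc/rc.d/rc.firewall

FIREWALL="${FIREWALL:-/etc/rc.d/rc.firewall}"    # assumed path

# Dotted-quad IPv4 address with every octet in 0..255?
is_ipv4() {
    if ! printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        return 1
    fi
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        if [ "$o" -gt 255 ]; then return 1; fi
    done
    return 0
}

# CIDR block such as 192.168.5.0/24?
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    if ! is_ipv4 "${1%/*}"; then return 1; fi
    prefix="${1#*/}"
    if ! printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$'; then return 1; fi
    if [ "$prefix" -le 32 ]; then return 0; else return 1; fi
}

# Names of the address variables whose value is not a valid address or CIDR
# block, in the order they appear.   $1 = text of the firewall script
unresolved_vars() {
    printf '%s\n' "$1" |
        sed -E -n 's/^(LAN_IP|LAN_ADDRESSES|LAN_BROADCAST|NAMESERVER|ADMIN|SPECIAL)="?([^"]*)"?[[:space:]]*$/\1 \2/p' |
        while read -r name value; do
            case "$name" in
                LAN_ADDRESSES) ok=$(is_cidr "$value" && echo y || echo n) ;;
                *)             ok=$(is_ipv4 "$value" && echo y || echo n) ;;
            esac
            [ "$ok" = "y" ] || echo "$name"
        done
}

# Run the check on a script file; exit status 1 stops the && chain above.
preflight() {
    bad=$(unresolved_vars "$(cat "$1")")
    if [ -n "$bad" ]; then
        echo "not loading $1, unresolved variables:" $bad
        return 1
    fi
    echo "$1: address variables look sane"
    return 0
}

# Constructed samples: the script as shipped (placeholders) and after editing.
SAMPLE_UNEDITED='LAN_INTERFACE="eth0"
LAN_IP="mail_server_ip"
LAN_ADDRESSES="cidr_subnet..ex. 192.168.5.0/24"
NAMESERVER="ip_dns_server"
ADMIN="203.0.113.10"'

SAMPLE_EDITED='LAN_INTERFACE="eth0"
LAN_IP="192.0.2.25"
LAN_ADDRESSES="192.0.2.0/24"
NAMESERVER="192.0.2.53"
ADMIN="203.0.113.10"'

if [ "${PREFLIGHT_RUN:-0}" = "1" ]; then preflight "$FIREWALL"; fi
```

The check deliberately does not source the script (that would load the rules); it only pattern-matches the assignment lines, so keep the variable names as they are in the script if you rely on it.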

Ubuntu 9.04 Postfix Install Evaluation

One of the newest features of Ubuntu 9.04 is the Postfix/Dovecot mail server enhancements that make it easier to set up a mail server.  This article is a review of those improvements and a tutorial on how to fix several problems that were encountered.

Before you jump to any conclusions about the new features it is important to understand the goal of both Ubuntu and the Ubuntu-server team, at least as I understand it.  The mail server is one of the most difficult to set up and manage correctly.  Sure, Postfix is easier than some, but there are a lot of issues you must deal with, like security, configuring anti-virus, spam reduction, and integrating Dovecot, Spamassassin, amavisd-new, Postfix, SquirrelMail, etc.  It is the integration that presents so many issues.  That said, the goal seems to be to move in the direction of a one-click install to make this all happen.

Here is the claim on the enhanced mail stack:

“In Ubuntu-server team we’ve decided that this should be much easier and, based on experience of our members, created integrated mail stack with safe default setup. This setup won’t solve all mail configuration problems (we don’t setup any antispam and antivirus countermeasures), but it will enable your startup to get working e-mail server out of the box.

So, what’s included? Mail server stack is based on dovecot for IMAP/POP3 protocols and postfix for SMTP. Feature list:

  • POP3, IMAP, POP3S, IMAPS
  • SMTP, SMTP/TLS
  • Maildir storage for e-mails
  • SASL authentication (SMTP-AUTH)
  • dovecot MDA (mail delivery agent)
  • support for sieve scripting
  • managesieve protocol for managing sieve scripts on *server* from your *client*, like thunderbird or kmail
  • IMAP & POP3 workarounds for buggy clients”
  • See the whole blog article: HERE

It is an interesting idea to create a one-click install; however, if you are looking at easy mail installs take a look at Citadel, which is easier and has more features, or Zimbra, which has everything done: the one-click install all complete, with 10 times the features.  The problem with the Ubuntu install is twofold.  First, since there is no documentation, you are left with a lot of questions about what was done and what still needs to be done after the install.  Below I have listed for you the changes to dovecot-postfix.conf and to main.cf of Postfix.  That is a good place to see what changes were made.

Here is a look at the install procedure:

sudo apt-get install dovecot-postfix

The following extra packages will be installed:
dovecot-common dovecot-imapd dovecot-pop3d
The following NEW packages will be installed:
dovecot-common dovecot-imapd dovecot-pop3d dovecot-postfix

Creating config file /etc/dovecot/dovecot-sql.conf with new version
adduser: Warning: The home directory `/usr/lib/dovecot' does not belong to the user you are currently creating.
You already have ssl certs for dovecot.

Creating config file /etc/dovecot/dovecot-postfix.conf with new version
 * Restarting IMAP/POP3 mail server dovecot
Error: ssl_cert_file: Can't use /etc/ssl/certs/ssl-mail.pem: No such file or directory

In fact the file does exist and once I restarted it was OK.

Fatal: Invalid configuration in /etc/dovecot/dovecot-postfix.conf
[fail]

This failure was also fixed with a restart of Dovecot.

Dovecot Does Not Start Correctly
After install a check with netstat showed that Postfix was running but Dovecot was not.  So I started Dovecot manually with:

/etc/init.d/dovecot start

Now a review of netstat shows it is all running.
# netstat -aunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN

Here are the config options set by default for Dovecot.  They are found in the /etc/dovecot/dovecot-postfix.conf file and are part of what has been set up by the Ubuntu team.  Note that if you do not want all of the protocols listed (imap, pop3, imaps, pop3s and managesieve), just remove the ones you do not want and restart Dovecot and Postfix.

protocols = imap pop3 imaps pop3s managesieve

disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/ssl-mail.pem
ssl_key_file = /etc/ssl/private/ssl-mail.key
ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
mail_location = maildir:~/Maildir
mail_privileged_group = mail
protocol imap {
mail_max_userip_connections = 10
login_greeting_capability = yes
imap_client_workarounds = outlook-idle delay-newmail
}

protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
mail_max_userip_connections = 3
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

protocol managesieve {
sieve=~/.dovecot.sieve
sieve_storage=~/sieve
}

protocol lda {
postmaster_address = postmaster
mail_plugins = cmusieve
quota_full_tempfail = yes
deliver_log_format = msgid=%m: %$
rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

auth default {
mechanisms = plain login
passdb pam {

}
userdb passwd {
}

user = root
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth
mode = 0660
user = postfix
group = postfix
}
}
}

dict {
}
plugin {
}

Postfix Configuration
These are settings that the Ubuntu team has configured to help with setting up the mail server.  The major time saver is the TLS setup, so you can have encrypted connections.  If TLS is what you want to use, be sure to turn off imap and pop3 so that clients are forced to use the secure connections.

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = ub904
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = ub904, localhost.localdomain, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
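If you take the advice above and remove imap and pop3 from the Dovecot protocols line, it is worth verifying that the plaintext listeners are actually gone, since the netstat output earlier on this page shows both 143 and 110 listening after the default install.  The following is an added example (not from the article): it parses netstat -aunt output for non-loopback TCP listeners, flags the plaintext mail ports 110 and 143, and also flags a dovecot "protocols =" line that still lists imap or pop3.  The netstat and protocols text below are constructed from what the article shows; the dovecot config path is an assumption.  Note that with disable_plaintext_auth = yes (set in the config above) Dovecot refuses plaintext logins on 143/110 unless STARTTLS is negotiated, so a hit here means a plaintext port is exposed, not necessarily that passwords travel in the clear; closing the ports is still the simpler posture.

```sh
#!/bin/sh
# Added example, not part of the original article.  Assumed: DOVECOT_CONF path;
# netstat -aunt output columns as shown in the article.

DOVECOT_CONF="${DOVECOT_CONF:-/etc/dovecot/dovecot-postfix.conf}"

# Constructed from the netstat output shown above.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN'

PROTOCOLS_SAMPLE='protocols = imap pop3 imaps pop3s managesieve'

# TCP ports in LISTEN state bound to a non-loopback address, sorted, one per line.
listening_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" && $4 !~ /^127\./ {
            n = split($4, a, ":"); print a[n]
         }' | sort -n
}

# Of the ports on stdin, keep the plaintext mail ports (110 pop3, 143 imap).
plaintext_mail_ports() {
    grep -Ex '110|143' || true
}

# Plaintext-only protocols named in a dovecot "protocols =" line on stdin.
plaintext_protocols() {
    sed -n 's/^protocols *= *//p' | tr ' ' '\n' | grep -Ex 'imap|pop3' || true
}

# Exit 1 if anything plaintext is still exposed.
#   $1 = netstat -aunt output, $2 = dovecot config text
tls_only_check() {
    ports=$(printf '%s\n' "$1" | listening_ports | plaintext_mail_ports | tr '\n' ' ')
    protos=$(printf '%s\n' "$2" | plaintext_protocols | tr '\n' ' ')
    if [ -n "$ports" ] || [ -n "$protos" ]; then
        echo "plaintext listeners: ${ports:-none}; plaintext protocols: ${protos:-none}"
        return 1
    fi
    echo "only TLS mail listeners are exposed"
    return 0
}

# Usage on the live system: TLS_CHECK_RUN=1 sh tls-only-check.sh
if [ "${TLS_CHECK_RUN:-0}" = "1" ]; then
    tls_only_check "$(netstat -aunt)" "$(cat "$DOVECOT_CONF")"
fi
```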

Summary:

If you have set up Postfix with Dovecot and TLS in the past you will certainly appreciate the work done by the Ubuntu team.  It will save you a lot of time making those decisions.  On the other hand, there is a lot left to do, and if you are new to mail servers you will initially be lost trying to find the holes.  Several things you will need to fix:

1. Send mail to another user instead of root - See Here
2. Check your Relays - See Here
3. Review how the TLS and Dovecot work - See Here
4. Verify your identity settings - See Here
5. Check your Postfix install - See Here
6. Set Up Spamassassin - See Here
7. Set Up Anti-Virus - See Here

Options
8. Multiple Domains - See Here
9. Set Up filters - See Here
10. Send yourself mail stats - See Here

There is certainly a lot left to do but you have a start and it will save you time.

Vacation Message for Postfix

The vacation program is not built specifically for Postfix, so you will need to set it up separately and then integrate it.  The vacation feature allows you to configure a message that is returned to the sender when you are out of the office.  If you are using a CentOS version you will not find vacation in any repository, so you will have to compile it, which is not too difficult.

# yum install gdbm-devel
# cd /usr/local/src/
# wget http://internap.dl.sourceforge.net/sourceforge/vacation/vacation-1.2.7.0.tar.gz
# tar -xvzf vacation*
# cd vacation-1.2.7.0

By default it will want to place the man pages in a different location, so it may be easier just to create the necessary folders and be done with it.

# mkdir /usr/man
# mkdir /usr/man/man1
# make
# make install

The result is that the binary is placed in /usr/bin/vacation.

For each user (they must be local users, not virtual users), create a ".vacation.msg" file that looks something like this:
Subject: Out of the Office

I am out of the office until December 14.  I will contact you as soon as I return.

This file must be placed in the user’s home directory.

You must also create a ".forward" file in the user's home.  The format should look like this:

\myuser, "|/usr/bin/vacation myuser"

Be sure to replace "myuser" with the real username.

That should make it all work, so that when a message is sent to the user who is out of the office, Postfix returns the message in the vacation file to the sender.

Amavisd: Fixing Broken Perl Modules

Recently, while working on amavisd-new, restarting it broke several Perl modules that it requires.  The result was that the mail server quit delivering mail because it could not process it with the broken modules.  Here is the log entry that helped me locate the problem.

Mar 20 03:23:33 ns postfix/smtp[20284]: 992BB207DE0: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=1.7/0/0/0.07, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=19738-02, mime_decode-1 FAILED: Can't locate object method "seek" via package "File::Temp" at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 816, <GEN13> line 65. (in reply to end of DATA command))

So once you know it is broken you can do something about it, but first of all, when you have a problem like this there are two external reminders.  First, my mail was not delivered.  This is a no-brainer, but sometimes you just think, well, maybe things are slow.  If you have not received mail, check your logs, find the problem, and verify it is all working.  Second, the pflogsumm report did not arrive on schedule.  Each day I receive a log summary which provides detailed information on what has happened on the Postfix mail server.  Here is what was in the log summary, though it was not delivered.

smtp (total: 579)
369   Temp" at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 81…
210   4.3.2 Service shutting down, closing channel (in reply to …

Fixing the Problem:

Once you recognize that Perl modules are broken you need to replace them.  As root, execute the CPAN shell and then install the two modules listed.

perl -MCPAN -e shell

cpan> install File::Temp

cpan> install IO::File

Once this is done restart amavisd-new and you will be set.
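The log line above names the broken package directly ("via package "File::Temp""), so the lookup can be automated.  The following is an added example (not from the post): it pulls the package names out of such errors in the mail log, tests whether each module still loads with perl -M<Module> -e 1, and prints the cpan shell commands for the ones that fail.  The log path is an assumption and the log line below is constructed from the one shown above.

```sh
#!/bin/sh
# Added example, not part of the original post.  Assumed: MAILLOG path.

MAILLOG="${MAILLOG:-/var/log/maillog}"

# Constructed log sample modelled on the entry above.
LOG_SAMPLE=$(cat <<'EOF'
Mar 20 03:23:33 ns postfix/smtp[20284]: 992BB207DE0: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=19738-02, mime_decode-1 FAILED: Can't locate object method "seek" via package "File::Temp" at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 816, <GEN13> line 65. (in reply to end of DATA command))
Mar 20 03:24:01 ns amavis[19738]: (19738-02) Passed CLEAN, <a@example.org> -> <user@example.com>
EOF
)

# Package names quoted in 'via package "X"' errors on stdin, deduplicated.
broken_packages() {
    sed -n 's/.*via package "\([A-Za-z0-9:_]*\)".*/\1/p' | sort -u
}

# Does this Perl module load cleanly?
module_loads() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# Of the modules given as arguments, print the ones that fail to load.
missing_modules() {
    for m in "$@"; do
        if ! module_loads "$m"; then echo "$m"; fi
    done
}

# cpan shell commands for whatever fails to load, e.g.  install File::Temp
cpan_commands() {
    missing_modules "$@" | sed 's/^/install /'
}

# Usage: PERLCHECK_RUN=1 sh perl-module-check.sh
if [ "${PERLCHECK_RUN:-0}" = "1" ]; then
    # modules named in the log, plus IO::File which the post also reinstalls
    pkgs=$(broken_packages < "$MAILLOG")
    cpan_commands $pkgs IO::File
fi
```

Running the same check again after the CPAN installs and the amavisd-new restart confirms the modules load before you declare the mail flow fixed.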

Quarantine Spam with Amavisd

Amavisd-new acts as the connecting point between Spamassassin, ClamAV and Postfix.  This is important to remember because much of the configuration that would seem to be done on Spamassassin directly actually occurs in the amavisd-new configuration file.

When amavisd detects spam using Spamassassin it logs it, and it is also able to perform several other actions, one of which is sending the message to a quarantine.  The quarantine is wherever you configured it, but typically it is /var/virusmails.  Here is a sample of the spam messages that get collected there.

spam-bKry7jNBnpNH.gz
spam-FHXfz6-3XiuU.gz
spam-JGlrlfOV5Nwg.gz

The quarantine directory is set in /etc/amavisd.conf

$QUARANTINEDIR = '/var/virusmails';  # -Q

You can see from the listing above that when mail is placed in the quarantine directory it is tagged (spam-) and compressed.  To view a message, run gunzip -d on it and then review the email.

This example shows that Spamassassin tagged this email with a score of 17.454.  It also shows that the email was delivered to the spam-quarantine.  Notice that the X-Spam-Status header shows you exactly why it was tagged with such a high score.

# gunzip -d /home/spam-FY4ONy4piwUl.gz
# cat /home/spam-FY4ONy4piwUl
Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <boldindianwife@rediffmail.com>
X-Envelope-To: <user@example.com>
X-Quarantine-ID: <FY4ONy4piwUl>
X-Spam-Flag: YES
X-Spam-Score: 17.454
X-Spam-Level: *****************
X-Spam-Status: Yes, score=17.454 tag=2 tag2=6.2 kill=6.9
tests=[DNS_FROM_RFC_ABUSE=0.479, DNS_FROM_RFC_WHOIS=0.879,
HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.512, MIME_HTML_ONLY=0.001,
SUBJ_ALL_CAPS=1.166, URIBL_AB_SURBL=3.306, URIBL_JP_SURBL=3.36,
URIBL_OB_SURBL=2.617, URIBL_SC_SURBL=3.6, URIBL_WS_SURBL=1.533]
Received: from ns.example.com([127.0.0.1])
by localhost (ns.example.com[127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id FY4ONy4piwUl for <user@example.com>;
Tue, 23 Sep 2008 01:18:23 -0700 (PDT)
Received: from cardservice22.fiberop.matgnet.com (unknown [82.117.207.22])
by ns.example.com(Postfix) with SMTP id 08584207D90
for <user@example.com>; Tue, 23 Sep 2008 01:18:21 -0700 (PDT)
Message-Id: <20080923114546.8474.qmail@cardservice22.fiberop.matgnet.com>
To: <user@example.com>
Subject: RE: SALE 89% OFF
From: VIAGRA INC <user@example.com>
MIME-Version: 1.0
Content-Type: text/html
Date: Tue, 23 Sep 2008 01:18:21 -0700 (PDT)

Here are the settings for Spamassassin found in /etc/amavisd.conf.  You can see that with a score of 6.9 or more (the kill level) an email is sent to the quarantine and blocked from the user.

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)

$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

Delivery Status Notification (DSN) Messages
A Delivery Status Notification is the message returned to the sender when their OUTBOUND email could not be delivered.  You can see that at or above level 10 no notification is sent back to the sender.

# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off

If users are complaining about mail that is marked as spam arriving in their mailboxes, you can lower the numbers.  For example, if users are getting email that is marked as spam with a score of 5, then you could change to this configuration to put that email in quarantine instead of the user's mailbox.

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.8;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.0;  # triggers spam evasive actions (e.g. blocks mail)

Of course any time that you adjust these you need to verify that you are not losing mail that is not Spam, but it should be in your quarantine.
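As an added example (not from the original post or from amavisd-new), the Python script below reads the X-Spam-Status header out of a quarantined message and applies the $sa_*_level thresholds above, including the lowered values at the end of this section, so you can see which action a given score triggers. The sample headers are a constructed, shortened copy of the quarantined message shown earlier; the file reader assumes the gzipped spam-*.gz layout of $QUARANTINEDIR described above.

```python
"""Read the headers amavisd wrote into a quarantined spam file and work out
which of the $sa_*_level actions a given score triggers. Added example, not
part of the original post or of amavisd-new. SAMPLE is a constructed copy of
the X-Spam-* headers from the quarantined message shown above, shortened."""
import gzip
import re
from email import message_from_bytes

# Thresholds from the /etc/amavisd.conf excerpt above. quarantine_cutoff is
# commented out there, so quarantine is never switched off (None).
SA_LEVELS = {"tag": 2.0, "tag2": 6.2, "kill": 6.9,
             "dsn_cutoff": 10.0, "quarantine_cutoff": None}

SAMPLE = b"""Return-Path: <>
Delivered-To: spam-quarantine
X-Quarantine-ID: <FY4ONy4piwUl>
X-Spam-Flag: YES
X-Spam-Score: 17.454
X-Spam-Status: Yes, score=17.454 tag=2 tag2=6.2 kill=6.9
 tests=[DNS_FROM_RFC_ABUSE=0.479, SUBJ_ALL_CAPS=1.166,
 URIBL_SC_SURBL=3.6]
Subject: RE: SALE 89% OFF

(body omitted)
"""

STATUS = re.compile(r"(Yes|No), score=(-?[\d.]+)(.*?)\s*tests=\[(.*)\]")
KV = re.compile(r"(\w+)=(-?[\d.]+)")

def parse_spam_status(raw):
    """Return flag, score, the thresholds amavisd recorded and per-rule scores."""
    msg = message_from_bytes(raw)
    status = " ".join(msg.get("X-Spam-Status", "").split())  # unfold header
    m = STATUS.match(status)
    if not m:
        raise ValueError("no usable X-Spam-Status header")
    flag, score, levels, tests = m.groups()
    return {"flag": flag == "Yes", "score": float(score),
            "levels": {k: float(v) for k, v in KV.findall(levels)},
            "tests": {k: float(v) for k, v in KV.findall(tests)},
            "quarantine_id": msg.get("X-Quarantine-ID", "").strip("<>")}

def classify(score, levels=SA_LEVELS):
    """Actions amavisd takes for a score, following the comments in the
    config: tag adds info headers, tag2 adds 'spam detected' headers, kill
    blocks (quarantines) the mail, dsn_cutoff suppresses the bounce."""
    actions = []
    if score >= levels["tag"]:
        actions.append("add X-Spam-* headers")
    if score >= levels["tag2"]:
        actions.append("mark as spam")
    if score >= levels["kill"]:
        qc = levels["quarantine_cutoff"]
        actions.append("block and quarantine" if qc is None or score < qc
                       else "block, no quarantine")
        actions.append("no DSN to sender" if score >= levels["dsn_cutoff"]
                       else "send DSN to sender")
    return actions

def top_rules(tests, n=3):
    """The rules that contributed most to the score."""
    return sorted(tests.items(), key=lambda kv: -kv[1])[:n]

def analyse_quarantine_file(path):
    """Open a spam-*.gz straight from $QUARANTINEDIR, no gunzip -d needed."""
    with gzip.open(path, "rb") as fh:
        return parse_spam_status(fh.read())

if __name__ == "__main__":
    info = parse_spam_status(SAMPLE)
    print(info["quarantine_id"], info["score"], classify(info["score"]))
    print(top_rules(info["tests"]))
    # The lowered thresholds from the end of this section: a score of 5.0
    # now ends up in quarantine instead of the user's mailbox.
    lowered = dict(SA_LEVELS, tag2=4.8, kill=5.0)
    print(classify(5.0), "->", classify(5.0, lowered))
```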

Using Webmin to Set Up Postfix

Postfix Basic Configuration
The basic settings for Postfix are extremely important as they will impact the rest of the program functions.  Complete these settings in the main.cf file before you make any changes with Webmin to ensure you have the basics covered.

Configure the Hostname in the smtpd Banner
When your mail server connects to another mail server to transfer messages it sends a HELO that announces its hostname to the other server.  This is one of the reasons your hostname is so important.  In fact, many servers, in order to verify the integrity of mail exchanges, will do a DNS lookup to verify that the FQDN (Fully Qualified Domain Name) matches what is provided in the HELO.  If they do not match, some servers will not allow the transfer of mail.  Therefore, make sure your FQDN is what is presented in the HELO.

Edit /etc/postfix/main.cf
First, make a backup of your files located in the /etc/postfix directory.  This will provide a reference of changes you have made as well as give you a rescue file so you can start over after a mistake.  Now edit the myhostname parameter to provide the FQDN.

myhostname = mail.example.com

Postfix is smart enough to understand that the domain listed in myhostname is the domain for the server.  You can also set the mydomain parameter.

mydomain = example.com

Set your inet_interfaces to all.

inet_interfaces = all

Configure Relays
Postfix will not allow any relaying of mail for any domains by default.  It will relay mail for the localhost but all other relays must be explicitly set.  In the initial configuration for a one domain server, this setting for allowing your domain to relay mail is found in the mydestination parameter.

mydestination = $mydomain

If you would like to also accept mail for your hostname you may also add this information to the configuration.

mydestination = $mydomain, $myhostname

If you have created CNAMEs in your DNS settings for your domain, those would also need to be added here.  A CNAME (Canonical Name) is like an alias, www for example.  If you want to accept mail for these names they must be entered as well.  If they do not fit on one line you can continue the list on the following lines, each beginning with a space, as Postfix will not recognize a continuation line without leading whitespace.

mydestination =
    $mydomain,
    $myhostname,
    www.$mydomain,
    tech.$mydomain

Each continuation line starts with whitespace, and the entries are separated by commas.

Configure Outgoing Domain

The outgoing domain parameter provides a way to verify where mail came from.  Postfix uses this setting whenever mail is sent from an address that is not fully qualified.  Again, this setting is located in the main.cf file.

myorigin = $mydomain

root Mail Configuration
Postfix has a focus on security, especially when it comes to running programs as root.  As a result, Postfix will deliver mail to root locally but it will not allow other programs to run as root.  This means that programs like procmail cannot be used to deliver mail to the root user.  Therefore you will need to create an alias for the root user so that mail that is intended for root  will be delivered to a non-privileged user.

Edit /etc/aliases and create a line like this:

root:            mike

Whatever user you choose make sure that it is an account that is on the system.  Do not use the admin account as it is tied to other things on the system.

Once you have added the username run the command:

newaliases

Then start, stop or reload Postfix with the init script as needed:

/etc/init.d/postfix start
/etc/init.d/postfix stop
/etc/init.d/postfix reload

Webmin Configuration of Postfix

Now you are ready to start with additional configuration options from the Webmin interface.

General Options

The Webmin “General Options” screen shows these “Most Useful General Options”.

“What domain to use in outbound mail”
If you have your settings set in the basics you can set this to “Use domainname”.

“What domains to receive mail for”
The two settings that you see, $myhostname and $mydomain are the options you should use if you have one domain.


“What trouble to report to postmaster”

This option, notify_classes, allows you to have Postfix send mail reports to the postmaster.  This is additional information that is not usually reported, because by default only the worst situations are reported.  Here is a list of the notify_classes values that you can use.  The Postfix default is resource and software.

bounce - Send the postmaster copies of the headers of mail that bounced, together with the SMTP session transcript that led to the bounce.

2bounce - Send the postmaster bounce messages that are themselves undeliverable (double bounces).

delay - Send the postmaster copies of the headers of mail that is delayed.

policy - If a client is rejected based on UCE (Unsolicited Commercial Email) policy, the transcript of the SMTP session is sent to the postmaster.

protocol - If there are client or server protocol errors, the transcript of the SMTP session is sent to the postmaster.

resource - If Postfix cannot deliver mail because of resource problems, send a message to the postmaster.

software - Notify the postmaster of software problems that prevent mail from being delivered.

If you would like to get this information delivered to an email, you may want to add your email to the postmaster aliases so it comes to your email account and you do not have to dig for it.

postmaster:        root,your_email

This will deliver that information to your email account.  This is something you will probably do only temporarily, as you will soon get tired of receiving all of it.  Run newaliases after saving the alias file.

Here is an example you can place in your main.cf.

notify_classes = bounce, delay, resource, software

Other General Options

Each of the options you see here is a default that you can leave in place.  In a typical Postfix installation these will work fine.

However, these options that you see in this screen will need to be changed.

“Internet hostname of this mail system”
This is the FQDN (Fully Qualified Domain Name) of the mail server.  It should have two parts, the hostname (mail) and the domain name (example.com).  Mail servers require this setting when they talk to each other, so if you are having difficulties this is one of the places to look.

“Local Internet domain name”
Set this the same as the option above, your FQDN.

“Local Networks”
These are all of the networks that are connected to the mail server.  The setting helps the mail server distinguish a local client from a spammer on the Internet.  You have two options.  Clicking “Default” automatically detects the networks attached to the mail server; this is the easy option, but if you have other networks that use this mail server you must select the second option and list the networks that will use the mail server, as you see in the example.

“Automatic local networks”
This setting has four options: “Default”, “Same IP Subnet”, “Same Network Class” and “Local Machine Only”.  These settings help simplify the setting above.  If your local network is on one subnet and all of your users are on that subnet, choose “Same IP Subnet”.  You can expand that to many more computers on a large network by choosing “Same Network Class”.

“Email Content Filter”
In this example you can see that an email content filter is enabled.  Do not enable this feature from Webmin: it requires multiple edits and will not work unless all of them are completed at once.

The other settings here are fine as the default.


SMTP Server Options

This screen shows the SMTP server options.  You can leave all of them at the default except “Restrictions on recipient addresses”.  In the example you can see that entries have been placed there, which is not the default.  These entries must be placed in a specific order, so be sure you check the order before you enable this, and if you have problems examine the order carefully.


reject_non_fqdn_recipient
reject_unknown_recipient_domain
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_non_fqdn_hostname
reject_invalid_hostname
check_helo_access pcre:/etc/postfix/helo_checks
check_sender_mx_access cidr:/etc/postfix/bogus_mx
reject_rbl_client zen.spamhaus.org
reject_rbl_client cbl.abuseat.org
reject_rbl_client dnsbl-1.uceprotect.net
permit

Explanation of Each Setting
reject_non_fqdn_recipient
It is important that you require a fully qualified domain name in recipient addresses.  The reject_non_fqdn_recipient option does this.

reject_unknown_recipient_domain
Another restriction to consider is requiring that the recipient's domain actually exists.  Spammers use non-existent domains as a way to conceal their true domain, so you will want to reject all domains that are not real.  You do have to consider that a user may make a typo that puts them in this category and receive a bounce from Postfix.  However, in order to control spam this may be a requirement.

permit_mynetworks
The order of processing restrictions is important.  As you view the list in the example, note that the permit_mynetworks is a watershed in that it differentiates between clients on the outside and clients on the inside.  The options that appear up to the permit_mynetworks apply to both internal and external clients.  The options which appear after permit_mynetworks apply only to external clients.  This is why the order is so important.

permit_sasl_authenticated
Allow sasl authentication if you use secure connections.

reject_unauth_destination
Prevents your server from becoming an open relay.

reject_non_fqdn_hostname
Use the reject_non_fqdn_hostname option to make sure the hostname a client gives in HELO is a fully qualified domain name.

reject_invalid_hostname
You may also choose to reject based on an invalid hostname.  The rules are that each valid hostname should contain a top-level domain (com, net, org, etc.), a domain (like example in example.com), and a “.” separating the two.

check_helo_access pcre:/etc/postfix/helo_checks
Create a file called helo_checks in the /etc/postfix directory.  This file should contain a number of variations on your own server's name and address, one per line; a remote client that introduces itself with your name is not legitimate.

/^ns\.example\.com$/                 550 Bad helo check
/^216\.114\.226\.157$/                   550 Bad helo check
/^\[216\.114\.226\.157\]$/               550 Bad helo check

In these examples you will see a start-of-string anchor (^) and an end-of-string anchor ($).  The ^ matches the position before the first character in the string, so ^ns matches only where ns is at the very start, and $ matches the position after the last character, so org$ matches only where org is at the very end.  This keeps Postfix from matching a pattern against part of a longer string.

check_sender_mx_access cidr:/etc/postfix/bogus_mx
Spammers will also use networks which are not routable, and thus not traceable.  You can stop this technique with Postfix; however, your network firewall should not allow traffic from these kinds of networks to enter your network at all.

Create a map that lists these unroutable networks, one network on each line.

0.0.0.0/8                    550  Bad Network
10.0.0.0/8                    550  Bad Network
127.0.0.0/8                   550  Bad Network
224.0.0.0/4                   550  Bad Network
192.168.0.0/16                550  Bad Network

reject_rbl_client zen.spamhaus.org
reject_rbl_client cbl.abuseat.org
reject_rbl_client dnsbl-1.uceprotect.net

The one thing that is important to understand when using blackhole lists is that these DNS blacklists require Postfix to do a DNS lookup, which takes resources from your server and adds latency.  However, they can significantly reduce spam.  In the example, two kinds of list are combined under one address to block spam; these are only illustrations and you should research each list carefully.  Each list has a zone address that you enter into your smtpd restrictions with reject_rbl_client.

Having tried a number of RBLs, you will see that some go out of existence and some are either too aggressive or do not cover all of the areas you need protection in.  Here is a list that makes a good combination of protection without getting too crazy.  Be sure to try one at a time so you can determine whether one is not right for you.  Use at your own risk: you could lose email.

permit
This must be the final setting.
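To see why the order matters, here is an added example (not from the original post or from Postfix) that walks the restriction list above in order and stops at the first PERMIT or REJECT, the way smtpd does. The client networks, relay domains, and the DNS and MX lookups are constructed stand-ins; the helo_checks patterns and bogus_mx networks are the ones from the files shown above.

```python
"""Model of how Postfix walks smtpd_recipient_restrictions: restrictions are
tried in the listed order, the first one that answers PERMIT or REJECT
decides, and the rest are never consulted. Added example, not part of the
original post or of Postfix. The client networks, relay domains and the
DNS/MX tables are constructed stand-ins; the helo_checks patterns and the
bogus_mx networks are the ones from the files shown above."""
import ipaddress
import re

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]       # constructed LAN
RELAY_DOMAINS = {"example.com", "ns.example.com"}         # $mydestination
KNOWN_DOMAINS = RELAY_DOMAINS | {"gmail.com", "spammer.test"}  # DNS stand-in

# pcre:/etc/postfix/helo_checks - clients claiming to be us are lying.
HELO_CHECKS = [(re.compile(r"^ns\.example\.com$"), "550 Bad helo check"),
               (re.compile(r"^216\.114\.226\.157$"), "550 Bad helo check"),
               (re.compile(r"^\[216\.114\.226\.157\]$"), "550 Bad helo check")]

# cidr:/etc/postfix/bogus_mx - sender domains whose MX is unroutable.
BOGUS_MX = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8",
            "127.0.0.0/8", "224.0.0.0/4", "192.168.0.0/16")]
FAKE_MX = {"spammer.test": "10.1.2.3", "gmail.com": "198.51.100.7"}

RESTRICTIONS = ["reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
                "permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination", "reject_non_fqdn_hostname",
                "reject_invalid_hostname", "check_helo_access",
                "check_sender_mx_access", "permit"]

FQDN = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
HOSTCHARS = re.compile(r"[A-Za-z0-9.\[\]:-]+")

def evaluate(client_ip, helo, sender, recipient, sasl=False,
             restrictions=RESTRICTIONS):
    """Return (decision, name of the restriction that decided)."""
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = recipient.rpartition("@")[2]
    sender_domain = sender.rpartition("@")[2]
    for r in restrictions:
        if r == "reject_non_fqdn_recipient" and not FQDN.fullmatch(rcpt_domain):
            return "REJECT 504 recipient address not fully qualified", r
        if r == "reject_unknown_recipient_domain" and rcpt_domain not in KNOWN_DOMAINS:
            return "REJECT 450 recipient domain not found", r
        if r == "permit_mynetworks" and any(ip in n for n in MYNETWORKS):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and sasl:
            return "PERMIT", r
        if r == "reject_unauth_destination" and rcpt_domain not in RELAY_DOMAINS:
            return "REJECT 554 relay access denied", r
        # Simplified HELO syntax checks; address literals [a.b.c.d] pass here.
        if r == "reject_non_fqdn_hostname" and not (helo.startswith("[") or FQDN.fullmatch(helo)):
            return "REJECT 504 HELO hostname not fully qualified", r
        if r == "reject_invalid_hostname" and not HOSTCHARS.fullmatch(helo):
            return "REJECT 501 HELO hostname invalid", r
        if r == "check_helo_access":
            for pattern, action in HELO_CHECKS:
                if pattern.search(helo):
                    return "REJECT " + action, r
        if r == "check_sender_mx_access":
            mx = FAKE_MX.get(sender_domain)
            if mx and any(ipaddress.ip_address(mx) in n for n in BOGUS_MX):
                return "REJECT 550 Bad Network", r
        if r == "permit":
            return "PERMIT", r
    return "PERMIT", None   # Postfix permits if the list is exhausted

if __name__ == "__main__":
    # LAN client: permit_mynetworks is the watershed, later checks never run
    # even though "pc1" is not a FQDN.
    print(evaluate("192.0.2.10", "pc1", "tom@example.com", "friend@gmail.com"))
    # Outside client trying to relay through us.
    print(evaluate("203.0.113.5", "mx.remote.test", "a@gmail.com", "friend@gmail.com"))
    # Outside client introducing itself with our own name.
    print(evaluate("203.0.113.5", "ns.example.com", "a@gmail.com", "user@example.com"))
    # Sender domain whose MX sits in a bogus_mx network.
    print(evaluate("203.0.113.5", "mx.spammer.test", "a@spammer.test", "user@example.com"))
    # Move permit_mynetworks to the end: LAN users can no longer send out.
    reordered = RESTRICTIONS[:2] + RESTRICTIONS[3:-1] + ["permit_mynetworks", "permit"]
    print(evaluate("192.0.2.10", "pc1", "tom@example.com", "friend@gmail.com",
                   restrictions=reordered))
```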

Create a Signature in Zimbra

Create a Signature
A signature adds several lines of text automatically to your email.  Usually this is your company and contact information.  In order to create a signature in Zimbra, open your account and choose preferences.  When you open preferences you will see the signature tab.  Select the tab.


When the signature tab opens you will see that it is empty.  Choose Edit and you can create your signature.


Enter the information for your signature.  Note that you can format as plain text  or you could format as HTML.  Provide a name for your signature and select “Done”.


Once you have created a signature you can see that “Add Signature” is available to add a second or third signature.  This will allow you to use different signatures for different clients or friends.  Here you can see that when you create an email you can add the signature manually.

Here is your signature added to the email.


If you want to make the signature permanent then choose “Preferences” and “Signature”.  Below your signature you will see the “Using Signatures” and now select the “Accounts Page” which will allow you to make it permanent.


Change the “Do Not Attach Signature” to the signature of your choice.


Distribution List in Zimbra

Distribution List

A Distribution List is a list of users that you can send mail to at one time.  Instead of having to use CC: or BCC: you can have a permanent list to send to.  This is a great way to send company mail to one address and have it distributed to the entire staff.

When you want to create a new list choose “New” from the Administration panel and then “Distribution list”.  If you select Search on the “Add Members to this list” panel you will get a list of all of the users on the server.  Then select each user you want to add by highlighting the user and clicking “Add”.


Once you have added members they will be listed under “List Members”.  You now need to create a List Name.  Be aware that this list name will end up being an email address.  For security reasons, and to reduce spam, choose a list name that is not a common word, for example “tr5u67h”, because spammers are less likely to guess it.  Once that is done, save and test by sending an email to the list address, in this example test@my_domain.


Note that when “can receive mail” is checked, mail sent to this address will be delivered to the list of users.  To protect your list when it is not in use, uncheck this so it cannot be abused.  When it is unchecked, senders will get this message when they try to send to the list.

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

test@my_domain

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.1.1 <test@my_domain>: Recipient address rejected: my_domain (state 14).

Adding Lists From a .csv File

You may have a list of users in .csv format that you want to add to the server and then to your distribution list. The format for the .csv file must be three columns, email_address, user_name, password. If you do not provide a password it will ask the user to create one the first time they log in.

Here is what a .csv file should look like.

tom@example.com, tom, Ybhd45p
jane@example.com, jane, Yhnd34v
joe@example.com, joe, &iggw#
jerry@example.com, jerry, igfw34

Go to “Manage Distribution Lists” and select “Bulk Provision”.  A window will open that allows you to browse to the file with your users.


Your file will be read and you will be able to see the three columns with user information. Choose Next.


When you proceed it will add the users to the server.


Now open your Distribution List and use “Search” to locate all users that you entered. Now add the ones you want and you have completed the addition of all the users.

You can add a Distribution List to another list and view the relationship between lists. Be careful with this as you can create a real mess with the intertwining of the lists.


Manage Mail In the Deferred Queue

Deferred  queue
If Postfix cannot deliver a message to a recipient it is placed in the deferred queue.  The queue manager scans the deferred queue to see if it can place mail back into the active queue.  How often this scan occurs is determined by queue_run_delay.  Postfix scans the incoming queue at the same rate as the deferred queue, so that neither takes all the resources and each can continue to move messages.

The queue_run_delay is by default 300s or 300 seconds.  Each time the deferred queue is scanned it will only reinject a portion of the messages.

If you have a very busy mail server you may see a large deferred queue.  The first instinct is to flush the queue, but that may actually be counterproductive.  The only reason to flush the deferred queue is if you think the messages now have a good chance of delivery.  If they still do not, flushing will only slow down an already busy server.

The real question is: what is causing messages to be deferred?  One of the major reasons is that your server will place mail to “unknown recipients” into the deferred queue when there is no legitimate user for it to go to.

Here is the process to view and analyze why mail is deferred.  The first warning is that you see deferred mail in your log summaries.  In the example there are 2 listed.

Postfix log summaries for Feb 17

Grand Totals
------------
messages

101   received
106   delivered
0   forwarded
2   deferred  (35  deferrals)
0   bounced
104   rejected (49%)
0   reject warnings
0   held
0   discarded (0%)

1263k  bytes received
1331k  bytes delivered
32   senders
23   sending hosts/domains
17   recipients
11   recipient hosts/domains

Once you know that mail is in the deferred queue you need to locate the message Ids so you can read the mail in the queue.  Use the command postqueue to view mail Ids.

postqueue -p
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
9DF7520804A     3726 Mon Feb 16 03:06:41  MAILER-DAEMON
(connect to hydra.udag.de[89.31.140.33]: Connection timed out)
www-data@hydra.udag.de

CC1D4208048     3786 Mon Feb 16 02:39:50  MAILER-DAEMON
(connect to bootes.caixa.gov.br[200.201.166.138]: Connection timed out)
servicos@caixa.gov.br

-- 8 Kbytes in 2 Requests.
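As an added example (not from the original post or from Postfix), this Python parser turns the postqueue -p listing above into records, groups the deferred mail by the error Postfix recorded, and lists the null-sender queue IDs worth opening with postcat. The sample listing is a constructed copy of the output shown above.

```python
"""Parse `postqueue -p` output into records and group the deferred mail by
the reason Postfix recorded, so you know which queue IDs to feed to postcat.
Added example, not part of the original post or of Postfix. SAMPLE is a
constructed copy of the listing shown above; the trailing * and ! queue
flags (active, held) are handled even though the sample has none."""
import re
from collections import Counter

SAMPLE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
9DF7520804A     3726 Mon Feb 16 03:06:41  MAILER-DAEMON
(connect to hydra.udag.de[89.31.140.33]: Connection timed out)
                                         www-data@hydra.udag.de

CC1D4208048     3786 Mon Feb 16 02:39:50  MAILER-DAEMON
(connect to bootes.caixa.gov.br[200.201.166.138]: Connection timed out)
                                         servicos@caixa.gov.br

-- 8 Kbytes in 2 Requests.
"""

# Queue ID, optional status flag, size, arrival time, sender (or MAILER-DAEMON).
HEADER = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+"
                    r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")
FOOTER = re.compile(r"^-- (\d+) Kbytes in (\d+) Requests?\.")

def parse_postqueue(text):
    """Return (records, totals); each record is a dict with queue_id, flag,
    size, arrival, sender, reason and recipients."""
    records, totals, cur = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-Queue ID-"):
            continue
        m = FOOTER.match(line)
        if m:
            totals = (int(m.group(1)), int(m.group(2)))
            continue
        m = HEADER.match(line)
        if m:
            qid, flag, size, arrival, sender = m.groups()
            cur = {"queue_id": qid, "flag": flag, "size": int(size),
                   "arrival": arrival, "sender": sender,
                   "reason": None, "recipients": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        text_line = line.strip()
        if text_line.startswith("("):
            # Postfix prints the last delivery error in parentheses.
            cur["reason"] = text_line.strip("()")
        else:
            cur["recipients"].append(text_line)
    return records, totals

def normalize_reason(reason):
    """Drop the per-host prefix so identical errors group together."""
    return re.sub(r"^connect to \S+: ", "", reason or "no reason recorded")

def reason_summary(records):
    return Counter(normalize_reason(r["reason"]) for r in records)

def queue_status(flag):
    return {"*": "active", "!": "held"}.get(flag, "deferred")

def bounce_ids(records):
    """Queue IDs of null-sender mail (bounces and content-filter notices).
    When these pile up deferred, the addresses they are going back to are
    usually forged, as in the postcat output that follows."""
    return [r["queue_id"] for r in records if r["sender"] == "MAILER-DAEMON"]

if __name__ == "__main__":
    recs, tot = parse_postqueue(SAMPLE)
    for r in recs:
        print(r["queue_id"], queue_status(r["flag"]), r["recipients"],
              normalize_reason(r["reason"]))
    print(dict(reason_summary(recs)), tot, bounce_ids(recs))
```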

Once you have the message ID you can use postcat to open the message in the queue.  The first line shows that it is one of the deferred messages.  As you view the contents of the email you can see the reason it is deferred: in this example someone was trying to send mail as if it came from a real user, so it was detected as SPAM.

postcat -q 9DF7520804A
*** ENVELOPE RECORDS deferred/9/9DF7520804A ***
message_size:            3726             589               1               0
message_arrival_time: Mon Feb 16 03:06:41 2009
create_time: Mon Feb 16 03:06:41 2009
named_attribute: rewrite_context=local
named_attribute: envelope_id=AM..20090216T110641Z@ns.example.org
sender:
named_attribute: log_client_name=ns.example.org
named_attribute: log_client_address=127.0.0.1
named_attribute: log_message_origin=ns.example.org[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=ns.example.org
named_attribute: reverse_client_name=ns.example.org
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=localhost
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;www-data@hydra.udag.de
original_recipient: www-data@hydra.udag.de
recipient: www-data@hydra.udag.de
*** MESSAGE CONTENTS deferred/9/9DF7520804A ***
Received: from localhost (ns.example.org [127.0.0.1])
by ns.example.org (Postfix) with ESMTP id 9DF7520804A
for <www-data@hydra.udag.de>; Mon, 16 Feb 2009 03:06:41 -0800 (PST)
Content-Type: multipart/report; report-type=delivery-status;
 boundary="----------=_1234782401-3999-0"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
In-Reply-To: <9d798f4d2f18e5879bdfe20b2504d376@www.team-koeln.de>
Message-ID: <SSlkPbEmzalURU@ns.example.org>
From: “Content-filter at ns.example.org” <postmaster@example.org>
To: <www-data@hydra.udag.de>
Date: Mon, 16 Feb 2009 03:06:34 -0800 (PST)

This is a multi-part message in MIME format…

------------=_1234782401-3999-0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

A message from <www-data@hydra.udag.de> to:
-> user@gmail.com

was considered unsolicited bulk e-mail (UBE).

Our internal reference code for your message is 03999-12/lkPbEmzalURU

The message carried your return address, so it was either a genuine mail
from you, or a sender address was faked and your e-mail address abused
by third party, in which case we apologize for undesired notification.

We do try to minimize backscatter for more prominent cases of UBE and
for infected mail, but for less obvious cases of UBE some balance
between losing genuine mail and sending undesired backscatter is sought,
and there can be some collateral damage on both sides.

First upstream SMTP client IP address: [89.31.140.33]
According to a 'Received:' trace, the message originated at: [89.31.140.33],

Return-Path: <www-data@hydra.udag.de>
From: Caixa Economica Federal <servicos@caixa.gov.br>
Message-ID: <9d798f4d2f18e5879bdfe20b2504d376@www.team-koeln.de>
Subject: Atualizacao Caixa

Delivery of the email was stopped!

------------=_1234782401-3999-0
Content-Type: message/delivery-status; name="dsn_status"
Content-Disposition: inline; filename="dsn_status"
Content-Transfer-Encoding: 7bit
Content-Description: Delivery error report

Reporting-MTA: dns; ns.example.org
Received-From-MTA: smtp; ns.example.org ([127.0.0.1])
Arrival-Date: Mon, 16 Feb 2009 03:06:34 -0800 (PST)

Original-Recipient: rfc822;fred@example.com
Final-Recipient: rfc822;user@gmail.com
Action: failed
Status: 5.7.0
Diagnostic-Code: smtp; 554 5.7.0 Reject, id=03999-12 - SPAM
Last-Attempt-Date: Mon, 16 Feb 2009 03:06:34 -0800 (PST)
Final-Log-ID: 03999-12/lkPbEmzalURU

------------=_1234782401-3999-0
Content-Type: text/rfc822-headers; name="header"
Content-Disposition: inline; filename="header"
Content-Transfer-Encoding: 7bit
Content-Description: Message header section

Return-Path: <www-data@hydra.udag.de>
Received: from hydra.udag.de (hydra.udag.de [89.31.140.33])
by ns.example.org (Postfix) with ESMTP id 4CA89208029
for <fred@example.com>; Mon, 16 Feb 2009 03:06:33 -0800 (PST)
Received: by hydra.udag.de (Postfix, from userid 33)
id 32D3E45C463; Mon, 16 Feb 2009 12:21:10 +0100 (CET)
To: fred@example.com
Subject: Atualizacao Caixa
Date: Mon, 16 Feb 2009 12:21:07 +0100
From: Caixa Economica Federal <servicos@caixa.gov.br>
Reply-to: Caixa Economica Federal <servicos@caixa.gov.br>
Message-ID: <9d798f4d2f18e5879bdfe20b2504d376@www.team-koeln.de>
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.10.2800.1409.518512323.rg.sm31
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"

------------=_1234782401-3999-0--
*** HEADER EXTRACTED deferred/9/9DF7520804A ***
*** MESSAGE FILE END deferred/9/9DF7520804A ***

Dovecot with PLAIN Authentication and SSL/TLS

Authentication with Dovecot

PLAIN authentication has the advantage of being supported by all clients.  Certainly the disadvantage is that you have visible passwords on the wire, but that is easy to solve with SSL/TLS.  This means that it is easier to set up SSL/TLS  and PLAIN passwords than it is to fight the many hassles that come with other options.  Here are some links that show how to use SSL/TLS.

Introduction to SSL/TLS

Postfix and TLS

Testing SSL Connections with Dovecot

The major drawback of storing PLAIN passwords on the box is that if an attacker gets access to them they will own your email.  The other side of this is that you are already in trouble if they have access to your box.  The point is that setting up a mail server is not just about Postfix or Dovecot; it is also about the security that protects your system as a whole: firewalls, policies, permissions, processes, etc.

Using Secure Mutt Connections with IMAPS

Getting Started with mutt

On an Ubuntu 8.10 Desktop you will need to install both mutt and sSMTP.

sudo apt-get install mutt
sudo apt-get install ssmtp

Once you have SSMTP and mutt installed you can test your email by creating two users and sending mail from one at the command line to the other user.  Here mail is sent to the user tom on the local machine.

echo "Test" | mutt -s Hello tom

The -s is the option that creates the Subject line.

Sending Email
Now you want to be able to send email to the Internet, so you will need to edit your /etc/ssmtp/ssmtp.conf file.  It is important that you understand which mail server you will send mail to; this is the mailhub setting.  Mail servers must have a Fully Qualified Domain Name, so you will need something like mail.example.com.  Note that this setting will let you send email through the mail server of your ISP or through your own mail server.  However, that mail server must be set up to accept mail from you; if not you will have difficulty, as spam filters typically should not accept mail from anything but a properly configured mail server.

#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=postmaster

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=mail.example.com

# Where will the mail seem to come from?
rewriteDomain=example.com

# The full hostname
hostname=dg

You can check your version and the options that are compiled into your mutt with this command.
mutt -v
Mutt 1.5.18 (2008-05-17)
Copyright (C) 1996-2008 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 2.6.27-9-generic (i686)
ncurses: ncurses 5.6.20071124 (compiled with 5.6)
libidn: 1.8 (compiled with 1.8)
hcache backend: GDBM version 1.8.3. 10/15/2002 (built Jun 15 2006 21:19:27)
Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE
+USE_FCNTL  -USE_FLOCK
+USE_POP  +USE_IMAP  +USE_SMTP  +USE_GSS  -USE_SSL_OPENSSL  +USE_SSL_GNUTLS  +USE_SASL  +HAVE_GETADDRINFO
+HAVE_REGCOMP  -USE_GNU_REGEX
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  -CRYPT_BACKEND_GPGME
-EXACT_ADDRESS  -SUN_ATTACHMENT
+ENABLE_NLS  -LOCALES_HACK  +COMPRESSED  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  +HAVE_LANGINFO_YESEXPR
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_LIBIDN  +HAVE_GETSID  +USE_HCACHE
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"
To contact the developers, please mail to <mutt-dev@mutt.org>.
To report a bug, please visit http://bugs.mutt.org/.

patch-1.5.13.cd.ifdef.2
patch-1.5.13.cd.purge_message.3.4
patch-1.5.13.nt+ab.xtitles.4
patch-1.5.4.vk.pgp_verbose_mime
patch-1.5.6.dw.maildir-mtime.1
patch-1.5.8.hr.sensible_browser_position.3

Mutt Basics
Once it is all installed you can open mutt with:
mutt

This is what you will get with mutt.  Each key is defined for you at the top of the window.  You may quit mutt with “q”.  Delete “d” and undelete “u” are options you need to get used to, as this is how you will clean out your mailbox.  In fact, if you look at the bottom of the example you see the directory for the mail, /var/mail/user_name.  If you want to save mail use “s”, and reply with “r”.

q:Quit  d:Del  u:Undel  s:Save  m:Mail  r:Reply  g:Group  ?:Help

—Mutt: /var/mail/mike [Msgs:0]—(threads/date)————————————(all)—

The “m” option will create a new email.  It will open the “To:” and you may then enter the email address you want to send to.

To: mike@example.com

When you hit enter it will bring up the subject line that you can fill in.

Subject: test email from mutt

Hit enter again and nano opens to allow you to edit the email you want to send.

Nano is an alternative text editor.  Key sequences in nano are entered directly from the keyboard, making nano a “modeless” editor, unlike vim.  With the exception of Control and Meta key sequences, all the keys enter text into the file being edited.  You do not have to switch modes at all.  In addition, nano provides some text aids.

Opening Screen
When you issue the nano command without any options, the program opens as you see below, with the basic commands available using Ctrl+Letter (the ^ symbol represents the Ctrl key).

GNU nano 2.0.7                New Buffer

^G Get Help    ^O WriteOut    ^R Read File   ^Y Prev Page   ^K Cut Text      ^C Cur Pos
^X Exit            ^J Justify          ^W Where Is   ^V Next Page  ^U UnCut Text  ^T To Spell

Basic Commands
^G    get help
Main nano help text
The nano editor is designed to emulate the functionality and ease-of-use of  the UW Pico text editor.  There are four main sections of the editor.  The top  line shows the program version, the current filename being edited, and whether  or not the file has been modified.  Next is the main editor window showing the  file being edited.  The status line is the third line from the bottom and  shows important messages.  The bottom two lines show the most commonly used  shortcuts in the editor.

^O     write the file
If you write text you may write to a file with this command.
File Name to Write: newfile

^R    read a file
When you would like to insert a file, use this command and then supply the full path, or just the filename if it is in the current directory.
File to insert [from ./] : /home/mike/newfile

^Y    previous page
^K    cut text
^C    current position
This will provide information about the current position.  In this example of writing an email, you will see the status line at the bottom.

GNU nano 2.0.7             File: /tmp/mutt-dg-1000-12143-0                       Modified

When you use nano you can begin typing immediately as there are no modes like in vi.
This certainly makes it easier to use as a text editor as it eliminates one layer of
complexity.

[ line 5/6 (83%), col 1/1 (100%), char 186/187 (99%) ]
^G Get Help    ^O WriteOut    ^R Read File   ^Y Prev Page   ^K Cut Text    ^C Cur Pos
^X Exit        ^J Justify     ^W Where Is    ^V Next Page   ^U UnCut Text  ^T To Spell

^X    exit
^J    justify

^W    where is
If you need to search an email you can use this command. As soon as you select ^W you will receive a search field to look for the text string you want.  It will take you to the first example of that text string.

^V    next page, scroll through pages
^U    uncut text or paste
^T    spell check

GNU nano 2.0.7             File: /tmp/mutt-dg-1000-12143-0                       Modified

When you use nano you can begin typing immediatley as there are no modes like in vi.
This certainly makes it easier to use as a text editor as it eliminates one layer of
complexity.

^G Get Help    ^O WriteOut    ^R Read File   ^Y Prev Page   ^K Cut Text    ^C Cur Pos
^X Exit        ^J Justify     ^W Where Is    ^V Next Page   ^U UnCut Text  ^T To Spell

Once you are done with your email use ^O and you will see the option to write the email:

File Name to Write: /tmp/mutt-dg-1000-12143-0
^G Get Help            ^T To Files            M-M Mac Format         M-P Prepend
^C Cancel              M-D DOS Format         M-A Append             M-B Backup File

Hit enter and it will be written.

Now use ^X to exit and then select “y” to send immediately and you should see this message at the bottom of the screen.

—Mutt: /var/mail/mike [Msgs:0]—(threads/date)————————————(all)—
Mail sent.

Until you send the email you will see your email in the /tmp directory waiting to be sent.

y:Send  q:Abort  t:To  c:CC  s:Subj  a:Attach file  d:Descrip  ?:Help
From: mike <mike@dg>
To: mike@example.com
Cc:
Bcc:
Subject: test email
Reply-To:
Fcc: ~/sent
Mix: <no chain defined>
Security: Clear

-- Attachments
- I     1 /tmp/mutt-dg-1000-12143-4                       [text/plain, 7bit, us-ascii, 0.1K]

If you need help with mutt you can use the “?” and it will show you a list of options.

i:Exit  -:PrevPg  <Space>:NextPg ?:Help
^B          M <enter-command> s… call urlview to extract URLs out of a message
^D          toggle-disposition     toggle disposition between inline/attachment
^E          edit-encoding          edit attachment transfer-encoding
^F          forget-passphrase      wipe passphrase(s) from memory
<Return>    view-attach            view attachment using mailcap entry if
+                                  necessary
^T          edit-type              edit attachment content type
^Xe         edit-file              edit the file to be attached
<Esc>f      edit-from              edit the from field
<Esc>k      attach-key             attach a PGP public key
A           attach-message         attach message(s) to this message
C           copy-file              save message/attachment to a file
D           detach-file            delete the current entry
E           edit-headers           edit the message with headers
F           filter-entry           filter attachment through a shell command
G           get-attachment         get a temporary copy of an attachment
M           mix                    send the message through a mixmaster remailer
+                                  chain
P           postpone-message       save this message to send later
R           rename-file            rename/move an attached file
S           smime-menu             show S/MIME options
Help for compose

Receiving Mail

Here you can see a new email (email #3) has arrived.  By typing the number “3” you are able to open that specific email.

q:Quit  d:Del  u:Undel  s:Save  m:Mail  r:Reply  g:Group  ?:Help
1     Jan 31 Mike            (1.1K) Re: test from bs
2     Jan 31 mike            (1.0K) test email
3 N   Jan 31 mike            (1.1K) └─>

Jump to message: 3

Also notice the arrow that indicates that the email is a response to a previous email.

Delete Email
When you are working with mutt you will want to delete mail that you no longer want.  You can do that by selecting the email in the list and choosing “d”, which will place a capital “D” in front of the email, and it will be removed.

Using Secure Mutt Connections with IMAPS
You will need to set up your mail server so that it will be able to use IMAPS on port 993.  This means that your connection is secured with TLS, Transport Layer Security, the improvement on SSL.  Once you have your server set up you can use mutt to make a secure connection and send email as well.  To connect, just use this command to start mutt:
mutt -f imaps://mike@mail.example.com

That will request the password for your account and then provide you access to the mail on the server.

If your email account is a virtual user on the mail server, the user name itself contains an @ and must be encoded.  For example, if the mail server was mail.example.com and that mail server was providing the domain mail for you at mycompany.com, you would have to connect using this method:

mutt -f imaps://mike%40mycompany.com@mail.example.com

You are connecting with IMAP but you are giving your virtual user account, mike@mycompany.com, with %40 representing the @ symbol of the virtual account.  You cannot do this:

mutt -f imaps://mike@mycompany.com@mail.example.com

Once you have that set up you should be able to login and send email.
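As an added example (not code from the original page), here is a small POSIX shell helper that builds the imaps:// URL for mutt from a user name and host, percent-encoding the @ of a virtual user as %40 so the host part is not split in the wrong place, and refusing a malformed host so a typo cannot end up with a cleartext imap:// URL. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: compose the mutt IMAPS folder
# URL for a virtual user such as mike@mycompany.com on mail.example.com.
# mutt reads the URL as imaps://USER@HOST, so an '@' inside USER must be
# written as %40 (mutt decodes %XX escapes) or the host is parsed wrongly.

# Percent-encode everything that is not an RFC 3986 unreserved character.
# This covers '@' (%40) and also ':', '/', '%' and spaces that sometimes
# appear in virtual user names. Pure POSIX sh: walks the string per character.
pct_encode() {
    s=$1
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character
        s=${s#?}                 # remainder of the string
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Build the folder URL. The host is restricted to hostname characters so a
# stray '/' or ':' cannot smuggle a port or path into the URL; the scheme is
# always imaps, never the cleartext imap on port 143.
imaps_url() {
    user=$1; host=$2
    case $host in
        *[!A-Za-z0-9.-]*|"") echo "bad host: $host" >&2; return 1 ;;
    esac
    printf 'imaps://%s@%s\n' "$(pct_encode "$user")" "$host"
}

# Usage: mutt -f "$(imaps_url mike@mycompany.com mail.example.com)"
# expands to: mutt -f imaps://mike%40mycompany.com@mail.example.com
```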

Virtual Domain Aliases

Virtual aliases can map to addresses that do not terminate on the local system while regular aliases can only map to addresses which terminate on the local system.

Virtual Alias Domains
You will need to add these lines to the main.cf file.

virtual_alias_domains = example.com

If you were going to add a number of domains you would want to create a map file.  Create the file /etc/postfix/virtual_alias_domains and enter one domain on each line, with the creation date on the right.  Postfix will ignore the creation date, but remember that map files must have two columns.

myexample.com             20070608
example.com                  20070801
newexample.com            20070803

Now create the db out of this file with this command:

postmap hash:/etc/postfix/virtual_alias_domains

If you use a database file as illustrated above you will need the parameter changed to this:

virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains

Warning!
If you set up a domain as virtual DO NOT put it in the mydestination parameter.

Now you need to create the recipient address map.  Create a file called:

/etc/postfix/virtual_alias_maps

The file maps the virtual address in the left column to the address, local or remote, that you want it delivered to in the right column.  The two columns are separated by a TAB.

test@myexample.com      test@example.com
mike@example.com         mike@another_example.com
joe@newexample.com     joe@last_example.com

Save the file.

Execute the command to create the db file.
postmap hash:/etc/postfix/virtual_alias_maps

Add this line in the main.cf.
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps

Then reload Postfix so the new settings take effect:
service postfix reload

Testing the Virtual Alias Settings
Enter a mail address that you have listed in your virtual_alias_maps file to test.
echo testing | /usr/sbin/sendmail test@myexample.com
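Before running postmap and reloading, it is worth linting the two map files against the rules given above: two columns per line, every left-hand alias domain present in virtual_alias_domains, and no virtual domain repeated in mydestination (the Warning!). The shell function below is an added example, not code from the original page or from Postfix; its name and argument order are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: lint the Postfix map files
# described above before "postmap" and "service postfix reload".
# Rules checked (all taken from the text):
#   1. every non-comment line of a map file has exactly two columns;
#   2. the domain on the left of virtual_alias_maps is listed in
#      virtual_alias_domains;
#   3. no virtual alias domain also appears in mydestination.
# Arguments: path to virtual_alias_domains, path to virtual_alias_maps, and
# the mydestination value as one comma-separated string. Returns non-zero
# and reports each violation on stderr.
check_virtual_maps() {
    domains_file=$1; maps_file=$2; mydest=$3
    rc=0
    # rule 1: two whitespace-separated columns (FNR restarts for each file)
    awk 'NF && $1 !~ /^#/ && NF != 2 {
             print FILENAME ": line " FNR ": expected two columns: " $0; bad = 1
         } END { exit bad }' "$domains_file" "$maps_file" >&2 || rc=1
    # rule 3: a domain is either virtual or local (mydestination), never both
    for d in $(awk 'NF && $1 !~ /^#/ { print $1 }' "$domains_file"); do
        for m in $(printf '%s' "$mydest" | tr ',' ' '); do
            if [ "$d" = "$m" ]; then
                echo "$d is listed as virtual and in mydestination" >&2; rc=1
            fi
        done
    done
    # rule 2: the left-hand domain of each alias must be a virtual alias domain
    for a in $(awk 'NF && $1 !~ /^#/ { print $1 }' "$maps_file"); do
        dom=${a#*@}
        if ! awk -v d="$dom" '$1 == d { found = 1 } END { exit !found }' "$domains_file"; then
            echo "$a: $dom is not in virtual_alias_domains" >&2; rc=1
        fi
    done
    return $rc
}

# Usage on the real files (mydestination value copied from main.cf):
#   check_virtual_maps /etc/postfix/virtual_alias_domains \
#       /etc/postfix/virtual_alias_maps "localhost, dg.localdomain" && postmap ...
```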