Posts Tagged Postfix Mail Server

Manage Mail Server Connections

Posted by Filed Under Performance with Comments Off

One aspect of managing mail server connections is managing TCP keep-alives.  Tuning keep-alives can make long-lived connections more reliable, or free the resources a server holds for connections whose peer has silently gone away.

Once a client has connected to the mail server, TCP itself does not require any data to flow to keep the connection up; a connection can sit open indefinitely without a single packet being exchanged.  A keep-alive probe lets the server find out whether the peer is still there, because there is no point holding a file descriptor, a process slot and kernel memory for a connection whose other end no longer exists.

Resource Management
Here is an example of a single client connected to a mail server.  Note how many connections are open to IMAPS (port 993).  Depending on how many folders the IMAP account has, and how many accounts the client checks, each client can hold several connections that the server has to manage.

tcp        0      0 192.168.3.4:49215     192.168.3.69:993        ESTABLISHED
tcp        0      0 192.168.3.4:49216     192.168.3.69:993        ESTABLISHED
tcp        0      0 192.168.3.4:44262     192.168.3.69:993        ESTABLISHED
tcp        0      0 192.168.3.4:44226     192.168.3.69:993        ESTABLISHED
tcp        0      0 192.168.3.4:44263     192.168.3.69:993        ESTABLISHED

The problem with so many connections is managing the resources they tie up on the mail server once you have many users, each holding several connections.  Keep-alives are one part of managing those resources.

By adjusting the keep-alive settings you can either reclaim resources held by connections whose peer has silently disappeared, or relax the settings to ensure that connections over unreliable links are not declared dead too early.

Keep-Alive Settings
There are three kernel settings that control keep-alives, all under /proc/sys/net/ipv4 (sysctl net.ipv4.tcp_keepalive_*).  They only take effect on sockets for which the application has enabled the SO_KEEPALIVE socket option; a daemon that never sets it sends no probes whatever these values are.

/proc/sys/net/ipv4/tcp_keepalive_intvl
The interval, in seconds, between subsequent keep-alive probes.  It applies regardless of what else is happening on the connection.

/proc/sys/net/ipv4/tcp_keepalive_time
The interval, in seconds, between the last data packet sent and the first keep-alive probe.  Bare ACKs do not count as data.  Once the connection has been marked as needing keep-alive probes, this counter is not used again until data flows.

/proc/sys/net/ipv4/tcp_keepalive_probes
The number of unacknowledged probes to send before the kernel considers the connection dead and notifies the application.

Here are default settings.
cat /proc/sys/net/ipv4/tcp_keepalive_intvl
75
cat /proc/sys/net/ipv4/tcp_keepalive_time
7200
cat /proc/sys/net/ipv4/tcp_keepalive_probes
9

With these defaults a connection whose peer has gone silent is dropped after 7200 + 9 * 75 = 7875 seconds, roughly 2 hours 11 minutes.  Lowering the values frees the resources sooner; raising them tolerates longer silences before a connection is declared dead.

Changing Keep-Alive Settings
For testing, the simplest approach is to echo a new value into the /proc file.  Such a change is lost on reboot; to make it permanent, put the equivalent net.ipv4.tcp_keepalive_* line in /etc/sysctl.conf.  For example, if connections are less reliable than you need and clients complain about dropped sessions, raise the number of probes the kernel sends before giving up:

echo 15 > /proc/sys/net/ipv4/tcp_keepalive_probes

If you are more interested in freeing resources on the mail server, lower the idle time before the first probe is sent:

echo 6000 > /proc/sys/net/ipv4/tcp_keepalive_time

Whatever you change, test it and listen to your users before you make the setting permanent.
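As an added example (not code from the original post), here is a small Python script that turns the three values into the time it takes to notice a dead peer, and that shows the per-socket side of the story: the sysctls only apply to sockets that set SO_KEEPALIVE, and an application can override the three timers for its own sockets with TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT without touching the global values. The fallback defaults for hosts without /proc and the example timer values (60 s, 10 s, 3 probes) are assumptions for the demo.

```python
# Added example, not part of the original post: keep-alive arithmetic plus
# per-socket keep-alive configuration. Assumed demo values: 60 s idle,
# 10 s interval, 3 probes.
import socket


def dead_after(keepalive_time, keepalive_intvl, keepalive_probes):
    """Seconds from the last data packet until the kernel declares a silent
    peer dead: wait out the idle period, then send every probe, each spaced
    by the probe interval, and give up when the last one goes unanswered."""
    return keepalive_time + keepalive_intvl * keepalive_probes


def read_sysctls(path="/proc/sys/net/ipv4"):
    """Read the live kernel values. On hosts without /proc (macOS, BSD) the
    documented Linux defaults are returned so the example still runs."""
    defaults = {"tcp_keepalive_time": 7200,
                "tcp_keepalive_intvl": 75,
                "tcp_keepalive_probes": 9}
    values = {}
    for name, fallback in defaults.items():
        try:
            with open(f"{path}/{name}") as fh:
                values[name] = int(fh.read().strip())
        except (OSError, ValueError):
            values[name] = fallback
    return values


def enable_keepalive(sock, idle=None, intvl=None, probes=None):
    """Turn on SO_KEEPALIVE for one socket and, where the platform exposes the
    options, override the three timers for that socket only. This needs no
    root and no sysctl change, and is the knob a daemon (IMAP server, long
    lived SMTP session) should set itself rather than hoping the defaults fit.
    Returns what was actually applied, read back via getsockopt."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    # Linux spells the idle timer TCP_KEEPIDLE; macOS calls it TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    wanted = {
        "idle": (idle, idle_opt),
        "intvl": (intvl, getattr(socket, "TCP_KEEPINTVL", None)),
        "probes": (probes, getattr(socket, "TCP_KEEPCNT", None)),
    }
    for key, (value, optname) in wanted.items():
        if value is not None and optname is not None:
            sock.setsockopt(socket.IPPROTO_TCP, optname, value)
            applied[key] = sock.getsockopt(socket.IPPROTO_TCP, optname)
    return applied


def keepalive_on_new_socket(idle=60, intvl=10, probes=3):
    """Create a TCP socket with aggressive per-socket keep-alive: a dead peer
    is noticed after idle + intvl * probes seconds instead of the 2 h 11 min
    the system defaults give."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        return enable_keepalive(sock, idle, intvl, probes)


if __name__ == "__main__":
    s = read_sysctls()
    total = dead_after(s["tcp_keepalive_time"], s["tcp_keepalive_intvl"],
                       s["tcp_keepalive_probes"])
    print(f"system values: {s} -> dead peer detected after {total} s "
          f"({total // 3600} h {total % 3600 // 60} min {total % 60} s)")
    print("per-socket override:", keepalive_on_new_socket())
```

The per-socket route is usually the better one for a mail daemon: the global sysctls affect every TCP socket on the host, while a server that knows its clients idle for minutes, not hours, can set its own timers and leave the rest of the system alone.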

Compiling SASL Packages with Postfix

Posted by Filed Under Compile Postfix with Comments Off

The build variables, CCARGS and AUXLIBS in particular, pass the options Postfix needs to the compiler and the linker when you run make makefiles.

AUXLIBS – If you build support for additional components (MySQL, SASL and so on) you may need to tell the linker where to find their libraries.  The standard location for system libraries is /usr/lib.  If you want the linker to search additional directories you must say so with the -L option.

CentOS Example
AUXLIBS='-L/usr/lib'

However, that is not enough, because you must also name the specific library to link with the -l option.  Library files start with lib and end in .a for a static library, .so for a shared object (or .sl for a shared library on HP-UX).  With -l the library is referred to without the lib prefix and without the extension.  So to add MySQL support and link against mysqlclient it would look like this:

CentOS Example
AUXLIBS='-L/usr/lib/mysql -L/usr/lib -lmysqlclient -lz -lm'

CC – Postfix uses the gcc compiler by default.  If you want a different one you need to set it explicitly.  In the makedefs file you will see the text "${CC-gcc}", which means: use $CC if it is set, otherwise gcc.

CCARGS – This will supply any additional arguments you want to make to the compiler.  This is used to indicate files that you need that are not in default locations.

DEBUG – This will provide debugging levels that you may want to use.  Typically you will want to increase debugging levels when you initially build Postfix for testing and then eliminate it when you build the final version for your production server.

OPT – Optimization flags passed to the compiler (makedefs defaults to -O), if you need the binaries built with a particular optimization level.

Compiler options are set with CCARGS.  The standard location for the header files you need is /usr/include.  If headers live somewhere else, add an -I option to CCARGS for each additional directory the compiler should search.

CCARGS='-I/usr/local/include/'

The -D option defines a preprocessor macro, which is how you switch on support for an optional component.  To tell Postfix to build in MySQL support, define the HAS_MYSQL macro like this:

CCARGS='-DHAS_MYSQL'

To change the default location of a Postfix directory or command, define the corresponding DEF_* macro with the path as a quoted C string.  The backslashes are needed because the value passes through make and the shell before it reaches the compiler:

make makefiles CCARGS='-DDEF_CONFIG_DIR=\"a/location\"'

Parameters whose defaults can be specified in this way are:

Macro name            default value for      typical default
DEF_COMMAND_DIR       command_directory      /usr/sbin
DEF_CONFIG_DIR        config_directory       /etc/postfix
DEF_DAEMON_DIR        daemon_directory       /usr/libexec/postfix
DEF_DATA_DIR          data_directory         /var/lib/postfix
DEF_MAILQ_PATH        mailq_path             /usr/bin/mailq
DEF_HTML_DIR          html_directory         no
DEF_MANPAGE_DIR       manpage_directory      /usr/local/man
DEF_NEWALIAS_PATH     newaliases_path        /usr/bin/newaliases
DEF_QUEUE_DIR         queue_directory        /var/spool/postfix
DEF_README_DIR        readme_directory       no
DEF_SENDMAIL_PATH     sendmail_path          /usr/sbin/sendmail

Parameter Changes for the Environment
When you want to override these parameters you need to run the build in two steps, so that make makefiles can write the overrides into the Makefiles before the compile runs.  Here is an example of some changes you could make.

make makefiles CCARGS='-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" \
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" \
-DHAS_MYSQL -I/usr/src/mysql/include/mysql' \
AUXLIBS='-L/usr/src/mysql/lib/mysql -lmysqlclient'

On any server that you are compiling Postfix on, you need to take into account where the additional programs are that you want to compile with Postfix.  These directories will be in different locations depending upon the distro that you are using.

One component you will probably want to compile into Postfix is SASL support.  The illustration uses CentOS, but you can see how you would change the directories for Ubuntu or Debian and it works the same way.  Use yum to find out which version you have, as the paths and library names may change between versions.  Here you can see cyrus-sasl is version 2.1.22.

yum info cyrus-sasl

Name       : cyrus-sasl
Arch       : i386
Version    : 2.1.22
Release    : 4
Size       : 4.6 M
Repo       : installed
Summary    : The Cyrus SASL library.
URL        : http://asg.web.cmu.edu/sasl/sasl-library.html
License    : Freely Distributable
Description: The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding
           : authentication support to connection-based protocols.

Postfix's own SASL_README gives the following recipe.  It assumes that the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL libraries are in /usr/local/lib.

On some systems this generates the necessary Makefile definitions (for Cyrus SASL version 2.1.x):

% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib -lsasl2"

On systems such as Solaris that need run-time link information (otherwise ld.so will not find the SASL shared library), add -R:

% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib \
-R/usr/local/lib -lsasl2"

Why this won't work on CentOS: the cyrus-sasl-devel package installs the headers under /usr/include/sasl and the library under /usr/lib, not under /usr/local.
ls /usr/include/sasl
hmac-md5.h  md5global.h  md5.h  prop.h  sasl.h  saslplug.h  saslutil.h

Modified for those paths (the -I must name the directory that holds sasl.h itself, because Postfix includes <sasl.h> directly):
make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2"

make upgrade

Then confirm that the installed smtpd really links libsasl2.  If a library shows up as "not found" here, the -L path was wrong or the run-time linker cannot see it.

ldd `postconf -h daemon_directory`/smtpd
linux-gate.so.1 =>  (0x00bfc000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00464000)
libdb-4.3.so => /lib/libdb-4.3.so (0x00110000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00207000)
libresolv.so.2 => /lib/libresolv.so.2 (0x003fc000)
libc.so.6 => /lib/libc.so.6 (0x0021e000)
libdl.so.2 => /lib/libdl.so.2 (0x00d22000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00362000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00d28000)
/lib/ld-linux.so.2 (0x00bb9000)
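As an added example, not part of the original post or of the Postfix build system, the Python below automates the three things this post walks through: find where the distribution actually put the Cyrus SASL headers and library, assemble the make makefiles line with the quoting the DEF_* macros need, and afterwards confirm from ldd output that smtpd links a resolvable libsasl2. The search roots are an assumption; the ldd samples are constructed.

```python
# Added example, not Postfix code. Assumptions: the INCLUDE_ROOTS/LIB_ROOTS
# search order, and that the SASL headers live in a sasl/ subdirectory.
import os
import re

# Typical header/library roots; /usr/local first so a hand-built Cyrus SASL
# wins over the distribution package.
INCLUDE_ROOTS = ["/usr/local/include", "/usr/include"]
LIB_ROOTS = ["/usr/local/lib", "/usr/lib64", "/usr/lib",
             "/usr/lib/x86_64-linux-gnu"]


def find_sasl(include_roots=INCLUDE_ROOTS, lib_roots=LIB_ROOTS):
    """Return (include_dir, lib_dir) for Cyrus SASL 2 or raise if missing.
    Postfix includes <sasl.h> directly, so -I must name the directory that
    holds sasl.h itself (e.g. /usr/include/sasl), not its parent."""
    include_dir = None
    for root in include_roots:
        candidate = os.path.join(root, "sasl")
        if os.path.isfile(os.path.join(candidate, "sasl.h")):
            include_dir = candidate
            break
    lib_dir = None
    for root in lib_roots:
        if os.path.isdir(root) and any(
                n == "libsasl2.a" or n.startswith("libsasl2.so")
                for n in os.listdir(root)):
            lib_dir = root
            break
    if include_dir is None or lib_dir is None:
        raise FileNotFoundError(
            "Cyrus SASL development files not found; install "
            "cyrus-sasl-devel (RPM) or libsasl2-dev (Debian) first")
    return include_dir, lib_dir


def make_makefiles_cmd(defs, includes, lib_dirs, libs):
    """Assemble the 'make makefiles' line. DEF_* values must reach the C
    compiler as string literals; inside single-quoted CCARGS that is written
    \\"...\\", because the value passes through make and the shell once more
    before it reaches cc. A macro mapped to None is a plain -DNAME switch."""
    ccargs = []
    for name, value in defs.items():
        if value is None:
            ccargs.append(f"-D{name}")
        else:
            ccargs.append(f'-D{name}=\\"{value}\\"')
    ccargs += [f"-I{d}" for d in includes]
    auxlibs = [f"-L{d}" for d in lib_dirs] + [f"-l{lib}" for lib in libs]
    return "make makefiles CCARGS='{}' AUXLIBS='{}'".format(
        " ".join(ccargs), " ".join(auxlibs))


def sasl_build_cmd(include_roots=INCLUDE_ROOTS, lib_roots=LIB_ROOTS):
    """The SASL build line from the post, with paths discovered on this host."""
    include_dir, lib_dir = find_sasl(include_roots, lib_roots)
    return make_makefiles_cmd(
        {"USE_SASL_AUTH": None, "USE_CYRUS_SASL": None},
        [include_dir], [lib_dir], ["sasl2"])


def linked_libs(ldd_output):
    """Parse `ldd` output into {soname: path or None}. A None path covers
    both 'not found' and the vdso line that has no file behind it."""
    libs = {}
    for line in ldd_output.splitlines():
        m = re.match(r"\s*(\S+)\s*=>\s*(\S*)", line)
        if m:
            name, target = m.groups()
            libs[name] = target if target.startswith("/") else None
    return libs


def sasl_is_linked(ldd_output):
    """True when smtpd links a resolvable libsasl2; feed it the output of
    ldd "$(postconf -h daemon_directory)/smtpd" after make upgrade."""
    return any(name.startswith("libsasl2.so") and path
               for name, path in linked_libs(ldd_output).items())


# Constructed samples, shaped like the ldd output in the post.
SAMPLE_LDD = """\
    linux-gate.so.1 =>  (0x00bfc000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00464000)
    libc.so.6 => /lib/libc.so.6 (0x0021e000)
    /lib/ld-linux.so.2 (0x00bb9000)
"""
SAMPLE_LDD_BROKEN = """\
    libsasl2.so.2 => not found
    libc.so.6 => /lib/libc.so.6 (0x0021e000)
"""

if __name__ == "__main__":
    try:
        print(sasl_build_cmd())
    except FileNotFoundError as exc:
        print(exc)
    print("sample links sasl2:", sasl_is_linked(SAMPLE_LDD))
    print("broken sample links sasl2:", sasl_is_linked(SAMPLE_LDD_BROKEN))
```

Run the script on the build host before make makefiles; if it reports the development package as missing, nothing you put in CCARGS will help, and the "not found" check after installation catches the other common failure, a library that was visible to the linker at build time but not to ld.so at run time.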

Why Do You Use Postfix?

Posted by Filed Under Postfix Configuration with 1 Comment

Recently we asked administrators why they used Postfix Mail Server.  Here are some of the responses:

“Being able to manage users and pretty much all mail aspects from a MySQL table”

“Security.  Postfix is rock solid and I do not have to worry about the security of the system once it is set up correctly”

“Flexibility!”

“I’ve been running Postfix on an array of servers for the last eight years.  I don’t think I’d ever switch to anything else.”

“We’ve run Postfix here at our company and couldn’t be happier”

“I am able to add whatever I want to it.  Including webmail options which we use.”

“We use Postfix because it is easier to configure than Sendmail and the modular design helps us save resources.”

“We actually use Zimbra but underneath at the heart of the program is Postfix.  We have the Zimbra interface to keep users happy”

“Stable … seems like all we do is keep getting mail like we are supposed to”

“Easy to set up”

Postfix: Whitelists and Blacklists

Posted by Filed Under Spam Control, Uncategorized with Comments Off

Whitelists / Blacklists
You can set up whitelists and blacklists that override the normal spam checks, so that mail for or from certain addresses is never blocked, or always blocked.

Prevent any Spam Checking
To skip spam checking entirely for certain recipients, use the bypass ACL.  These options are added to amavisd.conf:

@bypass_spam_checks_acl = qw( mike@example.com joe@example.com );

The spam lovers option keeps the checks running, but mail to these recipients is never blocked or quarantined as spam, so they receive everything:

@spam_lovers_acl = ('mike@example.com', 'joe@example.com');

Sender Whitelist and Blacklist
These are matched on the envelope sender address, the MAIL FROM of the SMTP transaction, not on the From: header.  Keep in mind that the envelope sender is trivially forged, so a sender whitelist is a convenience for false positives, not a security control.  In amavisd, if an address is on both the blacklist and the whitelist, both actions take place.

@blacklist_sender_acl = ('jane@example.org', 'john@example.com');

@whitelist_sender_acl = ('jane@example.org', 'john@example.com');

You can set up a regular expression option that looks like this.

$blacklist_sender_re = new_RE(
  qr'^(money|savings|loan)@'i,
  qr'^(health|workouts|diet)@'i,
  qr'^(job|at_home|new-job)\d*@'i,
);

Here is the default sender scoring table (@score_sender_maps) from amavisd.conf.  A positive score is a soft blacklist: it is added to the message's spam score, making it more likely to cross the spam threshold.  A negative score is a soft whitelist and lowers the score, which is the tool to reach for when a legitimate list keeps triggering false positives.  Within each table the first matching entry decides.

@score_sender_maps = ({
  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

    new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
      [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
      [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
      [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
      [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
      [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
      [qr'^(your_friend|greatoffers)@'i                                => 5.0],
      [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
    ),

    #  read_hash("/var/amavis/sender_scores_sitewide"),

    { # a hash-type lookup table (associative array)
      'nobody@cert.org'                        => -3.0,
      'cert-advisory@us-cert.gov'              => -3.0,
      'owner-alert@iss.net'                    => -3.0,
      'slashdot@slashdot.org'                  => -3.0,
      'securityfocus.com'                      => -3.0,
      'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
      'security-alerts@linuxsecurity.com'      => -3.0,
      'mailman-announce-admin@python.org'      => -3.0,
      'amavis-user-admin@lists.sourceforge.net'=> -3.0,
      'amavis-user-bounces@lists.sourceforge.net' => -3.0,
      'spamassassin.apache.org'                => -3.0,
      'notification-return@lists.sophos.com'   => -3.0,
      'owner-postfix-users@postfix.org'        => -3.0,
      'owner-postfix-announce@postfix.org'     => -3.0,
      'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
      'sendmail-announce-request@lists.sendmail.org' => -3.0,
      'donotreply@sendmail.org'                => -3.0,
      'ca+envelope@sendmail.org'               => -3.0,
      'noreply@freshmeat.net'                  => -3.0,
      'owner-technews@postel.acm.org'          => -3.0,
      'ietf-123-owner@loki.ietf.org'           => -3.0,
      'cvs-commits-list-admin@gnome.org'       => -3.0,
      'rt-users-admin@lists.fsck.com'          => -3.0,
      'clp-request@comp.nus.edu.sg'            => -3.0,
      'surveys-errors@lists.nua.ie'            => -3.0,
      'emailnews@genomeweb.com'                => -5.0,
      'yahoo-dev-null@yahoo-inc.com'           => -3.0,
      'returns.groups.yahoo.com'               => -3.0,
      'clus ternews@linuxnetworx.com'           => -3.0,
      lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
      lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

      # soft-blacklisting (positive score)
      'sender@example.net'                     =>  3.0,
      '.example.net'                           =>  1.0,

    },
  ],  # end of site-wide tables
});

You can of course edit these default lists in amavisd.conf to suit your own site.
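The lookup behind this table, as an added example in Python (not amavisd's code): the regexp list is first-match, and for the hash table amavisd tries a fixed sequence of keys from most to least specific, which is why 'securityfocus.com' matches only that exact domain while '.example.net' also matches its subdomains. The key order below follows amavisd's README.lookups; the small tables and the sample senders are constructed for the demo, and only the score lookup is modelled, not the rest of amavisd's decision logic.

```python
# Added example, not amavisd code: model of the score-type sender lookup.
# The tables are constructed excerpts of the ones in amavisd.conf.
import re

# Regexp table: the first matching pattern wins.
REGEXP_TABLE = [
    (re.compile(r"^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@", re.I), 5.0),
    (re.compile(r"^(inkjetplanet|marketopt|MakeMoney)\d*@", re.I), 5.0),
]

# Hash table. Keys must be lower case, which is why the real table wraps
# mixed-case addresses in lc().
HASH_TABLE = {
    "cert-advisory@us-cert.gov": -3.0,
    "securityfocus.com": -3.0,            # this exact domain only
    "owner-postfix-users@postfix.org": -3.0,
    "sender@example.net": 3.0,            # soft-blacklist one sender...
    ".example.net": 1.0,                  # ...and, mildly, the whole domain tree
}


def hash_keys(address):
    """Keys tried for a hash lookup, most specific first, following
    amavisd's README.lookups: full address, address without +extension,
    the two localpart@ forms, bare domain, .domain and each parent, then '.'."""
    address = address.lower()
    local, _, domain = address.partition("@")
    base = local.split("+", 1)[0]
    keys = []
    for key in (f"{local}@{domain}", f"{base}@{domain}", f"{local}@", f"{base}@"):
        if key not in keys:          # local == base when there is no extension
            keys.append(key)
    if domain:
        keys.append(domain)
        labels = domain.split(".")
        keys += ["." + ".".join(labels[i:]) for i in range(len(labels))]
    keys.append(".")
    return keys


def sender_score(sender, regexp_table=REGEXP_TABLE, hash_table=HASH_TABLE):
    """Score boost for an envelope sender: the tables are consulted in order
    and the first table with a match decides; 0.0 when nothing matches."""
    for pattern, score in regexp_table:
        if pattern.search(sender):
            return score
    for key in hash_keys(sender):
        if key in hash_table:
            return hash_table[key]
    return 0.0


if __name__ == "__main__":
    for s in ("Offers@spam.test", "sender@example.net", "bob@mail.example.net",
              "alerts@securityfocus.com", "alerts@lists.securityfocus.com",
              "owner-postfix-users+tag@postfix.org", "nobody@example.com"):
        print(f"{s:40} {sender_score(s):+.1f}")
```

Two things the run makes obvious: a bare domain key does not cover subdomains, so a list that moves to lists.example.com silently loses its whitelist entry, and an address extension (+tag) is stripped before the exact-address keys are tried.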

tcp_wrappers Problems

Posted by Filed Under Troubleshooting with Comments Off

Mail Does Not Send
A common problem is finding that mail is not going out and that /var/spool/clientmqueue (the sendmail client submission queue) is filling up with files.  If /var is not on a separate filesystem, this can fill the root filesystem and bring the whole server down; how quickly depends on the volume of mail being sent.
Cause of the Problem:
The cause is most often a misconfigured firewall or misconfigured tcp_wrappers.
The firewall should allow connections on port 25 for SMTP, port 143 for IMAP and port 110 for POP3 (and 993 and 995 if you offer the TLS-wrapped variants).  Check that the ports you use are open.
Here is an example of a tcp_wrappers hosts.allow from a working mail server.  Note that this server allows IMAP and SMTP but not POP3.  Two things to keep in mind when writing such rules: tcp_wrappers matches the daemon field against the process name of the service (imapd, pop3d, sendmail), so check the names your binaries actually use; and Postfix itself does not consult hosts.allow at all, its client access control lives in smtpd_client_restrictions.
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the ‘/usr/sbin/tcpd’ server.
#
POSTFIX:       ALL
SMTP:   ALL
IMAP:   ALL

Cannot Create Mailboxes
Even when Cyrus IMAP is set up correctly, there are times when the cyrus user cannot log in to create a mailbox.  If the password is correct, the problem is probably /etc/hosts.allow refusing connections from localhost.  Add this line to /etc/hosts.allow:
ALL: 127.0.0.1

Savemail Panic
If you see the sendmail error "Losing ./qfj54koqLM019255: savemail panic"
or
"savemail: cannot save rejected email anywhere"
add this line to /etc/hosts.allow:
ALL: 127.0.0.1
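As an added example (not from the original post), here is a minimal Python model of the tcp_wrappers decision: first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted. It shows why adding ALL: 127.0.0.1 to hosts.allow fixes the local Cyrus login when hosts.deny says ALL: ALL, and why a network prefix needs its trailing dot. Only the simple client forms are modelled (ALL, exact address, a 192.168.3. prefix, a .example.org suffix, LOCAL); EXCEPT, KNOWN/UNKNOWN/PARANOID and the shell command extensions of hosts_access(5) are not, and the sample files are constructed with real daemon process names.

```python
# Added example, not tcpd/libwrap code: a simplified model of hosts_access(5)
# evaluation. Sample rule files below are constructed for the demo.

ALLOW_SAMPLE = """\
# hosts.allow: the first matching rule grants access
sendmail: ALL
imapd:    ALL
"""
DENY_SAMPLE = "ALL: ALL\n"


def parse_rules(text):
    """'daemon_list : client_list' lines -> [(daemons, clients)]; comments
    and blank lines dropped. IPv6 literals (which contain colons) are not
    handled by this demo parser."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def client_matches(pattern, addr, hostname=""):
    """The simple client patterns of hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                   # any host name without a dot
        return bool(hostname) and "." not in hostname
    if pattern.endswith("."):                # 192.168.3.  => network prefix
        return addr.startswith(pattern)
    if pattern.startswith("."):              # .example.org => domain suffix
        return hostname.endswith(pattern)
    return addr == pattern or hostname == pattern


def rule_matches(rule, daemon, addr, hostname):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr, hostname) for c in clients))


def allowed(daemon, addr, hostname="", allow_text="", deny_text=""):
    """tcpd's decision order: hosts.allow first match grants, else hosts.deny
    first match refuses, else access is granted (so with an empty hosts.deny
    everything not listed in hosts.allow is still let in)."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, addr, hostname):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, addr, hostname):
            return False
    return True


if __name__ == "__main__":
    fixed = ALLOW_SAMPLE + "ALL: 127.0.0.1\n"
    for daemon, addr in (("imapd", "10.0.0.5"), ("pop3d", "10.0.0.5"),
                         ("pop3d", "127.0.0.1")):
        before = allowed(daemon, addr, allow_text=ALLOW_SAMPLE, deny_text=DENY_SAMPLE)
        after = allowed(daemon, addr, allow_text=fixed, deny_text=DENY_SAMPLE)
        print(f"{daemon:8} from {addr:10} allowed: {before!s:5} -> with ALL: 127.0.0.1: {after}")
```

The last assertion in the test below is the one to remember when auditing a host: a hosts.allow with a permissive-looking rule set and no ALL: ALL in hosts.deny denies nothing at all.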

Dropping X-Mailers in Header Checks

Posted by Filed Under Filters with Comments Off

Header checks let Postfix deal with unwanted mail before the rest of the system wastes time on it (the cleanup daemon applies them as the message is received).  Create the file /etc/postfix/header_checks, then add this line to main.cf:

header_checks = pcre:/etc/postfix/header_checks

Each line of the file follows this pattern: a regular expression, then the action to take when it matches:

/^HEADER:.*content_for_review/   ACTION

The header you will usually act on is Subject:, but you can just as well filter on X-Mailer:.  One idea is to DISCARD all mail that claims to come from the bulk mailers spammers typically use.  Here is a list of X-Mailer values you could place in your header_checks file.  REJECT tells the sending system, with a 5xx reply, that the message was refused, which is the right choice for mail that might come from a real user; with these known mailers you probably do not want to tell them anything, so DISCARD claims success and silently drops the message instead.  Keep in mind that Postfix matches pcre patterns case-insensitively by default, that the table is read when the daemons start (run postfix reload after editing it), and that this method is bound to create some false positives, so test it for yourself before you make any final decisions.

# Following is a list of known mass mailer programs.
/^X-Mailer: 0001/                       DISCARD
/^X-Mailer: 007 Direct Email Easy/      DISCARD
/^X-Mailer: Advanced Mass Sender/       DISCARD
/^X-Mailer: Aristotle /                 DISCARD
/^X-Mailer: Aureate Group Mail/         DISCARD
/^X-Mailer: Avalanche/                  DISCARD
/^X-Mailer: commercialmail /            DISCARD
/^X-Mailer: Copia emailFacts /          DISCARD
/^X-Mailer: Crescent Internet Tool/     DISCARD
/^X-Mailer: CyberCreek/                 DISCARD
/^X-Mailer: DiffondiCool/               DISCARD
/^X-Mailer: Dynamic Opt-In Emailer /    DISCARD
/^X-Mailer: DMailer /                   DISCARD
/^X-Mailer: eGroups Message Poster /    DISCARD
/^X-Mailer: E-Mail Delivery Agent/      DISCARD
/^X-Mailer: Emailer Platinum/           DISCARD
/^X-Mailer: E-mail sender /             DISCARD
/^X-Mailer: e-Merge  /                  DISCARD
/^X-Mailer: Entity/                     DISCARD
/^X-Mailer: Extractor/                  DISCARD
/^X-Mailer: Floodgate/                  DISCARD
/^X-Mailer: GMail2 /                    DISCARD
/^X-Mailer: GOTO Software Sarbacane/    DISCARD
/^X-Mailer: Inet_Mail_Out /             DISCARD
/^X-Mailer: jfmailer /                  DISCARD
/^X-Mailer: Mail Bomber /               DISCARD
/^X-Mailer: MailWorkz/                  DISCARD
/^X-Mailer: MassE-Mail/                 DISCARD
/^X-Mailer: MaxBulk.Mailer/             DISCARD
/^X-Mailer: MailKing /                  DISCARD
/^X-Mailer: Mailloop /                  DISCARD
/^X-Mailer: MailXSender /               DISCARD
/^X-Mailer: MassE-Mail /                DISCARD
/^X-Mailer: MultiMailer /               DISCARD
/^X-Mailer: NetMasters SMTP /           DISCARD
/^X-Mailer: Opt-In Lightning /          DISCARD
/^X-Mailer: PersMail /                  DISCARD
/^X-Mailer: PLAUZIUM /                  DISCARD
/^X-Mailer: Power CGI Bulk /            DISCARD
/^X-Mailer: Prospect Mailer /           DISCARD
/^X-Mailer: News Breaker Pro/           DISCARD
/^X-Mailer: SmartMailer/                DISCARD
/^X-Mailer: Sparc12 /                   DISCARD
/^X-Mailer: StormPort/                  DISCARD
/^X-Mailer: SuperMail-2/                DISCARD
/^X-Mailer: Super-Duper-FastMail/       DISCARD
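An added example, not Postfix code: a Python re-implementation of how a pcre header_checks table is applied, so you can see which pattern fires on a given header before you put a DISCARD into production. It makes two pitfalls in the list above visible: a pattern that ends in a space (Aristotle followed by a space) matches only when something follows the name, and an unescaped dot (MaxBulk.Mailer) matches any character. The table excerpt and the sample message are constructed; on the real server the equivalent check is postmap -q "X-Mailer: ..." pcre:/etc/postfix/header_checks.

```python
# Added example, not Postfix code: simulate pcre header_checks matching.
# HEADER_CHECKS is a constructed excerpt; SAMPLE_MESSAGE is constructed.
import re

HEADER_CHECKS = r"""
# Following is a list of known mass mailer programs (excerpt).
/^X-Mailer: Aristotle /                 DISCARD
/^X-Mailer: MaxBulk.Mailer/             DISCARD
/^X-Mailer: MassE-Mail/                 DISCARD
/^Subject: .*viagra/                    REJECT Not wanted here
"""

# /pattern/ then the action word, then optional text (used by REJECT).
LINE = re.compile(r"^/(.*)/\s+(\S+)(?:\s+(.*))?$")


def load_table(text):
    """Parse the table. Postfix pcre tables match case-insensitively unless
    told otherwise, so every pattern is compiled with re.I. Pattern flags
    and escaped slashes inside patterns are not handled by this demo parser."""
    table = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsable header_checks line: {raw!r}")
        pattern, action, text_arg = m.groups()
        table.append((re.compile(pattern, re.I), action, text_arg or ""))
    return table


def check_header(table, header_line):
    """First match wins: (ACTION, text) or None for one logical header."""
    for pattern, action, text_arg in table:
        if pattern.search(header_line):
            return action, text_arg
    return None


def check_message(table, raw_message):
    """Apply the table to each logical header of a raw message (headers end
    at the first blank line). Folded continuation lines are joined first so
    a pattern sees the whole header, as Postfix also matches logical headers.
    Returns (header, (ACTION, text)) for the first hit, or None."""
    head = raw_message.split("\n\n", 1)[0]
    headers = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    for header in headers:
        hit = check_header(table, header)
        if hit:
            return header, hit
    return None


SAMPLE_MESSAGE = (
    "From: a@example.com\n"
    "Subject: buy cheap\n"
    " VIAGRA now\n"
    "X-Mailer: Mutt\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    table = load_table(HEADER_CHECKS)
    for h in ("X-Mailer: Aristotle 2.0", "X-Mailer: Aristotle",
              "X-Mailer: MaxBulkXMailer 1.0", "x-mailer: masse-mail pro"):
        print(f"{h!r:35} -> {check_header(table, h)}")
    print(check_message(table, SAMPLE_MESSAGE))
```

Feed it the headers of mail you have already decided is legitimate: every hit on that set is a false positive the list would have silently discarded.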

Create Users in Cyrus-IMAP

Posted by Filed Under Cyrus-Imap with Comments Off

Create Users
Create the accounts on the system.  Give them /bin/false as their shell so they cannot log in to the server itself; they only need to exist for mail delivery, not for shell access.

A. Create the User
useradd -s /bin/false sue
passwd sue

A common mistake is to forget to provide passwords for these users.

B. Use saslpasswd2 to create a SASL account for the user.
echo linux23 | saslpasswd2 -p -c -u realm sue

Here linux23 is the password you are setting for the user sue; -p makes saslpasswd2 read it from standard input instead of prompting.  Typed interactively like this, the password still lands in your shell history, so for real accounts feed it from a prompt or a protected file.
The realm is the domain that clients authenticate against; saslpasswd2 defaults to the local host name if you omit -u.  If you have no domain, just use a fixed string such as realm (the listing below shows users created with that literal realm name).

Here are the saslpasswd2 options used above:
-p    pipe mode: read the password from standard input
-c    create the user
-d    delete the user
-u    realm (domain) for the user
-f    alternative sasldb file

C. List the users to verify they were created.
Use sasldblistusers2 to list the users stored in sasldb.
List Users Example
Here is an example of the sasldblistusers2 command.  Notice that each user has one entry per mechanism: PLAIN, CRAM-MD5 and DIGEST-MD5.  Because the challenge-response mechanisms need the original password, sasldb stores it in the clear, so keep the database file readable only by root and the cyrus user.

# /usr/sbin/sasldblistusers2
user: cyrus realm: example.org mech: CRAM-MD5
user: tom realm: realm mech: CRAM-MD5
user: cyrus realm: example.org mech: PLAIN
user: tom realm: realm mech: PLAIN
user: tom realm: realm mech: DIGEST-MD5
user: cyrus realm: example.org mech: DIGEST-MD5
You may also want to send a test message to the account to confirm delivery:
echo test |/usr/sbin/sendmail -f root username
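As an added example (not part of the original post or of Cyrus SASL), the Python below wraps the two steps above: it runs saslpasswd2 with the password delivered on standard input only, so the secret never appears in argv or in shell history, and it parses the sasldblistusers2 output to confirm the user exists in the expected realm with every mechanism. The run argument and the dry_run stand-in exist so the logic can be exercised without the binaries installed; the sample listing is constructed.

```python
# Added example, not Cyrus SASL code. Assumes saslpasswd2 and
# sasldblistusers2 are on PATH when run for real; dry_run avoids them.
import re
import subprocess


def saslpasswd2_argv(user, realm=None, create=True, delete=False, sasldb=None):
    """Build the command line. -p reads the password from standard input, so
    it is never part of argv (visible in ps) or of shell history the way an
    interactive `echo secret | saslpasswd2 ...` is. The user id goes last."""
    argv = ["saslpasswd2", "-p"]
    if delete:
        argv.append("-d")
    elif create:
        argv.append("-c")
    if realm:
        argv += ["-u", realm]
    if sasldb:
        argv += ["-f", sasldb]
    argv.append(user)
    return argv


def dry_run(argv, **kwargs):
    """Stand-in for subprocess.run: touches no sasldb, succeeds, and checks
    that the secret arrived on stdin rather than on the command line."""
    if "input" not in kwargs or not kwargs["input"].endswith("\n"):
        raise AssertionError("password must be passed on stdin, newline-terminated")
    return subprocess.CompletedProcess(argv, 0, stdout="", stderr="")


def add_sasl_user(user, password, realm=None, sasldb=None, run=subprocess.run):
    """Create (or reset) a sasldb user; the password travels via stdin only.
    Returns the argv that was executed."""
    argv = saslpasswd2_argv(user, realm=realm, sasldb=sasldb)
    result = run(argv, input=password + "\n", text=True, capture_output=True)
    if result.returncode != 0:
        raise RuntimeError(f"saslpasswd2 failed: {result.stderr.strip()}")
    return argv


LISTING_RE = re.compile(r"^user:\s*(\S+)\s+realm:\s*(\S+)\s+mech:\s*(\S+)$")


def parse_listing(text):
    """sasldblistusers2 output -> {(user, realm): {mechanisms}}."""
    entries = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            user, realm, mech = m.groups()
            entries.setdefault((user, realm), set()).add(mech)
    return entries


def verify_user(listing, user, realm,
                required=("PLAIN", "CRAM-MD5", "DIGEST-MD5")):
    """True when the user exists in that realm with all expected mechanisms,
    which is what a freshly created entry looks like."""
    return set(required) <= listing.get((user, realm), set())


# Constructed listing, shaped like the sasldblistusers2 output above.
SAMPLE_LISTING = """\
user: cyrus realm: example.org mech: CRAM-MD5
user: tom realm: realm mech: CRAM-MD5
user: cyrus realm: example.org mech: PLAIN
user: tom realm: realm mech: PLAIN
user: tom realm: realm mech: DIGEST-MD5
user: cyrus realm: example.org mech: DIGEST-MD5
"""

if __name__ == "__main__":
    import getpass
    secret = getpass.getpass("password for sue: ")   # never on the command line
    print(add_sasl_user("sue", secret, realm="example.org", run=dry_run))
    listing = parse_listing(SAMPLE_LISTING)
    print("tom ok:", verify_user(listing, "tom", "realm"))
    print("sue ok:", verify_user(listing, "sue", "example.org"))
```

Swap dry_run for the default subprocess.run on the real server; the verify step is worth keeping in a provisioning script because a typo in the realm produces a user that exists in sasldb but can never authenticate.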

Introduction to TLS and SSL

Posted by Filed Under Dovecot with 1 Comment

TLS, Transport Layer Security, is the encryption protocol that grew out of SSL, Secure Sockets Layer; TLS 1.0 was defined as the successor to SSL 3.0, and implementations long offered backward compatibility with the SSL versions.  Both encrypt the communication between clients and servers, which is necessary whenever sensitive information, passwords or card numbers for instance, crosses the network.  The OpenSSL project, http://openssl.org, develops the cryptography library that implements SSL v2/v3 and TLS.  SSL v2 and v3 are broken and should be disabled on any server you run today; offer TLS only.

What the Process of TLS or SSL Provides
1. Authentication – the server presents a certificate and the client verifies it: that it is valid, that its name matches the server the client meant to reach, and that it was issued by a certificate authority (CA) the client trusts.  The client holds a list of trusted CAs for this purpose.
2. Verification of the user – optionally the client is authenticated the same way, presenting its own certificate for the server to check; most mail setups skip this and authenticate the user with a password inside the encrypted session instead.
3. Encryption – everything exchanged between client and server after the handshake is encrypted and protected against tampering.

Installation of TLS or SSL Communication
At times it is important to encrypt the communication between server and client to protect the data in transit.  On Apache, SSL/TLS is enabled with the mod_ssl module; once enabled, secure communication takes place on port 443, with https:// in the browser.  For IMAP the same TLS protocol is used, either wrapped around the whole connection on port 993 (IMAPS) or negotiated with STARTTLS on the normal port 143; the protocol is identical, only the port and the way the session is started differ.  The focus here is encryption for Dovecot, so TLS for IMAP is described, not the Apache setup for port 443.
