Difference between revisions of "Mail Service"
(Letsencrypt cert renewal) |
|||
| Line 10: | Line 10: | ||
* Users have the option to use [[spamassassin]] for spam filtering. | * Users have the option to use [[spamassassin]] for spam filtering. | ||
* [[Lists Service]] | * [[Lists Service]] | ||
| + | |||
| + | === Renewing TLS certificates === | ||
| + | |||
| + | Automation is not set up at the moment and there is no incoming https, so you have to do a little work. | ||
| + | |||
| + | # Have two terminals, one on the DNS server, one of the mail server. | ||
| + | # On the DNS server, open the <code>db.tardis</code> zonefile and update the date. Go to the bottom of the file where the certificate update challenges are. | ||
| + | # On the mail server, run <code>certbot certonly --manual --cert-name isolus.tardis.ed.ac.uk --preferred-challenges=dns</code> | ||
| + | # certbot will give you the new challenges to add to the zonefile (annoyingly, one at a time). '''Don't hit return after the last one yet!''' | ||
| + | # Save the zonefile and restart bind9. | ||
| + | # Commit the new zonefile to git. | ||
| + | # Hit return in certbot to get the new certificates. | ||
| + | # Restart dovecot and postfix on the mail server. | ||
== Handling spam == | == Handling spam == | ||
Latest revision as of 14:57, 17 November 2020
The content is likely to be incomplete or incorrect.
Contents
Current setup
- The main mail server is on isolus, a virtual host.
- We're using postfix as our MTA, and the default MDA is maildrop.
- We greylist
- We also use the janet rbl
- Users have the option to use spamassassin for spam filtering.
- Lists Service
Renewing TLS certificates
Automation is not set up at the moment and there is no incoming https, so you have to do a little work.
- Have two terminals, one on the DNS server, one of the mail server.
- On the DNS server, open the
db.tardiszonefile and update the date. Go to the bottom of the file where the certificate update challenges are. - On the mail server, run
certbot certonly --manual --cert-name isolus.tardis.ed.ac.uk --preferred-challenges=dns - certbot will give you the new challenges to add to the zonefile (annoyingly, one at a time). Don't hit return after the last one yet!
- Save the zonefile and restart bind9.
- Commit the new zonefile to git.
- Hit return in certbot to get the new certificates.
- Restart dovecot and postfix on the mail server.
Handling spam
Stop it quickly. Stop all mail from leaving the queue.
- ssh into the mail host (see above)
- Stop postfix by doing
postfix stop
Determine who is spamming
- ssh into the mail host (see above)
- Read
/var/log/mail.logby doingtail -f /var/log/mail.logor usingless - Determine who is sending the spam by looking for:
- The
uidin apickupline - The
sasl_usernamein asmtpdline
- The
Please be careful that you understand the log messages before taking action. From addresses are trivially faked. You need to track the 11 character hex identifier across multiple log lines.
Stop mail from going into the queue
- Log in to the gateway server, and change their password to something very random (
sudo passwd <username>) - Now more spam mail cannot be sent through that user (because nobody can access the account).
Clear all mail in the queue being sent from that user
- ssh into the mail host (see above)
- Edit the
purge.shscript in the root folder of the mail host - Change the username in the script.
- Run the script (in a screen, possibly)
- Check
tail -f /var/log/mail.logfor "removed" messages to confirm the queue is being purged.
Wait for the queue to be purged, and put things back to how they were
- When
tailstops saying things are being removed (or when the processawkfinishes) we need to put things back to how they were before. - Start postfix by doing
postfix start(only do this when the queue is done being purged.)
Usage Guide
Tardis currently supports the following methods of accessing your email account:
- POP3
-
- Server:
pop.tardis.ed.ac.uk - Secure Connection: TLS or SSL
- Username: Your Tardis username
- Server:
- IMAP
-
- Server:
imap.tardis.ed.ac.uk, - Secure Connection: TLS or SSL
- Username: Your Tardis username
- Server:
- Webmail
- We provide RoundCube Webmail at https://webmail.tardis.ed.ac.uk
- Via SSH
- mutt and pine are both currently available on the shell server at
ssh.tardis.ed.ac.uk.
- Mail Submission
- You can now send mail via Tardis' SMTP server from the outside world.
- Configuration details:
- Server: mailhost.tardis.ed.ac.uk
- Secure Connection: TLS
- Server port: 587
- Username: Your Tardis username
You may need to install the CAcert Root certificate if you get mail server certificate warnings every time you connect.
Delivery and Filtering
Mail can be delivered by procmail or maildrop, (default) and can be spam filtered by spamassassin. Support documentation for these applications are currently unavailable, but hopefully will be soon. Before contacting us, we ask that you consult the man page and online documentation for each application.
Troubleshooting
- IMAP can fail to connect if you've deleted your Maildir folder. To recreate it, run maildirmake Maildir in your home directory on Vortis.
Admin
To change aliases (eg sysmans): edit /etc/aliases, run `newaliases`
To change virtual lookup tables (eg gamesoc emails): edit /etc/postfix/virtual, run `postmap /etc/postfix/virtual`
Breaking mail loops
(To prevent most of the loops between ecartis and majordomo installations any mail to listar@tardis or majordomo@tardis which came from majordomo-owner@... is now sent to support instead, using a small procmail filter.)
Suppose ecartis gets into a bunfight with majordomo-owner@example.com, replying to each other's automated messages. We can break the loop by instructing postfix to hold messages from majordomo-owner@example.com and delete the offending message. To put the mail on hold, edit /etc/postfix/access on the mail host, adding a line like:
majordomo-owner@example.com HOLD mail loop
The bit after HOLD is just a human-readable reason for putting the mail on hold which gets put in our logs. Then run
postmap access
to get postfix to pick up the change.
When a mail arrives, it gets put in the special hold queue. You can then check that the message isn't legitimate mail with postcat, and delete it with postsuper:
root@mccoy:/etc/postfix# cd /var/spool/postfix/hold/ root@mccoy:/var/spool/postfix/hold# ls -R [...] ./8: 886702B036 [...] root@mccoy:/var/spool/postfix/hold# postcat 8/886702B036 [The message, plus a bit of header info...] root@mccoy:/var/spool/postfix/hold# postsuper -d 886702B036 hold
If it's real mail, you can release it with postsuper -H 886702B036.
You can remove the hold from access now, but remember to run postmap so that postfix notices.
Whitelisting and blacklisting
If mail from an external source is being rejected by postfix (say, because they've got themselves listed in the RBL), they can be whitelisted so that we can get mail from them anyway. To whitelist by the claimed sender address, add an entry to /etc/postfix/access. To whitelist by the hostname, IP address and such like, use /etc/postfix/clientaccess. The entry should be followed by OK, and postmap run to recreate the database file. Then postfix will consult the new database file automatically.
You can also blacklist addresses and hosts using these files. Consult the files for details.
Webmail
Webmail (horde2) is available from webmail.tardis.ed.ac.uk. It depends on /etc/init.d/imapproxy running on azal. If IMAP on boe is not functioning, this service will eventually kill itself and webmail will start rejecting logins. In this case, restart it with:
/etc/init.d/imapproxy restart
Wish list
Amongst other things, we really really really need a better mailing list whatnot than ecartis. It occasionally completely garbles emails, and it doesn't seem to support attachments. It'd also be nice to have something that could perhaps pull userlists out of ldap? (Consider allusers, sysmans).See Lists Service
- Perhaps we should use spamhaus instead of or in addition to RBL+?
