This is really a follow up article to one I wrote earlier this year but is really applicable to any similar set-up, with some modifications. The only configuration similarity this requires is that mail for all users is stored on the filesystem in the same place, rather than to separate locations i.e. each user having ~/.Maildir.

EncFS

sudo apt-get install encfs

Once installed, you’ll need to make a directory for encrypted and decrypted mail to live.

sudo mkdir /var/mail/encrypted /var/mail/decrypted

You’ll need to set up permissions so your mail user can access the fuse device and the new directories.

For me, this user and group are called vmail but yours may be different.

sudo chgrp mail /var/mail/decrypted
sudo g+rw /var/mail/decrypted
sudo usermod -a -g fuse vmail
sudo chgrp fuse /dev/fuse
sudo chmod g+rw /dev/fuse

Next …

I have built and released an open-source email server in the past for testing send rates and speeds, this project was called SimpleMTA and is available here.

Recently I have rebuilt this project for an internal project at work using the Tornado framework. Sadly this project as a whole cannot be released but a version of this code will be released in the near future.

Until that is released I have launched a new service called blackhole.io

What is blackhole.io?

blackhole.io is a completely open mail relay that forgets anything that is sent to it, meaning there is no auth requirements and no storage of email data within the service. Literally anyone can send anything to it and have it never get delivered.

You can even send commands out of order, meaning you can call the DATA command without ever using HELO, MAIL FROM or RCPT TO …

A simple yet effective method for protecting your mail server from spam is to use greylisting. In simple terms, when an email is received the server will temporarily reject it with a 450 response code claiming that the server is busy, the sending server should then attempt to try to deliver at a later point in time, if enough time has passed the recipient server will then accept the incoming mail and whitelist the send address for a period of time.

This is effective because most spam servers are configured not to retry the send whereas real mail servers generally will retry. This sadly does not protect against spam coming from comprised mail servers or accounts like on Hotmail.com.

Installation

sudo apt-get install postgrey

Configuring Postgrey

By default Postgrey runs on 127.0.0.1:60000, which is the local loopback interface so it is not exposed to the …

This really should be quite a quick and simple post.

I use several tools to protect my mail servers from spam, the most effective of these I’ve found is using external lists in conjunction with reject_rbl_client and reject_rhsbl_client.

+======================+======================================================================================================+ | Service | description | +======================+======================================================================================================+ | zen.spamhaus.org | A single lookup for querying the SBL, XBL and PBL databases. | | | - SBL - Verified sources of spam, including spammers and their support services | | | - XBL - Illegal third-party exploits (e.g. open proxies and Trojan Horses) | | | - PBL - Static, dial-up & DHCP IP address space that is not meant to be initiating SMTP connections | +———————————+———————————————————————————————————————————————————+ | dnsbl.sorbs.net | Unsolicited bulk/commercial email senders | +———————————+———————————————————————————————————————————————————+ | spam.dnsbl.sorbs.net | Hosts that have allegedly sent spam to the admins of SORBS at any time | +———————————+———————————————————————————————————————————————————+ | b1.spamcop.net | IP addresses which have been used to transmit reported email to SpamCop users | +———————————+———————————————————————————————————————————————————+ | rhsbl.ahbl.org | Domains sending spam, domains owned by spammers, comment spam domains, spammed URLs …

This is part 4 of my series on configuring a mail server, please see part one, part two and part three if you’re not familiar with them.

The content of this article was written to work with the previous three articles but should work on any SpamAssassin set-up.

Razor

First off we need to install Razor.

sudo apt-get install razor

Now we need to run three commands to register and configure Razor.

sudo razor-admin -home=/etc/spamassassin/.razor -register
sudo razor-admin -home=/etc/spamassassin/.razor -create
sudo razor-admin -home=/etc/spamassassin/.razor -discover

These 3 commands should be pretty self explanatory, they register Razor, create it’s configuration and discover the Razor servers.

Pyzor

Now we’ll install Pyzor.

sudo apt-get install pyzor

Now we also need to tell Pyzor to discover it’s servers.

pyzor --homedir /etc/mail/spamassassin discover

SpamAssassin

Add the following lines to the end …

This is part 3 of my guide to getting a mail server configured with all the sexy bits to improve deliverability, spam and virus protection.

You can view part 1 here and part 2 here.

The key pair

We need to create a key pair to sign emails with:

.. code-block:: bash
openssl genrsa -out private.key 1024 openssl rsa -in private.key -out public.key -pubout -outform PEM sudo mkdir /etc/dk/ sudo cp private.key /etc/dk/dk.key

Now we can move on to DK and DKIM signing, make sure you keep the public key for later.

DKIM

First we’ll need to install an application to sign our emails.

sudo apt-get install dkim-filter

Once installed we need to configure it, open up /etc/default/dkim-filter, modify the file to look like below replacing <DOMAIN> with the domain you want to sign email from.

DAEMON_OPTS="-l -o X-DomainKeys …

This is part 2 of my series on mail servers on Debian 6/Ubuntu 10.04, it should work on other versions of each though. Part 1 is available here.

SpamAssassin

First off we’ll get SpamAssassin installed and configured.

sudo apt-get install spamassassin

We’ll be configuring SpamAssassin as a daemon that Postfix interfaces with using spamc.

SpamAssassin on Debian and Ubuntu runs as root which is NOT a good thing so we’ll need to make some changes.

We’ll add a group called spamd with GID**5001**.

sudo groupadd -g 5001 spamd

Next we add a user spamd with UID 5001 and add it to the spamd group, as well as set it’s home directory as /var/lib/spamassassin and make sure it has no shell access or SSH access.

sudo useradd -u 5001 -g spamd -s /usr/sbin/nologin -d /var/lib/spamassassin spamd

Now …

This guide is part 1 of what I plan will be a couple of guides that take you through installing a base mail system, SpamAssassin, DKIM and much more. Stay tuned.

This guide was written for Debian 6 but should be the same or similar for Debian 5 and Ubuntu 10.04 and above.

The installation

sudo apt-get install dovecot-imapd postfix sasl2-bin libsasl2-2 libsasl2-modules

Choose “Internet site” when prompted and enter the fully qualified name of your server.

Once all this is done installing we’ll need to make some changes, first off will be Postfix.

Postfix

Open up /etc/postfix/main.cf and add the following to the end of the file

home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks,

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain,

Here we basically tell Postfix to store all email in maildir format in the user’s home directory. We …

I have written a much newer, clearer and better article on DomainKeys signing email `here`_.

About

This guide is a sister to another guide I wrote a while back about how to use DomainKeys Identified Mail (DKIM) with Postfix on Debian, which can be read here - /2010/01/11/dkim-on-debian-with-postfix/.

DomainKeys is an older implementation than DKIM, DKIM is a merge of DomainKeys and Identified Mail. Both DomainKeys and DKIM are used so having both configured is a good idea.

Getting started

Lets start off by installing the dk-filter

sudo apt-get install dk-filter

Once installed you can can create a public and private key set using the commands below, if you’re already using DKIM you can skip this step and just use your already existing key.

openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
sudo mkdir /etc/mail
sudo …

You can get a basic overview on what SPF is, what it’s for and it’s more advanced usages here - http://www.openspf.org/

This article is to give only a basic insight in to how you can use an SPF record to valid mail from your servers.

The DNS

SPF records work from your DNS, it’s really simple. Technically there is a DNS type defined for SPF records as of RFC 4408, but since not all servers recognise this type it also works in the TXT type.

A simple usage of SPF is

v=spf1 a mx -all

Imagine this exists on this domain, syslog.tv. This spf record would mean that ALL AN and MX servers listed in the DNS records of syslog.tv would be valid senders.

The hypen (-) before all means that if the mail appears to be coming from a server that isn …

There is a much newer article on this subject `here`_ and covers DomainKeys and DKIM.

Mail and mail servers have always been my forté if I’m to be honest, my home mail server has been spam free for years now, nothing really gets past due to my love of all things installable and configurable.

Several months ago I started a new job and after a few weeks I was tasked with getting DKIM signing to work on our mail platform, DKIM was semi-new to me, I’d never bothered with anything but SPF before so I figured I’d give it a shot.

At work our servers are Debian based but are the evil that is Ubuntu, strangely though I was able to find an Ubuntu specific article that wasn’t absolute rubbish, which surprised me no end. I was able to get dkim-milter working with Postfix and …