setup_basic_mailserver_with_postfix_dovecot_sieve

Differences

This shows you the differences between two versions of the page.

setup_basic_mailserver_with_postfix_dovecot_sieve [02.01.2020 09:01] – [future improvements] Pascal Sutersetup_basic_mailserver_with_postfix_dovecot_sieve [20.03.2021 07:47] (current) – [add a new domain] Pascal Suter
Line 65: Line 65:
 to make sure letsencrypt will restart all our servers once the ssh keys change, we need to add this:  to make sure letsencrypt will restart all our servers once the ssh keys change, we need to add this: 
 <code> <code>
-echo -e "\npost-hook = service postfix restart service dovecot restart ; service apache2 restart" >> /etc/letsencrypt/cli.ini+cat > /etc/letsencrypt/renewal-hooks/post/restart_services.sh <<EOF 
 +#!/bin/bash 
 +service postfix restart 
 +service dovecot reload 
 +service apache2 reload 
 +EOF 
 +chmod +x /etc/letsencrypt/renewal-hooks/post/restart_services.sh 
 </code> </code>
  
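Review bot: the new script is placed in ''renewal-hooks/post'', which certbot runs after every renewal attempt, including failed ones, so postfix is restarted even when no certificate changed; putting it in ''/etc/letsencrypt/renewal-hooks/deploy/'' would run it only after a certificate was actually renewed. The script restarts postfix but only reloads dovecot and apache2; either say why or use the same action for all three. The context sentence above the block still says "ssh keys" where the TLS certificates are meant, and readers who followed the previous revision should be told to remove the old ''post-hook'' line from ''/etc/letsencrypt/cli.ini''.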
Line 468: Line 475:
   * once all these settings where done, i had to login to the filter via ssh and **manually restart postfix**. otherwise postfix would bind port 25 to 127.0.0.1 only. i guess rebooting the entire filter would fix this issue as well.   * once all these settings where done, i had to login to the filter via ssh and **manually restart postfix**. otherwise postfix would bind port 25 to 127.0.0.1 only. i guess rebooting the entire filter would fix this issue as well.
  
-==== future improvements ==== +==== tag and deliver spam instead of quarantine ==== 
-=== Bayesian learning by moving mail to junk folder === +I'm not sure I or my users would be happy with waiting for reports to find out why a recently sent mail did not reach them. after all it'always a good feeling if you can tell someone on the phone that you didn't find their email in your spam folder either, to convince them that they might have had a typo in your email address :) .. 
-in order for proxmox'Bayesian filter to learn and start working you need to provide spam and ham mails. to do this, one needs to copy spam that passed the filter to a temporary location on the proxmox mail gateway and then tell the Bayesian filter that this is spam. it needs at least 200 spam and ham mails to start working. ideallywe should be able to do this by simply moving an email to the spam folder on our imap account and the email should then be submitted to the bayesian filter of PMG automatically.. +
  
-some information i will need to do this:  +First you need to make sure that spam is no longer quarantined but instead marked and forwarded
-  * the command on PMG to submit a ham or spam to the learning system is <code>sa-learn --spam filename</code> +
-  * a solution on how to use imap sieve filters to trigger a bash script when a mail is moved into a specific folder can be found in the [[https://workaround.org/ispmail/buster/filtering-out-spam-with-rspamd-2/|all mighty ISPmail tutorial]]+
  
-=== tag and deliver spam instead of quarantine === +you can either mark an email by modifying its subject or by adding header element.i don't like changing the visible part of the email messageso i opted to go for an additional header field that marks spam
-I'm not sure I or my users would be happy with waiting for reports to find out why recently sent mail did not reach themafter all it's always a good feeling if you can tell someone on the phone that you didn't find their email in your spam folder either, to convince them that they might have had a typo in your email address :) .+
  
-i've started this alreadyFirst you need to make sure that spam is no longer quarantined but instead marked and forwarded+to create it, go to the ''Mail Filter-->Action Objects'' page in the PMG web-interface and add a new action object of the ''Header Attribute'' typestart the header atribute with ''x-'' and choose something meaningful.. i went for ''x-spam-mail:yes'' 
  
-in the PMG web interface click on ''Mail Filter'' in the left column. you will now see a list of all active or inactive mail filters. by selecting a filter, you can then see on the right hand side column which actions will be executed. you can simply remove the Quarantine action from the active ones and then drag and drop the "Modify subject" up to activate it. +next we need to make sure that all spam mail is tagged with this header field instead of quarantined.   
 + 
 +in the PMG web interface click on ''Mail Filter'' in the left column. you will now see a list of all active or inactive mail filters. by selecting a filter, you can then see on the right hand side column which actions will be executed. you can simply remove the Quarantine action from the active ones and then drag and drop the newly created action object to the active actions or click the + sign to add it. 
  
 now on to your postfix mail server.. we need to add a global sieve rule to dovecot that will move spam into a spam folder.. edit ''/etc/dovecot/conf.d/90-sieve.conf'' and look for "sieve_after" templates.. add a new line after those that looks like this:  now on to your postfix mail server.. we need to add a global sieve rule to dovecot that will move spam into a spam folder.. edit ''/etc/dovecot/conf.d/90-sieve.conf'' and look for "sieve_after" templates.. add a new line after those that looks like this: 
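Review bot: the rewritten paragraph says to remove the Quarantine action "from the active ones" after "selecting a filter" but never names the rule, so a reader can just as easily strip quarantine from a virus or attachment rule; name the spam rule explicitly and state that the other rules stay untouched. The action object is given as one string, ''x-spam-mail:yes''; stating the header field and its value separately would make it obvious that both have to match the sieve test on the mailserver. Typos in the added lines: "it'always", "element.i", "typestart", "atribute".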
Line 492: Line 497:
 require ["fileinto","mailbox"]; require ["fileinto","mailbox"];
  
-if header :contains "X-SPAM-LEVEL" {+if header :contains "x-spam-mail" "yes" {
  fileinto :create "INBOX.Junk";  fileinto :create "INBOX.Junk";
  stop;  stop;
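Review bot: on the changed ''if header'' line, '':contains'' is a substring match, so any value that merely contains "yes" files the message into Junk; since the gateway sets the value to exactly ''yes'', '':is'' is the tighter test: ''if header :is "x-spam-mail" "yes" {''. The rule also acts on the header no matter who set it, so it only means "PMG classified this as spam" if all inbound mail reaches dovecot through the gateway; worth one sentence next to the rule.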
Line 498: Line 503:
 EOF EOF
 </code> </code>
-** this filter won't compile.. i need to fix this!** 
 now compile the sieve filter:  now compile the sieve filter: 
   sievec /etc/dovecot/sieve-after/spam-to-folder.sieve   sievec /etc/dovecot/sieve-after/spam-to-folder.sieve
 +lastly restart dovecot to re-read the config we altered bove 
 +  systemctl restart dovecot 
 +to test, send an email from outside to your mail account with the following line in the body: 
 +<code>
 +XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
 +</code>
 +
 +==== future improvements ====
 +=== Bayesian learning by moving mail to junk folder ===
 +in order for proxmox's Bayesian filter to learn and start working you need to provide spam and ham mails. to do this, one needs to copy spam that passed the filter to a temporary location on the proxmox mail gateway and then tell the Bayesian filter that this is spam. it needs at least 200 spam and ham mails to start working. ideally, we should be able to do this by simply moving an email to the spam folder on our imap account and the email should then be submitted to the bayesian filter of PMG automatically.. 
 +
 +some information i will need to do this: 
 +  * the command on PMG to submit a ham or spam to the learning system is <code>sa-learn --spam filename</code>
 +  * a solution on how to use imap sieve filters to trigger a bash script when a mail is moved into a specific folder can be found in the [[https://workaround.org/ispmail/buster/filtering-out-spam-with-rspamd-2/|all mighty ISPmail tutorial]]
 +
  
 ==== adjustments to postfix settings on our mailserver ==== ==== adjustments to postfix settings on our mailserver ====
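Review bot: the added test step ends at pasting the GTUBE line and does not say what a pass looks like; add that the message should arrive in ''INBOX.Junk'' carrying the ''x-spam-mail'' header, and that the PMG tracking center is where to look if it does not. In the same block "bove" should be "above", and the ''sa-learn'' bullet in the moved "future improvements" section promises "ham or spam" but shows only ''--spam''; list ''sa-learn --ham filename'' next to it.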
Line 518: Line 537:
  
 you can see all attempts that where blocked by geylisting if you go to the tracking center and check the "Include Greylist" search option, then click search.  you can see all attempts that where blocked by geylisting if you go to the tracking center and check the "Include Greylist" search option, then click search. 
 +
 +==== enterprise vs. free ====
 +PMG is free open source software with an optional enterprise subscription. For a private person, the enterprise license is too expensive, but if you use this setup for a production server in a copmany, you might want to consider getting the enterprise subscription, because besides support, it also offers access to an enterprise repository, which contains heavily tested packages whereas the non-subscription repo is kind of the "beta tester" repo, meaning, a new package gets to the no-sub repo first and only after a certain amount of time of successful distribution through the no-sub repos will it enter the enterprise repo. So you either contribute by testing new packages or by paying money :) 
 +
 +by default, PMG comes with the enterprise repo pre-configured which means you won't be able to update if you don't have a subscription. if you want to use the free repo, you need to change your apt configuration: 
 +  rm /etc/apt/sources.list.d/pmg-enterprise.list
 +  echo "deb http://download.proxmox.com/debian/pmg buster pmg-no-subscription" >> /etc/apt/sources.list.d/pmg-no-sub.list
 +
 +as a non-enterprise user you will have to run updates from the command line, while enterprise users can do it from the web-ui IIRC (i am a poor private user ;)) 
 +
 +===== Create new users =====
 +to manage user accounts, login to adminer to edit your ''mailserver'' database. 
 +
 +first make sure the domain is added by checking the ''domains'' table. if the domain does not exist, add it. 
 +
 +make note of the domain id of the domain you want to add a new user for. 
 +
 +to add a new forwarding, make a new entry in the ''aliases'' table, make sure you don't forget to fill in the ''domain_id'' field
 +
 +to add a new user account, make a new entry in the users table. make sure you don't forget to fill in the ''domain_id'' field. leave ''quota'' empty or 0 in order to not enforce a mail box quota. if you want to set a quota, enter the amount of space the mailbox is allowed to use **in bytes**. for the ''password'' field, you need to generate a password hash on the command line of your mailserver. use the command 
 +  dovecot pw -s SHA256-CRYPT
 +and then enter the new password. It will return a SHA hash which you can then enter in the password field. 
 +
 +lastly, to activate the new mail user account, send an email to that address. 
 +
 +===== add a new domain =====
 +to add a new domain to the mail system, complete the following steps: 
 +  - add the domain on the Proxmox Mail Gateway to the "Relay Domains" list
 +  - add the domain to your mailserver database, as mentioned above
 +  - update the DNS records of your domain to point to the mailfitler and also add these entries: <code>
 +autoconfig              IN      CNAME   mail
 +autodiscover            IN      CNAME   mail
 +_dmarc                  IN      TXT     "v=DMARC1; p=quarantine; pct=100"
 +@                       IN      TXT     "v=spf1 mx ~all"
 +00000000._domainkey     IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; ".... copy/paste from PMG
 +</code>you can get the correct entry for he DKIM1 key from your proxmox mail gateway web gui, just go to Configuration --> Mail Proxy --> DKIM and click on the "view DNS record" button, then copy/paste the entry to your bind config. 
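Review bot: the DNS block under "add a new domain" publishes ''p=quarantine; pct=100'' with no ''rua='' address, so an SPF or DKIM mistake on a freshly added domain only shows up as mail landing in recipients' spam folders; add a reporting address (for example ''rua=mailto:postmaster@example.org'', placeholder) and consider starting with ''p=none'' until the reports are clean. In the repo instructions, ''echo ... >> /etc/apt/sources.list.d/pmg-no-sub.list'' appends, so running it twice duplicates the entry; ''>'' avoids that. The password step calls the output "a SHA hash"; say whether the ''{SHA256-CRYPT}'' scheme prefix printed by the command belongs in the ''password'' field as well. Typos: "copmany", "mailfitler", "he DKIM1".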
  • setup_basic_mailserver_with_postfix_dovecot_sieve.1577952098.txt.gz
  • Last modified: 02.01.2020 09:01
  • by Pascal Suter