Contents
Description
SMTP is the mail backbone on the internet. A lot of stuff has been written. Most of this page is about FreeBSD and sendmail.
TLS
We use Letsencrypt fot the TLS in our sendmail configuration. First, get a certificate. We don't gonna tell you how, it's beyond the scope of this page. But your certificate is in /usr/local/etc/letsencrypt/live/<SMTP-HOSTNAME>/. Change the default configuration in /etc/mail/<HOSTNAME>.mc to:
define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/<SMTP-HOSTNAME>')dnl define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl define(`confCACERT', `CERT_DIR/chain.pem')dnl define(`confCACERT_PATH', `CERT_DIR')dnl define(`confDH_PARAMETERS', `CERT_DIR/dh_4096.param')dnl
And at the end of the configfile:
LOCAL_CONFIG O CipherList=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE -SSL_OP_LEGACY_SERVER_CONNECT -SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1
Letsencrypt don't give you a DH file, so lets make one in /usr/local/etc/letsencrypt/live/<SMTP-HOSTNAME>/:
$ openssl dhparam -out dh.param 4096 Generating DH parameters, 4096 bit long safe prime, generator 2 This is going to take a long time .............................. <snip> ........................++*++*++*
Then run make and make install in /etc/mail. After this has been done, only a restart is necessary, service sendmail restart
SPF
SPF records are TXT records. In the past the SPF record type was used, but now it's just TXT. It will describe where the email will originated from, and only for the domain the record is made for. Not for the subdomains! It's not inherent. Make an extra record for them.
An example for a SPF record is:
lists.example.org. 3600 TXT "v=spf1 a include:_spf.google.com ~all"
There are several options.
Options |
Description |
all |
Matches all local and remote IPs and goes at the end of the SPF record. Example: "v=spf1 +all" |
ip4 |
Specifies a single IPv4 address or an acceptable IPv4 address range. A mask of /32 is assumed if no prefix-length is included. Example: "v=spf1 ip4:192.168.0.1/16 -all" |
ip6 |
Same concept found in ip4, but, obviously, with IPv6 addresses, instead. If no prefix-length is given, /128 is assumed (singling out an individual host address). Example: "v=spf1 ip6:1080::8:800:200C:417A/96 -all" |
a |
Specifies all IPs in the DNS A record. Example: "v=spf1 a:domain.com -all" |
mx |
Specifies all A records for each host's MX record. Example: "v=spf1 mx mx:domain.com -all" |
ptr |
Specifies all A records for each host's PTR record. Example: "v=spf1 ptr:domain.com -all" |
exists |
Specifies one or more domains normally singled out as exceptions to the SPF definitions. An A query is performed on the provided domain; if a result is found a match occurs. Example: "v=spf1 exists:domain.com -all" |
include |
Specifies other domains that are authorized domains. Example: "v=spf1 include:outlook.microsoft.com -all" |
And every option has his qualifier.
Qualifier |
Description |
+ |
Pass = The address passed the test; accept the message. Example: "v=spf1 +all" |
- |
(Hard) Fail = The address failed the test; bounce any e-mail that does not comply. Example: "v=spf1 -all" |
~ |
Soft Fail = The address failed the test, but the result is not definitive; accept & tag any non-compliant mail. Example: "v=spf1 ~all" |
? |
Neutral = The address did not pass or fail the test; do whatever (probably accept the mail). Example: "v=spf1 ?all" |
The record is evaluated from left to right. More info on the site of Digital Ocean
DMARC
DKIM
DANE
DANE is a replacement for the whole CA problems like Diginotar. You need a DNS with DNSSEC enabled. You can use https://www.huque.com/bin/gen_tlsa to generate a TLSA record.
Checking
Ways to check your mailserver.
Manual SMTP session
You can telnet to your mailserver and send an email by hand. See also https://www.atmail.com/blog/smtp-101-manual-smtp-sessions/
telnet smtp.domain.tld 25 HELO sciuro.org MAIL FROM: test@sciuro.org RCPT TO: bo.ter.ham@domain.tld DATA From: test@example.org To: Bo Ter Ham <bo.ter.ham@domain.tld> Subject: Testmail checking SPF Hi. This is a test mail for checking is SPF is properly configured. Bye! .
Postfix snippets
find-senders-to.sh
set -Eeuo pipefail TO_ADDR=$1 LOGFILES="/var/log/mail.log*" LOOKBEHIND=20 # Lines while IFS= read -r -d '^' segment; do id="$(echo "$segment" | grep "to=<$TO_ADDR>" | awk '{print $6}' | cut -d ':' -f 1 | head -n 1)" from="$(echo "$segment" | grep -oP "$id: from=<\K.*?(?=>)")" [ -z "$from" ] && from='<>' echo "$id: from=$from to=$TO_ADDR" done < <(zgrep "to=<$TO_ADDR>" $LOGFILES -B "$LOOKBEHIND" --group-separator=^)
relay-flush.sh
set -Eeuo pipefail MIN_AGE="${MIN_AGE:-120}" RELAYHOST="${RELAYHOST:smtp.mail.org}" DRYRUN="${DRYRUN:-false}" SILENT="${SILENT:-false}" POSTFIX_CONFIG="${POSTFIX_CONFIG:-/etc/postfix/main.cf}" function enable_relay () { sed -ie "s/^relayhost \?=.*/relayhost = $RELAYHOST/g" "$POSTFIX_CONFIG" systemctl reload postfix.service echo "Relay '"$RELAYHOST"' enabled!" } function disable_relay () { sed -ie "s/^relayhost \?=.*/relayhost =/g" "$POSTFIX_CONFIG" systemctl reload postfix.service echo "Relay disabled." } function get_messages () { # Only select the first line for each message queue="$(/sbin/postqueue -p | grep -P '\w{3} \w{2,3} \d{1,2} \d\d:\d\d:\d\d \S*@\S*.\S' || echo '')" # Filter out active messages (id appended with '*') queue="$(echo "$queue" | grep -v '*' || echo '')" current_timestamp="$(date '+%s')" while IFS= read -r line do [ "$line" == '' ] && continue line_timestamp="$(echo "$line" | awk '{print $4, $5, $6}' | date -f - '+%s')" line_queue_id="$(echo "$line" | awk '{print $1}')" if (( "$current_timestamp" - "$line_timestamp" < "$MIN_AGE" )); then skip_messages+=("$line_queue_id") continue fi flush_messages+=("$line_queue_id") done <<< "$queue" } function flush_messages () { messages=("$@") echo "Flushing ${#messages[@]} messages.." for id in "${messages[@]}" do if [ "$DRYRUN" == 'true' ]; then echo "$id would have been flushed" else /sbin/postqueue -vi "$id" 2>&1 | grep flush_send_file | grep status fi done } function wait_until_flushed () { echo 'Waiting for flush to finish...' active_messages=1 while [ "$active_messages" -gt 0 ] do sleep 1 active_messages="$(/sbin/postqueue -p | { grep '*' || true; } | { grep -v 'Mail queue is empty' || true; } | wc -l )" echo "$active_messages messages remaining" done } function flush_stale_messages () { echo "== Flush stale messages ==" flush_messages=() skip_messages=() echo "Getting messages.." get_messages if [ "${#flush_messages[@]}" -eq 0 ]; then echo "No messages to be flushed" else if [ "$DRYRUN" != 'true' ]; then enable_relay flush_messages "${flush_messages[@]}" wait_until_flushed disable_relay else flush_messages "${flush_messages[@]}" fi fi if [ "${#skip_messages[@]}" -ne 0 ]; then echo "${#skip_messages[@]} messages were not flushed" fi } function flush_all_messages () { echo "== Flush all messages ==" if [ "$DRYRUN" != 'true' ]; then enable_relay /sbin/postqueue -f wait_until_flushed disable_relay else echo "flush-all has no dryrun option" fi } function help () { echo "Usage: $0 [OPTIONS] [<mode>]" echo "Description of what this command does" echo " <mode> (stale|all|relay|norelay). Default = stale" echo " stale: Flush stale messages (older than AGE) to relay" echo " all: Flush all messages to relay" echo " relay: Route mail through relay, don't flush" echo " norelay: Don't route mail through relay, don't flush " echo "" echo " -a Minimum message age in seconds. Messages younger than AGE are not flushed. Default: $MIN_AGE" echo " -r Relay host. Specify a relay host to flush messages to. Default: $RELAYHOST" echo " -d Dry-run. Don't actually flush messages" echo " -s Silent. Only show errors" echo " -h display this output" exit 1 } while getopts ':a:r:sdh' opt ; do case "$opt" in a) MIN_AGE="${OPTARG}";; r) RELAYHOST="${OPTARG}";; d) DRYRUN='true';; s) SILENT='true';; h) help ;; :) echo "$0: Must supply an argument to -$OPTARG." >&2 exit 1 ;; ?) echo "Invalid option: -${OPTARG}." exit 2 ;; esac done mode=${@:$OPTIND:1} # Prefix STDOUT, STDERR, handle silent mode if [ "$SILENT" != 'true' ]; then exec > >(awk '{ print strftime("[%Y-%m-%d %H:%M:%S]"), $0 }') else exec >/dev/null fi exec 2> >(awk '{ print strftime("[%Y-%m-%d %H:%M:%S] ERROR:"), $0 }' >&2) trap '{ echo "Exited with error!"; }' ERR if [ "$DRYRUN" == 'true' ]; then echo "Dry-run mode!" else if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi fi case "$mode" in '') flush_stale_messages;; 'stale') flush_stale_messages;; 'all') flush_all_messages;; 'relay') enable_relay;; 'norelay') disable_relay;; ?) echo "Invalid mode: $mode" help ;; esac
oneliners
# Retry all mail for yahoo.com postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } /@yahoo\.com/ { print $1 }' | tr -d '*!' | while IFS= read -r line; do postqueue -i "$line"; done # List delays grep delay mail.log | awk '{print $9}' | sed -e 's/delay=//g' -e 's/,//g' | sort -n # List delays for messages sent to outlook grep mail.protection.outlook.com mail.log | grep -v 'Server busy' | awk '{print $9}' | sed -e 's/delay=//g' -e 's/,//g' | sort -n # List receive time + id for outlook mails postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } /outlook\.com/ { print $6,$1 }' | sort -n # Show how many times a mail is send/deferred sorted on domain grep outlook.com /var/log/mail.log | grep 'status=' | grep 'Jun 8' | awk '{print $6,$7,$12 }' | sed -e 's/to=<.*@//g' -e 's/>//g' | sort -t " " -k2 | uniq -c | less # Send and deferred mails per domain grep outlook.com mail.log | grep 'status=' | grep 'Jun 8' | awk '{print $6,$7,$12 }' | sed -e 's/to=<.*@//g' -e 's/>//g' | sort -t " " -k2 | uniq -c | awk '{print $3,$4}' | sort | uniq -c # Count all mails (from one day) grep 'Jun 9' /var/log/mail.log | grep to= | awk '{print $6, $7}' | sed -e 's/to=<.*@//g' -e 's/>,//g' | sort | uniq | wc -l # Count of mails to outlook grep 'Jun 9' /var/log/mail.log | grep to= | grep outlook.com | awk '{print $6, $7}' | sed -e 's/to=<.*@//g' -e 's/>,//g' | sort | uniq | wc -l # Look for bounced mails grep status=bounced /var/log/mail.log | grep -v "Recipient address rejected\|reach does not exist\|Host or domain name not found.\|' not known (\|mailbox unavailable\|User Unknown\|This mailbox is disabled\|All recipient addresses rejected\|#5.1.0 Address rejected." | less # Show flushed messages grep queue_id /var/log/relay-flusher/script.log | awk '{print $6}' | while IFS= read line; do sudo grep "$line" /var/log/mail.log | grep 'from=\|to=' | awk '{print $6,$7}' | sort -u | awk '{print $2}' | tr '\n' ' ' ; echo ; done # Generate top 'FROM' adresses grep "from=<" /var/log/mail.log > /tmp/from_lines.txt while IFS= read -r qid; do grep "$qid from=" /tmp/from_lines.txt | awk '{print $7}'; done < <(grep status=sent /var/log/mail.log | awk '{print $6}') > top_from_adresses.txt sort top_from_adresses.txt | uniq -c | sort -n > top_from_adresses qshape deferred postqueue -p | less # Force expire & flush all gmail 'mailbox full' messages while IFS= read -r id; do sudo postsuper -f "$id" && postqueue -i "$id"; done < <(mailq | grep "The email account that you tried to reach is over quota." -B 1 --no-group-separator | grep -v "The email account that you tried to reach is over quota." | awk '{print $1}' | grep -v '^.*#$')