
Sunday, 31 August 2008

Dovecot terminates unexpectedly

Recently my dovecot IMAP server died regularly. In my log files I found the following message:
...
dovecot: 2008-08-31 09:12:50 Fatal: Time just moved backwards by 11 seconds. This might cause a lot of problems, so I'll just kill myself now. http://wiki.dovecot.org/TimeMovedBackwards
...
The wiki describes the cause - the clock of my server is not in sync - but does not offer much help. Usage of ntp is suggested.

Openntpd syncs the system clock but does not slow it down (effectively causing the same problem). ntp offers to slow down the clock with side effects to database and CMS.

Examination of the logfile reveals that webmin runs a time sync just before dovecot's unnatural death. OK, here's the cause.
...
Aug 31 09:13:01 myserver /USR/SBIN/CRON[12345]: (root) CMD (/etc/webmin/time/sync.pl)
dovecot: 2008-08-31 09:12:50 Fatal: Time just moved backwards by 11 seconds. This might cause a lot of problems, so I'll just kill myself now. http://wiki.dovecot.org/TimeMovedBackwards
...
Restarting dovecot right after the time sync will solve the problem. You can do that from the webmin user interface:
System/Scheduled Cron Job/Create a new scheduled cron job
enter
/etc/init.d/dovecot restart
select time right after /etc/webmin/time/sync.pl
and you are done.
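
Added example (not part of the original post): a short Python script that does the log correlation described above instead of doing it by eye. It assumes the two log formats quoted in the post; the backup.sh cron line is constructed sample data and the function names are made up for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the sync.pl and Fatal lines are the ones quoted in
# the post; the backup.sh cron entry is made up to show a non-matching job.
SYSLOG = """\
Aug 31 09:00:01 myserver /USR/SBIN/CRON[12301]: (root) CMD (/usr/local/bin/backup.sh)
Aug 31 09:13:01 myserver /USR/SBIN/CRON[12345]: (root) CMD (/etc/webmin/time/sync.pl)
"""
DOVECOT_LOG = """\
dovecot: 2008-08-31 09:12:50 Fatal: Time just moved backwards by 11 seconds. This might cause a lot of problems, so I'll just kill myself now. http://wiki.dovecot.org/TimeMovedBackwards
"""

CRON_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S*CRON\[\d+\]: \(\S+\) CMD \((.*)\)$")
FATAL_RE = re.compile(r"^dovecot: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Fatal: "
                      r"Time just moved backwards by (\d+) seconds")

def parse_cron(text, year):
    """Return (start_time, command) for every cron CMD line; syslog has no year."""
    jobs = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            jobs.append((ts, m.group(2)))
    return jobs

def find_clock_steppers(syslog, dovecot_log, window=timedelta(seconds=60)):
    """For each Dovecot time-jump Fatal, list cron jobs started around the jump."""
    findings = []
    for line in dovecot_log.splitlines():
        m = FATAL_RE.match(line)
        if not m:
            continue
        logged = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        # The Fatal line carries the already-corrected clock. Adding the step
        # back gives the time as the system saw it just before the jump, which
        # is the clock the cron entry was stamped with.
        before_jump = logged + timedelta(seconds=int(m.group(2)))
        hits = [cmd for ts, cmd in parse_cron(syslog, logged.year)
                if abs(before_jump - ts) <= window]
        findings.append((before_jump, hits))
    return findings

if __name__ == "__main__":
    for before_jump, hits in find_clock_steppers(SYSLOG, DOVECOT_LOG):
        print(before_jump, "->", hits or "no cron job within the window")
```

With the sample lines, 09:12:50 plus the 11 second step gives 09:13:01, which is exactly when cron started the webmin sync job.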

Friday, 21 March 2008

Adding Spamassassin to Postfix

Adding spam protection to Postfix, I installed Spamassassin. The Postfix web documentation describes installing Amavis as this also provides virus protection. I kept it simple by just using Spamassassin as a post queue filter.

First install the package:
sudo apt-get install spamassassin spamc
(You will need the spamassassin client later).

By default, Spamassassin logs into syslog. So you do not need to modify /etc/spamassassin/local.cf. You do need to enable Spamassassin by allowing the spamd daemon to be launched. Modify /etc/default/spamassassin by setting:
ENABLED=1
This will do the trick.

Finally you need to modify /etc/postfix/master.cf. Edit the line:
smtp inet n - - - - smtpd
to
smtp inet n - - - - smtpd -o content_filter=spamassassin
and add:
spamassassin unix - n n - - pipe
  user=nobody argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
to the end of the file (you have to indent lines 2 and 3 in order to maintain the logic of filters). You also might find these lines in different forums. They suggest creating a new user account "spamd". I was reluctant to do this as it broadens the attack surface of the server. Starting Spamassassin with user nobody works perfectly fine.

Start Spamassassin and restart Postfix and there you are.

Tuesday, 11 March 2008

Installing Postfix SMTP server

Actually I installed Postfix before installing Dovecot. However, it took some tweaking to get dovecot running.

By default, postfix installs inboxes into /var/mail in a flat file format. This disallows creation of folder structures in the INBOX. I also run several domains on one server. It is simple to tell postfix to accept any combination of username@domain_x. In operation, this will lead to combinations that are certainly not desirable.

To fix this, I had to set up some domains as virtual domains in /etc/postfix/main.cf:
virtual_alias_domains = my.domain
virtual_alias_maps = hash:/etc/postfix/virtual
I also want to allow for certain typing errors. If someone does not know the correct email address, I consider it convenient to give some support. So I set up aliases in /etc/aliases like:
first.last@my.domain user
f.last@my.domain user
first_last@my.domain user
flast@my.domain user
This usually provides a reasonable catch for misspelled email addresses. The same procedure applies to mail aliases for the virtual domains. However the translation table goes into /etc/postfix/virtual.

I used domain masquerading to conceal mail sent from client computers. They are sent with my main domain:
masquerade_domains = my.domain
Did I already mention I am aware of security? Well, I am. I adjusted which client is allowed to connect:
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client, permit

smtpd_helo_restrictions = permit_mynetworks, reject_unknown_client, reject_invalid_hostname, reject_unknown_hostname, permit_naked_ip_address, reject_non_fqdn_hostname, permit

smtpd_sender_restrictions = permit_mynetworks, reject_unknown_client, reject_invalid_hostname, reject_unknown_hostname, permit_naked_ip_address, reject_non_fqdn_hostname, reject_unknown_sender_domain, reject_non_fqdn_sender, permit

smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_client, reject_invalid_hostname, reject_unknown_hostname, permit_naked_ip_address, reject_non_fqdn_hostname, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_recipient_domain, permit
These restrictions are set in order of Postfix processing. I kept all restrictions in each line in order to catch Windows client behaviour.

Finally, in order to allow dovecot to connect and manipulate my folder structure without limitations, I had to set the mailbox directory:
home_mailbox = Maildir/
I experimented here and it did work. But it never was right. Some mistakes were:

home_mailbox = ~/Maildir/ ... created a directory ~/~/Maildir/ that is hard to cd into.
home_mailbox = /home/%u/Maildir/ ... created a %u directory in /home. As all mailboxes are stored into this directory, this leads to collisions. Not so good.

I am happy with the current setting. A symlink from /var/mail/user to /home/user allows for easy administration.

Finally postfix works as intended, domains are separated correctly, users can store folders in their INBOX and dovecot connects beautifully ;-)

Thursday, 6 March 2008

Installing Dovecot IMAP server

It's time to replace my good old Exchange server with something more open source. Dovecot seemed a pretty stable and secure IMAP server.

Dovecot requires some tweaking. First, the logs are placed into syslog. If you don't like it (like myself) you have to change the location of the logfile. In the configuration file /etc/dovecot/dovecot.conf enter (or change if set):
log_path = /var/log/dovecot.log
This will produce a log file that grows in size without any restriction. I didn't like this so I added a script that rotates the log files on a daily basis:
# dovecot SIGUSR1: Re-opens the log files.
/var/log/dovecot*.log {
  # rotate every day; without this the interval from /etc/logrotate.conf applies
  daily
  missingok
  notifempty
  delaycompress
  compress
  sharedscripts
  postrotate
    /bin/kill -USR1 `cat /var/run/dovecot/master.pid 2>/dev/null` 2> /dev/null || true
  endscript
}
Name this file /etc/logrotate.d/dovecot and place it into the correct directory.

I also changed the greeting string in /etc/dovecot/dovecot.conf to:
login_greeting = *
as I do not want Dovecot to notify every weird spammer about who it is.

There is a caveat in dovecot. If your server adjusts the system time regularly and your system clock runs slightly faster than the NTP server, dovecot will terminate itself with an error message:
dovecot: 2008-03-06 23:59:54 Fatal: Time just moved backwards by 9 seconds. This might cause a lot of problems, so I'll just kill myself now. http://wiki.dovecot.org/TimeMovedBackwards

As the wiki states, there is no easy way around this. I created a cron job to restart dovecot each day at 0:02. If the server terminated, the script will start the daemon. If the server is running, restarting it will not harm the system.

This is a dirty workaround. I shall have to get through to installing ntpd later.

Saturday, 13 October 2007

Migrating Thunderbird nx8220 -> 8510p

I use Thunderbird as my Mail and Calendar client. Main reason for this is that Thunderbird has an excellent spam filter built in. My current settings are:
  • Thunderbird 2.0.0.6
  • Additional address books
  • IMAP and POP connections
  • Extended German dictionary
  • Dictionary switcher 1.1.2
  • Enigmail 0.95.3
  • Lightning 0.5 (2MB version that supports calendar publishing)
  • QuoteColors 0.2.8
  • QuoteCollapse 0.7
  • Signature Switch 1.5.4
Target machine is the HP 8510p. Here are the results:
  • Thunderbird 2.0.0.6 works fine.
    I had trouble maintaining the date format (US format shown, EU format required).
    I installed language-pack-de.
    In .profile I added a line to export LC_TIME=de_AT.utf8. This did the trick.
  • Addressbooks had to be exported on the source machine and re-imported on the target machine. Only the default address book (abook.mab) can be copied.
  • Extended German dictionary went in ok.
  • Dictionary switcher 1.1.2 works fine. Due to installed language pack I see all English and all German settings. This can be awkward but works
  • Enigmail 0.95.0 was installed from the repository (originally I installed a separate xpi). Adding the keys for communication required me to copy the folder .gnupg onto the target machine.
  • Lightning 0.5 could not be installed (32 bit version). Even the 64 bit version crashes the system. Installing Ubuntu package lightning-extension 0.5-0ubuntu4 works. Copied storage.db to get all calendar settings and data.
  • QuoteColors 0.2.8 works fine
  • QuoteCollapse 0.7 works fine
  • Signature Switch 1.4.2 upgraded to 1.5.4 without problem. Added the signatures which I kept in separate files.
Errors I ran into:

I tried to shortcut porting my settings by copying the profile folder. This did not work for several reasons:
  • Some files contain absolute path descriptions
  • The extension folder contained the old 32 bit version of Lightning
  • Thunderbird crashed unexpectedly and non-reproducibly
I resorted to installing a plain vanilla Thunderbird and adding extensions and settings iteratively. There is a detailed description of porting profiles in the Mozilla knowledge base. It helped with migrating address books, key rings and other account settings.

Installing Lightning from the Mozilla download site resulted in reproducible crashes. Installing from the Ubuntu repository solved the issue.