SMTP
Subpages
/postfix
About
Standards
Implementations
Netiquette
Analogue to
Following IETF RFC 2142 (Mailbox Names for Common Services, Roles and Functions), it is recommended to support the following addresses.
Mailbox | Area | Usage
ABUSE | Customer Relations | Inappropriate public behaviour
NOC | Network Operations | Network infrastructure
SECURITY | Network Security | Security bulletins or queries
POSTMASTER | SMTP | Email related messages
HOSTMASTER | DNS | Domain related requests
WEBMASTER | HTTP | Error reports of users regarding web services
PRIVACY | Privacy Security | Privacy violations
ROOT | Administration | General reports, notices generated by hosts
Postmaster and hostmaster in particular are indispensable; these addresses should exist for every domain.
Please see also
Dynamic IPs
Don't run an SMTP server on a dynamic IP. The provider's dynamic address space will almost certainly be listed on a blocklist such as the Spamhaus PBL (see the Spamhaus PBL example for Vodafone dynamic IPs).
An MX on such an address will still receive mail, but you will need an SMTP relay (smarthost) on a static address to deliver to anybody who checks these blocklists (freenet, for example).
FQDN
The system itself must be able to determine its FQDN. According to man 1 hostname:
The recommended method of setting the FQDN is to make the hostname be an alias for the fully qualified name using /etc/hosts, DNS, or NIS.
For example, if the hostname was "ursula", one might have a line in /etc/hosts which reads
1P.ADD.4E.55 ursula.example.com ursula
Preferably this is configured in DNS rather than in /etc/hosts, so get the A and PTR resource records right before starting the system configuration: the name must resolve to the address and the address must resolve back to the same name (forward-confirmed reverse DNS), since receiving MTAs commonly check the HELO/EHLO name and the PTR of the connecting address.
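As an added example that is not part of the original page, a small Python check for the forward-confirmed reverse DNS that the A and PTR records above must satisfy. The lookup functions are injectable: the demo runs offline against constructed tables (the address 192.0.2.25 and the PTR entries are assumptions), while the default arguments query the system resolver.

```python
import ipaddress
import socket

# Constructed sample data for the offline demonstration; names and addresses
# are assumptions, not records taken from the page.
FAKE_A = {"mx1.rockstable.it": ["192.0.2.25"], "ursula.example.com": ["198.51.100.7"]}
FAKE_PTR = {"192.0.2.25": "mx1.rockstable.it", "198.51.100.7": "www.example.com"}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_a(name):
    return FAKE_A.get(name, [])


def real_ptr(ip):
    """Reverse lookup via the system resolver; returns the PTR name or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def real_a(name):
    """Forward lookup via the system resolver; returns a sorted list of addresses."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fcrdns(ip, fqdn, ptr_lookup=real_ptr, a_lookup=real_a):
    """Forward-confirmed reverse DNS check for a mail server.

    Returns (ok, reason). ok is True only if
      1. the PTR of ip equals fqdn (case-insensitive, trailing dot ignored), and
      2. fqdn resolves to a set of addresses that contains ip.
    """
    ipaddress.ip_address(ip)  # raises ValueError on garbage input
    want = fqdn.rstrip(".").lower()
    ptr = ptr_lookup(ip)
    if ptr is None:
        return False, f"no PTR record for {ip}"
    if ptr.rstrip(".").lower() != want:
        return False, f"PTR for {ip} is {ptr}, expected {want}"
    addrs = a_lookup(want)
    if ip not in addrs:
        return False, f"{want} does not resolve back to {ip} (got {addrs or 'nothing'})"
    return True, "forward and reverse DNS agree"


if __name__ == "__main__":
    # Offline demo against the constructed tables; drop the two keyword
    # arguments to check a real host with the system resolver.
    print(fcrdns("192.0.2.25", "mx1.rockstable.it", fake_ptr, fake_a))
    print(fcrdns("198.51.100.7", "ursula.example.com", fake_ptr, fake_a))
```

Run it on the mail host itself as `fcrdns(<public address>, socket.getfqdn())` before the first delivery attempt; a mismatch here is the usual reason for "helo command rejected" style bounces.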
DNS records
Please see DNS#Mail eXchanger (MX)
Autodiscovery
Possibilities:
via DNS, please see DNS#SRV Mail
via an XML file served over HTTPS (Mozilla/Thunderbird autoconfig), as described in the following steps
Create a directory structure
install -d /var/www/autoconfig/mail
Create a file
/var/www/autoconfig/mail/config-v1.1.xml
<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="rockstable.it">
    <domain>rockstable.it</domain>

    <displayName>Rockstable Mail</displayName>
    <displayShortName>RSIT Mail</displayShortName>

    <!-- type=
         "imap": IMAP
         "pop3": POP3
    -->
    <incomingServer type="imap">
      <hostname>mx1.rockstable.it</hostname>
      <port>993</port>
      <!-- "plain": no encryption
           "SSL": SSL 3 or TLS 1 on SSL-specific port
           "STARTTLS": on normal plain port and mandatory upgrade to TLS via STARTTLS
      -->
      <socketType>SSL</socketType>
      <!-- <username>%EMAILLOCALPART%</username> -->
      <username>%EMAILADDRESS%</username>
      <!-- Authentication methods:
           "password-cleartext",
               Send password in the clear
               (dangerous, if SSL isn't used either).
               AUTH PLAIN, LOGIN or protocol-native login.
           "password-encrypted",
               A secure encrypted password mechanism.
               Can be CRAM-MD5 or DIGEST-MD5. Not NTLM.
           "NTLM":
               Use NTLM (or NTLMv2 or successors),
               the Windows login mechanism.
           "GSSAPI":
               Use Kerberos / GSSAPI,
               a single-signon mechanism used for big sites.
           "client-IP-address":
               The server recognizes this user based on the IP address.
               No authentication needed, the server will require no username nor password.
           "TLS-client-cert":
               On the SSL/TLS layer, the server requests a client certificate and the client sends one
               (possibly after letting the user select/confirm one), if available. (Not yet supported by Thunderbird)
           "OAuth2":
               OAuth2. Works only on specific hardcoded servers, please see below.
               Should be added only as second alternative.
           "none":
               No authentication
      -->
      <authentication>password-cleartext</authentication>
      <password>optional: the user's password</password>
    </incomingServer>

    <outgoingServer type="smtp">
      <hostname>mx1.rockstable.it</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType> <!-- see <incomingServer> -->
      <username>%EMAILADDRESS%</username> <!-- if smtp-auth -->
      <!-- smtp-auth (RFC 2554, 4954) or other auth mechanism.
           For values, see incoming.
           Additional options here:
           "SMTP-after-POP":
               authenticate to incoming mail server first
               before contacting the smtp server.
           Compatibility note: Thunderbird 3.0 accepts only "plain",
           "secure", "none", and "smtp-after-pop".
           It will ignore the whole XML file, if other values are given.
      -->
      <authentication>password-cleartext</authentication>
      <!-- If the server makes some additional requirements beyond
           <authentication>.
           "client-IP-address": The server is only reachable or works,
               if the user is in a certain IP network, e.g.
               dialed into the ISP's network (DSL, cable, modem) or
               connected to a company network.
           Note: <authentication>client-IP-address</>
           means that you may use the server without any auth.
           <authentication>password-cleartext</> *and*
           <restriction>client-IP-address</> means that you need to
           be in the correct IP network *and* (should) authenticate.
           Servers which do that are highly discouraged and
           should be avoided, see {{bug|556267}}.
           Not yet implemented. Spec (element name?) up to change.
      -->
      <restriction>client-IP-address</restriction>
      <!-- remove the following and leave to client/user? -->
      <addThisServer>true</addThisServer>
      <useGlobalPreferredServer>true</useGlobalPreferredServer>
      <password>optional: the user's password</password>
    </outgoingServer>

    <!-- A page where the ISP describes the configuration.
         This is purely informational and currently mainly for
         maintenance of the files and not used by the client at all.
         Note that we do not necessarily use exactly the config suggested
         by the ISP, e.g. when they don't recommend SSL, but it's available,
         we will configure SSL.
         The text content should contain a description in the native
         language of the ISP (customers), and a short English description,
         mostly for us.
    -->
    <!-- TODO
    <documentation url="http://www.example.com/help/mail/thunderbird">
      <descr lang="en">Configure Thunderbird 2.0 for IMAP</descr>
      <descr lang="de">Thunderbird 2.0 mit IMAP konfigurieren</descr>
    </documentation>
    -->
  </emailProvider>

  <!-- This allows to access the webmail service of the provider.
       The URLs are loaded into a standard webbrowser for the user.
       Specifying this is optional. -->
  <webMail>
    <!-- Webpage where the user has to log in manually by entering username
         and password himself.
         HTTPS required. -->
    <loginPage url="https://mx1.rockstable.it/" />

    <!-- Same as loginAutomaticDOM, but the website makes checks that
         the user comes from the login page. So, open the login page
         in the browser, get the page's DOM, fill out name and password
         fields for the user, and trigger the login button.
         The login button might not be an HTML button, just a div, so
         to trigger it, send a click event to it.
         HTTPS is required for the URL. -->
    <loginPageInfo url="https://mx1.rockstable.it/">
      <!-- What to fill into the usernameField.
           Format is the same as for <username> within <incomingServer>,
           including placeholders. See below for valid placeholders. -->
      <username>%EMAILADDRESS%</username>
      <!-- Allows to find the textfield on the page, to fill it out.
           The id attribute gives the DOM ID,
           the name attribute gives the DOM name attribute.
           One or both of id and name attributes must exist.
           Try the ID first (e.g. using getElementById()), if existing.
           Otherwise, try finding the element by name.
           Don't treat the IDs given in this XML file as trusted,
           but before using them, verify the format
           (e.g. only characters and digits for IDs).
           If you use powerful functions like jQuery, and the XML returns
           you code in the username ID, and you feed it unchecked to jQuery,
           it may be executed. -->
      <usernameField id="email_field" name="email" />
      <passwordField name="password" />
      <!-- The submit button to trigger the server submit
           after filling in the fields.
           id and name attributes: See <usernameField> -->
      <loginButton id="submit_button" name="login"/>
    </loginPageInfo>
  </webMail>
</clientConfig>
/etc/apache2/sites-available.d/autoconfig_ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    Define SERVER_NAME autoconfig.rockstable.it
    ServerName ${SERVER_NAME}
    ServerAdmin webmaster@rockstable.it

    DocumentRoot /var/www/autoconfig
    <Directory /var/www/autoconfig>
        Options -Indexes
    </Directory>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/${SERVER_NAME}_error.log
    CustomLog ${APACHE_LOG_DIR}/${SERVER_NAME}_access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # A self-signed (snakeoil) certificate can be created by installing
    # the ssl-cert package. See
    # /usr/share/doc/apache2/README.Debian.gz for more info.
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    # The certificate below must also be valid for ${SERVER_NAME}
    # (request it with autoconfig.rockstable.it as an additional SAN).
    SSLCertificateFile /etc/letsencrypt/live/mx1.rockstable.it/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mx1.rockstable.it/privkey.pem

    # Always ensure Cookies have "Secure" set (JAH 2012/1); needs mod_headers
    <IfModule mod_headers.c>
        Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
    </IfModule>
</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Make sure your certificate is valid for autoconfig.your-domain.tld (the Let's Encrypt certificate referenced above is issued for mx1, so autoconfig must be included as a SAN), enable the apache2 site and reload the webserver.
The email client can then fetch the configuration from
https://autoconfig.rockstable.it/mail/config-v1.1.xml
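The `<password>` and `<restriction>` elements in the file above are leftovers from Mozilla's annotated template: the literal placeholder password should not ship in a production file, and `<restriction>` marks a setup the template itself discourages. The following Python script is an added example, not part of the page or of the Thunderbird project, that lints such a config-v1.1.xml before it is published: it flags non-TLS socket types, cleartext passwords over plain sockets, port/socket mismatches, leftover `<password>` elements, non-https webmail URLs and DOM ids or names that are not plain identifiers (the concern the XML comments raise). The embedded sample is a constructed, deliberately weakened variant of the page's file; for files fetched from hosts you do not control, parse with defusedxml instead of xml.etree.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the format of the page's config-v1.1.xml. It contains
# a plain socket with a cleartext password, a leftover <password> element and
# an http:// login page so that the checks below have something to report.
SAMPLE_XML = """<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="rockstable.it">
    <domain>rockstable.it</domain>
    <incomingServer type="imap">
      <hostname>mx1.rockstable.it</hostname>
      <port>143</port>
      <socketType>plain</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>password-cleartext</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mx1.rockstable.it</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>password-cleartext</authentication>
      <password>optional: the user's password</password>
    </outgoingServer>
  </emailProvider>
  <webMail>
    <loginPage url="http://mx1.rockstable.it/" />
    <loginPageInfo url="https://mx1.rockstable.it/">
      <username>%EMAILADDRESS%</username>
      <usernameField id="email_field" name="email" />
      <passwordField name="password" />
      <loginButton id="submit_button" name="login"/>
    </loginPageInfo>
  </webMail>
</clientConfig>
"""

# Expected (port, socketType) pairs per server type; anything else is flagged.
EXPECTED_PORTS = {
    "imap": {(993, "SSL"), (143, "STARTTLS")},
    "pop3": {(995, "SSL"), (110, "STARTTLS")},
    "smtp": {(465, "SSL"), (587, "STARTTLS")},
}
SAFE_DOM_ID = re.compile(r"^[A-Za-z0-9_-]+$")


def text(elem, tag):
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else ""


def check_autoconfig(xml_text):
    """Return a list of findings (strings) for a Thunderbird autoconfig file.

    An empty list means every server uses TLS, no cleartext password travels
    over a plain socket, ports match socket types, no placeholder <password>
    is left, the webmail URLs are https and the DOM ids/names are identifiers.
    """
    findings = []
    root = ET.fromstring(xml_text)
    provider = root.find("emailProvider")
    if provider is None:
        return ["no <emailProvider> element"]
    servers = list(provider.findall("incomingServer")) + list(provider.findall("outgoingServer"))
    for server in servers:
        kind = server.get("type", "?")
        host = text(server, "hostname")
        sock = text(server, "socketType")
        auth = text(server, "authentication")
        port = int(text(server, "port") or 0)
        where = f"{server.tag} {kind} {host}:{port}"
        if sock not in ("SSL", "STARTTLS"):
            findings.append(f"{where}: socketType {sock!r} is not TLS")
        if auth == "password-cleartext" and sock == "plain":
            findings.append(f"{where}: password would be sent unencrypted")
        if kind in EXPECTED_PORTS and (port, sock) not in EXPECTED_PORTS[kind]:
            findings.append(f"{where}: unusual port/socketType combination")
        if server.find("password") is not None:
            findings.append(f"{where}: leftover <password> element, remove it")
    webmail = root.find("webMail")
    if webmail is not None:
        for page in list(webmail.findall("loginPage")) + list(webmail.findall("loginPageInfo")):
            url = page.get("url", "")
            if not url.startswith("https://"):
                findings.append(f"{page.tag}: url {url!r} is not https")
        for field in webmail.iter():
            for attr in ("id", "name"):
                value = field.get(attr)
                if value is not None and not SAFE_DOM_ID.match(value):
                    findings.append(f"{field.tag}: {attr}={value!r} is not a plain identifier")
    return findings


if __name__ == "__main__":
    for finding in check_autoconfig(SAMPLE_XML):
        print(finding)
```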
Sender Policy Framework (SPF)
With the record v=spf1 mx -all (example SPF resource record, published as a TXT record at the domain apex) only the hosts behind the domain's MX records may send mail for it; every other source hard-fails.
It is also possible to allow the domain's own A record, the A record of another host, or to include the SPF record of another domain:
"v=spf1 mx a a:your.sender-domain.example.com include:domain.example.com -all"
Each mx, a, include:, exists: and redirect= term costs the receiver a DNS lookup; RFC 7208 allows at most 10 per evaluation, including the lookups caused inside included records, and a record that exceeds the limit yields permerror.
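An added example that is not from the page: a static SPF record lint in Python. It counts the lookup-consuming terms (RFC 7208 section 4.6.4 limits them to 10 per evaluation), flags +all and ?all, the deprecated ptr mechanism, a missing terminal all and terms placed after all. It does not resolve include: or redirect= targets, whose own records also count against the limit, so its count is a lower bound.

```python
import re

# RFC 7208 section 4.6.4: each of these terms costs a DNS lookup, at most 10 per check.
LOOKUP_TERMS = {"mx", "a", "include", "exists", "redirect", "ptr"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=](.*?))?(?:/\d+(?:/\d+)?)?$", re.I)


def lint_spf(record):
    """Static sanity check of one SPF TXT record. Returns (lookups, warnings).

    lookups counts the lookup-consuming terms in this record only; records
    pulled in via include:/redirect= add their own and are not fetched here.
    """
    warnings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["record must start with v=spf1"]
    lookups = 0
    saw_all = False
    for term in terms[1:]:
        if saw_all:
            warnings.append(f"term {term!r} after all is never evaluated")
            continue
        m = TERM.match(term)
        if not m:
            warnings.append(f"unparseable term {term!r}")
            continue
        qualifier, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            warnings.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
        if name == "all":
            saw_all = True
            if qualifier == "+":
                warnings.append("+all lets anyone send as this domain")
            elif qualifier == "?":
                warnings.append("?all (neutral) gives receivers nothing to act on")
        elif name not in MECHANISMS and "=" not in term:
            warnings.append(f"unknown mechanism {name!r}")
        if name in ("include", "exists") and not arg:
            warnings.append(f"{name} needs a domain argument")
    if not saw_all and "redirect=" not in record.lower():
        warnings.append("no terminal all (or redirect=) term, default result is neutral")
    if lookups > 10:
        warnings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return lookups, warnings


if __name__ == "__main__":
    for rec in ("v=spf1 mx -all",
                "v=spf1 mx a a:your.sender-domain.example.com include:domain.example.com -all",
                "v=spf1 ptr +all"):
        print(rec, "->", lint_spf(rec))
```

Run it over the TXT record as published (dig +short TXT your-domain.tld) rather than over the zone file, so that quoting and string concatenation errors are caught as well.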
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.
A subdomain may publish its own DMARC record: receivers look up _dmarc.<subdomain> first and only fall back to the organizational domain's _dmarc record (where the sp= tag applies) if none exists.
Example DMARC resource record
$TTL 86400
$ORIGIN rockstable.it.

; SOA RECORD WITH INCREMENTED SERIAL OMITTED

@      MX  10 mx1
_dmarc TXT ( "v=DMARC1; p=none; pct=100; "
             "rua=mailto:postmaster@rockstable.it!10m; "
             "ruf=mailto:postmaster@rockstable.it!10m; "
             "adkim=s; aspf=r" )
; External destination verification record (RFC 7489 section 7.1): only needed
; when this zone's mailboxes are to receive DMARC reports for another domain,
; in which case the left-hand side is that other (sending) domain.
;rockstable.it._report._dmarc TXT "v=DMARC1;"
Key | Existence | Description | Values | Default
v= | REQUIRED | Version | must be DMARC1 and the first tag in the record | -
p= | REQUIRED | Requested mail receiver policy | none, quarantine or reject | -
sp= | OPTIONAL | Requested mail receiver policy for all subdomains | none, quarantine or reject | value of p=
pct= | OPTIONAL | Percentage of messages the policy is applied to | 0…100 | 100
fo= | OPTIONAL | Failure reporting options | 0: report if all underlying mechanisms fail, 1: report if any mechanism fails, d: DKIM-specific report, s: SPF-specific report (colon-separated list) | 0
rf= | OPTIONAL | Failure report format | afrf (Authentication Failure Reporting Format, RFC 6591) | afrf
ri= | OPTIONAL | Aggregate report interval [s] | 32-bit unsigned integer | 86400
rua= | OPTIONAL | Addresses for aggregate reports | comma-separated mailto: URIs, e.g. mailto:comma@separat.ed, mailto:email@address.es, optionally with a size limit suffix such as !10m | -
ruf= | OPTIONAL | Addresses for failure (forensic) reports | comma-separated mailto: URIs, same syntax as rua= | -
adkim= | OPTIONAL | DKIM identifier alignment | s strict, r relaxed | r
aspf= | OPTIONAL | SPF identifier alignment | s strict, r relaxed | r
DMARC reports may also be sent to a third-party address, i.e. a mailbox outside the sending domain. In that case the third party has to prove that it wants to receive the reports by publishing a TXT record named <sender-domain>._report._dmarc.<third-party-domain> with the content v=DMARC1; a wildcard *._report._dmarc.<third-party-domain> is also allowed (RFC 7489 section 7.1). Receivers silently drop report URIs that fail this check.
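Added example, not from the page: parsing and validating a DMARC record in Python and deriving which _report._dmarc verification records third parties would have to publish for the rua=/ruf= targets. The address dmarc@reports.example used in the demo is an assumption; org_domain() takes the last two labels, a simplification of the Public Suffix List lookup real receivers perform.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Defaults from RFC 7489 section 6.3 for the optional tags; sp= defaults to p=.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf", "ri": "86400"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value.

    Raises ValueError on the errors that make receivers ignore the record:
    v=DMARC1 not first, missing or invalid p=, invalid sp=, pct out of range.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without value: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if tags.get("sp", "none") not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(name):
    # Simplification: the last two labels. Real receivers consult the Public
    # Suffix List, so e.g. example.co.uk would need special handling.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def report_uris(tags, key):
    """Split rua=/ruf= into (mailbox, size-limit-or-None) tuples."""
    out = []
    for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
        m = re.match(r"^mailto:([^!]+)(?:!(\d+[kmgt]?))?$", uri, re.I)
        if not m:
            raise ValueError(f"unsupported report URI {uri!r}")
        out.append((m.group(1), m.group(2)))
    return out


def external_verification_records(domain, tags):
    """Names of the TXT records third parties must publish before receivers
    will send them reports for `domain` (RFC 7489 section 7.1)."""
    needed = set()
    for key in ("rua", "ruf"):
        for mailbox, _ in report_uris(tags, key):
            target = org_domain(mailbox.rsplit("@", 1)[1])
            if target != org_domain(domain):
                needed.add(f"{domain}._report._dmarc.{target}")
    return sorted(needed)


if __name__ == "__main__":
    # The page's record, followed by one with an assumed third-party mailbox.
    page_record = ("v=DMARC1; p=none; pct=100; rua=mailto:postmaster@rockstable.it!10m; "
                   "ruf=mailto:postmaster@rockstable.it!10m; adkim=s; aspf=r")
    tags = parse_dmarc(page_record)
    print(tags["sp"], external_verification_records("rockstable.it", tags))
    tags = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@reports.example")
    print(external_verification_records("rockstable.it", tags))
```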
Benchmark
Postal
Install
apt install postal
Prepare a working directory for the benchmark
Create a file containing the receiver addresses
receiver.list
blackhole@rockstable.it
Create a file containing the sender addresses. The default is to use the receiver addresses.
sender.list
postal@rockstable.it
#WIP
/usr/local/share/postal_wrap.sh
Make the script executable
chmod a+x /usr/local/share/postal_wrap.sh
Benchmark the (local) SMTP server
cd ~/postal
postal_wrap.sh "$(hostname -f)" receiver.list
MTA: "mx1.rockstable.it"
RECIPIENTS: "receiver.list"
CSV: "postal_2021-02-16_20:39:55.csv"

time,messages,data(K),errors,connections,SSL connections
20:40,4,26,0,4,4
20:41,46,239,0,0,0
20:42,73,402,0,0,0
20:43,61,368,0,0,0
20:44,50,217,0,0,0
20:45,47,252,0,0,0
20:46,62,366,0,0,0
20:47,73,393,0,0,0
20:48,84,459,0,0,0
20:49,87,488,0,0,0
20:50,76,427,0,0,0
20:51,81,441,0,0,0
^C
Benchmarking output
postal_2021-02-16_20:39:55.csv
time,messages,data(K),errors,connections,SSL connections
20:40,4,26,0,4,4
20:41,46,239,0,0,0
20:42,73,402,0,0,0
20:43,61,368,0,0,0
20:44,50,217,0,0,0
20:45,47,252,0,0,0
20:46,62,366,0,0,0
20:47,73,393,0,0,0
20:48,84,459,0,0,0
20:49,87,488,0,0,0
20:50,76,427,0,0,0
20:51,81,441,0,0,0
Plotting the data
Install GNUplot
apt install gnuplot gnuplot-doc
Create a plot file
postal.gnuplot
#https://raymii.org/s/tutorials/GNUplot_tips_for_nice_looking_charts_from_a_CSV_file.html

set title TITLE

set datafile separator ','
#set datafile commentschars "#"
set xdata time
set timefmt "%H:%M"

set key autotitle columnhead
set xlabel 'Time'
set ylabel 'Messages'


set y2tics # enable second axis
set ytics nomirror # dont show the tics on that side
set y2label "Data in KiB" # label for second axis

set style line 100 lt 1 lc rgb "grey" lw 0.5
set grid ls 100

set ytics 10
set xtics 60 rotate
#set key right center # legend placement
set key outside right bottom

set style line 102 lw 3 lt rgb "#f62aa0" # style (pink)
set style line 103 lw 3 lt rgb "#26dfd0" # style (light blue)
set style line 104 lw 4 lt rgb "#b8ee30" # style (limegreen)

set term svg size 800,600 dynamic enhanced
set output OUT

plot \
CSV using 1:2 with lines ls 102, \
'' using 1:3 with lines axis x1y2 ls 103, \
'' using 1:4 with lines ls 104
Create a plot script
plot.sh
#!/bin/bash
# Usage: plot.sh postal.gnuplot postal_YYYY-MM-DD_HH:MM:SS[-SIZE].csv out.svg
set -u
[ $# -eq 3 ] || { echo "usage: $0 <gnuplot-script> <csv> <out.svg>" >&2; exit 1; }
SCRIPT="$1"
CSV="$2"
OUT="$3"

# Derive the plot title from the file name written by postal_wrap.sh
DATE="$(grep -Eo '[0-9]{4}-[0-9]{2}-[0-9]{2}' <<< "$CSV" || true)"
TIME="$(grep -Eo '[0-9]{2}:[0-9]{2}:[0-9]{2}' <<< "$CSV" || true)"
# Optional message size suffix ("-<size>.csv"); empty when the name has none
SIZE="$(sed -rn 's/.+[0-9]{2}:[0-9]{2}:[0-9]{2}-([0-9]+)\.csv$/\1/p' <<< "$CSV")"

PLOTTITLE_RAW="Postal Benchmark - $DATE $TIME${SIZE:+ ${SIZE}KiB}"
# Escape underscores; gnuplot's enhanced text mode would render them as subscripts
PLOTTITLE="$(sed -r 's/_/\\_/g' <<< "$PLOTTITLE_RAW")"

gnuplot -e "TITLE='${PLOTTITLE}'; CSV='${CSV}'; OUT='${OUT}'" "$SCRIPT"
Plot them all!
mailto
The mailto: URI scheme is defined in IETF RFC 6068; the addresses it carries follow the addr-spec of IETF RFC 5322 (Internet Message Format), section 3.4.1 (Addr-Spec Specification).
Small example
mailto:email-address@example.com?subject=Subject%20Hello%20world&body=Body%20Hello%20world
The recipient part must consist of plain addr-specs: a display name such as Firstname Lastname <email-address@example.com> is not permitted there by RFC 6068, and the spaces, < and > would have to be percent-encoded in any case.
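Added example that is not from the page: building and parsing mailto: URIs in Python with the percent-encoding RFC 6068 requires. The parser rejects raw whitespace and display names in the recipient part, CR/LF in header values (the classic header-injection vector when a mailto link is assembled from user input) and header fields outside an allow-list; that allow-list is a conservative choice of this example, not something RFC 6068 mandates.

```python
import re
from urllib.parse import quote, unquote

# A deliberately strict addr-spec: local part and dotted domain, no whitespace,
# angle brackets, commas or control characters (RFC 6068 allows only addr-specs,
# never display names, in the recipient part).
ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)
# Header fields this example lets a client honour; anything else (From,
# Reply-To, ...) is refused. This allow-list is an assumption of the example.
ALLOWED_HFIELDS = {"subject", "body", "cc", "bcc"}


def build_mailto(to, subject=None, body=None):
    """Assemble a mailto: URI; everything outside the unreserved set is percent-encoded."""
    for addr in to:
        if not ADDR_SPEC.match(addr):
            raise ValueError(f"not an addr-spec: {addr!r}")
    uri = "mailto:" + ",".join(quote(a, safe="@") for a in to)
    hfields = []
    if subject is not None:
        hfields.append("subject=" + quote(subject, safe=""))
    if body is not None:
        # Line breaks in the body are carried as %0D%0A (RFC 6068 section 5).
        normalized = body.replace("\r\n", "\n").replace("\n", "\r\n")
        hfields.append("body=" + quote(normalized, safe=""))
    return uri + ("?" + "&".join(hfields) if hfields else "")


def parse_mailto(uri):
    """Return (recipients, hfields) or raise ValueError on anything a client
    should not act on: wrong scheme, raw whitespace, display names, a line
    break inside a non-body header value, or a header name outside the allow-list."""
    if not uri.startswith("mailto:"):
        raise ValueError("not a mailto: URI")
    rest = uri[len("mailto:"):]
    if re.search(r"\s", rest):
        raise ValueError("raw whitespace in mailto URI, must be percent-encoded")
    to_part, _, query = rest.partition("?")
    recipients = [unquote(a) for a in to_part.split(",") if a]
    for addr in recipients:
        if not ADDR_SPEC.match(addr):
            raise ValueError(f"not an addr-spec: {addr!r}")
    hfields = {}
    for item in filter(None, query.split("&")):
        name, _, value = item.partition("=")
        name = unquote(name).lower()
        value = unquote(value)
        if name not in ALLOWED_HFIELDS:
            raise ValueError(f"refusing header field {name!r}")
        if name != "body" and ("\r" in value or "\n" in value):
            raise ValueError(f"line break in {name} header (header injection)")
        hfields[name] = value
    return recipients, hfields


if __name__ == "__main__":
    uri = build_mailto(["email-address@example.com"], "Subject Hello world", "Body Hello world")
    print(uri)
    print(parse_mailto(uri))
```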