Email for standalone servers: Difference between revisions
Latest revision as of 09:24, 26 October 2023

Various individuals and groups within CSE run their own servers "in the cloud" (read: AWS) which need email capability.

Email can be managed completely (i.e., sending and receiving) on the server, or some or all of the management can be offloaded to an email hosting service (e.g., Rackspace, where CSE has an account).

In this article we discuss the different possibilities and which might be more appropriate in some use cases than others.

Incoming email

For incoming email the server can:

  1. Run an email service, such as PostFix, which will receive emails directly and deliver them to local mailbox files (not discussed on this page), or
  2. Pick up emails with scripts using IMAP from an external email hosting provider. CSE has an account with Rackspace for this purpose and we can create mailboxes on their systems in the "cseunsw.tech" domain, e.g., "my-email@cseunsw.tech".
    • One way of doing this is to use the fetchmail program to pick up email from a Rackspace mailbox and then either store it in a file (e.g., in mbox format) or pass it to a script.
    • See the "netrc" reference further down, in the section on sending email via Rackspace using curl, for information about using Rackspace mailbox credentials.

Outgoing email

For outgoing email the server can:

  1. Run an email service, such as PostFix, which queues and sends emails either directly to the recipients' email servers, or to a "smart host" which then delivers the emails to the recipients' email servers. This latter approach is indicated when the local server is not always running (and thus cannot retry later if an email can't be delivered), or when a security concern means you don't want your server to talk directly to untrusted/random destination servers, or
  2. Send emails using scripts via an external email hosting provider. Mailboxes created in the Rackspace account mentioned above can be used to send email via their servers using curl (see below for an example).

Sending email as "<someuser>@cse.unsw.edu.au"

Sending email as "<someuser>@cse.unsw.edu.au" is the sort of thing you might want to do if your server will be running a service used by students and:

  1. You want your emails to appear legitimate, and
  2. You don't want your emails to be dropped by spam filters.

There are a number of hoops which you must jump through before a new server can do this.

  1. The IP address of your server needs to be added to the list of legitimate email senders for the "cse.unsw.edu.au" domain (see SPF section below),
  2. The server's full host/domain name should be listed in /etc/hostname AND there should be a DNS A record in the domain for the host name which contains the server's public IP address. Some email receivers will consider servers as likely spam senders if the host address is not set up correctly. Your server's address could end up on a blacklist, and your emails might silently disappear,
  3. Don't send super-short emails. Some email receivers (such as UNSW's email filters) will silently drop emails that only contain short text such as "This is a test message.",
  4. Configure the email server software on your server so the emails it sends as "<someuser>@cse.unsw.edu.au" are consistent. If an outbound email claims to be from "<someuser>@cse.unsw.edu.au" in the "From" line, but the envelope says something different, many email receivers will discard the email (see PostFix setup section below).
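The checks in items 3 and 4 can be made before a message is handed to the mail server. The following is an added example, not code from this page: it parses an outbound message with Python's email package and reports a From: header whose domain differs from the envelope sender, an envelope sender outside the domain the server is set up to send as, and a body short enough to look like a probe. The MIN_BODY_WORDS threshold is an assumption (the page names no number) and both sample messages are constructed.

```python
"""Pre-send lint for a server that sends as "<someuser>@cse.unsw.edu.au".

Added example, not code from the techdocs page. It checks the parts of the
list above that the sending side controls: the From: header domain must
match the envelope MAIL FROM domain, the envelope domain must be the domain
the server is authorised to send as, and the body must not be a one-line
test message. MIN_BODY_WORDS is an assumed threshold; the page gives none.
The two sample messages are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

SENDING_DOMAIN = "cse.unsw.edu.au"  # domain the server is set up (and SPF-listed) to send as
MIN_BODY_WORDS = 25                 # assumption: what counts as "super-short"


def addr_domain(addr: str) -> str:
    """Domain part of an address such as '"Name" <user@example.org>', lower-cased."""
    _, bare = parseaddr(addr)
    return bare.rpartition("@")[2].lower()


def lint_outbound(raw: bytes, envelope_from: str) -> list:
    """Return the problems found; an empty list means the message is ready to send."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    problems = []
    header_from = str(msg.get("From", ""))
    if not header_from:
        problems.append("missing From: header")
    hdr_dom, env_dom = addr_domain(header_from), addr_domain(envelope_from)
    if hdr_dom != env_dom:
        problems.append(f"From: domain {hdr_dom!r} does not match envelope domain {env_dom!r}")
    if env_dom != SENDING_DOMAIN:
        problems.append(f"envelope domain {env_dom!r} is not {SENDING_DOMAIN!r}")
    body = msg.get_body(preferencelist=("plain",))
    words = body.get_content().split() if body is not None else []
    if len(words) < MIN_BODY_WORDS:
        problems.append(f"body has only {len(words)} words; filters may silently drop it")
    return problems


# Constructed sample: From: claims cse.unsw.edu.au, envelope is cseunsw.tech, body is a one-liner.
SHORT_MSG = (
    b'From: "Someuser" <someuser@cse.unsw.edu.au>\r\n'
    b"To: student@example.org\r\n"
    b"Subject: Test\r\n\r\n"
    b"This is a test message.\r\n"
)

# Constructed sample: consistent sender and a body a filter will not mistake for a probe.
GOOD_MSG = (
    b'From: "Someuser" <someuser@cse.unsw.edu.au>\r\n'
    b"To: student@example.org\r\n"
    b"Subject: Submission received\r\n\r\n"
    b"Your assignment submission has been received by the course server and queued for marking. "
    b"You will receive a second message once marking is complete; please keep this email for "
    b"your records.\r\n"
)

if __name__ == "__main__":
    for name, raw, env in (("short", SHORT_MSG, "cs3231@cseunsw.tech"),
                           ("good", GOOD_MSG, "someuser@cse.unsw.edu.au")):
        print(name, lint_outbound(raw, env) or "ok")
```

Run against the constructed short message with a cseunsw.tech envelope sender, the lint reports all three problems; the second message, sent with a matching cse.unsw.edu.au envelope, passes.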

Sender Policy Framework (SPF)

SPF is a technique used to ensure that a server sending email as "<someuser>@cse.unsw.edu.au" is actually authorised to do so. This is an anti-spam/anti-fraud mechanism that prevents Joe Arbitrary from sending email claiming to be "<someuser>@<somedomain>" when he has no association with "<somedomain>".

The way it works is that the DNS domain administrator creates an SPF-formatted TXT DNS record which details which servers are legitimate email senders for their domain. Here's the way it's set up for CSE:

$ nslookup -q=txt cse.unsw.edu.au
...
cse.unsw.EDU.AU text = "v=spf1 exists:%{i}.spf.hc1127-81.ap.iphmx.com a include:spf.protection.outlook.com include:emailsrvr.com include:authorisedsenders.cseunsw.tech ~all"

$ nslookup -q=txt authorisedsenders.cseunsw.tech
...
authorisedsenders.cseunsw.tech text = "v=spf1 ip4:3.27.195.149 ip4:54.66.182.104 ~all"

$ 

The first nslookup fetches the SPF TXT record for "cse.unsw.edu.au". This record contains a reference to the SPF record for "authorisedsenders.cseunsw.tech". This latter record contains a list of IPv4 addresses of servers which are authorised to send, and because this list is included in the CSE SPF record, they are thereby authorised for "cse.unsw.edu.au".

UNSW's IronPort email filters will reject email claiming to be from "<someuser>@cse.unsw.edu.au" if the server originating the email isn't somehow referenced (directly or indirectly) in the CSE SPF record.
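To see how a receiver walks that include chain, here is an added example (not from this page): a small SPF evaluator for the mechanisms the CSE record uses, run against a constructed DNS table containing the two TXT records quoted above. It answers the question a new server's operator actually has: would this IP address pass SPF for "cse.unsw.edu.au"? The A record in the table is hypothetical, the Outlook and emailsrvr.com includes are deliberately absent (so they are reported as "none" rather than guessed), and the exists: mechanism with its %{i} macro is reported, never matched.

```python
"""Offline walk of the SPF chain shown above.

Added example, not from the page: a small evaluator for the SPF mechanisms
the CSE record actually uses (ip4, ip6, a, include and all, with the
+ - ~ ? qualifiers) run against a constructed DNS table. The two TXT
records are copied from the nslookup output above; the A record is a
hypothetical value so that the "a" mechanism has something to match.
Records for the Outlook and emailsrvr.com includes are left out of the
table, so those includes resolve to "none" and are reported rather than
guessed; exists: with its %{i} macro is likewise reported, never matched.
"""
import ipaddress

DNS = {  # constructed lookup table: (name, type) -> record
    ("cse.unsw.edu.au", "TXT"): "v=spf1 exists:%{i}.spf.hc1127-81.ap.iphmx.com a "
                                "include:spf.protection.outlook.com include:emailsrvr.com "
                                "include:authorisedsenders.cseunsw.tech ~all",
    ("authorisedsenders.cseunsw.tech", "TXT"): "v=spf1 ip4:3.27.195.149 ip4:54.66.182.104 ~all",
    ("cse.unsw.edu.au", "A"): ["192.0.2.10"],  # hypothetical, documentation range
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, dns=DNS, depth=0, notes=None):
    """Return (result, notes): result is pass/fail/softfail/neutral/none/permerror."""
    notes = [] if notes is None else notes
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; an include loop ends up here
        notes.append(f"{domain}: include nesting too deep")
        return "permerror", notes
    record = dns.get((domain, "TXT"))
    if record is None or not record.startswith("v=spf1"):
        notes.append(f"{domain}: no SPF record")
        return "none", notes
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an IPv6 sender never matches an ip4 network, and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in dns.get((arg or domain, "A"), [])
        elif mech == "include":
            sub, _ = check_spf(arg, ip, dns, depth + 1, notes)
            matched = sub == "pass"  # only a "pass" inside an include matches
        else:
            matched = False
            notes.append(f"{domain}: mechanism {term!r} not evaluated here")
        if matched:
            notes.append(f"{domain}: matched {qual}{term}")
            return QUALIFIER_RESULT[qual], notes
    return "neutral", notes


if __name__ == "__main__":
    for ip in ("3.27.195.149", "203.0.113.7"):
        result, notes = check_spf("cse.unsw.edu.au", ip)
        print(ip, "->", result)
        for n in notes:
            print("   ", n)
```

For 3.27.195.149 the walk ends with "pass" via the authorisedsenders.cseunsw.tech include; an address not in any listed range falls through to "~all" and gets "softfail", which is exactly the outcome a new server gets before its IP is added to that record.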

Configuring PostFix to send email as "cse.unsw.edu.au"

PostFix is one of the standard email server packages supported by Debian. This is the server software we (CSG) recommend for users. It's the one we are most familiar with and can assist with, if necessary.

The only configuration file you need to customise is /etc/postfix/main.cf. Here's an example of the customised /etc/postfix/main.cf file generated for the host "zammad" when "Internet Site" was selected during installation (or when you run dpkg-reconfigure postfix after PostFix has been installed). The parts in red need to be customised for the host and the domain.

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = zammad.cse.unsw.edu.au
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = cse.unsw.edu.au
mydestination = $myhostname, zammad.cse.unsw.edu.au, zammad, localhost.localdomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
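The values marked in red above are the ones that go wrong most often, and the hoops listed earlier can be checked mechanically. What follows is an added example, not code from this page or from the Postfix project: it parses the main.cf text (the sample is the file quoted above, embedded as a constructed string), compares it with the intended /etc/hostname contents and sending domain, and also flags a mynetworks that trusts more than loopback while smtpd_relay_restrictions still contains permit_mynetworks, since that combination lets every host in those ranges relay through the server. The $name / ${name} expansion is a simplified form of Postfix's own.

```python
"""Lint a Postfix main.cf against the hoops listed earlier on this page.

Added example, not code from the page or from the Postfix project. It reads
the main.cf text (the sample below is the file quoted above, embedded as a
constructed string), the intended /etc/hostname contents and the sending
domain, and reports: myhostname not fully qualified or different from
/etc/hostname, myorigin not the sending domain, myhostname missing from
mydestination, and mynetworks trusting ranges beyond loopback while
smtpd_relay_restrictions still contains permit_mynetworks. Parameter
expansion is a simplified form of Postfix's $name / ${name}.
"""
import ipaddress
import re

MAIN_CF = """\
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = zammad.cse.unsw.edu.au
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = cse.unsw.edu.au
mydestination = $myhostname, zammad.cse.unsw.edu.au, zammad, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
"""


def parse_main_cf(text):
    """Map parameter names to raw values, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf


def expand(value, conf):
    """Expand $name and ${name} references from the same file (simplified)."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: conf.get(m.group(1), ""), value)


def is_loopback_net(entry):
    """True if a mynetworks entry covers only loopback addresses."""
    try:
        net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
    except ValueError:  # table references or host names: not a loopback literal
        return False
    first = net.network_address
    if net.version == 6 and first.ipv4_mapped is not None:  # [::ffff:127.0.0.0]/104 style
        net = ipaddress.ip_network(f"{first.ipv4_mapped}/{max(net.prefixlen - 96, 0)}", strict=False)
    return net.network_address.is_loopback and net.broadcast_address.is_loopback


def lint_main_cf(text, etc_hostname, sending_domain):
    """Return a list of problems; empty means the file matches the page's advice."""
    conf = parse_main_cf(text)
    problems = []
    myhostname = expand(conf.get("myhostname", ""), conf)
    etc_hostname = etc_hostname.strip()
    if "." not in myhostname:
        problems.append(f"myhostname {myhostname!r} is not a fully qualified name")
    if myhostname != etc_hostname:
        problems.append(f"myhostname {myhostname!r} differs from /etc/hostname {etc_hostname!r}")
    if expand(conf.get("myorigin", ""), conf) != sending_domain:
        problems.append(f"myorigin is {conf.get('myorigin')!r}, expected {sending_domain!r}")
    dests = [d.strip() for d in expand(conf.get("mydestination", ""), conf).split(",")]
    if myhostname not in dests:
        problems.append("mydestination does not include myhostname")
    wide = [n for n in conf.get("mynetworks", "").split() if not is_loopback_net(n)]
    if wide and "permit_mynetworks" in conf.get("smtpd_relay_restrictions", "").split():
        problems.append(f"mynetworks trusts {wide} and permit_mynetworks lets them relay")
    return problems


if __name__ == "__main__":
    print(lint_main_cf(MAIN_CF, "zammad.cse.unsw.edu.au\n", "cse.unsw.edu.au") or "ok")
    print(lint_main_cf(MAIN_CF, "zammad\n", "cse.unsw.edu.au"))
```

The file as quoted passes cleanly; an /etc/hostname holding just "zammad" produces the hostname mismatch the page warns about, and appending a private range such as 172.62.0.0/16 to mynetworks (a constructed variant) triggers the relay warning.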

Sending email using curl via Rackspace

Here's an example script showing how you can send an email via Rackspace using curl. It uses an external "netrc" file which contains the password for the Rackspace account. This is to avoid having the password as a command-line argument where it might be visible to other users.

#!/bin/bash

set -x

(
cat <<- EOF
From: "cs3231" <cs3231@cseunsw.tech>
To: "Peter Linich" <plinich@cse.unsw.edu.au>
Date: $(date -R)
Subject: Test email at this time --> $(date "+%H:%M:%S")

Sent at $(date).

This is a test email with test text as the body.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ultricies leo integer malesuada nunc vel risus commodo. Vitae justo eget magna fermentum iaculis eu. Commodo odio aenean sed adipiscing diam donec adipiscing. Mauris cursus mattis molestie a iaculis at erat pellentesque adipiscing. Tellus mauris a diam maecenas. Lectus quam id leo in. Massa placerat duis ultricies lacus sed turpis. Varius sit amet mattis vulputate enim nulla aliquet porttitor. Non enim praesent elementum facilisis.

Est placerat in egestas erat imperdiet sed euismod. Leo a diam sollicitudin tempor id eu nisl. Ac feugiat sed lectus vestibulum mattis ullamcorper. Urna cursus eget nunc scelerisque viverra mauris. Ipsum consequat nisl vel pretium lectus quam. Phasellus egestas tellus rutrum tellus. Rhoncus dolor purus non enim praesent elementum facilisis. Integer quis auctor elit sed vulputate mi sit. Hac habitasse platea dictumst quisque sagittis purus sit amet volutpat. Urna nec tincidunt praesent semper. Vitae semper quis lectus nulla at volutpat diam ut. Neque viverra justo nec ultrices dui sapien eget mi proin. Non odio euismod lacinia at quis risus sed. Eros donec ac odio tempor orci dapibus. Pellentesque id nibh tortor id aliquet lectus proin nibh nisl.

Condimentum mattis pellentesque id nibh tortor id aliquet lectus proin. Ac auctor augue mauris augue neque gravida in. Pellentesque adipiscing commodo elit at imperdiet dui accumsan sit. Mattis ullamcorper velit sed ullamcorper morbi tincidunt. Velit sed ullamcorper morbi tincidunt ornare massa eget. Lectus sit amet est placerat in. Mattis rhoncus urna neque viverra justo nec. Quis hendrerit dolor magna eget est lorem ipsum dolor sit. Sed lectus vestibulum mattis ullamcorper velit sed ullamcorper. Cras pulvinar mattis nunc sed blandit libero. Aliquet sagittis id consectetur purus ut faucibus pulvinar elementum integer.

Enim ut tellus elementum sagittis vitae et. Faucibus scelerisque eleifend donec pretium vulputate. Pellentesque id nibh tortor id aliquet lectus proin nibh. Netus et malesuada fames ac turpis egestas integer. Eu facilisis sed odio morbi quis commodo odio aenean. Ultrices tincidunt arcu non sodales. Morbi tristique senectus et netus. Eget dolor morbi non arcu. Ac odio tempor orci dapibus. Consectetur purus ut faucibus pulvinar elementum integer enim neque volutpat. Interdum varius sit amet mattis vulputate enim. Felis bibendum ut tristique et egestas quis ipsum suspendisse ultrices. Turpis massa tincidunt dui ut ornare lectus sit. Purus sit amet volutpat consequat mauris nunc congue. Vulputate mi sit amet mauris commodo quis imperdiet. Mattis nunc sed blandit libero volutpat sed cras ornare.

Sit amet luctus venenatis lectus magna. Blandit massa enim nec dui. Massa tempor nec feugiat nisl pretium fusce id. Nulla porttitor massa id neque aliquam vestibulum. Aenean pharetra magna ac placerat vestibulum lectus mauris. Cras pulvinar mattis nunc sed. Ultrices in iaculis nunc sed augue. Auctor urna nunc id cursus metus aliquam eleifend mi. Vel pharetra vel turpis nunc eget lorem dolor. Pulvinar neque laoreet suspendisse interdum. Aliquam vestibulum morbi blandit cursus risus at ultrices mi tempus. Elementum eu facilisis sed odio. Facilisi etiam dignissim diam quis enim lobortis. Lorem ipsum dolor sit amet consectetur adipiscing elit. Tempus iaculis urna id volutpat lacus laoreet non curabitur gravida. Et odio pellentesque diam volutpat commodo sed egestas. Aliquet enim tortor at auctor urna nunc id cursus.
EOF
)                                        | \
curl                                     \
-v                                       \
--ssl-reqd                               \
--url 'smtps://secure.emailsrvr.com:465' \
--netrc-file /root/netrc-rackspace-smtps \
--mail-from cs3231@cseunsw.tech          \
--mail-rcpt plinich@cse.unsw.edu.au      \
--upload-file -

/root/netrc-rackspace-smtps

machine secure.emailsrvr.com
login cs3231@cseunsw.tech
password xMyPasswordx
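Keeping the password in a netrc file only helps if that file is itself private: curl reads whatever --netrc-file points at regardless of its permissions. The following is an added example, not from this page, that checks a netrc file the way the script above uses it: owned by the caller, not readable by group or others, and holding a "machine" entry for the host named in the smtps:// URL. It writes a constructed copy of the file with a placeholder password into a temporary directory and checks it first world-readable, then owner-only.

```python
"""Checks on the netrc file that the curl command above reads its password from.

Added example, not from the page. curl reads whatever --netrc-file points at,
so keeping the password out of the command line only helps if the file itself
is private: this checks that it is owned by the caller, not readable by group
or others, and has a "machine" entry for the host in the smtps:// URL. The
file written for the demo is constructed, with a placeholder password.
"""
import netrc
import os
import stat
import tempfile
from urllib.parse import urlsplit

SMTPS_URL = "smtps://secure.emailsrvr.com:465"  # the URL used in the curl command above

# Constructed netrc contents; the password is a placeholder, not a real credential.
NETRC_TEXT = "machine secure.emailsrvr.com\nlogin cs3231@cseunsw.tech\npassword PLACEHOLDER\n"


def check_netrc_for_url(path, url):
    """Return the problems found; empty means curl can use the file safely."""
    problems = []
    st = os.stat(path)
    if st.st_uid != os.getuid():
        problems.append("file is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.filemode(st.st_mode)} lets other users read the password")
    host = urlsplit(url).hostname
    entry = netrc.netrc(path).authenticators(host)  # (login, account, password) or None
    if entry is None:
        problems.append(f"no 'machine {host}' entry in {os.path.basename(path)}")
    elif not entry[2]:
        problems.append(f"entry for {host} has no password")
    return problems


def demo():
    """Write the constructed file, check it world-readable and then owner-only."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "netrc-rackspace-smtps")
        with open(path, "w") as f:
            f.write(NETRC_TEXT)
        os.chmod(path, 0o644)
        loose = check_netrc_for_url(path, SMTPS_URL)
        os.chmod(path, 0o600)
        tight = check_netrc_for_url(path, SMTPS_URL)
        return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    print("0644:", loose)
    print("0600:", tight or "ok")
```

Note that Python's netrc module only enforces its own permission check on the default ~/.netrc, not on an explicitly named file, which is why the mode test is done by hand here.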

Page structure sketch (delete when page is complete)

  • Create an SPF record for the server's sending domain containing its IP address
  • Using PostFix to send email
    • Configure the full domain in /etc/hostname
  • Mailboxes managed by Rackspace
    • The cseunsw.tech domain mail exchangers (MX)
    • Using Rackspace's email servers to send email as a single user
      • Sending email using curl
      • Using PostFix
    • Rackspace mailboxes
      • Simple email, not Exchange
      • Picking up email using IMAP
      • Forwarding email from a cse.unsw.edu.au address using mlalias
  • Configuring a server to send email as cse.unsw.edu.au
    • Add IP address to authorisedsenders.cseunsw.tech TXT record
    • /etc/postfix/main.cf