doc:appunti:linux:sa:postfix_spamassassin_clamav_dovecot [2018/01/30 23:55] – [Dovecot-lda Quota] niccolo
doc:appunti:linux:sa:postfix_spamassassin_clamav_dovecot [2023/10/30 11:09] (current) – [Enable SSL, imaps and pop3s] niccolo
Line 39: Line 39:
 We want a **single authentication mechanism** for SMTP, POP3 and IMAP, and we want to let the user to authenticate using the Unix **username** or the full **email address** and the password. Dovecot authentication is suitable for the task; the default Debian configuration provides authentication against the system usernames via the PAM module. The configuration file is **/etc/dovecot/conf.d/auth-system.conf.ext**. We want a **single authentication mechanism** for SMTP, POP3 and IMAP, and we want to let the user to authenticate using the Unix **username** or the full **email address** and the password. Dovecot authentication is suitable for the task; the default Debian configuration provides authentication against the system usernames via the PAM module. The configuration file is **/etc/dovecot/conf.d/auth-system.conf.ext**.
  
-To let authentication using the email address, we provide a passwd-like file **/etc/dovecot/userdb**, we will leave //gecos//, //shell// and //extra_fields// blank. See [[https://wiki2.dovecot.org/AuthDatabase/PasswdFile|PasswdFile]] wiki page for details:+To let authentication using the email address, we provide a passwd-like file **/etc/dovecot/users**, we will leave //gecos//, //shell// and //extra_fields// blank. See [[https://wiki2.dovecot.org/AuthDatabase/PasswdFile|PasswdFile]] wiki page for details:
  
 <file> <file>
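Review bot: the renamed file /etc/dovecot/users will hold password hashes copied from /etc/shadow, so this paragraph should say up front that it has to be root:dovecot with mode 0640; the chmod/chown only appears later (in the "Line 87" hunk), and a reader who creates the file here with the default umask leaves the hashes world-readable until then. Wording: "To let authentication using the email address" reads better as "To allow authentication with the email address".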
Line 50: Line 50:
 passdb { passdb {
   driver = passwd-file   driver = passwd-file
-  args = scheme=CRYPT /etc/dovecot/userdb+  args = scheme=CRYPT username_format=%u /etc/dovecot/users
 } }
  
 userdb { userdb {
   driver = passwd-file   driver = passwd-file
-  args = /etc/dovecot/userdb+  args = username_format=%u /etc/dovecot/users
 } }
 </file> </file>
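Review bot: with username_format=%u the lookup key is exactly what the client typed, so an entry keyed by the full address is found only when the user logs in with the address, and a bare Unix username falls through to the PAM passdb; that is the intended split and is worth stating next to the snippet. Since the userdb is the same passwd-file, the uid, gid and home fields of every line must match the system account, otherwise dovecot-lda and the IMAP process run under the wrong identity for address-based logins.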
Line 64: Line 64:
  
 <file> <file>
-!include auth-system.conf.ext+# Order matters: we use passwdfile first because it is most likely used 
 +# and because system autentication (PAM) does a 2-seconds delay on fail.
 !include auth-passwdfile.conf.ext !include auth-passwdfile.conf.ext
 +!include auth-system.conf.ext
 </file> </file>
  
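Review bot: typo in the added comment, "autentication" should be "authentication". The comment could also mention that the reordering avoids the PAM delay only for lookups the passwd-file resolves, and that Dovecot applies its own auth_failure_delay (2 secs by default) to every failed attempt on top of whatever PAM does, so measurements of failed logins will not change much.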
Line 85: Line 87:
 </code> </code>
  
-The file **/etc/dovecot/userdb** should be built e.g. by a cron-job, joining Postfix ''virtual_alias_maps'' and ''/etc/shadow'' passwords. It is re-read at each lookup. We need also to protect it:+The file **/etc/dovecot/users** should be built e.g. by a cron-job, joining Postfix ''virtual_alias_maps'' and ''/etc/shadow'' passwords. It is re-read at each lookup. We need also to protect it:
  
 <code> <code>
-chmod 0640 /etc/dovecot/userdb +chmod 0640 /etc/dovecot/users 
-chown root:dovecot /etc/dovecot/userdb+chown root:dovecot /etc/dovecot/users
 </code> </code>
 +
 +If you need to **generate the hash for a password**, you can use the following command line:
 +
 +<code>
 +openssl passwd -1
 +</code>
 +
 +When the **/etc/dovecot/users** is updated, there is **no need to reload** the Dovecot service. Beside the **passwd-file** driver, Dovecot can use other database types, check the **[[https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/#lookup-database|lookup databases]]** paragraph if you need more performances.
 +
 +
 ===== Postfix SASL over Dovecot Auth ===== ===== Postfix SASL over Dovecot Auth =====
  
-See **[[https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL|Postfix And Dovecot SASL]]**.+See **[[https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL|Postfix and Dovecot SASL]]**.
  
 First of all we need to activate the socket used by Posfix for authentication. In **/etc/dovecot/conf.d/10-master.conf** ensure that into the //service auth// section there is: First of all we need to activate the socket used by Posfix for authentication. In **/etc/dovecot/conf.d/10-master.conf** ensure that into the //service auth// section there is:
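Review bot: "openssl passwd -1" produces MD5-crypt ($1$) hashes; crypt(3) accepts them under scheme=CRYPT, but they are weak by today's standards and the file is otherwise fed from /etc/shadow, which on Debian already uses SHA-512-crypt ($6$). Suggest "openssl passwd -6" or "doveadm pw -s SHA512-CRYPT" instead; a $6$ hash works with the CRYPT scheme unchanged, and a {SHA512-CRYPT} prefix on a single entry overrides the default scheme for that line, so no configuration change is needed. Pre-existing typo in the following paragraph: "Posfix".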
Line 137: Line 149:
 ... ...
 </code> </code>
 +
 +**WARNING**: The **AUTH** capability is not announced over an unencrypted connection, if it is enabled only over TLS connections; see the **smtpd_tls_auth_only** Postfix option. Modern Postfix installations does not offer AUTH over **smtp** (port 25/tcp), but only over **submission** (port 587/tcp). Check if the option **smtpd_sasl_auth_enable=yes** is declared into **main.cf** or into the //submission// section of **master.cf**.
  
 ===== Dovecot IMAP and POP3 ===== ===== Dovecot IMAP and POP3 =====
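Review bot: the first sentence of the WARNING is circular ("not announced over an unencrypted connection, if it is enabled only over TLS"); state the cause directly: with smtpd_tls_auth_only = yes Postfix advertises AUTH only after STARTTLS, so a plain EHLO on port 25 or 587 will not list it, and that is the intended, safer behaviour. A submission entry in master.cf with "-o smtpd_tls_security_level=encrypt" (mandatory TLS) likewise withholds AUTH until STARTTLS, so both files need checking, as the last sentence already hints. Grammar: "installations does not offer" should be "installations do not offer"; "declared into main.cf" should be "declared in main.cf".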
Line 145: Line 159:
   * **dovecot-pop3d**   * **dovecot-pop3d**
  
-Once installed, the basic services **IMAP2** on port **TCP/143** and **POP3** on port **TCP/110** are already working, eventually with the **Dovecot Authentication on userdb** as seen above.+Once installed, the basic services **IMAP2** on port **TCP/143** and **POP3** on port **TCP/110** are already working, eventually with the **Dovecot Authentication on users** as seen above.
  
 ==== Enable SSL, imaps and pop3s ==== ==== Enable SSL, imaps and pop3s ====
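Review bot: "eventually with the Dovecot Authentication on users" uses "eventually" in the Italian sense; in English it means "in the end", so "optionally with the Dovecot authentication on /etc/dovecot/users as seen above" says what is meant and also names the file the earlier hunks renamed.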
Line 159: Line 173:
 </file> </file>
  
-Dovecot will read the SSL files with root privileges, so no particular settings should be required.+Dovecot will read the SSL files with root privileges, so no particular settings should be required. If the certificate is **renewed**, you must **reload** the **dovecot.service** to re-read it. 
 + 
 +Once restarted the **dovecot.service**, we will find the services listening on the well known ports, and we can check the SSL certificates. 
 + 
 +==== Client connections are being dropped ==== 
 + 
 +You may encounter wanring messages like these into the mail log: 
 + 
 +<code> 
 +dovecot: master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped 
 +</code> 
 + 
 +To increase the number of process that are allowed to spawn, edit the **/etc/dovecot/conf.d/10-master.conf** file and set 
 + 
 +<file> 
 +default_process_limit = 200 
 +</file>
  
-Once restarted the //dovecot.service//, we will find the services listening on the well known ports, and we can check the SSL certificates. 
 ===== SpamAssassin Filter ===== ===== SpamAssassin Filter =====
  
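Review bot: typos "wanring" (warning) and "the number of process" (processes). default_process_limit raises the cap for every Dovecot service at once; since the logged warning names imap-login, the targeted change is "service imap-login { process_limit = 200 }" in the same 10-master.conf, which leaves auth, imap and the other services at their defaults. On the certificate renewal sentence: a "systemctl reload dovecot" is enough and keeps existing sessions alive, which is worth saying because the next paragraph talks about a restart.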
Line 184: Line 213:
 CRON=1 CRON=1
 </file> </file>
 +
 +To force a manual update you can run **/etc/cron.daily/spamassassin**, downloaded rules will be stored into **/var/lib/spamassassin/3.004001/**. If something goes wrong (e.g. rules with errors), the **spamd** daemon may stop to work, in this case you should remove the above directory and just run with default, not updated rules.
  
 ===== Sanitizer/ClamAV Filter ===== ===== Sanitizer/ClamAV Filter =====
  
-For virus scanning of email attachments we use the ClamAV antivirus software. We install the daemon, the client and the database periodic update utility:+For virus scanning of email attachments we use the ClamAV antivirus software. We install scanner, the daemon, the client and the database periodic update utility:
  
 +  * **clamav**
   * **clamav-daemon**   * **clamav-daemon**
   * **clamdscan**   * **clamdscan**
   * **clamav-freshclam**   * **clamav-freshclam**
 +  * **libclamunrar9** (non-free package to scan inside RAR archives)
  
 Periodic download (update) of viruses database is performed by the **clamav-freshclam.service**, you can check the **/var/log/clamav/freshclam.log**. Periodic download (update) of viruses database is performed by the **clamav-freshclam.service**, you can check the **/var/log/clamav/freshclam.log**.
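Review bot: /var/lib/spamassassin/3.004001/ is a version-specific directory name (it tracks the installed SpamAssassin version), so the text should say so rather than present it as a fixed path. Before deleting the directory, "spamassassin --lint" reports which updated rule file fails to parse, which is a safer first step than running with stale rules; "may stop to work" should read "may stop working". In the ClamAV package list, libclamunrar9 also carries a version in its name and may be named differently on newer Debian releases.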
Line 202: Line 235:
 cat message.txt | /usr/bin/sanitizer /etc/sanitizer.cfg cat message.txt | /usr/bin/sanitizer /etc/sanitizer.cfg
 </code> </code>
 +
 +Beware that the **clamd** daemon runs per default with the **clamav user**, if you want regular users to scan their files (e.g. their mail attachments) you have to use the **%%--fdpass%%** argument when invoking the **clamdscan** client, otherwise you will get the error message:
 +
 +<code>
 +eicar-antivirus.com: lstat() failed: Permission denied. ERROR
 +</code>
 +
 +The ''%%--fdpass%%'' option works only if ''clamdscan'' connects to ''clamd'' via the Unix socket.
 ===== Dovecot Local Delivery Agent ===== ===== Dovecot Local Delivery Agent =====
  
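Review bot: the "lstat() failed: Permission denied" message comes from clamd itself, running as the clamav user and unable to reach a file in the user's home; besides --fdpass, "clamdscan --stream" sends the file contents over the connection and also works when clamd listens on TCP, at the cost of copying the data. The added paragraph should keep a blank line before the "===== Dovecot Local Delivery Agent =====" heading, as the rest of the page does.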
Line 226: Line 267:
 mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
 </file> </file>
 +
 +==== Error stats-writer Broken pipe ====
 +
 +**WARNING**: At least in **Debian 11 Bullseye** it seems that the **dovecot-lda** sometimes (not always!) tries to write to the **Dovecot Stats Service** using the **/run/dovecot/stats-writer** socket. Unfortunately the socket is owned by **root:dovecot** and has mode **0660** (default Debian settings), whereas the LDA is invoked by Postfix with just the user's privileges. So you will find error messages like this into the mail.log:
 +
 +<code>
 +postfix/local[76866]: 7E67B7D3F4: to=<user@domain.tld>, ...,
 +    status=bounced (Command died with status 134:
 +    "/usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"".
 +    Command output: lda(lica-marilena):
 +    Error: net_connect_unix(/run/dovecot/stats-writer) failed:
 +    Permission denied Aborted Unable to flush stdout: Broken pipe )
 +</code>
 +
 +It seems that the quickest and simplest solution is to make the socket **0666 mode** (which will risk the stats service to be abused). Add the following snippet to **/etc/dovecot/conf.d/15-lda.conf**:
 +
 +<file>
 +service stats {
 +  unix_listener stats-writer {
 +    mode = 0666
 +  }
 +}
 +</file>
 +
 +See the following posts about the problem:
 +
 +  * [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961033|stats-writer permission issue when using LDA via procmail - Debian bug #961033]]
 +  * [[https://dovecot.org/pipermail/dovecot/2022-February/124267.html|postfix, dovecot-lda, /run/dovecot/stats-writer socket permision and local user delivery, again]]
 +
 +==== Error Command output: Aborted ====
 +
 +Another subtle error with Dovecot LDA can be reported generically into the Postfix log as:
 +
 +<code>
 +postfix/local[1615363]: E85037D1C6: to=<user@domain.tld>, ...
 +    status=bounced (Command died with status 134:
 +    "/usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"".
 +    Command output: Aborted )
 +</code>
 +
 +To get some hints about the problem you can enable logging in Dovecot LDA; you can add the following in **/etc/dovecot/conf.d/15-lda.conf**:
 +
 +<file>
 +protocol lda {
 +  ...
 +  log_path = /var/log/dovecot-lda-errors.log
 +  info_log_path = /var/log/dovecot-lda.log
 +}
 +</file>
 +
 +and create the log files with suitable permissions (in my case the LDA is executed with user's privileges, so I made it world-writable).
 +
 +<code>
 +lda(username)<1619235><QdsSDJpj72MjtRgACo+hHQ>: Error: program
 +    exec:/usr/local/lib/dovecot/sieve-filter/spamc-filter.sh (1619240):
 +    Execution timed out (> 10000 msecs)
 +lda(username)<1619235><QdsSDJpj72MjtRgACo+hHQ>: Error: program
 +    exec:/usr/local/lib/dovecot/sieve-filter/spamc-filter.sh (1619240):
 +    Forcibly terminated with signal 15
 +lda(username)<1619235><QdsSDJpj72MjtRgACo+hHQ>: Panic:
 +    output stream (temp iostream in /tmp/dovecot.lda.
 +    for (program client seekable output)) is missing error handling
 +lda(username)<1619235><QdsSDJpj72MjtRgACo+hHQ>: Error:
 +    Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(backtrace_append+0x42)...
 +</code>
 +
 +There was a problem with **the filter program responding too slowly**. It is possible to change the **exec timeout**, in this case for the **filter** extension, just add the following in **/etc/dovecot/conf.d/90-sieve-extprograms.conf** (notice that you can configure ''sieve_pipe_exec_timeout'', ''sieve_filter_exec_timeout'' and ''sieve_execute_exec_timeout''):
 +
 +<file>
 +plugin {
 +  ...
 +  # Change the default timeout (10 seconds) for the filter extension.
 +  sieve_filter_exec_timeout = 60s
 +
 +  # Change the default timeout (10 seconds) for the execute extension.
 +  sieve_execute_exec_timeout = 60s
 +}
 +</file>
 +
 +==== Error Unable to flush stdout ====
 +
 +FIXME This error message has an unwknown origin.
 +
 +<code>
 +postfix/local[1485291]: 5BDBD7D1C6: to=<user@domain.tld>, ...
 +    status=bounced (Command died with status 134:
 +    "/usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"".
 +    Command output: Aborted Unable to flush stdout: Broken pipe )
 +</code>
  
 ===== Sieve filtering ===== ===== Sieve filtering =====
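Review bot: making /var/log/dovecot-lda-errors.log and /var/log/dovecot-lda.log world-writable (paragraph "create the log files with suitable permissions") lets any local account append to or truncate the LDA log, which defeats it as evidence when debugging a bounce; leaving log_path unset so dovecot-lda logs through syslog, or making the files group-writable by the mail users' group, gives the same diagnostics without that exposure. On the stats-writer fix, "mode = 0666" is the documented workaround, but where all mail users share a group, "group = <that group>" with "mode = 0660" on the same unix_listener is the less permissive option. The "Error Unable to flush stdout" section repeats the tail of the stats-writer message ("Aborted Unable to flush stdout: Broken pipe"), so it is likely the same class of failure: the LDA aborts, Postfix closes the pipe, and the flush error is only the symptom; the log_path step from the previous section is the natural first diagnostic. Typo: "unwknown".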
Line 286: Line 416:
 <code bash> <code bash>
 #!/bin/sh #!/bin/sh
-/usr/bin/spamc+/usr/bin/spamc --connect-timeout=5 --timeout=15
 </code> </code>
 +
 +Notice that we set two timeouts on spamassassin client, one to connect to the daemon and one to get the result. If the daemon does not respond timely, the message is passed unchanged. Beware that **the timeouts should be lower** than the one specified into the **Dovecot LDA Sieve Extprograms plugin** configuration.
  
 ==== How to Test an User's Sieve Filter File ==== ==== How to Test an User's Sieve Filter File ====
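Review bot: the two spamc timeouts add up to 20 s (5 s connect plus 15 s wait), which already exceeds the 10 s default of sieve_filter_exec_timeout; the sentence "the timeouts should be lower" is therefore only satisfied once the 60 s override from the "Error Command output: Aborted" section is applied, and that dependency should be stated here. It is also worth saying that spamc passes the message through unchanged on error only in its default mode; with the -x option the safe fallback is disabled and a daemon failure would make the filter action fail.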
Line 327: Line 459:
  
 Every Sieve script will be **compiled** by Dovecot at the first execution; you will find a file **.svbin** for each **.sieve** file. Beware that **global Sieve files** are usually stored in non-user-writable directories, to the sysadmin must compile them with **sievec**. Every Sieve script will be **compiled** by Dovecot at the first execution; you will find a file **.svbin** for each **.sieve** file. Beware that **global Sieve files** are usually stored in non-user-writable directories, to the sysadmin must compile them with **sievec**.
 +
 +If one of the Sieve filters generate an error, you can see a log entry like this:
 +
 +<code>
 +dovecot: lda(username)<20922><FIB4Kq5DKmC6UQAACo+hHQ>:
 +    program `/usr/local/lib/dovecot/sieve-filter/clamav-filter.sh'
 +    terminated with non-zero exit code 127
 +</code>
 +
 +FIXME How to handle errors in filter external commands? The default action is to send a **non-delivery notification**, but you may want to fall-back to deliver the message anyway (e.g. if your antispam filter goes broken).
 +
 ==== Multiple Sieve Scripts ==== ==== Multiple Sieve Scripts ====
  
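Review bot: exit code 127 is the conventional "command not found or not executable" status, whether it comes from the script's own shell or from the exec of clamav-filter.sh itself, so this log line points at a wrong path or a missing execute bit rather than at the scanner; saying so answers part of the FIXME. Grammar: "If one of the Sieve filters generate" should be "generates", and the pre-existing "to the sysadmin must compile them" should be "so the sysadmin must compile them".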
Line 369: Line 512:
  
 The files (with the .sieve extension) will be searched into the proper directory. The files (with the .sieve extension) will be searched into the proper directory.
 +
 +==== Using Sieve to decode winmail.dat attachments ====
 +
 +Microsoft Outlook uses the infamous **winmail.dat** attachment to forward emails: it is the proprietary **TNEF** format. In this article you can find a recipe to filter that attachments using a Sieve filter: **[[sieve_filtering_tnef]]**.
 +
  
 ===== Roundcube with MySQL ===== ===== Roundcube with MySQL =====
Line 425: Line 573:
 The only drawback is that you have to populate the **users** and **identities** database tables before the user can login into Roundcube: The only drawback is that you have to populate the **users** and **identities** database tables before the user can login into Roundcube:
  
-<code sql>+<code> 
 +INSERT INTO users (username, mail_host, language) 
 +    VALUES ('niccolo', '127.0.0.1', 'it_IT'); 
 +SELECT user_id FROM users WHERE username = 'niccolo'; 
 +INSERT INTO identities (user_id, standard, name, email) 
 +    VALUES (1234, 1, 'Niccolo Rigacci', 'niccolo@domain.org');
 </code> </code>
  
-FIXME Add SQL recipes above. 
 ===== ManageSieve Daemon ===== ===== ManageSieve Daemon =====
  
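Review bot: keep "<code sql>" rather than plain "<code>" so the recipe stays highlighted, and replace the hard-coded 1234 with the user_id actually returned by the SELECT, or drop the round-trip by using "VALUES (LAST_INSERT_ID(), 1, 'Niccolo Rigacci', 'niccolo@domain.org')" right after the first INSERT on MySQL/MariaDB. The mail_host value must also match the IMAP host configured in Roundcube ('127.0.0.1' versus 'localhost'), otherwise Roundcube creates a second users row at login instead of matching this one.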
Line 652: Line 804:
 ===== Quota ===== ===== Quota =====
  
-See **[[https://wiki.dovecot.org/Quota|Dovecot Quota]]**. Enable overall quota plugin in **/etc/dovecot/conf.d/10-mail.conf**:+See **[[https://doc.dovecot.org/configuration_manual/quota_plugin/|Dovecot Quota]]**. 
 + 
 +If Dovecot is started via **Systemd**, you must disable the **PrivateDevices** directive (which is enabled e.g. in Debian 10 Buster), otherwise the service does not have access to the **/dev/** directory and cannot check filesystem quota. To override the defaults, just run: 
 + 
 +<code> 
 +systemctl edit dovecot 
 +</code> 
 + 
 +and insert the following: 
 + 
 +<file> 
 +[Service] 
 +PrivateDevices=off 
 +</file> 
 + 
 +That settings will be saved into **/etc/systemd/system/dovecot.service.d/override.conf**. To enforce the new settings execute: 
 + 
 +<code> 
 +systemctl daemon-reload 
 +systemctl restart dovecot.service  
 +</code> 
 + 
 +Enable overall quota plugin in **/etc/dovecot/conf.d/10-mail.conf**:
  
 <file> <file>
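Review bot: PrivateDevices=off removes a sandboxing layer from the whole service, not only from the quota check, so the text should say what the plugin actually needs (quotactl() addressed by the block device path, which is why /dev must be visible) and add a verification step after the daemon-reload, e.g. "systemctl show dovecot -p PrivateDevices". Grammar: "That settings will be saved" should be "Those settings will be saved".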
Line 667: Line 841:
 </file> </file>
  
-The Dovecot plugin will return mailbox full when user will reach the filesystem quota **soft limit**. You may want to set the **hard limit** a bit above the soft one, so that the system can still write mailbox indexes, Spamassassin stats, etc. +The Dovecot plugin will return mailbox full when user will reach the **filesystem quota soft limit**. You may want to set the **hard limit** a bit above the soft one, so that the system can still write mailbox indexes, Spamassassin stats, etc. 
-==== Dovecot Quota service for Postfix ====+ 
 +==== Enable Filesystem Quota ==== 
 + 
 +Enabling **filesystem quota** in GNU/Linux can be as simple as running (notice we activated only **user** quota, not **group**): 
 + 
 +<code> 
 +mount -o remount,usrquota /home 
 +quotacheck --user --create-files /home 
 +quotaon /home 
 +</code> 
 + 
 +You must add the ''usrquota'' mount option in **/etc/fstab**. To check if quota is enabled: 
 + 
 +<code> 
 +quotaon -p /home 
 +group quota on /home (/dev/sdb) is off 
 +user quota on /home (/dev/sdb) is on 
 +project quota on /home (/dev/sdb) is off 
 +</code> 
 + 
 +To check quota for each user: 
 + 
 +<code> 
 +repquota /home 
 +*** Report for user quotas on device /dev/sdb 
 +Block grace time: 7days; Inode grace time: 7days 
 +                        Block limits                File limits 
 +User            used    soft    hard  grace    used  soft  hard  grace 
 +---------------------------------------------------------------------- 
 +root      --      24                          3                
 +niccolo   --     288   30000   31000             71                
 +</code> 
 + 
 +==== Checking Dovecot Quota ==== 
 + 
 +To query the Dovecot quota backend, use **doveadm quota** (notice that you can use the Dovecot login name): 
 + 
 +<code> 
 +doveadm quota get -u username@example.org 
 +Quota name Type     Value  Limit    % 
 +User quota STORAGE   2880  30000    9 
 +</code> 
 + 
 +**NOTICE**: The Dovecot's quota limit is the **soft limit** imposed by the filesystem. 
 + 
 +==== Dovecot quota status service for Postfix ====
  
 We enable a service that will be checked by Postfix when accepting mail via SMTP. Into **/etc/dovecot/conf.d/90-quota.conf** add the following: We enable a service that will be checked by Postfix when accepting mail via SMTP. Into **/etc/dovecot/conf.d/90-quota.conf** add the following:
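Review bot: the sentence about adding usrquota to /etc/fstab belongs before the three commands, since the remount alone does not survive a reboot, and quotacheck scans the whole filesystem so it is best run while the filesystem is quiet. In the repquota output the block columns are 1 KiB units, and "doveadm quota get" reports STORAGE in KiB as well, which is why the Limit column shows the same 30000 as the soft limit; stating the unit once prevents readers from reading it as bytes.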
Line 682: Line 901:
 </file> </file>
  
-In the same configuration file, set also the responses returned by the service. Notice that you cannot set any grace quota space, because it is enforced by the kernel on the filesystem:+In the same configuration file, set also the responses returned by the service. Notice that if you set a **grace quota space** of 10%you must set the filesystem **soft quota** limit 10% smaller than the **hard one**; or even more, to be safe:
  
 <file> <file>
 plugin { plugin {
-  quota_grace = 0%%+  quota_grace = 10%%
   quota_status_success = DUNNO   quota_status_success = DUNNO
   quota_status_nouser = DUNNO   quota_status_nouser = DUNNO
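Review bot: missing space in "10%you". The reasoning is right but stated backwards: quota_grace lets the message that crosses the Dovecot limit (the filesystem soft limit) be accepted by up to 10%, and that write only succeeds if the kernel hard limit is at least that far above the soft one, so phrase it as "set the filesystem hard limit at least 10% above the soft limit". Also note that once the grace period (7 days in the repquota output above) expires the kernel enforces the soft limit as hard, and the grace write then fails regardless.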
Line 692: Line 911:
 } }
 </file> </file>
 +
 +The Postfix quota-status service may uses also a **quota_over_flag** provided by the **userdb** backend. We don't have such a field into the userdb, neverthless we have to configure the parameters **quota_over_flag_value** and **quota_over_script**, otherwise the quota check is skipped entirely (don't be fooled if the ''doveadm'' tool is working, verify also that the Postfix check is actually working!):
 +
 +<file>
 +# === WARNING ===
 +# Both "quota_over_flag_value" and "quota_over_script" are 
 +# required, otherwise the Postfix quota-status check will always 
 +# return DUNNO (i.e. user is under quota). This is because 
 +# without those two parameters the quota check is skipped 
 +# completely, as seen in the mail_debug = yes log:
 +# Debug: quota: quota_over_flag check: quota_over_script unset - skipping
 +#
 +# Actually we don't have a "quota_over_flag" field in userdb; 
 +# when quota-status service is called by Postfix, the value 
 +# quota_over_flag=0(*dummy*) is assumed due the config values 
 +# below. Current quota status for the user is then checked by 
 +# querying the filesystem and it will be 1 for overquota, 0 
 +# otherwise.
 +#
 +# As a side effect, the quota-warning script is executed at 
 +# every check if the user is overquota because 0 mismatches 1.
 +plugin {
 +  quota_over_flag_value = FALSE
 +  quota_over_flag = "*dummy*"
 +  quota_over_script = quota-warning mismatch %u
 +}
 +</file>
 +
 +We have to define also a **quota-warning service**, which basically is a script called when the user crosses some quota barriers, we can use it to send warning messages. The script needs to be run as root, because we want it to be able to switch to the final user (this is required by our system which uses Maildir and user's filters). The **/var/run/dovecot/quota-warning** socket must be world-writable so the user can write to it.
 +
 +<file>
 +service quota-warning {
 +  executable = script /usr/local/bin/quota-warning.sh
 +  user = root
 +  unix_listener quota-warning {
 +    user = dovecot
 +    group = dovecot
 +    mode = 0666
 +  }
 +}
 +</file>
 +
 +To have the script executed when crossing some quota limits, add the following:
 +
 +<file>
 +plugin {
 +  quota_warning = storage=90%% quota-warning 90 %u
 +  quota_warning2 = storage=75%% quota-warning 75 %u
 +}
 +</file>
 +
 +So, all after all, here it is the script executed when an user is crossing some quota levels and when the fake **quota_over_flag** does not match the actual quota status (i.e. it is called when the user is over quota, and we just do nothing in that case!):
 +
 +**/usr/local/bin/quota-warning.sh**
 +
 +<code bash>
 +#!/bin/sh
 +ARG1=$1
 +USER=$2
 +DATE="$(date -R)"
 +
 +# ==== WARGNING ====
 +#  * The user is set by Dovecot "service quota-warning", in our
 +#    configuration is: uid=0(root) gid=0(root) groups=0(root)
 +#  * Working directory is /run/dovecot/
 +#  * /tmp directory is /tmp/systemd-private-<...>-dovecot.service-<...>/tmp
 +
 +# Do nothing if called on Dovecot quota_over_flag_value mismatch.
 +test "$ARG1" = "mismatch" && exit 0
 +
 +# Send the warning message.
 +#cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=fs:User quota:noenforcing"
 +cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER
 +From: postmaster@supermail.texnet.it
 +Subject: Attenzione: mailbox quasi piena
 +Date: $DATE
 +Content-Type: text/plain; charset=UTF-8; format=flowed
 +Content-Transfer-Encoding: 8bit
 +
 +La tua mailbox è quasi piena; lo spazio occupato ha superato il ${ARG1}%.
 +Eliminare i messaggi non più necessari ed eventualmente svuotare il cestino.
 +EOF
 +</code>
 +
 +==== Troubleshoting Postfix quota-status service ====
  
 After reloading **dovecot.service**, you will have a daemon listening on port **12340/TCP**. To check if the service is working, you can telnet to the TCP port and paste some strings of text, the relevant lines are **recipient** and **size** in bytes (see more on smtpd-policy language in this [[https://github.com/vdukhovni/postfix/blob/master/postfix/examples/smtpd-policy/greylist.pl|example]]): After reloading **dovecot.service**, you will have a daemon listening on port **12340/TCP**. To check if the service is working, you can telnet to the TCP port and paste some strings of text, the relevant lines are **recipient** and **size** in bytes (see more on smtpd-policy language in this [[https://github.com/vdukhovni/postfix/blob/master/postfix/examples/smtpd-policy/greylist.pl|example]]):
  
 <file> <file>
-request=smtpd_access_policy +telnet localhost 12340 
-protocol_state=RCPT +
-protocol_name=SMTP +
-sender=foo@bar.tld+
 recipient=user@domain.org recipient=user@domain.org
-client_address=1.2.3.4 +size=10000000
-client_name=another.domain.tld +
-size=123000+
  
 action=554 5.2.2 Quota exceeded (mailbox for user is full) action=554 5.2.2 Quota exceeded (mailbox for user is full)
 </file> </file>
 +
 +The **554 Quota exceeded error** should be returned when the **actual user's quota** plus the announced **size** will exceed the filesystem **soft quota** plus the **quota_grace** percentage.
 +
 +Another way to check the service using a single command line is using **netcat**:
 +
 +<code>
 +printf "recipient=user@domain.org\nsize=3000000\n\n" | nc localhost 12340
 +</code>
  
 In Postfix configuration **/etc/postfix/main.cf** add a restriction on smtpd (the order of restrictions matter): In Postfix configuration **/etc/postfix/main.cf** add a restriction on smtpd (the order of restrictions matter):
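Review bot: the quota-warning script runs as root (user = root) behind a world-writable socket (mode = 0666) and passes its second argument straight into "dovecot-lda -d $USER"; because a Dovecot script service takes its arguments from whoever connects to the socket, any local account can have root deliver the warning message into any other user's mailbox, with arbitrary text in place of the percentage. At minimum quote the expansion ("-d \"$USER\""), validate it against the account database (e.g. "getent passwd \"$USER\" >/dev/null || exit 1") and a strict pattern, and restrict the unix_listener to the mail users' group where one exists. Typos: "WARGNING" in the script comment, "Troubleshoting" in the heading. In the telnet example the empty line matters (the policy protocol terminates a request with a blank line), so keep one explicit empty line as the netcat command does.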
Line 729: Line 1037:
 </file> </file>
  
-So even locally generated mails (not received via SMTP) will be checked against filesystem quota, and eventually bounced generating a MAILER-DAEMON error email message.+So also locally generated mails (i.e. not received via SMTP) will be checked against filesystem quota, and eventually bounced with a MAILER-DAEMON error email message.
 ==== Dovecot Quota for IMAP ==== ==== Dovecot Quota for IMAP ====
  
 +To enable quota support into the IMAP server, add to **/etc/dovecot/conf.d/20-imap.conf**:
 +
 +<file>
 +protocol imap {
 +  mail_plugins = $mail_plugins imap_quota
 +}
 +</file>
 +
 +Verify that **QUOTA** is displayed among CAPABILITY(ies), using telnet to port **143/TCP**:
 +
 +<code>
 +telnet localhost 143
 +a1 LOGIN username SuperSecret
 +a1 OK [CAPABILITY IMAP4rev1 ... QUOTA] Logged in
 +a2 LOGOUT
 +</code>
 ===== Checking SSL Certificates ===== ===== Checking SSL Certificates =====
  
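Review bot: the telnet test sends the password in clear on port 143; it works only because Dovecot's disable_plaintext_auth (default yes) treats connections from localhost as secure, so the paragraph should say it must be run on the server itself and suggest "openssl s_client -connect host:993" for a check from elsewhere, preferably with a throwaway test account. The example is right to look for QUOTA after LOGIN: imap_quota is loaded into the post-login imap process, so a pre-login "a0 CAPABILITY" will not list it.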
doc/appunti/linux/sa/postfix_spamassassin_clamav_dovecot.1517352922.txt.gz · Last modified: 2018/01/30 23:55 by niccolo