The =distorted.org.uk= mail system

* Delivery

The mail delivery agent is Exim. If you don't do anything special, mail
is delivered into =/var/mail/USER= on stratocaster, in mbox format.

There are a number of ways you can affect mail delivery.

** The =~/.forward= file

In traditional Unix style, you can write delivery instructions into a
file named =.forward= in your home directory. This file can contain a
comma-separated list of email addresses and/or file or directory names to
which your mail should be sent. Mail is written to files in traditional
Unix `mbox' format, and to directories in `Maildir' format. The
=:fail:= and =:defer:= items are permitted, but may not be very useful.

This file can instead be an Exim or Sieve filter file, as marked by a
special comment on the first line. See the document `Exim's interfaces
to mail filtering', available via the command =info filter=, for details
about these files.

** The =~/.mail/forward= file

If you prefer, you can write delivery instructions to =~/.mail/forward=
instead. If you have lots of mail configuration files, you may find it
tidier to keep them all together in =~/.mail=.

** The =~/.mail/forward.suffix= file

You will receive mail sent to =USER@distorted.org.uk=. You can also
receive mail sent to =USER-SUFFIX@distorted.org.uk= or
=USER+SUFFIX@distorted.org.uk=, for any =SUFFIX= string if you create a
file =~/.mail/forward.suffix=. While this can be a simple forward file,
it's probably much more useful to write an Exim filter file to analyse
the suffix string and take appropriate action.

If this file exists, it should be world-readable, because it will be
used by the mail server at SMTP time in order to decide whether a
particular =SUFFIX= string is valid.


* Reading mail

** Reading mail locally

The servers =stratocaster= and =jem= have a few mail user agents
installed, most notably trad BSD =mail=, =mutt=, and Emacs's various
mail-reading interfaces; more can be added.

** Fetching mail through IMAP

There's an IMAP server running on =mail.distorted.org.uk=. ...

** Forwarding mail off-site


* Spam filtering

The mail server checks incoming mail using SpamAssassin at SMTP time.
Suspected spam is rejected immediately. There are no `junk' mail
folders. Legitimate senders will likely receive bounces; spammers will
probably ignore the error and continue.

** SpamAssassin

SpamAssassin works by having a large collection of rules: it tests an
incoming message against these rules, and adds up the /scores/ for the
rules that match. If the total score is above a given threshold then
the message is declared to be probably spam, and rejected.

If the mail server accepts a message, it adds two headers to it.

+ =X-SpamAssassin-Score= has the form =SCORE/LIMIT (BAR)=, where
  =SCORE= is the actual score for the message, =LIMIT= is the maximum
  score allowed, and =BAR= is a little bar chart showing the score in
  a way which can be matched easily using regular expressions. The
  bar chart uses =+= or =-= signs, depending on whether the score is
  positive or negative, or consists of a single =/= sign if it's close
  to zero.

+ =X-SpamAssassin-Status= consists of space-separated =KEY=VALUE=
  pairs. The keys currently are: =score= and =limit=, which are the
  message's score and limit again; and =tests=, which lists the rules
  which matched the message and their individual scores, as a
  comma-separated list of items of the form =RULE:SCORE=.
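
As an added example (not part of the original page or the server's configuration), the Python below parses both headers from a message and ranks the matching rules by contribution, which shows how close an accepted message came to the limit. The sample message, rule names and number formats are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample message; header values and rule names are illustrative only.
SAMPLE = """\
From: sender@example.org
To: USER@distorted.org.uk
X-SpamAssassin-Score: 3.4/5.0 (+++)
X-SpamAssassin-Status: score=3.4 limit=5.0 tests=RULE_A:2.5,RULE_B:1.0,RULE_C:-0.1
Subject: constructed example

body
"""

SCORE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)/(-?\d+(?:\.\d+)?)\s+\(([+]+|-+|/)\)\s*$")

def parse_score(value):
    """Split 'SCORE/LIMIT (BAR)' into (score, limit, bar)."""
    m = SCORE_RE.match(value)
    if m is None:
        raise ValueError(f"unrecognised X-SpamAssassin-Score: {value!r}")
    return float(m.group(1)), float(m.group(2)), m.group(3)

def parse_status(value):
    """Parse space-separated KEY=VALUE pairs; 'tests' becomes {RULE: score}."""
    fields = dict(item.split("=", 1) for item in value.split())
    tests = {}
    for item in filter(None, fields.get("tests", "").split(",")):
        rule, _, score = item.rpartition(":")
        tests[rule] = float(score)
    return float(fields["score"]), float(fields["limit"]), tests

def triage(raw_message):
    """Return score, limit, headroom and rules sorted by contribution."""
    msg = message_from_string(raw_message)
    score, limit, bar = parse_score(msg["X-SpamAssassin-Score"])
    s_score, s_limit, tests = parse_status(msg["X-SpamAssassin-Status"])
    if (score, limit) != (s_score, s_limit):
        raise ValueError("Score and Status headers disagree")
    # The bar's sign must agree with the numeric score ('/' means near zero).
    if (bar[0] == "+" and score <= 0) or (bar[0] == "-" and score >= 0):
        raise ValueError("bar chart sign does not match score")
    ranked = sorted(tests.items(), key=lambda kv: kv[1], reverse=True)
    return {"score": score, "limit": limit, "headroom": round(limit - score, 2), "rules": ranked}
```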

** Custom spam limits

The default spam limit is currently 5 points. However, you can override
this limit for mail sent to you by creating a world-readable file
=~/.mail/spam-limit= in your home directory on stratocaster. This file
should contain lines of the form

: PATTERN: LIMIT

where =PATTERN= is an Exim =nwildlsearch= pattern matched against a
string of the form =RECIPIENT/SENDER=, and the =LIMIT= is ten times the
maximum SpamAssassin score you're willing to tolerate for this message.
See the Exim manual for full details; in short, the pattern may be a
literal string, a string beginning with a =*= to match a particular
suffix (usually a sender address or domain, which is why the sender is
on the right), or a Perl-style regular expression starting with =^=.
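
To check what limit a given file would yield, the following added Python example (not the server's own code) models the lookup: it is a simplified stand-in for Exim's =nwildlsearch= that handles only the three key forms described above, compares case-insensitively, and ignores Exim's quoting rules. The sample file contents and addresses are constructed, and falling back to the default when no line matches is an assumption.

```python
import re

# Constructed example of a ~/.mail/spam-limit file; addresses are placeholders.
SAMPLE_FILE = r"""
# literal RECIPIENT/SENDER key
USER-lists@distorted.org.uk/announce@example.net: 80
# leading '*' means "ends with": any recipient, one sender domain
*@example.com: 100
# regex key (starts with '^'): every mail to one extension address
^USER-shop@distorted\.org\.uk/: 30
"""

DEFAULT_LIMIT = 50  # the page's default of 5 points, in tenths of a point

def parse_rules(text):
    """Yield (pattern, limit) pairs in file order, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Simplification: split on the last colon instead of Exim's quoting rules.
        pattern, _, limit = line.rpartition(":")
        yield pattern.strip(), int(limit)

def key_matches(pattern, subject):
    """Simplified nwildlsearch key test: regex, suffix wildcard, or literal."""
    if pattern.startswith("^"):
        return re.search(pattern, subject, re.IGNORECASE) is not None
    if pattern.startswith("*"):
        return subject.lower().endswith(pattern[1:].lower())
    return subject.lower() == pattern.lower()

def spam_limit(text, recipient, sender):
    """Return the limit in SpamAssassin points; the first matching line wins."""
    subject = f"{recipient}/{sender}"
    for pattern, limit in parse_rules(text):
        if key_matches(pattern, subject):
            return limit / 10
    return DEFAULT_LIMIT / 10  # assumed fallback: the system default
```

Because the search is linear, a broad =*= suffix line placed above a narrower regex line takes precedence for any message both would match.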

You may not want information about who is sending you spam (or honest
but spamlike mail) to be public knowledge, so instead you can make a
file =~/.mail/spam-limit.userv= of the same format. This file need not
be readable by anyone other than you.

Be careful with this facility: if a single incoming message has multiple
recipients, and they assign it different spam score limits (either
explicitly, or implicitly by accepting the system default) then the
sender will be told to defer delivery to some recipients. It's
therefore probably a bad idea to apply custom spam score limits for mail
for popular mailing lists, for example.

** SAUCE

I'm not currently running SAUCE, but I'm giving it some consideration.
If you have comments on the matter, either way, I'm interested.


* Sending mail

** Submission mechanisms

Mail can be sent in a number of ways.

+ The =sendmail= program. This is really Exim in disguise.

+ SMTP to =localhost= port 25. This doesn't require explicit
  authentication, since it relies on an identd, which is running on
  all =distorted.org.uk= hosts.

+ SMTP to =mail.distorted.org.uk= port 587. You must establish TLS,
  and authenticate using a username and password; the server uses a
  short-lived certificate signed by the =distorted.org.uk= certificate
  authority, whose root certificate is at =/etc/ca/ca.cert= on all
  servers. Use [[https://www.distorted.org.uk/chpwd/][Chopwood]] to set or change this password.

** Sender authenticity

It is my intention that it be very hard for one =distorted.org.uk= user
to impersonate another to a third. To this end, the mail server is
rather picky about envelope sender addresses.

+ It won't accept an apparently local sender address from an external
  mail server at all.

+ It will check locally submitted mail against the submitter's user
  name. The precise details vary according to the submission
  mechanism: mail submitted through =sendmail= will have additional
  headers added; mail submitted through SMTP will be rejected unless
  the envelope sender is acceptable.

If I see something like DKIM catching on then this will also provide
external users with some kind of (probably fairly weak) sender
authenticity.

On the other hand, the mail server is aware of vanity domains, extension
addresses, and so on, and should let you send mail apparently from
such an address that you control. If you think the mail server is being
unnecessarily strict about something then I'm willing to discuss your
requirements.

If I'm hosting your mail domain for you then you get to decide the
appropriate policy.


* Mail hosting and custom domains

I think I have a fairly sane way to set up stratocaster (or some other
server, but strat is the obvious choice) to receive mail for domains
other than =distorted.org.uk=. I can easily arrange to accept mail for
such domains and deliver them locally or to other hosts. Pester me if
this sounds useful to you.


* Quick reference



* COMMENT Emacs cruft

### Local variables:
### mode: org
### End: