Commit | Line | Data |
---|---|---|
185b5456 MW |
1 | The =distorted.org.uk= mail system |
2 | ||
3 | * Delivery | |
4 | ||
5 | The mail delivery agent is Exim. If you don't do anything special, mail | |
6 | is delivered into =/var/mail/USER= on stratocaster, in mbox format. | |
7 | ||
8 | There are a number of ways you can affect mail delivery. | |
9 | ||
10 | ** The =~/.forward= file | |
11 | ||
12 | In traditional Unix style, you can write delivery instructions into a | |
13 | file named =.forward= in your home directory. This file can contain a | |
14 | comma-separated list of email addresses and/or file or directory names to | |
15 | which your mail should be sent. Mail is written to files in traditional | |
16 | Unix `mbox' format, and to directories in `Maildir' format. The | |
17 | =:fail:= and =:defer:= items are permitted, but may not be very useful. | |
18 | ||
19 | This file can instead be an Exim or Sieve filter file, as marked by a | |
20 | special comment on the first line. See the document `Exim's interfaces | |
21 | to mail filtering', available via the command =info filter=, for details | |
22 | about these files. | |
23 | ||
24 | ** The =~/.mail/forward= file | |
25 | ||
26 | If you prefer, you can write delivery instructions to =~/.mail/forward= | |
27 | instead. If you have lots of mail configuration files, you may find it | |
28 | tidier to keep them all together in =~/.mail=. | |
29 | ||
30 | ** The =~/.mail/forward.suffix= file | |
31 | ||
32 | You will receive mail sent to =USER@distorted.org.uk=. You can also | |
33 | receive mail sent to =USER-SUFFIX@distorted.org.uk= or | |
34 | =USER+SUFFIX@distorted.org.uk=, for any =SUFFIX= string if you create a | |
35 | file =~/.mail/forward.suffix=. While this can be a simple forward file, | |
36 | it's probably much more useful to write an Exim filter file to analyse | |
37 | the suffix string and take appropriate action. | |
38 | ||
39 | If this file exists, it should be world-readable, because it will be | |
40 | used by the mail server at SMTP time in order to decide whether a | |
41 | particular =SUFFIX= string is valid. | |
42 | ||
43 | ||
44 | * Reading mail | |
45 | ||
46 | ** Reading mail locally | |
47 | ||
48 | The servers =stratocaster= and =jem= have a few mail user agents | |
49 | installed, most notably trad BSD =mail=, =mutt=, and Emacs's various | |
50 | mail-reading interfaces; more can be added. | |
51 | ||
52 | ** Fetching mail through IMAP | |
53 | ||
54 | There's an IMAP server running on =mail.distorted.org.uk=. ... | |
55 | ||
56 | ** Forwarding mail off-site | |
57 | ||
58 | ||
59 | * Spam filtering | |
60 | ||
61 | The mail server checks incoming mail using SpamAssassin at SMTP time. | |
62 | Suspected spam is rejected immediately. There are no `junk' mail | |
63 | folders. Legitimate senders will likely receive bounces; spammers will | |
64 | probably ignore the error and continue. | |
65 | ||
66 | ** SpamAssassin | |
67 | ||
68 | SpamAssassin works by having a large collection of rules: it tests an | |
69 | incoming message against these rules, and adds up the /scores/ for the | |
70 | rules that match. If the total score is above a given threshold then | |
71 | the message is declared to be probably spam, and rejected. | |
72 | ||
73 | If the mail server accepts a message, it adds two headers to it. | |
74 | ||
75 | + =X-SpamAssassin-Score= has the form =SCORE/LIMIT (BAR)=, where | |
76 | =SCORE= is the actual score for the message, =LIMIT= is the maximum | |
77 | score allowed, and =BAR= is a little bar chart showing the score in | |
78 | a way which can be matched easily using regular expressions. The | |
79 | bar chart uses =+= or =-= signs, depending on whether the score is | |
80 | positive or negative, or consists of a single =/= sign if it's close | |
81 | to zero. | |
82 | ||
83 | + =X-SpamAssassin-Status= consists of space-separated =KEY=VALUE= | |
84 | pairs. The keys currently are: =score= and =limit=, which are the | |
85 | message's score and limit again; and =tests=, which lists the rules | |
86 | which matched the message and their individual scores, as a | |
87 | comma-separated list of items of the form =RULE:SCORE=. | |
88 | ||
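The two headers described above can be read mechanically to see which rules contributed most to a message's score. This is an added example, not part of the original document or of the server's configuration; the sample message and its header values are constructed from the format described here, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample message: header values are illustrative, not real server output.
SAMPLE = """\
From: alice@example.org
To: user@distorted.org.uk
X-SpamAssassin-Score: 2.3/5.0 (++)
X-SpamAssassin-Status: score=2.3 limit=5.0 tests=BAYES_50:0.8,HTML_MESSAGE:0.5,MISSING_DATE:1.0
Subject: hello

body
"""

# SCORE/LIMIT (BAR); BAR is a run of '+', a run of '-', or a single '/'.
SCORE_RE = re.compile(r"^(-?\d+(?:\.\d+)?)/(-?\d+(?:\.\d+)?) \((\++|-+|/)\)$")

def parse_score(value):
    m = SCORE_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed X-SpamAssassin-Score: {value!r}")
    score, limit, bar = float(m.group(1)), float(m.group(2)), m.group(3)
    # The bar's sign should agree with the numeric score.
    if (bar[0] == "+" and score <= 0) or (bar[0] == "-" and score >= 0):
        raise ValueError("bar chart disagrees with score")
    return score, limit, bar

def parse_status(value):
    # Space-separated KEY=VALUE pairs; tests is a comma-separated RULE:SCORE list.
    fields = dict(pair.split("=", 1) for pair in value.split())
    tests = {}
    for item in filter(None, fields.get("tests", "").split(",")):
        rule, _, points = item.rpartition(":")
        tests[rule] = float(points)
    return float(fields["score"]), float(fields["limit"]), tests

def explain(raw_message, top=2):
    """Return (score, limit, highest-scoring rules) after cross-checking both headers."""
    msg = message_from_string(raw_message)
    score, limit, _bar = parse_score(msg["X-SpamAssassin-Score"])
    s_score, s_limit, tests = parse_status(msg["X-SpamAssassin-Status"])
    if (score, limit) != (s_score, s_limit):
        raise ValueError("Score and Status headers disagree")
    ranked = sorted(tests.items(), key=lambda kv: kv[1], reverse=True)
    return score, limit, ranked[:top]

if __name__ == "__main__":
    print(explain(SAMPLE))
```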
89 | ** Custom spam limits | |
90 | ||
91 | The default spam limit is currently 5 points. However, you can override | |
92 | this limit for mail sent to you by creating a world-readable file | |
93 | =~/.mail/spam-limit= in your home directory on stratocaster. This file | |
94 | should contain lines of the form | |
95 | ||
96 | : PATTERN: LIMIT | |
97 | ||
98 | where =PATTERN= is an Exim =nwildlsearch= pattern matched against a | |
99 | string of the form =RECIPIENT/SENDER=, and the =LIMIT= is ten times the | |
100 | maximum SpamAssassin score you're willing to tolerate for this message. | |
101 | See the Exim manual for full details; in short, the pattern may be a | |
102 | literal string, a string beginning with a =*= to match a particular | |
103 | suffix (usually a sender address or domain, which is why the sender is | |
104 | on the right), or a Perl-style regular expression starting with =^=. | |
105 | ||
106 | You may not want information about who is sending you spam (or honest | |
107 | but spamlike mail) to be public knowledge, so instead you can make a | |
108 | file =~/.mail/spam-limit.userv= of the same format. This file need not | |
109 | be readable by anyone other than you. | |
110 | ||
111 | Be careful with this facility: if a single incoming message has multiple | |
112 | recipients, and they assign it different spam score limits (either | |
113 | explicitly, or implicitly by accepting the system default) then the | |
114 | sender will be told to defer delivery to some recipients. It's | |
115 | therefore probably a bad idea to apply custom spam score limits for mail | |
116 | for popular mailing lists, for example. | |
117 | ||
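To check a =spam-limit= file before relying on it, the lookup can be approximated offline. This is an added example, not the server's own code: the sample file, addresses and function names are constructed, matching is a simplified model of =nwildlsearch= (case-insensitive, first matching line wins, Python regular expressions standing in for Exim's, no quoted keys), and the last function shows the multiple-recipient case warned about above.

```python
import re

DEFAULT_LIMIT = 50  # the 5-point default, in the file's units of a tenth of a point

# Constructed sample ~/.mail/spam-limit for a hypothetical user `user`.
SAMPLE_FILE = """\
# stricter for one bulk sender domain, laxer for a mailing list
*@bulk.example.com: 20
^user-lists@distorted\\.org\\.uk/.*@lists\\.example\\.net$: 80
user-shop@distorted.org.uk/orders@shop.example: 100
"""

def parse_limits(text):
    """Parse `PATTERN: LIMIT` lines; blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, _, limit = line.rpartition(":")
            rules.append((pattern.strip(), int(limit)))
    return rules

def matches(pattern, key):
    if pattern.startswith("^"):            # regular expression
        return re.search(pattern, key, re.IGNORECASE) is not None
    if pattern.startswith("*"):            # suffix match
        return key.lower().endswith(pattern[1:].lower())
    return key.lower() == pattern.lower()  # literal string

def limit_for(rules, recipient, sender):
    key = f"{recipient}/{sender}"          # RECIPIENT/SENDER, as described above
    for pattern, limit in rules:           # first matching line wins
        if matches(pattern, key):
            return limit
    return DEFAULT_LIMIT

def limit_groups(rules_by_recipient, sender):
    """Group the recipients of one message by effective limit.
    More than one group is the case where some recipients get deferred."""
    groups = {}
    for rcpt, rules in rules_by_recipient.items():
        groups.setdefault(limit_for(rules, rcpt, sender), []).append(rcpt)
    return groups

if __name__ == "__main__":
    mine = parse_limits(SAMPLE_FILE)
    print(limit_groups({"user@distorted.org.uk": mine,
                        "other@distorted.org.uk": []}, "news@bulk.example.com"))
```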
118 | ** SAUCE | |
119 | ||
120 | I'm not currently running SAUCE, but I'm giving it some consideration. | |
121 | If you have comments on the matter, either way, I'm interested. | |
122 | ||
123 | ||
124 | * Sending mail | |
125 | ||
126 | ** Submission mechanisms | |
127 | ||
128 | Mail can be sent in a number of ways. | |
129 | ||
130 | + The =sendmail= program. This is really Exim in disguise. | |
131 | ||
132 | + SMTP to =localhost= port 25. This doesn't require explicit | |
133 | authentication, since it relies on an identd, which is running on | |
134 | all =distorted.org.uk= hosts. | |
135 | ||
136 | + SMTP to =mail.distorted.org.uk= port 587. You must establish TLS, | |
137 | and authenticate using a username and password; the server uses a | |
138 | short-lived certificate signed by the =distorted.org.uk= certificate | |
139 | authority, whose root certificate is at =/etc/ca/ca.cert= on all | |
140 | servers. Use [[https://www.distorted.org.uk/chpwd/][Chopwood]] to set or change this password. | |
141 | ||
142 | ** Sender authenticity | |
143 | ||
144 | It is my intention that it be very hard for one =distorted.org.uk= user | |
145 | to impersonate another to a third. To this end, the mail server is | |
146 | rather picky about envelope sender addresses. | |
147 | ||
148 | + It won't accept an apparently local sender address from an external | |
149 | mail server at all. | |
150 | ||
151 | + It will check locally submitted mail against the submitter's user | |
152 | name. The precise details vary according to the submission | |
153 | mechanism: mail submitted through =sendmail= will have additional | |
154 | headers added; mail submitted through SMTP will be rejected unless | |
155 | the envelope sender is acceptable. | |
156 | ||
157 | If I see something like DKIM catching on then this will also provide | |
158 | external users with some kind of (probably fairly weak) sender | |
159 | authenticity. | |
160 | ||
161 | On the other hand, the mail server is aware of vanity domains, extension | |
162 | addresses, and so on, and should let you send mail apparently from | |
163 | such an address that you control. If you think the mail server is being | |
164 | unnecessarily strict about something then I'm willing to discuss your | |
165 | requirements. | |
166 | ||
167 | If I'm hosting your mail domain for you then you get to decide the | |
168 | appropriate policy. | |
169 | ||
170 | ||
171 | * Mail hosting and custom domains | |
172 | ||
173 | I think I have a fairly sane way to set up stratocaster (or some other | |
174 | server, but strat is the obvious choice) to receive mail for domains | |
175 | other than =distorted.org.uk=. I can easily arrange to accept mail for | |
176 | such domains and deliver them locally or to other hosts. Pester me if | |
177 | this sounds useful to you. | |
178 | ||
179 | ||
180 | * Quick reference | |
181 | ||
182 | ||
183 | ||
184 | * COMMENT Emacs cruft | |
185 | ||
186 | ### Local variables: | |
187 | ### mode: org | |
188 | ### End: |