Electronic Mail Service (SMTP/POP3-IMAP4)¶
Zentyal uses Postfix [6] as a MTA. For the MDA (POP3, IMAP), it uses Dovecot [7]. Both come with support for secure communication over SSL. To fetch mail from external accounts, Zentyal uses Fetchmail [8] .
[6] | Postfix The Postfix Home Page http://www.postfix.org . |
[7] | Dovecot Secure IMAP and POP3 Server http://www.dovecot.org . |
[8] | Fetchmail http://www.fetchmail.info/ . |
SMTP/POP3-IMAP4 server configuration with Zentyal¶
Receiving and relaying mail¶
To understand the mail system configuration, the difference between receiving mail and relaying mail must be clear.
Reception occurs when the server accepts a mail message which recipients contain an account that belongs to any of its virtual mail domains. Mail can be received from any client that is able to connect to the server.
Relay occurs when the mail server receives a message which recipients do not belong to any of its managed virtual mail domains, thus requiring forwarding of the message to other servers. Mail relay is restricted, otherwise spammers could use the server to send spam all over the Internet.
Zentyal allows mail relay in two cases:
- Authenticated users.
- A source address that belongs to a network object which has a allowed relay policy enabled.
General configuration¶
Accessing Mail ‣ General ‣ Mail server options ‣ Options, you can configure the general settings for the mail service:
Smarthost to send mail:
If this option is set, Zentyal will not send its messages directly, but each received e-mail will be forwarded to the smarthost without keeping a copy. In this case, Zentyal is an intermediary between the user who sends the e-mail and the server that actually sends the message.
Here you can set the domain name or IP address of the smarthost. You could also specify a port adding :[port_number] after the address. The default port is the standard SMTP port, 25.
Smarthost authentication:
This sets whether the smarthost requires authentication using a user and password pair, or not.
Server mailname:
This sets the visible mail name of the system; it will be used by the mail server as the local address of the system.
Postmaster address:
The postmaster address by default is an alias of the root user, but it could be set to any account; either belonging to any of the managed virtual mail domains or not.
This account is intended to be a standard way to reach the administrator of the mail server. Automatically-generated notification mails will typically use postmaster as reply address.
Maximum mailbox size allowed:
Using this option you could set a maximum size in MB for any user’s mailboxes. All mail that exceeds the limit will be rejected and the sender will receive a notification. This setting could be overridden for any user in the Users and Computers ‣ Manage page.
Maximum message size accepted:
It indicates, if necessary, the maximum message size accepted by the smarthost in MB. This is enforced regardless of any user mailbox size limit.
Expiration period for deleted mails:
If you enable this option, those mail messages that are in the users’ trash folder will be deleted when their dates exceeds the established limit.
Expiration period for spam mails:
This option applies, in the same way as the previous option, but refers to the users’ spam folder.
In addition to this, Zentyal can be configured to relay mail without authentication from some network addresses. To do this, you can add relay policies for Zentyal network objects through Mail ‣ General ‣ Relay policy for network objects. The policies are based on the source mail client IP address. If relay is allowed by an object, then each object member can relay e-mails through Zentyal.
Warning
Be careful when using an Open Relay policy, i.e. forwarding e-mail from everywhere, your mail server could become a source of spam and be blacklisted.
Finally, the mail server can be configured to use a content filter for messages [10]. To do so, the filter server must receive the message from a specific port and send the result back to another port where the mail server is bound to listen to the response. You can choose a custom mailfilter or use Zentyal as a mail filter through Mail ‣ General ‣ Mail filter options. If the mailfilter module is installed and enabled, it will be used by default.
[10] | This topic is explained in depth in the Mail filter section. |
Virtual domains and e-mail accounts¶
To set up an e-mail account, at least a virtual domain and one user are required. You can create as many virtual domains as you want from Mail ‣ Virtual Domains. They provide the domain name for e-mail accounts of Zentyal users. Moreover, it is possible to set aliases for a virtual domain, so that sending an e-mail to a particular virtual domain or to any of its aliases becomes transparent.
In order to set up e-mail accounts, you have to follow the same rules used when configuring filesharing. You can select the main virtual domain for the user from Users and Computers ‣ Manage. You can create aliases if you want to set more than a single e-mail address for a user. Regardless of whether aliases have been used, the e-mail messages are kept just once in a mailbox.
Note that you can decide whether an e-mail account should be created by default when a new user is added to Zentyal. You can change this behaviour in Users and Computers ‣ User Template.
Likewise, you can set up aliases for user groups. Messages received by these aliases are sent to every user of the group with an e-mail account. Group aliases are created through Users and Computers ‣ Manage, select desired group and create an alias for the mail account. The group aliases are only available when, at least, one user of the group has an e-mail account.
You can define an alias to an external account as well, that is, mail accounts associated to domains not managed by your server. The mail sent to that alias will be forwarded to the external account. These kind of aliases are set on a virtual domain basis and do not require an e-mail account. They can be set in Mail ‣ Virtual Domains ‣ External accounts aliases.
Retrieve mail from external accounts with Fetchmail¶
Sometimes your users want to keep getting new emails from their old accounts, for example from a previous job, if that is the case Zentyal includes a feature based on Fetchmail [11] that functions as an additional email client for domain users.
To activate the Fetchmail feature go to Mail ‣ General ‣ Mail server options and in the Mail retrieval services section, at the bottom, you can select the option Retrieve mail for external accounts.
Once the Fetchmail option is activated, save the changes, then you can configure the external account from Users and Computers ‣ Manage. Select the user and right at the end of the configuration panel, at Mail account settings, you can include the configuration of the external account:
[11] | http://www.fetchmail.info/ |
Webmail¶
Apart from the described functionality using native clients, it could be very useful to deploy a web based client to access our e-mail, calendars and contacts.
Zentyal integrates SOGo 4.0, the newest version of the Open Source Groupware solution [14].
To use this module, you just need to install it and enable it.
Once you have enabled the module, you can access the web platform accessing the URL ‘https://<server_FQDN>/SOGo/‘
Accessing this URL, you can see the main login screen, where you can also choose the desired language for the user.
You will first be shown the email interface.
Using the icons that you have available in the top-right part of the interface, you can access the calendars.
And also the address book, where you can view the Global Address List (GAL), which contains all the users registered in your domain, the personal address books of the user and custom distribution lists that can be used for mails.
[14] | http://sogo.nu |
ActiveSync® support¶
The ActiveSync® protocol is widely used to synchronize mobile devices and also the most recent versions of Microsoft® Outlook.
Webmail module needs to be installed as SOGo provides this protocol implementation in its sogo-activesync package.
Once you have installed installed and enabled the module, you will be able to enable or disable the ActiveSync option from Mail ‣ ActiveSync on the Zentyal interface.
Devices will access ActiveSync® through Zentyal’s webserver, ports 80 and 443 (SSL enabled) by default.
Hardening the mail server¶
Because of the importance of the mail services and the continuous attacks against this service, the use of the SPF [15] protocol and the DKIM [16] authentication method have become ‘mandatory’ to increase the security of the mail services. In this section we will explain in detail how to configure the SFP record in the DNS server and how to implement DKIM on Zentyal.
[15] | SFP https://en.wikipedia.org/wiki/Sender_Policy_Framework |
[16] | DKIM https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail |
SPF¶
To configure the SPF protocol on Zentyal, first you need to create a TXT record which stores information of the machines which have permission to send e-mail from your domain. To do this, you can can use one of the multiple websites that use forms to help to generate the TXT record.
Tip
A recommended web page to generate the DNS record is SPFwizard [17]
An example of a DNS register of type ‘TXT’ generated:
zentyal-domain.lan. IN TXT "v=spf1 mx a ip4:192.168.6.1 a:zentyal.zentyal-domain.lan -all"
Once you have the DNS record to implement the SPF protocol, you have to add it to the your DNS module.
Finally, to confirm that the record has been successfully added to the domain, one of the most recommended ways is to use the MXtoolbox website [18]
[17] | https://www.spfwizard.net/ |
[18] | https://mxtoolbox.com/spf.aspx |
DKIM¶
To implement this authentication mechanism you can use a third party software called OpenDKIM. These are the steps you have to follow to deploy DKIM.
Install the necessary packages:
sudo apt-get install -y opendkim opendkim-tools
Create the folder for the DKIM keys:
sudo mkdir -vp /etc/opendkim/keys
Generate the DKIM keys:
sudo opendkim-genkey -s mail -d zentyal-domain.lan -D /etc/opendkim/keys
Configure the folder permissions:
chown -R opendkim:opendkim /etc/opendkim/ sudo chmod 0640 /etc/opendkim/keys/*.private
Create the /etc/opendkim/TrustedHosts configuration file where you indiate the trusted hosts:
127.0.0.1 localhost 192.168.6.0/24 *.zentyal-domain.lan
Create the /etc/opendkim/SigningTable configuration file that will contain the domain and subdomains which will be signed by DKIM:
*@zentyal-domain.lan mail
Define the selector name and the path of the private key to sign the /etc/opendkim/KeyTable configuration file:
mail zentyal-domain.lan:mail:/etc/opendkim/keys/mail.private
Once you have finished defining these configuration files, you have to create the main OpenDKIM configuration file located in the /etc/opendkim.conf:
Mode sv PidFile /var/run/opendkim/opendkim.pid UserID opendkim:opendkim Socket inet:8891@127.0.0.1 SignatureAlgorithm rsa-sha256 AutoRestart Yes AutoRestartRate 10/1h Syslog yes SyslogSuccess yes LogWhy Yes UMask 002 OversignHeaders From Canonicalization relaxed/simple ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts KeyTable refile:/etc/opendkim/KeyTable Signingtable refile:/etc/opendkim/SigningTable
Set the address and listening port of DKIM in the /etc/default/opendkim configuration file:
SOCKET="inet:8891@127.0.0.1"
To finish the OpenDKIM configuration, start the service a enable it:
sudo systemctl restart opendkim sudo systemctl enable opendkim
Then you will have to add the following configuration parameters to the /usr/share/zentyal/stubs/mail/main.cf.mas configuration template of the Mail module to use OpenDKIM:
## DKIM Configuration milter_protocol = 6 milter_default_action = accept smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = inet:127.0.0.1:8891
Warning
Read the Zentyal documentation about stubs. [19]
Restart the Zentyal Mail module to apply the changes:
sudo zs mail restart
Then you will have to add the TXT record to the DNS module with the content of the /etc/opendkim/keys/mail.txt configuration file. An example of its content:
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn66wkANz7HGd2KvNadQnPRH7g4uU2Ur54VBxG8VFJJcHNCj/D3c8gAqh6kb/B8ZVQ5oG7+1w7KLZJUKwYhPUaYZ3t8CUQOI1+klhSAJGOQRqpUkAGQcEBhSuQFBAR057j/UZrUcwBZTONp5LrhqLWw0duC2G8UaWDdxzIyugYplzZUmtzMqzx4jo9sjH3cRc/1kNRg7lzzvay" "Q/PxyxpEFGxsx8A6AJe0lZBbntSgXtd3ycnVmgIlX1nn9FHJkA8/xrFcN4tyu5GHGv/zPzC9a6ah73AKNL1P+u4yqGGBrLNkJ7ERLmmLuIOAdNisBKj9u93cT9ba7V1LD39xHiwwIDAQAB" ) ; ----- DKIM key mail for zentyal-domain.lan
And the command [20] to add this particular record:
samba-tool dns add zentyal.zentyal-domain.lan zentyal-domain.lan mail._domainkey.zentyal-domain.lan TXT '"v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn66wkANz7HGd2KvNadQnPRH7g4uU2Ur54VBxG8VFJJcHNCj/D3c8gAqh6kb/B8ZVQ5oG7+1w7KLZJUKwYhPUaYZ3t8CUQOI1+klhSAJGOQRqpUkAGQcEBhSuQFBAR057j/UZrUcwBZTONp5LrhqLWw0duC2G8UaWDdxzIyugYplzZUmtzMqzx4jo9sjH3cRc/1kNRg7lzzvay" "Q/PxyxpEFGxsx8A6AJe0lZBbntSgXtd3ycnVmgIlX1nn9FHJkA8/xrFcN4tyu5GHGv/zPzC9a6ah73AKNL1P+u4yqGGBrLNkJ7ERLmmLuIOAdNisBKj9u93cT9ba7V1LD39xHiwwIDAQAB"'
Warning
Pay attention to the content of the file before adding the TXT record.
- Finally, to confirm that the record has been successfully added to the domain, one of the most recommended ways is to use the MXtoolbox website [21] . When sending and e-mail, in the header of the message you should see an excerpt similar to this:
[19] | Stubs https://doc.zentyal.org/en/appendix-c.html#stubs |
[20] | Samba-tool https://wiki.samba.org/index.php/DNS_Administration#Administering_DNS_on_Linux.2FUnix_with_samba-tool |
[21] | Mxtoolbox DKIM https://mxtoolbox.com/dkim.aspx |