Electronic Mail Service (SMTP/POP3-IMAP4)

Zentyal uses Postfix [6] as its MTA and Dovecot [7] as its MDA (POP3, IMAP). Both support secure communication over SSL. To fetch mail from external accounts, Zentyal uses Fetchmail [8].

[6] Postfix, The Postfix Home Page: http://www.postfix.org
[7] Dovecot, Secure IMAP and POP3 Server: http://www.dovecot.org
[8] Fetchmail: http://www.fetchmail.info/

SMTP/POP3-IMAP4 server configuration with Zentyal

Receiving and relaying mail

To understand the mail system configuration, the difference between receiving mail and relaying mail must be clear.

Reception occurs when the server accepts a mail message whose recipients include an account that belongs to one of its virtual mail domains. Mail can be received from any client that is able to connect to the server.

Relay occurs when the mail server receives a message whose recipients do not belong to any of its managed virtual mail domains, so the message must be forwarded to other servers. Mail relay is restricted; otherwise spammers could use the server to send spam all over the Internet.

Zentyal allows mail relay in two cases:

  1. Authenticated users.
  2. A source address that belongs to a network object which has an allowed relay policy enabled.

General configuration

Accessing Mail ‣ General ‣ Mail server options ‣ Options, you can configure the general settings for the mail service:

General mail configuration

Smarthost to send mail:

If this option is set, Zentyal will not send its messages directly, but each received e-mail will be forwarded to the smarthost without keeping a copy. In this case, Zentyal is an intermediary between the user who sends the e-mail and the server that actually sends the message.

Here you can set the domain name or IP address of the smarthost. You can also specify a port by appending :[port_number] to the address. The default port is the standard SMTP port, 25.

Smarthost authentication:

This sets whether the smarthost requires authentication using a user and password pair, or not.

Server mailname:

This sets the visible mail name of the system; it will be used by the mail server as the local address of the system.

Postmaster address:

The postmaster address is by default an alias of the root user, but it can be set to any account, whether or not it belongs to one of the managed virtual mail domains.

This account is intended to be a standard way to reach the administrator of the mail server. Automatically generated notification mails will typically use postmaster as the reply address.

Maximum mailbox size allowed:

Using this option you can set a maximum size in MB for any user’s mailbox. All mail that exceeds the limit will be rejected and the sender will receive a notification. This setting can be overridden for any user in the Users and Computers ‣ Manage page.

Maximum message size accepted:

Sets, if required, the maximum message size in MB accepted by the smarthost. This limit is enforced regardless of any user mailbox size limit.

Expiration period for deleted mails:

If you enable this option, the mail messages in the users’ trash folder will be deleted once they are older than the configured limit.

Expiration period for spam mails:

This option works in the same way as the previous one, but applies to the users’ spam folder.

In addition to this, Zentyal can be configured to relay mail without authentication from some network addresses. To do this, you can add relay policies for Zentyal network objects through Mail ‣ General ‣ Relay policy for network objects. The policies are based on the source mail client IP address. If relay is allowed by an object, then each object member can relay e-mails through Zentyal.

Relay policy for network objects

Warning

Be careful when using an Open Relay policy, i.e. forwarding e-mail from everywhere: your mail server could become a source of spam and be blacklisted.
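The two relay cases described under Receiving and relaying mail, and the open-relay condition this warning describes, can be checked offline against the running Postfix configuration. The following script is an added example, not Zentyal's or Postfix's own code: it takes the values that `postconf -h smtpd_relay_restrictions` and `postconf -h mynetworks` print and reports whether relaying is limited to trusted networks and authenticated users. It assumes that Zentyal's generated main.cf uses the standard Postfix mechanisms, with relay-policy network objects ending up in mynetworks and authenticated users covered by permit_sasl_authenticated; the sample values at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not part of Zentyal or Postfix: an offline audit of a
# Postfix relay configuration. Inputs are the values printed by
# `postconf -h smtpd_relay_restrictions` and `postconf -h mynetworks`.
# Assumption: Zentyal's generated main.cf uses the standard Postfix
# mechanisms (relay-policy network objects -> mynetworks, authenticated
# users -> permit_sasl_authenticated). Sample values below are constructed.

# relay_restrictions_ok LIST
# Returns 0 when relaying is granted only conditionally (permit_mynetworks,
# permit_sasl_authenticated and similar) and every other destination is
# stopped by reject_unauth_destination or defer_unauth_destination.
# Returns 1 when an unconditional "permit" comes before that check, or when
# the check is missing altogether, because Postfix permits the client once
# the end of a restriction list is reached without a decision.
relay_restrictions_ok() {
    seen_reject=0
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            reject_unauth_destination|defer_unauth_destination)
                seen_reject=1 ;;
            permit)
                [ "$seen_reject" -eq 1 ] || return 1 ;;
            permit_mynetworks|permit_sasl_authenticated|permit_auth_destination|permit_tls_clientcerts|permit_tls_all_clientcerts)
                ;;  # conditional permits: relay only for one class of client
            *)
                ;;  # other checks and rejects; lookup tables are not examined
        esac
    done
    [ "$seen_reject" -eq 1 ]
}

# mynetworks_is_open LIST
# Returns 0 (true) when the trusted-network list contains a catch-all prefix
# such as 0.0.0.0/0 or ::/0, which turns permit_mynetworks into an open relay.
mynetworks_is_open() {
    for net in $(printf '%s' "$1" | tr ',' ' '); do
        case "$net" in
            */0) return 0 ;;
        esac
    done
    return 1
}

# audit_relay RESTRICTIONS MYNETWORKS -> prints a verdict, returns 0 if safe
audit_relay() {
    status=0
    if ! relay_restrictions_ok "$1"; then
        echo "FAIL: restrictions relay for any client: $1"
        status=1
    fi
    if mynetworks_is_open "$2"; then
        echo "FAIL: mynetworks contains a catch-all prefix: $2"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: relay limited to mynetworks and authenticated users"
    fi
    return "$status"
}

# Constructed samples, not taken from a real server:
SAFE_RESTRICTIONS="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
OPEN_RESTRICTIONS="permit_mynetworks, permit"
SAFE_NETWORKS="127.0.0.0/8, 192.168.6.0/24"
OPEN_NETWORKS="127.0.0.0/8, 0.0.0.0/0"

audit_relay "$SAFE_RESTRICTIONS" "$SAFE_NETWORKS" || true
audit_relay "$OPEN_RESTRICTIONS" "$SAFE_NETWORKS" || true
audit_relay "$SAFE_RESTRICTIONS" "$OPEN_NETWORKS" || true
```

On a live server the two values can be fed in directly, for example `audit_relay "$(postconf -h smtpd_relay_restrictions)" "$(postconf -h mynetworks)"`; the script only reads the configuration and never changes it.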

Finally, the mail server can be configured to use a content filter for messages [10]. To do so, the filter server must receive the message on a specific port and send the result back to another port on which the mail server listens for the response. You can choose a custom mailfilter or use Zentyal as a mail filter through Mail ‣ General ‣ Mail filter options. If the mailfilter module is installed and enabled, it will be used by default.

Mailfilter options

[10]This topic is explained in depth in the Mail filter section.

Virtual domains and e-mail accounts

To set up an e-mail account, at least a virtual domain and one user are required. You can create as many virtual domains as you want from Mail ‣ Virtual Domains. They provide the domain name for e-mail accounts of Zentyal users. Moreover, it is possible to set aliases for a virtual domain, so that sending an e-mail to a particular virtual domain or to any of its aliases becomes transparent.

Virtual mail domains

In order to set up e-mail accounts, you have to follow the same rules used when configuring filesharing. You can select the main virtual domain for the user from Users and Computers ‣ Manage. You can create aliases if you want to give a user more than a single e-mail address. Regardless of how many aliases are used, each message is stored only once, in the user’s mailbox.

Mail settings for a user

Note that you can decide whether an e-mail account should be created by default when a new user is added to Zentyal. You can change this behaviour in Users and Computers ‣ User Template.

Likewise, you can set up aliases for user groups. Messages received by these aliases are sent to every user of the group with an e-mail account. Group aliases are created through Users and Computers ‣ Manage: select the desired group and create an alias for its mail account. Group aliases are only available when at least one user of the group has an e-mail account.

You can define an alias to an external account as well, that is, a mail account associated with a domain not managed by your server. The mail sent to that alias will be forwarded to the external account. This kind of alias is set per virtual domain and does not require an e-mail account. They can be set in Mail ‣ Virtual Domains ‣ External accounts aliases.

Retrieve mail from external accounts with Fetchmail

Sometimes your users want to keep receiving new e-mails from their old accounts, for example from a previous job. For that case Zentyal includes a feature based on Fetchmail [11] that acts as an additional e-mail client for domain users.

To activate the Fetchmail feature go to Mail ‣ General ‣ Mail server options and in the Mail retrieval services section, at the bottom, you can select the option Retrieve mail for external accounts.

Once the Fetchmail option is activated, save the changes, then you can configure the external account from Users and Computers ‣ Manage. Select the user and right at the end of the configuration panel, at Mail account settings, you can include the configuration of the external account:

Retrieving emails from an external account

[11] Fetchmail: http://www.fetchmail.info/

Webmail

Apart from the functionality described above for native clients, it can be very useful to deploy a web-based client to access e-mail, calendars and contacts.

Zentyal integrates SOGo 4.0, the newest version of the Open Source Groupware solution [14].

To use this module, you just need to install it and enable it.

Once you have enabled the module, you can access the web platform at the URL https://<server_FQDN>/SOGo/

Accessing this URL, you can see the main login screen, where you can also choose the desired language for the user.

Login screen

You will first be shown the email interface.

Electronic mail

Using the icons that you have available in the top-right part of the interface, you can access the calendars.

Shared calendars and events

The address book is available from the same icons; it shows the Global Address List (GAL), which contains all the users registered in your domain, the user’s personal address books, and custom distribution lists that can be used for mail.

Address books and distribution lists

[14] SOGo: http://sogo.nu

ActiveSync® support

The ActiveSync® protocol is widely used to synchronize mobile devices and also the most recent versions of Microsoft® Outlook.

The Webmail module needs to be installed, as SOGo provides the implementation of this protocol in its sogo-activesync package.

Once you have installed and enabled the module, you will be able to enable or disable the ActiveSync option from Mail ‣ ActiveSync on the Zentyal interface.

ActiveSync® gateway

Devices will access ActiveSync® through Zentyal’s webserver, ports 80 and 443 (SSL enabled) by default.

Hardening the mail server

Because of the importance of mail services and the continuous attacks against them, the use of the SPF [15] protocol and the DKIM [16] authentication method have become ‘mandatory’ to increase the security of the mail service. In this section we explain in detail how to configure the SPF record in the DNS server and how to implement DKIM on Zentyal.

[15] SPF: https://en.wikipedia.org/wiki/Sender_Policy_Framework
[16] DKIM: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

SPF

To configure the SPF protocol on Zentyal, first you need to create a TXT record which states which machines are permitted to send e-mail for your domain. To do this, you can use one of the many websites that provide forms to help generate the TXT record.

Tip

A recommended web page to generate the DNS record is SPFwizard [17].

An example of a generated DNS record of type TXT:

zentyal-domain.lan.  IN TXT "v=spf1 mx a ip4:192.168.6.1 a:zentyal.zentyal-domain.lan -all"

Once you have the DNS record that implements the SPF protocol, you have to add it to your DNS module.

SPF TXT record

Finally, to confirm that the record has been successfully added to the domain, one of the most recommended ways is to use the MXtoolbox website [18].
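Before the record is added to the DNS module, its content can be checked offline for the points a receiving server evaluates. The following script is an added example, not part of Zentyal or of the SPFwizard and MXtoolbox sites: it checks the v=spf1 version tag, the RFC 7208 (section 4.6.4) limit of 10 DNS-lookup terms (a, mx, ptr, exists, include and redirect=), and that the record ends with "-all" or "~all" so that senders not listed are not passed. SPF_RECORD is the record shown above; the other records in the script are constructed.

```shell
#!/bin/sh
# Added example, not part of Zentyal: an offline lint for an SPF TXT record.
# SPF_RECORD is the record from the text; any other record is constructed.

SPF_RECORD='v=spf1 mx a ip4:192.168.6.1 a:zentyal.zentyal-domain.lan -all'

# spf_lint RECORD -> prints findings and a summary line
# "lookups=N all=<term> problems=M"; returns 0 only when M is 0.
spf_lint() {
    problems=0
    lookups=0
    all_term=""
    first=1
    for term in $1; do
        if [ "$first" -eq 1 ]; then
            first=0
            if [ "$term" != "v=spf1" ]; then
                echo "ERROR: record must start with v=spf1, found '$term'"
                problems=$((problems + 1))
            fi
            continue
        fi
        mech=${term#[+~?-]}          # drop the qualifier, keep the mechanism
        case "$mech" in
            a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*|include:*|redirect=*)
                lookups=$((lookups + 1)) ;;   # each of these costs a DNS query
            all)
                all_term=$term ;;
            ip4:*|ip6:*|exp=*)
                ;;                            # evaluated without a DNS lookup
            *)
                echo "ERROR: unknown term '$term'"
                problems=$((problems + 1)) ;;
        esac
        case "$mech" in
            ptr|ptr:*) echo "WARNING: ptr is discouraged (RFC 7208 section 5.5)" ;;
        esac
    done
    if [ "$lookups" -gt 10 ]; then
        echo "ERROR: $lookups DNS-lookup terms, the limit is 10 (receivers return permerror)"
        problems=$((problems + 1))
    fi
    case "$all_term" in
        -all|~all) ;;
        "")
            echo "ERROR: no 'all' term, senders not listed get a neutral result"
            problems=$((problems + 1)) ;;
        "?all")
            echo "ERROR: ?all gives senders not listed a neutral result"
            problems=$((problems + 1)) ;;
        *)
            echo "ERROR: '$all_term' passes every sender"
            problems=$((problems + 1)) ;;
    esac
    echo "lookups=$lookups all=$all_term problems=$problems"
    [ "$problems" -eq 0 ]
}

spf_lint "$SPF_RECORD"
spf_lint 'v=spf1 mx ptr +all' || true
```

For the record shown above the summary line reads `lookups=3 all=-all problems=0`: the `mx`, `a` and `a:zentyal.zentyal-domain.lan` terms each cost one DNS lookup, well under the limit, and `-all` rejects everything else. The lint reads only the record text, so it complements rather than replaces the MXtoolbox check, which also confirms that the record was actually published.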

[17] SPFwizard: https://www.spfwizard.net/
[18] MXtoolbox SPF: https://mxtoolbox.com/spf.aspx

DKIM

To implement this authentication mechanism you can use a third party software called OpenDKIM. These are the steps you have to follow to deploy DKIM.

  1. Install the necessary packages:

    sudo apt-get install -y opendkim opendkim-tools
    
  2. Create the folder for the DKIM keys:

    sudo mkdir -vp /etc/opendkim/keys
    
  3. Generate the DKIM keys:

    sudo opendkim-genkey -s mail -d zentyal-domain.lan -D /etc/opendkim/keys
    
  4. Configure the folder permissions:

    sudo chown -R opendkim:opendkim /etc/opendkim/
    sudo chmod 0640 /etc/opendkim/keys/*.private
    
  5. Create the /etc/opendkim/TrustedHosts configuration file where you indicate the trusted hosts:

    127.0.0.1
    localhost
    192.168.6.0/24
    *.zentyal-domain.lan
    
  6. Create the /etc/opendkim/SigningTable configuration file that will contain the domain and subdomains which will be signed by DKIM:

    *@zentyal-domain.lan mail
    
  7. Define the selector name and the path of the private key used for signing in the /etc/opendkim/KeyTable configuration file:

    mail zentyal-domain.lan:mail:/etc/opendkim/keys/mail.private
    
  8. Once you have finished defining these configuration files, you have to create the main OpenDKIM configuration file located at /etc/opendkim.conf:

    Mode                    sv
    PidFile                 /var/run/opendkim/opendkim.pid
    UserID                  opendkim:opendkim
    Socket                  inet:8891@127.0.0.1
    SignatureAlgorithm      rsa-sha256
    AutoRestart             Yes
    AutoRestartRate         10/1h
    Syslog                  yes
    SyslogSuccess           yes
    LogWhy                  Yes
    UMask                   002
    OversignHeaders         From
    Canonicalization        relaxed/simple
    
    ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
    InternalHosts           refile:/etc/opendkim/TrustedHosts
    KeyTable                refile:/etc/opendkim/KeyTable
    SigningTable            refile:/etc/opendkim/SigningTable
    
  9. Set the address and listening port of DKIM in the /etc/default/opendkim configuration file:

    SOCKET="inet:8891@127.0.0.1"
    
  10. To finish the OpenDKIM configuration, start the service and enable it:

    sudo systemctl restart opendkim
    sudo systemctl enable opendkim
    
  11. Then you will have to add the following configuration parameters to the /usr/share/zentyal/stubs/mail/main.cf.mas configuration template of the Mail module to use OpenDKIM:

    ## DKIM Configuration
    milter_protocol = 6
    milter_default_action = accept
    smtpd_milters = inet:127.0.0.1:8891
    non_smtpd_milters = inet:127.0.0.1:8891
    

Warning

Read the Zentyal documentation about stubs. [19]

  12. Restart the Zentyal Mail module to apply the changes:

    sudo zs mail restart
    
  13. Then you will have to add the TXT record to the DNS module with the content of the /etc/opendkim/keys/mail.txt configuration file. An example of its content:

    mail._domainkey   IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
        "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn66wkANz7HGd2KvNadQnPRH7g4uU2Ur54VBxG8VFJJcHNCj/D3c8gAqh6kb/B8ZVQ5oG7+1w7KLZJUKwYhPUaYZ3t8CUQOI1+klhSAJGOQRqpUkAGQcEBhSuQFBAR057j/UZrUcwBZTONp5LrhqLWw0duC2G8UaWDdxzIyugYplzZUmtzMqzx4jo9sjH3cRc/1kNRg7lzzvay"
        "Q/PxyxpEFGxsx8A6AJe0lZBbntSgXtd3ycnVmgIlX1nn9FHJkA8/xrFcN4tyu5GHGv/zPzC9a6ah73AKNL1P+u4yqGGBrLNkJ7ERLmmLuIOAdNisBKj9u93cT9ba7V1LD39xHiwwIDAQAB" )  ; ----- DKIM key mail for zentyal-domain.lan
    

And the command [20] to add this particular record:

samba-tool dns add zentyal.zentyal-domain.lan zentyal-domain.lan mail._domainkey.zentyal-domain.lan TXT '"v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn66wkANz7HGd2KvNadQnPRH7g4uU2Ur54VBxG8VFJJcHNCj/D3c8gAqh6kb/B8ZVQ5oG7+1w7KLZJUKwYhPUaYZ3t8CUQOI1+klhSAJGOQRqpUkAGQcEBhSuQFBAR057j/UZrUcwBZTONp5LrhqLWw0duC2G8UaWDdxzIyugYplzZUmtzMqzx4jo9sjH3cRc/1kNRg7lzzvay" "Q/PxyxpEFGxsx8A6AJe0lZBbntSgXtd3ycnVmgIlX1nn9FHJkA8/xrFcN4tyu5GHGv/zPzC9a6ah73AKNL1P+u4yqGGBrLNkJ7ERLmmLuIOAdNisBKj9u93cT9ba7V1LD39xHiwwIDAQAB"'

Warning

Pay attention to the content of the file before adding the TXT record.

  14. Finally, to confirm that the record has been successfully added to the domain, one of the most recommended ways is to use the MXtoolbox website [21]. When sending an e-mail, in the header of the message you should see an excerpt similar to this:

DKIM header
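The mail.txt file written by opendkim-genkey splits the public key into several quoted chunks, and the warning above exists because a stray quote, space or line break introduced while copying them produces a record that receivers cannot verify. The following script is an added example, not part of Zentyal, OpenDKIM or Samba: it extracts the quoted chunks from such a file, joins them into the value a resolver sees, checks the v=DKIM1, k=rsa and p= tags, and prints (without running) the samba-tool command from step 13 for that record. The sample file is constructed from the record shown in the text.

```shell
#!/bin/sh
# Added example, not part of Zentyal, OpenDKIM or Samba: turn an
# opendkim-genkey mail.txt file into the TXT record data for the DNS module
# and check it before publishing. The sample file below is constructed from
# the record shown in the text.

# dkim_txt_strings FILE -> the double-quoted chunks of the record, one per
# line, in file order (opendkim-genkey splits long keys into several chunks).
dkim_txt_strings() {
    grep -o '"[^"]*"' "$1"
}

# dkim_txt_value FILE -> the record as a resolver sees it: all chunks joined
# into one string, with quotes and line breaks removed.
dkim_txt_value() {
    dkim_txt_strings "$1" | tr -d '"\n'
}

# dkim_txt_samba_arg FILE -> the single data argument for
# `samba-tool dns add ... TXT`: the quoted chunks separated by spaces.
dkim_txt_samba_arg() {
    dkim_txt_strings "$1" | tr '\n' ' ' | sed 's/ $//'
}

# dkim_value_check VALUE -> 0 when the record starts with v=DKIM1, carries
# k=rsa and a p= tag whose value is non-empty base64. A stray quote, space or
# line break inside the key fails here, just as it fails verification at the
# receiving server.
dkim_value_check() {
    value=$1
    case "$value" in
        "v=DKIM1;"*) ;;
        *) echo "ERROR: record must start with v=DKIM1"; return 1 ;;
    esac
    case "$value" in
        *"k=rsa;"*) ;;
        *) echo "ERROR: missing k=rsa tag"; return 1 ;;
    esac
    pubkey=$(printf '%s' "$value" | sed -n 's/.*p=\([^;]*\).*/\1/p')
    if [ -z "$pubkey" ]; then
        echo "ERROR: empty p= tag"; return 1
    fi
    if printf '%s' "$pubkey" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "ERROR: p= contains characters outside the base64 alphabet"; return 1
    fi
    echo "OK: p= holds ${#pubkey} base64 characters"
}

# dkim_samba_command SERVER ZONE SELECTOR FILE -> prints (does not run) the
# samba-tool invocation from the text for this record.
dkim_samba_command() {
    printf "samba-tool dns add %s %s %s._domainkey.%s TXT '%s'\n" \
        "$1" "$2" "$3" "$2" "$(dkim_txt_samba_arg "$4")"
}

# Constructed sample: the mail.txt content shown in the text, written to a
# temporary file so the functions above can be run as they are.
DKIM_SAMPLE=$(mktemp)
trap 'rm -f "$DKIM_SAMPLE"' EXIT
cat > "$DKIM_SAMPLE" <<'EOF'
mail._domainkey   IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn66wkANz7HGd2KvNadQnPRH7g4uU2Ur54VBxG8VFJJcHNCj/D3c8gAqh6kb/B8ZVQ5oG7+1w7KLZJUKwYhPUaYZ3t8CUQOI1+klhSAJGOQRqpUkAGQcEBhSuQFBAR057j/UZrUcwBZTONp5LrhqLWw0duC2G8UaWDdxzIyugYplzZUmtzMqzx4jo9sjH3cRc/1kNRg7lzzvay"
    "Q/PxyxpEFGxsx8A6AJe0lZBbntSgXtd3ycnVmgIlX1nn9FHJkA8/xrFcN4tyu5GHGv/zPzC9a6ah73AKNL1P+u4yqGGBrLNkJ7ERLmmLuIOAdNisBKj9u93cT9ba7V1LD39xHiwwIDAQAB" )  ; ----- DKIM key mail for zentyal-domain.lan
EOF

dkim_value_check "$(dkim_txt_value "$DKIM_SAMPLE")"
dkim_samba_command zentyal.zentyal-domain.lan zentyal-domain.lan mail "$DKIM_SAMPLE"
```

On a Zentyal server the file argument would be /etc/opendkim/keys/mail.txt and the printed command is the one to run as in step 13; keeping the chunks quoted as the file has them is what lets samba-tool store a TXT record longer than a single 255-byte string. After publishing, `opendkim-testkey -d zentyal-domain.lan -s mail -vvv` (part of the opendkim-tools package installed in step 1) confirms that the published record matches the private key.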

[19] Stubs: https://doc.zentyal.org/en/appendix-c.html#stubs
[20] Samba-tool: https://wiki.samba.org/index.php/DNS_Administration#Administering_DNS_on_Linux.2FUnix_with_samba-tool
[21] MXtoolbox DKIM: https://mxtoolbox.com/dkim.aspx