simple email setup
Sun, 30 Nov 2014 16:39 categories: config, debianI was unable to find a good place that describes how to create a simple self-hosted email setup. The most surprising discovery was, how much already works after:
apt-get install postfix dovecot-imapd
Right after having finished the installation I was able to receive email (but
only in in /var/mail
in mbox format) and send email (bot not from any other
host). So while I expected a pretty complex setup, it turned out to boil down
to just adjusting some configuration parameters.
Postfix
The two interesting files to configure postfix are /etc/postfix/main.cf
and
/etc/postfix/master.cf
. A commented version of the former exists in
/usr/share/postfix/main.cf.dist
. Alternatively, there is the ~600k word
strong man page postconf(5). The latter file is documented in master(5).
/etc/postfix/main.cf
I changed the following in my main.cf
@@ -37,3 +37,9 @@
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
+
+home_mailbox = Mail/
+smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination permit_sasl_authenticated
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtp_helo_name = my.reverse.dns.name.com
At this point, also make sure that the parameters smtpd_tls_cert_file
and
smtpd_tls_key_file
point to the right certificate and private key file. So
either change these values or replace the content of
/etc/ssl/certs/ssl-cert-snakeoil.pem
and
/etc/ssl/private/ssl-cert-snakeoil.key
.
The home_mailbox
parameter sets the default path for incoming mail. Since
there is no leading slash, this puts mail into $HOME/Mail
for each user. The
trailing slash is important as it specifies ``qmail-style delivery'' which
means maildir.
The default of the smtpd_recipient_restrictions
parameter is
permit_mynetworks reject_unauth_destination
so this just adds the
permit_sasl_authenticated
option. This is necessary to allow users to send
email when they successfully verified their login through dovecot. The dovecot
login verification is activated through the smtpd_sasl_type
and
smtpd_sasl_path
parameters.
I found it necessary to set the smtp_helo_name
parameter to the reverse DNS
of my server. This was necessary because many other email servers would only
accept email from a server with a valid reverse DNS entry. My hosting provider
charges USD 7.50 per month to change the default reverse DNS name, so the easy
solution is, to instead just adjust the name announced in the SMTP helo
.
/etc/postfix/master.cf
The file master.cf
is used to enable the submission
service. The following
diff just removes the comment character from the appropriate section.
@@ -13,12 +13,12 @@
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
-#submission inet n - - - - smtpd
-# -o syslog_name=postfix/submission
-# -o smtpd_tls_security_level=encrypt
-# -o smtpd_sasl_auth_enable=yes
-# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
+submission inet n - - - - smtpd
+ -o syslog_name=postfix/submission
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
Dovecot
Since above configuration changes made postfix store email in a different
location and format than the default, dovecot has to be informed about these
changes as well. This is done in /etc/dovecot/conf.d/10-mail.conf
. The second
configuration change enables postfix to authenticate users through dovecot in
/etc/dovecot/conf.d/10-master.conf
. For SSL one should look into
/etc/dovecot/conf.d/10-ssl.conf
and either adapt the parameters ssl_cert
and ssl_key
or store the correct certificate and private key in
/etc/dovecot/dovecot.pem
and /etc/dovecot/private/dovecot.pem
,
respectively.
The dovecot-core
package (which dovecot-imapd
depends on) ships tons of
documentation. The file
/usr/share/doc/dovecot-core/dovecot/documentation.txt.gz
gives an overview of
what resources are available. The path
/usr/share/doc/dovecot-core/dovecot/wiki
contains a snapshot of the dovecot
wiki at http://wiki2.dovecot.org/. The example configurations seem to be the
same files as in /etc/
which are already well commented.
/etc/dovecot/conf.d/10-mail.conf
The following diff changes the default email location in /var/mail
to a
maildir in ~/Mail
as configured for postfix above.
@@ -27,7 +27,7 @@
#
# <doc/wiki/MailLocation.txt>
#
-mail_location = mbox:~/mail:INBOX=/var/mail/%u
+mail_location = maildir:~/Mail
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
/etc/dovecot/conf.d/10-master.conf
And this enables the authentication socket for postfix:
@@ -93,9 +93,11 @@
}
# Postfix smtp-auth
- #unix_listener /var/spool/postfix/private/auth {
- # mode = 0666
- #}
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0660
+ user = postfix
+ group = postfix
+ }
# Auth process is run as this user.
#user = $default_internal_user
Aliases
Now Email will automatically put into the '~/Mail' directory of the receiver. So a user has to be created for whom one wants to receive mail...
$ adduser josch
...and any aliases for it to be configured in /etc/aliases
.
@@ -1,2 +1,4 @@
-# See man 5 aliases for format
-postmaster: root
+root: josch
+postmaster: josch
+hostmaster: josch
+webmaster: josch
After editing /etc/aliases
, the command
$ newaliases
has to be run. More can be read in the aliases(5) man page.
Finishing up
Everything is done and now postfix and dovecot have to be informed about the changes. There are many ways to do that. Either restart the services, reboot or just do:
$ postfix reload
$ doveadm reload
SPF
$ apt-get install postfix-policyd-spf-python
/etc/postfix/main.cf
policy-spf_time_limit = 3600s
/etc/postfix/master.cf
policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf
DNS TXT record with value:
v=spf1 ip4:62.75.219.19 -all
/etc/postfix-policyd-spf-python/policyd-spf.conf
debugLevel = 1
defaultSeedOnly = 1
HELO_reject = SPF_Not_Pass
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128
FIXME: the skip_addresses
field should also list all hosts that I get email
forwarded from. For example if I get my josch@debian.org email forwarded to
this server, then I should list the debian.org mail relay servers. A list of
these can be found by doing:
ldapsearch -x -LLL -b dc=debian,dc=org -h db.debian.org 'purpose=mail relay' ipHostNumber
Otherwise, senders with an SPF record with only their own IP and a final -all
will see their mail rejected by the server. This is because the email was
forwarded by the debian.org relay but that IP was not in their SPF record.
DKIM
$ apt-get install opendkim opendkim-tools
$ mkdir /etc/mail
$ cd /etc/mail
$ opendkim-genkey -t -s mail -d mister-muffin.de
$ cat mail.txt
/etc/opendkim.conf
Domain mister-muffin.de KeyFile /etc/mail/mail.private Selector mail Canonicalization relaxed/relaxed
/etc/default/opendkim
SOCKET="inet:8891@localhost"
/etc/postfix/main.cf
milter_default_action = accept milter_protocol = 2 smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
$ service opendkim restart
$ service postfix restart
automatically suspending cpu hungry applications
Fri, 07 Nov 2014 08:51 categories: configTLDR: Using the awesome window manager: how to automatically send
SIGSTOP
and SIGCONT
to application windows when they get unfocused or
focused, respectively, to let the application not waste CPU cycles when not in
use.
I don't require any fancy looking GUI, so my desktop runs no full-blown desktop environment like Gnome or KDE but instead only awesome as a light-weight window manager. Usually, the only application windows I have open are rxvt-unicode as my terminal emulator and firefox/iceweasel with the pentadactyl extension as my browser. Thus, I would expect that CPU usage of my idle system would be pretty much zero but instead firefox decides to constantly eat 10-15%. Probably to update some GIF animations or JavaScript (or nowadays even HTML5 video animations). But I don't need it to do that when I'm not currently looking at my browser window. Disabling all JavaScript is no option because some websites that I need for uni or work are just completely broken without JavaScript, so I have to enable it for those websites.
Solution: send SIGSTOP
when my firefox window looses focus and send SIGCONT
once it gains focus again.
The following addition to my /etc/xdg/awesome/rc.lua
does the trick:
local capi = { timer = timer }
client.add_signal("focus", function(c)
if c.class == "Iceweasel" then
awful.util.spawn("kill -CONT " .. c.pid)
end
end)
client.add_signal("unfocus", function(c)
if c.class == "Iceweasel" then
local timer_stop = capi.timer { timeout = 10 }
local send_sigstop = function ()
timer_stop:stop()
if client.focus.pid ~= c.pid then
awful.util.spawn("kill -STOP " .. c.pid)
end
end
timer_stop:add_signal("timeout", send_sigstop)
timer_stop:start()
end
end)
Since I'm running Debian, the class is "Iceweasel" and not "Firefox". When the
window gains focus, a SIGCONT
is sent immediately. I'm executing kill
because I don't know how to send UNIX signals from lua directly.
When the window looses focus, then the SIGSTOP
signal is only sent after a 10
second timeout. This is done for several reasons:
- I don't want firefox to stop in cases where I'm just quickly switching back and forth between it and other application windows
- When firefox starts, it doesn't have a window for a short time. So without a timeout, the process would start but immediately get stopped as there is no window to have a focus.
- when using the X paste buffer, then the application behind the source window must not be stopped when pasting content from it. I assume that I will not spend more than 10 seconds between marking a string in firefox and pasting it into another window
With this change, when I now open htop
, the process consuming most CPU
resources is htop itself. Success!
Another cool advantage is, that firefox can now be moved completely into swap space in case I run otherwise memory hungry applications without ever requiring any memory from swap until I really use it again.
I haven't encountered any disadvantages of this setup yet. If 10 seconds prove to be too short to copy and paste I can easily extend this delay. Even clicking on links in my terminal works flawlessly - the new tab will just only load once firefox gets focused again.
EDIT: thanks to Helmut Grohne for suggesting to compare the pid instead of the raw client instance to prevent misbehaviour when firefox opens additional windows like the preferences dialog.