krypted.com

Tiny Deathstars of Foulness

Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In Mavericks Server, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecoysystem and the evil spammers. As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should have the chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail. The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:
  • Static IP address. The WAN (and LAN probably) address should be static.
  • Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
  • DNS records. An MX record and some kind of mail.domain.com type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
  • Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
  • Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
  • Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…
Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service in Server app 3. Actually, first let’s setup our SSL certificates. To do so, open the Server app and click on Certificates in the SERVER section of the sidebar. Here, use the “Secure services using” drop-down list and click on Custom… for each protocol to select the appropriate certificate to be used for the service. Screen Shot 2013-10-06 at 9.04.25 PM Click OK when they’re all configure. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar. Screen Shot 2013-10-06 at 9.05.02 PMAt the configuration screen is a sparse number of settings:
  • Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of charles@pretendco.com and charles@krypted.com per the Domain Name listing below.Screen Shot 2013-10-06 at 9.05.45 PM
  • Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.Screen Shot 2013-10-06 at 9.06.17 PM
  • Push Notifications: If Push is configured previously there’s no need to use this option. Otherwise, use your institutional APNS account to configure Push Notifications.Screen Shot 2013-10-06 at 9.07.25 PM
  • Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).Screen Shot 2013-10-06 at 9.07.57 PM
  • Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
  • Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.Screen Shot 2013-10-06 at 9.08.44 PM
Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server: telnet mail.krypted.com 25 You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service: sudo serveradmin fullstatus mail Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following: mail:startedTime = "" mail:setStateVersion = 1 mail:state = "STOPPED" mail:protocolsArray:_array_index:0:status = "ON" mail:protocolsArray:_array_index:0:kind = "INCOMING" mail:protocolsArray:_array_index:0:protocol = "IMAP" mail:protocolsArray:_array_index:0:state = "STOPPED" mail:protocolsArray:_array_index:0:service = "MailAccess" mail:protocolsArray:_array_index:0:error = "" mail:protocolsArray:_array_index:1:status = "ON" mail:protocolsArray:_array_index:1:kind = "INCOMING" mail:protocolsArray:_array_index:1:protocol = "POP3" mail:protocolsArray:_array_index:1:state = "STOPPED" mail:protocolsArray:_array_index:1:service = "MailAccess" mail:protocolsArray:_array_index:1:error = "" mail:protocolsArray:_array_index:2:status = "ON" mail:protocolsArray:_array_index:2:kind = "INCOMING" mail:protocolsArray:_array_index:2:protocol = "SMTP" mail:protocolsArray:_array_index:2:state = "STOPPED" mail:protocolsArray:_array_index:2:service = "MailTransferAgent" mail:protocolsArray:_array_index:2:error = "" mail:protocolsArray:_array_index:3:status = "ON" mail:protocolsArray:_array_index:3:kind = "OUTGOING" mail:protocolsArray:_array_index:3:protocol = "SMTP" mail:protocolsArray:_array_index:3:state = "STOPPED" mail:protocolsArray:_array_index:3:service = "MailTransferAgent" mail:protocolsArray:_array_index:3:error = "" mail:protocolsArray:_array_index:4:status = "OFF" mail:protocolsArray:_array_index:4:kind = "INCOMING" mail:protocolsArray:_array_index:4:protocol = "" mail:protocolsArray:_array_index:4:state = "STOPPED" mail:protocolsArray:_array_index:4:service = "ListServer" mail:protocolsArray:_array_index:4:error = "" mail:protocolsArray:_array_index:5:status = "ON" mail:protocolsArray:_array_index:5:kind = "INCOMING" mail:protocolsArray:_array_index:5:protocol = "" mail:protocolsArray:_array_index:5:state = "STOPPED" mail:protocolsArray:_array_index:5:service = "JunkMailFilter" mail:protocolsArray:_array_index:5:error = "" mail:protocolsArray:_array_index:6:status = "ON" mail:protocolsArray:_array_index:6:kind = "INCOMING" mail:protocolsArray:_array_index:6:protocol = "" mail:protocolsArray:_array_index:6:state = "STOPPED" mail:protocolsArray:_array_index:6:service = "VirusScanner" mail:protocolsArray:_array_index:6:error = "" mail:protocolsArray:_array_index:7:status = "ON" mail:protocolsArray:_array_index:7:kind = "INCOMING" mail:protocolsArray:_array_index:7:protocol = "" mail:protocolsArray:_array_index:7:state = "STOPPED" mail:protocolsArray:_array_index:7:service = "VirusDatabaseUpdater" mail:protocolsArray:_array_index:7:error = "" mail:logPaths:Server Error Log = "/Library/Logs/Mail/mail-err.log" mail:logPaths:IMAP Log = "/Library/Logs/Mail/mail-info.log" mail:logPaths:Server Log = "/Library/Logs/Mail/mail-info.log" mail:logPaths:POP Log = "/Library/Logs/Mail/mail-info.log" mail:logPaths:SMTP Log = "/var/log/mail.log" mail:logPaths:List Server Log = "/Library/Logs/Mail/listserver.log" mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log" mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log" mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log" mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log" mail:imapStartedTime = "" mail:postfixStartedTime = "" mail:servicePortsRestrictionInfo = _empty_array mail:servicePortsAreRestricted = "NO" mail:connectionCount = 0 mail:readWriteSettingsVersion = 1 mail:serviceStatus = "DISABLED" To stop the service: sudo serveradmin stop mail And to start it back up: sudo serveradmin start mail To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options: sudo serveradmin settings mail One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be: sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** " A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option: sudo serveradmin settings mail:postfix:greylist_disable = no To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine: sudo serveradmin settings mail:postfix:virus_quarantine = "diespammersdie@krypted.com" The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option: sudo serveradmin settings mail:postfix:virus_notify_admin = yes I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable: sudo serveradmin settings mail:postfix:message_size_limit_enabled = yes Or even better, just set new limit: sudo serveradmin settings mail:postfix:message_size_limit = 10485760 And to configure the percentage of someone’s quota that kicks an alert (soft quota): sudo serveradmin settings mail:imap:quotawarn = 75 Additionally, the following arrays are pretty helpful, which used to have GUI options:
  • mail:postfix:mynetworks:_array_index:0 = “127.0.0.0/8” – Add entries to this one to add “local” clients
  • mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
  • mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
  • mail:postfix:black_hole_domains:_array_index:0 = “zen.spamhaus.org” – Add additional RBL Servers
The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

October 23rd, 2013

Posted In: Kerio, Mac OS X, Mac OS X Server

Tags: , , , , , , , , , , , , , , , ,

Sometimes it seems like sqlite just isn’t equipped for some tasks. Sometimes it seems like some developers aren’t. Sometimes it ends up being a mystery as to what is really going on behind the scenes. Like watching CNN on a television right next to Fox News at the gym. Both can’t be reality. But what is real, is that journabl.db files get corrupt in Kerio all the time. And the logs often say something about SQLITE_CORRUPT &/or “database disk image is malformed”. To correct, first stop the Kerio server, then nuke the .journal.db file. Assuming the mail store is /usr/local/kerio/mailserver/store/mail on a Mac (swap /usr/local with /opt if using Linux) then the command to do so would be: rm /usr/local/kerio/mailserver/store/mail/.journal.db Then start up Kerio and the .journal.db file will automatically rebuild and the errors about some malformed whatnot should be out of those logs.

August 16th, 2013

Posted In: Kerio, Mac OS X, Mac OS X Server

Tags: , , , , , , , ,

When you setup a Kerio server, by default there’s a feature called AutoExpunge. This feature keeps mail clients from showing a message with a strikethrough through it when a message is marked for deletion. Once items are processed the message is moved to deleted and the strikethrough message is removed from the folder it was deleted from. Many users can get confused by this, so Kerio built a feature called AutoExpunge. That AutoExpunge feature instead of striking through messages just tosses them. That causes you to be unable to undo a delete. To disable AutoExpunge, stop Kerio Mail Server and then look for AutoExpungeOnDelete option in /usr/local/Kerio/mailserver/mailserver.cfg (I like to back that file up before making any changes). Then change the value for that from 1 to 0. Then save your changes to the file and start Kerio Connect back up. Once started, test that you can undo a delete and if so, you’re good to go! Note: If you change settings like this when the mail server is running then it can revert the settings back as the daemon is running. If that happens to you, double-check that the service is stopped before editing the file.

April 23rd, 2013

Posted In: Kerio, Mac OS X Server

Tags: , , , ,

Kerio has a few maximums set by default. There are also a few items that are not in the Kerio Connection Administration page. When using IMAP (and some other services), you can increase the maximum number of allowed connections to allow users to be able to connect to your servers using the variety of devices they likely now have. We’ll look at doing this with IMAP (given that each account accessed by each user is likely using at minimum 2 connections) but you can do this with many other services as well.

To increase the total number of available IMAP connections:

  • Open the Kerio Connect Administration page.
  • Click on the Configuration disclosure box to see Services.
  • Click on Services.
  • From the Services page, double-click on IMAP.
  • At the IMAP box, click on the Access tab.
  • Increase the field for Maximum number of concurrent connections.
  • Click OK.
  • Click Restart to restart the IMAP service.
Screen Shot 2013-04-03 at 8.44.28 AM Now, let’s say that all of the IMAP connections are coming from what the server sees as the same IP (somewhat common with certain types of routers). Well, there’s also a setting not exposed in the web configuration tool that limits the total number of connections available for a given IP address, so let’s go ahead and increase that as well. To do so, open the mailserver.cfg file located in /usr/local/kerio/mailserver. Here, look in the service-imap table and find the MaxConnectionsIP variable. Change that to, let’s say 300 and then save the changes and restart the IMAP service again. Now you’re done. Good luck!

April 4th, 2013

Posted In: Kerio, Mac OS X, Mac OS X Server

Tags: , , , ,

There is no built-in support for GroupWise on the iPhone. Apple supports a number of other services, but GroupWise has not been high on the priority list and honestly, I don’t know that it would be high on mine either… Having said that, it did pop up on my radar and I was able to find a couple of ways to achieve a good sync. The first is Entourage. You can use Entourage as a conduit to then grab information and sync it with GroupWise. This has a hopefully obvious disadvantage, which is that it does not synchronize wirelessly – you have to cradle sync to get the data onto the iPhone. The second and third options are outsourced services that just handle everything for you. Of these, GroupWise Sync is a great option (they have a free version that just grabs mail or pay-per-month for contacts and calendars) as is the monthly version of the CompanionLink GroupWise sync. CompanionLink has a separate desktop client, but much of what it does can be obtained by using GroupWise 6.5 along with Office 2003 and iTunes to synchronize contacts and calendars while cradled. Finally there’s NotifyLink, which works with Exchange, Kerio, Gmail, CommuniGate Pro, FirstClass, Scalix, Zimbra and about anything else you could ask for, providing synchronization services to iPhone, Palm, Windows Mobile, Blackberry and Symbian.  In short NotifyLink is the Swiss Army knife of the mobile sync world.  Take anything, sync to pretty much anything else, for a monthly fee.  Just make sure your users look at the results before you put it into production en masse as it is a little different than the standard screens they’re used to seeing in some cases…

June 3rd, 2009

Posted In: Kerio, Mac OS X, Mac OS X Server, Microsoft Exchange Server

Tags: , , , , , , , , , ,

The good people at Kerio have been kind enough to distribute their mail server software bundled into a CentOS installation on a Virtual Machine. You can just snap it into Fusion very easily, if you want to take the Kerio Mail Server (KMS) for a ride. I can’t say I would recommend running it full time in Fusion on Mac hardware though, you might be better served installing the package installer that Kerio distributes in that case.. There is a second nice thing about the VM in that it does most of the work in setting up Kerio for you. When you download and run the VM, it immediately fires up into a wizard
To Install Kerio?

To Install Kerio?

At this step, you can really just type yes to get started going through the interactive shell script. Next, you’ll be asked to read and accept the EULA for KMS, read it, use the down arrow (or space bar) to scroll down the screen and type yes to accept the agreement (assuming you accept it).
Accept the EULA

Accept the EULA

Now KMS will install all the various parts and components. When it’s done and prompts you, hit enter to start the funny LILO looking configuration wizard (at this point it’s installed, we’re just going to config it). At the Welcome screen, click Next and you will find yourself at the Mail Hostname and Internet Domain screen. Here, type the domain that you’ll be accepting mail for (eg – krypted.com) and the name of the host that will accept mail for that domain. When you’re satisfied with your settings, tab to the Next button and press enter.
picture-11

Kerio Domain and Host Name

Next, you will be prompted to configure an administrative account, here enter the username and password you’d like to use to log into either the web administration console or the GUI administration console to access this server. When you are satisfied with your selections, select Next.
Kerio Admin Account

Kerio Admin Account

Next, select where Kerio will store its data. You can leave it at a default, but Kerio makes it easy by putting this into the configuration wizard to use your iSCSI SAN or some other path outside of the VM. This data can then be interchangeable with a Kerio install on, let’s say Mac OS X. When you have the path just as you’d like it, hit Finish.
Kerio Path

Kerio Path

Next, the KMS documentation will fire up in Firefox on your VM. Go ahead and type http://127.0.0.1/ into a new browser window and verify that the webmail screen opens up. Now would also be a good time for you to test localhost mail flow by sending a message to the server admin account you created earlier.picture-16You should also fire up the Kerio Administration Console, from the CentOS desktop. Once you authenticate you can use the Kerio Administration Console to perform most of the standard administrative tasks. Since we’re using a trial in this demo, the most important might be finding the expiration date of the trial. To find this, simply click on Kerio Mail Server at the root level of the configuration screens. Here, you can also register your software if you have a serial number.
KMS Administration Console

KMS Administration Console

You can, and should, also check the logs, configure message hygiene and setup any required users before you go further… Anyway, more on Kerio later (like AD/OD integration). But this quick tutorial should have you serving mail, sharing mailboxes, contacts and calendars and in general collaborating in 10 minutes or less (minus the download of course) – just think of that next time you’re pulling an all-nighter with Exchange 2007…

February 16th, 2009

Posted In: Kerio, Unix

Tags: , ,

Ever wonder if there’s something else out there other than Exchange?  Well, if you are a company with less than 400 accounts and you don’t need some of the more advanced features of Exchange, like site replication then Kerio might just be the app for you: http://www.kerio.com

May 11th, 2008

Posted In: Kerio

Tags: , ,

To setup an Out of Office message with Kerio Mail Server, log into the web portal to access your mail.  Then click on Settings and select Out of Office.  Move the bulleted option to I am out of office now and then type in the our of office message you’d like to use.  When finished, click on the OK button.

January 20th, 2008

Posted In: Kerio

Tags: , ,

Sometimes when you’re setting up permissions for certain folders using Microsoft Entourage, the process will fail.  If it does you can still set permissions using the web portal.  To do so, log into your webmail.  Then control-click the folder in question and click on the Access Rights… button.  Here, you will be able to define who can read, write or delete items.  Make sure that if you’re giving someone access to a folder that you don’t forget to give access to the parent folder (eg – the parent folder to INBOX is the root of your email hierarchy).  This is one of the more common mistakes we see there.

January 14th, 2008

Posted In: Kerio

Tags: , ,

Kerio has a variety of features available for mitigating the evil spam gremlins.  These include: 1 – SpamAssassin – Open Source spam filter 2 – Directory Harvest Attack Protection – track email coming in for non-existent users and limit the number allowed per host 3 – Policies – tag emails with X-Spam headers, then use local policies, etc.  Also write custom filters that identify certain keywords as spam 4 – RBL – A standard with mail servers, Realtime BlackList servers mark common spammers or hosts that do not meet a minimum criteria for being acceptable mail servers 5 – SPF – Rely on srv reccords from domains to specify what IPs are allowed to send mail as a domain 6 – Domain Name Verification – Seems simple enough, don’t accept mail if the domain doesn’t exist 7 – Connection throttling – Don’t allow more than a certain number of sockets to be opened from a given host 8 – SMTP whitelist and blacklist – always accept or always deny mail from a given host that can be defined in the Kerio Admin 9 – Microsoft Caller ID: http://download.microsoft.com/download/2/e/2/2e2850b8-2747-4394-a5a9-d06b5b9b1a4c/callerid_email.pdf 10 – Spam Repellent – delay the SMTP handshake process to deter spammers

June 23rd, 2007

Posted In: Kerio

Tags: , ,

Next Page »