Postfix & Courier & Letsencrypt

First of all, create your certificates (the regular way). I created one with multiple domains: webmail.rootspirit.com, mail.rootspirit.com, smtp.rootspirit.com.

In my case, as the mailserver and webserver are behind a proxy (postfix, imap, Roundcube Webmail), I create the certificate on the proxy (nginx) and scp the cert to the mail server. All this is automated with a tiny script.

For Postfix, edit main.cf and change/edit/add these lines (check the right path too!):

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dhparams.pem
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel=1
smtp_tls_loglevel=1

And restart postfix: /etc/init.d/postfix restart

As for Courier you’ll need to concatenate the files (again, check the path, it’s most likely /etc/letsencrypt/live/domain/xyz.pem):

cat /etc/ssl/letsencrypt/webmail.privkey.pem /etc/ssl/letsencrypt/webmail.fullchain.pem > /etc/ssl/letsencrypt/webmail.all.pem

Then edit both /etc/courier/pop3d-ssl and /etc/courier/imapd-ssl

And add/change the path of the certificate:

TLS_CERTFILE=/etc/ssl/letsencrypt/webmail.all.pem

And restart Courier: /etc/init.d/courier-imap-ssl restart && /etc/init.d/courier-pop-ssl restart
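The plain cat above writes the private key into a new file with whatever the current umask allows, often world-readable. The following is an added example, not part of the original post: a hypothetical helper, build_courier_pem, that checks both inputs, writes the combined file with mode 600 and moves it into place atomically. It assumes the Courier TLS daemons read the file as its owner; chown the result if your setup differs.

```shell
# Added example (not from the original post): build the combined
# key + chain PEM that TLS_CERTFILE points at, without exposing the key.
# Usage: build_courier_pem KEY FULLCHAIN OUT   (function name is hypothetical)
build_courier_pem() {
    key=$1 chain=$2 out=$3

    # Refuse inputs that are not what they claim to be.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "no private key block in $key" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || {
        echo "no certificate block in $chain" >&2; return 1; }
    if grep -q -- 'PRIVATE KEY-----' "$chain"; then
        echo "unexpected private key in $chain" >&2; return 1
    fi

    (
        umask 077                               # nothing is ever group/world readable
        tmp=$(mktemp "$out.XXXXXX") || exit 1   # same directory, so mv is atomic
        if cat "$key" "$chain" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
            exit 0
        fi
        rm -f "$tmp"
        exit 1
    )
}

# Example call with the paths used in this post:
# build_courier_pem /etc/ssl/letsencrypt/webmail.privkey.pem \
#     /etc/ssl/letsencrypt/webmail.fullchain.pem \
#     /etc/ssl/letsencrypt/webmail.all.pem
```

Because the file is replaced with a rename, Courier never sees a half-written certificate if the script runs while the daemons are up.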

Postfix delete mails from/to one address

Monit suddenly sending 18.000 e-mails? Gmail blocking your MX IP and delaying all other incoming e-mail that gets forwarded to your Gmail account?

Have no fear…

mailq | grep -F monit@hawk-62e9e0.botnet.corp.flatturtle.com | cut -d' ' -f1 | tr -d '*!' | xargs -rn1 postsuper -d

Edit the e-mail address.

Note: mainly a reminder for myself. 😉
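The grep one-liner only sees the first line of each queue entry, which carries the sender; recipients are listed on the indented lines that follow. The following is an added example, not part of the original post: a hypothetical function, queue_ids_for, that parses mailq output one entry at a time and prints the queue ID of every message whose sender or any recipient is exactly the given address.

```shell
# Added example (not from the original post). Function name is hypothetical.
# Usage: mailq | queue_ids_for ADDRESS
queue_ids_for() {
    # Drop the header line and the "(delivery problem ...)" reason lines,
    # then let awk read one queue entry per blank-line-separated paragraph.
    tail -n +2 | grep -v '^ *(' | awk -v addr="$1" '
        BEGIN { RS = "" }
        # $1 is the queue ID, optionally flagged * (active) or ! (on hold).
        # The trailing "-- N Kbytes in M Requests." summary does not match.
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ {
            # $2 = size, $3..$6 = arrival time, $7 = sender, $8.. = recipients
            for (i = 7; i <= NF; i++)
                if ($i == addr) {          # exact match, no regex surprises
                    sub(/[*!]$/, "", $1)   # postsuper wants the bare ID
                    print $1
                    break
                }
        }'
}

# Review the list first, then delete by feeding the IDs to postsuper on stdin
# (user@example.com is a placeholder address):
#   mailq | queue_ids_for user@example.com
#   mailq | queue_ids_for user@example.com | postsuper -d -
```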

Courier IMAP and auto deleting trash after 7 days

E-mails that had been deleted for over 7 days were automatically removed from the IMAP server. E-mail date was ignored (i.e. the mail could have been from 2010; the actual time in “Trash” counted). This didn’t happen to other folders (Sent, Archive, Spam). This recently happened and hadn’t happened before.

I had to restore my trash folder from backups every 7 days (yay for rdiff-backup).

It took me a while to figure it out… The problem first appeared in October, right after several big changes:

  • Yosemite update
  • Airmail to Airmail 2 update (I was convinced this was the root cause, looking at my clients instead of the server)
  • Android 5.0.x
  • Android Email app sunset, changes to GMail app
  • IPv6 working decently at home after updating my RPi to Fritzbox devices.
  • Random connection errors in GMail app (this was due to misconfigured DNS in the GMail app, causing the IPv6 catch-all to redirect to the webserver instead of the mailserver. It didn’t happen consistently because over mobile (4G & lower) there is no IPv6 and at home it randomly falls back to IPv4 as well. IPv4 DNS was well configured.)
  • Moving my ~100.000 deleted e-mails from “Deleted Items” (OS X Mail default) to “Trash” (Android & Courier default) to stop having to move them manually from one folder to the other every so often. => this was eventually the cause but I didn’t realize.

Being convinced it was most likely Airmail 2 and very maybe Android I had been looking in that direction.

Debugging was also extremely slow as I had to wait 7 days before being able to check if the changes I made helped anything.

I eventually figured out that it was not Airmail when I rebuilt my whole mail database and it defaulted back to putting my deleted mails into the Archive folder instead of Trash. Archive mails were kept over 7 days, but items in Trash were still removed.

That’s when I started looking at Courier IMAP config: /etc/courier/imapd (and not imapd-ssl).

There’s an option that says:

##NAME: IMAP_EMPTYTRASH:0
#
# The following setting is optional, and causes messages from the given
# folder to be automatically deleted after the given number of days.
# IMAP_EMPTYTRASH is a comma-separated list of folder:days.  The default
# setting, below, purges 7 day old messages from the Trash folder.
# Another useful setting would be:
#  
# IMAP_EMPTYTRASH=Trash:7,Sent:30
#
# This would also delete messages from the Sent folder (presumably copies
# of sent mail) after 30 days.  This is a global setting that is applied to
# every mail account, and is probably useful in a controlled, corporate
# environment.
#
# Important: the purging is controlled by CTIME, not MTIME (the file time
# as shown by ls).  It is perfectly ordinary to see stuff in Trash that's
# a year old.  That's the file modification time, MTIME, that's displayed.
# This is generally when the message was originally delivered to this
# mailbox.  Purging is controlled by a different timestamp, CTIME, which is
# changed when the file is moved to the Trash folder (and at other times too).
#
# You might want to disable this setting in certain situations - it results
# in a stat() of every file in each folder, at login and logout.
#
IMAP_EMPTYTRASH=Trash:7

Comment out that last line, and restart courier-imap(-ssl)… Simple as that.

This solved my issue.

I’m not sure when that config change happened (Debian update?) and I do not know who at Courier thought it was a good idea …. But sheesh.

Postfix + maildrop + recipient_delimiter

I suddenly noticed issues with Postfix not accepting e-mails that are tagged (“user+TAG@fqdn”) anymore. Even though it always had.

Postfix main.cf:

recipient_delimiter = +

Log snippet:

Apr 16 13:07:52 vm-dns-mail postfix/pipe[6119]: 55D1C2005E4: to=<user+test@rootspirit.com>, 
relay=maildrop, delay=0.06, delays=0.01/0/0/0.05, dsn=5.1.1, status=bounced 
(user unknown. Command output: Invalid user specified. )

Tried to find what’s wrong in MySQL, change the delimiter, Debug Maildrop, etc. Not much progress… 🙁 And after 6 hours I was starting to get annoyed.

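The clue was changing this line in master.cf, so that maildrop is called with ${user}@${nexthop} (the address without the +TAG extension) instead of the full ${recipient}: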

maildrop unix - n n - - pipe
 flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

to

maildrop unix - n n - - pipe
 flags=ODRhu user=vmail argv=/usr/bin/maildrop -w 90 -d ${user}@${nexthop}
 ${extension} ${recipient} ${user} ${nexthop}

Source where I ripped the line from.

Fixing GrowlMail with Mac OS X 10.6.7 and Mail 4.5

Add the following two lines to Info.plist:

<string>9049EF7D-5873-4F54-A447-51D722009310</string>
<string>1C58722D-AFBD-464E-81BB-0E05C108BE06</string>

Between

<key>SupportedPluginCompatibilityUUIDs</key>
<array>

And

</array>

You can find the Info.plist in:

~/Library/Mail/Bundles/GrowlMail.mailbundle/Contents/

Or

/Library/Mail/Bundles/GrowlMail.mailbundle/Contents/

If you already opened Mail (and received the disable warning), it’s probably in a folder named “Bundles (Disabled)”; just move the content to Bundles again.

You can do the same ‘hack’ with GPGMail; it’s located at

(~ or /)Library/Mail/Bundles/GPGMail.mailbundle/Contents/

These UUIDs can be found in these two files (they get updated every Mac OS X update, and thus break plugins each time):

/Applications/Mail.app/Contents/Info.plist
/System/Library/Frameworks/Message.framework/Resources/Info.plist