
Resolved
Since getting the server in place to handle my firewalling duties, it's also been a bit of a headache getting smaller features running and in place as I went along.

I know I've had the support of the forums behind me if I needed it, but the inner geek inside me wouldn't let it rest LOL

One of my plans was to be able to host/send my own emails. I got sick of receiving spam all the time from one of the accounts I had, so I wanted to put an end to it (like the old saying: if you want something done right in life, you gotta do it yourself).

So it was a bit of a challenge to see if i could get the things running i wanted.

Firewall? -> Check
Domain Name? -> Got it
Email Server? -> Finally entered testing phase last night (YAY!)
DNS Records? -> Touch wood, all good (I hope!)

I've spent the better part of 2 days working on testing the appropriate DNS records, making sure to give them enough time to populate as well (GRUMBLE!), and sending a multitude of test emails back and forth between my accounts.

Hopefully the testing phase for the email server will be finished in a few days to a week, so I can finally cancel my old ISP email. Basically I'll start to move the accounts over from today. Then once they flow correctly, I'll ring my old ISP and tell them to cancel my account completely.

I was almost about to give up a week or two ago on getting this feature running. I just walked away from it for a bit and cleared my head. Glad I did, as now it's just about all done. Let's Encrypt being added officially through the Marketplace, I think, was the thing which tipped it in my favour. That then started the rush of working out what records needed to match where for the certificate to not bitch at me LOL

Anyways, that's my rant for the week over.

How has YOUR install gone guys/gals?
Thursday, December 21 2017, 08:52 PM
Responses (12)
  • Tuesday, December 26 2017, 08:14 PM
    I thought I'd better start writing my notes, which is a good thing as I did not understand what I'd written and they did not cover updating the key.

    One thing I'd noticed is that the e-mails get signed three times going through my mail stack: client to server, server to amavis (spam filter) and amavis to external. This pollutes the headers a bit as you see three signatures. I've just tried playing around with setting:
    RemoveOldSignatures  True
    SoftwareHeader       no
    in /etc/opendkim.conf. The first just leaves the final signature; the second removes the "DKIM-Filter" headers (x3).
  • Tuesday, December 26 2017, 07:50 PM
    Nick Howitt wrote:

    DKIM was not too bad to get going. I used a combination of a couple of CentOS instructions I found. I scored an own goal in that I had the parameter "localize-queries" set in dnsmasq. This stopped all DNS lookups for my domain escaping my server (you'll find heaps do), but it also stopped the test lookup to my DKIM record. That took a while to diagnose.

    With DKIM you are recommended to create new keys every few months and leave the old one active for about two weeks after you publish a new one. I am not good at this discipline.

    For DKIM and SPF have you set your records to fail the mail if either test fails? So far I have not had the confidence to do it and left both tests as neutral. I'd be interested in knowing what you've done, although I suppose you should not set up DKIM to fail for a couple of weeks yet.

    I doubt if I'll go down the S/MIME route. There seems to be too much to do with webmail. Also I effectively use a couple of external POP accounts which are set up to auto-forward e-mail to me and I have not got the time to get my head round all the implications.

    If you are using Let's Encrypt for e-mails, have you hooked onto the certificate renewal mechanism so it restarts postfix and cyrus-imapd when the certificates are renewed? Triggers go in /var/clearos/events/lets_encrypt, fired off by /sbin/trigger each time a renewal happens. It looks like you can just drop another file into the folder, and I think it is the intention to allow the file to be created by the webconfig, but it is not there yet. I need to test again, but when I tried Let's Encrypt for e-mails I found I had to go round my clients accepting the new certificate (for both sending and receiving), so I may have been missing a trick and stopped it for the moment.


    When I get back home today, Nick, I'll type a bit more of what I found getting SPF/DKIM/DMARC running. I've got a major network rebuild happening today :D so I have a full day ahead of me.
  • Tuesday, December 26 2017, 10:01 AM
    DKIM was not too bad to get going. I used a combination of a couple of CentOS instructions I found. I scored an own goal in that I had the parameter "localize-queries" set in dnsmasq. This stopped all DNS lookups for my domain escaping my server (you'll find heaps do), but it also stopped the test lookup to my DKIM record. That took a while to diagnose.

    With DKIM you are recommended to create new keys every few months and leave the old one active for about two weeks after you publish a new one. I am not good at this discipline.

    For DKIM and SPF have you set your records to fail the mail if either test fails? So far I have not had the confidence to do it and left both tests as neutral. I'd be interested in knowing what you've done, although I suppose you should not set up DKIM to fail for a couple of weeks yet.

    I doubt if I'll go down the S/MIME route. There seems to be too much to do with webmail. Also I effectively use a couple of external POP accounts which are set up to auto-forward e-mail to me and I have not got the time to get my head round all the implications.

    If you are using Let's Encrypt for e-mails, have you hooked onto the certificate renewal mechanism so it restarts postfix and cyrus-imapd when the certificates are renewed? Triggers go in /var/clearos/events/lets_encrypt, fired off by /sbin/trigger each time a renewal happens. It looks like you can just drop another file into the folder, and I think it is the intention to allow the file to be created by the webconfig, but it is not there yet. I need to test again, but when I tried Let's Encrypt for e-mails I found I had to go round my clients accepting the new certificate (for both sending and receiving), so I may have been missing a trick and stopped it for the moment.
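The renewal hook discussed in the post above, written out as an added example; it is not ClearOS code and not something either poster published. It assumes the trigger mechanism works as described (a script dropped into /var/clearos/events/lets_encrypt is run by /sbin/trigger on every renewal); the certificate path, the state-file path and the service unit names are placeholders to adjust. It hashes the certificate file and only acts when the hash differs from the one recorded last time, so a trigger that fires without a real renewal, or fires twice, does not bounce the mail services, and it uses `systemctl reload` rather than a restart so open SMTP and IMAP sessions survive.

```python
#!/usr/bin/env python3
"""Reload postfix and cyrus-imapd only when the Let's Encrypt certificate changed.

Added example, not ClearOS code. Assumed (not confirmed by the thread):
  - this file lives in /var/clearos/events/lets_encrypt/ and is executed by
    /sbin/trigger after each renewal;
  - CERT_PATH, STATE_PATH and SERVICES are placeholders for the real box.
"""
import hashlib
import os
import subprocess
import sys

CERT_PATH = "/etc/letsencrypt/live/mail.example.com/fullchain.pem"  # assumed path
STATE_PATH = "/var/lib/mail-cert-hook/last-fingerprint"             # assumed path
SERVICES = ("postfix", "cyrus-imapd")                                # assumed unit names


def fingerprint(path):
    """SHA-256 of the PEM file: a cheap, exact way to see that renewal replaced it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def cert_changed(cert_path, state_path):
    """True if the certificate differs from the one recorded in state_path.

    Records the new fingerprint when it changed. The first call (no state file
    yet) always returns True, so the services get one reload on installation.
    """
    current = fingerprint(cert_path)
    previous = None
    if os.path.exists(state_path):
        with open(state_path) as f:
            previous = f.read().strip()
    if previous == current:
        return False
    state_dir = os.path.dirname(state_path)
    if state_dir:
        os.makedirs(state_dir, exist_ok=True)
    with open(state_path, "w") as f:
        f.write(current + "\n")
    return True


def reload_services(services=SERVICES, run=subprocess.run):
    """Reload each service; return the names that failed.

    `run` is injectable so the logic can be exercised without systemd.
    """
    failed = []
    for svc in services:
        if run(["systemctl", "reload", svc]).returncode != 0:
            failed.append(svc)
    return failed


def main():
    if not cert_changed(CERT_PATH, STATE_PATH):
        print("certificate unchanged; nothing to do")
        return 0
    failed = reload_services()
    if failed:
        print("reload failed for: " + ", ".join(failed), file=sys.stderr)
        return 1
    print("reloaded " + ", ".join(SERVICES))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

After installing it (executable bit set), a renewal can be verified from outside with `openssl s_client -starttls smtp -connect mail.example.com:587` and checking the dates on the certificate the server now presents; if the dates are still the old ones, the hook never ran or the reload failed, and the exit status above is what /sbin/trigger will see.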
  • Monday, December 25 2017, 10:26 PM
    Nick Howitt wrote:

    According to this, postfix (2.10 in ClearOS) delays for 300s which is, miraculously, the same as the default delay in the greylisting app. It looks easily tweakable.

    I also have a somewhat modified postfix heavily tightening down on spam (but potentially OTT). I also do not allow any external user/pass access on port 25 and leave that to STARTTLS/587, and that is a manual config. By default (due to a bug?) ClearOS allows user/pass access to SMTPS/465 even if authentication is turned off. This (or STARTTLS) is great if you want to relay from, say, a smartphone when out and about, as most bots only try to brute force port 25. All you need to do is open tcp:465. Then tcp:25 can be left for just receiving external e-mails. I'm a bit lazy and have not set up the PCs at home to use 465 except the laptop, so I use trusted networks for that. A bit less secure. If you do open up the mail server to external user/pass access, I recommend using the Attack Detector app (or fail2ban, the underlying package).

    I'll see if I can write up DKIM sometime. Probably after Jan '18.


    I suppose it's the inner geek in me, Nick, but I forged ahead and got the following items working flawlessly:

    DKIM
    DMARC

    So now my SMTP server is running the Let's Encrypt digital certificate, plus it's got the aforementioned modules running.

    DKIM: I can understand why it was a PITA to get going. So many sites recommend you do this and that, when they didn't all work.

    About 2 days was all it took me to get DKIM & DMARC running (Google recommends running DMARC in reporting mode till it's settled, then slowly ramping it up, which is what I'm doing).

    Now all that's left is to get my damn SMTP server to run S/MIME, that's it.
  • Friday, December 22 2017, 03:51 PM
    According to this, postfix (2.10 in ClearOS) delays for 300s which is, miraculously, the same as the default delay in the greylisting app. It looks easily tweakable.

    I also have a somewhat modified postfix heavily tightening down on spam (but potentially OTT). I also do not allow any external user/pass access on port 25 and leave that to STARTTLS/587, and that is a manual config. By default (due to a bug?) ClearOS allows user/pass access to SMTPS/465 even if authentication is turned off. This (or STARTTLS) is great if you want to relay from, say, a smartphone when out and about, as most bots only try to brute force port 25. All you need to do is open tcp:465. Then tcp:25 can be left for just receiving external e-mails. I'm a bit lazy and have not set up the PCs at home to use 465 except the laptop, so I use trusted networks for that. A bit less secure. If you do open up the mail server to external user/pass access, I recommend using the Attack Detector app (or fail2ban, the underlying package).

    I'll see if I can write up DKIM sometime. Probably after Jan '18.
  • Friday, December 22 2017, 02:35 PM
    No worries, Nick :)

    I did think about deleting those 2 certificates, but atm I've been able to get the Let's Encrypt certificate working flawlessly with the box/domain/mail server. Absolutely no issues/errors. I'd be keen to know about the ca-cert & sys-0-cert thing too, if you can ever find it out.

    As I've seen over the years from having worked in small business/corporate IT providers, if you're intending to send emails and don't want to be blacklisted, you NEED an MX & SPF/TXT record, appropriately set up. Then it's just a case of waiting for the ever-popular DNS propagation to take effect. My domain atm is with GoDaddy (cost me $1.39AUD for 1yr, cannot argue with that).

    Don't even start to mention those damn SPF records >_>. Once you've gotten your head around the logic of them, they really aren't that bad.

    I'd certainly be keen on DKIM; I was reading about that too. The other thing atm I'm doing some research on is postfix SMTP bouncing errors, as it seems a lot of email servers out there implement a greylist for new domains which they haven't seen before, to see if they are spam or not. A good mate of mine who came over today and helped me rewire the phone sockets sent me an email; I replied, and I watched the maillog as it was going (yes, I know, I'm such a geek), and I could see that postfix on ClearOS seems to be rather brutal when it comes to the resending of emails if the first one gets rejected. It doesn't seem to wait that long before it tries again... and again... and again, before it gets blacklisted/bounced by the receiving email server.

    Waiting for a little while and then trying again, it goes through, but it's still a PITA that it does it anyway. So another possible tweak you could offer is for the mail retransmit delay, to have a few options available (research told me it's apparently 4000 sec or something low, but maybe offer a choice between the default 4000, 6000 for medium delay & 8000 for long delay). This would enable users who are experiencing issues with 450/550 errors to overcome/alleviate it.

    The first run wizard would be good, but the logic behind it would probably need a bit of work. And I also use the same domain internally as I do externally. But then I'm never truly satisfied with just leaving something at default, so like the SMTP server, I just have to tweak hahaha
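A small model of the retry behaviour the two posts above are describing (the 300s delay that lines up with the greylisting app, and the "4000 sec" figure), added here as an illustration; it is not code from Postfix, ClearOS or either poster. It uses the documented Postfix parameters with their 2.10 defaults (minimal_backoff_time 300s, maximal_backoff_time 4000s, queue_run_delay 300s, maximal_queue_lifetime 5d) and one simplification: a deferred message is retried on the first deferred-queue scan after its backoff expires, so real timings can drift by up to one scan interval and with load. It shows why the first retry clears a 300s greylist and what raising maximal_backoff_time to the suggested 6000s actually changes.

```python
"""Approximate Postfix deferred-delivery retry schedule.

Added example, not from Postfix or the thread. Model: the wait after each
failed attempt doubles from minimal_backoff_time up to maximal_backoff_time;
a retry happens on the next deferred-queue scan (queue_run_delay) after that
wait; the message is bounced once it has been queued longer than
maximal_queue_lifetime. Real Postfix also depends on scan phase and load.
"""

# Postfix 2.10 main.cf defaults, in seconds
DEFAULTS = {
    "minimal_backoff_time": 300,
    "maximal_backoff_time": 4000,
    "queue_run_delay": 300,
    "maximal_queue_lifetime": 5 * 24 * 3600,
}


def retry_schedule(params=None, max_attempts=500):
    """Elapsed seconds (from the first failed attempt at t=0) of each retry."""
    p = dict(DEFAULTS, **(params or {}))
    min_b, max_b = p["minimal_backoff_time"], p["maximal_backoff_time"]
    scan, lifetime = p["queue_run_delay"], p["maximal_queue_lifetime"]
    times = []
    t, backoff = 0, min_b
    for _ in range(max_attempts):
        due = t + backoff
        # retries are only picked up by a queue scan: round up to the next one
        t = -(-due // scan) * scan
        if t > lifetime:
            break                      # queue lifetime exceeded: bounce instead
        times.append(t)
        backoff = min(backoff * 2, max_b)
    return times


def passes_greylist(params, greylist_delay):
    """True if the first retry arrives no sooner than the receiver's greylist window.

    A retry inside the window is deferred again (the 450 the post mentions), and
    the sender's backoff keeps growing in the meantime.
    """
    sched = retry_schedule(params, max_attempts=1)
    return bool(sched) and sched[0] >= greylist_delay


def time_to_bounce(params=None):
    """Elapsed time of the last retry before the message is bounced."""
    sched = retry_schedule(params)
    return sched[-1] if sched else 0


if __name__ == "__main__":
    for label, params in (("default", {}), ("max 6000", {"maximal_backoff_time": 6000})):
        print(label, retry_schedule(params)[:6], "bounce after", time_to_bounce(params))
    print("clears 300s greylist:", passes_greylist({}, 300))
```

With the defaults the retries fall at 300, 900, 2100, 4500, 8700, 12900 seconds and so on, 105 attempts before the 5-day bounce. Raising maximal_backoff_time to 6000 only stretches the gaps after the fourth retry; the first retry is still minimal_backoff_time, which is the one a greylisting receiver looks at, so a receiver with a window longer than 300s needs minimal_backoff_time raised instead. Both go in /etc/postfix/main.cf followed by `postfix reload`.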
  • Friday, December 22 2017, 02:06 PM
    Thanks for posting back. It looks like most of the issues were somewhat external. Like you, I also use cyrus-imap.

    For certificates, you should have been able to delete your ca-cert.pem and sys-0-cert.pem and regenerate them with your own domain, which (I think) comes from the domain setting in Network > Settings > IP Settings, but I would need to check. *But* this would not have got rid of the login warnings, as the certificate is self-created rather than set up with a trusted CA. You can get your browser to create an exception, and you can import your own CA into the browser if you want. The only real way round it is to use a proper certificate signed externally, and Let's Encrypt, being free and integrated, is great for that.

    I don't think you need an MX record if your A record points to you (which it may not if you have a dynamic IP). My A record did not used to point to me when I used an external registrar for my domain, but when I switched to Clearcenter, they can handle an A record with a dynamic IP. Also with Clearcenter as your Domain registrar (or DNS provider - the functions can be split) you get the added benefit of MX backup so if you go off-line for up to a week they will temporarily store your mail. Great if your IP keeps changing.

    SPF is a PITA if you have a dynamic IP as I do. It means, to avoid blacklists, you have to relay out via your ISP's SMTP servers (or third party ones) and "include" their SMTP servers' SPF record in yours and this info can be hard to find.

    If you ever want DKIM, I've done it but I never got round to writing it up.

    I like your idea for the first run wizard. Again I need to check, but it may already just about do that for mail, though that assumes you understand the meaning of the questions when they pop up in the wizard. I use the same domain internally and externally, but there is no requirement to do so, and if you don't, it muddies the waters.
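An added example (not code from the thread, from ClearOS or from any of the posters) that covers the policy questions raised across the posts above: whether SPF and DMARC are set to fail mail or left soft/neutral/report-only, and whether a DKIM selector actually carries a published key, since an empty p= is how a rotated-out selector is revoked. The zone data is constructed: the domain, the dec17 selector, the include target and the key blob (a base64 string of the right DER shape and 2048-bit size, not a real key) are all made up. On a real system the three records are fetched with `dig +short TXT <name>`, ideally against a public resolver so the dnsmasq localize-queries trap described earlier cannot hide a missing record.

```python
"""Parse SPF, DKIM and DMARC TXT records and report how strict each policy is.

Added example, not from the thread or ClearOS. All zone data below is
constructed sample input; nothing is fetched from DNS.
"""
import base64

# Fake SubjectPublicKeyInfo: DER SEQUENCE header (length 0x122 = 290) plus padding.
# Same size as a real 2048-bit RSA key (294 bytes, 392 base64 chars); not a real key.
FAKE_KEY = base64.b64encode(b"\x30\x82\x01\x22" + b"\x00" * 290).decode()

ZONE = {  # constructed sample records
    "example.com":                  "v=spf1 mx a:mail.example.com include:_spf.isp.example -all",
    "dec17._domainkey.example.com": f"v=DKIM1; k=rsa; p={FAKE_KEY}",
    "_dmarc.example.com":           "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r",
}


def parse_tags(record):
    """Split 'tag=value; tag=value' (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_policy(record):
    """Classify the SPF 'all' mechanism: -all hard fail, ~all soft fail, ?all neutral, +all pass.

    '+all' lets anyone send as the domain, so it is effectively no policy at all.
    """
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "hard", "~": "soft", "?": "neutral", "+": "pass"}[qualifier]
    raise ValueError("SPF record has no 'all' mechanism")


def dkim_key_ok(record):
    """True if the DKIM record is well-formed and publishes an RSA key.

    An empty p= is the RFC 6376 way of revoking a selector, so a selector that
    has been rotated out legitimately returns False here.
    """
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False
    pub = tags.get("p", "")
    if not pub:
        return False
    try:
        der = base64.b64decode(pub, validate=True)
    except ValueError:               # binascii.Error is a ValueError
        return False
    return der[:1] == b"\x30"        # DER SEQUENCE: start of SubjectPublicKeyInfo


def dmarc_policy(record):
    """Return the DMARC disposition for failing mail: 'none', 'quarantine' or 'reject'."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    p = tags.get("p", "")
    if p not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC p= missing or invalid")
    return p


def audit(zone, domain, selector):
    """Summarise the three records for a domain and selector."""
    return {
        "spf": spf_policy(zone[domain]),
        "dkim_key_published": dkim_key_ok(zone[f"{selector}._domainkey.{domain}"]),
        "dmarc": dmarc_policy(zone[f"_dmarc.{domain}"]),
    }


if __name__ == "__main__":
    print(audit(ZONE, "example.com", "dec17"))
```

For the sample zone the audit reports SPF hard fail, a published DKIM key for dec17, and DMARC p=none, which is the report-only stage mentioned above; the ramp-up is p=quarantine (optionally with pct=) and then p=reject, and the `rua=` reports are what tell you whether legitimate mail (forwarded POP accounts included) would be caught before you tighten it. Run the same audit against the old selector a couple of weeks after a key rotation to confirm it has been emptied rather than left publishing a key you no longer use.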
  • Friday, December 22 2017, 04:50 AM
    Hi Nick,
    Well, in the end I went with cyrus-imap. I've been sending emails back & forth now, and am slowly, over the coming week/s, switching to email hosted by me instead of externally.

    The biggest issues I had while setting up? Before you guys added Let's Encrypt to the marketplace, it was chaos. Unable to get a certificate running properly to match up to my domain.

    That was the other thing as well: getting the certificate to match up with my box, so I didn't get errors when I logged in. Then there were the DNS records I had to wrestle with. The two BIGGEST PITAs were the MX & TXT/SPF records.

    The rest were easy, but finding the right settings between the domain name, the server & the email program so they all synced up gave me a hell of a challenge.

    I'll probably upgrade to the Home edition in the next few weeks just to get some of the added rules that come with the IDS/IPS.

    What def would be cool is if there was an option during setup (or that can be run at any time) that assists with the settings update required when establishing a server on a domain (with an external-facing domain name).

    So if it asked "Do you have a domain you wish to use for this install?" with a selector box to choose between Mail and/or Web. Then you just put your details in and, assuming you have your DNS records mapped correctly, the module would then change the settings on ClearOS to suit.

    That's just me thinking out loud, lol

    Apart from that, she's all smooth sailing now
  • Thursday, December 21 2017, 11:02 PM
    Welcome to the fun! Time to go snag the Plex Media app and watch a movie with your popcorn. :)
  • Thursday, December 21 2017, 10:37 PM
    Welcome aboard!

    It would be great if you could post where you had difficulties with either ClearOS or your external system.

    Which mail solution did you go for? Cyrus-imap or Zarafa/Kopano?
  • Thursday, December 21 2017, 10:06 PM
    Oh, for me I'd done a lot of research over the past few months about different firewalling distros. Tried just about all of them.

    In the end it was the modularity of ClearOS that got me :)

    Now I'm happy that I might finally be able to save myself a bit of extra money (heh) by cancelling the old ISP email. It's $30AUD a year ($2.50AUD a month), so not much, but it still means if testing finishes OK, I'll save that money.

    And possibly end up adding extra features later as well, lol
  • Thursday, December 21 2017, 09:58 PM
    Derek, Well done and welcome to a new world! :) Looking forward to providing more valuable applications and services over the months, quarters and years to come. How did you hear about CLEAR?