User Tools

Site Tools


mail_setup50

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
mail_setup50 [2019/02/13 10:23]
root
mail_setup50 [2020/06/11 15:45] (current)
zog
Line 1: Line 1:
-=====Mailserver settings=====+=====Settings=====
  
-The "​Settings"​ module is located in the "​Mail"​ menu. This module ​allows to set up the mail server and contains three tabs: "​Settings",​ "Antispam" and "​Address book".+The "​Settings"​ module is located in the "​Mail"​ menu. This module ​is designed for configuring ​the mail server and contains three tabs: "​Settings",​ "Spam protection" and "​Address book".
  
-====="​Settings"​ tab=====+==== The "​Settings"​ tab====
  
-====The network ​settings ​part.====+=== Network ​settings. ===
  
-{{en50-ics-mail-settings01.png}}+{{:​mail_setup1.png?|}}
  
-The SMTP/​POP3/​IMAP port allows to change ports of receiving and sending ​mail from standars. The SMTP/​POP3/​IMAP interfaces allow to choose server'​s interfaces, that are used for send and receive mail. By default all interfaces are used. When you mark the checkbox "​**Create allow rule automatically**",​ the allow rule for SMTP/​POP3/​IMAP ports will be created. You can navigate to the rule list and theirs settings using the hyperlink "Mail server access"​.+SMTP/​POP3/​IMAP port allows ​you to change ​the standard ​ports for receiving and sending ​emails
  
-====The sending mail part.====+The "SMTP interfaces"​ and "​POP3/​IMAP interfaces"​ fields are intended for specifying the interfaces established on the ICS CUBE, on which the SMTP/​POP3/​IMAP protocols will work. By default, work is done on all interfaces
  
-{{en50-ics-mail-settings2.png}}+If you select the "​Automatically create a permitting rule" flag, the permitting rule will be set in the firewall for SMTP/​POP3/​IMAP ports. You can go to the list of permitting rules and their settings by clicking on the "​Access to the mail server"​ hyperlink that appears.
  
-The following settings are nesessary for setting up restrictions for mail sending:+=== Encryption. ===
  
-The **"Maximum size"​** ​field - sets the restriction for attachments ​in webmail (built-in roundcube client).+The ICS CUBE mail server by default works in the **"Not use"​** ​mode using the SMTP, POP3/IMAP protocols. We recommend using this mode only on a secure network, since in this mode, hackers can get information about the User's name and password by listening to the channel.
  
-The **"Restrict frequent mail sending"​** ​sets restrictions for mail sending using ICS CUBE mail server.+The **"May use"​** ​mode. If the client software does not support encryption, the password is transmitted over an unencrypted channel, in plain text. If the client software supports encryption, authorization occurs already inside the encrypted connection.
  
-The **"Maximum amount of mails allowed from one IP-address per minute"​** ​sets the maximum amount of mail that can be sent from one IP-address per minuteThis restriction doesn'​t affect mailsent from web-interface of preset e-mail client.+The **"Use"​** ​modeIn this modewhen users log in via SMTP, POP3/IMAP, or STARTTLS, the password is transmitted only inside the encrypted connection.
  
-- The **"Ignore when sending mail from addresses and networks from white list"** sets an exception in the "Restrict frequent mail sending" ​restriction for IP-addresses ​and networks that are specified in the "White list" below.+Configuration of the "Encryption" ​block for the "May use" and "Use" ​modes is described ​below.
  
-====The mail queue part.====+{{:​mail_setup2.png?|}}
  
-Mail messagesthat weren'​t ​sent, are placed ​in the mail queue for re-sending.+  * The "SMTP certificate"​ field allows you to select a certificate for the SMTP protocol from the ones set up on the ICS CUBE. It enables the use of an encrypted connection using the STARTTLS method over the use of a normal TCP connection over the SMTP protocol on the standard port 25. This encryption is a compromise. If the remote party does not support encryptionthe message will be sent/received over the non-encrypted SMTP protocol. 
 +  * The "​POP3/​IMAP certificate"​ field allows you to select a certificate for POP3/IMAP/ protocols from the ones set up on the ICS CUBE. It enables the use of an encrypted connection using the STARTTLS method over the use of a normal TCP connection using the POP3/IMAP protocols on standard ports 143/110respectively. 
 +  * The "​Enable SMTPS" and "​Enable POP3S/​IMAPS"​ flags enable encryption for SMTPS, IMAPS, and POP3S protocols on non-classic ports in parallel to ports 25/110/143. The main difference is the mandatory use of encryption; a compromise is not possible. The ICS CUBE mail server uses only the TLSv1, TLSv1.1, and TLSv1.2 cryptographic protocols. SSL2 and SSL3 usage for security purposes is disabled. 
 +  * The "SMTPS port", "POP3S port", and "IMAPS port" fields allow you to set port numbers for the SMTPS, IMAPS, and POP3S protocols, respectively. 
 +  * The "DH (Diffie-Hellman) key length"​ field allows you to set the key length for STARTTLS encryption and for TLS cryptographic protocols of various versions, when using the IMAP/POP3 and IMAPS/POP3S protocols. Please note that the recommended key length is 2048 bits, and by default it is 1024 bits to optimize the first launch of the ICS CUBE.
  
-The following settings are nesessary for setting up different frequency when re-sending ​mail messages:+=== Mail sending. ===
  
-- The **"​Inverval between sending attempt"​** sets the time of daemon launch (daemon is the program, that works in background),​ which it will use to check the amount of time mail message spends in the queue (by default - 30 minutes).+{{:​mail_setup3.png?|}}
  
-The **"Waiting queue time"** field allows to set amount of time for a mail message ​in queue, while daemon will try to re-send this message from queue (by default from 180 to 300 minutes). For example, ​the message wasn't sent, and daemon is launched by default every 30 minutes, which means, than daemon will be launched in "delta" ​time when delta can be between 0 and 30 minnutes. So, the re-sending will be performed in 180+deltaIf re-sending hasn't happened, the mail message will return ​to the queue, ​the queue timer for this message becomes 0 and the minimum value (in our case, 180 minutes) for this letter will change automatically,​ but will not be above maximum. Attempts will follow until the general time of mail message being in the queue will not reach the value set for "Maximum amount of time for mail to be in queue".+The following settings are necessary for setting various restrictions when sending emails: 
 +  ​The "Maximum message size" field sets limit on uploading attachments via web mail (built-in roundcube client). 
 +  * The "​Restrict frequent mail sending"​ flag enables restrictions on sending emails via the ICS CUBE mail server. 
 +  * The "Maximum number of messages from one IP per minute" ​field sets the maximum number of emails sent per minute from one IP-addressThis restriction does not apply to emails sent from the web interface of the pre-installed email client. 
 +  * The "​Ignore sending mails from permitted addresses ​and networks"​ flag creates an exception ​in the "​Restrict frequent ​mail sending"​ restriction for IP-addresses and networks specified ​in the "Whitelist" ​section below.
  
-- The **"​Maximum amount of time for mail to be in queue"** field - allows to set the maximum time that mail message will be kept in the queue, after which the sender will receive a notification that the message wasn't sent (by default, 5760 minutes).+=== Mail queue. ​===
  
-====The sending using external SMTP part.====+Mail messages that were not sent are placed in the queue for resending.
  
-{{en50-ics-mail-settings03.png}}+{{:​mail_setup4.png?|}}
  
-In ICS CUBE you can set up the mail sending via different SMTP-server for all messages ​except the ones meant for local domain or receiver. To turn on sending ​via different SMTP-server, ​you need to set its address ​(domain name or IP-address) in the "default ​relay" field and set the port for the connection. The "​SSL"​ checkbox is used only for SMTPS connection via 465 port. So, to send mail to the 465 portthis checkbox ​is mandatory. For connecting via 25 port, the SSL checkbox shouldn'​t be marked because connection encryption using STARTTLS will be set by default, ​if the remote side supports it. If the external SMTP-server requires user authenticationthen the checkbox "Use SMTP-authorization"​ should be marked and the login and password should be set. Please note that for sending ​mail messages via SMTP servers mail.ru / yandex.ru / gmail.com etc the "​Switch ​the sender'​s name" checkbox should be markedbecause ​for these mail servers ​it is nessesary that the sender'​s address (the FROM header) matches ​the user that passed authorization,​ and also set the sender address ​in the "Sender address" field.+The following settings are necessary for setting different time intervals when sending ​mail messages ​again: 
 +  * The "​Interval between ​sending ​queued mails" field allows ​you to set the time when the daemon starts ​(the daemon is a program running in the background), after which it will check the time when the message is in the queue (by default, it is 30 minutes). 
 +  * The "Queue delay from ... to ..." field allows you to set the time interval ​for a message in the queuewhen the daemon will try to re-send this message from the queue (by defaultit is from 180 minutes to 300 minutes). For examplean email was not sent, and the daemon starts every 30 minutes ​by default, ​which means that the daemon will start after delta time, where delta can take a value from the interval - [0m;30m]. Thus, re-sending will be done after 180+delta. If re-sending did not occur, the message is re-placed in the sending ​queue, ​the time counter for the message being in the queue becomes zeroand the lower limit (in our case, 180 minutes) ​for this message will be shifted automatically,​ but it will not exceed ​the upper limit. Attempts to send an email will be repeated until the total time spent in the queue reaches ​the value specified ​in the "Maximum queue lifetime" field
 +  * The "​Maximum queue lifetime"​ field allows you to specify the maximum total time spent in the queue, after which the sender will be notified that their email was not sent (by default, 5760 minutes).
  
-====Whitelist part.====+=== Sending throuth external SMTP. ===
  
-{{en50-ics-mail-settings04.png}}+{{:​mail_setup5.png?|}}
  
-Allows ​to add list of IP-addresses and domainsfrom which ICS CUBE will receive ​mail without checking ​it with grey lists and DNS reverse zone check.+In the ICS CUBE you can configure outgoing mail to be sent via different SMTP server for all messagesexcept for messages the destination address of which is a local domain or recipient. In order to enable sending of outgoing ​mail through another SMTP server, ​it is necessary to enter its address (domain name or IP) in the "​Default relay" field and specify the connection port
  
-The **"Allowed networks"** field allows to set networks, that are specified in ICS CUBE network interfaces settingsTo send mail from this networkssender doesn'​t have to authorize via SMTP on ICS CUBEand ICS CUBE will always process mail from these networks without checking it with grey lists and DNS reverse zone check.+The "Use SMTPS" ​flag is only used for SMTPS connections on port 465Thusthe flag for sending messages ​to the destination port 465 is mandatory. When connecting to port 25the SSL flag should not be set, because encryption of the connection via the STARTTLS extension ​will be selected automatically,​ depending on the support of this method for encrypting the connection by the remote party
  
-- The **"Addresses from which sending is allowed"** field is the list of allowed IP-addresses,​ mailsersers (for example, @gmail.com), ​domains ​and mailboxes.+If the external SMTP server requires user authentication,​ you must set the "Use SMTP authentication" ​flag and specify ​the user's username and password. Please note that when sending mail messages via SMTP servers yahoo.com / gmail.com ​and so on, you need to set the "​Change sender email" flag, because for these mail servers, the sender'​s address (FROM headershall match the user who was logged in, and also set the sender'​s address in the "​Sender email" field.
  
-====Blacklist part (addresses from which sending is denied).====+=== Restriction lists. ===
  
-{{:en50-ics-mail-settings5.png}}+{{:mail_setup6.png?|}}
  
-Allows ​you to add a list of IP-addresses, mail servers ​(for example, @gmail.com), ​domains and mailboxes, from which ICS CUBE will always ​deny mail.+It allows ​you to add white and black address lists from which incoming correspondence is allowed or forbidden. When you click on the "​Whitelist"​ button, ​new dialog box will open, where you can add: IP-address, domain name, network (including the one created in the ICS CUBE), mail server ​(for example, @google.com), ​mailbox. ​ICS CUBE will always ​accept emails without checking grey lists and checking the correspondence of forward and reverse DNS records, as well as without authorization.  
 +** 
 +Attention! Only senders who are truly trustworthy should be included in this list.**
  
-====RBL ​(Real time Blackhole Listblack lists part.====+When you click on the "​Blacklist"​ button, a new dialog box will open, where you can add IP-address, domain name, network, mail server ​(for example, @google.com), mailbox. ICS CUBE will not accept emails from them.
  
-This block allows to add/delete hosts that contain RBL black lists. These lists are used for spam protection. When ICS CUBE receive mail, it request information from all the hosts from the list and checks whether sender'​s IP-address is in black list. If ICS CUBE gets positive response or none at all, the mail is considered to be spam. Then it drops the message and the reveiver gets bulked message 5xx (unmanagable error).+=== General settings===
  
-====Default authorization domain part.====+{{:​mail_setup7.png?|}}
  
-This block allows to choose a domain placed in ICS CUBE for client ​authorization. For example, you have a domain.local domain on ICS CUBE, and User has a mailbox with "​usermail"​ name. Then, if the "​domain.local"​ is specified in this field, user can access ICS CUBE mail server via client or web-interface using just "​usermail"​ and don't have to type "​usermail@domain.local"​.+== Default ​authorization domain. ​==
  
-====The ​"automatically create folders when mailbox ​is created" ​part.====+This block allows you to select a mail domain that is set up on the ICS CUBE during client authorization. For example, the ICS CUBE has a domain.local mail domain, and the user from this domain receives the "​usermail" mailbox ​name. Then when you select ​"domain.local",​ the user when accessing the ICS CUBE mail server via the mail client or via the web interface in the "User name" field can only specify "​usermail",​ and not usermail@domain.local.
  
-Allows to set a list of standart folders, that will be created in the mailbox. You can change this list if necessary.+== Drive for keeping mail==
  
-====Antivirus scan part.====+This block allows you to move the mail storage to a separate hard drive. By default, mail is stored in the primary system partition (where the ICS CUBE is installed). If you change the storage location of your mail, all emails will be copied from the current hard drive to the new one. You can track the progress of copying mail from drive to drive in the Menu – Maintenance – System – Tasks. If the new hard drive already contains files with mail, then copying will not be performed (only for ICS CUBE 5.1.7 and higher).
  
-This block enables antivirus scan for income and outcome mail messages. If the result is positive, the receiver will get a message from the antivirus with the result instead of the letter itself, and the letter will be attached in it. Antivirus scan (for ClamAV, DrWeb, Kaspersky to be used, the appropriate setup should be performed) is activated by checkbox near the antivirus name.+== Server name for SMTP HELO when sending email==
  
-The greylisting part. This part is meant for automate spam blockiration. When the checkbox "Use ICS CUBE's greylisting"​ is marked, ICS CUBE will track the activity of mailservers that send messages ​to ICS CUBE. You can find more about this method in the https://​ru.wikipedia.org/​wiki/​%D0%A1%D0%B5%D1%80%D1%8B%D0%B9_%D1%81%D0%BF%D0%B8%D1%81%D0%BE%D0%BA.+It allows you to specify ​the host name that will be passed in the SMTP HELO or EHLO command ​to the remote party when sending an email. 
 +  
 +== On creating a mailbox automatically create next folders==
  
-The greylisting setup contains three parameters - the "igore resending"​ field in seconds (it's supposed that valid mail server will not send a double mail message so soon); the "wait for resending"​ field in hours (it's supposed ​that the letter should be received before this time will exceed) the "​contain ​in the white list" field in days (it's supposed that the mail server that passed the test, will not be inspected again for this amount of days).+It allows you to set list of standard folders ​that are created ​in the mailbox. If necessary, you can change ​the composition.
  
-====The SMTP server name part.====+=== Anti-virus attachment check. ===
  
-Allows to set a hostname that will be sent in the SMTP HELO and EHLO commands to the remote server when the mail is being sent.+{{:​mail_setup8.png?|}}
  
-====The ciphering part.====+This block includes checking incoming and outgoing messages for viruses in them. If the result is positive, the recipient will receive a message about the results of this check instead of the email itself, and the email itself will be attached to the message. Anti-virus check (Clamav, Kaspersky Antivirus, you must perform the appropriate configuration to use the antivirus) is activated by setting the appropriate flag next to the name of the antivirus.
  
-By default ICS CUBE mail server doesn'​t use ciphering. You can set it up if you want to increase the level of mail security.+=== DKIM-signature===
  
-- The **"​SMTP certificate"​** field - allows to choose a certificate for SMTP protocol from the ones uploaded to ICS. It enables using ciphered connection via STARTTLS method over the ordinary tcp SMTP connection on 25 port. Thiw ciphering is a compromise. If the remote side doesn'​t support the ciphering, mail will be sent and received via unciphered SMTP connection.+{{:​mail_setup9.png?|}}
  
-The **"IMAP/POP3 certificate"*allows to choose ​certificate for IMAP/POP3 protocol ​from the ones uploaded to ICS. It enables using ciphered connection via STARTTLS method over the ordinary tcp IMAP/POP3 connection on 143/110 accordingly.+More information about DKIM-signatures can be found here: https://​en.wikipedia.org/​wiki/​DomainKeys_Identified_Mail 
 +  ​The "Verify DKIM-signature" ​flag. It enables checking of incoming emails for the DKIM-signature availability and correctness. 
 +  ​The "Add DKIM-signature"​ flag. It activates the addition of DKIM-signature to emails sent from ICS CUBE. 
 +  * The "​Selector"​ field. By default, ​the "​default"​ selector is used in ICS CUBESince there can be multiple mail servers for a single domain, you must create your own DKIM selector for each mail server in the same domain.
  
-- The **"​Enable SSL/TLS ciphering (SMTPS, IMAPS, POP3S)»** checkbox allows to enable ciphering for  SMTPS, IMAPS, POP3S protocols using non-typical ports in parallel with 25/110/143 ports. The main difference is that ciphering becomes mandatory and there can be no compromise. In ICS CUBE's mail server only TLSv1, TLSv1.1, TLSv1.2 protocols are used. The SSL2 and SSL3 using is disabled for security reasons.+=== Miscellaneous===
  
-- The **«SMTPS port», «POP3S port», «IMAPS port»** fields allow to set port numbers for SMTPS, IMAPS, POP3S protocols respectively.+{{:​mail_setup10.png?|}}
  
-====Use DLP part.====+== Use DLP. ==
  
-When enabledturn on the DLP check for mail messages ​(when the flag Menu - Security - DLP - Settings - "Use DLP for mail" ​is set), if the DLP module is correctly ​set up and running.+When the flag is setit enables ​the DLP module checking of emails ​(by setting ​the flag in Menu - Security - DLP - Settings - the "Use DLP for mail" ​flag), provided that the DLP module is correctly ​configured ​and that it is working.
  
-====The "hard drive for mail storage"​ part.====+== Recode subject to UTF-8. ==
  
-This part allows to move mail storage to a separate hard drive. By defaultmail is stored in the main system partition (where ​the ICS CUBE is installed). If the mail storage path will be changed, all stored mail will be copied from old drive to new. You can track the progress of the process in the Menu Service - System - Tasks. If the new hard drive already contains mail files, then copying will not be performed (ICS CUBE 5.1.7 and newer only).+If this flag is setmessages sent from the ICS CUBE mail server ​will have UTF-8 subject encoding.
  
-====Using signature part.====+== SMTPUTF8 support. ==
  
-Allows to set the signature automatically ​when the mail is created. It works only for Roundcube. Should be noted, that the signature will be automatically created only for the accounts that are added after this option is set. The changes in the signature will also be applied only to the mailboxes added after the changes were performed.+This flag enables / disables support of UTF-8 encoding ​when receiving and sending messages.
  
-You can use variables in the signature as [varname]. Possible variable values: cn (username), ou (group user is into), mail (mail address), description (the user's "​description"​ field), notes (user'​s "​notes"​ field), telephonenumber (the user's "​phone"​ field), title (the user's "​title"​ field), url (the user's "​web-site"​ field), postaladdress (the user's "​address"​ field), pager (the user's "​icq"​ field), ounotes (the user's group "​description"​ field). The values for the variables are taken from the user's description.+==== Spam protection====
  
-To insert images ​you can use the data:url encoding. This is done as following: using the service http://​dataurl.net/#​dataurlmaker (or a similar one) the image is converted to the <img src=«data:​image/​png;​…» …> format, and then the text is insert ​in the html-code of the signature.+In the **"​Spam protection"​ tab**, ​you can configure servers that contain black lists, ​as well as configure ​the operation mode of the grey list in the ICS CUBE.
  
-====The Roundcube part.====+{{:​mail_setup11.png?|}}
  
-Allows to upload and change the logo, icon and background of the roundcube interface.+=== DNSBL blacklists (DNS Blackhole List)===
  
-====The DKIM-signature part.====+This block allows you to add / remove hosts that contain DNSBL blacklists. These lists are used to fight spam. When receiving an email, the ICS CUBE mail server addresses all the hosts specified in this list and checks them for the IP-address of the sender from which it receives the message. If there is no response at all or at least a positive response from one of the hosts, ICS CUBE considers that an attempt is being made to receive spam messages. The message is not received, and the sender'​s server gets a 5xx error (fatal error).
  
-{{en50-ics-mail-settings6.png}}+=== Grey lists (Greylisting)===
  
-You can find more information ​about DKIM-signatures in the https://ru.wikipedia.org/​wiki/​DomainKeys_Identified_Mail.+This block is intended for installation of automatic spam blocking system. When you set the "Use grey lists" flag, the ICS CUBE will track the behavior of mail servers that send messages to the ICS CUBE. You can read about the blocking methodology at the following address: ​https://en.wikipedia.org/​wiki/​Greylisting_(email)
  
-The **"check DKIM-signature"** checkbox turnes on the scan of incoming on ICS CUBE mail for the presence and correctness ​of DKIM-signature.+Grey lists are set up according to three parameters ​the "ignore resending" ​field in seconds (it is assumed that a reliable mail server will not send an email again at this time); the "await resending"​ field is indicated in hours (it is assumed that the email should arrive not later than the specified time); the "keep in white list" field is indicated in days (it is assumed that the mail server that has passed ​the scan will not go through it for a certain number ​of days).
  
-- The **"​Create DKIM-signature"​** checkbox activates adding DKIM-signature to mail messages sent via ICS CUBE.+==== Address book====
  
-- The **"​Selector"​** field. By default, ICS uses the "​default"​ selector. Since for one domain there can be several mail servers, for each mail server in the domain its own DKIM-selector should be created.+{{:​mail_setup12.png?|}}
  
-====Theme transcoding part.====+The **"​Address book" tab** defines the parameters of the address book of the ICS CUBE mail server for client programs of the users. Here you can define the port on which LDAP is running, configure the Base DN parameter (LDAP search base, you can specify several of them using semicolons),​ enable or disable the use of the address book, and set the "Use ICS Address Book" flag
  
-Allows ​to set **"​transcode theme to UTF-8" parameter**. When this checkbox ​is marked, mail sent from ICS CUBE mail server, will have UTF-8 encoding.+Please note that this flag allows you to send the address book to all mail clients, but if this flag is setit is possible not to transfer the address book to Roundcube (the corresponding settings are made in the Menu - "​Mail"​ - "Web-mail" ​the "​Settings"​ tab).
  
-=====Anti-spam tab===== 
  
-In the anti-spam tab you can perform setup of mail filtering system, including turning on/off anti-spam filters, such as: SpamAssassin,​ Rspamd or Kaspersky. You can enable all three at once. SpamAssassin (https://​wiki.apache.org/​spamassassin/​RoundingIssues) allows to set a threshold for mail to be considered spam. If a mail is marked as spam, it will add an according text in the mail header. When threshold value is set to zero, all mail is considered to be spam. 
  
-Rspamd (https://​rspamd.com/​doc/​) allows to set a threshold for mail to be considered spam and also a threshold to deny mail. If a mail is marked as spam, it will add an according text in the mail header. When threshold value is set to zero, all mail is considered to be spam. 
- 
-For Kaspersky Antispam to work correctly you need to set this filter up. For using additional checking, like:: 
- 
-  * DKIM-signature test; 
-  * SPF test; 
-  * SURBL test 
- 
-you need to mark the appropriate checkboxes. 
- 
-=====The "​Address book" tab===== 
- 
-The "​Address book" tab is a list of settings for ICS mail server address book and for the user's mail clients. You can set the LDAP threshold here, set up the Base DN parameter (the LDAP search base, you can set several using semicolon), turn using address books in Roundcube web-interface on or off (the "Use ICS address book" checkbox). 
mail_setup50.1550042588.txt.gz · Last modified: 2019/02/13 10:23 by root