Mail server

From ArchWiki
Jump to: navigation, search

A mail server consists of multiple components. A mail transfer agent (MTA) receives and sends emails via SMTP. Received and accepted emails are then passed to a mail delivery agent (MDA), which stores the mail in a mailbox (usually in mbox or Maildir format). If you want users to be able to remotely access their mail using email clients (MUA), you need to run a POP3 and/or IMAP server.

+---------+  SMTP  +---+   +---+               +----------------+
|Other MTA| <----> |MTA| --|MDA|-> Storage <-- |POP3/IMAP server|
+---------+        +---+   +---+               +----------------+
                     ^                                 ^
                     |     SMTP    +---+               |
                     +-------------|MUA|---------------+
                                   +---+

Software

All of these software except Sendmail include a mail delivery agent.

  • Exim — A highly configurable mail transfer agent.
https://exim.org/ || exim
  • OpenSMTPD — A mail transfer agent, part of the OpenBSD project.
https://opensmtpd.org/ || opensmtpd
  • Postfix — A mail transfer agent, meant to be fast, easy to administer, and secure.
http://www.postfix.org/ || postfix
  • Sendmail — A well-known mail transfer agent.
http://www.sendmail.org/ || sendmailAUR

POP3/IMAP servers

  • Courier — A mail transfer agent, providing POP3, IMAP, webmail and mailing list services as individual components.
https://www.courier-mta.org/ || courier-mtaAUR
  • Cyrus IMAP — A mail transfer agent with a custom mail spool format, provides POP3 and IMAP services.
https://www.cyrusimap.org/ || cyrus-imapdAUR
  • Dovecot — An IMAP and POP3 server written to be secure, fast and simple to set up.
https://dovecot.org/ || dovecot
https://www.washington.edu/imap/ || imap

Standalone MDAs

  • fdm — A simple program for delivering and filtering mail.
https://github.com/nicm/fdm || fdm
  • Procmail — A program for filtering, sorting and storing email (unmaintained).
http://www.procmail.org/ || procmail

See also Wikipedia:Comparison of e-mail servers.

Ports

Purpose Port Protocol Encryption
Accept mail from other MTAs. 25 SMTP STARTTLS
Accept submissions from MUAs. 587 SMTP STARTTLS
465 SMTPS implicit TLS
Let MUAs access mail. 110 POP3 STARTTLS
995 POP3S implicit TLS
143 IMAP STARTTLS
993 IMAPS implicit TLS

Note that implicit TLS is more secure than STARTTLS because the latter is vulnerable to man-in-the-middle attacks, for more information see [1] and RFC:8314.

MX record

Hosting a mail server requires a domain name with an MX record pointing to the domain name of your mail transfer agent. The domain name used as the value of the MX record must map to at least one address record (A, AAAA) and must not have a CNAME record, otherwise you are breaking RFC 2181 and may not get mail from some mail servers. Configuring DNS records is usually done from the configuration interface of your domain name registrar.

TLS

Warning: If you deploy TLS, be sure to follow Server-side TLS to prevent vulnerabilities.

To obtain a certificate, see OpenSSL#Usage.

Authentication

There are various email authentication techniques.

Sender Policy Framework

From Wikipedia:

Sender Policy Framework (SPF) is an email validation protocol designed to detect and block email spoofing by providing a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain comes from an IP Address authorized by that domain's administrators.

To allow other mail exchangers to validate mails apparently sent from your domain, you need to set a DNS TXT record as explained in the Wikipedia article. To validate incoming mail using SPF you need to configure your mail transfer agent to use a SPF implementation. There are several SPF implementations available, libspf2, perl-mail-spf and perl-mail-spf-query can be found in the official repositories.

SPF validation support
Courier Yes, built-in
Postfix Yes
Sendmail through Milter and spfmilter-acmeAUR
Exim experimental, requires libspf2
OpenSMTPD No
Cyrus IMAP ?

The following websites let you validate your SPF record:

Tip: SPF can even be helpful for domains not used to send email. Publishing a policy like v=spf1 -all makes any mail server enforcing SPF reject emails from your domain name, thus preventing misuse.

Sender Rewriting Scheme

The Sender Rewriting Scheme (SRS) is a secure scheme to allow forwardable bounces for server-side forwarded emails without breaking the Sender Policy Framework.

For Postfix, see Postfix#Sender Rewriting Scheme.

DKIM

DomainKeys Identified Mail (DKIM) is a domain-level email authentication method designed to detect email spoofing.

Available DKIM implementations are OpenDKIM and dkimproxy.

Testing websites

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: There's also swaks. (Discuss in Talk:Mail server#)

There are several handy web sites that can help you test DNS records, deliverability, and encryption support.

Tips and tricks

Most mail servers can be configured to strip users' IP addresses and user agents from outgoing mail.

Available extras that can usually be integrated are: