Contents 1 Overview 2 Local E-Mail Delivery 2.1 Delivery Overview 2.2 Using user+extension@domain addresses 2.3 Delivery Errors 2.3.1 550 User unknown in virtual mailbox table 2.3.2 Causes of rejected local mail 2.4 Filtering 2.4.1 Default maildrop filter 2.4.2 Globally disabling per-user filter files 2.4.3 Selectively disabling per-user filtering 2.4.4 Deleting all messages marked spam 2.4.5 Filtering to an external program 2.4.6 Creating a spam trap 2.4.7 Using a single SpamAssassin instance 2.4.8 Complex filtering 2.5 Forwarding 2.5.1 Delays forwarding to Gmail 3 Sending E-mail 3.1 Logging In 3.1.1 Setup in Thunderbird 3.1.2 Setup in Outlook 3.1.3 Setup in Mail.app 3.2 Unable to send outgoing e-mail 3.3 "554 Relaying Denied" error message/Modifying SMTP port 3.4 Notes on maximum message size

Overview

Local E-Mail Delivery

Delivery Overview

Postfix accepts a message either for delivery on the server or to forward to an external address. All inbound messages destined to a user account on the server go through maildrop, while external addresses (forwarding) are slipped back into Postfix's queuing system for later delivery. Messages delivered locally onto the server follow two strict rules to prevent any one user from monopolizing delivery slots under high volumes of mail:

1. Postfix will only deliver one message at a time to a given recipient. This limitation is further enforced by the needs of maildrop and SpamAssassin for mutually exclusive access to its data files. For example, SpamAssassin does not support concurrent writing to the bayes database used to record spam/ham tokens.
2. Each delivery has a 5 second pause between deliveries. A cool-down is designed to allow other messages destined to other users on the server a chance to be delivered. Optimally, 20 messages could be delivered in no fewer than 60 seconds. SpamAssassin adds an additional 15 - 20 seconds of processing overhead, so in actuality it would be closer to 5 minutes.

maildrop implements pre-delivery processing, such as filtering and inbox organization. Syntax is fairly simple with full support of Perl-compatible regular expressions (PCREs). maildrop filter files are stored in two locations, /etc/maildroprc and $HOME/.mailfilter. /etc/maildroprc is the global filter applied to all user accounts, while per-user filtering may be added in $HOME/.mailfilter.

Using user+extension@domain addresses

Plussed e-mail addresses are supported on the server. The mail server will first check the listed e-mail addresses for a user named user+extension for the specified domain. If that user does not exist, then it will fall back to user. If the lookup succeeds, then the message will be delivered to user's mailbox.

Let's look at an example:

Mailbox Routes

Username	Domain	Destination	Type
msaladna	mydomain.com	/home/myuser/Mail	V
msaladna+test	mydomain.com	/home/anotheruser/Mail	V

Given the layout in Manage Mailboxes, an e-mail sent to msaladna+foobar@mydomain.com will be delivered to the user myuser (/home/myuser/Mail) while an e-mail addressed to msaladna+test@mydomain.com will be delivered to the user anotheruser (/home/anotheruser/Mail).

Delivery Errors

550 User unknown in virtual mailbox table

Once a user goes over quota and remains over quota for more than 5 days the e-mail accounts assigned to the user are disabled. To re-enable the account first make sure the user is back under quota via Disk Usage Watcher; adjust via Manage Users if necessary. Following the basic check, visit Manage Mailboxes to re-enable the disabled accounts. These accounts are grayed out and italicized. Click on the light bulb in the Actions column to re-enable. Any messages delivered after the account was disabled will remain undeliverable.

Causes of rejected local mail

Mail destined to a recipient on your account hosted with Apis may be rejected for the following reasons

• Lack of a sender domain, e.g. the message is sent from user instead of user@mydomain.com.
• SPF record mismatch (lookup SPF record)
• Address listed in SpamHaus
• Non-existent recipient, which may have been disabled as a result of going over its disk quota

Of all the reasons only the first one will not generate a failure notice informing you of the error. Naturally, the server can't send an e-mail without a domain name.

Filtering

Message filtering is done prior to delivery via maildrop. Each message goes through two levels of filters: (1) global -- processed first in /etc/maildroprc followed by (2) local per-user filters in $HOME/.mailfilter. Basic filtering recipes are provided below. Syntax and usage may be found in mailfilter(7).

SpamAssassin is invoked from the global maildrop filter, /etc/maildroprc. The following block of code passes the message off to SpamAssassin if it is smaller than 128 KB.

if ($SIZE < 131072)
{
        xfilter "/usr/bin/spamc -u $RECIPIENT"
}

Default maildrop filter

/etc/maildroprc
# Global maildrop rules go here
# See http://www.courier-mta.org/maildrop/maildropfilter.html for syntax
if ($SIZE < 131072)
{
        exception {
                xfilter "/usr/bin/spamc -u $RECIPIENT"
        }
}
 
DELETE_THRESHOLD=10.0
if (/^X-Spam-Flag: YES/)
{
        /X-Spam-Score: (\d+)/
        if ($MATCH1 >= $DELETE_THRESHOLD)
        {
                to /dev/null
        }
        else
        {
                to Mail/.Spam/
        }
}

Explanation

If the message size is smaller than 128 KB, hand it off to SpamAssassin. DELETE_THRESHOLD is the maximum score an e-mail may have if and only if it is labeled as spam. If the score is greater or equal to DELETE_THRESHOLD, then the message will be deleted by being sent to /dev/null otherwise deliver to the Spam mailbox on the server. This mailbox may be accessed through Webmail].

Globally disabling per-user filter files

Adding to $DEFAULT at the end of the global filtering file will deliver the message to the default mailbox, $HOME/Mail, and cease further processing.

Selectively disabling per-user filtering

LOGNAME holds the current username on the server. A simple check can be used to prohibit user filtering for a specific user.

/etc/maildroprc
if ($SIZE < 131072)
{
        xfilter "/usr/bin/spamc -u $RECIPIENT"
}
# User "bill" loves his spam
if ($LOGNAME ne "bill" && /^X-Spam-Flag: YES/)
{
        to /dev/null
}

Likewise to disable checking the filter file for a user, the above recipe can be further modified...

if ($SIZE < 131072)
{
        xfilter "/usr/bin/spamc -u $RECIPIENT"
}
# User "bill" loves his spam
if ($LOGNAME ne "bill" && /^X-Spam-Flag: YES/)
{
        to /dev/null
}
# But he's prohibited from adding any filter rules
if ($LOGNAME eq "bill")
{
        to $DEFAULT
}

Deleting all messages marked spam

Before the recipe is given bear in mind this is strongly discouraged for two reasons, (1) young e-mail accounts may have a lot of variability in scoring and (2) no failure notice is generated. Consequently, neither the sender nor you will know if the message had been deleted, because no delivery failure status is generated. This is very similar to the default maildroprc, except threshold scoring is removed and all spam is deleted.

 
if (/^X-Spam-Flag: YES/)
{
to /dev/null
}
 

Filtering to an external program

maildrop's xfilter directive pipes the message to an external script for processing. A rudimentary example reverses the message text. Naturally, as this is a shell script it should be directly executable from the shell, so ensure the permissions are at least 700 (chmod 700 reverse.sh).

.mailfilter
xfilter "$HOME/reverse.sh"

reverse.sh
#!/bin/sh
exec 6<&0
while read -u 6 line ;
do 
        echo $line | rev
done
exec 6<&-
exit 0

Creating a spam trap

Spam traps are useful addresses deliberately listed on Web pages hidden from public view. Spam bots harvest these addresses and deliver spam. You can use this knowledge to feed all e-mail destined to a particular address directly to SpamAssassin with the to directive. In addition to delivering to mailboxes, to can forward outbound to another address (!) or to another program (|) with a simple prefix. The following assumes spam@mydomain.com maps to a virtual mailbox on the server owned by the user myuser

Mailbox Routes

Username	Domain	Destination	Type
spam	mydomain.com	/home/myuser/Mail	V
myuser	mydomain.com	/home/myuser/Mail	V

And for the recipe

if (hasaddr("spam@mydomain.com")) 
{
to "|/usr/bin/spamc --spam -u $RECIPIENT"
}

Using a single SpamAssassin instance

One user account may be delegated to handle all SpamAssassin filtering settings for all e-mail accounts. Replace the e-mail-specific variable, $RECIPIENT with the full user's login /etc/maildroprc. For example, to let the user named example on the domain example.com handle spam filtering for all users on the domain example.com:

/etc/maildroprc
# Global maildrop rules go here
# See http://www.courier-mta.org/maildrop/maildropfilter.html for syntax
if ($SIZE < 131072)
{
        exception {
                xfilter "/usr/bin/spamc -u example@example.com"
        }
}
# rest of the rules ...

Pros

• Jumpstart filtering: newly-added users will have robust spam/ham information already in place to immediately increase the effectiveness of spam filtering
• Low volume benefits from high volume: e-mail accounts that receive few e-mails will already have SpamAssassin's Bayesian classifier system activated. Bayes scores add anywhere between -2 to 3 points per message depending upon how certain SpamAssassin is of its validity. Those points are generally enough to correctly rank a false positive as a true positive.

Cons

• Privacy issues: bits of e-mail used by SpamAssassin may be viewable by the main user
• Dilution: SpamAssassin has a finite storage capacity of tokens from scanned messages. These special tokens may appear more readily in spam or non-spam. Introducing a high variability among several users may reduce SpamAssassin's effectiveness as the token counts are removed to store new tokens.

Complex filtering

Additional filtering examples may be found in the third installment of the ephemeral Weekly Tip.

Forwarding

Edit the file named .mailfilter within the user's home directory and add:

.mailfilter
to "!user@mydomain.com"

If you would like to forward and store a copy of the message on the server, then use the cc directive to maildrop:

cc "!user@mydomain.com"

Delays forwarding to Gmail

Some delays may occur when forwarding to a Gmail address. This behavior occurs on Google's end after receipt of the message. We are unclear of Google's reasoning behind quarantining forwarded messages, but if you have an external forward setup to a Gmail account, please realize there may be up to a hour delay in some cases.

Sending E-mail

Logging In

Setup in Thunderbird

Setup is similar to IMAP/POP3. Your outgoing server is the same as your incoming mail server, which is the domain name.

Setup in Outlook

Setup in Mail.app

Who has access to a Mac and wants to do this? msaladna

Unable to send outgoing e-mail

If you have recently become unable to send outgoing e-mail through your account with Apis, then your ISP has implemented SMTP restrictions. Many ISPs have introduced this policy to curb spam, which adversely affects the quality of the ISP's network.  You may attempt to change the outgoing port your e-mail client uses by reading the "554 Relaying Denied" error message/Modifying SMTP port section.  If you are still unable to send outgoing mail, then you will need to use your ISP's outgoing mail server to send e-mail.

"554 Relaying Denied" error message/Modifying SMTP port

A "554 Relaying Denied" error is caused by an unauthenticated SMTP request -or- if authentication is enabled, then filtering by your ISP. You must enable outgoing authentication within your e-mail client or change the SMTP port.

Thunderbird

Authentication:

Tools-> Account Settings -> Outgoing Server (SMTP) -> select your SMTP profile on Apis -> Edit-> under Security and Authentication tick Use name and password, User Name field is the same login as for IMAP/POP3.

SMTP Port Change:

Tools-> Account Settings -> Outgoing Server (SMTP) -> select your SMTP profile on Apis -> Edit-> change the value of "Outgoing server (SMTP)" to either 587 -or- 465 and select TLS under "Use secure connection".

---

Outlook

Authentication:

Tools-> Account Settings-> E-mail tab-> select your e-mail profile with Apis-> More Settings ...-> Outgoing Server tab -> tick "My outgoing server (SMTP) requires authentication", select "Use same settings as my incoming mail server".

SMTP Port Change:

Tools-> Account Settings-> E-mail tab-> select your e-mail profile with Apis-> More Settings ...-> Advanced tab -> change the value of "Outgoing server (SMTP)" to either 587 -or- 465 and select TLS under "Use the following type of encrypted connection".

Notes on maximum message size

The maximum message length that may be sent is 20,480,000 bytes.  File attachments undergo a conversion process called base64-encoding resulting in significantly larger file sizes.  For example, a 1 MB file of random data attached to an e-mail turns into a ~1.35 MB file, a 35% increase in size.  Bear this in mind when attempting to send large file attachments through e-mail.  An e-mail will be rejected if the message size exceeds the minimum accepted length of any relay in the delivery path.  This is an extremely important rule; if the receiving side only accepts 2 MB at most, then a 5 MB message will be undeliverable to that recipient.