Email, ISP style

The Stage

My setup requires a bit more than the original setup of the guide that I will be following.

I’m going to use multiple SSL certificates for the same server on different IPs. What this involves is telling Postfix and Dovecot that yes, I do in fact really want multiple SSL certificates.


I’ve set up an email server before. Last time, I ended up with a secure strict email-server that couldn’t send emails. Now I know why. And it’s one of those reasons you want to bang your head through the wall for.

I’ll get to that later. Right now, let’s start with finding the guides to follow. I used Lee Hutchinson‘s 2014 guide. It’s two years old, “so what?” I thought.

Now, Lee suggests we use a package named mail-stack-delivery; the only problem is that it is an Ubuntu package. That might not be too bad, it’s just that I quite like the Debian system structure.

Startup checklist:

  1. Domain(s): got ’em
  2. DNS service: got that too, though I won’t change to Amazon’s system
  3. SSL certificates: got them

Installing packages on Debian is one command as root away:

sudo apt-get install postfix dovecot-imapd spamassassin spamass-milter nginx php5-fpm

Postfix will ask you questions covered in the guide.

On to guide two! I’ll intersperse the guide with my changes.

First difference: the guide for getting an SSL certificate needs a slight update. I can’t re-validate myself, but this is where you find the validation guide: Domain validation.

You’ll want to go through this guide, which will show StartSSL that you actually own that domain.

After that, you can go through the guide to get the SSL certificate. (pics below)

That’s it! Click “here” to download the certificates and you can do the rest. Back to Lee for a few lines; we’re going a different way with the placement of the certificates. We’re going to put them inside the master.cf file instead of Lee’s usage of main.cf.

We’ll be using this fella’s short blog-post for making postfix submit to our strange multi SSL certificate ways.

I will, however, leave the smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt line there, as it can stay global for my tastes. I’ll add two more lines here that will make more sense once we’ve played around with the master.cf file:
smtpd_tls_wrappermode=yes
smtpd_sasl_auth_enable=yes

These two will work out for us, since we’re going with adding a

-o smtpd_tls_wrappermode=no

on our smtp-servers in master.cf

If you have a separate key for each domain, you need the lines

-o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
-o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt

under both your smtps and submission servers. If one key file serves all the domains you want to use, you can set it globally in main.cf instead.

A complete set of IPv6/IPv4 servers looks like this:

# localhost
127.0.0.1:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix-smtp
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain


127.0.0.1:smtps   inet    n       -       y       -       -       smtpd
  -o syslog_name=postfix-smtps
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

127.0.0.1:submission  inet  n     -       y       -       -       smtpd
  -o syslog_name=postfix-submission
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain


# IPv4 Your domain servers
yourIP:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix-smtp
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

yourIP:smtps   inet    n       -       y       -       -       smtpd
  -o syslog_name=postfix-smtps
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

yourIP:submission  inet  n     -       y       -       -       smtpd
  -o syslog_name=postfix-submission
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

# IPv6 Your Domain IPV6
[fe80::]:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_tls_wrappermode=no
  -o syslog_name=postfix-smtp
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

[fe80::]:smtps   inet    n       -       y       -       -       smtpd
  -o syslog_name=postfix-smtps
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

[fe80::]:submission  inet  n     -       y       -       -       smtpd
  -o syslog_name=postfix-submission
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
  -o myhostname=yourdomain
  -o smtp_helo_name=yourdomain

This lets our server present different certificates depending on which of our IPs a connection arrives on. REMEMBER to replace every instance of “yourdomain” with your domain. The first three entries are for connections to localhost; these use your main server certificates. The next six are two sets of three services with the options they need: one set listens on IPv4 and the other on IPv6, and if you only want one of them you can leave the other out. Likewise, replace yourIP with the IPv4 address for that domain, and “fe80::” with whatever your server’s IPv6 address is.

That’s it for Postfix. Oh wait, there’s one super-needed line you need to uncomment. In the middle of the list of commented-out stuff, you’ll find the line:

#smtp      unix  -       -       -       -       -       smtp

If you don’t uncomment that line, you’ll get the fantastically helpful message:
postfix/qmgr[]: warning: connect to transport private/smtp: Connection refused
postfix/error[]: : to=<emailhere@gmail.com>, relay=none, delay=0.07, delays=0.03/0/0/0.03, dsn=4.3.0, status=deferred (mail transport unavailable)

What it’s trying to tell us is that the private unix smtp socket, the smtp delivery transport defined by that line, is unavailable. Sending will not happen.

(THIS IS WHAT MADE MY LAST SERVER NOT SEND EMAILS.) It is also what kept my current setup from shipping emails for a week. Sheer dedication is what finally landed me an answer.
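As an added check (example code written for this post, not part of Lee’s guide or of Postfix itself): a small Python linter that parses a master.cf laid out like the one above and reports the two things that bit me here, a listener inheriting smtpd_tls_wrappermode=yes from main.cf where clients expect STARTTLS, and the commented-out smtp unix transport. The sample master.cf inside it is constructed; 203.0.113.5 is a placeholder IP.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the post's master.cf; 203.0.113.5 is a placeholder IP.
SAMPLE_MASTER_CF = """\
127.0.0.1:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
203.0.113.5:smtps   inet    n       -       y       -       -       smtpd
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
  -o smtpd_tls_cert_file=/etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
203.0.113.5:submission  inet  n     -       y       -       -       smtpd
  -o smtpd_tls_key_file=/etc/ssl/private/ssl-key-decrypted-mail.key
#smtp      unix  -       -       -       -       -       smtp
"""
# Global settings the post puts in main.cf; per-service -o lines override these.
MAIN_CF = {"smtpd_tls_wrappermode": "yes", "smtpd_sasl_auth_enable": "yes"}

# master.cf columns: service type private unpriv chroot wakeup maxproc command
SERVICE_RE = re.compile(r"^(\S+)\s+(inet|unix|fifo|pass)\s+(?:\S+\s+){5}(\S+)")
OPTION_RE = re.compile(r"^\s+-o\s+([^=\s]+)=(\S*)")

def parse_master_cf(text: str) -> List[Dict]:
    """Return the active (uncommented) services with their -o overrides."""
    services: List[Dict] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank or commented out
        opt = OPTION_RE.match(line)
        if opt and services:              # continuation line of the previous service
            services[-1]["options"][opt.group(1)] = opt.group(2)
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            services.append({"name": svc.group(1), "type": svc.group(2),
                             "command": svc.group(3), "options": {}})
    return services

def lint(services: List[Dict], main_cf: Dict[str, str]) -> List[str]:
    """Flag TLS-mode and cert/key mismatches, and a missing smtp delivery transport."""
    findings: List[str] = []
    for svc in services:
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        port = svc["name"].rsplit(":", 1)[-1]   # "[fe80::]:smtp" -> "smtp"
        opts = svc["options"]
        wrapper = opts.get("smtpd_tls_wrappermode", main_cf.get("smtpd_tls_wrappermode", "no"))
        if port == "smtps" and wrapper != "yes":
            findings.append(f"{svc['name']}: smtps needs wrapper mode (implicit TLS)")
        if port in ("smtp", "submission") and wrapper == "yes":
            findings.append(f"{svc['name']}: inherits wrappermode=yes but clients expect STARTTLS")
        if ("smtpd_tls_cert_file" in opts) != ("smtpd_tls_key_file" in opts):
            findings.append(f"{svc['name']}: override smtpd_tls_cert_file and _key_file together")
    if not any(s["type"] == "unix" and s["command"] == "smtp" for s in services):
        findings.append("no active 'smtp unix ... smtp' line: qmgr logs 'mail transport unavailable'")
    return findings

def lint_sample() -> List[str]:
    return lint(parse_master_cf(SAMPLE_MASTER_CF), MAIN_CF)
```

Run it against your real file with lint(parse_master_cf(open("/etc/postfix/master.cf").read()), MAIN_CF) after filling MAIN_CF with your own global values.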

Let’s go back to Lee for a bit but skip “Master control” and head right to “Mappity-map, then hash back”.

In “A home for your virtual users’ mail”, I wanted to put the virtual mail files in /home/vmail.

We’re also going to do something funny with Dovecot’s SSL certificates and config. First of all, don’t uncomment lines 12 and 13 in /etc/dovecot/conf.d/10-ssl.conf. We’ll need to recreate /etc/dovecot/conf.d/01-mail-stack-delivery.conf, since the package it comes from doesn’t exist for Debian: just open the file in nano and paste the contents.

You’ll need to change the /var/mail/ references to /home/vmail, not only here but everywhere in Lee’s guide.

Let’s leave Lee’s trail for a bit; we’ll get back to it in a little while. We’ll need to follow the official Dovecot wiki to get Dovecot to conform. The file in question is /etc/dovecot/conf.d/01-mail-stack-delivery.conf:

local 192.0.2.10 { # instead of IP you can also use hostname, which will be resolved
  protocol imap {
    ssl_cert = </etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
    ssl_key  = </etc/ssl/private/ssl-key-decrypted-mail.key
  }
}

local 192.0.2.20 {
  protocol imap {
    ssl_cert = </etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
    ssl_key  = </etc/ssl/private/ssl-key-decrypted-mail.key
  }
}

You’ll still need a main certificate and key file set up, otherwise beautiful error messages show up:
doveconf: Error: ssl enabled, but ssl_cert not set
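As an added check (example code written for this post, not Dovecot’s own tooling): a Python parser for Dovecot’s brace-nested config that reproduces that doveconf complaint and also flags a local block that sets only one of ssl_cert and ssl_key. The sample config inside it is constructed, with a made-up second certificate path for the second IP.

```python
from typing import Dict, List

# Constructed sample: the post's two local blocks, plus global settings that forget ssl_cert.
SAMPLE_DOVECOT_CONF = """\
ssl = yes
ssl_key = </etc/ssl/private/ssl-key-decrypted-mail.key
local 192.0.2.10 { # instead of IP you can also use hostname
  protocol imap {
    ssl_cert = </etc/ssl/private/ssl-key-encrypted-mail-yourdomain.pem
    ssl_key  = </etc/ssl/private/ssl-key-decrypted-mail.key
  }
}
local 192.0.2.20 {
  protocol imap {
    ssl_cert = </etc/ssl/private/ssl-key-encrypted-mail-other.pem
  }
}
"""

def parse_dovecot(text: str) -> Dict:
    """Parse Dovecot's brace-nested config into nested dicts (values kept verbatim)."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        if line.endswith("{"):                # open a section such as "local 192.0.2.10 {"
            section = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(section)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return root

def lint_ssl(conf: Dict) -> List[str]:
    """Reproduce doveconf's complaint and catch half-configured local blocks."""
    findings: List[str] = []
    if conf.get("ssl", "yes") != "no" and "ssl_cert" not in conf:
        findings.append("global: ssl enabled, but ssl_cert not set")
    for name, section in conf.items():
        if not (name.startswith("local ") and isinstance(section, dict)):
            continue
        # settings may sit directly in the local block or under protocol sub-blocks
        scopes = [(name, section)] + [(f"{name} / {k}", v) for k, v in section.items()
                                      if isinstance(v, dict)]
        for scope, settings in scopes:
            has_cert, has_key = "ssl_cert" in settings, "ssl_key" in settings
            if has_cert != has_key:
                findings.append(f"{scope}: ssl_cert and ssl_key must be set together")
            for key in ("ssl_cert", "ssl_key"):
                if key in settings and not settings[key].startswith("<"):
                    findings.append(f"{scope}: {key} needs the '<' prefix to read a file")
    return findings

def lint_sample() -> List[str]:
    return lint_ssl(parse_dovecot(SAMPLE_DOVECOT_CONF))
```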

Bugger on with SpamAssassin, ClamAV, and OpenDKIM. Not much has changed here since Lee wrote the article. If you did move your domain to another service for management, go fiddle with it and get it right. Most systems I’ve seen have been a bit fiddly, but play around with it and you’ll get it right.

Remember that you don’t NEED to carry the same spam filters that Lee uses in his guide. They are there to show you what a regular setup looks like. I didn’t throw away mail above 10 points of “spam assuredness” from SpamAssassin, mostly because I don’t trust it yet.

Now we’ve gotten to number four of the guides that Lee wrote. I’ll start off by saying that we’ll skip his “Postscreen and additional filtering” step. In fact, we’ll open master.cf and comment out the two lines that were originally uncommented, so the section looks like so:

#smtp       inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet  n       -       -       -       -       smtpd

I’m sure I could replace some of my services with postscreen, but at this point I was REALLY REALLY TIRED of the entire deal. You see, I didn’t learn about the commented-out line further down until six, yeah, you read that right, six days after I first finished this step.

I did follow through with the security tip, and this is where I’ve currently dropped out. I’ll be looking into the remainder of the guide, and doing a similar thing with my nginx/php5-fpm setup. Suffice it to say that, as far as I can read, getting different SSL certificates into nginx is about as hard as in Dovecot…

I’d like to thank the contributors to this experience, specifically Lee Hutchinson, and WPKG

One podcatcher to rule them all!

The one

A little bit of a different topic today… My quest for a podcatcher that works for me.

Requirements:

  1. It has to support RSS
  2. It has to number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
  3. It has to give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?


My test RSS feed is TotalBiscuit’s: http://feeds.soundcloud.com/users/soundcloud:users:35042463/sounds.rss

I will be scoring the podcatchers by the number of requirements each fulfils. One point each.

FeedDemon (1 point)

  1. Support RSS
    Yes
  2. Number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
    No
  3. Give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?
    No (exact case as described above)

Other than this, it seems like a fine reader. You can set the refresh rate down to 5 minutes, which I appreciate. It does force you to set a delete limit for your feed; the max is 2500. (If I want an RSS reader, I want to make it a monster over time, saving EVERYTHING, because local storage of news is paramount in this age of perpetual change.)

I’ll see about whether it works as the reader of my “dreams” when I make the follow-up to this post.

Juice (1 point)

  1. Support RSS
    Yes
  2. Number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
    No
  3. Give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?
    No

Juice is a downloader I’ve tried a couple of times before, since it’s specifically made for this use case. I always end up discarding it.

I’m not sure what’s wrong with Juice as a downloader, but it doesn’t give me the “advanced” options I require in this case, so we’ll see if I come back to it.

Banshee (N/A)

I NEVER GOT TO TRY BANSHEE; the current build of the podcatcher is in technical alpha, meaning a critical bug that refuses to boot the program on my system leaves me unable to test it.

I’ll add this to a watch-list of things to test out when it is updated.

CatchUp Podcast Receiver (1.5 points)

IT’S MADE IN JAVA. This means an ugly interface and strange GUI options, from the strange hover markup when you move your cursor over one of the items in the current stream, to the fact that clicking an item won’t properly highlight it.

An experience of mine earlier with Java is slow startup times. I am no longer experiencing this, but I tend to think that comes down to a monster machine and an SSD rather than Java actually improving. (This one boots quickly.)


  1. Support RSS
    Yes
  2. Number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
    No
  3. Give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?
    Yes – ish (it leaves the file name that the RSS provides, which is infinitely better than whatever Juice and FeedDemon do)

Clementine (3 points)

  1. Support RSS
    Yes
  2. Number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
    Yes
  3. Give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?
    Yes

All in all, this is currently the biggest contender. That said, I might have to change out of my Foobar2000 clothes. This is a full music player, an internet enabled one at that. I’ll have to consider that later. For now, it does actually download the podcasts, and name them in a proper fashion. I’m tempted to check if Welcome to Night Vale will be downloaded with the ugly underscores, or if it’ll be okay…

Anyways, I’ll be keeping this one around unless something even better comes along.

FeedBooks (N/A)

According to Wikipedia: “Social networking client with support for podcasts.” I found no such thing on their site, and Google searches yielded no results.

gPodder (N/A)

I had some trouble installing this one; there was a bug that made it not boot, so I searched Google. I ended up finding out that http://python.net/crew/mhammond/win32/ was missing, so I installed it.

Now it’s giving me this:


This dialog stops me from testing it out. It keeps insisting I need to install PyGTK, so I can’t test it.

HermesPod (1.5 points)

  1. Support RSS
    Yes
  2. Number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
    No
  3. Give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?
    Yes – ish “totalb~700l8l3~29-Oct~174460972-TOTALBISCUIT-STEPHEN-TOTILO-OF-KOTAK.mp3”

THIS APPLICATION HAS ADVERTISEMENTS. I thought we were over this. I thought inapp advertisements were something of the past, but no.

I will be uninstalling this, though it is closer to what I want. It’s not quite there. I’d like something between Clementine’s completely overwhelming interface and this simplistic thing.

PS: The HermesPod website claims advanced features, I found none.

MediaGo (1 point)

  1. Support RSS
    Yes
  2. Number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
    No
  3. Give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?
    No – the same problem as described above

MediaGo is a full music library manager/player, though the lacking podcatcher system makes me dismiss it.

MediaMonkey (2.5 points)

  1. Support RSS
    Yes
  2. Number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
    No – Well, ish. You can date them which is good enough for me.
  3. Give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?
    Yes

Initial results looked good: it produced the file “Causes.mp3”, which is better than the above example. Further prodding revealed that you can (sort of) name the files yourself, as I wanted: right-click the podcast subscription -> Edit subscription -> Global Podcast Options. Here you will find a beautifully overwhelming dialog. The important parts are the top two fields, “Default download location:” and “Download podcasts to:”.

I set both of those to “G:\Media\Podcasts\Auto\MediaMonkey\<Artist>\<Album>\<Date> <Title>”. I know I might later not want to download podcasts; for now it is fine.

I like it, but I prefer Clementine. They both offer similar functionality, but MediaMonkey tried to steal music-playing rights from Foobar2000 by default.

Also, when I closed it I was met with:


Which, you know, always brightens the day…

Zune (2 points)

  1. Support RSS
    Yes
  2. Number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
    No
  3. Give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?
    Yes 

Personally, I like this interface, if it wasn’t for the botched numbering and my not finding any obvious way to have the files numbered in the folder. The app was responsive, unlike a couple of the other apps.


iTunes (1 point)

  1. Support RSS
    No
  2. Number the episodes, even if this isn’t done by the author (because I want to just see in the folder which order things go)
    No
  3. Give sensible names to the files: “antibullying.mp3” is not a valid name for “172592521-totalbiscuit-causes.mp3”. If anything, “Causes.mp3” is the right option; where does it even get “antibullying” from?
    Yes 

iTunes isn’t my choice, I’ll make that clear. I found no real support for RSS; sure, they had the podcast (including my test case), but I want RSS so that I don’t have to rely on the Apple iStore. The interface is alright.


Conclusion

My winner is Clementine, as it does all three of the things I set out to find. If I get help with the ones that didn’t work, or suggestions for new ones, I will update this article.