1

Topic: System overview Postfix

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
======== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySql
- Linux/BSD distribution name and version: Debian wheezy
- Related log if you're reporting an issue:
====

So let's start with postfix overview. I'll do some graphics later on to see how things work together.

Postfix has a few posibilities to check spam internally or externally. iRedMail uses those:

Postfix pre queue filter
======================
postscreen -> not used
smtpd milter -> not used
smtp prox filter -> not used
non smtp milter -> not used

policy filter
-------------------------------
iRedAPD (tcp 7777)

Question:
- what exactly is this for and how can it be maintained?

Cluebringer (tcp 10031)
- core
- access control
- check helo
- check spf
- greylisting
- quotas

Questions:
- what is enabled/configured by default?
- what happens in case of pass / fail?


Postfix after queue filter
======================

content filter
------------------------
amavis new (tcp 10024, postfix tcp 10025)

- check bad headers -> fail: pass to recipient
- check banned attachements -> fail: pass to recipient (new release move to junk folder)
- hand over to clamav, check for virus -> fail: notify sender, delete email
- hand over to spamassassin -> fail: pass to recipient (new release move to junk folder)
- plugins loaded by spamassassin:
- DKIM, signing and verification
- SPF verification
- Pyzor
- Razor2
- SpamCop
- AutoLearnThreshold
- WhiteListSubject
- MIMEHeader
- ReplaceTags
- Bayes
- BodyEval
- DNSEval
- HTMLEval
- RelayEval
- URIEval
- WLBLEval
- VBounce
- ImageInfo
- FreeMail

Questions:
- is this correct?
- what are the plugins used for?


Are there some other filters (except built in smtpd checks)?

Thanks

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: System overview Postfix

Peter wrote:

Postfix pre queue filter
======================
postscreen -> not used
smtpd milter -> not used
smtp prox filter -> not used
non smtp milter -> not used

*) We should use postscreen in iRedMail-1.0.
*) Milter is just like policy server. You can use one of them, or both. Since we can implement required restrictions with policy server, we don't use Milter.

Peter wrote:

policy filter
-------------------------------
iRedAPD (tcp 7777)

Question:
- what exactly is this for and how can it be maintained?

In the beginning, iRedMail ships Policyd for addition restrictions, e.g. throttling, white/blacklists. But we need some addition features like control who can send email to mail list, etc, so we developed iRedAPD (a simple postfix policy server) for this.

About maintenance, i assume you mean "upgrade". Upgrading iRedAPD is easy, just download new release, extract, copy config file from old release, then set correct file owner/permission for new release, done.

Peter wrote:

Cluebringer (tcp 10031)
- core
- access control
- check helo
- check spf
- greylisting
- quotas

Questions:
- what is enabled/configured by default?
- what happens in case of pass / fail?

*) All are enabled by default.
*) It will return 'action=DUNNO' for pass, sometimes is 'action=OK'. And 'action=REJECT' for fail, maybe some other actions defined by mail admin.

Peter wrote:

content filter
------------------------
amavis new (tcp 10024, postfix tcp 10025)

- check bad headers -> fail: pass to recipient
- check banned attachements -> fail: pass to recipient (new release move to junk folder)
- hand over to clamav, check for virus -> fail: notify sender, delete email
- hand over to spamassassin -> fail: pass to recipient (new release move to junk folder)

- Check bad headers: pass to inbox.
- check banned attachements: Mail will not be delivered to its recipients. A non-delivery notification (bounce) will be created and sent to the sender. ($final_banned_destiny = D_BOUNCE)
- hand over to clamav, check for virus: no notification to sender/recipient, but send notification to mail admin (it's 'root' user by default, and it's aliased to the first user created during iRedMail installation, postmaster@xxx)
- hand over to spamassassin: move detected spam to Junk folder in new release.

Peter wrote:

- plugins loaded by spamassassin:
- DKIM, signing and verification
- SPF verification
- Pyzor
- Razor2
- SpamCop
- AutoLearnThreshold
- WhiteListSubject
- MIMEHeader
- ReplaceTags
- Bayes
- BodyEval
- DNSEval
- HTMLEval
- RelayEval
- URIEval
- WLBLEval
- VBounce
- ImageInfo
- FreeMail

Questions:
- is this correct?
- what are the plugins used for?

It's better to check SpamAssassin site to see what they're used for, it will be more accurate than my description:
http://spamassassin.apache.org

Peter wrote:

Are there some other filters (except built in smtpd checks)?

HELO check in Postfix 'smtpd_helo_restrictions', rule file is /etc/postfix/helo_access.pcre.

3

Re: System overview Postfix

ZhangHuangbin wrote:

*) We should use postscreen in iRedMail-1.0.

Do you have a roadmap when to expect V1.0?


ZhangHuangbin wrote:

About maintenance, i assume you mean "upgrade". Upgrading iRedAPD is easy, just download new release, extract, copy config file from old release, then set correct file owner/permission for new release, done.

Wrong word used, sorry. I meant managed. How is iRedAPD managed? Only through web admin of pro version?


Peter wrote:

Cluebringer (tcp 10031)
- core
- access control
- check helo
- check spf
- greylisting
- quotas

Questions:
- what is enabled/configured by default?

ZhangHuangbin wrote:

*) All are enabled by default.

- how are they configured by default (what do they check/block)?
- SPF check is done in pre queue stage of postfix? SPF is not weighted in spamassassin?
- how is it managed? Everything through web admin of pro version? And free version with web admin of cluebringer?



Peter wrote:

content filter
------------------------
amavis new (tcp 10024, postfix tcp 10025)

- check bad headers -> fail: pass to recipient
- check banned attachements -> fail: pass to recipient (new release move to junk folder)
- hand over to clamav, check for virus -> fail: notify sender, delete email
- hand over to spamassassin -> fail: pass to recipient (new release move to junk folder)


ZhangHuangbin wrote:

- check banned attachements: Mail will not be delivered to its recipients. A non-delivery notification (bounce) will be created and sent to the sender. ($final_banned_destiny = D_BOUNCE)

In newest stable version it is set as D_PASS, see Spam behaviour is odd. Are you going to change this to D_BOUNCE in version 0.9 or do you move those emails to junk?


ZhangHuangbin wrote:

It's better to check SpamAssassin site to see what they're used for, it will be more accurate than my description:
http://spamassassin.apache.org

- ok I'll do that
- is DKIM / SPF handled by amavis new or spamassassin?

4

Re: System overview Postfix

Peter wrote:

Do you have a roadmap when to expect V1.0?

No yet.

Peter wrote:

How is iRedAPD managed? Only through web admin of pro version?

iRedAPD queries required data from SQL/LDAP database, so you can use your favourite SQL/LDAP management tools to update SQL/LDAP data required by iRedAPD. iRedAdmin-Pro is the easiest tool for this.

For more details, please check comment in iRedAPD plugin files to see what data they need:
https://bitbucket.org/zhb/iredapd/overview

Peter wrote:

- how are they configured by default (what do they check/block)?

Check Policyd official document please: http://wiki.policyd.org/documentation

Peter wrote:

- SPF check is done in pre queue stage of postfix? SPF is not weighted in spamassassin?

CheckSPF module is enabled by default, but SPF checking is NOT enabled in iRedMail (in SQL table "cluebringer.checkspf"). We use SpamAssassin for after-queue SPF checking.

Peter wrote:

- how is it managed? Everything through web admin of pro version? And free version with web admin of cluebringer?

iRedAdmin-Pro manages parts of Cluebringer modules, not all modules.
iRedAdmin open source edition doesn't manage Cluebringer data.

Peter wrote:

In newest stable version it is set as D_PASS, see Spam behaviour is odd. Are you going to change this to D_BOUNCE in version 0.9 or do you move those emails to junk?

Will set to D_BOUNCE in iRedMail-0.9.0.

Peter wrote:

- is DKIM / SPF handled by amavis new or spamassassin?

*) DKIM signing/verification is handled by Amavisd-new.
*) SPF checking is handled by SpamAssassin, and SpamAssassin is invoked by Amavisd-new.

5

Re: System overview Postfix

We did a lot of work for our documentation plattform (not a wiki). First topic is iRedMail and I'm happy to present this link:

http://doc.samplezone.ch/iredmail/

Documentation is still in progress and we are working hard on it. You well see an "edit" button on the top right corner. We welcome contributions to our documentation from everybody, looking forward.

Details of postfix and filtering is not released yet we are still working on it.

6

Re: System overview Postfix

Dear Peter,

How about contribute to our document repo directly?
https://bitbucket.org/zhb/docs.iredmail.org/

Documents are written in Markdown format, converted HTML documents are all available here:
http://www.iredmail.org/docs/

Another question: if you prefer your own document repo, do you allow me to copy your documents to http://www.iredmail.org/docs/ in CC-license?

7

Re: System overview Postfix

Hi ZhangHuangbin

Did you read it? If you find some errors just use the edit button.

ZhangHuangbin wrote:

How about contribute to our document repo directly?
https://bitbucket.org/zhb/docs.iredmail.org/

Documents are written in Markdown format, converted HTML documents are all available here:
http://www.iredmail.org/docs/


Our document platform will host different topics in the future. Often we miss some diagrams how things work which makes it much better understandeable. It's not a replamcement of your documents more an addition with a structure. We edit content in our content management system which has a text syntax (freedoc) similar to markdown. Documentation in versioning repos like github or bitbucket is not comfortable to us, sorry.


ZhangHuangbin wrote:

Another question: if you prefer your own document repo, do you allow me to copy your documents to http://www.iredmail.org/docs/ in CC-license?


Hmmm... we will update the content often and there might be also some changes in the structur while it grows. Are you going to copy 1:1? What I mean by that:

- do you display our content from your server and all the ressources (images, css, js) references to our server?
- do you leave all the javascript?

If you do so I see a few problems:

- ressources should be requested from your server
- js google analytics should be removed
- js for inline editing should be removed, it will not work from your domain


I did some research about CC license and decided for "CC BY-NC-SA 3.0". Hope this helps.

8

Re: System overview Postfix

Peter wrote:

Did you read it?

Yes. I see there're some new pages since last visit, well done. smile

Peter wrote:

It's not a replamcement of your documents more an addition with a structure.

I think you can link to some of our articles. For example:
http://doc.samplezone.ch/iredmail/versi … ams/debug/

Maybe you can link to articles in section "Troubleshooting and Debug":
http://www.iredmail.org/docs/index.html … -and-debug

Peter wrote:

Documentation in versioning repos like github or bitbucket is not comfortable to us, sorry.

Any easy way to track changes on your web site? e.g. RSS feed. I guess git/hg is not an option for you?

Peter wrote:

Are you going to copy 1:1?

I may copy some text content, but definitely not 1:1.

Peter wrote:

- do you display our content from your server and all the ressources (images, css, js) references to our server?
- do you leave all the javascript?
If you do so I see a few problems:
- ressources should be requested from your server
- js google analytics should be removed
- js for inline editing should be removed, it will not work from your domain

I won't use any JS/CSS code, i just want the text content in article.

Peter wrote:

I did some research about CC license and decided for "CC BY-NC-SA 3.0". Hope this helps.

That's great for sharing. Now,  call me thief. smile

Some questions:

*) Any plan to make it easy to track the changes? e.g. new topic/article added, article modified.
*) Any possible to work together for two-way sync between your CMS and http://www.iredmail.org/docs/ ?
*) Am i allowed to contact you directly?

9

Re: System overview Postfix

ZhangHuangbin wrote:

I think you can link to some of our articles. For example:
http://doc.samplezone.ch/iredmail/versi … ams/debug/

Maybe you can link to articles in section "Troubleshooting and Debug":
http://www.iredmail.org/docs/index.html … -and-debug

Thanks for your changes it's updated in the document.

ZhangHuangbin wrote:

Any easy way to track changes on your web site? e.g. RSS feed. I guess git/hg is not an option for you?
*) Any plan to make it easy to track the changes? e.g. new topic/article added, article modified.

Not for now, sorry. But I'll let you know if there is a new topic.


ZhangHuangbin wrote:

*) Any possible to work together for two-way sync between your CMS and http://www.iredmail.org/docs/ ?
*) Am i allowed to contact you directly?

Please feel free to contact me by email.