MIME and mail: Difference between revisions

Line 178: Line 178:


* https://en.wikipedia.org/wiki/DMARC
* https://en.wikipedia.org/wiki/DMARC
-->
=Unsorted=
==Spamassassin==
<!--
Spamassassin is an email spam detector.
In itself, it mainly just adds a header with the spam score.
-->
===Hooking a working spamassassin into postfix===
{{stub}}
Assuming you've already set up spamassassin itself so that it functions,
the next step is to make it actually filter postfix mail.
The first part is to add spamassassin as a content filter.
Which mostly means it adds X-Spam headers. This does not do any rejection yet.
In {{inlinecode|/etc/postfix/master.cf}} add a line like {{comment|(this can vary a little, a little reading around here can't hurt)}}
spamassassin unix -    n      n      -      -      pipe user=spamfilter argv=/usr/bin/spamc -f -e  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
If you want to be careful about what you bounce, then you may want to put the threshold for ''marking'' it spam ({{inlinecode|required_hits}} in {{inlinecode|/etc/spamassassin/local.cf}} {{comment|(defaults to 5, which seems sensible)}} lower than the rejection threshold (next bit:).
To do the actual filtering, edit/create a {{inlinecode|/etc/postfix/header_checks}}, which is a rule system based on header matches. Which we do based on X-Spam headers we've just configured it to add.
You can get control of what level to filter by looking at X-Spam-Level. For example to reject level 7 or higher:
/^X-Spam-Level: \*\*\*\*\*\*\*/ REJECT spam content
You can choose to
* REJECT for an explicit bounce
* DISCARD to say you accepted it, but actually drop it
* HOLD for review (only makes sense if you have someone actually doing this)
* REDIRECT to a spam address, e.g. a local mailbox (if you have someone looking at this, or want to collect it for fun)
Also ensure this header_checks file is hooked into {{inlinecode|main.cf}}, looking for a line like:
header_checks = regexp:/etc/postfix/header_checks
Restart postfix
/etc/init.d/postfix reload
and send a test. The following is a test string that is always considered spam[http://spamassassin.apache.org/gtube/]
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
Check your mail log to see the response.
tail -F /var/log/mail.log
<!--
You can argue over whether discarding or rejecting is better.
In both cases spammers will know the same thing (address exists) so that's not the question.
Arguments for DISCARD:
* if there is no check that sender looks forged, then
** you're getting mail server to spam someone else for you
** if the sender looks like an internal address that may affect how people and later spam filters respond to it
Arguments for REJECT:
* avoids "You never sent that sales report"
* gives people feedback that there is something off
The details are more interesting, e.g. that an early-enough reject will actually cause the sending MTA to decide it can't deliver, meaning a rejection will come from them, not us.
Which makes more sense against spammers, because their server likely looks less trustworthy than ours.
-->
==.forward==
{{stub}}
<!--
In unices, a file called <tt>~/.forward</tt> will likely be picked up by a mail server.
Apparently this was a convention started by sendmail, and followed by other MTAs.
You can have multiple commands (often used to store a local copy ''and'' forward a copy).
Multiple commands can be separated by newlines (i.e. one per line), or by commas.
There are four types of commands, which you combine comma-separated
* address, to send to
user
user@example.com
* force delivery to user's mailbox (as in, don't try to expand - this can avoid loops)
\user
* filename, to append to
/home/me/filename
* pipe, to pipe into
|prog
"|prog"
|"prog"
e.g.
|"ssh host2 'mail username'"
e.g.
|"/usr/bin/vacation username"
chmod 644 .forward
See also:
* http://www.softpanorama.org/Mail/pipes_in_dot_forward_file.shtml
* http://www.nevis.columbia.edu/twiki/bin/view/Nevis/DotForward
* http://www.courier-mta.org/dot-forward.html
-->
==sendmail==
<!--
Sendmail is a very thin wrapper, which you can see as
* a "script that puts a raw email into the MTA, whatever that is, and by whatever method works".
* you not needing to know anything about MTA config, as long as sendmail is properly configured on the host you're running it on


-->
-->

Revision as of 18:46, 22 January 2024

This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.



MIME

MIME (Multipurpose Internet Mail Extensions) is a container format most commonly used in mail sent through SMTP.

(The combination is sometimes called SMTP/MIME, but that name is often avoided to prevent confusion with S/MIME, a public-key scheme that allows the signing and encrypting of MIME messages.)


MIME deals with text coding (character set specification, and non-ASCII headers), but also with message structure, particularly multi-part bodies, which allows attachments (text and non-text), and message nesting (useful in replying and forwarding messages verbatim, including attachments).


Also related: Binary-to-text coding#Base64 and Binary-to-text coding#Quoted_printable


'MIME compatible'

MIME compatible basically means "this text data does not contain characters that would cause problems if you placed it verbatim within a MIME message".

It is most usually seen wherever you want to transfer arbitrary data via MIME, that should not break things and should not be altered in the process.


Specific parts of MIME-formatted messages may not contain certain characters.

They may not contain control characters (0x00-0x1F, 0x7F) or non-ASCII (0x80-0xFF)(verify).

Some characters (like 0x0D and 0x0A) may well be altered or parsed out in the process of MIME parsing, so aren't used in any significant way.


As a result:

  • arbitrary binary data cannot be safely embedded as-is, and must be encoded, most typically using Base64, which is a transformation to just printable ASCII characters (similar to uuencode, binhex), taking more space in the process.
  • most character codings cannot be used without being Base64'd.

Both mean space efficiency isn't what it could theoretically be.
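The round trip described above, as an added example (not part of the original notes): a constructed 256-byte payload is checked against the character rule, wrapped as an attachment with Python's standard email package, and unwrapped again. The names `unsafe_offsets`, `wrap` and `unwrap` are this sketch's own, and tolerating TAB as line structure is an assumption.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# TAB, LF and CR are tolerated as line structure. Tolerating TAB is an
# assumption of this sketch; the text above only singles out CR and LF.
LINE_BYTES = {0x09, 0x0A, 0x0D}

# Constructed sample payload: every possible byte value once.
PAYLOAD = bytes(range(256))


def unsafe_offsets(data: bytes) -> list:
    """Offsets of control (0x00-0x1F, 0x7F) and non-ASCII (0x80-0xFF) bytes."""
    return [i for i, b in enumerate(data)
            if (b < 0x20 and b not in LINE_BYTES) or b >= 0x7F]


def wrap(payload: bytes) -> bytes:
    """Build a multipart message carrying payload as an attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    # Binary content gets Content-Transfer-Encoding: base64 automatically.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="blob.bin")
    return msg.as_bytes()


def unwrap(raw: bytes) -> tuple:
    """Return (decoded attachment bytes, number of Base64 characters)."""
    parsed = message_from_bytes(raw, policy=policy.default)
    part = next(parsed.iter_attachments())
    b64_chars = len("".join(part.get_payload().split()))
    return part.get_content(), b64_chars


if __name__ == "__main__":
    raw = wrap(PAYLOAD)
    decoded, b64_chars = unwrap(raw)
    print("unsafe bytes in raw payload:", len(unsafe_offsets(PAYLOAD)))
    print("unsafe bytes in MIME message:", len(unsafe_offsets(raw)))
    print("round trip intact:", decoded == PAYLOAD)
    print("payload bytes -> Base64 chars:", len(PAYLOAD), "->", b64_chars)
```

The Base64 character count is 4/3 of the payload size, before counting the line breaks and part headers that MIME adds on top.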

MIME types

'MIME type' is technically now called Internet media type.


See also

Standards:

  • RFC 2821: 'Simple Mail Transfer Protocol' (SMTP)
  • RFC 2822: 'Internet Message Format' (mostly outdates RFC 822)
  • RFC 822: 'Standard for the Format of ARPA Internet Text Messages'

And also:

  • RFC 2045: 'MIME Part One: Format of Internet Message Bodies'
  • RFC 2046: 'MIME Part Two: Media Types'
  • RFC 2047: 'MIME Part Three: Message Header Extensions for Non-ASCII Text'
  • RFC 2231: 'MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations'

Also related, perhaps a little less interesting:

  • RFC 4288: 'Media Type Specifications and Registration Procedures'
  • RFC 4289: 'MIME Part Four: Registration Procedures'
  • RFC 2077: 'The Model Primary Content Type for Multipurpose Internet Mail Extensions'

S/MIME

Mail

delivery tricks for admins

Sending to another host, via SSH

I wanted this to aggregate admin-ish mail such as "drive is starting to fail" errors -- stuff I script myself -- from various workstations to one server. That server has local-only delivery (and I didn't want a real mail server because properly securing one is a special hell).

My solution: Use a passphraseless ssh keypair, and a command like the following:

echo "Message for root on host2" | ssh mailuser@host2 "mailx root"

...which is really just running mailx remotely and piping some text into it.

Forwarding mail to another host, via SSH

The above only works if you're a script willing to run that ssh command yourself.

I wanted all of root's mail (e.g. cron, logwatch, and other such messages) to be sent elsewhere.

Since .forward allows commands[1], this amounts to a variation of the above:

|"ssh user@host2 'mailx user2'"



Anti-spoofing

SPF, DKIM, DMARC

Unsorted

Spamassassin

Hooking a working spamassassin into postfix

This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.

Assuming you've already set up spamassassin itself so that it functions, the next step is to make it actually filter postfix mail.


The first part is to add spamassassin as a content filter, which mostly means it adds X-Spam headers. This does not do any rejection yet.

In /etc/postfix/master.cf add a line like (this can vary a little, a little reading around here can't hurt)

spamassassin unix -     n       n       -       -       pipe user=spamfilter argv=/usr/bin/spamc -f -e  /usr/sbin/sendmail -oi -f ${sender} ${recipient}


If you want to be careful about what you bounce, then you may want to put the threshold for marking it spam (required_hits in /etc/spamassassin/local.cf, which defaults to 5, which seems sensible) lower than the rejection threshold (next bit).


To do the actual filtering, edit/create /etc/postfix/header_checks, which is a rule system based on header matches. Here we match on the X-Spam headers we've just configured it to add.

You can control at what level to filter by matching on X-Spam-Level. For example, to reject level 7 or higher:

/^X-Spam-Level: \*\*\*\*\*\*\*/ REJECT spam content

You can choose to

  • REJECT for an explicit bounce
  • DISCARD to say you accepted it, but actually drop it
  • HOLD for review (only makes sense if you have someone actually doing this)
  • REDIRECT to a spam address, e.g. a local mailbox (if you have someone looking at this, or want to collect it for fun)


Also ensure this header_checks file is hooked into main.cf, looking for a line like:

header_checks = regexp:/etc/postfix/header_checks


Reload postfix

/etc/init.d/postfix reload

and send a test. The following is a test string that is always considered spam[2]

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Check your mail log to see the response.

tail -F /var/log/mail.log
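How the header_checks rule above behaves for different scores, as an added example (not part of the original notes): a small Python simulation of a regexp table run over constructed messages. The table parser ignores pattern flags, and `PASS` is this sketch's own name for "no rule matched".

```python
import re
from email import message_from_string

# The rule from the text, in a constructed one-rule table.
HEADER_CHECKS = r"""
# reject at 7 stars or more
/^X-Spam-Level: \*\*\*\*\*\*\*/ REJECT spam content
"""


def load_table(text):
    """Parse '/pattern/ ACTION optional text' lines; flags are not handled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S+)\s*(.*)", line)
        if m is None:
            raise ValueError("unparsed rule: " + line)
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE),
                      m.group(2), m.group(3)))
    return rules


def verdict(rules, raw_message):
    """Check each header in order; the first matching rule decides."""
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        header = f"{name}: {value}"
        for pattern, action, text in rules:
            if pattern.search(header):
                return action, text
    return "PASS", ""  # this sketch's name for "no rule matched"


def sample(stars):
    """Constructed message as it might look after spamc tagged it."""
    return ("From: sender@example.com\nSubject: test\n"
            f"X-Spam-Level: {'*' * stars}\n\nbody\n")


if __name__ == "__main__":
    rules = load_table(HEADER_CHECKS)
    for stars in (2, 5, 7, 9):
        print(stars, verdict(rules, sample(stars)))
```

Because the pattern is not anchored at the end, seven stars also matches any longer run, while a 5-star message (marked as spam at the default required_hits) is still delivered.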



.forward

This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.


sendmail