Run Your Own Mail Server - Errata

Intro

I’ve just finished working through the book Run Your Own Mail Server and I learned a lot! This is the first book I’ve read by world-renowned author Michael W. Lucas and I will definitely be purchasing more in the future.

This is not a review from any position of expertise - quite the opposite. I knew almost nothing about running an email server going into this. This book is an excellent resource for anyone looking to understand the complexities of modern email, even if you have no desire to run your own server.

The author provides insight into the challenges of running an email server, explaining that SMTP is a 50-year-old protocol that has evolved to enable new security and features, while maintaining backwards compatibility with other email servers at unknown levels of evolution.

The book begins by setting up an email server to work as they did in the 1970s: for sending email to other users of the same computer. We gradually build to sending email between computers, and eventually enable virtual hosts, virtual users, and establish techniques for managing them. The second half of the book explains the various mechanisms for managing spam and enhancing security of the system.

As much as I appreciate the book, I did find a few errors that, as a novice, took me some time to figure out. I hope if Mr. Lucas (or anyone else) reads this article, he will consider it as a supplement from a fan, rather than a criticism.

Errata

Chapter 4: Virtual Domains

The Postfix Aliases File

This section gives example commands to query defined aliases, such as:

$ postalias -q sshd aliases

Correction: The command above only works if you are in the /etc directory. That is because the last argument (aliases) names the alias database by the path of its source file. The lookup is actually done against /etc/aliases.db, but Postfix appends the .db suffix itself, so you pass aliases rather than aliases.db. The command will work from anywhere with a fully qualified path.

$ postalias -q sshd /etc/aliases

Dovecot User Database

The end of this section instructs the reader to configure “Dovecot to use the Maildir format and to stick the mail directly in the user’s home directory” with the following configuration.

mail_location = maildir:~

userdb {
  driver = passwd-file
  args = /etc/dovecot/passwd
  default_fields = uid=vmail gid=vmail home=/vhosts/%d/%n
}

This does, indeed, have the desired effect for virtual mailboxes, but it also causes Dovecot to place mail for real users directly in their home directory, mixing the Maildir folders in with the user's own files. A better approach is to point mail_location to a subdirectory for local users, and override the mail location for virtual users, like so:

mail_location = maildir:~/Maildir

userdb {
  driver = passwd-file
  args = /etc/dovecot/passwd
  default_fields = uid=vmail gid=vmail home=/vhosts/%d/%n mail=maildir:~
}

Local Mail Transport Protocol (LMTP)

The configuration for the LMTP service in Dovecot contains an error.

protocols lmtp

service = lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

Correction: The equals sign should be on the protocols line, rather than the service line.

protocols = lmtp

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
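The two mistakes in the book's block (a setting without "=", a section header with one) are both structural, so they can be caught mechanically. The following standalone check is an added example, not from the book or from Dovecot; it encodes the Dovecot syntax rule the correction relies on and runs it over the book's block and the corrected one.

```python
# Constructed Dovecot fragments: the book's LMTP block and the corrected
# one from this errata entry.
BOOK_LMTP = """\
protocols lmtp

service = lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
"""
FIXED_LMTP = BOOK_LMTP.replace("protocols lmtp", "protocols = lmtp") \
                      .replace("service = lmtp {", "service lmtp {")

def lint_dovecot(text):
    """Return (line_number, message) pairs for structural errors.

    Rules: "name [arg] {" opens a section and takes no "="; "}" closes
    one; every other non-comment, non-!include line is "key = value".
    """
    errors, depth = [], 0
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#!":   # blank, comment, !include
            continue
        if line.endswith("{"):
            depth += 1
            if "=" in line:
                errors.append((n, "section header must not contain '='"))
        elif line == "}":
            depth -= 1
            if depth < 0:
                errors.append((n, "unmatched '}'"))
        elif "=" not in line:
            errors.append((n, "setting needs 'key = value'"))
    if depth > 0:
        errors.append((len(lines), f"{depth} unclosed section(s)"))
    return errors

if __name__ == "__main__":
    print(lint_dovecot(BOOK_LMTP))   # flags lines 1 and 3
    print(lint_dovecot(FIXED_LMTP))  # []
```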

Chapter 5: IMAP and Submission

Configuring Postfix SASL

This section contains an error in the Postfix configuration example:

smtpd_sender_login_maps = $virtual_alias_maps

Correction: This should be:

smtpd_sender_login_maps = $virtual_mailbox_maps

Connecting SASL to Submission: master.cf

This section includes the configuration of the submission service to be added to master.cf

smtpds inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=yes
  -o { smtpd_client_restrictions=permit_mynetworks,
  	 permit_sasl_authenticated,reject }
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o { smtpd_recipient_restrictions=
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   permit_sasl_authenticated,reject }

Correction: There are two problems with this configuration:

  1. The service name should be submissions. You could also use submission here, but that would be the STARTTLS version that listens on port 587. All the following examples assume the service is running TLS on port 465, and we get that by using the service name submissions (with the 's' at the end).
  2. It is missing the smtpd_sasl_auth_enable=yes option. SASL authentication does not work without it.

submissions inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o { smtpd_client_restrictions=permit_mynetworks,
  	 permit_sasl_authenticated,reject }
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o { smtpd_recipient_restrictions=
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   permit_sasl_authenticated,reject }
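Both problems above can be checked before reloading Postfix. The script below is an added example, not from the book or from Postfix: it parses master.cf entries (a service line in column 0 followed by indented "-o name=value" lines, including the Postfix 3.x "-o { ... }" form that spans lines) and verifies that the TLS-wrapped service is named submissions, enables SASL, and only lets authenticated clients past the client restrictions.

```python
import re

# Constructed master.cf fragment: the corrected "submissions" entry above.
MASTER_CF = """\
submissions inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o { smtpd_client_restrictions=permit_mynetworks,
     permit_sasl_authenticated,reject }
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o { smtpd_recipient_restrictions=
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   permit_sasl_authenticated,reject }
"""

def parse_master_cf(text):
    """Map service name -> {option: value}. A line in column 0 starts a
    service; indented lines continue it. Options are "-o name=value" or
    the brace form "-o { name=value, ... }" spanning several lines."""
    services = {}
    for entry in re.split(r"\n(?=\S)", text.strip()):
        head, _, body = entry.partition("\n")
        opts = {}
        for m in re.finditer(r"-o\s+(?:\{(.*?)\}|(\S+))", body, re.S):
            key, _, value = (m.group(1) or m.group(2)).partition("=")
            opts[key.strip()] = re.sub(r"\s+", "", value)  # braces ignore whitespace
        services[head.split()[0]] = opts
    return services

def check_submission(services):
    """Return problems with the TLS-wrapped (port 465) submission entry."""
    problems = []
    for name, opts in services.items():
        if opts.get("smtpd_tls_wrappermode") != "yes":
            continue
        if name != "submissions":
            problems.append(f"{name}: TLS-wrapped service should be named 'submissions'")
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            problems.append(f"{name}: smtpd_sasl_auth_enable=yes missing, AUTH never offered")
        restr = opts.get("smtpd_client_restrictions", "").split(",")
        if "permit_sasl_authenticated" not in restr or restr[-1] != "reject":
            problems.append(f"{name}: client restrictions must permit SASL users, then reject")
    return problems

if __name__ == "__main__":
    print(check_submission(parse_master_cf(MASTER_CF)) or "OK")
```

Feeding it the book's original entry (service named smtpds, no smtpd_sasl_auth_enable) reports exactly the two problems listed in the correction.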

Chapter 7: Rspamd Essentials

Talking to Redis

This section gives instructions to “run this command from /var/run/bayes-redis”.

Correction: The previous instructions create the sockets in /var/run/rspamd-redis, so the command should be run from there.

Redis

This section gives instructions to create a classifier-bayes.conf, but does not provide the path.

Correction: The classifier-bayes.conf file belongs in the /etc/rspamd/local.d directory.

The provided content for the redis.conf file contains an incorrect path for the servers setting.

Correction: The contents of redis.conf should be as follows:

password = "HanShotFirst";
servers = "/var/run/rspamd/redis/rspamd.sock";