Services/Mail: Difference between revisions
Latest revision as of 06:23, 8 April 2020
| Description | Available services. If you want email addresses using your own domain(s), see the mail hosting service. |
|---|---|
| Prerequisite | None |
| Account | Global (registration required) |
| IPv6 Ready | Yes |
| Security Notes | Access to the mail services, and to your data, is fully secured; nevertheless most mail exchange on the Internet is not. MX DNS records are protected with DNSSEC and we publish an MTA-STS policy as well as DANE/TLSA records so that secure connections are used as much as possible. Complete security can be achieved using signed and encrypted mails (see OpenPGP and S/MIME). |
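The security notes above say the domain publishes an MTA-STS policy so that sending servers use TLS to the listed MX hosts. The following is an added example (not code from this wiki, nor from Postfix or postfix-mta-sts-resolver) showing how a sending side parses such a policy per RFC 8461 and decides, for one MX candidate, whether delivery may proceed in each policy mode. The policy text is constructed; the hostnames in it are placeholders.

```python
"""Parse and evaluate an MTA-STS policy (RFC 8461) the way a sender would.

Added educational example. A real policy is fetched over HTTPS from
https://mta-sts.<domain>/.well-known/mta-sts.txt once the _mta-sts.<domain>
TXT record announces it; here the policy text is embedded and constructed.
"""
from typing import Dict, List, Tuple

VALID_MODES = ("enforce", "testing", "none")


class PolicyError(ValueError):
    """Raised when the policy text violates the RFC 8461 grammar."""


def parse_policy(text: str) -> Dict[str, object]:
    """Parse 'key: value' lines. 'mx' may repeat; every other key appears once."""
    fields: Dict[str, str] = {}
    mx: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise PolicyError("malformed line: %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower())
        elif key in fields:
            raise PolicyError("duplicate key: %s" % key)
        else:
            fields[key] = value
    for key in ("version", "mode", "max_age"):
        if key not in fields:
            raise PolicyError("missing key: %s" % key)
    if fields["version"] != "STSv1":
        raise PolicyError("unsupported version: %s" % fields["version"])
    if fields["mode"] not in VALID_MODES:
        raise PolicyError("bad mode: %s" % fields["mode"])
    if not fields["max_age"].isdigit():
        raise PolicyError("max_age must be an integer number of seconds")
    if fields["mode"] != "none" and not mx:
        raise PolicyError("enforce/testing policy needs at least one mx")
    return {"mode": fields["mode"], "max_age": int(fields["max_age"]), "mx": mx}


def is_valid_policy(text: str) -> bool:
    """Convenience wrapper: True when the text parses as a policy."""
    try:
        parse_policy(text)
        return True
    except PolicyError:
        return False


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 MX matching: exact name, or '*.' covering exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.org"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return hostname == pattern


def should_deliver(policy: Dict[str, object], mx_host: str,
                   tls_verified: bool) -> Tuple[bool, str]:
    """Decide what a sender does for one MX candidate.

    enforce: refuse unless the MX is listed and its certificate verified.
    testing: always deliver, but the failure is meant to be reported (TLSRPT).
    none:    the policy imposes nothing.
    """
    listed = any(mx_matches(p, mx_host) for p in policy["mx"])  # type: ignore[arg-type]
    ok = listed and tls_verified
    if policy["mode"] == "enforce":
        return ok, "ok" if ok else "refused: MX not listed or TLS not verified"
    if policy["mode"] == "testing":
        return True, "ok" if ok else "delivered, failure would be reported"
    return True, "no policy"


# Constructed sample policy with placeholder hostnames.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.org
mx: *.backup.example.org
max_age: 604800
"""

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for host, tls in (("mx1.example.org", True), ("mx1.example.org", False),
                      ("mx2.backup.example.org", True), ("evil.example.net", True)):
        print(host, tls, should_deliver(policy, host, tls))
```

The wildcard rule is the part most often implemented wrongly: `*.backup.example.org` must cover `mx2.backup.example.org` but neither `backup.example.org` itself nor a host two labels deep, and the example enforces exactly that.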
Access
Using a Mail Reader
If you have a real mailbox, you can retrieve your mails using either:
- IMAP+TLS (TCP 143) / IMAPS (TCP 993) on imap.duckcorp.org
- or POP3+TLS (TCP 110) / POP3S (TCP 995) on pop.duckcorp.org
The IMAP protocol is recommended over POP3, as it provides many interesting features. If you absolutely want to download all your mails to your own machine, losing the ability to read your mail from anywhere on the planet, you can do that with IMAP too (look at your mail client settings).
You can also use our servers to send mails out via smtp.duckcorp.org using:
- SUBMISSION (TCP 587), which is the recommended way and is less likely to be filtered, or alternatively SMTP+TLS (TCP 25) / SMTPS (TCP 465)
- and SASL authentication
Using a Web Interface
A webmail interface is available.
Securing Your Account
We strongly suggest you enable Two Factor Authentication (2FA) to protect your account. With this system your login and password are not sufficient to log in: an external secret is needed as well.
Currently only one method is available:
- TOTP: using an application on your phone (FreeOTP, available on F-Droid, works fine)
In the settings menu click on the 2-Factor Authentication tab and follow these steps:
- click on the Setup all fields (needs Save) button
- on your phone, open the TOTP application and scan the QR code
- on your phone generate a code, put it in the Check code text field and click on the button to validate that it works fine
- click on the show recovery codes button and store them in a safe place: print them (or store them on an encrypted disk)
- click the Save button; you will be logged out
- check that you can log in again
Mail Encryption and Signing
It is possible to encrypt and sign your emails via PGP. In the past it was possible to upload your key on the server, but there is a more secure method now: with Mailvelope you can use your key on your own machine without exposing your secrets. The company behind Mailvelope proposes various plans, but you don't need to subscribe or pay for anything; just install the Free Software plugin for your browser.
Antivirus and Antispam
Mails stored on our server are checked upon arrival for viruses and SPAM. Outgoing mails from our services are checked too.
Mails containing viruses are deleted automatically upon arrival. Mails with a very high probability of being SPAM are destroyed too. Good mails and possibly spammy mails are delivered to your mailbox.
SPAM is more difficult to detect, and it is an error-prone process, so we chose to use self-learning software instead of a global database. After a few weeks of training it is able to recognize most of your habits and block a lot of annoying SPAM.
Probable SPAM Notification
Mails are delivered normally with a special field added to your mail headers (X-Spam-Status; not always visible, depending on your mail client and its configuration) indicating whether the mail is SPAM and its spamminess score.
This is quite handy if you prefer SPAM arranged in a specific folder. You may then use the provided filtering system to sort it properly, or configure your eMail client.
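As an added example (not code from this wiki nor from Rspamd or Dovecot), here is how a client-side or server-side filter can read the X-Spam-Status field and reproduce the "sort into Junk above a threshold" behaviour, including the two cases a filter must not get wrong: a mail with no such header, and a header it cannot parse, which both stay in the Inbox rather than being silently junked. The exact header layout ("Yes, score=7.5 required=5.0") is an assumption, and all sample messages are constructed.

```python
"""Sort mails into Junk from the X-Spam-Status header added by the server.

Added educational example. The header layout in the constructed samples
(SpamAssassin style: "Yes, score=7.5 required=5.0") is an assumption; adapt
SPAM_STATUS_RE to what your server actually emits.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, Optional, Tuple

SPAM_STATUS_RE = re.compile(
    r"^\s*(?P<flag>yes|no)\s*,.*?\bscore=(?P<score>-?\d+(?:\.\d+)?)",
    re.IGNORECASE | re.DOTALL,
)


def parse_spam_status(msg: Message) -> Optional[Tuple[bool, float]]:
    """Return (is_spam, score) from X-Spam-Status, or None when absent or malformed."""
    header = msg.get("X-Spam-Status")
    if header is None:
        return None
    match = SPAM_STATUS_RE.match(header)
    if not match:
        return None
    return match.group("flag").lower() == "yes", float(match.group("score"))


def choose_folder(msg: Message, threshold: float) -> str:
    """Like the Sieve threshold rule: file into Junk when the score exceeds the threshold.

    A missing or unparsable header is not trusted either way: the mail stays in
    INBOX, where a human will see it, instead of disappearing into Junk.
    """
    parsed = parse_spam_status(msg)
    if parsed is None:
        return "INBOX"
    _is_spam, score = parsed
    return "Junk" if score > threshold else "INBOX"


# Constructed sample messages (not real mail), one per case the rule must handle.
SAMPLES = {
    "spam": "X-Spam-Status: Yes, score=12.3 required=5.0\nSubject: win\n\nbody\n",
    "ham": "X-Spam-Status: No, score=-1.2 required=5.0\nSubject: hi\n\nbody\n",
    "grey": "X-Spam-Status: No, score=4.8 required=5.0\nSubject: hmm\n\nbody\n",
    "no_header": "Subject: plain\n\nbody\n",
    "garbled": "X-Spam-Status: maybe\nSubject: odd\n\nbody\n",
}


def sort_samples(threshold: float = 5.0) -> Dict[str, str]:
    """Run the rule over every sample and return sample name -> target folder."""
    return {name: choose_folder(message_from_string(raw), threshold)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, folder in sort_samples().items():
        print("%-10s -> %s" % (name, folder))
```

Lowering the threshold (for instance to 4.0) moves the "grey" sample into Junk, which is the same knob the Sieve spamtest rule later on this page exposes as a percentage.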
Retraining
Teaching the system what is SPAM and what is HAM (non-SPAM) is called retraining.
If you have or create a folder named Junk, then it is handled automatically:
- if you move mail into it, it is automatically retrained as SPAM
- if you move mail out of it, it is automatically retrained as HAM
- with time, certain old mails automatically expire; see below
If you are using an IMAP sync client which does not support the MOVE operation (isync, offlineimap…) then you unfortunately cannot use this method; please look at the next chapter.
To use this folder properly, SPAM must be delivered into the Junk folder automatically, so you can move it out in case of error. You just need to subscribe to this folder in your mail software (this folder is always auto-created). It is not recommended to use your mail software for this filtering: it is horribly inefficient, and you would have to set things up on each device and manually synchronize your settings.
Automatic expiration logic, based on delivery time (and not the mail timestamp):
- deleted mails are purged after 1 day
- read mails without an important flag are purged after 7 days
- unread mails without an important flag are purged after 30 days
If you use the incoming_spam global rule, then SPAM newly discovered by the system is flagged as important, which means these mails will never be purged until you review them and decide to delete them or mark them as not important. Custom rules might play with this flag to achieve an automatic selection.
Retraining for feature-limited IMAP Sync clients
If your client does not support the MOVE operation (isync, offlineimap…) then you can only copy (APPEND) mail, which does not work with the magic Junk folder.
In this case, you can create special folders called SyncSPAM and SyncHAM and copy SPAM and HAM into them. Every two hours a script will pick up these mails, do the retraining, and remove them. Removing these mails from their original locations is left to you, though.
Mail Filtering
With your favourite mail client, you can probably already filter your mails into proper folders. Nevertheless, this can be an annoying operation:
- it blocks your mail client for a long time if you have to process plenty of mails
- downloading each mail's information, and sometimes its content (depending on your filters), is lengthy too, and costs a lot of bandwidth
- syncing filters across your machines (home desktop, laptop, office machine…) is a pain
- processing only when you're online prevents triggering actions in a timely manner (automatic redirects, vacation messages…), and running a machine 24/7 with a mail client polling for new mails every 30s is not a solution
We provide a much better way to do this using SIEVE filters. In short, SIEVE is a language dedicated to expressing mail filters (also called rules). Our server is able to process your mails according to these filters as soon as they arrive. You then don't have to care about them anymore, and may use light mail clients or webmails when you're not on your machine with your favourite software.
Rules Configuration
You can express sort/reject/vacation/… filters using these rules, as the capabilities are very rich. Several programs support managing SIEVE rules:
- Icedove/Thunderbird:
  - using the SIEVE extension (in the xul-ext-sieve Debian package), it provides a rules editor (for power-users)
- Roundcube:
  - coupled with the sieverules extension, it provides an easy-to-use web interface
  - this webmail has been made available here
- sieve-connect:
  - provides a CLI to upload/download/activate your rules files
  - this tool is available on the shell hosts
(tell us if you know more software supporting this feature)
To push your filters to the server, a dedicated protocol exists: MANAGESIEVE (TCP 4190) on sieve.duckcorp.org. Our webmails are already configured to use it, but if you use sieve-connect from our hosts or your own mail software, you'll need these parameters.
You can read more info about SIEVE here:
- supported SIEVE features on our server: https://pigeonhole.dovecot.org/
- http://sieve.info/
Global Rules
Global rules are provided to ease the configuration of specific filters. They can easily be included in your own configuration.
Available rules:
- incoming_spam:
  - SPAM will automatically be delivered into the Junk folder and marked as important
If you write your own custom rules, here is an example of how to include one of them:
```sieve
require ["include"];
include :global "<rule-name>";
```
Default Rules
The default settings (since 2112-02-11) are to use the global incoming_spam rule (see above), in order to provide a simple default configuration for most users. All other mails will end up in your Inbox folder and you may then sort them yourself.
If you create your own rules, the default rules won't apply anymore, so power-users can replace the default behavior completely to achieve what they really need. If you want to keep the default behavior you can use:
```sieve
require ["include"];
include :global "incoming_spam";
```
You can also take advantage of the antispam spamminess score to use a different threshold, like this:
```sieve
require ["fileinto", "spamtestplus", "relational", "comparator-i;ascii-numeric"];

# if SPAM score is >37% then move into the junk box
if spamtest :percent :value "gt" :comparator "i;ascii-numeric" "37" {
    fileinto "Junk";
    stop;
}
```
Fetching eMails from an External Mailbox
This is not supported anymore; you may still redirect mails from your external mailbox to your DuckCorp's email address though.
This is unfortunately not supported by the synchronization system between our two main mail servers; it was not used anyway. Private (non-shared) namespaces are possible, though.
You may need to share mails or messages with friends or people you do stuff with (in a project or association). Depending on your needs, two solutions are possible:
- share some of your own private folders, thus called shared folders
- manage a special folder hierarchy, called public folders (even if they may not be accessible to everyone)
  - if you need one, ask an administrator; the namespace name can be freely chosen but must be unambiguous and is subject to approval
Namespaces
Through IMAP, or our webmails internally using IMAP, it is possible to partition the folder hierarchy into namespaces. Traditionally you are using the root namespace for your private folders. Additional namespaces can be created and will appear among your own folders or separate, depending on your mail client's choice of representation. To avoid name clashes, we decided to prefix all additional namespace names with a #.
Since 2011-05-14, the following extra namespaces are created and reserved:
- #Shared, containing all folders other users decided to share with you
- #MilkyPond, containing public MP/DC informational mailboxes you may subscribe at will
Folders Permissions
Using IMAP, it is possible to set up rights (read only, write allowed…) on your own folders in order to share them with other users, or groups of users.
Public folders are owned by no-one, and must be created by the administrators. Once your request is accepted we will delegate its administration to your care. It can then be managed like shared folders.
Software Support
Mail client software support:
- RoundCube:
  - supports namespaces, shared and public folders, configurable via Settings->Folders, selecting a folder then using the Sharing tab
- Icedove/Thunderbird:
  - supports namespaces, shared and public folders, configurable via folder selection and the Tools->Imap-ACL menu action
Most other software has namespace support only, so you should be able to use shared/public folders you have rights on but not configure them yourself (tell us if you know more software supporting this feature).
Limitations
Maximum Mail Size
Mails you send or receive are limited to 20MB. If you need to transmit much bigger data, then a mail transport is not appropriate; you'd better use a file sharing method instead.
Quotas
Even if it would be nice to live without them, we had to establish quotas to force people to sort their mails out once in a while and delete useless things instead of leaving an ever-growing mess behind.
The default quota is 512MB, which is not that big but should match the needs of most users. This said, you may ask us for more and there's no reason we would refuse a reasonable demand.
Technical Details
This service is made using:
- ClamAV (https://www.clamav.net/)
- Dovecot (https://dovecot.org/)
- Postfix (https://www.postfix.org/)
- postfix-mta-sts-resolver (https://github.com/Snawoot/postfix-mta-sts-resolver)
- RoundCube (https://www.roundcube.net/)
- Rspamd (https://rspamd.com/)
- Spoolinger (https://projects.duckcorp.org/projects/spoolinger)