213bc63a95
This patch adds support for TLS-wrapped submission connections. Instead of clients establishing a connection over plain text and then using STARTTLS to switch over a TLS connection, this new mode allows the clients to connect directly over TLS, like it's done in HTTPS. This is not an official standard yet, but it's reasonably common in practice, and provides some advantages over the traditional submission port. The default port is 465, commonly used for this; chasquid defaults to systemd file descriptor passing as for the other protocols (for now).
chasquid
chasquid is an SMTP (email) server.
It aims to be easy to configure and maintain for a small mail server, at the expense of flexibility and functionality.
It's written in Go.
Features
- Easy to configure, hard to mis-configure in ways that are harmful or insecure (e.g. no open relay, clear-text authentication, etc.).
- Tracking of per-domain TLS support, prevents connection downgrading.
- SMTP UTF8 (international usernames).
- IDNA (international domain names).
- Hooks for easy integration with greylisting, anti-virus and anti-spam.
- Multiple domains, with per-domain user database and aliases.
- Multiple TLS certificates.
- Suffix dropping (user+something@domain -> user@domain).
- Easy integration with letsencrypt.
- SPF checking.
- Monitoring HTTP server, with exported variables and tracing to help debugging.
The following are intentionally not implemented:
- Custom email routing and transport.
- DKIM/DMARC checking (although the post-data hook can be used for it).
- Different backends for domain and user configuration (Dovecot authentication may be implemented in the future).
Status
chasquid is in beta.
It's functional and has had some production exposure, but some things may still change in backwards-incompatible way, including the configuration format. It should be rare and will be avoided if possible.
You should subscribe to the mailing list to get notifications of such changes.
Contact
If you have any questions, comments or patches please send them to the mailing list, chasquid@googlegroups.com.
To subscribe, send an email to chasquid+subscribe@googlegroups.com.
You can also browse the archives.
Installation
If you're using Debian or Ubuntu, chasquid can be installed by running
sudo apt install chasquid.
To get the code and build it, you will need a working Go environment.
# Get the code and build the binaries.
go get blitiri.com.ar/go/chasquid
cd "$GOPATH/src/blitiri.com.ar/go/chasquid"
make
# Install the binaries to /usr/local/bin.
sudo make install-binaries
# Copy the example configuration to /etc/chasquid and /etc/systemd, and create
# the /var/lib/chasquid directory.
sudo make install-config-skeleton
Configuration
The configuration is in /etc/chasquid/ by default, and has the following
structure:
- chasquid.conf Main config file.
- domains/ Domains' data.
- example.com/
- users User and password database for the domain.
- aliases Aliases for the domain.
...
- certs/ Certificates to use, one dir per pair.
- mx.example.com/
- fullchain.pem Certificate (full chain).
- privkey.pem Private key.
...
Note the certs/ directory matches certbot's structure, so if you use it you can just symlink to /etc/letsencrypt/live.
Make sure the user you use to run chasquid under ("mail" in the example config) can access the certificates and private keys.
Adding users
You can add users with:
chasquid-util user-add user@domain
This will also create the corresponding domain directory if it doesn't exist.
Checking your configuration
Run chasquid-util print-config to parse your configuration and display the
resulting values.
Checking your setup
Run smtp-check yourdomain.com, it will check:
- MX DNS records.
- SPF DNS records (will just warn if not present).
- TLS certificates.
It needs to access port 25, which is often blocked by ISPs, so it's likely that you need to run it from your server.
Greylisting, anti-spam and anti-virus
chasquid supports running a post-DATA hook, which can be used to perform greylisting, and run anti-spam and anti-virus filters.
The hook should be at /etc/chasquid/hooks/post-data.
The one installed by default is a bash script supporting:
- greylisting using greylistd.
- anti-spam using spamassassin.
- anti-virus using clamav.
To use them, they just need to be available in your system.
For example, in Debian you can run the following to install all three:
apt install greylistd spamc clamdscan
usermod -a -G greylist mail
Note that the default hook may not work in all cases, it is provided as a practical example but you should adjust it to your particular system if needed.