/* Command mox is a modern full-featured open source secure mail server for low-maintenance self-hosted email. - Quick and easy to set up with quickstart and automatic TLS with ACME and Let's Encrypt. - IMAP4 with extensions for accessing email. - SMTP with SPF, DKIM, DMARC, DNSBL, MTA-STS, TLSRPT for exchanging email. - Reputation-based and content-based spam filtering. - Internationalized email. - Admin web interface. # Commands mox [-config config/mox.conf] [-pedantic] ... mox serve mox quickstart [-existing-webserver] [-hostname host] user@domain [user | uid] mox stop mox setaccountpassword address mox setadminpassword mox loglevels [level [pkg]] mox queue list mox queue kick [-id id] [-todomain domain] [-recipient address] mox queue drop [-id id] [-todomain domain] [-recipient address] mox queue dump id mox import maildir accountname mailboxname maildir mox import mbox accountname mailboxname mbox mox export maildir dst-dir account-path [mailbox] mox export mbox dst-dir account-path [mailbox] mox localserve mox help [command ...] mox config test mox config dnscheck domain mox config dnsrecords domain mox config describe-domains >domains.conf mox config describe-static >mox.conf mox config account add account address mox config account rm account mox config address add address account mox config address rm address mox config domain add domain account [localpart] mox config domain rm domain mox config describe-sendmail >/etc/moxsubmit.conf mox config printservice >mox.service mox example [name] mox checkupdate mox cid cid mox clientconfig domain mox dkim gened25519 >$selector._domainkey.$domain.ed25519key.pkcs8.pem mox dkim genrsa >$selector._domainkey.$domain.rsakey.pkcs8.pem mox dkim lookup selector domain mox dkim txt <$selector._domainkey.$domain.key.pkcs8.pem mox dkim verify message mox dkim sign message mox dmarc lookup domain mox dmarc parsereportmsg message ... mox dmarc verify remoteip mailfromaddress helodomain < message mox dnsbl check zone ip mox dnsbl checkhealth zone mox mtasts lookup domain mox retrain accountname mox sendmail [-Fname] [ignoredflags] [-t] [. All ">*From " are escaped, otherwise reconstructing the original could lose a ">". usage: mox export mbox dst-dir account-path [mailbox] # mox localserve Start a local SMTP/IMAP server that accepts all messages, useful when testing/developing software that sends email. Localserve starts mox with a configuration suitable for local email-related software development/testing. It listens for SMTP/Submission(s), IMAP(s) and HTTP(s), on the regular port numbers + 1000. Data is stored in the system user's configuration directory under "mox-localserve", e.g. $HOME/.config/mox-localserve/ on linux, but can be overridden with the -dir flag. If the directory does not yet exist, it is automatically initialized with configuration files, an account with email address mox@localhost and password moxmoxmox, and a newly generated self-signed TLS certificate. All incoming email to any address is accepted (if checks pass), unless the recipient localpart ends with: - "temperror": fail with a temporary error code - "permerror": fail with a permanent error code - [45][0-9][0-9]: fail with the specific error code - "timeout": no response (for an hour) If the localpart begins with "mailfrom" or "rcptto", the error is returned during those commands instead of during "data". usage: mox localserve -dir string configuration storage directory (default "$userconfigdir/mox-localserve") # mox help Prints help about matching commands. If multiple commands match, they are listed along with the first line of their help text. If a single command matches, its usage and full help text is printed. usage: mox help [command ...] # mox config test Parses and validates the configuration files. If valid, the command exits with status 0. If not valid, all errors encountered are printed. usage: mox config test # mox config dnscheck Check the DNS records with the configuration for the domain, and print any errors/warnings. usage: mox config dnscheck domain # mox config dnsrecords Prints annotated DNS records as zone file that should be created for the domain. The zone file can be imported into existing DNS software. You should review the DNS records, especially if your domain previously/currently has email configured. usage: mox config dnsrecords domain # mox config describe-domains Prints an annotated empty configuration for use as domains.conf. The domains configuration file contains the domains and their configuration, and accounts and their configuration. This includes the configured email addresses. The mox admin web interface, and the mox command line interface, can make changes to this file. Mox automatically reloads this file when it changes. Like the static configuration, the example domains.conf printed by this command needs modifications to make it valid. usage: mox config describe-domains >domains.conf # mox config describe-static Prints an annotated empty configuration for use as mox.conf. The static configuration file cannot be reloaded while mox is running. Mox has to be restarted for changes to the static configuration file to take effect. This configuration file needs modifications to make it valid. For example, it may contain unfinished list items. usage: mox config describe-static >mox.conf # mox config account add Add an account with an email address and reload the configuration. Email can be delivered to this address/account. A password has to be configured explicitly, see the setaccountpassword command. usage: mox config account add account address # mox config account rm Remove an account and reload the configuration. Email addresses for this account will also be removed, and incoming email for these addresses will be rejected. usage: mox config account rm account # mox config address add Adds an address to an account and reloads the configuration. If address starts with a @ (i.e. a missing localpart), this is a catchall address for the domain. usage: mox config address add address account # mox config address rm Remove an address and reload the configuration. Incoming email for this address will be rejected after removing an address. usage: mox config address rm address # mox config domain add Adds a new domain to the configuration and reloads the configuration. The account is used for the postmaster mailboxes the domain, including as DMARC and TLS reporting. Localpart is the "username" at the domain for this account. If must be set if and only if account does not yet exist. usage: mox config domain add domain account [localpart] # mox config domain rm Remove a domain from the configuration and reload the configuration. This is a dangerous operation. Incoming email delivery for this domain will be rejected. usage: mox config domain rm domain # mox config describe-sendmail Describe configuration for mox when invoked as sendmail. usage: mox config describe-sendmail >/etc/moxsubmit.conf # mox config printservice Prints a systemd unit service file for mox. This is the same file as generated using quickstart. If the systemd service file has changed with a newer version of mox, use this command to generate an up to date version. usage: mox config printservice >mox.service # mox example List available examples, or print a specific example. usage: mox example [name] # mox checkupdate Check if a newer version of mox is available. A single DNS TXT lookup to _updates.xmox.nl tells if a new version is available. If so, a changelog is fetched from https://updates.xmox.nl, and the individual entries validated with a builtin public key. The changelog is printed. usage: mox checkupdate # mox cid Turn an ID from a Received header into a cid, for looking up in logs. A cid is essentially a connection counter initialized when mox starts. Each log line contains a cid. Received headers added by mox contain a unique ID that can be decrypted to a cid by admin of a mox instance only. usage: mox cid cid # mox clientconfig Print the configuration for email clients for a domain. Sending email is typically not done on the SMTP port 25, but on submission ports 465 (with TLS) and 587 (without initial TLS, but usually added to the connection with STARTTLS). For IMAP, the port with TLS is 993 and without is 143. Without TLS/STARTTLS, passwords are sent in clear text, which should only be configured over otherwise secured connections, like a VPN. usage: mox clientconfig domain # mox dkim gened25519 Generate a new ed25519 key for use with DKIM. Ed25519 keys are much smaller than RSA keys of comparable cryptographic strength. This is convenient because of maximum DNS message sizes. At the time of writing, not many mail servers appear to support ed25519 DKIM keys though, so it is recommended to sign messages with both RSA and ed25519 keys. usage: mox dkim gened25519 >$selector._domainkey.$domain.ed25519key.pkcs8.pem # mox dkim genrsa Generate a new 2048 bit RSA private key for use with DKIM. The generated file is in PEM format, and has a comment it is generated for use with DKIM, by mox. usage: mox dkim genrsa >$selector._domainkey.$domain.rsakey.pkcs8.pem # mox dkim lookup Lookup and print the DKIM record for the selector at the domain. usage: mox dkim lookup selector domain # mox dkim txt Print a DKIM DNS TXT record with the public key derived from the private key read from stdin. The DNS should be configured as a TXT record at $selector._domainkey.$domain. usage: mox dkim txt <$selector._domainkey.$domain.key.pkcs8.pem # mox dkim verify Verify the DKIM signatures in a message and print the results. The message is parsed, and the DKIM-Signature headers are validated. Validation of older messages may fail because the DNS records have been removed or changed by now, or because the signature header may have specified an expiration time that was passed. usage: mox dkim verify message # mox dkim sign Sign a message, adding DKIM-Signature headers based on the domain in the From header. The message is parsed, the domain looked up in the configuration files, and DKIM-Signature headers generated. The message is printed with the DKIM-Signature headers prepended. usage: mox dkim sign message # mox dmarc lookup Lookup dmarc policy for domain, a DNS TXT record at _dmarc., validate and print it. usage: mox dmarc lookup domain # mox dmarc parsereportmsg Parse a DMARC report from an email message, and print its extracted details. DMARC reports are periodically mailed, if requested in the DMARC DNS record of a domain. Reports are sent by mail servers that received messages with our domain in a From header. This may or may not be legatimate email. DMARC reports contain summaries of evaluations of DMARC and DKIM/SPF, which can help understand email deliverability problems. usage: mox dmarc parsereportmsg message ... # mox dmarc verify Parse an email message and evaluate it against the DMARC policy of the domain in the From-header. mailfromaddress and helodomain are used for SPF validation. If both are empty, SPF validation is skipped. mailfromaddress should be the address used as MAIL FROM in the SMTP session. For DSN messages, that address may be empty. The helo domain was specified at the beginning of the SMTP transaction that delivered the message. These values can be found in message headers. usage: mox dmarc verify remoteip mailfromaddress helodomain < message # mox dnsbl check Test if IP is in the DNS blocklist of the zone, e.g. bl.spamcop.net. If the IP is in the blocklist, an explanation is printed. This is typically a URL with more information. usage: mox dnsbl check zone ip # mox dnsbl checkhealth Check the health of the DNS blocklist represented by zone, e.g. bl.spamcop.net. The health of a DNS blocklist can be checked by querying for 127.0.0.1 and 127.0.0.2. The second must and the first must not be present. usage: mox dnsbl checkhealth zone # mox mtasts lookup Lookup the MTASTS record and policy for the domain. MTA-STS is a mechanism for a domain to specify if it requires TLS connections for delivering email. If a domain has a valid MTA-STS DNS TXT record at _mta-sts. it signals it implements MTA-STS. A policy can then be fetched at https://mta-sts./.well-known/mta-sts.txt. The policy specifies the mode (enforce, testing, none), which MX servers support TLS and should be used, and how long the policy can be cached. usage: mox mtasts lookup domain # mox retrain Recreate and retrain the junk filter for the account. Useful after having made changes to the junk filter configuration, or if the implementation has changed. usage: mox retrain accountname # mox sendmail Sendmail is a drop-in replacement for /usr/sbin/sendmail to deliver emails sent by unix processes like cron. If invoked as "sendmail", it will act as sendmail for sending messages. Its intention is to let processes like cron send emails. Messages are submitted to an actual mail server over SMTP. The destination mail server and credentials are configured in /etc/moxsubmit.conf, see mox config describe-sendmail. The From message header is rewritten to the configured address. When the addressee appears to be a local user, because without @, the message is sent to the configured default address. If submitting an email fails, it is added to a directory moxsubmit.failures in the user's home directory. Most flags are ignored to fake compatibility with other sendmail implementations. A single recipient or the -t flag with a To-header is required. With the -t flag, Cc and Bcc headers are not handled specially, so Bcc is not removed and the addresses do not receive the email. /etc/moxsubmit.conf should be group-readable and not readable by others and this binary should be setgid that group: groupadd moxsubmit install -m 2755 -o root -g moxsubmit mox /usr/sbin/sendmail touch /etc/moxsubmit.conf chown root:moxsubmit /etc/moxsubmit.conf chmod 640 /etc/moxsubmit.conf # edit /etc/moxsubmit.conf usage: mox sendmail [-Fname] [ignoredflags] [-t] [