Install MariaDB as a database management system DBMS
sudo apt install mariadb-server
Create a new database named srvmail
for a mail server:
sudo mysql -e 'create database if not exists srvmail character set "utf8";'
Create database user srvmail
, with password dbpass
.
This user will be used by Postfix and Dovecot.
It is granted select
permissions on this DB.
sudo mysql -e 'grant select on srvmail.* to "srvmail"@"localhost" identified by "dbpass";'
The domain table contains all domains, which shall be served by the mail server.
CREATE TABLE `domains` (
`id` int unsigned NOT NULL AUTO_INCREMENT,
`domain` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY (`domain`)
);
The account table contains all data regarding user mailbox accounts, such as username, domain, password, and quota.
Quota is in Megabyte (MB).
If the enabled
field if set to true
a mailbox account is active and can be used.
If sendonly
is set to true
this account is not able to receive mails.
CREATE TABLE `accounts` (
`id` int unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(64) NOT NULL,
`domain` varchar(255) NOT NULL,
`password` varchar(255) NOT NULL,
`quota` int unsigned DEFAULT '0',
`enabled` boolean DEFAULT '0',
`sendonly` boolean DEFAULT '0',
PRIMARY KEY (id),
UNIQUE KEY (`username`, `domain`),
FOREIGN KEY (`domain`) REFERENCES `domains` (`domain`)
);
The alias table contains all alias definitions / redirects.
CREATE TABLE `aliases` (
`id` int unsigned NOT NULL AUTO_INCREMENT,
`source_username` varchar(64) NOT NULL,
`source_domain` varchar(255) NOT NULL,
`destination_username` varchar(64) NOT NULL,
`destination_domain` varchar(255) NOT NULL,
`enabled` boolean DEFAULT '0',
PRIMARY KEY (`id`),
UNIQUE KEY (`source_username`, `source_domain`, `destination_username`, `destination_domain`),
FOREIGN KEY (`source_domain`) REFERENCES `domains` (`domain`)
);
The TLS policy table defines policies regarding TLS-encryption to foreign mail servers.
CREATE TABLE `tlspolicies` (
`id` int unsigned NOT NULL AUTO_INCREMENT,
`domain` varchar(255) NOT NULL,
`policy` enum('none', 'may', 'encrypt', 'dane', 'dane-only', 'fingerprint', 'verify', 'secure') NOT NULL,
`params` varchar(255),
PRIMARY KEY (`id`),
UNIQUE KEY (`domain`)
);
Place these table definitions into srvmail-tables.sql
file and import them to the database
sudo mysql srvmail < srvmail-tables.sql
All e-mails and sieve scripts are saved into a special directory /var/srvmail
.
Only the associated srvmail
user has access to it.
Dovecot will use this user account to do its operations on the file system.
Create srvmail
home's directory together with some subdirectories:
sudo mkdir -p /var/srvmail/mailboxes
sudo mkdir -p /var/srvmail/sieve/global
Create srvmail
user
sudo adduser --system --group --disabled-login --disabled-password --home /var/srvmail srvmail
Change permissions on /var/srvmail
:
sudo chown -R srvmail:srvmail /var/srvmail
sudo chmod -R 770 /var/srvmail
Rspamd, Postfix / Postscreen and more services on your system heavily depend on DNS requests.
Therefore, it is recommend to install unbound
as a local DNS resolver and cache!
Some server providers rate-limit your access to their pre-defined DNS resolvers, which might cause trouble.
Especially Rspamd does a lot of DNS requests depending on the mail system load.
Furthermore, Spamhaus blocklists often can be used with own DNS resolvers only.
Install unbound
sudo apt install unbound
Update DNSSEC
Root key and reload Unbound service
su -c "unbound-anchor -a /var/lib/unbound/root.key" - unbound
systemctl reload unbound
To use the DNS lookup utility dig
install dnsutils
sudo apt install dnsutils
Try to use local DSN server:
dig @127.0.0.1 denic.de +short +dnssec
which should lead to something like
81.91.170.12
A 8 2 3600 20190516090000 20190502090000 26155 denic.de. ZenvfYTndSmVHFrrt2klbfjT5bce3TxXtrdZvUKBHh3nsmCGTim67cbk dtQS/G9V2+XIE26I+xbSGl96e1RkHMB
6KFry5hSr+40eBP9ogUuB7LJV UREmTvb/pd5Pw7KamW0qlK9kGCqETS3sCr/PN3V30cV5I1Xi+cxWW0de XRfcktHmotciedpLtszq3OttlVnzrxD7XGdtMYsSe+9WpUKD3xlUVQqH Bl1j/
bXRyf84sLTqrfcPLtc6z/jz3set
If the dig-command worked,
it's time to double-check that unbound
is set as the primary DNS resolver for your mail system:
The result of
nslookup denic.de | grep Server
should now be:
Server: 127.0.0.1
By default openresolv
should be already installed on your system
sudo apt install openresolv
Also, take a look at the openresolv
configuration file
which should take into account the existence of unbound
setup.
sudoedit /etc/resolvconf.conf
A modern email server can’t be operated seriously without TLS certificates. We will use Let’s Encrypt certificates for this purpose, as they are free and yet accepted by all browsers, mail clients and operating systems. If you already have valid certificates, you can use them instead.
Use the official certbot
command line client to get new certificates for your mail system:
sudo apt install certbot
sodo certbot certonly --standalone --rsa-key-size 4096 -d mail.example.com -d imap.example.com -d smtp.example.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
Install the following Dovecot components
sudo apt install dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-sieve dovecot-managesieved
driver=mysql
connect = "host=127.0.0.1 dbname=srvmail user=vmail password=dbpass"
default_pass_scheme = SHA512-CRYPT
password_query = SELECT username AS user, domain, password FROM accounts WHERE username = '%n' AND domain = '%d' and enabled = true;
user_query = SELECT concat('*:storage=', quota, 'M') AS quota_rule FROM accounts WHERE username = '%n' AND domain = '%d' AND sendonly = false;
iterate_query = SELECT username, domain FROM accounts where sendonly = false;
Create a new Sieve filter script spam-global.sieve
in /var/srvmail/sieve/global/
require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
fileinto "Spam";
}
if header :is "X-Spam" "Yes" {
fileinto "Spam";
}
Rspamd
shall learn from its mistakes if you move a mail out of your “Spam” folder and vice versa. Sieve recognizes the moving process and triggers a Rspam learning process. Create to following two sieve config files in /var/srvmail/sieve/global/
:
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];
sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'No configuration'" # optional
sudo apt install postfix postfix-mysql
During installation of the Postfix packages you will be asked what type of configuration you want to create. Select “No configuration”. Then stop Postfix:
sudo systemctl stop postfix
Although you selected “No configuration” there will be configuration files in /etc/postfix
. Delete some of them:
cd /etc/postfix
rm -r sasl
rm master.cf main.cf.proto master.cf.proto
Then create the following new config files in /etc/postfix
:
##
## Network settings
##
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = 127.0.0.1, ::1, 212.86.55.94
myhostname = mail.zyfron.com
##
## Mail queue settings
##
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m
##
## TLS settings
##
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
### Outbound SMTP connections (Postfix as sender)
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
### Inbound SMTP connections
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.zyfron.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.zyfron.com/privkey.pem
##
## Local mail delivery to Dovecot via LMTP
##
virtual_transport = lmtp:unix:private/dovecot-lmtp
##
## Spam filter and DKIM signatures via Rspamd
##
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
##
## Server Restrictions for clients, cecipients and relaying
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
##
### Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions = reject_non_fqdn_recipient
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
### check_recipient_access checks if an account is "sendonly"
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions = permit_mynetworks
check_client_access hash:/etc/postfix/without_ptr
reject_unknown_client_hostname
### Foreign mail servers must present a valid "HELO"
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining
##
## Restrictions for MUAs (Mail user agents)
##
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
##
## Postscreen Filter
##
### Postscreen Whitelist / Blocklist
postscreen_access_list = permit_mynetworks
cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
# Drop connections if other server is sending too quickly
postscreen_greet_action = drop
### DNS blocklists
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2
zen.spamhaus.org*2
postscreen_dnsbl_action = drop
##
## MySQL queries
##
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps
##
## Miscellaneous
##
### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0
### Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800
### Do not notify system users on new e-mail
biff = no
### Users always have to provide full e-mail addresses
append_dot_mydomain = no
### Delimiter for "Address Tagging"
recipient_delimiter = +
Settings to adjust:
- inet_interfaces: IP addresses of your server. 212.86.55.94, 2a00:f820:417::7647:b2c2 must be replaced by your own IPv4- and IPv6-address.
- myhostname: Replace by your own hostname
- smtpd_tls_cert_file: Path to certificate file
- smtpd_tls_key_file: Path to certificate key
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - 1 postscreen
-o smtpd_sasl_auth_enable=no
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_relay_restrictions=$mua_relay_restrictions
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
-o smtpd_helo_required=no
-o smtpd_helo_restrictions=
-o cleanup_service_name=submission-header-cleanup
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
submission-header-cleanup unix n - n - 0 cleanup
-o header_checks=regexp:/etc/postfix/submission_header_cleanup
Create a new file /etc/postfix/submission_header_cleanup
with this content:
### Removes headers of MUAs for privacy reasons
/^Received:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
SQL queries for Postfix sit in the /etc/postfix/sql/
subdirectory:
sudo mkdir /etc/postfix/sql && cd $_
Create these files with their corresponding content:
user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = select 1 as found from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = select concat(destination_username, '@', destination_domain) as destinations from aliases where source_username = '%u' and source_domain = '%d' and enabled = true;
user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = SELECT domain FROM domains WHERE domain='%s'
user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = select if(sendonly = true, 'REJECT', 'OK') AS access from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;
user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = select concat(username, '@', domain) as 'owns' from accounts where username = '%u' AND domain = '%d' and enabled = true union select concat(destination_username, '@', destination_domain) AS 'owns' from aliases where source_username = '%u' and source_domain = '%d' and enabled = true;
user = srvmail
password = dbpass
hosts = 127.0.0.1
dbname = srvmail
query = SELECT policy, params FROM tlspolicies WHERE domain = '%s';
Don’t forget to modify dbpass
in all of the above files, in case you are using another password!
Set proper permissions for /etc/postfix/sql
:
sudo chmod -R 640 /etc/postfix/sql
Create two new files in /etc/postfix
. You can leave them empty.
sudo touch /etc/postfix/without_ptr
sudo touch /etc/postfix/postscreen_access
In without_ptr
you can define entries like this:
1.2.3.4 OK
This will result in a policy, which allows server 1.2.3.4
to send e-mails to this host even if it does not have a valid PTR-record. After every change, without_ptr
has to be converted into a database file and Postfix
must be reloaded:
sudo postmap /etc/postfix/without_ptr
sudo systemctl reload postfix
In postscreen_access
file you can define exceptions for the postscreen filter. If any mail server is blocked by postscreen and you want to grant access for any reason, add an entry similar to the following:
1.2.3.4 permit
You can do the opposite, too: If you always want to block a certain server, add “reject” instead of “permit”.
Execute
sudo newaliases
to create the alias database file /etc/aliases.db
. This file is expected by Postfix by default.
The official Debian repositories contain an outdated version of Rspamd, so use the Rspamd-Repository for installation instead:
sudo apt install -y lsb-release wget
wget -O- https://rspamd.com/apt-stable/gpg.key | sudo apt-key add -
echo "deb http://rspamd.com/apt-stable/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src http://rspamd.com/apt-stable/ $(lsb_release -c -s) main" >> /etc/apt/sources.list.d/rspamd.list
Update package sources and install Rspamd:
sudp apt update
sudo apt install rspamd
On raspbian, there is no deb up to date package available. To build it from source install the following packages
sudo apt install devscripts fakeroot debhelper libcurl4-openssl-dev dh-systemd libjemalloc-dev libunwind-dev ragel libevent-dev lua5.1 liblua5.1-dev cmake sqlite3 libmagic-dev libsqlite3-dev libicu-dev libglib2.0-dev libssl-dev libsodium-dev
Clone the sourse code
git clone --recursive https://github.com/vstakhov/rspamd.git
#git checkout tags/1.9.4 #optionally
To build rspamd it's recommended to create a separate build directory:
cd rspamd
mkdir build
cd build
cmake ..
If you decide to install it from source run
make
sudo make install
The prefered way is to create a package:
tar xvf rspamd-2.0.tar.xz
cd rspamd-2.0
debuild -uc -us
cd ..
dpkg -i *.deb
Following files are now created in /etc/rspamd/local.d/
:
/etc/rspamd/local.d/options.inc
: Network settings and definition of the DNS resolver to use.
local_addrs = "127.0.0.0/8, ::1";
dns {
nameserver = ["127.0.0.1:53:10"];
}
/etc/rspamd/local.d/worker-normal.inc
: Settings for the normal Rspamd worker
bind_socket = "localhost:11333";
### Anzahl der zu nutzenden Worker. Standard: Anzahl der virtuellen Prozessorkerne.
# count = 1
/etc/rspamd/local.d/worker-controller.inc
: Worker controller settings: Password for web interface access, e.g.:
password = "$2$91sbzekafgbaew494epqfsm1bziewza4$wmdqdgjt4ehet7i5i9sczmpbsow7s7g3eo47obuzp8aieb6bzduy";
The password hash (“$2$ …”) must be generated by
rspamadm pw
Enter a password you would like to set, copy the hash and paste it into the configuration file above.
/etc/rspamd/local.d/worker-proxy.inc
: Worker proxy (Milter-Module for Postfix)
bind_socket = "localhost:11332";
milter = yes;
timeout = 120s;
upstream "local" {
default = yes;
self_scan = yes;
}
/etc/rspamd/local.d/logging.inc
: Error logging
type = "file";
filename = "/var/log/rspamd/rspamd.log";
level = "error";
debug_modules = [];
Milter Headers /etc/rspamd/local.d/milter_headers.conf
use = ["x-spamd-bar", "x-spam-level", "authentication-results"];
authenticated_headers = ["authentication-results"];
Use Redis for Bayesian filter: /etc/rspamd/local.d/classifier-bayes.conf
backend = "redis";
Rspamd
uses Redis
as a data cache. Installation is simple:
sudo apt install redis-server
servers = "127.0.0.1";
sudo systemctl start rspamd
So get easy and secure access to the Rspamd web interface, you can install Nginx as a HTTP proxy with TLS-termination. As an alternative, access via a SSH tunnel is sufficient in some cases (see below).
Installation:
sudo apt install nginx
sudoedit /etc/nginx/sites-available/mail.zyfron.com
Config file /etc/nginx/sites-available/mail.zyfron.com
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/mail.zyfron.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.zyfron.com/privkey.pem;
server_name mail.zyfron.com;
# root /var/www/default;
if ($ssl_protocol = "") {
return 301 https://$server_name$request_uri;
}
location /rspamd/ {
proxy_pass http://localhost:11334/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Settings to adapt:
ssl_certificate
: Path to certificatessl_certificate_key
: Path to certificate keyserver_name
Activate site configuration, reload and start nginx
:
sudo ln -s /etc/nginx/sites-available/mail.zyfron.com /etc/nginx/sites-enabled/mail.zyfron.com
sudo nginx -t
sudo systemctl reload nginx
You should now be able to access the Rspamd web interface via https://mail.zyfron.com/rspamd/ . Then enter the password you chose during rspamd
configuration.
If your local machine is a Linux or MAC computer, enter the following command to bind the webinterface to your local TCP port 8080
:
ssh -L 8080:localhost:11334 benutzer@mail.zyfron.com -N
The web interface can then be browsed via http://localhost:8080. CTRL+C cancels the connection.
If you have mailboxes in Maildir-format with spam e-mails and normal e-mails, you can use them to train Rspamd on some real world examples. Copy those mailbox folders to your new server and execute commands like this:
Train e-mails in ./oldserver/var/srvmail/mailboxes/*/*/mail/Spam/cur
as spam:
find ./oldserver/var/srvmail/mailboxes/*/*/mail/Spam/cur -type f -exec /usr/bin/rspamc learn_spam {} \;
Train e-mails as “ham”:
find ./oldserver/var/srvmail/mailboxes/*/*/mail/cur -type f -exec /usr/bin/rspamc learn_ham {} \;
find ./oldserver/var/srvmail/mailboxes/*/*/mail/Sent/cur -type f -exec /usr/bin/rspamc learn_ham {} \;
Before the mailserver can be used reasonably, at least one domain and a corresponding user account must be existent. Fire up your mysql command shell one more time:
sudo mysql
change to the srvmail
database:
use srvmail;
New user accounts can only be created for already existing domains, so create a new data set for your primary domain:
insert into domains (domain) values ('zyfron.com');
Now that the corresponding domains exists, a new user account for this domain can be created. Create a new password hash shell via:
doveadm pw -s SHA512-CRYPT
A password hash looks similar to this:
{SHA512-CRYPT}$6$fzigcyORcWEpHdBQ$oK6.FpBs9aiylKOn.Zp6LRE/qAScbYHqTzaDORdlHOZVFxaG/OCqgMjrD51LWSzvxDDtd7ktvDIUCCmV73mdb0
Create a new user account based on this hash value:
insert into accounts (username, domain, password, quota, enabled, sendonly) values ('hello', 'zyfron.com', '{SHA512-CRYPT}$6$fzigcyORcWEpHdBQ$oK6.FpBs9aiylKOn.Zp6LRE/qAScbYHqTzaDORdlHOZVFxaG/OCqgMjrD51LWSzvxDDtd7ktvDIUCCmV73mdb0', 2048, true, false);
The value for the password field must now be replaced with the individual hash you’ve created before. In this example, an account for hello@zyfron.com
is created, with a storage quota of 2 GB, and the account is able to send and receive messages.
Creating an alias address for another address is pretty streight forward:
insert into aliases (source_username, source_domain, destination_username, destination_domain, enabled) values ('hallo', 'zyfron.com', 'hello', 'zyfron.com', true);
This would result in a re-direction of e-mails from hallo@zyfron.com to hello@zyfron.com.