Computing Service
Mail Support

An overview of the

central email services

Techlinks seminar

21 February 2007

Tony Finch <>

Mail Support

University of Cambridge Computing Service


Cyrus message store

Cyrus message store

Currently 40TB raw storage on 20+ servers

Space for up to 6TB of email + RAID + replication

We can recover deleted email if asked within a few days

Rolling replacement & expansion plan

The storage overhead is due to RAID on each of the servers, plus paired replicated servers, plus a backup server. In the event of a live server failing we can switch over to its hot spare with little down-time. For example, at the start of the Michaelmas term we lost power to all the live Cyrus machines at once. We switched over to the hot spares so that service could continue while we checked the downed machines for signs of damage.

The oldest machines have been in use since summer 2003, and are soon to be replaced.



Storage quota default 250MB, upgradable to 1GB

Users are sent warning messages when near the limit

Maximum mailbox size 250MB (policy under review)

Message size limit 25MB = 18MB attachment plus overhead

We are planning to increase quotas from year to year. There was a stall last year owing to compatibility problems with the RAID controllers on the newest computers.

Users with larger-than-normal quotas can fall foul of the system-wide mailbox size limit, and unfortunately (unlike the overall quota) we provide little feedback about when they are at risk of this happening. We intend to fix this or possibly remove the limit entirely. (It was crucial for performance on the old (pre-2004) Hermes system but is less of an issue now.)

Useful links:


IMAP is better than POP

Supports multiple clients
e.g. work, home
yes no
Co-operates with webmail yes no
Suitable for shared accounts yes no
"Push" new mail notification yes no
Server-side backups of old email yes no
Recover from accidental deletions yes maybe
Easy to delete all email less more

POP fails to support multiple clients both because it is designed to delete email from the server (making it inaccessible to other clients) and because it does not allow concurrent access - your account is locked to other clients (including webmail) while you are using POP.

The "keep mail on server" setting for POP is a hack that is not necessary for servers that support IMAP. If users get their POP settings wrong when setting up a new computer they can accidentally lose all their email.

Our stats indicate we have about half as many POP users as we did last year, probably as a result of the reconfiguration for mandatory secure access to Hermes. I haven't counted, but there do seem to be fewer problem reports of email lost because of POP.

A caveat about "push" notifications: this depends on client support.

Correct email software settings:

Any Q's?


Sending via

Strongly prefer for email sent from MUAs

You can use any email address, e.g. department/college
"friendly name" address, role address, personal address

Good MUAs support multiple roles/personalities/accounts
so you can switch between email addresses

You should be able to send email anywhere
using the recommended settings

Almost all use of is now securely authenticated - fewer than 50 people remain to be fixed.

The reason for preferring that people use is future improvements. Anti-spam and anti-forgery mechanisms are much easier to implement for authenticated email. We may wish to tighten access to ppsw in the future, and this will be less painful if things are configured correctly in the first place.

Roaming use is subject to firewall restrictions on foreign networks. Ports 587 and 465 are most likely to work.

Configuration advice for sending email:

Sending via

Mostly for email from servers:
dept/college mail servers
multi-user machines
forms on web sites
Unix cron jobs

last resort for those who can't use their home SMTP server

Users without Hermes accounts should send email via their home SMTP server, just as Hermes users should send email via

ppsw is generally not recommended for use by MUAs


Many are sent to alumni...

Mailshots and bulk email

Preferably send via
Alternatively use
Please do not use

Please send large mailshots (more than a few hundred)
using BCC or outside working hours (19:00 - 07:00).

Large mailshots cause spikes in load which can take a while for the virus scanners to digest, which may delay other email.

We prefer people to use since it uses BCC to reduce load on ppswitch.

rate limiting

Last year we were planning to introduce rate limiting of outgoing email. This turned out to be more difficult than expected, since we need to develop a quarantining system to avoid causing problems for the bad SMTP implementations in many MUAs. This project is still stalled, though we are continuing to monitor sending rates without intervention.

Any Q's?


Types of address

fanf2@hermes - individual accounts
confide@hermes - shared accounts

fanf2@cam - forwarding set up on Jackdaw

fanf2@cus - CUS is to be shut down

fanf2@ucs - Managed Mail Domains

cup, eng, etc. - non-CS domains

Shared accounts on Hermes do not have an equivalent @cam address.

Many @cam addresses do not redirect to Hermes accounts, e.g. users @admin or @mole.

Hermes redirections changed via webmail -> manage -> redirect.

CUS is to be shut down. @cus email addresses will be transferred to a managed mail domain. The 2hermes tool on CUS helps with transferring email to Hermes.

@cam redirections changed via

Managed Mail Domains - - -

Tony.Finch@ucs : fanf2@hermes
confidential@ucs : confide@hermes
unix-support@ucs : cs-unix-support@lists
mail-support@ucs : dpc22@hermes, fanf2@hermes

Works well with Managed Web Service
and Managed Zone Service (DNS)

We will set up managed mail domain for any University-related domain.

Related services linked from

Other services

MX service for incoming email (primary & backup)

Long-form domains (e.g. quns / queens)

Email server configuration advice

Most department and college email servers receive email through our MX service to benefit from our anti-spam and anti-virus filtering, about which more later. We can also provide a backup MX for departments that run their own primary MX.

Long form domains work with managed mail domains and department-hosted domains.

Mailing lists

Only a few comments about mailman since proper coverage would require a whole talk of its own.

To move a list from the old system to Mailman, go to

Local customizations

Raven authentication

"Posting status" similar to old lists system

Knows how Managed Mail Domain aliases map to CRSIDs

The "posting status" feature is derived from standard Mailman features so

Mailman is mostly self-documenting, though there is a fairly bewildering variety of options. You can usually find the option you want after some browsing through the various pages.

This screen is under "Privacy options" -> "Spam filters"

Any Q's?

Spam and virus filtering

Junk vs legitimate email

A common support question at the moment is why people are receiving spam aparrently "To:" someone else. Spammers are sending a lot of email BCCed to 10-20 people with email addresses close to each other in the alphabet, but with only the first address in the message header.


All email is scanned for viruses with McAfee and ClamAV

External email is subject to anti-spam tests

DNS blacklists: MAPS RBL+ (40%) & Spamhaus ZEN (25%)

Some local checks, e.g. address verification (10%)

SpamAssassin scans the rest (5% scores > 5)

Remaining 20% about equally internal and external

The percentages are relative to all email.

If you reduce your SpamAssassin threshold below 5 you should expect legitimate email to be mis-classified.

Spamhaus ZEN


Any last Q's?

Tony Finch <>
21 Feb 2007: Central email services overview