Einführung: Dieses Crash-Tutorial zeigt Dir, wie man ein Mailgateway (Sendmail, ClamAV, SpamAssassin, smtp-vilter) unter OpenBSD 3.8 einrichtet. Getestet wurde dieses Tutorial mit OpenBSD 3.8 und einem Dell PowerEdge 750.
Falls Du Fragen oder Anregungen hast, kannst Du mir jederzeit ein Mail schreiben (tutorial@thetube.ch).
(Internet)=====¦Firewall¦=====[Mailgateway]=====¦Firewall¦=====[Exchange 2003]
212.203.x.x 212.203.x.y 192.168.0.x
mail.example.ch gateway.example.ch
# mount /dev/cd0a /mnt # cd /usr # tar xzvf /mnt/ports.tar.gz
# cd /usr/ports/net/wget # make # make install
# cd /usr/share/sendmail/cf # cp openbsd-localhost.mc openbsd-example.mc
divert(-1)
#
# Copyright (c) 1998 Sendmail, Inc. All rights reserved.
# Copyright (c) 1983 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
# The Regents of the University of California. All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#
#
# openbsd-example.mc: derived from openbsd-localhost.mc, but unlike
# that template the DAEMON_OPTIONS below bind the MTA and MSA
# listeners to all addresses (0.0.0.0 and ::), so this host accepts
# connections from the net at large. Inbound mail is passed through
# the smtp-vilter milter before acceptance; relaying is governed by
# the access_db (and /etc/mail/relay-domains), routing by the
# mailertable.
#
divert(0)dnl
VERSIONID(`@(#)openbsd-localhost.mc $Revision: 1.4 $')
OSTYPE(openbsd)dnl
dnl smtp-vilter milter on a unix socket. F=T makes sendmail temp-fail
dnl the connection when the filter is unreachable instead of letting
dnl mail through unscanned (fail closed). T= sets the send (S),
dnl receive (R) and end-of-message (E) timeouts.
INPUT_MAIL_FILTER(`smtp-vilter', `S=unix:/var/smtp-vilter/smtp-vilter.sock, F=T, T=S:10m;R:10m;E:15m')dnl
FEATURE(`domaintable')
FEATURE(nouucp, `reject')dnl
dnl accept_unresolvable_domains stays disabled: envelope senders whose
dnl domain does not resolve are rejected.
# FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`no_default_msa')dnl
FEATURE(`mailertable')
FEATURE(`access_db')
dnl DNS blacklist check of the client address against dnsbl.sorbs.net;
dnl listed clients receive the 554 reply below.
FEATURE(dnsbl, `dnsbl.sorbs.net', `"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl
MAILER(local)dnl
MAILER(smtp)dnl
dnl Listeners: MTA on port 25 and MSA on port 587, both on every
dnl address of the host. NOTE(review): no AUTH mechanisms are
dnl configured in this file, so the MSA listener offers no
dnl authentication; whether it is reachable from outside depends on
dnl the packet filter in front of it.
DAEMON_OPTIONS(`Family=inet, address=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet6, address=::, Name=MTA6, M=O')dnl
DAEMON_OPTIONS(`Family=inet, address=0.0.0.0, Port=587, Name=MSA, M=E')dnl
DAEMON_OPTIONS(`Family=inet6, address=::, Port=587, Name=MSA6, M=O, M=E')dnl
CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
dnl
dnl Some broken nameservers will return SERVFAIL (a temporary failure)
dnl on T_AAAA (IPv6) lookups.
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
dnl
dnl Enforce valid Message-Id to help stop spammers.
dnl Only the form "<local@domain>" is accepted; any other Message-Id
dnl value is refused with a 553. Presumably a message that carries no
dnl Message-Id header at all is not caught by this header check at
dnl all (the H line only fires when the header is present) — confirm.
dnl NOTE(review): sendmail matches header names case-insensitively,
dnl so the odd capitalisation "HMEssage-Id" should be harmless, but
dnl the conventional spelling is "HMessage-Id".
dnl
LOCAL_RULESETS
HMEssage-Id: $>CheckMessageId
SCheckMessageId
R< $+ @ $+ > $@ OK
R$* $#error $: 553 Header Error
# m4 ../m4/cf.m4 openbsd-example.mc > openbsd-example.cf
# cp openbsd-example.cf /etc/mail/
# cd /etc/mail # vi access
# $OpenBSD: access,v 1.1 2003/09/23 21:37:11 millert Exp $
#
# sendmail(8) access database. Rebuild by running as root:
# makemap hash /etc/mail/access < /etc/mail/access
#
# See /usr/share/sendmail/README for a description of this file
# under the "access_db" feature.
#
# Relaying is permitted only for the gateway itself and for
# gateway.example.ch / 212.203.x.y, presumably the inner hop that the
# mailertable routes example.ch to (so outbound mail from the inside
# can leave through this host). Every other client gets the default:
# no relaying. Keep this list minimal — a RELAY entry for an address
# that is not fully trusted turns this gateway into an open relay.
Localhost RELAY
127.0.0.1 RELAY
gateway.example.ch RELAY
212.203.x.y RELAY
# makemap hash /etc/mail/access < /etc/mail/access
# vi mailertable
# $OpenBSD: mailertable,v 1.1 2003/09/23 21:37:11 millert Exp $
#
# The sendmail(8) mailer table is used to override routing for particular
# non-local hostnames and domains (i.e., names other than the local hostname
# or names listed in local-host-names).
#
# Rebuild by running as root:
# makemap hash /etc/mail/mailertable < /etc/mail/mailertable
#
# Each line is of the form "mailer:domain" (without the quotes)
# where "mailer" is the internal mailer name, and "domain" is
# where to send the message. See /usr/share/sendmail/README for
# more information.
#
# Mail for example.ch is handed to the inner host over SMTP. The
# square brackets tell sendmail to connect to gateway.example.ch as a
# host name directly instead of doing an MX lookup on it.
example.ch smtp:[gateway.example.ch]
# makemap hash /etc/mail/mailertable < /etc/mail/mailertable
# $OpenBSD: relay-domains,v 1.2 2003/12/23 21:17:04 miod Exp $
#
# List of other domains to relay mail for here (one per line).
# By default, sendmail(8) will not relay for foreign domains. If the mail
# is not destined for (or sent by) a user in the local domain the message
# will be rejected. Alternately, domains may be listed in /etc/mail/access
# with the RELAY attribute instead of being enumerated here.
#
# This file is read only at startup or when sendmail(8) is sent SIGHUP.
#
# Inbound mail addressed to example.ch is accepted for relaying; the
# mailertable decides where it is delivered. Only the domain this
# gateway fronts belongs here.
example.ch
# $OpenBSD: hosts,v 1.11 2002/09/26 23:35:51 krw Exp $
#
# Host Database
#
# RFC 1918 specifies that these networks are "internal".
# 10.0.0.0 10.255.255.255
# 172.16.0.0 172.31.255.255
# 192.168.0.0 192.168.255.255
#
# gateway.example.ch is pinned here so the mailertable target and the
# access_db RELAY entry resolve to the intended address even if DNS is
# unavailable or tampered with (subject to the lookup order in
# resolv.conf).
# NOTE(review): ::1 is mapped both to localhost and to mail.example.ch;
# the second mapping looks unintended — confirm.
::1 localhost.example.ch localhost
127.0.0.1 localhost.example.ch localhost
::1 mail.example.ch mail
212.203.x.x mail.example.ch mail
212.203.x.y gateway.example.ch
# kill -15 `head -1 /var/run/sendmail.pid` # sendmail -L sm-mta -C /etc/mail/openbsd-example.cf -bd -q30m
# $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Mail gateway ruleset: default-deny inbound on the external interface,
# with spamd placed in front of sendmail for known-bad sources.
ext_if="em0"
# Addresses spamd knows about; populated by spamd-setup(8) from the
# lists in spamd.conf.
table <spamd> persist
#table <spamd-white> persist
scrub all
# SMTP connections from addresses in <spamd> are redirected to spamd
# on localhost and never reach sendmail. The commented variant below
# would instead send every host not in <spamd-white> through spamd.
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
-> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
# -> 127.0.0.1 port spamd
# Default deny for everything inbound on the external interface,
# logged so rejected connection attempts show up in pflog.
block in log on $ext_if
pass out all keep state
# NOTE(review): antispoof is left disabled; enabling it would drop
# packets arriving on $ext_if with source addresses belonging to the
# host's own networks.
#antispoof quick for { lo $ext_if }
# Services exposed on the external address. NOTE(review): ssh and https
# are accepted from any source; restricting the source to admin
# networks would shrink the exposed surface. With this ruleset port
# 587 (sendmail's MSA listener) is not passed, so submission is not
# reachable from the outside.
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in on $ext_if proto tcp to ($ext_if) port https keep state
pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
pass in quick on lo0
pass out quick on lo0
# $OpenBSD: spamd.conf,v 1.16 2005/08/29 15:52:45 millert Exp $
#
# spamd config file, read by spamd-setup(8) for spamd(8)
#
# See spamd.conf(5)
#
# Configures whitelists and blacklists for spamd
#
# Strings follow getcap(3) convention escapes, other than you
# can have a bare colon (:) inside a quoted string and it
# will deal with it. See spamd-setup(8) for more details.
#
# "all" must be here, and defines the order in which lists are applied.
# Whitelists apply to the previous blacklist. More than one whitelist
# may be applied to each blacklist.
#
# As of November 2004, a place to search for black lists is
# http://spamlinks.net/filter-bl.htm
#
# Some of the URLs below point to www.openbsd.org locations. Those
# files are likely to be mirrored to other OpenBSD www mirrors located
# around the world. Hence, it is possible to edit this file and rewrite
# www.openbsd.org with, for instance, to www.de.openbsd.org
#
# Lists active on this gateway (stock set, no whitelist). Every list
# below is fetched over plain http (method=http), so the integrity of
# the <spamd> table rests on the mirror and the transport. NOTE(review):
# the china/korea entries block whole country address ranges, not
# individual spam sources, and a list that is no longer maintained
# blocks a stale snapshot — check each list is still current before
# relying on it.
all:\
:spews1:spews2:china:korea:spamhaus:
# Mirrored from http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2
spamhaus:\
:black:\
:msg="SPAM. Your address %A is in the Spamhaus Block List\n\
See http://www.spamhaus.org/sbl and\
http://www.abuse.net/sbl.phtml?IP=%A for more details":\
:method=http:\
:file=www.openbsd.org/spamd/SBL.cidr.gz:
# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
:black:\
:msg="SPAM. Your address %A is in the spews level 1 database\n\
See http://www.spews.org/ask.cgi?x=%A for more details":\
:method=http:\
:file=www.openbsd.org/spamd/spews_list_level1.txt.gz:
# Mirrored from http://www.spews.org/spews_list_level2.txt
spews2:\
:black:\
:msg="SPAM. Your address %A is in the spews level 2 database\n\
See http://www.spews.org/ask.cgi?x=%A for more details":\
:method=http:\
:file=www.openbsd.org/spamd/spews_list_level2.txt.gz:
# Mirrored from http://www.okean.com/chinacidr.txt
china:\
:black:\
:msg="SPAM. Your address %A appears to be from China\n\
See http://www.okean.com/asianspamblocks.html for more details":\
:method=http:\
:file=www.openbsd.org/spamd/chinacidr.txt.gz:
# Mirrored from http://www.okean.com/koreacidr.txt
korea:\
:black:\
:msg="SPAM. Your address %A appears to be from Korea\n\
See http://www.okean.com/asianspamblocks.html for more details":\
:method=http:\
:file=www.openbsd.org/spamd/koreacidr.txt.gz:
# /usr/libexec/spamd
# /usr/libexec/spamd-setup
# cd /usr/ports/security/clamav # make # make install
# cd /var/db/clamav # chown 701 /var/db/clamav # wget http://db.local.clamav.net/main.cvd # wget http://db.local.clamav.net/daily.cvd # chown _vilter._vilter * # chmod 701 /var/clamav
# cd /usr/ports/mail/p5-Mail-SpamAssassin # make # make install
###########################################################################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
# Score at or above which a message is classified as spam
required_hits 5
# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# NOTE(review): the Bayes database is kept under /var/log, an unusual
# place for mutable state; it must be writable by the user spamd runs
# as (_vilter, per the rc flags) and must not be touched by log rotation
# — confirm both.
bayes_path /var/log/.spamassassin/bayes
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 0
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_languages all
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales all
# NOTE(review): whitelist_from keys on sender headers that anyone can
# forge, so spam claiming an @example.ch sender bypasses scoring on
# this inbound gateway; SpamAssassin's own documentation recommends
# whitelist_from_rcvd for that reason. Also confirm whether the
# surrounding quotes become part of the pattern as SpamAssassin parses
# it.
whitelist_from "*@example.ch"
# cd /usr/ports/mail/razor-agents # make # make install
# razor-admin -home=/etc/razor -d -create # razor-admin -home=/etc/razor -d -register -user=mymail@example.ch
# cd ~ # wget http://www.rhyolite.com/anti-spam/dcc/source/dcc-1.3.20.tar.Z # tar -xzvf dcc-1.3.20.tar.Z # cd dcc-1.3.20 # ./configure # make # make install
# cd /usr/ports/mail/smtp-vilter # make # make install
# mkdir smtp-vilter # chown _vilter.wheel ./smtp-vilter # cd smtp-vilter # mkdir etc # chown _vilter._vilter ./etc # cp /etc/hosts ./ # chown _vilter._vilter hosts # mkdir smtp-vilter # chown _vilter._vilter ./ # cd smtp-vilter # cp /etc/smtp-vilter/attachment-notification ./ # cp /etc/smtp-vilter/recipient-notification ./ # chown _vilter._vilter ./* # cd ../.. # mkdir tmp # chown _vilter._vilter ./tmp
# /usr/local/bin/spamd -u _vilter -d /var/log/spamd.log
# /usr/local/sbin/clamd
# /usr/local/sbin/smtp-vilter
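# Daemon flags in the rc.conf.local style: set a variable to "NO" to
# skip starting that daemon, otherwise its value is passed as the
# command line. spamd is started as _vilter and logs to
# /var/log/spamd.log; clamd and smtp-vilter take their settings from
# their own configuration files (not shown here), so check there which
# user each of them runs as.
smtpvilter_flags=""
spamassassin_flags="-u _vilter -d /var/log/spamd.log"
clamav_flags=""
mailgraph_flags="-l /var/log/maillog -d --daemon-rrd /var/lib/ --ignore-localhost"

# The original test read the never-assigned ${vilter_flags}, so setting
# smtpvilter_flags="NO" could not disable the milter and its flags
# were never passed; test and invocation now use the variable that is
# actually assigned above.
if [ X"${smtpvilter_flags}" != X"NO" ]; then
	echo -n ' smtp-vilter'; /usr/local/sbin/smtp-vilter ${smtpvilter_flags}
fi
# NOTE(review): the back-end filters are started after smtp-vilter;
# with F=T in the sendmail milter definition, mail arriving before they
# are up is temp-failed rather than passed unscanned — confirm
# smtp-vilter retries its back-end connections.
if [ X"${spamassassin_flags}" != X"NO" ]; then
	echo -n ' spamassassin'; /usr/local/bin/spamd ${spamassassin_flags}
fi
if [ X"${clamav_flags}" != X"NO" ]; then
	echo -n ' ClamAV'; /usr/local/sbin/clamd ${clamav_flags}
fi
if [ X"${mailgraph_flags}" != X"NO" ]; then
	echo -n ' mailgraph'; /usr/local/bin/mailgraph.pl ${mailgraph_flags}
fi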
# /usr/local/bin/freshclam
# razor-report -d -home=/etc/razor < ./message.id