The Tube

Mail gateway with Postfix and Amavis on Ubuntu Server 6.06 LTS

Introduction

This crash tutorial shows you how to set up a mail gateway (Postfix, ClamAV, Amavisd-new, SpamAssassin, OCR) on Ubuntu Server 6.06 LTS. The tutorial was tested with Ubuntu Server 6.06 LTS on a Dell PowerEdge 750.
If you have questions or suggestions, you can email me at any time (tutorial@thetube.ch).

1. What you need:

2. Scenario:

(Internet)=====¦Firewall¦=====[Mailgateway]=====¦Firewall¦=====[Exchange 2003]
212.203.x.x 212.203.x.y 192.168.0.x
mail.example.ch gateway.example.ch


2. Preparation:

Install the applications; the easiest way is with apt-get or aptitude
# aptitude

The following applications must be installed:

3. Postfix:

Postfix has two configuration files:
main.cf and master.cf (in /etc/postfix). Many configuration examples can be found on the web, but most of them should be used with caution (especially configurations with "smtpd_proxy_filter"). Our configuration is used on a mail gateway that processes about 50,000 mails per day. The configuration uses the "after-queue" method (http://www.postfix.org/CONTENT_INSPECTION_README.html).

master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
amavisfeed      unix    -       -       n       -       9       lmtp
        -o lmtp_data_done_timeout=1200
        -o lmtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20


smtp    inet    n       -       n       -       -       smtpd
        -o content_filter=amavisfeed:[127.0.0.1]:10024
        -o receive_override_options=no_address_mappings


# Receive from amavisd on port 10025
127.0.0.1:10025 inet    n       -       n       -       -       smtpd
        -o content_filter=
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o receive_override_options=no_unknown_recipient_checks



tlsmgr    unix  -       -       n       300     1       tlsmgr
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
# maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
# uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
# ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
# bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
# scalemail-backend unix        -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
# mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}

main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix

mail_owner = postfix

myhostname = mail.example.ch
mydomain = example.ch
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 212.203.x.x, 212.203.x.y, 127.0.0.0/8
relay_domains = hash:/etc/postfix/relay_domains

# Only for tt!!!!
recipient_canonical_maps = hash:/etc/postfix/rewrite
#


biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 120000000
message_size_limit = 15240000

smtpd_banner = $myhostname ESMTP Mailer

transport_maps = hash:/etc/postfix/transport
local_transport = local

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient

notify_classes = protocol,resource,software

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
html_directory = no

broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

# content_filter=amavisfeed:[127.0.0.1]:10024
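
The after-queue wiring in master.cf can be reviewed mechanically. The following shell/awk check is an added example, not part of the original tutorial: the sample excerpt is constructed from the listing above, the finding names are made up for illustration, and it assumes main.cf sets no global content_filter (it is commented out above).

```shell
#!/bin/sh
# Added example (not from the tutorial): review a master.cf for the
# after-queue wiring. Assumes main.cf sets no global content_filter.

# Constructed excerpt modelled on the master.cf listing above.
SAMPLE_MASTER_CF='amavisfeed unix - - n - 9 lmtp
        -o lmtp_send_xforward_command=yes
smtp    inet    n       -       n       -       -       smtpd
        -o content_filter=amavisfeed:[127.0.0.1]:10024
127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
smtps   inet  n - n - - smtpd -o smtpd_tls_wrappermode=yes
tlsmgr  unix  - - n 300   1 tlsmgr
tlsmgr  unix  - - - 1000? 1 tlsmgr
smtp    unix  - - - - - smtp
'

# Reads master.cf on stdin and prints one finding per line.
lint_master_cf() {
    awk '
    function check(   n, f, i, key, cf, has_cf, rr) {
        if (entry == "") return
        n = split(entry, f, " ")
        key = f[1] "/" f[2]                      # service name + type
        if (key in seen) print "DUPLICATE " key
        seen[key] = 1
        has_cf = 0; cf = ""; rr = ""
        for (i = 9; i <= n; i++) {               # fields 9.. are command args
            if (f[i] ~ /^content_filter=/) { has_cf = 1; cf = substr(f[i], 16) }
            if (f[i] ~ /^smtpd_recipient_restrictions=/) rr = f[i]
        }
        if (f[2] == "inet" && f[8] == "smtpd") {
            if (!has_cf) {
                print "UNFILTERED " f[1]         # never handed to the filter
            } else if (cf != "") {
                filtered++                       # listener feeds the filter
            } else {
                reinject++                       # empty override: re-injection
                if (f[1] !~ /^(127\.0\.0\.1|localhost|\[::1\]):/)
                    print "REINJECT_NOT_LOOPBACK " f[1]
                if (rr !~ /[=,]reject$/)
                    print "REINJECT_OPEN " f[1]
            }
        }
        entry = ""
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    /^[ \t]/       { entry = entry " " $0; next } # continuation line
                   { check(); entry = $0 }
    END {
        check()
        if (filtered > 0 && reinject == 0) print "NO_REINJECT_LISTENER"
    }'
}

printf '%s' "$SAMPLE_MASTER_CF" | lint_master_cf
```

Run against the full master.cf above, the same logic reports the smtps and 587 listeners as UNFILTERED (mail accepted there is not handed to amavisd) and the second tlsmgr line as DUPLICATE.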

Next we edit the file relay_domains in /etc/postfix
example.ch OK
mail.example.ch OK

And turn it into a lookup table:
# postmap /etc/postfix/relay_domains


Then the file transport in /etc/postfix
example.ch smtp:[gateway.example.ch]
.example.ch smtp:[gateway.example.ch]

And turn it into a lookup table:
# postmap /etc/postfix/transport

4. Setting up Amavisd-new:

On Ubuntu, the Amavis configuration files are located in /etc/amavis/conf.d; for the sake of clarity, the configuration is split across several files instead of a single one.
Edit the file 15-av_scanners and activate ClamAV by removing the comment markers from its entries:
use strict;

##
## AV Scanners (Debian version)
##

@av_scanners = (
 ### http://www.clamav.net/
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
1;  # insure a defined return


Edit the file 60-mta_settings.
use strict;

$MYHOME = '/var/lib/amavis';   # (default is '/var/amavis')
$mydomain = 'example.ch';      # (no useful default)
$myhostname = 'mail.example.ch';  # fqdn of this host, default by uname(3)
$daemon_user  = 'amavis';   # (no default;  customary: vscan or amavis)
$daemon_group = 'amavis';   # (no default;  customary: vscan or amavis or sweep)
$TEMPBASE = "$MYHOME/tmp";     # prefer to keep home dir /var/amavis clean?
$db_home = "$MYHOME/db";        # DB databases directory, default "$MYHOME/db"
$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$forward_method = 'smtp:[127.0.0.1]:10025';  # where to forward checked mail
$notify_method = $forward_method;            # where to submit notifications
$max_servers  =  10;   # number of pre-forked children          (default 2)
$max_requests = 20;   # retire a child after that many accepts (default 10)
$child_timeout=5*60;  # abort child if it does not complete each task in
                      # approximately n sec (default: 8*60 seconds)
@local_domains_maps = ( [".$mydomain"] );  # $mydomain and its subdomains
1;  # insure a defined return

File 62-mta_specific
use strict;
                                  # (does not apply to sendmail/milter)
                                  # (default is true)
$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
                                  # (default is undef, i.e. disabled)
                                  # (usual setting is $MYHOME/amavisd.sock)
$inet_socket_port = 10024;        # accept SMTP on this local TCP port
                                  # (default is undef, i.e. disabled)
$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
                                  # (default is '127.0.0.1')
                                  # (default is qw(127.0.0.1 [::1]) )
1;  # insure a defined return

File 66-notifications_quarantine
use strict;

$final_virus_destiny      = D_BOUNCE;  # (defaults to D_DISCARD)
$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_BOUNCE;  # (defaults to D_BOUNCE)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

@viruses_that_fake_sender_maps = (new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc
  [qr/^/ => 1],   # true by default  (remove or comment-out if undesired)
));

$virus_admin = 'benny@example.ch';

$mailfrom_notify_admin     = "virusalert\@$mydomain";
$mailfrom_notify_recip     = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";

$mailfrom_to_quarantine = '';   # override sender address with null return path

$QUARANTINEDIR = '/var/lib/amavis/virusmails';

$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine

$banned_quarantine_to     = 'banned-quarantine';     # local quarantine
$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
$spam_quarantine_to       = 'spam-quarantine';       # local quarantine

$X_HEADER_TAG = 'X-Virus-Scanned';      # (default: 'X-Virus-Scanned')

$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it

$defang_virus  = 1;  # default is false: don't modify mail body
$defang_banned = 1;  # default is false: don't modify mail body

$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
                                        # (defaults to false)
$remove_existing_spam_headers  = 1;     # remove existing spam headers if
                                        # spam scanning is enabled (default)

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

$banned_filename_re = new_RE(
  # block certain double extensions anywhere in the base name
  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
 qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
  qr'^\.(exe-ms)$',                       # banned file(1) types
);

$banned_namepath_re = new_RE(
  # block these MIME types
  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,
  qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
  qr'(?#NO HTA)            ^(.*\t)? M=application/hta            (\t.*)? $'xmi,
  # within traditional Unix archives allow any name and type
  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow
  # block certain double extensions in filenames
  qr'(?# BLOCK DOUBLE-EXTENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.
                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,
  # banned filename extensions (in declared names) anywhere - basic
  qr'(?# BLOCK COMMON NAME EXENSIONS )
     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,
  [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
       ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi
    => 'DISCARD' ],
  qr'(?# BLOCK Microsoft EXECUTABLES )
     ^ (.*\t)? T=exe-ms (\t.*)? $'xm,              # banned file(1) type

);

  $banned_namepath_re = undef;  # to disable new-style
  
1;  # insure a defined return

File 72-external_programs_virusscanner
use strict;

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

$file   = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability
$dspam  = 'dspam';

@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_gunzip],
  ['gz',   \&do_uncompress,  'gzip -d'],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_tar],
  ['deb',  \&do_ar,          'ar'],
  ['zip',  \&do_unzip],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,         'zoo'],
  ['lha',  \&do_lha,         'lha'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);

$sa_local_tests_only = 0;   # (default: false)

$sa_timeout = 60;

$sa_auto_whitelist = 1;    # turn on AWL in SA 2.63 or older (irrelevant
                            # for SA 3.0, its cf option is use_auto_whitelist)

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
                            # (less than 1% of spam is > 64k)
                            # default: undef, no limitations

$sa_tag_level_deflt  = -999; # add spam info headers if at, or above that level;
                            # undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 5;# add 'spam detected' headers at that level to
                            # passed mail (e.g. when $final_spam_destiny=D_PASS
                            # or for spam_lovers or when below kill_level)
$sa_kill_level_deflt = 7.31; # triggers spam evasive actions
                            # at or above that level: bounce/reject/drop,
                            # quarantine, and adding mail address extension
$sa_dsn_cutoff_level = 9;   # spam level beyond which a DSN is not sent,
                            # effectively turning D_BOUNCE into D_DISCARD;
                            # undef disables this feature and is a default;

$sa_spam_subject_tag = '***SPAM*** ';   # (defaults to undef, disabled)
                             # (only seen when spam is passed and recipient is
                             # in local_domains*)

@av_scanners = (
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
1;  # insure a defined return

The remaining configuration files can be adjusted as needed (e.g. 68-white_and_blacklisting).

5. ClamAV (antivirus):

The ClamAV configuration files (/etc/clamav) can be used 1:1.
clamd.conf:
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket
User amavis
AllowSupplementaryGroups
ScanMail
ScanArchive
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ArchiveMaxCompressionRatio 250
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogFile /var/log/clamav/clamav.log
LogTime
LogFileMaxSize 0
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
ScanOLE2
ScanPE
DetectBrokenExecutables
ScanHTML
#ArchiveBlockMax

freshclam.conf:
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogFileMaxSize 0
MaxAttempts 5
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
DatabaseDirectory /var/lib/clamav/
NotifyClamd
DNSDatabaseInfo current.cvd.clamav.net

6. SpamAssassin:

Adjust the config file local.cf in /etc/mail/spamassassin
report_safe 0

use_bayes 1
bayes_path /var/lib/amavis/.spamassassin/bayes

skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1

dns_available yes

header LOCAL_RCVD Received =~/.*\S+\.doamin\.com\s+\[.*\]\)/
describe LOCAL_RCVD Received from local machine
score LOCAL_RCVD -50

dcc_home /var/lib/dcc

score DCC_CHECK 4.000
score SPF_FAIL 1.142
score SPF_HELO_FAIL 1.142
score RAZOR2_CHECK 2.500
score BAYES_99 4.300
score BAYES_95 3.500
score BAYES_80 3.000

Now the file v310.pre is adjusted (for our plugins)
loadplugin Mail::SpamAssassin::Plugin::DCC

loadplugin Mail::SpamAssassin::Plugin::Pyzor

loadplugin Mail::SpamAssassin::Plugin::Razor2

loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags

loadplugin ocrtext /etc/mail/spamassassin/ocrtext.pm
loadplugin Mail::SpamAssassin::Timeout

7. Razor-Agents:

TCP port 2703 must be open for Razor.
To use the Razor network you have to register
# razor-admin -home=/etc/razor -d -create
# razor-admin -home=/etc/razor -d -register -user=mymail@example.ch


8. DCC:

UDP port 6277 must be open for DCC.

9. Pyzor:

TCP/UDP port 24441 must be open for Pyzor.

10. OCRText:

First, OCRText is downloaded and patched
# wget http://antispam.imp.ch/patches/patch-ocrtext
--11:12:09--  http://antispam.imp.ch/patches/patch-ocrtext
           => `patch-ocrtext'
Resolving antispam.imp.ch... 157.161.9.64
Connecting to antispam.imp.ch|157.161.9.64|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 48,507 (47K) [text/plain]

100%[====================================>] 48,507       200.76K/s

11:12:10 (200.39 KB/s) - `patch-ocrtext' saved [48507/48507]

# patch < patch-ocrtext
patching file ocrtext.cf
patching file ocrtext.pm

Copy the two files ocrtext.cf and ocrtext.pm to /etc/mail/spamassassin
# cp ./ocrtext.* /etc/mail/spamassassin

11. Start everything:

Amavis
# /etc/init.d/amavis start

ClamAV
# /etc/init.d/clamav-daemon start
# /etc/init.d/clamav-freshclam start

Postfix
# /etc/init.d/postfix start

DCC
# /etc/init.d/dcc-client start

12. Testing:

We check whether the Postfix process is running:
# ps ax | grep postfix
 3890 ?        Ss    10:50 /usr/lib/postfix/master
 1825 pts/2    S+     0:00 grep postfix

Then we telnet to port 25
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.ch ESMTP Mailer
EHLO thetube.ch
250-mail.example.ch
250-PIPELINING
250-SIZE 15240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
#

As with the Postfix process, we check whether Amavis has started:
# ps ax | grep amavisd
 3620 ?        Ss     0:57 amavisd (master)
 1862 ?        S      0:05 amavisd (ch1-01862-01-18-idle)
 1864 ?        S      0:01 amavisd (ch1-01864-01-4-idle)
 1869 ?        S      0:02 amavisd (ch1-01869-01-11-idle)
 1881 ?        S      0:04 amavisd (ch1-01881-01-16-idle)
 2023 ?        S      0:01 amavisd (ch1-02023-01-4-idle)
 2144 ?        S      0:01 amavisd (ch1-02144-01-5)
 2177 ?        S      0:01 amavisd (ch1-02177-01-4-idle)
 2203 ?        S      0:00 amavisd (virgin child)
 2439 ?        S      0:00 amavisd (virgin child)
 2455 ?        S      0:00 amavisd (virgin child)
 2467 pts/2    S+     0:00 grep amavisd

First the Amavis process (feed) is tested:
# telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
mail from:info@thetube.ch
250 2.1.0 Sender info@thetube.ch OK
rcpt to:test@example.ch
250 2.1.5 Recipient test@example.ch OK
data
354 End data with <CR><LF>.<CR><LF>
Na dann... ein test.

.

250 2.6.0 Ok, id=23281-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as 644B022C66A
quit
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Connection closed by foreign host.

The injection into Postfix is tested:
# telnet localhost 10025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.ch ESMTP Mailer
EHLO localhost
250-mail.example.ch
250-PIPELINING
250-SIZE 15240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250-XFORWARD NAME ADDR PROTO HELO SOURCE
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
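
The EHLO replies captured in these sessions can also be reviewed from a hardening point of view. The following check is an added example, not part of the original tutorial; the role argument and the finding names are hypothetical, and the sample is the port 25 reply shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial): review a captured pre-TLS EHLO reply.

# Constructed sample: the EHLO reply from the port 25 session above.
SAMPLE_EHLO_25='250-mail.example.ch
250-PIPELINING
250-SIZE 15240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME
'

# audit_ehlo ROLE   (ROLE is "public" or "reinject"); EHLO reply on stdin.
# Prints one finding per line, nothing if the reply looks as expected.
audit_ehlo() {
    awk -v role="$1" '
    /^250[- ]/ {
        line = substr($0, 5)                # drop "250-" / "250 "
        sub(/\r$/, "", line)                # tolerate CRLF captures
        n = split(line, w, " ")
        kw = toupper(w[1])
        if (kw == "AUTH") {                 # "AUTH=..." is a legacy duplicate
            for (i = 2; i <= n; i++)
                if (w[i] == "PLAIN" || w[i] == "LOGIN") clear = clear " " w[i]
        }
        if (kw == "VRFY")     vrfy = 1
        if (kw == "XFORWARD") xfwd = 1
        if (kw == "STARTTLS") tls  = 1
    }
    END {
        if (role == "public") {
            # Password mechanisms offered before STARTTLS was negotiated.
            if (clear != "") print "CLEARTEXT_AUTH_BEFORE_TLS" clear
            if (vrfy)        print "VRFY_ENABLED"
            if (xfwd)        print "XFORWARD_ON_PUBLIC_PORT"
            if (!tls)        print "NO_STARTTLS"
        }
        # amavisd needs XFORWARD on the re-injection port to pass on
        # the original client information.
        if (role == "reinject" && !xfwd) print "XFORWARD_MISSING"
    }'
}

printf '%s' "$SAMPLE_EHLO_25" | audit_ehlo public
```

The first two findings are addressed in main.cf with smtpd_tls_auth_only = yes and disable_vrfy_command = yes.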

It is best to open a console and watch the whole thing:
#  tail -f /var/log/mail.log

The SpamAssassin configuration can be checked as follows:
# spamassassin --lint -D

In general, the log files give you a lot of information.

99. Miscellaneous:

Report spam to the Razor network:
# razor-report -d -home=/etc/razor < ./message.id

