=====Mail transfer agent=====
Wietse Venema's Postfix hasn't caused us a single bug or security issue in several years of usage, pretty impressive right!?
In order to fight spam the deployment of greylisting software (we chose postgrey) appeared very adequate. Tnx. to Arjen Baart for mentioning this!
====Pre-installation====
Configure your SMTP-server as a LDAP-client. The required configuration is [[hannibal:ldap-auth|described here]].
====Installation====
apt-get install postfix postfix-ldap postfix-doc sasl2-bin libsasl2-modules
====Configuration====
Your current configuration can be viewed by issuing
postconf -n
Postfix configuration files:
/etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
# ## optional:
#smtpd_tls_CAfile = /etc/ssl/private/CA_public-key.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
myhostname = smtp.intra.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = smtp.intra.example.com, localhost.intra.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 192.168.1.0/24
mailbox_size_limit = 0
mail_name = Postfix
recipient_delimiter = +
inet_interfaces = all
mailbox_transport = lmtp:192.168.1.15:2323
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
local_recipient_maps =
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_helo_access hash:/etc/postfix/whitelist,
reject_unauth_destination,
reject_rbl_client zen.spamhaus.org
# reject_rbl_client blackholes.mail-abuse.org
# reject_rbl_client relays.mail-abuse.org
virtual_alias_maps = proxy:ldap:PostfixUser
PostfixUser_server_host = ldap.intra.example.com
PostfixUser_server_port = 389
PostfixUser_search_base = dc=intra,dc=example,dc=com
PostfixUser_scope = sub
PostfixUser_version = 3
PostfixUser_query_filter = (mailacceptinggeneralid=%s)
PostfixUser_result_attribute = maildrop
best_mx_transport = local
ignore_mx_lookup_error = yes
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_authenticated_header = yes
Create your ow whitelist file /etc/postfix/whitelist with an editor. I can contain rules like:
192.168.8.8 ok
webmaster@example.com ok
Make a hashed db file from the ascii file:
postmap /etc/postfix/whitelist
/etc/postfix/master.cf
smtp inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
amavis unix - - n - 5 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
The older SSL wrapper-mode, which operated on port 465, is deprecated. If you really need it, add these lines to /etc/postfix/master.cf:
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
Postfix uses SASL for authenticated SMTP.
Modify /etc/postfix/sasl/smtpd.conf like so:
pwcheck_method: saslauthd
mech_list: plain login
Set proper permissions on the postfix/saslauthd environment:
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
Add the Postfix user to the sasl group. This is required for authenticated SMTP.
adduser postfix sasl
Restart Postfix:
/etc/init.d/postfix restart
(and _please_ don't do that all the time as for most changes to /etc/postfix/main.cf and the postfix lookup tables /etc/init.d/postfix reload will do!)
You can direct SASL to make use of pam. Another option is to direct SASL itself to connect to LDAP.
===SASL to pam===
Requirements:
* ldap-authentication
Advantage (over sasl to ldap):
* auth-smtp (with group membership)
/etc/default/saslauthd
START=yes
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
/etc/pam.d/smtp
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so use_authtok
session required /lib/security/pam_ldap.so
Restart the saslauthd:
/etc/init.d/saslauthd restart
If you want to limit authenticated smtp usage to members of a certain group you might use the pam-module 'pam_succeed_if'.
Insert a line in the file /etc/pam.d/smtp just above the existing line that starts with 'account':
...
account required pam_succeed_if.so user ingroup asmtp
...
===SASL to LDAP===
/etc/default/saslauthd
START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Create the configuration file /etc/saslauthd.conf
ldap_servers: ldap://ldap1.intra.example.com ldap://ldap2.intra.example.com
ldap_search_base: dc=intra,dc=example,dc=com
ldap_start_tls: yes
Restart the saslauthd:
/etc/init.d/saslauthd restart
===Spam control===
==Postgrey configuration==
Install the software with
apt-get install postgrey
Configure it in the file: /etc/defaults/postgrey. The defaults are normally OK, but have to match with for example the host/port combination in the postfix/main.cf file.
Site specific whitelisting can be placed in two files. Place for example trusted neighbours in the file /etc/postgrey/whitelist_clients.local like this:
1.2.3.4
5.6.7.8
neighbours.isp.example.com
Or extra e-mail adresses in the file /etc/postgrey/whitelist_recipients.local like this:
my.1stspecialadres@my.example.com
my.2ndspecialadres@my.example.com
Edit /etc/postfix/main.cf and add in the smtpd_recipient_restrictions paragraph an extra 'check_policy_service' line to let postfix connect to the postgrey daemon. Like this:
...
smtpd_recipient_restrictions =
...
check_policy_service inet:127.0.0.1:60000
...
===Virus control===
==Spamassassin configuration==
Apart from the Postgrey greylisting filter we use Spamassassin to fight spam. Clamav is open source anti-virus software.
The mailrouting to both filters is streamlined by Amavisd-new.
Install the software
apt-get install amavisd-new spamassassin clamav clamav-freshclam clamav-docs clamav-testfiles clamav-daemon
Configuration
Make sure that spamd is allowed to start.
edit /etc/default/spamassassin
...
# Change to one to enable spamd
ENABLED=1
...
Customize the files in /etc/amavis/conf.d
By default virus and spam checks are disabled in Amavisd-new 2.4.2. Re-enable them in the file /etc/amavis/conf.d/15-content_filter_mode
use strict;
# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1; # insure a defined return
Reload amavisd
/etc/init.d/amavis reload
/etc/clamav/clamd.conf
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
User clamav
AllowSupplementaryGroups true
ScanMail true
ScanArchive true
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ArchiveMaxCompressionRatio 250
ArchiveLimitMemoryUsage false
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
StreamMaxLength 10M
LogSyslog false
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
TemporaryDirectory /tmp
SelfCheck 3600
Foreground false
Debug false
ScanPE true
ScanOLE2 true
ScanHTML true
DetectBrokenExecutables false
MailFollowURLs false
ArchiveBlockMax false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
NodalCoreAcceleration false
IdleTimeout 30
MailMaxRecursion 64
PhishingSignatures true
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Also have a look at freshclam.conf:
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav/
DNSDatabaseInfo current.cvd.clamav.net
AllowSupplementaryGroups false
PidFile /var/run/clamav/freshclam.pid
ConnectTimeout 30
ReceiveTimeout 30
ScriptedUpdates yes
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
If necessary, restart clamav
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart
====Statistics and reporting====
Business intelligence of the e-mail usage.
A daily summary of usage statistics in an e-mail report:
apt-get install pflogsumm
RRDTool graphs of all sent and received messages by the MTA. This requires a webserver:
apt-get install mailgraph