Wietse Venema's Postfix hasn't caused us a single bug or security issue in several years of usage, pretty impressive right!?
In order to fight spam the deployment of greylisting software (we chose postgrey) appeared very adequate. Tnx. to Arjen Baart for mentioning this!
Configure your SMTP-server as a LDAP-client. The required configuration is described here.
apt-get install postfix postfix-ldap postfix-doc sasl2-bin libsasl2-modules
Your current configuration can be viewed by issuing
postconf -n
Postfix configuration files:
/etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
# ## optional:
#smtpd_tls_CAfile = /etc/ssl/private/CA_public-key.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
myhostname = smtp.intra.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = smtp.intra.example.com, localhost.intra.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 192.168.1.0/24
mailbox_size_limit = 0
mail_name = Postfix
recipient_delimiter = +
inet_interfaces = all
mailbox_transport = lmtp:192.168.1.15:2323
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
local_recipient_maps =
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_helo_access hash:/etc/postfix/whitelist,
reject_unauth_destination,
reject_rbl_client zen.spamhaus.org
# reject_rbl_client blackholes.mail-abuse.org
# reject_rbl_client relays.mail-abuse.org
virtual_alias_maps = proxy:ldap:PostfixUser
PostfixUser_server_host = ldap.intra.example.com
PostfixUser_server_port = 389
PostfixUser_search_base = dc=intra,dc=example,dc=com
PostfixUser_scope = sub
PostfixUser_version = 3
PostfixUser_query_filter = (mailacceptinggeneralid=%s)
PostfixUser_result_attribute = maildrop
best_mx_transport = local
ignore_mx_lookup_error = yes
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_authenticated_header = yes
Create your ow whitelist file /etc/postfix/whitelist with an editor. I can contain rules like:
192.168.8.8 ok webmaster@example.com ok
Make a hashed db file from the ascii file:
postmap /etc/postfix/whitelist
/etc/postfix/master.cf
smtp inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
amavis unix - - n - 5 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
The older SSL wrapper-mode, which operated on port 465, is deprecated. If you really need it, add these lines to /etc/postfix/master.cf:
smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Postfix uses SASL for authenticated SMTP. Modify /etc/postfix/sasl/smtpd.conf like so:
pwcheck_method: saslauthd mech_list: plain login
Set proper permissions on the postfix/saslauthd environment:
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
Add the Postfix user to the sasl group. This is required for authenticated SMTP.
adduser postfix sasl
Restart Postfix:
/etc/init.d/postfix restart
(and _please_ don't do that all the time as for most changes to /etc/postfix/main.cf and the postfix lookup tables /etc/init.d/postfix reload will do!)
You can direct SASL to make use of pam. Another option is to direct SASL itself to connect to LDAP.
Requirements:
Advantage (over sasl to ldap):
/etc/default/saslauthd
START=yes MECHANISMS="pam" MECH_OPTIONS="" THREADS=5 OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
/etc/pam.d/smtp
auth required /lib/security/pam_ldap.so account required /lib/security/pam_ldap.so password required /lib/security/pam_ldap.so use_authtok session required /lib/security/pam_ldap.so
Restart the saslauthd:
/etc/init.d/saslauthd restart
If you want to limit authenticated smtp usage to members of a certain group you might use the pam-module 'pam_succeed_if'. Insert a line in the file /etc/pam.d/smtp just above the existing line that starts with 'account':
... account required pam_succeed_if.so user ingroup asmtp ...
/etc/default/saslauthd
START=yes MECHANISMS="ldap" MECH_OPTIONS="" THREADS=5 OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Create the configuration file /etc/saslauthd.conf
ldap_servers: ldap://ldap1.intra.example.com ldap://ldap2.intra.example.com ldap_search_base: dc=intra,dc=example,dc=com ldap_start_tls: yes
Restart the saslauthd:
/etc/init.d/saslauthd restart
Install the software with
apt-get install postgrey
Configure it in the file: /etc/defaults/postgrey. The defaults are normally OK, but have to match with for example the host/port combination in the postfix/main.cf file.
Site specific whitelisting can be placed in two files. Place for example trusted neighbours in the file /etc/postgrey/whitelist_clients.local like this:
1.2.3.4 5.6.7.8 neighbours.isp.example.com
Or extra e-mail adresses in the file /etc/postgrey/whitelist_recipients.local like this:
my.1stspecialadres@my.example.com my.2ndspecialadres@my.example.com
Edit /etc/postfix/main.cf and add in the smtpd_recipient_restrictions paragraph an extra 'check_policy_service' line to let postfix connect to the postgrey daemon. Like this:
... smtpd_recipient_restrictions = ... check_policy_service inet:127.0.0.1:60000 ...
Apart from the Postgrey greylisting filter we use Spamassassin to fight spam. Clamav is open source anti-virus software.
The mailrouting to both filters is streamlined by Amavisd-new.
Install the software
apt-get install amavisd-new spamassassin clamav clamav-freshclam clamav-docs clamav-testfiles clamav-daemon
Configuration
Make sure that spamd is allowed to start.
edit /etc/default/spamassassin
... # Change to one to enable spamd ENABLED=1 ...
Customize the files in /etc/amavis/conf.d By default virus and spam checks are disabled in Amavisd-new 2.4.2. Re-enable them in the file /etc/amavis/conf.d/15-content_filter_mode
use strict; # You can modify this file to re-enable SPAM checking through spamassassin # and to re-enable antivirus checking. # # Default antivirus checking mode # Uncomment the two lines below to enable it back # @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); # # Default SPAM checking mode # Uncomment the two lines below to enable it back # @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); 1; # insure a defined return
Reload amavisd
/etc/init.d/amavis reload
/etc/clamav/clamd.conf
LocalSocket /var/run/clamav/clamd.ctl FixStaleSocket true User clamav AllowSupplementaryGroups true ScanMail true ScanArchive true ArchiveMaxRecursion 5 ArchiveMaxFiles 1000 ArchiveMaxFileSize 10M ArchiveMaxCompressionRatio 250 ArchiveLimitMemoryUsage false ArchiveBlockEncrypted false MaxDirectoryRecursion 15 FollowDirectorySymlinks false FollowFileSymlinks false ReadTimeout 180 MaxThreads 12 MaxConnectionQueueLength 15 StreamMaxLength 10M LogSyslog false LogFacility LOG_LOCAL6 LogClean false LogVerbose false PidFile /var/run/clamav/clamd.pid DatabaseDirectory /var/lib/clamav TemporaryDirectory /tmp SelfCheck 3600 Foreground false Debug false ScanPE true ScanOLE2 true ScanHTML true DetectBrokenExecutables false MailFollowURLs false ArchiveBlockMax false ExitOnOOM false LeaveTemporaryFiles false AlgorithmicDetection true ScanELF true NodalCoreAcceleration false IdleTimeout 30 MailMaxRecursion 64 PhishingSignatures true LogFile /var/log/clamav/clamav.log LogTime true LogFileUnlock false LogFileMaxSize 0
Also have a look at freshclam.conf:
DatabaseOwner clamav UpdateLogFile /var/log/clamav/freshclam.log LogVerbose false LogSyslog false LogFacility LOG_LOCAL6 LogFileMaxSize 0 Foreground false Debug false MaxAttempts 5 DatabaseDirectory /var/lib/clamav/ DNSDatabaseInfo current.cvd.clamav.net AllowSupplementaryGroups false PidFile /var/run/clamav/freshclam.pid ConnectTimeout 30 ReceiveTimeout 30 ScriptedUpdates yes NotifyClamd /etc/clamav/clamd.conf # Check for new database 24 times a day Checks 24 DatabaseMirror db.local.clamav.net DatabaseMirror database.clamav.net
If necessary, restart clamav
/etc/init.d/clamav-daemon restart /etc/init.d/clamav-freshclam restart
Business intelligence of the e-mail usage.
A daily summary of usage statistics in an e-mail report:
apt-get install pflogsumm
RRDTool graphs of all sent and received messages by the MTA. This requires a webserver:
apt-get install mailgraph