Gentoo Forums
HowTo Postfix Antispam Server
Forum: Deutsches Forum (German), Deutsche Dokumentation
gabelhonz
Apprentice
Joined: 30 Aug 2004
Posts: 222
Location: 10010100111110011

Posted: Mon Mar 03, 2008 4:17 pm    Post subject: HowTo Postfix Antispam Server

HowTo Postfix Antispam Server

In this HowTo the emphasis is on security, speed and simplicity.
We install Postfix as the MTA, Dovecot as the MDA, and use DSPAM for spam filtering.
I'm writing this HowTo because I couldn't find anything decent on the net: either the
configs were wrong or something was missing. The best solution for me was the software named above;
you can read up on the features yourselves:

http://www.postfix.org/
http://dspam.nuclearelephant.com/
http://www.dovecot.org/
http://sourceforge.net/projects/postfixadmin/
http://johannes.sipsolutions.net/Projects/dovecot-dspam-integration
http://www.spamhaus.org/zen/
http://dsbl.org/main

At the end of this HowTo you will have:

1. A Postfix MTA with UCE controls and DSBL
2. One of the best spam filters.
3. A very fast and secure IMAP server.
4. All of it SSL-encrypted, of course.
5. A web interface for your virtual users
6. A web interface for DSPAM, where every user can train their own spam filter and manage their quarantine.

Anyone who is completely sold on this and wants all of it can get started!
I assume that MySQL and Apache are already installed and that everyone is familiar with them.
I also won't explain every detail. Anyone who wants this solution and needs help with the configuration is in the right place.
You have to know yourself how the whole thing works and why you want it.


1. Latest packages and USE flags.

I always use the latest packages for my installation.
You can also take the stable Dovecot, though.
Also, the dovecot-dspam plugin currently only works with the stable Dovecot (1.0).
If you want that, take the stable Dovecot package. The plugin lets you train the filter
simply by moving a spam mail into the SPAM folder from your mail client.

GO:
Code:

echo "mail-mta/postfix" >> /etc/portage/package.keywords
echo "net-mail/dovecot" >> /etc/portage/package.keywords
echo "mail-filter/dspam" >> /etc/portage/package.keywords
echo "www-apps/dspam-web" >> /etc/portage/package.keywords

echo "mail-mta/postfix dovecot-sasl mysql" >> /etc/portage/package.use
echo "net-mail/dovecot mysql" >> /etc/portage/package.use
echo "mail-filter/dspam mysql syslog virtual-users" >> /etc/portage/package.use
# For the dspam-web dependencies I think you also need gif, png etc.


Code:

emerge postfix dovecot dspam dspam-web


Please check the USE flags if you want pop3 support and clamav!


2. Postfixadmin

We download Postfixadmin ourselves, since the Portage tree only has an old version.
Instructions and the corresponding configs are included in the package.
Just follow the instructions.

Before that, however, we need a MySQL user and password for the installation. Keep the database, user and password chosen here in sync with what is entered later in dovecot-sql.conf and the Apache vhost (the configs below use postfix as both database and user name).

Code:

mysql -p
create database postfixadmin;
grant all privileges on postfixadmin.* to user@localhost identified by 'password';
flush privileges;
exit


Then import MYSQL.TXT there with:
Code:
mysql postfixadmin < MYSQL.TXT -u user -ppassword
(Passing the password as -ppassword makes it visible in the process list and shell history; on a shared machine give only -p and answer the prompt instead.)

Next the configs have to be created; see the corresponding TXT file for that.


3. Postfix configs

Now we have to adjust the Postfix config files main.cf and master.cf.
Of course everyone has to adapt these to their own needs.
Here are my configs, though:

main.cf
Code:

# Global Postfix configuration file.

##Main things
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = FQDN
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.4.6-r2/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.4.6-r2/readme
home_mailbox = .maildir/

##Virtual things
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:207
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 207
virtual_transport = virtual
virtual_uid_maps = static:207

##TLS things
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/your.domain.de.key
smtpd_tls_cert_file = /etc/ssl/your.domain.de.crt
smtpd_tls_CAfile = /etc/ssl/your.domain.de.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

##Dovecot things (this is where Dovecot is integrated)
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_auth_enable = yes

##Some UCE things (UCE and DSBL)
smtpd_helo_required = yes
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination


Certificates have to be generated, of course, and the UIDs adjusted if necessary.
As I said, this is only my example.

Here is master.cf
Code:


#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=lmtp:unix:/var/run/dspam/dspam.sock
localhost:10026 inet  n -       n       -       -        smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
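
The following shell script is an added example and not part of the original post. It checks the two settings in the main.cf and master.cf above that keep this setup from becoming an open relay: that smtpd_recipient_restrictions still contains reject_unauth_destination, and that the DSPAM reinjection listener on port 10026 is bound to localhost and carries the permit_mynetworks,reject override. It runs against constructed sample snippets written to a temp directory; the helper names main_cf_get, check_no_open_relay and check_reinject_isolated are this example's own, not Postfix tools. Point the functions at /etc/postfix/main.cf and master.cf to run them on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the Postfix
# main.cf / master.cf shown above, run against constructed sample snippets.
# Helper names (main_cf_get, check_no_open_relay, check_reinject_isolated)
# are this example's own, not Postfix tools.

# Print the effective value of parameter $2 from the main.cf at $1.
# Understands comments, blank lines, continuation lines (leading whitespace
# extends the previous logical line) and Postfix's "a later setting wins".
main_cf_get() {
    awk -v key="$2" '
        function flush(    eq, k, v) {
            if (cur == "") return
            eq = index(cur, "=")
            if (eq > 0) {
                k = substr(cur, 1, eq - 1); gsub(/[ \t]/, "", k)
                v = substr(cur, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == key) val = v
            }
            cur = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                     # comment or blank
        /^[ \t]/ { sub(/^[ \t]+/, " "); cur = cur $0; next }  # continuation line
        { flush(); cur = $0 }
        END { flush(); print val }
    ' "$1"
}

# Return 0 when smtpd_recipient_restrictions in main.cf $1 contains
# reject_unauth_destination, the rule that refuses relaying for domains this
# Postfix is not responsible for; return 1 otherwise.
check_no_open_relay() {
    case " $(main_cf_get "$1" smtpd_recipient_restrictions | tr ',' ' ') " in
        *" reject_unauth_destination "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when master.cf $1 defines the reinjection smtpd for port $2 bound to
# localhost/127.0.0.1 (a bare port number listens on every interface) and
# overrides smtpd_recipient_restrictions with permit_mynetworks,reject, so only
# loopback clients can hand mail back after DSPAM; return 1 otherwise.
# Field 8 of a service line is the command, as in the master.cf header above.
check_reinject_isolated() {
    awk -v port="$2" '
        function svc_done() { if (insvc && restricted) ok = 1; insvc = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ {                                  # service definition line
            svc_done()
            if ($2 == "inet" && $8 == "smtpd" &&
                $1 ~ ("^(localhost|127\\.0\\.0\\.1):" port "$")) {
                insvc = 1; restricted = 0
            }
            next
        }
        insvc && /-o[ \t]+smtpd_recipient_restrictions=permit_mynetworks,reject[ \t]*$/ {
            restricted = 1
        }
        END { svc_done(); exit(ok ? 0 : 1) }
    ' "$1"
}

# Constructed samples (not live configs), written to a scratch directory.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/main.good.cf" <<'EOF'
# constructed sample: the post's restrictions, split over continuation lines
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
EOF

cat > "$SAMPLE_DIR/main.bad.cf" <<'EOF'
# constructed sample: the reject is missing, so anyone could relay through us
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
EOF

cat > "$SAMPLE_DIR/master.good.cf" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=lmtp:unix:/var/run/dspam/dspam.sock
localhost:10026 inet  n -       n       -       -        smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
pickup    fifo  n       -       n       60      1       pickup
EOF

cat > "$SAMPLE_DIR/master.bad.cf" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
10026     inet  n       -       n       -       -       smtpd
  -o content_filter=
pickup    fifo  n       -       n       60      1       pickup
EOF

for cfg in main.good main.bad; do
    if check_no_open_relay "$SAMPLE_DIR/$cfg.cf"; then
        echo "$cfg.cf: relaying restricted (reject_unauth_destination present)"
    else
        echo "$cfg.cf: OPEN RELAY RISK, reject_unauth_destination missing"
    fi
done
for cfg in master.good master.bad; do
    if check_reinject_isolated "$SAMPLE_DIR/$cfg.cf" 10026; then
        echo "$cfg.cf: reinjection port 10026 is loopback-only and restricted"
    else
        echo "$cfg.cf: reinjection port 10026 reachable from the network or unrestricted"
    fi
done
```

On a live system `postconf smtpd_recipient_restrictions` prints the same joined value the parser above reconstructs. Postfix 2.10 and later moved relay control into its own parameter, smtpd_relay_restrictions, so on a current install the check should look there as well; on the 2.4 release used in this post smtpd_recipient_restrictions is the only place.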



4. Dovecot Conf

dovecot.conf
Code:


##Dovecot Config file

protocols = imap imaps
listen = *
login_process_size = 64
mail_location = maildir:/home/vmail/%u/
mail_extra_groups = postfix
verbose_proctitle = yes
first_valid_uid = 207
first_valid_gid = 207
#umask = 0077
mbox_read_locks = fcntl
mbox_write_locks = fcntl

log_path = /var/log/mail.log
syslog_facility = mail

ssl_disable = no
ssl_cert_file = /etc/ssl/your.domain.de.crt
ssl_key_file = /etc/ssl/your.domain.de.key

protocol imap {
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}

protocol lda {
postmaster_address = postmaster@yourdomain.de
}

auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

auth_debug = yes
auth_verbose = yes
auth default {
  mechanisms = plain login

  socket listen {
    client {
      # Assuming the default Postfix $queue_directory setting
      path = /var/spool/postfix/private/auth
      mode = 0660
      # Assuming the default Postfix user and group
      user = postfix
      group = postfix
    }
  }

  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }

  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
}



dovecot-sql.conf
Code:

# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki.dovecot.org/AuthDatabase/SQL

driver = mysql

connect = host=localhost dbname=postfix user=postfix password=yourpass

default_pass_scheme = CRYPT

password_query = SELECT password FROM mailbox WHERE username = '%u' AND active = '1'

user_query = SELECT maildir, 207 AS uid, 207 AS gid FROM mailbox WHERE username = '%u' AND active = '1'


5. DSPAM

dspam.conf
Code:

## $Id: dspam.conf.in,v 1.82 2006/06/23 03:11:31 jonz Exp $
## dspam.conf -- DSPAM configuration file
##

#
# DSPAM Home: Specifies the base directory to be used for DSPAM storage
#
Home /var/spool/dspam

StorageDriver /usr/lib/dspam/libmysql_drv.so
TrustedDeliveryAgent "/usr/sbin/sendmail"

DeliveryHost        127.0.0.1
DeliveryPort        10026
DeliveryIdent       localhost
DeliveryProto       SMTP

OnFail error

Trust root
Trust dspam
Trust apache
Trust mail
Trust mailnull
Trust smmsp
Trust daemon
Trust nobody
Trust postfix
#Trust majordomo

TrainingMode teft
TestConditionalTraining on
Feature whitelist

Algorithm graham burton

Tokenizer chain
PValue bcr

# WebStats: Enable this if you are using the CGI, which writes .stats files
WebStats on

ImprobabilityDrive on

Preference "spamAction=quarantine"
Preference "signatureLocation=headers"  # 'message' or 'headers'
Preference "showFactors=on"

AllowOverride trainingMode
AllowOverride spamAction spamSubject
AllowOverride statisticalSedation
AllowOverride enableBNR
AllowOverride enableWhitelist
AllowOverride signatureLocation
AllowOverride showFactors
AllowOverride optIn optOut
AllowOverride whitelistThreshold

# --- MySQL ---

MySQLServer     /var/run/mysqld/mysqld.sock
#MySQLPort
MySQLUser               dspam
MySQLPass               pass
MySQLDb                 dspam
MySQLCompress           false
#MySQLReconnect         true

HashRecMax              98317

HashAutoExtend          on
HashMaxExtents          0

HashExtentSize          49157
HashPctIncrease 10
HashMaxSeek             10
HashConnectionCache     10
Notifications   off
#
PurgeSignature  off # Specified in purge.sql
PurgeNeutral   90
PurgeUnused    off # Specified in purge.sql
PurgeHapaxes   off # Specified in purge.sql
PurgeHits1S    off # Specified in purge.sql
PurgeHits1I    off # Specified in purge.sql

LocalMX 127.0.0.1
SystemLog on
UserLog   on
Opt out
ParseToHeaders on
ChangeModeOnParse on
ChangeUserOnParse full
ServerPID              /var/run/dspam/dspam.pid
ServerMode auto
ServerParameters        "--deliver=innocent -d %u"
#ServerIdent            "localhost.localdomain"
ServerDomainSocketPath  "/var/run/dspam/dspam.sock"

ClientHost      "/var/run/dspam/dspam.sock"
ProcessorURLContext on
ProcessorBias on

## EOF


These are the configs we need to get the whole thing running. Of course they have to be adapted accordingly.


6. Dspam-web

For our web interface we should set up a dedicated vhost.
Since we keep our users in a DB, we can query them directly from there via www-apache/mod_auth_mysql.
Note that the vhost in the example listens on port 80 while using Basic authentication, so the mailbox password would cross the network in the clear; serve it over the same SSL certificate used for Postfix and Dovecot (an *:443 vhost) before exposing it beyond localhost.

Here is the example:

Code:

<VirtualHost *:80>
 DocumentRoot /var/www/localhost/htdocs
 ServerName dspam.yourdomain.de

 #Use dspam.cgi as main index
 RewriteEngine On
 RewriteRule ^/?$ /cgi-bin/dspam.cgi [redirect,last]
 SuexecUserGroup dspam dspam
 ScriptAlias /cgi-bin/ /var/www/localhost/cgi-bin/

<Directory "/var/www/localhost/cgi-bin">
        Options FollowSymLinks ExecCGI
        SetHandler cgi-script
        AllowOverride None
        Order deny,allow
        Allow from all

<IfDefine AUTH_MYSQL>
        LoadModule mysql_auth_module modules/mod_auth_mysql.so

        AuthBasicAuthoritative Off
        AuthName "DSPAM Quarantine Login"
        AuthType Basic

        AuthMySQLEnable On
        AuthMySQLPwEncryption crypt
        AuthMySQLHost localhost
        AuthMySQLUser postfix
        AuthMySQLPassword yourpass
        AuthMySQLDB postfix
        AuthMySQLUserTable mailbox
        AuthMySQLNameField username
        AuthMySQLPasswordField password

        require valid-user
</IfDefine>

</Directory>

</VirtualHost>



Great, so how does it all work now?

Like this:

Code:
[Postfix] (LMTP) -> [DSPAM]                     [Postfix] -> { Delivery }
                       |___ (SMTP Reinjection) ____|


Info:
With net-mail/pflogsumm you can filter the Postfix logs in /var/log/message and get a nicely formatted summary.
Very useful!

Certificate request:
Code:
openssl genrsa -out webmail.mydomain.com.key 1024
openssl req -new -key webmail.mydomain.com.key -out webmail.mydomain.com.csr


Regards
_________________
When Chuck Norris falls into water, Chuck Norris doesn't get wet. The water gets Chuck Norris.
All times are GMT