Quick mail server setup on Ubuntu

    Configuration for Ubuntu 14.04 LTS

    Components

    postfix, cyrus-imapd, clamav, greylisting

    The configuration includes no anti-spam measures other than greylisting.

    The user database lives in sasldb (Berkeley DB). This scales poorly; it was chosen because of performance problems with the MySQL database server on this host.

    Installing cyrus-imapd and postfix

    apt-get install -y postfix postfix-pcre cyrus-pop3d-2.4 cyrus-clients-2.4  cyrus-imapd-2.4 cyrus-admin-2.4 sasl2-bin
    

    After installation cyrus-imapd (cyrmaster) is started, as is usual on Debian/Ubuntu.

    Unfortunately /etc/init.d/cyrus-imapd may fail to stop it (a configuration bug: the wrong pid file is referenced).

    This may already be fixed in newer versions of the debs. If not, the server has to be killed by hand:

    killall cyrmaster
    rm -f /var/run/cyrus-master.pid
    

     

    Create the directories:

    mkdir -p /storage/mail/{spool,sieve}
    chmod 700 /storage/mail /storage/mail/{spool,sieve}
    chown -R cyrus:mail /storage/mail
    

    And the sasldb database:

    mkdir -m 770 /etc/sasl
    chgrp mail /etc/sasl
    gpasswd -a postfix mail
    gpasswd -a cyrus mail
    saslpasswd2 -f /etc/sasl/mail.db -c -u optimus.example.pl administrator
    

    Set the permissions and check that the user was added correctly:

    chmod 660 /etc/sasl/mail.db
    chgrp mail /etc/sasl/mail.db
    sasldblistusers2 -f /etc/sasl/mail.db
    

    Configuring cyrus-imapd

    vim /etc/default/cyrus-imapd

    CYRUS_VERBOSE=0
    CONF=/etc/imapd.conf
    MASTERCONF=/etc/cyrus.conf
    CHKCYRUS=1
    PIDFILE=/var/run/cyrus-master.pid
    OPTIONS=""
    

    vim /etc/imapd.conf

    servername: optimus.example.pl
    defaultdomain: optimus.example.pl
    postmaster: postmaster@optimus.example.pl
    configdirectory: /var/lib/cyrus
    proc_path: /run/cyrus/proc
    mboxname_lockpath: /run/cyrus/lock
    defaultpartition: default
    partition-default: /storage/mail/spool
    sievedir: /storage/mail/sieve
    sieveusehomedir: false
    altnamespace: yes
    unixhierarchysep: yes
    reject8bit: yes
    #munge8bit: no
    admins: administrator
    proxyservers: administrator
    hashimapspool: true
    allowanonymouslogin: no
    allowplaintext: yes
    # Does not work correctly?
    #autocreatequota: 20485760
    umask: 077
    normalizeuid: yes
    virtdomains: userid
    username_tolower: yes
    allowapop: no
    delete_mode: immediate
    expunge_mode: immediate
    lmtp_downcase_rcpt: yes
    lmtp_over_quota_perm_failure: yes
    lmtp_strict_quota: yes
    imapidresponse: no
    allowusermoves: yes
    sasl_mech_list: PLAIN LOGIN CRAM-MD5
    sasl_minimum_layer: 0
    #sasl_maximum_layer: 256
    sasl_option: yes
    sasl_pwcheck_method: auxprop
    sasl_auxprop_plugin: sasldb
    sasl_sasldb_path: /etc/sasl/mail.db
    sasl_auto_transition: yes
    lmtpsocket: /var/run/cyrus/socket/lmtp
    idlesocket: /var/run/cyrus/socket/idle
    notifysocket: /var/run/cyrus/socket/notify
    syslog_prefix: cyrus
    serverinfo: min
    

    vim /etc/cyrus.conf

    START {
            recover         cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
            delprune        cmd="/usr/sbin/cyrus expire -E 3"
            tlsprune        cmd="/usr/sbin/cyrus tls_prune"
    }
    
    SERVICES {
            imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=25 proto=tcp4
            #imaps          cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
            pop3            cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=25 proto=tcp4
            #pop3s          cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
            lmtpunix        cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
            sieve           cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
    }
    
    EVENTS {
            checkpoint      cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
            delprune        cmd="/usr/sbin/cyrus expire -E 3" at=0401
            tlsprune        cmd="/usr/sbin/cyrus tls_prune" at=0401
            squatter_a      cmd="/usr/sbin/cyrus squatter" at=0210
    }
    

    Start the mail server:

    update-rc.d cyrus-imapd enable
    update-rc.d saslauthd  disable
    service cyrus-imapd start
    

    Testing

    Creating a mailbox for the administrator account

    cyradm -u administrator@optimus.example.pl localhost
    

    Then from the cyradm CLI:

    cm user/administrator@optimus.example.pl
    sq user/administrator@optimus.example.pl 0
    lq user/administrator@optimus.example.pl
    

    The above sets the quota to 0.

    Testing POP/IMAP connections

    Each command below authenticates as administrator with one SASL mechanism; after the login succeeds, the line marked --> is what you type to end the session (QUIT for POP3, 00 LOGOUT for IMAP).

    pop3test -m PLAIN -a administrator@optimus.example.pl localhost
    --> QUIT
    
    pop3test -m LOGIN -a administrator@optimus.example.pl localhost
    --> QUIT
    
    imtest -m PLAIN -a administrator@optimus.example.pl localhost
    --> 00 LOGOUT
    
    imtest -m LOGIN -a administrator@optimus.example.pl localhost
    --> 00 LOGOUT
    
    imtest -m CRAM-MD5 -a administrator@optimus.example.pl localhost
    --> 00 LOGOUT
    
    

    Configuring postfix

    vim /etc/postfix/main.cf

    myhostname = optimus.example.pl
    myorigin = optimus.example.pl
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    inet_interfaces = all
    mynetworks_style = host
    inet_protocols = ipv4
    local_recipient_maps =
    alias_database =
    alias_maps =
    mydestination =
    relayhost =
    mynetworks = 127.0.0.0/8
    readme_directory = no
    delay_warning_time = 8h
    unknown_local_recipient_reject_code = 450
    maximal_queue_lifetime = 3d
    bounce_queue_lifetime = 0
    minimal_backoff_time = 1000s
    maximal_backoff_time = 8000s
    smtp_helo_timeout = 60s
    smtpd_recipient_limit = 16
    smtpd_soft_error_limit = 3
    smtpd_hard_error_limit = 12
    smtpd_helo_restrictions =
            permit_mynetworks
            warn_if_reject
            reject_non_fqdn_hostname
            reject_invalid_helo_hostname
            permit
    smtpd_sender_restrictions =
            permit_mynetworks
            warn_if_reject
            reject_non_fqdn_sender
            reject_unknown_sender_domain
            reject_unlisted_sender
            reject_unauth_pipelining
            permit
    smtpd_client_restrictions =
            reject_rbl_client cbl.abuseat.org
            reject_rbl_client zen.spamhaus.org=127.0.0.10
            reject_rbl_client zen.spamhaus.org=127.0.0.11
            reject_rbl_client zen.spamhaus.org
            warn_if_reject
            permit
    smtpd_recipient_restrictions =
            reject_unauth_pipelining
            permit_mynetworks
            reject_non_fqdn_recipient
            reject_unknown_recipient_domain
            reject_unauth_destination
            permit
    smtpd_data_restrictions =
            reject_unauth_pipelining
            permit
    message_size_limit = 20971520
    smtpd_helo_required = yes
    smtpd_delay_reject = no
    disable_vrfy_command = yes
    virtual_mailbox_maps = hash:/etc/postfix/db/user hash:/etc/postfix/db/alias
    virtual_alias_maps = hash:/etc/postfix/db/alias
    virtual_mailbox_domains = hash:/etc/postfix/db/domain
    virtual_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
    virtual_destination_recipient_limit = 1
    header_checks = pcre:/etc/postfix/attachment.pcre
    strict_rfc821_envelopes = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_etrn_restrictions = reject
    smtpd_discard_ehlo_keywords=silent-discard,dsn,etrn
    unknown_client_reject_code=450
    show_user_unknown_table_name=no
    smtpd_milters = inet:127.0.0.1:11125 inet:127.0.0.1:11025
    milter_default_action = tempfail
    milter_protocol = 6
    milter_mail_macros = {auth_author} {auth_type} {auth_authen} {mail_addr}
    milter_connect_macros = j {daemon_name} v {client_addr} _
    milter_end_of_data_macros = b i j _ {daemon_name} {client_addr} {mail_addr}
    smtpd_sasl_path=auth
    cyrus_sasl_config_path=/etc/postfix/sasl
    
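    The restriction lists above are the part of main.cf that decides whether the server relays for strangers. Below is an added example, not part of the original article, that audits a main.cf for the settings the article relies on (an explicit reject_unauth_destination, reject_unauth_pipelining, smtpd_helo_required and disable_vrfy_command). It parses the "key = value" layout including the indented continuation lines main.cf uses, and runs on two constructed samples so it works offline; pass /etc/postfix/main.cf to audit_maincf on a real host. Note that since Postfix 2.10 smtpd_relay_restrictions defaults to permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination, so a missing entry is not by itself an open relay; the audit reports what the file configures explicitly.

```shell
#!/bin/sh
# Added example, not part of the original article: a read-only audit of the
# relay and hardening settings the article's main.cf configures. maincf_get
# parses "key = value" entries including the indented continuation lines
# main.cf uses; the two samples are constructed so the script runs offline.

# write_sample FILE hardened|open: constructed main.cf fragment modelled on the
# article's restriction lists. "open" leaves out reject_unauth_destination.
write_sample() {
    relay_line=''
    [ "$2" = hardened ] && relay_line='        reject_unauth_destination'
    cat >"$1" <<EOF
# constructed sample, not a real host's configuration
myhostname = optimus.example.pl
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
        reject_unauth_pipelining
        permit_mynetworks
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
$relay_line
        permit
smtpd_data_restrictions =
        reject_unauth_pipelining
        permit
EOF
}

# maincf_get FILE KEY: print KEY's value as one line, continuation lines joined
# and commas replaced by spaces, so callers can treat it as a word list
maincf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }               # comment
        /^[[:space:]]*$/ { next }               # blank line
        /^[^[:space:]]/ {                       # start of a logical line
            if (found) exit                     # the wanted entry is complete
            k = $0; sub(/[[:space:]]*=.*$/, "", k)
            if (k == key) {
                found = 1
                out = $0; sub(/^[^=]*=[[:space:]]*/, "", out)
            }
            next
        }
        found { v = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); out = out " " v }
        END { gsub(/,/, " ", out); print out }
    ' "$1"
}

# maincf_has FILE KEY WORD: true when WORD is one of KEY's list entries
maincf_has() {
    for w in $(maincf_get "$1" "$2"); do
        [ "$w" = "$3" ] && return 0
    done
    return 1
}

# audit_maincf FILE: one line per finding on stderr, the finding count on
# stdout; always exits 0 so it can be used under "set -e"
audit_maincf() {
    f=$1; n=0
    if ! maincf_has "$f" smtpd_recipient_restrictions reject_unauth_destination &&
       ! maincf_has "$f" smtpd_relay_restrictions reject_unauth_destination; then
        echo "FINDING: no explicit reject_unauth_destination (relay control relies on defaults)" >&2
        n=$((n + 1))
    fi
    if ! maincf_has "$f" smtpd_recipient_restrictions reject_unauth_pipelining &&
       ! maincf_has "$f" smtpd_data_restrictions reject_unauth_pipelining; then
        echo "FINDING: reject_unauth_pipelining missing" >&2
        n=$((n + 1))
    fi
    for key in smtpd_helo_required disable_vrfy_command; do
        [ "$(maincf_get "$f" "$key")" = yes ] || { echo "FINDING: $key is not yes" >&2; n=$((n + 1)); }
    done
    echo "$n"
}

# Demonstration on the two constructed samples
OPEN_CF=$(mktemp)
HARD_CF=$(mktemp)
write_sample "$OPEN_CF" open
write_sample "$HARD_CF" hardened
echo "open sample: $(audit_maincf "$OPEN_CF") finding(s)"        # 1
echo "hardened sample: $(audit_maincf "$HARD_CF") finding(s)"    # 0
```

    On a live host the same checks can be cross-checked against the running configuration with postconf -n, which prints the explicitly set parameters in the same key = value form the parser expects.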

    vim /etc/postfix/attachment.pcre

    /^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(bat|exe|scr|com|cmd|lnk|vbs|js|pif|msi))(\?=)?"?\s*(;|$)/x     REJECT Attachment name "$2" may not end with ".$3"
    

    vim /etc/postfix/sasl/auth.conf

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    sasldb_path: /etc/sasl/mail.db
    auto_transition: yes
    mech_list: PLAIN LOGIN CRAM-MD5
    minimum_layer: 0
    

    vim /etc/postfix/master.cf

    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    submission inet  n       -      n       -       -       smtpd
      -o myhostname=smtp.example.pl
      -o syslog_name=postfix/submission
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_reject_unlisted_recipient=yes
      -o smtpd_recipient_restrictions=
      -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,reject
      -o smtpd_sender_restrictions=reject_non_fqdn_sender
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o smtpd_milters=inet:127.0.0.1:11025
      -o smtpd_sasl_auth_enable=yes
      -o milter_macro_daemon_name=ORIGINATING
    pickup    unix  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       n       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    

    Create the domain, account, and alias databases

    mkdir -p /etc/postfix/db/scripts
    touch /etc/postfix/db/alias.custom
    touch /etc/postfix/db/user.custom
    touch /etc/postfix/db/domain.custom
    cat >/etc/postfix/db/refresh <<"EOF"
    #!/bin/bash
    # Rebuild the user, domain and alias maps from sasldb plus the *.custom files
    cd /etc/postfix/db
    echo "#DON'T EDIT BY HAND" >user
    for usr in $(/etc/postfix/db/scripts/listusers)
    do
            echo -e "$usr\tOK" >>user
    done
    [ -f user.custom ] && cat user.custom >>user
    echo "#DON'T EDIT BY HAND" >domain
    for dmn in $(/etc/postfix/db/scripts/listdomains)
    do
            echo -e "$dmn\tOK" >>domain
    done
    [ -f domain.custom ] && cat domain.custom >>domain
    echo "#DON'T EDIT BY HAND" >alias
    [ -f alias.custom ] && cat alias.custom >>alias
    postmap hash:user
    postmap hash:domain
    postmap hash:alias
    echo do: postfix reload
    EOF
    chmod +x /etc/postfix/db/refresh
    cat >/etc/postfix/db/scripts/listusers <<"EOF"
    #!/bin/bash
    # All sasldb accounts except the Cyrus admin, one address per line
    sasldblistusers2 -f /etc/sasl/mail.db | cut -d: -f1 | sort -u | grep -v 'administrator@optimus.example.pl'
    EOF
    cat >/etc/postfix/db/scripts/listdomains <<"EOF"
    #!/bin/bash
    # Domain part of every address returned by listusers
    /etc/postfix/db/scripts/listusers | awk -F@ '{print $2}' | sort -u
    EOF
    chmod +x /etc/postfix/db/scripts/listusers
    chmod +x /etc/postfix/db/scripts/listdomains
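    The refresh script derives both the mailbox map and the domain map from sasldb, and Postfix only accepts mail for a virtual mailbox when its domain is listed in virtual_mailbox_domains, so the two maps must agree. Below is an added example, not part of the original article, that runs the same listusers/listdomains pipeline on constructed sasldblistusers2-style output (user@realm: property, one line per entry) so it works offline, and then checks the generated maps for that consistency. The sample_ and check_ names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: the listusers/listdomains
# pipeline behind the refresh script on constructed sasldb output, plus a
# consistency check between the generated user map and domain map.

ADMIN_ACCOUNT='administrator@optimus.example.pl'   # left out, as in the article

# Constructed stand-in for: sasldblistusers2 -f /etc/sasl/mail.db
sample_sasldb() {
    cat <<'EOF'
administrator@optimus.example.pl: userPassword
jan.kowalski@example.pl: userPassword
anna@example.pl: userPassword
bob@other.example.org: userPassword
EOF
}

# list_users: stdin is sasldblistusers2 output; prints sorted unique addresses
# minus the admin account. -xF makes the exclusion an exact-line match, where
# the article's grep -v treats the address as an unanchored pattern.
list_users() {
    cut -d: -f1 | sort -u | grep -vxF "$ADMIN_ACCOUNT"
}

# list_domains: stdin is an address list; prints sorted unique domain parts
list_domains() {
    awk -F@ '{print $2}' | sort -u
}

# build_map OUT: stdin is a key list; writes the postmap input format the
# refresh script produces (comment line, then "key<TAB>OK")
build_map() {
    {
        echo "#DON'T EDIT BY HAND"
        while read -r key; do printf '%s\tOK\n' "$key"; done
    } >"$1"
}

# check_maps USERMAP DOMAINMAP: report each mailbox whose domain is missing from
# the domain map; returns the number of such mailboxes (0 = consistent)
check_maps() {
    missing=0
    for addr in $(grep -v '^#' "$1" | cut -f1); do
        dom=${addr#*@}
        if ! grep -v '^#' "$2" | cut -f1 | grep -qxF "$dom"; then
            echo "no domain map entry for $addr (domain $dom)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Demonstration: build both maps from the sample and check them
USER_MAP=$(mktemp)
DOMAIN_MAP=$(mktemp)
sample_sasldb | list_users | build_map "$USER_MAP"
sample_sasldb | list_users | list_domains | build_map "$DOMAIN_MAP"
cat "$USER_MAP" "$DOMAIN_MAP"
check_maps "$USER_MAP" "$DOMAIN_MAP" && echo "maps are consistent"
```

    The check matters most for entries added by hand through user.custom: an address whose domain is not also in domain.custom (or derived from sasldb) is silently undeliverable after postmap and postfix reload.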
    

    Installing ClamAV and milter-greylist

    apt-get install -y clamav-daemon  clamav-freshclam  clamav   clamav-milter 
    
    apt-get install -y milter-greylist
    

    Configuring clamav-milter:

    vim /etc/clamav/clamav-milter.conf

    MilterSocket inet:11025@127.0.0.1
    FixStaleSocket true
    User clamav
    AllowSupplementaryGroups true
    ReadTimeout 45
    Foreground false
    PidFile /var/run/clamav/clamav-milter.pid
    ClamdSocket unix:/var/run/clamav/clamd.ctl
    OnClean Accept
    OnInfected Reject
    OnFail Defer
    AddHeader no
    LogSyslog true
    LogFacility LOG_LOCAL6
    LogVerbose false
    LogInfected Basic
    LogClean Off
    LogRotate true
    MaxFileSize 25M
    SupportMultipleRecipients false
    RejectMsg Virus detected - %v
    TemporaryDirectory /tmp
    LogFile /var/log/clamav/clamav-milter.log
    LogTime true
    LogFileUnlock false
    LogFileMaxSize 25M
    MilterSocketGroup clamav
    MilterSocketMode 660
    

    Configuring milter-greylist:

    vim /etc/default/milter-greylist

    ENABLED=1
    SOCKET="inet:11125@127.0.0.1"
    

    vim /etc/milter-greylist/greylist.conf

    pidfile "/var/run/milter-greylist.pid"
    dumpfile "/var/lib/milter-greylist/greylist.db" 600
    dumpfreq 10m
    nospf
    stat "|logger -p local7.info" "%T{%Y/%m/%d %T} %d [%i] %r -> %f %S (ACL %A) %Xc %Xe %Xm %Xh"
    quiet
    list "my network" addr { 127.0.0.1/8  }
    # This is a list of broken MTAs that break with greylisting. Derived from
    # http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.16
    list "broken mta" addr {   \
            12.5.136.141/32    \ # Southwest Airlines (unique sender)
            12.5.136.142/32    \ # Southwest Airlines
            12.5.136.143/32    \ # Southwest Airlines
            12.5.136.144/32    \ # Southwest Airlines
            12.107.209.244/32  \ # kernel.org (unique sender)
            12.107.209.250/32  \ # sourceware.org (unique sender)
            63.82.37.110/32    \ # SLmail
            63.169.44.143/32   \ # Southwest Airlines
            63.169.44.144/32   \ # Southwest Airlines
            64.7.153.18/32     \ # sentex.ca (common pool)
            64.12.136.0/24     \ # AOL (common pool)
            64.12.137.0/24     \ # AOL
            64.12.138.0/24     \ # AOL
            64.124.204.39      \ # moveon.org (unique sender)
            64.125.132.254/32  \ # collab.net (unique sender)
            64.233.160.0/19    \ # Google
            66.94.237.16/28    \ # Yahoo Groups servers (common pool)
            66.94.237.32/28    \ # Yahoo Groups servers (common pool)
            66.94.237.48/30    \ # Yahoo Groups servers (common pool)
            66.100.210.82/32   \ # Groupwise?
            66.135.192.0/19    \ # Ebay
            66.162.216.166/32  \ # Groupwise?
            66.206.22.82/32    \ # Plexor
            66.206.22.83/32    \ # Plexor
            66.206.22.84/32    \ # Plexor
            66.206.22.85/32    \ # Plexor
            66.218.66.0/23     \ # Yahoo Groups servers (common pool)
            66.218.67.0/23     \ # Yahoo Groups servers (common pool)
            66.218.68.0/23     \ # Yahoo Groups servers (common pool)
            66.218.69.0/23     \ # Yahoo Groups servers (common pool)
            66.27.51.218/32    \ # ljbtc.com (Groupwise)
            66.102.0.0/20      \ # Google
            66.249.80.0/20     \ # Google
            72.14.192.0/18     \ # Google
            74.125.0.0/16      \ # Google
            152.163.225.0/24   \ # AOL
            194.245.101.88/32  \ # Joker.com
            195.235.39.19/32   \ # Tid InfoMail Exchanger v2.20
            195.238.2.0/24     \ # skynet.be (weird retry pattern, common pool)
            195.238.3.0/24     \ # skynet.be
            195.46.220.208/32  \ # mgn.net
            195.46.220.209/32  \ # mgn.net
            195.46.220.210/32  \ # mgn.net
            195.46.220.211/32  \ # mgn.net
            195.46.220.221/32  \ # mgn.net
            195.46.220.222/32  \ # mgn.net
            195.238.2.0/24     \ # skynet.be (weird retry pattern)
            195.238.3.0/24     \ # skynet.be
            204.107.120.10/32  \ # Ameritrade (no retry)
            205.188.0.0/16     \ # AOL
            205.206.231.0/24   \ # SecurityFocus.com (unique sender)
            207.115.63.0/24    \ # Prodigy - retries continually
            207.171.168.0/24   \ # Amazon.com
            207.171.180.0/24   \ # Amazon.com
            207.171.187.0/24   \ # Amazon.com
            207.171.188.0/24   \ # Amazon.com
            207.171.190.0/24   \ # Amazon.com
            209.132.176.174/32 \ # sourceware.org mailing lists (unique sender)
            209.85.128.0/17    \ # Google
            211.29.132.0/24    \ # optusnet.com.au (weird retry pattern)
            213.136.52.31/32   \ # Mysql.com (unique sender)
            216.33.244.0/24    \ # Ebay
            216.239.32.0/19    \ # Google
            217.158.50.178/32  \ # AXKit mailing list (unique sender)
    }
    list "whitelist users" rcpt {  \
            socha@socha.it \
    }
    racl whitelist list "my network"
    racl whitelist list "broken mta"
    racl whitelist list "whitelist users"
    racl greylist default delay 15m autowhite 3d
    

    Starting the services:

    update-rc.d milter-greylist enable
    service milter-greylist restart
    update-rc.d clamav-freshclam enable
    update-rc.d clamav-daemon enable
    update-rc.d clamav-milter enable
    service clamav-freshclam restart
    service clamav-daemon restart
    service clamav-milter restart
    

    Restarting postfix:

    postfix check
    service postfix restart
    

    Testing

    AV on port 25

    smtptest localhost
    >>
    MAIL FROM: <test@dataspace.pl>
    RCPT TO: <socha@dataspace.pl>
    DATA
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    .
    

    AV on port 587 (submission)

    smtptest -m PLAIN -p 587 -a administrator@optimus.example.pl localhost
    smtptest -m LOGIN -p 587 -a administrator@optimus.example.pl localhost
    smtptest -m CRAM-MD5 -p 587 -a administrator@optimus.example.pl localhost
    
    >>
    MAIL FROM: <socha@dataspace.pl>
    RCPT TO: <socha@dataspace.pl>
    DATA
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    .
    

    Testing greylisting, rejection of invalid addresses, relaying, etc.
    Test address: admin@ilgwysylka.pl

    From another host on the network:

    nc mail.example.pl 25
    >>
    EHLO l.pl
    MAIL FROM: <socha@dataspace.pl>
    RCPT TO: <socha@socha.it>
    RCPT TO: <none@ilgwysylka.pl>
    RCPT TO: <admin@ilgwysylka.pl>
    

    Creating users/domains

    Add the user to the sasldb database:

    saslpasswd2 -f /etc/sasl/mail.db -c -u <DOMAIN> <USER>
    

    Create the mailbox:

    cyradm -u administrator@optimus.example.pl localhost
    

    Then from the cyradm CLI:

    cm user/<USER>@<DOMAIN>
    sq user/<USER>@<DOMAIN> 20971520
    

    The quota is expressed in KB (the above sets the limit to 20GB).

    Reconfiguring postfix:

    /etc/postfix/db/refresh
    postfix reload
    

    Need help with configuring and maintaining a server?

    IT outsourcing may be the solution for you!