Quick mail server setup on Ubuntu

Configuration for Ubuntu 14.04 LTS.

Components: postfix, cyrus-imapd, clamav, greylisting.

The configuration includes no anti-spam measure other than greylisting.

The user database is kept in sasldb (Berkeley DB). This scales poorly; it is used here because the MySQL database on this server had performance problems.

Two things to keep in mind before copying this setup. First, nothing below enables TLS: imaps and pop3s are commented out in cyrus.conf, Cyrus runs with allowplaintext: yes, and the Postfix submission service sets no smtpd_tls_* parameters, so PLAIN and LOGIN passwords cross the network in the clear on ports 110, 143 and 587 (only CRAM-MD5 avoids sending the password itself). Treat it as a lab or LAN-only setup, or add TLS before exposing these ports. Second, sasldb stores each userPassword in plaintext (CRAM-MD5 needs it), so the 660 mode and the mail group on /etc/sasl/mail.db are all that stands between any process in group mail and every mailbox password.

Installing cyrus-imapd and postfix

```
apt-get install -y postfix postfix-pcre cyrus-pop3d-2.4 cyrus-clients-2.4 cyrus-imapd-2.4 cyrus-admin-2.4 sasl2-bin
```

After installation cyrus-imapd (cyrmaster) is started, as is usual on Debian/Ubuntu. Unfortunately /etc/init.d/cyrus-imapd may be unable to stop it (a configuration bug: the script points at the wrong pid file). This may already be fixed in newer versions of the packages; if not, kill the server by hand:

```
killall cyrmaster
rm -f /var/run/cyrus-master.pid
```

Create the directories:

```
mkdir -p /storage/mail/{spool,sieve}
chmod 700 /storage/mail /storage/mail/{spool,sieve}
chown -R cyrus:mail /storage/mail
```

And the sasldb database:

```
mkdir -m 770 /etc/sasl
chgrp mail /etc/sasl
gpasswd -a postfix mail
gpasswd -a cyrus mail
saslpasswd2 -f /etc/sasl/mail.db -c -u optimus.example.pl administrator
```

Set the permissions and check that the user was added correctly:

```
chmod 660 /etc/sasl/mail.db
chgrp mail /etc/sasl/mail.db
sasldblistusers2 -f /etc/sasl/mail.db
```

The listing should show administrator@optimus.example.pl: userPassword. The realm given with -u becomes the domain part of the login name; the Postfix map scripts further down rely on that.

Configuring cyrus-imapd

vim /etc/default/cyrus-imapd

```
CYRUS_VERBOSE=0
CONF=/etc/imapd.conf
MASTERCONF=/etc/cyrus.conf
CHKCYRUS=1
PIDFILE=/var/run/cyrus-master.pid
OPTIONS=""
```

PIDFILE must name the file cyrmaster actually writes; a mismatch here is what leaves the init script unable to stop the daemon, as noted above.

vim /etc/imapd.conf

```
servername: optimus.example.pl
defaultdomain: optimus.example.pl
postmaster: postmaster@optimus.example.pl
configdirectory: /var/lib/cyrus
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
defaultpartition: default
partition-default: /storage/mail/spool
sievedir: /storage/mail/sieve
sieveusehomedir: false
altnamespace: yes
unixhierarchysep: yes
reject8bit: yes
#munge8bit: no
admins: administrator
proxyservers: administrator
hashimapspool: true
allowanonymouslogin: no
allowplaintext: yes
# Does not work properly?
#autocreatequota: 20485760
umask: 077
normalizeuid: yes
virtdomains: userid
username_tolower: yes
allowapop: no
delete_mode: immediate
expunge_mode: immediate
lmtp_downcase_rcpt: yes
lmtp_over_quota_perm_failure: yes
lmtp_strict_quota: yes
imapidresponse: no
allowusermoves: yes
sasl_mech_list: PLAIN LOGIN CRAM-MD5
sasl_minimum_layer: 0
#sasl_maximum_layer: 256
sasl_option: yes
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_sasldb_path: /etc/sasl/mail.db
sasl_auto_transition: yes
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus
serverinfo: min
```

Options worth noticing: allowplaintext: yes together with sasl_minimum_layer: 0 permits PLAIN and LOGIN on the unencrypted imap and pop3 listeners; umask: 077 keeps spool files private to the cyrus user; delete_mode and expunge_mode set to immediate mean deleted mail is gone at once, with no delayed-delete window for recovery; imapidresponse: no and serverinfo: min keep the server from advertising its version.

vim /etc/cyrus.conf

```
START {
    recover  cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
    delprune cmd="/usr/sbin/cyrus expire -E 3"
    tlsprune cmd="/usr/sbin/cyrus tls_prune"
}

SERVICES {
    imap     cmd="imapd -U 30" listen="imap" prefork=0 maxchild=25 proto=tcp4
    #imaps   cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
    pop3     cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=25 proto=tcp4
    #pop3s   cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
    lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
    sieve    cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
}

EVENTS {
    checkpoint cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
    delprune   cmd="/usr/sbin/cyrus expire -E 3" at=0401
    tlsprune   cmd="/usr/sbin/cyrus tls_prune" at=0401
    squatter_a cmd="/usr/sbin/cyrus squatter" at=0210
}
```

imap and pop3 listen on all IPv4 interfaces (listen="imap" with no host part); only sieve is bound to localhost.

Start the mail server:

```
update-rc.d cyrus-imapd enable
update-rc.d saslauthd disable
service cyrus-imapd start
```

saslauthd is disabled because authentication goes through the auxprop/sasldb plugin (sasl_pwcheck_method: auxprop), not through a daemon.

Testing

Create a mailbox for the administrator account:

```
cyradm -u administrator@optimus.example.pl localhost
```

Then, at the cyradm prompt:

```
cm user/administrator@optimus.example.pl
sq user/administrator@optimus.example.pl 0
lq user/administrator@optimus.example.pl
```

The above sets the quota to 0.
Testing POP/IMAP connections

```
pop3test -m PLAIN -a administrator@optimus.example.pl localhost
--> QUIT
pop3test -m LOGIN -a administrator@optimus.example.pl localhost
--> QUIT
imtest -m PLAIN -a administrator@optimus.example.pl localhost
--> 00 LOGOUT
imtest -m LOGIN -a administrator@optimus.example.pl localhost
--> 00 LOGOUT
imtest -m CRAM-MD5 -a administrator@optimus.example.pl localhost
--> 00 LOGOUT
```

Each mechanism listed in sasl_mech_list should log in successfully; the line after --> is what to type to close the session.

Configuring postfix

vim /etc/postfix/main.cf

```
myhostname = optimus.example.pl
myorigin = optimus.example.pl
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
inet_interfaces = all
mynetworks_style = host
inet_protocols = ipv4
local_recipient_maps =
alias_database =
alias_maps =
mydestination =
relayhost =
mynetworks = 127.0.0.0/8
readme_directory = no
delay_warning_time = 8h
unknown_local_recipient_reject_code = 450
maximal_queue_lifetime = 3d
bounce_queue_lifetime = 0
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
smtp_helo_timeout = 60s
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
smtpd_helo_restrictions =
    permit_mynetworks
    warn_if_reject reject_non_fqdn_hostname
    reject_invalid_helo_hostname
    permit
smtpd_sender_restrictions =
    permit_mynetworks
    warn_if_reject reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unlisted_sender
    reject_unauth_pipelining
    permit
smtpd_client_restrictions =
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client zen.spamhaus.org=127.0.0.10
    reject_rbl_client zen.spamhaus.org=127.0.0.11
    reject_rbl_client zen.spamhaus.org
    warn_if_reject permit
smtpd_recipient_restrictions =
    reject_unauth_pipelining
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unauth_destination
    permit
smtpd_data_restrictions = reject_unauth_pipelining permit
message_size_limit = 20971520
smtpd_helo_required = yes
smtpd_delay_reject = no
disable_vrfy_command = yes
virtual_mailbox_maps = hash:/etc/postfix/db/user hash:/etc/postfix/db/alias
virtual_alias_maps = hash:/etc/postfix/db/alias
virtual_mailbox_domains = hash:/etc/postfix/db/domain
virtual_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
virtual_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/attachment.pcre
strict_rfc821_envelopes = yes
smtpd_sasl_authenticated_header = yes
smtpd_etrn_restrictions = reject
smtpd_discard_ehlo_keywords = silent-discard,dsn,etrn
unknown_client_reject_code = 450
show_user_unknown_table_name = no
smtpd_milters = inet:127.0.0.1:11125 inet:127.0.0.1:11025
milter_default_action = tempfail
milter_protocol = 6
milter_mail_macros = {auth_author} {auth_type} {auth_authen} {mail_addr}
milter_connect_macros = j {daemon_name} v {client_addr} _
milter_end_of_data_macros = b i j _ {daemon_name} {client_addr} {mail_addr}
smtpd_sasl_path = auth
cyrus_sasl_config_path = /etc/postfix/sasl
```

Some points about these settings. warn_if_reject applies only to the restriction right after it, so reject_non_fqdn_hostname and reject_non_fqdn_sender are log-only while reject_invalid_helo_hostname and reject_unknown_sender_domain are enforced; the trailing warn_if_reject permit in smtpd_client_restrictions does nothing. reject_unlisted_sender refuses mail whose envelope sender is in one of the virtual domains but is not a known user, which blocks the simplest spoofing of local addresses. smtpd_delay_reject = no makes client and HELO rejections take effect before MAIL FROM, so those rejections are logged without sender or recipient. reject_unauth_destination is what prevents relaying on port 25. milter_default_action = tempfail means that if milter-greylist or clamav-milter is unreachable, mail is deferred rather than accepted unscanned; the milters are consulted in the order listed, greylisting (11125) first and then ClamAV (11025).

vim /etc/postfix/attachment.pcre

```
/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(bat|exe|scr|com|cmd|lnk|vbs|js|pif|msi))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" may not end with ".$3"
```

Postfix pcre tables match case-insensitively unless the pattern turns that off, so .EXE and .Scr are caught as well. The (\?=)? group accounts for RFC 2047 encoded-word file names. The rule keys on name= and therefore never sees RFC 2231 continued parameters (filename*0=, filename*1=), and it does not look inside archives; it is a cheap first filter, not a replacement for the virus scanner.

vim /etc/postfix/sasl/auth.conf

```
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasl/mail.db
auto_transition: yes
mech_list: PLAIN LOGIN CRAM-MD5
minimum_layer: 0
```

The file is called auth.conf because of smtpd_sasl_path = auth in main.cf; it mirrors the Cyrus settings so that both daemons read the same sasldb.

vim /etc/postfix/master.cf

```
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp       inet n       -       -       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o myhostname=smtp.example.pl
  -o syslog_name=postfix/submission
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_reject_unlisted_recipient=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_non_fqdn_sender
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=inet:127.0.0.1:11025
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
pickup     unix n       -       -       60      1       pickup
cleanup    unix n       -       -       -       0       cleanup
qmgr       unix n       -       n       300     1       qmgr
tlsmgr     unix -       -       -       1000?   1       tlsmgr
rewrite    unix -       -       -       -       -       trivial-rewrite
bounce     unix -       -       -       -       0       bounce
defer      unix -       -       -       -       0       bounce
trace      unix -       -       -       -       0       bounce
verify     unix -       -       -       -       1       verify
flush      unix n       -       -       1000?   0       flush
proxymap   unix -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp       unix -       -       -       -       -       smtp
relay      unix -       -       -       -       -       smtp
showq      unix n       -       -       -       -       showq
error      unix -       -       -       -       -       error
retry      unix -       -       -       -       -       error
discard    unix -       -       -       -       -       discard
local      unix -       n       n       -       -       local
virtual    unix -       n       n       -       -       virtual
lmtp       unix -       -       n       -       -       lmtp
anvil      unix -       -       -       -       1       anvil
scache     unix -       -       -       -       1       scache
```

The smtp service leaves the chroot column at "-", which on the Postfix 2.x shipped with 14.04 means chrooted; that is fine because SASL is not enabled on port 25. The submission service is explicitly unchrooted (chroot column n) so that smtpd can open /etc/sasl/mail.db and /etc/postfix/sasl/auth.conf. It drops the client and HELO restrictions, requires SASL authentication for any relaying, skips greylisting (only the clamav milter is attached), and passes {daemon_name}=ORIGINATING to the milter, the usual marker for authenticated outbound mail.

Creating the domain, account and alias databases

```
mkdir -p /etc/postfix/db/scripts
touch /etc/postfix/db/alias.custom
touch /etc/postfix/db/user.custom
touch /etc/postfix/db/domain.custom
```

The refresh script regenerates the three maps from the sasldb contents plus the hand-maintained *.custom files:

```
cat >/etc/postfix/db/refresh <<"EOF"
#!/bin/bash
# Regenerate the Postfix virtual maps from sasldb; run after every account change.
cd /etc/postfix/db || exit 1

echo "#DON'T EDIT BY HAND" >user
for usr in $(/etc/postfix/db/scripts/listusers); do
    echo -e "$usr\tOK" >>user
done
[ -f user.custom ] && cat user.custom >>user

echo "#DON'T EDIT BY HAND" >domain
for dmn in $(/etc/postfix/db/scripts/listdomains); do
    echo -e "$dmn\tOK" >>domain
done
[ -f domain.custom ] && cat domain.custom >>domain

echo "#DON'T EDIT BY HAND" >alias
[ -f alias.custom ] && cat alias.custom >>alias

postmap hash:user
postmap hash:domain
postmap hash:alias
echo "do: postfix reload"
EOF
chmod +x /etc/postfix/db/refresh
```

listusers prints every sasldb login except the administrator (exact, whole-line match, so a similarly named account is not dropped by accident); listdomains derives the domain list from it:

```
cat >/etc/postfix/db/scripts/listusers <<"EOF"
#!/bin/bash
# sasldblistusers2 prints "user@realm: userPassword"; keep only the login name.
sasldblistusers2 -f /etc/sasl/mail.db | cut -d: -f1 | sort -u | grep -vxF 'administrator@optimus.example.pl'
EOF

cat >/etc/postfix/db/scripts/listdomains <<"EOF"
#!/bin/bash
# One domain per line, taken from the part after '@' of every login name.
/etc/postfix/db/scripts/listusers | awk -F@ '{print $2}' | sort -u
EOF

chmod +x /etc/postfix/db/scripts/listusers
chmod +x /etc/postfix/db/scripts/listdomains
```

Installing ClamAV and milter-greylist

```
apt-get install -y clamav-daemon clamav-freshclam clamav clamav-milter
apt-get install -y milter-greylist
```

Configuring clamav-milter:

vim /etc/clamav/clamav-milter.conf

```
MilterSocket inet:11025@127.0.0.1
FixStaleSocket true
User clamav
AllowSupplementaryGroups true
ReadTimeout 45
Foreground false
PidFile /var/run/clamav/clamav-milter.pid
ClamdSocket unix:/var/run/clamav/clamd.ctl
OnClean Accept
OnInfected Reject
OnFail Defer
AddHeader no
LogSyslog true
LogFacility LOG_LOCAL6
LogVerbose false
LogInfected Basic
LogClean Off
LogRotate true
MaxFileSize 25M
SupportMultipleRecipients false
RejectMsg Virus detected - %v
TemporaryDirectory /tmp
LogFile /var/log/clamav/clamav-milter.log
LogTime true
LogFileUnlock false
LogFileMaxSize 25M
MilterSocketGroup clamav
MilterSocketMode 660
```

OnInfected Reject rejects at SMTP time instead of bouncing later, and OnFail Defer tempfails when clamd is unavailable, which matches milter_default_action = tempfail on the Postfix side. MaxFileSize 25M is above Postfix's message_size_limit (20971520 bytes, 20 MiB), so no accepted message exceeds the scanner's size ceiling.

Configuring milter-greylist:

vim /etc/default/milter-greylist

```
ENABLED=1
SOCKET="inet:11125@127.0.0.1"
```

vim /etc/milter-greylist/greylist.conf

```
pidfile "/var/run/milter-greylist.pid"
dumpfile "/var/lib/milter-greylist/greylist.db" 600
dumpfreq 10m
nospf
stat "|logger -p local7.info" "%T{%Y/%m/%d %T} %d [%i] %r -> %f %S (ACL %A) %Xc %Xe %Xm %Xh"
quiet
list "my network" addr { 127.0.0.1/8 }

# This is a list of broken MTAs that break with greylisting.
```
```
# Derived from
# http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.16
list "broken mta" addr {    \
        12.5.136.141/32     \  # Southwest Airlines (unique sender)
        12.5.136.142/32     \  # Southwest Airlines
        12.5.136.143/32     \  # Southwest Airlines
        12.5.136.144/32     \  # Southwest Airlines
        12.107.209.244/32   \  # kernel.org (unique sender)
        12.107.209.250/32   \  # sourceware.org (unique sender)
        63.82.37.110/32     \  # SLmail
        63.169.44.143/32    \  # Southwest Airlines
        63.169.44.144/32    \  # Southwest Airlines
        64.7.153.18/32      \  # sentex.ca (common pool)
        64.12.136.0/24      \  # AOL (common pool)
        64.12.137.0/24      \  # AOL
        64.12.138.0/24      \  # AOL
        64.124.204.39       \  # moveon.org (unique sender)
        64.125.132.254/32   \  # collab.net (unique sender)
        64.233.160.0/19     \  # Google
        66.94.237.16/28     \  # Yahoo Groups servers (common pool)
        66.94.237.32/28     \  # Yahoo Groups servers (common pool)
        66.94.237.48/30     \  # Yahoo Groups servers (common pool)
        66.100.210.82/32    \  # Groupwise?
        66.135.192.0/19     \  # Ebay
        66.162.216.166/32   \  # Groupwise?
        66.206.22.82/32     \  # Plexor
        66.206.22.83/32     \  # Plexor
        66.206.22.84/32     \  # Plexor
        66.206.22.85/32     \  # Plexor
        66.218.66.0/23      \  # Yahoo Groups servers (common pool)
        66.218.67.0/23      \  # Yahoo Groups servers (common pool)
        66.218.68.0/23      \  # Yahoo Groups servers (common pool)
        66.218.69.0/23      \  # Yahoo Groups servers (common pool)
        66.27.51.218/32     \  # ljbtc.com (Groupwise)
        66.102.0.0/20       \  # Google
        66.249.80.0/20      \  # Google
        72.14.192.0/18      \  # Google
        74.125.0.0/16       \  # Google
        152.163.225.0/24    \  # AOL
        194.245.101.88/32   \  # Joker.com
        195.235.39.19/32    \  # Tid InfoMail Exchanger v2.20
        195.238.2.0/24      \  # skynet.be (weird retry pattern, common pool)
        195.238.3.0/24      \  # skynet.be
        195.46.220.208/32   \  # mgn.net
        195.46.220.209/32   \  # mgn.net
        195.46.220.210/32   \  # mgn.net
        195.46.220.211/32   \  # mgn.net
        195.46.220.221/32   \  # mgn.net
        195.46.220.222/32   \  # mgn.net
        195.238.2.0/24      \  # skynet.be (weird retry pattern)
        195.238.3.0/24      \  # skynet.be
        204.107.120.10/32   \  # Ameritrade (no retry)
        205.188.0.0/16      \  # AOL
        205.206.231.0/24    \  # SecurityFocus.com (unique sender)
        207.115.63.0/24     \  # Prodigy - retries continually
        207.171.168.0/24    \  # Amazon.com
        207.171.180.0/24    \  # Amazon.com
        207.171.187.0/24    \  # Amazon.com
        207.171.188.0/24    \  # Amazon.com
        207.171.190.0/24    \  # Amazon.com
        209.132.176.174/32  \  # sourceware.org mailing lists (unique sender)
        209.85.128.0/17     \  # Google
        211.29.132.0/24     \  # optusnet.com.au (weird retry pattern)
        213.136.52.31/32    \  # Mysql.com (unique sender)
        216.33.244.0/24     \  # Ebay
        216.239.32.0/19     \  # Google
        217.158.50.178/32   \  # AXKit mailing list (unique sender)
}

list "whitelist users" rcpt { \
        socha@socha.it \
}

racl whitelist list "my network"
racl whitelist list "broken mta"
racl whitelist list "whitelist users"
racl greylist default delay 15m autowhite 3d
```

The "broken mta" list is copied from an old revision of the upstream whitelist (rev=1.16 in the URL above). Every range in it bypasses greylisting permanently, and address blocks change hands, so review it rather than pasting it unread. The racl lines are evaluated top to bottom: the three whitelists are exempt, everything else is greylisted with a 15 minute delay and a 3 day auto-whitelist.

Starting the services:

```
update-rc.d milter-greylist enable
service milter-greylist restart
update-rc.d clamav-freshclam enable
update-rc.d clamav-daemon enable
update-rc.d clamav-milter enable
service clamav-freshclam restart
service clamav-daemon restart
service clamav-milter restart
```

Restart Postfix:

```
postfix check
service postfix restart
```

Testing AV - port 25

```
smtptest localhost
>> MAIL FROM: <test@dataspace.pl>
RCPT TO: <socha@dataspace.pl>
DATA
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
```

Expected: the message is refused at end of DATA with the RejectMsg text (OnInfected Reject), and nothing is queued. Sending from localhost is accepted for relaying because 127.0.0.0/8 is in mynetworks.

AV - port 587 (submission)

```
smtptest -m PLAIN -p 587 -a administrator@optimus.example.pl localhost
smtptest -m LOGIN -p 587 -a administrator@optimus.example.pl localhost
smtptest -m CRAM-MD5 -p 587 -a administrator@optimus.example.pl localhost
>> MAIL FROM: <socha@dataspace.pl>
RCPT TO: <socha@dataspace.pl>
DATA
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
```

Testing greylisting, rejection of invalid addresses, relaying, etc.

Test address: admin@ilgwysylka.pl

From another host on the network:

```
nc mail.example.pl 25
>> EHLO l.pl
MAIL FROM: <socha@dataspace.pl>
RCPT TO: <socha@socha.it>
RCPT TO: <none@ilgwysylka.pl>
RCPT TO: <admin@ilgwysylka.pl>
```

What to expect: the first RCPT is a domain this server does not host, so reject_unauth_destination should refuse it (relay access denied); the second is a hosted domain but an unknown user, so it should be rejected as unknown (show_user_unknown_table_name=no keeps the map name out of the reply); the third is a real mailbox and, on the first attempt from a new client/sender/recipient triple, should get a temporary failure from milter-greylist. Repeating the same triple after the 15 minute delay should be accepted.

Creating users/domains

Add the user to sasldb:

```
saslpasswd2 -f /etc/sasl/mail.db -c -u <DOMAIN> <USER>
```

Create the mailbox:

```
cyradm -u administrator@optimus.example.pl localhost
```

Then, at the cyradm prompt:

```
cm user/<USER>@<DOMAIN>
sq user/<USER>@<DOMAIN> 20971520
```

The quota is expressed in KB (the above sets the limit to 20 GB).

Reconfigure Postfix:

```
/etc/postfix/db/refresh
postfix reload
```

Until refresh and reload have run, Postfix does not know the new address and rejects mail for it as an unknown user, while the sasldb entry already lets the user authenticate.
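As an added example, not part of the original page, the following Python script replays the attachment.pcre rule from the Postfix section over constructed headers, using the matching semantics Postfix gives pcre: tables (case-insensitive by default, one unfolded logical header per match). It also shows the RFC 2231 continuation case that the rule cannot see. The sample headers are constructed, not taken from real mail, and the REJECT text is the one the page's rule produces.

```python
"""Offline replay of /etc/postfix/attachment.pcre (added example, not page code)."""
import re

# The pattern exactly as written in the page's attachment.pcre. Postfix pcre
# tables match case-insensitively unless the pattern says otherwise, hence
# re.IGNORECASE; the page's /x flag maps to re.VERBOSE.
ATTACHMENT_RE = re.compile(
    r'^Content-(Disposition|Type).*name\s*=\s*"?'
    r'(.*\.(bat|exe|scr|com|cmd|lnk|vbs|js|pif|msi))(\?=)?"?\s*(;|$)',
    re.IGNORECASE | re.VERBOSE,
)

# The action text from the page, with $2 / $3 filled from the match groups.
REJECT_TEXT = 'REJECT Attachment name "{name}" may not end with ".{ext}"'


def unfold(raw: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical header line.

    Postfix hands header_checks the unfolded header, so the replay does the same.
    """
    return re.sub(r'\r?\n[ \t]+', ' ', raw)


def check_header(header: str):
    """Return the REJECT action for one unfolded header, or None if it passes."""
    m = ATTACHMENT_RE.match(header)
    if m is None:
        return None
    return REJECT_TEXT.format(name=m.group(2), ext=m.group(3))


# Constructed sample headers (not captured from real traffic).
SAMPLES = {
    "plain exe": 'Content-Disposition: attachment; filename="invoice.exe"',
    "upper-case, no quotes": 'Content-Type: application/octet-stream; name=Report.PDF.SCR',
    "rfc2047 encoded name": 'Content-Disposition: attachment; filename="=?UTF-8?Q?doc.js?="',
    "extra parameter after name": 'Content-Disposition: attachment; filename="a.exe"; size=1234',
    "folded header": 'Content-Type: application/zip;\r\n\tname="tool.bat"',
    "harmless txt": 'Content-Type: text/plain; name="notes.txt"',
    "double extension ending in txt": 'Content-Disposition: attachment; filename="setup.exe.txt"',
    # RFC 2231 parameter continuation: the rule keys on 'name=' and never sees
    # 'filename*0=' / 'filename*1=', so this one slips through unchanged.
    "rfc2231 continuation (bypass)":
        'Content-Disposition: attachment; filename*0="inv"; filename*1="oice.exe"',
}


def evaluate(samples=SAMPLES):
    """Run every sample through the rule; returns {label: action or None}."""
    return {label: check_header(unfold(raw)) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, action in evaluate().items():
        print(f"{label:34} -> {action or 'pass'}")
```

The bypass case is the reason the page pairs this rule with a virus scanner: header_checks sees one header at a time and knows nothing about MIME parameter encoding, so a mail client or attacker that emits RFC 2231 continuations gets past the name filter and only ClamAV stands in the way.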
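Also added here, and not the page's own scripts: a Python version of the refresh/listusers logic from the Postfix section. It parses the sasldblistusers2 listing field by field instead of word-splitting it (the shell loop `for usr in $(...)` would turn a login containing a space into two map keys), excludes the administrator account by exact match, and refuses entries that would produce a malformed postmap line. The listing it runs on is constructed; ADDRESS_RE is an assumption about what a valid login name looks like on this server, and the key is lowercased to match Cyrus's username_tolower / lmtp_downcase_rcpt settings.

```python
"""Build Postfix virtual maps from a sasldb listing (added example, not page code)."""
import re

ADMIN = "administrator@optimus.example.pl"
HEADER = "#DON'T EDIT BY HAND\n"

# Assumed shape of a valid login: local part, '@', dotted domain. Anything else
# (whitespace, missing realm) would corrupt the "key<TAB>OK" map line.
ADDRESS_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')

# Constructed sample of `sasldblistusers2 -f /etc/sasl/mail.db` output.
SAMPLE_LISTING = """\
administrator@optimus.example.pl: userPassword
admin@ilgwysylka.pl: userPassword
Jan.Kowalski@ilgwysylka.pl: userPassword
admin@ilgwysylka.pl: cmusaslsecretOTP
bad user@ilgwysylka.pl: userPassword
norealm: userPassword
"""


def parse_listing(text):
    """Return (accounts, rejected): sorted valid logins and the lines refused."""
    accounts, rejected = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        key = line.split(":", 1)[0]          # same field as `cut -d: -f1`
        if key == ADMIN:                     # exact match, unlike an unanchored grep -v
            continue
        if not ADDRESS_RE.match(key):
            rejected.append(line)
            continue
        accounts.add(key.lower())            # Cyrus lowercases logins and LMTP recipients
    return sorted(accounts), rejected


def render_map(keys, custom_lines=()):
    """postmap-ready text: header, one "key<TAB>OK" per key, then raw custom lines."""
    body = "".join(f"{k}\tOK\n" for k in keys)
    extra = "".join(f"{line}\n" for line in custom_lines)
    return HEADER + body + extra


def build_maps(text, custom_users=(), custom_domains=(), custom_aliases=()):
    """Return {'user': ..., 'domain': ..., 'alias': ...} as the refresh script writes them."""
    accounts, _ = parse_listing(text)
    domains = sorted({a.split("@", 1)[1] for a in accounts})
    return {
        "user": render_map(accounts, custom_users),
        "domain": render_map(domains, custom_domains),
        "alias": HEADER + "".join(f"{line}\n" for line in custom_aliases),
    }


if __name__ == "__main__":
    _, rejected = parse_listing(SAMPLE_LISTING)
    for line in rejected:
        print("skipped (would corrupt the map):", repr(line))
    for name, content in build_maps(SAMPLE_LISTING).items():
        print(f"--- {name} ---\n{content}", end="")
```

A refused line is worth a log entry rather than silence: an account that exists in sasldb but never reaches the user map can authenticate on submission yet receives no mail, which is exactly the inconsistency the refresh step is meant to prevent.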